
Software Safety Requirements and Architecture

Lane Assistance
Document Version: 1.0, Released on 2018-07-01
Template Version 1.0, Released on 2017-06-21

Document history

Date         Version   Editor            Description
07/01/2018   1.0       Anand Mandapati   Initial Version

Table of Contents

Document history
Table of Contents
Purpose
Inputs to the Software Requirements and Architecture Document
    Technical safety requirements
    Refined Architecture Diagram from the Technical Safety Concept
Software Requirements
Refined Architecture Diagram

Purpose

The purpose of the Software Requirements and Architecture portion of the Safety Plan is to derive software safety requirements from the technical safety requirements and to allocate each of them to the appropriate software element in the system architecture.
Inputs to the Software Requirements and Architecture Document

Technical safety requirements

Technical Safety Requirements related to Functional Safety Requirement 01-01 are:

Technical Safety Requirement 01
  Requirement: The LDW safety component shall ensure that the amplitude of the 'LDW_Torque_Request' sent to the 'Final electronic power steering Torque' component is below 'Max_Torque_Amplitude'.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Architecture Allocation: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Technical Safety Requirement 02
  Requirement: The validity and integrity of the data transmission for the 'LDW_Torque_Request' signal shall be ensured.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Architecture Allocation: EPS ECU - Data Transmission Integrity Check
  Safe State: LDW torque output is set to zero.

Technical Safety Requirement 03
  Requirement: As soon as a failure is detected by the LDW function, it shall deactivate the LDW feature and the 'LDW_Torque_Request' shall be set to zero.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Architecture Allocation: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Technical Safety Requirement 04
  Requirement: As soon as the LDW function deactivates the LDW feature, the 'LDW Safety' software block shall send a signal to the car display ECU to turn on a warning light.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Architecture Allocation: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Technical Safety Requirement 05
  Requirement: A memory test shall be conducted at startup of the EPS ECU to check for any faults in memory.
  ASIL: A
  Fault Tolerant Time Interval: Ignition cycle
  Architecture Allocation: EPS ECU - Safety Startup Memory Test
  Safe State: LDW torque output is set to zero.

Refined Architecture Diagram from the Technical Safety Concept

Software Requirements

Lane Departure Warning (LDW) Amplitude Malfunction Software Requirements:

Technical Safety Requirement 01
  Requirement: The LDW safety component shall ensure that the amplitude of the 'LDW_Torque_Request' sent to the 'Final electronic power steering Torque' component is below 'Max_Torque_Amplitude'.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Allocation to Architecture: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Software Safety Requirement 01-01
  Requirement: The input signal "Primary_LDW_Torq_Req" shall be read and pre-processed to determine the torque request coming from the "Basic/Main LAFunctionality" SW component. The signal "processed_LDW_Torq_Req" shall be generated at the end of the processing.
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_INPUT_PROCESSING
  Safe State: N/A

Software Safety Requirement 01-02
  Requirement: If the amplitude (magnitude) of the "processed_LDW_Torq_Req" signal is greater than "Max_Torque_Amplitude_LDW" (the maximum allowed safe torque), the torque signal "limited_LDW_Torq_Req" shall be set to 0; otherwise "limited_LDW_Torq_Req" shall take the value of "processed_LDW_Torq_Req".
  ASIL: C
  Allocation to Software Elements: TORQUE_LIMITER
  Safe State: "limited_LDW_Torq_Req" = 0 (Nm)

Software Safety Requirement 01-03
  Requirement: The "limited_LDW_Torq_Req" shall be transformed into a signal "LDW_Torq_Req" which is suitable to be transmitted outside of the LDW Safety component ("LDW Safety") to the "Final EPS Torque" component.
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_OUTPUT_GENERATOR
  Safe State: LDW_Torq_Req = 0 (Nm)

Technical Safety Requirement 02
  Requirement: The validity and integrity of the data transmission for the 'LDW_Torque_Request' signal shall be ensured.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Allocation to Architecture: EPS ECU - Data Transmission Integrity Check
  Safe State: LDW torque output is set to zero.

Software Safety Requirement 02-01
  Requirement: Any data to be transmitted outside of the LDW Safety component ("LDW Safety"), including "LDW_Torq_Req" and "activation_status", shall be protected by an End-to-End (E2E) protection mechanism.
  ASIL: C
  Allocation to Software Elements: E2ECalc
  Safe State: LDW_Torq_Req = 0 (Nm)

Software Safety Requirement 02-02
  Requirement: The E2E protection protocol shall compute and attach the control data, an alive counter (SQC) and a CRC, to the data to be transmitted; the receiver shall verify both before using the data.
  ASIL: C
  Allocation to Software Elements: E2ECalc
  Safe State: LDW_Torq_Req = 0 (Nm)
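The E2E mechanism of Software Safety Requirements 02-01 and 02-02 on both sides of the link, as an added example in C that is not part of the original document or of any ECU code base. The frame layout, the 4-bit counter width, the data ID 0x2A, the torque scaling and all function names are assumptions; the CRC is the SAE J1850 CRC-8 (polynomial 0x1D, init and final XOR 0xFF) that the AUTOSAR Crc library also uses, and the receiver takes the safe state (LDW_Torq_Req = 0, LDW deactivated) on a CRC mismatch, a repeated counter or a gap in the sequence:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed frame layout for this example (not taken from the document). */
#define E2E_DATA_ID  0x2Au /* assumed identifier of the LDW_Torq_Req message, mixed into the CRC */
#define E2E_SQC_MASK 0x0Fu /* 4-bit alive counter (SQC) */

typedef struct {
    uint8_t crc;              /* CRC-8 (SAE J1850) over data ID, SQC and payload */
    uint8_t sqc;              /* alive counter, incremented by the sender on every transmission */
    int16_t LDW_Torq_Req;     /* torque request, assumed scaling 0.01 Nm */
    uint8_t activation_status;
} e2e_frame_t;

typedef struct { uint8_t sqc; } e2e_tx_t;
typedef struct { bool have_last; uint8_t last_sqc; } e2e_rx_t;
typedef enum { E2E_OK, E2E_CRC_ERROR, E2E_REPEATED, E2E_WRONG_SEQUENCE } e2e_status_t;

/* CRC-8, polynomial 0x1D, init 0xFF, final XOR 0xFF (SAE J1850, as in AUTOSAR Crc_CalculateCRC8). */
uint8_t crc8_sae_j1850(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFFu);
}

/* The CRC binds the data ID, so a valid frame of another signal cannot be accepted as LDW_Torq_Req. */
static uint8_t frame_crc(const e2e_frame_t *f)
{
    uint16_t tq = (uint16_t)f->LDW_Torq_Req;
    uint8_t buf[5] = { E2E_DATA_ID, f->sqc, (uint8_t)(tq >> 8), (uint8_t)tq, f->activation_status };
    return crc8_sae_j1850(buf, sizeof buf);
}

/* Sender side (SSR 02-02): attach SQC and CRC to the payload. */
void e2e_protect(e2e_tx_t *tx, e2e_frame_t *f, int16_t torque, uint8_t activation_status)
{
    f->sqc = tx->sqc;
    tx->sqc = (uint8_t)((tx->sqc + 1u) & E2E_SQC_MASK);
    f->LDW_Torq_Req = torque;
    f->activation_status = activation_status;
    f->crc = frame_crc(f);
}

/* Receiver side: on any error the outputs take the safe state (LDW_Torq_Req = 0, LDW deactivated).
 * The first frame after start-up is accepted with any counter value (assumption). */
e2e_status_t e2e_check(e2e_rx_t *rx, const e2e_frame_t *f, int16_t *torque_out, uint8_t *activation_out)
{
    e2e_status_t st = E2E_OK;
    if (frame_crc(f) != f->crc) {
        st = E2E_CRC_ERROR;            /* counter is untrusted, so the receiver state is left untouched */
    } else {
        if (rx->have_last) {
            uint8_t delta = (uint8_t)((f->sqc - rx->last_sqc) & E2E_SQC_MASK);
            if (delta == 0) st = E2E_REPEATED;            /* stale or replayed frame */
            else if (delta > 1) st = E2E_WRONG_SEQUENCE;  /* at least one frame lost; no tolerance assumed */
        }
        rx->have_last = true;          /* CRC was valid, so the counter is genuine: resynchronise on it */
        rx->last_sqc = f->sqc;
    }
    *torque_out = (st == E2E_OK) ? f->LDW_Torq_Req : 0;
    *activation_out = (st == E2E_OK) ? f->activation_status : 0;
    return st;
}

int main(void)
{
    e2e_tx_t tx = {0};
    e2e_rx_t rx = {0};
    e2e_frame_t f;
    int16_t tq;
    uint8_t act;
    e2e_protect(&tx, &f, 150, 1);                      /* constructed request: 1.50 Nm, LDW active */
    e2e_status_t st = e2e_check(&rx, &f, &tq, &act);
    printf("fresh frame: status %d, torque %d\n", st, tq);
    st = e2e_check(&rx, &f, &tq, &act);                /* same frame delivered twice */
    printf("repeated frame: status %d, torque %d\n", st, tq);
    return 0;
}
```

The receiver moves its expected counter only after the CRC has passed, so a corrupted frame cannot desynchronise it, while a genuine frame arriving after a gap resynchronises it. Whether a gap of one frame should be tolerated inside the 50 ms fault tolerant time interval (the AUTOSAR E2E profiles make this configurable through a maximum delta counter) is a decision the document leaves open; this example tolerates none.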

Technical Safety Requirement 03
  Requirement: As soon as a failure is detected by the LDW function, it shall deactivate the LDW feature and the 'LDW_Torque_Request' shall be set to zero.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Allocation to Architecture: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Software Safety Requirement 03-01
  Requirement: Each of the SW elements shall output a signal to indicate any error which is detected by the element.
  Error signals:
    error_status_input (LDW_SAFETY_INPUT_PROCESSING)
    error_status_torque_limiter (TORQUE_LIMITER)
    error_status_output_gen (LDW_SAFETY_OUTPUT_GENERATOR)
  ASIL: C
  Allocation to Software Elements: All
  Safe State: N/A

Software Safety Requirement 03-02
  Requirement: A software element shall evaluate the error status of all the other software elements and, in case any one of them indicates an error, it shall deactivate the LDW feature ("activation_status" = 0).
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_ACTIVATION
  Safe State: activation_status = 0 (LDW function deactivated)

Software Safety Requirement 03-03
  Requirement: In case of no errors from the software elements, the status of the LDW feature shall be set to activated ("activation_status" = 1).
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_ACTIVATION
  Safe State: N/A

Software Safety Requirement 03-04
  Requirement: In case an error is detected by any of the software elements, that element shall set the value of its corresponding torque signal to 0 so that "LDW_Torq_Req" is set to 0.
  ASIL: C
  Allocation to Software Elements: All
  Safe State: LDW_Torq_Req = 0

Software Safety Requirement 03-05
  Requirement: Once the LDW functionality has been deactivated, it shall stay deactivated until the ignition is switched from off to on again.
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_ACTIVATION
  Safe State: activation_status = 0 (LDW function deactivated)
Technical Safety Requirement 04
  Requirement: As soon as the LDW function deactivates the LDW feature, the 'LDW Safety' software block shall send a signal to the car display ECU to turn on a warning light.
  ASIL: C
  Fault Tolerant Time Interval: 50 ms
  Allocation to Architecture: EPS ECU - LDW Safety Component
  Safe State: LDW torque output is set to zero.

Software Safety Requirement 04-01
  Requirement: When the LDW function is deactivated (activation_status set to 0), the activation_status shall be sent to the Car Display ECU.
  ASIL: C
  Allocation to Software Elements: LDW_SAFETY_ACTIVATION, Car Display ECU
  Safe State: N/A

Technical Safety Requirement 05
  Requirement: A memory test shall be conducted at startup of the EPS ECU to check for any faults in memory.
  ASIL: A
  Fault Tolerant Time Interval: Ignition cycle
  Allocation to Architecture: EPS ECU - Safety Startup Memory Test
  Safe State: LDW torque output is set to zero.

Software Safety Requirement 05-01
  Requirement: A CRC verification check over the software code in the Flash memory shall be done every time the ignition is switched from off to on, to check for any corruption of content.
  ASIL: A
  Allocation to Software Elements: MEMORY TEST
  Safe State: activation_status = 0

Software Safety Requirement 05-02
  Requirement: Standard RAM tests to check the data bus, address bus and device integrity shall be done every time the ignition is switched from off to on (e.g. walking-1s test, RAM pattern test; refer to the RAM and processor vendor recommendations).
  ASIL: A
  Allocation to Software Elements: MEMORY TEST
  Safe State: activation_status = 0

Software Safety Requirement 05-03
  Requirement: The test result of the RAM and Flash memory tests shall be indicated to the LDW_Safety component via the "test_status" signal.
  ASIL: A
  Allocation to Software Elements: MEMORY TEST
  Safe State: activation_status = 0

Software Safety Requirement 05-04
  Requirement: In case any fault is indicated via the "test_status" signal, LDW_SAFETY_INPUT_PROCESSING shall set an error on error_status_input (=1) so that the LDW functionality is deactivated and LDW_Torq_Req is set to 0.
  ASIL: A
  Allocation to Software Elements: LDW_SAFETY_INPUT_PROCESSING
  Safe State: activation_status = 0
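The startup memory test of Software Safety Requirements 05-01 to 05-03, as an added example in C that is not part of the original document or of any ECU code base. The test_status bit encoding, the Flash image convention (CRC-32 of the image stored in its last four bytes by the build tool), the stuck-at-zero fault model used to exercise the failure path, and all function names are assumptions; the data-bus and address-bus routines are the usual walking-1s tests for a power-of-two region:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of the test_status signal (constructed encoding; the document only names the signal). */
enum { MEMTEST_OK = 0u, MEMTEST_DATA_BUS_FAULT = 1u, MEMTEST_ADDR_BUS_FAULT = 2u, MEMTEST_FLASH_CRC_FAULT = 4u };

typedef struct {
    volatile uint8_t *base;
    size_t size;            /* power of two, so every address line can be walked */
    uint8_t stuck_at_zero;  /* constructed fault model: data lines forced low on write; 0 on real hardware */
} ram_region_t;

static void ram_write(const ram_region_t *r, size_t off, uint8_t v)
{
    r->base[off] = (uint8_t)(v & (uint8_t)~r->stuck_at_zero);
}
static uint8_t ram_read(const ram_region_t *r, size_t off) { return r->base[off]; }

/* Walking-1s data-bus test (SSR 05-02): each data line is driven high alone and read back. */
bool ram_data_bus_ok(const ram_region_t *r)
{
    for (uint8_t pattern = 1; pattern != 0; pattern = (uint8_t)(pattern << 1)) {
        ram_write(r, 0, pattern);
        if (ram_read(r, 0) != pattern) return false;
    }
    return true;
}

/* Address-bus test (SSR 05-02): writes at power-of-two offsets and checks that no address line is
 * stuck or shorted, which would make a write at one offset appear at another. */
bool ram_addr_bus_ok(const ram_region_t *r)
{
    const uint8_t pattern = 0xAAu, anti = 0x55u;
    const size_t mask = r->size - 1;
    for (size_t off = 1; (off & mask) != 0; off <<= 1) ram_write(r, off, pattern);
    ram_write(r, 0, anti);                          /* a stuck-high line would alias offset 0 onto a power of two */
    for (size_t off = 1; (off & mask) != 0; off <<= 1)
        if (ram_read(r, off) != pattern) return false;
    ram_write(r, 0, pattern);
    for (size_t t = 1; (t & mask) != 0; t <<= 1) {  /* stuck-low or shorted lines */
        ram_write(r, t, anti);
        if (ram_read(r, 0) != pattern) return false;
        for (size_t off = 1; (off & mask) != 0; off <<= 1)
            if (off != t && ram_read(r, off) != pattern) return false;
        ram_write(r, t, pattern);
    }
    return true;
}

/* CRC-32 (IEEE 802.3, reflected) for the Flash content check (SSR 05-01). */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Assumed image convention: the last four bytes hold the little-endian CRC-32 of everything before them,
 * written by the build tool. flash_image_seal() stands in for that tool for the constructed image below. */
void flash_image_seal(uint8_t *img, size_t len)
{
    if (len < 4) return;
    uint32_t c = crc32_ieee(img, len - 4);
    for (int i = 0; i < 4; i++) img[len - 4 + i] = (uint8_t)(c >> (8 * i));
}

bool flash_crc_ok(const uint8_t *img, size_t len)
{
    if (len < 5) return false;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)img[len - 4 + i] << (8 * i);
    return crc32_ieee(img, len - 4) == stored;
}

/* Startup memory test run on every ignition off->on; the result is the test_status signal (SSR 05-03). */
unsigned startup_memory_test(const ram_region_t *ram, const uint8_t *flash, size_t flash_len)
{
    unsigned status = MEMTEST_OK;
    if (!ram_data_bus_ok(ram)) status |= MEMTEST_DATA_BUS_FAULT;
    if (!ram_addr_bus_ok(ram)) status |= MEMTEST_ADDR_BUS_FAULT;
    if (!flash_crc_ok(flash, flash_len)) status |= MEMTEST_FLASH_CRC_FAULT;
    return status;
}

int main(void)
{
    static uint8_t ram_buf[256];                                  /* constructed stand-in for the ECU RAM */
    uint8_t flash_img[64] = "constructed LDW safety code image";  /* constructed stand-in for Flash */
    flash_image_seal(flash_img, sizeof flash_img);
    ram_region_t good = { ram_buf, sizeof ram_buf, 0 };
    ram_region_t stuck = { ram_buf, sizeof ram_buf, 0x08 };       /* data line 3 stuck at zero */
    printf("healthy ECU:     test_status 0x%x\n", startup_memory_test(&good, flash_img, sizeof flash_img));
    printf("stuck data line: test_status 0x%x\n", startup_memory_test(&stuck, flash_img, sizeof flash_img));
    flash_img[3] ^= 0x01u;                                        /* one corrupted Flash byte */
    printf("corrupted Flash: test_status 0x%x\n", startup_memory_test(&good, flash_img, sizeof flash_img));
    return 0;
}
```

On a real ECU the region is the physical RAM and stuck_at_zero is 0. The address-bus test writes across the whole region, so it must run before the stack and variables it could clobber are in use, or over a dedicated scratch area, which is why it belongs to the startup sequence rather than the 50 ms cycle. A non-zero status is what SSR 05-04 turns into error_status_input = 1.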

Refined Architecture Diagram
