
ASIL Decomposition and Its Misconceptions (汽车电子咖啡厅, Automotive Electronics Café)

TÜV Rheinland (Shanghai) Co., Ltd., 边俊 / Jemmy Bian

What is ASIL decomposition?

Why do ASIL decomposition?

The development and test methods selected for different safety levels are different.

Definition of ASIL decomposition in the standard

- [ISO 26262-9, 5.2] The method of ASIL tailoring during the design process is called "ASIL decomposition". During the allocation process, benefit can be obtained from architectural decisions including the existence of sufficiently independent architectural elements. This offers the opportunity:

  - to implement safety requirements redundantly by these independent architectural elements, and

  - to assign a potentially lower ASIL to these decomposed safety requirements.

- [ISO 26262-9, 5.2] ASIL decomposition is an ASIL tailoring measure that can be applied to the functional, technical, hardware or software safety requirements of the item or element.

- [ISO 26262-10, 11.1] The objective of ASIL decomposition is to apply redundancy in order to comply with the safety goal with respect to systematic failures.

Applying ASIL decomposition in the concept, system, software and hardware phases

Functional safety requirements / Technical safety requirements

T-SR-1 [ASIL D]: A sensor shall detect that a person is sitting on the seat

- T-SR-1a [ASIL B (D)]: A pressure sensor …

- T-SR-1b [ASIL B (D)]: A camera …

Hardware safety requirements

HW-SR-1 [ASIL D]: Power supply shall be disabled

- HW-SR-1a [ASIL A (D)]: … by MOSFET

- HW-SR-1b [ASIL C (D)]: … by bipolar transistors

Software safety requirements

SW-SR-1 [ASIL C]: Output value shall be calculated by algorithm

- SW-SR-1a [ASIL B (C)]: … algorithm a …

- SW-SR-1b [ASIL A (C)]: … algorithm b …

How is ASIL decomposition done?

Decomposition of ASIL D (figure):

- ASIL D = ASIL C (D) + ASIL A (D), or

- ASIL D = ASIL B (D) + ASIL B (D)

Decomposition of ASIL C (figure):

- ASIL C = ASIL B (C) + ASIL A (C)

Decomposition of ASIL B (figure):

- ASIL B = ASIL A (B) + ASIL A (B)

Clause references shown in the figure: ISO 26262-9, 5.4.11 and 5.4.12

What is the basis and origin of ASIL decomposition?

- SIL1 (ASIL A) + SIL1 (ASIL A) = SIL2 (ASIL B)

- SIL2 (ASIL B) + SIL2 (ASIL B) = SIL3 (ASIL D)

- SIL1 (ASIL A) + SIL2 (ASIL B) = SIL? (ASIL C)

[IEC 61508-2010-2, 7.4.3.2] For an element of systematic capability SC N (N = 1, 2, 3), where a systematic fault of that element does not cause a failure of the specified safety function but does so only in combination with a second systematic fault of another element of systematic capability SC N, the systematic capability of the combination of the two elements can be treated as having a systematic capability of SC (N + 1), providing that sufficient independence exists between the two elements.
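A small checker for the decomposition patterns in the figure above and for the IEC 61508 combination rule, added here as an example (not part of the slides). It generalizes the figure to every original ASIL using the rule that the two decomposed ASILs add up to the original one (the QM (D) + ASIL D (D) form appears later on the watchdog slide); the label notation "ASIL B (D)" and the flags for independence and homogeneous redundancy are this example's own assumptions.

```python
import re

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
RANK_ASIL = {v: k for k, v in ASIL_RANK.items()}
# Accepts "ASIL B (D)", "ASIL B(D)" or "QM (D)": decomposed ASIL, original ASIL in parentheses.
DECOMP_RE = re.compile(r"^(?:ASIL\s*)?(QM|[A-D])\s*\(\s*([A-D])\s*\)$")


def decomposition_options(original):
    """Allowed pairs for one original ASIL. Every pattern in the figure satisfies
    rank(part1) + rank(part2) == rank(original), e.g. D -> C+A, B+B, D+QM."""
    n = ASIL_RANK[original]
    if n == 0:  # QM cannot be decomposed
        return []
    return [(RANK_ASIL[i], RANK_ASIL[n - i]) for i in range((n + 1) // 2, n + 1)]


def parse_decomposed(label):
    """'ASIL B (D)' -> ('B', 'D'); the ASIL in parentheses is the original one."""
    m = DECOMP_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a decomposed ASIL label: {label!r}")
    return m.group(1), m.group(2)


def check_decomposition(original, part1, part2, independent_redundancy,
                        homogeneous=False, dfa_evidence=False):
    """Return (ok, reason) for a proposed decomposition (assumed checker, not ISO text).
    independent_redundancy: each element implements the safety requirement on its own
      and sufficient independence is shown (a watchdog monitoring a μC is not this).
    homogeneous: identical redundant elements, which need dependent-failure analysis
      evidence (dfa_evidence) before the ASIL may be reduced (ISO 26262-9, 5.4.11)."""
    a, orig_a = parse_decomposed(part1)
    b, orig_b = parse_decomposed(part2)
    if orig_a != original or orig_b != original:
        return False, "decomposed requirements must carry the original ASIL in parentheses"
    if ASIL_RANK[a] + ASIL_RANK[b] != ASIL_RANK[original]:
        return False, f"ASIL {a} + ASIL {b} does not add up to ASIL {original}"
    if not independent_redundancy:
        return False, f"no independent redundancy: both elements keep ASIL {original}"
    if homogeneous and not dfa_evidence:
        return False, "homogeneous redundancy: no ASIL reduction without dependent-failure analysis"
    return True, "valid ASIL decomposition"


def iec61508_combined_sc(sc1, sc2, independent):
    """IEC 61508-2 7.4.3.2: two sufficiently independent elements of the same SC N
    (N = 1..3) combine to SC N+1. The clause gives no value for any other case
    (the 'SIL1 + SIL2 = SIL?' line above), so None is returned there."""
    if independent and sc1 == sc2 and 1 <= sc1 <= 3:
        return sc1 + 1
    return None
```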

Benefit of ASIL decomposition: fewer changes to an existing design

Figure: throttle pedal and AC motor (ASIL C); intended function: complex inverter drive system, QM (C); safety mechanism: low-performance μC, ASIL C (C)

Add an extra, logically simple safety monitoring circuit and avoid changing the original design.

Combine existing lower-level safety components to implement a higher-level safety function.

- E.g. preventing unintended steering-wheel lock while driving

Benefit of ASIL decomposition: reuse of existing safety components

Figure: ESCL, ASIL D

- Vehicle speed from ABS: ASIL B (D)

- IGN status from BCM: ASIL B (D)

Common misconceptions about ASIL decomposition

Misconception 1: not understanding the purpose of ASIL decomposition. Blind ASIL decomposition lowers the reliability of the product.

See: What is ASIL decomposition?

Misconception 2: believing that ASIL decomposition can change the random hardware failure metrics

[ISO 26262-9, 5.2] The requirements specific to the random hardware failures, including

- evaluation of the hardware architectural metrics (SPFM, LFM)

- evaluation of safety goal violations due to random hardware failures (PMHF)

remain unchanged by ASIL decomposition.

Figure: Safety Goal (ASIL D), decomposed into Architectural element 1 [ASIL C (D)] and Architectural element 2 [ASIL A (D)]; targets for the safety goal: SPFM >= 99 %, LFM >= 90 %, PMHF < 10^-8 h^-1

The target values for the safety goal of the item remain the same.

Misconception 3: treating a detection mechanism as ASIL decomposition

- A watchdog and a processor are not redundant in the true sense: the watchdog does not independently perform a complete safety function

- This is a common detection measure against random failures, not a decomposition

Figure: μC ASIL D shown as μC QM (D) + Watchdog ASIL D (D)

Misconception 4: failing to distinguish safety redundancy from functional redundancy

Only when the purpose of the redundancy is to improve the safety of the product, rather than to keep the function available, can it be a decomposition.

A typical question from a customer:

A function (ASIL C) is started only when signal 1 and signal 2 are both high. Do signals 1 and 2 inherit ASIL C, or can they be decomposed?

The correct answer is:

ASIL decomposition can be applied to signal 1 and signal 2 only if the safety function can fail only when signal 1 and signal 2 fail at the same time (provided that signal 1 and signal 2 have no dependency on each other).

Misconception 5: even safety redundancy cannot always be decomposed

- Two identical sensors: if one has a design flaw, the other has it too; they share a common cause

- [ISO 26262-9, 5.4.11] In the case of use of homogeneous redundancy and with respect to systematic failures of hardware and software, the ASIL cannot be reduced unless an analysis of dependent failures provides evidence that

  - sufficient independence exists, or

  - the potential common causes lead to a safe state

Figure: Sensor ASIL D shown as Sensor X ASIL B (D) + Sensor X ASIL B (D) (same sensor type twice)

Misconception 6: ASIL decomposition done too early, so the actual implementation no longer matches it

This typically happens when ASIL decomposition is done too early in the design phase and the design is changed later.

Figure (planned vs. actual architecture), both labelled: Sensor ASIL D, Logic 1 QM (D), Logic 2 ASIL D (D)

How to do ASIL decomposition correctly

Example 1: ASIL decomposition in the concept phase (ISO 26262-10, chapter 11)

Step 1: Describe the higher-level requirement (the safety goal) and draw the initial system architecture

- Safety Goal: Avoid activating the actuator while the vehicle speed is greater than 15 km/h: ASIL C

Step 2: Add a redundant path and update the system architecture

Step 3: Fault tree analysis (optional), considering the AND/OR relations between the basic events
