Automotive Electronics Functional Safety Standard ISO 26262 Explained (Part 8): ASIL Decomposition

Copyright notice: this is an original article by the blogger, released under the CC 4.0 BY-SA license. When reposting, please include a link to the original and this notice.
本文链接:https://blog.csdn.net/pianpian_zct/article/details/79043102

ISO 26262-9 Clause 5 Requirements decomposition with respect to ASIL tailoring

The objective of this clause is to provide rules and guidance for decomposing safety requirements into redundant safety requirements to allow ASIL tailoring at the next level of detail.

In other words, this clause gives the rules and guidance for splitting a safety requirement into redundant safety requirements, so that the ASIL can be tailored (lowered) at the next level of detail.

The ASIL, as an attribute of the safety goal, is inherited by each subsequent safety requirement.

Every safety requirement inherits its ASIL from the safety goal it is derived from.

The functional and technical safety requirements are allocated to architectural elements, starting with preliminary architectural assumptions and ending with the hardware and software elements.

Allocation starts from the preliminary architectural assumptions and ends when the functional and technical safety requirements have been assigned to concrete hardware and software elements.

During the allocation process, benefit can be obtained from architectural decisions and the existence of independent architectural elements. This offers the opportunity:

During this allocation, the architectural decisions that have been made, and the presence of independent elements in the architecture, give us the following two opportunities:

1) to implement safety requirements redundantly by these independent architectural elements;

Implement the safety requirement redundantly on these independent architectural elements.

2) to assign a potentially lower ASIL to these redundant safety requirements.

Assign a potentially lower ASIL to each of these redundant safety requirements.

If there is no independence between the elements, the ASIL of the safety goal is inherited by each requirement and element.

If the elements are not independent, every requirement and every element simply inherits the ASIL of the safety goal above it; nothing is gained.

NOTE 1 ASIL decomposition is an ASIL tailoring measure that can be applied to the functional, technical, hardware or software safety requirements of the item or system.

ASIL decomposition is one method of ASIL tailoring. It can be applied to functional, technical, hardware and software safety requirements.

NOTE 2 As a basic rule, the application of ASIL decomposition requires redundancy of safety requirements allocated to architectural elements that are sufficiently independent.

As a basic rule, applying ASIL decomposition requires that the safety requirement be implemented redundantly, with the redundant requirements allocated to architectural elements that are sufficiently independent of each other.

NOTE 3 In the case of use of homogenous redundancy (e.g. by duplicated device or duplicated software) the ASIL with respect to systematic failures of hardware and software cannot be reduced unless an analysis of dependent failures shows sufficient independence or that the potential common causes lead to a safe state. Therefore, homogenous redundancy is in general not sufficient for reducing the ASIL due to the lack of independence between the elements.

With homogeneous redundancy (for example a duplicated device or duplicated software), the ASIL with respect to systematic failures cannot be lowered, because the two copies share the same systematic faults and so are not independent. The only exception is when a dependent failure analysis shows that the elements are sufficiently independent, or that the potential common causes lead to a safe state.

ASIL decomposition may be performed in the following subphases: ISO 26262-3: Clause 8 "Functional safety concept", ISO 26262-4: Clause 7 "System design", ISO 26262-5: Clause 7 "Hardware design", and ISO 26262-6: Clause 7 "Software architectural design".

ASIL decomposition can be performed in the following sub-phases: the functional safety concept, system design, hardware design and software architectural design.

1. Prerequisites

Inputs:

--- safety requirements at the applied system, hardware or software level

The safety requirements at the system, hardware or software level at which decomposition is to be performed.

--- architectural information at the applied system, hardware or software level

The architectural information at the system, hardware or software level at which decomposition is to be performed.

2. Requirements and recommendations

ASIL decomposition shall be performed considering each allocated safety requirement of the element.

Decomposition is applied per requirement: each safety requirement allocated to the element is considered separately.

--- diverse redundancy is used to cope with both systematic failures and random hardware failures;

Diverse redundancy can be used to cope with both systematic failures and random hardware failures.

--- homogeneous redundancy is used to cope with random hardware failures only.

Homogeneous redundancy can only be used to cope with random hardware failures.
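The rules quoted above (ASIL inherited from the safety goal, a lower ASIL only for redundant requirements on sufficiently independent elements, homogeneous redundancy credited against random hardware failures only) can be written down as a small checker. The block below is an added illustration for this page, not code from ISO 26262 or from the blog author. The data model (Element, SubRequirement, Decomposition) and the two torque-limiting scenarios are constructed for the example. It goes beyond what the page quotes in one respect: the table of permitted decomposition schemes (D into C+A, B+B or D+QM; C into B+A or C+QM; B into A+A or B+QM; A into A+QM) and the "ASIL B(D)" labelling come from ISO 26262-9 5.4.9 and 5.4.10.

```python
"""Rule checker for ASIL decomposition (ISO 26262-9 Clause 5).

Added illustration for this page, not code from the standard or the blog
author. Data model and scenarios are constructed; the scheme table and the
'B(D)' notation are taken from ISO 26262-9 5.4.9 / 5.4.10.
"""
from dataclasses import dataclass
from enum import IntEnum


class Asil(IntEnum):
    # QM is 0 so that every permitted pair sums to its source ASIL.
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


# Permitted schemes (ISO 26262-9 5.4.9), stored as (higher, lower).
PERMITTED_SCHEMES = {
    Asil.D: {(Asil.C, Asil.A), (Asil.B, Asil.B), (Asil.D, Asil.QM)},
    Asil.C: {(Asil.B, Asil.A), (Asil.C, Asil.QM)},
    Asil.B: {(Asil.A, Asil.A), (Asil.B, Asil.QM)},
    Asil.A: {(Asil.A, Asil.QM)},
}


def is_permitted_scheme(source: Asil, a: Asil, b: Asil) -> bool:
    """True if (a, b) is an allowed decomposition of `source`."""
    return (max(a, b), min(a, b)) in PERMITTED_SCHEMES.get(source, set())


@dataclass(frozen=True)
class Element:
    name: str
    technology: str  # same technology on both sides => homogeneous redundancy


@dataclass(frozen=True)
class SubRequirement:
    text: str
    asil: Asil       # ASIL proposed for this redundant requirement
    element: Element


@dataclass(frozen=True)
class Decomposition:
    source_asil: Asil                        # inherited from the safety goal
    parts: tuple[SubRequirement, SubRequirement]
    dfa_shows_independence: bool = False     # dependent failure analysis result
    common_cause_gives_safe_state: bool = False


def redundancy_kind(d: Decomposition) -> str:
    techs = {p.element.technology for p in d.parts}
    return "homogeneous" if len(techs) == 1 else "diverse"


def failure_types_addressed(d: Decomposition) -> set[str]:
    """Diverse redundancy copes with systematic and random hardware failures;
    homogeneous redundancy copes with random hardware failures only."""
    if redundancy_kind(d) == "diverse":
        return {"systematic", "random hardware"}
    return {"random hardware"}


def sufficiently_independent(d: Decomposition) -> bool:
    """NOTE 2 / NOTE 3: lowering the ASIL needs sufficiently independent
    elements, shown by the DFA or by common causes leading to a safe state.
    Assumption: diversity alone is not accepted as that evidence."""
    return d.dfa_shows_independence or d.common_cause_gives_safe_state


def label(part: SubRequirement, source: Asil) -> str:
    """Standard notation: decomposed ASIL with the source ASIL in brackets."""
    return f"ASIL {part.asil.name}({source.name})"


def apply_decomposition(d: Decomposition) -> dict[str, Asil]:
    """ASIL each element must be developed to, with respect to systematic
    failures, after applying the rules quoted on this page."""
    a, b = d.parts
    if not is_permitted_scheme(d.source_asil, a.asil, b.asil):
        raise ValueError(f"{a.asil.name}+{b.asil.name} is not a permitted "
                         f"decomposition of ASIL {d.source_asil.name}")
    if not sufficiently_independent(d):
        # No independence: every requirement and element inherits the
        # ASIL of the safety goal.
        return {p.element.name: d.source_asil for p in d.parts}
    return {p.element.name: p.asil for p in d.parts}


# Constructed scenario 1: duplicated software on one MCU, no DFA evidence.
HOMOGENEOUS_EXAMPLE = Decomposition(
    source_asil=Asil.D,
    parts=(
        SubRequirement("Limit requested torque", Asil.B, Element("sw-copy-1", "main-mcu-sw")),
        SubRequirement("Limit requested torque", Asil.B, Element("sw-copy-2", "main-mcu-sw")),
    ),
)

# Constructed scenario 2: plausibility monitor in application software plus an
# independent torque cut-off on a separate safety MCU; DFA shows independence.
DIVERSE_EXAMPLE = Decomposition(
    source_asil=Asil.D,
    parts=(
        SubRequirement("Limit requested torque", Asil.B, Element("app-sw", "main-mcu-sw")),
        SubRequirement("Cut torque on implausible request", Asil.B, Element("safety-mcu", "separate-mcu")),
    ),
    dfa_shows_independence=True,
)

if __name__ == "__main__":
    for name, d in (("homogeneous", HOMOGENEOUS_EXAMPLE), ("diverse", DIVERSE_EXAMPLE)):
        print(name, redundancy_kind(d), failure_types_addressed(d), apply_decomposition(d))
```

Running it shows the point of NOTE 3: the two identical software copies still have to be developed to ASIL D, while the diverse pair with DFA evidence drops to ASIL B(D) on each side. Invalid pairs such as C+C for an ASIL D requirement are rejected before any independence argument is considered.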

Summary:

1. What is decomposed: each individual safety requirement, and each system, hardware or software element it is allocated to

2. When it is done: functional safety concept, system design, hardware design and software architectural design

3. Governing principle: independence between the redundant elements

4. 分解方法:

 
