# 기능안전 확보를 위한 SW 측면 고려사항 - Architecture 개선 측면 ### **DNV GL - Introduction** ≈100,000 1864 350 REVENUE (MILLION NOK) 19,475 12,715 ### **DNV GL Korea - Automotive Functional Safety Business Portfolio** #### **Concept Engineering** - Item Definition - HARA (Hazard Analysis & Risk Assessment) - FSC Engineering #### **Vehicle Test** Safety Validation Specification #### **FuSa Management** - DIA Management - **OEM Engineering Process** - Supplier Management - Supplier Engineering Review (e.g. TSC) #### **System Engineering** Technical Safety Concept (i.e. Safety structure, safety mechanisms design) #### **Hardware Engineering** - Schematic Analysis (SPFM, LFM, PMHF) - MCU/ASIC Engineering Support #### **Software Engineering** - SW Architecture Design - **AUTOSAR/OSEK Support** - SW Safety Analysis, DFA #### **Supplier Engineering Process** - A-SPICE Process Consulting - ISO 26262:2018 Process Consulting #### **3rd Party Evaluation** - FuSa Audit - FuSa Assessment - A-SPICE Assessment #### **Training** - ISO 26262: 2018 ## **Challenges for the SW Architecture** How the architecture can satisfy FuSa requirements? - Consider... - SSRs - Different ASILs in the same SW architecture - Sufficient and effective safety mechanisms - ASIL decomposition - Evidences - etc **Safety Analysis and Dependent Failure Analysis** #### **Static Architecture – Data Flow (Nominal Control)** ## **SW Safety Analysis - Background** | Consideration | Description | | |----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--| | 구현 수준 (즉, code level)의 분석은 수행하지 않음 | Variable, C-function 수준의 분석은 수행하지 않음<br>구현 수준의 systematic fault로 인한 영향은 SW architecture 수준에서 발생하는<br>각 SW component의 오동작과 대부분 중복적인 성격을 갖음.<br>구현 수준의 fault는 code review, analysis (e.g. static analysis, run-time<br>analysis), testing을 통해 검출 및 수정 수행 | | | RHF에 대한 고려는 제한적으로 수행 | MCU의 processing core, memory 수준의 fault (transient fault 포함) 정도가<br>부분적으로 고려 될 수 있음 | | | SW의 random fault는 고려하지 않음 | SW는 자제척인 random fault를 가지고 있지 않음 | | | Fault classification을 수행하지 않음 | SPF, RF, MPF는 HW fault에만 적용되는 개념임 | | | Failure rate estimation, failure mode distribution,<br>diagnostic coverage과 같은 정량적인 분석을 수행하지<br>않음 | 정량적인 지표 산출 불가 | | | HW safety mechanism이 고려 될 수 있음 | 특정 SW fault는 HW safety mechanism에 의해 cover될 수 있음 (e.g. MPU) | | | Inductive, deductive 방식에 대한 recommendation<br>level이 없음 | FTA 방식의 효과성은 널리 알려지지 않음 | | ## SW Safety Analysis and Dependent Failure Analysis - Background | Term. | Definition | | |-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--| | Cascading Failure | Failure of an element of an item resulting from a root cause (inside or outside of the element) and then causing a failure of another element of elements of the same or different item | | | Common Cause<br>Failure | Failure of two or more elements of an item resulting directly for a single specific event or root cause which is either internal or external to all of these elements | | ## SW Safety Analysis and Dependent Failure Analysis - Background Achievement of independence or freedom from interference between the software architectural elements can be required because of: - the application of an ASIL decomposition at the software level (see 6.4.3), - the implementation of software safety requirements (see 7.4.11), for example to provide evidence for effectiveness of the software safety mechanisms such as independence between the monitored element and the monitor, or - required coexistence of the software architectural elements (see 7.4.6, 7.4.8 and 7.4.9 and ISO 26262-9:2018, Clause 6). ## Achievement of freedom from interference – ISO 26262:2018 (Part 6) | | Timing and execution | Memory | Exchange of information | |-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Faults | <ul> <li>Blocking of execution</li> <li>Deadlocks</li> <li>Livelocks</li> <li>Incorrect allocation of execution time</li> <li>Incorrect synchronization between software elements</li> </ul> | <ul> <li>Corruption of content</li> <li>Inconsistent data (read/write timing)</li> <li>Stack overflow/underflow</li> <li>Access violation (read/write)</li> </ul> | <ul> <li>Repetition</li> <li>Information loss, delay, insertion</li> <li>Masquerade</li> <li>Incorrect sequence</li> <li>Information corruption</li> <li>Asymmetric information sending (sender → multiple receiver)</li> <li>Information sending to subset of receivers</li> <li>Communication channel access block</li> </ul> | | Example<br>Safety<br>measures | <ul> <li>Cyclic execution scheduling</li> <li>Fixed priority based scheduling</li> <li>Processor execution time monitoring</li> <li>Program sequence monitoring</li> </ul> | <ul> <li>Memory protection</li> <li>Error-correcting code (ECC)</li> <li>Cyclic redundancy check (CRC)</li> <li>Redundant storage</li> <li>Restricted memory access</li> <li>Memory static allocation</li> </ul> | <ul> <li>Information repetition</li> <li>Loop back</li> <li>Information ACK</li> <li>Sequence numbers</li> <li>Alive counter</li> <li>EDC/ECC (error detection code, error correction code)</li> </ul> | ## **Architecture(first step) - example** #### **Static Architecture – Data Flow (Nominal Control)** # Thank you for your attention 고병각 기능안전 실장 Byeong.gak.ko@dnvgl.com 010-5646-0923 www.dnvgl.com **SAFER, SMARTER, GREENER**