1 莱茵技术（上海）有限公司 边俊/Jemmy Bian ASIL分解是什么 ASIL 分解是什么？分解是什么？ 29.08.2016 3 不同安全级别所选用的研发、测试的方式方法是不同的不同安全级别所选用的研发、测试的方式方法是不同的 如，在一个实际项目中，每高一级安全等级，仅花费的人力资源就是上一级的1.2-1.5倍左右（仅供参考） 为什么要做为什么要做ASIL 分解分解 ASIL 分解是什么？分解是什么？ ISO 26262-9, 5.2 The method of ASIL tailoring during the design process is called ASIL decomposition. During the allocation process, benefit can be obtained from architectural decisions including the existence of sufficiently independent architectural elements. This offers the opportunity: - to implement safety requirements redundantly by these independent architectural elements, and - to assign a potentially lower ASIL to these decomposed safety requirements. ISO 26262-9, 5.2 ASIL decomposition is an ASIL tailoring measure that can be applied to the functional, technical, hardware or software safety requirements of the item or element. ISO 26262-10, 11.1 The objective of ASIL decomposition is to apply redundancy in order to comply with the safety goal with respect to systematic failures. 29.08.2016 4 ASIL 分解在标准中的定义分解在标准中的定义 ASIL 分解是什么？分解是什么？ 29.08.2016 5 ASIL 分解在概念分解在概念、系统系统、软件软件、硬件阶段的应用硬件阶段的应用 Functional safety requirement / Technical safety requirements T-SR-1 ASIL D: A sensor shall detect that a person is sitting on the seat T-SR-1a ASIL B (D): A pressure sensor T-SR-1b ASIL B (D): A camera Hardware safety requirements HW-SR-1 ASIL D: Power supply shall be disabled HW-SR-1a ASIL A (D): by MOSFET HW-SR-1b ASIL C (D): by bipolar transistors Software safety requirements SW-SR-1 ASIL C: Output value shall be calculated by algorithm SW-SR-1a ASIL B (C): algorithm a SW-SR-1b ASIL A (C): algorithm b ASIL 分解分解是是什么？什么？ 29.08.2016 6 怎么做怎么做ASIL decomposition？ ASIL D ASIL C(D) ASIL A(D) ASIL C ASIL B(C) ASIL A(C) or + + ASIL D ASIL B(D) ASIL B(D) ASIL B ASIL A(B) ASIL A(B) + + Decomposition of ASIL D Decomposition of ASIL B Decomposition of ASIL C 5.4.11 5.4.11 5.4.12 5.4.11 5.4.11 ASIL 分解是什么？分解是什么？ 29.08.2016 7 ASIL分解的依据和来源是什么分解的依据和来源是什么？ SIL1(ASIL A)+SIL1(ASIL A)=SIL2(ASIL B) SIL2(ASIL B)+SIL2(ASIL B)=SIL3(ASIL D) SIL1(ASIL A)+SIL2(ASIL B)=SIL?(ASIL C) IEC 61508-2010-2, 7.4.3.2 For an element of systematic capability SC N (N=1, 2, 3), where a systematic fault of that element does not cause a failure of the specified safety function but does so only in combination with a second systematic fault of another element of systematic capability SC N,the systematic capability of the combination of the two elements can be treated as having a systematic capability of SC (N + 1) providing that sufficient independence exists between the two elements . ASIL 分解是什么？分解是什么？ 29.08.2016 8 ASIL 分解的好处分解的好处：减少对减少对以往设计的改动以往设计的改动 throttle pedal AC motor ASIL C ASIL C QM (C) ASIL C low performance C ASIL C (C) ASIL C intended function safety mechanism complex inverter drive system 增加一个额外且逻辑简单的安全监控电路,避免对原有设计的改动 ASIL 分解是什么？分解是什么？ 使用已有的低级别的安全组件的组合,完成高级别的安全功能 - E.g.开车过程开车过程中防止方向盘误锁 29.08.2016 9 ASIL 分解的好处分解的好处：使用已有的安全组件使用已有的安全组件 Vehicle speed from ABS ASIL B (D) IGN status from BCM ASIL B (D) ESCL ASIL D ASIL分解的常见误区 ASIL分解的常见误区分解的常见误区 29.08.2016 11 误误区区1：不了解不了解ASIL分解的目的分解的目的 盲目的ASIL分解会降低产品的可靠性 ASIL 分解是什么？分解是什么？ 29.08.2016 12 误误区区2：认为认为ASIL分解能够改变随机性失效度量指标分解能够改变随机性失效度量指标 ISO26262-9, 5.2: The requirements specific to the random hardware failures, including evaluation of the hardware architectural metrics (SPFM, LFM) evaluation of safety goal violations due to random hardware failures (PHMF) remain unchanged by ASIL decomposition. Architectural element 1 Architectural element 2 ASIL C (D) ASIL A (D) Safety Goal (ASIL D) SPFM = 99 % LFM = 90 % PMHF ASIL C Requirement B 2: the AC ECU does not power the actuator if the vehicle speed is greater than 15 km/h= ASIL QM (C) Requirement B 3: the VS ECU sends accurate vehicle speed information to the Redundant Switch. =ASIL C Requirement B 4: the Redundant Switch is in an open state if the vehicle speed is greater than 15 km/h.= ASIL C (C) Requirement B 5: : The actuator operates only when powered by the AC ECU and the Redundant Switch is closed. = ASIL C Requirement B 6: Sufficient independence of the AC ECU and the Redundant Switch is shown. := ASILC 如果是一个输出，可以合并； 如果不是，同样可以做分解 如何实现正确的如何实现正确的ASIL分分解解 29.08.2016 22 实例实例2：软件的软件的ASIL分解分解（E-gas 6.0） Level 1：function level (QM or ASIL A) Level 2：function monitoring level Question? 在实际的开发过程 中，针对硬件ASIL 分解的好处是什么？ 哪些硬件需要考虑 ASIL分解？ 29.08.2016 23 在硬件中的在硬件中的ASIL分解分解 Thanks Ms. Joan YANG 杨家玥 Sales Manager | Industrial Services of TV Rheinland (China) e-mail: Mobile: +86 136 6186 1123 Mr. Jemmy Bian边俊 Project Manager | Industrial Services of TV Rheinland (China) e-mail: J Mobile: +86 153 810 90002