slohmaier/demo-epb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

feat(i18n): full English translation of demo-epb
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / reports (push) Successful in 50s
Details
Release / release (push) Successful in 50s
Details

Browse Source 
Phase 2 of the English translation:

Word documents (filled, EPB-specific):
- 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM)
- 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance,
  Verification Report, Tool Qualification Cppcheck)
- 2 manuals (User, Service)
- 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001)
- All regenerated via pandoc from English markdown sources

Code, tests, headers:
- All file headers, struct comments, function docstrings in English
- All test names (TEST_BEGIN strings) translated
- Inline comments translated
- 46 tests still green after translation

CI workflows:
- All step names in English
- Step descriptions, comments, release notes template in English

README.md fully rewritten in English with proper guided tour.

Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
This commit is contained in:
Stefan Lohmaier
2026-05-12 03:37:51 -07:00
parent a47e0aed3e
commit fb2c083551
54 changed files with 1528 additions and 1600 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/safety-md/FMEDA.md
+66 -74
View File
@@ -1,119 +1,111 @@
---
doc-id: SLM-EPB-FMEDA-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Failure Mode Effects and Diagnostic Analysis (FMEDA)
| Feld | Wert |
|--------------|----------------------------------------|
| Projekt | demo-epb |
| Dokument-ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 |
| Status | Freigegeben |
| Datum | 2026-05-12 |
| Norm | ISO 26262 Part 5 §8 + Part 10 |
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ISO 26262 Part 5 §8 + Part 10 |
---
## 1. Zweck
## 1. Purpose
Bottom-up-Analyse der Hardware- und Software-Fehlermoeglichkeiten der EPB,
Quantifizierung der Diagnostic Coverage (DC) und Berechnung der Single-Point
Fault Metric (SPFM) und Latent Fault Metric (LFM). Wird zur Bewertung der
Hardware-Architektur-Metriken nach ISO 26262-5 benoetigt.
Bottom-up analysis of EPB hardware and software failure modes, quantifying Diagnostic Coverage (DC) and computing the Single-Point Fault Metric (SPFM) and Latent Fault Metric (LFM). Required for hardware architecture metrics per ISO 26262-5.
In dieser Demo wird der **Software-Anteil** behandelt; der Hardware-FMEDA
ergeht separat (Komponenten-Hersteller).
This demo covers the **software** portion; the hardware FMEDA is provided separately (component manufacturer).
## 2. Methodik
## 2. Methodology
Pro Software-Komponente werden mogliche Failure Modes aufgelistet, ihre
Effekte beschrieben, Detection-Mechanismen identifiziert und die
Diagnostic Coverage abgeschaetzt.
For each software component, possible failure modes are listed, their effects described, detection mechanisms identified, and the diagnostic coverage estimated.
DC-Klassen nach ISO 26262-5 §C.2:
DC classes per ISO 26262-5 §C.2:
| DC-Klasse | DC % | Bedeutung |
| DC class | DC % | Meaning |
|-----------|-------|--------------------------------------|
| Low | < 60% | Schwache Diagnose |
| Medium | 60-90%| Mittlere Diagnose |
| High | > 90% | Starke Diagnose |
| Low | < 60% | Weak diagnostics |
| Medium | 60-90%| Medium diagnostics |
| High | > 90% | Strong diagnostics |
## 3. FMEDA-Tabelle pro Komponente
## 3. FMEDA table per component
### 3.1 SWA-002 Apply Controller (ASIL-D)
| FM-ID | Failure Mode | Effekt | Detection | DC | Safe State erreicht? |
| FM-ID | Failure mode | Effect | Detection | DC | Safe state reached? |
|-------|---------------------------------------|--------------------------------------|---------------------------------|-------|----------------------|
| FM-01 | State-Machine bleibt in APPLYING haengen | Bremse nie applied | Timeout 30*50ms -> ERROR | High | Ja (ERROR-State) |
| FM-02 | Falscher State-Uebergang APPLIED->RELEASED ohne Bedingung | Wegrollen | Vorbedingungs-Check (`release_preconditions_ok`) | High | Ja |
| FM-03 | Watchdog-Counter ueberlaeuft | Watchdog feuert false-positive | Wrap-safe Subtraktion in Watchdog (NC-001) | High | Ja (Reset) |
| FM-04 | Hold-Loop regelt nicht nach | Klemmkraftverlust unerkannt | Periodische Pruefung alle 50ms + force-tolerance | High | Ja (Re-Apply) |
| FM-05 | NULL-Pointer-Dereferenzierung Input | Crash | Early-Exit Check | High | Ja (Letzter Zustand bleibt) |
| FM-01 | State machine stuck in APPLYING | Brake never applied | Timeout 30×50ms ERROR | High | Yes (ERROR state) |
| FM-02 | Wrong state transition APPLIEDRELEASED without condition | Roll-away | Precondition check (`release_preconditions_ok`) | High | Yes |
| FM-03 | Watchdog counter overflow | Watchdog fires false positive | Wrap-safe subtraction in watchdog (NC-001) | High | Yes (reset) |
| FM-04 | Hold loop does not re-clamp | Clamping force loss undetected | Periodic check every 50ms + force tolerance | High | Yes (re-apply) |
| FM-05 | NULL pointer dereference on input | Crash | Early-exit check | High | Yes (last state remains) |
Aggregierte DC fuer Apply Controller: **96 %** (High).
Aggregated DC for Apply Controller: **96%** (High).
### 3.2 SWA-003 Actuator Driver (ASIL-B)
| FM-ID | Failure Mode | Effekt | Detection | DC |
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-06 | PWM-Wert ausserhalb 0..100 | Hardware-Schaden | Parameter-Check, return EINVAL | High |
| FM-07 | ISR misst zu hohen Strom kontinuierlich | Motor-Brand | Overcurrent-Cutoff > 8A > 100ms | High |
| FM-08 | ISR misst zu niedrigen Strom (Sensor-Fehler) | Klemmkraft falsch geschaetzt | Cross-Check beider Aktoren | Medium |
| FM-09 | Beide Aktoren gleichzeitiger Cutoff | EPB inoperativ | DTC + Service-Mode bleibt zugaenglich | Medium |
| FM-06 | PWM value outside 0..100 | Hardware damage | Parameter check, return EINVAL | High |
| FM-07 | ISR measures continuously high current | Motor fire | Overcurrent cutoff > 8A > 100ms | High |
| FM-08 | ISR measures too-low current (sensor fault) | Clamping force estimated wrong | Cross-check between actuators | Medium |
| FM-09 | Both actuators simultaneous cutoff | EPB inoperative | DTC + service mode remains reachable | Medium |
Aggregierte DC fuer Actuator Driver: **85 %** (Medium).
Aggregated DC for Actuator Driver: **85%** (Medium).
### 3.3 SWA-001 Safety Manager (ASIL-D)
| FM-ID | Failure Mode | Effekt | Detection | DC |
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-10 | Auto-Apply-Timer feuert nicht | Fahrzeug rollt nach Motor-Aus | Watchdog Safety-Manager | High |
| FM-11 | Hill-Hold-Uebergabe verzoegert | Rollen am Berg | Bremspedal-Signal-Verfolgung | High |
| FM-12 | False-Positive Hill-Hold-Aktivierung | Unnoetiges Apply | Filter-Tiefpass Inclinometer | Medium |
| FM-13 | Grade-Filter Saturation | Hill-Hold verpasst | Plausibilitaets-Check (Range) | Medium |
| FM-10 | Auto-apply timer does not fire | Vehicle rolls after engine off | Watchdog Safety Manager | High |
| FM-11 | Hill-hold handover delayed | Roll-away on incline | Brake-pedal signal tracking | High |
| FM-12 | False-positive hill-hold activation | Unnecessary apply | Low-pass filter inclinometer | Medium |
| FM-13 | Grade filter saturation | Hill-hold missed | Plausibility range check | Medium |
Aggregierte DC fuer Safety Manager: **88 %** (Medium-High).
Aggregated DC for Safety Manager: **88%** (Medium-High).
### 3.4 SWA-004 Wheel Speed Plausibilisierung (ASIL-B)
### 3.4 SWA-004 Wheel Speed Plausibilisation (ASIL-B)
| FM-ID | Failure Mode | Effekt | Detection | DC |
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-14 | Stuck-At-Zero auf einem Rad | Falscher Stillstand erkannt | Spreizung > 3 km/h Check + DTC | High |
| FM-15 | Alle 4 Sensoren ausgefallen | Stillstand unerkannt | Komplettausfall-DTC + Vorlast-Annahme | High |
| FM-14 | Stuck-at-zero on one wheel | False standstill detected | Spread > 3 km/h check + DTC | High |
| FM-15 | All 4 sensors failed | Standstill undetected | Total-failure DTC + load assumption | High |
DC: **95 %** (High).
DC: **95%** (High).
## 4. Aggregierte Metriken (Software)
## 4. Aggregated metrics (software)
| Metrik | Wert | Anforderung ASIL-D |
|------------------------------|---------|------------------------|
| SPFM (Single-Point Fault) | 95 % | >= 99 % (Software allein nicht ausreichend, HW erforderlich) |
| LFM (Latent Fault) | 90 % | >= 90 % |
| Aggregated DC | 92 % | High |
| Metric | Value | ASIL-D requirement |
|------------------------------|---------|--------------------------------------|
| SPFM (Single-Point Fault) | 95% | 99% (software alone insufficient; HW required) |
| LFM (Latent Fault) | 90% | 90% |
| Aggregated DC | 92% | High |
**Hinweis:** Die hier berichteten Software-DC-Werte sind keine ASIL-D-Hardware-
Metriken. ASIL-D-konforme SPFM/LFM benoetigen quantitative Hardware-FIT-Raten,
die auf HW-Ebene berechnet werden (Tier-1-Aktoren, ECU-Hardware).
**Note:** The software DC values reported here are not the ASIL-D hardware metrics. ASIL-D-compliant SPFM/LFM require quantitative hardware FIT rates, which are computed at the HW level (Tier-1 actuators, ECU hardware).
## 5. Diagnose-Massnahmen (Inventar)
## 5. Diagnostic measures (inventory)
| Mechanismus | Komponente | Trigger |
| Mechanism | Component | Trigger |
|------------------------------|-----------------------|----------------------------------------|
| Timeout-Watchdog | Apply Controller | 30*50ms im APPLYING |
| Klemmkraft-Hold-Check | Apply Controller | alle 50ms |
| Overcurrent-Cutoff | Actuator Driver | 8A > 100ms |
| Sensor-Spreizungs-Check | Wheel Speed Plausi | jede 10ms-Periode |
| Inclinometer-Range-Check | Inclinometer Filter | jede 10ms |
| Watchdog Safety Manager | Safety Manager | 100ms Liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | Aufruf von `diag_set_dtc()` |
| Timeout watchdog | Apply Controller | 30×50ms in APPLYING |
| Clamping force hold check | Apply Controller | every 50ms |
| Overcurrent cutoff | Actuator Driver | 8A > 100ms |
| Sensor spread check | Wheel Speed Plausi | every 10ms cycle |
| Inclinometer range check | Inclinometer Filter | every 10ms |
| Watchdog Safety Manager | Safety Manager | 100ms liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | call of `diag_set_dtc()` |
## 6. Aenderungshistorie
## 6. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/safety-md/HARA.md
+94 -103
View File
@@ -1,154 +1,145 @@
---
doc-id: SLM-EPB-HARA-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Hazard Analysis & Risk Assessment (HARA)
| Feld | Wert |
|----------------|------------------------------------------------|
| Projekt | demo-epb (Elektrische Parkbremse) |
| Dokument-ID | SLM-EPB-HARA-001 |
| Datum | 2026-05-12 |
| Version | 1.0 |
| Status | Freigegeben |
| Norm | ISO 26262 Part 3 (Concept Phase) |
| Erstellt von | Stefan Lohmaier |
| Geprueft von | (Tech Lead, im Realprojekt unabhaengig) |
| Freigegeben von| (Safety Manager, im Realprojekt unabhaengig) |
| Field | Value |
|-----------------|-------------------------------------------------|
| Project | demo-epb (Electric Parking Brake) |
| Document ID | SLM-EPB-HARA-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 3 (Concept Phase) |
| Author | Stefan Lohmaier |
| Reviewer | (Tech Lead, independent in real project) |
| Approver | (Safety Manager, independent in real project) |
---
## 1. Zweck
## 1. Purpose
Identifikation und Klassifikation aller relevanten Hazards der Elektrischen
Parkbremse (EPB) gemaess ISO 26262-3. Aus den Hazards werden Sicherheitsziele
abgeleitet und ein Automotive Safety Integrity Level (ASIL) zugewiesen.
Identification and classification of all relevant EPB hazards per ISO 26262-3. From the hazards, safety goals are derived and an Automotive Safety Integrity Level (ASIL) is assigned.
## 2. Item-Definition
## 2. Item definition
Die EPB ist ein elektromechanisches System, das die hinteren Bremssaettel mit
zwei kleinen Elektromotoren festklemmt und wieder loest. Item-Boundary
(ISO 26262-3 §5):
The EPB is an electromechanical system that clamps both rear callipers using two small electric motors and releases them. Item boundary (ISO 26262-3 §5):
- **Innerhalb:** EPB-ECU, beide Caliper-Motoren, EPB-Schalter, Status-LED
- **Aussen:** ESP, Motormanagement, Bremssystem (hydraulisch), Lenkung
- **Schnittstellen:** CAN-Bus, Wheel-Speed-Sensoren, Inclinometer
- **Inside:** EPB ECU, both calliper motors, EPB switch, status LED
- **Outside:** ESP, engine management, brake system (hydraulic), steering
- **Interfaces:** CAN bus, wheel-speed sensors, inclinometer
## 3. Operational Situations & Hazards
## 3. Operational situations & hazards
Die folgenden Betriebssituationen und Hazards wurden im Concept-Workshop
(2026-05-11) identifiziert:
The following operational situations and hazards were identified in the concept workshop (2026-05-11):
### 3.1 Hazard-Liste
### 3.1 Hazard list
| H-ID | Hazard | Betriebs-Situation |
|-------|------------------------------------------------------|------------------------------------|
| H-01 | Ungewolltes Loesen der Parkbremse im Stillstand | Fahrzeug parkt am Hang, Fahrer aus|
| H-02 | Ungewolltes Festklemmen waehrend der Fahrt | Fahrt > 10 km/h |
| H-03 | Keine Apply-Reaktion auf Fahrer-Anforderung | Stillstand, Fahrer betaetigt Schalter |
| H-04 | Verlust der Klemmkraft im Hold-Zustand | Parkphase laenger als 1 h |
| H-05 | Motorschaden durch Ueberstrom | Aktor-Mechanik blockiert |
| H-06 | Falsche Hill-Hold-Uebergabe (Rollen am Berg) | Anfahrt am Berg |
| H-07 | Keine Release-Reaktion bei Anfahrt | Stillstand, Fahrer will losfahren |
| H-08 | LED-Anzeige falsch | beliebig |
| H-ID | Hazard | Operational situation |
|-------|------------------------------------------------------|--------------------------------------|
| H-01 | Unintended release of the parking brake at standstill | Vehicle parked on incline, driver out|
| H-02 | Unintended clamping during driving | Driving > 10 km/h |
| H-03 | No apply reaction to driver request | Standstill, driver actuates switch |
| H-04 | Loss of clamping force in hold state | Parking phase longer than 1 h |
| H-05 | Motor damage from overcurrent | Actuator mechanics blocked |
| H-06 | Incorrect hill-hold handover (roll-away on incline) | Drive-away on incline |
| H-07 | No release reaction on drive-away | Standstill, driver wants to drive |
| H-08 | LED indicator wrong | any |
### 3.2 Severity / Exposure / Controllability
Klassifikation nach ISO 26262-3 §6:
Classification per ISO 26262-3 §6:
| Severity | Bedeutung |
| Severity | Meaning |
|----------|------------------------------------------------------------|
| S0 | Keine Verletzungen |
| S1 | Leichte / moderate Verletzungen |
| S2 | Schwere Verletzungen (Ueberleben wahrscheinlich) |
| S3 | Lebensgefaehrliche Verletzungen (Ueberleben fraglich) |
| S0 | No injuries |
| S1 | Light / moderate injuries |
| S2 | Severe injuries (survival likely) |
| S3 | Life-threatening injuries (survival uncertain) |
| Exposure | Bedeutung |
| Exposure | Meaning |
|----------|------------------------------------------------------------|
| E0 | Sehr unwahrscheinlich |
| E1 | Sehr seltene Situation |
| E2 | Seltene Situation |
| E3 | Mittlere Wahrscheinlichkeit |
| E4 | Haeufige Situation |
| E0 | Very unlikely |
| E1 | Very rare situation |
| E2 | Rare situation |
| E3 | Medium likelihood |
| E4 | Frequent situation |
| Controllability | Bedeutung |
|------------------|------------------------------------------------------|
| C0 | Allgemein beherrschbar |
| C1 | Einfach beherrschbar (>99% der Fahrer) |
| C2 | Normal beherrschbar (>90% der Fahrer) |
| C3 | Schwer beherrschbar oder unbeherrschbar |
| Controllability | Meaning |
|------------------|----------------------------------------------------|
| C0 | Generally controllable |
| C1 | Simply controllable (>99% of drivers) |
| C2 | Normally controllable (>90% of drivers) |
| C3 | Difficult to control or uncontrollable |
### 3.3 ASIL-Determination
### 3.3 ASIL determination
| H-ID | Beschreibung | S | E | C | ASIL |
|-------|-------------------------------------------|----|----|----|-------|
| H-01 | Ungewolltes Loesen, Parkphase | S3 | E4 | C3 | **D** |
| H-02 | Ungewolltes Festklemmen waehrend Fahrt | S3 | E4 | C3 | **D** |
| H-03 | Keine Apply-Reaktion auf Anforderung | S2 | E4 | C2 | B |
| H-04 | Klemmkraftverlust im Hold | S3 | E4 | C3 | **D** |
| H-05 | Motorschaden durch Ueberstrom | S1 | E3 | C2 | A |
| H-06 | Hill-Hold-Versagen (Rollen am Berg) | S3 | E3 | C3 | C |
| H-07 | Keine Release-Reaktion | S1 | E4 | C2 | A |
| H-08 | LED-Anzeige falsch | S0 | -- | -- | QM |
| H-ID | Description | S | E | C | ASIL |
|-------|------------------------------------------|----|----|----|-------|
| H-01 | Unintended release, parking phase | S3 | E4 | C3 | **D** |
| H-02 | Unintended clamping during driving | S3 | E4 | C3 | **D** |
| H-03 | No apply reaction to request | S2 | E4 | C2 | B |
| H-04 | Clamping force loss in hold | S3 | E4 | C3 | **D** |
| H-05 | Motor damage from overcurrent | S1 | E3 | C2 | A |
| H-06 | Hill-hold failure (roll-away on incline) | S3 | E3 | C3 | C |
| H-07 | No release reaction | S1 | E4 | C2 | A |
| H-08 | LED indicator wrong | S0 | -- | -- | QM |
ASIL-Matrix laut ISO 26262-3 Table 4 angewandt. H-06 wurde im Review von
ASIL-D auf ASIL-C zurueckgestuft, da Hill-Hold-Ausfall auf trockener Strasse
durch Fahrerreaktion noch beherrschbar (C2-C3-Grenzfall, konservativ C3).
ASIL matrix per ISO 26262-3 Table 4 applied. H-06 was downgraded from ASIL-D to ASIL-C in review, since hill-hold failure on dry road remains controllable through driver response (C2-C3 borderline, conservatively C3).
## 4. Sicherheitsziele (Safety Goals)
## 4. Safety goals
Aus den Hazards werden folgende Safety Goals abgeleitet:
From the hazards the following safety goals are derived:
| SG-ID | Sicherheitsziel | ASIL | Abgedeckte Hazards |
|-------|--------------------------------------------------------------------|-------|----------------------|
| SG-01 | EPB darf sich im Stillstand nicht ungewollt loesen | D | H-01, H-04 |
| SG-02 | EPB darf nicht ungewollt waehrend der Fahrt festklemmen | D | H-02 |
| SG-03 | EPB muss Schutz gegen Aktor-Ueberstrom bieten | A | H-05 |
| SG-04 | Hill-Hold muss zuverlaessig an Apply Controller uebergeben | C | H-06 |
| SG-05 | EPB muss auf Fahreranforderung in spezifizierter Zeit reagieren | B | H-03, H-07 |
| SG-ID | Safety goal | ASIL | Covered hazards |
|-------|-------------------------------------------------------------------|-------|----------------------|
| SG-01 | The EPB must not unintentionally release while at standstill | D | H-01, H-04 |
| SG-02 | The EPB must not unintentionally clamp while driving | D | H-02 |
| SG-03 | The EPB must protect against actuator overcurrent | A | H-05 |
| SG-04 | Hill-hold must reliably hand over to the apply controller | C | H-06 |
| SG-05 | The EPB must respond to driver requests within specified times | B | H-03, H-07 |
## 5. Safe State
## 5. Safe state
Definitionen aus ISO 26262-3 §7.4.2.5:
Definitions per ISO 26262-3 §7.4.2.5:
| Item / Funktion | Safe State |
| Item / Function | Safe state |
|------------------------|------------------------------------------------------------|
| Apply-Phase | Aktor stoppen, Status auf APPLIED setzen |
| Hold-Phase | Klemmkraft beibehalten (passiv) |
| Release-Phase | Auf Apply zurueckkehren, Klemmkraft halten |
| Bei Hardware-Fehler | APPLIED-Zustand erzwingen (verhindert Wegrollen) |
| Apply phase | Stop actuator, set status to APPLIED |
| Hold phase | Maintain clamping force (passive) |
| Release phase | Return to apply, maintain clamping force |
| On hardware fault | Force APPLIED state (prevents roll-away) |
Der ueber alle Faelle "konservative" Safe State ist **APPLIED**: lieber zu
viel klemmen als zu wenig.
The conservative safe state across all cases is **APPLIED**: rather over-clamp than under-clamp.
## 6. FTTI (Fault Tolerant Time Interval)
| Hazard | FTTI | Begruendung |
| Hazard | FTTI | Rationale |
|--------|---------|-----------------------------------------------------------|
| H-01 | 5 s | Wegrollen am Berg startet typ. nach 1-2 s, Hand-Aktion mglich nach ca. 5 s |
| H-02 | 100 ms | Stoss-Verlangsamung bei 50 km/h muss innerhalb 100 ms erkannt werden |
| H-04 | 30 s | Klemmkraftverlust akkumuliert langsam, periodische Pruefung alle 50ms reicht |
| H-06 | 500 ms | Hill-Hold-Uebergabe muss vor Rollbeginn (< 500ms) abgeschlossen sein |
| H-01 | 5 s | Roll-away on incline starts after ~1-2 s, hand action possible after ~5 s |
| H-02 | 100 ms | Shock deceleration at 50 km/h must be detected within 100 ms |
| H-04 | 30 s | Clamping force loss accumulates slowly, periodic check every 50 ms suffices |
| H-06 | 500 ms | Hill-hold handover must complete before roll-away begins (< 500 ms) |
## 7. Funktionale Sicherheitsanforderungen (FSR)
## 7. Functional Safety Requirements (FSR)
Aus den Safety Goals werden in `reqs/sys/` die SYS-Anforderungen abgeleitet
(siehe Traceability-Matrix). Mapping:
From the safety goals the SYS requirements in `reqs/sys/` are derived (see traceability matrix). Mapping:
| SG-ID | SYS-Anforderungen |
| SG-ID | SYS requirements |
|-------|----------------------------------------------------|
| SG-01 | SYS-001, SYS-004 |
| SG-02 | SYS-002 (Apply-Plausibilisierung), SYS-005 |
| SG-02 | SYS-002 (apply plausibility), SYS-005 |
| SG-03 | SYS-007 |
| SG-04 | SYS-005, SYS-006 |
| SG-05 | SYS-002, SYS-003 |
## 8. Aenderungshistorie
## 8. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe nach Review| S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release after review | S. Lohmaier |
docs/safety-md/MISRA-Compliance-Statement.md
+62 -65
View File
@@ -1,58 +1,55 @@
---
doc-id: SLM-EPB-MISRA-COMP-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# MISRA C:2012 Compliance Statement
| Feld | Wert |
|--------------|----------------------------------------|
| Projekt | demo-epb |
| Dokument-ID | SLM-EPB-MISRA-COMP-001 |
| Datum | 2026-05-12 |
| Standard | MISRA C:2012 (inkl. Amendment 1) |
| Compiler | GCC 11.2 (Linux CI) / GCC 16.1 (Win) |
| Checker | Cppcheck 2.7+ mit `--addon=misra` |
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-MISRA-COMP-001 |
| Date | 2026-05-12 |
| Standard | MISRA C:2012 (incl. Amendment 1) |
| Compiler | GCC 11.2 (Linux CI) / GCC 16.1 (Win) |
| Checker | Cppcheck 2.7+ with `--addon=misra` |
---
## 1. Zusammenfassung
## 1. Summary
Der Quellcode von demo-epb wurde gegen MISRA C:2012 geprueft.
Alle **Required** und **Mandatory** Regeln werden eingehalten, mit Ausnahme
von einer dokumentierten Deviation (siehe MISRA-REC-001).
The source code of demo-epb has been checked against MISRA C:2012. All **Required** and **Mandatory** rules are observed, with the exception of one documented deviation (see MISRA-REC-001).
**Compliance-Erklaerung:** demo-epb v1.0 ist **MISRA C:2012 compliant** unter
Beruecksichtigung dokumentierter Deviation Records.
**Compliance statement:** demo-epb v1.0 is **MISRA C:2012 compliant** taking into account the documented deviation records.
## 2. Geltungsbereich
## 2. Scope
| Modul | MISRA-konform geprueft |
|----------------------|-----------------------------|
| `src/switch_debouncer.{c,h}` | Ja |
| `src/actuator_driver.{c,h}` | Ja |
| `src/apply_controller.{c,h}` | Ja |
| `src/safety_manager.{c,h}` | Ja |
| `src/epb_types.h` | Ja |
| `src/stubs/*.h` | Header-only, keine MISRA-relevanten Implementierungen |
| `tests/**/*` | Nicht im Geltungsbereich (Test-Code) |
| `tools/**/*` | Nicht im Geltungsbereich (Python-Skripte) |
| Module | MISRA-checked |
|------------------------------|--------------------------|
| `src/switch_debouncer.{c,h}` | Yes |
| `src/actuator_driver.{c,h}` | Yes |
| `src/apply_controller.{c,h}` | Yes |
| `src/safety_manager.{c,h}` | Yes |
| `src/epb_types.h` | Yes |
| `src/stubs/*.h` | Header-only, no MISRA-relevant implementations |
| `tests/**/*` | Out of scope (test code) |
| `tools/**/*` | Out of scope (Python scripts) |
## 3. Regel-Aktivierung
## 3. Rule activation
Cppcheck MISRA-Addon prueft die folgenden Regel-Kategorien:
The Cppcheck MISRA addon checks the following rule categories:
| Kategorie | Anzahl | Aktivierung im Projekt |
|-----------|--------|--------------------------------|
| Mandatory | 9 | Alle aktiviert, Verletzung blockt Build |
| Required | 119 | Alle aktiviert, Verletzung blockt Build |
| Advisory | 47 | Aktiviert mit Warning-Level, Deviations zulaessig per Record |
| Category | Count | Activation in project |
|-----------|--------|----------------------------------|
| Mandatory | 9 | All active, violation blocks build |
| Required | 119 | All active, violation blocks build |
| Advisory | 47 | Active at warning level, deviations allowed per record |
## 4. Compliance-Status pro Regel-Kategorie
## 4. Compliance status per rule category
### 4.1 Mandatory Rules (9)
### 4.1 Mandatory rules (9)
| Rule | Status |
|-------------|------------|
@@ -61,15 +58,15 @@ Cppcheck MISRA-Addon prueft die folgenden Regel-Kategorien:
| R 19.1, R 21.13, R 21.17 | Compliant |
| R 21.18, R 21.19, R 21.20 | Compliant |
**Mandatory Status: 100 % Compliant.**
**Mandatory status: 100% Compliant.**
### 4.2 Required Rules
### 4.2 Required rules
Gesamt: 119 Required Rules. Verletzungen: **0**.
Total: 119 Required rules. Violations: **0**.
Top-relevante Rules fuer dieses Projekt:
Top relevant rules for this project:
| Rule | Beschreibung | Status |
| Rule | Description | Status |
|---------|----------------------------------------------------------|----------|
| R 8.1 | Type specifier shall be explicit | Compliant |
| R 8.2 | Function parameters shall be explicitly named | Compliant |
@@ -78,21 +75,21 @@ Top-relevante Rules fuer dieses Projekt:
| R 14.1 | Loop counter shall not have essentially floating type | Compliant |
| R 14.4 | Controlling expression shall have essentially Boolean type | Compliant |
| R 15.4 | At most one break or goto per loop | Compliant |
| R 17.7 | Return value of non-void function shall be used | Compliant (oder explizit `(void)`) |
| R 21.3 | No dynamic memory allocation (malloc/free) | Compliant (keine Heap-Nutzung) |
| R 17.7 | Return value of non-void function shall be used | Compliant (or explicit `(void)`) |
| R 21.3 | No dynamic memory allocation (malloc/free) | Compliant (no heap use) |
| R 21.4 | No setjmp/longjmp | Compliant |
### 4.3 Advisory Rules
### 4.3 Advisory rules
47 Advisory Rules. Verletzungen werden via MISRA Deviation Records dokumentiert.
47 Advisory rules. Violations are documented via MISRA deviation records.
| Record-ID | Rule | Datei | Begruendung-Auszug |
| Record ID | Rule | File | Rationale summary |
|-------------------|---------|-------------------------------|-----------------------------|
| MISRA-REC-001 | R 15.5 | `src/apply_controller.c:64` | Early-Exit fuer NULL-Check |
| MISRA-REC-001 | R 15.5 | `src/apply_controller.c:64` | Early-exit for NULL check |
**Advisory Status: 1 Deviation Record, dokumentiert.**
**Advisory status: 1 deviation record, documented.**
## 5. Pruef-Pipeline
## 5. Check pipeline
```bash
cppcheck \
@@ -105,26 +102,26 @@ cppcheck \
-I src src
```
Pruefung erfolgt:
- Lokal vor jedem Commit (empfohlen)
- Automatisch in CI bei jedem Push und PR
- Vor jedem Release (Tag-Push triggert release.yml)
Checks are run:
- Locally before each commit (recommended)
- Automatically in CI on every push and PR
- Before each release (tag push triggers release.yml)
## 6. Deviation Permits (projektweit)
## 6. Deviation Permits (project-wide)
Keine projektweiten Permits aktiv.
No project-wide permits are active.
## 7. Re-Audit-Trigger
## 7. Re-audit triggers
Diese Compliance-Erklaerung muss bei folgenden Aenderungen neu erstellt werden:
This compliance statement must be re-created on the following changes:
- Compiler-Wechsel (z.B. GCC -> Clang)
- Major-Update von Cppcheck oder MISRA-Addon
- Neue Quelldateien ausserhalb `src/`
- MISRA-Standard-Update (z.B. C:2025 Release)
- Compiler change (e.g. GCC Clang)
- Major update of Cppcheck or the MISRA addon
- New source files outside `src/`
- MISRA standard update (e.g. C:2025 release)
## 8. Aenderungshistorie
## 8. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 1.0 | 2026-05-12 | Erstfreigabe v1.0 | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release v1.0 | S. Lohmaier|
docs/safety-md/Safety-Case.md
+85 -88
View File
@@ -1,139 +1,136 @@
---
doc-id: SLM-EPB-SC-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Safety Case — demo-epb
| Feld | Wert |
|----------------|------------------------------------------------|
| Projekt | demo-epb |
| Dokument-ID | SLM-EPB-SC-001 |
| Datum | 2026-05-12 |
| Version | 1.0 |
| Status | Freigegeben |
| Norm | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Erstellt von | Stefan Lohmaier |
| Freigegeben von| (Safety Manager, im Realprojekt) |
| Field | Value |
|-----------------|-------------------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-SC-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Author | Stefan Lohmaier |
| Approver | (Safety Manager, in real project) |
---
## 1. Zweck
## 1. Purpose
Argumentation, dass das EPB-System die in der HARA identifizierten
Sicherheitsziele erfuellt. Strukturiert nach Goal Structuring Notation
(GSN), in tabellarischer Form fuer Audit-Zwecke.
Argument that the EPB system satisfies the safety goals identified in the HARA. Structured per Goal Structuring Notation (GSN), in tabular form for audit purposes.
## 2. Top-Goal
## 2. Top goal
**G0:** Die EPB-Software erfuellt alle Safety Goals (SG-01 bis SG-05) der HARA
mit angemessener Konfidenz fuer ASIL D / C / B / A.
**G0:** The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.
## 3. Argument-Struktur
## 3. Argument structure
| Goal | Behauptung | Strategie | Evidenz |
|------|------------------------------------------------------|------------------------------------------|------------------------------------------|
| G0 | EPB erfuellt alle SG aus HARA | Decomposition nach SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (kein ungewolltes Loesen) ist erfuellt | Architektonisch + Test + Review | SWA-002 + Tests + Code-Review |
| G2 | SG-02 (kein ungewolltes Apply) ist erfuellt | Architektonisch + Plausibilisierung | SWA-002 standstill-check + Tests |
| G3 | SG-03 (Schutz vor Ueberstrom) ist erfuellt | Architektonisch + Test | SWA-003 overcurrent-cutoff + Tests |
| G4 | SG-04 (Hill-Hold-Uebergabe) ist erfuellt | Architektonisch + Sequenz-Test | SWA-001 + Tests |
| G5 | SG-05 (Reaktionszeit) ist erfuellt | Performance-Messung + Test | Step-Timing-Tests |
| Goal | Claim | Strategy | Evidence |
|------|---------------------------------------------------------|------------------------------------------|--------------------------------------------|
| G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |
## 4. Detail-Argumente
## 4. Detail arguments
### G1 — SG-01: Kein ungewolltes Loesen
### G1 — SG-01: No unintended release
**Argument:**
| # | Aussage | Beleg |
|---|-----------------------------------------------------------------------|--------------------------------------|
| 1 | Apply Controller verlaesst APPLIED nur bei expliziter Release-Anforderung mit Vorbedingungen | `apply_controller.c` Zeile 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release-Vorbedingungen pruefen Engine + Brake + Gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog erkennt Apply-Controller-Hang und faellt in Safe State (APPLIED) | SWE-002 + Watchdog in SWA-001 |
| 4 | Klemmkraft wird alle 50 ms verifiziert und bei Abfall nachgeregelt | SWE-001 + Test `test_applied_holds_force` |
| 5 | Unit-Test deckt das Verhalten ab: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller leaves APPLIED only on explicit release request with preconditions | `apply_controller.c` line 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release preconditions check engine + brake + gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog detects apply controller hang and falls into safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test `test_applied_holds_force` |
| 5 | Unit test covers the behaviour: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Architektonische Trennung + Tests + 2 Reviewer.
**Confidence:** ASIL-D. Architectural separation + tests + 2 reviewers.
### G2 — SG-02: Kein ungewolltes Apply waehrend Fahrt
### G2 — SG-02: No unintended apply during driving
**Argument:**
| # | Aussage | Beleg |
|---|-----------------------------------------------------------------------|--------------------------------------|
| 1 | Apply-Anforderung wird nur bei Stillstand (v < 0.5 km/h) angenommen | `apply_controller.c` `in->standstill` check |
| 2 | Stillstand wird durch Wheel-Speed-Plausibilisierung von 4 Sensoren bestaetigt | SWE-022 + SWA-004 |
| 3 | Plausibilisierung erkennt einzelnen Sensor-Fehler (Spreizung > 3 km/h) | SWE-023 |
| 4 | Test deckt das Verhalten ab: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | `apply_controller.c` `in->standstill` check |
| 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisation detects single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test covers the behaviour: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Sensor-Redundanz + Test + 2 Reviewer.
**Confidence:** ASIL-D. Sensor redundancy + test + 2 reviewers.
### G3 — SG-03: Schutz vor Aktor-Ueberstrom
### G3 — SG-03: Protection against actuator overcurrent
**Argument:**
| # | Aussage | Beleg |
|---|--------------------------------------------------------------------------------|------------------------------------|
| 1 | Motorstrom wird mit 1 kHz abgetastet | `actuator_isr_1khz` + SWE-013 |
| 2 | Bei > 8 A fuer > 100 ms wird der Motor abgeschaltet | `actuator_driver.c` Overcurrent-Logik + SWE-014 |
| 3 | Nach Overcurrent ist `actuator_apply` blockiert (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC wird gesetzt (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Motor current is sampled at 1 kHz | `actuator_isr_1khz` + SWE-013 |
| 2 | On > 8 A for > 100 ms the motor is shut down | `actuator_driver.c` overcurrent logic + SWE-014 |
| 3 | After overcurrent, `actuator_apply` is blocked (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
**Konfidenz:** ASIL-A (Hazard H-05). Lokale Logik + Test.
**Confidence:** ASIL-A (hazard H-05). Local logic + test.
### G4 — SG-04: Hill-Hold-Uebergabe
### G4 — SG-04: Hill-hold handover
**Argument:**
| # | Aussage | Beleg |
|---|---------------------------------------------------------------------------------|------------------------------------|
| 1 | Hill-Hold wird aktiviert bei grade > 5%, v=0, Bremse | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | Beim Loslassen der Bremse wird sofort apply_requested gesetzt | SWE-010, Tests `test_hillhold_active_on_brake_release` |
| 3 | Apply Controller reagiert auf safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer ist tiefpass-gefiltert (Robustheit gegen Sensorrauschen) | SWA-005 + SWE-024 |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Hill-hold activates at grade > 5%, v=0, brake pressed | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | On brake release, apply_requested is set immediately | SWE-010, test `test_hillhold_active_on_brake_release` |
| 3 | Apply controller responds to safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |
**Konfidenz:** ASIL-C. Architektonisch + Tests + Filter.
**Confidence:** ASIL-C. Architectural + tests + filter.
### G5 — SG-05: Reaktionszeit
### G5 — SG-05: Response time
**Argument:**
| # | Aussage | Beleg |
|---|---------------------------------------------------------------------------------|------------------------------------|
| 1 | Apply Controller laeuft alle 50 ms | `apply_ctrl_step_50ms` |
| 2 | Schalter wird in 50 ms entprellt (5 stable samples) | `switch_debouncer.c` |
| 3 | Gesamt-Reaktionszeit Schalter -> Aktor-Start: <= 100 ms | Timing-Analyse |
| 4 | Aktor-Apply abgeschlossen in <= 800 ms (Spec) und max. 1500 ms (Timeout) | Apply timeout, SWE-006 |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller runs every 50 ms | `apply_ctrl_step_50ms` |
| 2 | Switch is debounced in 50 ms (5 stable samples) | `switch_debouncer.c` |
| 3 | Total response switch → actuator start: 100 ms | Timing analysis |
| 4 | Actuator apply completes in 800 ms (spec) and max 1500 ms (timeout) | Apply timeout, SWE-006 |
**Konfidenz:** ASIL-B. Performance + Timeout.
**Confidence:** ASIL-B. Performance + timeout.
## 5. Common-Cause / Common-Mode
## 5. Common cause / common mode
Folgende Common-Cause-Risiken wurden geprueft:
The following common-cause risks were checked:
| Risiko | Massnahme |
| Risk | Mitigation |
|---------------------------------------|-------------------------------------------------------------|
| Speicherfehler (Stack/Heap) | Statische Allokation, MISRA C 21.3 (kein Heap) |
| Compiler-Bug | GCC qualifiziert (siehe Tool-Qualification-Report), MISRA-Check |
| Konfigurations-Fehler | Build-Pipeline reproduzierbar, Version-pinning, CI-Verify |
| Shared-State-Race | Single-Threaded Step-Funktionen, ISR-Trennung via Volatile |
| Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Configuration error | Build pipeline reproducible, version pinning, CI verify |
| Shared-state race | Single-threaded step functions, ISR separation via volatile |
## 6. Restrisiken
## 6. Residual risks
Folgende Risiken bleiben:
The following risks remain:
| Risiko | Bewertung | Begruendung |
| Risk | Assessment | Rationale |
|----------------------------------------|--------------------------|------------------------------------|
| Sensor-Drift Inclinometer ueber Jahre | Akzeptiert | Periodische Kalibrierung im Service-Manual |
| EMV-Einfluss auf CAN | Auf System-Ebene gemildert | CAN ECU bietet eigene Fehlerbehandlung |
| Aktor-Lebenszeit | Aussen-Verantwortung | Tier-1 Komponente, Datenblatt |
| Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Actuator lifetime | External responsibility | Tier-1 component, datasheet |
## 7. Aenderungshistorie
## 7. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |
docs/safety-md/Tool-Qualification-Cppcheck.md
+74 -83
View File
@@ -1,136 +1,127 @@
---
doc-id: SLM-EPB-TQ-Cppcheck-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Tool-Qualification — Cppcheck + MISRA-Addon
# Tool Qualification — Cppcheck + MISRA addon
| Feld | Wert |
|--------------|----------------------------------------|
| Tool | Cppcheck mit MISRA-Addon |
| Version | 2.7+ (Linux apt) / 2.20.0 (Windows/macOS) |
| Hersteller | Daniel Marjamaeki et al. (Open Source)|
| Lizenz | GPLv3 |
| Verwendung | Statische Analyse, MISRA-C:2012-Check |
| Norm | ISO 26262 Part 8 §11 |
| Field | Value |
|---------------|----------------------------------------|
| Tool | Cppcheck with MISRA addon |
| Version | 2.7+ (Linux apt) / 2.20.0 (Windows/macOS) |
| Vendor | Daniel Marjamäki et al. (open source) |
| Licence | GPLv3 |
| Use | Static analysis, MISRA C:2012 check |
| Standard | ISO 26262 Part 8 §11 |
---
## 1. Zweck
## 1. Purpose
Dieser Bericht qualifiziert Cppcheck mit MISRA-Addon fuer den Einsatz in der
demo-epb Entwicklung. Tool-Qualifikation nach ISO 26262-8 §11 ist
verpflichtend, wenn:
This report qualifies Cppcheck with the MISRA addon for use in demo-epb development. Tool qualification per ISO 26262-8 §11 is mandatory when:
- Das Tool das Sicherheitsniveau der Software beeinflussen kann (TI > 1)
- Das Tool keine Off-the-Shelf-Zertifizierung besitzt
- The tool can influence the safety level of the software (TI > 1)
- The tool lacks off-the-shelf certification
## 2. Tool-Klassifikation
## 2. Tool classification
### 2.1 Use Cases
### 2.1 Use cases
| UC-ID | Use Case | Output verifiziert? |
| UC-ID | Use case | Output verified? |
|-------|-----------------------------------|----------------------------|
| UC-01 | Statische Analyse waehrend Build | Per Review (CI-Log) |
| UC-02 | MISRA-C:2012-Konformitaetsbeleg | Per Deviation-Records |
| UC-03 | Identifikation von Bugs | Ergebnisse werden geprueft |
| UC-01 | Static analysis during build | Via review (CI log) |
| UC-02 | MISRA C:2012 compliance evidence | Via deviation records |
| UC-03 | Bug identification | Findings are reviewed |
### 2.2 Tool Impact (TI)
Definition nach ISO 26262-8 §11.4.5.1:
Definition per ISO 26262-8 §11.4.5.1:
| Frage | Antwort |
| Question | Answer |
|------------------------------------------------------------------------|-----------|
| Kann ein Fehler des Tools zur Verletzung einer Sicherheitsanforderung fuehren? | Ja (Tool kann Bugs uebersehen) |
| Kann ein Fehler die Erkennung eines Bugs verhindern? | Ja |
| Can a tool error lead to a violation of a safety requirement? | Yes (the tool may miss bugs) |
| Can a tool error prevent detection of a bug? | Yes |
=> **TI = TI2** (Tool kann Sicherheit beeinflussen)
**TI = TI2** (the tool can influence safety)
### 2.3 Tool Error Detection (TD)
Definition nach ISO 26262-8 §11.4.5.4:
Definition per ISO 26262-8 §11.4.5.4:
| Frage | Antwort |
|------------------------------------------------------------------------|-------------|
| Wird das Tool-Output durch andere Massnahmen verifiziert? | Teilweise: Doppelgang via clang-tidy + Code-Review + Unit-Tests |
| Werden Bugs durch nachgelagerte Reviews / Tests erkannt? | Ja |
| Question | Answer |
|------------------------------------------------------------------------|--------------|
| Is the tool output verified by other measures? | Partially: redundant via clang-tidy + code review + unit tests |
| Are bugs detected by downstream reviews / tests? | Yes |
=> **TD = TD2** (Mittlere Detection-Wahrscheinlichkeit)
**TD = TD2** (medium detection probability)
### 2.4 Tool Confidence Level (TCL)
Mit TI2 + TD2 ergibt sich laut ISO 26262-8 Tabelle 4: **TCL2**.
With TI2 + TD2 we obtain per ISO 26262-8 Table 4: **TCL2**.
### 2.5 Qualification Method
### 2.5 Qualification method
Fuer TCL2 + ASIL-D ist eine **Tool-Qualifikation** notwendig (Tabelle 5).
Anwendbare Methoden:
For TCL2 + ASIL-D, a **tool qualification** is required (Table 5). Applicable methods:
- Increased confidence from use (§11.4.7) — fuer Cppcheck verfuegbar
- Increased confidence from use (§11.4.7) — available for Cppcheck
- Evaluation of the tool development process (§11.4.8)
- Validation of the software tool (§11.4.9)
In diesem Projekt: **Increased Confidence from Use**.
In this project: **Increased Confidence from Use**.
## 3. Increased Confidence from Use — Evidenz
## 3. Increased Confidence from Use — evidence
### 3.1 Reifegrad / Verbreitung
### 3.1 Maturity / adoption
| Kriterium | Bewertung |
|----------------------------------------|----------------------------------------|
| Tool-Alter | > 15 Jahre Entwicklung |
| Aktive Community | > 100 Contributors auf GitHub |
| Releases pro Jahr | ~6 Stable Releases |
| Bekannte Anwender im Automotive-Sektor | Documented users incl. mehrere OEMs |
| Bug-Tracker | Oeffentlich (GitHub Issues) |
| Test-Suite | Eigene Self-Test-Suite, > 5000 Tests |
| Criterion | Assessment |
|----------------------------------------|------------------------------------------|
| Tool age | > 15 years of development |
| Active community | > 100 contributors on GitHub |
| Releases per year | ~6 stable releases |
| Known automotive users | Documented users including several OEMs |
| Bug tracker | Public (GitHub Issues) |
| Test suite | Own self-test suite, > 5000 tests |
### 3.2 Frueheren Einsatz im Projekt-Kontext
### 3.2 Prior use in project context
Cppcheck wird seit 2023 in slohmaier-Projekten fuer Static-Analysis-Builds
eingesetzt (Anekdotisch: ControlNav, BrailleKit). Keine bekannten Faelle, in
denen Cppcheck eine echte Sicherheitsverletzung uebersehen hat, die durch
Code-Review nicht doch noch gefunden wurde.
Cppcheck has been used since 2023 in slohmaier projects for static-analysis builds (anecdotally: ControlNav, BrailleKit). No known cases where Cppcheck missed a real safety violation that wasn't subsequently caught by code review.
### 3.3 Validation-Tests im Projekt
### 3.3 Validation tests in project
Pro Build werden folgende Validierungs-Checks gegen Cppcheck durchgefuehrt:
Each build performs the following validation checks against Cppcheck:
| Test | Erwartetes Verhalten | Ergebnis |
| Test | Expected behaviour | Result |
|--------------------------------------------|----------------------------------|-----------|
| Eingebauter Test-Case `tests/validation_cppcheck.c` mit bewusst injiziertem Bug | Cppcheck erkennt | OK |
| Cppcheck-Output ist deterministisch | Wiederholte Laeufe == identisch | OK |
| MISRA-Regeln werden gegen Referenz-Set geprueft | Erkennung min. 95% required-Regeln | OK |
| Built-in test case `tests/validation_cppcheck.c` with intentionally injected bug | Cppcheck detects it | OK |
| Cppcheck output is deterministic | Repeated runs == identical | OK |
| MISRA rules checked against reference set | Detection ≥ 95% required rules | OK |
## 4. Bekannte Einschraenkungen
## 4. Known limitations
| Einschraenkung | Mitigation |
|------------------------------------------|------------------------------------------|
| MISRA-Addon implementiert nicht alle 175 Regeln vollstaendig | Manuelle Review-Checklisten fuer fehlende Regeln |
| Geringere Erkennungsrate bei Heap-Bugs | Keine Heap-Nutzung im Projekt (MISRA 21.3) |
| False Positives bei komplexen Pointer-Aliasen | Deviation-Records pro Fall |
| Limitation | Mitigation |
|------------------------------------------|---------------------------------------------|
| MISRA addon does not implement all 175 rules completely | Manual review checklists for missing rules |
| Lower detection rate for heap bugs | No heap usage in this project (MISRA 21.3) |
| False positives on complex pointer aliasing | Per-instance deviation records |
## 5. Qualification-Verdict
## 5. Qualification verdict
Cppcheck mit MISRA-Addon ist **qualifiziert** fuer den Einsatz in demo-epb mit
TCL2 ASIL-D, basierend auf "Increased Confidence from Use".
Cppcheck with the MISRA addon is **qualified** for use in demo-epb at TCL2 ASIL-D, based on "Increased Confidence from Use".
Diese Qualifikation gilt fuer die Version 2.7+ auf Linux (CI) und Version
2.20.0 auf macOS/Windows (Entwickler-Workstations). Bei Tool-Update muss die
Validierung wiederholt werden (Regression-Suite).
This qualification applies to version 2.7+ on Linux (CI) and version 2.20.0 on macOS/Windows (developer workstations). On tool update the validation must be repeated (regression suite).
## 6. Geltungsbereich
## 6. Scope
Diese Tool-Qualifikation gilt **nur** fuer:
- Projekt: demo-epb
- ASIL: bis D
- Verwendung: statische Analyse + MISRA-Check (CI + lokal)
- Tool-Versionen: 2.7+ Linux / 2.20.0 macOS+Windows
This tool qualification applies **only** to:
- Project: demo-epb
- ASIL: up to D
- Use: static analysis + MISRA check (CI + local)
- Tool versions: 2.7+ Linux / 2.20.0 macOS+Windows
## 7. Aenderungshistorie
## 7. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/safety-md/Verification-Report.md
+88 -93
View File
@@ -1,132 +1,127 @@
---
doc-id: SLM-EPB-VER-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Verifikations-Bericht (V-Modell rechte Seite)
# Verification Report (V-model right side)
| Feld | Wert |
|--------------|----------------------------------------|
| Projekt | demo-epb |
| Dokument-ID | SLM-EPB-VER-001 |
| Datum | 2026-05-12 |
| Version | 1.0 |
| Norm | ISO 26262 Part 6 §9 + §10 |
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-VER-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Standard | ISO 26262 Part 6 §9 + §10 |
---
## 1. Zweck
## 1. Purpose
Zusammenfassender Verifikations-Nachweis fuer die EPB-Software v1.0. Belegt,
dass die Implementierung die spezifizierten Anforderungen erfuellt
(V-Modell rechte Seite, Test- und Verifikationsphase).
Consolidated verification evidence for EPB software v1.0. Confirms that the implementation satisfies the specified requirements (V-model right side, test and verification phase).
## 2. Verifikations-Methoden
## 2. Verification methods
| Methode | Verwendung |
|-------------------------------|--------------------------------------------------|
| Statische Code-Analyse | Cppcheck, clang-tidy, GCC -Wall -Wextra -Werror |
| MISRA-C:2012 Compliance-Check | Cppcheck mit MISRA-Addon |
| Unit-Tests | 41 Tests, alle gruen |
| Coverage-Messung | gcov + lcov (Statement / Branch / MCDC-aequivalent) |
| Code-Reviews | Pull-Request-Reviews mit Approval-Pflicht |
| Traceability-Verifikation | `tools/traceability.py check` bidirektional |
| Architektur-Review | Technical Review mit 2 Approvern |
| Method | Use |
|---------------------------------|--------------------------------------------------|
| Static code analysis | Cppcheck, clang-tidy, GCC -Wall -Wextra -Werror |
| MISRA C:2012 compliance check | Cppcheck with MISRA addon |
| Unit tests | 46 tests, all green |
| Coverage measurement | gcov + lcov (statement / branch / MC/DC-equivalent) |
| Code reviews | Pull-request reviews with approval requirement |
| Traceability verification | `tools/traceability.py check` bidirectional |
| Architecture review | Technical review with 2 approvers |
## 3. Test-Ergebnisse
## 3. Test results
### 3.1 Unit-Tests (gesamt)
### 3.1 Unit tests (overall)
| Test-Suite | Anzahl Tests | Erfolgreich | Fehlgeschlagen |
|-------------------------------|--------------|-------------|-----------------|
| test_switch_debouncer | 5 | 5 | 0 |
| test_actuator_driver | 11 | 11 | 0 |
| test_apply_controller | 12 | 12 | 0 |
| test_safety_manager | 13 | 13 | 0 |
| **Total** | **41** | **41** | **0** |
| Test suite | Number of tests | Passed | Failed |
|-------------------------------|------------------|--------|--------|
| test_switch_debouncer | 5 | 5 | 0 |
| test_actuator_driver | 11 | 11 | 0 |
| test_apply_controller | 12 | 12 | 0 |
| test_safety_manager | 18 | 18 | 0 |
| **Total** | **46** | **46** | **0** |
### 3.2 Anforderungs-Coverage
### 3.2 Requirement coverage
Jede SWE-Anforderung wird durch mindestens einen Unit-Test referenziert
(via `@reqs` Tag im Test-File):
Every SWE requirement is referenced by at least one unit test (via `@reqs` tag in the test file):
| SWE-Req | Test-Funktion(en) |
|------------------------|------------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` |
| SWE-003 | `test_apply_request_starts_applying` |
| SWE-004 | `test_applying_reaches_applied_on_target_force` |
| SWE-005 | (implizit) `test_release_requires_preconditions` |
| SWE-006 | `test_release_with_preconditions` |
| SWE-007 | `test_auto_apply_armed_on_engine_off` |
| SWE-008 | `test_auto_apply_triggers_after_2s` |
| SWE-009 | `test_hillhold_arms_on_grade_brake_standstill` |
| SWE-010 | `test_hillhold_active_on_brake_release` |
| SWE-013 | `test_isr_samples_current` |
| SWE-014 | `test_overcurrent_cutoff_after_100ms` |
| SWE-015 | `test_clamping_force_estimate` |
| SWE-025 | `test_debounce_apply_takes_5_samples` |
| SWE Req | Test function(s) |
|------------------------|--------------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` |
| SWE-003 | `test_apply_request_starts_applying` |
| SWE-004 | `test_applying_reaches_applied_on_target_force` |
| SWE-005 | (implicit) `test_release_requires_preconditions` |
| SWE-006 | `test_release_with_preconditions` |
| SWE-007 | `test_auto_apply_armed_on_engine_off` |
| SWE-008 | `test_auto_apply_triggers_after_2s` |
| SWE-009 | `test_hillhold_arms_on_grade_brake_standstill` |
| SWE-010 | `test_hillhold_active_on_brake_release` |
| SWE-011 | `test_drive_away_armed_on_intent` |
| SWE-012 | `test_drive_away_blocked_without_safety` |
| SWE-013 | `test_isr_samples_current` |
| SWE-014 | `test_overcurrent_cutoff_after_100ms` |
| SWE-015 | `test_clamping_force_estimate` |
| SWE-025 | `test_debounce_apply_takes_5_samples` |
SWE-Reqs aus den nicht implementierten Komponenten (SWA-004..SWA-010,
Stubs) sind im Verifikations-Scope dieser Demo nicht abgedeckt — die
Komponenten sind als Stubs spezifiziert, aber nicht implementiert. Im
Realprojekt waeren auch diese vollstaendig geprueft.
SWE requirements of the not-implemented stub components (SWA-004..SWA-010) are out of scope for this demo verification — the components are specified but not implemented. In a real project they would all be verified.
### 3.3 Coverage-Metriken (Demo-Komponenten)
### 3.3 Coverage metrics (demo components)
| Komponente | Statement | Branch | MC/DC | Ziel ASIL |
|---------------------------|-----------|--------|-------|-----------|
| switch_debouncer (QM) | 100 % | 100 % | n/a | >= 80 % |
| actuator_driver (B) | 95 % | 92 % | n/a | >= 80 % |
| apply_controller (D) | 92 % | 91 % | 84 % | >= 90 % |
| safety_manager (D) | 96 % | 94 % | 87 % | >= 90 % |
| Component | Statement | Branch | MC/DC | ASIL target |
|----------------------------|-----------|--------|-------|--------------|
| switch_debouncer (QM) | 100% | 100% | n/a | 80% |
| actuator_driver (B) | 95% | 92% | n/a | 80% |
| apply_controller (D) | 92% | 91% | 84% | 90% |
| safety_manager (D) | 96% | 94% | 87% | 90% |
**Status:** Alle ASIL-Ziele erreicht.
**Status:** All ASIL targets met.
### 3.4 Statische Analyse
### 3.4 Static analysis
Cppcheck Run vom 2026-05-12:
Cppcheck run on 2026-05-12:
| Severity | Anzahl |
|------------|--------|
| Error | 0 |
| Warning | 0 |
| Style | 0 |
| Performance| 0 |
| Portability| 0 |
| Severity | Count |
|------------|-------|
| Error | 0 |
| Warning | 0 |
| Style | 0 |
| Performance| 0 |
| Portability| 0 |
### 3.5 MISRA-C:2012
### 3.5 MISRA C:2012
Siehe `MISRA-Compliance-Statement.docx`. Zusammenfassung:
See `MISRA-Compliance-Statement.docx`. Summary:
- Mandatory: 100 % Compliant
- Required: 100 % Compliant
- Advisory: 1 Deviation Record (MISRA-REC-001)
- Mandatory: 100% Compliant
- Required: 100% Compliant
- Advisory: 1 deviation record (MISRA-REC-001)
## 4. Reviews durchgefuehrt
## 4. Reviews conducted
| Review-ID | Artefakt | Reviewer | Status |
| Review ID | Artefact | Reviewer | Status |
|-----------|------------------------------|----------|------------------------|
| REV-001 | `src/apply_controller.c` | S. Lohmaier (Self) | Approved with comments |
| (weitere) | (im Realprojekt voll) | mind. 2 Approver | -- |
| REV-001 | `src/apply_controller.c` | S. Lohmaier (self) | Approved with comments |
| (further) | (in real project, full) | ≥ 2 approvers | -- |
## 5. Non-Conformities
## 5. Non-conformities
| NC-ID | Beschreibung | Status |
| NC ID | Description | Status |
|--------|------------------------------|---------|
| NC-001 | Step-Counter-Ueberlauf-Dok | Closed |
| NC-001 | Step counter overflow doc | Closed |
## 6. Verifications-Verdict
## 6. Verification verdict
demo-epb v1.0 erfuellt die in SWE-Plan, QA-Plan und Test-Plan spezifizierten
Verifikations-Kriterien.
demo-epb v1.0 satisfies the verification criteria specified in the SWE Plan, QA Plan, and Test Plan.
**Empfehlung:** Freigabe fuer Release v1.0.
**Recommendation:** Approve release v1.0.
## 7. Aenderungshistorie
## 7. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|---------------------|-------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|