slohmaier/demo-epb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

feat(i18n): full English translation of demo-epb
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / reports (push) Successful in 50s
Details
Release / release (push) Successful in 50s
Details

Browse Source 
Phase 2 of the English translation:

Word documents (filled, EPB-specific):
- 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM)
- 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance,
  Verification Report, Tool Qualification Cppcheck)
- 2 manuals (User, Service)
- 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001)
- All regenerated via pandoc from English markdown sources

Code, tests, headers:
- All file headers, struct comments, function docstrings in English
- All test names (TEST_BEGIN strings) translated
- Inline comments translated
- 46 tests still green after translation

CI workflows:
- All step names in English
- Step descriptions, comments, release notes template in English

README.md fully rewritten in English with proper guided tour.

Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
This commit is contained in:
Stefan Lohmaier
2026-05-12 03:37:51 -07:00
parent a47e0aed3e
commit fb2c083551
54 changed files with 1528 additions and 1600 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/safety-md/Safety-Case.md
+85 -88
View File
@@ -1,139 +1,136 @@
---
doc-id: SLM-EPB-SC-001
version: 1.0
status: Freigegeben
datum: 2026-05-12
status: Released
date: 2026-05-12
---
# Safety Case — demo-epb
| Feld | Wert |
|----------------|------------------------------------------------|
| Projekt | demo-epb |
| Dokument-ID | SLM-EPB-SC-001 |
| Datum | 2026-05-12 |
| Version | 1.0 |
| Status | Freigegeben |
| Norm | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Erstellt von | Stefan Lohmaier |
| Freigegeben von| (Safety Manager, im Realprojekt) |
| Field | Value |
|-----------------|-------------------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-SC-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Author | Stefan Lohmaier |
| Approver | (Safety Manager, in real project) |
---
## 1. Zweck
## 1. Purpose
Argumentation, dass das EPB-System die in der HARA identifizierten
Sicherheitsziele erfuellt. Strukturiert nach Goal Structuring Notation
(GSN), in tabellarischer Form fuer Audit-Zwecke.
Argument that the EPB system satisfies the safety goals identified in the HARA. Structured per Goal Structuring Notation (GSN), in tabular form for audit purposes.
## 2. Top-Goal
## 2. Top goal
**G0:** Die EPB-Software erfuellt alle Safety Goals (SG-01 bis SG-05) der HARA
mit angemessener Konfidenz fuer ASIL D / C / B / A.
**G0:** The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.
## 3. Argument-Struktur
## 3. Argument structure
| Goal | Behauptung | Strategie | Evidenz |
|------|------------------------------------------------------|------------------------------------------|------------------------------------------|
| G0 | EPB erfuellt alle SG aus HARA | Decomposition nach SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (kein ungewolltes Loesen) ist erfuellt | Architektonisch + Test + Review | SWA-002 + Tests + Code-Review |
| G2 | SG-02 (kein ungewolltes Apply) ist erfuellt | Architektonisch + Plausibilisierung | SWA-002 standstill-check + Tests |
| G3 | SG-03 (Schutz vor Ueberstrom) ist erfuellt | Architektonisch + Test | SWA-003 overcurrent-cutoff + Tests |
| G4 | SG-04 (Hill-Hold-Uebergabe) ist erfuellt | Architektonisch + Sequenz-Test | SWA-001 + Tests |
| G5 | SG-05 (Reaktionszeit) ist erfuellt | Performance-Messung + Test | Step-Timing-Tests |
| Goal | Claim | Strategy | Evidence |
|------|---------------------------------------------------------|------------------------------------------|--------------------------------------------|
| G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |
## 4. Detail-Argumente
## 4. Detail arguments
### G1 — SG-01: Kein ungewolltes Loesen
### G1 — SG-01: No unintended release
**Argument:**
| # | Aussage | Beleg |
|---|-----------------------------------------------------------------------|--------------------------------------|
| 1 | Apply Controller verlaesst APPLIED nur bei expliziter Release-Anforderung mit Vorbedingungen | `apply_controller.c` Zeile 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release-Vorbedingungen pruefen Engine + Brake + Gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog erkennt Apply-Controller-Hang und faellt in Safe State (APPLIED) | SWE-002 + Watchdog in SWA-001 |
| 4 | Klemmkraft wird alle 50 ms verifiziert und bei Abfall nachgeregelt | SWE-001 + Test `test_applied_holds_force` |
| 5 | Unit-Test deckt das Verhalten ab: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller leaves APPLIED only on explicit release request with preconditions | `apply_controller.c` line 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release preconditions check engine + brake + gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog detects apply controller hang and falls into safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test `test_applied_holds_force` |
| 5 | Unit test covers the behaviour: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Architektonische Trennung + Tests + 2 Reviewer.
**Confidence:** ASIL-D. Architectural separation + tests + 2 reviewers.
### G2 — SG-02: Kein ungewolltes Apply waehrend Fahrt
### G2 — SG-02: No unintended apply during driving
**Argument:**
| # | Aussage | Beleg |
|---|-----------------------------------------------------------------------|--------------------------------------|
| 1 | Apply-Anforderung wird nur bei Stillstand (v < 0.5 km/h) angenommen | `apply_controller.c` `in->standstill` check |
| 2 | Stillstand wird durch Wheel-Speed-Plausibilisierung von 4 Sensoren bestaetigt | SWE-022 + SWA-004 |
| 3 | Plausibilisierung erkennt einzelnen Sensor-Fehler (Spreizung > 3 km/h) | SWE-023 |
| 4 | Test deckt das Verhalten ab: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | `apply_controller.c` `in->standstill` check |
| 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisation detects single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test covers the behaviour: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Sensor-Redundanz + Test + 2 Reviewer.
**Confidence:** ASIL-D. Sensor redundancy + test + 2 reviewers.
### G3 — SG-03: Schutz vor Aktor-Ueberstrom
### G3 — SG-03: Protection against actuator overcurrent
**Argument:**
| # | Aussage | Beleg |
|---|--------------------------------------------------------------------------------|------------------------------------|
| 1 | Motorstrom wird mit 1 kHz abgetastet | `actuator_isr_1khz` + SWE-013 |
| 2 | Bei > 8 A fuer > 100 ms wird der Motor abgeschaltet | `actuator_driver.c` Overcurrent-Logik + SWE-014 |
| 3 | Nach Overcurrent ist `actuator_apply` blockiert (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC wird gesetzt (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Motor current is sampled at 1 kHz | `actuator_isr_1khz` + SWE-013 |
| 2 | On > 8 A for > 100 ms the motor is shut down | `actuator_driver.c` overcurrent logic + SWE-014 |
| 3 | After overcurrent, `actuator_apply` is blocked (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
**Konfidenz:** ASIL-A (Hazard H-05). Lokale Logik + Test.
**Confidence:** ASIL-A (hazard H-05). Local logic + test.
### G4 — SG-04: Hill-Hold-Uebergabe
### G4 — SG-04: Hill-hold handover
**Argument:**
| # | Aussage | Beleg |
|---|---------------------------------------------------------------------------------|------------------------------------|
| 1 | Hill-Hold wird aktiviert bei grade > 5%, v=0, Bremse | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | Beim Loslassen der Bremse wird sofort apply_requested gesetzt | SWE-010, Tests `test_hillhold_active_on_brake_release` |
| 3 | Apply Controller reagiert auf safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer ist tiefpass-gefiltert (Robustheit gegen Sensorrauschen) | SWA-005 + SWE-024 |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Hill-hold activates at grade > 5%, v=0, brake pressed | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | On brake release, apply_requested is set immediately | SWE-010, test `test_hillhold_active_on_brake_release` |
| 3 | Apply controller responds to safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |
**Konfidenz:** ASIL-C. Architektonisch + Tests + Filter.
**Confidence:** ASIL-C. Architectural + tests + filter.
### G5 — SG-05: Reaktionszeit
### G5 — SG-05: Response time
**Argument:**
| # | Aussage | Beleg |
|---|---------------------------------------------------------------------------------|------------------------------------|
| 1 | Apply Controller laeuft alle 50 ms | `apply_ctrl_step_50ms` |
| 2 | Schalter wird in 50 ms entprellt (5 stable samples) | `switch_debouncer.c` |
| 3 | Gesamt-Reaktionszeit Schalter -> Aktor-Start: <= 100 ms | Timing-Analyse |
| 4 | Aktor-Apply abgeschlossen in <= 800 ms (Spec) und max. 1500 ms (Timeout) | Apply timeout, SWE-006 |
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller runs every 50 ms | `apply_ctrl_step_50ms` |
| 2 | Switch is debounced in 50 ms (5 stable samples) | `switch_debouncer.c` |
| 3 | Total response switch → actuator start: 100 ms | Timing analysis |
| 4 | Actuator apply completes in 800 ms (spec) and max 1500 ms (timeout) | Apply timeout, SWE-006 |
**Konfidenz:** ASIL-B. Performance + Timeout.
**Confidence:** ASIL-B. Performance + timeout.
## 5. Common-Cause / Common-Mode
## 5. Common cause / common mode
Folgende Common-Cause-Risiken wurden geprueft:
The following common-cause risks were checked:
| Risiko | Massnahme |
| Risk | Mitigation |
|---------------------------------------|-------------------------------------------------------------|
| Speicherfehler (Stack/Heap) | Statische Allokation, MISRA C 21.3 (kein Heap) |
| Compiler-Bug | GCC qualifiziert (siehe Tool-Qualification-Report), MISRA-Check |
| Konfigurations-Fehler | Build-Pipeline reproduzierbar, Version-pinning, CI-Verify |
| Shared-State-Race | Single-Threaded Step-Funktionen, ISR-Trennung via Volatile |
| Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Configuration error | Build pipeline reproducible, version pinning, CI verify |
| Shared-state race | Single-threaded step functions, ISR separation via volatile |
## 6. Restrisiken
## 6. Residual risks
Folgende Risiken bleiben:
The following risks remain:
| Risiko | Bewertung | Begruendung |
| Risk | Assessment | Rationale |
|----------------------------------------|--------------------------|------------------------------------|
| Sensor-Drift Inclinometer ueber Jahre | Akzeptiert | Periodische Kalibrierung im Service-Manual |
| EMV-Einfluss auf CAN | Auf System-Ebene gemildert | CAN ECU bietet eigene Fehlerbehandlung |
| Aktor-Lebenszeit | Aussen-Verantwortung | Tier-1 Komponente, Datenblatt |
| Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Actuator lifetime | External responsibility | Tier-1 component, datasheet |
## 7. Aenderungshistorie
## 7. Revision history
| Version | Datum | Aenderung | Autor |
|---------|-------------|-------------------------|----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier |
| Version | Date | Change | Author |
|---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |