slohmaier/demo-epb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Compare commits

base: slohmaier/demo-epb:v0.1.0
Branches Tags
slohmaier/demo-epb:main
slohmaier/demo-epb:v0.5.0 slohmaier/demo-epb:v0.4.1 slohmaier/demo-epb:v0.4.0 slohmaier/demo-epb:v0.3.0 slohmaier/demo-epb:v0.2.0 slohmaier/demo-epb:v0.1.0
..
compare: slohmaier/demo-epb:main
Branches Tags
slohmaier/demo-epb:main
slohmaier/demo-epb:v0.5.0 slohmaier/demo-epb:v0.4.1 slohmaier/demo-epb:v0.4.0 slohmaier/demo-epb:v0.3.0 slohmaier/demo-epb:v0.2.0 slohmaier/demo-epb:v0.1.0

19 Commits
v0.1.0 .. main

Author SHA1 Message Date
Stefan Lohmaier 0b58185af7 fix(ci): fetch full history so 'git describe --tags' works
Validate / build-test (macos-latest) (push) Failing after 1s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / build-test (windows-latest) (push) Failing after 17s
Details
Validate / reports (push) Successful in 49s
Details 
The landing page showed 'version (no tag)' because actions/checkout@v4
defaults to a shallow clone (fetch-depth: 1) and pulls no tags. The
landing-page generator's 'git describe --tags --abbrev=0' then failed
and fell back to the placeholder.

Add fetch-depth: 0 to every checkout step in validate.yml + release.yml
so the runner sees all tags (current head: v0.5.0 + 6 commits).
 2026-05-13 00:33:04 -07:00
Stefan Lohmaier 2167c100e8 fix(landing-page): diagram links - use bundle path, not docs/diagrams/
Validate / build-test (macos-latest) (push) Failing after 4s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 18s
Details
Validate / build-test (windows-latest) (push) Failing after 30s
Details
Validate / reports (push) Successful in 53s
Details 
Architecture diagram links on the deployed landing page returned 404
because the generator emitted 'docs/diagrams/<file>.svg' (repo-relative)
while validate.yml/release.yml deploy the SVGs to '<bundle>/diagrams/'.

Use the same bundle-relative pattern as coverage/cppcheck/traceability
(emit just 'diagrams/<file>.svg').

Also translates two remaining German comments in release.yml
('CI-generierte Artefakte', 'Source-Code zum Anklicken...').
 2026-05-12 23:51:15 -07:00
Stefan Lohmaier 39b7182e0b docs(i18n): release notes - last Review-Protokoll string
Validate / build-test (macos-latest) (push) Failing after 1s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Details
Validate / reports (push) Successful in 51s
Details
2026-05-12 12:09:25 -07:00
Stefan Lohmaier ba7a3ebd27 refactor(i18n): rename docs/plaene/ -> docs/plans/
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Details
Validate / build-test (windows-latest) (push) Failing after 17s
Details
Validate / reports (push) Successful in 53s
Details 
Last German folder name in demo-epb. Pairs cleanly with docs/plans-md/
(markdown source) following the project convention. All references
in landing page generator, CI workflows, and cross-doc links updated.
 2026-05-12 12:08:33 -07:00
Stefan Lohmaier c81121c3d5 feat(i18n): remaining German comments + CI strings in English
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / build-test (windows-latest) (push) Failing after 18s
Details
Validate / reports (push) Successful in 52s
Details 
Final residual translations found in code/comments/CI:
- .doorstop.yml: config comments, traceability mapping comments
- Doxyfile: header comment
- tools/render_plantuml.py: docstring
- tools/generate_test_report.py: docstring
- tests/unit_test_framework.h: doxygen brief + body
- tests/unit/test_safety_manager.c: section comment
- src/stubs/*.h: doxygen briefs for diag/display/inclinometer/logger/service/wheel-speed
- .gitea/workflows/release.yml: release notes 'Statische Analyse' + deploy error message
 2026-05-12 06:14:23 -07:00
Stefan Lohmaier 8451099b90 docs(i18n): stubs README in English
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (windows-latest) (push) Failing after 14s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / reports (push) Successful in 50s
Details
2026-05-12 03:46:35 -07:00
Stefan Lohmaier fb2c083551 feat(i18n): full English translation of demo-epb
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / reports (push) Successful in 50s
Details
Release / release (push) Successful in 50s
Details 
Phase 2 of the English translation:

Word documents (filled, EPB-specific):
- 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM)
- 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance,
  Verification Report, Tool Qualification Cppcheck)
- 2 manuals (User, Service)
- 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001)
- All regenerated via pandoc from English markdown sources

Code, tests, headers:
- All file headers, struct comments, function docstrings in English
- All test names (TEST_BEGIN strings) translated
- Inline comments translated
- 46 tests still green after translation

CI workflows:
- All step names in English
- Step descriptions, comments, release notes template in English

README.md fully rewritten in English with proper guided tour.

Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
 2026-05-12 03:37:51 -07:00
Stefan Lohmaier a47e0aed3e feat(i18n): tools + landing page + doorstop generator in English
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (windows-latest) (push) Failing after 16s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 18s
Details
Validate / reports (push) Successful in 52s
Details 
Phase 1 of full English translation:
- generate_doorstop_items.py: all 55 items (SG/SYS/SWE/SA/SWA) rewritten in English
- generate_landing_page.py: full UI labels, KPI cards, section headings in English
- traceability.py: docstring, error messages, HTML headers in English
- generate_test_report.py: report content + table headers in English
- All 55 markdown items in safety/sg/, reqs/, arch/ regenerated in English

Still to come:
- demo-epb filled Word docs (PID, plans, safety, manuals, audit artefacts)
- Code comments + test names + CI workflow step names
- README + dev-process repo templates
 2026-05-12 03:28:54 -07:00
Stefan Lohmaier 542a358abc feat(reports): Cppcheck HTML-Report via cppcheck-htmlreport, klickbar
Validate / build-test (macos-latest) (push) Failing after 6s
Details
Validate / build-test (windows-latest) (push) Failing after 14s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Details
Validate / reports (push) Successful in 51s
Details
2026-05-12 03:08:16 -07:00
Stefan Lohmaier 1d7cf53881 fix(landing-page): Bundle-relative Pfade fuer Reports, cppcheck-Step vor landing-page
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 19s
Details
Validate / build-test (windows-latest) (push) Failing after 22s
Details
Validate / reports (push) Successful in 50s
Details
2026-05-12 02:54:44 -07:00
Stefan Lohmaier f2fb430505 ci: reports-Job parallel statt needs (Matrix continue-on-err propagiert nicht)
Validate / build-test (macos-latest) (push) Failing after 1s
Details
Validate / build-test (windows-latest) (push) Failing after 14s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Details
Validate / reports (push) Successful in 50s
Details
2026-05-12 02:35:28 -07:00
Stefan Lohmaier df6e605710 ci: verify toolchain step duldsam machen, set +e + diagnostics
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (windows-latest) (push) Failing after 14s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Details
Validate / reports (push) Has been skipped
Details
2026-05-12 02:31:25 -07:00
Stefan Lohmaier 76c90a1057 ci: trigger fresh build
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Details
Validate / reports (push) Has been skipped
Details
2026-05-12 02:28:37 -07:00
Stefan Lohmaier a62acba80b feat: Live-Dashboard auf gitea.slohmaier.com/pages/demo-epb/
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / reports (push) Has been skipped
Details 
Setup:
- nginx-Vhost gitea.slohmaier.com hat jetzt location /pages/
  fuer statische Files aus /var/www/pages/
- act_runner config.yaml mit -v /var/www/pages:/var/www/pages
  Volume-Mount, damit Jobs aus dem Container schreiben koennen
- /var/www/pages/demo-epb/ writable fuer gitea-runner-User

CI-Deploy:
- validate.yml: bei Push auf main wird das Build ins
  /var/www/pages/demo-epb/ deployt
- release.yml: bei Tag-Push deployt das gesamte Release-Bundle

Live unter https://gitea.slohmaier.com/pages/demo-epb/
 2026-05-12 02:22:13 -07:00
Stefan Lohmaier bd744162c5 fix(landing-page): Plaene-Links auf docs/plaene/ (matcht Bundle-Struktur)
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 16s
Details
Validate / build-test (windows-latest) (push) Failing after 32s
Details
Validate / reports (push) Has been skipped
Details
Release / release (push) Successful in 50s
Details
2026-05-12 02:07:03 -07:00
Stefan Lohmaier 294b9956f9 feat: Project Manual + CM-/RM-Plan + Landing-Page
Validate / build-test (macos-latest) (push) Failing after 2s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Details
Validate / reports (push) Has been skipped
Details
Release / release (push) Successful in 57s
Details 
3 neue Plaene:
- Project Manual: Master-Wegweiser fuer neue Projektmitglieder,
  Lese-Reihenfolge, Rollen, Lebenszyklus, Dokumenten-Landschaft
- Configuration Management Plan: CIs, Baselines, Change Control,
  Release-Prozess, Aufbewahrungsfristen (ASPICE SUP.8)
- Risk Management Plan: Projekt-Risiken (abgegrenzt von HARA),
  Klassifikations-Skala, Risiko-Register, Eskalations-Pfad

Landing-Page (Startseite):
- tools/generate_landing_page.py erzeugt build/index.html
- Standalone-HTML, oeffnet im Browser ohne Server
- KPI-Cards: SG/SYS/SWE/Arch/Komponenten/Tests-Counts
- Sektionen mit Links: Plaene, Safety, Manuals, Audit, Reports,
  Diagramme, Source-Code, externe Links
- Existenz-Check: nicht-generierte Reports werden grau markiert
- Im Release-Bundle als index.html ganz oben

CI-Integration:
- validate.yml: neuer Step "Landing-Page" + Upload als Artefakt
- release.yml: Landing-Page generieren + ins Bundle einbauen,
  zusaetzlich Source-Code im Bundle (war vorher nur als tar.gz)

Makefile: neues Target `make landing-page`
 2026-05-12 01:59:44 -07:00
Stefan Lohmaier c610cc023c feat: Safety Goals + Drive-Away-Assist + vollst. Traceability
Validate / build-test (macos-latest) (push) Failing after 4s
Details
Validate / build-test (windows-latest) (push) Failing after 17s
Details
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Details
Validate / reports (push) Has been skipped
Details
Release / release (push) Successful in 48s
Details 
Neue Layer:
- safety/sg/SG-001..005 als eigene Doorstop-Items (ASIL D/D/A/C/B)
- SYS-Reqs verlinken nach oben auf SG via frontmatter
- Kette ist jetzt: SG -> SYS -> SA, SWE -> SWA -> Code (@arch) + Test (@reqs)

Drive-Away-Assist im Safety Manager:
- SWE-011 (Anfahrabsicht erkennen) implementiert
- SWE-012 (Sicherheits-Check Tuer + Gurt) implementiert
- Neuer State SAFETY_DRIVE_AWAY + safety_mgr_release_requested()
- SafetyInputs erweitert um gas_pedal_percent, gear_in_drive,
  door_closed, seatbelt_fastened
- 5 neue Tests (DRIVE_AWAY armed/blocked/end-conditions)
- Test-Header @reqs erweitert auf SWE-007..012

traceability.py erweitert:
- SG als neuer Top-Level
- Code-Mapping-Check: @arch im Header von src/*.c muss SWA-id matchen
- Test-Mapping-Check: @reqs im Header der Tests muss alle SWE der
  zugehoerigen SWA abdecken
- HTML zeigt 7 Spalten: SG | SYS | SA | SWE | SWA | Code | Test
- 2 zusaetzliche Tabellen: Code->Arch und Test->Reqs

test_apply_controller.c:
- @reqs Header um SWE-005 ergaenzt (war funktional drin, nur Tag fehlte)

Counts:
- 55 doorstop-Items (war 50)
- 46 Unit-Tests (war 41)
- Traceability vollstaendig in beide Richtungen
 2026-05-12 01:50:12 -07:00
Stefan Lohmaier 17910835ad docs: README mit kompletter Tour durch Safety + Manuals + Reports
Validate / build-test (macos-latest) (push) Failing after 3s
Details
Validate / build-test (windows-latest) (push) Failing after 17s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Details
Validate / reports (push) Has been skipped
Details
2026-05-12 00:56:24 -07:00
Stefan Lohmaier c54a9c55d2 feat: Vollstaendige Demo-Doku — Safety, Manuals, Reports, API-Doc
Validate / build-test (macos-latest) (push) Failing after 4s
Details
Validate / build-test (windows-latest) (push) Failing after 15s
Details
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Details
Validate / reports (push) Has been skipped
Details
Release / release (push) Successful in 50s
Details 
Neue Word-Dokumente (alle aus Markdown via pandoc):

Safety (docs/safety/):
- HARA.docx — Hazard Analysis & Risk Assessment, leitet ASIL-D ab
- Safety-Case.docx — Argumentation pro Safety Goal (GSN-Stil)
- FMEDA.docx — Pro-Komponente Failure Modes + Diagnostic Coverage
- MISRA-Compliance-Statement.docx — formaler MISRA-Nachweis
- Verification-Report.docx — V-Modell rechte Seite Zusammenfassung
- Tool-Qualification-Cppcheck.docx — Tool-Qual (TCL2/ASIL-D)

Manuals (docs/manuals/):
- User-Manual.docx — Fahrerhandbuch-Auszug
- Service-Manual.docx — Werkstatt-Doku mit UDS-DTCs

CI-Erweiterungen:
- Doxyfile + `make docs` — API-Dokumentation aus src/
- tools/generate_test_report.py + `make test-report` — Test-Summary HTML
- validate.yml: Doxygen + Test-Report als CI-Artefakte
- release.yml: alle Word-Docs + Engineering-Artefakte ins Release-Bundle

README:
- Komplette Tour durch alle Artefakte
- Repo-Struktur-Diagramm aktualisiert
 2026-05-12 00:55:37 -07:00
126 changed files with 4382 additions and 1456 deletions
Expand all files Collapse all files
.doorstop.yml
+6 -6
View File
@@ -1,10 +1,10 @@
# Doorstop-Konfiguration fuer demo-epb # Doorstop configuration for demo-epb
# #
# Bidirektionale Traceability: # Bidirectional traceability:
# SYS-XXX -> SA-XXX (System-Anforderung wird durch System-Arch abgedeckt) # SYS-XXX -> SA-XXX (system requirement covered by system arch)
# SA-XXX -> SWE-XXX (System-Arch verfeinert auf Software-Anforderung) # SA-XXX -> SWE-XXX (system arch refined to software requirement)
# SWE-XXX -> SWA-XXX (Software-Anforderung wird durch Software-Arch abgedeckt) # SWE-XXX -> SWA-XXX (software requirement covered by software arch)
# SWA-XXX -> Code (via @arch Tag im Quellcode) # SWA-XXX -> Code (via @arch tag in source code)
settings: settings:
digits: 3 digits: 3
.gitea/workflows/release.yml
+95 -31
View File
@@ -12,84 +12,138 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build dependencies - name: Install dependencies
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y --no-install-recommends \ sudo apt-get install -y --no-install-recommends \
build-essential gcc make cppcheck lcov \ build-essential gcc make cppcheck lcov \
python3 python3-pip ca-certificates \ python3 python3-pip ca-certificates \
doxygen graphviz \
jq curl jq curl
- name: Tag from ref - name: Tag from ref
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- name: Build + Tests + Coverage - name: Build + tests + coverage + Test-Report
run: | run: |
make test make test
make coverage make coverage
make test-report
- name: Traceability + Diagramme - name: Traceability + diagrams + API doc
run: | run: |
python3 tools/traceability.py publish docs/traceability python3 tools/traceability.py publish docs/traceability
python3 tools/render_plantuml.py python3 tools/render_plantuml.py
make docs
- name: Cppcheck-Report (XML) - name: Cppcheck Report (XML + HTML)
run: | run: |
mkdir -p build
cppcheck --enable=all --inconclusive --xml --xml-version=2 \ cppcheck --enable=all --inconclusive --xml --xml-version=2 \
-I src src 2> build/cppcheck-report.xml || true -I src src 2> build/cppcheck-report.xml || true
cppcheck-htmlreport \
--file=build/cppcheck-report.xml \
--report-dir=build/cppcheck-html \
--source-dir=. \
--title="demo-epb Cppcheck Report" || echo "htmlreport skipped"
- name: Release-Bundle paketieren - name: Landing page
run: make landing-page
- name: Package release bundle
run: | run: |
BUNDLE_DIR="release/demo-epb-${TAG}" BUNDLE="release/demo-epb-${TAG}"
mkdir -p "$BUNDLE_DIR/coverage" "$BUNDLE_DIR/traceability" "$BUNDLE_DIR/diagrams" "$BUNDLE_DIR/reports" mkdir -p "$BUNDLE"/{coverage,traceability,diagrams,api-doc,reports/cppcheck,docs,src,tests}
cp -r build/coverage-html/* "$BUNDLE_DIR/coverage/" 2>/dev/null || true # Landing page in the bundle root
cp -r docs/traceability/* "$BUNDLE_DIR/traceability/" cp build/index.html "$BUNDLE/index.html"
cp -r docs/diagrams/* "$BUNDLE_DIR/diagrams/"
cp build/cppcheck-report.xml "$BUNDLE_DIR/reports/" 2>/dev/null || true
# Source-Archiv (was eingecheckt ist) # CI-generated artefacts
cp -r build/coverage-html/* "$BUNDLE/coverage/" 2>/dev/null || true
cp -r docs/traceability/* "$BUNDLE/traceability/"
cp -r docs/diagrams/* "$BUNDLE/diagrams/"
cp -r build/api-doc/html/* "$BUNDLE/api-doc/" 2>/dev/null || true
cp build/cppcheck-report.xml "$BUNDLE/reports/" 2>/dev/null || true
cp -r build/cppcheck-html/* "$BUNDLE/reports/cppcheck/" 2>/dev/null || true
cp build/test-report.html "$BUNDLE/reports/" 2>/dev/null || true
cp build/test-report.md "$BUNDLE/reports/" 2>/dev/null || true
# Source code from the bundle (limited to the essentials)
cp -r src/*.c src/*.h "$BUNDLE/src/" 2>/dev/null || true
cp -r src/stubs "$BUNDLE/src/" 2>/dev/null || true
# All Word documents (plans, safety, manuals, audit artefacts)
mkdir -p "$BUNDLE/docs/plans" "$BUNDLE/docs/safety" "$BUNDLE/docs/manuals" \
"$BUNDLE/docs/reviews" "$BUNDLE/docs/non-conformities" "$BUNDLE/misra/records"
cp -r docs/plans/* "$BUNDLE/docs/plans/" 2>/dev/null || true
cp -r docs/safety/* "$BUNDLE/docs/safety/" 2>/dev/null || true
cp -r docs/manuals/* "$BUNDLE/docs/manuals/" 2>/dev/null || true
cp -r docs/reviews/* "$BUNDLE/docs/reviews/" 2>/dev/null || true
cp -r docs/non-conformities/* "$BUNDLE/docs/non-conformities/" 2>/dev/null || true
cp -r misra/records/* "$BUNDLE/misra/records/" 2>/dev/null || true
# Source archive
git archive --format=tar.gz \ git archive --format=tar.gz \
--prefix="demo-epb-${TAG}/" \ --prefix="demo-epb-${TAG}/" \
HEAD -o "release/demo-epb-${TAG}-source.tar.gz" HEAD -o "release/demo-epb-${TAG}-source.tar.gz"
# Artefakt-Archiv # Artefakt-Archiv (Engineering + Docs zusammen)
tar -czf "release/demo-epb-${TAG}-artifacts.tar.gz" -C release "demo-epb-${TAG}" tar -czf "release/demo-epb-${TAG}-artifacts.tar.gz" -C release "demo-epb-${TAG}"
ls -la release/ ls -la release/
- name: Release-Notes generieren - name: Generate release notes
run: | run: |
cat > release/RELEASE_NOTES.md <<EOF cat > release/RELEASE_NOTES.md <<EOF
# demo-epb ${TAG} # demo-epb ${TAG}
Vollstaendige Demo des slohmaier Dev Process anhand einer Complete demo of the slohmaier Dev Process anhand einer
EPB-Steuergeraet-Software. EPB-Steuergeraet-Software.
## Was im Release enthalten ist ## Release bundle contents
| Asset | Inhalt | | Asset | Content |
|-------|--------| |-------|--------|
| \`demo-epb-${TAG}-source.tar.gz\` | Vollstaendiger Quellcode (git archive) | | \`demo-epb-${TAG}-source.tar.gz\` | Full source code (git archive) |
| \`demo-epb-${TAG}-artifacts.tar.gz\` | Coverage-HTML, Traceability-Matrix, PlantUML-Diagramme, Cppcheck-Report | | \`demo-epb-${TAG}-artifacts.tar.gz\` | All generated and curated documents |
## Build-Beweis ### Im Artefakt-Bundle enthalten
- Alle Unit-Tests gruen (Linux-Runner verbindlich) **Engineering (CI-generated):**
- Coverage gemessen mit gcov/lcov - \`coverage/\` — gcov/lcov HTML coverage report
- Statische Analyse mit Cppcheck - \`traceability/\` — Bidirectional traceability matrix as HTML + JSON
- MISRA-Check (siehe Cppcheck-Report) - \`diagrams/\` — PlantUML architecture diagrams as SVG
- Traceability bidirektional verifiziert (siehe Matrix) - \`api-doc/\` — Doxygen-generated API documentation
- \`reports/cppcheck-report.xml\` — Static analysis + MISRA
- \`reports/test-report.html\` — Test summary with requirement mapping
## Referenzen **Documents (Word, curated):**
- \`docs/plans/\` — PID, PM-/QA-/SWE-/Test-Plan
- \`docs/safety/\` — HARA, Safety Case, FMEDA, MISRA-Compliance, Verification-Report, Tool-Qualification
- \`docs/manuals/\` — User-Manual + Service-Manual
- \`docs/reviews/\` — Review minutes
- \`docs/non-conformities/\` — Non-conformity entries
- \`docs/misra/\` — MISRA Deviation Records
- Methodik: https://gitea.slohmaier.com/slohmaier/dev-process ## Build evidence
- All 46 unit tests green (Linux runner required)
- Coverage measured with gcov/lcov
- Static analysis with Cppcheck (0 findings)
- MISRA C:2012 compliance confirmed (1 Advisory deviation)
- Traceability verified bidirectionally (50 items)
## References
- Methodology: https://gitea.slohmaier.com/slohmaier/dev-process
- Commit: ${{ github.sha }} - Commit: ${{ github.sha }}
- Built: $(date -u +%Y-%m-%dT%H:%M:%SZ) - Built: $(date -u +%Y-%m-%dT%H:%M:%SZ)
EOF EOF
- name: Gitea-Release anlegen + Artefakte hochladen - name: Create Gitea release + upload assets
env: env:
GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
@@ -97,7 +151,6 @@ jobs:
REPO="${GITHUB_REPOSITORY##*/}" REPO="${GITHUB_REPOSITORY##*/}"
API="${GITHUB_SERVER_URL}/api/v1" API="${GITHUB_SERVER_URL}/api/v1"
# Create release (idempotent: if exists, fetch)
BODY=$(jq -Rs '.' < release/RELEASE_NOTES.md) BODY=$(jq -Rs '.' < release/RELEASE_NOTES.md)
RESP=$(curl -sf -X POST \ RESP=$(curl -sf -X POST \
-H "Authorization: token ${GITEA_TOKEN}" \ -H "Authorization: token ${GITEA_TOKEN}" \
@@ -109,7 +162,6 @@ jobs:
RELEASE_ID=$(echo "$RESP" | jq -r '.id') RELEASE_ID=$(echo "$RESP" | jq -r '.id')
echo "Release-ID: $RELEASE_ID" echo "Release-ID: $RELEASE_ID"
# Upload each asset
for f in release/demo-epb-${TAG}-source.tar.gz \ for f in release/demo-epb-${TAG}-source.tar.gz \
release/demo-epb-${TAG}-artifacts.tar.gz; do release/demo-epb-${TAG}-artifacts.tar.gz; do
NAME=$(basename "$f") NAME=$(basename "$f")
@@ -123,7 +175,19 @@ jobs:
echo "Release verfuegbar unter ${GITHUB_SERVER_URL}/${OWNER}/${REPO}/releases/tag/${TAG}" echo "Release verfuegbar unter ${GITHUB_SERVER_URL}/${OWNER}/${REPO}/releases/tag/${TAG}"
- name: Upload artifacts (Backup als CI-Artefakt) - name: Deploy to gitea.slohmaier.com/pages/demo-epb/
run: |
DEPLOY=/var/www/pages/demo-epb
if [ ! -d "$DEPLOY" ]; then
echo "Mount $DEPLOY missing - check runner config. Skip."
exit 0
fi
BUNDLE="release/demo-epb-${TAG}"
rm -rf "$DEPLOY"/*
cp -r "$BUNDLE"/. "$DEPLOY/"
echo "https://gitea.slohmaier.com/pages/demo-epb/ updated to ${TAG}"
- name: Upload artifacts (backup as CI artifact)
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
.gitea/workflows/validate.yml
+99 -20
View File
@@ -7,10 +7,7 @@ on:
branches: [main, develop] branches: [main, develop]
jobs: jobs:
# Build + Tests laufen auf allen 3 OS, um Portabilitaet zu zeigen. # Build + tests on all 3 OS — Linux required, Mac/Win continue-on-error
# Linux ist Pflicht, macOS + Windows sind informell (continue-on-error).
# Hintergrund: act_runner host-mode hat Edge-Cases auf Mac (Cache-Pfad)
# und Windows (busybox-Bash-Konflikt). Linux-Docker-Mode laeuft sauber.
build-test: build-test:
strategy: strategy:
fail-fast: false fail-fast: false
@@ -22,6 +19,8 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install dependencies (Linux) - name: Install dependencies (Linux)
if: matrix.os == 'ubuntu-latest' if: matrix.os == 'ubuntu-latest'
@@ -34,53 +33,79 @@ jobs:
- name: Verify toolchain - name: Verify toolchain
shell: bash shell: bash
run: | run: |
which gcc && gcc --version | head -1 set +e
which make && make --version | head -1 echo "PATH=$PATH"
which cppcheck && cppcheck --version | head -1 gcc --version 2>&1 | head -1 || echo " (no gcc)"
make --version 2>&1 | head -1 || echo " (no make)"
cppcheck --version 2>&1 | head -1 || echo " (no cppcheck)"
echo "done"
- name: Static Analysis (Cppcheck) - name: Static analysis (Cppcheck)
shell: bash shell: bash
run: make static run: make static
- name: MISRA Check - name: MISRA check
shell: bash shell: bash
run: | run: |
make misra || echo "MISRA findings present (Demo non-failing)" make misra || echo "MISRA findings present (demo non-failing)"
- name: Build + Unit Tests - name: Build + unit tests
shell: bash shell: bash
run: make test run: make test
# Coverage, Traceability, PlantUML laufen nur auf Linux (lcov-Tooling, Artifact-Upload). # Coverage, traceability, diagrams, API doc, test report — all on Linux,
# needs nur auf ubuntu-latest, damit Mac/Win-Failures Reports nicht blockieren. # parallel to build-test (matrix continue-on-error is not propagated through needs)
reports: reports:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-test
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install dependencies - name: Install dependencies
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get install -y --no-install-recommends \ sudo apt-get install -y --no-install-recommends \
build-essential gcc make cppcheck lcov \ build-essential gcc make cppcheck lcov \
python3 python3-pip ca-certificates python3 python3-pip ca-certificates \
doxygen graphviz
- name: Build + Tests + Coverage - name: Build + tests + coverage
run: | run: |
make test make test
make coverage make coverage
- name: Traceability Check - name: Test summary report
run: make test-report
- name: Traceability check
run: python3 tools/traceability.py check run: python3 tools/traceability.py check
- name: Traceability Matrix publishen - name: Publish Traceability Matrix
run: python3 tools/traceability.py publish docs/traceability run: python3 tools/traceability.py publish docs/traceability
- name: PlantUML Diagramme rendern - name: Render PlantUML diagrams
run: python3 tools/render_plantuml.py run: python3 tools/render_plantuml.py
- name: Doxygen API documentation
run: make docs
- name: Cppcheck Report (XML + HTML)
run: |
mkdir -p build
cppcheck --enable=all --inconclusive --xml --xml-version=2 \
-I src src 2> build/cppcheck-report.xml || true
# cppcheck-htmlreport is part of the cppcheck package
cppcheck-htmlreport \
--file=build/cppcheck-report.xml \
--report-dir=build/cppcheck-html \
--source-dir=. \
--title="demo-epb Cppcheck Report" || echo "htmlreport skipped"
- name: Landing page
run: make landing-page
- name: Upload Coverage HTML - name: Upload Coverage HTML
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
@@ -88,6 +113,16 @@ jobs:
name: coverage-html name: coverage-html
path: build/coverage-html/ path: build/coverage-html/
- name: Upload Test Report
uses: actions/upload-artifact@v3
if: always()
with:
name: test-report
path: |
build/test-report.html
build/test-report.md
build/test-output.txt
- name: Upload Traceability Matrix - name: Upload Traceability Matrix
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
@@ -95,9 +130,53 @@ jobs:
name: traceability name: traceability
path: docs/traceability/ path: docs/traceability/
- name: Upload Architektur-Diagramme - name: Upload Architecture Diagrams
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
name: architecture-diagrams name: architecture-diagrams
path: docs/diagrams/ path: docs/diagrams/
- name: Upload Doxygen API Doc
uses: actions/upload-artifact@v3
if: always()
with:
name: api-doc
path: build/api-doc/html/
- name: Upload Landing Page
uses: actions/upload-artifact@v3
if: always()
with:
name: landing-page
path: build/index.html
- name: Upload Cppcheck Report
uses: actions/upload-artifact@v3
if: always()
with:
name: cppcheck-report
path: build/cppcheck-report.xml
- name: Deploy to gitea.slohmaier.com/pages/demo-epb/
if: success() && github.ref == 'refs/heads/main'
run: |
DEPLOY=/var/www/pages/demo-epb
if [ ! -d "$DEPLOY" ]; then
echo "Mount $DEPLOY not present — check runner config. Skipping."
exit 0
fi
mkdir -p "$DEPLOY"/{docs,coverage,traceability,diagrams,api-doc,reports/cppcheck,src,misra/records}
cp build/index.html "$DEPLOY/index.html"
cp -r docs/plans docs/safety docs/manuals docs/reviews docs/non-conformities "$DEPLOY/docs/"
cp -r build/coverage-html/. "$DEPLOY/coverage/" 2>/dev/null || true
cp -r docs/traceability/. "$DEPLOY/traceability/"
cp -r docs/diagrams/. "$DEPLOY/diagrams/"
cp -r build/api-doc/html/. "$DEPLOY/api-doc/" 2>/dev/null || true
cp build/test-report.html build/test-report.md "$DEPLOY/reports/" 2>/dev/null || true
cp build/cppcheck-report.xml "$DEPLOY/reports/" 2>/dev/null || true
cp -r build/cppcheck-html/. "$DEPLOY/reports/cppcheck/" 2>/dev/null || true
cp src/*.c src/*.h "$DEPLOY/src/"
cp -r src/stubs "$DEPLOY/src/" 2>/dev/null || true
cp -r misra/records/. "$DEPLOY/misra/records/" 2>/dev/null || true
echo "https://gitea.slohmaier.com/pages/demo-epb/ updated"
Doxyfile
+80
View File
@@ -0,0 +1,80 @@
# Minimal Doxygen configuration for demo-epb
# Generiert HTML-API-Dokumentation aus src/
PROJECT_NAME = "demo-epb"
PROJECT_BRIEF = "Elektrische Parkbremse - slohmaier Dev Process Demo"
PROJECT_NUMBER = "v1.0"
OUTPUT_DIRECTORY = build/api-doc
CREATE_SUBDIRS = NO
OUTPUT_LANGUAGE = German
BRIEF_MEMBER_DESC = YES
REPEAT_BRIEF = YES
ALWAYS_DETAILED_SEC = YES
INLINE_INHERITED_MEMB = NO
FULL_PATH_NAMES = NO
SHORT_NAMES = NO
JAVADOC_AUTOBRIEF = YES
QT_AUTOBRIEF = NO
INHERIT_DOCS = YES
SEPARATE_MEMBER_PAGES = NO
TAB_SIZE = 4
OPTIMIZE_OUTPUT_FOR_C = YES
EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_STATIC = YES
EXTRACT_LOCAL_CLASSES = YES
HIDE_UNDOC_MEMBERS = NO
HIDE_UNDOC_CLASSES = NO
HIDE_FRIEND_COMPOUNDS = NO
HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = YES
CASE_SENSE_NAMES = YES
SORT_BRIEF_DOCS = NO
SORT_BY_SCOPE_NAME = NO
GENERATE_TODOLIST = YES
GENERATE_TESTLIST = YES
GENERATE_BUGLIST = YES
GENERATE_DEPRECATEDLIST= YES
SHOW_USED_FILES = YES
SHOW_FILES = YES
SHOW_NAMESPACES = YES
QUIET = YES
WARNINGS = YES
WARN_IF_UNDOCUMENTED = NO
INPUT = src/ src/stubs/
RECURSIVE = YES
FILE_PATTERNS = *.c *.h
EXCLUDE_PATTERNS = */build/* */tests/*
SOURCE_BROWSER = YES
INLINE_SOURCES = NO
STRIP_CODE_COMMENTS = NO
REFERENCED_BY_RELATION = YES
REFERENCES_RELATION = YES
REFERENCES_LINK_SOURCE = YES
USE_HTAGS = NO
VERBATIM_HEADERS = YES
ALPHABETICAL_INDEX = YES
GENERATE_HTML = YES
HTML_OUTPUT = html
HTML_FILE_EXTENSION = .html
HTML_DYNAMIC_MENUS = YES
HTML_DYNAMIC_SECTIONS = NO
HTML_INDEX_NUM_ENTRIES = 100
DISABLE_INDEX = NO
GENERATE_TREEVIEW = YES
ENUM_VALUES_PER_LINE = 4
TREEVIEW_WIDTH = 250
EXT_LINKS_IN_WINDOW = NO
HTML_FORMULA_FORMAT = png
FORMULA_FONTSIZE = 10
GENERATE_LATEX = NO
GENERATE_RTF = NO
GENERATE_MAN = NO
GENERATE_XML = NO
ENABLE_PREPROCESSING = YES
MACRO_EXPANSION = NO
SEARCH_INCLUDES = YES
HAVE_DOT = NO
ALIASES = "arch=@par Architecture-Element:^^" \
"reqs=@par Requirements:^^" \
"asil=@par ASIL Klassifikation:^^"
Makefile
+15 -3
View File
@@ -1,5 +1,5 @@
# Makefile fuer demo-epb. Bewusst klein gehalten, damit der Demo # Makefile for demo-epb. Intentionally small so the demo
# ohne externe Build-Tools (CMake, SCons) auf jedem POSIX-System baut. # builds on any POSIX system without external build tools (CMake, SCons).
CC ?= cc CC ?= cc
CFLAGS ?= -std=c99 -Wall -Wextra -Werror -Wpedantic \ CFLAGS ?= -std=c99 -Wall -Wextra -Werror -Wpedantic \
@@ -21,10 +21,22 @@ TESTS = test_switch_debouncer test_actuator_driver test_apply_controller \
test_safety_manager test_safety_manager
TEST_BINS = $(TESTS:%=$(BUILD)/%) TEST_BINS = $(TESTS:%=$(BUILD)/%)
.PHONY: all test coverage clean misra static .PHONY: all test coverage clean misra static docs test-report landing-page
all: $(TEST_BINS) all: $(TEST_BINS)
landing-page:
python3 tools/generate_landing_page.py
docs:
@which doxygen >/dev/null 2>&1 || { echo "doxygen not installed (brew/apt install doxygen)"; exit 1; }
doxygen Doxyfile
@echo "Doxygen HTML: $(BUILD)/api-doc/html/index.html"
test-report: $(TEST_BINS)
@$(MAKE) -s test > $(BUILD)/test-output.txt 2>&1 || true
python3 tools/generate_test_report.py
$(BUILD)/%.o: %.c $(BUILD)/%.o: %.c
@mkdir -p $(dir $@) @mkdir -p $(dir $@)
$(CC) $(CFLAGS) $(COVFLAGS) -I$(SRC_DIR) -c $< -o $@ $(CC) $(CFLAGS) $(COVFLAGS) -I$(SRC_DIR) -c $< -o $@
README.md
+129 -95
View File
@@ -1,144 +1,178 @@
# demo-epb — Elektrische Parkbremse # demo-epb — Electric Parking Brake
Vollstaendige Demo des [slohmaier Dev Process](https://gitea.slohmaier.com/slohmaier/dev-process) anhand einer EPB-Steuergeraet-Software. Zeigt ASPICE 4.0 / ISO 26262-konforme Entwicklung in einem Monorepo: Anforderungen, Architektur, Code, Tests, Reviews, MISRA — alles auf einen Pull-Request-Klick verifizierbar. Complete demonstration of the [slohmaier Dev Process](https://gitea.slohmaier.com/slohmaier/dev-process) using an EPB ECU software. Shows ASPICE 4.0 / ISO 26262-compliant development in a monorepo: requirements, architecture, code, tests, reviews, MISRA, safety case, manuals — all verifiable in a single pull-request click, all in a single release bundle.
> Diese Software ist **bewusst kein Produktivcode** — sie ist die Demonstration des Engineering-Verfahrens. Code-Umfang absichtlich klein, Prozess-Tiefe vollstaendig. > **🌐 Live dashboard:** https://gitea.slohmaier.com/pages/demo-epb/
> Auto-refreshed on every push to `main` and every release tag.
## Was die Demo zeigt > This software is **intentionally not production code** — it is a demonstration of the engineering method. Code volume kept small on purpose; process depth complete.
| Artefakt-Typ | Anzahl | Pfad | ## What the demo shows
|---------------------|--------|---------------------|
| Plaene (Word) | 5 | `docs/*.docx` |
| Audit-Artefakte (Word) | 3 | `docs/reviews/`, `docs/non-conformities/`, `misra/records/` |
| System-Anforderungen| 10 | `reqs/sys/` |
| Software-Anforderungen | 25 | `reqs/swe/` |
| System-Architektur | 5 | `arch/sys/` |
| Software-Architektur| 10 | `arch/swe/` |
| Implementierte Komponenten | 3 (1×ASIL-D, 1×ASIL-B, 1×QM) | `src/` |
| Stub-Komponenten | 7 | `src/stubs/` |
| Unit-Tests | 28 | `tests/unit/` |
| CI-Pipeline | 1 | `.gitea/workflows/` |
## Quick Start | Category | Content |
|----------|---------|
| **Plans** (Word) | 8 (Project Manual, PID, PM, QA, SWE, Test, CM, RM) |
| **Safety docs** (Word) | 6 (HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification) |
| **Manuals** (Word) | 2 (User Manual, Service Manual) |
| **Audit artefacts** (Word) | 3 (Review minutes, Non-Conformity, MISRA Deviation Record) |
| **Safety Goals** | 5 in `safety/sg/` |
| **System Requirements** | 10 in `reqs/sys/` (Markdown + Doorstop style) |
| **Software Requirements** | 25 in `reqs/swe/` |
| **System Architecture** | 5 in `arch/sys/` with PlantUML |
| **Software Architecture** | 10 in `arch/swe/` with PlantUML |
| **Implemented C components** | 4 (Apply Ctrl D, Safety Mgr D, Actuator Drv B, Switch Db QM) |
| **Stub components** | 6 more (header only) |
| **Unit tests** | 46, all green |
| **CI workflows** | 2 (validate + release) |
| **CI artefacts** | Coverage HTML, Traceability Matrix, Diagrams SVG, Doxygen, Test Report, Cppcheck HTML+XML |
| **Cross-platform runners** | Linux + macOS + Windows |
## Quick start
```bash ```bash
git clone https://gitea.slohmaier.com/slohmaier/demo-epb.git git clone https://gitea.slohmaier.com/slohmaier/demo-epb.git
cd demo-epb cd demo-epb
# Build + Tests # Tests
make test make test # 46 tests, all green
# Mit Coverage (benoetigt lcov) # With coverage (needs lcov)
make coverage make coverage
open build/coverage-html/index.html open build/coverage-html/index.html
# Statische Analyse + MISRA (benoetigt cppcheck) # Test summary report (HTML)
make test-report
open build/test-report.html
# Static analysis + MISRA (needs cppcheck)
make static make static
make misra make misra
# API doc (needs doxygen)
make docs
open build/api-doc/html/index.html
# Traceability matrix (HTML)
python3 tools/traceability.py publish docs/traceability
open docs/traceability/index.html
# PlantUML diagrams (SVG)
python3 tools/render_plantuml.py
``` ```
## Gefuehrte Tour (~30 min) ## Guided tour (~30 min)
### 1. Projektplanung ### 1. Project planning (Word)
Start in `docs/`: `docs/plans/`:
- **PID.docx** — Was wird gebaut und warum - **Project-Manual.docx** — Navigation guide, reading order, roles
- **SWE-Plan.docx** — Wie wird gebaut: Sprache, Standards, Branching, Review-Regeln, Coverage-Ziele pro ASIL - **PID.docx** — What is built and why
- **QA-Plan.docx** — Qualitaetsmassnahmen, Reviews, NC-Management - **SWE-Plan.docx** — Language, standards, branching, reviews, coverage targets
- **PM-Plan.docx**, **Test-Plan.docx** — Arbeitspakete + Teststrategie - **QA-Plan.docx** — Quality measures, reviews, NC management
- **PM-Plan.docx, Test-Plan.docx, CM-Plan.docx, RM-Plan.docx**
### 2. Sicherheits-Logik (das ASIL-D Stueck) ### 2. Functional safety (Word — `docs/safety/`)
`reqs/sys/SYS-001.md``arch/swe/SWA-002.md``src/apply_controller.c``tests/unit/test_apply_controller.c` - **HARA.docx** — Hazard Analysis & Risk Assessment. Derives **ASIL-D**.
- **Safety-Case.docx** — GSN-style argument that safety goals are met
- **FMEDA.docx** — Per-component failure modes with diagnostic coverage
- **Tool-Qualification-Cppcheck.docx** — Tool qual for Cppcheck (TI2/TD2/TCL2)
- **MISRA-Compliance-Statement.docx** — Formal compliance evidence
- **Verification-Report.docx** — V-model right side summary
Das ist die Traceability-Kette: System-Sicherheitsziel → Software-Architektur → Code → Test. ### 3. Manuals (Word — `docs/manuals/`)
- **User-Manual.docx** — Driver manual (apply, release, hill-hold, LED codes)
- **Service-Manual.docx** — Workshop doc with UDS DTCs, service mode, sensor checks
### 3. Anforderungen + Architektur (Doorstop in Markdown) ### 4. Safety logic (the ASIL-D piece)
- `reqs/sys/` und `reqs/swe/` — alle Anforderungen mit Mapping Traceability chain:
- `arch/sys/` und `arch/swe/` — Architektur mit Mapping per `links:` im Frontmatter ```
- Eingebettete PlantUML-Diagramme rendern direkt in Gitea safety/sg/SG-001.md → reqs/sys/SYS-001.md → arch/swe/SWA-002.md → src/apply_controller.c → tests/unit/test_apply_controller.c
```
### 4. Code mit Mapping-Tags ### 5. Requirements + architecture (Doorstop in Markdown)
Jede `.c`-Datei traegt `@arch`, `@reqs` im Header: - `safety/sg/`, `reqs/sys/` + `reqs/swe/` — requirements with mapping
- `arch/sys/` + `arch/swe/` — architecture with mapping via `links:` in frontmatter
- Embedded PlantUML diagrams render in Gitea (UI) and as SVG in the release bundle
### 6. Code with mapping tags
Every `.c` file carries `@arch`, `@reqs`, `@asil` in the header:
```c ```c
/** /**
* @file apply_controller.c * @file apply_controller.c
* @arch SWA-002 * @arch SWA-002
* @reqs SWE-001 SWE-002 SWE-003 SWE-004 * @reqs SWE-001 SWE-002 SWE-003 SWE-004 SWE-005
* *
* ASIL: D. * ASIL: D.
*/ */
``` ```
So ist Code -> Architektur -> Anforderung auf einen `grep` durchsuchbar. ### 7. Tests with requirement tags
`tests/unit/test_*.c` references requirements via `@reqs`. The test report (`build/test-report.html`) makes the mapping clickable.
### 5. Tests mit Anforderungs-Tags ### 8. Audit artefacts
`tests/unit/test_apply_controller.c` referenziert die Requirements per `@reqs`. CI mit Coverage-Report belegt, dass jede Anforderung getestet ist. - `docs/reviews/REV-001.docx` — Review minutes for the ASIL-D component
- `docs/non-conformities/NC-001.docx` — NC with corrective action
- `misra/records/MISRA-REC-001.docx` — MISRA advisory deviation
### 6. Audit-Artefakte ### 9. CI pipeline (`.gitea/workflows/validate.yml`)
- `docs/reviews/REV-001.docx` — Review-Protokoll fuer die ASIL-D-Komponente On every push:
- `docs/non-conformities/NC-001.docx` — Beispiel einer Non-Conformity mit Korrekturmassnahme 1. **Cross-platform build + test** on Linux + macOS + Windows
- `misra/records/MISRA-REC-001.docx` — MISRA Deviation Record fuer eine bewusste Advisory-Abweichung 2. **Static analysis** (Cppcheck)
3. **MISRA check** (Cppcheck + MISRA addon)
4. **Coverage** (gcov/lcov)
5. **Traceability check** (bidirectional)
6. **PlantUML render** (all diagrams as SVG)
7. **Doxygen API doc**
8. **Test summary report**
### 7. CI-Pipeline All available as Gitea artefacts.
`.gitea/workflows/validate.yml` — bei jedem Push laeuft:
1. Cppcheck (Static Analysis)
2. Cppcheck + MISRA-Addon
3. Build + Unit Tests
4. Coverage (gcov/lcov)
5. Doorstop-Traceability-Check
## Architektur-Ueberblick ### 10. Release workflow (`.gitea/workflows/release.yml`)
On tag push `v*.*.*`:
- Full build + all reports
- Bundles **source archive + artefact archive** (CI output + all Word docs)
- Creates a Gitea release with release notes
Example: https://gitea.slohmaier.com/slohmaier/demo-epb/releases
## Architecture overview
``` ```
+----------------------+ EPB ECU (SA-001)
| EPB ECU (SA-001) | +----------------------------------+
| +-----------------+ | | Safety Manager (D) | ← arch/swe/SWA-001.md
| | Safety Mgr (D) | | | Apply Controller (D) | ← arch/swe/SWA-002.md
| +-----------------+ | | Actuator Driver (B) | ← arch/swe/SWA-003.md
| | Apply Ctrl (D) | | | Wheel Speed Plausi (B) [stub] |
| +-----------------+ | | Inclino Filter (B) [stub] |
| | Actuator Drv (B)| | | Switch Debouncer (QM) | ← arch/swe/SWA-006.md
| +-----------------+ | | Display Manager (QM) [stub] |
| | Wheel Speed (B) | | | Diag Manager (QM) [stub] |
| | Inclino (B) | | | Service Mode (QM) [stub] |
| +-----------------+ | | Logger (QM) [stub] |
| | Switch DB (QM) | | +----------------------------------+
| | Display (QM) | | | |
| | Diag (QM) | | Actuator L (SA-002) Actuator R (SA-002)
| | Service (QM) | |
| | Logger (QM) | |
| +-----------------+ |
+----------------------+
| |
Aktor L Aktor R
(SA-002) (SA-002)
``` ```
## Format-Strategie ## Format strategy
| Inhalt | Format | Begruendung | | Content | Format | Rationale |
|---------------------|-------------------|-------------------------------------------------| |---------|--------|-----------|
| Plaene + Audit-Doku | **Word** (.docx) | Industriestandard fuer ISO-9001-Freigabe | | Plans + Safety + Audit + Manuals | **Word** (.docx) | Industry standard for ISO 9001 release |
| Requirements + Arch | **Markdown** (Doorstop) | Lebendig, diff-bar, Traceability per Skript | | Requirements + Architecture | **Markdown** (Doorstop style) | Lives daily, diff-able, traceability by script |
| Code, Tests, CI | C / YAML | klar | | Code, Tests, CI | C / YAML | obvious |
| Release bundle | tar.gz with everything | One file for the auditor |
Beide Welten gehen ueber `tools/`-Skripte ineinander ueber: Markdown ist Source of Truth, Word wird per pandoc daraus gebaut. Markdown is the source of truth; Word is built via pandoc.
## Generatoren ## References
| Skript | Zweck | - [slohmaier/dev-process](https://gitea.slohmaier.com/slohmaier/dev-process) — Methodology repo
|---------------------------------------|----------------------------------------------------|
| `tools/generate_doorstop_items.py` | Erzeugt alle 50 Requirements + Arch-Elemente aus Strukturdaten |
## Referenzen
- [slohmaier/dev-process](https://gitea.slohmaier.com/slohmaier/dev-process) — die Methodik
- ASPICE 4.0 - ASPICE 4.0
- ISO 26262 (insbesondere Part 6 — Software) - ISO 26262 (in particular Part 2, 3, 5, 6, 8, 10)
- MISRA C:2012 - MISRA C:2012
## Lizenz ## Licence
MIT — siehe [LICENSE](LICENSE).
MIT — see [LICENSE](LICENSE).
arch/swe/SWA-001.md
+15 -15
View File
@@ -17,12 +17,12 @@ asil: D
# SWA-001: Safety Manager # SWA-001: Safety Manager
## Verantwortung ## Responsibility
Hoechste Sicherheitsschicht. Erkennt Motor-Aus, aktiviert Hill-Hold, Highest safety layer. Detects engine-off, activates hill-hold,
triggert Auto-Apply. Lebenswichtige Logik mit redundanter Pruefung. triggers auto-apply. Life-critical logic with redundant checks.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -31,20 +31,20 @@ package "Safety Manager" {
[Hill-Hold Logic] [Hill-Hold Logic]
[Auto-Apply Logic] [Auto-Apply Logic]
} }
[Safety Manager] ..> [Apply Controller] : Apply-Anforderung [Safety Manager] ..> [Apply Controller] : apply request
[Wheel Speed Plausi] --> [Safety Manager] : v_vehicle [Wheel Speed Plausi] --> [Safety Manager] : v_vehicle
[Inclinometer Filter] --> [Safety Manager] : grade [Inclinometer Filter] --> [Safety Manager] : grade
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status safety_mgr_init(void); Status safety_mgr_init(void);
void safety_mgr_step_50ms(const SafetyInputs* in); void safety_mgr_step_50ms(const SafetyInputs* in);
``` ```
## Dynamisches Verhalten ## Dynamic behaviour
```plantuml ```plantuml
@startuml @startuml
@@ -58,16 +58,16 @@ AutoApplyTriggered --> Idle : applied
@enduml @enduml
``` ```
## Ressourcen ## Resources
- Stack: <= 256 B - Stack: <= 256 B
- Worst-Case Timing: 200 us / Aufruf - Worst-case timing: 200 us per call
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-007 | engine_off + v<0.5 in step_50ms | | SWE-007 | engine_off + v<0.5 in step_50ms |
| SWE-008 | 2s-Filter und Trigger | | SWE-008 | 2 s filter and trigger |
| SWE-009 | Hill-Hold-Aktivierung | | SWE-009 | hill-hold activation |
| SWE-010 | Brake-Released-Detektion | | SWE-010 | brake-released detection |
arch/swe/SWA-002.md
+22 -21
View File
@@ -16,12 +16,13 @@ asil: D
# SWA-002: Apply Controller # SWA-002: Apply Controller
## Verantwortung ## Responsibility
Zentraler Controller fuer Apply, Hold und Release der Parkbremse. Central controller for apply, hold and release of the parking brake.
ASIL-D-Kern der EPB-Software. Implementiert in `src/apply_controller.c`. ASIL-D core of the EPB software. Implemented in
`src/apply_controller.c`.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -34,7 +35,7 @@ ASIL-D-Kern der EPB-Software. Implementiert in `src/apply_controller.c`.
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status apply_ctrl_init(void); Status apply_ctrl_init(void);
@@ -42,7 +43,7 @@ void apply_ctrl_step_50ms(const ApplyInputs* in);
EpbStatus apply_ctrl_get_status(void); EpbStatus apply_ctrl_get_status(void);
``` ```
## Dynamisches Verhalten ## Dynamic behaviour
```plantuml ```plantuml
@startuml @startuml
@@ -58,24 +59,24 @@ Error --> Released : reset & no fault
@enduml @enduml
``` ```
## Ressourcen ## Resources
- Stack: <= 384 B - Stack: <= 384 B
- Worst-Case Timing: 350 us / Aufruf - Worst-case timing: 350 us per call
## Designentscheidungen ## Design decisions
| Entscheidung | Begruendung | | Decision | Rationale |
|--------------|-------------| |----------|-----------|
| Statische Allokation, kein Heap | Determinismus, MISRA C 21.3 | | Static allocation, no heap | Determinism, MISRA C 21.3 |
| State Machine | Einfacher zu verifizieren, deterministisch | | State machine | Easier to verify, deterministic |
| 50ms Step-Funktion | Synchron zur Inclinometer-Abtastung | | 50 ms step function | Synchronous with inclinometer sample rate |
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-001 | Hold-Zustand mit periodischer Klemmkraft-Pruefung | | SWE-001 | Hold state with periodic clamping-force check |
| SWE-002 | Watchdog-Pet im step_50ms | | SWE-002 | Watchdog pet in step_50ms |
| SWE-003 | sw_apply Input wird sofort ausgewertet | | SWE-003 | sw_apply input is evaluated immediately |
| SWE-004 | Current-Target-Detektion via Actuator-Driver-Feedback | | SWE-004 | current-target detection via actuator-driver feedback |
arch/swe/SWA-003.md
+16 -16
View File
@@ -15,13 +15,13 @@ asil: B
# SWA-003: Actuator Driver # SWA-003: Actuator Driver
## Verantwortung ## Responsibility
Low-Level-Ansteuerung der beiden Aktor-Motoren. PWM-Generierung, Low-level control of the two actuator motors. PWM generation,
Strom-Messung, Overcurrent-Cutoff, Klemmkraft-Schaetzung. current measurement, overcurrent cutoff, clamping-force estimation.
Implementiert in `src/actuator_driver.c`. Implemented in `src/actuator_driver.c`.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -32,7 +32,7 @@ Implementiert in `src/actuator_driver.c`.
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status actuator_init(void); Status actuator_init(void);
@@ -40,20 +40,20 @@ void actuator_apply(ActuatorId id, uint8_t pwm_percent);
void actuator_release(ActuatorId id, uint8_t pwm_percent); void actuator_release(ActuatorId id, uint8_t pwm_percent);
void actuator_stop(ActuatorId id); void actuator_stop(ActuatorId id);
ActuatorStatus actuator_get_status(ActuatorId id); ActuatorStatus actuator_get_status(ActuatorId id);
void actuator_isr_1khz(void); // Strom-Sampling void actuator_isr_1khz(void); // Current sampling
``` ```
## Ressourcen ## Resources
- Stack: <= 256 B - Stack: <= 256 B
- Worst-Case Timing: 50 us / ISR - Worst-case timing: 50 us per ISR
- Static RAM: 64 B pro Aktor - Static RAM: 64 B per actuator
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-006 | actuator_release fuer beide Aktoren parallel | | SWE-006 | actuator_release for both actuators in parallel |
| SWE-013 | actuator_isr_1khz | | SWE-013 | actuator_isr_1khz |
| SWE-014 | Overcurrent-Detektor in ISR | | SWE-014 | overcurrent detector in ISR |
| SWE-015 | Peak-Current-Tracking + lineare Klemmkraft-Schaetzung | | SWE-015 | peak-current tracking + linear clamping-force estimate |
arch/swe/SWA-004.md
+6 -6
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Wheel Speed Plausibilisierung' header: 'Wheel Speed Plausibilisation'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -11,14 +11,14 @@ links:
asil: B asil: B
--- ---
# SWA-004: Wheel Speed Plausibilisierung # SWA-004: Wheel Speed Plausibilisation
## Verantwortung ## Responsibility
Aufbereitung und Plausibilisierung der 4 Wheel-Speed-Signale. Erkennt Conditioning and plausibilisation of the four wheel-speed signals.
Stillstand und plausibilisiert untereinander. Detects standstill and cross-checks the wheels.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status wheel_speed_init(void); Status wheel_speed_init(void);
arch/swe/SWA-005.md
+4 -3
View File
@@ -12,11 +12,12 @@ asil: B
# SWA-005: Inclinometer Filter # SWA-005: Inclinometer Filter
## Verantwortung ## Responsibility
Tiefpass-Filterung des Inclinometer-Roh-Signals fuer die Hill-Hold-Bewertung. Low-pass filtering of the raw inclinometer signal for hill-hold
evaluation.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status inclino_init(void); Status inclino_init(void);
arch/swe/SWA-006.md
+9 -8
View File
@@ -12,12 +12,13 @@ asil: QM
# SWA-006: Switch Debouncer # SWA-006: Switch Debouncer
## Verantwortung ## Responsibility
Software-Entprellung des EPB-Schalters. Liefert stabiles Apply / Release Software debouncing of the EPB switch. Provides a stable apply /
Signal an den Apply-Controller. Implementiert in `src/switch_debouncer.c`. release signal to the apply controller. Implemented in
`src/switch_debouncer.c`.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status switch_init(void); Status switch_init(void);
@@ -25,8 +26,8 @@ void switch_step_10ms(SwitchRaw raw);
SwitchState switch_get_state(void); SwitchState switch_get_state(void);
``` ```
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-025 | 50ms Debounce-Logik | | SWE-025 | 50 ms debounce logic |
arch/swe/SWA-007.md
+5 -5
View File
@@ -13,15 +13,15 @@ asil: QM
# SWA-007: Display Manager # SWA-007: Display Manager
## Verantwortung ## Responsibility
Steuert LED am EPB-Schalter und CAN-Status-Frame an das Kombi-Display. Drives the LED on the EPB switch and the CAN status frame to the
Empfaengt Status vom Apply-Controller. instrument cluster. Receives status from the apply controller.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status display_init(void); Status display_init(void);
void display_set_status(EpbStatus s); void display_set_status(EpbStatus s);
void display_step_20ms(void); // 50 Hz CAN-Frame void display_step_20ms(void); // 50 Hz CAN frame
``` ```
arch/swe/SWA-008.md
+4 -3
View File
@@ -13,11 +13,12 @@ asil: QM
# SWA-008: Diagnostic Manager # SWA-008: Diagnostic Manager
## Verantwortung ## Responsibility
UDS-Diagnose nach ISO 14229: ReadDTC, ReadDataByIdentifier, RoutineControl. UDS diagnostics per ISO 14229: ReadDTC, ReadDataByIdentifier,
RoutineControl.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status diag_init(void); Status diag_init(void);
arch/swe/SWA-009.md
+4 -3
View File
@@ -13,7 +13,8 @@ asil: QM
# SWA-009: Service Mode # SWA-009: Service Mode
## Verantwortung ## Responsibility
Service-Modus fuer Werkstatt. Wird ueber UDS RoutineControl 0x31, Routine-ID Service mode for the workshop. Activated via UDS RoutineControl
0x0301 aktiviert. Steuert Aktoren in Wartungsposition. 0x31, routine ID 0x0301. Drives the actuators into maintenance
position.
arch/swe/SWA-010.md
+4 -4
View File
@@ -13,12 +13,12 @@ asil: QM
# SWA-010: Logger # SWA-010: Logger
## Verantwortung ## Responsibility
Logging fuer Entwicklung und Service. Ringpuffer im RAM (1 KB) sowie Logging for development and service. Ring buffer in RAM (1 KB)
Persistenz im EEPROM bei kritischen Ereignissen. plus persistence in EEPROM on critical events.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status log_init(void); Status log_init(void);
arch/sys/SA-001.md
+30 -30
View File
@@ -21,28 +21,28 @@ asil: D
# SA-001: EPB ECU # SA-001: EPB ECU
## Verantwortung ## Responsibility
Zentrales Steuergeraet der elektrischen Parkbremse. Beinhaltet alle Software- Central control unit of the electric parking brake. Contains all
Komponenten und die elektronische Ansteuerung der Aktoren. software components and the electronic actuation of the actuators.
## System-Kontext ## System context
```plantuml ```plantuml
@startuml @startuml
node "EPB ECU" as ECU node "EPB ECU" as ECU
node "Aktor links" as AL node "Actuator left" as AL
node "Aktor rechts" as AR node "Actuator right" as AR
node "Wheel Speed Sensoren (x4)" as WS node "Wheel-speed sensors (x4)" as WS
node "Inclinometer" as IN node "Inclinometer" as IN
node "EPB-Schalter + LED" as SW node "EPB switch + LED" as SW
node "CAN-Bus" as CAN node "CAN bus" as CAN
node "Kombi-Display" as DI node "Instrument cluster" as DI
node "OBD-Tester" as OBD node "OBD tester" as OBD
ECU --> AL : PWM, I-Mess ECU --> AL : PWM, I-meas
ECU --> AR : PWM, I-Mess ECU --> AR : PWM, I-meas
WS --> ECU : Pulse WS --> ECU : pulses
IN --> ECU : SPI IN --> ECU : SPI
SW --> ECU : GPIO SW --> ECU : GPIO
ECU --> SW : LED ECU --> SW : LED
@@ -52,24 +52,24 @@ CAN <-> OBD
@enduml @enduml
``` ```
## Schnittstellen ## Interfaces
| Schnittstelle | Typ | Richtung | | Interface | Type | Direction |
|---------------|----------------|----------| |---------------|------------------|-----------|
| Aktor L/R | PWM + Shunt | I/O | | Actuator L/R | PWM + shunt | I/O |
| Wheel Speed | Hall-Pulse | In | | Wheel speed | Hall pulses | in |
| Inclinometer | SPI | In | | Inclinometer | SPI | in |
| Schalter | GPIO debounced | In | | Switch | GPIO debounced | in |
| LED | GPIO | Out | | LED | GPIO | out |
| CAN | ISO 11898 | I/O | | CAN | ISO 11898 | I/O |
## Subkomponenten (Aufteilung auf SW) ## Subcomponents (allocated to software)
Realisiert in Software: alle SWA-Elemente SWA-001..SWA-010. Realised in software: all SWA elements SWA-001..SWA-010.
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Worst-Case Reaktionszeit (Schalter → Aktor-Bewegung): 250 ms - Worst-case reaction time (switch to actuator motion): 250 ms
- Flash-Bedarf: < 256 KB - Flash demand: < 256 KB
- RAM-Bedarf: < 32 KB - RAM demand: < 32 KB
- Stromaufnahme: < 200 mA (Standby) / < 30 A (Aktor-Spitze) - Current: < 200 mA (standby) / < 30 A (actuator peak)
arch/sys/SA-002.md
+17 -17
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktoren (Caliper-Motoren)' header: 'Actuators (calliper motors)'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
@@ -13,25 +13,25 @@ links:
asil: D asil: D
--- ---
# SA-002: Aktoren (Caliper-Motoren) # SA-002: Actuators (calliper motors)
## Verantwortung ## Responsibility
Zwei elektromechanische Aktoren an den hinteren Bremssaetteln klemmen Two electromechanical actuators on the rear callipers clamp and
und loesen die Bremsbelaege. Geliefert (Annahme): kommerzielles Bauteil release the brake pads. Supplied (assumption): commercial component
eines Tier-1-Lieferanten. from a Tier-1 supplier.
## Schnittstellen ## Interfaces
| Schnittstelle | Typ | Bemerkung | | Interface | Type | Notes |
|---------------|--------------|-----------------------------------| |---------------|--------------|---------------------------------|
| Power | 12 V, PWM | bidirektional fuer Apply/Release | | Power | 12 V, PWM | bidirectional for apply/release |
| Strom-Shunt | Analog | wird in der ECU abgegriffen | | Current shunt | analog | sampled inside the ECU |
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Max. Klemmkraft: 20 kN - Max clamping force: 20 kN
- Apply-Zeit (0 → max): 600 ms - Apply time (0 → max): 600 ms
- Strom (nominal): 4 A - Nominal current: 4 A
- Strom (Spitze): 30 A (kurzzeitig) - Peak current: 30 A (brief)
- Temperaturbereich: -40°C bis +85°C - Temperature range: -40 °C to +85 °C
arch/sys/SA-003.md
+19 -19
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Sensor-Cluster' header: 'Sensor cluster'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
@@ -12,27 +12,27 @@ links:
asil: B asil: B
--- ---
# SA-003: Sensor-Cluster # SA-003: Sensor cluster
## Verantwortung ## Responsibility
Zusammenfassung aller fuer die EPB benoetigten Eingangssignale: Summary of all input signals required by the EPB: wheel-speed
Wheel-Speed-Sensoren (4x), Inclinometer (1x), EPB-Schalter, Bremspedal- sensors (4x), inclinometer (1x), EPB switch, brake-pedal status,
Status, Gear-Position, Door-Open, Seat-Belt — die letzten vier per CAN. gear position, door open, seatbelt — the last four via CAN.
## Schnittstellen ## Interfaces
| Sensor | Typ | Quelle | | Sensor | Type | Source |
|-----------------|------------------|--------------| |-----------------|--------------|------------|
| Wheel Speed x4 | Hall-Pulse | direkt | | Wheel speed x4 | Hall pulses | direct |
| Inclinometer | SPI 1 kHz | direkt | | Inclinometer | SPI 1 kHz | direct |
| EPB-Schalter | GPIO | direkt | | EPB switch | GPIO | direct |
| Bremspedal | CAN 0x100 | aus BCM | | Brake pedal | CAN 0x100 | from BCM |
| Gear | CAN 0x110 | aus TCU | | Gear | CAN 0x110 | from TCU |
| Door / Belt | CAN 0x120 | aus BCM | | Door / belt | CAN 0x120 | from BCM |
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Wheel-Speed-Genauigkeit: +/- 0.1 km/h ab 1 km/h - Wheel-speed accuracy: +/- 0.1 km/h above 1 km/h
- Inclinometer-Genauigkeit: +/- 0.5° - Inclinometer accuracy: +/- 0.5°
- Sampling-Frequenz Inclinometer: 100 Hz - Inclinometer sampling rate: 100 Hz
arch/sys/SA-004.md
+11 -11
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'HMI (Schalter, LED, Display)' header: 'HMI (switch, LED, display)'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -11,17 +11,17 @@ links:
asil: QM asil: QM
--- ---
# SA-004: HMI (Schalter, LED, Display) # SA-004: HMI (switch, LED, display)
## Verantwortung ## Responsibility
Fahrer-Interaktion und -Information: Tippschalter mit integrierter LED, Driver interaction and information: tap switch with integrated LED,
Statusanzeige im Kombi-Display via CAN. status display in the instrument cluster via CAN.
## Schnittstellen ## Interfaces
| Element | Typ | Verhalten | | Element | Type | Behaviour |
|---------------|----------|--------------------------------------------| |---------------|----------|-------------------------------------------|
| Tippschalter | GPIO | Apply-Richtung / Release-Richtung | | Tap switch | GPIO | apply direction / release direction |
| LED | GPIO | aus / an / blink 2 Hz / blink 4 Hz | | LED | GPIO | off / on / blink 2 Hz / blink 4 Hz |
| Display | CAN 0x3A0 | 50 Hz Status-Frame | | Display | CAN 0x3A0| 50 Hz status frame |
arch/sys/SA-005.md
+11 -10
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'CAN-Bus' header: 'CAN bus'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
@@ -11,16 +11,17 @@ links:
asil: QM asil: QM
--- ---
# SA-005: CAN-Bus # SA-005: CAN bus
## Verantwortung ## Responsibility
Kommunikations-Backbone fuer Eingangsdaten (Bremspedal, Gang, Tuer, Gurt), Communication backbone for input data (brake pedal, gear, door,
Ausgabe (Status-Frame an Display) und Diagnose (UDS auf Tester-Adresse). belt), output (status frame to the display) and diagnostics (UDS
on the tester address).
## Schnittstellen ## Interfaces
- Baudrate: 500 kbit/s, CAN 2.0B - Baud rate: 500 kbit/s, CAN 2.0B
- Empfangene Frames: 0x100 (Bremspedal), 0x110 (Gang), 0x120 (Door/Belt), - Received frames: 0x100 (brake pedal), 0x110 (gear),
0x712 (UDS-Request) 0x120 (door/belt), 0x712 (UDS request)
- Gesendete Frames: 0x3A0 (Status 50 Hz), 0x71A (UDS-Response) - Sent frames: 0x3A0 (status 50 Hz), 0x71A (UDS response)
docs/manuals-md/Service-Manual.md
+138
View File
@@ -0,0 +1,138 @@
---
doc-id: SLM-EPB-SVC-001
version: 1.0
status: Released
date: 2026-05-12
---
# Service Manual — Electric Parking Brake (EPB)
| Field | Value |
|---------------|----------------------------------------|
| Product | demo-epb EPB ECU |
| Version | 1.0 |
| Date | 2026-05-12 |
| Audience | Workshop technicians |
---
## 1. Tools
- OBD-II diagnostic tester with UDS support (ISO 14229)
- Torque wrench 60 Nm
- Sliding tool 28×40 mm (for brake-pad replacement)
## 2. UDS diagnostics
### 2.1 Identification
| Parameter | Value |
|-------------------|-------------|
| Tester address | 0x712 |
| ECU response | 0x71A |
| CAN baud rate | 500 kbit/s |
### 2.2 Service IDs
| SID | Service | Notes |
|------|-------------------------------|--------------------------------|
| 0x10 | DiagnosticSessionControl | 0x03 = Extended Session |
| 0x11 | ECUReset | 0x01 = Hard Reset |
| 0x14 | ClearDiagnosticInformation | Clears all DTCs |
| 0x19 | ReadDTCInformation | Sub 0x02 = reportDTCByStatusMask |
| 0x22 | ReadDataByIdentifier | See DID list |
| 0x27 | SecurityAccess | Not implemented in demo |
| 0x31 | RoutineControl | 0x0301 = Service mode |
### 2.3 DIDs (Data Identifiers)
| DID | Description | Type |
|--------|--------------------------------------|----------------|
| 0xF187 | SW version | ASCII 16 byte |
| 0xF18B | ECU hardware version | ASCII 16 byte |
| 0x0301 | Clamping force left | uint16 (N) |
| 0x0302 | Clamping force right | uint16 (N) |
| 0x0303 | Motor current left | uint16 (mA) |
| 0x0304 | Motor current right | uint16 (mA) |
| 0x0305 | Inclinometer (filtered) | int16 (m°) |
## 3. DTC list
| DTC | Meaning | Action |
|----------|---------------------------------------------------|----------------------------------------|
| P0571 | EPB switch plausibility | Check switch |
| P0572 | EPB switch permanently actuated | Switch jammed? Clean |
| P0808 | Actuator current left too high (overcurrent) | Check motor + wiring |
| P0809 | Actuator current right too high (overcurrent) | Check motor + wiring |
| P080A | Clamping force left not reached (apply timeout) | Check actuator / mechanism |
| P080B | Clamping force right not reached | Check actuator / mechanism |
| P080C | Wheel-speed sensor plausibility | Check sensors / wiring |
| P080D | Inclinometer plausibility | Check sensor / mounting |
| P080E | Apply controller watchdog trip | Software reset; if recurring replace ECU |
| U0123 | CAN bus communication lost | Check CAN wiring + BCM status |
## 4. Service mode (brake-pad replacement)
### 4.1 Activation
Preconditions:
- Ignition on, engine off
- Vehicle on lift or with chocked wheels
- Driver door closed (or door signal bypassed)
Steps:
1. Connect diagnostic tester, Extended Session (0x10 0x03)
2. Send RoutineControl `0x31 01 03 01` — start routine
3. ECU acknowledges, EPB LED starts blinking at 2 Hz
4. Actuators move to maintenance position (fully released)
### 4.2 Deactivation
1. Send RoutineControl `0x31 02 03 01` — stop routine
2. EPB LED stops blinking
3. Apply function available again
### 4.3 Brake-pad replacement procedure
1. Activate service mode (see above)
2. Remove brake calliper
3. Replace pads, grease guides
4. Tighten calliper to 60 Nm
5. Deactivate service mode
6. Perform three apply/release cycles (bedding-in)
7. Clear DTC memory (service 0x14)
## 5. Sensor check
### 5.1 Wheel-speed sensors
- Resistance: 800-1500 Ω at 20 °C
- Voltage at 50 km/h: 2-5 V peak-to-peak (Hall)
### 5.2 Inclinometer
- SPI bus 1 MHz
- Expected value on level road: 0 ± 0.5°
- Drift check: ECU + tester, monitor > 5 min
## 6. Actuator check
| Parameter | Target value |
|-----------------------|------------------------|
| Resistance per motor | 0.8 1.2 Ω |
| Nominal current | 3 5 A |
| Peak current (apply) | 15 25 A |
| Cutoff threshold | 8 A for 100 ms |
## 7. Software update
1. UDS Extended Session (0x10 0x03)
2. Programming Session (0x10 0x02)
3. Flashloader sequence per OEM specification
4. Verify new SW version via DID 0xF187
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/manuals-md/User-Manual.md
+105
View File
@@ -0,0 +1,105 @@
---
doc-id: SLM-EPB-USR-001
version: 1.0
status: Released
date: 2026-05-12
---
# User Manual — Electric Parking Brake (EPB)
| Field | Value |
|---------------|----------------------------------------|
| Product | demo-epb EPB ECU |
| Version | 1.0 |
| Date | 2026-05-12 |
| Audience | Vehicle drivers |
---
> **Read the important safety information first!**
> Familiarise yourself with the functions before using the EPB.
## 1. What is the Electric Parking Brake?
The Electric Parking Brake (EPB) replaces the classical handbrake. You operate it via a switch in the centre console; the system clamps the rear brakes electromechanically.
## 2. Operation
### 2.1 Engage the parking brake (apply)
1. Bring the vehicle to a complete standstill.
2. Keep the brake pedal pressed.
3. Pull the EPB switch **upwards** (arrow points to the windshield).
4. The red LED on the switch lights up steadily.
You will hear a soft humming sound — that is the actuator motors.
### 2.2 Release the parking brake
**Preconditions** (all must be met):
- Engine is running
- Brake pedal is pressed
- Gear selector is engaged (not in neutral)
1. Push the EPB switch **downwards**.
2. The LED goes out.
3. You will hear a short humming sound again.
### 2.3 Auto-Hold (driver leaving the car)
When you switch the engine off and the vehicle is at a standstill, the EPB engages **automatically after 2 seconds** — even if you didn't operate it manually. The LED confirms.
### 2.4 Hill-Hold on inclines
When stopping on a slope (> 5%):
1. Press the brake pedal — vehicle stops.
2. Lift your foot off the brake pedal — the EPB takes over automatically.
3. The LED blinks slowly while hill-hold is active.
4. On drive-away (throttle + gear engaged), the EPB releases automatically.
## 3. LED indicator meaning
| LED status | Meaning |
|-------------------------|---------------------------------------------------|
| Off | EPB released |
| Steady red | EPB active (apply / hold) |
| Slow blink (2 Hz) | Hill-hold active or service mode |
| Fast blink (4 Hz) | Fault — visit a workshop |
## 4. Display in the instrument cluster
The instrument cluster shows additional text:
| Text | Meaning |
|---------------------------|-------------------------------------------|
| "EPB active" | Parking brake engaged |
| "Hill-Hold active" | Hill-hold is taking over |
| "EPB fault" | Fault — visit a workshop |
| "EPB service mode" | In workshop mode, do not release yourself |
## 5. Emergency mode
If the EPB does not respond:
- **Stationary and won't move:** push the EPB switch downwards several times; if unsuccessful, call breakdown service.
- **Stationary and the EPB does not engage:** secure the vehicle with wheel chocks, contact a workshop.
## 6. Safety information
> **⚠ WARNING**
>
> - The EPB does not replace engaging a gear when parking
> - On slippery surfaces additionally use wheel chocks
> - While the engine is running and the EPB is engaged, do not stand on the brake pedal long-term
## 7. Maintenance
The EPB is maintenance-free. For brake pad replacement, the workshop must activate **service mode** — please do not jack up the vehicle yourself while the EPB is in the active state.
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/manuals/Service-Manual.docx
BIN
View File
Binary file not shown.
docs/manuals/User-Manual.docx
BIN
View File
Binary file not shown.
docs/non-conformities-md/NC-001.md
+30 -38
View File
@@ -1,60 +1,52 @@
--- ---
nc-id: NC-001 nc-id: NC-001
projekt: demo-epb project: demo-epb
datum-festgestellt: 2026-05-11 date-discovered: 2026-05-11
schwere: Critical severity: Critical
status: Closed status: Closed
--- ---
# Non-Conformity NC-001: Step-Counter-Ueberlauf nicht dokumentiert # Non-Conformity NC-001: Step counter overflow not documented
| Feld | Wert | | Field | Value |
|---------------------|-----------------------------------| |---------------------|-----------------------------------|
| NC-ID | NC-001 | | NC ID | NC-001 |
| Projekt | demo-epb | | Project | demo-epb |
| Datum festgestellt | 2026-05-11 | | Date discovered | 2026-05-11 |
| Festgestellt durch | Review REV-001 | | Discovered by | Review REV-001 |
| Betroffenes Artefakt| `src/apply_controller.c` | | Affected artefact | `src/apply_controller.c` |
| Anforderung | SWE-002 (Watchdog) | | Requirement | SWE-002 (watchdog) |
| Schwere | Critical | | Severity | Critical |
| Status | Closed | | Status | Closed |
--- ---
## 1. Beschreibung ## 1. Description
Der `step_count` im Apply-Controller ist als `uint32_t` deklariert und wird in `step_count` in the apply controller is declared as `uint32_t` and is monotonically incremented in `apply_ctrl_step_50ms`. At 50 ms/tick the counter overflows after 2^32 * 50 ms ≈ 6.8 years. The watchdog in SWA-002 only compares the delta between two reads (wrap-around safe), but the behaviour is not documented in the header and may lead to errors in subsequent maintenance.
`apply_ctrl_step_50ms` monoton inkrementiert. Bei 50 ms/Tick ueberlaeuft der
Zaehler nach 2^32 * 50 ms ~= 6.8 Jahren. Der Watchdog in SWA-002 vergleicht
zwar nur das Delta zwischen zwei Lese-Zugriffen (Wrap-Around unkritisch), aber
das Verhalten ist nicht im Header dokumentiert und kann bei nachfolgender
Code-Pflege Fehler erzeugen.
## 2. Risikobewertung ## 2. Risk assessment
| Aspekt | Bewertung | | Aspect | Assessment |
|-------------------|----------------------------------------------------------------| |-------------------|-------------------------------------------------------------------|
| Auswirkung | Theoretisch Watchdog-False-Negative bei Wrap-Around-Vergleich | | Effect | In theory false-negative watchdog on wrap-around comparison |
| Eintritts-Wahrscheinlichkeit | Sehr niedrig (6.8 Jahre Lebensdauer) | | Likelihood | Very low (6.8 years lifetime) |
| Sicherheits-Beitrag | Indirekt — Watchdog ist Teil der SG-01 Implementierung | | Safety contribution | Indirect — watchdog is part of the SG-01 implementation |
## 3. Sofortmassnahme ## 3. Immediate action
Header-Kommentar in `apply_controller.h` ergaenzt: explizite Beschreibung des Header comment in `apply_controller.h` extended: explicit description of wrap-around behaviour. The watchdog implementation (in SWA-001) must use `uint32_t` subtraction for delta comparison (wrap-safe).
Wrap-Around-Verhaltens. Watchdog-Implementierung (in SWA-001) muss Delta-
Vergleich mit `uint32_t` Subtraktion verwenden (Wrap-safe).
## 4. Korrekturmassnahme (Root-Cause) ## 4. Corrective action (root cause)
Im Code-Review-Checklisten-Eintrag "Integer-Ueberlauf-Verhalten dokumentieren" Add the checklist item "document integer overflow behaviour" to the code-review checklist. Verify in subsequent reviews.
ergaenzen. Pruefung in folgenden Reviews.
## 5. Verifikation ## 5. Verification
- Kommentar in `apply_controller.h` v1.1 (Commit `<hash>`) - Comment in `apply_controller.h` v1.1 (commit `<hash>`)
- Watchdog in SWA-001 verwendet `uint32_t`-Subtraktion (siehe SWA-001 §4) - Watchdog in SWA-001 uses `uint32_t` subtraction (see SWA-001 §4)
- Review-Checkliste aktualisiert - Review checklist updated
## 6. Abschluss ## 6. Closure
Geschlossen am 2026-05-11 durch S. Lohmaier nach Verifikation. Closed on 2026-05-11 by S. Lohmaier after verification.
docs/non-conformities/NC-001.docx
BIN
View File
Binary file not shown.
docs/plans-md/CM-Plan.md
+146
View File
@@ -0,0 +1,146 @@
---
doc-id: SLM-EPB-CM-001
version: 1.0
status: Released
date: 2026-05-12
---
# Configuration Management Plan (CM Plan)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-CM-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ASPICE SUP.8 + ISO 26262-8 §7 |
---
## 1. Purpose
Describes how configuration items are identified, versioned, released, and controlled-change managed.
## 2. Configuration Items (CIs)
The following artefacts are under configuration control:
| Type | Path | Versioning |
|-------------------------|----------------------------------------|------------------------------|
| Source code | `src/**/*.{c,h}` | Git |
| Tests | `tests/**` | Git |
| Requirements | `reqs/{sys,swe}/*.md` | Git + Doorstop item hash |
| Architecture | `arch/{sys,swe}/*.md` | Git + Doorstop item hash |
| Safety Goals | `safety/sg/*.md` | Git |
| Plans (Word) | `docs/plans/*.docx` | Git + document version block |
| Safety docs (Word) | `docs/safety/*.docx` | Git |
| Manuals (Word) | `docs/manuals/*.docx` | Git |
| Reviews + NCs | `docs/reviews/`, `docs/non-conformities/` | Git |
| MISRA records | `misra/records/*.docx` | Git |
| CI configuration | `.gitea/workflows/*.yml` | Git |
| Build definition | `Makefile`, `Doxyfile` | Git |
| Tools | `tools/*.py` | Git |
## 3. Repository structure
- **Remote:** https://gitea.slohmaier.com/slohmaier/demo-epb
- **Branch `main`:** stable, always released state
- **Branch `develop`:** current development state
- **Feature branches:** `feature/SWE-XXX-...`
- **Bugfix branches:** `bugfix/<issue>-...`
- **Release branches:** `release/vX.Y` (real projects only; demo: from main directly)
## 4. Baselines
A baseline is a frozen, released state. Baselines are set via git tags.
| Baseline type | Tag scheme | When |
|---------------------------|-------------------|----------------------------------------|
| Requirements baseline | `req-vX.Y` | After requirements release |
| Architecture baseline | `arch-vX.Y` | After architecture review |
| Release baseline | `vX.Y.Z` | On productive release |
| Internal snapshot | `snap-YYYY-MM-DD` | On significant intermediate states |
Every tag (specifically `vX.Y.Z`) triggers the release workflow, which produces a bundle.
## 5. Versioning scheme
| Artefact | Scheme |
|-----------------------|------------------------------------------|
| Software release | Semantic Versioning `MAJOR.MINOR.PATCH` |
| Requirements | Doorstop level `X.Y` + date |
| Architecture | Doorstop level `X.Y` + date |
| Word documents | `MAJOR.MINOR` in document header |
## 6. Change control
Changes to configuration items occur via:
1. **Trivial change** (typos, comments): directly on the branch, PR with 1 approval
2. **Normal change** (feature, bug fix): feature branch, PR with reviews per ASIL
3. **Major change** (architecture, safety concept): change request + reviewer quorum
| ASIL | Minimum reviewer count |
|---------|---------------------------------------|
| QM | 1 |
| ASIL-A/B| 1 |
| ASIL-C | 2 (at least 1 technical reviewer) |
| ASIL-D | 2 technical reviewers + Safety Manager |
Reviews are documented in `docs/reviews/REV-XXX.docx`.
## 7. Release process
```
1. All PRs merged into main
2. Branch protected, all CI checks green
3. Release notes drafted in the PR
4. Set tag: git tag -a vX.Y.Z -m "..."
5. Push: git push origin vX.Y.Z
6. Release workflow runs (.gitea/workflows/release.yml):
- Build + tests + coverage
- Traceability + diagrams + API doc
- Bundle Word documents
- Pack source + artefact archives
- Create Gitea release
7. Review release manually (download bundle, inspect)
8. Mark release as "stable"
```
## 8. Retention
| Artefact | Retention |
|--------------------------|----------------------------------------|
| Git repository | Indefinite (Gitea + backup) |
| Release bundles | 10 years after product EOL |
| Reviews + NCs | 10 years after product EOL |
| MISRA records | 10 years after product EOL |
| CI artefacts (short-lived)| 90 days (in Gitea artifacts) |
ISO 26262 requires 10 years after end-of-production-life (assumption).
## 9. Verification
All pull requests pass through:
- Doorstop-equivalent traceability check (`tools/traceability.py check`)
- Build + unit tests
- Static analysis + MISRA check
- Coverage measurement
Only after approval and green CI may a merge into `main` occur.
## 10. Responsibilities
| Role | Task |
|------------------|---------------------------------------------------|
| Configuration Mgr| Maintain this CM Plan, repo hygiene, baselines |
| Developer | Correct branching, meaningful commit messages |
| Reviewer | Review before merge, audit trail |
| Project Owner | Release approval |
## 11. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/plans-md/PID.md
+71 -71
View File
@@ -1,107 +1,107 @@
# Project Initiation Document (PID) # Project Initiation Document (PID)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb (Elektrische Parkbremse) | | Project | demo-epb (Electric Parking Brake) |
| Projekt-ID | SLM-EPB-001 | | Project ID | SLM-EPB-001 |
| Auftraggeber | slohmaier.com (Demo-Eigenentwicklung)| | Client | slohmaier.com (in-house demo) |
| Auftragnehmer | Stefan Lohmaier | | Contractor | Stefan Lohmaier |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| Klassifikation | Oeffentlich | | Classification | Public |
--- ---
## 1. Projektzweck ## 1. Project purpose
Demonstration des slohmaier Dev Process anhand einer EPB-Steuergeraet-Software. Ziel ist nicht die produktive Software, sondern der vollstaendige Nachweis von: Demonstration of the slohmaier Dev Process using an EPB ECU software. The goal is not the productive software but a complete demonstration of:
- ASPICE-4.0-konformer Entwicklungsablauf - ASPICE 4.0-compliant development flow
- ISO-26262-konforme Behandlung von Sicherheitsanforderungen (ASIL-D / ASIL-B / QM) - ISO 26262-compliant handling of safety requirements (ASIL-D / ASIL-B / QM)
- MISRA-C-Compliance - MISRA C compliance
- Werkzeugkette: Gitea + Doorstop + Cppcheck + gcov + CppUTest + pandoc - Toolchain: Gitea + Doorstop + Cppcheck + gcov + CppUTest + pandoc
Adressat ist potenzielle Kundschaft, die sehen will, wie ein realer Audit-faehiger Engineering-Stand aussieht. The target audience is potential customers who want to see what a real audit-ready engineering snapshot looks like.
## 2. Produktbeschreibung ## 2. Product description
Eine Electronic Parking Brake (EPB) klemmt im Stillstand zwei Bremssaettel ueber kleine Elektromotoren fest und loest sie bei Anfahrt wieder. Funktionsumfang: An Electric Parking Brake (EPB) clamps two rear callipers via small electric motors at standstill and releases them on drive-away. Functional scope:
- Apply / Release auf Fahrer-Anforderung - Apply / Release on driver request
- Hold-Funktion mit Auto-Apply bei Motor-Aus - Hold function with auto-apply on engine-off
- Drive-Away-Assist (Auto-Release beim Anfahren) - Drive-Away-Assist (auto-release on drive-away)
- Hill-Hold am Berg - Hill-Hold on inclines
- Aktor-Stromueberwachung - Actuator current monitoring
- Service-Modus fuer Werkstatt - Service mode for the workshop
- UDS-Diagnose ueber CAN - UDS diagnostics via CAN
## 3. Sicherheitsziele ## 3. Safety goals
| ID | Sicherheitsziel | ASIL | | ID | Safety goal | ASIL |
|-------|---------------------------------------------------------------|------| |-------|---------------------------------------------------------------|------|
| SG-01 | Verhinderung ungewollten Wegrollens des Fahrzeugs | D | | SG-01 | Prevent unintended vehicle roll-away | D |
| SG-02 | Verhinderung ungewollten Loesens der Parkbremse | D | | SG-02 | Prevent unintended release of the parking brake | D |
| SG-03 | Verhinderung Motorschaden durch Ueberlast | B | | SG-03 | Prevent motor damage from overload | B |
Die Sicherheitsziele werden in den System-Anforderungen (`reqs/sys/`) weiter detailliert. Safety goals are detailed further in the system requirements (`reqs/sys/`).
## 4. Stakeholder ## 4. Stakeholders
| Rolle | Person / Funktion | | Role | Person / Function |
|--------------------|--------------------------------| |--------------------|--------------------------------|
| Project Owner | Stefan Lohmaier | | Project Owner | Stefan Lohmaier |
| Technical Lead | Stefan Lohmaier | | Technical Lead | Stefan Lohmaier |
| Quality Assurance | Stefan Lohmaier | | Quality Assurance | Stefan Lohmaier |
| Reviewer | Externer Reviewer (TBD) | | Reviewer | External reviewer (TBD) |
| Kunde (Demo) | Interessenten / Prospects | | Customer (demo) | Prospects / interested parties |
Bei einem Realprojekt waeren QA und TL personell getrennt; in dieser Demo wird die Rollentrennung dokumentarisch nachgehalten. In a real project QA and TL would be separate persons; in this demo the role separation is kept on paper.
## 5. Liefergegenstaende ## 5. Deliverables
| Artefakt | Format | Status | | Artefact | Format | Status |
|-----------------------------------|---------------|-------------| |-------------------------------------------|---------------|-------------|
| PID, PM-Plan, QA-Plan, SWE-Plan, Test-Plan | Word | Vorhanden | | PID, PM Plan, QA Plan, SWE Plan, Test Plan | Word | Available |
| System-Anforderungen (SYS-001..010) | Doorstop-MD | Vorhanden | | System Requirements (SYS-001..010) | Doorstop MD | Available |
| Software-Anforderungen (SWE-001..025) | Doorstop-MD | Vorhanden | | Software Requirements (SWE-001..025) | Doorstop MD | Available |
| System-Architektur (SA-001..005) | Doorstop-MD | Vorhanden | | System Architecture (SA-001..005) | Doorstop MD | Available |
| Software-Architektur (SWA-001..010) | Doorstop-MD | Vorhanden | | Software Architecture (SWA-001..010) | Doorstop MD | Available |
| Quellcode (3 Demo-Komponenten) | C99 | Vorhanden | | Source code (3 demo components) | C99 | Available |
| Unit-Tests + Coverage-Report | CppUTest, lcov| Vorhanden | | Unit tests + coverage report | CppUTest, lcov | Available |
| MISRA-Report | Cppcheck XML | Vorhanden | | MISRA report | Cppcheck XML | Available |
| Traceability-Matrix | Doorstop HTML | Generiert in CI | | Traceability matrix | Doorstop HTML | Generated in CI |
| Review-Protokoll (Beispiel) | Word | Vorhanden | | Review minutes (example) | Word | Available |
| MISRA Deviation Record (Beispiel) | Word | Vorhanden | | MISRA Deviation Record (example) | Word | Available |
## 6. Zeitplan ## 6. Schedule
Demo-Projekt, Single-Sprint-Erstellung. Eintaegige Initialerstellung, danach Pflege. Demo project, single-sprint creation. One-day initial creation, maintenance thereafter.
| Phase | Start | Ende | | Phase | Start | End |
|------------------------|-------------|-------------| |-------------------------------|-------------|-------------|
| Konzept + Setup | 2026-05-11 | 2026-05-11 | | Concept + setup | 2026-05-11 | 2026-05-11 |
| Requirements + Architektur | 2026-05-11 | 2026-05-11 | | Requirements + architecture | 2026-05-11 | 2026-05-11 |
| Implementierung Demo-Komponenten | 2026-05-11 | 2026-05-11 | | Implementation of demo components | 2026-05-11 | 2026-05-11 |
| Tests + CI | 2026-05-11 | 2026-05-11 | | Tests + CI | 2026-05-11 | 2026-05-11 |
| Freigabe v1.0 | 2026-05-11 | 2026-05-11 | | Release v1.0 | 2026-05-11 | 2026-05-11 |
## 7. Budget ## 7. Budget
Demo-Projekt, kein externes Budget. Aufwand intern. Demo project, no external budget. Internal effort.
## 8. Risiken ## 8. Risks
| Risiko | Wahrsch. | Auswirkung | Massnahme | | Risk | Likelihood | Impact | Mitigation |
|-----------------------------------------|----------|------------|-------------------------------------------| |-----------------------------------------------|------------|--------|----------------------------------------------|
| Demo wird als produktreifer Code missverstanden | M | M | README + Disclaimer explicit kennzeichnen | | Demo is mistaken for production-ready code | M | M | Disclaimer in README + plain labelling |
| MISRA-Tooling-Update bricht CI | N | M | Tool-Versionen in CI pinnen | | MISRA tooling update breaks CI | L | M | Pin tool versions in CI |
| Reviewer-Verfuegbarkeit | M | N | Self-Review dokumentiert (Demo) | | Reviewer availability | M | L | Self-review documented (demo only) |
## 9. Erfolgskriterien ## 9. Success criteria
- Alle 35 Anforderungen sind verlinkt und durch Architektur abgedeckt - All 35 requirements are linked and covered by architecture
- `doorstop check` ist gruen - `doorstop check` is green
- MISRA-Check in CI ist gruen (mit dokumentierten Deviations) - MISRA check in CI is green (with documented deviations)
- Coverage der Demo-Komponenten >= Zielwert (siehe SWE-Plan) - Demo-component coverage meets target (see SWE Plan)
- Demo-Tour im README ist fuer einen Prospect in <30 min nachvollziehbar - The guided tour in the README is navigable by a prospect in < 30 min
docs/plans-md/PM-Plan.md
+44 -44
View File
@@ -1,63 +1,63 @@
# Projektmanagement-Plan (PM-Plan) # Project Management Plan (PM Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Projektorganisation ## 1. Project organisation
Single-Person-Projekt mit dokumentierter Rollentrennung. In einem Real-Projekt waeren QA, TL und Entwickler personell getrennt; hier wird der Audit-Trail durch Self-Review mit Begruendung gefuehrt (siehe SWE-Plan, Abschnitt 5). Single-person project with documented role separation. In a real project, QA, TL, and developer would be separate persons; here the audit trail is maintained through self-review with rationale (see SWE Plan, section 5).
## 2. Arbeitspakete ## 2. Work packages
| WP-ID | Arbeitspaket | Verantwortlich | Status | | WP-ID | Work package | Owner | Status |
|-------|--------------------------------------------|----------------|--------------| |-------|---------------------------------------------|----------------|--------|
| WP-01 | Projektplanung (PID, PM-Plan, QA-Plan, SWE-Plan, Test-Plan) | S. Lohmaier | Done | | WP-01 | Project planning (PID, PM, QA, SWE, Test) | S. Lohmaier | Done |
| WP-02 | System-Anforderungen (SYS-001..010) | S. Lohmaier | Done | | WP-02 | System Requirements (SYS-001..010) | S. Lohmaier | Done |
| WP-03 | Software-Anforderungen (SWE-001..025) | S. Lohmaier | Done | | WP-03 | Software Requirements (SWE-001..025) | S. Lohmaier | Done |
| WP-04 | System-Architektur (SA-001..005) | S. Lohmaier | Done | | WP-04 | System Architecture (SA-001..005) | S. Lohmaier | Done |
| WP-05 | Software-Architektur (SWA-001..010) | S. Lohmaier | Done | | WP-05 | Software Architecture (SWA-001..010) | S. Lohmaier | Done |
| WP-06 | Implementierung Demo-Komponenten | S. Lohmaier | Done | | WP-06 | Implementation of demo components | S. Lohmaier | Done |
| WP-07 | Unit-Tests + Coverage | S. Lohmaier | Done | | WP-07 | Unit tests + coverage | S. Lohmaier | Done |
| WP-08 | CI-Pipeline (Gitea Actions) | S. Lohmaier | Done | | WP-08 | CI pipeline (Gitea Actions) | S. Lohmaier | Done |
| WP-09 | Audit-Artefakte (Review, NC, MISRA-Record) | S. Lohmaier | Done | | WP-09 | Audit artefacts (Review, NC, MISRA record) | S. Lohmaier | Done |
## 3. Aenderungsverwaltung ## 3. Change control
- Aenderungen an freigegebenen Artefakten erfolgen ueber Pull Requests - Changes to released artefacts go through pull requests
- Jeder PR braucht mindestens 1 Approval (siehe SWE-Plan, Abschnitt 5) - Every PR needs at least 1 approval (see SWE Plan, section 5)
- Bei Aenderung von Architektur oder Anforderungen ist die Traceability-Matrix neu zu erzeugen (`doorstop publish`) - When requirements or architecture change, the traceability matrix must be regenerated (`doorstop publish`)
- Aenderungshistorie wird in der jeweiligen `.md`-Datei oder Word-Datei revisioniert - Revision history is maintained inside the respective `.md` file or Word document
## 4. Konfigurationsmanagement ## 4. Configuration management
| Artefakt-Typ | Versionsverwaltung | Baseline-Mechanismus | | Artefact type | Versioning | Baseline mechanism |
|-----------------------|------------------------|--------------------------| |-------------------|-----------------------|------------------------------------|
| Code | Git (Gitea) | Git-Tag (z.B. v1.0.0) | | Code | Git (Gitea) | Git tag (e.g. v1.0.0) |
| Anforderungen / Arch | Git + Doorstop | Git-Tag + doorstop publish | | Requirements / Arch | Git + Doorstop | Git tag + doorstop publish |
| Word-Dokumente | Git | Datei-Versionsstempel + Revisions-History im Dokument | | Word documents | Git | File version stamp + revision history in the document |
| CI-Konfiguration | Git | Versionsdatei + Tag | | CI configuration | Git | Version pin + tag |
## 5. Kommunikation ## 5. Communication
| Kanal | Zweck | | Channel | Purpose |
|---------------|-----------------------------------| |---------------|--------------------------------------|
| Gitea Issues | Bug-Tracking, Tasks | | Gitea Issues | Bug tracking, tasks |
| Gitea PRs | Review, Approval, Audit-Trail | | Gitea PRs | Review, approval, audit trail |
| Matrix Chat | Schnelle Abstimmung | | Matrix chat | Quick alignment |
| E-Mail | Formelle Freigaben (CC: Auftraggeber) | | Email | Formal releases (cc client) |
## 6. Berichtswesen ## 6. Reporting
- Wochenstatus per E-Mail (in Real-Projekten) - Weekly status by email (in real projects)
- Audit-Report bei Projektabschluss (PDF aus Doorstop + Word-Plaene) - Audit report at project closure (PDF from Doorstop + Word plans)
- Coverage- und MISRA-Reports werden bei jedem Push aktualisiert (CI-Artefakte) - Coverage and MISRA reports are refreshed on every push (CI artefacts)
## 7. Abschluss ## 7. Closure
Projekt gilt als abgeschlossen, wenn alle Erfolgskriterien aus dem PID erfuellt sind und ein Git-Tag `v1.0` gesetzt ist. The project is considered closed when all success criteria from the PID are met and the `v1.0` git tag is set.
docs/plans-md/Project-Manual.md
+168
View File
@@ -0,0 +1,168 @@
---
doc-id: SLM-EPB-PM-MAN-001
version: 1.0
status: Released
date: 2026-05-12
---
# Project Manual — demo-epb
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb (Electric Parking Brake) |
| Document ID | SLM-EPB-PM-MAN-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Audience | New project members, auditors |
---
## 1. Purpose
This Project Manual is the entry point to the demo-epb project. It answers:
- What is being built?
- Which documents exist, in what reading order?
- Who is responsible for what?
- How does the development and release cycle work?
## 2. What is demo-epb?
A complete demo of the **slohmaier Dev Process** using an EPB ECU software. The goal is **not** the productive software, but evidence of ASPICE 4.0 / ISO 26262-compliant development.
Detail: `docs/plans/PID.docx`.
## 3. Reading order for new project members
| Day | Document | Why |
|-----|----------------------------------------|----------------------------------------|
| 1 | this Project Manual | Orientation |
| 1 | `PID.docx` | What + Why |
| 1 | `User-Manual.docx` | Product understanding |
| 2 | `HARA.docx` + `Safety-Case.docx` | Safety concept |
| 2 | `SWE-Plan.docx` + `QA-Plan.docx` | Engineering conventions |
| 3 | `reqs/` + `arch/` (markdown) | Requirements + architecture |
| 3 | `src/apply_controller.c` | Example ASIL-D code |
| 4 | `traceability/index.html` | Wiring of artefacts |
| 4 | `coverage/index.html` | What is tested |
| 5 | Maintain this manual | Onboarding for the next person |
## 4. Document landscape
```
demo-epb/
├── docs/plans/ ← PID, PM Plan, QA Plan, SWE Plan, Test Plan, CM Plan, RM Plan
├── docs/safety/ ← HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification
├── docs/manuals/ ← User Manual, Service Manual
├── docs/reviews/ ← Review minutes
├── docs/non-conformities/ ← NC entries
├── misra/records/ ← MISRA deviation records
├── reqs/sys/ ← Doorstop MD system requirements
├── reqs/swe/ ← Doorstop MD software requirements
├── arch/sys/ ← Doorstop MD system architecture + PlantUML
├── arch/swe/ ← Doorstop MD software architecture + PlantUML
├── safety/sg/ ← Doorstop MD safety goals (ASIL derivation)
├── src/ ← C source, with @arch + @reqs tags in headers
├── tests/ ← Unit tests with @reqs tags
├── tools/ ← Python helper scripts (traceability, PlantUML, reports)
├── .gitea/workflows/ ← CI pipelines (validate + release)
└── docs/index.html ← Auto-generated landing page
```
A clickable overview is `docs/index.html` (open in browser).
## 5. Roles and responsibilities
| Role | Responsibility | Person (demo) |
|--------------------|-------------------------------------------------------|--------------------------|
| Project Owner | Strategic decisions, release approval | Stefan Lohmaier |
| Technical Lead | Architecture, code reviews, technical decisions | Stefan Lohmaier |
| Safety Manager | HARA, Safety Case, ASIL conformance | Stefan Lohmaier (demo) |
| QA Officer | QA Plan maintenance, audit preparation | Stefan Lohmaier (demo) |
| Configuration Mgr | Baselines, releases, git repo hygiene | Stefan Lohmaier (demo) |
| Developer | Implementation per architecture + tests | Stefan Lohmaier (demo) |
| Reviewer | Code and document reviews | External reviewer (TBD) |
In this demo one person fills all roles; in a real project with ASIL-C/D these are to be separated personnel-wise (developer ≠ reviewer for safety-critical code).
## 6. Development lifecycle
```
Requirement
Architecture (Markdown + PlantUML)
Implementation (C, with @arch + @reqs)
Unit test (CppUTest-like framework, with @reqs)
Pull request (branch → main)
CI: build + test + coverage + MISRA + traceability check
Code review (approval required per ASIL)
Merge to main
▼ (at release point)
Tag v*.*.*
CI release workflow: bundle + Gitea release
```
## 7. Release strategy
- **Pull requests** need at least 1 approval (more for ASIL-C/D, see SWE Plan)
- **Tags** of the form `vMAJOR.MINOR.PATCH` trigger the release workflow
- **Release bundle** contains source + all reports + all Word documents
- **Audit readiness** is maintained continuously (git history + document lifecycle)
## 8. Where to report problems
| Problem type | Where to document |
|----------------------|------------------------------------------------|
| Bug | Gitea issue (tag `bug`) |
| Requirement change | Gitea issue (tag `requirement`) + Doorstop update |
| Non-conformity | `docs/non-conformities-md/NC-XXX.md` → Word |
| MISRA deviation | `misra/records-md/MISRA-REC-XXX.md` → Word |
| Safety problem | Escalate to Safety Manager + NC |
## 9. Tools
See `infrastructure/` in the iCloud workspace for setup details. Short list:
- **Gitea** (gitea.slohmaier.com) — source control + CI + releases
- **Doorstop-style** Markdown — requirements + architecture
- **PlantUML** — diagrams (embedded)
- **Cppcheck** + **GCC -Werror** — static analysis + MISRA
- **gcov/lcov** — coverage
- **Doxygen** — API doc
- **pandoc** — Markdown → Word/PDF
- **Python** (stdlib) — traceability + report generators
## 10. Related documents
| Plan | File | Content |
|----------------------|------------------------------------|----------------------------------------|
| Project Initiation | `PID.docx` | What + Why |
| Project Management | `PM-Plan.docx` | Work packages, schedule, stakeholders |
| Quality Assurance | `QA-Plan.docx` | Reviews, audits, NC management |
| Configuration Mgmt | `CM-Plan.docx` | Baselines, releases, change control |
| Risk Management | `RM-Plan.docx` | Risks, mitigation, monitoring |
| Software Development | `SWE-Plan.docx` | Language, standards, coverage targets |
| Test | `Test-Plan.docx` | Test strategy |
## 11. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/plans-md/QA-Plan.md
+47 -47
View File
@@ -1,67 +1,67 @@
# Qualitaetssicherungs-Plan (QA-Plan) # Quality Assurance Plan (QA Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Qualitaetsziele ## 1. Quality goals
- Vollstaendige Traceability: SYS → SA → SWE → SWA → Code → Test - Complete traceability: SYS → SA → SWE → SWA → Code → Test
- 0 MISRA-Required-Violations (Deviations dokumentiert) - 0 MISRA Required violations (deviations documented)
- 0 statische-Analyse-Findings auf High/Error-Level - 0 static-analysis findings at High / Error level
- Coverage-Ziele (siehe SWE-Plan Abschnitt 8) eingehalten - Coverage targets met (see SWE Plan section 8)
- Alle PRs reviewed und approved - All PRs reviewed and approved
## 2. Qualitaetsmassnahmen ## 2. Quality measures
| Massnahme | Tool / Methode | Frequenz | | Measure | Tool / Method | Frequency |
|---------------------------------|----------------------------|----------------| |----------------------------------|------------------------------|------------------|
| Traceability-Check | `doorstop check` | jeder Push | | Traceability check | `doorstop check` | every push |
| MISRA-Check | Cppcheck + MISRA-Addon | jeder Push | | MISRA check | Cppcheck + MISRA addon | every push |
| Static Analysis | Cppcheck, clang-tidy | jeder Push | | Static analysis | Cppcheck, clang-tidy | every push |
| Unit Tests | CppUTest | jeder Push | | Unit tests | CppUTest | every push |
| Coverage | gcov / lcov | jeder Push | | Coverage | gcov / lcov | every push |
| Peer Review | Gitea PRs | jede Aenderung | | Peer review | Gitea PRs | every change |
| Architektur-Review | Technical Review, 2 Approver | bei Aenderung | | Architecture review | Technical review, 2 approvers | on changes |
| Audit-Vorbereitung | doorstop publish + Word-Doku | bei Release | | Audit preparation | doorstop publish + Word docs | on release |
## 3. Reviews ## 3. Reviews
| Artefakt | Review-Typ | Min. Approver | | Artefact | Review type | Min. approvers |
|-----------------------------|-------------------|----------------| |--------------------------------|---------------------|-----------------|
| Anforderungen | Technical Review | 1 | | Requirements | Technical review | 1 |
| Architektur-Element | Technical Review | 2 | | Architecture element | Technical review | 2 |
| Code (QM / ASIL-A/B) | Peer Review | 1 | | Code (QM / ASIL-A/B) | Peer review | 1 |
| Code (ASIL-C/D) | Technical Review | 2 | | Code (ASIL-C/D) | Technical review | 2 |
| Plaene und Berichte | Peer Review | 1 | | Plans and reports | Peer review | 1 |
| MISRA Deviation Permit | Technical Lead | 1 | | MISRA deviation permit | Technical lead | 1 |
## 4. Non-Conformity Management ## 4. Non-conformity management
Abweichungen vom Plan oder von Anforderungen werden als Non-Conformity (NC) dokumentiert: Deviations from the plan or from requirements are documented as a non-conformity (NC):
- Pfad: `docs/non-conformities/NC-XXX.docx` - Path: `docs/non-conformities/NC-XXX.docx`
- Jede NC erhaelt eine eindeutige ID - Each NC has a unique ID
- Schwere-Klassifizierung: Critical / Major / Minor - Severity classification: Critical / Major / Minor
- Korrekturmassnahme und Verifikation werden nachgehalten - Corrective action and verification are tracked
- Beispiel-NC vorhanden: NC-001 - Example NC present: NC-001
## 5. Audit-Vorbereitung ## 5. Audit preparation
Audit-Faehigkeit wird durchgehend erhalten: Audit readiness is maintained continuously:
- Git-History ist Audit-Trail (kein direkter Push auf `main`) - Git history is the audit trail (no direct push to `main`)
- `docs/plans-md/` enthaelt die freigegebenen Plaene (Word in `docs/` daneben) - `docs/plans-md/` holds the released plans (Word in `docs/` alongside)
- `docs/traceability/` enthaelt automatisch generierte Matrizen - `docs/traceability/` holds the auto-generated matrices
- `misra/records/` enthaelt MISRA-Deviation-Records - `misra/records/` holds MISRA deviation records
- `tests/results/` enthaelt Test- und Coverage-Reports (CI-Artefakte) - `tests/results/` holds test and coverage reports (CI artefacts)
- `docs/reviews/` enthaelt Review-Protokolle - `docs/reviews/` holds review minutes
## 6. Verbesserungsmassnahmen ## 6. Improvement actions
Jeder Sprint-Abschluss enthaelt eine kurze Lessons-Learned-Notiz in `docs/lessons-learned/`. In dieser Demo verzichtet, da Single-Sprint-Projekt. Every sprint closure includes a brief lessons-learned note in `docs/lessons-learned/`. Skipped in this demo because it is a single-sprint project.
docs/plans-md/RM-Plan.md
+108
View File
@@ -0,0 +1,108 @@
---
doc-id: SLM-EPB-RM-001
version: 1.0
status: Released
date: 2026-05-12
---
# Risk Management Plan (RM Plan)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-RM-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ASPICE MAN.5 |
---
## 1. Purpose
Identifies, assesses, and treats **project risks** (organisational, technical, schedule, resource). Distinct from **functional safety risks** (hazards), which live in the HARA.
## 2. Methodology
| Step | Activity |
|-------------------|---------------------------------------------------|
| 1. Identification | Workshops, lessons learned, stakeholder input |
| 2. Classification | Probability (P) × Impact (I) |
| 3. Assessment | Risk score = P × I (1-25) |
| 4. Treatment | Avoid / Mitigate / Accept / Transfer |
| 5. Monitoring | Quarterly review, status updates |
### 2.1 Classification scale
| Probability | Meaning |
|-------------|----------------------------|
| 1 | Very unlikely |
| 2 | Unlikely |
| 3 | Possible |
| 4 | Likely |
| 5 | Very likely |
| Impact | Meaning |
|--------|------------------------------------------|
| 1 | Negligible |
| 2 | Minor delay / additional effort |
| 3 | Noticeable impact on schedule/budget |
| 4 | Significant impact, project at risk |
| 5 | Project stop |
| Score range | Action |
|-------------|----------------------------------------|
| 1-4 | Accept, monitor |
| 5-9 | Mitigate (plan) |
| 10-15 | Mitigate (immediate, with escalation) |
| 16-25 | Escalate to Project Owner |
## 3. Risk register
| ID | Description | P | I | Score | Treatment | Status |
|-------|----------------------------------------------------------|---|---|-------|------------------------------------------|------------|
| R-01 | Demo is mistaken for production-ready code | 3 | 3 | 9 | Disclaimer in README + Project Manual | Mitigated |
| R-02 | MISRA tooling update breaks CI (false positives) | 2 | 3 | 6 | Pin tool versions, regression suite | Mitigated |
| R-03 | Reviewer availability for ASIL-D | 3 | 4 | 12 | Self-review documented (demo only) | Accepted (demo) |
| R-04 | Gitea server outage | 2 | 4 | 8 | Local clones, regular backups | Mitigated |
| R-05 | Apple certificate expiry without warning | 3 | 3 | 9 | Renewal reminder + 30-day notice | Mitigated |
| R-06 | Windows build VM unreliable (busybox-PATH conflicts) | 4 | 2 | 8 | MSYS2 documented, alt PATH ordering | Open |
| R-07 | macOS act_runner host-mode cache bug | 3 | 2 | 6 | continue-on-error, documented | Open |
| R-08 | Doorstop tool compatibility on upgrade | 2 | 3 | 6 | Own traceability.py, no doorstop dep | Mitigated |
| R-09 | Knowledge loss with single-person setup | 4 | 4 | 16 | Maintain Project Manual + documentation | Open |
## 4. Risk reviews
| Frequency | Participants | Outputs |
|--------------|--------------------------|--------------------------------------|
| Quarterly | Project Owner + TL | Updated register, action items |
| On change | Affected roles | Risk score update |
| At release | Project Owner + QA | Residual-risk assessment |
## 5. Escalation path
```
Risk owner (daily)
│ Score > 9
Project Owner (weekly)
│ Score > 15
Stakeholder / Client (immediately)
```
## 6. Lessons learned
Closed risks are summarised at project closure under `docs/lessons-learned/`, to better assess follow-up projects.
## 7. Related documents
- `PM-Plan.docx` — Top-level risks (summary)
- `HARA.docx` — Functional safety risks (hazards, separate from project risks)
- `QA-Plan.docx` — Non-conformity management
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/plans-md/SWE-Plan.md
+78 -78
View File
@@ -1,114 +1,114 @@
# Software Development Plan (SWE-Plan) # Software Development Plan (SWE Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| ASIL | D (hoechste Komponente) | | ASIL | D (highest component) |
--- ---
## 1. Entwicklungsmethode ## 1. Development method
V-Modell nach ISO 26262 Part 6, iterativ innerhalb der Phasen. Linke Seite: AnforderungenArchitektur → DetailentwurfImplementierung. Rechte Seite: Unit-Test → Integrationstest → Systemtest. V-model per ISO 26262 Part 6, iterative within phases. Left side: requirementsarchitecturedetailed designimplementation. Right side: unit test → integration test → system test.
Aenderungen erfolgen ueber Pull Requests (Change Requests werden in einem Real-Projekt zusaetzlich gefuehrt). Changes go through pull requests (change requests are tracked separately in a real project).
## 2. Programmiersprache und Standards ## 2. Programming language and standards
| Aspekt | Festlegung | | Aspect | Decision |
|---------------------|-----------------------------------------------------| |---------------------|-----------------------------------------------------|
| Sprache | C (C99) | | Language | C (C99) |
| Coding Standard | MISRA C:2012 (Required + Mandatory einzuhalten) | | Coding standard | MISRA C:2012 (Required + Mandatory mandatory) |
| Naming | snake_case fuer Funktionen, UPPER_CASE fuer Makros | | Naming | snake_case for functions, UPPER_CASE for macros |
| Header-Format | `@file`, `@arch`, `@reqs` Tags fuer Code → Doku-Link | | Header format | `@file`, `@arch`, `@reqs` tags linking code to docs |
### MISRA-Handhabung ### MISRA handling
- Required- und Mandatory-Regeln verpflichtend - Required and Mandatory rules are mandatory
- Advisory-Regeln projektspezifisch (siehe `misra/permits/`) - Advisory rules are project-specific (see `misra/permits/`)
- Abweichungen pro Stelle: MISRA Deviation Record (`misra/records/`) - Per-site deviations: MISRA deviation record (`misra/records/`)
- Projektweite Abweichungen: MISRA Deviation Permit (`misra/permits/`) - Project-wide deviations: MISRA deviation permit (`misra/permits/`)
- MISRA-Pruefung in der CI (`cppcheck --addon=misra --error-exitcode=1`) - MISRA check runs in CI (`cppcheck --addon=misra --error-exitcode=1`)
## 3. Build-Umgebung ## 3. Build environment
| Komponente | Tool / Version | | Component | Tool / Version |
|--------------------|-----------------------------------------------------| |--------------------|-----------------------------------------------------|
| Build-System | CMake 3.20+ | | Build system | CMake 3.20+ |
| Compiler | GCC (Host fuer Demo-Tests; ARM-GCC fuer Target) | | Compiler | GCC (host for demo tests; ARM-GCC for target) |
| Zielplattform | ARM Cortex-M4 (Annahme; Demo-Tests auf x86_64 Host) | | Target platform | ARM Cortex-M4 (assumption; demo tests run on x86_64 host) |
| Host-Plattform | macOS / Linux x86_64 | | Host platform | macOS / Linux x86_64 |
| CI-Runner | Gitea Actions Docker-Image | | CI runner | Gitea Actions Docker image |
## 4. Branching-Strategie ## 4. Branching strategy
``` ```
main — Stabiler, freigegebener Stand main — stable, released state
develop — Aktueller Entwicklungsstand develop — current development state
feature/SWE-XXX — Feature-Branch pro Anforderung feature/SWE-XXX — feature branch per requirement
bugfix/BUG-XXX — Bugfix-Branch bugfix/BUG-XXX — bug-fix branch
``` ```
- `main` und `develop` sind geschuetzt (kein direkter Push) - `main` and `develop` are protected (no direct push)
- Merge nur ueber PR mit Approval - Merge only via PR with approval
- Branch-Name enthaelt Issue- oder Anforderungs-Nummer - Branch name includes the issue or requirement number
## 5. Review-Verpflichtungen ## 5. Review obligations
| Artefakt | Review-Art | Mindest-Approvals | | Artefact | Review type | Min. approvals |
|-----------------------------|-------------------|--------------------| |-----------------------------|---------------------|-----------------|
| Quellcode QM / ASIL-A/B | Peer Review | 1 | | Source code QM / ASIL-A/B | Peer review | 1 |
| Quellcode ASIL-C/D | Technical Review | 2 | | Source code ASIL-C/D | Technical review | 2 |
| Architektur-Dokument | Technical Review | 2 | | Architecture document | Technical review | 2 |
| Anforderung | Technical Review | 1 | | Requirement | Technical review | 1 |
| Testfaelle | Peer Review | 1 | | Test cases | Peer review | 1 |
| MISRA Permit | Technical Lead | 1 | | MISRA permit | Technical lead | 1 |
Single-Person-Demo: Self-Review mit dokumentierter Pruefliste; in einem Real-Projekt nicht zulaessig. Single-person demo: self-review with documented checklist; not permissible in a real project.
## 6. Definition of Done ## 6. Definition of Done
- Code kompiliert fehlerfrei - Code compiles without errors
- MISRA-Check in CI ist gruen - MISRA check in CI is green
- Statische Analyse (Cppcheck, clang-tidy) ohne neue Findings - Static analysis (Cppcheck, clang-tidy) has no new findings
- Unit Tests gruen - Unit tests are green
- Coverage-Ziel erreicht - Coverage target reached
- PR reviewed und approved - PR reviewed and approved
- Anforderung mit Test verlinkt (`@reqs` Tag im Code + Test-Datei) - Requirement linked to a test (`@reqs` tag in code + test file)
- Architektur-Element verlinkt (`@arch` Tag im Code) - Architecture element linked (`@arch` tag in code)
## 7. Integration und Test-Strategie ## 7. Integration and test strategy
| Teststufe | Verantwortlich | Umgebung | Automatisierung | | Test level | Owner | Environment | Automation |
|---------------------|----------------|----------------|-----------------| |--------------------|----------------|---------------|------------------|
| Unit Test | Entwickler | Host (x86) | CI | | Unit test | Developer | Host (x86) | CI |
| Integrationstest | Entwickler | Host / SiL | CI / manuell | | Integration test | Developer | Host / SiL | CI / manual |
| Systemtest | QA | SiL / HiL | teilweise | | System test | QA | SiL / HiL | partial |
| Abnahmetest | Auftraggeber | HiL / Fahrzeug | manuell | | Acceptance test | Customer | HiL / vehicle | manual |
Demo: nur Unit-Tests auf Host. Demo: only unit tests on host.
## 8. Coverage-Ziele ## 8. Coverage targets
| ASIL | Statement | Branch | MC/DC | Konkret im Projekt | | ASIL | Statement | Branch | MC/DC | Concrete in this project |
|------|-----------|--------|----------|---------------------| |------|-----------|--------|----------|---------------------------|
| QM | >= 80% | — | — | Switch Debouncer | | QM | 80% | — | — | Switch Debouncer |
| B | >= 80% | >= 80% | — | Actuator Driver | | B | 80% | 80% | — | Actuator Driver |
| D | >= 90% | >= 90% | >= 80% | Apply Controller | | D | 90% | 90% | 80% | Apply Controller |
Coverage wird per `gcov` / `lcov` in der CI gemessen und nach `tests/results/coverage/` abgelegt. Coverage is measured via `gcov` / `lcov` in CI and stored under `tests/results/coverage/`.
## 9. Toolqualifikation ## 9. Tool qualification
| Tool | Verwendung | Qualifikations-Status (Demo) | | Tool | Use | Qualification status (demo) |
|-------------------|------------------------------|----------------------------------------------| |-------------------|------------------------------|-----------------------------------------------|
| GCC | Compilation | Eigene Qualifizierung (in Realprojekt) | | GCC | Compilation | Own qualification (in real project) |
| Cppcheck + MISRA | Statische Analyse / MISRA | Tool-Confidence Level TCL2 / Tool-Class T2 | | Cppcheck + MISRA | Static analysis / MISRA | Tool Confidence Level TCL2 / Tool Class T2 |
| CppUTest | Unit-Tests | TCL1 / T1 (Fehler vom Entwickler erkannt) | | CppUTest | Unit tests | TCL1 / T1 (defects caught by developer) |
| gcov / lcov | Coverage | TCL1 / T1 | | gcov / lcov | Coverage | TCL1 / T1 |
| Doorstop | Traceability | TCL1 / T1 | | Doorstop | Traceability | TCL1 / T1 |
Demo enthaelt keine vollstaendigen Tool-Qualification-Reports; in einem Real-Projekt waeren diese im Anhang. The demo does not include full tool-qualification reports; in a real project these would live in an appendix.
docs/plans-md/Test-Plan.md
+42 -42
View File
@@ -1,63 +1,63 @@
# Test-Plan # Test Plan
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Teststrategie ## 1. Test strategy
Test-First fuer alle Demo-Komponenten. Jede Anforderung erhaelt mindestens einen Test (`@reqs` Tag im Test). Coverage-Ziele wie im SWE-Plan Abschnitt 8. Test-first for all demo components. Every requirement has at least one test (`@reqs` tag in the test). Coverage targets as in the SWE Plan section 8.
## 2. Teststufen ## 2. Test levels
| Stufe | Scope | Tool | Umgebung | Demo-Status | | Level | Scope | Tool | Environment | Demo status |
|---------------|--------------------|------------|------------|-------------| |---------------|--------------------|------------|-------------|---------------|
| Unit | Funktionen / Module| CppUTest | Host x86 | Vorhanden | | Unit | Functions / modules| CppUTest | host x86 | Available |
| Integration | Modulzusammenspiel | CppUTest | Host x86 | TBD | | Integration | Module interaction | CppUTest | host x86 | TBD |
| System | End-to-end | manuell | SiL / HiL | nicht im Demo | | System | End-to-end | manual | SiL / HiL | not in demo |
| Abnahme | Kundenabnahme | manuell | HiL / KFZ | nicht im Demo | | Acceptance | Customer acceptance| manual | HiL / vehicle | not in demo |
## 3. Test-Verwaltung ## 3. Test management
- Tests liegen in `tests/unit/` (eine Datei pro Modul) - Tests live in `tests/unit/` (one file per module)
- Test-Datei enthaelt `@reqs` Tag mit den abgedeckten Anforderungs-IDs - Each test file carries an `@reqs` tag with the covered requirement IDs
- Test-Lauf erfolgt automatisch in der CI bei jedem Push - Tests run automatically in CI on every push
- Coverage-Report wird als CI-Artefakt unter `tests/results/coverage/` abgelegt - Coverage report is uploaded as a CI artefact under `tests/results/coverage/`
## 4. Test-Auswahl je Komponente ## 4. Test selection per component
| Komponente | ASIL | Test-Datei | Methodik | | Component | ASIL | Test file | Method |
|--------------------|------|--------------------------------------|--------------------------| |--------------------|------|---------------------------------------|---------------------------------|
| Apply Controller | D | tests/unit/test_apply_controller.cpp | Equivalence Classes + Boundary + MC/DC | | Apply Controller | D | tests/unit/test_apply_controller.c | Equivalence classes + boundary + MC/DC |
| Actuator Driver | B | tests/unit/test_actuator_driver.cpp | Equivalence Classes + Boundary | | Actuator Driver | B | tests/unit/test_actuator_driver.c | Equivalence classes + boundary |
| Switch Debouncer | QM | tests/unit/test_switch_debouncer.cpp | Equivalence Classes | | Switch Debouncer | QM | tests/unit/test_switch_debouncer.c | Equivalence classes |
## 5. Eingangs- und Abschlusskriterien ## 5. Entry and exit criteria
**Eingang fuer Testdurchfuehrung:** **Entry to test execution:**
- Code kompiliert - Code compiles
- Doorstop-Check gruen - Doorstop check is green
- Statische Analyse ohne kritische Findings - Static analysis has no critical findings
**Abschluss:** **Exit:**
- Alle Tests gruen - All tests green
- Coverage-Ziel erreicht - Coverage target reached
- Test-Report archiviert - Test report archived
## 6. Fehlerverwaltung ## 6. Defect handling
- Test-Fehlschlag = blockendes Issue - Test failure = blocking issue
- Issue wird ueber Gitea Issues angelegt, im PR referenziert - Issue is filed via Gitea Issues, referenced in the PR
- Schwere-Kategorisierung wie in QA-Plan Abschnitt 4 - Severity classification per QA Plan section 4
## 7. Reporting ## 7. Reporting
Test-Reports werden automatisch erzeugt: Test reports are generated automatically:
- Konsolen-Output von CppUTest (TAP / JUnit XML) - Console output of CppUTest (TAP / JUnit XML)
- Coverage-HTML aus lcov - Coverage HTML from lcov
- Beides als CI-Artefakt unter `tests/results/` - Both as CI artefacts under `tests/results/`
docs/plans/CM-Plan.docx
BIN
View File
Binary file not shown.
docs/PID.docx → docs/plans/PID.docx
BIN
View File
Binary file not shown.
docs/PM-Plan.docx → docs/plans/PM-Plan.docx
BIN
View File
Binary file not shown.
docs/plans/Project-Manual.docx
BIN
View File
Binary file not shown.
docs/QA-Plan.docx → docs/plans/QA-Plan.docx
BIN
View File
Binary file not shown.
docs/plans/RM-Plan.docx
BIN
View File
Binary file not shown.
docs/SWE-Plan.docx → docs/plans/SWE-Plan.docx
BIN
View File
Binary file not shown.
docs/Test-Plan.docx → docs/plans/Test-Plan.docx
BIN
View File
Binary file not shown.
docs/reviews-md/Review-001.md
+36 -39
View File
@@ -1,56 +1,55 @@
--- ---
review-id: REV-001 review-id: REV-001
projekt: demo-epb project: demo-epb
datum: 2026-05-11 date: 2026-05-11
typ: Technical Review (ASIL-D Code) type: Technical Review (ASIL-D code)
artefakt: src/apply_controller.c (SWA-002) artefact: src/apply_controller.c (SWA-002)
status: Approved (mit Anmerkungen) status: Approved (with comments)
--- ---
# Review-Protokoll REV-001 # Review Minutes REV-001
| Feld | Wert | | Field | Value |
|--------------|--------------------------------------| |---------------|--------------------------------------|
| Review-ID | REV-001 | | Review ID | REV-001 |
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Reviewer 1 | Stefan Lohmaier (Self-Review) | | Reviewer 1 | Stefan Lohmaier (self-review) |
| Reviewer 2 | (Tech Lead, in Realprojekt) | | Reviewer 2 | (Tech Lead, in real project) |
| Artefakt | `src/apply_controller.c` v1.0 | | Artefact | `src/apply_controller.c` v1.0 |
| ASIL | D | | ASIL | D |
| Status | Approved with comments | | Status | Approved with comments |
--- ---
## 1. Pruefumfang ## 1. Scope of review
- Code-Inspektion `apply_controller.c` + `.h` - Code inspection of `apply_controller.c` + `.h`
- Pruefung auf Vollstaendigkeit der State Machine (Coverage gegen SWA-002) - Check for completeness of the state machine (coverage against SWA-002)
- Pruefung der MISRA-Compliance (Cppcheck-Report) - Check for MISRA compliance (Cppcheck report)
- Pruefung der Mapping-Tags (`@arch`, `@reqs`) - Check of mapping tags (`@arch`, `@reqs`)
- Pruefung der Unit-Tests gegen verlinkte Anforderungen SWE-001..SWE-004 - Check of unit tests against the linked requirements SWE-001..SWE-004
## 2. Findings ## 2. Findings
| Nr | Schwere | Beschreibung | Aktion | | Nr | Severity | Description | Action |
|----|-----------|--------------------------------------------------------------------|---------------------| |----|-----------|--------------------------------------------------------------------|---------------------|
| 1 | Minor | Kommentar "/* @reqs SWE-005 */" konsumiert Anforderung, die formal SWA-002 zugeordnet istMapping-Tabelle bestaetigt aber Mehrfachzuordnung. | Akzeptiert mit Hinweis in SWA-002 §8. | | 1 | Minor | The comment "/* @reqs SWE-005 */" consumes a requirement formally assigned to SWA-002mapping table confirms multi-assignment though. | Accepted with note in SWA-002 §8. |
| 2 | Major | Kein expliziter Test fuer das Verhalten "release im RELEASING-Zustand wird ignoriert". | Test ergaenzt in nachfolgendem PR. | | 2 | Major | No explicit test for the behaviour "release during the RELEASING state is ignored". | Test added in follow-up PR. |
| 3 | Critical | `s_ctx.step_count` ueberlaeuft alle 2^32 * 50 ms = ~7 Jahre. Im sicheren Zustand ist Ueberlauf unkritisch (Watchdog vergleicht Delta), aber sollte dokumentiert sein. | Kommentar im Header ergaenzt. | | 3 | Critical | `s_ctx.step_count` overflows after 2^32 * 50 ms = ~7 years. Overflow is harmless in the safe state (watchdog compares deltas) but should be documented. | Comment added in header. |
Critical-Finding 3 wurde als Non-Conformity NC-001 erfasst und in v1.1 geschlossen. Critical finding 3 was raised as Non-Conformity NC-001 and closed in v1.1.
## 3. Pruefung der Mapping-Tags ## 3. Check of mapping tags
``` ```
@arch SWA-002 OK @arch SWA-002 OK
@reqs SWE-001 SWE-002 SWE-003 SWE-004 OK @reqs SWE-001 SWE-002 SWE-003 SWE-004 OK
``` ```
Alle vier SWE-Reqs werden durch Test-Faelle in `tests/unit/test_apply_controller.c` All four SWE requirements are covered by test cases in `tests/unit/test_apply_controller.c`:
abgedeckt:
| SWE | Test-Funktion | | SWE | Test function |
|---------|---------------------------------------------------------| |---------|---------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` | | SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` | | SWE-002 | `test_watchdog_alive_counter` |
@@ -59,20 +58,18 @@ abgedeckt:
## 4. Coverage ## 4. Coverage
| Metrik | Ziel | Erreicht | | Metric | Target | Achieved |
|---------------------|------------|-----------| |---------------------|------------|-----------|
| Statement Coverage | >= 90% | 92.3% | | Statement Coverage | 90% | 92.3% |
| Branch Coverage | >= 90% | 91.0% | | Branch Coverage | 90% | 91.0% |
| MC/DC | >= 80% | 84% | | MC/DC | 80% | 84% |
Coverage-Report: CI-Artefakt `coverage-html` (Build #N). Coverage report: CI artefact `coverage-html` (build #N).
## 5. Freigabe-Entscheidung ## 5. Release decision
**Approved with comments.** Critical-Finding wird als NC-001 separat behandelt. **Approved with comments.** Critical finding tracked as NC-001 separately. Recommendation for real project: second independent reviewer for ASIL-D.
Empfehlung fuer Real-Projekt: zweiter unabhaengiger Reviewer fuer ASIL-D.
--- ---
*Single-Person-Demo: Self-Review nach dokumentierter Pruefliste. In einem Real-Projekt *Single-person demo: self-review per documented checklist. In a real project, self-review for ASIL-D is not admissible (SWE Plan section 5).*
ist Self-Review fuer ASIL-D unzulaessig (SWE-Plan, Abschnitt 5).*
docs/reviews/REV-001.docx
BIN
View File
Binary file not shown.
docs/safety-md/FMEDA.md
+111
View File
@@ -0,0 +1,111 @@
---
doc-id: SLM-EPB-FMEDA-001
version: 1.0
status: Released
date: 2026-05-12
---
# Failure Mode Effects and Diagnostic Analysis (FMEDA)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ISO 26262 Part 5 §8 + Part 10 |
---
## 1. Purpose
Bottom-up analysis of EPB hardware and software failure modes, quantifying Diagnostic Coverage (DC) and computing the Single-Point Fault Metric (SPFM) and Latent Fault Metric (LFM). Required for hardware architecture metrics per ISO 26262-5.
This demo covers the **software** portion; the hardware FMEDA is provided separately (component manufacturer).
## 2. Methodology
For each software component, possible failure modes are listed, their effects described, detection mechanisms identified, and the diagnostic coverage estimated.
DC classes per ISO 26262-5 §C.2:
| DC class | DC % | Meaning |
|-----------|-------|--------------------------------------|
| Low | < 60% | Weak diagnostics |
| Medium | 60-90%| Medium diagnostics |
| High | > 90% | Strong diagnostics |
## 3. FMEDA table per component
### 3.1 SWA-002 Apply Controller (ASIL-D)
| FM-ID | Failure mode | Effect | Detection | DC | Safe state reached? |
|-------|---------------------------------------|--------------------------------------|---------------------------------|-------|----------------------|
| FM-01 | State machine stuck in APPLYING | Brake never applied | Timeout 30×50ms → ERROR | High | Yes (ERROR state) |
| FM-02 | Wrong state transition APPLIED → RELEASED without condition | Roll-away | Precondition check (`release_preconditions_ok`) | High | Yes |
| FM-03 | Watchdog counter overflow | Watchdog fires false positive | Wrap-safe subtraction in watchdog (NC-001) | High | Yes (reset) |
| FM-04 | Hold loop does not re-clamp | Clamping force loss undetected | Periodic check every 50ms + force tolerance | High | Yes (re-apply) |
| FM-05 | NULL pointer dereference on input | Crash | Early-exit check | High | Yes (last state remains) |
Aggregated DC for Apply Controller: **96%** (High).
### 3.2 SWA-003 Actuator Driver (ASIL-B)
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-06 | PWM value outside 0..100 | Hardware damage | Parameter check, return EINVAL | High |
| FM-07 | ISR measures continuously high current | Motor fire | Overcurrent cutoff > 8A > 100ms | High |
| FM-08 | ISR measures too-low current (sensor fault) | Clamping force estimated wrong | Cross-check between actuators | Medium |
| FM-09 | Both actuators simultaneous cutoff | EPB inoperative | DTC + service mode remains reachable | Medium |
Aggregated DC for Actuator Driver: **85%** (Medium).
### 3.3 SWA-001 Safety Manager (ASIL-D)
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-10 | Auto-apply timer does not fire | Vehicle rolls after engine off | Watchdog Safety Manager | High |
| FM-11 | Hill-hold handover delayed | Roll-away on incline | Brake-pedal signal tracking | High |
| FM-12 | False-positive hill-hold activation | Unnecessary apply | Low-pass filter inclinometer | Medium |
| FM-13 | Grade filter saturation | Hill-hold missed | Plausibility range check | Medium |
Aggregated DC for Safety Manager: **88%** (Medium-High).
### 3.4 SWA-004 Wheel Speed Plausibilisation (ASIL-B)
| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-14 | Stuck-at-zero on one wheel | False standstill detected | Spread > 3 km/h check + DTC | High |
| FM-15 | All 4 sensors failed | Standstill undetected | Total-failure DTC + load assumption | High |
DC: **95%** (High).
## 4. Aggregated metrics (software)
| Metric | Value | ASIL-D requirement |
|------------------------------|---------|--------------------------------------|
| SPFM (Single-Point Fault) | 95% | ≥ 99% (software alone insufficient; HW required) |
| LFM (Latent Fault) | 90% | ≥ 90% |
| Aggregated DC | 92% | High |
**Note:** The software DC values reported here are not the ASIL-D hardware metrics. ASIL-D-compliant SPFM/LFM require quantitative hardware FIT rates, which are computed at the HW level (Tier-1 actuators, ECU hardware).
## 5. Diagnostic measures (inventory)
| Mechanism | Component | Trigger |
|------------------------------|-----------------------|----------------------------------------|
| Timeout watchdog | Apply Controller | 30×50ms in APPLYING |
| Clamping force hold check | Apply Controller | every 50ms |
| Overcurrent cutoff | Actuator Driver | 8A > 100ms |
| Sensor spread check | Wheel Speed Plausi | every 10ms cycle |
| Inclinometer range check | Inclinometer Filter | every 10ms |
| Watchdog Safety Manager | Safety Manager | 100ms liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | call of `diag_set_dtc()` |
## 6. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/safety-md/HARA.md
+145
View File
@@ -0,0 +1,145 @@
---
doc-id: SLM-EPB-HARA-001
version: 1.0
status: Released
date: 2026-05-12
---
# Hazard Analysis & Risk Assessment (HARA)
| Field | Value |
|-----------------|-------------------------------------------------|
| Project | demo-epb (Electric Parking Brake) |
| Document ID | SLM-EPB-HARA-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 3 (Concept Phase) |
| Author | Stefan Lohmaier |
| Reviewer | (Tech Lead, independent in real project) |
| Approver | (Safety Manager, independent in real project) |
---
## 1. Purpose
Identification and classification of all relevant EPB hazards per ISO 26262-3. From the hazards, safety goals are derived and an Automotive Safety Integrity Level (ASIL) is assigned.
## 2. Item definition
The EPB is an electromechanical system that clamps both rear callipers using two small electric motors and releases them. Item boundary (ISO 26262-3 §5):
- **Inside:** EPB ECU, both calliper motors, EPB switch, status LED
- **Outside:** ESP, engine management, brake system (hydraulic), steering
- **Interfaces:** CAN bus, wheel-speed sensors, inclinometer
## 3. Operational situations & hazards
The following operational situations and hazards were identified in the concept workshop (2026-05-11):
### 3.1 Hazard list
| H-ID | Hazard | Operational situation |
|-------|------------------------------------------------------|--------------------------------------|
| H-01 | Unintended release of the parking brake at standstill | Vehicle parked on incline, driver out|
| H-02 | Unintended clamping during driving | Driving > 10 km/h |
| H-03 | No apply reaction to driver request | Standstill, driver actuates switch |
| H-04 | Loss of clamping force in hold state | Parking phase longer than 1 h |
| H-05 | Motor damage from overcurrent | Actuator mechanics blocked |
| H-06 | Incorrect hill-hold handover (roll-away on incline) | Drive-away on incline |
| H-07 | No release reaction on drive-away | Standstill, driver wants to drive |
| H-08 | LED indicator wrong | any |
### 3.2 Severity / Exposure / Controllability
Classification per ISO 26262-3 §6:
| Severity | Meaning |
|----------|------------------------------------------------------------|
| S0 | No injuries |
| S1 | Light / moderate injuries |
| S2 | Severe injuries (survival likely) |
| S3 | Life-threatening injuries (survival uncertain) |
| Exposure | Meaning |
|----------|------------------------------------------------------------|
| E0 | Very unlikely |
| E1 | Very rare situation |
| E2 | Rare situation |
| E3 | Medium likelihood |
| E4 | Frequent situation |
| Controllability | Meaning |
|------------------|----------------------------------------------------|
| C0 | Generally controllable |
| C1 | Simply controllable (>99% of drivers) |
| C2 | Normally controllable (>90% of drivers) |
| C3 | Difficult to control or uncontrollable |
### 3.3 ASIL determination
| H-ID | Description | S | E | C | ASIL |
|-------|------------------------------------------|----|----|----|-------|
| H-01 | Unintended release, parking phase | S3 | E4 | C3 | **D** |
| H-02 | Unintended clamping during driving | S3 | E4 | C3 | **D** |
| H-03 | No apply reaction to request | S2 | E4 | C2 | B |
| H-04 | Clamping force loss in hold | S3 | E4 | C3 | **D** |
| H-05 | Motor damage from overcurrent | S1 | E3 | C2 | A |
| H-06 | Hill-hold failure (roll-away on incline) | S3 | E3 | C3 | C |
| H-07 | No release reaction | S1 | E4 | C2 | A |
| H-08 | LED indicator wrong | S0 | -- | -- | QM |
ASIL matrix per ISO 26262-3 Table 4 applied. H-06 was downgraded from ASIL-D to ASIL-C in review, since hill-hold failure on dry road remains controllable through driver response (C2-C3 borderline, conservatively C3).
## 4. Safety goals
From the hazards the following safety goals are derived:
| SG-ID | Safety goal | ASIL | Covered hazards |
|-------|-------------------------------------------------------------------|-------|----------------------|
| SG-01 | The EPB must not unintentionally release while at standstill | D | H-01, H-04 |
| SG-02 | The EPB must not unintentionally clamp while driving | D | H-02 |
| SG-03 | The EPB must protect against actuator overcurrent | A | H-05 |
| SG-04 | Hill-hold must reliably hand over to the apply controller | C | H-06 |
| SG-05 | The EPB must respond to driver requests within specified times | B | H-03, H-07 |
## 5. Safe state
Definitions per ISO 26262-3 §7.4.2.5:
| Item / Function | Safe state |
|------------------------|------------------------------------------------------------|
| Apply phase | Stop actuator, set status to APPLIED |
| Hold phase | Maintain clamping force (passive) |
| Release phase | Return to apply, maintain clamping force |
| On hardware fault | Force APPLIED state (prevents roll-away) |
The conservative safe state across all cases is **APPLIED**: rather over-clamp than under-clamp.
## 6. FTTI (Fault Tolerant Time Interval)
| Hazard | FTTI | Rationale |
|--------|---------|-----------------------------------------------------------|
| H-01 | 5 s | Roll-away on incline starts after ~1-2 s, hand action possible after ~5 s |
| H-02 | 100 ms | Shock deceleration at 50 km/h must be detected within 100 ms |
| H-04 | 30 s | Clamping force loss accumulates slowly, periodic check every 50 ms suffices |
| H-06 | 500 ms | Hill-hold handover must complete before roll-away begins (< 500 ms) |
## 7. Functional Safety Requirements (FSR)
From the safety goals the SYS requirements in `reqs/sys/` are derived (see traceability matrix). Mapping:
| SG-ID | SYS requirements |
|-------|----------------------------------------------------|
| SG-01 | SYS-001, SYS-004 |
| SG-02 | SYS-002 (apply plausibility), SYS-005 |
| SG-03 | SYS-007 |
| SG-04 | SYS-005, SYS-006 |
| SG-05 | SYS-002, SYS-003 |
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release after review | S. Lohmaier |
docs/safety-md/MISRA-Compliance-Statement.md
+127
View File
@@ -0,0 +1,127 @@
---
doc-id: SLM-EPB-MISRA-COMP-001
version: 1.0
status: Released
date: 2026-05-12
---
# MISRA C:2012 Compliance Statement
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-MISRA-COMP-001 |
| Date | 2026-05-12 |
| Standard | MISRA C:2012 (incl. Amendment 1) |
| Compiler | GCC 11.2 (Linux CI) / GCC 16.1 (Win) |
| Checker | Cppcheck 2.7+ with `--addon=misra` |
---
## 1. Summary
The source code of demo-epb has been checked against MISRA C:2012. All **Required** and **Mandatory** rules are observed, with the exception of one documented deviation (see MISRA-REC-001).
**Compliance statement:** demo-epb v1.0 is **MISRA C:2012 compliant** taking into account the documented deviation records.
## 2. Scope
| Module | MISRA-checked |
|------------------------------|--------------------------|
| `src/switch_debouncer.{c,h}` | Yes |
| `src/actuator_driver.{c,h}` | Yes |
| `src/apply_controller.{c,h}` | Yes |
| `src/safety_manager.{c,h}` | Yes |
| `src/epb_types.h` | Yes |
| `src/stubs/*.h` | Header-only, no MISRA-relevant implementations |
| `tests/**/*` | Out of scope (test code) |
| `tools/**/*` | Out of scope (Python scripts) |
## 3. Rule activation
The Cppcheck MISRA addon checks the following rule categories:
| Category | Count | Activation in project |
|-----------|--------|----------------------------------|
| Mandatory | 9 | All active, violation blocks build |
| Required | 119 | All active, violation blocks build |
| Advisory | 47 | Active at warning level, deviations allowed per record |
## 4. Compliance status per rule category
### 4.1 Mandatory rules (9)
| Rule | Status |
|-------------|------------|
| R 9.1, R 9.2, R 9.3 | Compliant |
| R 13.6, R 17.3, R 17.4 | Compliant |
| R 19.1, R 21.13, R 21.17 | Compliant |
| R 21.18, R 21.19, R 21.20 | Compliant |
**Mandatory status: 100% Compliant.**
### 4.2 Required rules
Total: 119 Required rules. Violations: **0**.
Top relevant rules for this project:
| Rule | Description | Status |
|---------|----------------------------------------------------------|----------|
| R 8.1 | Type specifier shall be explicit | Compliant |
| R 8.2 | Function parameters shall be explicitly named | Compliant |
| R 8.4 | Compatible declaration shall be visible | Compliant |
| R 8.7 | Functions shall not have external linkage if used in one unit | Compliant |
| R 14.1 | Loop counter shall not have essentially floating type | Compliant |
| R 14.4 | Controlling expression shall have essentially Boolean type | Compliant |
| R 15.4 | At most one break or goto per loop | Compliant |
| R 17.7 | Return value of non-void function shall be used | Compliant (or explicit `(void)`) |
| R 21.3 | No dynamic memory allocation (malloc/free) | Compliant (no heap use) |
| R 21.4 | No setjmp/longjmp | Compliant |
### 4.3 Advisory rules
47 Advisory rules. Violations are documented via MISRA deviation records.
| Record ID | Rule | File | Rationale summary |
|-------------------|---------|-------------------------------|-----------------------------|
| MISRA-REC-001 | R 15.5 | `src/apply_controller.c:64` | Early-exit for NULL check |
**Advisory status: 1 deviation record, documented.**
## 5. Check pipeline
```bash
cppcheck \
--enable=all \
--inconclusive \
--error-exitcode=1 \
--suppress=missingIncludeSystem \
--suppress=unusedFunction \
--addon=misra \
-I src src
```
Checks are run:
- Locally before each commit (recommended)
- Automatically in CI on every push and PR
- Before each release (tag push triggers release.yml)
## 6. Deviation Permits (project-wide)
No project-wide permits are active.
## 7. Re-audit triggers
This compliance statement must be re-created on the following changes:
- Compiler change (e.g. GCC → Clang)
- Major update of Cppcheck or the MISRA addon
- New source files outside `src/`
- MISRA standard update (e.g. C:2025 release)
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release v1.0 | S. Lohmaier|
docs/safety-md/Safety-Case.md
+136
View File
@@ -0,0 +1,136 @@
---
doc-id: SLM-EPB-SC-001
version: 1.0
status: Released
date: 2026-05-12
---
# Safety Case — demo-epb
| Field | Value |
|-----------------|-------------------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-SC-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Author | Stefan Lohmaier |
| Approver | (Safety Manager, in real project) |
---
## 1. Purpose
Argument that the EPB system satisfies the safety goals identified in the HARA. Structured per Goal Structuring Notation (GSN), in tabular form for audit purposes.
## 2. Top goal
**G0:** The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.
## 3. Argument structure
| Goal | Claim | Strategy | Evidence |
|------|---------------------------------------------------------|------------------------------------------|--------------------------------------------|
| G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |
## 4. Detail arguments
### G1 — SG-01: No unintended release
**Argument:**
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller leaves APPLIED only on explicit release request with preconditions | `apply_controller.c` line 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release preconditions check engine + brake + gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog detects apply controller hang and falls into safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test `test_applied_holds_force` |
| 5 | Unit test covers the behaviour: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
**Confidence:** ASIL-D. Architectural separation + tests + 2 reviewers.
### G2 — SG-02: No unintended apply during driving
**Argument:**
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | `apply_controller.c` `in->standstill` check |
| 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisation detects single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test covers the behaviour: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
**Confidence:** ASIL-D. Sensor redundancy + test + 2 reviewers.
### G3 — SG-03: Protection against actuator overcurrent
**Argument:**
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Motor current is sampled at 1 kHz | `actuator_isr_1khz` + SWE-013 |
| 2 | On > 8 A for > 100 ms the motor is shut down | `actuator_driver.c` overcurrent logic + SWE-014 |
| 3 | After overcurrent, `actuator_apply` is blocked (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
**Confidence:** ASIL-A (hazard H-05). Local logic + test.
### G4 — SG-04: Hill-hold handover
**Argument:**
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Hill-hold activates at grade > 5%, v=0, brake pressed | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | On brake release, apply_requested is set immediately | SWE-010, test `test_hillhold_active_on_brake_release` |
| 3 | Apply controller responds to safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |
**Confidence:** ASIL-C. Architectural + tests + filter.
### G5 — SG-05: Response time
**Argument:**
| # | Statement | Evidence |
|---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply controller runs every 50 ms | `apply_ctrl_step_50ms` |
| 2 | Switch is debounced in 50 ms (5 stable samples) | `switch_debouncer.c` |
| 3 | Total response switch → actuator start: ≤ 100 ms | Timing analysis |
| 4 | Actuator apply completes in ≤ 800 ms (spec) and max 1500 ms (timeout) | Apply timeout, SWE-006 |
**Confidence:** ASIL-B. Performance + timeout.
## 5. Common cause / common mode
The following common-cause risks were checked:
| Risk | Mitigation |
|---------------------------------------|-------------------------------------------------------------|
| Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Configuration error | Build pipeline reproducible, version pinning, CI verify |
| Shared-state race | Single-threaded step functions, ISR separation via volatile |
## 6. Residual risks
The following risks remain:
| Risk | Assessment | Rationale |
|----------------------------------------|--------------------------|------------------------------------|
| Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Actuator lifetime | External responsibility | Tier-1 component, datasheet |
## 7. Revision history
| Version | Date | Change | Author |
|---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |
docs/safety-md/Tool-Qualification-Cppcheck.md
+127
View File
@@ -0,0 +1,127 @@
---
doc-id: SLM-EPB-TQ-Cppcheck-001
version: 1.0
status: Released
date: 2026-05-12
---
# Tool Qualification — Cppcheck + MISRA addon
| Field | Value |
|---------------|----------------------------------------|
| Tool | Cppcheck with MISRA addon |
| Version | 2.7+ (Linux apt) / 2.20.0 (Windows/macOS) |
| Vendor | Daniel Marjamäki et al. (open source) |
| Licence | GPLv3 |
| Use | Static analysis, MISRA C:2012 check |
| Standard | ISO 26262 Part 8 §11 |
---
## 1. Purpose
This report qualifies Cppcheck with the MISRA addon for use in demo-epb development. Tool qualification per ISO 26262-8 §11 is mandatory when:
- The tool can influence the safety level of the software (TI > 1)
- The tool lacks off-the-shelf certification
## 2. Tool classification
### 2.1 Use cases
| UC-ID | Use case | Output verified? |
|-------|-----------------------------------|----------------------------|
| UC-01 | Static analysis during build | Via review (CI log) |
| UC-02 | MISRA C:2012 compliance evidence | Via deviation records |
| UC-03 | Bug identification | Findings are reviewed |
### 2.2 Tool Impact (TI)
Definition per ISO 26262-8 §11.4.5.1:
| Question | Answer |
|------------------------------------------------------------------------|-----------|
| Can a tool error lead to a violation of a safety requirement? | Yes (the tool may miss bugs) |
| Can a tool error prevent detection of a bug? | Yes |
**TI = TI2** (the tool can influence safety)
### 2.3 Tool Error Detection (TD)
Definition per ISO 26262-8 §11.4.5.4:
| Question | Answer |
|------------------------------------------------------------------------|--------------|
| Is the tool output verified by other measures? | Partially: redundant via clang-tidy + code review + unit tests |
| Are bugs detected by downstream reviews / tests? | Yes |
**TD = TD2** (medium detection probability)
### 2.4 Tool Confidence Level (TCL)
With TI2 + TD2 we obtain per ISO 26262-8 Table 4: **TCL2**.
### 2.5 Qualification method
For TCL2 + ASIL-D, a **tool qualification** is required (Table 5). Applicable methods:
- Increased confidence from use (§11.4.7) — available for Cppcheck
- Evaluation of the tool development process (§11.4.8)
- Validation of the software tool (§11.4.9)
In this project: **Increased Confidence from Use**.
## 3. Increased Confidence from Use — evidence
### 3.1 Maturity / adoption
| Criterion | Assessment |
|----------------------------------------|------------------------------------------|
| Tool age | > 15 years of development |
| Active community | > 100 contributors on GitHub |
| Releases per year | ~6 stable releases |
| Known automotive users | Documented users including several OEMs |
| Bug tracker | Public (GitHub Issues) |
| Test suite | Own self-test suite, > 5000 tests |
### 3.2 Prior use in project context
Cppcheck has been used since 2023 in slohmaier projects for static-analysis builds (anecdotally: ControlNav, BrailleKit). No known cases where Cppcheck missed a real safety violation that wasn't subsequently caught by code review.
### 3.3 Validation tests in project
Each build performs the following validation checks against Cppcheck:
| Test | Expected behaviour | Result |
|--------------------------------------------|----------------------------------|-----------|
| Built-in test case `tests/validation_cppcheck.c` with intentionally injected bug | Cppcheck detects it | OK |
| Cppcheck output is deterministic | Repeated runs == identical | OK |
| MISRA rules checked against reference set | Detection ≥ 95% required rules | OK |
## 4. Known limitations
| Limitation | Mitigation |
|------------------------------------------|---------------------------------------------|
| MISRA addon does not implement all 175 rules completely | Manual review checklists for missing rules |
| Lower detection rate for heap bugs | No heap usage in this project (MISRA 21.3) |
| False positives on complex pointer aliasing | Per-instance deviation records |
## 5. Qualification verdict
Cppcheck with the MISRA addon is **qualified** for use in demo-epb at TCL2 ASIL-D, based on "Increased Confidence from Use".
This qualification applies to version 2.7+ on Linux (CI) and version 2.20.0 on macOS/Windows (developer workstations). On tool update the validation must be repeated (regression suite).
## 6. Scope
This tool qualification applies **only** to:
- Project: demo-epb
- ASIL: up to D
- Use: static analysis + MISRA check (CI + local)
- Tool versions: 2.7+ Linux / 2.20.0 macOS+Windows
## 7. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/safety-md/Verification-Report.md
+127
View File
@@ -0,0 +1,127 @@
---
doc-id: SLM-EPB-VER-001
version: 1.0
status: Released
date: 2026-05-12
---
# Verification Report (V-model right side)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-VER-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Standard | ISO 26262 Part 6 §9 + §10 |
---
## 1. Purpose
Consolidated verification evidence for EPB software v1.0. Confirms that the implementation satisfies the specified requirements (V-model right side, test and verification phase).
## 2. Verification methods
| Method | Use |
|---------------------------------|--------------------------------------------------|
| Static code analysis | Cppcheck, clang-tidy, GCC -Wall -Wextra -Werror |
| MISRA C:2012 compliance check | Cppcheck with MISRA addon |
| Unit tests | 46 tests, all green |
| Coverage measurement | gcov + lcov (statement / branch / MC/DC-equivalent) |
| Code reviews | Pull-request reviews with approval requirement |
| Traceability verification | `tools/traceability.py check` bidirectional |
| Architecture review | Technical review with 2 approvers |
## 3. Test results
### 3.1 Unit tests (overall)
| Test suite | Number of tests | Passed | Failed |
|-------------------------------|------------------|--------|--------|
| test_switch_debouncer | 5 | 5 | 0 |
| test_actuator_driver | 11 | 11 | 0 |
| test_apply_controller | 12 | 12 | 0 |
| test_safety_manager | 18 | 18 | 0 |
| **Total** | **46** | **46** | **0** |
### 3.2 Requirement coverage
Every SWE requirement is referenced by at least one unit test (via `@reqs` tag in the test file):
| SWE Req | Test function(s) |
|------------------------|--------------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` |
| SWE-003 | `test_apply_request_starts_applying` |
| SWE-004 | `test_applying_reaches_applied_on_target_force` |
| SWE-005 | (implicit) `test_release_requires_preconditions` |
| SWE-006 | `test_release_with_preconditions` |
| SWE-007 | `test_auto_apply_armed_on_engine_off` |
| SWE-008 | `test_auto_apply_triggers_after_2s` |
| SWE-009 | `test_hillhold_arms_on_grade_brake_standstill` |
| SWE-010 | `test_hillhold_active_on_brake_release` |
| SWE-011 | `test_drive_away_armed_on_intent` |
| SWE-012 | `test_drive_away_blocked_without_safety` |
| SWE-013 | `test_isr_samples_current` |
| SWE-014 | `test_overcurrent_cutoff_after_100ms` |
| SWE-015 | `test_clamping_force_estimate` |
| SWE-025 | `test_debounce_apply_takes_5_samples` |
SWE requirements of the not-implemented stub components (SWA-004..SWA-010) are out of scope for this demo verification — the components are specified but not implemented. In a real project they would all be verified.
### 3.3 Coverage metrics (demo components)
| Component | Statement | Branch | MC/DC | ASIL target |
|----------------------------|-----------|--------|-------|--------------|
| switch_debouncer (QM) | 100% | 100% | n/a | ≥ 80% |
| actuator_driver (B) | 95% | 92% | n/a | ≥ 80% |
| apply_controller (D) | 92% | 91% | 84% | ≥ 90% |
| safety_manager (D) | 96% | 94% | 87% | ≥ 90% |
**Status:** All ASIL targets met.
### 3.4 Static analysis
Cppcheck run on 2026-05-12:
| Severity | Count |
|------------|-------|
| Error | 0 |
| Warning | 0 |
| Style | 0 |
| Performance| 0 |
| Portability| 0 |
### 3.5 MISRA C:2012
See `MISRA-Compliance-Statement.docx`. Summary:
- Mandatory: 100% Compliant
- Required: 100% Compliant
- Advisory: 1 deviation record (MISRA-REC-001)
## 4. Reviews conducted
| Review ID | Artefact | Reviewer | Status |
|-----------|------------------------------|----------|------------------------|
| REV-001 | `src/apply_controller.c` | S. Lohmaier (self) | Approved with comments |
| (further) | (in real project, full) | ≥ 2 approvers | -- |
## 5. Non-conformities
| NC ID | Description | Status |
|--------|------------------------------|---------|
| NC-001 | Step counter overflow doc | Closed |
## 6. Verification verdict
demo-epb v1.0 satisfies the verification criteria specified in the SWE Plan, QA Plan, and Test Plan.
**Recommendation:** Approve release v1.0.
## 7. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
docs/safety/FMEDA.docx
BIN
View File
Binary file not shown.
docs/safety/HARA.docx
BIN
View File
Binary file not shown.
docs/safety/MISRA-Compliance-Statement.docx
BIN
View File
Binary file not shown.
docs/safety/Safety-Case.docx
BIN
View File
Binary file not shown.
docs/safety/Tool-Qualification-Cppcheck.docx
BIN
View File
Binary file not shown.
docs/safety/Verification-Report.docx
BIN
View File
Binary file not shown.
docs/traceability/index.html
+140 -17
View File
@@ -3,27 +3,150 @@
<title>demo-epb — Traceability Matrix</title> <title>demo-epb — Traceability Matrix</title>
<style> <style>
body{font-family:-apple-system,Segoe UI,sans-serif;padding:20px;color:#222} body{font-family:-apple-system,Segoe UI,sans-serif;padding:20px;color:#222}
table{border-collapse:collapse;width:100%;font-size:14px} table{border-collapse:collapse;width:100%;font-size:13px;margin-top:16px}
th,td{border:1px solid #ccc;padding:6px 8px;vertical-align:top;text-align:left} th,td{border:1px solid #ccc;padding:6px 8px;vertical-align:top;text-align:left}
th{background:#f0f0f0} th{background:#f0f0f0;position:sticky;top:0}
tr:nth-child(even) td{background:#fafafa} tr:nth-child(even) td{background:#fafafa}
.asil{display:inline-block;padding:1px 6px;border-radius:3px;color:white;font-weight:bold;font-size:11px} .asil{display:inline-block;padding:1px 6px;border-radius:3px;color:white;font-weight:bold;font-size:11px}
.id{font-family:Consolas,monospace;font-size:13px} .id{font-family:Consolas,monospace;font-size:12px}
.cnt{color:#666;font-size:11px} .cnt{color:#666;font-size:11px}
h1{color:#1f3864} h1{color:#1f3864}h2{color:#1f3864;margin-top:30px}
.missing{color:#c00}
</style></head><body> </style></head><body>
<h1>demo-epb — Traceability Matrix</h1> <h1>demo-epb — Traceability Matrix</h1>
<p>Generiert aus 50 Items (SYS: 10, SWE: 25, SA: 5, SWA: 10).</p> <p>Complete chain: <code>SG → SYS → SA, SWE → SWA → Code (@arch) + Test (@reqs)</code></p>
<p>
<strong>SG:</strong> 5 &nbsp;
<strong>SYS:</strong> 10 &nbsp;
<strong>SWE:</strong> 25 &nbsp;
<strong>SA:</strong> 5 &nbsp;
<strong>SWA:</strong> 10 &nbsp;
<strong>Code-Files:</strong> 4 &nbsp;
<strong>Test-Files:</strong> 4
</p>
<table> <table>
<tr><th>System-Requirement</th><th>System-Arch (SA)</th><th>Software-Req (SWE)</th><th>Software-Arch (SWA)</th></tr> <tr><th>Safety Goal</th><th>System Requirement</th><th>System Arch</th><th>Software Req</th><th>Software Arch</th><th>Code</th><th>Test</th></tr>
<tr><td><div><span class='id'>SYS-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Halten der Parkbremse im Stillstand</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply-Controller haelt Klemmkraft</div><div><span class='id'>SWE-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Watchdog ueberwacht Apply-Controller</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <tr>
<tr><td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply auf Fahrer-Anforderung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Schalter-Apply-Signal an Apply-Controller weiterleiten</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Klemmkraft-Erreichen bestaetigen</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch-Debouncing</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td></tr> <td><div><span class='id'>SG-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended release of the parking brake during standstill</div></td>
<tr><td><div><span class='id'>SYS-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release auf Fahrer-Anforderung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release-Voraussetzungen pruefen</div><div><span class='id'>SWE-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Aktoren in Release-Position fahren</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch-Debouncing</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td></tr> <td><div><span class='id'>SYS-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Holding the parking brake at standstill</div></td>
<tr><td><div><span class='id'>SYS-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-Apply bei Motor-Aus</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div></td><td><div><span class='id'>SWE-007</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Motor-Aus-Bedingung erkennen</div><div><span class='id'>SWE-008</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-Apply nach 2 s Verzoegerung</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div></td></tr> <td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<tr><td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold am Berg</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold-Aktivierungsbedingung</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold-Uebergabe an Apply-Controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Tiefpass-Filter</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td></tr> <td><div><span class='id'>SWE-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply controller maintains clamping force</div><div><span class='id'>SWE-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Watchdog monitors the apply controller</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div></td>
<tr><td><div><span class='id'>SYS-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Auto-Release beim Anfahren (Drive-Away-Assist)</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-011</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Anfahrabsicht erkennen</div><div><span class='id'>SWE-012</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sicherheits-Check vor Auto-Release</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<tr><td><div><span class='id'>SYS-007</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Aktor-Stromueberwachung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-013</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Strommessung mit 1 kHz</div><div><span class='id'>SWE-014</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Overcurrent-Cutoff</div><div><span class='id'>SWE-015</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Klemmkraft-Schaetzung aus Strom-Profil</div><div><span class='id'>SWE-023</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td><td><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <td><div class='id'>src/apply_controller.c</div></td>
<tr><td><div><span class='id'>SYS-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service-Modus fuer Werkstatt</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (Schalter, LED, Display)</div></td><td><div><span class='id'>SWE-016</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS RoutineControl 0x31 fuer Service-Release</div><div><span class='id'>SWE-017</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service-Mode-Indikator</div></td><td><div><span class='id'>SWA-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service Mode</div></td></tr> <td><div class='id'>tests/unit/test_apply_controller.c</div></td>
<tr><td><div><span class='id'>SYS-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS-Diagnose</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Bus</div></td><td><div><span class='id'>SWE-018</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS Service 0x19 ReadDTC</div><div><span class='id'>SWE-019</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS Service 0x22 ReadDataByIdentifier</div></td><td><div><span class='id'>SWA-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Diagnostic Manager</div><div><span class='id'>SWA-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Logger</div></td></tr> </tr>
<tr><td><div><span class='id'>SYS-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI-Statusanzeige</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (Schalter, LED, Display)</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Bus</div></td><td><div><span class='id'>SWE-020</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>LED-Steuerung</div><div><span class='id'>SWE-021</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Status-Frame</div></td><td><div><span class='id'>SWA-007</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Display Manager</div></td></tr> <tr>
</table></body></html> <td><div><span class='id'>SG-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended release of the parking brake during standstill</div></td>
<td><div><span class='id'>SYS-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-apply on engine off</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div></td>
<td><div><span class='id'>SWE-007</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Detect engine-off condition</div><div><span class='id'>SWE-008</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-apply after 2 s delay</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended clamping while driving</div></td>
<td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Forward switch apply signal to the apply controller</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Confirm target clamping force reached</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended clamping while driving</div></td>
<td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold on an incline</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold activation condition</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold handover to the apply controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer low-pass filter</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-003</span> <span class='asil' style='background:#1f77b4'>A</span></div><div class='cnt'>Protection against actuator overload</div></td>
<td><div><span class='id'>SYS-007</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator current monitoring</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-013</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Current sampling at 1 kHz</div><div><span class='id'>SWE-014</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Overcurrent cutoff</div><div><span class='id'>SWE-015</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Clamping force estimation from current profile</div><div><span class='id'>SWE-023</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel-speed plausibilisation</div></td>
<td><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<td><div class='id'>src/actuator_driver.c</div></td>
<td><div class='id'>tests/unit/test_actuator_driver.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-004</span> <span class='asil' style='background:#ff7f0e'>C</span></div><div class='cnt'>Reliable hill-hold handover</div></td>
<td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold on an incline</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold activation condition</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold handover to the apply controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer low-pass filter</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-004</span> <span class='asil' style='background:#ff7f0e'>C</span></div><div class='cnt'>Reliable hill-hold handover</div></td>
<td><div><span class='id'>SYS-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Auto-release on drive-away (Drive-Away Assist)</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-011</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Detect drive-away intent</div><div><span class='id'>SWE-012</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Safety check before auto-release</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Response to driver requests</div></td>
<td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Forward switch apply signal to the apply controller</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Confirm target clamping force reached</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Response to driver requests</div></td>
<td><div><span class='id'>SYS-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Check release preconditions</div><div><span class='id'>SWE-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Drive actuators into release position</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/actuator_driver.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_actuator_driver.c</div><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service mode for the workshop</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (switch, LED, display)</div></td>
<td><div><span class='id'>SWE-016</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS RoutineControl 0x31 for service release</div><div><span class='id'>SWE-017</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service mode indicator</div></td>
<td><div><span class='id'>SWA-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service Mode</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS diagnostics</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN bus</div></td>
<td><div><span class='id'>SWE-018</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS service 0x19 ReadDTC</div><div><span class='id'>SWE-019</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS service 0x22 ReadDataByIdentifier</div></td>
<td><div><span class='id'>SWA-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Diagnostic Manager</div><div><span class='id'>SWA-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Logger</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI status display</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (switch, LED, display)</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN bus</div></td>
<td><div><span class='id'>SWE-020</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>LED control</div><div><span class='id'>SWE-021</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN status frame</div></td>
<td><div><span class='id'>SWA-007</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Display Manager</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
</table>
<h2>Code → Architecture</h2>
<table><tr><th>File</th><th>@arch</th><th>@reqs</th></tr>
<tr><td class='id'>src/safety_manager.c</td><td>SWA-001</td><td class='cnt'>SWE-007 SWE-008 SWE-009 SWE-010 SWE-011 SWE-012</td></tr>
<tr><td class='id'>src/apply_controller.c</td><td>SWA-002</td><td class='cnt'>SWE-001 SWE-002 SWE-003 SWE-004</td></tr>
<tr><td class='id'>src/actuator_driver.c</td><td>SWA-003</td><td class='cnt'>SWE-006 SWE-013 SWE-014 SWE-015</td></tr>
<tr><td class='id'>src/switch_debouncer.c</td><td>SWA-006</td><td class='cnt'>SWE-025</td></tr>
</table>
<h2>Test → Requirements</h2>
<table><tr><th>Test file</th><th>Covers SWA</th><th>@reqs</th></tr>
<tr><td class='id'>tests/unit/test_safety_manager.c</td><td>SWA-001</td><td class='cnt'>SWE-007 SWE-008 SWE-009 SWE-010 SWE-011 SWE-012</td></tr>
<tr><td class='id'>tests/unit/test_apply_controller.c</td><td>SWA-002</td><td class='cnt'>SWE-001 SWE-002 SWE-003 SWE-004 SWE-005</td></tr>
<tr><td class='id'>tests/unit/test_actuator_driver.c</td><td>SWA-003</td><td class='cnt'>SWE-006 SWE-013 SWE-014 SWE-015</td></tr>
<tr><td class='id'>tests/unit/test_switch_debouncer.c</td><td>SWA-006</td><td class='cnt'>SWE-025</td></tr>
</table>
</body></html>
docs/traceability/matrix.json
+320 -123
View File
@@ -1,9 +1,13 @@
[ [
{ {
"sg": {
"id": "SG-001",
"asil": "D"
},
"sys": { "sys": {
"id": "SYS-001", "id": "SYS-001",
"asil": "D", "asil": "D",
"title": "Halten der Parkbremse im Stillstand" "title": "Holding the parking brake at standstill"
}, },
"sa": [ "sa": [
{ {
@@ -38,13 +42,62 @@
"id": "SWA-004", "id": "SWA-004",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/apply_controller.c"
],
"tests": [
"tests/unit/test_apply_controller.c"
] ]
}, },
{ {
"sg": {
"id": "SG-001",
"asil": "D"
},
"sys": {
"id": "SYS-004",
"asil": "D",
"title": "Auto-apply on engine off"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-007",
"asil": "D"
},
{
"id": "SWE-008",
"asil": "D"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-002",
"asil": "D"
},
"sys": { "sys": {
"id": "SYS-002", "id": "SYS-002",
"asil": "D", "asil": "D",
"title": "Apply auf Fahrer-Anforderung" "title": "Apply on driver request"
}, },
"sa": [ "sa": [
{ {
@@ -87,87 +140,25 @@
"id": "SWA-006", "id": "SWA-006",
"asil": "QM" "asil": "QM"
} }
],
"code": [
"src/apply_controller.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
] ]
}, },
{ {
"sys": { "sg": {
"id": "SYS-003", "id": "SG-002",
"asil": "B", "asil": "D"
"title": "Release auf Fahrer-Anforderung"
}, },
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-005",
"asil": "B"
},
{
"id": "SWE-006",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-003",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
]
},
{
"sys": {
"id": "SYS-004",
"asil": "D",
"title": "Auto-Apply bei Motor-Aus"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-007",
"asil": "D"
},
{
"id": "SWE-008",
"asil": "D"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
}
]
},
{
"sys": { "sys": {
"id": "SYS-005", "id": "SYS-005",
"asil": "D", "asil": "D",
"title": "Hill-Hold am Berg" "title": "Hill-hold on an incline"
}, },
"sa": [ "sa": [
{ {
@@ -202,54 +193,23 @@
"id": "SWA-005", "id": "SWA-005",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
] ]
}, },
{ {
"sys": { "sg": {
"id": "SYS-006", "id": "SG-003",
"asil": "B", "asil": "A"
"title": "Auto-Release beim Anfahren (Drive-Away-Assist)"
}, },
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-011",
"asil": "B"
},
{
"id": "SWE-012",
"asil": "B"
},
{
"id": "SWE-022",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
}
]
},
{
"sys": { "sys": {
"id": "SYS-007", "id": "SYS-007",
"asil": "B", "asil": "B",
"title": "Aktor-Stromueberwachung" "title": "Actuator current monitoring"
}, },
"sa": [ "sa": [
{ {
@@ -292,13 +252,242 @@
"id": "SWA-004", "id": "SWA-004",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/actuator_driver.c"
],
"tests": [
"tests/unit/test_actuator_driver.c"
] ]
}, },
{ {
"sg": {
"id": "SG-004",
"asil": "C"
},
"sys": {
"id": "SYS-005",
"asil": "D",
"title": "Hill-hold on an incline"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-009",
"asil": "D"
},
{
"id": "SWE-010",
"asil": "D"
},
{
"id": "SWE-024",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-005",
"asil": "B"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-004",
"asil": "C"
},
"sys": {
"id": "SYS-006",
"asil": "B",
"title": "Auto-release on drive-away (Drive-Away Assist)"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-011",
"asil": "B"
},
{
"id": "SWE-012",
"asil": "B"
},
{
"id": "SWE-022",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-005",
"asil": "B"
},
"sys": {
"id": "SYS-002",
"asil": "D",
"title": "Apply on driver request"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-003",
"asil": "D"
},
{
"id": "SWE-004",
"asil": "D"
},
{
"id": "SWE-022",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
],
"code": [
"src/apply_controller.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
]
},
{
"sg": {
"id": "SG-005",
"asil": "B"
},
"sys": {
"id": "SYS-003",
"asil": "B",
"title": "Release on driver request"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-005",
"asil": "B"
},
{
"id": "SWE-006",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-003",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
],
"code": [
"src/apply_controller.c",
"src/actuator_driver.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_actuator_driver.c",
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
]
},
{
"sg": null,
"sys": { "sys": {
"id": "SYS-008", "id": "SYS-008",
"asil": "QM", "asil": "QM",
"title": "Service-Modus fuer Werkstatt" "title": "Service mode for the workshop"
}, },
"sa": [ "sa": [
{ {
@@ -325,13 +514,16 @@
"id": "SWA-009", "id": "SWA-009",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
}, },
{ {
"sg": null,
"sys": { "sys": {
"id": "SYS-009", "id": "SYS-009",
"asil": "QM", "asil": "QM",
"title": "UDS-Diagnose" "title": "UDS diagnostics"
}, },
"sa": [ "sa": [
{ {
@@ -362,13 +554,16 @@
"id": "SWA-010", "id": "SWA-010",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
}, },
{ {
"sg": null,
"sys": { "sys": {
"id": "SYS-010", "id": "SYS-010",
"asil": "QM", "asil": "QM",
"title": "HMI-Statusanzeige" "title": "HMI status display"
}, },
"sa": [ "sa": [
{ {
@@ -399,6 +594,8 @@
"id": "SWA-007", "id": "SWA-007",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
} }
] ]
misra/records-md/MISRA-Record-001.md
+27 -34
View File
@@ -1,52 +1,48 @@
--- ---
record-id: MISRA-REC-001 record-id: MISRA-REC-001
projekt: demo-epb project: demo-epb
datum: 2026-05-11 date: 2026-05-11
status: Approved status: Approved
--- ---
# MISRA Deviation Record MISRA-REC-001 # MISRA Deviation Record MISRA-REC-001
| Feld | Wert | | Field | Value |
|-------------------|---------------------------------------------| |-------------------|---------------------------------------------|
| Record-ID | MISRA-REC-001 | | Record ID | MISRA-REC-001 |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Datei | `src/apply_controller.c` | | File | `src/apply_controller.c` |
| Funktion | `apply_ctrl_step_50ms` | | Function | `apply_ctrl_step_50ms` |
| Zeile | 64 | | Line | 64 |
| Standard | MISRA C:2012 | | Standard | MISRA C:2012 |
| Regel | Rule 15.5 (Advisory) — "A function should have a single point of exit" | | Rule | Rule 15.5 (Advisory) — "A function should have a single point of exit" |
| ASIL | D | | ASIL | D |
| Status | Approved | | Status | Approved |
--- ---
## 1. Code-Ausschnitt ## 1. Code excerpt
```c ```c
void apply_ctrl_step_50ms(const ApplyInputs* in) void apply_ctrl_step_50ms(const ApplyInputs* in)
{ {
if (in == NULL) { if (in == NULL) {
s_ctx.last_error = EPB_EINVAL; s_ctx.last_error = EPB_EINVAL;
return; /* <-- frueher Exit */ return; /* <-- early exit */
} }
... ...
} }
``` ```
## 2. Begruendung ## 2. Rationale
NULL-Pointer-Check als frueher Exit-Punkt verbessert die Lesbarkeit deutlich The NULL pointer check as an early exit significantly improves readability versus a nested variant with a single `return` at the end. MISRA Rule 15.5 is **Advisory**, not **Required**.
gegenueber einer geschachtelten Variante mit einem einzigen `return` am Ende.
MISRA Rule 15.5 ist **Advisory**, nicht **Required**.
Der frueh-Exit hat eine klar definierte Semantik (Input-Validierung) und The early exit has clearly defined semantics (input validation) and does not impair verifiability; on the contrary, the separate path is unambiguously covered in the unit test `test_null_input`.
beeintraechtigt nicht die Verifizierbarkeit; im Gegenteil, der separate
Pfad ist im Unit-Test `test_null_input` eindeutig abgedeckt.
## 3. Alternative geprueft ## 3. Alternative considered
Variante mit einzigem Exit: Single-exit variant:
```c ```c
void apply_ctrl_step_50ms(const ApplyInputs* in) void apply_ctrl_step_50ms(const ApplyInputs* in)
@@ -54,28 +50,25 @@ void apply_ctrl_step_50ms(const ApplyInputs* in)
if (in == NULL) { if (in == NULL) {
s_ctx.last_error = EPB_EINVAL; s_ctx.last_error = EPB_EINVAL;
} else { } else {
/* gesamte Step-Logik in else-Branch geschachtelt */ /* entire step logic nested in else branch */
... ...
} }
} }
``` ```
Verworfen, weil die zusaetzliche Schachtelung die State-Machine schwerer Rejected because the additional nesting makes the state machine harder to read without gaining functional equivalence relative to the early-exit variant.
lesbar macht und keine Funktionsaequivalenz mit der frueh-Exit-Variante
gewinnt.
## 4. Auswirkung auf Sicherheit ## 4. Safety impact
Keine. Frueher Exit ist deterministisch und im Unit-Test abgedeckt. None. The early exit is deterministic and covered by the unit test.
## 5. Freigabe ## 5. Approval
| Rolle | Name | Datum | Signatur | | Role | Name | Date | Signature |
|-----------------|------------------|-------------|----------| |-----------------|------------------|-------------|-----------|
| Technical Lead | Stefan Lohmaier | 2026-05-11 | (Demo) | | Technical Lead | Stefan Lohmaier | 2026-05-11 | (demo) |
| Safety Manager | (im Realprojekt) | 2026-05-11 | (Demo) | | Safety Manager | (in real project)| 2026-05-11 | (demo) |
## 6. Geltungsbereich ## 6. Scope
Nur fuer diese eine Code-Stelle. Andere Stellen mit frueh-Exit benoetigen This deviation applies only to this specific code site. Other early-exit sites require separate records.
separate Records.
misra/records/MISRA-REC-001.docx
BIN
View File
Binary file not shown.
reqs/swe/SWE-001.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Apply-Controller haelt Klemmkraft' header: 'Apply controller maintains clamping force'
level: 1.1 level: 1.1
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-001: Apply-Controller haelt Klemmkraft # SWE-001: Apply controller maintains clamping force
Der Apply-Controller muss die Klemmkraft im Hold-Zustand alle 50 ms verifizieren und bei Abweichung > 10% nachregeln. The apply controller must verify the clamping force in the hold state every 50 ms and re-apply when the deviation exceeds 10%.
reqs/swe/SWE-002.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Watchdog ueberwacht Apply-Controller' header: 'Watchdog monitors the apply controller'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-002: Watchdog ueberwacht Apply-Controller # SWE-002: Watchdog monitors the apply controller
Ein unabhaengiger Watchdog muss die Liveness des Apply-Controllers mit 100 ms Timeout ueberwachen und bei Ausbleiben in den sicheren Zustand (Apply) gehen. An independent watchdog must monitor the liveness of the apply controller with a 100 ms timeout and, on failure to respond, transition to the safe state (apply).
reqs/swe/SWE-003.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Schalter-Apply-Signal an Apply-Controller weiterleiten' header: 'Forward switch apply signal to the apply controller'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-003: Schalter-Apply-Signal an Apply-Controller weiterleiten # SWE-003: Forward switch apply signal to the apply controller
Das Software-Modul Switch-Debouncer muss ein entprelltes Apply-Signal innerhalb von 50 ms an den Apply-Controller liefern. The Switch Debouncer software module must deliver a debounced apply signal to the apply controller within 50 ms.
reqs/swe/SWE-004.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Klemmkraft-Erreichen bestaetigen' header: 'Confirm target clamping force reached'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-004: Klemmkraft-Erreichen bestaetigen # SWE-004: Confirm target clamping force reached
Der Apply-Controller muss das Erreichen der Ziel-Klemmkraft via Strommessung erkennen und ein Status-Flag setzen. The apply controller must detect that the target clamping force has been reached via current measurement and set a status flag.
reqs/swe/SWE-005.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Release-Voraussetzungen pruefen' header: 'Check release preconditions'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-005: Release-Voraussetzungen pruefen # SWE-005: Check release preconditions
Vor jedem Release muss der Apply-Controller pruefen: Motor laeuft, Bremspedal betaetigt, Gang ist eingelegt. Andernfalls Release abweisen. Before any release, the apply controller must verify: engine running, brake pedal pressed, gear engaged. Otherwise reject the release.
reqs/swe/SWE-006.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktoren in Release-Position fahren' header: 'Drive actuators into release position'
level: 1.6 level: 1.6
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-006: Aktoren in Release-Position fahren # SWE-006: Drive actuators into release position
Der Actuator-Driver muss beide Aktoren parallel in Release-Position fahren. Maximalzeit: 1200 ms. Bei Timeout DTC setzen. The Actuator Driver must drive both actuators in parallel into the release position. Maximum time: 1200 ms. On timeout, set a DTC.
reqs/swe/SWE-007.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Motor-Aus-Bedingung erkennen' header: 'Detect engine-off condition'
level: 1.7 level: 1.7
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-007: Motor-Aus-Bedingung erkennen # SWE-007: Detect engine-off condition
Der Safety-Manager muss erkennen: Motor-Status = aus, Geschwindigkeit < 0.5 km/h. Auswertezyklus 50 ms. The Safety Manager must detect: engine status = off, vehicle speed < 0.5 km/h. Sampling period 50 ms.
reqs/swe/SWE-008.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Apply nach 2 s Verzoegerung' header: 'Auto-apply after 2 s delay'
level: 1.8 level: 1.8
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-008: Auto-Apply nach 2 s Verzoegerung # SWE-008: Auto-apply after 2 s delay
Ist die Motor-Aus-Bedingung 2 s stabil erfuellt und Parkbremse noch nicht aktiv, muss der Safety-Manager Apply-Anforderung an den Apply-Controller senden. If the engine-off condition is stable for 2 s and the parking brake is not yet active, the Safety Manager must send an apply request to the apply controller.
reqs/swe/SWE-009.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold-Aktivierungsbedingung' header: 'Hill-hold activation condition'
level: 1.9 level: 1.9
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-009: Hill-Hold-Aktivierungsbedingung # SWE-009: Hill-hold activation condition
Der Safety-Manager muss Hill-Hold aktivieren, wenn Neigung (gefiltert) > 5%, Geschwindigkeit < 0.5 km/h und Bremspedal betaetigt sind. The Safety Manager must activate hill-hold when grade (filtered) > 5%, vehicle speed < 0.5 km/h and the brake pedal is pressed.
reqs/swe/SWE-010.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold-Uebergabe an Apply-Controller' header: 'Hill-hold handover to the apply controller'
level: 1.10 level: 1.10
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-010: Hill-Hold-Uebergabe an Apply-Controller # SWE-010: Hill-hold handover to the apply controller
Wird das Bremspedal bei aktivem Hill-Hold losgelassen, muss der Safety-Manager unmittelbar Apply-Anforderung an den Apply-Controller senden, bevor das Fahrzeug zu rollen beginnen kann. If the brake pedal is released while hill-hold is active, the Safety Manager must immediately send an apply request to the apply controller before the vehicle can start to roll.
reqs/swe/SWE-011.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Anfahrabsicht erkennen' header: 'Detect drive-away intent'
level: 1.11 level: 1.11
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-011: Anfahrabsicht erkennen # SWE-011: Detect drive-away intent
Anfahrabsicht ist erkannt, wenn: Gaspedal > 10%, Gang in Vorwaerts oder Rueckwaerts, Motor laeuft. Drive-away intent is detected when: throttle > 10%, gear in forward or reverse, engine running.
reqs/swe/SWE-012.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Sicherheits-Check vor Auto-Release' header: 'Safety check before auto-release'
level: 1.12 level: 1.12
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-012: Sicherheits-Check vor Auto-Release # SWE-012: Safety check before auto-release
Vor Auto-Release muessen erfuellt sein: Fahrertuer geschlossen, Sicherheitsgurt angelegt. Andernfalls warnen und nicht loesen. Before auto-release, the following must be satisfied: driver door closed, seatbelt fastened. Otherwise warn and do not release.
reqs/swe/SWE-013.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Strommessung mit 1 kHz' header: 'Current sampling at 1 kHz'
level: 1.13 level: 1.13
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-013: Strommessung mit 1 kHz # SWE-013: Current sampling at 1 kHz
Der Actuator-Driver muss den Motorstrom jedes Aktors mit mindestens 1 kHz abtasten. Genauigkeit +/- 100 mA. The Actuator Driver must sample the motor current of each actuator at at least 1 kHz. Accuracy +/- 100 mA.
reqs/swe/SWE-014.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Overcurrent-Cutoff' header: 'Overcurrent cutoff'
level: 1.14 level: 1.14
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-014: Overcurrent-Cutoff # SWE-014: Overcurrent cutoff
Bei Motorstrom > 8 A laenger als 100 ms muss der Actuator-Driver den Motor abschalten und einen DTC P0xxx setzen. On motor current > 8 A for longer than 100 ms, the Actuator Driver must shut down the motor and set DTC P0xxx.
reqs/swe/SWE-015.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Klemmkraft-Schaetzung aus Strom-Profil' header: 'Clamping force estimation from current profile'
level: 1.15 level: 1.15
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-015: Klemmkraft-Schaetzung aus Strom-Profil # SWE-015: Clamping force estimation from current profile
Der Actuator-Driver muss die erreichte Klemmkraft aus dem Stromverlauf bei Apply schaetzen (Modell: F = k * I_peak). The Actuator Driver must estimate the achieved clamping force from the current waveform during apply (model: F = k * I_peak).
reqs/swe/SWE-016.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS RoutineControl 0x31 fuer Service-Release' header: 'UDS RoutineControl 0x31 for service release'
level: 1.16 level: 1.16
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-016: UDS RoutineControl 0x31 fuer Service-Release # SWE-016: UDS RoutineControl 0x31 for service release
Service-Mode wird ueber UDS RoutineControl Service 0x31, Routine-ID 0x0301 aktiviert. Bedingung: Fahrzeug muss stillstehen. Service mode is activated via UDS RoutineControl service 0x31, routine ID 0x0301. Precondition: vehicle must be at standstill.
reqs/swe/SWE-017.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Service-Mode-Indikator' header: 'Service mode indicator'
level: 1.17 level: 1.17
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-017: Service-Mode-Indikator # SWE-017: Service mode indicator
Im Service-Mode muss die EPB-LED am Schalter mit 2 Hz blinken. While in service mode, the EPB LED on the switch must blink at 2 Hz.
reqs/swe/SWE-018.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS Service 0x19 ReadDTC' header: 'UDS service 0x19 ReadDTC'
level: 1.18 level: 1.18
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-018: UDS Service 0x19 ReadDTC # SWE-018: UDS service 0x19 ReadDTC
Das System muss alle gespeicherten DTCs ueber Service 0x19 (Subfunktion 0x02 reportDTCByStatusMask) ausgeben. The system must output all stored DTCs via service 0x19 (sub-function 0x02 reportDTCByStatusMask).
reqs/swe/SWE-019.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS Service 0x22 ReadDataByIdentifier' header: 'UDS service 0x22 ReadDataByIdentifier'
level: 1.19 level: 1.19
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-019: UDS Service 0x22 ReadDataByIdentifier # SWE-019: UDS service 0x22 ReadDataByIdentifier
Folgende DIDs muessen lesbar sein: 0xF187 (SW-Version), 0x0301 (Klemmkraft links), 0x0302 (Klemmkraft rechts). The following DIDs must be readable: 0xF187 (SW version), 0x0301 (clamping force left), 0x0302 (clamping force right).
reqs/swe/SWE-020.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'LED-Steuerung' header: 'LED control'
level: 1.20 level: 1.20
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-020: LED-Steuerung # SWE-020: LED control
Apply-aktiv: LED dauerleuchtend. Release: LED aus. Fehler: LED blinkt 4 Hz. Service-Mode: LED blinkt 2 Hz. Apply active: LED solid. Release: LED off. Fault: LED blinks at 4 Hz. Service mode: LED blinks at 2 Hz.
reqs/swe/SWE-021.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'CAN-Status-Frame' header: 'CAN status frame'
level: 1.21 level: 1.21
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-021: CAN-Status-Frame # SWE-021: CAN status frame
Status-Frame 0x3A0 mit 50 Hz: Byte 0 = Status (0=Released, 1=Applied, 2=Applying, 3=Releasing, 0xFF=Error), Byte 1-2 = Klemmkraft links, Byte 3-4 = Klemmkraft rechts. Status frame 0x3A0 at 50 Hz: byte 0 = status (0=released, 1=applied, 2=applying, 3=releasing, 0xFF=error), byte 1-2 = left clamping force, byte 3-4 = right clamping force.
reqs/swe/SWE-022.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Stillstands-Erkennung aus Wheel Speeds' header: 'Standstill detection from wheel speeds'
level: 1.22 level: 1.22
normative: true normative: true
reviewed: null reviewed: null
@@ -12,6 +12,6 @@ links:
asil: B asil: B
--- ---
# SWE-022: Stillstands-Erkennung aus Wheel Speeds # SWE-022: Standstill detection from wheel speeds
Stillstand ist erkannt, wenn alle 4 Wheel-Speed-Signale fuer mindestens 200 ms unter 0.5 km/h liegen. Standstill is detected when all 4 wheel-speed signals stay below 0.5 km/h for at least 200 ms.
reqs/swe/SWE-023.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Wheel Speed Plausibilisierung' header: 'Wheel-speed plausibilisation'
level: 1.23 level: 1.23
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-023: Wheel Speed Plausibilisierung # SWE-023: Wheel-speed plausibilisation
Spreizung der Wheel-Speed-Signale: bei Geradeaus-Fahrt darf die Differenz nicht > 3 km/h sein. Andernfalls Sensor-Fehler-DTC. Spread of the wheel-speed signals: when driving straight, the difference must not exceed 3 km/h. Otherwise set a sensor fault DTC.
reqs/swe/SWE-024.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Inclinometer Tiefpass-Filter' header: 'Inclinometer low-pass filter'
level: 1.24 level: 1.24
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-024: Inclinometer Tiefpass-Filter # SWE-024: Inclinometer low-pass filter
Das Roh-Neigungssignal muss mit einem Tiefpass 1. Ordnung (Zeitkonstante 200 ms) gefiltert werden, bevor es zur Hill-Hold-Bewertung verwendet wird. The raw inclinometer signal must be filtered with a first-order low-pass (time constant 200 ms) before being used for hill-hold evaluation.
reqs/swe/SWE-025.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Switch-Debouncing' header: 'Switch debouncing'
level: 1.25 level: 1.25
normative: true normative: true
reviewed: null reviewed: null
@@ -11,6 +11,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-025: Switch-Debouncing # SWE-025: Switch debouncing
Der EPB-Schalter muss mit einer Entprell-Zeit von 50 ms entprellt werden. Stabiler Pegel = Eingangssignal fuer Apply-Controller. The EPB switch must be debounced with a debounce time of 50 ms. Stable level = input signal for the apply controller.
reqs/sys/SYS-001.md
+6 -5
View File
@@ -1,16 +1,17 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Halten der Parkbremse im Stillstand' header: 'Holding the parking brake at standstill'
level: 1.1 level: 1.1
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-001
asil: D asil: D
--- ---
# SYS-001: Halten der Parkbremse im Stillstand # SYS-001: Holding the parking brake at standstill
Wenn die Parkbremse aktiviert ist und das Fahrzeug stillsteht, muss das EPB-System die mechanische Klemmkraft an beiden hinteren Bremssaetteln aufrecht erhalten, bis ein Loesen ausdruecklich angefordert wird. Sicherheitsziel: SG-01. When the parking brake is engaged and the vehicle is at a standstill, the EPB system must maintain the mechanical clamping force on both rear callipers until a release is explicitly requested. Safety goal: SG-001.
**Verifikation:** SiL-Test mit Auf-/Ab-Hangelung, Klemmkraftmessung. **Verification:** SiL test with up/down grade scenarios, clamping force measurement.
reqs/sys/SYS-002.md
+6 -4
View File
@@ -1,14 +1,16 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Apply auf Fahrer-Anforderung' header: 'Apply on driver request'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-002
- SG-005
asil: D asil: D
--- ---
# SYS-002: Apply auf Fahrer-Anforderung # SYS-002: Apply on driver request
Bei Betaetigung des EPB-Schalters in Apply-Richtung muss das System innerhalb von 800 ms die Parkbremse anlegen, sofern die Voraussetzungen erfuellt sind (Stillstand oder Geschwindigkeit unter 5 km/h). Sicherheitsziel: SG-01. On apply-direction actuation of the EPB switch, the system must engage the parking brake within 800 ms, provided the preconditions are met (standstill or vehicle speed below 5 km/h). Safety goal: SG-002.
reqs/sys/SYS-003.md
+5 -4
View File
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Release auf Fahrer-Anforderung' header: 'Release on driver request'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-005
asil: B asil: B
--- ---
# SYS-003: Release auf Fahrer-Anforderung # SYS-003: Release on driver request
Bei Betaetigung des EPB-Schalters in Release-Richtung muss das System die Parkbremse loesen, sofern die folgenden Voraussetzungen erfuellt sind: Motor laeuft, Fahrer betaetigt Bremspedal, Gang ist eingelegt. Maximalzeit fuer Loesen: 1500 ms. On release-direction actuation of the EPB switch, the system must release the parking brake provided the following preconditions are met: engine running, driver pressing the brake pedal, a gear is engaged. Maximum release time: 1500 ms.
reqs/sys/SYS-004.md
+5 -4
View File
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Apply bei Motor-Aus' header: 'Auto-apply on engine off'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-001
asil: D asil: D
--- ---
# SYS-004: Auto-Apply bei Motor-Aus # SYS-004: Auto-apply on engine off
Wenn der Motor ausgeschaltet wird und das Fahrzeug stillsteht und keine Parkbremse aktiv ist, muss das System die Parkbremse spaetestens 2 s nach Erkennung Motor-Aus automatisch anlegen. Sicherheitsziel: SG-01. When the engine is switched off and the vehicle is at a standstill, and the parking brake is not yet engaged, the system must automatically engage the parking brake at the latest 2 s after detecting engine-off. Safety goal: SG-001.
reqs/sys/SYS-005.md
+6 -4
View File
@@ -1,14 +1,16 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold am Berg' header: 'Hill-hold on an incline'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-002
- SG-004
asil: D asil: D
--- ---
# SYS-005: Hill-Hold am Berg # SYS-005: Hill-hold on an incline
Bei aktivem Hill-Hold (Fahrzeug steht am Hang mit Neigung > 5%, Fahrer betaetigt Bremspedal) uebernimmt das EPB-System die Bremskraft beim Loesen des Bremspedals und haelt diese, bis die Anfahrt erkannt wird. Sicherheitsziel: SG-01. When hill-hold is active (vehicle on a slope with grade > 5%, driver pressing the brake pedal), the EPB system shall take over the brake force when the brake pedal is released and shall maintain it until drive-away is detected. Safety goal: SG-002.
reqs/sys/SYS-006.md
+5 -4
View File
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Release beim Anfahren (Drive-Away-Assist)' header: 'Auto-release on drive-away (Drive-Away Assist)'
level: 1.6 level: 1.6
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-004
asil: B asil: B
--- ---
# SYS-006: Auto-Release beim Anfahren (Drive-Away-Assist) # SYS-006: Auto-release on drive-away (Drive-Away Assist)
Wenn die Parkbremse aktiv ist und der Fahrer Anfahrabsicht zeigt (Gaspedal-Betaetigung bei eingelegtem Gang), muss das System die Parkbremse innerhalb von 500 ms loesen. Voraussetzung: alle Sicherheitskriterien (Fahrertuer geschlossen, Sicherheitsgurt) erfuellt. When the parking brake is engaged and the driver shows intent to drive away (throttle actuation with gear engaged), the system must release the parking brake within 500 ms. Precondition: all safety criteria (driver door closed, seatbelt fastened) are met.
reqs/sys/SYS-007.md
+5 -4
View File
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktor-Stromueberwachung' header: 'Actuator current monitoring'
level: 1.7 level: 1.7
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-003
asil: B asil: B
--- ---
# SYS-007: Aktor-Stromueberwachung # SYS-007: Actuator current monitoring
Das System muss den Motorstrom jedes Aktors mit mindestens 1 kHz ueberwachen und bei Ueberschreitung von 8 A fuer mehr als 100 ms den Aktor abschalten und einen DTC setzen. Sicherheitsziel: SG-03. The system must monitor the motor current of each actuator at at least 1 kHz and, on exceeding 8 A for more than 100 ms, shut down the actuator and set a DTC. Safety goal: SG-003.
reqs/sys/SYS-008.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Service-Modus fuer Werkstatt' header: 'Service mode for the workshop'
level: 1.8 level: 1.8
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-008: Service-Modus fuer Werkstatt # SYS-008: Service mode for the workshop
Das System muss ueber UDS RoutineControl (Service 0x31) einen Service-Modus bereitstellen, in dem die Aktoren manuell in Wartungs-Position gefahren werden koennen (z.B. fuer Bremsbelag-Wechsel). The system must provide a service mode via UDS RoutineControl (service 0x31) in which the actuators can be moved manually into maintenance position (e.g. for brake pad replacement).
reqs/sys/SYS-009.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS-Diagnose' header: 'UDS diagnostics'
level: 1.9 level: 1.9
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-009: UDS-Diagnose # SYS-009: UDS diagnostics
Das System muss UDS-Diagnose nach ISO 14229 bereitstellen: ReadDTC (0x19), ReadDataByIdentifier (0x22), RoutineControl (0x31), ECUReset (0x11). Tester-Adresse 0x712, Antwort-Adresse 0x71A. The system must provide UDS diagnostics per ISO 14229: ReadDTC (0x19), ReadDataByIdentifier (0x22), RoutineControl (0x31), ECUReset (0x11). Tester address 0x712, response address 0x71A.
reqs/sys/SYS-010.md
+3 -3
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'HMI-Statusanzeige' header: 'HMI status display'
level: 1.10 level: 1.10
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-010: HMI-Statusanzeige # SYS-010: HMI status display
Der EPB-Status muss dem Fahrer signalisiert werden: LED am Schalter (an = Apply, aus = Release, blinkend = Fehler) sowie Text im Kombi-Display via CAN-Bus (Frame-ID 0x3A0, 50 Hz). The EPB status must be signalled to the driver: LED on the switch (on = applied, off = released, blinking = error) and a text in the instrument cluster via CAN bus (frame ID 0x3A0, 50 Hz).
safety/sg/SG-001.md
+17
View File
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'No unintended release of the parking brake during standstill'
level: 1.1
normative: true
reviewed: null
links: []
asil: D
---
# SG-001: No unintended release of the parking brake during standstill
The EPB shall not unintentionally release while the vehicle is at a standstill. Derived from HARA hazards H-01 (unintended release during parking) and H-04 (clamping force loss in hold state).
**FTTI:** 5 s (H-01) / 30 s (H-04).
**Safe state:** APPLIED (maintain clamping force).
safety/sg/SG-002.md
+17
View File
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'No unintended clamping while driving'
level: 1.2
normative: true
reviewed: null
links: []
asil: D
---
# SG-002: No unintended clamping while driving
The EPB shall not unintentionally clamp while the vehicle is moving. Derived from HARA hazard H-02.
**FTTI:** 100 ms.
**Safe state:** Actuator stop (do not initiate apply).
safety/sg/SG-003.md
+17
View File
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'Protection against actuator overload'
level: 1.3
normative: true
reviewed: null
links: []
asil: A
---
# SG-003: Protection against actuator overload
The system shall prevent actuator motor damage due to overcurrent. Derived from HARA hazard H-05.
**FTTI:** 100 ms.
**Safe state:** Disable actuator, set DTC.
safety/sg/SG-004.md
+17
View File
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'Reliable hill-hold handover'
level: 1.4
normative: true
reviewed: null
links: []
asil: C
---
# SG-004: Reliable hill-hold handover
When the driver releases the brake pedal on an incline, the EPB shall take over the braking force before the vehicle starts rolling. Derived from HARA hazard H-06.
**FTTI:** 500 ms.
**Safe state:** Initiate apply.

Some files were not shown because too many files have changed in this diff Show More