12 Commits

Author SHA1 Message Date
Stefan Lohmaier fb2c083551 feat(i18n): full English translation of demo-epb
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Validate / reports (push) Successful in 50s
Release / release (push) Successful in 50s
Phase 2 of the English translation:

Word documents (filled, EPB-specific):
- 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM)
- 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance,
  Verification Report, Tool Qualification Cppcheck)
- 2 manuals (User, Service)
- 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001)
- All regenerated via pandoc from English markdown sources

Code, tests, headers:
- All file headers, struct comments, function docstrings in English
- All test names (TEST_BEGIN strings) translated
- Inline comments translated
- 46 tests still green after translation

CI workflows:
- All step names in English
- Step descriptions, comments, release notes template in English

README.md fully rewritten in English with proper guided tour.

Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
2026-05-12 03:37:51 -07:00
Stefan Lohmaier a47e0aed3e feat(i18n): tools + landing page + doorstop generator in English
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (windows-latest) (push) Failing after 16s
Validate / build-test (ubuntu-latest) (push) Successful in 18s
Validate / reports (push) Successful in 52s
Phase 1 of full English translation:
- generate_doorstop_items.py: all 55 items (SG/SYS/SWE/SA/SWA) rewritten in English
- generate_landing_page.py: full UI labels, KPI cards, section headings in English
- traceability.py: docstring, error messages, HTML headers in English
- generate_test_report.py: report content + table headers in English
- All 55 markdown items in safety/sg/, reqs/, arch/ regenerated in English

Still to come:
- demo-epb filled Word docs (PID, plans, safety, manuals, audit artefacts)
- Code comments + test names + CI workflow step names
- README + dev-process repo templates
2026-05-12 03:28:54 -07:00
Stefan Lohmaier 542a358abc feat(reports): Cppcheck HTML report via cppcheck-htmlreport, clickable
Validate / build-test (macos-latest) (push) Failing after 6s
Validate / build-test (windows-latest) (push) Failing after 14s
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Validate / reports (push) Successful in 51s
2026-05-12 03:08:16 -07:00
Stefan Lohmaier 1d7cf53881 fix(landing-page): bundle-relative paths for reports, cppcheck step before landing-page
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (ubuntu-latest) (push) Successful in 19s
Validate / build-test (windows-latest) (push) Failing after 22s
Validate / reports (push) Successful in 50s
2026-05-12 02:54:44 -07:00
Stefan Lohmaier f2fb430505 ci: reports job in parallel instead of needs (matrix continue-on-err does not propagate)
Validate / build-test (macos-latest) (push) Failing after 1s
Validate / build-test (windows-latest) (push) Failing after 14s
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Validate / reports (push) Successful in 50s
2026-05-12 02:35:28 -07:00
Stefan Lohmaier df6e605710 ci: make verify toolchain step lenient, set +e + diagnostics
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (windows-latest) (push) Failing after 14s
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Validate / reports (push) Has been skipped
2026-05-12 02:31:25 -07:00
Stefan Lohmaier 76c90a1057 ci: trigger fresh build
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Validate / reports (push) Has been skipped
2026-05-12 02:28:37 -07:00
Stefan Lohmaier a62acba80b feat: live dashboard at gitea.slohmaier.com/pages/demo-epb/
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / reports (push) Has been skipped
Setup:
- nginx vhost gitea.slohmaier.com now has location /pages/
  for static files from /var/www/pages/
- act_runner config.yaml with -v /var/www/pages:/var/www/pages
  volume mount so jobs can write from inside the container
- /var/www/pages/demo-epb/ writable for the gitea-runner user

CI deploy:
- validate.yml: on push to main the build is deployed to
  /var/www/pages/demo-epb/
- release.yml: on tag push the whole release bundle is deployed

Live at https://gitea.slohmaier.com/pages/demo-epb/
2026-05-12 02:22:13 -07:00
Stefan Lohmaier bd744162c5 fix(landing-page): plan links to docs/plaene/ (matches bundle structure)
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (ubuntu-latest) (push) Failing after 16s
Validate / build-test (windows-latest) (push) Failing after 32s
Validate / reports (push) Has been skipped
Release / release (push) Successful in 50s
2026-05-12 02:07:03 -07:00
Stefan Lohmaier 294b9956f9 feat: Project Manual + CM/RM plan + landing page
Validate / build-test (macos-latest) (push) Failing after 2s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Validate / reports (push) Has been skipped
Release / release (push) Successful in 57s
3 new plans:
- Project Manual: master guide for new project members,
  reading order, roles, lifecycle, document landscape
- Configuration Management Plan: CIs, baselines, change control,
  release process, retention periods (ASPICE SUP.8)
- Risk Management Plan: project risks (delimited from HARA),
  classification scale, risk register, escalation path

Landing page (start page):
- tools/generate_landing_page.py generates build/index.html
- Standalone HTML, opens in the browser without a server
- KPI cards: SG/SYS/SWE/Arch/components/tests counts
- Sections with links: plans, safety, manuals, audit, reports,
  diagrams, source code, external links
- Existence check: reports that were not generated are marked grey
- At the very top of the release bundle as index.html

CI integration:
- validate.yml: new step "Landing-Page" + upload as artefact
- release.yml: generate landing page + build it into the bundle,
  additionally source code in the bundle (previously only as tar.gz)

Makefile: new target `make landing-page`
2026-05-12 01:59:44 -07:00
Stefan Lohmaier c610cc023c feat: safety goals + drive-away assist + complete traceability
Validate / build-test (macos-latest) (push) Failing after 4s
Validate / build-test (windows-latest) (push) Failing after 17s
Validate / build-test (ubuntu-latest) (push) Successful in 16s
Validate / reports (push) Has been skipped
Release / release (push) Successful in 48s
New layer:
- safety/sg/SG-001..005 as separate Doorstop items (ASIL D/D/A/C/B)
- SYS reqs link upward to SG via frontmatter
- Chain is now: SG -> SYS -> SA, SWE -> SWA -> Code (@arch) + Test (@reqs)

Drive-away assist in the Safety Manager:
- SWE-011 (detect drive-away intent) implemented
- SWE-012 (safety check door + seatbelt) implemented
- New state SAFETY_DRIVE_AWAY + safety_mgr_release_requested()
- SafetyInputs extended with gas_pedal_percent, gear_in_drive,
  door_closed, seatbelt_fastened
- 5 new tests (DRIVE_AWAY armed/blocked/end-conditions)
- Test header @reqs extended to SWE-007..012

traceability.py extended:
- SG as new top level
- Code-mapping check: @arch in the header of src/*.c must match the SWA id
- Test-mapping check: @reqs in the header of the tests must cover all SWE of the
  associated SWA
- HTML shows 7 columns: SG | SYS | SA | SWE | SWA | Code | Test
- 2 additional tables: Code->Arch and Test->Reqs

test_apply_controller.c:
- @reqs header extended with SWE-005 (was functionally included, only the tag was missing)

Counts:
- 55 Doorstop items (was 50)
- 46 unit tests (was 41)
- Traceability complete in both directions
2026-05-12 01:50:12 -07:00
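As an added illustration of the two header checks the commit message above describes (the code-mapping and test-mapping checks), here is a stand-alone Python version that is not the project's traceability.py; it runs over constructed sample files embedded inline, and the pairing of `tests/unit/test_<name>.c` with `src/<name>.c` and the exact frontmatter layout are assumptions.

```python
import re

# Constructed sample inputs (not the project's real files): a source header, a
# test header that misses one requirement, and one Doorstop-style architecture
# item whose frontmatter 'links:' name the SWE requirements it realises.
SRC_FILES = {
    "src/apply_controller.c": """/**
 * @file apply_controller.c
 * @arch SWA-002
 * @reqs SWE-001 SWE-002 SWE-003 SWE-004 SWE-005
 *
 * ASIL: D.
 */
""",
}
TEST_FILES = {
    "tests/unit/test_apply_controller.c": """/**
 * @file test_apply_controller.c
 * @reqs SWE-001 SWE-002 SWE-003 SWE-004
 */
""",
}
ARCH_ITEMS = {
    "arch/swe/SWA-002.md": """---
id: SWA-002
links:
  - SWE-001
  - SWE-002
  - SWE-003
  - SWE-004
  - SWE-005
---
# Apply Controller
""",
}

# One '@arch ...' or '@reqs ...' line inside a C block comment.
TAG_RE = re.compile(r"^[ \t]*\*[ \t]*@(arch|reqs)[ \t]+(.+?)[ \t]*$", re.MULTILINE)


def parse_tags(text):
    """Return {'arch': [...], 'reqs': [...]} read from a C file's header comment."""
    tags = {"arch": [], "reqs": []}
    for name, value in TAG_RE.findall(text):
        tags[name].extend(value.split())
    return tags


def parse_item(markdown):
    """Return (item id, set of linked ids) from Doorstop-style YAML frontmatter."""
    frontmatter = markdown.split("---", 2)[1]
    item_id = re.search(r"^id:[ \t]*(\S+)", frontmatter, re.MULTILINE).group(1)
    links = set(re.findall(r"^[ \t]*-[ \t]*(\S+)", frontmatter, re.MULTILINE))
    return item_id, links


def check_mapping(src_files, test_files, arch_items):
    """Code-mapping and test-mapping checks; returns a sorted list of findings.

    Assumption: tests/unit/test_<name>.c exercises src/<name>.c, so the test
    inherits the SWA that the source file names in its @arch tag.
    """
    swa_links = dict(parse_item(md) for md in arch_items.values())
    src_arch = {}
    findings = []
    for path, text in src_files.items():
        arch = parse_tags(text)["arch"]
        if len(arch) != 1:
            findings.append(f"{path}: expected exactly one @arch tag, found {len(arch)}")
            continue
        if arch[0] not in swa_links:
            findings.append(f"{path}: @arch {arch[0]} matches no SWA item")
            continue
        src_arch[path.rsplit("/", 1)[-1]] = arch[0]
    for path, text in test_files.items():
        name = path.rsplit("/", 1)[-1]
        src_name = name[len("test_"):] if name.startswith("test_") else name
        swa = src_arch.get(src_name)
        if swa is None:
            findings.append(f"{path}: no mapped source file for {src_name}")
            continue
        # Every SWE the SWA realises must appear in the test's @reqs tag.
        missing = swa_links[swa] - set(parse_tags(text)["reqs"])
        for swe in sorted(missing):
            findings.append(f"{path}: @reqs lacks {swe}, which {swa} realises")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_mapping(SRC_FILES, TEST_FILES, ARCH_ITEMS):
        print(line)
```

With the sample input the check reports exactly the gap the commit closed: the test header lacks SWE-005 although SWA-002 realises it.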
Stefan Lohmaier 17910835ad docs: README with complete tour through safety + manuals + reports
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (windows-latest) (push) Failing after 17s
Validate / build-test (ubuntu-latest) (push) Failing after 15s
Validate / reports (push) Has been skipped
2026-05-12 00:56:24 -07:00
115 changed files with 3676 additions and 2125 deletions
+60 -32
@@ -25,28 +25,39 @@ jobs:
- name: Tag from ref - name: Tag from ref
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- name: Build + Tests + Coverage + Test-Report - name: Build + tests + coverage + Test-Report
run: | run: |
make test make test
make coverage make coverage
make test-report make test-report
- name: Traceability + Diagramme + API-Doc - name: Traceability + diagrams + API doc
run: | run: |
python3 tools/traceability.py publish docs/traceability python3 tools/traceability.py publish docs/traceability
python3 tools/render_plantuml.py python3 tools/render_plantuml.py
make docs make docs
- name: Cppcheck-Report (XML) - name: Cppcheck Report (XML + HTML)
run: | run: |
mkdir -p build mkdir -p build
cppcheck --enable=all --inconclusive --xml --xml-version=2 \ cppcheck --enable=all --inconclusive --xml --xml-version=2 \
-I src src 2> build/cppcheck-report.xml || true -I src src 2> build/cppcheck-report.xml || true
cppcheck-htmlreport \
--file=build/cppcheck-report.xml \
--report-dir=build/cppcheck-html \
--source-dir=. \
--title="demo-epb Cppcheck Report" || echo "htmlreport skipped"
- name: Release-Bundle paketieren - name: Landing page
run: make landing-page
- name: Package release bundle
run: | run: |
BUNDLE="release/demo-epb-${TAG}" BUNDLE="release/demo-epb-${TAG}"
mkdir -p "$BUNDLE"/{coverage,traceability,diagrams,api-doc,reports,docs} mkdir -p "$BUNDLE"/{coverage,traceability,diagrams,api-doc,reports/cppcheck,docs,src,tests}
# Landing page in the bundle root
cp build/index.html "$BUNDLE/index.html"
# CI-generierte Artefakte # CI-generierte Artefakte
cp -r build/coverage-html/* "$BUNDLE/coverage/" 2>/dev/null || true cp -r build/coverage-html/* "$BUNDLE/coverage/" 2>/dev/null || true
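Review bot: the `cppcheck-htmlreport ... || echo "htmlreport skipped"` fallback in the Cppcheck step means a missing or failing HTML report never fails the release job, and the later `cp -r build/cppcheck-html/* "$BUNDLE/reports/cppcheck/" 2>/dev/null || true` in the packaging step hides it a second time, so a tagged release bundle can ship without the report it advertises. Since this workflow produces the audited bundle, drop the `|| echo` here so the step fails visibly, or at least name the step "(optional)" if the HTML report really is best-effort.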
@@ -54,18 +65,23 @@ jobs:
cp -r docs/diagrams/* "$BUNDLE/diagrams/" cp -r docs/diagrams/* "$BUNDLE/diagrams/"
cp -r build/api-doc/html/* "$BUNDLE/api-doc/" 2>/dev/null || true cp -r build/api-doc/html/* "$BUNDLE/api-doc/" 2>/dev/null || true
cp build/cppcheck-report.xml "$BUNDLE/reports/" 2>/dev/null || true cp build/cppcheck-report.xml "$BUNDLE/reports/" 2>/dev/null || true
cp -r build/cppcheck-html/* "$BUNDLE/reports/cppcheck/" 2>/dev/null || true
cp build/test-report.html "$BUNDLE/reports/" 2>/dev/null || true cp build/test-report.html "$BUNDLE/reports/" 2>/dev/null || true
cp build/test-report.md "$BUNDLE/reports/" 2>/dev/null || true cp build/test-report.md "$BUNDLE/reports/" 2>/dev/null || true
# Alle Word-Dokumente (Plaene, Safety, Manuals, Audit-Artefakte) # Source-Code zum Anklicken aus dem Bundle (begrenzt auf das wichtigste)
cp -r src/*.c src/*.h "$BUNDLE/src/" 2>/dev/null || true
cp -r src/stubs "$BUNDLE/src/" 2>/dev/null || true
# All Word documents (plans, safety, manuals, audit artefacts)
mkdir -p "$BUNDLE/docs/plaene" "$BUNDLE/docs/safety" "$BUNDLE/docs/manuals" \ mkdir -p "$BUNDLE/docs/plaene" "$BUNDLE/docs/safety" "$BUNDLE/docs/manuals" \
"$BUNDLE/docs/reviews" "$BUNDLE/docs/non-conformities" "$BUNDLE/docs/misra" "$BUNDLE/docs/reviews" "$BUNDLE/docs/non-conformities" "$BUNDLE/misra/records"
cp docs/*.docx "$BUNDLE/docs/plaene/" 2>/dev/null || true cp -r docs/plaene/* "$BUNDLE/docs/plaene/" 2>/dev/null || true
cp -r docs/safety/* "$BUNDLE/docs/safety/" 2>/dev/null || true cp -r docs/safety/* "$BUNDLE/docs/safety/" 2>/dev/null || true
cp -r docs/manuals/* "$BUNDLE/docs/manuals/" 2>/dev/null || true cp -r docs/manuals/* "$BUNDLE/docs/manuals/" 2>/dev/null || true
cp -r docs/reviews/* "$BUNDLE/docs/reviews/" 2>/dev/null || true cp -r docs/reviews/* "$BUNDLE/docs/reviews/" 2>/dev/null || true
cp -r docs/non-conformities/* "$BUNDLE/docs/non-conformities/" 2>/dev/null || true cp -r docs/non-conformities/* "$BUNDLE/docs/non-conformities/" 2>/dev/null || true
cp -r misra/records/* "$BUNDLE/docs/misra/" 2>/dev/null || true cp -r misra/records/* "$BUNDLE/misra/records/" 2>/dev/null || true
# Source archive # Source archive
git archive --format=tar.gz \ git archive --format=tar.gz \
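Review bot: the MISRA deviation records now move from `docs/misra/` to `misra/records/` in the bundle (`"$BUNDLE/misra/records"` in the `mkdir -p` and the matching `cp -r misra/records/*` line), but every `cp` in this block still ends in `2>/dev/null || true`, so a typo in any of these paths yields an empty directory instead of a failed job. Suggest keeping `|| true` only for the genuinely optional CI outputs (coverage, api-doc) and letting the curated Word documents and the `src/*.c src/*.h` copies fail hard, since those are the artefacts the release notes promise to an auditor.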
@@ -77,55 +93,55 @@ jobs:
ls -la release/ ls -la release/
- name: Release-Notes generieren - name: Generate release notes
run: | run: |
cat > release/RELEASE_NOTES.md <<EOF cat > release/RELEASE_NOTES.md <<EOF
# demo-epb ${TAG} # demo-epb ${TAG}
Vollstaendige Demo des slohmaier Dev Process anhand einer Complete demo of the slohmaier Dev Process anhand einer
EPB-Steuergeraet-Software. EPB-Steuergeraet-Software.
## Release-Bundle Inhalt ## Release bundle contents
| Asset | Inhalt | | Asset | Content |
|-------|--------| |-------|--------|
| \`demo-epb-${TAG}-source.tar.gz\` | Vollstaendiger Quellcode (git archive) | | \`demo-epb-${TAG}-source.tar.gz\` | Full source code (git archive) |
| \`demo-epb-${TAG}-artifacts.tar.gz\` | Alle generierten und kuratierten Dokumente | | \`demo-epb-${TAG}-artifacts.tar.gz\` | All generated and curated documents |
### Im Artefakt-Bundle enthalten ### Im Artefakt-Bundle enthalten
**Engineering (CI-generiert):** **Engineering (CI-generated):**
- \`coverage/\` — gcov/lcov HTML-Coverage-Report - \`coverage/\` — gcov/lcov HTML coverage report
- \`traceability/\` — Bidirektionale Traceability-Matrix als HTML + JSON - \`traceability/\` — Bidirectional traceability matrix as HTML + JSON
- \`diagrams/\` — PlantUML-Architektur-Diagramme als SVG - \`diagrams/\` — PlantUML architecture diagrams as SVG
- \`api-doc/\` — Doxygen-generierte API-Dokumentation - \`api-doc/\` — Doxygen-generated API documentation
- \`reports/cppcheck-report.xml\` — Statische Analyse + MISRA - \`reports/cppcheck-report.xml\` — Static analysis + MISRA
- \`reports/test-report.html\` — Test-Summary mit Anforderungs-Mapping - \`reports/test-report.html\` — Test summary with requirement mapping
**Dokumente (Word, kuratiert):** **Documents (Word, curated):**
- \`docs/plaene/\` — PID, PM-/QA-/SWE-/Test-Plan - \`docs/plaene/\` — PID, PM-/QA-/SWE-/Test-Plan
- \`docs/safety/\` — HARA, Safety Case, FMEDA, MISRA-Compliance, Verification-Report, Tool-Qualification - \`docs/safety/\` — HARA, Safety Case, FMEDA, MISRA-Compliance, Verification-Report, Tool-Qualification
- \`docs/manuals/\` — User-Manual + Service-Manual - \`docs/manuals/\` — User-Manual + Service-Manual
- \`docs/reviews/\` — Review-Protokoll(e) - \`docs/reviews/\` — Review-Protokoll(e)
- \`docs/non-conformities/\` — Non-Conformity-Eintraege - \`docs/non-conformities/\` — Non-conformity entries
- \`docs/misra/\` — MISRA Deviation Records - \`docs/misra/\` — MISRA Deviation Records
## Build-Beweis ## Build evidence
- Alle 41 Unit-Tests gruen (Linux-Runner verbindlich) - All 46 unit tests green (Linux runner required)
- Coverage gemessen mit gcov/lcov - Coverage measured with gcov/lcov
- Statische Analyse mit Cppcheck (0 Findings) - Statische Analyse mit Cppcheck (0 Findings)
- MISRA-C:2012 Compliance bestaetigt (1 Advisory Deviation) - MISRA C:2012 compliance confirmed (1 Advisory deviation)
- Traceability bidirektional verifiziert (50 Items) - Traceability verified bidirectionally (50 Items)
## Referenzen ## Referenzen
- Methodik: https://gitea.slohmaier.com/slohmaier/dev-process - Methodology: https://gitea.slohmaier.com/slohmaier/dev-process
- Commit: ${{ github.sha }} - Commit: ${{ github.sha }}
- Built: $(date -u +%Y-%m-%dT%H:%M:%SZ) - Built: $(date -u +%Y-%m-%dT%H:%M:%SZ)
EOF EOF
- name: Gitea-Release anlegen + Artefakte hochladen - name: Create Gitea release + upload assets
env: env:
GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
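Review bot: the release notes heredoc is partly untranslated and partly stale: `Complete demo of the slohmaier Dev Process anhand einer EPB-Steuergeraet-Software.`, `### Im Artefakt-Bundle enthalten`, `Statische Analyse mit Cppcheck (0 Findings)` and `## Referenzen` are still German; `docs/misra/` no longer matches the `misra/records/` path the packaging step creates; the new `reports/cppcheck/` HTML and `src/` directories are not listed; and `(50 Items)` contradicts the 55 Doorstop items the traceability commit reports. The deeper problem is that the build-evidence figures (46 tests, 0 findings, 50 items) are hard-coded strings, so they will silently drift from what CI actually measured; suggest deriving them at packaging time from `build/test-report.md` and the traceability JSON that the bundle already contains.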
@@ -157,7 +173,19 @@ jobs:
echo "Release verfuegbar unter ${GITHUB_SERVER_URL}/${OWNER}/${REPO}/releases/tag/${TAG}" echo "Release verfuegbar unter ${GITHUB_SERVER_URL}/${OWNER}/${REPO}/releases/tag/${TAG}"
- name: Upload artifacts (Backup als CI-Artefakt) - name: Deploy to gitea.slohmaier.com/pages/demo-epb/
run: |
DEPLOY=/var/www/pages/demo-epb
if [ ! -d "$DEPLOY" ]; then
echo "Mount $DEPLOY nicht da — Runner-Config pruefen. Skip."
exit 0
fi
BUNDLE="release/demo-epb-${TAG}"
rm -rf "$DEPLOY"/*
cp -r "$BUNDLE"/. "$DEPLOY/"
echo "https://gitea.slohmaier.com/pages/demo-epb/ updated to ${TAG}"
- name: Upload artifacts (backup as CI artifact)
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
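Review bot: the new Deploy step runs `rm -rf "$DEPLOY"/*` before `cp -r "$BUNDLE"/. "$DEPLOY/"`, so the public site is empty between the two commands and stays empty if the copy fails; staging into a sibling directory and renaming, or `rsync -a --delete`, would make the swap atomic. The missing-mount branch still prints a German message (`Mount $DEPLOY nicht da — Runner-Config pruefen. Skip.`, unlike the translated equivalent in validate.yml) and then does `exit 0`, which turns a runner misconfiguration into a green release; at minimum mark that path as a warning rather than a success.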
+63 -21
@@ -7,7 +7,7 @@ on:
branches: [main, develop] branches: [main, develop]
jobs: jobs:
# Build + Tests auf allen 3 OS — Linux verbindlich, Mac/Win continue-on-error # Build + tests on all 3 OS — Linux required, Mac/Win continue-on-error
build-test: build-test:
strategy: strategy:
fail-fast: false fail-fast: false
@@ -31,27 +31,30 @@ jobs:
- name: Verify toolchain - name: Verify toolchain
shell: bash shell: bash
run: | run: |
which gcc && gcc --version | head -1 set +e
which make && make --version | head -1 echo "PATH=$PATH"
which cppcheck && cppcheck --version | head -1 gcc --version 2>&1 | head -1 || echo " (no gcc)"
make --version 2>&1 | head -1 || echo " (no make)"
cppcheck --version 2>&1 | head -1 || echo " (no cppcheck)"
echo "done"
- name: Static Analysis (Cppcheck) - name: Static analysis (Cppcheck)
shell: bash shell: bash
run: make static run: make static
- name: MISRA Check - name: MISRA check
shell: bash shell: bash
run: | run: |
make misra || echo "MISRA findings present (Demo non-failing)" make misra || echo "MISRA findings present (demo non-failing)"
- name: Build + Unit Tests - name: Build + unit tests
shell: bash shell: bash
run: make test run: make test
# Coverage, Traceability, Diagrams, API-Doc, Test-Report — alle auf Linux # Coverage, traceability, diagrams, API doc, test report — all on Linux,
# parallel to build-test (matrix continue-on-error is not propagated through needs)
reports: reports:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-test
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
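Review bot: removing `needs: build-test` from the `reports` job (the new comment says `matrix continue-on-error is not propagated through needs`) decouples the Linux build-test leg, which the header comment calls required, from everything downstream: `reports` now runs, uploads artefacts and (further down in this file) deploys to the public pages directory even when `make static` or `make misra` failed in build-test. If the only problem is the macOS/Windows legs, keep `needs:` and let the matrix report success for the non-required OSes, or move the static-analysis and MISRA steps into `reports` so the gate is not lost. The `set +e` verify-toolchain step is useful as diagnostics but no longer verifies anything; renaming it would stop it from reading as a gate.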
@@ -64,31 +67,40 @@ jobs:
python3 python3-pip ca-certificates \ python3 python3-pip ca-certificates \
doxygen graphviz doxygen graphviz
- name: Build + Tests + Coverage - name: Build + tests + coverage
run: | run: |
make test make test
make coverage make coverage
- name: Test-Summary-Report - name: Test summary report
run: make test-report run: make test-report
- name: Traceability Check - name: Traceability check
run: python3 tools/traceability.py check run: python3 tools/traceability.py check
- name: Traceability Matrix publishen - name: Publish Traceability Matrix
run: python3 tools/traceability.py publish docs/traceability run: python3 tools/traceability.py publish docs/traceability
- name: PlantUML Diagramme rendern - name: Render PlantUML diagrams
run: python3 tools/render_plantuml.py run: python3 tools/render_plantuml.py
- name: Doxygen API-Dokumentation - name: Doxygen API documentation
run: make docs run: make docs
- name: Cppcheck-Report (XML) - name: Cppcheck Report (XML + HTML)
run: | run: |
mkdir -p build mkdir -p build
cppcheck --enable=all --inconclusive --xml --xml-version=2 \ cppcheck --enable=all --inconclusive --xml --xml-version=2 \
-I src src 2> build/cppcheck-report.xml || true -I src src 2> build/cppcheck-report.xml || true
# cppcheck-htmlreport is part of the cppcheck package
cppcheck-htmlreport \
--file=build/cppcheck-report.xml \
--report-dir=build/cppcheck-html \
--source-dir=. \
--title="demo-epb Cppcheck Report" || echo "htmlreport skipped"
- name: Landing page
run: make landing-page
- name: Upload Coverage HTML - name: Upload Coverage HTML
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
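Review bot: `cppcheck ... || true` followed by `cppcheck-htmlreport ... || echo "htmlreport skipped"` leaves this step with no failure path, and the Landing page step that follows simply renders whatever ended up in `build/`. Cppcheck exits 0 on findings unless `--error-exitcode` is passed, so the `|| true` gains nothing except hiding a crash or a bad argument; drop it, and if the HTML report is meant to be optional, say so in the step name rather than via a swallowed error.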
@@ -97,7 +109,7 @@ jobs:
name: coverage-html name: coverage-html
path: build/coverage-html/ path: build/coverage-html/
- name: Upload Test-Report - name: Upload Test Report
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
@@ -114,23 +126,53 @@ jobs:
name: traceability name: traceability
path: docs/traceability/ path: docs/traceability/
- name: Upload Architektur-Diagramme - name: Upload Architecture Diagrams
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
name: architecture-diagrams name: architecture-diagrams
path: docs/diagrams/ path: docs/diagrams/
- name: Upload Doxygen API-Doc - name: Upload Doxygen API Doc
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
name: api-doc name: api-doc
path: build/api-doc/html/ path: build/api-doc/html/
- name: Upload Cppcheck-Report - name: Upload Landing Page
uses: actions/upload-artifact@v3
if: always()
with:
name: landing-page
path: build/index.html
- name: Upload Cppcheck Report
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always() if: always()
with: with:
name: cppcheck-report name: cppcheck-report
path: build/cppcheck-report.xml path: build/cppcheck-report.xml
- name: Deploy to gitea.slohmaier.com/pages/demo-epb/
if: success() && github.ref == 'refs/heads/main'
run: |
DEPLOY=/var/www/pages/demo-epb
if [ ! -d "$DEPLOY" ]; then
echo "Mount $DEPLOY not present — check runner config. Skipping."
exit 0
fi
mkdir -p "$DEPLOY"/{docs,coverage,traceability,diagrams,api-doc,reports/cppcheck,src,misra/records}
cp build/index.html "$DEPLOY/index.html"
cp -r docs/plaene docs/safety docs/manuals docs/reviews docs/non-conformities "$DEPLOY/docs/"
cp -r build/coverage-html/. "$DEPLOY/coverage/" 2>/dev/null || true
cp -r docs/traceability/. "$DEPLOY/traceability/"
cp -r docs/diagrams/. "$DEPLOY/diagrams/"
cp -r build/api-doc/html/. "$DEPLOY/api-doc/" 2>/dev/null || true
cp build/test-report.html build/test-report.md "$DEPLOY/reports/" 2>/dev/null || true
cp build/cppcheck-report.xml "$DEPLOY/reports/" 2>/dev/null || true
cp -r build/cppcheck-html/. "$DEPLOY/reports/cppcheck/" 2>/dev/null || true
cp src/*.c src/*.h "$DEPLOY/src/"
cp -r src/stubs "$DEPLOY/src/" 2>/dev/null || true
cp -r misra/records/. "$DEPLOY/misra/records/" 2>/dev/null || true
echo "https://gitea.slohmaier.com/pages/demo-epb/ updated"
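Review bot: this deploy step copies into `$DEPLOY` without clearing it, while the release workflow's deploy does `rm -rf "$DEPLOY"/*` first, so the two paths have different semantics: files renamed or removed on `main` linger on the live site until the next tag. Both steps also carry their own hand-maintained copy lists; one shared script that both workflows call (a hypothetical `tools/deploy_pages.sh`, for example) would keep them aligned. Note too that `if: success() && github.ref == 'refs/heads/main'` only reflects this job's own steps now that `needs: build-test` is gone, so a red build-test matrix no longer blocks publication.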
+6 -3
@@ -1,5 +1,5 @@
# Makefile fuer demo-epb. Bewusst klein gehalten, damit der Demo # Makefile for demo-epb. Intentionally small so the demo
# ohne externe Build-Tools (CMake, SCons) auf jedem POSIX-System baut. # builds on any POSIX system without external build tools (CMake, SCons).
CC ?= cc CC ?= cc
CFLAGS ?= -std=c99 -Wall -Wextra -Werror -Wpedantic \ CFLAGS ?= -std=c99 -Wall -Wextra -Werror -Wpedantic \
@@ -21,10 +21,13 @@ TESTS = test_switch_debouncer test_actuator_driver test_apply_controller \
test_safety_manager test_safety_manager
TEST_BINS = $(TESTS:%=$(BUILD)/%) TEST_BINS = $(TESTS:%=$(BUILD)/%)
.PHONY: all test coverage clean misra static docs test-report .PHONY: all test coverage clean misra static docs test-report landing-page
all: $(TEST_BINS) all: $(TEST_BINS)
landing-page:
python3 tools/generate_landing_page.py
docs: docs:
@which doxygen >/dev/null 2>&1 || { echo "doxygen not installed (brew/apt install doxygen)"; exit 1; } @which doxygen >/dev/null 2>&1 || { echo "doxygen not installed (brew/apt install doxygen)"; exit 1; }
doxygen Doxyfile doxygen Doxyfile
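Review bot: the new `landing-page` target calls `python3 tools/generate_landing_page.py` with no prerequisite check, whereas the neighbouring `docs` target guards on `which doxygen` and prints an install hint; adding the same `@which python3 >/dev/null 2>&1 || { echo "..."; exit 1; }` guard gives a consistent error on machines without python3 instead of a bare shell failure.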
+128 -94
@@ -1,144 +1,178 @@
# demo-epb — Elektrische Parkbremse # demo-epb — Electric Parking Brake
Vollstaendige Demo des [slohmaier Dev Process](https://gitea.slohmaier.com/slohmaier/dev-process) anhand einer EPB-Steuergeraet-Software. Zeigt ASPICE 4.0 / ISO 26262-konforme Entwicklung in einem Monorepo: Anforderungen, Architektur, Code, Tests, Reviews, MISRA — alles auf einen Pull-Request-Klick verifizierbar. Complete demonstration of the [slohmaier Dev Process](https://gitea.slohmaier.com/slohmaier/dev-process) using an EPB ECU software. Shows ASPICE 4.0 / ISO 26262-compliant development in a monorepo: requirements, architecture, code, tests, reviews, MISRA, safety case, manuals — all verifiable in a single pull-request click, all in a single release bundle.
> Diese Software ist **bewusst kein Produktivcode** — sie ist die Demonstration des Engineering-Verfahrens. Code-Umfang absichtlich klein, Prozess-Tiefe vollstaendig. > **🌐 Live dashboard:** https://gitea.slohmaier.com/pages/demo-epb/
> Auto-refreshed on every push to `main` and every release tag.
## Was die Demo zeigt > This software is **intentionally not production code** — it is a demonstration of the engineering method. Code volume kept small on purpose; process depth complete.
| Artefakt-Typ | Anzahl | Pfad | ## What the demo shows
|---------------------|--------|---------------------|
| Plaene (Word) | 5 | `docs/*.docx` |
| Audit-Artefakte (Word) | 3 | `docs/reviews/`, `docs/non-conformities/`, `misra/records/` |
| System-Anforderungen| 10 | `reqs/sys/` |
| Software-Anforderungen | 25 | `reqs/swe/` |
| System-Architektur | 5 | `arch/sys/` |
| Software-Architektur| 10 | `arch/swe/` |
| Implementierte Komponenten | 3 (1×ASIL-D, 1×ASIL-B, 1×QM) | `src/` |
| Stub-Komponenten | 7 | `src/stubs/` |
| Unit-Tests | 28 | `tests/unit/` |
| CI-Pipeline | 1 | `.gitea/workflows/` |
## Quick Start | Category | Content |
|----------|---------|
| **Plans** (Word) | 8 (Project Manual, PID, PM, QA, SWE, Test, CM, RM) |
| **Safety docs** (Word) | 6 (HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification) |
| **Manuals** (Word) | 2 (User Manual, Service Manual) |
| **Audit artefacts** (Word) | 3 (Review minutes, Non-Conformity, MISRA Deviation Record) |
| **Safety Goals** | 5 in `safety/sg/` |
| **System Requirements** | 10 in `reqs/sys/` (Markdown + Doorstop style) |
| **Software Requirements** | 25 in `reqs/swe/` |
| **System Architecture** | 5 in `arch/sys/` with PlantUML |
| **Software Architecture** | 10 in `arch/swe/` with PlantUML |
| **Implemented C components** | 4 (Apply Ctrl D, Safety Mgr D, Actuator Drv B, Switch Db QM) |
| **Stub components** | 6 more (header only) |
| **Unit tests** | 46, all green |
| **CI workflows** | 2 (validate + release) |
| **CI artefacts** | Coverage HTML, Traceability Matrix, Diagrams SVG, Doxygen, Test Report, Cppcheck HTML+XML |
| **Cross-platform runners** | Linux + macOS + Windows |
## Quick start
```bash ```bash
git clone https://gitea.slohmaier.com/slohmaier/demo-epb.git git clone https://gitea.slohmaier.com/slohmaier/demo-epb.git
cd demo-epb cd demo-epb
# Build + Tests # Tests
make test make test # 46 tests, all green
# Mit Coverage (benoetigt lcov) # With coverage (needs lcov)
make coverage make coverage
open build/coverage-html/index.html open build/coverage-html/index.html
# Statische Analyse + MISRA (benoetigt cppcheck) # Test summary report (HTML)
make test-report
open build/test-report.html
# Static analysis + MISRA (needs cppcheck)
make static make static
make misra make misra
# API doc (needs doxygen)
make docs
open build/api-doc/html/index.html
# Traceability matrix (HTML)
python3 tools/traceability.py publish docs/traceability
open docs/traceability/index.html
# PlantUML diagrams (SVG)
python3 tools/render_plantuml.py
``` ```
## Gefuehrte Tour (~30 min) ## Guided tour (~30 min)
### 1. Projektplanung ### 1. Project planning (Word)
Start in `docs/`: `docs/plaene/`:
- **PID.docx** — Was wird gebaut und warum - **Project-Manual.docx** — Navigation guide, reading order, roles
- **SWE-Plan.docx** — Wie wird gebaut: Sprache, Standards, Branching, Review-Regeln, Coverage-Ziele pro ASIL - **PID.docx** — What is built and why
- **QA-Plan.docx** — Qualitaetsmassnahmen, Reviews, NC-Management - **SWE-Plan.docx** — Language, standards, branching, reviews, coverage targets
- **PM-Plan.docx**, **Test-Plan.docx** — Arbeitspakete + Teststrategie - **QA-Plan.docx** — Quality measures, reviews, NC management
- **PM-Plan.docx, Test-Plan.docx, CM-Plan.docx, RM-Plan.docx**
### 2. Sicherheits-Logik (das ASIL-D Stueck) ### 2. Functional safety (Word — `docs/safety/`)
`reqs/sys/SYS-001.md``arch/swe/SWA-002.md``src/apply_controller.c``tests/unit/test_apply_controller.c` - **HARA.docx** — Hazard Analysis & Risk Assessment. Derives **ASIL-D**.
- **Safety-Case.docx** — GSN-style argument that safety goals are met
- **FMEDA.docx** — Per-component failure modes with diagnostic coverage
- **Tool-Qualification-Cppcheck.docx** — Tool qual for Cppcheck (TI2/TD2/TCL2)
- **MISRA-Compliance-Statement.docx** — Formal compliance evidence
- **Verification-Report.docx** — V-model right side summary
Das ist die Traceability-Kette: System-Sicherheitsziel → Software-Architektur → Code → Test. ### 3. Manuals (Word — `docs/manuals/`)
- **User-Manual.docx** — Driver manual (apply, release, hill-hold, LED codes)
- **Service-Manual.docx** — Workshop doc with UDS DTCs, service mode, sensor checks
### 3. Anforderungen + Architektur (Doorstop in Markdown) ### 4. Safety logic (the ASIL-D piece)
- `reqs/sys/` und `reqs/swe/` — alle Anforderungen mit Mapping Traceability chain:
- `arch/sys/` und `arch/swe/` — Architektur mit Mapping per `links:` im Frontmatter ```
- Eingebettete PlantUML-Diagramme rendern direkt in Gitea safety/sg/SG-001.md → reqs/sys/SYS-001.md → arch/swe/SWA-002.md → src/apply_controller.c → tests/unit/test_apply_controller.c
```
### 4. Code mit Mapping-Tags ### 5. Requirements + architecture (Doorstop in Markdown)
Jede `.c`-Datei traegt `@arch`, `@reqs` im Header: - `safety/sg/`, `reqs/sys/` + `reqs/swe/` — requirements with mapping
- `arch/sys/` + `arch/swe/` — architecture with mapping via `links:` in frontmatter
- Embedded PlantUML diagrams render in Gitea (UI) and as SVG in the release bundle
### 6. Code with mapping tags
Every `.c` file carries `@arch`, `@reqs`, `@asil` in the header:
```c ```c
/** /**
* @file apply_controller.c * @file apply_controller.c
* @arch SWA-002 * @arch SWA-002
* @reqs SWE-001 SWE-002 SWE-003 SWE-004 * @reqs SWE-001 SWE-002 SWE-003 SWE-004 SWE-005
* *
* ASIL: D. * ASIL: D.
*/ */
``` ```
So ist Code -> Architektur -> Anforderung auf einen `grep` durchsuchbar. ### 7. Tests with requirement tags
`tests/unit/test_*.c` references requirements via `@reqs`. The test report (`build/test-report.html`) makes the mapping clickable.
### 5. Tests mit Anforderungs-Tags ### 8. Audit artefacts
`tests/unit/test_apply_controller.c` referenziert die Requirements per `@reqs`. CI mit Coverage-Report belegt, dass jede Anforderung getestet ist. - `docs/reviews/REV-001.docx` — Review minutes for the ASIL-D component
- `docs/non-conformities/NC-001.docx` — NC with corrective action
- `misra/records/MISRA-REC-001.docx` — MISRA advisory deviation
### 6. Audit-Artefakte ### 9. CI pipeline (`.gitea/workflows/validate.yml`)
- `docs/reviews/REV-001.docx` — Review-Protokoll fuer die ASIL-D-Komponente On every push:
- `docs/non-conformities/NC-001.docx` — Beispiel einer Non-Conformity mit Korrekturmassnahme 1. **Cross-platform build + test** on Linux + macOS + Windows
- `misra/records/MISRA-REC-001.docx` — MISRA Deviation Record fuer eine bewusste Advisory-Abweichung 2. **Static analysis** (Cppcheck)
3. **MISRA check** (Cppcheck + MISRA addon)
4. **Coverage** (gcov/lcov)
5. **Traceability check** (bidirectional)
6. **PlantUML render** (all diagrams as SVG)
7. **Doxygen API doc**
8. **Test summary report**
### 7. CI-Pipeline All available as Gitea artefacts.
`.gitea/workflows/validate.yml` — bei jedem Push laeuft:
1. Cppcheck (Static Analysis)
2. Cppcheck + MISRA-Addon
3. Build + Unit Tests
4. Coverage (gcov/lcov)
5. Doorstop-Traceability-Check
## Architektur-Ueberblick ### 10. Release workflow (`.gitea/workflows/release.yml`)
On tag push `v*.*.*`:
- Full build + all reports
- Bundles **source archive + artefact archive** (CI output + all Word docs)
- Creates a Gitea release with release notes
Example: https://gitea.slohmaier.com/slohmaier/demo-epb/releases
## Architecture overview
``` ```
+----------------------+ EPB ECU (SA-001)
| EPB ECU (SA-001) | +----------------------------------+
| +-----------------+ | | Safety Manager (D) | ← arch/swe/SWA-001.md
| | Safety Mgr (D) | | | Apply Controller (D) | ← arch/swe/SWA-002.md
| +-----------------+ | | Actuator Driver (B) | ← arch/swe/SWA-003.md
| | Apply Ctrl (D) | | | Wheel Speed Plausi (B) [stub] |
| +-----------------+ | | Inclino Filter (B) [stub] |
| | Actuator Drv (B)| | | Switch Debouncer (QM) | ← arch/swe/SWA-006.md
| +-----------------+ | | Display Manager (QM) [stub] |
| | Wheel Speed (B) | | | Diag Manager (QM) [stub] |
| | Inclino (B) | | | Service Mode (QM) [stub] |
| +-----------------+ | | Logger (QM) [stub] |
| | Switch DB (QM) | | +----------------------------------+
| | Display (QM) | |
| | Diag (QM) | |
| | Service (QM) | |
| | Logger (QM) | |
| +-----------------+ |
+----------------------+
| | | |
Aktor L Aktor R Actuator L (SA-002) Actuator R (SA-002)
(SA-002) (SA-002)
``` ```
## Format-Strategie ## Format strategy
| Inhalt | Format | Begruendung | | Content | Format | Rationale |
|---------------------|-------------------|-------------------------------------------------| |---------|--------|-----------|
| Plaene + Audit-Doku | **Word** (.docx) | Industriestandard fuer ISO-9001-Freigabe | | Plans + Safety + Audit + Manuals | **Word** (.docx) | Industry standard for ISO 9001 release |
| Requirements + Arch | **Markdown** (Doorstop) | Lebendig, diff-bar, Traceability per Skript | | Requirements + Architecture | **Markdown** (Doorstop style) | Lives daily, diff-able, traceability by script |
| Code, Tests, CI | C / YAML | klar | | Code, Tests, CI | C / YAML | obvious |
| Release bundle | tar.gz with everything | One file for the auditor |
Beide Welten gehen ueber `tools/`-Skripte ineinander ueber: Markdown ist Source of Truth, Word wird per pandoc daraus gebaut. Markdown is the source of truth; Word is built via pandoc.
## Generatoren ## References
| Skript | Zweck | - [slohmaier/dev-process](https://gitea.slohmaier.com/slohmaier/dev-process) — Methodology repo
|---------------------------------------|----------------------------------------------------|
| `tools/generate_doorstop_items.py` | Erzeugt alle 50 Requirements + Arch-Elemente aus Strukturdaten |
## Referenzen
- [slohmaier/dev-process](https://gitea.slohmaier.com/slohmaier/dev-process) — die Methodik
- ASPICE 4.0 - ASPICE 4.0
- ISO 26262 (insbesondere Part 6 — Software) - ISO 26262 (in particular Part 2, 3, 5, 6, 8, 10)
- MISRA C:2012 - MISRA C:2012
## Lizenz ## Licence
MIT — siehe [LICENSE](LICENSE).
MIT — see [LICENSE](LICENSE).
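Review bot: the header example in section 6 now reads `@reqs SWE-001 SWE-002 SWE-003 SWE-004 SWE-005` where the previous version stopped at SWE-004, and the SWA-002 mapping table in this same commit still covers only SWE-001..SWE-004; confirm the added SWE-005 matches the real `apply_controller.c` header and the architecture mapping, or drop it from the example. The references list likewise widens "Part 6" to "Part 2, 3, 5, 6, 8, 10" of ISO 26262, the format-strategy table gains "Safety + Manuals" and a release-bundle row, and the Generatoren table is dropped; these are content changes rather than translation and deserve their own mention so a reviewer does not take the English text as a faithful rendering of the German.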
+15 -15
View File
@@ -17,12 +17,12 @@ asil: D
# SWA-001: Safety Manager # SWA-001: Safety Manager
## Verantwortung ## Responsibility
Hoechste Sicherheitsschicht. Erkennt Motor-Aus, aktiviert Hill-Hold, Highest safety layer. Detects engine-off, activates hill-hold,
triggert Auto-Apply. Lebenswichtige Logik mit redundanter Pruefung. triggers auto-apply. Life-critical logic with redundant checks.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -31,20 +31,20 @@ package "Safety Manager" {
[Hill-Hold Logic] [Hill-Hold Logic]
[Auto-Apply Logic] [Auto-Apply Logic]
} }
[Safety Manager] ..> [Apply Controller] : Apply-Anforderung [Safety Manager] ..> [Apply Controller] : apply request
[Wheel Speed Plausi] --> [Safety Manager] : v_vehicle [Wheel Speed Plausi] --> [Safety Manager] : v_vehicle
[Inclinometer Filter] --> [Safety Manager] : grade [Inclinometer Filter] --> [Safety Manager] : grade
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status safety_mgr_init(void); Status safety_mgr_init(void);
void safety_mgr_step_50ms(const SafetyInputs* in); void safety_mgr_step_50ms(const SafetyInputs* in);
``` ```
## Dynamisches Verhalten ## Dynamic behaviour
```plantuml ```plantuml
@startuml @startuml
@@ -58,16 +58,16 @@ AutoApplyTriggered --> Idle : applied
@enduml @enduml
``` ```
## Ressourcen ## Resources
- Stack: <= 256 B - Stack: <= 256 B
- Worst-Case Timing: 200 us / Aufruf - Worst-case timing: 200 us per call
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-007 | engine_off + v<0.5 in step_50ms | | SWE-007 | engine_off + v<0.5 in step_50ms |
| SWE-008 | 2s-Filter und Trigger | | SWE-008 | 2 s filter and trigger |
| SWE-009 | Hill-Hold-Aktivierung | | SWE-009 | hill-hold activation |
| SWE-010 | Brake-Released-Detektion | | SWE-010 | brake-released detection |
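Review bot: the SWE-007 row, "engine_off + v<0.5 in step_50ms", gives no unit for the 0.5 threshold; SA-003 specifies wheel speed in km/h with accuracy stated only "above 1 km/h", so if the standstill criterion is 0.5 km/h it sits in a range the sensor spec does not cover. Write the unit out (e.g. "v < 0.5 km/h") and say how standstill is made robust there, since this is the trigger of the ASIL-D auto-apply path.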
+22 -21
View File
@@ -16,12 +16,13 @@ asil: D
# SWA-002: Apply Controller # SWA-002: Apply Controller
## Verantwortung ## Responsibility
Zentraler Controller fuer Apply, Hold und Release der Parkbremse. Central controller for apply, hold and release of the parking brake.
ASIL-D-Kern der EPB-Software. Implementiert in `src/apply_controller.c`. ASIL-D core of the EPB software. Implemented in
`src/apply_controller.c`.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -34,7 +35,7 @@ ASIL-D-Kern der EPB-Software. Implementiert in `src/apply_controller.c`.
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status apply_ctrl_init(void); Status apply_ctrl_init(void);
@@ -42,7 +43,7 @@ void apply_ctrl_step_50ms(const ApplyInputs* in);
EpbStatus apply_ctrl_get_status(void); EpbStatus apply_ctrl_get_status(void);
``` ```
## Dynamisches Verhalten ## Dynamic behaviour
```plantuml ```plantuml
@startuml @startuml
@@ -58,24 +59,24 @@ Error --> Released : reset & no fault
@enduml @enduml
``` ```
## Ressourcen ## Resources
- Stack: <= 384 B - Stack: <= 384 B
- Worst-Case Timing: 350 us / Aufruf - Worst-case timing: 350 us per call
## Designentscheidungen ## Design decisions
| Entscheidung | Begruendung | | Decision | Rationale |
|--------------|-------------| |----------|-----------|
| Statische Allokation, kein Heap | Determinismus, MISRA C 21.3 | | Static allocation, no heap | Determinism, MISRA C 21.3 |
| State Machine | Einfacher zu verifizieren, deterministisch | | State machine | Easier to verify, deterministic |
| 50ms Step-Funktion | Synchron zur Inclinometer-Abtastung | | 50 ms step function | Synchronous with inclinometer sample rate |
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-001 | Hold-Zustand mit periodischer Klemmkraft-Pruefung | | SWE-001 | Hold state with periodic clamping-force check |
| SWE-002 | Watchdog-Pet im step_50ms | | SWE-002 | Watchdog pet in step_50ms |
| SWE-003 | sw_apply Input wird sofort ausgewertet | | SWE-003 | sw_apply input is evaluated immediately |
| SWE-004 | Current-Target-Detektion via Actuator-Driver-Feedback | | SWE-004 | current-target detection via actuator-driver feedback |
+16 -16
View File
@@ -15,13 +15,13 @@ asil: B
# SWA-003: Actuator Driver # SWA-003: Actuator Driver
## Verantwortung ## Responsibility
Low-Level-Ansteuerung der beiden Aktor-Motoren. PWM-Generierung, Low-level control of the two actuator motors. PWM generation,
Strom-Messung, Overcurrent-Cutoff, Klemmkraft-Schaetzung. current measurement, overcurrent cutoff, clamping-force estimation.
Implementiert in `src/actuator_driver.c`. Implemented in `src/actuator_driver.c`.
## Statische Sicht ## Static view
```plantuml ```plantuml
@startuml @startuml
@@ -32,7 +32,7 @@ Implementiert in `src/actuator_driver.c`.
@enduml @enduml
``` ```
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status actuator_init(void); Status actuator_init(void);
@@ -40,20 +40,20 @@ void actuator_apply(ActuatorId id, uint8_t pwm_percent);
void actuator_release(ActuatorId id, uint8_t pwm_percent); void actuator_release(ActuatorId id, uint8_t pwm_percent);
void actuator_stop(ActuatorId id); void actuator_stop(ActuatorId id);
ActuatorStatus actuator_get_status(ActuatorId id); ActuatorStatus actuator_get_status(ActuatorId id);
void actuator_isr_1khz(void); // Strom-Sampling void actuator_isr_1khz(void); // Current sampling
``` ```
## Ressourcen ## Resources
- Stack: <= 256 B - Stack: <= 256 B
- Worst-Case Timing: 50 us / ISR - Worst-case timing: 50 us per ISR
- Static RAM: 64 B pro Aktor - Static RAM: 64 B per actuator
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-006 | actuator_release fuer beide Aktoren parallel | | SWE-006 | actuator_release for both actuators in parallel |
| SWE-013 | actuator_isr_1khz | | SWE-013 | actuator_isr_1khz |
| SWE-014 | Overcurrent-Detektor in ISR | | SWE-014 | overcurrent detector in ISR |
| SWE-015 | Peak-Current-Tracking + lineare Klemmkraft-Schaetzung | | SWE-015 | peak-current tracking + linear clamping-force estimate |
+6 -6
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Wheel Speed Plausibilisierung' header: 'Wheel Speed Plausibilisation'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -11,14 +11,14 @@ links:
asil: B asil: B
--- ---
# SWA-004: Wheel Speed Plausibilisierung # SWA-004: Wheel Speed Plausibilisation
## Verantwortung ## Responsibility
Aufbereitung und Plausibilisierung der 4 Wheel-Speed-Signale. Erkennt Conditioning and plausibilisation of the four wheel-speed signals.
Stillstand und plausibilisiert untereinander. Detects standstill and cross-checks the wheels.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status wheel_speed_init(void); Status wheel_speed_init(void);
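Review bot: "Plausibilisation" in the front-matter header, the title and the responsibility text is a carry-over of the German "Plausibilisierung" and is not idiomatic English; "Wheel Speed Plausibility Check" and "plausibility checking of the four wheel-speed signals" read naturally and match the "plausibility" wording the service manual already uses in its DTC table (P080C, P080D).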
+4 -3
View File
@@ -12,11 +12,12 @@ asil: B
# SWA-005: Inclinometer Filter # SWA-005: Inclinometer Filter
## Verantwortung ## Responsibility
Tiefpass-Filterung des Inclinometer-Roh-Signals fuer die Hill-Hold-Bewertung. Low-pass filtering of the raw inclinometer signal for hill-hold
evaluation.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status inclino_init(void); Status inclino_init(void);
+9 -8
View File
@@ -12,12 +12,13 @@ asil: QM
# SWA-006: Switch Debouncer # SWA-006: Switch Debouncer
## Verantwortung ## Responsibility
Software-Entprellung des EPB-Schalters. Liefert stabiles Apply / Release Software debouncing of the EPB switch. Provides a stable apply /
Signal an den Apply-Controller. Implementiert in `src/switch_debouncer.c`. release signal to the apply controller. Implemented in
`src/switch_debouncer.c`.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status switch_init(void); Status switch_init(void);
@@ -25,8 +26,8 @@ void switch_step_10ms(SwitchRaw raw);
SwitchState switch_get_state(void); SwitchState switch_get_state(void);
``` ```
## Mapping auf Anforderungen ## Mapping to requirements
| Anforderung | Wie abgedeckt | | Requirement | How covered |
|-------------|---------------| |-------------|-------------|
| SWE-025 | 50ms Debounce-Logik | | SWE-025 | 50 ms debounce logic |
+5 -5
View File
@@ -13,15 +13,15 @@ asil: QM
# SWA-007: Display Manager # SWA-007: Display Manager
## Verantwortung ## Responsibility
Steuert LED am EPB-Schalter und CAN-Status-Frame an das Kombi-Display. Drives the LED on the EPB switch and the CAN status frame to the
Empfaengt Status vom Apply-Controller. instrument cluster. Receives status from the apply controller.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status display_init(void); Status display_init(void);
void display_set_status(EpbStatus s); void display_set_status(EpbStatus s);
void display_step_20ms(void); // 50 Hz CAN-Frame void display_step_20ms(void); // 50 Hz CAN frame
``` ```
+4 -3
View File
@@ -13,11 +13,12 @@ asil: QM
# SWA-008: Diagnostic Manager # SWA-008: Diagnostic Manager
## Verantwortung ## Responsibility
UDS-Diagnose nach ISO 14229: ReadDTC, ReadDataByIdentifier, RoutineControl. UDS diagnostics per ISO 14229: ReadDTC, ReadDataByIdentifier,
RoutineControl.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status diag_init(void); Status diag_init(void);
+4 -3
View File
@@ -13,7 +13,8 @@ asil: QM
# SWA-009: Service Mode # SWA-009: Service Mode
## Verantwortung ## Responsibility
Service-Modus fuer Werkstatt. Wird ueber UDS RoutineControl 0x31, Routine-ID Service mode for the workshop. Activated via UDS RoutineControl
0x0301 aktiviert. Steuert Aktoren in Wartungsposition. 0x31, routine ID 0x0301. Drives the actuators into maintenance
position.
+4 -4
View File
@@ -13,12 +13,12 @@ asil: QM
# SWA-010: Logger # SWA-010: Logger
## Verantwortung ## Responsibility
Logging fuer Entwicklung und Service. Ringpuffer im RAM (1 KB) sowie Logging for development and service. Ring buffer in RAM (1 KB)
Persistenz im EEPROM bei kritischen Ereignissen. plus persistence in EEPROM on critical events.
## Schnittstellen (Provided) ## Provided interfaces
```c ```c
Status log_init(void); Status log_init(void);
+29 -29
View File
@@ -21,28 +21,28 @@ asil: D
# SA-001: EPB ECU # SA-001: EPB ECU
## Verantwortung ## Responsibility
Zentrales Steuergeraet der elektrischen Parkbremse. Beinhaltet alle Software- Central control unit of the electric parking brake. Contains all
Komponenten und die elektronische Ansteuerung der Aktoren. software components and the electronic actuation of the actuators.
## System-Kontext ## System context
```plantuml ```plantuml
@startuml @startuml
node "EPB ECU" as ECU node "EPB ECU" as ECU
node "Aktor links" as AL node "Actuator left" as AL
node "Aktor rechts" as AR node "Actuator right" as AR
node "Wheel Speed Sensoren (x4)" as WS node "Wheel-speed sensors (x4)" as WS
node "Inclinometer" as IN node "Inclinometer" as IN
node "EPB-Schalter + LED" as SW node "EPB switch + LED" as SW
node "CAN-Bus" as CAN node "CAN bus" as CAN
node "Kombi-Display" as DI node "Instrument cluster" as DI
node "OBD-Tester" as OBD node "OBD tester" as OBD
ECU --> AL : PWM, I-Mess ECU --> AL : PWM, I-meas
ECU --> AR : PWM, I-Mess ECU --> AR : PWM, I-meas
WS --> ECU : Pulse WS --> ECU : pulses
IN --> ECU : SPI IN --> ECU : SPI
SW --> ECU : GPIO SW --> ECU : GPIO
ECU --> SW : LED ECU --> SW : LED
@@ -52,24 +52,24 @@ CAN <-> OBD
@enduml @enduml
``` ```
## Schnittstellen ## Interfaces
| Schnittstelle | Typ | Richtung | | Interface | Type | Direction |
|---------------|----------------|----------| |---------------|------------------|-----------|
| Aktor L/R | PWM + Shunt | I/O | | Actuator L/R | PWM + shunt | I/O |
| Wheel Speed | Hall-Pulse | In | | Wheel speed | Hall pulses | in |
| Inclinometer | SPI | In | | Inclinometer | SPI | in |
| Schalter | GPIO debounced | In | | Switch | GPIO debounced | in |
| LED | GPIO | Out | | LED | GPIO | out |
| CAN | ISO 11898 | I/O | | CAN | ISO 11898 | I/O |
## Subkomponenten (Aufteilung auf SW) ## Subcomponents (allocated to software)
Realisiert in Software: alle SWA-Elemente SWA-001..SWA-010. Realised in software: all SWA elements SWA-001..SWA-010.
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Worst-Case Reaktionszeit (Schalter → Aktor-Bewegung): 250 ms - Worst-case reaction time (switch to actuator motion): 250 ms
- Flash-Bedarf: < 256 KB - Flash demand: < 256 KB
- RAM-Bedarf: < 32 KB - RAM demand: < 32 KB
- Stromaufnahme: < 200 mA (Standby) / < 30 A (Aktor-Spitze) - Current: < 200 mA (standby) / < 30 A (actuator peak)
+17 -17
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktoren (Caliper-Motoren)' header: 'Actuators (calliper motors)'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
@@ -13,25 +13,25 @@ links:
asil: D asil: D
--- ---
# SA-002: Aktoren (Caliper-Motoren) # SA-002: Actuators (calliper motors)
## Verantwortung ## Responsibility
Zwei elektromechanische Aktoren an den hinteren Bremssaetteln klemmen Two electromechanical actuators on the rear callipers clamp and
und loesen die Bremsbelaege. Geliefert (Annahme): kommerzielles Bauteil release the brake pads. Supplied (assumption): commercial component
eines Tier-1-Lieferanten. from a Tier-1 supplier.
## Schnittstellen ## Interfaces
| Schnittstelle | Typ | Bemerkung | | Interface | Type | Notes |
|---------------|--------------|-----------------------------------| |---------------|--------------|---------------------------------|
| Power | 12 V, PWM | bidirektional fuer Apply/Release | | Power | 12 V, PWM | bidirectional for apply/release |
| Strom-Shunt | Analog | wird in der ECU abgegriffen | | Current shunt | analog | sampled inside the ECU |
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Max. Klemmkraft: 20 kN - Max clamping force: 20 kN
- Apply-Zeit (0 → max): 600 ms - Apply time (0 → max): 600 ms
- Strom (nominal): 4 A - Nominal current: 4 A
- Strom (Spitze): 30 A (kurzzeitig) - Peak current: 30 A (brief)
- Temperaturbereich: -40°C bis +85°C - Temperature range: -40 °C to +85 °C
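Review bot: the non-functional values "Nominal current: 4 A" and "Peak current: 30 A (brief)" do not obviously agree with the service manual's actuator check in this commit, which expects "Peak current (apply) 15 to 25 A" and a "Cutoff threshold 8 A for 100 ms". If 30 A is the component's absolute rating and 15 to 25 A the expected in-vehicle reading, state that here, and explain how an 8 A / 100 ms cutoff coexists with a 600 ms apply whose current exceeds 8 A; as written the two documents contradict each other for an auditor.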
+19 -19
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Sensor-Cluster' header: 'Sensor cluster'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
@@ -12,27 +12,27 @@ links:
asil: B asil: B
--- ---
# SA-003: Sensor-Cluster # SA-003: Sensor cluster
## Verantwortung ## Responsibility
Zusammenfassung aller fuer die EPB benoetigten Eingangssignale: Summary of all input signals required by the EPB: wheel-speed
Wheel-Speed-Sensoren (4x), Inclinometer (1x), EPB-Schalter, Bremspedal- sensors (4x), inclinometer (1x), EPB switch, brake-pedal status,
Status, Gear-Position, Door-Open, Seat-Belt — die letzten vier per CAN. gear position, door open, seatbelt — the last four via CAN.
## Schnittstellen ## Interfaces
| Sensor | Typ | Quelle | | Sensor | Type | Source |
|-----------------|------------------|--------------| |-----------------|--------------|------------|
| Wheel Speed x4 | Hall-Pulse | direkt | | Wheel speed x4 | Hall pulses | direct |
| Inclinometer | SPI 1 kHz | direkt | | Inclinometer | SPI 1 kHz | direct |
| EPB-Schalter | GPIO | direkt | | EPB switch | GPIO | direct |
| Bremspedal | CAN 0x100 | aus BCM | | Brake pedal | CAN 0x100 | from BCM |
| Gear | CAN 0x110 | aus TCU | | Gear | CAN 0x110 | from TCU |
| Door / Belt | CAN 0x120 | aus BCM | | Door / belt | CAN 0x120 | from BCM |
## Nichtfunktionale Eigenschaften ## Non-functional properties
- Wheel-Speed-Genauigkeit: +/- 0.1 km/h ab 1 km/h - Wheel-speed accuracy: +/- 0.1 km/h above 1 km/h
- Inclinometer-Genauigkeit: +/- 0.5° - Inclinometer accuracy: +/- 0.5°
- Sampling-Frequenz Inclinometer: 100 Hz - Inclinometer sampling rate: 100 Hz
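Review bot: the interface table lists the inclinometer as "SPI 1 kHz" while the non-functional properties directly below give "Inclinometer sampling rate: 100 Hz", and SWA-002 justifies its 50 ms step as "synchronous with inclinometer sample rate" (20 Hz). Label which figure is the bus clock, which the sensor sample rate and which the consumer rate, since the hill-hold evaluation depends on it.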
+11 -11
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'HMI (Schalter, LED, Display)' header: 'HMI (switch, LED, display)'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -11,17 +11,17 @@ links:
asil: QM asil: QM
--- ---
# SA-004: HMI (Schalter, LED, Display) # SA-004: HMI (switch, LED, display)
## Verantwortung ## Responsibility
Fahrer-Interaktion und -Information: Tippschalter mit integrierter LED, Driver interaction and information: tap switch with integrated LED,
Statusanzeige im Kombi-Display via CAN. status display in the instrument cluster via CAN.
## Schnittstellen ## Interfaces
| Element | Typ | Verhalten | | Element | Type | Behaviour |
|---------------|----------|--------------------------------------------| |---------------|----------|-------------------------------------------|
| Tippschalter | GPIO | Apply-Richtung / Release-Richtung | | Tap switch | GPIO | apply direction / release direction |
| LED | GPIO | aus / an / blink 2 Hz / blink 4 Hz | | LED | GPIO | off / on / blink 2 Hz / blink 4 Hz |
| Display | CAN 0x3A0 | 50 Hz Status-Frame | | Display | CAN 0x3A0| 50 Hz status frame |
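Review bot: the "Display" row in the interface table lost the space before the column separator ("CAN 0x3A0|"); it still renders, but realign the cell so the generated Markdown stays consistent with the other rows and future diffs remain clean.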
+11 -10
View File
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'CAN-Bus' header: 'CAN bus'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
@@ -11,16 +11,17 @@ links:
asil: QM asil: QM
--- ---
# SA-005: CAN-Bus # SA-005: CAN bus
## Verantwortung ## Responsibility
Kommunikations-Backbone fuer Eingangsdaten (Bremspedal, Gang, Tuer, Gurt), Communication backbone for input data (brake pedal, gear, door,
Ausgabe (Status-Frame an Display) und Diagnose (UDS auf Tester-Adresse). belt), output (status frame to the display) and diagnostics (UDS
on the tester address).
## Schnittstellen ## Interfaces
- Baudrate: 500 kbit/s, CAN 2.0B - Baud rate: 500 kbit/s, CAN 2.0B
- Empfangene Frames: 0x100 (Bremspedal), 0x110 (Gang), 0x120 (Door/Belt), - Received frames: 0x100 (brake pedal), 0x110 (gear),
0x712 (UDS-Request) 0x120 (door/belt), 0x712 (UDS request)
- Gesendete Frames: 0x3A0 (Status 50 Hz), 0x71A (UDS-Response) - Sent frames: 0x3A0 (status 50 Hz), 0x71A (UDS response)
+90 -90
View File
@@ -1,138 +1,138 @@
--- ---
doc-id: SLM-EPB-SVC-001 doc-id: SLM-EPB-SVC-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Service Manual — Elektrische Parkbremse (EPB) # Service Manual — Electric Parking Brake (EPB)
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Produkt | demo-epb EPB-Steuergeraet | | Product | demo-epb EPB ECU |
| Version | 1.0 | | Version | 1.0 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Zielgruppe | Werkstatt-Techniker | | Audience | Workshop technicians |
--- ---
## 1. Werkzeuge ## 1. Tools
- OBD-II-Diagnose-Tester mit UDS-Support (ISO 14229) - OBD-II diagnostic tester with UDS support (ISO 14229)
- Drehmomentschluessel 60 Nm - Torque wrench 60 Nm
- Verschiebewerkzeug 28x40 mm (fuer Bremsbelag-Wechsel) - Sliding tool 28×40 mm (for brake-pad replacement)
## 2. UDS-Diagnose ## 2. UDS diagnostics
### 2.1 Identifikation ### 2.1 Identification
| Parameter | Wert | | Parameter | Value |
|-------------------|-------------| |-------------------|-------------|
| Tester-Adresse | 0x712 | | Tester address | 0x712 |
| ECU-Antwort | 0x71A | | ECU response | 0x71A |
| CAN-Baudrate | 500 kbit/s | | CAN baud rate | 500 kbit/s |
### 2.2 Service-IDs ### 2.2 Service IDs
| SID | Service | Notizen | | SID | Service | Notes |
|------|-------------------------------|-------------------------------| |------|-------------------------------|--------------------------------|
| 0x10 | DiagnosticSessionControl | 0x03 = Extended Session | | 0x10 | DiagnosticSessionControl | 0x03 = Extended Session |
| 0x11 | ECUReset | 0x01 = Hard Reset | | 0x11 | ECUReset | 0x01 = Hard Reset |
| 0x14 | ClearDiagnosticInformation | Loescht alle DTCs | | 0x14 | ClearDiagnosticInformation | Clears all DTCs |
| 0x19 | ReadDTCInformation | Sub 0x02 = reportDTCByStatusMask | | 0x19 | ReadDTCInformation | Sub 0x02 = reportDTCByStatusMask |
| 0x22 | ReadDataByIdentifier | Siehe DID-Liste | | 0x22 | ReadDataByIdentifier | See DID list |
| 0x27 | SecurityAccess | Nicht implementiert in Demo | | 0x27 | SecurityAccess | Not implemented in demo |
| 0x31 | RoutineControl | 0x0301 = Service-Modus | | 0x31 | RoutineControl | 0x0301 = Service mode |
### 2.3 DIDs (Data Identifiers) ### 2.3 DIDs (Data Identifiers)
| DID | Beschreibung | Typ | | DID | Description | Type |
|--------|-------------------------------------|----------------| |--------|--------------------------------------|----------------|
| 0xF187 | SW-Version | ASCII 16 byte | | 0xF187 | SW version | ASCII 16 byte |
| 0xF18B | ECU-Hardware-Version | ASCII 16 byte | | 0xF18B | ECU hardware version | ASCII 16 byte |
| 0x0301 | Klemmkraft links | uint16 (N) | | 0x0301 | Clamping force left | uint16 (N) |
| 0x0302 | Klemmkraft rechts | uint16 (N) | | 0x0302 | Clamping force right | uint16 (N) |
| 0x0303 | Motorstrom links | uint16 (mA) | | 0x0303 | Motor current left | uint16 (mA) |
| 0x0304 | Motorstrom rechts | uint16 (mA) | | 0x0304 | Motor current right | uint16 (mA) |
| 0x0305 | Inclinometer (gefiltert) | int16 (m°) | | 0x0305 | Inclinometer (filtered) | int16 (m°) |
## 3. DTC-Liste ## 3. DTC list
| DTC | Bedeutung | Aktion | | DTC | Meaning | Action |
|----------|--------------------------------------------------|----------------------------------------| |----------|---------------------------------------------------|----------------------------------------|
| P0571 | EPB-Schalter Plausibilitaet | Schalter pruefen | | P0571 | EPB switch plausibility | Check switch |
| P0572 | EPB-Schalter dauerhaft betaetigt | Schalter blockiert? Reinigen | | P0572 | EPB switch permanently actuated | Switch jammed? Clean |
| P0808 | Aktor-Strom links zu hoch (Overcurrent) | Motor + Verkabelung pruefen | | P0808 | Actuator current left too high (overcurrent) | Check motor + wiring |
| P0809 | Aktor-Strom rechts zu hoch (Overcurrent) | Motor + Verkabelung pruefen | | P0809 | Actuator current right too high (overcurrent) | Check motor + wiring |
| P080A | Klemmkraft links nicht erreicht (Apply-Timeout) | Aktor / Mechanik pruefen | | P080A | Clamping force left not reached (apply timeout) | Check actuator / mechanism |
| P080B | Klemmkraft rechts nicht erreicht | Aktor / Mechanik pruefen | | P080B | Clamping force right not reached | Check actuator / mechanism |
| P080C | Wheel-Speed-Sensor Plausibilitaet | Sensoren / Verkabelung pruefen | | P080C | Wheel-speed sensor plausibility | Check sensors / wiring |
| P080D | Inclinometer Plausibilitaet | Sensor / Montage pruefen | | P080D | Inclinometer plausibility | Check sensor / mounting |
| P080E | Apply-Controller-Watchdog-Trip | Software-Reset, bei Wiederholung ECU tauschen | | P080E | Apply controller watchdog trip | Software reset; if recurring replace ECU |
| U0123 | CAN-Bus-Kommunikation verloren | CAN-Verkabelung + BCM-Status | | U0123 | CAN bus communication lost | Check CAN wiring + BCM status |
## 4. Service-Modus (Bremsbelag-Wechsel) ## 4. Service mode (brake-pad replacement)
### 4.1 Aktivierung ### 4.1 Activation
Voraussetzungen: Preconditions:
- Zuendung an, Motor aus - Ignition on, engine off
- Fahrzeug auf der Buehne oder mit gesicherten Raedern - Vehicle on lift or with chocked wheels
- Fahrertuer geschlossen (oder Tuer-Signal ueberbrueckt) - Driver door closed (or door signal bypassed)
Schritte: Steps:
1. Diagnose-Tester verbinden, Extended Session (0x10 0x03) 1. Connect diagnostic tester, Extended Session (0x10 0x03)
2. RoutineControl `0x31 01 03 01` sendenStart Routine 2. Send RoutineControl `0x31 01 03 01`start routine
3. ECU bestaetigt, EPB-LED beginnt mit 2 Hz zu blinken 3. ECU acknowledges, EPB LED starts blinking at 2 Hz
4. Aktoren fahren in Wartungs-Position (vollstaendig geloest) 4. Actuators move to maintenance position (fully released)
### 4.2 Deaktivierung ### 4.2 Deactivation
1. RoutineControl `0x31 02 03 01` sendenStop Routine 1. Send RoutineControl `0x31 02 03 01`stop routine
2. EPB-LED beendet das Blinken 2. EPB LED stops blinking
3. Apply-Funktion wieder verfuegbar 3. Apply function available again
### 4.3 Bremsbelag-Wechsel-Ablauf ### 4.3 Brake-pad replacement procedure
1. Service-Modus aktivieren (siehe oben) 1. Activate service mode (see above)
2. Bremssattel demontieren 2. Remove brake calliper
3. Belaege wechseln, Fuehrungen schmieren 3. Replace pads, grease guides
4. Bremssattel mit 60 Nm anziehen 4. Tighten calliper to 60 Nm
5. Service-Modus deaktivieren 5. Deactivate service mode
6. Drei Apply/Release-Zyklen durchfuehren (zum Einschleifen) 6. Perform three apply/release cycles (bedding-in)
7. DTC-Speicher leeren (Service 0x14) 7. Clear DTC memory (service 0x14)
## 5. Sensor-Pruefung ## 5. Sensor check
### 5.1 Wheel-Speed-Sensoren ### 5.1 Wheel-speed sensors
- Widerstand: 800-1500 Ω bei 20 °C - Resistance: 800-1500 Ω at 20 °C
- Spannung bei 50 km/h: 2-5 V Peak-to-Peak (Hall) - Voltage at 50 km/h: 2-5 V peak-to-peak (Hall)
### 5.2 Inclinometer ### 5.2 Inclinometer
- SPI-Bus 1 MHz - SPI bus 1 MHz
- Erwarteter Wert auf ebener Strasse: 0 ± 0.5° - Expected value on level road: 0 ± 0.5°
- Drift-Check: ECU + Tester, > 5 Min Beobachtung - Drift check: ECU + tester, monitor > 5 min
## 6. Aktor-Pruefung ## 6. Actuator check
| Parameter | Sollwert | | Parameter | Target value |
|-----------------------|------------------------| |-----------------------|------------------------|
| Widerstand pro Motor | 0.8 1.2 Ω | | Resistance per motor | 0.8 1.2 Ω |
| Stromaufnahme nominal | 3 5 A | | Nominal current | 3 5 A |
| Stromspitze (Apply) | 15 25 A | | Peak current (apply) | 15 25 A |
| Cutoff-Schwelle | 8 A fuer 100 ms | | Cutoff threshold | 8 A for 100 ms |
## 7. Software-Update ## 7. Software update
1. UDS Extended Session (0x10 0x03) 1. UDS Extended Session (0x10 0x03)
2. Programming Session (0x10 0x02) 2. Programming Session (0x10 0x02)
3. Flashloader-Sequenz nach OEM-Spezifikation 3. Flashloader sequence per OEM specification
4. Neue SW-Version per DID 0xF187 verifizieren 4. Verify new SW version via DID 0xF187
## 8. Aenderungshistorie ## 8. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|---------------------|-------------| |---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier|
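Review bot: section 2.2 marks SecurityAccess (0x27) as "Not implemented in demo" while section 4.1 documents a RoutineControl (`0x31 01 03 01`) that fully releases both actuators from an Extended Session; the manual should state which of the listed preconditions (ignition on, engine off, standstill) the ECU enforces itself versus which the technician must ensure, and note that a production variant would be expected to gate this routine behind SecurityAccess. Separately, DID 0x0301 ("Clamping force left") and routine ID 0x0301 ("Service mode") share a numeric value in different UDS namespaces; a short remark that these are unrelated would save technicians confusion.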
+65 -74
View File
@@ -1,114 +1,105 @@
--- ---
doc-id: SLM-EPB-USR-001 doc-id: SLM-EPB-USR-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Bedienungsanleitung — Elektrische Parkbremse (EPB) # User Manual — Electric Parking Brake (EPB)
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Produkt | demo-epb EPB-Steuergeraet | | Product | demo-epb EPB ECU |
| Version | 1.0 | | Version | 1.0 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Zielgruppe | Fahrzeugfuehrer | | Audience | Vehicle drivers |
--- ---
> **Wichtige Sicherheitshinweise lesen!** > **Read the important safety information first!**
> Bevor Sie die EPB verwenden, machen Sie sich mit den Funktionen vertraut. > Familiarise yourself with the functions before using the EPB.
## 1. Was ist die Elektrische Parkbremse? ## 1. What is the Electric Parking Brake?
Die Elektrische Parkbremse (EPB) ersetzt die klassische Handbremse. Sie wird The Electric Parking Brake (EPB) replaces the classical handbrake. You operate it via a switch in the centre console; the system clamps the rear brakes electromechanically.
ueber einen Schalter in der Mittelkonsole bedient und klemmt die hinteren
Bremsen elektromechanisch fest.
## 2. Bedienung ## 2. Operation
### 2.1 Parkbremse einlegen (Apply) ### 2.1 Engage the parking brake (apply)
1. Fahrzeug zum Stillstand bringen. 1. Bring the vehicle to a complete standstill.
2. Bremspedal getreten halten. 2. Keep the brake pedal pressed.
3. EPB-Schalter **nach oben** ziehen (Pfeil zeigt zur Frontscheibe). 3. Pull the EPB switch **upwards** (arrow points to the windshield).
4. Die rote LED am Schalter leuchtet dauerhaft. 4. The red LED on the switch lights up steadily.
Sie hoeren ein leichtes Brummen — das sind die Stellmotoren. You will hear a soft humming sound — that is the actuator motors.
### 2.2 Parkbremse loesen (Release) ### 2.2 Release the parking brake
**Voraussetzungen** (alle muessen erfuellt sein): **Preconditions** (all must be met):
- Motor laeuft - Engine is running
- Bremspedal ist betaetigt - Brake pedal is pressed
- Gangwahlhebel ist eingelegt (kein Leerlauf) - Gear selector is engaged (not in neutral)
1. EPB-Schalter **nach unten** druecken. 1. Push the EPB switch **downwards**.
2. Die LED erlischt. 2. The LED goes out.
3. Sie hoeren erneut ein kurzes Brummen. 3. You will hear a short humming sound again.
### 2.3 Auto-Hold (Fahrer steigt aus) ### 2.3 Auto-Hold (driver leaving the car)
Wenn Sie den Motor abschalten und das Fahrzeug stillsteht, wird die EPB When you switch the engine off and the vehicle is at a standstill, the EPB engages **automatically after 2 seconds** — even if you didn't operate it manually. The LED confirms.
**automatisch nach 2 Sekunden** eingelegt — auch wenn Sie sie nicht manuell
betaetigt haben. Die LED leuchtet als Bestaetigung.
### 2.4 Hill-Hold am Berg ### 2.4 Hill-Hold on inclines
Beim Anhalten an einer Steigung (> 5 %): When stopping on a slope (> 5%):
1. Bremspedal treten — Fahrzeug haelt. 1. Press the brake pedal — vehicle stops.
2. Fuss vom Bremspedal nehmen — die EPB uebernimmt automatisch. 2. Lift your foot off the brake pedal — the EPB takes over automatically.
3. Die LED blinkt langsam waehrend Hill-Hold aktiv ist. 3. The LED blinks slowly while hill-hold is active.
4. Beim Anfahren (Gasgeben + Gang eingelegt) loest die EPB automatisch. 4. On drive-away (throttle + gear engaged), the EPB releases automatically.
## 3. Bedeutung der LED-Anzeige ## 3. LED indicator meaning
| LED-Status | Bedeutung | | LED status | Meaning |
|-----------------------|--------------------------------------------------| |-------------------------|---------------------------------------------------|
| Aus | EPB geloest | | Off | EPB released |
| Dauerleuchtend rot | EPB aktiv (Apply / Hold) | | Steady red | EPB active (apply / hold) |
| Langsam blinkend (2 Hz) | Hill-Hold aktiv oder Service-Modus | | Slow blink (2 Hz) | Hill-hold active or service mode |
| Schnell blinkend (4 Hz) | Fehler — bitte Werkstatt aufsuchen | | Fast blink (4 Hz) | Fault — visit a workshop |
## 4. Anzeige im Kombi-Display ## 4. Display in the instrument cluster
Das Kombi-Display zeigt zusaetzliche Texte: The instrument cluster shows additional text:
| Anzeige | Bedeutung | | Text | Meaning |
|------------------------|---------------------------------------------| |---------------------------|-------------------------------------------|
| "EPB aktiv" | Parkbremse eingelegt | | "EPB active" | Parking brake engaged |
| "Hill-Hold aktiv" | Hill-Hold uebernimmt | | "Hill-Hold active" | Hill-hold is taking over |
| "EPB Fehler" | Stoerung — siehe Werkstatt | | "EPB fault" | Fault — visit a workshop |
| "EPB Service-Modus" | Im Werkstatt-Modus, nicht selbst loesen | | "EPB service mode" | In workshop mode, do not release yourself |
## 5. Notbetrieb ## 5. Emergency mode
Sollte die EPB nicht reagieren: If the EPB does not respond:
- **Sie steht und kommt nicht weg:** EPB-Schalter mehrmals nach unten druecken; - **Stationary and won't move:** push the EPB switch downwards several times; if unsuccessful, call breakdown service.
bei Misserfolg Notabschleppdienst rufen. - **Stationary and the EPB does not engage:** secure the vehicle with wheel chocks, contact a workshop.
- **Sie steht und EPB greift nicht:** Fahrzeug mit Unterlegkeil sichern,
Werkstatt kontaktieren.
## 6. Sicherheitshinweise ## 6. Safety information
> **⚠ WARNUNG** > **⚠ WARNING**
> >
> - EPB ersetzt nicht das Anziehen des Gangs beim Parken > - The EPB does not replace engaging a gear when parking
> - Auf glatten Untergruenden zusaetzlich Unterlegkeile verwenden > - On slippery surfaces additionally use wheel chocks
> - Bei laufendem Motor und eingelegter EPB nicht ueber dem > - While the engine is running and the EPB is engaged, do not stand on the brake pedal long-term
> Bremspedal stehen lassen
## 7. Wartung ## 7. Maintenance
Die EPB ist wartungsfrei. Bei Bremsbelagwechsel muss die Werkstatt den The EPB is maintenance-free. For brake pad replacement, the workshop must activate **service mode** — please do not jack up the vehicle yourself while the EPB is in the active state.
**Service-Modus** aktivieren — bitte das Fahrzeug nicht selbst aufbocken,
solange die EPB im aktiven Zustand ist.
## 8. Aenderungshistorie ## 8. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|---------------------|-------------| |---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier|
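Review bot: the LED table in §3 assigns the same 2 Hz slow blink to both hill-hold and service mode, so a driver cannot tell from the switch LED alone whether the brake will release on drive-away (§2.4) or must not be released (§4, "EPB service mode"); add a sentence in §3 telling the driver that the cluster text in §4 is the signal that distinguishes the two states. Minor wording in the English column: §2.1 "that is the actuator motors" should read "those are the actuator motors", §4 "do not release yourself" should be "do not release it yourself", and the casing of "Hill-Hold" / "hill-hold" varies between §2.4, §3 and §4.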
Binary file not shown.
+30 -38
@@ -1,60 +1,52 @@
--- ---
nc-id: NC-001 nc-id: NC-001
projekt: demo-epb project: demo-epb
datum-festgestellt: 2026-05-11 date-discovered: 2026-05-11
schwere: Critical severity: Critical
status: Closed status: Closed
--- ---
# Non-Conformity NC-001: Step-Counter-Ueberlauf nicht dokumentiert # Non-Conformity NC-001: Step counter overflow not documented
| Feld | Wert | | Field | Value |
|---------------------|-----------------------------------| |---------------------|-----------------------------------|
| NC-ID | NC-001 | | NC ID | NC-001 |
| Projekt | demo-epb | | Project | demo-epb |
| Datum festgestellt | 2026-05-11 | | Date discovered | 2026-05-11 |
| Festgestellt durch | Review REV-001 | | Discovered by | Review REV-001 |
| Betroffenes Artefakt| `src/apply_controller.c` | | Affected artefact | `src/apply_controller.c` |
| Anforderung | SWE-002 (Watchdog) | | Requirement | SWE-002 (watchdog) |
| Schwere | Critical | | Severity | Critical |
| Status | Closed | | Status | Closed |
--- ---
## 1. Beschreibung ## 1. Description
Der `step_count` im Apply-Controller ist als `uint32_t` deklariert und wird in `step_count` in the apply controller is declared as `uint32_t` and is monotonically incremented in `apply_ctrl_step_50ms`. At 50 ms/tick the counter overflows after 2^32 * 50 ms ≈ 6.8 years. The watchdog in SWA-002 only compares the delta between two reads (wrap-around safe), but the behaviour is not documented in the header and may lead to errors in subsequent maintenance.
`apply_ctrl_step_50ms` monoton inkrementiert. Bei 50 ms/Tick ueberlaeuft der
Zaehler nach 2^32 * 50 ms ~= 6.8 Jahren. Der Watchdog in SWA-002 vergleicht
zwar nur das Delta zwischen zwei Lese-Zugriffen (Wrap-Around unkritisch), aber
das Verhalten ist nicht im Header dokumentiert und kann bei nachfolgender
Code-Pflege Fehler erzeugen.
## 2. Risikobewertung ## 2. Risk assessment
| Aspekt | Bewertung | | Aspect | Assessment |
|-------------------|----------------------------------------------------------------| |-------------------|-------------------------------------------------------------------|
| Auswirkung | Theoretisch Watchdog-False-Negative bei Wrap-Around-Vergleich | | Effect | In theory false-negative watchdog on wrap-around comparison |
| Eintritts-Wahrscheinlichkeit | Sehr niedrig (6.8 Jahre Lebensdauer) | | Likelihood | Very low (6.8 years lifetime) |
| Sicherheits-Beitrag | Indirekt — Watchdog ist Teil der SG-01 Implementierung | | Safety contribution | Indirect — watchdog is part of the SG-01 implementation |
## 3. Sofortmassnahme ## 3. Immediate action
Header-Kommentar in `apply_controller.h` ergaenzt: explizite Beschreibung des Header comment in `apply_controller.h` extended: explicit description of wrap-around behaviour. The watchdog implementation (in SWA-001) must use `uint32_t` subtraction for delta comparison (wrap-safe).
Wrap-Around-Verhaltens. Watchdog-Implementierung (in SWA-001) muss Delta-
Vergleich mit `uint32_t` Subtraktion verwenden (Wrap-safe).
## 4. Korrekturmassnahme (Root-Cause) ## 4. Corrective action (root cause)
Im Code-Review-Checklisten-Eintrag "Integer-Ueberlauf-Verhalten dokumentieren" Add the checklist item "document integer overflow behaviour" to the code-review checklist. Verify in subsequent reviews.
ergaenzen. Pruefung in folgenden Reviews.
## 5. Verifikation ## 5. Verification
- Kommentar in `apply_controller.h` v1.1 (Commit `<hash>`) - Comment in `apply_controller.h` v1.1 (commit `<hash>`)
- Watchdog in SWA-001 verwendet `uint32_t`-Subtraktion (siehe SWA-001 §4) - Watchdog in SWA-001 uses `uint32_t` subtraction (see SWA-001 §4)
- Review-Checkliste aktualisiert - Review checklist updated
## 6. Abschluss ## 6. Closure
Geschlossen am 2026-05-11 durch S. Lohmaier nach Verifikation. Closed on 2026-05-11 by S. Lohmaier after verification.
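Review bot: the watchdog is attributed to SWA-002 in §1 but to SWA-001 in §3 and §5 (the German original carries the same mismatch); a non-conformity should reference one architecture item consistently, otherwise the verification evidence in §5 does not point at the artefact that was actually checked. Also, §5 still cites a `<hash>` placeholder as the commit evidence for a Critical NC that is already marked Closed; either fill in the real commit id or mark the placeholder as demo-only so an auditor does not read it as missing evidence.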
Binary file not shown.
+146
@@ -0,0 +1,146 @@
---
doc-id: SLM-EPB-CM-001
version: 1.0
status: Released
date: 2026-05-12
---
# Configuration Management Plan (CM Plan)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-CM-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ASPICE SUP.8 + ISO 26262-8 §7 |
---
## 1. Purpose
Describes how configuration items are identified, versioned, released, and controlled-change managed.
## 2. Configuration Items (CIs)
The following artefacts are under configuration control:
| Type | Path | Versioning |
|-------------------------|----------------------------------------|------------------------------|
| Source code | `src/**/*.{c,h}` | Git |
| Tests | `tests/**` | Git |
| Requirements | `reqs/{sys,swe}/*.md` | Git + Doorstop item hash |
| Architecture | `arch/{sys,swe}/*.md` | Git + Doorstop item hash |
| Safety Goals | `safety/sg/*.md` | Git |
| Plans (Word) | `docs/plaene/*.docx` | Git + document version block |
| Safety docs (Word) | `docs/safety/*.docx` | Git |
| Manuals (Word) | `docs/manuals/*.docx` | Git |
| Reviews + NCs | `docs/reviews/`, `docs/non-conformities/` | Git |
| MISRA records | `misra/records/*.docx` | Git |
| CI configuration | `.gitea/workflows/*.yml` | Git |
| Build definition | `Makefile`, `Doxyfile` | Git |
| Tools | `tools/*.py` | Git |
## 3. Repository structure
- **Remote:** https://gitea.slohmaier.com/slohmaier/demo-epb
- **Branch `main`:** stable, always released state
- **Branch `develop`:** current development state
- **Feature branches:** `feature/SWE-XXX-...`
- **Bugfix branches:** `bugfix/<issue>-...`
- **Release branches:** `release/vX.Y` (real projects only; demo: from main directly)
## 4. Baselines
A baseline is a frozen, released state. Baselines are set via git tags.
| Baseline type | Tag scheme | When |
|---------------------------|-------------------|----------------------------------------|
| Requirements baseline | `req-vX.Y` | After requirements release |
| Architecture baseline | `arch-vX.Y` | After architecture review |
| Release baseline | `vX.Y.Z` | On productive release |
| Internal snapshot | `snap-YYYY-MM-DD` | On significant intermediate states |
Every tag (specifically `vX.Y.Z`) triggers the release workflow, which produces a bundle.
## 5. Versioning scheme
| Artefact | Scheme |
|-----------------------|------------------------------------------|
| Software release | Semantic Versioning `MAJOR.MINOR.PATCH` |
| Requirements | Doorstop level `X.Y` + date |
| Architecture | Doorstop level `X.Y` + date |
| Word documents | `MAJOR.MINOR` in document header |
## 6. Change control
Changes to configuration items occur via:
1. **Trivial change** (typos, comments): directly on the branch, PR with 1 approval
2. **Normal change** (feature, bug fix): feature branch, PR with reviews per ASIL
3. **Major change** (architecture, safety concept): change request + reviewer quorum
| ASIL | Minimum reviewer count |
|---------|---------------------------------------|
| QM | 1 |
| ASIL-A/B| 1 |
| ASIL-C | 2 (at least 1 technical reviewer) |
| ASIL-D | 2 technical reviewers + Safety Manager |
Reviews are documented in `docs/reviews/REV-XXX.docx`.
## 7. Release process
```
1. All PRs merged into main
2. Branch protected, all CI checks green
3. Release notes drafted in the PR
4. Set tag: git tag -a vX.Y.Z -m "..."
5. Push: git push origin vX.Y.Z
6. Release workflow runs (.gitea/workflows/release.yml):
- Build + tests + coverage
- Traceability + diagrams + API doc
- Bundle Word documents
- Pack source + artefact archives
- Create Gitea release
7. Review release manually (download bundle, inspect)
8. Mark release as "stable"
```
## 8. Retention
| Artefact | Retention |
|--------------------------|----------------------------------------|
| Git repository | Indefinite (Gitea + backup) |
| Release bundles | 10 years after product EOL |
| Reviews + NCs | 10 years after product EOL |
| MISRA records | 10 years after product EOL |
| CI artefacts (short-lived)| 90 days (in Gitea artifacts) |
ISO 26262 requires 10 years after end-of-production-life (assumption).
## 9. Verification
All pull requests pass through:
- Doorstop-equivalent traceability check (`tools/traceability.py check`)
- Build + unit tests
- Static analysis + MISRA check
- Coverage measurement
Only after approval and green CI may a merge into `main` occur.
## 10. Responsibilities
| Role | Task |
|------------------|---------------------------------------------------|
| Configuration Mgr| Maintain this CM Plan, repo hygiene, baselines |
| Developer | Correct branching, meaningful commit messages |
| Reviewer | Review before merge, audit trail |
| Project Owner | Release approval |
## 11. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
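Review bot: §4 ("Every tag ... triggers the release workflow") and step 5 of §7 ("Push: git push origin vX.Y.Z") make any pushed `vX.Y.Z` tag the trigger for building and publishing a release bundle, but the plan says nothing about who may create, move or delete such tags; since the release baseline is what the bundle's integrity rests on, document tag protection for `v*`, `req-*` and `arch-*` on the Gitea side and prefer a signed tag (`git tag -s vX.Y.Z -m "..."`) over the unsigned `-a` in step 4 so a baseline can be attributed to a person and verified later. The CI table in §2 also lists only the `.docx` outputs for NCs and MISRA records; the markdown sources the Project Manual names as the editing location (`docs/non-conformities-md/`, `misra/records-md/`) should be configuration items too. Wording in §1: "controlled-change managed" reads oddly; "and how changes to them are controlled" is clearer.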
+70 -70
@@ -1,107 +1,107 @@
# Project Initiation Document (PID) # Project Initiation Document (PID)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb (Elektrische Parkbremse) | | Project | demo-epb (Electric Parking Brake) |
| Projekt-ID | SLM-EPB-001 | | Project ID | SLM-EPB-001 |
| Auftraggeber | slohmaier.com (Demo-Eigenentwicklung)| | Client | slohmaier.com (in-house demo) |
| Auftragnehmer | Stefan Lohmaier | | Contractor | Stefan Lohmaier |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| Klassifikation | Oeffentlich | | Classification | Public |
--- ---
## 1. Projektzweck ## 1. Project purpose
Demonstration des slohmaier Dev Process anhand einer EPB-Steuergeraet-Software. Ziel ist nicht die produktive Software, sondern der vollstaendige Nachweis von: Demonstration of the slohmaier Dev Process using an EPB ECU software. The goal is not the productive software but a complete demonstration of:
- ASPICE-4.0-konformer Entwicklungsablauf - ASPICE 4.0-compliant development flow
- ISO-26262-konforme Behandlung von Sicherheitsanforderungen (ASIL-D / ASIL-B / QM) - ISO 26262-compliant handling of safety requirements (ASIL-D / ASIL-B / QM)
- MISRA-C-Compliance - MISRA C compliance
- Werkzeugkette: Gitea + Doorstop + Cppcheck + gcov + CppUTest + pandoc - Toolchain: Gitea + Doorstop + Cppcheck + gcov + CppUTest + pandoc
Adressat ist potenzielle Kundschaft, die sehen will, wie ein realer Audit-faehiger Engineering-Stand aussieht. The target audience is potential customers who want to see what a real audit-ready engineering snapshot looks like.
## 2. Produktbeschreibung ## 2. Product description
Eine Electronic Parking Brake (EPB) klemmt im Stillstand zwei Bremssaettel ueber kleine Elektromotoren fest und loest sie bei Anfahrt wieder. Funktionsumfang: An Electric Parking Brake (EPB) clamps two rear callipers via small electric motors at standstill and releases them on drive-away. Functional scope:
- Apply / Release auf Fahrer-Anforderung - Apply / Release on driver request
- Hold-Funktion mit Auto-Apply bei Motor-Aus - Hold function with auto-apply on engine-off
- Drive-Away-Assist (Auto-Release beim Anfahren) - Drive-Away-Assist (auto-release on drive-away)
- Hill-Hold am Berg - Hill-Hold on inclines
- Aktor-Stromueberwachung - Actuator current monitoring
- Service-Modus fuer Werkstatt - Service mode for the workshop
- UDS-Diagnose ueber CAN - UDS diagnostics via CAN
## 3. Sicherheitsziele ## 3. Safety goals
| ID | Sicherheitsziel | ASIL | | ID | Safety goal | ASIL |
|-------|---------------------------------------------------------------|------| |-------|---------------------------------------------------------------|------|
| SG-01 | Verhinderung ungewollten Wegrollens des Fahrzeugs | D | | SG-01 | Prevent unintended vehicle roll-away | D |
| SG-02 | Verhinderung ungewollten Loesens der Parkbremse | D | | SG-02 | Prevent unintended release of the parking brake | D |
| SG-03 | Verhinderung Motorschaden durch Ueberlast | B | | SG-03 | Prevent motor damage from overload | B |
Die Sicherheitsziele werden in den System-Anforderungen (`reqs/sys/`) weiter detailliert. Safety goals are detailed further in the system requirements (`reqs/sys/`).
## 4. Stakeholder ## 4. Stakeholders
| Rolle | Person / Funktion | | Role | Person / Function |
|--------------------|--------------------------------| |--------------------|--------------------------------|
| Project Owner | Stefan Lohmaier | | Project Owner | Stefan Lohmaier |
| Technical Lead | Stefan Lohmaier | | Technical Lead | Stefan Lohmaier |
| Quality Assurance | Stefan Lohmaier | | Quality Assurance | Stefan Lohmaier |
| Reviewer | Externer Reviewer (TBD) | | Reviewer | External reviewer (TBD) |
| Kunde (Demo) | Interessenten / Prospects | | Customer (demo) | Prospects / interested parties |
Bei einem Realprojekt waeren QA und TL personell getrennt; in dieser Demo wird die Rollentrennung dokumentarisch nachgehalten. In a real project QA and TL would be separate persons; in this demo the role separation is kept on paper.
## 5. Liefergegenstaende ## 5. Deliverables
| Artefakt | Format | Status | | Artefact | Format | Status |
|-----------------------------------|---------------|-------------| |-------------------------------------------|---------------|-------------|
| PID, PM-Plan, QA-Plan, SWE-Plan, Test-Plan | Word | Vorhanden | | PID, PM Plan, QA Plan, SWE Plan, Test Plan | Word | Available |
| System-Anforderungen (SYS-001..010) | Doorstop-MD | Vorhanden | | System Requirements (SYS-001..010) | Doorstop MD | Available |
| Software-Anforderungen (SWE-001..025) | Doorstop-MD | Vorhanden | | Software Requirements (SWE-001..025) | Doorstop MD | Available |
| System-Architektur (SA-001..005) | Doorstop-MD | Vorhanden | | System Architecture (SA-001..005) | Doorstop MD | Available |
| Software-Architektur (SWA-001..010) | Doorstop-MD | Vorhanden | | Software Architecture (SWA-001..010) | Doorstop MD | Available |
| Quellcode (3 Demo-Komponenten) | C99 | Vorhanden | | Source code (3 demo components) | C99 | Available |
| Unit-Tests + Coverage-Report | CppUTest, lcov| Vorhanden | | Unit tests + coverage report | CppUTest, lcov | Available |
| MISRA-Report | Cppcheck XML | Vorhanden | | MISRA report | Cppcheck XML | Available |
| Traceability-Matrix | Doorstop HTML | Generiert in CI | | Traceability matrix | Doorstop HTML | Generated in CI |
| Review-Protokoll (Beispiel) | Word | Vorhanden | | Review minutes (example) | Word | Available |
| MISRA Deviation Record (Beispiel) | Word | Vorhanden | | MISRA Deviation Record (example) | Word | Available |
## 6. Zeitplan ## 6. Schedule
Demo-Projekt, Single-Sprint-Erstellung. Eintaegige Initialerstellung, danach Pflege. Demo project, single-sprint creation. One-day initial creation, maintenance thereafter.
| Phase | Start | Ende | | Phase | Start | End |
|------------------------|-------------|-------------| |-------------------------------|-------------|-------------|
| Konzept + Setup | 2026-05-11 | 2026-05-11 | | Concept + setup | 2026-05-11 | 2026-05-11 |
| Requirements + Architektur | 2026-05-11 | 2026-05-11 | | Requirements + architecture | 2026-05-11 | 2026-05-11 |
| Implementierung Demo-Komponenten | 2026-05-11 | 2026-05-11 | | Implementation of demo components | 2026-05-11 | 2026-05-11 |
| Tests + CI | 2026-05-11 | 2026-05-11 | | Tests + CI | 2026-05-11 | 2026-05-11 |
| Freigabe v1.0 | 2026-05-11 | 2026-05-11 | | Release v1.0 | 2026-05-11 | 2026-05-11 |
## 7. Budget ## 7. Budget
Demo-Projekt, kein externes Budget. Aufwand intern. Demo project, no external budget. Internal effort.
## 8. Risiken ## 8. Risks
| Risiko | Wahrsch. | Auswirkung | Massnahme | | Risk | Likelihood | Impact | Mitigation |
|-----------------------------------------|----------|------------|-------------------------------------------| |-----------------------------------------------|------------|--------|----------------------------------------------|
| Demo wird als produktreifer Code missverstanden | M | M | README + Disclaimer explicit kennzeichnen | | Demo is mistaken for production-ready code | M | M | Disclaimer in README + plain labelling |
| MISRA-Tooling-Update bricht CI | N | M | Tool-Versionen in CI pinnen | | MISRA tooling update breaks CI | L | M | Pin tool versions in CI |
| Reviewer-Verfuegbarkeit | M | N | Self-Review dokumentiert (Demo) | | Reviewer availability | M | L | Self-review documented (demo only) |
## 9. Erfolgskriterien ## 9. Success criteria
- Alle 35 Anforderungen sind verlinkt und durch Architektur abgedeckt - All 35 requirements are linked and covered by architecture
- `doorstop check` ist gruen - `doorstop check` is green
- MISRA-Check in CI ist gruen (mit dokumentierten Deviations) - MISRA check in CI is green (with documented deviations)
- Coverage der Demo-Komponenten >= Zielwert (siehe SWE-Plan) - Demo-component coverage meets target (see SWE Plan)
- Demo-Tour im README ist fuer einen Prospect in <30 min nachvollziehbar - The guided tour in the README is navigable by a prospect in < 30 min
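Review bot: §9 lists "`doorstop check` is green" as a success criterion, but the CM Plan in this same commit (§9 Verification) describes the check as a Doorstop-equivalent script, `tools/traceability.py check`, and the Project Manual calls the format "Doorstop-style"; align the criterion with the command CI actually runs, otherwise the criterion cannot be evidenced from the pipeline. Grammar in §1: "using an EPB ECU software" should be "using EPB ECU software".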
+44 -44
@@ -1,63 +1,63 @@
# Projektmanagement-Plan (PM-Plan) # Project Management Plan (PM Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Projektorganisation ## 1. Project organisation
Single-Person-Projekt mit dokumentierter Rollentrennung. In einem Real-Projekt waeren QA, TL und Entwickler personell getrennt; hier wird der Audit-Trail durch Self-Review mit Begruendung gefuehrt (siehe SWE-Plan, Abschnitt 5). Single-person project with documented role separation. In a real project, QA, TL, and developer would be separate persons; here the audit trail is maintained through self-review with rationale (see SWE Plan, section 5).
## 2. Arbeitspakete ## 2. Work packages
| WP-ID | Arbeitspaket | Verantwortlich | Status | | WP-ID | Work package | Owner | Status |
|-------|--------------------------------------------|----------------|--------------| |-------|---------------------------------------------|----------------|--------|
| WP-01 | Projektplanung (PID, PM-Plan, QA-Plan, SWE-Plan, Test-Plan) | S. Lohmaier | Done | | WP-01 | Project planning (PID, PM, QA, SWE, Test) | S. Lohmaier | Done |
| WP-02 | System-Anforderungen (SYS-001..010) | S. Lohmaier | Done | | WP-02 | System Requirements (SYS-001..010) | S. Lohmaier | Done |
| WP-03 | Software-Anforderungen (SWE-001..025) | S. Lohmaier | Done | | WP-03 | Software Requirements (SWE-001..025) | S. Lohmaier | Done |
| WP-04 | System-Architektur (SA-001..005) | S. Lohmaier | Done | | WP-04 | System Architecture (SA-001..005) | S. Lohmaier | Done |
| WP-05 | Software-Architektur (SWA-001..010) | S. Lohmaier | Done | | WP-05 | Software Architecture (SWA-001..010) | S. Lohmaier | Done |
| WP-06 | Implementierung Demo-Komponenten | S. Lohmaier | Done | | WP-06 | Implementation of demo components | S. Lohmaier | Done |
| WP-07 | Unit-Tests + Coverage | S. Lohmaier | Done | | WP-07 | Unit tests + coverage | S. Lohmaier | Done |
| WP-08 | CI-Pipeline (Gitea Actions) | S. Lohmaier | Done | | WP-08 | CI pipeline (Gitea Actions) | S. Lohmaier | Done |
| WP-09 | Audit-Artefakte (Review, NC, MISRA-Record) | S. Lohmaier | Done | | WP-09 | Audit artefacts (Review, NC, MISRA record) | S. Lohmaier | Done |
## 3. Aenderungsverwaltung ## 3. Change control
- Aenderungen an freigegebenen Artefakten erfolgen ueber Pull Requests - Changes to released artefacts go through pull requests
- Jeder PR braucht mindestens 1 Approval (siehe SWE-Plan, Abschnitt 5) - Every PR needs at least 1 approval (see SWE Plan, section 5)
- Bei Aenderung von Architektur oder Anforderungen ist die Traceability-Matrix neu zu erzeugen (`doorstop publish`) - When requirements or architecture change, the traceability matrix must be regenerated (`doorstop publish`)
- Aenderungshistorie wird in der jeweiligen `.md`-Datei oder Word-Datei revisioniert - Revision history is maintained inside the respective `.md` file or Word document
## 4. Konfigurationsmanagement ## 4. Configuration management
| Artefakt-Typ | Versionsverwaltung | Baseline-Mechanismus | | Artefact type | Versioning | Baseline mechanism |
|-----------------------|------------------------|--------------------------| |-------------------|-----------------------|------------------------------------|
| Code | Git (Gitea) | Git-Tag (z.B. v1.0.0) | | Code | Git (Gitea) | Git tag (e.g. v1.0.0) |
| Anforderungen / Arch | Git + Doorstop | Git-Tag + doorstop publish | | Requirements / Arch | Git + Doorstop | Git tag + doorstop publish |
| Word-Dokumente | Git | Datei-Versionsstempel + Revisions-History im Dokument | | Word documents | Git | File version stamp + revision history in the document |
| CI-Konfiguration | Git | Versionsdatei + Tag | | CI configuration | Git | Version pin + tag |
## 5. Kommunikation ## 5. Communication
| Kanal | Zweck | | Channel | Purpose |
|---------------|-----------------------------------| |---------------|--------------------------------------|
| Gitea Issues | Bug-Tracking, Tasks | | Gitea Issues | Bug tracking, tasks |
| Gitea PRs | Review, Approval, Audit-Trail | | Gitea PRs | Review, approval, audit trail |
| Matrix Chat | Schnelle Abstimmung | | Matrix chat | Quick alignment |
| E-Mail | Formelle Freigaben (CC: Auftraggeber) | | Email | Formal releases (cc client) |
## 6. Berichtswesen ## 6. Reporting
- Wochenstatus per E-Mail (in Real-Projekten) - Weekly status by email (in real projects)
- Audit-Report bei Projektabschluss (PDF aus Doorstop + Word-Plaene) - Audit report at project closure (PDF from Doorstop + Word plans)
- Coverage- und MISRA-Reports werden bei jedem Push aktualisiert (CI-Artefakte) - Coverage and MISRA reports are refreshed on every push (CI artefacts)
## 7. Abschluss ## 7. Closure
Projekt gilt als abgeschlossen, wenn alle Erfolgskriterien aus dem PID erfuellt sind und ein Git-Tag `v1.0` gesetzt ist. The project is considered closed when all success criteria from the PID are met and the `v1.0` git tag is set.
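Review bot: §7 closes the project on the git tag `v1.0`, while §4 of this same plan gives `v1.0.0` as the example and the CM Plan's release scheme is `vX.Y.Z`; a two-part tag would not match the release-workflow trigger, so write `v1.0.0` here. Also in §4, "Version pin + tag" drifts from the German "Versionsdatei + Tag" (version file + tag); if a version file is the actual mechanism, keep that wording. §3 still refers to `doorstop publish` although the CM Plan describes the traceability tooling as a Doorstop-equivalent script.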
+168
@@ -0,0 +1,168 @@
---
doc-id: SLM-EPB-PM-MAN-001
version: 1.0
status: Released
date: 2026-05-12
---
# Project Manual — demo-epb
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb (Electric Parking Brake) |
| Document ID | SLM-EPB-PM-MAN-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Audience | New project members, auditors |
---
## 1. Purpose
This Project Manual is the entry point to the demo-epb project. It answers:
- What is being built?
- Which documents exist, in what reading order?
- Who is responsible for what?
- How does the development and release cycle work?
## 2. What is demo-epb?
A complete demo of the **slohmaier Dev Process** using an EPB ECU software. The goal is **not** the productive software, but evidence of ASPICE 4.0 / ISO 26262-compliant development.
Detail: `docs/plaene/PID.docx`.
## 3. Reading order for new project members
| Day | Document | Why |
|-----|----------------------------------------|----------------------------------------|
| 1 | this Project Manual | Orientation |
| 1 | `PID.docx` | What + Why |
| 1 | `User-Manual.docx` | Product understanding |
| 2 | `HARA.docx` + `Safety-Case.docx` | Safety concept |
| 2 | `SWE-Plan.docx` + `QA-Plan.docx` | Engineering conventions |
| 3 | `reqs/` + `arch/` (markdown) | Requirements + architecture |
| 3 | `src/apply_controller.c` | Example ASIL-D code |
| 4 | `traceability/index.html` | Wiring of artefacts |
| 4 | `coverage/index.html` | What is tested |
| 5 | Maintain this manual | Onboarding for the next person |
## 4. Document landscape
```
demo-epb/
├── docs/plaene/ ← PID, PM Plan, QA Plan, SWE Plan, Test Plan, CM Plan, RM Plan
├── docs/safety/ ← HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification
├── docs/manuals/ ← User Manual, Service Manual
├── docs/reviews/ ← Review minutes
├── docs/non-conformities/ ← NC entries
├── misra/records/ ← MISRA deviation records
├── reqs/sys/ ← Doorstop MD system requirements
├── reqs/swe/ ← Doorstop MD software requirements
├── arch/sys/ ← Doorstop MD system architecture + PlantUML
├── arch/swe/ ← Doorstop MD software architecture + PlantUML
├── safety/sg/ ← Doorstop MD safety goals (ASIL derivation)
├── src/ ← C source, with @arch + @reqs tags in headers
├── tests/ ← Unit tests with @reqs tags
├── tools/ ← Python helper scripts (traceability, PlantUML, reports)
├── .gitea/workflows/ ← CI pipelines (validate + release)
└── docs/index.html ← Auto-generated landing page
```
A clickable overview is `docs/index.html` (open in browser).
## 5. Roles and responsibilities
| Role | Responsibility | Person (demo) |
|--------------------|-------------------------------------------------------|--------------------------|
| Project Owner | Strategic decisions, release approval | Stefan Lohmaier |
| Technical Lead | Architecture, code reviews, technical decisions | Stefan Lohmaier |
| Safety Manager | HARA, Safety Case, ASIL conformance | Stefan Lohmaier (demo) |
| QA Officer | QA Plan maintenance, audit preparation | Stefan Lohmaier (demo) |
| Configuration Mgr | Baselines, releases, git repo hygiene | Stefan Lohmaier (demo) |
| Developer | Implementation per architecture + tests | Stefan Lohmaier (demo) |
| Reviewer | Code and document reviews | External reviewer (TBD) |
In this demo one person fills all roles; in a real project with ASIL-C/D these are to be separated personnel-wise (developer ≠ reviewer for safety-critical code).
## 6. Development lifecycle
```
Requirement
Architecture (Markdown + PlantUML)
Implementation (C, with @arch + @reqs)
Unit test (CppUTest-like framework, with @reqs)
Pull request (branch → main)
CI: build + test + coverage + MISRA + traceability check
Code review (approval required per ASIL)
Merge to main
▼ (at release point)
Tag v*.*.*
CI release workflow: bundle + Gitea release
```
## 7. Release strategy
- **Pull requests** need at least 1 approval (more for ASIL-C/D, see SWE Plan)
- **Tags** of the form `vMAJOR.MINOR.PATCH` trigger the release workflow
- **Release bundle** contains source + all reports + all Word documents
- **Audit readiness** is maintained continuously (git history + document lifecycle)
## 8. Where to report problems
| Problem type | Where to document |
|----------------------|------------------------------------------------|
| Bug | Gitea issue (tag `bug`) |
| Requirement change | Gitea issue (tag `requirement`) + Doorstop update |
| Non-conformity | `docs/non-conformities-md/NC-XXX.md` → Word |
| MISRA deviation | `misra/records-md/MISRA-REC-XXX.md` → Word |
| Safety problem | Escalate to Safety Manager + NC |
## 9. Tools
See `infrastructure/` in the iCloud workspace for setup details. Short list:
- **Gitea** (gitea.slohmaier.com) — source control + CI + releases
- **Doorstop-style** Markdown — requirements + architecture
- **PlantUML** — diagrams (embedded)
- **Cppcheck** + **GCC -Werror** — static analysis + MISRA
- **gcov/lcov** — coverage
- **Doxygen** — API doc
- **pandoc** — Markdown → Word/PDF
- **Python** (stdlib) — traceability + report generators
## 10. Related documents
| Plan | File | Content |
|----------------------|------------------------------------|----------------------------------------|
| Project Initiation | `PID.docx` | What + Why |
| Project Management | `PM-Plan.docx` | Work packages, schedule, stakeholders |
| Quality Assurance | `QA-Plan.docx` | Reviews, audits, NC management |
| Configuration Mgmt | `CM-Plan.docx` | Baselines, releases, change control |
| Risk Management | `RM-Plan.docx` | Risks, mitigation, monitoring |
| Software Development | `SWE-Plan.docx` | Language, standards, coverage targets |
| Test | `Test-Plan.docx` | Test strategy |
## 11. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
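Review bot: Section 9 of the Project Manual points to a location outside the repository (`infrastructure/` in the iCloud workspace) for tool setup, which an auditor working from the release bundle cannot follow; either add a setup note under `docs/` or name the CM Plan as the in-repo reference. Also, section 8 documents non-conformities at `docs/non-conformities-md/NC-XXX.md` → Word, while section 4 of the QA Plan in this same change keeps `docs/non-conformities/NC-XXX.docx`; the two paths should agree (the `-md/` source plus Word in `docs/` pattern that QA Plan section 5 uses for plans would be the consistent choice).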
+47 -47
View File
@@ -1,67 +1,67 @@
# Qualitaetssicherungs-Plan (QA-Plan) # Quality Assurance Plan (QA Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Qualitaetsziele ## 1. Quality goals
- Vollstaendige Traceability: SYS → SA → SWE → SWA → Code → Test - Complete traceability: SYS → SA → SWE → SWA → Code → Test
- 0 MISRA-Required-Violations (Deviations dokumentiert) - 0 MISRA Required violations (deviations documented)
- 0 statische-Analyse-Findings auf High/Error-Level - 0 static-analysis findings at High / Error level
- Coverage-Ziele (siehe SWE-Plan Abschnitt 8) eingehalten - Coverage targets met (see SWE Plan section 8)
- Alle PRs reviewed und approved - All PRs reviewed and approved
## 2. Qualitaetsmassnahmen ## 2. Quality measures
| Massnahme | Tool / Methode | Frequenz | | Measure | Tool / Method | Frequency |
|---------------------------------|----------------------------|----------------| |----------------------------------|------------------------------|------------------|
| Traceability-Check | `doorstop check` | jeder Push | | Traceability check | `doorstop check` | every push |
| MISRA-Check | Cppcheck + MISRA-Addon | jeder Push | | MISRA check | Cppcheck + MISRA addon | every push |
| Static Analysis | Cppcheck, clang-tidy | jeder Push | | Static analysis | Cppcheck, clang-tidy | every push |
| Unit Tests | CppUTest | jeder Push | | Unit tests | CppUTest | every push |
| Coverage | gcov / lcov | jeder Push | | Coverage | gcov / lcov | every push |
| Peer Review | Gitea PRs | jede Aenderung | | Peer review | Gitea PRs | every change |
| Architektur-Review | Technical Review, 2 Approver | bei Aenderung | | Architecture review | Technical review, 2 approvers | on changes |
| Audit-Vorbereitung | doorstop publish + Word-Doku | bei Release | | Audit preparation | doorstop publish + Word docs | on release |
## 3. Reviews ## 3. Reviews
| Artefakt | Review-Typ | Min. Approver | | Artefact | Review type | Min. approvers |
|-----------------------------|-------------------|----------------| |--------------------------------|---------------------|-----------------|
| Anforderungen | Technical Review | 1 | | Requirements | Technical review | 1 |
| Architektur-Element | Technical Review | 2 | | Architecture element | Technical review | 2 |
| Code (QM / ASIL-A/B) | Peer Review | 1 | | Code (QM / ASIL-A/B) | Peer review | 1 |
| Code (ASIL-C/D) | Technical Review | 2 | | Code (ASIL-C/D) | Technical review | 2 |
| Plaene und Berichte | Peer Review | 1 | | Plans and reports | Peer review | 1 |
| MISRA Deviation Permit | Technical Lead | 1 | | MISRA deviation permit | Technical lead | 1 |
## 4. Non-Conformity Management ## 4. Non-conformity management
Abweichungen vom Plan oder von Anforderungen werden als Non-Conformity (NC) dokumentiert: Deviations from the plan or from requirements are documented as a non-conformity (NC):
- Pfad: `docs/non-conformities/NC-XXX.docx` - Path: `docs/non-conformities/NC-XXX.docx`
- Jede NC erhaelt eine eindeutige ID - Each NC has a unique ID
- Schwere-Klassifizierung: Critical / Major / Minor - Severity classification: Critical / Major / Minor
- Korrekturmassnahme und Verifikation werden nachgehalten - Corrective action and verification are tracked
- Beispiel-NC vorhanden: NC-001 - Example NC present: NC-001
## 5. Audit-Vorbereitung ## 5. Audit preparation
Audit-Faehigkeit wird durchgehend erhalten: Audit readiness is maintained continuously:
- Git-History ist Audit-Trail (kein direkter Push auf `main`) - Git history is the audit trail (no direct push to `main`)
- `docs/plans-md/` enthaelt die freigegebenen Plaene (Word in `docs/` daneben) - `docs/plans-md/` holds the released plans (Word in `docs/` alongside)
- `docs/traceability/` enthaelt automatisch generierte Matrizen - `docs/traceability/` holds the auto-generated matrices
- `misra/records/` enthaelt MISRA-Deviation-Records - `misra/records/` holds MISRA deviation records
- `tests/results/` enthaelt Test- und Coverage-Reports (CI-Artefakte) - `tests/results/` holds test and coverage reports (CI artefacts)
- `docs/reviews/` enthaelt Review-Protokolle - `docs/reviews/` holds review minutes
## 6. Verbesserungsmassnahmen ## 6. Improvement actions
Jeder Sprint-Abschluss enthaelt eine kurze Lessons-Learned-Notiz in `docs/lessons-learned/`. In dieser Demo verzichtet, da Single-Sprint-Projekt. Every sprint closure includes a brief lessons-learned note in `docs/lessons-learned/`. Skipped in this demo because it is a single-sprint project.
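Review bot: Section 2 of the QA Plan still names `doorstop check` as the traceability check on every push, while the RM Plan added in this change records under R-08 that the project uses its own `traceability.py` with no doorstop dependency, and the Project Manual lists "Doorstop-style Markdown" rather than Doorstop; update the row to name the script CI actually runs, otherwise the quality measure cannot be verified against the workflow. The unit-test row lists `CppUTest`, whereas the Project Manual lifecycle says "CppUTest-like framework"; pick one description and use it in both documents.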
+108
View File
@@ -0,0 +1,108 @@
---
doc-id: SLM-EPB-RM-001
version: 1.0
status: Released
date: 2026-05-12
---
# Risk Management Plan (RM Plan)
| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-RM-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ASPICE MAN.5 |
---
## 1. Purpose
Identifies, assesses, and treats **project risks** (organisational, technical, schedule, resource). Distinct from **functional safety risks** (hazards), which live in the HARA.
## 2. Methodology
| Step | Activity |
|-------------------|---------------------------------------------------|
| 1. Identification | Workshops, lessons learned, stakeholder input |
| 2. Classification | Probability (P) × Impact (I) |
| 3. Assessment | Risk score = P × I (1-25) |
| 4. Treatment | Avoid / Mitigate / Accept / Transfer |
| 5. Monitoring | Quarterly review, status updates |
### 2.1 Classification scale
| Probability | Meaning |
|-------------|----------------------------|
| 1 | Very unlikely |
| 2 | Unlikely |
| 3 | Possible |
| 4 | Likely |
| 5 | Very likely |
| Impact | Meaning |
|--------|------------------------------------------|
| 1 | Negligible |
| 2 | Minor delay / additional effort |
| 3 | Noticeable impact on schedule/budget |
| 4 | Significant impact, project at risk |
| 5 | Project stop |
| Score range | Action |
|-------------|----------------------------------------|
| 1-4 | Accept, monitor |
| 5-9 | Mitigate (plan) |
| 10-15 | Mitigate (immediate, with escalation) |
| 16-25 | Escalate to Project Owner |
## 3. Risk register
| ID | Description | P | I | Score | Treatment | Status |
|-------|----------------------------------------------------------|---|---|-------|------------------------------------------|------------|
| R-01 | Demo is mistaken for production-ready code | 3 | 3 | 9 | Disclaimer in README + Project Manual | Mitigated |
| R-02 | MISRA tooling update breaks CI (false positives) | 2 | 3 | 6 | Pin tool versions, regression suite | Mitigated |
| R-03 | Reviewer availability for ASIL-D | 3 | 4 | 12 | Self-review documented (demo only) | Accepted (demo) |
| R-04 | Gitea server outage | 2 | 4 | 8 | Local clones, regular backups | Mitigated |
| R-05 | Apple certificate expiry without warning | 3 | 3 | 9 | Renewal reminder + 30-day notice | Mitigated |
| R-06 | Windows build VM unreliable (busybox-PATH conflicts) | 4 | 2 | 8 | MSYS2 documented, alt PATH ordering | Open |
| R-07 | macOS act_runner host-mode cache bug | 3 | 2 | 6 | continue-on-error, documented | Open |
| R-08 | Doorstop tool compatibility on upgrade | 2 | 3 | 6 | Own traceability.py, no doorstop dep | Mitigated |
| R-09 | Knowledge loss with single-person setup | 4 | 4 | 16 | Maintain Project Manual + documentation | Open |
## 4. Risk reviews
| Frequency | Participants | Outputs |
|--------------|--------------------------|--------------------------------------|
| Quarterly | Project Owner + TL | Updated register, action items |
| On change | Affected roles | Risk score update |
| At release | Project Owner + QA | Residual-risk assessment |
## 5. Escalation path
```
Risk owner (daily)
│ Score > 9
Project Owner (weekly)
│ Score > 15
Stakeholder / Client (immediately)
```
## 6. Lessons learned
Closed risks are summarised at project closure under `docs/lessons-learned/`, to better assess follow-up projects.
## 7. Related documents
- `PM-Plan.docx` — Top-level risks (summary)
- `HARA.docx` — Functional safety risks (hazards, separate from project risks)
- `QA-Plan.docx` — Non-conformity management
## 8. Revision history
| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | First release | S. Lohmaier|
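Review bot: The risk register in section 3 does not follow the action bands of section 2.1: R-09 scores 16, which the table maps to "Escalate to Project Owner", yet it is listed as Open with only "Maintain Project Manual + documentation" as treatment and no escalation recorded; R-03 scores 12 (band 10-15, "Mitigate (immediate, with escalation)") but is marked "Accepted (demo)". Either record the escalation and the acceptance decision in the register (who accepted, when) or add a demo exception to section 2.1, so the register and the policy agree.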
+76 -76
View File
@@ -1,114 +1,114 @@
# Software Development Plan (SWE-Plan) # Software Development Plan (SWE Plan)
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| ASIL | D (hoechste Komponente) | | ASIL | D (highest component) |
--- ---
## 1. Entwicklungsmethode ## 1. Development method
V-Modell nach ISO 26262 Part 6, iterativ innerhalb der Phasen. Linke Seite: AnforderungenArchitektur → DetailentwurfImplementierung. Rechte Seite: Unit-Test → Integrationstest → Systemtest. V-model per ISO 26262 Part 6, iterative within phases. Left side: requirementsarchitecturedetailed designimplementation. Right side: unit test → integration test → system test.
Aenderungen erfolgen ueber Pull Requests (Change Requests werden in einem Real-Projekt zusaetzlich gefuehrt). Changes go through pull requests (change requests are tracked separately in a real project).
## 2. Programmiersprache und Standards ## 2. Programming language and standards
| Aspekt | Festlegung | | Aspect | Decision |
|---------------------|-----------------------------------------------------| |---------------------|-----------------------------------------------------|
| Sprache | C (C99) | | Language | C (C99) |
| Coding Standard | MISRA C:2012 (Required + Mandatory einzuhalten) | | Coding standard | MISRA C:2012 (Required + Mandatory mandatory) |
| Naming | snake_case fuer Funktionen, UPPER_CASE fuer Makros | | Naming | snake_case for functions, UPPER_CASE for macros |
| Header-Format | `@file`, `@arch`, `@reqs` Tags fuer Code → Doku-Link | | Header format | `@file`, `@arch`, `@reqs` tags linking code to docs |
### MISRA-Handhabung ### MISRA handling
- Required- und Mandatory-Regeln verpflichtend - Required and Mandatory rules are mandatory
- Advisory-Regeln projektspezifisch (siehe `misra/permits/`) - Advisory rules are project-specific (see `misra/permits/`)
- Abweichungen pro Stelle: MISRA Deviation Record (`misra/records/`) - Per-site deviations: MISRA deviation record (`misra/records/`)
- Projektweite Abweichungen: MISRA Deviation Permit (`misra/permits/`) - Project-wide deviations: MISRA deviation permit (`misra/permits/`)
- MISRA-Pruefung in der CI (`cppcheck --addon=misra --error-exitcode=1`) - MISRA check runs in CI (`cppcheck --addon=misra --error-exitcode=1`)
## 3. Build-Umgebung ## 3. Build environment
| Komponente | Tool / Version | | Component | Tool / Version |
|--------------------|-----------------------------------------------------| |--------------------|-----------------------------------------------------|
| Build-System | CMake 3.20+ | | Build system | CMake 3.20+ |
| Compiler | GCC (Host fuer Demo-Tests; ARM-GCC fuer Target) | | Compiler | GCC (host for demo tests; ARM-GCC for target) |
| Zielplattform | ARM Cortex-M4 (Annahme; Demo-Tests auf x86_64 Host) | | Target platform | ARM Cortex-M4 (assumption; demo tests run on x86_64 host) |
| Host-Plattform | macOS / Linux x86_64 | | Host platform | macOS / Linux x86_64 |
| CI-Runner | Gitea Actions Docker-Image | | CI runner | Gitea Actions Docker image |
## 4. Branching-Strategie ## 4. Branching strategy
``` ```
main — Stabiler, freigegebener Stand main — stable, released state
develop — Aktueller Entwicklungsstand develop — current development state
feature/SWE-XXX — Feature-Branch pro Anforderung feature/SWE-XXX — feature branch per requirement
bugfix/BUG-XXX — Bugfix-Branch bugfix/BUG-XXX — bug-fix branch
``` ```
- `main` und `develop` sind geschuetzt (kein direkter Push) - `main` and `develop` are protected (no direct push)
- Merge nur ueber PR mit Approval - Merge only via PR with approval
- Branch-Name enthaelt Issue- oder Anforderungs-Nummer - Branch name includes the issue or requirement number
## 5. Review-Verpflichtungen ## 5. Review obligations
| Artefakt | Review-Art | Mindest-Approvals | | Artefact | Review type | Min. approvals |
|-----------------------------|-------------------|--------------------| |-----------------------------|---------------------|-----------------|
| Quellcode QM / ASIL-A/B | Peer Review | 1 | | Source code QM / ASIL-A/B | Peer review | 1 |
| Quellcode ASIL-C/D | Technical Review | 2 | | Source code ASIL-C/D | Technical review | 2 |
| Architektur-Dokument | Technical Review | 2 | | Architecture document | Technical review | 2 |
| Anforderung | Technical Review | 1 | | Requirement | Technical review | 1 |
| Testfaelle | Peer Review | 1 | | Test cases | Peer review | 1 |
| MISRA Permit | Technical Lead | 1 | | MISRA permit | Technical lead | 1 |
Single-Person-Demo: Self-Review mit dokumentierter Pruefliste; in einem Real-Projekt nicht zulaessig. Single-person demo: self-review with documented checklist; not permissible in a real project.
## 6. Definition of Done ## 6. Definition of Done
- Code kompiliert fehlerfrei - Code compiles without errors
- MISRA-Check in CI ist gruen - MISRA check in CI is green
- Statische Analyse (Cppcheck, clang-tidy) ohne neue Findings - Static analysis (Cppcheck, clang-tidy) has no new findings
- Unit Tests gruen - Unit tests are green
- Coverage-Ziel erreicht - Coverage target reached
- PR reviewed und approved - PR reviewed and approved
- Anforderung mit Test verlinkt (`@reqs` Tag im Code + Test-Datei) - Requirement linked to a test (`@reqs` tag in code + test file)
- Architektur-Element verlinkt (`@arch` Tag im Code) - Architecture element linked (`@arch` tag in code)
## 7. Integration und Test-Strategie ## 7. Integration and test strategy
| Teststufe | Verantwortlich | Umgebung | Automatisierung | | Test level | Owner | Environment | Automation |
|---------------------|----------------|----------------|-----------------| |--------------------|----------------|---------------|------------------|
| Unit Test | Entwickler | Host (x86) | CI | | Unit test | Developer | Host (x86) | CI |
| Integrationstest | Entwickler | Host / SiL | CI / manuell | | Integration test | Developer | Host / SiL | CI / manual |
| Systemtest | QA | SiL / HiL | teilweise | | System test | QA | SiL / HiL | partial |
| Abnahmetest | Auftraggeber | HiL / Fahrzeug | manuell | | Acceptance test | Customer | HiL / vehicle | manual |
Demo: nur Unit-Tests auf Host. Demo: only unit tests on host.
## 8. Coverage-Ziele ## 8. Coverage targets
| ASIL | Statement | Branch | MC/DC | Konkret im Projekt | | ASIL | Statement | Branch | MC/DC | Concrete in this project |
|------|-----------|--------|----------|---------------------| |------|-----------|--------|----------|---------------------------|
| QM | >= 80% | — | — | Switch Debouncer | | QM | 80% | — | — | Switch Debouncer |
| B | >= 80% | >= 80% | — | Actuator Driver | | B | 80% | 80% | — | Actuator Driver |
| D | >= 90% | >= 90% | >= 80% | Apply Controller | | D | 90% | 90% | 80% | Apply Controller |
Coverage wird per `gcov` / `lcov` in der CI gemessen und nach `tests/results/coverage/` abgelegt. Coverage is measured via `gcov` / `lcov` in CI and stored under `tests/results/coverage/`.
## 9. Toolqualifikation ## 9. Tool qualification
| Tool | Verwendung | Qualifikations-Status (Demo) | | Tool | Use | Qualification status (demo) |
|-------------------|------------------------------|----------------------------------------------| |-------------------|------------------------------|-----------------------------------------------|
| GCC | Compilation | Eigene Qualifizierung (in Realprojekt) | | GCC | Compilation | Own qualification (in real project) |
| Cppcheck + MISRA | Statische Analyse / MISRA | Tool-Confidence Level TCL2 / Tool-Class T2 | | Cppcheck + MISRA | Static analysis / MISRA | Tool Confidence Level TCL2 / Tool Class T2 |
| CppUTest | Unit-Tests | TCL1 / T1 (Fehler vom Entwickler erkannt) | | CppUTest | Unit tests | TCL1 / T1 (defects caught by developer) |
| gcov / lcov | Coverage | TCL1 / T1 | | gcov / lcov | Coverage | TCL1 / T1 |
| Doorstop | Traceability | TCL1 / T1 | | Doorstop | Traceability | TCL1 / T1 |
Demo enthaelt keine vollstaendigen Tool-Qualification-Reports; in einem Real-Projekt waeren diese im Anhang. The demo does not include full tool-qualification reports; in a real project these would live in an appendix.
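Review bot: In the coverage table of section 8 the `>=` of the old rows (`>= 80%`, `>= 90%`) has no counterpart on the new side, which now reads as exact values (`80%`, `90%`); if the translation replaced it with `≥`, check that the character survives pandoc and the Word export, because a target of "at least 80%" has silently become "80%" here. Minor wording in section 2: "MISRA C:2012 (Required + Mandatory mandatory)" should read "Required and Mandatory rules must be complied with", matching the first bullet under MISRA handling.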
+42 -42
View File
@@ -1,63 +1,63 @@
# Test-Plan # Test Plan
| Feld | Wert | | Field | Value |
|-----------------|--------------------------------------| |-----------------|--------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
--- ---
## 1. Teststrategie ## 1. Test strategy
Test-First fuer alle Demo-Komponenten. Jede Anforderung erhaelt mindestens einen Test (`@reqs` Tag im Test). Coverage-Ziele wie im SWE-Plan Abschnitt 8. Test-first for all demo components. Every requirement has at least one test (`@reqs` tag in the test). Coverage targets as in the SWE Plan section 8.
## 2. Teststufen ## 2. Test levels
| Stufe | Scope | Tool | Umgebung | Demo-Status | | Level | Scope | Tool | Environment | Demo status |
|---------------|--------------------|------------|------------|-------------| |---------------|--------------------|------------|-------------|---------------|
| Unit | Funktionen / Module| CppUTest | Host x86 | Vorhanden | | Unit | Functions / modules| CppUTest | host x86 | Available |
| Integration | Modulzusammenspiel | CppUTest | Host x86 | TBD | | Integration | Module interaction | CppUTest | host x86 | TBD |
| System | End-to-end | manuell | SiL / HiL | nicht im Demo | | System | End-to-end | manual | SiL / HiL | not in demo |
| Abnahme | Kundenabnahme | manuell | HiL / KFZ | nicht im Demo | | Acceptance | Customer acceptance| manual | HiL / vehicle | not in demo |
## 3. Test-Verwaltung ## 3. Test management
- Tests liegen in `tests/unit/` (eine Datei pro Modul) - Tests live in `tests/unit/` (one file per module)
- Test-Datei enthaelt `@reqs` Tag mit den abgedeckten Anforderungs-IDs - Each test file carries an `@reqs` tag with the covered requirement IDs
- Test-Lauf erfolgt automatisch in der CI bei jedem Push - Tests run automatically in CI on every push
- Coverage-Report wird als CI-Artefakt unter `tests/results/coverage/` abgelegt - Coverage report is uploaded as a CI artefact under `tests/results/coverage/`
## 4. Test-Auswahl je Komponente ## 4. Test selection per component
| Komponente | ASIL | Test-Datei | Methodik | | Component | ASIL | Test file | Method |
|--------------------|------|--------------------------------------|--------------------------| |--------------------|------|---------------------------------------|---------------------------------|
| Apply Controller | D | tests/unit/test_apply_controller.cpp | Equivalence Classes + Boundary + MC/DC | | Apply Controller | D | tests/unit/test_apply_controller.c | Equivalence classes + boundary + MC/DC |
| Actuator Driver | B | tests/unit/test_actuator_driver.cpp | Equivalence Classes + Boundary | | Actuator Driver | B | tests/unit/test_actuator_driver.c | Equivalence classes + boundary |
| Switch Debouncer | QM | tests/unit/test_switch_debouncer.cpp | Equivalence Classes | | Switch Debouncer | QM | tests/unit/test_switch_debouncer.c | Equivalence classes |
## 5. Eingangs- und Abschlusskriterien ## 5. Entry and exit criteria
**Eingang fuer Testdurchfuehrung:** **Entry to test execution:**
- Code kompiliert - Code compiles
- Doorstop-Check gruen - Doorstop check is green
- Statische Analyse ohne kritische Findings - Static analysis has no critical findings
**Abschluss:** **Exit:**
- Alle Tests gruen - All tests green
- Coverage-Ziel erreicht - Coverage target reached
- Test-Report archiviert - Test report archived
## 6. Fehlerverwaltung ## 6. Defect handling
- Test-Fehlschlag = blockendes Issue - Test failure = blocking issue
- Issue wird ueber Gitea Issues angelegt, im PR referenziert - Issue is filed via Gitea Issues, referenced in the PR
- Schwere-Kategorisierung wie in QA-Plan Abschnitt 4 - Severity classification per QA Plan section 4
## 7. Reporting ## 7. Reporting
Test-Reports werden automatisch erzeugt: Test reports are generated automatically:
- Konsolen-Output von CppUTest (TAP / JUnit XML) - Console output of CppUTest (TAP / JUnit XML)
- Coverage-HTML aus lcov - Coverage HTML from lcov
- Beides als CI-Artefakt unter `tests/results/` - Both as CI artefacts under `tests/results/`
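Review bot: Section 4 changes the test file names from `tests/unit/test_apply_controller.cpp` (and the two sibling files) to `.c` on the new side, which is a content correction rather than a translation; if the files were renamed, state that in the change description and use the same paths in the SWE Plan, and if they were not renamed the old extension must stay. The `.c` extension does match the path in section 3 of the review minutes REV-001, so the `.cpp` on the old side looks like the stale entry, but the plan should say which is current.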
+36 -39
View File
@@ -1,56 +1,55 @@
--- ---
review-id: REV-001 review-id: REV-001
projekt: demo-epb project: demo-epb
datum: 2026-05-11 date: 2026-05-11
typ: Technical Review (ASIL-D Code) type: Technical Review (ASIL-D code)
artefakt: src/apply_controller.c (SWA-002) artefact: src/apply_controller.c (SWA-002)
status: Approved (mit Anmerkungen) status: Approved (with comments)
--- ---
# Review-Protokoll REV-001 # Review Minutes REV-001
| Feld | Wert | | Field | Value |
|--------------|--------------------------------------| |---------------|--------------------------------------|
| Review-ID | REV-001 | | Review ID | REV-001 |
| Projekt | demo-epb | | Project | demo-epb |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Reviewer 1 | Stefan Lohmaier (Self-Review) | | Reviewer 1 | Stefan Lohmaier (self-review) |
| Reviewer 2 | (Tech Lead, in Realprojekt) | | Reviewer 2 | (Tech Lead, in real project) |
| Artefakt | `src/apply_controller.c` v1.0 | | Artefact | `src/apply_controller.c` v1.0 |
| ASIL | D | | ASIL | D |
| Status | Approved with comments | | Status | Approved with comments |
--- ---
## 1. Pruefumfang ## 1. Scope of review
- Code-Inspektion `apply_controller.c` + `.h` - Code inspection of `apply_controller.c` + `.h`
- Pruefung auf Vollstaendigkeit der State Machine (Coverage gegen SWA-002) - Check for completeness of the state machine (coverage against SWA-002)
- Pruefung der MISRA-Compliance (Cppcheck-Report) - Check for MISRA compliance (Cppcheck report)
- Pruefung der Mapping-Tags (`@arch`, `@reqs`) - Check of mapping tags (`@arch`, `@reqs`)
- Pruefung der Unit-Tests gegen verlinkte Anforderungen SWE-001..SWE-004 - Check of unit tests against the linked requirements SWE-001..SWE-004
## 2. Findings ## 2. Findings
| Nr | Schwere | Beschreibung | Aktion | | Nr | Severity | Description | Action |
|----|-----------|--------------------------------------------------------------------|---------------------| |----|-----------|--------------------------------------------------------------------|---------------------|
| 1 | Minor | Kommentar "/* @reqs SWE-005 */" konsumiert Anforderung, die formal SWA-002 zugeordnet istMapping-Tabelle bestaetigt aber Mehrfachzuordnung. | Akzeptiert mit Hinweis in SWA-002 §8. | | 1 | Minor | The comment "/* @reqs SWE-005 */" consumes a requirement formally assigned to SWA-002mapping table confirms multi-assignment though. | Accepted with note in SWA-002 §8. |
| 2 | Major | Kein expliziter Test fuer das Verhalten "release im RELEASING-Zustand wird ignoriert". | Test ergaenzt in nachfolgendem PR. | | 2 | Major | No explicit test for the behaviour "release during the RELEASING state is ignored". | Test added in follow-up PR. |
| 3 | Critical | `s_ctx.step_count` ueberlaeuft alle 2^32 * 50 ms = ~7 Jahre. Im sicheren Zustand ist Ueberlauf unkritisch (Watchdog vergleicht Delta), aber sollte dokumentiert sein. | Kommentar im Header ergaenzt. | | 3 | Critical | `s_ctx.step_count` overflows after 2^32 * 50 ms = ~7 years. Overflow is harmless in the safe state (watchdog compares deltas) but should be documented. | Comment added in header. |
Critical-Finding 3 wurde als Non-Conformity NC-001 erfasst und in v1.1 geschlossen. Critical finding 3 was raised as Non-Conformity NC-001 and closed in v1.1.
## 3. Pruefung der Mapping-Tags ## 3. Check of mapping tags
``` ```
@arch SWA-002 OK @arch SWA-002 OK
@reqs SWE-001 SWE-002 SWE-003 SWE-004 OK @reqs SWE-001 SWE-002 SWE-003 SWE-004 OK
``` ```
Alle vier SWE-Reqs werden durch Test-Faelle in `tests/unit/test_apply_controller.c` All four SWE requirements are covered by test cases in `tests/unit/test_apply_controller.c`:
abgedeckt:
| SWE | Test-Funktion | | SWE | Test function |
|---------|---------------------------------------------------------| |---------|---------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` | | SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` | | SWE-002 | `test_watchdog_alive_counter` |
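Review bot: Finding 1 in section 2 says `apply_controller.c` carries a `/* @reqs SWE-005 */` comment, but the tag check in section 3 reports `@reqs SWE-001 SWE-002 SWE-003 SWE-004 OK` with no SWE-005; one of the two is out of date, and the mapping-tag check should list every requirement actually tagged in the file so the traceability matrix and the review record agree. Separately, the front-matter keys were renamed (`projekt:` → `project:`, `datum:` → `date:`, `typ:` → `type:`, `artefakt:` → `artefact:`); confirm that whatever consumes this front matter (for example the pandoc conversion) was updated to the new key names.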
@@ -59,20 +58,18 @@ abgedeckt:
## 4. Coverage ## 4. Coverage
| Metrik | Ziel | Erreicht | | Metric | Target | Achieved |
|---------------------|------------|-----------| |---------------------|------------|-----------|
| Statement Coverage | >= 90% | 92.3% | | Statement Coverage | 90% | 92.3% |
| Branch Coverage | >= 90% | 91.0% | | Branch Coverage | 90% | 91.0% |
| MC/DC | >= 80% | 84% | | MC/DC | 80% | 84% |
Coverage-Report: CI-Artefakt `coverage-html` (Build #N). Coverage report: CI artefact `coverage-html` (build #N).
## 5. Freigabe-Entscheidung ## 5. Release decision
**Approved with comments.** Critical-Finding wird als NC-001 separat behandelt. **Approved with comments.** Critical finding tracked as NC-001 separately. Recommendation for real project: second independent reviewer for ASIL-D.
Empfehlung fuer Real-Projekt: zweiter unabhaengiger Reviewer fuer ASIL-D.
--- ---
*Single-Person-Demo: Self-Review nach dokumentierter Pruefliste. In einem Real-Projekt *Single-person demo: self-review per documented checklist. In a real project, self-review for ASIL-D is not admissible (SWE Plan section 5).*
ist Self-Review fuer ASIL-D unzulaessig (SWE-Plan, Abschnitt 5).*
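Review bot: Section 4 still reports the coverage source as CI artefact `coverage-html` (build #N); an approved ASIL-D review record needs the real build or run identifier filled in, otherwise the 92.3% / 91.0% / 84% figures cannot be tied to an artefact. As in the SWE Plan table, the `>=` of the target column is absent on the new side (`90%`, `90%`, `80%` instead of `>= 90%`, `>= 90%`, `>= 80%`), so check that the operator did not get lost in the rewrite.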
Binary file not shown.
+65 -73
View File
@@ -1,119 +1,111 @@
--- ---
doc-id: SLM-EPB-FMEDA-001 doc-id: SLM-EPB-FMEDA-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Failure Mode Effects and Diagnostic Analysis (FMEDA) # Failure Mode Effects and Diagnostic Analysis (FMEDA)
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Dokument-ID | SLM-EPB-FMEDA-001 | | Document ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Norm | ISO 26262 Part 5 §8 + Part 10 | | Standard | ISO 26262 Part 5 §8 + Part 10 |
--- ---
## 1. Zweck ## 1. Purpose
Bottom-up-Analyse der Hardware- und Software-Fehlermoeglichkeiten der EPB, Bottom-up analysis of EPB hardware and software failure modes, quantifying Diagnostic Coverage (DC) and computing the Single-Point Fault Metric (SPFM) and Latent Fault Metric (LFM). Required for hardware architecture metrics per ISO 26262-5.
Quantifizierung der Diagnostic Coverage (DC) und Berechnung der Single-Point
Fault Metric (SPFM) und Latent Fault Metric (LFM). Wird zur Bewertung der
Hardware-Architektur-Metriken nach ISO 26262-5 benoetigt.
In dieser Demo wird der **Software-Anteil** behandelt; der Hardware-FMEDA This demo covers the **software** portion; the hardware FMEDA is provided separately (component manufacturer).
ergeht separat (Komponenten-Hersteller).
## 2. Methodik ## 2. Methodology
Pro Software-Komponente werden mogliche Failure Modes aufgelistet, ihre For each software component, possible failure modes are listed, their effects described, detection mechanisms identified, and the diagnostic coverage estimated.
Effekte beschrieben, Detection-Mechanismen identifiziert und die
Diagnostic Coverage abgeschaetzt.
DC-Klassen nach ISO 26262-5 §C.2: DC classes per ISO 26262-5 §C.2:
| DC-Klasse | DC % | Bedeutung | | DC class | DC % | Meaning |
|-----------|-------|--------------------------------------| |-----------|-------|--------------------------------------|
| Low | < 60% | Schwache Diagnose | | Low | < 60% | Weak diagnostics |
| Medium | 60-90%| Mittlere Diagnose | | Medium | 60-90%| Medium diagnostics |
| High | > 90% | Starke Diagnose | | High | > 90% | Strong diagnostics |
## 3. FMEDA-Tabelle pro Komponente ## 3. FMEDA table per component
### 3.1 SWA-002 Apply Controller (ASIL-D) ### 3.1 SWA-002 Apply Controller (ASIL-D)
| FM-ID | Failure Mode | Effekt | Detection | DC | Safe State erreicht? | | FM-ID | Failure mode | Effect | Detection | DC | Safe state reached? |
|-------|---------------------------------------|--------------------------------------|---------------------------------|-------|----------------------| |-------|---------------------------------------|--------------------------------------|---------------------------------|-------|----------------------|
| FM-01 | State-Machine bleibt in APPLYING haengen | Bremse nie applied | Timeout 30*50ms -> ERROR | High | Ja (ERROR-State) | | FM-01 | State machine stuck in APPLYING | Brake never applied | Timeout 30×50ms ERROR | High | Yes (ERROR state) |
| FM-02 | Falscher State-Uebergang APPLIED->RELEASED ohne Bedingung | Wegrollen | Vorbedingungs-Check (`release_preconditions_ok`) | High | Ja | | FM-02 | Wrong state transition APPLIEDRELEASED without condition | Roll-away | Precondition check (`release_preconditions_ok`) | High | Yes |
| FM-03 | Watchdog-Counter ueberlaeuft | Watchdog feuert false-positive | Wrap-safe Subtraktion in Watchdog (NC-001) | High | Ja (Reset) | | FM-03 | Watchdog counter overflow | Watchdog fires false positive | Wrap-safe subtraction in watchdog (NC-001) | High | Yes (reset) |
| FM-04 | Hold-Loop regelt nicht nach | Klemmkraftverlust unerkannt | Periodische Pruefung alle 50ms + force-tolerance | High | Ja (Re-Apply) | | FM-04 | Hold loop does not re-clamp | Clamping force loss undetected | Periodic check every 50ms + force tolerance | High | Yes (re-apply) |
| FM-05 | NULL-Pointer-Dereferenzierung Input | Crash | Early-Exit Check | High | Ja (Letzter Zustand bleibt) | | FM-05 | NULL pointer dereference on input | Crash | Early-exit check | High | Yes (last state remains) |
Aggregierte DC fuer Apply Controller: **96 %** (High). Aggregated DC for Apply Controller: **96%** (High).
### 3.2 SWA-003 Actuator Driver (ASIL-B) ### 3.2 SWA-003 Actuator Driver (ASIL-B)
| FM-ID | Failure Mode | Effekt | Detection | DC | | FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------| |-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-06 | PWM-Wert ausserhalb 0..100 | Hardware-Schaden | Parameter-Check, return EINVAL | High | | FM-06 | PWM value outside 0..100 | Hardware damage | Parameter check, return EINVAL | High |
| FM-07 | ISR misst zu hohen Strom kontinuierlich | Motor-Brand | Overcurrent-Cutoff > 8A > 100ms | High | | FM-07 | ISR measures continuously high current | Motor fire | Overcurrent cutoff > 8A > 100ms | High |
| FM-08 | ISR misst zu niedrigen Strom (Sensor-Fehler) | Klemmkraft falsch geschaetzt | Cross-Check beider Aktoren | Medium | | FM-08 | ISR measures too-low current (sensor fault) | Clamping force estimated wrong | Cross-check between actuators | Medium |
| FM-09 | Beide Aktoren gleichzeitiger Cutoff | EPB inoperativ | DTC + Service-Mode bleibt zugaenglich | Medium | | FM-09 | Both actuators simultaneous cutoff | EPB inoperative | DTC + service mode remains reachable | Medium |
Aggregierte DC fuer Actuator Driver: **85 %** (Medium). Aggregated DC for Actuator Driver: **85%** (Medium).
### 3.3 SWA-001 Safety Manager (ASIL-D) ### 3.3 SWA-001 Safety Manager (ASIL-D)
| FM-ID | Failure Mode | Effekt | Detection | DC | | FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------| |-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-10 | Auto-Apply-Timer feuert nicht | Fahrzeug rollt nach Motor-Aus | Watchdog Safety-Manager | High | | FM-10 | Auto-apply timer does not fire | Vehicle rolls after engine off | Watchdog Safety Manager | High |
| FM-11 | Hill-Hold-Uebergabe verzoegert | Rollen am Berg | Bremspedal-Signal-Verfolgung | High | | FM-11 | Hill-hold handover delayed | Roll-away on incline | Brake-pedal signal tracking | High |
| FM-12 | False-Positive Hill-Hold-Aktivierung | Unnoetiges Apply | Filter-Tiefpass Inclinometer | Medium | | FM-12 | False-positive hill-hold activation | Unnecessary apply | Low-pass filter inclinometer | Medium |
| FM-13 | Grade-Filter Saturation | Hill-Hold verpasst | Plausibilitaets-Check (Range) | Medium | | FM-13 | Grade filter saturation | Hill-hold missed | Plausibility range check | Medium |
Aggregierte DC fuer Safety Manager: **88 %** (Medium-High). Aggregated DC for Safety Manager: **88%** (Medium-High).
### 3.4 SWA-004 Wheel Speed Plausibilisierung (ASIL-B) ### 3.4 SWA-004 Wheel Speed Plausibilisation (ASIL-B)
| FM-ID | Failure Mode | Effekt | Detection | DC | | FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------| |-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-14 | Stuck-At-Zero auf einem Rad | Falscher Stillstand erkannt | Spreizung > 3 km/h Check + DTC | High | | FM-14 | Stuck-at-zero on one wheel | False standstill detected | Spread > 3 km/h check + DTC | High |
| FM-15 | Alle 4 Sensoren ausgefallen | Stillstand unerkannt | Komplettausfall-DTC + Vorlast-Annahme | High | | FM-15 | All 4 sensors failed | Standstill undetected | Total-failure DTC + load assumption | High |
DC: **95 %** (High). DC: **95%** (High).
## 4. Aggregierte Metriken (Software) ## 4. Aggregated metrics (software)
| Metrik | Wert | Anforderung ASIL-D | | Metric | Value | ASIL-D requirement |
|------------------------------|---------|------------------------| |------------------------------|---------|--------------------------------------|
| SPFM (Single-Point Fault) | 95 % | >= 99 % (Software allein nicht ausreichend, HW erforderlich) | | SPFM (Single-Point Fault) | 95% | 99% (software alone insufficient; HW required) |
| LFM (Latent Fault) | 90 % | >= 90 % | | LFM (Latent Fault) | 90% | 90% |
| Aggregated DC | 92 % | High | | Aggregated DC | 92% | High |
**Hinweis:** Die hier berichteten Software-DC-Werte sind keine ASIL-D-Hardware- **Note:** The software DC values reported here are not the ASIL-D hardware metrics. ASIL-D-compliant SPFM/LFM require quantitative hardware FIT rates, which are computed at the HW level (Tier-1 actuators, ECU hardware).
Metriken. ASIL-D-konforme SPFM/LFM benoetigen quantitative Hardware-FIT-Raten,
die auf HW-Ebene berechnet werden (Tier-1-Aktoren, ECU-Hardware).
## 5. Diagnose-Massnahmen (Inventar) ## 5. Diagnostic measures (inventory)
| Mechanismus | Komponente | Trigger | | Mechanism | Component | Trigger |
|------------------------------|-----------------------|----------------------------------------| |------------------------------|-----------------------|----------------------------------------|
| Timeout-Watchdog | Apply Controller | 30*50ms im APPLYING | | Timeout watchdog | Apply Controller | 30×50ms in APPLYING |
| Klemmkraft-Hold-Check | Apply Controller | alle 50ms | | Clamping force hold check | Apply Controller | every 50ms |
| Overcurrent-Cutoff | Actuator Driver | 8A > 100ms | | Overcurrent cutoff | Actuator Driver | 8A > 100ms |
| Sensor-Spreizungs-Check | Wheel Speed Plausi | jede 10ms-Periode | | Sensor spread check | Wheel Speed Plausi | every 10ms cycle |
| Inclinometer-Range-Check | Inclinometer Filter | jede 10ms | | Inclinometer range check | Inclinometer Filter | every 10ms |
| Watchdog Safety Manager | Safety Manager | 100ms Liveness | | Watchdog Safety Manager | Safety Manager | 100ms liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | Aufruf von `diag_set_dtc()` | | Diagnostic Manager UDS DTCs | Diag Manager | call of `diag_set_dtc()` |
## 6. Aenderungshistorie ## 6. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|-------------------------|----------------| |---------|-------------|---------------------|------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier | | 0.1 | 2026-05-11 | Initial draft | S. Lohmaier|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier|
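Review bot: the threshold operators in section 4 have dropped out of the English column: `>= 99 %` and `>= 90 %` in the ASIL-D requirement column now read `99%` and `90%`, and the arrows in FM-01 and FM-02 (`30*50ms -> ERROR`, `APPLIED->RELEASED`) now read `30×50ms ERROR` and `APPLIEDRELEASED`. The non-ASCII `≥`/`→` characters appear to have been lost in rendering, which leaves the comparison direction of a safety metric ambiguous; suggest keeping the ASCII `>=` and `->` that the German text used so the thresholds survive every output path.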
+93 -102
@@ -1,154 +1,145 @@
--- ---
doc-id: SLM-EPB-HARA-001 doc-id: SLM-EPB-HARA-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Hazard Analysis & Risk Assessment (HARA) # Hazard Analysis & Risk Assessment (HARA)
| Feld | Wert | | Field | Value |
|----------------|------------------------------------------------| |-----------------|-------------------------------------------------|
| Projekt | demo-epb (Elektrische Parkbremse) | | Project | demo-epb (Electric Parking Brake) |
| Dokument-ID | SLM-EPB-HARA-001 | | Document ID | SLM-EPB-HARA-001 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| Norm | ISO 26262 Part 3 (Concept Phase) | | Standard | ISO 26262 Part 3 (Concept Phase) |
| Erstellt von | Stefan Lohmaier | | Author | Stefan Lohmaier |
| Geprueft von | (Tech Lead, im Realprojekt unabhaengig) | | Reviewer | (Tech Lead, independent in real project) |
| Freigegeben von| (Safety Manager, im Realprojekt unabhaengig) | | Approver | (Safety Manager, independent in real project) |
--- ---
## 1. Zweck ## 1. Purpose
Identifikation und Klassifikation aller relevanten Hazards der Elektrischen Identification and classification of all relevant EPB hazards per ISO 26262-3. From the hazards, safety goals are derived and an Automotive Safety Integrity Level (ASIL) is assigned.
Parkbremse (EPB) gemaess ISO 26262-3. Aus den Hazards werden Sicherheitsziele
abgeleitet und ein Automotive Safety Integrity Level (ASIL) zugewiesen.
## 2. Item-Definition ## 2. Item definition
Die EPB ist ein elektromechanisches System, das die hinteren Bremssaettel mit The EPB is an electromechanical system that clamps both rear callipers using two small electric motors and releases them. Item boundary (ISO 26262-3 §5):
zwei kleinen Elektromotoren festklemmt und wieder loest. Item-Boundary
(ISO 26262-3 §5):
- **Innerhalb:** EPB-ECU, beide Caliper-Motoren, EPB-Schalter, Status-LED - **Inside:** EPB ECU, both calliper motors, EPB switch, status LED
- **Aussen:** ESP, Motormanagement, Bremssystem (hydraulisch), Lenkung - **Outside:** ESP, engine management, brake system (hydraulic), steering
- **Schnittstellen:** CAN-Bus, Wheel-Speed-Sensoren, Inclinometer - **Interfaces:** CAN bus, wheel-speed sensors, inclinometer
## 3. Operational Situations & Hazards ## 3. Operational situations & hazards
Die folgenden Betriebssituationen und Hazards wurden im Concept-Workshop The following operational situations and hazards were identified in the concept workshop (2026-05-11):
(2026-05-11) identifiziert:
### 3.1 Hazard-Liste ### 3.1 Hazard list
| H-ID | Hazard | Betriebs-Situation | | H-ID | Hazard | Operational situation |
|-------|------------------------------------------------------|------------------------------------| |-------|------------------------------------------------------|--------------------------------------|
| H-01 | Ungewolltes Loesen der Parkbremse im Stillstand | Fahrzeug parkt am Hang, Fahrer aus| | H-01 | Unintended release of the parking brake at standstill | Vehicle parked on incline, driver out|
| H-02 | Ungewolltes Festklemmen waehrend der Fahrt | Fahrt > 10 km/h | | H-02 | Unintended clamping during driving | Driving > 10 km/h |
| H-03 | Keine Apply-Reaktion auf Fahrer-Anforderung | Stillstand, Fahrer betaetigt Schalter | | H-03 | No apply reaction to driver request | Standstill, driver actuates switch |
| H-04 | Verlust der Klemmkraft im Hold-Zustand | Parkphase laenger als 1 h | | H-04 | Loss of clamping force in hold state | Parking phase longer than 1 h |
| H-05 | Motorschaden durch Ueberstrom | Aktor-Mechanik blockiert | | H-05 | Motor damage from overcurrent | Actuator mechanics blocked |
| H-06 | Falsche Hill-Hold-Uebergabe (Rollen am Berg) | Anfahrt am Berg | | H-06 | Incorrect hill-hold handover (roll-away on incline) | Drive-away on incline |
| H-07 | Keine Release-Reaktion bei Anfahrt | Stillstand, Fahrer will losfahren | | H-07 | No release reaction on drive-away | Standstill, driver wants to drive |
| H-08 | LED-Anzeige falsch | beliebig | | H-08 | LED indicator wrong | any |
### 3.2 Severity / Exposure / Controllability ### 3.2 Severity / Exposure / Controllability
Klassifikation nach ISO 26262-3 §6: Classification per ISO 26262-3 §6:
| Severity | Bedeutung | | Severity | Meaning |
|----------|------------------------------------------------------------| |----------|------------------------------------------------------------|
| S0 | Keine Verletzungen | | S0 | No injuries |
| S1 | Leichte / moderate Verletzungen | | S1 | Light / moderate injuries |
| S2 | Schwere Verletzungen (Ueberleben wahrscheinlich) | | S2 | Severe injuries (survival likely) |
| S3 | Lebensgefaehrliche Verletzungen (Ueberleben fraglich) | | S3 | Life-threatening injuries (survival uncertain) |
| Exposure | Bedeutung | | Exposure | Meaning |
|----------|------------------------------------------------------------| |----------|------------------------------------------------------------|
| E0 | Sehr unwahrscheinlich | | E0 | Very unlikely |
| E1 | Sehr seltene Situation | | E1 | Very rare situation |
| E2 | Seltene Situation | | E2 | Rare situation |
| E3 | Mittlere Wahrscheinlichkeit | | E3 | Medium likelihood |
| E4 | Haeufige Situation | | E4 | Frequent situation |
| Controllability | Bedeutung | | Controllability | Meaning |
|------------------|------------------------------------------------------| |------------------|----------------------------------------------------|
| C0 | Allgemein beherrschbar | | C0 | Generally controllable |
| C1 | Einfach beherrschbar (>99% der Fahrer) | | C1 | Simply controllable (>99% of drivers) |
| C2 | Normal beherrschbar (>90% der Fahrer) | | C2 | Normally controllable (>90% of drivers) |
| C3 | Schwer beherrschbar oder unbeherrschbar | | C3 | Difficult to control or uncontrollable |
### 3.3 ASIL-Determination ### 3.3 ASIL determination
| H-ID | Beschreibung | S | E | C | ASIL | | H-ID | Description | S | E | C | ASIL |
|-------|-------------------------------------------|----|----|----|-------| |-------|------------------------------------------|----|----|----|-------|
| H-01 | Ungewolltes Loesen, Parkphase | S3 | E4 | C3 | **D** | | H-01 | Unintended release, parking phase | S3 | E4 | C3 | **D** |
| H-02 | Ungewolltes Festklemmen waehrend Fahrt | S3 | E4 | C3 | **D** | | H-02 | Unintended clamping during driving | S3 | E4 | C3 | **D** |
| H-03 | Keine Apply-Reaktion auf Anforderung | S2 | E4 | C2 | B | | H-03 | No apply reaction to request | S2 | E4 | C2 | B |
| H-04 | Klemmkraftverlust im Hold | S3 | E4 | C3 | **D** | | H-04 | Clamping force loss in hold | S3 | E4 | C3 | **D** |
| H-05 | Motorschaden durch Ueberstrom | S1 | E3 | C2 | A | | H-05 | Motor damage from overcurrent | S1 | E3 | C2 | A |
| H-06 | Hill-Hold-Versagen (Rollen am Berg) | S3 | E3 | C3 | C | | H-06 | Hill-hold failure (roll-away on incline) | S3 | E3 | C3 | C |
| H-07 | Keine Release-Reaktion | S1 | E4 | C2 | A | | H-07 | No release reaction | S1 | E4 | C2 | A |
| H-08 | LED-Anzeige falsch | S0 | -- | -- | QM | | H-08 | LED indicator wrong | S0 | -- | -- | QM |
ASIL-Matrix laut ISO 26262-3 Table 4 angewandt. H-06 wurde im Review von ASIL matrix per ISO 26262-3 Table 4 applied. H-06 was downgraded from ASIL-D to ASIL-C in review, since hill-hold failure on dry road remains controllable through driver response (C2-C3 borderline, conservatively C3).
ASIL-D auf ASIL-C zurueckgestuft, da Hill-Hold-Ausfall auf trockener Strasse
durch Fahrerreaktion noch beherrschbar (C2-C3-Grenzfall, konservativ C3).
## 4. Sicherheitsziele (Safety Goals) ## 4. Safety goals
Aus den Hazards werden folgende Safety Goals abgeleitet: From the hazards the following safety goals are derived:
| SG-ID | Sicherheitsziel | ASIL | Abgedeckte Hazards | | SG-ID | Safety goal | ASIL | Covered hazards |
|-------|--------------------------------------------------------------------|-------|----------------------| |-------|-------------------------------------------------------------------|-------|----------------------|
| SG-01 | EPB darf sich im Stillstand nicht ungewollt loesen | D | H-01, H-04 | | SG-01 | The EPB must not unintentionally release while at standstill | D | H-01, H-04 |
| SG-02 | EPB darf nicht ungewollt waehrend der Fahrt festklemmen | D | H-02 | | SG-02 | The EPB must not unintentionally clamp while driving | D | H-02 |
| SG-03 | EPB muss Schutz gegen Aktor-Ueberstrom bieten | A | H-05 | | SG-03 | The EPB must protect against actuator overcurrent | A | H-05 |
| SG-04 | Hill-Hold muss zuverlaessig an Apply Controller uebergeben | C | H-06 | | SG-04 | Hill-hold must reliably hand over to the apply controller | C | H-06 |
| SG-05 | EPB muss auf Fahreranforderung in spezifizierter Zeit reagieren | B | H-03, H-07 | | SG-05 | The EPB must respond to driver requests within specified times | B | H-03, H-07 |
## 5. Safe State ## 5. Safe state
Definitionen aus ISO 26262-3 §7.4.2.5: Definitions per ISO 26262-3 §7.4.2.5:
| Item / Funktion | Safe State | | Item / Function | Safe state |
|------------------------|------------------------------------------------------------| |------------------------|------------------------------------------------------------|
| Apply-Phase | Aktor stoppen, Status auf APPLIED setzen | | Apply phase | Stop actuator, set status to APPLIED |
| Hold-Phase | Klemmkraft beibehalten (passiv) | | Hold phase | Maintain clamping force (passive) |
| Release-Phase | Auf Apply zurueckkehren, Klemmkraft halten | | Release phase | Return to apply, maintain clamping force |
| Bei Hardware-Fehler | APPLIED-Zustand erzwingen (verhindert Wegrollen) | | On hardware fault | Force APPLIED state (prevents roll-away) |
Der ueber alle Faelle "konservative" Safe State ist **APPLIED**: lieber zu The conservative safe state across all cases is **APPLIED**: rather over-clamp than under-clamp.
viel klemmen als zu wenig.
## 6. FTTI (Fault Tolerant Time Interval) ## 6. FTTI (Fault Tolerant Time Interval)
| Hazard | FTTI | Begruendung | | Hazard | FTTI | Rationale |
|--------|---------|-----------------------------------------------------------| |--------|---------|-----------------------------------------------------------|
| H-01 | 5 s | Wegrollen am Berg startet typ. nach 1-2 s, Hand-Aktion mglich nach ca. 5 s | | H-01 | 5 s | Roll-away on incline starts after ~1-2 s, hand action possible after ~5 s |
| H-02 | 100 ms | Stoss-Verlangsamung bei 50 km/h muss innerhalb 100 ms erkannt werden | | H-02 | 100 ms | Shock deceleration at 50 km/h must be detected within 100 ms |
| H-04 | 30 s | Klemmkraftverlust akkumuliert langsam, periodische Pruefung alle 50ms reicht | | H-04 | 30 s | Clamping force loss accumulates slowly, periodic check every 50 ms suffices |
| H-06 | 500 ms | Hill-Hold-Uebergabe muss vor Rollbeginn (< 500ms) abgeschlossen sein | | H-06 | 500 ms | Hill-hold handover must complete before roll-away begins (< 500 ms) |
## 7. Funktionale Sicherheitsanforderungen (FSR) ## 7. Functional Safety Requirements (FSR)
Aus den Safety Goals werden in `reqs/sys/` die SYS-Anforderungen abgeleitet From the safety goals the SYS requirements in `reqs/sys/` are derived (see traceability matrix). Mapping:
(siehe Traceability-Matrix). Mapping:
| SG-ID | SYS-Anforderungen | | SG-ID | SYS requirements |
|-------|----------------------------------------------------| |-------|----------------------------------------------------|
| SG-01 | SYS-001, SYS-004 | | SG-01 | SYS-001, SYS-004 |
| SG-02 | SYS-002 (Apply-Plausibilisierung), SYS-005 | | SG-02 | SYS-002 (apply plausibility), SYS-005 |
| SG-03 | SYS-007 | | SG-03 | SYS-007 |
| SG-04 | SYS-005, SYS-006 | | SG-04 | SYS-005, SYS-006 |
| SG-05 | SYS-002, SYS-003 | | SG-05 | SYS-002, SYS-003 |
## 8. Aenderungshistorie ## 8. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|-------------------------|----------------| |---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier | | 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe nach Review| S. Lohmaier | | 1.0 | 2026-05-12 | First release after review | S. Lohmaier |
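Review bot: the safe-state table in section 5 (`On hardware fault | Force APPLIED state`) and the closing sentence (`The conservative safe state across all cases is APPLIED`) conflict with H-02/SG-02, where unintended clamping while driving is itself rated ASIL-D; forcing APPLIED on a hardware fault detected above standstill would realise exactly that hazard. Suggest qualifying the row, for example `Force APPLIED state at confirmed standstill; otherwise hold current state and set DTC`, or splitting the safe state by operational situation. Separately, the H-06 rationale in 3.3 attributes the ASIL-C result to controllability while the table keeps C3; the reduction relative to H-01/H-02 actually comes from E3 versus E4, so the text should name exposure as the deciding parameter or revise the C column.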
+61 -64
@@ -1,58 +1,55 @@
--- ---
doc-id: SLM-EPB-MISRA-COMP-001 doc-id: SLM-EPB-MISRA-COMP-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# MISRA C:2012 Compliance Statement # MISRA C:2012 Compliance Statement
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Dokument-ID | SLM-EPB-MISRA-COMP-001 | | Document ID | SLM-EPB-MISRA-COMP-001 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Standard | MISRA C:2012 (inkl. Amendment 1) | | Standard | MISRA C:2012 (incl. Amendment 1) |
| Compiler | GCC 11.2 (Linux CI) / GCC 16.1 (Win) | | Compiler | GCC 11.2 (Linux CI) / GCC 16.1 (Win) |
| Checker | Cppcheck 2.7+ mit `--addon=misra` | | Checker | Cppcheck 2.7+ with `--addon=misra` |
--- ---
## 1. Zusammenfassung ## 1. Summary
Der Quellcode von demo-epb wurde gegen MISRA C:2012 geprueft. The source code of demo-epb has been checked against MISRA C:2012. All **Required** and **Mandatory** rules are observed, with the exception of one documented deviation (see MISRA-REC-001).
Alle **Required** und **Mandatory** Regeln werden eingehalten, mit Ausnahme
von einer dokumentierten Deviation (siehe MISRA-REC-001).
**Compliance-Erklaerung:** demo-epb v1.0 ist **MISRA C:2012 compliant** unter **Compliance statement:** demo-epb v1.0 is **MISRA C:2012 compliant** taking into account the documented deviation records.
Beruecksichtigung dokumentierter Deviation Records.
## 2. Geltungsbereich ## 2. Scope
| Modul | MISRA-konform geprueft | | Module | MISRA-checked |
|----------------------|-----------------------------| |------------------------------|--------------------------|
| `src/switch_debouncer.{c,h}` | Ja | | `src/switch_debouncer.{c,h}` | Yes |
| `src/actuator_driver.{c,h}` | Ja | | `src/actuator_driver.{c,h}` | Yes |
| `src/apply_controller.{c,h}` | Ja | | `src/apply_controller.{c,h}` | Yes |
| `src/safety_manager.{c,h}` | Ja | | `src/safety_manager.{c,h}` | Yes |
| `src/epb_types.h` | Ja | | `src/epb_types.h` | Yes |
| `src/stubs/*.h` | Header-only, keine MISRA-relevanten Implementierungen | | `src/stubs/*.h` | Header-only, no MISRA-relevant implementations |
| `tests/**/*` | Nicht im Geltungsbereich (Test-Code) | | `tests/**/*` | Out of scope (test code) |
| `tools/**/*` | Nicht im Geltungsbereich (Python-Skripte) | | `tools/**/*` | Out of scope (Python scripts) |
## 3. Regel-Aktivierung ## 3. Rule activation
Cppcheck MISRA-Addon prueft die folgenden Regel-Kategorien: The Cppcheck MISRA addon checks the following rule categories:
| Kategorie | Anzahl | Aktivierung im Projekt | | Category | Count | Activation in project |
|-----------|--------|--------------------------------| |-----------|--------|----------------------------------|
| Mandatory | 9 | Alle aktiviert, Verletzung blockt Build | | Mandatory | 9 | All active, violation blocks build |
| Required | 119 | Alle aktiviert, Verletzung blockt Build | | Required | 119 | All active, violation blocks build |
| Advisory | 47 | Aktiviert mit Warning-Level, Deviations zulaessig per Record | | Advisory | 47 | Active at warning level, deviations allowed per record |
## 4. Compliance-Status pro Regel-Kategorie ## 4. Compliance status per rule category
### 4.1 Mandatory Rules (9) ### 4.1 Mandatory rules (9)
| Rule | Status | | Rule | Status |
|-------------|------------| |-------------|------------|
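Review bot: the scope table in section 2 excludes `src/stubs/*.h` with the rationale `Header-only, no MISRA-relevant implementations`, but MISRA C:2012 applies to headers as well (macro definitions, inline functions, type definitions), and the cppcheck invocation in section 5 (`-I src src`) pulls those headers into every translation unit it analyses anyway. Suggest listing them as in scope, or stating the concrete reason they are exempt (for instance, test-only stubs replaced by real drivers in the target build), so the compliance statement in section 1 is not wider than what was checked.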
@@ -61,15 +58,15 @@ Cppcheck MISRA-Addon prueft die folgenden Regel-Kategorien:
| R 19.1, R 21.13, R 21.17 | Compliant | | R 19.1, R 21.13, R 21.17 | Compliant |
| R 21.18, R 21.19, R 21.20 | Compliant | | R 21.18, R 21.19, R 21.20 | Compliant |
**Mandatory Status: 100 % Compliant.** **Mandatory status: 100% Compliant.**
### 4.2 Required Rules ### 4.2 Required rules
Gesamt: 119 Required Rules. Verletzungen: **0**. Total: 119 Required rules. Violations: **0**.
Top-relevante Rules fuer dieses Projekt: Top relevant rules for this project:
| Rule | Beschreibung | Status | | Rule | Description | Status |
|---------|----------------------------------------------------------|----------| |---------|----------------------------------------------------------|----------|
| R 8.1 | Type specifier shall be explicit | Compliant | | R 8.1 | Type specifier shall be explicit | Compliant |
| R 8.2 | Function parameters shall be explicitly named | Compliant | | R 8.2 | Function parameters shall be explicitly named | Compliant |
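Review bot: `Total: 119 Required rules. Violations: 0.` in 4.2 and `Mandatory status: 100% Compliant` in 4.1 read as if every rule were tool-verified, but the Cppcheck MISRA addon named in the document header implements only a subset of the MISRA C:2012 rules and leaves the remainder unchecked. Suggest adding a column or sentence that distinguishes rules verified by Cppcheck from rules verified by manual review, with the review evidence referenced, so the `0` is tied to a known checking scope rather than implying complete automated coverage.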
@@ -78,21 +75,21 @@ Top-relevante Rules fuer dieses Projekt:
| R 14.1 | Loop counter shall not have essentially floating type | Compliant | | R 14.1 | Loop counter shall not have essentially floating type | Compliant |
| R 14.4 | Controlling expression shall have essentially Boolean type | Compliant | | R 14.4 | Controlling expression shall have essentially Boolean type | Compliant |
| R 15.4 | At most one break or goto per loop | Compliant | | R 15.4 | At most one break or goto per loop | Compliant |
| R 17.7 | Return value of non-void function shall be used | Compliant (oder explizit `(void)`) | | R 17.7 | Return value of non-void function shall be used | Compliant (or explicit `(void)`) |
| R 21.3 | No dynamic memory allocation (malloc/free) | Compliant (keine Heap-Nutzung) | | R 21.3 | No dynamic memory allocation (malloc/free) | Compliant (no heap use) |
| R 21.4 | No setjmp/longjmp | Compliant | | R 21.4 | No setjmp/longjmp | Compliant |
### 4.3 Advisory Rules ### 4.3 Advisory rules
47 Advisory Rules. Verletzungen werden via MISRA Deviation Records dokumentiert. 47 Advisory rules. Violations are documented via MISRA deviation records.
| Record-ID | Rule | Datei | Begruendung-Auszug | | Record ID | Rule | File | Rationale summary |
|-------------------|---------|-------------------------------|-----------------------------| |-------------------|---------|-------------------------------|-----------------------------|
| MISRA-REC-001 | R 15.5 | `src/apply_controller.c:64` | Early-Exit fuer NULL-Check | | MISRA-REC-001 | R 15.5 | `src/apply_controller.c:64` | Early-exit for NULL check |
**Advisory Status: 1 Deviation Record, dokumentiert.** **Advisory status: 1 deviation record, documented.**
## 5. Pruef-Pipeline ## 5. Check pipeline
```bash ```bash
cppcheck \ cppcheck \
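Review bot: the deviation record in 4.3 is anchored to a line number (`src/apply_controller.c:64`), which goes stale on the next edit to that file and then cannot be located by an auditor. Suggest citing the enclosing function and the construct (the early-return NULL check) instead of, or in addition to, the line number. It is also worth cross-referencing FM-05 in the FMEDA, whose detection measure is this same `Early-exit check`: the deviation from R 15.5 is then justified by a safety argument rather than by convenience.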
@@ -105,26 +102,26 @@ cppcheck \
-I src src -I src src
``` ```
Pruefung erfolgt: Checks are run:
- Lokal vor jedem Commit (empfohlen) - Locally before each commit (recommended)
- Automatisch in CI bei jedem Push und PR - Automatically in CI on every push and PR
- Vor jedem Release (Tag-Push triggert release.yml) - Before each release (tag push triggers release.yml)
## 6. Deviation Permits (projektweit) ## 6. Deviation Permits (project-wide)
Keine projektweiten Permits aktiv. No project-wide permits are active.
## 7. Re-Audit-Trigger ## 7. Re-audit triggers
Diese Compliance-Erklaerung muss bei folgenden Aenderungen neu erstellt werden: This compliance statement must be re-created on the following changes:
- Compiler-Wechsel (z.B. GCC -> Clang) - Compiler change (e.g. GCC Clang)
- Major-Update von Cppcheck oder MISRA-Addon - Major update of Cppcheck or the MISRA addon
- Neue Quelldateien ausserhalb `src/` - New source files outside `src/`
- MISRA-Standard-Update (z.B. C:2025 Release) - MISRA standard update (e.g. C:2025 release)
## 8. Aenderungshistorie ## 8. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|-------------------------|----------------| |---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | Erstfreigabe v1.0 | S. Lohmaier | | 1.0 | 2026-05-12 | First release v1.0 | S. Lohmaier|
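Review bot: the re-audit triggers in section 7 omit changes to the checker configuration itself: the cppcheck command line in section 5, any added suppression or deviation record, and Cppcheck minor releases (`2.7+` in the header leaves the version open). Since the compliance statement in section 1 rests on that configuration, suggest adding `change to the cppcheck invocation, suppressions or deviation records` as a trigger and pinning the exact Cppcheck version used for the release. Minor: the arrow in `Compiler change (e.g. GCC Clang)` has dropped out of the English text; use the ASCII `->`.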
+84 -87
@@ -1,139 +1,136 @@
--- ---
doc-id: SLM-EPB-SC-001 doc-id: SLM-EPB-SC-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Safety Case — demo-epb # Safety Case — demo-epb
| Feld | Wert | | Field | Value |
|----------------|------------------------------------------------| |-----------------|-------------------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Dokument-ID | SLM-EPB-SC-001 | | Document ID | SLM-EPB-SC-001 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Version | 1.0 | | Version | 1.0 |
| Status | Freigegeben | | Status | Released |
| Norm | ISO 26262 Part 2 §6.5 + Part 6 §6 | | Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Erstellt von | Stefan Lohmaier | | Author | Stefan Lohmaier |
| Freigegeben von| (Safety Manager, im Realprojekt) | | Approver | (Safety Manager, in real project) |
--- ---
## 1. Zweck ## 1. Purpose
Argumentation, dass das EPB-System die in der HARA identifizierten Argument that the EPB system satisfies the safety goals identified in the HARA. Structured per Goal Structuring Notation (GSN), in tabular form for audit purposes.
Sicherheitsziele erfuellt. Strukturiert nach Goal Structuring Notation
(GSN), in tabellarischer Form fuer Audit-Zwecke.
## 2. Top-Goal ## 2. Top goal
**G0:** Die EPB-Software erfuellt alle Safety Goals (SG-01 bis SG-05) der HARA **G0:** The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.
mit angemessener Konfidenz fuer ASIL D / C / B / A.
## 3. Argument-Struktur ## 3. Argument structure
| Goal | Behauptung | Strategie | Evidenz | | Goal | Claim | Strategy | Evidence |
|------|------------------------------------------------------|------------------------------------------|------------------------------------------| |------|---------------------------------------------------------|------------------------------------------|--------------------------------------------|
| G0 | EPB erfuellt alle SG aus HARA | Decomposition nach SG | G1, G2, G3, G4, G5 | | G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (kein ungewolltes Loesen) ist erfuellt | Architektonisch + Test + Review | SWA-002 + Tests + Code-Review | | G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (kein ungewolltes Apply) ist erfuellt | Architektonisch + Plausibilisierung | SWA-002 standstill-check + Tests | | G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (Schutz vor Ueberstrom) ist erfuellt | Architektonisch + Test | SWA-003 overcurrent-cutoff + Tests | | G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (Hill-Hold-Uebergabe) ist erfuellt | Architektonisch + Sequenz-Test | SWA-001 + Tests | | G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (Reaktionszeit) ist erfuellt | Performance-Messung + Test | Step-Timing-Tests | | G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |
## 4. Detail-Argumente ## 4. Detail arguments
### G1 — SG-01: Kein ungewolltes Loesen ### G1 — SG-01: No unintended release
**Argument:** **Argument:**
| # | Aussage | Beleg | | # | Statement | Evidence |
|---|-----------------------------------------------------------------------|--------------------------------------| |---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply Controller verlaesst APPLIED nur bei expliziter Release-Anforderung mit Vorbedingungen | `apply_controller.c` Zeile 95-110 (`case EPB_STATE_APPLIED`) | | 1 | Apply controller leaves APPLIED only on explicit release request with preconditions | `apply_controller.c` line 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release-Vorbedingungen pruefen Engine + Brake + Gear | `release_preconditions_ok()` + SWE-005 | | 2 | Release preconditions check engine + brake + gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog erkennt Apply-Controller-Hang und faellt in Safe State (APPLIED) | SWE-002 + Watchdog in SWA-001 | | 3 | Watchdog detects apply controller hang and falls into safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Klemmkraft wird alle 50 ms verifiziert und bei Abfall nachgeregelt | SWE-001 + Test `test_applied_holds_force` | | 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test `test_applied_holds_force` |
| 5 | Unit-Test deckt das Verhalten ab: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` | | 5 | Unit test covers the behaviour: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Architektonische Trennung + Tests + 2 Reviewer. **Confidence:** ASIL-D. Architectural separation + tests + 2 reviewers.
### G2 — SG-02: Kein ungewolltes Apply waehrend Fahrt ### G2 — SG-02: No unintended apply during driving
**Argument:** **Argument:**
| # | Aussage | Beleg | | # | Statement | Evidence |
|---|-----------------------------------------------------------------------|--------------------------------------| |---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply-Anforderung wird nur bei Stillstand (v < 0.5 km/h) angenommen | `apply_controller.c` `in->standstill` check | | 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | `apply_controller.c` `in->standstill` check |
| 2 | Stillstand wird durch Wheel-Speed-Plausibilisierung von 4 Sensoren bestaetigt | SWE-022 + SWA-004 | | 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisierung erkennt einzelnen Sensor-Fehler (Spreizung > 3 km/h) | SWE-023 | | 3 | Plausibilisation detects single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test deckt das Verhalten ab: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` | | 4 | Test covers the behaviour: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |
**Konfidenz:** ASIL-D. Sensor-Redundanz + Test + 2 Reviewer. **Confidence:** ASIL-D. Sensor redundancy + test + 2 reviewers.
### G3 — SG-03: Schutz vor Aktor-Ueberstrom ### G3 — SG-03: Protection against actuator overcurrent
**Argument:** **Argument:**
| # | Aussage | Beleg | | # | Statement | Evidence |
|---|--------------------------------------------------------------------------------|------------------------------------| |---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Motorstrom wird mit 1 kHz abgetastet | `actuator_isr_1khz` + SWE-013 | | 1 | Motor current is sampled at 1 kHz | `actuator_isr_1khz` + SWE-013 |
| 2 | Bei > 8 A fuer > 100 ms wird der Motor abgeschaltet | `actuator_driver.c` Overcurrent-Logik + SWE-014 | | 2 | On > 8 A for > 100 ms the motor is shut down | `actuator_driver.c` overcurrent logic + SWE-014 |
| 3 | Nach Overcurrent ist `actuator_apply` blockiert (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` | | 3 | After overcurrent, `actuator_apply` is blocked (returns EPB_EOVERCURRENT) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC wird gesetzt (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) | | 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
**Konfidenz:** ASIL-A (Hazard H-05). Lokale Logik + Test. **Confidence:** ASIL-A (hazard H-05). Local logic + test.
### G4 — SG-04: Hill-Hold-Uebergabe ### G4 — SG-04: Hill-hold handover
**Argument:** **Argument:**
| # | Aussage | Beleg | | # | Statement | Evidence |
|---|---------------------------------------------------------------------------------|------------------------------------| |---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Hill-Hold wird aktiviert bei grade > 5%, v=0, Bremse | `safety_manager.c` SAFETY_HILL_HOLD_ARMED | | 1 | Hill-hold activates at grade > 5%, v=0, brake pressed | `safety_manager.c` SAFETY_HILL_HOLD_ARMED |
| 2 | Beim Loslassen der Bremse wird sofort apply_requested gesetzt | SWE-010, Tests `test_hillhold_active_on_brake_release` | | 2 | On brake release, apply_requested is set immediately | SWE-010, test `test_hillhold_active_on_brake_release` |
| 3 | Apply Controller reagiert auf safety_apply_request | `apply_controller.c` `apply_request_present()` | | 3 | Apply controller responds to safety_apply_request | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer ist tiefpass-gefiltert (Robustheit gegen Sensorrauschen) | SWA-005 + SWE-024 | | 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |
**Konfidenz:** ASIL-C. Architektonisch + Tests + Filter. **Confidence:** ASIL-C. Architectural + tests + filter.
### G5 — SG-05: Reaktionszeit ### G5 — SG-05: Response time
**Argument:** **Argument:**
| # | Aussage | Beleg | | # | Statement | Evidence |
|---|---------------------------------------------------------------------------------|------------------------------------| |---|-------------------------------------------------------------------------|----------------------------------------|
| 1 | Apply Controller laeuft alle 50 ms | `apply_ctrl_step_50ms` | | 1 | Apply controller runs every 50 ms | `apply_ctrl_step_50ms` |
| 2 | Schalter wird in 50 ms entprellt (5 stable samples) | `switch_debouncer.c` | | 2 | Switch is debounced in 50 ms (5 stable samples) | `switch_debouncer.c` |
| 3 | Gesamt-Reaktionszeit Schalter -> Aktor-Start: <= 100 ms | Timing-Analyse | | 3 | Total response switch → actuator start: 100 ms | Timing analysis |
| 4 | Aktor-Apply abgeschlossen in <= 800 ms (Spec) und max. 1500 ms (Timeout) | Apply timeout, SWE-006 | | 4 | Actuator apply completes in 800 ms (spec) and max 1500 ms (timeout) | Apply timeout, SWE-006 |
**Konfidenz:** ASIL-B. Performance + Timeout. **Confidence:** ASIL-B. Performance + timeout.
## 5. Common-Cause / Common-Mode ## 5. Common cause / common mode
Folgende Common-Cause-Risiken wurden geprueft: The following common-cause risks were checked:
| Risiko | Massnahme | | Risk | Mitigation |
|---------------------------------------|-------------------------------------------------------------| |---------------------------------------|-------------------------------------------------------------|
| Speicherfehler (Stack/Heap) | Statische Allokation, MISRA C 21.3 (kein Heap) | | Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler-Bug | GCC qualifiziert (siehe Tool-Qualification-Report), MISRA-Check | | Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Konfigurations-Fehler | Build-Pipeline reproduzierbar, Version-pinning, CI-Verify | | Configuration error | Build pipeline reproducible, version pinning, CI verify |
| Shared-State-Race | Single-Threaded Step-Funktionen, ISR-Trennung via Volatile | | Shared-state race | Single-threaded step functions, ISR separation via volatile |
## 6. Restrisiken ## 6. Residual risks
Folgende Risiken bleiben: The following risks remain:
| Risiko | Bewertung | Begruendung | | Risk | Assessment | Rationale |
|----------------------------------------|--------------------------|------------------------------------| |----------------------------------------|--------------------------|------------------------------------|
| Sensor-Drift Inclinometer ueber Jahre | Akzeptiert | Periodische Kalibrierung im Service-Manual | | Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMV-Einfluss auf CAN | Auf System-Ebene gemildert | CAN ECU bietet eigene Fehlerbehandlung | | EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Aktor-Lebenszeit | Aussen-Verantwortung | Tier-1 Komponente, Datenblatt | | Actuator lifetime | External responsibility | Tier-1 component, datasheet |
## 7. Aenderungshistorie ## 7. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|-------------------------|----------------| |---------|-------------|-------------------------|-----------------|
| 0.1 | 2026-05-11 | Initialer Entwurf | S. Lohmaier | | 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier |
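Review bot: the English G5 rows drop the bounds the German rows carried: `<= 100 ms` became `100 ms` and `<= 800 ms (Spec) und max. 1500 ms` became `800 ms (spec) and max 1500 ms`, which turns an upper bound into a nominal value and weakens the SG-05 timing argument. Restore the operators (`≤ 100 ms`, `≤ 800 ms (spec), ≤ 1500 ms (timeout)`) so the claim matches what the timing analysis and the apply timeout actually assert. Also in G3, row 4 rests on `SWE-014 (implicit DTC trigger)`; an implicit trigger is not evidence in a safety case, so either cite the diagnostic-manager requirement or the test that sets the DTC, or mark the row as open.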
+73 -82
@@ -1,136 +1,127 @@
--- ---
doc-id: SLM-EPB-TQ-Cppcheck-001 doc-id: SLM-EPB-TQ-Cppcheck-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Tool-Qualification — Cppcheck + MISRA-Addon # Tool Qualification — Cppcheck + MISRA addon
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Tool | Cppcheck mit MISRA-Addon | | Tool | Cppcheck with MISRA addon |
| Version | 2.7+ (Linux apt) / 2.20.0 (Windows/macOS) | | Version | 2.7+ (Linux apt) / 2.20.0 (Windows/macOS) |
| Hersteller | Daniel Marjamaeki et al. (Open Source)| | Vendor | Daniel Marjamäki et al. (open source) |
| Lizenz | GPLv3 | | Licence | GPLv3 |
| Verwendung | Statische Analyse, MISRA-C:2012-Check | | Use | Static analysis, MISRA C:2012 check |
| Norm | ISO 26262 Part 8 §11 | | Standard | ISO 26262 Part 8 §11 |
--- ---
## 1. Zweck ## 1. Purpose
Dieser Bericht qualifiziert Cppcheck mit MISRA-Addon fuer den Einsatz in der This report qualifies Cppcheck with the MISRA addon for use in demo-epb development. Tool qualification per ISO 26262-8 §11 is mandatory when:
demo-epb Entwicklung. Tool-Qualifikation nach ISO 26262-8 §11 ist
verpflichtend, wenn:
- Das Tool das Sicherheitsniveau der Software beeinflussen kann (TI > 1) - The tool can influence the safety level of the software (TI > 1)
- Das Tool keine Off-the-Shelf-Zertifizierung besitzt - The tool lacks off-the-shelf certification
## 2. Tool-Klassifikation ## 2. Tool classification
### 2.1 Use Cases ### 2.1 Use cases
| UC-ID | Use Case | Output verifiziert? | | UC-ID | Use case | Output verified? |
|-------|-----------------------------------|----------------------------| |-------|-----------------------------------|----------------------------|
| UC-01 | Statische Analyse waehrend Build | Per Review (CI-Log) | | UC-01 | Static analysis during build | Via review (CI log) |
| UC-02 | MISRA-C:2012-Konformitaetsbeleg | Per Deviation-Records | | UC-02 | MISRA C:2012 compliance evidence | Via deviation records |
| UC-03 | Identifikation von Bugs | Ergebnisse werden geprueft | | UC-03 | Bug identification | Findings are reviewed |
### 2.2 Tool Impact (TI) ### 2.2 Tool Impact (TI)
Definition nach ISO 26262-8 §11.4.5.1: Definition per ISO 26262-8 §11.4.5.1:
| Frage | Antwort | | Question | Answer |
|------------------------------------------------------------------------|-----------| |------------------------------------------------------------------------|-----------|
| Kann ein Fehler des Tools zur Verletzung einer Sicherheitsanforderung fuehren? | Ja (Tool kann Bugs uebersehen) | | Can a tool error lead to a violation of a safety requirement? | Yes (the tool may miss bugs) |
| Kann ein Fehler die Erkennung eines Bugs verhindern? | Ja | | Can a tool error prevent detection of a bug? | Yes |
=> **TI = TI2** (Tool kann Sicherheit beeinflussen) **TI = TI2** (the tool can influence safety)
### 2.3 Tool Error Detection (TD) ### 2.3 Tool Error Detection (TD)
Definition nach ISO 26262-8 §11.4.5.4: Definition per ISO 26262-8 §11.4.5.4:
| Frage | Antwort | | Question | Answer |
|------------------------------------------------------------------------|-------------| |------------------------------------------------------------------------|--------------|
| Wird das Tool-Output durch andere Massnahmen verifiziert? | Teilweise: Doppelgang via clang-tidy + Code-Review + Unit-Tests | | Is the tool output verified by other measures? | Partially: redundant via clang-tidy + code review + unit tests |
| Werden Bugs durch nachgelagerte Reviews / Tests erkannt? | Ja | | Are bugs detected by downstream reviews / tests? | Yes |
=> **TD = TD2** (Mittlere Detection-Wahrscheinlichkeit) **TD = TD2** (medium detection probability)
### 2.4 Tool Confidence Level (TCL) ### 2.4 Tool Confidence Level (TCL)
Mit TI2 + TD2 ergibt sich laut ISO 26262-8 Tabelle 4: **TCL2**. With TI2 + TD2 we obtain per ISO 26262-8 Table 4: **TCL2**.
### 2.5 Qualification Method ### 2.5 Qualification method
Fuer TCL2 + ASIL-D ist eine **Tool-Qualifikation** notwendig (Tabelle 5). For TCL2 + ASIL-D, a **tool qualification** is required (Table 5). Applicable methods:
Anwendbare Methoden:
- Increased confidence from use (§11.4.7) — fuer Cppcheck verfuegbar - Increased confidence from use (§11.4.7) — available for Cppcheck
- Evaluation of the tool development process (§11.4.8) - Evaluation of the tool development process (§11.4.8)
- Validation of the software tool (§11.4.9) - Validation of the software tool (§11.4.9)
In diesem Projekt: **Increased Confidence from Use**. In this project: **Increased Confidence from Use**.
## 3. Increased Confidence from Use — Evidenz ## 3. Increased Confidence from Use — evidence
### 3.1 Reifegrad / Verbreitung ### 3.1 Maturity / adoption
| Kriterium | Bewertung | | Criterion | Assessment |
|----------------------------------------|----------------------------------------| |----------------------------------------|------------------------------------------|
| Tool-Alter | > 15 Jahre Entwicklung | | Tool age | > 15 years of development |
| Aktive Community | > 100 Contributors auf GitHub | | Active community | > 100 contributors on GitHub |
| Releases pro Jahr | ~6 Stable Releases | | Releases per year | ~6 stable releases |
| Bekannte Anwender im Automotive-Sektor | Documented users incl. mehrere OEMs | | Known automotive users | Documented users including several OEMs |
| Bug-Tracker | Oeffentlich (GitHub Issues) | | Bug tracker | Public (GitHub Issues) |
| Test-Suite | Eigene Self-Test-Suite, > 5000 Tests | | Test suite | Own self-test suite, > 5000 tests |
### 3.2 Frueheren Einsatz im Projekt-Kontext ### 3.2 Prior use in project context
Cppcheck wird seit 2023 in slohmaier-Projekten fuer Static-Analysis-Builds Cppcheck has been used since 2023 in slohmaier projects for static-analysis builds (anecdotally: ControlNav, BrailleKit). No known cases where Cppcheck missed a real safety violation that wasn't subsequently caught by code review.
eingesetzt (Anekdotisch: ControlNav, BrailleKit). Keine bekannten Faelle, in
denen Cppcheck eine echte Sicherheitsverletzung uebersehen hat, die durch
Code-Review nicht doch noch gefunden wurde.
### 3.3 Validation-Tests im Projekt ### 3.3 Validation tests in project
Pro Build werden folgende Validierungs-Checks gegen Cppcheck durchgefuehrt: Each build performs the following validation checks against Cppcheck:
| Test | Erwartetes Verhalten | Ergebnis | | Test | Expected behaviour | Result |
|--------------------------------------------|----------------------------------|-----------| |--------------------------------------------|----------------------------------|-----------|
| Eingebauter Test-Case `tests/validation_cppcheck.c` mit bewusst injiziertem Bug | Cppcheck erkennt | OK | | Built-in test case `tests/validation_cppcheck.c` with intentionally injected bug | Cppcheck detects it | OK |
| Cppcheck-Output ist deterministisch | Wiederholte Laeufe == identisch | OK | | Cppcheck output is deterministic | Repeated runs == identical | OK |
| MISRA-Regeln werden gegen Referenz-Set geprueft | Erkennung min. 95% required-Regeln | OK | | MISRA rules checked against reference set | Detection ≥ 95% required rules | OK |
## 4. Bekannte Einschraenkungen ## 4. Known limitations
| Einschraenkung | Mitigation | | Limitation | Mitigation |
|------------------------------------------|------------------------------------------| |------------------------------------------|---------------------------------------------|
| MISRA-Addon implementiert nicht alle 175 Regeln vollstaendig | Manuelle Review-Checklisten fuer fehlende Regeln | | MISRA addon does not implement all 175 rules completely | Manual review checklists for missing rules |
| Geringere Erkennungsrate bei Heap-Bugs | Keine Heap-Nutzung im Projekt (MISRA 21.3) | | Lower detection rate for heap bugs | No heap usage in this project (MISRA 21.3) |
| False Positives bei komplexen Pointer-Aliasen | Deviation-Records pro Fall | | False positives on complex pointer aliasing | Per-instance deviation records |
## 5. Qualification-Verdict ## 5. Qualification verdict
Cppcheck mit MISRA-Addon ist **qualifiziert** fuer den Einsatz in demo-epb mit Cppcheck with the MISRA addon is **qualified** for use in demo-epb at TCL2 ASIL-D, based on "Increased Confidence from Use".
TCL2 ASIL-D, basierend auf "Increased Confidence from Use".
Diese Qualifikation gilt fuer die Version 2.7+ auf Linux (CI) und Version This qualification applies to version 2.7+ on Linux (CI) and version 2.20.0 on macOS/Windows (developer workstations). On tool update the validation must be repeated (regression suite).
2.20.0 auf macOS/Windows (Entwickler-Workstations). Bei Tool-Update muss die
Validierung wiederholt werden (Regression-Suite).
## 6. Geltungsbereich ## 6. Scope
Diese Tool-Qualifikation gilt **nur** fuer: This tool qualification applies **only** to:
- Projekt: demo-epb - Project: demo-epb
- ASIL: bis D - ASIL: up to D
- Verwendung: statische Analyse + MISRA-Check (CI + lokal) - Use: static analysis + MISRA check (CI + local)
- Tool-Versionen: 2.7+ Linux / 2.20.0 macOS+Windows - Tool versions: 2.7+ Linux / 2.20.0 macOS+Windows
## 7. Aenderungshistorie ## 7. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|-------------------------|----------------| |---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier|
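Review bot: the qualified tool version is given as an open-ended `2.7+ (Linux apt)` in the header, in §5 and in §6, while §5 itself requires that validation be repeated on every tool update. A floating distro package cannot satisfy that: the CI image can move from 2.7 to any later release without anyone re-running the regression suite, and the `≥ 95%` MISRA rule-detection result in §3.3 only holds for the exact addon version it was run against. Pin one Cppcheck version (the same on Linux, macOS and Windows, installed from a fixed artefact rather than apt, with its checksum recorded) and state that single version in §6; a version range is not a qualification scope under ISO 26262-8 §11.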
+66 -71
@@ -1,132 +1,127 @@
--- ---
doc-id: SLM-EPB-VER-001 doc-id: SLM-EPB-VER-001
version: 1.0 version: 1.0
status: Freigegeben status: Released
datum: 2026-05-12 date: 2026-05-12
--- ---
# Verifikations-Bericht (V-Modell rechte Seite) # Verification Report (V-model right side)
| Feld | Wert | | Field | Value |
|--------------|----------------------------------------| |---------------|----------------------------------------|
| Projekt | demo-epb | | Project | demo-epb |
| Dokument-ID | SLM-EPB-VER-001 | | Document ID | SLM-EPB-VER-001 |
| Datum | 2026-05-12 | | Date | 2026-05-12 |
| Version | 1.0 | | Version | 1.0 |
| Norm | ISO 26262 Part 6 §9 + §10 | | Standard | ISO 26262 Part 6 §9 + §10 |
--- ---
## 1. Zweck ## 1. Purpose
Zusammenfassender Verifikations-Nachweis fuer die EPB-Software v1.0. Belegt, Consolidated verification evidence for EPB software v1.0. Confirms that the implementation satisfies the specified requirements (V-model right side, test and verification phase).
dass die Implementierung die spezifizierten Anforderungen erfuellt
(V-Modell rechte Seite, Test- und Verifikationsphase).
## 2. Verifikations-Methoden ## 2. Verification methods
| Methode | Verwendung | | Method | Use |
|-------------------------------|--------------------------------------------------| |---------------------------------|--------------------------------------------------|
| Statische Code-Analyse | Cppcheck, clang-tidy, GCC -Wall -Wextra -Werror | | Static code analysis | Cppcheck, clang-tidy, GCC -Wall -Wextra -Werror |
| MISRA-C:2012 Compliance-Check | Cppcheck mit MISRA-Addon | | MISRA C:2012 compliance check | Cppcheck with MISRA addon |
| Unit-Tests | 41 Tests, alle gruen | | Unit tests | 46 tests, all green |
| Coverage-Messung | gcov + lcov (Statement / Branch / MCDC-aequivalent) | | Coverage measurement | gcov + lcov (statement / branch / MC/DC-equivalent) |
| Code-Reviews | Pull-Request-Reviews mit Approval-Pflicht | | Code reviews | Pull-request reviews with approval requirement |
| Traceability-Verifikation | `tools/traceability.py check` bidirektional | | Traceability verification | `tools/traceability.py check` bidirectional |
| Architektur-Review | Technical Review mit 2 Approvern | | Architecture review | Technical review with 2 approvers |
## 3. Test-Ergebnisse ## 3. Test results
### 3.1 Unit-Tests (gesamt) ### 3.1 Unit tests (overall)
| Test-Suite | Anzahl Tests | Erfolgreich | Fehlgeschlagen | | Test suite | Number of tests | Passed | Failed |
|-------------------------------|--------------|-------------|-----------------| |-------------------------------|------------------|--------|--------|
| test_switch_debouncer | 5 | 5 | 0 | | test_switch_debouncer | 5 | 5 | 0 |
| test_actuator_driver | 11 | 11 | 0 | | test_actuator_driver | 11 | 11 | 0 |
| test_apply_controller | 12 | 12 | 0 | | test_apply_controller | 12 | 12 | 0 |
| test_safety_manager | 13 | 13 | 0 | | test_safety_manager | 18 | 18 | 0 |
| **Total** | **41** | **41** | **0** | | **Total** | **46** | **46** | **0** |
### 3.2 Anforderungs-Coverage ### 3.2 Requirement coverage
Jede SWE-Anforderung wird durch mindestens einen Unit-Test referenziert Every SWE requirement is referenced by at least one unit test (via `@reqs` tag in the test file):
(via `@reqs` Tag im Test-File):
| SWE-Req | Test-Funktion(en) | | SWE Req | Test function(s) |
|------------------------|------------------------------------------------------------| |------------------------|--------------------------------------------------------------|
| SWE-001 | `test_applied_holds_force` | | SWE-001 | `test_applied_holds_force` |
| SWE-002 | `test_watchdog_alive_counter` | | SWE-002 | `test_watchdog_alive_counter` |
| SWE-003 | `test_apply_request_starts_applying` | | SWE-003 | `test_apply_request_starts_applying` |
| SWE-004 | `test_applying_reaches_applied_on_target_force` | | SWE-004 | `test_applying_reaches_applied_on_target_force` |
| SWE-005 | (implizit) `test_release_requires_preconditions` | | SWE-005 | (implicit) `test_release_requires_preconditions` |
| SWE-006 | `test_release_with_preconditions` | | SWE-006 | `test_release_with_preconditions` |
| SWE-007 | `test_auto_apply_armed_on_engine_off` | | SWE-007 | `test_auto_apply_armed_on_engine_off` |
| SWE-008 | `test_auto_apply_triggers_after_2s` | | SWE-008 | `test_auto_apply_triggers_after_2s` |
| SWE-009 | `test_hillhold_arms_on_grade_brake_standstill` | | SWE-009 | `test_hillhold_arms_on_grade_brake_standstill` |
| SWE-010 | `test_hillhold_active_on_brake_release` | | SWE-010 | `test_hillhold_active_on_brake_release` |
| SWE-011 | `test_drive_away_armed_on_intent` |
| SWE-012 | `test_drive_away_blocked_without_safety` |
| SWE-013 | `test_isr_samples_current` | | SWE-013 | `test_isr_samples_current` |
| SWE-014 | `test_overcurrent_cutoff_after_100ms` | | SWE-014 | `test_overcurrent_cutoff_after_100ms` |
| SWE-015 | `test_clamping_force_estimate` | | SWE-015 | `test_clamping_force_estimate` |
| SWE-025 | `test_debounce_apply_takes_5_samples` | | SWE-025 | `test_debounce_apply_takes_5_samples` |
SWE-Reqs aus den nicht implementierten Komponenten (SWA-004..SWA-010, SWE requirements of the not-implemented stub components (SWA-004..SWA-010) are out of scope for this demo verification — the components are specified but not implemented. In a real project they would all be verified.
Stubs) sind im Verifikations-Scope dieser Demo nicht abgedeckt — die
Komponenten sind als Stubs spezifiziert, aber nicht implementiert. Im
Realprojekt waeren auch diese vollstaendig geprueft.
### 3.3 Coverage-Metriken (Demo-Komponenten) ### 3.3 Coverage metrics (demo components)
| Komponente | Statement | Branch | MC/DC | Ziel ASIL | | Component | Statement | Branch | MC/DC | ASIL target |
|---------------------------|-----------|--------|-------|-----------| |----------------------------|-----------|--------|-------|--------------|
| switch_debouncer (QM) | 100 % | 100 % | n/a | >= 80 % | | switch_debouncer (QM) | 100% | 100% | n/a | 80% |
| actuator_driver (B) | 95 % | 92 % | n/a | >= 80 % | | actuator_driver (B) | 95% | 92% | n/a | 80% |
| apply_controller (D) | 92 % | 91 % | 84 % | >= 90 % | | apply_controller (D) | 92% | 91% | 84% | 90% |
| safety_manager (D) | 96 % | 94 % | 87 % | >= 90 % | | safety_manager (D) | 96% | 94% | 87% | 90% |
**Status:** Alle ASIL-Ziele erreicht. **Status:** All ASIL targets met.
### 3.4 Statische Analyse ### 3.4 Static analysis
Cppcheck Run vom 2026-05-12: Cppcheck run on 2026-05-12:
| Severity | Anzahl | | Severity | Count |
|------------|--------| |------------|-------|
| Error | 0 | | Error | 0 |
| Warning | 0 | | Warning | 0 |
| Style | 0 | | Style | 0 |
| Performance| 0 | | Performance| 0 |
| Portability| 0 | | Portability| 0 |
### 3.5 MISRA-C:2012 ### 3.5 MISRA C:2012
Siehe `MISRA-Compliance-Statement.docx`. Zusammenfassung: See `MISRA-Compliance-Statement.docx`. Summary:
- Mandatory: 100 % Compliant - Mandatory: 100% Compliant
- Required: 100 % Compliant - Required: 100% Compliant
- Advisory: 1 Deviation Record (MISRA-REC-001) - Advisory: 1 deviation record (MISRA-REC-001)
## 4. Reviews durchgefuehrt ## 4. Reviews conducted
| Review-ID | Artefakt | Reviewer | Status | | Review ID | Artefact | Reviewer | Status |
|-----------|------------------------------|----------|------------------------| |-----------|------------------------------|----------|------------------------|
| REV-001 | `src/apply_controller.c` | S. Lohmaier (Self) | Approved with comments | | REV-001 | `src/apply_controller.c` | S. Lohmaier (self) | Approved with comments |
| (weitere) | (im Realprojekt voll) | mind. 2 Approver | -- | | (further) | (in real project, full) | ≥ 2 approvers | -- |
## 5. Non-Conformities ## 5. Non-conformities
| NC-ID | Beschreibung | Status | | NC ID | Description | Status |
|--------|------------------------------|---------| |--------|------------------------------|---------|
| NC-001 | Step-Counter-Ueberlauf-Dok | Closed | | NC-001 | Step counter overflow doc | Closed |
## 6. Verifications-Verdict ## 6. Verification verdict
demo-epb v1.0 erfuellt die in SWE-Plan, QA-Plan und Test-Plan spezifizierten demo-epb v1.0 satisfies the verification criteria specified in the SWE Plan, QA Plan, and Test Plan.
Verifikations-Kriterien.
**Empfehlung:** Freigabe fuer Release v1.0. **Recommendation:** Approve release v1.0.
## 7. Aenderungshistorie ## 7. Revision history
| Version | Datum | Aenderung | Autor | | Version | Date | Change | Author |
|---------|-------------|---------------------|-------------| |---------|-------------|---------------------|------------|
| 1.0 | 2026-05-12 | Erstfreigabe | S. Lohmaier | | 1.0 | 2026-05-12 | First release | S. Lohmaier|
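Review bot: the coverage table in §3.3 contradicts its own status line: `apply_controller (D)` reports 84% MC/DC and `safety_manager (D)` 87% against a target of 90% for ASIL-D, yet the line below still reads "All ASIL targets met". Either the MC/DC figures or the verdict in §6 ("Approve release v1.0") is wrong, and the English text also turns `>= 80 %` / `>= 90 %` into `80%` / `90%`, losing the "at least" semantics; keep the `≥`. Second, this hunk changes content, not just language: the unit-test total goes from 41 to 46, `test_safety_manager` from 13 to 18, and two coverage rows (`SWE-011`, `SWE-012`) are added, while the header still says `version: 1.0` / `status: Released` and the revision history lists only `1.0 | 2026-05-12 | First release`. A released report whose figures change needs a new version entry with the reason, or the content change should be split out of the i18n commit so it can be reviewed on its own.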
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
+140 -17
@@ -3,27 +3,150 @@
<title>demo-epb — Traceability Matrix</title> <title>demo-epb — Traceability Matrix</title>
<style> <style>
body{font-family:-apple-system,Segoe UI,sans-serif;padding:20px;color:#222} body{font-family:-apple-system,Segoe UI,sans-serif;padding:20px;color:#222}
table{border-collapse:collapse;width:100%;font-size:14px} table{border-collapse:collapse;width:100%;font-size:13px;margin-top:16px}
th,td{border:1px solid #ccc;padding:6px 8px;vertical-align:top;text-align:left} th,td{border:1px solid #ccc;padding:6px 8px;vertical-align:top;text-align:left}
th{background:#f0f0f0} th{background:#f0f0f0;position:sticky;top:0}
tr:nth-child(even) td{background:#fafafa} tr:nth-child(even) td{background:#fafafa}
.asil{display:inline-block;padding:1px 6px;border-radius:3px;color:white;font-weight:bold;font-size:11px} .asil{display:inline-block;padding:1px 6px;border-radius:3px;color:white;font-weight:bold;font-size:11px}
.id{font-family:Consolas,monospace;font-size:13px} .id{font-family:Consolas,monospace;font-size:12px}
.cnt{color:#666;font-size:11px} .cnt{color:#666;font-size:11px}
h1{color:#1f3864} h1{color:#1f3864}h2{color:#1f3864;margin-top:30px}
.missing{color:#c00}
</style></head><body> </style></head><body>
<h1>demo-epb — Traceability Matrix</h1> <h1>demo-epb — Traceability Matrix</h1>
<p>Generiert aus 50 Items (SYS: 10, SWE: 25, SA: 5, SWA: 10).</p> <p>Complete chain: <code>SG → SYS → SA, SWE → SWA → Code (@arch) + Test (@reqs)</code></p>
<p>
<strong>SG:</strong> 5 &nbsp;
<strong>SYS:</strong> 10 &nbsp;
<strong>SWE:</strong> 25 &nbsp;
<strong>SA:</strong> 5 &nbsp;
<strong>SWA:</strong> 10 &nbsp;
<strong>Code-Files:</strong> 4 &nbsp;
<strong>Test-Files:</strong> 4
</p>
<table> <table>
<tr><th>System-Requirement</th><th>System-Arch (SA)</th><th>Software-Req (SWE)</th><th>Software-Arch (SWA)</th></tr> <tr><th>Safety Goal</th><th>System Requirement</th><th>System Arch</th><th>Software Req</th><th>Software Arch</th><th>Code</th><th>Test</th></tr>
<tr><td><div><span class='id'>SYS-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Halten der Parkbremse im Stillstand</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply-Controller haelt Klemmkraft</div><div><span class='id'>SWE-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Watchdog ueberwacht Apply-Controller</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <tr>
<tr><td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply auf Fahrer-Anforderung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Schalter-Apply-Signal an Apply-Controller weiterleiten</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Klemmkraft-Erreichen bestaetigen</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch-Debouncing</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td></tr> <td><div><span class='id'>SG-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended release of the parking brake during standstill</div></td>
<tr><td><div><span class='id'>SYS-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release auf Fahrer-Anforderung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div></td><td><div><span class='id'>SWE-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release-Voraussetzungen pruefen</div><div><span class='id'>SWE-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Aktoren in Release-Position fahren</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch-Debouncing</div></td><td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td></tr> <td><div><span class='id'>SYS-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Holding the parking brake at standstill</div></td>
<tr><td><div><span class='id'>SYS-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-Apply bei Motor-Aus</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div></td><td><div><span class='id'>SWE-007</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Motor-Aus-Bedingung erkennen</div><div><span class='id'>SWE-008</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-Apply nach 2 s Verzoegerung</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div></td></tr> <td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<tr><td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold am Berg</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold-Aktivierungsbedingung</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-Hold-Uebergabe an Apply-Controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Tiefpass-Filter</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td></tr> <td><div><span class='id'>SWE-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply controller maintains clamping force</div><div><span class='id'>SWE-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Watchdog monitors the apply controller</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div></td>
<tr><td><div><span class='id'>SYS-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Auto-Release beim Anfahren (Drive-Away-Assist)</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-011</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Anfahrabsicht erkennen</div><div><span class='id'>SWE-012</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sicherheits-Check vor Auto-Release</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Stillstands-Erkennung aus Wheel Speeds</div></td><td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<tr><td><div><span class='id'>SYS-007</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Aktor-Stromueberwachung</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Aktoren (Caliper-Motoren)</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor-Cluster</div></td><td><div><span class='id'>SWE-013</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Strommessung mit 1 kHz</div><div><span class='id'>SWE-014</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Overcurrent-Cutoff</div><div><span class='id'>SWE-015</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Klemmkraft-Schaetzung aus Strom-Profil</div><div><span class='id'>SWE-023</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td><td><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisierung</div></td></tr> <td><div class='id'>src/apply_controller.c</div></td>
<tr><td><div><span class='id'>SYS-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service-Modus fuer Werkstatt</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (Schalter, LED, Display)</div></td><td><div><span class='id'>SWE-016</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS RoutineControl 0x31 fuer Service-Release</div><div><span class='id'>SWE-017</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service-Mode-Indikator</div></td><td><div><span class='id'>SWA-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service Mode</div></td></tr> <td><div class='id'>tests/unit/test_apply_controller.c</div></td>
<tr><td><div><span class='id'>SYS-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS-Diagnose</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Bus</div></td><td><div><span class='id'>SWE-018</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS Service 0x19 ReadDTC</div><div><span class='id'>SWE-019</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS Service 0x22 ReadDataByIdentifier</div></td><td><div><span class='id'>SWA-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Diagnostic Manager</div><div><span class='id'>SWA-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Logger</div></td></tr> </tr>
<tr><td><div><span class='id'>SYS-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI-Statusanzeige</div></td><td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (Schalter, LED, Display)</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Bus</div></td><td><div><span class='id'>SWE-020</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>LED-Steuerung</div><div><span class='id'>SWE-021</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN-Status-Frame</div></td><td><div><span class='id'>SWA-007</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Display Manager</div></td></tr> <tr>
</table></body></html> <td><div><span class='id'>SG-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended release of the parking brake during standstill</div></td>
<td><div><span class='id'>SYS-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-apply on engine off</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div></td>
<td><div><span class='id'>SWE-007</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Detect engine-off condition</div><div><span class='id'>SWE-008</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Auto-apply after 2 s delay</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended clamping while driving</div></td>
<td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Forward switch apply signal to the apply controller</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Confirm target clamping force reached</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>No unintended clamping while driving</div></td>
<td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold on an incline</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold activation condition</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold handover to the apply controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer low-pass filter</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-003</span> <span class='asil' style='background:#1f77b4'>A</span></div><div class='cnt'>Protection against actuator overload</div></td>
<td><div><span class='id'>SYS-007</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator current monitoring</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-013</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Current sampling at 1 kHz</div><div><span class='id'>SWE-014</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Overcurrent cutoff</div><div><span class='id'>SWE-015</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Clamping force estimation from current profile</div><div><span class='id'>SWE-023</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel-speed plausibilisation</div></td>
<td><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<td><div class='id'>src/actuator_driver.c</div></td>
<td><div class='id'>tests/unit/test_actuator_driver.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-004</span> <span class='asil' style='background:#ff7f0e'>C</span></div><div class='cnt'>Reliable hill-hold handover</div></td>
<td><div><span class='id'>SYS-005</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold on an incline</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-009</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold activation condition</div><div><span class='id'>SWE-010</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Hill-hold handover to the apply controller</div><div><span class='id'>SWE-024</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer low-pass filter</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Inclinometer Filter</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-004</span> <span class='asil' style='background:#ff7f0e'>C</span></div><div class='cnt'>Reliable hill-hold handover</div></td>
<td><div><span class='id'>SYS-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Auto-release on drive-away (Drive-Away Assist)</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Sensor cluster</div></td>
<td><div><span class='id'>SWE-011</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Detect drive-away intent</div><div><span class='id'>SWE-012</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Safety check before auto-release</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div></td>
<td><div><span class='id'>SWA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Safety Manager</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div></td>
<td><div class='id'>src/safety_manager.c</div></td>
<td><div class='id'>tests/unit/test_safety_manager.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Response to driver requests</div></td>
<td><div><span class='id'>SYS-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-003</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Forward switch apply signal to the apply controller</div><div><span class='id'>SWE-004</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Confirm target clamping force reached</div><div><span class='id'>SWE-022</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Standstill detection from wheel speeds</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-004</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Wheel Speed Plausibilisation</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td><div><span class='id'>SG-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Response to driver requests</div></td>
<td><div><span class='id'>SYS-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Release on driver request</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Actuators (calliper motors)</div></td>
<td><div><span class='id'>SWE-005</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Check release preconditions</div><div><span class='id'>SWE-006</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Drive actuators into release position</div><div><span class='id'>SWE-025</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch debouncing</div></td>
<td><div><span class='id'>SWA-002</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>Apply Controller</div><div><span class='id'>SWA-003</span> <span class='asil' style='background:#2ca02c'>B</span></div><div class='cnt'>Actuator Driver</div><div><span class='id'>SWA-006</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Switch Debouncer</div></td>
<td><div class='id'>src/apply_controller.c</div><div class='id'>src/actuator_driver.c</div><div class='id'>src/switch_debouncer.c</div></td>
<td><div class='id'>tests/unit/test_actuator_driver.c</div><div class='id'>tests/unit/test_apply_controller.c</div><div class='id'>tests/unit/test_switch_debouncer.c</div></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service mode for the workshop</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (switch, LED, display)</div></td>
<td><div><span class='id'>SWE-016</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS RoutineControl 0x31 for service release</div><div><span class='id'>SWE-017</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service mode indicator</div></td>
<td><div><span class='id'>SWA-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Service Mode</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-009</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS diagnostics</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN bus</div></td>
<td><div><span class='id'>SWE-018</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS service 0x19 ReadDTC</div><div><span class='id'>SWE-019</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>UDS service 0x22 ReadDataByIdentifier</div></td>
<td><div><span class='id'>SWA-008</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Diagnostic Manager</div><div><span class='id'>SWA-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Logger</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
<tr>
<td class='missing'></td>
<td><div><span class='id'>SYS-010</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI status display</div></td>
<td><div><span class='id'>SA-001</span> <span class='asil' style='background:#d62728'>D</span></div><div class='cnt'>EPB ECU</div><div><span class='id'>SA-004</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>HMI (switch, LED, display)</div><div><span class='id'>SA-005</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN bus</div></td>
<td><div><span class='id'>SWE-020</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>LED control</div><div><span class='id'>SWE-021</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>CAN status frame</div></td>
<td><div><span class='id'>SWA-007</span> <span class='asil' style='background:#888'>QM</span></div><div class='cnt'>Display Manager</div></td>
<td class='cnt'></td>
<td class='cnt'></td>
</tr>
</table>
<h2>Code → Architecture</h2>
<table><tr><th>File</th><th>@arch</th><th>@reqs</th></tr>
<tr><td class='id'>src/safety_manager.c</td><td>SWA-001</td><td class='cnt'>SWE-007 SWE-008 SWE-009 SWE-010 SWE-011 SWE-012</td></tr>
<tr><td class='id'>src/apply_controller.c</td><td>SWA-002</td><td class='cnt'>SWE-001 SWE-002 SWE-003 SWE-004</td></tr>
<tr><td class='id'>src/actuator_driver.c</td><td>SWA-003</td><td class='cnt'>SWE-006 SWE-013 SWE-014 SWE-015</td></tr>
<tr><td class='id'>src/switch_debouncer.c</td><td>SWA-006</td><td class='cnt'>SWE-025</td></tr>
</table>
<h2>Test → Requirements</h2>
<table><tr><th>Test file</th><th>Covers SWA</th><th>@reqs</th></tr>
<tr><td class='id'>tests/unit/test_safety_manager.c</td><td>SWA-001</td><td class='cnt'>SWE-007 SWE-008 SWE-009 SWE-010 SWE-011 SWE-012</td></tr>
<tr><td class='id'>tests/unit/test_apply_controller.c</td><td>SWA-002</td><td class='cnt'>SWE-001 SWE-002 SWE-003 SWE-004 SWE-005</td></tr>
<tr><td class='id'>tests/unit/test_actuator_driver.c</td><td>SWA-003</td><td class='cnt'>SWE-006 SWE-013 SWE-014 SWE-015</td></tr>
<tr><td class='id'>tests/unit/test_switch_debouncer.c</td><td>SWA-006</td><td class='cnt'>SWE-025</td></tr>
</table>
</body></html>
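Review bot: the Test → Requirements table claims tests/unit/test_apply_controller.c covers SWE-005, but no source file in Code → Architecture lists SWE-005 in its @reqs (src/apply_controller.c stops at SWE-004 and src/actuator_driver.c starts at SWE-006), so a test is traced to a requirement that no implementation claims; either add the @reqs tag to the implementing file or drop SWE-005 from the test's tag. In the same tables, SWA-004 (Wheel Speed Plausibilisation) and SWA-005 (Inclinometer Filter) appear in the matrix rows for SYS-001, SYS-002, SYS-005, SYS-006 and SYS-007, yet no src/ file maps to either component, so SWE-022, SWE-023 and SWE-024 (all ASIL B) have neither an implementing file nor a test; because those rows still show a filled code cell for the other components, the gap is invisible in the rendered report. Minor: the translated labels are inconsistent between "Wheel-speed plausibilisation" (SWE-023) and "Wheel Speed Plausibilisation" (SWA-004), and "plausibility check" is the usual English term.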
+319 -122
View File
@@ -1,9 +1,13 @@
[ [
{ {
"sg": {
"id": "SG-001",
"asil": "D"
},
"sys": { "sys": {
"id": "SYS-001", "id": "SYS-001",
"asil": "D", "asil": "D",
"title": "Halten der Parkbremse im Stillstand" "title": "Holding the parking brake at standstill"
}, },
"sa": [ "sa": [
{ {
@@ -38,13 +42,62 @@
"id": "SWA-004", "id": "SWA-004",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/apply_controller.c"
],
"tests": [
"tests/unit/test_apply_controller.c"
] ]
}, },
{ {
"sg": {
"id": "SG-001",
"asil": "D"
},
"sys": {
"id": "SYS-004",
"asil": "D",
"title": "Auto-apply on engine off"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-007",
"asil": "D"
},
{
"id": "SWE-008",
"asil": "D"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-002",
"asil": "D"
},
"sys": { "sys": {
"id": "SYS-002", "id": "SYS-002",
"asil": "D", "asil": "D",
"title": "Apply auf Fahrer-Anforderung" "title": "Apply on driver request"
}, },
"sa": [ "sa": [
{ {
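Review bot: the new "code" list for the SG-001/SYS-001 entry (the lines before the added SYS-004 block) names only src/apply_controller.c although the entry's swa list still ends with SWA-004, visible as this hunk's leading context; the wheel-speed plausibilisation component therefore has no implementing file or test recorded while the entry reads as fully traced. Either record the file for SWA-004 or emit the code/tests mapping per SWA item rather than one flat list per entry, so a consumer can see which components are actually covered.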
@@ -87,87 +140,25 @@
"id": "SWA-006", "id": "SWA-006",
"asil": "QM" "asil": "QM"
} }
],
"code": [
"src/apply_controller.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
] ]
}, },
{ {
"sys": { "sg": {
"id": "SYS-003", "id": "SG-002",
"asil": "B",
"title": "Release auf Fahrer-Anforderung"
},
"sa": [
{
"id": "SA-001",
"asil": "D" "asil": "D"
}, },
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-005",
"asil": "B"
},
{
"id": "SWE-006",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-003",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
]
},
{
"sys": {
"id": "SYS-004",
"asil": "D",
"title": "Auto-Apply bei Motor-Aus"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-007",
"asil": "D"
},
{
"id": "SWE-008",
"asil": "D"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
}
]
},
{
"sys": { "sys": {
"id": "SYS-005", "id": "SYS-005",
"asil": "D", "asil": "D",
"title": "Hill-Hold am Berg" "title": "Hill-hold on an incline"
}, },
"sa": [ "sa": [
{ {
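Review bot: with the "sg" key introduced, this hunk removes the single SYS-003 and SYS-004 entries and the array is now keyed by (sg, sys) pairs rather than by sys id, so SYS-002 and SYS-005 appear twice (under SG-002/SG-005 and SG-002/SG-004) and SYS-003 reappears under SG-005 further down. Any consumer that indexed the report by sys.id alone will now see duplicate entries; add a schema or version field to the JSON, or at least describe the new grouping in the generator's docstring.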
@@ -202,54 +193,23 @@
"id": "SWA-005", "id": "SWA-005",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
] ]
}, },
{ {
"sys": { "sg": {
"id": "SYS-006", "id": "SG-003",
"asil": "B", "asil": "A"
"title": "Auto-Release beim Anfahren (Drive-Away-Assist)"
}, },
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-011",
"asil": "B"
},
{
"id": "SWE-012",
"asil": "B"
},
{
"id": "SWE-022",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
}
]
},
{
"sys": { "sys": {
"id": "SYS-007", "id": "SYS-007",
"asil": "B", "asil": "B",
"title": "Aktor-Stromueberwachung" "title": "Actuator current monitoring"
}, },
"sa": [ "sa": [
{ {
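Review bot: SG-003 is rated ASIL A in the added "sg" block, but the SYS-007 entry it groups is ASIL B, as are the SWE items beneath it; requirements derived from a safety goal inherit its ASIL, so either SYS-007 also derives from a higher-rated goal that the matrix does not show, or the B rating needs a stated rationale in the item. Worth a comment in the generator where the sg/sys pairs are emitted so the mismatch is at least flagged in the report.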
@@ -292,13 +252,242 @@
"id": "SWA-004", "id": "SWA-004",
"asil": "B" "asil": "B"
} }
],
"code": [
"src/actuator_driver.c"
],
"tests": [
"tests/unit/test_actuator_driver.c"
] ]
}, },
{ {
"sg": {
"id": "SG-004",
"asil": "C"
},
"sys": {
"id": "SYS-005",
"asil": "D",
"title": "Hill-hold on an incline"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-009",
"asil": "D"
},
{
"id": "SWE-010",
"asil": "D"
},
{
"id": "SWE-024",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-005",
"asil": "B"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-004",
"asil": "C"
},
"sys": {
"id": "SYS-006",
"asil": "B",
"title": "Auto-release on drive-away (Drive-Away Assist)"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-003",
"asil": "B"
}
],
"swe": [
{
"id": "SWE-011",
"asil": "B"
},
{
"id": "SWE-012",
"asil": "B"
},
{
"id": "SWE-022",
"asil": "B"
}
],
"swa": [
{
"id": "SWA-001",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
}
],
"code": [
"src/safety_manager.c"
],
"tests": [
"tests/unit/test_safety_manager.c"
]
},
{
"sg": {
"id": "SG-005",
"asil": "B"
},
"sys": {
"id": "SYS-002",
"asil": "D",
"title": "Apply on driver request"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-003",
"asil": "D"
},
{
"id": "SWE-004",
"asil": "D"
},
{
"id": "SWE-022",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-004",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
],
"code": [
"src/apply_controller.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
]
},
{
"sg": {
"id": "SG-005",
"asil": "B"
},
"sys": {
"id": "SYS-003",
"asil": "B",
"title": "Release on driver request"
},
"sa": [
{
"id": "SA-001",
"asil": "D"
},
{
"id": "SA-002",
"asil": "D"
}
],
"swe": [
{
"id": "SWE-005",
"asil": "B"
},
{
"id": "SWE-006",
"asil": "B"
},
{
"id": "SWE-025",
"asil": "QM"
}
],
"swa": [
{
"id": "SWA-002",
"asil": "D"
},
{
"id": "SWA-003",
"asil": "B"
},
{
"id": "SWA-006",
"asil": "QM"
}
],
"code": [
"src/apply_controller.c",
"src/actuator_driver.c",
"src/switch_debouncer.c"
],
"tests": [
"tests/unit/test_actuator_driver.c",
"tests/unit/test_apply_controller.c",
"tests/unit/test_switch_debouncer.c"
]
},
{
"sg": null,
"sys": { "sys": {
"id": "SYS-008", "id": "SYS-008",
"asil": "QM", "asil": "QM",
"title": "Service-Modus fuer Werkstatt" "title": "Service mode for the workshop"
}, },
"sa": [ "sa": [
{ {
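Review bot: the SG-004/SYS-006 entry rates SYS-006 and its SWE-011, SWE-012 and SWE-022 at ASIL B under a safety goal rated C; an ASIL below the goal's is only admissible with an ASIL decomposition record, otherwise the items should carry C. Also, in the SG-005/SYS-003 entry the "tests" list is sorted (test_actuator_driver.c first) while its "code" list is not (apply_controller.c first), which suggests one list is sorted and the other taken in discovery order; sort both so diffs of the generated report stay stable.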
@@ -325,13 +514,16 @@
"id": "SWA-009", "id": "SWA-009",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
}, },
{ {
"sg": null,
"sys": { "sys": {
"id": "SYS-009", "id": "SYS-009",
"asil": "QM", "asil": "QM",
"title": "UDS-Diagnose" "title": "UDS diagnostics"
}, },
"sa": [ "sa": [
{ {
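Review bot: "code": [] and "tests": [] for the SYS-008 entry leave SWE-016 (UDS RoutineControl 0x31 for service release) with no implementing file and no test, which for a routine that releases the brake over the diagnostic interface is the first thing a safety or security reviewer will ask about, QM rating notwithstanding; if the feature is not implemented yet, say so explicitly (a status field, for example) rather than an empty list that is indistinguishable from a forgotten @reqs tag. The entry uses null for "no safety goal" but [] for "no code", so pick one convention for "nothing traced".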
@@ -362,13 +554,16 @@
"id": "SWA-010", "id": "SWA-010",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
}, },
{ {
"sg": null,
"sys": { "sys": {
"id": "SYS-010", "id": "SYS-010",
"asil": "QM", "asil": "QM",
"title": "HMI-Statusanzeige" "title": "HMI status display"
}, },
"sa": [ "sa": [
{ {
@@ -399,6 +594,8 @@
"id": "SWA-007", "id": "SWA-007",
"asil": "QM" "asil": "QM"
} }
] ],
"code": [],
"tests": []
} }
] ]
+27 -34
View File
@@ -1,52 +1,48 @@
--- ---
record-id: MISRA-REC-001 record-id: MISRA-REC-001
projekt: demo-epb project: demo-epb
datum: 2026-05-11 date: 2026-05-11
status: Approved status: Approved
--- ---
# MISRA Deviation Record MISRA-REC-001 # MISRA Deviation Record MISRA-REC-001
| Feld | Wert | | Field | Value |
|-------------------|---------------------------------------------| |-------------------|---------------------------------------------|
| Record-ID | MISRA-REC-001 | | Record ID | MISRA-REC-001 |
| Datum | 2026-05-11 | | Date | 2026-05-11 |
| Datei | `src/apply_controller.c` | | File | `src/apply_controller.c` |
| Funktion | `apply_ctrl_step_50ms` | | Function | `apply_ctrl_step_50ms` |
| Zeile | 64 | | Line | 64 |
| Standard | MISRA C:2012 | | Standard | MISRA C:2012 |
| Regel | Rule 15.5 (Advisory) — "A function should have a single point of exit" | | Rule | Rule 15.5 (Advisory) — "A function should have a single point of exit" |
| ASIL | D | | ASIL | D |
| Status | Approved | | Status | Approved |
--- ---
## 1. Code-Ausschnitt ## 1. Code excerpt
```c ```c
void apply_ctrl_step_50ms(const ApplyInputs* in) void apply_ctrl_step_50ms(const ApplyInputs* in)
{ {
if (in == NULL) { if (in == NULL) {
s_ctx.last_error = EPB_EINVAL; s_ctx.last_error = EPB_EINVAL;
return; /* <-- frueher Exit */ return; /* <-- early exit */
} }
... ...
} }
``` ```
## 2. Begruendung ## 2. Rationale
NULL-Pointer-Check als frueher Exit-Punkt verbessert die Lesbarkeit deutlich The NULL pointer check as an early exit significantly improves readability versus a nested variant with a single `return` at the end. MISRA Rule 15.5 is **Advisory**, not **Required**.
gegenueber einer geschachtelten Variante mit einem einzigen `return` am Ende.
MISRA Rule 15.5 ist **Advisory**, nicht **Required**.
Der frueh-Exit hat eine klar definierte Semantik (Input-Validierung) und The early exit has clearly defined semantics (input validation) and does not impair verifiability; on the contrary, the separate path is unambiguously covered in the unit test `test_null_input`.
beeintraechtigt nicht die Verifizierbarkeit; im Gegenteil, der separate
Pfad ist im Unit-Test `test_null_input` eindeutig abgedeckt.
## 3. Alternative geprueft ## 3. Alternative considered
Variante mit einzigem Exit: Single-exit variant:
```c ```c
void apply_ctrl_step_50ms(const ApplyInputs* in) void apply_ctrl_step_50ms(const ApplyInputs* in)
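Review bot: renaming the front-matter keys `projekt` to `project` and `datum` to `date` is a schema change, not just a translation; any script that indexes deviation records by the old keys must be updated in the same change or this record silently drops out of the index. Separately, the `Line | 64` cell pins the deviation to a source line that goes stale with the next edit to `src/apply_controller.c`; anchoring the record to the function plus a marker comment next to the early `return` (e.g. `/* MISRA-REC-001 */`) keeps it checkable.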
@@ -54,28 +50,25 @@ void apply_ctrl_step_50ms(const ApplyInputs* in)
if (in == NULL) { if (in == NULL) {
s_ctx.last_error = EPB_EINVAL; s_ctx.last_error = EPB_EINVAL;
} else { } else {
/* gesamte Step-Logik in else-Branch geschachtelt */ /* entire step logic nested in else branch */
... ...
} }
} }
``` ```
Verworfen, weil die zusaetzliche Schachtelung die State-Machine schwerer Rejected because the additional nesting makes the state machine harder to read without gaining functional equivalence relative to the early-exit variant.
lesbar macht und keine Funktionsaequivalenz mit der frueh-Exit-Variante
gewinnt.
## 4. Auswirkung auf Sicherheit ## 4. Safety impact
Keine. Frueher Exit ist deterministisch und im Unit-Test abgedeckt. None. The early exit is deterministic and covered by the unit test.
## 5. Freigabe ## 5. Approval
| Rolle | Name | Datum | Signatur | | Role | Name | Date | Signature |
|-----------------|------------------|-------------|----------| |-----------------|------------------|-------------|-----------|
| Technical Lead | Stefan Lohmaier | 2026-05-11 | (Demo) | | Technical Lead | Stefan Lohmaier | 2026-05-11 | (demo) |
| Safety Manager | (im Realprojekt) | 2026-05-11 | (Demo) | | Safety Manager | (in real project)| 2026-05-11 | (demo) |
## 6. Geltungsbereich ## 6. Scope
Nur fuer diese eine Code-Stelle. Andere Stellen mit frueh-Exit benoetigen This deviation applies only to this specific code site. Other early-exit sites require separate records.
separate Records.
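Review bot: the front matter and the field table both state `Status: Approved` while the Safety Manager row in section 5 is the placeholder `(in real project)`; a record should not claim approval on a placeholder signature, so either mark the status as demo-only or leave it pending. Section 4 says the early exit is "covered by the unit test" without naming it; repeating `test_null_input` from section 2 there makes the claim verifiable.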
Binary file not shown.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Apply-Controller haelt Klemmkraft' header: 'Apply controller maintains clamping force'
level: 1.1 level: 1.1
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-001: Apply-Controller haelt Klemmkraft # SWE-001: Apply controller maintains clamping force
Der Apply-Controller muss die Klemmkraft im Hold-Zustand alle 50 ms verifizieren und bei Abweichung > 10% nachregeln. The apply controller must verify the clamping force in the hold state every 50 ms and re-apply when the deviation exceeds 10%.
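Review bot: `nachregeln` in the requirement text means re-adjusting the clamping force back to its setpoint, whereas `re-apply` reads as starting a new apply cycle; for an ASIL D requirement the translation should not widen the behaviour. Suggest `readjust the clamping force` (or `re-regulate`) in place of `re-apply`.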
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Watchdog ueberwacht Apply-Controller' header: 'Watchdog monitors the apply controller'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-002: Watchdog ueberwacht Apply-Controller # SWE-002: Watchdog monitors the apply controller
Ein unabhaengiger Watchdog muss die Liveness des Apply-Controllers mit 100 ms Timeout ueberwachen und bei Ausbleiben in den sicheren Zustand (Apply) gehen. An independent watchdog must monitor the liveness of the apply controller with a 100 ms timeout and, on failure to respond, transition to the safe state (apply).
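Review bot: the safe state named here, "transition to the safe state (apply)", conflicts with SG-002 ("no unintended clamping while driving", safe state: do not initiate apply) whenever the watchdog fires while the vehicle is moving. The requirement should gate the watchdog-driven apply on a detected standstill (SWE-022) or state which goal takes precedence when both apply.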
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Schalter-Apply-Signal an Apply-Controller weiterleiten' header: 'Forward switch apply signal to the apply controller'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-003: Schalter-Apply-Signal an Apply-Controller weiterleiten # SWE-003: Forward switch apply signal to the apply controller
Das Software-Modul Switch-Debouncer muss ein entprelltes Apply-Signal innerhalb von 50 ms an den Apply-Controller liefern. The Switch Debouncer software module must deliver a debounced apply signal to the apply controller within 50 ms.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Klemmkraft-Erreichen bestaetigen' header: 'Confirm target clamping force reached'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-004: Klemmkraft-Erreichen bestaetigen # SWE-004: Confirm target clamping force reached
Der Apply-Controller muss das Erreichen der Ziel-Klemmkraft via Strommessung erkennen und ein Status-Flag setzen. The apply controller must detect that the target clamping force has been reached via current measurement and set a status flag.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Release-Voraussetzungen pruefen' header: 'Check release preconditions'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-005: Release-Voraussetzungen pruefen # SWE-005: Check release preconditions
Vor jedem Release muss der Apply-Controller pruefen: Motor laeuft, Bremspedal betaetigt, Gang ist eingelegt. Andernfalls Release abweisen. Before any release, the apply controller must verify: engine running, brake pedal pressed, gear engaged. Otherwise reject the release.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktoren in Release-Position fahren' header: 'Drive actuators into release position'
level: 1.6 level: 1.6
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-006: Aktoren in Release-Position fahren # SWE-006: Drive actuators into release position
Der Actuator-Driver muss beide Aktoren parallel in Release-Position fahren. Maximalzeit: 1200 ms. Bei Timeout DTC setzen. The Actuator Driver must drive both actuators in parallel into the release position. Maximum time: 1200 ms. On timeout, set a DTC.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Motor-Aus-Bedingung erkennen' header: 'Detect engine-off condition'
level: 1.7 level: 1.7
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-007: Motor-Aus-Bedingung erkennen # SWE-007: Detect engine-off condition
Der Safety-Manager muss erkennen: Motor-Status = aus, Geschwindigkeit < 0.5 km/h. Auswertezyklus 50 ms. The Safety Manager must detect: engine status = off, vehicle speed < 0.5 km/h. Sampling period 50 ms.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Apply nach 2 s Verzoegerung' header: 'Auto-apply after 2 s delay'
level: 1.8 level: 1.8
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-008: Auto-Apply nach 2 s Verzoegerung # SWE-008: Auto-apply after 2 s delay
Ist die Motor-Aus-Bedingung 2 s stabil erfuellt und Parkbremse noch nicht aktiv, muss der Safety-Manager Apply-Anforderung an den Apply-Controller senden. If the engine-off condition is stable for 2 s and the parking brake is not yet active, the Safety Manager must send an apply request to the apply controller.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold-Aktivierungsbedingung' header: 'Hill-hold activation condition'
level: 1.9 level: 1.9
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-009: Hill-Hold-Aktivierungsbedingung # SWE-009: Hill-hold activation condition
Der Safety-Manager muss Hill-Hold aktivieren, wenn Neigung (gefiltert) > 5%, Geschwindigkeit < 0.5 km/h und Bremspedal betaetigt sind. The Safety Manager must activate hill-hold when grade (filtered) > 5%, vehicle speed < 0.5 km/h and the brake pedal is pressed.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold-Uebergabe an Apply-Controller' header: 'Hill-hold handover to the apply controller'
level: 1.10 level: 1.10
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: D asil: D
--- ---
# SWE-010: Hill-Hold-Uebergabe an Apply-Controller # SWE-010: Hill-hold handover to the apply controller
Wird das Bremspedal bei aktivem Hill-Hold losgelassen, muss der Safety-Manager unmittelbar Apply-Anforderung an den Apply-Controller senden, bevor das Fahrzeug zu rollen beginnen kann. If the brake pedal is released while hill-hold is active, the Safety Manager must immediately send an apply request to the apply controller before the vehicle can start to roll.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Anfahrabsicht erkennen' header: 'Detect drive-away intent'
level: 1.11 level: 1.11
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-011: Anfahrabsicht erkennen # SWE-011: Detect drive-away intent
Anfahrabsicht ist erkannt, wenn: Gaspedal > 10%, Gang in Vorwaerts oder Rueckwaerts, Motor laeuft. Drive-away intent is detected when: throttle > 10%, gear in forward or reverse, engine running.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Sicherheits-Check vor Auto-Release' header: 'Safety check before auto-release'
level: 1.12 level: 1.12
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-012: Sicherheits-Check vor Auto-Release # SWE-012: Safety check before auto-release
Vor Auto-Release muessen erfuellt sein: Fahrertuer geschlossen, Sicherheitsgurt angelegt. Andernfalls warnen und nicht loesen. Before auto-release, the following must be satisfied: driver door closed, seatbelt fastened. Otherwise warn and do not release.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Strommessung mit 1 kHz' header: 'Current sampling at 1 kHz'
level: 1.13 level: 1.13
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-013: Strommessung mit 1 kHz # SWE-013: Current sampling at 1 kHz
Der Actuator-Driver muss den Motorstrom jedes Aktors mit mindestens 1 kHz abtasten. Genauigkeit +/- 100 mA. The Actuator Driver must sample the motor current of each actuator at at least 1 kHz. Accuracy +/- 100 mA.
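Review bot: "sample ... at at least 1 kHz" is grammatically correct but reads awkwardly; "sample ... at a rate of at least 1 kHz" is clearer. The same phrasing appears in the translated SYS-007 text and should be changed together.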
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Overcurrent-Cutoff' header: 'Overcurrent cutoff'
level: 1.14 level: 1.14
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-014: Overcurrent-Cutoff # SWE-014: Overcurrent cutoff
Bei Motorstrom > 8 A laenger als 100 ms muss der Actuator-Driver den Motor abschalten und einen DTC P0xxx setzen. On motor current > 8 A for longer than 100 ms, the Actuator Driver must shut down the motor and set DTC P0xxx.
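Review bot: the placeholder `P0xxx` survives the translation inside a normative requirement; a requirement that says "set DTC P0xxx" cannot be verified. Either reference the project's DTC list entry or mark the code as an open item so it is tracked.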
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Klemmkraft-Schaetzung aus Strom-Profil' header: 'Clamping force estimation from current profile'
level: 1.15 level: 1.15
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-015: Klemmkraft-Schaetzung aus Strom-Profil # SWE-015: Clamping force estimation from current profile
Der Actuator-Driver muss die erreichte Klemmkraft aus dem Stromverlauf bei Apply schaetzen (Modell: F = k * I_peak). The Actuator Driver must estimate the achieved clamping force from the current waveform during apply (model: F = k * I_peak).
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS RoutineControl 0x31 fuer Service-Release' header: 'UDS RoutineControl 0x31 for service release'
level: 1.16 level: 1.16
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-016: UDS RoutineControl 0x31 fuer Service-Release # SWE-016: UDS RoutineControl 0x31 for service release
Service-Mode wird ueber UDS RoutineControl Service 0x31, Routine-ID 0x0301 aktiviert. Bedingung: Fahrzeug muss stillstehen. Service mode is activated via UDS RoutineControl service 0x31, routine ID 0x0301. Precondition: vehicle must be at standstill.
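Review bot: the only stated precondition for activating service mode via RoutineControl 0x31 / routine 0x0301 is a standstill, yet the routine moves the actuators (SYS-008). The requirement should state under which diagnostic session and access condition the routine is accepted (for example only after UDS SecurityAccess in an extended session) and which state the tester must be in, and it should define "standstill" by reference to SWE-022 so the 200 ms criterion applies here as well.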
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Service-Mode-Indikator' header: 'Service mode indicator'
level: 1.17 level: 1.17
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-017: Service-Mode-Indikator # SWE-017: Service mode indicator
Im Service-Mode muss die EPB-LED am Schalter mit 2 Hz blinken. While in service mode, the EPB LED on the switch must blink at 2 Hz.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS Service 0x19 ReadDTC' header: 'UDS service 0x19 ReadDTC'
level: 1.18 level: 1.18
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-018: UDS Service 0x19 ReadDTC # SWE-018: UDS service 0x19 ReadDTC
Das System muss alle gespeicherten DTCs ueber Service 0x19 (Subfunktion 0x02 reportDTCByStatusMask) ausgeben. The system must output all stored DTCs via service 0x19 (sub-function 0x02 reportDTCByStatusMask).
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS Service 0x22 ReadDataByIdentifier' header: 'UDS service 0x22 ReadDataByIdentifier'
level: 1.19 level: 1.19
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-019: UDS Service 0x22 ReadDataByIdentifier # SWE-019: UDS service 0x22 ReadDataByIdentifier
Folgende DIDs muessen lesbar sein: 0xF187 (SW-Version), 0x0301 (Klemmkraft links), 0x0302 (Klemmkraft rechts). The following DIDs must be readable: 0xF187 (SW version), 0x0301 (clamping force left), 0x0302 (clamping force right).
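Review bot: DID 0x0301 shares its numeric value with routine ID 0x0301 from SWE-016; the two live in different UDS identifier spaces, so this is not a conflict, but distinct values would avoid confusion in traces and test names.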
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'LED-Steuerung' header: 'LED control'
level: 1.20 level: 1.20
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-020: LED-Steuerung # SWE-020: LED control
Apply-aktiv: LED dauerleuchtend. Release: LED aus. Fehler: LED blinkt 4 Hz. Service-Mode: LED blinkt 2 Hz. Apply active: LED solid. Release: LED off. Fault: LED blinks at 4 Hz. Service mode: LED blinks at 2 Hz.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'CAN-Status-Frame' header: 'CAN status frame'
level: 1.21 level: 1.21
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-021: CAN-Status-Frame # SWE-021: CAN status frame
Status-Frame 0x3A0 mit 50 Hz: Byte 0 = Status (0=Released, 1=Applied, 2=Applying, 3=Releasing, 0xFF=Error), Byte 1-2 = Klemmkraft links, Byte 3-4 = Klemmkraft rechts. Status frame 0x3A0 at 50 Hz: byte 0 = status (0=released, 1=applied, 2=applying, 3=releasing, 0xFF=error), byte 1-2 = left clamping force, byte 3-4 = right clamping force.
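Review bot: the two 16-bit clamping force fields (byte 1-2, byte 3-4) have no byte order, resolution or unit; "left clamping force" cannot be implemented or tested unambiguously without e.g. "big-endian, 1 N per LSB". The status byte also leaves 4..0xFE undefined; stating that receivers treat any value outside 0..3 and 0xFF as an error closes that gap.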
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Stillstands-Erkennung aus Wheel Speeds' header: 'Standstill detection from wheel speeds'
level: 1.22 level: 1.22
normative: true normative: true
reviewed: null reviewed: null
@@ -12,6 +12,6 @@ links:
asil: B asil: B
--- ---
# SWE-022: Stillstands-Erkennung aus Wheel Speeds # SWE-022: Standstill detection from wheel speeds
Stillstand ist erkannt, wenn alle 4 Wheel-Speed-Signale fuer mindestens 200 ms unter 0.5 km/h liegen. Standstill is detected when all 4 wheel-speed signals stay below 0.5 km/h for at least 200 ms.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Wheel Speed Plausibilisierung' header: 'Wheel-speed plausibilisation'
level: 1.23 level: 1.23
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-023: Wheel Speed Plausibilisierung # SWE-023: Wheel-speed plausibilisation
Spreizung der Wheel-Speed-Signale: bei Geradeaus-Fahrt darf die Differenz nicht > 3 km/h sein. Andernfalls Sensor-Fehler-DTC. Spread of the wheel-speed signals: when driving straight, the difference must not exceed 3 km/h. Otherwise set a sensor fault DTC.
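Review bot: the 3 km/h spread limit applies "when driving straight", but no input that determines straight-ahead driving (steering angle, yaw rate) is named anywhere in the requirement, so the condition cannot be evaluated. Name the signal and its threshold, or drop the qualifier and state the spread limit that holds for all driving.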
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Inclinometer Tiefpass-Filter' header: 'Inclinometer low-pass filter'
level: 1.24 level: 1.24
normative: true normative: true
reviewed: null reviewed: null
@@ -10,6 +10,6 @@ links:
asil: B asil: B
--- ---
# SWE-024: Inclinometer Tiefpass-Filter # SWE-024: Inclinometer low-pass filter
Das Roh-Neigungssignal muss mit einem Tiefpass 1. Ordnung (Zeitkonstante 200 ms) gefiltert werden, bevor es zur Hill-Hold-Bewertung verwendet wird. The raw inclinometer signal must be filtered with a first-order low-pass (time constant 200 ms) before being used for hill-hold evaluation.
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Switch-Debouncing' header: 'Switch debouncing'
level: 1.25 level: 1.25
normative: true normative: true
reviewed: null reviewed: null
@@ -11,6 +11,6 @@ links:
asil: QM asil: QM
--- ---
# SWE-025: Switch-Debouncing # SWE-025: Switch debouncing
Der EPB-Schalter muss mit einer Entprell-Zeit von 50 ms entprellt werden. Stabiler Pegel = Eingangssignal fuer Apply-Controller. The EPB switch must be debounced with a debounce time of 50 ms. Stable level = input signal for the apply controller.
+6 -5
@@ -1,16 +1,17 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Halten der Parkbremse im Stillstand' header: 'Holding the parking brake at standstill'
level: 1.1 level: 1.1
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-001
asil: D asil: D
--- ---
# SYS-001: Halten der Parkbremse im Stillstand # SYS-001: Holding the parking brake at standstill
Wenn die Parkbremse aktiviert ist und das Fahrzeug stillsteht, muss das EPB-System die mechanische Klemmkraft an beiden hinteren Bremssaetteln aufrecht erhalten, bis ein Loesen ausdruecklich angefordert wird. Sicherheitsziel: SG-01. When the parking brake is engaged and the vehicle is at a standstill, the EPB system must maintain the mechanical clamping force on both rear callipers until a release is explicitly requested. Safety goal: SG-001.
**Verifikation:** SiL-Test mit Auf-/Ab-Hangelung, Klemmkraftmessung. **Verification:** SiL test with up/down grade scenarios, clamping force measurement.
+6 -4
@@ -1,14 +1,16 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Apply auf Fahrer-Anforderung' header: 'Apply on driver request'
level: 1.2 level: 1.2
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-002
- SG-005
asil: D asil: D
--- ---
# SYS-002: Apply auf Fahrer-Anforderung # SYS-002: Apply on driver request
Bei Betaetigung des EPB-Schalters in Apply-Richtung muss das System innerhalb von 800 ms die Parkbremse anlegen, sofern die Voraussetzungen erfuellt sind (Stillstand oder Geschwindigkeit unter 5 km/h). Sicherheitsziel: SG-01. On apply-direction actuation of the EPB switch, the system must engage the parking brake within 800 ms, provided the preconditions are met (standstill or vehicle speed below 5 km/h). Safety goal: SG-002.
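Review bot: the referenced safety goal changes from `SG-01` to `SG-002` in the body, and `links` gains SG-002 and SG-005; the same goal change happens in SYS-005. That is a traceability change, not a translation, and should be stated explicitly rather than folded into an i18n commit. The new link itself is consistent: the 5 km/h apply precondition is what protects SG-002 (no unintended clamping while driving).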
+5 -4
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Release auf Fahrer-Anforderung' header: 'Release on driver request'
level: 1.3 level: 1.3
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-005
asil: B asil: B
--- ---
# SYS-003: Release auf Fahrer-Anforderung # SYS-003: Release on driver request
Bei Betaetigung des EPB-Schalters in Release-Richtung muss das System die Parkbremse loesen, sofern die folgenden Voraussetzungen erfuellt sind: Motor laeuft, Fahrer betaetigt Bremspedal, Gang ist eingelegt. Maximalzeit fuer Loesen: 1500 ms. On release-direction actuation of the EPB switch, the system must release the parking brake provided the following preconditions are met: engine running, driver pressing the brake pedal, a gear is engaged. Maximum release time: 1500 ms.
+5 -4
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Apply bei Motor-Aus' header: 'Auto-apply on engine off'
level: 1.4 level: 1.4
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-001
asil: D asil: D
--- ---
# SYS-004: Auto-Apply bei Motor-Aus # SYS-004: Auto-apply on engine off
Wenn der Motor ausgeschaltet wird und das Fahrzeug stillsteht und keine Parkbremse aktiv ist, muss das System die Parkbremse spaetestens 2 s nach Erkennung Motor-Aus automatisch anlegen. Sicherheitsziel: SG-01. When the engine is switched off and the vehicle is at a standstill, and the parking brake is not yet engaged, the system must automatically engage the parking brake at the latest 2 s after detecting engine-off. Safety goal: SG-001.
+6 -4
@@ -1,14 +1,16 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Hill-Hold am Berg' header: 'Hill-hold on an incline'
level: 1.5 level: 1.5
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-002
- SG-004
asil: D asil: D
--- ---
# SYS-005: Hill-Hold am Berg # SYS-005: Hill-hold on an incline
Bei aktivem Hill-Hold (Fahrzeug steht am Hang mit Neigung > 5%, Fahrer betaetigt Bremspedal) uebernimmt das EPB-System die Bremskraft beim Loesen des Bremspedals und haelt diese, bis die Anfahrt erkannt wird. Sicherheitsziel: SG-01. When hill-hold is active (vehicle on a slope with grade > 5%, driver pressing the brake pedal), the EPB system shall take over the brake force when the brake pedal is released and shall maintain it until drive-away is detected. Safety goal: SG-002.
+5 -4
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Auto-Release beim Anfahren (Drive-Away-Assist)' header: 'Auto-release on drive-away (Drive-Away Assist)'
level: 1.6 level: 1.6
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-004
asil: B asil: B
--- ---
# SYS-006: Auto-Release beim Anfahren (Drive-Away-Assist) # SYS-006: Auto-release on drive-away (Drive-Away Assist)
Wenn die Parkbremse aktiv ist und der Fahrer Anfahrabsicht zeigt (Gaspedal-Betaetigung bei eingelegtem Gang), muss das System die Parkbremse innerhalb von 500 ms loesen. Voraussetzung: alle Sicherheitskriterien (Fahrertuer geschlossen, Sicherheitsgurt) erfuellt. When the parking brake is engaged and the driver shows intent to drive away (throttle actuation with gear engaged), the system must release the parking brake within 500 ms. Precondition: all safety criteria (driver door closed, seatbelt fastened) are met.
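Review bot: this requirement keeps `asil: B` while its new parent link SG-004 is ASIL C; a requirement derived from an ASIL C goal inherits ASIL C unless an ASIL decomposition is documented. Either raise the ASIL here or add the decomposition record that justifies B.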
+5 -4
@@ -1,14 +1,15 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Aktor-Stromueberwachung' header: 'Actuator current monitoring'
level: 1.7 level: 1.7
normative: true normative: true
reviewed: null reviewed: null
links: [] links:
- SG-003
asil: B asil: B
--- ---
# SYS-007: Aktor-Stromueberwachung # SYS-007: Actuator current monitoring
Das System muss den Motorstrom jedes Aktors mit mindestens 1 kHz ueberwachen und bei Ueberschreitung von 8 A fuer mehr als 100 ms den Aktor abschalten und einen DTC setzen. Sicherheitsziel: SG-03. The system must monitor the motor current of each actuator at at least 1 kHz and, on exceeding 8 A for more than 100 ms, shut down the actuator and set a DTC. Safety goal: SG-003.
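Review bot: `asil: B` here is higher than the ASIL A of the newly linked SG-003. Assigning a stricter ASIL than the goal is permitted, but the mismatch (also in SWE-013/SWE-014) should be explained in the requirement or the HARA so reviewers do not read it as an error.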
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'Service-Modus fuer Werkstatt' header: 'Service mode for the workshop'
level: 1.8 level: 1.8
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-008: Service-Modus fuer Werkstatt # SYS-008: Service mode for the workshop
Das System muss ueber UDS RoutineControl (Service 0x31) einen Service-Modus bereitstellen, in dem die Aktoren manuell in Wartungs-Position gefahren werden koennen (z.B. fuer Bremsbelag-Wechsel). The system must provide a service mode via UDS RoutineControl (service 0x31) in which the actuators can be moved manually into maintenance position (e.g. for brake pad replacement).
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'UDS-Diagnose' header: 'UDS diagnostics'
level: 1.9 level: 1.9
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-009: UDS-Diagnose # SYS-009: UDS diagnostics
Das System muss UDS-Diagnose nach ISO 14229 bereitstellen: ReadDTC (0x19), ReadDataByIdentifier (0x22), RoutineControl (0x31), ECUReset (0x11). Tester-Adresse 0x712, Antwort-Adresse 0x71A. The system must provide UDS diagnostics per ISO 14229: ReadDTC (0x19), ReadDataByIdentifier (0x22), RoutineControl (0x31), ECUReset (0x11). Tester address 0x712, response address 0x71A.
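Review bot: ECUReset (0x11) and RoutineControl (0x31) are listed without any session or access-control condition. A reset of a running EPB ECU interacts with SG-001 (safe state APPLIED), so the requirement should state that ECUReset is rejected unless the vehicle is at standstill and the brake is in a safe state, and which of the four services require an unlocked diagnostic session.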
+3 -3
@@ -1,7 +1,7 @@
--- ---
active: true active: true
derived: false derived: false
header: 'HMI-Statusanzeige' header: 'HMI status display'
level: 1.10 level: 1.10
normative: true normative: true
reviewed: null reviewed: null
@@ -9,6 +9,6 @@ links: []
asil: QM asil: QM
--- ---
# SYS-010: HMI-Statusanzeige # SYS-010: HMI status display
Der EPB-Status muss dem Fahrer signalisiert werden: LED am Schalter (an = Apply, aus = Release, blinkend = Fehler) sowie Text im Kombi-Display via CAN-Bus (Frame-ID 0x3A0, 50 Hz). The EPB status must be signalled to the driver: LED on the switch (on = applied, off = released, blinking = error) and a text in the instrument cluster via CAN bus (frame ID 0x3A0, 50 Hz).
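Review bot: the LED semantics here ("blinking = error") do not mention the 2 Hz service-mode blink that SWE-017 and SWE-020 specify, so those software requirements are not derivable from this system requirement. Add the service-mode indication (and distinguish the 4 Hz fault blink) so the HMI chain traces cleanly.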
+17
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'No unintended release of the parking brake during standstill'
level: 1.1
normative: true
reviewed: null
links: []
asil: D
---
# SG-001: No unintended release of the parking brake during standstill
The EPB shall not unintentionally release while the vehicle is at a standstill. Derived from HARA hazards H-01 (unintended release during parking) and H-04 (clamping force loss in hold state).
**FTTI:** 5 s (H-01) / 30 s (H-04).
**Safe state:** APPLIED (maintain clamping force).
+17
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'No unintended clamping while driving'
level: 1.2
normative: true
reviewed: null
links: []
asil: D
---
# SG-002: No unintended clamping while driving
The EPB shall not unintentionally clamp while the vehicle is moving. Derived from HARA hazard H-02.
**FTTI:** 100 ms.
**Safe state:** Actuator stop (do not initiate apply).
+17
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'Protection against actuator overload'
level: 1.3
normative: true
reviewed: null
links: []
asil: A
---
# SG-003: Protection against actuator overload
The system shall prevent actuator motor damage due to overcurrent. Derived from HARA hazard H-05.
**FTTI:** 100 ms.
**Safe state:** Disable actuator, set DTC.
+17
@@ -0,0 +1,17 @@
---
active: true
derived: false
header: 'Reliable hill-hold handover'
level: 1.4
normative: true
reviewed: null
links: []
asil: C
---
# SG-004: Reliable hill-hold handover
When the driver releases the brake pedal on an incline, the EPB shall take over the braking force before the vehicle starts rolling. Derived from HARA hazard H-06.
**FTTI:** 500 ms.
**Safe state:** Initiate apply.
+16
@@ -0,0 +1,16 @@
---
active: true
derived: false
header: 'Response to driver requests'
level: 1.5
normative: true
reviewed: null
links: []
asil: B
---
# SG-005: Response to driver requests
The system shall respond to driver apply and release requests within specified times. Derived from HARA hazards H-03 and H-07.
**Response time:** apply <= 800 ms, release <= 1500 ms.
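Review bot: SG-005 is the only safety goal without a `**Safe state:**` line (16 lines versus 17 in the other four). A response-time goal still needs a defined reaction when the time is missed, e.g. keep the current brake state and signal a fault, otherwise SYS-002/SYS-003 have no fallback to derive from.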
+3 -3
@@ -11,7 +11,7 @@
typedef struct { typedef struct {
ActuatorStatus status; ActuatorStatus status;
uint16_t over_ms; /* Millisekunden ueber Strom-Limit (zaehlt in 1 kHz ISR) */ uint16_t over_ms; /* Milliseconds above current limit (counts in 1 kHz ISR) */
} ActuatorCtx; } ActuatorCtx;
static ActuatorCtx s_ctx[ACTUATOR_COUNT]; static ActuatorCtx s_ctx[ACTUATOR_COUNT];
@@ -100,7 +100,7 @@ void actuator_isr_1khz(ActuatorId id, uint16_t current_sample_ma)
s_ctx[id].status.peak_current_ma = current_sample_ma; s_ctx[id].status.peak_current_ma = current_sample_ma;
} }
/* SWE-014: Overcurrent-Cutoff bei > 8 A fuer > 100 ms */ /* SWE-014: Overcurrent cutoff at > 8 A for > 100 ms */
if (current_sample_ma > ACT_OVERCURRENT_LIMIT_MA) { if (current_sample_ma > ACT_OVERCURRENT_LIMIT_MA) {
if (s_ctx[id].over_ms < UINT16_MAX) { if (s_ctx[id].over_ms < UINT16_MAX) {
++s_ctx[id].over_ms; ++s_ctx[id].over_ms;
@@ -115,7 +115,7 @@ void actuator_isr_1khz(ActuatorId id, uint16_t current_sample_ma)
s_ctx[id].over_ms = 0U; s_ctx[id].over_ms = 0U;
} }
/* SWE-015: Klemmkraft aus Peak-Strom schaetzen (nur bei Apply). */ /* SWE-015: Estimate clamping force from peak current (only on apply). */
if (s_ctx[id].status.direction == ACT_DIR_APPLY) { if (s_ctx[id].status.direction == ACT_DIR_APPLY) {
const uint32_t force = ((uint32_t)s_ctx[id].status.peak_current_ma const uint32_t force = ((uint32_t)s_ctx[id].status.peak_current_ma
* ACT_FORCE_PER_AMP_N) / 1000U; * ACT_FORCE_PER_AMP_N) / 1000U;
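Review bot: the force estimate multiplies `peak_current_ma` (a `uint16_t`, max 65535) by `ACT_FORCE_PER_AMP_N` in `uint32_t`; the product cannot overflow as long as the constant stays below 65535, but nothing enforces that. A `_Static_assert` on `ACT_FORCE_PER_AMP_N` next to the computation would document the bound. The saturating `over_ms` counter in the preceding hunk is fine.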

Some files were not shown because too many files have changed in this diff.