---
doc-id: SLM-EPB-SC-001
version: 1.0
status: Released
date: 2026-05-12
---

# Safety Case — demo-epb

| Field | Value |
|-------------|-------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-SC-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Author | Stefan Lohmaier |
| Approver | (Safety Manager, in real project) |

---

## 1. Purpose

This document argues that the EPB system satisfies the safety goals identified in the HARA. The argument is structured per Goal Structuring Notation (GSN) and presented in tabular form for audit purposes.

## 2. Top goal

**G0:** The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.

## 3. Argument structure

| Goal | Claim | Strategy | Evidence |
|------|-------|----------|----------|
| G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |

## 4. Detail arguments

### G1 — SG-01: No unintended release

**Argument:**

| # | Statement | Evidence |
|---|-----------|----------|
| 1 | Apply controller leaves APPLIED only on an explicit release request with the preconditions met | `apply_controller.c` lines 95-110 (`case EPB_STATE_APPLIED`) |
| 2 | Release preconditions check engine + brake + gear | `release_preconditions_ok()` + SWE-005 |
| 3 | Watchdog detects an apply controller hang and falls into the safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test `test_applied_holds_force` |
| 5 | Unit test covers the behaviour: `test_release_requires_preconditions` | `tests/unit/test_apply_controller.c` |

**Confidence:** ASIL-D. Architectural separation + tests + 2 reviewers.

### G2 — SG-02: No unintended apply during driving

**Argument:**

| # | Statement | Evidence |
|---|-----------|----------|
| 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | `apply_controller.c` `in->standstill` check |
| 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisation detects a single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test covers the behaviour: `test_no_apply_without_standstill` | `tests/unit/test_apply_controller.c` |

**Confidence:** ASIL-D. Sensor redundancy + test + 2 reviewers.
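The standstill gate argued under G2, as an added example in C that is not the demo-epb project's own code: four wheel speeds are plausibilised against the 3 km/h spread limit, standstill is confirmed only below 0.5 km/h, and a sensor disagreement is treated as "not standstill" so the apply request is rejected. The function and type names (`epb_check_standstill`, `epb_apply_accepted`, `epb_standstill_t`) are assumptions.

```c
/* Added example (not demo-epb project code): standstill plausibilisation
 * as argued under G2. Thresholds follow the safety case; the function and
 * type names are assumptions. */
#include <stdbool.h>

#define EPB_WHEEL_COUNT     4
#define EPB_STANDSTILL_KMH  0.5f   /* v < 0.5 km/h counts as standstill */
#define EPB_MAX_SPREAD_KMH  3.0f   /* spread > 3 km/h => single sensor fault */

typedef enum {
    EPB_STANDSTILL_CONFIRMED,  /* sensors agree and vehicle is at rest */
    EPB_MOVING,                /* sensors agree and vehicle is moving */
    EPB_SENSOR_FAULT           /* sensors disagree: standstill not trusted */
} epb_standstill_t;

/* Plausibilise one set of four wheel-speed samples (km/h). */
epb_standstill_t epb_check_standstill(const float kmh[EPB_WHEEL_COUNT])
{
    float lo = kmh[0], hi = kmh[0];
    for (int i = 1; i < EPB_WHEEL_COUNT; i++) {
        if (kmh[i] < lo) lo = kmh[i];
        if (kmh[i] > hi) hi = kmh[i];
    }
    /* A single failed sensor shows up as a spread above the limit. */
    if ((hi - lo) > EPB_MAX_SPREAD_KMH)
        return EPB_SENSOR_FAULT;
    /* Vote with the highest reading so one stuck-at-zero sensor cannot
     * make a moving vehicle look stationary. */
    return (hi < EPB_STANDSTILL_KMH) ? EPB_STANDSTILL_CONFIRMED : EPB_MOVING;
}

/* Apply gate for SG-02: a driver apply request is accepted only at confirmed
 * standstill; a sensor fault is treated as "not standstill" (fail-safe). */
bool epb_apply_accepted(bool apply_requested, const float kmh[EPB_WHEEL_COUNT])
{
    return apply_requested &&
           epb_check_standstill(kmh) == EPB_STANDSTILL_CONFIRMED;
}
```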
### G3 — SG-03: Protection against actuator overcurrent

**Argument:**

| # | Statement | Evidence |
|---|-----------|----------|
| 1 | Motor current is sampled at 1 kHz | `actuator_isr_1khz` + SWE-013 |
| 2 | On > 8 A for > 100 ms the motor is shut down | `actuator_driver.c` overcurrent logic + SWE-014 |
| 3 | After an overcurrent event, `actuator_apply` is blocked (returns `EPB_EOVERCURRENT`) | Test `test_overcurrent_blocks_subsequent_apply` |
| 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |

**Confidence:** ASIL-A (hazard H-05). Local logic + test.

### G4 — SG-04: Hill-hold handover

**Argument:**

| # | Statement | Evidence |
|---|-----------|----------|
| 1 | Hill-hold activates at grade > 5%, v = 0, brake pressed | `safety_manager.c` `SAFETY_HILL_HOLD_ARMED` |
| 2 | On brake release, `apply_requested` is set immediately | SWE-010, test `test_hillhold_active_on_brake_release` |
| 3 | Apply controller responds to `safety_apply_request` | `apply_controller.c` `apply_request_present()` |
| 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |

**Confidence:** ASIL-C. Architectural + tests + filter.

### G5 — SG-05: Response time

**Argument:**

| # | Statement | Evidence |
|---|-----------|----------|
| 1 | Apply controller runs every 50 ms | `apply_ctrl_step_50ms` |
| 2 | Switch is debounced within 50 ms (5 stable samples) | `switch_debouncer.c` |
| 3 | Total response, switch → actuator start: ≤ 100 ms | Timing analysis |
| 4 | Actuator apply completes in ≤ 800 ms (spec), with a 1500 ms timeout | Apply timeout, SWE-006 |

**Confidence:** ASIL-B. Performance + timeout.
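The overcurrent cutoff argued under G3, as an added example in C rather than the project's `actuator_driver.c`: a 1 kHz sample path counts consecutive samples above 8 A, shuts the motor down once that run exceeds 100 ms, and latches the fault so the next apply returns `EPB_EOVERCURRENT`. The names `epb_motor_t`, `epb_actuator_isr_1khz`, `epb_actuator_apply` and the `epb_simulate` harness are assumptions, and the DTC trigger is only noted in a comment.

```c
/* Added example (not demo-epb project code): overcurrent cutoff as argued
 * under G3. 1 kHz / 8 A / 100 ms come from the safety case; epb_motor_t,
 * epb_simulate and the function names are assumptions. */
#include <stdbool.h>

#define EPB_ISR_PERIOD_MS        1     /* 1 kHz current sampling */
#define EPB_OVERCURRENT_A        8.0f
#define EPB_OVERCURRENT_MS       100
#define EPB_OVERCURRENT_SAMPLES  (EPB_OVERCURRENT_MS / EPB_ISR_PERIOD_MS)

enum { EPB_OK = 0, EPB_EOVERCURRENT = -1 };

typedef struct {
    unsigned over_count;       /* consecutive samples above the threshold */
    volatile bool running;     /* motor drive enabled (shared ISR/task) */
    volatile bool oc_latched;  /* set by the ISR, cleared only by service */
} epb_motor_t;

/* Called from the 1 kHz actuator ISR with the latest current sample. */
void epb_actuator_isr_1khz(epb_motor_t *m, float current_a)
{
    if (!m->running) { m->over_count = 0; return; }
    if (current_a > EPB_OVERCURRENT_A) {
        if (++m->over_count > EPB_OVERCURRENT_SAMPLES) { /* > 100 ms */
            m->running = false;      /* shut the motor down */
            m->oc_latched = true;    /* block further apply; DTC raised here */
        }
    } else {
        m->over_count = 0;           /* any in-range sample breaks the run */
    }
}

/* Task-level apply entry point; refused while the overcurrent latch is set. */
int epb_actuator_apply(epb_motor_t *m)
{
    if (m->oc_latched) return EPB_EOVERCURRENT;
    m->running = true;
    return EPB_OK;
}

/* Example harness: apply, feed n samples at `amps`, then report the
 * result of a second apply (EPB_OK or EPB_EOVERCURRENT). */
int epb_simulate(float amps, int n)
{
    epb_motor_t m = {0};
    if (epb_actuator_apply(&m) != EPB_OK) return EPB_EOVERCURRENT;
    for (int i = 0; i < n; i++) epb_actuator_isr_1khz(&m, amps);
    return epb_actuator_apply(&m);
}
```

Exactly 100 samples above 8 A does not trip the cutoff; the 101st consecutive one does, matching the strict "> 100 ms" wording in the argument.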
## 5. Common cause / common mode

The following common-cause risks were checked:

| Risk | Mitigation |
|------|------------|
| Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Configuration error | Reproducible build pipeline, version pinning, CI verification |
| Shared-state race | Single-threaded step functions, ISR separation via `volatile` |

## 6. Residual risks

The following risks remain:

| Risk | Assessment | Rationale |
|------|------------|-----------|
| Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Actuator lifetime | External responsibility | Tier-1 component, datasheet |

## 7. Revision history

| Version | Date | Change | Author |
|---------|------|--------|--------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |