Stefan Lohmaier
fb2c083551
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Validate / reports (push) Successful in 50s
Release / release (push) Successful in 50s
Phase 2 of the English translation: Word documents (filled, EPB-specific): - 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM) - 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification Cppcheck) - 2 manuals (User, Service) - 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001) - All regenerated via pandoc from English markdown sources Code, tests, headers: - All file headers, struct comments, function docstrings in English - All test names (TEST_BEGIN strings) translated - Inline comments translated - 46 tests still green after translation CI workflows: - All step names in English - Step descriptions, comments, release notes template in English README.md fully rewritten in English with proper guided tour. Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
8.3 KiB
8.3 KiB
doc-id, version, status, date
| doc-id | version | status | date |
|---|---|---|---|
| SLM-EPB-SC-001 | 1.0 | Released | 2026-05-12 |
Safety Case — demo-epb
| Field | Value |
|---|---|
| Project | demo-epb |
| Document ID | SLM-EPB-SC-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 2 §6.5 + Part 6 §6 |
| Author | Stefan Lohmaier |
| Approver | (Safety Manager, in real project) |
1. Purpose
Argument that the EPB system satisfies the safety goals identified in the HARA. Structured per Goal Structuring Notation (GSN), in tabular form for audit purposes.
2. Top goal
G0: The EPB software satisfies all safety goals (SG-01 to SG-05) from the HARA with adequate confidence for ASIL D / C / B / A.
3. Argument structure
| Goal | Claim | Strategy | Evidence |
|---|---|---|---|
| G0 | EPB satisfies all SGs from HARA | Decomposition by SG | G1, G2, G3, G4, G5 |
| G1 | SG-01 (no unintended release) is satisfied | Architectural + test + review | SWA-002 + tests + code review |
| G2 | SG-02 (no unintended apply) is satisfied | Architectural + plausibilisation | SWA-002 standstill check + tests |
| G3 | SG-03 (overcurrent protection) is satisfied | Architectural + test | SWA-003 overcurrent cutoff + tests |
| G4 | SG-04 (hill-hold handover) is satisfied | Architectural + sequence test | SWA-001 + tests |
| G5 | SG-05 (response time) is satisfied | Performance measurement + test | Step timing tests |
4. Detail arguments
G1 — SG-01: No unintended release
Argument:
| # | Statement | Evidence |
|---|---|---|
| 1 | Apply controller leaves APPLIED only on explicit release request with preconditions | apply_controller.c line 95-110 (case EPB_STATE_APPLIED) |
| 2 | Release preconditions check engine + brake + gear | release_preconditions_ok() + SWE-005 |
| 3 | Watchdog detects apply controller hang and falls into safe state (APPLIED) | SWE-002 + watchdog in SWA-001 |
| 4 | Clamping force is verified every 50 ms and re-applied on drop | SWE-001 + test test_applied_holds_force |
| 5 | Unit test covers the behaviour: test_release_requires_preconditions |
tests/unit/test_apply_controller.c |
Confidence: ASIL-D. Architectural separation + tests + 2 reviewers.
G2 — SG-02: No unintended apply during driving
Argument:
| # | Statement | Evidence |
|---|---|---|
| 1 | Apply request is accepted only at standstill (v < 0.5 km/h) | apply_controller.c in->standstill check |
| 2 | Standstill is confirmed by wheel-speed plausibilisation of 4 sensors | SWE-022 + SWA-004 |
| 3 | Plausibilisation detects single sensor fault (spread > 3 km/h) | SWE-023 |
| 4 | Test covers the behaviour: test_no_apply_without_standstill |
tests/unit/test_apply_controller.c |
Confidence: ASIL-D. Sensor redundancy + test + 2 reviewers.
G3 — SG-03: Protection against actuator overcurrent
Argument:
| # | Statement | Evidence |
|---|---|---|
| 1 | Motor current is sampled at 1 kHz | actuator_isr_1khz + SWE-013 |
| 2 | On > 8 A for > 100 ms the motor is shut down | actuator_driver.c overcurrent logic + SWE-014 |
| 3 | After overcurrent, actuator_apply is blocked (returns EPB_EOVERCURRENT) |
Test test_overcurrent_blocks_subsequent_apply |
| 4 | DTC is set (Diagnostic Manager SWA-008) | SWE-014 (implicit DTC trigger) |
Confidence: ASIL-A (hazard H-05). Local logic + test.
G4 — SG-04: Hill-hold handover
Argument:
| # | Statement | Evidence |
|---|---|---|
| 1 | Hill-hold activates at grade > 5%, v=0, brake pressed | safety_manager.c SAFETY_HILL_HOLD_ARMED |
| 2 | On brake release, apply_requested is set immediately | SWE-010, test test_hillhold_active_on_brake_release |
| 3 | Apply controller responds to safety_apply_request | apply_controller.c apply_request_present() |
| 4 | Inclinometer is low-pass filtered (robustness against sensor noise) | SWA-005 + SWE-024 |
Confidence: ASIL-C. Architectural + tests + filter.
G5 — SG-05: Response time
Argument:
| # | Statement | Evidence |
|---|---|---|
| 1 | Apply controller runs every 50 ms | apply_ctrl_step_50ms |
| 2 | Switch is debounced in 50 ms (5 stable samples) | switch_debouncer.c |
| 3 | Total response switch → actuator start: ≤ 100 ms | Timing analysis |
| 4 | Actuator apply completes in ≤ 800 ms (spec) and max 1500 ms (timeout) | Apply timeout, SWE-006 |
Confidence: ASIL-B. Performance + timeout.
5. Common cause / common mode
The following common-cause risks were checked:
| Risk | Mitigation |
|---|---|
| Memory errors (stack/heap) | Static allocation, MISRA C 21.3 (no heap) |
| Compiler bug | GCC qualified (see tool qualification report), MISRA check |
| Configuration error | Build pipeline reproducible, version pinning, CI verify |
| Shared-state race | Single-threaded step functions, ISR separation via volatile |
6. Residual risks
The following risks remain:
| Risk | Assessment | Rationale |
|---|---|---|
| Inclinometer sensor drift over years | Accepted | Periodic calibration in service manual |
| EMC influence on CAN | Mitigated at system level | CAN ECU provides its own fault handling |
| Actuator lifetime | External responsibility | Tier-1 component, datasheet |
7. Revision history
| Version | Date | Change | Author |
|---|---|---|---|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |