Stefan Lohmaier
fb2c083551
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Validate / reports (push) Successful in 50s
Release / release (push) Successful in 50s
Phase 2 of the English translation: Word documents (filled, EPB-specific): - 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM) - 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification Cppcheck) - 2 manuals (User, Service) - 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001) - All regenerated via pandoc from English markdown sources Code, tests, headers: - All file headers, struct comments, function docstrings in English - All test names (TEST_BEGIN strings) translated - Inline comments translated - 46 tests still green after translation CI workflows: - All step names in English - Step descriptions, comments, release notes template in English README.md fully rewritten in English with proper guided tour. Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
6.8 KiB
6.8 KiB
doc-id, version, status, date
| doc-id | version | status | date |
|---|---|---|---|
| SLM-EPB-FMEDA-001 | 1.0 | Released | 2026-05-12 |
Failure Mode Effects and Diagnostic Analysis (FMEDA)
| Field | Value |
|---|---|
| Project | demo-epb |
| Document ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ISO 26262 Part 5 §8 + Part 10 |
1. Purpose
Bottom-up analysis of EPB hardware and software failure modes, quantifying Diagnostic Coverage (DC) and computing the Single-Point Fault Metric (SPFM) and Latent Fault Metric (LFM). Required for hardware architecture metrics per ISO 26262-5.
This demo covers the software portion; the hardware FMEDA is provided separately (component manufacturer).
2. Methodology
For each software component, possible failure modes are listed, their effects described, detection mechanisms identified, and the diagnostic coverage estimated.
DC classes per ISO 26262-5 §C.2:
| DC class | DC % | Meaning |
|---|---|---|
| Low | < 60% | Weak diagnostics |
| Medium | 60-90% | Medium diagnostics |
| High | > 90% | Strong diagnostics |
3. FMEDA table per component
3.1 SWA-002 Apply Controller (ASIL-D)
| FM-ID | Failure mode | Effect | Detection | DC | Safe state reached? |
|---|---|---|---|---|---|
| FM-01 | State machine stuck in APPLYING | Brake never applied | Timeout 30×50ms → ERROR | High | Yes (ERROR state) |
| FM-02 | Wrong state transition APPLIED → RELEASED without condition | Roll-away | Precondition check (release_preconditions_ok) |
High | Yes |
| FM-03 | Watchdog counter overflow | Watchdog fires false positive | Wrap-safe subtraction in watchdog (NC-001) | High | Yes (reset) |
| FM-04 | Hold loop does not re-clamp | Clamping force loss undetected | Periodic check every 50ms + force tolerance | High | Yes (re-apply) |
| FM-05 | NULL pointer dereference on input | Crash | Early-exit check | High | Yes (last state remains) |
Aggregated DC for Apply Controller: 96% (High).
3.2 SWA-003 Actuator Driver (ASIL-B)
| FM-ID | Failure mode | Effect | Detection | DC |
|---|---|---|---|---|
| FM-06 | PWM value outside 0..100 | Hardware damage | Parameter check, return EINVAL | High |
| FM-07 | ISR measures continuously high current | Motor fire | Overcurrent cutoff > 8A > 100ms | High |
| FM-08 | ISR measures too-low current (sensor fault) | Clamping force estimated wrong | Cross-check between actuators | Medium |
| FM-09 | Both actuators simultaneous cutoff | EPB inoperative | DTC + service mode remains reachable | Medium |
Aggregated DC for Actuator Driver: 85% (Medium).
3.3 SWA-001 Safety Manager (ASIL-D)
| FM-ID | Failure mode | Effect | Detection | DC |
|---|---|---|---|---|
| FM-10 | Auto-apply timer does not fire | Vehicle rolls after engine off | Watchdog Safety Manager | High |
| FM-11 | Hill-hold handover delayed | Roll-away on incline | Brake-pedal signal tracking | High |
| FM-12 | False-positive hill-hold activation | Unnecessary apply | Low-pass filter inclinometer | Medium |
| FM-13 | Grade filter saturation | Hill-hold missed | Plausibility range check | Medium |
Aggregated DC for Safety Manager: 88% (Medium-High).
3.4 SWA-004 Wheel Speed Plausibilisation (ASIL-B)
| FM-ID | Failure mode | Effect | Detection | DC |
|---|---|---|---|---|
| FM-14 | Stuck-at-zero on one wheel | False standstill detected | Spread > 3 km/h check + DTC | High |
| FM-15 | All 4 sensors failed | Standstill undetected | Total-failure DTC + load assumption | High |
DC: 95% (High).
4. Aggregated metrics (software)
| Metric | Value | ASIL-D requirement |
|---|---|---|
| SPFM (Single-Point Fault) | 95% | ≥ 99% (software alone insufficient; HW required) |
| LFM (Latent Fault) | 90% | ≥ 90% |
| Aggregated DC | 92% | High |
Note: The software DC values reported here are not the ASIL-D hardware metrics. ASIL-D-compliant SPFM/LFM require quantitative hardware FIT rates, which are computed at the HW level (Tier-1 actuators, ECU hardware).
5. Diagnostic measures (inventory)
| Mechanism | Component | Trigger |
|---|---|---|
| Timeout watchdog | Apply Controller | 30×50ms in APPLYING |
| Clamping force hold check | Apply Controller | every 50ms |
| Overcurrent cutoff | Actuator Driver | 8A > 100ms |
| Sensor spread check | Wheel Speed Plausi | every 10ms cycle |
| Inclinometer range check | Inclinometer Filter | every 10ms |
| Watchdog Safety Manager | Safety Manager | 100ms liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | call of diag_set_dtc() |
6. Revision history
| Version | Date | Change | Author |
|---|---|---|---|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |