Stefan Lohmaier
fb2c083551
Validate / build-test (macos-latest) (push) Failing after 3s
Validate / build-test (windows-latest) (push) Failing after 15s
Validate / build-test (ubuntu-latest) (push) Successful in 17s
Validate / reports (push) Successful in 50s
Release / release (push) Successful in 50s
Phase 2 of the English translation: Word documents (filled, EPB-specific): - 8 plans (PID, PM, QA, SWE, Test, Project Manual, CM, RM) - 6 safety docs (HARA, Safety Case, FMEDA, MISRA Compliance, Verification Report, Tool Qualification Cppcheck) - 2 manuals (User, Service) - 3 audit artefacts (Review minutes, NC-001, MISRA-REC-001) - All regenerated via pandoc from English markdown sources Code, tests, headers: - All file headers, struct comments, function docstrings in English - All test names (TEST_BEGIN strings) translated - Inline comments translated - 46 tests still green after translation CI workflows: - All step names in English - Step descriptions, comments, release notes template in English README.md fully rewritten in English with proper guided tour. Phase 3 (still pending): dev-process repo templates + toolstack/setup docs.
8.0 KiB
8.0 KiB
doc-id, version, status, date
| doc-id | version | status | date |
|---|---|---|---|
| SLM-EPB-HARA-001 | 1.0 | Released | 2026-05-12 |
Hazard Analysis & Risk Assessment (HARA)
| Field | Value |
|---|---|
| Project | demo-epb (Electric Parking Brake) |
| Document ID | SLM-EPB-HARA-001 |
| Date | 2026-05-12 |
| Version | 1.0 |
| Status | Released |
| Standard | ISO 26262 Part 3 (Concept Phase) |
| Author | Stefan Lohmaier |
| Reviewer | (Tech Lead, independent in real project) |
| Approver | (Safety Manager, independent in real project) |
1. Purpose
Identification and classification of all relevant EPB hazards per ISO 26262-3. From the hazards, safety goals are derived and an Automotive Safety Integrity Level (ASIL) is assigned.
2. Item definition
The EPB is an electromechanical system that clamps both rear callipers using two small electric motors and releases them. Item boundary (ISO 26262-3 §5):
- Inside: EPB ECU, both calliper motors, EPB switch, status LED
- Outside: ESP, engine management, brake system (hydraulic), steering
- Interfaces: CAN bus, wheel-speed sensors, inclinometer
3. Operational situations & hazards
The following operational situations and hazards were identified in the concept workshop (2026-05-11):
3.1 Hazard list
| H-ID | Hazard | Operational situation |
|---|---|---|
| H-01 | Unintended release of the parking brake at standstill | Vehicle parked on incline, driver out |
| H-02 | Unintended clamping during driving | Driving > 10 km/h |
| H-03 | No apply reaction to driver request | Standstill, driver actuates switch |
| H-04 | Loss of clamping force in hold state | Parking phase longer than 1 h |
| H-05 | Motor damage from overcurrent | Actuator mechanics blocked |
| H-06 | Incorrect hill-hold handover (roll-away on incline) | Drive-away on incline |
| H-07 | No release reaction on drive-away | Standstill, driver wants to drive |
| H-08 | LED indicator wrong | any |
3.2 Severity / Exposure / Controllability
Classification per ISO 26262-3 §6:
| Severity | Meaning |
|---|---|
| S0 | No injuries |
| S1 | Light / moderate injuries |
| S2 | Severe injuries (survival likely) |
| S3 | Life-threatening injuries (survival uncertain) |
| Exposure | Meaning |
|---|---|
| E0 | Very unlikely |
| E1 | Very rare situation |
| E2 | Rare situation |
| E3 | Medium likelihood |
| E4 | Frequent situation |
| Controllability | Meaning |
|---|---|
| C0 | Generally controllable |
| C1 | Simply controllable (>99% of drivers) |
| C2 | Normally controllable (>90% of drivers) |
| C3 | Difficult to control or uncontrollable |
3.3 ASIL determination
| H-ID | Description | S | E | C | ASIL |
|---|---|---|---|---|---|
| H-01 | Unintended release, parking phase | S3 | E4 | C3 | D |
| H-02 | Unintended clamping during driving | S3 | E4 | C3 | D |
| H-03 | No apply reaction to request | S2 | E4 | C2 | B |
| H-04 | Clamping force loss in hold | S3 | E4 | C3 | D |
| H-05 | Motor damage from overcurrent | S1 | E3 | C2 | A |
| H-06 | Hill-hold failure (roll-away on incline) | S3 | E3 | C3 | C |
| H-07 | No release reaction | S1 | E4 | C2 | A |
| H-08 | LED indicator wrong | S0 | -- | -- | QM |
ASIL matrix per ISO 26262-3 Table 4 applied. H-06 was downgraded from ASIL-D to ASIL-C in review, since hill-hold failure on dry road remains controllable through driver response (C2-C3 borderline, conservatively C3).
4. Safety goals
From the hazards the following safety goals are derived:
| SG-ID | Safety goal | ASIL | Covered hazards |
|---|---|---|---|
| SG-01 | The EPB must not unintentionally release while at standstill | D | H-01, H-04 |
| SG-02 | The EPB must not unintentionally clamp while driving | D | H-02 |
| SG-03 | The EPB must protect against actuator overcurrent | A | H-05 |
| SG-04 | Hill-hold must reliably hand over to the apply controller | C | H-06 |
| SG-05 | The EPB must respond to driver requests within specified times | B | H-03, H-07 |
5. Safe state
Definitions per ISO 26262-3 §7.4.2.5:
| Item / Function | Safe state |
|---|---|
| Apply phase | Stop actuator, set status to APPLIED |
| Hold phase | Maintain clamping force (passive) |
| Release phase | Return to apply, maintain clamping force |
| On hardware fault | Force APPLIED state (prevents roll-away) |
The conservative safe state across all cases is APPLIED: rather over-clamp than under-clamp.
6. FTTI (Fault Tolerant Time Interval)
| Hazard | FTTI | Rationale |
|---|---|---|
| H-01 | 5 s | Roll-away on incline starts after ~1-2 s, hand action possible after ~5 s |
| H-02 | 100 ms | Shock deceleration at 50 km/h must be detected within 100 ms |
| H-04 | 30 s | Clamping force loss accumulates slowly, periodic check every 50 ms suffices |
| H-06 | 500 ms | Hill-hold handover must complete before roll-away begins (< 500 ms) |
7. Functional Safety Requirements (FSR)
From the safety goals the SYS requirements in reqs/sys/ are derived (see traceability matrix). Mapping:
| SG-ID | SYS requirements |
|---|---|
| SG-01 | SYS-001, SYS-004 |
| SG-02 | SYS-002 (apply plausibility), SYS-005 |
| SG-03 | SYS-007 |
| SG-04 | SYS-005, SYS-006 |
| SG-05 | SYS-002, SYS-003 |
8. Revision history
| Version | Date | Change | Author |
|---|---|---|---|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release after review | S. Lohmaier |