Disclaimer: This engagement put our team's capability to the test: achieving ASIL-C compliance for the Complex Device Drivers of an AUTOSAR-based powertrain control unit.
About the Customer:
We have a long-standing and successful partnership with this electric vehicle OEM.
During our previous engagements, our automotive product engineering team had developed Complex Device Drivers (CDD) for the customer. These device drivers were necessary to extend the functionality of a pre-designed AUTOSAR-based powertrain ECU.
New hardware components such as speed sensors, a Real Time Clock (RTC), an I/O expander and an H-Bridge had to be added to the powertrain ECU. Due to speed constraints and a few other limitations, these components had to be kept separate. Complex device drivers were therefore required for the communication between the powertrain ECU and the additional hardware components.
Having also developed confidence in our automotive functional safety capabilities, the customer extended our responsibility and entrusted us with the ISO 26262 based ASIL-C compliance of the CDDs.
The complex device drivers had already been developed and were ready to be deployed. The customer realized the need for ASIL-C compliance of these device drivers only after development.
This realization came from the Hazard Analysis and Risk Assessment (HARA, as per the ISO 26262 framework) performed by the customer at a later stage. The components with which the CDDs interacted were mostly rated ASIL-C, so it was decided that the device drivers should also be ASIL-C compliant.
The main challenge for the customer was to go back to the design level and implement the ISO 26262 mandated safety planning activities across the development process.
After a few rounds of discussion with the customer's functional safety team, the following project scope was chalked out:
- A Development Interface Agreement (DIA) was to be signed jointly, and a Safety Plan created at Embitel for the activities involved in CDD compliance.
- The software compliance scope was confined to the phases from unit design to unit testing, as per Part 6 of the ISO 26262 standard.
- Making the necessary changes to the design and technical specifications of the CDDs based on the code check reports.
- Generating reports from the different tools as evidence for ASIL-C compliance.
- Part 2 (Safety Management) and Part 8 (Support Process) of the ISO 26262 guidelines had to be implemented.
- Integration of the ISO 26262 ASIL-C compliant CDD modules into the final project.
As the complex device drivers had already been developed, we had to retrace our steps and go back to the unit design phase. We covered Part 2, Part 6 and Part 8 of the safety lifecycle as recommended by the ISO 26262 standard.
Here is the step-by-step process we adhered to for the ISO 26262 ASIL-C compliance safety lifecycle:
- Implementing the functional safety guidelines from the Part 2 document of the ISO 26262 framework:
  - Confirmation reviews of the entire safety lifecycle.
  - Development Interface Agreement (DIA) with RASI (Responsibility, Accountability, Support and Information).
  - Safety planning activities.
- The methods and techniques recommended in the Part 6 document were followed both manually and with the help of tools like Polyspace and Cantata. Unit design, implementation and testing were carried out as per the mandatory guidelines for ASIL-C compliance under Part 6 of the ISO 26262 standard:
  - ASIL-C compliant design documents based on flowcharts generated with a UML-based tool.
  - Part 6 lists several methods such as backward and forward recovery, control flow analysis and data flow analysis; all such relevant methods were covered.
  - We performed static and dynamic code analysis using Polyspace and wrote the unit test cases using Cantata. These tools help analyze the coverage of the Part 6 techniques, in addition to the technical reviews by the safety team.
  - A confirmation review was performed on all safety case evidence, whether technical analysis reports or safety management artifacts.
- We also handled the processes related to the execution of the safety lifecycle, as recommended in the Part 8 document of the ISO 26262 framework. The safety-specific QMS also included:
  - Configuration management and root cause analysis.
  - Tool qualification: verifying whether the tools used are ISO 26262 compliant.
The Team Structure for the Automotive Functional Safety project:
This is how our team structure looked:
The team comprised a dedicated Safety Manager along with a Project Manager. The Functional Safety team, the Software Development team and the QA team worked together to ensure that all the guidelines of the ISO 26262 standard were implemented in letter and spirit.
We were able to make a considerable impact with our functional safety expertise. The production-grade Complex Device Drivers were now on the same level as the components they interacted with, i.e. ASIL-C.
The impact was felt across all components that communicated with the help of the CDDs:
- Additional safety mechanisms were ensured as per Part 6 of the standard.
- More ways of transitioning to a safe state in case of a fault were added, as per the standard.
- Identification of severity, occurrence and detection was improved.
Better measurement of faults would also help prevent damage in the future. In the context of electric vehicles, this would help the customer in the long run to build safer and more efficient EVs.
As we had developed the CDDs for the customer, our automotive team was fully aware of the project's nuances. This reduced the time and cost of achieving ASIL-C compliance.
Tools and Technologies Expertise:
- Polyspace – Running the tool for ASIL-C compliant static and dynamic analysis, and correcting errors and warnings as per the reports.
- Cantata – Setting up and running ASIL-C compliant unit testing, and correcting errors and warnings as per the reports.
- Visio – UML-based documentation.