Platform Safety Manual#
Platform Safety Manual
|
status: draft
security: NO
safety: ASIL_B
|
||||
Introduction/Scope#
This safety manual applies to the S-CORE SW platform, defined by its modules, see Modules It covers all assumed (Technical) Safety Requirements of the S-CORE SW platform and all general Assumptions of Use which are relevant for all users of any platform module. The specific Assumptions of Use relevant only for the users of a specific module are documented in the module’s safety manual. That means that the platform safety manual always has to be read together with all its modules safety manuals.
Assumed Platform Safety Requirements#
For the S-CORE Platform the following functional safety related stakeholder requirements are assumed to define the top level functionality (purpose) of the S-CORE Platform. I.e. from these all the feature and component requirements implemented are derived.
Title |
ID |
Status |
Safety |
|---|---|---|---|
Support for Safety-Critical ML |
valid |
ASIL_B |
|
Support for Time-based Architectures |
valid |
ASIL_B |
|
Safe Communication |
valid |
ASIL_B |
|
Automotive Safety Integrity Level |
valid |
ASIL_B |
|
SW-platform error reaction |
valid |
ASIL_B |
|
Error report timing |
valid |
ASIL_B |
|
Program Flow Monitoring |
valid |
ASIL_B |
|
No mixed ASIL |
valid |
ASIL_B |
|
Safe SW-platform state |
valid |
ASIL_B |
|
Health Management |
valid |
ASIL_B |
|
External Supervision |
valid |
ASIL_B |
|
Safe Mode Switch |
valid |
ASIL_B |
|
E2E Protection |
valid |
ASIL_B |
|
HW Self-Test |
valid |
ASIL_B |
|
Safe Startup and Reset |
valid |
ASIL_B |
|
DMA Protection |
valid |
ASIL_B |
|
Memory Protection |
valid |
ASIL_B |
|
Cache Protection |
valid |
ASIL_B |
|
Memory Error Correction |
valid |
ASIL_B |
|
SW Lockstep |
valid |
ASIL_B |
|
Safe Computation |
valid |
ASIL_B |
|
Safe Configuration |
valid |
ASIL_B |
|
Support of safe Key/Value store |
valid |
ASIL_B |
|
Action Safety and Governance |
valid |
ASIL_B |
|
Seamless Integration with Vehicle Systems |
valid |
ASIL_B |
Assumptions of Use#
Assumptions on the Environment#
Generally the assumption of the project platform SEooC is that it is integrated in a safe system, i.e. the POSIX OS it runs on is qualified and also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module’s safety concept.
<List here all the OS calls the project platform expects to be safe.>
List of AoUs expected from the environment the platform runs on:
Title |
ID |
Status |
|---|---|---|
External Health Management |
valid |
|
OS safety functions |
valid |
|
POSIX Operating System |
valid |
|
Process Isolation |
valid |
|
Safe HW platform |
valid |
Assumptions on the User#
As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform SEooC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform SEooC safety package. Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways:
There are assumption which need to be fulfilled by all SW components, e.g. “every user of an IPC mechanism needs to make sure that he provides correct data (including appropriate ASIL level)” - in this case the AoU is marked as “platform”.
There are assumption which can be fulfilled by a safety mechanism realized by some other project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module SEooC stand-alone - in this case the AoU is marked as “module”. An example would be the “JSON read” which requires “The user shall provide a string as input which is not corrupted due to HW or QM SW errors.” - which is covered when using together with safe project platform persistency feature.
List of AoUs on the user of the platform features or the module of this safety manual:
Title |
ID |
Status |
|---|---|---|
Avoidance of Exceptions |
valid |
|
Error Reaction |
valid |
|
Integration levels |
valid |
|
Integrator safety anomaly reporting |
valid |
|
No mixed ASIL |
valid |
|
Program Flow Monitoring |
valid |
|
Safety integration |
valid |
|
Safety matching |
valid |
|
SW-platform integration bug reporting |
valid |
|
SW-platform test completion |
valid |
|
SW-platform testing |
valid |
Safety concept of the SEooC#
The S-CORE SW platform has no safety concept additional to its module’s safety concept, as it does not implement additional functionality. The expectations towards the execution environment are described in the respective AoU, this is mainly that a safe posix operating system integrated into a target hardware which includes safety mechanisms which cover hardware related errors.
Safety Anomalies#
Anomalies (bugs in ASIL SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>.