RE: [sc] Highest software SIL possible to achieve

From: jean-louis.boulanger_at_xxxxxx
Date: Thu, 22 Feb 2007 21:08:43 +0100
Message-ID: <1172174923.45ddf84ba9ed9@xxxxxx>
According to Simon.Schilling@xxxxxx:

> @ Jean-Louis:
> Let's say 1E+6 cars per year and 1000h of operation during a year (that's
> very much, as you will know...)

I suppose that some statistics exist for car use, and I think it is reasonable to say
that I use my car 2 h per day.
2 h per day = 2 * 365 = 730 h/year, with 1.5 years.

> Let's further assume a typical SIL3 (ASIL D in ISO WD 26262) system like a
> steer by wire application.
> How do you prove the absence of failures and faults, e.g. in software? 

 1. by using formal methods for the realisation;
 2. by using functional testing in complement to the proof;
 3. by using ....
 I am a teacher/researcher, but in a previous life I worked at the RATP. I know
the realization process (dev, V&V, RAMS, quality) and currently I am an
evaluator/certifier at CERTIFER (French association for railway
certification). I know that methodologies, quality processes, RAMS processes,
... exist that provide the possibility to demonstrate that the software respects
the specification and produces a good system. This state of the art is not used in the car
domain, but tomorrow 26262 will give some requirements that require the
application of the current state of the art.

> Possibility 1: By counting real accidents? No, because you will never know
> how many failures occurred which did not end with an accident (e.g. during
> low speed). 

Some systems exist to log all information and provide the capability to
replay the accident. In aircraft we have the black box. In railways, the need
for a black box is appearing.

> And it will be hard to prove that an accident occurred because of
> the software. We don't do telemetry and stuff. 

In current projects such as AUTOSAR, the question of "responsibility" appears and the
need for error detection in software is important.

> And people do the craziest things when driving.

I think that "car software does the craziest things today". I am not sure that
current car software is reliable.

> Possibility 2: By counting failure records in your ECUs? Maybe, but keep in
> mind that you probably will not have an independent observer within your
> system, which could reliably detect all possible failures. If your
> (redundant, because of ASIL D) system fails and we usually only have two
> channels, who do you trust to correctly write the failure record? And of
> course even if you could be sure about recognizing the failure at first hand,
> there are all those nasty little problems with deriving real failure rates
> from those ECU entries...

In the car domain, many 2-channel ECUs provide an architecture based on error
detection. We can report this and say what I see. In the VDA architecture, you have
3 levels of application with 2 levels dedicated to error detection. I am sure you
have the possibility to log errors.

I just want to recall that the beginning of this discussion was whether 10^-x is possible in
operational ... and I say that for cars the number of cars provides the
capability to rapidly validate this objective.

> Plus: do not forget the frequent software "updates" in your car. Just a
> little change here and a tweak there... and all your statistical basis is
> gone...

You have updates because the initial version is not "clear", and I suppose these
versions do not validate the fixed SIL. I hope that the application of
26262 gives you a new direction with a very small number of "updates".

> True, in automotive we have the numbers. But also true: we lack the regular
> and frequent inspections, a real maintenance regime and so on, which usually
> help a great deal to recognize and count one's failures.

> But maybe I'm just too much of a pessimist, so, what did you have in mind?

Perhaps I am an optimist; if I know the problem, I can find a solution ..... My point
is just to say that some systems exist where the probability of failure
must be demonstrated by operational data.

> Viele Gruesse, Simon
> -- 
> ------------------------------------------
> BMW Group
> Simon J. Schilling
> Munich, Germany
> PGP-encryption preferred.
> ------------------------------------------
> Bayerische Motoren Werke Aktiengesellschaft
> Vorstand: Norbert Reithofer, Vorsitzender,
> Frank-Peter Arndt, Ernst Baumann, Klaus Draeger, Michael Ganal, Stefan
> Krause
> Vorsitzender des Aufsichtsrats: Joachim Milberg
> Sitz und Registergericht: München HRB 42243
> ------------------------------------------

Received on Thu 22 Feb 2007 - 20:09:14 GMT
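The arithmetic behind this exchange (fleet operating hours as the statistical basis, and the "10^-x" failure rate those hours can demonstrate) can be carried through explicitly. The following is an added worked example, not code from either participant. It uses the thread's figures (1E+6 cars, 2 h/day, 1.5 years) as constructed inputs and assumes a constant failure rate (exponential/Poisson model), a 95% one-sided confidence level, and, crucially, that every failure in the fleet is detected and recorded. It goes slightly beyond the thread by also giving the bound when a few failures have been observed, using a Poisson bisection rather than chi-square tables.

```python
import math

# Constructed inputs from the thread: 1E+6 cars, 2 h/day of use, 1.5 years of
# observation (Jean-Louis's figures). The 95% confidence level and the
# constant-failure-rate (Poisson) model are assumptions of this example.
CARS = 1_000_000
HOURS_PER_CAR_PER_YEAR = 2 * 365      # 730 h/year
OBSERVATION_YEARS = 1.5
CONFIDENCE = 0.95


def fleet_hours(cars, hours_per_car_per_year, years):
    """Total accumulated operating hours of the fleet: the statistical basis."""
    return cars * hours_per_car_per_year * years


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), computed iteratively (no scipy needed)."""
    term = math.exp(-mu)   # underflows to 0.0 for huge mu, which is correct here
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_failure_rate(total_hours, observed_failures, confidence=CONFIDENCE):
    """One-sided upper confidence bound on the failure rate (failures per hour).

    Smallest lambda such that observing at most `observed_failures` failures in
    `total_hours` is no more likely than (1 - confidence). With zero failures
    this is exactly -ln(1 - confidence) / T. Solved by bisection on lambda.
    Assumes every failure in the fleet was actually detected and recorded; any
    missed failure makes this bound optimistic.
    """
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0          # failures/hour; 1.0/h is an absurdly loose ceiling
    for _ in range(200):       # 200 halvings of [0, 1] exceeds double precision
        mid = (lo + hi) / 2.0
        if poisson_cdf(observed_failures, mid * total_hours) > target:
            lo = mid           # this rate is still plausible: bound must be higher
        else:
            hi = mid
    return hi


def hours_to_demonstrate(target_rate, confidence=CONFIDENCE):
    """Operating hours needed to claim `target_rate` (per hour) with zero failures."""
    return -math.log(1.0 - confidence) / target_rate


def demonstrable_rate_for_fleet(observed_failures=0):
    """Best failure-rate claim the thread's fleet supports at CONFIDENCE."""
    total = fleet_hours(CARS, HOURS_PER_CAR_PER_YEAR, OBSERVATION_YEARS)
    return upper_failure_rate(total, observed_failures)


if __name__ == "__main__":
    total = fleet_hours(CARS, HOURS_PER_CAR_PER_YEAR, OBSERVATION_YEARS)
    print(f"fleet hours: {total:.3e} h")
    for k in (0, 1, 5):
        print(f"{k} recorded failure(s): lambda <= "
              f"{upper_failure_rate(total, k):.2e} /h at {CONFIDENCE:.0%}")
    print(f"hours for 1e-8/h with zero failures: {hours_to_demonstrate(1e-8):.2e} h")
```

With these inputs the fleet accumulates about 1.1e9 operating hours, and zero recorded failures would support a bound below 3e-9 per hour, which is why a large fleet can validate a 10^-x objective quickly. Two caveats from the thread fall straight out of the model: every software update that changes the function restarts the accumulation of `total_hours` for the new version, and the bound is only as good as the failure recording, so the "independent observer" question decides whether `observed_failures` can be trusted at all.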