Minutes 08 Jun 2023

Paul Albertella edited this page Jun 8, 2023 · 1 revision

Host: Paul Albertella

Participants: Pete Brink, Igor Stoppa, Dana Vede, Gabriele Paoloni

Agenda: Planning approach to Safety Analysis to Telltale UC

Pete: Is there any documentation regarding ks-nav?

  • Gab: There is a README
  • Relevant from a tool qualification perspective
  • How do we get to the point where we can have confidence in a tool?
  • Paul: Qualifying a tool is one use that the RAFIA approach (of which this safety analysis part is a component) is intended for. STPA can be used to model non-safety goals as well, so this can be a basis for engineering processes beyond safety.

Safety Analysis scope definition

Two distinct parts:

  • General instrument cluster / dashboard display (non-safety)
  • Specific telltale notifications as part of this display

What are the safety mechanisms that we are concerned with?

  • e.g. a specific mechanism that verifies that the telltales are displayed correctly
  • That the rendering of the telltale portions of the display has resulted in the correct result on the screen

Looking at this diagram:

  • The system boundary is an ECU running an operating system (involving Linux) that is responsible for executing the cluster display and associated processing
  • The checking control and safety manager are the safety-relevant components that implement the safety mechanism
  • The dashboard manager may also be safety relevant, because it provides the input data to the checking control
  • The watchdog may be internal to the ECU or external (future design decision)
    • This is an additional safety mechanism that we have proactively added at this stage, but we may want to omit it at the initial stage of analysis

Does the type of telltale(s) that we are considering make a difference to our analysis?

  • i.e. the ASIL determination
  • By their nature, telltales tend to be lower ASIL, because there is an assumption that action from the driver needs to happen within a reasonable timeframe
  • For a higher severity problem an additional warning mechanism would be required, but the telltale display may still play a part in the expected response
  • For initial consideration, let’s think about a Check Engine warning.

Igor: How are we going to align with the Automotive WG?

  • Paul: Will coordinate with Phillip Ahmann