Brembo: Automotive SPICE and IEC 61508 · 2008-03-18 · Interfacing IEC 61508 and Automotive-SPICE...

"Strictly Confidential. © Brembo S.p.A. reserves all rights of use and disposal, under law protection, also in connection with I.P.R., as well copying and passing on third parties"

Bre

mb

o: A

uto

mo

tive

SP

ICE

an

d IE

C 6

15

08

…a

pro

ce

ss

imp

rov

em

en

t ex

pe

rien

ce

AU

TO

SP

IN W

ork

sh

op

Mila

no

11

Oc

tob

er

200

7


Ag

en

da

1.

Bre

mb

o C

orp

ora

te -

Mech

atro

nic

Ad

va

nc

ed

R&

D

2.

So

ftware

Pro

cess im

pro

vem

en

t with

Au

tom

otiv

e-S

PIC

E

3.

Safe

ty P

roce

ss im

pro

ve

men

t with

IEC

61508

4.

Co

nclu

sio

ns


1.

Bre

mb

o M

ec

ha

tron

icA

dv

an

ce

d R

&D

"StrictlyConfidential. ©

Brembo S.p.A. reservesallrights

ofuseand disposal,

under lawprotection, alsoin connection withI.P.R., aswellcopyingand passingon thirdparties"

Brembo Corporate

World leader in the design and manufacturing of high performance braking systems and components

A fully integrated industrial process from foundries to assembly


Ad

va

nc

ed

R&

D: e

xa

mp

les

of M

ec

ha

tron

icp

roje

cts

Ele

ctric

al P

ark

ing

Bra

ke fo

r ligh

t trucks

Ele

ctric

al P

ark

ing

Bra

ke fo

r hig

h p

erfo

rman

ce

cars



ofuseand disposal,


Targeting Automotive-SPICE and IEC 61508

Customers are requiring a Software Process

compliant to Automotive-

SPICE to be considered assuppliers

In order to be able to propose new mechatronic products to hisCustomers, Brembo decided to:

� implement his Software Process @ Automotive-SPICE

� implement his Safety Process @ IEC 61508



ofuseand disposal,


Standards for functional safety

…State of the art at the date of product placed on the market…

IEC61508

Generic basic standard for the functional

safety of electrical / electronic /

programmable

electronic systems

FAKRA (WD26262)

(not yet available)

Application standard

for the automotiveindustry sector

based on IEC61508



ofuseand disposal,


Process Team & Project Teams: Brembo organization

MechatronicProcess Team

• Software Process

• Safety Process

Team EPB VeCoCoachingSPICE

CoachingIEC61508

Automotive-SPICEAssessors

BREMBO Advanced R&D

Team EPB Auto

Team BBW

Independent SafetyAssessors


2. S

oftw

are

Pro

ce

ss

Imp

rov

em

en

t



ofuseand disposal,


Software Process @ Automotive-SPICE

Dic-06

AutomotiveSPICE

Level 2EPB VeCo

SW Process

Setup

Execution

& Feedback

May-06

External

Assessment

Apr-2006 Jun-07

Coaching by Intecs…..

Pilot project: EPB VeCoKick-off

Jan-07 May-07

A-phase B-phase

SW v1 SW v2 SW v3 SW v4



ofuseand disposal,


Supporting activities:

MAN3 Project mngt

MAN5 Risk mngt

ACQ4 Supplier monitoring

ACQ11 Technical requirements

ACQ13 Project requirements

SUP1 Quality assurance

SUP8 Configuration mngt

SUP9 Problem resolution mngt

SUP10 Change request mngt

SPL1 Supplier tendering

Customerneeds

ENG6 Software Construction:Coding and Unit test

ENG5Software Design

ENG4 Software Requirement

Analysis

ENG3System Design

ENG2 SystemRequirement

Analysis

ENG1 RequirementElicitation

ENG7 Software Integration Testing

ENG8Software Testing

ENG9 System Integration

Analysis

ENG10System Testing

SPL2 Product Release

Automotive-SPICE in Brembo: target activities for assessment



ofuseand disposal,


Software Process improvement activities: Guidelines & Procedures

Automotive SPICE PAM & PRM

IEC 61508

MISRA-C Guidelines (C language)

Customer norms

MISRA Guidelines

IEEE Software Engineering Guidelines Collection

Software Development GuidelineSoftware Tailoring Guideline

Software Project Management GuidelineSoftware Requirements Specification Guideline

Software Design GuidelineSoftware Coding GuidelineSoftware Testing Guideline

Software Problem Resolution GuidelineSoftware Configuration Management Guideline

Software Quality Assurance Guideline

Brembo Internal Guidelines

Applicable external norms and guidelines Referenced external norms and guidelines


So

ftware

Pro

ce

ss

imp

rove

me

nt

ac

tivitie

s: E

NG

1 to

EN

G 1

0

Req

uire

men

tsM

an

ag

em

en

t with

Do

ors

®



ofuseand disposal,


Process improvement activities: ENG 6

Source File Revision

StateManager.c 668

Analysis Description

CANTATA test failure

•The LINE_CODE value for function Operational_du is 120, much more than the threshold (50) •The LINE_CODE value for function StartUp_du is 96, much more than the threshold (50). Try to split the file.•Decision coverage = 91.4%, statement coverage = 91.3%, both less than 100%.. There is possibly unreachable code in several lines (there is a IF condition always true). JUSTIFIED as it seems due to a decision of TargetLink tool..

CANTATA warnings

•The LINE_CODE value for function Service_du is 72, much more than the threshold (50). JUSTIFIED as the deviation is not critical

Code Inspection •There is a case of default switch action followed immediately by an instruction break. The default case should always do something•There are some parameters not used in function Applying_en. Remove the unused parameters from the function or check the design •There are some parameters not used in function Applying_du. Remove the unused parameters from the function or check the design •The function Leaving_du is empty.

MISRA C Checker No problems.

ORACLE TEST Checked on 25/06/07: PASSED

Software Unit Testing

Code InspectionMISRA C

checker

Oracle Tests Complexity



ofuseand disposal,


Process improvement activities: ENG 7

SlopeEstimation

[SlopeEstimation.c]

CustomSaturation

[CustomSaturation.c]

Test ID: EPBSW_SWIT_002

SW aggregate:

SW Units: SlopeEstimation.c•CustomSaturation.c

Test driver file:

•Test_ SlopeEstimation.c

Test driver functions:

test_SlopeEstimation

Calling function: SlopeEstimation

Called functions:

CustomSaturation

Tested interfaces:

SlopeEstimation -> CustomSaturation

Test Driverfunctions:

test_SlopeEstimation_1

Description: ORACLE_TEST Testing SlopeEstimation calling CustomSaturation when

StaticCondition_u8 = 8, Slope_i16 = 1, CANIn.WheelsSpeeds[0] = 10, CANIn.WheelsSpeeds[1] = 10, CANIn.WheelsSpeeds[2] = 10, CANIn.WheelsSpeeds[3] = 10. EXPECTED VALUES: return1 = 1, return2 = 1, return3 = 1,

Software Unit Integration Testing



ofuseand disposal,


Process improvement activities: SUP1

New activity in Brembo Mechatronic team

Dedicated resource for Software Quality Insurance

Software Quality Plan for each project to provideindependent quality assurance activity

Software Quality periodic reviews

Software Quality Reports issued regularly on a monthly basis

Possibility to start an escalation process to Top Management and Brembo Central Quality Department

Software Quality Insurance


Au

tom

otiv

eS

PIC

E A

ss

es

sm

en

t: resu

ltso

fJ

un

e2

00

7

Le

vel

2 O

K

Le

vel

2 O

K

AC

Q4 a

ss

ess

ed

on

28/0

9: w

aitin

gfo

rre

su

lt…

3 d

ays

on

-site

As

ses

sm

en

tco

nd

ucte

db

yC

NR

-IST

I, Pis

a


3. S

afe

ty P

roc

es

s Im

pro

ve

me

nt



ofuseand disposal,


04/2006 03/2007 12/2007

SAFETY CASE

System Level(Concept Phase)

Assessment

Gap Analysis

Kick-off

SAFETY CASE

Component Level(Detailed Phase)

EPB Product

Certification

SAFETY Process

Setup

Coaching by external consultants

Safety Process @ IEC61508

Functional Safety Management

Pilot project: EPB VeCo

A-phase B-phase C-phase


IEC

61

508

: ove

rall

E/E

/PE

S S

afe

tylife

cyc

le



ofuseand disposal,


IEC 61508: E/E/PES Safety lifecycle and Automotive-SPICE

ENG6 Software Construction:Coding and Unit test

ENG5Software Design

ENG4 Software Requirement

Analysis

ENG3System Design

ENG2 SystemRequirement

Analysis

ENG1 RequirementElicitation

ENG7 Software Integration Testing

ENG8Software Testing

ENG9 System Integration

Analysis

ENG10

System Testing

SPL2 Product Release

GOAL: provide evidence that the implementedsystem fulfils the requirements of the SW Safety

Requirements Specification and their defined SIL



ofuseand disposal,


Interfacing IEC 61508 and Automotive-SPICE

Estabilishment of responsibilities

Documentation of the activities

Specification of SW Safety lifecycle (similar to SPICE V-model) partitioningeach activity into elementary actions

Design and code specific Safety Functions and related diagnostics on the base of the defined system safe states or downgraded mode

Provide Safety Integrity attributes to Software Requirements as pointedout by Risk Analysis and cross-check with other techniques (FMEA)

Define adequate, specific techniques and measures for the guarantee ofquality and safety of software on the base of requested SIL (tuning ofinternal Software Tailoring Guidelines):

Ensure modularity, testability and safe modifiability of the software

Specific Verification&Validation plans and methods to demonstrate

safety (100% unit, integration and functional tests)

Plan and provide documented impact analysis, redesign, re-

verification for every SW modification


3. C

on

clu

sio

ns



ofuseand disposal,


SPICE and IEC 61508: some remarks and open issues…

Automotive-SPICE Model based design and automaticcode generation not explicitely

taken into consideration

Absence of guidelines for mappingAutomotive SPICE to other

widespread standards like CMMI

IEC 61508 The norm requires onerousinterpretation and experience: difficult to implement without

strong, qualified coaching.

WD26262: when will it be availableand usable?

Then will life really become easier?



ofuseand disposal,


Software & Safety Process: mid-term roadmap

Q4- 2007: To extend the application of Automotive SPICE & IEC

61508 to other mechatronic safety-critical projects

Q1-2008: To consolidate level 2 (Largely -> Fully performed) on the defined activities and further project phases

Q2-2008: To update Brembo Quality Manual integrating the Software & Functional Safety processes (Mid 2008)

Q3-2008: To provide performance targets to some SPICE activities


Th

an

k y

ou

!

Tito

_S

pin

elli@

bre

mbo.it

JeanB

runo_M

etz

en@

bre

mb

o.it

Brembo: Automotive SPICE and IEC 61508 · 2008-03-18 · Interfacing IEC 61508 and Automotive-SPICE...

Documents

Transcript of Brembo: Automotive SPICE and IEC 61508 · 2008-03-18 · Interfacing IEC 61508 and Automotive-SPICE...