Two hybrid approach observations
|
Christopher Temple
Dear all,
As stated during yesterday’s safety architecture WG I have some observations around the hybrid approach being proposed for ELISA.
Here are two observations:
Unless there is a simple explanation I’m not sure if I can manage lengthy email threads – maybe we can discuss this in the call next Tuesday.
Best regards Chris ----------------------------------------
|
||||
|
|
||||
|
Gurvitz, Eli (Mobileye)
Hi,
The answer to the first point can be as follows. The whole tell-tale system is ASIL B. It can be decomposed into ASIL QM (tell-tale rendering) and ASIL B (safety function). Therefore, only the safety function is considered SR for the purpose of the analysis.
Thanks, Eli
From: safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Dear all,
As stated during yesterday’s safety architecture WG I have some observations around the hybrid approach being proposed for ELISA.
Here are two observations:
Unless there is a simple explanation I’m not sure if I can manage lengthy email threads – maybe we can discuss this in the call next Tuesday.
Best regards Chris ----------------------------------------
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for |
||||
|
|
||||
|
Christopher Temple
Hi Eli,
I don’t see that this is a case of ASIL decomposition, but let’s put this aside.
So the explanation would be that the non-safety related function emerges through decomposition.
This leads to another observation:
Best regards Chris
From: safety-architecture@... <safety-architecture@...>
On Behalf Of Gurvitz, Eli (Mobileye) via lists.elisa.tech
Hi,
The answer to the first point can be as follows. The whole tell-tale system is ASIL B. It can be decomposed into ASIL QM (tell-tale rendering) and ASIL B (safety function). Therefore, only the safety function is considered SR for the purpose of the analysis.
Thanks, Eli
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Dear all,
As stated during yesterday’s safety architecture WG I have some observations around the hybrid approach being proposed for ELISA.
Here are two observations:
Unless there is a simple explanation I’m not sure if I can manage lengthy email threads – maybe we can discuss this in the call next Tuesday.
Best regards Chris ----------------------------------------
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for |
||||
|
|
||||
|
Paccapeli, Roberto
Hi Chris,
I remember that we have already discussed about the Telltale use case scenario and the assumptions: https://docs.google.com/presentation/d/1Tiz5IT5tVi4QynXMYrChLZm8KLeH14Vz/ OK, by comparison with https://docs.google.com/presentation/d/1L1Q8jDltic4ZgKED_rHTz9_8TolAMjnq/ I think there is an error in the slide shown by Gab: all blocks in the picture should be safety related. And I guess it is just an editorial error, otherwise why highlighting an NSR as QM?? 😊
Now, clarified (Gab?) that probably we are speaking about the same type of ASIL Decomposition already discussed in the other meetings, my doubts is about the conceptual correlation that you have identified between Gab/Daniel's “hybrid” approach and the assumptions. According to my understanding, the assumptions are derived from Automotive Use case (i.e. from a Technical Safety Concept) and they are used “just” as input to derive the allocation of (safety) requirements on Linux. Then, this hybrid approach analyzes the Linux design against the requirements in order to provide a certain list of argumentations, including the FFI (or at least it seems to do that by looking the material shared during the workshop https://drive.google.com/drive/u/0/folders/1BoK0PC1yYWuVtT4AuK_VW1T2U2WwQZTF).
About the required analysis, I agree with you that something should be done at the level of the claims done. Then, if we claim ASILx we need a dedicated analysis; If we claim a partitioning like NSR and SR, QM and ASIL or ASILx and ASILy etc. etc. we need to produce an FFI rationale. Anyway, I have another doubt: why are you using “Single Point” Fault terminology here? This term is intended to be used for HW random failure, but, according to my understanding, the intent of this work is to justify the usability of Kernel as classic SW design, then by using the natural systematic (architectural) point of view. What am I missing?
Thanks,
Roberto Paccapeli Functional Safety Manager | IOTG PMCE FSS
D +39 050.782.0014 | M +39 339.589.2630 Via Lenin 132/p | S. Giuliano Terme, Italy, 56017 Intel Corporation | intel.com
From: safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Hi Eli,
I don’t see that this is a case of ASIL decomposition, but let’s put this aside.
So the explanation would be that the non-safety related function emerges through decomposition.
This leads to another observation:
Best regards Chris
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Gurvitz, Eli (Mobileye) via lists.elisa.tech
Hi,
The answer to the first point can be as follows. The whole tell-tale system is ASIL B. It can be decomposed into ASIL QM (tell-tale rendering) and ASIL B (safety function). Therefore, only the safety function is considered SR for the purpose of the analysis.
Thanks, Eli
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Dear all,
As stated during yesterday’s safety architecture WG I have some observations around the hybrid approach being proposed for ELISA.
Here are two observations:
Unless there is a simple explanation I’m not sure if I can manage lengthy email threads – maybe we can discuss this in the call next Tuesday.
Best regards Chris ----------------------------------------
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for |
||||
|
|
||||
|
Hi All
On 08/07/2021 16:32, Paccapeli, Roberto wrote: Hi Chris,Yes, probably the correct way would be to have a decomposition as in QM(B) for the telltale rendering and ASILB(B) for the safety function + the external monitor. This is also pretty clear from the safety concept: https://github.com/Jochen-Kall/wg-automotive/blob/master/AGL_cluster_demo_use_case/Concept.md where we have QM(B) reqs Yes correct. the analysis we did is agnostic of the decomposition and we assume to be able to prove FFI between SR and NSR Kernel components (however this point is OPEN and must be still discussed). WRT FFI between QM(B) and ASILB(B) user space apps this is required according to KSR_0015 and KSR_0016 as in https://docs.google.com/spreadsheets/d/1EbuVvhXo-xZc2aPTfMgQtPNPDQYtcozs/edit#gid=584539121 However we still need to elaborate on these reqs, so this is a TODO. Thank you Gab
|
||||
|
|
||||
|
Christopher Temple
Hi Roberto,
Ok, if it’s an (editorial) error then we should wait with further discussions until the document is updated. I understand that the update will lead to the functionality involved with rendering being denoted as safety related, which sounds sensible.
To understand the argument about decomposition, which safety requirement is decomposed?
Regarding your last comment – you are correct the term “single-point fault” is defined in ISO26262 in the context of HW only – thanks for spotting it. The statement should read “The IOCTL problem that is being discussed, for example, cannot lead directly to the loss of a critical tell-tale, irrespective of whether it performs correctly or not.”
Best regards Chris
From: Paccapeli, Roberto <roberto.paccapeli@...>
Hi Chris,
I remember that we have already discussed about the Telltale use case scenario and the assumptions: https://docs.google.com/presentation/d/1Tiz5IT5tVi4QynXMYrChLZm8KLeH14Vz/ OK, by comparison with https://docs.google.com/presentation/d/1L1Q8jDltic4ZgKED_rHTz9_8TolAMjnq/ I think there is an error in the slide shown by Gab: all blocks in the picture should be safety related. And I guess it is just an editorial error, otherwise why highlighting an NSR as QM?? 😊
Now, clarified (Gab?) that probably we are speaking about the same type of ASIL Decomposition already discussed in the other meetings, my doubts is about the conceptual correlation that you have identified between Gab/Daniel's “hybrid” approach and the assumptions. According to my understanding, the assumptions are derived from Automotive Use case (i.e. from a Technical Safety Concept) and they are used “just” as input to derive the allocation of (safety) requirements on Linux. Then, this hybrid approach analyzes the Linux design against the requirements in order to provide a certain list of argumentations, including the FFI (or at least it seems to do that by looking the material shared during the workshop https://drive.google.com/drive/u/0/folders/1BoK0PC1yYWuVtT4AuK_VW1T2U2WwQZTF).
About the required analysis, I agree with you that something should be done at the level of the claims done. Then, if we claim ASILx we need a dedicated analysis; If we claim a partitioning like NSR and SR, QM and ASIL or ASILx and ASILy etc. etc. we need to produce an FFI rationale. Anyway, I have another doubt: why are you using “Single Point” Fault terminology here? This term is intended to be used for HW random failure, but, according to my understanding, the intent of this work is to justify the usability of Kernel as classic SW design, then by using the natural systematic (architectural) point of view. What am I missing?
Thanks,
Roberto Paccapeli Functional Safety Manager | IOTG PMCE FSS
D +39 050.782.0014 | M +39 339.589.2630 Via Lenin 132/p | S. Giuliano Terme, Italy, 56017 Intel Corporation | intel.com
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Hi Eli,
I don’t see that this is a case of ASIL decomposition, but let’s put this aside.
So the explanation would be that the non-safety related function emerges through decomposition.
This leads to another observation:
Best regards Chris
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Gurvitz, Eli (Mobileye) via lists.elisa.tech
Hi,
The answer to the first point can be as follows. The whole tell-tale system is ASIL B. It can be decomposed into ASIL QM (tell-tale rendering) and ASIL B (safety function). Therefore, only the safety function is considered SR for the purpose of the analysis.
Thanks, Eli
From:
safety-architecture@... <safety-architecture@...>
On Behalf Of Christopher Temple
Dear all,
As stated during yesterday’s safety architecture WG I have some observations around the hybrid approach being proposed for ELISA.
Here are two observations:
Unless there is a simple explanation I’m not sure if I can manage lengthy email threads – maybe we can discuss this in the call next Tuesday.
Best regards Chris ----------------------------------------
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. --------------------------------------------------------------------- This e-mail and any attachments may contain confidential material for |
||||
|
|
