tag 标签: 系统安全

相关博文
  • 热度 12
    2013-12-27 10:09
    1369 次阅读|
    0 个评论
       上周的时候,北美来了个负责系统安全的工程师,顺道在我们这里打望了一圈,有机会和我们聊聊,觉得受益匪浅,记录一些要点分享一下。    考虑EV/HEV的安全,确实是一个技术活,传统车的安全问题基本需要考虑到,还需要考虑一些特殊的问题。就种类而言,参考文献1的分类,总需要一些人 以另外的一些角度来审视汽车的安全性,其维度可分为正常使用/非正常状态;客户一般人使用和专业人员使用,从汽车的生命周期来看,从生产、停置、驾驶、充 电、碰撞、营救、维修和报废,所有的状态方方面面的问题和场景都需要考虑到,这确实是需要一个专门的团队来干这个事情。     所以这里也就必须用一个Overall Safety,或者用System Safety这个概念来涵盖了。    危害的种类,大致可分为电气、化学和热,这个在文献2里面介绍的很详细;当然这里并不完整,考虑车的话还有一些机械、驾驶和碰撞等。     关于严重度,这里听到一个例子很有趣。不同的事件,每个人的想法是不同的。比如车用的部件发热至50~60度,如果客户碰到了会怎么办?我想一般人大概都 是会选择S1,至少我也是这么想的,不过根据医院的统计10%的手皮肤接触过热事件可能致死;整个手掌接触会有0.7%的概率死伤。我暂时无法查证这个数 据的依据,不过这也是一个很值得调查的议题,在不同的事件和评级上,相信工程师们会对此有不同的看法。   S0   No injuries S1 Light and moderate injuries S2 Severe and life-threatening injuries (survival probable) S3 Life-threatening injuries (survival uncertain), fatal injuries      令我印象深刻的就是还有一点,对于汽车OEM来说,哪些是有约束力的法规,哪些是没有约束力的择善而从之的意思。以下图开发ECU的安全要求为例,在美 国真正有约束力的是FMVSS、CMVSS,不同的汽车OEM有着自己的积累和方法,也不可能跟着SAE、ISO的标准走,特别是其为了使大多数人能接 受,掺和了大家都同意的条款,框架太大了难免就会臃肿。 摘录自文献2和文献4的组合    按照参考5的说法,对于26262确实米国和日本的汽车企业不是很积极,不过参考6罗列的事实也是血淋淋的被严重打脸,光靠OEM企业+配套零部件的积累是无法规避自身的风险的,期待未来的变化。    最后一点就是,负责安全的工程师到底怎么去做。光是想想在汽车OEM里面,将车的安全问题,分解分类分析清楚(PHA),然后依靠安全功能分配至需求, 由DRE来负责,由Validation Engineer来确认,这个细节过程都是供应商的开发团队,软硬件、机构和独立的安全工程师来完成,想要真正做到实处,非一朝一夕可以完成。有个经典的 问题是,比如SDM安全气囊的系统,早在26262之前,历经10数年的技术成本和安全优化,想要去改动,这笔帐谁来买单,又如何将一个成熟的 部件变成一个需要验证的部件。想想就是一堆人吵架、开会和妥协。开发想快其实也不太可能快得起来的。    总之,这次约2小时的茶话会,让我理解不少,比看冷冰冰的标准、教材和案例,来的直接和清楚些。 汽车电子控制软件问题索引,选自参考文献6. In July 1999,General Motors has to recall 3.5 million vehicles because of an anti-lock braking software defect. • Stopping distances were extended by 15- 20 meters. Federal investigators received reports of 2,111 crashes and 293 injuries. • http://autopedia.com/html/Recall_GM072199.html In September 2000 , Production of year 2001 models of Ford Windstar,Crown Victoria, Mercury Grand and Li coln stopped because of software defect causing airbags to deploy on their own and seatbelts to tighten suddenly. • This stopped production for several days at Ford of Canada and other sites. • http://www.findarticles.com/p/article s/mi_m3165/is_2000_Oct/ai_68324491 Source: http://www.leshatton.org/Documents/Hatton_Xmas1_03.pdf 20/May/2002.  2000 top of the range BMW cars had to be recalled because of a software defect in the fuel injection pump. • http://www.heise.de/newsticker/data/uvo-28.05.02-002 (in German) In September 2003  , Mercedes reported that they were reviewing early time  to market in the wake of defects in automotive software systems which ‘were proving hard to debug’. • http://www.autonewseurope.com/ (but unable to find this article) May 2004; Mercedes has $30 million recall of 680,000 cars due to defects in brake-assist-by-wire system. Blamed on hydraulics but the fix is applying a software patch. • http://www.automobil.md/news/comments.php?id=7 March 2004: Chrysler Pacifica (34,561 vehicles) • Software protocol used to test the vehicle exhaust gas recirculation (EGR) system may lead to engine stalling under certain circumstances, increasing the risk of a crash. • http://www.car-accident-advice.com/chrysler-pacifica-recalls-030004.html Apr 2004: Jaguar recalls 67,798 cars for transmission fix  • Software defect slams car into reverse gear if there is a major oil pressure drop • http://www.accidentreconstruction.com/news/apr04/042104a.asp Apr 2004: GM recalls 12,329 Cadillac SRXs  One-second delay in brake activation “The  problem, due to a software anomaly, only occurs during the first few seconds of driving when the SUV is moving slowly” • http://www.accidentreconstruction.com/news/apr04/040204a.asp Dec 2004: Hyundai recalls 120,000 Elantras • Airbag software problem detected in Insuran ce Institute crash tests (driver side airbag  didn’t deploy in crash test) • http://money.cnn.com/2004/12/19/pf/autos/ bc.autos.hyundai.r ecall.reut/index.htm May 2005 Toyota recalls 23,900 Prius cars • Hybrid car, engine dying in the middle of the highway • Requires a software upgrade due to a “programming glitch” • http://money.cnn.com/2005/05/16/Autos/prius_computer/index.htm Feb 2010: CNN Headline: “Toyota: Software to blame for Prius brake problems” •“ Toyota officials described the problem as a "disconnect" in the vehicle's  complex anti-lock brake system (ABS) that causes less than a one-second lag. With the delay, a vehicle going 60 mph  will have traveled nearly another 90 feet before the brakes begin to take hold.” • “Brakes in hybrids such as the Prius ope  rate differently from brakes in most  cars. In addition to standard brakes , which use friction from pads pressed  against drums or rotors, the electric mo tors in hybrids help slow them. The process also generates electricity to recharge the batteries.” • “The complaints received via our dealers center around when drivers are on a  bumpy road or frozen surface, said Pa ul Nolasco, a Toyota Motor Corp. spokesman in Japan. "The driver steps on  the brake, and they do not get as full  of a braking feel a* expected." • http://www.cnn.com/2010/WORLD/asiapcf/02/04/ja pan.prius.complaints/index.html?hpt=T1 March 2010: Toyota vehicles cause Congressional inquiries • Newer vehicles are throttle-by-wire • Concerns about runaway vehicles • http://embeddedgurus.com/barr-code/ 2011/03/unintended-acceleration-and- other-embedded-software-bugs/ April 2010: Toyota recalls Lexus GX 460 SUVs • Consumer reports rated “do not buy” due  to rollover risk uncovered during  testing • Toyota recalled 9,400 in US; 34,000 worldwide, and suspended sales. • Vehicle Stability Control software fix • http://money.cnn.com/2010/04/19/autos/lexus_gx460_recall/index.htm Nov 2011: Ford sends 250,000 flash drives with software upgrades  to MyFord Touch • Problems are said to be responsible for dramatic downtrend in quality perception • Not sure how to upgrade 200K buyers outside US •“ the company also learned quickly that buyers aren't as forgiving with  glitches in their cars as they are with  their phones or computers.” • http://www.manufacturing.net/News/2011/11/Electrical-Electr onics-Ford-To-Upgrade-MyFord-Touch-After-Taking-Heat/? 参考文件: 1)Safety of electric and hybrid vehicles,Dr David Ward, 2)Application of System Safety Engineering Processes to Advanced Battery Safety 3)  ISO 26262 4)Automotive Software Safety: Current Practice and Future Challenges   Opportunities 5) 汽车功能安全标准ISO 26262颁布,历经6年终成正式标准 6)20 Critical Systems Engineering Distributed Embedded Systems Philip Koopman
  • 热度 18
    2013-12-17 22:37
    3560 次阅读|
    0 个评论
      上周的时候,北美来了个负责系统安全的工程师,顺道在我们这里打望了一圈,有机会和我们聊聊,觉得受益匪浅,记录一些要点分享一下。    考虑EV/HEV的安全,确实是一个技术活,传统车的安全问题基本需要考虑到,还需要考虑一些特殊的问题。就种类而言,参考文献1的分类,总需要一些人以另外的一些角度来审视汽车的安全性,其维度可分为正常使用/非正常状态;客户一般人使用和专业人员使用,从汽车的生命周期来看,从生产、停置、驾驶、充电、碰撞、营救、维修和报废,所有的状态方方面面的问题和场景都需要考虑到,这确实是需要一个专门的团队来干这个事情。     所以这里也就必须用一个Overall Safety,或者用System Safety这个概念来涵盖了。    危害的种类,大致可分为电气、化学和热,这个在文献2里面介绍的很详细;当然这里并不完整,考虑车的话还有一些机械、驾驶和碰撞等。     关于严重度,这里听到一个例子很有趣。不同的事件,每个人的想法是不同的。比如车用的部件发热至50~60度,如果客户碰到了会怎么办?我想一般人大概都是会选择S1,至少我也是这么想的,不过根据医院的统计10%的手皮肤接触过热事件可能致死;整个手掌接触会有0.7%的概率死伤。我暂时无法查证这个数据的依据,不过这也是一个很值得调查的议题,在不同的事件和评级上,相信工程师们会对此有不同的看法。   S0   No injuries S1 Light and moderate injuries S2 Severe and life-threatening injuries (survival probable) S3 Life-threatening injuries (survival uncertain), fatal injuries      令我印象深刻的就是还有一点,对于汽车OEM来说,哪些是有约束力的法规,哪些是没有约束力的择善而从之的意思。以下图开发ECU的安全要求为例,在美国真正有约束力的是FMVSS、CMVSS,不同的汽车OEM有着自己的积累和方法,也不可能跟着SAE、ISO的标准走,特别是其为了使大多数人能接受,掺和了大家都同意的条款,框架太大了难免就会臃肿。 摘录自文献2和文献4的组合    按照参考5的说法,对于26262确实米国和日本的汽车企业不是很积极,不过参考6罗列的事实也是血淋淋的被严重打脸,光靠OEM企业+配套零部件的积累是无法规避自身的风险的,期待未来的变化。    最后一点就是,负责安全的工程师到底怎么去做。光是想想在汽车OEM里面,将车的安全问题,分解分类分析清楚(PHA),然后依靠安全功能分配至需求,由DRE来负责,由Validation Engineer来确认,这个细节过程都是供应商的开发团队,软硬件、机构和独立的安全工程师来完成,想要真正做到实处,非一朝一夕可以完成。有个经典的问题是,比如SDM安全气囊的系统,早在26262之前,历经10数年的技术成本和安全优化,想要去改动,这笔帐谁来买单,又如何将一个成熟的部件变成一个需要验证的部件。想想就是一堆人吵架、开会和妥协。开发想快其实也不太可能快得起来的。    总之,这次约2小时的茶话会,让我理解不少,比看冷冰冰的标准、教材和案例,来的直接和清楚些。 汽车电子控制软件问题索引,选自参考文献6. In July 1999,General Motors has to recall 3.5 million vehicles because of an anti-lock braking software defect. • Stopping distances were extended by 15- 20 meters. Federal investigators received reports of 2,111 crashes and 293 injuries. • http://autopedia.com/html/Recall_GM072199.html In September 2000 , Production of year 2001 models of Ford Windstar,Crown Victoria, Mercury Grand and Li coln stopped because of software defect causing airbags to deploy on their own and seatbelts to tighten suddenly. • This stopped production for several days at Ford of Canada and other sites. • http://www.findarticles.com/p/article s/mi_m3165/is_2000_Oct/ai_68324491 Source: http://www.leshatton.org/Documents/Hatton_Xmas1_03.pdf 20/May/2002.  2000 top of the range BMW cars had to be recalled because of a software defect in the fuel injection pump. • http://www.heise.de/newsticker/data/uvo-28.05.02-002 (in German) In September 2003  , Mercedes reported that they were reviewing early time  to market in the wake of defects in automotive software systems which ‘were proving hard to debug’. • http://www.autonewseurope.com/ (but unable to find this article) May 2004; Mercedes has $30 million recall of 680,000 cars due to defects in brake-assist-by-wire system. Blamed on hydraulics but the fix is applying a software patch. • http://www.automobil.md/news/comments.php?id=7 March 2004: Chrysler Pacifica (34,561 vehicles) • Software protocol used to test the vehicle exhaust gas recirculation (EGR) system may lead to engine stalling under certain circumstances, increasing the risk of a crash. • http://www.car-accident-advice.com/chrysler-pacifica-recalls-030004.html Apr 2004: Jaguar recalls 67,798 cars for transmission fix  • Software defect slams car into reverse gear if there is a major oil pressure drop • http://www.accidentreconstruction.com/news/apr04/042104a.asp Apr 2004: GM recalls 12,329 Cadillac SRXs  One-second delay in brake activation “The  problem, due to a software anomaly, only occurs during the first few seconds of driving when the SUV is moving slowly” • http://www.accidentreconstruction.com/news/apr04/040204a.asp Dec 2004: Hyundai recalls 120,000 Elantras • Airbag software problem detected in Insuran ce Institute crash tests (driver side airbag  didn’t deploy in crash test) • http://money.cnn.com/2004/12/19/pf/autos/ bc.autos.hyundai.r ecall.reut/index.htm May 2005 Toyota recalls 23,900 Prius cars • Hybrid car, engine dying in the middle of the highway • Requires a software upgrade due to a “programming glitch” • http://money.cnn.com/2005/05/16/Autos/prius_computer/index.htm Feb 2010: CNN Headline: “Toyota: Software to blame for Prius brake problems” •“ Toyota officials described the problem as a "disconnect" in the vehicle's  complex anti-lock brake system (ABS) that causes less than a one-second lag. With the delay, a vehicle going 60 mph  will have traveled nearly another 90 feet before the brakes begin to take hold.” • “Brakes in hybrids such as the Prius ope  rate differently from brakes in most  cars. In addition to standard brakes , which use friction from pads pressed  against drums or rotors, the electric mo tors in hybrids help slow them. The process also generates electricity to recharge the batteries.” • “The complaints received via our dealers center around when drivers are on a  bumpy road or frozen surface, said Pa ul Nolasco, a Toyota Motor Corp. spokesman in Japan. "The driver steps on  the brake, and they do not get as full  of a braking feel as expected." • http://www.cnn.com/2010/WORLD/asiapcf/02/04/ja pan.prius.complaints/index.html?hpt=T1 March 2010: Toyota vehicles cause Congressional inquiries • Newer vehicles are throttle-by-wire • Concerns about runaway vehicles • http://embeddedgurus.com/barr-code/ 2011/03/unintended-acceleration-and- other-embedded-software-bugs/ April 2010: Toyota recalls Lexus GX 460 SUVs • Consumer reports rated “do not buy” due  to rollover risk uncovered during  testing • Toyota recalled 9,400 in US; 34,000 worldwide, and suspended sales. • Vehicle Stability Control software fix • http://money.cnn.com/2010/04/19/autos/lexus_gx460_recall/index.htm Nov 2011: Ford sends 250,000 flash drives with software upgrades  to MyFord Touch • Problems are said to be responsible for dramatic downtrend in quality perception • Not sure how to upgrade 200K buyers outside US •“ the company also learned quickly that buyers aren't as forgiving with  glitches in their cars as they are with  their phones or computers.” • http://www.manufacturing.net/News/2011/11/Electrical-Electr onics-Ford-To-Upgrade-MyFord-Touch-After-Taking-Heat/? 参考文件: 1)Safety of electric and hybrid vehicles,Dr David Ward, 2)Application of System Safety Engineering Processes to Advanced Battery Safety 3)  ISO 26262 4)Automotive Software Safety: Current Practice and Future Challenges   Opportunities 5) 汽车功能安全标准ISO 26262颁布,历经6年终成正式标准 6)20 Critical Systems Engineering Distributed Embedded Systems Philip Koopman
相关资源