1. Safety goals of the overall system, characterized from the vehicle-level perspective
2. Functional safety concepts derived from the safety goals and their allocations to high-level system functions
3. Technical safety concepts derived from the functional safety requirements and their allocations to hardware- and software-specific design solutions
4. Hardware and software safety requirements allocated to the hardware and software architectures at the implementation level
Figure 14. An overview of EAST-ADL support for safety requirements and their allocations to system artifacts.
Along with the specification of safety requirements, EAST-ADL allows the formalization of system functions and operational situations for safety analysis at various levels of abstraction.
Figure 15 shows part of the modeling support for PHA (Preliminary Hazard Analysis), which is focused on hazard identification and risk assessment and thereby on the definition of safety goals. According to ISO/DIS 26262, an item is the function, component or system that is of particular concern with regard to functional safety. With EAST-ADL, a PHA is performed at the vehicle level by examining the potential malfunctions of system features, which represent the items of the target system. To shape the top-level safety requirements, each hazard definition captures a potentially dangerous item behaviour, and each hazardous event pairs such a behaviour with the specific operational situation in which it occurs; the safety goals are then derived from these hazardous events.
Figure 15. Deriving hazardous events and safety goals of the braking function through Preliminary Hazard Analysis (PHA).
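As an added illustration of the PHA structure described above (example code written for this page, not code from EAST-ADL or MetaEdit+), the following Python models items, hazards, operational situations and hazardous events, and derives safety goals that keep traces back to the events they came from. The class names and the braking sample are assumptions; the risk-assessment step uses the ASIL lookup of ISO 26262-3 (Table 4), which the page refers to only as "risk assessment" and does not reproduce.

```python
# Added example (not EAST-ADL or MetaEdit+ code): a minimal PHA data model.
# Class names and the braking sample are assumptions for illustration; the
# ASIL table is ISO 26262-3 Table 4 (S1-S3 x E1-E4 x C1-C3).
from dataclasses import dataclass, field

# ISO 26262-3 Table 4 as strings indexed by controllability C1..C3;
# "Q" stands for QM, i.e. no ASIL is assigned.
ASIL_TABLE = {
    1: {1: "QQQ", 2: "QQQ", 3: "QQA", 4: "QAB"},
    2: {1: "QQQ", 2: "QQA", 3: "QAB", 4: "ABC"},
    3: {1: "QQA", 2: "QAB", 3: "ABC", 4: "BCD"},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def asil(severity: int, exposure: int, controllability: int) -> str:
    """Risk assessment step of the PHA: map S/E/C to an ASIL (or QM)."""
    cell = ASIL_TABLE[severity][exposure][controllability - 1]
    return "QM" if cell == "Q" else cell


@dataclass(frozen=True)
class Item:
    """Vehicle-level feature that is the item under analysis."""
    name: str


@dataclass(frozen=True)
class OperationalSituation:
    name: str


@dataclass(frozen=True)
class Hazard:
    """Potentially dangerous item behaviour (a malfunction of the feature)."""
    item: Item
    malfunction: str


@dataclass(frozen=True)
class HazardousEvent:
    """A hazard occurring in a specific operational situation, rated S/E/C."""
    hazard: Hazard
    situation: OperationalSituation
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return asil(self.severity, self.exposure, self.controllability)


@dataclass
class SafetyGoal:
    """Top-level safety requirement, traceable to the events it came from."""
    text: str
    asil: str
    derived_from: list = field(default_factory=list)


def derive_safety_goals(events):
    """One safety goal per hazard, rated at the highest ASIL among the
    hazardous events that share that hazard (ISO 26262-3 allows merging
    similar safety goals this way), with traces to those events."""
    by_hazard = {}
    for ev in events:
        by_hazard.setdefault(ev.hazard, []).append(ev)
    goals = []
    for hazard, evs in by_hazard.items():
        top = max(evs, key=lambda e: ASIL_ORDER.index(e.asil))
        goals.append(SafetyGoal(
            text=f"Avoid {hazard.malfunction} of the {hazard.item.name} feature",
            asil=top.asil,
            derived_from=evs,
        ))
    return goals


# Constructed sample: a braking feature analysed in two operational situations.
BRAKING = Item("Braking")
LOSS = Hazard(BRAKING, "loss of braking")
UNINTENDED = Hazard(BRAKING, "unintended braking")
HIGHWAY = OperationalSituation("highway driving")
PARKING = OperationalSituation("parking manoeuvre")
SAMPLE_EVENTS = [
    HazardousEvent(LOSS, HIGHWAY, severity=3, exposure=4, controllability=3),
    HazardousEvent(LOSS, PARKING, severity=1, exposure=3, controllability=2),
    HazardousEvent(UNINTENDED, HIGHWAY, severity=3, exposure=4, controllability=2),
]

if __name__ == "__main__":
    for goal in derive_safety_goals(SAMPLE_EVENTS):
        print(goal.asil, goal.text, "<-",
              [f"{e.situation.name}:{e.asil}" for e in goal.derived_from])
```

Running it yields two safety goals for the braking feature, one at ASIL D (loss of braking, driven by the highway event) and one at ASIL C (unintended braking). The point for a reviewer is the `derived_from` list: every safety goal can be traced to the hazardous events that justify its ASIL, so adding or re-rating an operational situation reopens exactly the goals it affects.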
To facilitate safety engineering tasks, EAST-ADL tools can create initial error models from the nominal functional architecture models. Figure 16 shows, in the MetaEdit+ tool, how the corresponding dependability and error models are produced from the functional design of regenerative braking. Because they are generated from the nominal architecture, these error models carry traces back to it, which supports the safety analysis and makes changes in the architecture design visible to that analysis.
Figure 16. Automatically generated error functions from the functional design of regenerative braking.
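To make the generation and traceability concrete, here is an added example (written for this page; it is not the EAST-ADL tooling, whose MetaEdit+ implementation the page shows only in the figure) that builds an initial error model from a small nominal regenerative-braking architecture, keeps a `target` trace from each error model to its nominal function, propagates faults along the nominal connectors, and reports nominal elements the error models no longer cover after a design change. The function and port names, the sample design and the default "every input fault reaches every output" propagation rule are assumptions.

```python
# Added example (not the EAST-ADL or MetaEdit+ implementation): build an initial
# error model from a nominal functional architecture with a trace back to it,
# propagate faults along the nominal connectors, and flag architecture changes
# the error model no longer covers. Names, ports and the default propagation
# rule are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Function:                 # nominal function type with flow ports
    name: str
    inputs: tuple
    outputs: tuple

@dataclass
class Architecture:             # nominal functional design
    functions: dict             # name -> Function
    connectors: list            # (src_fn, out_port, dst_fn, in_port)

@dataclass
class ErrorModel:
    name: str
    target: str                 # trace to the nominal function
    fault_in: tuple             # one fault-in port per nominal input
    failure_out: tuple          # one failure-out port per nominal output
    internal_faults: tuple = ("internal",)
    propagation: dict = field(default_factory=dict)   # output -> causing faults

def generate_error_models(arch):
    """Initial error model per function. Default rule (an assumption the safety
    engineer refines later): every input or internal fault reaches every output."""
    models = {}
    for fn in arch.functions.values():
        em = ErrorModel(f"{fn.name}_EM", fn.name, fn.inputs, fn.outputs)
        for out in fn.outputs:
            em.propagation[out] = set(fn.inputs) | set(em.internal_faults)
        models[fn.name] = em
    return models

def propagate(arch, models, faulty):
    """Forward-propagate internal faults of the functions in `faulty`; return the
    set of (function, output) failures reached via the nominal connectors."""
    failed_inputs = {name: set() for name in models}
    failed, changed = set(), True
    while changed:
        changed = False
        for name, em in models.items():
            causes = set(failed_inputs[name])
            if name in faulty:
                causes |= set(em.internal_faults)
            for out, deps in em.propagation.items():
                if (name, out) not in failed and causes & deps:
                    failed.add((name, out))
                    changed = True
                    for src, sp, dst, dp in arch.connectors:
                        if (src, sp) == (name, out):
                            failed_inputs[dst].add(dp)
    return failed

def stale(arch, models):
    """Nominal functions/ports with no error-model counterpart, and error models
    whose target is gone; anything non-empty means the analysis must be redone."""
    missing = []
    for fn in arch.functions.values():
        em = models.get(fn.name)
        if em is None:
            missing.append(fn.name)
            continue
        missing += [f"{fn.name}.{p}" for p in fn.inputs if p not in em.fault_in]
        missing += [f"{fn.name}.{p}" for p in fn.outputs if p not in em.failure_out]
    orphaned = [em.name for em in models.values() if em.target not in arch.functions]
    return missing, orphaned

def sample_architecture():
    """Constructed regenerative braking design (not taken from the page's figure)."""
    fns = [
        Function("BrakePedal", (), ("request",)),
        Function("BatteryMonitor", (), ("soc",)),
        Function("BrakeArbitration", ("request", "soc"), ("regen_cmd", "friction_cmd")),
        Function("ElectricMotor", ("regen_cmd",), ("regen_torque",)),
        Function("FrictionBrake", ("friction_cmd",), ("friction_torque",)),
    ]
    connectors = [
        ("BrakePedal", "request", "BrakeArbitration", "request"),
        ("BatteryMonitor", "soc", "BrakeArbitration", "soc"),
        ("BrakeArbitration", "regen_cmd", "ElectricMotor", "regen_cmd"),
        ("BrakeArbitration", "friction_cmd", "FrictionBrake", "friction_cmd"),
    ]
    return Architecture({f.name: f for f in fns}, connectors)

if __name__ == "__main__":
    arch = sample_architecture()
    models = generate_error_models(arch)
    print(sorted(propagate(arch, models, {"BatteryMonitor"})))
    arch.functions["BrakeArbitration"].inputs += ("vehicle_speed",)   # design change
    print(stale(arch, models))   # the new port has no fault-in port yet
```

With the default rule, an internal fault in `BatteryMonitor` propagates through `BrakeArbitration` to both actuators, which is exactly the kind of over-approximation the safety engineer then refines in the generated model (for instance, arbitration may fall back to friction braking when the state-of-charge signal is lost). The `stale` check is what the trace links buy you: after a new input port is added to the nominal design, the generated error model is reported as incomplete instead of silently passing the old analysis.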