Requirement Based Safety Monitor Generation and Integration 2014-01-0214

The safety monitor is a high integrity control that monitors the health and performance of safety related computer controlled functions in vehicles. The integrity of the safety monitor code is critical to the overall performance of the control software. Traditionally, once monitor requirements are understood, then the safety monitor is hand coded or created in a modeling environment. New practices such as ISO 26262 prescribe formal or semiformal methods are used against certain classes of foreseeable faults. Recently, a new tool, which is capable of auto-generating C-code based on safety monitor formal functional requirements is available from BTC Company. Ford Motor Company investigated the tool using an application example from a powertrain control feature safety monitor.

The paper describes a pilot project and process assessment, comprising the steps of requirement-based C-code generation, code integration, code analysis and code verification using requirements selected from the powertrain control feature's specification. First, the paper describes the C-code generation process. This includes requirements capture as textual descriptions, the conversion of the requirements to macros, use of these macros in the creation of temporal logic patterns in formal notations, code generation and target code export. Then the paper discusses the code integration process, and after that the paper compares code analysis reports from Polyspace®, one from the pilot requirement based implementation and one from a Simulink® implementation. Afterwards, the paper demonstrates the functional testing of the code at both unit level and vehicle integration level. In conclusion, the paper summarizes the recommendations and lessons-learned with usage of the tools.