
Analysis of the Automotive Electronics Functional Safety Standard ISO 26262 (Part 11): Safety Mechanisms

2018-01-18 14:18
1. ISO 26262-4: 6.4.7
The safety mechanisms shall be specified by technical safety requirements including:
Safety mechanisms are specified by analysing the technical safety requirements, and include:
a) the measures related to the detection, indication and control of faults in the system itself (self-monitoring of the system or elements);
Self-management of the system and its modules: methods for detecting, indicating and controlling faults in the system itself.
NOTE 1 This includes the self-monitoring of the system or elements to detect random hardware faults and, if appropriate, to detect systematic failures.
Self-management includes detecting random hardware faults in the system or its modules and detecting system failures.
b) the measures related to the detection, indication and control of faults in external devices interacting with the system; 
EXAMPLE External devices include other electronic control units, power supply or communication devices.
Methods for detecting, indicating and controlling faults in external devices, including other electronic control units, power supplies and communication devices.
c) the measures that enable the system to achieve or maintain a safe state;
NOTE 2 This includes prioritisation and arbitration logic in the case of conflicting safety mechanisms.
Methods that let the system reach and maintain a safe state, including priority handling and arbitration logic when conflicting safety mechanisms occur.
d) the measures to detail and implement the warning and degradation concept;
Detailing and implementing the warning and degradation concept.
e) the measures which prevent faults from being latent (6.4.10).
NOTE 3 These measures are usually related to tests of measures during power up (pre-drive checks), operation, power down (post-drive checks) and as part of maintenance.
Methods that prevent faults from becoming latent faults, usually including power-up checks, power-down checks and periodic checks during operation.
2. ISO 26262-4: 6.4.9
For each safety mechanism that enables an item to achieve or maintain a safe state the following shall be specified:
For each safety mechanism, in addition to specifying the mechanism itself, the following aspects shall also be covered:
a) the transition to the safe state, including the requirements to control the actuators;
The conditions for transitioning to the safe state, including the requirements for controlling the actuators;
b) the fault-tolerant time interval;
The fault-tolerant time interval;
c) the emergency operation interval if the safe state cannot be reached by immediately switching off;
If the safe state cannot be reached by switching off immediately, the emergency operation interval must be specified.
d) the measures to maintain the safe state.
Measures to maintain the safe state.
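As an added illustration (not code from the article or from the standard), the C model below encodes items a) to d) of 6.4.9 and item e) of 6.4.7 as one small safety-mechanism state machine: a detected fault either switches the actuator off at once or runs a bounded emergency operation first, the reaction is checked against a time budget, and a pre-drive self-check exercises the mechanism so that a broken monitor does not stay latent. All names and timing values are assumptions; the budget is modelled as the part of the fault-tolerant time interval that remains after detection.

```c
#include <stdbool.h>
#include <stdint.h>
/* Illustrative model of one ISO 26262-4 6.4.9 safety mechanism; names and timings are assumed. */
typedef enum { SM_NORMAL, SM_EMERGENCY_OPERATION, SM_SAFE_STATE } sm_state_t;
typedef struct {
    sm_state_t state;
    bool     immediate_off_ok;   /* c) can the safe state be reached by switching off at once? */
    uint32_t reaction_budget_ms; /* b) part of the fault-tolerant time interval left after detection */
    uint32_t emergency_ms;       /* c) emergency operation interval, must fit inside that budget */
    uint32_t fault_detected_at;  /* timestamp (ms) of first detection */
    bool     actuator_enabled;   /* a) actuator control: must be off in the safe state */
    bool     budget_violated;    /* set if the safe state was reached too late */
} safety_mechanism_t;
void sm_init(safety_mechanism_t *sm, bool immediate_off_ok, uint32_t budget_ms, uint32_t emergency_ms) {
    /* the emergency operation interval may never exceed the remaining time budget */
    *sm = (safety_mechanism_t){ .state = SM_NORMAL, .immediate_off_ok = immediate_off_ok,
        .reaction_budget_ms = budget_ms, .emergency_ms = emergency_ms < budget_ms ? emergency_ms : budget_ms,
        .fault_detected_at = 0, .actuator_enabled = true, .budget_violated = false };
}
static void enter_safe_state(safety_mechanism_t *sm, uint32_t now_ms) {
    sm->state = SM_SAFE_STATE;
    sm->actuator_enabled = false;                        /* a) transition: de-energise the actuator */
    sm->budget_violated = (now_ms - sm->fault_detected_at) > sm->reaction_budget_ms;
}
/* Call once per task cycle with a monotonic time and the monitor's fault verdict. */
void sm_step(safety_mechanism_t *sm, uint32_t now_ms, bool fault_present) {
    switch (sm->state) {
    case SM_NORMAL:
        if (!fault_present) break;
        sm->fault_detected_at = now_ms;
        if (sm->immediate_off_ok) enter_safe_state(sm, now_ms);
        else sm->state = SM_EMERGENCY_OPERATION;         /* c) degraded operation, actuator stays on */
        break;
    case SM_EMERGENCY_OPERATION:
        if (now_ms - sm->fault_detected_at >= sm->emergency_ms) enter_safe_state(sm, now_ms);
        break;
    case SM_SAFE_STATE:
        sm->actuator_enabled = false;                    /* d) maintain: no return without a reset */
        break;
    }
}
/* e) pre-drive check against latent faults: run a fresh copy of the mechanism with an injected
 * fault and confirm it reaches the safe state in time; if it cannot, the monitor itself is faulty. */
bool sm_pre_drive_check(const safety_mechanism_t *sm) {
    safety_mechanism_t probe;
    sm_init(&probe, sm->immediate_off_ok, sm->reaction_budget_ms, sm->emergency_ms);
    sm_step(&probe, 1000, true);
    sm_step(&probe, 1000 + probe.emergency_ms, true);
    return probe.state == SM_SAFE_STATE && !probe.actuator_enabled && !probe.budget_violated;
}
```

A task-cycle overrun shows up as `budget_violated`, which is the kind of timing evidence a technical safety requirement for item b) asks for.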