Project 2 - Phases 0-17 Done

Automotive Safety PlatformZonal Vehicle Architecture Prototype

ISO 26262 ASIL D zonal vehicle platform with 7 ECUs, 475 requirements, 1,648 unit tests, and ~43,800 LOC of C firmware. Full safety lifecycle from HARA to unit verification.

Start Here

Scroll down for the interactive showcase with metrics, code snippets, and process evidence.
Use Decision Log Summary for a faster executive overview.

Decision Log Summary View Full Document

Phases 0-17 DONEISO 26262 ASIL D | ASPICE SWE.6 | MISRA C

ECU Nodes

4 physical + 3 simulated

475

Requirements

Full safety lifecycle

1,648

Unit Tests

Test-driven development

~43,800

Firmware LOC

Real C firmware

475

Traceability Links

SG to SWR to test

>=99%

SPFM

Exceeds ASIL D target

System Architecture Snapshot

Vehicle Layer

Edge Gateway

Cloud Platform

SAP QM + Business

Browse Source Code Live SIL Demo

Portfolio project — firmware tested in SIL (software-in-loop), not yet on physical boards. STM32 is IEC 61508 certified (industrial), not ISO 26262 qualified.

Physical Safety Hardware

3x STM32G474RE (CVC, FZC, RZC) — Cortex-M4 170 MHz
TMS570LC43x Safety Controller — Cortex-R5 lockstep (TUV-certified)
CAN 2.0B at 500 kbps — 32 message types, 24% bus load
Diverse redundancy: STMicroelectronics + Texas Instruments (different vendors, different architectures)
BOM: $537–$937 for complete platform

Delivery Roadmap

18 of 19 phases complete95%

Phase 0

Project Setup & Architecture Docs

Completed

Phase 1

Safety Concept (HARA, Safety Goals, FSC)

Completed

Phase 2

Safety Analysis (FMEA, DFA, HW Metrics)

Completed

Phase 3

Requirements & System Architecture

Completed

Phase 4

CAN Protocol & HSI Design

Completed

Phase 5

Shared BSW Layer (18 AUTOSAR-like modules)

Completed

Phase 6

CVC Firmware (12 SWCs, 254 tests)

Completed

Phase 7

FZC Firmware (steering, braking, lidar)

Completed

Phase 8

RZC Firmware (motor control, current, battery)

Completed

Phase 9

Safety Controller (TMS570 independent monitor)

Completed

Phase 10

BCM, ICU, TCU Firmware (simulated ECUs)

Completed

Phase 11

POSIX Port + Docker SIL (7 ECUs containerized)

Completed

Phase 12

DBC File + Plant Simulator (physics models)

Completed

Phase 13

CAN-to-MQTT Gateway + WebSocket Bridge

Completed

Phase 14

Live Telemetry Dashboard (/embedded)

Completed

Phase 15

SAP QM Mock API (OData endpoints)

Completed

Phase 16

Edge ML Anomaly Detection + Fault Injection

Completed

Phase 17

VPS Deployment + Live Demo

Completed

Phase 18

Physical Hardware Build + HIL Testing

Planned

Requirements Cascade (V-Model)

Safety Goals (8) -> FSR (25) -> TSR (51) -> SSR (81) -> SWR (197)
                                            -> HSR (25)
+ System Reqs (56) + Stakeholder Reqs (32) + FMEA (50 failure modes)
= 475 total requirements, 1,648 unit tests, 475 traced end-to-end

Safety Lifecycle Summary

HARA: 6 operational situations, 16 hazardous events, 8 safety goals (3 ASIL D, 2 ASIL C)
FMEA: 50 failure modes, 11 severity >= 9, 23 safety mechanisms
DFA: 6 common cause failures, 5 cascading failures analyzed
HW Metrics: SPFM >= 99%, PMHF 5.2 FIT (under 10 FIT ASIL D target)

Code Showcase

Const Transition Table(Swc_VehicleState.c:69-154)

Pattern: Table-driven state machine — 6 states x 11 events

"Every transition is statically defined — no runtime surprises"

static const uint8 transition_table[CVC_STATE_COUNT][CVC_EVT_COUNT] = {
    /* CVC_STATE_INIT */
    {
        CVC_STATE_RUN,         /* EVT_SELF_TEST_PASS     -> RUN        */
        CVC_STATE_SAFE_STOP,   /* EVT_SELF_TEST_FAIL     -> SAFE_STOP  */
        CVC_STATE_INVALID,     /* EVT_PEDAL_FAULT_SINGLE -> (invalid)  */
        CVC_STATE_INVALID,     /* EVT_PEDAL_FAULT_DUAL   -> (invalid)  */
        ...
    },
    /* CVC_STATE_RUN */
    {
        CVC_STATE_INVALID,     /* EVT_SELF_TEST_PASS     -> (invalid)  */
        CVC_STATE_INVALID,     /* EVT_SELF_TEST_FAIL     -> (invalid)  */
        CVC_STATE_DEGRADED,    /* EVT_PEDAL_FAULT_SINGLE -> DEGRADED   */
        CVC_STATE_SAFE_STOP,   /* EVT_PEDAL_FAULT_DUAL   -> SAFE_STOP  */
        CVC_STATE_LIMP,        /* EVT_CAN_TIMEOUT_SINGLE -> LIMP       */
        CVC_STATE_SAFE_STOP,   /* EVT_CAN_TIMEOUT_DUAL   -> SAFE_STOP  */
        CVC_STATE_SAFE_STOP,   /* EVT_ESTOP              -> SAFE_STOP  */
        CVC_STATE_SAFE_STOP,   /* EVT_SC_KILL            -> SAFE_STOP  */
        ...
    },
    /* ... DEGRADED, LIMP, SAFE_STOP, SHUTDOWN */
};

Dual Sensor Plausibility with Debounce(Swc_Pedal.c:323-334)

Pattern: Cross-check two independent sensors, debounce before fault

"Both AS5048A sensors must agree within threshold for N consecutive cycles"

/* Plausibility check (only if both sensors read OK) */
if (new_fault == CVC_PEDAL_NO_FAULT) {
    delta = Pedal_AbsDiff16(raw1_local, raw2_local);

    if (delta >= Pedal_CfgPtr->plausThreshold) {
        Pedal_PlausDebounce++;
        if (Pedal_PlausDebounce >= Pedal_CfgPtr->plausDebounce) {
            new_fault = CVC_PEDAL_PLAUSIBILITY;
        }
    } else {
        Pedal_PlausDebounce = 0u;
    }
}

E2E Protection — CRC-8 + Alive Counter(E2E.c:101-131)

Pattern: AUTOSAR E2E Profile P01 — CRC + counter packed into CAN PDU

"16 of 32 CAN messages are E2E-protected — detects corruption, loss, and replay"

Std_ReturnType E2E_Protect(const E2E_ConfigType* Config,
                           E2E_StateType* State,
                           uint8* DataPtr, uint16 Length)
{
    uint8 crc;

    if ((Config == NULL_PTR) || (State == NULL_PTR) || (DataPtr == NULL_PTR))
        return E_NOT_OK;

    if (Length < E2E_PAYLOAD_OFFSET)
        return E_NOT_OK;

    /* Increment alive counter (4-bit, wraps 0..15) */
    State->Counter = (State->Counter + 1u) & 0x0Fu;

    /* Write byte 0: [counter:4 | dataId:4] */
    DataPtr[E2E_BYTE_COUNTER_ID] =
        (uint8)((State->Counter << 4u) | (Config->DataId & 0x0Fu));

    /* Compute CRC over payload (bytes 2..N-1) + DataId */
    crc = E2E_ComputePduCrc(DataPtr, Length, Config->DataId);
    DataPtr[E2E_BYTE_CRC] = crc;

    return E_OK;
}

Documentation Library

~160 documents — draft (filled), complete content, not yet formally reviewed

ISO 26262 — Concept Phase (Part 3)4

Item Definition— 7 functions, system boundary, interface list
Hazard Analysis & Risk Assessment— 6 operational situations, 16 hazardous events, ASIL determination
Safety Goals— 8 safety goals (3 ASIL D, 2 ASIL C, 1 ASIL B, 2 ASIL A)
Functional Safety Concept— 23 safety mechanisms, 4 safe states, 25 FSRs

ISO 26262 — Safety Management (Part 2)2

Safety Plan— Lifecycle phases, roles, activities, tool qualification
Safety Case— Claims, argument, evidence structure

ISO 26262 — Safety Analysis (Part 9)4

Failure Mode & Effects Analysis— 50 failure modes, 11 severity >= 9
Dependent Failure Analysis— 6 common cause failures, 5 cascading failures
Hardware Architectural Metrics— SPFM >= 99%, PMHF 5.2 FIT
ASIL Decomposition— 2 decompositions with independence arguments

ISO 26262 — Safety Requirements (Parts 4-6)5

Functional Safety Requirements— 25 FSRs (FSR-001 to FSR-025)
Technical Safety Requirements— 51 TSRs — 26 ASIL D, 17 C, 4 B, 4 A
Software Safety Requirements— 81 SSRs across 4 physical ECUs
Hardware Safety Requirements— 25 HSRs across 4 ECUs
HW-Software Interface Specification— Per-ECU peripheral configs, memory maps, MPU, startup

ISO 26262 — Safety Validation1

Safety Validation Report— Vehicle-level validation plan and evidence

ASPICE — System Engineering (SYS.1-3)5

Stakeholder Requirements— 32 stakeholder reqs (STK-001 to STK-032)
System Requirements Specification— 56 system reqs — 18 ASIL D, 12 C
System Architecture— 10 element categories, system state machine, FFI
CAN Message Matrix— 32 message types, 16 E2E-protected, 24% bus load
Interface Control Document— 22 interfaces (CAN, SPI, UART, ADC, PWM, GPIO, I2C, MQTT)

ASPICE — Software Engineering (SWE.1-2)11

SW Architecture— Per-ECU decomposition, task scheduling, 81 SSR-to-module allocation
BSW Architecture— 18 modules with full C API signatures, 3 platform targets
vECU Architecture— POSIX MCAL abstraction, Docker containers, CI/CD
SWR-CVC (35 reqs)
SWR-FZC (32 reqs)
SWR-RZC (30 reqs)
SWR-SC (26 reqs)
SWR-BCM (12 reqs)
SWR-ICU (10 reqs)
SWR-TCU (15 reqs)
SWR-BSW (27 reqs)

ASPICE — Verification (SWE.4-6, SYS.4-5)12

Unit Test Plan
Unit Test Report— 1,648 unit tests across all ECUs + BSW
Integration Strategy
Integration Test Report
SW Verification Plan
Release Notes
System Integration Report
System Verification Report
MIL Report
SIL Report
PIL Report
HIL Report

Hardware Engineering (HWE.1-3)2

Hardware Requirements— 33 HWRs in 7 categories
Hardware Design— Per-ECU circuit designs, power distribution, BOM

Support & Management (SUP, MAN.3)5

Quality Assurance Plan
CM Strategy— Git Flow, baselines, access rights
Traceability Matrix— 475 traced: SG to FSR to TSR to SSR to SWR to test
Architecture Decision Log— 13 ADRs with T1-T4 tier scoring
Progress Dashboard

Process & Governance

Traceability Evidence

475 traced requirements: SG to FSR to TSR to SSR to SWR to module to test
Every safety goal has a complete trace to code and tests
Example: SG-001 to FSR-001 to TSR-001 to SSR-001 to Swc_Pedal.c to test_Swc_Pedal.c

ADR Governance

13 Architecture Decision Records with T1-T4 tier scoring
Scored on 4 dimensions: Cost, Time, Safety, Resume impact
Every decision includes rationale + 2 alternatives + why chosen wins

Process Maturity

26 rule files in .claude/rules/ (MISRA, ISO, ASPICE, security, testing)
Git Flow branching strategy with immutable baselines
Phase-based execution with gate criteria