SEooC — Safety Element out of Context 工程实战深度

ISO 26262-1:2018 vocabulary(term 3.138)原文定义:"safety-related element which is not developed for a specific item, i.e. not developed in the context of a particular vehicle"(即一个 safety-related element,不在某一具体车辆 item 上下文中开发)。注意:safety-related element 涵盖 system / sub-system / hardware component / software component(ISO 26262-10:2018 扩展说明),不局限于 "an E/E system";"an E/E system ... not developed based on the specific requirements provided by the OEM/suppliers/technology vendors" 那种说法是第三方厂商 paraphrase,不是 ISO 原文。

3 句话理解:

• SEooC 是 hardware 或 software 元件,按 ISO 26262 开发但没有完整的 item-level system definition
• 供方为缺失信息编写"有据可循的假设"(justified assumptions)
• 一句话定位:"Safety element out of context" — 在 item 上下文之外开发,后续在多个 item 中复用,前提是集成时假设能成立

下表是 6 类典型 SEooC 对象 + 主流 vendor:

里程碑:AURIX TC3xx 是"first embedded safety controller worldwide certified ASIL-D under ISO 26262:2018";S32K3 由 NXP 按 BCaM7 process 开发并 TÜV SÜD 认证;TMS570 在 concept phase 已显式按 ISO 26262-10:2012 §9 SEooC 流程分析。

两种开发模式的根本差异:

• SEoC (Safety Element of Context):在已知 item 上下文 + OEM 明确 safety goals + 全部 system requirements 下开发。Top-down 经典 V-model 路径
• SEooC:bottom-up,先决定"这个元件要做到 ASIL-x",再反推应满足哪些上层假设

实操区别:

• SEoC 的 validation 是 item-level + vehicle-level 全闭环
• SEooC 的 validation 只覆盖到 supplier-controllable 边界;vehicle-level validation delegated to OEM/Tier-1

完整理解 SEooC 必须先弄清楚 5 个术语:

• Assumption of Use (AoU) — supplier 在缺 item 上下文情况下对使用方式的假设。Renesas 在 Safety Application Note 里用 AoU-SIR-xx 编号每条
• Assumption of Environment (AoE) — 电气特性、通讯协议、温度/湿度边界、集成约束等环境假设
• Item-Level Integration — Tier-1 把 SEooC 放进 item 上下文做 hazard analysis → safety goals 映射 → AoU 反向验证的全过程,安全论证最后一公里 lifecycle 显式 delegate 给 OEM/integrator
• Validation Argument — SEooC supplier 只能 demonstrate "element fulfils its safety requirements under the assumed context",所以 Safety Manual 变成"safety case 的可移交载体"(critical safety artifact)
• DIA (Development Interface Agreement) — Tier-2/Tier-1/OEM 三方 RACI 文档,划清安全活动归谁

Safety Manual 的典型 10 章结构(汇总 Microchip / Infineon / TI / NXP 模板):

1. Scope + 适用器件版本 / Rev
2. Safety architecture overview
3. Assumptions of Use (AoU) — 编号 list (AoU-001...AoU-NNN)
4. Safety Mechanism (SM) list — 每条带:覆盖的 failure mode + diagnostic coverage % + 触发条件 + 软件配置
5. FMEDA(量化失效率 + SPFM/LFM/PMHF)
6. Failure mode 表(已覆盖 / 未覆盖 / residual)
7. Integration guidelines(pin config / 启动序列 / fault reaction time)
8. Configuration constraints(禁用 pin 组合、寄存器锁定、不允许的运行模式)
9. Application examples(EPS / ABS / Inverter)
10. Document history + ASIL claim

关键 quote(Microchip Sample MCU Safety Manual):"The System Integrator shall fulfill all Assumptions of Use (AoU) listed in the safety manual, and the AoUs were assumed to be fulfilled when analyzing the failure rates and Fault metrics in the provided FMEDA"。

AoU 必须分维度逐条编号,Tier-1 在集成时逐条对照:

Integration Manual 4 阶段套用(基于 Electronic Design 4-step + Renesas 3-stage):

1. 假设核对(AoU validation)
2. 需求映射(SEooC requirements ↔ item requirements)
3. Target 上运行验证(element runs correctly on target)
4. Item-specific integration tests 覆盖 SEooC 在真实 item 中表现

主流 vendor 集成 AN 文档清单:

权威源对 SEooC mismatch 的统一警告:

• "If an OEM violates assumptions, the SEooC's safety argument is no longer valid."(Intertek)
• "Most SEooC integration issues arise not from technical failures but from violated assumptions."(Intertek)
• "If APIs aren't called correctly or features misconfigured, the ASIL OS may get 'downgraded' to non-ASIL."(functionalsafetyfirst.com)

下表是 Tier-2 假设 vs Tier-1 实际不匹配的典型 6 维 + 后果:

标准动作(Intertek + Renesas)4 步:

• 把 Safety Manual 每条 AoU-xxx 提到 requirements 系统(DOORS / Polarion / Codebeamer)
• 对每条做 status:Satisfied / Violated / Not Applicable + 论证
• Violated 的走 ISO 26262-8 change management(Part 8 §8)触发 impact analysis
• 必要时回到 Tier-2 重做 FMEDA(NXP 的 FMEDA 是 customer-configurable 就是这个原因)

完整读取是不可妥协的:

• 不能只看 datasheet 数值,Safety Manual 第 3、4 章 AoU + SM 列表是核心
• Common pitfall(functionalsafetyfirst):"heard about safety manuals but have not read one, or read but found challenging to apply"
• Output:AoU 全清单(已编号)+ SM 全清单 + FMEDA 输入参数 list

把 SEooC 放进 item 上下文做 3 件事:

• 做 item 级 HARA → 推导 safety goals
• 把 safety goal 拆到 SEooC 假设的 ASIL
• 对 AoU 一条一条 check "is the assumption true in this item"
• Output:assumption mapping 表 + gap list

ISO 26262-2:2018 §6.4.9 Table 1 规定 confirmation measure 独立性按 ASIL 分级。注意:独立性级别是 I1/I2/I3,不是 M1/M2/M3 — 后者是 UNECE/EU 车辆类别(M1=乘用车 / M2/M3=客车/商用车;ISO 26262 仅在 scope 中引用,不在 26262 定义)。

关键认知:"perform item-specific integration tests of the SEooC running in the target context"。

必测 4 类:

• AoU 边界(温度 corner / 电压 corner / fsw corner)
• SM 触发路径(fault injection)
• 实际 mission profile 应力(不能只测 datasheet 数值)
• FTTI 端到端时序

最后一步把 Tier-2 work products 整进 item-level safety case:

• 整合内容:DIA + FMEA + FMEDA + Safety Manual + Safety Analysis Report
• Synopsys 论证形式 quote:"Certain assumptions indicated during SEooC development are converted to justifications in the system level Assurance Case"
• 推荐 notation:GSN(Goal Structuring Notation) — Lorit Consultancy Hall sensor 案例展示 GSN 在 SEooC 中的用法

AURIX TC3xx Safety Manual 4-section 结构:

1. Safety concept + platform scalability
2. MCU architecture safety 集成(lockstep CPU / ECC / SMU)
3. Application use cases(EPS / XEV traction inverter)
4. Safety SW enablement

关键架构:SMU (Safety Management Unit) 集中所有 alarm signal,可配置 internal action + external fault signaling protocol。AoU 含 safety goals / FTTI / safe state / severity-exposure-controllability。FMEDA template customer-configurable(ISO 26262 + IEC 61508 双合规)。全套文档 NDA。

S32K3 MCU + FS26 SBC 是 ASIL-D 标准配对:

• MCU 提供算力 + 内部 SM,FS26 提供外部 watchdog / voltage monitor / fail-safe output
• 集成 AN:AN14068 + AN14492 + S32 SAF Quick Start Guide
• 全套文档在 SafeAssure NDA program:safety manuals + standardized FMEDAs + analysis reports + assessment reports + PPAPs
• 安全分析方法:FTA + DFA + FMEDA(quantitative)

TMS570 是早期 SEooC 公开案例:

• Safety Manual(SPNU620 等)显式声明:"devices analyzed during concept phase to support SEooC development per ISO 26262-10:2012"
• 例:EPS FTTI 假设 10 ms,ESC 100 ms — 设计取最严那一个为目标
• 配套 SafeTI Diagnostic Library Software Safety Manual(SPNU592)

Renesas 用 Safety Application Note (SAN) 作为 Safety Manual + Integration Manual 的混合载体:

• AoU 编号 + 解释:每条都说明"integrator 要做什么"
• 提供 ASIL-quality MCAL + Core Self Test 库

Tier-1 偷懒不做 item-level integration analysis 是最致命的反模式:

• 表现:Tier-1 拿到 SEooC 不做 item-level integration analysis,直接套用
• 后果:AoU 没验证 → 安全论证链断 → "SEooC's safety argument is no longer valid"

只读 datasheet 跳过 Safety Manual AoU + SM 章节是常态错误:

• 表现:只看 datasheet,跳过 Safety Manual 第 3、4 章 AoU + SM 列表
• 后果:漏关键 SM 配置 → "ASIL OS may get downgraded to non-ASIL"

Validation 不覆盖 AoU 边界等同于没验证:

• 表现:温度/电压 corner 只测 nominal,没测 AoU 边界
• 后果:实际 mission profile 应力下 SPFM 不达标,量产掉 ASIL

compiler / IDE 也是 SEooC,默认不做 qualification 落 TCL3 → assessment reject:

• 表现:用 GCC/IAR/Keil compiler,没做 ISO 26262-8 §11 tool qualification
• TCL 决定:TI(Tool Impact)× TD(Tool error Detection)→ TCL1/2/3;compiler 默认 TI2,未做 TD → TCL3
• 后果:safety case 在 assessment 时被 reject

把 confirmation reviewer 当形式 + 把 I 级与 M 级搞混是 ASIL-C/D 项目常见 reject 原因:

• 表现:confirmation reviewer 是同组同事(应 I2/I3),functional safety audit 没做或没独立性
• 常见误区:很多团队把 M1/M2/M3 搞混 — 这是车辆类别,不是 confirmation 独立性级别。正确是 I1/I2/I3
• 后果:ASIL-C/D 项目过不了 assessment

ISO 26262 三个直接相关 part:

• ISO 26262-10:2018 §9 SEooC(标准本体,需购买)
• ISO 26262-2:2018 §6.4.9 Table 1 confirmation measures by ASIL
• ISO 26262-8:2018 §11 tool qualification

权威解读 + 工程实战:

• Intertek — Exploring Safety Elements out of Context:https://www.intertek.com/blog/2026/01-15-exploring-safety-elements-out-of-context/
• Embitel — What is SEooC:https://www.embitel.com/blog/embedded-blog/what-is-safety-element-out-of-context-seooc-in-automotive-functional-safety
• Renesas Blog — Applying ISO 26262 to SEooC Software:https://www.renesas.com/en/blogs/renesas-functional-safety-support-automotive-3-applying-iso-26262-standard-seooc-software
• functionalsafetyfirst.com — SEooC for Dummies:https://www.functionalsafetyfirst.com/2020/10/seooc-for-dummies.html
• Electronic Design — Apply the ISO 26262 SEooC Model:https://www.electronicdesign.com/markets/automotive/article/21808428/apply-the-iso-26262-seooc-model-to-automotive-software
• Synopsys SEooC V&V whitepaper:https://www.synopsys.com/dw/doc.php/wp/automotive_verification_validation_seooc_wp.pdf

Tier-2 主流 IC vendor 的 SEooC 文档锚点:

• Infineon AURIX TC3xx — AN1001/AN1002 FuSa in a Nutshell:https://www.infineon.com/dgdl/Infineon-AN1002-FuSa_in_a_Nutshell_Introduction_to_AURIX_TC3xx_functional_safety-ApplicationNotes-v01_00-EN.pdf
• NXP S32K3 SafeAssure:https://www.nxp.com/company/blog/meeting-functional-safety-requirements-with-s32k3-mcus:BL-SAFETY-REQUIREMENTS-WITH-S32K3-MCUS
• NXP AN14068 S32K3 + FS26 hardware/safety guide:https://www.nxp.com/docs/en/application-note/AN14068.pdf
• TI Hercules SPNU620 Safety Manual:https://www.ti.com/lit/fs/spnu620a/spnu620a.pdf
• Microchip Sample MCU Safety Manual DS40002252A:https://ww1.microchip.com/downloads/en/DeviceDoc/Sample-MCU-Safety-Manual-DS40002252A.pdf
• ST AN5691 ASM330LHB safety library:https://www.st.com/resource/en/application_note/an5691-asm330lhbxxasilblibrary-safety-manual-stmicroelectronics.pdf

独立性 I1/I2/I3 + Tool Qual 权威源:

• BRACE Automotive — Confirmation Measures:https://www.brace-automotive.com/en/blog/add-value-your-iso-26262-development-confirmation-measures
• Spyrosoft — ISO 26262 guide:https://spyro-soft.com/iso-26262
• piembsystech — Tool Qualification TCL:https://piembsystech.com/tool-qualification-tcl-iso-26262/
• Siemens Verification Horizons — Clearing the Fog of Tool Qualification:https://blogs.sw.siemens.com/verificationhorizons/2022/04/13/clearing-the-fog-of-iso-26262-tool-qualification/

Safety Case Argument + Mission Profile:

• Lorit Consultancy GSN-SEooC Paper:https://lorit-consultancy.com/wp-content/uploads/2017/02/GSN-SEooC-Paper-8-April-161.pdf
• Power Electronics News — Mission Profile:https://www.powerelectronicsnews.com/ebook-may-21-8-automotive-electronics-reliability-testing-starts-and-ends-with-the-mission-profile/