Automotive SPICE is the state-of-the-art process reference model in automotive engineering. However, practical challenges arise when customers specify detailed designs, such as OS versions or watchdog configurations. These constraints often contradict idealized engineering theory, leading to waste such as 'abstract re-engineering' of detailed designs. In this article, I propose a pragmatic and A-SPICE-compliant approach to manage these challenges efficiently.
Content
The Problem: Methodical Issues
According to A-SPICE SYS.3.BP3 (see figure 1) and SWE.2.BP3 we shall not only document design decisions but also the rationale behind them[1]:
In theory, requirements should remain solution-agnostic, focusing solely on functional goals (black box input-output relations). During the architectural or detailed design phases, engineers develop the »best satisficing«[2] technical solution (white box view). This iterative process, as illustrated in Figure 2, ensures that decisions are made at the most appropriate level of expertise.[3]
However, when customers specify detailed designs, this process is undermined. While such constraints are often necessary—for example, to define system interfaces or ensure safety mechanisms—they create methodical issues for suppliers. Common issues include:
- copy-pasting requirements along the V-model: This approach introduces functionality at higher system levels where it cannot be verified. For instance, memory protection mechanisms require white box fault injection tests at the driver level.
- bypassing the system level: Directly linking requirements to hardware, software, or mechanical components creates gaps at the system level. This can result in missing system test cases or incomplete traceability.
- abstract re-engineering of the system level: Pretending that the customer’s detailed design does not exist leads to redundant efforts. This is merely norm fulfillment without adding tangible value.
These approaches result in waste and fail to meet the intent of SYS.3.BP3 and SWE.2.BP3. While such practices may still pass superficial audits, a critical auditor might devalue the base practices, emphasizing their ineffectiveness.
Lean Solution: A Priori Design Constraint
To address these issues, I take a step back from A-SPICE. From an architectural viewpoint we need to identify what constrains our freedom in design, implementation, processes, and decision-making.[4] Constraints have a wide range from project goals (e.g., time, budget), over business goals (e.g., product roadmap) to technical limitations. A customer’s detailed design specification is no more than such a constraint. That is exactly how we can address this topic efficiently while ensuring A-SPICE compliance: The design constraint was specified and contracted »a priori«. The following is an example of a generic system requirement:
Constraint: The <logical element> shall fulfill the detailed design according to the customer requirements <unambiguous reference>: - <Short summary of the detailed design> Remark: <verification remarks>.
For illustrative purposes, consider the following example:
Constraint: The CAN communication shall fulfill the detailed design according to the customer requirements LAH_1321 to LAH_1328: - K-Matrix in the newest available version Remark: The correct CAN-communication shall be verified along with the related system functions. The complete implementation of the K-Matrix can be verified via a SiL model.
A more extended example:
Constraint: The external watchdog shall fulfill the detailed design according to the customer requirements LAH_2006 to LAH_2015: - Configuration in window-mode - Error Detection: Monitoring of the µC via questions-answer-communication and time out - Error Reaction (1st level): If the monitoring is invalid, the external watchdog shall reset the µC - Error Reaction (2nd level): If there are more than three resets within the same driving cycle, the external watchdog shall trigger the system safe state and switch-off CAN-communication within FHTI=60ms. - Error Healing: No more resets OR T15 reset Remark: On system level the error reaction (1st and 2nd level) and healing shall be verified via an adequate error injection. The healing shall be verified with positive and negative test cases. The error detection can be verified on software level. The completeness of events that lead to error detection shall be supported by safety analysis.
Crucial Condition: The customer’s detailed design is a valid solution for your system. If not, renegotiation is unavoidable.
Support the Rational: Rapid-Prototyping or Evidence
A-SPICE SYS.3.BP3 (Figure 1) and SWE.2.BP3 require documented rationale. Stating that the design constraint was specified by the customer should already constitute a valid rationale. However, some assessors may not accept this reasoning.
To support your rationale, provide evidence from prototypes or early samples that validate the solution. Ensure a trace between the design constraint and the evidence.
Shifting the Burden of Proof
Since my proposed solution is not explicitly outlined in A-SPICE, some assessors might question whether it is an accepted methodology within my organization.
We can address this issue with process descriptions. They shift the burden of proof from the people to the organization. Demonstrating adherence to process descriptions often satisfies audit requirements. A concise statement in the process description at the system level might be:
Customer’s detailed design specifications shall be referenced and summarized as requirements type = 'constraint'. Alternative solutions can be omitted. V&V remarks may be documented as needed. If there are V&V remarks they become the definition of done for this constraint, i.e. traces to released evidence are required.
Note: In order to comply with A-SPICE Level 3 or ISO 26262-8, it is essential to have a process description in place.
Summary
Customers often specify detailed designs for new systems. By reframing these as constraints, they become structured elements of the system design, streamlining efforts while ensuring A-SPICE compliance. Support the rationale with test evidence and clear process descriptions.
Yours, Nico Litschke
Endnotes
- ↑Automotive SPICE (2023). Automotive SPICE® Process Assessment / Reference Model. Version 3.991, 06. Juni 2023. Status: Draft (Do not use for assessments). Vertraulich: Revision. Im Internet, abgerufen am 01.12.2024: https://vda-qmc.de/automotive-spice/automotive-spice-veroeffentlichungen/.
- ↑Simon, H. A. (1955). A Behavioral Model of Rational Choice. The Quarterly Journal of Economics, 69(1), S. 99-118. https://doi.org/10.2307/1884852.
- ↑Haberfellner, R., Fricke, E., de Weck, O., & Vössner, S. (2012). Systems Engineering: Grundlagen und Anwendung (12., völlig neu bearbeitete und erweiterte Auflage). Zürich: Orell Füssli.
- ↑Starke, G. (2015). Effektive Software-Architekturen: Ein praktischer Leitfaden (4., aktualisierte und erweiterte Auflage). München: Carl Hanser. https://doi.org/10.3139/9783446444065.fm.
Titelbild: generiert mit DALL-E von OpenAI
Kommentar schreiben