Safety strategy for integrating ASIL and QM components

Question

I am looking into building a strategy about integration of ASIL and QM software components. ASIL targets the critical safety, while the QM ("Quality Managed") software does not address the safety in a way to be compliant with the standards. Breaking down is called ASIL decompositions. All that is quite relevant for industrial and automotive applications, and running on embedded hardware. In practice, that would mean that the ASIL and QM will run in different processes on the machine. This way the operation of safety critical components would not be endangered for malfunction by a faulty QM component. On the other hand, there should be also a reliable inter process communication service.

My question is, if someone have good experience with such decomposition, to share some experience and knowledge. For example, I have been told, that one possible approach is to have an initial process that would start (fork) two processes - one for the ASIL and one for QM, and will then kill itself.

Answer 1

One Famous approach is the EGAS concept, where you divide your application into 3 levels:

1- Level one (L1): Contains control functions, input / output diagnostic.

2- Level two (L2): Detects the defective process of level 1 functional software.

3- Level three (L3): Checks that level 2 is running correctly (program flow check) and that hardware is able to detect any failure during level 2 execution.

For more info: https://nanopdf.com/download/standardized-e-gas-monitoring-concept-for-gasoline-and_pdf