Demo page details
Page source code: fsr.rst
{% set page="fsr.rst" %}
{% include "demo_page_header.rst" with context %}

📋 Functional Safety Requirements (FSR)
========================================

Functional Safety Requirements are specific, verifiable requirements decomposed
from safety goals. FSRs:

- Detail what the system must functionally do
- Are more specific than safety goals
- Remain technology-agnostic (not implementation-specific)
- Inherit ASIL from parent safety goals
- Form the basis for technical safety requirements and implementation

These FSRs are derived from the TU Braunschweig research using STPA causal factor
analysis of the control loop components: sensors, processes, controllers, and actuators.

FSR Overview
------------

.. needtable::
   :filter: type == "fsr" and docname is not None and "safety_example" in docname
   :columns: id, title, asil, derives_from
   :style: table

Traceability by ASIL
--------------------

.. needpie:: FSRs by ASIL Level
   :labels: ASIL D

   type == "fsr" and docname is not None and "safety_example" in docname and asil == "D"

Steering System FSRs
--------------------

Steering Controller FSRs
~~~~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Steering Controller Robust Control Algorithm
   :id: FSR_STEER_CTRL_01
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   The control algorithm must be robust against uncertainties of the steering
   dynamics model and disturbances. The algorithm shall maintain stability and
   performance under model parameter variations of ±20%.

.. fsr:: Steering Controller Validated Dynamics Model
   :id: FSR_STEER_CTRL_02
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   A sufficiently precise and validated steering dynamics model is required.
   Model accuracy shall be verified through physical testing with a maximum
   error <5% across the operational envelope.

.. fsr:: Steering Controller Fail-Operational Design
   :id: FSR_STEER_CTRL_03
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   The steering controller shall have a fail-operational design. Single-point
   failures shall not cause loss of steering control. Redundant execution paths
   are required.

.. fsr:: Steering Controller Timing Requirements
   :id: FSR_STEER_CTRL_04
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   Operation must be provided within the required cycle time and jitter. Control
   loop execution time: 10ms ± 1ms. Maximum jitter: 500µs.

Steering Sensors FSRs
~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Steering Sensor Feedback Compensation
   :id: FSR_STEER_SENS_01
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   Inadequate or missing feedback must be recognized and compensated for, using
   sensor plausibility checks against redundant measurements. Timeout detection: 50ms.

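FSR_STEER_SENS_01 is only verifiable if "recognized and compensated for" is made concrete. The following is an added example, not code from this page, the Sphinx-Needs project or the TU Braunschweig research: a monitor over two redundant steering angle channels that declares a channel lost after the 50 ms timeout from the FSR, cross-checks the two channels for plausibility, falls back to the surviving channel when one is lost, and refuses to deliver a value when neither channel can be trusted. The 1.0° agreement window is an assumption derived from the ±0.5° position accuracy in FSR_STEER_SENS_03 (two channels each within 0.5° of the true angle may differ by up to 1.0°); the sample timestamps and angles are constructed.

```python
"""Timeout and plausibility monitor for redundant steering angle sensors.

Added example (not from the page or the research it cites). TIMEOUT_MS comes
from FSR_STEER_SENS_01; AGREEMENT_WINDOW_DEG is an assumption based on the
+/-0.5 degree accuracy of FSR_STEER_SENS_03; all sample data is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

TIMEOUT_MS = 50.0           # FSR_STEER_SENS_01: timeout detection 50 ms
AGREEMENT_WINDOW_DEG = 1.0  # assumption: twice the +/-0.5 deg accuracy of FSR_STEER_SENS_03


class Status(Enum):
    OK = "ok"              # both channels fresh and in agreement
    DEGRADED = "degraded"  # one channel lost; operating on the other one
    FAULT = "fault"        # no trustworthy feedback; caller must take its fail-operational path


@dataclass(frozen=True)
class Sample:
    t_ms: float       # time the sample was taken
    angle_deg: float  # measured steering angle


@dataclass(frozen=True)
class Verdict:
    status: Status
    angle_deg: Optional[float]  # compensated value for the controller; None on FAULT
    reason: str                 # what to report to the superordinate controller


def is_fresh(sample: Optional[Sample], now_ms: float) -> bool:
    """A channel is usable only if a sample exists and is no older than the timeout."""
    return sample is not None and (now_ms - sample.t_ms) <= TIMEOUT_MS


def check_feedback(now_ms: float, a: Optional[Sample], b: Optional[Sample]) -> Verdict:
    """Evaluate the two redundant channels at time now_ms and pick a compensated value."""
    a_ok = is_fresh(a, now_ms)
    b_ok = is_fresh(b, now_ms)
    if a_ok and b_ok:
        if abs(a.angle_deg - b.angle_deg) <= AGREEMENT_WINDOW_DEG:
            # Plausible: the mean of two independent channels reduces sensor noise.
            return Verdict(Status.OK, (a.angle_deg + b.angle_deg) / 2.0, "channels agree")
        # Both fresh but disagreeing: with two channels there is no majority, so
        # neither value may be forwarded as if it were trustworthy.
        return Verdict(Status.FAULT, None, "channels disagree beyond agreement window")
    if a_ok:
        return Verdict(Status.DEGRADED, a.angle_deg, "channel B timed out, using channel A")
    if b_ok:
        return Verdict(Status.DEGRADED, b.angle_deg, "channel A timed out, using channel B")
    return Verdict(Status.FAULT, None, "both channels timed out")


# Constructed scenarios: (now_ms, latest sample on channel A, latest sample on channel B)
SCENARIOS: Dict[str, Tuple[float, Sample, Sample]] = {
    "nominal":   (100.0, Sample(95.0, 12.3), Sample(96.0, 12.1)),
    "b_stale":   (160.0, Sample(155.0, 12.4), Sample(96.0, 12.1)),   # B is 64 ms old
    "disagree":  (200.0, Sample(198.0, 12.4), Sample(199.0, 15.0)),  # 2.6 deg apart
    "both_lost": (300.0, Sample(155.0, 12.4), Sample(199.0, 15.0)),  # both past 50 ms
}


def run_scenarios() -> Dict[str, Verdict]:
    """Run every constructed scenario through the monitor."""
    return {name: check_feedback(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:10s} {verdict.status.value:9s} angle={verdict.angle_deg} ({verdict.reason})")
```

The FAULT verdict on disagreement is the important edge case: a two-channel design can detect an implausible reading but cannot tell which channel is wrong, so "compensation" there means handing the decision to the fail-operational path of FSR_STEER_CTRL_03 rather than guessing.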
.. fsr:: Steering Sensor Power Supply
   :id: FSR_STEER_SENS_02
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   A continuous and sufficient power supply shall be provided for steering-internal
   sensors. Redundant power supply with automatic switchover <10ms.

.. fsr:: Steering Sensor Measurement Accuracy
   :id: FSR_STEER_SENS_03
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   Measurement accuracy shall be sufficient for steering operation. Position
   accuracy: ±0.5°, velocity accuracy: ±1°/s.

Steering Process FSRs
~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Steering Mechanical Design
   :id: FSR_STEER_PROC_01
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   Electrical and mechanical design shall follow the state of the art. Components
   shall meet automotive standards (ISO 26262, ISO 16750).

.. fsr:: Steering Component Monitoring
   :id: FSR_STEER_PROC_02
   :asil: D
   :derives_from: SG_17, SG_18, SG_19, SG_20
   :status: open

   Electrical and mechanical components shall be monitored and their status
   reported to the superordinate controller. Motor current, temperature and
   position sensor health are monitored at 100Hz.

Brake System FSRs
-----------------

Brake Controller FSRs
~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Brake Controller Robust Algorithm
   :id: FSR_BRAKE_CTRL_01
   :asil: D
   :derives_from: SG_15, SG_16
   :status: open

   The control algorithm shall be robust against uncertainties of the brake
   dynamics model and disturbances. Performance is maintained under friction
   coefficient variations (µ=0.2 to µ=1.0).

.. fsr:: Brake Controller Fail-Operational Design
   :id: FSR_BRAKE_CTRL_02
   :asil: D
   :derives_from: SG_15, SG_16
   :status: open

   The brake controller shall have a fail-operational design: independent brake
   circuits with separate power supplies. Each circuit shall be capable of
   achieving a minimum 0.3g deceleration.

.. fsr:: Brake Controller Operational Monitoring
   :id: FSR_BRAKE_CTRL_03
   :asil: D
   :derives_from: SG_15, SG_16
   :status: open

   The operational state of the brake controller and process shall be monitored
   and reported to the superordinate controller. Status is reported every 10ms
   with fault detection <100ms.

Brake Process FSRs
~~~~~~~~~~~~~~~~~~

.. fsr:: Brake System Design Limits
   :id: FSR_BRAKE_PROC_01
   :asil: D
   :derives_from: SG_05, SG_06, SG_15, SG_16
   :status: open

   The brake controller must recognize brakes operating beyond their design
   limits and react appropriately. Maximum pressure, temperature and duty cycle
   are monitored, with protective actions.

.. fsr:: Brake Component Health Monitoring
   :id: FSR_BRAKE_PROC_02
   :asil: D
   :derives_from: SG_15, SG_16
   :status: open

   Electrical and mechanical brake components shall be monitored and their
   status reported to the VDC. Pad wear, fluid level, actuator health and sensor
   status are monitored continuously.

Drive System FSRs
-----------------

Drive Controller FSRs
~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Drive Controller Robust Algorithm
   :id: FSR_DRIVE_CTRL_01
   :asil: D
   :derives_from: SG_13, SG_14
   :status: open

   The control algorithm shall be robust against uncertainties of the drive
   dynamics model and disturbances. Torque control accuracy ±5% under all conditions.

.. fsr:: Drive Controller Validated Model
   :id: FSR_DRIVE_CTRL_02
   :asil: D
   :derives_from: SG_13, SG_14
   :status: open

   A sufficiently precise and validated drive dynamics model is required. Process
   variables must comply with the physical process state. The model is verified
   across the full speed and torque range.

.. fsr:: Drive Controller Fail-Operational Design
   :id: FSR_DRIVE_CTRL_03
   :asil: D
   :derives_from: SG_13, SG_14
   :status: open

   The drive controller shall have a fail-operational design: graceful
   degradation to a limp-home mode with a minimum 20% torque capability maintained.

Drive Process FSRs
~~~~~~~~~~~~~~~~~~

.. fsr:: Drive Component Monitoring
   :id: FSR_DRIVE_PROC_01
   :asil: D
   :derives_from: SG_07, SG_08, SG_13, SG_14
   :status: open

   Electrical and mechanical drive components shall be monitored and their
   status reported to the WRDC. Motor temperature, inverter status and gear
   health are monitored at 50Hz.

.. fsr:: Drive System Design Limits
   :id: FSR_DRIVE_PROC_02
   :asil: D
   :derives_from: SG_13, SG_14
   :status: open

   The drive controller must recognize the drive operating beyond its design
   limits and react appropriately. Overspeed, overcurrent and overtemperature
   protection are active.

Wheel Rotational Dynamics Controller FSRs
------------------------------------------

.. fsr:: WRDC Fault-Tolerant Algorithm
   :id: FSR_WRDC_CTRL_01
   :asil: D
   :derives_from: SG_05, SG_06, SG_07, SG_08, SG_09, SG_10, SG_11, SG_12
   :status: open

   The wheel rotational dynamics control algorithm shall be fault-tolerant. It
   shall detect and compensate for single wheel actuator failures while
   maintaining vehicle stability.

.. fsr:: WRDC Fail-Operational Design
   :id: FSR_WRDC_CTRL_02
   :asil: D
   :derives_from: SG_05, SG_06, SG_07, SG_08, SG_09, SG_10, SG_11, SG_12
   :status: open

   The wheel rotational dynamics controller shall have a fail-operational
   design: redundant processing elements with cross-monitoring. Switchover time <20ms.

.. fsr:: WRDC Precise Dynamics Model
   :id: FSR_WRDC_CTRL_03
   :asil: D
   :derives_from: SG_05, SG_06, SG_07, SG_08, SG_09, SG_10, SG_11, SG_12
   :status: open

   A sufficiently precise and validated wheel rotational dynamics model is
   required. Tire friction estimation accuracy ±10% across all surface conditions.

.. fsr:: WRDC Timing Requirements
   :id: FSR_WRDC_CTRL_04
   :asil: D
   :derives_from: SG_05, SG_06, SG_07, SG_08, SG_09, SG_10, SG_11, SG_12
   :status: open

   Operation must be provided within the required cycle time and jitter. Control
   loop: 5ms ± 0.5ms. Anti-lock/anti-spin response time <20ms.

Vehicle Dynamics Controller FSRs
---------------------------------

.. fsr:: VDC Robust Control Algorithm
   :id: FSR_VDC_CTRL_01
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   The control algorithm shall be robust against uncertainties of the vehicle
   dynamics model and disturbances. Trajectory tracking error <0.5m at speeds
   up to 130 km/h.

.. fsr:: VDC Validated Dynamics Model
   :id: FSR_VDC_CTRL_02
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   A sufficiently precise and validated vehicle dynamics model is required.
   Process variables must comply with the physical process state. The model is
   validated through hardware-in-the-loop testing.

.. fsr:: VDC Fail-Operational Design
   :id: FSR_VDC_CTRL_03
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   The vehicle dynamics controller shall have a fail-operational design:
   dual-redundant processing with diverse algorithms, cross-checked every cycle.

.. fsr:: VDC Fault-Tolerant Algorithm
   :id: FSR_VDC_CTRL_04
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   The vehicle dynamics control algorithm shall be fault-tolerant and capable of
   handling degraded actuation (e.g., loss of one steering actuator or brake circuit).

Vehicle Motion Sensor FSRs
---------------------------

.. fsr:: Vehicle Motion Sensor Feedback
   :id: FSR_VEHICLE_SENS_01
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   Inadequate or missing feedback must be recognized. Sensor fusion from
   multiple sources (IMU, wheel speeds, GNSS). Fault detection within 100ms.

.. fsr:: Vehicle Motion Sensor Accuracy
   :id: FSR_VEHICLE_SENS_02
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   Measurement accuracy shall be sufficient for vehicle dynamics control. Lateral
   acceleration: ±0.1 m/s², yaw rate: ±0.5°/s, velocity: ±0.1 m/s.

.. fsr:: Vehicle Motion Sensor Timing
   :id: FSR_VEHICLE_SENS_03
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   Updated feedback shall be available within the required cycle time and
   jitter. Sensor data age <10ms, synchronized across all sensors with <1ms skew.

Wheel Motion Sensor FSRs
~~~~~~~~~~~~~~~~~~~~~~~~~

.. fsr:: Wheel Motion Sensor Compensation
   :id: FSR_WHEEL_SENS_01
   :asil: D
   :derives_from: SG_09, SG_10, SG_11, SG_12
   :status: open

   Inadequate or missing wheel speed feedback must be recognized and compensated
   for. Redundant sensing per wheel with plausibility checking against vehicle sensors.

.. fsr:: Wheel Motion Sensor Power
   :id: FSR_WHEEL_SENS_02
   :asil: D
   :derives_from: SG_09, SG_10, SG_11, SG_12
   :status: open

   A continuous and sufficient power supply shall be provided for wheel motion
   sensors. Battery-backed power during transients. Voltage regulation ±5%.

Process Dynamics FSRs
---------------------

.. fsr:: Vehicle Dynamics Control Action Consistency
   :id: FSR_PROC_CONFLICT_01
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04
   :status: open

   Control actions of the vehicle dynamics controller must target the same
   vehicle motion. Coordination logic prevents conflicting brake/drive commands.
   Maximum conflict resolution time: 10ms.

.. fsr:: Wheel Dynamics Brake-Drive Conflict Prevention
   :id: FSR_PROC_CONFLICT_02
   :asil: D
   :derives_from: SG_05, SG_06, SG_07, SG_08
   :status: open

   Drive and brake actuation with conflicting targets shall be excluded.
   Hardware interlocks prevent simultaneous brake and drive application >10% torque.

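The two process dynamics FSRs above describe coordination logic and an interlock without saying what a conflict looks like in data. The following added example (not code from this page, Sphinx-Needs or the cited research) shows one software monitor that applies both checks to a set of per-wheel actuation requests: the FSR_PROC_CONFLICT_02 rule that brake and drive may not both exceed 10% on the same wheel, and the FSR_PROC_CONFLICT_01 rule that all wheels must target the same vehicle motion. The 10% threshold is the page's; the four-wheel layout, the percent-of-maximum request format, the reading of "same vehicle motion" as "no wheel clearly braking while another clearly drives", and the "brake wins" resolution policy are assumptions made for the example, and every request value is constructed.

```python
"""Brake/drive conflict monitor for FSR_PROC_CONFLICT_01 and FSR_PROC_CONFLICT_02.

Added example, not code from the page or the research it cites. The 10 %
threshold is from FSR_PROC_CONFLICT_02; the wheel layout, request units and
the "brake wins" resolution policy are assumptions; all inputs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CONFLICT_THRESHOLD_PCT = 10.0      # FSR_PROC_CONFLICT_02: no brake and drive together above 10 %
WHEELS = ("FL", "FR", "RL", "RR")  # assumption: four independently actuated wheels


@dataclass(frozen=True)
class WheelRequest:
    brake_pct: float  # requested brake effort, percent of maximum (assumed units)
    drive_pct: float  # requested drive torque, percent of maximum (assumed units)


@dataclass
class Arbitration:
    commands: Dict[str, WheelRequest]                    # what is actually sent to the actuators
    conflicts: List[str] = field(default_factory=list)   # findings to report to the superordinate controller

    @property
    def consistent(self) -> bool:
        return not self.conflicts


def _clamp_pct(value: float) -> float:
    """Keep a request inside 0..100 so a corrupt value cannot bypass the threshold logic."""
    return max(0.0, min(100.0, value))


def arbitrate(requests: Dict[str, WheelRequest]) -> Arbitration:
    """Apply the per-wheel interlock (CONFLICT_02) and the vehicle-level consistency check (CONFLICT_01)."""
    result = Arbitration(commands={})
    net_effort: Dict[str, float] = {}
    for wheel in WHEELS:
        req = requests.get(wheel)
        if req is None:
            # A missing request is itself inconsistent: command nothing and report it.
            result.conflicts.append(f"{wheel}: no request received")
            result.commands[wheel] = WheelRequest(0.0, 0.0)
            net_effort[wheel] = 0.0
            continue
        brake = _clamp_pct(req.brake_pct)
        drive = _clamp_pct(req.drive_pct)
        # CONFLICT_02: the interlock rule, reproduced in software as a monitor.
        if brake > CONFLICT_THRESHOLD_PCT and drive > CONFLICT_THRESHOLD_PCT:
            result.conflicts.append(f"{wheel}: brake {brake:.0f}% and drive {drive:.0f}% requested together")
            drive = CONFLICT_THRESHOLD_PCT  # policy (assumption): braking wins, drive held at the limit
        result.commands[wheel] = WheelRequest(brake, drive)
        net_effort[wheel] = drive - brake  # positive = driving, negative = braking

    # CONFLICT_01: all wheels must target the same vehicle motion. Under the assumed
    # reading, a wheel clearly braking while another clearly drives is a conflict,
    # resolved by removing drive from the driving wheels (braking wins again).
    braking = [w for w, n in net_effort.items() if n < -CONFLICT_THRESHOLD_PCT]
    driving = [w for w, n in net_effort.items() if n > CONFLICT_THRESHOLD_PCT]
    if braking and driving:
        result.conflicts.append(f"mixed intent: braking {braking}, driving {driving}")
        for wheel in driving:
            cmd = result.commands[wheel]
            result.commands[wheel] = WheelRequest(cmd.brake_pct, 0.0)
    return result


def all_wheels(brake: float, drive: float) -> Dict[str, WheelRequest]:
    """Helper to build a uniform request set for the constructed scenarios."""
    return {w: WheelRequest(brake, drive) for w in WHEELS}


# Constructed scenarios exercising each rule.
SCENARIOS = {
    "nominal_braking": all_wheels(30.0, 0.0),
    "overlap_on_fl": {**all_wheels(40.0, 0.0), "FL": WheelRequest(40.0, 30.0)},
    "mixed_intent": {**all_wheels(0.0, 0.0), "FL": WheelRequest(0.0, 50.0), "RR": WheelRequest(50.0, 0.0)},
    "missing_rr": {w: WheelRequest(20.0, 0.0) for w in ("FL", "FR", "RL")},
}


def run_scenarios() -> Dict[str, Arbitration]:
    return {name: arbitrate(reqs) for name, reqs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:16s} consistent={res.consistent} conflicts={res.conflicts}")
```

Note that the monitor does not replace the hardware interlock the FSR calls for; it gives the coordination logic a software-side detection of the same condition and a record to report upward, which is what makes the 10ms resolution time in FSR_PROC_CONFLICT_01 something a test can measure.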
Power Supply FSRs
-----------------

.. fsr:: Actuator Power Supply Continuity
   :id: FSR_POWER_01
   :asil: D
   :derives_from: SG_13, SG_14, SG_15, SG_16, SG_17, SG_18, SG_19, SG_20
   :status: open

   A continuous and sufficient power supply shall be provided for all
   safety-critical actuators. Redundant power sources with automatic failover.
   Minimum hold-up time: 500ms.

.. fsr:: Controller Power Supply Continuity
   :id: FSR_POWER_02
   :asil: D
   :derives_from: SG_01, SG_02, SG_03, SG_04, SG_05, SG_06, SG_07, SG_08
   :status: open

   A continuous and sufficient power supply shall be provided for the VDC and
   WRDC. Independent power domains with galvanic isolation. Voltage monitoring
   and brown-out protection.

Implementation Notes
--------------------

These FSRs form the foundation for Technical Safety Requirements (TSRs) that
specify implementation details, including:

- Hardware architecture and redundancy concepts
- Software safety mechanisms (checksums, watchdogs, voting)
- Diagnostic coverage targets per ASIL D requirements
- Safety response times and fail-safe behaviors

.. seealso::

   **ISO 26262-4:2018** - Product development at the system level

   **ISO 26262-6:2018** - Product development at the software level

   Research paper: Stolte et al., "Safety Goals and Functional Safety Requirements
   for Actuation Systems of Automated Vehicles," IEEE ITSC 2016