EPS Safety Dependability and durability requirements
Date: 10/12/2014    Page: 1/49
DRD/DCTC/ICDV/AFDH    Ref.: 01452_13_00052
Classification level:
0 - Not classified
1 - Internal use PSA/DPTA/
2 - Confidential PSA/DPTA/
3 - Restricted confidential PSA/DPTA/
4 - Registered confidential PSA/DPTA/
Safety dependability and durability requirements
Electric Power Steering (EPS)
Generic
Reference 01452_13_00052
Version number BL 3.0
Document status For authorized company use only
Date 2014, December 10th
Written By Checked by Approved by
Aziz LAZAAR
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Abdelhak MHAOUEL
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Benoit LEVIN
DRD/DSEE/CIAE/SDFE/SDFG
Date:
Signature:
René Tathy
ITLINK /IPSIS SDFG
Antoine GAUTIER
DRD/DCTC/ICDV/AFDH/ACSD
Date:
Signature:
Clément HUBERT
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Fabien LAVILLENIE
DRD/DCTC/ICDV/AFDH/ACSD
Date:
Signature:
Franck MARTINEAU
DRD/DCTC/ICDV/AFDH/ACSD
Date:
Signature:
Nicolas BECKER
DRD/DAPF/ARFS
Date:
Signature:
Revision Chart and History Log
Version, Date, Author, Changes and/or reason

Version 0.1, 24/01/2013, A. Lazaar, B. Levin:
Creation

Version 0.2, 08/02/2013, B.Levin:
Correction of the expected FIT for the Safety output critical events

Version 1.0, 31/03/2014, A. LAZAAR, A. MHAOUEL:
§6 update of generic requirements.
§7 update of EPS Safety Requirements (the safety goal and safety functional critical event).
§11 update of work products.

Version 1.1, 19/09/2014, A.LAZAAR, A.MHAOUEL:
Chapter §7.6 for Safety requirements LXA added
Update of §6, §7 and §11

Version 2, 10/12/2014, A.LAZAAR, A.MHAOUEL:
§7.1.1 update of Safety goal to avoid excessive steering effort
“Curves with lateral acceleration up to 0,1g” deleted from SG1_DIR_4_01
§7.1.3 update of critical event Auto steer
“It shall include also unintended recover of assistance” deleted from ERO_EPS_4.02
“Probabilistic target mechanical” deleted from ERO_EPS_4.02
§7.1.6 update of Safety goal to avoid a sudden loss of steering assist
“Curves with lateral acceleration up to 0,1g” deleted from SG1_DA_4_01
Requirements added : TSR_EPS_4.07.02.01_07
Requirements deleted (duplicate) : TSR_EPS_4.07.02.01_01
§7.6 update of traceability requirements
Traceability requirements deleted from critical events: ERO-LKA-EPS-94 (1.1), ERO-LKA-EPS-95 (1.1), and FST-LKA-EPS-106 (1.0).
§7.6.1 update of functional safety requirements LXA
Requirements deleted : FSR-LKA-EPS-97 (1.0), FSR-LKA-EPS-98 (1.0), FSR-LKA-EPS-99 (1.3)
Requirements added : FSR_EPS_ LXA_4.01.01, FSR_EPS_ LXA_4.01.02, FSR_EPS_ LXA_4.01.03, FSR_EPS_ LXA_4.01.04, FSR_EPS_ LXA_4.01.05, FSR_EPS_ LXA_4.01.06, FSR_EPS_ LXA_4.01.07, FSR_EPS_ LXA_4.01.08, FSR_EPS_ LXA_4.01.09, FSR_EPS_ LXA_4.01.10, FSR_EPS_ LXA_4.01.11, FSR_EPS_ LXA_4.02.01, FSR_EPS_ LXA_4.02.02, FSR_EPS_ LXA_4.02.03, FSR_EPS_ LXA_4.02.04, FSR_EPS_ LXA_4.02.05, FSR_EPS_ LXA_4.02.06, FSR_EPS_ LXA_4.02.07.
Critical event ERO_EPS_LKA_4.02 updated ( ASIL B ald QM) : to cover LxA
§7.6.2 update of functional safety requirements LXA
Requirements deleted : FST-LKA-EPS-101 (1.0), FSR-LKA-EPS-102 (1.0), FST-LKA-EPS-104 (1.0), FST-LKA-EPS-105 (1.0)
Requirements added : FSR_EPS_LXA_4.03_01, FSR_EPS_LXA_4.03_02, FSR_EPS_LXA_4.03_03
§7.6.3 update of functional safety requirements
Requirements deleted : FST-LKA-EPS-107 (1.0),
Requirements added : FSR_EPS_LXA_4.04_01, FSR_EPS_LXA_4.04_02
Safety goal SG1_LXA_4_02 updated (ASIL D ald ASILA) : to cover LxA
§7.6, §7.6.1, §7.6.2, §7.6.3: these chapters updated due to LxA
§11. Milestones of work products updated.

Version 2.1, 03/08/2015, A.MHAOUEL:
§7.6. update of functional safety requirements LxA
Requirements updated : FSR_EPS_ LxA_4.01.02, FSR_EPS_ LxA_4.01.03, FSR_EPS_ LxA_4.01.04, FSR_EPS_ LxA_4.01.05, FSR_EPS_ LxA_4.01.06, FSR_EPS_ LxA_4.01.10
Requirements deleted : FSR_EPS_ LXA_4.01.07, FSR_EPS_ LXA_4.01.09
Requirements added : FSR_EPS_ LxA_4.01.12, FSR_EPS_ LxA_4.01.13

Version 2.2, 08/03/2016, A.MHAOUEL, R.TATHY:
Chapter §7.3.3 absolute steering angle (SAS virtual) is added for Safety requirements Absolute steering angle in case SAS virtual.

Version 2.3, 07/10/2016, A.MHAOUEL, A.VIALAS, C.HUBERT:
Chapter §7.5 City Park Function
Reference of document added to new safety requirements for City Park function.

Version 3.0, 30/06/2017, A.VIALAS, A.COLAS:
§7.1. update of functional safety requirements to steer
Requirement split in 3 requirements + addition of a note:
FSR_EPS_4.07.02 -> FSR_EPS_4.07.02 + FSR_EPS_4.07.02.01 + FSR_EPS_4.07.02.02
§7.2. update of functional safety requirements STTd
Requirements ID change:
FSR_EPS_4.08.01 -> FSR_ARAMTH_012
New requirement added:
FSR_ARAMTH_014
FSR_ARAMTH_019
FSR_ARAMTH_020
FSR_ARAMTH_021
§7.3.3 update of safety requirements for virtual CAV3
Requirements updated :
DAE_VIRTUAL_CAV3_0013
Requirement Deleted:
ERO_EPS_XXXX (Tbd) (= DAE_VIRTUAL_CAV3_0015)
Requirements ID change:
ERO_EPS_4.31 -> DAE_VIRTUAL_CAV3_0015
ERO_EPS_4.32 -> DAE_VIRTUAL_CAV3_0016
ERO_EPS_4.33 -> DAE_VIRTUAL_CAV3_0017
ERO_EPS_4.35 -> DAE_VIRTUAL_CAV3_0018
ERO_EPS_4.38 -> DAE_VIRTUAL_CAV3_0019
ERO_EPS_4.39 -> DAE_VIRTUAL_CAV3_0020
ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0021
ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0022
ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0023
Chapter §7.5 City Park Function
Technical Safety Concept EPS for City Park function update version
v1.1 to v2.0.
§7.6. update of functional safety requirements LxA
SG description added :
SG1_LXA_DIR_4_06
SG1_LXA_DIR_4_01
SG1_LXA_DIR_4_02
Requirements updated :
FSR_EPS_4.07.02
FSR_EPS_ LxA_4.01.04
FSR_EPS_ LXA_4.01.06
FSR_EPS_ LXA_4.01.08
FSR_EPS_ LxA_4.01.10
FSR_EPS_ LxA_4.01.11
ASIL downgraded D to B:
ERO_EPS_LXA_4.04
FSR_EPS_LxA_4.04_01
FSR_EPS_LxA_4.04_02
New requirements added :
FSR_LxA_01.14.a
FSR_LxA_01.15.a
FSR_LxA_01.18.a
FSR_LxA_03.2.a
Table of Contents
1. Purpose of Document
2. Reference and applicable Documents
3. Acronyms
4. Product description
5. Terminology
6. Generic requirements
  6.1. General compliance with the standard ISO 26262
  6.2. Safety planning
  6.3. Safe design and safety activities
  6.4. Verification Integration and Validation activities
  6.5. Release for production
  6.6. Traceability
  6.7. Safety case
7. EPS Safety Requirements allocated to EPS
  7.1. Function: To steer
  7.2. Function: STTd
  7.3. Safety output critical events
    7.3.1. Column angle (in case of AVA function):
    7.3.2. Absolute steering angle (in case of the SAS is integrated in the EPS):
    7.3.3. Absolute steering angle (in case virtual SAS):
    7.3.4. Request for warning lamp
  7.4. Multi-mode function
  7.5. City Park function
  7.6. LxA function
  7.7. Safety threat / attack critical events
  7.8. FTA requirements
8. Reliability and availability requirements
  8.1. Gravity 3 critical events
  8.2. Reliability, availability requirements and quantitative target
9. Degraded mode and safe state
10. Validation of the Objectives
  10.1. Principle of the method
  10.2. Steps of the method
11. Work products
1. Purpose of Document
The purpose of this document is to provide safety, dependability and durability requirements for the Electric Power Steering (EPS).
2. Reference and applicable Documents
[R3010] ST Véhicule - Diriger le Véhicule et Assister la Direction
[701] Detailed Technical Specification Electric Power Steering.
[A003] Hardware specification
[A004] Software specification
[R1] Safety Requirements CPK allocated to the EPS (from Valeo) [00858_15_01879] V1.1
3. Acronyms
EPS Electric Power Steering
FMEA Failure Mode and Effect Analysis
FMEDA Failure Mode Effect and Diagnostic Analysis
FTA Fault Tree Analysis
NVH Noise Vibration and Harshness
EMC ElectroMagnetic Compatibility
ASIL Automotive Safety Integrity Level
BSI Body controller Unit
CAN Controller Area Network
CMB Dashboard
CMM Multifunction Engine Controller
ECU Electronic Control Unit
EE Electric and Electronic
ER Critical Event
ERF Critical Event at Functional level
FSC Functional Safety Concept
FSR Functional Safety Requirement
GMP Engine group
IHM Human Computer Interface
LAS Ground connection
STT Stop and sTart
LxA Lane (x= Keeping or positioning) Assist
4. Product description
The product, limits, life situations, service functions, constraint function and mission profile are described in the document [701].
5. Terminology
ISO 26262 makes extensive use of a specialized vocabulary. In general, we assume that the supplier is familiar with the
terms and definitions used within the standard.
Furthermore, PSA uses the term critical event, defined as below.
Critical Event (ER): event due to a failure having an impact on the customer or his environment (undesired event).
Critical Events Gravity Classification:
The « Gravity » rating is linked to the effect of the ER in terms of disturbance for the user:

Level 1
  Definition: Dissatisfaction or deterioration of one function of the vehicle.
  Comments: General vehicle performances kept. User can continue to use his vehicle. No intervention (maintenance) is rapidly needed.
Level 2
  Definition: Loss of one vehicle function.
  Comments: Appearance of unpleasant symptoms. User can continue to use his vehicle but an intervention (maintenance) is rapidly needed.
Level 3
  Definition: Unavailability of the vehicle for the user.
  Comments:
  Unavailability of the vehicle due to the loss of an important function or the non-respect of regulation (risk of being in breach of the law).
  Impossibility to park the vehicle in its state (risk of inviolability)
  Voluntary stop by the user caused by the sentiment of insecurity (i.e. important noises or vibrations)
Level 4
  Definition: Risk of corporal damages for human.
  Comments: Can lead to an accident or corporal damages. G4 are safety critical events. Gravity 4 ER are classified following the ASIL scale according to ISO WD 26262.
6. Generic requirements
6.1. General compliance with the standard ISO 26262
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_1.001 0 The supplier shall comply with the ISO26262 standard.
GEN-SAFETY-CLAUSE_1.002 0 If the supplier is working with subsequent Tier supplier(s), the supplier is still responsible
to satisfy PSA safety requirements and shall be responsible to ensure that the
subsequent Tier supplier(s) comply with the ISO26262 standard.
6.2. Safety planning
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_2. 001 0 The supplier shall deliver a detailed safety and dependability plan.
The supplier safety plan shall describe and identify the safety activities to make effective the application of a safety lifecycle according to the workflow required by the ISO 26262 standard. This plan shall describe at least:
- Safety process & activities:
  o the safety process definition,
  o the safety & dependability activities to be carried out,
  o the work products for each safety and dependability activity, and documents to deliver to PSA.
- Roles & responsibilities:
  o the organization and the responsibilities to carry out the development activities for safety and dependability studies,
  o the resources allocated to safety tasks and risk mitigation
  o staff competencies, skills and experience matrix
- Confirmation measures plan:
  o planning of confirmation measures,
  o persons appointed to carry out confirmation measures
  o check lists for confirmation measures
- Safety case:
  o the content of the safety case
  o the coordination of the safety case
- Safety Timing Plan:
  o the planning of safety activities,
  o the planning of the work product and delivery documents,
  o the planning of safety reviews
  o the planning of development of safety case.
If separate plans are produced for each domain (system, mechanical, hardware, and software) all of them shall be coordinated.
The supplier shall refine progressively the safety plan according to the needs of each phase of the safety lifecycle.
(Output work product WP_Safety_1.001).
GEN-SAFETY-CLAUSE_2. 002 0 The supplier shall perform the confirmation review of safety plan.
The supplier shall deliver the review report of confirmation review of safety plan.
(Output work product WP_Safety_1.001CR).
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_2. 003 0 PSA and the supplier shall complete the development interface agreement (DIA).
The aim is to agree on the job split between PSA and its partner. A check-list shall be
performed, adapted to the project under development, and allocated to PSA and/or its
partner. The relevant information shall be exchanged between PSA and its supplier.
The development interface agreement will be deployed using the support document
[01452_13_00067]
(Output work product WP_Safety_1.002).
GEN-SAFETY-CLAUSE_2. 004 0
Supplier shall provide the compliance matrix establishing the compliance with the
requirements of this document “EPS Safety Dependability and durability requirements”.
(Output work product WP_Safety_1.003).
GEN-SAFETY-CLAUSE_2. 005 0 The supplier shall carry out and provide integration and testing plan.
The supplier integration shall cover the planning of integration, the testing strategies,
testing activities and the determination of appropriate methods and measures for
verifications (testing) at the HW level, at the SW level and at the system level (HW-SW
integration)
The supplier shall refine progressively the integration and testing plan according to the
needs of each phase of the safety lifecycle.
(Output work product WP_Safety_1.004).
GEN-SAFETY-CLAUSE_2. 006 0 The supplier shall perform the confirmation review of integration and testing plan.
The supplier shall deliver the review report of confirmation review of integration and
testing plan.
(Output work product WP_Safety_1.004CR).
GEN-SAFETY-CLAUSE_2. 007 0 The supplier and PSA shall create jointly the safety validation plan.
The safety validation plan shall describe:
- the safety validation planning,
- the safety validation activities,
- the configuration of the item subjected to validation including its calibration data,
- the safety validation specifications (validation procedures, test cases, driving maneuvers, and acceptance criteria). These specifications shall describe at least:
  o the fault or error injected.
  o the operating mode or life situation.
  o the safety barrier or error detection mechanism.
  o the reaction of the system (the specified reaction of the system).
  o the testing facilities allowing the validation of the definitions.
The supplier can be involved to specify some tests to be done by PSA (e.g. internal faults injection tests not covered by the supplier integration tests) or to define test procedures.
The supplier shall refine progressively the integration and testing plan according to the needs of each phase of the safety lifecycle.
(Output work product WP_Safety_1.005).
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_2. 008 0 The supplier shall perform the confirmation review of safety validation plan.
The supplier shall deliver the review report of confirmation review of safety validation
plan.
(Output work product WP_Safety_1.005CR).
GEN-SAFETY-CLAUSE_2. 009 0 The supplier and PSA shall create jointly the functional safety assessment plan (The
functional safety assessment plan should be a collaborative effort by PSA and the
supplier)
The functional safety assessment plan shall describe :
- the functional safety activities,
- the planning of functional safety assessment activities,
- the persons appointed to carry out the functional safety assessment,
- the specific topics to be addressed by the functional safety assessment,
If the supplier performs internal functional safety assessment, the functional safety
assessment plan shall be delivered or addressed in the safety plan.
The supplier shall refine progressively the functional safety assessment plan according to
the needs of each phase of the safety lifecycle
(Output work product WP_Safety_1.006).
GEN-SAFETY-CLAUSE_2. 010 0 The functional safety assessment shall be conducted as planned, following the generic checklist agreed upon.
GEN-SAFETY-CLAUSE_2. 011 0 PSA and the supplier shall agree on the safety plan and supporting processes plan prior
to contract signing.
6.3. Safe design and safety activities
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_3.001 0 PSA and supplier shall define jointly the item
The "item definition" shall include at least:
I. Item overview
1) Elements of item.
2) Boundary of the item.
3) Internal and external interfaces.
4) Interaction with other items and elements.
5) Operational and environmental constraints.
6) Operating modes and operating states.
II. Functional concept and its purpose functionality.
III. Non-functional requirements of the item.
IV. Behavior achieved by similar functions, items or elements;
V. Assumptions on behavior expected from the item.
VI. Potential consequences of behavior shortfalls including known failure modes and
hazards.
VII. Legal Requirements and standards.
The item definition should be a collaborative effort by PSA and the supplier to describe
the item, with regard to its functionality, interfaces, environmental conditions, legal
requirements, known hazards, etc. The boundary of the item and its interfaces, as well as
assumptions concerning other items, elements, systems and components are
determined.
(Output work product: WP_Safety_1.007).
GEN-SAFETY-CLAUSE_3.002 0 The supplier shall perform hazard analysis and risk assessment.
The supplier shall deliver a mapping matrix between PSA safety goals, critical events and
the supplier safety goals and critical events.
(Output work product: WP_Safety_1.008).
GEN-SAFETY-CLAUSE_3.003 0 PSA and the supplier shall define jointly the functional safety concept.
The functional safety concept shall address:
- fault detection and failure mitigation;
- transitioning to a safe state;
- fault tolerance mechanisms,
- fault detection and driver warning in order to reduce the risk exposure time to an
acceptable interval (repair request, stop request);
- arbitration logic to select the most appropriate control request from multiple
requests generated simultaneously by different functions; and
- safety requirements are allocated to elements of other technologies
If during the product development the functional safety concept is updated, the update
must be accepted by PSA.
(Output work product: WP_Safety_1.009).
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_3.004 0 The supplier shall deliver the specification of safety requirements allocated to the input
signals of the product (wired information, CAN signals and power supply) and mechanical
interfaces in order to reach the requirements on safety goals.
The safety requirements allocated to inputs signal shall address:
- the list of failure modes
- the effect before detection for each failure mode and the ASIL level
- the detection strategies or safety barriers and the detection time for each failure
mode
- the effect after detection and the degraded mode for each failure mode
- the target in term of ASIL and failure rate
- the recovery conditions
If during the product development the requirements on the inputs are updated, the
update shall be accepted by PSA.
(Output work product: WP_Safety_1.010).
GEN-SAFETY-CLAUSE_3.005 0 The supplier shall perform and deliver the internal functional analysis (system
description).
The internal functional analysis shall contain a detailed description of the system, its
functionalities and its components. It should include the elements that compose the
system: ECU elements, sensors, actuators, mechanical parts, etc. It should include both
an architectural scheme with the links between these elements (e.g. external information
exchanged between the product and its interface, internal information exchanged between
product elements) and the description of the functions of each element; it should also
include the consistency and links with the black-box functions.
If during the product development the internal functional analysis is updated, the refined
internal functional analysis shall be delivered.
(Output work product: WP_Safety_1.011).
GEN-SAFETY-CLAUSE_3.006 0 The supplier shall carry out the specification of technical safety requirements.
The supplier shall specify the technical safety requirements by refining the functional
safety concept, considering both the functional concept and the preliminary architectural
assumptions. The technical safety requirements have to be defined during architecture
and system design and measures for fault avoidance (systematic faults and hardware
random faults) and mitigation have to be described during hardware and software
components design.
The supplier shall verify the consistency and traceability between functional safety
requirements and technical safety requirements.
The supplier shall define technical safety concepts that comply with the functional
requirements, and the technical safety requirements specification.
The supplier shall deliver the technical safety concepts of its perimeter.
If during the product development the technical safety concept and/or technical safety
requirements are updated, the update shall be accepted by PSA.
(Output work product: WP_Safety_1.012).
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_3.007 0 If the supplier applies ASIL decomposition, the use of this method shall be justified: the
independence analysis shall be available for review at the supplier premises and an
agreement shall be met between supplier and customer.
(Output work product: WP_Safety_1.013).
GEN-SAFETY-CLAUSE_3.008 0 The supplier shall deliver the diagnostic data list (diagnostic matrix).
The diagnostic data list shall include at least:
- the fault codes (supplier & PSA)
- the description of the failure
- the monitoring description
- the detection time
- the detection conditions
- the associated degraded mode
- the recovery conditions
(Output work product: WP_Safety_1.014).
GEN-SAFETY-CLAUSE_3.009 0
The supplier shall deliver safety requirements for production (at PSA plant) and for
maintenance operation.
(Output work product: WP_Safety_1.015).
GEN-SAFETY-CLAUSE_3.010 0 The supplier shall perform and present safety analysis to support the derivation and definition of safety requirements and their allocation.
At least the supplier shall perform:
1. The system functional FMEA: This analysis shall provide information to evaluate hazards, identify safety critical areas, and provide inputs to safety design criteria and procedures with provisions and alternatives to eliminate or control all unacceptable and undesirable hazards. The system functional FMEA shall address for each internal signal and external signal for each function:
   o the list of failure modes
   o the effect before detection for each failure mode.
   o the detection strategies or safety barriers and the detection time for each failure mode
   o the target in terms of ASIL level and failure rates.
   o the effect after detection and the degraded mode for each failure mode
   o the root causes
   o the recovery conditions
   If the System FMEA is updated, the update must be accepted by PSA.
   The supplier shall provide the system functional FMEA.
   (Output work product: WP_Safety_1.016).
2. The FTA: this analysis shall support the verification of requirements and their allocation to functions as well as to logical or technical elements.
   The supplier shall provide the FTA.
   (Output work product: WP_Safety_1.017).
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_3.011 0 The supplier shall perform and present safety analysis (Inductive and deductive) to
support the design verification.
At least the following safety analysis shall take place during the Design phase:
- FTA (qualitative and quantitative):
o this analysis shall enable the identification of multiple point faults and
their causes in the design, the verification that safety controls are
provided as required in the design and the verification of common cause
failure modes in the design.
o the FTA can also be used for the hardware integrity analysis which
verifies that the minimal cut-set and the diagnostics coverage provided
by the diagnostics satisfy qualitative hardware integrity metrics.
o the quantitative FTA analysis shall be conducted to verify compliance
against quantitative hardware integrity targets.
The supplier shall provide the FTA.
(Output work product: WP_Safety_1.017).
- System and Component(s) DFMEA:
o the Design FMEA (DFMEA) shall identify and evaluate the potential
single point failure modes in the design that are safety-critical and verify
that the identified critical failure modes can be mitigated by design
validation, or other safety mechanisms.
o the failure analysis of the Design potential FMEA shall be according to a
known standard such as [VDA standard].
o the quotation scale (S, O, D) and the acceptance criteria must be
accepted by PSA (PSA acceptance criteria are: S=10 and O=1 and
D=1, S=9 and O≤2, S=8 and O≤2, O≤4).
o the Design FMEA shall address special characteristics (CTF/CSE).
o the classification of special characteristics must be accepted by PSA.
The supplier shall provide the synthesis of DFMEAs.
The synthesis of DFMEAs shall contain at least :
o a cover sheet including the authors, the assessors and the evolution of
the document.
o pareto of RPN before and after action plan.
o criticality matrix (S vs O) and ( S vs D)
o FMEA extract (FMEA lines) with the critical risks identified before action
plan. For PSA, critical risks are defined according to the following criteria:
RPN>=100; S=10 and (O>1 or D>1); S=9 and O>=2; S=8 and O>=3; O>=4.
o the list of the recommended or additional actions and their status.
o the supplier quotation scale of the severity (S), the occurrence (O) and
the probability of non-Detection (D).
o the supplier rules to reduce the severity S, the Occurrence (O) and the
detection (D)
o acronyms list used in FMEA synthesis
(Output work product: WP_Safety_1.018)
The supplier shall perform and provide detailed pin-out FMEA
(Output work product: WP_Safety_1.019)
- FMEDA: to verify via quantitative estimation (single point fault, latent fault metrics
and probability of failure) that the violation of safety goal is compliant according to
ISO 26262 quantitative targets.
(Output work product: WP_Safety_1.013)
- System Software FMEA: This analysis shall assess the vulnerability of the
software architecture to potential processor and other hardware interface failure
modes and shall evaluate if the safety concept designed in the software meets
safety requirements.
(Output work product: WP_Safety_1.020)
- Common Cause/Mode Analysis: Based on the FTA and the FMEA this analysis
shall be conducted to identify and to evaluate the potential common cause
failures, common mode failures and cascading failures in the design.
(Output work product: WP_Safety_1.013)
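The PSA criticality criteria listed for the DFMEA synthesis can be applied mechanically to an FMEA export. The following sketch is an added example, not part of the PSA document or of any supplier tool: it computes RPN as S x O x D, reports which criterion makes a line critical, and orders the extract as a Pareto. The 1 to 10 rating scale, the `FmeaLine` type and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FmeaLine:
    ref: str            # constructed line reference
    failure_mode: str   # constructed description
    s: int              # severity
    o: int              # occurrence
    d: int              # probability of non-detection

    @property
    def rpn(self) -> int:
        return self.s * self.o * self.d


# Criteria as quoted in the clause; a line is critical when any one holds.
CRITERIA = (
    ("RPN>=100", lambda x: x.rpn >= 100),
    ("S=10 and (O>1 or D>1)", lambda x: x.s == 10 and (x.o > 1 or x.d > 1)),
    ("S=9 and O>=2", lambda x: x.s == 9 and x.o >= 2),
    ("S=8 and O>=3", lambda x: x.s == 8 and x.o >= 3),
    ("O>=4", lambda x: x.o >= 4),
)


def triggered(line: FmeaLine) -> list:
    """Names of the criteria that classify this line as critical."""
    for value in (line.s, line.o, line.d):
        if not 1 <= value <= 10:  # assumed 1..10 rating scale
            raise ValueError(f"{line.ref}: rating {value} outside 1..10")
    return [name for name, rule in CRITERIA if rule(line)]


def critical_extract(lines) -> list:
    """(line, reasons) for every critical line, highest RPN first."""
    hits = [(line, triggered(line)) for line in lines]
    return sorted((h for h in hits if h[1]), key=lambda h: h[0].rpn, reverse=True)


def criticality_matrix(lines, axis: str) -> Counter:
    """Line count per (S, O) cell for axis='o', per (S, D) cell for axis='d'."""
    return Counter((line.s, getattr(line, axis)) for line in lines)


# Constructed sample lines, before and after a fictitious action plan.
BEFORE = [
    FmeaLine("L01", "torque sensor offset drift", 10, 2, 3),
    FmeaLine("L02", "motor phase open circuit", 8, 2, 4),
    FmeaLine("L03", "connector seal leakage", 6, 5, 4),
    FmeaLine("L04", "rotor position signal noise", 9, 2, 2),
    FmeaLine("L05", "housing cosmetic defect", 2, 3, 2),
]
AFTER = [
    FmeaLine("L01", "torque sensor offset drift", 10, 1, 1),
    FmeaLine("L02", "motor phase open circuit", 8, 2, 4),
    FmeaLine("L03", "connector seal leakage", 6, 3, 3),
    FmeaLine("L04", "rotor position signal noise", 9, 1, 2),
    FmeaLine("L05", "housing cosmetic defect", 2, 3, 2),
]

if __name__ == "__main__":
    for label, lines in (("before", BEFORE), ("after", AFTER)):
        print(f"critical lines {label} action plan:")
        for line, reasons in critical_extract(lines):
            print(f"  {line.ref} RPN={line.rpn:3d} {line.failure_mode}: {', '.join(reasons)}")
```

Line L01 shows why the RPN threshold alone is not enough: its RPN is 60, yet it is critical because S=10 with O>1.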
GEN-SAFETY-CLAUSE_3.012 0 The supplier shall provide the reliability prediction for all components.
The work product shall include:
- Reliability calculation methods for EE parts and mechanical parts
- Estimation of reliability for each EE HW and mechatronic component:
o the failure rate
o the origin of the failure rate (standard, field feedback…)
o the hypothesis used for the failure rate estimation (mission profile,
temperature…)
o failure mode
o the distribution (%) of the failure modes
o the origin of the distribution
- Estimation of reliability for mechanical parts:
o the probability of failure over the reference period (unreliability in 15
years for example)
(Output work product: WP_Safety_1.021)
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_3.013 0 The supplier shall provide the RAMS report, which must include at least:
- The cover sheet including the authors, the reviewers, the approval committee, and
the evolution of the document,
- The list of product evolutions,
- The list of PSA critical events with:
▪ For each critical event:
o the associated objective,
o the result obtained without contribution of PSA basic events
o the result obtained with contribution of PSA basic events
▪ For each PSA critical event:
o all the minimal cut sets with the failure rate corresponding to each
minimal cut set and the contribution percentage of each minimal cut
set to the critical event
▪ For each PSA safety critical event (functional and outputs):
o the justification of each minimal cut set of order 1
o the justification of quantitative data used for each basic event.
o the justification of independency of inputs for every AND gate
o the demonstration that the ASIL is achieved by applying appropriate
techniques and measures in the design, implementation, verification
and validation.
o the demonstration that the required functional safety is achieved
during the production process.
▪ For threat attack critical event:
o the design measures applied in order to prevent the non functional
critical events
o the validations applied in order to ensure a sufficient and acceptable
level of safety being achieved.
o the requirements to the process in order to ensure the achievement
during the production process
(Output work product: WP_Safety_1.013)
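The cut-set content required of the RAMS report can be produced from a fault tree's minimal cut sets and the basic-event failure rates. This added example (not from the PSA document) uses the rare-event approximation with independent basic events, which is the independence the report must justify for every AND gate. The event names, FIT values, the 6000 h operating time and the reading of "without contribution of PSA basic events" as setting those events' probability to zero are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicEvent:
    fit: float    # failure rate in FIT (failures per 1e9 hours)
    owner: str    # "supplier" or "PSA"


def event_probability(event: BasicEvent, hours: float) -> float:
    """Probability that a non-repairable basic event occurs within `hours`."""
    return 1.0 - math.exp(-event.fit * 1e-9 * hours)


def quantify(cut_sets, events, hours, include_psa=True):
    """Return (top_probability, rows sorted by decreasing contribution).

    Cut set probability = product of its event probabilities (independent inputs);
    top event = sum over minimal cut sets (rare-event approximation).
    """
    rows = []
    for cut_set in cut_sets:
        p = 1.0
        for name in cut_set:
            event = events[name]
            if event.owner == "PSA" and not include_psa:
                p = 0.0  # assumption: an excluded PSA event never occurs
                break
            p *= event_probability(event, hours)
        rows.append({
            "cut_set": cut_set,
            "order": len(cut_set),
            "probability": p,
            "mean_rate_fit": p / hours * 1e9,  # equivalent mean rate over the period
        })
    top = sum(r["probability"] for r in rows)
    for r in rows:
        r["contribution_pct"] = 100.0 * r["probability"] / top if top else 0.0
    rows.sort(key=lambda r: r["probability"], reverse=True)
    return top, rows


def order_one(rows):
    """Minimal cut sets of order 1, each of which needs its own justification."""
    return [r["cut_set"] for r in rows if r["order"] == 1 and r["probability"] > 0]


# Constructed sample data, not taken from any real fault tree.
EVENTS = {
    "torque_sensor_stuck": BasicEvent(fit=10.0, owner="supplier"),
    "monitor_cpu_fault": BasicEvent(fit=100.0, owner="supplier"),
    "vehicle_speed_frame_wrong": BasicEvent(fit=200.0, owner="PSA"),
}
CUT_SETS = [
    ("torque_sensor_stuck",),
    ("monitor_cpu_fault", "vehicle_speed_frame_wrong"),
]
HOURS = 6000.0  # assumed operating time over the reference period

if __name__ == "__main__":
    for include in (False, True):
        top, rows = quantify(CUT_SETS, EVENTS, HOURS, include_psa=include)
        print(f"PSA basic events included={include}: P(top)={top:.3e}")
        for r in rows:
            print(f"  {' AND '.join(r['cut_set'])}: {r['mean_rate_fit']:.4f} FIT, "
                  f"{r['contribution_pct']:.1f} %")
```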
6.4. Verification Integration and Validation activities
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_4.001 0 The supplier shall conduct system design verification to ensure compliance and
completeness with regard to the technical safety concept and to verify that the system
safety requirements are valid and the system satisfies those requirements.
(Output work product: WP_Safety_1.022)
GEN-SAFETY-CLAUSE_4.002 0 The supplier shall conduct the system validation to verify that the system safety
requirements are valid and the system satisfies those requirements. This validation shall
be done based on the safety validation plan, and verification procedures which are defined
against requirements.
The supplier shall conduct the system/subsystem verification to verify the correct
implementation of the technical safety requirement at the system/subsystem level. This
verification shall be done based on integration and testing plan, and verification
procedures which are defined against requirements.
The supplier shall conduct the component verification to verify the correct implementation
of safety requirements at mechanical, hardware and software level. This verification shall
be done based on the component verification plan, and verification procedures which are
defined against requirements.
The supplier shall deliver the system safety verification and validation report providing
detailed results for testing which is related to system, hardware, or software.
(Output work product WP_Safety_1.005).
6.5. Release for production
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE.5001 0 Supplier shall deliver a release for production ensuring its ability to produce the item in
compliance with the safety level achieved during the design phase.
GEN-SAFETY-CLAUSE.5002 0 The final assessment of the system safety case and its referenced inputs to evaluate that
the product design has satisfied the safety requirements and safety goals is mandatory
for release for production.
This assessment will also assess the residual risk (if any) for the system.
6.6. Traceability
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE.6001 0 The supplier must ensure the traceability of the safety requirements. Full, bi-directional
traceability and communication of safety requirements shall be demonstrated.
6.7. Safety case
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE.7001 0 The safety case shall be developed and maintained by supplier.
GEN-SAFETY-CLAUSE.7002 0 The safety case shall progressively compile the work products generated during the
safety lifecycle.
GEN-SAFETY-CLAUSE.7003 0 The safety case shall provide a clear, comprehensive and defensible argument,
supported by evidence, that an item is free from unreasonable risk when operated in an
intended context
(Output work product: WP_Safety_1.023)
GEN-SAFETY-CLAUSE_7.004 0 The supplier must provide a safety report.
The safety report summarizes the results of safety analysis performed and the steps
taken to reduce potential risks, identifies the potential risk remaining, and describes why
this level of risk is acceptable by PSA.
The safety report shall address :
- the residual risks,
- the exception list
The final version of safety report must take into account the potential risks due to the
process.
(Output work product: WP_Safety_1.024)
GEN-SAFETY-CLAUSE_7.005 0 All work products under the supplier’s responsibility must be available at least at the
supplier premises.
GEN-SAFETY-CLAUSE_7.006 0 The supplier shall be responsible for the safety case of its suppliers.
GEN-SAFETY-CLAUSE_7.007 0 The safety case shall be stored for 15 years after the last vehicle produced and all the
documents of the safety case shall be readable.
7. EPS Safety Requirements allocated to EPS
7.1. Function: To steer
7.1.1. To avoid excessive steering effort (Max ASIL D)
a) Safety goal requirement
Safety Goal SG1_DIR_4_01: To avoid excessive steering effort (ASIL D)
Description
When vehicle is moving, the steering item:
- Is locked or stuck in a specific position and does not respond to the driver request.
- Provides torque actuation in the opposite direction to the driver request.
Operating mode
- Vehicle is moving (Velocity > 5kph);
- Steering wheel speed up to 300°/s.
FTTI 100ms
Hazard metrics Excessive steering effort is defined when steering efforts exceed manual steering efforts (without
steering assistance) by 3 Nm.
Other information
The hazard at vehicle level is loss of vehicle lateral motion control. The driver is unable to turn or steer
the vehicle. Potential for vehicle to depart the intended path/lane and the vehicle continues motion in
the last position of the steering item and the road wheels.
Note: This safety goal is applicable to steering torque or angle control functions and covers both
electrical and mechanical integrity.
b) Critical events
# ERO | Rev | ERO name | ASIL | Probabilistic target (mechanical)
ERO_EPS_4.01 | 0 | Steer Lock: excessive steering effort | D | 10^-6 in 15 years or 240000 km
ERO_EPS_4.04 | 0 | Reversed steering assistance: steering in the opposite direction than intended | D | 10^-6 in 15 years or 240000 km
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.01.01 | 0 | The EPS shall be designed to reduce the risk of mechanical steering lock (mechanical integrity) to be compliant with the probabilistic target of 10^-6 in 15 years or 240000 km. |
FSR_EPS_4.01.02 | 0 | The EPS shall avoid electrical steering lock (electrical integrity) | D
FSR_EPS_4.04.01 | 0 | The EPS shall avoid reverse steering (steering in the opposite direction than intended) | D
7.1.2. To avoid a steering disconnect (ASIL D)
a) Safety goal requirement
Safety Goal SG1_DIR_4_02: To avoid a steering disconnect (ASIL D)
Description Disconnected steering occurs when there is no steering torque transmission between the hand wheel
and the road wheels and no further vehicle steering control is possible.
Operating mode Vehicle is moving (Velocity > 5kph)
FTTI Not applicable
Hazard metrics No steering torque transmission between the hand wheel and the road wheels
Other information
The hazard at vehicle level is loss of vehicle lateral motion control.
This safety goal is purely mechanical.
b) Critical event
# ERO | Rev | ERO name | ASIL | Probabilistic target (mechanical)
ERO_EPS_4.03 | 0 | Steering disconnect | D | 10^-6 in 15 years or 240000 km
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.03.01 | 0 | The EPS shall be designed to reduce the risk of mechanical disconnect to be compliant with the probabilistic target of 10^-6 in 15 years or 240000 km |
7.1.3. To avoid an unintended assist torque (Max ASIL D)
a) Safety goal requirement
Safety Goal SG1_DIR_4_06: To avoid an unintended assist torque (ASIL D)
Description While driving, the steering item provides torque actuation unexpectedly when there is no driver
request.
Operating mode
- When vehicle is moving (Velocity > 12kph)
- Hands on the steering wheel
FTTI 20 ms
Hazard metrics
EPS design criteria:
The unintended steering wheel Torque shall not exceed 3 Nm.
Vehicle validation criteria:
- Path deviation criteria: The maximum path deviation shall not exceed 25cm.
- Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
Other information
The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment.
The steering assistance applied without driver input is a potential hazard if the condition causes a
sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation
that is too quick for the driver to be able to counter before the vehicle departs from its lane.
This safety Goal is applicable to steering torque or angle control functions
Safety Goal SG1_DIR_4_07: To avoid unintended steering wheel motion during driving without hands on steering
wheel (ASIL A).
Description While driving, the steering item provides torque actuation unexpectedly when there is no driver
request.
Operating mode
When vehicle is moving (Velocity > 12kph) with no hands on the steering wheel
FTTI 20 ms
Hazard metrics
EPS design criteria:
- The unintended steering wheel Torque shall not exceed 3 Nm.
- Unintended Steering Wheel movement shall not exceed 15 degrees.
- Unintended Steering Wheel Velocity shall not exceed 180 deg/sec within the 15 degree
unintended steering wheel movement.
Vehicle validation criteria
- Path deviation criteria: The maximum path deviation shall not exceed 25cm
- Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
Other information
The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment.
The steering assistance applied without driver input is a potential hazard if the condition causes a
sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation
that is too quick for the driver to be able to counter before the vehicle departs from its lane.
This safety Goal is applicable to steering torque or angle control functions
Safety Goal SG1_DIR_4_08: unintended steering wheel motion in the hoist “during service and maintenance” (ASIL B)
Description During service and maintenance, the steering item provides torque actuation unexpectedly when there
is no request.
Operating mode Hoist (during service and maintenance)
FTTI 20 ms
Hazard metrics
- Unintended Steering Wheel movement shall not exceed 15 degrees.
- Unintended Steering Wheel Velocity shall not exceed 180 deg/sec within the 15 degrees
unintended steering wheel movement.
- Unintended Steering Wheel Torque shall not exceed 3Nm
Other information
The hazard at the vehicle level is operator harm in the workshop situation.
The hazardous situation is the risk of operator being trapped by moving part if steering system moves
unexpectedly.
This safety Goal is applicable to steering torque or angle control functions
b) Critical event
# ERO | Rev | ERO name | ASIL
ERO_EPS_4.02 | 1 | Auto steer: this potential hazard refers to the EPS system applying steering assistance without driver input. | D
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.02.01 | 0 | The EPS shall avoid stuck or unintended steering assistance torque | D
7.1.4. To avoid critical steering over-assistance (ASIL C)
a) Safety goal requirement
Safety Goal SG1_DA_4_02: To avoid critical steering over-assistance (ASIL C)
Description
When the vehicle is moving, the steering item provides steering assistance more than the design
intent. The resulting steering torque is greater than required (the steering feels lighter than normal) but
the assistance is in the correct direction.
Operating mode Curves with lateral acceleration up to 0,2g
FTTI 100ms
Hazard metrics
The system provides more than an additional 3Nm at the steering wheel (the delta steering wheel
torque must be less than 3Nm compared to the nominal assistance).
Other information
An extreme situation of excessive gain in the torque control could possibly result in vehicle instability
(Unintended vehicle lateral motion or unintended yaw moment).
b) Critical event
# ERO | Rev | ERO name | ASIL
ERO_EPS_4.06 | 0 | Critical Over assistance: this potential hazard covers the cases of steering wheel torque decrease (the EPS system supplies more assistance than required) | C
ERO_EPS_4.09 | 0 | Unintended Assistance recovery: this potential hazard covers the cases when the assistance is recovered unexpectedly | C
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.06.01 | 0 | The EPS shall avoid too high steering assistance torque | C
FSR_EPS_4.06.02 | 0 | The EPS shall avoid too low vehicle speed with ASIL C. This requirement covers the corruption of the vehicle speed in the EPS and means that the acquisition, the conditioning and the processing of vehicle speed shall comply with the ASIL C. | C
FSR_EPS_4.06.03 | 0 | The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that allows a safe operation of the vehicle) and the transition to operate with a reduced level of assist shall be controlled (slope shall be defined) | C
FSR_EPS_4.09.01 | 0 | The EPS shall avoid unintended assistance recovery | C
7.1.5. To avoid a large variation (ASIL C)
a) Safety goal requirement
Safety Goal SG1_DA_4_03: To avoid a large variation (ASIL C)
Description
When the vehicle is moving, the steering item provides erratic/intermittent steering assistance torque.
The resulting steering torque is unexpectedly fluctuating.
The EPS System generates assistance torque of variable and incorrect magnitude (erratic) or correct
magnitude but on/off (intermittent).
Note: For high frequencies and low frequencies, the large variation is not safety relevant.
Operating mode Curves with lateral acceleration up to 0,2g
FTTI 200ms
Hazard metrics The delta steering wheel torque compared to nominal assistance shall be less than 3Nm.
Other information
A persistent erratic or inconsistent steering assist level may make it difficult to control the vehicle
trajectory (unintended vehicle lateral motion or unintended yaw moment).
b) Critical event
# ERO | Rev | ERO name | ASIL
ERO_EPS_4.05 | 0 | Critical random/erratic assistance: this potential hazard covers the unexpected steering wheel torque fluctuation. | C
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.05.01 | 0 | The EPS shall avoid random/erratic steering assistance torque | C
FSR_EPS_4.05.02 | 0 | The EPS shall avoid random/erratic vehicle speed with ASIL C. This requirement covers the corruption of the vehicle speed in the EPS and means that the acquisition, the conditioning and the processing of vehicle speed shall comply with the ASIL C. | C
FSR_EPS_4.06.03 | 0 | The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that allows a safe operation of the car) and the transition to operate with a reduced level of assist shall be controlled (slope shall be defined) | C
7.1.6. To avoid a sudden loss of steering assist (ASIL B).
a) Safety goal requirement
Safety Goal SG1_DA_4_01: To avoid a sudden loss of steering assist (ASIL B).
Description
When the vehicle is moving, there is sudden loss of steering assistance or reduced steering assist
leading to steering wheel torque increase.
The steering effort (Manual steer) required varies significantly from one vehicle platform to another,
and may vary within a platform due to front axle weight or steering geometry changes.
Operating mode
- When vehicle is moving (velocity > 10 kph).
- Hand wheel velocity up to 300°/s.
FTTI 100ms
Hazard metrics
- Max steering wheel torque shall be less than 10Nm
- Manual steer.
Other information
The vehicle hazard is increased effort on the steering wheel.
A sudden loss of steering assistance torque causes higher steering effort, especially at low vehicle
speeds and for rapid steering at any vehicle speed.
The safety goal includes the ‘sudden’ aspect (e.g. loss of assistance without warning).
b) Critical event
# ERO | Rev | ERO name | ASIL | Probabilistic target (mechanical)
ERO_EPS_4.07 | 0 | Loss of assistance: this potential hazard covers the cases when the steering wheel torque increases. It concerns the following cases: complete loss of assistance; critical under assistance (the EPS supplies less assistance than required); no reactivation or inopportune deactivation of assistance (STTd Function) | B | 10^-4 in 15 years or 240000 km
c) Derived safety requirements allocated to the EPS
# FSR | Rev | Functional safety requirement | ASIL
FSR_EPS_4.07.01 | 0 | The EPS shall avoid sudden loss of steering assistance (ASIL B) | B
FSR_EPS_4.07.02 | 1 | The EPS shall avoid unwanted deactivation or no reactivation of assistance (activation / deactivation conditions and STTd conditions). Note: These thresholds could be changed during design phase. | B
FSR_EPS_4.07.02.01 | 0 | In response to requirement FSR_EPS_4.07.02: If assistance has been activated, in case of failure of one of the interface signals ignition (stuck at off), engine state (lost, invalid or not running) or power cut request (lost or stuck at “demand”), the EPS shall not deactivate the assistance if vehicle speed is over a threshold (ASIL B). Note: These thresholds could be changed during design phase. | B
FSR_EPS_4.07.02.02 | 0 | In response to requirement FSR_EPS_4.07.02: If assistance has been deactivated and conditions for its safe reactivation are fulfilled then the EPS shall reactivate the assistance with a slope when vehicle speed is over a threshold (ASIL B). Note: These thresholds could be changed during design phase. | B
FSR_EPS_4.07.03 | 0 | The EPS shall be designed to provide assistance with ASIL B: the EPS shall avoid no steering assistance torque with ASIL B; the EPS shall avoid too low steering assistance torque with ASIL B | B
FSR_EPS_4.07.04 | 0 | The EPS shall avoid incorrect setting of ignition signal with ASIL A(B). This requirement covers the corruption of ignition in the EPS and covers the acquisition, the conditioning and the processing of the ignition | A(B)
FSR_EPS_4.07.05 | 0 | The EPS shall avoid incorrect setting of engine state signal with QM (B). This requirement covers the corruption of engine state in the EPS and covers the acquisition, the conditioning and the processing of the engine state | QM(B)
FSR_EPS_4.07.06 | 0 | The EPS shall avoid incorrect setting of power cut request signal to “request” with QM (B). This requirement covers the corruption of power cut request in the EPS and covers the acquisition, the conditioning and the processing of the power cut request signal | QM(B)
FSR_EPS_4.07.07 | 0 | Sufficient independence between ignition, engine state and vehicle speed shall be ensured in the EPS with ASIL B | B
FSR_EPS_4.07.08 | 0 | Sufficient independence between power cut request and vehicle speed shall be ensured in the EPS with ASIL B | B
FSR_EPS_4.07.09 | 0 | The requirements allocated to input signals (FSR_EPS_4.07.04 to FSR_EPS_4.07.08) are related to the strategy specified by PSA. The supplier shall provide its requirements for these input signals if these signals are used by the supplier strategies. |
# TSR | Rev | Technical safety requirement | ASIL
TSR_EPS_4.07.02.01_01 | 0 | If assistance has been activated, in case of failure of Engine state (incorrect setting of engine state at [lost, CUT, STARTING or NOT VALID] instead of Running or STT state), the EPS shall ramp down the assistance after a defined delay (T_A2) only if vehicle speed is lower than threshold (ASIL B). | B
TSR_EPS_4.07.02.01_02
0 If assistance has been activated, in case of failure of ignition (incorrect
setting of Ignition at off), the EPS shall ramp down the assistance after a
defined delay (T_A1) only if vehicle speed is lower than threshold and
engine state is [lost, invalid, not running or not in STT states (ASIL B).
B
TSR_EPS_4.07.02.01_03
0 If assistance has been activated, in case of failure of ignition and Vehicle
speed (failure mode: unwanted transition on invalid vehicle speed and
incorrect setting of Ignition at off ), the EPS shall ramp down the
assistance after a defined delay (T_A3) only if engine state is off [loss,
CUT, STARTING or NOT VALID] (ASIL B)
B
TSR_EPS_4.07.02.01_04
0 If assistance has been activated, in case of failure of Engine state and
ignition (failure mode: incorrect setting of engine state at [loss, CUT,
STARTING or NOT VALID] instead of Running or STT state and
incorrect setting of Ignition at off ), the EPS shall ramp down the
assistance after a defined delay (T_A1) only if vehicle speed is under a
threshold (ASIL B).
B
TSR_EPS_4.07.02.01_05
0 If assistance has been activated, in case of failure of Engine state and
Vehicle speed (failure mode: loss or invalid vehicle speed, incorrect
setting of engine state at [loss, CUT, STARTING or NOT VALID] instead
of Running or STT state and incorrect setting of Ignition at off ), the EPS
shall ramp down the assistance after a defined delay (T_A3) only
ignition is off (ASIL B)
B
TSR_EPS_4.07.02.01_06
0 If assistance has been activated, in case of failure of Engine state,
ignition and Vehicle speed (failure mode: Invalid vehicle speed and
incorrect setting of engine state at [loss, CUT, STARTING or NOT
VALID] instead of Running or STT state and incorrect setting of Ignition
at off), the EPS shall ramp down the assistance only after a defined
delay (T_A3) (ASIL B).
B
TSR_EPS_4.07.02.01_07
If assistance has been activated, in case of failure of power cut request,
the EPS shall ramp down the assistance only if vehicle speed is lower
than a threshold (ASIL B)
B
TSR_EPS_4.07.02.02_01
0 When assistance is deactivated due to power cut request the EPS shall
ramp up the assistance if vehicle speed is higher than threshold.(ASIL B)
Note: this requirement means: in case of power cut request stuck at
“demand” the EPS shall ramp up the assistance over a threshold of
vehicle speed.
B
TSR_EPS_4.07.02.02_02
0 When assistance is deactivated due to engine state, the EPS shall ramp
up the assistance if vehicle speed is higher than threshold (ASIL B)
Note: this requirement means: in case when assistance is ramped down
and ECU is still awake without presence of failure the EPS shall ramp up
the assistance over a threshold of vehicle speed (e.g. after engine
stalling, the assistance is ramped up on vehicle speed even if engine
doesn’t restart).
B
7.2. Function: STTd
Id. Rev Critical events ASIL
ERO_EPS_4.08 0 No deactivation or inopportune activation of assistance (STTd function)
This requirement concerns the safety goal to avoid collapse of the power network
A
# FSR Rev Functional safety requirement ASIL
FSR_ARAMTH_012
0 The EPS shall avoid incorrect setting of power cut request “No request” with ASIL A
This requirement covers the corruption of power cut request in the EPS and
covers the acquisition, the conditioning and the processing of the power cut
request signal
A
FSR_ARAMTH_014
0 The requirement “STTd_EPS_11.0” of the functional specification shall comply with
ASIL A.
(See chap 5.2 Power cut request validity of STT Functional specification
01452_09_00092)
A
FSR_ARAMTH_019 0 The EPS shall provide the correct signal Autorisation_arret_moteur. A
FSR_ARAMTH_020 0 The EPS shall provide the correct signal Demande_Redem_moteur. A
FSR_ARAMTH_021
0 The requirement “STTd_EPS_3.1” of the functional specification shall comply with
ASIL B.
(See chap 4.6.4 Compute Engine restart request of STT Functional specification
01452_09_00092)
B
Id. Rev Outputs critical events ASIL FIT
ERO_EPS_4.41 0 Erroneous information “Autorisation_arret_moteur”
Failure modes:
- Erroneous to “authorisation” instead of “no authorisation”,
A 10
ERO_EPS_4.42 0 Erroneous information “Demande_Redem_moteur”
Failure modes:
- Erroneous to “restarting not needed”,
A 10
7.3. Safety output critical events
7.3.1. Column angle (in case of AVA function):
Id. Rev Outputs critical events ASIL FIT
ERO_EPS_4.11 0 Erroneous information “EPS column angle”
Threshold of error must be less than 10°
Latency time: 100ms
The failure modes:
- Too high (permanent/transient/unwanted transition),
- Too low (permanent/transient/unwanted transition),
NB: This critical event concerns the EPS transmitting frame 2F5 (SWS
Class 1)
D 1
ERO_EPS_4.12 0 Erroneous information “EPS column Speed”
Threshold of error must be less than 64°/s.
Latency time 100ms
The failure modes:
- too high (permanent/transient/unwanted transition),
- too low (permanent/transient/unwanted transition).
NB: This critical event concerns the EPS transmitting frame 2F5 (SWS
Class 1)
D 1
ERO_EPS_4.13 0 Loss or invalid “EPS column angle”
This critical output must include all the failures leading to:
loss of frame 2F5 or frame 2F5 too short
Invalid information “EPS column angle”
Out of range
B 10
ERO_EPS_4.14 0 Loss or invalid “EPS column speed”
This critical output must include all the failures leading to:
loss of frame 2F5 or frame 2F5 too short
Invalid information “EPS column speed”
Out of range
B 10
ERO_EPS_4.20 0 Erroneous “Etat secu angle colonne”
Erroneous to column angle secured
D 1
ERO_EPS_4.21 0 Loss of “Etat secu angle colonne”
This critical output must include all the failures leading to:
loss of frame 2F5 or frame 2F5 too short
D 1
ERO_EPS_4.22 0 Erroneous “Etat secu angle colonne”
Erroneous to column angle not secured
B 10
7.3.2. Absolute steering angle (in case of the SAS is integrated in the EPS):
Id. Rev Outputs critical events ASIL FIT
ERO_EPS_4.30 0 Erroneous information “Absolute steering angle”
Threshold of error must be less than 15°
Latency time 100ms
The failure modes:
- too high (permanent/transient/unwanted transition),
- too low (permanent/transient/unwanted transition)
NB: This critical event concerns the case when the EPS provides the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
D 1
ERO_EPS_4.31 0 Loss or invalid “Absolute steering angle”
This critical output must include all the failures leading to:
loss of frame 305 or frame 305 too short
Invalid information “Absolute steering angle”
Out of range
B 10
ERO_EPS_4.32 0 Erroneous information “Steering wheel rotation Speed”
Threshold of error must be less than 64°/s.
Latency time 100ms
The failure modes:
- too high (permanent/transient/unwanted transition),
- too low (permanent/transient/unwanted transition).
NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is
integrated in the EPS)
B 10
ERO_EPS_4.33 0 Loss or invalid “Steering wheel rotation Speed”
This critical output must include all the failures leading to:
loss of frame 305 or frame 305 too short
Invalid information “Steering wheel rotation Speed”
Out of range
B 10
ERO_EPS_4.34 0 Loss of “Steering wheel sensor direction (SENS_ROT_VOL)”
This critical output must include all the failures leading to:
loss of frame 305 or frame 305 too short
A(B) 10
ERO_EPS_4.35 0 Erroneous information “Steering wheel sensor direction (SENS_ROT_VOL)”
Failure modes:
- Erroneous to sens horaire
- Erroneous to sens trigo
NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is
integrated in the EPS)
D 1
ERO_EPS_4.36 0 Erroneous information “Calibration VOL”
The failure modes:
- Erroneous to “calibrated”,
- Erroneous to “uncalibrated”,
NB: This critical event concerns the case when the EPS provides the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
D 1
ERO_EPS_4.37 0 Erroneous information “TRIM VOL”
The failure modes:
- Erroneous to “ajusté”,
NB: This critical event concerns the case when the EPS provides the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
B 10
ERO_EPS_4.38 0 Erroneous information “SAS State”
The failure modes:
- Erroneous to “failure detected”,
NB: This critical event concerns the case when the EPS provides the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
A(B) 10
ERO_EPS_4.39 0 Erroneous information “SAS State”
The failure modes:
- Erroneous to “no failure”,
NB: This critical event concerns the case when the EPS provides the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
B(D) 10
These requirements will be refined depending on the technical proposition “virtual SAS”.
7.3.3. Absolute steering angle (in case virtual SAS):
Document Name Applicable version Reference
Technical Safety requirements EPS for virtual SAS V1.0 20655_17_00130
7.3.4. Request for warning lamp
Id. Rev Outputs critical events ASIL FIT
ERO_EPS_4.19 0 No request to switch on the warning lamp
Failure modes :
- Loss of information
- Erroneous to “warning lamp not needed”
- Erroneous to the reserved value
This critical event concerns the CAN output “Power steering status” and the
particular failure mode Power steering status erroneous to 00 "No request to light
lamp” instead of 01 “request to light lamp”
B 10
7.4. Multi-mode function
Id. Rev critical events ASIL
ERO_Mm_4.01 0 Unintended transition to normal mode
This critical event is related to over assistance
C
# FSR Rev Functional safety requirement ASIL
FSR_Mm_4.01.01 0 The EPS shall avoid unintended or incorrect transition between multimode states C
7.5. City Park function
Requirement Number Rev Requirement
CPK-SAFETY-CLAUSE.0001 0
The impact of the CPK function shall be taken into account by the supplier on all
safety and reliability analysis.
Note: The requirements about City Park function are provided by the main system manufacturer Valeo
and Valeo is responsible for the requirements below (Cf Document: 0).
Document Name Applicable version Reference
Technical Safety Concept EPS for CPK V2.0 00858_15_01879
7.6. LxA function
7.6.1. SG1_LxA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
a) Safety goal requirement
Safety Goal SG1_LXA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
Critical scenarios
- Internal EPS failure leading to unwanted LXA regulation
- Erroneous yaw rate compensation sent to STEER System
- Erroneous LXA correction setpoint sent to STEER System
Validation criteria
The hazard at the vehicle level is a path deviation.
EPS shall limit the vehicle lateral dynamics induced by the LKA control.
This limitation is translated in maximum absolute lateral acceleration and a minimum time before
reaching a lateral acceleration threshold.
Threshold:
- Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
lower than 50 kph.
- Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
higher than 50 kph.
These thresholds shall be taken into account when calibrating the maximum steering wheel speed
limitation in the EPS.
PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
Initial operating mode:
LXA selected, lateral control in progress (hand On +hand Off).
b) Critical event
Id Rev Critical event (ERO) ASIL
ERO_EPS_LxA_4.01 0 Unwanted or too high LxA intervention D
ERO_EPS_LxA_4.02 0 Unwanted LxA intervention during ABS/ESC intervention or during
ABS/ESC unavailability
B
c) Derived safety requirements allocated to the EPS
Id Rev Functional safety requirement ASIL
FSR_EPS_ LxA_4.01.01 0 The EPS shall apply LxA additional torque only if it is requested D
FSR_EPS_ LxA_4.01.02
1 During LxA intervention, the EPS shall limit LxA additional torque at threshold
(LXA_Add-On_safe_threshold)
LXA_Add-On_safe_threshold = 4Nm
Note: These thresholds could be changed during design phase.
D
FSR_EPS_ LxA_4.01.03
1 During LxA intervention, if the LxA additional torque exceeds a threshold
(LXA_Add-On_safe_threshold) during more than duration (LXA_ADD-TQ_DELAY),
the EPS shall ramp down the LxA function according to a
defined slope (LXA _Add-On_SAFE_SLOPE).
LXA_Add-On_safe_threshold = 4Nm.
Latency time = 20 ms
Note: These thresholds could be changed during design phase.
D
FSR_EPS_ LxA_4.01.04
2 During LxA intervention, the EPS shall ramp down LxA control if the variation of
Hw torque during more than duration (LxA _HWT_DELAY) exceeds
LXA_HWT_threshold
LXA_HWT_threshold = +/-3 Nm
LxA _HWT_DELAY= 500 ms
Note: These thresholds could be changed during design phase.
D
FSR_EPS_LxA_4.01.05
1 During LxA intervention, if the hand-wheel torque exceeds a threshold
(LXA_HWT_SAFE_THRESHOLD) during more than duration (LxA
_HWT_DELAY), the EPS shall ramp down the LxA function according to a
defined slope (LXA _HWT_SAFE_SLOPE).
LXA_HWT_SAFE_THRESHOLD = 2.8Nm
LXA _HWT_DELAY = 20 ms
LXA _HWT_SAFE_SLOPE =1Nm/s.
Note: These thresholds could be changed during design phase
D
FSR_EPS_ LxA_4.01.06
3 During LxA intervention, the EPS shall ramp down (with defined slope
LXA_SWV_SLOPE) the LxA function if steering wheel velocity is higher than
LXA_SWV_safe_threshold during more than LXA_SWV_DELAY
LXA_SWV_safe_threshold is defined depending on vehicle speed
(see functional specification 00998_12_01589)
LXA_SWV_DELAY depends on steering wheel speed and vehicle speed
(maximum value is 800 ms).
LXA_SWV_SLOPE: to be calibrated during design phase.
Note: These parameter settings could be changed during design phase.
B
FSR_EPS_ LXA_4.01.08
1 The EPS shall avoid too high or too low steering wheel speed
Note : These parameters setting could be changed during design phase.
B
FSR_EPS_ LxA_4.01.10
3 During LxA intervention, the EPS shall ramp down (with defined slope
LXA_SWA_SLOPE) the LxA function if steering wheel angle is higher than
LXA_SWA_safe_threshold during more than LXA_SWA_DELAY
LXA_SWA_safe_threshold is defined depending on vehicle speed (target:
lateral acceleration max: 3 m/s², reaching a +2m/s² lateral acceleration
increase shall require at least 0.5s).
The threshold needs to be defined from the following criteria: lateral
acceleration 0,3g (3m/s²).
LXA_SWA_DELAY = 200 ms.
LXA_SWA_SLOPE: to be calibrated during design phase
Note: These parameter settings could be changed during design phase.
B
FSR_EPS_ LxA_4.01.11
1 The EPS shall avoid too high or too low steering wheel angle.
The fault amplitude and FTTi need to be defined from the following criteria :
lateral acceleration 0,3g (3 m/s²).
Note : These parameters setting could be changed during design phase.
B
FSR_EPS_ LxA_4.01.12
0 The EPS shall limit the gradient of COLUMN_ANGLE_SETPOINT
(see functional specification 00998_12_01589)
B
FSR_EPS_ LxA_4.01.13
0 The EPS shall limit the variation of LKA_TRQ_FACT_REQ
(see functional specification 00998_12_01589)
B
FSR_EPS_ LxA_4.02.01
0 The EPS shall apply LxA request only if ABS/ESC is available (no fault and no
driver deactivation) and no ABS/ESC intervention.
B
FSR_EPS_ LxA_4.02.02
0 In case of ABS/ESC intervention during LxA intervention, the EPS shall ramp
down the LxA function with a defined slope and warn the driver.
B
FSR_EPS_ LxA_4.02.03
0 In case of ABS/ESC unavailability during LxA intervention, the EPS shall ramp
down the LxA function with a defined slope and warn the driver
B
FSR_EPS_ LxA_4.02.04
0 In case of ABS/ESC intervention, the EPS shall inform the vehicle that no LXA
regulation possible (EPS_STATE_LXA =000 “unauthorized”).
B
FSR_EPS_ LxA_4.02.05
0 In case of ABS/ESC unavailability, the EPS shall inform the vehicle that no
LXA regulation possible (EPS_STATE_LXA =000 “unauthorized”).
B
FSR_EPS_ LxA_4.02.06
0 In case of detected communication failures between ESC and the EPS, the
EPS shall inform the vehicle that no LXA regulation is possible
(EPS_STATE_LXA=100 : “the defect state" ).
B
FSR_EPS_ LxA_4.02.07
0 The recovery is allowed only if ABS/ESP available and no ESC regulation in
progress and no communication failures between ESC and EPS
B
FSR_LxA_01.14.a
0 EPS shall avoid sending an erroneous column speed (vitesse_colonne) and
steering wheel torque optimized (cple_volant_optimise) to BSI.
B
FSR_LxA_01.15.a
0 EPS shall avoid not deactivating LxA when requested by BSI (LxA_state set as
deactivated).
A(B)
FSR_LxA_01.18.a
0 EPS ensure no common cause failure between limiting the vehicle lateral
dynamics (FSR_LxA_01.8.a), sending erroneous column speed and steering
wheel torque to BSI (FSR_LxA_01.14.a) and not deactivating on BSI request
(FSR_LxA_01.15.a), at ASIL B.
Note: in this specification:
FSR_LxA_01.8.a = FSR_EPS _LxA_4.01.06 + FSR_EPS _LxA_4.01.10
B
FSR_LxA_03.2.a
0 EPS shall avoid not informing BSI that no LxA control is possible in case of
internal failure (EPS_state_LXA), at ASIL QM
QM
SG1_LxA_4_01 The driver shall always be able to keep the control of the vehicle
trajectory during LxA trajectory correction (ASIL B)
a) Safety goal requirement
Safety Goal SG1_LXA_4_01 : The driver shall always be able to keep the control of the vehicle trajectory during
LXA trajectory correction (ASIL B)
Critical scenarios
- Erroneous yaw rate compensation sent to STEER System
- Erroneous LXA correction setpoint sent to STEER System
- ABS/ESP not available or data from ABS/ESP not available
- Driver does not have the steering wheel in hands.
Validation criteria
The hazard at the vehicle level is a path deviation.
EPS shall limit the vehicle lateral dynamics induced by the LKA control.
This limitation is translated in maximum absolute lateral acceleration and a minimum time before
reaching a lateral acceleration threshold.
Threshold:
- Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
lower than 50 kph.
- Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
higher than 50 kph.
These thresholds shall be taken into account when calibrating the maximum steering wheel speed
limitation in the EPS.
PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
Initial operating mode:
LXA selected, lateral control in progress (hand On +hand Off).
b) Critical event
# ERO Rev Critical event (ERO) ASIL
ERO_EPS_LxA_4.03 0 Erroneous LxA torque correction leading to path deviation (due to
EPS failures)
B
c) Derived safety requirements allocated to the EPS
Id Rev Functional safety requirement ASIL
FSR_EPS_LxA_4.03_01
0 The EPS shall detect a driving situation without hand during 10s and
provide signals to inhibit LxA function (EPS_STATE_LXA=000
“unauthorized state” and STEERWHL_HOLD_BY_DRV =0 “no steering
activity detected from the driver torque”).
A(B)
FSR_EPS_LxA_4.03_02
0 If the EPS detects a driving situation without hands on the steering wheel during
more than 10s, the EPS shall inform the driver
(see functional specification 00998_12_01589)
A(B)
FSR_EPS_LxA_4.03_03
0 If the EPS detects a driving situation without hands on the steering wheel during
more than 3s after the driver warning, the EPS shall ramp down the LxA
function with a defined slope (Slope = 1Nm/s)
A(B)
7.6.2. SG1_LxA_4_02: LXA function shall ensure the controllability of the vehicle in
case of LxA deactivation (ASIL D )
a) Safety goal requirement
Safety Goal SG1_LXA_4_02: LXA function shall ensure the controllability of the vehicle in case of LXA deactivation
(ASIL B )
Critical scenarios - Trajectory correction deactivation
Validation criteria
The hazard at the vehicle level is a path deviation.
EPS shall limit the vehicle lateral dynamics induced by the LKA control.
This limitation is translated in maximum absolute lateral acceleration and a minimum time before
reaching a lateral acceleration threshold.
Threshold:
- Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
lower than 50 kph.
- Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed
higher than 50 kph.
These thresholds shall be taken into account when calibrating the maximum steering wheel speed
limitation in the EPS.
PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
Initial operating mode:
LXA selected, lateral control in progress (hand On +hand Off).
b) Critical event
# ERO Rev ERO name ASIL
ERO_EPS_LxA_4.04 1 Brutal LxA deactivation (due to EPS failure)
B
c) Derived safety requirements allocated to the EPS
# FSR Rev Functional safety requirement ASIL
FSR_EPS_LxA_4.04_01
1 The EPS shall ramp down LxA function with a defined slope to avoid brutal
LxA deactivation
B
FSR_EPS_LxA_4.04_02
1 The EPS shall avoid an erroneous slope:
- slope higher than 7,5Nm/s or
- slope lower than 1Nm/s
Note: The safe range for slope is [1Nm/s 7,5Nm/s]
B
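The hand-wheel torque check of FSR_EPS_LxA_4.01.05 (2.8 Nm exceeded for more than 20 ms, ramp-down at 1 Nm/s), the 4 Nm limit of FSR_EPS_LxA_4.01.02 and the slope range check of FSR_EPS_LxA_4.04_02 can be sketched as one monitor; this is an added example, not code from this specification or from any EPS supplier. Assumptions: a fixed-period task with integer units (mNm, ms), a latched ramp-down with no recovery, LxA refused when the calibrated slope is outside [1 Nm/s, 7.5 Nm/s], and all `lxa_*` function and type names, which are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted from the requirements on this page, in mNm, ms and mNm/s. */
#define LXA_ADD_ON_SAFE_THRESHOLD_MNM 4000 /* FSR_EPS_LxA_4.01.02: 4 Nm     */
#define LXA_HWT_SAFE_THRESHOLD_MNM    2800 /* FSR_EPS_LxA_4.01.05: 2.8 Nm   */
#define LXA_HWT_DELAY_MS              20   /* FSR_EPS_LxA_4.01.05: 20 ms    */
#define LXA_HWT_SAFE_SLOPE_MNM_S      1000 /* FSR_EPS_LxA_4.01.05: 1 Nm/s   */
#define LXA_SLOPE_MIN_MNM_S           1000 /* FSR_EPS_LxA_4.04_02: 1 Nm/s   */
#define LXA_SLOPE_MAX_MNM_S           7500 /* FSR_EPS_LxA_4.04_02: 7.5 Nm/s */

typedef enum { LXA_ACTIVE, LXA_RAMP_DOWN, LXA_OFF } lxa_state_t;

/* Hypothetical monitor state; none of these field names come from the page. */
typedef struct {
    lxa_state_t state;
    int32_t over_ms;       /* continuous time with |hand-wheel torque| over threshold */
    int32_t authority_mnm; /* current bound on |LxA additional torque| */
    int32_t slope_mnm_s;   /* ramp-down slope, validated at init */
    int32_t residue;       /* remainder of slope * dt not yet applied */
} lxa_monitor_t;

static int32_t abs32(int32_t v) { return v < 0 ? -v : v; }

/* Assumption: a slope outside the safe range keeps LxA off instead of
 * running with a ramp that is too abrupt or too slow. */
bool lxa_monitor_init(lxa_monitor_t *m, int32_t slope_mnm_s)
{
    bool ok = slope_mnm_s >= LXA_SLOPE_MIN_MNM_S &&
              slope_mnm_s <= LXA_SLOPE_MAX_MNM_S;
    m->state = ok ? LXA_ACTIVE : LXA_OFF;
    m->over_ms = 0;
    m->authority_mnm = ok ? LXA_ADD_ON_SAFE_THRESHOLD_MNM : 0;
    m->slope_mnm_s = ok ? slope_mnm_s : LXA_SLOPE_MIN_MNM_S;
    m->residue = 0;
    return ok;
}

/* One task period: returns the LxA additional torque actually allowed. */
int32_t lxa_monitor_step(lxa_monitor_t *m, int32_t requested_mnm,
                         int32_t hw_torque_mnm, int32_t dt_ms)
{
    if (m->state == LXA_ACTIVE) {
        /* Debounce: the excess must last strictly more than the delay. */
        if (abs32(hw_torque_mnm) > LXA_HWT_SAFE_THRESHOLD_MNM)
            m->over_ms += dt_ms;
        else
            m->over_ms = 0;
        if (m->over_ms > LXA_HWT_DELAY_MS)
            m->state = LXA_RAMP_DOWN; /* latched: no way back to ACTIVE */
    }
    if (m->state == LXA_RAMP_DOWN) {
        /* Integrate the slope exactly, carrying the sub-mNm remainder. */
        int32_t num = m->slope_mnm_s * dt_ms + m->residue;
        m->authority_mnm -= num / 1000;
        m->residue = num % 1000;
        if (m->authority_mnm <= 0) {
            m->authority_mnm = 0;
            m->state = LXA_OFF;
        }
    }
    if (requested_mnm > m->authority_mnm) return m->authority_mnm;
    if (requested_mnm < -m->authority_mnm) return -m->authority_mnm;
    return requested_mnm;
}

/* Constructed scenario: constant hand-wheel torque, 1 ms task period.
 * Returns the tick at which LxA is fully off, or -1 if it never is. */
int32_t lxa_ticks_until_off(int32_t hw_torque_mnm, int32_t max_ticks)
{
    lxa_monitor_t m;
    if (!lxa_monitor_init(&m, LXA_HWT_SAFE_SLOPE_MNM_S)) return -1;
    for (int32_t tick = 1; tick <= max_ticks; tick++) {
        lxa_monitor_step(&m, 3000, hw_torque_mnm, 1);
        if (m.state == LXA_OFF) return tick;
    }
    return -1;
}

int main(void)
{
    printf("sustained 3.0 Nm: LxA off after %d ms\n",
           (int)lxa_ticks_until_off(3000, 10000));
    printf("sustained 2.8 Nm: %d (never ramps down)\n",
           (int)lxa_ticks_until_off(2800, 10000));
    return 0;
}
```

With a 1 ms period the ramp-down starts on the 21st consecutive tick over 2.8 Nm, and the 4 Nm authority then takes 4 s to reach zero at 1 Nm/s.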
Output requirements LXA
Id. ERO Critical Event ASIL FIT
ERO-LXA-EPS-SDF.0016 (1.0) Unwanted transition to active or authorized or available
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
QM(D) 100
ERO-LXA-EPS-SDF.0017 (1.0) Impossible transition to defect
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
QM(D) 100
ERO-LXA-EPS-SDF.0018 (1.0) Impossible transition to defect of EPS_STATE_LXA and wrong values
of LXA_REQUIRED_ADDIT_STEER_WL_TORQUE
This critical event concerns the output signal
Common mode EPS_STATE_LXA and
LXA_REQUIRED_ADDIT_STEER_WL_TORQUE transmitted on frame
IS_DAT_DIRA_495/ / EPS_STATE_LXA
B(D) 10
ERO-LXA-EPS-SDF.0019 (1.0) Impossible transition to unauthorized
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
QM(B) 100
ERO-LXA-EPS-SDF.0020 (1.0) Impossible transition to unauthorized
and REGUL_ESP erroneous to "no regulation"
This critical event concerns the output signal
Common mode EPS_STATE_LXA and REGUL_ESP transmitted on the
frame IS_DAT_DIRA_495/ / EPS_STATE_LXA
B 10
ERO-LXA-EPS-SDF.0021 (1.0) Impossible transition to "no steering activity detected from the driver
torque"
This critical event concerns the output signal
STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/
/ STEERWHL_HOLD_BY_DRV
QM(A) 100
ERO-LXA-EPS-SDF.0022 (1.0) Loss/Absence
This critical event concerns the output signal
STEERWHL_HOLD_BY_DRV transmitted on the frame
IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV
QM(A) 100
7.7. Safety threat / attack critical events
Id. Threat/Attack Critical Event
ERO_EPS_4.21 EMC susceptibility
This critical event covers the EMC immunity.
ERO_EPS_4.22 Disturbance of the surrounding systems due to EMC emissions
ERO_EPS_4.23 Thermal event
This critical event is related to the CCA topic.
7.8. FTA requirements
Id. Rev Requirement
GEN-SAFETY-
CLAUSE-G4.0001
0
For each safety critical event, the reference period must be 15 years or 240000 km (first criterion
reached).
The confidence level required for validation of the failure modes leading to a safety critical event is
75%.
GEN-SAFETY-
CLAUSE-G4.0002
0
The supplier must perform the FTA for each safety critical event
For functional safety critical events and for output critical events (defined in this document) the
qualitative and quantitative fault tree analyses are mandatory.
The qualitative fault trees are mandatory for safety threat/attack critical events.
The qualitative fault tree analysis shall be used to investigate the random failures and systematic
failures.
The quantitative fault tree shall be used to estimate the probability of the hazard. The quantitative fault
analysis must cover the random failures and mechanical failures.
The Fault tree must take into account all the combinations of failures leading to each safety critical
event.
The fault tree must take into account all techniques and measures applied to control random faults
leading to each critical event.
GEN-SAFETY-
CLAUSE-G4.0003
0
The quantitative result on each critical event must be expressed for:
- HW random failures in term of failure rate per hour, SPFM and LFM.
- Mechanical failures in term of probability of failure during the reference period.
GEN-SAFETY-
CLAUSE-G4.0004
0
Each functional critical event (defined in §7.1) shall reach the quantitative target expressed in the table
1.
The target for each functional critical event must be reached with the inputs data reliability values (of
PSA responsibility).
GEN-SAFETY-
CLAUSE-G4.0005
0
Each output critical event (defined in §7.2) must reach the failure rate per hour required for each
output critical event and the SPFM/LFM expressed in the table 1.
The target of each output critical event must be reached with the inputs data reliability values of PSA
responsibility
GEN-SAFETY-
CLAUSE-G4.0006
0
For HW random failures, the calculation must be based on official data base (see ISO 26262-5). If the
supplier uses his RETEX (Field Feedback), the target to reach is divided by factor 10 (for example, for
target with official data base at 10^-8, the target will be 10^-9).
GEN-SAFETY-
CLAUSE-G4.0007
0 The supplier must justify each HW failure rate and probability failure on reference period for
mechanical failures used for the quantification.
GEN-SAFETY-
CLAUSE-G4.0008
0
The supplier must provide the requirements on the inputs data (of PSA responsibility) and interfaces in
order to reach the target on each safety critical event.
The requirements on inputs data and interfaces must be accepted by PSA.
GEN-SAFETY-
CLAUSE-G4.0009
0 For each safety critical event, the supplier must justify all single HW random failure and residual
failures.
GEN-SAFETY-
CLAUSE-G4.0010
0 For each safety critical event, the supplier must justify all single mechanical failures.
GEN-SAFETY-
CLAUSE-G4.0011
0
It is forbidden that a single fault vs. threat / attack leads to gravity 4. The technical design shall fulfil
this principle. If auto protection is not sufficient, a justification document must be delivered by the
supplier (justification on multi-barrier principle…).
GEN-SAFETY-
CLAUSE-G4.0012
0
For each safety critical event, the supplier must justify the fulfilment of the requirement in term of ASIL
for systematic failures.
The justification is achieved by applying techniques and measures for avoidance of systematic failures
according to the standard ISO 26262.
Table 1
        EE Failures                              Mechanical failures
ASIL    Failure rate (FIT)    SPFM    LFM        Probability of failure on the period (15 years / 240000km)
A       1000                                     10^-3
B       100                   90%     60%        10^-4
C       100                   97%     80%        10^-5
D       10                    99%     90%        10^-6
8. Reliability and availability requirements
8.1. Gravity 3 critical events
Id. Critical events Comments
ERO_EPS_3.01 Degraded steering due to EPS failures
This critical event includes all the failures leading to degradation
of steering wheel torque (friction, backlash,..)
ERO_EPS_3.02 Lack of assistance No assist at the start-up
ERO_EPS_3.03 Non critical under assistance
ERO_EPS_3.04 Non critical over assistance
ERO_EPS_3.05 Non critical random assistance
ERO_EPS_3.06 EPS failures leading to over consumption
This critical event includes :
- Quiescent current more than 100 µA.
- Standby current more than 500 mA
- Operating current erroneous too high.
- Unwanted wake up (ECU doesn’t go to sleep,
inopportune ECU wake up)
Id. Critical events Comments
ERO_EPS_3.07
Unwanted request to switch on the
warning lamp
This critical event concerns the CAN output “Power steering
status” and the particular failure mode power steering status
erroneous to 01 “request to light lamp” instead of 00 "No request
to light lamp”
ERO_EPS_3.08 No request to restart the engine.
This critical event concerns the frame 495
Engine restart requested by sub system DA erroneous to 0 “No
need of restart” instead of 1 “Restart request”
ERO_EPS_3.09
Unwanted Engine stop authorization by
EPS
This critical event concerns the frame 495 Engine stop
authorization by sub system DA erroneous to 1 “Stop
authorization” instead of 0 “No stop authorization”
ERO_EPS_3.10 NVH due to EPS failures
This critical event includes
- Severe Airborne noise (includes rattle)
- Structure-borne noise
- EPS vibration generation.
Id. Critical events Comments
ERO-LXA-EPS-108
(1.0)
No LXA correction when needed due to
EPS failures
ERO-LXA-EPS-109
(1.0)
Unwanted stop of LXA torque correction
during a correction due to EPS failures
ERO-LXA-EPS-110
(1.0)
Unwanted LXA torque correction due to
EPS failures
ERO-LXA-EPS-111
(1.0)
Erroneous LXA state display to the driver
(LXA is displayed as able to correct
trajectory while it is not) due to EPS
failures
ERO-LXA-EPS-112
(1.0)
Erroneous LXA takeover alert to the
driver (alert is not displayed while
needed) due to EPS failures
Id. ERO Critical Event Cumulated
probability
ERO-LXA-EPS-SDF.0006 (1.0)
Loss/Absence due to EPS failures
This critical event concerns the output signal
COMMUNICATION CAN I/S
D(7 years 150000km)
<10^-4
ERO-LXA-EPS-SDF.0007 (1.0)
Impossible transition to "available" or "authorized" or "active" due to EPS
failures
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
D(7 years 150000km)
<10^-4
ERO-LXA-EPS-SDF.0008 (1.0)
Untimely transition to defect due to EPS failures
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
D(7 years 150000km)
<10^-4
ERO-LXA-EPS-SDF.0009 (1.0)
Impossible transition to defect due to EPS failures
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
D(7ans 150000km)
<10-4
Id. | ERO Critical Event | Cumulated probability
ERO-LXA-EPS-SDF.0010 (1.0) | Loss/Absence due to EPS failures. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | D(7 years, 150000 km) < 10^-4
ERO-LXA-EPS-SDF.0011 (1.0) | Untimely transition to "no steering activity detected from the driver torque" due to EPS failures. STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV | D(7 years, 150000 km) < 10^-4
8.2. Reliability, availability requirements and quantitative target
Id. | Rev | Requirement
GEN-SAFETY-CLAUSE-G3.0001 | 0 | For gravity 3 critical events, the reference period is 7 years or 150000 km (first criterion reached). The confidence level required for validation of the failure modes leading to a safety critical event is 75%.
GEN-SAFETY-CLAUSE-G3.0002 | 0 | For each gravity 3 critical event, the quantitative target is defined by the probability of failure on the reference period < 10^-3. For random failures this target is equivalent to a failure rate less than 10^-7/h.
GEN-SAFETY-CLAUSE-G3.0003 | 0 | For each gravity 3 critical event, the supplier must provide a justification for the quantitative results. The results must be provided for EE random failures and for mechanical failures.
GEN-SAFETY-CLAUSE-G3.0004 | 0 | The quantitative requirements are to be fulfilled with input data reliability values (of PSA responsibility).
GEN-SAFETY-CLAUSE-G2-G1.0001 | 0 | For gravity 2 and gravity 1 critical events, the reference period is 3 years or 60000 km (first criterion reached). The confidence level required for validation of the failure modes leading to a safety critical event is 50%.
GEN-SAFETY-CLAUSE-G2-G1.0002 | 0 | For each gravity 2 and gravity 1 critical event, the quantitative target is defined by the probability of failure on the reference period < 10^-3. For random failures this target is equivalent to a failure rate less than 10^-7/h.
GEN-SAFETY-CLAUSE-G2-G1.0003 | 0 | For each gravity 2 and gravity 1 critical event, the supplier must provide a justification for the quantitative results. The results must be provided for EE random failures and for mechanical failures.
GEN-SAFETY-CLAUSE-G2-G1.0004 | 0 | The quantitative requirements are to be fulfilled with input data reliability values (of PSA responsibility).
Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc
Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc

  • 1. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 1/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ Safety dependability and durability requirements Electric Power Steering (EPS) Generic Reference 01452_13_00052 Version number BL 3.0 Document status For authorized company use only Date 2014, December 10th
  • 2. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 2/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ Written By Checked by Approved by Aziz LAZAAR DRD/DCTC/ICDV/AFDH Date: Signature: Abdelhak MHAOUEL DRD/DCTC/ICDV/AFDH Date: Signature: Benoit LEVIN DRD/DSEE/CIAE/SDFE/SDFG Date: Signature: René Tathy ITLINK /IPSIS SDFG Antoine GAUTIER DRD/DCTC/ICDV/AFDH/ACSD Date: Signature: Clément HUBERT DRD/DCTC/ICDV/AFDH Date: Signature: Fabien LAVILLENIE DRD/DCTC/ICDV/AFDH/ACSD Date: Signature: Franck MARTINEAU DRD/DCTC/ICDV/AFDH/ACSD Date: Signature: Nicolas BECKER DRD/DAPF/ARFS Date: Signature:
  • 3. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 3/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ Revision Chart and History Log Version Date Author Changes and/or raison 0.1 24/01/2013 A. Lazaar B. Levin Creation 0.2 08/02/2013 B.Levin Correction of the expected FIT for the Safety output critical events 1.0 31/03/2014 A. LAZAAR A. MHAOUEL §6 update of generic requirements. §7 update of EPS Safety Requirements (the safety goal and safety functional critical event). §11 update of work products. 1.1 19/09/2014 A.LAZAAR A.MHAOUEL chapter §7.6 for Safety requirements LXA Added Update of §6,§7 and §11
  • 4. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 4/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ 2 10/12/2014 A.LAZAAR A.MHAOUEL §7.1.1 update of Safety goal to avoid excessive steering effort for “Curves with lateral acceleration up to 0,1g” deleted from SG1_DIR_4_01 §7.1.3 update of critical event Auto steer for “It shall include also unintended recover of assistance” deleted from ERO_EPS_4.02 for “Probabilistic target mechanical” deleted from ERO_EPS_4.02 §7.1.6 update of Safety goal to avoid a sudden loss of steering assist deleted “Curves with lateral acceleration up to 0,1g” deleted from SG1_DA_4_01 Requirements added : TSR_EPS_4.07.02.01_07 Requirements deleted (duplicate) : TSR_EPS_4.07.02.01_01 § 7.6 update of traceability requirements Traceability requirements deleted form critical events: ERO-LKA- EPS-94 (1.1), ERO-LKA-EPS-95 (1.1), and FST-LKA-EPS-106 (1.0). §7.6.1 update of functional safety requirements LXA Requirements deleted : FSR-LKA-EPS-97 (1.0), FSR-LKA-EPS-98 (1.0), FSR-LKA-EPS-99 (1.3) Requirements added : FSR_EPS_ LXA_4.01.01, FSR_EPS_ LXA_4.01.02, FSR_EPS_ LXA_4.01.03, FSR_EPS_ LXA_4.01.04, FSR_EPS_ LXA_4.01.05, FSR_EPS_ LXA_4.01.06, FSR_EPS_ LXA_4.01.07, FSR_EPS_ LXA_4.01.08, FSR_EPS_ LXA_4.01.09, FSR_EPS_ LXA_4.01.10, FSR_EPS_ LXA_4.01.11 FSR_EPS_ LXA_4.02.01, FSR_EPS_ LXA_4.02.02, FSR_EPS_ LXA_4.02.03, FSR_EPS_ LXA_4.02.04, FSR_EPS_ LXA_4.02.05, FSR_EPS_ LXA_4.02.06, FSR_EPS_ LXA_4.02.07. 
Critical event ERO_EPS_LKA_4.02 updated ( ASIL B ald QM) : to cover LxA §7.6.2 update of functional safety requirements LXA Requirements deleted : FST-LKA-EPS-101 (1.0), FSR-LKA-EPS-102 (1.0), FST-LKA-EPS-104 (1.0), FST-LKA-EPS-105 (1.0) Requirements added : FSR_EPS_LXA_4.03_01, FSR_EPS_LXA_4.03_02, FSR_EPS_LXA_4.03_03 §7.6.3 update of functional safety requirements Requirements deleted : FST-LKA-EPS-107 (1.0), Requirements added : FSR_EPS_LXA_4.04_01, FSR_EPS_LXA_4.04_02 Safety goal SG1_LXA_4_02 to updated (ASIL D ald ASILA) : to cover LxA § 7.6, §7.6.1, §7.6.2, §7.6.3 updated these chapter to due LxA §11. Milestones of work products updated.
  • 5. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 5/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ 2.1 03/08/2015 A.MHAOUEL §7.6. update of functional safety requirements LxA Requirements updated : FSR_EPS_ LxA_4.01.02, FSR_EPS_ LxA_4.01.03, FSR_EPS_ LxA_4.01.04 , FSR_EPS_ LxA_4.01.05, FSR_EPS_ LxA_4.01.06, FSR_EPS_ LxA_4.01.10 Requirements deleted : FSR_EPS_ LXA_4.01.07, FSR_EPS_ LXA_4.01.09 Requirements added : FSR_EPS_ LxA_4.01.12, FSR_EPS_ LxA_4.01.13 2.2 08/03/2016 A.MHAOUEL R.TATHY Chapter §7.3.3 absolute steering angle (SAS virtual) is added for Safety requirements Absolute steering angle in case SAS virtual. 2.3 07/10/2016 A.MHAOUEL A.VIALAS C.HUBERT Chapter §7.5 City Park Function Reference of document added to new safety requirements for City Park function.
  • 6. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 6/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ 3.0 30/06/2017 A.VIALAS A.COLAS §7.1. update of functional safety requirements to steer Requirement split in 3 requirements + addition of a nota: FSR_EPS_4.07.02 -> FSR_EPS_4.07.02 + FSR_EPS_4.07.02.01 + FSR_EPS_4.07.02.02 §7.2. update of functional safety requirements STTd Requirements ID change: FSR_EPS_4.08.01 -> FSR_ARAMTH_012 New requirement added: FSR_ARAMTH_014 FSR_ARAMTH_019 FSR_ARAMTH_020 FSR_ARAMTH_021 §7.3.3 update of safety requirements for virtual CAV3 Requirements updated : DAE_VIRTUAL_CAV3_0013 Requirement Deleted: ERO_EPS_XXXX (Tbd) (= DAE_VIRTUAL_CAV3_0015) Requirements ID change: ERO_EPS_4.31 -> DAE_VIRTUAL_CAV3_0015 ERO_EPS_4.32 -> DAE_VIRTUAL_CAV3_0016 ERO_EPS_4.33 -> DAE_VIRTUAL_CAV3_0017 ERO_EPS_4.35 -> DAE_VIRTUAL_CAV3_0018 ERO_EPS_4.38 -> DAE_VIRTUAL_CAV3_0019 ERO_EPS_4.39 -> DAE_VIRTUAL_CAV3_0020 ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0021 ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0022 ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0023 Chapter §7.5 City Park Function Technical Safety Concept EPS for City Park function update version v1.1 to v2.0.
  • 7. EPS Safety Dependability and durability requirements EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 7/49 DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052 Niveau de classification 0- Pas de classification 1- Usage interne PSA/DPTA/ 2 - Confidentiel PSA/DPTA/ 3- Confidentiel restreint PSA/DPTA/ 4- Confidentiel enregistré PSA/DPTA/ §7.6. update of functional safety requirements LxA SG description added : SG1_LXA_DIR_4_06 SG1_LXA_DIR_4_01 SG1_LXA_DIR_4_02 Requirements updated : FSR_EPS_4.07.02 FSR_EPS_ LxA_4.01.04 FSR_EPS_ LXA_4.01.06 FSR_EPS_ LXA_4.01.08 FSR_EPS_ LxA_4.01.10 FSR_EPS_ LxA_4.01.11 ASIL downgraded D to B: ERO_EPS_LXA_4.04 FSR_EPS_LxA_4.04_01 FSR_EPS_LxA_4.04_02 New requirements added : FSR_LxA_01.14.a FSR_LxA_01.15.a FSR_LxA_01.18.a FSR_LxA_03.2.a
  • 8. Table of Contents
    Table of Contents (p. 8)
    1. Purpose of Document (p. 9)
    2. Reference and applicable Documents (p. 9)
    3. Acronyms (p. 9)
    4. Product description (p. 10)
    5. Terminology (p. 10)
    6. Generic requirements (p. 11)
    6.1. General compliance with the standard ISO 26262 (p. 11)
    6.2. Safety planning (p. 11)
    6.3. Safe design and safety activities (p. 14)
    6.4. Verification Integration and Validation activities (p. 20)
    6.5. Release for production (p. 21)
    6.6. Traceability (p. 21)
    6.7. Safety case (p. 21)
    7. EPS Safety Requirements allocated to EPS (p. 22)
    7.1. Function: To steer (p. 22)
    7.2. Function: STTd (p. 31)
    7.3. Safety output critical events (p. 31)
    7.3.1. Column angle (in case of AVA function) (p. 31)
    7.3.2. Absolute steering angle (in case of the SAS is integrated in the EPS) (p. 33)
    7.3.3. Absolute steering angle (in case virtual SAS) (p. 34)
    7.3.4. Request for warning lamp (p. 34)
    7.4. Multi-mode function (p. 35)
    7.5. City Park function (p. 35)
    7.6. LxA function (p. 36)
    7.7. Safety threat / attack critical events (p. 42)
    7.8. FTA requirements (p. 42)
    8. Reliability and availability requirements (p. 43)
    8.1. Gravity 3 critical events (p. 43)
    8.2. Reliability, availability requirements and quantitative target (p. 45)
    9. Degraded mode and safe state (p. 46)
    10. Validation of the Objectives (p. 46)
    10.1. Principle of the method (p. 46)
    10.2. Steps of the method (p. 47)
    11. Work products (p. 48)
  • 9. 1. Purpose of Document
    The purpose of this document is to provide safety, dependability and durability requirements for the Electric Power Steering (EPS).
    2. Reference and applicable Documents
    [R3010] ST Véhicule - Diriger le Véhicule et Assister la Direction
    [701] Detailed Technical Specification Electric Power Steering.
    [A003] Hardware specification
    [A004] Software specification
    [R1] Safety Requirements CPK allocated to the EPS (from Valeo) [00858_15_01879] V1.1
    3. Acronyms
    EPS: Electric Power Steering
    FMEA: Failure Mode and Effect Analysis
    FMEDA: Failure Mode Effect and Diagnostic Analysis
    FTA: Fault Tree Analysis
    NVH: Noise Vibration and Harshness
    EMC: ElectroMagnetic Compatibility
    ASIL: Automotive Safety Integrity Level
    BSI: Body controller Unit
    CAN: Controller Area Network
    CMB: Dashboard
    CMM: Multifunction Engine Controller
    ECU: Electronic Control Unit
    EE: Electric and Electronic
    ER: Critical Event
    ERF: Critical Event at Functional level
    FSC: Functional Safety Concept
    FSR: Functional Safety Requirement
    GMP: Engine group
    IHM: Human Computer Interface
    LAS: Ground connection
    STT: Stop and Start
    LxA: Lane (x = Keeping or positioning) Assist
  • 10. 4. Product description
    The product, limits, life situations, service functions, constraint function and mission profile are described in the document [701].
    5. Terminology
    ISO 26262 makes extensive use of a specialized vocabulary. In general, we assume that the supplier is familiar with the terms and definitions used within the standard. Furthermore, PSA uses the term "critical event", defined as below.
    Critical Event (ER): event due to a failure having an impact on the customer or his environment (undesired event).
    Critical Events Gravity Classification: the "Gravity" rating is linked to the effect of the ER in terms of disturbance for the user.
    Level, definition and comments:
    1: Dissatisfaction or deterioration of one function of the vehicle. General vehicle performances kept. User can continue to use his vehicle. No intervention (maintenance) is rapidly needed.
    2: Loss of one vehicle function. Appearance of unpleasant symptoms. User can continue to use his vehicle but an intervention (maintenance) is rapidly needed.
    3: Unavailability of the vehicle for the user. Unavailability of the vehicle due to the loss of an important function or the non-respect of regulation (risk of being in breach of the law). Impossibility to park the vehicle in its state (risk of inviolability). Voluntary stop by the user caused by the sentiment of insecurity (i.e. important noises or vibrations).
    4: Risk of corporal damages for human. Can lead to an accident or corporal damages. G4 are safety critical events.
    Gravity 4 ER are classified following the ASIL scale according to ISO WD 26262.
  • 11. 6. Generic requirements
    6.1. General compliance with the standard ISO 26262
    GEN-SAFETY-CLAUSE_1.001 (Rev 0): The supplier shall comply with the ISO26262 standard.
    GEN-SAFETY-CLAUSE_1.002 (Rev 0): If the supplier is working with subsequent Tier supplier(s), the supplier is still responsible to satisfy PSA safety requirements and shall be responsible to ensure that the subsequent Tier supplier(s) comply with the ISO26262 standard.
    6.2. Safety planning
    GEN-SAFETY-CLAUSE_2.001 (Rev 0): The supplier shall deliver a detailed safety and dependability plan. The supplier safety plan shall describe and identify the safety activities to make effective the application of a safety lifecycle according to the workflow required by the ISO 26262 standard. This plan shall describe at least:
    - Safety process & activities:
      o the safety process definition,
      o the safety & dependability activities to be carried out,
      o the work products for each safety and dependability activity, and documents to deliver to PSA.
    - Roles & responsibilities:
      o the organization and the responsibilities to carry out the development activities for safety and dependability studies,
      o the resources allocated to safety tasks and risk mitigation
      o staff competencies, skills and experience matrix
    - Confirmation measures plan:
      o planning of confirmation measures,
      o persons appointed to carry out confirmation measures
      o check lists for confirmation measures
    - Safety case:
      o the content of the safety case
      o the coordination of the safety case
    - Safety Timing Plan:
      o the planning of safety activities,
      o the planning of the work product and delivery documents,
      o the planning of safety reviews
      o the planning of development of safety case.
    If separate plans are produced for each domain (system, mechanical, hardware, and software) all of them shall be coordinated. The supplier shall refine progressively the safety plan according to the needs of each phase of the safety lifecycle. (Output work product WP_Safety_1.001).
    GEN-SAFETY-CLAUSE_2.002 (Rev 0): The supplier shall perform the confirmation review of safety plan. The supplier shall deliver the review report of confirmation review of safety plan. (Output work product WP_Safety_1.001CR).
  • 12. GEN-SAFETY-CLAUSE_2.003 (Rev 0): PSA and the supplier shall complete the development interface agreement (DIA). The aim is to agree on the job split between PSA and its partner. A check-list shall be performed, adapted to the project under development, and allocated to PSA and/or its partner. The relevant information shall be exchanged between PSA and its supplier. The development interface agreement will be deployed using the support document [01452_13_00067] (Output work product WP_Safety_1.002).
    GEN-SAFETY-CLAUSE_2.004 (Rev 0): Supplier shall provide the compliance matrix establishing the compliance with the requirements of this document “EPS Safety Dependability and durability requirements”. (Output work product WP_Safety_1.003).
    GEN-SAFETY-CLAUSE_2.005 (Rev 0): The supplier shall carry out and provide integration and testing plan. The supplier integration shall cover the planning of integration, the testing strategies, testing activities and the determination of appropriate methods and measures for verifications (testing) at the HW level, at the SW level and at the system level (HW-SW integration). The supplier shall refine progressively the integration and testing plan according to the needs of each phase of the safety lifecycle. (Output work product WP_Safety_1.004).
    GEN-SAFETY-CLAUSE_2.006 (Rev 0): The supplier shall perform the confirmation review of integration and testing plan. The supplier shall deliver the review report of confirmation review of integration and testing plan. (Output work product WP_Safety_1.004CR).
    GEN-SAFETY-CLAUSE_2.007 (Rev 0): The supplier and PSA shall create jointly the safety validation plan. The safety validation plan shall describe:
    - the safety validation planning,
    - the safety validation activities,
    - the configuration of the item subjected to validation including its calibration data,
    - the safety validation specifications (validation procedures, test cases, driving maneuvers, and acceptance criteria). These specifications shall describe at least:
      o the fault or error injected.
      o the operating mode or life situation.
      o the safety barrier or error detection mechanism.
      o the reaction of the system (the specified reaction of the system).
      o the testing facilities allowing the validation of the definitions.
    The supplier can be involved to specify some tests to be done by PSA (e.g. internal faults injection tests not covered by the supplier integration tests) or to define test procedures. The supplier shall refine progressively the integration and testing plan according to the needs of each phase of the safety lifecycle. (Output work product WP_Safety_1.005).
  • 13. GEN-SAFETY-CLAUSE_2.008 (Rev 0): The supplier shall perform the confirmation review of safety validation plan. The supplier shall deliver the review report of confirmation review of safety validation plan. (Output work product WP_Safety_1.005CR).
    GEN-SAFETY-CLAUSE_2.009 (Rev 0): The supplier and PSA shall create jointly the functional safety assessment plan (the functional safety assessment plan should be a collaborative effort by PSA and the supplier). The functional safety assessment plan shall describe:
    - the functional safety activities,
    - the planning of functional safety assessment activities,
    - the persons appointed to carry out the functional safety assessment,
    - the specific topics to be addressed by the functional safety assessment.
    If the supplier performs internal functional safety assessment, the functional safety assessment plan shall be delivered or addressed in the safety plan. The supplier shall refine progressively the functional safety assessment plan according to the needs of each phase of the safety lifecycle (Output work product WP_Safety_1.006).
    GEN-SAFETY-CLAUSE_2.010 (Rev 0): The functional safety assessment shall be conducted as planned, following the generic checklist agreed upon.
    GEN-SAFETY-CLAUSE_2.011 (Rev 0): PSA and the supplier shall agree on the safety plan and supporting processes plan prior to contract signing.
  • 14. 6.3. Safe design and safety activities
    GEN-SAFETY-CLAUSE_3.001 (Rev 0): PSA and supplier shall define jointly the item. The "item definition" shall include at least:
    I. Item overview
      1) Elements of item.
      2) Boundary of the item.
      3) Internal and external interfaces.
      4) Interaction with other items and elements.
      5) Operational and environmental constraints.
      6) Operating modes and operating states.
    II. Functional concept and its purpose functionality.
    III. Non-functional requirements of the item.
    IV. Behavior achieved by similar functions, items or elements;
    V. Assumptions on behavior expected from the item.
    VI. Potential consequences of behavior shortfalls including known failure modes and hazards.
    VII. Legal Requirements and standards.
    The item definition should be a collaborative effort by PSA and the supplier to describe the item, with regard to its functionality, interfaces, environmental conditions, legal requirements, known hazards, etc. The boundary of the item and its interfaces, as well as assumptions concerning other items, elements, systems and components are determined. (Output work product: WP_Safety_1.007).
    GEN-SAFETY-CLAUSE_3.002 (Rev 0): The supplier shall perform hazard analysis and risk assessment. The supplier shall deliver a mapping matrix between PSA safety goals, critical events and the supplier safety goals and critical events. (Output work product: WP_Safety_1.008).
    GEN-SAFETY-CLAUSE_3.003 (Rev 0): PSA and the supplier shall define jointly the functional safety concept. The functional safety concept shall address:
    - fault detection and failure mitigation;
    - transitioning to a safe state;
    - fault tolerance mechanisms,
    - fault detection and driver warning in order to reduce the risk exposure time to an acceptable interval (repair request, stop request);
    - arbitration logic to select the most appropriate control request from multiple requests generated simultaneously by different functions; and
    - safety requirements are allocated to elements of other technologies
    If during the product development the functional safety concept is updated, the update must be accepted by PSA. (Output work product: WP_Safety_1.009).
  • 15. GEN-SAFETY-CLAUSE_3.004 (Rev 0): The supplier shall deliver the specification of safety requirements allocated to the input signals of the product (wired information, CAN signals and power supply) and mechanical interfaces in order to reach the requirements on safety goals. The safety requirements allocated to input signals shall address:
    - the list of failure modes
    - the effect before detection for each failure mode and the ASIL level
    - the detection strategies or safety barriers and the detection time for each failure mode
    - the effect after detection and the degraded mode for each failure mode
    - the target in terms of ASIL and failure rate
    - the recovery conditions
    If during the product development the requirements on the inputs are updated, the update shall be accepted by PSA. (Output work product: WP_Safety_1.010).
    GEN-SAFETY-CLAUSE_3.005 (Rev 0): The supplier shall perform and deliver the internal functional analysis (system description). The internal functional analysis shall contain a detailed description of the system, its functionalities and its components. It should include the elements that compose the system: ECU elements, sensors, actuators, mechanical parts, etc. It should include both an architectural scheme with the links between these elements (e.g. external information exchanged between the product and its interface, internal information exchanged between product elements) and the description of the functions of each element; it should also include the consistency and links with the black-box functions. If during the product development the internal functional analysis is updated, the refined internal functional analysis shall be delivered. (Output work product: WP_Safety_1.011).
    GEN-SAFETY-CLAUSE_3.006 (Rev 0): The supplier shall carry out the specification of technical safety requirements. The supplier shall specify the technical safety requirements by refining the functional safety concept, considering both the functional concept and the preliminary architectural assumptions. The technical safety requirements have to be defined during architecture and system design, and measures for fault avoidance (systematic faults and hardware random faults) and mitigation have to be described during hardware and software components design. The supplier shall verify the consistency and traceability between functional safety requirements and technical safety requirements. The supplier shall define technical safety concepts that comply with the functional requirements and the technical safety requirements specification. The supplier shall deliver the technical safety concepts of its perimeter. If during the product development the technical safety concept and/or technical safety requirements are updated, the update shall be accepted by PSA. (Output work product: WP_Safety_1.012).
  • 16. GEN-SAFETY-CLAUSE_3.007 (Rev 0): If the supplier applies ASIL decomposition, the use of this method shall be justified: the independence analysis shall be available for review at the supplier premises and an agreement shall be met between supplier and customer. (Output work product: WP_Safety_1.013).
    GEN-SAFETY-CLAUSE_3.008 (Rev 0): The supplier shall deliver the diagnostic data list (diagnostic matrix). The diagnostic data list shall include at least:
    - the fault codes (supplier & PSA)
    - the description of the failure
    - the monitoring description
    - the detection time
    - the detection conditions
    - the associated degraded mode
    - the recovery conditions
    (Output work product: WP_Safety_1.014).
    GEN-SAFETY-CLAUSE_3.009 (Rev 0): The supplier shall deliver safety requirements for production (at PSA plant) and for maintenance operation. (Output work product: WP_Safety_1.015).
    GEN-SAFETY-CLAUSE_3.010 (Rev 0): The supplier shall perform and present safety analysis to support the derivation and definition of safety requirements and their allocation. At least the supplier shall perform:
    1. The system functional FMEA: This analysis shall provide information to evaluate hazards, identify safety critical areas, and provide inputs to safety design criteria and procedures with provisions and alternatives to eliminate or control all unacceptable and undesirable hazards. The system functional FMEA shall address for each internal signal and external signal for each function:
      o the list of failure modes
      o the effect before detection for each failure mode.
      o the detection strategies or safety barriers and the detection time for each failure mode
      o the target in terms of ASIL level and failure rates.
      o the effect after detection and the degraded mode for each failure mode
      o the root causes
      o the recovery conditions
    If the System FMEA is updated, the update must be accepted by PSA. The supplier shall provide the system functional FMEA (Output work product: WP_Safety_1.016).
    2. The FTA: this analysis shall support the verification of requirements and their allocation to functions as well as to logical or technical elements. The supplier shall provide the FTA. (Output work product: WP_Safety_1.017).
  • 17. GEN-SAFETY-CLAUSE_3.011 (Rev 0): The supplier shall perform and present safety analysis (inductive and deductive) to support the design verification. At least the following safety analysis shall take place during the Design phase:
    - FTA (qualitative and quantitative):
      o this analysis shall enable the identification of multiple point faults and their causes in the design, the verification that safety controls are provided as required in the design and the verification of common cause failure modes in the design.
      o the FTA can also be used for the hardware integrity analysis which verifies that the minimal cut-set and the diagnostics coverage provided by the diagnostics satisfy qualitative hardware integrity metrics.
      o the quantitative FTA analysis shall be conducted to verify compliance against quantitative hardware integrity targets.
    The supplier shall provide the FTA. (Output work product: WP_Safety_1.017).
    - System and Component(s) DFMEA:
      o the Design FMEA (DFMEA) shall identify and evaluate the potential single point failure modes in the design that are safety-critical and verify that the identified critical failure modes can be mitigated by design validation, or other safety mechanisms.
      o the failure analysis of the Design potential FMEA shall be according to a known standard such as [VDA standard].
      o the quotation scale (S, O, D) and the acceptance criteria must be accepted by PSA (PSA acceptance criteria are: S=10 and O=1 and D=1, S=9 and O≤2, S=8 and O≤2, O<=4).
      o the Design FMEA shall address special characteristics (CTF/CSE).
      o the classification of special characteristics must be accepted by PSA.
    The supplier shall provide the synthesis of DFMEAs. The synthesis of DFMEAs shall contain at least:
      o a cover sheet including the authors, the assessors and the evolution of the document.
      o pareto of RPN before and after action plan.
      o criticality matrix (S vs O) and (S vs D)
      o FMEA extract (FMEA lines) with the critical risks identified before action plan. For PSA, the critical risks are defined according to the following criteria: RPN>=100; S=10 and (O>1 or D>1); S=9 and O>=2; S=8 and O>=3; O>=4.
      o the list of the recommended or additional actions and their status.
      o the supplier quotation scale of the severity (S), the occurrence (O) and the probability of non-detection (D).
      o the supplier rules to reduce the severity (S), the occurrence (O) and the detection (D)
      o acronyms list used in FMEA synthesis
    (Output work product: WP_Safety_1.018)
    The supplier shall perform and provide detailed pin-out FMEA (Output work product: WP_Safety_1.019)
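The criticality criteria quoted in the DFMEA synthesis requirement above (RPN>=100; S=10 and (O>1 or D>1); S=9 and O>=2; S=8 and O>=3; O>=4), applied to FMEA lines before and after an action plan, as an added Python example that is not part of the original document. The line references, the ratings and the 1 to 10 scales are constructed assumptions, and RPN is assumed to be the usual product S x O x D.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rating:
    s: int  # severity
    o: int  # occurrence
    d: int  # probability of non-detection

    def __post_init__(self):
        # Assumption: 1..10 scales (the document leaves the scale to the supplier).
        for name in ("s", "o", "d"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name.upper()}={value} is outside 1..10")

    @property
    def rpn(self):
        # Assumption: RPN is the usual product S x O x D.
        return self.s * self.o * self.d


def critical_reasons(r):
    """Return every criticality criterion from the document that the rating meets."""
    rules = [
        ("RPN>=100", r.rpn >= 100),
        ("S=10 and (O>1 or D>1)", r.s == 10 and (r.o > 1 or r.d > 1)),
        ("S=9 and O>=2", r.s == 9 and r.o >= 2),
        ("S=8 and O>=3", r.s == 8 and r.o >= 3),
        ("O>=4", r.o >= 4),
    ]
    return [label for label, hit in rules if hit]


def pareto(ratings):
    """Lines by descending RPN, with the cumulative share of total RPN in percent."""
    ordered = sorted(ratings.items(), key=lambda kv: (-kv[1].rpn, kv[0]))
    total = sum(r.rpn for _, r in ordered)
    rows, running = [], 0
    for ref, r in ordered:
        running += r.rpn
        rows.append((ref, r.rpn, round(100 * running / total, 1)))
    return rows


def criticality_matrix(ratings, axis):
    """Count lines per (S, O) or (S, D) cell; axis is 'o' or 'd'."""
    return Counter((r.s, getattr(r, axis)) for r in ratings.values())


def synthesis(before, after):
    """Build the numeric parts of a DFMEA synthesis from before/after ratings."""
    if before.keys() != after.keys():
        raise ValueError("before/after must rate the same FMEA lines")
    crit_before = {ref: critical_reasons(r) for ref, r in before.items()}
    crit_after = {ref: critical_reasons(r) for ref, r in after.items()}
    return {
        "critical_before": {k: v for k, v in crit_before.items() if v},
        "still_critical": {k: v for k, v in crit_after.items() if v},
        "pareto_before": pareto(before),
        "pareto_after": pareto(after),
        "matrix_s_vs_o": criticality_matrix(after, "o"),
        "matrix_s_vs_d": criticality_matrix(after, "d"),
    }


# Constructed sample ratings (not taken from any real FMEA).
BEFORE = {
    "DF-01": Rating(10, 2, 3),
    "DF-02": Rating(7, 4, 4),
    "DF-03": Rating(9, 2, 2),
    "DF-04": Rating(3, 3, 5),
    "DF-05": Rating(8, 3, 2),
}
AFTER = {
    "DF-01": Rating(10, 1, 2),  # RPN falls to 20, yet S=10 with D>1 stays critical
    "DF-02": Rating(7, 2, 3),
    "DF-03": Rating(9, 1, 2),
    "DF-04": Rating(3, 3, 5),
    "DF-05": Rating(8, 2, 2),
}

if __name__ == "__main__":
    report = synthesis(BEFORE, AFTER)
    for ref, reasons in report["still_critical"].items():
        print(f"{ref} still critical after action plan: {', '.join(reasons)}")
    for ref, rpn, cumulative in report["pareto_after"]:
        print(f"{ref}: RPN={rpn} cumulative={cumulative}%")
```

In the sample, DF-01 ranks fourth of five in the post-action RPN Pareto but is the only line still critical, which is why the criteria combine RPN with severity-specific limits.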
  • 18. - FMEDA: to verify via quantitative estimation (single point fault, latent fault metrics and probability of failure) that the violation of safety goal is compliant according to ISO 26262 quantitative targets. (Output work product: WP_Safety_1.013)
    - System Software FMEA: This analysis shall assess the vulnerability of the software architecture to potential processor and other hardware interface failure modes and shall evaluate if the safety concept designed in the software meets safety requirements. (Output work product: WP_Safety_1.020)
    - Common Cause/Mode Analysis: Based on the FTA and the FMEA this analysis shall be conducted to identify and to evaluate the potential common cause failures, common mode failures and cascading failures in the design. (Output work product: WP_Safety_1.013)
    GEN-SAFETY-CLAUSE_3.012 (Rev 0): The supplier shall provide the reliability prediction for all components. The work product shall include:
    - Reliability calculation methods EE parts and mechanical parts
    - Estimation of reliability for each EE HW and mechatronic component:
      o the failure rate
      o the origin of the failure rate (standard, field feedback…)
      o the hypothesis used for the failure rate estimation (mission profile, temperature…)
      o failure mode
      o the repartition (%) of the failure mode
      o the origin of the repartition
    - Estimation of reliability for mechanical parts:
      o the probability of failure on the reference period (unreliability in 15 years for example)
    (Output work product: WP_Safety_1.021)
  • 19. GEN-SAFETY-CLAUSE_3.013 (Rev 0): The supplier shall provide the RAMS report; it must include at least:
    - The cover sheet including the authors, the reviewers, the approval committee, and the evolution of the document,
    - The list of product evolutions,
    - The list of PSA critical events with:
      - For each critical event:
        o the associated objective,
        o the result obtained without contribution of PSA basic events
        o the result obtained with contribution of PSA basic events
      - For each PSA critical event:
        o all the minimal cut sets, with the failure rate corresponding to each minimal cut set and the contribution percentage of each minimal cut set to the critical event
      - For each PSA safety critical event (functional and outputs):
        o the justification of each minimal cut set of order 1
        o the justification of quantitative data used for each basic event.
        o the justification of independency of inputs for every AND gate
        o the demonstration that the ASIL is achieved by applying appropriate techniques and measures in the design, implementation, verification and validation.
        o the demonstration that the required functional safety is achieved during the production process.
      - For threat attack critical event:
        o the design measures applied in order to prevent the non functional critical events
        o the validations applied in order to ensure a sufficient and acceptable level of safety being achieved.
        o the requirements to the process in order to ensure the achievement during the production process
    (Output work product: WP_Safety_1.013)
  • 20. 6.4. Verification Integration and Validation activities
    GEN-SAFETY-CLAUSE_4.001 (Rev 0): The supplier shall conduct system design verification to ensure compliance and completeness with regard to the technical safety concept and to verify that the system safety requirements are valid and the system satisfies those requirements. (Output work product: WP_Safety_1.022)
    GEN-SAFETY-CLAUSE_4.002 (Rev 0): The supplier shall conduct the system validation to verify that the system safety requirements are valid and the system satisfies those requirements. This validation shall be done based on the safety validation plan, and verification procedures which are defined against requirements.
    The supplier shall conduct the system/subsystem verification to verify the correct implementation of the technical safety requirement at the system/subsystem level. This verification shall be done based on integration and testing plan, and verification procedures which are defined against requirements.
    The supplier shall conduct the component verification to verify the correct implementation of safety requirements at mechanical, hardware and software level. This verification shall be done based on the component verification plan, and verification procedures which are defined against requirements.
    The supplier shall deliver the system safety verification and validation report providing detailed results for testing which is related to system, hardware, or software. (Output work product WP_Safety_1.005).
  • 21. 6.5. Release for production
    GEN-SAFETY-CLAUSE.5001 (Rev 0): Supplier shall deliver a release for production ensuring its ability to produce the item in compliance with the safety level achieved during the design phase.
    GEN-SAFETY-CLAUSE.5002 (Rev 0): The final assessment of the system safety case and its referenced inputs to evaluate that the product design has satisfied the safety requirements and safety goals is mandatory for release for production. This assessment will also assess the residual risk (if any) for the system.
    6.6. Traceability
    GEN-SAFETY-CLAUSE.6001 (Rev 0): The supplier must ensure the traceability of the safety requirements. Full, bi-directional traceability and communication of safety requirements shall be demonstrated.
    6.7. Safety case
    GEN-SAFETY-CLAUSE.7001 (Rev 0): The safety case shall be developed and maintained by supplier.
    GEN-SAFETY-CLAUSE.7002 (Rev 0): The safety case shall progressively compile the work products generated during the safety lifecycle.
    GEN-SAFETY-CLAUSE.7003 (Rev 0): The safety case shall provide a clear, comprehensive and defensible argument, supported by evidence, that an item is free from unreasonable risk when operated in an intended context (Output work product: WP_Safety_1.023)
    GEN-SAFETY-CLAUSE_7.004 (Rev 0): The supplier must provide a safety report. The safety report summarizes the results of safety analysis performed and the steps taken to reduce potential risks, identifies the potential risk remaining, and describes why this level of risk is acceptable by PSA. The safety report shall address:
    - the residual risks,
    - the exception list
    The final version of safety report must take into account the potential risks due to the process. (Output work product: WP_Safety_1.024)
    GEN-SAFETY-CLAUSE_7.005 (Rev 0): All work products under the supplier’s responsibility must be available at least at the supplier premises.
    GEN-SAFETY-CLAUSE_7.006 (Rev 0): The supplier shall be responsible for the safety case of its suppliers.
    GEN-SAFETY-CLAUSE_7.007 (Rev 0): The safety case shall be stored for 15 years after the last vehicle produced and all the documents of the safety case shall be readable.
  • 22. 7. EPS Safety Requirements allocated to EPS
    7.1. Function: To steer
    7.1.1. To avoid excessive steering effort (Max ASIL D)
    a) Safety goal requirement
    Safety Goal SG1_DIR_4_01: To avoid excessive steering effort (ASIL D)
    Description: When vehicle is moving, the steering item:
      - Is locked or stuck in a specific position and does not respond to the driver request.
      - Provides torque actuation in the opposite direction to the driver request.
    Operating mode:
      - Vehicle is moving (Velocity > 5 kph);
      - Steering wheel speed up to 300°/s.
    FTTI: 100 ms
    Hazard metrics: Excessive steering effort is defined when steering efforts exceed manual steering efforts (without steering assistant) by 3 Nm.
    Other information: The hazard at vehicle level is loss of vehicle lateral motion control. The driver is unable to turn or steer the vehicle. Potential for vehicle to depart the intended path/lane and the vehicle continues motion in the last position of the steering item and the road wheels.
    Note: This safety goal is applicable to steering torque or angle control functions and covers both electrical and mechanical integrity.
    b) Critical events
    # ERO | Rev | ERO name | ASIL | Probabilistic target mechanical
    ERO_EPS_4.01 | 0 | Steer Lock: excessive steering effort | D | 10^-6 in 15 years or 240000 km
    ERO_EPS_4.04 | 0 | Reversed steering assistance: steering in the opposite direction than intended | D | 10^-6 in 15 years or 240000 km
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.01.01 | 0 | The EPS shall be designed to reduce the risk of mechanical steering lock (mechanical integrity) to be compliant with the probabilistic target of 10^-6 in 15 years or 240000 km. |
    FSR_EPS_4.01.02 | 0 | The EPS shall avoid electrical steering lock (electrical integrity) | D
    FSR_EPS_4.04.01 | 0 | The EPS shall avoid reverse steering (steering in the opposite direction than intended) | D
  • 23. 7.1.2. To avoid a steering disconnect (ASIL D)
    a) Safety goal requirement
    Safety Goal SG1_DIR_4_02: To avoid a steering disconnect (ASIL D)
    Description: Disconnected steering occurs when there is no steering torque transmission between the hand wheel and the road wheels and no further vehicle steering control is possible.
    Operating mode: Vehicle is moving (Velocity > 5 kph)
    FTTI: Not applicable
    Hazard metrics: No steering torque transmission between the hand wheel and the road wheels
    Other information: The hazard at vehicle level is loss of vehicle lateral motion control. This safety goal is purely mechanical.
    b) Critical event
    # ERO | Rev | ERO name | ASIL | Probabilistic target mechanical
    ERO_EPS_4.03 | 0 | Steering disconnect | D | 10^-6 in 15 years or 240000 km
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.03.01 | 0 | The EPS shall be designed to reduce the risk of mechanical disconnect to be compliant with the probabilistic target of 10^-6 in 15 years or 240000 km |
  • 24. 7.1.3. To avoid an unintended assist torque (Max ASIL D)
    a) Safety goal requirement
    Safety Goal SG1_DIR_4_06: To avoid an unintended assist torque (ASIL D)
    Description: While driving, the steering item provides torque actuation unexpectedly when there is no driver request.
    Operating mode:
      - When vehicle is moving (Velocity > 12 kph)
      - Hands on the steering wheel
    FTTI: 20 ms
    Hazard metrics:
      EPS design criteria: The unintended steering wheel torque shall not exceed 3 Nm.
      Vehicle validation criteria:
      - Path deviation criteria: The maximum path deviation shall not exceed 25 cm.
      - Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
    Other information: The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment. The steering assistance applied without driver input is a potential hazard if the condition causes a sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation that is too quick for the driver to be able to counter before the vehicle departs from its lane. This safety goal is applicable to steering torque or angle control functions.
    Safety Goal SG1_DIR_4_07: To avoid unintended steering wheel motion during driving without hands on steering wheel (ASIL A).
    Description: While driving, the steering item provides torque actuation unexpectedly when there is no driver request.
    Operating mode: When vehicle is moving (Velocity > 12 kph) with no hands on the steering wheel
    FTTI: 20 ms
    Hazard metrics:
      EPS design criteria:
      - The unintended steering wheel torque shall not exceed 3 Nm.
      - Unintended steering wheel movement shall not exceed 15 degrees.
      - Unintended steering wheel velocity shall not exceed 180 deg/sec within the 15 degree unintended steering wheel movement.
      Vehicle validation criteria:
      - Path deviation criteria: The maximum path deviation shall not exceed 25 cm.
      - Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
    Other information: The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment. The steering assistance applied without driver input is a potential hazard if the condition causes a sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation that is too quick for the driver to be able to counter before the vehicle departs from its lane. This safety goal is applicable to steering torque or angle control functions.
  • 25. Safety Goal SG1_DIR_4_08: unintended steering wheel motion in the hoist “during service and maintenance” (ASIL B)
    Description: During service and maintenance, the steering item provides torque actuation unexpectedly when there is no request.
    Operating mode: Hoist (during service and maintenance)
    FTTI: 20 ms
    Hazard metrics:
      - Unintended steering wheel movement shall not exceed 15 degrees.
      - Unintended steering wheel velocity shall not exceed 180 deg/sec within the 15 degrees unintended steering wheel movement.
      - Unintended steering wheel torque shall not exceed 3 Nm.
    Other information: The hazard at the vehicle level is operator harm in the workshop situation. The hazardous situation is the risk of the operator being trapped by a moving part if the steering system moves unexpectedly. This safety goal is applicable to steering torque or angle control functions.
    b) Critical event
    # ERO | Rev | ERO name | ASIL
    ERO_EPS_4.02 | 1 | Auto steer. This potential hazard refers to the EPS system applying steering assistance without driver input. | D
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.02.01 | 0 | The EPS shall avoid stuck or unintended steering assistance torque | D
  • 26. 7.1.4. To avoid critical steering over-assistance (ASIL C)
    a) Safety goal requirement
    Safety Goal SG1_DA_4_02: To avoid critical steering over-assistance (ASIL C)
    Description: When the vehicle is moving, the steering item provides steering assistance more than the design intent. The resulting steering torque is greater than required (the steering feels lighter than normal) but the assistance is in the correct direction.
    Operating mode: Curves with lateral acceleration up to 0.2 g
    FTTI: 100 ms
    Hazard metrics: The system provides more than an additional 3 Nm at the steering wheel (the delta steering wheel torque must be less than 3 Nm compared to the nominal assistance).
    Other information: An extreme situation of excessive gain in the torque control could possibly result in vehicle instability (unintended vehicle lateral motion or unintended yaw moment).
    b) Critical event
    # ERO | Rev | ERO name | ASIL
    ERO_EPS_4.06 | 0 | Critical over assistance. This potential hazard covers the cases of steering wheel torque decrease (the EPS system supplies more assistance than required) | C
    ERO_EPS_4.09 | 0 | Unintended assistance recovery. This potential hazard covers the cases when the assistance is recovered unexpectedly | C
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.06.01 | 0 | The EPS shall avoid too high steering assistance torque | C
    FSR_EPS_4.06.02 | 0 | The EPS shall avoid too low vehicle speed with ASIL C. This requirement covers the corruption of the vehicle speed in the EPS and means that the acquisition, the conditioning and the processing of vehicle speed shall comply with ASIL C. | C
    FSR_EPS_4.06.03 | 0 | The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that allows a safe operation of the vehicle) and the transition to operate with a reduced level of assist shall be controlled (slope shall be defined) | C
    FSR_EPS_4.09.01 | 0 | The EPS shall avoid unintended assistance recovery | C
  • 27. 7.1.5. To avoid a large variation (ASIL C)
    a) Safety goal requirement
    Safety Goal SG1_DA_4_03: To avoid a large variation (ASIL C)
    Description: When the vehicle is moving, the steering item provides erratic/intermittent steering assistance torque. The resulting steering torque is unexpectedly fluctuating. The EPS system generates assistance torque of variable and incorrect magnitude (erratic) or correct magnitude but on/off (intermittent). Note: For high frequencies and low frequencies, the large variation is not safety relevant.
    Operating mode: Curves with lateral acceleration up to 0.2 g
    FTTI: 200 ms
    Hazard metrics: The delta steering wheel torque compared to nominal assistance shall be less than 3 Nm.
    Other information: A persistent erratic or inconsistent steering assist level may make it difficult to control the vehicle trajectory (unintended vehicle lateral motion or unintended yaw moment).
    b) Critical event
    # ERO | Rev | ERO name | ASIL
    ERO_EPS_4.05 | 0 | Critical random/erratic assistance. This potential hazard covers the unexpected steering wheel torque fluctuation. | C
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.05.01 | 0 | The EPS shall avoid random/erratic steering assistance torque | C
    FSR_EPS_4.05.02 | 0 | The EPS shall avoid random/erratic vehicle speed with ASIL C. This requirement covers the corruption of the vehicle speed in the EPS and means that the acquisition, the conditioning and the processing of vehicle speed shall comply with ASIL C. | C
    FSR_EPS_4.06.03 | 0 | The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that allows a safe operation of the car) and the transition to operate with a reduced level of assist shall be controlled (slope shall be defined) | C
  • 28. 7.1.6. To avoid a sudden loss of steering assist (ASIL B)
    a) Safety goal requirement
    Safety Goal SG1_DA_4_01: To avoid a sudden loss of steering assist (ASIL B).
    Description: When the vehicle is moving, there is sudden loss of steering assistance or reduced steering assist leading to steering wheel torque increase. The steering effort (manual steer) required varies significantly from one vehicle platform to another, and may vary within a platform due to front axle weight or steering geometry changes.
    Operating mode:
      - When vehicle is moving (velocity > 10 kph).
      - Hand wheel velocity up to 300°/s.
    FTTI: 100 ms
    Hazard metrics:
      - Max steering wheel torque shall be less than 10 Nm
      - Manual steer.
    Other information: The vehicle hazard is increased effort on the steering wheel. A sudden loss of steering assistance torque causes higher steering effort, especially at low vehicle speeds and for rapid steering at any vehicle speed. The safety goal includes the ‘sudden’ aspect (e.g. loss of assistance without warning).
    b) Critical event
    # ERO | Rev | ERO name | ASIL | Probabilistic target mechanical
    ERO_EPS_4.07 | 0 | Loss of assistance. This potential hazard covers the cases when the steering wheel torque increases. It concerns the following cases: complete loss of assistance; critical under assistance (the EPS supplies less assistance than required); no reactivation or inopportune deactivation of assistance (STTd Function) | B | 10^-4 in 15 years or 240000 km
  • 29. c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_4.07.01 | 0 | The EPS shall avoid sudden loss of steering assistance (ASIL B) | B
    FSR_EPS_4.07.02 | 1 | The EPS shall avoid unwanted deactivation or no reactivation of assistance (activation / deactivation conditions and STTd conditions). Note: These thresholds could be changed during design phase. | B
    FSR_EPS_4.07.02.01 | 0 | In response to requirement FSR_EPS_4.07.02: If assistance has been activated, in case of failure of one of the interface signals ignition (stuck at off), engine state (lost, invalid or not running) or power cut request (lost or stuck at “demand”), the EPS shall not deactivate the assistance if vehicle speed is over a threshold. (ASIL B). Note: These thresholds could be changed during design phase. | B
    FSR_EPS_4.07.02.02 | 0 | In response to requirement FSR_EPS_4.07.02: If assistance has been deactivated and conditions for its safe reactivation are fulfilled, then the EPS shall reactivate the assistance with a slope when vehicle speed is over a threshold. (ASIL B) Note: These thresholds could be changed during design phase. | B
    FSR_EPS_4.07.03 | 0 | The EPS shall be designed to provide assistance with ASIL B: the EPS shall avoid no steering assistance torque with ASIL B; the EPS shall avoid too low steering assistance torque with ASIL B | B
    FSR_EPS_4.07.04 | 0 | The EPS shall avoid incorrect setting of ignition signal with ASIL A(B). This requirement covers the corruption of ignition in the EPS and covers the acquisition, the conditioning and the processing of the ignition | A(B)
    FSR_EPS_4.07.05 | 0 | The EPS shall avoid incorrect setting of engine state signal with QM(B). This requirement covers the corruption of engine state in the EPS and covers the acquisition, the conditioning and the processing of the engine state | QM(B)
    FSR_EPS_4.07.06 | 0 | The EPS shall avoid incorrect setting of power cut request signal to “request” with QM(B). This requirement covers the corruption of power cut request in the EPS and covers the acquisition, the conditioning and the processing of the power cut request signal | QM(B)
    FSR_EPS_4.07.07 | 0 | Sufficient independence between ignition, engine state and vehicle speed shall be ensured in the EPS with ASIL B | B
    FSR_EPS_4.07.08 | 0 | Sufficient independence between power cut request and vehicle speed shall be ensured in the EPS with ASIL B | B
    FSR_EPS_4.07.09 | 0 | The requirements allocated to input signals (FSR_EPS_4.07.04 to FSR_EPS_4.07.08) are related to the strategy specified by PSA. The supplier shall provide its requirements for these input signals if these signals are used by the supplier strategies. |
    # TSR | Rev | Technical safety requirement | ASIL
    TSR_EPS_4.07.02.01_01 | 0 | If assistance has been activated, in case of failure of engine state (incorrect setting of engine state at [lost, CUT, STARTING or NOT VALID] instead of Running or STT state), the EPS shall ramp down the assistance after a defined delay (T_A2) only if vehicle speed is lower than threshold (ASIL B). | B
  • 30. # TSR | Rev | Technical safety requirement | ASIL
    TSR_EPS_4.07.02.01_02 | 0 | If assistance has been activated, in case of failure of ignition (incorrect setting of ignition at off), the EPS shall ramp down the assistance after a defined delay (T_A1) only if vehicle speed is lower than threshold and engine state is [lost, invalid, not running or not in STT states] (ASIL B). | B
    TSR_EPS_4.07.02.01_03 | 0 | If assistance has been activated, in case of failure of ignition and vehicle speed (failure mode: unwanted transition on invalid vehicle speed and incorrect setting of ignition at off), the EPS shall ramp down the assistance after a defined delay (T_A3) only if engine state is off [loss, CUT, STARTING or NOT VALID] (ASIL B) | B
    TSR_EPS_4.07.02.01_04 | 0 | If assistance has been activated, in case of failure of engine state and ignition (failure mode: incorrect setting of engine state at [loss, CUT, STARTING or NOT VALID] instead of Running or STT state and incorrect setting of ignition at off), the EPS shall ramp down the assistance after a defined delay (T_A1) only if vehicle speed is under a threshold (ASIL B). | B
    TSR_EPS_4.07.02.01_05 | 0 | If assistance has been activated, in case of failure of engine state and vehicle speed (failure mode: loss or invalid vehicle speed, incorrect setting of engine state at [loss, CUT, STARTING or NOT VALID] instead of Running or STT state and incorrect setting of ignition at off), the EPS shall ramp down the assistance after a defined delay (T_A3) only if ignition is off (ASIL B) | B
    TSR_EPS_4.07.02.01_06 | 0 | If assistance has been activated, in case of failure of engine state, ignition and vehicle speed (failure mode: invalid vehicle speed and incorrect setting of engine state at [loss, CUT, STARTING or NOT VALID] instead of Running or STT state and incorrect setting of ignition at off), the EPS shall ramp down the assistance only after a defined delay (T_A3) (ASIL B). | B
    TSR_EPS_4.07.02.01_07 | | If assistance has been activated, in case of failure of power cut request, the EPS shall ramp down the assistance only if vehicle speed is lower than a threshold (ASIL B) | B
    TSR_EPS_4.07.02.02_01 | 0 | When assistance is deactivated due to power cut request, the EPS shall ramp up the assistance if vehicle speed is higher than threshold (ASIL B). Note: this requirement means: in case of power cut request stuck at “demand” the EPS shall ramp up the assistance over a threshold of vehicle speed. | B
    TSR_EPS_4.07.02.02_02 | 0 | When assistance is deactivated due to engine state, the EPS shall ramp up the assistance if vehicle speed is higher than threshold (ASIL B). Note: this requirement means: in case when assistance is ramped down and ECU is still awake without presence of failure, the EPS shall ramp up the assistance over a threshold of vehicle speed (e.g. after engine stalling, the assistance is ramped up on vehicle speed even if engine doesn’t restart). | B
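TSR_EPS_4.07.02.01_01 to _07 and TSR_EPS_4.07.02.02_01/_02 can be read as one decision table over the signal values the EPS observes. The C example below is added here for illustration and is not code from PSA or a supplier; the numeric values of T_A1, T_A2, T_A3 and the speed threshold, every type and function name, and the choice not to act on a power cut request while vehicle speed is invalid are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed placeholder values: the page names these parameters without numbers. */
#define T_A1_MS             1000u
#define T_A2_MS             2000u
#define T_A3_MS             3000u
#define SPEED_THRESHOLD_KPH 10u

/* ENGINE_NOT_RUNNING groups the states the page lists as lost, CUT, STARTING
 * and NOT VALID; ENGINE_RUNNING_OR_STT is Running or an STT state. */
typedef enum { ENGINE_RUNNING_OR_STT, ENGINE_NOT_RUNNING } engine_state_t;

typedef enum {
    HOLD_ASSIST,        /* keep assisting */
    RAMP_AFTER_T_A1,
    RAMP_AFTER_T_A2,
    RAMP_AFTER_T_A3,
    RAMP_POWER_CUT      /* TSR ..._07 names no delay */
} assist_decision_t;

typedef struct {
    bool           ignition_on;
    engine_state_t engine;
    bool           speed_valid;
    uint16_t       speed_kph;
    bool           power_cut_requested;
} eps_inputs_t;

/* Decision for an EPS whose assistance is currently active. */
assist_decision_t decide_deactivation(const eps_inputs_t *in)
{
    bool speed_low = in->speed_valid && in->speed_kph < SPEED_THRESHOLD_KPH;

    /* A valid speed that is not below the threshold vetoes every ramp-down
     * (FSR_EPS_4.07.02.01), so one stuck input cannot remove assistance. */
    if (in->speed_valid && !speed_low)
        return HOLD_ASSIST;

    /* TSR ..._07: a power cut request is honoured only at low speed. With an
     * invalid speed it is ignored here (assumption of this example). */
    if (in->power_cut_requested && speed_low)
        return RAMP_POWER_CUT;

    /* TSR ..._02 and _03 both need the engine reported as not running. */
    if (in->engine == ENGINE_RUNNING_OR_STT)
        return HOLD_ASSIST;

    if (speed_low)      /* _01 (ignition on), _02 and _04 (ignition off) */
        return in->ignition_on ? RAMP_AFTER_T_A2 : RAMP_AFTER_T_A1;

    /* Speed lost or invalid: _05 requires ignition off as well, and
     * _03/_06 then allow the ramp only after T_A3. */
    return in->ignition_on ? HOLD_ASSIST : RAMP_AFTER_T_A3;
}

static uint32_t delay_ms(assist_decision_t d)
{
    switch (d) {
    case RAMP_AFTER_T_A1: return T_A1_MS;
    case RAMP_AFTER_T_A2: return T_A2_MS;
    case RAMP_AFTER_T_A3: return T_A3_MS;
    default:              return 0u;
    }
}

typedef struct { assist_decision_t pending; uint32_t elapsed_ms; } deact_timer_t;

/* Call once per control cycle; returns true when the ramp-down may start. */
bool deactivation_due(deact_timer_t *t, const eps_inputs_t *in, uint32_t dt_ms)
{
    assist_decision_t d = decide_deactivation(in);
    if (d != t->pending) {              /* inputs changed: restart the delay */
        t->pending = d;
        t->elapsed_ms = 0u;
    } else if (t->elapsed_ms < delay_ms(d)) {
        t->elapsed_ms += dt_ms;
    }
    return d != HOLD_ASSIST && t->elapsed_ms >= delay_ms(d);
}

/* TSR_EPS_4.07.02.02_01/_02: ramp assistance back up above the threshold. */
bool reactivation_due(const eps_inputs_t *in)
{
    return in->speed_valid && in->speed_kph > SPEED_THRESHOLD_KPH;
}
```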
  • 31. 7.2. Function: STTd
    Id. | Rev | Critical events | ASIL
    ERO_EPS_4.08 | 0 | No deactivation or inopportune activation of assistance (STTd function). This requirement concerns the safety goal to avoid collapse of the power network | A
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_ARAMTH_012 | 0 | The EPS shall avoid incorrect setting of power cut request “No request” with ASIL A. This requirement covers the corruption of power cut request in the EPS and covers the acquisition, the conditioning and the processing of the power cut request signal | A
    FSR_ARAMTH_014 | 0 | The requirement “STTd_EPS_11.0” of the functional specification shall respond to an ASIL A. (See chap 5.2 Power cut request validity of STT Functional specification 01452_09_00092) | A
    FSR_ARAMTH_019 | 0 | The EPS shall provide the correct signal Autorisation_arret_moteur. | A
    FSR_ARAMTH_020 | 0 | The EPS shall provide the correct signal Demande_Redem_moteur. | A
    FSR_ARAMTH_021 | 0 | The requirement “STTd_EPS_3.1” of the functional specification shall respond to an ASIL B. (See chap 4.6.4 Compute Engine restart request of STT Functional specification 01452_09_00092) | B
    Id. | Rev | Outputs critical events | ASIL | FIT
    ERO_EPS_4.41 | 0 | Erroneous information “Autorisation_arret_moteur”. Failure modes: erroneous to “authorisation” instead of “no authorisation” | A | 10
    ERO_EPS_4.42 | 0 | Erroneous information “Demande_Redem_moteur”. Failure modes: erroneous to “restarting not needed” | A | 10
    7.3. Safety output critical events
    7.3.1. Column angle (in case of AVA function):
  • 32. Id. | Rev | Outputs critical events | ASIL | FIT
    ERO_EPS_4.11 | 0 | Erroneous information “EPS column angle”. Threshold of error must be less than 10°. Latency time: 100 ms. The failure modes: too high (permanent/transient/unwanted transition); too low (permanent/transient/unwanted transition). NB: This critical event concerns the EPS transmitting frame 2F5 (SWS Class 1) | D | 1
    ERO_EPS_4.12 | 0 | Erroneous information “EPS column Speed”. Threshold of error must be less than 64°/s. Latency time: 100 ms. The failure modes: too high (permanent/transient/unwanted transition); too low (permanent/transient/unwanted transition). NB: This critical event concerns the EPS transmitting frame 2F5 (SWS Class 1) | D | 1
    ERO_EPS_4.13 | 0 | Loss or invalid “EPS column angle”. This critical output must include all the failures leading to: loss of frame 2F5 or frame 2F5 too short; invalid information “EPS column angle”; out of range | B | 10
    ERO_EPS_4.14 | 0 | Loss or invalid “EPS column speed”. This critical output must include all the failures leading to: loss of frame 2F5 or frame 2F5 too short; invalid information “EPS column speed”; out of range | B | 10
    ERO_EPS_4.20 | 0 | Erroneous “Etat secu angle colonne”: erroneous to column angle secured | D | 1
    ERO_EPS_4.21 | 0 | Loss of “Etat secu angle colonne”. This critical output must include all the failures leading to: loss of frame 2F5 or frame 2F5 too short | D | 1
    ERO_EPS_4.22 | 0 | Erroneous “Etat secu angle colonne”: erroneous to column angle not secured | B | 10
  • 33. 7.3.2. Absolute steering angle (in case the SAS is integrated in the EPS):
    Id. | Rev | Outputs critical events | ASIL | FIT
    ERO_EPS_4.30 | 0 | Erroneous information “Absolute steering angle”. Threshold of error must be less than 15°. Latency time: 100 ms. The failure modes: too high (permanent/transient/unwanted transition); too low (permanent/transient/unwanted transition). NB: This critical event concerns the case when the EPS provides the CAN output signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is integrated in the EPS). | D | 1
    ERO_EPS_4.31 | 0 | Loss or invalid “Absolute steering angle”. This critical output must include all the failures leading to: loss of frame 305 or frame 305 too short; invalid information “Absolute steering angle”; out of range | B | 10
    ERO_EPS_4.32 | 0 | Erroneous information “Steering wheel rotation Speed”. Threshold of error must be less than 64°/s. Latency time: 100 ms. The failure modes: too high (permanent/transient/unwanted transition); too low (permanent/transient/unwanted transition). NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is integrated in the EPS) | B | 10
    ERO_EPS_4.33 | 0 | Loss or invalid “Steering wheel rotation Speed”. This critical output must include all the failures leading to: loss of frame 305 or frame 305 too short; invalid information “Steering wheel rotation Speed”; out of range | B | 10
    ERO_EPS_4.34 | 0 | Loss of “Steering wheel sensor direction (SENS_ROT_VOL)”. This critical output must include all the failures leading to: loss of frame 305 or frame 305 too short | A(B) | 10
    ERO_EPS_4.35 | 0 | Erroneous information “Steering wheel sensor direction (SENS_ROT_VOL)”. Failure modes: erroneous to sens horaire; erroneous to sens trigo. NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is integrated in the EPS) | D | 1
    ERO_EPS_4.36 | 0 | Erroneous information “Calibration VOL”. The failure modes: erroneous to “calibrated”; erroneous to “uncalibrated”. NB: This critical event concerns the case when the EPS provides the CAN output signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is integrated in the EPS). | D | 1
  • 34. Id. | Rev | Outputs critical events | ASIL | FIT
    ERO_EPS_4.37 | 0 | Erroneous information “TRIM VOL”. The failure modes: erroneous to “ajusté”. NB: This critical event concerns the case when the EPS provides the CAN output signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is integrated in the EPS). | B | 10
    ERO_EPS_4.38 | 0 | Erroneous information “SAS State”. The failure modes: erroneous to “failure detected”. NB: This critical event concerns the case when the EPS provides the CAN output signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is integrated in the EPS). | A(B) | 10
    ERO_EPS_4.39 | 0 | Erroneous information “SAS State”. The failure modes: erroneous to “no failure”. NB: This critical event concerns the case when the EPS provides the CAN output signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is integrated in the EPS). | B(D) | 10
    These requirements will be refined depending on the technical proposition “virtual SAS”.
    7.3.3. Absolute steering angle (in case virtual SAS):
    Document Name | Applicable version | Reference
    Technical Safety requirements EPS for virtual SAS | V1.0 | 20655_17_00130
    7.3.4. Request for warning lamp
    Id. | Rev | Outputs critical events | ASIL | FIT
    ERO_EPS_4.19 | 0 | No request to switch on the warning lamp. Failure modes: loss of information; erroneous to “warning lamp not needed”; erroneous to the reserved value. This critical event concerns the CAN output “Power steering status” and the particular failure mode Power steering status erroneous to 00 “No request to light lamp” instead of 01 “request to light lamp” | B | 10
  • 35. 7.4. Multi-mode function
    Id. | Rev | Critical events | ASIL
    ERO_Mm_4.01 | 0 | Unintended transition to normal mode. This critical event is related to over assistance | C
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_Mm_4.01.01 | 0 | The EPS shall avoid unintended or incorrect transition between multimode states | C
    7.5. City Park function
    Requirement Number | Rev | Requirement
    CPK-SAFETY-CLAUSE.0001 | 0 | The impact of the CPK function shall be taken into account by the supplier on all safety and reliability analysis.
    Note: The requirements about City Park function are provided by the main system manufacturer Valeo and Valeo is responsible for the requirements below (Cf Document: 0).
    Document Name | Applicable version | Reference
    Technical Safety Concept EPS for CPK | V2.0 | 00858_15_01879
  • 36. 7.6. LxA function
    7.6.1. SG1_LxA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
    a) Safety goal requirement
    Safety Goal: SG1_LXA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
    Critical scenarios:
    - Internal EPS failure leading to unwanted LXA regulation
    - Erroneous yaw rate compensation sent to STEER System
    - Erroneous LXA correction setpoint sent to STEER System
    Validation criteria: The hazard at the vehicle level is a path deviation. EPS shall limit the vehicle lateral dynamics induced by the LKA control. This limitation is translated in maximum absolute lateral acceleration and a minimum time before reaching a lateral acceleration threshold.
    Threshold:
    - Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed lower than 50 kph.
    - Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed higher than 50 kph.
    These thresholds shall be taken into account when calibrating the maximum steering wheel speed limitation in the EPS. PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
    Initial operating mode: LXA selected, lateral control in progress (hand On + hand Off).
    b) Critical event
    Id | Rev | Critical event (ERO) | ASIL
    ERO_EPS_LxA_4.01 | 0 | Unwanted or too high LxA intervention | D
    ERO_EPS_LxA_4.02 | 0 | Unwanted LxA intervention during ABS/ESC intervention or during ABS/ESC unavailability | B
    c) Derived safety requirements allocated to the EPS
    Id | Rev | Functional safety requirement | ASIL
    FSR_EPS_LxA_4.01.01 | 0 | The EPS shall apply LxA additional torque only if it is requested | D
    FSR_EPS_LxA_4.01.02 | 1 | During LxA intervention, the EPS shall limit LxA additional torque at threshold (LXA_Add-On_safe_threshold). LXA_Add-On_safe_threshold = 4Nm. Note: These thresholds could be changed during design phase. | D
    FSR_EPS_LxA_4.01.03 | 1 | During LxA intervention, if the LxA additional torque exceeds a threshold (LXA_Add-On_safe_threshold) for more than the duration (LXA_ADD-TQ_DELAY), the EPS shall ramp down the LxA function according to a defined slope (LXA_Add-On_SAFE_SLOPE). LXA_Add-On_safe_threshold = 4Nm. Latency time = 20 ms. Note: These thresholds could be changed during design phase. | D
  • 37. Derived safety requirements allocated to the EPS (continued)
    FSR_EPS_LxA_4.01.04 | 2 | During LxA intervention, the EPS shall ramp down LxA control if the variation of HW torque exceeds LXA_HWT_threshold for more than the duration (LxA_HWT_DELAY). LXA_HWT_threshold = +/-3 Nm. LxA_HWT_DELAY = 500 ms. Note: These thresholds could be changed during design phase. | D
    FSR_EPS_LxA_4.01.05 | 1 | During LxA intervention, if the hand-wheel torque exceeds a threshold (LXA_HWT_SAFE_THRESHOLD) for more than the duration (LxA_HWT_DELAY), the EPS shall ramp down the LxA function according to a defined slope (LXA_HWT_SAFE_SLOPE). LXA_HWT_SAFE_THRESHOLD = 2.8Nm. LXA_HWT_DELAY = 20 ms. LXA_HWT_SAFE_SLOPE = 1Nm/s. Note: These thresholds could be changed during design phase. | D
    FSR_EPS_LxA_4.01.06 | 3 | During LxA intervention, the EPS shall ramp down (with defined slope LXA_SWV_SLOPE) the LxA function if steering wheel velocity is higher than LXA_SWV_safe_threshold for more than LXA_SWV_DELAY. LXA_SWV_safe_threshold is defined depending on vehicle speed (see functional specification 00998_12_01589). LXA_SWV_DELAY depends on steering wheel speed and vehicle speed (maximum value is 800 ms). LXA_SWV_SLOPE: to be calibrated during design phase. Note: These parameter settings could be changed during design phase. | B
    FSR_EPS_LXA_4.01.08 | 1 | The EPS shall avoid too high or too low steering wheel speed. Note: These parameter settings could be changed during design phase. | B
    FSR_EPS_LxA_4.01.10 | 3 | During LxA intervention, the EPS shall ramp down (with defined slope LXA_SWA_SLOPE) the LxA function if steering wheel angle is higher than LXA_SWA_safe_threshold for more than LXA_SWA_DELAY. LXA_SWA_safe_threshold is defined depending on vehicle speed (target: lateral acceleration max: 3 m/s², reaching a +2m/s² lateral acceleration increase shall require at least 0.5s). The threshold needs to be defined from the following criteria: lateral acceleration 0,3g (3m/s²). LXA_SWA_DELAY = 200 ms. LXA_SWA_SLOPE: to be calibrated during design phase. Note: These parameter settings could be changed during design phase. | B
  • 38. Derived safety requirements allocated to the EPS (continued)
    FSR_EPS_LxA_4.01.11 | 1 | The EPS shall avoid too high or too low steering wheel angle. The fault amplitude and FTTi need to be defined from the following criteria: lateral acceleration 0,3g (3 m/s²). Note: These parameter settings could be changed during design phase. | B
    FSR_EPS_LxA_4.01.12 | 0 | The EPS shall limit the gradient of COLUMN_ANGLE_SETPOINT (see functional specification 00998_12_01589) | B
    FSR_EPS_LxA_4.01.13 | 0 | The EPS shall limit the variation of LKA_TRQ_FACT_REQ (see functional specification 00998_12_01589) | B
    FSR_EPS_LxA_4.02.01 | 0 | The EPS shall apply LxA request only if ABS/ESC is available (no fault and no driver deactivation) and no ABS/ESC intervention. | B
    FSR_EPS_LxA_4.02.02 | 0 | In case of ABS/ESC intervention during LxA intervention, the EPS shall ramp down the LxA function with a defined slope and warn the driver. | B
    FSR_EPS_LxA_4.02.03 | 0 | In case of ABS/ESC unavailability during LxA intervention, the EPS shall ramp down the LxA function with a defined slope and warn the driver | B
    FSR_EPS_LxA_4.02.04 | 0 | In case of ABS/ESC intervention, the EPS shall inform the vehicle that no LXA regulation is possible (EPS_STATE_LXA=000 “unauthorized”). | B
    FSR_EPS_LxA_4.02.05 | 0 | In case of ABS/ESC unavailability, the EPS shall inform the vehicle that no LXA regulation is possible (EPS_STATE_LXA=000 “unauthorized”). | B
    FSR_EPS_LxA_4.02.06 | 0 | In case of detected communication failures between ESC and the EPS, the EPS shall inform the vehicle that no LXA regulation is possible (EPS_STATE_LXA=100: “the defect state”). | B
    FSR_EPS_LxA_4.02.07 | 0 | The recovery is allowed only if ABS/ESP available and no ESC regulation in progress and no communication failures between ESC and EPS | B
    FSR_LxA_01.14.a | 0 | EPS shall avoid sending an erroneous column speed (vitesse_colonne) and steering wheel torque optimized (cple_volant_optimise) to BSI. | B
    FSR_LxA_01.15.a | 0 | EPS shall avoid not deactivating LxA when requested by BSI (LxA_state set as deactivated). | A(B)
    FSR_LxA_01.18.a | 0 | EPS ensure no common cause failure between limiting the vehicle lateral dynamics (FSR_LxA_01.8.a), sending erroneous column speed and steering wheel torque to BSI (FSR_LxA_01.14.a) and not deactivating on BSI request (FSR_LxA_01.15.a), at ASIL B. Note: in this specification, FSR_LxA_01.8.a = FSR_EPS_LxA_4.01.06 + FSR_EPS_LxA_4.01.10 | B
    FSR_LxA_03.2.a | 0 | EPS shall avoid not informing BSI that no LxA control is possible in case of internal failure (EPS_state_LXA), at ASIL QM | QM
  • 39. SG1_LxA_4_01: The driver shall always be able to keep the control of the vehicle trajectory during LxA trajectory correction (ASIL B)
    a) Safety goal requirement
    Safety Goal: SG1_LXA_4_01: The driver shall always be able to keep the control of the vehicle trajectory during LXA trajectory correction (ASIL B)
    Critical scenarios:
    - Erroneous yaw rate compensation sent to STEER System
    - Erroneous LXA correction setpoint sent to STEER System
    - ABS/ESP not available or data from ABS/ESP not available
    - Driver does not have the steering wheel in hands.
    Validation criteria: The hazard at the vehicle level is a path deviation. EPS shall limit the vehicle lateral dynamics induced by the LKA control. This limitation is translated in maximum absolute lateral acceleration and a minimum time before reaching a lateral acceleration threshold.
    Threshold:
    - Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed lower than 50 kph.
    - Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed higher than 50 kph.
    These thresholds shall be taken into account when calibrating the maximum steering wheel speed limitation in the EPS. PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
    Initial operating mode: LXA selected, lateral control in progress (hand On + hand Off).
    b) Critical event
    # ERO | Rev | Critical event (ERO) | ASIL
    ERO_EPS_LxA_4.03 | 0 | Erroneous LxA torque correction leading to path deviation (due to EPS failures) | B
    c) Derived safety requirements allocated to the EPS
    Id | Rev | Functional safety requirement | ASIL
    FSR_EPS_LxA_4.03_01 | 0 | The EPS shall detect a driving situation without hand during 10s and provide signals to inhibit LxA function (EPS_STATE_LXA=000 “unauthorized state” and STEERWHL_HOLD_BY_DRV=0 “no steering activity detected from the driver torque”). | A(B)
    FSR_EPS_LxA_4.03_02 | 0 | If the EPS detects a driving situation without hand on the steering wheel for more than 10s, the EPS shall inform the driver (see functional specification 00998_12_01589) | A(B)
    FSR_EPS_LxA_4.03_03 | 0 | If the EPS detects a driving situation without hand on the steering wheel for more than 3s after the driver warning, the EPS shall ramp down the LxA function with a defined slope (Slope = 1Nm/s) | A(B)
  • 40. 7.6.2. SG1_LxA_4_02: LXA function shall ensure the controllability of the vehicle in case of LxA deactivation (ASIL D)
    a) Safety goal requirement
    Safety Goal: SG1_LXA_4_02: LXA function shall ensure the controllability of the vehicle in case of LXA deactivation (ASIL B)
    Critical scenarios:
    - Trajectory correction deactivation
    Validation criteria: The hazard at the vehicle level is a path deviation. EPS shall limit the vehicle lateral dynamics induced by the LKA control. This limitation is translated in maximum absolute lateral acceleration and a minimum time before reaching a lateral acceleration threshold.
    Threshold:
    - Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed lower than 50 kph.
    - Reaching a +2m/s² lateral acceleration increase shall require at least 0.5s for vehicle speed higher than 50 kph.
    These thresholds shall be taken into account when calibrating the maximum steering wheel speed limitation in the EPS. PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
    Initial operating mode: LXA selected, lateral control in progress (hand On + hand Off).
    b) Critical event
    # ERO | Rev | ERO name | ASIL
    ERO_EPS_LxA_4.04 | 1 | Brutal LxA deactivation (due to EPS failure) | B
    c) Derived safety requirements allocated to the EPS
    # FSR | Rev | Functional safety requirement | ASIL
    FSR_EPS_LxA_4.04_01 | 1 | The EPS shall ramp down LxA function with a defined slope to avoid brutal LxA deactivation | B
    FSR_EPS_LxA_4.04_02 | 1 | The EPS shall avoid an erroneous slope: slope higher than 7,5Nm/s or slope lower than 1Nm/s. Note: The safe range for slope is [1Nm/s 7,5Nm/s] | B
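The hand-wheel torque monitor of FSR_EPS_LxA_4.01.05, combined with the 4 Nm limit of FSR_EPS_LxA_4.01.02 and the slope range of FSR_EPS_LxA_4.04_02, as an added C example that is not part of the specification or of any supplier's code. The 1 ms task period, the type and function names, and the choice to keep LxA off when the calibrated slope is out of range are assumptions.

```c
#include <stdbool.h>

/* Values quoted from the requirement tables above; the page notes that they
 * may change during the design phase. */
#define LXA_ADDON_SAFE_THRESHOLD_NM 4.0f /* FSR_EPS_LxA_4.01.02 */
#define LXA_HWT_SAFE_THRESHOLD_NM   2.8f /* FSR_EPS_LxA_4.01.05 */
#define LXA_HWT_DELAY_MS            20u  /* FSR_EPS_LxA_4.01.05 */
#define LXA_SLOPE_MIN_NM_S          1.0f /* FSR_EPS_LxA_4.04_02 */
#define LXA_SLOPE_MAX_NM_S          7.5f /* FSR_EPS_LxA_4.04_02 */
#define TASK_PERIOD_MS              1u   /* assumption: 1 ms monitor task */

typedef enum { LXA_ACTIVE, LXA_RAMP_DOWN, LXA_OFF } lxa_mode_t;

typedef struct {
    lxa_mode_t mode;
    unsigned   over_ms;     /* time |hand-wheel torque| has stayed above threshold */
    float      ceiling_nm;  /* largest add-on torque magnitude currently allowed */
    float      slope_nm_s;  /* ramp-down slope, range-checked at init */
    float      last_out_nm; /* torque released on the previous step */
} lxa_monitor_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

static float clamp_sym(float x, float limit)
{
    if (x > limit)  return limit;
    if (x < -limit) return -limit;
    return x;
}

/* FSR_EPS_LxA_4.04_02: a slope outside [1, 7.5] Nm/s is erroneous. */
bool lxa_slope_is_safe(float slope_nm_s)
{
    return slope_nm_s >= LXA_SLOPE_MIN_NM_S && slope_nm_s <= LXA_SLOPE_MAX_NM_S;
}

/* Returns false and leaves the function OFF when the calibrated slope is
 * unsafe (design choice of this example). */
bool lxa_monitor_init(lxa_monitor_t *m, float slope_nm_s)
{
    bool ok = lxa_slope_is_safe(slope_nm_s);
    m->mode        = ok ? LXA_ACTIVE : LXA_OFF;
    m->over_ms     = 0u;
    m->ceiling_nm  = LXA_ADDON_SAFE_THRESHOLD_NM;
    m->slope_nm_s  = slope_nm_s;
    m->last_out_nm = 0.0f;
    return ok;
}

/* One task step: returns the add-on torque allowed to reach the motor.
 * Recovery from LXA_OFF is out of scope here. */
float lxa_monitor_step(lxa_monitor_t *m, bool requested,
                       float request_nm, float hw_torque_nm)
{
    if (m->mode == LXA_ACTIVE) {
        if (absf(hw_torque_nm) > LXA_HWT_SAFE_THRESHOLD_NM) {
            m->over_ms += TASK_PERIOD_MS;
            if (m->over_ms > LXA_HWT_DELAY_MS) {      /* persisted past the delay */
                m->mode = LXA_RAMP_DOWN;
                m->ceiling_nm = absf(m->last_out_nm); /* ramp from applied torque */
            }
        } else {
            m->over_ms = 0u;                          /* transient: restart timer */
        }
    }
    if (m->mode == LXA_RAMP_DOWN) {
        m->ceiling_nm -= m->slope_nm_s * (float)TASK_PERIOD_MS / 1000.0f;
        if (m->ceiling_nm <= 0.0f) {
            m->ceiling_nm = 0.0f;
            m->mode = LXA_OFF;
        }
    }
    /* FSR_EPS_LxA_4.01.01: torque only if requested; 4.01.02: clamp to ceiling. */
    float out = (!requested || m->mode == LXA_OFF)
                    ? 0.0f : clamp_sym(request_nm, m->ceiling_nm);
    m->last_out_nm = out;
    return out;
}
```

The persistence counter resets on any sample below the threshold, so a torque spike shorter than the delay never triggers the ramp-down, and the ramp starts from the torque that was actually being applied rather than from the 4 Nm limit.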
  • 41. Output requirements LXA
    Id. ERO | Critical Event | ASIL | FIT
    ERO-LXA-EPS-SDF.0016 (1.0) | Unwanted transition to active or authorized or available. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | QM(D) | 100
    ERO-LXA-EPS-SDF.0017 (1.0) | Impossible transition to defect. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | QM(D) | 100
    ERO-LXA-EPS-SDF.0018 (1.0) | Impossible transition to defect of EPS_STATE_LXA and wrong values of LXA_REQUIRED_ADDIT_STEER_WL_TORQUE. This critical event concerns the output signal Common mode EPS_STATE_LXA and LXA_REQUIRED_ADDIT_STEER_WL_TORQUE transmitted on frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | B(D) | 10
    ERO-LXA-EPS-SDF.0019 (1.0) | Impossible transition to unauthorized. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | QM(B) | 100
    ERO-LXA-EPS-SDF.0020 (1.0) | Impossible transition to unauthorized and REGUL_ESP erroneous to "no regulation". This critical event concerns the output signal Common mode EPS_STATE_LXA and REGUL_ESP transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | B | 10
    ERO-LXA-EPS-SDF.0021 (1.0) | Impossible transition to "no steering activity detected from the driver torque". This critical event concerns the output signal STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV | QM(A) | 100
    ERO-LXA-EPS-SDF.0022 (1.0) | Loss/Absence. This critical event concerns the output signal STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV | QM(A) | 100
  • 42. 7.7. Safety threat / attack critical events
    Id. | Threat/Attack Critical Event
    ERO_EPS_4.21 | EMC susceptibility. This critical event covers the EMC immunity.
    ERO_EPS_4.22 | Disturbance of the surrounding systems due to EMC emissions
    ERO_EPS_4.23 | Thermal event. This critical event is related to the CCA topic.
    7.8. FTA requirements
    Id. | Rev | Requirement
    GEN-SAFETY-CLAUSE-G4.0001 | 0 | For each safety critical event, the reference period must be 15 years or 240000 km (first criterion reached). The confidence level required for validation of the failure modes leading to a safety critical event is 75%.
    GEN-SAFETY-CLAUSE-G4.0002 | 0 | The supplier must perform the FTA for each safety critical event. For functional safety critical events and for output critical events (defined in this document) the qualitative and quantitative fault tree analyses are mandatory. The qualitative fault tree is mandatory for safety threat/attack critical events. The qualitative fault tree analysis shall be used to investigate the random failures and systematic failures. The quantitative fault tree shall be used to estimate the probability of the hazard. The quantitative fault analysis must cover the random failures and mechanical failures. The fault tree must take into account all the combinations of failures leading to each safety critical event. The fault tree must take into account all techniques and measures applied to control random faults leading to each critical event.
    GEN-SAFETY-CLAUSE-G4.0003 | 0 | The quantitative result on each critical event must be expressed for: HW random failures, in terms of failure rate per hour, SPFM and LFM; mechanical failures, in terms of probability of failure during the reference period.
    GEN-SAFETY-CLAUSE-G4.0004 | 0 | Each functional critical event (defined in §7.1) shall reach the quantitative target expressed in the table 1. The target for each functional critical event must be reached with the inputs data reliability values (of PSA responsibility).
    GEN-SAFETY-CLAUSE-G4.0005 | 0 | Each output critical event (defined in §7.2) must reach the failure rate per hour required for each output critical event and the SPFM/LFM expressed in the table 1. The target of each output critical event must be reached with the inputs data reliability values of PSA responsibility
    GEN-SAFETY-CLAUSE-G4.0006 | 0 | For HW random failures, the calculation must be based on official data base (see ISO 26262-5). If the supplier uses his RETEX (Field Feedback), the target to reach is divided by factor 10 (for example, for target with official data base at 10^-8, the target will be 10^-9).
    GEN-SAFETY-CLAUSE-G4.0007 | 0 | The supplier must justify each HW failure rate and probability failure on reference period for mechanical failures used for the quantification.
  • 43. 7.8. FTA requirements (continued)
    GEN-SAFETY-CLAUSE-G4.0008 | 0 | The supplier must provide the requirements on the inputs data (of PSA responsibility) and interfaces in order to reach the target on each safety critical event. The requirements on inputs data and interfaces must be accepted by PSA.
    GEN-SAFETY-CLAUSE-G4.0009 | 0 | For each safety critical event, the supplier must justify all single HW random failure and residual failures.
    GEN-SAFETY-CLAUSE-G4.0010 | 0 | For each safety critical event, the supplier must justify all single mechanical failures.
    GEN-SAFETY-CLAUSE-G4.0011 | 0 | It is forbidden that a single fault vs. threat / attack leads to gravity 4. The technical design shall fulfil this principle. If auto protection is not sufficient, a justification document must be delivered by the supplier (justification on multi-barrier principle…).
    GEN-SAFETY-CLAUSE-G4.0012 | 0 | For each safety critical event, the supplier must justify the fulfilment of the requirement in terms of ASIL for systematic failures. The justification is achieved by applying techniques and measures for avoidance of systematic failures according to the standard ISO 26262.
    Table 1
    ASIL | EE failures: failure rate (FIT) | EE failures: SPFM | EE failures: LFM | Mechanical failures: probability of failure on the period (15 years / 240000km)
    A | 1000 | | | 10^-3
    B | 100 | 90% | 60% | 10^-4
    C | 100 | 97% | 80% | 10^-5
    D | 10 | 99% | 90% | 10^-6
    8. Reliability and availability requirements
    8.1. Gravity 3 critical events
    Id. | Critical events | Comments
    ERO_EPS_3.01 | Degraded steering due to EPS failures | This critical event includes all the failures leading to degradation of steering wheel torque (friction, backlash,..)
    ERO_EPS_3.02 | Lack of assistance | No assist at the start-up
    ERO_EPS_3.03 | Non critical under assistance |
    ERO_EPS_3.04 | Non critical over assistance |
    ERO_EPS_3.05 | Non critical random assistance |
    ERO_EPS_3.06 | EPS failures leading to over consumption | This critical event includes: quiescent current more than 100 µA; standby current more than 500 mA; operating current erroneous too high; unwanted wake up (ECU doesn’t go to sleep, inopportune ECU wake up)
  • 44. 8.1. Gravity 3 critical events (continued)
    Id. | Critical events | Comments
    ERO_EPS_3.07 | Unwanted request to switch on the warning lamp | This critical event concerns the CAN output “Power steering status” and the particular failure mode power steering status erroneous to 01 “request to light lamp” instead of 00 “No request to light lamp”
    ERO_EPS_3.08 | No request to restart the engine. | This critical event concerns the frame 495 Engine restart requested by sub system DA erroneous to 0 “No need of restart” instead of 1 “Restart request”
    ERO_EPS_3.09 | Unwanted Engine stop authorization by EPS | This critical event concerns the frame 495 Engine stop authorization by sub system DA erroneous to 1 “Stop authorization” instead of 0 “No stop authorization”
    ERO_EPS_3.10 | NVH due to EPS failures | This critical event includes: severe airborne noise (includes rattle); structure-borne noise; EPS vibration generation.
    Id. | Critical events | Comments
    ERO-LXA-EPS-108 (1.0) | No LXA correction when needed due to EPS failures |
    ERO-LXA-EPS-109 (1.0) | Unwanted stop of LXA torque correction during a correction due to EPS failures |
    ERO-LXA-EPS-110 (1.0) | Unwanted LXA torque correction due to EPS failures |
    ERO-LXA-EPS-111 (1.0) | Erroneous LXA state display to the driver (LXA is displayed as able to correct trajectory while it is not) due to EPS failures |
    ERO-LXA-EPS-112 (1.0) | Erroneous LXA takeover alert to the driver (alert is not displayed while needed) due to EPS failures |
    Id. ERO | Critical Event | Cumulated probability
    ERO-LXA-EPS-SDF.0006 (1.0) | Loss/Absence due to EPS failures. This critical event concerns the output signal COMMUNICATION CAN I/S | D(7 years 150000km) <10^-4
    ERO-LXA-EPS-SDF.0007 (1.0) | Impossible transition to "available" or "authorized" or "active" due to EPS failures. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | D(7 years 150000km) <10^-4
    ERO-LXA-EPS-SDF.0008 (1.0) | Untimely transition to defect due to EPS failures. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | D(7 years 150000km) <10^-4
    ERO-LXA-EPS-SDF.0009 (1.0) | Impossible transition to defect due to EPS failures. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | D(7 years 150000km) <10^-4
  • 45. 8.1. Gravity 3 critical events (continued)
    Id. ERO | Critical Event | Cumulated probability
    ERO-LXA-EPS-SDF.0010 (1.0) | Loss/Absence due to EPS failures. This critical event concerns the output signal EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ / EPS_STATE_LXA | D(7 years 150000km) <10^-4
    ERO-LXA-EPS-SDF.0011 (1.0) | Untimely transition to "no steering activity detected from the driver torque" due to EPS failures. STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV | D(7 years 150000km) <10^-4
    8.2. Reliability, availability requirements and quantitative target
    Id. | Rev | Requirement
    GEN-SAFETY-CLAUSE-G3.0001 | 0 | For gravity 3 critical events, the reference period is 7 years or 150000 km (first criterion reached). The confidence level required for validation of the failure modes leading to a safety critical event is 75%.
    GEN-SAFETY-CLAUSE-G3.0002 | 0 | For each gravity 3 critical event the quantitative target is defined by the probability of failure on the reference period <10^-3. For random failures this target is equivalent to failure rate less than 10^-7/h.
    GEN-SAFETY-CLAUSE-G3.0003 | 0 | For Gravity 3 critical event the supplier must provide a justification for the quantitative results. The results must be provided for EE random failures and for mechanical failures
    GEN-SAFETY-CLAUSE-G3.0004 | 0 | The quantitative requirements are to be fulfilled with inputs data reliability values (of PSA responsibility).
    GEN-SAFETY-CLAUSE-G2-G1.0001 | 0 | For gravity 2 and gravity 1 critical events, the reference period is 3 years or 60000 km (first criterion reached). The confidence level required for validation of the failure modes leading to a safety critical event is 50%.
    GEN-SAFETY-CLAUSE-G2-G1.0002 | 0 | For each gravity 2 and gravity 1 critical event the quantitative target is defined by the probability of failure on the reference period <10^-3. For random failures this target is equivalent to failure rate less than 10^-7/h.
    GEN-SAFETY-CLAUSE-G2-G1.0003 | 0 | For gravity 2 and gravity 1 critical event the supplier must provide a justification for the quantitative results. The results must be provided for EE random failures and for mechanical failures
    GEN-SAFETY-CLAUSE-G2-G1.0004 | 0 | The quantitative requirements are to be fulfilled with inputs data reliability values (of PSA responsibility).