Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc

EPS Safety Dependability and durability requirements
EPS Safety Dependability and durability requirements Date : 10/12/2014 Page n°: 1/49
DRD/DCTC/ICDV/AFDH Réf. : 01452_13_00052
Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
3- Confidentiel restreint
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Safety dependability and durability requirements
Electric Power Steering (EPS)
Generic
Reference 01452_13_00052
Version number BL 3.0
Document status For authorized company use only
Date 2014, December 10th

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Written By Checked by Approved by
Aziz LAZAAR
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Abdelhak MHAOUEL
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Benoit LEVIN
DRD/DSEE/CIAE/SDFE/SDFG
Date:
Signature:
René Tathy
ITLINK /IPSIS SDFG
Antoine GAUTIER
DRD/DCTC/ICDV/AFDH/ACSD
Date:
Signature:
Clément HUBERT
DRD/DCTC/ICDV/AFDH
Date:
Signature:
Fabien LAVILLENIE
Date:
Signature:
Franck MARTINEAU
Date:
Signature:
Nicolas BECKER
DRD/DAPF/ARFS
Date:
Signature:

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Revision Chart and History Log
Version Date Author Changes and/or raison
0.1 24/01/2013
A. Lazaar
B. Levin
Creation
0.2 08/02/2013 B.Levin Correction of the expected FIT for the Safety output critical events
1.0 31/03/2014
A. LAZAAR
A. MHAOUEL
§6 update of generic requirements.
§7 update of EPS Safety Requirements (the safety goal and safety
functional critical event).
§11 update of work products.
1.1 19/09/2014
A.LAZAAR
A.MHAOUEL
chapter §7.6 for Safety requirements LXA Added
Update of §6,§7 and §11

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
2 10/12/2014
A.LAZAAR
A.MHAOUEL
§7.1.1 update of Safety goal to avoid excessive steering effort
for “Curves with lateral acceleration up to 0,1g” deleted from
SG1_DIR_4_01
§7.1.3 update of critical event Auto steer
for “It shall include also unintended recover of assistance” deleted
from ERO_EPS_4.02
for “Probabilistic target mechanical” deleted from ERO_EPS_4.02
§7.1.6 update of Safety goal to avoid a sudden loss of steering
assist
deleted “Curves with lateral acceleration up to 0,1g” deleted from
SG1_DA_4_01
Requirements added : TSR_EPS_4.07.02.01_07
Requirements deleted (duplicate) : TSR_EPS_4.07.02.01_01
§ 7.6 update of traceability requirements
Traceability requirements deleted form critical events: ERO-LKA-
EPS-94 (1.1), ERO-LKA-EPS-95 (1.1), and FST-LKA-EPS-106 (1.0).
§7.6.1 update of functional safety requirements LXA
Requirements deleted : FSR-LKA-EPS-97 (1.0), FSR-LKA-EPS-98
(1.0), FSR-LKA-EPS-99 (1.3)
Requirements added : FSR_EPS_ LXA_4.01.01, FSR_EPS_
LXA_4.01.02, FSR_EPS_ LXA_4.01.03, FSR_EPS_ LXA_4.01.04,
FSR_EPS_ LXA_4.01.05, FSR_EPS_ LXA_4.01.06, FSR_EPS_
FSR_EPS_ LXA_4.01.10, FSR_EPS_ LXA_4.01.11
FSR_EPS_ LXA_4.02.01, FSR_EPS_ LXA_4.02.02, FSR_EPS_
FSR_EPS_ LXA_4.02.06, FSR_EPS_ LXA_4.02.07.
Critical event ERO_EPS_LKA_4.02 updated ( ASIL B ald QM) : to
cover LxA
§7.6.2 update of functional safety requirements LXA
Requirements deleted : FST-LKA-EPS-101 (1.0), FSR-LKA-EPS-102
(1.0), FST-LKA-EPS-104 (1.0), FST-LKA-EPS-105 (1.0)
Requirements added : FSR_EPS_LXA_4.03_01,
FSR_EPS_LXA_4.03_02, FSR_EPS_LXA_4.03_03
§7.6.3 update of functional safety requirements
Requirements deleted : FST-LKA-EPS-107 (1.0),
Requirements added : FSR_EPS_LXA_4.04_01,
FSR_EPS_LXA_4.04_02
Safety goal SG1_LXA_4_02 to updated (ASIL D ald ASILA) : to cover
LxA
§ 7.6, §7.6.1, §7.6.2, §7.6.3 updated these chapter to due LxA
§11. Milestones of work products updated.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
2.1 03/08/2015 A.MHAOUEL
§7.6. update of functional safety requirements LxA
Requirements updated : FSR_EPS_ LxA_4.01.02, FSR_EPS_
LxA_4.01.03, FSR_EPS_ LxA_4.01.04 , FSR_EPS_ LxA_4.01.05,
FSR_EPS_ LxA_4.01.06, FSR_EPS_ LxA_4.01.10
Requirements deleted : FSR_EPS_ LXA_4.01.07, FSR_EPS_
LXA_4.01.09
Requirements added : FSR_EPS_ LxA_4.01.12, FSR_EPS_
LxA_4.01.13
2.2 08/03/2016
A.MHAOUEL
R.TATHY
Chapter §7.3.3 absolute steering angle (SAS virtual) is added for
Safety requirements Absolute steering angle in case SAS virtual.
2.3 07/10/2016
A.MHAOUEL
A.VIALAS
C.HUBERT
Chapter §7.5 City Park Function
Reference of document added to new safety requirements for City
Park function.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
3.0 30/06/2017
A.VIALAS
A.COLAS
§7.1. update of functional safety requirements to steer
Requirement split in 3 requirements + addition of a nota:
FSR_EPS_4.07.02 -> FSR_EPS_4.07.02 + FSR_EPS_4.07.02.01 +
FSR_EPS_4.07.02.02
§7.2. update of functional safety requirements STTd
Requirements ID change:
FSR_EPS_4.08.01 -> FSR_ARAMTH_012
New requirement added:
FSR_ARAMTH_014
FSR_ARAMTH_019
FSR_ARAMTH_020
FSR_ARAMTH_021
§7.3.3 update of safety requirements for virtual CAV3
Requirements updated :
DAE_VIRTUAL_CAV3_0013
Requirement Deleted:
ERO_EPS_XXXX (Tbd) (= DAE_VIRTUAL_CAV3_0015)
Requirements ID change:
ERO_EPS_4.31 -> DAE_VIRTUAL_CAV3_0015
ERO_EPS_XXX (Tbd) -> DAE_VIRTUAL_CAV3_0021
Chapter §7.5 City Park Function
Technical Safety Concept EPS for City Park function update version
v1.1 to v2.0.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
§7.6. update of functional safety requirements LxA
SG description added :
SG1_LXA_DIR_4_06
SG1_LXA_DIR_4_01
SG1_LXA_DIR_4_02
Requirements updated :
FSR_EPS_4.07.02
FSR_EPS_ LxA_4.01.04
FSR_EPS_ LXA_4.01.06
ASIL downgraded D to B:
ERO_EPS_LXA_4.04
FSR_EPS_LxA_4.04_01
FSR_EPS_LxA_4.04_02
New requirements added :
FSR_LxA_01.14.a
FSR_LxA_01.15.a
FSR_LxA_01.18.a
FSR_LxA_03.2.a

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Table of Contents
SOMMAIRE
SOMMAIRE............................................................................................................................................. 8
1. Purpose of Document.................................................................................................................. 9
2. Reference and applicable Documents ........................................................................................ 9
3. Acronyms..................................................................................................................................... 9
4. Product description.................................................................................................................... 10
5. Terminology............................................................................................................................... 10
6. Generic requirements ................................................................................................................ 11
6.1. General compliance with the standard ISO 26262.................................................................... 11
6.2. Safety planning.......................................................................................................................... 11
6.3. Safe design and safety activities ............................................................................................... 14
6.4. Verification Integration and Validation activities ........................................................................ 20
6.5. Release for production .............................................................................................................. 21
6.6. Traceability ................................................................................................................................ 21
6.7. Safety case................................................................................................................................ 21
7. EPS Safety Requirements allocated to EPS ............................................................................. 22
7.1. Function: To steer...................................................................................................................... 22
7.2. Function: STTd .......................................................................................................................... 31
7.3. Safety output critical events....................................................................................................... 31
7.3.1. Column angle (in case of AVA function): ................................................................................ 31
7.3.2. Absolute steering angle (in case of the SAS is integrated in the EPS): ................................. 33
7.3.3. Absolute steering angle (in case virtual SAS):........................................................................ 34
7.3.4. Request for warning lamp ....................................................................................................... 34
7.4. Multi-mode function ................................................................................................................... 35
7.5. City Park function....................................................................................................................... 35
7.6. LxA function............................................................................................................................... 36
7.7. Safety threat / attack critical events........................................................................................... 42
7.8. FTA requirements...................................................................................................................... 42
8. Reliability and availability requirements .................................................................................... 43
8.1. Gravity 3 critical events ............................................................................................................. 43
8.2. Reliability, availability requirements and quantitative target...................................................... 45
9. Degraded mode and safe state ................................................................................................. 46
10. Validation of the Objectives ....................................................................................................... 46
10.1. Principle of the method ........................................................................................................... 46
10.2. Steps of the method................................................................................................................ 47
11. Work products............................................................................................................................ 48

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
1. Purpose of Document
The purpose of this document is to provide safety dependability and durability requirements for The Electric Power Steering
(EPS).
2. Reference and applicable Documents
[R3010] ST Véhicule - Diriger le Véhicule et Assister la Direction
[701] Detailed Technical Specification Electric Power Steering.
[A003] Hardware specification
[A004] Software specification
[R1] Safety Requirements CPK allocated to the EPS (from Valeo) [00858_15_01879] V1.1
3. Acronyms
EPS Electric Power Steering
FMEA Failure Mode and Effect Analysis
FMEDA Failure Mode Effect and Diagnostic Analysis
FTA Fault Tree Analysis
NVH Noise Vibration and Harshness
EMC ElectroMagnetic Compatibility
ASIL Automotive Safety Integrity Level
BSI Body controller Unit
CAN Controller Area Network
CMB Dashboard
CMM Multifunction Engine Controller
ECU Electronic Control Unit
EE Electric and Electronic
ER Critical Event
ERF Critical Event at Functional level
FSC Functional Safety Concept
FSR Functional Safety Requirement
GMP Engine group
IHM Human Computeur Interface
LAS Ground connection
STT Stop and sTart
LxA Lane (x= Keeping or positioning) Assist

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
4. Product description
The product, limits, life situations, service functions, constraint function and mission profile are described in the document
[701]
5. Terminology
ISO 26262 makes extensive use of a specialized vocabulary. In general, we assume that the supplier is familiar with the
terms and definitions used within the standard.
Furthermore, PSA manipulates the term of critical event defined as bellow
Critical Event (ER): event due to a failure having an impact on the customer or his environment (undesired event).
Critical Events Gravity Classification:
« Gravity » rating is linked to the effect of the ER in term of disturbance for the user:
Level Definition Comments
1
Dissatisfaction or deterioration of one function of
the vehicle.
General vehicle performances kept. User can continue to use his
vehicle. No intervention (maintenance) is rapidly needed.
2 Loss of one vehicle function.
Apparition of unpleasant de symptoms. User can continue to use
his vehicle but an intervention (maintenance) is rapidly needed.
3 Unavailability of the vehicle for the user.
Unavailability of the vehicle due to the loss of an important
function or the non-respect of regulation (risk of being in breach of
the law).
Impossibility to park the vehicle in its state (risk of inviolability)
Voluntary stop by the user caused by the sentiment of insecurity
(i.e. important noises or vibrations)
4 Risk of corporal damages for human.
Can lead to an accident or corporal damages.
G4 are safety critical events.
Gravity 4 ER are classified following the ASIL scale according to
ISO WD 26262.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
6. Generic requirements
6.1. General compliance with the standard ISO 26262
Requirement Number Rev Requirement
GEN-SAFETY-CLAUSE_1.001 0 The supplier shall comply with the ISO26262 standard.
GEN-SAFETY-CLAUSE_1.002 0 If the supplier is working with subsequent Tier supplier(s), the supplier is still responsible
to satisfy PSA safety requirements and shall be responsible to ensure that the
subsequent Tier supplier(s) comply with the ISO26262 standard.
6.2. Safety planning
GEN-SAFETY-CLAUSE_2. 001 0 The supplier shall deliver a detailed safety and dependability plan
The supplier safety plan shall describe and identify the safety activities to make effective
the application of a safety lifecycle according to the workflow required by the ISO 26262
standard. This plan shall describe at least:
- Safety process & activities :
o the safety process definition,
o the safety & dependability activities to be carried out,
o the work products for each safety and dependability activity, and
documents to deliver to PSA.
- Roles & responsibilities:
o the organization and the responsibilities to carry out the development
activities for safety and dependability studies,
o the resources allocated to safety tasks and risk mitigation
o staff competencies, skills and experience matrix
- Confirmation measures plan :
o planning of confirmation measures,
o persons appointed to carry out confirmation measures
o check lists for confirmation measures
- Safety case :
o the content of the safety case
o the coordination of the safety case
- Safety Timing Plan:
o the planning of safety activities,
o the planning of the work product and delivery documents,
o the planning of safety reviews
o the planning of development of safety case.
If separate plans are produced for each domain (system, mechanical, hardware, and
software) all of them shall be coordinated.
The supplier shall refine progressively the safety plan according to the needs of each
phase of the safety lifecycle.
(Output work product WP_Safety_1.001).
GEN-SAFETY-CLAUSE_2. 002 0 The supplier shall perform the confirmation review of safety plan.
The supplier shall deliver the review report of confirmation review of safety plan.
(Output work product WP_Safety_1.001CR).

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_2. 003 0 PSA and the supplier shall complete the development interface agreement (DIA).
The aim is to agree on the job split between PSA and its partner. A check-list shall be
performed, adapted to the project under development, and allocated to PSA and/or its
partner. The relevant information shall be exchanged between PSA and its supplier.
The development interface agreement will be deployed using the support document
[01452_13_00067]
GEN-SAFETY-CLAUSE_2. 004 0
Supplier shall provide the compliance matrix establishing the compliance with the
requirements of this document “EPS Safety Dependability and durability requirements”.
GEN-SAFETY-CLAUSE_2. 005 0 The supplier shall carry out and provide integration and testing plan.
The supplier integration shall cover the planning of integration, the testing strategies,
testing activities and the determination of appropriate methods and measures for
verifications (testing) at the HW level, at the SW level and at the system level (HW-SW
integration)
The supplier shall refine progressively the integration and testing plan according to the
needs of each phase of the safety lifecycle.
GEN-SAFETY-CLAUSE_2. 006 0 The supplier shall perform the confirmation review of integration and testing plan.
The supplier shall deliver the review report of confirmation review of integration and
testing plan.
GEN-SAFETY-CLAUSE_2. 007 0 The supplier and PSA shall create jointly the safety validation plan.
The safety validation plan shall describe :
- the safety validation planning,
- the safety validation activities,
- the configuration of the item subjected to validation including its calibration data,
- the safety validation specifications (validation procedures, test cases, driving
maneuvers, and acceptance criteria). These specifications shall describe at least:
o the fault or error injected.
o the operating mode or life situation.
o the safety barrier or error detection mechanism.
o the reaction of the system (the specified reaction of the system).
o the testing facilities allowing the validation of the definitions.
The supplier can be involved to specify some tests to be done by PSA (e.g. internal faults
injection tests not covered by the supplier integration tests) or to define test procedures
The supplier shall refine progressively the integration and testing plan according to the
needs of each phase of the safety lifecycle.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_2. 008 0 The supplier shall perform the confirmation review of safety validation plan.
The supplier shall deliver the review report of confirmation review of safety validation
plan.
GEN-SAFETY-CLAUSE_2. 009 0 The supplier and PSA shall create jointly the functional safety assessment plan (The
functional safety assessment plan should be a collaborative effort by PSA and the
supplier)
The functional safety assessment plan shall describe :
- the functional safety activities,
- the planning of functional safety assessment activities,
- the persons appointed to carry out the functional safety assessment,
- the specific topics to be addressed by the functional safety assessment,
If the supplier performs internal functional safety assessment, the functional safety
assessment plan shall be delivered or addressed in the safety plan.
The supplier shall refine progressively the functional safety assessment plan according to
the needs of each phase of the safety lifecycle
GEN-SAFETY-CLAUSE_2. 010 0 The functional safety assessment shall be conducted as planed following generic
checklist agreed upon.
GEN-SAFETY-CLAUSE_2. 011 0 PSA and the supplier shall agree on the safety plan and supporting processes plan prior
to contract signing.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
6.3. Safe design and safety activities
GEN-SAFETY-CLAUSE_3.001 0 PSA and supplier shall define jointly the item
The "item definition" shall include at least:
I. Item overview
1) Elements of item.
2) Boundary of the item.
3) Internal and external interfaces.
4) Interaction with other items and elements.
5) Operational and environmental constraints.
6) Operating modes and operating states.
II. Functional concept and its purpose functionality.
III. Non-functional requirements of the item.
IV. Behavior achieved by similar functions, items or elements;
V. Assumptions on behavior expected from the item.
VI. Potential consequences of behavior shortfalls including known failure modes and
hazards.
VII. Legal Requirements and standards.
The item definition should be a collaborative effort by PSA and the supplier to describe
the item, with regard to its functionality, interfaces, environmental conditions, legal
requirements, known hazards, etc. The boundary of the item and its interfaces, as well as
assumptions concerning other items, elements, systems and components are
determined.
(Output work product: WP_Safety_1.007).
GEN-SAFETY-CLAUSE_3.002 0 The supplier shall perform hazard analysis and risk assessment.
The supplier shall deliver a mapping matrix between PSA safety goals, critical events and
the supplier safety goals and critical events.
GEN-SAFETY-CLAUSE_3.003 0 PSA and the supplier shall define jointly the functional safety concept.
The functional safety concept shall address:
- fault detection and failure mitigation;
- transitioning to a safe state;
- fault tolerance mechanisms,
- fault detection and driver warning in order to reduce the risk exposure time to an
acceptable interval (repair request, stop request);
- arbitration logic to select the most appropriate control request from multiple
requests generated simultaneously by different functions; and
- safety requirements are allocated to elements of other technologies
If during the product development the functional safety concept is updated, the update
must be accepted by PSA.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_3.004 0 The supplier shall deliver the specification of safety requirements allocated to the input
signals of the product (wired information, CAN signals and power supply) and mechanical
interfaces in order to reach the requirements on safety goals.
The safety requirements allocated to inputs signal shall address:
- the list of failure modes
- the effect before detection for each failure mode and the ASIL level
- the detection strategies or safety barriers and the detection time for each failure
mode
- the effect after detection and the degraded mode for each failure mode
- the target in term of ASIL and failure rate
- the recovery conditions
If during the product development the requirements on the inputs are updated, the
update shall be accepted by PSA.
GEN-SAFETY-CLAUSE_3.005 0 The supplier shall perform and deliver the internal functional analysis (system
description).
The internal functional analysis shall contain a detailed description of the system, its
functionalities and its components. It should include the elements that compose the
system: ECU elements, sensors, actuators, mechanical parts, etc. It should include both
an architectural scheme with the links between these elements (e.g. external information
exchanged the product and its interface, internal information exchanged between product
elements) and the description of the functions of each element; it should also include the
consistency and links with the black-box functions.
If during the product development the internal functional analysis is updated, the refined
internal functional analysis shall be delivered.
GEN-SAFETY-CLAUSE_3.006 0 The supplier shall carry out the specification of technical safety requirements.
The supplier shall specify the technical safety requirements by refining the functional
safety concept, considering both the functional concept and the preliminary architectural
assumptions. The technical safety requirements have to be defined during architecture
and system design and measures for fault avoidance (systematic faults and hardware
random faults) and mitigation have to be described during hardware and software
components design.
The supplier shall verify the consistency and traceability between functional safety
requirements and technical safety requirements.
The supplier shall define technical safety concepts that comply with the functional
requirements, and the technical safety requirements specification
The supplier shall deliver the technical safety concepts of its perimeter.
If during the product development the technical safety concept and/or technical safety
requirements are updated, the update shall be accepted by PSA.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_3.007 0 If the supplier applies ASIL decomposition, the use of this method shall be justified: the
independence analysis shall be available for review at the supplier premises and an
agreement shall be met between supplier and customer.
GEN-SAFETY-CLAUSE_3.008 0 The supplier shall deliver the diagnostic data list (diagnostic matrix).
The diagnostic data list shall include at least:
- the fault codes (supplier & PSA)
- the description of the failure
- the monitoring description
- the detection time
- the detection conditions
- the associated degraded mode
- the recovery conditions
GEN-SAFETY-CLAUSE_3.009 0
The supplier shall deliver safety requirements for production (at PSA plant) and for
maintenance operation.
GEN-SAFETY-CLAUSE_3.010 0 The supplier shall perform and present safety analysis to support the derivation and
definition of safety requirements and their allocation.
At least the supplier shall perform:
1. The system functional FMEA: This analysis shall provide information to evaluate
hazards, identify safety critical areas, and provide inputs to safety design criteria
and procedures with provisions and alternatives to eliminate or control all
unacceptable and undesirable hazards. The system functional FMEA shall
address for each internal signal and external signal for each function:
o the list of failure modes
o the effect before detection for each failure mode.
o the detection strategies or safety barriers and the detection time for each
failure mode
o the target in term of ASIL level and failure rates.
o the effect after detection and the degraded mode for each failure mode
o the root causes
o the recovery conditions
If the System FMEA is updated, the update must be accepted by PSA.
The supplier shall provide the system functional FMEA
2. The FTA: this analysis shall support the verification of requirements and their
allocation to functions as well as to logical or technical elements.
The supplier shall provide the FTA.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_3.011 0 The supplier shall perform and present safety analysis (Inductive and deductive) to
support the design verification.
At least the following safety analysis shall take place during the Design phase:
- FTA (qualitative and quantitative):
o this analysis shall enable the identification of multiple point faults and
their causes in the design, the verification that safety controls are
provided as required in the design and the verification of common cause
failure modes in the design.
o the FTA can also be used for the hardware integrity analysis which
verifies that the minimal cut-set and the diagnostics coverage provided
by the diagnostics satisfy qualitative hardware integrity metrics.
o the quantitative FTA analysis shall be conducted to verify compliance
against quantitative hardware integrity targets.
The supplier shall provide the FTA.
- System and Component(s) DFMEA:
o the Design FMEA (DFMEA) shall identify and evaluate the potential
single point failure modes in the design that are safety-critical and verify
that the identified critical failure modes can be mitigated by design
validation, or other safety mechanisms.
o the failure analysis of the Design potential FMEA shall be according to a
known standard such [VDA standard].
o the quotation scale (S,O,D) and the acceptance criteria must be
accepted by PSA ( PSA acceptance criteria are : S=10 and O=1 and
D=1,S=9 and O≤2,S=8 and O≤2, O<=4).
o the Design FMEA shall address special characteristics (CTF/CSE).
o the classification of special characteristics must be accepted by PSA.
The supplier shall provide the synthesis of DFMEAs.
The synthesis of DFMEAs shall contain at least :
o a cover sheet including the authors, the assessors and the evolution of
the document.
o pareto of RPN before and after action plan.
o criticality matrix (S vs O) and ( S vs D)
o FMEA extract (FMEA lines) with the critical risks identified before action
plan. For PSA, the critical are defined according to the following criteria:
RPN>=100; S=10 et (O>1 or D>1); S=9 et O>=2; S=8 et O>=3 ; O>=4.
o the list of the recommended or additional actions and their status.
o the supplier quotation scale of the severity (S), the occurrence (O) and
the probability of non-Detection (D).
o the supplier rules to reduce the severity S, the Occurrence (O) and the
detection (D)
o acronyms list used in FMEA synthesis
(Output work product: WP_Safety_1.018)
The supplier shall perform and provide detailed pin-out FMEA

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
- FMEDA: to verify via quantitative estimation (single point fault, latent fault metrics
and probability of failure) that the violation of safety goal is compliant according to
ISO 26262 quantitative targets.
- System Software FMEA: This analysis shall assess the vulnerability of the
software architecture to potential processor and other hardware interface failure
modes and shall evaluate if the safety concept designed in the software meets
safety requirements.
- Common Cause/Mode Analysis: Based on the FTA and the FMEA this analysis
shall be conducted to identify and to evaluate the potential common cause
failures, common mode failures and cascading failures in the design.
GEN-SAFETY-CLAUSE_3.012 0 The supplier shall provide the reliability prediction for all components.
The work product shall include:
- Reliability calculation methods EE parts and mechanical parts
- Estimation of reliability for each EE HW and mechatronic component:
o the failure rate
o the origin of the failure rate (standard, field feedback…)
o the hypothesis used for the failure rate estimation (mission profile,
temperature….)
o failure mode
o the repartition (%) of the failure mode
o the origin of the repartition
- Estimation of reliability for mechanical parts :
o the probability of failure on the reference period (unreliability in 15
years for example)

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-CLAUSE_3.013 0 The supplier shall provide the RAMS report, it must including at least:
- The cover sheet including the authors, the reviewers, the approval committee, and
the evolution of the document.,
- The list of product evolutions,
- The list of PSA critical event with,
 For each critical event;
o the associated objective,
o the result obtained without contribution of PSA basic events
o the result obtained with contribution of PSA basic events
 For each PSA critical event;
o all the minimal cut set with the failure rate corresponding to each
minimal cut set and the contribution percentage of each minimal cut
set to the critical event
 For each PSA safety critical event (functional and outputs);
o the justification of each minimal cut set of order 1
o the justification of quantitative data used for each basic event.
o the justification of independency of inputs for every AND gate
o the demonstration that the ASIL is achieved by applying appropriate
techniques and measures in the design, implementation, verification
and validation.
o the demonstration that the required functional safety is achieved
during the production process.
 For threat attack critical event:
o the design measures applied in order to prevent the non functional
critical events
o the validations applied in order to ensure a sufficient and acceptable
level of safety being achieved.
o the requirements to the process in order to ensure the achievement
during the production process

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
6.4. Verification Integration and Validation activities
GEN-SAFETY-CLAUSE_4.001 0 The supplier shall conduct system design verification to ensure compliance and
completeness with regard to the technical safety concept and to verify that the system
safety requirements are valid and the system satisfies those requirements.
GEN-SAFETY-CLAUSE_4.002 0 The supplier shall conduct the system validation to verify that the system safety
requirements are valid and the system satisfies those requirements. This validation shall
be done based on the safety validation plan, and verification procedures which are defined
against requirements.
The supplier shall conduct the system/subsystem verification to verify the correct
implementation of the technical safety requirement at the system/subsystem level. This
verification shall be done based on integration and testing plan, and verification
procedures which are defined against requirements.
The supplier shall conduct the component verification to verify the correct implementation
of safety requirements at mechanical, hardware and software level. This verification shall
be done based on the component verification plan, and verification procedures which are
defined against requirements.
The supplier shall deliver the system safety verification and validation report providing
detailed results for testing which is related to system, hardware, or software.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
6.5. Release for production
GEN-SAFETY-CLAUSE.5001 0 Supplier shall deliver a release for production ensuring its ability to produce the item in
compliance with the safety level achieved during the design phase.
GEN-SAFETY-CLAUSE.5002 0 The final assessment of the system safety case and its referenced inputs to evaluate that
the product design has satisfied the safety requirements and safety goals is mandatory
for release for production.
This assessment will also assess the residual risk (if any) for the system.
6.6. Traceability
GEN-SAFETY-CLAUSE.6001 0 The supplier must ensure the traceability of the safety requirements. Full, bi-directional
traceability and communication of safety requirements shall be demonstrated.
6.7. Safety case
GEN-SAFETY-CLAUSE.7001 0 The safety case shall be developed and maintained by supplier.
GEN-SAFETY-CLAUSE.7002 0 The safety case shall progressively compile the work products generated during the
safety lifecycle.
GEN-SAFETY-CLAUSE.7003 0 The safety case shall provide a clear, comprehensive and defensible argument,
supported by evidence, that an item is free from unreasonable risk when operated in an
intended context
GEN-SAFETY-CLAUSE_7.004 0 The supplier must provide a safety report.
The safety report summarizes the results of safety analysis performed and the steps
taken to reduce potential risks, identifies the potential risk remaining, and describes why
this level of risk is acceptable by PSA.
The safety report shall address :
- the residual risks,
- the exception list
The final version of safety report must take into account the potential risks due to the
process.
GEN-SAFETY-CLAUSE_7.005 0 The whole of work product under supplier’s responsibility must be available at least in the
supplier premises
GEN-SAFETY-CLAUSE_7.006 0 The supplier shall be responsible of safety case of its suppliers.
GEN-SAFETY-CLAUSE_7.007 0 The safety case shall be stored for 15 years after the last vehicle produced and all the
documents of the safety case shall be readable.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7. EPS Safety Requirements allocated to EPS
7.1. Function: To steer
7.1.1. To avoid excessive steering effort (Max ASIL D)
a) Safety goal requirement
Safety Goal SG1_DIR_4_01: To avoid excessive steering effort (ASIL D)
Description
When vehicle is moving, the steering item:
- Is locked or stuck in a specific position and does not respond to the driver request.
- Provides torque actuation in the opposite direction to the driver request.
Operating mode
- Vehicle is moving (Velocity > 5kph);
- Steering wheel speed up to 300°/s.
FTTI 100ms
Hazard metrics Excessive steering effort is defined when steering efforts exceed manual steering efforts (without
steering assistant) by 3 Nm.
Other information
The hazard at vehicle level is loss of vehicle lateral motion control. The driver unable to turn or steer
the vehicle. Potential for vehicle to depart the intended path/lane and the vehicle continues motion in
the last position of the steering item and the road wheels.
Note: This safety goal is applicable to steering torque or angle control functions and covers both
electrical and mechanical integrity.
b) Critical events
# ERO
Rev
ERO name ASIL
Probabilistic target
mechanical
ERO_EPS_4.01
0 Steer Lock
excessive steering effort
D 10-6 in 15 years or 240000 km
ERO_EPS_4.04
0 Reversed steering assistance
steering in the opposite direction than intended
D 10-6 in 15 years or 240000 km
c) Derived safety requirements allocated to the EPS
# FSR Rev Functional safety requirement ASIL
FSR_EPS_4.01.01
0 The EPS shall be designed to reduce the risk mechanical steering lock
(mechanical integrity) to be compliant with the probabilistic target of 10-6 in
15 years or 240000 km.
FSR_EPS_4.01.02 0 The EPS shall avoid electrical steering lock (electrical integrity) D
FSR_EPS_4.04.01
0 The EPS shall avoid reverse steering (steering in the opposite direction than
intended)
D

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.1.2. To avoid a steering disconnect (ASIL D)
Safety Goal SG1_DIR_4_02: To avoid a steering disconnect (ASIL D)
Description Disconnected steering occurs when there is no steering torque transmission between the hand wheel
and the road wheels and no further vehicle steering control is possible.
Operating mode Vehicle is moving (Velocity > 5kph)
FTTI Not applicable
Hazard metrics No steering torque transmission between the hand wheel and the road wheels
Other information
The hazard at vehicle level is loss of vehicle lateral motion control.
This safety goal is purely mechanical.
b) Critical event
# ERO
Rev
ERO name ASIL
mechanical
ERO_EPS_4.03 0 Steering disconnect D
10-6 in 15 years or 240000
km
FSR_EPS_4.03.01
0 The EPS shall be designed to reduce the risk of mechanical
disconnect to be compliant with the probabilistic target of 10-6 in 15
years or 240000 km

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.1.3. To avoid an unintended assist torque (Max ASIL D)
Safety Goal SG1_DIR_4_06: To avoid an unintended assist torque (ASIL D)
Description While driving, the steering item provides torque actuation unexpectedly when there is no driver
request.
Operating mode
- When vehicle is moving (Velocity > 12kph)
- Hands on the steering wheel
FTTI 20 ms
Hazard metrics
EPS design criteria:
The unintended steering wheel Torque shall not exceed 3 Nm.
Vehicle validation criteria:
- Path deviation criteria: The maximum path deviation shall not exceed 25cm.
- Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
Other information
The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment.
The steering assistance applied without driver input is a potential hazard if the condition causes a
sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation
that is too quick for the driver to be able to counter before the vehicle departs from its lane.
This safety Goal is applicable to steering torque or angle control functions
Safety Goal SG1_DIR_4_07: To avoid unintended steering wheel motion during driving without hands on steering
wheel (ASIL A).
Description While driving, the steering item provides torque actuation unexpectedly when there is no driver
request.
Operating mode
When vehicle is moving (Velocity > 12kph) with no hands on the steering wheel
FTTI 20 ms
Hazard metrics
EPS design criteria:
- The unintended steering wheel Torque shall not exceed 3 Nm.
- Unintended Steering Wheel movement shall not exceed 15 degrees.
- Unintended Steering Wheel Velocity shall not exceed 180 deg/sec within the 15 degree
unintended steering wheel movement.
Vehicle validation criteria
- Path deviation criteria: The maximum path deviation shall not exceed 25cm
- Lateral motion criteria: The unintended lateral acceleration shall not exceed |0.13|g.
Other information
The hazard at the vehicle level is unintended vehicle lateral motion or unintended yaw moment.
The steering assistance applied without driver input is a potential hazard if the condition causes a
sudden change in direction of the vehicle. This potential hazard may cause a vehicle path deviation
that is too quick for the driver to be able to counter before the vehicle departs from its lane.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Safety Goal
SG1_DIR_4_08: unintended steering wheel motion in the hoist “during service and maintenance”
(ASIL B)
Description During service and maintenance, the steering item provides torque actuation unexpectedly when there
is no request.
Operating mode Hoist (during service and maintenance)
FTTI 20 ms
Hazard metrics
- Unintended Steering Wheel movement shall not exceed 15 degrees.
- Unintended Steering Wheel Velocity shall not exceed 180 deg/sec within the 15 degrees
unintended steering wheel movement.
- Unintended Steering Wheel Torque shall not exceed 3Nm
Other information
The hazard at the vehicle level is operator harm in the workshop situation.
The hazardous situation is the risk of operator being trapped by moving part if steering system moves
unexpectedly.
b) Critical event
# ERO Rev ERO name ASIL
ERO_EPS_4.02
1 Auto steer
This potential hazard refers to the EPS system applying steering assistance
without driver input.
D
FSR_EPS_4.02.01 0 The EPS shall avoid stuck or unintended steering assistance torque D

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.1.4. To avoid critical steering over-assistance (ASIL C)
Safety Goal SG1_DA_4_02: To avoid critical steering over-assistance (ASIL C)
Description
When the vehicle is moving, the steering item provides steering assistance more than the design
intent. The resulting steering torque is greater than required (the steering feels lighter than normal) but
the assistance is in the correct direction.
Operating mode Curves with lateral acceleration up to 0,2g
FTTI 100ms
Hazard metrics
The system provides more than an additional 3Nm at the steering wheel (the delta steering wheel
torque must be less than 3Nm compared to the nominal assistance).
Other information
An extreme situation of excessive gain in the torque control could possibly result in vehicle instability
(Unintended vehicle lateral motion or unintended yaw moment).
b) Critical event
ERO_EPS_4.06
0 Critical Over assistance
This potential hazard covers the cases steering wheel torque decrease( the EPS
system supplies more assistance than required)
C
ERO_EPS_4.09
0 Unintended Assistance recovery
This potential hazard covers the cases when the assistance is recovered
unexpectedly
C
FSR_EPS_4.06.01 0 The EPS shall avoid too high steering assistance torque C
FSR_EPS_4.06.02
0 The EPS shall avoid too low vehicle speed with ASIL C
This requirement covers the corruption of the vehicle in the EPS and means that the
acquisition, the conditioning and the processing of vehicle speed shall comply with
the ASIL C.
C
FSR_EPS_4.06.03
0 The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that
allows a safe operation of the vehicle) and the transition to operate with a reduced
level of assist shall be controlled (slope shall be defined)
C
FSR_EPS_4.09.01 0 The EPS shall avoid unintended assistance recovery C

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.1.5. To avoid a large variation (ASIL C)
Safety Gaol SG1_DA_4_03: To avoid a large variation (ASIL C)
Description
When the vehicle is moving, the steering item provides erratic/intermittent steering assistance torque.
The resulting steering torque is unexpectedly fluctuating.
The EPS System generates assistance torque of variable and incorrect magnitude (erratic) or correct
magnitude but on/off (intermittent).
Note: For high frequencies and low frequencie, the large variation is not safety relevant.
Operating mode Curves with lateral acceleration up to 0,2g
FTTI 200ms
Hazard metrics The delta steering wheel torque compared to nominal assistance shall be less than 3Nm.
Other information
A persistent erratic or inconsistent steering assist level may make it difficult to control the vehicle
trajectory (unintended vehicle lateral motion or unintended yaw moment).
b) Critical event
ERO_EPS_4.05 0 Critical random/erratic assistance
This potential hazard covers the unexpected steering wheel torque fluctuation.
C
a) Derived safety requirements allocated to the EPS
FSR_EPS_4.05.01 0 The EPS shall avoid random/erratic steering assistance torque C
FSR_EPS_4.05.02
0 The EPS shall avoid random/erratic vehicle speed with ASIL C
This requirement covers the corruption of the vehicle in the EPS and means that the
acquisition, the conditioning and the processing of vehicle speed shall comply with
the ASIL C.
C
FSR_EPS_4.06.03
0 The EPS shall detect faulty vehicle speed, shall use a default vehicle speed (that
allows a safe operation of the car) and the transition to operate with a reduced level
of assist shall be controlled (slope shall be defined)
C

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.1.6. To avoid a sudden loss of steering assist (ASIL B).
Safety Goal SG1_DA_4_01: To avoid a sudden loss of steering assist (ASIL B).
Description
When the vehicle is moving, there is sudden loss of steering assistance or reduced steering assist
leading to steering wheel torque increase.
The steering effort (Manual steer) required varies significantly from one vehicle platform to another,
and may vary within a platform due to front axle weight or steering geometry changes).
Operating mode
- When vehicle is moving (velocity > 10 kph).
- Hand wheel velocity up to 300°/s.
FTTI 100ms
Hazard metrics
- Max steering wheel torque shall be less than 10Nm
- Manual steer.
Other information
The vehicle hazard is increased effort on the steering wheel.
A sudden loss of steering assistance torque causes higher steering effort, especially at low vehicle
speeds and for rapid steering at any vehicle speed.
The safety goal includes the ‘sudden’ aspect (e;g loss of assistance without warning).
b) Critical event
# ERO
Rev
ERO name ASIL
mechanical
ERO_EPS_4.07 0 Loss of assistance
This potential hazard covers the cases when the
steering wheel torque increases. It concerns the
following cases:
- Complete loss of assistance
- Critical under assistance (the EPS supplies less
assistance than required)
- No reactivation or inopportune deactivation of
assistance (STTd Function)
B
10-4 in 15 years or 240000
km

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
FSR_EPS_4.07.01 0 The EPS shall avoid sudden loss of steering assistance (ASIL B) B
FSR_EPS_4.07.02
1 FSR_EPS_4.07.02 :The EPS shall avoid unwanted deactivation or no
reactivation of assistance (activation / deactivation conditions and STTd
conditions):
Note: These thresholds could be changed during design phase.
B
FSR_EPS_4.07.02.01
0 To response to requirement FSR_EPS_4.07.02: If assistance has been
activated, in case of failure of one the interface signals ignition (stuck at off),
engine state (lost, invalid or not running) or power cut request (lost or stuck at
“demand”), the EPS shall not deactivate the assistance if vehicle speed is
over a threshold. (ASIL B).
B
FSR_EPS_4.07.02.02:
0 To response to requirement FSR_EPS_4.07.02: If assistance has been
deactivated and conditions for its safe reactivation are fulfilled then the EPS
shall reactivate with a slope the assistance when Vehicle speed is over a
threshold. (ASIL B)
B
FSR_EPS_4.07.03
0 The EPS shall be designed to provide assistance with ASIL B:
- The EPS shall avoid no steering assistance torque with ASIL B.
- The EPS shall avoid too low steering assistance torque with ASIL B
B
FSR_EPS_4.07.04
0 The EPS shall avoid incorrect setting of ignition signal with ASIL A(B)
This requirement covers the corruption of ignition in the EPS and covers the
acquisition, the conditioning and the processing of the ignition
A(B)
FSR_EPS_4.07.05
0 The EPS shall avoid incorrect setting of engine state signal with QM (B)
This requirement covers the corruption of engine state in the EPS and covers
the acquisition, the conditioning and the processing of the engine state
QM(B)
FSR_EPS_4.07.06
0 The EPS shall avoid incorrect setting of power cut request signal to “request”
with QM (B)
This requirement covers the corruption of power cut request in the EPS and
covers the acquisition, the conditioning and the processing of the power cut
request signal
QM(B)
FSR_EPS_4.07.07
0 Sufficient independence between ignition, engine state and vehicle speed
shall be ensured in the EPS with ASIL B
B
FSR_EPS_4.07.08
0 Sufficient independence between power cut request and vehicle speed shall
be ensured in the EPS with ASIL B
B
FSR_EPS_4.07.09
0 The requirements allocated to inputs signals (FSR_EPS_4.07.04 to
FSR_EPS_4.07.08) are related to the strategy specified by PSA. The
supplier shall provide its requirements to these inputs signal if these signals
are used by the supplier strategies.
# TSR Rev Technical safety requirement ASIL
TSR_EPS_4.07.02.01_01
0 If assistance has been activated, in case of failure of Engine state
(incorrect setting of engine state at [lost, CUT, STARTING or NOT
VALID] instead of Running or STT state), the EPS shall ramp down the
assistance after a defined delay (T_A2) only if vehicle speed is lower
than threshold (ASIL B).
B

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
TSR_EPS_4.07.02.01_02
0 If assistance has been activated, in case of failure of ignition (incorrect
setting of Ignition at off), the EPS shall ramp down the assistance after a
defined delay (T_A1) only if vehicle speed is lower than threshold and
engine state is [lost, invalid, not running or not in STT states (ASIL B).
B
TSR_EPS_4.07.02.01_03
0 If assistance has been activated, in case of failure of ignition and Vehicle
speed (failure mode: unwanted transition on invalid vehicle speed and
incorrect setting of Ignition at off ), the EPS shall ramp down the
assistance after a defined delay (T_A3) only if engine state is off [loss,
CUT, STARTING or NOT VALID] (ASIL B)
B
TSR_EPS_4.07.02.01_04
0 If assistance has been activated, in case of failure of Engine state and
ignition (failure mode: incorrect setting of engine state at [loss, CUT,
STARTING or NOT VALID] instead of Running or STT state and
incorrect setting of Ignition at off ), the EPS shall ramp down the
assistance after a defined delay (T_A1) only if vehicle speed is under a
threshold (ASIL B).
B
TSR_EPS_4.07.02.01_05
0 If assistance has been activated, in case of failure of Engine state and
Vehicle speed (failure mode: loss or invalid vehicle speed, incorrect
setting of engine state at [loss, CUT, STARTING or NOT VALID] instead
of Running or STT state and incorrect setting of Ignition at off ), the EPS
shall ramp down the assistance after a defined delay (T_A3) only
ignition is off (ASIL B)
B
TSR_EPS_4.07.02.01_06
0 If assistance has been activated, in case of failure of Engine state,
ignition and Vehicle speed (failure mode: Invalid vehicle speed and
incorrect setting of engine state at [loss, CUT, STARTING or NOT
VALID] instead of Running or STT state and incorrect setting of Ignition
at off), the EPS shall ramp down the assistance only after a defined
delay (T_A3) (ASIL B).
B
TSR_EPS_4.07.02.01_07
If assistance has been activated, in case of failure of power cut request,
the EPS shall ramp down the assistance only if vehicle speed is lower
than a threshold (ASIL B)
B
TSR_EPS_4.07.02.02_01
0 When assistance is deactivated due to power cut request the EPS shall
ramp up the assistance if vehicle speed is higher than threshold.(ASIL B)
Note: this requirement means: in case of power cut request stuck at
“demand” the EPS shall ramp up the assistance over a threshold of
vehicle speed.
B
TSR_EPS_4.07.02.02_02
0 When assistance is deactivated due to engine state, the EPS shall ramp
up the assistance if vehicle speed is higher than threshold (ASIL B)
Note: this requirement means: in case when assistance is ramped down
and ECU is still awake without presence of failure the EPS shall ramp up
the assistance over a threshold of vehicle speed (e.g after engine
stalling, the assistance is ramped up on vehicle speed even if engine
doesn’t restart).
B

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.2. Function: STTd
Id. Rev Critical events ASIL
ERO_EPS_4.08 0 No deactivation or inopportune activation of assistance (STTd function)
This requirement concerns the safety goal the avoid collapse power network
A
FSR_ARAMTH_012
0 The EPS shall avoid incorrect setting of power cut request “No request” with ASIL
A
This requirement covers the corruption of power cut request in the EPS and
covers the acquisition, the conditioning and the processing of the power cut
request signal
A
FSR_ARAMTH_014
0 The requirement “STTd_EPS_11.0“of the functional specification shall response to
an ASIL A.
(See chap 5.2 Power cut request validity of STT Functional specification
01452_09_00092)
A
FSR_ARAMTH_019 0 The EPS shall provide the correct signal Autorisation_arret_moteur. A
FSR_ARAMTH_020 0 The EPS shall provide the correct signal Demande_Redem_moteur. A
FSR_ARAMTH_021
0 The requirement “STTd_EPS_3.1“of the functional specification shall response to
an ASIL B.
(See chap 4.6.4 Compute Engine restart request of STT Functional specification
01452_09_00092)
B
Id. Rev Outputs critical events ASI
L
FIT
ERO_EPS_4.41 0 Erroneous information “Autorisation_arret_moteur”
Failure modes:
- Erroneous to “authorisation” instead of “no authorisation”,
A 10
ERO_EPS_4.42 0 Erroneous information “Demande_Redem_moteur”
Failure modes:
- Erroneous to “restarting not needed”,
A 10
7.3. Safety output critical events
7.3.1. Column angle (in case of AVA function):

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Id. Rev Outputs critical events ASIL FIT
ERO_EPS_4.11 0 Erroneous information “EPS column angle”
Threshold of error must be less than 10°
Latency time: 100ms
The failure modes:
- Too high (permanent/transient/unwanted transition),
- Too low (permanent/transient/unwanted transition),
NB: This critical event concerns the EPS transmitting frame 2F5 (SWS
Class 1)
D 1
ERO_EPS_4.12 0 Erroneous information “EPS column Speed”
Threshold of error must be less than 64°/s.
Latency time 100ms
The failure modes:
- too high (permanent/transient/unwanted transition),
- too low (permanent/transient/unwanted transition).
NB: This critical event concerns the EPS transmitting frame 2F5 (SWS
Class 1)
D 1
ERO_EPS_4.13 0 Loss or invalid “EPS column angle”
This critical output must include all the failures leading to:
loss of frame 2F5 or frame 2F5 too short
Invalid information “EPS column angle”
Out of range
B 10
ERO_EPS_4.14 0 Loss or invalid “EPS column speed”
Invalid information “EPS column speed”
Out of range
B 10
ERO_EPS_4.20 0 Erroneous “Etat secu angle colonne”
Erroneous to column angle secured
D 1
ERO_EPS_4.21 0 Loss of “Etat secu angle colonne”
D 1
ERO_EPS_4.22 0 Erroneous “Etat secu angle colonne”
Erroneous to column angle not secured
B 10

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.3.2. Absolute steering angle (in case of the SAS is integrated in the EPS):
ERO_EPS_4.30 0 Erroneous information “Absolute steering angle”
Threshold of error must be less than 15°
Latency time 100ms
The failure modes:
- too low (permanent/transient/unwanted transition)
NB: This critical event concerns the case when the EPS provide the CAN output
signal “Absolute steering angle” transmitted on the frame 305 (SWS class 3 is
integrated in the EPS).
D 1
ERO_EPS_4.31 0 Loss or invalid “Absolute steering angle”
loss of frame 305 or frame 305 too short
Invalid information “Absolute steering angle”
Out of range
B 10
ERO_EPS_4.32 0 Erroneous information “Steering wheel rotation Speed”
Threshold of error must be less than 64°/s.
Latency time 100ms
The failure modes:
- too low (permanent/transient/unwanted transition).
NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is
integrated in the EPS)
B 10
ERO_EPS_4.33 0 Loss or invalid “Steering wheel rotation Speed”
Invalid information “Steering wheel rotation Speed”
Out of range
B 10
ERO_EPS_4.34 0 Loss of “Steering wheel sensor direction (SENS_ROT_VOL)”
A(B) 10
ERO_EPS_4.35 0 Erroneous information “Steering wheel sensor direction (SENS_ROT_VOL)”
Failure modes:
- Erroneous to sens horaire
- Erroneous to sens trigo
NB: This critical event concerns the EPS transmitting frame 305 (SWS class 3 is
integrated in the EPS)
D 1
ERO_EPS_4.36 0 Erroneous information “Calibration VOL”
The failure modes:
- Erroneous to “calibrated”,
- Erroneous to “uncalibrated”,
D 1

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
ERO_EPS_4.37 0 Erroneous information “TRIM VOL”
The failure modes:
- Erroneous to “ajusté”,
B 10
ERO_EPS_4.38 0 Erroneous information “SAS State”
The failure modes:
- Erroneous to “failure detected”,
A(B) 10
ERO_EPS_4.39 0 Erroneous information “SAS State”
The failure modes:
- Erroneous to “no failure”,
B(D) 10
These requirements will be refined depending on the technical proposition “virtual SAS”.
7.3.3. Absolute steering angle (in case virtual SAS):
Document Name Applicable version Reference
Technical Safety requirements EPS for virtual SAS V1.0 20655_17_00130
7.3.4. Request for warning lamp
ERO_EPS_4.19 0 No request to switch on the warning lamp
Failure modes :
- Loss of information
- Erroneous to “warning lamp not needed”
- Erroneous to the reserved value
This critical event concerns the CAN output “Power steering status” and the
particular failure mode Power steering status erroneous to 00 "No request to light
lamp” instead of 01 “request to light lamp”
B 10

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.4. Multi-mode function
Id. Rev critical events ASIL
ERO_Mm_4.01 0 Unintended transition to normal mode
This critical event is related to over assistance
C
FSR_Mm_4.01.01 0 The EPS shall avoid unintended or incorrect transition between multimode states C
7.5. City Park function
CPK-SAFETY-CLAUSE.0001 0
The impact of the CPK function shall be taken into account by the supplier on all
safety and reliability analysis.
Note: The requirements about City Park function are provided by the main system manufacturer Valeo
and Valeo is responsible for the requirements below (Cf Document: 0).
Document Name Applicable version Reference
Technical Safety Concept EPS for CPK V2.0 00858_15_01879

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.6. LxA function
7.6.1. SG1_LxA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
Safety Goal SG1_LXA_DIR_4_06: Avoid an inopportune steering wheel rotation (ASIL D)
Critical scenarios
- Internal EPS failure leading to unwanted LXA regulation
- Erroneous yaw rate compensation sent to STEER System
- Erroneous LXA correction setpoint sent to STEER System
Validation criteria
The hazard at the vehicle level is a path deviation.
EPS shall limit the vehicle lateral dynamics induced by the LKA control.
This limitation is translated in maximum absolute lateral acceleration and a minimum time before
reaching a lateral acceleration threshold.
Threshold:
- Reaching a +1m/s² lateral acceleration increase shall require at least 0.5s for for vehicle speed
lower than 50 kph.
higher than 50 kph.
These thresholds shall be taken into account when calibrating the maximum steering wheel speed
limitation in the EPS.
PSA can accept a maximum lateral acceleration variation of 2.5 m/s² during 500ms.
Initial operating mode:
LXA selected, lateral control in progress (hand On +hand Off).
b) Critical event
Id Rev Critical event (ERO) ASIL
ERO_EPS_LxA_4.01 0 Unwanted or too high LxA intervention D
ERO_EPS_LxA_4.02 0 Unwanted LxA intervention during ABS/ESC intervention or during
ABS/ESC unavailability
B
Id Rev Functional safety requirement ASIL
FSR_EPS_ LxA_4.01.01 0 The EPS shall apply LxA additional torque only if it is requested D
1 During LxA intervention, the EPS shall limit LxA additional torque at threshold
(LXA_Add-On_safe_threshold)
LXA_Add-On_safe_threshold = 4Nm
D
1 During LxA intervention,If the LxA additionnal torque exceed a threshold
(LXA_Add-On_safe_threshold) during more than duration (LXA_ADD-
TQ_DELAY) , the EPS shall ramp down the LxA function according to a
D

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
defined slope (LXA _Add-On_SAFE_SLOPE).
LXA_Add-On_safe_threshold = 4Nm.
Latency time = 20 ms
2 During LxA intervention, the EPS shall rampdown LxA control if the variation of
Hw torque more than duration (LxA _HWT_DELAY) exceed
LXA_HWT_threshold
LXA_HWT_threshold = +/-3 Nm
LxA _HWT_DELAY= 500 ms
D
FSR_EPS_LxA_4.01.05
1 During LxA intervention, If the hand-wheel torque exceed a threshold
(LXA_HWT_SAFE_THRESHOLD) during more than duration (LxA
_HWT_DELAY) , the EPS shall ramp down the LxA function according to a
defined slope (LXA _HWT_SAFE_SLOPE).
LXA_HWT_SAFE_THRESHOLD = 2.8Nm
LXA _HWT_DELAY = 20 ms
LXA _HWT_SAFE_SLOPE =1Nm/s.
Note: These thresholds could be changed during design phase
D
3 During LxA intervention, the EPS shall rampdown (with defined slope
LXA_SWV_SLOPE ) LxA function if steering wheel velocity is higher than
LXA_SWV_safe_threshold during more than LXA_SWV_DELAY
LXA_SWV_safe_threshold is defined depending on vehicle speed
(see functional specification 00998_12_01589)
LXA_SWV_DELAY is depending on steering wheel speed and vehicle speed
(Maximum values is 800 ms).
LXA_SWV_SLOPE To be calibrated during design phase.
Note :
-These parameters setting could be changed during design phase.
B
1 The EPS shall avoid too high or too low steering wheel speed
Note : These parameters setting could be changed during design phase.
B
3 During LxA intervention, the EPS shall rampdown (with defined slope
LXA_SWA_SLOPE ) LxA function if steering wheel angle is higher than
LXA_SWA_safe_threshold during more than LXA_SWA_DELAY
LXA_SWA_safe_threshold is defined depending on vehicle speed (target:
lateral acceleration max: 3m.s-², reaching a +2m/s² lateral acceleration
increase shall require at least 0.5s).
The threschold need to be deffined from the following criteria : lateral
acceleration 0,3g (3m/s²).
LXA_SWA_DELAY = 200 ms.
LXA_SWA_SLOPE To be calibreted during design phase
B

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
1 The EPS shall avoid too high or too low steering wheel angle.
The fault amplitude and FTTi need to be defined from the following criteria :
lateral acceleration 0,3g (3 m/s²).
B
0 The EPS shall limit the gradient of COLUMN_ANGLE_SETPOINT
B
0 The EPS shall limit the variation of LKA_TRQ_FACT_REQ
B
0 The EPS shall apply LxA request only if ABS/ESC is available (no fault and no
driver deactivation) and no ABS/ESC intervention.
B
0 In case of ABS/ESC intervention during LxA intervention, the EPS shall ramp
down the LxA function with a defined slope and warn the driver.
B
0 In case of ABS/ESC unavailability during LxA intervention, the EPS shall ramp
down the LxA function with a defined slope and warn the driver
B
0 In case of ABS/ESC intervention, the EPS shall inform the vehicle that no LXA
regulation possible (EPS_STATE_LXA =000 “unauthorized”).
B
0 In case of ABS/ESC unavailability, the EPS shall inform the vehicle that no
LXA regulation possible (EPS_STATE_LXA =000 “unauthorized”).
B
0 In case of detected communication failures between ESC and the EPS, the
EPS shall inform the vehicle that no LXA regulation is possible
(EPS_STATE_LXA=100 : “the defect state" ).
B
0 The recovery is allowed only if ABS/ESP available and no ESC regulation in
progress and no communication failures between ESC and EPS
B
FSR_LxA_01.14.a
0 EPS shall avoid sending an erroneous column speed (vitesse_colonne) and
steering wheel torque optimized (cple_volant_optimise) to BSI.
B
FSR_LxA_01.15.a
0 EPS shall avoid not deactivating LxA when requested by BSI (LxA_state set as
deactivated).
A(B)
FSR_LxA_01.18.a
0 EPS ensure no common cause failure between limiting the vehicle lateral
dynamics (FSR_LxA_01.8.a), sending erroneous column speed and steering
wheel torque to BSI (FSR_LxA_01.14.a) and not deactivating on BSI request
(FSR_LxA_01.15.a), at ASIL B.
Nota : in this specification :
FSR_LxA_01.8.a = FSR_EPS _LxA_4.01.06 + FSR_EPS _LxA_4.01.10
B
FSR_LxA_03.2.a
0 EPS shall avoid not informing BSI that no LxA control is possible in case of
internal failure (EPS_state_LXA), at ASIL QM
QM

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
SG1_LxA_4_01 The driver shall always be able to keep the control of the vehicle
trajectory during LxA trajectory correction (ASIL B)
Safety Goal SG1_LXA_4_01 : The driver shall always be able to keep the control of the vehicle trajectory during
LXA trajectory correction (ASIL B)
Critical scenarios
- Erroneous yaw rate compensation sent to STEER System
- Erroneous LXA correction setpoint sent to STEER System
- ABS/ESP not available or data from ABS/ESP not available
- Driver do not have steering wheel in hands.
Validation criteria
Threshold:
lower than 50 kph.
higher than 50 kph.
b) Critical event
# ERO Rev Critical event (ERO) ASIL
ERO_EPS_LxA_4.03 0 Erroneous LxA torque correction leading to path deviation (due to
EPS failures)
B
Id Rev Functional safety requirement ASIL
FSR_EPS_LxA_4.03_01
0 The EPS shall detect a driving situation without hand during 10s and
provide signals to inhibit LxA function (EPS_STATE_LXA=000
“unauthorized state” and STEERWHL_HOLD_BY_DRV =0 “no steering
activity detected from the driver torque”).
A(B)
FSR_EPS_LxA_4.03_02
0 If the EPS detects drive situation without hand on the steering wheel during
more than 10s, the EPS shall inform the driver
A(B)
FSR_EPS_LxA_4.03_03
0 If the EPS detects drive situation without hand on the steering wheel during
more than 3s after the driver warning , the EPS shall ramp down the LxA
A(B)

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
function with a defined slope (Slope = 1Nm/s)
7.6.2. SG1_LxA_4_02: LXA function shall ensure the controllability of the vehicle in
case of LxA deactivation (ASIL D )
Safety Goal SG1_LXA_4_02: LXA function shall ensure the controllability of the vehicle in case of LXA deactivation
(ASIL B )
Critical scenarios - Trajectory correction deactivation
Validation criteria
Threshold:
lower than 50 kph.
higher than 50 kph.
b) Critical event
ERO_EPS_LxA_4.04 1 Brutal LxA deactivation (due to EPS failure)
B
FSR_EPS_LxA_4.04_01
1 The EPS shall ramp down LxA function with a defined slope to avoid brutal
LxA deactivation
B
FSR_EPS_LxA_4.04_02
1 The EPS shall avoid erroneous a slope :
- slope higher than 7,5Nm/s or
- slope lower than 1Nm/s
Note : The safe rang for slope is [1Nm/s 7,5Nm/s]
B

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Output requirements LXA
Id. ERO Critical Event ASIL FIT
ERO-LXA-EPS-SDF.0016 (1.0) Unwanted transition to active or authorized or available
This critical event concerns the output signal
EPS_STATE_LXA transmitted on the frame IS_DAT_DIRA_495/ /
EPS_STATE_LXA
QM(D) 100
ERO-LXA-EPS-SDF.0017 (1.0) Impossible transition to defect
EPS_STATE_LXA
QM(D) 100
ERO-LXA-EPS-SDF.0018 (1.0) Impossible transition to defect of EPS_STATE_LXA and wrong values
of LXA_REQUIRED_ADDIT_STEER_WL_TORQUE
Common mode EPS_STATE_LXA and
LXA_REQUIRED_ADDIT_STEER_WL_TORQUE transmitted on frame
IS_DAT_DIRA_495/ / EPS_STATE_LXA
B(D) 10
ERO-LXA-EPS-SDF.0019 (1.0) Impossible transition to unauthorized
EPS_STATE_LXA
QM(B) 100
ERO-LXA-EPS-SDF.0020 (1.0) Impossible transition to unauthorized
and REGUL_ESP erroneous to "no regulation"
Common mode EPS_STATE_LXA and REGUL_ESP transmitted on the
frame IS_DAT_DIRA_495/ / EPS_STATE_LXA
B 10
ERO-LXA-EPS-SDF.0021 (1.0) Impossible transition to "no steering activity detected from the driver
torque"
STEERWHL_HOLD_BY_DRV transmitted on the frame IS_DAT_DIRA_495/
/ STEERWHL_HOLD_BY_DRV
QM(A) 100
ERO-LXA-EPS-SDF.0022 (1.0) Loss/Absence
STEERWHL_HOLD_BY_DRV transmitted on the frame
IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV
QM(A) 100

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
7.7. Safety threat / attack critical events
Id. Threat/Attack Critical Event
ERO_EPS_4.21 EMC susceptibility
This critical event covers the EMC immunity.
ERO_EPS_4.22 Disturbance of the surrounding systems due to EMC emissions
ERO_EPS_4.23 Thermal event
This critical event is related to the CCA topic.
7.8. FTA requirements
Id. Rev Requirement
GEN-SAFETY-
CLAUSE-G4.0001
0
For Each safety critical event, the reference period must be 15 years or 240000 km (first criterion
reached).
The confidence level required for validation of the failure modes leading to a safety critical event is
75%.
GEN-SAFETY-
CLAUSE-G4.0002
0
The supplier must perform the FTA for each safety critical event
For functional safety critical events and for output critical events (defined in this document) the
qualitative and quantitative fault tree analyses are mandatory.
The qualitative fault tree are mandatory for safety threat/Attack critical event
The qualitative fault tree analysis shall be used to investigate the random failures and systematic
failures.
The quantitative fault tree shall be used to estimate the probability of the hazard. The quantitative fault
analysis must cover the random failures and mechanical failures.
The Fault tree must take into account all the combinations of failures leading to each safety critical
event.
The fault tree must take into account all techniques and measures applied to control random faults
leading to each critical event.
GEN-SAFETY-
CLAUSE-G4.0003
0
The quantitative result on each critical event must be expressed for:
- HW random failures in term of failure rate per hour, SPFM and LFM.
- Mechanical failures in term of probability of failure during the reference period.
GEN-SAFETY-
CLAUSE-G4.0004
0
Each functional critical event (defined in §7.1) shall reach the quantitative target expressed in the table
1.
The target for each functional critical event must be reached with the inputs data reliability values (of
PSA responsibility).
GEN-SAFETY-
CLAUSE-G4.0005
0
Each output critical event (defined in §7.2) must reach the failure rate per hour required for each
output critical event and the SPFM/LFM expressed in the table 1.
The target of each output critical event must be reached with the inputs data reliability values of PSA
responsibility
GEN-SAFETY-
CLAUSE-G4.0006
0
For HW random failures, the calculation must be based on official data base (see ISO 26262-5). If the
supplier uses his RETEX (Field Feedback), the target to reach is divided by factor 10 (for example, for
target with official data base at 10-8, the target will be 10-9).
GEN-SAFETY-
CLAUSE-G4.0007
0 The supplier must justify each HW failure rate and probability failure on reference period for
mechanical failures used for the quantification.

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
GEN-SAFETY-
CLAUSE-G4.0008
0
The supplier must provide the requirements on the inputs data (of PSA responsibility) and interfaces in
order to reach the target on each safety critical event.
The requirements on inputs data and interfaces must be accepted by PSA.
GEN-SAFETY-
CLAUSE-G4.0009
0 For each safety critical event, the supplier must justify all single HW random failure and residual
failures.
GEN-SAFETY-
CLAUSE-G4.0010
0 For each safety critical event, the supplier must justify all single mechanical failures.
GEN-SAFETY-
CLAUSE-G4.0011
0
It is forbidden that a single fault vs. threat / attack leads to gravity 4. The technical design shall fulfil
this principle. If auto protection is not sufficient, a justification document must be delivered by the
supplier (justification on multi-barrier principle…).
GEN-SAFETY-
CLAUSE-G4.0012
0
For each safety critical event, the supplier must justify the fulfilment of the requirement in term of ASIL
for systematic failures.
The justification is achieved by applying techniques and measure, for avoidance of systematic failures
according to the standard is 26262.
ASIL
EE Failures Mechanical failures
Failure rate
(FIT)
SPFM LFM
Probability of failure on the
period (15 years / 240000km)
A 1000 10-3
B 100 90% 60% 10-4
C 100 97% 80% 10-5
D 10 99% 90% 10-6
Table 1
8. Reliability and availability requirements
8.1. Gravity 3 critical events
Id. Critical events Comments
ERO_EPS_3.01 Degraded steering due to EPS failures
This critical event includes all the failures leading to degradation
of steering wheel torque (friction, backlash,..)
ERO_EPS_3.02 Lack of assistance No assist at the start-up
ERO_EPS_3.03 Non critical under assistance
ERO_EPS_3.04 Non critical over assistance
ERO_EPS_3.05 Non critical random assistance
ERO_EPS_3.06 EPS failures leading to over consumption
This critical event includes :
- Quiescent current more than 100 µA.
- Standby current more than 500 mA
- Operating current erroneous too high.
- Unwanted wake up (ECU doesn’t go too sleep,
inopportune ECU wake up)
-

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
ERO_EPS_3.07
Unwanted request to switch on the
warning lamp
This critical event concerns the CAN output “Power steering
status” and the particular failure mode power steering status
erroneous to 01 “request to light lamp” instead of 00 "No request
to light lamp”
ERO_EPS_3.08 No request to restart the engine.
This critical event concerns the frame 495
Engine restart requested by sub system DA erroneous to 0 “No
need of restart” instead of 1 “Restart request”
ERO_EPS_3.09
Unwanted Engine stop authorization by
EPS
This critical event concerns the frame 495 Engine stop
authorization by sub system DA erroneous 1 3Stop
authorization3 INSTEAD OF à “No stop authorization”
ERO_EPS_3.10 NVH due to EPS failures
This critical event includes
- Severe Airborne noise (includes rattle)
- Structure-borne noise
- EPS vibration generation.
ERO-LXA-EPS-108
(1.0)
No LXA correction when needed due to
EPS failures
ERO-LXA-EPS-109
(1.0)
Unwanted stop of LXA torque correction
during a correction due to EPS failures
ERO-LXA-EPS-110
(1.0)
Unwanted LXA torque correction due to
EPS failures
ERO-LXA-EPS-111
(1.0)
Erroneous LXA state display to the driver
(LXA is displayed as able to correct
trajectory while it is not) due to EPS
failures
ERO-LXA-EPS-112
(1.0)
Erroneous LXA takeover alert to the
driver (alert is not displayed while
needed) due to EPS failures
Id. ERO Critical Event Cumulated
probability
ERO-LXA-EPS-SDF.0006 (1.0)
Loss/Absence due to EPS failures
COMMUNICATION CAN I/S
D(7ans 150000km)
<10-4
Impossible transition to "available" or "authorized" or "active" due to EPS
failures
EPS_STATE_LXA
D(7ans 150000km)
<10-4
Untimely transition to defect due to EPS failures
EPS_STATE_LXA
D(7ans 150000km)
<10-4
Impossible transition to defect due to EPS failures
EPS_STATE_LXA
D(7ans 150000km)
<10-4

Niveau de
classification
0- Pas de
classification
1- Usage interne
PSA/DPTA/
2 -
Confidentiel
PSA/DPTA/
PSA/DPTA/
4- Confidentiel
enregistré
PSA/DPTA/
Id. ERO Critical Event Cumulated
probability
Loss/Absence due to EPS failures
EPS_STATE_LXA
D(7ans 150000km)
<10-4
untimely transition to "no steering activity detected from the driver torque"
due to EPS failures
STEERWHL_HOLD_BY_DRV transmitted on the frame
IS_DAT_DIRA_495/ / STEERWHL_HOLD_BY_DRV
D(7ans 150000km)
<10-4
8.2. Reliability, availability requirements and quantitative target
Id. Rev Requirement
GEN-SAFETY-CLAUSE-
G3.0001
0
For gravity 3 critical events, the reference period is 7 years or 150000 km (first criterion reached).
The confidence level required for validation of the failure modes leading to a safety critical event
is 75%.
GEN-SAFETY-CLAUSE-
G3.0002
0
For each gravity 3 critical event the quantitative target is defined by the probability of failure on
the reference period <10-3
For random failures this target is equivalent to failure rate less than 10-7/h.
GEN-SAFETY-CLAUSE-
G3.0003
0
For Gravity 3 critical event the supplier must provide a justification for the quantitative results.
The results must be provided for EE random failures and for mechanical failures
GEN-SAFETY-CLAUSE-
G3.0004
0
The quantitative requirements are to be fulfilled with inputs data reliability values (of PSA
responsibility).
GEN-SAFETY-CLAUSE-
G2-G1.0001
0
For gravity 2 and gravity 1 critical events, the reference period is 3 years or 60000 km (first
criterion reached).
The confidence level required for validation of the failure modes leading to a safety critical event
is 50%.
GEN-SAFETY-CLAUSE-
G2-G1.0002
0
For each gravity 2 and gravity 1 critical event the quantitative target is defined by the probability
of failure on the reference period <10-3
For random failures this target is equivalent to failure rate less than 10-7/h.
GEN-SAFETY-CLAUSE-
G2-G1.0003
0
For gravity 2 and gravity 1 critical event the supplier must provide a justification for the
quantitative results.
The results must be provided for EE random failures and for mechanical failures
GEN-SAFETY-CLAUSE-
G2-G1.0004
0
The quantitative requirements are to be fulfilled with inputs data reliability values (of PSA
responsibility).

Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc

Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc

Recommended

Recommended

More Related Content

More from azrfdstgdgdfh

More from azrfdstgdgdfh (19)

Recently uploaded

Recently uploaded (20)

Safety_Dependabilty_Durability_Requirements_EPS_BL_3_0.doc