| N° | ID | Name | Description | Kind | ASIL | Time constraint | Physical constraint | Comment | Traced FTA Events | Status | Related Goals | Contributions | Contributes To | Allocations |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | SR001 | [a] Prevent exposure to unintended high voltage to passengers, drivers, and other nearby people | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 2 | SR002 | [b] Detect presence of unintended high voltage / leakage | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 2.1 | SR058 | Exposure to high voltage shall be detected within xxx s | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | |
| 3 | SR003 | [c] Safe state: completely disable battery output until the vehicle has been serviced | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | SR008 (ASIL D) | | Master controller |
| 4 | SR004 | [e] Degraded state: in case of detection of unintended high voltage, do not allow vehicle operation for more than xx kmph / yy minutes | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 5 | SR005 | [d] An unintended exposure to high voltage fault shall not exist in the system for more than xxx seconds | FTTI, the maximum time the fault should be allowed to exist. In this case, this value shall be taken as the max. time the weakest human can handle at the max battery voltage before it causes any temporary or permanent injury. | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 6 | SR006 | [f, g] Notify the driver with a warning indication within xxx seconds of detection of a high voltage exposure risk | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 6.1 | SR010 | The driver shall be notified upon entry into Degraded state | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 6.2 | SR011 | The driver shall be notified upon entry into safe state | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 6.2.1 | SR009 | The driver should be notified if the system is unable to enter safe state | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 7 | SR007 | [i] A fault through an exposure to high voltage error shall override all other vehicle-level functions | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | Master controller |
| 8 | SR008 | In case of emergency, the driver should be able to emergency-disconnect the battery from the vehicle | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | SR003 (ASIL D) | Emergency switch, Master controller |
| 9 | SR012 | Prevent battery from operating outside temperature SOA | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | SR015 (ASIL D), SR017 (ASIL D), SR019 (ASIL D), SR020 (ASIL D), SR023 (ASIL D), SR025 (ASIL D), SR024 (ASIL D), SR060 (ASIL D) | | Master controller |
| 10 | SR013 | Prevent battery from operating outside voltage SOA | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | SR032 (ASIL D), SR029 (ASIL D), SR027 (ASIL D), SR035 (ASIL D), SR036 (ASIL D), SR028 (ASIL D), SR037 (ASIL D), SR061 (ASIL D) | | Master controller |
| 11 | SR014 | Prevent battery from operating outside current SOA | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | SR043 (ASIL D), SR040 (ASIL D), SR038 (ASIL D), SR046 (ASIL D), SR047 (ASIL D), SR039 (ASIL D), SR048 (ASIL D), SR062 (ASIL D) | | Master controller |
| 12 | SR015 | [a] Implement methods to avoid battery operation at temperatures outside the safe operating range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller |
| 13 | SR017 | [b] Detect when the battery is operating in over- or under-temperature | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller, Slave board(s) |
| 13.1 | SR018 | Detect when the battery is in an undertemperature condition | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Slave board(s) |
| 13.2 | SR016 | Detect when the battery is in an overtemperature condition | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Slave board(s) |
| 13.3 | SR057 | Detect when the battery is entering / about to enter thermal runaway | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | |
| 14 | SR019 | [c] Safe state: disconnect the battery when operating outside the safe operating range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller, Contactors |
| 14.1 | SR022 | The BMS shall transition to a safe state within XXX seconds when an under-temperature condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Contactors |
| 14.2 | SR021 | The BMS shall transition to a safe state within XXX seconds when an over-temperature condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Contactors |
| 15 | SR020 | [d] The battery shall not be allowed to operate in overtemperature or undertemperature conditions for more than xxx seconds | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller |
| 16 | SR023 | [e] Degradation: limit battery charging and discharging currents when the battery is approaching over- and undertemperature conditions | The maximum allowed battery charging and discharging current shall be defined based on a map of battery temperature vs. max allowed currents | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller |
| 17 | SR025 | [f] Notify: notify the driver when the battery has breached the safe operating temperature range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller |
| 18 | SR024 | [g] Notify the driver when the battery is approaching temperature range violations | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | Master controller |
| 19 | SR027 | [a] Implement methods to avoid battery operation at voltages outside the safe operating range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller, Slave board(s) |
| 20 | SR028 | [g] Notify the driver when the battery is approaching voltage range violations | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller |
| 21 | SR029 | [d] The battery shall not be allowed to charge or discharge for more than its FTTI when the voltage is outside SOA | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller, Contactors |
| 21.1 | SR030 | The BMS shall transition to a safe state within XXX seconds when an over-voltage condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Contactors |
| 21.2 | SR031 | The BMS shall transition to a safe state within XXX seconds when an under-voltage condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Contactors |
| 22 | SR032 | [b] Detect when the battery is operating in over- or under-voltage | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller, Slave board(s) |
| 22.1 | SR033 | Detect when the battery is in an undervoltage condition | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Slave board(s) |
| 22.2 | SR034 | Detect when the battery is in an overvoltage condition | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Slave board(s) |
| 23 | SR035 | [c] Safe state: disconnect the battery when operating outside the safe operating voltage range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller, Contactors |
| 24 | SR036 | [e] Degradation: limit battery charging and discharging currents when the battery is approaching over- and under-voltage conditions | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller |
| 25 | SR037 | [f] Notify: notify the driver when the battery has breached the safe operating voltage range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | Master controller |
| 26 | SR038 | [a] Avoidance: provide the max permissible charging and discharging current | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller |
| 27 | SR039 | [g] Notify the driver when the battery is approaching current range violations | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller |
| 28 | SR040 | [d] Overcurrent during charge and discharge shall be allowed for not more than xxx seconds continuously | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller, Current sense |
| 28.1 | SR041 | The BMS shall transition to a safe state within XXX seconds when an over-current during charging condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Current sense |
| 28.2 | SR042 | The BMS shall transition to a safe state within XXX seconds when an under-current during discharging condition is detected | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Current sense |
| 29 | SR043 | [b] Detect when the battery is operating in an over-current condition during charging and discharging | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller, Current sense |
| 29.1 | SR050 | Detect an over-current condition during discharging | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Current sense |
| 29.2 | SR049 | Detect an over-current condition during charging | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | Master controller, Current sense |
| 30 | SR046 | [c] Safe state: disconnect the battery when operating outside the safe operating range | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller, Contactors |
| 31 | SR047 | [e] Degradation: limit battery charging and discharging currents when the battery is approaching over-voltage and over-temperature conditions | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller |
| 32 | SR048 | [f] Notify: notify the driver when the battery has breached the safe operating current limit | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | Master controller |
| 33 | SR051 | [a] Provide an alternate communication path for critical signals | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G003 (ASIL D) | | | Master controller |
| 34 | SR052 | [b] Provide a mechanism to detect faulty hardware and software signals | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G003 (ASIL D) | | | Master controller |
| 35 | SR053 | [c, e] Transition the vehicle to limp mode upon detection of faulty signals | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G003 (ASIL D) | | | Master controller |
| 36 | SR054 | [d] Fault tolerance (TBD) | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G003 (ASIL D) | | | |
| 37 | SR055 | [f] Notify the driver upon encountering communication failures | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G003 (ASIL D) | | | Master controller |
| 38 | SR056 | Prevent battery from operating outside pressure SOA | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | | |
| 39 | SR059 | [h] The battery shall enter safe state in a maximum of xxx seconds | Note: the FHTI shall be less than the FTTI [d] | FUNCTIONAL | D | | | | no traced events | PROPOSED | G001 (ASIL D) | | | |
| 40 | SR060 | [h] The battery shall be put in safe state within xxx seconds of the detection of a temperature SOA breach fault | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR012 (ASIL D) | |
| 41 | SR061 | [h] The battery shall be put in safe state within xxx seconds of the detection of a voltage SOA breach fault | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR013 (ASIL D) | |
| 42 | SR062 | [h] Transition to safe state within xxx seconds of detection of a current limit breach | | FUNCTIONAL | D | | | | no traced events | PROPOSED | G002 (ASIL D) | | SR014 (ASIL D) | |