Software Safety Requirements Specification

Document ID	Rev	Date	Classification
ISO-SSR-001 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-001 IT-030 QT-002 UT-012	1.0	2026-03-21	Confidential

Revision History

Rev	Date	Author	Reviewer	Description
1.0	2026-03-21	An Dao	--	Initial release

1. Purpose

This document specifies the software safety requirements for the foxBMS 2 POSIX port per ISO 26262 Part 6 Clause 6. It defines the safety goals, derives Fault Tolerant Time Intervals (FTTI) from the DIAG configuration, and documents the diagnostic coverage provided by the threshold counter mechanism.

2. Scope

Safety requirements for all ASIL D software functions in the BMS, including voltage, current, and temperature monitoring, contactor control, and fault management.

3. References

ID	Title
[SYS.2-001]	System Requirements Specification
[SWE.1-001]	Software Requirements Specification
[SWE.3-001]	Software Detailed Design
ISO 26262:2018	Part 6, Clauses 6-10
ISO 26262:2018	Part 5, Clause 7 (HSI)

4. Definitions

Term	Definition
FTTI	Fault Tolerant Time Interval -- maximum time from fault occurrence to reaching a safe state
Safe state	Contactors open, battery disconnected from load
Diagnostic coverage	Percentage of faults detectable by the diagnostic mechanism
Single-point fault	A fault that directly leads to a safety goal violation

5. Safety Goals

The following safety goals are derived from the hazard and risk analysis for a battery management system. Each is classified ASIL D.

🔒 HITL-LOCK: SAFETY-GOALS

ID	Safety Goal	ASIL	Safe State
SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more	Prevent battery cell overvoltage leading to thermal runaway	D	Open all contactors
SG-002 ↓ Traces Down HZ-002 SSR-002 SSR-009 SSR-042	Prevent battery cell undervoltage leading to cell damage or reversal	D	Open all contactors
SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	Prevent battery overcurrent leading to thermal damage	D	Open all contactors
SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	Prevent operation outside safe temperature range	D	Open all contactors
SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	Prevent unintended battery re-energization after fault	D	Maintain contactors open; require dual-condition exit

6. Fault Tolerant Time Interval (FTTI) Analysis

The FTTI for each safety-relevant fault is derived from the DIAG configuration: threshold count, evaluation delay, and the 100 ms BMS task cycle.

FTTI = (threshold x delay) + BMS_task_cycle + contactor_open_time

Where: - threshold is the DIAG counter limit - delay is the minimum re-evaluation interval - BMS_task_cycle = 100 ms (worst case for BMS to read FATAL flag) - contactor_open_time = 10 ms (contactor driver response)

6.1 FTTI Calculation Table

Safety Goal	DIAG ID	Threshold	Delay (ms)	Max Detection Time (ms)	BMS Cycle (ms)	Contactor (ms)	FTTI (ms)
SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more (OV)	CELL_VOLTAGE_OVERVOLTAGE_MSL	50	200	10000	100	10	10110
SG-002 ↓ Traces Down HZ-002 SSR-002 SSR-009 SSR-042 (UV)	CELL_VOLTAGE_UNDERVOLTAGE_MSL	50	200	10000	100	10	10110
SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052 (OC discharge)	OVERCURRENT_DISCHARGE_CELL_MSL	10	100	1000	100	10	1110
SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052 (OC charge)	OVERCURRENT_CHARGE_CELL_MSL	10	100	1000	100	10	1110
SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052 (String OC)	STRING_OVERCURRENT_DISCHARGE_MSL	10	100	1000	100	10	1110
SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052 (Pack OC)	PACK_OVERCURRENT_DISCHARGE_MSL	10	100	1000	100	10	1110
SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more (OT disch)	TEMP_OVERTEMPERATURE_DISCHARGE_MSL	500	1000	500000	100	10	500110
SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more (UT disch)	TEMP_UNDERTEMPERATURE_DISCHARGE_MSL	500	1000	500000	100	10	500110
SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more (OT charge)	TEMP_OVERTEMPERATURE_CHARGE_MSL	500	1000	500000	100	10	500110
SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more (UT charge)	TEMP_UNDERTEMPERATURE_CHARGE_MSL	500	1000	500000	100	10	500110
SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051 (deep disch)	DEEP_DISCHARGE_DETECTED	1	100	100	100	10	210

6.2 FTTI Justification

Category	FTTI	Justification
Overcurrent	~1.1 s	Current faults progress rapidly; low threshold (10) ensures fast detection
Overvoltage / Undervoltage	~10.1 s	Voltage changes are bounded by charge/discharge rate; moderate threshold (50) balances noise rejection and response time
Temperature	~500 s (~8.3 min)	Thermal events have large time constants (minutes to hours); high threshold (500) with 1 s delay appropriate for physical dynamics
Deep discharge	~0.21 s	Single-event detection; immediate risk of cell reversal at very low voltage
System critical	0.11 s	SYSTEM_MONITORING, FLASHCHECKSUM, ALERT_MODE have threshold=1 and delay=0; immediate detection

7. Software Safety Requirements

7.1 Fault Detection Requirements

🔒 HITL-LOCK: SSR-FAULT-DETECT

ID	Requirement	Safety Goal	ASIL
SSR-001 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-001 IT-030 QT-002 UT-012	The software shall detect cell overvoltage above 2800 mV within the FTTI of 10.1 seconds.	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more	D
SSR-002 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down FM-002 FM-019 IT-031 QT-003 UT-013	The software shall detect cell undervoltage below 1500 mV within the FTTI of 10.1 seconds.	SG-002 ↓ Traces Down HZ-002 SSR-002 SSR-009 SSR-042	D
SSR-003 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +12 more ↓ Traces Down FM-008 FM-018 IT-036 QT-004 UT-016	The software shall detect cell discharge overcurrent above 180000 mA within the FTTI of 1.1 seconds.	SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	D
SSR-004 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-012 FM-013 FM-014 IT-037 QT-004 UT-017	The software shall detect cell charge overcurrent above 180000 mA within the FTTI of 1.1 seconds.	SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	D
SSR-005 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-003 IT-032 QT-005 UT-018	The software shall detect overtemperature discharge above 55 deg C within the FTTI of 500.1 seconds.	SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-006 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-004 IT-033 QT-005 UT-019	The software shall detect undertemperature discharge below -20 deg C within the FTTI of 500.1 seconds.	SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-007 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-005 IT-034 QT-005 UT-020	The software shall detect overtemperature charge above 45 deg C within the FTTI of 500.1 seconds.	SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-008 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down FM-006 IT-035 QT-005 UT-021	The software shall detect undertemperature charge below -20 deg C within the FTTI of 500.1 seconds.	SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-009 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down FM-007 IT-038 QT-003 UT-014	The software shall detect deep discharge (cell voltage <= 1500 mV) within 0.21 seconds and latch the fault.	SG-002 ↓ Traces Down HZ-002 SSR-002 SSR-009 SSR-042 , SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D
SSR-010 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +10 more ↓ Traces Down FM-009 FM-010 FM-011 FM-015 FM-016 FM-017 IT-039	The software shall detect current on an open string within 1.1 seconds.	SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	D

7.2 Fault Reaction Requirements

🔒 HITL-LOCK: SSR-FAULT-REACT

ID	Requirement	Safety Goal	ASIL
SSR-020 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +14 more ↓ Traces Down IT-024 QT-002 QT-005 UT-033	Upon detection of any MSL violation (FATAL), the software shall transition the BMS to ERROR state.	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-021 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +9 more ↓ Traces Down IT-051 QT-002 UT-034	In ERROR state, the software shall command all three contactors (string+, string-, precharge) to open within one BMS task cycle (100 ms).	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-022 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down IT-025 QT-002 UT-035	The software shall not permit the BMS to exit ERROR state unless the originating fault condition has cleared.	SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D
SSR-023 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down IT-025 QT-002 UT-035	The software shall not permit the BMS to exit ERROR state unless an explicit STANDBY request has been received via CAN.	SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D
SSR-024 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down IT-025 QT-007 UT-036	SSR-022 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down IT-025 QT-002 UT-035 and SSR-023 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +6 more ↓ Traces Down IT-025 QT-002 UT-035 must both be satisfied simultaneously for ERROR exit (AND condition).	SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D

7.3 Diagnostic Coverage Requirements

🔒 HITL-LOCK: SSR-DIAG-COV

ID	Requirement	Safety Goal	ASIL
SSR-030 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +10 more ↓ Traces Down IT-040 QT-007 UT-007	The DIAG module shall provide debounced fault detection with configurable threshold counters per diagnostic ID.	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-031 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down IT-040 IT-041 QT-005 UT-004	The DIAG module shall prevent false FATAL triggers from transient measurement noise through threshold counting.	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-032 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +10 more ↓ Traces Down IT-042 QT-004 UT-001 UT-003	The DIAG module shall detect persistent faults by incrementing the counter on each evaluation cycle until the threshold is reached.	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-033 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +8 more ↓ Traces Down IT-040 QT-002 UT-002	The DIAG module shall allow fault recovery by decrementing the counter when the fault condition clears.	SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D

7.4 Communication Safety Requirements

🔒 HITL-LOCK: SSR-COMM-SAFETY

ID	Requirement	Safety Goal	ASIL
SSR-040 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +8 more ↓ Traces Down QT-006	The software shall detect loss of CAN communication within the configured FTTI (100 events x 200 ms = 20 seconds).	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D
SSR-041 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down QT-006	The software shall detect loss of current sensor communication within the configured FTTI (100 events x 200 ms = 20 seconds).	SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	D
SSR-042 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +10 more ↓ Traces Down QT-009 QT-014 UT-007	The software shall detect AFE communication failure within the configured FTTI (5 events x 100 ms = 0.5 seconds).	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more , SG-002 ↓ Traces Down HZ-002 SSR-002 SSR-009 SSR-042 , SG-004 ↓ Traces Down HZ-004 SSR-005 SSR-006 SSR-007 SSR-008 SSR-020 SSR-021 SSR-030 +4 more	D

7.5 Contactor Safety Requirements

🔒 HITL-LOCK: SSR-CONTACTOR

ID	Requirement	Safety Goal	ASIL
SSR-050 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down IT-052 UT-062	The software shall monitor contactor feedback and detect mismatches within the configured FTTI (20 events x 100 ms = 2 seconds).	SG-001 ↓ Traces Down HZ-001 SSR-001 SSR-020 SSR-021 SSR-030 SSR-031 SSR-032 SSR-040 +2 more to SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D
SSR-051 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +8 more ↓ Traces Down IT-021 QT-001 UT-031	The software shall not close contactors unless the BMS is in a state that permits contactor closure (PRECHARGE or NORMAL).	SG-005 ↓ Traces Down HZ-005 SSR-009 SSR-022 SSR-023 SSR-024 SSR-033 SSR-050 SSR-051	D
SSR-052 ↑ Traces Up HZ-001 HZ-002 HZ-003 HZ-004 HZ-005 HZ-006 HZ-007 HZ-008 +7 more ↓ Traces Down IT-051 QT-002 UT-060	The software shall respect the contactor maximum break current limit of 3500 mA during normal disconnect sequences.	SG-003 ↓ Traces Down HZ-003 SSR-003 SSR-004 SSR-010 SSR-041 SSR-052	C

8. Diagnostic Coverage Summary

8.1 Coverage by Fault Category

Fault Category	Detection Mechanism	Diagnostic Coverage	ASIL
Cell overvoltage	SOA voltage check + DIAG counter	High (99%) -- periodic comparison every 100 ms	D
Cell undervoltage	SOA voltage check + DIAG counter	High (99%) -- periodic comparison every 100 ms	D
Overcurrent	SOA current check + DIAG counter	High (99%) -- periodic comparison every 100 ms	D
Overtemperature	SOA temperature check + DIAG counter	High (99%) -- periodic comparison every 100 ms	D
Contactor failure	Feedback pin monitoring + DIAG counter	Medium (90%) -- electromechanical failure modes	D
CAN communication	Timing supervision + DIAG counter	Medium (90%) -- bus-level faults detectable	D
AFE communication	SPI integrity check + DIAG counter	Medium (90%) -- protocol-level faults	D
Deep discharge	Voltage comparison, single-event trigger	High (99%) -- threshold = 1	D

8.2 POSIX Port Diagnostic Coverage

In the POSIX SIL environment, 61 of 85 DIAG IDs (72%) are retained and exercisable. The 24 suppressed IDs cover hardware-specific faults that cannot be meaningfully triggered without physical hardware. This represents 100% coverage of all software-checkable safety paths.

9. Freedom from Interference

9.1 Data Independence

The database module enforces single-writer-per-entry discipline, preventing data corruption between modules of different ASIL levels.

9.2 Execution Independence

The cooperative main loop executes tasks sequentially. There is no preemption, so there are no race conditions or priority inversions. Each task runs to completion before the next begins.

9.3 Temporal Independence

Each DIAG entry has an independent evaluation delay and threshold counter. A fault in one measurement category does not affect the detection timing of another category.

10. Acceptance Criteria

This document is accepted when:

All FTTI values are verified through integration testing (SWE.5-001).
All safety requirements (SSR-xxx) are traced to test cases.
Diagnostic coverage claims are supported by test evidence.
The safety path (SOA -> DIAG -> BMS -> Contactor) is demonstrated end-to-end.

End of Document

← Part 5: FMEA Part 6: FTTI →