// === Description === // Adaptive Cruise Control — Laengsregelung fuer Kraftfahrzeuge. Haelt // die vom Fahrer vorgewaehlte Wunschgeschwindigkeit, verringert sie // aber automatisch, sobald ein langsameres Fahrzeug im Zeitabstand // (Time Gap) erkannt wird. Erkennung ueber 77-GHz-Radar und Front- // kamera mit Sensor-Fusion, Ansteuerung ueber Motor-Drehmoment- und // Bremsdruck-Anforderung. Bremsverzoegerung maximal 0,2 g gemaess // ISO 15622; bei Systemfehler wird ACC deaktiviert und der Fahrer zur // Uebernahme aufgefordert. Redundante CAN-Busse und Stromversorgung. // Sicherheitsziel ASIL C nach ISO 26262, Bremskoordination konform // UN-ECE R13-H. // === End Description === // FtaDSL Adaptive Cruise Control (ACC) // // Autor: Wolfgang Freese, Overath (Germany) // April 2026 // Version 2.0 - vollstaendiger Neuaufbau auf Basis recherchierter Quellen // // Systemklassifikation: // ASIL C gemaess ISO 26262 (branchenuebliche Einordnung fuer ACC) // // Anwendbare Normen (per Web-Recherche April 2026 verifiziert): // ISO 15622:2018 - ACC Performance Requirements and Test Procedures // (inkl. FSRA und LSRA Varianten; DIS-Revision in Vorbereitung) // ISO 22179:2009 - Full Speed Range ACC (FSRA) // Hinweis: FSRA reagiert nicht auf stehende/langsame Objekte // UN-ECE R13-H - Bremsenregelung (Konformitaet erforderlich) // ISO 26262 - Road vehicles - Functional Safety // // Quantitative Eigenschaften laut ISO 15622 / ISO 22179: // - Maximale ACC-Verzoegerung: 0.2 g (harte Obergrenze; LIT-EXACT) // - FSRA: Standstill bis System-Hoechstgeschwindigkeit // - FSRA ist nicht verpflichtet auf stehende Objekte zu reagieren // // Sensor-Architektur (Bosch / Wikipedia ACC): // - 77 GHz Radar (Reichweite ~160 m, Distanz + Relativgeschwindigkeit) // - Front-Kamera (hier: Mono-Kamera gewaehlt; LLM-INFERRED Auswahl) // - Sensor-Fusion erzeugt Objektliste // // Regel-Architektur: // - ACC-Controller berechnet Zeitluecke und Zielgeschwindigkeit // - Ausgabe an Engine Control (Torque) und Brake Control (Deceleration) // - Bremslicht-Aktivierung bei Verzoegerung (Teil der Brake Control, hier nicht modelliert) // - Kommunikation ueber CAN-Bus (typ. A/B redundant fuer ASIL C) // // Hazards (aus Industrie-Sicherheitsanalysen): // - Radar fehlinterpretiert Abstand (metallische Interferenz, Wetter) // - Software-Verzoegerung bei Bremsbefehl // - Hardware-Fehler im Bremsaktuator // - Kamera verdeckt / geblendet (Sonne, Regen, Schmutz) // - Nichtreaktion auf stehendes Objekt = bekannte FSRA-Grenze (kein Fehler) // // Failure-Reaction (ISO 15622): // - ACC deaktivieren // - Fahrer warnen (visuell; optional akustisch) // - Hand-Over an Fahrer // // Fault Modes (konsistent verwendet): // Distance_Misread - Abstandsmessung fehlerhaft (Radar) // Velocity_Misread - Relativgeschwindigkeit fehlerhaft (Radar) // Sensor_Blinded - Sensor geblendet (Wetter, Sonne, Schmutz) // Object_Misclassified - Objektklasse falsch (Kamera) // Object_NotDetected - Zielobjekt nicht erkannt // Object_Ghost - Falscherkennung (false positive) // Data_Stale - Daten veraltet // TimeGap_Miscalculated - Zeitluecke falsch berechnet // Speed_Misread - Geschwindigkeit fehlerhaft // Decel_Exceeded - Angeforderte Verzoegerung ueber 0.2 g // BrakeCmd_Missing - Bremsbefehl fehlt (TLE-Event) // BrakeCmd_Spurious - ungewollter Bremsbefehl // BrakeCmd_Weak - Bremsbefehl zu schwach // ThrottleCmd_Runaway - Gasanforderung unkontrolliert hoch // Warning_Missing - Warnung an Fahrer fehlt // HandOver_Missing - Uebergabe an Fahrer fehlt // Power_Lost - Spannungsversorgung verloren // Bus_Silent - CAN-Bus ohne Kommunikation // Bus_Stuck - CAN-Bus auf festem Wert // // Top Level Event (TLE): // SafeDistanceNotMaintained - der vom ACC geforderte Bremsbefehl erreicht // die Bremse nicht, obwohl der Abstand unterschritten wird. // Single-Literal auf BrakeRequest.BrakeCmd_Missing (primaere ASIL-C-Gefaehrdung). // Warnungs-Faults werden NICHT in die TLE aufgenommen (ASIL A/B, nicht das // Sicherheitsziel; analog zur AEB-Begruendung). // // MCSA-Aufruf: // mcsa ACC/ACC.txt 3 FUNCTION ACC INPUT RadarReturn INPUT CameraImage INPUT VehicleSpeed_Raw INPUT YawRate_Raw INPUT DriverSetSpeed INPUT DriverGapSetting INPUT BrakePedalSensor INPUT AcceleratorPedalSensor INPUT ABS_Status INPUT Pwr_A_Feed INPUT Pwr_B_Feed INPUT CAN_A_Traffic INPUT CAN_B_Traffic OUTPUT BrakeRequest OUTPUT ThrottleRequest OUTPUT ACC_Status OUTPUT Warning_Visual OUTPUT Warning_Acoustic // ================================================================ // Sensor Layer // ================================================================ FUNCTION Radar_Sensor INPUT RadarIn OUTPUT RadarTrack FUNCTION Radar_SignalCond INPUT InRaw OUTPUT OutCond // Provenance: LLM-INFERRED - typische Signal-Konditionierung (Anti-Aliasing, Framing) vor dem Tracker OIM OutCond.Sensor_Blinded.InRaw.Sensor_Blinded // Provenance: LLM-INFERRED - Stale-Weiterleitung OIM OutCond.Data_Stale.InRaw.Data_Stale END FUNCTION FUNCTION Radar_Internal INPUT InRaw OUTPUT OutTrack // Provenance: LIT-GENERAL - 77 GHz Radar liefert Distanz+Relativgeschwindigkeit (Bosch/Wikipedia); Blinding (Wetter) aus Industrie-HARA OIM OutTrack.Distance_Misread.OR(InRaw.Sensor_Blinded; InRaw.Data_Stale) // Provenance: LIT-GENERAL - Radar liefert Doppler-Geschwindigkeit; Ausfall bei Blinding oder stale OIM OutTrack.Velocity_Misread.OR(InRaw.Sensor_Blinded; InRaw.Data_Stale) // Provenance: LIT-GENERAL - Blinding ist dokumentierter Radar-Hazard (metallische Interferenz, Wetter) OIM OutTrack.Sensor_Blinded.InRaw.Sensor_Blinded // Provenance: LLM-INFERRED - Ghost-Detection bei Blinding (common radar failure mode, nicht namentlich in Quellen) OIM OutTrack.Object_Ghost.InRaw.Sensor_Blinded // Provenance: LIT-GENERAL - Nicht-Erkennung bei Blinding oder stale Daten OIM OutTrack.Object_NotDetected.OR(InRaw.Sensor_Blinded; InRaw.Data_Stale) // Provenance: LLM-INFERRED - Stale propagiert direkt OIM OutTrack.Data_Stale.InRaw.Data_Stale END FUNCTION INT ifRadar_Cond_In.Radar_Sensor.IN.RadarIn.Radar_SignalCond.IN.InRaw INT ifRadar_Cond_Out.Radar_SignalCond.OUT.OutCond.Radar_Internal.IN.InRaw INT ifRadar_Track.Radar_Internal.OUT.OutTrack.Radar_Sensor.OUT.RadarTrack END FUNCTION FUNCTION Camera_Sensor INPUT CamIn OUTPUT CameraTrack FUNCTION Camera_SignalCond INPUT InRaw OUTPUT OutCond // Provenance: LLM-INFERRED - typische Kamera-Signalkonditionierung (Debayering, AGC) vor der Klassifikation OIM OutCond.Sensor_Blinded.InRaw.Sensor_Blinded // Provenance: LLM-INFERRED - Stale-Weiterleitung OIM OutCond.Data_Stale.InRaw.Data_Stale END FUNCTION FUNCTION Camera_Internal INPUT InRaw OUTPUT OutTrack // Provenance: LIT-GENERAL - Kamera-Blinding durch Sonne, Regen, Schmutz (Industrie-HARA, Wikipedia ACC) OIM OutTrack.Sensor_Blinded.InRaw.Sensor_Blinded // Provenance: LIT-GENERAL - Objektklassifikation ist Kern-Aufgabe der Kamera; Fehler bei Blinding/stale OIM OutTrack.Object_Misclassified.OR(InRaw.Sensor_Blinded; InRaw.Data_Stale) // Provenance: LIT-GENERAL - Kamera-Nichterkennung bei Blinding/stale OIM OutTrack.Object_NotDetected.OR(InRaw.Sensor_Blinded; InRaw.Data_Stale) // Provenance: LLM-INFERRED - Ghost bei Blinding (typische Kamera-False-Positive-Ursache) OIM OutTrack.Object_Ghost.InRaw.Sensor_Blinded // Provenance: LLM-INFERRED - Stale propagiert direkt OIM OutTrack.Data_Stale.InRaw.Data_Stale END FUNCTION INT ifCam_Cond_In.Camera_Sensor.IN.CamIn.Camera_SignalCond.IN.InRaw INT ifCam_Cond_Out.Camera_SignalCond.OUT.OutCond.Camera_Internal.IN.InRaw INT ifCam_Track.Camera_Internal.OUT.OutTrack.Camera_Sensor.OUT.CameraTrack END FUNCTION FUNCTION ObjectTracker INPUT RadarIn INPUT CameraIn OUTPUT TrackedObjects // Provenance: LIT-GENERAL - Tracker verliert Objekt wenn beide Sensoren es verlieren (ISO 26262 HARA Praxis) OIM TrackedObjects.Object_NotDetected.AND(RadarIn.Object_NotDetected; CameraIn.Object_NotDetected) // Provenance: LLM-INFERRED - Ghost-Zurueckweisung, wenn nur ein Sensor Ghost meldet; Ghost ueberlebt nur bei Uebereinstimmung OIM TrackedObjects.Object_Ghost.AND(RadarIn.Object_Ghost; CameraIn.Object_Ghost) // Provenance: LIT-GENERAL - Distanz primaer aus Radar (Kamera-Ausfall propagiert nur, wenn Radar ebenfalls ausfaellt) OIM TrackedObjects.Distance_Misread.RadarIn.Distance_Misread // Provenance: LIT-GENERAL - Relativgeschwindigkeit primaer aus Radar-Doppler OIM TrackedObjects.Velocity_Misread.RadarIn.Velocity_Misread // Provenance: LLM-INFERRED - Stale wenn beide Quellen stale OIM TrackedObjects.Data_Stale.AND(RadarIn.Data_Stale; CameraIn.Data_Stale) END FUNCTION FUNCTION SensorFusion INPUT RadarIn INPUT CameraIn INPUT TrackerIn OUTPUT ObjectList // Provenance: LIT-GENERAL - Konsens-Fusion: Objekt-Verlust erfordert uebereinstimmenden Ausfall aller Quellen (ISO 26262 HARA Praxis) OIM ObjectList.Object_NotDetected.AND(RadarIn.Object_NotDetected; CameraIn.Object_NotDetected; TrackerIn.Object_NotDetected) // Provenance: LIT-GENERAL - Ghost-Unterdrueckung durch Kreuzpruefung OIM ObjectList.Object_Ghost.TrackerIn.Object_Ghost // Provenance: LIT-GENERAL - Distanzfehler propagiert vom Radar (Primaerquelle) OIM ObjectList.Distance_Misread.RadarIn.Distance_Misread // Provenance: LIT-GENERAL - Geschwindigkeitsfehler propagiert vom Radar OIM ObjectList.Velocity_Misread.RadarIn.Velocity_Misread // Provenance: LIT-GENERAL - Misklassifikation propagiert von der Kamera OIM ObjectList.Object_Misclassified.CameraIn.Object_Misclassified // Provenance: LLM-INFERRED - Stale nur bei gemeinsamer Veralterung OIM ObjectList.Data_Stale.AND(RadarIn.Data_Stale; CameraIn.Data_Stale) END FUNCTION // ================================================================ // Vehicle State Sources // ================================================================ FUNCTION VehicleSpeedSource INPUT VSp_Raw OUTPUT VSp // Provenance: LLM-INFERRED - Standard Sensor-Source-Pattern OIM VSp.Speed_Misread.VSp_Raw.Data_Stale // Provenance: LLM-INFERRED - Stale propagiert direkt OIM VSp.Data_Stale.VSp_Raw.Data_Stale END FUNCTION FUNCTION YawRateSource INPUT YR_Raw OUTPUT YR // Provenance: LLM-INFERRED - Standard Sensor-Source-Pattern OIM YR.Data_Stale.YR_Raw.Data_Stale END FUNCTION // ================================================================ // Driver Input Layer // ================================================================ FUNCTION DriverInputMonitor INPUT SetSpeedIn INPUT GapSettingIn OUTPUT DriverRequest // Provenance: LLM-INFERRED - Fahrerwunsch kann veralten (keine normative Quelle fuer diese Boolean-Form) OIM DriverRequest.Data_Stale.OR(SetSpeedIn.Data_Stale; GapSettingIn.Data_Stale) END FUNCTION FUNCTION DriverPedalMonitor INPUT BrakePedalIn INPUT AccelPedalIn OUTPUT PedalStatus // Provenance: LIT-GENERAL - ISO 15622 fordert Fahrer-Override; Bremspedal verlangt ACC-Deaktivierung OIM PedalStatus.BrakeCmd_Spurious.BrakePedalIn.BrakeCmd_Missing // Provenance: LLM-INFERRED - unerkannter Brems-Override blockiert Bremsanforderung OIM PedalStatus.BrakeCmd_Missing.BrakePedalIn.BrakeCmd_Missing // Provenance: LLM-INFERRED - unerkannter Gas-Override kann Throttle-Runaway begunstigen OIM PedalStatus.ThrottleCmd_Runaway.AccelPedalIn.Data_Stale END FUNCTION // ================================================================ // Control Layer // ================================================================ FUNCTION TimeGapController INPUT ObjIn INPUT VSpIn INPUT DriverIn OUTPUT GapCmd // Provenance: LIT-GENERAL - Zeitluecke beruht auf Objektdistanz und Fahrzeuggeschwindigkeit (ISO 15622 Time-Gap-Konzept) OIM GapCmd.TimeGap_Miscalculated.OR(ObjIn.Distance_Misread; ObjIn.Velocity_Misread; VSpIn.Speed_Misread; DriverIn.Data_Stale) // Provenance: LIT-GENERAL - Keine Bremsung bei Object_NotDetected (bekannte Ursache fuer BrakeCmd_Missing) OIM GapCmd.BrakeCmd_Missing.ObjIn.Object_NotDetected // Provenance: LIT-GENERAL - Ghost-Objekt loest ungewollte Bremsung aus OIM GapCmd.BrakeCmd_Spurious.ObjIn.Object_Ghost // Provenance: LLM-INFERRED - Stale-Weiterleitung von upstream OIM GapCmd.Data_Stale.OR(ObjIn.Data_Stale; VSpIn.Data_Stale) END FUNCTION FUNCTION SpeedController INPUT VSpIn INPUT DriverIn OUTPUT SpeedCmd // Provenance: LIT-GENERAL - Zielgeschwindigkeit aus Fahrerwunsch und Ist-Geschwindigkeit (ISO 15622) OIM SpeedCmd.Speed_Misread.OR(VSpIn.Speed_Misread; DriverIn.Data_Stale) // Provenance: LLM-INFERRED - Throttle-Runaway bei veralteten Geschwindigkeitsdaten (common failure mode) OIM SpeedCmd.ThrottleCmd_Runaway.VSpIn.Data_Stale // Provenance: LLM-INFERRED - Stale-Weiterleitung von upstream OIM SpeedCmd.Data_Stale.OR(VSpIn.Data_Stale; DriverIn.Data_Stale) END FUNCTION FUNCTION DecelerationLimiter INPUT GapIn OUTPUT LimitedCmd // Provenance: LIT-EXACT - ISO 15622 / ISO 22179 begrenzen ACC-Verzoegerung auf 0.2 g OIM LimitedCmd.Decel_Exceeded.GapIn.TimeGap_Miscalculated // Provenance: LIT-GENERAL - Limiter propagiert BrakeCmd_Missing unveraendert (keine Abschwaechung moeglich) OIM LimitedCmd.BrakeCmd_Missing.GapIn.BrakeCmd_Missing // Provenance: LIT-EXACT - Durch 0.2 g Cap koennen zu grosse Bremsanforderungen auf BrakeCmd_Weak herabgesetzt werden OIM LimitedCmd.BrakeCmd_Weak.GapIn.TimeGap_Miscalculated // Provenance: LIT-GENERAL - Spurious Brake propagiert OIM LimitedCmd.BrakeCmd_Spurious.GapIn.BrakeCmd_Spurious END FUNCTION FUNCTION PlausibilityMonitor INPUT ObjIn INPUT GapIn INPUT VSpIn OUTPUT PlausStatus // Provenance: LLM-INFERRED - Plausibilitaetsmonitor ist branchen-typisch, keine direkte Quelle fuer diese Boolean-Form OIM PlausStatus.BrakeCmd_Spurious.OR(ObjIn.Object_Ghost; GapIn.BrakeCmd_Spurious) // Provenance: LLM-INFERRED - Warnungs-Flag bei veralteten Eingaengen OIM PlausStatus.Warning_Missing.OR(GapIn.Data_Stale; VSpIn.Data_Stale) END FUNCTION // ================================================================ // Arbitration // ================================================================ FUNCTION BrakeRequest_Arbitrator INPUT LimitedIn INPUT PlausIn INPUT PedalIn INPUT ABSIn INPUT PwrIn INPUT BusIn OUTPUT BrakeReq // Provenance: LIT-GENERAL - UN-R13-H fordert Arbitrierung ACC vs ABS/ESC; Ausfall kann Brems-Ausfall bewirken OIM BrakeReq.BrakeCmd_Missing.OR(LimitedIn.BrakeCmd_Missing; PedalIn.BrakeCmd_Missing; PwrIn.Power_Lost; BusIn.Bus_Silent; BusIn.Bus_Stuck) // Provenance: LIT-GENERAL - Plausibilitaets-Trigger oder ABS-Konflikt koennen Spurious Brake ausloesen OIM BrakeReq.BrakeCmd_Spurious.OR(LimitedIn.BrakeCmd_Spurious; PlausIn.BrakeCmd_Spurious; PedalIn.BrakeCmd_Spurious; ABSIn.Data_Stale) // Provenance: LIT-EXACT - 0.2 g Cap kann Bremsbefehl abschwaechen (ISO 15622) OIM BrakeReq.BrakeCmd_Weak.OR(LimitedIn.BrakeCmd_Weak; LimitedIn.Decel_Exceeded; PwrIn.Power_Lost) END FUNCTION FUNCTION EngineTorque_Arbitrator INPUT SpeedIn INPUT PedalIn INPUT PwrIn INPUT BusIn OUTPUT TorqueReq // Provenance: LLM-INFERRED - Throttle-Arbitrierung ist branchen-typisch, keine direkte Norm-Klausel OIM TorqueReq.ThrottleCmd_Runaway.OR(SpeedIn.ThrottleCmd_Runaway; PedalIn.ThrottleCmd_Runaway) // Provenance: LLM-INFERRED - Stale-Weiterleitung von upstream OIM TorqueReq.Data_Stale.OR(SpeedIn.Data_Stale; BusIn.Data_Stale; PwrIn.Power_Lost) END FUNCTION // ================================================================ // Supervision Layer // ================================================================ FUNCTION WatchDog INPUT PwrIn INPUT BusIn OUTPUT WdStatus // Provenance: LLM-INFERRED - Watchdog-Pattern ist branchen-typisch fuer ASIL-C-Systeme, keine Normklausel benannt OIM WdStatus.Warning_Missing.OR(PwrIn.Power_Lost; BusIn.Bus_Silent; BusIn.Bus_Stuck) // Provenance: LLM-INFERRED - HandOver-Trigger bei Power- oder Bus-Ausfall OIM WdStatus.HandOver_Missing.OR(PwrIn.Power_Lost; BusIn.Bus_Silent) END FUNCTION FUNCTION TakeOver_Monitor INPUT WdIn INPUT PlausIn INPUT DriverIn INPUT HealthIn OUTPUT HandOver // Provenance: LIT-GENERAL - ISO 15622 fordert Hand-Over an Fahrer bei Fehler OIM HandOver.HandOver_Missing.OR(WdIn.HandOver_Missing; DriverIn.Data_Stale; HealthIn.HandOver_Missing) // Provenance: LIT-GENERAL - ISO 15622 fordert Fahrerwarnung bei Fehler OIM HandOver.Warning_Missing.OR(WdIn.Warning_Missing; PlausIn.Warning_Missing; HealthIn.Warning_Missing) END FUNCTION FUNCTION SafetyStateMachine INPUT BrakeIn INPUT TorqueIn INPUT HandIn OUTPUT SafeBrake OUTPUT SafeTorque OUTPUT SafeStatus // Provenance: LIT-GENERAL - Ausfallreaktion "ACC deaktivieren" propagiert BrakeCmd_Missing durch die State Machine (ISO 15622) OIM SafeBrake.BrakeCmd_Missing.OR(BrakeIn.BrakeCmd_Missing; HandIn.HandOver_Missing) // Provenance: LIT-GENERAL - Spurious propagiert unveraendert OIM SafeBrake.BrakeCmd_Spurious.BrakeIn.BrakeCmd_Spurious // Provenance: LIT-GENERAL - Weak propagiert unveraendert (keine Verstaerkung durch State Machine moeglich) OIM SafeBrake.BrakeCmd_Weak.BrakeIn.BrakeCmd_Weak // Provenance: LLM-INFERRED - Torque-Ausgang spiegelt Throttle-Runaway und State-Machine-Fehler OIM SafeTorque.ThrottleCmd_Runaway.TorqueIn.ThrottleCmd_Runaway // Provenance: LIT-GENERAL - ACC-Status signalisiert Abschaltung OIM SafeStatus.Warning_Missing.HandIn.Warning_Missing // Provenance: LIT-GENERAL - HandOver-Status propagiert OIM SafeStatus.HandOver_Missing.HandIn.HandOver_Missing END FUNCTION // ================================================================ // HMI Layer // ================================================================ FUNCTION WarningCoordinator INPUT SafeIn INPUT HandIn INPUT PwrIn OUTPUT WarnVisual OUTPUT WarnAcoustic // Provenance: LIT-GENERAL - ISO 15622 fordert visuelle Warnung OIM WarnVisual.Warning_Missing.OR(SafeIn.Warning_Missing; HandIn.Warning_Missing; PwrIn.Power_Lost) // Provenance: LIT-GENERAL - ISO 15622 erlaubt optional akustische Warnung OIM WarnAcoustic.Warning_Missing.OR(SafeIn.Warning_Missing; HandIn.Warning_Missing; PwrIn.Power_Lost) END FUNCTION FUNCTION HMI_Cluster INPUT WarnIn INPUT PwrIn OUTPUT ClusterOut // Provenance: LIT-GENERAL - Cluster-Visual-Warnung ist Standard-Auslieferung fuer ACC-Status (ISO 15622) OIM ClusterOut.Warning_Missing.OR(WarnIn.Warning_Missing; PwrIn.Power_Lost) END FUNCTION FUNCTION HMI_Chime INPUT WarnIn INPUT PwrIn OUTPUT ChimeOut // Provenance: LIT-GENERAL - Akustische Warnung optional per ISO 15622 OIM ChimeOut.Warning_Missing.OR(WarnIn.Warning_Missing; PwrIn.Power_Lost) END FUNCTION // ================================================================ // Infrastructure (Power and Bus) // ================================================================ FUNCTION PowerSupply_A INPUT PwrInA OUTPUT PwrOutA // Provenance: LLM-INFERRED - redundante Versorgung fuer ASIL C, typisches Architektur-Pattern OIM PwrOutA.Power_Lost.PwrInA.Power_Lost END FUNCTION FUNCTION PowerSupply_B INPUT PwrInB OUTPUT PwrOutB // Provenance: LLM-INFERRED - redundante Versorgung fuer ASIL C, typisches Architektur-Pattern OIM PwrOutB.Power_Lost.PwrInB.Power_Lost END FUNCTION FUNCTION PowerDistribution INPUT InA INPUT InB OUTPUT OutRail // Provenance: LLM-INFERRED - Verteilung einer Rail aus redundanten Quellen; Ausfall nur bei beidseitigem Power-Lost OIM OutRail.Power_Lost.AND(InA.Power_Lost; InB.Power_Lost) END FUNCTION FUNCTION HealthMonitor INPUT RadarIn INPUT CameraIn INPUT PwrIn OUTPUT HealthStatus // Provenance: LLM-INFERRED - Gesundheitsmonitor fasst Sensor- und Power-Ausfaelle zu einem Warnungs-Flag zusammen OIM HealthStatus.Warning_Missing.OR(RadarIn.Sensor_Blinded; CameraIn.Sensor_Blinded; PwrIn.Power_Lost) // Provenance: LLM-INFERRED - Hand-Over-Signal wenn beide Sensoren geblendet sind OIM HealthStatus.HandOver_Missing.AND(RadarIn.Sensor_Blinded; CameraIn.Sensor_Blinded) END FUNCTION FUNCTION CAN_A INPUT BusInA INPUT PwrIn OUTPUT BusOutA // Provenance: LLM-INFERRED - redundanter CAN-Bus fuer ASIL C, typisches Architektur-Pattern OIM BusOutA.Bus_Silent.OR(BusInA.Bus_Silent; PwrIn.Power_Lost) // Provenance: LLM-INFERRED - Bus-Stuck-Weiterleitung OIM BusOutA.Bus_Stuck.BusInA.Bus_Stuck // Provenance: LLM-INFERRED - Stale-Weiterleitung OIM BusOutA.Data_Stale.BusInA.Data_Stale END FUNCTION FUNCTION CAN_B INPUT BusInB INPUT PwrIn OUTPUT BusOutB // Provenance: LLM-INFERRED - redundanter CAN-Bus fuer ASIL C, typisches Architektur-Pattern OIM BusOutB.Bus_Silent.OR(BusInB.Bus_Silent; PwrIn.Power_Lost) // Provenance: LLM-INFERRED - Bus-Stuck-Weiterleitung OIM BusOutB.Bus_Stuck.BusInB.Bus_Stuck // Provenance: LLM-INFERRED - Stale-Weiterleitung OIM BusOutB.Data_Stale.BusInB.Data_Stale END FUNCTION // ================================================================ // Signal Interfaces (INT) // ================================================================ // Sensor inputs from ACC boundary INT ifRadarIn.ACC.IN.RadarReturn.Radar_Sensor.IN.RadarIn INT ifCamIn.ACC.IN.CameraImage.Camera_Sensor.IN.CamIn // Vehicle state sources INT ifVSpIn.ACC.IN.VehicleSpeed_Raw.VehicleSpeedSource.IN.VSp_Raw INT ifYRIn.ACC.IN.YawRate_Raw.YawRateSource.IN.YR_Raw // Driver inputs INT ifDrvSetSpd.ACC.IN.DriverSetSpeed.DriverInputMonitor.IN.SetSpeedIn INT ifDrvGap.ACC.IN.DriverGapSetting.DriverInputMonitor.IN.GapSettingIn INT ifDrvBrake.ACC.IN.BrakePedalSensor.DriverPedalMonitor.IN.BrakePedalIn INT ifDrvAccel.ACC.IN.AcceleratorPedalSensor.DriverPedalMonitor.IN.AccelPedalIn // Power feeds from boundary INT ifPwrA_In.ACC.IN.Pwr_A_Feed.PowerSupply_A.IN.PwrInA INT ifPwrB_In.ACC.IN.Pwr_B_Feed.PowerSupply_B.IN.PwrInB // Power distribution (combined rail from A/B, used as sensor health feed) INT ifPD_A.PowerSupply_A.OUT.PwrOutA.PowerDistribution.IN.InA INT ifPD_B.PowerSupply_B.OUT.PwrOutB.PowerDistribution.IN.InB // Bus feeds from boundary INT ifBusA_In.ACC.IN.CAN_A_Traffic.CAN_A.IN.BusInA INT ifBusB_In.ACC.IN.CAN_B_Traffic.CAN_B.IN.BusInB INT ifCANA_Pwr.PowerSupply_A.OUT.PwrOutA.CAN_A.IN.PwrIn INT ifCANB_Pwr.PowerSupply_B.OUT.PwrOutB.CAN_B.IN.PwrIn // ObjectTracker inputs (Radar + Camera) INT ifOT_Radar.Radar_Sensor.OUT.RadarTrack.ObjectTracker.IN.RadarIn INT ifOT_Cam.Camera_Sensor.OUT.CameraTrack.ObjectTracker.IN.CameraIn // SensorFusion inputs (Radar + Camera + Tracker) INT ifSF_Radar.Radar_Sensor.OUT.RadarTrack.SensorFusion.IN.RadarIn INT ifSF_Cam.Camera_Sensor.OUT.CameraTrack.SensorFusion.IN.CameraIn INT ifSF_Track.ObjectTracker.OUT.TrackedObjects.SensorFusion.IN.TrackerIn // TimeGapController inputs INT ifTG_Obj.SensorFusion.OUT.ObjectList.TimeGapController.IN.ObjIn INT ifTG_VSp.VehicleSpeedSource.OUT.VSp.TimeGapController.IN.VSpIn INT ifTG_Drv.DriverInputMonitor.OUT.DriverRequest.TimeGapController.IN.DriverIn // SpeedController inputs INT ifSC_VSp.VehicleSpeedSource.OUT.VSp.SpeedController.IN.VSpIn INT ifSC_Drv.DriverInputMonitor.OUT.DriverRequest.SpeedController.IN.DriverIn // DecelerationLimiter INT ifDL_Gap.TimeGapController.OUT.GapCmd.DecelerationLimiter.IN.GapIn // PlausibilityMonitor inputs INT ifPM_Obj.SensorFusion.OUT.ObjectList.PlausibilityMonitor.IN.ObjIn INT ifPM_Gap.TimeGapController.OUT.GapCmd.PlausibilityMonitor.IN.GapIn INT ifPM_VSp.VehicleSpeedSource.OUT.VSp.PlausibilityMonitor.IN.VSpIn // BrakeRequest_Arbitrator inputs INT ifBA_Lim.DecelerationLimiter.OUT.LimitedCmd.BrakeRequest_Arbitrator.IN.LimitedIn INT ifBA_Plaus.PlausibilityMonitor.OUT.PlausStatus.BrakeRequest_Arbitrator.IN.PlausIn INT ifBA_Pedal.DriverPedalMonitor.OUT.PedalStatus.BrakeRequest_Arbitrator.IN.PedalIn INT ifBA_ABS.ACC.IN.ABS_Status.BrakeRequest_Arbitrator.IN.ABSIn INT ifBA_Pwr.PowerSupply_A.OUT.PwrOutA.BrakeRequest_Arbitrator.IN.PwrIn INT ifBA_Bus.CAN_A.OUT.BusOutA.BrakeRequest_Arbitrator.IN.BusIn // EngineTorque_Arbitrator inputs INT ifTA_Spd.SpeedController.OUT.SpeedCmd.EngineTorque_Arbitrator.IN.SpeedIn INT ifTA_Pedal.DriverPedalMonitor.OUT.PedalStatus.EngineTorque_Arbitrator.IN.PedalIn INT ifTA_Pwr.PowerSupply_B.OUT.PwrOutB.EngineTorque_Arbitrator.IN.PwrIn INT ifTA_Bus.CAN_B.OUT.BusOutB.EngineTorque_Arbitrator.IN.BusIn // WatchDog inputs INT ifWD_Pwr.PowerSupply_A.OUT.PwrOutA.WatchDog.IN.PwrIn INT ifWD_Bus.CAN_A.OUT.BusOutA.WatchDog.IN.BusIn // HealthMonitor inputs (Radar + Camera health + combined power rail) INT ifHM_Radar.Radar_Sensor.OUT.RadarTrack.HealthMonitor.IN.RadarIn INT ifHM_Cam.Camera_Sensor.OUT.CameraTrack.HealthMonitor.IN.CameraIn INT ifHM_Pwr.PowerDistribution.OUT.OutRail.HealthMonitor.IN.PwrIn // TakeOver_Monitor inputs INT ifTO_Wd.WatchDog.OUT.WdStatus.TakeOver_Monitor.IN.WdIn INT ifTO_Plaus.PlausibilityMonitor.OUT.PlausStatus.TakeOver_Monitor.IN.PlausIn INT ifTO_Drv.DriverInputMonitor.OUT.DriverRequest.TakeOver_Monitor.IN.DriverIn INT ifTO_Health.HealthMonitor.OUT.HealthStatus.TakeOver_Monitor.IN.HealthIn // SafetyStateMachine inputs INT ifSSM_Brake.BrakeRequest_Arbitrator.OUT.BrakeReq.SafetyStateMachine.IN.BrakeIn INT ifSSM_Torque.EngineTorque_Arbitrator.OUT.TorqueReq.SafetyStateMachine.IN.TorqueIn INT ifSSM_Hand.TakeOver_Monitor.OUT.HandOver.SafetyStateMachine.IN.HandIn // WarningCoordinator inputs INT ifWC_Safe.SafetyStateMachine.OUT.SafeStatus.WarningCoordinator.IN.SafeIn INT ifWC_Hand.TakeOver_Monitor.OUT.HandOver.WarningCoordinator.IN.HandIn INT ifWC_Pwr.PowerSupply_A.OUT.PwrOutA.WarningCoordinator.IN.PwrIn // HMI_Cluster / HMI_Chime INT ifHC_Warn.WarningCoordinator.OUT.WarnVisual.HMI_Cluster.IN.WarnIn INT ifHC_Pwr.PowerSupply_A.OUT.PwrOutA.HMI_Cluster.IN.PwrIn INT ifHCh_Warn.WarningCoordinator.OUT.WarnAcoustic.HMI_Chime.IN.WarnIn INT ifHCh_Pwr.PowerSupply_B.OUT.PwrOutB.HMI_Chime.IN.PwrIn // Top-level outputs INT ifOutBrake.SafetyStateMachine.OUT.SafeBrake.ACC.OUT.BrakeRequest INT ifOutTorque.SafetyStateMachine.OUT.SafeTorque.ACC.OUT.ThrottleRequest INT ifOutStat.SafetyStateMachine.OUT.SafeStatus.ACC.OUT.ACC_Status INT ifOutWV.HMI_Cluster.OUT.ClusterOut.ACC.OUT.Warning_Visual INT ifOutWA.HMI_Chime.OUT.ChimeOut.ACC.OUT.Warning_Acoustic // ================================================================ // Top Level Event // ================================================================ TLE SafeDistanceNotMaintained.BrakeRequest.BrakeCmd_Missing END FUNCTION // ============================================================ // Fehlerraten // ISF: Normalverteilung mu=1.0e-6, sigma=2.5e-7 // SF: Normalverteilung mu=2.5e-7, sigma=1.375e-7 // TF: Normalverteilung mu=5.0e-8, sigma=1.5e-8 // Wissenschaftliche Notation, 3 Nachkommastellen, verschiedene Werte // ============================================================ // --- ISF (externe Inputs an ACC-Grenze) --- ISF ACC.RadarReturn.Sensor_Blinded 1.247e-06 ISF ACC.RadarReturn.Data_Stale 8.731e-07 ISF ACC.CameraImage.Sensor_Blinded 1.382e-06 ISF ACC.CameraImage.Data_Stale 7.615e-07 ISF ACC.VehicleSpeed_Raw.Data_Stale 1.074e-06 ISF ACC.YawRate_Raw.Data_Stale 1.128e-06 ISF ACC.DriverSetSpeed.Data_Stale 9.487e-07 ISF ACC.DriverGapSetting.Data_Stale 8.216e-07 ISF ACC.BrakePedalSensor.BrakeCmd_Missing 1.193e-06 ISF ACC.AcceleratorPedalSensor.Data_Stale 1.056e-06 ISF ACC.ABS_Status.Data_Stale 9.842e-07 ISF ACC.Pwr_A_Feed.Power_Lost 7.318e-07 ISF ACC.Pwr_B_Feed.Power_Lost 6.947e-07 ISF ACC.CAN_A_Traffic.Bus_Silent 9.513e-07 ISF ACC.CAN_A_Traffic.Bus_Stuck 7.892e-07 ISF ACC.CAN_A_Traffic.Data_Stale 1.089e-06 ISF ACC.CAN_B_Traffic.Bus_Silent 9.174e-07 ISF ACC.CAN_B_Traffic.Bus_Stuck 8.362e-07 ISF ACC.CAN_B_Traffic.Data_Stale 1.021e-06 // --- SF (systemische Fehlerraten der Subfunktionen) --- SF Radar_SignalCond.OutCond.Sensor_Blinded 1.744e-07 SF Radar_SignalCond.OutCond.Data_Stale 1.623e-07 SF Camera_SignalCond.OutCond.Sensor_Blinded 1.891e-07 SF Camera_SignalCond.OutCond.Data_Stale 1.572e-07 SF PowerDistribution.OutRail.Power_Lost 2.146e-07 SF HealthMonitor.HealthStatus.Warning_Missing 1.708e-07 SF HealthMonitor.HealthStatus.HandOver_Missing 1.832e-07 SF Radar_Internal.OutTrack.Distance_Misread 2.518e-07 SF Radar_Internal.OutTrack.Velocity_Misread 2.783e-07 SF Radar_Internal.OutTrack.Sensor_Blinded 1.952e-07 SF Radar_Internal.OutTrack.Object_Ghost 1.984e-07 SF Radar_Internal.OutTrack.Object_NotDetected 2.692e-07 SF Radar_Internal.OutTrack.Data_Stale 2.193e-07 SF Camera_Internal.OutTrack.Sensor_Blinded 3.174e-07 SF Camera_Internal.OutTrack.Object_Misclassified 2.385e-07 SF Camera_Internal.OutTrack.Object_NotDetected 2.738e-07 SF Camera_Internal.OutTrack.Object_Ghost 3.107e-07 SF Camera_Internal.OutTrack.Data_Stale 1.976e-07 SF ObjectTracker.TrackedObjects.Object_NotDetected 1.812e-07 SF ObjectTracker.TrackedObjects.Object_Ghost 1.488e-07 SF ObjectTracker.TrackedObjects.Distance_Misread 2.071e-07 SF ObjectTracker.TrackedObjects.Velocity_Misread 2.288e-07 SF ObjectTracker.TrackedObjects.Data_Stale 1.739e-07 SF SensorFusion.ObjectList.Object_NotDetected 2.075e-07 SF SensorFusion.ObjectList.Object_Ghost 2.192e-07 SF SensorFusion.ObjectList.Distance_Misread 2.328e-07 SF SensorFusion.ObjectList.Velocity_Misread 2.647e-07 SF SensorFusion.ObjectList.Object_Misclassified 1.921e-07 SF SensorFusion.ObjectList.Data_Stale 2.011e-07 SF VehicleSpeedSource.VSp.Speed_Misread 2.489e-07 SF VehicleSpeedSource.VSp.Data_Stale 2.931e-07 SF YawRateSource.YR.Data_Stale 2.568e-07 SF DriverInputMonitor.DriverRequest.Data_Stale 1.876e-07 SF DriverPedalMonitor.PedalStatus.BrakeCmd_Spurious 1.634e-07 SF DriverPedalMonitor.PedalStatus.BrakeCmd_Missing 1.758e-07 SF DriverPedalMonitor.PedalStatus.ThrottleCmd_Runaway 1.628e-07 SF TimeGapController.GapCmd.TimeGap_Miscalculated 2.582e-07 SF TimeGapController.GapCmd.BrakeCmd_Missing 2.119e-07 SF TimeGapController.GapCmd.BrakeCmd_Spurious 2.398e-07 SF TimeGapController.GapCmd.Data_Stale 1.813e-07 SF SpeedController.SpeedCmd.Speed_Misread 2.472e-07 SF SpeedController.SpeedCmd.ThrottleCmd_Runaway 2.084e-07 SF SpeedController.SpeedCmd.Data_Stale 2.511e-07 SF DecelerationLimiter.LimitedCmd.Decel_Exceeded 1.813e-07 SF DecelerationLimiter.LimitedCmd.BrakeCmd_Missing 1.694e-07 SF DecelerationLimiter.LimitedCmd.BrakeCmd_Weak 2.022e-07 SF DecelerationLimiter.LimitedCmd.BrakeCmd_Spurious 1.554e-07 SF PlausibilityMonitor.PlausStatus.BrakeCmd_Spurious 1.876e-07 SF PlausibilityMonitor.PlausStatus.Warning_Missing 1.633e-07 SF BrakeRequest_Arbitrator.BrakeReq.BrakeCmd_Missing 2.268e-07 SF BrakeRequest_Arbitrator.BrakeReq.BrakeCmd_Spurious 1.942e-07 SF BrakeRequest_Arbitrator.BrakeReq.BrakeCmd_Weak 2.106e-07 SF EngineTorque_Arbitrator.TorqueReq.ThrottleCmd_Runaway 1.724e-07 SF EngineTorque_Arbitrator.TorqueReq.Data_Stale 1.893e-07 SF WatchDog.WdStatus.Warning_Missing 1.589e-07 SF WatchDog.WdStatus.HandOver_Missing 1.711e-07 SF TakeOver_Monitor.HandOver.HandOver_Missing 1.842e-07 SF TakeOver_Monitor.HandOver.Warning_Missing 1.578e-07 SF SafetyStateMachine.SafeBrake.BrakeCmd_Missing 2.431e-07 SF SafetyStateMachine.SafeBrake.BrakeCmd_Spurious 2.085e-07 SF SafetyStateMachine.SafeBrake.BrakeCmd_Weak 2.267e-07 SF SafetyStateMachine.SafeTorque.ThrottleCmd_Runaway 1.945e-07 SF SafetyStateMachine.SafeStatus.Warning_Missing 1.782e-07 SF SafetyStateMachine.SafeStatus.HandOver_Missing 1.904e-07 SF WarningCoordinator.WarnVisual.Warning_Missing 1.844e-07 SF WarningCoordinator.WarnAcoustic.Warning_Missing 1.781e-07 SF HMI_Cluster.ClusterOut.Warning_Missing 1.590e-07 SF HMI_Chime.ChimeOut.Warning_Missing 1.468e-07 SF PowerSupply_A.PwrOutA.Power_Lost 3.127e-07 SF PowerSupply_B.PwrOutB.Power_Lost 3.214e-07 SF CAN_A.BusOutA.Bus_Silent 2.452e-07 SF CAN_A.BusOutA.Bus_Stuck 2.183e-07 SF CAN_A.BusOutA.Data_Stale 1.924e-07 SF CAN_B.BusOutB.Bus_Silent 2.510e-07 SF CAN_B.BusOutB.Bus_Stuck 2.276e-07 SF CAN_B.BusOutB.Data_Stale 1.891e-07 // --- TF (Transfer-Fehlerraten der INT-Schnittstellen) --- TF ifRadarIn.Sensor_Blinded 5.126e-08 TF ifRadarIn.Data_Stale 4.892e-08 TF ifCamIn.Sensor_Blinded 5.740e-08 TF ifCamIn.Data_Stale 5.023e-08 TF ifVSpIn.Data_Stale 4.978e-08 TF ifYRIn.Data_Stale 5.101e-08 TF ifDrvSetSpd.Data_Stale 4.748e-08 TF ifDrvGap.Data_Stale 5.106e-08 TF ifDrvBrake.BrakeCmd_Missing 4.924e-08 TF ifDrvAccel.Data_Stale 5.083e-08 TF ifPwrA_In.Power_Lost 5.432e-08 TF ifPwrB_In.Power_Lost 5.589e-08 TF ifPD_A.Power_Lost 5.117e-08 TF ifPD_B.Power_Lost 4.953e-08 TF ifHM_Radar.Sensor_Blinded 4.862e-08 TF ifHM_Cam.Sensor_Blinded 5.018e-08 TF ifHM_Pwr.Power_Lost 4.934e-08 TF ifTO_Health.Warning_Missing 4.712e-08 TF ifTO_Health.HandOver_Missing 5.064e-08 TF ifBusA_In.Bus_Silent 5.047e-08 TF ifBusA_In.Bus_Stuck 4.712e-08 TF ifBusA_In.Data_Stale 4.981e-08 TF ifBusB_In.Bus_Silent 5.172e-08 TF ifBusB_In.Bus_Stuck 4.859e-08 TF ifBusB_In.Data_Stale 5.031e-08 TF ifCANA_Pwr.Power_Lost 4.658e-08 TF ifCANB_Pwr.Power_Lost 4.723e-08 TF ifRadar_Cond_In.Sensor_Blinded 5.047e-08 TF ifRadar_Cond_In.Data_Stale 4.813e-08 TF ifRadar_Cond_Out.Sensor_Blinded 5.062e-08 TF ifRadar_Cond_Out.Data_Stale 4.759e-08 TF ifRadar_Track.Distance_Misread 5.123e-08 TF ifRadar_Track.Velocity_Misread 4.861e-08 TF ifRadar_Track.Sensor_Blinded 5.092e-08 TF ifRadar_Track.Object_Ghost 5.263e-08 TF ifRadar_Track.Object_NotDetected 4.721e-08 TF ifRadar_Track.Data_Stale 4.782e-08 TF ifCam_Cond_In.Sensor_Blinded 5.065e-08 TF ifCam_Cond_In.Data_Stale 4.828e-08 TF ifCam_Cond_Out.Sensor_Blinded 5.093e-08 TF ifCam_Cond_Out.Data_Stale 4.781e-08 TF ifCam_Track.Sensor_Blinded 5.142e-08 TF ifCam_Track.Object_Misclassified 4.893e-08 TF ifCam_Track.Object_NotDetected 5.078e-08 TF ifCam_Track.Object_Ghost 5.243e-08 TF ifCam_Track.Data_Stale 4.734e-08 TF ifOT_Radar.Object_NotDetected 5.092e-08 TF ifOT_Radar.Object_Ghost 4.856e-08 TF ifOT_Radar.Distance_Misread 5.048e-08 TF ifOT_Radar.Velocity_Misread 4.763e-08 TF ifOT_Radar.Data_Stale 5.216e-08 TF ifOT_Cam.Object_NotDetected 5.163e-08 TF ifOT_Cam.Object_Ghost 4.895e-08 TF ifOT_Cam.Object_Misclassified 5.048e-08 TF ifOT_Cam.Data_Stale 4.752e-08 TF ifSF_Radar.Object_NotDetected 5.114e-08 TF ifSF_Radar.Distance_Misread 4.878e-08 TF ifSF_Radar.Velocity_Misread 5.329e-08 TF ifSF_Radar.Object_Ghost 5.072e-08 TF ifSF_Radar.Data_Stale 4.631e-08 TF ifSF_Cam.Object_NotDetected 5.235e-08 TF ifSF_Cam.Object_Misclassified 4.964e-08 TF ifSF_Cam.Object_Ghost 5.188e-08 TF ifSF_Cam.Data_Stale 4.712e-08 TF ifSF_Track.Object_NotDetected 5.048e-08 TF ifSF_Track.Object_Ghost 4.752e-08 TF ifSF_Track.Distance_Misread 5.294e-08 TF ifSF_Track.Velocity_Misread 4.689e-08 TF ifSF_Track.Data_Stale 5.137e-08 TF ifTG_Obj.Object_NotDetected 5.074e-08 TF ifTG_Obj.Object_Ghost 4.838e-08 TF ifTG_Obj.Distance_Misread 5.153e-08 TF ifTG_Obj.Velocity_Misread 4.796e-08 TF ifTG_Obj.Data_Stale 5.021e-08 TF ifTG_VSp.Speed_Misread 4.748e-08 TF ifTG_VSp.Data_Stale 5.068e-08 TF ifTG_Drv.Data_Stale 4.902e-08 TF ifSC_VSp.Speed_Misread 4.826e-08 TF ifSC_VSp.Data_Stale 5.112e-08 TF ifSC_Drv.Data_Stale 4.848e-08 TF ifDL_Gap.TimeGap_Miscalculated 5.198e-08 TF ifDL_Gap.BrakeCmd_Missing 4.821e-08 TF ifDL_Gap.BrakeCmd_Spurious 5.046e-08 TF ifDL_Gap.Data_Stale 4.737e-08 TF ifPM_Obj.Object_Ghost 4.913e-08 TF ifPM_Obj.Data_Stale 4.745e-08 TF ifPM_Gap.BrakeCmd_Spurious 5.134e-08 TF ifPM_Gap.Data_Stale 4.682e-08 TF ifPM_VSp.Data_Stale 4.758e-08 TF ifBA_Lim.BrakeCmd_Missing 5.168e-08 TF ifBA_Lim.BrakeCmd_Spurious 4.937e-08 TF ifBA_Lim.BrakeCmd_Weak 5.093e-08 TF ifBA_Lim.Decel_Exceeded 4.716e-08 TF ifBA_Plaus.BrakeCmd_Spurious 4.973e-08 TF ifBA_Pedal.BrakeCmd_Spurious 5.028e-08 TF ifBA_Pedal.BrakeCmd_Missing 4.812e-08 TF ifBA_ABS.Data_Stale 4.863e-08 TF ifBA_Pwr.Power_Lost 5.242e-08 TF ifBA_Bus.Bus_Silent 4.914e-08 TF ifBA_Bus.Bus_Stuck 4.829e-08 TF ifTA_Spd.ThrottleCmd_Runaway 5.126e-08 TF ifTA_Spd.Data_Stale 4.693e-08 TF ifTA_Pedal.ThrottleCmd_Runaway 4.892e-08 TF ifTA_Pwr.Power_Lost 5.293e-08 TF ifTA_Bus.Data_Stale 4.812e-08 TF ifWD_Pwr.Power_Lost 5.108e-08 TF ifWD_Bus.Bus_Silent 4.918e-08 TF ifWD_Bus.Bus_Stuck 4.782e-08 TF ifTO_Wd.Warning_Missing 4.748e-08 TF ifTO_Wd.HandOver_Missing 5.019e-08 TF ifTO_Plaus.Warning_Missing 4.729e-08 TF ifTO_Drv.Data_Stale 4.892e-08 TF ifSSM_Brake.BrakeCmd_Missing 5.082e-08 TF ifSSM_Brake.BrakeCmd_Spurious 4.827e-08 TF ifSSM_Brake.BrakeCmd_Weak 5.162e-08 TF ifSSM_Torque.ThrottleCmd_Runaway 4.953e-08 TF ifSSM_Hand.Warning_Missing 4.724e-08 TF ifSSM_Hand.HandOver_Missing 5.043e-08 TF ifWC_Safe.Warning_Missing 4.781e-08 TF ifWC_Safe.HandOver_Missing 4.963e-08 TF ifWC_Hand.Warning_Missing 4.727e-08 TF ifWC_Hand.HandOver_Missing 4.865e-08 TF ifWC_Pwr.Power_Lost 5.199e-08 TF ifHC_Warn.Warning_Missing 4.826e-08 TF ifHC_Pwr.Power_Lost 5.218e-08 TF ifHCh_Warn.Warning_Missing 4.763e-08 TF ifHCh_Pwr.Power_Lost 5.285e-08 TF ifOutBrake.BrakeCmd_Missing 5.107e-08 TF ifOutBrake.BrakeCmd_Spurious 4.891e-08 TF ifOutBrake.BrakeCmd_Weak 5.184e-08 TF ifOutTorque.ThrottleCmd_Runaway 4.974e-08 TF ifOutStat.Warning_Missing 4.731e-08 TF ifOutStat.HandOver_Missing 4.892e-08 TF ifOutWV.Warning_Missing 4.765e-08 TF ifOutWA.Warning_Missing 4.828e-08