FSR / TSR 写作工程化深度 — 8/10 字段模板 + 双向 traceability + 5 反模式

按 Tier-1 中型主驱项目 8-12 周分段:

• ① HARA review(1 周)— FSR 不能凭空写,必须从 HARA 输出的 SG 衍生。先 review HARA 完整性(每条 SG 有 ASIL + FTTI + Safe State),无 SG 不能起 FSR
• ② FSR v0.1(2-3 周)— 每条 SG 拆 3-8 条 FSR;Safety Engineer 单人写第一版。重点是**"系统应该感知什么 + 在什么时间内反应"**,不下沉到 HW / SW 细节
• ③ TSR allocate(2-3 周)— 每条 FSR 分配到 HW path + SW path;Safety Engineer + System Architect 协作。关键决策:哪部分 HW 做(detect / actuate),哪部分 SW 做(decision / monitor);FTTI 预算分配给 HW / SW / 接口
• ④ Multi-team Review(1-2 周)— 3 个 reviewer 各自看:HW lead 看 TSR HW 部分能否 implement / FMEDA 数字能否达;SW lead 看 RTOS 调度 + 资源是否够;Safety Manager 看 ASIL + ISO 26262 合规
• ⑤ v1.0 Lock(1 周)— Polarion / DOORS lock + traceability matrix 100% 覆盖 + 三方签字。lock 后任何改动必走 ECN(参 HSI 写作深度)

写作总工时 ~4-5 FTE × 月 Tier-1 中型主驱。最大风险在 ② → ③ 之间 — FSR 写得太具体(下沉到 HW 细节)导致 TSR 没什么可分配,或 FSR 太抽象(像哲学)导致 TSR 写不下手。

FSR / TSR 最大写错原因是"边界不清"。下表把 4 个维度的区分一次列清,review 时按这 4 维查每条需求是否归错类:

判断规则:一条 requirement 如果不下沉到具体 component / signal / API,是 FSR;下沉到了就是 TSR。若一条句子"系统级 + 具体数字"混着写,拆成 2 条(一条 FSR + 一条 TSR)。

下表把每字段 + 为何不可省 一次列清,FSR 起草时照表填:

下面把 8 字段在主驱 SG-1 "Unintended torque < 200 ms" 的 FSR-12 上跑完整一遍。这条 worked 可直接复制到 FSC 文档:

FSR-12 (FSC §4.2 — Fault Detection and Safe State Transition)

  ID                : FSR-12
  SG Link           : derives from SG-1 (HARA Hazard HZ-001)
  Statement         : The traction inverter shall transition to STO (Safe Torque Off)
                      within FTTI = 200 ms upon detection of any safety-critical fault
                      (including but not limited to: short circuit, gate driver failure,
                       current sensor failure, position sensor failure).
  FTTI              : 200 ms (allocated from SG-1 reaction time budget)
  ASIL              : D (inherited from SG-1)
  Scope             : applies to 800V SiC traction inverter (IDD-TI-2026-A §3.1);
                      AUX 12V DC-DC and OBC are out of scope for this FSR.
  Verification Method:
                      - L1: HIL fault injection (TC-FSR-012-HIL, all 12 fault classes)
                      - L2: Vehicle-level test (TC-FSR-012-V, 3 driving scenarios)
                      - L3: FMEDA verification (sum of per-fault FTTI ≤ 200 ms)
  Dependencies      : Item Definition IDD-TI-2026-A v1.0
                      Operating Conditions OC-INV-2026 §4 (temperature, supply, vibration)
  Rationale         : Without 200 ms FTTI, unintended torque event can reach 50% rated
                      torque in 350 ms (per HARA worst case analysis), causing loss of
                      vehicle controllability per S3/E4/C3 classification.

写法 tips:

• "shall" + 系统级动词("transition" / "detect" / "ensure"),禁 "should" / "may" — ASIL D 项目 FSR 全 shall
• Statement 不写具体 HW component(避免下沉 TSR 层),只写"系统层"行为
• FTTI 写绝对数值 + 引 SG 来源("allocated from SG-1");不写"快速" / "及时"
• Verification Method 必列 L1 / L2 / L3 多层(HIL / vehicle / FMEDA);单一层 verification 是 ASIL D 大忌
• Rationale 是 optional 但推荐写;reviewer 看到 "200 ms" 会问"为什么不是 150 ms",Rationale 提前回答

FSR 写错的 5 种最常见模式都是"边界混淆 + 形容词代数字"。下表把反模式 + 修法 一次列清,review 阶段照表查:

下表把每字段 + 为何不可省 一次列清,TSR 起草时照表填(本表与 §2.1 FSR 8 字段对偶,加 ★ 标 TSR 独有字段):

下面把 10 字段在 TSR-3.4 driver IC 过流 SM 上跑完整一遍:

TSR-3.4 (TSC §3.4 — Driver IC Fault Detection and Safe Torque Off)

  ID                : TSR-3.4
  FSR Link          : derives from FSR-12 (FSC §4.2)
  Statement         : Driver IC ISO5852S nFAULT signal shall report fault to MCU
                      within 500 ns from VCE_SAT > 10V sustained > 1 µs;MCU shall
                      command STO via GPIO PB3 within 50 µs of EXTI 12 trigger;
                      Driver IC shall execute STO (gate discharge) within 100 µs
                      of receiving STO command.
  Allocation        : HW: driver IC ISO5852S (U7) + MCU EXTI 12 (PA12) +
                          MCU GPIO PB3 (STO output)
                      SW: ISR `PB3_STO_handler()` in RTOS task priority P0
  SM Relation       : implements `mechanism_desat` fault report + STO actuation chain
                      (see SM catalog SM-DRV-001 to SM-DRV-008)
  DC Target         : DC ≥ 99% for SC Type 1 (Hard Switch-On Fault)
                      DC ≥ 95% for SC Type 2 (Load Short During ON)
                      DC ≥ 85% for SC Type 3 (Cross-Phase Failure)
                      (per FMEDA-DRV-2026-04-15 Table 4.3)
  FTTI Portion      : 162 µs (= driver detect 1 µs + nFAULT assert 500 ns +
                      MCU ISR latency 50 µs + STO command output 10 µs +
                      driver STO execute 100 µs); margin to FSR-12 FTTI 200 ms = 1234×
  Verification ID   :
                      - TC-DRV-001: HW bench scope, 3 corners (−40/+25/+150°C)
                        Pass: tD_assert ≤ 500 ns AND tSTO ≤ 110 µs
                      - TC-SW-014: RTOS ISR worst-case latency, 1000 fault injections
                        Pass: tISR ≤ 50 µs at 99.99 percentile
                      - TC-FMEDA-003: paper analysis, FMEDA DC verification
  Shall Severity    : shall (ASIL D)
  Fault Response    : Upon failure to meet 500 ns / 50 µs / 10 µs (any one):
                      - SW shall log DTC P0C7B-xx with timestamp
                      - SW shall retain STO state (NO auto-recovery)
                      - SW shall increment fault counter for SBC watchdog reset chain
                      - SW shall report to VMU via CAN-FD frame ID 0x18FF50E5

写法 tips:

• Statement 必带 component + signal + 数字 + 时间;禁 "fast" / "high" / 任何形容词
• Allocation 显式 HW + SW 双 path(单 path 是大忌,无 partition 决策)
• DC Target 引 FMEDA 报告 ID + Table 行号;reviewer 直接 cross-check
• FTTI Portion 是子预算,必显式算 margin to FSR FTTI(本例 1234×)
• Verification ID 3 类必齐(HW bench + SW unit + FMEDA paper)
• Fault Response 段是 TSR 独有,定义"如果这条 TSR 失效系统怎么办"(meta-safety)

TSR 写错的根因都是"省 allocation + 没 DC 量化 + 没 fault response"。下表把 5 类典型反模式列清:

下面把 SG-1 端到端 5 层链跑完。每层都引上一层 ID + 下一层 ID,Polarion 自动 cross-link:

Layer 1: HARA          SG-1   "Unintended torque < 200 ms, ASIL D"
                              ↓ derives 1:N
Layer 2: FSC           FSR-10 "Detect short circuit faults"
                       FSR-11 "Detect gate driver failures"
                       FSR-12 "Transition to STO within FTTI 200 ms upon fault detection"
                       FSR-13 "Provide redundant torque monitoring (ASIL decomposition)"
                              ↓ allocates 1:N(HW + SW partition)
Layer 3: TSC           TSR-3.1 "Three-phase shunt current sensing ≥ 200 kHz BW"
                       TSR-3.2 "Driver IC ISO5852S desat detection ≤ 1 µs"
                       TSR-3.3 "MCU AURIX TC397 lockstep core safe state"
                       TSR-3.4 "Driver IC nFAULT → MCU STO ≤ 162 µs"
                       TSR-3.5 "Torque plausibility check at 1 ms cycle"
                              ↓ implements via interface contract
Layer 4: HSI / HW / SW HSI §3.4.7 nFAULT signal contract (9 fields)
                       HW datasheet ISO5852S §6.4 Table 6.1 row 5+7
                       SW EXTI 12 ISR PB3_STO_handler() RTOS P0
                              ↓ verifies via test execution
Layer 5: V&V           TC-DRV-001  HW bench scope, 3 corners
                       TC-SW-014   RTOS ISR latency, 1000 injections
                       TC-FMEDA-003 FMEDA paper analysis
                       TC-HIL-FSR-012 HIL fault injection (FSR-12 系统级)
                       TC-VEHICLE-SG-001 vehicle test (SG-1 整车级)

Polarion / DOORS 工具上,每个 traceability link 必双向:

断链类型:

• Orphan TSR(没有 FSR 引)= TSR 是凭空写的,reviewer 立即 reject
• Orphan FSR(没有 SG 引)= FSR 不来自 HARA,可能是 scope creep
• No verification(TSR 无 V&V test case 引)= ASIL D defeater
• No HW/SW allocation(TSR 无 component / unit 引)= TSR 不可实现