
Autonomous Vehicle

System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org

About this report

This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.

Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.

Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.

Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.

Referenced Standards

Standard        Title
IEEE 1609.2
IEEE 802.11p
IEEE 802.1Q
IEEE 802.1Qbv
ISO 26262 Road vehicles — Functional safety

Acronyms & Abbreviations

Acronym   Expansion
ARC Architecture Decisions
BSM Basic Safety Messages
CCCS Completeness, Consistency, Correctness, Stability
EARS Easy Approach to Requirements Syntax
IFC Interface Requirements
STK Stakeholder Requirements
SUB Subsystem Requirements
SYS System Requirements
UHT Universal Hex Taxonomy
VER Verification Plan
Report totals: 116 Requirements · 37 Classified Entities · 6 Subsystems · 11 Diagrams · 101 Relationships

System Context

flowchart TB
  %% Each external actor is declared once; the original source declared every actor twice
  %% (n1–n5 unused, n6–n10 wired), which rendered five orphan nodes.
  n0["system<br>Autonomous Vehicle"]
  n1["actor<br>Passengers"]
  n2["actor<br>Road Infrastructure"]
  n3["actor<br>Other Road Users"]
  n4["actor<br>Fleet Management"]
  n5["actor<br>Regulatory Authority"]
  n0 -->|Trip status, ride comfort| n1
  n2 -->|Traffic signals, road geometry| n0
  n3 -->|Presence, trajectories| n0
  n0 -->|Telemetry, diagnostics| n4
  n5 -->|Compliance constraints| n0

Autonomous Vehicle — Context

System Decomposition

flowchart TB
  n0["system<br>Autonomous Vehicle"]
  n1["subsystem<br>Perception Subsystem"]
  n2["subsystem<br>Localization and Mapping Subsystem"]
  n3["subsystem<br>Planning and Decision Subsystem"]
  n4["subsystem<br>Vehicle Control Subsystem"]
  n5["subsystem<br>Communication Subsystem"]
  n6["subsystem<br>Safety and Monitoring Subsystem"]
  n0 --> n1
  n0 --> n2
  n0 --> n3
  n0 --> n4
  n0 --> n5
  n0 --> n6

Autonomous Vehicle — Decomposition

Decomposition Tree

Stakeholder Requirements (STK)

Ref Requirement V&V Tags
STK-STAKEHOLDERNEEDS-001 The Autonomous Vehicle SHALL transport passengers to their destination without collision or injury under all conditions within its operational design domain. stakeholder, safety, session-161
STK-STAKEHOLDERNEEDS-002 The Autonomous Vehicle SHALL be available for passenger service at least 95% of scheduled operating hours. stakeholder, availability, session-161
STK-STAKEHOLDERNEEDS-003 The Autonomous Vehicle SHALL comply with all applicable national and regional traffic regulations and vehicle safety standards. stakeholder, regulatory, session-161
STK-STAKEHOLDERNEEDS-004 The Autonomous Vehicle SHALL provide a comfortable ride experience with smooth acceleration, braking, and cornering comparable to an experienced human driver. stakeholder, comfort, session-161
STK-STAKEHOLDERNEEDS-005 The Autonomous Vehicle SHALL support remote monitoring and over-the-air software updates without requiring physical access to the vehicle. stakeholder, fleet, session-161
STK-STAKEHOLDERNEEDS-006 The Autonomous Vehicle SHALL operate in rain, fog, and nighttime conditions within the defined operational design domain without degradation below minimum safety thresholds. stakeholder, environment, session-161

System Requirements (SYS)

Ref Requirement V&V Tags
SYS-SYSTEM-LEVELREQUIREMENTS-001 The Autonomous Vehicle SHALL detect and classify all objects within a 200-metre forward range and 80-metre lateral range with a probability of detection of at least 99.9% for objects larger than 0.3 metres. system, perception, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-002 The Autonomous Vehicle SHALL maintain localization accuracy within 10 centimetres laterally and 30 centimetres longitudinally relative to the HD map reference frame. system, localization, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-003 When a critical fault is detected in any subsystem, the Autonomous Vehicle SHALL execute a minimal risk condition manoeuvre bringing the vehicle to a safe stop within 5 seconds. system, safety, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-004 The Autonomous Vehicle SHALL generate smooth, jerk-limited trajectories with lateral acceleration not exceeding 3 m/s² and longitudinal acceleration not exceeding 2.5 m/s² during normal operation. system, planning, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-005 The Autonomous Vehicle SHALL support V2X communication compliant with ETSI ITS-G5 or C-V2X PC5 standards for cooperative awareness messaging at a minimum rate of 10 Hz. system, communication, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-006 The Autonomous Vehicle SHALL accept and install over-the-air software updates while parked, with rollback capability within 60 seconds if the update fails post-installation verification. system, fleet, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-007 While operating in rain with intensity up to 50 mm/h, the Autonomous Vehicle SHALL maintain perception detection range of at least 120 metres forward. system, environment, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-008 The Autonomous Vehicle SHALL execute the complete sense-plan-act cycle from sensor input to actuator command within 100 milliseconds end-to-end latency. system, control, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-009 The Autonomous Vehicle SHALL achieve a mean time between critical failures of at least 10,000 operating hours for the integrated autonomous driving system. system, reliability, session-161
SYS-SYSTEM-LEVELREQUIREMENTS-010 The Autonomous Vehicle SHALL be designed and verified to ASIL D per ISO 26262 for all safety-critical functions including steering, braking, and emergency stop. system, safety, iso26262, session-161

Subsystem Requirements (SUB)

Ref Requirement V&V Tags
SUB-SUBSYSTEMREQUIREMENTS-001 The Perception Subsystem SHALL process LiDAR point cloud data at a minimum rate of 10 frames per second with 360-degree coverage and angular resolution of 0.1 degrees. subsystem, perception, lidar, session-161
SUB-SUBSYSTEMREQUIREMENTS-002 The Perception Subsystem SHALL classify detected objects into at least 12 categories including vehicle, pedestrian, cyclist, traffic sign, traffic light, lane marking, barrier, construction zone, animal, debris, emergency vehicle, and unknown. subsystem, perception, classification, session-161
SUB-SUBSYSTEMREQUIREMENTS-003 The Perception Subsystem SHALL fuse data from LiDAR, camera, and radar sensors and produce a unified object list within 30 milliseconds of sensor data acquisition. subsystem, perception, fusion, session-161
SUB-SUBSYSTEMREQUIREMENTS-004 While operating in fog with visibility below 100 metres, the Perception Subsystem SHALL increase radar weighting in the fusion algorithm and report a perception confidence metric below 0.7 to the Planning Subsystem. subsystem, perception, weather, session-161
SUB-SUBSYSTEMREQUIREMENTS-005 The Perception Subsystem SHALL perform continuous self-diagnostics on all sensors and report any sensor degradation or failure to the Safety and Monitoring Subsystem within 200 milliseconds of detection. subsystem, perception, diagnostics, session-161
SUB-SUBSYSTEMREQUIREMENTS-006 The Perception Subsystem SHALL track at least 200 simultaneous objects with unique track identifiers, maintaining track continuity across sensor occlusions of up to 2 seconds. subsystem, perception, tracking, session-161
SUB-SUBSYSTEMREQUIREMENTS-007 The Behavior Planner SHALL evaluate and select a tactical driving action within 20 milliseconds of receiving an updated prediction and route input. subsystem, planning, behavior-planner, session-162
SUB-SUBSYSTEMREQUIREMENTS-008 The Motion Planner SHALL generate a kinematically feasible trajectory of at least 50 waypoints over a 5-second horizon, with lateral acceleration not exceeding 3 m/s² and longitudinal jerk not exceeding 1.5 m/s³. subsystem, planning, motion-planner, session-162
SUB-SUBSYSTEMREQUIREMENTS-009 The Prediction Module SHALL forecast trajectories for all tracked objects over a minimum 5-second prediction horizon with position error below 1.0 metre at 3 seconds. subsystem, planning, prediction-module, session-162
SUB-SUBSYSTEMREQUIREMENTS-010 When the Risk Assessor determines that no candidate trajectory maintains a time-to-collision above 2 seconds, the Planning and Decision Subsystem SHALL issue a minimal risk condition request to the Safety and Monitoring Subsystem within 10 milliseconds. subsystem, planning, risk-assessor, session-162
SUB-SUBSYSTEMREQUIREMENTS-011 When a route segment becomes blocked or a traffic incident is reported, the Route Planner SHALL compute an alternative route within 500 milliseconds using the current HD map graph. subsystem, planning, route-planner, session-162
SUB-SUBSYSTEMREQUIREMENTS-012 The Prediction Module SHALL classify the intent of each tracked road user into at least 6 categories including lane-keeping, lane-change-left, lane-change-right, braking, accelerating, and turning with classification accuracy above 90%. subsystem, planning, prediction-module, session-162
SUB-SUBSYSTEMREQUIREMENTS-013 The Motion Planner SHALL complete trajectory optimisation within 30 milliseconds from receipt of a behaviour decision, ensuring the planning subsystem contribution to the sense-plan-act cycle remains below 50 milliseconds. subsystem, planning, motion-planner, session-162
SUB-SUBSYSTEMREQUIREMENTS-014 The Steering Controller SHALL track the commanded steering angle with a steady-state error not exceeding 0.5 degrees and transient response settling time below 150 milliseconds. subsystem, vehicle-control, steering-controller, session-163
SUB-SUBSYSTEMREQUIREMENTS-015 The Throttle and Brake Controller SHALL execute longitudinal acceleration commands with jerk not exceeding 1.5 m/s³ during normal operation and shall achieve commanded deceleration within 100 milliseconds of request. subsystem, vehicle-control, throttle-brake, session-163
SUB-SUBSYSTEMREQUIREMENTS-016 The Drive-by-Wire Gateway SHALL translate software control commands to CAN bus actuator messages within 5 milliseconds and SHALL verify message delivery acknowledgement for every safety-critical command. subsystem, vehicle-control, drive-by-wire, session-163
SUB-SUBSYSTEMREQUIREMENTS-017 The Vehicle Dynamics Monitor SHALL estimate vehicle velocity with accuracy within 0.1 m/s, yaw rate within 0.5 deg/s, and lateral acceleration within 0.05 m/s² at an update rate of at least 100 Hz. subsystem, vehicle-control, dynamics-monitor, session-163
SUB-SUBSYSTEMREQUIREMENTS-018 When any actuator reports a fault condition or fails to acknowledge a command within 10 milliseconds, the Actuator Health Manager SHALL classify the fault severity and initiate the corresponding degradation mode within 50 milliseconds. subsystem, vehicle-control, actuator-health, session-163
SUB-SUBSYSTEMREQUIREMENTS-019 The Drive-by-Wire Gateway SHALL implement a hardware watchdog timer with a timeout period not exceeding 50 milliseconds; when the watchdog expires, the gateway SHALL command all actuators to a safe default state. subsystem, vehicle-control, drive-by-wire, safety, session-163
SUB-SUBSYSTEMREQUIREMENTS-020 While the Actuator Health Manager signals a steering degradation mode, the Steering Controller SHALL limit maximum steering rate to 50% of nominal and SHALL reject any commanded angle exceeding the mechanically safe range. subsystem, vehicle-control, steering-controller, degradation, session-163
SUB-SUBSYSTEMREQUIREMENTS-021 The Pose Estimator SHALL produce a fused six-degree-of-freedom ego-pose at a minimum rate of 100 Hz with end-to-end latency not exceeding 10 milliseconds from the most recent sensor input. subsystem, localization, pose-estimator, session-164
SUB-SUBSYSTEMREQUIREMENTS-022 The GNSS Receiver SHALL achieve horizontal position accuracy within 2 centimetres circular error probable when RTK correction data is available, and within 1.5 metres circular error probable in standalone GNSS mode. subsystem, localization, gnss-receiver, session-164
SUB-SUBSYSTEMREQUIREMENTS-023 When GNSS signal is lost, the Inertial Measurement Unit SHALL maintain dead reckoning position accuracy within 0.1 percent of distance travelled for a minimum of 30 seconds. subsystem, localization, imu, session-164
SUB-SUBSYSTEMREQUIREMENTS-024 The SLAM Engine SHALL match LiDAR scans against stored map features at a minimum update rate of 10 Hz with lateral position error not exceeding 5 centimetres in structured environments. subsystem, localization, slam-engine, session-164
SUB-SUBSYSTEMREQUIREMENTS-025 The HD Map Manager SHALL load and index map tiles within 50 milliseconds for a query covering a 500-metre radius around the current vehicle position. subsystem, localization, hd-map-manager, session-164
SUB-SUBSYSTEMREQUIREMENTS-026 The Pose Estimator SHALL detect and reject GNSS multipath errors exceeding 1 metre by performing consistency cross-checks against IMU and SLAM localization sources. subsystem, localization, pose-estimator, integrity, session-164
SUB-SUBSYSTEMREQUIREMENTS-027 While any single localization source is unavailable, the Pose Estimator SHALL maintain ego-pose lateral accuracy within 30 centimetres using the remaining sources and SHALL report the degraded integrity level to the Planning and Decision Subsystem. subsystem, localization, pose-estimator, degradation, session-164
SUB-SUBSYSTEMREQUIREMENTS-028 The Fault Detection and Isolation Module SHALL detect any single-point fault in a monitored subsystem within 50 milliseconds of the fault occurrence and issue a fault report to the Minimal Risk Condition Controller. subsystem, safety-monitoring, fdi, session-165
SUB-SUBSYSTEMREQUIREMENTS-029 When a critical fault report is received from the Fault Detection and Isolation Module, the Minimal Risk Condition Controller SHALL initiate a minimal risk condition manoeuvre within 100 milliseconds, bringing the vehicle to a controlled stop or safe pullover. subsystem, safety-monitoring, mrc, session-165
SUB-SUBSYSTEMREQUIREMENTS-030 The Safety Integrity Monitor SHALL execute an independent watchdog cycle at a rate of at least 100 Hz, verifying the execution timing and control flow integrity of all ASIL D rated functions. subsystem, safety-monitoring, sim, session-165
SUB-SUBSYSTEMREQUIREMENTS-031 The Event Data Recorder SHALL continuously record sensor inputs, planning decisions, and actuator commands at a minimum aggregate data rate of 100 Mbps in a crash-survivable storage medium compliant with UN Regulation 157 data storage survival requirements. subsystem, safety-monitoring, edr, session-165
SUB-SUBSYSTEMREQUIREMENTS-032 The Vehicle Cybersecurity Gateway SHALL monitor all in-vehicle network traffic and detect anomalous message patterns indicative of intrusion within 10 milliseconds, blocking unauthorised messages before they reach safety-critical domains. subsystem, safety-monitoring, csg, session-165
SUB-SUBSYSTEMREQUIREMENTS-033 The Fault Detection and Isolation Module SHALL detect and independently classify up to 3 concurrent faults across different subsystems, prioritising them by safety impact severity to determine the appropriate response level. subsystem, safety-monitoring, fdi, session-165
SUB-SUBSYSTEMREQUIREMENTS-034 The Minimal Risk Condition Controller SHALL support at least 3 graduated response levels: reduced speed operation, controlled lane-holding pullover, and immediate emergency stop, selecting the appropriate level based on the fault severity classification. subsystem, safety-monitoring, mrc, session-165
SUB-SUBSYSTEMREQUIREMENTS-035 The Event Data Recorder SHALL maintain a rolling pre-incident buffer of at least 30 seconds duration, preserving all recorded data channels for the period immediately preceding any detected safety event or collision. subsystem, safety-monitoring, edr, session-165
SUB-SUBSYSTEMREQUIREMENTS-036 The LiDAR Processing Unit SHALL segment raw point cloud data into ground plane and non-ground clusters within 20 milliseconds per scan cycle, rejecting ground returns with a false-positive rate below 2 percent. subsystem, perception, lidar, session-166
SUB-SUBSYSTEMREQUIREMENTS-037 The Camera Vision Pipeline SHALL detect and classify objects from at least 8 camera streams simultaneously, achieving a mean average precision of 0.85 or higher across all 12 required object categories at frame rates above 30 fps. subsystem, perception, camera, session-166
SUB-SUBSYSTEMREQUIREMENTS-038 While operating in rain with intensity exceeding 25 mm/h or fog with visibility below 100 metres, the Radar Processing Unit SHALL maintain a detection probability of 0.95 or higher for vehicles within 150 metres. subsystem, perception, radar, session-166
SUB-SUBSYSTEMREQUIREMENTS-039 The Sensor Fusion Engine SHALL complete probabilistic data association and state update for all correlated tracks within 15 milliseconds of receiving a new detection set from any sensor pipeline. subsystem, perception, fusion, session-166
SUB-SUBSYSTEMREQUIREMENTS-040 The Object Tracker SHALL maintain persistent identity for tracked objects across at least 5 consecutive occlusion frames, with an identity switch rate below 1 percent per 1000 tracked object-frames. subsystem, perception, tracker, session-166
SUB-SUBSYSTEMREQUIREMENTS-041 The V2X Communication Module SHALL transmit and receive Basic Safety Messages (BSM) with an end-to-end latency not exceeding 100 milliseconds under nominal channel load. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-042 The V2X Communication Module SHALL support simultaneous operation on DSRC (IEEE 802.11p) and C-V2X (3GPP PC5) radio interfaces with automatic protocol selection based on infrastructure availability. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-043 The Telemetry and Fleet Gateway SHALL transmit vehicle health and position telemetry to the fleet management cloud at a minimum rate of 1 Hz over 4G/5G cellular with automatic failover between carriers. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-044 The OTA Update Manager SHALL verify the cryptographic signature and integrity hash of every software update package before initiating installation on any target ECU. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-045 When an OTA update installation fails or post-update diagnostics detect a fault, the OTA Update Manager SHALL automatically rollback to the previous software version within 30 seconds. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-046 The In-Vehicle Network Router SHALL guarantee worst-case frame delivery latency of 500 microseconds for safety-critical traffic classes using IEEE 802.1Qbv time-aware shaping. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-047 The Communication Security Manager SHALL maintain a certificate store supporting IEEE 1609.2 pseudonym certificates with automatic renewal and revocation list updates at intervals not exceeding 24 hours. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-048 The In-Vehicle Network Router SHALL support aggregate throughput of at least 10 Gbps across all automotive Ethernet ports with VLAN isolation between safety-critical and infotainment domains. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-049 While cellular connectivity is unavailable, the Telemetry and Fleet Gateway SHALL buffer telemetry data in non-volatile storage for at least 72 hours and retransmit upon connectivity restoration. subsystem, communication, session-167
SUB-SUBSYSTEMREQUIREMENTS-050 The Communication Security Manager SHALL store all private keys in a hardware security module (HSM) with FIPS 140-2 Level 2 certification, preventing key extraction by any software process. subsystem, communication, session-167

Interface Requirements (IFC)

Ref Requirement V&V Tags
IFC-INTERFACEDEFINITIONS-001 The interface between the Perception Subsystem and the Planning and Decision Subsystem SHALL transmit a fused object list containing object class, position, velocity, heading, dimensions, and confidence score at a minimum rate of 20 Hz over a shared-memory IPC channel. interface, perception-planning, session-161
IFC-INTERFACEDEFINITIONS-002 The interface between the Planning and Decision Subsystem and the Vehicle Control Subsystem SHALL transmit trajectory waypoints as a time-stamped sequence of position, velocity, and curvature at a minimum rate of 50 Hz with maximum latency of 10 milliseconds. interface, planning-control, session-161
IFC-INTERFACEDEFINITIONS-003 The interface between the Perception Subsystem and the Safety and Monitoring Subsystem SHALL transmit sensor health status messages including temperature, calibration drift, and signal-to-noise ratio for each sensor at a minimum rate of 1 Hz. interface, perception-safety, session-161
IFC-INTERFACEDEFINITIONS-004 The interface between the Prediction Module and the Behavior Planner SHALL transmit predicted trajectories as a sequence of time-stamped position and velocity pairs for each tracked object, with intent classification label and confidence, at a minimum rate of 10 Hz. interface, planning, prediction-behavior, session-162
IFC-INTERFACEDEFINITIONS-005 The interface between the Behavior Planner and the Motion Planner SHALL transmit a driving action command comprising action type, target lane, target speed, and urgency flag with maximum latency of 5 milliseconds. interface, planning, behavior-motion, session-162
IFC-INTERFACEDEFINITIONS-006 The interface between the Risk Assessor and the Motion Planner SHALL provide a safety verdict for each candidate trajectory comprising a pass/fail flag, minimum time-to-collision value, and required deceleration margin, evaluated within 5 milliseconds of trajectory submission. interface, planning, risk-motion, session-162
IFC-INTERFACEDEFINITIONS-007 The interface between the Vehicle Dynamics Monitor and the Steering Controller SHALL transmit vehicle state data (yaw rate, lateral acceleration, steering angle feedback) as a structured message at 100 Hz with end-to-end latency not exceeding 2 milliseconds. interface, vehicle-control, dynamics-steering, session-163
IFC-INTERFACEDEFINITIONS-008 The interface between the control algorithms (Steering Controller, Throttle and Brake Controller) and the Drive-by-Wire Gateway SHALL use a dual-redundant CAN FD bus operating at 500 kbit/s with message authentication codes on all safety-critical frames. interface, vehicle-control, can-bus, session-163
IFC-INTERFACEDEFINITIONS-009 The interface between the Drive-by-Wire Gateway and the Actuator Health Manager SHALL report actuator telemetry (motor temperature, position feedback, current draw, pressure readings) at 50 Hz, with the Health Manager returning a fault status word within one telemetry cycle. interface, vehicle-control, health-telemetry, session-163
IFC-INTERFACEDEFINITIONS-010 The interface between the GNSS Receiver and the Pose Estimator SHALL transmit position fixes in NMEA 0183 GGA format at a minimum rate of 10 Hz, including fix quality indicator, number of satellites, and horizontal dilution of precision. interface, localization, gnss, pose-estimator, session-164
IFC-INTERFACEDEFINITIONS-011 The interface between the Inertial Measurement Unit and the Pose Estimator SHALL transmit three-axis acceleration and three-axis angular rate measurements at a minimum rate of 200 Hz with timestamps synchronised to the vehicle time base within 1 microsecond. interface, localization, imu, pose-estimator, session-164
IFC-INTERFACEDEFINITIONS-012 The interface between the Pose Estimator and the Planning and Decision Subsystem SHALL transmit the fused ego-pose as a stamped message containing position (x, y, z), orientation (quaternion), linear velocity, angular velocity, and a 6x6 covariance matrix at a minimum rate of 100 Hz. interface, localization, pose-estimator, planning, session-164
IFC-INTERFACEDEFINITIONS-013 The interface between the Fault Detection and Isolation Module and the Minimal Risk Condition Controller SHALL transmit fault reports containing fault type, affected subsystem, severity classification, and recommended isolation action, delivered within 10 milliseconds of fault confirmation. interface, safety-monitoring, fdi-mrc, session-165
IFC-INTERFACEDEFINITIONS-014 The interface between the Safety Integrity Monitor and the Fault Detection and Isolation Module SHALL transmit runtime integrity verdicts at 100 Hz, each verdict containing a pass/fail status and the function identifier being monitored. interface, safety-monitoring, sim-fdi, session-165
IFC-INTERFACEDEFINITIONS-015 The interface between the Safety and Monitoring Subsystem components and the Event Data Recorder SHALL transmit all fault events and emergency action commands as time-stamped messages with microsecond resolution, using a non-blocking write protocol that does not impede safety-critical processing. interface, safety-monitoring, edr, session-165
IFC-INTERFACEDEFINITIONS-016 The interface between the Vehicle Cybersecurity Gateway and the Fault Detection and Isolation Module SHALL transmit intrusion detection alerts containing the affected network domain, attack classification, and blocked message count, with alert delivery latency not exceeding 5 milliseconds. interface, safety-monitoring, csg-fdi, session-165
IFC-INTERFACEDEFINITIONS-017 The interface between the LiDAR Processing Unit, Camera Vision Pipeline, Radar Processing Unit, and the Sensor Fusion Engine SHALL use a timestamped detection message format containing sensor identity, detection confidence, bounding geometry, and measurement covariance, transmitted at a rate matching each sensor's native cycle rate. interface, perception, session-166
IFC-INTERFACEDEFINITIONS-018 The interface between the Sensor Fusion Engine and the Object Tracker SHALL deliver fused detection updates containing track-to-detection association hypotheses, innovation vectors, and updated state covariance matrices at each fusion cycle. interface, perception, session-166
IFC-INTERFACEDEFINITIONS-019 The interface between the Object Tracker and the Planning and Decision Subsystem SHALL provide a tracked object list containing object identity, classification, kinematic state vector, and predicted trajectory at a minimum rate of 20 Hz. interface, perception-planning, session-166
IFC-INTERFACEDEFINITIONS-020 The interface between the In-Vehicle Network Router and the V2X Communication Module SHALL carry IEEE 802.11p and PC5 protocol frames over a dedicated 1 Gbps Ethernet link with IEEE 802.1Q VLAN tag 100. interface, communication, session-167
IFC-INTERFACEDEFINITIONS-021 The interface between the V2X Communication Module and the Communication Security Manager SHALL support message signing requests and certificate lookups with a response latency not exceeding 5 milliseconds per operation. interface, communication, session-167
IFC-INTERFACEDEFINITIONS-022 The interface between the In-Vehicle Network Router and the Telemetry and Fleet Gateway SHALL multiplex telemetry streams from all subsystems onto a prioritized queue with configurable bandwidth allocation per data class. interface, communication, session-167
IFC-INTERFACEDEFINITIONS-023 The interface between the OTA Update Manager and the Communication Security Manager SHALL provide update package signature verification returning a signed verification verdict within 2 seconds for packages up to 500 MB. interface, communication, session-167
IFC-INTERFACEDEFINITIONS-024 The interface between the Pose Estimator and the Vehicle Dynamics Monitor SHALL transmit the fused vehicle pose (position, heading, velocity) at a minimum rate of 50 Hz over the in-vehicle Ethernet backbone. The message SHALL include a validity flag and an estimated position covariance matrix to enable the Vehicle Dynamics Monitor to weight localization data against its own inertial estimates. interface, localization-control, pose-dynamics, session-168

Architecture Decisions (ARC)

Ref Requirement V&V Tags
ARC-ARCHITECTUREDECISIONS-001 The Vehicle Control Subsystem SHALL use dual-redundant CAN FD buses for all safety-critical actuator command paths. Rationale: Single-bus failure must not result in loss of vehicle control. The primary bus carries real-time commands while the secondary bus provides hot standby with automatic failover within 5 ms. This decision derives from ISO 26262 ASIL-D requirements for steering and braking functions. architecture, vehicle-control, redundancy, session-168
ARC-ARCHITECTUREDECISIONS-002 The Perception Subsystem SHALL perform all sensor fusion centrally in the Sensor Fusion Engine before forwarding the unified object list to the Planning and Decision Subsystem. Rationale: Centralised fusion avoids conflicting object representations across subsystems and ensures a single authoritative world model. Track-level fusion using an extended Kalman filter was selected over raw-level fusion due to lower computational cost and proven reliability in automotive applications. architecture, perception, sensor-fusion, session-168
ARC-ARCHITECTUREDECISIONS-003 The Planning and Decision Subsystem SHALL separate tactical decision-making (Behavior Planner) from trajectory generation (Motion Planner) as distinct components with a well-defined interface. Rationale: Decoupling tactical decisions from trajectory optimisation allows independent verification of safety-critical maneuver selection logic at ASIL-D, while the trajectory generator operates at ASIL-B with tighter real-time constraints. This separation also enables independent algorithm updates without cross-impact. architecture, planning, separation-of-concerns, session-168
ARC-ARCHITECTUREDECISIONS-004 The Safety and Monitoring Subsystem SHALL operate on a physically independent compute node from the Planning and Vehicle Control subsystems. Rationale: An independent safety monitor cannot be compromised by the same software faults or hardware failures that affect the primary compute stack. The Safety Integrity Monitor runs on a separate ARM Cortex-R lockstep processor with its own power supply, implementing a checker-shadow pattern to validate that planning outputs remain within the operational design domain. architecture, safety-monitoring, independence, session-168
ARC-ARCHITECTUREDECISIONS-005 The Vehicle Control Subsystem SHALL use dual-redundant CAN FD buses for all safety-critical actuator command paths. Rationale: Single-bus failure must not result in loss of vehicle control. architecture, vehicle-control, redundancy, session-168

Verification Plan (VER)

Ref Requirement V&V Tags
VER-VERIFICATIONMETHODS-001 The LiDAR processing rate and coverage SHALL be verified by injecting recorded point cloud datasets at rated frame rates and measuring processing latency and angular coverage completeness against SUB-SUBSYSTEMREQUIREMENTS-001. verification, perception, test, session-161
VER-VERIFICATIONMETHODS-002 Sensor fusion latency SHALL be verified by timestamping raw sensor inputs and fusion output, measuring end-to-end delay across 10,000 cycles under peak load conditions against SUB-SUBSYSTEMREQUIREMENTS-003. verification, perception, latency, session-161
VER-VERIFICATIONMETHODS-003 The Perception-to-Planning interface data rate SHALL be verified by monitoring the shared-memory IPC channel under simulated traffic scenarios with 200 tracked objects and confirming sustained 20 Hz delivery against IFC-INTERFACEDEFINITIONS-001. verification, interface, test, session-161
VER-VERIFICATIONMETHODS-004 The Behavior Planner decision cycle time SHALL be verified by measuring wall-clock latency from prediction input timestamp to action output timestamp across 50,000 decision cycles under peak traffic scenarios with 200 tracked objects, against SUB-SUBSYSTEMREQUIREMENTS-007. verification, planning, behavior-planner, session-162
VER-VERIFICATIONMETHODS-005 The Risk Assessor minimal risk condition handoff SHALL be verified by injecting failure scenarios where all candidate trajectories violate the 2-second time-to-collision threshold and measuring response latency and correct MRC request issuance, against SUB-SUBSYSTEMREQUIREMENTS-010. verification, planning, risk-assessor, session-162
VER-VERIFICATIONMETHODS-006 The Prediction Module trajectory forecast accuracy SHALL be verified by replaying recorded urban driving datasets and computing position error at 3-second and 5-second horizons across vehicle, pedestrian, and cyclist categories, against SUB-SUBSYSTEMREQUIREMENTS-009. verification, planning, prediction-module, session-162
VER-VERIFICATIONMETHODS-007 The Steering Controller steady-state error and settling time (SUB-VEHICLECONTROLSUBSYSTEM-014) SHALL be verified by hardware-in-the-loop test with a calibrated steering angle sensor, injecting step and ramp commands across the full operating range at ambient temperatures from -20°C to +60°C. verification, vehicle-control, session-163
VER-VERIFICATIONMETHODS-008 The Drive-by-Wire Gateway watchdog mechanism (SUB-VEHICLECONTROLSUBSYSTEM-019) SHALL be verified by fault injection test that interrupts the control software heartbeat and measures time to actuator safe-state transition, confirming it occurs within the 50 ms watchdog period. verification, vehicle-control, safety, session-163
VER-VERIFICATIONMETHODS-009 The dual-redundant CAN FD interface (IFC-INTERFACEDEFINITIONS-008) SHALL be verified by protocol conformance test including bus-off recovery, message authentication validation, and single-bus-failure failover test confirming no command dropout exceeds one cycle. verification, vehicle-control, interface, session-163
VER-VERIFICATIONMETHODS-010 The Fault Detection and Isolation Module fault detection latency (SUB-SUBSYSTEMREQUIREMENTS-028) SHALL be verified by hardware-in-the-loop testing with calibrated fault injection at each monitored subsystem interface, measuring detection time against the 50 ms threshold across 1000 fault injection cycles. verification, safety-monitoring, fdi, session-165
VER-VERIFICATIONMETHODS-011 The Minimal Risk Condition Controller safe-stop execution (SUB-SUBSYSTEMREQUIREMENTS-029) SHALL be verified by closed-course vehicle testing with simulated critical faults, confirming MRC initiation within 100 ms and the vehicle reaching a safe state in all test scenarios including highway, urban, and intersection contexts. verification, safety-monitoring, mrc, session-165
VER-VERIFICATIONMETHODS-012 The Safety Integrity Monitor watchdog cycle (SUB-SUBSYSTEMREQUIREMENTS-030) SHALL be verified by analysis of execution traces and by injecting timing violations and control-flow corruptions into ASIL D functions, confirming detection within one watchdog cycle. verification, safety-monitoring, sim, session-165
VER-VERIFICATIONMETHODS-013 The Event Data Recorder continuous recording and crash survivability (SUB-SUBSYSTEMREQUIREMENTS-031) SHALL be verified by recording at a sustained 100 Mbps throughput for 8 hours followed by a physical crash simulation per UN R157 Annex 1, confirming data integrity and readback of the pre-incident buffer. verification, safety-monitoring, edr, session-165
VER-VERIFICATIONMETHODS-014 The Vehicle Cybersecurity Gateway intrusion detection (SUB-SUBSYSTEMREQUIREMENTS-032) SHALL be verified by penetration testing with a standardised attack suite covering CAN bus injection, Ethernet MITM, and replay attacks, confirming detection and blocking within 10 ms for every attack in the suite. verification, safety-monitoring, csg, session-165
VER-VERIFICATIONMETHODS-015 The V2X message latency (SUB-SUBSYSTEMREQUIREMENTS-041) SHALL be verified by test: BSM messages SHALL be injected through an RF channel simulator and end-to-end latency measured across 10,000 message cycles under nominal and congested channel conditions. verification, communication, session-167
VER-VERIFICATIONMETHODS-016 The OTA update package integrity check (SUB-SUBSYSTEMREQUIREMENTS-044) SHALL be verified by test: update packages with valid signatures, corrupted signatures, and signatures from revoked certificates SHALL be presented, confirming acceptance of valid packages and rejection of every tampered or revoked package. verification, communication, session-167
VER-VERIFICATIONMETHODS-017 The TSN frame delivery latency (SUB-SUBSYSTEMREQUIREMENTS-046) SHALL be verified by test: latency SHALL be measured on all safety-critical VLAN paths using precision time protocol (PTP) synchronised traffic generators, reporting the 99.999th percentile of measured latency. verification, communication, session-167
VER-VERIFICATIONMETHODS-018 The HSM private key isolation (SUB-SUBSYSTEMREQUIREMENTS-050) SHALL be verified by inspection of the HSM's FIPS 140-2 Level 2 certification documentation and by test confirming that no software API permits private key export or direct read access. verification, communication, session-167
VER-VERIFICATIONMETHODS-019 The Pose Estimator fused position accuracy (SUB-SUBSYSTEMREQUIREMENTS-021) SHALL be verified by test using a reference-grade RTK-GNSS/INS system on a closed test track. The Pose Estimator output SHALL be compared against RTK ground truth over 100 km of driving across urban, suburban, and highway scenarios. Pass criteria: lateral error less than 10 cm RMS, heading error less than 0.1 degrees RMS. verification, localization, pose-estimator, session-168
VER-VERIFICATIONMETHODS-020 The Pose Estimator GNSS spoofing detection (SUB-SUBSYSTEMREQUIREMENTS-026) SHALL be verified by test using a GNSS signal simulator injecting spoofed signals with position offsets of 1 m to 100 m. The system SHALL detect and reject spoofed signals within 2 seconds for offsets greater than 5 m. Test SHALL include both gradual drift and sudden jump spoofing attack profiles. verification, localization, gnss-spoofing, session-168
VER-VERIFICATIONMETHODS-021 The Inertial Measurement Unit dead-reckoning capability during GNSS loss (SUB-SUBSYSTEMREQUIREMENTS-023) SHALL be verified by test in a controlled tunnel environment. GNSS signal SHALL be occluded for intervals of 30, 60, and 120 seconds at vehicle speeds of 30 and 60 km/h. Pass criteria: position drift less than 1 m after 30 s, less than 5 m after 60 s, and less than 15 m after 120 s of GNSS denial. verification, localization, imu, dead-reckoning, session-168
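
A consistency check of the kind VER-VERIFICATIONMETHODS-020 exercises, as an added example (editorial code, not from the report or from any Pose Estimator implementation). It dead-reckons from the last trusted fix using IMU velocity and rejects GNSS fixes that disagree with that track, then runs the two attack profiles the method names, a sudden jump and a gradual drift, against the 2 s / 5 m pass criterion. The fix rate (10 Hz), straight-line motion at 15 m/s, IMU velocity bias (0.02 m/s), GNSS noise (2 cm), 5 s anchor window and 1 m innovation limit are all assumptions; the report gives none of them.

```python
"""Added example, not from the report: a windowed GNSS-vs-inertial consistency
check run against constructed sudden-jump and gradual-drift spoofing profiles.
Assumptions not in the report: 10 Hz fixes, one-dimensional along-track motion
at 15 m/s, an IMU velocity bias of 0.02 m/s, 2 cm GNSS noise, a 5 s re-anchor
window and a 1 m innovation limit."""
import random

FIX_RATE_HZ = 10
DT = 1.0 / FIX_RATE_HZ
WINDOW_FIXES = 5 * FIX_RATE_HZ      # move the inertial anchor every 5 s
INNOVATION_LIMIT_M = 1.0            # above one window of IMU drift plus GNSS noise
SPEED_MPS = 15.0
IMU_BIAS_MPS = 0.02                 # constructed IMU velocity error
SPOOF_START_S = 20.0
SIM_DURATION_S = 40.0


class GnssConsistencyMonitor:
    """Dead-reckons from the last anchor fix with IMU velocity and rejects any
    GNSS fix whose innovation against that track exceeds the limit. The anchor
    moves only onto fixes that passed the check, so a spoofer that walks the
    fix away slowly cannot drag the reference along with it: within one window
    the inertial track is trusted over the receiver."""

    def __init__(self):
        self.anchor_k = None        # sample index of the current anchor fix
        self.dr_pos = None          # dead-reckoned position since the anchor
        self.first_reject_s = None  # time of the first rejected fix
        self.rejected = 0

    def update(self, k, gnss_pos, imu_velocity):
        """Return True if the fix at sample index k is accepted."""
        if self.anchor_k is None:
            self.anchor_k, self.dr_pos = k, gnss_pos
            return True
        self.dr_pos += imu_velocity * DT
        if abs(gnss_pos - self.dr_pos) > INNOVATION_LIMIT_M:
            self.rejected += 1
            if self.first_reject_s is None:
                self.first_reject_s = k / FIX_RATE_HZ
            return False
        if k - self.anchor_k >= WINDOW_FIXES:
            self.anchor_k, self.dr_pos = k, gnss_pos
        return True


def spoof_offset(profile, t):
    """Constructed attack profiles applied to the GNSS fix from SPOOF_START_S."""
    if profile == "clean" or t < SPOOF_START_S:
        return 0.0
    if profile == "jump":
        return 30.0                          # sudden 30 m jump
    if profile == "drift":
        return 1.0 * (t - SPOOF_START_S)     # 1 m/s gradual walk-off
    raise ValueError(profile)


def run_scenario(profile, seed=1):
    """Return (first_reject_s, offset_exceeds_5m_s, rejected_fixes); the first
    two are None when the event never happened."""
    rng = random.Random(seed)
    monitor = GnssConsistencyMonitor()
    exceeds_5m_s = None
    for k in range(int(SIM_DURATION_S * FIX_RATE_HZ) + 1):
        t = k / FIX_RATE_HZ
        offset = spoof_offset(profile, t)
        if exceeds_5m_s is None and offset > 5.0:
            exceeds_5m_s = t
        gnss_pos = SPEED_MPS * t + offset + rng.gauss(0.0, 0.02)
        monitor.update(k, gnss_pos, SPEED_MPS + IMU_BIAS_MPS)
    return monitor.first_reject_s, exceeds_5m_s, monitor.rejected


def meets_ver_020(profile):
    """VER-020 pass criterion: rejection starts no later than 2 s after the
    spoofed offset first exceeds 5 m."""
    first_reject_s, exceeds_5m_s, _ = run_scenario(profile)
    return (first_reject_s is not None and exceeds_5m_s is not None
            and first_reject_s <= exceeds_5m_s + 2.0)


if __name__ == "__main__":
    for profile in ("clean", "jump", "drift"):
        print(profile, run_scenario(profile), meets_ver_020(profile))
```

The window and limit have to be set from measured dead-reckoning drift (the VER-VERIFICATIONMETHODS-021 figures bound it at 1 m over 30 s), and a drift slower than the limit divided by the window length slips through this check on its own. That is why the Pose Estimator's SLAM map-matching input matters as a second, independent cross-check, and why the test should also run drift rates below the detectable floor so the floor is documented rather than assumed.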

Internal Diagrams

flowchart TB
  n0["component<br>Route Planner"]
  n1["component<br>Prediction Module"]
  n2["component<br>Behavior Planner"]
  n3["component<br>Motion Planner"]
  n4["component<br>Risk Assessor"]
  n5["external<br>Perception Subsystem"]
  n6["external<br>Vehicle Control Subsystem"]
  n7["external<br>Localization and Mapping Subsystem"]
  n5 -->|fused object list| n1
  n7 -->|HD map + position| n0
  n1 -->|predicted trajectories| n2
  n0 -->|reference path| n2
  n2 -->|driving decisions| n3
  n4 -->|safety verdicts| n3
  n3 -->|trajectory waypoints| n6

Planning and Decision Subsystem — Internal

flowchart TB
  n0["system<br>Localization and Mapping Subsystem"]
  n1["component<br>GNSS Receiver"]
  n2["component<br>Inertial Measurement Unit"]
  n3["component<br>SLAM Engine"]
  n4["component<br>HD Map Manager"]
  n5["component<br>Pose Estimator"]
  n6["actor<br>Perception Input"]
  n7["actor<br>Planning Subsystem"]
  n1 -->|Position fixes| n5
  n2 -->|Inertial data| n5
  n3 -->|Relative pose and map match| n5
  n4 -->|Map priors| n5
  n4 -->|Map tiles| n3
  n6 -->|LiDAR point clouds| n3
  n5 -->|Fused ego-pose| n7

Localization and Mapping Subsystem — Internal

flowchart TB
  n0["component<br>Fault Detection and Isolation Module"]
  n1["component<br>Minimal Risk Condition Controller"]
  n2["component<br>Safety Integrity Monitor"]
  n3["component<br>Event Data Recorder"]
  n4["component<br>Vehicle Cybersecurity Gateway"]
  n2 -->|integrity verdicts| n0
  n0 -->|fault reports| n1
  n0 -->|fault events| n3
  n4 -->|intrusion alerts| n0
  n1 -->|emergency actions| n3

Safety and Monitoring Subsystem — Internal

flowchart TB
  n0["component<br>LiDAR Processing Unit"]
  n1["component<br>Camera Vision Pipeline"]
  n2["component<br>Radar Processing Unit"]
  n3["component<br>Sensor Fusion Engine"]
  n4["component<br>Object Tracker"]
  n0 -->|point cloud detections| n3
  n1 -->|image detections| n3
  n2 -->|radar detections| n3
  n3 -->|fused detections| n4

Perception Subsystem — Internal

flowchart TB
  n0["component<br>Steering Controller"]
  n1["component<br>Throttle and Brake Controller"]
  n2["component<br>Drive-by-Wire Gateway"]
  n3["component<br>Vehicle Dynamics Monitor"]
  n4["component<br>Actuator Health Manager"]
  n3 -->|vehicle state| n0
  n3 -->|vehicle state| n1
  n0 -->|steering commands| n2
  n1 -->|throttle/brake commands| n2
  n2 -->|actuator telemetry| n4
  n4 -->|health status| n0

Vehicle Control Subsystem — Components

Classified Entities

Entity Hex Code Description
Actuator Health Manager 45B77A19 Fault management module in an autonomous vehicle's Vehicle Control Subsystem that continuously monitors actuator health status (steering motor temperature, brake pressure sensors, throttle position feedback), detects degradation or failures, and manages graceful degradation modes including limp-home and safe-stop
Autonomous Vehicle D7F7725D A self-driving ground vehicle system integrating perception, planning, control, and communication subsystems to navigate public roads without human intervention. Operates in mixed traffic with pedestrians, cyclists, and other vehicles. SAE Level 4 autonomy within a defined operational design domain.
Behavior Planner 41F77B19 High-level decision-making module within an autonomous vehicle's Planning and Decision Subsystem. Evaluates tactical driving options such as lane changes, intersection negotiation, merge manoeuvres, and yielding based on traffic rules, road context, and predicted behaviour of surrounding agents. Outputs discrete driving actions to the motion planner.
Camera Vision Pipeline 71F73319 Component of an autonomous vehicle perception subsystem that processes multi-camera image streams using deep neural networks for 2D/3D object detection, semantic segmentation, lane marking recognition, and traffic sign classification at frame rates above 30 fps.
Communication Security Manager 40B57979 Cryptographic service module managing PKI certificates, session keys, and message authentication for all external communication channels. Implements IEEE 1609.2 security for V2X, TLS for cellular links, and secure boot chain verification for OTA payloads.
Communication Subsystem 51F57319 Vehicle-to-everything (V2X) communication subsystem of an autonomous vehicle providing vehicle-to-vehicle, vehicle-to-infrastructure, and cellular connectivity. Supports cooperative perception, traffic signal priority, over-the-air software updates, and fleet management telemetry.
Drive-by-Wire Gateway 51F57819 Hardware-software interface gateway in an autonomous vehicle that translates high-level control commands into CAN bus messages for physical vehicle actuators (steering motor, brake calipers, throttle body), providing signal integrity monitoring and watchdog supervision
Event Data Recorder D0A53259 Black-box data logging unit within an autonomous vehicle that continuously records sensor inputs, planning decisions, actuator commands, and fault events in a crash-survivable storage medium. Supports post-incident analysis and regulatory compliance.
Fault Detection and Isolation Module 41B77B19 Software module within an autonomous vehicle safety subsystem that monitors health telemetry from all vehicle subsystems, performs real-time anomaly detection using threshold and model-based methods, and isolates faulty components to prevent cascading failures. ASIL D rated.
GNSS Receiver D5F77019 Satellite navigation receiver providing absolute geodetic position fixes using GPS, GLONASS, Galileo, and BeiDou constellations with RTK correction capability for centimetre-level accuracy in autonomous vehicle localization
HD Map Manager 40A53109 Software component that stores, indexes, and queries high-definition pre-built maps containing lane geometry, road markings, traffic signs, and semantic features, providing the Pose Estimator with map priors for localization matching in an autonomous vehicle
In-Vehicle Network Router D4B57218 Central Ethernet/TSN router providing deterministic, time-sensitive networking between vehicle compute nodes. Manages VLAN segmentation, QoS prioritization, and traffic shaping for safety-critical and best-effort data flows across automotive Ethernet backbone.
Inertial Measurement Unit D4F51018 Six-axis inertial sensor package with three-axis accelerometer and three-axis gyroscope providing high-rate dead reckoning between GNSS fixes and bridging GNSS outages in tunnels or urban canyons for autonomous vehicle localization
LiDAR Processing Unit 51F73219 Component of an autonomous vehicle perception subsystem that ingests raw 3D point cloud data from multiple LiDAR sensors, performs ground-plane segmentation, clustering, and geometric feature extraction to produce object candidate bounding volumes at 10 Hz or faster.
Localization and Mapping Subsystem 51F73019 Subsystem of an autonomous vehicle responsible for determining the vehicle's precise position and orientation using GPS, IMU, wheel odometry, and high-definition map matching. Maintains a localization estimate with centimetre-level accuracy for safe navigation.
Minimal Risk Condition Controller 51F77A59 Safety-critical controller within an autonomous vehicle that executes emergency manoeuvres such as controlled stops, lane-holding pullover, or hazard-light activation when a fault or unsafe state is detected. Implements the minimal risk condition fallback that SAE J3016 defines for Level 4 automation and that ISO 22737 specifies for low-speed automated driving systems.
Motion Planner 41F73B19 Trajectory generation component within an autonomous vehicle's Planning and Decision Subsystem. Converts high-level behaviour decisions into smooth, kinematically feasible trajectories expressed as time-stamped waypoints with position, velocity, and curvature constraints. Optimises for comfort, safety margins, and dynamic vehicle limits.
Object Tracker 51B73309 Component of an autonomous vehicle perception subsystem that maintains persistent identity and kinematic state (position, velocity, heading, acceleration) for up to 200 simultaneously tracked objects using multi-hypothesis tracking and Kalman filtering across sensor fusion cycles.
OTA Update Manager 41B77B18 Over-the-air software update manager responsible for secure download, verification, and staged deployment of firmware and software updates to vehicle ECUs. Implements A/B partition schemes and rollback capability.
Perception Subsystem 55F73209 Sensor fusion subsystem of an autonomous vehicle integrating LiDAR, camera, radar, and ultrasonic sensors to detect and classify objects, lanes, traffic signs, and road conditions in the vehicle's environment. Produces a unified world model for downstream planning.
Planning and Decision Subsystem 51B73B19 Autonomous vehicle subsystem that performs route planning, behavioral planning, and motion planning. Takes the world model from perception and localization data to generate safe, legal, and efficient trajectories through complex traffic scenarios including intersections, merges, and pedestrian crossings.
Pose Estimator 41F73309 Central sensor fusion algorithm that combines GNSS fixes, IMU dead reckoning, SLAM map-matching, and HD map priors using an Extended Kalman Filter to produce a single high-confidence 6-DOF ego-pose estimate for the autonomous vehicle at 100 Hz
Prediction Module 51F77319 Predictive analytics component within an autonomous vehicle's Planning and Decision Subsystem. Forecasts future trajectories and intentions of surrounding road users including vehicles, pedestrians, and cyclists over a 3-8 second horizon using learned motion models and contextual cues from the HD map.
Radar Processing Unit D1F73019 Component of an autonomous vehicle perception subsystem that processes returns from millimetre-wave radar arrays to detect range, velocity, and angle of surrounding objects, providing robust detections in adverse weather conditions including rain, fog, and dust.
Risk Assessor 41B73B09 Safety evaluation component within an autonomous vehicle's Planning and Decision Subsystem. Continuously evaluates the risk of candidate trajectories by computing time-to-collision, required deceleration, and safety envelope violations. Vetoes unsafe plans and triggers minimal risk condition handoff to the safety subsystem when no safe trajectory exists.
Route Planner 41B73B09 Global path planning component within an autonomous vehicle's Planning and Decision Subsystem. Computes optimal routes from origin to destination using the HD map graph, considering traffic conditions, road closures, and energy efficiency. Provides the reference path that the behaviour planner follows tactically.
Safety and Monitoring Subsystem 51B77A59 Autonomous vehicle subsystem responsible for system health monitoring, fault detection and isolation, emergency fallback manoeuvres, and occupant protection. Implements safety integrity levels per ISO 26262, monitors all other subsystems for degradation, and triggers minimal risk conditions when faults are detected.
Safety Integrity Monitor 51B73859 Independent hardware and software watchdog within an autonomous vehicle safety subsystem that performs runtime verification of safety-critical functions, checks execution timing, memory integrity, and control flow. Acts as an independent safety element per ISO 26262.
Sensor Fusion Engine 51F73319 Component of an autonomous vehicle perception subsystem that combines detections from LiDAR, camera, and radar processing pipelines using probabilistic data association and state estimation to produce a unified, high-confidence environmental model with correlated object tracks.
SLAM Engine 41F73309 Simultaneous Localization and Mapping software engine that processes LiDAR point clouds and camera images to build and update environmental maps while estimating the vehicle's position relative to those maps in real time
Steering Controller D5F77819 Electronic control unit within an autonomous vehicle's Vehicle Control Subsystem that converts lateral path-following commands from the motion planner into precise steering actuator signals, implementing torque overlay and angle control with fail-operational redundancy
Telemetry and Fleet Gateway 50E55219 Cellular communication gateway providing 4G/5G uplink for real-time telemetry reporting, fleet management commands, and remote monitoring. Aggregates vehicle health, position, and operational data for cloud-based fleet orchestration.
Throttle and Brake Controller D5F73A19 Longitudinal control unit in an autonomous vehicle's Vehicle Control Subsystem that manages acceleration and deceleration by commanding electronic throttle and brake-by-wire actuators, enforcing jerk limits and emergency braking authority
V2X Communication Module D4F47219 Vehicle-to-everything communication module implementing DSRC (IEEE 802.11p) and C-V2X (3GPP PC5) protocols for vehicle-to-vehicle, vehicle-to-infrastructure, and vehicle-to-pedestrian messaging. Handles BSM, SPaT, MAP, and TIM message types with sub-100ms latency.
Vehicle Control Subsystem 51F73A19 Subsystem of an autonomous vehicle that translates planned trajectories into physical actuator commands for steering, throttle, and braking. Implements low-level feedback control loops to track the desired path while maintaining vehicle stability and ride comfort.
Vehicle Cybersecurity Gateway 51B77859 Network security component within an autonomous vehicle safety subsystem that monitors in-vehicle Ethernet and CAN bus networks for intrusion attempts, validates message authenticity using AUTOSAR SecOC, and enforces network segmentation between safety-critical and non-critical domains per ISO/SAE 21434.
Vehicle Dynamics Monitor 55F53318 Real-time monitoring module in an autonomous vehicle's Vehicle Control Subsystem that fuses IMU, wheel speed, and steering angle sensor data to estimate vehicle state including velocity, yaw rate, slip angle, and lateral acceleration for closed-loop feedback
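
The message-level check behind the Vehicle Cybersecurity Gateway's AUTOSAR SecOC validation, and the replay case in VER-VERIFICATIONMETHODS-014, as an added example (editorial code, not from the report or from AUTOSAR). A secured frame carries the authentic payload, a truncated freshness value and a truncated MAC computed over the data id, the payload and the full freshness value; the receiver rebuilds the full counter and verifies the MAC, so a replayed frame fails because its MAC was computed under an older counter. Assumptions not in the report: HMAC-SHA256 in place of the AES-CMAC that SecOC profiles specify, a 64-bit truncated MAC, a 64-bit counter with 16 bits on the bus, and constructed key, data id and frames.

```python
"""Added example, not from the report: an AUTOSAR SecOC-style secured frame
(authentic payload || truncated freshness || truncated MAC) and the receive
check that rejects replayed and injected copies. Assumptions not in the report:
HMAC-SHA256 stands in for CMAC, MAC truncated to 64 bits, 64-bit freshness
counter with its low 16 bits transmitted, constructed key and data id."""
import hashlib
import hmac
import struct

KEY = bytes(range(16))                 # constructed test key (per link in practice)
DATA_ID = 0x0321                       # constructed SecOC data id for this PDU
MAC_LEN = 8                            # truncated MAC length in bytes
FV_BITS = 16                           # freshness bits carried on the bus
FV_MASK = (1 << FV_BITS) - 1


def secoc_mac(payload, freshness):
    """MAC over data id || authentic payload || full (untruncated) freshness."""
    msg = struct.pack(">H", DATA_ID) + payload + struct.pack(">Q", freshness)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecOcSender:
    def __init__(self, freshness=0):
        self.freshness = freshness

    def secure(self, payload):
        self.freshness += 1
        trunc = struct.pack(">H", self.freshness & FV_MASK)
        return payload + trunc + secoc_mac(payload, self.freshness)


class SecOcReceiver:
    def __init__(self, freshness=0):
        self.last_accepted = freshness
        self.rejected = 0

    def verify(self, frame):
        """Return the authentic payload, or None if the frame is rejected."""
        if len(frame) < 2 + MAC_LEN:
            self.rejected += 1
            return None
        payload = frame[:-(2 + MAC_LEN)]
        trunc = struct.unpack(">H", frame[-(2 + MAC_LEN):-MAC_LEN])[0]
        tag = frame[-MAC_LEN:]
        # Rebuild the full counter: upper bits from the last accepted value,
        # lower bits from the bus. A value not above the last accepted one is
        # taken to have wrapped the transmitted field once, so the candidate is
        # always strictly newer than anything accepted before.
        candidate = (self.last_accepted & ~FV_MASK) | trunc
        if candidate <= self.last_accepted:
            candidate += 1 << FV_BITS
        # A replay carries an old freshness, so its MAC does not verify under
        # the reconstructed (newer) counter; a forged payload fails outright.
        if not hmac.compare_digest(tag, secoc_mac(payload, candidate)):
            self.rejected += 1
            return None
        self.last_accepted = candidate
        return payload


def run_attack_cases():
    """Constructed traffic: three genuine steering-angle frames, a replay of the
    second, a bit-flipped copy of the third, and a legitimate wrap of the
    16-bit freshness field on a second link."""
    tx, rx = SecOcSender(), SecOcReceiver()
    frames = [tx.secure(struct.pack(">h", angle)) for angle in (10, -25, 40)]
    genuine = [rx.verify(f) for f in frames]
    replay = rx.verify(frames[1])
    flipped = bytes([frames[2][0] ^ 0x80]) + frames[2][1:]
    injected = rx.verify(flipped)

    tx2, rx2 = SecOcSender(freshness=0xFFFE), SecOcReceiver(freshness=0xFFFE)
    wrap = [rx2.verify(tx2.secure(b"\x00\x05")) for _ in range(2)]
    return {
        "genuine": genuine, "replay": replay, "injected": injected,
        "rejected": rx.rejected, "wrap": wrap,
        "receiver_counter": rx2.last_accepted,
    }


if __name__ == "__main__":
    for name, value in run_attack_cases().items():
        print(f"{name}: {value!r}")
```

Counter reconstruction as written tolerates exactly one wrap of the transmitted field; a receiver that misses more than 65,536 frames loses synchronisation, which is why SecOC also defines acceptance windows and freshness synchronisation messages. Even a verbatim copy of the most recent frame is rejected, since the reconstructed counter is always strictly above the last accepted value.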

Decomposition Relationships

Part-Of

Component | Belongs To
Perception Subsystem | Autonomous Vehicle
Localization and Mapping Subsystem | Autonomous Vehicle
Planning and Decision Subsystem | Autonomous Vehicle
Vehicle Control Subsystem | Autonomous Vehicle
Communication Subsystem | Autonomous Vehicle
Safety and Monitoring Subsystem | Autonomous Vehicle
Behavior Planner | Planning and Decision Subsystem
Motion Planner | Planning and Decision Subsystem
Prediction Module | Planning and Decision Subsystem
Route Planner | Planning and Decision Subsystem
Risk Assessor | Planning and Decision Subsystem
Steering Controller | Vehicle Control Subsystem
Throttle and Brake Controller | Vehicle Control Subsystem
Drive-by-Wire Gateway | Vehicle Control Subsystem
Vehicle Dynamics Monitor | Vehicle Control Subsystem
Actuator Health Manager | Vehicle Control Subsystem
GNSS Receiver | Localization and Mapping Subsystem
Inertial Measurement Unit | Localization and Mapping Subsystem
SLAM Engine | Localization and Mapping Subsystem
HD Map Manager | Localization and Mapping Subsystem
Pose Estimator | Localization and Mapping Subsystem
Fault Detection and Isolation Module | Safety and Monitoring Subsystem
Minimal Risk Condition Controller | Safety and Monitoring Subsystem
Safety Integrity Monitor | Safety and Monitoring Subsystem
Event Data Recorder | Safety and Monitoring Subsystem
Vehicle Cybersecurity Gateway | Safety and Monitoring Subsystem
LiDAR Processing Unit | Perception Subsystem
Camera Vision Pipeline | Perception Subsystem
Radar Processing Unit | Perception Subsystem
Sensor Fusion Engine | Perception Subsystem
Object Tracker | Perception Subsystem
V2X Communication Module | Communication Subsystem
Telemetry and Fleet Gateway | Communication Subsystem
OTA Update Manager | Communication Subsystem
In-Vehicle Network Router | Communication Subsystem
Communication Security Manager | Communication Subsystem

Connections

From | To
Perception Subsystem | Planning and Decision Subsystem
Planning and Decision Subsystem | Vehicle Control Subsystem
Perception Subsystem | Safety and Monitoring Subsystem
Prediction Module | Behavior Planner
Behavior Planner | Motion Planner
Route Planner | Behavior Planner
Risk Assessor | Motion Planner
Steering Controller | Drive-by-Wire Gateway
Throttle and Brake Controller | Drive-by-Wire Gateway
Vehicle Dynamics Monitor | Steering Controller
Vehicle Dynamics Monitor | Throttle and Brake Controller
Actuator Health Manager | Drive-by-Wire Gateway
GNSS Receiver | Pose Estimator
Inertial Measurement Unit | Pose Estimator
Pose Estimator | Planning and Decision Subsystem
Fault Detection and Isolation Module | Minimal Risk Condition Controller
Safety Integrity Monitor | Fault Detection and Isolation Module
Fault Detection and Isolation Module | Event Data Recorder
Vehicle Cybersecurity Gateway | Fault Detection and Isolation Module
LiDAR Processing Unit | Sensor Fusion Engine
Camera Vision Pipeline | Sensor Fusion Engine
Radar Processing Unit | Sensor Fusion Engine
Sensor Fusion Engine | Object Tracker
Object Tracker | Planning and Decision Subsystem
V2X Communication Module | Communication Security Manager
Telemetry and Fleet Gateway | Communication Security Manager
OTA Update Manager | Communication Security Manager
In-Vehicle Network Router | V2X Communication Module
In-Vehicle Network Router | Telemetry and Fleet Gateway
Pose Estimator | Vehicle Dynamics Monitor

Produces

Component | Output
Behavior Planner | tactical driving decisions
Motion Planner | time-stamped trajectory waypoints
Prediction Module | predicted agent trajectories
Route Planner | global reference path
Risk Assessor | trajectory safety verdicts
Steering Controller | steering torque commands
Throttle and Brake Controller | longitudinal force commands
Drive-by-Wire Gateway | CAN bus actuator messages
Vehicle Dynamics Monitor | vehicle state estimates
Actuator Health Manager | actuator health status and degradation mode commands
GNSS Receiver | geodetic position fix with RTK correction
Inertial Measurement Unit | six-axis inertial measurements at 200 Hz
SLAM Engine | relative pose estimate and environmental point cloud map
Pose Estimator | fused 6-DOF ego-pose at 100 Hz
HD Map Manager | lane-level map tiles with semantic features
Fault Detection and Isolation Module | fault diagnosis reports with isolation recommendations
Minimal Risk Condition Controller | safe-stop trajectory commands and hazard warnings
Safety Integrity Monitor | runtime safety integrity verdicts and watchdog heartbeats
Event Data Recorder | time-stamped incident recordings in crash-survivable storage
Vehicle Cybersecurity Gateway | authenticated network traffic and intrusion alerts
LiDAR Processing Unit | 3D object candidate bounding volumes from segmented point clouds
Camera Vision Pipeline | 2D/3D object detections with semantic labels and lane geometry
Radar Processing Unit | range-velocity-angle detection lists with Doppler measurements
Sensor Fusion Engine | unified high-confidence environmental model with correlated tracks
Object Tracker | persistent object identities with kinematic state vectors at fusion rate
V2X Communication Module | cooperative awareness messages and hazard notifications to nearby vehicles and infrastructure
Telemetry and Fleet Gateway | aggregated telemetry streams and fleet command acknowledgments via cellular uplink
OTA Update Manager | verified and staged software update packages with rollback checkpoints
In-Vehicle Network Router | deterministic time-sensitive network frames with QoS-guaranteed delivery
Communication Security Manager | authenticated message envelopes and certificate validation verdicts
Drive-by-Wire Gateway | CAN FD actuator messages
Actuator Health Manager | actuator health status and degradation signals
Prediction Module | probabilistic trajectory forecasts
Risk Assessor | collision probability assessments
Route Planner | global route waypoints
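
The accept/reject policy behind the OTA Update Manager's "verified and staged" output, as exercised by VER-VERIFICATIONMETHODS-016, in an added example (editorial code, not the OTA Update Manager's or the Communication Security Manager's code). Each rejection names its cause so a test run can show that every tampered or revoked package fails for the intended reason. HMAC-SHA256 stands in for the public-key signature a vehicle would verify, so the example runs with the standard library only; in the real chain the vehicle holds public keys and the signing key never leaves the signer's HSM. The JSON manifest, integer monotonic versions and the static revoked-key list are also assumptions.

```python
"""Added example, not from the report: the accept/reject policy that
VER-VERIFICATIONMETHODS-016 exercises, driven by constructed packages.
STAND-IN: HMAC-SHA256 replaces the public-key signature a real OTA verifier
checks, so this runs with the standard library only; a vehicle holds only
public keys. Also assumed: JSON manifest, integer monotonic versions, and a
static set of revoked signer key ids."""
import hashlib
import hmac
import json


def sign_manifest(signing_key, manifest_bytes):
    # STAND-IN for an asymmetric signature (see module docstring).
    return hmac.new(signing_key, manifest_bytes, hashlib.sha256).digest()


def build_package(signing_key, key_id, version, payload):
    """Signer side: the manifest binds version, payload digest and signer id;
    the signature covers the manifest bytes, the digest covers the payload."""
    manifest = {
        "key_id": key_id,
        "version": version,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return {
        "manifest": manifest_bytes,
        "signature": sign_manifest(signing_key, manifest_bytes),
        "payload": payload,
    }


class OtaVerifier:
    """Vehicle side. Every rejection names its reason so a test run can show
    that each tampered or revoked package fails for the intended cause."""

    def __init__(self, trusted_keys, revoked_key_ids, installed_version):
        self.trusted_keys = dict(trusted_keys)
        self.revoked = set(revoked_key_ids)
        self.installed_version = installed_version

    def check(self, package):
        try:
            manifest = json.loads(package["manifest"])
            key_id = manifest["key_id"]
            version = manifest["version"]
            expected_digest = str(manifest["payload_sha256"])
        except (KeyError, ValueError, TypeError):
            return "reject:malformed-manifest"
        # The manifest is read only to find the signer; nothing in it is acted
        # on until the signature over it verifies under a trusted, unrevoked key.
        if not isinstance(key_id, str) or key_id not in self.trusted_keys:
            return "reject:unknown-signer"
        if key_id in self.revoked:
            return "reject:revoked-signer"
        expected_sig = sign_manifest(self.trusted_keys[key_id], package["manifest"])
        if not hmac.compare_digest(expected_sig, package["signature"]):
            return "reject:bad-signature"
        digest = hashlib.sha256(package["payload"]).hexdigest()
        if not hmac.compare_digest(digest.encode(), expected_digest.encode()):
            return "reject:payload-mismatch"
        if not isinstance(version, int) or version <= self.installed_version:
            return "reject:rollback"
        return "accept"


def run_ver_016_cases():
    """Constructed VER-016 inputs: valid, corrupted signature, revoked signer,
    plus a tampered payload and a downgrade as extra cases."""
    key_a, key_b = b"A" * 32, b"B" * 32           # constructed signer keys
    verifier = OtaVerifier({"signer-a": key_a, "signer-b": key_b},
                           revoked_key_ids={"signer-b"}, installed_version=41)
    payload = b"ecu-firmware-image"                 # constructed payload
    valid = build_package(key_a, "signer-a", 42, payload)

    corrupted = dict(valid)
    sig = bytearray(valid["signature"])
    sig[0] ^= 0x01                                  # single-bit corruption
    corrupted["signature"] = bytes(sig)

    tampered = dict(valid)
    tampered["payload"] = payload + b"\x00"         # payload altered after signing

    return {
        "valid": verifier.check(valid),
        "corrupted_signature": verifier.check(corrupted),
        "revoked_signer": verifier.check(build_package(key_b, "signer-b", 42, payload)),
        "tampered_payload": verifier.check(tampered),
        "downgrade": verifier.check(build_package(key_a, "signer-a", 41, payload)),
    }


if __name__ == "__main__":
    for case, verdict in run_ver_016_cases().items():
        print(f"{case}: {verdict}")
```

The downgrade case goes beyond the three inputs the method lists: a package signed with a still-valid key but carrying an older version has to fail as well, otherwise a genuine old package can be replayed to reinstall firmware that a later update was meant to remove. Revocation is checked before the signature so that a revoked key is never used for verification at all, and both comparisons use constant-time equality.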

Traceability Matrix — Derivation

Source Target Type Description
SYS-SYSTEM-LEVELREQUIREMENTS-006 IFC-INTERFACEDEFINITIONS-023 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-022 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 IFC-INTERFACEDEFINITIONS-021 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 IFC-INTERFACEDEFINITIONS-020 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 IFC-INTERFACEDEFINITIONS-016 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 IFC-INTERFACEDEFINITIONS-015 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 IFC-INTERFACEDEFINITIONS-014 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 IFC-INTERFACEDEFINITIONS-013 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-012 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 IFC-INTERFACEDEFINITIONS-011 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 IFC-INTERFACEDEFINITIONS-010 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 IFC-INTERFACEDEFINITIONS-009 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 IFC-INTERFACEDEFINITIONS-008 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-007 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 IFC-INTERFACEDEFINITIONS-006 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-005 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 IFC-INTERFACEDEFINITIONS-004 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 IFC-INTERFACEDEFINITIONS-003 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-002 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 IFC-INTERFACEDEFINITIONS-001 derives
SYS-SYSTEM-LEVELREQUIREMENTS-006 SUB-SUBSYSTEMREQUIREMENTS-044 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 SUB-SUBSYSTEMREQUIREMENTS-050 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-048 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-046 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-049 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-043 derives
SYS-SYSTEM-LEVELREQUIREMENTS-006 SUB-SUBSYSTEMREQUIREMENTS-045 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-001 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-002 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-003 derives
SYS-SYSTEM-LEVELREQUIREMENTS-007 SUB-SUBSYSTEMREQUIREMENTS-004 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-005 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-006 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-007 derives
SYS-SYSTEM-LEVELREQUIREMENTS-004 SUB-SUBSYSTEMREQUIREMENTS-008 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-009 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-010 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-011 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-012 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-013 derives
SYS-SYSTEM-LEVELREQUIREMENTS-004 SUB-VEHICLECONTROLSUBSYSTEM-014 derives
SYS-SYSTEM-LEVELREQUIREMENTS-004 SUB-VEHICLECONTROLSUBSYSTEM-015 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-VEHICLECONTROLSUBSYSTEM-016 derives
SYS-SYSTEM-LEVELREQUIREMENTS-004 SUB-VEHICLECONTROLSUBSYSTEM-017 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-VEHICLECONTROLSUBSYSTEM-018 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-VEHICLECONTROLSUBSYSTEM-019 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 SUB-VEHICLECONTROLSUBSYSTEM-020 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-021 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-021 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-022 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-023 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-024 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-025 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-026 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 SUB-SUBSYSTEMREQUIREMENTS-026 derives
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-027 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-027 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-028 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-029 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 SUB-SUBSYSTEMREQUIREMENTS-030 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-031 derives
SYS-SYSTEM-LEVELREQUIREMENTS-010 SUB-SUBSYSTEMREQUIREMENTS-032 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-033 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-034 derives
SYS-SYSTEM-LEVELREQUIREMENTS-009 SUB-SUBSYSTEMREQUIREMENTS-035 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-036 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-037 derives
SYS-SYSTEM-LEVELREQUIREMENTS-007 SUB-SUBSYSTEMREQUIREMENTS-038 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-039 derives
SYS-SYSTEM-LEVELREQUIREMENTS-001 SUB-SUBSYSTEMREQUIREMENTS-040 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 SUB-SUBSYSTEMREQUIREMENTS-041 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 SUB-SUBSYSTEMREQUIREMENTS-042 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 SUB-SUBSYSTEMREQUIREMENTS-047 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-001 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-001 derives
STK-STAKEHOLDERNEEDS-003 SYS-SYSTEM-LEVELREQUIREMENTS-010 derives
STK-STAKEHOLDERNEEDS-002 SYS-SYSTEM-LEVELREQUIREMENTS-009 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-008 derives
STK-STAKEHOLDERNEEDS-006 SYS-SYSTEM-LEVELREQUIREMENTS-007 derives
STK-STAKEHOLDERNEEDS-005 SYS-SYSTEM-LEVELREQUIREMENTS-006 derives
STK-STAKEHOLDERNEEDS-003 SYS-SYSTEM-LEVELREQUIREMENTS-005 derives
STK-STAKEHOLDERNEEDS-004 SYS-SYSTEM-LEVELREQUIREMENTS-004 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-003 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-002 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-001 derives

Traceability Matrix — Verification

Requirement  Verified By  Type  Description
IFC-INTERFACEDEFINITIONS-008 VER-VERIFICATIONMETHODS-009 verifies
IFC-INTERFACEDEFINITIONS-001 VER-VERIFICATIONMETHODS-003 verifies
SUB-SUBSYSTEMREQUIREMENTS-023 VER-VERIFICATIONMETHODS-021 verifies
SUB-SUBSYSTEMREQUIREMENTS-026 VER-VERIFICATIONMETHODS-020 verifies
SUB-SUBSYSTEMREQUIREMENTS-021 VER-VERIFICATIONMETHODS-019 verifies
SUB-SUBSYSTEMREQUIREMENTS-050 VER-VERIFICATIONMETHODS-018 verifies
SUB-SUBSYSTEMREQUIREMENTS-046 VER-VERIFICATIONMETHODS-017 verifies
SUB-SUBSYSTEMREQUIREMENTS-044 VER-VERIFICATIONMETHODS-016 verifies
SUB-SUBSYSTEMREQUIREMENTS-041 VER-VERIFICATIONMETHODS-015 verifies
SUB-SUBSYSTEMREQUIREMENTS-032 VER-VERIFICATIONMETHODS-014 verifies
SUB-SUBSYSTEMREQUIREMENTS-031 VER-VERIFICATIONMETHODS-013 verifies
SUB-SUBSYSTEMREQUIREMENTS-030 VER-VERIFICATIONMETHODS-012 verifies
SUB-SUBSYSTEMREQUIREMENTS-029 VER-VERIFICATIONMETHODS-011 verifies
SUB-SUBSYSTEMREQUIREMENTS-028 VER-VERIFICATIONMETHODS-010 verifies
SUB-VEHICLECONTROLSUBSYSTEM-019 VER-VERIFICATIONMETHODS-008 verifies
SUB-VEHICLECONTROLSUBSYSTEM-014 VER-VERIFICATIONMETHODS-007 verifies
SUB-SUBSYSTEMREQUIREMENTS-009 VER-VERIFICATIONMETHODS-006 verifies
SUB-SUBSYSTEMREQUIREMENTS-010 VER-VERIFICATIONMETHODS-005 verifies
SUB-SUBSYSTEMREQUIREMENTS-007 VER-VERIFICATIONMETHODS-004 verifies
SUB-SUBSYSTEMREQUIREMENTS-003 VER-VERIFICATIONMETHODS-002 verifies
SUB-SUBSYSTEMREQUIREMENTS-001 VER-VERIFICATIONMETHODS-001 verifies

Orphan Requirements (no trace links)

Ref  Document  Requirement
IFC-INTERFACEDEFINITIONS-017 interface-requirements The interface between the LiDAR Processing Unit, Camera Vision Pipeline, Radar Processing Unit, and the Sensor Fusion En...
IFC-INTERFACEDEFINITIONS-018 interface-requirements The interface between the Sensor Fusion Engine and the Object Tracker SHALL deliver fused detection updates containing t...
IFC-INTERFACEDEFINITIONS-019 interface-requirements The interface between the Object Tracker and the Planning and Decision Subsystem SHALL provide a tracked object list con...
IFC-INTERFACEDEFINITIONS-024 interface-requirements The interface between the Pose Estimator and the Vehicle Dynamics Monitor SHALL transmit the fused vehicle pose (positio...
SUB-SUBSYSTEMREQUIREMENTS-014 subsystem-requirements The Steering Controller SHALL track the commanded steering angle with a steady-state error not exceeding 0.5 degrees and...
SUB-SUBSYSTEMREQUIREMENTS-015 subsystem-requirements The Throttle and Brake Controller SHALL execute longitudinal acceleration commands with jerk not exceeding 1.5 m/s³ duri...
SUB-SUBSYSTEMREQUIREMENTS-016 subsystem-requirements The Drive-by-Wire Gateway SHALL translate software control commands to CAN bus actuator messages within 5 milliseconds a...
SUB-SUBSYSTEMREQUIREMENTS-017 subsystem-requirements The Vehicle Dynamics Monitor SHALL estimate vehicle velocity with accuracy within 0.1 m/s, yaw rate within 0.5 deg/s, an...
SUB-SUBSYSTEMREQUIREMENTS-018 subsystem-requirements When any actuator reports a fault condition or fails to acknowledge a command within 10 milliseconds, the Actuator Healt...
SUB-SUBSYSTEMREQUIREMENTS-019 subsystem-requirements The Drive-by-Wire Gateway SHALL implement a hardware watchdog timer with a timeout period not exceeding 50 milliseconds;...
SUB-SUBSYSTEMREQUIREMENTS-020 subsystem-requirements While the Actuator Health Manager signals a steering degradation mode, the Steering Controller SHALL limit maximum steer...
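The two matrices above and the orphan table are the artefacts a reviewer checks before accepting a generated requirement set, and for a drive-by-wire vehicle the orphans matter: SUB-SUBSYSTEMREQUIREMENTS-018 and -019 (actuator fault handling and the gateway watchdog) have no derivation and no verification method. The following checker is an added example, not part of this report or of the AIRGen tooling. It consumes rows in the whitespace-separated "SOURCE TARGET relation" form printed above and reports repeated links (the derivation matrix lists STK-STAKEHOLDERNEEDS-001 -> SYS-SYSTEM-LEVELREQUIREMENTS-001 more than once), leaf requirements (SUB/IFC) with no VER link, leaf requirements whose derivation chain never reaches a STK need, and IDs that appear in no row at all. The sample rows are a subset copied from the matrices; the KNOWN_IDS inventory is an assumption standing in for the full requirement documents, which the checker would otherwise need as input.

```python
"""Trace-chain consistency check for STK -> SYS -> SUB/IFC -> VER rows.

Added example; not part of the report or of the AIRGen tooling. Reads the
"SOURCE TARGET relation" rows the report prints and flags the defects a
reviewer of a safety-relevant traceability matrix looks for.
"""
from collections import Counter, defaultdict

# Constructed sample: a subset of rows copied from the report's derivation and
# verification matrices, embedded inline so the check runs offline.
SAMPLE_ROWS = """
SYS-SYSTEM-LEVELREQUIREMENTS-002 SUB-SUBSYSTEMREQUIREMENTS-021 derives
SYS-SYSTEM-LEVELREQUIREMENTS-008 SUB-SUBSYSTEMREQUIREMENTS-021 derives
SYS-SYSTEM-LEVELREQUIREMENTS-003 SUB-SUBSYSTEMREQUIREMENTS-028 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 SUB-SUBSYSTEMREQUIREMENTS-041 derives
SYS-SYSTEM-LEVELREQUIREMENTS-005 SUB-SUBSYSTEMREQUIREMENTS-042 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-001 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-001 derives
STK-STAKEHOLDERNEEDS-001 SYS-SYSTEM-LEVELREQUIREMENTS-002 derives
STK-STAKEHOLDERNEEDS-003 SYS-SYSTEM-LEVELREQUIREMENTS-005 derives
SUB-SUBSYSTEMREQUIREMENTS-021 VER-VERIFICATIONMETHODS-019 verifies
SUB-SUBSYSTEMREQUIREMENTS-028 VER-VERIFICATIONMETHODS-010 verifies
SUB-SUBSYSTEMREQUIREMENTS-041 VER-VERIFICATIONMETHODS-015 verifies
"""

# Assumed ID inventory. An orphan is an ID that occurs in no row, so the
# checker needs the list of all requirement IDs from the requirement documents;
# two IDs from the report stand in for that list here.
KNOWN_IDS = frozenset({
    "SUB-SUBSYSTEMREQUIREMENTS-019",  # gateway watchdog, listed as orphan above
    "SUB-SUBSYSTEMREQUIREMENTS-042",  # traced, so must not be reported as orphan
})

VALID_RELATIONS = ("derives", "verifies")


def parse_rows(text):
    """Return a list of (source, target, relation) tuples; reject malformed rows."""
    links = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in VALID_RELATIONS:
            raise ValueError(f"malformed trace row: {line!r}")
        links.append(tuple(parts))
    return links


def _reaches_stakeholder(req, parents, seen=None):
    """True if some chain of 'derives' links from req ends at a STK-* need."""
    if req.startswith("STK-"):
        return True
    seen = set() if seen is None else seen
    if req in seen:  # cycle guard for malformed graphs
        return False
    seen.add(req)
    return any(_reaches_stakeholder(p, parents, seen) for p in parents.get(req, ()))


def check_trace(links, known_ids=frozenset()):
    """Report duplicate links, unverified and unrooted leaf requirements, and orphans."""
    counts = Counter(links)
    duplicates = sorted(link for link, n in counts.items() if n > 1)

    parents = defaultdict(set)  # requirement -> set of requirements it derives from
    for src, dst, rel in links:
        if rel == "derives":
            parents[dst].add(src)

    # Leaf requirements are the SUB/IFC level; per the derivation chain each
    # must have a VER link and must trace upward to a stakeholder need.
    leaves = {dst for _, dst, rel in links
              if rel == "derives" and dst.startswith(("SUB-", "IFC-"))}
    verified = {src for src, _, rel in links if rel == "verifies"}
    unverified = sorted(leaves - verified)
    unrooted = sorted(r for r in leaves if not _reaches_stakeholder(r, parents))

    mentioned = {x for src, dst, _ in links for x in (src, dst)}
    orphans = sorted(set(known_ids) - mentioned)
    return {"duplicates": duplicates, "unverified": unverified,
            "unrooted": unrooted, "orphans": orphans}


if __name__ == "__main__":
    for kind, items in check_trace(parse_rows(SAMPLE_ROWS), KNOWN_IDS).items():
        print(f"{kind}: {items}")
```

On the sample the checker reports the repeated STK-001 -> SYS-001 row, SUB-042 as derived but unverified, SUB-028 as unrooted (its parent SYS-003 has no STK parent in the subset), and SUB-019 as an orphan. Run it over the full export rather than this subset; the unrooted list in particular depends on every SYS row being present.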