Building a Steer-by-Wire System · Chapter 5 · Part 5 of 5
1 stale link of 11 TSRs
Steer-by-Wire
The safety case
Girish Radhakrishnan · July 20, 2026 · 8 min read
Tags: Steer-by-Wire · ISO 26262 · Traceability · Series
The ISO 26262 sign-off dossier reads 11 of 11 verified. A provenance audit finds exactly one link — TSR-2.1.3 — citing evidence a later fix made obsolete, and the stale proof hides the 2 ms margin from Chapter 4.
Steer-by-wire validation · ISO 26262 sign-off scaffolding over v4/v5/v6 results · Shipped version: v6.
11 / 11 TSR verdicts PASS (face value)
0 orphan requirements
10 provenance: Current
1 provenance: STALE (TSR-2.1.3)
2 ms true v6 worst-case margin (150 ms gate)
Traceability and orphan check
Loaded requirements.csv (4 Safety Goals, 6 FSRs, 11 TSRs = 21 rows), traceability_matrix.csv (11 rows) and version_history.csv (5 monitor changes). Chain resolved via parent_id and acceptance_metric_id.
All 4 Safety Goals are parentless (correct).
Every FSR resolves to an existing Safety Goal; every TSR resolves to an existing FSR.
Every TSR carries a valid acceptance_metric_id present in the 11-metric acceptance spec sheet.
Every TSR maps to at least one verifying run in the traceability matrix.
Result: PASS — no orphan requirements, no broken parent links, no missing acceptance metric, no TSR without a verifying run.
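The chain check described in the list above, as an added Python example (not the series' own tooling). The column names (id, level, parent_id, acceptance_metric_id in requirements.csv; tsr_id, evidence_version, runs in the traceability matrix), the AM-xx metric ids and the handful of sample rows are constructed assumptions about the files' shape; only the requirement ids mirror the page. Unlike the clean PASS above, the checker also reports the failure cases the list rules out: an orphan, a broken parent link, a wrong-level parent, a missing acceptance metric and a TSR with no verifying run.

```python
import csv
import io

# Constructed sample in the assumed shape of requirements.csv (a subset of the
# 21 rows, not the real file). Safety Goals have no parent_id.
REQUIREMENTS_CSV = """id,level,parent_id,acceptance_metric_id
SG-1,SG,,
SG-2,SG,,
SG-3,SG,,
FSR-1.1,FSR,SG-1,
FSR-2.1,FSR,SG-2,
FSR-3.1,FSR,SG-3,
TSR-1.1.1,TSR,FSR-1.1,AM-01
TSR-2.1.3,TSR,FSR-2.1,AM-05
TSR-2.1.4,TSR,FSR-2.1,AM-06
TSR-3.1.1,TSR,FSR-3.1,AM-08
"""

# Constructed traceability matrix: one row per TSR with the runs that verify it.
TRACEABILITY_CSV = """tsr_id,evidence_version,runs
TSR-1.1.1,v6,inj_001;inj_002
TSR-2.1.3,v5,inj_145;inj_146;inj_147;inj_148
TSR-2.1.4,v6,inj_145;inj_146;inj_147;inj_148
TSR-3.1.1,v6,inj_200;inj_201
"""

# Constructed acceptance spec sheet: the metric ids a TSR is allowed to cite.
ACCEPTANCE_METRICS = {"AM-01", "AM-05", "AM-06", "AM-08"}

# Which level each level must hang off; Safety Goals are parentless.
PARENT_LEVEL = {"SG": None, "FSR": "SG", "TSR": "FSR"}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_traceability(requirements, matrix, metrics):
    """Walk SG -> FSR -> TSR -> acceptance metric -> verifying run.

    Returns a list of finding strings; an empty list is the PASS verdict.
    """
    by_id = {r["id"]: r for r in requirements}
    verified = {row["tsr_id"] for row in matrix if row["runs"].strip()}
    findings = []
    for r in requirements:
        level, parent = r["level"], r["parent_id"].strip()
        expected = PARENT_LEVEL[level]
        if expected is None:
            if parent:
                findings.append(f"{r['id']}: Safety Goal must be parentless, has parent {parent}")
            continue
        if not parent:
            findings.append(f"{r['id']}: orphan ({level} with no parent_id)")
        elif parent not in by_id:
            findings.append(f"{r['id']}: broken link, parent {parent} does not exist")
        elif by_id[parent]["level"] != expected:
            findings.append(f"{r['id']}: parent {parent} is {by_id[parent]['level']}, expected {expected}")
        if level == "TSR":
            metric = r["acceptance_metric_id"].strip()
            if metric not in metrics:
                findings.append(f"{r['id']}: acceptance metric {metric or '<none>'} not in spec sheet")
            if r["id"] not in verified:
                findings.append(f"{r['id']}: no verifying run in traceability matrix")
    # A matrix row that cites a TSR the requirements file does not know is
    # evidence attached to nothing, so it is reported too.
    for row in matrix:
        if row["tsr_id"] not in by_id:
            findings.append(f"matrix row cites unknown TSR {row['tsr_id']}")
    return findings


def run_check(req_text=REQUIREMENTS_CSV, matrix_text=TRACEABILITY_CSV, metrics=ACCEPTANCE_METRICS):
    return check_traceability(load_csv(req_text), load_csv(matrix_text), metrics)


if __name__ == "__main__":
    findings = run_check()
    print("PASS - no orphans, no broken links" if not findings else "\n".join(findings))
```

Note that the check is structural only: it proves every TSR has a metric and a run, not that the cited run is still the right one. That gap is what the provenance check below closes.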
The dossier as the auditor first sees it
Presented exactly as the traceability matrix reports it. On its face every row — including TSR-2.1.3 — appears to pass, with nothing flagged yet.
Dossier view — as the auditor first sees it · 11 / 11 pass
SG-1 · ASIL D · 3/3 pass
No unintended self-steering: the system shall not command road-wheel motion not requested by the driver beyond the governing FTTI.
FSR-1.1 — Detect and mitigate motor-driver short (unintended torque) within the op-point self-steering FTTI.
TSR-1.1.1 · src v6 · pass
Self-steering (motor_driver_short) detected within FTTI at high speed (<100 ms).
Result: 12/12 detected, 9-81 ms (gate 100 ms) · Margin: 19 ms
No loss of steering assist: single-point faults in the torque path shall be detected and mitigated within the governing FTTI, with full diagnostic coverage.
FSR-2.1 — Detect torque-path faults (drift, incorrect gain) within the governing FTTI for the incorrect-steering hazard.
TSR-2.1.3 · src v5 · pass
Drift monitor detects torque_sensor_drift within the incorrect-steering FTTI (<150 ms).
Result: 4/4 detected, 83-116 ms (gate 150 ms) · Margin: 34 ms
Runs: inj_145; inj_146; inj_147; inj_148
TSR-2.1.4 · src v6 · pass
Detection time is below the governing FTTI for every mapped hazard / operating condition.
Safe fallback on channel loss: on loss of the primary channel, the system shall hand over to the secondary channel within budget and without exceeding the road-wheel deviation tolerance, remaining in a bounded degraded window.
FSR-3.1 — On omission / loss-of-channel, complete A->B handover within the fail-operational budget.
TSR-3.1.1 · src v6 · pass
Omission / loss-of-channel handover completes within 150 ms.
Result: 48/48 handover within budget, max 47 ms (gate 150 ms) · Margin: 103 ms
Provenance currency check
Independent of the reported margins, each TSR's cited evidence version is compared against the latest version in which its verifying monitor changed (ordering v4 < v5 < v6). Rule: if the monitor changed in a version later than the cited evidence → STALE; otherwise Current.
Monitor change history (version_history.csv)
v5 · VC-1 · motor_driver_open (active probing)
Added active probing on standby channel to close motor_driver_open coverage gap (50% → 100%).
v5 · VC-2 · torque_sensor_drift
Retuned drift monitor threshold 0.15 → 0.06 N·m to close mild-drift timing breaches.
v5 · VC-3 · angle_sensor_bias
Lowered bias monitor threshold 0.80 → 0.40 deg to close bias coverage misses.
Summary: 10 Current, 1 STALE. Seven TSRs are stale-eligible (their monitors also changed in v5/v6: TSR-2.1.4, TSR-2.2.1, TSR-2.2.2, TSR-3.1.1, TSR-3.2.1, TSR-3.2.2, TSR-4.1.1) but were correctly re-verified against v6 — confirming the catch is specific, not merely the only version mismatch. Exactly one TSR is genuinely stale: TSR-2.1.3.
Why stale: the drift monitor changed in v6 (VC-5 — moving-average noise filter, speed-dependent delay). v5 evidence predates that change.
The harm: the matrix shows a v5 margin of 34–67 ms (comfortable). The shipped v6 reality is 2 ms at worst — the Chapter 4 margin-erosion finding.
The point: a hand-built dossier signs off on the stale 34 ms number and buries the 2 ms warning. Provenance tracking caught it.
Corrected dossier row — true v6 result surfaced
Re-fetched from the v6 ground-truth per-run data for the four mild torque_sensor_drift @ hs runs (inj_145 / inj_146 / inj_147 / inj_148); margin = 150 − detect_ms per run.
Corrected dossier row — true v6 result · flagged for review

Run     | v5 detect (ms) | v5 margin (ms) | v6 detect (ms) | v6 margin, shipped (ms)
inj_145 | 83             | 67             | 148            | 2
inj_146 | 116            | 34             | 146            | 4
inj_147 | 98             | 52             | 148            | 2
inj_148 | 88             | 62             | 133            | 17
Corrected dossier row: TSR-2.1.3 is PASS on the shipped v6 system (all 4 runs detect below the 150 ms gate), but the true worst-case margin is 2 ms — flagged for review, not a silent sign-off on the stale 34 ms figure.
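The provenance currency rule (monitor changed in a version later than the cited evidence → STALE) and the re-derivation of the shipped margin from per-run ground truth, as one added Python example that is not the series' own tooling. The column names (tsr_id, monitor, evidence_version, runs; version, change_id, monitor; run, fault, detect_ms), the motor_driver_short and motor_driver_open monitor rows, and the run ids outside inj_145..148 are constructed assumptions about the files' shape. The version history carries the three v5 changes listed above plus VC-5 in v6 for the drift monitor; VC-4 is not on the page and is not invented here. The v6 detect times are the ones in the corrected row above.

```python
import csv
import io

# Version ordering the page states: v4 < v5 < v6.
VERSION_ORDER = ["v4", "v5", "v6"]
RANK = {v: i for i, v in enumerate(VERSION_ORDER)}

# Gate for TSR-2.1.3: the incorrect-steering FTTI (detect must be < 150 ms).
FTTI_MS = 150

# Constructed subset of traceability_matrix.csv (assumed columns): which
# monitor each TSR's evidence exercises, the evidence version cited, the runs.
TRACEABILITY_CSV = """tsr_id,monitor,evidence_version,runs
TSR-1.1.1,motor_driver_short,v6,inj_001;inj_002
TSR-2.1.3,torque_sensor_drift,v5,inj_145;inj_146;inj_147;inj_148
TSR-2.1.4,torque_sensor_drift,v6,inj_145;inj_146;inj_147;inj_148
TSR-3.1.1,motor_driver_open,v6,inj_200;inj_201
"""

# Constructed version_history.csv: VC-1..VC-3 are the v5 entries above, VC-5 is
# the v6 drift-monitor change the page names. VC-4 is deliberately absent.
VERSION_HISTORY_CSV = """version,change_id,monitor
v5,VC-1,motor_driver_open
v5,VC-2,torque_sensor_drift
v5,VC-3,angle_sensor_bias
v6,VC-5,torque_sensor_drift
"""

# Constructed v6 ground-truth per-run results for the four mild drift runs,
# mirroring the corrected dossier row.
V6_RUNS_CSV = """run,fault,detect_ms
inj_145,torque_sensor_drift,148
inj_146,torque_sensor_drift,146
inj_147,torque_sensor_drift,148
inj_148,torque_sensor_drift,133
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def latest_change(history):
    """monitor -> latest version in which that monitor changed."""
    latest = {}
    for row in history:
        v, mon = row["version"], row["monitor"]
        if v not in RANK:
            raise ValueError(f"unknown version {v!r} in version_history")
        if mon not in latest or RANK[v] > RANK[latest[mon]]:
            latest[mon] = v
    return latest


def provenance(matrix, history):
    """tsr_id -> 'STALE' if its monitor changed after the cited evidence, else 'Current'."""
    latest = latest_change(history)
    verdict = {}
    for row in matrix:
        cited = row["evidence_version"]
        if cited not in RANK:
            raise ValueError(f"{row['tsr_id']}: unknown evidence version {cited!r}")
        changed = latest.get(row["monitor"])          # None: monitor never changed
        stale = changed is not None and RANK[changed] > RANK[cited]
        verdict[row["tsr_id"]] = "STALE" if stale else "Current"
    return verdict


def recompute_margin(runs, gate_ms):
    """Per-run margin = gate - detect_ms; PASS only if every run is strictly under the gate."""
    per_run = {r["run"]: gate_ms - int(r["detect_ms"]) for r in runs}
    worst = min(per_run.values())
    return per_run, worst, ("PASS" if worst > 0 else "FAIL")


def audit(matrix_text=TRACEABILITY_CSV, history_text=VERSION_HISTORY_CSV,
          runs_text=V6_RUNS_CSV, gate_ms=FTTI_MS):
    """Return (provenance verdicts, review report for every STALE TSR)."""
    matrix, history, runs = load(matrix_text), load(history_text), load(runs_text)
    verdicts = provenance(matrix, history)
    by_run = {r["run"]: r for r in runs}
    report = {}
    for row in matrix:
        tsr = row["tsr_id"]
        if verdicts[tsr] != "STALE":
            continue
        cited = row["runs"].split(";")
        missing = [r for r in cited if r not in by_run]
        if missing:
            # Stale and not re-derivable: cannot be signed off at all.
            report[tsr] = {"status": "STALE", "v6_verdict": "UNKNOWN", "missing_runs": missing}
            continue
        per_run, worst, v6_verdict = recompute_margin([by_run[r] for r in cited], gate_ms)
        report[tsr] = {"status": "STALE", "v6_verdict": v6_verdict,
                       "worst_margin_ms": worst, "per_run": per_run, "action": "flag for review"}
    return verdicts, report


if __name__ == "__main__":
    verdicts, report = audit()
    for tsr, v in verdicts.items():
        print(f"{tsr}: {v}")
    for tsr, r in report.items():
        print(f"{tsr}: shipped {r['v6_verdict']}, worst margin {r.get('worst_margin_ms')} ms")
```

The rule is applied per monitor, not per version: TSR-3.1.1 cites v6 evidence for a monitor last changed in v5, so it is Current, while TSR-2.1.4 is Current because its v6 evidence is as new as the v6 drift-monitor change. Only TSR-2.1.3 (v5 evidence, monitor changed in v6) comes out STALE, and its margin is then re-derived from the v6 per-run data instead of being copied from the matrix.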
Verdict
The dossier reads 11 of 11 verified. One link points to a version a later fix made obsolete — and the stale proof hides a 2 ms margin. The paperwork said sign. Provenance said check.
Method note: the stale link was derived independently from the analysis-facing files (requirements / traceability / version_history) plus the real v6 ground-truth run results. The hidden _internal/planted_manifest.json was consulted only after that derivation, as a post-hoc cross-check, and it confirmed the finding (single stale link TSR-2.1.3; v5 detect [83,116,98,88] → v6 detect [148,146,148,133], worst margin 2 ms).
All data in this series is synthetic, generated to mirror a real steer-by-wire validation program. No customer data is used.
That closes the Steer-by-Wire program: from the first data off the rig to a sign-off dossier that only holds up because provenance was tracked end to end. If your safety case is still stitched together by hand from a dozen scattered artefacts, we would like to talk: founders@movedot.com, or www.movedot.ai.