System Architecture

Component Architecture

Need: (ARCH) The Thermal Sensor Interface Module (TSIM) shall consist of three components: Sensor Driver, Temperature Filter, and State Machine. ARCH_001
status: active
tags: architecture, components

@startuml TSIM_Component_Architecture
!define COMPONENT_COLOR #E1F5FF
!define INTERFACE_COLOR #FFF9C4
!define EXTERNAL_COLOR #FFCCBC

skinparam backgroundColor #FAFAFA

title TSIM Component Architecture\n(Domain-Agnostic Safety Element)

package "Thermal Sensor Interface Module (TSIM)" {
    component SensorDriver as "Sensor Driver\nARCH_FUNC_001"
    component TempFilter as "Temperature Filter\nARCH_FUNC_002"
    component StateMachine as "State Machine\nARCH_FUNC_003"
}

package "Integration (SEooC Assumptions)" {
    component SensorHW as "Sensor Hardware\n±2°C Accuracy"
    component SystemCtrl as "System Controller\n<1s Response"
}

SensorHW --> SensorDriver : Analog Signal (100Hz)
SensorDriver --> TempFilter : ADC Value
TempFilter --> StateMachine : Filtered Temp
StateMachine --> SystemCtrl : Safe/Unsafe State

note right of SensorDriver
  ADC to °C Conversion
  Range: -40 to +125°C
  REQ_FUNC_001
end note

note right of TempFilter
  5-Sample Moving Average
  Noise Rejection (≥90%)
  REQ_FUNC_002, 003, 004
end note

note right of StateMachine
  Hysteresis State Machine
  UNSAFE ≥100°C
  SAFE ≤95°C
  REQ_SAFETY_002, 003
end note

note left of SystemCtrl
  Integrator Responsibility:
  Shutdown Logic
  Error Handling
  Domain-Specific Action
  ARCH_SEOOC_002
end note

@enduml

TSIM Component Architecture - Links: (ARCH) The Thermal Sensor I... (ARCH_001), (ARCH) The Sensor Driver sh... (ARCH_FUNC_001), (ARCH) The Temperature Filt... (ARCH_FUNC_002), (ARCH) The State Machine sh... (ARCH_FUNC_003)

Data Flow & Timing

@startuml TSIM_DataFlow
!define PROCESS_COLOR #B3E5FC
!define STORE_COLOR #C8E6C9
!define DATA_COLOR #FFF9C4

skinparam backgroundColor #FAFAFA

title TSIM Data Flow Diagram\nWith 100ms Latency Budget (REQ_SAFETY_002)

rectangle "Timing Budget: 0-100ms" #FFE0B2 {
    rectangle "0-10ms: Sensor Read" #B3E5FC {
        component "ADC Input" as ADC1
        component "Convert to °C" as Conv
    }
    
    rectangle "10-20ms: Filter" #B3E5FC {
        component "5-Sample Buffer" as Buf
        component "Moving Average" as Avg
    }
    
    rectangle "20-50ms: State Machine" #B3E5FC {
        component "Threshold Check\n(≥100°C?)" as Thresh
        component "Hysteresis\n(≤95°C?)" as Hyst
        component "Output State" as Out
    }
    
    rectangle "50-100ms: Safety Margin" #FFCDD2 {
        note right
            Reserved for:
            Real-time delays
            Integration overhead
        end note
    }
}

ADC1 --> Conv : Raw 12-bit\nARCH_SIGNAL_001
Conv --> Buf : Temperature\nARCH_FUNC_001
Buf --> Avg : Buffer Full
Avg --> Thresh : Filtered Temp\nARCH_SIGNAL_002
Thresh --> Hyst : Temperature\nARCH_FUNC_002
Hyst --> Out : State Decision\nARCH_FUNC_003
Out --> Out : SAFE/UNSAFE\nARCH_SIGNAL_003

note bottom of Conv
    REQ_FUNC_001
    Range: -40 to +125°C
end note

note bottom of Avg
    REQ_FUNC_002
    Noise Rejection
end note

note bottom of Out
    REQ_SAFETY_002: Within 100ms
    REQ_SAFETY_003: Safe/Unsafe
    REQ_FUNC_003: ≥100°C
    REQ_FUNC_004: ≤95°C (hysteresis)
end note

@enduml

TSIM Data Flow (Budget: (SR) The system shall detec... (REQ_SAFETY_002) @ 100ms) - Architecture: (ARCH) The Sensor Driver sh... (ARCH_FUNC_001), (ARCH) The Temperature Filt... (ARCH_FUNC_002), (ARCH) The State Machine sh... (ARCH_FUNC_003)

The diagram above shows the complete data flow from sensor input through each processing stage, with timing allocations required by (SR) The system shall detec... (REQ_SAFETY_002).

Need: (ARCH) The Sensor Driver shall read analog input at 100Hz sampling rate. ARCH_FUNC_001
status: active
tags: sampling, timing

Rationale: 100Hz > 2× highest temperature change rate expected in any domain.

Tests: (TEST) TEST_CONVERSION_001:... (TEST_CONVERSION_001)

Need: (ARCH) The Temperature Filter shall apply a 5-sample moving average before state evaluation. ARCH_FUNC_002
status: active
tags: filtering, noise-rejection

Tests: (TEST) TEST_FILTER_001: Noi... (TEST_FILTER_001)

Need: (ARCH) The State Machine shall evaluate temperature against thresholds and output state transitions within 50ms of detection. ARCH_FUNC_003
status: active
tags: state-machine, timing, response

Timing Budget: 50ms margin within 100ms requirement ((SR) The system shall detec... (REQ_SAFETY_002)).

Tests: (TEST) TEST_THRESHOLD_001: ... (TEST_THRESHOLD_001), (TEST) TEST_HYSTERESIS_001:... (TEST_HYSTERESIS_001)

Signal Definition

Need: (ARCH) Raw Temperature Signal shall be a 12-bit analog input representing -40°C to +125°C. ARCH_SIGNAL_001
status: active
tags: signal, input
links outgoing: REQ_FUNC_001

ADC Resolution: 12-bit (4096 steps)

Range Mapping:

  • 0 LSB → -40°C

  • 2048 LSB → 42.5°C

  • 4095 LSB → ~125°C

Tested by: (TEST) TEST_CONVERSION_001:... (TEST_CONVERSION_001)

Need: (ARCH) Temperature Reading shall be a 16-bit signed integer in units of 0.1°C. ARCH_SIGNAL_002
status: active
tags: signal, intermediate
links outgoing: REQ_FUNC_002

Range: -400 to +1250 (representing -40.0°C to +125.0°C)

Tested by: (TEST) TEST_FILTER_001: Noi... (TEST_FILTER_001)

Need: (ARCH) State Output shall be a 1-bit signal: 0=SAFE, 1=UNSAFE. ARCH_SIGNAL_003
status: active
tags: signal, output

Tested by: (TEST) TEST_THRESHOLD_001: ... (TEST_THRESHOLD_001), (TEST) TEST_HYSTERESIS_001:... (TEST_HYSTERESIS_001)
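As an added example (not the project's own code), the following C shows how the driver and filter stages could realise ARCH_SIGNAL_001 to ARCH_SIGNAL_002 and ARCH_FUNC_002: a 12-bit code is mapped onto 0.1°C fixed point with rounding, out-of-range codes are rejected rather than converted, and readings are pushed through a 5-sample ring-buffer average. The INT32_MIN sentinel, the function names and the sample data are assumptions.

```c
/* Added example, not the project's own code: ARCH_FUNC_001 conversion from
 * ARCH_SIGNAL_001 to ARCH_SIGNAL_002 and the ARCH_FUNC_002 5-sample average. */
#include <stdint.h>
#include <stddef.h>

#define ADC_MAX           4095      /* 12-bit full scale, ARCH_SIGNAL_001 */
#define TEMP_MIN_DC      (-400)     /* -40.0 degC in 0.1 degC, ARCH_SIGNAL_002 */
#define TEMP_MAX_DC       1250      /* +125.0 degC */
#define FILTER_DEPTH      5         /* ARCH_FUNC_002 */
#define TSIM_TEMP_INVALID INT32_MIN /* assumed sentinel: no valid reading */

/* Map a raw 12-bit code onto -400..+1250 (0.1 degC), rounding to nearest.
 * Codes above 4095 cannot come from the ADC; report them as invalid so the
 * caller applies ARCH_ERROR_001 instead of trusting an out-of-range value. */
int32_t tsim_adc_to_temp(uint16_t raw)
{
    if (raw > ADC_MAX) return TSIM_TEMP_INVALID;
    int32_t span = TEMP_MAX_DC - TEMP_MIN_DC;                     /* 1650 */
    return TEMP_MIN_DC + ((int32_t)raw * span + ADC_MAX / 2) / ADC_MAX;
}

typedef struct {
    int16_t buf[FILTER_DEPTH];
    uint8_t head;
    uint8_t count;   /* readings held so far; saturates at FILTER_DEPTH */
} tsim_filter_t;

/* Push one reading; returns the mean of the last five once the buffer is full
 * ("Buffer Full" edge in the data-flow diagram), otherwise the sentinel. */
int32_t tsim_filter_push(tsim_filter_t *f, int16_t sample)
{
    f->buf[f->head] = sample;
    f->head = (uint8_t)((f->head + 1) % FILTER_DEPTH);
    if (f->count < FILTER_DEPTH) f->count++;
    if (f->count < FILTER_DEPTH) return TSIM_TEMP_INVALID;   /* not full yet */
    int32_t sum = 0;
    for (size_t i = 0; i < FILTER_DEPTH; i++) sum += f->buf[i];
    return sum / FILTER_DEPTH;   /* integer division truncates toward zero */
}

/* Stream a constructed sample array through a fresh filter; returns the last
 * output. Shows how far a single-sample spike is cut by the 5-sample mean. */
int32_t tsim_filter_run(const int16_t *samples, size_t n)
{
    tsim_filter_t f = {{0}, 0, 0};
    int32_t out = TSIM_TEMP_INVALID;
    for (size_t i = 0; i < n; i++) out = tsim_filter_push(&f, samples[i]);
    return out;
}
```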

Error Handling

Need: (ARCH) If sensor reading is invalid (out of physical bounds), the module shall remain in current state and log an error. ARCH_ERROR_001
status: active
tags: error-handling, robustness
links outgoing: REQ_SAFETY_001
links incoming: TEST_ERROR_RECOVERY_001

Rationale: Conservative approach—hold last safe state rather than guess.

Need: (ARCH) The module shall track sensor read failures; after 10 consecutive failures, it shall enter UNSAFE state. ARCH_ERROR_002
status: active
tags: error-handling, safety

Rationale: Domain-agnostic fail-safe for sensor degradation (medical, industrial, automotive contexts).

Tested by: (TEST) TEST_FAIL_SAFE_001: ... (TEST_FAIL_SAFE_001)
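The ARCH_FUNC_003 hysteresis state machine together with the ARCH_ERROR_001 hold-and-log rule and the ARCH_ERROR_002 fail-safe counter, as an added C example rather than the project's own code. The SAFE initial state, the INT32_MIN read-failure sentinel, the error counter standing in for a real log, and the function names are assumptions.

```c
/* Added example, not the project's own code: ARCH_FUNC_003 hysteresis state
 * machine with the ARCH_ERROR_001 / ARCH_ERROR_002 invalid-reading handling. */
#include <stdint.h>
#include <stddef.h>
#define UNSAFE_ENTER_DC    1000      /* >= 100.0 degC enters UNSAFE, REQ_FUNC_003 */
#define SAFE_RETURN_DC     950       /* <= 95.0 degC returns to SAFE, REQ_FUNC_004 */
#define PHYS_MIN_DC       (-400)     /* physical bounds of ARCH_SIGNAL_002 */
#define PHYS_MAX_DC        1250
#define MAX_CONSEC_FAIL    10        /* ARCH_ERROR_002 */
#define TSIM_TEMP_INVALID  INT32_MIN /* assumed: driver reports a read failure so */

typedef enum { TSIM_SAFE = 0, TSIM_UNSAFE = 1 } tsim_state_t;  /* ARCH_SIGNAL_003 */

typedef struct {
    tsim_state_t state;
    uint8_t      fail_count;  /* consecutive invalid readings */
    uint32_t     error_log;   /* errors logged; stand-in for the real error log */
} tsim_sm_t;

/* Evaluate one filtered reading (0.1 degC) and return the resulting state.
 * Anything outside the physical range, including the failure sentinel, is
 * logged and holds the current state (ARCH_ERROR_001) until 10 consecutive
 * failures force UNSAFE (ARCH_ERROR_002). */
tsim_state_t tsim_sm_step(tsim_sm_t *sm, int32_t temp_dc)
{
    if (temp_dc < PHYS_MIN_DC || temp_dc > PHYS_MAX_DC) {
        sm->error_log++;
        if (sm->fail_count < MAX_CONSEC_FAIL) sm->fail_count++;
        if (sm->fail_count >= MAX_CONSEC_FAIL) sm->state = TSIM_UNSAFE;
        return sm->state;
    }
    sm->fail_count = 0;                 /* one good read ends the failure run */
    /* Hysteresis: readings in the 95..100 degC band keep the previous state,
     * so a value oscillating around 100 degC cannot chatter the output. */
    if (sm->state == TSIM_SAFE && temp_dc >= UNSAFE_ENTER_DC) {
        sm->state = TSIM_UNSAFE;
    } else if (sm->state == TSIM_UNSAFE && temp_dc <= SAFE_RETURN_DC) {
        sm->state = TSIM_SAFE;
    }
    return sm->state;
}

/* Run a constructed reading sequence through a fresh machine; returns the
 * final state. Initial state SAFE is an assumption the page does not fix. */
tsim_state_t tsim_sm_run(const int32_t *temps, size_t n)
{
    tsim_sm_t sm = { TSIM_SAFE, 0, 0 };
    for (size_t i = 0; i < n; i++) tsim_sm_step(&sm, temps[i]);
    return sm.state;
}
```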

SEooC Boundary Definition

@startuml TSIM_DomainApplicability

title TSIM Domain-Agnostic Pattern

usecase "TSIM Core" as Core
usecase "Medical" as Med
usecase "Industrial" as Ind
usecase "Automotive" as Auto
usecase "Robotics" as Rob

Med --> Core
Ind --> Core
Auto --> Core
Rob --> Core

note bottom
    Same TSIM core
    reused across
    all domains
end note

@enduml

Domain-Agnostic SEooC Pattern - Architecture: (ARCH) The TSIM shall be a ... (ARCH_SEOOC_001), (ARCH) TSIM does not implem... (ARCH_SEOOC_002)

Need: (ARCH) The TSIM shall be a Safety Element out of Context (SEooC) assuming the integrating system provides safe shutdown capability. ARCH_SEOOC_001
status: active
tags: seooc, integration, safety-case

Integration Assumptions:

  • Integrating system has verified shutdown mechanism

  • System controller responds to UNSAFE state within 1 second

  • Sensor hardware meets ±2°C accuracy

  • Operating environment is within -40°C to +80°C ambient

Domain Examples (shown above):

  • Medical: Incubator/sterilizer temperature interlock (IEC 60601)

  • Industrial: Process control thermal limits (IEC 61508)

  • Automotive: Battery thermal management (ISO 26262)

  • Robotics: Motor overtemperature protection (ISO 13849)

Need: (ARCH) TSIM does not implement actual shutdown or corrective action; responsibility transfers to integrating system. ARCH_SEOOC_002
status: active
tags: seooc, responsibility
links outgoing: ARCH_SEOOC_001, ARCH_001

Rationale: Enables domain-agnostic reuse across medical (controlled environments), industrial (process control), robotics (motor shutdown), and automotive (powertrain management).