ISO 19725:2026

International
Standard
ISO 19725
First edition
Road vehicles — Steer-by-wire
2026-05
systems — System safety guidelines
Véhicules routiers — Systèmes de direction électronique — Lignes
directrices sur la sécurité du système
Reference number
© ISO 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 List of symbols . 4
5 Derivation of the safety goals. 4
5.1 System boundary . .4
5.2 SbW malfunctioning behaviours .7
5.3 Safety goals .7
5.3.1 General .7
5.3.2 Safety goal SG1: Self-steering shall be prevented while driving .8
5.3.3 Safety goal SG2: Loss of steerability shall be prevented while driving .9
5.3.4 Safety goal SG3: Loss of feedback torque to the driver shall be prevented while
driving .10
5.3.5 Safety goal SG4: Unintentional blocking of the steering wheel shall be prevented
while driving .11
5.3.6 Safety goal SG5: Unintended loss of synchronization between the SbW actuators
shall be prevented while driving . 12
6 System availability requirements .13
6.1 Availability requirements . 13
6.2 Availability requirements after fault .14
6.3 Availability requirements for mechanical system parts . 15
7 Controllability in the event of a first fault .15
7.1 Introduction and general information on controllability . 15
7.2 Failure pattern .16
7.2.1 General .16
7.2.2 Malfunction behaviours .16
7.2.3 Failure source .16
7.2.4 Failure type .16
7.2.5 Failure characteristics with the associated physical values .17
7.2.6 Failure pattern with loss of actively generated feedback torque - supplementary
instruction . 22
7.3 Failure pattern matrix . 23
7.4 Assessment of controllability in case of a fault .24
7.4.1 General .24
7.4.2 Failure pattern-driving manoeuvre combinations . . 25
7.4.3 Controllability thresholds . 25
7.4.4 Subjective controllability assessment and related objective vehicle dynamics
characteristics . 26
7.5 Driving manoeuvres and test execution for the assessment of controllability in the
event of a fault .27
8 Minimum requirements for operating behaviour after a fault .27
8.1 Introduction and general description of the degradation concept .27
8.2 Degradations and transitions . 29
8.2.1 Normal operation N . 29
8.2.2 Transition x-2 and Degradation 2 . 29
8.2.3 Transition 2-3 and Degradation 3 . 30
8.2.4 Transition x-emergency stop . 30
8.2.5 Transition N-1 and Degradation 1 . 30
8.2.6 Transition x-3 . 30
8.3 General requirements of the degradation concept.31

iii
8.3.1 Controllability during degradations and transitions .31
8.3.2 Electrical power supply system .31
8.3.3 Shortened transitions .31
8.3.4 Performance requirements for the vehicle lateral acceleration .32
8.3.5 Unrestricted continued driving before an automated speed reduction.32
8.3.6 Overriding the automated speed reduction and speed limiter . 33
8.3.7 Braking during the automated speed reduction. 33
8.4 Differentiation of vehicle systems . . 33
8.5 Minimum requirements for degradations and transitions . 33
8.5.1 General . 33
8.5.2 System integrity and speed limitations . 34
8.5.3 Requirements for ASIL capability . 40
8.5.4 Time-limited usage .41
8.5.5 Re-transitioning and its conditions .43
8.5.6 Requirements for the warning concept . 46
8.5.7 Minimum requirements for lateral control and controllability of the vehicle .47
8.6 Manoeuvre sequences and their requirements . 48
8.6.1 General explanations . 48
8.6.2 Goals of the manoeuvre sequences and associated manoeuvres . 48
8.6.3 General requirements . 50
Annex A (normative) Driving manoeuvres for assessment of controllability .52
Annex B (normative) Tests to verify vehicle lateral control and controllability in the
degradations and transitions .62
Annex C (informative) Development responsibility .86
Annex D (informative) Experience values from test series during the preparation of the
standard .91
Annex E (informative) Explanation of degradation concept .94
Bibliography .100

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 33, Vehicle
dynamics, chassis components and driving automation systems testing.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

v
Introduction
Steer-by-Wire (SbW) systems represent the next generation of technology in vehicle steering. They enable
new interior concepts and pave the way for further innovations in vehicle technology. In the context of
automated driving, mechanical decoupling between the steering wheel and the steered wheels is becoming
increasingly important. To date, there is no experience of widespread use of this technology in the market
for large-series passenger cars.
Compared to conventional steering systems, SbW technology results in additional requirements for the
safety concept of the vehicle for safe operation.
This document represents a description of a minimal set of safety aspects developed by vehicle manufacturers
and system suppliers.
This document considers:
— the description and system boundary of an SbW system,
— basic safety goals,
— general availability requirements,
— requirements for controllability in the event of a first fault, and
— requirements for the operational behaviour after a fault event.

vi
International Standard ISO 19725:2026(en)
Road vehicles — Steer-by-wire systems — System safety
guidelines
1 Scope
This document specifies necessary but not sufficient safety requirements for the use of SbW systems in
passenger cars and light commercial vehicles for series application.
This document does not replace the full application of the ISO 26262 series of standards and their
implementation in safety-related measures.
This document defines requirements for manual driving where the driver holds the steering wheel.
NOTE Misuse of hands-free driving is not considered.
This document does not contain any requirements for the use of automated lateral vehicle control functions.
The requirements consider systems consisting of a road wheel actuator (RWA), hand wheel actuator (HWA),
and a steering wheel for driver input. Deviating concepts need to be analysed by the user for transferability.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 15037-1:2019, Road vehicles — Vehicle dynamics test methods — Part 1: General conditions for passenger
cars
ISO 15037-1, Road vehicles — Vehicle dynamics test methods — Part 1: General conditions for passenger cars
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
ISO 26262-3, Road vehicles — Functional safety — Part 3: Concept phase
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 26262-1 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
degradation
degradation stage
DEG
operating conditions of the vehicle within the framework of the degradation concept (3.2)
Note 1 to entry: Due to the operating condition of the steering system or supporting systems, a degradation condition
can lead to restrictions in the use of the vehicle, e.g. speed limitations. Normal operation N is treated as degradation
condition in this document.
3.2
degradation concept
all operating states of the vehicle, including the operating states of the steering system and the supporting
vehicle systems after initial and subsequent faults
Note 1 to entry: Operating states include both transition and degradation states after faults, as well as the fault-free
normal operation N.
3.3
drive cycle
time span from start to end of a trip
Note 1 to entry: In this document, the term is used in the context of re-transitioning between degradation states.
3.4
expert driver
person who has above-average vehicle dynamics knowledge, skills, ability to assess controllability, capability
to conduct the vehicle tests and has regular driving experience
3.5
feedback torque
torque on the steering wheel
Note 1 to entry: An actively generated feedback torque occurs when at least one drive unit of the HWA is active. A
passively generated feedback torque occurs when no drive unit of the HWA is active and the driver performs a steering
wheel rotation. The feedback torque is used, among other things, to represent the steering feel.
3.6
hand wheel actuator
HWA
component(s) sensing the steering wheel angle and providing a feedback torque (3.5)
3.7
immobilization
process in which a stationary vehicle is secured against rolling away
3.8
lane
lateral limited area for the movement of the vehicle, within which the driving task is to be accomplished
3.9
manoeuvre
specified road test
3.10
vehicle lateral manoeuvrability
ability of the vehicle to convert the steering wheel angle request of the driver into a minimal lateral motion
reaction while driving below 10 km/h
3.11
manoeuvre sequence
MS
specific group of tests
3.12
normal driver
person who does not have special skills to drive a vehicle
Note 1 to entry: Used to distinguish from expert driver.

3.13
normal operation
N
condition of the steering system and the supporting vehicle systems without safety-critical faults
Note 1 to entry: Minor, non-safety critical deviations within the nominal application range are permissible. The
deviation of the behaviour of the steering system and the vehicle relative to the nominal behaviour is within the range
expected by the driver.
3.14
passive fallback level
〈HWA〉 operating condition at which no active feedback torque is generated
Note 1 to entry: A passive fallback of an HWA can be mechanical base friction or a damping (e.g. electromagnetic,
magneto-resistive, back EMF).
3.15
positive diagnostic re-check
diagnostic measure that confirms a previously detected fault is no longer present
3.16
road wheel actuator
RWA
component(s) for actuating the required road wheel angle on the front axle
3.17
steerability
ability of the SbW system to convert the steering wheel angle request of the driver into a design-intended
steering movement of the road wheels of the vehicle
3.18
system integrity
characteristics of the SbW system including ASIL capability to meet functional and availability requirements
Note 1 to entry: Functional requirements concern e.g. steering performance, feedback torque and synchronicity.
Availability requirements concern e.g. redundancies to maintain steering capability.
Note 2 to entry: Degradation of steering performance or loss of redundancy can reduce the ASIL capability .
3.19
test configuration
combination of the configuration of the test vehicle (see Annex B, B.2.2) and the configurations of the
respective vehicle systems (see Annex B, B.2.3) for the tests to demonstrate steerability or vehicle lateral
control and controllability in the degradations and transitions
3.20
transition
TR
change between degradation states
Note 1 to entry: A transition represents a time-limited state of a steering system and vehicle. Due to the system state
of the steering system or supporting systems, a transition can lead to restrictions in the use of the vehicle, e.g. speed
limits.
3.21
vehicle lateral control
ability of the vehicle to convert the steering wheel angle request of the driver into an expected vehicle
trajectory according to the available friction coefficient between the tire and the road surface
Note 1 to entry: A trajectory change is also realized by other vehicle systems (e.g. brake, drivetrain, powertrain etc.)
beyond the SbW system.
3.22
warning concept
technical measures to warn the driver and the environment in case of faults
3.23
warning symbol
standardized symbol for feedback to the driver of a failure or a degradation state of the SbW system
4 List of symbols
Table 1 — List of used symbols
Size Symbol Unit
Vehicle lateral acceleration a m/s
y
Vehicle longitudinal acceleration a m/s
x
Distance a m
Vehicle width B m
Lane width b m
Wheelbase L m
Pylons distance d m
Circle radius R/R m
i
Track length S m
Vehicle speed v km/h
x
Vehicle speed at the beginning of the
v km/h
x Start
manoeuvre
Vehicle speed at the end of the ma-
v km/h
x End
noeuvre
Disturbance yaw rate
°/s
Δ
Disturbance lateral acceleration Δa m/s
y
Fault duration t s
Fault
5 Derivation of the safety goals
5.1 System boundary
SbW is a steering system in which the driver's steering intention is detected by a sensor system and
transmitted exclusively electrically to the actuator system to apply the road wheel angle. The steering feel is
represented to the driver by means of an HWA.
Compared with conventional steering systems (e.g. electromechanical steering, superimposed steering),
there is no mechanical connection between the steering wheel and the steered wheels in an SbW system. This
conceptual difference results in additional safety requirements and safety-related availability requirements
for the steering system in the vehicle.
For an SbW system, steerability or vehicle lateral control shall be maintained during driving despite an
electrical fault in the SbW system or in other supporting systems in the vehicle (e.g. vehicle power supply
system, vehicle communication).
Figure 1 shows an example of the item SbW according to ISO 26262-1 with the system boundaries of the
item, the interfaces to the vehicle as well as functional elements. In addition, the control chains of the two
main functions of an SbW system are also shown:
— provide steerability and
— provide feedback torque.
Key
1 measurement of the steering wheel angle
2 actuation of feedback torque via steering wheel (steering feel including haptic warning)
3 target road wheel angle
4 measured variables of actuators
5 road wheel angle (transmission through the mechanical linkage via tie rod and steering linkage to the front
wheels)
6 visual or audible information and warnings from the SbW system
7 interaction between wheels and road
8 power supply
9 information exchange
Figure 1 — Definition of item for SbW
An SbW system with the specified functions is defined as one item according to the definition in ISO 26262-1
[1]
and ISO 26262-5 .
The item SbW can either be defined as one system or as a combination of several systems according to
[1]
ISO 26262-1 and ISO 26262-5 , see Figure 2 and Figure 3.

Key
1 steering wheel input
2 feedback torque (steering feel including haptic warning)
3 road wheel angle
[2]
Figure 2 — Option 1: Definition of system(s) for SbW according to the ISO 26262 series
Key
1 steering wheel input
2 feedback torque (steering feel including haptic warning)
3 road wheel angle
4 information exchange between systems
[2]
NOTE The definition "1 item = n systems (2 ≤ n ≤ 10)" follows the requirements of the ISO 26262 series .
[2]
Figure 3 — Option 2: Definition of system(s) for SbW according to the ISO 26262 series
An example of breakdown in physical system architecture(s) for both variants and for the share of
development responsibilities between OEM and supplier is given in Annex C.

5.2 SbW malfunctioning behaviours
Based on the functions of the SbW system listed in 5.1:
— provide steerability, and
— provide feedback torque,
the following SbW malfunctioning behaviours are considered:
— self-steering;
— loss of steerability;
— loss of feedback torque;
— blocking of the steering system;
— loss of synchronization between steering wheel angle and road wheel angle.
The malfunctioning behaviours are defined from driver's perspective, that means they represent a faulty
behaviour as it can be experienced by the driver:
— "self-steering" can occur if the road wheels are unintentionally moved
— due to a fault in the function "Provide steerability" (e.g. faults in the measurement, signal processing,
actuation), or
— due to a fault in the function "Provide feedback torque" (e.g. faults in the measurement, signal
processing, actuation) leading to an unintended movement of the steering wheel,
— "loss of steerability" can occur if the driver's intention is not actuated at the road wheels;
— "loss of feedback torque" can occur if no or insufficient torque is applied to the steering wheel;
— "blocking of the steering system" can occur if the forces to rotate the steering wheel are too high for the
driver;
— "loss of synchronization between steering wheel angle and road wheel angle" can occur if the road wheel
angle and steering wheel angle are misaligned, e.g. due to
— delayed road wheel angle actuation,
— misalignment at vehicle wake-up.
In addition to the above listed malfunctions, a complete analysis of all E/E malfunctions in accordance with
ISO 26262-3 as well as mechanical failures shall be conducted for a specific SbW system.
5.3 Safety goals
5.3.1 General
The following safety goals and their criticality ratings are derived from the SbW malfunctioning behaviours
listed in 5.2:
— SG1: Self-steering shall be prevented while driving.
— SG2: Loss of steerability shall be prevented while driving.
— SG3: Loss of feedback torque to the driver shall be prevented while driving.
— SG4: Unintentional blocking of the steering wheel shall be prevented while driving.
— SG5: Unintended loss of synchronization between the SbW actuators shall be prevented while driving.

Table 2 shows the allocation of the SbW malfunctioning behaviours to the safety goals.
Table 2 — Allocation of SbW malfunctions to safety goals
Function of SbW system SbW malfunction Safety goals
Provide steerability Self-steering (RWA) SG1
Loss of steerability SG2
Blocking of the steering system
(RWA)
Loss of synchronization between SG5
steering wheel angle and road wheel
angle
Provide feedback torque Self-Steering (HWA) SG1
Loss of feedback torque SG3
Blocking of the steering system SG4
(HWA)
NOTE 1 In the context of the safety goals, "while driving" means that the vehicle is in a state where the driver has
lateral and longitudinal control of the vehicle. The criticality (ASIL rating) of a safety goal violation is speed dependent.
At very low speeds (e.g. 10 km/h with a corresponding warning concept), the risk is much lower than at higher speeds
due to the significantly reduced kinetic energy.
NOTE 2 This document evaluates the criticality of the safety goals for E/E faults with Automotive Safety Integrity
[2]
Level (ASIL) according to ISO 26262 series .
NOTE 3 The SbW malfunction “blocking of the steering system” as per 5.2 can be caused by blocking of the HWA
(SG4) or blocking of the RWA (SG2).
The listed safety goals are not derived from a complete hazard analysis and risk assessment according to
[2]
ISO 26262 series but are based on the generic failure modes. Therefore, the listed safety goals represent
only a minimum set of safety goals.
This document does not relieve the user from performing a complete HARA according to ISO 26262-3 for a
specific SbW system.
5.3.2 Safety goal SG1: Self-steering shall be prevented while driving
5.3.2.1 Explanation
Self-steering is an unintended steering angle change (RWA and/or HWA) caused by a unintended force of the
RWA or an unintended torque of the HWA. The safety goal is classified as ASIL D.
EXAMPLE Possible causes for an unintended RWA force or an unintended feedback torque including failures in
the entire control path: sensors, communication, control and actuators. The type of unintended actuator control can
follow different failure patterns, e.g. wrong amplitude, overshoot, wrong direction, superimposed, oscillating.
5.3.2.2 Acceptance criteria
Faults in an SbW system which can lead to the violation of the safety goal shall be mitigated in a suitable
manner. It has to be ensured that the vehicle can be kept in the lane (see Clause 7).
5.3.2.3 Safe state vehicle
The safe state on vehicle level for the function "provide steerability" is reached when the vehicle speed is
reduced to ≤ 10 km/h with a corresponding warning.

The safe state on vehicle level for the function "Provide feedback torque" is reached when general
controllability (C0 controllability) is given or when the vehicle speed is reduced to ≤ 10 km/h with
appropriate warning.
[3]
NOTE UN Regulation No. 79 refers to the threshold of ≤ 10 km/h in the event of a fault. Depending on driving
situations, furthermore the degradation concept defines the transition of the vehicle into vehicle standstill within the
vehicle safe state.
When transitioning the vehicle to the safe state, the requirements of the degradation concept shall be met
(see Clause 8).
The safe state at vehicle level can only be reached and ensured by considering systems outside the SbW
system or considering the driver.
5.3.2.4 Safe state SbW system
The safe state on SbW system level for the function "Provide steerability" is to continue the operation
of the function until the safe state is reached at the vehicle level. Faulty components shall be isolated or
deactivated. Remaining required redundancies are to be activated or maintained.
The safe state on SbW system level for the function "Provide feedback torque" is to continue the operation of
the function until the safe state at the vehicle level is reached or internal SbW mechanism exists where the
functionality of the active feedback torque is no longer required for safety reasons. Faulty components shall
be isolated or deactivated. Remaining required redundancies shall be activated or kept active or alternative
mitigation measures shall be applied.
EXAMPLE Example mitigation measures can be increased mechanical friction or damping.
In order to prevent violation of other safety goals, following additional measures shall be considered:
— remaining redundant control and power supply channels shall be activated or kept active;
— minimum steering performance according to the degradation concept shall be ensured.
5.3.3 Safety goal SG2: Loss of steerability shall be prevented while driving
5.3.3.1 Explanation
Loss of the steerability is a failure in the SbW system that leads to the loss of the function “Provide
steerability” and cannot be sufficiently compensated by other systems for vehicle lateral control. The safety
goal is classified as ASIL D.
EXAMPLE Possible failure causes for a failure of the steerability include the entire control path: sensors,
communication, control, actuators, power supply, as well as mechanical components.
5.3.3.2 Acceptance criteria
In the event of faults in an SbW system which can lead to the violation of the safety goal shall be mitigated
in a suitable manner. It shall be ensured that the vehicle can be kept in the lane (see Clause 7). The minimum
steering performance shall be ensured in accordance with the degradation concept (see Clause 8).
5.3.3.3 Safe state vehicle
The safe state on vehicle level is reached when the vehicle speed is reduced to ≤ 10km/h with appropriate
warning.
[3]
NOTE 1 UN Regulation No. 79 refers to the threshold of ≤ 10 km/h in the event of a fault. Depending on driving
situations, furthermore the degradation concept defines the transition of the vehicle into vehicle standstill within
the vehicle safe state. The safe state with corresponding driver warning is a sufficient risk mitigation according to
[2]
ISO 26262 series . The residual risk of a loss of steerability at vehicle speeds ≤ 10km/h with corresponding driver
warning does not lead to an ASIL classification.

A minimum vehicle lateral manoeuvrability shall be ensured while continuing driving within the safe state.
If steerability or vehicle lateral control is completely lost, an automated deceleration to standstill shall be
executed as long as the automated deceleration is still operational (see Clause 8).
NOTE 2 Previous experiences indicate that drivers try to control the vehicle by more steering angle input, instead
of immediately braking. The reaction of the driver to brake the vehicle to standstill can be delayed.
When transitioning the vehicle to the safe state, the requirements of the degradation concept shall be met
(see Clause 8).
The safe state at vehicle level can only be reached and ensured by considering systems outside the SbW
system or considering the driver.
5.3.3.4 Safe state SbW system
The safe state on SbW system level for the function "Provide steerability" is to continue the operation
of the function until the safe state is reached at the vehicle level. Faulty components shall be isolated or
deactivated. Remaining required redundancies shall be activated or maintained.
5.3.4 Safety goal SG3: Loss of feedback torque to the driver shall be prevented while driving
5.3.4.1 Explanation
Loss of feedback torque is a fault in the SbW system that results in a loss of the function "Provide feedback
torque”. The safety goal is classified as minimum ASIL B. The criticality for loss of feedback torque can vary
depending on system design and characteristics of the transfer function (e.g. differences in friction, steering
ratio).
EXAMPLE Possible failure causes for a loss of the feedback torque include the entire control path: sensors,
communication, control, actuators, power supply, as well as mechanical components. The effect of faults can lead to a
partial loss or even to a complete loss of the feedback torque.
5.3.4.2 Acceptance criteria
Two aspects regarding controllability shall be considered in case of faults leading to loss of feedback torque.
Faults in an SbW system that can lead to the violation of the safety goal shall be mitigated in an appropriate
manner. It shall be ensured that the vehicle can be kept in the lane (see Clause 7).
In addition, the remaining substitute functions (e.g. redundancy, friction, damping) shall ensure
controllability of the vehicle to continue driving (see Clause 8).
5.3.4.3 Safe state vehicle
The safe state on vehicle level is reached when general controllability (C0 controllability) is given or when
the vehicle speed is reduced to ≤ 10 km/h with appropriate warning.
[3]
NOTE UN Regulation No. 79 refers to the threshold of ≤ 10 km/h in the event of a fault. Depending on driving
situations, furthermore the degradation concept defines the transition of the vehicle into vehicle standstill within the
vehicle safe state. When transitioning the vehicle to the safe state, the requirements of the degradation concept shall
be met (see Clause 8).
If the safe state cannot be achieved with general controllability, the safe state can only be reached and
ensured at the vehicle level by considering systems outside the SbW system or considering the driver.
5.3.4.4 Safe state SbW system
The safe state on SbW system level for the function "Provide feedback torque" is to continue the operation of
the function until the safe state at the vehicle level is reached or internal SbW mechanism exists where the
functionality of the active feedback torque is no longer required for safety reasons. Faulty components shall

be isolated or deactivated. Remaining required redundancies shall be activated or kept active or alternative
mitigation measures shall be applied.
EXAMPLE Example mitigation measures can be increased mechanical friction or damping.
5.3.5 Safety goal SG4: Unintentional blocking of the steering wheel shall be prevented while driving
5.3.5.1 Explanation
An unintentional excessive feedback torque acting against the driver's steering wheel rotation (high
steering resistance up to blocking of the HWA) shall be prevented. This includes both, electromechanically
and mechanically caused high steering resistance up to blocking. The safety goal is classified as ASIL D.
EXAMPLE 1 Possible electromechanical faults causing excessive feedback torque include the entire control path:
sensors, communication, control, actuators. Examples include simulation of the unintended dynamic end stop due to
an incorrect steering angle or an unintended phase short-circuit in the HWA.
EXAMPLE 2 Possible mechanical causes for excessive feedback torque include the mechanical components, e.g.
wrong mechanical end stop position leading to blocking or increased friction leading to high steering resistance.
NOTE 1 SG4 differs from SG1. Fault leading to violation of SG4 does not lead to any active steering wheel rotation.
The steering wheel rotation by the driver is inhibited or limited.
NOTE 2 SG4 differs from SG2. SG4 is not violated, in case of an intended inhibited steering wheel rotation as
additional mitigation in case of SG2 violation, e.g. blocked RWA.
5.3.5.2 Acceptance criteria
Two aspects regarding controllability shall be considered in case of faults leading to unintentionally blocking
of the steering wheel.
Faults in an SbW system that can lead to the violation of the safety goal shall be mitigated in a suitable
manner. It shall be ensured that the vehicle can be kept in the lane (see Clause 7).
In addition, the remaining substitute functions (e.g. redundancy, friction, damping) shall be ensure
controllability of the vehicle to continue driving (see Clause 8).
5.3.5.3 Safe state vehicle
The safe state on vehicle level is reached when general controllability (C0 controllability) is given or when
the vehicle speed is reduced to ≤ 10 km/h with appropriate warning.
[3]
NOTE UN Regulation No. 79 refers to the threshold of ≤ 10 km/h in the event of a fault. Depending on driving
situations, furthermore the degradation concept defines the transition of the vehicle into vehicle standstill within the
vehicle safe state.
When transitioning the vehicle to the safe state, the requirements of the degradation concept shall be met
(see Clause 8).
If the safe state cannot be achieved by general controllability, the safe state can only be reached and ensured
at the vehicle level by considering systems outside the SbW system or considering the driver.
5.3.5.4 Safe state SbW system
The safe state on SbW system level for the function "Provide feedback torque" is to continue the operation of
the function u
...