CPDS Requirements


A) Definitions and timing constants

T_DETECT = 10 s (from ignition-off to initial child presence decision)
T_ACK_1 = 5 min (driver response window after initial driver notification)
T_ACK_2 = 5 min (after exterior lights and horn)
T_ACK_3 = 5 min (after HVAC intervention starts)
T_ACK_4 = 10 min (after carers are notified)
SAFE_TEMP_RANGE = [18 °C, 26 °C] unless otherwise calibrated for local policy.
SOC_CRIT = 15% (critical battery state of charge threshold)
Direct sensors: camera, UWB radar, microphone.
Indirect sensors: door/hood/trunk closure, window position, seat-belt latch and tension, seat pressure, ignition state, key proximity.
T_SNOOZE = 10 min

BDD note: Treat each constant as a step parameter so you can generate both nominal and boundary tests.


B) States

S0 Off – CPDS not monitoring.
S1 Armed/Scanning – ignition off, doors closed, key out of range, direct and indirect sensors active.
S2 Child Confirmed – fusion confirms unattended child.
S3 Notify Driver – app and/or key fob alert running.
S4 Exterior Alert – lights and horn intermittent.
S5 HVAC Intervention – automatic climate stabilization.
S6 Notify Carers – messages or calls to predefined contacts.
S7 Allow Access – doors unlocked for emergency access.
S8 Emergency Services – call placed with metadata.
S9 Standby – monitoring idle state after resolution.
S_Fault – degraded operation due to sensor or comms fault.


Req_CPDS_00: Start, Arm, and Finalization

Req_CPDS_00.1 (Initial state): When vehicle ignition switches off and all doors are closed, CPDS shall transition from S0 Off to S1 Armed/Scanning within 5 s if the key is out of proximity range.
BDD anchor: Given ignition is off and doors are closed and key is not near, When 5 s elapse, Then CPDS state is S1.

Req_CPDS_00.2 (Standby final state): If at any escalation stage the system verifies no child present for a continuous 30 s window, CPDS shall transition to S9 Standby and stop all alerts within 5 s.
BDD anchor: Given any active stage, When no child is detected for 30 s, Then state becomes S9 and alerts cease.

Req_CPDS_00.3 (Cancel on adult intervention): Opening a door or switching ignition on shall suspend escalation immediately and force re-verification (Req_CPDS_01) before any return to S9.
BDD anchor: Given an active alert, When a door opens or ignition turns on, Then alerts pause and detection restarts.

Req_CPDS_00.4 (Cycle end): After any successful resolution (child absent confirmed or emergency hand-off), CPDS shall re-enter S1 Armed/Scanning once doors are closed and key leaves proximity, otherwise S0 Off.
BDD anchor: Given resolution, When doors close and key leaves, Then state becomes S1; else S0.



Req_CPDS_01: Unattended Child Detection and Fusion

Req_CPDS_01.1: On entry to S1, CPDS shall activate direct and indirect sensors within 5 s.

Req_CPDS_01.2 (Fusion rule): CPDS shall confirm unattended child (transition S1→S2) only if within T_DETECT it obtains either
a) at least 2 direct positives, or
b) 1 direct positive plus at least 3 indirect indicators consistent with unattended occupancy,
and no contradictory adult-presence evidence is present.
BDD anchors: boundary cases at the 2/3 (two direct positives) and 1/3 (one direct positive plus three indirect indicators) thresholds; contradictory evidence includes front-seat adult pressure and an adult voice classifier positive.

Req_CPDS_01.3 (Alone verification): A confirmed front-seat adult presence shall block S1→S2 and keep CPDS in S1.
BDD: Given adult detected, Then no escalation starts.

Req_CPDS_01.4 (Re-check on movement): If fusion is inconclusive at T_DETECT, CPDS shall continue scanning and re-evaluate every 2 s until either S2 or S9 is reached or 30 min elapse, after which it enters S_Fault and notifies at next ignition-on.
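An added illustration, not part of the specification, of the Req_CPDS_01.2 fusion rule together with the Req_CPDS_01.3 adult-presence block; the individual sensor and classifier names are assumed, and source names outside the known sets are deliberately not counted, so a misnamed or injected source cannot push the count over a threshold:

```python
# Sensor names are constructed for this example; the spec only names the sensor types.
DIRECT_SENSORS = {"camera", "uwb_radar", "microphone"}
INDIRECT_SENSORS = {"door_closed", "hood_closed", "trunk_closed", "window_up",
                    "rear_belt_latched", "rear_belt_tension", "rear_seat_pressure",
                    "ignition_off", "key_out_of_range"}
ADULT_EVIDENCE = {"front_seat_adult_pressure", "adult_voice_classifier"}

MIN_DIRECT_A = 2     # rule (a): at least 2 direct positives
MIN_DIRECT_B = 1     # rule (b): 1 direct positive ...
MIN_INDIRECT_B = 3   # ... plus at least 3 consistent indirect indicators


def fuse(direct_positives, indirect_indicators, contradictory=()):
    """Apply the Req_CPDS_01.2 fusion rule to the evidence of one T_DETECT window.

    Returns ("S2", reason) when an unattended child is confirmed, else ("S1", reason).
    Sources outside the known sensor sets are ignored, and sets de-duplicate a
    sensor that reports the same positive more than once.
    """
    direct = set(direct_positives) & DIRECT_SENSORS
    indirect = set(indirect_indicators) & INDIRECT_SENSORS
    adult = set(contradictory) & ADULT_EVIDENCE
    if adult:  # Req_CPDS_01.3: confirmed adult presence blocks S1->S2
        return "S1", "blocked by adult evidence: %s" % ", ".join(sorted(adult))
    if len(direct) >= MIN_DIRECT_A:
        return "S2", "rule (a): %d direct positives" % len(direct)
    if len(direct) >= MIN_DIRECT_B and len(indirect) >= MIN_INDIRECT_B:
        return "S2", "rule (b): 1 direct + %d indirect" % len(indirect)
    return "S1", "inconclusive: %d direct, %d indirect" % (len(direct), len(indirect))


# Boundary scenarios the BDD anchor asks for (inputs constructed): name, inputs, expected
BOUNDARY_CASES = [
    ("CPDS_01_2_two_direct", ({"camera", "uwb_radar"}, set()), "S2"),
    ("CPDS_01_2_one_direct_three_indirect",
     ({"camera"}, {"rear_seat_pressure", "rear_belt_latched", "window_up"}), "S2"),
    ("CPDS_01_2_one_direct_two_indirect",
     ({"microphone"}, {"rear_seat_pressure", "rear_belt_latched"}), "S1"),
    ("CPDS_01_2_three_indirect_no_direct",
     (set(), {"rear_seat_pressure", "rear_belt_latched", "window_up"}), "S1"),
    ("CPDS_01_3_adult_blocks",
     ({"camera", "uwb_radar"}, set(), {"front_seat_adult_pressure"}), "S1"),
    ("CPDS_01_2_unknown_source_ignored", ({"camera", "aftermarket_node"}, set()), "S1"),
]


def run_boundary_cases():
    """Map scenario name -> pass/fail for every boundary case above."""
    return {name: fuse(*args)[0] == expected for name, args, expected in BOUNDARY_CASES}
```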



Req_CPDS_02: Initial Driver Notification

Req_CPDS_02.1: On S2 entry, CPDS shall transition to S3 and notify the driver via mobile app push plus key-fob (if available) within 10 s, including vehicle location and a countdown for T_ACK_1.

Req_CPDS_02.2 (Acknowledgment gate): Acknowledgment is accepted only if either the driver’s device is within 20 m BLE range or a door opens within the acknowledgment window. Otherwise the system proceeds as no response.
Rationale: prevents remote dismiss without action.

Req_CPDS_02.3: If the driver acknowledges within T_ACK_1 and child absence is verified per Req_CPDS_00.2, CPDS shall go to S9 Standby. If acknowledgment occurs without verified child absence by T_ACK_1, proceed to Req_CPDS_03.

Req_CPDS_02.4 (Driver “Snooze” option):
Precondition: CPDS is in S3 Notify Driver; an unattended child is confirmed.
Availability: Snooze can be requested only during S3 and only once per incident.
Proximity guard: Snooze is valid only if the driver device is within 20 m or a door opens within the request window.
Duration: Define T_SNOOZE = 10 min. Snooze extends the S3 acknowledgment deadline by T_SNOOZE.
Behavior: On valid snooze, escalation is paused for T_SNOOZE while monitoring continues; HVAC may intervene if safety bounds require it.
Safety guards: Snooze is blocked if SOC < SOC_CRIT, if child distress cues are detected, or if a regional policy forbids delay. If any guard becomes true during snooze, cancel snooze immediately and resume the escalation timeline.
Expiry: If no valid acknowledgment occurs by the extended deadline, proceed to S4 Exterior Alert.
Resolution: Any valid acknowledgment during snooze resolves as in Req_CPDS_02.3.
Logging: Log snooze request, acceptance/denial reason, start/end timestamps.
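An added example, not from the specification, of the Req_CPDS_02.2 acknowledgment gate and the Req_CPDS_02.4 snooze rules as testable functions; the Incident fields, the use of a BLE distance in metres, and the -1 sentinel for "no snooze active" are assumptions made here:

```python
from dataclasses import dataclass
BLE_RANGE_M = 20.0    # Req_CPDS_02.2 proximity gate
T_SNOOZE_S = 10 * 60  # T_SNOOZE from section A
SOC_CRIT = 15.0       # section A

@dataclass
class Incident:
    """Per-incident context; all values used here are constructed, not from the spec."""
    state: str                  # current CPDS state, e.g. "S3"
    ack_deadline_s: float       # acknowledgment deadline, seconds since S2 entry
    soc_pct: float = 100.0
    distress_cues: bool = False
    regional_delay_forbidden: bool = False
    snooze_used: bool = False
    pre_snooze_deadline_s: float = -1.0   # -1 while no snooze is active

def ack_is_valid(inc, now_s, device_distance_m, door_opened):
    """Req_CPDS_02.2: inside the window AND physical evidence; a remote-only tap or an unknown device position (None) is no response."""
    near = device_distance_m is not None and device_distance_m <= BLE_RANGE_M
    return now_s <= inc.ack_deadline_s and (near or door_opened)

def snooze_guards(inc):
    """Req_CPDS_02.4 safety guards; a non-empty list means snooze is blocked."""
    checks = ((inc.soc_pct < SOC_CRIT, "SOC below SOC_CRIT"),
              (inc.distress_cues, "distress cues detected"),
              (inc.regional_delay_forbidden, "regional policy forbids delay"))
    return [reason for tripped, reason in checks if tripped]

def request_snooze(inc, now_s, device_distance_m, door_opened):
    """Returns (granted, reason); on grant the S3 deadline is extended by T_SNOOZE."""
    reasons = snooze_guards(inc)
    if inc.state != "S3":
        reasons.append("snooze only available in S3")
    if inc.snooze_used:
        reasons.append("snooze already used this incident")
    if not ack_is_valid(inc, now_s, device_distance_m, door_opened):
        reasons.append("proximity guard failed")
    if reasons:
        return False, "; ".join(reasons)
    inc.snooze_used, inc.pre_snooze_deadline_s = True, inc.ack_deadline_s
    inc.ack_deadline_s += T_SNOOZE_S
    return True, "granted; new deadline %.0f s" % inc.ack_deadline_s

def revoke_snooze_if_guarded(inc):
    """A guard tripping during snooze cancels it and restores the pre-snooze deadline."""
    if inc.pre_snooze_deadline_s < 0 or not snooze_guards(inc):
        return False
    inc.ack_deadline_s, inc.pre_snooze_deadline_s = inc.pre_snooze_deadline_s, -1.0
    return True
```

The caller is expected to log each grant, denial reason and cancellation as the Logging line requires, and to compare the restored deadline against the current time so that an already-expired timeline proceeds to S4 at once.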

Req_CPDS_03: Exterior Lights and Horn Escalation

Req_CPDS_03.1: If no valid acknowledgment per Req_CPDS_02.2 by T_ACK_1, CPDS shall enter S4 and activate exterior hazard lights and horn intermittently for T_ACK_2 (pattern: 5 s on, 25 s off).

Req_CPDS_03.2: If valid acknowledgment occurs within T_ACK_2 and child absence is verified, CPDS shall return to S9; else continue to Req_CPDS_04.


Req_CPDS_04: HVAC Adjustment Intervention

Req_CPDS_04.1: If no valid acknowledgment by T_ACK_2, CPDS shall enter S5 and control HVAC to maintain SAFE_TEMP_RANGE while preserving battery safety limits.

Req_CPDS_04.2 (Battery guard): If traction or 12 V battery state of charge is below a calibrated threshold, CPDS shall prioritize minimal-energy cooling or ventilation and continue escalation. If SOC < SOC_CRIT, Req_CPDS_04.4 takes precedence.

Req_CPDS_04.3: If valid acknowledgment occurs within T_ACK_3 and child absence is verified, CPDS shall return to S9; else continue to Req_CPDS_05.

Req_CPDS_04.4 (Critical battery override): If CPDS is in S2, S3, S4, S5, or S6 and the traction or 12 V battery SOC drops below SOC_CRIT, the system shall bypass any remaining acknowledgment timers and immediately:
(i) enter S8 Emergency Services and place the call within 10 s, tagging the payload with “critical battery”;
(ii) execute Req_CPDS_06.1 in parallel (unlock for access);
(iii) disable HVAC except minimal ventilation to conserve energy;
(iv) remain in S7/S8 until emergency hand-off or child absence is verified, then transition per Req_CPDS_06.3.
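An added example (not the specification's own logic) of the escalation chain from S2 to S7 driven by the T_ACK windows, with verified absence (Req_CPDS_00.2) and the Req_CPDS_04.4 critical battery override taking precedence over the timers; the action names and the sample timelines are constructed:

```python
SOC_CRIT = 15.0  # section A
# Acknowledgment window per stage in seconds: T_ACK_1..T_ACK_4 from section A
WINDOW_S = {"S3": 300, "S4": 300, "S5": 300, "S6": 600}
NEXT_STAGE = {"S3": "S4", "S4": "S5", "S5": "S6", "S6": "S7"}
# Actions on entering a stage (action names are constructed for this example)
ENTRY_ACTIONS = {"S3": ["notify_driver"], "S4": ["hazards_and_horn"],
                 "S5": ["hvac_safe_range"], "S6": ["notify_carers"],
                 "S7": ["unlock_doors", "flash_hazards", "call_emergency"]}
OVERRIDE_ACTIONS = ["call_emergency:critical battery", "unlock_doors", "hvac_min_vent_only"]


def step(state, stage_elapsed_s, soc_pct, child_absent_30s, handoff_done=False):
    """One evaluation of the chain; returns (next_state, actions_on_transition).
    Priority: verified absence (Req_CPDS_00.2) > critical battery (Req_CPDS_04.4)
    > timer expiry. S7 and S8 run concurrently; the model names the one the
    triggering requirement enters first."""
    if state in ("S7", "S8"):  # hold until hand-off or absence, then Req_CPDS_06.3
        return ("S9", ["relock", "end_call"]) if (handoff_done or child_absent_30s) else (state, [])
    if child_absent_30s:
        return "S9", ["stop_alerts"]
    if state in ("S2", "S3", "S4", "S5", "S6") and soc_pct < SOC_CRIT:
        return "S8", OVERRIDE_ACTIONS   # bypasses any remaining timer
    if state == "S2":
        return "S3", ENTRY_ACTIONS["S3"]
    if state in WINDOW_S and stage_elapsed_s >= WINDOW_S[state]:
        nxt = NEXT_STAGE[state]
        return nxt, ENTRY_ACTIONS[nxt]
    return state, []


def run_timeline(samples):
    """Replay constructed samples (t_s, soc_pct, child_absent_30s), ascending in t,
    starting in S2 at t=0. Returns the transitions as (t_s, new_state, actions)."""
    state, entered_at, trace = "S2", 0.0, []
    for t, soc, absent in samples:
        nxt, actions = step(state, t - entered_at, soc, absent)
        if nxt != state:
            state, entered_at = nxt, t
            trace.append((t, nxt, actions))
    return trace
```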


Req_CPDS_05: Carers Notification

Req_CPDS_05.1: If no valid acknowledgment by T_ACK_3, CPDS shall enter S6 and notify all predefined carers by at least two channels (SMS and call or push) within 60 s, including location, current cabin temperature, and elapsed time.

Req_CPDS_05.2: If any carer acknowledges within T_ACK_4 and arrives within BLE range or opens a door, and child absence is verified, CPDS shall return to S9; else continue to Req_CPDS_06.



Req_CPDS_06: Allow Access and Emergency Services

Req_CPDS_06.1 (Allow access): If no valid acknowledgment by T_ACK_4, CPDS shall enter S7 and unlock all doors, flash hazards, and keep doors unlocked until S8 completes or child absence is verified.

Req_CPDS_06.2 (Emergency call): Concurrently with S7, CPDS shall enter S8 and place an emergency call to local services with vehicle location, make/model, plate or VIN last 6, sensor snapshot, and escalation history.
BDD anchor: validate payload fields.

Req_CPDS_06.3 (Post-event relock and Standby):

Req_CPDS_06.3.1 (Post-event relock after emergency services acknowledgment):
Precondition: CPDS is in S7 Allow Access.
Trigger: An acknowledgment from emergency services is received for the active emergency call.
Shall: Within 10 s of the trigger, CPDS shall relock the vehicle, terminate the active emergency call, and transition to S9 Standby.
Guards: If any door is still open, defer relock until all doors are closed, then complete the actions within 10 s. If child presence becomes true again before relock, abort this requirement and return to the escalation flow.

Req_CPDS_06.3.2 (Post-event relock after safe removal and door closure):
Precondition: CPDS is in S7 Allow Access.
Trigger: All doors are closed and child absence has been verified continuously for 30 s.
Shall: Within 10 s, CPDS shall relock, terminate any active emergency call, and transition to S9 Standby.



Req_CPDS_07: No Child Path

Req_CPDS_07.1: If direct and indirect sensors do not confirm an unattended child within T_DETECT, CPDS shall remain in S1 Armed/Scanning and shall not initiate notifications.

Req_CPDS_07.2 (Standby idle): If S1 persists for 30 min with no positive indications, CPDS may transition to S9 Standby to reduce power, resuming S1 on any door event or key departure/arrival.



Req_CPDS_08: Manual Controls and Safety Guards

Req_CPDS_08.1 (Manual cancel in supervised stay): If an adult explicitly sets “Supervised Stay” at ignition-off, CPDS shall remain in S9 for 30 min unless direct sensors detect distress cues (e.g., crying classifier), in which case standard escalation applies.

Req_CPDS_08.2 (Tamper detection): If sensors indicate tampering (e.g., camera covered) while S1 is active, CPDS shall enter S_Fault and notify the driver at next ignition-on and via app immediately.

Req_CPDS_08.3 (Connectivity loss): If mobile connectivity is unavailable at S3 or S6, CPDS shall proceed with on-vehicle alerts and HVAC and shall retry notifications every 60 s.

Req_CPDS_08.4 (Geo or horn restrictions): If horn use is disabled by regional setting, CPDS shall substitute repeated hazard light patterns and HMI messages while keeping the escalation timeline.



Req_CPDS_09: Fault Handling

Req_CPDS_09.1 (Self-test): On entry to S1, CPDS shall self-test all sensors and communication paths. Any critical failure sets S_Fault.

Req_CPDS_09.2 (Degraded confirmation): In S_Fault, if at least one direct sensor positively detects a child for ≥ 3 consecutive samples, CPDS shall continue with the full escalation chain despite degraded status.

Req_CPDS_09.3 (Driver notification of fault): S_Fault shall generate an in-vehicle message at next ignition-on and an app notification within 60 s of detection.



Req_CPDS_10: Data, Security, and Traceability

Req_CPDS_10.1 (Event log): CPDS shall record a timestamped event log for each cycle (state transitions, acknowledgments, sensor snapshots, temperature, battery SOC, notifications, call result).

Req_CPDS_10.2 (Privacy): Logs shall exclude images and audio unless user opt-in is present; only derived features and hashes are stored by default.

Req_CPDS_10.3 (Identifiers): Each requirement Req_CPDS_xx.x maps one-to-one to at least one BDD scenario named Scenario: CPDS_xx_x_*. The event log shall include the scenario ID when a test harness triggers the behavior.
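An added example, not part of the specification, of an event-log writer that applies the Req_CPDS_10.2 privacy default (a SHA-256 digest in place of raw image or audio unless the user opted in) and carries the Req_CPDS_10.3 scenario ID when a harness triggered the behavior; the record field names and the sample snapshot are constructed:

```python
import hashlib
import json
import time

RAW_MEDIA_KEYS = {"image", "audio"}  # raw payloads excluded by default (Req_CPDS_10.2)


def sanitize_snapshot(snapshot, media_opt_in=False):
    """Return a copy of a sensor snapshot with raw image/audio bytes replaced by a
    SHA-256 digest unless the user opted in; derived features pass through."""
    out = {}
    for key, value in snapshot.items():
        if key in RAW_MEDIA_KEYS and not media_opt_in:
            out[key + "_sha256"] = hashlib.sha256(value).hexdigest()
        else:
            out[key] = value
    return out


def log_event(log, event, snapshot, media_opt_in=False, scenario_id=None, ts=None):
    """Append one Req_CPDS_10.1 record and return it. scenario_id is set only
    when a test harness triggered the behavior (Req_CPDS_10.3)."""
    record = {"ts": time.time() if ts is None else ts, **event,
              "snapshot": sanitize_snapshot(snapshot, media_opt_in)}
    if scenario_id is not None:
        record["scenario_id"] = scenario_id
    log.append(record)
    return record


def has_raw_media(obj):
    """True if a raw bytes payload survives anywhere in a record (privacy check)."""
    if isinstance(obj, (bytes, bytearray)):
        return True
    if isinstance(obj, dict):
        return any(has_raw_media(v) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(has_raw_media(v) for v in obj)
    return False


def to_json(record):
    """Serialize a record for storage; fails loudly if raw bytes slipped through."""
    return json.dumps(record, sort_keys=True)


# Constructed snapshot: derived features plus a stand-in raw frame
SAMPLE_SNAPSHOT = {"rear_seat_pressure_kg": 9.5, "cry_classifier_p": 0.93,
                   "cabin_temp_c": 31.2, "image": b"\x89PNG-stand-in-frame"}
```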

