This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization—Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by the Ministry of Industry and Information Technology of the People's Republic of China.
This document is under the jurisdiction of the National Technical Committee of Auto Standardization (SAC/TC 114).
Road vehicles—ASIL determination guidelines for electrical and electronic system
1 Scope
This document proposes the method to determine the ASIL (automotive safety integrity level) of the electronic and electrical system of road vehicles. The ASIL (automotive safety integrity level) determination for electrical and electronic system is required by GB/T 34590.3-2022.
This document is applicable to safety-related systems including one or more electrical/electronic systems installed on mass production road vehicles other than mopeds.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute indispensable requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 34590 (All parts) Road vehicles—Functional safety
GB/T 34590.1-2022 Road vehicles—Functional safety—Part 1: Vocabulary
GB/T 34590.3-2022 Road vehicles—Functional safety—Part 3: Concept phase
3 Terms and definitions
For the purpose of this document, the terms and definitions given in GB/T 34590.1-2022 apply.
4 Hazard analysis and risk assessment
4.1 Hazard identification
Hazard analysis and risk assessment (HARA) is an analysis process, which is to identify potential hazards and combine with the operation scenario to form a group of specific hazardous events, evaluate the risk of each hazardous event to determine its ASIL and safety objectives.
The definition of related items is a prerequisite for HARA. Hazard identification may be achieved by different hazard analysis techniques. This document gives an example of hazard identification using hazard and operability analysis (HAZOP) technology. HAZOP is an exploratory analysis method, which may be used to identify and evaluate the abnormal functional performance of related items, and help to check the operation of related items at the complete vehicle level in a structured and systematic way. This analysis method assumes different abnormal functional performance of related items by adding appropriate guide words to each function, which can lead to hazards, and may cause potential injuries to the drivers and passengers of the target vehicle, other vehicles and their passengers, or other people at risk, such as pedestrians, cyclists or maintenance personnel near the target vehicle.
Other effective methods may also be used to identify relevant hazards. This document does not recommend or support a specific hazard identification method. Hazard identification is a part of hazard analysis and risk assessment. Annex A describes the motion of vehicles along different axes.
The following is a simple application example of HAZOP method, which is used to identify the hazards caused by the potential abnormal functional performance of related items. For example, based on the functions described in the definition of related items, the functions and capabilities of related item executors are considered, and then the following abnormal functional performance of related item is assumed.
a) Loss of function——function is not provided when required.
b) The wrong function is provided when required:
1) Wrong function——more than expected;
2) Wrong function——less than expected;
3) Wrong function——opposite in direction.
c) Unexpected functions——function is provided when not required.
d) The output is stuck at a fixed value——the function cannot be updated as expected.
Note 1: When the function of related items is abnormal, the damage to maintenance personnel when performing tasks unrelated to the maintenance of related items may be considered. However, the damage to maintenance personnel caused by the existing faults of related items is not considered for hazard analysis and risk assessment when repairing the existing failure, damaged or disassembled related items. For example, the electric power steering has a safety mechanism to turn off the assistance function in the event of steering assistance oscillation. When maintaining, the maintenance personnel may force the assistance function to identify the cause of the fault. This situation can not be analyzed by hazard analysis and risk assessment method, because it is deliberately operated by maintenance personnel for maintenance.
Note 2: According to GB/T 34590 (all parts), hazard analysis and risk assessment are based on the abnormal functional performance of related items.
Note 3: Not all HAZOP guide words are applicable to all analysis, and the guide words need to be tailored according to the scope and content of analysis. The user can select a special set of HAZOP guide words for analysis.
For two functions of the vehicle, steering assistance and brake control, Table 1 provides an example of identifying abnormal functional performance using HAZOP method.
Table 1 Application example of HAZOP method
Functions Guide words
Loss of function The wrong function is provided when required Unexpected functions (function is provided when not required) The output is stuck at a fixed value (the function cannot be updated as expected)
Wrong functions (more than expected) Wrong functions (less than expected) Wrong functions (opposite in direction)
Steering assistance function Loss of assistance Excessive assistance Insufficient assistance Reverse assistance Unexpected assistance Steering lock (steering output is stuck at fixed value or fixed position)
Brake control function (traditional brake function) Loss of braking force Excessive braking force Insufficient braking force — Unexpected braking Brake lock (brake output is stuck at fixed value or fixed position)
Note 4: The interaction between different functions of the vehicle is analyzed during safety concept design or subsequent confirmation of relevant items. For example, by itself, the loss of function of related items may be regarded as a degraded mode, but considering the interaction and dependency of related items, it may not be a safe state at the complete vehicle level.
Once the potential abnormal performance of a function is assumed, hazard analysis will continue to be carried out to analyze the hazards of each abnormal functional performance at the complete vehicle level. In this analysis process, it is necessary to consider the operation scenarios of vehicles, including all stages of the life cycle of related items (for example, operation, service and scrapping stages).
The abnormal performance of the same function may cause multiple hazards at the complete vehicle levels, which depends on the behavior of vehicles in different operation scenarios. For example, unexpected or excessive braking may cause unexpected deceleration and unexpected lateral motion of the vehicle, depending on the driving scenario.
In addition, different abnormal functional performance of related items may cause same hazards at the complete vehicle level. Hazard analysis and risk assessment is an iterative process. Considering different vehicle operation scenarios and life cycle stages of related items, the abnormal functional performance of related items and corresponding hazards at the complete vehicle level will also be updated continuously during hazard analysis and risk assessment.
Tables 2 and 3 give examples of mapping the abnormal functional performance identified based on complete vehicle functions in Table 1 to the hazard at the complete vehicle level. The mapping varies with the driving scenarios considered for the abnormal functional performance (for example, the loss of braking will lead to the loss of deceleration capability, vehicle sliding, etc.).
Table 2 Example of mapping the abnormal performance of the steering assistance function to the hazard at the complete vehicle level
Abnormal functional performance Hazards at the complete vehicle level
Unexpected assistance Unexpected vehicle lateral motion/unexpected yaw
Excessive assistance
Reverse assistance
Steering lock (steering output is stuck at fixed value or fixed position) Loss of vehicle lateral motion control
Insufficient assistance Heavy steering (increased hand torque)
Loss of assistance
Table 3 Example of mapping the abnormal performance of the brake control function to the hazard at the complete vehicle level
Abnormal functional performance Hazards at the complete vehicle level
Unexpected braking Unexpected vehicle deceleration
Excessive braking force
Brake lock (brake output is stuck at fixed value or fixed position)
Loss of braking force Unexpected reduction of vehicle deceleration capability
Insufficient braking force
Unexpected braking Unexpected vehicle lateral motion
Excessive braking force
Brake lock (brake output is stuck at fixed value or fixed position)
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Hazard analysis and risk assessment
Annex A (Informative) Motion at the complete vehicle level
Annex B (Informative) Guidelines for severity grading
Annex C (Informative) Example of hazard analysis and risk assessment of steering function
Annex D (Informative) Examples of hazard analysis and risk assessment of drive and transmission function
Annex E (Informative) Example of hazard analysis and risk assessment of suspension control function
Annex F (Informative) Example of hazard analysis and risk assessment of brake and parking brake function
Bibliography
Standard
GB/Z 42285-2022 Road vehicles—ASIL determination guidelines for electrical and electronic system (English Version)
Standard No.
GB/Z 42285-2022
Status
valid
Language
English
File Format
PDF
Word Count
25000 words
Price(USD)
750.0
Implemented on
2023-7-1
Delivery
via email in 1~5 business day
Detail of GB/Z 42285-2022
Standard No.
GB/Z 42285-2022
English Name
Road vehicles—ASIL determination guidelines for electrical and electronic system
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization—Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by the Ministry of Industry and Information Technology of the People's Republic of China.
This document is under the jurisdiction of the National Technical Committee of Auto Standardization (SAC/TC 114).
Road vehicles—ASIL determination guidelines for electrical and electronic system
1 Scope
This document proposes the method to determine the ASIL (automotive safety integrity level) of the electronic and electrical system of road vehicles. The ASIL (automotive safety integrity level) determination for electrical and electronic system is required by GB/T 34590.3-2022.
This document is applicable to safety-related systems including one or more electrical/electronic systems installed on mass production road vehicles other than mopeds.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute indispensable requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 34590 (All parts) Road vehicles—Functional safety
GB/T 34590.1-2022 Road vehicles—Functional safety—Part 1: Vocabulary
GB/T 34590.3-2022 Road vehicles—Functional safety—Part 3: Concept phase
3 Terms and definitions
For the purpose of this document, the terms and definitions given in GB/T 34590.1-2022 apply.
4 Hazard analysis and risk assessment
4.1 Hazard identification
Hazard analysis and risk assessment (HARA) is an analysis process, which is to identify potential hazards and combine with the operation scenario to form a group of specific hazardous events, evaluate the risk of each hazardous event to determine its ASIL and safety objectives.
The definition of related items is a prerequisite for HARA. Hazard identification may be achieved by different hazard analysis techniques. This document gives an example of hazard identification using hazard and operability analysis (HAZOP) technology. HAZOP is an exploratory analysis method, which may be used to identify and evaluate the abnormal functional performance of related items, and help to check the operation of related items at the complete vehicle level in a structured and systematic way. This analysis method assumes different abnormal functional performance of related items by adding appropriate guide words to each function, which can lead to hazards, and may cause potential injuries to the drivers and passengers of the target vehicle, other vehicles and their passengers, or other people at risk, such as pedestrians, cyclists or maintenance personnel near the target vehicle.
Other effective methods may also be used to identify relevant hazards. This document does not recommend or support a specific hazard identification method. Hazard identification is a part of hazard analysis and risk assessment. Annex A describes the motion of vehicles along different axes.
The following is a simple application example of HAZOP method, which is used to identify the hazards caused by the potential abnormal functional performance of related items. For example, based on the functions described in the definition of related items, the functions and capabilities of related item executors are considered, and then the following abnormal functional performance of related item is assumed.
a) Loss of function——function is not provided when required.
b) The wrong function is provided when required:
1) Wrong function——more than expected;
2) Wrong function——less than expected;
3) Wrong function——opposite in direction.
c) Unexpected functions——function is provided when not required.
d) The output is stuck at a fixed value——the function cannot be updated as expected.
Note 1: When the function of related items is abnormal, the damage to maintenance personnel when performing tasks unrelated to the maintenance of related items may be considered. However, the damage to maintenance personnel caused by the existing faults of related items is not considered for hazard analysis and risk assessment when repairing the existing failure, damaged or disassembled related items. For example, the electric power steering has a safety mechanism to turn off the assistance function in the event of steering assistance oscillation. When maintaining, the maintenance personnel may force the assistance function to identify the cause of the fault. This situation can not be analyzed by hazard analysis and risk assessment method, because it is deliberately operated by maintenance personnel for maintenance.
Note 2: According to GB/T 34590 (all parts), hazard analysis and risk assessment are based on the abnormal functional performance of related items.
Note 3: Not all HAZOP guide words are applicable to all analysis, and the guide words need to be tailored according to the scope and content of analysis. The user can select a special set of HAZOP guide words for analysis.
For two functions of the vehicle, steering assistance and brake control, Table 1 provides an example of identifying abnormal functional performance using HAZOP method.
Table 1 Application example of HAZOP method
Functions Guide words
Loss of function The wrong function is provided when required Unexpected functions (function is provided when not required) The output is stuck at a fixed value (the function cannot be updated as expected)
Wrong functions (more than expected) Wrong functions (less than expected) Wrong functions (opposite in direction)
Steering assistance function Loss of assistance Excessive assistance Insufficient assistance Reverse assistance Unexpected assistance Steering lock (steering output is stuck at fixed value or fixed position)
Brake control function (traditional brake function) Loss of braking force Excessive braking force Insufficient braking force — Unexpected braking Brake lock (brake output is stuck at fixed value or fixed position)
Note 4: The interaction between different functions of the vehicle is analyzed during safety concept design or subsequent confirmation of relevant items. For example, by itself, the loss of function of related items may be regarded as a degraded mode, but considering the interaction and dependency of related items, it may not be a safe state at the complete vehicle level.
Once the potential abnormal performance of a function is assumed, hazard analysis will continue to be carried out to analyze the hazards of each abnormal functional performance at the complete vehicle level. In this analysis process, it is necessary to consider the operation scenarios of vehicles, including all stages of the life cycle of related items (for example, operation, service and scrapping stages).
The abnormal performance of the same function may cause multiple hazards at the complete vehicle levels, which depends on the behavior of vehicles in different operation scenarios. For example, unexpected or excessive braking may cause unexpected deceleration and unexpected lateral motion of the vehicle, depending on the driving scenario.
In addition, different abnormal functional performance of related items may cause same hazards at the complete vehicle level. Hazard analysis and risk assessment is an iterative process. Considering different vehicle operation scenarios and life cycle stages of related items, the abnormal functional performance of related items and corresponding hazards at the complete vehicle level will also be updated continuously during hazard analysis and risk assessment.
Tables 2 and 3 give examples of mapping the abnormal functional performance identified based on complete vehicle functions in Table 1 to the hazard at the complete vehicle level. The mapping varies with the driving scenarios considered for the abnormal functional performance (for example, the loss of braking will lead to the loss of deceleration capability, vehicle sliding, etc.).
Table 2 Example of mapping the abnormal performance of the steering assistance function to the hazard at the complete vehicle level
Abnormal functional performance Hazards at the complete vehicle level
Unexpected assistance Unexpected vehicle lateral motion/unexpected yaw
Excessive assistance
Reverse assistance
Steering lock (steering output is stuck at fixed value or fixed position) Loss of vehicle lateral motion control
Insufficient assistance Heavy steering (increased hand torque)
Loss of assistance
Table 3 Example of mapping the abnormal performance of the brake control function to the hazard at the complete vehicle level
Abnormal functional performance Hazards at the complete vehicle level
Unexpected braking Unexpected vehicle deceleration
Excessive braking force
Brake lock (brake output is stuck at fixed value or fixed position)
Loss of braking force Unexpected reduction of vehicle deceleration capability
Insufficient braking force
Unexpected braking Unexpected vehicle lateral motion
Excessive braking force
Brake lock (brake output is stuck at fixed value or fixed position)
Contents of GB/Z 42285-2022
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Hazard analysis and risk assessment
Annex A (Informative) Motion at the complete vehicle level
Annex B (Informative) Guidelines for severity grading
Annex C (Informative) Example of hazard analysis and risk assessment of steering function
Annex D (Informative) Examples of hazard analysis and risk assessment of drive and transmission function
Annex E (Informative) Example of hazard analysis and risk assessment of suspension control function
Annex F (Informative) Example of hazard analysis and risk assessment of brake and parking brake function
Bibliography
