
GB/Z 42285-2022 PDF in English


GB/Z 42285-2022 (also written GB/Z42285-2022, GBZ 42285-2022, GBZ42285-2022)
Standard ID: GB/Z 42285-2022
Name of Chinese Standard: Road vehicles -- ASIL determination guidelines for electrical and electronic system
Contents: English [PDF], USD 755
Status: Valid


GB/Z 42285-2022
GB GUIDANCE TECHNICAL DOCUMENT FOR STANDARDIZATION OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 43.040
CCS T 35
Road vehicles - ASIL determination guidelines for electrical and electronic system
ISSUED ON: DECEMBER 30, 2022
IMPLEMENTED ON: JULY 01, 2023
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Hazard analysis and risk assessment
4.1 Identification of hazards
4.2 Risk assessment
4.3 Relationship between safety goals and safety status
Appendix A (Informative) Movement at whole vehicle level
Appendix B (Informative) Guidelines for severity rating
B.1 General introduction
B.2 Description
Appendix C (Informative) Example of hazard analysis and risk assessment of steering function
C.1 General
C.2 Definition of dependent items: Overview of functional concepts
C.3 HAZOP analysis
C.4 Hazard analysis and risk assessment
Appendix D (Informative) Example of hazard analysis and risk assessment for drive and transmission functions
D.1 General
D.2 Definition of dependent items: Overview of functional concepts
D.3 Hazard and operability analysis
D.4 Hazard analysis and risk assessment
D.5 Example details
Appendix E (Informative) Example of hazard analysis and risk assessment for suspension control function
E.1 Introduction
E.2 Definition of dependent items: Overview of functional concepts
E.3 Hazard analysis
E.4 Hazard analysis and risk assessment
E.5 Other considerations
Appendix F (Informative) Example of hazard analysis and risk assessment for braking and parking brake functions
F.1 General
F.2 Definition of dependent items: Overview of functional concepts
F.3 HAZOP analysis
F.4 Hazard analysis and risk assessment
F.5 Explanation and detail description of example
References

Road vehicles - ASIL determination guidelines for electrical and electronic system

1 Scope
This document presents methods for determining the ASIL (Automotive Safety Integrity Level) of electrical and electronic systems in road vehicles. Determining the ASIL of electrical and electronic systems is required by GB/T 34590.3-2022. This document applies to safety-related systems that incorporate one or more electrical/electronic systems, as installed on mass-produced road vehicles other than mopeds.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies.
GB/T 34590 (all parts) Road vehicles - Functional safety
GB/T 34590.1-2022 Road vehicles - Functional safety - Part 1: Vocabulary (ISO 26262-1:2018, MOD)
GB/T 34590.3-2022 Road vehicles - Functional safety - Part 3: Concept phase (ISO 26262-3:2018, MOD)

3 Terms and definitions
The terms and definitions defined in GB/T 34590.1-2022, as well as the following terms and definitions, apply to this document.

4 Hazard analysis and risk assessment
4.1 Identification of hazards
Hazard analysis and risk assessment (HARA) is an analysis process that identifies potential hazards, combines them with operating scenarios to form a set of specific hazardous events, and assesses the risk of each hazardous event in order to determine its ASIL and the safety goals. The definition of the dependent item is a prerequisite for HARA. Hazards can be identified using different hazard analysis techniques.
This document gives examples of hazard identification using the Hazard and Operability Analysis (HAZOP) technique. HAZOP is an exploratory analysis method that can be used to identify and evaluate the abnormal performance of dependent items; it helps to examine the operation of dependent items at the vehicle level in a structured and systematic way. The method applies guide words to each function of the dependent item in order to postulate its different abnormal behaviours, which can lead to hazards. These hazards may be harmful to the occupants of the target vehicle, to other vehicles and their occupants, or to other persons at risk, for example pedestrians, cyclists, or maintenance personnel in the vicinity of the target vehicle. Other effective methods can also be used to identify relevant hazards; this document does not recommend or endorse a specific hazard identification method. Hazard identification is part of hazard analysis and risk assessment. Appendix A describes the motion behaviour of the vehicle along its different axes.

The following is an example of applying a simple HAZOP method to identify hazards caused by potential abnormal performance of dependent items. Based on the function described in the definition of the dependent item, consider the role and capability of the dependent item's actuator, then postulate the following abnormal functions of the dependent item:
a) Loss of function - when required, no function is provided.
b) Wrong function provided when required:
  1) Wrong function - more than expected;
  2) Wrong function - less than expected;
  3) Wrong function - opposite direction.
c) Unexpected function - function provided when not required.

e) When evaluating certain vehicle operating scenarios, a combination of factors may be required for a hazard to cause a specific injury. A vehicle operating scenario may be composed of several factors, some of which may be closely related. For a combination of factors that together form the precondition of a hazardous event, the correct value of the exposure probability can only be determined after the relationship between the factors has been identified.
Example: A scene with snow and ice is highly correlated with reduced pavement friction. If the snow-and-ice scene and the reduction of road friction were each rated E2 as independent factors, combining them as independent factors would imply an exposure probability lower than E2; for a scene with snow and ice, however, the combined exposure is equivalent to E2. Treating such linked scenarios as independent might therefore lead to an inappropriate downgrading of the exposure probability.
f) In the hazard analysis and risk assessment, do not consider hazards that are already covered by workplace safety regulations for maintenance personnel, nor hazards caused by dependent items that are under repair (see Note 1 in 4.1).
g) The defined hazardous events shall be specific enough to ensure that the degree of harm can be defined accurately and controllability can be determined.
● A scenario can be divided into several newly added, more specific scenarios (which may lead to different S and C parameters);
● If the analysis results of multiple scenarios related to the same hazard are similar or identical, these scenarios shall be combined for analysis;
● The above guidelines shall not be used to artificially increase or decrease exposure probability factors;
● An exhaustive examination of every possible combination is not required; it is sufficient to consider typical vehicle operating scenarios and to include those that lead to the highest ASIL.
4.2.3 Step 2: Determine severity
4.2.3.1 General information
According to GB/T 34590 (all parts), the "severity" of potential harm caused by a specific hazardous event can be defined as one of the four levels shown in Table 5. These "severity" levels are a general classification that provides guidance on assigning an ASIL to a given hazardous event. Often, "severity" levels are difficult to define exactly. Because, the "severity" result hazard event. The development of this hypothetical scenario involves multiple sources of information, including but not limited to expert analysis and judgement, analysis of technical reports on particularly relevant accidents, or analysis of test, simulation and historical accident data. Appendix B provides general information that can be used to assign the appropriate "severity" level to motion control hazards at the vehicle level.

4.2.3.2 Guidance on assignment of "severity" to crash-related hazards
During the hazard analysis and risk assessment process, assigning a "severity" level requires expert assessment and consideration of a representative sample of traffic conditions, vehicle speeds and road conditions. Due to continued advances in vehicle, road and crash-related active and passive safety technologies, as well as increased education and law enforcement regarding road user safety behaviour, analysis of historical accident data tends to overestimate the injury risk that future measures target, and may also lack suitable data for new and different scenarios. In these cases, models can be used to incorporate new scenarios into the context of historical data, in order to better predict outcomes.

In general, the risk of injury to road users increases as the collision speed increases. For planar collisions, the estimated velocity difference (ΔV) before and after the collision, which is available in some historical accident databases, can assist the evaluation of the "severity" of the accident. Consideration may be given to replacing ΔV with other pre- and post-crash estimators (e.g., energy-equivalent velocity, relative vehicle/object velocity), and to accounting for other crash characteristics such as vehicle overlap and crush/intrusion. Appendix B provides general guidance that may assist in the "severity" rating. For non-planar crashes, such as rollovers, other available criteria depending on the hazard scenario can be used for the "severity" assessment. The examples given in GB/T 34590.3-2022 can also be used as a reference for assigning "severity".

When determining the likely "severity" level of a crash from historical data, the available data relevant to the system under development shall be analysed. For example, the balance between driver and vehicle control is changing due to the introduction of new active safety features that automatically intervene in vehicle dynamics in certain crash-imminent situations. Therefore, as new features are applied, current data may not reflect the appropriate results. When determining the "severity" and ASIL, the vehicle or system manufacturer shall analyse all technologies applied to the specific vehicle. The "severity" levels of the hazardous events that are representative of the various scenarios considered are to be documented in the hazard analysis and risk assessment document.
Note 1: The "probability of exposure" needs to be considered when setting the "severity" level related to it. For a certain driving condition, if a value higher than the "severity" level accidents, due to abnormal performance of the new system, if applicable, can be compared with existing relevant accident data. The test subject's response behaviour to the hazard can then be assessed to derive a preliminary level of controllability.
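A worked instance of the HARA flow described above, added here as an example and not taken from GB/Z 42285-2022 or GB/T 34590.3-2022: HAZOP guide words from 4.1 name the abnormal EPS function, the correlated-factor rule of item e) decides the exposure class, and the ASIL is looked up in the S/E/C table of ISO 26262-3:2018 Table 4 (GB/T 34590.3-2022 adopts it with modifications; the table itself is not reproduced on this page). The hazardous events, their S/E/C ratings and the mid-band exposure fractions are constructed for illustration.

```python
# Added example; not text or code from GB/Z 42285-2022. Steps through the HARA
# flow described above for the EPS assist function of Appendix C. The S/E/C to
# ASIL table is ISO 26262-3:2018 Table 4 (GB/T 34590.3-2022 is its modified
# adoption) and is not reproduced on this page; all events are constructed.
from dataclasses import dataclass
from enum import IntEnum

class S(IntEnum):  # severity
    S0 = 0; S1 = 1; S2 = 2; S3 = 3

class E(IntEnum):  # probability of exposure
    E0 = 0; E1 = 1; E2 = 2; E3 = 3; E4 = 4

class C(IntEnum):  # controllability
    C0 = 0; C1 = 1; C2 = 2; C3 = 3

# Mid-band fractions of operating time per exposure class, constructed from the
# duration bounds of ISO 26262-3:2018 Annex B (E2 < 1 %, E3 1 %-10 %, E4 > 10 %).
_E_FRACTION = {E.E1: 0.0005, E.E2: 0.005, E.E3: 0.05, E.E4: 0.5}

def combine_exposure(factors: list[E], correlated: bool) -> E:
    """Exposure of a multi-factor scenario (item e above). Independent factors
    make the joint scenario rarer: multiply fractions and reclassify. Correlated
    factors (snow/ice and low friction) are one phenomenon: keep the class of the
    rarer factor rather than downgrading further."""
    if correlated:
        return min(factors)
    joint = 1.0
    for f in factors:
        joint *= _E_FRACTION[f]
    if joint > 0.10:
        return E.E4
    return E.E3 if joint >= 0.01 else E.E2 if joint >= 0.001 else E.E1

def asil(s: S, e: E, c: C) -> str:
    """ASIL per ISO 26262-3:2018 Table 4. A class of 0 in any parameter gives QM;
    otherwise the table equals the sum S+E+C: 6 or less QM, 7 A, 8 B, 9 C, 10 D."""
    if min(s, e, c) == 0:
        return "QM"
    return {7: "ASIL A", 8: "ASIL B", 9: "ASIL C", 10: "ASIL D"}.get(s + e + c, "QM")

@dataclass(frozen=True)
class HazardousEvent:
    hazard: str        # vehicle-level hazard, e.g. unintended steering
    guide_word: str    # HAZOP guide word of 4.1 a) to c) that produced it
    scenario: str      # operating scenario
    factors: tuple     # exposure class of each scenario factor
    correlated: bool   # True when the factors are one linked phenomenon
    s: S
    c: C

    def level(self) -> str:
        return asil(self.s, combine_exposure(list(self.factors), self.correlated), self.c)

def safety_goal_asil(events: list[HazardousEvent]) -> dict[str, str]:
    """Per hazard, the highest ASIL over its scenarios (4.1 g above); the safety
    goal that addresses the hazard inherits that ASIL."""
    order = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]
    out: dict[str, str] = {}
    for ev in events:
        lvl = ev.level()
        if ev.hazard not in out or order.index(lvl) > order.index(out[ev.hazard]):
            out[ev.hazard] = lvl
    return out

# Constructed EPS hazardous events; the S/E/C ratings are illustrative only.
EPS_EVENTS = [
    HazardousEvent("unintended steering", "more than expected", "highway, dry road",
                   (E.E4,), False, S.S3, C.C3),
    HazardousEvent("unintended steering", "more than expected", "parking manoeuvre",
                   (E.E3,), False, S.S1, C.C2),
    HazardousEvent("loss of steering assist", "loss of function",
                   "snow and ice, low friction", (E.E2, E.E2), True, S.S2, C.C3),
]
```

The third event shows the point of item e): rated as two correlated E2 factors it stays E2 and yields ASIL A, whereas multiplying the factors as if independent would drop it to E1 and QM.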
Overestimation of the severity, probability of exposure and controllability parameters, and of the derived ASIL, needs to be avoided, since it may result in the reduction or even elimination of functions or features that are beneficial to overall safety. Underestimation of these parameters and of the derived ASIL shall also be avoided; otherwise it may lead to insufficient safety requirements.

Appendix C provides examples of hazard analysis and risk assessment for electric power steering (EPS) assistance functions. Appendix D provides examples of hazard analysis and risk assessment for drive and transmission functions. Appendix E provides an example of hazard analysis and risk assessment for a suspension control function. Appendix F provides examples of hazard analysis and risk assessment for brake and parking brake functions.

4.3 Relationship between safety goals and safety status
When a hazard analysis and risk assessment is performed, the output is a set of safety goals that ensure safe operation. The definition of these safety goals considers avoiding or mitigating the potential harm that may be caused by the abnormal function of dependent items; the controllability measure can be used in the definition of safety goals. In a functional safety concept or a technical safety concept, a safe state and the associated safety measures are defined appropriately, so as to achieve the safety goals in the event of a failure of the dependent item. A hazard analysis and risk assessment of a safe state is not always required, although the hazards of a safe state can be derived from the hazard analysis and risk assessment when the safe state coincides with a specific failure at the dependent item level. Inconsistencies may therefore arise, because the safety goal and the safe state are both derived from consideration of failure behaviour, but at different points in the safety lifecycle.

For the consistency of the safety file, it is recommended that the safe state not violate the safety goal. This can be achieved by formulating the safety goals and the individual safe states differently. For example, a safety goal could be "avoid loss of the emergency braking function without warning", whilst a safe state could be "disable the function and notify the driver that the function is not available". In this safe state, a warning mitigates the consequences of the loss of function, because the driver becomes aware that the function is no longer available. The safety concept and the HARA shall be consistent; otherwise there will be a negative impact on the safety file. If the safety status of this safety goal

Appendix B (Informative) Guidelines for severity rating
B.1 General introduction
This Appendix contains general information on assigning severity levels to vehicle motion control hazards as part of the hazard analysis and risk assessment. The content of this Appendix is not exhaustive or complete, which shall be kept in mind when applying it. The assignment of severity levels may draw on a variety of sources of information, including (but not mandatorily or exclusively): expert analysis and judgement, analysis of specific relevant crash or crash test technical reports, simulation tests, or historical crash data. Crash accidents, laboratory tests, road tests and other test data provide objective, reliable and repeatable results. Simulation testing can provide direction on pre-crash scenarios and on the relative contributions of the many factors and interactions that typically occur in crash events. Analysis of historical traffic accident data can provide overall guidance on accident frequency and injury likelihood for various crash scenarios. However, inherent limitations make precise predictions about future conditions impossible.
For scenarios based on vehicle collision accidents, GB/T 34590.3-2022 defines the concept of severity levels based on the injuries suffered by persons in collision accidents (see Table B.1). GB/T 34590.3-2022 refers to the Abbreviated Injury Scale (AIS), which assigns a severity score of 0 ~ 6 to a single injury, and uses the "probability of injury" at a specific AIS level as an example for assigning the S0 ~ S3 severity levels. AIS injury ratings for some or all of the road users involved in traffic accidents within a geographic region are provided in some historical accident databases. These accident data are usually collected from a small sample, and the case selection criteria vary by region. In order to make proper use of injury ratings derived from the available accident databases, the inherent limitations of the data sources shall be analysed. Using accident data to support severity ratings requires a solid understanding of the data collected and of the limitations of the available data, to ensure that appropriate methods are used and results are properly interpreted.

In general, published literature and real-world analyses of different global crash databases reveal the principle that crash severity increases with relative speed. Consequently, a higher driving speed may increase the likelihood of a collision at a higher relative speed, which in turn increases the likelihood of injury. However, there may be wide variation in the definition of the speed intervals used to allocate S0 ~ S3, depending on the source of the historical accident data and the specific crash screening criteria. These variations may be due to regional differences in the traffic environment, differences in the sampling criteria of the historical accident data, or the consideration of other factors such as the available crash attributes, crash types, and the occupant restraints fitted or used.

Technical and practical considerations for the use of historical accident data, available in the literature or in specially developed analyses, to support severity ratings include:
- For in-depth accident databases, case sampling criteria and the data collected vary globally. Discrepancies between the analysis results of different databases may be partly due to variation in the sampling criteria.
- The sample size shall be considered, to better understand the uncertainty of the accident sampling process, because that process varies with each available database. In particular, the low frequency of crashes at the highest injury severity in existing in-depth accident databases may limit the injury classification and thus the support for the assigned severity.
- Selection of the sample population (level of analysis). For a given set of crashes, the injury rating for the crash, for the vehicle involved, for the road user or for the vehicle occupant may differ, based on the highest injury severity recorded. That is to say, for any specific set of crashes, the injury severity rating calculated at the crash level, vehicle level or occupant level is different.
- According to Note 1 of 6.4.3.2 in GB/T 34590.3-2022, the severity classification should take into account the possible injuries suffered by all participants involved in the accident.
- Many data that are collected after the crash and may be related to injury risk are unknown before the crash, so these data cannot be used in the pre-crash scenario. Examples include occupant characteristics (e.g., older occupants are generally at higher risk of injury than younger occupants in similar crashes) and crash object characteristics (e.g., the collision energy potential of a lightly loaded versus a fully loaded large commercial vehicle differs).
- Estimation of collision energy after a collision accident (for example: relative vehicle speed, equivalent vehicle speed for obstacle avoidance):
  ● Calculations are not necessarily performed for each vehicle (for example: in current trailer collision cases, if the collision object is a medium/heavy truck, no relative speed estimate is available);
  ● Not necessarily consistent with the occupant impact pulse, which may be
- Although accidents are sampled according to a well-defined method, there are some deviations compared with official statistics, which can be compensated for by standardized and published weighting methods.
- When an existing database is used to determine the accident severity of vehicles still under development, the active and passive safety and road infrastructure improvements that occurred in the meantime need to be considered. One possible way to account for this progress is to consider only recent models or vehicles equipped with certain systems (e.g., ABS, ESC, air curtains, pedestrian protection).
- A given hazardous situation may lead to a range of possible accident scenarios. Analysts should avoid detailed analysis that can only be predicted a posteriori and cannot be predicted in hazard analysis and risk assessment.

Based on each individual analysis of the above data sources, a discrete set of speed ranges is generated for severity levels S0 ~ S3. Table B.1 summarizes the results of the independent analyses, defining the minimum and maximum speed ranges for each of the severity levels S0 ~ S3. The ranges shown in Table B.1 reflect the overlap of the discrete speed ranges produced by the different analyses; the overlap may be due to differences in the available data sources and analysis methods. These differences may include:
- Regional driving patterns and environment;
- Crash selection criteria of the in-depth accident database;
- Extrapolation from in-depth accident databases to wider populations;
- Composition of the regional vehicle fleet;
- Vehicle selection criteria (for example: vehicle age, equipment with specific vehicle technologies such as airbags);
- Definition of collision type (frontal, side, rear collision) (for example: damaged plane, direction of impact force);
- Classification of collision types (for example: amount of overlap);
- Collision objects included and their classification;
- Occupant restraint conditions (e.g., seat position, restraint use);
- Occupant characteristics (for example: age);
- Non-occupant injury outcomes included (for example: pedestrians, occupants of other vehicles).

Appendix C (Informative) Example of hazard analysis and risk assessment of steering function
C.1 General
This Appendix provides examples of hazard analysis and risk assessment for electric power steering (EPS) assistance functions. C.3 provides a HAZOP analysis to identify abnormalities of the EPS function that correspond to hazards at the vehicle level. C.4 provides some examples of EPS malfunctions, the resulting hazards at the vehicle level and the associated ASILs. This Appendix does not represent a functionally complete hazard analysis and risk assessment, but rather a subset of the functional safety hazards of the EPS function, provided as guidance.
Note: This Appendix contains examples of ASILs for selected hazardous events. The ASIL shall be determined through negotiation between the relevant parties. Appendix B of GB 17675-2021 gives the minimum requirements for the steering system.

C.2 Definition of dependent items: Overview of functional concepts
The EPS function assists the driver in providing directional control of the vehicle through the steered wheels, while reducing the steering effort required from the driver. EPS measures the driver's intent at the steering wheel and processes it together with other vehicle inputs to provide steering torque assistance. The scope of this analysis assumes that the EPS system has a mechanical steering connection, so that when the EPS power assist function is lost, the driver can still steer the vehicle manually.

C.3 HAZOP analysis
Table C.1 lists the HAZOP analysis to identify dysfunctional behaviours of the EPS assist function. Table C.2 lists the mapping from EPS functional abnormalities to vehicle hazards.
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.