Electrical equipment

Subject areas: Electrical equipment
Committee designation: SIS/TK 240 (Electrical and electronic equipment for road vehicles)
Source: ISO
Response date: 5 April 2021

This document provides a general argumentation framework and guidance on measures to ensure the safety of the intended functionality (SOTIF), i.e. the absence of unreasonable risk due to a hazard caused by:

a. the insufficiencies of specification of the intended functionality at the vehicle level, or

b. the insufficiencies of specification or performance limitations in the implementation of E/E elements in the system

NOTE Depending on the application, elements of other technologies can be relevant when evaluating the SOTIF.

These hazards can be triggered by specific conditions of a scenario, including reasonably foreseeable misuse of the intended functionality or in combination with other functions at the vehicle level (e.g. activation of the parking brake while the automated driving function is active).

NOTE Information provided by the infrastructure (e.g. Car2x communication, maps) is also part of the evaluation of functional insufficiencies if it can have an impact on the SOTIF.

This document provides guidance on the applicable design, verification and validation measures, as well as activities during the operation phase, needed to achieve the SOTIF.

This document is applicable to an intended functionality where proper situational awareness is essential to safety and where such situational awareness is derived from complex sensors and processing algorithms, especially emergency intervention systems and systems having automation levels from 1 to 5.

This document is applicable to intended functionalities that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds.

This document does not apply to faults covered by the ISO 26262 series.

This document does not apply to hazards directly caused by the system technology (e.g. eye damage from a laser sensor).

This document does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by the intended functionality of safety-related E/E systems.

This document does not apply to attacks exploiting vehicle security vulnerabilities.

This document considers local driving laws, policies, or road norms only as far as they can impact the SOTIF, specifically where not following laws and rules of the road could lead to safety hazards. However, this document does not address legal compliance to driving laws and/or policies.

Furthermore, functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist (e.g. Dynamic Stability Control (DSC) systems, airbag) are exempt from the scope of this document.

EXAMPLE A system for which there is an existing standard sufficient to ensure safety.

Some measures described in this document are applicable to newly designed functions or elements of existing systems, if situational awareness derived from complex sensors and processing algorithms is part of the design.

EXAMPLE Complex sensing and fusion of the road and cabin environment might replace current accelerometer (or similar) based triggering mechanisms for airbags. SOTIF activities can be relevant because that change requires situational awareness.

Reasonably foreseeable misuse, which could lead directly to potentially hazardous behaviour, is in the scope of this document as a possible triggering condition. This is defined as “reasonably foreseeable direct misuse”.

Reasonably foreseeable misuse that prevents the driver from controlling the system’s hazardous behaviour, where this represents an unreasonable level of risk, is in scope of this document. This is defined as “reasonably foreseeable indirect misuse”.

An intentional action that clearly violates the system’s intended use is considered feature abuse. This is out of scope of this document.

EXAMPLE Applying a substitute hand to fool a “hands on wheel” detection safety measure.