
www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GB/Z 42285-2022 English PDF (GB/Z42285-2022)


GB/Z 42285-2022
GB
GUIDANCE TECHNICAL DOCUMENT FOR
STANDARDIZATION OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 43.040
CCS T 35
Road vehicles - ASIL determination guidelines for electrical
and electronic system
ISSUED ON: DECEMBER 30, 2022
IMPLEMENTED ON: JULY 01, 2023
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Hazard analysis and risk assessment
4.1 Identification of hazards
4.2 Risk assessment
4.3 Relationship between safety goals and safety status
Appendix A (Informative) Movement at whole vehicle level
Appendix B (Informative) Guidelines for severity rating
B.1 General introduction
B.2 Description
Appendix C (Informative) Example of hazard analysis and risk assessment of steering function
C.1 General
C.2 Definition of dependent items: Overview of functional concepts
C.3 HAZOP analysis
C.4 Hazard analysis and risk assessment
Appendix D (Informative) Example of hazard analysis and risk assessment for drive and transmission functions
D.1 General
D.2 Definition of dependent items: Overview of functional concepts
D.3 Hazard and operability analysis
D.4 Hazard analysis and risk assessment
D.5 Example details
Appendix E (Informative) Example of hazard analysis and risk assessment for suspension control function
E.1 Introduction
E.2 Definition of dependent items: Overview of functional concepts
E.3 Hazard analysis
E.4 Hazard analysis and risk assessment
E.5 Other considerations
Appendix F (Informative) Example of hazard analysis and risk assessment for braking and parking brake functions
F.1 General
F.2 Definition of dependent items: Overview of functional concepts
F.3 HAZOP analysis
F.4 Hazard analysis and risk assessment
F.5 Explanation and detail description of example
References
Road vehicles - ASIL determination guidelines for electrical
and electronic system
1 Scope
This document presents methods for determining the ASIL (Automotive Safety
Integrity Level) of electrical and electronic systems in road vehicles. Determining
the ASIL of electrical and electronic systems is required by GB/T 34590.3-2022.
This document applies to safety-related systems, which incorporate one or more
electrical/electronic systems, as installed on mass-produced road vehicles other than
mopeds.
2 Normative references
The contents of the following documents constitute the essential provisions of this
document through normative references in the text. Among them, for dated
references, only the version corresponding to the date applies to this document; for
undated references, the latest version (including all amendments) applies to this
document.
GB/T 34590 (all parts) Road vehicles - Functional safety
GB/T 34590.1-2022 Road vehicles - Functional safety - Part 1: Vocabulary (ISO
26262-1:2018, MOD)
GB/T 34590.3-2022 Road vehicles - Functional safety - Part 3: Concept phase
(ISO 26262-3:2018, MOD)
3 Terms and definitions
The terms and definitions as defined in GB/T 34590.1-2022, as well as the following
terms and definitions, apply to this document.
4 Hazard analysis and risk assessment
4.1 Identification of hazards
Hazard analysis and risk assessment (HARA) is an analysis process that identifies
potential hazards and combines them with operating scenarios to form a set of
specific hazard events, then assesses the risk of each hazard event to determine its
ASIL and safety goals.
The definition of the dependent item is a prerequisite for HARA. Hazard
identification can be achieved through different hazard analysis techniques. This
document gives examples of hazard identification using Hazard and Operability
Analysis (HAZOP) techniques. HAZOP is an exploratory analysis method that can be
used to identify and evaluate the abnormal performance of dependent items; it helps
to check the operation of dependent items at the vehicle level in a structured and
systematic way. This analysis method applies appropriate guide words to each
function of the dependent item to postulate its different abnormal performances,
which can lead to hazards. These hazards may be harmful to the occupants of the
target vehicle, to other vehicles and their occupants, or to other persons at risk,
for example pedestrians, cyclists, or maintenance personnel in the vicinity of the
target vehicle.
Other effective methods can also be used, to identify relevant hazards. This
document does not recommend or support a specific hazard identification method.
Hazard identification is part of hazard analysis and risk assessment. Appendix A
describes the motion behavior of the vehicle, along different axes.
The following is an example of applying a simple HAZOP method to identify hazards
caused by potential abnormal performance of dependent items. For example, based on
the function described in the definition of the dependent item, consider the role and
capability of the dependent item's actuator, then assume the following abnormal
functions of the dependent item.
a) Loss of function - When required, no function is provided.
b) Wrong function provided, when required:
1) Wrong function - More than expected;
2) Wrong function - Less than expected;
3) Wrong function - Opposite direction.
c) Unexpected functions - Provide functions when not required.
e) When evaluating certain vehicle operating scenarios, a combination of factors
may be required for a hazard to cause a specific injury. A vehicle operation
scenario may be composed of several factors; some of these factors may be
closely related. For the combination of factors that form the prerequisites of a
hazardous event, the correct value of the exposure probability can only be
calculated after identifying the relationship between the factors.
Example: A scene with snow and ice is highly correlated with reduced pavement
friction. If the exposure probabilities of the scene with snow or ice and of reduced
road friction are each rated E2 when considered independently of each other, then
combining these two factors, each rated E2, does not result in an exposure
probability lower than E2 (for scenes with snow and ice). Treating these linked
scenarios as independent might lead to inappropriate downgrading of the exposure
probability.
f) In the hazard analysis and risk assessment, do not consider the hazards that
have been covered by the safety regulations of the workplace for maintenance
personnel, as well as all hazards caused by dependent items that are being
repaired (see Note 1 in 4.1).
g) The defined hazardous events shall be specific enough, to ensure accurate
definition of the degree of harm and determination of controllability.
● A scene can be divided into several newly added specific scenes (may lead to
different S and C parameters);
● If the analysis results of multiple scenarios related to the same hazard are
similar or identical, these scenarios shall be combined for analysis;
● The above guidelines shall not be used, to artificially increase or decrease
exposure probability factors;
● This does not require an exhaustive examination of every possible
combination, it is sufficient to consider typical vehicle operating scenarios
and include those that lead to the highest ASIL level.
4.2.3 Step 2: Determine severity
4.2.3.1 General information
According to GB/T 34590 (all parts), the "severity" level of potential harm, which is
caused by a specific hazardous event, can be defined as one of the four levels shown
in Table 5. These "severity" levels are a general classification, to provide guidance
on assigning an ASIL for a given hazardous event.
Often, "severity" levels are difficult to define exactly. Because, the "severity" result
hazard event. The development of this hypothetical scenario involves multiple
sources of information, including but not limited to expert analysis and judgment,
analysis of technical reports, particularly relevant accidents or analysis of test,
simulation and historical accident data. Appendix B provides some general
information, that can be used to assign the appropriate "severity" level to motion
control hazards, at a given vehicle level.
4.2.3.2 Guidance on assignment of "severity" to crash-related hazards
During the hazard analysis and risk assessment process, assigning a "severity" level
requires expert assessment and consideration of a representative sample of various
traffic conditions, vehicle speeds and road conditions. Due to continued advances in
vehicle road and crash-related active and passive safety technologies, as well as
increased education and law enforcement on road user safety behaviors, analysis of
historical accident data tends to overestimate future measures targeting injury risk
and may also not contain suitable data for a new and different scenario. In these
cases, models can be used to incorporate new scenarios in the context of historical
data, in order to better predict outcomes.
In general, the risk of injury to road users increases as the collision speed increases.
For planar collisions, the estimation of the velocity difference (ΔV), before and after
the collision, which is available in some historical accident databases, can assist the
evaluation of the "severity" of the accident. Consideration may be given to replacing
ΔV with other pre- and post-crash estimators (e.g., energy-equivalent velocity,
relative vehicle/object velocity), and to account for other crash characteristics such
as vehicle overlap and crush/intrusion. Appendix B provides some general guidance,
that may assist in the "severity" rating. For non-planar crashes, such as rollovers,
other available criteria depending on the hazard scenario can be used for the
"severity" assessment. The examples given in GB/T 34590.3-2022 can also be used,
as a reference for the assignment of "severity".
When determining the likely "severity" level of a crash from historical data, the
available data relevant to the system under development shall be analyzed. For
example, the balance between driver and vehicle control is changing, due to the
introduction of new active safety features, that automatically intervene in vehicle
dynamics, in certain specific crash-imminent environments. Therefore, as new
features are applied, current data may not reflect suitable results. When determining
the "severity" and ASIL level, the vehicle or system manufacturer shall analyze all
technologies, that are applied to a specific vehicle.
The "severity" levels of the hazardous events, that are representative of the various
scenarios considered, are to be documented in the hazard analysis and risk
assessment document.
Note 1: The "probability of exposure" needs to be considered to set the "severity" level
related to it. For a certain driving condition, if a value higher than the "severity" level
accidents, due to abnormal performance of the new system, if applicable, can be
compared with existing relevant accident data. The test subject's response behavior
to the hazard can then be assessed, to derive a preliminary level of controllability.
Overestimation of the severity, probability of exposure and controllability
parameters, and of the derived ASIL, needs to be avoided, as it may result in the
reduction, or even elimination, of functions or features that are beneficial to
overall safety. Underestimation of the severity, probability of exposure and
controllability parameters, and of the derived ASIL, also needs to be avoided;
otherwise, it may lead to insufficient safety requirements.
Appendix C provides examples of hazard analysis and risk assessment for electric
power steering (EPS) assistance functions.
Appendix D provides examples of hazard analysis and risk assessment for drive and
transmission functions.
Appendix E provides an example of a hazard analysis and risk assessment for a
suspension control function.
Appendix F provides examples of hazard analysis and risk assessment for brake and
parking brake functions.
4.3 Relationship between safety goals and safety status
When performing a hazard analysis and risk assessment, the output is a set of
safety goals to ensure safe operation. The definition of these safety goals
considers avoiding or mitigating the potential harm that may be caused by the
abnormal function of dependent items; the controllability measurement can be used
for the definition of safety goals. In a functional safety concept or a technical
safety concept, a safe state and associated safety measures are appropriately
defined, to achieve the safety goals in the event of a failure of the dependent item.
A "hazard analysis and risk assessment" for a safe state is not always required,
although the hazards of a safe state can be derived from a "hazard analysis and risk
assessment" when the safe state coincides with a specific failure at the dependent
item level. Therefore, inconsistencies may arise, as both the safety goal and the
safe state are derived from consideration of failure behavior at different points in
the safety life cycle. For the consistency of the safety profile, it is recommended
that the safe state not violate the safety goal. This recommendation can be
achieved by different formulations of safety goals and individual safe states. For
example, a safety goal could be "avoiding loss of the emergency braking function
without warning", whilst a safe state could be "disabling the function and notifying
the driver that the function is not available". In this safe state, an alarm mitigates
the consequences of loss of function, because the driver becomes aware that the...