File name:
ISO-PAS_21448-2019 [HD version].pdf
File size: 10.59 MB
Downloads: 1
Upload time: 2019-07-19
Description: ISO-PAS_21448-2019 [HD version]. After two rounds of iteration, functional safety (ISO 26262) could not be applied to autonomous driving on its own, and SOTIF emerged to fill that gap. ISO/PAS 21448:2019(E)
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of this document's activities in the development process
5 Functional and system specification (intended functionality content) 11
5.1 Objectives
5.2 Functional description
5.3 Consideration on system design and architecture 12
6 Identification and evaluation of hazards caused by the intended functionality 13
6.1 Objectives 13
6.2 Hazard identification 14
6.3 Hazard analysis 15
6.4 Risk evaluation of the intended function 16
6.5 Specification of a validation target 16
7 Identification and evaluation of triggering events 17
7.1 Objectives 17
7.2 Analysis of triggering events
7.2.1 Triggering events related to algorithms 17
7.2.2 Triggering events related to sensors and actuators 18
7.3 Acceptability of the triggering events 19
8 Functional modifications to reduce SOTIF related risks 19
8.1 Objectives 19
8.2 General
8.3 Measures to improve the SOTIF 20
8.4 Updating the system specification
9 Definition of the verification and validation strategy 22
9.1 Objectives
9.2 Planning and specification of integration and testing 23
10 Verification of the SOTIF (Area 2) 23
10.1 Objectives
10.2 Sensor verification 24
10.3 Decision algorithm verification
10.4 Actuation verification 25
10.5 Integrated system verification 25
11 Validation of the SOTIF (Area 3) 26
11.1 Objectives 26
11.2 Evaluation of residual risk 26
11.3 Validation test parameters 26
12 Methodology and criteria for SOTIF release 27
12.1 Objectives 27
12.2 Methodology for evaluating SOTIF for release 27
12.3 Criteria for SOTIF release 28
Annex A (informative) Examples of the application of SOTIF activities 30
Annex B (informative) Example for definition and validation of an acceptable false alarm rate in AEB systems 33
Annex C (informative) Validation of SOTIF applicable systems 41
Annex D (informative) Automotive perception systems verification and validation 43
Annex E (informative) Method for deriving SOTIF misuse scenarios 46
Annex F (informative) Example construction of scenario for SOTIF safety analysis method 49
Annex G (informative) Implications for off-line training 52
Bibliography 54

© ISO 2019 – All rights reserved
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The safety of road vehicles during their operation phase is of paramount concern for the road vehicles industry. Recent years have seen a large increase in the number of advanced functionalities included in vehicles. These rely on sensing, processing of complex algorithms and actuation implemented by electrical and/or electronic (E/E) systems.

An acceptable level of safety for road vehicles requires the avoidance of unreasonable risk caused by every hazard associated with the intended functionality and its implementation, especially those not due to failures, e.g. due to performance limitations. ISO 26262-1 defines vehicle safety as the absence of unreasonable risks that arise from malfunctions of the E/E system. ISO 26262-3 specifies a Hazard Analysis and Risk Assessment to determine vehicle level hazards. This evaluates the potential risks due to malfunctioning behaviour of the item and enables the definition of top-level safety requirements, i.e. the safety goals, necessary to mitigate the risks. The other parts of the ISO 26262 series provide requirements and recommendations to avoid and control random hardware failures and systematic failures that could violate safety goals.

For some systems, which rely on sensing the external or internal environment, there can be potentially hazardous behaviour caused by the intended functionality or performance limitation of a system that is free from the faults addressed in the ISO 26262 series. Examples of such limitations include:

- The inability of the function to correctly comprehend the situation and operate safely; this also includes functions that use machine learning algorithms;
- Insufficient robustness of the function with respect to sensor input variations or diverse environmental conditions.

The absence of unreasonable risk due to these potentially hazardous behaviours related to such limitations is defined as the safety of the intended functionality (SOTIF). Functional safety (addressed by the ISO 26262 series) and SOTIF are distinct and complementary aspects of safety.

To address the SOTIF, activities are implemented during the following phases:

- Measures in the design phase;
  EXAMPLE Requirement on sensor performance.
- Measures in the verification phase;
  EXAMPLE Technical reviews, test cases with a high coverage of relevant scenarios, injection of potential triggering events, in-the-loop testing (e.g. SIL/HIL/MIL) of selected SOTIF-relevant use cases.
- Measures in the validation phase.
  EXAMPLE Long term vehicle test, simulations.

A proper understanding of the function by the user, its behaviour and its limitations (including the human/machine interface) is the key to ensuring safety.

In many instances, a triggering event is necessary to cause a potentially hazardous behaviour; hence the importance of analysing hazards in the context of particular use cases.

In this document the hazards caused by a potentially hazardous system behaviour, due to a triggering event, are considered both for use cases when the vehicle is correctly used and for use cases when it is incorrectly used in a reasonably foreseeable way (this excludes intentional alterations made to the system's operation).

EXAMPLE Lack of driver attention while using a level 2 driving automation.

In addition, reasonably foreseeable misuse, which could lead directly to potentially hazardous system behaviour, is also considered as a possible triggering event.
A successful attack exploiting vehicle security vulnerabilities can also have very serious consequences (i.e. data or identity theft, privacy violation, etc.). Although security risks can also lead to potentially hazardous behaviour that needs to be addressed, security is not addressed by this document.

It is assumed that the random hardware faults and systematic faults of the E/E system are addressed using the ISO 26262 series. The activities mentioned in this document are complementary to those given in the ISO 26262 series.

Table 1 illustrates how the possible causes of hazardous events map to existing standards.
Table 1 – Overview of safety relevant topics addressed by different ISO standards

Source | Cause of hazardous event | Within scope of
System | E/E system failures | ISO 26262 series
System | Performance limitations or insufficient situational awareness, with or without reasonably foreseeable misuse | ISO/PAS 21448
System | Reasonably foreseeable misuse, incorrect HMI (e.g. user confusion, user overload) | ISO/PAS 21448; ISO 26262 series; European Statement of Principles on the design of human-machine interface
System | Hazards caused by the system technology | Specific standards
System | Successful attack exploiting vehicle security vulnerabilities | ISO 21434 (a) or SAE J3061
External factor | Impact from active infrastructure and/or vehicle to vehicle communication, external devices and cloud services | ISO 20077 series; ISO 26262 series
External factor | Impact from car surroundings (other users, "passive" infrastructure, environmental conditions: weather, electro-magnetic interference) | ISO/PAS 21448; ISO 26262 series

(a) Under preparation. Stage at the time of publication: ISO/SAE CD 21434.
NOTE Options for automated driving level definitions (from NHTSA, SAE and OICA, etc.) are discussed in the ITS Informal Group ECE/TRANS/WP29.
PUBLICLY AVAILABLE SPECIFICATION
ISO/PAS 21448:2019(E)

Road vehicles – Safety of the intended functionality
1 Scope
The absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons is referred to as the Safety Of The Intended Functionality (SOTIF). This document provides guidance on the applicable design, verification and validation measures needed to achieve the SOTIF. This document does not apply to faults covered by the ISO 26262 series or to hazards directly caused by the system technology (e.g. eye damage from a laser sensor).

This document is intended to be applied to intended functionality where proper situational awareness is critical to safety, and where that situational awareness is derived from complex sensors and processing algorithms; especially emergency intervention systems (e.g. emergency braking systems) and Advanced Driver Assistance Systems (ADAS) with levels 1 and 2 on the OICA/SAE standard J3016 automation scales. This edition of the document can be considered for higher levels of automation; however, additional measures might be necessary. This document is not intended for functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist at the time of publication (e.g. Dynamic Stability Control (DSC) systems, airbag, etc.). Some measures described in this document are applicable to innovative functions of such systems if situational awareness derived from complex sensors and processing algorithms is part of the innovation.

Intended use and reasonably foreseeable misuse are considered in combination with potentially hazardous system behaviour when identifying hazardous events.

Reasonably foreseeable misuse, which could lead directly to potentially hazardous system behaviour, is also considered as a possible event that could directly trigger a SOTIF-related hazardous event.

Intentional alteration to the system operation is considered feature abuse. Feature abuse is not in scope of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 26262-1:2018, Road vehicles – Functional safety – Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 26262-1:2018 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia: available at http://www.electropedia.org
3.1
action
atomic behaviour that is executed by any actor in a scene

Note 1 to entry: The temporal sequence of actions/events and scenes specifies a scenario.

EXAMPLE Ego vehicle activates the hazard warning light.

3.2
erroneous pattern
input that can trigger unintended behaviour

3.3
event
occurrence at a certain place and at a particular point in time

Note 1 to entry: The temporal sequence of actions/events and scenes specifies a scenario.

Note 2 to entry: In particular this document addresses triggering events (3.15) and hazardous events. A hazardous event is the combination of a hazard (caused by malfunctioning behaviour) and a specific operational situation. Refer to Figure 12 for details.

EXAMPLE 1 Tree falling on a street 50 m ahead of a vehicle xy.

EXAMPLE 2 Traffic light turning green at time XX:XX.

3.4
functional improvement
modification to a function, system or element specification to reduce risk

3.5
intended behaviour
specified behaviour of the intended functionality including interaction with items

Note 1 to entry: See Clause 5 for additional information about the specification of intended behaviour.

Note 2 to entry: The specified behaviour is the behaviour that the developer of the item considers to be the nominal (i.e. fault-free) functionality, with its capability limitations due to inherent characteristics of the components and technology used.

3.6
intended functionality
behaviour specified for a system

3.7
misuse
usage of the system by a human in a way not intended by the manufacturer of the system

Note 1 to entry: Misuse can result from overconfidence in the performance of the system.

Note 2 to entry: Misuse includes human behaviour that is not specified but does not include deliberate system alterations.

3.8
misuse scenario
scenario in which misuse occurs

3.9
performance limitation
insufficiencies in the implementation of the intended functionality

EXAMPLE Incomplete perception of the scene, insufficiency of the decision algorithm, insufficient performance of actuation.