SAE規格 J2980, 2023: Considerations for ISO 26262 ASIL Hazard Classification

Description

This SAE Recommended Practice presents a method and example results for determining the Automotive Safety Integrity Level (ASIL) for automotive motion control electrical and/or electronic (E/E) systems. The ASIL determination activity is required by ISO 26262-3, and it is intended that the process and results herein are consistent with ISO 26262. The technical focus of this document is on vehicle motion control systems. The scope of this SAE Recommended Practice is limited to collision-related hazards associated with motion control systems. This SAE Recommended Practice focuses on motion control systems since the hazards they can create generally have higher ASIL ratings, as compared to the hazards non-motion control systems can create. Because of this, the Functional Safety Committee decided to give motion control systems a higher priority and focus exclusively on them in this SAE Recommended Practice. ISO 26262 has a wider scope than SAE J2980, covering other functions and accidents (not just motion control or collisions as in SAE J2980).

Purpose
This SAE Recommended Practice is intended to provide guidance for identifying and classifying hazardous events, which are defined at the vehicle level utilizing the ISO 26262 Hazard Analysis and Risk Assessment (HARA) method. This SAE Recommended Practice is intended as a guide toward standard practice and is subject to change to keep pace with experience and technical advances. It is not intended to be a substitute for the concept phase activities of ISO 26262. All the examples and samples contained in this document are intended to aid the reader in understanding the guidance provided in this document and are not intended to be exhaustive or complete references. Therefore, they do not substitute for a corresponding analysis of the specific item to which the reader is attempting to apply ISO 26262.

Background
ASIL classification is a result of the HARA which is initiated during the concept phase of the item development. The HARA is conducted to identify vehicle-level hazards and evaluate the ASIL of each hazardous event. The ASIL classification is determined by assessing the parameters Severity (S), Exposure (E), and Controllability (C) associated with each hazardous event. Guidelines for determining the hazards at the vehicle level and, once determined, the Exposure, Severity and Controllability for a given hazardous event in accordance with ISO 26262 are provided in this document. In case of conflicts between SAE J2980 and ISO 26262, ISO 26262 has precedence. This SAE Recommended Practice uses terminology consistent with ISO 26262 when discussing vehicle-level hazards and HARA development.

The intended user of this SAE Recommended Practice is a functional safety analyst complying with requirements in ISO 26262-3, 6.4. Therefore, this SAE Recommended Practice does not intend to provide further necessary knowledge or guidelines in related fields including, but not limited to, item specific knowledge, user and road profiling, medicine, statistics, accident research and human factors. Instead, it is intended to be related to the field of functional safety with the focus on the HARA method only.

In the examples and appendices, the values shown are for reference only. Any new HARA can use the latest relevant data and analyses. The values shown in this document were created based on some, but not all segments of information expected within an item definition (refer to ISO 26262-3, 6.4), and thus should not be considered as an item definition. ISO 26262 requires that a HARA be based on a specific item definition. This document is not to be construed to suggest that creating a HARA without a specific item definition is acceptable—such a practice is not recommended. The scope of ISO 26262 is limited to functional safety which is one aspect of the overall system safety assessment in safety risk management.

Limitations
As for any risk assessment method, the methods mentioned in this document have inherent limitations. The HARA describes a simplified model of the real world, which is neither complete nor fully accurate. Although each assessment is based on available or applicable data as well as on expert judgment, the interpretation of such data can vary among analyses. For these reasons, the user of this document should bear in mind these limitations and judge the applicability of SAE J2980 in any particular case.