
ANNEX III Special requirements to be applied to the safety aspects of complex electronic vehicle control systems (extent: U.K.)

1. General

This Annex defines the special requirements for documentation, fault strategy and verification with respect to the safety aspects of complex electronic vehicle control systems for the purposes of this Regulation.

This Annex may also be applied for safety related functions which are controlled by electronic system(s).

This Annex does not specify the performance criteria for complex electronic vehicle control systems but covers the methodology applied to the design process and the information which must be disclosed to the technical service for type-approval purposes.

That information shall show that a complex electronic vehicle control system respects, under normal and fault conditions, all the appropriate performance requirements set out in this Regulation.

2. Definitions

For the purposes of this Annex, the following definitions shall apply:

2.1. ‘Safety concept’ means a description of the measures designed into the system, for example within the electronic units, so as to address system integrity and thereby ensure safe operation even in the event of an electrical failure.

The possibility of a fall-back to partial operation or even to a back-up system for vital vehicle functions may be a part of the safety concept.

2.2. ‘Electronic control system’ means a combination of units, designed to co-operate in the production of the stated vehicle control function by electronic data processing.

Such systems, often controlled by software, are built from discrete functional components such as sensors, electronic control units and actuators and connected by transmission links. They may include mechanical, electro-pneumatic or electro-hydraulic elements.

2.3. ‘Complex electronic vehicle control systems’ mean those electronic control systems which are subject to a hierarchy of control in which a controlled function may be over-ridden by a higher level electronic control system/function.

2.4. ‘Higher-level control systems/functions’ mean those systems/functions which employ additional processing and/or sensing provisions to modify vehicle behaviour by commanding variations in the normal function(s) of the vehicle control system.

This allows complex systems to automatically change their objectives with a priority which depends on the sensed circumstances.

2.5. ‘Units’ mean the smallest divisions of system components covered by this Annex: those combinations of components will be treated as single entities for purposes of identification, analysis or replacement.

2.6. ‘Transmission links’ mean the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply.

This equipment is generally electrical but may, in some part, be mechanical, pneumatic, hydraulic or optical.

2.7. ‘Range of control’ means an output variable corresponding to the range over which the system is likely to exercise control.

2.8. ‘Boundary of functional operation’ means the boundaries of the external physical limits within which the system is able to maintain control.

3. Documentation

3.1. Requirements

The manufacturer shall provide a documentation package which gives access to the basic design of the complex electronic vehicle control system for which type-approval is applied (hereinafter referred to as ‘the System’) and the means by which it is linked to other vehicle systems or by which it directly controls output variables.

The function(s) of ‘the System’ and the safety concept, as laid down by the manufacturer, shall be explained.

Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the system fields which are involved.

For periodic technical inspections, the documentation shall describe how the current operational status of ‘the System’ can be checked.

3.1.1. Documentation shall be made available in the following two parts:

(a) the formal documentation package for the approval, containing the material listed in Section 3 (with the exception of that of point 3.4.4) which shall be supplied to the technical service at the time of submission of the type-approval application. This will be taken as the basic reference for the verification process set out in point 4;

(b) additional material and analysis data referred to in point 3.4.4, which shall be retained by the manufacturer, but made open for inspection at the time of type-approval.

3.2. Description of the functions of ‘the System’

A description shall be provided which gives a simple explanation of all the control functions of ‘the System’ and the methods employed to achieve the objectives, including a statement of the mechanism(s) by which control is exercised.

3.2.1. A list of all input and sensed variables shall be provided and the working range of these defined.

3.2.2. A list of all output variables which are controlled by ‘the System’ shall be provided and an indication given, in each case, of whether the control is direct or via another vehicle system. The range of control exercised on each such variable shall be defined.

3.2.3. Limits defining the boundaries of functional operation shall be stated where appropriate to system performance.

3.3. System layout and schematics

3.3.1. Inventory of components

A list shall be provided, collating all the units of ‘the System’ and mentioning the other vehicle systems which are needed to achieve the control function in question.

An outline schematic showing those units in combination shall be provided with both the equipment distribution and the interconnections made clear.

3.3.2. Functions of the units

The function of each unit of ‘the System’ shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.

3.3.3. Interconnections

Interconnections within ‘the System’ shall be shown by a circuit diagram for the electric transmission links, by an optical-fibre diagram for optical links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages.

3.3.4. Signal flow and priorities

There shall be a clear correspondence between these transmission links and the signals carried between units.

Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety for the purpose of this Regulation.

3.3.5. Identification of units

Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware and marking or software output for software content) to provide corresponding hardware and documentation association.

Where functions are combined within a single unit or within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used.

The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.

3.3.5.1. The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit for the purpose of this Regulation, this identification shall also be changed.

3.4. Safety concept of the manufacturer

3.4.1. The manufacturer shall provide a statement which affirms that the strategy chosen to achieve ‘the System’ objectives will not, under non-fault conditions, prejudice the safe operation of systems which are subject to the provisions of this Regulation.

3.4.2. In respect of software used in ‘the System’, the outline architecture shall be explained and the design methods and tools used shall be identified. The manufacturer shall be prepared, if required, to show evidence of the means by which the realisation of the system logic has been determined during the design and development process.

3.4.3. The manufacturer shall provide the technical authorities with an explanation of the design provisions built into ‘the System’ so as to generate safe operation under fault conditions. Possible design provisions for failure in ‘the System’ are for example:

(a) fall-back to operation using a partial system;

(b) change-over to a separate back-up system;

(c) removal of the high level function.

In case of a failure, the driver shall be warned for example by warning signal or message display. When the system is not deactivated by the driver, e.g. by turning the ignition (run) switch to ‘off’, or by switching off that particular function if a special switch is provided for that purpose, the warning shall be present as long as the fault condition persists.

3.4.3.1. If the chosen provision selects a partial performance mode of operation under certain fault conditions, then those conditions shall be stated and the resulting limits of effectiveness defined.

3.4.3.2. If the chosen provision selects a second (back-up) means to realise the vehicle control system objective, the principles of the change-over mechanism, the logic and level of redundancy and any built-in back-up checking features shall be explained and the resulting limits of back-up effectiveness defined.

3.4.3.3. If the chosen provision selects the removal of the higher level function, all the corresponding output control signals associated with this function shall be inhibited, and in such a manner as to limit the transition disturbance.
3.4.4. The documentation shall be supported by an analysis which shows, in overall terms, how the system will behave on the occurrence of any one of those specified faults which will have a bearing on vehicle control performance or safety.

This may be based on a Failure Mode and Effect Analysis (FMEA), a Fault Tree Analysis (FTA) or any similar process appropriate to system safety considerations.

The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the technical service at the time of the type-approval.

3.4.4.1. This documentation shall itemise the parameters being monitored and shall set out, for each fault condition of the type referred to in point 3.4.4, the warning signal to be given to the driver and/or to service/technical inspection personnel.
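As an added illustration of the fault-strategy provisions in points 3.4.3 to 3.4.4.1 (this is example code, not part of the Annex and not any manufacturer's implementation): a constructed fault table maps each monitored unit to its design provision, the higher-level function that overrides the base function is inhibited gradually to limit the transition disturbance, and the driver warning remains present while any fault persists unless the driver has deactivated the function. The unit names, ramp rate and partial-mode limit are constructed values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Provision(Enum):
    PARTIAL = "fall-back to operation using a partial system"  # 3.4.3 (a)
    BACKUP = "change-over to a separate back-up system"        # 3.4.3 (b)
    REMOVE = "removal of the high level function"              # 3.4.3 (c)


@dataclass
class ComplexControlSystem:
    # Constructed fault table (cf. 3.4.4.1): monitored unit -> provision applied.
    fault_table: dict
    partial_limit: float = 0.3   # limit of effectiveness in partial mode (3.4.3.1)
    ramp_step: float = 0.25      # gradual inhibition limits transition disturbance (3.4.3.3)
    faults: set = field(default_factory=set)
    deactivated: bool = False    # driver switched the function off
    hl_gain: float = 1.0         # 1.0 = higher-level function fully in command

    def set_fault(self, unit: str, present: bool) -> None:
        self.faults.add(unit) if present else self.faults.discard(unit)

    def driver_deactivate(self) -> None:
        self.deactivated = True

    def warning(self) -> bool:
        # Present as long as any fault persists, unless the driver deactivated the function.
        return bool(self.faults) and not self.deactivated

    def active_provision(self):
        # With several simultaneous faults the most conservative provision is applied.
        present = {self.fault_table[u] for u in self.faults if u in self.fault_table}
        return next((p for p in (Provision.REMOVE, Provision.BACKUP, Provision.PARTIAL)
                     if p in present), None)

    def step(self, base_cmd: float, hl_cmd: float, backup_cmd: float) -> float:
        """One control cycle: the higher-level function overrides the base function
        (points 2.3 and 2.4) unless a fault provision intervenes."""
        prov = self.active_provision()
        if self.deactivated or prov is Provision.REMOVE:
            self.hl_gain = max(0.0, self.hl_gain - self.ramp_step)  # ramp the override out
        else:
            self.hl_gain = min(1.0, self.hl_gain + self.ramp_step)  # ramp it back in
        if prov is Provision.BACKUP:
            return backup_cmd                                      # 3.4.3.2
        override = hl_cmd - base_cmd
        if prov is Provision.PARTIAL:                              # 3.4.3.1
            override = max(-self.partial_limit, min(self.partial_limit, override))
        return base_cmd + self.hl_gain * override
```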

4. Verification and Test

4.1. The functional operation of ‘the System’, as laid out in the documents required in point 3, shall be tested as follows:

4.1.1. Verification of the function of ‘the System’

As the means of establishing the normal operational levels, verification of the performance of the vehicle system under non-fault conditions shall be conducted against the manufacturer’s basic benchmark specification unless this is subject to a specified performance test as part of the approval procedure set out in this Regulation.

4.1.2. Verification of the safety concept referred to in point 3.4

The reaction of ‘the System’ shall, at the discretion of the approval authority, be checked under the influence of a failure in any individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of internal faults within the unit.

The verification results shall correspond with the documented summary of the failure analysis, to a level of overall effect such that the safety concept and execution are confirmed as being adequate.