ANNEX IIIU.K. Special requirements to be applied to the safety aspects of complex electronic vehicle control systems

3.DocumentationU.K.

3.1.RequirementsU.K.

The manufacturer shall provide a documentation package which gives access to the basic design of the complex electronic vehicle control system for which type-approval is applied (hereinafter referred to as ‘the System’) and the means by which it is linked to other vehicle systems or by which it directly controls output variables.

The function(s) of ‘the System’ and the safety concept, as laid down by the manufacturer, shall be explained.

Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the system fields which are involved.

For periodic technical inspections, the documentation shall describe how the current operational status of ‘the System’ can be checked.

3.1.1.Documentation shall be made available in the following two parts:U.K.

(a)

the formal documentation package for the approval, containing the material listed in Section 3 (with the exception of that of point 3.4.4) which shall be supplied to the technical service at the time of submission of the type-approval application. This will be taken as the basic reference for the verification process set out in point 4;

(b)

additional material and analysis data referred to in point 3.4.4, which shall be retained by the manufacturer, but made open for inspection at the time of type-approval.

3.2.Description of the functions of ‘the System’U.K.

A description shall be provided which gives a simple explanation of all the control functions of ‘the System’ and the methods employed to achieve the objectives, including a statement of the mechanism(s) by which control is exercised.

3.2.1.A list of all input and sensed variables shall be provided and the working range of these defined.U.K.

3.2.2.A list of all output variables which are controlled by ‘the System’ shall be provided and an indication given, in each case, of whether the control is direct or via another vehicle system. The range of control exercised on each such variable shall be defined.U.K.

3.2.3.Limits defining the boundaries of functional operation shall be stated where appropriate to system performance.U.K.

3.3.System layout and schematicsU.K.

3.3.1.Inventory of componentsU.K.

A list shall be provided, collating all the units of ‘the System’ and mentioning the other vehicle systems which are needed to achieve the control function in question.

An outline schematic showing those units in combination shall be provided with both the equipment distribution and the interconnections made clear.

3.3.2.Functions of the unitsU.K.

The function of each unit of ‘the System’ shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.

3.3.3.InterconnectionsU.K.

Interconnections within ‘the System’ shall be shown by a circuit diagram for the electric transmission links, by an optical-fibre diagram for optical links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages.

3.3.4.Signal flow and prioritiesU.K.

There shall be a clear correspondence between these transmission links and the signals carried between units.

Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety for the purpose of this Regulation.

3.3.5.Identification of unitsU.K.

Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware and marking or software output for software content) to provide corresponding hardware and documentation association.

Where functions are combined within a single unit or within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used.

The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.

3.3.5.1.The identification defines the hardware and software version and, where the latter changes such as to alter the function of the unit for the purpose of this Regulation, this identification shall also be changed.U.K.

3.4.Safety concept of the manufacturerU.K.

3.4.1.The manufacturer shall provide a statement which affirms that the strategy chosen to achieve ‘the System’ objectives will not, under non-fault conditions, prejudice the safe operation of systems which are subject to the provisions of this Regulation.U.K.

3.4.2.In respect of software used in ‘the System’, the outline architecture shall be explained and the design methods and tools used shall be identified. The manufacturer shall be prepared, if required, to show evidence of the means by which the realisation of the system logic has been determined during the design and development process.U.K.

3.4.3.The manufacturer shall provide the technical authorities with an explanation of the design provisions built into ‘the System’ so as to generate safe operation under fault conditions. Possible design provisions for failure in ‘the System’ are for example:U.K.

(a)

fall-back to operation using a partial system;

(b)

change-over to a separate back-up system;

(c)

removal of the high level function.

In case of a failure, the driver shall be warned for example by warning signal or message display. When the system is not deactivated by the driver, e.g. by turning the ignition (run) switch to ‘off’, or by switching off that particular function if a special switch is provided for that purpose, the warning shall be present as long as the fault condition persists.

3.4.3.1.If the chosen provision selects a partial performance mode of operation under certain fault conditions, then those conditions shall be stated and the resulting limits of effectiveness defined.U.K.

3.4.3.2.If the chosen provision selects a second (back-up) means to realise the vehicle control system objective, the principles of the change-over mechanism, the logic and level of redundancy and any built in back-up checking features shall be explained and the resulting limits of back-up effectiveness defined.U.K.

3.4.3.3.If the chosen provision selects the removal of the higher level function, all the corresponding output control signals associated with this function shall be inhibited, and in such a manner as to limit the transition disturbance.U.K.

3.4.4.The documentation shall be supported, by an analysis which shows, in overall terms, how the system will behave on the occurrence of any one of those specified faults which will have a bearing on vehicle control performance or safety.U.K.

This may be based on a Failure Mode and Effect Analysis (FMEA), a Fault Tree Analysis (FTA) or any similar process appropriate to system safety considerations.

The chosen analytical approach(es) shall be established and maintained by the manufacturer and shall be made open for inspection by the technical service at the time of the type-approval.

3.4.4.1.This documentation shall itemise the parameters being monitored and shall set out, for each fault condition of the type referred to in point 3.4.4, the warning signal to be given to the driver and/or to service/technical inspection personnel.U.K.