ISO 21448:2022 Road vehicles — Safety of the intended functionality
Standard number: ISO 21448:2022
Chinese title: 道路车辆 预期功能的安全性
English title: Road vehicles — Safety of the intended functionality
Publication date: 2022-06
Scope
This document provides a general argument framework and guidance on measures to ensure the safety of the intended functionality (SOTIF), which is the absence of unreasonable risk due to a hazard caused by functional insufficiencies, i.e.:
a) the insufficiencies of specification of the intended functionality at the vehicle level; or
b) the insufficiencies of specification or performance insufficiencies in the implementation of electric and/or electronic (E/E) elements in the system.
This document provides guidance on the applicable design, verification and validation measures, as well as activities during the operation phase, that are needed to achieve and maintain the SOTIF.
This document is applicable to intended functionalities where proper situational awareness is essential to safety and where such situational awareness is derived from complex sensors and processing algorithms, especially functionalities of emergency intervention systems and systems having levels of driving automation from 1 to 5 [2].
This document is applicable to intended functionalities that include one or more E/E systems installed in series production road vehicles, excluding mopeds.
Reasonably foreseeable misuse is in the scope of this document. In addition, operation or assistance of a vehicle by a remote user or communication with a back office that can affect vehicle decision making is in scope of this document when it can lead to safety hazards.
This document does not apply to:
— faults covered by the ISO 26262 series;
— cybersecurity threats;
— hazards directly caused by the system technology (e.g. eye damage from the beam of a lidar);
— hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, release of energy and similar hazards, unless directly caused by the intended functionality of E/E systems; and
— deliberate actions that clearly violate the system's intended use (which are considered feature abuse).
This document is not intended for functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist (e.g. dynamic stability control systems, airbags).