Transmitted by the expert from EC for subgroup 2a
Document: VMAD-05-06
Draft Annex on audit/assessment to the new UN Regulation on Automated Lane Keeping systems (ALKS)
As agreed at the last VMAD meeting, this text was drafted as an Annex to the new regulation on Automated Lane Keeping Systems (ALKS) to address the "audit/assessment/simulation/in-use reporting" pillar when applied to Automated Lane Keeping Systems. The track changes show the amendments to the current Annex to UN Regulation No. 79 (steering systems) on Complex Electronic Systems (CEL) as last amended.
Main changes to the current CEL Annex are the following:
- Tailor it to automated driving functions (i.e. ALKS), rather than a generic annex for any electronic/driver assistance system.
- Cover operational safety and not only functional safety.
- Clarify the safety target (free from unreasonable risk for humans).
- Clarify that the type-approval authority (or the technical service on its behalf) is the main responsible authority for the audit, as is the case for the rest of the type approval.
- Clarify that the manufacturer is mainly responsible for safety.
- Documentation layout and transparency of information across authorities.
- Competences of the auditor.
- Content of the manufacturer's safety management system (safety culture), including lifetime/lifecycle aspects.
- Basic requirements for the use of virtual testing/simulation tools.
This text is in line with the 3 other papers submitted by subgroup 2a to VMAD at this session, namely the concept paper and the proposed building blocks for the audit/assessment reporting pillar. However, compared to the building blocks, some elements have not been included at this stage due to time constraints:
- Independent demonstration of the safety of subsystems by suppliers.
- Several steps of assessment (e.g. at design and at production stages).
- Renewal of the assessment/audit. Monitoring by the authority.
- Rating of the audit (major/minor failure, etc.).
The discussion on this text is still on-going in subgroup 2a. However, a number of issues would benefit from discussion in VMAD, namely:
- The interaction with the work of other groups, in particular with the groups dealing with physical testing (subgroup 2b and the ACSF informal group dealing with the ALKS regulation).
- Whether some requirements fit better in this annex or as part of the main part of the ALKS regulation.
- Whether this annex shall be drafted only for ALKS or already for future AD systems.
- Scope and limits of the inspection done by authorities and responsibility of manufacturers in terms of safety.
- Whether 'free of unreasonable risk' can be used instead of 'shall not induce safety critical risk'. Whether we can go beyond
- Level of information to be shared amongst authorities and what shall be kept at manufacturer level.
Special requirements to be applied to safety aspects of complex electronic vehicle control systems
This annex defines the special requirements for documentation, fault strategy and verification with respect to the safety aspects of Electronic System(s) (paragraph 2.3.) and Complex Electronic Vehicle Control System(s) (paragraph 2.4. below) as far as this UN Regulation is concerned.
It does not specify the performance criteria for "The System" but covers the methodology applied to the design process and the information which must be disclosed, for type approval purposes. This information shall show that "The System" respects, under non-fault and fault conditions, the performance requirements specified in this UN Regulation and that it is designed to operate in such a way that it does not induce safety critical risks.
The applicant (e.g. the manufacturer) may provide evidence that an Auxiliary Steering Equipment (ASE) (if fitted) has previously been assessed as part of an approval in accordance with the requirements of Annex 4 of this UN Regulation (as required under the original version of this UN Regulation, its 01 or its 02 series of amendments). In this case, the requirements of this Annex shall not be applied to that ASE for the purposes of an approval in accordance with the 03 series of amendments.
For the purposes of this annex,
2.1. "The System" means an electronic control system or complex electronic control system that provides or forms part of the control transmission of a function to which this Regulation applies. This also includes any other system covered in the scope of this Regulation, as well as transmission links to or from other systems that are outside the scope of this Regulation, that act on a function to which this Regulation applies.
2.2. "Safety concept" is a description of the measures designed into the system, for example within the electronic units, so as to address system integrity and thereby ensure safe operation under fault and non-fault conditions, including in the event of an electrical failure. The possibility of a fall-back to partial operation or even to a back-up system for vital vehicle functions may be a part of the safety concept.
2.3. "Electronic control system" means a combination of units, designed to co-operate in the production of the stated vehicle control function by electronic data processing. Such systems, commonly controlled by software, are built from discrete functional components such as sensors, electronic control units and actuators and connected by transmission links. They may include mechanical, electro-pneumatic or electro-hydraulic elements.
2.4. "Complex Electronic Vehicle Control Systems" are those electronic control systems in which a function controlled by an electronic system or the driver may be over-ridden by a higher level electronic control system/function. A function which is over-ridden becomes part of the complex system, as well as any overriding system/function within the scope of this Regulation. The transmission links to and from overriding systems/functions outside of the scope of this Regulation shall also be included.
2.5. "Higher-Level Electronic Control" systems/functions are those which employ additional processing and/or sensing provisions to modify vehicle behaviour by commanding variations in the function(s) of the vehicle control system. This allows complex systems to automatically change their objectives with a priority which depends on the sensed circumstances.
2.6. "Units" are the smallest divisions of system components which will be considered in this annex, since these combinations of components will be treated as single entities for purposes of identification, analysis or replacement.
2.7. "Transmission links" are the means used for inter-connecting distributed units for the purpose of conveying signals, operating data or an energy supply. This equipment is generally electrical but may, in some part, be mechanical, pneumatic or hydraulic.
2.8. "Range of control" refers to an output variable and defines the range over which the system is likely to exercise control.
2.10. "Safety Related Function" means a function of "The System" that is capable of changing the dynamic behaviour of the vehicle. "The System" may be capable of performing more than one safety related function. [ 039]
2.11. "Control strategy" means a strategy to ensure robust and safe operation of the function(s) of "The System" in response to a specific set of ambient and/or operating conditions (such as road surface condition, traffic intensity and other road users, adverse weather conditions, etc.). This may include the automatic deactivation of a function or temporary performance restrictions (e.g. a reduction in the maximum operating speed, etc.). [ 0310]
The manufacturer shall provide a documentation package which gives access to the basic design of "The System" and the means by which it is linked to other vehicle systems or by which it directly controls output variables.
The function(s) of "The System", including the control strategies, and the safety concept, as laid down by the manufacturer, shall be explained.
Documentation shall be brief, yet provide evidence that the design and development has had the benefit of expertise from all the system fields which are involved.
For periodic technical inspections, the documentation shall describe how the current operational status of "The System" can be checked.
The documentation package shall be assessed to show that "The System":
(a) Is designed to operate, under non-fault and fault conditions, in such a way that it does not induce safety critical risks;
(b) Respects, under non-fault and fault conditions, the performance requirements specified elsewhere in this UN Regulation;
(c) Was developed according to the development process/method declared by the manufacturer and that this includes at least the steps listed in paragraph 3.4.4.
Documentation shall be made available in two parts:
(a) [ 0315] The formal documentation package for the approval, containing the material listed in paragraph 3. (with the exception of that of paragraph 3.4.4.) which shall be supplied to the Approval Authority at the time of submission of the type approval application. This documentation package shall be used as the basic reference for the verification process set out in paragraph 4. of this annex. The manufacturer shall ensure that this documentation package remains available for a period determined in agreement with the Approval Authority. This period shall be at least 10 years counted from the time when production of the vehicle is definitely discontinued.
(b) Additional material and analysis data of paragraph 3.4.4. which shall be retained by the manufacturer, but made open for inspection at the time of type approval. The manufacturer shall ensure that this material and analysis data remains available for a period of 10 years counted from the time when production of the vehicle is definitely discontinued.
3.2. Description of the functions of "The System" including control strategies
A description shall be provided which gives a simple explanation of all the functions including control strategies of "The System" and the methods employed to achieve the objectives [ 0316] , including a statement of the mechanism(s) by which control is exercised.
Any described function that can be over-ridden shall be identified and a further description of the changed rationale of the function’s operation provided.
Any enabled or disabled assistance to the driver, as defined in paragraph 2.3.4. of this UN Regulation, shall also be described.
3.2.1. A list of all input and sensed variables shall be provided and the working range of these defined, along with a description of how each variable affects system behaviour.
3.2.2. A list of all output variables which are controlled by "The System" shall be provided and an indication given, in each case, of whether the control is direct or via another vehicle system. The range of control (paragraph 2.8.) exercised on each such variable shall be defined.
3.2.3. Limits defining the boundaries of functional operation shall be stated where appropriate to system performance.
3.3. System layout and schematics
3.3.1. Inventory of components.
A list shall be provided, collating all the units of "The System" and mentioning the other vehicle systems which are needed to achieve the control function in question.
An outline schematic showing these units in combination shall be provided, with both the equipment distribution and the interconnections made clear.
3.3.2. Functions of the units
The function of each unit of "The System" shall be outlined and the signals linking it with other units or with other vehicle systems shall be shown. This may be provided by a labelled block diagram or other schematic, or by a description aided by such a diagram.
3.3.3. Interconnections within "The System"
Interconnections within "The System" shall be shown by a circuit diagram for the electric transmission links, by a piping diagram for pneumatic or hydraulic transmission equipment and by a simplified diagrammatic layout for mechanical linkages. The transmission links both to and from other systems shall also be shown.
3.3.4. Signal flow, operating data and priorities
There shall be a clear correspondence between transmission links and the signals carried between Units. Priorities of signals on multiplexed data paths shall be stated wherever priority may be an issue affecting performance or safety.
3.3.5. Identification of units
Each unit shall be clearly and unambiguously identifiable (e.g. by marking for hardware, and marking or software output for software content) to provide corresponding hardware and documentation association.
Where functions are combined within a single unit or indeed within a single computer, but shown in multiple blocks in the block diagram for clarity and ease of explanation, only a single hardware identification marking shall be used. The manufacturer shall, by the use of this identification, affirm that the equipment supplied conforms to the corresponding document.
3.3.5.1. The identification defines the hardware and software version and, where the latter changes such as to alter the function of the Unit as far as this Regulation is concerned, this identification shall also be changed.
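As an added illustration (not part of the draft annex or of any manufacturer's documentation), the following Python script shows one way to make the identification of paragraph 3.3.5.1. checkable against the equipment actually supplied: each documented unit carries its hardware marking, its software identification and a SHA-256 digest of the software image the identification was declared for, so that a software change that was not accompanied by a change of identification is detected when the supplied units are compared with the documentation package. The unit names, identification strings and the byte strings standing in for software images are constructed for this example.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitRecord:
    """One unit of the inventory (3.3.1) with its identification (3.3.5)."""
    unit: str
    hw_id: str       # hardware identification marking
    sw_id: str       # software identification (marking or software output)
    sw_digest: str   # SHA-256 of the software image the sw_id was declared for


def software_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def document_unit(unit: str, hw_id: str, sw_id: str, image: bytes) -> UnitRecord:
    """Record a unit as it is declared in the documentation package."""
    return UnitRecord(unit, hw_id, sw_id, software_digest(image))


def check_conformity(documented: dict[str, UnitRecord],
                     supplied: dict[str, tuple[str, str, bytes]]) -> list[str]:
    """Compare the supplied equipment with the documented inventory.

    supplied maps unit name -> (hw_id read from the marking, sw_id reported by
    the unit, software image read back from the unit).  Returns one finding per
    deviation; an empty list means the equipment conforms to the document.
    """
    findings = []
    for name, doc in documented.items():
        if name not in supplied:
            findings.append(f"{name}: documented unit not present in supplied equipment")
            continue
        hw_id, sw_id, image = supplied[name]
        if hw_id != doc.hw_id:
            findings.append(f"{name}: hardware identification {hw_id} differs from documented {doc.hw_id}")
        if sw_id != doc.sw_id:
            findings.append(f"{name}: software identification {sw_id} differs from documented "
                            f"{doc.sw_id}; documentation package must be updated")
        elif software_digest(image) != doc.sw_digest:
            # The case 3.3.5.1 is meant to exclude: software changed, identification did not.
            findings.append(f"{name}: software image differs from the documented one "
                            f"but identification {sw_id} is unchanged")
    for name in sorted(supplied.keys() - documented.keys()):
        findings.append(f"{name}: unit present but not listed in the documented inventory")
    return findings


# Constructed sample data: the byte strings are placeholders for software images.
CAM_V14 = b"lane camera firmware v1.4"
LKC_V21 = b"lane keeping controller v2.1"
LKC_V21_PATCHED = b"lane keeping controller v2.1 + changed lane-change logic"
EPS_V09 = b"steering actuator firmware v0.9"
EPS_V10 = b"steering actuator firmware v1.0"

DOCUMENTED = {r.unit: r for r in [
    document_unit("lane_camera", "HW-CAM-03", "SW-CAM-1.4", CAM_V14),
    document_unit("lane_controller", "HW-LKC-07", "SW-LKC-2.1", LKC_V21),
    document_unit("steering_actuator", "HW-EPS-02", "SW-EPS-0.9", EPS_V09),
]}


def run_example() -> list[str]:
    """Supplied equipment that deviates from the documentation in three ways."""
    supplied = {
        "lane_camera": ("HW-CAM-03", "SW-CAM-1.4", CAM_V14),              # conforms
        "lane_controller": ("HW-LKC-07", "SW-LKC-2.1", LKC_V21_PATCHED),  # silent software change
        "steering_actuator": ("HW-EPS-02", "SW-EPS-1.0", EPS_V10),        # identification changed
        "telematics_unit": ("HW-TCU-01", "SW-TCU-3.2", b"telematics v3.2"),  # undocumented unit
    }
    return check_conformity(DOCUMENTED, supplied)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The digest turns the software identification from a claim printed by the unit into something the inspector can recompute from the image read back from the unit; a version string alone cannot reveal that the image behind it has changed.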
3.4. Safety concept of the manufacturer
3.4.1. The Manufacturer shall provide a statement which affirms that the strategy chosen to achieve "The System" objectives will not, under non-fault conditions, prejudice the safe operation of the vehicle.
3.4.2. In respect of software employed in "The System", the outline architecture shall be explained and the design methods and tools used shall be identified. The manufacturer shall show evidence of the means by which they determined the realisation of the system logic, during the design and development process.
3.4.3. The Manufacturer shall provide the Technical Service with an explanation of the design provisions built into "The System" so as to generate safe operation under fault conditions. Possible design provisions in "The System" are for example:
(a) Fall-back to a partial performance mode of operation;
(b) Change-over to a separate back-up system;
(c) Removal of the higher level function.
In case of a failure, the driver shall be warned, for example by a warning signal or message display. When the system is not deactivated by the driver, e.g. by turning the ignition (run) switch to "off", or by switching off that particular function if a special switch is provided for that purpose, the warning shall be present as long as the fault condition persists.
3.4.3.1. If the chosen provision selects a partial performance mode of operation under certain fault conditions, then these conditions shall be stated and the resulting limits of effectiveness defined.
3.4.3.2. If the chosen provision selects a second (back-up) means to realise the vehicle control system objective, the principles of the change-over mechanism, the logic and level of redundancy and any built-in back-up checking features shall be explained and the resulting limits of back-up effectiveness defined.
3.4.3.3. If the chosen provision selects the removal of the Higher Level Function, all the corresponding output control signals associated with this function shall be inhibited, and in such a manner as to limit the transition disturbance.
3.4.4. The documentation shall be supported by an analysis which shows, in overall terms, how the system will behave on the occurrence of any of those hazards or faults which will have a bearing on vehicle control performance or safety. The chosen analytical approach(es) shall be established and maintained by the Manufacturer and shall be made open for inspection at the time of the type approval.
An assessment of the application of the analytical approach(es) shall be performed. The assessment shall include:
(a) Inspection of the safety approach at the concept (vehicle) level with confirmation that it includes consideration of:
- Interactions with other vehicle systems;
- Malfunctions of the system, within the scope of this UN Regulation;
- For functions defined in paragraph 2.3.4. of this UN Regulation, situations when a system free from faults may create safety critical risks (e.g. due to a lack of or wrong comprehension of the vehicle environment);
- Reasonably foreseeable misuse by the driver;
- Intentional modification of the system.
This approach shall be based on a Hazard / Risk analysis appropriate to system safety.
(b) Inspection of the safety approach at the system level. This approach may be based on a Failure Mode and Effect Analysis (FMEA), a Fault Tree Analysis (FTA) or any similar process appropriate to system safety.
(c) Inspection of the validation plans and results. This shall include validation testing, for example Hardware in the Loop (HIL) testing, vehicle on-road operational testing, or any other testing appropriate for validation.
The assessment shall consist of spot checks of selected hazards and faults to establish that the argumentation supporting the safety concept is understandable and logical and that the validation plans are suitable and have been completed.
Tests as specified in paragraph 4. may be performed, or required to be performed, to verify the safety concept.
3.4.4.1. This documentation shall itemize the parameters being monitored and shall set out, for each fault condition of the type defined in paragraph 3.4.4. of this annex, the warning signal to be given to the driver and/or to service/technical inspection personnel.
3.4.4.2. This documentation shall describe the measures in place to ensure that "The System" does not prejudice the safe operation of the vehicle when the performance of "The System" is affected by environmental conditions, e.g. climatic, temperature, dust ingress, water ingress, ice packing.
4. Verification and test
4.1. The functional operation of "The System", as laid out in the documents required in paragraph 3., shall be tested as follows:
4.1.1. Verification of the function of "The System"
"The System" shall be verified under non-fault conditions by testing a number of selected functions from those declared by the manufacturer in paragraph 3.2. above. For complex electronic systems, these tests shall include scenarios whereby a declared function is over-ridden.
4.1.1.1. The verification results shall correspond with the description, including the control strategies, provided by the manufacturer in paragraph 3.2.
4.1.2. Verification of the safety concept of paragraph 3.4.
The reaction of "The System" shall be checked under the influence of a failure in an individual unit by applying corresponding output signals to electrical units or mechanical elements in order to simulate the effects of internal faults within the unit. This check shall be conducted for at least one individual unit, but the reaction of "The System" to multiple simultaneous failures of individual units shall not be checked.
It shall be verified that these tests include aspects that may have an impact on vehicle controllability and user information (HMI aspects).
4.1.2.1. The verification results shall correspond with the documented summary of the analysis of paragraph 3.4.4., to a level of overall effect such that the safety concept and execution are confirmed as being adequate.
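The design provisions of paragraph 3.4.3. and the single-unit fault injection of paragraph 4.1.2. can be exercised against a model of the safety concept before any bench test. The following Python harness is an added example, not text from the draft annex or from any manufacturer's safety concept: a hypothetical system with three units (lane_sensor, lane_controller, steering_actuator) selects, for a fault in each unit, one of the three provisions (removal of the higher-level function with inhibited output signals, change-over to a back-up controller, partial performance mode with a reduced speed limit), keeps the driver warning on until the driver deactivates the function, and ramps the steering command so that the transition disturbance is bounded. The harness refuses to fault a second unit while one is already faulted, records the reaction cycle by cycle and summarises what the 4.1.2 check would look at. All unit names, numeric values and limits are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NORMAL = "normal operation"
    PARTIAL = "partial performance mode"           # provision of 3.4.3.1
    BACKUP = "back-up controller"                  # provision of 3.4.3.2
    REMOVED = "higher-level function removed"      # provision of 3.4.3.3


# Provision the hypothetical safety concept selects for a fault in each unit.
# Unit names and the assignment are assumptions made for this example.
PROVISION = {
    "lane_sensor": Mode.REMOVED,        # no usable lane data: inhibit lateral control outputs
    "lane_controller": Mode.BACKUP,     # change over to the redundant controller
    "steering_actuator": Mode.PARTIAL,  # reduced steering authority at reduced speed
}
NORMAL_SPEED_LIMIT = 130.0   # km/h, assumed
PARTIAL_SPEED_LIMIT = 60.0   # km/h, assumed restriction in partial performance mode


@dataclass
class Cycle:
    mode: Mode
    steer_cmd: float     # output control signal to the steering actuator
    speed_limit: float   # maximum operating speed allowed in the current mode
    warning: bool        # warning signal / message shown to the driver


@dataclass
class System:
    faulted: set[str] = field(default_factory=set)
    warning: bool = False
    steer_cmd: float = 0.0
    ramp_step: float = 0.2   # largest change of steer_cmd per cycle: bounds the transition disturbance

    def inject_fault(self, unit: str) -> None:
        """Stand-in for the bench test that applies signals to simulate an internal fault."""
        if unit not in PROVISION:
            raise KeyError(unit)
        if self.faulted and unit not in self.faulted:
            raise ValueError("4.1.2: reaction to multiple simultaneous unit failures is not tested")
        self.faulted.add(unit)

    def clear_fault(self, unit: str) -> None:
        self.faulted.discard(unit)

    def driver_deactivates(self) -> None:
        """Driver switches the function off: the only action that clears the warning."""
        self.warning = False

    def step(self, lateral_error: float) -> Cycle:
        """One control cycle: nominal command, then the provision the safety concept selects."""
        nominal = max(-1.0, min(1.0, -0.5 * lateral_error))
        mode = PROVISION[next(iter(self.faulted))] if self.faulted else Mode.NORMAL
        if self.faulted:
            self.warning = True   # raised on fault and kept at least as long as the fault persists
        target, speed_limit = nominal, NORMAL_SPEED_LIMIT
        if mode is Mode.REMOVED:
            target = 0.0                                  # all output control signals inhibited
        elif mode is Mode.PARTIAL:
            target, speed_limit = 0.5 * nominal, PARTIAL_SPEED_LIMIT
        # Mode.BACKUP: the redundant controller realises the same objective, target stays nominal
        delta = max(-self.ramp_step, min(self.ramp_step, target - self.steer_cmd))
        self.steer_cmd = round(self.steer_cmd + delta, 6)
        return Cycle(mode, self.steer_cmd, speed_limit, self.warning)


def max_transition(log: list[Cycle]) -> float:
    """Largest cycle-to-cycle change of the output signal over the recorded run."""
    return max(abs(b.steer_cmd - a.steer_cmd) for a, b in zip(log, log[1:]))


def fault_injection_test(unit: str, lateral_error: float = 1.0, cycles: int = 6) -> list[Cycle]:
    """Three non-fault cycles, `cycles` cycles with `unit` faulted, then one cycle after clearing."""
    system = System()
    log = [system.step(lateral_error) for _ in range(3)]
    system.inject_fault(unit)
    log += [system.step(lateral_error) for _ in range(cycles)]
    system.clear_fault(unit)
    log.append(system.step(lateral_error))   # fault gone, driver has not deactivated: warning stays
    return log


def assess(unit: str) -> dict:
    """What the 4.1.2 check records for a fault in one unit, to compare with the 3.4.4 analysis."""
    log = fault_injection_test(unit)
    return {
        "provision": log[3].mode,
        "warning_while_faulted": all(c.warning for c in log[3:-1]),
        "warning_after_fault_cleared": log[-1].warning,
        "final_steer_cmd": log[-2].steer_cmd,
        "speed_limit": log[3].speed_limit,
        "max_transition": max_transition(log),
    }


if __name__ == "__main__":
    for unit in PROVISION:
        print(unit, assess(unit))
```

The summary returned by assess() is the kind of evidence the 4.1.2.1 comparison needs: which provision was actually taken, whether the warning was present throughout the fault, whether the inhibited outputs really reached zero, and the largest single-cycle change of the output, which is the measurable form of "limit the transition disturbance". The latched warning is a conservative reading of 3.4.3; a concept that clears the warning the moment a fault disappears would need a separate argument for intermittent faults.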
5. Reporting of the assessment
5.1. Reporting of the assessment by the Technical Service shall be performed in such a manner that allows traceability, e.g. versions of documents inspected are coded and listed in the records of the Technical Service.
5.2. An example of a possible layout for the assessment form from the Technical Service to the Type Approval Authority is given in Appendix 1 to this Annex.
Appendix 1
Model assessment form
Test report No: ................
1.1. Vehicle make: ..............................................
1.2. Type: ....................................................
1.3. Means of identification of type if marked on the vehicle: ..................
1.4. Location of that marking: .......................................
1.5. Manufacturer’s name and address: .................................
1.6. If applicable, name and address of manufacturer’s representative: .............
1.7. Manufacturer’s formal documentation package:
Documentation reference No: .............
Date of original issue: ..................
Date of latest update: ..................
2. Test vehicle(s)/system(s) description
2.1. General description: ..........................................
2.2. Description of all the control functions of "The System", and methods of operation: .
2.3. Description of the components and diagrams of the interconnections within "The System": ..........
3. Manufacturer’s safety concept
3.1. Description of signal flow and operating data and their priorities: .............
3.2. The manufacturer(s) ............................................................. affirm(s) that the strategy chosen to achieve "The System" objectives will not, under non-fault conditions, prejudice the safe operation of the vehicle.
3.3. Software outline architecture and the design methods and tools used: ..........
3.4. Explanation of design provisions built into "The System" under fault conditions:
3.5. Documented analyses of the behaviour of "The System" under individual hazard or fault conditions:
3.6. Description of the measures in place for environmental conditions: ............
3.7. Provisions for the periodic technical inspection of "The System": .............
3.8. Results of "The System" verification test, as per para. 4.1.1. of Annex ....: ..........
3.9. Results of safety concept verification test, as per para. 4.1.2. of Annex ....: ..........
3.10. Date of test: ................................................
4. This test has been carried out and the results reported in accordance with ….. to UN Regulation ….. as last amended by the ..... series of amendments.
5. Technical Service carrying out the test
Signed: ....................................... Date: ........................................
To be signed by different persons even when the Technical Service and Type Approval Authority are the same, or alternatively a separate Type Approval Authority authorization is issued with the report.
[ 031] Question to VMAD:
specific term for ALKS or generic term for any AD systems?
[ 032] As agreed we start with 1958 Agreement vocabulary. This will need to be changed when drafting 1998 Agreement texts, e.g. use "independent auditor" instead of "type approval authority".
[ 033] looks like circular definition
[ 034] Not clear
[ 035] Not sure we need this
[ 036] Needed. Used in 22.214.171.124.
[ 037] The ADS shall be able to maintain some control even beyond the ODD.
[ 038] Needed. Check if MRM always accompanied by transition
[ 039] Needed?
[ 0310] Check consistency of definition everywhere in the text.
[ 0311] To be defined
[ 0312] Check if non-fault definition is the same as functional safety
[ 0313] Already covered in the text of the regulation?
[ 0314] Already covered in the core text or the regulation?
[ 0315] Same document for all CP.
[ 0316] Not clear what is meant here. Objectives of the functions?
[ 0317] Move to 3.3?
[ 0318] Covered in 3.2.4?
[ 0319] Move to 3.3?
[ 0320] Relevant for ALKS? AI?
[ 0321] This paragraph may be redundant.
3.3. requires an overview of all units of the ALKS (including the examples in the bullet-points)
3.3.5. and 3.3.5.1. require that all these units (including HW and SW) are clearly and unambiguously identifiable.
[ 0322] Would make more sense to start with redundancy for ADS
[ 0323] What about other cases?
[ 0324] Should be moved to the core text of the regulation
[ 0325] Moved below as it does not only apply to HARA
[ 0326] from VMAD-subgroup 1
[ 0327] Interaction with test section here