ISO/TR 5340:2023

FINAL
TECHNICAL ISO/DTR
DRAFT
REPORT 5340
ISO/TC 22/SC 38
Motorcycles — Consideration for
Secretariat: UNI
use cases of ISO 26262-12 MSIL
Voting begins on:
2023-02-24 classification
Voting terminates on:
Motocycles — Considération des cas d'usages de l'ISO 26262-12
2023-04-21
Classification MSIL
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/DTR 5340:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO 2023

---------------------- Page: 1 ----------------------
ISO/DTR 5340:2023(E)
FINAL
TECHNICAL ISO/DTR
DRAFT
REPORT 5340
ISO/TC 22/SC 38
Motorcycles — Consideration for
Secretariat: UNI
use cases of ISO 26262-12 MSIL
Voting begins on:
classification
Voting terminates on:
Motocycles — Considération des cas d'usages de l'ISO 26262-12
Classification MSIL
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/DTR 5340:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
ii
  © ISO 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO 2023

---------------------- Page: 2 ----------------------
ISO/DTR 5340:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative reference .1
3 Terms and definitions . 1
4 General topics for MSIL classification . 2
5 Use case of hazard analysis and risk assessment . 2
5.1 Overview . 2
5.1.1 Item definition . 2
5.1.2 Hazard identification . 2
5.1.3 Risk assessment . 4
5.2 Examples of HARA . 4
5.2.1 General . 4
5.2.2 Example for HARA procedure . 4
5.2.3 Safety goal determination. 5
5.2.4 Examples of HARA method . 5
5.2.5 HARA example 1 . 6
5.2.6 HARA example 2 . 8
5.2.7 HARA example 3 . 10
Bibliography .16
iii
© ISO 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/DTR 5340:2023(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 38,
Motorcycles and mopeds.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
  © ISO 2023 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/DTR 5340:2023(E)
Introduction
0.1  General
The ISO 26262 series is intended to be applied to safety-related systems that include one or more
electrical and/or electronic (E/E) systems and that are installed in series production road vehicles,
excluding mopeds. The ISO 26262 series does not address unique E/E systems in special vehicles such
as E/E systems designed for drivers with disabilities.
ISO 26262-12:2018 is the standard to address the sector-specific needs of E/E systems within series
production motorcycles. The motorcycle industry recognizes the need to use appropriate safety-related
techniques to avoid unreasonable risk resulting from random or systematic faults of E/E systems.
Motorcycle safety integrity level (MSIL) is the output of hazard analysis and risk assessment (HARA).
This is then apportioned between the risk­reduction mechanisms and measures assigned to E/E
systems using automotive safety integrity level (ASIL) and the risk reduction taken care of by external
measures and/or other technologies. Specifically in the motorcycle industry, a greater proportion of the
overall risk reduction is generally apportioned to external measures (for example, riding rules, training/
qualification of riders, personal protective equipment, e.g. helmets and infrastructure features).
The worldwide established level of technology (“state-of-the-art”) in the motorcycle industry suggests
that ASIL requirements are not appropriate for motorcycles. This is addressed through the alignment
between MSIL and ASIL. It is acknowledged that product development processes and technical solutions
within the motorcycle industry are inhomogeneous with those of the automobile industry; therefore,
the difference between MSIL and ASIL has been made to accommodate worldwide capability.
0.2  Objectives
Publicly-available research documents and references relating to the functional safety of motorcycles
are fewer in number than those for passenger cars. The purpose of this document is to contribute to the
functional safety of motorcycles by internationally collecting and providing examples for motorcycle
HARA. This document provides an overview of the principles behind HARA using simplified examples
to the concepts.
A prerequisite for HARA is the item definition, which is not the subject of this document. It also does not
cover the safety goals of the item. This document takes examples of some items on motorcycles, but is
also not exhaustive in terms of their function.
This document presents examples of potential accident scenarios and risk assessments, from the
behaviour of an item when it fails and the hazard at vehicle level to its potential accident scenarios.
Several methods have been published for each of these, and the aim is to provide a side-by-side
comparison to assist in the implementation of HARA.
0.3  Points to note
In using this document, please note the following.
The hazard analysis results and MSIL described in this document is just a collection and does not specify
the MSIL of a specific item. Although some examples are given in this document, they are the result of
several approaches and do not specify the MSIL for a particular item. The same applies even if only one
example is given for an item. Also, the information presented in this document is neither exhaustive nor
complete. However, introducing some cases (i.e. analytical approaches and results) will help shape the
image for applying the ISO 26262 series.
This document has taken as faithfully as possible the descriptions from published documents. Although
there are formatting differences from the original text for the purpose of side-by-side comparison,
severity(S), exposure(E), controllability(C) and MSIL described have not been altered or harmonised
in any way. The information contained in this document is only part of the published material, and it is
recommended to consult the original when referring to it in implementation. The use of these methods
is neither mandatory nor recommended and is to be used at the user's own responsibility.
v
© ISO 2023 – All rights reserved

---------------------- Page: 5 ----------------------
TECHNICAL REPORT ISO/DTR 5340:2023(E)
Motorcycles — Consideration for use cases of ISO 26262-12
MSIL classification
1 Scope
This document is intended to be applied to safety-related systems that include one or more electrical
and/or electronic (E/E) systems and that are installed in series production motorcycles. This document
does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with
disabilities.
NOTE The series production motorcycle is the vehicle that is intended to be used for public roads and is not a
prototype.
This document covers HARA for one or more E/E systems installed in motorcycles. The approach of
HARA defined in ISO 26262-12:2018, Clause 8 is applied to them in a motorcycle environment.
The intended user of this document is a functional-safety analyst complying with requirements in
ISO 26262-12:2018. Therefore, this document does not intend to provide further necessary knowledge
or guidelines in related fields including, but not limited to, item-specific knowledge, user and road
profiling, medicine, statistics, accident research and human factors. Instead, it is intended to be related
to the field of functional safety with the focus on the HARA examples only. It is the responsibility of
the functional-safety analyst to achieve detailed knowledge about the item under investigation and the
target application environment.
In this document, the values shown are for reference only. Any new HARA can use the latest relevant
data and analyses. The values shown in this document were derived based on some, but not all segments
of information expected within an item description, and thus are not considered as an item definition.
The ISO 26262 series requires that a HARA be based on a specific item definition. This document is not
to be constructed to suggest that conducting a HARA without a specific item definition is acceptable.
The scope of the ISO 26262 series is limited to functional safety which is one aspect of the overall
system safety assessment in safety risk management.
As for any risk assessment method, the methods mentioned in this document have inherent limitations.
The HARA describes a simplified model of the real world, which is neither complete nor fully accurate.
Although each assessment is based on available or applicable data as well as on expert judgment, the
interpretation of such data can vary among analyses. For these reasons, the user of this document can
bear in mind these limitations and judge the applicability of this document in any particular case.
2 Normative reference
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262­1, Road vehicles — Functional safety — Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 26262-1 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
1
© ISO 2023 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/DTR 5340:2023(E)
— IEC Electropedia: available at https:// www .electropedia .org/
4 General topics for MSIL classification
Hazard analysis, risk assessment and MSIL determination are used to determine the safety goals for the
item. For this, the item is evaluated with regard to its potential hazardous events. Safety goals and their
assigned MSIL are determined by a systematic evaluation of hazardous events. The MSIL is determined
by considering severity, probability of exposure and controllability. It is based on the item’s functional
behaviour; therefore, the detailed design of the item does not need to be known.
The dynamic behaviour of motorcycles differs greatly from that of other vehicles within the scope of
the ISO 26262 series, and that controllability of motorcycle specific hazardous events could place more
emphasis on the rider. It is recognised that the method of performing risk assessment requires to best
suit motorcycle specific hazardous events.
ISO 26262-12:2018, Annex B gives a general explanation of the hazard analysis and risk assessment.
5 Use case of hazard analysis and risk assessment
5.1 Overview
This clause presents examples of HARA in motorcycles.
HARA is a method to identify and categorize hazardous events of items and to specify safety goals and
MSILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable
risk.
The method of performing a HARA is the same as that of a passenger car, but different hazardous
events (such as falls down) can be identified depending on the situation peculiar to a motorcycle
and the difference in controllability. Evaluation of severity and exposure to driver and others differs
significantly from the case of passenger cars.
The case presented below is an example of analysing a scenario in a situation peculiar to motorcycles.
These are just a few of the situations that motorcycles encounter, and each item can have other serious
hazards. Also, the MSIL shown in the case is just the result of the case study and does not specify the
MSIL of the item in general.
Safety goals are top-level safety requirements for the item. Safety goals are not expressed in terms
of technological solutions, but in terms of functional objectives. This document does not mention the
items of functional objectives and safety goals.
5.1.1 Item definition
HARA is based on the item definition. The item without internal safety mechanisms is evaluated during
the hazard analysis and risk assessment, i.e. safety mechanisms intended to be implemented or that
have already been implemented in predecessor items are not considered in HARA.
5.1.2 Hazard identification
The purpose of hazard identification is to identify the potential source of harm caused by the
malfunctioning behaviour of the item.
Hazards caused by malfunctioning behaviour of the item are defined at the vehicle level.
The hazards are determined systematically based on the possible malfunctioning behaviour of the
item. Failure mode and effects analysis (FMEA) approaches and hazard and operability (HAZOP) are
suitable to support hazard identification at the item level. These can be supported by brainstorming,
2
  © ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/DTR 5340:2023(E)
checklists, quality history, and field studies. One example to identify a possible malfunction behaviour
with the HAZOP method can be to ask what can happen to the rider or other person if:
— the function is active when it is expected to be deactivated;
— the function is not active when it is expected to be activated;
— the output of the function is unintended to high;
— the output of the function is unintended to low;
— the output of the function came too late;
— the output of the function is changing too fast;
— the output of the function is in the wrong direction;
— the output of the function is alternating.
The identified malfunction behaviour that can cause harm to the rider or other person can be
documented as relevant malfunction with their consequences.
The relevant situations can be identified by analysing the expected usage and the expected misuse
of the motorcycle. The relevant situations can differ due to the design (e.g. superbike, enduro) or
3 3
performance (e.g. 125 cm /10 kW, 1 000 cm /150 kW) of the analysed motorcycle. Be aware of the
specific behaviour of a motorcycle (e.g. lean angle, separated front and rear brake), special manoeuvres
(e.g. wheelie, stoppie) and misuses (e.g. towing other vehicle, overloaded luggage in the top case).
One approach to identify all relevant situation is to build-up a list with possible parameters raised from,
for example:
Driving operation:
— driving speed;
— lean angle; and
— braking.
Road type:
— location (e.g. motorway, urban, crossing road); and
— road surface condition (e.g. dry, wet, ice).
Situations:
— overtaking;
— parking;
— wheelie;
— crash.
Be aware that a combination of parameters can change the consequences, because it can lead to an
inappropriate lowering of the MSIL.
The relevant situations where the identified malfunction can cause harm the rider or other person are
the hazardous events for the risk assessment. The consequences of hazardous events are identified.
EXAMPLE An unintended too-high torque output of the engine on a dry country road in a curve with large
lean angle can lead to leaving the road lane and to a collision with obstacles.
3
© ISO 2023 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/DTR 5340:2023(E)
For a detailed description of the approach, refer to the ISO 26262­3:2018, 6.4.2 and ISO 26262­12:2018,
8.4.2.
5.1.3 Risk assessment
Risk assessment is a series of classifications of potential harms caused by hazards in terms of severity,
probability of exposure, or controllability.
The severity of the potential harm is estimated based on a defined rationale for each hazardous event.
The severity is assigned to one of the severity classes: S0, S1, S2 or S3.
The probability of exposure of each operational situation is estimated based on a defined rationale for
each hazardous event. The probability of exposure is assigned to one of the probability classes: E0, E1,
E2, E3 or E4.
The controllability of each hazardous event, by the rider or other persons involved in the operational
situation is estimated based on a defined rationale for each hazardous event. The controllability is
assigned to one of the controllability classes: C0, C1, C2 or C3.
An MSIL is determined for each hazardous event based on the classification of severity, probability of
exposure and controllability. Four MSILs are defined: MSIL A, MSIL B, MSIL C and MSIL D, where MSIL
A is representing the least stringent and MSIL D the most stringent level. QM is not an MSIL, but can be
specified in the hazard analysis and risk assessment.
Each assessment is based on available or applicable data as well as on expert judgment, the
interpretation of such data can vary among analyses.
5.2 Examples of HARA
5.2.1 General
There are different approaches possible for selecting the appropriate values of E, S and C. Possible
sources for values can be guidelines, technical papers, ISO 26262-12:2018 Annex B, government
statistics, expert judgements or measured data from equivalent motorcycles. The source can be selected
according to worldwide use or limited to the expected homologation areas.
For example, the maximum allowed motorway speed can differ in different countries and can change
over time (e.g. India: 80 km/h, England: 110 km/h, Japan: 120 km/h, Italy: 130 km/h, USA: 137 km/h,
Germany: partly >250 km/h allowed).
NOTE See Reference [6], Table A4: Speed Laws and Enforcement by Country / Area.
Different teams can use different approaches and can come to different results of what can be correct.
The use of the data sources must be conservative and correspond to the vehicle, item and target market.
Each selected value of E, S and C can be argued. So, it is possible to follow the selection and the value can
be adapted if there is a change.
5.2.2 Example for HARA procedure
a) Hazard identification
Unintended acceleration of TBW function
b) Operational situation
Driving on a German motorway with >130 km/h in close distance to vehicle in front (heavy traffic),
0°­5° lean angle
4
  © ISO 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/DTR 5340:2023(E)
c) Affected persons
Rider and passenger
d) Classification of exposure
Duration E3; E4 for driving on motorway due to commuting use of the analysed motorcycle but
-1 due to “close distance to vehicle in front (heavy traffic)” = E3; driving data records from an
equivalent motorcycle have shown a driving duration of much less than 10 % at a speed >130 km/h
= E3
e) Classification of severity
S3; serious injuries due to falling down with >130 km/h; no traffic in opposite direction expected
on motorways = no increase
f) Classification of controllability
C3; rider can handle the brakes or engine stop switch to reduce the acceleration and can steer to
avoid collision but not more than 90 % of all riders can react fast enough in this situation (heavy
traffic)
5.2.3 Safety goal determination
To determine the safety goal, the MSIL for each hazard event is identified in accordance with
ISO 26262-12:2018, 8.4.3.10 and the corresponding malfunction that must be prevented with a safety
concept.
The safety goal can have the following information:
— it can be named what can be avoided by the safety function;
— the maximum ASIL can be named;
— the safe state can be defined (e.g. switch off function output for fail safe systems);
2
— the error threshold for the controllability estimation (e.g, acceleration more than 2,6 m/s ) can be
defined; and
— the fault tolerant time interval (e.g. 300 ms) can be defined.
The safety goal, its information and the safe state can be validated according to ISO 26262-12:2018,
Clause 10. The transition to safe state and the safe state itself can provide sufficient controllability. If
a test is used to validate the information or the safe state, the safety of the test rider has the highest
priority.
5.2.4 Examples of HARA method
In this document, examples of HARA for some items are shown. These items are widely used in
motorcycles, and there are also published examples of HARA research reports. By quoting and
organizing them, it will help to understand in implementing HARA in practice.
[4] [3]
This document cites ANCMA guidelines and SAE technical paper .
In some tables, there are expressions of "Method (1)" and "Method (2)". This means that:
a) Method (1): is the approach shown in Reference [4];
b) Method (2): is the approach shown in Reference [3].
5
© ISO 2023 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/DTR 5340:2023(E)
Each reference has its own features. For example, in HARA of TBW (throttle by wire), method (1) defines
an item as a device that generates driving force regardless of whether it is an internal combustion
engine or an electric motor, while method (2) defines an item that focuses on throttle body control.
It also covers scenarios that are not considered as significant risks for motor vehicles, because those
scenarios could be the serious hazards for motorcycles.
In the method (2), driving data for some real-world traffic environments for motorcycle has been
studied to provide an estimate for the exposure. In some cases, the controllability was estimated by the
subjective evaluation of the expert rider which is accepted in the standard as one of the methods. The
severity was estimated based on official real-world traffic accident statistics.
The reason for clarifying the two approaches is that the abstraction and quantitative differences in the
information they deal with affect MSIL.
EXAMPLE The difference in acceleration in the scenario.
More detailed techniques and information can be found in References [3] and [4].
To prevent these examples from being misunderstood as a requirement of each item, safety goals are
not described in this document.
Example 1 describes the hazard analysis and risk assessment of the TBW in 5.2.5.
Example 2 describes the hazard analysis and risk assessment of the ABS (anti-lock braking system) single
channel in 5.2.6.
Example 3 describes the hazard analysis and risk assessment of the ABS double channel in 5.2.7.
5.2.5 HARA example 1
Example of hazard analysis and risk assessment approach in TBW.
5.2.5.1 Item definition
The item definition of TBW shows as is shown in Table 1.
Both methods are based basically on same item definition. The degree of refinement (e.g. type of
sensors) is not of major relevance for HARA.
Table 1 — Item definition of TBW
Item Function overview
TBW Method To detect rider request and to torque up to the actuator
(1)
Example 1

 Example 2

6
  © ISO 2023 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/DTR 5340:2023(E)
TTabablele 1 1 ((ccoonnttiinnueuedd))
Item Function overview
Method To detect rider operation and to control throttle valve to adjust engine out­
(2) put corresponding to rider's intention

5.2.5.2 Hazard identification
The hazard identification of TBW shows as is shown in Table 2.
Table 2 — Hazard identification of TBW
Item Malfunction (behaviour) and hazard
TBW Method (1) Unwanted sudden acceleration without driver request or far above driv­
er request
Method (2) Unintended accel
...

© ISO 2022 – All rights reserved
ISO/DTR 5340:20222023(E)
ISO TC 22/SC 38/WG 3
Secretariat: JISCUNI
Date: 2023-02
Motorcycles — Consideration for use cases of ISO 26262 Part -12 MSIL classification

DTR stage

Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.

---------------------- Page: 1 ----------------------
© ISO 2022

---------------------- Page: 2 ----------------------
ISO/DTR 5340:2023(E)
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation,
no part of this publication may be reproduced or utilized otherwise in any form or by any means,
electronic or mechanical, including photocopying, or posting on the internet or an intranet,
without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.orgwww.iso.org
Published in Switzerland
© ISO 2022 – All rights reserved
iv © ISO 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/DTR 5340:2023(E)
Contents
Foreword . iv
Introduction. v
1 Scope . 1
2 Normative reference . 1
3 Terms and definitions . 1
4 General topics for MSIL classification . 2
5 Use case of hazard analysis and risk assessment . 2
5.1 Overview . 2
5.2 Examples of HARA . 4
Bibliography . 18
© ISO 2022 – All rights reserved © ISO 2023 – All rights v
reserved

---------------------- Page: 4 ----------------------
ISO/DTR 5340:2023(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is normally
carried out through ISO technical committees. Each member body interested in a subject for which a
technical committee has been established has the right to be represented on that committee.
International organizations, governmental and non-governmental, in liaison with ISO, also take part in
the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all
matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 38,
Motorcycles and mopeds.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2022 – All rights reserved
vi © ISO 2023 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/DTR 5340:2023(E)
Introduction
01 0.1  General
The ISO 26262:2018 series is intended to be applied to safety-related systems that include one or more
electrical and/or electronic (E/E) systems and that are installed in series production road vehicles,
excluding mopeds. The ISO 26262:2018 series does not address unique E/E systems in special vehicles
such as E/E systems designed for drivers with disabilities.
The ISO 26262-12:2018 is the standardsstandard to address the sector-specific needs of E/E systems
within series production motorcycles. The motorcycle industry recognizes the need to use appropriate
safety-related techniques to avoid unreasonable risk resulting from random or systematic faults of E/E
systems.
Motorcycle Safety Integrity Levelsafety integrity level (MSIL) is the output of hazard analysis and risk
assessment (HARA). This is then apportioned between the risk-reduction mechanisms and measures
assigned to E/E systems using Automotive Safety Integrity Levelautomotive safety integrity level (ASIL)
and the risk reduction taken care of by external measures and/or other technologies. Specifically in the
motorcycle industry, a greater proportion of the overall risk reduction is generally apportioned to
external measures (for example, riding rules, training/qualification of riders, personal protective
equipment, e.g. helmets and infrastructure features).
The worldwide established level of technology (“state-of-the-art”) in the motorcycle industry suggests
that ASIL requirements are not appropriate for motorcycles. This is addressed through the alignment
between MSIL and ASIL. It is acknowledged that product development processes and technical
solutions within the motorcycle industry are inhomogeneous with those of the automobile industry;
therefore, the difference between MSIL and ASIL has been made to accommodate worldwide capability.
02 0.2  Objectives
Publicly-available research documents and references relating to the functional safety of motorcycles
are fewer in number than those for passenger cars. The purpose of this technical reportdocument is to
contribute to the functional safety of motorcycles by internationally collecting and providing examples
for motorcycle HARA. This document provides an overview of the principles behind HARA using
simplified examples to the concepts.
A prerequisite for HARA is the item definition, which is not the subject of this document. It also does not
cover the safety goals of the item. This document takes examples of some items on motorcycles, but is
also not exhaustive in terms of their function.
This document presents examples of potential accident scenarios and risk assessments, from the
behaviour of an item when it fails and the hazard at vehicle level to its potential accident scenarios.
Several methods have been published for each of these, and the aim is to provide a side-by-side
comparison to assist in the implementation of HARA.
03 0.3  Points to note
In using this document, please note the following.
The hazard analysis results and MSIL described in this document is just a collection and does not
specify the MSIL of a specific item. Although some examples are given in this document, they are the
result of several approaches and do not specify the MSIL for a particular item. The same applies even if
only one example is given for an item. Also, the information presented in this document is neither
exhaustive nor complete. However, introducing some cases (i.e. analytical approaches and results) will
help shape the image for applying the ISO 26262 series.
© ISO 2022 – All rights reserved © ISO 2023 – All rights vii
reserved

---------------------- Page: 6 ----------------------
ISO/DTR 5340:2023(E)
This document has taken as faithfully as possible the descriptions from published documents. Although
there are formatting differences from the original text for the purpose of side-by-side comparison,
Severityseverity(S), Exposureexposure(E), Controllabilitycontrollability(C) and MSIL described have
not been altered or harmonised in any way. The information contained in this document is only part of
the published material, and it is recommended to consult the original when referring to it in
implementation. The use of these methods is neither mandatory nor recommended and is to be used at
the user's own responsibility.
© ISO 2022 – All rights reserved
viii © ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
TECHNICAL REPORT ISO/DTR 5340:2023(E)

Motorcycles — Consideration for use cases of ISO 26262 Part -12
MSIL classification
1 Scope
This document is intended to be applied to safety-related systems that include one or more electrical
and/or electronic (E/E) systems and that are installed in series production motorcycles. This document
does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with
disabilities.
NOTE : The series production motorcycle is the vehicle that is intended to be used for public roads and is not a
prototype.
This document covers HARA for one or more E/E systems installed in motorcycles. The approach of
HARA defined in ISO 26262-12:2018, Clause 8 is applied to them in a motorcycle environment.
The intended user of this document is a functional-safety analyst complying with requirements in
ISO 26262-12:2018. Therefore, this document does not intend to provide further necessary knowledge
or guidelines in related fields including, but not limited to, item-specific knowledge, user and road
profiling, medicine, statistics, accident research and human factors. Instead, it is intended to be related
to the field of functional safety with the focus on the HARA examples only. It is the responsibility of the
functional-safety analyst, to achieve detailed knowledge about the item under investigation and the
target application environment.
In this document, the values shown are for reference only. Any new HARA can use the latest relevant
data and analyses. The values shown in this document were derived based on some, but not all
segments of information expected within an item description, and thus canare not be considered as an
item definition. The ISO 26262:2018 series requires that a HARA be based on a specific item definition.
This document is not to be constructed to suggest that conducting a HARA without a specific item
definition is acceptable – such a practice is not recommended. The scope of the ISO 26262:2018 scope
series is limited to functional safety which is one aspect of the overall system safety assessment in
safety risk management.
As for any risk assessment method, the methods mentioned in this document have inherent limitations.
The HARA describes a simplified model of the real world, which is neither complete nor fully accurate.
Although each assessment is based on available or applicable data as well as on expert judgment, the
interpretation of such data can vary among analyses. For these reasons, the user of this document can
bear in mind these limitations and judge the applicability of this document in any particular case.
2 Normative reference
There are no normative references in this document.
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
© ISO 2022 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/DTR 5340:2022(E)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 26262-1 apply.
ISO and IEC maintain terminologicalterminology databases for use in standardization at the following
addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 General topics for MSIL classification
Hazard analysis, risk assessment and MSIL determination are used to determine the safety goals for the
item. For this, the item is evaluated with regard to its potential hazardous events. Safety goals and their
assigned MSIL are determined by a systematic evaluation of hazardous events. The MSIL is determined
by considering severity, probability of exposure and controllability. It is based on the item’s functional
behaviour; therefore, the detailed design of the item does not need to be known.
The dynamic behaviour of motorcycles differs greatly from that of other vehicles within the scope of the
ISO 26262 series of standards, and that controllability of motorcycle specific hazardous events could
place more emphasis on the rider. It is recognised that the method of performing risk assessment
requires to best suit motorcycle specific hazardous events.
ISO 26262-12:2018, Annex B gives a general explanation of the hazard analysis and risk assessment.
5 Use case of hazard analysis and risk assessment
5.1 Overview
This clause presents examples of HARA in motorcycles.
HARA is a method to identify and categorize hazardous events of items and to specify safety goals and
MSILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable
risk.
The method of performing a HARA is the same as that of a passenger car, but different hazardous events
(such as falls down) maycan be identified depending on the situation peculiar to a motorcycle and the
difference in controllability. Evaluation of severity and exposure to driver and others differs
significantly from the case of passenger cars.
The case presented below is an example of analysing a scenario in a situation peculiar to motorcycles.
These are just a few of the situations that motorcycles encounter, and each item maycan have other
serious hazards. Also, the MSIL shown in the case is just the result of the case study and does not specify
the MSIL of the item in general.
Safety goals are top-level safety requirements for the item. Safety goals are not expressed in terms of
technological solutions, but in terms of functional objectives. This document does not mention the items
of functional objectives and safety goals.
5.1.1 Item definition
HARA is based on the item definition. The item without internal safety mechanisms is evaluated during
the hazard analysis and risk assessment, i.e. safety mechanisms intended to be implemented or that
have already been implemented in predecessor items are not considered in HARA.
2 © ISO 2022 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/DTR 5340:2022(E)
5.1.2 Hazard identification
HazardThe purpose of hazard identification is to identify the potential source of harm caused by the
malfunctioning behaviour of the item.
Hazards caused by malfunctioning behaviour of the item are defined at the vehicle level.
The hazards are determined systematically based on the possible malfunctioning behaviour of the item.
Failure mode and effects analysis (FMEA) approaches and hazard and operability (HAZOP) are suitable
to support hazard identification at the item level. These can be supported by brainstorming, checklists,
quality history, and field studies. One example to identify a possible malfunction behaviour with the
HAZOP method can be to ask what can happen to the rider or other person if:
— the function is active when it is expected to be deactivated;
— the function is not active when it is expected to be activated;
— the output of the function is unintended to high;
— the output of the function is unintended to low;
— the output of the function came totoo late;
— the output of the function is changing totoo fast;
— the output of the function is in the wrong direction;
— the output of the function is alternating; or.
— etc.
The identified malfunction behaviorbehaviour that can cause harm to the rider or other person can be
documented as relevant malfunction with their consequences.
The relevant situations can be identified with analyzingby analysing the expected usage and the
expected misuse of the motorcycle. The relevant situations can differ due to the design (e.g. superbike,
3 3 3
enduro, etc.)) or performance (e.g. 125cm/10kW, 1000cm /150kW, etc.)125 cm /10 kW,
3
1 000 cm /150 kW) of the analysed motorcycle. Be aware of the of the specific behaviour of a
motorcycle (e.g. lean angle, separated front and rear brake, etc.),), special maneuversmanoeuvres (e.g.
wheelie, stoppie, etc.)) and misuses (e.g. towing other vehicle, overloaded luggage in the top case, etc.).
).
One approach to identify all relevant situation is to build-up a list with possible parameters raised from.
e.g.:, for example:
Driving operation:
— driving speed;
— lean angle; and
— braking.
Road type:
— location (e.g. motorway, urban, crossing road, etc.);); and
— road surface condition (e.g. dry, wet, ice, etc.).).
© ISO 2022 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/DTR 5340:2022(E)
Situations:
— Overtaking;
— Parking;
— Wheelie;
— Crash; and
etc— overtaking;
— parking;
— wheelie;
— crash.
Be aware that a combination of parameterparameters can change the consequences, because it maycan
lead to an inappropriate lowering of the MSIL.
The relevant situations where the identified malfunction can cause harm the rider or other person are
the hazardous events for the risk assessment. The consequences of hazardous events are identified.
EXAMPLE : An unintended to too-high torque output of the engine on a dry country road in a curve with large
lean angle can lead to leaving the road lane and to a collision with obstacles.
For a detailed description of the approach, please refer to the ISO 26262-3:2018, 6.4.2 and ISO 26262-
12:2018, 8.4.2.
5.1.3 Risk assessment
Risk assessment is a series of classifications of potential harms caused by hazards in terms of severity,
probability of exposure, or controllability.
The severity of the potential harm is estimated based on a defined rationale for each hazardous event.
The severity is assigned to one of the severity classes: S0, S1, S2 or S3.
The probability of exposure of each operational situation is estimated based on a defined rationale for
each hazardous event. The probability of exposure is assigned to one of the probability classes,: E0, E1,
E2, E3 or E4.
The controllability of each hazardous event, by the rider or other persons involved in the operational
situation is estimated based on a defined rationale for each hazardous event. The controllability is
assigned to one of the controllability classes: C0, C1, C2 or C3.
An MSIL is determined for each hazardous event based on the classification of severity, probability of
exposure and controllability. Four MSILs are defined: MSIL A, MSIL B, MSIL C and MSIL D, where MSIL A
is representing the least stringent and MSIL D the most stringent level. QM is not an MSIL, but maycan
be specified in the hazard analysis and risk assessment.
Each assessment is based on available or applicable data as well as on expert judgment, the
interpretation of such data can vary among analyses.
4 © ISO 2022 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/DTR 5340:2022(E)
5.2 Examples of HARA
5.2.1 General
For There are different approaches possible for selecting the appropriate values of E, S and C are
different approaches possible. Possible sources for values can be guidelines, technical papers, ISO
26262-12:2018 Annex B, government statistics, expert judgements or measured data from equivalent
motorcycles. The source can be selected according to worldwide use or limited to the expected
homologation areas.
For example, the maximum allowed motorway speed can differ in different countries and can change
over time (e.g. India:80km 80 km/h, England:110km 110 km/h, Japan:120km 120 km/h, Italy:130km
130 km/h, USA:137km 137 km/h, Germany: partly >250km250 km/h allowed).
NOTE : See Bibliography [7], TABLE Reference [6], Table A4: SPEED LAWS AND ENFORCEMENT BY COUNTRY
/ AREASpeed Laws and Enforcement by Country / Area.
Different teams can use different approaches and can come to different results of what can be correct.
The use of the data sources must be conservative and correspond to the vehicle, item and target market.
Each selected value of E, S and C can be argued. So, it is possible to follow the selection and the value can
be adapted if there is a change.
5.2.2 Example for HARA procedure
a) Hazard identification
5.2.2.11.1.1.1 Hazard identification
Unintended acceleration of TBW function
b) Operational Situationsituation
Driving on a German motorway with >130km130 km/h in close distance to vehicle in front (heavy
traffic), 0-°-5° lean angle
c) Affected persons
Rider and passenger
d) Classification of exposure
Duration E3; E4 for driving on motorway due to commuting use of the analyzedanalysed
motorcycle but -1 due to “close distance to vehicle in front (heavy traffic)” = E3; Drivingdriving data
records from an equivalent motorcycle have shown a driving duration of much less than 10 % at a
speed >130km130 km/h = E3
e) Classification of severity
S3; Seriousserious injuries due to falling down with >130km130 km/h; Nono traffic in opposite
direction expected on motorways = no increase.
f) Classification of controllability
© ISO 2022 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/DTR 5340:2022(E)
C3; Riderrider can handle the brakes or engine stop switch to reduce the acceleration and can steer
to avoid collision but not more than 90 % of all riders can react fast enough in this situation (heavy
traffic).)
5.2.3 Safety goal determination
To determine the safety goal, identify the MSIL for each hazard event is identified in accordance with
ISO 26262-12:22018, 8.4.3.10 and the corresponding malfunction that must be prevented with a safety
concept.
The safety goal can have the following information:
— it can be named what can be avoided by the safety function;
— the maximum ASIL can be named;
— the safe state can be defined (e.g.,. switch off function output for fail safe systems);
2
— the error threshold for the controllability estimation (e.g.,, acceleration more than 2.6m,6 m/s ) can
be defined; and
— the fault tolerant time interval (e.g., 300ms. 300 ms) can be defined.
The safety goal, its information and the safe state can be validated according to ISO 26262-12:2018 Sec.,
Clause 10. The transition to safe state and the safe state itself can provide sufficient controllability. If a
test is used to validate the information or the safe state, the safety of the test rider has the highest
priority.
5.2.4 Examples of HARA method
In this document, examples of HARA for some items are shown. These items are widely used in
motorcycles, and there are also published examples of HARA research reports. By quoting and
organizing them, it will help to understand in implementing HARA in practice.
[4] [3]
This document cites ANCMA guidelines [1 and SAE technical paper [2 .
In some tables, there are expressions of "Method (1)" and "Method (2)". They showThis means that:
a) Method (1): Approachis the approach shown in ANCMA guidelinesReference [4];
b) Method (2): Approachis the approach shown in SAE technical paperReference [3].
Each reference has its own features. For example, in HARA of TBW(Throttle By Wire (throttle by wire),
method (1) defines an item as a device that generates driving force regardless of whether it is an
internal combustion engine or an electric motor, while method (2) defines an item that focuses on
throttle body control.
It also covers scenarios that are not considered as significant risks for motor vehicles, because those
scenarios could be the serious hazards for motorcycles.
In the Methodmethod (2)), driving data for some real-world traffic environments for motorcycle has
been studied, to provide an estimate for the exposure. In some cases, the controllability was estimated
by the subjective evaluation of the expert rider which is accepted in the standard as one of the methods.
The severity was estimated based on official real-world traffic accident statistics.
The reason for clarifying the two approaches is that the abstraction and quantitative differences in the
information they deal with affect MSIL.
6 © ISO 2022 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/DTR 5340:2022(E)
EXAMPLE : The difference in acceleration in the scenario.
More detailed techniques and information can be found at ANCMA guidelinesin References [3] and SAE
technical paper.[4].
To prevent these examples from being misunderstood as a requirement of each item, safety goals are
not described in this document.
Example 1 describes the hazard analysis and risk assessment of the TBW in 5.2.5.
Example 2 describes the hazard analysis and risk assessment of the ABS (Antianti-lock Braking Systembraking
system) single channel in 5.2.6.
Example 3 describes the hazard analysis and risk assessment of the ABS double channel in 5.2.7.
5.2.5 5.2.5 HARA example 1
Example of hazard analysis and risk assessment approach in TBW.
5.2.5.1 5.2.5.1 Item definition
The item definition of TBW shows as is shown in Table 1.
As easily seen, are bothBoth methods are based basically on same item definition. The degree of
refinement (e.g. type of sensors) is not of major relevance for HARA.
Table 1 — Item definition of TBW
Item Function overview
TBW Method To detect rider request and to torque up to the actuator.
Split Cells
(1)
Example 1Example 2


  Example 2


 Method To detect rider operation and to control throttle valve to adjust engine output
Split Cells
(2) corresponding to rider's intention
© ISO 2022 – All rights reserved 7

---------------------- Page: 14 ----------------------
ISO/DTR 5340:2022(E)


5.2.5.2 Hazard identification

5.2.5.2 Hazard identification
The hazard identification of TBW shows as is shown in Table 2.
Table 2 — Hazard identification of TBW
Item Malfunction (behaviour) & Hazard
Item Malfunction (behaviour) and hazard
TBW Method (1) Unwanted sudden acceleration without driver request or far above
driver request
Method (2) Unintended acceleration without driver request or far above driver
request

5.2.5.25.2.5.3 5.2.5.3 Risk assessment
Table 3 show examples of risk assessment for TBW.
NOTE: 1 Comparable situations maycan be evaluated in different approach.
Table 3 — Results of TBW risk assessment
Vehicle Level Potential accident Scenarioscenario E C S MSIL
Hazardlevel
hazard
Unintended Method (1) In motorway/highway, high speed in light traffic E4 C2 S3 C
acceleration Possible collision with preceding vehicle
without
Urban intersection on middle lane, low speed in E4 C3 S2 C
driver
heavy traffic
request or
Unwanted crossing of intersection, lateral
far above
collision other vehicles.
driver
request
Extra urban road with uphill curve in the night, no E2 C3 S3 B
good grip
Loss of trajectory, invasion of the opposite lane,
accident with other vehicles in opposite direction.
Urban road, good grip in Zig-Zag maneuver zig-zag E4 C2 S2 B
manoeuvre
Collision and invasion of opposite direction
8 © ISO 2022 – All rights reserved

---------------------- Page: 15 ----------------------
ISO/DTR 5340:2022(E)
Vehicle Level Potential accident Scenarioscenario E C S MSIL
Hazardlevel
hazard
In motorway/highway, high speed in light traffic, E3 C3 S2 B
moving in parallel lanes
Possible collision with oncoming vehicle
Method (2) Unintended acceleration during urban travelling E3 C3 S2 B
and colliding to preceding vehicle

Vehicle speed: 40 km/h Generatedgenerated
2
acceleration: 3.,92 m/s
Unintended acceleration during turning corner E3 C3 S3 C
with urban travelling and colliding to oncoming
vehicle

Vehicle speed: 30 km/h Generatedgenera
...