ISO/PAS 19695:2015

PUBLICLY ISO/PAS
AVAILABLE 19695
SPECIFICATION
First edition
2015-12-01
Motorcycles — Functional safety
Motocycles — Sécurité fonctionnelle
Reference number
©
ISO 2015
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms, definitions, and abbreviated terms . 1
4 Safety management during the concept phase and the product development .2
4.1 Objective . 2
4.2 General . 2
4.3 Input to this Clause . 2
4.3.1 Prerequisites . 2
4.3.2 Further supporting information . 2
4.4 Requirements and recommendations . 3
4.4.1 General. 3
4.4.2 Confirmation measures: Types, independency, and authority . 3
4.5 Work products . 5
5 Hazard analysis and risk assessment . 5
5.1 Objective . 5
5.2 General . 5
5.3 Input to this Clause . 6
5.3.1 Prerequisites . 6
5.3.2 Further supporting information . 6
5.4 Requirements and recommendations . 6
5.4.1 Initiation of the hazard analysis and risk assessment . 6
5.4.2 Situation analysis and hazard identification. 6
5.4.3 Classification of hazardous events . 7
5.4.4 Determination of MSIL . 9
5.4.5 Determination of ASIL and safety goals .10
5.4.6 Verification .11
5.5 Work products .11
6 Vehicle integration and testing .11
6.1 Objectives.11
6.2 General .12
6.3 Input to this Clause .12
6.3.1 Prerequisites .12
6.3.2 Further supporting information .12
6.4 Requirements and recommendations .12
6.4.1 Vehicle integration .12
6.4.2 Test goals and test methods during vehicle testing .12
6.5 Work products .15
7 Safety Validation .15
7.1 Objectives.15
7.2 General .15
7.3 Inputs to this Clause .15
7.3.1 Prerequisites .15
7.3.2 Further supporting information .16
7.4 Requirements and recommendation .16
7.4.1 Validation environment .16
7.4.2 Planning of validation .16
7.4.3 Execution of validation .16
7.4.4 Evaluation .17
7.5 Work products .17
Annex A (informative) Hazard analysis and risk assessment for motorcycles .18
Annex B (informative) Example of controllability classification techniques .28
Bibliography .32
iv © ISO 2015 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 22, Road vehicles, Subcommittee SC 38,
Motorcycles and mopeds.
Introduction
This Publicly Available Standard is the adaptation of ISO 26262:2011 (all parts) to comply with needs
specific to the application sector of electrical and/or electronic (E/E) systems installed in motorcycles,
and provides the partial tailoring activities of ISO 26262-2:2011, Clause 6, ISO 26262-3:2011, Clause 7,
and ISO 26262-4:2011, Clauses 8 and 9.
ISO 26262:2011 (all parts) is intended to be applied to safety-related systems that include one or more
E/E systems and that are installed in series production passenger cars with a maximum gross vehicle
mass up to 3 500 kg. ISO 26262:2011 (all parts) does not address unique E/E systems in special purpose
vehicles such as vehicles designed for drivers with disabilities.
The motorcycle industry recognizes the need to use appropriate safety-related techniques to avoid
unreasonable risk resulting from random or systematic faults of E/E systems.
Many of the requirements specified in ISO 26262:2011 (all parts) are applicable for E/E systems
produced for the motorcycle industry and therefore it was accepted by SC 22 (superseded to SC 38) that
the E/E systems developed for motorcycles should be within the scope of ISO 26262:2011 (all parts).
However, the adoption of ISO 26262:2011 (all parts) can lead to an inappropriate estimation of
motorcycle risk. Therefore, some existing ISO 26262:2011 (all parts) requirements are considered
infeasible for the motorcycle industry, e.g. user test under real-life conditions.
Motorcycle Safety Integrity Level (MSIL) is the output of hazard analysis and risk assessment. This is
then apportioned between the risk reduction mechanisms and measures assigned to E/E systems using
Automotive Safety Integrity Level (ASIL) and the risk reduction taken care of by external measures
and/or other technologies [which are outside the scope of ISO 26262:2011 (all parts) and this Publicly
Available Standard].
Specifically in the motorcycle industry, a greater proportion of the overall risk reduction is generally
apportioned to external measures (for example, riding rules, training/qualification of riders, personal
protective equipment, e.g. helmets and infrastructure features).
The worldwide established level of technology (“state-of-the-art”) in the motorcycle industry suggests
that ASIL requirements are not appropriate for motorcycles. This is addressed through the alignment
between MSIL and ASIL.
It is acknowledged that product development processes and technical solutions within the motorcycle
industry are inhomogeneous with those of the automobile industry; therefore, the difference between
MSIL and ASIL has been made to accommodate worldwide capability.
It can be necessary to modify certain requirements, methods, and measures of ISO 26262:2011 (all
parts) in order to adapt the standards’ best practices to match state-of-the-art practices for motorcycle
functional safety.
Other areas of ISO 26262:2011 (all parts) which would be affected by inclusion of motorcycles within
the scope of the standard have also been identified and necessary changes recommended. The content
of this Publicly Available Standard requires consideration and acceptance by SC 32 in order to facilitate
the inclusion of motorcycles within the scope of ISO 26262:2011 (all parts) Edition 2.
Figure 1 shows the structure and relation of this Publicly Available Standard and ISO 26262:2011 (all
parts).
vi © ISO 2015 – All rights reserved

Figure 1 — Overview of this Publicly Available Standard and the relation to ISO 26262:2011 (all
parts)
PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 19695:2015(E)
Motorcycles — Functional safety
1 Scope
This Publicly Available Standard is intended to be applied to safety-related systems that include one
or more electrical and/or electronic (E/E) systems and that are installed in series production two-
wheeled or three-wheeled motorcycles.
This Publicly Available Standard does not address unique E/E systems in special purpose vehicles, such
as vehicles designed for competition.
This Publicly Available Standard addresses possible hazards caused by malfunctioning behaviour of E/E
safety-related systems, including interaction of these systems. It does not address hazards related to
electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy,
and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.
This Publicly Available Standard does not address the nominal performance of E/E systems, even if
dedicated functional performance standards exist for these systems.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-1:2011, Road vehicles — Functional safety — Part 1: Vocabulary
ISO 26262-2:2011, Road vehicles — Functional safety — Part 2: Management of functional safety
ISO 26262-3:2011, Road vehicles — Functional safety — Part 3: Concept phase
ISO 26262-4:2011, Road vehicles — Functional safety — Part 4: Product development at the system level
ISO 26262-5:2011, Road vehicles — Functional safety — Part 5: Product development at the hardware level
ISO 26262-6:2011, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-8:2011, Road vehicles — Functional safety — Part 8: Supporting processes
ISO 26262-9:2011, Road vehicles — Functional safety — Part 9: Automotive Safety Integrity Level (ASIL)-
oriented and safety-oriented analyses
3 Terms, definitions, and abbreviated terms
For the purposes of this document, the terms and definitions given in ISO 26262-1:2011 and the
following apply
3.1
expert rider
role filled by persons capable of evaluating controllability classifications based on operation of
actual motorcycles
Note 1 to entry: An expert rider is a rider who has the
— skill to evaluate controllability,
— capability to conduct the vehicle test, and
— knowledge to evaluate motorcycle controllability characteristics with respect to a representative rider’s
riding capability.
Note 2 to entry: See Annex B for information relating to the use of expert riders.
3.2
motorcycle safety integrity level
MSIL
one of four levels that specify the item’s or element’s necessary ISO 26262:2011 (all parts) risk reduction
requirements and safety measures to apply for avoiding unreasonable residual risk for items and
elements used specifically in motorcycle applications, with D representing the most stringent and A the
least stringent level
4 Safety management during the concept phase and the product development
4.1 Objective
The objective of this Clause is to define the independency requirements of confirmation measures
associated with ASIL, converted from MSIL.
4.2 General
Safety management includes the responsibility to ensure that the confirmation measures are
performed. Depending on the applicable ASIL, some confirmation measures require independence
regarding resources, management, and release authority (see 4.4).
Confirmation measures include confirmation reviews, functional safety audits, and functional
safety assessments.
— The confirmation reviews are intended to check the compliance of selected work products to the
corresponding requirements of ISO 26262 (all parts).
— A functional safety audit evaluates the implementation of the processes required for the functional
safety activities.
— A functional safety assessment evaluates the functional safety achieved by the item.
In addition to the confirmation measures, verification reviews are performed. These reviews, which
are required in other parts of ISO 26262, are intended to verify that the associated work products fulfil
the project requirements, and the technical requirements with respect to use cases and failure modes.
Table 1 lists the required confirmation measures. ISO 26262-2:2011, Annex D lists the reviews
concerning verification and refers to the applicable parts of ISO 26262.
4.3 Input to this Clause
4.3.1 Prerequisites
See applicable prerequisites of the relevant phases of the safety lifecycle in which confirmation
measures are planned or carried out.
4.3.2 Further supporting information
See applicable further supporting information of the relevant phases of the safety lifecycle in which
confirmation measure is planned or carried out.
2 © ISO 2015 – All rights reserved

4.4 Requirements and recommendations
4.4.1 General
The organizations involved in the execution of the safety lifecycle shall comply with 4.4.2 for items that
have at least one safety goal with an ASIL A, B, or C, unless stated otherwise.
4.4.2 Confirmation measures: Types, independency, and authority
4.4.2.1 The confirmation measures specified in Table 1 shall be performed, in accordance with the
required level of independency as specified in ISO 26262-2:2011, Table 2, 6.4.3.5 i), 6.4.8, and 6.4.9.
NOTE 1 The confirmation reviews are performed for those work products that are specified in Table 1 and
required by the safety plan.
NOTE 2 A confirmation review includes the checking of correctness with respect to formality, contents,
adequacy, and completeness regarding the requirements of ISO 26262:2011 (all parts).
NOTE 3 Table 1 includes the confirmation measures. An overview of the verification reviews is given in
ISO 26262-2:2011, Annex D.
NOTE 4 A report that is a result of a confirmation measure includes the name and revision number of the work
products or process documents analysed (see ISO 26262-8:2011, 10.4.5).
NOTE 5 If the item changes subsequent to the completion of confirmation reviews or functional safety
assessments, then these will be repeated or supplemented (see ISO 26262-8:2011, 8.4.5.2).
NOTE 6 The aim of each confirmation measure is given in ISO 26262-2:2011, Annex C.
NOTE 7 Confirmation measures such as confirmation reviews and functional safety audits can be merged and
combined with the functional safety assessment to support the handling of comparable variants of an item.
Table 1 — Required confirmation measures, including the required level of independency
Degree of
a
independency
Confirmation measures applies to ASIL, con- Scope
verted from MSIL
A B C
Confirmation review of the hazard analysis
The scope of this review shall include
and risk assessment of the item (see Clause 5,
the correctness of the determined
ISO 26262-3:2011, Clauses 5, and if applicable,
ASILs and quality management (QM)
I2 I2 I2
ISO 26262-8:2011, Clause 5)
ratings of the identified hazardous
events for the item, and a review of
Independence with regard to those generating
the safety goals
the work product
a
The notations are defined as follows:
— —:  no requirement and no recommendation for or against regarding this confirmation measure;
— I0:  the confirmation measure should be performed; however, if the confirmation measure is performed, it shall be
performed by a different person;
— I1:  the confirmation measure shall be performed, by a different person;
— I2:  the confirmation measure shall be performed, by a person from a different team, i.e. not reporting to the same direct
superior.
b
A software tool development is outside the item’s safety lifecycle whereas the qualification of such a tool is an activity
of the safety lifecycle.
Table 1 (continued)
Degree of
a
independency
Confirmation measures applies to ASIL, con- Scope
verted from MSIL
A B C
Confirmation review of the safety plan (see
ISO 26262-2:2011, 6.5.1)
Applies to the highest ASIL among the
— I1 I2
safety goals of the item
Independence with regard to those generating
the work product
Confirmation review of the item integration
and testing plan (see ISO 26262-4:2011)
Applies to the highest ASIL among the
I0 I1 I2
safety goals of the item
Independence with regard to those generating
the work product
Confirmation review of the validation plan (see
ISO 26262-4:2011)
Applies to the highest ASIL among the
I0 I1 I2
safety goals of the item
Independence with regard to those generating
the work product
Confirmation review of the safety analyses (see
ISO 26262-9:2011, Clause 8)
Applies to the highest ASIL among the
I1 I1 I2
safety goals of the item
Independence with regard to those generating
the work product
Confirmation review of the software tool qual-
b
ification report (see ISO 26262-8:2011, Clause
Applies to the highest ASIL of the
11)
— I0 I1 requirements that can be violated by
the use of the tool
Independence with regard to the persons per-
forming the qualification of the software tool
Confirmation review of the proven in use
Applies to the ASIL of the safety goal
arguments (analysis, data, and credit) of the
or requirement related to the con-
candidates (see ISO 26262-8:2011, Clause 14)
I0 I1 I2
sidered behaviour, or function, of the
Independence with regard to those developing
candidate
the argument
Confirmation review of the completeness of the
safety case (see ISO 26262-2:2011, 6.5.3)
Applies to the highest ASIL among the
I0 I1 I2
safety goals of the item
Independence with regard to those developing
the safety case
Functional safety audit in accordance with
ISO 26262-2:2011, 6.4.8
Applies to the highest ASIL among the
— I0 I2
safety goals of the item
Independence with regard to the developers of
the item and project management
a
The notations are defined as follows:
— —:  no requirement and no recommendation for or against regarding this confirmation measure;
— I0:  the confirmation measure should be performed; however, if the confirmation measure is performed, it shall be
performed by a different person;
— I1:  the confirmation measure shall be performed, by a different person;
— I2:  the confirmation measure shall be performed, by a person from a different team, i.e. not reporting to the same direct
superior.
b
A software tool development is outside the item’s safety lifecycle whereas the qualification of such a tool is an activity
of the safety lifecycle.
4 © ISO 2015 – All rights reserved

Table 1 (continued)
Degree of
a
independency
Confirmation measures applies to ASIL, con- Scope
verted from MSIL
A B C
Functional safety assessment in accordance
with ISO 26262-2:2011, 6.4.9
Applies to the highest ASIL among the
— I0 I2
safety goals of the item
Independence with regard to the developers of
the item and project management
a
The notations are defined as follows:
— —:  no requirement and no recommendation for or against regarding this confirmation measure;
— I0:  the confirmation measure should be performed; however, if the confirmation measure is performed, it shall be
performed by a different person;
— I1:  the confirmation measure shall be performed, by a different person;
— I2:  the confirmation measure shall be performed, by a person from a different team, i.e. not reporting to the same direct
superior.
b
A software tool development is outside the item’s safety lifecycle whereas the qualification of such a tool is an activity
of the safety lifecycle.
4.4.2.2 The persons who carry out a confirmation measure shall have access to, and shall be supported
by, the persons and organizational entities that carry out safety activities during the item development.
4.4.2.3 The persons who carry out a confirmation measure shall have access to the relevant
information and tools.
4.5 Work products
Confirmation measure reports, resulting from 4.4.2 and ISO 26262-2:2011, Table 2, 6.4.8 and 6.4.9
5 Hazard analysis and risk assessment
5.1 Objective
This Clause provides a tailoring of ISO 26262-3:2011, Clause 7 for motorcycles.
The objective of the hazard analysis and risk assessment for motorcycles is to identify and to categorize
the hazards that malfunctions in the item can trigger and to formulate the safety goals related to the
prevention or mitigation of the hazardous events, in order to avoid unreasonable risk.
The objective of this Clause is to specify the necessary requirements that need to be complied with in
order to perform a motorcycle specific hazard analysis and risk assessment.
5.2 General
Due to the fact that the dynamic behaviour of motorcycles differs greatly from that of passenger cars,
and that controllability of motorcycle specific hazardous events could place more emphasis on the
rider, it is recognized that the method of performing risk assessment requires a degree of tailoring to
best suit motorcycle specific hazardous events.
Hazard analysis, risk assessment, and MSIL determination are used to determine the safety goals
for the item such that an unreasonable risk is avoided. For this, the item is evaluated with regard to
its potential hazardous events. Safety goals and their assigned MSIL are determined by a systematic
evaluation of hazardous events. The MSIL is determined by considering the estimate of the impact
factors, i.e. severity, probability of exposure, and controllability. It is based on the item’s functional
behaviour; therefore, the detailed design of the item does not necessarily need to be known.
5.3 Input to this Clause
5.3.1 Prerequisites
The following information shall be available:
— item definition in accordance with ISO 26262-3:2011, 5.5.
5.3.2 Further supporting information
The following information can be considered:
— impact analysis, if applicable (see ISO 26262-3:2011, 6.5.1);
— relevant information on other independent items (from external source).
5.4 Requirements and recommendations
5.4.1 Initiation of the hazard analysis and risk assessment
5.4.1.1 The hazard analysis and risk assessment shall be based on the item definition.
5.4.1.2 The item without internal safety mechanisms shall be evaluated during the hazard analysis
and risk assessment, i.e. safety mechanisms intended to be implemented or that have already been
implemented in predecessor items shall not be considered in the hazard analysis and risk assessment.
NOTE 1 In the evaluation of an item, available and sufficiently independent external measures can be beneficial.
NOTE 2 Safety mechanisms of the item that are intended to be implemented or that have already been
implemented are incorporated as part of the functional safety concept.
5.4.2 Situation analysis and hazard identification
5.4.2.1 Situation analysis
5.4.2.1.1 The operational situations and operating modes in which an item’s malfunctioning behaviour
will result in a hazardous event shall be described, both for cases when the vehicle is correctly used and
when it is incorrectly used in a foreseeable way.
NOTE The operational situation addresses the limits within which the item is expected to behave in a safe
manner.
EXAMPLE 1 A normal motorcycle is not expected to travel on unimproved or unpaved surfaces at high speed.
EXAMPLE 2 A normal motorcycle is not expected to be used for road race, motocross, or trial events.
5.4.2.2 Hazard identification
5.4.2.2.1 The hazards shall be determined systematically by using adequate techniques.
NOTE Techniques such as brainstorming, checklists, review of quality history, analysis of accident data,
FMEA, and field studies can be used for the extraction of hazards at the item level.
6 © ISO 2015 – All rights reserved

5.4.2.2.2 Hazards shall be defined in terms of the conditions or behaviour that can be observed at the
vehicle level.
NOTE 1 In general, each hazard will have a variety of potential causes related to the item’s implementation but
they do not need to be considered in the hazard analysis and risk assessment for the definition of the conditions
or behaviour, which result from a functional behavior of the item.
NOTE 2 Only hazards associated with the item itself can be considered, every other system (external measure)
is presumed to be functioning correctly provided it is sufficiently independent.
5.4.2.2.3 The hazardous events shall be determined for relevant combinations of operational
situations and hazards.
5.4.2.2.4 It shall be ensured that the chosen level of detail of the list of operational situations does not
lead to an inappropriate lowering of the MSIL.
NOTE A very detailed list of operational situations (see 5.4.2.1) for one hazard, with regard to the vehicle
state, road conditions, and environmental conditions, can lead to a very granular classification of hazardous
events. This can make it easier to rate controllability and severity. However, a larger number of different
operational situations can lead to a consequential reduction of the respective classes of exposure, and thus to an
inappropriate lowering of the MSIL.
5.4.2.2.5 The consequences of hazardous events shall be identified.
NOTE If failures at an item level induce the loss of several functions of the item, then the situation analysis
and hazard identification considers the resulting hazardous events from the combined malfunctional behaviour
of the item or vehicle.
EXAMPLE Failure of the vehicle electrical power supply system can cause the simultaneous loss of a number
of functions including “engine torque” and “forward illumination”.
5.4.2.2.6 If there are hazards identified in 5.4.2.2 that are outside of the scope of this Publicly Available
Standard (see Clause 1), then the need for appropriate measures to mitigate or control these hazards
shall be highlighted and reported to the responsible persons.
NOTE As these hazards are outside the scope of this Publicly Available Standard, hazard classification is
not necessary.
5.4.3 Classification of hazardous events
5.4.3.1 All hazardous events identified in 5.4.2.2.3 shall be classified, except those that are outside the
scope of this Publicly Available Standard.
NOTE If classification of a given hazard with respect to severity, probability of exposure, or controllability
is difficult to make, it is classified conservatively, i.e. whenever there is reasonable doubt, a higher S, E, or C
classification is given rather than a lower.
5.4.3.2 The severity of potential harm shall be estimated based on a defined rationale for each
hazardous event. The severity shall be assigned to one of the severity classes S0, S1, S2, or S3 in
accordance with Table 2.
NOTE 1 The risk assessment of hazardous events focuses on the harm to each person potentially at risk,
including the rider or the passengers of the vehicle causing the hazardous event, and other persons potentially
at risk such as cyclists, pedestrians, or occupants of other vehicles. The description of the Abbreviated Injury
Scale (AIS) can be used for characterising the severity and can be found in Annex A. For informative examples
of different types of severity and accidents, see Annex A. Where available, motorcycle appropriate accident
databases can be used to provide a basis for determining severity levels.
NOTE 2 The severity class can be based on a combination of injuries and this can lead to a higher evaluation of
the severity than would result from just looking at single injuries.
NOTE 3 The estimate considers reasonable sequences of events for the situation being evaluated.
NOTE 4 The severity determination is based on a representative sample of individuals for the target markets.
NOTE 5 Standard protective equipment (e.g. helmet, protective jacket, gloves, and boots) as prescribed in the
vehicle user manual is assumed to be in use.
Table 2 — Classes of severity
Class
S0 S1 S2 S3
Description No injuries Light and moderate Severe and life- Life-threatening
injuries threatening injuries injuries (survival
(survival probable) uncertain), fatal inju-
ries
5.4.3.3 The severity class S0 may be assigned if the hazard analysis determines that the consequences
of a malfunctioning behaviour of the item are clearly limited to material damage and do not involve harm
to persons. If a hazard is assigned to severity class S0, no MSIL assignment is required.
5.4.3.4 The probability of exposure of each operational situation shall be estimated based on a defined
rationale for each hazardous event. The probability of exposure shall be assigned to one of the probability
classes, E0, E1, E2, E3, and E4, in accordance with Table 3.
NOTE 1 For classes E1 to E4, the difference in probability from one E class to the next is an order of magnitude.
NOTE 2 The exposure determination is based on a representative sample of operational situations for the
target markets.
NOTE 3 For details and examples related to the probability of exposure, see Annex A.
Table 3 — Classes of probability of exposure regarding operational situations
Class
E0 E1 E2 E3 E4
Description Extremely low Very low Low probability Medium High
probability probability probability probability
5.4.3.5 The number of vehicles equipped with the item shall not be considered when estimating the
probability of exposure.
NOTE The evaluation of the probability of exposure is performed assuming each vehicle is equipped with
the item. This means that the argument “the probability of exposure can be reduced, because the item is not
present in every vehicle (as only some vehicles are equipped with the item)” is not valid.
5.4.3.6 Class E0 may be used for those situations that are suggested during hazard analysis and risk
assessment, but which are considered to be extremely unusual and therefore not followed up. A rationale
shall be recorded for the exclusion of these situations. If a hazard is assigned to exposure class E0, no
MSIL assignment is required.
EXAMPLE E0 can be used in the case of “force majeure” risk (see A.3).
5.4.3.7 The controllability of each hazardous event, by the person(s) potentially at risk, shall be
estimated based on a defined rationale for each hazardous event. The controllability shall be assigned to
one of the controllability classes C0, C1, C2, and C3, in accordance with Table 4.
8 © ISO 2015 – All rights reserved

NOTE 1 The evaluation of the controllability is an estimate of the probability that the person(s) potentially at
risk are able to gain sufficient control of the hazardous event, such that they are able to avoid the specific harm.
For this purpose, the parameter C is used, with the classes C0, C1, C2, and C3, to classify the potential of avoiding
harm. Some examples, which serve as an interpretation of these classes, are listed in Table A.4. Estimates can be
made using either experimental or analytical procedures.
NOTE 2 For motorcycles, it is assumed that the rider is in an appropriate condition to ride (e.g. he/she is
not tired), has the appropriate riding training (he/she has a rider’s licence), understands the operational
characteristics of the motorcycle in use, and is complying with all applicable legal regulations, including due care
requirements to avoid risks to other traffic participants.
NOTE 3 Where the hazardous event is not related to the control of the vehicle direction and speed, e.g.
potential limb entrapment in moving parts, the controllability can be an estimate of the probability that the
person at risk is able to remove themselves, or to be removed by others from the hazardous situation. When
considering controllability, note that the person at risk might not be familiar with the operation of the item.
NOTE 4 When controllability involves the actions of multiple traffic participants, the controllability
assessment can be based on the controllability of the vehicle with the malfunctioning item, and the likely action
of other participants.
NOTE 5 For motorcycle hazardous events, the evaluation of controllability levels is described in Annex B.
Table 4 — Classes of controllability
Class
C0 C1 C2 C3
Description Controllable in Simply Normally Difficult to control or
general controllable controllable uncontrollable
5.4.3.8 Class C0 is used for hazards addressing the unavailability of the item if they do not affect the
safe operation of the vehicle (e.g. some driver assistance systems). Class C0 may be assigned if dedicated
regulations exist that specify the functional performance with respect to a defined hazard, and C0 is
argued using the corresponding existing experience concerning sufficient controllability. If a hazard is
assigned to the controllability class C0, no MSIL assignment is required.
EXAMPLE A dedicated regulation is the certification of a vehicle system with a precise definition of forces or
acceleration values in the case of a failure.
5.4.4 Determination of MSIL
5.4.4.1 A MSIL shall be determined for each hazardous event using the parameters “severity”,
“probability of exposure” and “controllability” in accordance with Table 5.
NOTE Four MSILs are defined: MSIL A, MSIL B, MSIL C, and MSIL D, where MSIL A is the lowest safety
integrity level and MSIL D the highest safety integrity level.
Table 5 — MSIL determination
Controllability class
Severity class Probability class
C1 C2 C3
E1 QM QM QM
E2 QM QM QM
S1
E3 QM QM A
E4 QM A B
Table 5 (continued)
Controllability class
Severity class Probability class
C1 C2 C3
E1 QM QM QM
E2 QM QM A
S2
E3 QM A B
E4 A B C
E1 QM QM A
E2 QM A B
S3
E3 A B C
E4 B C D
5.4.5 Determination of ASIL and safety goals
5.4.5.1 The conversion of MSIL to ASIL shall be performed in accordance with Table 6, prior to the
definition of the safety goals, so that applicable ISO 26262:2011 (all parts) requirements can be adopted.
NOTE 1 In addition to these three ASILs, the class QM (quality management) denotes no requirement to
comply with ISO 26262:2011 (all parts).
NOTE 2 In order to adopt the necessary risk reduction requirements and safety measures contained in
ISO 26262:2011 (all parts), it is important that MSIL is converted to ASIL so that the most appropriate degree of
rigour is used in avoiding unreasonable residual risk associated with malfunctioning E/E items or elements used
in motorcycle applications.
NOTE 3 To support the integration of this Publicly Available Standard into the ISO 26262:2011 (all parts)
Edition 2, the term ASIL D has been retained within this Publicly Available Standard.
Table 6 — Conversion of MSIL to ASIL
MSIL ASIL
QM QM
A QM
B A
C B
D C
5.4.5.2 A safety goal shall be determined for each hazardous event with an ASIL, converted from MSIL.
If similar safety goals are determined, these may be combined into one safety goal.
NOTE Safety goals are top-level safety requirements for the item. They lead to the functional safety
requirements needed to avoid an unreasonable risk for ea
...