Road vehicles — Extended Vehicle (ExVe) time critical applications — General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)

This document defines the classification methodology of time-constrained situations and their requirements, that are to be addressed by the "ExVe time critical interfaces" described in ISO 20077‑1. Time-constrained situations include safety-critical situations. It is important for the design of the vehicle to have priority management of "ExVe time critical interface" resources in order to comply with time constrained situations requirements. The methodology provides a classification, which determines application priorities for optimal vehicle resource allocation.

Véhicules routiers — Applications temps critiques du véhicule étendu (ExVe) — Exigences générales, définitions et méthodologie de classification des situations sous contrainte de temps liées à la sécurité routière et à la sûreté du véhicule étendu (RExVeS)

General Information

Status: Published
Publication Date: 09-Jul-2020
Current Stage: 6060 - International Standard published
Start Date: 10-Jul-2020
Due Date: 07-Dec-2020
Completion Date: 10-Jul-2020


Standard
ISO 23132:2020 - Road vehicles -- Extended Vehicle (ExVe) time critical applications -- General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
English language
23 pages
Draft
ISO/FDIS 23132 - Road vehicles -- Extended Vehicle (ExVe) time critical applications -- General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
English language
24 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO 23132
First edition 2020-07
Road vehicles — Extended Vehicle (ExVe) time critical applications — General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
Véhicules routiers — Applications temps critiques du véhicule étendu (ExVe) — Exigences générales, définitions et méthodologie de classification des situations sous contrainte de temps liées à la sécurité routière et à la sûreté du véhicule étendu (RExVeS)
Reference number ISO 23132:2020(E)
© ISO 2020


COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Conventions and guidelines for specifying RExVeS-related requirements
6 The RExVeS methodology
6.1 General
6.2 Analysis of RExVeS-related scenarios
6.3 Classification of RExVeS-related time-constrained and safety-critical situations
6.3.1 Classification scheme
6.3.2 Classes of severity
6.3.3 Classes of probability of exposure
6.3.4 Classes of controllability
6.3.5 Determination of the priority class of a RExVeS-related time-constrained situation
6.3.6 Template for the description and priority class assignment of a RExVeS-related situation
7 Connected vehicle design prerequisites
Annex A (normative) Template for the description and priority class assignment of RExVeS-related situations (including safety-critical situations)
Annex B (informative) Example 1 of use of the RExVeS template
Annex C (informative) Example 2 of use of the RExVeS template
Annex D (informative) Example 3 of use of the RExVeS template
Annex E (informative) List of use-cases
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,
Data communication.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Preventing death and serious injury in road traffic crashes is a global priority. With the advent of
vehicular data communications, road vehicles become connected vehicles, and safety is one of the key
issues in the development of such road vehicles. ISO 26262-1 defines the vehicle safety as the absence
of unreasonable risks that arise from malfunctions of the E/E system. The absence of unreasonable
risk due to these potentially hazardous behaviours related to specific limitations (identified in
ISO/PAS 21448 [7]) is defined as the safety of the intended functionality (SOTIF). Functional safety
(addressed by the ISO 26262 series) and SOTIF are distinct and complementary aspects of safety.
This document defines a complementary methodology for the prioritization of safety-related external
communication use-cases to help to design extended vehicle time-critical interfaces described in the
ISO 20077-1.
NOTE 1 ISO 20077-1 defines the concepts and terms related to the extended vehicle (ExVe), whereas
ISO 20077-2 specifies general rules and basic principles that the manufacturer of the ExVe considers when
elaborating its own design method.
NOTE 2 ISO 20077-1 defines an "extended vehicle" (ExVe) as an "entity, still in accordance with the
specifications of the vehicle manufacturer, that extends beyond the physical boundaries of the road vehicle and
consists of the road vehicle, off-board systems, external interfaces, and the data communication between the
road vehicle and the off-board systems". Road vehicles without off-board systems and road vehicles equipped
with telematics units are extended vehicles.
Recent developments in the field of connected vehicles, in various parts of the world, bring hope of being
able to improve road safety, e.g. by reducing the number of road fatalities through collision avoidance
cooperation. Connected vehicles taking into account ISO 20077-1 and ISO 20077-2 take their part in this
global effort.
Because embedded resources are limited by design, priority management is necessary to apply these
resources to the function and request with the highest criticality.
For these connected vehicles, the use of the “ExVe time critical interfaces” is firstly associated with
safety-critical functions (e.g. emergency braking, steering), that is, functions for which the priorities
are based on a criticality concept.
It is important that all the functions using the “ExVe time critical interfaces” take into account the
capabilities of the vehicles in which they are installed.
During the design phase, the connected vehicle behaviour regarding all safety-critical situations and its
interactions with the external environment should be defined. Its implementation can be based on the
methodology proposed in this document.
1 Scope
This document defines the classification methodology of time-constrained situations and their
requirements, that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
Time-constrained situations include safety-critical situations.
It is important for the design of the vehicle to have priority management of "ExVe time critical interface"
resources in order to comply with time constrained situations requirements.
The methodology provides a classification, which determines application priorities for optimal vehicle
resource allocation.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20077-1, Road Vehicles — Extended vehicle (ExVe) methodology — Part 1: General information
ISO 20077-2, Road Vehicles — Extended vehicle (ExVe) methodology — Part 2: Methodology for designing
the extended vehicle
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 20077-1, ISO 20077-2,
ISO 26262-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
road and ExVe safety
RExVeS
set of means (e.g. use cases), conditions and requirements to be considered by the “ExVe time-critical
interfaces” described in ISO 20077-1, including time-constrained and safety-critical situations (3.4)
Note 1 to entry: The intent is to minimise risk of harm (as described in ISO 26262-1) in road safety-related
situations.
Note 2 to entry: In the context of RExVeS, a use case is a set of scenarios (3.2) that have a common goal.
3.2
scenario
sequence of connected vehicle (3.11) actions, events, reactions, and interactions, in a road
safety setting
3.3
time-constrained situation
combination of a road safety-related connected vehicle (3.11) scenario (3.2) and RExVeS-
related time constraints, in which lack of communication capability or excessive (communication)
latency can lead to malfunctions or other injurious consequences
3.4
safety-critical situation
combination of a road safety-related connected vehicle (3.11) scenario (3.2) and an
unacceptable risk of harm
3.5
situation priority class
one of six situation priority classes (P1, P2, P3, P4, P5 or P6) determined according to the
severity, the probability of exposure, and the controllability associated with an evaluated time-
constrained situation (3.3)
3.6
safety-critical situation priority class
one of the four situation priority classes (3.5) (P3, P4, P5 or P6) determined according to the
severity, the probability of exposure, and the controllability associated with an evaluated safety-critical
situation (3.4)
3.7
time-constrained safety-related function
function under strict time constraints that contributes to the achievement of safety objectives
EXAMPLE "CAM generation" (see ETSI EN 302 637-2 [1]) and "BSM generation" (see SAE J2735 [2] and SAE
J2945 [3]). "DENM generation" (see ETSI EN 302 637-3 [4]) is another example of time-constrained safety-related
function.
3.8
peri-vehicular
near or around a vehicle
3.9
peri-vehicular data communication
vehicular data communications in the geographic vicinity of a vehicle
3.10
safety-critical situation reaction time interval
time-interval from the detection of a safety-critical situation (3.4) to the broadcast to
neighbouring road users at risk of an appropriate safety-critical message via time-constrained safety-
related functions (3.7) and peri-vehicular data communications (3.9)
3.11
connected vehicle
road vehicle using peri-vehicular data communications (3.9)
4 Symbols and abbreviated terms
ADAS Advanced Driver-Assistance Systems
BSM Basic Safety Message
CAM Cooperative Awareness Message
DENM Decentralized Environmental Notification Message
ExVe Extended Vehicle
RExVeS Road and ExVe safety
TAI International Atomic Time
UTC Coordinated Universal Time
5 Conventions and guidelines for specifying RExVeS-related requirements
In this document, requirements are formalized as follows:
REQ Number RExVeS – Name
Description
“Number” represents the individual requirement number.
“Name” is the name of requirement, if needed.
“Description” is the requirement itself.
Requirements in this document are generic and technology agnostic. No actual testing is to be done
against them, but they should be used as a guide to define the technology-dependent requirements.
Some technology-dependent requirements may not make it possible to address all priority classes of
RExVeS-related time-constrained situations (see 6.3.5).
Unless otherwise stated, the requirements in this document apply to all priority classes.
6 The RExVeS methodology
6.1 General
The RExVeS methodology brings forward means to identify and classify time-constrained situations
(safety-critical or not) that are addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
The methodology provides an automotive-specific risk-based approach to determine the priority class
of a RExVeS-related time-constrained situation. It is adapted from ISO 26262-3 [5] hazard analysis and
risk assessment (HARA) and enriched with systems-theoretic process analysis (STPA) insights. The
major difference is that in ISO 26262-3 [5], the results of the analysis are ASILs while in this document
the results are time-constrained situation priority classes.
NOTE 1 The appropriate use of the RExVeS methodology is intended to fulfil RExVeS-related requirements
and a set of connected vehicle design prerequisites (see Clause 7).
NOTE 2 Unless otherwise stated, in this document, connected vehicle means connected vehicle taking into
account ISO 20077-1 and ISO 20077-2.
The RExVeS methodology starts with the analysis of road safety-related connected vehicle scenarios
in which time-constrained situations (safety-critical or not) may occur. Then, a systematic evaluation
of each identified time-constrained situation is performed to determine the RExVeS-related situation
priority class to which it pertains. The RExVeS-related situation priority class is determined by
considering severity, probability of exposure and controllability criteria.
Figure 1 provides an example of use of the RExVeS methodology in the context of the ExVe design
methodology.
Figure 1 — The RExVeS methodology in the ExVe design methodology context (example)
The RExVeS methodology complements ISO 20077-1 and ISO 20077-2 guidelines for the design of an
extended vehicle, from which a vehicle manufacturer can derive its own methods and procedures to
design an extended vehicle that addresses a specific set of use cases and scenarios. These methods and
procedures remain part of the know-how of each vehicle manufacturer.
According to ISO 20077-2, any ExVe functionality request is described through use cases and scenarios
(see ISO 20077-2 template for technical request), in order to support a precise description of the need.
Detailed descriptions of relevant RExVeS-related scenarios are important in this respect.
According to ISO 20077-2, for a given use case and scenario, the ExVe manufacturer is responsible
for defining the appropriate extended vehicle’s interfaces for the considered functionality (see
ISO 20077-2). When an ExVe time critical interface is considered, the identified time-constrained
situations can be analysed with the RExVeS methodology. As a result, the criticality of the situations is
evaluated (severity, probability of exposure, controllability) and, along with any applicable regulations,
it gives an indication of relevance and priority to the vehicle manufacturer considering the development
of the functionality with an ExVe time-critical interface.
NOTE 3 As RExVeS-related scenarios with safety-critical situations give the biggest causes for concern, they
are considered first in the methodology description and dealt with in more detail.
6.2 Analysis of RExVeS-related scenarios
Complex and dynamic processes and interactions are often involved in road accidents. RExVeS-related
safety-critical situations may occur when processes or interactions do not meet safety objectives, e.g.
because appropriate objectives have not been selected.
The goal of the analysis of RExVeS-related scenarios is to identify time-constrained situations (safety-
critical or not) that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
This requires accumulating information about how such situations can occur.
A RExVeS-related time-constrained situation is a combination of a road safety-related connected vehicle
scenario and RExVeS-related time constraints, in which a lack of communication capability or excessive
(communication) latency can lead to malfunctions or other injurious consequences. In a RExVeS-related
safety-critical situation, there is additionally an unacceptable risk of harm.
NOTE 1 There is not necessarily an unacceptable risk of harm in all time-constrained situations.
Rapidly changing environments where there is a potential for safety-critical situations are examples of
RExVeS-related scenarios. "Imminent collision" is a characteristic of many RExVeS-related problematic
scenarios. "Loss of vehicle control" is a less recurring one, but it is important to take it into account.
An imminent front collision with another vehicle at high speed on a country road is an example of a
RExVeS-related safety-critical situation.
Even when the vehicle is stationary, a RExVeS-related safety-critical situation can be present if it is
stopped in an unsafe location.
RExVeS-related use cases and scenarios where safety-critical situations can happen, and where a
worst-case set of environmental conditions may lead to "loss of vehicle control" or "imminent collision",
should be analysed before taking action.
NOTE 2 RExVeS-related use cases encompass all connected vehicle use cases (including cooperative collision
avoidance use cases) where at least one RExVeS-related problematic scenario exists. As a result, RExVeS-related
use cases are not limited to already identified and standardized connected vehicle and road safety use cases (in
ISO, SAE, ETSI etc.). The potential applicability of RExVeS-related requirements is much broader.
NOTE 3 ISO 26262-3:2018 [5], Annex B provides examples of RExVeS-related scenarios and of safety-critical
situations.
Factors to be considered in the hazard analysis and risk assessment of RExVeS-related scenarios
include:
— vehicle usage scenarios, for example high speed driving, urban driving, parking, off-road;
— environmental conditions, for example rain, snow, wind, road surface condition;
— reasonably foreseeable driver use and misuse;
— interactions between operational systems, particularly those implementing RExVeS-related time-
constrained safety-related functions;
— cybersecurity attacks leading to malicious communications or default of the vehicle ITS station. See
also ISO/SAE 21434 [6] (under preparation; stage at the time of publication: ISO/SAE DIS 21434:2020);
— if there is an impact, timing constraints resulting from functional safety, “safety of the intended
functionality” and cybersecurity activities;
— in this analysis, the vehicle and its communication capabilities are considered by default in working
order. See also ISO/PAS 21448 [7].
REQ 23132-01 RExVeS – 01
The consequences of each evaluated RExVeS-related time-constrained situation shall be identified, focusing
on the harm to each person potentially at risk, including the driver and the passengers of the vehicle,
but also the other persons potentially at risk such as cyclists, pedestrians or occupants of other vehicles.
6.3 Classification of RExVeS-related time-constrained and safety-critical situations
6.3.1 Classification scheme
The classification scheme comprises the determination of the severity, the probability of exposure, and
the controllability associated with the RExVeS-related time-constrained situations (safety-critical or not).
The severity represents an estimate of the potential harm in a particular situation, while the probability
of exposure depends on how frequently and for how long individuals find themselves in such a RExVeS-
related scenario. The controllability rates how easy or difficult it is for the driver or other road traffic
participant to avoid the considered accident type in the considered scenario. It is the intention that
severity, probability of exposure and controllability estimates are consistent with those coming from
functional safety activities.
NOTE Depending on the number of related hazardous events, the classification can result in one or more
combinations of severity, probability of exposure, and controllability.
6.3.2 Classes of severity
The potential injuries that result from a time-constrained situation (safety-critical or not) are evaluated
for the driver, passengers and people around the vehicle, or in surrounding vehicles to determine the
severity class.
The severity of potential harm is estimated based on a defined rationale for each evaluated situation
and is assigned to one of the severity classes: S0 (no injuries), S1 (light and moderate injuries), S2
(severe and life-threatening injuries with survival probable) or S3 (life-threatening injuries with
survival uncertain or fatal injuries).
NOTE ISO 26262-3:2018 [5], Annex B presents examples of consequences which can occur for a given
safety-critical situation, together with the corresponding severity class for each consequence.
For instance, a pedestrian accident with low speed, that can result in severe and life-threatening
injuries with survival probable, may be classified S2.
6.3.3 Classes of probability of exposure
The probability of exposure to a RExVeS-related scenario is estimated based on a defined rationale
for each evaluated situation (safety-critical or not). The probability of exposure is assigned to one of
the probability classes: E1 (very low probability, e.g. occurs less often than once a year for the great
majority of drivers), E2 (low probability, e.g. occurs a few times a year for the great majority of drivers),
E3 (medium probability, e.g. occurs once a month or more often for an average driver) or E4 (high
probability, e.g. occurs during almost every drive on average).
NOTE ISO 26262-3:2018 [5], Annex B presents examples of scenarios classified by duration and frequency,
together with typical exposure rankings.
For instance, driving a vehicle on a wet city street with heavy "stop and go" traffic may be classified E3
(occurs once a month or more often for an average driver).
6.3.4 Classes of controllability
The controllability class for a given time-constrained situation (safety-critical or not) is determined
by estimating the likelihood that representative drivers, potentially assisted by advanced driver-
assistance systems (ADAS), will be able to retain or regain control of the vehicle if the situation were to
occur, or that individuals in the vicinity will contribute to the avoidance of the situation by their actions.
NOTE 1 Controllability is influenced by a number of factors including use of ADAS, driver profiles for the
target market, individuals’ age, eye-hand coordination, driving experience, cultural background, etc.
NOTE 2 Estimations take into account local laws and regulations, as well as reasonably foreseeable misuse
(e.g. not keeping the required distance to the vehicle in front).
The controllability of each evaluated situation, by the driver or other persons involved in the situation,
is estimated based on a defined rationale for each situation. The controllability is assigned to one of
the controllability classes: C0 (controllable in general), C1 (simply controllable, e.g. more than 99 %
of the average drivers or other traffic participants are able to avoid harm), C2 (normally controllable,
e.g. between 90 % and 99 % of the average drivers or other traffic participants are able to avoid harm)
or C3 (difficult to control or uncontrollable, e.g. less than 90 % of the average drivers or other traffic
participants are able to avoid harm).
NOTE 3 If class C0 is assigned, there is no requirement to assign a priority class to the evaluated situation and
therefore, Table 1 does not take C0 into account.
NOTE 4 ISO 26262-3:2018 [5], Annex B provides examples of driving situations and the assumptions about the
corresponding control behaviours that would avoid harm. These situations are mapped to the controllability
rankings, clarifying the 90 % and 99 % breakpoint levels for judging controllability.
For instance, maintaining intended driving path while being distracted may be classified C1 (simply
controllable).
6.3.5 Determination of the priority class of a RExVeS-related time-constrained situation
To classify the RExVeS-related time-constrained situations (safety-critical or not), six priority classes
(P1, P2, P3, P4, P5 and P6) are defined according to the risks of harm involved, with P6 representing the
most stringent class (i.e. used to protect against the highest risks).
To de
...
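The class definitions in 6.3.2 to 6.3.5 and in 3.5 and 3.6 can be applied as a consistency check on assessment records before they drive resource allocation. The following is an added example, not part of ISO 23132: the record layout, function names and sample values are assumptions, and because Table 1 is not reproduced in this sample the priority class is taken as input and only checked, never derived.

```python
"""Added example (not part of ISO 23132): consistency checks for RExVeS records.

Table 1 (the S/E/C -> priority lookup) is not reproduced in this sample, so the
priority class is an input that is checked, never derived.
"""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY = ("S0", "S1", "S2", "S3")              # 6.3.2
EXPOSURE = ("E1", "E2", "E3", "E4")              # 6.3.3
CONTROLLABILITY = ("C0", "C1", "C2", "C3")       # 6.3.4
PRIORITY = ("P1", "P2", "P3", "P4", "P5", "P6")  # 6.3.5, P6 most stringent
SAFETY_CRITICAL_PRIORITY = PRIORITY[2:]          # definition 3.6: P3..P6 only


def controllability_from_avoidance(percent: float) -> str:
    """Map the share of average drivers or other traffic participants able to
    avoid harm to C1..C3 using the 90 % / 99 % breakpoints of 6.3.4.

    Assumption: exactly 90 % and exactly 99 % both fall in C2 ("between").
    C0 ("controllable in general") is a qualitative judgement and is never
    returned here.
    """
    if not 0.0 <= percent <= 100.0:
        raise ValueError("percentage must be within 0..100")
    if percent > 99.0:
        return "C1"
    if percent >= 90.0:
        return "C2"
    return "C3"


@dataclass(frozen=True)
class Situation:
    """Hypothetical record layout; field names are not taken from Annex A."""
    name: str
    severity: str
    exposure: str
    controllability: str
    safety_critical: bool
    priority: Optional[str] = None


def check(sit: Situation) -> List[str]:
    """Return the inconsistencies found in one record (empty list if none)."""
    problems = []
    for field, value, allowed in (
        ("severity", sit.severity, SEVERITY),
        ("exposure", sit.exposure, EXPOSURE),
        ("controllability", sit.controllability, CONTROLLABILITY),
    ):
        if value not in allowed:
            problems.append(f"{field}: unknown class {value!r}")
    if sit.priority is None:
        # NOTE 3 of 6.3.4, read here as: only a C0 situation may go without
        # a priority class.
        if sit.controllability != "C0":
            problems.append("priority: missing for a situation that is not C0")
    elif sit.priority not in PRIORITY:
        problems.append(f"priority: unknown class {sit.priority!r}")
    elif sit.safety_critical and sit.priority not in SAFETY_CRITICAL_PRIORITY:
        problems.append("priority: safety-critical situations use P3..P6")
    return problems


def allocation_order(situations: List[Situation]) -> List[Situation]:
    """Consistent, prioritised situations, most stringent class first."""
    ranked = [s for s in situations if s.priority is not None and not check(s)]
    return sorted(ranked, key=lambda s: PRIORITY.index(s.priority), reverse=True)


# Constructed sample records; the class values are illustrative and are not
# taken from the standard's annexes.
SAMPLE = [
    Situation("wet city street, stop-and-go traffic", "S1", "E3", "C1", False, "P2"),
    Situation("imminent front collision, country road", "S3", "E2", "C3", True, "P6"),
    Situation("vehicle stopped in unsafe location", "S2", "E2", "C2", True, "P2"),
    Situation("parking manoeuvre", "S0", "E4", "C0", False),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.name, "->", check(s) or "ok")
    print([s.name for s in allocation_order(SAMPLE)])
```

The third record is rejected because a safety-critical situation carries a class below P3, so it never reaches the allocation order.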

FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 23132
ISO/TC 22/SC 31
Secretariat: DIN
Voting begins on: 2020-04-21
Voting terminates on: 2020-06-16
Road vehicles — Extended Vehicle (ExVe) time critical applications — General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
Véhicules routiers — Applications temps critiques du véhicule étendu (ExVe) — Exigences générales, définitions et méthodologie de classification des situations sous contrainte de temps liées à la sécurité routière et à la sûreté du véhicule étendu (RExVeS)
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number ISO/FDIS 23132:2020(E)
© ISO 2020
---------------------- Page: 1 ----------------------
ISO/FDIS 23132:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH­1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/FDIS 23132:2020(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 3
5 Conventions and guidelines for specifying RExVeS-related requirements.3
6 The RExVeS methodology . 3
6.1 General . 3
6.2 Analysis of RExVeS-related scenarios . 4
6.3 Classification of RExVeS-related time-constrained and safety-critical situations . 5
6.3.1 Classification scheme . 5
6.3.2 Classes of severity . 6
6.3.3 Classes of probability of exposure . 6
6.3.4 Classes of controllability . 6
6.3.5 Determination of the priority class of a RExVeS-related time-constrained
situation . . 7
6.3.6 Template for the description and priority class assignment of a RExVeS-
related situation . 8
7 Connected vehicle design prerequisites . 8
Annex A (normative) Template for the description and priority class assignment of RExVeS-
related situations (including safety-critical situations) . 9
Annex B (informative) Example 1 of use of the RExVeS template .10
Annex C (informative) Example 2 of use of the RExVeS template .14
Annex D (informative) Example 3 of use of the RExVeS template .18
Annex E (informative) List of use-cases .21
Bibliography .23
© ISO 2020 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/FDIS 23132:2020(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,
Data communication.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Preventing death and serious injury in road traffic crashes is a global priority. With the advent of
vehicular data communications, road vehicles become connected vehicles, and safety is one of the key
issues in the development of such road vehicles. ISO 26262-1 defines the vehicle safety as the absence
of unreasonable risks that arise from malfunctions of the E/E system. The absence of unreasonable
risk due to these potentially hazardous behaviours related to specific limitations (identified in
ISO/PAS 21448 [7]) is defined as the safety of the intended functionality (SOTIF). Functional safety
(addressed by the ISO 26262 series) and SOTIF are distinct and complementary aspects of safety.
This document defines a complementary methodology for the prioritization of safety-related external
communication use-cases to help to design extended vehicle time-critical interfaces described in the
ISO 20077-1.
NOTE 1 ISO 20077-1 defines the concepts and terms related to the extended vehicle (ExVe), whereas
ISO 20077-2 specifies general rules and basic principles that the manufacturer of the ExVe considers when
elaborating its own design method.
NOTE 2 ISO 20077-1 defines an "extended vehicle" (ExVe) as an "entity, still in accordance with the
specifications of the vehicle manufacturer, that extends beyond the physical boundaries of the road vehicle and
consists of the road vehicle, off-board systems, external interfaces, and the data communication between the
road vehicle and the off-board systems". Road vehicles without off-board systems and road vehicles equipped
with telematics units are extended vehicles.
Recent developments in the field of connected vehicles, in various parts of the world, bring hope of being
able to improve road safety, e.g. by reducing the number of road fatalities through collision avoidance
cooperation. Connected vehicles taking into account ISO 20077-1 and ISO 20077-2 take their part in this
global effort.
Because embedded resources are limited by design, priority management is necessary to apply these
resources to the function and request with the highest criticality.
For these connected vehicles, the use of the “ExVe time critical interfaces” is firstly associated with
safety-critical functions (e.g. emergency braking, steering) that are functions for which the priorities
are based on a criticality concept.
It is important that all the functions using the “ExVe time critical interfaces” take into account the
capabilities of the vehicles in which they are installed.
During the design phase, the connected vehicle behaviour regarding all safety-critical situations and its
interactions with the external environment should be defined. Its implementation can be based on the
methodology proposed in this document.

FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 23132:2020(E)
Road vehicles — Extended Vehicle (ExVe) time critical
applications — General requirements, definitions and
classification methodology of time-constrained situations
related to Road and ExVe Safety (RExVeS)
1 Scope
This document defines the classification methodology of time-constrained situations and their
requirements, that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
Time-constrained situations include safety-critical situations.
It is important for the design of the vehicle to have priority management of "ExVe time critical interface"
resources in order to comply with time constrained situations requirements.
The methodology provides a classification, which determines application priorities for optimal vehicle
resource allocation.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20077-1, Road Vehicles — Extended vehicle (ExVe) methodology — Part 1: General information
ISO 20077-2, Road Vehicles — Extended vehicle (ExVe) methodology — Part 2: Methodology for designing
the extended vehicle
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 20077-1, ISO 20077-2,
ISO 26262-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
road and ExVe safety
RExVeS
set of means (e.g. use cases), conditions and requirements to be considered by the “ExVe time-critical
interfaces” described in ISO 20077-1, including time-constrained and safety-critical situations (3.4)
Note 1 to entry: The intent is to minimise risk of harm (as described in ISO 26262-1) in road safety-related
situations.
Note 2 to entry: In the context of RExVeS, a use case is a set of scenarios (3.2) that have a common goal.
3.2
scenario
sequence of connected vehicle (3.11) actions, events, reactions, and interactions, in a road
safety setting
3.3
time-constrained situation
combination of a road safety-related connected vehicle (3.11) scenario (3.2) and RExVeS-
related time constraints, in which lack of communication capability or excessive (communication)
latency can lead to malfunctions or other injurious consequences
3.4
safety-critical situation
combination of a road safety-related connected vehicle (3.11) scenario (3.2) and an
unacceptable risk of harm
3.5
situation priority class
one of six situation priority classes (P1, P2, P3, P4, P5 or P6) determined according to the
severity, the probability of exposure, and the controllability associated with an evaluated time-
constrained situation (3.3)
3.6
safety-critical situation priority class
one of the four situation priority classes (3.5) (P3, P4, P5 or P6) determined according to the
severity, the probability of exposure, and the controllability associated with an evaluated safety-critical
situation (3.4)
3.7
time-constrained safety-related function
function under strict time constraints that contributes to the achievement of safety objectives
EXAMPLE "CAM generation" (see ETSI EN 302 637-2 [1]) and "BSM generation" (see SAE J2735 [2] and SAE
J2945 [3]). "DENM generation" (see ETSI EN 302 637-3 [4]) is another example of a time-constrained
safety-related function.
3.8
peri-vehicular
near or around a vehicle
3.9
peri-vehicular data communication
vehicular data communications in the geographic vicinity of a vehicle
3.10
safety-critical situation reaction time interval
time-interval from the detection of a safety-critical situation (3.4) to the broadcast to
neighbouring road users at risk of an appropriate safety-critical message via time-constrained safety-
related functions (3.7) and peri-vehicular data communications (3.9)
3.11
connected vehicle
road vehicle using peri-vehicular data communications (3.9)
4 Symbols and abbreviated terms
ADAS Advanced Driver-Assistance Systems
BSM Basic Safety Message
CAM Cooperative Awareness Message
DENM Decentralized Environmental Notification Message
ExVe Extended Vehicle
RExVeS Road and ExVe safety
TAI International Atomic Time
UTC Coordinated Universal Time
5 Conventions and guidelines for specifying RExVeS-related requirements
In this document, requirements are formalized as follows:
REQ Number RExVeS – Name
Description
“Number” represents the individual requirement number.
“Name” is the name of requirement, if needed.
“Description” is the requirement itself.
Requirements in this document are generic and technology agnostic. No actual testing is to be done
against them, but they should be used as a guide to define the technology-dependent requirements.
Some technology-dependent requirements may not make it possible to address all priority classes of
RExVeS-related time-constrained situations (see 6.3.5).
Unless otherwise stated, the requirements in this document apply to all priority classes.
6 The RExVeS methodology
6.1 General
The RExVeS methodology brings forward means to identify and classify time-constrained situations
(safety-critical or not) that are addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
The methodology provides an automotive-specific risk-based approach to determine the priority class
of a RExVeS-related time-constrained situation. It is adapted from ISO 26262-3 [5] hazard analysis and
risk assessment (HARA) and enriched with systems-theoretic process analysis (STPA) insights. The
major difference is that in ISO 26262-3 [5], the results of the analysis are ASILs while in this document
the results are time-constrained situation priority classes.
NOTE 1 The appropriate use of the RExVeS methodology is intended to fulfil RExVeS-related requirements
and a set of connected vehicle design prerequisites (see Clause 7).
NOTE 2 Unless otherwise stated, in this document, connected vehicle means connected vehicle taking into
account ISO 20077-1 and ISO 20077-2.
The RExVeS methodology starts with the analysis of road safety-related connected vehicle scenarios
in which time-constrained situations (safety-critical or not) may occur. Then, a systematic evaluation
of each identified time-constrained situation is performed to determine the RExVeS-related situation
priority class to which it pertains. The RExVeS-related situation priority class is determined by
considering severity, probability of exposure and controllability criteria.
Figure 1 provides an example of use of the RExVeS methodology in the context of the ExVe design
methodology.
Figure 1 — The RExVeS methodology in the ExVe design methodology context (example)
The RExVeS methodology complements ISO 20077-1 and ISO 20077-2 guidelines for the design of an
extended vehicle, from which a vehicle manufacturer can derive its own methods and procedures to
design an extended vehicle that addresses a specific set of use cases and scenarios. These methods and
procedures remain part of the know-how of each vehicle manufacturer.
According to ISO 20077-2, any ExVe functionality request is described through use cases and scenarios
(see ISO 20077-2 template for technical request), in order to support a precise description of the need.
Detailed descriptions of relevant RExVeS-related scenarios are important in this respect.
According to ISO 20077-2, for a given use case and scenario, the ExVe manufacturer is responsible
for defining the appropriate extended vehicle’s interfaces for the considered functionality (see
ISO 20077-2). When an ExVe time critical interface is considered, the identified time-constrained
situations can be analysed with the RExVeS methodology. As a result, the criticality of the situations is
evaluated (severity, probability of exposure, controllability) and, along with any applicable regulations,
it gives an indication of relevance and priority to the vehicle manufacturer considering the development
of the functionality with an ExVe time-critical interface.
NOTE 3 As RExVeS-related scenarios with safety-critical situations give the biggest causes for concern, they
are considered first in the methodology description and dealt with in more detail.
6.2 Analysis of RExVeS-related scenarios
Complex and dynamic processes and interactions are often involved in road accidents. RExVeS-related
safety-critical situations may occur when processes or interactions do not meet safety objectives, e.g.
because appropriate objectives have not been selected.
The goal of the analysis of RExVeS-related scenarios is to identify time-constrained situations (safety-
critical or not) that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.
This requires accumulating information about how such situations can occur.
A RExVeS-related time-constrained situation is a combination of a road safety-related connected vehicle
scenario and RExVeS-related time constraints, in which a lack of communication capability or excessive
(communication) latency can lead to malfunctions or other injurious consequences. In a RExVeS-related
safety-critical situation, there is additionally an unacceptable risk of harm.
NOTE 1 There is not necessarily an unacceptable risk of harm in all time-constrained situations.
Rapidly changing environments where there is a potential for safety-critical situations are examples of
RExVeS-related scenarios. "Imminent collision" is a characteristic of many RExVeS-related problematic
scenarios. "Loss of vehicle control" is a less recurring one, but it is important to take it into account.
An imminent front collision with another vehicle at high speed on a country road is an example of a
RExVeS-related safety-critical situation.
Even when the vehicle is stationary, a RExVeS-related safety-critical situation can be present if it is
stopped in an unsafe location.
RExVeS-related use cases and scenarios where safety-critical situations can happen, and where a
worst-case set of environmental conditions may lead to "loss of vehicle control" or "imminent collision",
should be analysed before taking action.
NOTE 2 RExVeS-related use cases encompass all connected vehicle use cases (including cooperative collision
avoidance use cases) where at least one RExVeS-related problematic scenario exists. As a result, RExVeS-related
use cases are not limited to already identified and standardized connected vehicle and road safety use cases (in
ISO, SAE, ETSI etc.). The potential applicability of RExVeS-related requirements is much broader.
NOTE 3 ISO 26262-3:2018 [5], Annex B provides examples of RExVeS-related scenarios and of safety-critical
situations.
Factors to be considered in the hazard analysis and risk assessment of RExVeS-related scenarios
include:
— vehicle usage scenarios, for example high speed driving, urban driving, parking, off-road;
— environmental conditions, for example rain, snow, wind, road surface condition;
— reasonably foreseeable driver use and misuse;
— interactions between operational systems, particularly those implementing RExVeS-related time-
constrained safety-related functions;
— cybersecurity attacks leading to malicious communications or default of the vehicle ITS station. See
also ISO/SAE 21434 [6] 1);
— if there is an impact, timing constraints resulting from functional safety, “safety of the intended
functionality” and cybersecurity activities;
— in this analysis, the vehicle and its communication capabilities are considered by default in working
order. See also ISO/PAS 21448 [7].
REQ 23132-01 RExVeS – 01
The consequences of each evaluated RExVeS-related time-constrained situation shall be identified,
focusing on the harm to each person potentially at risk, including the driver and the passengers of the
vehicle, but also the other persons potentially at risk such as cyclists, pedestrians or occupants of other vehicles.
6.3 Classification of RExVeS-related time-constrained and safety-critical situations
6.3.1 Classification scheme
The classification scheme comprises the determination of the severity, the probability of exposure, and
the controllability associated with the RExVeS-related time-constrained situations (safety-critical or not).
1) Under preparation. Stage at the time of publication: ISO/SAE DIS 21434:2020.
The severity represents an estimate of the potential harm in a particular situation, while the probability
of exposure depends on how frequently and for how long individuals find themselves in such a RExVeS-
related scenario. The controllability rates how easy or difficult it is for the driver or other road traffic
participant to avoid the considered accident type in the considered scenario. It is the intention that
severity, probability of exposure and controllability estimates are consistent with those coming from
functional safety activities.
NOTE Depending on the number of related hazardous events, the classification can result in one or more
combinations of severity, probability of exposure, and controllability.
6.3.2 Classes of severity
The potential injuries that result from a time-constrained situation (safety-critical or not) are evaluated
for the driver, passengers and people around the vehicle, or in surrounding vehicles to determine the
severity class.
The severity of potential harm is estimated based on a defined rationale for each evaluated situation
and is assigned to one of the severity classes: S0 (no injuries), S1 (light and moderate injuries), S2
(severe and life-threatening injuries with survival probable) or S3 (life-threatening injuries with
survival uncertain or fatal injuries).
NOTE ISO 26262-3:2018 [5], Annex B presents examples of consequences which can occur for a given safety-
critical situation, together with the corresponding severity class for each consequence.
For instance, a pedestrian accident with low speed, that can result in severe and life-threatening
injuries with survival probable, may be classified S2.
6.3.3 Classes of probability of exposure
The probability of exposure to a RExVeS-related scenario is estimated based on a defined rationale
for each evaluated situation (safety-critical or not). The probability of exposure is assigned to one of
the probability classes: E1 (very low probability, e.g. occurs less often than once a year for the great
majority of drivers), E2 (low probability, e.g. occurs a few times a year for the great majority of drivers),
E3 (medium probability, e.g. occurs once a month or more often for an average driver) or E4 (high
probability, e.g. occurs during almost every drive on average).
NOTE ISO 26262-3:2018 [5], Annex B presents examples of scenarios classified by duration and frequency,
together with typical exposure rankings.
For instance, driving a vehicle on a wet city street with heavy "stop and go" traffic may be classified E3
(occurs once a month or more often for an average driver).
6.3.4 Classes of controllability
The controllability class for a given time-constrained situation (safety-critical or not) is determined
by estimating the likelihood that representative drivers, potentially assisted by advanced driver-
assistance systems (ADAS), will be able to retain or regain control of the vehicle if the situation were to
occur, or that individuals in the vicinity will contribute to the avoidance of the situation by their actions.
NOTE 1 Controllability is influenced by a number of factors including use of ADAS, driver profiles for the
target market, individuals’ age, eye-hand coordination, driving experience, cultural background, etc.
NOTE 2 Estimations take into account local laws and regulations, as well as reasonably foreseeable misuse
(e.g. not keeping the required distance to the vehicle in front).
The controllability of each evaluated situation, by the driver or other persons involved in the situation,
is estimated based on a defined rationale for each situation. The controllability is assigned to one of
the controllability classes: C0 (controllable in general), C1 (simply controllable, e.g. more than 99 %
of the average drivers or other traffic participants are able to avoid harm), C2 (normally controllable,
e.g. between 90 % and 99 % of the average drivers or other traffic participants are able to avoid harm)
or C3 (difficult to control or uncontrollable, e.g. less than 90 % of the average drivers or other traffic
participants are able to avoid harm).
NOTE 3 If class C0 is assigned, there is no requirement to assign a priority class to the evaluated situation and
therefore, Table 1 does not take C0 into account.
NOTE 4 ISO 26262-3:2018 [5], Annex B provides examples of driving situations and the assumptions about the
corresponding control b
...
