Road vehicles -- Extended Vehicle (ExVe) time critical applications -- General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)

This document defines the classification methodology of time-constrained situations and their requirements, that are to be addressed by the "ExVe time critical interfaces" described in ISO 20077‑1. Time-constrained situations include safety-critical situations. It is important for the design of the vehicle to have priority management of "ExVe time critical interface" resources in order to comply with time constrained situations requirements. The methodology provides a classification, which determines application priorities for optimal vehicle resource allocation.

Véhicules routiers -- Applications temps critiques du véhicule étendu (ExVe) -- Exigences générales, définitions et méthodologie de classification des situations sous contrainte de temps liées à la sécurité routière et à la sûreté du véhicule étendu (RExVeS)

General Information

Status
Published
Publication Date
09-Jul-2020
Current Stage
5060 - Close of voting Proof returned by Secretariat
Start Date
17-Jun-2020
Completion Date
16-Jun-2020
Ref Project

Buy Standard

Standard
ISO 23132:2020 - Road vehicles -- Extended Vehicle (ExVe) time critical applications -- General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
English language
23 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/FDIS 23132 - Road vehicles -- Extended Vehicle (ExVe) time critical applications -- General requirements, definitions and classification methodology of time-constrained situations related to Road and ExVe Safety (RExVeS)
English language
24 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO
STANDARD 23132
First edition
2020-07
Road vehicles — Extended Vehicle
(ExVe) time critical applications —
General requirements, definitions and
classification methodology of time-
constrained situations related to Road
and ExVe Safety (RExVeS)
Véhicules routiers — Applications temps critiques du véhicule
étendu (ExVe) — Exigences générales, définitions et méthodologie
de classification des situations sous contrainte de temps liées à la
sécurité routière et à la sûreté du véhicule étendu (RExVeS)
Reference number
ISO 23132:2020(E)
ISO 2020
---------------------- Page: 1 ----------------------
ISO 23132:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 23132:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 3

5 Conventions and guidelines for specifying RExVeS-related requirements..............................................3

6 The RExVeS methodology ............................................................................................................................................................................ 3

6.1 General ........................................................................................................................................................................................................... 3

6.2 Analysis of RExVeS-related scenarios ................................................................................................................................. 4

6.3 Classification of RExVeS-related time-constrained and safety-critical situations ........................ 5

6.3.1 Classification scheme ................................................................................................................................................... 5

6.3.2 Classes of severity ........................................................................................................................................................... 6

6.3.3 Classes of probability of exposure .................................................................................................................... 6

6.3.4 Classes of controllability ........................................................................................................................................... 6

6.3.5 Determination of the priority class of a RExVeS-related time-constrained

situation ........................................................................................................................................... ........................................ 7

6.3.6 Template for the description and priority class assignment of a RExVeS-

related situation ............................................................................................................................................................... 8

7 Connected vehicle design prerequisites ...................................................................................................................................... 8

Annex A (normative) Template for the description and priority class assignment of RExVeS-

related situations (including safety-critical situations) ............................................................................................. 9

Annex B (informative) Example 1 of use of the RExVeS template ........................................................................................10

Annex C (informative) Example 2 of use of the RExVeS template ........................................................................................14

Annex D (informative) Example 3 of use of the RExVeS template .......................................................................................18

Annex E (informative) List of use-cases ..........................................................................................................................................................21

Bibliography .............................................................................................................................................................................................................................23

© ISO 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 23132:2020(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www .iso .org/ iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,

Data communication.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 23132:2020(E)
Introduction

Preventing death and serious injury in road traffic crashes is a global priority. With the advent of

vehicular data communications, road vehicles become connected vehicles, and safety is one of the key

issues in the development of such road vehicles. ISO 26262-1 defines the vehicle safety as the absence

of unreasonable risks that arise from malfunctions of the E/E system. The absence of unreasonable

risk due to these potentially hazardous behaviours related to specific limitations (identified in

[7]

ISO/PAS 21448 ) is defined as the safety of the intended functionality (SOTIF). Functional safety

(addressed by the ISO 26262 series) and SOTIF are distinct and complementary aspects of safety.

This document defines a complementary methodology for the prioritization of safety-related external

communication use-cases to help to design extended vehicle time-critical interfaces described in the

ISO 20077-1.

NOTE 1 ISO 20077-1 defines the concepts and terms related to the extended vehicle (ExVe), whereas

ISO 20077-2 specifies general rules and basic principles that the manufacturer of the ExVe considers when

elaborating its own design method.

NOTE 2 ISO 20077-1 defines an "extended vehicle" (ExVe) as an "entity, still in accordance with the

specifications of the vehicle manufacturer, that extends beyond the physical boundaries of the road vehicle and

consists of the road vehicle, off-board systems, external interfaces, and the data communication between the

road vehicle and the off-board systems". Road vehicles without off-board systems and road vehicles equipped

with telematics units are extended vehicles.

Recent developments in the field of connected vehicles, in various parts of the world, bring hope of being

able to improve road safety, e.g. by reducing the number of road fatalities through collision avoidance

cooperation. Connected vehicles taking into account ISO 20077-1 and ISO 20077-2 take their part in this

global effort.

Due to the limited per design embedded resources, a priority management is necessary to apply these

resources to the function and request with the highest criticality.

For these connected vehicles, the use of the “ExVe time critical interfaces" is firstly associated with

safety-critical functions (e.g. emergency braking, steering) that are functions for which the priorities

are based on a criticality concept.

It is important that all the functions using the “ExVe time critical interfaces” take into account the

capabilities of the vehicles in which they are installed.

During the design phase, the connected vehicle behaviour regarding all safety-critical situations and its

interactions with the external environment should be defined. Its implementation can be based on the

methodology proposed in this document.
© ISO 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 23132:2020(E)
Road vehicles — Extended Vehicle (ExVe) time critical
applications — General requirements, definitions and
classification methodology of time-constrained situations
related to Road and ExVe Safety (RExVeS)
1 Scope

This document defines the classification methodology of time-constrained situations and their

requirements, that are to be addressed by the “ExVe time critical interfaces" described in ISO 20077-1.

Time-constrained situations include safety-critical situations.

It is important for the design of the vehicle to have priority management of "ExVe time critical interface"

resources in order to comply with time constrained situations requirements.

The methodology provides a classification, which determines application priorities for optimal vehicle

resource allocation.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20077-1, Road Vehicles — Extended vehicle (ExVe) methodology — Part 1: General information

ISO 20077-2, Road Vehicles — Extended vehicle (ExVe) methodology — Part 2: Methodology for designing

the extended vehicle
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 20077-1, ISO 20077-2,

ISO 26262-1 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
road and ExVe safety
RExVeS

set of means (e.g. use cases), conditions and requirements to be considered by the “ExVe time-critical

interfaces” described in ISO 20077-1, including time-constrained and safety-critical situations (3.4)

Note 1 to entry: The intent is to minimise risk of harm (as described in ISO 26262-1) in road safety-related

situations.

Note 2 to entry: In the context of RExVeS, a use case is a set of scenarios (3.2) that have a common goal.

© ISO 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO 23132:2020(E)
3.2
scenario

sequence of connected vehicle (3.11) actions, events, reactions, and interactions, in a road

safety setting
3.3
time-constrained situation

combination of a road safety-related connected vehicle (3.11) scenario (3.2) and RExVeS-

related time constraints, in which lack of communication capability or excessive (communication)

latency can lead to malfunctions or other injurious consequences
3.4
safety-critical situation

combination of a road safety-related connected vehicle (3.11) scenario (3.2) and an

unacceptable risk of harm
3.5
situation priority class

one of six situation priority classes (P1, P2, P3, P4, P5 or P6) determined according to the

severity, the probability of exposure, and the controllability associated with an evaluated time-

constrained situation (3.3)
3.6
safety-critical situation priority class

one of the four situation priority classes (3.5) (P3, P4, P5 or P6) determined according to the

severity, the probability of exposure, and the controllability associated with an evaluated safety-critical

situation (3.4)
3.7
time-constrained safety-related function

function under strict time constraints that contributes to the achievement of safety objectives

[1] [2]

EXAMPLE "CAM generation" (see ETSI EN 302 637-2 ) and "BSM generation" (see SAE J2735 and SAE

[3] [4]

J2945 ). "DENM generation" (see ETSI EN 302 637-3 ) is another example of time-constrained safety-related

function.
3.8
peri-vehicular
near or around a vehicle
3.9
peri-vehicular data communication
vehicular data communications in the geographic vicinity of a vehicle
3.10
safety-critical situation reaction time interval

time-interval from the detection of a safety-critical situation (3.4) to the broadcast to

neighbouring road users at risk of an appropriate safety-critical message via time-constrained safety-

related functions (3.7) and peri-vehicular data communications (3.9)
3.11
connected vehicle
road vehicle using peri-vehicular data communications (3.9)
2 © ISO 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO 23132:2020(E)
4 Symbols and abbreviated terms
ADAS Advanced Driver-Assistance Systems
BSM Basic Safety Message
CAM Cooperative Awareness Message
DENM Decentralized Environmental Notification Message
ExVe Extended Vehicle
RExVeS Road and ExVe safety
TAI International Atomic Time
UTC Coordinated Universal Time
5 Conventions and guidelines for specifying RExVeS-related requirements
In this document, requirements are formalized as follow:
REQ Number RExVeS – Name
Description
“Number” represents the individual requirement number.
“Name” is the name of requirement, if needed.
“Description” is the requirement itself.

Requirements in this document are generic and technology agnostic. No actual testing is to be done

against them, but they should be used as a guide to define the technology-dependent requirements.

Some technology-dependent requirements may not enable to address all priority classes of RExVeS-

related time-constrained situations (see 6.3.5).

Unless otherwise stated, the requirements in this document apply to all priority classes.

6 The RExVeS methodology
6.1 General

The RExVeS methodology brings forward means to identify and classify time-constrained situations

(safety-critical or not) that are addressed by the “ExVe time critical interfaces” described in ISO 20077-1.

The methodology provides an automotive-specific risk-based approach to determine the priority class

[5]

of a RExVeS-related time-constrained situation. It is adapted from ISO 26262-3 hazard analysis and

risk assessment (HARA) and enriched with systems-theoretic process analysis (STPA) insights. The

[5]

major difference is that in ISO 26262-3 , the results of the analysis are ASILs while in this document

the results are time-constrained situation priority classes.

NOTE 1 The appropriate use of the RExVeS methodology is intended to fulfil RExVeS-related requirements

and a set of connected vehicle design prerequisites (see Clause 7).

NOTE 2 Unless otherwise stated, in this document, connected vehicle means connected vehicle taking into

account ISO 20077-1 and ISO 20077-2.

The RExVeS methodology starts with the analysis of road safety-related connected vehicle scenarios

in which time-constrained situations (safety-critical or not) may occur. Then, a systematic evaluation

© ISO 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO 23132:2020(E)

of each identified time-constrained situation is performed to determine the RExVeS-related situation

priority class to which it pertains. The RExVeS-related situation priority class is determined by

considering severity, probability of exposure and controllability criteria.

Figure 1 provides an example of use of the RExVeS methodology in the context of the ExVe design

methodology.

Figure 1 — The RExVeS methodology in the ExVe design methodology context (example)

The RExVeS methodology complements ISO 20077-1 and ISO 20077-2 guidelines for the design of an

extended vehicle, from which a vehicle manufacturer can derive its own methods and procedures to

design an extended vehicle that addresses a specific set of use cases and scenarios. These methods and

procedures remain part of the know-how of each vehicle manufacturer.

According to ISO 20077-2, any ExVe functionality request is described through use cases and scenarios

(see ISO 20077-2 template for technical request), in order to support a precise description of the need.

Detailed descriptions of relevant RExVeS-related scenarios are important in this respect.

According to ISO 20077-2, for a given use case and scenario, the ExVe manufacturer is responsible

for defining the appropriate extended vehicle’s interfaces for the considered functionality (see

ISO 20077-2). When an ExVe time critical interface is considered, the identified time-constrained

situations can be analysed with the RExVeS methodology. As a result, the criticality of the situations is

evaluated (severity, probability of exposure, controllability) and, along with any applicable regulations,

it gives an indication of relevance and priority to the vehicle manufacturer considering the development

of the functionality with an ExVe time-critical interface.

NOTE 3 As RExVeS-related scenarios with safety-critical situations give the biggest causes for concern, they

are considered first in the methodology description and dealt with in more detail.

6.2 Analysis of RExVeS-related scenarios

Complex and dynamic processes and interactions are often involved in road accidents. RExVeS-related

safety-critical situations may occur when processes or interactions do not meet safety objectives, e.g.

because appropriate objectives have not been selected.

The goal of the analysis of RExVeS-related scenarios is to identify time-constrained situations (safety-

critical or not) that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.

This requires accumulating information about how such situations can occur.

A RExVeS-related time-constrained situation is a combination of a road safety-related connected vehicle

scenario and RExVeS-related time constraints, in which a lack of communication capability or excessive

4 © ISO 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 23132:2020(E)

(communication) latency can lead to malfunctions or other injurious consequences. In a RExVeS-related

safety-critical situation, there is additionally an unacceptable risk of harm.

NOTE 1 There is not necessarily an unacceptable risk of harm in all time-constrained situations.

Rapidly changing environments where there is a potential for safety-critical situations are examples of

RExVeS-related scenarios. "Imminent collision" is a characteristic of many RExVeS-related problematic

scenarios. "Loss of vehicle control" is a less recurring one, but it is important to take it into account.

An imminent front collision with another vehicle at high speed on a country road is an example of a

RExVeS-related safety-critical situation.

Even when the vehicle is stationary, a RExVeS-related safety-critical situation can be present if it is

stopped in an unsafe location.

RExVeS-related use cases and scenarios where safety-critical situations can happen, and where a

worst-case set of environmental conditions may lead to "loss of vehicle control" or "imminent collision",

should be analysed before taking action.

NOTE 2 RExVeS-related use cases encompass all connected vehicle use cases (including cooperative collision

avoidance use cases) where at least one RExVeS-related problematic scenario exists. As a result, RExVeS-related

use cases are not limited to already identified and standardized connected vehicle and road safety use cases (in

ISO, SAE, ETSI etc.). The potential applicability of RExVeS-related requirements is much broader.

[5]

NOTE 3 ISO 26262-3:2018 , Annex B provides examples of RExVeS-related scenarios and of safety-critical

situations.

Factors to be considered in the hazard analysis and risk assessment of RExVeS-related scenarios

include:

— vehicle usage scenarios, for example high speed driving, urban driving, parking, off-road;

— environmental conditions, for example rain, snow, wind, road surface condition;

— reasonably foreseeable driver use and misuse;

— interactions between operational systems, particularly those implementing RExVeS-related time-

constrained safety-related functions;

— cybersecurity attacks leading to malicious communications or default of the vehicle ITS station. See

[6]1)
also ISO/SAE 21434 ;

— if there is an impact, timing constraints resulting from functional safety, “safety of the intended

functionality” and cybersecurity activities;

— in this analysis, the vehicle and its communication capabilities are considered by default in working

[7]
order. See also ISO/PAS 21448 .
REQ 23132-01 RExVeS – 01

The consequences of each evaluated RExVeS-related time-constrained situation shall be identified, focus-

ing on the harm to each person potentially at risk, including the driver and the passengers of the vehicle,

but also the other persons potentially at risk such as cyclists, pedestrians or occupants of other vehicles.

6.3 Classification of RExVeS-related time-constrained and safety-critical situations

6.3.1 Classification scheme

The classification scheme comprises the determination of the severity, the probability of exposure, and

the controllability associated with the RExVeS-related time-constrained situations (safety-critical or not).

1) Under preparation. Stage at the time of publication: ISO/SAE DIS 21434:2020.
© ISO 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO 23132:2020(E)

The severity represents an estimate of the potential harm in a particular situation, while the probability

of exposure depends on how frequently and for how long individuals find themselves in such a RExVeS-

related scenario. The controllability rates how easy or difficult it is for the driver or other road traffic

participant to avoid the considered accident type in the considered scenario. It is the intention that

severity, probability of exposure and controllability estimates are consistent with those coming from

functional safety activities.

NOTE Depending on the number of related hazardous events, the classification can result in one or more

combinations of severity, probability of exposure, and controllability.
6.3.2 Classes of severity

The potential injuries that result from a time-constrained situation (safety-critical or not) are evaluated

for the driver, passengers and people around the vehicle, or in surrounding vehicles to determine the

severity class.

The severity of potential harm is estimated based on a defined rationale for each evaluated situation

and is assigned to one of the severity classes: S0 (no injuries), S1 (light and moderate injuries), S2

(severe and life-threatening injuries with survival probable) or S3 (life-threatening injuries with

survival uncertain or fatal injuries).
[5]

NOTE ISO 26262-3:2018 , Annex B presents examples of consequences which can occur for a given safety-

critical situation, together with the corresponding severity class for each consequence.

For instance, a pedestrian accident with low speed, that can result in severe and life-threatening

injuries with survival probable, may be classified S2.
6.3.3 Classes of probability of exposure

The probability of exposure to a RExVeS-related scenario is estimated based on a defined rationale

for each evaluated situation (safety-critical or not). The probability of exposure is assigned to one of

the probability classes: E1 (very low probability, e.g. occurs less often than once a year for the great

majority of drivers), E2 (low probability, e.g. occurs a few times a year for the great majority of drivers),

E3 (medium probability, e.g. occurs once a month or more often for an average driver) or E4 (high

probability, e.g. occurs during almost every drive on average).
[5]

NOTE ISO 26262-3:2018 , Annex B presents examples of scenarios classified by duration and frequency,

together with typical exposure rankings.

For instance, driving a vehicle on a wet city street with heavy "stop and go" traffic may be classified E3

(occurs once a month or more often for an average driver).
6.3.4 Classes of controllability

The controllability class for a given time-constrained situation (safety-critical or not) is determined

by estimating the likelihood that representative drivers, potentially assisted by advanced driver-

assistance systems (ADAS), will be able to retain or regain control of the vehicle if the situation were to

occur, or that individuals in the vicinity will contribute to the avoidance of the situation by their actions.

NOTE 1 Controllability is influenced by a number of factors including use of ADAS, driver profiles for the

target market, individuals’ age, eye-hand coordination, driving experience, cultural background, etc.

NOTE 2 Estimations take into account local laws and regulations, as well as reasonably foreseeable misuse

(e.g. not keeping the required distance to the vehicle in front).

The controllability of each evaluated situation, by the driver or other persons involved in the situation,

is estimated based on a defined rationale for each situation. The controllability is assigned to one of

the controllability classes: C0 (controllable in general), C1 (simply controllable, e.g. more than 99 %

of the average drivers or other traffic participants are able to avoid harm), C2 (normally controllable,

e.g. between 90 % an 99 % of the average drivers or other traffic participants are able to avoid harm)

6 © ISO 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO 23132:2020(E)

or C3 (difficult to control or uncontrollable, e.g. less than 90 % of the average drivers or other traffic

participants are able to avoid harm).

NOTE 3 If class C0 is assigned, there is no requirement to assign a priority class to the evaluated situation and

therefore, Table 1 does not take C0 into account.
[5]

NOTE 4 ISO 26262-3:2018 , Annex B provides examples of driving situations and the assumptions about the

corresponding control behaviours that would avoid harm. These situations are mapped to the controllability

rankings, clarifying the 90 % and 99 % breakpoint levels for judging controllability.

For instance, maintaining intended driving path while being distracted may be classified C1 (simply

controllable).

6.3.5 Determination of the priority class of a RExVeS-related time-constrained situation

To classify the RExVeS-related time-constrained situations (safety-critical or not), six priority classes

(P1, P2, P3, P4, P5 and P6) are defined according to the risks of harm involved, with P6 representing the

most stringent class (i.e. used to protect against the highest risks).
To de
...

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 23132
ISO/TC 22/SC 31
Road vehicles — Extended Vehicle
Secretariat: DIN
(ExVe) time critical applications —
Voting begins on:
2020­04­21 General requirements, definitions and
classification methodology of time-
Voting terminates on:
2020­06­16
constrained situations related to Road
and ExVe Safety (RExVeS)
Véhicules routiers — Applications temps critiques du véhicule
étendu (ExVe) — Exigences générales, définitions et méthodologie
de classification des situations sous contrainte de temps liées à la
sécurité routière et à la sûreté du véhicule étendu (RExVeS)
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/FDIS 23132:2020(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. ISO 2020
---------------------- Page: 1 ----------------------
ISO/FDIS 23132:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH­1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/FDIS 23132:2020(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 3

5 Conventions and guidelines for specifying RExVeS-related requirements..............................................3

6 The RExVeS methodology ............................................................................................................................................................................ 3

6.1 General ........................................................................................................................................................................................................... 3

6.2 Analysis of RExVeS-related scenarios ................................................................................................................................. 4

6.3 Classification of RExVeS-related time-constrained and safety-critical situations ........................ 5

6.3.1 Classification scheme ................................................................................................................................................... 5

6.3.2 Classes of severity ........................................................................................................................................................... 6

6.3.3 Classes of probability of exposure .................................................................................................................... 6

6.3.4 Classes of controllability ........................................................................................................................................... 6

6.3.5 Determination of the priority class of a RExVeS-related time-constrained

situation ........................................................................................................................................... ........................................ 7

6.3.6 Template for the description and priority class assignment of a RExVeS-

related situation ............................................................................................................................................................... 8

7 Connected vehicle design prerequisites ...................................................................................................................................... 8

Annex A (normative) Template for the description and priority class assignment of RExVeS-

related situations (including safety-critical situations) ............................................................................................. 9

Annex B (informative) Example 1 of use of the RExVeS template ........................................................................................10

Annex C (informative) Example 2 of use of the RExVeS template ........................................................................................14

Annex D (informative) Example 3 of use of the RExVeS template .......................................................................................18

Annex E (informative) List of use-cases ..........................................................................................................................................................21

Bibliography .............................................................................................................................................................................................................................23

© ISO 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/FDIS 23132:2020(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www .iso .org/ iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,

Data communication.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 23132:2020(E)
Introduction

Preventing death and serious injury in road traffic crashes is a global priority. With the advent of

vehicular data communications, road vehicles become connected vehicles, and safety is one of the key

issues in the development of such road vehicles. ISO 26262-1 defines the vehicle safety as the absence

of unreasonable risks that arise from malfunctions of the E/E system. The absence of unreasonable

risk due to these potentially hazardous behaviours related to specific limitations (identified in

[7]

ISO/PAS 21448 ) is defined as the safety of the intended functionality (SOTIF). Functional safety

(addressed by the ISO 26262 series) and SOTIF are distinct and complementary aspects of safety.

This document defines a complementary methodology for the prioritization of safety-related external

communication use-cases to help to design extended vehicle time-critical interfaces described in the

ISO 20077­1.

NOTE 1 ISO 20077-1 defines the concepts and terms related to the extended vehicle (ExVe), whereas

ISO 20077-2 specifies general rules and basic principles that the manufacturer of the ExVe considers when

elaborating its own design method.

NOTE 2 ISO 20077-1 defines an "extended vehicle" (ExVe) as an "entity, still in accordance with the

specifications of the vehicle manufacturer, that extends beyond the physical boundaries of the road vehicle and

consists of the road vehicle, off-board systems, external interfaces, and the data communication between the

road vehicle and the off-board systems". Road vehicles without off-board systems and road vehicles equipped

with telematics units are extended vehicles.

Recent developments in the field of connected vehicles, in various parts of the world, bring hope of being

able to improve road safety, e.g. by reducing the number of road fatalities through collision avoidance

cooperation. Connected vehicles taking into account ISO 20077­1 and ISO 20077­2 take their part in this

global effort.

Due to the limited per design embedded resources, a priority management is necessary to apply these

resources to the function and request with the highest criticality.

For these connected vehicles, the use of the “ExVe time critical interfaces" is firstly associated with

safety-critical functions (e.g. emergency braking, steering) that are functions for which the priorities

are based on a criticality concept.

It is important that all the functions using the “ExVe time critical interfaces” take into account the

capabilities of the vehicles in which they are installed.

During the design phase, the connected vehicle behaviour regarding all safety-critical situations and its

interactions with the external environment should be defined. Its implementation can be based on the

methodology proposed in this document.
© ISO 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 23132:2020(E)
Road vehicles — Extended Vehicle (ExVe) time critical
applications — General requirements, definitions and
classification methodology of time-constrained situations
related to Road and ExVe Safety (RExVeS)
1 Scope

This document defines the classification methodology of time-constrained situations and their

requirements, that are to be addressed by the “ExVe time critical interfaces" described in ISO 20077-1.

Time-constrained situations include safety-critical situations.

It is important for the design of the vehicle to have priority management of "ExVe time critical interface"

resources in order to comply with time constrained situations requirements.

The methodology provides a classification, which determines application priorities for optimal vehicle

resource allocation.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20077­1, Road Vehicles — Extended vehicle (ExVe) methodology — Part 1: General information

ISO 20077­2, Road Vehicles — Extended vehicle (ExVe) methodology — Part 2: Methodology for designing

the extended vehicle
ISO 26262­1, Road vehicles — Functional safety — Part 1: Vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 20077-1, ISO 20077-2,

ISO 26262-1 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
road and ExVe safety
RExVeS

set of means (e.g. use cases), conditions and requirements to be considered by the “ExVe time-critical

interfaces” described in ISO 20077-1, including time-constrained and safety-critical situations (3.4)

Note 1 to entry: The intent is to minimise risk of harm (as described in ISO 26262-1) in road safety-related

situations.

Note 2 to entry: In the context of RExVeS, a use case is a set of scenarios (3.2) that have a common goal.

© ISO 2020 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/FDIS 23132:2020(E)
3.2
scenario

sequence of connected vehicle (3.11) actions, events, reactions, and interactions, in a road

safety setting
3.3
time-constrained situation

combination of a road safety-related connected vehicle (3.11) scenario (3.2) and RExVeS-

related time constraints, in which lack of communication capability or excessive (communication)

latency can lead to malfunctions or other injurious consequences
3.4
safety-critical situation

combination of a road safety-related connected vehicle (3.11) scenario (3.2) and an

unacceptable risk of harm
3.5
situation priority class

one of six situation priority classes (P1, P2, P3, P4, P5 or P6) determined according to the

severity, the probability of exposure, and the controllability associated with an evaluated time-

constrained situation (3.3)
3.6
safety-critical situation priority class

one of the four situation priority classes (3.5) (P3, P4, P5 or P6) determined according to the

severity, the probability of exposure, and the controllability associated with an evaluated safety-critical

situation (3.4)
3.7
time-constrained safety-related function

function under strict time constraints that contributes to the achievement of safety objectives

[1] [2]

EXAMPLE "CAM generation" (see ETSI EN 302 637-2 ) and "BSM generation" (see SAE J2735 and SAE

[3] [4]

J2945 ). "DENM generation" (see ETSI EN 302 637-3 ) is another example of time-constrained safety-related

function.
3.8
peri-vehicular
near or around a vehicle
3.9
peri-vehicular data communication
vehicular data communications in the geographic vicinity of a vehicle
3.10
safety-critical situation reaction time interval

time-interval from the detection of a safety-critical situation (3.4) to the broadcast to

neighbouring road users at risk of an appropriate safety-critical message via time-constrained safety-

related functions (3.7) and peri-vehicular data communications (3.9)
3.11
connected vehicle
road vehicle using peri-vehicular data communications (3.9)
2 © ISO 2020 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/FDIS 23132:2020(E)
4 Symbols and abbreviated terms
ADAS Advanced Driver-Assistance Systems
BSM Basic Safety Message
CAM Cooperative Awareness Message
DENM Decentralized Environmental Notification Message
ExVe Extended Vehicle
RExVeS Road and ExVe safety
TAI International Atomic Time
UTC Coordinated Universal Time
5 Conventions and guidelines for specifying RExVeS-related requirements
In this document, requirements are formalized as follow:
REQ Number RExVeS – Name
Description
“Number” represents the individual requirement number.
“Name” is the name of requirement, if needed.
“Description” is the requirement itself.

Requirements in this document are generic and technology agnostic. No actual testing is to be done

against them, but they should be used as a guide to define the technology-dependent requirements.

Some technology-dependent requirements may not enable to address all priority classes of RExVeS-

related time­constrained situations (see 6.3.5).

Unless otherwise stated, the requirements in this document apply to all priority classes.

6 The RExVeS methodology
6.1 General

The RExVeS methodology brings forward means to identify and classify time-constrained situations

(safety-critical or not) that are addressed by the “ExVe time critical interfaces” described in ISO 20077-1.

The methodology provides an automotive-specific risk-based approach to determine the priority class

[5]

of a RExVeS-related time-constrained situation. It is adapted from ISO 26262-3 hazard analysis and

risk assessment (HARA) and enriched with systems-theoretic process analysis (STPA) insights. The

[5]

major difference is that in ISO 26262-3 , the results of the analysis are ASILs while in this document

the results are time-constrained situation priority classes.

NOTE 1 The appropriate use of the RExVeS methodology is intended to fulfil RExVeS-related requirements

and a set of connected vehicle design prerequisites (see Clause 7).

NOTE 2 Unless otherwise stated, in this document, connected vehicle means connected vehicle taking into

account ISO 20077­1 and ISO 20077­2.

The RExVeS methodology starts with the analysis of road safety-related connected vehicle scenarios

in which time-constrained situations (safety-critical or not) may occur. Then, a systematic evaluation

© ISO 2020 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/FDIS 23132:2020(E)

of each identified time-constrained situation is performed to determine the RExVeS-related situation

priority class to which it pertains. The RExVeS-related situation priority class is determined by

considering severity, probability of exposure and controllability criteria.

Figure 1 provides an example of use of the RExVeS methodology in the context of the ExVe design

methodology.

Figure 1 — The RExVeS methodology in the ExVe design methodology context (example)

The RExVeS methodology complements ISO 20077-1 and ISO 20077-2 guidelines for the design of an

extended vehicle, from which a vehicle manufacturer can derive its own methods and procedures to

design an extended vehicle that addresses a specific set of use cases and scenarios. These methods and

procedures remain part of the know­how of each vehicle manufacturer.

According to ISO 20077-2, any ExVe functionality request is described through use cases and scenarios

(see ISO 20077-2 template for technical request), in order to support a precise description of the need.

Detailed descriptions of relevant RExVeS-related scenarios are important in this respect.

According to ISO 20077-2, for a given use case and scenario, the ExVe manufacturer is responsible

for defining the appropriate extended vehicle’s interfaces for the considered functionality (see

ISO 20077-2). When an ExVe time critical interface is considered, the identified time-constrained

situations can be analysed with the RExVeS methodology. As a result, the criticality of the situations is

evaluated (severity, probability of exposure, controllability) and, along with any applicable regulations,

it gives an indication of relevance and priority to the vehicle manufacturer considering the development

of the functionality with an ExVe time-critical interface.

NOTE 3 As RExVeS-related scenarios with safety-critical situations give the biggest causes for concern, they

are considered first in the methodology description and dealt with in more detail.

6.2 Analysis of RExVeS-related scenarios

Complex and dynamic processes and interactions are often involved in road accidents. RExVeS-related

safety-critical situations may occur when processes or interactions do not meet safety objectives, e.g.

because appropriate objectives have not been selected.

The goal of the analysis of RExVeS-related scenarios is to identify time-constrained situations (safety-

critical or not) that are to be addressed by the “ExVe time critical interfaces” described in ISO 20077-1.

This requires accumulating information about how such situations can occur.

A RExVeS-related time-constrained situation is a combination of a road safety-related connected vehicle

scenario and RExVeS-related time constraints, in which a lack of communication capability or excessive

4 © ISO 2020 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/FDIS 23132:2020(E)

(communication) latency can lead to malfunctions or other injurious consequences. In a RExVeS-related

safety-critical situation, there is additionally an unacceptable risk of harm.

NOTE 1 There is not necessarily an unacceptable risk of harm in all time-constrained situations.

Rapidly changing environments where there is a potential for safety-critical situations are examples of

RExVeS-related scenarios. "Imminent collision" is a characteristic of many RExVeS-related problematic

scenarios. "Loss of vehicle control" is a less recurring one, but it is important to take it into account.

An imminent front collision with another vehicle at high speed on a country road is an example of a

RExVeS-related safety-critical situation.

Even when the vehicle is stationary, a RExVeS-related safety-critical situation can be present if it is

stopped in an unsafe location.

RExVeS-related use cases and scenarios where safety-critical situations can happen, and where a

worst-case set of environmental conditions may lead to "loss of vehicle control" or "imminent collision",

should be analysed before taking action.

NOTE 2 RExVeS-related use cases encompass all connected vehicle use cases (including cooperative collision

avoidance use cases) where at least one RExVeS-related problematic scenario exists. As a result, RExVeS-related

use cases are not limited to already identified and standardized connected vehicle and road safety use cases (in

ISO, SAE, ETSI etc.). The potential applicability of RExVeS-related requirements is much broader.

[5]

NOTE 3 ISO 26262­3:2018 , Annex B provides examples of RExVeS-related scenarios and of safety-critical

situations.

Factors to be considered in the hazard analysis and risk assessment of RExVeS-related scenarios

include:

— vehicle usage scenarios, for example high speed driving, urban driving, parking, off-road;

— environmental conditions, for example rain, snow, wind, road surface condition;

— reasonably foreseeable driver use and misuse;

— interactions between operational systems, particularly those implementing RExVeS-related time-

constrained safety-related functions;

— cybersecurity attacks leading to malicious communications or default of the vehicle ITS station. See

[6]1)
also ISO/SAE 21434 ;

— if there is an impact, timing constraints resulting from functional safety, “safety of the intended

functionality” and cybersecurity activities;

— in this analysis, the vehicle and its communication capabilities are considered by default in working

[7]
order. See also ISO/PAS 21448 .
REQ 23132­01 RExVeS – 01

The consequences of each evaluated RExVeS-related time-constrained situation shall be identified, focus­

ing on the harm to each person potentially at risk, including the driver and the passengers of the vehicle,

but also the other persons potentially at risk such as cyclists, pedestrians or occupants of other vehicles.

6.3 Classification of RExVeS-related time-constrained and safety-critical situations

6.3.1 Classification scheme

The classification scheme comprises the determination of the severity, the probability of exposure, and

the controllability associated with the RExVeS-related time-constrained situations (safety-critical or not).

1) Under preparation. Stage at the time of publication: ISO/SAE DIS 21434:2020.
© ISO 2020 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/FDIS 23132:2020(E)

The severity represents an estimate of the potential harm in a particular situation, while the probability

of exposure depends on how frequently and for how long individuals find themselves in such a RExVeS-

related scenario. The controllability rates how easy or difficult it is for the driver or other road traffic

participant to avoid the considered accident type in the considered scenario. It is the intention that

severity, probability of exposure and controllability estimates are consistent with those coming from

functional safety activities.

NOTE Depending on the number of related hazardous events, the classification can result in one or more

combinations of severity, probability of exposure, and controllability.
6.3.2 Classes of severity

The potential injuries that result from a time-constrained situation (safety-critical or not) are evaluated

for the driver, passengers and people around the vehicle, or in surrounding vehicles to determine the

severity class.

The severity of potential harm is estimated based on a defined rationale for each evaluated situation

and is assigned to one of the severity classes: S0 (no injuries), S1 (light and moderate injuries), S2

(severe and life-threatening injuries with survival probable) or S3 (life-threatening injuries with

survival uncertain or fatal injuries).
[5]

NOTE ISO 26262­3:2018 , Annex B presents examples of consequences which can occur for a given safety-

critical situation, together with the corresponding severity class for each consequence.

For instance, a pedestrian accident with low speed, that can result in severe and life­threatening

injuries with survival probable, may be classified S2.
6.3.3 Classes of probability of exposure

The probability of exposure to a RExVeS-related scenario is estimated based on a defined rationale

for each evaluated situation (safety-critical or not). The probability of exposure is assigned to one of

the probability classes: E1 (very low probability, e.g. occurs less often than once a year for the great

majority of drivers), E2 (low probability, e.g. occurs a few times a year for the great majority of drivers),

E3 (medium probability, e.g. occurs once a month or more often for an average driver) or E4 (high

probability, e.g. occurs during almost every drive on average).
[5]

NOTE ISO 26262­3:2018 , Annex B presents examples of scenarios classified by duration and frequency,

together with typical exposure rankings.

For instance, driving a vehicle on a wet city street with heavy "stop and go" traffic may be classified E3

(occurs once a month or more often for an average driver).
6.3.4 Classes of controllability

The controllability class for a given time-constrained situation (safety-critical or not) is determined

by estimating the likelihood that representative drivers, potentially assisted by advanced driver-

assistance systems (ADAS), will be able to retain or regain control of the vehicle if the situation were to

occur, or that individuals in the vicinity will contribute to the avoidance of the situation by their actions.

NOTE 1 Controllability is influenced by a number of factors including use of ADAS, driver profiles for the

target market, individuals’ age, eye-hand coordination, driving experience, cultural background, etc.

NOTE 2 Estimations take into account local laws and regulations, as well as reasonably foreseeable misuse

(e.g. not keeping the required distance to the vehicle in front).

The controllability of each evaluated situation, by the driver or other persons involved in the situation,

is estimated based on a defined rationale for each situation. The controllability is assigned to one of

the controllability classes: C0 (controllable in general), C1 (simply controllable, e.g. more than 99 %

of the average drivers or other traffic participants are able to avoid harm), C2 (normally controllable,

e.g. between 90 % an 99 % of the average drivers or other traffic participants are able to avoid harm)

6 © ISO 2020 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/FDIS 23132:2020(E)

or C3 (difficult to control or uncontrollable, e.g. less than 90 % of the average drivers or other traffic

participants are able to avoid harm).

NOTE 3 If class C0 is assigned, there is no requirement to assign a priority class to the evaluated situation and

therefore, Table 1 does not take C0 into account.
[5]

NOTE 4 ISO 26262­3:2018 , Annex B provides examples of driving situations and the assumptions about the

corresponding control b
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.