Introduction to SOTIF
Hasan Ibne Akram, PhD
NIS 2 Compliance with AI Driven Fast Track Tools | Serial Entrepreneur | Computer Scientist | Author | Podcaster | Speaker | Life-Long Student
The automotive industry is moving quickly towards autonomous vehicles (AV). Given the investment and innovation under way, we expect to see autonomous vehicles on public roads in the coming years.
The safety of these vehicles has to be ensured both during development and in operation. Because an autonomous vehicle must sense its environment and build situational awareness from that data, detecting and mitigating E/E faults, the subject of the ISO 26262 series, is necessary but not sufficient: the vehicle can behave hazardously even when every component works exactly as designed.
To address the hazards that fall outside the scope of ISO 26262, the automotive industry introduced Safety Of The Intended Functionality (SOTIF), ISO 21448. It was first published as ISO/PAS 21448:2019; at the time of writing the current state of the standard is the draft ISO/DIS 21448 (2021). To learn more, visit SOTIF Crash Course to join our crash course on SOTIF!
What is SOTIF?
By definition, SOTIF is the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality, or from reasonably foreseeable misuse by persons.
In practice this means that the function remains controllable in every situation it is expected to operate in, and that the user can manage it safely. Note the wording "unreasonable": SOTIF does not demand zero risk, only that the residual risk be reduced to a level that is reasonable and tolerable.
SOTIF applies to functions whose situational awareness is derived from complex sensors and processing algorithms. Emergency intervention systems, automatic emergency braking being the best-known example, and driver assistance at SAE levels 1 and 2 are the classic cases. It also applies to new, innovative functions whenever situational awareness built from complex sensing and processing is part of the innovation.
SOTIF therefore aims to reduce the two classes of hazard named in its definition: those caused by functional insufficiencies of the intended functionality (for example, the limits of a sensor or a perception algorithm under particular external conditions) and those caused by reasonably foreseeable misuse.
The idea of creating ISO 21448
Before SOTIF, companies developing autonomous vehicles had no common standard for hazards that arise from the intended functionality itself rather than from a malfunction. A further factor the industry has to consider is public concern about driverless cars.
Earning public trust in autonomous vehicles is hard, and the lack of it holds back both innovation and adoption. Developers and regulators have therefore agreed on the need for a comprehensive standard that supports a systematic argument for the completeness of the safety requirements of an automated driving function.
SOTIF is regarded as one of the most important challenges for Advanced Driver Assistance Systems (ADAS) and other automated driving functions. Achieving it is not a single activity: the standard requires design measures, verification measures and validation measures, applied through every phase of development.
Why do we need SOTIF?
A triggering condition is a specific condition of a driving scenario that can provoke unwanted behaviour of the system: adverse weather, misinterpretation of camera images or road signs, unusual lighting, and many more. On its own a triggering condition is harmless; it becomes dangerous when it exposes a functional insufficiency, such as a sensor or algorithm that cannot cope with that condition. The combination can lead to hazardous behaviour and, ultimately, to an accident.
Unintended use and reasonably foreseeable misuse of an autonomous vehicle can likewise lead to hazardous system behaviour, and SOTIF treats such misuse as another possible trigger of the hazardous events described above.
Many automated driving functions rely on machine learning, which makes them complex systems: they are trained on real-world driving scenarios to learn how to respond in a given environment.
If these functions learn how to react in different scenarios, they must do so safely, because their advanced behaviour is built on sensing, processing by algorithms, and actuation in E/E systems, and an error anywhere in that chain reaches the road.
Here are some of the measures as per SOTIF to address functional insufficiencies and foreseeable misuse:
The knife metaphor
For a non-specialist, a knife is a helpful way to understand what SOTIF covers.
The intended function of a knife is to cut. The question to ask is whether the cutting function itself is safe. Obviously it is not: a knife that works perfectly can still cut you.
To make it safe you have to take measures. One example is keeping knives in a drawer where children cannot reach them. Reducing the risk of the intended function working as designed, and of its foreseeable misuse, is what SOTIF is about.
Functional safety (FuSa), on the other hand, is concerned with the knife malfunctioning: the blade breaking while you cut, for instance, and injuring you.
To summarize: the knife is built to cut, and it can hurt someone even when it does exactly that, or when it is used for something other than its intended purpose or is misused. Preventing harm in those cases, with no malfunction involved, is what SOTIF is all about.
The knife example already suggests how to prevent the hazard of cutting yourself or someone else. Carried over to automated driving and ADAS functions, it means that automotive engineers must design the system so that its intended behaviour cannot hurt or endanger people.
Difference of FuSa and SOTIF
Functional Safety (FuSa) and Safety of the Intended Functionality have a lot in common and both serve the safety of the vehicle, but they address different causes of hazards:
FuSa: ISO 26262. Hazards caused by malfunctions of E/E systems, that is, hardware and software faults. The measures are about detecting, controlling and mitigating those faults.
SOTIF: ISO 21448. Hazards that occur without any malfunction, because the intended functionality is insufficient for a situation it encounters (a sensor or perception limitation under a particular external condition, for example) or because the function is misused in a reasonably foreseeable way.
Why do we need SOTIF if we already have FuSa?
SOTIF focuses on triggering conditions that originate outside the vehicle, in the driving environment, so it is the natural starting point for safety in the real world, and its hazard analysis can be carried out hand in hand with the Hazard Analysis and Risk Assessment (HARA) of FuSa.
ISO 26262 is oriented towards avoiding and controlling hardware and system failures that would violate the safety requirements; its focus is malfunctioning electronics and software.
In real-world operation, however, a large share of hazardous behaviour comes from the driving environment itself, with no malfunction at all. ISO 26262 has nothing to say about those cases; only SOTIF addresses them.
Automotive Testing in SOTIF
A proper understanding of the function, its behaviour and its limitations is the key to ensuring safety. In many cases a triggering condition is needed before potentially hazardous behaviour appears, so hazards must be analysed in the context of particular use cases and scenarios, and then verified and validated against them.
To do this, there are several types of testing methods mentioned in the SOTIF standard, which are:
The future for automotive developers
For developers of modern automotive technologies, SOTIF is a broader and deeper approach to safety. Instead of looking only at malfunctions, ISO 21448 requires developers to consider every potential hazard that results from the complexity of the technologies the standard covers. As noted at the beginning, the industry sees this as the future of safety standardization.
With ISO 21448 in place, automotive developers have to put more weight on their testing strategy and on statistical analysis in safety validation, because the argument that the residual risk is acceptable rests on how much relevant exposure has been tested. Virtual simulation, that is, driving the function through a wide variety of road conditions in a virtual world to verify that it behaves as intended and safely, is fast becoming a fundamental part of that strategy.
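The statistical side of that validation effort is easy to underestimate, so here is an added example (not from the article, the standard, or its author) of one common form it takes. It assumes that hazardous events within one scenario class occur as a Poisson process with an unknown rate per kilometre of exposure; from the kilometres driven (on road or in simulation) and the number of hazardous events observed, it derives a one-sided upper confidence bound on that rate and compares it with an accepted target. The scenario names, kilometres, event counts and the target rate are all constructed for illustration.

```python
"""Validation-target arithmetic for SOTIF scenario classes (added example).

Assumed model: hazardous events in one scenario class (e.g. "heavy rain on
highway") follow a Poisson process with unknown rate lam per km of exposure.
Observing k events in D km gives an upper (1 - beta) confidence bound on lam;
the class counts as validated only when that bound is below the target rate.
All numbers below are constructed, not from any real campaign.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScenarioExposure:
    name: str          # scenario class, typically a combination of triggering conditions
    driven_km: float   # exposure accumulated on road and/or in simulation
    events: int        # hazardous events observed within that exposure


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), summed in log space for stability."""
    if mu <= 0.0:
        return 1.0
    return sum(math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
               for i in range(k + 1))


def poisson_upper_mu(k: int, beta: float) -> float:
    """Largest mean mu still consistent with observing <= k events at
    confidence 1 - beta, i.e. the root of P(X <= k; mu) = beta (bisection).
    For k = 0 this is ln(1/beta), the familiar zero-failure rule."""
    if not 0.0 < beta < 1.0 or k < 0:
        raise ValueError("need 0 < beta < 1 and k >= 0")
    lo, hi = 0.0, float(k + 1)
    while poisson_cdf(k, hi) > beta:      # cdf falls as mu grows, so widen hi
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if poisson_cdf(k, mid) > beta:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def rate_upper_bound(ex: ScenarioExposure, beta: float) -> float:
    """Upper (1 - beta) confidence bound on the hazardous-event rate per km."""
    if ex.driven_km <= 0:
        raise ValueError("no exposure recorded for " + ex.name)
    return poisson_upper_mu(ex.events, beta) / ex.driven_km


def required_km(events: int, lam_target: float, beta: float) -> float:
    """Exposure at which `events` observed events still bound the rate
    below lam_target at confidence 1 - beta."""
    if lam_target <= 0:
        raise ValueError("target rate must be positive")
    return poisson_upper_mu(events, beta) / lam_target


def validation_status(exposures, lam_target: float, beta: float) -> dict:
    """Per scenario class: the rate bound, whether it meets the target, and
    how many more kilometres are needed if it does not (given no new events)."""
    status = {}
    for ex in exposures:
        bound = rate_upper_bound(ex, beta)
        missing = max(0.0, required_km(ex.events, lam_target, beta) - ex.driven_km)
        status[ex.name] = {"rate_upper": bound,
                           "validated": bound <= lam_target,
                           "missing_km": missing}
    return status


# Constructed campaign data (illustrative values only).
LAM_TARGET = 1e-9   # accepted hazardous events per km for this function
BETA = 0.05         # 95 % confidence
CAMPAIGN = [
    ScenarioExposure("clear_highway", 5.0e9, 0),
    ScenarioExposure("heavy_rain_highway", 1.0e9, 0),
    ScenarioExposure("night_urban_low_sun_glare", 2.0e9, 1),
]

if __name__ == "__main__":
    for name, s in validation_status(CAMPAIGN, LAM_TARGET, BETA).items():
        print(f"{name:28s} rate <= {s['rate_upper']:.2e}/km  "
              f"validated={s['validated']}  missing_km={s['missing_km']:.2e}")
```

Two things the numbers make visible. First, with zero observed events the bound depends only on exposure: at a target of one event per 10^9 km and 95 % confidence, every scenario class needs roughly 3 × 10^9 event-free kilometres, which is why exposure has to be counted per scenario class rather than as one grand total, and why simulation is needed to reach it for rare triggering conditions. Second, a single observed event in a class raises the exposure needed to validate that class from about 3.0 × 10^9 km to about 4.7 × 10^9 km, so every hazardous event found during validation should be traced to a functional insufficiency and fixed, not merely counted.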
Final thoughts
SOTIF is an essential part of automotive safety. It complements ISO 26262 by extending safety into automated driving and the external scenarios in which it operates.
SOTIF together with FuSa helps developers of autonomous systems avoid hazardous situations both when a malfunction is present and when none is, and covers reasonably foreseeable misuse as well.
Comment (3 years ago) by a reader describing themselves as Senior Scientist, Senior Software Safety Engineer, Senior Software Engineer, Chemist:
How does SOTIF handle unknown unknowns? What metrics does SOTIF require to support the assertion that all internal and external influences impacting safety are considered and properly mitigated?
In the field of civil engineering structures are designed with established safety factors. For instance it is common to design a structure with a safety factor of 3 or 5. Such a safety factor causes the materials and design of the structure to safely support a load 3 times or 5 times the anticipated maximum load for the system.
My experience with design of the NASA Orion spacecraft contains an example. The Orion spacecraft is a conical shaped capsule with both parachutes and up-righting balloons stored in an area in the apex (forward bay) of the conical structure. During re-entry into the atmosphere the section of the structure encasing the parachutes and up-righting balloons must be separated from the capsule to allow deployment first of the parachutes, and then upon splash-down in the ocean, deployment of the up-righting parachutes to ensure the capsule does not remain in an inverted position with its entry-exit hatch under water. The initial design of the system to separate the forward-bay cover was a detonation cord which would burn through the metal of the forward-bay cover, separating the cover from the capsule and allowing deployment of the parachutes and the up-righting balloons. On the first test flight of the vehicle the detonation cord worked as expected. The forward-bay cover was properly separated from the capsule. However, the detonation cord heated the metal of the forward-bay cover so quickly that it caused molten metal to be ejected into the forward bay compartment, damaging the up-righting balloons. The balloons experienced a functional failure and a material failure caused by the correct operation of the mechanism used to separate the forward bay cover.