Introduction to SOTIF

The future of the automotive industry is moving fast towards the development of autonomous vehicles (AV). With a lot of investments and innovation going on, we expect to see autonomous vehicles on the road in the years to come.

It is important to ensure the safety of autonomous vehicles during both the development and the operation phase. Because autonomous vehicles must sense their environment and build situational awareness from that sensing, detecting and mitigating E/E faults as addressed in the ISO 26262 series alone is not sufficient: a system can behave hazardously even when every component works exactly as designed.

To address the hazards that the existing ISO 26262 series does not cover, the automotive industry introduced the Safety Of The Intended Functionality (SOTIF), standardized as ISO 21448 (at the time of writing, in its draft stage as ISO/DIS 21448:2021). To learn more about this, please visit SOTIF Crash Course to join our crash course on SOTIF!


What is SOTIF?

By definition, SOTIF is the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons.

In practice this means that the function behaves as intended in all situations within its operating conditions, and that its behavior can be controlled by the user in a safe manner. The goal is not zero risk: a residual risk that is judged reasonable can be tolerated.

SOTIF applies wherever situational awareness is derived from complex sensors and processing algorithms. The best-known examples are emergency intervention systems such as automatic emergency braking, and ADAS functions at SAE levels 1 and 2. It applies equally to new, innovative functions whenever situational awareness built from complex sensors and processing algorithms is part of the innovation.

SOTIF aims to reduce three contributions to automotive safety risk:

  • The residual risk of the intended function, addressed through analysis
  • Unintended behavior in known situations, addressed through verification
  • Residual unknown situations that could cause unintended behavior, addressed through validation beyond the verified scenarios


The idea of creating ISO 21448

Before SOTIF, companies developing autonomous vehicles lacked a common safety standard for hazards that are not caused by malfunctions. An important factor the automotive industry now has to consider is public concern over driverless or autonomous vehicles.

Earning people's trust in autonomous vehicles is very hard. This lack of trust hinders both innovation and adoption of the technology, so developers and regulators have agreed on the need for comprehensive standards that give a structured argument for the completeness of the safety requirements of autonomous vehicles.

SOTIF is considered one of the most important challenges for Advanced Driver Assistance Systems (ADAS) and other automated driving functions. Achieving it requires going through many phases, with applicable design, verification and validation measures at each of them.


Why do we need SOTIF?

Triggering conditions can lead to unwanted behavior of the system. These include weather conditions, misinterpretation of images or traffic signs, and many more; each of them can expose a functional insufficiency in the system (for example, a sensor whose range is degraded by fog) and so lead to an accident.

In autonomous vehicles, unintended use and reasonably foreseeable misuse can also lead to potentially hazardous system behavior. Misuse is therefore treated as another possible trigger of the SOTIF-related hazardous events described above.

Also, autonomous cars are based on Artificial Intelligence so they are considered complex systems. They need to learn from driving scenarios that happen in real life such as what to do in a certain environment.

If autonomous cars can learn to react in different scenarios, they have to do it in a safe manner because their advanced functionalities are built based on sensing, processing of algorithms, and actuating in E/E systems.

Here are some of the measures as per SOTIF to address functional insufficiencies and foreseeable misuse:

  • Design measures such as requirements for sensor performance.
  • Verification measures such as test cases with high coverage of scenarios.
  • Validation measures such as simulations.


The knife metaphor

For ordinary people, using a knife as an example helps to better understand how SOTIF works.

In this example, the intended function of the knife is that it can cut something. The question you would ask is if the function of cutting is really safe. Of course, you know that it's not safe because you can cut yourself.

So, to make it safe, you would then have to take measures. One example of a safety measure is that kids will not have access to the knives and you should keep them in the drawers. That is what SOTIF signifies.

Functional safety (FuSa), on the other hand, addresses the possibility that the knife breaks while you are cutting something with it. A broken blade can end up injuring you even though you were using the knife as intended.

To summarize, the intention of building a knife is to cut, but you can use it for any purpose other than intended or you may misuse it. That is what you want to prevent and it is what SOTIF is all about.

With the knife example, you already have ideas on how to prevent this hazard of cutting yourself or someone else. To connect it with automated driving and ADAS function, it means that automotive engineers can also try to design the system in a way that it cannot hurt or endanger people.


Difference of FuSa and SOTIF

Functional Safety and Safety of the Intended Functionality have commonalities and both work for the safety of the vehicle. Here are the key differences between FuSa and SOTIF:

FuSa:

  • ISO 26262 has been the primary standard in automotive development, focusing on functional safety: avoiding and controlling hazards caused by malfunctions of electric/electronic (E/E) systems.
  • It covers hazard analysis and risk assessment, design, verification and validation requirements, and safety management.
  • Its methods focus on the identification and mitigation of faults that could violate a safety goal.
  • It is driven by the risks associated with malfunctions in the system.

SOTIF:

  • Autonomous cars receive data from complex sensor systems (lidars, cameras, radars, etc.) that is processed and interpreted by machine learning and artificial intelligence algorithms. Limitations of these sensors and algorithms can confuse the system and result in unsafe behavior even when nothing has malfunctioned.
  • This is what SOTIF addresses.
  • It covers hazardous behavior in the absence of faults, such as unintended consequences that result from technological shortcomings in the design of the system.
  • It covers scenario identification (including misuse), functional improvements, and the verification and validation strategy.
  • It is based on triggering conditions, each of which is analyzed to decide whether the resulting risk is acceptable or the function needs to be modified.
  • It complements ISO 26262 to cover safety against uncertainties due to weather conditions, misinterpretation of images or signs, etc.
  • The original ISO/PAS 21448:2019 limited its stated scope to SAE level 1 (driver assistance) and level 2 (partial automation); later revisions extend it to higher levels of automation.
  • It is applicable at the vehicle level, system level, software component level, and hardware component level.


Why do we need SOTIF if we already have FuSa?

Since SOTIF focuses on triggers that originate outside the vehicle, it is the first step toward safety in the real-world driving environment, and it can be done hand-in-hand with the Hazard Analysis and Risk Assessment (HARA) of FuSa.

ISO 26262 leans towards avoiding and controlling hardware and system failures that would violate the safety requirements; its focus is on electronics and software malfunctions.

In a real-world setting, the driving environment is a major source of hazards that involve no fault or failure at all, and those hazards can only be addressed by SOTIF.


Automotive Testing in SOTIF

A proper understanding of the function, its behavior, and its limitations is the key to ensuring safety. In many instances, a triggering event is necessary to cause potentially hazardous behavior; hence it is important to analyze hazards in the context of particular use cases and perform verification and validation.

To do this, the SOTIF standard mentions several types of testing methods, including:

  • Verification of system robustness
  • Requirement-based tests
  • System tests under different environmental conditions
  • Verification of system aging effects
  • Directed randomized input tests
  • Verification of internal and external interfaces
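The design, verification and validation measures listed under "Why do we need SOTIF?" and the test methods listed above can be made concrete with a small scenario sweep. The following is an added example, not code from the article or from ISO 21448: it models a toy automatic emergency braking (AEB) function whose sensor range is degraded by weather and lighting, derives the sensor-performance requirement as a design measure, runs a requirement-based test over a scenario grid, and then runs a directed randomized input test to locate the speed at which the function becomes insufficient. Every number (nominal range, degradation factors, deceleration, latency, speed grid) is a constructed, hypothetical assumption chosen only to make the mechanics visible; no real vehicle or standard value is implied.

```python
"""Scenario-based SOTIF verification of a toy AEB function.

Added illustration, not code from the article or from ISO 21448.
All constants below are constructed, hypothetical assumptions.
"""
import itertools
import random
from dataclasses import dataclass

NOMINAL_DETECTION_RANGE_M = 120.0                      # assumed clear-day range
WEATHER_RANGE_FACTOR = {"clear": 1.0, "rain": 0.7, "fog": 0.35}  # assumed
LIGHT_RANGE_FACTOR = {"day": 1.0, "night": 0.8}                  # assumed
DECEL_MPS2 = 6.0                                       # assumed deceleration
LATENCY_S = 0.3                                        # assumed sense-to-brake delay
GRID_SPEEDS_KPH = (30.0, 50.0, 80.0, 100.0, 130.0)     # assumed test grid


@dataclass(frozen=True)
class Scenario:
    weather: str
    light: str
    speed_kph: float


def detection_range_m(weather: str, light: str) -> float:
    """Effective sensor range after the environment degrades it."""
    return (NOMINAL_DETECTION_RANGE_M
            * WEATHER_RANGE_FACTOR[weather] * LIGHT_RANGE_FACTOR[light])


def stopping_distance_m(speed_kph: float) -> float:
    """Distance covered during the latency plus the braking distance."""
    v = speed_kph / 3.6
    return v * LATENCY_S + v * v / (2.0 * DECEL_MPS2)


def required_detection_range_m(speed_kph: float) -> float:
    """Design measure: the sensor-performance requirement implied by the
    intended function at a given speed (detect before it is too late)."""
    return stopping_distance_m(speed_kph)


def aeb_is_sufficient(s: Scenario) -> bool:
    """Safety requirement: the obstacle must be detectable no later than
    the point at which braking can still stop the vehicle."""
    return stopping_distance_m(s.speed_kph) <= detection_range_m(s.weather, s.light)


def sweep_scenarios(speeds=GRID_SPEEDS_KPH) -> dict:
    """Requirement-based test over the full weather x light x speed grid."""
    return {
        Scenario(w, l, v): aeb_is_sufficient(Scenario(w, l, v))
        for w, l, v in itertools.product(WEATHER_RANGE_FACTOR, LIGHT_RANGE_FACTOR, speeds)
    }


def triggering_conditions(results: dict) -> list:
    """Scenarios in which the function is insufficient although nothing failed."""
    return sorted((s for s, ok in results.items() if not ok),
                  key=lambda s: (s.weather, s.light, s.speed_kph))


def max_safe_speed_kph(weather: str, light: str, speeds=GRID_SPEEDS_KPH) -> float:
    """Functional restriction: highest grid speed at which the requirement
    still holds under the given conditions (0.0 if none does)."""
    safe = [v for v in speeds if aeb_is_sufficient(Scenario(weather, light, v))]
    return max(safe) if safe else 0.0


def randomized_probe(n_samples: int = 2000, seed: int = 1) -> dict:
    """Directed randomized input test: sample continuous speeds instead of
    the grid and report the lowest failing speed seen per weather type."""
    rng = random.Random(seed)
    lowest_failing = {}
    for _ in range(n_samples):
        w = rng.choice(list(WEATHER_RANGE_FACTOR))
        l = rng.choice(list(LIGHT_RANGE_FACTOR))
        v = round(rng.uniform(20.0, 140.0), 1)
        if not aeb_is_sufficient(Scenario(w, l, v)):
            lowest_failing[w] = min(lowest_failing.get(w, v), v)
    return lowest_failing


if __name__ == "__main__":
    for s in triggering_conditions(sweep_scenarios()):
        print(f"insufficient: {s.weather}/{s.light} at {s.speed_kph:.0f} km/h "
              f"(needs {required_detection_range_m(s.speed_kph):.1f} m, "
              f"has {detection_range_m(s.weather, s.light):.1f} m)")
    print("lowest failing speed per weather (random probe):", randomized_probe())
```

Under these assumptions the grid sweep flags 10 of the 30 scenarios, all of them in degraded weather or at night, and the randomized probe narrows each boundary to a speed the grid alone would miss (for example, around 66 km/h in fog at night). Each flagged cell is a candidate triggering condition to be either accepted as residual risk, removed by a design measure such as a higher sensor requirement, or handled by a functional restriction such as the speed limit that `max_safe_speed_kph` computes.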


The future for automotive developers

For developers of modern automotive technologies, SOTIF is a broader and more in-depth approach to safety. Instead of focusing only on malfunctions, ISO 21448 requires developers to consider any potential hazard that results from the limitations of the sensing and decision technologies covered by the standard, which makes the safety argument considerably more complex. As mentioned at the beginning, the automotive industry sees this as the future of safety standardization.

With ISO 21448 in place, automotive developers should increase focus on testing strategies and apply statistical analysis in their safety validation efforts. Virtual simulation or simulating a wide variety of road conditions in a virtual world to verify the intended and safe functioning of their autonomous technologies is fast becoming a fundamental strategy.


Final thoughts

SOTIF is a very important part of automotive safety. It complements ISO 26262 in the sense that it extends safety into autonomous driving and its external scenarios.

SOTIF, together with FuSa, helps autonomous developers avoid hazardous situations both in the presence and in the absence of malfunctions and unintended use cases.

[[JOIN OUR SOTIF CRASH COURSE TO LEARN MORE!]]

Jim Rogers

Senior Scientist, Senior Software Safety Engineer, Senior Software Engineer, Chemist

3 years

How does SOTIF handle unknown unknowns? What metrics does SOTIF require to support the assertion that all internal and external influences impacting safety are considered and properly mitigated? In the field of civil engineering, structures are designed with established safety factors. For instance, it is common to design a structure with a safety factor of 3 or 5. Such a safety factor causes the materials and design of the structure to safely support a load 3 times or 5 times the anticipated maximum load for the system. My experience with design of the NASA Orion spacecraft contains an example. The Orion spacecraft is a conical shaped capsule with both parachutes and up-righting balloons stored in an area in the apex (forward bay) of the conical structure. During re-entry into the atmosphere, the section of the structure encasing the parachutes and up-righting balloons must be separated from the capsule to allow deployment first of the parachutes, and then, upon splash-down in the ocean, deployment of the up-righting parachutes to ensure the capsule does not remain in an inverted position with its entry-exit hatch under water. The initial design of the system to separate the forward-bay cover was a detonation cord which would burn through the metal of the forward-bay cover, separating the cover from the capsule and allowing deployment of the parachutes and the up-righting balloons. On the first test flight of the vehicle the detonation cord worked as expected. The forward-bay cover was properly separated from the capsule. However, the detonation cord heated the metal of the forward-bay cover so quickly that it caused molten metal to be ejected into the forward bay compartment, damaging the up-righting balloons. The balloons experienced a functional failure and a material failure caused by the correct operation of the mechanism used to separate the forward bay cover.
