Introduction to SOTIF

Introduction to SOTIF

The future of the automotive industry is moving fast towards the development of autonomous vehicles (AV). With a lot of investments and innovation going on, we expect to see autonomous vehicles on the road in the years to come.

It is important to ensure the safety of autonomous vehicles during the development and operation phase. As autonomous vehicles need to sense the environment and build situational awareness, detection and mitigation of E/E faults addressed in the ISO 26262 series alone will not be sufficient.

To sufficiently address the faults which are not covered by the existing ISO 26262 series of standards, the automotive industry has introduced the Safety Of The Intended Functionality (SOTIF) or ISO/DIS 21448:2021 (the current state of standard). To learn more about this, please visit SOTIF Crash Course to join our crash course on SOTIF!

What is SOTIF?

By definition, it is the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons.

This means that the function can be controlled in all situations in relation to their operation and can be managed by the user in a safe manner. This concludes that a reasonable risk can be tolerated.

The situational awareness is derived from complex sensors and processing algorithms; especially emergency intervention systems such as the most famous example of emergency braking systems and ADAS levels 1 and 2. It is also applicable to innovative functions if situational awareness from complex sensors and processing algorithms are part of the innovation.

SOTIF aims to reduce threats to automotive safety such as:

• Residual risk of the intended function through analysis
• Unintended behavior in known situations through verification
• Residual unknown situations that could cause unintended behavior through validation of verification scenarios

The idea of creating ISO 21448

Before there was SOTIF, companies developing autonomous vehicles lacked a universal safety standard. Now, the important factor that the automotive industry has to consider is the public concern over driverless cars or autonomous vehicles.

Making people trust autonomous vehicles is very hard. This lack of trust is somewhat a hindrance to the innovation and adoption of the technology, so both developers and regulators have agreed to have comprehensive standards to guarantee safety requirement completeness in autonomous vehicles.

SOTIF is considered one of the most important challenges for Advanced Driver Assistance Systems or ADAS and other automated driving functions. You need to go through a lot of phases. There is a requirement for applicable design, verification and validation measures in order to achieve it.

Why do we need SOTIF?

There are trigger events that can lead to unwanted behavior of the system. These triggering events include weather conditions, misinterpretation of images or signs, and a lot more which may lead to accidents. These may lead to functional insufficiencies in systems.

In autonomous vehicles, unintended use and reasonably foreseeable misuse could lead to potentially hazardous system behavior. It is considered as a possible event that could trigger the aforementioned SOTIF-related hazardous events.

Also, autonomous cars are based on Artificial Intelligence so they are considered complex systems. They need to learn from driving scenarios that happen in real life such as what to do in a certain environment.

If autonomous cars can learn to react in different scenarios, they have to do it in a safe manner because their advanced functionalities are built based on sensing, processing of algorithms, and actuating in E/E systems.

Here are some of the measures as per SOTIF to address functional insufficiencies and foreseeable misuse:

• Design measures such as requirements for sensor performance.
• Verification measures such as test cases with high coverage of scenarios.
• Validation measures such as simulations.

The knife metaphor

For ordinary people, using a knife as an example helps to better understand how SOTIF works.

In this example, the intended function of the knife is that it can cut something. The question you would ask is if the function of cutting is really safe. Of course, you know that it's not safe because you can cut yourself.

So, to make it safe, you would then have to take measures. One example of a safety measure is that kids will not have access to the knives and you should keep them in the drawers. That is what SOTIF signifies.

Functional safety (FuSa), on the other hand, is the possibility that the knife can actually break when you cut something with it. It can end up injuring you.

To summarize, the intention of building a knife is to cut, but you can use it for any purpose other than intended or you may misuse it. That is what you want to prevent and it is what SOTIF is all about.

With the knife example, you already have ideas on how to prevent this hazard of cutting yourself or someone else. To connect it with automated driving and ADAS function, it means that automotive engineers can also try to design the system in a way that it cannot hurt or endanger people.

Difference of FuSa and SOTIF

Functional Safety and Safety of the Intended Functionality have commonalities and both work for the safety of the vehicle. Here are the key differences between FuSa and SOTIF:

FuSa:

• ISO 26262 has been the primary standard in automotive development focusing on functional safety to eliminate electric/electronic (E/E) systems malfunctions.
• It covers hazard analysis and risk assessment, design, verification and validation requirements, and safety management.
• Methods focus on the identification and mitigation of faults that can potentially violate a safety goal.
• It is dependent on the risks associated with malfunctions in the system.

SOTIF:

• Autonomous cars receive data from complex sensor systems, lidars, cameras, radars, etc. which are processed and interpreted by Machine Learning and Artificial Intelligence algorithms that could confuse the system resulting in unsafe behavior.
• This is addressed by SOTIF.
• It covers malfunctions in the absence of faults such as any unintended consequences that result from the technological shortcomings in the design of the system.
• It covers scenario identification including misuses, functional improvements, and verification and validation strategy.
• It is based on triggering events that are analyzed if acceptable or if the function needs to be modified.
• It is an extension of ISO 26262 to cover safety from uncertainties due to weather conditions, misinterpretation of images or signs, etc.
• In autonomous vehicles, the current scope of SOTIF is level 1 or driver assistance and level 2 or partial automation.
• It is applicable at the vehicle level, system level, software component level, and hardware component level.

Why do we need SOTIF if we already have FuSa?

Since SOTIF is more focused on the external triggers that happen outside the vehicle, it is the first step in safety in the real world and it can be done hand-in-hand with Hazard Analysis and Risk Assessment (HARA) in FuSa.

ISO 26262 is leaning more towards providing information on avoiding and controlling hardware and system failures that are not in line with the safety requirements. It also focuses on electronics and software malfunction.

In the real world setting, the driving environment is the most common cause of faults and failures which can only be addressed by SOTIF.

Automotive Testing in SOTIF

A proper understanding of the function, its behavior, and its limitations is the key to ensuring safety. In many instances, a triggering event is necessary to cause potentially hazardous behavior; hence it is important to analyze hazards in the context of particular use cases and perform verification and validation.

To do this, there are several types of testing methods mentioned in the SOTIF standard, which are:

• Verification of system robustness
• Requirement-based test?
• System test under different environmental conditions?
• Verification of system aging effects
• Directed randomized input tests
• Verification of internal and external interfaces

The future for automotive developers

For developers of modern automotive technologies, SOTIF is a broader and in-depth approach to safety. Instead of focusing only on malfunctions, ISO 21448 makes it more complex which requires developers to consider any potential hazards resulting from the complexity of the technologies covered by the standard. As mentioned at the beginning, the automotive industry sees that as the future of safety standardization.

With ISO 21448 in place, automotive developers should increase focus on testing strategies and apply statistical analysis in their safety validation efforts. Virtual simulation or simulating a wide variety of road conditions in a virtual world to verify the intended and safe functioning of their autonomous technologies is fast becoming a fundamental strategy.

Final thoughts

SOTIF is a very important part of automotive safety. It complements ISO 26262 in the sense that it extends safety into autonomous driving and its external scenarios.

SOTIF, together with FuSa, helps autonomous developers avoid hazardous situations both in the presence and in the absence of malfunctions and unintended use cases.

[[JOIN OUR SOTIF CRASH COURSE TO LEARN MORE!]]