This paper provides an introduction to SOTIF and Functional Safety and gives an overview of SOTIF activities and their relation with Artificial Intelligence (AI).
About the authors
Marcus Rau, Deputy Leader and Operational Manager of GCC Functional Safety, SGS-TÜV Saar GmbH: Marcus is a member of the German standardization group of ISO 26262 and is an expert functional safety trainer with a degree in EE from Munich University of Applied Science.
Eduard Dojan, Senior Automotive Safety & Security Expert, SGS-TÜV Saar GmbH: Eduard is an Automotive Functional Safety Expert (AFSE) for ISO 26262 and an Automotive Cyber Security Professional (CACSP) with a degree in technical computer science.
In recent years, we have been able to see some videos of the Tesla Autopilot in operation on highways and roads, but it has not been until now that the company has begun to distribute a “Full Self Driving” beta version amongst certain users.
Beta means beta, something to keep in mind now more than ever, but the fact that it has already begun to hit the streets indicates that the company’s trust in the Autopilot is quite high, perhaps higher than it should be.
However, amid the controversy that Tesla’s Autopilot has ignited, elements such as foreseeable misuse or misleading product definition underline the necessity of framing SOTIF and ISO 26262 in a technical and safety context.
In this regard, when it comes down to automated driving, Dojan asserts: “Driving is not a matter of ‘if’ but more a matter of ‘when’.” This means that automated driving will affect today’s vehicle architectures, introducing new technologies with emerging or changing risks that are partly unknown and add further complexity.
Functional Safety and Safety Of The Intended Functionality (SOTIF), based on the standards ISO 26262 and ISO 21448, provide methods and tools to cope with these upcoming requirements.
The SOTIF initiative aims to provide guidance on achieving completeness of safety requirements for the AI-based systems of automated vehicles operating on public roads. This is to be achieved through a more integral standard that focuses on the sensing systems responsible for dealing with all potentially dangerous situations, even when the sensing system itself has no fault.
But when drawing comparisons to determine the scope of each standard, Dojan points to several aspects that need to be contemplated in the equation.
SOTIF vs ISO 26262
Dojan says, “SOTIF is inherently a part of Functional Safety. Therefore SOTIF is the logical complement to functional safety as specified in ISO 26262. SOTIF and Functional Safety complement each other to realize the ‘Overall Functional Safety’ from the E/E perspective.”
In accordance with ISO DIS 21448, SOTIF is applicable to automation levels 1 to 5 and covers “functional insufficiencies” at vehicle level, meaning insufficiencies of the specification and performance limitations. FuSa, meanwhile, covers the “malfunctioning behavior” of E/E systems: random HW faults and systematic HW and SW faults.
But very importantly, Dojan underlines, “SOTIF and FuSa can be developed in parallel if a new function is realized. If FuSa already has been accomplished and SOTIF will be developed afterwards, an ‘impact analysis’ shall be performed to identify issues where SOTIF activities may result in impacts on FuSa.”