Robust Designs, Inventive Problem Solving, and Safety of the Intended Functionality (SOTIF)

Achieving robust designs is the foundation of developing dependable, reliable and affordable autonomous vehicles that satisfy their safety requirements. The concept phase of ISO 26262 (Part 3) includes the Hazard Analysis and Risk Assessment (HARA), which evaluates the potential risks due to malfunctions of the item and defines the top-level safety requirements: the safety goals. The remaining parts of ISO 26262 provide requirements and guidance to avoid and control the random hardware faults and systematic faults that could violate a safety goal. However, for systems that rely on environment sensors, safety can be violated even when the system is free from faults, if the sensor or the processing algorithm reaches a hazardous conclusion about the environment. Guidance is needed to manage these violations. Depending on the functional concept, several aspects of the intended functionality may be safety-related, for example:

  • The ability of the function to correctly comprehend the situation and behave safely

  • The robustness of the function with regard to signal noise

A new version of the road-vehicle functional safety standard, the Second Edition of ISO 26262, arrived in 2018. It included many upgrades and removed the weight limit (maximum gross vehicle mass of 3,500 kg) that had restricted the First Edition to passenger cars, extending coverage to other vehicle categories, including heavier road cars, trucks, buses and motorcycles. Notably, the Second Edition also adds guidance (Part 11) on the design and use of semiconductors in an automotive functional safety context.

What remained missing from ISO 26262:2018, however, is detail on how to handle the development of autonomous vehicles. That topic is addressed in a separate standard that follows the Second Edition, ISO/PAS 21448, more commonly referred to as SOTIF, standing for ‘Safety of the Intended Functionality’. Where ISO 26262 deals with hazards caused by malfunctions, SOTIF deals with hazards that arise from performance limitations of the intended functionality in the absence of any fault.

The new world of autonomous vehicles poses many challenges to road safety. A robust system begins with robust sensors. When arguing safety for an autonomous road vehicle, it is very hard to show that the sensing capability is sufficient for every scenario that might occur. Even for today’s manually driven vehicles equipped with Advanced Driver Assistance Systems (ADAS), it is far from trivial to argue that the sensor systems are sufficiently capable of enabling safe behaviour. Here we argue that the transition from ADAS to Automated Driving Systems (ADS) enables new solution patterns for the part of the safety argument that depends on the sensor systems. A key factor is that the ADS itself can compensate for a lower sensor capability, for example by lowering the speed or increasing the distances it keeps. The robust design strategy allocates to the sensors a safety requirement to determine, and report, their own current capability; the tactical decisions of the ADS-equipped vehicle then balance that capability against what the function is allowed to do. The SOTIF standard, in its first (PAS) edition, targets Level 0, Level 1 and Level 2 automated driving (AD) functions, and even at these levels the definition of SOTIF-related safety goals is proving difficult for the world’s AD experts.

The considerations ultimately addressed by future updates of ISO 26262 and by SOTIF will touch every part of the automotive supply chain. Design automation software, for example, will be required to address the quality and reliability of components in an automotive product environment.

Autonomous vehicles must be safe even when they do not fail but interact incorrectly with the application or usage environment. The SOTIF standard is therefore being drafted to provide guidance that assures an autonomous vehicle functions and acts safely during normal operation, by assessing how the intended functions interact with that environment. Limiting or disabling certain ADAS or autonomous functions when a sensor is faulty, unavailable or cannot do its job is viewed as standard practice. Scenarios to consider include accident damage, ice build-up on a front-mounted radar, snow obscuring lane markings, or a dead insect on the windscreen obscuring a camera. All of these can be handled by a combination of sensor diagnostics (detecting that the sensor is faulty or blinded) and processing intelligence (deciding what the vehicle may still safely do with the capability that remains).
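As an added illustration (not code from this page, from ISO 26262 or from ISO/PAS 21448), the following Python sketch shows one way to implement two of the ideas above: the strategy of letting each sensor report its own current capability and having the tactical layer of the ADS balance it by lowering speed or widening gaps, and the practice of limiting or disabling a function when a sensor is faulty or blinded. Every number in it (reaction time, deceleration, margin, and the fraction of nominal range below which a sensor is treated as unable to do its job) is an assumption chosen for the example, and the SensorReport and Decision structures are hypothetical.

```python
# Added illustrative example: not code from ISO 26262, ISO/PAS 21448 or any
# vehicle programme. It derives the speed at which the vehicle can still stop
# inside the range its sensors currently claim to see, and falls back to a
# degraded or disabled mode when a sensor is faulty or effectively blind.
# Every numeric constant below is an assumption made for this example only.
import math
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    NOMINAL = "nominal"     # requested speed is within what the sensors support
    DEGRADED = "degraded"   # function stays on, but speed is capped and gap widened
    DISABLED = "disabled"   # a required sensor is faulty/blind: hand over or stop


@dataclass(frozen=True)
class SensorReport:
    """What a sensor reports about itself (hypothetical fields)."""
    name: str
    diagnostics_ok: bool        # built-in self-test passed (no detected fault)
    effective_range_m: float    # range it currently claims to perceive reliably
    nominal_range_m: float      # design range in good conditions


@dataclass(frozen=True)
class Decision:
    mode: Mode
    max_speed_mps: float        # 0.0 when disabled
    min_gap_m: float            # distance to keep to the object ahead
    limiting_sensor: Optional[str]


# Assumed parameters for the illustration only.
REACTION_TIME_S = 1.0       # detection -> brake build-up
MAX_DECEL_MPS2 = 5.0        # deceleration the ADS is willing to use
SAFETY_MARGIN_M = 5.0       # buffer kept inside the perceived range
MIN_RANGE_FRACTION = 0.25   # below this share of nominal range the sensor "cannot do its job"


def stopping_distance_m(v_mps: float, t_react: float = REACTION_TIME_S,
                        decel: float = MAX_DECEL_MPS2) -> float:
    """Distance covered during the reaction time plus braking from v to rest."""
    return v_mps * t_react + v_mps ** 2 / (2.0 * decel)


def max_speed_for_range(range_m: float, t_react: float = REACTION_TIME_S,
                        decel: float = MAX_DECEL_MPS2,
                        margin: float = SAFETY_MARGIN_M) -> float:
    """Largest v such that v*t + v^2/(2a) + margin <= range_m.

    Solving v^2/(2a) + t*v - (range - margin) = 0 for its positive root gives
    v = a * (-t + sqrt(t^2 + 2*(range - margin)/a)).
    """
    usable = range_m - margin
    if usable <= 0.0:
        return 0.0
    return decel * (-t_react + math.sqrt(t_react ** 2 + 2.0 * usable / decel))


def decide(reports: List[SensorReport], requested_speed_mps: float) -> Decision:
    """Tactical decision for a function that needs ALL listed sensors.

    The range the function may rely on is the weakest sensor's self-reported
    range (conservative). A failed self-test, an empty report list, or a
    sensor reporting less than MIN_RANGE_FRACTION of its nominal range
    disables the function instead of merely slowing the vehicle.
    """
    if not reports:
        return Decision(Mode.DISABLED, 0.0, 0.0, None)
    for r in reports:
        blind = r.effective_range_m < MIN_RANGE_FRACTION * r.nominal_range_m
        if not r.diagnostics_ok or blind:
            return Decision(Mode.DISABLED, 0.0, 0.0, r.name)

    weakest = min(reports, key=lambda r: r.effective_range_m)
    v_cap = max_speed_for_range(weakest.effective_range_m)
    if v_cap < requested_speed_mps:
        gap = stopping_distance_m(v_cap) + SAFETY_MARGIN_M
        return Decision(Mode.DEGRADED, v_cap, gap, weakest.name)

    gap = stopping_distance_m(requested_speed_mps) + SAFETY_MARGIN_M
    return Decision(Mode.NOMINAL, requested_speed_mps, gap, None)


if __name__ == "__main__":
    # Constructed sample: radar fine, camera range halved by fog, 30 m/s requested.
    fog = [SensorReport("radar", True, 120.0, 150.0),
           SensorReport("camera", True, 60.0, 100.0)]
    print(decide(fog, 30.0))        # DEGRADED, cap about 19 m/s, limited by camera
    # Constructed sample: camera self-test fails (e.g. an obscured lens).
    broken = [SensorReport("radar", True, 120.0, 150.0),
              SensorReport("camera", False, 0.0, 100.0)]
    print(decide(broken, 30.0))     # DISABLED
```

The stopping-distance relation v·t + v²/(2a) is the only physics involved; the point is that the speed cap is derived from what the sensors currently claim, so a camera whose range is halved by fog yields a lower cap rather than a disabled function, whereas a failed self-test or a range below the usable floor disables the function outright. A real tactical layer would also account for the relative motion of the object ahead, and for redundancy: a function that can fall back to a second, independent sensor should take the best available range rather than the weakest.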

The unique safety demands of autonomous vehicles (AV) will undoubtedly be a challenge for road safety, but the emergence of new international standards is setting the direction that AV development will have to take. Topics covered in SOTIF will therefore include:

  • Detail on advanced concepts of the AV architecture;

  • How to evaluate SOTIF hazards, which differ from ISO 26262 hazards;

  • How to identify and evaluate scenarios and triggering events;

  • How to reduce SOTIF-related risks;

  • How to verify and validate the reduction of SOTIF-related risks; and

  • The criteria to meet before releasing an autonomous vehicle.

As functional safety will play a large part in ensuring robust autonomous systems, standards such as ISO 26262 will need to address autonomy. The First Edition of the standard (ISO 26262:2011) contained very little content specific to autonomy. Its perspective was constrained by the Vienna Convention requirement that the driver maintain control of the vehicle at all times, and by the resulting assumption that electronic systems could therefore “fail silent” in the case of a malfunction.

Has this changed with Edition 2 of the standard (ISO 26262:2018)? One improvement in the new edition concerns “fail operational” systems, since some control systems require a degree of availability in order to maintain safe operation; the standard now considers how to design systems that can continue operating in the presence of failures. Another development area, addressed in the companion ISO/PAS 21448 rather than in ISO 26262 itself, is “safety of the intended functionality”: how factors such as sensor performance can be addressed, for example a false-positive detection of an obstacle by a forward-looking radar. For a function such as Autonomous Emergency Braking (AEB), we want to avoid an undemanded brake application. One potential cause of such an event is that the radar sensor reports the presence of an object that is not another vehicle but, say, a metal plate on the road during construction works. The challenge is in ensuring that the sensor, and the processing behind it, correctly discriminate between targets that should cause a brake application and those that should not. The radar is not faulty in the ISO 26262 sense, which is exactly why this is a SOTIF question rather than a functional safety one.

Despite the significant improvements over the First Edition, the Second Edition of ISO 26262 is still firmly grounded in the constraints of a traditional vehicle, so further work is needed before it fully addresses the unique requirements brought about by autonomy. Two areas stand out: hazard analysis and availability. Hazard analysis considers driver “controllability”, which needs reinterpreting for a highly automated function. To assure functional safety, the hazard analysis considers whether an average driver would be able to maintain control, or take some action to mitigate the effects of a failure, if one occurs. For a highly automated function, the driver may not be able to act within a reasonable time, so a different approach to hazard analysis may be required. Furthermore, additional consideration must be given to the architectures and concepts that assure the availability of autonomous systems. As vehicles become fully autonomous, the period over which availability must be maintained stretches from a bounded interval (long enough for a driver to take over) to the whole of an arbitrary vehicle journey. These elements will form the foundations of an AV methodology. Next comes the implementation. Verification and validation of autonomous functions must pass many tests, from simulation to full vehicle, covering the whole operating environment and how it changes over time: weather, road condition, surrounding landscape, object texture, and possible driver misuse.

Coupled with these changes is a potential shift in liability: autonomous systems are being publicised as removing driver error, cited as the most common cause of traffic accidents. If such a system fails, however, to whom does the responsibility shift? Some manufacturers are already suggesting they might assume liability in the event of a highly automated system failing (the practicality of this will require further consideration), whilst others are taking a more cautious view. In either case, this only underlines the need for a high degree of assurance and resilience in the systems that deliver highly automated driving functions. SOTIF will provide methods and guidelines for including environmental scenarios during early concept analysis and, later on, validation. It will guide users through the documentation of scenarios, the safety analysis of those scenarios, the verification of both the scenarios and the triggering events that lead to hazardous behaviour, and the validation of the vehicle in its environment with the safety measures applied. These factors will be paramount for compliance with the upcoming standard on AV.

In summary, we are on the road to making fully autonomous vehicles a reality, and while ISO 26262 sets out the basis on which such systems will be developed, there is more work to do to extend its concepts to deal with such vehicles’ unique safety requirements. In the meantime, expert guidance and adaptation to existing standards is required to cover the development and testing of these systems. Along with SOTIF, advanced concepts, evaluations, and tests will go well beyond previous development processes. With that in mind, the reliance on inventive problem solving, test platforms, software tools, digital-twin simulations, or hardware in the loop, is set to become more important than ever.
