
SOTIF: Fine tuning highly automated vehicle and automated vehicle safety


Waymo uses modified Chrysler Pacifica minivans to test its automated driving software and hardware

The number of highly automated and self-driving cars is increasing rapidly, and their technology is speeding ahead of regulation. However, strong public concerns about their safety have prompted the sector to increase safety standards beyond the item-based ISO 26262 to achieve safety goals compliance.

The Safety of the Intended Functionality (SOTIF) will likely become the highly automated vehicle (HAV) and automated vehicle (AV) standard in the coming years as the industry moves towards ultimate safety completeness. Here we explore what this means for the automotive industry.

Playing it safe

The US Department of Transportation has just eased federal oversight on HAVs and AVs, giving the nod to OEMs and tech companies like Aurora and Waymo to further their tests on public roads. Also, Europe’s Transport Commission announced earlier this year that it aims to make the continent a world leader in autonomous vehicle systems, with a €450m investment in road and telecoms networks to help catch up with the Chinese and American markets.

However, one big question remains – what are the next safety standard steps to fully comply with the Safety Goals (SG) beyond ISO 26262 and E/E systems functionality? Perhaps SOTIF is the long-awaited answer?

The SOTIF initiative aims to provide guidance for how to apply safety requirement completeness for AV artificial intelligence systems out on the streets. This will be achieved by developing a more integral standard that mainly involves the sensing systems in charge of sorting all possible dangerous situations – even without any fault in the sensing system itself.

According to industry and academic experts from Volvo and the SP Research Institute of Sweden, “The cause [of an accident] might be that the processing algorithm takes a hazardous decision about the environment… so the SOTIF initiative aims at providing guidance to manage such a violation of a SG.”

In this regard, SOTIF is a more holistic standard that transcends – or complements – ISO 26262 E/E system standardization.

Why SOTIF?

SOTIF originated as a sub-working group within ISO 26262’s second revision. According to experts at Volvo and the SP Research Institute of Sweden, it is also the result of inadequate safety requirement fine-tuning and of improper item definitions:

“Our position is that ISO 26262 needs to be complemented to explicitly prescribe activities, e.g. refinement verification, and corresponding work products for refinement, on every existing level of the reference lifecycle.”

David Landoll, solutions architect at OneSpin Solutions, asserted to the portal semiengineering.com that “in addition to the ISO 26262 second revision that will be released later this year, and all the other established functional safety standards like IEC 61508, IEC 61511, EN 5012X series, DO-254, etc., a new regulatory framework is emerging.”

And that framework is, indeed, SOTIF.

Ashish Darbari, director of product management at OneSpin Solutions, supports the safety standard approach and its slight twist:

“For safety there are compliance things to be met. There is more documentation for ISO 26262 compliance and for random faults there is extra work that has to be done. But for systematic failure analysis, you just need a slightly more inclusive mindset than you have for functional verification.”

Further, SOTIF’s new approach to safety standards was crucially triggered by the way HAVs and AVs interact with the road.

Arteris IP’s Kurt Shuler says, “There are a number of unknown and unsafe conditions out there that affect how an AV responds, which the SOTIF standard is going to address.”

And what’s more important is that its introduction will pose an innovative take on safety standardization.

From System Failure to System Complexity

SOTIF has been released under the ISO designation PAS 21448 and covers “the validation and the verification of systems with complex sensing and algorithms, whose limitations in performance could cause safety hazards in the absence of a malfunction,” says Darbari.

It focuses on verifying and demonstrating the safety of a system, not only from its functional verification perspective but also from its sheer complexity. And this is the true value of the new standard.

At a time when AV accidents – Uber and others – are deterring end-consumers from embracing self-driving technology, SOTIF is a gargantuan yet complementary effort to deliver safety completeness.

“The complexity problem will then be possible to master by introducing safety requirements in so many steps that each step can be verified with regards to [safety] correctness and completeness,” as pointed out by Volvo and the SP Research Institute of Sweden experts.

Forbes recently reported that Volvo Cars and Chinese internet giant Baidu had announced the development of electric cars capable of Level 4 – one down from the ultimate Level 5 where a driver has no involvement at all with driving – for the robotaxi market in Asia.

However, many questions remain about the safety challenges the industry faces in applying automated driving systems on the street, from how the new and more complex artificial intelligence will adapt and respond to the road environment and offer a safe vehicle personality, to how OEMs will deal with the recurrent system updates as a car gains mileage.

For now, SOTIF is still the beginning of a new and exciting part of the automotive industry’s next big development. It begins to answer some of the key questions facing the automotive industry as autonomy increases, and many more will be discussed at Automotive IQ’s The SOTIF Conference, part of its Safety and Security week of events.

