Automotive Industry Insights
ISO 21448 SOTIF
Description
ISO 21448 is about ensuring the safety of the intended functionality (SOTIF). SOTIF is defined as the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. ISO 21448 is a necessary extension to the functional safety standard ISO 26262, driven by the introduction of complex technologies such as advanced driver-assistance systems (ADAS) and automated driving (AD) into the automotive development process. For these technologies, situational awareness is drawn from a complex interaction of sensors and software, so verifying and validating both the individual functions and their interaction is safety critical. In this context, the main goal of ISO 21448 is to reduce the residual risk to a reasonable minimum and to provide evidence of the system's behavior within a known environment. The foundation for this is proof that the driving function behaves safely within the known scenarios, and that the likelihood of encountering additional unknown and unsafe scenarios is sufficiently low.
The SOTIF process is highly iterative across the three phases design, verification, and validation. Achieving the SOTIF is mainly based on identifying the triggering conditions that expose a system insufficiency. Triggering conditions are specific conditions of a driving scenario that initiate a subsequent system reaction, possibly leading to a hazardous event. Based on the system specification and the operational design domain (ODD), a use-case-based analysis is conducted. The critical triggering conditions found in this phase are the basis for system design improvements and for the verification phase. To estimate the residual risk of the system, ISO 21448 suggests scenario-based tests that validate the system in real-life use cases.
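The loop described above can be made concrete with a small scenario-based evaluation. The following Python is an added illustration written for this page; it is not ASAM or ISO 21448 material. It assumes a deliberately simplified automatic emergency braking (AEB) function whose only insufficiency is a reduced effective sensor range under certain triggering conditions, a constructed scenario catalogue, and constructed degradation factors. It partitions the catalogue into safe and hazardous scenarios, counts which triggering conditions appear in the hazardous ones (the input to the next design iteration), and derives the upper bound on the per-scenario probability of a still-unobserved unsafe scenario that a run of failure-free validation scenarios supports.

```python
"""Toy scenario-based SOTIF evaluation (constructed example, not from ISO 21448)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical ODD parameters for a simplified AEB function (assumptions).
NOMINAL_DETECTION_RANGE_M = 80.0   # sensor range under nominal conditions
REACTION_TIME_S = 0.5              # detection-to-brake latency
DECELERATION_MPS2 = 6.0            # achievable braking deceleration

# Hypothetical functional insufficiency: each triggering condition scales the
# effective detection range.  The factors are constructed for this example.
RANGE_DEGRADATION = {
    "low_sun": 0.5,
    "heavy_rain": 0.7,
    "dirty_lens": 0.6,
}


@dataclass(frozen=True)
class Scenario:
    name: str
    speed_mps: float
    triggering_conditions: frozenset  # e.g. frozenset({"low_sun", "dirty_lens"})


def stopping_distance(speed_mps):
    """Distance covered during the reaction time plus the braking distance."""
    return speed_mps * REACTION_TIME_S + speed_mps ** 2 / (2 * DECELERATION_MPS2)


def effective_range(conditions):
    """Detection range after applying every active triggering condition."""
    r = NOMINAL_DETECTION_RANGE_M
    for c in conditions:
        r *= RANGE_DEGRADATION.get(c, 1.0)
    return r


def is_safe(scenario):
    """The intended function is safe in a scenario iff the obstacle is detected
    before the vehicle enters its own stopping distance."""
    return effective_range(scenario.triggering_conditions) >= stopping_distance(scenario.speed_mps)


def evaluate(scenarios):
    """Split the catalogue into safe/hazardous scenarios and count which
    triggering conditions occur in the hazardous ones."""
    hazardous = [s for s in scenarios if not is_safe(s)]
    condition_counts = Counter(c for s in hazardous for c in s.triggering_conditions)
    return hazardous, condition_counts


def residual_unknown_upper_bound(n_passed, confidence=0.95):
    """Upper bound on the per-scenario probability of an as-yet-unobserved unsafe
    scenario, given n_passed independent failure-free scenario runs that are
    representative of the ODD (exact zero-failure binomial bound; ~3/n at 95 %)."""
    if n_passed <= 0:
        raise ValueError("need at least one failure-free run")
    return 1.0 - (1.0 - confidence) ** (1.0 / n_passed)


# Constructed scenario catalogue (speeds in m/s).
SCENARIO_CATALOGUE = [
    Scenario("clear_city", 15.0, frozenset()),
    Scenario("rain_rural", 20.0, frozenset({"heavy_rain"})),
    Scenario("low_sun_rural", 20.0, frozenset({"low_sun"})),
    Scenario("dirty_lens_rural", 20.0, frozenset({"dirty_lens"})),
    Scenario("low_sun_dirty_city", 15.0, frozenset({"low_sun", "dirty_lens"})),
    Scenario("low_sun_city", 12.0, frozenset({"low_sun"})),
]


if __name__ == "__main__":
    hazardous, counts = evaluate(SCENARIO_CATALOGUE)
    for s in hazardous:
        print(f"hazardous: {s.name} conditions={sorted(s.triggering_conditions)}")
    print("triggering conditions in hazardous scenarios:", dict(counts))
    print("residual bound after 3000 failure-free runs:",
          f"{residual_unknown_upper_bound(3000):.6f}")
```

With this catalogue the two hazardous scenarios both carry `low_sun`, which is exactly the kind of finding that feeds the next design iteration (a second sensor modality, a lower ODD speed limit, or a driver takeover request). The residual-risk bound is only as good as the sampling behind it: it assumes the validation scenarios are independent draws representative of the ODD, so it says nothing about scenario classes the catalogue never covers.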
Status
ISO 21448 was published as a publicly available specification (PAS) in 2019. The final international standard ISO 21448 "Road Vehicles – Safety of the Intended Functionality" is currently under development and will replace the PAS once published. Because of the industry-wide recognition of the problems that ISO 21448 addresses, there is already significant interest in the standard from many players, with the intention of establishing long-term viable and safe development processes for ADAS/AD functions.
Current role and relevance with regard to ADAS/AD
In contrast to ISO 26262, ISO 21448 does not deal with hazards directly caused by malfunctioning E/E systems (e.g. a damaged camera sensor). Instead, SOTIF focuses on hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. With regard to ADAS/AD, ISO 21448 rightly pushes the need for scenario-based testing: unlike a mechanical component such as a steering rod, the complex interaction between sensors and software in an ADAS/AD function cannot be tested adequately by real-world driving alone. Limiting factors are not only reproducibility, but also the impossibility of exhaustively executing all scenarios that may occur. The solution to this problem is extensive virtual testing, which is what ISO 21448 addresses. The standard is therefore closely tied to the successful development of ADAS/AD functionalities. SOTIF does not, however, provide details on how these virtual testing and simulation approaches should be combined with proving-ground tests and real driving, although this combination is crucial.
Study group summary of ISO 21448
ISO 21448 is one source for the test strategy blueprint. As the standard is still under development, the currently available committee draft is considered. Since it also calls for a combination of several test methods, including virtual and simulation-based procedures, it is aligned with the findings of the study group. ISO 21448 will be one pillar of homologation, so it is crucial to consider its requirements when releasing ADAS/AD functions on the road. The test strategy blueprint defined by the study group is the basis for defining an ISO 21448-compliant verification and validation strategy.
As the testing approaches of the study group and of the ISO 21448 committee draft are already well aligned, cross-referencing the two in the final version of the standard should be considered, in order to communicate a full view of testing and enable readers to implement such an approach. The test procedures defined in ISO 21448 are a subset of the study group's test strategy blueprint.