Navigating SOTIF and Ensuring Safety in Autonomous Driving
Article by Chaitanya Shinde,
Senior Systems Engineer - AV Safety at Cruise
Understanding SOTIF (ISO 21448)
ISO 21448, formally titled "Road vehicles — Safety of the intended functionality", defines SOTIF as the absence of unreasonable risk due to a hazard caused by functional insufficiencies, such as:
● insufficiencies of specification of the intended functionality at the vehicle level;
● insufficiencies of specification, or performance insufficiencies, in the implementation of the electrical and/or electronic (E/E) elements of the system.
ISO 21448 is designed to address hazards that arise not from a fault but from external factors exposing an inherent weakness (insufficiency) of the function. Traditional functional-safety standards ask whether the E/E system can fail; ISO 21448 asks whether the system is safe even when it works exactly as designed. It recognises that a vehicle can function correctly according to its design and still behave in an unexpected, potentially hazardous way, for instance when a sensor's performance limits are reached. It provides guidance on the design, verification and validation measures, and on the activities during the operation phase, that are needed to achieve and maintain the SOTIF.
In the world of autonomous vehicles, where human drivers are gradually becoming passengers, the need to define and understand the intended operational design domain (ODD) becomes paramount. ISO 21448 provides a structured approach to identify, assess, and mitigate hazards related to the intended functionality of autonomous driving systems.
The automotive industry is hurtling towards a future dominated by autonomous driving technology. As we witness the rapid evolution of self-driving vehicles, the paramount concern is ensuring the safety of these advanced systems. One crucial standard, ISO 21448, has emerged as a beacon for addressing safety challenges in autonomous driving. In this article, we explore the intricacies of ISO 21448 and its indispensable role in shaping the future of self-driving vehicles.
Image: Springer Link
The Need for SOTIF in Autonomous Driving
As autonomous driving technology advances, traditional safety standards like ISO 26262 (functional safety) remain necessary but are not sufficient. ISO 26262 addresses hazards caused by malfunctions of E/E systems; it has nothing to say about a system that works exactly as specified but whose specification or performance is inadequate for the situation it meets. ISO 21448 fills that gap. For instance, a self-driving car might operate perfectly within its defined parameters but behave unsafely once it leaves its ODD, such as in extreme weather or in a complex urban environment it was never designed for.
Real-world examples underscore the importance of ISO 21448. Consider an autonomous vehicle navigating a city street. ISO 26262 would focus on hazards caused by component faults, such as a failed sensor or a software defect, whereas ISO 21448 asks whether the intended function is safe when nothing has failed: whether the perception and planning are good enough for ambiguous lane markings, unpredictable pedestrian behaviour, or unexpected road construction, and what the vehicle does when they are not.
Key Components of SOTIF
ISO 21448 builds on several key concepts to enhance safety in autonomous driving:
Operational Design Domain (ODD): the specific conditions and scenarios in which the automated driving system is designed to operate safely (the term is shared with SAE J3016). For example, a self-driving car might be designed for highway driving in normal weather but be unable to cope with heavy rain or snow; the ODD must state such limits explicitly, because the system has to detect when it is leaving them.
Safety of the Intended Functionality (SOTIF): unlike functional safety, which addresses faults and failures in the system's components, SOTIF addresses the safety of the function when it is working as designed. It covers scenarios in which the system operates correctly yet still creates a hazard, for example because a performance limitation is exposed by a triggering condition such as a weather change, or because of reasonably foreseeable misuse by the driver or user.
Risk Assessments and Mitigation Strategies: ISO 21448 calls for systematic identification of hazards, triggering conditions and functional insufficiencies, sorting scenarios into known and unknown, safe and hazardous, and reducing the known-hazardous and unknown-hazardous areas until the residual risk is acceptable. That includes the boundary of the ODD: if the vehicle encounters conditions outside its ODD, it needs a mechanism to reach a minimal risk condition, either by handing control to the human driver with adequate warning time or by bringing itself safely to a stop.
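To make the ODD-boundary and minimal-risk ideas concrete, the following is an added example, not code from the article or from any vehicle programme, of a simple ODD monitor. It assumes a hypothetical ODD (divided highway, speed up to 130 km/h, visibility of at least 200 m, rain of at most 2.5 mm/h, and a passing perception self-check), a 0.5 s confirmation time before an ODD exit is acted on, and a 10 s takeover window before the system falls back to a minimal risk manoeuvre; all of these values, and the observation fields, are assumptions.

```python
"""ODD monitor: debounced ODD-exit detection with a takeover request and a
minimal-risk fallback. Added illustration, not code from the article or any
vehicle programme; the ODD limits, field names and timings are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    AUTOMATED = "automated"          # inside ODD, automation active
    TAKEOVER_REQUEST = "takeover"    # ODD exit confirmed, driver asked to take over
    MINIMAL_RISK = "mrm"             # driver did not respond: minimal risk manoeuvre
    MANUAL = "manual"                # driver has taken over


@dataclass(frozen=True)
class OddSpec:
    """Assumed ODD: divided highway, at most light rain, adequate visibility."""
    road_types: frozenset = frozenset({"highway"})
    max_speed_kph: float = 130.0
    min_visibility_m: float = 200.0
    max_rain_mm_h: float = 2.5


@dataclass(frozen=True)
class Observation:
    t: float                   # seconds
    road_type: str
    speed_kph: float
    visibility_m: float        # perception estimate, may be noisy
    rain_mm_h: float
    perception_healthy: bool   # sensor self-check; a failure is itself an ODD exit


def odd_violations(spec: OddSpec, obs: Observation) -> list:
    """List the ODD conditions this observation violates (empty = inside ODD)."""
    v = []
    if obs.road_type not in spec.road_types:
        v.append("road_type")
    if obs.speed_kph > spec.max_speed_kph:
        v.append("speed")
    if obs.visibility_m < spec.min_visibility_m:
        v.append("visibility")
    if obs.rain_mm_h > spec.max_rain_mm_h:
        v.append("rain")
    if not obs.perception_healthy:
        v.append("perception")
    return v


class OddMonitor:
    """A violation must persist for confirm_s before a takeover is requested
    (one noisy sample must not trigger it). After the request the driver has
    takeover_s; if nothing happens the system goes to a minimal risk
    manoeuvre. A request is never cancelled automatically, even if the
    violation clears, so the driver is not confused mid-handover."""

    def __init__(self, spec: OddSpec, confirm_s: float = 0.5, takeover_s: float = 10.0):
        self.spec, self.confirm_s, self.takeover_s = spec, confirm_s, takeover_s
        self.mode = Mode.AUTOMATED
        self._violation_since: Optional[float] = None
        self._request_at: Optional[float] = None

    def update(self, obs: Observation, driver_took_over: bool = False) -> Mode:
        viol = odd_violations(self.spec, obs)
        if self.mode is Mode.AUTOMATED:
            if not viol:
                self._violation_since = None
            else:
                if self._violation_since is None:
                    self._violation_since = obs.t
                if obs.t - self._violation_since >= self.confirm_s:
                    self.mode, self._request_at = Mode.TAKEOVER_REQUEST, obs.t
        elif self.mode is Mode.TAKEOVER_REQUEST:
            if driver_took_over:
                self.mode = Mode.MANUAL
            elif obs.t - self._request_at >= self.takeover_s:
                self.mode = Mode.MINIMAL_RISK
        return self.mode


def run_scenario(samples, spec: OddSpec = OddSpec(), **kw) -> list:
    """Feed (Observation, driver_took_over) pairs; return the mode after each."""
    m = OddMonitor(spec, **kw)
    return [m.update(o, took) for o, took in samples]


def _obs(t, vis=300.0, rain=0.0, healthy=True, road="highway", speed=110.0):
    return Observation(t, road, speed, vis, rain, healthy)


# Constructed scenario: a 0.2 s visibility glitch is ignored, then heavy rain
# pushes the vehicle out of its ODD and the driver never responds.
GLITCH_THEN_RAIN = [
    (_obs(0.0), False), (_obs(0.1, vis=50.0), False), (_obs(0.2, vis=50.0), False),
    (_obs(0.3), False),                                 # glitch cleared: no request
    (_obs(5.0, rain=8.0), False), (_obs(5.3, rain=8.0), False),
    (_obs(5.6, rain=8.0), False),                       # violation persisted 0.6 s
    (_obs(10.0, rain=8.0), False), (_obs(15.7, rain=8.0), False),  # > 10 s later
]

if __name__ == "__main__":
    for (o, _), mode in zip(GLITCH_THEN_RAIN, run_scenario(GLITCH_THEN_RAIN)):
        print(f"t={o.t:5.1f}s {mode.value}")
```

The debounce and the no-automatic-cancel rule are the two design choices that matter: the first prevents a single noisy visibility estimate from producing a spurious takeover request (itself a hazard if it startles the driver), the second keeps the request from flickering while the driver is mid-handover. A real monitor would add hysteresis on each limit and treat the perception self-check as a functional-safety input as well.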
Real-world examples of SOTIF
Level 2 ADAS (Advanced Driver Assistance Systems): Adaptive Cruise Control (ACC), a common Level 2 feature, automatically adjusts the vehicle's speed to keep a safe following distance from the vehicle ahead. For ACC, a SOTIF analysis asks whether the function behaves safely and predictably across the conditions it will actually meet, including triggering conditions at the edge of its ODD. A classic one is the lead vehicle suddenly changing lanes or exiting the roadway: the gap opens up, and whatever was hidden behind the lead vehicle, possibly a much slower or stopped vehicle, is revealed with little time to react. A related, well-documented performance insufficiency is that many radar-based ACC systems deliberately filter out stationary returns to suppress roadside clutter, so a stopped vehicle may not be reacted to at all.
In such cases, SOTIF requires that the triggering condition be identified, its risk assessed and, where unacceptable, mitigated. Manufacturers implementing ACC under SOTIF may, for example, fuse radar with a camera so that a stationary object revealed by a cut-out is still detected, hold speed rather than resume acceleration until the newly opened gap is confirmed clear, and add redundant sensing, plausibility checks and fail-safe behaviour to limit the consequences of unintended acceleration or braking.
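The cut-out case is worth seeing in numbers. The following simulation is an added example, not code from the article or from any production ACC: an ego vehicle follows a lead vehicle that cuts out at t = 2 s to reveal a stopped vehicle. The radar-only controller's radar is modelled with stationary-target suppression, so it never sees the stopped vehicle; the hardened controller fuses a camera with an assumed 100 m range and 0.3 s track-confirmation delay, and holds speed for 3 s after losing its lead instead of resuming acceleration. Vehicle, sensor and controller parameters are all assumptions.

```python
"""ACC cut-out onto a stopped vehicle: a radar-only ACC whose radar suppresses
stationary returns versus an ACC that fuses a camera and holds speed after
losing its lead. Added illustration, not code from the article or any
production system; every vehicle, sensor and controller value is assumed."""
from dataclasses import dataclass
from typing import Optional

DT = 0.1                               # simulation step, s
A_MIN, A_MAX = -6.0, 1.5               # assumed actuator limits, m/s^2
RADAR_RANGE, CAM_RANGE = 150.0, 100.0  # assumed sensor ranges, m
RADAR_MIN_SPEED = 2.0                  # radar drops slower targets (clutter filter)
CAM_CONFIRM_S = 0.3                    # camera track confirmation delay, s
HOLD_S = 3.0                           # no acceleration for this long after lead lost


@dataclass
class Vehicle:
    x: float
    v: float
    in_lane: bool = True
    cutout_t: Optional[float] = None   # when it leaves the ego lane, if ever


@dataclass
class Ego:
    x: float = 0.0
    v: float = 30.0
    set_speed: float = 36.0
    d0: float = 5.0                    # standstill gap, m
    tau: float = 1.5                   # desired time gap, s
    kp: float = 0.2                    # gap gain
    kv: float = 0.8                    # relative-speed gain


class Perception:
    """Radar plus optional camera. The radar ignores near-stationary returns;
    the camera sees them, but only within CAM_RANGE and after CAM_CONFIRM_S."""

    def __init__(self, use_camera: bool):
        self.use_camera = use_camera
        self.first_seen = {}

    def nearest(self, ego: Ego, vehicles, t: float):
        best = None
        for veh in vehicles:
            gap = veh.x - ego.x
            if not veh.in_lane or gap <= 0:
                continue
            radar = gap <= RADAR_RANGE and abs(veh.v) >= RADAR_MIN_SPEED
            cam = False
            if self.use_camera and gap <= CAM_RANGE:
                self.first_seen.setdefault(id(veh), t)
                cam = t - self.first_seen[id(veh)] >= CAM_CONFIRM_S
            if (radar or cam) and (best is None or gap < best[0]):
                best = (gap, veh.v)
        return best                    # (gap, target speed) or None


def acc_command(ego: Ego, target) -> float:
    """Constant-time-gap ACC: track set speed with no target, else regulate gap."""
    if target is None:
        a = 0.5 * (ego.set_speed - ego.v)
    else:
        gap, v_t = target
        a = ego.kp * (gap - (ego.d0 + ego.tau * ego.v)) + ego.kv * (v_t - ego.v)
    return max(A_MIN, min(A_MAX, a))


def simulate(hardened: bool, t_end: float = 15.0) -> dict:
    """Run the constructed scenario; report the minimum gap to the stopped vehicle."""
    ego = Ego()
    lead = Vehicle(x=50.0, v=30.0, cutout_t=2.0)   # same speed, 1.5 s gap
    stopped = Vehicle(x=200.0, v=0.0)              # hidden behind the lead
    perception = Perception(use_camera=hardened)
    lost_at, had_target, min_gap, t = None, False, float("inf"), 0.0
    while t < t_end:
        if lead.cutout_t is not None and t >= lead.cutout_t:
            lead.in_lane = False
        target = perception.nearest(ego, [lead, stopped], t)
        if had_target and target is None:
            lost_at = t                            # triggering condition: lead lost
        had_target = target is not None
        a = acc_command(ego, target)
        if hardened and target is None and lost_at is not None and t - lost_at < HOLD_S:
            a = min(a, 0.0)                        # hold: never accelerate into the unknown
        ego.v = max(0.0, ego.v + a * DT)
        ego.x += ego.v * DT
        lead.x += lead.v * DT
        min_gap = min(min_gap, stopped.x - ego.x)
        if min_gap <= 0.0:
            return {"collision": True, "min_gap_m": round(min_gap, 1), "t": round(t, 1)}
        t += DT
    return {"collision": False, "min_gap_m": round(min_gap, 1), "t": round(t, 1)}


if __name__ == "__main__":
    print("radar-only:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

The radar-only run accelerates toward its set speed the moment the lead disappears and drives into the stopped vehicle it cannot see. The hardened run needs both mitigations: the camera supplies the missing detection, and the hold matters because the camera needs time to confirm a new track, so without it the ego has already picked up speed before the stopped vehicle is confirmed. The final gap is several metres, which is the kind of number a vehicle-level acceptance criterion would be written against.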
Level 4 Autonomous Driving: Level 4 Urban Autonomous Driving represents a significant leap towards fully autonomous vehicles capable of operating without human intervention in specific environments, such as urban areas. In urban driving scenarios, vehicles encounter a wide range of dynamic and unpredictable conditions, including heavy traffic, pedestrians, cyclists, and complex road geometries.
In Level 4 autonomous driving, SOTIF principles are crucial for ensuring the safe operation of the vehicle's intended functions within the designated operational design domain (ODD). Urban environments present numerous challenges, such as ambiguous lane markings, uncontrolled intersections, and pedestrians crossing at non-designated locations. SOTIF requires autonomous driving systems to anticipate and respond to these challenges while prioritising safety.
Automotive manufacturers developing Level 4 autonomous driving systems for urban environments under SOTIF guidelines implement a range of strategies to address potential hazards. For example, advanced perception algorithms analyse sensor data from cameras, lidars, and radars to accurately detect and classify various objects and road users in complex urban scenes. Moreover, Level 4 autonomous vehicles incorporate redundancy and fail-safe mechanisms to ensure safe operation in the event of sensor failures or unexpected environmental conditions. Additionally, real-time monitoring and validation of the vehicle's operational status help ensure that it remains within its intended operational design domain, minimising the likelihood of unsafe behaviour.
SOTIF V&V
The V&V strategy for SOTIF is driven by testing known hazardous scenarios and by deliberately searching for unknown hazardous ones (the two scenario areas ISO 21448 aims to shrink), using the following steps:
● Develop a comprehensive test plan that covers a wide range of operational scenarios, including both expected and unexpected conditions.
● Implement simulation-based testing to evaluate the system's behaviour under various environmental conditions, sensor failures, and edge cases.
● Conduct scenario-based testing to assess the system's response to critical events and safety-critical scenarios.
● Utilise real-world testing to validate the system's performance in actual driving conditions and verify its ability to operate safely within the defined ODD.
● Establish verification procedures to ensure that the autonomous driving system meets the safety requirements specified in ISO 21448.
● Verify compliance with safety goals and requirements through a combination of analytical techniques, such as FTA, FMEA, STPA, etc.
● Conduct formal verification of safety mechanisms and mitigation strategies to ensure their effectiveness in reducing the risk of hazardous events.
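Two of the steps above, scenario-based testing and verification against the safety requirements, lead to a question every SOTIF engineer is asked: how much test exposure supports a given vehicle-level acceptance criterion? The following is an added example, not from the article or from ISO 21448 itself, of the underlying Poisson arithmetic. It assumes hazardous events arrive at a constant rate per kilometre, and uses an assumed criterion of fewer than one event per ten million kilometres shown with 95 % confidence.

```python
"""Validation-target arithmetic for a SOTIF acceptance criterion: how much test
exposure supports the claim that a hazardous event rate is below a target.
Added illustration, not from the article or from ISO 21448 itself; the rate
target and confidence level used below are assumptions."""
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu); terms computed in log space."""
    if mu <= 0.0:
        return 1.0
    return sum(math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
               for i in range(k + 1))


def rate_upper_bound(events: int, distance_km: float, confidence: float = 0.95) -> float:
    """Largest per-km event rate still consistent with `events` events in
    `distance_km` at one-sided `confidence`: solve
    P(X <= events; rate * D) = 1 - confidence for the rate."""
    if events == 0:                                    # closed form
        return -math.log(1.0 - confidence) / distance_km
    lo, hi = 0.0, (50.0 + 10.0 * events) / distance_km  # at hi the CDF is ~0
    for _ in range(200):                               # bisection on the rate
        mid = 0.5 * (lo + hi)
        if poisson_cdf(events, mid * distance_km) > 1.0 - confidence:
            lo = mid                                   # rate still plausible
        else:
            hi = mid
    return hi


def required_distance_km(rate_target: float, confidence: float = 0.95,
                         events: int = 0) -> float:
    """Exposure needed so that `events` observed events still bound the rate
    below `rate_target` at `confidence` (bisection on a log scale)."""
    lo, hi = 1.0, 1e12
    for _ in range(200):
        mid = math.sqrt(lo * hi)
        if rate_upper_bound(events, mid, confidence) > rate_target:
            lo = mid                                   # not enough exposure yet
        else:
            hi = mid
    return hi


def exposure_table(rate_target: float, confidence: float = 0.95, max_events: int = 3) -> dict:
    """Required distance, in km, for 0..max_events observed events."""
    return {k: required_distance_km(rate_target, confidence, k) for k in range(max_events + 1)}


if __name__ == "__main__":
    # Assumed acceptance criterion: fewer than one hazardous event per 1e7 km,
    # to be demonstrated with 95 % confidence.
    for k, d in exposure_table(1e-7).items():
        print(f"{k} event(s) observed: need about {d / 1e6:8.1f} million km")
```

With zero events the answer is the familiar factor of three: about 30 million km for a target of one event per 10 million km, and every event observed during validation pushes the requirement up further. The caveats are as important as the number: the Poisson model assumes the test exposure is representative of the ODD, and no amount of failure-free distance says anything about scenarios that the test fleet never entered. That is why this statistical argument complements scenario-based and simulation testing rather than replacing them.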
Continuous Monitoring and Improvement
● Implement mechanisms for continuous monitoring of the autonomous driving system's safety performance throughout its lifecycle.
● Collect and analyse data from real-world deployments to identify potential safety issues and assess the system's overall safety performance.
● Incorporate feedback from monitoring activities to refine the system's behavior, update safety requirements, and enhance safety mechanisms as needed.
Challenges and Opportunities
Implementing ISO 21448 in autonomous driving systems comes with its set of challenges. The complexity of real-world scenarios, the need for accurate risk assessment and safety validation targets, and the integration of SOTIF concepts into existing development processes present hurdles for automotive manufacturers. However, these challenges also bring forth opportunities for innovation and improvement in safety.
Consider the challenge of addressing unpredictable human behavior on the road. ISO 21448 encourages the development of advanced perception systems that can better anticipate and respond to human actions, enhancing the overall safety of autonomous vehicles. This not only benefits the vehicle occupants but also contributes to the safety of pedestrians and other road users.
Moreover, ISO 21448 creates opportunities for collaboration among industry stakeholders. As companies work towards compliance, knowledge sharing and collaborative research become essential. This collaborative approach not only accelerates the adoption of ISO 21448 but also fosters a culture of safety across the automotive industry.
Case studies of companies successfully implementing ISO 21448 provide valuable insights into overcoming challenges and leveraging opportunities. For instance, a leading autonomous vehicle manufacturer might share its experiences in developing robust risk assessment frameworks and integrating SOTIF considerations into the entire product lifecycle. Such case studies serve as beacons of best practices for the wider industry.
Global Impact and Adoption
The impact of ISO 21448 extends globally, as autonomous driving is not limited by geographical boundaries. Regulatory bodies play a crucial role in endorsing and enforcing ISO 21448 compliance to ensure a standardised approach to safety across different regions.
In the United States, for example, the National Highway Traffic Safety Administration (NHTSA) has been actively engaging with industry stakeholders to establish guidelines for the safe deployment of autonomous vehicles. ISO 21448 aligns with these efforts by providing a comprehensive framework that complements existing regulatory initiatives.
Internationally, collaboration among countries is essential to create a unified approach to autonomous driving safety. Organisations like the International Organization for Standardization (ISO) play a pivotal role in facilitating this collaboration, ensuring that ISO 21448 becomes a globally accepted standard for autonomous vehicle safety.
OEMs are leveraging SOTIF guidelines to establish robust safety frameworks for their autonomous driving systems. This involves conducting comprehensive risk assessments, defining clear operational design domains (ODDs), implementing stringent verification and validation processes, and deriving vehicle-level acceptance criteria to ensure the safety of their vehicles under diverse operating conditions.
Suppliers, on the other hand, play a critical role in providing the components and technologies that enable autonomous driving functionality. From sensors and actuators to control systems and software algorithms, suppliers are aligning their development processes with SOTIF requirements to deliver safe and reliable solutions to OEMs, and they provide component-level validation targets which the OEMs then use to meet their vehicle-level acceptance criteria.
Collaboration between OEMs and suppliers is essential to ensure seamless integration of SOTIF principles throughout the vehicle development lifecycle. This collaborative approach fosters knowledge sharing, innovation, and best practices, ultimately leading to the production of safer autonomous vehicles.
Future Outlook
Looking ahead, the integration of ISO 21448 into the fabric of autonomous driving development processes is poised to become more seamless. As technology evolves, with advancements in artificial intelligence, sensor technologies, and connectivity, ISO 21448 will need to adapt to new challenges and opportunities.
One aspect to watch is the intersection of ISO 21448 with emerging autonomous vehicle legislation. As governments around the world grapple with regulating self-driving technology, ISO 21448 provides a robust foundation for ensuring safety. Policymakers can leverage the principles outlined in ISO 21448 to inform legislation that fosters innovation while prioritising safety.
The future of autonomous driving safety also hinges on the industry's ability to stay ahead of emerging risks. One critical aspect is the integration of cybersecurity into the existing safety frameworks, ISO 26262 and ISO 21448. As vehicles become increasingly connected and reliant on data exchange, their attack surface grows: remote compromise, malware and data breaches, but also attacks on the very sensors the intended function depends on. ISO 26262 itself does not specify cybersecurity measures; its 2018 edition only describes the interface between functional safety and cybersecurity, and the automotive cybersecurity engineering process (threat analysis and risk assessment, secure development, monitoring and incident response) is covered by ISO/SAE 21434, with UN Regulation No. 155 making a cybersecurity management system a type-approval requirement in UNECE markets. Measures such as secure boot and authenticated in-vehicle communication come out of that process. What SOTIF adds is the link from a cyber threat to the intended function: jamming or spoofing of radar sensor signals is a triggering condition like any environmental one, so hazardous scenarios derived from an attacker's perspective should be included in SOTIF V&V under ISO 21448 alongside the weather and traffic scenarios, which helps enhance the overall safety of autonomous driving technology.
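The following is an added example, not code from the article or from any vehicle, of what treating radar jamming and spoofing as SOTIF triggering conditions looks like in practice: a plausibility monitor that runs beside the radar tracker. It assumes a constructed frame format (a noise-floor reading, a list of radar tracks with range and range rate, and the ranges of camera-confirmed objects), assumed thresholds, and a constructed six-frame sequence in which a ghost target appears at 25 m with no camera corroboration and the noise floor then rises for three frames.

```python
"""Plausibility monitor that treats radar jamming and spoofing as SOTIF
triggering conditions rather than as purely security events. Added
illustration, not code from the article or any vehicle; the frame format,
thresholds and sample frames are constructed for the example."""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OK = "ok"                 # radar trusted this frame
    JAMMED = "jammed"         # noise floor raised: radar unusable, degrade the function
    SPOOFED = "spoofed"       # ghost target rejected, radar trust reduced


@dataclass
class RadarTrack:
    tid: int
    range_m: float
    range_rate_mps: float     # negative = closing


@dataclass
class Frame:
    t: float
    noise_floor_db: float
    radar: list               # RadarTrack objects
    camera_ranges_m: list     # ranges of camera-confirmed objects ahead


NOISE_BASELINE_DB = -90.0     # assumed quiet noise floor
JAM_MARGIN_DB = 15.0          # rise above baseline that counts as jamming
JAM_FRAMES = 3                # consecutive frames required before declaring it
CAM_RANGE_M = 100.0           # inside this range the camera must corroborate
CAM_TOLERANCE_M = 8.0         # allowed radar/camera range disagreement
KINEMATIC_TOL_M = 3.0         # allowed jump versus the track's own prediction


class RadarPlausibility:
    def __init__(self):
        self.jam_count = 0
        self.last = {}        # tid -> (t, range) from the previous frame

    def check(self, f: Frame):
        """Return (verdict, plausible_tracks) for one frame."""
        # 1. Jamming: a sustained rise of the noise floor blinds the radar.
        jammed_now = f.noise_floor_db > NOISE_BASELINE_DB + JAM_MARGIN_DB
        self.jam_count = self.jam_count + 1 if jammed_now else 0
        if self.jam_count >= JAM_FRAMES:
            self.last = {}
            return Verdict.JAMMED, []
        accepted, ghosts = [], 0
        for tr in f.radar:
            plausible = True
            # 2. Kinematic consistency with the track's own history.
            if tr.tid in self.last:
                t0, r0 = self.last[tr.tid]
                predicted = r0 + tr.range_rate_mps * (f.t - t0)
                plausible = abs(tr.range_m - predicted) <= KINEMATIC_TOL_M
            # 3. Cross-sensor corroboration inside camera range: a target the
            #    camera cannot see at 25 m is more likely injected than real.
            if plausible and tr.range_m <= CAM_RANGE_M:
                plausible = any(abs(c - tr.range_m) <= CAM_TOLERANCE_M
                                for c in f.camera_ranges_m)
            self.last[tr.tid] = (f.t, tr.range_m)
            if plausible:
                accepted.append(tr)
            else:
                ghosts += 1
        return (Verdict.SPOOFED if ghosts else Verdict.OK), accepted


def run(frames) -> list:
    """Verdict per frame for a sequence of frames."""
    mon = RadarPlausibility()
    return [mon.check(f)[0] for f in frames]


# Constructed sequence: real lead at ~60 m, a ghost at 25 m in frame 3,
# then the noise floor rises by 18-20 dB for the last three frames.
SAMPLE_FRAMES = [
    Frame(0.0, -90.0, [RadarTrack(1, 60.0, -2.0)], [61.0]),
    Frame(0.1, -89.0, [RadarTrack(1, 59.8, -2.0)], [60.5]),
    Frame(0.2, -90.0, [RadarTrack(1, 59.6, -2.0), RadarTrack(9, 25.0, -20.0)], [60.0]),
    Frame(0.3, -72.0, [RadarTrack(1, 59.4, -2.0)], [59.9]),
    Frame(0.4, -70.0, [], [59.8]),
    Frame(0.5, -70.0, [], [59.7]),
]

if __name__ == "__main__":
    for f, v in zip(SAMPLE_FRAMES, run(SAMPLE_FRAMES)):
        print(f"t={f.t:.1f}s noise={f.noise_floor_db:6.1f} dB -> {v.value}")
```

The monitor's job is to produce a verdict that the function can degrade on, not to silently drop tracks: ignoring a real object that the camera happened to miss and braking hard for an injected ghost are both hazardous, so the SOTIF-consistent response to SPOOFED or JAMMED is a speed cap or a takeover request, with the security event logged for the ISO/SAE 21434 monitoring process in parallel. The thresholds would come from characterising the actual sensors, and the cross-check only works within the camera's own range, which is why the hardware side of the analysis cannot be skipped.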
Another significant challenge in the future of autonomous driving safety lies in the development and deployment of artificial intelligence (AI) algorithms. AI plays a crucial role in enabling autonomous vehicles to perceive their environment, make decisions, and navigate complex scenarios. However, AI systems are inherently complex and can exhibit unpredictable behaviour, posing challenges for safety assurance.
One key challenge is ensuring the transparency and interpretability of AI algorithms used in autonomous driving systems. Unlike traditional software, where the logic is explicitly programmed by humans, AI algorithms often operate based on complex mathematical models and machine learning techniques. As a result, it can be challenging to understand how AI algorithms arrive at their decisions, making it difficult to assess their safety and reliability.
Additionally, AI systems are susceptible to biases and errors, which can have significant implications for safety in autonomous driving. Biases in training data or limitations in AI algorithms can lead to erroneous decisions or unintended behaviours, potentially resulting in accidents or other safety-critical incidents.
Regulators and industry stakeholders are also collaborating to establish guidelines and standards for the safe development and deployment of AI in autonomous vehicles. By addressing the challenges of AI transparency, bias mitigation, and error detection, we can pave the way for safer and more reliable autonomous driving technology in the future.
Conclusion
In conclusion, ISO 21448 stands as a cornerstone in the quest for ensuring the safety of autonomous driving. As the automotive industry hurtles towards a future where self-driving vehicles become a commonplace reality, the principles embedded in ISO 21448 will be instrumental in navigating the complexities of this transformative journey.
The concept of Safety of the Intended Function introduced by ISO 21448 is a paradigm shift, acknowledging that safety considerations transcend the mere functionality of the vehicle. The real-world examples, key components, and insights into challenges and opportunities presented in this article underscore the importance of ISO 21448 in shaping the future landscape of autonomous driving safety.
As global collaboration and industry-wide adoption of ISO 21448 continue to gain momentum, we can anticipate a future where self-driving vehicles not only revolutionise transportation but also do so with an unwavering commitment to safety. The call to action is clear: prioritise safety, embrace innovation, and iteratively improve the product over time through field monitoring and safety updates.
Automotive IQ hosts conferences on functional safety and on implementing ISO 26262 and SOTIF in the USA and Europe.