SOTIF

from Wikipedia, the free encyclopedia

SOTIF (from English Safety Of The Intended Functionality; German roughly Sicherheit der Sollfunktion) is a sub-area of technical product safety that deals with the hazards arising from technical systems. The ISO 21448 standard - Road vehicles - Safety of the intended functionality - is currently being developed specifically for the automotive sector in order to bring the requirements for a product and for the product development process to a uniform level. SOTIF is therefore part of product safety, which is anchored in law in many countries (albeit very abstractly).

One of the focal points of SOTIF is the still open question of how an intended function is to be specified, developed, verified and validated so that it can be regarded as sufficiently safe.

Relationship with other vehicle safety standards

If systems already meet the requirements of ...

  • functional safety according to ISO 26262, this means that they offer intrinsic safety against malfunctions. The systems are thus largely protected against faults they cause themselves, for example software errors or defects due to ageing.
  • cyber security according to ISO/SAE 21434 or SAE J3061, this means that they are hardened against attacks from outside. The systems are protected against failures and harmful manoeuvres, for example provoked steering movements or blocking of the power steering.

Neither standard covers the case in which a system itself processes environmental data (e.g. camera images) and interprets them incorrectly. This can lead, for example, to an emergency stop because a person on a poster next to the road is interpreted as a pedestrian crossing, or to no braking at all because a crossing semitrailer was not detected (example: Tesla accident of May 7, 2016).

SOTIF's focus

When designing a driver assistance system, the following questions in particular must be assessed for the system with regard to SOTIF:

  • What are the limits of the system used?
For example, this concerns sufficiently fast processing and recognition capability (sufficient resolution of a camera, light sensitivity), but also the effect of dirt on sensors.
  • What is the effect if the system operates outside the specified limits of the intended function?
An example would be a lane departure warning system that is used in city traffic although it was developed for motorway traffic.
  • How can the driver use an assistance system incorrectly?
This point refers to foreseeable misuse, as anchored for example in the Product Safety Act in Germany.
  • Which verification and validation measures have to be taken to check the intended function?
This concerns the acquisition of real driving data for tests, simulations and test bench tests.
  • Is the operation of the system clear and unambiguous for the driver?
This concerns operability and usability that will not provoke malfunctions.

The term system here includes:

Signals can be exchanged with the vehicle bus, for example.

There are four fields to consider:

  1. Known safe scenarios: the number of these should be maximized through development.
  2. Known unsafe scenarios: these scenarios should be mastered.
  3. Unknown safe scenarios: these do not require any further measures.
  4. Unknown unsafe scenarios: such scenarios should be uncovered and reclassified into the other fields through assessment and measures.

The SOTIF standard understands a scenario to be a combination of various snapshots of a situation, which are then run through in different ways, for example "child at the roadside", then either "stops" or "runs across the street", with and without dynamic elements such as "with oncoming traffic", "without oncoming traffic", etc.

References

  1. ISO/PAS 21448 - Road vehicles - Safety of the intended functionality
  2. See the investigation reports NTSB ref. no. HWY16FH018 of the National Transportation Safety Board