The absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons is referred to as the Safety Of The Intended Functionality (SOTIF). This document provides guidance on the applicable design, verification and validation measures needed to achieve the SOTIF. This document does not apply to faults covered by the ISO 26262 series or to hazards directly caused by the system technology (e.g. eye damage from a laser sensor).<\/p>\n
This document is intended to be applied to intended functionality where proper situational awareness is critical to safety, and where that situational awareness is derived from complex sensors and processing algorithms; especially emergency intervention systems (e.g. emergency braking systems) and Advanced Driver Assistance Systems (ADAS) with levels 1 and 2 on the OICA\/SAE standard J3016 automation scales. This edition of the document can be considered for higher levels of automation, however additional measures might be necessary. This document is not intended for functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist at the time of publication (e.g. Dynamic Stability Control (DSC) systems, airbag, etc.). Some measures described in this document are applicable to innovative functions of such systems, if situational awareness derived from complex sensors and processing algorithms is part of the innovation.<\/p>\n
Intended use and reasonably foreseeable misuse are considered in combination with potentially hazardous system behaviour when identifying hazardous events.<\/p>\n
Reasonably foreseeable misuse, which could lead directly to potentially hazardous system behaviour, is also considered as a possible event that could directly trigger a SOTIF-related hazardous event.<\/p>\n
Intentional alteration to the system operation is considered feature abuse. Feature abuse is not in scope of this document.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 2<\/td>\n | undefined <\/td>\n<\/tr>\n | ||||||
| 7<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 8<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 11<\/td>\n | 1 Scope 2 Normative references 3 Terms and definitions <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | 4 Overview of this document\u2019s activities in the development process <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 5 Functional and system specification (intended functionality content) 5.1 Objectives 5.2 Functional description <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 5.3 Consideration on system design and architecture <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 6 Identification and Evaluation of hazards caused by the intended functionality 6.1 Objectives <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 6.2 Hazard identification <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 6.3 Hazard analysis <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 6.4 Risk evaluation of the intended function 6.5 Specification of a validation target <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | 7 Identification and Evaluation of triggering events 7.1 Objectives 7.2 Analysis of triggering events 7.2.1 Triggering events related to algorithms <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | 7.2.2 Triggering events related to sensors and actuators <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 7.3 Acceptability of the triggering events 8 Functional modifications to reduce SOTIF related risks 8.1 Objectives 8.2 General <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 8.3 Measures to improve the SOTIF <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | 8.4 Updating the system specification 9 Definition of the verification and validation strategy 9.1 Objectives <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | 9.2 Planning and specification of integration and testing 10 Verification of the SOTIF (Area 2) 10.1 Objectives <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | 10.2 Sensor verification 10.3 Decision algorithm verification <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | 10.4 Actuation verification 10.5 Integrated system verification <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | 11 Validation of the SOTIF (Area 3) 11.1 Objectives 11.2 Evaluation of residual risk 11.3 Validation test parameters <\/td>\n<\/tr>\n | ||||||
| 37<\/td>\n | 12 Methodology and criteria for SOTIF release 12.1 Objectives 12.2 Methodology for evaluating SOTIF for release <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | 12.3 Criteria for SOTIF release <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | Annex A (informative) Examples of the application of SOTIF activities <\/td>\n<\/tr>\n | ||||||
| 43<\/td>\n | Annex B (informative) Example for definition and validation of an acceptable false alarm rate in AEB systems <\/td>\n<\/tr>\n | ||||||
| 51<\/td>\n | Annex C (informative) Validation of SOTIF applicable systems <\/td>\n<\/tr>\n | ||||||
| 53<\/td>\n | Annex D (informative) Automotive perception systems verification and validation <\/td>\n<\/tr>\n | ||||||
| 56<\/td>\n | Annex E (informative) Method for deriving SOTIF misuse scenarios <\/td>\n<\/tr>\n | ||||||
| 59<\/td>\n | Annex F (informative) Example construction of scenario for SOTIF safety analysis method <\/td>\n<\/tr>\n | ||||||
| 62<\/td>\n | Annex G (informative) Implications for off-line training <\/td>\n<\/tr>\n | ||||||
| 64<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Road vehicles. Safety of the intended functionality<\/b><\/p>\n |