SOTiF ISO/PAS 21448 vs Functional Safety

SOTiF & Functional Safety : Introduction

SOTiF ISO 21448 scenarios
SOTIF scenarios illustration

ISO 21448 defines SOTIF as “the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality (insufficiencies of specification of the intended functionality at the vehicle level or insufficiencies of specification or performance insufficiencies in the implementation of electric and/or electronic (E/E) elements in the system) or by reasonably foreseeable misuse.”

The standard also accounts for the operation or assistance of a vehicle that relies on remote drivers/users or communication schemes. These schemes may affect vehicle decision-making and lead to safety hazards. SOTIF only addresses unintended system behavior in the absence of faults. It addresses hazards that can arise from driving conditions that exceed the technology’s limitations or from human factors.

These hazards can be triggered by specific conditions of a scenario, defined as triggering conditions. These conditions can include reasonably foreseeable misuse of the intended functionality. Additionally, the interaction with other functions at the vehicle level can lead to hazards. For example, activating the parking brake while the automated driving function is active within highway driving conditions.

SOTIF vs ISO 26262 Functional Safety

SOTIF does not address faults and failures (covered by the ISO 26262 series), cybersecurity threats (covered under ISO 21434), hazards directly caused by the system technology (such as health damage due to the nature of the technology; laser light emitted from Lidar and possible damage to the human eye, which can be addressed through IEC 60825), or hazards related to electrical shock, fire, smoke, etc., unless these are caused by the intended functionality. It also does not cover deliberate actions that violate the system’s intended use (feature abuse).

Requirement-based approaches to ISO 26262 functional safety (FuSa) have long been approved and accepted. One of their main benefits is that they enable analysis of test coverage of the verification and validation (V&V) activities as planned in the validation strategy. In evaluating coverage of SOTIF-related performance requirements (concerned with perception and decisions), which is the case for ADAS and AD systems, the full control loop, including feedback from the environment of the item under test, is relevant. In other words, the test methodology needs to include input information from the environment state to produce a valid pass/fail result.

SOTiF process and clauses

SOTIF ISO 21448 process
SOTIF ISO 21448 process

The SOTIF process starts with the definition of the functional and system specification (Clause 5). The possible hazardous behaviors of the intended function are subjected to a Hazard Identification and Risk Evaluation (addressed in Clause 6) that identifies potential hazardous events.

  • If it is shown that these potentially hazardous events do not lead to harm, then no improvement is necessary. The intended functionality can be considered free from unreasonable risk (the unreasonable risk classification needs to be supported by argumentation). 
  • If it is shown that harm is possible, then an analysis of the possible hazardous triggering events (e.g., misdetection of certain objects under certain environmental conditions or driver misuse) is conducted. This analysis is tackled by Clause 7. 

Clause 6 focuses only on the evaluation of hazardous events that could result from hazardous intended behavior, and on defining the verification and validation targets to be met.

Clause 7 addresses the analysis of the causes of potentially hazardous behavior and evaluates if the risk resulting from the identified potential functional insufficiencies and triggering conditions is reasonable.

The identified functional insufficiencies are mitigated in Clause 8 through functional improvements, which may include restrictions to the use cases to avoid or reduce the risk. These are then verified and validated in Clauses 9, 10, and 11.

The residual risk is evaluated (Clause 12) considering the results from verification and validation.

Finally, the process to evaluate and resolve possible emerging field operation SOTIF issues is defined in the operation phase (Clause 13).

The three pillars of SOTIF:

SOTIF is based on three main principles.

  • SOTIF related hazardous event modelling,
  • The four scenarios’ areas categories, and
  • The sense – plan – act model.
The hazardous event modelling starts by the understanding and the definition of the different function, system specification and design. These include relevant use cases comprised of several scenarios which may contain triggering conditions that may lead to harm. Those triggering conditions include reasonably foreseeable direct misuse (such as the activation of a system outside of the ODD) and reasonably foreseeable indirect misuse (such as the lack of supervision of the automated vehicle driving task by the safety driver).

SOTIF defines 4 areas based on two metrics; safety and knowledge of the scenarios leading to harm as illustrated in the figure hereafter.

  • Area 1 (known-safe),
  • Area 2 (known-unsafe)
  • Area 3 (unknown-unsafe) are the most relevant since these can be considered as the trigger for SOTIF enhancement either system based, or human based.
  • Area 4 (unknown-safe) is referenced only for completeness.

When considering those areas in the model, it can be useful to imagine their size as representing the proportion of each type of scenario that falls within each respective area. A given use case can include known as well as unknown scenarios.

The goal of the SOTIF activities is to evaluate the SOTIF in these scenarios and to provide a proof that the risk is acceptable by increasing the size of known-safe scenarios proportion while reducing the proportion of unsafe scenarios whether these are known or unknown.

The possible causes of hazard that are considered within the scope of ISO 21448 are those related to.
  • The sensing capabilities that depict a sufficiently accurate image of the environment in which the automated system is evolving (sensing, perception, ego vehicle localization).
  • The reasoning and processing leveraged to take the appropriate decisions (objects recognition, planning safe paths, etc.).
  • The ability to derive accurate actions and execute them in a timely manner on the actuation side while ensuring stability.
This is defined in the sense-plan-act model, and it is essential to design the system in a way that all these three steps can be executed with sufficient computing power, accuracy, and timeliness to ensure that there are no functional insufficiencies.

Share this news


Automotive Brochure

AURIX Brochure

Aerospace Brochure


Subscribe to our Newsletter