ISO 21434 Standard Interpretation

1. Introduction

To address SOTIF, the related activities take place in the following phases:

  • the specification and design phase
  • the verification and validation phase
  • the operation phase

ISO 26262 starts from the premise that the intended functionality is safe; it is the standard that addresses function-related failures.

2. Terms and definitions

safety of the intended functionality (SOTIF): absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or its implementation.

acceptance criterion: criterion representing the absence of an unreasonable level of risk.

  • The acceptance criterion can be of qualitative as well as quantitative nature

dynamic driving task (DDT): real-time operational and tactical functions required to operate a vehicle in traffic.

DDT fallback: response by the driver or automation system to either perform the dynamic driving task (DDT) (3.4) or transition to a minimal risk condition (MRC) (3.16) after the occurrence of a failure(s) or detection of a functional insufficiency (3.8) or upon detection of a potentially hazardous behaviour.

functional insufficiency: insufficiency of specification or performance insufficiency.

  • Functional insufficiencies lead to hazardous behaviour or inability to prevent or detect and mitigate a reasonably foreseeable misuse by definition.

insufficiency of specification: specification, possibly incomplete, contributing to either a hazardous behaviour or an inability to prevent or detect and mitigate a reasonably foreseeable indirect misuse when activated by one or more triggering conditions.

minimal risk condition (MRC): vehicle state in order to reduce the risk, when a given trip cannot be completed.

misuse: usage in a way not intended by the manufacturer or the service provider

  • Direct misuse: could be a cause for the occurrence of a hazardous behaviour of the system; it is considered to be a potential triggering condition
    • It can directly lead to the occurrence of hazardous behaviour, so it can be regarded as a triggering condition.
    • Or it is part of a triggering condition and only leads to hazardous behaviour when combined with additional conditions such as the scenario.
    • Reasonably foreseeable direct misuse is considered as a potential triggering condition
  • Indirect misuse: indirect misuse leads to a reduced controllability of the hazardous behaviour, to a potentially increased severity of an occurring accident, or a combination of both
    • Indirect misuse affects controllability and severity.
    • Indirect misuse does not directly lead to the occurrence of hazardous behaviour and cannot be regarded as a triggering condition.
    • When identifying the hazardous events, intended use and reasonably foreseeable indirect misuse are also considered in combination with hazardous behaviour resulting from insufficiencies of specification or performance insufficiencies.

object and event detection and response (OEDR): tasks of the dynamic driving task (DDT) that include monitoring the driving environment and executing an appropriate response to objects and events to complete the DDT and/or the DDT fallback.

performance insufficiency: limitation of the technical capability contributing to a hazardous behaviour or inability to prevent or detect and mitigate reasonably foreseeable indirect misuse when activated by one or more triggering conditions.

triggering condition: specific condition of a scenario that serves as an initiator for a subsequent system reaction contributing to either a hazardous behaviour or an inability to prevent or detect and mitigate a reasonably foreseeable indirect misuse.

3. Overview and organization of SOTIF activities

3.1 SOTIF-related hazardous event model


3.2 The four scenario areas


3.3 The ultimate goal of SOTIF

  • Evaluate the risk of Area 2 and reduce the Area 2 risk to an acceptable level
  • Reduce the Area 3 risk to an acceptable level through appropriate V&V

3.4 Flow chart of ISO21448 activities


4. Specification and design

Aspects for consideration include:

  • the description of the intended functionality and the functionalities of the supporting subsystems and components
  • the design of the relevant system and its elements implementing the intended functionality
  • the performance targets of the installed sensors, controllers, actuators or other inputs and components enabling the intended functionality
  • the dependencies of the intended functionality on, and interactions or interfaces with …
  • the reasonably foreseeable misuse (direct and indirect)
  • the potential performance insufficiencies, identified triggering conditions and countermeasures of the system and its elements
  • the system and vehicle architectures implementing the intended functionality
  • the warning and degradation concept
  • the procedures supporting data collection and monitoring during and after development of the intended functionality
  • the mechanism, design and requirements that support risk mitigation abilities during operation

The specification and design can be split into or linked to several documents such as: requirement specifications, functional specifications and design specifications of the SOTIF-related systems.

5. Identification and evaluation of hazards

5.1 Objective

To define:

  • The hazards arising from the intended functionality.
  • The risk that arises from the hazardous behaviour of the intended functionality, and the corresponding scenarios in which the hazardous behaviour can lead to harm.
  • The acceptance criteria for the residual risk shall be specified.

5.2 Hazard identification


5.3 Risk evaluation

The risk evaluation aims to evaluate the risk due to hazardous behaviour in given scenarios; this helps to specify the acceptance criteria of a SOTIF-related risk.

Only when controllability C=0 or severity S=0 can the risk be regarded as an absence of unreasonable risk; every other case is SOTIF-related.

5.4 Specification of acceptance criteria for the residual risk

If the risk parameters are not evaluated as S=0 or C=0, then acceptance criteria are specified for the risks associated with the hazardous behaviour.

Approaches that can be considered when specifying acceptance criteria include:

  • the available traffic data for the target market (e.g. accident statistics, traffic analyses)
  • pre-existing criteria from similar functions operating in the field

Appropriate quantitative acceptance criteria can be chosen provided that a valid rationale is given.

  • GAMAB – Globally at least as good: the risk is no higher than that of existing comparable functions
  • A positive risk balance – different risks are balanced against each other; one part of the risk may increase as long as other risks decrease, so that the overall balance is positive
  • ALARP – As low as reasonably practicable: since zero risk cannot be achieved, the effort spent on risk reduction is weighed against the remaining risk
  • MEM – Minimal endogenous mortality: a new technology should not significantly increase the mortality rate in society

6. Identification and evaluation of potential functional insufficiencies and potential triggering conditions

Objective:

  • Potential insufficiencies of specification, potential performance insufficiencies and potential triggering conditions including reasonably foreseeable direct misuse shall be identified and those leading to a hazardous behaviour shall be determined. (Determine the insufficiencies of specification, the performance insufficiencies, the triggering conditions, etc.)
  • The response of the system shall be evaluated for SOTIF acceptability. (Evaluate whether the system response is acceptable, i.e. whether it meets the acceptance criteria.)

6.1 Analysis of potential functional insufficiencies and triggering conditions

Analysis can start from either direction:

  • the known potential insufficiencies of specification and performance insufficiencies to determine scenarios (containing triggering conditions) leading to identified hazardous behaviour
  • the identified environmental conditions and reasonably foreseeable misuse to determine potential insufficiencies of the specification and performance insufficiencies.

Analysis methods:

6.2 Estimation of the acceptability of the system’s response to the triggering conditions

The scenarios containing the identified triggering conditions are evaluated to determine whether the SOTIF is deemed to be achievable.

The SOTIF is deemed as achievable without need of further functional modification if:

  • the residual risk of the system causing a hazardous event is shown as being lower than the acceptance criteria
  • there is no known scenario that could lead to an unreasonable risk for specific road users
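The decision rules of 5.3, 5.4 and 6.2 applied to a small hazard register, as an added example that is not part of the original post or of the standard. The 0..3 scale for S and C, the event rates, the scenario ids and the way "unreasonable risk for specific road users" is modelled (a known, unmitigated S=3/C=3 scenario that names a road-user group) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    sid: str
    behaviour: str           # hazardous behaviour of the intended functionality
    known: bool              # known scenario (Areas 1/2) or unknown (Areas 3/4)
    severity: int            # S, 0..3 (assumed ordinal scale; 0 = no harm)
    controllability: int     # C, 0..3 (assumed ordinal scale; 0 = controllable in general)
    rate_per_hour: float     # estimated hazardous-event rate (constructed values)
    road_users: tuple = ()   # specific road users affected, if any
    mitigated: bool = False  # a SOTIF measure (Clause 7) is already in place

def sotif_related(s: Scenario) -> bool:
    """5.3/5.4: S=0 or C=0 means absence of unreasonable risk; anything else is SOTIF-related."""
    return s.severity > 0 and s.controllability > 0

def area(s: Scenario) -> int:
    """3.2 four-area model: 1 known/not hazardous, 2 known/hazardous,
    3 unknown/hazardous, 4 unknown/not hazardous."""
    if s.known:
        return 2 if sotif_related(s) else 1
    return 3 if sotif_related(s) else 4

def sotif_achievable(register, acceptance_rate_per_hour):
    """6.2: achievable without further functional modification only if (a) the residual
    risk is below the acceptance criterion and (b) no known scenario leaves an
    unreasonable risk for specific road users (rule (b) modelled as an assumption:
    a known, unmitigated S=3/C=3 scenario that names specific road users)."""
    related = [s for s in register if sotif_related(s)]
    residual = sum(s.rate_per_hour for s in related)
    findings = []
    if residual >= acceptance_rate_per_hour:
        findings.append(f"residual risk {residual:.1e}/h is not below {acceptance_rate_per_hour:.1e}/h")
    for s in related:
        if s.known and s.road_users and s.severity == 3 and s.controllability == 3 and not s.mitigated:
            findings.append(f"{s.sid}: unreasonable risk for {', '.join(s.road_users)}")
    return not findings, findings

# Constructed register: ids, behaviours and rates are illustrative, not taken from the standard.
REGISTER = [
    Scenario("S01", "lane keeping drifts: sun glare hides lane markings", True, 2, 2, 2e-9),
    Scenario("S02", "AEB brakes briefly at tunnel entrance (driver can override)", True, 1, 0, 5e-7),
    Scenario("S03", "pedestrian missed at night in heavy rain", True, 3, 3, 1e-9, ("pedestrians",)),
    Scenario("S04", "unknown trigger: unexpected road geometry", False, 2, 1, 1e-9),
]
ACCEPTANCE_RATE = 1e-8  # constructed quantitative acceptance criterion (events per hour)

if __name__ == "__main__":
    for s in REGISTER:
        print(s.sid, "area", area(s), "SOTIF-related" if sotif_related(s) else "no unreasonable risk")
    print("SOTIF achievable:", *sotif_achievable(REGISTER, ACCEPTANCE_RATE))
```

S02 drops out of the residual-risk sum because C=0, while S03 blocks the "achievable" verdict until a Clause 7 measure is recorded for it.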

7. Functional modifications addressing SOTIF-related risks

An appropriate combination of “avoidance” or “mitigation” SOTIF measures is selected to achieve the SOTIF-related risk reduction.

  • “Avoidance measures” represent inherently safe design measures where the first priority is eliminating the risks.

  • “Mitigation measures” are considered to reduce the risk as much as possible when there is known difficulty in avoiding the risk or when it can be judged acceptable.

7.1 System modification

Measures for system modification are aimed at maintaining the intended functionality as much as possible. (The intended functionality is preserved as far as possible by changing the system.)

  • increased sensor performance and/or accuracy
  • improved sensor technology;
  • improved sensor disturbance detection that triggers an appropriate warning and degradation strategy;
  • diverse sensor types;
  • improved sensor calibration and installation;
  • sensor blockage detection and cleaning methods;
  • increased actuator performance and/or accuracy by improving the actuator technology
  • increased performance and/or accuracy of the recognition and decision algorithms by algorithmic modifications;
  • increasing conspicuousness of the ego vehicle to enhance the controllability of other traffic participants in case of hazardous behaviour of the ego vehicle. (Make the ego vehicle easier for other vehicles to notice.)

7.2 Functional restrictions

Measures for functional restriction are aimed at maintaining a partial functionality by degrading (or limiting) the intended functionality. (Part of the functionality is preserved by imposing restrictions.)

  • restriction of the intended functionality for specific use cases;
  • removal of authority for the intended functionality for specific use cases.

7.3 Handing over authority

Measures for handing over authority from a system to the driver are aimed at increasing controllability at lower levels of driving automation. (Controllability is increased by handing over control.)

  • modifying the Human-Machine Interface (HMI)
  • modifying the user notification and DDT fallback strategy

7.4 Addressing reasonably foreseeable misuse

  • customer education (information and training)
  • improving the HMI
  • implementation of a driver monitoring and warning system
  • implementation of measures to prevent misuse

8. Definition of the verification and validation strategy

Objective

  • the verification and validation strategy for SOTIF, including validation targets, shall be defined. (Define the test strategy.)
  • the rationale for suitability of the selected verification and validation methods and validation targets shall be provided. (Define the test methods and justify them.)

A verification and validation strategy is defined to provide an argument that the objectives are achieved and how the validation targets are met.

The validation targets are defined to provide evidence that the acceptance criteria are met.

Methods for deriving verification and validation activities

9. Evaluation of known scenarios

Objective:

  • identified potentially hazardous scenarios shall be evaluated as to whether they are hazardous or not. (Identify the hazardous scenarios.)
  • the functionality of the system and its elements shall behave as specified for known hazardous scenarios and reasonably foreseeable misuse; (confirm the function and role of each element)
  • the potentially hazardous behaviour due to the specified behaviour at the vehicle level shall be evaluated concerning its acceptability; (acceptability of potentially hazardous behaviour at the vehicle level)
  • known scenarios shall be sufficiently covered according to the verification and validation strategy; (cover enough scenarios according to the V&V strategy)
  • the verification results shall demonstrate that the validation targets are met. (Show that the validation targets are met.)

9.1 Sensing verification

Methods to demonstrate the correct functional performance, timing, accuracy and robustness of the sensing part for their intended use and reasonably foreseeable misuse can be applied as illustrated.

9.2 Planning algorithm verification

Methods to verify the ability of the planning algorithm to react as required and its ability to avoid unwanted action can be applied as illustrated.

9.3 Actuation verification

Methods to verify the actuators for their intended use and reasonably foreseeable misuse can be applied as illustrated.

9.4 Integrated system verification

Methods to verify the robustness and the controllability of the system integrated into the vehicle and the correct interaction of the system components within the vehicle can be applied as illustrated.

9.5 Evaluation of the residual risk due to known hazardous scenarios

The verification results demonstrate that the validation targets for known hazardous scenarios are achieved and the residual risk from known hazardous scenarios is not unreasonable.

The residual risk from known hazardous scenarios is not unreasonable if:

  • the probability of known scenarios causing hazardous behaviour complies with the validation targets;
  • there is no known scenario that could lead to an unreasonable risk for specific road users.

10. Evaluation of unknown scenarios

Objectives

The purpose of this clause is that the validation results shall demonstrate that the residual risk from unknown hazardous scenarios meets the acceptance criteria with sufficient confidence.

10.1 Evaluation of residual risk due to unknown hazardous scenarios

Methods to evaluate the residual risk arising from real-life situations that could trigger a hazardous behaviour of the system when integrated in the vehicle can be applied as illustrated.

11. Evaluation of the achievement of the SOTIF

Objective

11.1 Methods and criteria for evaluating the SOTIF

Each work product is examined for completeness, correctness and consistency.

12. Operation phase activities

Objective
