DANSK DSF/ISO/FDIS 21448 PDF

This document provides a general argumentation framework and guidance on measures to ensure the safety of the intended functionality (SOTIF), i.e. the absence of unreasonable risk due to a hazard caused by: a. the insufficiencies of specification of the intended functionality at the vehicle level, or b. the insufficiencies of specification or performance limitations in the implementation of E/E elements in the system NOTE – Depending on the application, elements of other technologies can be relevant when evaluating the SOTIF. These hazards can be triggered by specific conditions of a scenario, including reasonably foreseeable misuse of the intended functionality or in combination with other functions at the vehicle level (e.g. activation of the parking brake while the automated driving function is active). NOTE – Information provided by the infrastructure (e.g. Car2x communication, maps) is also part of the evaluation of functional insufficiencies if it can have an impact on the SOTIF. This document provides guidance on the applicable design, verification and validation measures, as well as activities during the operation phase, needed to achieve the SOTIF. This document is applicable to an intended functionality where proper situational awareness is essential to safety and where such situational awareness is derived from complex sensors and processing algorithms, especially emergency intervention systems and systems having automation levels from 1 to 5. This document is applicable to intended functionalities that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not apply to faults covered by the ISO 26262 series. This document does not apply to hazards directly caused by the system technology (e.g. eye damage from a laser sensor). This document does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by the intended functionality of safety-related E/E systems. This document does not apply to attacks exploiting vehicle security vulnerabilities. This document considers local driving laws, policies, or road norms only as far as they can impact the SOTIF, specifically where not following laws and rules of the road could lead to safety hazards. However, this document does not address legal compliance to driving laws and/or policies. Furthermore, functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist (e.g. Dynamic Stability Control (DSC) systems, airbag) are exempt from the scope of this document. EXAMPLE a system for which there is an existing standard 133 sufficient to ensure safety Some measures described in this document are applicable to newly designed functions or elements of existing systems, if situational awareness derived from complex sensors and processing algorithms is part of the design. EXAMPLE Complex sensing and fusion of the road and cabin environment might replace current accelerometer (or similar) based triggering mechanisms for airbags. SOTIF activities can be relevant, due to that change requiring situational awareness. Reasonably foreseeable misuse, which could lead directly to potentially hazardous behaviour, is in the scope of this document as a possible triggering condition. This is defined as “reasonably foreseeable direct misuse”. Reasonably foreseeable misuse that prevents controllability by the driver of the system’s hazardous behaviour, representing an unreasonable level of risk, is in scope of this document. This is defined as “reasonably foreseeable indirect misuse”. An intentional action that clearly violates the system’s intended use is considered feature abuse. This is out of scope of this document. EXAMPLE: Applying a substitute hand to fool a “hands on wheel” detection safety measure.