This document provides a general argument framework and guidance on measures to ensure the safety of the intended functionality (SOTIF), which is the absence of unreasonable risk due to a hazard caused by functional insufficiencies, i.e.: This document provides guidance on the applicable design, verification and validation measures, as well as activities during the operation phase, that are needed to achieve and maintain the SOTIF. This document is applicable to intended functionalities where proper situational awareness is essential to safety and where such situational awareness is derived from complex sensors and processing algorithms, especially functionalities of emergency intervention systems and systems having levels of driving automation from 1 to 5[2]. This document is applicable to intended functionalities that include one or more E/E systems installed in series production road vehicles, excluding mopeds. Reasonably foreseeable misuse is in the scope of this document. In addition, operation or assistance of a vehicle by a remote user or communication with a back office that can affect vehicle decision making is in scope of this document when it can lead to safety hazards. This document does not apply to: This document is not intended for functions of existing systems for which well-established and well-trusted design, verification and validation (V&V) measures exist (e.g. dynamic stability control systems, airbags).
Sisällysluettelo
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview and organization of SOTIF activities
4.1 General
4.2 SOTIF principles
4.3 Use of this document
4.4 Management of SOTIF activities and supporting processes
5 Specification and design
5.1 Objectives
5.2 Specification of the functionality and considerations for the design
5.3 System design and architecture considerations
5.4 Performance insufficiencies and countermeasures considerations
5.5 Work products
6 Identification and evaluation of hazards
6.1 Objectives
6.2 General
6.3 Hazard identification
6.4 Risk evaluation
6.5 Specification of acceptance criteria for the residual risk
6.6 Work products
7 Identification and evaluation of potential functional insufficiencies and potential triggering conditions
7.1 Objectives
7.2 General
7.3 Analysis of potential functional insufficiencies and triggering conditions
7.4 Estimation of the acceptability of the system's response to the triggering conditions