BY
SUBMITTED TO
COURSE
ARTIFICIAL INTELLIGENCE
Keywords
ISO 21448 (SOTIF), ISO 26262, ADAS, Automated driving, Functional Safety, Fail-safe, Fail-operational.
Introduction
Today, artificial intelligence (AI) and machine learning play a major role in the development of
automated driving. However, developers of automated and semi-automated vehicle software are
facing new safety challenges. “Think about the modern car. It’s more complex than ever, with
increasing electronics and millions of lines of code running it. As our car becomes more
automated, the complexity will continue to rise.” [1]. As such, SOTIF (ISO/PAS 21448)
SOTIF stands for Safety Of The Intended Functionality and is shorthand for ISO/PAS 21448.
ISO 21448 applies to functionality that requires appropriate situational awareness in order to
ensure safety. The standard focuses on assuring the safety of the intended functionality. SOTIF
is concerned with safety in the absence of a fault, and so does not fully correspond to
traditional functional safety, which is mainly concerned with
SOTIF provides guidance on design, verification, and validation techniques. Through the
application of these techniques, safety in various situations can be achieved without a failure.
Some practical examples that ISO 21448 provides: design techniques, such as requirements for
sensor performance; verification techniques, such as test cases with high coverage of scenarios;
and validation techniques, such as simulations.
Relation between ISO 21448 and ISO 26262
ISO 26262 applies only to functional safety in cases where there are system failures, and does
not cover safety hazards that arise without a system failure. This explains the
In fact, ISO 21448 was initially intended to be ISO 26262 Part 14, but because of the
complications of ensuring safety in situations without a system failure, SOTIF is now a standard
on its own.
ISO 26262 is now commonly applied to established systems, such as dynamic stability control
(DSC) systems or airbags. For these systems, safety is ensured by minimizing the risk level of
system failure.
ISO 21448 is mostly used for systems such as emergency intervention systems and advanced
driver assistance systems (ADAS). Such systems can present safety hazards even without a
system failure. Hence, we can say that ISO 21448 complements ISO 26262.
The Importance of SOTIF
The validation and verification of automated systems is a complicated task: automated systems
handle large volumes of data, and that data is forwarded to complex algorithms. AI and
In order to prevent potential safety hazards, AI will need to make decisions, including in cases
that require situational awareness. The use of ISO 21448 will be the solution to ensure that AI is
SOTIF applies broadly to safety hazards that occur without the failure of a system.
Suppose the road is icy. An AI-based system might be unable to detect the situation and respond
properly, which impedes the vehicle’s ability to operate safely. Without sensing the icy road
condition, an automated driving vehicle might drive faster than is safe for the condition.
Applying ISO 21448 means taking that situation into consideration and making
Furthermore, the goal of SOTIF is to minimize potentially unknown and unsafe conditions.
Advanced Driver Assistance System (ADAS)
Advanced Driver Assistance Systems are a wide spectrum of technologies that enhance the
safety of vehicles by helping drivers prevent accidents. ADAS systems fall into a few classes:
some monitor the situation and inform drivers of potential safety risks, whereas others actively
prevent impending accidents. Some common ADAS technologies include adaptive cruise
control (ACC), traffic sign recognition (TSR), and forward
These technologies are driven by advanced computing, including artificial intelligence (AI),
computer vision, and edge computing. These computing components are the reason why ADAS
technologies have an advantage over other safety systems: they can detect, monitor, inform,
Currently, we have numerous varieties of ADAS technologies, making it difficult to classify all
of them under “ADAS.” However, we can generally categorize ADAS technologies into four
TECHNOLOGY | WHAT IT DOES | EXAMPLE
Adaptive | Adaptive systems help vehicles [...] optimal distance. | Adaptive cruise control (ACC)
Automated | Automated systems can take over [...] | Automatic emergency braking
advances. Although OEMs and other participants have made relevant enhancements in the past
few years, there is much room for further improvement. For instance, forward-collision warning
systems have difficulty identifying objects when a vehicle is travelling at high speed.
Functional Safety
The idea of functional safety is not new in today’s automotive world, but it is taking on a larger
role in the automotive environment because of Advanced Driver Assistance Systems (ADAS),
propelled by the need to be absolutely certain that electronic systems function as desired,
without malfunctioning. Functional safety implies that potentially hazardous conditions are
detected, which then activates preventive or corrective mechanisms to stop or reduce
The need for safety in automotive software development has always been critical. “Functional
Safety is key to ensure that products operate safely — and even if they fail, they are still capable
of entering in a controlled safe operation mode.” [1]. Ensuring functional safety remains critical
for automated driving. Currently, vehicles operate with a traditional fail-safe control unit
architecture. It assists in detecting faults and bringing the system to a safe state, but ultimately
leaves the driver to take control of the vehicle. According to a report in the 2018 survey
Nearly 85 percent of respondents think people should always have the option to drive themselves
even in a self-driving vehicle, compared with 16 percent who would feel comfortable letting an
autonomous vehicle drive them without the ability to take control [2].
With the gradual change of electronic systems to the 4th and 5th Levels, there is little or no
dependence on the driver, as the vehicle has adequate redundancy and diversity to keep operating
normally despite the detection of a fault. A recent report by the Rand Corporation
saved with the widespread adoption of autonomous vehicles, even though they may not yet be
accident-proof [3]. Below are some key procedures to ensure functional safety in automated
driving systems.
Notwithstanding, ISO 21448 will also be important for functional safety in automated driving,
but compliance with established functional safety standards, especially ISO 26262, will be
necessary too.
Optimal practices and approval based on the Automotive Safety Integrity Level (ASIL) under
ISO 26262 will still need to be properly followed to ensure safe software for automated vehicles,
and automotive functional safety requirements such as ISO 26262 will also need to be enhanced.
The application of ISO 26262 is specific to its fields of application, namely passenger vehicles,
motorcycles and commercial motor vehicles, and more specifically to the practice and
enhancement of functional safety. “Car manufacturers use compliance to ISO 26262 as a means
to qualify components and potential suppliers of E/E components.” [1]. In this standard, risk is
determined and interpreted using Automotive Safety Integrity Levels (ASIL), a risk
classification system for the functional safety of road vehicles. The standard classifies four
ASILs, A, B, C and D; ASIL A denotes the lowest and ASIL D the highest level of automotive
hazard. A real-life example of functional safety: an E/E fault leading to a failure of system-level
modes and functions that contributes to incorrect steering or braking is considered the highest
safety-related risk, ASIL D. Errors are also likely to be introduced by the development tools
used for system chip design and verification. ISO 26262 therefore requires the assessment of a
tool confidence level (TCL), based on whether a tool malfunction can introduce an error and on
the confidence that such a malfunction would be detected by the development process. The
classification may result in two main outcomes: TCL1, for which no tool classification is
needed, and TCL2/3, for which
In order to ensure safety, an automated driving system has to have a fundamental set of system
properties that are specified as its functional modes. Currently, SAE International acknowledges
five levels of vehicle automation, ranging from Level 0 (human-only control) to Level 5 (no
steering wheel, pedals or human control), encompassing the three modes. The following
modes should be considered and ensured in order to confirm that the overall system is safe.
These modes are fail-safe (FS) mode, fail-silent mode, and fail-operational mode.
Fail-safe mode
This builds customer confidence and promotes vehicle integrity. A fail-safe mode can be omitted
for functions whose unavailability has a low enough safety relevance, or whose safety needs are
met by a fail-degraded mode.
The architectural design of a fail-safe mode enables the power supply to deliver power to, and
monitor over- and under-voltage at, the microcontroller and the other hardware devices. It also
controls the detection and evaluation of safe MCU operation through the watchdog and hardware
fault monitoring functions. If a fault is detected, the system transitions to a safe state (powered
by the safety power supply), which confirms that the function is being operated in a known and
defined
This type of system is able to detect that it is receiving the wrong signal due to a fault, so the
With the development of vehicles beyond the fundamental levels of automation, advanced fail-
operational system designs are expected to add more functionality to the vehicle. Fail-
operational systems allow the full or degraded operation of a function even if there is a failure.
In this respect, the main applications are considered as needing high performance, a high level
of safety integrity and a high level of availability. Fault detection and system reconfiguration (to
compensate for the fault) is controlled by independent hardware, since a fail-operational system
requires at least two fail-silent units. In order to realize fully automated driving on the path to
the accident-free future, redundancy in safety-critical systems such as braking and steering is an
absolute [5]. To eliminate common-cause failures, even the supply is ensured by redundant and
applied for a considerable timeframe until a final Minimal Risk Condition (MRC), allowing
deactivation, is attained. The 3rd Level of automation enables the system to inform the driver if
there is a failure and to hand back control of the vehicle. Beginning from the 4th Level, the
system no longer informs the driver but enables the vehicle to park in an area that is safe for the
occupants of the vehicle and other road users. Hence safety architectures and system design aim
to achieve full redundancy in order to facilitate higher levels of driving automation and fault
tolerance when there is a failure.
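As an added illustration of the three modes described above, the following Python simulation (written for this page, not taken from the essay or any of its cited sources) models a single fail-safe channel with supply-voltage and watchdog monitoring, and a fail-operational arrangement of two fail-silent channels on separate supplies that continues in degraded mode until a Minimal Risk Condition is reached. The voltage window, watchdog budget, cycle counts and all class and function names are constructed assumptions.

```python
"""Constructed simulation of fail-safe, fail-silent and fail-operational
behaviour. All thresholds, cycle counts and names are assumptions made for
this example; they are not taken from any standard or vehicle design."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NORMAL = "normal"
    SAFE_STATE = "safe_state"       # fail-safe: function off, driver takes over
    DEGRADED = "degraded"           # fail-operational: reduced function continues
    MRC = "minimal_risk_condition"  # fail-operational: safe stop reached


V_MIN, V_MAX = 4.5, 5.5   # assumed acceptable MCU supply window in volts
WATCHDOG_BUDGET = 3       # assumed number of missed heartbeats before a fault


@dataclass
class Channel:
    """One control unit with its own supply monitor and watchdog. Once a fault
    is detected the unit goes silent, i.e. it stops driving any output."""
    name: str
    missed_heartbeats: int = 0
    silent: bool = False

    def monitor(self, supply_v: float, heartbeat: bool) -> bool:
        """Run one monitoring cycle; return True while the unit is healthy."""
        if self.silent:
            return False
        if not V_MIN <= supply_v <= V_MAX:             # over- or under-voltage
            self.silent = True
        self.missed_heartbeats = 0 if heartbeat else self.missed_heartbeats + 1
        if self.missed_heartbeats >= WATCHDOG_BUDGET:  # watchdog expired
            self.silent = True
        return not self.silent


@dataclass
class FailSafeSystem:
    """Single channel: any detected fault latches the safe state."""
    unit: Channel = field(default_factory=lambda: Channel("A"))
    state: State = State.NORMAL

    def cycle(self, supply_v: float, heartbeat: bool) -> State:
        if not self.unit.monitor(supply_v, heartbeat):
            self.state = State.SAFE_STATE
        return self.state


@dataclass
class FailOperationalSystem:
    """Two fail-silent units on separate supplies: losing one keeps the
    function running in degraded mode until a Minimal Risk Condition."""
    primary: Channel = field(default_factory=lambda: Channel("A"))
    secondary: Channel = field(default_factory=lambda: Channel("B"))
    state: State = State.NORMAL
    degraded_cycles: int = 0
    cycles_to_mrc: int = 5  # assumed cycles needed to complete a safe stop

    def active_units(self):
        return [u.name for u in (self.primary, self.secondary) if not u.silent]

    def cycle(self, v_a: float, hb_a: bool, v_b: float, hb_b: bool) -> State:
        ok_a = self.primary.monitor(v_a, hb_a)
        ok_b = self.secondary.monitor(v_b, hb_b)
        if self.state is State.MRC:
            return self.state                 # already stopped and deactivated
        if ok_a and ok_b:
            return self.state                 # both alive: normal operation
        if not ok_a and not ok_b:
            self.state = State.SAFE_STATE     # redundancy exhausted
            return self.state
        self.state = State.DEGRADED           # one unit silent, the other carries on
        self.degraded_cycles += 1
        if self.degraded_cycles >= self.cycles_to_mrc:
            self.state = State.MRC
        return self.state


def run_fail_safe():
    """Constructed scenario: an over-voltage event on the third cycle."""
    system = FailSafeSystem()
    inputs = [(5.0, True), (5.0, True), (6.2, True), (5.0, True)]
    return [system.cycle(v, hb) for v, hb in inputs]


def run_fail_operational():
    """Constructed scenario: unit A stops sending heartbeats after two cycles."""
    system = FailOperationalSystem()
    return [system.cycle(5.0, i < 2, 5.0, True) for i in range(10)]


if __name__ == "__main__":
    print("fail-safe       :", [s.value for s in run_fail_safe()])
    print("fail-operational:", [s.value for s in run_fail_operational()])
```

The fail-safe run latches the safe state on the over-voltage cycle and never leaves it; the fail-operational run stays normal until unit A's watchdog budget is exhausted, then continues in degraded mode on unit B alone for the assumed number of cycles before reporting the Minimal Risk Condition. Giving each channel its own supply reading is what keeps a single supply fault from silencing both units, which is the common-cause point made in the paragraph above.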
much to consider with cybersecurity and AI. However, we are considering the basics of getting
Automotive Cybersecurity
People often classify safety and security together, though they cannot clearly explain why or
how these fields relate to each other. This classification is natural due to the overlapping
properties that these fields are built upon. However, their areas of focus are subtly different:
safety focuses on the appropriate functioning of a system, and security focuses on the system’s
ability to resist some form of intentionally malicious action. This leads security to utilize
additional analysis tools and technical mechanisms that nevertheless also include safety. For
example, safety and security both focus strictly on data integrity. Safety often relies on CRCs to
detect damage, but CRCs are not robust against malicious actors. Thus, security instead relies
on secure hashing algorithms and secrets to detect damage and intentional theft attempts while
resisting attack. Furthermore, security should allow for the possibility that the data may be
entirely forged by an unexpected source and should therefore confirm the data source and
integrity to attain an acceptable risk level. Availability is similar: while safety emphasizes
fail-safes and degraded modes, security considers prevention of unavailability where possible,
because a fail-safe or degraded mode is likely to give attackers an advantage. Security presently
makes strict use of cryptography, which mostly proceeds under the necessity of a short
processing interval, making it difficult to ensure the required levels of data authenticity,
confidentiality, etc. Confirming the fact that both safety and security
New challenges are being experienced in the automotive industry with regard to automated
driving, due to the diverse connectivity within automated driving vehicles and between those
vehicles and their operating environment. These challenges range from meeting regulatory
requirements and ensuring safety to protecting fleets and customers from cybersecurity attacks.
Enhancements of connectivity mainly include new interfaces between the control functions of
connected vehicles, IT backend systems, and other external information sources. This vulnerable
attack surface creates considerable interest for malicious actors with various aims. In other
words, automated driving has advanced to a level where vehicles cannot maintain a safe state
unless their operation is also secured. Ultimately, cybersecurity principles and practices should
be applied to ensure that attackers cannot gain arbitrary control of a vehicle’s operation and that
attacks are exceptionally difficult to scale to the point of simultaneously accessing multiple
vehicles.
With the continuous development of vehicle automation, the security measures used to protect
vehicle functions should be able to defend the vehicle against unauthorized access and
manipulation, to ensure the integrity of the vehicle and its components and the operational
safety of its functions, especially vehicle control functions. It is in our fundamental interest to
ensure that the highest level of safety is attained and to optimally protect vehicle safety, simultaneously
One of the major challenges of cybersecurity that is widely observed is that, when extending
from one vehicle automation level to another, the automated driving functionalities critically
depend on data obtained from the surrounding environment, e.g. sensor information, regional
maps, location information, etc. If the integrity or authenticity of this data is compromised, the
fundamental building blocks of the automated driving functions (Sense – Plan – Act) will use
invalid data to operate the vehicle, which might result in deviations from proper operation. If an
automated vehicle is attacked, the impact will be great, as the person inside the vehicle may not
be able to quickly respond and take control. Hence, cybersecurity measures should be critically done and
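The contrast drawn earlier between CRCs and keyed secure hashes, and the requirement just stated that the Sense – Plan – Act pipeline be able to trust the integrity and authenticity of its input data, are illustrated by the following Python example. It is added for this page and is not the essay's own code nor taken from any standard: a constructed wheel-speed frame is protected once with CRC32 (the safety-style check) and once with HMAC-SHA256 under a shared secret (the security-style check), and both are exercised against a random bit error and against a frame from a sender that does not hold the secret. The frame layout, key, speed values and function names are assumptions.

```python
"""Integrity versus authenticity of a sensor frame: CRC32 (no secret) beside
HMAC-SHA256 (shared secret). Constructed example; the frame format, key and
speed values are assumptions, not from any vehicle or standard."""
import hashlib
import hmac
import struct
import zlib


def encode_speeds(speeds):
    """Constructed frame: four wheel speeds in km/h as big-endian uint16."""
    return struct.pack(">4H", *speeds)


# --- Safety-style protection: CRC32 appended to the payload ----------------
def crc_protect(payload: bytes) -> bytes:
    return payload + struct.pack(">I", zlib.crc32(payload))


def crc_check(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(payload)) == tag


# --- Security-style protection: HMAC-SHA256 with a shared secret -----------
DEMO_KEY = b"constructed-demo-key"  # assumed to be provisioned to both ECUs


def mac_protect(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_check(frame: bytes, key: bytes = DEMO_KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate random corruption in transit (the safety concern)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def compare_mechanisms():
    """Return which mechanism accepts which frame; True means accepted."""
    genuine = encode_speeds((50, 50, 51, 50))
    results = {}

    # 1. Both mechanisms catch a random bit error in the payload.
    results["crc_after_bit_error"] = crc_check(flip_bit(crc_protect(genuine), 3))
    results["mac_after_bit_error"] = mac_check(flip_bit(mac_protect(genuine), 3))

    # 2. A frame from an unexpected source: that sender has no shared secret,
    #    so it can attach a valid CRC (no secret needed) but only a MAC under
    #    some other key. The CRC receiver accepts it; the MAC receiver does not.
    unexpected = encode_speeds((0, 0, 0, 0))
    results["crc_accepts_unexpected_source"] = crc_check(crc_protect(unexpected))
    results["mac_accepts_unexpected_source"] = mac_check(
        mac_protect(unexpected, key=b"some-other-key"))

    # 3. The genuine, untouched frame passes both checks.
    results["crc_genuine"] = crc_check(crc_protect(genuine))
    results["mac_genuine"] = mac_check(mac_protect(genuine))
    return results


if __name__ == "__main__":
    for name, accepted in compare_mechanisms().items():
        print(f"{name:32s} -> {'accepted' if accepted else 'rejected'}")
```

The CRC does its safety job (the bit error is caught) but says nothing about who produced the frame, because anyone can compute it; the HMAC additionally binds the frame to the holder of the shared key, which is what "confirm the data source" amounts to in practice. The MAC tag is 32 bytes against 4 for the CRC and costs a hash computation per frame, which is the processing-interval trade-off the text mentions; a message counter or timestamp inside the authenticated payload would be the usual addition against replay, but that is outside what this example shows.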
Validation
The fields of Artificial Intelligence, Machine Learning and Automated Driving Vehicles are a
major concern to automotive software developers as they strive to produce safe and enhanced
1. Using a requirement management tool can pave the way to accomplishing a requirement for
2. Using a test case management tool can help to ensure high coverage of diverse scenarios.
3. Using a static analysis tool can help to simulate potential run-time scenarios. This helps
Conclusion
The rapid growth of automation today requires that the automotive industry make huge
investments to keep up with the diverse intelligent advancements for safety and to bring
development methods to their optimum. Thanks to the current developments in ISO 26262
application of automation-based design, verification and validation will achieve wide adoption
technique to unveil hardware design vulnerabilities that might otherwise escape simulation-based
verification and lead to systematic failures. The most significant advantage of automation-based
tools is the ability to examine all-round design behaviour, without the need for input stimuli, and
to confirm that the design never deviates from its intended function, as stipulated by the design
specification. Even for non-complex designs, simulation tools cannot produce this level of
precision; hence, these tools have multiple applications for both systematic and random fault
verification.
References
[1] Jean-Philippe Meunier, 2018. Automotive functional safety: The evolution of fail safe to fail operational architecture. Available at: https://blog.nxp.com/automotive/automotive-functional-safety-the-evolution-of-fail-safe-to-fail-operational-architecture
[2] Urvaksh Karkaria, 2018. Consumer apprehension grows over autonomous tech, study says. Available at: https://www.autonews.com/article/20180816/MOBILITY/180819878/consumer-apprehension-grows-over-autonomous-tech-study-says
[3] Peter Els, 2019. Rethinking Autonomous Vehicle Functional Safety Standards: An Analysis of SOTIF and ISO 26262. Available at: https://www.automotive-iq.com/autonomous-drive/articles/rethinking-autonomous-vehicle-functional-safety-standards-an-analysis-of-sotif-and-iso-26262
[4] Marc Serughetti, 2019. Ensuring Functional Safety for Self-Driving Cars. Available at: https://semiengineering.com/ensuring-functional-safety-for-self-driving-cars/
[5] Business Wire, 2018. Bosch technology enables redundancy needed for automated driving. Available at: https://www.businesswire.com/news/home/20180115005404/en/Bosch-technology-enables-redundancy-needed-automated-driving
[6] David Lopez, 2018. Three things to know about functional safety. Available at: https://blog.nxp.com/automotive/three-things-to-know-about-functional-safety
[7] Samsara, 2020. Advanced Driver Assistance Systems (ADAS) for Commercial Fleets. Available at: https://www.samsara.com/fleet/dash-cam/adas#section-three
[8] Seunghyuk Choi, Florian Thalmayr, Dominik Wee, and Florian Weig, 2016. Advanced driver-assistance systems: Challenges and opportunities ahead. Available at: https://www.mckinsey.com/industries/semiconductors/our-insights/advanced-driver-assistance-systems-challenges-and-opportunities-ahead#
[9] Matthew W., Philipp R., Radboud D., Mohamed H., Jonathon R., Karl R., David W., Toshika S., Mohamed E., Baidu S., Yali W., Christian K., David Boymanns, Matthias L., Bernhard D., Richard K., Jelena F., Florian R., Miriam, Julia M., Sandro S., Pierre B., Kamil K., Pierre S., Thomas W., Stefan P., Kai S., Neil G., David S., Dalong L., Adam T., Marco B., Michael O., Michael S., Udo D., Jack W., Alan T., Bernd D., Philipp S., Philipp T., Thomas W., Peter S., 2019. Systematically Developing Dependability To Support Safety By Design, pages 12-37 in Safety First For Automated Driving. Available at: https://www.aptiv.com/docs/default-source/white-papers/safety-first-for-automated-driving-aptiv-white-paper.pdf
[10] Richard Bellairs, 2019. Why SOTIF (ISO/PAS 21448) Is Key For Safety In Autonomous Driving. Available at: https://www.perforce.com/blog/qac/sotif-iso-pas-21448-autonomous-driving