ISO 21448:2022 Road vehicles Safety of the intended functionality
https://www.iso.org/standard/77490.html
ISO/PAS 21448:2019 Road vehicles Safety of the intended functionality
https://www.iso.org/standard/70939.html
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview and organization of SOTIF activities
4.1 General
4.2 SOTIF principles
4.2.1 SOTIF-related hazardous event model
4.2.2 The four scenario areas
4.2.3 Sense-Plan-Act model
4.3 Use of this document
4.3.1 Flow chart and structure of this document
4.3.2 Normative clauses4.3.3 Interpretation of tables
4.4 Management of SOTIF activities and supporting processes
4.4.1 Quality management, systems engineering and functional safety
4.4.2 Distributed SOTIF development activities
4.4.3 SOTIF-related element out of context
5 Specification and design
5.1 Objectives
5.2 Specification of the functionality and considerations for the design
5.3 System design and architecture considerations
5.4 Performance insufficiencies and countermeasures considerations
5.5 Work products
6 Identification and evaluation of hazards
6.1 Objectives
6.2 General6.3 Hazard identification
6.4 Risk evaluation
6.5 Specification of acceptance criteria for the residual risk
6.6 Work products
7 Identification and evaluation of potential functional insufficiencies and potential triggering conditions
7.1 Objectives
7.2 General
7.3 Analysis of potential functional insufficiencies and triggering conditions
7.4 Estimation of the acceptability of the system's response to the triggering conditions
7.5 Work products
8 Functional modifications addressing SOTIF-related risks
8.1 Objectives
8.2 General
8.3 Measures to improve the SOTIF
8.4 Updating the input information for “Specification and design”
8.5 Work products
9 Definition of the verification and validation strategy
9.1 Objectives
9.2 General
9.3 Specification of integration and testing
9.4 Work products
10 Evaluation of known scenarios
10.1 Objectives
10.2 General
10.3 Sensing verification1
0.4 Planning algorithm verification
10.5 Actuation verification
10.6 Integrated system verification
10.7 Evaluation of the residual risk due to known hazardous scenarios
10.8 Work products
11 Evaluation of unknown scenarios
11.1 Objectives
11.2 General
11.3 Evaluation of residual risk due to unknown hazardous scenarios
11.4 Work products
12 Evaluation of the achievement of the SOTIF
12.1 Objectives
12.2 General
12.3 Methods and criteria for evaluating the SOTIF
12.4 Recommendation for SOTIF release
12.5 Work products
13 Operation phase activities
13.1 Objectives
13.2 General
13.3 Topics for observation
13.4 SOTIF issue evaluation and resolution process
13.5 Work products
Annex A General guidance on SOTIF
A.1 Examples of structuring the SOTIF argument with GSN
A.1.1 General
A.1.2 GSN example 1
A.1.3 GSN example 2
A.2 Explanations regarding the interaction between functional safety according to the ISO 26262 series and this document
A.2.1 General
A.2.2 Scope of the ISO 26262 series versus the scope of this document
A.2.2.1 General
A.2.2.2 The three-circle behavioural model
A.2.2.3 The causality classification view of safety issues
A.2.3 Alignment of this document with the ISO 26262 series activities
A.2.4 Item definition and specification of the functionality at the vehicle level
A.2.5 HARA and identification and evaluation of hazards caused by the intended functionality
A.2.5.1 General
A.2.5.2 ISO 26262-3 Hazard analysis and risk assessment (HARA)
A.2.5.3 Identification and evaluation of hazards caused by the intended functionality
A.2.5.4 Conclusion
A.2.6 Functional safety concept and SOTIF functional specification
A.2.7 Technical safety concept and SOTIF
A.2.8 Safety analysis
A.2.9 Supporting processes
A.2.10 Verification and validation
A.3 Simplified SOTIF application examples
Annex B Guidance on scenario and system analyses
B.1 Method for deriving SOTIF misuse scenarios
B.1.1 Overview
B.1.2 Flow of safety analysis method for misuse
B.2 Example construction of scenario factors for SOTIF safety analysis method
B.3 Examples of adaptation of safety analyses to identify and evaluate the potential triggering conditions and functional insufficiencies
B.3.1 Analysis methods for systematic identification of triggering conditions
B.3.2 Example of cause tree analysis
B.3.3 Example of inductive SOTIF analysis
B.4 Applying STPA in the context of SOTIF for ADAS and automated vehicles
B.4.1 Introduction
B.4.2 STPA step 1: defining the purpose and scope of the analysis
B.4.3 STPA step 2: modelling of the control structure
B.4.4 STPA step 3: identification of unsafe control actions
B.4.5 STPA step 4: identification of causal scenarios
B.4.6 Identify controls and mitigations, improve the system design and derive requirements
Annex C Guidance on SOTIF verification and validation
C.1 Purpose of the verification and validation strategy
C.2 Derivation of validation targets
C.2.1 Meeting the acceptance criteria using rate of the hazardous behaviour
C.2.2 Example for definition and validation of an acceptable false positive activation rate in AEB systems
C.2.2.1 ObjectiveC.2.2.2 Possible causes of the hazardous events
C.2.2.3 Modelling of the hazardous event
C.2.2.4 Analysis of traffic statistics
C.2.2.5 Definition of the test scenarios
C.2.2.6 Benchmark considerations
C.3 Validation of SOTIF applicable systems
C.4 Perception system verification and validation
C.4.1 Perception system verification and validation framework
C.4.1.1 General
C.4.1.2 Bench verification
C.4.1.3 Algorithm performance verification
C.4.1.4 Vehicle integration verification
C.4.1.5 Test track verification
C.4.1.6 Open road validation
C.4.2 Stochastic sensors models
C.5 Guidance on scenario parameterization and sampling
C.6 Considerations for reducing validation testing
C.6.1 Evaluation of the coverage of the tested scenarios
C.6.2 Sufficient conditions for a component relative to the quantitative target
C.6.3 Impact of the system architecture on validation
C.6.3.1 General
C.6.3.2 Example: statistical modular safety argument using sufficient conditions
C.6.3.3 Redundancy and independence considerations
Annex D Guidance on specific aspects of SOTIF
D.1 Guidance for driving policy specification
D.1.1 Objective and structure
D.1.2 Driving policy design
D.1.2.1 Overview of an example driving policy design
D.1.2.2 Areas of concern derived from the ADS-operated vehicle operating environment
D.1.2.3 Areas of concern derived from ADS-operated vehicle transitioning to a degraded mode of operation
D.1.2.4 Areas of concern derived from the interactions between the ADS-operated vehicle and other traffic participants
D.1.3 Vehicle-level SOTIF strategy and driving policy verification and validation
D.1.4 Driving policy field operation
D.2 Implications for machine learning
D.2.1 General
D.2.2 Machine learning ISO 26262 versus SOTIF implications
D.2.3 Achieving safety when the intended functionality is utilizing ML
D.2.4 Implications for off-line training of machine learning algorithms
D.2.5 Analysis of the off-line training process of machine learning a lgorithms
D.3 SOTIF considerations for maps
D.3.1 Introduction to SOTIF considerations for maps
D.3.2 Maps specification and design
D.3.3 Maps SOTIF implications
D.4 SOTIF considerations for V2X
D.4.1 Introduction to SOTIF considerations for V2X
D.4.2 V2X communication specification and design
D.4.3 V2X SOTIF implementation
Bibliography
参考資料
ISO/WD TR 7964 Road vehicles Future directions for vehicle EMC validation Adapting to emerging complex systems and safety considerations (including functional safety and SOTIF)
https://www.iso.org/standard/82974.html
なぜ、発行までに至らなかったのか、関係者の記録をさがし中。
文書履歴(document history)
ver. 0.01 初稿 20231104
最後までおよみいただきありがとうございました。
いいね 💚、フォローをお願いします。
Thank you very much for reading to the last sentence.
Please press the like icon 💚 and follow me for your happy life.