Beyond Functional Safety: Exploring SOTIF for Autonomous Parking
As the hype bubble around fully autonomous vehicles has somewhat deflated after recent safety accidents (think of the Cruise pedestrian-dragging mishap, the Tesla fire-truck collision, the Waymo pole crash), ensuring the safety of autonomous driving systems is more critical than ever. In the world of automotive safety, the Functional Safety (FuSa) standard ISO 26262 has long been the cornerstone. But what happens when, even with all systems running reliably, accidents still occur? This is where Prof. Dr. Bogdan Pavkovic, CTO of Safety, Security, and Quality Consultancy at NIT Institute, comes in. In his upcoming talk, titled “Going beyond FuSa: SOTIF Analysis for Autonomous Parking,” he will dive into how we can push beyond traditional safety approaches to address previously unseen risks in autonomous systems.
Figure 1: Complementary nature of several automotive standards. Source: CertX.com
What Can Still Go Wrong with Reliable Systems?
FuSa focuses on preventing risks that arise from unintended failures of item functionalities. Whether it’s an electric or electronic component, FuSa ensures the system operates safely even when faced with random or systematic failures at the system, hardware, and/or software level. Overall safety is achieved by first establishing the risk through a meticulous hazard analysis and risk assessment, and then executing a safety process that reduces the risk to an acceptable level.
However, there’s more to safety than just preventing component failures. Imagine an autonomous car parking itself. Even if the vehicle's sensors and controls perform perfectly according to design specifications, the vehicle could still find itself in dangerous situations. These hazards might stem from driver misuse, such as misunderstanding when and how to properly engage the parking system (think of activations at higher speeds). Or the system may falter in challenging environments, like blinding sunlight that distorts the image seen by the car’s camera. Worse still, functional insufficiencies - such as poorly selected sensors or algorithms - could create unseen safety gaps.
This is where Safety of the Intended Functionality (SOTIF) steps in. Introduced under the ISO 21448 standard, SOTIF focuses on ensuring the system behaves safely even when no technical failures are present. It addresses hazards that result not from a component breakdown but from limitations in system design or interactions with its environment.
The Power of STPA in SOTIF: A New Approach to Hazard Analysis
At the heart of SOTIF is the System-Theoretic Process Analysis (STPA), a method designed to find and mitigate hazards related to system behavior and functionality. STPA goes beyond conventional safety methods based on linear causality chains (the Swiss Cheese, Domino, or Bowtie model) by factoring in the rich interactions within a system, with its users and operators, and with the surrounding environment. The paradigm shift is captured by the saying “The whole is greater than the sum of the parts”: holistically examining control interactions can bring benefits compared to isolated event-chain analysis. Prof. Pavkovic’s talk will explore how STPA is applied to autonomous parking systems and demonstrate how it can mitigate hidden risks.
Figure 2: STPA, a four-stage process. Source: STPA Handbook
STPA is a four-step process, each vital to uncovering potential hazards and making systems safer:
- Define the Purpose of the Analysis: The first step is to define the purpose of the analysis – it can go beyond safety and focus on security, quality, or efficiency, to name a few. Furthermore, the losses to be avoided are defined, as well as the system hazards and constraints.
- Model the System’s Control Structure: Here, we map out the control system’s architecture, identifying every component involved in autonomous parking: sensors, actuators, and the decision-making algorithms that control vehicle movement. Remote human operators or the control communication infrastructure (think valet parking) can be added as well.
- Identify Unsafe Control Actions: Similarly to other safety analyses, we focus on discrete, pre-defined deviations from the control actions that might lead to accidents. Specifically, four types of deviation are examined: not providing the control action, providing the control action in a context where it is unsafe, wrong timing or order, and wrong duration or intensity. The last case is a novelty compared to FFA or HAZOP guide words. Unsafe control actions (UCAs) are identified, such as the car failing to stop when an obstacle is detected or parking too close to other vehicles due to sensor limitations.
- Identify Loss Scenarios: This is where things get interesting. STPA looks for the causal factors that can lead to the unsafe control actions and to hazards. For example, bright sun glare could interfere with the car’s camera, causing it to misjudge the proximity of a nearby vehicle. Furthermore, the vehicle can have an inconsistent process model, e.g. believing that there are no obstacles due to incorrect or missing information from the sensors. The loss scenario step helps us determine where UCAs might emerge within the system’s control flows.
- Design Countermeasures to Prevent or Mitigate Hazards: once the four steps are complete, the next step is to adjust the design. For example, if sensor limitations are discovered, alternative sensors or sensor-fusion techniques might be recommended to reduce the chance of misjudging distances or obstacles. The STPA analysis can be repeated iteratively, with intermediate corrections applied between rounds.
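To make steps 1, 3 and 4 concrete for the parking case described above, here is a small added example (not code from the talk or from NIT Institute) that applies the four STPA guide words to two control actions, "brake" and "engage_parking", and then derives loss scenarios from the controller's process model. The hazards, the 10 km/h engagement limit and the contexts are constructed for illustration.

```python
from dataclasses import dataclass

# Step 1 (constructed for this example): hazards the parking function must not cause.
HAZARDS = {
    "H1": "vehicle keeps moving while an obstacle is in the parking path",
    "H2": "parking maneuver engaged above the design speed envelope",
}
MAX_ENGAGE_SPEED_KMH = 10.0  # assumed design limit for engaging the parking function

@dataclass(frozen=True)
class Context:
    speed_kmh: float
    obstacle_present: bool     # ground truth in the environment
    model_says_obstacle: bool  # the controller's process model (what it believes)
    sun_glare: bool            # environmental trigger that can degrade the camera

def unsafe_control_actions(action: str, ctx: Context) -> list:
    """Step 3: apply the four STPA guide words to one control action in one context.
    Returns (action, guide word, hazard text) tuples."""
    found = []
    if action == "brake" and ctx.obstacle_present:
        found.append(("not_provided", "H1"))                    # needed but not given
        if ctx.sun_glare:                                       # distance estimate degraded
            found.append(("wrong_timing_or_order", "H1"))       # braking too late
            found.append(("wrong_duration_or_intensity", "H1")) # braking too weakly
    if action == "engage_parking" and ctx.speed_kmh > MAX_ENGAGE_SPEED_KMH:
        found.append(("provided", "H2"))                        # given in an unsafe context
    return [(action, word, HAZARDS[h]) for word, h in found]

def loss_scenarios(action: str, guide_word: str, ctx: Context) -> list:
    """Step 4: causal factors that explain how the UCA could arise."""
    causes = []
    if action == "brake" and ctx.obstacle_present and not ctx.model_says_obstacle:
        causes.append("inconsistent process model: controller believes the path is clear")
        if ctx.sun_glare:
            causes.append("camera image distorted by sun glare, so obstacle input is missing")
    if action == "engage_parking" and guide_word == "provided":
        causes.append("driver activates the function at speed and no speed interlock exists")
    return causes

def analyze(actions, contexts) -> dict:
    """Steps 3 and 4 over every action/context pair: {(UCA, context): [causes]}."""
    report = {}
    for action in actions:
        for ctx in contexts:
            for uca in unsafe_control_actions(action, ctx):
                report[(uca, ctx)] = loss_scenarios(action, uca[1], ctx)
    return report

if __name__ == "__main__":
    glare = Context(5.0, obstacle_present=True, model_says_obstacle=False, sun_glare=True)
    fast = Context(30.0, obstacle_present=False, model_says_obstacle=False, sun_glare=False)
    for (uca, ctx), causes in analyze(["brake", "engage_parking"], [glare, fast]).items():
        print(uca, "<-", causes)
```

Each entry of the report is one row of a UCA table with its loss scenarios attached, which is the artefact the countermeasure step (e.g. sensor fusion, a speed interlock) is then applied to.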
Autonomous Parking as a Case Study
Figure 3: Exemplary overview of the autonomous parking system. Source: LEGO Education
Prof. Pavkovic’s lecture will explore these steps using the example of autonomous parking. Autonomous parking systems, while incredibly convenient, are also prone to hazards not related to traditional failures. Imagine a car confidently pulling into a parking spot with no technical malfunctions, yet it misinterprets the space’s boundaries due to lighting conditions, or fails to account for a small child running past because the controller’s process model is in the wrong state. The STPA process, paired with SOTIF, uncovers these risks and nips them in the bud before they become dangerous.
By the end of the session, participants will have a clear understanding of how to apply STPA to real-world systems, using the autonomous parking use case as a prime example. Furthermore, suggestions for reading materials and free online STPA tools will be shared.
Final Thoughts: Moving Toward a Safer Future
As vehicles become increasingly autonomous, the way we approach safety must evolve. Functional Safety remains vital, but as Prof. Pavkovic will explain, SOTIF offers the next layer of protection, addressing the unique challenges of intelligent systems. His talk promises to deliver an insightful look at how we can move beyond component reliability and ensure the overall safety of the intended functionality.
Don’t miss this exciting opportunity to learn how advanced safety techniques like SOTIF and STPA are shaping the future of automotive innovation. Reserve your place for the event on October 9th at 6:00 PM, Fruškogorska 1, NTP (Science and Technology Park) Novi Sad.
See you at NITUP #6