Executive Summary — ISO 21448: Safety of the Intended Functionality (SOTIF)
ISO 21448 ensures that autonomous and ADAS systems behave safely not just when components fail, but when AI perception and decision‑making face ambiguity, edge cases, or misuse.
ISO 21448 defines how to ensure that an autonomous or ADAS system is safe even when everything is working as designed. Unlike ISO 26262, which focuses on failures, SOTIF addresses hazards that arise from functional insufficiencies, limitations in perception, and reasonably foreseeable misuse. Its goal is to reduce residual risk from AI‑driven perception and decision‑making to an acceptable level.
Core Purpose
SOTIF ensures that systems relying on complex sensors and algorithms—especially perception stacks—do not behave unsafely due to:
• Incomplete or ambiguous sensor data
• Misinterpretation of the environment
• Edge cases not represented in training
• User misuse that is predictable but not malicious
This is critical for ADAS (SAE L1–L2) and increasingly for higher automation levels.
Key Concepts
1. Functional Insufficiency
Hazards that occur without any component failure, such as:
• Misclassifying objects (e.g., “ghost” obstacles)
• Poor performance in rare weather or lighting
• Incorrect predictions of pedestrian or vehicle behavior
These are central to SOTIF’s scope. (ref spkaa.com)
2. Reasonably Foreseeable Misuse
User actions that are not intended but predictable, which may trigger unsafe behavior.
3. Known vs. Unknown Hazardous Scenarios
SOTIF requires identifying:
• Known hazards → mitigate or validate
• Unknown hazards → discover through exploration, simulation, and stress testing
ref www.tuvsud.com
Lifecycle Requirements
ISO 21448 mandates a structured process:
1. Hazard Identification
Analyze how perception or decision‑making could lead to unsafe outcomes even when functioning correctly.
2. Scenario Exploration
Use real‑world data, simulation, and adversarial testing to uncover unknown unsafe scenarios.
3. Risk Analysis & Acceptance
Quantify and justify that residual risk is reduced to an acceptable level.
This often requires probabilistic methods due to the open‑world nature of driving. (ref www.tuvsud.com)
4. Verification & Validation
Demonstrate safety through:
• Scenario‑based testing
• Simulation at scale
• Field testing
• Robustness and performance analysis
5. Continuous Improvement
As new scenarios emerge in deployment, the system must be updated and re‑validated.
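The scenario exploration, risk acceptance and verification steps above, worked through as an added example that is not part of the standard or of any cited source: a constructed scenario catalogue tagged by triggering conditions, a hypothetical perception function whose insufficiency appears only under one condition, and the zero‑failure binomial bound (the "rule of three" at 95 %) used to argue residual risk. Names, scenarios and the 1e‑4 target are assumptions for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    weather: str      # "clear" | "fog" | "rain"
    lighting: str     # "day" | "night"
    obstacle: bool    # ground truth: is there really an object ahead?

def perception_under_test(s: Scenario) -> bool:
    """Hypothetical stand-in for a perception stack: True means 'obstacle reported'.
    Its insufficiency (no component fault): in fog at night it reports a ghost obstacle."""
    if s.weather == "fog" and s.lighting == "night":
        return True
    return s.obstacle

def classify(scenarios):
    """Scenario-based testing: split the catalogue into SOTIF's known-safe and known-unsafe
    sets. Unknown-unsafe scenarios are by definition those missing from the catalogue."""
    known_safe, known_unsafe = [], []
    for s in scenarios:
        (known_safe if perception_under_test(s) == s.obstacle else known_unsafe).append(s)
    return known_safe, known_unsafe

def residual_risk_upper_bound(n_runs: int, confidence: float = 0.95) -> float:
    """Upper bound on the per-scenario unsafe probability after n_runs tests with zero
    unsafe outcomes: solve (1-p)^n = 1-confidence (exact binomial, zero-failure case).
    At 95 % this is the familiar 'rule of three', roughly 3/n."""
    return 1.0 - (1.0 - confidence) ** (1.0 / n_runs)

def runs_needed(target_p: float, confidence: float = 0.95) -> int:
    """Fewest zero-failure runs before the bound drops to target_p."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - target_p))

def acceptance_met(n_runs: int, n_unsafe: int, target_p: float) -> bool:
    """Risk acceptance step: any observed unsafe outcome sends the scenario back to
    mitigation; otherwise compare the statistical bound with the target."""
    return n_unsafe == 0 and residual_risk_upper_bound(n_runs) <= target_p

# Constructed scenario catalogue (not from the standard), tagged by triggering conditions.
CATALOGUE = [
    Scenario("clear-day-free", "clear", "day", False),
    Scenario("clear-day-car", "clear", "day", True),
    Scenario("rain-night-ped", "rain", "night", True),
    Scenario("fog-night-free", "fog", "night", False),   # exposes the ghost-obstacle insufficiency
]

if __name__ == "__main__":
    safe, unsafe = classify(CATALOGUE)
    print("known-unsafe:", [s.name for s in unsafe])                    # ['fog-night-free']
    print("runs for 1e-4 at 95%:", runs_needed(1e-4))                   # 29956
    print("accepted:", acceptance_met(len(CATALOGUE), len(unsafe), 1e-4))  # False
```

The bound only covers scenarios that were actually exercised; a catalogue that never includes fog at night would pass the statistics while the insufficiency stays in the unknown‑unsafe area, which is why scenario exploration precedes the acceptance argument.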
Relationship to ISO 26262
• ISO 26262: Safety from failures
• ISO 21448: Safety from insufficiencies of the intended functionality
Together, they form a holistic safety framework for autonomous and semi‑autonomous systems.
ref www.tuvsud.com