New safety standard for driver assistance systems

It has been almost ten years since the ISO Standard 26262, which specifies how to ensure the functional safety of automotive control devices, was issued. For many new systems such as driver assistance systems, however, the standard is insufficient. That is why ISO 21448 “Road Vehicles - Safety of the Intended Functionality” (SOTIF) was published in 2019. To find out more about why it is needed and which process changes it requires in the development of level 1 and level 2 systems, we talked to Josef Horstkötter, Dipl.Ing., shareholder and managing director of F+S Fleckner and Simon Informationstechnik GmbH.

Mr. Horstkötter, why is ISO 26262 insufficient for driver assistance systems?

Josef Horstkötter, Dipl.-Ing.: ISO 26262 assumes that a system will function safely if it is not defective. Many new systems are potentially unsafe if they cannot correctly assess a driving situation. They therefore require complex sensors, such as cameras or radar sensors, as well as artificial intelligence (AI) in some cases. All components are limited in their performance capacity, which means that not all driving situations can be assessed correctly.

Obviously, a camera sees no more than a driver in foggy conditions, and a radar sensor covered with slush is limited in its detection capabilities. Even when the sensors are functioning correctly, AI systems can accurately interpret only foreseeable driving situations. This means that systems with no defects are not necessarily safe.

And what can be done about this?

Horstkötter: The development engineers have to identify scenarios and situations in which the system can no longer correctly assess the driving situation, and then take measures to prevent accidents. It may be necessary, for example, to deactivate the system and notify the driver before such a situation occurs.

What is so difficult about that?

Horstkötter: Building a car 100 years ago was not so difficult; it took only a few mechanics. But the many details of modern cars require the expertise of thousands of engineers.

Due to the complexity of the environment and technology, it is not easy to imagine every potential driving situation and every possible environmental influence. But that is only the first requirement. It is also necessary to determine the limits of the system and when it has to be deactivated if a certain combination of parameters occurs, for example on the basis of variance between the sensors or other traffic participants.

Is it even possible then to develop such a system that is really safe?

Horstkötter: Yes and no; that depends on how you define safe. Both ISO 26262 and ISO 21448 require the elimination of excessive risks, with the acceptance of a small residual risk.

What are the specific additional requirements on the part of the engineers?

Horstkötter: They have to precisely specify all situations and derive scenarios that are then verified and validated to determine the combination of parameters at which the system can still correctly assess the driving situation. The results can be used to improve the sensors and algorithms or to identify the limits of the system and enter a safe condition when those limits are exceeded. And of course, that all has to be repeated until the residual risk is negligible.

We can visualise this on the basis of set theory if we imagine two intersecting sets. The first describes the set of known driving situations (1); the rest of the world is unknown. The second describes the situations in which the system is unsafe (2). The intersection comprises the situations that are known to the engineers and in which the system is unsafe (3). The second area and the intersection should be as small as possible. For the sake of completeness I would like to mention the fourth area – everything which does not belong to the first three sets (4). Here, everything is unknown, but safe, which means we don’t have to worry about it.

[Figure: SOTIF picture, the set diagram of areas (1) to (4) described above]

You can easily imagine that the unknown area can be reduced by means of suitable tests. And for the known, unsafe area one can implement design measures to ensure that the system does not enter this area (for example by deactivating the system and notifying the driver).

Is ISO 26262 still needed?

Horstkötter: Of course; ISO 21448 only starts where ISO 26262 leaves off. “Classic safety” – compliance with ISO 26262 – is just as important as compliance with ISO 21434 “Road Vehicles - Cybersecurity Engineering”, which is under development.

Anyone can purchase the standard, but what added value do you offer your customers?

Horstkötter: ISO 26262 can also be purchased by anyone. Automotive SPICE is even available at no charge. Nevertheless, our customers ask us for assistance. The truly difficult part is understanding the standards and implementing them in pragmatic processes in accordance with the requirements of the particular enterprise, and this requires a very good understanding of all processes and standards. With more than 20 years of experience in automotive process consulting we also support our customers in the concrete implementation of ISO 21448.

Can one use your processes to develop safe systems for autonomous driving?

Horstkötter: No, the standard applies only to level 1 and level 2 driver assistance systems; the responsibility is still on the shoulders of the driver. Higher levels of autonomous driving will require additional safety measures. Although we are also working on this, there is no state-of-the-art solution as of yet. Research is still underway in this area, see the whitepaper SaFAD or the federally funded Pegasus project.

In terms of functionality, autonomous driving is already very advanced (see press reports), but there are still many gaps in the safety of these functions. Only when these gaps have been eliminated and the residual risk has been reduced to a socially accepted level can one introduce the systems and expect people to use them.

Then we wish you luck, in the hope that drivers will overcome any reservations they may have about autonomous systems!