
Autonomous driving safety (SOTIF) terminology summary - SOTIF

by 멘토_, 5 November 2021

This post summarizes the terms defined in SOTIF (Safety Of The Intended Functionality), the vehicle automated-driving safety standard, that relate to the SOTIF concept itself.

acceptance criterion:
criterion representing the absence of an unreasonable level of risk

Note 1 to entry: The acceptance criterion can be of qualitative as well as quantitative nature, e.g. physical parameters that define when a specific behaviour is considered as hazardous behaviour, maximum number of incidents per hour, ALARP, etc.

EXAMPLE 1 From traffic statistics a reasonable level of risk of one accident per X km is derived.

EXAMPLE 2 The comparison with an equivalent vehicle level effect that is proven in use to be controllable by the driver can support the definition of an acceptance criterion. For instance, the trajectory perturbation due to an unwanted lane keeping assist function intervention might be compared to a lateral wind gust to define an acceptable level of authority for the function.

safety of the intended functionality (SOTIF):
absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or its implementation

Note 1 to entry: A hazardous behaviour of the system that could lead to such hazard is initiated by a triggering condition of a scenario. Reasonably foreseeable direct misuse is considered as a potential triggering condition.

Note 2 to entry: When identifying the hazardous events, intended use and reasonably foreseeable indirect misuse are also considered in combination with hazardous behaviour resulting from insufficiencies of specification or performance limitations.

hazard:
potential source of harm caused by the hazardous behaviour of the system

functional insufficiency:
insufficiency of specification or performance limitation

Note 1 to entry: Functional insufficiencies include the insufficiencies of specification of the intended functionality at the vehicle level, or the insufficiencies of specification or performance limitations of the system elements.

Note 2 to entry: SOTIF activities include the identification of functional insufficiencies and the evaluation of their effects. Functional insufficiencies lead to hazardous behaviours by definition. The term "potential functional insufficiency" can be used in the document when the ability to lead to hazardous behaviour is not yet established.

single-point functional insufficiency:
functional insufficiency of an element leading directly to hazardous behaviour

multiple-point functional insufficiency:
functional insufficiency of an element leading to hazardous behaviour only in conjunction with functional insufficiencies of other elements

intended functionality:
specified functionality

Note 1 to entry: Intended functionality is defined at the vehicle level.

intended behaviour:
behaviour of the intended functionality

Note 1 to entry: See Clause 5 for additional information about the specification of intended behaviour.

Note 2 to entry: The intended behaviour is that which the developer considers to be the nominal functionality considering capability limitations due to inherent characteristics of the components and technology used.

Note 3 to entry: The intended behaviour specified by the developer, while not representing unreasonable risk, might not match the driver's expectation of the system behaviour. Appropriate information is used to achieve a proper understanding.

triggering condition:
specific conditions of a scenario that serve as an initiator for a subsequent system reaction leading to hazardous behaviour

Note 1 to entry: The concept of "triggering" includes the possibility that there can be multiple conditions that can gradually happen leading to hazardous behaviour.

Note 2 to entry: A triggering condition of a scenario can initiate a hazardous behaviour of the system resulting from functional insufficiencies.

EXAMPLE While operating on a highway, a vehicle's automated emergency braking (AEB) system misidentifies a road sign as a lead vehicle, resulting in braking at X g for Y seconds. In this example, the triggering condition is "the road sign while operating on a highway, whereas AEB has the relevant performance limitation" (e.g. low accuracy of perception or misclassification by the algorithm).

Note 3 to entry: SOTIF activities include the identification of triggering conditions and the evaluation of the response of the system, possibly leading to hazardous behaviour. The term "potential triggering condition" can be used in the document when the ability to initiate a hazardous behaviour is not yet established.

Note 4 to entry: Reasonably foreseeable direct misuse, which could directly initiate a hazardous behaviour of the system, is considered as a potential triggering condition.

misuse:
usage of the system by a human in a way not intended by the manufacturer or the service provider

Note 1 to entry: Misuse includes human behaviour that is not intended but does not include deliberate system alterations or advertent use of the system with the intention to cause harm.

Note 2 to entry: Misuse can result from overconfidence in the performance of the system.

Note 3 to entry: Depending on the causal relationship to the hazardous behaviour, there are two kinds of misuse, direct and indirect.

Note 4 to entry: Direct misuse, which could directly initiate a hazardous behaviour of the system, is considered as a potential triggering condition.

EXAMPLE 1 Activating a functionality intended for the highway in an urban setting causes a scenario in which the vehicle does not detect red traffic lights.

Note 5 to entry: Indirect misuse is considered as a possible cause of reduced controllability or increased severity when evaluating a hazardous event resulting from hazardous behaviour.

EXAMPLE 2 The human does not supervise the system as required.

Note 6 to entry: Refer to the figure above.

misuse scenario:
scenario in which misuse occurs

insufficiency of specification:
specification, possibly incomplete, leading to hazardous behaviour in combination with one or more triggering conditions

EXAMPLE 1 A scenario where the driving function in control of the ego vehicle is not keeping a safe distance to the vehicle in front can result from an insufficiency of specification.

EXAMPLE 2 System inability to handle uncommon road signs due to specification gaps.

Note 1 to entry: Insufficiency of specification can be either known or unknown at a given point in the system lifecycle.

Note 2 to entry: SOTIF activities include the identification of insufficiencies of specification and the evaluation of their effects, possibly leading to hazardous behaviour. The term "potential insufficiency of specification" can be used in the document when the ability to lead to hazardous behaviour is not yet established.

Note 3 to entry: Safety requirements derived from the specification, from the assumptions of other systems or elements, or from systematic analyses (such as those included in Clause 6 or other analyses that elicit design and implementation requirements for the SOTIF) may be included in formal databases to support assurance of verification. These requirements may not be designated as the "specification" in many organizations but are necessary to ensure the SOTIF. The usage of the term "insufficiency of specification" in this standard includes such derived requirements.

performance limitation:
limitation of the technical capability leading to hazardous behaviour in combination with one or more triggering conditions

Note 1 to entry: Performance limitations can be either known or unknown at a given point in the system lifecycle.

Note 2 to entry: Performance limitations are considered for E/E elements of the system.

Note 3 to entry: SOTIF activities include the identification of performance limitations and the evaluation of their effects, possibly leading to hazardous behaviour. The term "potential performance limitation" can be used in the document when the ability to lead to hazardous behaviour is not yet established.

EXAMPLE Limitations of technical capability are limited calculation performance, limited perception range of a sensor, limited actuation, etc.

validation target:
the value used to argue that the acceptance criterion is met

Note 1 to entry: The validation targets are derived from the specification of acceptance criteria.

Note 2 to entry: The definition of a validation target depends on target markets and operational scenarios.

Note 3 to entry: In the context of SOTIF, validation is the assurance, based on examination and tests, that the acceptance criteria (of the identified hazards) are adequate and have been achieved with a sufficient level of confidence.

EXAMPLE No hazardous behaviour of the functionality during a Y hour endurance run, or one hazardous behaviour with a certain severity during X times parking at a parking lot.
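The validation target entry says targets are derived from acceptance criteria: a rate such as "one accident per X km" has to be turned into a concrete run length such as "no hazardous behaviour during Y hours" or "at most one hazardous behaviour during X parking manoeuvres". The following is an added worked example, not code from the post and not a method prescribed by ISO 21448, showing one common way to make that link. It assumes hazardous behaviours during validation runs follow a Poisson process with a constant rate, so that observing k events over an exposure E gives a one-sided upper confidence bound on the rate; the required exposure for a given acceptance criterion follows by inverting that bound. The function and variable names are the example's own.

```python
# Added worked example (not from the original post or ISO 21448): linking a
# rate-based acceptance criterion to a validation target.
#
# Assumption: hazardous behaviours during validation runs are modelled as a
# Poisson process with a constant, unknown rate. If k hazardous behaviours are
# observed over an exposure E (kilometres, hours, parking manoeuvres, ...), the
# one-sided upper confidence bound on the rate at confidence c is mu_c / E,
# where mu_c solves P(X <= k | Poisson(mu_c)) = 1 - c. The standard does not
# prescribe this (or any) statistical method; it is used here for illustration.
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), accumulated term by term."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def poisson_mean_upper_bound(observed: int, confidence: float) -> float:
    """Largest Poisson mean mu consistent with `observed` events at one-sided
    confidence `confidence`: the root of poisson_cdf(observed, mu) = 1 - c,
    found by bisection (poisson_cdf is strictly decreasing in mu)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if observed < 0:
        raise ValueError("observed count cannot be negative")
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(observed, hi) > alpha:  # expand until the root is bracketed
        hi *= 2.0
    for _ in range(200):  # bisection, far more iterations than float precision needs
        mid = (lo + hi) / 2.0
        if poisson_cdf(observed, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def rate_upper_bound(exposure: float, confidence: float, observed: int = 0) -> float:
    """Upper bound on the hazardous-behaviour rate (events per unit of exposure)
    that can be claimed after `observed` events over `exposure`."""
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    return poisson_mean_upper_bound(observed, confidence) / exposure


def required_exposure(acceptable_rate: float, confidence: float, observed: int = 0) -> float:
    """Validation target: exposure needed so that, with at most `observed`
    events, the claimed rate upper bound does not exceed `acceptable_rate`.
    With observed == 0 this reduces to the familiar -ln(1 - c) / acceptable_rate."""
    if acceptable_rate <= 0:
        raise ValueError("acceptable_rate must be positive")
    return poisson_mean_upper_bound(observed, confidence) / acceptable_rate


def meets_acceptance_criterion(acceptable_rate: float, exposure: float,
                               observed: int, confidence: float) -> bool:
    """Did a completed run support the acceptance criterion at the chosen confidence?"""
    return rate_upper_bound(exposure, confidence, observed) <= acceptable_rate


if __name__ == "__main__":
    # Constructed figures, not taken from the post: an acceptance criterion of at
    # most one accident per 10 million km, to be argued at 95 % confidence.
    crit = 1.0 / 1e7
    print(f"km without any hazardous behaviour needed: {required_exposure(crit, 0.95):,.0f}")
    print(f"km needed if one hazardous behaviour is tolerated: "
          f"{required_exposure(crit, 0.95, observed=1):,.0f}")
    # Constructed parking-lot endurance run: 5 000 manoeuvres, one hazardous behaviour seen.
    print(f"claimed rate per manoeuvre after 1 event in 5 000: "
          f"{rate_upper_bound(5000, 0.95, observed=1):.2e}")
```

Two things the numbers make visible: a zero-failure run must be about three times the reciprocal of the acceptable rate to reach 95 % confidence, and tolerating even a single observed event roughly doubles the exposure required, which is why the severity attached to "one hazardous behaviour" in the standard's example matters for setting the target.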
vehicle level safety strategy (VLSS):
set of vehicle level requirements for the intended functionality used to support design, verification and validation activities to achieve the SOTIF

Note 1 to entry: A VLSS can be defined for each SOTIF-related system.