7/9/24, 12:06 PM What Is SOTIF?

What Is SOTIF?
M O B I L I T Y I N S I D E R | April 11, 2024

Safety of the intended functionality (SOTIF) is the implementation of safety measures to prevent or mitigate
hazardous events at the vehicle level caused by functional insufficiencies, foreseeable feature misuses by a driver and
unexpected conditions within the operational design domain (ODD).

SOTIF differs from functional safety (FuSa), which focuses on mitigating risks from systematic software faults and
systematic and random hardware faults in electrical/electronic systems.

To understand the difference between FuSa and SOTIF, consider the hazardous event of unintended deceleration,
which can have numerous causes. If a malfunctioning behavior in the underlying hardware or software of the vehicle’s
propulsion system causes the unintended deceleration, then FuSa processes are responsible for mitigating the risks
involved. However, if the unintended deceleration is caused by a weakness of a sensor, that falls under the purview of
SOTIF.

Given their roles in the safe operation of automated features, incorporating SOTIF and FuSa helps make a vehicle
more appealing to consumers.

The ISO 21448 standard provides automotive manufacturers and their suppliers with best practices to help ensure
that SOTIF is achieved at every stage of a system’s lifecycle.

Hazard analysis and risk assessment

Many of the practices used for achieving SOTIF come from FuSa, such as the hazard analysis and risk assessment
(HARA) done at the beginning of a system’s development. During HARA activity, engineers are challenged to think
about how the combination of hazards and operational scenarios may collectively lead to hazardous events at the
vehicle level.

After the potential hazardous events have been identified, they are evaluated based on three factors:

The severity (S) factor takes into account the potential harm to all endangered people within the scenario,
including the driver and passengers in the vehicles involved, cyclists, pedestrians, and first responders. An
abbreviated injury scale is often used to define the severity, ranging from “no injuries” to “extremely critical or
fatal injuries.”
The exposure (E) factor takes into account how often the scenario for a given hazardous event could occur,
which is rated from “incredible” (rare) to “high probability.”
The controllability (C) factor takes into account how easy it would be for a driver and/or the other people within
the scenario to avoid the hazardous event and is rated from “controllable in general” to “difficult to control.”

Based on the S, E and C ratings for a given hazardous event, a criticality level is calculated using the Automotive
Safety Integrity Level (ASIL) risk classification scheme, which ranges from A to D; ASIL-A is the least stringent, and
1
ASIL-D is the most stringent. A corresponding safety goal is created to address the hazardous event and may include
metrics — known as SOTIF KPIs — that must be met to achieve SOTIF.

https://www.aptiv.com/en/insights/article/what-is-sotif 1/6
7/9/24, 12:06 PM What Is SOTIF?

Deriving safety requirements

The safety goals and SOTIF KPIs drive the creation of the SOTIF concept, which comprises requirements that define
the safety measures needed to prevent or mitigate hazardous events.

Like FuSa, SOTIF has an iterative workflow, and utilizes the V-model throughout development. As a result, revisions
are made to the concept, requirements and/or design where appropriate, and tests are run repeatedly until all of the
safety goals, including the SOTIF KPIs, are achieved.

Many of the analysis techniques applied in FuSa can be used to arrive at these safety measures. However, because of
SOTIF’s focus on specification insufficiencies and driver misuse, additional techniques are also required, including
searching for and identifying specific conditions that could trigger potentially hazardous events.

For example, forward-facing camera systems must be able to distinguish lane markings from other marks on the road,
such as tire skids. The appearance of skid marks would be considered a triggering condition, and the limit of the
system’s ability to recognize lane markings would be considered a functional insufficiency.

https://www.aptiv.com/en/insights/article/what-is-sotif 2/6
7/9/24, 12:06 PM What Is SOTIF?

Vehicles must distinguish lane markings from other marks on the road.

Testing on the road and with simulations

Real-world tests and simulations can be performed to characterize components that the system will be using. Even if a
system as a whole has not yet been fully developed, the sensors and actuators within it might be ready, and those
components can be run through different facets of the ODD to try to expose triggering conditions that have not yet
been documented.

Simulations and real-world tests can also be used to understand drivers’ interactions with vehicles in different
scenarios, leading to the definition of additional safety measures. For systems that fall into the range of Levels 0 to 3
on the Society of Automotive Engineers’ six levels of driving automation, the driver is expected to be in control or to
be able to take control of the vehicle (albeit to varying degrees, depending on the level). Therefore, it is critical to
1
determine how to keep the driver properly engaged, how to return their full attention to the task of driving in a safe
amount of time and what types of cues are needed to facilitate that return.

https://www.aptiv.com/en/insights/article/what-is-sotif 3/6
7/9/24, 12:06 PM What Is SOTIF?

Continuous testing, integration and deployment

Even after the vehicle is in operation, maintaining SOTIF through software updates is essential to keeping up with the
changing world. Advancements in over-the-air updates open the door to continuous improvements but require
software development environments that can enable the seamless verification, validation and deployment of those
updates to vehicles in the field.

Overall, SOTIF must be practiced hand-in-hand with FuSa to provide a holistically safe system, which is why these
activities are usually carried out by members of the same team. Aptiv’s experience with practicing both of these
disciplines in varying project scopes helps us to develop systems that meet the safety objectives of our customers
over the life of a vehicle.

Share:    

READ MORE ABOUT ADAS

CAREERS

Shape the future of mobility. Join our team to help create vehicles that are safer, greener and more connected.

V I E W R E L AT E D J O B S

SUBSCRIBE

S TAY I N F O R M E D W I T H T H E L AT E S T O N
ADAS

Sign up and we’ll notify you when we post a new

article on ADAS.

Email address

By subscribing, you agree that we may process your

information as described in our Aptiv Privacy Statement.

SUBMIT

MORE LIKE THIS

https://www.aptiv.com/en/insights/article/what-is-sotif 4/6
7/9/24, 12:06 PM What Is SOTIF?

What Is Automotive Functional Safety?

MOBILITY INSIDER

What Is ASIL-D?

MOBILITY INSIDER

What Are Operational Design Domains?

MOBILITY INSIDER

Stay up to date.
Want to keep pace with where mobility is going? Sign up for our Aptiv newsletter here.

S I G N U P T O G E T U P D AT E S

https://www.aptiv.com/en/insights/article/what-is-sotif 5/6
7/9/24, 12:06 PM What Is SOTIF?

Don't worry. We won't flood your inbox or share your email.

https://www.aptiv.com/en/insights/article/what-is-sotif 6/6