Abstract:Driving Automation Systems (DAS) are subject to complex road environments and vehicle behaviors and increasingly rely on sophisticated sensors and Artificial Intelligence (AI). These properties give rise to unique safety faults stemming from specification insufficiencies and technological performance limitations, where sensors and AI introduce errors that vary in magnitude and temporal patterns, posing potential safety risks. The Safety of the Intended Functionality (SOTIF) standard emerges as a promising framework for addressing these concerns, focusing on scenario-based analysis to identify hazardous behaviors and their causes. Although the current standard provides a basic cause-and-effect model and high-level process guidance, it lacks concepts required to identify and evaluate hazardous errors, especially within the context of AI. This paper introduces two key contributions to bridge this gap. First, it defines the SOTIF Temporal Error and Failure Model (STEAM) as a refinement of the SOTIF cause-and-effect model, offering a comprehensive system-design perspective. STEAM refines error definitions, introduces error sequences, and classifies them as error sequence patterns, providing particular relevance to systems employing advanced sensors and AI. Second, this paper proposes the Model-based SOTIF Analysis of Failures and Errors (MoSAFE) method, which allows instantiating STEAM based on system-design models by deriving hazardous error sequence patterns at module level from hazardous behaviors at vehicle level via weakest precondition reasoning. Finally, the paper presents a case study centered on an automated speed-control feature, illustrating the practical applicability of the refined model and the MoSAFE method in addressing complex safety challenges in DAS.

What problem does this paper attempt to address?

### Problems the paper attempts to solve This paper aims to solve the safety problems in the Autonomous Driving System (DAS), especially the safety failures caused by complex road environments and vehicle behaviors. With the wide application of Advanced Driver - Assistance Systems (ADAS) and Autonomous Driving Systems (ADS) in vehicles, the safety of these systems has become particularly important. However, although the existing SOTIF standard (ISO 21448:2022) provides a basic causal model and high - level process guidance, it is insufficient in identifying and evaluating potential dangerous errors introduced by sensors and Artificial Intelligence (AI). Specifically, the paper attempts to solve the following problems: 1. **Deficiencies of the existing SOTIF standard**: - The existing standard lacks detailed definitions and classifications of dangerous errors, especially in the AI context. - There is a lack of specific system architecture analysis methods to identify potential functional deficiencies. - There is no detailed guidance to evaluate the severity of the identified hazards. 2. **Identification and evaluation of complex error patterns**: - Errors introduced by sensors and AI have complex variation patterns in time and space, which may lead to potential safety risks. - For example, an AI - based target detector may have a False Negative (FN) detection in a certain sensor frame. A single FN may not cause a safety risk, but if it is repeated multiple times when approaching an obstacle, it may lead to a collision. ### Main contributions of the paper To make up for the above deficiencies, the paper makes two key contributions: 1. **SOTIF Temporal Error and Failure Model (STEAM)**: - **Refined error definition**: STEAM improves the definition of error, introduces the concept of error sequence, and classifies it into error sequence patterns. - **Introduction of Hazardous Behavior Pattern (HBP)**: At the vehicle level, STEAM defines the Hazardous Behavior Pattern (HBP), which is used to describe the degree and time distribution of vehicle behavior deviating from the expected behavior under specific scenario conditions. - **Introduction of Hazardous Error Pattern (HEP)**: At the component level, STEAM defines the Hazardous Error Pattern (HEP), which is used to describe the error sequence caused by component functional deficiencies and its time distribution. - **Classification of scenario conditions**: STEAM classifies scenario conditions according to their roles in the causal chain, which helps to gradually refine the scenario and system behavior models for safety analysis. 2. **Model - based SOTIF Analysis of Failures and Errors (MoSAFE)**: - **Model - based method**: MoSAFE uses the system design model, scenarios, and harmful events to derive causal error and failure models in specific scenarios. - **Weakest pre - condition analysis**: Through the weakest pre - condition analysis, the hazardous error sequence patterns at the module level are derived from the hazardous behaviors at the vehicle level, allowing for probability analysis of error occurrence, especially in the context of sensors and AI. - **Derivation of safety requirements**: MoSAFE also allows for the derivation of safety requirements for AI component performance as the upper limit of the hazard occurrence rate, and the results of MoSAFE can be used as evidence for safety cases. ### Practical application cases The paper demonstrates the effectiveness and applicability of the STEAM and MoSAFE methods in practical applications through a case study of the automatic speed control function. This case study illustrates how to use these methods to identify and evaluate complex DAS safety challenges. ### Summary In general, by introducing the STEAM and MoSAFE methods, this paper fills the gaps in the existing SOTIF standard in identifying and evaluating complex error patterns introduced by sensors and AI, and provides a more comprehensive and detailed analysis framework for the safety of autonomous driving systems.

STEAM & MoSAFE: SOTIF Error-and-Failure Model & Analysis for AI-Enabled Driving Automation

Control Model of Automated Driving Systems Based on SOTIF Evaluation

A Survey on an Emerging Safety Challenge for Autonomous Vehicles: Safety of the Intended Functionality

Inherent Diverse Redundant Safety Mechanisms for AI-based Software Elements in Automotive Applications

Safety design concepts for statistical machine learning components toward accordance with functional safety standards

Model Predictive Instantaneous Safety Metric for Evaluation of Automated Driving Systems

Runtime unknown unsafe scenarios identification for SOTIF of autonomous vehicles

Road to safe autonomy with data and formal reasoning

SOTIF Entropy: Online SOTIF Risk Quantification and Mitigation for Autonomous Driving

Integrated Modular Safety System Design for Intelligent Autonomous Vehicles

Analysis of Functional Insufficiencies and Triggering Conditions to Improve the SOTIF of an MPC-based Trajectory Planner

Complying with ISO 26262 and ISO/SAE 21434: A Safety and Security Co-Analysis Method for Intelligent Connected Vehicle

Comprehensive Assessment of Artificial Intelligence Tools for Driver Monitoring and Analyzing Safety Critical Events in Vehicles

A framework of safety analysis with temporal feature based on MBSA and case study for ACC system

A Runtime Safety Analysis Concept for Open Adaptive Systems.

Security-Informed Safety Analysis of Autonomous Transport Systems Considering AI-Powered Cyberattacks and Protection

A Formally Verified Fail-Operational Safety Concept for Automated Driving

MOSAT: Finding Safety Violations of Autonomous Driving Systems Using Multi-Objective Genetic Algorithm.

Ergo, SMIRK is safe: a safety case for a machine learning component in a pedestrian automatic emergency brake system

Identifikation auslösender Umstände von SOTIF-Gefährdungen durch systemtheoretische Prozessanalyse

A Safe Control Architecture Based on a Model Predictive Control Supervisor for Autonomous Driving