Differences in scope to be covered by FuSa and SOTIF standards


While a scope of FuSa is Item, a scope of SOTIF is Vehicle.

It means that Focusing on FuSa is narrower and SOTIF is wider.

When developing a vehicle, the first step specifies the vehicle requirements, and the next step is to design the vehicle architecture to allocate the vehicle functions to the vehicle architecture. The building block that allocates is the item. Divide a single item into smaller pieces and request to supply to multiple suppliers.

It can be seen from this relationship that SOTIF is a higher level standard than FuSa.

SOTIF defines the requirements for vehicles, which can be changed according to the autonomous driving concept (ODD, driving policy etc.).

As for the function of the vehicle, the procedure for allocating to the item will be required, but the ASIL class is determined through the HARA of FuSa.

FuSa defines the requirements for the item and evaluates the ASIL for the requirements.

What is interesting here is that there is also HARA in SOTIF and HARA in FuSa, and the clarification of this will be discussed next.

How I used Medini in the FuSa project


Today I had a chance to introduce Medini tool for FuSa. During my presentation, I thought that it would be a good to post Medini in this blog.

Medini is a very good tool that guide safety engineers/managers to follow functional safety methodology that the tool supports.

When I execute FuSa process, I tried to set up a few principles for FuSa Execution based on FuSa standard. These are as follows;

  1. Safety requirements shall be mapped to building blocks in the equivalent level of  architecture.
    (For example, a TSR shall be mapped to a system component in the system architecture. A SSR shall be mapped to a SW component in the SW architecture. A HSR shall be mapped to a HW component in the HW architecture)
  2. Building blocks in Architecture can be traceable to FMEA/FTA.
    (if any missing building blocks are found, then it can be considered that it is not complete)
  3. Boundary between System/HW/SW shall be clear. they shall not be overlapped.

Medini can import Enterprise architecture. Safety Engineers need to learn how the tool imports architecture model. It means that imports can fail if architect don’t understand the import mechanism and draws his own way.

When I use this medini for the first time, I tried to manage requirements using Medini, but I learned that there are many better options that I can choose. But Architecture based safety analysis(FMEA/FTA) is still better than any other. So I recommend to use this approach. I bet it helps.

Why do we need SOTIF?


Recently, I’m learning about SOTIF and I have many questions. So I thought that it would be a good if I ask a question to me and answer the question by myself. So the title is my 1st question. Why do we need SOTIF?

I guess many functional safety experts got lessons that ISO26262 is not enough to achieve functional safety. ISO26262 is a good standard to focus on E/E systems with safety requirements identifications by both hazard analysis/Risk Assessment and safety analysis.

But it is very hard to achieve safety if safety requirements are poorly identified, or safety engineers pretend that safety requirements identificatrion is finished even though it is not enough. SOTIF is in progress to cover this problem, but I’m not sure if it can be resolved….anyway.

By the way, I’d like to introduce CNS/ATM(Communication Navigation Surveillance/ Air Traffic Management) domain to get an insight how their functional safety related process are developed. To do this, I cite a paper whose title is “Evaluation of air traffic management procedures—safety assessment in an experimental environment”

The whole set of ATM services can be seen as a single system: there is a large number of elements (human and organizational actors, but also hardware components) and multiple interactions are taking place between them, with feedback loops and complex causal dependencies. What we deem relevant in this definition is the parallel with natural systems (as opposed to mechanical ones). A natural system is largely unpredictable (non-deterministic) and self-producing the causes of its own development. Each part has to be described on its own (because of its own peculiar behavior), but it is also necessary to refer to the interactions with other system’s elements. This causes the system behavior to be to a certain extent unpredictable and far from perfectly known. Unexpected interactions may occur and, in addition, the system behavior can be affected by external factors. In case of a local malfunction, failures are likely to spread very quickly to other parts of the system.

In this citation, ATM system consists of E/E system, operators, and operational process. To avoid a confusion about a term ‘system’, I will use it to refer “ATM system”. For “E/E system”, I will use “E/E element” instead.

A long time ago, there are many E/E elements in the CNS/ATM systems and they are not integrated. As there is a dramatic improvement in the computing technology, old-fashioned E/E can be smarter and they can be integrated. It essentially leads E/E element to take many activities that should be performed by human, and consequently leads to change operational process.

3 elements in the CNS/ATM system are E/E element, operational process, and operators(or human factor). As machines are getting smarter, there is a need to cover operational process and human factor to reduce catastrophic events. Advanced E/E can reduce accident by human factor by agumenting human’s situation awareness power.

In the CNS/ATM domain, there is a FuSa standard for E/E element, but there is also another standard for overall system. The process perspective, there is a hierarchy between the two. a standard for overall system is a higher than a standard for E/E element. That was a trend in the CNS/ATM system.

Back to Automotive, SOTIF is to cover operational process and human factor. So I thought that SOTIF will make higher layer of ISO26262 process. and I expected that SOTIF will make a higher process like a ConOps(operation concepts, or new driving procedures for automated driving) in the CNS/ATM.

But so far, the standard in progress is deviated from my thought. I will follow how their relation will be. Maybe, there is a reason that I don’t know.