Recently, I have been learning about SOTIF and I have many questions. So I thought it would be good to pose a question to myself and then answer it myself. The title is my first question: why do we need SOTIF?
I guess many functional safety experts have learned that ISO 26262 is not enough to achieve functional safety. ISO 26262 is a good standard for E/E systems: it identifies safety requirements through both hazard analysis and risk assessment and safety analysis.
But it is very hard to achieve safety if safety requirements are poorly identified, or if safety engineers pretend that safety requirement identification is finished even though it is not sufficient. SOTIF is being developed to cover this problem, but I’m not sure whether it can be resolved. Anyway.
By the way, I’d like to introduce the CNS/ATM (Communication, Navigation, Surveillance / Air Traffic Management) domain to get an insight into how its functional-safety-related processes have developed. To do this, I cite a paper titled “Evaluation of air traffic management procedures—safety assessment in an experimental environment”:
The whole set of ATM services can be seen as a single system: there is a large number of elements (human and organizational actors, but also hardware components) and multiple interactions are taking place between them, with feedback loops and complex causal dependencies. What we deem relevant in this definition is the parallel with natural systems (as opposed to mechanical ones). A natural system is largely unpredictable (non-deterministic) and self-producing the causes of its own development. Each part has to be described on its own (because of its own peculiar behavior), but it is also necessary to refer to the interactions with other system’s elements. This causes the system behavior to be to a certain extent unpredictable and far from perfectly known. Unexpected interactions may occur and, in addition, the system behavior can be affected by external factors. In case of a local malfunction, failures are likely to spread very quickly to other parts of the system.
In this citation, the ATM system consists of E/E systems, operators, and operational processes. To avoid confusion about the term ‘system’, I will use it to refer to the “ATM system”. For “E/E system”, I will use “E/E element” instead.
A long time ago, there were many E/E elements in CNS/ATM systems and they were not integrated. With the dramatic improvement in computing technology, old-fashioned E/E elements can become smarter and can be integrated. This leads E/E elements to take over many activities that used to be performed by humans, and consequently changes the operational process.
The three elements of the CNS/ATM system are E/E elements, operational processes, and operators (the human factor). As machines get smarter, there is a need to cover the operational process and the human factor in order to reduce catastrophic events. Advanced E/E elements can reduce accidents caused by the human factor by augmenting the operators’ situational awareness.
In the CNS/ATM domain, there is a FuSa standard for E/E elements, but there is also another standard for the overall system. From a process perspective, there is a hierarchy between the two: the standard for the overall system sits above the standard for E/E elements. That was the trend in the CNS/ATM system.
Back to automotive: SOTIF is meant to cover the operational process and the human factor. So I thought SOTIF would form a higher layer above the ISO 26262 process, and I expected it to define a higher-level process, like a ConOps (concept of operations, or new driving procedures for automated driving) in CNS/ATM.
But so far, the standard in progress has deviated from my expectation. I will follow how their relationship develops. Maybe there is a reason that I don’t know.