
SOTIF – Field Monitoring Process

The SOTIF activities prior to release are aimed at reducing the risk of the feature or function to an acceptable level at the time of SOTIF release. After SOTIF release, however, the original risk evaluation may need to be revisited, for example when one or more of the following occurs:

  • A previously unidentified hazard is discovered post release during operation of the feature or function.
  • A previously unidentified functional insufficiency and/or triggering condition is uncovered post release during operation of the functionality.
  • Assumptions such as environmental conditions or traffic regulations change compared with those defined during development of the functionality.

To support this risk re-evaluation of the feature or function post release, a field monitoring process is recommended to maintain the SOTIF during the operational phase of the ADF. This process should be defined before release of the ADF. The process should be tailored to the level of driving automation involved, the complexity of the intended functionality and the criticality of the hazards. For lower levels of driving automation, market observation can be sufficient (for example, tracking safety incidents or lessons learnt). For higher levels of driving automation, additional means can be necessary, such as a Data Storage System for Automated Driving / Event Data Recorder (DSSAD/EDR).

The topics for observation can include, but are not limited to:

  • Incidents where the functionality has caused or has had the potential to cause harm, or where the functionality has exceeded defined values which might lead to harm in a different situation.
  • Publicly available incidents or relevant lessons learnt.
  • Changes in environmental conditions or traffic regulations that could affect the SOTIF and might lead to the reconsideration of the SOTIF evaluation (ISO 21448, 2022).
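The following is an added example of how the three observation topics above can be turned into an automated triage step over DSSAD/EDR-style field records. It is not part of ISO 21448 or of this page; the record format, the field names (`min_ttc_s`, `visibility_m`, `traffic_rules_version`, ...), the threshold values in `RELEASE_ASSUMPTIONS` and the sample records are all constructed for illustration. Each record is checked against the defined values and assumptions captured at release, and every finding is tagged with the observation topic it belongs to, so the output can feed the re-evaluation decision directly.

```python
"""Field-monitoring triage for an ADF (illustrative example, not ISO 21448 text)."""
import json
from collections import Counter
from dataclasses import dataclass
from math import inf

# Defined values and assumptions recorded at SOTIF release.
# Hypothetical numbers; a real ADF would take these from its ODD specification.
RELEASE_ASSUMPTIONS = {
    "max_speed_kph": 130,               # ODD upper speed bound
    "min_visibility_m": 200,            # assumed environmental condition
    "min_ttc_s": 1.5,                   # defined time-to-collision floor
    "traffic_rules_version": "EU-2022", # regulation set assumed at release
    "known_triggering_conditions": {"low_sun_glare", "faded_lane_markings"},
}

# Constructed DSSAD/EDR-style records (JSON lines); not real vehicle data.
SAMPLE_RECORDS = """
{"event_id": "E1", "speed_kph": 110, "visibility_m": 500, "min_ttc_s": 3.2, "collision": false, "triggering_conditions": [], "traffic_rules_version": "EU-2022"}
{"event_id": "E2", "speed_kph": 120, "visibility_m": 450, "min_ttc_s": 0.9, "collision": false, "triggering_conditions": ["low_sun_glare"], "traffic_rules_version": "EU-2022"}
{"event_id": "E3", "speed_kph": 95, "visibility_m": 600, "min_ttc_s": 2.5, "collision": false, "triggering_conditions": ["temporary_roadworks_markings"], "traffic_rules_version": "EU-2022"}
{"event_id": "E4", "speed_kph": 110, "visibility_m": 80, "min_ttc_s": 2.8, "collision": false, "triggering_conditions": [], "traffic_rules_version": "EU-2024"}
{"event_id": "E5", "speed_kph": 142, "visibility_m": 500, "min_ttc_s": 2.1, "collision": false, "triggering_conditions": [], "traffic_rules_version": "EU-2022"}
"""


@dataclass(frozen=True)
class ReviewTrigger:
    kind: str       # observation topic that fired
    event_id: str   # record that produced it
    detail: str     # value or condition seen


def parse_records(jsonl: str) -> list[dict]:
    """Parse JSON-lines field records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(records: list[dict], assumptions: dict = RELEASE_ASSUMPTIONS) -> list[ReviewTrigger]:
    """Check each record against the release-time defined values and assumptions."""
    triggers = []
    known_tcs = assumptions["known_triggering_conditions"]
    for r in records:
        eid = r["event_id"]
        # Topic 1a: harm, or potential harm (TTC fell below the defined floor).
        if r.get("collision") or r.get("min_ttc_s", inf) < assumptions["min_ttc_s"]:
            triggers.append(ReviewTrigger("harm_or_near_harm", eid, f"min_ttc_s={r.get('min_ttc_s')}"))
        # Topic 1b: a defined value exceeded; harmless here, not necessarily elsewhere.
        if r.get("speed_kph", 0) > assumptions["max_speed_kph"]:
            triggers.append(ReviewTrigger("exceeded_defined_value", eid, f"speed_kph={r['speed_kph']}"))
        # Topic 2: a triggering condition not seen during development is a
        # candidate functional insufficiency and needs analysis.
        for tc in r.get("triggering_conditions", []):
            if tc not in known_tcs:
                triggers.append(ReviewTrigger("unknown_triggering_condition", eid, tc))
        # Topic 3: environmental or regulatory assumptions no longer hold.
        if r.get("visibility_m", inf) < assumptions["min_visibility_m"]:
            triggers.append(ReviewTrigger("assumption_change", eid, f"visibility_m={r['visibility_m']}"))
        if r.get("traffic_rules_version") != assumptions["traffic_rules_version"]:
            triggers.append(ReviewTrigger("assumption_change", eid,
                                          f"traffic_rules_version={r.get('traffic_rules_version')}"))
    return triggers


def summarize(triggers: list[ReviewTrigger]) -> Counter:
    """Count findings per observation topic for the re-evaluation report."""
    return Counter(t.kind for t in triggers)


def needs_reevaluation(triggers: list[ReviewTrigger]) -> bool:
    """Any finding means the release-time risk evaluation must be revisited."""
    return bool(triggers)


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_RECORDS))
    for t in found:
        print(t)
    print(dict(summarize(found)), "re-evaluate:", needs_reevaluation(found))
```

Run on the constructed sample, E1 produces nothing, E2 is a near miss, E3 carries an unknown triggering condition, E4 violates two assumptions at once (visibility and regulation version), and E5 exceeded the ODD speed bound without harm. Keeping the findings tagged by topic is what makes the output usable for the re-evaluation question: each tag maps to a different follow-up (hazard analysis, triggering-condition analysis, or revision of the ODD assumptions).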

Main Question:

1) Has a field monitoring process to maintain the SOTIF during the operational phase of the ADF been defined before release?

Sub-Questions:

  1. Will the field monitoring process be executed to maintain the achievement of the SOTIF during the operation phase?
  2. Is the field monitoring process commensurate with the level of driving automation involved, the complexity of the intended functionality and the criticality of the hazards?

References