SOTIF: Safety of the Intended Functionality

• SOTIF is a regulatory standard (ISO 21448) that defines safe automated driving by mitigating risks from performance limitations and foreseeable misuse.
• It employs expert-driven models, Bayesian networks, and simulation-based testing to systematically identify triggering conditions and functional insufficiencies.
• Quantitative validation methods, including risk decomposition and performance maps, achieve up to 97.71% warning accuracy in real-world autonomous driving scenarios.

Safety of the Intended Functionality (SOTIF) is a foundational concept and regulatory standard within automated and autonomous driving, formalized as ISO 21448. SOTIF addresses the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse—explicitly covering those safety issues that arise not from discrete faults or malfunctions, but from limitations in sensing, perception, specification, planning, or human interaction, even when systems operate as designed. SOTIF complements conventional functional safety (ISO 26262) by targeting hazards introduced by open-world complexity, incomplete specifications, and edge-case environmental or user conditions that exceed the tested scope of autonomous driving systems.

1. Formal Definition, Scope, and Key Concepts

The standard ISO 21448 defines SOTIF as “the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse.” This scope explicitly covers:

• Hazards arising from gaps in system specification (specification insufficiency);
• Hazards stemming from performance limitations in sensors, perception, prediction, or control modules (performance insufficiency);
• Risks due to human misuse or misunderstanding of system boundaries (e.g., over-reliance, delayed take-over).

SOTIF focuses primarily on Operational Design Domain (ODD) scenarios classified as:

• Area 2: Known, Hazardous
• Area 3: Unknown, Hazardous

The objective is to mitigate both identified and residual risks via design, analytical models, simulation, and empirical test evidence (Patel et al., 4 Mar 2025).

Key terms (ISO 21448 §3 (Czarnecki et al., 2023)):

• Hazardous Behavior (HB): A deviation from intended policy that may lead to harm.
• Triggering Condition (TC): A scenario condition activating a functional insufficiency.
• Functional Insufficiency (FI): Shortcoming in sensor, algorithm, or specification causing risk, even when fault-free (Fu et al., 2024).
• Foreseeable Misuse (FM): Use outside intended scope that can be anticipated by design analysis (Patel et al., 5 Mar 2025).
• Residual Risk: The risk remaining after all known mitigations are applied.

SOTIF’s process encompasses hazard identification, risk assessment, verification, and iterative refinement, extending into the full development cycle of automated driving (Collin et al., 2021, Conrad et al., 2024).

2. Hazard Identification, Triggering Conditions, and Functional Insufficiencies

The identification and systematic modeling of triggering conditions (conditions under which functional insufficiencies can be activated) is a central pillar of SOTIF compliance. Multiple methodologies exist:

• Expert-in-the-loop BN modeling: Scenario factors (weather, occlusion, illumination, road condition, etc.) are causally linked to perception limitations using expert-elicited Bayesian Networks, which are then validated, refined, and expanded through p-value hypothesis testing on real data (Adee et al., 2023, Adee et al., 2023). This process flags rare, high-risk scenes that drive targeted identification of novel triggering conditions.
• Ontological Triggering Condition databases: Standardized taxonomies (e.g., based on ISO 21448 Annex C and BSI 1883) facilitate comprehensive enumeration and scenario-generation for edge-case hazards (e.g., heavy snow, misplaced objects, missing lane markings) (Jiménez et al., 2023, Jiménez et al., 2023).
• Data-driven scenario abstraction: Probabilistic, copula-based modeling of fleet driving data enables empirical quantification of scenario type probabilities, parameter distributions, and sub-population risks for both known and unknown scenario classes (Reichenbächer et al., 2024).

Functional insufficiencies are systematically categorized by the affected module:

• World model (perception/localization): Missed or ghost objects, misclassified road geometry, erroneous maps (Fu et al., 2024).
• Planning/Prediction: Unsafe, indeterminate, or non-human-like motion plans.
• Traffic-rule reasoning: Violations or misinterpretations of codified rules.
• ODD boundaries: Unrecognized environmental or operational boundary violations.

Quantitatively, a risk function can be formalized as: $$R = \sum_{i\in S} \rho(s_i) \cdot P_h(s_i) \cdot \mu(s_i)$$ where $\rho(s_i)$ is hazard severity, $P_h(s_i)$ is the probability of hazardous behavior in scenario $s_i$, and $\mu(s_i)$ reflects real-world scenario frequency (Jiménez et al., 2023, Putze et al., 2023).

3. Quantitative SOTIF Validation and Risk Decomposition

SOTIF validation requires quantitative argumentation that the residual risk is below pre-defined acceptance criteria:

• Risk decomposition approach: System-level accident rate $\lambda$ is decomposed by module, performance limitation, and scenario class: $$\lambda = \sum_{j\in \text{modules}}\sum_{k=1}^N p^{j,k}_{\text{PL}} \cdot p^{j,k}_{E|PL} \cdot p_{C|E} \cdot p_{S|C}$$ where $p_{\text{PL}}$ is the rate of a particular performance limitation, $p_{E|PL}$ the probability of entering a scenario triggering the PL, $p_{C|E}$ the probability that the system cannot control the event, and $p_{S|C}$ the probability that loss of control leads to harm (Yu et al., 17 Jan 2025, Putze et al., 2023).
• Safety requirement allocation: Subsystem- and component-level safety requirements (e.g., maximum acceptable FN rates by object distance, maximum allowable position/velocity error) can be determined (17 m positional error, 10 km/h velocity error, with per-distance-band FN rates $\leq 5.08\times 10^{-6}/\mathrm{h}$ for [0–25 m], etc.) (Yu et al., 17 Jan 2025).
• Performance-limitation maps: Bayesian networks yield spatial maps (PLMs/CPLMs) for the probability of undesired perception failures conditioned on scenario variables; these inform scenario selection and mitigation (Adee et al., 2023).
• Scenario coverage: Coverage metrics quantify the fraction of all identified SOTIF-relevant scenarios exercised in tests, enabling argumentation about both known and unknown risk regions (Jiménez et al., 2023, Jiménez et al., 2023, Reichenbächer et al., 2024).

Acceptance is determined by comparison to standards such as ALARP (As Low As Reasonably Practicable) or MEM (Minimal Endogenous Mortality) (Putze et al., 2023, Yu et al., 17 Jan 2025).

4. SOTIF-Oriented Testing, Verification, and Mitigation

Testing in SOTIF moves beyond statistical pass/fail rates in nominal conditions:

• Closed-loop Hardware-in-the-Loop (HiL) and simulation: Systematically generated scenarios, incorporating edge-case conditions (adverse weather, occlusions, complex interactions), are deployed to exercise full-stack behaviors on real or virtual platforms (Peng et al., 2022, Li et al., 2024, Patel et al., 5 Mar 2025).
• SOTIF Entropy and Online Risk Quantification: Real-time monitoring of perception (epistemic) uncertainty via ensemble-based entropy (e.g., $E_{pe}$ formulas for YOLOv5) allows downstream planners to modulate behavior based on real-time risk levels, propagating uncertainty through potential/safety fields (Peng et al., 2022).
• Architectural mitigation: Redundant channel selection (e.g., the Daruma pattern) dynamically fuses multiple perception/planning stacks, using cross-channel similarity and risk metrics to minimize the probability that all active channels suffer a correlated functional insufficiency (Fu et al., 2024).
• Driver–Vehicle Interface validation: For foreseeable misuse, simulation-based studies (e.g., time-to-takeover, false recognition rates) and quantification with confusion-matrix-derived accuracy (FMEM metrics) are employed (Patel et al., 5 Mar 2025, Patel et al., 5 Mar 2025).
• Rulebooks: Rule-based hierarchies formally encode traffic, comfort, and safety rules as a lexicographically ordered objective, supporting specification, verification, and validation under SOTIF principles (Collin et al., 2021).

5. Methodologies for Triggering Condition Discovery and Modeling

Discovery and modeling of triggering conditions (TCs) is critical for SOTIF assurance:

• Bayesian Causal Networks: Expert-elicited BN structures (nodes: weather, occlusion, reflection, etc.) are parameterized on fully labeled real-world sensor data. p-value hypothesis testing across scenes then flags scenarios where empirical behaviors deviate from modeled probabilities—guiding targeted expert review and iterative TC enrichment (Adee et al., 2023, Adee et al., 2023).
• Simulation-augmented search: First-principles physical sensor models (e.g., LiDAR attenuation/backscatter per fog) together with meta-heuristic scenario generators enable systematic corner-case discovery, identifying root causes and informing mitigation requirements (Li et al., 2024).
• Ontology-Driven Validation Suites: Integration of “Triggering Condition” ontologies into scenario-based validation platforms (e.g., AVL SCENIUS) allows propagation of hazard-centric constraints into test generation, execution, and traceability workflows (Jiménez et al., 2023).
• Long-tail dataset curation and semantic evaluation: Construction of scenario corpora (e.g., PeSOTIF) and benchmarking of both classical and large vision-LLMs specifically on SOTIF-relevant degradations enables empirical mapping of functional boundaries (Zhou et al., 30 Jan 2026, Huang et al., 11 May 2025).

6. SOTIF Process Integration, Limitations, and Research Directions

SOTIF integration into ADS development and deployment faces practical and methodological challenges:

• Process integration: SOTIF-specific analysis, verification, and validation activities must be mapped onto established development lifecycles, methodology handoffs, and safety-case construction. The EooC approach allows component-level SOTIF analysis, with integration requirements handled at the OEM/system level (Conrad et al., 2024).
• Data and coverage: The field currently lacks globally-representative, statistically valid, long-tail scenarios, complicating the quantification of risks in unknown/hard-to-enumerate regions (Patel et al., 4 Mar 2025, Reichenbächer et al., 2024).
• Human factors: Human–machine interaction and foreseeable misuse are only partially addressed, and require improved driver modeling, mode management strategies, and interface design (Patel et al., 5 Mar 2025, Patel et al., 5 Mar 2025).
• Theoretical gaps: Existing SOTIF guidance in ISO 21448 provides limited formalization of temporal error patterns, compositional hazard propagation, and fails to fully incorporate nuanced AI/ML failure modes. Refined causal models (e.g., STEAM and MoSAFE frameworks) advance temporal abstraction of errors, supporting system-to-component mapping and requirement allocation (Czarnecki et al., 2023).
• Future research: Key priorities include scalable SOTIF validation frameworks, scenario-based test optimization, robust uncertainty quantification, ML-aligned safety arguments, and unified risk metrics—alongside better integration of human, ethical, and socio-technical considerations (Patel et al., 4 Mar 2025).

7. Representative Results and Case Studies

Several validation studies and real-world case analyses substantiate SOTIF methodologies:

• Entropy-based online SOTIF risk (YOLOv5): Real-time risk monitoring and planning adjustments yield 97.71% warning accuracy, with HIL and field testing confirming the feasibility of uncertainty-aware decision-making (Peng et al., 2022).
• Redundant channel AD architectures (Daruma): Simulation studies show that in every scenario with a channel-level functional insufficiency, at least one alternate channel was FI-free—demonstrating potential to reduce disengagements by cross-channel dynamic arbitration (Fu et al., 2024).
• 3D object detection under diverse weather: KITTI-format LiDAR datasets with 21 weather/time conditions show state-of-the-art 3D detectors exhibit up to 30% false negative rates in hard scenes (night + rain), indicating concrete, quantifiable SOTIF hazards (Patel et al., 5 Mar 2025).
• Perception system requirements decomposition: Collision-severity and Bayesian methods yield precise quantitative thresholds for allowable perception errors, directly translatable into subsystem/component acceptance criteria and verification plans (Yu et al., 17 Jan 2025).
• Triggering condition discovery via BN hypothesis testing: Expert review and iterative BN refinement, driven by p-value flagged scenes, reduce relevant-scene scores by >20% for key TCs, confirming the efficacy of this SOTIF-aligned workflow (Adee et al., 2023).

SOTIF assurance remains an evolving, integrative domain demanding systematic, scenario-driven risk quantification, continuous coverage expansion, functional and architectural mitigations, and formal evidentiary argumentation. The combined corpus of empirical, analytical, and architectural approaches provides a robust, extensible framework for the safe deployment of advanced driving automation.