Let's Talk
Let's Talk
logotype
Autonomous Systems
Home Archive by Category "Autonomous Systems"

Category: Autonomous Systems

04/11/25

Demystifying SOTIF Acceptance Criteria and Validation Targets – Part 3

In our previous blog entry, we explored the building blocks of acceptance criteria in detail. To make these actionable, we need to know how many hours or miles of virtual and/or real-world testing is needed to be convinced that our Advanced Driver Assistance System (ADAS) or Automated Driving System (ADS) is “safe enough” for large-scale real-world deployment.

In this entry, we will work to translate the SOTIF acceptance criteria at the vehicle level into concrete, testable validation targets at the lower abstraction levels. In upcoming Part 4, we will explore the mathematical frameworks with the help of an example. 

From Acceptance Criteria to Validation Targets: Designing Tests for Known and Unknown Scenarios

Once acceptance criteria are defined and broken down into specific quantitative targets, the next challenge is planning how to validate that the system meets them. This is where validation targets come into play. A validation target is essentially a concrete goal for testing or analysis that, if met, gives confidence that the acceptance criteria are satisfied. ISO 21448:2022 makes it very clear – validation targets are the bridge between establishing theoretical criteria and showcasing real-world evidence.

Defining Validation Targets

The SOTIF standard does not prescribe one universal approach to set validation targets – it varies depending on the validation method used. For each method (whether it’s virtual simulation, controlled track testing, real-world driving, analytical modeling, etc.), you should determine an appropriate scope and depth/ effort of testing. For instance, if virtual simulation is a chosen method, a validation target might be running a certain number of randomized simulations covering diverse operational scenarios. If track testing is leveraged, the target might be a specific number of hours of testing under pre-defined scenarios/ maneuvers. The key is that there must be a rationale connecting that effort to the acceptance criteria. It’s simply not enough to say “we’ll test our ADS-equipped vehicle for 100 hours” – you need to explain why 100 hours is sufficient given the acceptance criteria (perhaps based on statistical confidence arguments like the one above, or based on coverage of scenarios).

We must carefully consider factors like the number of relevant scenarios, the distribution of test cases, and distance or time driven while testing when formulating validation targets. For instance, if our acceptance criterion is about the rate of a certain false positive (FP) event like unintended AEB activation, our validation target might be something along the lines of “demonstrate fewer than X false positives in Y miles of driving”. This ties directly to evidence – drive Y miles (in real or simulated environments) and count the occurrences of that hazardous event/ behavior.

Known vs Unknown Hazard Scenarios

In Part 1, we introduced the concept of SOTIF “Scenario Area 2” (known hazardous scenarios) and “Area 3” (unknown hazardous scenarios). These areas influence how we approach validation targets:

  • For known hazardous scenarios (Area 2), the acceptance criteria for those scenarios are explicitly defined. We know what can go wrong and how often we’ll accept it. Validation targets here typically involve designing specific test cases to replicate those hazardous scenarios and show the system can handle them or that their occurrence is below an acceptable threshold. For instance, if a known hazardous scenario is “a pedestrian crossing at night on an unlit road in front of the ego vehicle” and our acceptance criterion is that our vehicle must avoid collision in 99 out of 100 such encounters, then our validation target might be to actually test 100 instances of that scenario (or use appropriate statistical tests) and confirm at most 1 collision. Essentially, you challenge the ADAS/ADS system directly with the known challenging situations and see if it meets the acceptance criteria.
  • For unknown hazardous scenarios (Area 3), by definition we don’t have a complete list – there are going to be edge case situations or rare combinations of environmental/ operational factors that weren’t identified during development. Here, acceptance criteria have to naturally be broader (e.g., “the residual risk from encountering unknown scenarios must be sufficiently low”) without a specific numeric target per scenario. Instead of a preset threshold per scenario, the validation target often takes the form of a testing campaign objective. An approach described in Annex C of the ISO 21448 standard is to iteratively expand the test space until the rate of finding new unique hazardous scenarios drops to an acceptably low level. The idea is that by aggressively testing varied scenarios (through virtual simulation, fuzzing sensor inputs, performing combinatorial variation of environmental factors, etc.), we gain confidence that if there were easy-to-trigger unknown hazards, we would have found them. If we don’t find any after extensive testing, we infer that remaining unknown risks are very unlikely to occur in real-world operation.

In practice, a combination of structured (deterministic) tests and stochastic exploration is used. Structured tests target the known scenario triggering conditions and associated functional insufficiencies, while stochastic or varied testing searches for unknown problems. For example, we could use a large-scale simulation setup to generate thousands of random traffic scenarios within our Operational Design Domain (ODD). A validation target might be set like: “Run 1 million miles worth of randomized simulation covering varied ODD conditions and observe no hazardous events beyond a frequency of Z”.

Coming Back to Acceptance Criteria

No matter the approach we pursue, every validation target must ultimately support an argument that the acceptance criterion is met. Let’s say our acceptance criterion was the earlier example “The AEB-equipped vehicle should have no more than one unintended emergency braking incident per 100,000 miles”. Then, a corresponding validation strategy might be — use a combination of field testing and simulation to accumulate, say, 200,000 miles of driving exposure across diverse scenarios, including those most likely to cause crashes with trailing vehicles, and observe zero such collisions. Statistically, this outcome would provide strong evidence that the true collision rate is below 1 per 100,000 miles (with some confidence level). 

Researchers from RAND have noted that demonstrating extremely low collision rates by driving alone requires enormous mileage – potentially hundreds of millions of miles – if we wait for actual crashes to measure safety. Therefore, validation targets often leverage accelerated testing in simulation or controlled proving grounds to accumulate the equivalent exposure needed. By focusing on the hazardous behaviors (like unintended braking or missed detections) rather than actual collisions, we can drastically reduce the testing time and mileage required.

It’s also common to break down validation targets by subsystem or component. For example, one acceptance criterion might be at the vehicle level (“less than X hazardous events per hour of driving”), but validation targets to support it could include things like: “the perception system must detect pedestrians with at least 99.9% accuracy, the braking system must respond within Y milliseconds 99.99% of the time”, etc. Each of these component-level validation targets provides evidence that, in combination, the overall system meets the top-level acceptance criteria.

Importance of Iterations

Safety assurance is always an iterative process. As product development progresses, new insights or incident data will emerge, requiring updates to acceptance criteria and/or validation targets. The SOTIF process workflow is meant to be repeated several times for successful outcomes. 

Verification and Validation results in functional modifications (to be interpreted as design improvements) per ISO 21448:2022, Clause 8. All the while, keeping solid documentation of the rationales, the achieved test coverage, and the results is crucial. In the end, a SOTIF safety argument for release will reference these acceptance criteria and validation outcomes to show that the residual risk is as low as required and no unreasonable risk remains. 

At SRES, we use the following thought-starters while specifying validation targets:

  • What are specific and measurable objectives that will demonstrate our system meets defined acceptance criteria?
  • What types of scenarios will we use for testing, and how can we ensure comprehensive coverage of the operational design domain (ODD)?
  • How can we define test scenarios that expose potential limitations of the system?
  • How will we utilize both real-world and simulation environments for validation? What is an appropriate split?
  • How will we allocate the test effort across different validation activities?
  • For unknown scenarios, how can we ensure that the residual risk meets acceptance criteria with sufficient confidence?

In this and the previous blog entry, we only briefly touched on the mathematical frameworks that underpin the correct specification of acceptance criteria and validation targets. In Part 4, we will discuss the mathematical approaches used in the standard for developing defensible validation targets to meet acceptance criteria with the help of a simplified example.

Want to learn more? 

Register for our SOTIF (ISO 21448) training: https://sres.ai/training/iso-214482022-safety-of-the-intended-functionality-sotif-training-sgs-tuv-saar/

Reach out to us about our hands-on consulting offerings: https://sres.ai/consulting/automotive/autonomous-product-development/

READ MORE
02/27/25

Demystifying SOTIF Acceptance Criteria and Validation Targets – Part 2

In the first entry of our blog series, we introduced the concepts of acceptance criteria and validation targets in the context of ISO 21448:2022 (Safety of the Intended Functionality, or SOTIF). We discussed how these elements help determine whether an Advanced Driver Assistance System (ADAS) or Automated Driving System (ADS) is “safe enough” for real-world deployment at scale.

In the next two blog entries, we will get into the building blocks that underpin these acceptance criteria and validation targets. In Part 2, we will explore the high-level frameworks for setting risk thresholds and acceptance criteria. In Part 3, we will work to translate the abstract objectives in the standard into concrete, testable validation targets.

From Residual Risk to Acceptance Criteria: Establishing “Safe Enough”

An acceptance criterion in SOTIF defines what level of residual risk is considered acceptable after all feasible SOTIF safety measures i.e., functional modifications have been applied. In other words, it sets the bar for how safe the system needs to be before it can be released. These criteria are crucial because they describe what it means to not pose an unreasonable risk. According to ISO 21448, formulating acceptance criteria should take into account several factors, including relevant existing regulations, the performance of similar existing functions, and even the performance of a very competent human driver. 

For example, if an existing lane-keeping assist system (LKAS) is known to have a certain safety performance, an organization might set its next generation system’s acceptance criteria to meet or exceed that existing benchmark. Likewise, if local traffic laws and/or regulations specify certain safety targets (e.g., a maximum allowed rate of undesired functionality), those become baseline considerations while specifying the acceptance criteria.

The ISO 21448 standard emphasizes that we must judge the risk acceptability from the perspective of all who might be exposed to the risk – including the vehicle occupants, other road users, pedestrians. Ultimately, an acceptance criterion should reflect that the risk posed by the ADAS and ADS is not unreasonable for them. In practice, this often means aiming for a level of safety performance for the ADAS or ADS that is comparable to or better than that of human drivers under similar operational conditions. Of course, the automotive industry is not the first to grapple with this type of problem right?

Risk Tolerability Frameworks

The SOTIF standard points to established risk tolerability principles to help justify and structure acceptance criteria. These principles come from decades of safety engineering experience and provide high-level yardsticks for “how safe is safe enough.” Four key frameworks highlighted in ISO 21448 are:

1. GAMAB (Globalement Au Moins Aussi Bon)

French for “globally at least as good.” This principle essentially dictates that a newly introduced system must not be more dangerous than the existing state of the art. In other words, the residual risk associated with the ADAS or ADS must be no higher than the risk from comparable human-driven vehicles or previous-generation systems. Simply, introduction of new technology shouldn’t make things worse. If human drivers have on average, for instance, one harmful accident per million miles of driving, an automated system following the GAMAB principle should target at most one (but preferably fewer) harmful accidents per million miles of operation.

2. ALARP (As Low As Reasonably Practicable)

ALARP is a classic risk management approach widely used in industries like Railways and Oil & Gas. It acknowledges that while zero risk is unachievable, we should work to reduce risk as much as is reasonably practicable and that further risk reduction would require effort or cost grossly disproportionate to the safety benefit gained. Under ALARP principle, an acceptance criterion might be set to a level where any further improvement would impose unreasonable cost or technical burden relative to the incremental risk reduction achieved. This framework is particularly useful for novel technologies where clear regulatory limits may not exist – it forces us to carefully weigh the residual risk versus the effort to mitigate that risk.

3. MEM (Minimum Endogenous Mortality)

The MEM principle says a new technology should not significantly increase the natural background risk of death in society. It’s a more abstract safety benchmark – it derives acceptable risk levels by looking at the lowest levels of mortality that society experiences from natural causes, and insists that the technology-induced risk must be of the same order of magnitude or lower. For instance, if in a given society the chance of death from natural causes is X per hour of exposure, an automated driving system’s contribution to fatality risk should be well below X per hour. This principle sets a very stringent bar, effectively saying the electrical/ electronic or software system should not make being alive noticeably riskier than it already is. This is the underpinning risk framework we use in ISO 26262 for automotive functional safety.

4. Positive Risk Balance (PRB)

This principle takes a holistic view – a new autonomous system can be deemed acceptable even if it slightly increases certain specific risks, provided that it decreases other risks enough to yield an overall net safety benefit. Basically, all changes in risk are weighed together. For example, an ADS might introduce a new type of hazard, but if it greatly reduces occurrence of common human driver errors, the total risk might still be lower for the introduction of the system. PRB allows such trade-offs, ensuring that the overall balance of risk is still “positive” (i.e. safety-improving). 

While they may seem intimidating at first, it’s important to remember that these risk frameworks are not mutually exclusive –- they often converge to similar numeric targets for risk acceptance. In fact, standards from other domains (e.g., railway standard EN 50126-2) discuss these principles in detail and we at SRES have worked over the past 10+ years to interpret them for ADAS/ ADS applications.

These risk frameworks serve as rationale to justify why a chosen acceptance criterion is defensible. For example, a company might claim: “Our virtual driver is at least as safe as a human driver (GAMAB) and we’ve reduced risk to ALARP; therefore, our residual risk is acceptable.” Using a combination of these frameworks helps make the case that the acceptance criteria aren’t simply arbitrary, but grounded in generally accepted safety thinking.

Good Data is Everything

In addition to these risk tolerability principles, ISO 21448 pushes development teams to consider credible and concrete data sources while specifying acceptance criteria. These may include but are not limited to real-world traffic accident statistics and performance data from similar systems. If adequate field data exists for how often a certain hazardous behavior occurs in today’s human-operated vehicles, that data can be used to directly inform what “acceptable” looks like for the new system. 

For example, you might have data that in a given country, human-driven vehicles experience, say, one unintended emergency braking incident per 100,000 miles on average. By examining how frequently rear-end crashes occur in human driving, we can set a benchmark for the maximum allowable frequency of such crashes with ADAS engaged. This statistic can help us formulate a baseline acceptance criterion: “The AEB-equipped vehicle should have no more than one unintended emergency braking incident per 100,000 miles”. Using a GAMAB risk framework, an AEB system should demonstrate at least the same performance. This can also be phrased as a probability or rate (e.g., probability of a rear-end collision < 1 per 1E5 miles). In SOTIF terms, this is an acceptance criterion on residual risk – it quantifies the maximum risk we are willing to accept as a society for that hazard. It’s important to remember that SOTIF focuses on hazardous behaviors arising from functional insufficiencies, not random hardware failures – so these criteria relate to things like the frequency of false positive detections of obstacles or inappropriate system response in complex driving scenarios.

As we noted in Part 1 of this blog series, not all acceptance criteria need to be expressed purely as probabilities or rates. Some acceptance criteria might remain qualitative (e.g., “the vehicle’s responses should be perceived as intuitive by expert drivers”). However, even qualitative goals must get translated into quantitative proxies for SOTIF verification. For instance, “intuitive responses” might be partially verified by measuring the frequency of critical interventions by safety drivers or the frequency of disengagements during vehicle testing. The ISO 21448 standard encourages quantification wherever feasible, as quantitative targets enable clear evidence of achievement of safe performance. When quantitative acceptance criteria are chosen, they must come with a rationale – typically based on the principles and data sources we discussed (regulations, human performance, GAMAB/ALARP/MEM, field statistics).

At SRES, we use the following thought-starters while specifying acceptance criteria:

  • Have we systematically identified all potential hazards arising from the intended functionality at the vehicle level?
  • Have we considered both functional insufficiencies and reasonably foreseeable misuse?
  • What parameters define hazardous behavior for the system, and how can we quantify them?
  • What is an acceptable level of residual risk, considering regulations, market standards, and the potential for harm?
  • What existing data or benchmarks can inform our acceptance criteria?
  • Are there specific accident statistics or traffic analyses/ data we should be referencing?

Setting SOTIF acceptance criteria is not guesswork, but rather a careful choice informed by established safety principles and lots and lots of real-world data. These criteria help us as an engineering community to draw a line in the sand for what is considered “safe enough” in terms of residual risk. Validation targets make these acceptance criteria actionable – they specify how much evidence (in terms of test miles, scenario coverage, statistical confidence, etc.) we need to collect to convince ourselves and our users that our ADAS/ADS system meets the safety benchmark.

In our next entry, we will perform a similar deep dive into the specification of validation targets.

READ MORE
12/16/24

Autonomous Vehicles and Explainable AI (XAI): A Fresh Look

Explore the challenges of Explainable AI (XAI) in Autonomous Vehicles and how ISO standards like ISO/PAS 8800:2024 and ISO/IEC 42001:2023 provide process-based solutions for transparency and assurance.

READ MORE
01/21/25

Demystifying SOTIF Acceptance Criteria and Validation Targets – Part 1

We will discuss the basic concepts of SOTIF acceptance criteria and validation targets per ISO 21448:2022

READ MORE
12/03/24

Interplay between ISO 21448 and ISO 8800 for Autonomous Systems

How do ISO 21448 and ISO 8800 complement each other to enhance safety in autonomous systems? Learn how these standards tackle functional and AI-specific challenges.

READ MORE
11/07/24

October 2024 Recap: How is AI and Autonomy doing?

In August of this year, the EU AI Act was enacted into law. Starting in 2025, enforcement will begin with substantial non-compliance fines, potentially reaching tens of millions of euros.

READ MORE
02/03/25

SOTIF and FuSa Coupling

SOTIF and Functional Safety are distinct but have key areas of overlap. Understanding these connections can make applying SOTIF less daunting.

READ MORE
01/07/25

Requirements as She is Spoke

Learn how to write precise, verifiable requirements by using clear language, removing ambiguity, and ensuring consistency across technical teams.

READ MORE
04/28/24

Digging into the ISO/IEC 5469:2024 – Artificial intelligence: Functional safety and AI systems standard

The ISO/IEC 5469:2024 standard was released in January of 2024, and, unlike ISO/CD PAS 8800, it is not specific to just automotive.

READ MORE
02/07/24

Autonomy Safety Standards in Automotive

The world of standards in the automotive autonomous vehicle industry is continually changing, at least relative to more stable standards in functional safety such as the ISO 26262:2018 standard. It is important to note that this blog has been written at the beginning of February 2024 as there will be changes in the coming months

READ MORE
01/26/24

January Recap: How is AI and Autonomy doing?

Already early in 2024 we’ve seen several AI incidents including Deepfakes of celebrities, both alive and dead, and Chevrolet selling a Tahoe for $1.

READ MORE
12/04/23

November 2023 Recap: How is AI and Autonomy doing?

It’s now been a year since OpenAI released an experimental chatbot dubbed “ChatGPT”. Since then, the terms “ChatGPT” and “AI” have mushroomed, creating a movement of “Citizen Developers” and pages and pages of school reports being created in seconds.

READ MORE
10/26/23

Autonomous Vehicles and Explainable AI (XAI)?

As you have seen in the news on Tuesday, October 24, 2023, the California Department of Motor Vehicles issued a suspension of General Motors’ Cruise autonomous vehicles from California public roads.

READ MORE
10/02/23

Organizational compliance department: a sample framework

Whether you are working in safety, security, AI or other disciplines, it is critical that you show compliance of standards and regulations to your customers and to external regulators. Taking a compliance approach illustrates to everyone internally and externally that you take these requirements seriously and enables the required culture for success. Compliance not only requires training of staff, but also requires the voice from top management. In this blog we discuss an approach to build up a compliance department within your organization.

READ MORE