Sotif



Sotif (ISO 21448) vs Functional Safety (ISO 26262)

  • Functional safety mitigates the risk from malfunctioning behaviour: hardware and software faults in the system that could lead to a violation of a safety goal

  • Sotif aims at mitigating the consequences of unintended behaviour in the absence of any fault: behaviour resulting from unintended use, or from (potentially unaddressable) technological shortcomings such as perception limitations, that could lead to a violation of a safety goal

Example - Knives

Functional safety endeavours to make sure the knife doesn't break. Sotif would be along the lines of keeping knives in the drawer and not giving knives to kids: the knife works exactly as designed, and the hazard comes from how and where it is used.

The knife example, however, doesn't get into the aspect that is especially relevant for autonomous driving: limiting the consequences of foreseeable technological shortcomings. It is worth noting that for the driving case, those shortcomings are never completely addressable, either via hardware or software. The driving environment is one factor: regardless of what sensing is available on the car and how good the perception stack is, it will never deliver conclusions about that environment with 100% (or within an epsilon of 100%) certainty. Traffic awareness is another: the system simply cannot sense much of what it needs (it cannot see inside other human drivers' heads) to deliver predictions with certainty.

As a result, what you have is a fault-free technological system that can and will provide incorrect information, leading to unintended situations. What happens in those situations, whether they violate safety goals, under which triggering conditions (fog, glare, heavy rain, an unusual road layout) they become more likely, and what you can do to mitigate their consequences is a large part of what Sotif is about.
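The point above, that a system with no fault at all still produces wrong outputs under some conditions and that the mitigation targets the consequences rather than a defect, can be made concrete with a small model. The following is an added example, not code from the original notes or from any standard; every number in it (sensor range, reaction time, braking deceleration, the miss-rate curve, the ODD visibility boundary) is an assumption chosen for illustration. The detector is deliberately modelled as fault-free: its only failure mode is a performance limitation that grows with fog. The Sotif-style mitigation is a policy on the triggering condition (visibility): cap the speed so the stopping distance fits inside the detection range, and take the function out of operation below the ODD boundary.

```python
"""
Toy Sotif model of a fault-free pedestrian detector with a performance
limitation (fog), and a mitigation policy keyed on the triggering condition.
All parameters are constructed assumptions for illustration.
"""
import math

SENSOR_MAX_RANGE_M = 150.0      # assumed hardware limit of the sensor
REACTION_S = 1.0                # assumed system reaction time
DECEL_MPS2 = 6.0                # assumed braking deceleration
ODD_MIN_VISIBILITY_M = 60.0     # assumed ODD boundary chosen by the Sotif analysis


def detection_range_m(visibility_m):
    """The sensor never sees further than the fog allows."""
    return min(SENSOR_MAX_RANGE_M, visibility_m)


def miss_probability(visibility_m):
    """Assumed performance limitation of a fault-free perception stack:
    about 1% missed pedestrians in clear air (>= 200 m visibility),
    rising linearly to 30% at 40 m visibility."""
    degradation = max(0.0, min(1.0, (200.0 - visibility_m) / 160.0))
    return 0.01 + 0.29 * degradation


def stopping_distance_m(speed_mps):
    """Reaction distance plus braking distance."""
    return speed_mps * REACTION_S + speed_mps ** 2 / (2 * DECEL_MPS2)


def max_safe_speed_mps(range_m):
    """Largest speed whose stopping distance fits inside range_m
    (positive root of v*t + v^2/(2a) = range_m)."""
    a, t = DECEL_MPS2, REACTION_S
    return -a * t + math.sqrt((a * t) ** 2 + 2 * a * range_m)


def collision_probability(speed_mps, visibility_m):
    """Unmitigated, fault-free system. Harm occurs either because the
    pedestrian is missed entirely, or because it is detected too late
    to stop. A small tolerance absorbs floating-point error at the
    boundary."""
    p_miss = miss_probability(visibility_m)
    too_late = stopping_distance_m(speed_mps) > detection_range_m(visibility_m) + 1e-9
    return 1.0 if too_late else p_miss


def sotif_policy(requested_speed_mps, visibility_m):
    """Mitigation derived from the triggering condition 'reduced visibility'.
    Returns (state, speed): 'off' when outside the ODD (hand over / minimal
    risk manoeuvre), otherwise 'active' with the speed capped so that the
    vehicle can always stop within the detection range."""
    if visibility_m < ODD_MIN_VISIBILITY_M:
        return "off", 0.0
    cap = max_safe_speed_mps(detection_range_m(visibility_m))
    return "active", min(requested_speed_mps, cap)


def residual_risk(requested_speed_mps, visibility_m):
    """Collision probability with the mitigation applied, or None when the
    function is not in operation (the risk is then carried by the fallback,
    which this model does not cover)."""
    state, speed = sotif_policy(requested_speed_mps, visibility_m)
    if state == "off":
        return None
    return collision_probability(speed, visibility_m)


if __name__ == "__main__":
    requested = 30.0  # m/s, roughly motorway speed
    print(f"{'vis (m)':>8} {'p_miss':>7} {'unmitigated':>12} {'mitigated':>10} {'speed':>6}")
    for vis in (200.0, 100.0, 70.0, 50.0):
        state, speed = sotif_policy(requested, vis)
        mitigated = residual_risk(requested, vis)
        print(f"{vis:>8.0f} {miss_probability(vis):>7.3f} "
              f"{collision_probability(requested, vis):>12.3f} "
              f"{'off':>10}" if mitigated is None else
              f"{vis:>8.0f} {miss_probability(vis):>7.3f} "
              f"{collision_probability(requested, vis):>12.3f} "
              f"{mitigated:>10.3f} {speed:>6.1f}")
```

Two things are worth reading off the table this prints. At 100 m visibility the unmitigated system collides in every encounter, not because anything is broken but because 30 m/s needs about 105 m to stop; the speed cap removes that mode entirely. What remains after mitigation is exactly the miss-rate of the (still fault-free) perception, a residual risk that no amount of fault handling under ISO 26262 would touch, and that the Sotif analysis has to argue is acceptable, or push further down with a different mitigation.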