ISO 21448 SOTIF for Autonomous Driving

by Nick Clark | Published April 25, 2026

ISO 21448 (Safety Of The Intended Functionality, SOTIF) addresses a class of road-vehicle hazard that ISO 26262 was never designed to cover: harm that arises not from a component fault but from a functional insufficiency of the intended design, such as a perception system that fails to detect a pedestrian against a difficult background, a classifier that misreads a construction zone, or a control law that behaves correctly in nominal weather and dangerously in unmodelled weather. The governed-actuation primitive, with its graduated actuation modes and harm-minimization logic, supplies a structural answer to the SOTIF requirement that procedural hazard analysis alone cannot deliver.


Domain Context: SOTIF, ISO 26262, and ASIL

ISO 26262, the road-vehicle functional-safety standard, frames safety as the absence of unreasonable risk due to malfunctioning behavior of electrical and electronic systems. Its conceptual core is the Automotive Safety Integrity Level (ASIL) classification, which derives a development rigor from the severity, exposure, and controllability of hazards arising from system faults. ASIL-A through ASIL-D processes have governed automotive electronics development for more than a decade and have produced a mature audit and certification ecosystem. Their domain, however, is bounded: ISO 26262 addresses what happens when the system fails. It does not address what happens when the system functions exactly as designed and the design itself is the hazard.

ISO 21448, originally published as a Publicly Available Specification in 2019 and elevated to a full International Standard in 2022, fills that gap. SOTIF addresses functional insufficiencies — situations in which there is no fault, no degraded component, no broken sensor, and yet the integrated function produces hazardous behavior. The canonical examples are perception failures (a camera-based detector that fails on a particular combination of lighting and clothing color, a radar that ghost-targets in a tunnel, a LiDAR that returns degraded points in heavy rain), prediction failures (a planner that misjudges a cyclist's trajectory in an unmodelled traffic context), and decision failures (a control law that responds correctly to scenarios in its training distribution and incorrectly to scenarios outside it). SOTIF further distinguishes between false detection (the system perceives something that is not there) and missing detection (the system fails to perceive something that is there), each carrying distinct hazard signatures.

For SAE Level 3 and above, where the system rather than the driver performs the dynamic driving task and, from Level 4, no human fallback is assumed, SOTIF has moved from best practice to a type-approval expectation in the major markets. UN Regulation 157 for Automated Lane Keeping Systems lists ISO 21448 among the standards referenced in its safety-assessment annex; the EU General Safety Regulation 2019/2144 and the implementing acts issued under it for automated driving systems, and the developing US NHTSA framework for automated driving systems, either reference SOTIF or demand a substantively equivalent treatment of functional insufficiencies. ISO 21448 and ISO 26262 are intended to be applied jointly: a Level 4 driving function must satisfy both, with ASIL-derived rigor for the fault-handling pathway and SOTIF-derived rigor for the functional-insufficiency pathway.

Architectural Requirement

A SOTIF-compliant architecture must express three properties that an ISO 26262-only architecture does not. First, scenario-class awareness: the system must distinguish between situations within its validated operational design domain and situations outside it, and must behave in a structurally bounded manner in the latter. Second, residual-risk treatment: because functional insufficiencies cannot be eliminated, only bounded, the system must convert residual risk into a quantified and traceable property of each actuation decision rather than an unmodelled tail. Third, graceful behavior under perceived insufficiency: when the system's own self-assessment indicates degraded confidence, the response must be a measured reduction in the consequence of action rather than an abrupt mode change that itself introduces hazard.

These are properties of the actuation architecture, not of any individual sensor, planner, or control law. They cannot be retrofitted by tightening the validation of components that were architected without them. A perception subsystem can report calibrated uncertainty, but unless the actuation pathway is built to admit perception confidence as a structural input to mode selection, the calibrated uncertainty terminates at a log line. A planner can produce a distribution of trajectories rather than a point estimate, but unless the controller is built to admit a distribution and emit a graduated-authority command, the distribution collapses at the actuator interface. SOTIF compliance is a whole-stack architectural property: if any stage of the pipeline discards the confidence information, every stage downstream of it loses the property.

The standard further demands traceability between the safety case argued in the SOTIF analysis and the behavior produced at runtime. This traceability is itself an architectural property: it requires that the runtime emit, at every actuation, a record that identifies which scenario class the system believed itself to be in, which mode the actuation was admitted at, what reversibility class applied, and what residual-risk weight was attached. A system that cannot emit such a record cannot demonstrate SOTIF traceability except by reconstruction from incomplete logs, and reconstruction is not the same as evidence.

Why Procedural Compliance Fails

The SOTIF clause structure prescribes a process: identify triggering conditions, analyze hazardous behaviors, evaluate scenarios, derive verification and validation strategies, demonstrate that residual risk is acceptable. The process is sound, and procedural compliance against the clause structure produces an audit-grade work product. The work product, however, lives in documents and test reports. It does not live in the actuation path.

When a perception subsystem encounters an emerging scenario at runtime — a class of object the validation campaign did not anticipate, a weather condition outside the training distribution, an environmental geometry no scenario library covered — the SOTIF documentation does not participate in the resulting actuation decision. What participates is whatever the planner and control law happened to produce given the degraded perception input. Procedural SOTIF compliance can demonstrate that the residual-risk argument was constructed correctly. It cannot demonstrate that the in-vehicle actuation decision in that emerging scenario reflected the residual-risk argument. The link between the safety case and the actuation has to be architectural; if it is only procedural, it breaks at exactly the moment it is needed.

What Governed Actuation Provides

The governed-actuation primitive supplies three structural elements that close the procedural gap. First, graduated actuation modes: each candidate actuation is admitted at a mode that reflects the system's current confidence in its perception and prediction. High-confidence nominal scenarios admit full-authority actuation; degraded-confidence scenarios admit reduced-authority actuation that is bounded in lateral and longitudinal aggressiveness; emerging scenarios outside the validated domain admit only minimum-risk-maneuver-class actuation. The mode selection is structural — it derives from the perception-confidence and scenario-class inputs — rather than being a procedural override invoked by a fault-handler.

Second, reversibility-aware execution. Each actuation candidate is classified by how reversible its consequence is: a small steering correction that the next planning cycle can undo is treated structurally differently from hard braking or an evasive lane change that commits the vehicle to a trajectory it cannot return from within the planning horizon. SOTIF's residual-risk treatment is expressed as a higher admissibility threshold for less reversible actuations, encoded in the actuation pathway itself.

Third, harm-minimization logic at the moment of admission. When the system enters an emerging scenario, the actuation choice is selected to minimize the expected harm given the current uncertainty rather than to maximize task progress. This is the SOTIF safety case made operational: the residual-risk argument constructed in the safety analysis becomes the objective function of the runtime admission decision.

The primitive is disclosed under USPTO provisional 64/049,409 as a closed five-property chain. Authority-credentialed observation requires that perception, prediction, and scenario-classification inputs to the actuation pathway arrive as observations signed by credentialed sources within a published authority taxonomy — calibrated cameras, type-approved radars, certified prediction modules — so that an uncalibrated or out-of-taxonomy input cannot enter the chain unweighted. Evidential weighting composes the credentialed observations with operational context (weather class, ODD class, traffic class) into a structured contribution rather than a binary admit/reject. Composite admissibility evaluates the weighted observations against the candidate actuation and produces the graduated mode selection. Governed actuation produces the resulting commitment with reversibility evaluation and post-actuation verification. Lineage-recorded provenance records every observation, weighting, decision, and verification with credentials, supporting forensic reconstruction of any past state — including the post-incident reconstruction that regulatory bodies and litigants will demand.
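To make the five-property chain concrete, the following Python sketch is an added example, written for this article; it is not code from the disclosed primitive, from the provisional filing, or from any OEM stack. It walks one admission cycle: observations arrive HMAC-signed by sources in an assumed authority taxonomy (unsigned or out-of-taxonomy inputs are weighed at zero and recorded as rejected), credentialed confidences are folded with assumed weather and ODD weights into a scenario class, a mode is selected, candidates are admitted against reversibility-keyed thresholds, the minimum-risk mode picks the lowest-harm action rather than the most progress, and every decision lands in a hash-chained lineage record that can be re-verified afterwards. The taxonomy, keys, weights, thresholds, candidate set and harm values are all constructed for illustration; post-actuation verification is not modelled.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed authority taxonomy (constructed for this example): source id -> (source class, shared MAC key).
AUTHORITY_TAXONOMY = {
    "cam-front-01": ("calibrated_camera", b"cam-key"),
    "radar-front-01": ("type_approved_radar", b"radar-key"),
    "pred-01": ("certified_prediction", b"pred-key"),
}
CLASS_WEIGHT = {"calibrated_camera": 0.9, "type_approved_radar": 1.0, "certified_prediction": 0.8}  # assumed
WEATHER_WEIGHT = {"clear": 1.0, "rain": 0.8, "fog": 0.6}  # assumed operational-context weights
ODD_WEIGHT = {"inside": 1.0, "boundary": 0.7, "outside": 0.0}
# Reversibility class: 1 = undone next cycle, 2 = recoverable within a bounded horizon, 3 = commits the vehicle.
ADMISSION_THRESHOLD = {1: 0.4, 2: 0.6, 3: 0.8}  # less reversible => more weighted confidence required
MODE_CEILING = {"full": 3, "reduced": 2, "mrm": 0}  # highest class each mode admits for non-MRM candidates
MODE_FOR_SCENARIO = {"nominal": "full", "degraded": "reduced", "emerging": "mrm"}

@dataclass(frozen=True)
class Observation:
    source: str
    confidence: float  # calibrated confidence in [0, 1]
    mac: str = ""      # hex HMAC-SHA256 over "source|confidence", empty if unsigned

@dataclass(frozen=True)
class Candidate:
    name: str
    reversibility: int    # 1..3 as above
    progress: float       # task-progress utility
    expected_harm: float  # residual-risk weight from the (assumed) safety analysis
    mrm: bool = False     # minimum-risk-maneuver-class action

def sign(source, confidence, key):
    return Observation(source, confidence, hmac.new(key, f"{source}|{confidence:.4f}".encode(), hashlib.sha256).hexdigest())

def credentialed(obs):
    """Authority-credentialed observation: source must be in the taxonomy and its MAC must verify."""
    entry = AUTHORITY_TAXONOMY.get(obs.source)
    return entry is not None and hmac.compare_digest(sign(obs.source, obs.confidence, entry[1]).mac, obs.mac)

def weigh(observations, weather, odd):
    """Evidential weighting: credentialed confidences and context fold into one weighted confidence."""
    accepted = [o for o in observations if credentialed(o)]
    rejected = [o.source for o in observations if not credentialed(o)]
    if not accepted:
        return 0.0, "emerging", rejected
    mean = sum(o.confidence * CLASS_WEIGHT[AUTHORITY_TAXONOMY[o.source][0]] for o in accepted) / len(accepted)
    weighted = mean * WEATHER_WEIGHT[weather] * ODD_WEIGHT[odd]
    scenario = "nominal" if weighted >= 0.8 else "degraded" if weighted >= 0.5 else "emerging"
    return round(weighted, 4), scenario, rejected

def admissible(c, mode, weighted):
    """Composite admissibility: MRM actions always admit; others need the mode ceiling and the threshold."""
    return c.mrm or (c.reversibility <= MODE_CEILING[mode] and weighted >= ADMISSION_THRESHOLD[c.reversibility])

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def admit(candidates, observations, weather, odd, ledger):
    """Governed actuation: choose one candidate under the selected mode and append a lineage record.
    Assumes the candidate set always holds an MRM-class action; if not, min() fails closed with ValueError."""
    weighted, scenario, rejected = weigh(observations, weather, odd)
    mode = MODE_FOR_SCENARIO[scenario]
    pool = [c for c in candidates if admissible(c, mode, weighted)]
    if mode == "mrm":
        choice = min(pool, key=lambda c: c.expected_harm)  # harm minimization, not task progress
    else:
        choice = max(pool, key=lambda c: c.progress - c.expected_harm)  # progress net of residual risk
    record = {"prev": ledger[-1]["digest"] if ledger else "0" * 64,
              "observations": [o.source for o in observations], "rejected": rejected,
              "weighted_confidence": weighted, "scenario_class": scenario, "mode": mode,
              "actuation": choice.name, "reversibility": choice.reversibility, "residual_risk_weight": choice.expected_harm}
    record["digest"] = _digest(record)
    ledger.append(record)
    return choice, record

def verify_ledger(ledger):
    """Lineage-recorded provenance: each record must hash-chain to its predecessor, unmodified."""
    prev = "0" * 64
    for rec in ledger:
        if rec["prev"] != prev or rec["digest"] != _digest({k: v for k, v in rec.items() if k != "digest"}):
            return False
        prev = rec["digest"]
    return True

# Constructed candidate set; utilities and harm weights are illustrative, not from any safety analysis.
CANDIDATES = [Candidate("overtake", 3, 1.5, 0.30), Candidate("hold_lane", 1, 1.0, 0.05),
              Candidate("controlled_stop", 2, 0.0, 0.10, mrm=True), Candidate("pull_over", 2, 0.0, 0.02, mrm=True)]

def demo(weather, odd, tamper=False):
    """One admission cycle on constructed observations; returns (actuation, mode, rejected sources)."""
    obs = [sign("cam-front-01", 0.95, b"cam-key"), sign("radar-front-01", 0.97, b"radar-key"),
           sign("pred-01", 0.90, b"pred-key")]
    if tamper:  # out-of-taxonomy, unsigned input: weighed at zero and recorded as rejected
        obs.append(Observation("aftermarket-lidar", 0.99))
    choice, rec = admit(CANDIDATES, obs, weather, odd, [])
    return choice.name, rec["mode"], rec["rejected"]
```

Running `demo("clear", "inside")` admits the irreversible overtake at full authority; the same observations under `("rain", "inside")` drop the weighted confidence below the irreversible threshold and the mode ceiling, so only `hold_lane` survives; under `("fog", "boundary")` or any ODD class of `outside` the mode collapses to MRM and the choice is the lower-harm `pull_over`, regardless of progress. The point of the ledger is the one made in the text: a mutated record no longer verifies, so the post-incident reconstruction is evidence rather than a story.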

Compliance Mapping

Graduated actuation modes map to SOTIF's operational design domain framing: the validated domain is the region in which full-authority modes admit, and the boundary of the domain is the boundary at which mode transitions are forced. Reversibility-aware execution maps to SOTIF's residual-risk classification: less reversible actuations carry higher residual-risk weight and correspondingly higher admission thresholds. Harm-minimization logic maps to the SOTIF requirement that the response to a perceived functional insufficiency be the minimization of consequence rather than the continuation of nominal behavior. Toward ISO 26262 the same primitive integrates without conflict, with one caveat worth stating plainly: the ASIL attaches to the hazard and its safety goal, not to the actuation mode, so a lower-authority mode does not by itself lower the integrity required of the path that selects and executes it. What the graduated modes offer ISO 26262 is a well-defined safe state and a mode-selection mechanism that can be treated as a safety mechanism in its own right; any ASIL decomposition across it must satisfy the independence requirements of ISO 26262-9. Toward UN R157 and the emerging type-approval frameworks, the architecture supplies traceable evidence that the safety case is enforced in the actuation pathway, not only argued in the documentation.

Adoption Pathway

Adoption proceeds in three stages, structured to align with the type-approval cycle of an OEM or Tier-1 autonomous-driving program. First, the governed-actuation substrate is introduced as a parallel admission record alongside the existing planner and control stack: each candidate actuation is annotated with its mode, reversibility class, and harm-minimization score, without yet gating execution on the substrate. This produces the SOTIF traceability artifact as a byproduct of normal operation and exposes drift between the documented safety case and the implemented behavior. Second, the substrate gates a defined subset of high-consequence actuations: irreversible commits (heavy braking, evasive lane change, gap acceptance into oncoming traffic) are admitted only through the substrate. Third, the substrate becomes the authoritative admission layer for the entire actuation surface, with the legacy planner reduced to a candidate generator and the control law reduced to an executor of admitted intent.

The same direction is visible across the major autonomous-driving programs: ISO 21448 enforcement is maturing, the joint application of ISO 21448 and ISO 26262 is being formalized, and the UN R157 amendments and the NHTSA automated driving system framework push the same way. The architectural answer arrives at the point procedural compliance has been pointing toward.

Honest framing: the governed-actuation primitive does not eliminate functional insufficiency; functional insufficiency is a property of any imperfect perception system and cannot be eliminated by any architecture. What the primitive does is make the response to functional insufficiency a structural property of the actuation pathway rather than a procedural argument made beside it. The residual risk does not disappear; it becomes traceable, weighted, and bounded, which is what SOTIF asks for and what procedural compliance alone cannot deliver. Deployment requires substantial type-approval engineering, OEM-specific integration, and validation campaigns that are outside the scope of this article, and nothing here substitutes for that work.
