SotIF for the Functional Safety Engineer
12 chapters. A handbook for FuSi (functional safety) engineers extending HARA, FSC, TSC, FMEDA and the safety case into ISO 21448 (SotIF), ISO/PAS 8800 and ISO/IEC TR 5469: triggering conditions, acceptance criteria, statistical validation, ML-aware FuSi and field monitoring, with a continuous AEB worked example.
How You Learn
Video and text stay in sync. As you scroll through the chapter, the video jumps to the matching explanation automatically.
Learning Objectives
Route Issues with the Decision Tree
Apply the three-question fault vs insufficiency triage to classify every safety issue under ISO 26262, ISO 21448 or ISO/PAS 8800 with defensible reasoning.
Extend HARA with Triggering Conditions
Add SotIF columns to your existing HARA, populate the TC catalog via HAZOP and inductive analysis, and decompose acceptance targets per hazardous event.
Derive SotIF Acceptance Targets
Select an acceptance philosophy (GAMAB, MEM, ALARP, PRB), apply the three-factor risk decomposition, and derive quantitative targets from NHTSA-style baselines.
Specify Functional Modifications
Classify countermeasures into the five SotIF response categories and write a driving policy with traceable rules linked to triggering conditions.
Chapters
Why FuSi Engineers Need SotIF
The scope gap between ISO 26262 faults and ISO 21448 functional insufficiencies.
ISO 21448:2022 Clause-by-Clause
Lifecycle mapping with V-model alignment and joint vs separate work products.
From Faults to Functional Insufficiencies
Eighteen SotIF terms in six families, mapped to their ISO 26262 equivalents.
Fault vs Insufficiency Decision Tree
Three-question triage that routes every issue to 26262, SotIF or SotIF + 8800.
Extending HARA with Triggering Conditions
HARA extended with SotIF columns, HAZOP guide-words and VLSS tiering.
SotIF Risk Model & Targets
Acceptance philosophies, the three-factor risk decomposition and NHTSA-baseline targets.
Functional Modifications as Safety Mechanisms
Five SotIF response categories, driving policy and sensor-fusion performance budgets.
Verification with Triggering Conditions
Five-level BV/APV/VIV/TTV/ORV pipeline and FMEDA, FTA, STPA repurposed for SotIF.
Validation: Statistical Acceptance
Area 2 vs Area 3, NHTSA severity baselines and the zero-event Poisson stopping rule.
ML-Aware FuSi (8800 & TR 5469)
Responsibility split across 26262, 21448 and 8800 with KPI sufficiency rules.
Joint 26262 + 21448 + 8800 Safety Case
One GSN tree, five defensibility principles and UL 4600 integration.
Field Monitoring & Continuous Safety
Clause 13 observation channels, re-evaluation SLAs and OTA safety playbooks.
Interactive Diagrams & Worksheets
Fault vs Insufficiency Decision Tree
Three-question triage (E/E deviation, performance vs specification, ML involved) with verdict colour-coding for 26262, SotIF, SotIF+8800 and cybersecurity, plus 10 worked scenarios.
HARA + SotIF Extension Worksheet
AEB HARA base table extended with triggering conditions, FI classification, P_E|HB / P_C|E / P_S|C factors, VLSS tier and acceptance target, plus a HAZOP guide-word workbook.
SotIF Risk-Decomposition Formula
P_H = P_E|HB × P_C|E × P_S|C with parameter definitions, plus the four-step AEB target derivation from the NHTSA GES baseline through functional-modification coverage.
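An added worked example, not part of the course materials, covering both the three-factor decomposition above and the zero-event Poisson stopping rule named in the validation chapter. The reading given to each factor (exposure given hazardous behaviour, loss of control given exposure, severe outcome given loss of control), the interpretation that the hazardous-event rate equals the hazardous-behaviour rate times P_H, the sample probabilities and the per-kilometre target are assumptions for illustration only; they are not figures from ISO 21448 or NHTSA GES data. The bound is computed for any event count, so the zero-event rule appears as the k = 0 special case and a single observed event lengthens the required exposure instead of breaking the method.

```python
import math

# Added worked example. The meaning assigned to each factor, the sample
# probabilities and the per-kilometre target rate are assumptions for
# illustration, not figures from the course, ISO 21448 or NHTSA GES data.


def hazard_probability(p_e_given_hb, p_c_given_e, p_s_given_c):
    """P_H = P_E|HB x P_C|E x P_S|C.

    Assumed reading of the factors:
      p_e_given_hb  exposure to the triggering condition while the hazardous
                    behaviour (e.g. AEB failing to brake) is present
      p_c_given_e   the situation is NOT controlled (driver or another
                    mechanism) given that exposure
      p_s_given_c   a severe outcome results given loss of control
    """
    for name, p in (("P_E|HB", p_e_given_hb), ("P_C|E", p_c_given_e),
                    ("P_S|C", p_s_given_c)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    return p_e_given_hb * p_c_given_e * p_s_given_c


def allowed_hazardous_behaviour_rate(target_event_rate, p_e_given_hb,
                                     p_c_given_e, p_s_given_c):
    """Decompose a per-km acceptance target for the hazardous EVENT into the
    highest per-km rate of the hazardous BEHAVIOUR that still meets it,
    assuming rate_event = rate_behaviour * P_H."""
    p_h = hazard_probability(p_e_given_hb, p_c_given_e, p_s_given_c)
    if p_h == 0.0:
        raise ValueError("P_H is 0; the behaviour rate is unconstrained")
    return target_event_rate / p_h


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), accumulated term by term (no factorials)."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_rate_bound(exposure, events, confidence=0.95):
    """One-sided upper confidence bound on an event rate after `events`
    occurrences over `exposure` (e.g. km): the largest mean mu with
    P(X <= events | mu) >= 1 - confidence, found by bisection, divided by
    exposure. For events == 0 this equals -ln(1 - confidence) / exposure."""
    if exposure <= 0 or not 0.0 < confidence < 1.0 or events < 0:
        raise ValueError("need exposure > 0, 0 < confidence < 1, events >= 0")
    tail = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(events, hi) > tail:   # grow until the tail is crossed
        hi *= 2.0
    for _ in range(100):                    # bisect to floating precision
        mid = 0.5 * (lo + hi)
        if poisson_cdf(events, mid) > tail:
            lo = mid
        else:
            hi = mid
    return hi / exposure


def required_zero_event_exposure(target_rate, confidence=0.95):
    """Exposure that must accrue with zero events before the bound above
    falls to target_rate: the zero-event Poisson stopping rule."""
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    return -math.log(1.0 - confidence) / target_rate


def statistical_acceptance(exposure, events, target_rate, confidence=0.95):
    """Accept when the upper bound on the observed rate is at or below the
    target. Observed events raise the bound, so more exposure is needed."""
    return upper_rate_bound(exposure, events, confidence) <= target_rate


if __name__ == "__main__":
    # Constructed numbers: 1e-8 severe events per km for one hazardous event.
    target = 1e-8
    print("allowed behaviour rate per km:",
          allowed_hazardous_behaviour_rate(target, 0.1, 0.5, 0.2))
    print("zero-event km needed at 95%:", required_zero_event_exposure(target))
    print("accept after 3e8 km, 0 events:", statistical_acceptance(3e8, 0, target))
    print("accept after 3e8 km, 1 event:", statistical_acceptance(3e8, 1, target))
```

With the constructed factors the behaviour may occur no more than 1e-6 times per km, and at 95% confidence roughly 3e8 event-free kilometres are needed before the 1e-8 per-km target is demonstrated; a single event in that exposure pushes the bound to about 1.6e-8 per km and the run does not stop.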
5-Level Verification Pipeline
BV, APV, VIV, TTV, ORV cards showing scope, infrastructure, pros, cons, and 26262 analog, with a combined fault-injection + TC activation + OoD probing test plan example.
ML Responsibility Matrix
Twelve-row matrix splitting KPI definition, KPI achievement, dataset bias, OoD, model calibration and drift across ISO 26262, ISO 21448 and ISO/PAS 8800 with FuSi notes.
Joint GSN Safety Case Tree
AEB safety case skeleton with three branches (26262 faults, 21448 insufficiencies, 8800 ML KPI), six GSN node types, defensibility principles and standard-source colour badges.
AEB From HARA to Field Monitoring
A single AEB function carried through every chapter so vocabulary, triage, HARA extension, validation and monitoring all reinforce one example.
- HARA extended with a triggering-condition catalog
- Acceptance target derived from NHTSA baseline
- Driving policy and sensor-fusion budgets
- Combined fault injection, TC activation and OoD probing
- Field monitoring with OTA retraining playbook
AEB Triggering-Condition Catalog