Decomposition and Quantification of SOTIF Requirements for Perception Systems of Autonomous Vehicles

Ruilin Yu, Cheng Wang, Yuxin Zhang, Fuming Zhao

TL;DR

This work addresses the scarcity of quantitative guidance for Safety of the Intended Functionality (SOTIF) in autonomous vehicles by proposing a risk-decomposition framework that translates acceptance criteria into actionable perception requirements. It introduces a two-tier approach: subsystem-level requirements derived from risk and collision-severity models within an intended-behavior framework, and component-level requirements allocated via a model-agnostic Shapley-value decomposition applied to a MOT system. The subsystem-level methods include a Bayesian risk model with distance-partitioned existence uncertainty and a collision-severity model linking state uncertainty to collision outcomes, while the component-level method operationalizes SHAP to distribute safety requirements across input/output metrics. Experimental results on AD4CHE and MOT benchmarks demonstrate that the approach can produce intuitive, verifiable SOTIF requirements, with RSS-based behavior modeling chosen for demonstration and quantitative evidence that component-level allocations can meet targeted subsystem-level safety criteria. The proposed framework advances practical SOTIF verification by enabling quantitative, scenario-aware safety requirements and clarified responsibility allocation among perception components, with implications for sensor selection, fusion, and testing strategies in AV development.

Abstract

Ensuring the safety of autonomous vehicles (AVs) is paramount before they can be introduced to the market. More specifically, securing the Safety of the Intended Functionality (SOTIF) poses a notable challenge; while ISO 21448 outlines numerous activities to refine the performance of AVs, it offers minimal quantitative guidance. This paper endeavors to decompose the acceptance criterion into quantitative perception requirements, aiming to furnish developers with requirements that are not only understandable but also actionable. This paper introduces a risk decomposition methodology to derive SOTIF requirements for perception. More explicitly, for subsystem-level safety requirements, we define a collision severity model to establish requirements for state uncertainty and present a Bayesian model to discern requirements for existence uncertainty. For component-level safety requirements, we propose a decomposition method based on the Shapley value. Our findings indicate that these methods can effectively decompose the system-level safety requirements into quantitative perception requirements, potentially facilitating the safety verification of various AV components.

Paper Structure (15 sections, 15 equations, 13 figures, 4 tables)

Figures (13)

  • Figure 1: Requirements decomposition: a validation target is derived from a predefined Operational Design Domain (ODD) and then decomposed to requirements for subsystems or functions, which are finally verified and validated in the ODD.
  • Figure 2: The implementation process of the proposed methodology to derive SOTIF requirements.
  • Figure 3: The concept of decomposing system-level risk into SOTIF requirements for perception.
  • Figure 4: The concept of the distance-based model to derive the requirements for existence uncertainty in each distance partition.
  • Figure 5: MOT algorithm is treated as a function characterized by predefined input and output data evaluation metrics, where numerical inputs and outputs are used to reflect changes in algorithm performance. Next, based on the variations in these input metrics, we generate a sample dataset that captures a range of possible performance scenarios. A weighted linear model is then optimized on this dataset to identify model parameters that minimize the loss function. These parameters, representing the Shapley values, quantify the influence of each input metric on the output metric. Finally, component-level safety requirements are allocated based on these calculated Shapley values.
  • ...and 8 more figures
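The Figure 5 caption describes attributing an output metric of the MOT algorithm to its input metrics by Shapley values and allocating component-level requirements from them. The block below is an added illustration, not the paper's code: the three input metrics, their baseline and improved levels, the toy output metric, and the proportional allocation rule are all constructed assumptions, and the Shapley values are computed by exact enumeration over orderings (which gives the same values the paper's weighted linear model recovers when every coalition is sampled).

```python
from itertools import permutations

# Constructed example values (not from the paper): three input metrics of a MOT
# pipeline, the level each component delivers today, and the level it could reach.
METRICS = ("det_recall", "det_precision", "assoc_accuracy")
BASELINE = {"det_recall": 0.80, "det_precision": 0.85, "assoc_accuracy": 0.70}
IMPROVED = {"det_recall": 0.95, "det_precision": 0.95, "assoc_accuracy": 0.90}


def mot_score(metrics):
    """Toy output metric standing in for the MOT evaluation metric (assumed form).
    Recall and precision interact multiplicatively, so crediting each metric with
    its one-at-a-time gain would not add up to the total; the Shapley value does."""
    det_quality = metrics["det_recall"] * metrics["det_precision"]
    return 0.6 * det_quality + 0.4 * metrics["assoc_accuracy"]


def shapley_values(score, baseline, improved, names):
    """Exact Shapley value of each input metric for the gain score(improved) - score(baseline).
    Every ordering in which components are switched from baseline to improved level is
    enumerated; each metric is credited with its marginal gain, averaged over orderings."""
    phi = {n: 0.0 for n in names}
    orderings = list(permutations(names))
    for order in orderings:
        current = dict(baseline)
        prev = score(current)
        for n in order:
            current[n] = improved[n]
            now = score(current)
            phi[n] += now - prev
            prev = now
    return {n: v / len(orderings) for n, v in phi.items()}


def allocate_requirement(phi, baseline_score, required_score):
    """Split the subsystem-level gap (required - baseline) across components in
    proportion to their Shapley values (assumed allocation rule, not the paper's).
    Returns each component's responsibility share and its allocated gain."""
    total = sum(phi.values())
    gap = required_score - baseline_score
    return {n: {"share": v / total, "allocated_gain": gap * v / total} for n, v in phi.items()}


if __name__ == "__main__":
    phi = shapley_values(mot_score, BASELINE, IMPROVED, METRICS)
    alloc = allocate_requirement(phi, mot_score(BASELINE), 0.85)  # 0.85: assumed subsystem target
    for n in METRICS:
        print(f"{n:15s} shapley={phi[n]:.4f} share={alloc[n]['share']:.3f} "
              f"allocated_gain={alloc[n]['allocated_gain']:.4f}")
```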