Driving Automation Systems (DAS) are subject to complex road environments and vehicle behaviors and increasingly rely on sophisticated sensors and Artificial Intelligence (AI). These properties give rise to unique safety faults stemming from specification insufficiencies and technological performance limitations, where sensors and AI introduce errors that vary in magnitude and temporal pattern, posing potential safety risks. The Safety of the Intended Functionality (SOTIF) standard emerges as a promising framework for addressing these concerns, focusing on scenario-based analysis to identify hazardous behaviors and their causes. Although the current standard provides a basic cause-and-effect model and high-level process guidance, it lacks the concepts required to identify and evaluate hazardous errors, especially in the context of AI. This paper introduces two key contributions to bridge this gap. First, it defines the SOTIF Temporal Error and Failure Model (STEAM) as a refinement of the SOTIF cause-and-effect model, offering a comprehensive system-design perspective. STEAM refines error definitions, introduces error sequences, and classifies them as error sequence patterns, which are particularly relevant to systems employing advanced sensors and AI. Second, this paper proposes the Model-based SOTIF Analysis of Failures and Errors (MoSAFE) method, which instantiates STEAM from system-design models by deriving hazardous error sequence patterns at module level from hazardous behaviors at vehicle level via weakest-precondition reasoning. Finally, the paper presents a case study centered on an automated speed-control feature, illustrating the practical applicability of the refined model and the MoSAFE method in addressing complex safety challenges in DAS.