
PlusAI Safety Analysis Framework (SAF): Cracking the Code on Safety for Autonomous Trucks

By Parth Prashant Lathi, Vishal Shanbhag, and Robert Dingli

Imagine you are riding in an autonomous truck on a bright, sunny afternoon. As you approach an overpass, the autonomous truck slows and stops. You look ahead. The lane is completely clear. No obstacle, no hazard, no reason to brake. What brought the vehicle to a standstill was a sharp, dark shadow cast across the road.

The brakes didn’t fail. The sensors didn’t break. Every component performed exactly as designed. And yet, the system did the wrong thing.

So what went wrong?

This is the defining challenge of modern autonomy. As self-driving systems move beyond controlled environments onto complex open roads, a new class of safety problem has emerged, one that has nothing to do with broken hardware or faulty code. We have built a rigorous methodology, the PlusAI Safety Analysis Framework (SAF), to tackle it head-on.

Our goal is to use PlusAI SAF to quantify risk and reduce the region of unknown and unsafe scenarios to an acceptable minimum.

Figure: SOTIF diagram showing the reduction of unknown unsafe scenarios

Two Kinds of Safety

For decades, automotive safety has been governed by an international standard called ISO 26262, which defines what the industry calls Functional Safety (FuSa). The central question FuSa asks is: what happens if something in the vehicle breaks? It is a rigorous and essential discipline, covering hardware failures, software bugs, and electrical interference. PlusAI designs its systems to meet FuSa standards to the highest degree. This is the baseline, the non-negotiable foundation.

But autonomous driving introduces a category of hazard that FuSa was never designed to handle. These are situations where nothing is broken. Every component is functioning exactly to specification. And yet the system’s behavior is still unsafe.

Think back to our shadow on the road. The camera performed perfectly. The perception model processed the image exactly as it was designed and trained to. The braking system responded as instructed. The failure wasn't technical; it was conceptual. The system interpreted the dark shadow as a physical object, and that misinterpretation had real-world consequences.

To address this gap, the automotive industry created a second international standard, ISO 21448: Safety of the Intended Functionality, or SOTIF. Where FuSa asks "what happens if this breaks?", SOTIF asks a harder question: "what happens if everything works, but the system still gets it wrong?"

Figure 1: The diagram shows the difference between FuSa and SOTIF

The Unknown Unsafe

SOTIF introduces a concept that is both simple and unsettling: the region of “unknown unsafe” scenarios. These are situations where the system will behave dangerously, but where we do not yet know those situations exist. The goal of SOTIF analysis is not to eliminate risk entirely, which is impossible, but to systematically shrink this unknown region until it reaches an acceptable minimum.

This is harder than it sounds. A camera-based perception system, for example, might be trained on millions of driving scenarios and perform flawlessly in all of them. But training data has boundaries. The real world doesn’t. Unusual lighting, non-standard signage, debris like a Porta Potty on the road, a horse trotting on the highway—any of these can become a triggering condition that exposes a functional insufficiency the system never encountered in training.

Crucially, SOTIF does not just consider whether a component malfunctions. It considers the full scenario context: what was the environment? What was the triggering condition? Who else was on the road? In our shadow example, the picture becomes complete when we add one more detail: a human-driven vehicle was following closely behind. The autonomous truck's unexpected stop wasn't an inconvenience; it was a hazard.

A Hybrid Approach: SOTIF Meets STPA

Addressing SOTIF challenges requires more than a checklist. It demands a systematic way of reasoning about complex systems. It needs to account for the interactions between components, the environments they operate in, and the cascading effects of even small misjudgments.

That is why PlusAI's safety analysis methodology combines SOTIF with System-Theoretic Process Analysis (STPA). Where SOTIF defines what we are trying to achieve, the reduction of unknown unsafe scenarios, STPA provides the analytical engine to get there. It treats the autonomous vehicle not as a collection of independent components but as an interconnected control system, and asks how the control actions exchanged between those components can become unsafe in a given context even when each component is functioning correctly.
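The following is an added illustration of the SOTIF-meets-STPA reasoning described above and in the shadow example; it is example code written for this page, not PlusAI's SAF implementation. It applies the four standard STPA unsafe-control-action (UCA) categories from the STPA Handbook (not provided, provided, too early/late or out of order, stopped too soon/applied too long) to a single control action, "brake", and records for each finding the SOTIF triggering condition and functional insufficiency behind it. The hazard identifiers, scenario fields, reaction budget and scenario list are all constructed for the example.

```python
"""STPA-style unsafe control action (UCA) analysis for one control action.

Added example, not PlusAI's own code. The four UCA categories are the standard
STPA ones; everything else (hazard IDs, scenario fields, the reaction budget,
the scenario list) is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class UCAType(Enum):
    """The four STPA categories of unsafe control action."""
    NOT_PROVIDED = "not providing causes hazard"
    PROVIDED = "providing causes hazard"
    TOO_LATE = "provided too late / out of order"
    TOO_LONG = "applied too long / stopped too soon"  # not exercised below


# Hypothetical system-level hazards for the brake control action.
HAZARDS = {
    "H-1": "Truck decelerates sharply with no obstacle ahead while a vehicle follows closely",
    "H-2": "Truck fails to decelerate in time for a real obstacle in its lane",
}

REACTION_BUDGET_S = 1.0  # hypothetical latest acceptable detection-to-brake delay


@dataclass(frozen=True)
class Scenario:
    """Constructed scenario context: what perception reported vs. what exists."""
    name: str
    obstacle_perceived: bool    # output of the perception stack
    obstacle_present: bool      # ground truth in the scenario
    following_vehicle: bool     # human-driven vehicle close behind?
    triggering_condition: str   # the environmental feature SOTIF asks us to name
    brake_delay_s: float = 0.0  # detection-to-brake-command latency


@dataclass(frozen=True)
class Finding:
    uca: UCAType
    hazard: str           # key into HAZARDS
    insufficiency: str    # functional insufficiency exposed by the trigger


def analyze(s: Scenario) -> Optional[Finding]:
    """Classify the ADS brake action in scenario `s`; None means safe in context.

    The control action follows the *perceived* world; the hazard depends on
    the *actual* world and on who else is on the road. Every component can be
    working to spec and the mismatch still yields an unsafe control action.
    """
    braked = s.obstacle_perceived  # modelled ADS brakes iff it believes an obstacle exists

    if braked and not s.obstacle_present:
        # False positive: unnecessary hard brake. Hazardous only in the
        # context STPA insists on, i.e. when someone is following closely.
        if s.following_vehicle:
            return Finding(UCAType.PROVIDED, "H-1",
                           f"perception false positive on '{s.triggering_condition}'")
        return None
    if not braked and s.obstacle_present:
        return Finding(UCAType.NOT_PROVIDED, "H-2",
                       f"perception false negative on '{s.triggering_condition}'")
    if braked and s.obstacle_present and s.brake_delay_s > REACTION_BUDGET_S:
        return Finding(UCAType.TOO_LATE, "H-2",
                       f"detection latency {s.brake_delay_s:.1f}s under '{s.triggering_condition}'")
    return None


# Constructed scenarios, including the shadow case from the text with and
# without a following vehicle.
SCENARIOS = [
    Scenario("shadow under overpass", True, False, True, "sharp shadow on road surface"),
    Scenario("shadow, empty road behind", True, False, False, "sharp shadow on road surface"),
    Scenario("porta potty in lane", True, True, True, "unusual debris"),
    Scenario("horse on highway, missed", False, True, True, "non-standard road user"),
    Scenario("low sun glare, late detection", True, True, True, "low sun glare", brake_delay_s=1.8),
]


def run(scenarios=SCENARIOS) -> Dict[str, Optional[Finding]]:
    """Analyze every scenario and return findings keyed by scenario name."""
    return {s.name: analyze(s) for s in scenarios}


if __name__ == "__main__":
    for name, f in run().items():
        if f is None:
            print(f"{name}: safe in context")
        else:
            print(f"{name}: {f.uca.value} -> {f.hazard} ({HAZARDS[f.hazard]}); {f.insufficiency}")
```

Note that the two shadow scenarios differ only in the following-vehicle field, yet one is a hazard and the other is not. That is the SOTIF point about full scenario context, and the `triggering_condition` and `insufficiency` fields are what a SOTIF analysis catalogs so the same trigger can be searched for across the rest of the scenario space.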

PlusAI SAF is designed to be a structured, quantifiable approach to a problem that is, by definition, difficult to fully enumerate. We are working to catalog known risks while also building the processes to find the ones we don’t know about yet.

Why This Matters for Trucks

The stakes in autonomous trucking are not the same as in passenger vehicles. A personal car that occasionally drives on the highway presents a different risk than an 80,000-pound heavy truck that is on the highway continuously, day after day. Autonomous trucking is industrial-grade autonomy, and it must meet the reliability standard of a pacemaker, not a smartphone.

That standard demands more than good average performance. It demands systematic reasoning about the edge cases, the triggering conditions, and the scenarios that only appear once in a thousand miles, but that can be catastrophic when they do. SOTIF is the framework that forces that reasoning into the open, and STPA is the tool that makes it tractable.

In the posts ahead, we will detail how the PlusAI SAF works in practice: how we identify functional insufficiencies, how we define and enumerate triggering conditions, and how we build the evidence needed to demonstrate that the unknown unsafe region has been reduced to an acceptable level.

Because in autonomous trucking, “good enough” is never good enough. And the first step to proving safety is knowing, with rigor and precision, what you don’t yet know.
