Safetronic 2025: Preview
What is an acceptable risk? A proposal
The safety of a product, i.e., not causing harm, is a crucial property for its lasting success on the market and for avoiding legal risks for the manufacturer. However, since perfect safety is typically not achievable, the question arises of what defines acceptable safety and acceptable risk, i.e., what the risk acceptance criteria (RAC) are.
Figure (© Fraunhofer IKS): Quantitative risk acceptance criteria are part of the set of all acceptance criteria. They are typically interpreted within a context and refer to some, but not all, safety-relevant properties of a system.
In the presentation at Safetronic, a new risk reference targeting effectively no fleet incidents (ENFLI) is introduced. It is motivated by an inconsistency between all known approaches from the literature (such as MEM, GAMAB, ALARP, PRB) and the field incident statistics of mature, safety-critical automotive systems. The established approaches have in common that some rate of critical events (e.g., fatalities) is used as a risk reference, for example 10^-9 fatalities/h. While this looks very small from the perspective of an individual vehicle user (or non-user), there is a serious implication if an Advanced Driver Assistance System (ADAS) that just achieves this target rate were released in a vehicle fleet of the typical size for privately owned vehicles. A simple calculation with the number of vehicles (e.g., >100,000) and the average usage time of the ADAS per vehicle over its lifetime (e.g., >1,000 h) shows that the probability of at least one accident caused by the ADAS somewhere in the fleet is far from zero.
Critical event is not expected to occur
Therefore, the risk-based principle ENFLI outlined in the presentation aims to make the probability of a critical event so small that in a realistic series application such an event is not expected to occur over the lifetime of the product. The method is conceptually derived from quantitative risk assessments that are performed to evaluate potential field issues.
To achieve this, and in contrast to the known approaches, referring to accidents or harm is not the preferred choice. It is possible to extend the method to address this, but the preferred approach is to apply the notions of ISO 26262:2018, namely safety goals and the Automotive Safety Integrity Level (ASIL), and to restrict the application of the ENFLI method to hazardous behavior that can also be described within the context of ISO 26262. The event to be counted is the violation of a safety goal. Since not all safety goals are equally critical (the ASIL, for example, distinguishes levels of criticality), an adjustment according to the criticality of the safety goal is made: it is justified to require less stringent numbers for a safety goal with lower criticality. This is done by a normalization with respect to criticality. The method then derives a criterion from the consideration of “Criticality Normalized Safety Goal Violations (CNSGV)”.
The normalization essentially estimates the percentage of safety goal violations in the considered system whose consequence is comparably critical to a worst-case automotive malfunction. The normalization will typically involve expert judgement, similar to the S, E and C parameters in the ASIL determination. A rationale for the concrete normalization proposal is part of the application of the method. If no reasonable expert judgement is possible in a concrete example, the ENFLI method might not be usable. The following graphic depicts the chain of causes leading to a criticality normalized violation of a safety goal:
Figure (© Dr. Susanne Ebel): chain of causes leading to a criticality normalized safety goal violation.
A violation of the safety goal can be caused by a system-internal condition, such as a functional insufficiency activated by a triggering condition (see ISO 21448:2022). In most cases, however, external conditions (e.g., the size of the deployed fleet) can also be taken into account, and these reduce the function's risk in the field. This is why the count is referred to as Criticality Normalized Safety Goal Violations.
The easiest way to do such a normalization is to use the ASIL (see ISO 26262:2018) of the safety goal. An ASIL D malfunction is then given a normalization factor of 1, and each reduction by one ASIL level reduces the factor by one order of magnitude. This is one of the possible options. To a limited extent it may be compared with the reduction of PMHF target values (Probabilistic Metric for random Hardware Failures) when going from ASIL D to ASIL C. However, ASIL determination is often guided by worst-case considerations rather than the average-oriented approach used here. In addition, malfunctions with the same ASIL may still differ significantly in how strongly they correlate with causing human harm, also because the ASIL does not reflect other forms of safety relevance such as SOTIF. A more fine-tuned normalization procedure can therefore be justified in application cases. The examples below give insight into how this may be done and justified.
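The two calculations sketched above (the fleet-level probability of at least one event at a given per-hour rate, and the ASIL-based criticality normalization of safety goal violations) can be carried through in a few lines. The following is an added example written for this page; it is not code from Fraunhofer IKS or from the Safetronic presentation. It assumes that violations occur as a Poisson process with a constant rate (so the fleet probability is 1 - exp(-rate × exposure)), it uses the simplest normalization option named above (ASIL D = 1, one order of magnitude per level), and it treats an expected CNSGV count of at most 0.1 over the fleet lifetime as the operational reading of "not expected to occur"; that threshold, the `SafetyGoal` class and all rates are constructed for illustration.

```python
"""Fleet-level incident probability and ENFLI-style CNSGV budget (added example)."""
import math
from dataclasses import dataclass
from typing import Iterable, Optional

# Simplest normalization option named on the page: ASIL D counts fully,
# each lower ASIL level counts one order of magnitude less.
ASIL_FACTOR = {"D": 1.0, "C": 1e-1, "B": 1e-2, "A": 1e-3}

# Assumed threshold: an expected count this far below 1 over the whole fleet
# lifetime is taken to mean the event "is not expected to occur".
DEFAULT_TARGET_CNSGV = 0.1


@dataclass
class SafetyGoal:
    """One ISO 26262 safety goal with an estimated violation rate (constructed)."""
    name: str
    asil: str                       # "A", "B", "C" or "D"
    violation_rate_per_h: float     # estimated safety goal violations per operating hour
    custom_factor: Optional[float] = None  # fine-tuned factor from expert judgement, if any

    def factor(self) -> float:
        # A justified fine-tuned factor overrides the plain ASIL-based factor.
        if self.custom_factor is not None:
            return self.custom_factor
        return ASIL_FACTOR[self.asil]


def fleet_exposure_hours(fleet_size: int, hours_per_vehicle: float) -> float:
    """Total operating hours of the function across the fleet lifetime."""
    return fleet_size * hours_per_vehicle


def fleet_incident_probability(rate_per_h: float, fleet_size: int, hours_per_vehicle: float) -> float:
    """P(at least one event anywhere in the fleet), Poisson model: 1 - exp(-rate * exposure)."""
    expected = rate_per_h * fleet_exposure_hours(fleet_size, hours_per_vehicle)
    return 1.0 - math.exp(-expected)


def expected_cnsgv(goals: Iterable[SafetyGoal], fleet_size: int, hours_per_vehicle: float) -> float:
    """Expected number of criticality normalized safety goal violations over the fleet."""
    exposure = fleet_exposure_hours(fleet_size, hours_per_vehicle)
    return sum(g.violation_rate_per_h * g.factor() * exposure for g in goals)


def max_violation_rate(asil: str, fleet_size: int, hours_per_vehicle: float,
                       target_cnsgv: float = DEFAULT_TARGET_CNSGV) -> float:
    """Largest per-hour violation rate for a single safety goal of the given ASIL
    that keeps the expected CNSGV over the fleet within the target."""
    return target_cnsgv / (ASIL_FACTOR[asil] * fleet_exposure_hours(fleet_size, hours_per_vehicle))


def enfli_satisfied(goals: Iterable[SafetyGoal], fleet_size: int, hours_per_vehicle: float,
                    target_cnsgv: float = DEFAULT_TARGET_CNSGV) -> bool:
    """True if the summed expected CNSGV over the fleet lifetime is within the target."""
    return expected_cnsgv(goals, fleet_size, hours_per_vehicle) <= target_cnsgv


if __name__ == "__main__":
    fleet, hours = 100_000, 1_000  # the page's illustrative fleet size and ADAS usage time
    # The page's example: a reference rate of 1e-9/h looks tiny per vehicle ...
    print(f"P(at least one event in fleet at 1e-9/h): "
          f"{fleet_incident_probability(1e-9, fleet, hours):.3f}")
    # ... but the fleet-wide budget per safety goal is much tighter:
    for asil in "DCBA":
        print(f"max rate for one ASIL {asil} safety goal: "
              f"{max_violation_rate(asil, fleet, hours):.1e} /h")
    goals = [  # constructed rates, not measured data
        SafetyGoal("SG1 unintended braking", "D", 1e-9),
        SafetyGoal("SG2 late warning", "B", 1e-8),
    ]
    print(f"expected CNSGV: {expected_cnsgv(goals, fleet, hours):.3f}, "
          f"ENFLI satisfied: {enfli_satisfied(goals, fleet, hours)}")
```

With the page's numbers, the expected count at 10^-9/h is 0.1 over the fleet, so the chance of at least one event is about 9.5 %. The budget view makes the same point from the other side: a single ASIL D safety goal must stay around 10^-9 violations per hour to fit the assumed target, while an ASIL B goal is allowed two orders of magnitude more, which is exactly the effect of the normalization factor.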
Safetronic 2025
Join the international conference on holistic safety for road vehicles on November 12-13 in Stuttgart | Leinfelden-Echterdingen.
The presentation will also include example calculations of Risk Acceptance Criteria (RAC) based on the ENFLI approach. This approach is a mandatory part of the SafeAI Framework, which is currently under development. The framework consists of activities, guiding principles and organizational elements. These activities may produce methods, tools, best practices, analysis technologies or other means that can be considered part of the framework. Determining the safety load on the AI using ENFLI is the starting point for deriving, consolidating and continuously improving the relevant safety qualities of an AI, including the definition of acceptance criteria.