[B]
Operational Domain Model
[FF]
Key features of Environment Outside ODM
[JJ]
ODM Transition Model
[LL]
Stakeholder Risk Acceptance Definition
[PP]
Out of Context Operation Assurance Argument Pattern
22. Assess AS Operation Outside ODM
23. Assure the Recognition of ODM Boundary
24. Assure Transitions In and Out of ODM
25. Define and Validate a Minimum Risk Strategy for AS Outside ODM
26. Demonstrate Risk Strategy is Satisfied Outside ODM
27. Instantiate Out of Context Operation Assurance Argument Pattern
[GG]
Out of Context Analysis Report
[HH]
Interpretation of ODM Boundary
[II]
ODM Boundary Assessment Report
[KK]
Transition Assessment Report
[MM]
Outside ODM Minimum Risk Strategy
[NN]
Outside ODM Strategy Justification Report
[OO]
Outside ODM Verification Report
[QQ]
Out of Context Operational Assurance Argument
Navigation
Minimap of introduction diagram
Minimap of stage diagram
[B]
Operational Domain Model
[FF]
Key features of Environment Outside ODM
[JJ]
ODM Transition Model
[LL]
Stakeholder Risk Acceptance Definition
[PP]
Out of Context Operation Assurance Argument Pattern
22. Assess AS Operation Outside ODM
23. Assure the Recognition of ODM Boundary
24. Assure Transitions In and Out of ODM
25. Define and Validate a Minimum Risk Strategy for AS Outside ODM
26. Demonstrate Risk Strategy is Satisfied Outside ODM
27. Instantiate Out of Context Operation Assurance Argument Pattern
[GG]
Out of Context Analysis Report
[HH]
Interpretation of ODM Boundary
[II]
ODM Boundary Assessment Report
[KK]
Transition Assessment Report
[MM]
Outside ODM Minimum Risk Strategy
[NN]
Outside ODM Strategy Justification Report
[OO]
Outside ODM Verification Report
[QQ]
Out of Context Operational Assurance Argument
View Diagram

SACE outline

Example 1 - Delivery robot
Example 2 - Self‐driving car
Note 1 - Defining capabilities
Note 2 - Iterative process
AS concept definition [A]

Example 3 - Autonomous cars
Example 4 - Office environment
Example 5 - Defining people
Note 3 - Challenges when defining an ODM

Example 6 - Office environment
Example 7 - Autonomous vehicle scenario
Note 4 - Scenes and scenarios
Note 5 - Resilience

AS operating context assurance argument pattern [G]

Example 8 - ODM and identified interactions
Note 8 - Mission and non-mission interactions

Example 9 - Decision point for an autonomous robot
Example 10 - Enumerated situations for an autonomous robot
Example 11 - Autonomous car turning at a roundabout
Example 12 - Autonomous insulin pump
Example 13 - Autonomous robot
Example 14 - Autonomous car
Example 15 - Autonomous insulin pump

Example 16 - Hazardous scenarios
Note 9 - System environmental belief state

AS hazardous scenarios assurance case pattern [I]

Example 17 - Autonomous car braking requirement
Example 18 - SOC for autonomous car on construction site
Example 19 - Autonomous insulin infusion pump
Example 20 - Autonomous passenger shuttle
Example 21 - Autonomous insulin infusion pump
Example 22 - Autonomous car in emergency roadworks
Note 10 - Requirements syntax
Note 11 - System-level safety requirements
Note 12 - Sufficient mitigation for hazardous scenarios
Definition of sufficiently safe [K]

Note 13 - Simulation

SOC argument pattern [N]

Example 24 - Different tiers of an autonomous system
Note 14 - Intent of the safety requirements
Note 15 - Decomposing safety requirements
Note 16 - Link between safety requirements and the design process
Note 17 - Machine learning

Note 18 - Relationships between safety requirements

Safety requirements argument pattern [S]

Note 19 - Definition of system architecture
Note 20 - Logical and physical structure of the system
Note 21 - Diversity in architecture redundancy
Note 22 - Fault tolerance approaches
Design process for tier n [X]

Note 23 - Independent reviewers

AS design assurance argument pattern [U]

Example 25 - Autonomous passenger shuttle
Note 24 - HAZOP analysis

Example 26 - Sensors for autonomous robot

AS hazardous failures argument pattern [DD]

Example 34 - In‐the‐loop simulation

AS verification Log [SS]

AS verification argument pattern [UU]

Assess AS operation outside ODM

In assessing the operation of an AS outside its ODM, it is important to understand the characteristics of the outside ODM environment relevant to the AS and its behaviours. Therefore this activity requires a description of the relevant key features that are anticipated in the environment outside of the ODM ([FF]). This is used to establish the scenarios that may arise due to excursions outside of the ODM.

Example 29 - Drone in severe weather conditions

A drone may be blown out to sea due to severe weather conditions and lose contact with its base station. It must be aware that it is now outside of its defined ODM, and that a landing on water may not be appropriate.

Those scenarios shall then be analysed to determine those which may be hazardous. There are a number of techniques that can be applied for this analysis such as Hazop [17], STAMP/STPA [28] or FRAM [13]. The analysis should involve personnel who understand the operating environments and can establish the most likely hazards for the AS if outside of the ODM. The identified hazardous scenarios due to excursions outside the ODM shall be documented in the Out of Context Analysis Report ([GG]) along with details of the analysis performed and any limitations on the analysis, e.g. assumptions regarding the environment outside the ODM.

Continue to: Artefact FF. Description of key features of environment outside ODM
  • Assuring Autonomy logo
  • Lloyd's Register Foundation Logo
  • University of York logo

Our site depends on cookies to provide our service to you. If you continue to use this site we will assume that you are happy with that. View our privacy policy.