Navigation
Minimap of introduction diagram
Minimap of stage diagram
View Diagram

SACE outline

Example 1 - Delivery robot
Example 2 - Self‐driving car
Note 1 - Defining capabilities
Note 2 - Iterative process
AS concept definition [A]

Example 3 - Autonomous cars
Example 4 - Office environment
Example 5 - Defining people
Note 3 - Challenges when defining an ODM

Example 6 - Office environment
Example 7 - Autonomous vehicle scenario
Note 4 - Scenes and scenarios
Note 5 - Resilience

AS operating context assurance argument pattern [G]

Example 8 - ODM and identified interactions
Note 8 - Mission and non-mission interactions

Example 9 - Decision point for an autonomous robot
Example 10 - Enumerated situations for an autonomous robot
Example 11 - Autonomous car turning at a roundabout
Example 12 - Autonomous insulin pump
Example 13 - Autonomous robot
Example 14 - Autonomous car
Example 15 - Autonomous insulin pump

Example 16 - Hazardous scenarios
Note 9 - System environmental belief state

AS hazardous scenarios assurance case pattern [I]

Example 17 - Autonomous car braking requirement
Example 18 - SOC for autonomous car on construction site
Example 19 - Autonomous insulin infusion pump
Example 20 - Autonomous passenger shuttle
Example 21 - Autonomous insulin infusion pump
Example 22 - Autonomous car in emergency roadworks
Note 10 - Requirements syntax
Note 11 - System-level safety requirements
Note 12 - Sufficient mitigation for hazardous scenarios
Definition of sufficiently safe [K]

Note 13 - Simulation

SOC argument pattern [N]

Example 24 - Different tiers of an autonomous system
Note 14 - Intent of the safety requirements
Note 15 - Decomposing safety requirements
Note 16 - Link between safety requirements and the design process
Note 17 - Machine learning

Note 18 - Relationships between safety requirements

Safety requirements argument pattern [S]

Note 19 - Definition of system architecture
Note 20 - Logical and physical structure of the system
Note 21 - Diversity in architecture redundancy
Note 22 - Fault tolerance approaches
Design process for tier n [X]

Note 23 - Independent reviewers

AS design assurance argument pattern [U]

Example 25 - Autonomous passenger shuttle
Note 24 - HAZOP analysis

Example 26 - Sensors for autonomous robot

AS hazardous failures argument pattern [DD]

Example 34 - In‐the‐loop simulation

AS verification Log [SS]

AS verification argument pattern [UU]

Assure the Recognition of the ODM Boundary

Safe operation of an AS requires that the ODM boundary is correctly recognised. If the AS is unaware that its operation has moved outside of the ODM as defined in Activity 2 then its safety may not be assured.

Example 30 - Autonomous car leaving a motorway Automotive

A car is only capable of operating autonomously on a motorway, but during operation there are lane closures and move to a minor road running due to an accident. In this case the car must recognise that this situation represents an ODM boundary, as minor roads are not included in the ODM.

The approach that the AS will use during operation to determine and interpret the ODM boundary shall be determined based upon a consideration of the capability of the AS to sense and understand the ODM. Since perfect recognition of the ODM boundary will not be possible, it will always be necessary to make approximations and assumptions to reflect the AS sensing capabilities. In some cases it may not be possible to directly detect the ODM features using the sensors available to the AS. In such cases it may be that “proxy” measurements are required to be used to recognise the ODM boundary.

Example 31 - Car's rainfall sensor Automotive

The ODM for an autonomous car specifies a maximum permitted intensity of rainfall. The car is fitted with a rainfall sensor as part of the automatic windscreen wiper system. The vehicle makes use of this sensor for recognising the ODM boundary. As such the rapid wiper threshold is used as a proxy for the maximum rainfall intensity permitted by the ODM. Since the rapid wiper threshold is less than the intensity defined for the ODM this is determined to be acceptable to use for ODM recognition.

Note 27 - Challenges to recognising the ODM boundary

Recognition of the ODM boundary is often challenging for a number of reasons including:

  • Many parameters may interact to form the ODM boundary, such as weather conditions, speed etc. For instance, an autonomous vehicle may only be able to progress through fog when visibility is at least 10 metres, during daytime, when speed is less than 60mph.
  • There may be a complex boundary shape/envelope/volume with ‘holes’ or difficult geometry. For example a medical image recognition system which can be used for detection of tumours in radiological images only for patient age ranges 40‐45 and 65‐85 (due to the extent of the available training data).
  • The AS itself may have to use an interpretation of the boundary which may be a different, or simplified approximation of the actual ODM boundary, to give appropriate margins. For example instead of a more complex boundary condition where a drone is able to fly in wind speeds less than 15 km/h and gusts of up to 20 km/h, the interpretation of the boundary the drone uses is wind speeds less than 12 km/h.
  • It may take some time for the processing and analysis of the sensor data to establish whether the AS is near or has crossed the ODM boundary.
  • The sensor data used to determine the ODM boundary may be approximate, noisy or subject to infrequent updates. All sensors have an accuracy, resolution and a reading lag time; some also have a polling interval. Sensors may age and deteriorate and readings drift or become subject to bias or noise over time. Individual sensor data may be subject to errors or variations and may have to be averaged with others or over time. This is particularly a problem in harsh environments such as marine, automotive or aviation. In this case the sensing of the ODM may be delayed, or incorrect for some time. Margins therefore have to be implemented for operation, i.e. working to a smaller ODM, so that in all reasonable scenarios the actual ODM boundary can be sensed.
  • ‘Flip‐flopping’ between boundary states may occur, i.e rapid switching between in and out detections. The maximum rate at which changes with respect to the ODM boundary are detected by the AS must be considered. It may be better to indicate the AS as outside of ODM for a minimum period of time if there are likely to be many boundary detection events in a short period of time. Hysteresis biased towards early recognition, i.e. conservative detection, may be needed.

The approach for determining the ODM boundary during operation shall be documented ([HH]) together with any assumptions and approximations made. It shall be demonstrated that the AS is able to recognise the ODM boundary as interpreted during operation. This will involve consideration of at least four recognition cases:

  1. AS is approaching the ODM boundary from within the ODM.
  2. AS is crossing the ODM boundary.
  3. AS is approaching the ODM boundary from outside the ODM.
  4. AS is re‐entering the ODM from outside.

For each of the four cases above, it shall be determined how these may be unsafe through consideration of:

  1. Timeliness ‐ ODM boundary recognised too early or too late.
  2. Accuracy ‐ false positive recognition (ODM boundary recognised mistakenly) or false negative recognition (ODM boundary not recognised when it should be).
  3. Hysteresis ‐ AS holds on to a ODM boundary recognition state for too short or too long a period.

For any of the cases that are determined to be potentially hazardous it shall be demonstrated that those cases are sufficiently mitigated by the AS. There are a number of approaches for this including testing of scenarios relating to each of these cases. Testing alone however may not be able to provide sufficient evidence where the ODM boundary is complex (as testing can only sample the boundary space). Simulations and analysis of the ODM boundary recognition may therefore also be needed (see Stage 8 for further guidance on this).

The results of the ODM boundary recognition assessment shall be documented ([II]).

Continue to: Activity 24. Assure transitions in and out of ODM
  • Assuring Autonomy logo
  • Lloyd's Register Foundation Logo
  • University of York logo

Our site depends on cookies to provide our service to you. If you continue to use this site we will assume that you are happy with that. View our privacy policy.