Navigation
Minimap of introduction diagram
Minimap of stage diagram
View Diagram

SACE outline

Example 1 - Delivery robot
Example 2 - Self‐driving car
Note 1 - Defining capabilities
Note 2 - Iterative process
AS concept definition [A]

Example 3 - Autonomous cars
Example 4 - Office environment
Example 5 - Defining people
Note 3 - Challenges when defining an ODM

Example 6 - Office environment
Example 7 - Autonomous vehicle scenario
Note 4 - Scenes and scenarios
Note 5 - Resilience

AS operating context assurance argument pattern [G]

Example 8 - ODM and identified interactions
Note 8 - Mission and non-mission interactions

Example 9 - Decision point for an autonomous robot
Example 10 - Enumerated situations for an autonomous robot
Example 11 - Autonomous car turning at a roundabout
Example 12 - Autonomous insulin pump
Example 13 - Autonomous robot
Example 14 - Autonomous car
Example 15 - Autonomous insulin pump

Example 16 - Hazardous scenarios
Note 9 - System environmental belief state

AS hazardous scenarios assurance case pattern [I]

Example 17 - Autonomous car braking requirement
Example 18 - SOC for autonomous car on construction site
Example 19 - Autonomous insulin infusion pump
Example 20 - Autonomous passenger shuttle
Example 21 - Autonomous insulin infusion pump
Example 22 - Autonomous car in emergency roadworks
Note 10 - Requirements syntax
Note 11 - System-level safety requirements
Note 12 - Sufficient mitigation for hazardous scenarios
Definition of sufficiently safe [K]

Note 13 - Simulation

SOC argument pattern [N]

Example 24 - Different tiers of an autonomous system
Note 14 - Intent of the safety requirements
Note 15 - Decomposing safety requirements
Note 16 - Link between safety requirements and the design process
Note 17 - Machine learning

Note 18 - Relationships between safety requirements

Safety requirements argument pattern [S]

Note 19 - Definition of system architecture
Note 20 - Logical and physical structure of the system
Note 21 - Diversity in architecture redundancy
Note 22 - Fault tolerance approaches
Design process for tier n [X]

Note 23 - Independent reviewers

AS design assurance argument pattern [U]

Example 25 - Autonomous passenger shuttle
Note 24 - HAZOP analysis

Example 26 - Sensors for autonomous robot

AS hazardous failures argument pattern [DD]

Example 29 - Drone in severe weather conditions
Description of key features of environment outside ODM [FF]

Example 30 - Autonomous car leaving a motorway
Example 31 - Car's rainfall sensor
Note 27 - Challenges to recognising the ODM boundary

Example 32
ODM transition model [JJ]

Example 33 - Satellite ‘safe modes’
Note 28 - Handover
Stakeholder risk acceptance definition [LL]

AS Hazardous Scenarios Assurance Case Pattern PP [PP]

Determine verification strategy

An appropriate verification strategy shall be adopted. At the highest level this will require a decision on whether verification shall be undertaken using testing, formal verification or a combination of both approaches. The advantages and disadvantages of using either approach for the verification of AS are discussed below.

Testing Testing involves exposing the system to a defined set of inputs and checking that the outputs or behaviour of the system is as specified and safe. The main advantage of using testing is that evidence may be generated against the real system operating in the target environment. This means that demonstrating the relevance of the verification evidence to the AS operation is comparatively straightforward.

Some testing of AS may however be performed in a controlled environment, such as a test site or a laboratory setting, requiring that the similarity to the actual operating environment is demonstrated. The main disadvantage is that testing cannot be carried out exhaustively, so achieving an acceptable level of coverage of the operating domain can be very challenging, particularly for AS in complex operating environments that represent a very large state space. Providing justification for the acceptability of the level of coverage that is achieved is also a major challenge.

Simulation Testing does not always need to be performed using the target AS in its intended operating environment. Particularly for AS, simulation may also be used for the purposes of testing. Simulation may be used for a number of reasons:

  • it can allow verification activities to begin earlier in the development lifecycle, since a fully developed system is not required
  • it can also enable tests to be carried out that would otherwise be difficult to create (due to their rarity in the real world) or dangerous to perform (since they would require exposing people to unnecessary risk)
  • it can also be used as a way of increasing the coverage that can be achieved through testing, by enabling test cases to be created quickly and cheaply.

The disadvantage of using simulation is that all simulations are models of the real world and justifying the representativeness of the simulation models can be challenging. This is discussed further in Activity 29.

“In‐the‐loop” simulation is an approach that can be used as part of the verification of an AS in which real system components are used to provide inputs to the simulation. Using an in‐the‐loop approach can help to ensure that the data used by the simulation during verification is representative of the data to which the AS will be exposed during operation.

Example 34 - In‐the‐loop simulation Automotive

There are many examples that illustrate the use of in‐the‐loop simulations for AS in many different applications, such as autonomous driving ([11]) and unmanned aerial vehicles ([27] and [34]).

Formal verification Formal verification involves using mathematical techniques to prove that a formally specified model of (some aspect of) the AS will always satisfy a set of formally specified properties. The main advantage of using formal verification techniques is that the properties are proved to be true for the entire scope of the model of the AS, meaning that the challenge of demonstrating sufficient coverage that existed for testing is avoided. The disadvantage of using formal analysis is being able to demonstrate that the analysis results are a true reflection of the real system in operation. Firstly, in order to support verification, the formally specified properties that are defined must sufficiently capture the intent of the safety requirements being verified. Secondly, the formal model, upon which the properties are proven to hold, must be sufficiently representative of the system itself, and any elements of the operating environment included in the model. All models require abstractions and assumptions to be made. For complicated AS operating in complex environments demonstrating the acceptability of the abstractions and assumptions made is challenging. Due to these challenges, formal methods should be used with caution for AS, and should be done so in combination with testing. An overview providing further details of different applications of formal methods to AS is available at [30].

The chosen verification strategy shall be documented ([RR]).

Continue to: Activity 29. Prepare and justify verification activities
  • Assuring Autonomy logo
  • Lloyd's Register Foundation Logo
  • University of York logo

Our site depends on cookies to provide our service to you. If you continue to use this site we will assume that you are happy with that. View our privacy policy.