Identify potential AS hazardous failures at tier n

The proposed design of the AS at each tier shall be analysed to identify the potential hazardous failures that could arise from that design. Even though an AS has been developed to satisfy the identified safety requirements, it may still be capable of doing something else, under certain conditions, that is hazardous. Such hazardous failures often cannot be identified until the detail of the design solution, and in particular the characteristics of the system components, is understood.

Potentially hazardous failures are identified by considering possible deviations from intended behaviour that may arise for the AS. Analysis shall be undertaken based upon the information regarding the design at the current tier under consideration ([VW]). The analysis shall consider information about the particular components proposed as part of that design. In particular the known limitations of the components, their known failure modes, and the conditions under which the components may fail, or under which their performance may deteriorate, shall be considered in the analysis.

Example 25 - Autonomous passenger shuttle (Automotive)

The cameras chosen for an autonomous passenger shuttle to determine its distance from the footpaths adjacent to the road are found not to function well in sunlight that is both of high intensity and at an acute angle to the road. This is a potentially hazardous failure since it may result in the shuttle driving too close to the footpath.

At higher levels of abstraction, where specific component solutions have not yet been chosen, analysing the AS design for possible deviations must be undertaken predictively. For this analysis, a technique such as HAZOP [17], which applies a set of defined guidewords to elements of the design in order to prompt the identification of possible deviations, can be used. For more detailed levels of design, once the properties of the actual components are known, a more specific deviation analysis technique such as failure modes and effects analysis (FMEA) [6] can be used, perhaps in combination with Fault Tree Analysis [26] in order to understand the causal path. Safety analysis of this kind forms part of traditional safety engineering processes. For AS it is important that deviations relating specifically to the autonomy of the system (particularly understanding and decision-making deviations) are identified.

Note 24 - HAZOP analysis

Although a fairly traditional HAZOP analysis may be applicable to AS, particular attention must be paid to subtle deviations when interpreting the guidewords. For example, when analysing a proposed perception component, careful consideration must be given to how the following guidewords may be defined and interpreted:

  • More (more than one object detected when only one is present)
  • Less (fewer objects are detected than are actually present)
  • As well as (an extra area is classified as navigable as well as the intended route)
  • Part of (only part of an object is detected)
  • Other than (an object is classified other than what it is)

It may also be the case that additional guidewords are required when considering AS such as:

  • Intermittent (considers intermittent detection and/or classification)
  • Erroneous but credible (elicits failure conditions relating to information that is incorrect but ‘believable’)

Having identified the possible deviations, the hazardous failures are determined by considering which of the deviations, if they occurred in the AS, could result in a hazardous outcome.
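As an added example, not part of the SACE guidance nor of any real shuttle project, the following Python treats the guideword step of Note 24 and the "which deviations are hazardous" step above as a small fault-injection exercise. Each guideword (the five interpreted in Note 24 plus the two additional ones) is implemented as one concrete deviation of a perception component's output; a simplified downstream controller acts on the deviated output, and the outcome is judged against the true scene rather than the perceived one. The scene (kerb clearance and a pedestrian ahead, mirroring Example 25), the controller thresholds, the two-frame debounce and the chosen interpretation of each guideword are all constructed assumptions.

```python
"""Guideword-driven deviation injection for a perception component.
Added example (not SACE guidance, not a real system): each Note 24 guideword becomes a
transformation of the perception output; a simplified controller plus a hazard check then
decide which deviations lead to a hazardous outcome. Scene, thresholds and guideword
interpretations are constructed assumptions."""
from copy import deepcopy

# Constructed ground truth: shuttle edge 0.9 m from the kerb, one pedestrian 8 m ahead in lane.
TRUE_KERB_M = 0.9
TRUE_OBJECTS = [{"cls": "pedestrian", "ahead_m": 8.0, "lateral_m": 0.2}]

# Assumed controller parameters.
TARGET_KERB_M = 1.0     # lateral controller steers towards this kerb clearance
MAX_SHIFT_M = 1.0       # largest lateral correction applied in one step
MIN_SAFE_KERB_M = 0.3   # hazard if the true clearance drops below this
BRAKE_RANGE_M = 10.0    # brake for any in-lane obstacle closer than this
LANE_HALF_WIDTH_M = 1.5
DRIVE_THROUGH = {"plastic_bag"}  # classes the controller deliberately does not brake for
N_FRAMES = 4

def perceive_truth():
    """Nominal perception output: N_FRAMES identical frames reporting the true scene."""
    return [{"kerb_m": TRUE_KERB_M, "objects": deepcopy(TRUE_OBJECTS)} for _ in range(N_FRAMES)]

def in_lane_ahead(obj):
    return abs(obj["lateral_m"]) <= LANE_HALF_WIDTH_M and obj["ahead_m"] <= BRAKE_RANGE_M

def obstacle_present(frame):
    return any(in_lane_ahead(o) and o["cls"] not in DRIVE_THROUGH for o in frame["objects"])

def controller(frames):
    """Return (lateral shift towards the kerb in metres, braking?) from perceived frames.
    Braking is debounced: an obstacle must be present in the last two frames."""
    shift = max(-MAX_SHIFT_M, min(MAX_SHIFT_M, frames[-1]["kerb_m"] - TARGET_KERB_M))
    braking = obstacle_present(frames[-1]) and obstacle_present(frames[-2])
    return shift, braking

def hazardous(frames):
    """Judge the controller's action against the TRUE scene, not the perceived one."""
    shift, braking = controller(frames)
    too_close_to_kerb = TRUE_KERB_M - shift < MIN_SAFE_KERB_M
    unbraked_obstacle = any(in_lane_ahead(o) for o in TRUE_OBJECTS) and not braking
    return too_close_to_kerb or unbraked_obstacle

# Guidewords from Note 24, each interpreted as one concrete deviation of the perception output.
def more(frames):
    for f in frames:  # the same pedestrian is reported twice
        f["objects"].append(deepcopy(f["objects"][0]))
    return frames

def less(frames):
    for f in frames:  # the pedestrian is not detected at all
        f["objects"].clear()
    return frames

def as_well_as(frames):
    for f in frames:  # area beyond the kerb classified as navigable: kerb appears 1 m further away
        f["kerb_m"] += 1.0
    return frames

def part_of(frames):
    for f in frames:  # only the far edge of the pedestrian is detected, so it appears outside the lane
        f["objects"][0]["lateral_m"] = 1.8
    return frames

def other_than(frames):
    for f in frames:  # pedestrian classified as something the controller drives through
        f["objects"][0]["cls"] = "plastic_bag"
    return frames

def intermittent(frames):
    for i, f in enumerate(frames):  # detection present only on alternate frames
        if i % 2 == 0:
            f["objects"].clear()
    return frames

def erroneous_but_credible(frames):
    for f in frames:  # pedestrian reported at a plausible (in-range) but wrong distance
        f["objects"][0]["ahead_m"] = 25.0
    return frames

GUIDEWORDS = {"More": more, "Less": less, "As well as": as_well_as, "Part of": part_of,
              "Other than": other_than, "Intermittent": intermittent,
              "Erroneous but credible": erroneous_but_credible}

def analyse():
    """Apply every guideword to nominal perception; map guideword -> hazardous outcome?"""
    return {name: hazardous(deviate(perceive_truth())) for name, deviate in GUIDEWORDS.items()}

def hazardous_failures():
    """The deviations the analysis carries forward as hazardous failures."""
    return sorted(name for name, haz in analyse().items() if haz)

if __name__ == "__main__":
    assert not hazardous(perceive_truth()), "nominal perception must not be hazardous"
    for name, haz in analyse().items():
        print(f"{name:24s} -> {'hazardous failure' if haz else 'no hazardous outcome'}")
```

Two points the run makes that the prose alone does not: "More" produces a deviation that this controller tolerates (a duplicated detection still triggers braking), so not every deviation becomes a hazardous failure; and "Intermittent" defeats a debounce that was itself a sensible mitigation against single-frame dropouts, which is why the extra guideword earns its place. Every verdict depends entirely on the assumed controller and hazard definition, so a model like this supports, rather than replaces, the structured guideword study, and the choices behind it are exactly what the safety analysis report has to justify.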

The results of the analyses, including the identified hazardous failures, shall be documented in the safety analysis report ([BB]). The safety analysis report shall also provide a justification for the sufficiency of the analysis approach used, including the suitability of the approach for the particular tier under consideration and the appropriateness of any modifications made to existing techniques to consider autonomy-related deviations.
