Navigation
View Diagram

SACE outline

Example 1 - Delivery robot
Example 2 - Self‐driving car
Note 1 - Defining capabilities
Note 2 - Iterative process
AS concept definition [A]

Example 3 - Autonomous cars
Example 4 - Office environment
Example 5 - Defining people
Note 3 - Challenges when defining an ODM

Example 6 - Office environment
Example 7 - Autonomous vehicle scenario
Note 4 - Scenes and scenarios
Note 5 - Resilience

AS operating context assurance argument pattern [G]

Example 8 - ODM and identified interactions
Note 8 - Mission and non-mission interactions

Example 9 - Decision point for an autonomous robot
Example 10 - Enumerated situations for an autonomous robot
Example 11 - Autonomous car turning at a roundabout
Example 12 - Autonomous insulin pump
Example 13 - Autonomous robot
Example 14 - Autonomous car
Example 15 - Autonomous insulin pump

Example 16 - Hazardous scenarios
Note 9 - System environmental belief state

AS hazardous scenarios assurance case pattern [I]

Example 17 - Autonomous car braking requirement
Example 18 - SOC for autonomous car on construction site
Example 19 - Autonomous insulin infusion pump
Example 20 - Autonomous passenger shuttle
Example 21 - Autonomous insulin infusion pump
Example 22 - Autonomous car in emergency roadworks
Note 10 - Requirements syntax
Note 11 - System-level safety requirements
Note 12 - Sufficient mitigation for hazardous scenarios
Definition of sufficiently safe [K]

Note 13 - Simulation

SOC argument pattern [N]

Example 24 - Different tiers of an autonomous system
Note 14 - Intent of the safety requirements
Note 15 - Decomposing safety requirements
Note 16 - Link between safety requirements and the design process
Note 17 - Machine learning

Note 18 - Relationships between safety requirements

Safety requirements argument pattern [S]

Note 19 - Definition of system architecture
Note 20 - Logical and physical structure of the system
Note 21 - Diversity in architecture redundancy
Note 22 - Fault tolerance approaches
Design process for tier n [X]

Note 23 - Independent reviewers

AS design assurance argument pattern [U]

Example 25 - Autonomous passenger shuttle
Note 24 - HAZOP analysis

Example 26 - Sensors for autonomous robot

AS hazardous failures argument pattern [DD]

Example 29 - Drone in severe weather conditions
Description of key features of environment outside ODM [FF]

Example 30 - Autonomous car leaving a motorway
Example 31 - Car's rainfall sensor
Note 27 - Challenges to recognising the ODM boundary

Example 32
ODM transition model [JJ]

Example 33 - Satellite ‘safe modes’
Note 28 - Handover
Stakeholder risk acceptance definition [LL]

AS Hazardous Scenarios Assurance Case Pattern PP [PP]

Example 34 - In‐the‐loop simulation

AS verification Log [SS]

AS verification argument pattern [UU]

Overview of SACE

The SACE process runs in parallel to and complements the activities undertaken as part of an existing systems engineering and associated system safety assurance process. We assume that such a system safety assurance process is in place and that the activities described as part of the SACE process are modifications, enhancements or additions to that system safety process to specifically deal with the safety assurance challenges of an autonomous system operating in a complex environment. In this guidance we do not describe what that baseline system safety assurance process is, however, neither do we assume that any particular system safety process is adopted, instead we define certain characteristics that the safety assurance process should have. Figure 1 below provides a model of this baseline safety process that illustrates the following required features:

  • Safety requirements are identified at multiple levels of decomposition of the AS design based on analysis of the system.
  • The safety requirements at each level of decomposition preserve the intent of, and are traceable to the safety requirements at preceding levels.
  • The safety requirements are allocated to components that implement those requirements.
  • Verification and assessment at each level of integration provide evidence that the allocated safety requirements are satisfied.
  • Throughout the process analysis is performed to identify potential common cause failures, which are reflected in the safety requirements.

These features are influenced by established good practice system safety processes such as the Aerospace Recommended Practice ARP 4754A [2].

Note that the system safety assurance process itself runs in parallel to, is informed by, and informs, the system development process. In addition, the development of the safety case for the system also runs in parallel to this process. The safety case process is discussed in more detail below. For clarity we do not show either the development process or the safety case development process in Figure 1.

This SACE guidance covers only part of this overall system safety assurance process, as indicated by the SACE box in Figure 1. SACE starts at the beginning of the development process when a concept for the AS has been determined and continues down to the derivation of requirements for the sub‐systems of the AS. SACE also considers verification of the AS at the sub‐system and system level. SACE does not include the development of requirements for the individual system components, or the implementation of those components. These issues are considered as part of other guidance documents. For example, safety assurance of components implemented using machine learning is considered as part of the AMLAS (Assurance of Machine Learning for Autonomous Systems) guidance [20], as indicated in Figure 1 below.

Figure 1: The scope of the SACE process

There are other safety assurance aspects that are not within the scope of the SACE guidance. Firstly, the safety assurance activities considered by SACE are only those that are applied during the development phase of the AS lifecycle, that is activities carried out prior to deployment of the AS into operation. Although the SACE activities will have consideration for safety assurance during later lifecycle phases such as operation and maintenance, the safety assurance activities that are actually undertaken during these later phases (often referred to as operational safety management) are not within the scope of this document. Secondly, SACE focuses on safety assurance for an individual AS. Although this involves consideration of the interaction of that AS with other agents (including other AS), SACE does not explicitly consider the additional safety assurance implications of multiple collaborating ASs (see [14] for examples of safety approaches for collaborative robots). Thirdly, SACE does not provide guidance on the legal and ethical considerations surrounding the development and operation of AS. Such issues will be considered as part of separate guidance [38]. SACE takes as an input the output from such considerations in the form of defined acceptance criteria. This input to the SACE process is discussed when describing Stage 2.

Continue to: AS safety case
  • Assuring Autonomy logo
  • Lloyd's Register Foundation Logo
  • University of York logo

Our site depends on cookies to provide our service to you. If you continue to use this site we will assume that you are happy with that. View our privacy policy.