
SACE outline

Out of context operation assurance

Objectives

  1. Demonstrate that the AS will be aware if it is leaving the defined autonomous operating context
  2. Implement a strategy that ensures the AS remains sufficiently safe even if it leaves the defined autonomous operating context
  3. Instantiate the out of context operation assurance argument pattern

Inputs to the stage

  • [B] : Operational domain model
  • [FF] : Key features of environment outside ODM
  • [JJ] : ODM transition model
  • [LL] : Stakeholder risk acceptance definition
  • [PP] : Out of context operation assurance argument pattern

Outputs of the stage

  • [GG] : Out of context analysis report
  • [HH] : Interpretation of ODM boundary
  • [II] : ODM boundary assessment report
  • [KK] : Transition assessment report
  • [MM] : Outside ODM minimum risk strategy
  • [NN] : Outside ODM strategy justification report
  • [OO] : Outside ODM verification report
  • [QQ] : Out of context operation assurance argument

Description of the stage

As shown in Figure 26 above, this stage consists of six activities that are performed to define and validate the safe out of context operation for an AS. The artefacts generated from this stage are used to instantiate the out of context operation assurance argument pattern as part of Activity 27. An AS may spend some time operating outside the defined ODM ([B]) whilst still operating autonomously. This could be unsafe, since autonomous operation is only assured for safety within the defined ODM. There are several situations in which operation outside the ODM may occur:

  1. The environment or context of the AS suddenly changes without warning (see example 28 below).
  2. The AS fails to recognise the boundary of the ODM (see example 29 in Activity 22).
  3. The boundary of the ODM is poorly defined, ambiguous or has dynamically changed. As in example 29, the transition between classes of weather conditions may, for example, be ambiguously defined.
  4. The AS does not recognise the boundary of the ODM within an acceptable period of time.
  5. The AS recognises the boundary but is unable to hand over to another function or an operator (either because none are available or the transition itself fails) and therefore continuation in autonomous mode is the safest option.
  6. The AS fails to transition out of autonomous mode quickly enough (this could take seconds or even minutes).

Example 27 - Autonomous car - flash floods (Automotive)

An autonomous road vehicle encounters flash flooding on the road. Such flood conditions are not within the ODM as they cannot be handled safely by the autonomous driving function. Since the flash flood conditions arise suddenly and unexpectedly it is not possible for the vehicle to anticipate and avoid these conditions.

Example 28 - Agricultural robot (Agriculture)

The ODM for an agricultural robot includes rain but not snow as the robot cannot operate safely in snowy conditions. During operation in heavy rain, the low temperature causes the rain to become sleet, followed by a transition to snow. The AS is unclear as to when sleet becomes snow and hence when it has moved outside of the ODM.

Note 25 - Time spent in autonomous mode

It is expected that time spent in autonomous mode outside the ODM should be limited, or indeed transient. Note that one option for dealing with operation outside the ODM is to get back within the ODM as soon as possible.
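The following is an added illustration, not code from SACE or from any project it describes, of how Objectives 1 and 2 and the time limit in Note 25 might be realised for the Example 28 robot: the ODM monitor detects the boundary crossing, treats the ambiguous sleet class conservatively as outside the ODM, requests a handover, and falls back to a minimum risk strategy when no operator accepts within a time budget. The precipitation classes, the ten-second budget and all names are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Mode(Enum):
    AUTONOMOUS = "autonomous"
    HANDOVER_REQUESTED = "handover_requested"   # outside ODM, waiting for an operator
    OPERATOR = "operator"                       # handover succeeded
    MINIMUM_RISK = "minimum_risk"               # outside-ODM minimum risk strategy engaged

# Assumed ODM for the Example 28 robot: rain is inside, snow is outside, and the
# sleet boundary is ambiguous, so it is classified conservatively as outside the ODM.
INSIDE_ODM = {"none", "rain"}

@dataclass
class OdmMonitor:
    max_outside_s: float       # assumed budget for autonomous time outside the ODM (Note 25)
    mode: Mode = Mode.AUTONOMOUS
    outside_since: Optional[float] = None
    events: list = field(default_factory=list)

    def step(self, t: float, precipitation: str, operator_available: bool) -> Mode:
        if self.mode in (Mode.OPERATOR, Mode.MINIMUM_RISK):
            return self.mode                       # terminal states in this illustration
        if precipitation in INSIDE_ODM:
            if self.outside_since is not None:     # back inside the ODM: cancel the handover
                self.events.append((t, "back inside ODM"))
            self.outside_since, self.mode = None, Mode.AUTONOMOUS
            return self.mode
        if self.outside_since is None:             # Objective 1: the crossing is detected
            self.outside_since = t
            self.mode = Mode.HANDOVER_REQUESTED
            self.events.append((t, f"outside ODM ({precipitation}), handover requested"))
        if operator_available:
            self.mode = Mode.OPERATOR
            self.events.append((t, "handover completed"))
        elif t - self.outside_since >= self.max_outside_s:   # Objective 2: budget exhausted
            self.mode = Mode.MINIMUM_RISK
            self.events.append((t, "minimum risk strategy engaged"))
        return self.mode

def run(samples, max_outside_s=10.0):
    """samples: (t, precipitation, operator_available). Returns (final mode, event log)."""
    monitor = OdmMonitor(max_outside_s)
    for t, precipitation, available in samples:
        monitor.step(t, precipitation, available)
    return monitor.mode, monitor.events

# Constructed timeline for Example 28: rain turns to sleet, then snow; no operator is available.
EXAMPLE_28 = [(0, "rain", False), (5, "rain", False), (10, "sleet", False),
              (15, "sleet", False), (20, "snow", False), (25, "snow", False)]

if __name__ == "__main__":
    for event in run(EXAMPLE_28)[1]:
        print(event)
```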

Continue to: Activity 22. Assess AS operation outside ODM
