Define mitigations for identified hazardous failures

Mitigations shall be defined for all of the identified potential hazardous AS failures ([BB]). The mitigations may take various forms, such as:

  • defining required design changes
  • limitations to the operating concept
  • deriving additional safety requirements

Where changes are made to the AS design in order to mitigate identified hazardous failures, Activity 19 shall be repeated for the changed design to ensure that the changes themselves have not introduced additional hazardous failures (for example, a newly added component has its own failure modes). The suitability of the design changes shall be justified as part of the design justification report ([Y]).

Limitations on the operating concept may include changes to the reduced operating domain (ROD) of the AS, adding constraints that exclude the conditions under which the hazardous failure can occur. Any change to the ROD shall be reflected in the safe operating concept (SOC) definition ([L]).

Any additional safety requirements that are derived shall be added to the existing safety requirements definition ([Q]) for implementation. For some of the identified potential hazardous failures it may be determined that the existing design is already sufficient to mitigate those failures (for example, through redundancy in the architecture). Where this is the case, the justification for relying on the existing design shall be documented as part of the design justification report ([Y]).
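The paragraphs above amount to a closure check over the artefacts: every hazardous failure in [BB] must be covered by at least one mitigation, each mitigation must be routed to the artefact that records it ([Y], [L] or [Q]), anything routed to [Y] needs a written justification, and any design change triggers a repeat of Activity 19. The following is an added illustration of that check, not code from the SACE guidance; the data model (HazardousFailure, Mitigation, Report, the mitigation kind names) and the sample failures and mitigations are constructed for the example.

```python
"""Traceability check for Activity 20 (added example; hypothetical data model).

Verifies that every identified hazardous failure has a mitigation, routes each
mitigation to the artefact it must update, and flags follow-up actions.
"""
from dataclasses import dataclass, field

# Artefact identifiers as used on the page.
HAZARDOUS_FAILURES = "BB"      # identified potential hazardous failures
DESIGN_JUSTIFICATION = "Y"     # design justification report
SAFE_OPERATING_CONCEPT = "L"   # SOC definition, which records the ROD
SAFETY_REQUIREMENTS = "Q"      # safety requirements definition

# Mitigation kinds from the text -> (artefact to update, repeat Activity 19?).
# The kind names themselves are an assumption of this example.
MITIGATION_KINDS = {
    "design_change":      (DESIGN_JUSTIFICATION, True),
    "rod_limitation":     (SAFE_OPERATING_CONCEPT, False),
    "safety_requirement": (SAFETY_REQUIREMENTS, False),
    "existing_design":    (DESIGN_JUSTIFICATION, False),
}


@dataclass
class HazardousFailure:
    id: str
    description: str


@dataclass
class Mitigation:
    id: str
    kind: str
    covers: tuple          # ids of the hazardous failures this mitigates
    rationale: str         # justification text (required for anything recorded in [Y])


@dataclass
class Report:
    uncovered: list = field(default_factory=list)         # failures with no mitigation
    unknown_kinds: list = field(default_factory=list)     # mitigations of an unrecognised kind
    dangling: list = field(default_factory=list)          # (mitigation, failure id not in [BB])
    missing_rationale: list = field(default_factory=list) # [Y] entries with no justification
    updates: dict = field(default_factory=dict)           # artefact -> mitigation ids to record
    repeat_activity_19: bool = False

    def complete(self) -> bool:
        """True when every failure is covered and every mitigation is well-formed."""
        return not (self.uncovered or self.unknown_kinds
                    or self.dangling or self.missing_rationale)


def check_mitigations(failures, mitigations) -> Report:
    report = Report()
    known = {f.id for f in failures}
    covered = set()
    for m in mitigations:
        if m.kind not in MITIGATION_KINDS:
            report.unknown_kinds.append(m.id)
            continue
        artefact, repeat = MITIGATION_KINDS[m.kind]
        report.updates.setdefault(artefact, []).append(m.id)
        # A design change means Activity 19 must be re-run on the changed design.
        report.repeat_activity_19 = report.repeat_activity_19 or repeat
        # Both design changes and "existing design suffices" go into [Y] with a justification.
        if artefact == DESIGN_JUSTIFICATION and not m.rationale.strip():
            report.missing_rationale.append(m.id)
        for hf in m.covers:
            if hf not in known:
                report.dangling.append((m.id, hf))
            covered.add(hf)
    report.uncovered = sorted(known - covered)
    return report


def example_report() -> Report:
    """Constructed sample data: HF-1 is the translucent-wall case from Example 26;
    HF-2 and HF-3 and all mitigation ids are invented for this illustration."""
    failures = [
        HazardousFailure("HF-1", "object detection may fail to detect translucent walls"),
        HazardousFailure("HF-2", "object detection may miss obstacles below the sensor field of view"),
        HazardousFailure("HF-3", "constructed failure deliberately left without a mitigation"),
    ]
    mitigations = [
        Mitigation("M-1", "design_change", ("HF-1",), "add a second sensor of a different type"),
        Mitigation("M-2", "rod_limitation", ("HF-2",), "restrict the ROD to surveyed floors"),
        Mitigation("M-3", "existing_design", ("HF-2",), ""),  # justification missing: flagged
    ]
    return check_mitigations(failures, mitigations)


if __name__ == "__main__":
    r = example_report()
    print("complete:", r.complete())
    print("uncovered:", r.uncovered, "missing rationale:", r.missing_rationale)
    print("artefact updates:", r.updates, "repeat Activity 19:", r.repeat_activity_19)
```

On the constructed data the check reports HF-3 as uncovered and M-3 as lacking the justification that [Y] requires, routes M-1 and M-3 to [Y] and M-2 to [L], and flags that Activity 19 must be repeated because M-1 is a design change.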

Example 26 - Sensors for autonomous robot

For an autonomous robot operating in an office building, a potential hazardous failure identified from analysis of the object detection component is that it may, under certain conditions, fail to detect walls made of translucent material. To mitigate this, a design change is proposed: an additional sensor of a different type is added, so that the two sensors do not share the failure mode. Because this is a design change, Activity 19 is repeated for the revised design and the change is justified in the design justification report ([Y]).

Continue to: Activity 21. Instantiate hazardous failures argument pattern

