Minimap of introduction diagram
Minimap of stage diagram

SACE outline

AS Hazardous Scenarios Assurance Case Pattern PP

The argument pattern relating to this stage is shown in Figure 29 below and key elements from the pattern are described in the following sections.

Figure 29: [PP] : Argument pattern for out of context operation assurance

The top claim in this argument pattern is that the AS will remain sufficiently safe even if it were to move outside of the defined autonomous operating context. This is achieved through consideration of the defined ODM ([B]). It is firstly demonstrated that the AS is aware of when it is leaving the ODM (G7.1). Secondly it is demonstrated that if the AS does leave the ODM, a strategy is implemented that ensures the AS remains sufficiently safe (G7.2). Lastly it must also be demonstrated that the AS remains safe as it transitions across the ODM boundary.

To demonstrate that the AS is aware when it’s leaving the defined ODM, it must be shown that the way in which the AS interprets the boundary to the ODM (defined in [HH]) is appropriate. An explicit justification for this must be provided as part of the argument (J7.1) that should take account of the capability that the AS has to sense and understand the operating environment. It must be shown that any failures in recognising the ODM boundary that may be hazardous have been identified, and that sufficient mitigation is provided for those failures. The ODM boundary assessment report ([I]) provides evidence for this.

To demonstrate that the AS remains safe when operating outside of the defined ODM, the results of the out of context analysis ([GG]) provide evidence that the hazardous scenarios arising from such excursions have been identified. It is then shown using the outside ODM strategy justification report ([NN]) that the chosen strategy minimises the risk associated with those hazardous scenarios to an acceptable level. The outside ODM verification report ([OO]) is used to demonstrate that the minimum risk strategy has been correctly implemented.

To demonstrate that the AS will remain safe as it transitions across the ODM boundary, it must be shown that unsafe transitions are identified (G7.11) and the risk of those transitions is minimised (G7.12). The transition assessment report ([KK]) is used as evidence that the unsafe transitions are identified cor‐ rectly through analysis of the transition model. It is also used to demonstrate that the transition model itself is correct in the way it models the transitions and the conditions under which those transitions occur.

Continue to: Stage 8. AS verification assurance

Our site depends on cookies to provide our service to you. If you continue to use this site we will assume that you are happy with that. View our privacy policy.