Risk Structures: Concepts, Purpose, and the Causality Problem - Mario Gleirscher University of York, UK June 26, 2019
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Risk Structures: Concepts, Purpose, and the Causality Problem Mario Gleirscher University of York, UK June 26, 2019 Shonan, JP
Part I
Risk-aware Systems:
Abstraction by Example
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 52Example: Air-traffic Collision Avoidance System (TCAS) Example: Safe Autonomous Vehicle (SAV) 4.0 / Gleirscher / Shonan, JP/ June 26, 2019 53
Risk Mitigation / Intervention / Enforcement
Test
Risk Active model
Structure synthesised Monitor
from
abstracts
conforms
from
to
Approach: Active
safety monitors, System/
MDP, Active Implemen
enforcement Process
LTS, HA Monitor tation
Model
monitors
pr orce s/
ab om
en nise
s
str
y
og
fr
ert
ac
rec
f
ts
op
Monitored
Process
RQ: How to build a mitigation monitor? / Which model to use?
/ Which abstraction? / What do we need to verify?
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 56Example: Air-traffic Collision Avoidance System (TCAS)
Example: Traffic Collision Avoidance System (TCAS) Ego
21Risk
RiskSpace
Risk Factors
Factor
near-collision before
ncoll, coll collision
tmo v{el ncoll u mov
t
e {ecoll u
t
l nc
0ncoll co ol
l
Risk Model R start tp1 , p3 ,
e ncoll
start
0 coll
coll
tp2 , p5 u tp1 , p6 u tp4 u
p4 , p6 u
coll
ncoll,t0
tmov{finu ěm 0ncoll , coll t?u
e nc ll
ol co Σztmov{finu
abstracts l
e
m v {fin
Σzttmov{finu Σztmov{ecoll u
nc
tm ncoll
from Σzttmov{e u
oll “
m“ a4
o
0ncoll , 0coll
mov{fin
l p4 rl4 , u4 q
col
1`severity
Process Model P e.g. red
(TCAS move)
” : e ą
1`benefit
c p4 rl, uq
Λ 4
p2 tmov Λ5 : e ncoll oll
: c p5
ll
nco
e rl5 , u5 q
Λ2 : Λ Λ
p1 mov p1 mov 6 :
start a3 fin
1´
1´
Λ2 :
fin
Λ
a2 a1 p3
: fi
n
p6
p6
a5
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 57Example: Traffic Collision Avoidance System (TCAS) Ego
21Risk
RiskSpace
Risk Factors
Factor
near-collision before
ncoll, coll collision
tmo v{el ncoll u mov
t
e {ecoll u
t
l nc
0ncoll co ol
l
Risk Model R start tp1 , p3 ,
e ncoll
start
0 coll
coll
tp2 , p5 u tp1 , p6 u tp4 u
p4 , p6 u
coll
ncoll,t0
tmov{finu ěm 0ncoll , coll t?u
e nc ll
ol co Σztmov{finu
abstracts l
e
m v {fin
Σzttmov{finu Σztmov{ecoll u
nc
tm ncoll
from Σzttmov{e u
oll “
m“ a4
o
0ncoll , 0coll
mov{fin
l p4 rl4 , u4 q
col
1`severity
Process Model P e.g. red
(TCAS move)
” : e ą
1`benefit
c p4 rl, uq
Λ 4
p2 tmov Λ5 : e ncoll oll
: c p5
ll
nco
e rl5 , u5 q
Λ2 : Λ Λ
p1 mov p1 mov 6 :
start a3 fin
1´
1´
Λ2 :
fin
Λ
a2 a1 p3
: fi
n
p6
p6
a5
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 58Example: Traffic Collision Avoidance System (TCAS) Ego
21Risk
RiskSpace
Risk Factors
Factor
near-collision before
ncoll, coll collision
tmo v{el ncoll u mov
t
e {ecoll u
t
l nc
0ncoll co ol
l
Risk Model R start tp1 , p3 ,
e ncoll
start
0 coll
coll
tp2 , p5 u tp1 , p6 u tp4 u
p4 , p6 u
coll
ncoll,t0
tmov{finu ěm 0ncoll , coll t?u
e nc ll
ol co Σztmov{finu
abstracts l
e
m v {fin
Σzttmov{finu Σztmov{ecoll u
nc
tm ncoll
from Σzttmov{e u
oll “
m“ a4
o
0ncoll , 0coll
mov{fin
l p4 rl4 , u4 q
col
1`severity
Process Model P e.g. red
(TCAS move)
” : e ą
1`benefit
c p4 rl, uq
Λ 4
p2 tmov Λ5 : e ncoll oll
: c p5
ll
nco
e rl5 , u5 q
Λ2 : Λ Λ
p1 mov p1 mov 6 :
start a3 fin
1´
1´
Λ2 :
fin
Λ
a2 a1 p3
: fi
n
p6
p6
a5
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 58Example: Safe Autonomous Vehicle (SAV)
Risk Mitigation / Intervention / Enforcement
Test
Risk Active model
Structure synthesised Monitor
from
abstracts
conforms
from
to
Approach: Active
safety monitors, System/
MDP, Active Implemen
enforcement Process
LTS, HA Monitor tation
Model
monitors
pr orce s/
ab om
en nise
s
str
y
og
fr
ert
ac
rec
f
ts
op
Process
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 62SAV: Low Level Vehicle Dynamics
turn
rp9 “ v, rp9 “ v, drive at rα9 “ f s left
max speed 0ăyă5
yą |ą
|v| 0
accel v=l
^
0
v9 “ as v9 “ 0s
yą
ą
|v
0
0ăvăl v“l
α9
0
^
0
^ “
“
^
“
^aą0 a ^a“0
0
α
neutral move
0
α9
α
‰
ą
0
aă0
aą0
straight
0
rα9 “ 0s rα9 “ 0s
halt
a start
ď α“0 α‰0
0
rp9 “ 0, rp9 “ v,
α
0
^
0
“
“
v9 “ 0s v9 “ as decel
‰
α9
start
yă |ą
0
|v| 0
α9
k
^
0
α
“
0ăvăl
yă
v“0 v=0
ą
|v
^
0
rα9 “ f s
0
^a“0 ^aď0
´5 ă y ă 0 turn
^
0
right
Longitudinal dynamics LoD Lateral dynamics LaD
drive
(relative to route segment)
accel
turn
left
drive
at max
halt
speed move
neutral
straight
decel
turn
right
Overall low-level dynamics: drive k LaD
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 63SAV: Situational Perspective of Urban Driving
Mode model of the driving activity: Integration with
basic || supplyPower
low level
drive dynamics:
driveAtL4 || requestTakeOverByDr driveAtL1 || operateVehicle
In each mode,
driveThroughCrossing exitTunnel manuallyOvertake
driveAtL4Generic
verify contract:
halt
autoOvertake driveAtL1Generic inv ^ pre ñ
wppdrive k LaD,
driveAtLowSpeed
inv ^ postq
steerThroughTrafficJam parkWithRemote manuallyPark
autoLeaveParkingLot leaveParkingLot
start
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 64SAV: Risk Identification and Assessment
Knowledge sources for risk/hazard identification, e.g.
• accident reports
• domain experts
• situation/activity model
• local dynamics model
• control system architecture
• control software
Analysis techniques, e.g.
• hazard identification: FHA, PHL, …
• process/scenario analysis: HazOp, LOPA, BA, STPA, …
• causal reasoning: ETA, FMEA, FTA, Bowties, …
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 65SAV: Situational Perspective of Urban Driving
Mode model of the driving activity: Risk factors
basic || supplyPower
(Yap script):
drive 1 HazardModel for "drive"
{
driveAtL4 || requestTakeOverByDr driveAtL1 || operateVehicle
3 OC alias "on occupied
driveThroughCrossing exitTunnel manuallyOvertake course"
;
driveAtL4Generic 5 CR alias "increased
collision risk"
autoOvertake driveAtL1Generic ;
halt 7 CC alias "on collision
course"
;
driveAtLowSpeed 9 ICS alias "inevitable
steerThroughTrafficJam parkWithRemote manuallyPark collision state"
;
11 Coll alias "actual
autoLeaveParkingLot leaveParkingLot collision"
;
13 ES alias "perception
system fault"
start
;
15 }
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 66Risk Structures: Tool Support and Recent Publications
Coll 1 OperationalSituation "generic" {}
3 ControlLoop "Robot" for "generic" {
eColl emgBr alias "Emergency Brake";
5 }
7 HazardModel for "generic" {
nColl nColl alias "near-collision"
9 mitigatedBy (PREVENT_CRASH.emgBr)
direct;
enColl prvcnColl 11 Coll alias "collision"
requires (nColl)
13 mishap;
0 }
From Hazard Analysis to Hazard Mitigation
Planning: The Automated Driving Case
Mario Gleirscher(B) and Stefan Kugele
Technische Universität München, Munich, Germany
{mario.gleirscher,stefan.kugele}@tum.de
8.4 Strukturen für die Gefahren §§ Erfahrungen in der Architekturabsicherung komplexer einge-
Run-Time Risk Mitigation in Automated Vehicles: erkennung und -behandlung in betteter Systeme1 und
§§ der Beobachtung, dass einige Empfehlungen für die Gewähr- R ISK S TRUCTURES : T OWARDS E NGINEERING R ISK - AWARE
Abstract. Vehicle safety depends on (a) the range of identified hazards A Model for Studying Preparatory Steps autonomen Maschinen leistung von AM-Sicherheit nicht eindeutig und vollständig AUTONOMOUS S YSTEMS
and (b) the operational situations for which mitigations of these hazards sind.2
are acceptably decreasing risk. Moreover, with an increasing degree of Mario Gleirscher Dr. Mario Gleirscher
autonomy, risk ownership is likely to increase for vendors towards regula- Department of Computer Science, University of York und A P REPRINT
tory certification. Hence, highly automated vehicles have to be equipped Faculty of Informatics Fakultät für Informatik, Technische Universität München 2 Hintergrund
Technical University of Munich
arXiv:submit/2663380 [cs.SE] 23 Apr 2019
with verified controllers capable of reliably identifying and mitigating Munich, Germany Mario Gleirscher
In diesem Abschnitt werden einige Begriffe aus der Literatur und Computer Science Department, University of York, York, UK∗
hazards in all possible operational situations. To this end, available meth- mario.gleirscher@tum.de
In diesem Abschnitt werden hochautomatisierte – insbesondere Vorarbeiten des Autors dargestellt, auf denen die spätere Diskus-
ods for the design and verification of automated vehicle controllers have autonom handelnde – Maschinen (AM) wie zum Beispiel autono- sion aufbaut.
to be supported by models for hazard analysis and mitigation. me mobile Roboter betrachtet. Man erwartet von solchen Syste- April 23, 2019
We assume that autonomous or highly automated driving (AD) will be accompanied by tough assur-
In this paper, we describe (1) a framework for the analysis and design ance obligations exceeding the requirements of even recent revisions of ISO 26262 or SOTIF. Hence, men, dass deren Regelungen in Gefahrensituationen ebenso 2.1 Allgemeine Grundlagen
of planners (i.e., high-level controllers) capable of run-time hazard iden- automotive control and safety engineers have to (i) comprehensively analyze the driving process and nützliche Handlungsalternativen bieten wie im Normalbetrieb. A BSTRACT
tification and mitigation, (2) an incremental algorithm for constructing its control loop, (ii) identify relevant hazards stemming from this loop, (iii) establish feasible auto- Ausgehend von dieser Problemstellung wird nun eine werkzeug- In der Risikoanalyse wird bewertet, inwiefern eine Gefahrenquel-
mated measures for the effective mitigation of these hazards or the alleviation of their consequences. gestützte Herangehensweise le (Aggressor) ein Risiko für ein Schutzziel (zum Beispiel Safety, Inspired by widely-used techniques of causal modelling in risk, failure, and accident analysis, this
planning models from hazard analysis, and (3) an exemplary application work discusses a com positional framework for risk modelling. Risk models capture fragments of
By studying an example, this article investigates some achievements in the modeling for the Security, körperliche Unversehrtheit) eines Schutzobjekts (im
to the design of a fail-operational controller based on a given control sys- the space of risky events likely to occur when operating a machine in a given environment. More-
steps (i), (ii), and (iii), amenable to formal verification of desired properties derived from potential i. für die Modellierung von Gefahrensituationen sowie Englischen: asset) darstellt und inwieweit ein Schutzmechanis- over, one can build such models into machines such as autonomous robots, to equip them with the
tem architecture. Our approach equips the safety engineer with concepts assurance obligations such as the global existence of an effective mitigation strategy. In addition, the mus (auch Beschützer, Sicherheitsfunktion) dieses Risiko wenigs- ability of risk-aware perception, monitoring, decision making, and control. With the notion of a
and steps to (2a) elaborate scenarios of endangerment and (2b) design proposed approach is meant for step-wise refinement towards the automated synthesis of AD safety risk factor as the modelling primitive, the framework provides several means to construct and shape
ii. für die Bewertung der Plausibilität und Vollständigkeit tens auf ein akzeptables Restrisiko3 reduzieren kann. Häufig wird
controllers implementing such properties. risk models. Relational and algebraic properties are investigated and proofs support the validity and
operational strategies for mitigating such scenarios. solcher Modelle dazu eine Menge wahrscheinlicher Szenarien in Form von poten-
consistency of these properties over the corresponding models. Several examples throughout the
ziell unendlichen Ursache-Wirkungs-Ereignisketten betrachtet, discussion illustrate the applicability of the concepts. Overall, this work focuses on the qualitative
1 Introduction anhand eines Beispiels aus dem Bereich des automatisierten wobei die ultimativen und unerwünschten Auswirkungen als Un- treatment of risk with the outlook of transferring these results to probabilistic refinements of the
Keywords: Risk analysis · Hazard mitigation · Safe state · Controller Fahrens (AF) diskutiert. glücks-, Unfalls- oder Schadensereignis und alle Ereignisse auf discussed framework.
design · Autonomous vehicle · Automotive system · Modeling · Planning For many people, driving a car is a difficult task even after guided training and many years of driving diesem Wege als Zusammensetzung von potenziell verursachen-
Keywords Causal modelling · risk · analysis · modelling · safety monitoring · risk mitigation · robots · autonomous
practice: This statement gets more tangible when driving in dense urban traffic, complex road settings, den Faktoren beschrieben werden. Hierzu wird weiter unten von systems
road construction zones, unknown areas, with hard-to-predict traffic co-participants (i.e., cars, trucks, 1 Motivation Kausalfaktoren und -strukturen gesprochen. Ein kompatibler Be-
cyclists, pedestrians), bothersome congestion, or driving a defective car. Consequently, hazards such as griffsrahmen wird in den Kapiteln 3/Schnieder und Schnieder,
1 Challenges, Background, and Contribution drivers misjudging situations and making poor decisions have had a long tradition. Hence, road vehicles Im Rahmen der gefahrenreduzierenden Absicherung von Syste- 5/Beyerer und Geisler sowie 7.1/Vieweg ausführlicher
Contents
have been equipped with many sorts of safety mechanisms, most recently, with functions for “safety men ist es eine Herausforderung, möglichst starke Sicherheits behandelt.
1 Introduction 2
Automated and autonomous vehicles (AV) are responsible for avoiding mishaps decision support” [7], driving assistance, and monitor-actuator designs, all aiming at reducing operational eigenschaften für autonome, hochautomatisierte Maschinen
schon zum Entwurfszeitpunkt festzulegen und Regler solcher Dieser vielfach diskutierte Begriffsrahmen lässt sich auf ganz un- 1.1 Abstractions for Machine Safety and Risk Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . 3
and even for mitigating hazardous situations in as many operational situations risk or making a driver’s role less critical. In AD, more highly automated mechanisms will have to
contribute to risk mitigation at run-time and, thus, constitute even stronger assurance obligations [7]. Maschinen für die Einhaltung dieser Eigenschaften zur Laufzeit terschiedliche Bereiche anwenden, zum Beispiel technische An- 1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
as possible. Hence, AVs are examples of systems where the identification (2a) zu entwerfen. Im Folgenden werden formale Strukturen, welche lagen, IT-Systeme, in der Patientenbehandlung im Krankenhaus,
In Sec. 1.1, we introduce basic terms for risk analysis and (run-time) mitigation (RAM) for automated 1.3 Contributions and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
and mitigation (2b) of hazards have to be highly automated. This circumstance vehicles (AV) as discussed in this work. Sec. 1.2 elaborates some of these assurance obligations. für die Modellbildung und später für die detaillierte Entwicklung im unternehmerischen Projektmanagement, in Arbeitsprozessen
makes these systems even more complex and difficult to design. Thus, safety von Reglern hilfreich sind, besprochen. Die Motivation, solche im Hochbau oder an Flughäfen (siehe Kapitel 8.1/Wolf und 2 Background 7
engineers require specific models and methods for risk analysis and mitigation. Strukturen zu nutzen, resultiert aus Lichte sowie 8.2/Deutschmann et al.). Je nach Art des Schutz- 2.1 Notions of Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.1 Background and Terminology
ziels und -objekts gibt es spezifische Herangehensweisen zur RA
As an example, we consider manned road vehicles in road traffic with an §§ Bestrebungen, die Risikobewertung und den Verlässlich-
2.2 The Risk of Undesired Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
According to control theory, a control loop L comprises a (physical) process P to be controlled and sowie verschiedene Bezeichnungen, wie zum Beispiel funktiona-
autopilot (AP) feature. Such vehicles are able to automatically conduct a ride a controller C, i.e., a system in charge of controlling this process according to some laws defined by keitsnachweis für allgemeine Systemklassen durch speziali- le Sicherheit in der Mechatronik und Automatisierungstechnik4 2.3 Formal Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
only given some valid target and minimizing human intervention. The following an application and an operator [20]. The engineering of safety-critical control loops typically involves sierte Modellbildung zu unterstützen (siehe Kapitel 4/ oder Cyber Security für stark vernetzte IT-Systeme.5 Regelmäßig
Bertscheet al.), wird versucht, Erkenntnisse aus verschiedenen Arbeitsfeldern 3 Risk Elements 9
AV-level (S)afety (G)oal specifies the problem we want to focus on in this paper: reducing hazards by making controllers safe in their intended function (SOTIF), resilient (i.e., tolerate
∗ Correspondence and offprint requests to: Mario Gleirscher, Univerity of York, Deramore Lane, Heslington, York YO10 5GH,
disturbances), dependable (i.e., tolerate faults), and secure (i.e., tolerate misuse).
UK. e-mail: mario.gleirscher@york.ac.uk
SG: The AV can always reach a safest possible state σ wrt. the hazards In automated driving, the process under consideration is the driving process which we decompose This work is supported by the Deutsche Forschungsgemeinschaft (DFG) under Grants no. GL 915/1-
into a set of driving situations S , see Sec. 2. Taxonomies of such situations have been published in, e.g. 1 and GL 915/1-2. c 2019. This manuscript is made available under the CC-BY-NC-ND 4.0 license
identified and present in a specific operational situation os . 1| Vgl. Kugele et al. 2017. http://creativecommons.org/licenses/by-nc-nd/4.0/.
2| Vgl. Alexander et al. 2009. Reference Format: Gleirscher, M.. Risk Structures: Towards Engineering Risk-aware Autonomous Systems (April 23, 2019).
c Springer International Publishing AG 2017 L. Bulwahn, M. Kamali, S. Linker (Eds.): First Workshop on c M. Gleirscher 3| Vgl. McDermid 2001 und Kumamoto 2007 diskutieren „As Low As Reasonably Practicable“ (ALARP). Unpublished working paper. Department of Computer Science, University of York, United Kingdom.
C. Barrett et al. (Eds.): NFM 2017, LNCS 10227, pp. 310–326, 2017. Formal Verification of Autonomous Vehicles (FVAV 2017). This work is licensed under the 4| Vgl. Schnieder/Schnieder 2009, Schnieder/Schnieder 2008, Schnieder/Drewes 2008.
DOI: 10.1007/978-3-319-57288-8 23 EPTCS 257, 2017, pp. 75–90, doi:10.4204/EPTCS.257.8 Creative Commons Attribution License. 5| Vgl. Lund et al. 2011.
154
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 67Risk Factors (Basic Phase Model)
ofm …mitigated operation
f
recovery… mfr mf …mitigation
endanger-
ment … ef
ofn ofe
ef …endangerment
nominal 0f f …endangered
operation… operation
mfd …direct mitigation
Purposes:
• Modelling primitive for risk space exploration
• Semantics of basic events in DFTs or DFRTs
• Synthesis of local enforcement monitors
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 68SAV: Situational Risk Space
CCOCICSCollCR
e OC e ICS e Coll e CR e CC
Vehicle Vehicle Vehicle Vehicle Vehicle
CCICSCollCR CCOCCollCR CCOCICSCR CCOCICSColl OCICSCollCR
e ICS e Coll e CR e CC e OC e Coll e CR e CC e OC e ICS e CR e CC e OC e ICS e Coll e CC e OC e ICS e Coll e CR
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
CCCollCR CCICSCR CCICSColl ICSCollCR CCOCCR CCOCColl OCCollCR CCOCICS OCICSCR OCICSColl
e Coll e CR e CC e ICS e CR e CC e ICS e Coll e CC e ICS e Coll e CR e OC e CR e CC e OC e Coll e CC e OC e Coll e CR e OC e ICS e CC e OC e ICS e CR e OC e ICS e Coll
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
CCCR CCColl CollCR CCICS ICSCR ICSColl CCOC OCCR OCColl OCICS
e CR e CC e Coll e CC e Coll e CR e ICS e CC e ICS e CR e ICS e Coll e OC e CC e OC e CR e OC e Coll e OC e ICS
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
CC CR Coll ICS OC
e CC e CR e Coll e ICS e OC
Vehicle Vehicle Vehicle Vehicle Vehicle
0
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 69SAV: Situational Risk Space (zoomed)
CCOCICSCollCR
e OC e ICS e Coll e CR
Vehicle Vehicle Vehicle Vehicle
CCOCCollCR CCOCICSCR CCOC
e OC e Coll e CR e CC e OC e ICS e CR e CC e OC
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
lCR CCOCCR CCOCColl OCCollCR
e Coll e CR e OC e CR e CC e OC e Coll e CC e OC e C
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
ICSCR ICSColl CCOC OCCR
e CC e ICS e CR e ICS e Coll e OC e CC e OC e CR
Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle Vehicle
CR Coll ICS OC
e CC e CR e Coll e ICS e OC
Vehicle Vehicle Vehicle Vehicle Vehicle
0
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 69Causality (Lewis 1973)
Definition (Counterfactual Conditional)
A 2Ñ C is nonvacuously true iff C holds at all the closest
A-worlds.
What are the closest A-worlds?
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 70SAV: Risk Identification and Assessment Yap script
OperationalSituation "drive" excludes (OC)
2 { 26 mitigatedBy (PREVENT_CRASH.EB)
include "envPerc"; ;
4 } 28 CC alias "on collision course"
requires (CR)
6 ControlLoop "Vehicle" for "drive" 30 deniesMit (CR,OC)
{ excludes (CR,OC)
8 replan alias "Slow-down || re-plan 32 mitigatedBy (PREVENT_CRASH.swerve)
route"; ;
brake alias "Standard brake"; 34 ICS alias "inevitable collision state"
10 swerve alias "Short-term circumvention requires (CC)
of obstacle"; 36 excludes (CC,CR,OC)
EB alias "Emergency brake"; causes (Coll)
12 accel alias "Accelerate"; 38 mitigatedBy (PREVENT_CRASH.EB)
airbag alias "Front airbag"; ;
14 } 40 Coll alias "actual collision"
requires (ICS)
16 HazardModel for "drive" 42 excludes (CC,CR,OC,ICS,ES)
{ mitigatedBy (ALLEVIATE.airbag)
18 OC alias "on occupied course" 44 mishap
mitigatedBy (PREVENT_CRASH.replan) ;
20 direct 46 ES alias "perception system fault"
; excludes (CC,CR,OC,ICS)
22 CR alias "increased collision risk" 48 deniesMit (OC,CC)
requires (OC) ;
24 deniesMit (OC) 50 }
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 71SAV: Situational Risk Space
ES Coll
e ES e CollICS
Vehicle Vehicle
e ES
Vehicle CC
e ES e CC
Vehicle Vehicle
e ES
Approach: LOPA/BA to
CR
create chain of possible
Vehicle
e
Vehicle
CR
interventions
OC
e OC
Vehicle
0
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 72SAV: Situational Risk Space
ES
f opES
fb Approach: LOPA/BA to
ES Coll create chain of possible
eES attColl
alv interventions
eES eES CC Coll
eES prvcCC eCollICS Layered intervention
rES eES CR CC pattern for SAV obstacle
ES
e prvcCR e CC mColl
e avoidance
CR mCC
e
mCR
e eCR Nice side-effect: Use
OC pattern as enhanced
eOC prvcOC
phase model for similar
0
risk factors
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 72Taxonomy of Mitigations
Overall
Safety
Safety
Constraints
Preventive Fail-
Stabilization
Safety Safe
Passive
Safety
Pre-Crash Limp- Fail- Fail- Fault Fault
Assistance Home Silent Secure Containment Avoidance
Vigilance Non-
Check Interference
Obstacle Fail- Fault
Shutdown Recovery Masking Redundancy Barrier Substitution Simplicity
Avoidance Operational Detection
Error-
Checking Warning Comparison Repair Reconfiguration Degradation Filter Voting Override Correcting Replication Diversity Protection Separation
Codes
fully partially
realizes realizes
Condition Sanity
Notification Rollback Limiter Interlocking
Monitoring Check
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 73Taxonomy of Mitigations
Preventive Fail-
Safety Safe
Pre-Crash Limp- Fail- Fail- Fault
Assistance Home Silent Secure Containment
Vigilance
Check
Obstacle Fail- Fault
Shutdown Recovery Masking
Avoidance Operational Detection
Checking Warning Comparison Repair Reconfiguration Degradation Filter Votin
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 73
Condition Sanity
Notification RollbackSAV: Situational Risk Space (Monitor Candidate)
ES
f opES
Approach: LOPA/BA to
fb
ES Coll
attColl
create chain of possible
eES alv
eES
eES
CC Coll
interventions
eES prvcCC eCollICS
= Specification of a valid
rES eES CR CC
safe system
eES prvcCR eCC mColl
e
expected order violated
CR mCC
e
mCR eCR
Ñ lack of observability,
e
OC
e OC prvcOC
incomplete monitor,
0
context mismatch?
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 74Risk Structures: Templates for Causal Reasoning
A risk structure R is valid iff for
s, s1 , s2 , s3 P RpFq, s3 P Mishaps, e, m, e1 P Σ˚
@s, s3 P RpFq, t P R Ds1 , s2 P RpFq, m P Σ˚ : t “ eme1 ^
e m e’
s s’ s” s”’
Definition (Mitigation from Counterfactual Perspective)
m is mitigation of cause c ‰ s2 of a mishap s3 iff e1 gets unlikely.
(s2 , e1 form the counterfactual.)
Proof obligations for each t: Check that, from s,
1. s2 is actual cause of s3 ,
2. s1 is recognisable,
3. from s1 , m reduces s2 .
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 75Risk Mitigation / Intervention / Enforcement
Test
Risk Active model
Structure synthesised Monitor
from
abstracts
conforms
from
to
Approach: Active
safety monitors, System/
MDP, Active Implemen
enforcement Process
LTS, HA Monitor tation
Model
monitors
pr orce s/
ab om
en nise
s
str
y
og
fr
ert
ac
rec
f
ts
op
Monitored
Process
4.0 / Gleirscher / Shonan, JP/ June 26, 2019 76You can also read
