Derive Safety Requirements for Automated Driving
Written: March 2019
Purpose: This pattern describes a scenario- and fault-tree-based technique for functional safety analysis according to ISO 26262. The application context (e.g. valet parking) is decomposed into functional scenarios that can occur during operation. Potential malfunctions are identified for each scenario within a hazard analysis and risk assessment (HARA). The safety goals elaborated in the HARA are broad and need to be broken down into safety requirements. The pattern presents a fault-tree-based structure for systematically deriving safety requirements from safety goals according to the international standard for functional safety of road vehicles. The approach simplifies the breakdown of complex safety goals and provides a more complete set of safety requirements. Thereafter, test cases for safety validation can be derived from the safety requirements.
Context/Pre-Conditions: Safety analysis / validation according to ISO 26262 is required for automated driving.
To consider: The generation of a scenario catalog requires knowledge of dynamic and static aspects of traffic scenarios (covered by other patterns). Safety requirements require defined specifications.
Sense/Plan/Act Safety Analysis:
Participants and Important Artefacts
V&V Expert(s): In principle, every activity in this pattern is carried out by human experts, who need to have experience in both safety analysis (HARA) and the application domain.
Application context: The target application environment in which the SUT shall finally be used, for instance valet parking or turning left at crossings.
Scenarios: Specific situations assumed to be a proxy for the real world, e.g. handing over at the beginning of valet parking.
Safety Goals: Top-level safety requirements which have to be further broken down.
Safety Requirements: Some safety goals are broad and more challenging to break down into safety requirements. The presented fault-tree-based approach can be used to derive safety requirements for automated driving according to ISO 26262.
(1) Item Definition: The application context is split into a manageable number of relevant functional scenarios to decrease complexity. The scenarios serve as input for performing a more specific situational analysis of each scenario in the Hazard Analysis and Risk Assessment (HARA).
(2) Hazard Analysis and Risk Assessment: The objective of the HARA is the identification of potential malfunctions to determine related safety goals. Elaborated safety goals inherit the hazard’s Automotive Safety Integrity Level (ASIL), with ASIL D representing the highest and quality management (QM) the lowest safety risk. The ASIL determination is a function f of severity S, exposure E and controllability C.
(3) Breakdown of Safety Goals into Safety Requirements with respect to the main tasks Sense, Plan, Act of an ADS (Autonomous Driving System):
Sense: According to Dietmayer et al., detecting static and dynamic objects and physically measuring them as precisely as possible leads to three uncertainty domains:
State uncertainty: Represents the measuring errors of physically measured variables, especially the object’s dimensions (length, width, height), the object’s pose and the object’s velocity.
Existence uncertainty: Outlines the uncertainty whether an object captured by the sensors and mapped into the representation actually exists. This concerns mainly false negatives.
Class uncertainty: Describes the uncertainty in classifying the object’s membership in order to predict the object’s behavior. Object types might be, for example, pedestrians, bicyclists, trucks or cars.
Plan: According to Lotz, the transportation mission can be split into 5 tasks which are computed by today’s navigation systems:
Mission Planning: In the first step a mission has to be planned from the current location to the destination.
Route Planning: A route has to be determined in order to get to the destination.
Lane Assignment: Once the route is determined, the corresponding lanes to take are specified.
Maneuver Planning: For the assigned lanes, maneuvers such as lane changes have to be executed.
Trajectory Planning: A trajectory has to be calculated to perform necessary maneuvers.
Act: The Act block represents the execution of the planned trajectory. For performing longitudinal and lateral vehicle dynamics, the following vehicle control inputs are required: steering, shifting, accelerating and braking.
(4) Safety validation: Test cases are derived for the elaborated safety requirements in order to validate the safety concept.
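Steps (2) and (3) can be expressed as a small data model. The Python code below is an added example, not part of the original pattern or of any ENABLE-S3 material: it computes the ASIL from S, E and C, builds a fault tree from the Sense/Plan/Act categories listed above, and emits one requirement stub per basic event that inherits the safety goal's ASIL. The S3/E4/C3 rating, the top-event wording, the `SR-...` identifiers and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def asil(s: int, e: int, c: int) -> str:
    """ASIL = f(S, E, C); summing the class indices reproduces the ISO 26262-3 table."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S, E or C class out of range")
    if 0 in (s, e, c):  # S0, E0 or C0: no ASIL is assigned
        return "QM"
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(s + e + c, "QM")

@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)

    def leaves(self, path=()):  # yields top-event-to-basic-event paths
        path = path + (self.name,)
        if not self.children:
            yield path
        for child in self.children:
            yield from child.leaves(path)

def spa_tree(top_event: str) -> Node:
    """Fault tree skeleton following the Sense/Plan/Act breakdown of the pattern."""
    sense = Node("Sense", [
        Node("State uncertainty", [Node("pose"), Node("dimensions"), Node("velocity")]),
        Node("Existence uncertainty"), Node("Class uncertainty")])
    plan = Node("Plan", [Node(t) for t in (
        "Mission Planning", "Route Planning", "Lane Assignment",
        "Maneuver Planning", "Trajectory Planning")])
    act = Node("Act", [Node(a) for a in ("steering", "shifting", "accelerating", "braking")])
    return Node(top_event, [sense, plan, act])

def derive_requirements(tree: Node, s: int, e: int, c: int) -> list:
    """One requirement stub per basic event; each inherits the safety goal's ASIL."""
    branches = {n.name: n for n in tree.children}
    empty = [b for b in ("Sense", "Plan", "Act") if b not in branches or not branches[b].children]
    if empty:  # the pattern only applies to goals that follow sense, plan and act
        raise ValueError(f"no basic events under: {empty}")
    level, counters, stubs = asil(s, e, c), {}, []
    for path in tree.leaves():
        branch = path[1]
        counters[branch] = counters.get(branch, 0) + 1
        stubs.append({"id": f"SR-{branch}-{counters[branch]:02d}", "asil": level,
                      "fault": " / ".join(path[1:])})
    return stubs

# Constructed S3/E4/C3 rating for the safety goal quoted in the valet parking example.
REQS = derive_requirements(spa_tree("Collision between vehicle and person"), 3, 4, 3)
```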
Benefits: A pattern to reduce complexity. A more complete set of safety requirements.
Limitation: The fault-tree-based approach is applicable to safety goals which follow the sense, plan and act procedure.
K. Dietmayer, “Predicting of machine perception for automated driving”, in Autonomous Driving: Technical, Legal and Social Aspects, M. Maurer, J. C. Gerdes, B. Lenz, and H. Winner, Eds.: Springer, 2016, pp. 407-424.
F. Lotz, “Entwicklung einer Referenzarchitektur für die assistierte und automatisierte Fahrzeugführung mit Fahrereinbindung”, PhD thesis, Technische Universität Darmstadt, Darmstadt, Germany, 2017, pp. 85-87.
ENABLE-S3 Use Case 6 “Valet Parking”: Developing a safety concept for a distributed system (parking management system and automated vehicle) which share responsibilities. E.g.
Derivation of sense safety requirements for the safety goal: “The system shall prevent a collision between automated vehicles and persons.”
– “The system shall localize the object’s pose p_obj in its minimum required sensor range.”
– “The system shall determine the object’s dimensions length l_obj, width w_obj, height h_obj in its minimum required sensor range.”
– “The system shall determine the object’s velocity v_obj in its minimum required sensor range.”
Relations to other Patterns
|Abstract Scenario Mining||Identification of scenarios for the Item Definition|
|Abstract Scenario DB Design||Identification of scenarios for the Item Definition|
|Security Risk Assessment with Attack Trees||That pattern uses similar tree-based analysis techniques (attack trees)|
* “this pattern” denotes the pattern described here, “that pattern” denotes the related pattern