Page 66 in The Future of Software Quality Assurance
66 T. Linz
• Injury to uninvolved third parties caused by the autonomously moving system
• Injury to direct users, operators, or passengers of the autonomous system
• Injury to animals or damage to objects or infrastructure in the track or operating radius of the system, caused by the system
• Damage to other objects caused by objects that the system handles or has handled
• Damage to the system itself, for example, due to a maneuvering error
Since human intervention may take place too late in a dangerous situation or (for systems with a high autonomy level) is not planned at all, the autonomous system itself must be sufficiently safe. In the overall life cycle of an autonomous system (from development to deployment to decommissioning), the topic of “safety” therefore has an extraordinarily high priority.
The associated safety levels (SIL levels) are defined in the series of standards [8]. The term “safety” is defined there as:
• Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. [9]
To ensure sufficient safety, a system must have “functional safety”:
• Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event ...
• ... The aim of Functional safety is to bring risk down to a tolerable level and to reduce its negative impact. [9]
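The definition above reduces to a simple pattern: detect a potentially dangerous condition, then activate a protective mechanism, and treat a missing reading as dangerous rather than as safe. The following Python supervisor is an added illustration (not code from the chapter or from any product) that applies this pattern to the semi-autonomous lawn mower discussed in Sect. 3.1; the sensor names, the action set and the latching behaviour are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    RUN = 0          # normal operation
    STOP_DRIVE = 1   # halt the chassis (contact collision), knife may keep running
    STOP_BLADE = 2   # cut power to the cutting knife, chassis may still move
    STOP_ALL = 3     # knife and drive off; requires an operator reset

@dataclass(frozen=True)
class SensorFrame:
    """One reading of the (assumed) safety sensors; None means no valid reading."""
    lifted: Optional[bool]         # tilt/lift sensor on the housing
    blade_blocked: Optional[bool]  # knife stalled, e.g. motor overcurrent
    bump: Optional[bool]           # contact-based collision sensor
    inside_wire: Optional[bool]    # boundary-wire signal still received

def protective_action(frame: SensorFrame) -> Action:
    """Map a potentially dangerous condition to the protective mechanism.
    A missing reading (None) is treated as the dangerous case: fail-safe."""
    # Lifting, or leaving the bordered area, exposes the rotating knife
    # outside the controlled environment: stop everything.
    if frame.lifted is not False or frame.inside_wire is not True:
        return Action.STOP_ALL
    # A blocked knife is a hazard of the cutting tool, not of movement.
    if frame.blade_blocked is not False:
        return Action.STOP_BLADE
    # Contact with an obstacle: stop driving and let the planner re-route.
    if frame.bump is not False:
        return Action.STOP_DRIVE
    return Action.RUN

class SafetyMonitor:
    """Latching supervisor: after STOP_ALL the robot does not resume on its
    own; only an operator reset in a demonstrably safe state clears it."""
    def __init__(self) -> None:
        self.latched = False

    def step(self, frame: SensorFrame) -> Action:
        action = protective_action(frame)
        if action is Action.STOP_ALL:
            self.latched = True
        return Action.STOP_ALL if self.latched else action

    def reset(self, frame: SensorFrame) -> bool:
        """Operator reset; succeeds only if the current frame is safe."""
        if protective_action(frame) is Action.RUN:
            self.latched = False
        return not self.latched
```

The latch is what turns a momentary detection into a protective state: a lift event that lasts one sensor cycle still keeps the knife off until a person confirms the situation.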
3.1 Safety in Normal Operation
The dangers described above primarily result from the movement of the system or system components (e.g., a gripping arm). The level of danger or the associated risk of damage depends on the speed and mass of the system and the complexity and variability of its environment (Environmental Complexity). The following examples illustrate this:
• With a semi-autonomous, automatic lawn mower, the area to be mown is bordered, for example, by a signal wire. The movement space, the garden, is a controlled environment. The robot’s movement speed and movement energy are low. Contact-based collision detection is sufficient for obstacle detection. The risk posed by the rotating cutting knife is reduced to an acceptable level (for operation within the controlled environment) by the housing and by sensors which detect lifting of the robot or blocking of the knife.
• For a fully autonomous car, the range of motion is open. Motion speed and kinetic energy can be very high. The car moves simultaneously with many other road users in a confined space. Obstacles of any kind can “appear” in the route at any time. Evasion is a necessary part of “normal operation.” For safe driving in compliance
The Future of Software Quality Assurance
- Title: The Future of Software Quality Assurance
- Author: Stephan Goericke
- Publisher: Springer Nature Switzerland AG
- Location: Cham
- Date: 2020
- Language: English
- License: CC BY 4.0
- ISBN: 978-3-030-29509-7
- Size: 15.5 x 24.1 cm
- Pages: 276
- Category: Computer science