PreHaz: A Premortem Functional Safety Hazard Assessment Technique for Autonomous Vehicles

摘要

When performing functional safety hazard assessments, the challenge is anticipating all the things that can go wrong during a system’s operation. Hazard assessment tends to be performed in an ad hoc (where do I begin assessing?) and open-ended (when do I stop assessing?) manner. It is difficult for humans to factor in all the variables that affect a system’s nominal interaction with the environment and then predict all the combinational behaviors (good or bad) resulting from those variables. Quite often, after the system is built, a hazardous situation will occur that no one expected, and perhaps even assumed improbable. At those times engineers may employ a postmortem and realize that, with enough forethought, the hazard could have been assessed and anticipated. In contrast to the postmortem, there is the premortem, which tries to assess what can go wrong, before it actually occurs. This paper introduces a technique based on the premortem that can be applied to the development of a product and, in particular, to the assessment of hazardous situations that could arise from the product’s interaction with the environment and/or a human operator using the product. The proposed technique is called PreHaz, which includes a systematic way to reduce the search space from which premortem questions are derived. This reduction occurs by creating a model that represents the domains that interact with a system being developed. The regions where the domains overlap are treated as hazard domains that are then used to derive premortem questions designed to help one or more stakeholders expose potential hazardous situations. Examples of PreHaz are examined as it is applied to the functional safety of autonomous vehicles.