User stories - Safety Engineer: Safe states and OpenODD subspaces must be in sync
As a safety engineer I want to be able to match AD safe states from all system levels defined in my safety concept to subspaces of the OpenODD specification.
Safety-critical systems must define safe states; the system is safe when, at any given point in time, it is in one of its safe states.
During and/or after a specific drive, the drive itself can be called safe if the vehicle was in a safe state at every point in time of the drive. This yields a time sequence of safe-state visits without gaps.
safe drive = ordered set (drive states), where all drive states are safe states.
unsafe drive = ordered set (drive states), where not all drive states are safe states.
The set of drive states is the superset of all internal and external states, safe or unsafe.
The number of safe subspaces of OpenODD must equal the number of safe states of the system.
The safe subspaces of OpenODD do not have to be mutually exclusive; they may intersect.
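The definitions above can be checked mechanically. The following is an added example, not part of the user story or of the OpenODD specification: it models each safe state of a (constructed) safety concept as one OpenODD subspace given by a membership predicate over ODD attributes, verifies the one-to-one mapping and system-level coverage, and classifies a time-ordered drive as safe or unsafe by finding states that lie outside every safe subspace (the "gaps"). Safe-state names, system levels, thresholds and the sample drives are all constructed for illustration.

```python
# Added example (not part of the OpenODD specification or the user story):
# safe states mapped 1:1 onto OpenODD subspaces, plus a check that a recorded
# drive visits only safe states without gaps. Names, thresholds and sample
# drives are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DriveState:
    """One sample of the drive: time stamp plus the attributes the ODD is defined over."""
    t: float            # seconds since drive start
    speed_kph: float
    visibility_m: float
    road: str           # e.g. "highway", "urban"


@dataclass(frozen=True)
class SafeSubspace:
    """An OpenODD subspace together with the safe state it realises."""
    safe_state: str                         # name of the safe state in the safety concept
    system_level: str                       # system level the safe state belongs to
    contains: Callable[[DriveState], bool]  # membership predicate over the ODD attributes


# Constructed safety concept: safe state name -> system level.
SAFE_STATES: Dict[str, str] = {
    "nominal_operation": "vehicle",
    "degraded_low_speed": "planner",
    "minimal_risk_standstill": "vehicle",
}

# Constructed subspaces, exactly one per safe state. They are allowed to intersect:
# a slow highway drive in good visibility lies in both of the first two.
SUBSPACES: List[SafeSubspace] = [
    SafeSubspace("nominal_operation", "vehicle",
                 lambda s: s.road == "highway" and s.speed_kph <= 130 and s.visibility_m >= 200),
    SafeSubspace("degraded_low_speed", "planner",
                 lambda s: s.speed_kph <= 60 and s.visibility_m >= 50),
    SafeSubspace("minimal_risk_standstill", "vehicle",
                 lambda s: s.speed_kph == 0),
]


def mapping_is_consistent(safe_states: Dict[str, str], subspaces: List[SafeSubspace]) -> bool:
    """Number of subspaces equals number of safe states, and each safe state is mapped exactly once."""
    mapped = sorted(sub.safe_state for sub in subspaces)
    return len(subspaces) == len(safe_states) and mapped == sorted(safe_states)


def uncovered_levels(safe_states: Dict[str, str], subspaces: List[SafeSubspace]) -> List[str]:
    """System levels of the safety concept that no subspace realises (should be empty)."""
    covered = {sub.system_level for sub in subspaces}
    return sorted(set(safe_states.values()) - covered)


def safe_states_for(state: DriveState, subspaces: List[SafeSubspace]) -> List[str]:
    """All safe states whose subspace contains the state; more than one means the subspaces intersect there."""
    return [sub.safe_state for sub in subspaces if sub.contains(state)]


def classify_drive(drive: List[DriveState], subspaces: List[SafeSubspace]) -> Tuple[bool, List[DriveState]]:
    """A drive is safe iff every time-ordered state lies in at least one safe subspace.

    Returns (is_safe, gaps), where gaps are the states outside every subspace, in time order.
    """
    ordered = sorted(drive, key=lambda s: s.t)  # treat the drive as an ordered set of states
    gaps = [s for s in ordered if not safe_states_for(s, subspaces)]
    return (not gaps, gaps)


# Constructed sample drives.
SAFE_DRIVE = [
    DriveState(0.0, 0.0, 300.0, "highway"),     # standstill before departure
    DriveState(10.0, 50.0, 300.0, "highway"),   # in nominal AND degraded subspaces
    DriveState(20.0, 110.0, 300.0, "highway"),  # nominal only
    DriveState(30.0, 40.0, 80.0, "urban"),      # degraded only
]

UNSAFE_DRIVE = SAFE_DRIVE[:3] + [
    DriveState(25.0, 90.0, 30.0, "highway"),    # fast in dense fog: in no safe subspace -> gap
] + SAFE_DRIVE[3:]


if __name__ == "__main__":
    print("mapping consistent:", mapping_is_consistent(SAFE_STATES, SUBSPACES))
    print("uncovered levels:", uncovered_levels(SAFE_STATES, SUBSPACES))
    for name, drive in (("safe", SAFE_DRIVE), ("unsafe", UNSAFE_DRIVE)):
        ok, gaps = classify_drive(drive, SUBSPACES)
        print(name, "drive safe:", ok, "gaps at t =", [g.t for g in gaps])
```

Membership is "any subspace", not "exactly one", which is what makes intersecting subspaces harmless: a state covered by two safe states is still safe. The gap list is the practical output for a safety engineer, since it pinpoints the time stamps at which the vehicle left every defined safe state.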
Reasoning:
- Safety assessment of a product may not ignore any level of the system at which an unsafe control action can take place. All are relevant.
- Safety assessment of a product may not ignore whether an unsafe control action happens around a static or a dynamic task. All are relevant.