When accidents occur on a fully automated freeway, driver error will rarely be relevant, so the design must ensure that equipment failure cannot cause hazards. An attempt to demonstrate satisfactory methods of requirement specification and hazard analysis is described. The case treated is a single automated lane on a freeway that also has lanes for other vehicles and shares on- and off-ramps with them. Once the hazards are specified, it appears that the system configuration is determined. A number of concepts have emerged and seem likely to be basic to all hazard-avoiding designs; these concepts are identified and described. No method has been found for demonstrating that the set of hazards is complete. Peer criticism of the hazards proposed is therefore earnestly sought because, as explained, they are the axioms on which the logical structure that demonstrates safety is to be based.