2026
Conference Paper
Title
From Abstract to Action: Tailored Environment Taxonomies for More Complete ADS Safety Analyses
Abstract
Different safety engineering processes of automated driving systems (ADS), such as hazard identification and risk assessment (HARA) or SOTIF analyses, require a model of the system’s operational environment. Environment taxonomies like ISO 34503 and the "PEGASUS Six-Layer Model" can serve as a basis to derive such models. To ensure comprehensive coverage applicable to different ADS and operational design domains, these taxonomies must be defined at a generic abstract level. However, creating effective environment models relies on the engineer’s ability to adapt a base taxonomy for a specific system, operational design domain, and safety analysis scope. This study examines how a base environment taxonomy can be tailored to enhance a specific safety engineering process. Our proposed method involves deriving guide questions from the process’s quality requirements. Engineers then use these questions to systematically refine a given taxonomy for use in the safety process. We applied this method in a case study, adapting the ISO 34503 taxonomy to improve HARA quality for an autonomous last-mile delivery vehicle in urban intersection scenarios. The tailored taxonomy was compared with the generic baseline in identifying relevant situation elements for HARA. Industry experts interviewed post-study reported that the tailored taxonomy better structured the situation space exploration than the generic baseline. The detailed guide questions also revealed critical situation elements not identified with the generic taxonomy alone. This paper argues that the developed taxonomy tailoring method improves the quality of safety engineering processes. The case study confirmed the hypotheses that engineers profit from a guided analysis approach, especially in complex situation spaces, and that, in consequence, critical situation elements can be identified with less dependence on the engineer’s experience. Thus, we conclude that although the approach cannot guarantee a complete coverage of the situation space, it evidently improves the quality of safety engineering processes.
Author(s)