Automatic Deduction of the Impact of Context Variability on System Safety Goals

Autonomous systems, such as trains with a high grade of automation, need to function safely in their operational context. One hindrance to the development of such systems is the high degree of variability of this context: Different context variants can have a substantial impact on the safety goals the system must fulfill to function with sufficiently low residual risk.In this paper, we propose a method for modeling and reasoning about the context variability of an autonomous system and its impact on the system’s safety. We build upon contextual goal models to model the refinement of safety goals and their dependence on the environment. By introducing an explicit model of the context variability to be expected, we transform the challenge of safety in variable environments to a satisfaction modulo theories problem. This allows us to find inconsistencies and check whether a concrete context variant would allow for safe operation of the system. We demonstrate our approach with a use case from the railway domain and show its applicability to an automatic train operation system in different contexts based on map data.