Guaranteeing functional safety: design for provability and computer-aided verification

When autonomous robots begin to share the human living and working spaces, safety becomes paramount. It is legally required that the safety of such systems is ensured, e. g. by certification according to relevant standards such as IEC 61508. However, such safety considerations are usually not addressed in academic robotics. In this paper we report on one such successful endeavour, which is concerned with designing, implementing, and certifying a collision avoidance safety function for autonomous vehicles and static obstacles. The safety function calculates a safety zone for the vehicle, depending on its current motion, which is as large as required but as small as feasible, thus ensuring safety against collision with static obstacles. We outline the algorithm which was specifically designed with safety in mind, and present our verification methodology which is based on formal proof and verification using the theorem prover Isabelle. The implementation and our methodology have been certified for use in applications up to SIL 3 of IEC 61508 by a certification authority (TÜV Süd Rail GmbH, Germany). Throughout, issues we recognised as being important for a successful application of formal methods in robotics are highlighted. Moreover, we argue that formal Research supported by the German Ministry for Research and Technology (BMBF) under grants no. 01 IM F02 A and 01IS09044B and Deutsche Forschungsgemeinschaft (DFG) under grant FR 2620/1-1. Holger Täubig, Christoph Lüth, Dennis Walter Cyber-Physical Systems, German Research Center for Artificial Intelligence (DFKI), Bremen, Germany. E-mail: {holger.taeubig,christoph.lueth,dennis.walter}@dfki.de Udo Frese, Christoph Hertzberg, Elena Vorobev FB 3 — Computer Science, University of Bremen, Bremen, Germany. E-mail: {ufrese,chtz,elenav}@informatik.uni-bremen.de Stefan Mohr Leuze electronic, Fürstenfeldbruck, Germany. E-mail: [email protected] analysis deepens the understanding of the algorithm, and hence is valuable even outside the safety context.