Engineering Dynamic Risk and Capability Models to Improve Cooperation Efficiency Between Human Workers and Autonomous Mobile Robots in Shared Spaces
Jan Reich (1), Pascal Gerber (1), Nishanth Laxman (1), Daniel Schneider (1), Takehito Ogata (2), Satoshi Otsuka (3), and Tasuku Ishigooka (3)
(1) Fraunhofer Institute for Experimental Software Engineering IESE, Kaiserslautern, Germany, {firstname.surname}@iese.fraunhofer.de
(2) European Research and Development Centre, Hitachi Europe GmbH, Munich, Germany, takehito.ogata@hitachi-eu.com
(3) Research and Development Group, Hitachi Ltd., Ibaraki, Japan, {satoshi.otsuka.hk,tasuku.ishigoka.kc}@hitachi.com
Abstract. Coexistence or even cooperation of autonomous mobile robots (AMR) and humans is a key ingredient for future visions of production, warehousing and smart logistics. Before these visions can become reality, one of the fundamental challenges to be tackled is safety assurance. Existing safety concepts have significant drawbacks: they either physically separate operation spaces completely or stop the AMR if its planned trajectory overlaps with a risk area constructed around a human worker based on a worst-case assumption. In the best case, this leads to less-than-optimal performance; in the worst case, an application idea might prove to be completely unfeasible. A general solution is to replace static worst-case assumptions with dynamic safety reasoning capabilities. This paper introduces a corresponding solution concept based on dynamic risk and capability models which enables safety assurance and at the same time allows for continuous optimization of performance properties.
Keywords: dynamic risk management · situational awareness · automated guided vehicles · runtime safety monitor · dynamic risk assessment · model-based safety engineering · cyber-physical system
1 Introduction
Autonomous systems such as autonomous mobile robots (AMR) have an enormous potential to further improve economic efficiency in application domains such as production or smart logistics. There are, however, numerous scenarios in which a spatial co-existence or even cooperation of autonomous systems and human workers is required. Safety thus needs to be assured, whereas existing safety concepts either physically separate operation spaces completely or stop the AMR if its planned trajectory overlaps with a risk area constructed around a human worker based on a worst-case assumption. This leads to unnecessary AMR stops, which impacts the overall performance or even the general feasibility of AMR applications.
2 J. Reich et al.
A general solution is to replace static worst-case assumptions with dynamic safety reasoning capabilities. Systems are empowered to monitor relevant properties of themselves and their context, extrapolate to a certain extent into the future, and reason about the implications that can be deduced from this information concerning the current risk. Worst-case assumptions are thus replaced by actual knowledge about the current situation, augmented by future predictions for specific properties. Relevant context comprises the physical environment, including human workers and co-existing or cooperating systems. The context information is either attained directly by the system's sensors or by communication with third parties, such as infrastructure/edge/cloud devices, cooperating systems or even humans. Reliance on such situational awareness and reasoning mechanisms necessitates that the safety of those mechanisms can be argued convincingly. While this is a challenge in itself, we believe in the general feasibility and that the benefits will, in many cases, significantly outweigh the additional effort and complexity.
In this work, we specifically focus on an industrial AMR application and use context information in terms of specific situation features, such as dynamic variations of human worker behavior, to dynamically assess the risk of the operational situation. At the same time, we dynamically assess the AMR's safety-related capabilities, which are also subject to change due to internal failures, sensor limitations, and fluctuations in physical context properties. Finally, we use the attained knowledge about both aspects, the current risk and the current capabilities, to dynamically scale safety areas around humans and AMRs, as they have been conceived in previous work on Symbiotic Safety Systems [3].
The main contributions presented in this paper are (1) the definition of an abstract behavior causality ontology to express and analyze critical behavior deviations for human workers and AMR, (2) the integration of the models in a dynamic safety monitoring architecture and (3) an exemplary evaluation of the expected efficiency boost potential when using the resulting dynamic safety monitors in passing and overtaking scenarios. The paper is structured as follows: Section 2 puts the challenge of safe human-robot cooperation into a smart logistics context and reviews different possible safety concepts and related work for behavior and capability prediction. Section 3 subsequently introduces a method to engineer situation-aware risk and capability models based on a behavior causality ontology. In addition, it outlines the integration of the risk and capability monitor into the Symbiotic Safety System architecture. Section 4 evaluates the expected efficiency benefit of using the dynamic models in passing and overtaking scenarios between AMR and human workers compared to using worst-case movement assumptions. Finally, Section 5 concludes the paper and lays out future work directions.
Dynamic Risk and Capability Models to Improve Cooperation Efficiency 3
2 Safe Human-Robot Cooperation
2.1 Safe Human-Robot Cooperation in Smart Logistics
The main task of a logistics warehouse is to efficiently carry in goods, store them appropriately, and carry them out on demand to be dispatched to a customer. First, goods must be carried in from trucks into a sorting area, where they are unpacked, inspected, and sorted to be transferred to an optimal storage place. Then, upon the dispatch request, the goods are picked up in the storage area, moved into the packaging area, prepared for dispatch, and carried out into trucks again. In smart logistics warehouses, these tasks are not only performed by human workers and human-operated machines like forklifts; automation concepts are also used to relieve humans from tedious work and make warehouse operations more efficient (Fig. 1). Although autonomous mobile robots (AMR) or autonomous forklifts (AFL) can be beneficially used for the efficient transport of goods, human workers can much better inspect and label the quality of goods. Thus, the optimal operation of a logistics warehouse requires the cooperation of humans and autonomous machines in shared spaces. However, this efficiency boost can only be realized if the residual collision risk between robots and humans is acceptably low.
Different safety concepts exist to address this challenge, with varying consequences on assurance effort and resulting efficiency. The most straightforward idea is assigning distinct static work areas for human workers and AMRs, e.g., by physical barriers like fences or traditional safety functions like light curtains. As AMRs pick up goods directly at the location where humans inspect them, physical separation is not optimal. A more efficient safety concept is to make the distinct movement areas dynamic, i.e., to dynamically construct a so-called risk area around human actors, which represents the short-term movement space and constantly moves along with an actor during operation (Fig. 1 right). The AMR is designed in such a way that an overlap between its intended trajectory and the risk area of a nearby human immediately leads to a safe stop until the overlap ceases to exist. Since there are several influences like malfunctions or functional inefficiencies that may cause an AMR to deviate from its intended trajectory, a so-called capability area is dynamically constructed around an AMR, accounting for the impact of those influences. Thus, capability and risk areas built for a short-term time horizon are dynamically checked, and an exclusive possession right is granted to human actors during overlap. The efficiency of this dynamic safety concept depends on how adequately the predicted risk and capability areas match real actor movement, in particular, that they are not wrongly determined as smaller than reality. As such, the adequate determination of risk and capability area extents is decisive for safety and efficiency.
One common approach to solve this problem is to use worst-case assumptions regarding the operational situation, i.e., the risk area extents are selected based on the human worker behavior leading to the most critical situation conceivable. An example of an assumed maximum radial approach speed of humans towards machines in factory contexts is given in ISO 13855 as 1.6 m/s [1]. Although this approach leads to provable safety if the assumption is valid, it inevitably leads to an efficiency loss, since worst-case situations rarely occur and the AMR will often stop unnecessarily.
Fig. 1. Left: Smart Logistics Warehouse Tasks in sorting area. Right: Illustration of safety challenge with spatial overlap between human worker and AMR action ranges.
To run operations more efficiently without arriving at a higher collision risk, we have to eliminate conservative AMR behavior in low-risk situations. Detecting situation features indicating a high likelihood of uncritical behavior of human workers enables AMRs to be less conservative. Compared to searching for the most critical situations within the operational domain, the consideration of specific low-risk situations adds more complexity to engineering an adequate situation detection mechanism and its safety assurance. Thus, the efficiency potential comes at the cost of increased assurance effort. However, by choosing the worst-case assumption as a baseline and detecting situation features indicating lower risk to inform a risk area extent decrease, we relieve ourselves from having to deliver a completeness argument for the situation analysis. Instead, new features can be gradually added to detect low risk and improve efficiency.
Problem Statement. The efficiency of dynamic safety concepts relying
on worst-case assumptions can be improved by dynamically detecting low-risk
situations and adapting the AMR behavior accordingly based on modified risk
and capability area extents. To that end, model-based methods for risk-driven
situation analysis and integrating the resulting risk and capability models into
runtime monitors are required.
2.2 Related Work
For dynamic safety assurance of AMR in cyber-physical systems, conceptual
approaches to model and predict the relationship between situation features and
behaviors at runtime were proposed.
Uncontrollable actors. Behavior prediction in the context of risk-sensitive motion planning, e.g., [2], or trajectory verification, e.g., [5]: In both approach classes, external actor trajectories are predicted to check spatio-temporal overlap with an ego trajectory. However, predicting high-accuracy trajectories requires very fine-granular/continuous input feature resolution, so that a high-integrity perception of those features is hardly assurable. In addition, changes in risk are typically initiated by events on the tactical level, so a causal risk relationship on a more abstract (=non-trajectory) level would be favorable to increase assurability of feature perception, i.e., to use coarse-grained state distinction rather than continuous input feature detection. Initial approaches have been proposed to raise the abstraction level of dynamic risk monitors [4, 8]. The source of risk relationships in these approaches are hazard and risk assessment activities carried out during design-time safety engineering. Here, the risk model is not related to a trajectory but captures the abstract relationship between situation features on the tactical level and the presence of behaviors leading to the presence or absence of hazardous events. The respective approaches claim their assurability by not having to specify safety criteria in the spatio-temporal situation space but in a less complex tactical situation space.
Controllable actors. In contrast to non-controllable actors, the determination of the extent of an AMR's movement space (i.e., its capability area) is a simpler problem, since the AMR's design and intended system behavior are known. Dynamic capability assessment approaches focus on modeling the relationship between events causing system behavior to deviate from its intention. These models serve as input for dynamic monitoring of system operation and its quality guarantees. Ability and skill graphs are models that represent what the system must do (skill) and how well (ability) in order to fulfill its functional specification. These models can be used to synthesize runtime monitors enabling a dynamic assessment of capability availability through self-awareness [7]. Conditional Safety Certificates (ConSerts) [9] are Boolean success trees relating functional safety-related events with safety guarantees based on predefined and precertified safety concept variants. ConSerts represent dynamic, variable, and modular safety concepts, where safety guarantees can be inferred at runtime based on the state of runtime evidence.
Apart from the concrete techniques for risk and capability prediction, more generic model-based frameworks for modeling and safety analysis of cyber-physical systems exist, too. SafeConcert [6] provides a metamodel for the safety analysis of socio-technical systems consisting of technical elements, humans and even organizations. Although SafeConcert has a large overlap with the ontology in this paper, the most important difference is that the risk area prediction in this paper treats the human as an element of the operational situation whose controllability is predicted by means of behavior prediction. In SafeConcert, the human is treated as part of the system and consequently can have "failure modes" that are addressed by safety concepts. In addition, SafeConcert is a pure design-time modeling and analysis approach to building a safe system, while the purpose in this paper is the engineering of runtime safety monitors.
In summary, for the problem of modeling the relationship between situation features and critical human worker behaviors on the one hand and situation features and critical AMR behaviors on the other hand, several approaches exist. However, to the best of the authors' knowledge, no model-based approach exists that combines both concepts in a holistic framework with the aim of engineering dynamic safety monitors. This paper intends to fill this research gap with the following contributions:
Fig. 2. Methodological steps for engineering distributed runtime safety monitors.
1. A holistic modeling concept combining risk and capability models to account for behavioral variability of uncontrollable and controllable actors.
2. A behavior causality ontology applicable to both humans and machines, providing systematic guidance for situation feature identification during behavior safety analysis with the aim to synthesize runtime safety monitors.
3. An exemplary evaluation of the expected benefit of using the approach in passing and overtake scenarios in contrast to using worst-case assumptions.
3 Situation-Aware Behavior Safety Analysis
3.1 Method Overview
This section describes the methodological big picture to engineer dynamic risk
and capability models, which realize a behavior safety concept and are finally
processed by a distributed runtime safety monitoring component (Fig. 2).
The behavior safety concept defines a behavior specification satisfying
the safety goal “Perform safe stop, when predicted dynamic risk and capability
areas overlap”. In this paper, we use a dynamic behavior safety concept, which
predicts movement areas around uncontrollable actors like human workers (risk
area) and controllable actors like AMR (capability area).
Both areas can be perceived as convex hulls of the possible actor behaviors for a given time horizon in the current situation. We are interested in distinguishing critical from uncritical behaviors instead of trajectories, because risk varies more significantly through unsafe behaviors than through unsafe trajectory planning for a given safe behavior. Thus, we deem an abstraction suitable to account for this aspect. To formally realize it, we model risk and capability areas with geometric shapes with just enough parameters to express the presence or absence of critical behavior intents. The selected type of shape, e.g., ellipses, circles or triangles, may differ for different actor types depending on the behavioral degrees of freedom. In Fig. 2 on the right, distinguishing critical lateral from uncritical longitudinal behaviors can be modeled with the semi-axis length parameters of an ellipse, varying longitudinal and lateral extents independently.
With such simplified models, safety can be achieved if the model extents are predicted accurately and if a risk and capability area overlap triggers a safe AMR stop. However, unsafe situations can emerge if either area is predicted smaller than it actually is. The behavior safety analysis step aims at systematically analyzing causal influence factors capable of indicating the likelihood of actor behavior options in a given situation. The resulting artifact of this analysis and modeling is the actor behavior causality model, which captures causal relationships between situation features and their influence on the actor behaviors to be distinguished regarding their risk potential. The operational context is systematically analyzed for situation factors by means of an abstract behavior causality ontology, which models the different steps of a generic cognitive decision-making process. Since autonomous systems try to imitate defined human behaviors, this cognitive process can be interpreted to guide the causal analysis of both human and machine behaviors. The difference lies in the interpretation scheme and in the types of risk-relevant situation features. For instance, the capability area of a controlled actor such as an AMR is mainly affected by component failures or environmental factors affecting sensor performance. In contrast, the risk area of an uncontrolled actor such as a human worker is mainly affected by features indicating situational awareness or controllability of potentially unsafe situations.
The result of the behavior safety analysis is a set of models linking behavior-influencing situation features to different risk and capability area sizes for different actor types. However, the features need to be prioritized to achieve an optimal cost-benefit ratio. As such, the feature selection aims at finding the set of features that provide the maximum efficiency benefit for a particular technical architecture of the warehouse system given the cost constraints of adding a feature. While a particular feature may have, in general, a high efficiency potential, it could still be excluded from usage. For instance, if there is no sensor available yet for reliable or cost-effective measurement of a feature, or if measuring helpful features would violate human privacy rights, this can lead to the decision not to use a particular feature. Since future developments may change this, having realization-independent behavior causality models enables step-wise inclusion of features into the realization and, therefore, a step-wise improvement of efficiency in line with technological innovation for feature sensors.
The models engineered during behavior safety analysis are qualitative and, as such, they are not formally inferrable yet. Thus, in order to make the prediction models processable by a runtime safety monitor, a modeling formalism with automated inference support is required. Different modeling formalisms exist in the literature, ranging from simple Boolean logic models to more sophisticated model types supporting temporal dependencies and probabilistic uncertainty propagation. In this paper, we use Boolean logic to express causal relationships between situation features and area parameters. Based on the model and inference algorithm, a runtime safety monitor component deployed to an AMR dynamically determines the state of situation features. Furthermore, it infers both risk and capability area extent parameters. To do that, infrastructure or human worker sensing devices can extend the perception capabilities of the AMR's sensors, as will be shown in Section 3.3.
Fig. 3. Behavior causality ontology as a blueprint for situation analysis.
3.2 Behavior Causality Model Engineering
In order to engineer situation-specific risk and capability models used in a safety-critical function, two requirements need to be met: First, we need to express how situation features lead to variations in assumed actor movement, and second, we need to argue about the risk associated with the presence or absence of situation features. The latter is needed because behavior intents can be affected in multiple ways by the same situation feature, leading to different risks in different scenarios. The behavior causality ontology (Fig. 3) aims at fulfilling the requirements by providing elements to express the complete causal chain of behavior emergence for different actors with a particular focus on capability-impairing situation features.
The conceptual backbone of the ontology is a decomposition of behaviors into cognitive steps, which enable actors to enact a behavioral decision based on capabilities for situation perception, reasoning and plan execution. The general idea is that there is a sequence of cognitive steps an actor follows to safely and efficiently accomplish a specific behavior or sequence of behaviors (=working task). Popular cognition models usable for both humans and machines are Sense-Plan-Act or, more fine-grained, Sense-Understand-Decide-Act. Risk can be associated with the likelihood and consequences of a particular required capability being impaired or not present, represented by the capability deviation. A capability deviation is influenced by the presence or absence of situation features in an operational situation. Situation features can be grouped, as they contribute to similar abstract deviation influence concepts, which have similar effects on a particular capability deviation. For instance, the deviation influence concept "occlusion" affects the capability "Localize other actors", and occlusion can be caused by a variety of different situation features such as unobservable corners, blocking objects, or lighting conditions (Fig. 4). These behavior model elements are composed in a behavior causality model. The behavior causality model thus captures the semantic meaning of capabilities required to render behavior and the impact of situation features on the presence or absence of these capabilities. In contrast, the qualitative causal model represents a generic graph with nodes and relationships, which model cause-effect relationships between behavior model elements. Qualitative causal models, as well as behavior causality models, are composed in a behavior causality package.
Fig. 4. Exemplary behavior causality model instances for AMR and human worker.
Fig. 4 shows an exemplary instantiation of the behavior causality ontology for human workers and AMRs in the logistics warehouse context. For both actor types, ellipses are used to envelop the movement space around planned behaviors representing working tasks. The abstract behavior causality model in the middle of Fig. 4 is the exemplary result of a behavior safety analysis performed on capabilities required for both actors to execute their behaviors safely. For the identification of situation features (SF in Fig. 4) potentially affecting the presence of a capability, engineers have to interpret the abstract deviation influence (DI) concepts in the context of actor behavior in a situation. Concretely, the engineer systematically goes through each capability of the actor cognitive model and analyzes situation influences. For AMRs, these influences can be analyzed in common safety analysis activities, which are already carried out during functional and operational safety assurance today. For human workers, we followed a scenario-based analysis approach in this study, because no established methods exist for the interpretation of the deviation influence concepts for human behavior. The key benefits of engineering behavior causality models with the presented approach are:
- More constrained analysis scope for feature identification: During the interpretation of deviation influence concepts in concrete scenarios, the involved engineering experts perceived it as much easier to answer the template question "Which <situation features> lead to <deviation influence concept> affecting <capability> in the context of <behavior> of <actor>?" than the more generic question "Which <situation features> lead to critical deviations of <behavior> of <actor>?"
- Possibility to link situation features to design-time risk assessment: When using situation features to predict risk and capability areas at runtime, they should be traceable to design-time safety engineering processes so that integrity requirements for the perception of situation features can be expressed. This is possible by linking situation features to explicitly modeled capabilities and their deviations, for which the risk can be assessed.
- Systematic generation of a comprehensive collection of situation features that differentiate critical from uncritical actor behaviors: These features are thus candidates to be used as indicators to switch the extents of dynamic risk and capability areas within dynamic behavior safety concept realizations to improve operation efficiency (see Section 4).
3.3 Dynamic Safety Monitoring Architecture Integration
Having means to model the influence of situation features on risk and capability areas as described in the previous subsections, Fig. 5 shows the integration of the prediction component into the Symbiotic Safety System architecture. The Symbiotic Safety System realizes Dynamic Collision Avoidance on the warehouse level based on information provided by various sources as part of the Field Digitization. The core component is the determination of risk and capability area overlap and the assignment of an exclusive area on overlap, i.e., the AMR is instructed to safely stop if an area is exclusively assigned to a HW. In previous work [3], the extents of risk and capability areas were statically defined based on worst-case assumptions. The dynamic risk and capability area prediction introduced in this paper is highlighted in orange in Fig. 5 and feeds the dynamic area extents into the exclusive area assignment component. Safety Control on the one hand supervises safe stopping based on information about current positions of AMR and HWs and on the other hand indicates safety-relevant information to HWs. This can either happen through the audio-visual signaling capabilities of the AMR or directly be sent to HMI glasses worn by the HW, if available. The aim is to actively improve the HW's controllability by improving situational awareness.
The situation features needed for the dynamic risk and capability area prediction can be reliably detected by a combination of AMR-local sensors (e.g., for fault diagnosis or localization), HW-local sensors like the HMI glasses (e.g., for HW view direction), infrastructure sensors (e.g., for localization) and the warehouse task database (e.g., for deriving assumptions from the working task, such as a higher expectation of view obstruction when the HW currently carries a box).
Fig. 5. Integration of Dynamic Risk / Capability Area Prediction (indicated in orange) into symbiotic safety system architecture.
Fig. 6. Passing (left) and overtake (right) scenarios evaluated in the case study.
4 Expected Efficiency Benefit Evaluation
This section exemplarily evaluates the expected benefit of using dynamic risk
area prediction models in passing and overtaking scenarios compared to using
fixed area extents based on worst-case assumptions. The efficiency metric used
in the evaluation is the time an AMR needs to pass safely through a corridor.
4.1 Passing Scenario
In the passing scenario, AMR and human worker (HW) move with speeds $v_{AMR}$ and $v_{HW}$ in opposite directions along a corridor with length $l$ (Fig. 6 left).
Fig. 7. Dynamic risk area model for the HW (left) and dynamic capability area model
for AMR (right).
By making use of the behavior safety analysis method described in Section 3, Boolean behavior causality models have been derived for the scenario for dynamically detecting varying risk area and capability area extents (Fig. 7). Two modes with different assumed width extents are modeled for the risk area models. The worst-case risk area extent is always selected with width $w_c$ unless the risk-decreasing situation features "not carrying a box" and "eye contact" are present, where we assume $w_0$ to be the risk area's width. Both situation features in combination indicate the absence of occlusion and a basic level of awareness, leading to the hypothesis that the human worker notices the AMR and will take this into account for behaving safely. This turns the situation into a non-worst-case situation and represents the efficiency potential. For the AMR's capability area extents, three modes with varying assumed capability area widths have been modeled accordingly, where $w_c$ represents the worst case, and $w_0$ and $w_1$ represent the area widths resulting from different situation feature combinations.
In workshops with our industry partners from Hitachi, we ensured that se-
lected situation features were reliably detectable at runtime with state-of-the-art
sensors and algorithms assumed to be available in smart logistics warehouses.
These include HMI devices worn by human workers to indicate eye gaze and
present working tasks, as well as AMR-local and infrastructure sensors to deter-
mine tire, illumination and failure conditions.
As an evaluation benchmark, we compute the average AMR corridor passing time $t^0_{WC}$ (Eq. 1) by assuming the constant presence of the HW risk area width $w_c$, where the AMR needs to stop and can only continue to move after the HW has stepped out of its capability area, i.e., the stop lasts until the HW has walked past the AMR's length $d_{AMR}$ at speed $v_{HW}$. For this computation, assumptions are required for the likelihood of a HW being present in the corridor simultaneously with the AMR, $P(HW)$, the speeds of AMR $v_{AMR}$ and HW $v_{HW}$, the length of the AMR $d_{AMR}$ and the corridor length $l$. Throughout, $\overline{X}$ denotes the complementary event of $X$, i.e., $P(\overline{HW}) = 1 - P(HW)$.

$$
t^0_{WC} = P(\overline{HW})\,\frac{l}{v_{AMR}} + P(HW)\left(\frac{l}{v_{AMR}} + \frac{d_{AMR}}{v_{HW}}\right) \qquad (1)
$$

By assuming $P(HW) = 0.7$, $v_{HW} = 1.6\,\mathrm{m/s}$, $v_{AMR} = 5.0\,\mathrm{m/s}$, $d_{AMR} = 0.85\,\mathrm{m}$, $l = 42\,\mathrm{m}$, the benchmark average AMR corridor passing time is $t^0_{WC} = 8.77\,\mathrm{s}$.
In our best-case scenario, the absence of box carrying and the presence of eye contact are taken into account to adapt the risk area extent to $w_0$, leading to no required stop for the AMR, i.e., driving with maximum speed $v_{AMR}$ along the full corridor length. In addition to the parameters of Eq. 1, further assumptions are required for the likelihood that an occlusion is present, $P(OC)$, and for the conditional probability that eye contact is present given no occlusion, $P(EC\,|\,\overline{OC})$; the average passing time $t^0_{DYN}$ is then given by Eq. 2. The first bracket collects the cases without a stop (no HW present, or a HW that is neither occluded nor lacking eye contact), the second bracket the cases with a stop.

$$
t^0_{DYN} = \Big[P(\overline{HW}) + P(HW)\,P(EC\,|\,\overline{OC})\,P(\overline{OC})\Big]\frac{l}{v_{AMR}} + P(HW)\Big[P(\overline{EC}\,|\,\overline{OC})\,P(\overline{OC}) + P(OC)\Big]\left(\frac{l}{v_{AMR}} + \frac{d_{AMR}}{v_{HW}}\right) \qquad (2)
$$

By assuming the same parameter values for $P(HW)$, $v_{HW}$, $v_{AMR}$, $d_{AMR}$, $l$ and additionally $P(OC) = 0.5$, $P(EC\,|\,\overline{OC}) = 0.8$, the average AMR corridor passing time with dynamic risk area models is $t^0_{DYN} = 8.62\,\mathrm{s}$.
4.2 Overtake Scenario
In the overtake scenario (Fig. 6 right), AMR and HW are moving in the same longitudinal direction. With the worst-case risk area assumed around the HW, the AMR cannot overtake the HW with $v_{AMR}$. Instead, the AMR constantly drives behind the HW with a maximum speed of $v_{HW}$ until the end of the corridor. Using the same variables as in Eq. 1, the average passing time of an AMR $t^1_{WC}$ is given by Eq. 3. Its first term describes the time required by the AMR to reach an arbitrary location $s$ on the corridor, assumed to be uniformly distributed over $[0, l]$, with its regular speed $v_{AMR}$; from location $s$ on, it must reduce its speed to that of the HW, ensuring a sufficient distance to the HW over the remaining distance of the corridor.

$$
t^1_{WC} = P(HW)\,\frac{1}{l}\int_0^l \left(\frac{s}{v_{AMR}} + \frac{l - s}{v_{HW}}\right) ds + P(\overline{HW})\,\frac{l}{v_{AMR}} \qquad (3)
$$

By assuming parameter values for $P(HW)$, $v_{HW}$, $v_{AMR}$, $l$ as in Eq. 1, the average AMR corridor passing time with worst-case assumptions is $t^1_{WC} = 14.65\,\mathrm{s}$.
To improve the efficiency in the overtaking scenario, a different set of situation features has been selected for the dynamic risk area model based on the method described in Section 3 (see Fig. 7 left bottom). Based on the analysis, a reduction of the risk area width from worst-case mode $w_c$ to best-case mode $w_0$ is hypothesized to be safe if it can be assumed that the HW is aware of the AMR arriving from behind. This is achieved by issuing an active audio-visual signal to the HW and detecting the HW's turn-around reaction as an indicator of awareness. Extending Eq. 3 with an additional parameter $P(AW\,|\,HW)$, the likelihood that a present HW is aware of the AMR (i.e., turns around successfully after active AMR signaling), leads to the average AMR corridor passing time with dynamic risk area models $t^1_{DYN}$ (Eq. 4). Only in the unaware case does the AMR have to follow at $v_{HW}$; in the aware case it overtakes and passes the full corridor at $v_{AMR}$.

$$
t^1_{DYN} = P(HW)\,\frac{1}{l}\int_0^l P(\overline{AW}\,|\,HW)\left(\frac{s}{v_{AMR}} + \frac{l - s}{v_{HW}}\right) ds + P(AW\,|\,HW)\,P(HW)\,\frac{l}{v_{AMR}} + P(\overline{HW})\,\frac{l}{v_{AMR}} \qquad (4)
$$

By assuming the same parameter values for $P(HW)$, $v_{HW}$, $v_{AMR}$, $l$ and additionally $P(AW\,|\,HW) = 0.5$, the average AMR corridor passing time with dynamic risk area models is $t^1_{DYN} = 11.52\,\mathrm{s}$.
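The four expected-time expressions of Sections 4.1 and 4.2, carried through in code as an added example that is not part of the paper: it reproduces the reported values for the paper's assumed parameters and lets the parameters, which the authors stress must be re-validated per warehouse, be swapped in. The meeting point $s$ in the overtake integral is averaged numerically with a midpoint rule, which is exact for the linear integrand and generalizes to a non-uniform position distribution; the `CorridorParams` name and the step count are this example's own choices.

```python
"""Expected corridor passing times, Eq. 1 to Eq. 4 (added worked example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorridorParams:
    """Scenario parameters, named as in the paper (the class name is this example's)."""
    p_hw: float   # P(HW): probability that a human worker is in the corridor at the same time
    v_amr: float  # v_AMR, regular AMR speed in m/s
    v_hw: float   # v_HW, human worker speed in m/s
    d_amr: float  # d_AMR, AMR length in m
    l: float      # corridor length in m


# The paper's expert-assumed parameter values (Section 4.1).
PAPER = CorridorParams(p_hw=0.7, v_amr=5.0, v_hw=1.6, d_amr=0.85, l=42.0)


def _free_run(p: CorridorParams) -> float:
    """Time to traverse the corridor at v_AMR without stopping."""
    return p.l / p.v_amr


def _run_with_stop(p: CorridorParams) -> float:
    """Free run plus the stop until the HW has walked past the AMR's length."""
    return _free_run(p) + p.d_amr / p.v_hw


def passing_time_wc(p: CorridorParams) -> float:
    """Eq. 1: worst-case risk area, the AMR stops whenever a HW is present."""
    return (1 - p.p_hw) * _free_run(p) + p.p_hw * _run_with_stop(p)


def passing_time_dyn(p: CorridorParams, p_oc: float, p_ec_given_no_oc: float) -> float:
    """Eq. 2: no stop if the HW is present, not occluded (no box) and has eye contact.

    p_oc is P(OC); p_ec_given_no_oc is P(EC | not OC).
    """
    p_no_stop_given_hw = (1 - p_oc) * p_ec_given_no_oc
    p_stop_given_hw = (1 - p_oc) * (1 - p_ec_given_no_oc) + p_oc  # complements to 1
    return ((1 - p.p_hw) + p.p_hw * p_no_stop_given_hw) * _free_run(p) \
        + p.p_hw * p_stop_given_hw * _run_with_stop(p)


def _mean_follow_time(p: CorridorParams, steps: int = 1000) -> float:
    """(1/l) * integral_0^l ( s/v_AMR + (l - s)/v_HW ) ds by the midpoint rule.

    The meeting point s is uniform on [0, l] as in Eq. 3. The midpoint rule is
    exact for this linear integrand; a non-uniform position density would be
    multiplied into the summand inside the loop.
    """
    h = p.l / steps
    total = 0.0
    for i in range(steps):
        s = (i + 0.5) * h
        total += (s / p.v_amr + (p.l - s) / p.v_hw) * h
    return total / p.l


def overtake_time_wc(p: CorridorParams) -> float:
    """Eq. 3: with a HW present the AMR follows at v_HW from the meeting point on."""
    return p.p_hw * _mean_follow_time(p) + (1 - p.p_hw) * _free_run(p)


def overtake_time_dyn(p: CorridorParams, p_aw_given_hw: float) -> float:
    """Eq. 4: an aware HW (turn-around after signalling) lets the AMR keep v_AMR."""
    return (p.p_hw * (1 - p_aw_given_hw) * _mean_follow_time(p)
            + p_aw_given_hw * p.p_hw * _free_run(p)
            + (1 - p.p_hw) * _free_run(p))


def relative_improvement(t_wc: float, t_dyn: float) -> float:
    """(t_WC - t_DYN) / t_WC, the efficiency metric used in Section 5."""
    return (t_wc - t_dyn) / t_wc


def paper_results() -> dict:
    """The four passing times and both relative gains for the paper's parameter set."""
    t0_wc = passing_time_wc(PAPER)
    t0_dyn = passing_time_dyn(PAPER, p_oc=0.5, p_ec_given_no_oc=0.8)
    t1_wc = overtake_time_wc(PAPER)
    t1_dyn = overtake_time_dyn(PAPER, p_aw_given_hw=0.5)
    return {
        "t0_wc": t0_wc, "t0_dyn": t0_dyn, "t1_wc": t1_wc, "t1_dyn": t1_dyn,
        "gain_passing": relative_improvement(t0_wc, t0_dyn),
        "gain_overtake": relative_improvement(t1_wc, t1_dyn),
    }


if __name__ == "__main__":
    for name, value in paper_results().items():
        print(f"{name:14s} {value:8.4f}")
```

Two limiting cases are useful sanity checks when the probabilities are re-estimated from warehouse data: with $P(OC) = 1$ Eq. 2 collapses onto Eq. 1, and with $P(AW\,|\,HW) = 1$ Eq. 4 reduces to the free run $l / v_{AMR}$.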
5 Conclusion
In this paper, we aimed to answer the research question of how to systemati-
cally engineer risk and capability models that can be used within the Symbiotic
Safety System to optimize efficiency while still guaranteeing safety dynamically.
To that end, we introduced a holistic modeling approach combining risk and
capability models to account for behavioral variability of uncontrollable (human
workers) and controllable actors (AMR) during dynamic safety monitoring. The
modeling approach is accompanied by a method for situation-aware behavior
safety analysis providing systematic guidance for risk-relevant situation feature
identification during behavior safety analysis. We exemplarily applied the en-
gineering approach for a concrete industrial AMR use case and thus evaluated
the feasibility and applicability of the engineering approach. The key benefits of
engineering behavior causality models with the presented approach are:
- More constrained analysis scope and thus guidance for domain experts to identify risk-relevant situation features more easily
- Possibility to link situation features to design-time risk assessment and therefore having formal traceability to design-time safety engineering activities required for arguing safety standard compliance for the dynamic safety monitoring mechanisms
- Systematic generation of a comprehensive collection of situation features that differentiate critical from uncritical actor behaviors. These features are candidates to be used as indicators to switch the extents of dynamic risk and capability areas within dynamic behavior safety concept realizations to improve operational efficiency.
Further, we evaluated the dynamic safety approach in the context of passing
and overtake scenarios inside a logistics warehouse and obtained evidence regard-
ing its expected benefit in contrast to static safety concepts based on worst-case
assumptions. The expected runtime benefit evaluation demonstrated that, given the used parameter assumptions, the dynamic safety monitoring approach presented in this paper can provide a relative efficiency improvement compared to worst-case parameters of $(t^0_{WC} - t^0_{DYN})/t^0_{WC} \approx 2\%$ in passing scenarios and of $(t^1_{WC} - t^1_{DYN})/t^1_{WC} \approx 21\%$ in overtaking scenarios. Thus, we conclude that using a dynamic monitoring approach has more efficiency boost potential in overtaking scenarios than in passing scenarios. However, the evaluation results can only be
a rough estimate of the true efficiency potential, as the parameter assumptions
were selected based on expert knowledge. In reality, these assumptions will likely
vary in different instances of smart logistic warehouses and have to be contin-
uously validated based on data both during design-time and operation time.
Accounting for this vital aspect, i.e., to identify, validate and monitor condi-
tional probabilistic assumptions of the dynamic risk and capability area models
and a more accurate quantification of efficiency improvement, is planned to be
the subject of future work. A concrete starting point is to support uncertainties
by extending the Boolean models used in this paper to probabilistic inference
models like Bayesian networks. Further, cooperative scenarios involving different systems from different manufacturers imply additional challenges to be tackled: the safety-related properties and capabilities of the cooperation partners are typically not fully known, because development is distributed across organizations, and safety-related information is not shared to the extent that would be desirable. We used the ConSert approach [9] to address this issue within this project, but details could not be included in this paper due to space restrictions and are thus planned to be the subject of another publication.
References
1. ISO 13855:2010: Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body
2. Eggert, J.: Risk estimation for driving support and behavior planning in intelligent
vehicles. at - Automatisierungstechnik 66(2), 119–131 (2018)
3. Ishigooka, T., Yamada, H., Otsuka, S., Kanekawa, N., Takahashi, J.: Symbiotic
safety: Safe and efficient human-machine collaboration by utilizing rules. In: Design,
Automation and Test in Europe (DATE) Conference 2022. pp. 280–281. IEEE (2022)
4. Khastgir, S., Sivencrona, H., Dhadyalla, G., Billing, P., Birrell, S., Jennings, P.: Introducing ASIL inspired dynamic tactical safety decision framework for automated vehicles. In: 2017 IEEE 20th International Conference on Intelligent Transportation Systems (ITSC). pp. 1–6. Yokohama, Japan (2017)
5. Mehmed, A., Steiner, W., Antlanger, M., Punnekkat, S.: System architecture and
application-specific verification method for fault-tolerant automated driving sys-
tems. In: IEEE Intelligent Vehicles Symposium (IV). Paris, France (2019)
6. Montecchi, L., Gallina, B.: SafeConcert: A metamodel for a concerted safety modeling of socio-technical systems. In: Bozzano, M., Papadopoulos, Y. (eds.) Model-Based Safety and Assessment. pp. 129–144. Springer Int. Publishing, Cham (2017)
7. Nolte, M., Bagschik, G., Jatzkowski, I., Stolte, T., Reschka, A., Maurer, M.: To-
wards a skill- and ability-based development process for self-aware automated road
vehicles. In: 2017 IEEE 20th International Conference on Intelligent Transportation
Systems (ITSC). pp. 1–6. Yokohama, Japan (2017)
8. Reich, J., Trapp, M.: SINADRA: Towards a Framework for Assurable Situation-
Aware Dynamic Risk Assessment of Autonomous Vehicles. In: 2020 16th European
Dependable Computing Conference (EDCC). pp. 47–50. IEEE (2020)
9. Schneider, D., Trapp, M.: Conditional safety certification of open adaptive systems.
ACM Transactions on Autonomous and Adaptive Systems 8(2), 1–20 (2013)
In recent years it has become more and more evident that openness and adaptivity are key characteristics of next-generation distributed systems. The reason for this is not least due to the advent of computing trends like ubiquitous computing, ambient intelligence, and cyber-physical systems, where systems are usually open for dynamic integration and able to react adaptively to changing situations. Despite being open and adaptive, it is a common requirement for such systems to be safe. However, traditional safety assurance techniques, both state-of-the-practice and state-of-the-art ones, are not sufficient in this context. We have recently developed some initial solution concepts based on conditional safety certificates and corresponding runtime analyses. In this article we show how to operationalize these concepts. To this end, we present in detail how to specify conditional safety certificates, how to transform them into suitable runtime models, and how these models finally support dynamic safety evaluations.