Use Cases

Autonomous vehicles

Driver-assistance and highly automated driving systems break the assumptions that ISO 26262 was built on. A correctly functioning lane-keep assist can still fail catastrophically if the camera misclassifies a road sign — no malfunction, just the system doing what it was designed to do in conditions it wasn't designed for.

That gap is what SOTIF and UL 4600 exist to close. The argument structure they prescribe is genuinely different from a classical ISO 26262 case, and GSN is one of the better-suited notations for representing it.

The standards stack

  • UL 4600 — Standard for Safety for the Evaluation of Autonomous Products. Explicitly assurance-case-driven; doesn't tell you what to argue, but does demand that you argue it.
  • ISO 21448 (SOTIF) — Safety of the intended functionality. Hazards from performance limitations, not malfunctions.
  • ISO 26262 — Still applies to the underlying functional safety of E/E systems.
  • ISO/TR 4804 — Safety and cybersecurity for automated driving systems (informative; useful as a process reference).

What's different about AV assurance

A traditional safety case argues about failure modes you can enumerate. An AV safety case has to argue about a much harder thing: that the system behaves acceptably across an Operational Design Domain (ODD) that includes long-tail edge cases, machine-learning components whose decisions can't be fully explained, and environmental conditions that don't have closed-form models.

The argument has three uncomfortable shapes that GSN handles well:

  • ODD as Context: every claim has to be scoped by the operating conditions it applies to. A correctly decomposed AV argument has Context nodes attached to most Goals.
  • Performance limitations as Hazards: SOTIF reframes hazards as "the system did the right thing in the wrong situation". Decomposition strategies typically argue over identified triggering conditions, not over component failures.
  • ML uncertainty as a defeasible claim: a Goal like "the perception system correctly classifies pedestrians at sub-1e-7 misclassification rate" is empirically defensible but inherently challengeable. GSN's dialectic extension is the right place to record those challenges and their resolution.

An example fragment

A fragment of an argument for a freeway-only Level 3 system, decomposed by SOTIF triggering condition:

G1: L3 freeway pilot is acceptably safe within its ODD
  (in context of) C1: ODD: dual-carriageway highway, 60–110 km/h, daylight, no road works
  ↓ supported by
  S1: Argument over SOTIF triggering conditions in the ODD
    ↓ supported by
    G2: Pedestrian/cyclist detection adequate in ODD lighting
      ↓ supported by
      Sn1: Sim + closed-course evaluation
    G3: Lane-marking recognition robust to wear
      ↓ supported by
      Sn2: Sensor-fusion verification
    G4: Emergency-vehicle response handled
      ↓ supported by
      Sn3: Edge-case scenario battery

Each sub-Goal can either be developed further (a sub-argument over how the claim is achieved) or terminated with Solutions — large-scale simulation results, road-test miles in the ODD, formal verification of the safety-critical subsystems.

Where Lemmatica fits

  • ODD definition as first-class Context lets you scope claims explicitly, rather than burying them in 200-page operational manuals.
  • Dialectic extension (planned) gives you a structured way to record edge-case challenges — "what if the road is wet and a pedestrian is wearing white?" — and their resolution within the argument itself.
  • Modular sub-cases via away goals let perception, planning, and control sub-arguments live in separate documents while linking back to the top-level claim.
  • Continuous validation is especially valuable for ODD-heavy arguments — orphaned Context nodes and undeveloped triggering-condition branches show up immediately rather than during a regulator review.
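To make the structural checks concrete, here is an added example (not Lemmatica's code) of a minimal GSN model that runs the two checks described above, orphaned Context nodes and undeveloped branches, plus an inherited-scope check, over the freeway-pilot fragment from this page. The fragment is rebuilt with one constructed, deliberately unattached Context node (C2) and with G4 left undeveloped so that both findings fire; the `Argument` class and its method names are assumptions for the example.

```python
# Added example, not Lemmatica's own code: a minimal GSN model with the
# structural checks an assurance-case tool runs continuously.
from collections import defaultdict

class Argument:
    def __init__(self):
        self.kind = {}                       # node id -> Goal|Strategy|Solution|Context
        self.children = defaultdict(list)    # "supported by" edges, parent -> children
        self.contexts = defaultdict(list)    # "in context of" edges, goal -> contexts
    def node(self, nid, kind):
        self.kind[nid] = kind
        return self
    def supported_by(self, parent, *kids):
        self.children[parent].extend(kids)
        return self
    def in_context_of(self, goal, ctx):
        self.contexts[goal].append(ctx)
        return self
    def validate(self):
        findings = []
        attached = {c for cs in self.contexts.values() for c in cs}
        for nid, kind in self.kind.items():
            if kind == "Context" and nid not in attached:
                findings.append(f"orphaned Context: {nid}")
            if kind in ("Goal", "Strategy") and not self.children[nid]:
                findings.append(f"undeveloped {kind}: {nid}")
        # Every Goal must be scoped by a Context, directly or through an ancestor.
        supported = {k for ks in self.children.values() for k in ks}
        def walk(nid, scoped):
            scoped = scoped or bool(self.contexts[nid])
            if self.kind[nid] == "Goal" and not scoped:
                findings.append(f"unscoped Goal: {nid}")
            for k in self.children[nid]:
                walk(k, scoped)
        for root in [n for n, k in self.kind.items() if n not in supported and k != "Context"]:
            walk(root, False)
        return sorted(findings)

def freeway_pilot_fragment():
    # The page's L3 freeway-pilot fragment; C2 is constructed and never attached.
    a = Argument()
    for nid, kind in [("G1", "Goal"), ("C1", "Context"), ("S1", "Strategy"),
                      ("G2", "Goal"), ("Sn1", "Solution"), ("G3", "Goal"),
                      ("Sn2", "Solution"), ("G4", "Goal"), ("C2", "Context")]:
        a.node(nid, kind)
    a.in_context_of("G1", "C1").supported_by("G1", "S1").supported_by("S1", "G2", "G3", "G4")
    a.supported_by("G2", "Sn1").supported_by("G3", "Sn2")   # G4 left undeveloped on purpose
    return a
```

Running `freeway_pilot_fragment().validate()` reports the orphaned C2 and the undeveloped G4; G2 through G4 pass the scope check because they inherit C1 through G1.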