Safety goals for SAE level 3 and level 4 functions, e.g., longitudinal control, lateral control and collision avoidance, are generally classified as ASIL D, depending on the related scenarios. To achieve ASIL D safety goals, the AD processing chain, from sensing the environment and traffic participants through to decision making, must be implemented in ASIL D. An ASIL D safety goal therefore affects the entire ADAS/AD processing chain, as shown in the figure below.
This means that sensing of the environment, perception, path planning, decision making and control of the actuators must also be developed in ASIL D. In the following text, this is illustrated with an example which is also detailed in subsection 3.5.3, where some possible safety requirements are listed.
Malfunction: Missing collision avoidance behavior. The system fails to activate collision avoidance functions when it should; for example, the vehicle does not stop for a pedestrian or a red traffic light.
Safety goal: Collision avoidance shall be ensured (ASIL D).
Safety requirements: The ADAS/AD function shall ensure the correct control of the actuators, based on the input, to avoid collisions with traffic participants, static obstacles, and dynamic obstacles (ASIL D).
To fulfill this requirement, the ADAS/AD processing chain must be implemented in ASIL D. For example, the ADAS/AD function shall correctly detect and characterize traffic participants and the environment, including static and dynamic objects.
The algorithms and the corresponding hardware must also be developed in ASIL D to fulfill this requirement. However, the hardware, from the sensors to the high-performance chips (graphics processors) on which the ADAS/AD algorithms run, is not sufficient on its own to achieve ASIL D. This is why decomposition is necessary to implement ASIL D safety goals for ADAS/AD systems, but the use of decomposition creates additional challenges for ADAS/AD systems compared with conventional systems. The following text illustrates the decomposition concepts for ADAS/AD systems that were developed in this research.
This approach to using decomposition for ADAS/AD systems is based on the algorithms being executed on sufficiently independent hardware elements, i.e., high-performance chips. The independent channels use independent sensor elements because sensors with an ASIL D rating are not on the market. During decomposition, it is important that a minimum risk condition can be reached independently on each decomposition path. For conventional systems, the minimum risk condition is fail-safe, meaning the system is deactivated so that the vehicle enters a fail-safe state. For ADAS/AD systems, a fail-operational state must be achieved instead. If a failure occurs in one decomposition path, the second decomposition path switches the system to the redundant path. This redundant path is then responsible for continued safe driving or for bringing the vehicle to a minimum risk condition.
In the approach illustrated in the figure below, the results of the independent decomposition paths are compared with each other. If the results differ, the second decomposition path switches to the redundant path.
As shown in the next figure, this approach requires the use of different sensor information, different signals and also different algorithms and functions. These algorithms and functions should be integrated on sufficiently independent hardware elements.
It is not always possible to use different, redundant sensors because the sensor data from the camera, radar and lidar, for example, are generally combined in sensor fusion for perception. There are also economic and technological limitations that prevent fully independent sensor data. All the sensor data from the camera, radar and lidar are usually used by the perception to detect static and dynamic objects. If the goal is fully independent decomposition paths as required by ISO 26262, each sensor must be integrated twice. If this is not feasible because of the cost, then sensor independence shall be demonstrated in a functional manner. Therefore, as shown in the figure below, it is recommended to use the same sensor data from the camera, radar and lidar for both decomposition paths, but in different ways. The rule is that, if a failure occurs, the system remains safe on one specific decomposition path. For example, while the camera data are used as the main information for perception on one decomposition path, the radar and lidar data are used as the main perception information on the other.
In contrast to the approach above, in which the results of the two paths are compared, in this approach the signal output/vehicle behavior of the actuators is checked within the second decomposition path for correlation with the input signals from the sensors. If the check reveals an implausibility, the second decomposition path switches to the redundant path.
As shown in the figure below, comprehensive monitoring functions must be developed for this architecture concept, covering all aspects of the main functions and detecting any possible implausibility that could lead to a safety goal violation. These monitoring functions must be integrated on the sufficiently independent hardware elements. A detailed DFA (dependent failure analysis) must also be performed to prove the independence of the decomposition paths, analogous to the first approach.
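The two monitoring patterns described above (comparing the outputs of the two decomposition paths, and checking actuator behavior for plausibility against the sensor input), together with the shared-sensor arrangement in which each path uses a different sensor as its main perception source, can be sketched in code. The following Python block is an added example and is not code from the original text or from the research it describes; the simplified brake-demand model, the parameters A_MAX, BRAKE_TOLERANCE and DECEL_TOLERANCE, and the sensor frames are all constructed assumptions.

```python
"""Added illustration (not from the original text) of the two decomposition
patterns described above, using constructed sensor frames.

Path 1 uses the camera as its main perception source; path 2 uses radar and
lidar. Both paths derive a collision-avoidance brake demand from the same
sensor frame. Approach 1 compares the two demands; approach 2 lets path 2
check the actuators' observed behaviour against what the sensor input
requires. In either case a detected discrepancy switches the system to the
redundant path (fail-operational) instead of simply shutting it off.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed parameters (not from the original text).
A_MAX = 8.0              # maximum deceleration the brakes can deliver, m/s^2
BRAKE_TOLERANCE = 0.15   # max allowed difference between the paths' brake demands (0..1)
DECEL_TOLERANCE = 1.5    # max allowed shortfall of measured vs. required deceleration, m/s^2


class Mode(Enum):
    NOMINAL = "nominal"      # path 1 commands the actuators
    REDUNDANT = "redundant"  # path 2 (redundant path) commands the actuators


@dataclass(frozen=True)
class SensorFrame:
    """One constructed sensor sample: range in metres to the nearest object
    ahead as reported by each sensor (None = no detection) and ego speed."""
    camera_m: Optional[float]
    radar_m: Optional[float]
    lidar_m: Optional[float]
    speed_mps: float


def perceive_path1(f: SensorFrame) -> Optional[float]:
    """Path 1: camera is the main perception source; radar/lidar only fill gaps."""
    for r in (f.camera_m, f.radar_m, f.lidar_m):
        if r is not None:
            return r
    return None


def perceive_path2(f: SensorFrame) -> Optional[float]:
    """Path 2: radar and lidar are the main perception source (closest return
    wins); the camera is used only if both are silent."""
    ranges = [r for r in (f.radar_m, f.lidar_m) if r is not None]
    return min(ranges) if ranges else f.camera_m


def brake_demand(distance_m: Optional[float], speed_mps: float) -> float:
    """Deceleration needed to stop before the object, as a fraction of A_MAX
    clamped to 0..1 (simplified kinematics: a = v^2 / 2d)."""
    if distance_m is None:
        return 0.0          # nothing detected: no collision-avoidance braking
    if distance_m <= 0.0:
        return 1.0
    needed = speed_mps ** 2 / (2.0 * distance_m)
    return min(1.0, needed / A_MAX)


def comparator_step(f: SensorFrame) -> Tuple[Mode, float]:
    """Approach 1: both paths compute a brake demand independently. If the
    results differ beyond tolerance, path 2 switches the system to the
    redundant path and its own demand drives the actuators."""
    d1 = brake_demand(perceive_path1(f), f.speed_mps)
    d2 = brake_demand(perceive_path2(f), f.speed_mps)
    if abs(d1 - d2) > BRAKE_TOLERANCE:
        return Mode.REDUNDANT, d2
    return Mode.NOMINAL, d1


def plausibility_step(f: SensorFrame, measured_decel_mps2: float) -> Tuple[Mode, float]:
    """Approach 2: path 2 checks the actuators' observed behaviour (measured
    deceleration) against what the sensor input requires. A shortfall larger
    than DECEL_TOLERANCE is implausible and triggers the switch-over."""
    required = brake_demand(perceive_path2(f), f.speed_mps)
    if measured_decel_mps2 < required * A_MAX - DECEL_TOLERANCE:
        return Mode.REDUNDANT, required
    return Mode.NOMINAL, brake_demand(perceive_path1(f), f.speed_mps)


if __name__ == "__main__":
    # Constructed scenarios: sensors agree; camera misjudges range; brakes do not respond.
    agree = SensorFrame(camera_m=30.0, radar_m=30.0, lidar_m=31.0, speed_mps=20.0)
    camera_wrong = SensorFrame(camera_m=80.0, radar_m=10.0, lidar_m=10.5, speed_mps=10.0)
    print("comparator, sensors agree:   ", comparator_step(agree))
    print("comparator, camera wrong:    ", comparator_step(camera_wrong))
    print("plausibility, brakes respond:", plausibility_step(agree, measured_decel_mps2=6.5))
    print("plausibility, brakes stuck:  ", plausibility_step(agree, measured_decel_mps2=0.0))
```

In both functions the switch-over target is the redundant path rather than a shutdown, which is the fail-operational behavior the text requires of ADAS/AD systems. The sketch deliberately leaves out what the DFA has to establish in a real design: that the two paths share no common cause, such as a shared power supply or a shared sensor-fusion stage, that could fail both at once.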
That is all for this sharing, see you next time!