An Architecture for Safe Driving Automation

Abstract

This paper presents a novel distributed computer architecture that supports the incremental development and validation of a safe and secure SAE level-four Driving Automation System out of an existing SAE level-two driver assistance system (called L2-system). A strict separation—both logical and physical—of the functional concerns from the safety and security concerns characterizes this architecture. An existing L2-system is enhanced by a new independent safety assurance system that performs the functions that are provided by the human driver at SAE level two. The safety assurance system comprises three independent fault-containment units: a monitoring subsystem (M-system) that checks the trajectory provided by the L2-system, a fallback subsystem (F-system) that calculates a trajectory that brings the car from a critical state to a safe state, and a simple decision subsystem (D-system), that decides whether the trajectory from the L2-system or the trajectory from the F-system must be sent to the actuators. A single failure of any one of the three complex subsystems (the L2-system, the F-system or the M-system) caused by either a hardware failure, a design error in the software, or an intrusion, is detected and mitigated by the redundancy and design diversity that is inherent in the proposed architecture. Since the architecture restores autonomously the normal operation of the vehicle after the successful mitigation of a transient fault, it reduces significantly the number of disengagements of a vehicle. We give an estimate of the Safety-Improvement Factor of this architecture over an existing SAE level-two Driving Automation System.