A Formally Verified Fail-Operational Safety Concept for Automated Driving
Journal Article
12-05-01-0002
ISSN: 2574-0741, e-ISSN: 2574-075X
Citation:
Fu, Y., Terechko, A., Groote, J., and Saberi, A., "A Formally Verified Fail-Operational Safety Concept for Automated Driving," SAE Intl. J CAV 5(1):7-21, 2022, https://doi.org/10.4271/12-05-01-0002.
Language:
English
Abstract:
Modern Automated Driving (AD) systems rely on safety measures to handle faults
and to bring the vehicle to a safe state. To eradicate lethal road accidents,
car manufacturers are constantly introducing new perception as well as control
systems. Contemporary automotive design and safety engineering best practices
are suitable for analyzing system components in isolation, whereas today’s
highly complex and interdependent AD systems require a novel approach to ensure
resilience to multiple-point failures. We present a holistic and cost-effective
safety concept unifying advanced safety measures for handling multiple-point
faults. Our proposed approach enables designers to focus on more pressing issues
such as handling fault-free hazardous behavior associated with system
performance limitations. To verify our approach, we developed an executable
model of the safety concept in the formal specification language mCRL2. The
model behavior is governed by a four-mode degradation policy controlling
distributed processors, redundant communication networks, and virtual machines
(VMs). To keep the vehicle as safe and cost-effective as possible, our
degradation policy can reduce driving comfort or the AD system’s availability using
additional low-cost driving channels. We formalized five safety requirements in
the modal μ-calculus and proved them against our mCRL2 model, which is
intractable to accomplish exhaustively using traditional road tests or
simulation techniques. In conclusion, our formally proven safety concept defines
a holistic and cost-effective design pattern for AD systems.