On Perception Safety Requirements and Multi Sensor Systems for Automated Driving Systems
- Anders Cassel, Qamcom Research and Technology AB
- Carl Bergenhem, Qamcom Research and Technology AB
- Ole Martin Christensen, Qamcom Research and Technology AB
- Hans-Martin Heyn, Volvo Technology AB
- Susanna Leadersson-Olsson, Veoneer Sweden AB
- Mario Majdandzic, Semcon Sweden AB
- Peng Sun, Veoneer Sweden AB
- Anders Thorsén, RISE Research Institutes of Sweden
- Jörgen Trygvesson, Comentor AB
ISSN: 2641-9637, e-ISSN: 2641-9645
Published April 14, 2020 by SAE International in United States
Citation: Cassel, A., Bergenhem, C., Christensen, O., Heyn, H. et al., "On Perception Safety Requirements and Multi Sensor Systems for Automated Driving Systems," SAE Int. J. Adv. & Curr. Prac. in Mobility 2(6):3035-3043, 2020, https://doi.org/10.4271/2020-01-0101.
One major challenge in designing SAE level 3-5 Automated Driving Systems (ADS) is to define requirements for the perception system that enable an argument for safe operation. The safety requirements on the perception system can only be fulfilled through redundancy in the sensor hardware, but specifying the redundancy that the sensor system requires is itself a challenge. Safe operation of an ADS is significantly more difficult to argue than for advanced driver assistance systems (ADAS). The safety argument for ADAS typically holds that, in case of a failure in the sensor array, fail-silent behavior is acceptable because the human driver can take back control of the vehicle. This argument is not available when developing level 4 or higher automation. This paper investigates the prerequisites for applying a systematic methodology for analyzing redundancy in a multi-sensor system and relates it to a conceptual ADS functional architecture. Such an analysis must address the complexity that comes with partially overlapping sensor data from different sensors and must consider variations in performance and characteristics caused by changes in environmental conditions. The paper introduces the term incomplete redundancy and presents a systematic methodology for analyzing redundancy. The aim is to provide arguments for how several sensors in a system, when appropriately combined, meet an assigned safety requirement at a higher level. Each sensor is then assigned a certain responsibility and contributes a subset of the required information. A set of questions that must be addressed as the foundation for such a methodology is defined and discussed. The definitions of redundancy and independence between sensors are discussed, as is contract-based functional safety as a means of adapting to different environmental and operating conditions.
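The following is an added illustrative model, not code or data from the paper, of the two ideas the abstract combines: sensors described as assume/guarantee contracts (guarantees valid only under assumed operating conditions) and a higher-level requirement decomposed into information items that each need a minimum number of independent providers. Items that are provided, but by fewer sensors than required, are reported as incomplete redundancy. The sensor names, their assumed conditions and guaranteed items, the condition dimensions and the requirement are all constructed sample values chosen to exercise the analysis; they are not measured capabilities of any product.

```python
"""Redundancy analysis over sensor assume/guarantee contracts (added example).

A sensor contract GUARANTEES a set of information items only while its
ASSUMED operating conditions hold. A safety requirement is a set of items
that must each be delivered by at least `min_redundancy` independent sensors.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class SensorContract:
    name: str
    # assumptions: condition dimension -> values under which the guarantees hold.
    # A dimension that is not listed is unconstrained for this sensor.
    assumptions: dict
    # guarantees: information items delivered while the assumptions hold.
    guarantees: frozenset


def contract_holds(contract, condition):
    """True if every assumed dimension of `contract` is satisfied by `condition`."""
    return all(condition.get(dim) in allowed
               for dim, allowed in contract.assumptions.items())


def analyse(requirement, contracts, condition, min_redundancy=2):
    """Map each required item to the sensors that provide it under `condition`.

    Independence of the listed sensors is assumed here. Common-cause effects
    (shared power, shared mounting, the same weather sensitivity) would reduce
    the effective count, and justifying that count is part of a real analysis.
    """
    providers = {
        item: sorted(c.name for c in contracts
                     if contract_holds(c, condition) and item in c.guarantees)
        for item in sorted(requirement)
    }
    uncovered = [i for i, p in providers.items() if not p]
    incomplete = [i for i, p in providers.items() if 0 < len(p) < min_redundancy]
    return {
        "providers": providers,
        "uncovered": uncovered,      # no sensor provides the item at all
        "incomplete": incomplete,    # provided, but with too little redundancy
        "satisfied": not uncovered and not incomplete,
    }


def sweep(requirement, contracts, dimensions, min_redundancy=2):
    """Run `analyse` over every combination of operating-condition values."""
    names = sorted(dimensions)
    results = {}
    for values in product(*(dimensions[n] for n in names)):
        condition = dict(zip(names, values))
        results[tuple(values)] = analyse(requirement, contracts, condition, min_redundancy)
    return results


def failing_conditions(results):
    """Conditions (as value tuples) under which the requirement is not met."""
    return sorted(cond for cond, r in results.items() if not r["satisfied"])


# Constructed sample contracts: hypothetical capabilities, not measured data.
CONTRACTS = [
    SensorContract("camera",
                   {"light": {"day", "dusk"}, "weather": {"clear", "rain"}},
                   frozenset({"object_position", "object_class",
                              "lane_markings", "free_space"})),
    SensorContract("radar", {},
                   frozenset({"object_position", "object_velocity"})),
    SensorContract("lidar", {"weather": {"clear", "rain"}},
                   frozenset({"object_position", "object_velocity", "free_space"})),
]
# Constructed operating-condition space; keys are sorted, so tuples are (light, weather).
DIMENSIONS = {"light": ["day", "dusk", "night"], "weather": ["clear", "rain", "fog"]}
# Constructed higher-level requirement, e.g. "detect a stopped obstacle in the ego lane".
REQUIREMENT = frozenset({"object_position", "object_velocity", "free_space"})


if __name__ == "__main__":
    for cond, r in sweep(REQUIREMENT, CONTRACTS, DIMENSIONS).items():
        status = ("OK" if r["satisfied"]
                  else f"uncovered={r['uncovered']} incomplete={r['incomplete']}")
        print(f"{cond}: {status}")
```

Running the sweep shows why the analysis has to be done per operating condition rather than once: with these constructed contracts the requirement holds in daylight or dusk without fog, fails with only incomplete redundancy on free space at night in clear weather, and leaves free space entirely uncovered in fog. A contract-based design would react by tightening the ADS's operational envelope or by adding a sensor whose assumptions cover the failing conditions.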