The vision of a self-driving car is transforming the automotive industry. The main obstacles in autonomous driving that must be tackled in the near future are assured safety without a supervising driver and the validation of the vehicle’s safe behavior in diverse traffic scenarios. Dealing effectively with these challenges in SAE level 4 automation requires a new architecture for autonomous driving.

Today, advanced computer and sensor technologies make it possible to support an attentive driver in routine situations and help to reduce the number of traffic accidents. In the next phase, a new type of car that drives fully autonomously—without an attentive human driver—from the start of a journey to its destination is envisioned.

At the moment, Level 2 vehicles with advanced driver assistance systems are widely available on the market and have been on the road for more than ten years. The field record of the safety improvement brought by Level 2 vehicles is positive, and society expects the safety record of a Level 4 Driving Automation System to be substantially better still. But the construction of a safe self-driving car requires a novel architecture that can achieve the required level of safety without the support of an attentive human driver.

I recently proposed a novel approach to such an architecture. It is characterized by a strict separation of the subsystem providing the functions for the vehicle’s autonomous operation in a normal environment from the subsystems responsible for maintaining the safety of a car. The Driving Automation System is decomposed into a number of concurrently operating, nearly independent subsystems with extremely simple and well-defined interfaces.

The proposed architecture partitions an SAE level 4 system into a computer-controlled driving automation subsystem (CCDSS), which is a minor adaptation of an existing SAE level 2 system, and a new, independent and redundant safety assurance subsystem (SASS). The SASS performs the functions that the human driver provides at SAE level 2. It comprises three independent fault-containment units: a monitoring subsystem (MSS), a simple fault-tolerant decision subsystem (FTDSS), and a critical-event handling subsystem (CEHSS). Each of these subsystems has a single, well-defined purpose and should be developed and validated by an independent design team, since the architecture relies on design diversity to mask the residual design faults that remain in complex software.

This novel architecture also opens the route to industry-wide cooperation. For example, the self-contained CEHSS with its own sensors is entirely independent of the CCDSS and the MSS and has only a small interface to the simple FTDSS. It can be integrated with minimal effort in many different proprietary driving automation systems.

The greatest advantages of this new architecture are enhanced safety, a reduced system validation effort, and support for the evolution of a Driving Automation System to meet new future functions.

For a detailed treatment, download the full research paper.

By Hermann Kopetz

Professor Emeritus

Hermann Kopetz is a pioneer in dependable real-time computing systems. After working in the computer process control industry, he switched to academia, first at the Technical University in Berlin and then at the Vienna University of Technology, to develop the “time-triggered technology” for the design of safety-critical real-time systems. With the time-triggered protocols TTP and TT-Ethernet at its core, this technology is widely used in aerospace. He now focuses on the conception of safe architectures for complex applications, such as driving automation.