On Perception Safety Requirements and Multi Sensor Systems for Automated Driving Systems 2020-01-0101

One major challenge in designing SAE level 3-5 Automated Driving Systems (ADS) is to define requirements for the perception system that would enable argumentation for safe operation. The safety requirements on the perception system can only be fulfilled through redundancy in the sensor hardware. It is, however, a challenge to specify the redundancy that is required in the sensor system. Safe operation for an ADS is significantly more difficult compared to advanced driver assistance systems (ADAS). The safety argumentation for ADAS typically argues that in case of a failure in the sensor array a fail-silent behavior is acceptable because the human driver can take control of the vehicle back. This argumentation however is not possible when developing level 4 or higher automation. This paper investigates prerequisites for applying a systematic methodology for analyzing redundancy in a multi-sensor system and the relation to a conceptual ADS functional architecture. This analysis must address the complexity that comes with partially overlapping sensor data from different sensors and considers variations in performance and characteristics due to changes in the environmental conditions. The paper introduces the term incomplete redundancy and presents a systematic methodology for analyzing redundancy. The aim is to provide arguments for how several sensors in a system, when appropriately combined, meet an assigned safety requirement on a higher level. Each sensor will then be assigned a certain responsibility and contributes with a sub-set of information. A set of questions of importance to address as a foundation for such a methodology are defined and discussed. The definitions of redundancy and independence between sensors are discussed as well as contract-based functional safety to adapt to different environmental and operating conditions.