
CENTRAL SOUTH UNIVERSITY
SCHOOL OF TRAFFIC AND TRANSPORTATION ENGINEERING

Functional Safety in Automated Driving

BY
WAKILI THEOPHILUS USMAN
L112190107

SUBMITTED TO
Prof. Habil. Hui Liu

COURSE
ARTIFICIAL INTELLIGENCE

JUNE 21, 2020


Abstract

The automation capabilities of intelligent vehicles are becoming more complex, driven by the rapid evolution of the embedded systems used for data acquisition, perception, processing, interconnection and networking of communication systems in existing Advanced Driver Assistance Systems (ADAS), which raise automation to a higher plane of operation through the exchange of information and interaction with the environment. All the interactions that such a system is able to execute must therefore be determined in order to enable the detection and control of any fault in the system. Redundant connections radically alter how a failure manifests in an undesired operational state of the system, and hence bring about the need for functional safety for the management and control of unacceptable risk in complex automotive systems. Safety is one of the major factors that must be considered in automated vehicle development. The newly introduced vehicle functions serve not only as driver assistance functions but also as active and passive safety systems, and there is a need to provide evidence that all reasonable system safety requirements have been met. This paper examines the general framework of the ISO 26262 standard, with particular focus on hardware and safety software development. It outlines how automation-based tools can help address specific challenges in the efficient development of functional safety for automated driving, significantly transforming both the quality and efficiency of the verification process, and outlines the activities necessary to satisfy the ISO 26262 standard.

Keywords

ISO 21448 (SOTIF), ISO 26262, ADAS, Automated driving, Functional Safety, Fail-safe, Fail-operational.
Introduction

Today, artificial intelligence (AI) and machine learning play a major role in the development of automated driving, but automated and semi-automated vehicle software developers face new safety challenges. “Think about the modern car. It’s more complex than ever, with increasing electronics and millions of lines of code running it. As our car becomes more automated, the complexity will continue to rise.” [1]. It was to address this that SOTIF (ISO/PAS 21448) was developed.

SOTIF stands for Safety Of The Intended Functionality and is shorthand for ISO/PAS 21448. ISO 21448 applies to functionality that requires appropriate situational awareness in order to be safe. The standard focuses on assuring the safety of the intended functionality: it is concerned with hazards that arise in the absence of a fault, which distinguishes it from traditional functional safety, whose main concern is minimizing risk due to system failures.

SOTIF provides guidance on design, verification and validation techniques; by applying these techniques, safety can be achieved in a variety of situations without any failure being present. Some practical examples given in ISO 21448 are: design techniques, such as requirements for sensor performance; verification techniques, such as test cases with high coverage of scenarios; and validation techniques, such as simulation.
Relation between ISO 21448 and ISO 26262

ISO 26262 addresses functional safety only in cases where there is a system failure; it does not cover safety hazards that arise without a system failure. This explains the necessity of ISO 21448 in automated driving.

In fact, ISO 21448 was initially intended to become ISO 26262 Part 14, but because of the complexity of ensuring safety in situations without a system failure, SOTIF is now a standard in its own right.

ISO 26262 is commonly applied to established systems such as dynamic stability control (DSC) or airbags. For these systems, safety is ensured by minimizing the risk of system failure.

ISO 21448 is mostly used for systems such as emergency intervention systems and advanced driver assistance systems (ADAS). These systems can present safety hazards even when no system failure occurs. Hence ISO 21448 complements ISO 26262.
The Importance of SOTIF

The validation and verification of automated systems is a complicated task: automated systems take in large volumes of data, and that data is forwarded to complex algorithms. AI and machine learning are critical for developing these systems.

In order to prevent potential safety hazards, the AI will need to make decisions, including in cases that require situational awareness. Applying ISO 21448 is the way to ensure that the AI is able to make proper decisions and prevent safety hazards.

Practical Applications Of SOTIF

SOTIF applies to safety hazards that occur without the failure of a system. Here is an example of situational awareness and decision-making.

The road is icy. An AI-based system might be unable to detect the situation and respond properly, which impedes the vehicle’s ability to operate safely: without sensing the icy road condition, an automated vehicle might drive faster than is safe for the condition. Applying ISO 21448 means taking that situation into consideration and making decisions based on probability, i.e. on how confident the system is in its perception of the road condition rather than on a single point estimate.

Furthermore, the goal of SOTIF is to minimize the potentially unknown and unsafe conditions.
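
The icy-road case above can be made concrete. The following Python example is added here and is not part of the original paper: it contrasts a planner that trusts the perception stack’s point estimate of road friction with one that plans on a lower confidence bound of that estimate, and checks both against the true (icy) friction. The friction values, the sight distance, the reaction time and the two-standard-deviation margin are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

G = 9.81  # gravitational acceleration, m/s^2


@dataclass
class FrictionEstimate:
    """Road friction coefficient as the perception stack reports it:
    a point estimate plus a standard deviation expressing its uncertainty."""
    mean: float
    std: float


def stopping_distance(speed, mu, reaction_time=1.0):
    """Reaction distance plus braking distance on a surface with friction mu."""
    return speed * reaction_time + speed ** 2 / (2.0 * mu * G)


def max_safe_speed(mu, sight_distance, reaction_time=1.0):
    """Largest speed at which the vehicle still stops within sight_distance.
    Solves v*t_r + v^2/(2*mu*g) = d for the positive root of the quadratic."""
    a = 1.0 / (2.0 * mu * G)
    b = reaction_time
    c = -sight_distance
    return (-b + math.sqrt(b * b - 4.0 * a * c)) / (2.0 * a)


def naive_plan(est, sight_distance):
    """Planner that trusts the point estimate of friction."""
    return max_safe_speed(est.mean, sight_distance)


def sotif_plan(est, sight_distance, k=2.0, mu_floor=0.05):
    """Planner that accounts for perception uncertainty: it uses a lower
    confidence bound (mean - k*std) on friction, floored at mu_floor so the
    quadratic stays well defined even when the estimate is almost useless."""
    mu_lower = max(est.mean - k * est.std, mu_floor)
    return max_safe_speed(mu_lower, sight_distance)


def can_stop(speed, true_mu, sight_distance):
    return stopping_distance(speed, true_mu) <= sight_distance


# Constructed scenario (not measured data): an icy road with true mu = 0.15,
# while the perception stack, which cannot see the ice, reports an uncertain
# estimate centred on dry-ish asphalt.
TRUE_MU_ICE = 0.15
SIGHT_DISTANCE_M = 60.0
ESTIMATE = FrictionEstimate(mean=0.5, std=0.2)


def compare_planners():
    v_naive = naive_plan(ESTIMATE, SIGHT_DISTANCE_M)
    v_sotif = sotif_plan(ESTIMATE, SIGHT_DISTANCE_M)
    return {
        "naive_speed_mps": v_naive,
        "naive_can_stop": can_stop(v_naive, TRUE_MU_ICE, SIGHT_DISTANCE_M),
        "sotif_speed_mps": v_sotif,
        "sotif_can_stop": can_stop(v_sotif, TRUE_MU_ICE, SIGHT_DISTANCE_M),
    }


if __name__ == "__main__":
    for key, value in compare_planners().items():
        print(f"{key}: {value}")
```

The point is not the physics but the decision rule: the naive planner picks about 20 m/s and cannot stop on the real surface, while the planner that plans on the lower confidence bound picks about 10 m/s and stops with margin. No component has failed in either case, which is exactly the class of hazard ISO 21448 addresses.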
Advanced Driver Assistance System (ADAS)

Advanced Driver Assistance Systems are a wide spectrum of technologies that enhance the safety of vehicles by helping drivers prevent accidents. ADAS systems fall into a few classes: some supervise and inform drivers of potential safety risks, whereas others actively prevent impending accidents. Some common ADAS technologies include adaptive cruise control (ACC), traffic sign recognition (TSR) and forward collision warning (FCW).

These technologies are driven by advanced computing, including artificial intelligence (AI), computer vision and edge computing. These computing components are the reason why ADAS technologies have an advantage over other safety systems: they can detect, supervise, inform and sometimes even prevent safety-critical incidents in real time.

There are now so many varieties of ADAS technology that it is difficult to classify all of them under “ADAS.” However, we can generally categorize ADAS technologies into four types: adaptive, automated, monitoring and warning.

TYPE OF ADAS SYSTEM / DESCRIPTION / EXAMPLE OF ADAS TECHNOLOGY

Adaptive: Adaptive systems help vehicles make small adjustments to drive more safely based on data from the surrounding environment. Example: Adaptive cruise control (ACC) uses radar or laser sensors to detect the distance between vehicles and automatically adjusts vehicle speed to maintain an optimal distance.

Automated: Automated systems can take over and control the vehicle in case of an impending collision. Example: Automatic emergency braking (AEB) alerts the driver to an imminent crash and automatically applies the brakes to help avoid a collision.

Monitoring: Monitoring systems use cameras and sensors to provide increased visibility into safety-critical data, like harsh braking, rolling through stops, and collisions. Example: Traffic sign recognition (TSR) uses advanced camera technology to recognize traffic signs and provide information to drivers or safety managers.

Warning: Warning systems are automated, in-cab alerts that help drivers anticipate possible safety risks in real time. Example: Forward collision warning (FCW) measures the distance, angle and relative speed between the vehicle and other objects on the road to warn drivers of impending collisions with audio alerts.


One factor that could influence the adoption of ADAS is the rate at which the technology advances. Although OEMs and other participants have made significant enhancements in the past few years, there is much room for further improvement. For instance, forward collision warning systems have difficulty identifying objects when a vehicle is travelling at high speed.

Functional Safety

The idea of functional safety is not new in today’s automotive world, but it is migrating to a more demanding role in the automotive environment because of Advanced Driver Assistance Systems (ADAS), propelled by the need for high confidence that electronic systems function as intended, without malfunctioning. Functional safety implies that potentially hazardous conditions are detected, which in turn activates preventive or corrective mechanisms to stop or reduce the hazardous event.

The need for safety in automotive software development has always been critical. “Functional Safety is key to ensure that products operate safely — and even if they fail, they are still capable of entering in a controlled safe operation mode.” [1]. Ensuring functional safety remains critical for automated driving. Currently, vehicles operate with a traditional fail-safe control unit architecture: it detects faults and brings the system to a safe state, but ultimately relies on the driver to take back control of the vehicle. According to a 2018 survey, nearly 85 percent of respondents think people should always have the option to drive themselves even in a self-driving vehicle, compared with 16 percent who would feel comfortable letting an autonomous vehicle drive them without the ability to take control [2].
With the gradual move of electronic systems to SAE Levels 4 and 5, there is little or no dependence on the driver, as the vehicle has adequate redundancy and diversity to keep operating normally despite the detection of a fault. A recent Rand Corporation report concluded that, notwithstanding consumer sentiment, hundreds of thousands of lives could be saved by the widespread adoption of autonomous vehicles, even though they may not yet be accident-proof [3]. Below are some key procedures for ensuring functional safety in automated driving systems.

Compliance with Functional Safety Standards

ISO 21448 will be important for functional safety in automated driving, but compliance with established functional safety standards, especially ISO 26262, will be necessary too. Best practices and approval based on the Automotive Safety Integrity Level (ASIL) under ISO 26262 will still need to be followed to ensure safe software for automated vehicles.

ISO 26262 applies to passenger vehicles, motorcycles and commercial motor vehicles, and specifically to the practice and enhancement of functional safety. “Car manufacturers use compliance to ISO 26262 as a means to qualify components and potential suppliers of E/E components.” [1]. In this standard, risk is determined and interpreted using the Automotive Safety Integrity Levels (ASIL), a risk classification scheme for the functional safety of road vehicles. The standard defines four ASILs: A, B, C and D, where ASIL A denotes the lowest and ASIL D the highest level of automotive hazard. A real-life example: an E/E fault leading to a failure of system-level modes and functions that contributes to incorrect steering or braking is considered among the highest safety-related risks, ASIL D.

Errors can also be introduced by the development tools used for system chip design and verification. ISO 26262 therefore requires an assessment of the tool confidence level (TCL), based on whether a tool malfunction can introduce an error into the product (tool impact) and the confidence that such a malfunction would be detected by the development process (tool error detection). The classification has two main outcomes: TCL1, for which no tool qualification is needed, and TCL2/TCL3, for which tool qualification is needed [4]. The recommended verification approach depends on the desired ASIL.
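
As an added example (not from the paper or any cited source), the following Python code encodes the ASIL determination table of ISO 26262-3, which derives the ASIL from the severity (S1-S3), exposure (E1-E4) and controllability (C1-C3) of a hazardous event, together with the tool confidence level rule of ISO 26262-8 (tool impact TI1/TI2 and tool error detection TD1-TD3). The hazardous events and the tool classification used at the end are illustrative assumptions, not ratings from any real project.

```python
from dataclasses import dataclass
from typing import List

# ISO 26262-3 ASIL determination: rows keyed by (severity S1..S3, exposure
# E1..E4); columns are controllability C1..C3.  QM = quality management only,
# i.e. no ASIL-specific requirements apply.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def asil(severity: int, exposure: int, controllability: int) -> str:
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("S must be 1..3, E 1..4, C 1..3")
    return ASIL_TABLE[(severity, exposure)][controllability - 1]


@dataclass
class HazardousEvent:
    description: str
    severity: int
    exposure: int
    controllability: int


def safety_goal_asil(events: List[HazardousEvent]) -> str:
    """A safety goal inherits the highest ASIL of the hazardous events it covers."""
    return max((asil(e.severity, e.exposure, e.controllability) for e in events),
               key=ASIL_ORDER.index)


def tool_confidence_level(tool_impact: int, error_detection: int) -> int:
    """ISO 26262-8: TI1 (no possibility that a tool malfunction introduces or
    fails to detect an error) -> TCL1.  TI2 -> TCL equals the tool error
    detection class TD1/TD2/TD3 (high/medium/low confidence of detection)."""
    if tool_impact == 1:
        return 1
    if tool_impact == 2 and error_detection in (1, 2, 3):
        return error_detection
    raise ValueError("TI must be 1 or 2, TD 1..3")


def qualification_required(tcl: int) -> bool:
    return tcl >= 2


# Constructed, illustrative HARA ratings for a steering function; the S/E/C
# values are assumptions for the example, not ratings from any real project.
STEERING_EVENTS = [
    HazardousEvent("unintended steering at highway speed", 3, 4, 3),
    HazardousEvent("loss of steering assist at parking speed", 1, 4, 2),
]


def example():
    codegen_tcl = tool_confidence_level(2, 2)   # assumed: TI2, TD2 code generator
    return {
        "per_event": [asil(e.severity, e.exposure, e.controllability) for e in STEERING_EVENTS],
        "safety_goal": safety_goal_asil(STEERING_EVENTS),
        "codegen_tcl": codegen_tcl,
        "codegen_needs_qualification": qualification_required(codegen_tcl),
    }


if __name__ == "__main__":
    print(example())
```

Note that the two rules behave differently: the ASIL of a safety goal is the maximum over its hazardous events, whereas a tool's TCL is fixed by its worst-case impact and the weakest detection the process offers, which is why a TI2/TD2 code generator needs qualification even when it is only used for ASIL A code.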

Fundamental Modes of an Automated Driving System

In order to ensure safety, an automated driving system has to have a fundamental set of system properties that are specified as its functional modes. SAE International currently defines six levels of driving automation, ranging from Level 0 (human-only control) to Level 5 (no steering wheel, pedals or human control). Across these levels, the following modes should be considered and assured in order to confirm that the overall system is safe: fail-safe (FS) mode, fail-silent mode and fail-operational mode.
Fail-safe mode

Fail-safe behaviour provides and supports customer confidence and promotes vehicle integrity. In fail-safe mode the affected function can simply be switched off, because the safety relevance of its unavailability is low enough, or because its loss is covered by a degraded mode.

In a typical fail-safe architecture, a safety power supply powers the microcontroller and the other hardware devices and monitors them for over- and under-voltage. It also controls the detection and evaluation of the MCU’s safe operation through a watchdog and hardware fault-monitoring functions. If a fault is detected, the system transitions to a safe state (powered by the safety power supply), which confirms that the function is in a known and defined state rather than an uncontrolled one.


Fail-Silent Mode

A fail-silent system is able to detect that it is producing or receiving a wrong signal due to a fault, and then withdraws its output (goes silent), so that the ongoing operation switches to a degraded mode.

Fail-Operational / Fault-Tolerant Mode

As vehicles develop beyond the fundamental levels of automation, advanced fail-operational system designs are expected to add more functionality to the vehicle. Fail-operational systems allow the full or degraded operation of a function even if there is a failure. The main applications are those needing high performance, a high level of safety integrity and a high level of availability. Fault detection and system reconfiguration (to compensate for the fault) are controlled by independent hardware, since a fail-operational system requires at least two fail-silent units. In order to realize fully automated driving on the path to an accident-free future, redundancy in safety-critical systems such as braking and steering is an absolute requirement [5]. To eliminate common-cause failures, even the power supply is made redundant, with independent batteries (VBAT1 and VBAT2).

Based on the SAE level set by the vehicle manufacturer, the backup function can be kept active for a considerable time until a final Minimal Risk Condition (MRC), allowing deactivation, is reached. At Level 3 the system informs the driver of a failure and hands control of the vehicle back to the driver. From Level 4 upwards, the system no longer relies on informing the driver but brings the vehicle to a stop in a place that is safe for its occupants and other road users. Hence safety architectures and system designs aim at full redundancy in order to support higher levels of driving automation and fault tolerance when there is a failure.
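
To illustrate both the fail-safe monitoring described earlier (supply-voltage window and watchdog) and the fail-operational arrangement of two fail-silent units under an independent supervisor, here is an added Python simulation that is not part of the paper or of any vendor’s design. Each lane performs its own self-check and, on a latched fault, withdraws its output; the supervisor runs on the remaining lane for a bounded number of cycles and then brings the vehicle to a minimal risk condition. The 9-16 V supply window, the steering-angle range, the cycle budget before the MRC and the injected faults are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    NORMAL = "normal"        # both lanes healthy
    DEGRADED = "degraded"    # running on the backup lane, MRC manoeuvre pending
    MRC = "minimal_risk"     # no lane available or backup time exhausted: controlled stop


@dataclass
class Lane:
    """One fail-silent control lane.  An assumed 9-16 V supply window and a
    watchdog flag stand in for the safety power supply and MCU monitoring."""
    name: str
    supply_v: float
    watchdog_served: bool = True
    fault: Optional[str] = None   # latched: a lane that has faulted stays silent

    def self_check(self) -> bool:
        if self.fault is None and not (9.0 <= self.supply_v <= 16.0):
            self.fault = f"{self.name}: supply {self.supply_v:.1f} V outside window"
        elif self.fault is None and not self.watchdog_served:
            self.fault = f"{self.name}: watchdog not served"
        return self.fault is None

    def compute(self, target_angle: float) -> Optional[float]:
        """Fail-silent behaviour: no output at all once a fault is detected."""
        if not self.self_check():
            return None
        return max(-30.0, min(30.0, target_angle))   # clamp to assumed actuator range


@dataclass
class Supervisor:
    """Independent supervisor: selects the active lane and drives the MRC."""
    lanes: List[Lane]
    mrc_cycles: int = 3          # how long backup operation may continue
    mode: Mode = Mode.NORMAL
    backup_cycles: int = 0
    faults: List[str] = field(default_factory=list)

    def step(self, target_angle: float) -> Dict[str, object]:
        if self.mode is Mode.MRC:            # the MRC is terminal until a service reset
            return self._mrc()
        outputs = [(lane, lane.compute(target_angle)) for lane in self.lanes]
        for lane, cmd in outputs:
            if cmd is None and lane.fault not in self.faults:
                self.faults.append(lane.fault)
        live = [cmd for _, cmd in outputs if cmd is not None]
        if not live:                          # both lanes silent
            self.mode = Mode.MRC
            return self._mrc()
        if len(live) == len(self.lanes):
            self.mode = Mode.NORMAL
            return {"steer": live[0], "brake": 0.0, "mode": self.mode}
        self.backup_cycles += 1               # one lane left: bounded backup operation
        if self.backup_cycles > self.mrc_cycles:
            self.mode = Mode.MRC
            return self._mrc()
        self.mode = Mode.DEGRADED
        return {"steer": live[0], "brake": 0.0, "mode": self.mode}

    def _mrc(self) -> Dict[str, object]:
        return {"steer": 0.0, "brake": 1.0, "mode": Mode.MRC}


Events = Dict[int, List[Tuple[str, str, object]]]   # cycle -> [(lane, attribute, value)]


def run_scenario(events: Events, cycles: int, mrc_cycles: int = 3) -> List[Mode]:
    """Drive the supervisor for `cycles` steps, injecting faults per `events`."""
    lanes = [Lane("lane_A", 12.0), Lane("lane_B", 12.0)]
    sup = Supervisor(lanes, mrc_cycles=mrc_cycles)
    trace = []
    for t in range(cycles):
        for lane_name, attr, value in events.get(t, []):
            setattr(next(l for l in lanes if l.name == lane_name), attr, value)
        trace.append(sup.step(target_angle=5.0)["mode"])
    return trace


if __name__ == "__main__":
    # Constructed fault injection: lane A loses its supply at cycle 2.
    print([m.value for m in run_scenario({2: [("lane_A", "supply_v", 7.0)]}, cycles=7)])
```

Two design choices matter here. A lane's fault is latched, so a supply that recovers does not bring the lane back without a deliberate reset; silently re-admitting a lane that just failed is how intermittent faults turn into oscillating control. And the supervisor never returns from the MRC on its own, which is what makes the backup time a bound rather than a suggestion.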

The Application of Secured Development Processes

Security is one of the major challenges with AI and machine learning, and there is a great deal to consider in cybersecurity for AI. Here we consider only the basics of getting security and privacy right in automated driving.

Automotive Cybersecurity

People often group safety and security together, though they cannot clearly explain why or how the two fields relate to each other. The grouping is natural because of the overlapping properties the fields are built upon. Their focus, however, is subtly different: safety is concerned with the appropriate functioning of a system, whereas security is concerned with the system’s ability to resist intentionally malicious action. This leads security to use additional analysis tools and technical mechanisms, which nevertheless also serve safety. For example, safety and security both depend on data integrity. Safety often relies on CRCs to detect corruption, but CRCs are not robust against malicious actors, since an attacker can simply recompute the checksum over a modified message. Security therefore relies on cryptographic hashes combined with secrets (message authentication codes or digital signatures) to detect tampering and forgery while resisting attack. Furthermore, security must allow for the possibility that the data has been entirely forged by an unexpected source and should therefore confirm both the origin and the integrity of the data to attain an acceptable risk level. Availability is similar: while safety emphasizes fail-safes and degraded modes, security considers prevention of unavailability where possible, because a fail-safe or degraded mode is likely to give attackers an advantage. Security relies heavily on cryptography, which is mostly resource-intensive, whereas active safety systems should be deterministic; safety-related data must be processed within short time intervals, making it difficult to ensure the required levels of data authenticity, confidentiality, etc. Both safety and security therefore affect resources and the architecture.


The Importance of Cybersecurity for Safety

The automotive industry faces new challenges in automated driving because of the diverse connectivity within automated vehicles and between those vehicles and their operating environment. These challenges range from meeting regulatory requirements and ensuring safety to protecting fleets and customers from cyber attacks. Enhanced connectivity mainly means new interfaces between the control functions of connected vehicles, IT back-end systems and other external information sources. This attack surface creates considerable interest for malicious actors with various aims. In other words, automated driving has advanced to a level where vehicles cannot maintain a safe state unless their operation is also secured. Ultimately, cybersecurity principles and practices should be applied to ensure that attackers cannot gain arbitrary control of a vehicle’s operation and that attacks are exceptionally difficult to scale to the point of simultaneously accessing multiple vehicles.

With the continuous development of vehicle automation, the security measures used to protect vehicle functions should defend the vehicle against unauthorized access and manipulation, to ensure the integrity of the vehicle and its components and the operational safety of its functions, especially the vehicle control functions. It is in our fundamental interest to ensure that the highest level of safety is attained and to protect vehicle safety optimally, while taking the state of the art in technology into account.

One of the major cybersecurity challenges widely observed when moving from one level of vehicle automation to the next is that the automated driving functions depend critically on data obtained from the surrounding environment, e.g. sensor information, regional maps, location information, etc. If the integrity or authenticity of this data is compromised, the fundamental building blocks of the automated driving functions (Sense – Plan – Act) will operate the vehicle on invalid data, which might result in deviations from proper operation. If an automated vehicle is attacked, the impact will be great, since the person inside the vehicle cannot quickly respond and take control. Hence cybersecurity measures should be carefully implemented and adequately available to protect automated driving from malicious actors.

Application of Automation to Design, Verification and Validation

Artificial intelligence, machine learning and automated driving vehicles are a major concern for automotive software developers as they strive to produce safe and better software. Applying automation to design, verification and validation techniques makes development teams more effective and efficient. Examples are:

1. Using a requirements management tool can help to capture and trace a requirement for sensor performance. This contributes to a safer design of the software.

2. Using a test case management tool can help to ensure high coverage of diverse scenarios. This helps with the verification of the software.

3. Using a static analysis tool can help to find defects that would otherwise only surface in particular run-time scenarios. This helps with the validation of the software.

Conclusion

The rapid growth of automation today requires that the automotive industry make substantial investments to keep up with the diverse advances in intelligent systems for safety, to bring the standards to an acceptable level of application, and to move towards optimal, systematic automated development methods. Thanks to the current development of the ISO 26262 standard, which eases its use and establishes a valid level of confidence in the vehicle, the application of secured development processes to promote safety in terms of security against cybercriminals, and the application of automation-based design, verification and validation will achieve wide adoption in the automotive industry. Automation-based formal verification is generally recognized as an effective technique to uncover hardware design flaws that might otherwise escape simulation-based verification and lead to systematic failures. The most significant advantage of such tools is their ability to examine all design behaviour, without the need for input stimuli, and to confirm that the design never deviates from its intended function as stipulated by the design specification. Even for non-complex designs, simulation tools cannot provide this level of certainty; hence these tools have multiple applications for both systematic and random fault verification.

References

[1] Jean-Philippe Meunier (2018), Automotive functional safety: The evolution of fail safe to fail operational architecture. Available at: https://blog.nxp.com/automotive/automotive-functional-safety-the-evolution-of-fail-safe-to-fail-operational-architecture
[2] Urvaksh Karkaria (2018), Consumer apprehension grows over autonomous tech, study says. Available at: https://www.autonews.com/article/20180816/MOBILITY/180819878/consumer-apprehension-grows-over-autonomous-tech-study-says
[3] Peter Els (2019), Rethinking Autonomous Vehicle Functional Safety Standards: An Analysis of SOTIF and ISO 26262. Available at: https://www.automotive-iq.com/autonomous-drive/articles/rethinking-autonomous-vehicle-functional-safety-standards-an-analysis-of-sotif-and-iso-26262
[4] Marc Serughetti (2019), Ensuring Functional Safety for Self-Driving Cars. Available at: https://semiengineering.com/ensuring-functional-safety-for-self-driving-cars/
[5] Business Wire (2018), Bosch technology enables redundancy needed for automated driving. Available at: https://www.businesswire.com/news/home/20180115005404/en/Bosch-technology-enables-redundancy-needed-automated-driving
[6] David Lopez (2018), Three things to know about functional safety. Available at: https://blog.nxp.com/automotive/three-things-to-know-about-functional-safety
[7] Samsara (2020), Advanced Driver Assistance Systems (ADAS) for Commercial Fleets. Available at: https://www.samsara.com/fleet/dash-cam/adas#section-three
[8] Seunghvuk Choi, Florian Thalmayr, Dominik Wee and Florian Weig (2016), Advanced driver-assistance systems: Challenges and opportunities ahead. Available at: https://www.mckinsey.com/industries/semiconductors/our-insights/advanced-driver-assistance-systems-challenges-and-opportunities-ahead
[9] Matthew W. et al. (2019), Systematically Developing Dependability To Support Safety By Design, pages 12-37 in Safety First For Automated Driving. Available at: https://www.aptiv.com/docs/default-source/white-papers/safety-first-for-automated-driving-aptiv-white-paper.pdf
[10] Richard Bellair (2019), Why SOTIF (ISO/PAS 21448) Is Key For Safety In Autonomous Driving. Available at: https://www.perforce.com/blog/qac/sotif-iso-pas-21448-autonomous-driving
