Page 42 - EE Times Europe Magazine - June 2025
Safe Automated Driving Starts with Architecture
[...] architectures in three broad categories: monolithic, symmetric, and asymmetric:
• In monolithic architectures, just a single subsystem performs all tasks.
• In symmetric architectures, multiple subsystems provide similar functionality.
• In asymmetric architectures, subsystems can have different roles.

To evaluate and compare these conceptual system architectures, the Working Group applied the concept of fault containment units (FCUs): Each subsystem is assumed to have defined failure modes that do not spread to other subsystems as long as independence between them can be established. To achieve safety, a suitable architecture must ensure that outputs of the AD system remain correct and available when an FCU fails or performs inadequately. For high-speed use cases, the system should continue to react dynamically to the traffic situation. Only in rare cases, such as simultaneous failures in multiple FCUs, might simpler fallback actions such as “blind” braking be acceptable.

Conceptual system architectures provide guidance on fault containment and redundancy and the associated dependent failure management. (Source: TTTech Auto)

The Working Group used a set of 13 qualitative evaluation criteria clustered in six attributes to compare proposed conceptual system architectures. While monolithic and symmetric architectures are less well-suited for complex AD use cases, asymmetric architectures stood out for their robustness and efficiency. Because of their intrinsic diversity, they not only reduce the risk of common-cause faults but also can lower the implementation effort and cost by duplicating only essential functionality.

Asymmetric architectures often employ the Doer/Checker/Fallback combined architectural design pattern, ensuring both correctness and availability of the AD system. The Doer performs the nominal functionality and is usually in control of the vehicle. Its output is independently monitored by the Checker. If the Checker considers the Doer’s output unsafe, it asks the Selector to suppress it. If the Doer has been silenced, the Fallback, which usually runs in hot standby, takes over and brings the vehicle to a safe stop.

Asymmetric architectures often employ the Doer/Checker/Fallback combined architectural design pattern. (Source: TTTech Auto)

SNEAK PEEK: WHAT’S COMING IN THE SECOND EDITION
The Safety & Architecture Working Group continues its work. Since the release of the first report, new conceptual system architectures have emerged, along with additional industry examples that enable more comprehensive comparisons. The upcoming second edition, scheduled for release at The Autonomous Main Event in September 2025, will feature two major updates:
• Expanded standards analysis. Beyond ISO 26262 and ISO 21448, the updated report will examine how other safety standards, such as UNECE R157, UL 4600, ISO/TS 5083, and the AI-focused ISO/PAS 8800 and ISO/IEC TR 5469, affect the applicability of the various proposed architectures.
• Sufficient independence evaluation. A key challenge in AD architecture is determining whether subsystems are truly independent and can be treated as distinct FCUs. The report will offer a new scheme for assessing when such independence can be deemed “sufficient.” It looks to resolve one of the most relevant conflicts in designing AD systems: developing truly safe architectures (which need sufficiently independent subsystems) while creating a cost-efficient solution using hardware and software components of identical type in the redundant channels. The scheme addresses coupling factors [...] initiators. It then provides examples of strategies to resolve each of them, such as specific ways to prevent their root causes, control their effects, or reduce the coupling altogether. Finally, an Independence Metric is proposed to assess the “independence coverage” of resolution strategies, analogous to ISO 26262’s diagnostic coverage concept. Resolution strategies may need to be combined to achieve high independence coverage.

Architecture is not just an implementation detail; it is a central enabler of safe automated driving. By focusing on conceptual system architectures, industry stakeholders can collaborate meaningfully without compromising proprietary knowledge. The efforts of The Autonomous and its Safety & Architecture Working Group highlight a practical way to design AD systems that are not only intelligent but inherently resilient. ■

Georg Niedrist is a senior fellow and Technology & Innovation safety consultant; Moritz Antlanger is a senior safety engineer; and Sascha Drenkelforth is principal safety consultant, all at TTTech Auto.
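The Doer/Checker/Fallback arbitration described above, as an added illustrative model that is not code from the report or from TTTech Auto. The actuation envelope, the stopping-distance rule the Checker applies, the Fallback's deceleration, and the choice to hand control to the Fallback when the Checker itself is lost are all assumptions of this example; a failed FCU is modelled as a `None` output.

```python
from dataclasses import dataclass
from typing import Optional

DT = 0.1               # control cycle, s
MAX_ACCEL, MAX_DECEL = 2.0, -8.0   # m/s^2, constructed envelope (not from the report)
MAX_STEER = 0.3        # rad
FALLBACK_DECEL = -4.0  # m/s^2, controlled stop by the hot-standby Fallback
BLIND_DECEL = -8.0     # m/s^2, last resort when the Fallback is also lost

@dataclass(frozen=True)
class Situation:
    speed: float  # ego speed, m/s
    gap: float    # distance to the lead obstacle, m

@dataclass(frozen=True)
class Command:
    accel: float  # m/s^2, negative = braking
    steer: float  # rad
    source: str   # "doer", "fallback" or "blind_brake"

def checker(sit: Situation, cmd: Command) -> bool:
    """Independent plausibility check (assumed rule): command inside the envelope,
    and the vehicle can still stop within the gap using MAX_DECEL after this cycle."""
    if not (MAX_DECEL <= cmd.accel <= MAX_ACCEL and abs(cmd.steer) <= MAX_STEER):
        return False
    v_next = max(0.0, sit.speed + cmd.accel * DT)
    gap_next = sit.gap - sit.speed * DT
    return v_next ** 2 / (2 * abs(MAX_DECEL)) <= gap_next

def fallback(sit: Situation) -> Command:
    """Hot-standby minimal-risk manoeuvre: straight-line controlled stop."""
    return Command(FALLBACK_DECEL if sit.speed > 0 else 0.0, 0.0, "fallback")

def selector(doer_cmd: Optional[Command], verdict: Optional[bool],
             fallback_cmd: Optional[Command]) -> Command:
    """None models a failed FCU. The Doer keeps control only while the Checker is
    alive and approves; a lost Checker counts as 'not approved' (design choice here)."""
    if doer_cmd is not None and verdict is True:
        return doer_cmd
    if fallback_cmd is not None:
        return fallback_cmd
    # Simultaneous failures in multiple FCUs: only "blind" braking remains.
    return Command(BLIND_DECEL, 0.0, "blind_brake")

def cycle(sit: Situation, doer_cmd: Optional[Command],
          checker_alive: bool = True, fallback_alive: bool = True) -> Command:
    """One control cycle: Doer -> Checker -> Selector, Fallback in hot standby."""
    verdict = checker(sit, doer_cmd) if checker_alive and doer_cmd is not None else None
    return selector(doer_cmd, verdict, fallback(sit) if fallback_alive else None)
```

Each FCU contributes only its own output; the Selector never trusts an unverified Doer, so losing any single unit degrades to the Fallback's controlled stop, and only a double loss falls back to blind braking.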
JUNE 2025 | www.eetimes.eu