I am sharing this for educational purposes for those who wish to learn more about autonomous driving. It's taken from the "Safety First for Automated Driving" document. It's spells out the capabilities that all autonomous cars should have:
--------------
The capabilities are divided into fail-safe capabilities (FS) and fail-degraded capabilities (FD). Fail-safe capabilities provide and enable customer value. Fail-safe capabilities can be discontinued, because the safety relevance of their unavailability is low enough or is covered by the fail-degraded capabilities. Fail-degraded capabilities should be performed with a certain performance level, even in the case of a failure, to provide a safe system for a specific time frame until a final Minimal Risk Condition (MRC), allowing deactivation, is reached (see Section 2.1.7).
FS_1: DETERMINE LOCATION The system should be able to determine its location in relation to the ODD. The vehicle should be able to decide if it is inside or outside of a location-specific ODD. The location in the ODD may be required, depending on the item definition.
FS_2: PERCEIVE RELEVANT STATIC AND DYNAMIC OBJECTS IN PROXIMITY TO THE AUTOMATED VEHICLE All entities that an automated driving system requires for its functional behavior should be perceived, optionally pre-processed, and provided correctly. The highest priority is placed on entities with an associated risk of collision. Sample entities include dynamic objects (e.g. (vulnerable) road users and characteristics of the respective movement), static instances (e.g. road boundaries, traffic guidance and communication signals) and obstacles.
FS_3: PREDICT THE FUTURE BEHAVIOR OF RELEVANT OBJECTS The relevant environment model needs to be extended by the predicted future state. The aim is to create a forecast of the environment. The intention of the relevant objects should be interpreted in order to form the basis for predicting future motion.
FS_4: CREATE A COLLISION-FREE AND LAWFUL DRIVING PLAN To ensure a collision-free and lawful driving policy, the following should be respected:
• Maintain a safe lateral and longitudinal distance to other objects.
• Comply with all applicable traffic rules within the ODD.
• Consider potential areas where objects may be occluded.
• In unclear situations the right of way is given, not taken.
• If a crash can be avoided without endangering third parties, traffic rules may be neglected if necessary.
FS_5: CORRECTLY EXECUTE AND ACTUATE THE DRIVING PLAN The corresponding actuation signals for lateral and longitudinal control should be generated based on the driving plan.
FS_6: COMMUNICATE AND INTERACT WITH OTHER (VULNERABLE) ROAD USERS Automated driving vehicles are required to communicate and interact with other (vulnerable) road users, depending on the ODD and the use cases.
FS_7: DETERMINE IF SPECIFIED NOMINAL PERFORMANCE IS NOT ACHIEVED Any element of the automated driving system can, either on its own or in combination with others, result in adverse behavior. Therefore, mechanisms are required to detect the adverse nominal performance of the system. FD_4 covers the reaction to detected adverse behavior.
Typical aspects for influencing the nominal performance are:
• Unwanted human factors, including misuse and manipulations
• Deviation of the intended functionality
• Technological limitations
• Environmental conditions
• Systematic and random failure modes
FD_1: ENSURE CONTROLLABILITY FOR THE VEHICLE OPERATOR The vehicle operator’s level of control varies depending on the automation level as per SAE J3016 and the use case definition and should therefore be ensured.
FD_2: DETECT WHEN DEGRADATION IS NOT AVAILABLE It should be assured that a possible unavailability of the degraded mode is detected. If the degradation strategies depend on the degradation reason, the degradation reason should be identified.
FD_3: ENSURE SAFE MODE TRANSITIONS AND AWARENESS Ensure that mode transitions are performed correctly and controlled by the vehicle operator affected if necessary. The vehicle operator affected should also be aware of the current mode and their responsibility deriving from it. For example, actuating an automated mode is permitted only when inside the ODD, and it will be deactivated prior to leaving the ODD or as a result of the vehicle operator taking control again.
FD_4: REACT TO INSUFFICIENT NOMINAL PERFORMANCE AND OTHER FAILURES VIA DEGRADATION Due to possibly unavailable nominal performance capabilities and other failures (e.g. based on hardware faults), the system should degrade within a well-defined amount of time.
FD_5: REDUCE SYSTEM PERFORMANCE IN THE PRESENCE OF FAILURE FOR THE DEGRADED MODE The reaction in case of failures during degraded mode should be defined.
FD_6: PERFORM DEGRADED MODE WITHIN REDUCED SYSTEM CONSTRAINTS Automated driving system operation in degraded mode is actuated as nominal capabilities with new limits. Multiple degraded modes are possible. The limitations should be defined such that the degraded mode can be stated as safe. Therefore, it may be necessary to avoid a permanent operation. A well-defined time frame for an additional reaction is required.
-----------------
--------------
The capabilities are divided into fail-safe capabilities (FS) and fail-degraded capabilities (FD). Fail-safe capabilities provide and enable customer value. Fail-safe capabilities can be discontinued, because the safety relevance of their unavailability is low enough or is covered by the fail-degraded capabilities. Fail-degraded capabilities should be performed with a certain performance level, even in the case of a failure, to provide a safe system for a specific time frame until a final Minimal Risk Condition (MRC), allowing deactivation, is reached (see Section 2.1.7).
FS_1: DETERMINE LOCATION The system should be able to determine its location in relation to the ODD. The vehicle should be able to decide if it is inside or outside of a location-specific ODD. The location in the ODD may be required, depending on the item definition.
FS_2: PERCEIVE RELEVANT STATIC AND DYNAMIC OBJECTS IN PROXIMITY TO THE AUTOMATED VEHICLE All entities that an automated driving system requires for its functional behavior should be perceived, optionally pre-processed, and provided correctly. The highest priority is placed on entities with an associated risk of collision. Sample entities include dynamic objects (e.g. (vulnerable) road users and characteristics of the respective movement), static instances (e.g. road boundaries, traffic guidance and communication signals) and obstacles.
FS_3: PREDICT THE FUTURE BEHAVIOR OF RELEVANT OBJECTS The relevant environment model needs to be extended by the predicted future state. The aim is to create a forecast of the environment. The intention of the relevant objects should be interpreted in order to form the basis for predicting future motion.
FS_4: CREATE A COLLISION-FREE AND LAWFUL DRIVING PLAN To ensure a collision-free and lawful driving policy, the following should be respected:
• Maintain a safe lateral and longitudinal distance to other objects.
• Comply with all applicable traffic rules within the ODD.
• Consider potential areas where objects may be occluded.
• In unclear situations the right of way is given, not taken.
• If a crash can be avoided without endangering third parties, traffic rules may be neglected if necessary.
FS_5: CORRECTLY EXECUTE AND ACTUATE THE DRIVING PLAN The corresponding actuation signals for lateral and longitudinal control should be generated based on the driving plan.
FS_6: COMMUNICATE AND INTERACT WITH OTHER (VULNERABLE) ROAD USERS Automated driving vehicles are required to communicate and interact with other (vulnerable) road users, depending on the ODD and the use cases.
FS_7: DETERMINE IF SPECIFIED NOMINAL PERFORMANCE IS NOT ACHIEVED Any element of the automated driving system can, either on its own or in combination with others, result in adverse behavior. Therefore, mechanisms are required to detect the adverse nominal performance of the system. FD_4 covers the reaction to detected adverse behavior.
Typical aspects for influencing the nominal performance are:
• Unwanted human factors, including misuse and manipulations
• Deviation of the intended functionality
• Technological limitations
• Environmental conditions
• Systematic and random failure modes
FD_1: ENSURE CONTROLLABILITY FOR THE VEHICLE OPERATOR The vehicle operator’s level of control varies depending on the automation level as per SAE J3016 and the use case definition and should therefore be ensured.
FD_2: DETECT WHEN DEGRADATION IS NOT AVAILABLE It should be assured that a possible unavailability of the degraded mode is detected. If the degradation strategies depend on the degradation reason, the degradation reason should be identified.
FD_3: ENSURE SAFE MODE TRANSITIONS AND AWARENESS Ensure that mode transitions are performed correctly and controlled by the vehicle operator affected if necessary. The vehicle operator affected should also be aware of the current mode and their responsibility deriving from it. For example, actuating an automated mode is permitted only when inside the ODD, and it will be deactivated prior to leaving the ODD or as a result of the vehicle operator taking control again.
FD_4: REACT TO INSUFFICIENT NOMINAL PERFORMANCE AND OTHER FAILURES VIA DEGRADATION Due to possibly unavailable nominal performance capabilities and other failures (e.g. based on hardware faults), the system should degrade within a well-defined amount of time.
FD_5: REDUCE SYSTEM PERFORMANCE IN THE PRESENCE OF FAILURE FOR THE DEGRADED MODE The reaction in case of failures during degraded mode should be defined.
FD_6: PERFORM DEGRADED MODE WITHIN REDUCED SYSTEM CONSTRAINTS Automated driving system operation in degraded mode is actuated as nominal capabilities with new limits. Multiple degraded modes are possible. The limitations should be defined such that the degraded mode can be stated as safe. Therefore, it may be necessary to avoid a permanent operation. A well-defined time frame for an additional reaction is required.
-----------------
