02 May 2024

A comprehensive approach to automotive safety

Looking closer at functional safety, SOTIF, and position integrity


Conversations about autonomous driving are ubiquitous nowadays, inundating our news. Companies such as Nvidia, Qualcomm, and Mobileye lead the charge in autonomous-driving software innovation. Their narrative suggests that with ongoing improvements, we will soon witness the widespread deployment of autonomous vehicles; in fact, OEMs such as Mercedes have recently deployed the first Level 3 semi-autonomous fleet. In addition, autonomous driving services have already landed on the streets of cities like Las Vegas and San Francisco, and elsewhere in California.

Bringing fully automated cars to reality is indeed a top priority for many of the major vehicle manufacturers, as they engage in a race to achieve this goal as fast as possible. Considering the changes vehicles have undergone over the past few decades, a driver may soon be unnecessary.

In this race towards autonomy, one idea constantly resonates. Most likely, you have thought about it as well: Will it be safe to step into one of these vehicles?

While the question may seem to warrant a simple yes or no answer, the actual question we should be asking to delve deeper into the topic is: How do OEMs address the safety of passengers? A thorough answer to this second question requires consideration of three key points.

The safety of a vehicle considering the manufacturer

Constant degradation, exposure to heat, and the vibrations provoked by the interaction of components are some of the factors that can physically affect a vehicle's performance. For these reasons, automotive developers must design systems that comply with safety criteria and constantly prove low fault risks in both a vehicle's hardware and software.

Initially supported by standards like ISO 3779, published in 1977 primarily for identification purposes, safety criteria have evolved over the past decades to become the primary standards that all vehicles must adhere to before their release into the market.

Since the 1990s, there has been a clear shift toward integrating safety criteria into vehicle ISO standards. Advancements in safety technology, regulatory requirements, and consumer demand for safer vehicles have been key drivers behind these changes. For example, ISO 26262 specifies functional safety for automotive systems and ISO 21448 specifies the safety of the intended functionality (SOTIF), while ISO 9001 covers quality management systems for automotive manufacturing. All three incorporate safety criteria for vehicles.

Today, ISO 26262 is the standard governing vehicle safety in terms of hardware and software.

The safety of a vehicle considering the environment

Building a vehicle according to strict specifications to ensure safety is one thing. Ensuring that the car remains safe under external environmental conditions is a different matter altogether.

Until the 2000s, vehicle companies primarily focused on safety within the framework of functional safety. More recently, there has been a shift in approach, with a broader focus now encompassing environmental conditions. This represents one of the most significant safety considerations for the automotive industry in recent decades.

But how does this take place? Another way to phrase this question is: How does a vehicle gather data from the external environment? Today’s AD applications collect sensor data from multiple sources, including radar, lidar, video, ultrasonic, camera, GNSS, IMU, and map data. These inputs enable perception and location algorithms to provide a comprehensive view of the vehicle’s surroundings and precise location, which in turn are used to calculate a safe trajectory.

It would seem logical that integrating technologies that supply the vehicle with information about external environmental conditions would enhance its safety, wouldn't it? The answer is yes, although there is a catch.

The main issue is that sensors are never 100% accurate, leading to data uncertainties that unavoidably affect trustworthiness. The assessment of sensor data in relation to the overall system and its environment is known as SOTIF (Safety of the Intended Functionality), governed by the ISO 21448 automotive standard.

Where exactly is the vehicle?

Most likely, keen readers have already noticed that an element central to achieving safe car decisions must be in place. Where is the vehicle? Autonomous vehicles must always know their exact location to make the right decisions.

One key protagonist in achieving this is none other than the Global Navigation Satellite System (GNSS) receiver. This is the only sensor that provides absolute position information down to the decimeter level, enabling an autonomous vehicle to maneuver with lane-level accuracy.

Absolute positioning based on GNSS is beneficial, for example, for detecting whether the vehicle is within a specific Operational Design Domain (ODD) in order to enable ADL2 or ADL3 features. It is also a crucial component that complements other sensors to achieve precise and trustworthy vehicle localization in local environments.

Furthermore, absolute positioning is necessary to share the vehicle’s status with traffic infrastructure and nearby cars. This data can generate a collective perception, such as the one supported by the 5G/V2X standard.

Let’s call statistics to make sure we are safe

Anyone who has ever taken a probability and statistics course should have heard that nothing is 100% certain in life. We indeed live in a probabilistic world where nothing is absolutely certain. The good news is that we can deal with this uncertainty by measuring it and then making the best choices.

This is precisely what the aviation industry did when it came up with the concept of integrity. To accurately define this concept in the context of positioning, the industry used four more concepts: Protection Level (PL), Alert Limit (AL), Actual Error (AE), and Target Integrity Risk (TIR).

The PL is an instantaneous actual error bound based on precise statistical modeling of the positioning error. It encompasses a region within which the true position of the vehicle falls with a certain probability. The AL is the maximum acceptable error bound for a specific application.

The concept of position integrity

In this context, TIR represents the maximum tolerable rate of hazardous misleading events. These events are undetected instances where the actual error exceeds the AL while the calculated error bound (PL) remains lower than the maximum acceptable limit (AL).

Typically, a high automation level demands a high level of integrity. For example, the maximum tolerable rate of hazardous misleading events could be defined as not exceeding 10^-6/h. In other words, a system should guarantee less than one hazardous misleading event for every 1,000,000 driving hours.

In the context of positioning, integrity is thus a measure of trust for the information supplied by the positioning solution.
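The four quantities above (AE, PL, AL and TIR) can be turned into a simple epoch classifier and an observed-rate check. The following is an added illustration, not u-blox code; the alert limit of 3 m, the 1 Hz epoch period and all sample epochs are constructed assumptions. It also shows why a 10^-6/h target cannot be demonstrated from a short drive: one event in one hour is a rate of 1/h.

```python
"""Classify positioning epochs by integrity outcome and compare the observed
hazardous-misleading-event rate with a Target Integrity Risk (TIR).

Added illustration, not u-blox code. AE = actual error, PL = protection level,
AL = alert limit, TIR = maximum tolerable rate of hazardous misleading events.
"""
from dataclasses import dataclass

AL_M = 3.0          # assumed alert limit in metres for a lane-level application
TIR_PER_H = 1e-6    # assumed target integrity risk: max HMI events per hour


@dataclass(frozen=True)
class Epoch:
    ae_m: float     # true horizontal error (known only with a reference truth)
    pl_m: float     # protection level reported by the positioning engine


def classify(e: Epoch, al_m: float = AL_M) -> str:
    """Outcome of one epoch, following the definitions in the article.

    system unavailable:   PL > AL            (bound too large, alert raised)
    nominal:              AE <= PL <= AL     (bound holds, position usable)
    misleading:           PL < AE <= AL      (bound violated, still inside AL)
    hazardous misleading: AE > AL and PL<=AL (undetected and unsafe: an HMI)
    """
    if e.pl_m > al_m:
        return "system unavailable"
    if e.ae_m <= e.pl_m:
        return "nominal"
    if e.ae_m > al_m:
        return "hazardous misleading"
    return "misleading"


def hmi_rate_per_hour(epochs, epoch_period_s: float, al_m: float = AL_M) -> float:
    """Observed hazardous misleading events per driving hour in a recording."""
    hours = len(epochs) * epoch_period_s / 3600.0
    hmi = sum(1 for e in epochs if classify(e, al_m) == "hazardous misleading")
    return hmi / hours


def meets_tir(epochs, epoch_period_s: float, tir: float = TIR_PER_H) -> bool:
    """True when the observed HMI rate stays below the target integrity risk."""
    return hmi_rate_per_hour(epochs, epoch_period_s) < tir


# Constructed one-hour drive at 1 Hz: one of each non-nominal case, rest nominal.
SAMPLE = [Epoch(0.4, 1.2), Epoch(2.5, 1.0), Epoch(1.0, 3.5), Epoch(3.4, 2.0)]
SAMPLE += [Epoch(0.5, 1.3)] * 3596          # 3600 epochs in total
```

Note that the single HMI in the sample yields an observed rate of 1/h, six orders of magnitude above the target, which is why integrity claims rest on statistical modelling of the error rather than on event counting alone.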

Remember, safety first

We hope we have clarified the many layers that are now in place to define what safety means for autonomous driving.

Functional safety and SOTIF are both necessary concepts.

Functional safety, a prerequisite for SOTIF and integrity, forms the foundational framework for ensuring the reliable operation of systems within predefined safety parameters. It emphasizes the prevention and mitigation of hazards resulting from system malfunctions or failures.

Considering SOTIF, which addresses the unintended behaviors of systems operating correctly within their intended function, functional safety establishes a reliability baseline essential for identifying and managing potential hazards stemming from these unforeseen behaviors.

Moreover, data and functional integrity rely on functional safety measures to maintain the trustworthiness and reliability of systems. This ensures they perform as intended and resist unauthorized alterations or malicious attacks.

Functional safety is an indispensable prerequisite that ensures addressing the challenges posed by SOTIF and upholding system integrity. The key message to take with you is that position integrity can be achieved only through the combination of functional safety and SOTIF elements.


Remember that u-blox addresses automotive safety with u-safe. Our end-to-end (E2E) functional safety solution for automated and autonomous vehicles includes a correction service, a host-based positioning engine, and a chipset or module hardware solution to ensure satellite signal reception.

Our solution is flexible and offers different types of integration depending on the E/E architecture. It is certified according to the ISO 26262 standard (ASIL B) as a Safety Element out of Context. Centered on the SOTIF concept, the solution achieves integrity levels down to 10^-7/h. It is a mature solution, with its components already deployed on roads today, providing high-integrity performance and reliable lane positioning for leading global OEMs. Have we sparked your interest? Contact us.

Stefania Sesia

Global Head of Application Marketing - Automotive, u-blox
