A Formally Verified Fail-Operational Safety Concept for Automated Driving

TL;DR

This paper introduces a formally verified, holistic safety concept for automated driving systems that manages multi-point faults, ensuring safety through a formal model and proof of safety requirements.

Contribution

It presents a novel safety framework for AD systems that unifies fault handling and formal verification using mCRL2, addressing complex interdependent system resilience.

Findings

Formalized five safety requirements in modal mu-calculus

Developed an executable mCRL2 model with a four-mode degradation policy

Proved safety requirements formally against the model

Abstract

Modern Automated Driving (AD) systems rely on safety measures to handle faults and to bring vehicle to a safe state. To eradicate lethal road accidents, car manufacturers are constantly introducing new perception as well as control systems. Contemporary automotive design and safety engineering best practices are suitable for analyzing system components in isolation, whereas today's highly complex and interdependent AD systems require novel approach to ensure resilience to multi-point failures. We present a holistic safety concept unifying advanced safety measures for handling multiple-point faults. Our proposed approach enables designers to focus on more pressing issues such as handling fault-free hazardous behavior associated with system performance limitations. To verify our approach, we developed an executable model of the safety concept in the formal specification language mCRL2. The model behavior is governed by a four-mode degradation policy controlling distributed processors, redundant communication networks, and virtual machines. To keep the vehicle as safe as possible our degradation policy can reduce driving comfort or AD system's availability using additional low-cost driving channels. We formalized five safety requirements in the modal mu-calculus and proved them against our mCRL2 model, which is intractable to accomplish exhaustively using traditional road tests or simulation techniques. In conclusion, our formally proven safety concept defines a holistic design pattern for designing AD systems.