Graceful Degradation Design Process for Autonomous Driving System

An autonomous driving system requires the safety and availability of automated driving. For example, an autonomous driving system with automation level 3 requires the functions to request the driver to take over driving and to sustain safe automated driving until the driver accepts the request if a hardware failure occurs. However, there is a demand to continue automated driving if the system maintains sufficient performance for automated driving after the failure occurs. Therefore, we propose a graceful degradation design process to improve the automated driving continuation rate by defining degradation functions against performance limitation and hardware failure. The process integrates and extends ISO/PAS 21448 and ISO26262 and carries out these tasks in the order of system-level, ECU-level, and microcontroller-level degradation design. Furthermore, we propose a framework to calculate worst-case mode switch time (WCMST), which means the time duration from failure detection to degradation processing, by utilizing degradation design results. To evaluate the proposed process and framework, we applied them to the prototype system with automation level 3. The evaluation results showed that the designed system can sustain automated driving against 86.1% of performance degradation factors and that the framework can improve the calculation accuracy of WCMST by 35.3%.