The proliferation of active safety devices being inserted into vehicles (rear-end collision avoidance, lane departure, etc.) argues strongly that a separate Safety Supervisory System needs to be responsible for the overall safety of the vehicle ...

The Safety Supervisory System will resolve ambiguities and conflicts between active safety request commands and determine the sequences of control commands that will be applied to the real-time control system.

GRAHAM HELLESTRAND
Chief Executive Officer


Automotive Active Safety Subsystems

By definition, automotive Active Safety subsystems will be capable, in the main, of warning drivers of some subset of existing or impending unsafe conditions in time for the driver to react and, ideally, will autonomously assume real-time control of a vehicle in order to prevent, or at least minimize, harm to humans and property when the presenting danger is judged to be imminent within a time interval that is less than the reaction latency of an average driver (~1.5-3 seconds).

Avoiding collisions with other mobile objects (intelligent or otherwise) requires even shorter reaction times in which to select and deploy avoidance measures. When the impending collision is with another intelligent vehicle (or vehicles) it is necessary that multiple vehicles do not adopt avoidance countermeasures which together will induce collisions that might not have otherwise occurred. This implies the requirement for communication and joint decision making between such vehicles.

Active safety subsystems require verified, predictable behaviour, especially in extreme situations, to ensure they do not cause fatalities instead of preventing them. Because of the short latencies within which they are required to recognize threats, active safety subsystems trigger an intent and command a critical response from the vehicle’s real-time control system, either directly or, more rationally, indirectly via the safety supervisory system, if one exists.

The No Action Paradox

A vehicle’s real-time control system requires more than the traditional thought experiments and ad-hoc thinking in the formulation of its Requirements and the derivation of its Specifications. This is where wide-ranging, unbridled experimentation using hypotheses, scenarios and data covering the many thousands of traffic situations, and the scientific method, are a necessity. The outcome will be experimentally justified Requirements, tested derived Specifications, and investigation of the Architecture space capable of yielding optimal architectures that are the blueprints for design, development and physical realization - see EST’s un-V Systems Engineering Process. There is one type of technology and methodology capable of delivering high fidelity model-based design and high performance simulation - EST’s ESSE Systems Engineering Workbench possesses this capability.

Verifying Adaptive Cruise Control Subsystem in Convoy - Sensors: Radar and DSRC mobile WiFi

A critical feature of active safety subsystems is that they must be, at least, capable of autonomously directing the real-time control system of a vehicle, even when the latency between the detection of a threat, the selection of a disambiguated avoidance and/or mitigation response, and the consequential actions ordered from the underlying real-time control system is less than the typical reaction latency of the driver. Disambiguating action requires communication amongst all vehicles involved in the critical threat scenario in order to ensure that avoidance or mitigation measures taken by one vehicle will not result in a greater threat to the other vehicles involved. However, this is not sufficient: even reverting to default actions, such as returning control to the driver, may result in death and injury when the time to collision is less than the driver’s reaction time.

There may be no safe actions associated with these situations but a careful examination of the thousands of scenarios that might give rise to such decision making across the large set of potential, say, least cost actions, will permit rational discourse of the risk, legal, economic, social and political issues. The paradox is that no action – which includes surrendering control to the driver when the driver is incapable of taking control – is itself an action of the control system and hence already is subject to rational discourse and consequent decision making. Electronic stability control (ESC) is an active safety function that is mired in the issues addressed above, including the no action action paradox, and its actions have been mandated for classes of vehicles via political injunction. The same route to approval will follow for other active safety functions – hopefully, the decision making will be illuminated by the extensive data and analysis available from comprehensive modelling and simulation.

Active Safety, Functional Safety and Fault Tolerance

Only applying Functional Safety (ISO 26262) to the design of a dependable Active Safety system is inappropriate. When a monitoring system and its active safety system produce discrepant results, one of four rational outcomes should occur. The active safety system (i) becomes a warning system for the driver to take over control; (ii) triggers a default failure behaviour, such as stop where you are; (iii) assumes the monitor is faulty and deploys, if it can; or (iv) does nothing. This set of outcomes, although complete, may produce a worse outcome in the control of the vehicle than that which would occur in the absence of the Active Safety system. This is inconsistent with the expected behaviour of a dependable safety system. Dependable Active Safety systems must be fault tolerant – that is, they must exhibit (i) no less safety than a vehicle with no active safety device in the face of two errors and (ii) an increase in safety in the face of one. A hazard analysis, such as that for Functional Safety, must guarantee that the probability of two errors is sufficiently low to warrant deployment of the device.

The Need for a Safety Supervisory System

Active Safety systems are special – they need to be designed not to increase the probability of an outcome that is worse than would be achieved by a vehicle without such a system. These systems will typically assume that the components of the real-time control system of a vehicle – drivetrain, braking, steering and suspension – that they require to carry out their functions are operating correctly. Increasingly this will not be a good assumption, as functional safety designs are applied across the real-time control system and provide status information about the current operational status of subsystems within the real-time control system. Such status is likely to qualify the actions, and therefore the expected effect, of active safety systems. The proliferation of active safety devices being inserted into vehicles (rear-end collision avoidance, lane departure, etc.) argues strongly that a separate Safety Supervisory System (SSS) needs to be responsible for the overall safety of the vehicle. Status of the vehicle’s real-time control system, active safety commands, safety communication with external entities, and external detection sensor information (radar, infra-red, video, etc.) will be input to the SSS. The SSS will resolve ambiguities and conflicts between active safety request commands and determine the sequences of control commands that will be applied to the real-time control system.

Both the SSS and its active safety systems need to be fault tolerant. The real-time control systems and plant, which the SSS monitors and controls in emergencies, need sufficient redundancy to ensure that vehicles are acceptably safe.
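To make the arbitration role of the SSS and the four discrepancy outcomes concrete, here is an added illustrative model in Python; it is not EST's code or any product of theirs. The arbitration policy (most urgent threat first, one committed actuator per request, a 1.5 s driver-reaction threshold taken from the lower bound of the ~1.5-3 s figure above, and the mapping of conditions onto the outcomes (i)-(iv)) is an assumption constructed for the example, as are the subsystem status and request values.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed threshold: lower bound of the ~1.5-3 s average driver reaction latency.
DRIVER_REACTION_S = 1.5


class Outcome(Enum):
    DEPLOY = "deploy"          # apply the active safety command to the control system
    WARN = "warn"              # (i) warning only; driver is expected to take over
    DEFAULT = "default_stop"   # (ii) default failure behaviour: stop where you are
    NONE = "no_action"         # (iv) no action, recorded as an explicit SSS decision


@dataclass
class Request:
    source: str            # active safety function, e.g. "rear_end_avoidance"
    actuator: str          # real-time control component needed: "braking" / "steering"
    time_to_collision_s: float
    monitor_agrees: bool   # independent monitor confirms the threat (False = discrepancy)


def decide(req: Request, status: dict, committed: set) -> Outcome:
    """Outcome for one request, given subsystem health (status) and actuators
    already committed to a more urgent request (committed). Policy is assumed."""
    driver_can_react = req.time_to_collision_s > DRIVER_REACTION_S
    actuator_ok = status.get(req.actuator, False) and req.actuator not in committed
    if req.monitor_agrees and actuator_ok:
        return Outcome.DEPLOY
    if driver_can_react:
        return Outcome.WARN                    # (i) driver has time to take over
    if actuator_ok:
        return Outcome.DEPLOY                  # (iii) treat the monitor as faulty and deploy
    if status.get("braking", False) and "braking" not in committed:
        return Outcome.DEFAULT                 # (ii) fall back to a stop
    return Outcome.NONE                        # (iv) nothing usable: no action, but decided


def supervise(status: dict, requests: list) -> list:
    """SSS arbitration: resolve conflicting requests into an ordered command list.
    status maps actuator name -> True (healthy) / False (degraded), as reported by
    the functional-safety layer of the real-time control system."""
    committed, decisions = set(), []
    for req in sorted(requests, key=lambda r: r.time_to_collision_s):   # most urgent first
        outcome = decide(req, status, committed)
        if outcome is Outcome.DEPLOY:
            committed.add(req.actuator)      # the actuator now belongs to this request
        elif outcome is Outcome.DEFAULT:
            committed.add("braking")         # the fallback stop also consumes braking
        decisions.append((req.source, outcome))
    return decisions
```

Note that a request whose time to collision is below the driver-reaction threshold is never resolved by handing control back to the driver: that is the no-action paradox above, and the model treats the resulting choice as a decision of the SSS rather than an absence of one.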
