Safetronic 2024: Preview
Architectures for Safe Automated Driving

The demanding integrity and availability requirements of Highly Automated Driving need to be addressed by suitable architectures.


Upcoming Highly Automated Driving (HAD) systems allow drivers to temporarily divert their attention to non-driving tasks: they can take their hands off the steering wheel and eyes off the road. But more comfort for the driver means more responsibility for the vehicle. The HAD system now needs to tolerate faults and, at the very least, provide degraded functionality for a limited time frame.

With hardware and software elements becoming increasingly complex, faults can manifest in various and unforeseen ways. To ensure the integrity and availability of the system, these elements need to be combined into a robust system architecture.

Room for collaboration when it comes to the system architecture for HAD

Significant effort goes into developing proprietary hardware and software architectures, which are usually highly specific to an OEM and difficult to compare. In contrast, the overarching logical system architecture is all too often an afterthought.

At this higher level of abstraction, considerations such as fault containment and redundancy management are crucial for ensuring the integrity and availability of an HAD system. Solutions developed at this level are also sufficiently versatile to be applied across a wide range of HAD use cases and implementations. This makes them well-suited for collaborative efforts.

The innovation stream of The Autonomous fosters such collaboration between members from industry and academia. The working group Safety & Architecture was founded in 2021 to define the state of the art for logical system architectures for HAD. This effort consisted of three main steps:

  • Identify logical system architectures for HAD.
  • Describe their structure and behavior at a comparable level of detail.
  • Evaluate them against a set of qualitative criteria. These are related to high-level system requirements, general technological constraints, and best-practice design principles.

Safetronic 2024

This blog post is a preview of the presentation “Architectures for safe automated driving” at Safetronic in Stuttgart on November 13 at 12:20 p.m.

The Autonomous

The Autonomous, initiated by TTTech Auto in 2019, is a global community dedicated to shaping the future of safe autonomous mobility by building an ecosystem of diverse stakeholders. Through its Innovation Stream, The Autonomous aims to generate new knowledge and technological solutions to accelerate the market readiness and development of safe self-driving vehicles.

At Safetronic I will give an overview of the first Safety & Architecture report, published by The Autonomous in late 2023. The talk will cover the following topics:

  • The set of evaluation criteria. These are related to six relevant attributes: availability, reliability, scalability, simplicity, Safety of the Intended Functionality (SOTIF), and cybersecurity.
  • The architectures identified from literature and commercial publications. These broadly fall into the categories of monolithic, symmetric, and asymmetric architectures.
  • The underlying architectural design patterns. Most architectures share versatile patterns such as Voting, Doer/Checker, and Active/Hot Stand-By.
  • The architectures evaluated as suitable for the reference HAD use case. The most suitable ones share the combined Doer/Checker/Fallback pattern, which addresses system availability while facilitating effective ASIL decomposition according to ISO 26262.
  • The considerations identified for implementing logical system architectures in physical HW and SW elements. Ensuring sufficient independence between subsystems poses a key challenge here.
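To make the Doer/Checker/Fallback pattern and its availability argument concrete, here is an added simulation in Python. It is not code from the Safety & Architecture report or from The Autonomous; the envelope limits, the recovery policy (the doer must be accepted three cycles in a row before it regains control) and the injected faults are assumptions chosen for the example. A complex "doer" proposes a command, a deliberately simple "checker" validates it against a safety envelope, and a "fallback" supplies a minimal-risk manoeuvre whenever the doer's output is rejected or missing, so the actuators receive a valid command every cycle.

```python
"""Doer/Checker/Fallback arbitration, simulated with fault injection.

Added illustration, not code from the Safety & Architecture report or
from The Autonomous.  Envelope limits, recovery policy and the fault
scenario are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Command:
    accel: float   # m/s^2, negative = braking
    steer: float   # rad
    source: str    # channel that produced the command


@dataclass(frozen=True)
class Envelope:
    """Safety envelope the checker enforces (assumed values)."""
    max_accel: float = 3.0
    max_brake: float = 8.0
    max_steer: float = 0.5
    max_speed: float = 36.0  # m/s


def checker(cmd: Optional[Command], speed: float, env: Envelope, dt: float) -> bool:
    """Plausibility check on the doer's output.

    Kept deliberately simple and independent of the doer's internals: a
    small checker can be developed to a higher ASIL than the complex
    doer it supervises, which is the point of the decomposition.
    """
    if cmd is None:                      # doer missed its deadline
        return False
    if not -env.max_brake <= cmd.accel <= env.max_accel:
        return False
    if abs(cmd.steer) > env.max_steer:
        return False
    if speed + cmd.accel * dt > env.max_speed:   # would exceed speed limit
        return False
    return True


def fallback(speed: float) -> Command:
    """Minimal-risk manoeuvre: hold the lane and brake gently to a stop."""
    return Command(accel=-2.0 if speed > 0.0 else 0.0, steer=0.0, source="fallback")


class Arbiter:
    """Selects the command that reaches the actuators each cycle.

    Once the doer has been rejected, control stays with the fallback until
    the doer has been accepted `recovery_cycles` times in a row, so a
    flapping doer cannot hand control back and forth every cycle.
    """

    def __init__(self, env: Envelope = Envelope(), dt: float = 0.1, recovery_cycles: int = 3):
        self.env, self.dt, self.recovery_cycles = env, dt, recovery_cycles
        self.in_fallback = False
        self.good_streak = 0

    def step(self, doer_out: Optional[Command], speed: float) -> Command:
        ok = checker(doer_out, speed, self.env, self.dt)
        if ok:
            self.good_streak += 1
        else:
            self.good_streak = 0
            self.in_fallback = True
        if self.in_fallback and self.good_streak >= self.recovery_cycles:
            self.in_fallback = False
        if self.in_fallback:
            return fallback(speed)
        return doer_out


def faulty_doer(k: int, speed: float) -> Optional[Command]:
    """Constructed doer behaviour: healthy, a dropout at cycle 3, an
    out-of-envelope acceleration at cycle 4, healthy again afterwards."""
    if k == 3:
        return None
    if k == 4:
        return Command(accel=15.0, steer=0.0, source="doer")
    return Command(accel=0.5, steer=0.05, source="doer")


def run(doer: Callable[[int, float], Optional[Command]], cycles: int,
        speed0: float = 20.0, dt: float = 0.1,
        recovery_cycles: int = 3) -> List[Tuple[int, str, float]]:
    """Drive the loop; return (cycle, command source, speed after) per cycle."""
    arb = Arbiter(dt=dt, recovery_cycles=recovery_cycles)
    speed = speed0
    trace = []
    for k in range(cycles):
        cmd = arb.step(doer(k, speed), speed)
        speed = max(0.0, speed + cmd.accel * dt)
        trace.append((k, cmd.source, round(speed, 3)))
    return trace


if __name__ == "__main__":
    for k, src, v in run(faulty_doer, 10):
        print(f"cycle {k}: {src:8s} speed={v:.2f} m/s")
```

With the constructed fault scenario, cycles 0 to 2 are served by the doer, the dropout and the out-of-envelope command hand control to the fallback for cycles 3 to 6, and the doer regains control at cycle 7 after three consecutive accepted outputs. Note what this toy does not show: all three channels run in one process on one clock, which is exactly the lack of independence the last bullet above warns about; in a real implementation the checker and fallback sit on separate hardware with independent power and timing, and the arbiter itself needs a monitor, since a stuck arbiter defeats the pattern.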

Finally, the working group Safety & Architecture is conceived as a continuous effort to discuss and establish the state of the art for safe HAD architectures. Building on the first report, we are now looking into three follow-on topics:

  • What strategies can be used to argue sufficient independence between subsystems?
  • What overlap and competition exist between safety and security?
  • How can the integrity and availability of the HAD system be ensured long-term via post-deployment observation?

The following technical report provides further information: "Safe Automated Driving: Requirements and Architectures"

Reinhard Stolle
Autonomous driving / Fraunhofer IKS