A fault in an ADF may occur at any time, independent of the current operating mode or the driving scenario of the vehicle. In each possible operating mode an appropriate safety mechanism must keep the vehicle in a safe state in the event of a failure. There are several options to achieve this: switch off the function and inform the driver (not applicable for Level 4 systems), provide a backup with full functionality for a limited amount of time, or switch to a degraded mode.
For different operating modes and failure scenarios the ADF's reaction may differ in order to achieve a safe vehicle reaction. Operating modes that are generally applicable to all ADFs (ADF on / off, inside / outside ODD, handover between driver and ADF, etc.) as well as function-specific modes, such as diagnostic mode or decommissioning, should be considered. These modes might be part of a Minimal Risk Manoeuvre (MRM) (see Req_11).
Main Question:
Are function reactions specified that transition the function to a safe state in the presence of a fault (depending on the kind of fault)?
Sub-Questions:
- Is degraded operation or transition to a safe state (for example to a Minimal Risk Condition (MRC) via a Minimal Risk Manoeuvre (MRM)) sufficiently safe for the specific failure scenarios?
- Are restrictions to the function behaviour specified that result from the transition to the safe state (e.g. reduction of the ODD while operating in a safe state, or operating a function for a limited amount of time before further transitioning to a final safe state)?
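As an added illustration (not part of this requirement text), the following toy state machine encodes the three reaction options above as a function of operating mode and fault kind, including the time-limited backup that must end in an MRM and the ODD restriction that comes with degraded operation; the mode set, the two fault classes and the 30 s backup budget are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Mode(Enum):
    ADF_OFF = auto(); ADF_ON = auto(); OUTSIDE_ODD = auto(); HANDOVER = auto()
    BACKUP = auto(); DEGRADED = auto(); MRM = auto(); MRC = auto()

class Fault(Enum):
    MINOR = auto()   # a redundant element lost; reduced capability remains
    MAJOR = auto()   # primary driving path lost; only a backup path remains

BACKUP_BUDGET_S = 30.0  # assumed limit for running the full-function backup

@dataclass
class AdfState:
    level: int                 # SAE automation level, 3 or 4 (assumed)
    mode: Mode = Mode.ADF_ON
    backup_budget_s: float = 0.0
    driver_informed: bool = False
    odd_restrictions: list = field(default_factory=list)

def react(s: AdfState, fault: Fault) -> AdfState:
    """Choose the reaction for `fault` given the current operating mode."""
    if s.mode in (Mode.ADF_OFF, Mode.MRC):        # driver drives / already safe
        return s
    already_reacting = s.mode in (Mode.BACKUP, Mode.DEGRADED, Mode.MRM)
    if s.mode == Mode.OUTSIDE_ODD:                # ADF inactive: only inform
        s.mode, s.driver_informed = Mode.ADF_OFF, True
    elif s.level < 4 and (fault == Fault.MAJOR or s.mode == Mode.HANDOVER
                          or already_reacting):
        s.mode, s.driver_informed = Mode.ADF_OFF, True   # Level 3: hand back
    elif s.mode == Mode.HANDOVER or already_reacting:
        s.mode = Mode.MRM          # Level 4 cannot rely on the driver: MRM now
    elif fault == Fault.MINOR:
        s.mode = Mode.DEGRADED     # keep driving, but with a narrower ODD
        s.odd_restrictions.append("max_speed_reduced")
    else:                          # Level 4, MAJOR: full backup, limited time
        s.mode, s.backup_budget_s = Mode.BACKUP, BACKUP_BUDGET_S
    return s

def tick(s: AdfState, dt_s: float) -> AdfState:
    """Advance time: an expired backup budget forces the MRM, which ends in MRC."""
    if s.mode == Mode.BACKUP:
        s.backup_budget_s -= dt_s
        if s.backup_budget_s <= 0:
            s.mode, s.backup_budget_s = Mode.MRM, 0.0
    elif s.mode == Mode.MRM:
        s.mode = Mode.MRC          # manoeuvre assumed to complete in one tick
    return s
```

The rules make the Level 4 restriction explicit: no path from an active Level 4 mode ever ends in `ADF_OFF`, and a second fault while already degraded or in backup escalates straight to the MRM rather than stacking degradations.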