System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["system<br>Autonomous Vehicle"]
    n1["subsystem<br>Perception Subsystem"]
    n2["subsystem<br>Localization and Mapping Subsystem"]
    n3["subsystem<br>Planning and Decision Subsystem"]
    n4["subsystem<br>Vehicle Control Subsystem"]
    n5["subsystem<br>Communication Subsystem"]
    n6["subsystem<br>Safety and Monitoring Subsystem"]
    n0 --> n1
    n0 --> n2
    n0 --> n3
    n0 --> n4
    n0 --> n5
    n0 --> n6
```
Autonomous Vehicle — Decomposition

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-SUBSYSTEMREQUIREMENTS-001 | The Perception Subsystem SHALL process LiDAR point cloud data at a minimum rate of 10 frames per second with 360-degree coverage and angular resolution of 0.1 degrees. | — | subsystem, perception, lidar, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-002 | The Perception Subsystem SHALL classify detected objects into at least 12 categories including vehicle, pedestrian, cyclist, traffic sign, traffic light, lane marking, barrier, construction zone, animal, debris, emergency vehicle, and unknown. | — | subsystem, perception, classification, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-003 | The Perception Subsystem SHALL fuse data from LiDAR, camera, and radar sensors and produce a unified object list within 30 milliseconds of sensor data acquisition. | — | subsystem, perception, fusion, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-004 | While operating in fog with visibility below 100 metres, the Perception Subsystem SHALL increase radar weighting in the fusion algorithm and report a perception confidence metric below 0.7 to the Planning Subsystem. | — | subsystem, perception, weather, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-005 | The Perception Subsystem SHALL perform continuous self-diagnostics on all sensors and report any sensor degradation or failure to the Safety and Monitoring Subsystem within 200 milliseconds of detection. | — | subsystem, perception, diagnostics, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-006 | The Perception Subsystem SHALL track at least 200 simultaneous objects with unique track identifiers, maintaining track continuity across sensor occlusions of up to 2 seconds. | — | subsystem, perception, tracking, session-161 |
| SUB-SUBSYSTEMREQUIREMENTS-007 | The Behavior Planner SHALL evaluate and select a tactical driving action within 20 milliseconds of receiving an updated prediction and route input. | — | subsystem, planning, behavior-planner, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-008 | The Motion Planner SHALL generate a kinematically feasible trajectory of at least 50 waypoints over a 5-second horizon, with lateral acceleration not exceeding 3 m/s² and longitudinal jerk not exceeding 1.5 m/s³. | — | subsystem, planning, motion-planner, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-009 | The Prediction Module SHALL forecast trajectories for all tracked objects over a minimum 5-second prediction horizon with position error below 1.0 metre at 3 seconds. | — | subsystem, planning, prediction-module, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-010 | When the Risk Assessor determines that no candidate trajectory maintains a time-to-collision above 2 seconds, the Planning and Decision Subsystem SHALL issue a minimal risk condition request to the Safety and Monitoring Subsystem within 10 milliseconds. | — | subsystem, planning, risk-assessor, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-011 | When a route segment becomes blocked or a traffic incident is reported, the Route Planner SHALL compute an alternative route within 500 milliseconds using the current HD map graph. | — | subsystem, planning, route-planner, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-012 | The Prediction Module SHALL classify the intent of each tracked road user into at least 6 categories including lane-keeping, lane-change-left, lane-change-right, braking, accelerating, and turning with classification accuracy above 90%. | — | subsystem, planning, prediction-module, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-013 | The Motion Planner SHALL complete trajectory optimisation within 30 milliseconds from receipt of a behaviour decision, ensuring the planning subsystem contribution to the sense-plan-act cycle remains below 50 milliseconds. | — | subsystem, planning, motion-planner, session-162 |
| SUB-SUBSYSTEMREQUIREMENTS-014 | The Steering Controller SHALL track the commanded steering angle with a steady-state error not exceeding 0.5 degrees and transient response settling time below 150 milliseconds. | — | subsystem, vehicle-control, steering-controller, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-015 | The Throttle and Brake Controller SHALL execute longitudinal acceleration commands with jerk not exceeding 1.5 m/s³ during normal operation and shall achieve commanded deceleration within 100 milliseconds of request. | — | subsystem, vehicle-control, throttle-brake, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-016 | The Drive-by-Wire Gateway SHALL translate software control commands to CAN bus actuator messages within 5 milliseconds and SHALL verify message delivery acknowledgement for every safety-critical command. | — | subsystem, vehicle-control, drive-by-wire, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-017 | The Vehicle Dynamics Monitor SHALL estimate vehicle velocity with accuracy within 0.1 m/s, yaw rate within 0.5 deg/s, and lateral acceleration within 0.05 m/s² at an update rate of at least 100 Hz. | — | subsystem, vehicle-control, dynamics-monitor, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-018 | When any actuator reports a fault condition or fails to acknowledge a command within 10 milliseconds, the Actuator Health Manager SHALL classify the fault severity and initiate the corresponding degradation mode within 50 milliseconds. | — | subsystem, vehicle-control, actuator-health, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-019 | The Drive-by-Wire Gateway SHALL implement a hardware watchdog timer with a timeout period not exceeding 50 milliseconds; when the watchdog expires, the gateway SHALL command all actuators to a safe default state. | — | subsystem, vehicle-control, drive-by-wire, safety, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-020 | While the Actuator Health Manager signals a steering degradation mode, the Steering Controller SHALL limit maximum steering rate to 50% of nominal and SHALL reject any commanded angle exceeding the mechanically safe range. | — | subsystem, vehicle-control, steering-controller, degradation, session-163 |
| SUB-SUBSYSTEMREQUIREMENTS-021 | The Pose Estimator SHALL produce a fused six-degree-of-freedom ego-pose at a minimum rate of 100 Hz with end-to-end latency not exceeding 10 milliseconds from the most recent sensor input. | — | subsystem, localization, pose-estimator, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-022 | The GNSS Receiver SHALL achieve horizontal position accuracy within 2 centimetres circular error probable when RTK correction data is available, and within 1.5 metres circular error probable in standalone GNSS mode. | — | subsystem, localization, gnss-receiver, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-023 | When GNSS signal is lost, the Inertial Measurement Unit SHALL maintain dead reckoning position accuracy within 0.1 percent of distance travelled for a minimum of 30 seconds. | — | subsystem, localization, imu, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-024 | The SLAM Engine SHALL match LiDAR scans against stored map features at a minimum update rate of 10 Hz with lateral position error not exceeding 5 centimetres in structured environments. | — | subsystem, localization, slam-engine, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-025 | The HD Map Manager SHALL load and index map tiles within 50 milliseconds for a query covering a 500-metre radius around the current vehicle position. | — | subsystem, localization, hd-map-manager, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-026 | The Pose Estimator SHALL detect and reject GNSS multipath errors exceeding 1 metre by performing consistency cross-checks against IMU and SLAM localization sources. | — | subsystem, localization, pose-estimator, integrity, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-027 | While any single localization source is unavailable, the Pose Estimator SHALL maintain ego-pose lateral accuracy within 30 centimetres using the remaining sources and SHALL report the degraded integrity level to the Planning and Decision Subsystem. | — | subsystem, localization, pose-estimator, degradation, session-164 |
| SUB-SUBSYSTEMREQUIREMENTS-028 | The Fault Detection and Isolation Module SHALL detect any single-point fault in a monitored subsystem within 50 milliseconds of the fault occurrence and issue a fault report to the Minimal Risk Condition Controller. | — | subsystem, safety-monitoring, fdi, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-029 | When a critical fault report is received from the Fault Detection and Isolation Module, the Minimal Risk Condition Controller SHALL initiate a minimal risk condition manoeuvre within 100 milliseconds, bringing the vehicle to a controlled stop or safe pullover. | — | subsystem, safety-monitoring, mrc, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-030 | The Safety Integrity Monitor SHALL execute an independent watchdog cycle at a rate of at least 100 Hz, verifying the execution timing and control flow integrity of all ASIL D rated functions. | — | subsystem, safety-monitoring, sim, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-031 | The Event Data Recorder SHALL continuously record sensor inputs, planning decisions, and actuator commands at a minimum aggregate data rate of 100 Mbps in a crash-survivable storage medium compliant with UN Regulation 157 data storage survival requirements. | — | subsystem, safety-monitoring, edr, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-032 | The Vehicle Cybersecurity Gateway SHALL monitor all in-vehicle network traffic and detect anomalous message patterns indicative of intrusion within 10 milliseconds, blocking unauthorised messages before they reach safety-critical domains. | — | subsystem, safety-monitoring, csg, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-033 | The Fault Detection and Isolation Module SHALL detect and independently classify up to 3 concurrent faults across different subsystems, prioritising them by safety impact severity to determine the appropriate response level. | — | subsystem, safety-monitoring, fdi, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-034 | The Minimal Risk Condition Controller SHALL support at least 3 graduated response levels: reduced speed operation, controlled lane-holding pullover, and immediate emergency stop, selecting the appropriate level based on the fault severity classification. | — | subsystem, safety-monitoring, mrc, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-035 | The Event Data Recorder SHALL maintain a rolling pre-incident buffer of at least 30 seconds duration, preserving all recorded data channels for the period immediately preceding any detected safety event or collision. | — | subsystem, safety-monitoring, edr, session-165 |
| SUB-SUBSYSTEMREQUIREMENTS-036 | The LiDAR Processing Unit SHALL segment raw point cloud data into ground plane and non-ground clusters within 20 milliseconds per scan cycle, rejecting ground returns with a false-positive rate below 2 percent. | — | subsystem, perception, lidar, session-166 |
| SUB-SUBSYSTEMREQUIREMENTS-037 | The Camera Vision Pipeline SHALL detect and classify objects from at least 8 camera streams simultaneously, achieving a mean average precision of 0.85 or higher across all 12 required object categories at frame rates above 30 fps. | — | subsystem, perception, camera, session-166 |
| SUB-SUBSYSTEMREQUIREMENTS-038 | While operating in rain with intensity exceeding 25 mm/h or fog with visibility below 100 metres, the Radar Processing Unit SHALL maintain a detection probability of 0.95 or higher for vehicles within 150 metres. | — | subsystem, perception, radar, session-166 |
| SUB-SUBSYSTEMREQUIREMENTS-039 | The Sensor Fusion Engine SHALL complete probabilistic data association and state update for all correlated tracks within 15 milliseconds of receiving a new detection set from any sensor pipeline. | — | subsystem, perception, fusion, session-166 |
| SUB-SUBSYSTEMREQUIREMENTS-040 | The Object Tracker SHALL maintain persistent identity for tracked objects across at least 5 consecutive occlusion frames, with an identity switch rate below 1 percent per 1000 tracked object-frames. | — | subsystem, perception, tracker, session-166 |
| SUB-SUBSYSTEMREQUIREMENTS-041 | The V2X Communication Module SHALL transmit and receive Basic Safety Messages (BSM) with an end-to-end latency not exceeding 100 milliseconds under nominal channel load. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-042 | The V2X Communication Module SHALL support simultaneous operation on DSRC (IEEE 802.11p) and C-V2X (3GPP PC5) radio interfaces with automatic protocol selection based on infrastructure availability. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-043 | The Telemetry and Fleet Gateway SHALL transmit vehicle health and position telemetry to the fleet management cloud at a minimum rate of 1 Hz over 4G/5G cellular with automatic failover between carriers. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-044 | The OTA Update Manager SHALL verify the cryptographic signature and integrity hash of every software update package before initiating installation on any target ECU. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-045 | When an OTA update installation fails or post-update diagnostics detect a fault, the OTA Update Manager SHALL automatically rollback to the previous software version within 30 seconds. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-046 | The In-Vehicle Network Router SHALL guarantee worst-case frame delivery latency of 500 microseconds for safety-critical traffic classes using IEEE 802.1Qbv time-aware shaping. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-047 | The Communication Security Manager SHALL maintain a certificate store supporting IEEE 1609.2 pseudonym certificates with automatic renewal and revocation list updates at intervals not exceeding 24 hours. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-048 | The In-Vehicle Network Router SHALL support aggregate throughput of at least 10 Gbps across all automotive Ethernet ports with VLAN isolation between safety-critical and infotainment domains. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-049 | While cellular connectivity is unavailable, the Telemetry and Fleet Gateway SHALL buffer telemetry data in non-volatile storage for at least 72 hours and retransmit upon connectivity restoration. | — | subsystem, communication, session-167 |
| SUB-SUBSYSTEMREQUIREMENTS-050 | The Communication Security Manager SHALL store all private keys in a hardware security module (HSM) with FIPS 140-2 Level 2 certification, preventing key extraction by any software process. | — | subsystem, communication, session-167 |
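The OTA gate of SUB-044 (signature and integrity hash checked before any install) together with the SUB-045 rollback, as an added worked example that is not part of the generated SyDD or of any project code. It assumes an Ed25519 vendor key (generated in-process here; per SUB-050 the private half would stay inside the HSM), a SHA-256 manifest digest, one rollback slot per ECU, and a caller-supplied post-update diagnostic; the package and ECU values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed view of an OTA package as the OTA Update
// Manager sees it: payload, the SHA-256 digest the manifest claims, and the
// vendor's Ed25519 signature over that digest.
type UpdatePackage struct {
	Version    string
	Payload    []byte
	ClaimedSHA string // hex digest from the manifest
	Signature  []byte
}

// ECU models a target ECU with an active image and one rollback slot.
type ECU struct {
	Active   string
	Previous string
}

var (
	ErrBadHash = errors.New("integrity hash mismatch")
	ErrBadSig  = errors.New("signature verification failed")
	ErrDiag    = errors.New("post-update diagnostics failed; rolled back")
)

// DigestHex returns the hex SHA-256 of a payload.
func DigestHex(payload []byte) string {
	d := sha256.Sum256(payload)
	return hex.EncodeToString(d[:])
}

// NewVendorKeys generates the vendor signing pair. In the real system the
// private half lives in the HSM (SUB-050); it is in-process here only so that
// the constructed sample can be signed.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPackage is the vendor-side step that produces a constructed package.
func SignPackage(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Version: version, Payload: payload,
		ClaimedSHA: hex.EncodeToString(digest[:]), Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the SUB-044 gate: the payload must hash to the claimed
// digest (integrity) and that digest must carry a valid vendor signature
// (authenticity). A package failing either check never reaches Install.
func VerifyPackage(pub ed25519.PublicKey, pkg UpdatePackage) error {
	digest := sha256.Sum256(pkg.Payload)
	if hex.EncodeToString(digest[:]) != pkg.ClaimedSHA {
		return ErrBadHash
	}
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return ErrBadSig
	}
	return nil
}

// Install verifies, swaps the image in, runs post-update diagnostics and, on
// failure, restores the previous version (SUB-045). It returns the version
// that is active when it finishes.
func Install(ecu *ECU, pub ed25519.PublicKey, pkg UpdatePackage, diag func(string) bool) (string, error) {
	if err := VerifyPackage(pub, pkg); err != nil {
		return ecu.Active, err
	}
	ecu.Previous = ecu.Active
	ecu.Active = pkg.Version
	if !diag(ecu.Active) {
		ecu.Active = ecu.Previous
		return ecu.Active, ErrDiag
	}
	return ecu.Active, nil
}

func main() {
	pub, priv := NewVendorKeys()
	good := SignPackage(priv, "2.1.0", []byte("constructed firmware image v2.1.0"))
	tampered := good // payload altered in transit: digest no longer matches
	tampered.Payload = []byte("constructed tampered image")
	forged := tampered // digest recomputed to match, but it cannot be re-signed
	forged.ClaimedSHA = DigestHex(forged.Payload)
	fmt.Println(VerifyPackage(pub, good), VerifyPackage(pub, tampered), VerifyPackage(pub, forged))
	ecu := &ECU{Active: "2.0.0"}
	fmt.Println(Install(ecu, pub, good, func(string) bool { return false }))
	fmt.Println(Install(ecu, pub, good, func(string) bool { return true }))
}
```

The two-stage check matters because a hash alone proves only that the payload matches its manifest; the signature over the digest is what binds both to the vendor.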

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-INTERFACEDEFINITIONS-001 | The interface between the Perception Subsystem and the Planning and Decision Subsystem SHALL transmit a fused object list containing object class, position, velocity, heading, dimensions, and confidence score at a minimum rate of 20 Hz over a shared-memory IPC channel. | — | interface, perception-planning, session-161 |
| IFC-INTERFACEDEFINITIONS-002 | The interface between the Planning and Decision Subsystem and the Vehicle Control Subsystem SHALL transmit trajectory waypoints as a time-stamped sequence of position, velocity, and curvature at a minimum rate of 50 Hz with maximum latency of 10 milliseconds. | — | interface, planning-control, session-161 |
| IFC-INTERFACEDEFINITIONS-003 | The interface between the Perception Subsystem and the Safety and Monitoring Subsystem SHALL transmit sensor health status messages including temperature, calibration drift, and signal-to-noise ratio for each sensor at a minimum rate of 1 Hz. | — | interface, perception-safety, session-161 |
| IFC-INTERFACEDEFINITIONS-004 | The interface between the Prediction Module and the Behavior Planner SHALL transmit predicted trajectories as a sequence of time-stamped position and velocity pairs for each tracked object, with intent classification label and confidence, at a minimum rate of 10 Hz. | — | interface, planning, prediction-behavior, session-162 |
| IFC-INTERFACEDEFINITIONS-005 | The interface between the Behavior Planner and the Motion Planner SHALL transmit a driving action command comprising action type, target lane, target speed, and urgency flag with maximum latency of 5 milliseconds. | — | interface, planning, behavior-motion, session-162 |
| IFC-INTERFACEDEFINITIONS-006 | The interface between the Risk Assessor and the Motion Planner SHALL provide a safety verdict for each candidate trajectory comprising a pass/fail flag, minimum time-to-collision value, and required deceleration margin, evaluated within 5 milliseconds of trajectory submission. | — | interface, planning, risk-motion, session-162 |
| IFC-INTERFACEDEFINITIONS-007 | The interface between the Vehicle Dynamics Monitor and the Steering Controller SHALL transmit vehicle state data (yaw rate, lateral acceleration, steering angle feedback) as a structured message at 100 Hz with end-to-end latency not exceeding 2 milliseconds. | — | interface, vehicle-control, dynamics-steering, session-163 |
| IFC-INTERFACEDEFINITIONS-008 | The interface between the control algorithms (Steering Controller, Throttle and Brake Controller) and the Drive-by-Wire Gateway SHALL use a dual-redundant CAN FD bus operating at 500 kbit/s with message authentication codes on all safety-critical frames. | — | interface, vehicle-control, can-bus, session-163 |
| IFC-INTERFACEDEFINITIONS-009 | The interface between the Drive-by-Wire Gateway and the Actuator Health Manager SHALL report actuator telemetry (motor temperature, position feedback, current draw, pressure readings) at 50 Hz, with the Health Manager returning a fault status word within one telemetry cycle. | — | interface, vehicle-control, health-telemetry, session-163 |
| IFC-INTERFACEDEFINITIONS-010 | The interface between the GNSS Receiver and the Pose Estimator SHALL transmit position fixes in NMEA 0183 GGA format at a minimum rate of 10 Hz, including fix quality indicator, number of satellites, and horizontal dilution of precision. | — | interface, localization, gnss, pose-estimator, session-164 |
| IFC-INTERFACEDEFINITIONS-011 | The interface between the Inertial Measurement Unit and the Pose Estimator SHALL transmit three-axis acceleration and three-axis angular rate measurements at a minimum rate of 200 Hz with timestamps synchronised to the vehicle time base within 1 microsecond. | — | interface, localization, imu, pose-estimator, session-164 |
| IFC-INTERFACEDEFINITIONS-012 | The interface between the Pose Estimator and the Planning and Decision Subsystem SHALL transmit the fused ego-pose as a stamped message containing position (x, y, z), orientation (quaternion), linear velocity, angular velocity, and a 6x6 covariance matrix at a minimum rate of 100 Hz. | — | interface, localization, pose-estimator, planning, session-164 |
| IFC-INTERFACEDEFINITIONS-013 | The interface between the Fault Detection and Isolation Module and the Minimal Risk Condition Controller SHALL transmit fault reports containing fault type, affected subsystem, severity classification, and recommended isolation action, delivered within 10 milliseconds of fault confirmation. | — | interface, safety-monitoring, fdi-mrc, session-165 |
| IFC-INTERFACEDEFINITIONS-014 | The interface between the Safety Integrity Monitor and the Fault Detection and Isolation Module SHALL transmit runtime integrity verdicts at 100 Hz, each verdict containing a pass/fail status and the function identifier being monitored. | — | interface, safety-monitoring, sim-fdi, session-165 |
| IFC-INTERFACEDEFINITIONS-015 | The interface between the Safety and Monitoring Subsystem components and the Event Data Recorder SHALL transmit all fault events and emergency action commands as time-stamped messages with microsecond resolution, using a non-blocking write protocol that does not impede safety-critical processing. | — | interface, safety-monitoring, edr, session-165 |
| IFC-INTERFACEDEFINITIONS-016 | The interface between the Vehicle Cybersecurity Gateway and the Fault Detection and Isolation Module SHALL transmit intrusion detection alerts containing the affected network domain, attack classification, and blocked message count, with alert delivery latency not exceeding 5 milliseconds. | — | interface, safety-monitoring, csg-fdi, session-165 |
| IFC-INTERFACEDEFINITIONS-017 | The interface between the LiDAR Processing Unit, Camera Vision Pipeline, Radar Processing Unit, and the Sensor Fusion Engine SHALL use a timestamped detection message format containing sensor identity, detection confidence, bounding geometry, and measurement covariance, transmitted at a rate matching each sensor's native cycle rate. | — | interface, perception, session-166 |
| IFC-INTERFACEDEFINITIONS-018 | The interface between the Sensor Fusion Engine and the Object Tracker SHALL deliver fused detection updates containing track-to-detection association hypotheses, innovation vectors, and updated state covariance matrices at each fusion cycle. | — | interface, perception, session-166 |
| IFC-INTERFACEDEFINITIONS-019 | The interface between the Object Tracker and the Planning and Decision Subsystem SHALL provide a tracked object list containing object identity, classification, kinematic state vector, and predicted trajectory at a minimum rate of 20 Hz. | — | interface, perception-planning, session-166 |
| IFC-INTERFACEDEFINITIONS-020 | The interface between the In-Vehicle Network Router and the V2X Communication Module SHALL carry IEEE 802.11p and PC5 protocol frames over a dedicated 1 Gbps Ethernet link with IEEE 802.1Q VLAN tag 100. | — | interface, communication, session-167 |
| IFC-INTERFACEDEFINITIONS-021 | The interface between the V2X Communication Module and the Communication Security Manager SHALL support message signing requests and certificate lookups with a response latency not exceeding 5 milliseconds per operation. | — | interface, communication, session-167 |
| IFC-INTERFACEDEFINITIONS-022 | The interface between the In-Vehicle Network Router and the Telemetry and Fleet Gateway SHALL multiplex telemetry streams from all subsystems onto a prioritized queue with configurable bandwidth allocation per data class. | — | interface, communication, session-167 |
| IFC-INTERFACEDEFINITIONS-023 | The interface between the OTA Update Manager and the Communication Security Manager SHALL provide update package signature verification returning a signed verification verdict within 2 seconds for packages up to 500 MB. | — | interface, communication, session-167 |
| IFC-INTERFACEDEFINITIONS-024 | The interface between the Pose Estimator and the Vehicle Dynamics Monitor SHALL transmit the fused vehicle pose (position, heading, velocity) at a minimum rate of 50 Hz over the in-vehicle Ethernet backbone. The message SHALL include a validity flag and an estimated position covariance matrix to enable the Vehicle Dynamics Monitor to weight localization data against its own inertial estimates. | — | interface, localization-control, pose-dynamics, session-168 |
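IFC-010's NMEA 0183 GGA feed into the Pose Estimator, as an added example that is not from the SyDD or any project code: a parser that enforces framing and checksum before handing fix quality, satellite count and HDOP to the estimator, so a sentence corrupted on the link or reporting no fix is dropped rather than fused. The sample sentences are constructed, and mapping fix quality 4 to the RTK 2 cm tier of SUB-022 is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// GGAFix is the subset of a GGA sentence the Pose Estimator consumes under
// IFC-010: position plus the three indicators it uses to weight or reject the fix.
type GGAFix struct {
	Lat, Lon   float64 // decimal degrees, south/west negative
	Quality    int     // 0 = no fix, 1 = GPS, 2 = DGPS, 4 = RTK fixed, 5 = RTK float
	Satellites int
	HDOP       float64
}

// Checksum is the NMEA 0183 checksum: XOR of every byte between '$' and '*'.
func Checksum(body string) byte {
	var c byte
	for i := 0; i < len(body); i++ {
		c ^= body[i]
	}
	return c
}

// MakeSentence frames a body as "$body*HH"; used to build the constructed samples.
func MakeSentence(body string) string {
	return fmt.Sprintf("$%s*%02X", body, Checksum(body))
}

// parseCoord converts NMEA ddmm.mmm (lat) or dddmm.mmm (lon) plus hemisphere
// to signed decimal degrees.
func parseCoord(v, hemi string, degDigits int) (float64, error) {
	if len(v) <= degDigits {
		return 0, fmt.Errorf("coordinate %q too short", v)
	}
	deg, err1 := strconv.ParseFloat(v[:degDigits], 64)
	mins, err2 := strconv.ParseFloat(v[degDigits:], 64)
	if err1 != nil || err2 != nil || mins >= 60 {
		return 0, fmt.Errorf("coordinate %q malformed", v)
	}
	if hemi == "S" || hemi == "W" {
		return -(deg + mins/60), nil
	}
	return deg + mins/60, nil
}

// ParseGGA checks framing and checksum before touching any field, so a
// sentence corrupted on the serial link is dropped rather than fed to the
// filter; a sentence whose receiver reports no fix (quality 0) is dropped too.
func ParseGGA(s string) (GGAFix, error) {
	s = strings.TrimSpace(s)
	star := strings.LastIndexByte(s, '*')
	if !strings.HasPrefix(s, "$") || star < 0 || len(s) != star+3 {
		return GGAFix{}, errors.New("bad framing")
	}
	body := s[1:star]
	want, err := strconv.ParseUint(s[star+1:], 16, 8)
	if err != nil || byte(want) != Checksum(body) {
		return GGAFix{}, errors.New("checksum mismatch")
	}
	f := strings.Split(body, ",")
	if len(f) < 15 || !strings.HasSuffix(f[0], "GGA") {
		return GGAFix{}, errors.New("not a GGA sentence")
	}
	quality, err := strconv.Atoi(f[6])
	if err != nil || quality == 0 {
		return GGAFix{}, errors.New("no usable fix")
	}
	lat, err := parseCoord(f[2], f[3], 2)
	if err != nil {
		return GGAFix{}, err
	}
	lon, err := parseCoord(f[4], f[5], 3)
	if err != nil {
		return GGAFix{}, err
	}
	sats, err1 := strconv.Atoi(f[7])
	hdop, err2 := strconv.ParseFloat(f[8], 64)
	if err1 != nil || err2 != nil {
		return GGAFix{}, errors.New("bad satellites/HDOP field")
	}
	return GGAFix{Lat: lat, Lon: lon, Quality: quality, Satellites: sats, HDOP: hdop}, nil
}

// RTKFixed reports whether the fix is in the 2 cm CEP tier of SUB-022 (RTK
// corrections applied). Mapping quality 4 to that tier is an assumption here.
func (g GGAFix) RTKFixed() bool { return g.Quality == 4 }

func main() {
	// Constructed sample: RTK-fixed position with 12 satellites in view.
	s := MakeSentence("GPGGA,123519,4807.038,N,01131.000,E,4,12,0.9,545.4,M,46.9,M,1.2,0120")
	fix, err := ParseGGA(s)
	fmt.Printf("%s\n%+v rtk=%v err=%v\n", s, fix, fix.RTKFixed(), err)
	// The same sentence with one digit corrupted on the link fails the checksum.
	_, err = ParseGGA(strings.Replace(s, "4807.038", "4807.039", 1))
	fmt.Println("corrupted:", err)
}
```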

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-ARCHITECTUREDECISIONS-001 | The Vehicle Control Subsystem SHALL use dual-redundant CAN FD buses for all safety-critical actuator command paths. Rationale: Single-bus failure must not result in loss of vehicle control. The primary bus carries real-time commands while the secondary bus provides hot standby with automatic failover within 5 ms. This decision derives from ISO 26262 ASIL-D requirements for steering and braking functions. | — | architecture, vehicle-control, redundancy, session-168 |
| ARC-ARCHITECTUREDECISIONS-002 | The Perception Subsystem SHALL perform all sensor fusion centrally in the Sensor Fusion Engine before forwarding the unified object list to the Planning and Decision Subsystem. Rationale: Centralised fusion avoids conflicting object representations across subsystems and ensures a single authoritative world model. Track-level fusion using an extended Kalman filter was selected over raw-level fusion due to lower computational cost and proven reliability in automotive applications. | — | architecture, perception, sensor-fusion, session-168 |
| ARC-ARCHITECTUREDECISIONS-003 | The Planning and Decision Subsystem SHALL separate tactical decision-making (Behavior Planner) from trajectory generation (Motion Planner) as distinct components with a well-defined interface. Rationale: Decoupling tactical decisions from trajectory optimisation allows independent verification of safety-critical maneuver selection logic at ASIL-D, while the trajectory generator operates at ASIL-B with tighter real-time constraints. This separation also enables independent algorithm updates without cross-impact. | — | architecture, planning, separation-of-concerns, session-168 |
| ARC-ARCHITECTUREDECISIONS-004 | The Safety and Monitoring Subsystem SHALL operate on a physically independent compute node from the Planning and Vehicle Control subsystems. Rationale: An independent safety monitor cannot be compromised by the same software faults or hardware failures that affect the primary compute stack. The Safety Integrity Monitor runs on a separate ARM Cortex-R lockstep processor with its own power supply, implementing a checker-shadow pattern to validate that planning outputs remain within the operational design domain. | — | architecture, safety-monitoring, independence, session-168 |
| ARC-ARCHITECTUREDECISIONS-005 | The Vehicle Control Subsystem SHALL use dual-redundant CAN FD buses for all safety-critical actuator command paths. Rationale: Single-bus failure must not result in loss of vehicle control. | — | architecture, vehicle-control, redundancy, session-168 |
```mermaid
flowchart TB
    n0["component<br>Route Planner"]
    n1["component<br>Prediction Module"]
    n2["component<br>Behavior Planner"]
    n3["component<br>Motion Planner"]
    n4["component<br>Risk Assessor"]
    n5["external<br>Perception Subsystem"]
    n6["external<br>Vehicle Control Subsystem"]
    n7["external<br>Localization and Mapping Subsystem"]
    n5 -->|fused object list| n1
    n7 -->|HD map + position| n0
    n1 -->|predicted trajectories| n2
    n0 -->|reference path| n2
    n2 -->|driving decisions| n3
    n4 -->|safety verdicts| n3
    n3 -->|trajectory waypoints| n6
```
Planning and Decision Subsystem — Internal
```mermaid
flowchart TB
    n0["system<br>Localization and Mapping Subsystem"]
    n1["component<br>GNSS Receiver"]
    n2["component<br>Inertial Measurement Unit"]
    n3["component<br>SLAM Engine"]
    n4["component<br>HD Map Manager"]
    n5["component<br>Pose Estimator"]
    n6["actor<br>Perception Input"]
    n7["actor<br>Planning Subsystem"]
    n1 -->|Position fixes| n5
    n2 -->|Inertial data| n5
    n3 -->|Relative pose and map match| n5
    n4 -->|Map priors| n5
    n4 -->|Map tiles| n3
    n6 -->|LiDAR point clouds| n3
    n5 -->|Fused ego-pose| n7
```
Localization and Mapping Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>Fault Detection and Isolation Module"]
    n1["component<br>Minimal Risk Condition Controller"]
    n2["component<br>Safety Integrity Monitor"]
    n3["component<br>Event Data Recorder"]
    n4["component<br>Vehicle Cybersecurity Gateway"]
    n2 -->|integrity verdicts| n0
    n0 -->|fault reports| n1
    n0 -->|fault events| n3
    n4 -->|intrusion alerts| n0
    n1 -->|emergency actions| n3
```
Safety and Monitoring Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>LiDAR Processing Unit"]
    n1["component<br>Camera Vision Pipeline"]
    n2["component<br>Radar Processing Unit"]
    n3["component<br>Sensor Fusion Engine"]
    n4["component<br>Object Tracker"]
    n0 -->|point cloud detections| n3
    n1 -->|image detections| n3
    n2 -->|radar detections| n3
    n3 -->|fused detections| n4
```
Perception Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>Steering Controller"]
    n1["component<br>Throttle and Brake Controller"]
    n2["component<br>Drive-by-Wire Gateway"]
    n3["component<br>Vehicle Dynamics Monitor"]
    n4["component<br>Actuator Health Manager"]
    n3 -->|vehicle state| n0
    n3 -->|vehicle state| n1
    n0 -->|steering commands| n2
    n1 -->|throttle/brake commands| n2
    n2 -->|actuator telemetry| n4
    n4 -->|health status| n0
```
Vehicle Control Subsystem — Components

| Entity | Hex Code | Description |
|---|---|---|
| Actuator Health Manager | 45B77A19 | Fault management module in an autonomous vehicle's Vehicle Control Subsystem that continuously monitors actuator health status (steering motor temperature, brake pressure sensors, throttle position feedback), detects degradation or failures, and manages graceful degradation modes including limp-home and safe-stop. |
| Autonomous Vehicle | D7F7725D | A self-driving ground vehicle system integrating perception, planning, control, and communication subsystems to navigate public roads without human intervention. Operates in mixed traffic with pedestrians, cyclists, and other vehicles. SAE Level 4 autonomy within a defined operational design domain. |
| Behavior Planner | 41F77B19 | High-level decision-making module within an autonomous vehicle's Planning and Decision Subsystem. Evaluates tactical driving options such as lane changes, intersection negotiation, merge manoeuvres, and yielding based on traffic rules, road context, and predicted behaviour of surrounding agents. Outputs discrete driving actions to the motion planner. |
| Camera Vision Pipeline | 71F73319 | Component of an autonomous vehicle perception subsystem that processes multi-camera image streams using deep neural networks for 2D/3D object detection, semantic segmentation, lane marking recognition, and traffic sign classification at frame rates above 30 fps. |
| Communication Security Manager | 40B57979 | Cryptographic service module managing PKI certificates, session keys, and message authentication for all external communication channels. Implements IEEE 1609.2 security for V2X, TLS for cellular links, and secure boot chain verification for OTA payloads. |
| Communication Subsystem | 51F57319 | Vehicle-to-everything (V2X) communication subsystem of an autonomous vehicle providing vehicle-to-vehicle, vehicle-to-infrastructure, and cellular connectivity. Supports cooperative perception, traffic signal priority, over-the-air software updates, and fleet management telemetry. |
| Drive-by-Wire Gateway | 51F57819 | Hardware-software interface gateway in an autonomous vehicle that translates high-level control commands into CAN bus messages for physical vehicle actuators (steering motor, brake calipers, throttle body), providing signal integrity monitoring and watchdog supervision. |
| Event Data Recorder | D0A53259 | Black-box data logging unit within an autonomous vehicle that continuously records sensor inputs, planning decisions, actuator commands, and fault events in a crash-survivable storage medium. Supports post-incident analysis and regulatory compliance. |
| Fault Detection and Isolation Module | 41B77B19 | Software module within an autonomous vehicle safety subsystem that monitors health telemetry from all vehicle subsystems, performs real-time anomaly detection using threshold and model-based methods, and isolates faulty components to prevent cascading failures. ASIL D rated. |
| GNSS Receiver | D5F77019 | Satellite navigation receiver providing absolute geodetic position fixes using GPS, GLONASS, Galileo, and BeiDou constellations with RTK correction capability for centimetre-level accuracy in autonomous vehicle localization. |
| HD Map Manager | 40A53109 | Software component that stores, indexes, and queries high-definition pre-built maps containing lane geometry, road markings, traffic signs, and semantic features, providing the Pose Estimator with map priors for localization matching in an autonomous vehicle. |
| In-Vehicle Network Router | D4B57218 | Central Ethernet/TSN router providing deterministic, time-sensitive networking between vehicle compute nodes. Manages VLAN segmentation, QoS prioritization, and traffic shaping for safety-critical and best-effort data flows across automotive Ethernet backbone. |
| Inertial Measurement Unit | D4F51018 | Six-axis inertial sensor package with three-axis accelerometer and three-axis gyroscope providing high-rate dead reckoning between GNSS fixes and bridging GNSS outages in tunnels or urban canyons for autonomous vehicle localization. |
| LiDAR Processing Unit | 51F73219 | Component of an autonomous vehicle perception subsystem that ingests raw 3D point cloud data from multiple LiDAR sensors, performs ground-plane segmentation, clustering, and geometric feature extraction to produce object candidate bounding volumes at 10 Hz or faster. |
| Localization and Mapping Subsystem | 51F73019 | Subsystem of an autonomous vehicle responsible for determining the vehicle's precise position and orientation using GPS, IMU, wheel odometry, and high-definition map matching. Maintains a localization estimate with centimetre-level accuracy for safe navigation. |
| Minimal Risk Condition Controller | 51F77A59 | Safety-critical controller within an autonomous vehicle that executes emergency manoeuvres such as controlled stops, lane-holding pullover, or hazard-light activation when a fault or unsafe state is detected. Implements the fallback strategy mandated by ISO 22737 and SAE J3016 for Level 4 autonomy. |
| Motion Planner | 41F73B19 | Trajectory generation component within an autonomous vehicle's Planning and Decision Subsystem. Converts high-level behaviour decisions into smooth, kinematically feasible trajectories expressed as time-stamped waypoints with position, velocity, and curvature constraints. Optimises for comfort, safety margins, and dynamic vehicle limits. |
| Object Tracker | 51B73309 | Component of an autonomous vehicle perception subsystem that maintains persistent identity and kinematic state (position, velocity, heading, acceleration) for up to 200 simultaneously tracked objects using multi-hypothesis tracking and Kalman filtering across sensor fusion cycles. |
| OTA Update Manager | 41B77B18 | Over-the-air software update manager responsible for secure download, verification, and staged deployment of firmware and software updates to vehicle ECUs. Implements A/B partition schemes and rollback capability. |
| Perception Subsystem | 55F73209 | Sensor fusion subsystem of an autonomous vehicle integrating LiDAR, camera, radar, and ultrasonic sensors to detect and classify objects, lanes, traffic signs, and road conditions in the vehicle's environment. Produces a unified world model for downstream planning. |
| Planning and Decision Subsystem | 51B73B19 | Autonomous vehicle subsystem that performs route planning, behavioral planning, and motion planning. Takes the world model from perception and localization data to generate safe, legal, and efficient trajectories through complex traffic scenarios including intersections, merges, and pedestrian crossings. |
| Pose Estimator | 41F73309 | Central sensor fusion algorithm that combines GNSS fixes, IMU dead reckoning, SLAM map-matching, and HD map priors using an Extended Kalman Filter to produce a single high-confidence 6-DOF ego-pose estimate for the autonomous vehicle at 100 Hz. |
| Prediction Module | 51F77319 | Predictive analytics component within an autonomous vehicle's Planning and Decision Subsystem. Forecasts future trajectories and intentions of surrounding road users including vehicles, pedestrians, and cyclists over a 3-8 second horizon using learned motion models and contextual cues from the HD map. |
| Radar Processing Unit | D1F73019 | Component of an autonomous vehicle perception subsystem that processes returns from millimetre-wave radar arrays to detect range, velocity, and angle of surrounding objects, providing robust detections in adverse weather conditions including rain, fog, and dust. |
| Risk Assessor | 41B73B09 | Safety evaluation component within an autonomous vehicle's Planning and Decision Subsystem. Continuously evaluates the risk of candidate trajectories by computing time-to-collision, required deceleration, and safety envelope violations. Vetoes unsafe plans and triggers minimal risk condition handoff to the safety subsystem when no safe trajectory exists. |
| Route Planner | 41B73B09 | Global path planning component within an autonomous vehicle's Planning and Decision Subsystem. Computes optimal routes from origin to destination using the HD map graph, considering traffic conditions, road closures, and energy efficiency. Provides the reference path that the behaviour planner follows tactically. |
| Safety and Monitoring Subsystem | 51B77A59 | Autonomous vehicle subsystem responsible for system health monitoring, fault detection and isolation, emergency fallback manoeuvres, and occupant protection. Implements safety integrity levels per ISO 26262, monitors all other subsystems for degradation, and triggers minimal risk conditions when faults are detected. |
| Safety Integrity Monitor | 51B73859 | Independent hardware and software watchdog within an autonomous vehicle safety subsystem that performs runtime verification of safety-critical functions, checks execution timing, memory integrity, and control flow. Acts as an independent safety element per ISO 26262. |
| Sensor Fusion Engine | 51F73319 | Component of an autonomous vehicle perception subsystem that combines detections from LiDAR, camera, and radar processing pipelines using probabilistic data association and state estimation to produce a unified, high-confidence environmental model with correlated object tracks. |
| SLAM Engine | 41F73309 | Simultaneous Localization and Mapping software engine that processes LiDAR point clouds and camera images to build and update environmental maps while estimating the vehicle's position relative to those maps in real time. |
| Steering Controller | D5F77819 | Electronic control unit within an autonomous vehicle's Vehicle Control Subsystem that converts lateral path-following commands from the motion planner into precise steering actuator signals, implementing torque overlay and angle control with fail-operational redundancy. |
| Telemetry and Fleet Gateway | 50E55219 | Cellular communication gateway providing 4G/5G uplink for real-time telemetry reporting, fleet management commands, and remote monitoring. Aggregates vehicle health, position, and operational data for cloud-based fleet orchestration. |
| Throttle and Brake Controller | D5F73A19 | Longitudinal control unit in an autonomous vehicle's Vehicle Control Subsystem that manages acceleration and deceleration by commanding electronic throttle and brake-by-wire actuators, enforcing jerk limits and emergency braking authority. |
| V2X Communication Module | D4F47219 | Vehicle-to-everything communication module implementing DSRC (IEEE 802.11p) and C-V2X (3GPP PC5) protocols for vehicle-to-vehicle, vehicle-to-infrastructure, and vehicle-to-pedestrian messaging. Handles BSM, SPaT, MAP, and TIM message types with sub-100 ms latency. |
| Vehicle Control Subsystem | 51F73A19 | Subsystem of an autonomous vehicle that translates planned trajectories into physical actuator commands for steering, throttle, and braking. Implements low-level feedback control loops to track the desired path while maintaining vehicle stability and ride comfort. |
| Vehicle Cybersecurity Gateway | 51B77859 | Network security component within an autonomous vehicle safety subsystem that monitors in-vehicle Ethernet and CAN bus networks for intrusion attempts, validates message authenticity using AUTOSAR SecOC, and enforces network segmentation between safety-critical and non-critical domains per ISO/SAE 21434. |
| Vehicle Dynamics Monitor | 55F53318 | Real-time monitoring module in an autonomous vehicle's Vehicle Control Subsystem that fuses IMU, wheel speed, and steering angle sensor data to estimate vehicle state including velocity, yaw rate, slip angle, and lateral acceleration for closed-loop feedback. |

| Component | Belongs To |
|---|---|
| Perception Subsystem | Autonomous Vehicle |
| Localization and Mapping Subsystem | Autonomous Vehicle |
| Planning and Decision Subsystem | Autonomous Vehicle |
| Vehicle Control Subsystem | Autonomous Vehicle |
| Communication Subsystem | Autonomous Vehicle |
| Safety and Monitoring Subsystem | Autonomous Vehicle |
| Behavior Planner | Planning and Decision Subsystem |
| Motion Planner | Planning and Decision Subsystem |
| Prediction Module | Planning and Decision Subsystem |
| Route Planner | Planning and Decision Subsystem |
| Risk Assessor | Planning and Decision Subsystem |
| Steering Controller | Vehicle Control Subsystem |
| Throttle and Brake Controller | Vehicle Control Subsystem |
| Drive-by-Wire Gateway | Vehicle Control Subsystem |
| Vehicle Dynamics Monitor | Vehicle Control Subsystem |
| Actuator Health Manager | Vehicle Control Subsystem |
| GNSS Receiver | Localization and Mapping Subsystem |
| Inertial Measurement Unit | Localization and Mapping Subsystem |
| SLAM Engine | Localization and Mapping Subsystem |
| HD Map Manager | Localization and Mapping Subsystem |
| Pose Estimator | Localization and Mapping Subsystem |
| Fault Detection and Isolation Module | Safety and Monitoring Subsystem |
| Minimal Risk Condition Controller | Safety and Monitoring Subsystem |
| Safety Integrity Monitor | Safety and Monitoring Subsystem |
| Event Data Recorder | Safety and Monitoring Subsystem |
| Vehicle Cybersecurity Gateway | Safety and Monitoring Subsystem |
| LiDAR Processing Unit | Perception Subsystem |
| Camera Vision Pipeline | Perception Subsystem |
| Radar Processing Unit | Perception Subsystem |
| Sensor Fusion Engine | Perception Subsystem |
| Object Tracker | Perception Subsystem |
| V2X Communication Module | Communication Subsystem |
| Telemetry and Fleet Gateway | Communication Subsystem |
| OTA Update Manager | Communication Subsystem |
| In-Vehicle Network Router | Communication Subsystem |
| Communication Security Manager | Communication Subsystem |

| From | To |
|---|---|
| Perception Subsystem | Planning and Decision Subsystem |
| Planning and Decision Subsystem | Vehicle Control Subsystem |
| Perception Subsystem | Safety and Monitoring Subsystem |
| Prediction Module | Behavior Planner |
| Behavior Planner | Motion Planner |
| Route Planner | Behavior Planner |
| Risk Assessor | Motion Planner |
| Steering Controller | Drive-by-Wire Gateway |
| Throttle and Brake Controller | Drive-by-Wire Gateway |
| Vehicle Dynamics Monitor | Steering Controller |
| Vehicle Dynamics Monitor | Throttle and Brake Controller |
| Actuator Health Manager | Drive-by-Wire Gateway |
| GNSS Receiver | Pose Estimator |
| Inertial Measurement Unit | Pose Estimator |
| Pose Estimator | Planning and Decision Subsystem |
| Fault Detection and Isolation Module | Minimal Risk Condition Controller |
| Safety Integrity Monitor | Fault Detection and Isolation Module |
| Fault Detection and Isolation Module | Event Data Recorder |
| Vehicle Cybersecurity Gateway | Fault Detection and Isolation Module |
| LiDAR Processing Unit | Sensor Fusion Engine |
| Camera Vision Pipeline | Sensor Fusion Engine |
| Radar Processing Unit | Sensor Fusion Engine |
| Sensor Fusion Engine | Object Tracker |
| Object Tracker | Planning and Decision Subsystem |
| V2X Communication Module | Communication Security Manager |
| Telemetry and Fleet Gateway | Communication Security Manager |
| OTA Update Manager | Communication Security Manager |
| In-Vehicle Network Router | V2X Communication Module |
| In-Vehicle Network Router | Telemetry and Fleet Gateway |
| Pose Estimator | Vehicle Dynamics Monitor |

| Component | Output |
|---|---|
| Behavior Planner | tactical driving decisions |
| Motion Planner | time-stamped trajectory waypoints |
| Prediction Module | predicted agent trajectories |
| Route Planner | global reference path |
| Risk Assessor | trajectory safety verdicts |
| Steering Controller | steering torque commands |
| Throttle and Brake Controller | longitudinal force commands |
| Drive-by-Wire Gateway | CAN bus actuator messages |
| Vehicle Dynamics Monitor | vehicle state estimates |
| Actuator Health Manager | actuator health status and degradation mode commands |
| GNSS Receiver | geodetic position fix with RTK correction |
| Inertial Measurement Unit | six-axis inertial measurements at 200 Hz |
| SLAM Engine | relative pose estimate and environmental point cloud map |
| Pose Estimator | fused 6-DOF ego-pose at 100 Hz |
| HD Map Manager | lane-level map tiles with semantic features |
| Fault Detection and Isolation Module | fault diagnosis reports with isolation recommendations |
| Minimal Risk Condition Controller | safe-stop trajectory commands and hazard warnings |
| Safety Integrity Monitor | runtime safety integrity verdicts and watchdog heartbeats |
| Event Data Recorder | time-stamped incident recordings in crash-survivable storage |
| Vehicle Cybersecurity Gateway | authenticated network traffic and intrusion alerts |
| LiDAR Processing Unit | 3D object candidate bounding volumes from segmented point clouds |
| Camera Vision Pipeline | 2D/3D object detections with semantic labels and lane geometry |
| Radar Processing Unit | range-velocity-angle detection lists with Doppler measurements |
| Sensor Fusion Engine | unified high-confidence environmental model with correlated tracks |
| Object Tracker | persistent object identities with kinematic state vectors at fusion rate |
| V2X Communication Module | cooperative awareness messages and hazard notifications to nearby vehicles and infrastructure |
| Telemetry and Fleet Gateway | aggregated telemetry streams and fleet command acknowledgments via cellular uplink |
| OTA Update Manager | verified and staged software update packages with rollback checkpoints |
| In-Vehicle Network Router | deterministic time-sensitive network frames with QoS-guaranteed delivery |
| Communication Security Manager | authenticated message envelopes and certificate validation verdicts |
| Drive-by-Wire Gateway | CAN FD actuator messages |
| Actuator Health Manager | actuator health status and degradation signals |
| Prediction Module | probabilistic trajectory forecasts |
| Risk Assessor | collision probability assessments |
| Route Planner | global route waypoints |