From ASIL D to ASIL E: A Unified Framework for Driver-Out Functional Safety

This article addressed the absence of human controllability in highly automated driving by proposing an extension to automotive functional safety that introduced a driver-out controllability class and required a uniform, one- level escalation of integrity targets. The aim was to establish a coherent basis for demonstrating safety without a human fallback by aligning hazard analysis, verifiable evidence, and lifecycle governance within a single framework. The study employed an extended hazard analysis and risk assessment that included an explicit driver-out decision with a corresponding escalation rule. It derived obligations for an integrity tier beyond current practice and integrated Safety of the Intended Functionality and the Underwriters Laboratories 4600 safety-case framework. Mandatory analyses comprised System-Theoretic Process Analysis for control-structure hazards, systematic identification of triggering conditions that degrade nominal performance, and construction of a structured safety case with traceable evidence. The approach was illustrated through a worked example on night-time pedestrian non-detection to show requirement flow- down and a verification and validation plan. Results indicated that the driver-out classification elevated all hazards by one integrity level and produced an obligation set that exceeded prior thresholds. The framework specified higher diagnostic- coverage targets, architectural redundancy with fail-operational behaviour, stricter latency and availability requirements, runtime monitoring with minimal-risk transitions, and post-deployment governance using telemetry, drift detection, incident response, and gated software updates. An evaluation workflow connected claims to evidence across development, testing, and operation, and the case study demonstrated measurable Performance targets and auditable traceability. The proposed extension offered a transparent and reviewable route to establish acceptable safety for driver-out operation, while maintaining compatibility with established practice and enabling continuous assurance in service.