A motor vehicle can be controlled by a highly automated driving function. The function is called highly automated if a driver of the motor vehicle does not have to permanently monitor the function and thus is not available as fallback level, or only to some extent. For example, the driver may be assured of a takeover time of 15 seconds, of which he may avail himself in order to assume control of the motor vehicle from the highly automated driving function. This gives the driver the possibility to attend to matters not related to driving, or to sleep, for instance, while the vehicle is driving.
It cannot be expected that the components of a highly automated driving function operate completely without fault at all times. The driving function is usually made up of software components and/or hardware components. Each one of these components may fail; a hardware component such as a sensor, for instance, may have an electrical fault, or a software component may be operated outside its specification. However, the system as a whole must always be able to maintain a safe driving operation in the presence of such individual faults.
Some of these malfunctions are able to be diagnosed during the ongoing operation, and in the case of a fault, a switchover may take place from a first function component to a second function component, which then realizes an emergency operation (fallback).
The document WO 00 2013 060 530 A1 relates to a traffic jam assistance system, the proper functioning of which is monitored with the aid of an additional system, for instance an ACC system or a lane keeping assistant. If a predefined system limit is exceeded, then the traffic jam assistant is automatically deactivated.