In highly automated driving, it is imperative for safety reasons to monitor the trajectory calculated by the vehicle prior to driving on it. If such monitoring detects an error in the system, the manner in which the system reacts to this error is of great importance. It has been established as state of the art that the trajectory, which is to be traveled in case of emergency, is already calculated together with the normal trajectory by the primary function. This approach has many advantages (in particular, the computing power for the trajectory calculation only has to be made available once (in the primary function)). However, this approach also has disadvantages with regard to the behavior of the vehicle in the event of a system error. Thus, the vehicle would not react to events which happen after the emergency-operation trajectory has been calculated. In particular, this is the case in the context of longer braking distances and higher speeds.
Moreover, halting on the roadway is not the “safest state” in every situation, but rather always a decision based on a concession between additional expenditure and risk.
In particular, it is also state of the art that there is a fixed strategy in the fallback mode, and it is already fixed at the moment of programming.