
AV Data Recorder and DSSAD Hardware

Last updated: 2026-05-09

Why It Matters

AVs need two different recording systems that are often confused. A DSSAD-style recorder captures a continuous, trustworthy record of automated-driving state, control authority, faults, and key events for incident analysis. A bulk ADAS/AV data logger captures high-rate raw sensor streams for validation, replay, model improvement, and root-cause analysis. One is an accountability record; the other is an engineering data source.

The hardware architecture should keep the DSSAD record small, time-aligned, tamper-evident, and powered through safe stop, while the bulk recorder is sized for worst-case sensor throughput and removable ingest workflows. IEEE 1616.1 defines DSSAD goals, metrics, common requirements, and ADS Level 3-5 data elements; IEEE 802.1AS provides the time-synchronization basis needed to align vehicle events, sensors, and network logs.

Architecture Decisions

| Decision | Practical rule |
| --- | --- |
| Split recorders | Keep DSSAD/event ledger separate from bulk raw sensor logging. The DSSAD path must survive overload or failure of the bulk recorder. |
| Time source | Use GNSS/PPS or grandmaster-backed IEEE 802.1AS/gPTP, hardware timestamps where possible, and logged clock-offset/error states. |
| Power | Feed DSSAD recorder, trusted clock, and minimal gateway from the safe-stop rail with enough hold-up to flush the last event. |
| Data model | Define a fixed DSSAD data dictionary: ADS mode, control authority, fallback demand, fault state, vehicle motion, ODD state, command source, and safety-controller status. |
| Bulk throughput | Size ADAS logger interfaces and storage for peak sustained write, not average bitrate. Include cameras, LiDAR, radar, CAN FD, Ethernet, and debug streams. |
| Integrity | Hash event records, sign manifests, encrypt removable media, and maintain chain-of-custody for drive swaps. |
| Privacy | Separate operational evidence from raw video/audio. Apply retention, access control, and redaction policy before upload or disclosure. |

Recommended layout:

DSSAD / event ledger
        +-- safety controller state
        +-- ADS mode and fallback state
        +-- command authority and driver/operator interactions
        +-- faults, time quality, power state
        +-- tamper-evident storage on safe-stop rail

Bulk AV recorder
        +-- raw cameras, LiDAR, radar, CAN FD, Ethernet, GNSS/IMU
        +-- high-throughput NVMe arrays or cartridges
        +-- pre/post-trigger clips and continuous validation logging
        +-- depot ingest station and data lake manifest

Evidence Artifacts

  • DSSAD data dictionary mapped to IEEE 1616.1 concepts, jurisdictional requirements, and the vehicle safety case.
  • Recorder block diagram showing safe-stop power, clock source, network taps, CAN/Ethernet interfaces, storage paths, and isolation from control traffic.
  • Time-synchronization validation: gPTP grandmaster state, offset logs, hardware timestamp accuracy, holdover behavior, and clock-fault flags.
  • Sustained-write test report at peak sensor load, including hot SSDs, full disks, worn drives, and simultaneous event extraction.
  • Power-loss tests proving the last event record and manifest survive brownout, E-stop, and traction power loss.
  • Tamper-evidence and chain-of-custody procedure for removable cartridges, operator access, OBD/service-port access, and depot ingest.
  • Retention and privacy policy covering event records, raw sensor clips, operator notes, faces, license plates, aircraft identifiers, and upload rules.

Acceptance Checks

  • DSSAD recording continues when the bulk recorder is saturated, removed, or rebooting.
  • A power cut during an event preserves the last approved time window, record hash, and recorder health state.
  • All recorder channels can be aligned to the vehicle time base with documented maximum skew.
  • Sustained write remains above measured peak sensor bitrate with at least the approved thermal, wear, and filesystem margin.
  • Missing or degraded time sync is visible in the record and cannot be mistaken for trustworthy timing.
  • Drive swaps produce signed manifests, operator identity, cartridge identity, vehicle identity, and time range.
  • Privacy gates prevent raw camera data from leaving the vehicle or depot outside approved retention and redaction rules.
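The Integrity rule above and the acceptance checks on power cuts, degraded time sync, and drive swaps can be exercised together in a small model. The following is an added example, not code from the original page or from any recorder vendor: a hash-chained DSSAD event ledger with a fixed data dictionary and a per-record time-quality field, plus a cartridge-swap manifest carrying operator, cartridge, vehicle identity and time range. The field names, the `locked`/`holdover` time-quality values and the HMAC tag (a stand-in for a real signature) are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed DSSAD data dictionary (assumed field names; a real dictionary is project-specific).
FIELDS = ("t_ns", "time_quality", "ads_mode", "control_authority", "fallback_demand", "fault_state")
GENESIS = "0" * 64


def canonical(record):
    """Stable encoding so the hash covers exactly the dictionary fields in a fixed order."""
    return json.dumps({k: record[k] for k in FIELDS}, sort_keys=True, separators=(",", ":")).encode()


def append_event(ledger, record):
    """Append one event; each entry hashes the previous hash plus its own record (tamper-evident chain)."""
    missing = [k for k in FIELDS if k not in record]
    if missing:
        raise ValueError(f"record missing DSSAD fields: {missing}")
    prev = ledger[-1]["hash"] if ledger else GENESIS
    h = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
    ledger.append({"prev": prev, "hash": h, "record": dict(record)})
    return h


def verify_chain(ledger):
    """Recompute every link; return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        expect = hashlib.sha256(prev.encode() + canonical(e["record"])).hexdigest()
        if e["prev"] != prev or e["hash"] != expect:
            return i
        prev = e["hash"]
    return -1


def sign_manifest(ledger, key, operator, cartridge, vehicle):
    """Drive-swap manifest: identities, time range, head hash, and a count of degraded-time records."""
    m = {"operator": operator, "cartridge": cartridge, "vehicle": vehicle,
         "t_start_ns": ledger[0]["record"]["t_ns"], "t_end_ns": ledger[-1]["record"]["t_ns"],
         "entries": len(ledger), "head": ledger[-1]["hash"],
         "degraded_time_entries": sum(1 for e in ledger if e["record"]["time_quality"] != "locked")}
    m["tag"] = hmac.new(key, json.dumps(m, sort_keys=True).encode(), "sha256").hexdigest()  # assumed stand-in for a signature
    return m


def verify_manifest(manifest, ledger, key):
    """Manifest is valid only if its tag checks, its head matches the ledger, and the chain is intact."""
    body = {k: v for k, v in manifest.items() if k != "tag"}
    tag = hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    return (hmac.compare_digest(tag, manifest["tag"])
            and manifest["head"] == ledger[-1]["hash"]
            and verify_chain(ledger) == -1)
```

At depot ingest the manifest's `degraded_time_entries` count and the chain check tell the analyst, before any record is trusted, whether the window was time-locked and whether any entry was altered after it was written.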

Failure Modes

| Failure mode | Detection | Safe response |
| --- | --- | --- |
| Bulk recorder backpressure | Queue growth, dropped packets, write latency spike | Preserve DSSAD path, drop lowest-priority bulk streams, alert fleet. |
| SSD thermal or wear degradation | SMART data, temp, write cliff, bad-block trend | Derate bulk recording, schedule cartridge replacement, protect event stream. |
| Time source loss | gPTP grandmaster loss, offset jump, GNSS/PPS fault | Mark records with degraded time quality and use holdover clock. |
| Event trigger missed | No clip for safety-controller event, trigger monitor mismatch | Keep continuous DSSAD ledger and add watchdog on trigger pipeline. |
| DSSAD and bulk data conflated | Raw logger failure removes event accountability record | Enforce independent storage, power, process, and health monitoring. |
| Tamper or unauthorized access | Manifest mismatch, signature failure, access log anomaly | Quarantine media and preserve audit trail. |
| Encryption key loss | Media unreadable after incident | Use escrowed key policy and tested recovery procedure. |
| Removable media mislabel | Cartridge ID mismatch, duplicate serial, ingest manifest error | Block ingest and require chain-of-custody reconciliation. |

Sources

Public research notes collected from public sources.