A motor vehicle (MV) is controlled to drive autonomously in agreement with a nominal path in response to nominal control signals (NCS) from a bank of control units (110). Safety policies (P) are provided via a first data-interface unit (163). The safety policies (P) describe mission-related rules to be followed during operation of the motor vehicle (MV). The safety policies (P) are based on a safety case (SC) stipulating how the motor vehicle (MV) shall be controlled to meet a functional safety standard. A watch unit (160) receives sensor signals (SS) from the motor vehicle (MV), and based thereon repeatedly generates commands ({cmd}) to update the boundary conditions ({bc}), aiming at confining the nominal path within limits that are given by the sensor signals (SS) and the at least one safety policy (P). The bank of control units reads out the set of boundary conditions ({bc}) and controls the motor vehicle (MV) to move in such a manner that the nominal path satisfies the boundary conditions ({bc}), and can thus be considered to be safe.
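As an added illustration, not taken from the patent or from any implementation of it, the following Python sketch shows how a watch unit could turn sensor signals (SS) and a safety policy (P) into boundary conditions ({bc}) that a control unit then enforces on the nominal control signal (NCS); the policy values, signal fields and class names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class SafetyPolicy:
    """Mission-related rules derived from the safety case (constructed values)."""
    min_time_to_collision_s: float = 2.0   # keep at least 2 s from the object ahead
    max_lateral_offset_m: float = 0.5      # stay within 0.5 m of the lane centre
    max_speed_mps: float = 30.0            # absolute speed cap from the safety case


@dataclass
class SensorSignals:
    """Sensor signals (SS) as read from the vehicle (constructed fields)."""
    range_to_object_m: float   # distance to the nearest object ahead
    lane_half_width_m: float   # measured half width of the current lane


@dataclass
class BoundaryConditions:
    """Boundary conditions ({bc}) the nominal path must satisfy."""
    max_speed_mps: float
    lateral_min_m: float
    lateral_max_m: float


class WatchUnit:
    """Repeatedly derives {bc} from the latest SS and the policy P."""

    def __init__(self, policy: SafetyPolicy):
        self.policy = policy

    def update(self, ss: SensorSignals) -> BoundaryConditions:
        # Speed at which the object ahead is still min_time_to_collision_s away;
        # a non-positive range means "already at the object", so the cap is zero.
        speed_cap = max(ss.range_to_object_m, 0.0) / self.policy.min_time_to_collision_s
        # Lateral corridor is the tighter of the policy limit and the measured lane.
        half = min(self.policy.max_lateral_offset_m, ss.lane_half_width_m)
        return BoundaryConditions(
            max_speed_mps=min(self.policy.max_speed_mps, speed_cap),
            lateral_min_m=-half,
            lateral_max_m=half,
        )


def control(nominal_speed: float, nominal_lateral: float, bc: BoundaryConditions):
    """Control unit: clamp the nominal control signal into {bc} and report if it had to."""
    speed = min(nominal_speed, bc.max_speed_mps)
    lateral = max(bc.lateral_min_m, min(bc.lateral_max_m, nominal_lateral))
    clamped = speed != nominal_speed or lateral != nominal_lateral
    return speed, lateral, clamped
```

The `clamped` flag is what a monitor would log: a nominal path that repeatedly hits the boundary conditions indicates the planner and the safety policy disagree.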