
The Safety Shell: an Architecture to Handle Functional Insufficiencies in Automated Driving

C. A. J. Hanselaar, E. Silvas, A. Terechko, W. P. M. H. Heemels

TL;DR

This work tackles the persistent challenge of Functional Insufficiencies in highly automated driving by analyzing limitations of design-time FI handling and introducing the Safety Shell, a scalable multi-channel arbitration architecture. The Safety Shell performs online risk assessment across heterogeneous AD channels, using a principled arbitration that combines Last Safe Intervention Time with a dynamic channel preference order to select mission-continuing trajectories or fallback escape maneuvers. Extensive numerical simulations compare Safety Shell variants (SaS2, SaS3) against single-channel and other FI-handling architectures, demonstrating improved safety and substantially higher availability, especially in complex multi-FI scenarios. The results suggest that multi-channel arbitration can meaningfully extend autonomous capability while maintaining safety, though further work is needed to validate in more realistic settings and to address potential deadlocks and ethical risk considerations.

Abstract

To enable highly automated vehicles where the driver is no longer a safety backup, the vehicle must deal with various Functional Insufficiencies (FIs). Thus far, there is no widely accepted functional architecture that maximizes the availability of autonomy and ensures safety in complex vehicle operational design domains. In this paper, we present a survey of existing methods that strive to prevent or handle FIs. We observe that current design-time methods of preventing FIs lack completeness guarantees. Complementary solutions for on-line handling cannot suitably increase safety without seriously impacting the availability of journey-continuing autonomous functionality. To fill this gap, we propose the Safety Shell, a scalable multi-channel architecture and arbitration design, built upon preexisting functional safety redundant channel architectures. We compare this novel approach to existing architectures using numerical case studies. The results show that the Safety Shell architecture allows the automated vehicle to be as safe or safer compared to alternatives, while simultaneously improving availability of vehicle autonomy, thereby increasing the possible coverage of on-line functional insufficiency handling.

Paper Structure

This paper contains 28 sections, 31 equations, 24 figures, and 7 tables.

Figures (24)

  • Figure 1: The distinction between Faults and Functional Insufficiencies, reused from Fu2023 with permission.
  • Figure 2: A simplified automated vehicle system architecture. Sensors (shared and channel specific) feed information through the World Model to the Motion Planning functions to create trajectory plans. These provide actuation setpoints, as executed by low-level and actuators.
  • Figure 3: Abstract representation of the heterogeneous ODDs of functions, represented by the shaded areas. The gaps in the shaded areas represent remaining unknown FIs, with the oblique lines indicating FIs that are undetectable during run-time.
  • Figure 4: Representation of the single-channel Monitor-Actuator architecture, with the Safety Test feedback lines in blue.
  • Figure 5: Representation of a Monitor-Actuator architecture with a nominal and a safety channel. The mode switch indicates a transition from mission-continuing ADS functionality to a safe-state attaining fallback function.
  • ...and 19 more figures