Realtime Global Optimization of a Fail-Safe Emergency Stop Maneuver for Arbitrary Electrical / Electronical Failures in Automated Driving

TL;DR

The paper tackles the problem of guaranteeing a fail-safe emergency stop for automated vehicles even when no E/E components operate after failure. It proposes a lightweight real-time planner that preconfigures hydraulic parameters before failure to realize a situation-dependent braking profile, while post-failure dynamics are purely hydraulic/mechanical. The core contribution is a mathematically grounded planning model that accounts for uncertain failure timing by integrating over a failure interval and employs a precomputed antiderivative framework to achieve global optimality with significantly reduced computation (approximately 1/8 of the direct approach). The approach enables a robust, hardware-independent fallback mechanism with practical implications for safety-critical autonomous driving systems, and suggests future extensions to more complex motion models and GPU implementations.

Abstract

In the event of a critical system failures in auto-mated vehicles, fail-operational or fail-safe measures provide minimum guarantees for the vehicle's performance, depending on which of its subsystems remain operational. Various such methods have been proposed which, upon failure, use different remaining sets of operational subsystems to execute maneuvers that bring the vehicle into a safe state under different environmental conditions. One particular such method proposes a fail-safe emergency stop system that requires no particular electric or electronic subsystem to be available after failure, and still provides a basic situation-dependent emergency stop maneuver. This is achieved by preemptively setting parameters to a hydraulic / mechanical system prior to failure, which after failure executes the preset maneuver "blindly". The focus of this paper is the particular challenge of implementing a lightweight planning algorithm that can cope with the complex uncertainties of the given task while still providing a globally optimal solution at regular intervals, based on the perceived and predicted environment of the automated vehicle.

Figures (7)

• Figure 1: Motivating example: The ego vehicle E is equipped with a hydraulic piston accumulator, whose pressure is released onto the brakes in case of a severe system failure. To provide a situation-dependent maneuver, the pressure is controlled by a valve, which is adjusted at periodical intervals $\Delta t_{\mathrm{plan}}$ prior to failure, to prepare for a possible emergency. Since failure can occur any time within the upcoming $\Delta t_{\mathrm{plan}}$ (or never at all), not one single braking trajectory can be planned, but instead a continuous range X of trajectories (and stopping distances) can occur, displaced over failure time. In the given scenario, the safest decision would be to decelerate gently enough to avoid a rear-end collision with car R, yet strongly enough to not enter the road ahead Y. The goal of the proposed algorithm is to minimize the risks $W(t,s)$ over time $t$ and arc length $s$ within the region X with very limited computational effort.
• Figure 2: Overview of the system controlled by the optimization algorithm.
• Figure 3: Areas covered for different choices of $a_{\mathrm{next}}$ overlap, starting with the timing $\sigma(t, t_{\mathrm{now}}, ...)$. This motivates the attempt to use an antiderivative of $W(t,s)$ w.r.t $s$ to determine the expected value of penalties accumulated within the area for a particular choice of $a_{\mathrm{next}}$.
• Figure 4: The set of all possible sub-trajectories for a given transition is composed as follows: The set A of sub-trajectories that have not failed yet (thin light blue line); the set B of sub-trajectories that ensue for failures at some $t_{\mathrm{fail}} \in [t_{\mathrm{now}}, t_{\mathrm{valve}})$ which brake with intermediate accelerations $[a_{\mathrm{prev}}, a_{\mathrm{now}})$; and the set C of sub-trajectories for failures $t_{\mathrm{fail}} \in [t_{\mathrm{valve}}, t_{\mathrm{plan}}]$ that brake with the target deceleration of $a_{\mathrm{next}}$ (hatched green). The latter two we further distinguish into ${\mathbf{B}}_\blacktriangleright$, $\mathbf{B}_\blacksquare$ and $\mathbf{C}_\blacktriangleright$, ${\mathbf{C}}_\blacksquare$ by whether the vehicle already has stopped (indicated by the dashed $[s_\blacksquare, t_\blacksquare]^{\mathsf T}$ line).
• Figure 5: We distinguish between trajectories which have not failed/decelerated yet (A, solid light blue), trajectories where the valve was activated in an intermediate state ($\mathbf{B}$, solid dark blue), and trajectories where the valve was activated in its constant state $a_{\mathrm{next}}$ ($\mathbf{C}$, hatched green). The subsets $\mathbf{B}_1$, $\mathbf{B}_2$ and $\mathbf{C}_1$, $\mathbf{C}_2$ defined to obtain simple boundaries for integration in \ref{['eq:area-p-a']}--\ref{['eq:area-p-c']}.