Analysis of Functional Insufficiencies and Triggering Conditions to Improve the SOTIF of an MPC-based Trajectory Planner

Mirko Conrad, Georg Schildbach

TL;DR

The paper addresses safety gaps in MPC-based trajectory planning for automated driving by applying the ISO21448 SOTIF framework. It treats the MPC-TP as a SOTIF-related Element out of Context (SOTIF-EooC) and systematically identifies Functional Insufficiencies (FIs) and Triggering Conditions (TCs) across ODDs, scenarios, system architecture, and algorithms. The analysis yields a refined MPC-TP design with a Backup MPC, a reaction horizon, and driving modes, plus an updated ODD and integration requirements to improve SOTIF compliance. The work advances practical safety guidance for ADS planners and highlights future directions in interaction-aware MPC and higher-fidelity vehicle modeling for extreme conditions.

Abstract

Automated and autonomous driving has made a significant technological leap over the past decade. In this process, the complexity of algorithms used for vehicle control has grown significantly. Model Predictive Control (MPC) is a prominent example, which has gained enormous popularity and is now widely used for vehicle motion planning and control. However, safety concerns constrain its practical application, especially since traditional procedures of functional safety (FS), with their universal standard ISO26262, reach their limits. Concomitantly, the new aspect of safety-of-the-intended-function (SOTIF) has moved into the center of attention, whose standard, ISO21448, was only released in 2022. Thus, experience with SOTIF is low and few case studies are available in industry and research. Hence, this paper aims to make two main contributions: (1) an analysis of the SOTIF for a generic MPC-based trajectory planner and (2) an interpretation and concrete application of the generic procedures described in ISO21448 for determining functional insufficiencies (FIs) and triggering conditions (TCs). Particular novelties of the paper include an approach for the out-of-context development of SOTIF-related elements (SOTIF-EooC), a compilation of important FIs and TCs for an MPC-based trajectory planner, and an optimized safety concept based on the identified FIs and TCs for the MPC-based trajectory planner.
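The TL;DR above names a Backup MPC and a reaction horizon as the safety mechanisms of the refined planner. The script below is an added illustration of that pattern, not code from the paper or its authors: a deliberately myopic grid-search planner stands in for the MPC, a constant-deceleration stop stands in for the Backup MPC, and the reaction-horizon rule is assumed to mean that a backup must still be feasible from the state reached after the first planned step has been executed. All names, constants, the kinematic model and the scenarios are constructed for the example.

```python
"""
Toy receding-horizon (MPC-style) longitudinal planner with a backup trajectory.

Added illustration for this page, not the paper's MPC-TP. Names, the kinematic
model, the candidate set and the "reaction horizon" rule are assumptions: after
the first planned step is executed, a backup (constant-deceleration stop) must
still be feasible; if no candidate satisfies that, the backup stored in the
previous cycle is executed instead.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

DT = 0.5                               # planning step [s]
HORIZON = 2                            # steps in the primary plan (deliberately short)
ACCELS = (-4.0, -2.0, 0.0, 1.0, 2.0)   # candidate accelerations [m/s^2]
V_MAX = 20.0                           # speed limit of the assumed ODD [m/s]
D_MIN = 5.0                            # minimum gap to the lead vehicle [m]
A_BACKUP = -4.0                        # deceleration used by the backup plan [m/s^2]


@dataclass(frozen=True)
class State:
    x: float       # ego position [m]
    v: float       # ego speed [m/s]
    gap: float     # distance to the lead vehicle [m]
    v_lead: float  # lead vehicle speed, assumed constant [m/s]


def step(s: State, a: float) -> State:
    """Discrete constant-acceleration model; speed is clamped at standstill."""
    v = max(0.0, s.v + a * DT)
    travel = 0.5 * (s.v + v) * DT
    return State(s.x + travel, v, s.gap + s.v_lead * DT - travel, s.v_lead)


def feasible(s: State) -> bool:
    return s.gap >= D_MIN and s.v <= V_MAX


def rollout(s: State, accels) -> Optional[List[State]]:
    """Simulate an acceleration sequence; None if any constraint is violated."""
    out = []
    for a in accels:
        s = step(s, a)
        if not feasible(s):
            return None
        out.append(s)
    return out


def backup_plan(s: State) -> Optional[Tuple[float, ...]]:
    """Brake at A_BACKUP until standstill; None if the gap constraint is violated."""
    seq = []
    while s.v > 0.0:
        s = step(s, A_BACKUP)
        if not feasible(s):
            return None
        seq.append(A_BACKUP)
    return tuple(seq)


def plan_cycle(s: State, v_ref: float, prev_backup: Tuple[float, ...]):
    """One planning cycle. Returns (mode, accel, backup_for_next_cycle).

    'nominal': cheapest feasible primary sequence whose first step still admits
               a backup (the assumed reaction-horizon condition).
    'backup' : no such sequence exists (e.g. the optimiser is infeasible after a
               sudden perception update); execute the stored backup instead.
    """
    best = None
    for seq in product(ACCELS, repeat=HORIZON):
        states = rollout(s, seq)
        if states is None:
            continue
        bk = backup_plan(states[0])
        if bk is None:
            continue  # greedy but unsafe: no way to stop after this step
        cost = sum((st.v - v_ref) ** 2 for st in states)
        if best is None or cost < best[0]:
            best = (cost, seq[0], bk)
    if best is not None:
        return "nominal", best[1], best[2]
    if not prev_backup:             # stored backup already exhausted: keep braking
        return "backup", A_BACKUP, ()
    return "backup", prev_backup[0], prev_backup[1:]


def simulate(s: State, v_ref: float, cycles: int):
    """Run the closed loop; returns [(mode, accel, state_after_step), ...]."""
    backup = backup_plan(s)
    assert backup is not None, "initial state must admit a backup"
    log = []
    for _ in range(cycles):
        mode, a, backup = plan_cycle(s, v_ref, backup)
        s = step(s, a)
        log.append((mode, a, s))
    return log


if __name__ == "__main__":
    # Constructed scenario: lead vehicle stopped 21 m ahead, ego at 10 m/s, target 15 m/s.
    for mode, a, st in simulate(State(0.0, 10.0, 21.0, 0.0), 15.0, 8):
        print(f"{mode:8s} a={a:+.1f}  v={st.v:4.1f}  gap={st.gap:5.2f}")
```

In the constructed scenario the two-step optimum on its own would be to accelerate, but that candidate is rejected because no stop would remain feasible afterwards; the planner brakes instead and comes to rest 5 m behind the lead without ever entering backup mode. Dropping the gap to 12 m between two cycles (a sudden perception update, the kind of event a triggering-condition analysis looks for) makes every candidate infeasible, and the stored backup is executed. Because the model is deterministic, the stored backup is exactly valid at the next cycle; a real integration has to re-validate it against disturbances and prediction errors.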

Paper Structure (43 sections, 3 equations, 10 figures, 7 tables)

Figures (10)

  • Figure 1: Overview of system architecture.
  • Figure 2: Initial, single-block MPC-TP architecture.
  • Figure 3: Illustration of the layered road model in ISO 34503 PEGASUS:2019.
  • Figure 4: Illustration of the reference trajectory.
  • Figure 5: Overview of the SOTIF lifecycle ISO21448:2022 (Red frames indicate the activities covered in this paper).
  • ...and 5 more figures