Behavior Trees in Functional Safety Supervisors for Autonomous Vehicles

Carlos Conejo, Vicenç Puig, Bernardo Morcego, Francisco Navas, Vicente Milanés

TL;DR

A novel supervisor architecture based on behavior trees, aligned with established standards and designed to supervise vehicle functional safety in real time, is introduced; it specifically addresses the integration of algorithms into industrial road vehicles while adhering to ISO 26262.

Abstract

The rapid advancements in autonomous vehicle software present both opportunities and challenges, especially in enhancing road safety. The primary objective of autonomous vehicles is to reduce accident rates through improved safety measures. However, the integration of new algorithms into the autonomous vehicle, such as Artificial Intelligence methods, raises concerns about compliance with established safety regulations. This paper introduces a novel software architecture based on behavior trees, aligned with established standards and designed to supervise vehicle functional safety in real time. It specifically addresses the integration of algorithms into industrial road vehicles, adhering to ISO 26262. The proposed supervision methodology involves the detection of hazards and compliance with functional and technical safety requirements when a hazard arises. This methodology, implemented in this study in a Renault Mégane (currently at SAE level 3 of automation), not only guarantees compliance with safety standards, but also paves the way for safer and more reliable autonomous driving technologies.

Paper Structure (27 sections, 10 figures, 5 tables)

This paper contains 27 sections, 10 figures, 5 tables.

Figures (10)

  • Figure 1: Industrial procedure for the design of a self-driving car's software. The block diagram is divided into two groups, each corresponding to the safety standard followed. The Supervisor block designed in the article is part of the software development and depends on the HARA and TSC.
  • Figure 2: Fault Tree Analysis for hazards related to I_01: HZ_01 and HZ_02.
  • Figure 3: Block diagram of the proposed translation from static into dynamic safety analysis. The first phase, indicated with (A), consists of converting fault trees into FMP. Subsequently, the second phase of the translation, (B), gets the information from the HARA and from the already designed FMP to generate the FuSa supervisor for each OS defined in the ODD. Finally, the last step, (C), consists of finding the current OS and linking it with the corresponding OS FuSa supervisor.
  • Figure 4: Subtrees of hazards HZ_01 and HZ_02 fault detection, extracted from the translation of the FTA presented in Fig. 2. They represent the FMP for both hazards. The probabilities of Table \ref{table:probabilities_fta} have been considered for the order of event identification.
  • Figure 5: Structure of the fault recovery BT, specifically for the scenario $\text{OS}_3$ of item I_01. It is directly extracted from the HARA information, described in Table \ref{tab:HARA}. Hazard detection subtrees, HZ_01 and HZ_02, are detailed in Fig. 4. Hazards are prioritized by ASIL.
  • ...and 5 more figures
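The following is an added worked illustration of the translation that Figures 3 to 5 describe, written for this page and not taken from the paper or the authors' implementation. It builds a minimal behavior tree (Sequence and Fallback composites over Condition and Action leaves), translates a fault tree into a detection subtree (OR gates become Fallbacks, AND gates become Sequences, inputs ordered by descending probability), and composes the fault recovery tree for one operational situation with hazards prioritized by ASIL. Only the hazard identifiers HZ_01 and HZ_02 come from the captions; their ASIL levels, basic events, probabilities and recovery actions are constructed here, and the convention that a detection subtree returns SUCCESS when its hazard is present is this example's own choice.

```python
"""Behavior-tree functional-safety supervisor: an added illustration, not the paper's code.

Convention (an assumption of this example): a hazard-detection subtree returns
SUCCESS when the hazard is present, so it can be chained with a recovery action
inside a Sequence.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Status(Enum):
    SUCCESS = "SUCCESS"
    FAILURE = "FAILURE"


Blackboard = Dict[str, object]


class Condition:
    """Leaf: checks one basic event (a boolean signal on the blackboard)."""

    def __init__(self, name: str, prob: float):
        self.name, self.prob = name, prob  # prob: assumed failure probability

    def tick(self, bb: Blackboard) -> Status:
        return Status.SUCCESS if bb.get(self.name, False) else Status.FAILURE


class Action:
    """Leaf: records a recovery action on the blackboard and succeeds."""

    def __init__(self, name: str):
        self.name = name

    def tick(self, bb: Blackboard) -> Status:
        bb.setdefault("actions", []).append(self.name)
        return Status.SUCCESS


class Sequence:
    """Composite: ticks children left to right, fails at the first failure (AND)."""

    def __init__(self, children):
        self.children = list(children)

    def tick(self, bb: Blackboard) -> Status:
        for child in self.children:
            if child.tick(bb) is Status.FAILURE:
                return Status.FAILURE
        return Status.SUCCESS


class Fallback:
    """Composite: ticks children left to right, succeeds at the first success (OR)."""

    def __init__(self, children):
        self.children = list(children)

    def tick(self, bb: Blackboard) -> Status:
        for child in self.children:
            if child.tick(bb) is Status.SUCCESS:
                return Status.SUCCESS
        return Status.FAILURE


@dataclass
class Gate:
    """Fault-tree gate ('OR' or 'AND') over basic events or nested gates."""
    kind: str
    inputs: list


def gate_prob(node) -> float:
    """Probability of a fault-tree node, used only to order sibling checks."""
    if isinstance(node, Condition):
        return node.prob
    ps = [gate_prob(i) for i in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    q = 1.0  # OR gate: 1 - P(no input fails), inputs treated as independent
    for x in ps:
        q *= 1.0 - x
    return 1.0 - q


def fta_to_bt(node):
    """Phase (A): fault tree -> detection subtree. OR -> Fallback, AND -> Sequence;
    inputs are ordered so the likeliest cause is checked first."""
    if isinstance(node, Condition):
        return node
    ordered = sorted(node.inputs, key=gate_prob, reverse=True)
    children = [fta_to_bt(i) for i in ordered]
    return Sequence(children) if node.kind == "AND" else Fallback(children)


ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


@dataclass
class Hazard:
    hid: str
    asil: str
    fault_tree: Gate
    recovery: str  # safe-state action taken from the HARA/TSC for this OS


def build_os_supervisor(hazards: List[Hazard]) -> Fallback:
    """Phase (B): recovery tree for one operational situation. The highest-ASIL
    hazard is checked first; nominal driving runs only when no hazard is detected."""
    ranked = sorted(hazards, key=lambda h: ASIL_RANK[h.asil], reverse=True)
    branches = [Sequence([fta_to_bt(h.fault_tree), Action(h.recovery)]) for h in ranked]
    return Fallback(branches + [Action("nominal_driving")])


# Constructed hazard definitions: ASILs, events, probabilities and actions are illustrative.
HZ_01 = Hazard("HZ_01", "C",
               Gate("OR", [Condition("brake_actuator_fault", 0.01),
                           Condition("brake_cmd_timeout", 0.05)]),
               "controlled_stop")
HZ_02 = Hazard("HZ_02", "D",
               Gate("OR", [Condition("steer_actuator_fault", 0.02),
                           Gate("AND", [Condition("lateral_error_high", 0.10),
                                        Condition("steer_cmd_stale", 0.03)])]),
               "hold_lane_and_degrade")

SUPERVISOR = build_os_supervisor([HZ_01, HZ_02])


def supervise(signals: Dict[str, bool]) -> List[str]:
    """Tick the supervisor once on the current signals and return the actions taken."""
    bb: Blackboard = dict(signals)
    SUPERVISOR.tick(bb)
    return list(bb.get("actions", []))


def detection_order(hazard: Hazard) -> List[str]:
    """Basic events in the order the translated detection subtree checks them."""
    names: List[str] = []

    def walk(n):
        if isinstance(n, Condition):
            names.append(n.name)
        else:
            for c in n.children:
                walk(c)

    walk(fta_to_bt(hazard.fault_tree))
    return names


if __name__ == "__main__":
    print(detection_order(HZ_02))
    print(supervise({"brake_cmd_timeout": True, "steer_actuator_fault": True}))
```

Each tick evaluates a fresh blackboard, so the returned action list reflects only the current cycle; when both hazards are present the ASIL D branch wins because the top-level Fallback stops at its first successful child, which is the priority behaviour Figure 5 describes.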