https://www.mdu.se/

Mass-produced passenger vehicles are one of the greatest inventions of the 20^th century that significantly changed human lives. Several safety measures such as traffic signs, traffic lights, mandatory driver education, seat belts, airbags, and anti-lock braking systems were introduced throughout the years. Today, a further increase in safety, comfort, and efficiency is being targeted by developing systems with automated driving capabilities. These systems range from those supporting the driver with a particular function (e.g., ensuring vehicle drives with constant speed while keeping a safe distance to other road participants) to taking all driving responsibilities from the driver (i.e., full driving automation). The development and series production of the former has already been accomplished, whereas reaching full driving automation still presents many challenges.

The main reason is the shift of all driving responsibilities, including the responsibility for the overall vehicle safety, from the human driver to a computer-based system responsible for the automated driving functionality (i.e., the Automated Driving System (ADS)). Such a shift makes the ADS highly safety-critical, and the consensus of cross-domain experts is that there is no “silver bullet” for ensuring the required levels of safety. Instead, a set of complementary safety methods are necessary.

In this context, runtime monitoring that continuously verifies the safe operation of the ADS, once deployed on public roads, is a promising complementary approach for ensuring safety. However, the development of a runtime monitoring solution is a challenge on its own. On a conceptual level, the complex and opaque technology used in ADS often makes researchers doubt “what” a runtime monitor should verify and “how” such verification should be performed.

This thesis proposes novel runtime monitoring solutions for verifying the safe operation of ADS. On a conceptual level, a novel Runtime Verification (RV) approach, namely the Safe Driving Envelope- Verification (SDE-V), answers the “what” and “how” of monitoring an ADS. In particular, the SDE-V approach verifies whether the ADS path planner output (i.e., a trajectory) is safe to be executed by the vehicle’s actuators. To perform this verification, the trajectory is checked against the following safety rules: (i) trajectory not leading into collision with obstacles on the road, and (ii) trajectory not leaving the road edge.

Towards realizing the proposed SDE-V concept into an actual solution, additional concepts, methods, and architectural solutions have been developed. Our contributions in this context include : (i) a concept for reducing the false positive rate of SDE-V, (ii) a method for evaluating the quality of runtime monitors by investigating to what extent they can handle faults related to different classes of real accident scenarios, (iii) a modular and scalable fail-operational architecture which enables integration of multiple RV approaches alongside the SDE-V, (iv) estimation of a “forecast horizon” to ensure the timely execution of emergency actions upon an ADS failure detection by SDE-V, and (v) an approach to tackle the out-of-sequence measurement problem in sensor fusion-based ADS. A prototype implementation of SDV-E has been realized on an automotive-grade embedded platform. Based on its promising results, a future industrial implementation Project has been initiated.