Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. Currently, there is increasing interest in hybrid design solutions that integrate machine learning components where necessary while using model-based components for goal management and planning. We study a method for building safe-by-design autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result that considers autopilots as dynamic systems receiving a small number of types of vistas as input, each vista defining a free space in its neighborhood. It is shown that safe driving for each type of vista in the corresponding free space implies safe driving for any possible scenario, under some easy-to-check conditions concerning the transitions between vistas. The designed autopilot comprises distinct control policies, one per type of vista, each articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. For their predictions, the designed autopilots use simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for hybrid solutions that incorporate mathematically elegant and robust decision methods that are safe by design.
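As an added illustration of the two-phase, per-vista control idea described above (example code written for this page, not the authors' autopilot or any code from the paper): the vehicle capability model is reduced to a constant maximum acceleration and braking deceleration, the "simple function" used for prediction is the stopping distance v^2/(2b), the safety invariant is that the stopping distance always fits inside the current vista's free space, and the vista transition check is that the current speed already satisfies that invariant in the next vista. All of these modelling choices, the vista labels ("red_light", "open_road"), and the scenario numbers are constructed assumptions, not values taken from the paper. The scenario is a red light ahead that turns green after a few seconds: phase 1 holds or reduces speed so the car can always stop before the line, and phase 2 accelerates away once the vista changes.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Caps:
    """Assumed vehicle capability model (not taken from the paper): constant
    maximum acceleration a_max, constant maximum braking b_max, speed cap v_max."""
    a_max: float   # m/s^2
    b_max: float   # m/s^2, positive
    v_max: float   # m/s


@dataclass
class Vista:
    """A vista reduced to its type and the free space it defines ahead of the car."""
    kind: str          # constructed labels such as "red_light" or "open_road"
    free_space: float  # metres of free space ahead, measured from the car


def stopping_distance(v: float, caps: Caps) -> float:
    """Distance needed to brake from speed v to a stop at full braking b_max."""
    return v * v / (2.0 * caps.b_max)


def is_safe(v: float, vista: Vista, caps: Caps) -> bool:
    """Safety invariant: the car can always come to a stop inside the free space."""
    return stopping_distance(v, caps) <= vista.free_space + 1e-9


def can_transition(v: float, new_vista: Vista, caps: Caps) -> bool:
    """Transition check between vistas (our reading of the paper's condition):
    the current speed must already satisfy the invariant in the next vista."""
    return is_safe(v, new_vista, caps)


def max_safe_next_speed(v: float, free_space: float, caps: Caps, dt: float) -> float:
    """Largest speed v' reachable in one step of length dt such that, after
    travelling (v + v') * dt / 2, the stopping distance of v' still fits in the
    remaining free space F:  v'^2 / (2 b) + (v + v') dt / 2 <= F.
    That is the larger root of v'^2 + b dt v' + b (v dt - 2F) <= 0."""
    b = caps.b_max
    disc = (b * dt) ** 2 + 4.0 * b * (2.0 * free_space - v * dt)
    if disc < 0.0:
        return 0.0
    return max(0.0, (-b * dt + math.sqrt(disc)) / 2.0)


def policy_step(v: float, vista: Vista, caps: Caps, dt: float, phase: str):
    """One control step. Returns (next speed, distance travelled during dt)."""
    v_safe = max_safe_next_speed(v, vista.free_space, caps, dt)
    if phase == "manage":
        # Phase 1: never speed up; brake only as much as the invariant requires.
        v_next = min(v, v_safe)
    else:
        # Phase 2: accelerate out of the situation, still bounded by the invariant.
        v_next = min(v + caps.a_max * dt, caps.v_max, v_safe)
    # Respect the braking capability and never go negative.
    v_next = max(v_next, v - caps.b_max * dt, 0.0)
    return v_next, (v + v_next) * dt / 2.0


def simulate_red_light(caps: Caps, dt: float = 0.1, v0: float = 15.0,
                       dist_to_line: float = 80.0, green_at: float = 6.0,
                       open_road_free: float = 300.0, horizon: float = 15.0) -> dict:
    """Constructed scenario: a red light dist_to_line metres ahead turns green
    at t = green_at, at which point the vista becomes open road with
    open_road_free metres of free space. Returns summary figures."""
    vista = Vista("red_light", dist_to_line)
    phase, v = "manage", v0
    violations, min_free_manage, v_at_green = 0, dist_to_line, None
    for k in range(int(round(horizon / dt))):
        t = k * dt
        if phase == "manage" and t >= green_at:
            candidate = Vista("open_road", open_road_free)
            if can_transition(v, candidate, caps):
                vista, phase, v_at_green = candidate, "exit", v
        if not is_safe(v, vista, caps):
            violations += 1          # counted, never expected to happen
        v, travelled = policy_step(v, vista, caps, dt, phase)
        vista.free_space -= travelled
        if phase == "manage":
            min_free_manage = min(min_free_manage, vista.free_space)
    return {"violations": violations, "min_free_space_manage": min_free_manage,
            "v_at_green": v_at_green, "v_final": v, "phase_final": phase}


if __name__ == "__main__":
    print(simulate_red_light(Caps(a_max=2.0, b_max=4.0, v_max=25.0)))
```

The point of the construction is that the invariant is checked against the free space of the vista the car is in, so proving it for each vista type, plus the transition condition, is what makes the composition safe; the simulation only confirms the invariant holds throughout and that the car never reaches the stop line while the light is red.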