Autonomous driving systems (ADSs) integrate sensing, perception, drive control, and several other critical tasks in autonomous vehicles, motivating research into techniques for assessing their safety. While there are several approaches for testing and analysing them in high-fidelity simulators, ADSs may still encounter additional critical scenarios beyond those covered once they are deployed on real roads. An additional level of confidence can be established by monitoring and enforcing critical properties when the ADS is running. Existing work, however, is only able to monitor simple safety properties (e.g., avoidance of collisions) and is limited to blunt enforcement mechanisms such as hitting the emergency brakes. In this work, we propose REDriver, a general and modular approach to runtime enforcement, in which users can specify a broad range of properties (e.g., national traffic laws) in a specification language based on signal temporal logic (STL). REDriver monitors the planned trajectory of the ADS based on a quantitative semantics of STL, and uses a gradient-driven algorithm to repair the trajectory when a violation of the specification is likely. We implemented REDriver for two versions of Apollo (i.e., a popular ADS), and subjected it to a benchmark of violations of Chinese traffic laws. The results show that REDriver significantly improves Apollo's conformance to the specification with minimal overhead.