Automated Driving (AD) systems have the potential to increase safety, comfort and energy efficiency. Recently, major automotive companies have started testing and validating AD systems (ADS) on public roads. Nevertheless, the commercial deployment and wide adoption of ADS have been moderate, partially due to system functional insufficiencies (FIs) that undermine passenger safety and lead to hazardous situations on the road. FIs are defined in ISO 21448 Safety Of The Intended Functionality (SOTIF). FIs are insufficiencies in sensors, actuators and algorithm implementations, including neural networks and probabilistic calculations. Examples of FIs in ADS include inaccurate ego-vehicle localization on the road, incorrect prediction of a cyclist maneuver, unreliable detection of a pedestrian, etc. The main goal of our study is to formulate a generic architectural design pattern, compatible with existing methods and ADS, that improves FI mitigation and enables faster commercial deployment of ADS. First, we studied the 2021 autonomous vehicle disengagement reports published by the California Department of Motor Vehicles (DMV). The data clearly show that disengagements are five times more often caused by FIs than by system faults. We then compiled a comprehensive list of insufficiencies and their characteristics by analyzing over 10 hours of publicly available road test videos. In particular, we identified insufficiency types in four major categories: world model, motion plan, traffic rule, and operational design domain. The insufficiency characterization helps make the SOTIF analyses of triggering conditions more systematic and comprehensive. Based on our FI characterization, simulation experiments and literature survey, we define a novel generic architectural design pattern, Daruma, that dynamically selects the channel least likely to have an FI at the moment.
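The channel-selection idea behind Daruma, as an added example that is not the paper's code: each redundant channel reports a per-category estimate of how likely an FI is present right now, and the arbiter keeps the channel with the lowest worst-case estimate. The per-channel self-assessment, the worst-case aggregation over the four FI categories and the hysteresis margin are assumptions of this example, not mechanisms described in the abstract.

```python
"""Illustrative Daruma-style channel arbiter (added example, not the paper's code).

Assumptions (not from the abstract): every redundant channel publishes a
self-assessed FI likelihood per category; the arbiter selects the channel with
the lowest worst-case likelihood and only switches when the improvement exceeds
a hysteresis margin, so noisy estimates do not make the selection flap.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four FI categories identified in the abstract.
CATEGORIES = ("world_model", "motion_plan", "traffic_rule", "odd")


@dataclass
class ChannelEstimate:
    name: str
    # category -> estimated probability in [0, 1] that an FI is present now
    likelihoods: Dict[str, float]

    def worst_case(self) -> float:
        # A channel is only as trustworthy as its weakest category.
        return max(self.likelihoods.get(c, 0.0) for c in CATEGORIES)


class DarumaArbiter:
    def __init__(self, margin: float = 0.1):
        self.margin = margin          # hysteresis: required gain before switching
        self.active: Optional[str] = None

    def select(self, estimates: List[ChannelEstimate]) -> str:
        if not estimates:
            raise ValueError("no channel estimates available")
        best = min(estimates, key=lambda e: e.worst_case())
        current = next((e for e in estimates if e.name == self.active), None)
        # Stay on the current channel unless the best one is clearly better.
        if current is not None and current.worst_case() - best.worst_case() < self.margin:
            return self.active
        self.active = best.name
        return self.active
```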