Automated driving systems can help address a wide range of societal challenges, e.g., mobility-on-demand and transportation logistics for last-mile delivery, by assisting the vehicle driver or by taking over responsibility for the dynamic driving task partially or completely. Ensuring the safety of automated driving systems is no trivial task, even more so for systems of SAE Level 3 or above. To achieve this, mechanisms are needed that continuously monitor the system's operating conditions, also denoted as the system's operational design domain (ODD). This paper presents a safety concept for automated driving systems that combines onboard runtime monitoring via a connected dependability cage with off-board runtime monitoring via a remote command control center in order to continuously monitor the system's ODD. On the one hand, the connected dependability cage fulfills a double functionality: (1) continuously monitoring the ODD of the automated driving system, and (2) transferring responsibility smoothly and safely between the automated driving system and the off-board remote safety driver, who is present in the remote command control center. On the other hand, the remote command control center enables the remote safety driver to monitor the vehicle and to take over its control. We evaluate our safety concept for automated driving systems in a lab environment and on a test field track and report on results and lessons learned.
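The following is an added illustration, not code from the paper or its authors: a minimal onboard dependability cage written as a runtime monitor with a responsibility-transfer state machine. The ODD envelope (speed, visibility, road type), the remote-center heartbeat, the handover and heartbeat timeouts, and the sample trace are all constructed assumptions chosen to exercise the concept; the paper's actual ODD criteria and protocol are not given here. The point it shows beyond the text is the failure-mode handling a monitor of this kind needs: an ODD violation triggers a handover request only while the off-board link is alive, an unanswered request or a dead link while responsibility is off-board falls back to a minimal-risk manoeuvre, and a takeover assertion that arrives over a stale link is ignored.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional


class Mode(Enum):
    ADS_ACTIVE = auto()          # ADS holds the dynamic driving task
    HANDOVER_REQUESTED = auto()  # cage has asked the remote safety driver to take over
    REMOTE_CONTROL = auto()      # remote safety driver holds the dynamic driving task
    MINIMAL_RISK = auto()        # fallback: ADS performs a minimal-risk manoeuvre


@dataclass(frozen=True)
class OddLimits:
    """Hypothetical ODD envelope (assumed values, not the paper's criteria)."""
    max_speed_mps: float
    min_visibility_m: float
    road_types: frozenset


@dataclass(frozen=True)
class Sample:
    """One monitoring tick; constructed fields, not a real sensor/telemetry interface."""
    t: float                 # vehicle time, seconds
    speed_mps: float
    visibility_m: float
    road_type: str
    remote_takeover: bool    # remote driver asserts control (ack of a request, or proactive)
    last_heartbeat_t: float  # time of the last heartbeat received from the command center


class DependabilityCage:
    def __init__(self, limits: OddLimits, handover_timeout_s: float = 5.0,
                 heartbeat_timeout_s: float = 1.0):
        self.limits = limits
        self.handover_timeout_s = handover_timeout_s
        self.heartbeat_timeout_s = heartbeat_timeout_s
        self.mode = Mode.ADS_ACTIVE
        self.handover_started_t: Optional[float] = None

    def odd_violations(self, s: Sample) -> List[str]:
        """Names of the ODD conditions the current sample violates (empty = inside ODD)."""
        v = []
        if s.speed_mps > self.limits.max_speed_mps:
            v.append("speed")
        if s.visibility_m < self.limits.min_visibility_m:
            v.append("visibility")
        if s.road_type not in self.limits.road_types:
            v.append("road_type")
        return v

    def step(self, s: Sample) -> Mode:
        """Advance the responsibility-transfer state machine by one tick."""
        link_ok = (s.t - s.last_heartbeat_t) <= self.heartbeat_timeout_s
        violations = self.odd_violations(s)

        if self.mode == Mode.MINIMAL_RISK:
            return self.mode  # absorbing state; only an explicit restart leaves it
        if not link_ok and self.mode != Mode.ADS_ACTIVE:
            # Responsibility is, or is about to be, off-board and the link died:
            # the remote driver can no longer act, so fall back onboard.
            self.mode = Mode.MINIMAL_RISK
            return self.mode

        if self.mode == Mode.ADS_ACTIVE:
            if link_ok and s.remote_takeover:
                self.mode = Mode.REMOTE_CONTROL          # proactive takeover over a live link
            elif violations and link_ok:
                self.mode = Mode.HANDOVER_REQUESTED      # leaving the ODD: ask for takeover
                self.handover_started_t = s.t
            elif violations:
                self.mode = Mode.MINIMAL_RISK            # leaving the ODD with nobody to hand to
            # a takeover asserted over a stale link is ignored: mode stays ADS_ACTIVE
        elif self.mode == Mode.HANDOVER_REQUESTED:
            if s.remote_takeover:
                self.mode = Mode.REMOTE_CONTROL          # remote driver acknowledged
            elif s.t - self.handover_started_t > self.handover_timeout_s:
                self.mode = Mode.MINIMAL_RISK            # nobody took over in time
        # REMOTE_CONTROL persists as long as the link is alive (checked above)
        return self.mode


def run_trace(cage: DependabilityCage, samples: List[Sample]) -> List[Mode]:
    return [cage.step(s) for s in samples]


# Constructed trace: inside ODD, visibility drops, remote driver takes over, link is lost.
LIMITS = OddLimits(max_speed_mps=8.0, min_visibility_m=50.0, road_types=frozenset({"test_track"}))
DEMO_TRACE = [
    Sample(0.0, 5.0, 100.0, "test_track", False, 0.0),
    Sample(2.0, 5.0, 30.0, "test_track", False, 2.0),   # visibility below ODD minimum
    Sample(4.0, 5.0, 30.0, "test_track", True, 4.0),    # remote driver acknowledges
    Sample(7.0, 5.0, 30.0, "test_track", True, 5.0),    # no heartbeat for 2 s
]

if __name__ == "__main__":
    for s, m in zip(DEMO_TRACE, run_trace(DependabilityCage(LIMITS), DEMO_TRACE)):
        print(f"t={s.t:4.1f}  violations={DependabilityCage(LIMITS).odd_violations(s)}  mode={m.name}")
```

In a deployment the heartbeat and the takeover assertion would be authenticated messages on a protected channel rather than a timestamp and a flag, since anything that can forge "remote driver has control" can silence the onboard fallback; the state machine above treats link liveness as a precondition for every off-board transition so that such a forgery over a dead or stale link has no effect.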