The advancement of automated vehicles introduces complex safety challenges, particularly in dynamic and unpredictable environments where AI-enabled perception systems must operate reliably. Ensuring compliance with safety standards such as ISO 26262 and ISO/PAS 21448 (SOTIF) is essential for addressing system malfunctions and mitigating unsafe behavior in unknown scenarios. However, as automation levels increase, vehicles must go beyond conventional functional safety by incorporating fail-operational capabilities that enable continued safe operation during system or component failures and the handling of unfamiliar or degraded operational conditions. To address these safety concerns, we propose the Connected Dependability Cage, an architectural framework designed to enable hierarchical fail-operational behavior in AI-enabled perception systems. This framework integrates two complementary monitoring mechanisms: a Function Monitor that oversees multiple heterogeneous AI-based perception pipelines and detects inconsistencies through a voting mechanism, and an Anomaly Monitor that evaluates the reliability of AI perception by detecting unknown or novel objects in scenes that may be excluded from the training dataset. In the presence of critical discrepancies, the system supports graceful degradation, ultimately enabling a transition to a minimal-risk maneuver strategy. Furthermore, whenever either monitor raises a safety flag, an automated data recording process is initiated to facilitate iterative system development and continuous improvement. Both monitors have been implemented and validated through extensive vehicle testing, demonstrating their practical effectiveness in real-world applications.
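As an added illustration (not code from the paper or its authors), the following Python sketch models the two monitors and the degradation path described above: a majority-vote Function Monitor across three assumed perception pipelines, a threshold-based Anomaly Monitor on an assumed novelty score, and a state machine that degrades and then switches to a minimal-risk maneuver while recording every flagged frame. The threshold, strike count, pipeline names and frame data are constructed assumptions, not values from the paper.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    NOMINAL = "nominal"
    DEGRADED = "degraded"          # graceful degradation (assumed: reduced function)
    MINIMAL_RISK = "minimal_risk"  # minimal-risk maneuver, treated as terminal here

@dataclass
class Frame:
    pipeline_outputs: dict   # assumed: pipeline name -> object class it reports
    novelty_score: float     # assumed: 0..1 score from an anomaly detector

@dataclass
class CageState:
    mode: Mode = Mode.NOMINAL
    strikes: int = 0
    recorded: list = field(default_factory=list)  # automated data recording

NOVELTY_THRESHOLD = 0.7   # assumed value
STRIKES_TO_MRM = 2        # assumed: consecutive flags before minimal-risk maneuver

def function_monitor(outputs):
    """Vote across heterogeneous pipelines; consistent only with a strict majority."""
    label, count = Counter(outputs.values()).most_common(1)[0]
    return count * 2 > len(outputs), label

def anomaly_monitor(novelty):
    """True when the scene looks in-distribution, False on a likely unknown object."""
    return novelty < NOVELTY_THRESHOLD

def step(state, frame, frame_id):
    consistent, label = function_monitor(frame.pipeline_outputs)
    flagged = not (consistent and anomaly_monitor(frame.novelty_score))
    if flagged:
        state.recorded.append((frame_id, frame))      # record for later development
        state.strikes += 1
        state.mode = Mode.MINIMAL_RISK if state.strikes >= STRIKES_TO_MRM else Mode.DEGRADED
    else:
        state.strikes = 0
        if state.mode == Mode.DEGRADED:               # recover only from DEGRADED
            state.mode = Mode.NOMINAL
    return state.mode, (label if consistent else None)

def run(frames):
    state = CageState()
    trace = [step(state, f, i)[0] for i, f in enumerate(frames)]
    return trace, state

SAMPLE_FRAMES = [  # constructed sample input
    Frame({"camera": "car", "lidar": "car", "radar": "car"}, 0.1),          # all agree
    Frame({"camera": "car", "lidar": "pedestrian", "radar": "car"}, 0.1),   # majority
    Frame({"camera": "car", "lidar": "pedestrian", "radar": "cyclist"}, 0.2),  # no majority
    Frame({"camera": "car", "lidar": "car", "radar": "car"}, 0.9),          # novel object
    Frame({"camera": "car", "lidar": "car", "radar": "car"}, 0.1),          # stays in MRM
]
```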