Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. We study a method for building compositionally safe autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result that treats autopilots as dynamic systems receiving a small number of types of driving configurations as input, each configuration defining a free space in its neighborhood. It is shown that safe driving for each type of configuration in the corresponding free space implies safe driving for any possible scenario, under some easy-to-check conditions concerning the transition between configurations. The designed autopilot comprises distinct control policies, one per type of driving configuration, articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. The designed autopilots base their predictions on simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for solutions that incorporate mathematically elegant and robust decision methods that are safe by construction.
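The two-phase policy and the configuration handover condition sketched above, as an added toy model written for this page and not the paper's autopilot: it assumes constant bounded acceleration and deceleration capabilities, a braking-distance function as the "simple" capability function, and a single free-space limit ahead of the vehicle; all parameter values are constructed.

```python
import math

# Constructed capability parameters (assumptions, not taken from the paper).
A_MAX = 2.0   # acceleration capability, m/s^2
B_MAX = 4.0   # deceleration capability, m/s^2
DT = 0.1      # control period, s

def braking_distance(v: float) -> float:
    """Capability function: distance needed to stop from speed v."""
    return v * v / (2.0 * B_MAX)

def safe(pos: float, v: float, free_end: float) -> bool:
    """Safety invariant: the vehicle can still stop inside its free space."""
    return pos + braking_distance(v) <= free_end + 1e-6

def max_safe_speed(pos: float, v: float, free_end: float) -> float:
    """Largest speed u reachable in one period (constant acceleration from v to
    u) that keeps the invariant: root of u^2 + B*DT*u + B*(v*DT - 2*s) <= 0."""
    s = free_end - pos
    disc = (B_MAX * DT) ** 2 - 4.0 * B_MAX * (v * DT - 2.0 * s)
    return (-B_MAX * DT + math.sqrt(max(0.0, disc))) / 2.0

def step(pos, v, free_end, cleared, v_target):
    """One period of the two-phase policy (assumes v_target > 0). Phase 1 (not
    cleared): virtually reduce speed so the braking distance fits in the free
    space. Phase 2 (cleared): accelerate towards v_target. Returns (pos, v)."""
    v_new = min(v_target, v + A_MAX * DT)
    if not cleared:
        v_new = min(v_new, max_safe_speed(pos, v, free_end))
    if v_new <= 0.0:
        # Only reachable from v <= B_MAX*DT when the invariant holds: brake
        # at B_MAX to a standstill within this period, exactly at the limit.
        return pos + braking_distance(v), 0.0
    v_new = max(v_new, v - B_MAX * DT)          # bounded deceleration
    return pos + 0.5 * (v + v_new) * DT, v_new   # constant-acceleration kinematics

def transition_ok(pos, v, next_free_end):
    """Easy-to-check handover condition: the invariant must already hold for
    the free space of the incoming configuration, else its policy has no guarantee."""
    return safe(pos, v, next_free_end)

def simulate(free_end=60.0, clear_after=80, v0=15.0, v_target=20.0, steps=200):
    """Phase 1 until step clear_after, then phase 2. Returns the trajectory
    and whether the invariant held at every phase-1 step."""
    pos, v, traj, ok = 0.0, v0, [], True
    for i in range(steps):
        cleared = i >= clear_after
        pos, v = step(pos, v, free_end, cleared, v_target)
        traj.append((round(pos, 3), round(v, 3)))
        ok = ok and (cleared or safe(pos, v, free_end))
    return traj, ok
```

With the default parameters the vehicle accelerates briefly, then brakes to a standstill exactly at the free-space limit, and resumes its target speed once the situation is cleared; `transition_ok` rejects a handover into a configuration whose free space is already shorter than the current braking distance.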