To enable highly automated vehicles in which the driver is no longer a safety backup, the vehicle itself must deal with various Functional Insufficiencies (FIs). Thus far, there is no widely accepted functional architecture that maximizes the availability of autonomy while ensuring safety in complex vehicle operational design domains. In this paper, we present a survey of existing methods that strive to prevent or handle FIs. We observe that current design-time methods for preventing FIs lack completeness guarantees. Complementary solutions for online handling cannot suitably increase safety without seriously impacting the availability of journey-continuing autonomous functionality. To fill this gap, we propose the Safety Shell, a scalable multi-channel architecture and arbitration design built upon preexisting functional-safety redundant-channel architectures. We compare this novel approach to existing architectures using numerical case studies. The results show that the Safety Shell architecture allows the automated vehicle to be as safe as or safer than the alternatives while simultaneously improving the availability of vehicle autonomy, thereby increasing the possible coverage of online functional insufficiency handling.
Translation: To realize highly automated vehicles in which the driver no longer serves as a safety backup, the vehicle must cope with various functional insufficiencies. To date, in complex vehicle operational design domains, there is no widely accepted functional architecture that both maximizes the availability of autonomous driving and ensures safety. This paper surveys existing methods for preventing or handling functional insufficiencies. We find that current design-time methods for preventing functional insufficiencies lack completeness guarantees, and that complementary online handling solutions struggle to improve safety effectively without seriously impairing the availability of journey-continuing autonomous functionality. To fill this gap, we propose the Safety Shell, a scalable multi-channel architecture and arbitration design built on existing functional-safety redundant-channel architectures. Through numerical case studies, we compare this novel approach with existing architectures. The results show that the Safety Shell architecture makes the automated vehicle as safe as or safer than the alternatives while also improving the availability of vehicle autonomy, thereby expanding the coverage of online functional insufficiency handling.