The Safety Shell: an Architecture to Handle Functional Insufficiencies in Automated Driving

To enable highly automated vehicles where the driver is no longer a safety backup, the vehicle must deal with various Functional Insufficiencies (FIs). Thus-far, there is no widely accepted functional architecture that maximizes the availability of autonomy and ensures safety in complex vehicle operational design domains. In this paper, we present a survey of existing methods that strive to prevent or handle FIs. We observe that current design-time methods of preventing FIs lack completeness guarantees. Complementary solutions for on-line handling cannot suitably increase safety without seriously impacting availability of journey continuing autonomous functionality. To fill this gap, we propose the Safety Shell, a scalable multi-channel architecture and arbitration design, built upon preexisting functional safety redundant channel architectures. We compare this novel approach to existing architectures using numerical case studies. The results show that the Safety Shell architecture allows the automated vehicle to be as safe or safer compared to alternatives, while simultaneously improving availability of vehicle autonomy, thereby increasing the possible coverage of on-line functional insufficiency handling.Comment: 18 pages, 23 figures, 6 tables --> 21/11/2023 resubmitted with new content based on reviews, removed erroneously included formattin

Evaluation of the Safety Shell Architecture for Automated Driving in a Realistic Simulator

The transition from advanced driver assistance systems to highly automated vehicles proves to be difficult, as the driver is no longer a safety fallback for the latter systems. One of the main challenges is formed by edge cases in the encountered driving scenarios that trigger functional insufficiencies in automated driving (AD) systems. Functional insufficiencies, for the sake of understanding, may be viewed as an inappropriate understanding of or response to a scenario in an AD system, which in turn causes dangerous vehicle behavior. Prior research suggests that using an architecture capable of including redundant heterogeneous AD systems as separate channels, such as the Safety Shell, can mitigate some of these functional insufficiencies. However, this benefit has only been evaluated in limited and deterministic simulation environments. To overcome this, our objectives in this paper are to (i) develop an experimental method for extensive testing of such architectures, and (ii) to assess the suitability of the Safety Shell architecture to handle edge cases with this new method. Using the developed experimental setup we observe a significant safety and availability increase of the Safety Shell compared to the included individual AD channels in the tested scenarios. Finally, our study provides insight into the requirements for the evaluated AD channels.</p

Characterization and Mitigation of Insufficiencies In Automated Driving Systems

Automated Driving (AD) systems have the potential to increase safety, comfort and energy efficiency. Recently, major automotive companies have started testing and validating AD systems (ADS) on public roads. Nevertheless, the commercial deployment and wide adoption of ADS have been moderate, partially due to system functional insufficiencies (FI) that undermine passenger safety and lead to hazardous situations on the road. In contrast to system faults that are analyzed by the automotive functional safety standard ISO 26262, FIs are defined in ISO 21448 Safety Of The Intended Functionality (SOTIF). FIs are insufficiencies in sensors, actuators and algorithm implementations, including neural networks and probabilistic calculations. Examples of FIs in ADS include inaccurate ego-vehicle localization on the road, incorrect prediction of a cyclist maneuver, unreliable detection of a pedestrian in rainy weather using cameras and image processing algorithms, etc. The main goal of the study is to formulate a generic architectural design pattern, which is compatible with existing methods and ADS, to improve FI mitigation and enable faster commercial deployment of ADS. First, the authors studied the 2021 autonomous vehicles disengagement reports published by the California Department of Motor Vehicles (DMV). The data clearly show that disengagements are five times more often caused by FIs rather than by system faults. They then made a comprehensive list of insufficiencies and their characteristics by analyzing over 10 hours of publicly available road test videos. In particular, the authors identified insufficiency types in four major categories: world model, motion plan, traffic rule, and operational design domain. The insufficiency characterization helps making the SOTIF analyses of triggering conditions more systematic and comprehensive. To handle faults, modern ADS already integrate multiple AD channels, where each channel is composed of sensors and processors running AD software. The characterization study triggered a hypothesis that these heterogeneous channels can also complement each other’s capabilities to mitigate insufficiencies in vehicle operation. To verify the hypothesis, the authors built an open-loop automated driving simulation environment based on the LG SVL simulator. Three realistic AD channels (Baidu Apollo, Autoware.Auto, and comma.ai openpilot) were tested in the same driving scenario. The experiments suggest that even advanced AD channels have insufficiencies that can be mitigated by switching control to another (possibly less advanced) AD channel at the right moment. Based on the FI characterization, simulation experiments and literature survey, the authors define a novel generic architectural design pattern Daruma to dynamically select the channel that is least likely to have a FI at the moment. The key component of the pattern does cross-channel analysis, in which planned trajectories and world models from different AD channels are mutually evaluated. The output of the cross-channel analysis is combined with more traditional fault detections in a safety fusion component. The safety fusion then feeds an aggregated per-channel safety score to the high-level arbiter, which eventually selects the AD channel to control the vehicle. The formulated architectural pattern can help manufactures of autonomous vehicles in mitigating FIs. Limitations of the study suggest interesting future work, including algorithmic research on cross-channel analysis and safety fusion, as well as evaluation of the cross-channel analysis in simulations and road tests

Higher incidence of clear cell adenocarcinoma of the cervix and vagina among women born between 1947 and 1971 in the United States

Although the association between in utero exposure to diethylstilbestrol (DES) and clear cell adenocarcinoma of the cervix and vagina (CCA) was first reported among young women, subsequent case reports and cohort studies suggest that an elevated risk for CCA may persist with age. Data from the National Program of Cancer Registries (NPCR) and the Surveillance, Epidemiology and End Results (SEER) Program were used to construct indirect standardized incidence ratios (SIR) comparing CCA risk among women born during the exposure period 1947 through 1971, when DES was prescribed to pregnant women, to the relevant time period for nonexposed women born before or after DES exposure period. CCA incidence among the women born before the DES exposure period (ages 30–54 at diagnosis of CAA) or after the DES exposure period (ages 15–29 at diagnosis) were used to calculate the expected rates for women born during the DES exposure period. Among women aged 15–29 years, CCA risk increased with age and peaked in the 25–29 year age group, but the risk estimates were unstable (SIR = 6.06; 95% CI: 0.97, −251.07, SEER data). Among women aged 40–54 years, CCA risk was greatest in the 40–44 year age group (SIR = 4.55; 95% CI: 1.11, 40.19, SEER data and SIR = 3.94; 95% CI: 1.06, 33.01, NPCR/SEER data) and remained significantly elevated throughout this age group in the combined data set. Risk was not elevated among women aged 30–39 years. The observed risk of CCA, if causally related to DES exposure, reflects a persistent health impact from in utero exposure that is widespread in the general population. When assessing a woman’s cancer risks, whether her mother took DES while pregnant may still be a relevant aspect of the medical history for women born during the period of DES use in pregnancy

Two-year survival and disease recurrence after endosonography with or without confirmatory mediastinoscopy for resectable lung cancer (a short communication of the MEDIASTrial follow-up)

Resectable non-small cell lung cancer (NSCLC) with increased risk of mediastinal nodal involvement requires invasive staging prior to surgical resection. The MEDIASTrial was a multicenter non-inferiority trial randomly assigning patients after negative endosonography to immediate lung tumor resection (n = 178) or to mediastinoscopy first (n = 182), only followed by tumor resection after negative mediastinoscopy. The omission of confirmatory mediastinoscopy after negative endosonography led to a clinically negligible and non-inferior increase in unforeseen N2. We report the two-year overall and disease-free survival (OS and DFS) and the health-related quality-of-life (HRQoL) gathered with the QLQ-C30 and QLQ-LC13 questionnaires. After randomization seven drop-outs were observed in both groups. Time to 80 % OS was 25 months in the immediate resection group versus 20 months in the mediastinoscopy group (adjusted HR 0.8, 95 % CI: 0.5–1.3). Time to 65 % DFS was 25 months in the immediate resection group versus 25 months in the mediastinoscopy group (adjusted HR 0.9, 95 % CI: 0.6–1.4). The HRQoL scores were comparable among the groups during the two-year follow-up. The loss in diagnostic yield by omitting confirmatory mediastinoscopy after negative systematic endosonography has no impact on two-year OS, DFS and HRQoL in patients with resectable NSCLC and an indication for invasive mediastinal nodal staging.</p

Additional Techniques in Serous Effusions

Cytological examination is a valuable diagnostic tool in case of a serous effusion. The firstmanifestation of malignancy may be an effusion of the pleural, pericardial, or peritoneal cavity, especially in carcinoma of the ovary, or lung, and malignant mesothelioma. In other malignancies effusions may occur in the course of the disease. The contribution by Motherby et al. in this issue of ACP focuses on the contribution of image and flow cytometry to establish the presence or absence of malignancy in serous effusions [16]. They point out that the sensitivity of DNA image cytometry in equivocal effusions may be as high as 87.5%, and that for the detection of malignancy, DNA image cytometry is superior to flow cytometry

Detection and Mitigation of Functional Insufficiencies in Autonomous Vehicles:The Safety Shell

Autonomous vehicles (AVs) promise to reduce greenhouse gas emissions, increase comfort and throughput of transportation, while simultaneously significantly reducing traffic deaths. To allow autonomous vehicles to satisfy the high safety levels for unsupervised participation in realistic traffic, the faults and functional insufficiencies of AV systems need to be mitigated during operation. Unfortunately, current state-of-the-art functional insufficiency detection and mitigation methods do not provide large enough safety improvements, without impeding the availability of safe autonomous functionality. To fill this gap, we propose the Safety Shell, an implementable multi-channel architecture and arbitration method. The ability to increase the number of parallel AV function channels allows for a path to safe AV systems, while the novel arbitration method ensures availability for comfortable journey continuation. The flexibility and benefits of the Safety Shell are shown using use case studies.Autonomous vehicles (AVs) promise to reduce greenhouse gas emissions, increase comfort and throughput of transportation, while simultaneously significantly reducing traffic deaths. To allow autonomous vehicles to satisfy the high safety levels for unsupervised participation in realistic traffic, the faults and functional insufficiencies of AV systems need to be mitigated during operation. Unfortunately, current state-of-the-art functional insufficiency detection and mitigation methods do not provide large enough safety improvements, without impeding the availability of safe autonomous functionality. To fill this gap, we propose the Safety Shell, an implementable multi-channel architecture and arbitration method. The ability to increase the number of parallel AV function channels allows for a path to safe AV systems, while the novel arbitration method ensures availability for comfortable journey continuation. The flexibility and benefits of the Safety Shell are shown using use case studies