Safety Bag for complex systems.

Authors
Publication date
2018
Publication type
Thesis
Summary

Autonomous vehicles are critical systems: their failures can cause catastrophic damage to humans and to the environment in which they operate. The control of robotic autonomous vehicles is a complex function with many potential failure modes. For experimental platforms that have not followed the development methods and certification cycle required of industrial systems, the probability of failure is much higher. These experimental vehicles face two problems that hinder their dependability, i.e. the justified confidence one can have in their correct behavior. First, they operate in open environments with a very large execution context. This makes their validation very complex, since many hours of testing would be necessary, with no guarantee that all faults in the system are detected and then corrected. Second, their behavior is often very difficult to predict or to model. This may be due to the use of artificial intelligence software to solve complex problems such as navigation or perception, but also to the multiplicity of systems or components that interact and complicate the behavior of the final system, for example by generating emergent behaviors.

One technique to increase the safety of these autonomous systems is the implementation of an independent safety component called a "Safety-Bag". This component is inserted between the control-command application and the vehicle's actuators, which lets it check online a set of safety requirements, i.e. properties necessary to ensure the system's safety. Each safety requirement consists of a triggering condition and a safety intervention applied when the triggering condition is violated. The intervention is either a safety inhibition, which prevents the system from evolving to a risky state, or a safety action, which returns the autonomous vehicle to a safe state. The definition of safety requirements must follow a rigorous method in order to be systematic.
To do this, our work carried out an operational safety study based on two fault prediction methods: FMECA (Failure Modes, Effects and Criticality Analysis) and HazOp-UML (Hazard and Operability Study), which focus respectively on the internal hardware and software components of the system and on the road environment and the driving process. The result of these risk analyses is a set of safety requirements. Some of these can be translated into requirements that the Safety-Bag can implement and check online; others cannot be, which keeps the Safety-Bag a relatively simple and validatable component. We then performed fault-injection experiments in order to validate some of the safety requirements and evaluate the behavior of our Safety-Bag. These experiments were done on our Fluence-type robotized vehicle in our laboratory in two different settings: first on the real SEVILLE track, then on the virtual track simulated by the Scanner Studio software on the VILAD bench. The Safety-Bag remains a promising but partial solution for industrial autonomous vehicles. On the other hand, it meets most of the needs for ensuring the safety of experimental autonomous vehicles.
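As an added illustration (not code from the thesis or its experimental platform), a minimal Safety-Bag in Python placed between the control application's commands and the actuators: each safety requirement pairs a triggering condition with either a safety inhibition (the command is blocked and the last accepted command is held) or a safety action (an override that returns the vehicle to a safe state), and a fault-injection helper corrupts a command the way the experiments above perturb the controller. The state fields, the two requirements, their thresholds and the stopping-distance heuristic are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple
@dataclass(frozen=True)
class State:                # observation available to the Safety-Bag (constructed fields)
    speed_kmh: float
    obstacle_m: float       # distance to the nearest obstacle ahead

@dataclass(frozen=True)
class Command:              # what the control-command application sends to the actuators
    throttle: float         # 0.0 .. 1.0
    steering_deg: float
    brake: bool = False

@dataclass(frozen=True)
class SafetyRequirement:    # triggering condition + safety intervention, as in the abstract
    name: str
    triggered: Callable[[State, Command], bool]
    # action=None is a safety inhibition: the command is blocked and the last accepted command
    # is held; otherwise the safety action computes the command returning the vehicle to a safe state
    action: Optional[Callable[[State, Command], Command]] = None

class SafetyBag:
    def __init__(self, requirements, initial: Command = Command(0.0, 0.0, brake=True)):
        self.requirements = list(requirements)
        self.last_accepted = initial        # safe default: stopped, wheels straight

    def check(self, state: State, cmd: Command) -> Tuple[Command, List[str]]:
        """Return the command actually forwarded to the actuators and the violated requirements."""
        violated = []
        for req in self.requirements:       # in order; later rules see the already-adjusted command
            if req.triggered(state, cmd):
                violated.append(req.name)
                cmd = self.last_accepted if req.action is None else req.action(state, cmd)
        self.last_accepted = cmd
        return cmd, violated
# Two constructed requirements. SR1 -> inhibition; SR2 -> safety action (emergency brake).
def steering_too_sharp(s: State, c: Command) -> bool:
    return s.speed_kmh > 30 and abs(c.steering_deg) > 10
def obstacle_too_close(s: State, c: Command) -> bool:   # v^2/100 stopping-distance heuristic (assumed)
    return (s.speed_kmh ** 2) / 100 > s.obstacle_m and not c.brake
def emergency_brake(s: State, c: Command) -> Command:
    return Command(throttle=0.0, steering_deg=c.steering_deg, brake=True)

REQUIREMENTS = [SafetyRequirement("SR1 sharp steering at speed", steering_too_sharp),
                SafetyRequirement("SR2 obstacle within stopping distance", obstacle_too_close, emergency_brake)]
def inject_fault(cmd: Command, steering_deg: float) -> Command:
    # fault injection in the spirit of the experiments: corrupt the controller's steering output
    return replace(cmd, steering_deg=steering_deg)
```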