
Key Challenges and Chinese Solutions for SOTIF in Intelligent Connected Vehicles

2023-03-22

Engineering, 2023, Issue 12

Jun Li, Wenbo Shao, Hong Wang

Tsinghua Intelligent Vehicle Design and Safety Research Institute, School of Vehicle and Mobility, Tsinghua University, Beijing 100084, China

Intelligent connected vehicles (ICVs) [1] represent a crucial strategic focus for global automobile industrial transformation and advancement. ICVs also play a significant role in enhancing driving safety, improving traffic efficiency, and enabling low-carbon transportation. Consequently, numerous countries worldwide are expediting their efforts to establish a strong foundation for ICVs, progressing from technology research, development, and testing to widespread application and commercialization. This global momentum has resulted in a thriving ICV industry, demonstrating substantial growth and encouraging prospects.

In developing ICVs, one of the original intentions was to reduce traffic accidents caused by human error, which account for approximately 94% of total accidents. In recent years, an increasing focus on ICV safety by governments, enterprises, and academia has emerged, resulting in the implementation of various policies, regulations, technical products, and research findings. However, significant challenges remain for ICV safety, particularly regarding functional safety (FuSa), cybersecurity, and safety of the intended functionality (SOTIF) issues. FuSa has been addressed to a certain extent through the application of mature standards and regulations, while cybersecurity is being reinforced by government legislation. However, as ICV systems increase in complexity and intelligence, with more dynamic and challenging operating environments, the SOTIF problem arising from functional insufficiencies of the intended functionality or its implementation has emerged as one of the most critical obstacles in ICV research and commercialization. Since 2016, some ICV-related traffic accidents have been reported worldwide, as illustrated in Table 1. The main causes of these accidents include insufficient perception, prediction, and decision-making functions, as well as reasonably foreseeable misuse, all of which are categorized as typical SOTIF problems [2]. Furthermore, as shown in Fig. 1 [3], over 90% of intelligent driving system disengagements are attributable to SOTIF-related software issues. The SOTIF problem has become a pressing concern in ICV development, necessitating effective SOTIF solution proposals to ensure smooth industrialization progress.

1. Key challenges for SOTIF in ICVs

ICVs can be classified as a multidisciplinary subject area that encompasses various traditional and emerging research fields, including mechanics, communication, electronics, computer science, and artificial intelligence (AI). Consequently, addressing SOTIF problems in ICVs necessitates collaborative efforts from stakeholders spanning multiple domains. Since the initiation of the development of International Organization for Standardization (ISO) 21448 [4] in 2016, research on SOTIF has made some advancements [5]. However, significant challenges persist in transitioning from simple and specific to complex, open scenarios, from low-level to high-level automation, and from laboratory research to industrial applications. Three key challenges are highlighted as follows.

1.1. The ICV long-tail scenario problem

During ICV industrialization and deployment, long-tail challenges are inevitably encountered in the real world [6]. Such real-world scenarios are complex, including special road conditions, extreme weather conditions, and unexpected road user behaviors, all of which can trigger SOTIF-related hazards. Moreover, real-world scenarios exhibit significant diversity and variation in traffic conditions, and different driving habits have been observed across different countries, cities, and rural areas. Furthermore, the real world is dynamic: the publication of policies and regulations, infrastructure developments, and the introduction of new technologies all contribute to the evolving characteristics of driving scenarios. These factors collectively contribute to the challenges associated with long-tail scenarios in SOTIF research. Specifically, long-tail scenarios that are difficult to anticipate effectively can evolve into numerous unknown and potentially dangerous situations, substantially increasing the complexity of safety analysis and design during the ICV development process. Long-tail scenarios also pose obstacles to ensuring sufficient ICV safety test coverage, because conducting testing spanning billions of kilometers [7] is impractical in terms of cost and feasibility. Failure to effectively address long-tail scenarios undermines the proactive mitigation of unknown risks arising from real-world operations, thus significantly impeding ICV industrialization. Notably, researchers are also focusing increasingly on the “long tail” problem, as evidenced by a steady increase in the number of publications on related topics in recent years.

Table 1. SOTIF-related intelligent vehicle safety accidents.

1.2. ICV system complexity and diversity

ICVs are highly complex systems that integrate software and hardware [8,9]. Equipped with advanced onboard sensors, controllers, and actuators, they employ various intelligent algorithms and integrate modern communication and network technologies, so their overall complexity is significantly higher than that of traditional vehicles. To illustrate, considering solely the Baidu Apollo system code volume, Apollo 1.0 comprised only 35 000 lines of code, whereas Apollo 8.0 exceeded 750 000. Moreover, the possible adoption of an ICV foundation model can cause a sharp increase in system complexity. This elevated complexity significantly increases the difficulty of SOTIF design, development, testing, certification, and online protection [10]. Furthermore, no consensus has yet emerged from academia or industry regarding the technical approach that should be adopted for ICVs. Variation also exists in terms of sensor configurations, system architectures, and functional modules. According to a report by GreyB [11], over 250 companies worldwide were actively striving to achieve autonomous driving, with each company’s product undergoing rapid iteration, similar to the different Apollo system versions. Additionally, ICV research continually introduces new paradigms and algorithms. This level of system diversity contributes to the unfortunate absence of a unified SOTIF development process and specification.

1.3. AI algorithm inexplicability and uncertainty

With outstanding advantages for handling complex tasks, AI algorithms have been widely adopted in functional modules such as ICV perception, prediction, and decision-making, and have produced significant performance improvements [12]. However, as complexity, including the number of model parameters, continues to increase, the AI interpretability issue [13] has become increasingly prominent. In particular, deep learning models, which have recently demonstrated significant performance benefits, frequently function as opaque black boxes, posing challenges for the specification, analysis, verification, and validation of the relevant modules. For example, the lack of AI model interpretability impedes the effective identification of a model’s limitations, hampers the establishment of reliable safety analysis methods, significantly raises the challenge of verification and validation, and hinders the explicit modeling and targeted mitigation of AI-related SOTIF risks. In recent years, concepts such as trustworthy AI have increasingly gained traction, particularly in safety-critical fields such as ICVs. In addition, AI models are predominantly trained on large amounts of data and frequently show high uncertainty [14] when data are insufficient or when the learning processes or models are unreasonable, which leads to unpredictable performance degradation. These circumstances are not conducive to the requirement of adequate protection for SOTIF in ICVs.

2. Chinese solutions for SOTIF in ICVs

As shown in Fig. 2, to effectively ensure ICV safety and keep SOTIF risks within acceptable limits, Chinese solutions have been proposed to form a full-lifecycle SOTIF research foundation comprising offline safety development, online safety control, and an active ongoing learning system. It is anticipated that these topics will ignite valuable discussion and further research in the SOTIF community.

Fig. 1. Statistics on causes of intelligent driving system disengagements [3].

Fig. 2. Chinese solutions for SOTIF in ICVs.

2.1. Offline safety design and development

Constructing a systematic, comprehensive, and actionable SOTIF design and development process represents a fundamental step in addressing the aforementioned key challenges. While standards such as ISO 21448 introduce the fundamental SOTIF activities, a lack of sufficient detail and practical guidance remains. For traditional FuSa, a mature development process has been established, accompanied by a range of supporting methods and technologies, including fault tree analysis (FTA) and failure mode and effects analysis (FMEA). However, owing to the differentiation, complexity, and uncertainty associated with SOTIF development, the applicability of traditional processes and methods is considerably limited. In response to the specific requirements of ICV development, it is essential to explore SOTIF forward design and development specifications and technologies. This involves clarifying ICV SOTIF goals, identifying safety risks alongside their contributing factors, establishing safety metrics and design criteria, developing computer-aided engineering (CAE) tools for safety analysis, and completing a SOTIF forward closed-loop design. The final step before release, namely testing and certification, occupies a crucial role in determining whether an ICV can be formally approved for market entry. Therefore, testing and certification processes and results directly affect the accident rate and societal acceptance of approved ICVs. However, SOTIF testing and certification is a complex issue that cannot be solved from within a single group. It requires collaborative efforts from governments, standards organizations, enterprises, and universities to address this challenge effectively. Furthermore, for future AI, effective interpretability methods are needed to assist in the system development process, including AI model explanation before, during, and after the modeling phase. This is expected to ultimately improve the transparency and controllability of the models used during the development process.

2.2. Online safety monitoring and protection

The long-tail scenarios and uncertainty of autonomous driving complicate the elimination of residual risks during development. Therefore, it is necessary to ensure SOTIF through effective risk monitoring and protection during the operational phase. To address potential functional insufficiencies that may arise during operation of the autonomous driving control system, a parallel SOTIF real-time protection system is designed to act as the ICV “safety control system”. This system continuously monitors Object and Event Detection and Response (OEDR) accuracy, AI model health status, and ICV compliance with road regulations in real time, thereby providing effective protection strategies. Moreover, for unavoidable risks or accidents that may occur during ICV driving, online monitoring and recording are used to capture SOTIF risk sources, trigger conditions, system failure causes, real-time assessments of compliance with road regulations, and other pertinent information in autonomous driving mode. This information is subsequently used to enable timely interventions and to support accident cause identification and appropriate oversight by public safety departments.
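The following Python block is an added illustration of the parallel safety channel described above; it is example code written for this page, not code from the paper or from any production ICV stack. It models a monitor that, on every control cycle, evaluates the three indicators the paper names (OEDR accuracy, AI model health, and road-regulation compliance), picks a protection action, and records abnormal cycles for later accident-cause analysis. Ensemble disagreement is used as the stand-in for the AI uncertainty discussed in Section 1.3. The `Frame` fields, the threshold values, the trigger rules, the escalation policy (two simultaneous triggers or three consecutive triggered cycles escalate to a minimal risk manoeuvre), and the sample frames are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Constructed thresholds: assumptions for this example, not values from the paper.
OEDR_MIN_CONFIDENCE = 0.6        # mean detection confidence below this => perception insufficiency
TRACK_DROP_LIMIT = 2             # more tracked objects lost between two cycles than this => track loss
HEALTH_MAX_DISAGREEMENT = 0.15   # std-dev across ensemble heads above this => uncertain/unhealthy model
SPEED_TOLERANCE_KPH = 2.0        # tolerated excess over the posted limit
PERSISTENCE_LIMIT = 3            # consecutive triggered cycles before escalating to an MRM


@dataclass
class Frame:
    """One monitoring cycle reported by the (hypothetical) driving stack."""
    t: float
    detections: List[float]            # confidence of each tracked object
    ego_speed_kph: float
    speed_limit_kph: float
    ensemble_brake_probs: List[float]  # brake probability from each head of a model ensemble


@dataclass
class Verdict:
    t: float
    triggers: List[str]
    action: str  # "CONTINUE", "DEGRADE" (slow down, widen margins) or "MRM" (minimal risk manoeuvre)


class SotifMonitor:
    """Parallel safety channel: evaluates the indicators every cycle and records what it saw."""

    def __init__(self) -> None:
        self._prev: Optional[Frame] = None
        self._consecutive = 0            # cycles in a row that raised at least one trigger
        self.event_log: List[Dict] = []  # recorder for later accident-cause identification

    def _triggers(self, f: Frame) -> List[str]:
        found: List[str] = []
        # OEDR accuracy: confidence collapse or sudden loss of tracked objects
        if f.detections and mean(f.detections) < OEDR_MIN_CONFIDENCE:
            found.append("oedr_low_confidence")
        if self._prev is not None and len(self._prev.detections) - len(f.detections) > TRACK_DROP_LIMIT:
            found.append("oedr_track_loss")
        # AI model health: disagreement between ensemble heads as an uncertainty proxy
        if len(f.ensemble_brake_probs) > 1 and pstdev(f.ensemble_brake_probs) > HEALTH_MAX_DISAGREEMENT:
            found.append("model_uncertainty")
        # Road-regulation compliance: posted speed limit
        if f.ego_speed_kph > f.speed_limit_kph + SPEED_TOLERANCE_KPH:
            found.append("speed_limit_exceeded")
        return found

    def step(self, f: Frame) -> Verdict:
        triggers = self._triggers(f)
        self._consecutive = self._consecutive + 1 if triggers else 0
        if len(triggers) >= 2 or self._consecutive >= PERSISTENCE_LIMIT:
            action = "MRM"       # several insufficiencies at once, or one that does not clear
        elif triggers:
            action = "DEGRADE"
        else:
            action = "CONTINUE"
        if triggers:             # only abnormal cycles are recorded
            self.event_log.append({"t": f.t, "triggers": triggers, "action": action,
                                   "ego_speed_kph": f.ego_speed_kph})
        self._prev = f
        return Verdict(f.t, triggers, action)


# Constructed sample cycles: nominal driving, a perception confidence dip, a track loss
# coinciding with ensemble disagreement, a speeding episode, then recovery.
SAMPLE_FRAMES = [
    Frame(0.0, [0.90, 0.85, 0.80], 48.0, 50.0, [0.10, 0.12, 0.11]),
    Frame(0.1, [0.88, 0.84, 0.79], 49.0, 50.0, [0.10, 0.10, 0.12]),
    Frame(0.2, [0.55, 0.50, 0.45], 50.0, 50.0, [0.20, 0.20, 0.25]),
    Frame(0.3, [],                 50.0, 50.0, [0.10, 0.90, 0.50]),
    Frame(0.4, [0.90, 0.88],       56.0, 50.0, [0.30, 0.30, 0.30]),
    Frame(0.5, [0.90, 0.88, 0.87], 50.0, 50.0, [0.10, 0.10, 0.10]),
]


def run_monitor(frames: List[Frame] = SAMPLE_FRAMES) -> List[Verdict]:
    """Run a fresh monitor over a frame sequence and return one verdict per cycle."""
    monitor = SotifMonitor()
    return [monitor.step(f) for f in frames]


if __name__ == "__main__":
    for v in run_monitor():
        print(f"t={v.t:.1f}s action={v.action:<8} triggers={v.triggers}")
```

Two design points are worth noting. The persistence counter is a debounce: a single noisy cycle only degrades behaviour, whereas an insufficiency that survives several cycles escalates even if it is the only one present. A deployed protection system would additionally latch the MRM state until the vehicle has reached a safe stop or a takeover is confirmed, rather than re-deciding every cycle as this illustration does.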

2.3. Active ongoing learning

It is difficult for a fixed ICV safety system to manage constantly emerging long-tail scenarios, dynamically changing driving environments, and increasing functional requirements. Thus, establishing a flexible and efficient SOTIF improvement mechanism is crucial for advancing ICVs in this respect. In recent years, both industry and academia have explored various approaches in the field of autonomous driving learning and growth. Examples include Tesla’s fleet learning, Cruise’s continuous learning machine, and research topics such as continual learning that have garnered significant attention. This study proposes the construction of a discovery mechanism for unknown-unsafe scenarios and a safety continuous learning growth model for the continuous improvement of SOTIF in ICVs. This aims to enhance the efficiency of identifying high-value unknown-unsafe scenarios and to address the problem of “catastrophic forgetting”, where a model may forget previously learned information when learning from new data. By establishing a trinity of learning and growth processes encompassing data, models, and platforms, the continuous learning capability of ICVs can be realized. Furthermore, the ongoing learning experience can be continuously and instantly fed back to offline design and development departments, offering real-time guidance for iterative upgrades in the development process. This closed-loop approach facilitates the establishment of comprehensive solutions to address SOTIF in ICVs.
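As an added example of the two mechanisms this section calls for, the Python block below scores logged driving scenarios as “unknown” (far from every scenario already in the known library) and “unsafe” (low observed time-to-collision), ranks the ones that are both, and then builds the next training batch with a rehearsal sample from every existing category so that the model is never updated on new data alone. This is example code written for this page, not the study’s growth model or any fleet-learning system; the feature layout, the distance-based novelty measure, the TTC-based hazard score, the thresholds, and every scenario record are constructed assumptions.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    sid: str
    category: str                 # known category label, or "unlabeled" for freshly logged data
    features: Tuple[float, ...]   # normalised descriptors: (ego speed, actor density, visibility)
    min_ttc_s: float              # smallest time-to-collision observed in the log, in seconds


# Constructed thresholds: assumptions for this example, not values from the paper.
NOVELTY_THRESHOLD = 0.25  # distance to the nearest known scenario above this => "unknown"
HAZARD_THRESHOLD = 0.4    # hazard score above this => "unsafe"
TTC_SAFE_S = 3.0          # TTC at or above this is treated as comfortable (hazard 0)


def euclid(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def novelty(s: Scenario, library: List[Scenario]) -> float:
    """Distance from the nearest scenario already covered by the library."""
    return min(euclid(s.features, k.features) for k in library)


def hazard(s: Scenario) -> float:
    """0 when TTC is comfortable, rising linearly to 1 as TTC approaches zero."""
    return max(0.0, min(1.0, 1.0 - s.min_ttc_s / TTC_SAFE_S))


def discover_unknown_unsafe(logs: List[Scenario], library: List[Scenario]) -> List[Tuple[Scenario, float]]:
    """Keep scenarios that are both novel and hazardous; rank by novelty x hazard (highest first).
    Known-unsafe and unknown-but-safe scenarios are deliberately left out: they are handled by
    existing categories or carry little safety value, respectively."""
    found: List[Tuple[Scenario, float]] = []
    for s in logs:
        n, h = novelty(s, library), hazard(s)
        if n > NOVELTY_THRESHOLD and h > HAZARD_THRESHOLD:
            found.append((s, round(n * h, 3)))
    found.sort(key=lambda pair: -pair[1])
    return found


def rehearsal_batch(new: List[Scenario], library: List[Scenario], per_category: int = 1) -> List[str]:
    """Next training batch: the new scenarios plus an even replay sample from every known
    category, so earlier categories stay represented (rehearsal against catastrophic forgetting)."""
    by_cat: Dict[str, List[Scenario]] = {}
    for k in library:
        by_cat.setdefault(k.category, []).append(k)
    replay = [k for cat in sorted(by_cat) for k in by_cat[cat][:per_category]]
    return [s.sid for s in new] + [k.sid for k in replay]


# Constructed known library: scenario categories the current model was trained on.
KNOWN_LIBRARY = [
    Scenario("K1", "urban_intersection", (0.30, 0.80, 1.00), 4.0),
    Scenario("K2", "urban_intersection", (0.35, 0.70, 0.90), 3.5),
    Scenario("K3", "highway_cruise",     (0.90, 0.20, 1.00), 5.0),
    Scenario("K4", "highway_cruise",     (0.85, 0.30, 0.95), 4.5),
    Scenario("K5", "rain_lowvis",        (0.50, 0.40, 0.40), 3.2),
]

# Constructed fleet logs: known-unsafe, unknown-unsafe (x2), known-safe, unknown-but-safe.
SAMPLE_LOGS = [
    Scenario("L1", "unlabeled", (0.32, 0.75, 1.00), 1.0),
    Scenario("L2", "unlabeled", (0.60, 0.90, 0.20), 0.8),
    Scenario("L3", "unlabeled", (0.95, 0.10, 0.30), 1.5),
    Scenario("L4", "unlabeled", (0.10, 0.90, 1.00), 5.0),
    Scenario("L5", "unlabeled", (0.70, 0.60, 0.50), 2.5),
]


if __name__ == "__main__":
    mined = discover_unknown_unsafe(SAMPLE_LOGS, KNOWN_LIBRARY)
    for s, value in mined:
        print(f"{s.sid}: novelty={novelty(s, KNOWN_LIBRARY):.3f} hazard={hazard(s):.3f} value={value}")
    print("next batch:", rehearsal_batch([s for s, _ in mined], KNOWN_LIBRARY))
```

The ranking is what feeds back to the offline development departments: the top entries are the scenarios most worth labelling, simulating, and adding as new categories, and the rehearsal batch is the data-level counterpart of the forgetting mitigation the section describes.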

In summary, although ICVs must confront multiple challenges from the external environment and from the system itself, the pursuit of SOTIF solutions has been relentless and has yielded some advancement. The proposed solutions for SOTIF in ICVs present notable advantages. Through the integration of key elements, the solutions ensure a systematic design and development process, real-time protection, and ongoing risk reduction, thereby expediting the safe industrialization of ICVs. In addition, the collaborative efforts of industry, universities, and research institutes, under the leadership of the government, serve to enhance the effectiveness and applicability of the solutions.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (NSFC; 52072215, U1964203, and 52221005), the National Key Research and Development Program of China (2022YFB2503003 and 2020YFB1600303), and the State Key Laboratory of Intelligent Green Vehicle and Mobility.