Re-imagining ISO 26262 in the Age of Autonomous Vehicles: Enhancing Controllability through Transferability and Predictability
Proposes Transferability and Predictability as measurable, scene-conditioned extensions of the ISO 26262 Controllability concept, so that fallback and interaction claims for SAE Level 4 and 5 vehicles can be quantified and checked against evidence.
Key Findings
Methodology
This paper builds on ISO 26262 and ISO 21448 (SOTIF). Transferability is introduced as a measure of a vehicle’s ability to hand control to a dedicated fallback mechanism when a fault occurs; it is quantified from Minimal Risk Maneuver (MRM) success rates and response times within the Fault-Tolerant Time Interval, conditioned on the scene in which the fault occurs. Predictability is modeled on human-robot interaction principles using multi-channel metrics: trajectory deviation (Qconf), intent clarity (Sintent), signal consistency (Ssignal), and kinematic surprise (Skin). The metrics are calibrated on naturalistic driving data, with driving performance measures defined per SAE J2944 (operational definitions of driving performance measures), and validated through fault injection, hardware-in-the-loop simulation, and real-world testing. The framework formalizes the operational context, scene states, and scenario slices, so that safety claims are scene-conditioned, traceable, and falsifiable. Together the two metrics address the limitations of reaction-based control metrics and give a quantifiable safety assessment suited to SAE Level 4 and 5 systems.
Key Results
- Experimental validation on Reynolds & Moore datasets and simulation platforms shows that Transferability success rates under fault scenarios average 92%, a significant improvement over traditional reaction-based metrics (~70%). Predictability models reduce trajectory deviation by 15%, achieving an average error of 0.3 meters, and improve intent recognition accuracy to 88%. These results demonstrate enhanced system robustness and external interpretability, enabling early risk detection and mitigation in complex scenarios. The combined metrics effectively identify potential unsafe behaviors, reducing false positives and increasing system reliability.
- Further analysis reveals a measurable gap (∆T) between the fallback capability claimed by the architecture and the fallback capability the scene evidence actually supports; the gap exposes scenes in which the design claim is not backed by evidence rather than letting an average hide them. Scene-specific calibration of the metrics keeps them applicable across operational domains and supports safety case development and regulatory compliance.
Significance
This research addresses a critical gap in autonomous vehicle safety standards by extending ISO 26262’s human-centric control paradigm to system-level fallback and external behavior predictability. The proposed metrics provide a scientific basis for quantifying safety in fault scenarios and external interactions, facilitating regulatory approval, industry certification, and public trust. By integrating Transferability and Predictability, the framework enhances the robustness of safety cases, enabling more comprehensive risk assessments for SAE Level 4 and 5 vehicles. This work paves the way for standardized, measurable safety guarantees, crucial for widespread deployment of autonomous systems in complex urban environments, ultimately contributing to safer roads and more reliable autonomous mobility.
Technical Contribution
The paper’s core contributions include formalizing Transferability as a probabilistic measure of system fallback success within Fault-Tolerant Time Intervals, and defining Predictability through multi-channel metrics rooted in human-robot interaction theories. These innovations extend ISO 26262’s control concept from driver reaction to system-level fallback, with explicit scene-conditioned evidence models. The framework introduces a novel gap metric (∆T) to compare designed versus achievable fallback capabilities, supporting rigorous validation and falsifiability. The multi-channel Predictability model incorporates trajectory likelihood, intent clarity, signal consistency, and motion surprise, enabling comprehensive external behavior assessment. These developments provide a new theoretical and practical foundation for formal safety validation of autonomous vehicles, bridging the gap between malfunction-based safety and behavior-based safety analysis.
Novelty
This work is the first to formalize Transferability as a quantifiable, scene-conditioned metric aligned with ISO 26262, explicitly linking fallback performance to operational scenarios. It also pioneers the integration of multi-channel behavior predictability metrics inspired by human-robot interaction into automotive safety standards, addressing external observer perspectives. Unlike prior approaches that focus solely on internal fault detection, this framework emphasizes external interpretability and scene-specific validation, offering a holistic safety assessment tool. The introduction of the designed-versus-achievable fallback gap (∆T) provides a novel means to verify system claims against real-world evidence, enhancing the rigor and transparency of safety cases.
Limitations
- The models rely heavily on naturalistic driving datasets and simulation environments, which may not capture rare or extreme scenarios, limiting generalizability. The computational cost of the multi-channel metrics and scene-specific calibration is a challenge for real-time deployment. The framework assumes accurate scene understanding and sensor data, which may be degraded in adverse conditions (and which, in a fault scenario, are exactly the inputs most likely to be compromised). Extensive validation across diverse environments is still required, and the effectiveness of the predictive models in highly dynamic or occluded scenarios remains to be tested.
AI Executive Summary
Autonomous driving technology changes the assumptions behind existing safety standards such as ISO 26262. ISO 26262 treats Controllability as a driver-centric, reaction-based quantity: it assumes a human driver who can intervene during a hazard. SAE Level 4 and 5 vehicles operate without that human oversight, so the assumption no longer holds, and the way safety is assessed and validated for fully autonomous systems has to be rethought.
In response, this paper proposes a novel framework that extends the core concept of Controllability into two measurable, scene-conditioned evidence dimensions: Transferability and Predictability. Transferability evaluates the system’s ability to safely transfer control to fallback mechanisms within the Fault-Tolerant Time Interval (FTTI), using probabilistic metrics derived from Minimal Risk Maneuver (MRM) performance under fault scenarios. This approach formalizes the system’s fallback robustness, ensuring that safety can be maintained even in complex, unpredictable environments.
Predictability, inspired by human-robot interaction principles, assesses how well external road users can anticipate the vehicle’s near-future behavior from observable cues such as trajectory, signals, and scene context. It uses a multi-channel metric system covering trajectory likelihood, intent clarity, signal consistency, and motion surprise to quantify external interpretability. These metrics are calibrated on naturalistic driving data, with measures defined per SAE J2944, which makes scene-specific, falsifiable safety claims possible.
The combined framework offers a comprehensive, traceable, and verifiable method for safety validation. Experimental results from simulation and real-world testing demonstrate that the proposed metrics significantly improve fault response success rates (up to 92%) and external behavior predictability (intent recognition accuracy up to 88%). The approach also reveals a quantifiable gap (∆T) between designed fallback capabilities and scene-supported achievable fallback, providing insights into environmental limitations and system robustness.
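The following is an added illustration of the evaluation loop described in the Methodology, Technical Contribution and summary above, not code from the paper: scene-conditioned Transferability computed from fault-injection trials, the designed-versus-achievable gap ∆T, and a four-channel Predictability score. The paper does not reproduce its formulas on this page, so the aggregation rules used here (a transfer succeeds only if the MRM completes within the FTTI; Predictability is a weighted mean of the four channels with surprise entering as 1 - Skin), the per-channel scoring, the minimum-sample rule and the trial data are all assumptions.

```python
"""Scene-conditioned Transferability, the designed-vs-achievable gap (Delta_T) and a
multi-channel Predictability score.  Illustrative code for this page, not the paper's
implementation: the aggregation rules, channel scoring and sample data are assumptions."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultTrial:
    scene: str           # ODD slice / scene state, e.g. "urban_rain_night"
    fault: str           # injected fault, e.g. "lidar_dropout"
    mrm_completed: bool  # did the Minimal Risk Maneuver reach a minimal-risk condition?
    t_response_s: float  # seconds from fault injection to MRM completion (inf if never)


def transferability(trials, ftti_s, min_trials=3):
    """Per-scene P(MRM completed within FTTI | scene).
    A trial is a successful transfer only if the MRM completed AND did so within the
    Fault-Tolerant Time Interval; a late completion is a failure.  Scenes with fewer
    than min_trials samples get None: a scene-conditioned safety case must surface
    missing evidence instead of hiding it inside an average."""
    ok, n = defaultdict(int), defaultdict(int)
    for t in trials:
        n[t.scene] += 1
        if t.mrm_completed and t.t_response_s <= ftti_s:
            ok[t.scene] += 1
    return {s: (ok[s] / n[s] if n[s] >= min_trials else None) for s in n}


def fallback_gap(designed, achievable):
    """Delta_T per scene: designed (architectural claim) minus achievable (evidence).
    A positive gap means the claim is not supported by the trials in that scene."""
    return {s: (None if a is None else designed - a) for s, a in achievable.items()}


# Predictability channels, each scaled to [0, 1]; 1 = most predictable except S_kin.
def trajectory_confidence(deviation_m, scale_m=1.0):
    """Q_conf: exp(-d/scale) of the deviation between the trajectory an observer would
    expect and the one actually driven (assumed likelihood-style form)."""
    return math.exp(-max(deviation_m, 0.0) / scale_m)


def intent_clarity(observer_guesses, true_intent):
    """S_intent: fraction of external observers whose guess matches the executed maneuver."""
    if not observer_guesses:
        return 0.0
    return sum(g == true_intent for g in observer_guesses) / len(observer_guesses)


def signal_consistency(signal_states, true_intent):
    """S_signal: share of the observation window in which the indicator state agrees
    with the maneuver actually executed."""
    expected = {"left": "left", "right": "right", "straight": "off"}[true_intent]
    return sum(s == expected for s in signal_states) / len(signal_states)


def kinematic_surprise(accels_mps2, comfort_limit_mps2=2.5):
    """S_kin: share of samples whose |acceleration| exceeds a comfort limit, i.e.
    sudden braking or steering an observer would not anticipate (higher = worse)."""
    return sum(abs(a) > comfort_limit_mps2 for a in accels_mps2) / len(accels_mps2)


def predictability(q_conf, s_intent, s_signal, s_kin, w=(0.25, 0.25, 0.25, 0.25)):
    """Weighted combination of the four channels; surprise enters as 1 - S_kin."""
    return w[0] * q_conf + w[1] * s_intent + w[2] * s_signal + w[3] * (1.0 - s_kin)


# Constructed sample data (not from the paper).
FTTI_S = 1.5
DESIGNED_TRANSFERABILITY = 0.95  # the architectural fallback claim under test
SAMPLE_TRIALS = [
    FaultTrial("urban_dry_day", "lidar_dropout", True, 0.9),
    FaultTrial("urban_dry_day", "lidar_dropout", True, 1.1),
    FaultTrial("urban_dry_day", "gnss_loss", True, 1.4),
    FaultTrial("urban_dry_day", "gnss_loss", True, 2.0),      # completed, but after FTTI
    FaultTrial("urban_dry_day", "cpu_fault", True, 0.7),
    FaultTrial("urban_rain_night", "lidar_dropout", True, 1.3),
    FaultTrial("urban_rain_night", "lidar_dropout", True, 1.5),
    FaultTrial("urban_rain_night", "gnss_loss", True, 1.9),   # late
    FaultTrial("urban_rain_night", "cpu_fault", False, math.inf),
    FaultTrial("highway_fog", "lidar_dropout", True, 1.0),    # only two trials: no claim
    FaultTrial("highway_fog", "cpu_fault", False, math.inf),
]


def evaluate_sample():
    """Run the constructed scenario end to end and return the per-scene report."""
    achievable = transferability(SAMPLE_TRIALS, FTTI_S)
    gap = fallback_gap(DESIGNED_TRANSFERABILITY, achievable)
    pred = predictability(
        trajectory_confidence(0.3),                                  # 0.3 m deviation
        intent_clarity(["left", "left", "right", "left"], "left"),   # 3 of 4 observers
        signal_consistency(["left", "left", "left", "off"], "left"), # indicator on 3 of 4
        kinematic_surprise([0.5, 1.0, 3.0, 0.8]),                    # one harsh sample
    )
    return {"transferability": achievable, "gap": gap, "predictability": pred}


if __name__ == "__main__":
    for key, value in evaluate_sample().items():
        print(key, value)
```

On the constructed data the dry-day scene reaches 0.8 and the rain-night scene only 0.5 against a designed claim of 0.95, so ∆T is 0.15 and 0.45 respectively, while the two-trial fog scene yields no number at all; that last case is the point of the minimum-sample rule, since reporting 0.5 from two trials would look like evidence without being any.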
This work matters for autonomous vehicle safety certification. It bridges malfunction-based safety and behavior-based safety analysis, in line with ISO 21448 (SOTIF) and emerging industry standards. By providing a rigorous, quantifiable, scene-aware assessment framework, it supports regulatory acceptance and public trust in fully autonomous mobility. Despite current limitations in data dependence and computational demands, the framework is a scalable, adaptable basis for further research and standard development.
Deep Dive
Abstract
The ISO 26262 standard defines functional safety for road vehicles through risk assessments based on Severity, Exposure, and Controllability, grounded in a human-driven vehicle paradigm. In the context of autonomous vehicles (AVs), the absence of a human driver necessitates revisiting these principles. This paper decomposes the Controllability placeholder into two auditable evidence dimensions of ISO 26262 by introducing two measurable sub-concepts: Transferability and Predictability. Transferability extends Controllability to capture AV systems' ability to hand off control to dedicated fallback safety mechanisms, while Predictability captures how easily external agents can anticipate AV behavior. Predictability is formally defined from human-robot interaction-inspired principles, and a mathematical framework is provided to quantify it. A designed-versus-achievable gap is introduced to distinguish architectural fallback claims from scene-conditioned achievable fallback capability. The proposed metrics align with ISO 26262 and ISO/PAS 21448 (SOTIF), rendering fallback and interaction claims falsifiable and traceable across ODD slices. These dimensions complement rather than replace existing standards, and the enhancements preserve the structure of ISO 26262 while extending its applicability to driverless automated systems operating at SAE Levels 4 and 5.