Safety System Assessment Case Study of Automated Vehicle Shuttle

Automated vehicle (AV) minibuses, i.e., AV shuttles, are gaining popularity in the testing of new types of transportation services in real traffic conditions. AV shuttles have moved from closed test areas to low-traffic public sites such as local residential areas, technology parks, university campuses, etc. These types of vehicles are usually low-speed and rely on a lidar-camera sensor set and a self-driving software stack. These new use cases are increasing the safety demands on these systems. In addition to functional safety, many other aspects need to be considered. In this study, a risk analysis model is developed, combining the fuzzy analytical hierarchy process and the Technique for Order of Preference by Similarity to Ideal Solution method. The proposed model is utilized to prioritize risks corresponding to the particular case study, based on real AV shuttle bus development, and focuses on the low-level hardware/software safety issues and improvements.


Introduction
Automated driving technology development is under active investigation in many different industrial sectors, such as the automotive industry, mining, machinery, etc. The automotive industry is constantly developing new autonomous driving aid system features and functionalities. The general target is to reach fully autonomous driving by the end of this decade. Many car manufacturers, such as Tesla, Ford, etc., have declared in recent years that they will reach fully autonomous driving cars very soon [1] but have had to postpone their announced deadlines many times [2]. At the same time, several IT giants are trying to develop autonomous driving, with Waymo from Google and Apple's self-driving car project being the most well-known, but the challenges involved have been greater than initially predicted, and because of this their deadlines have been prolonged. Companies in the manufacturing industry and warehouse logistics have tested and applied automated mobile robots to make industrial processes more efficient and flexible. The Industry 4.0 and 5.0 philosophies rely heavily on connected and automated systems with seamless connectivity. Several studies have focused on the integration of AV shuttles into industrial processes as part of the Industry 4.0 concept [3]. All these efforts related to automated driving and vehicle developments face rather similar challenges. Functional safety and cybersecurity are often the main concerns when implementing and deploying automated vehicles.
Automated vehicle (AV) shuttles are a new type of transportation, targeted at solving the last-mile public transport gap. AV shuttles are mostly low-speed 6-12 seat minibuses with SAE level 4 [4] autonomy. This means that the vehicles are fully automated, without any on-board human control devices, but operate in a defined operational domain. The operational design domain (ODD) sets the limits within which the vehicle is designed to operate, in terms of geographical area, weather and road
However, the problem considered in the current study has some specific features. The evaluations (judgments) provided by decision makers include uncertainty. The evolutionary multicriteria optimization methods described in the previous section have been applied with success in solving a wide class of engineering design problems [13][14][15][16][17][18][19][20][21][22]. However, despite their stochastic nature, these evolutionary algorithms are not well suited for handling judgements involving uncertainty. For this reason, in the following, multicriteria decision-making (MCDM) methods are utilized.
Firstly, for the prioritization of the criteria, the fuzzy analytic hierarchy process (FAHP) is applied. The Fuzzy AHP was introduced as a combination of fuzzy sets and AHP [23]. The FAHP has an obvious advantage over AHP; it simplifies decision makers' evaluations by replacing fixed-value judgments with interval judgments.
Secondly, for the prioritization of risks, the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) is applied. According to TOPSIS, the most preferred alternatives should have the shortest distance from the positive ideal solution (PIS) and the farthest distance from the negative ideal solution (NIS) [24]. The TOPSIS method has found wide use in transportation and intelligent vehicle systems [11,25,26]. In [26], a hybrid approach was employed, combining the TOPSIS and AHP methods.
Other popular MCDM methods include Elimination and Choice Translating Reality (ELECTRE), Vlsekriterijumska Optimizacija I Kompromisno Resenje (VIKOR), the Preference-Ranking Organization Method for Enrichment Evaluations (PROMETHEE), the weighted sum model (WSM), the weighted product model, etc. The ELECTRE method is used to develop a solution based on an outranking relationship between two alternatives [27]. The implementation of the ELECTRE algorithms is considered rather complex. The VIKOR method determines the optimal solution based on estimating the closeness of alternatives to an ideal alternative [27]. This method may become challenging in the case of conflicting scenarios. The PROMETHEE method belongs to the class of outranking methods and is based on the comparison of the amplitude of the deviations between the evaluations of the alternatives within each criterion [27]. In the case of this method, an extra tool is needed for the evaluation of the weights of the criteria. According to the weighted sum model (WSM), the optimal solution is the one with the best value of the weighted sum. In the case of the weighted product model (WPM), the summation is replaced by multiplication [27].
The reasons for the selection of the TOPSIS method in the current study can be outlined as follows.

• TOPSIS is simple to implement;
• TOPSIS provides robust solutions: it tends toward the positive ideal solution while avoiding the negative ideal solution; and
• TOPSIS has been utilized with success in the study of intelligent vehicle systems.
In the following, the fuzzy AHP and TOPSIS approaches are combined for the prioritization of the criteria and risks, respectively. The proposed fuzzy sets-based approach allows us to apply linguistic assessments corresponding to the natural representation of the judgment [23,24]. This paper focuses on providing a practical approach to the implementation of a cyber-physical system on autonomous vehicles, focusing on the AV shuttle in particular. The safety issues are studied in the context of considered problems. The risks and their evaluation criteria are developed for a particular class of problems.

Background of Key Automotive Standards
Technological innovations and progress in the automotive industry, especially with the introduction of driver-assist and automated driving systems, have brought about a need for standards that define functional safety and functions that contribute to the prevention of accidents in emergency situations. Functional safety is a method of reducing risks to an acceptable level by devising functions that ensure safety. Among many other standards, not limited to the automotive field, ISO 26262 is the de facto functional safety standard for electrical and electronic systems in road vehicles, based on IEC 61508. ISO 26262 defines the Automotive Safety Integrity Level (ASIL) as a risk classification system with four levels, A, B, C, and D; A represents the lowest and D the highest degree of automotive hazard. It is mainly used as a basis to perform hazard analysis and risk assessment for vehicle electronic control units (ECUs). Severity, exposure, and controllability are measured and classified, and each classification is broken down into sub-classes. These classifications and sub-classes are analyzed and combined to determine the required ASIL [28,29].
Manufacturers must meet a list of specific industry standards throughout the component manufacturing and testing process in order for an automotive product to qualify. The IATF 16949/ISO 9001 international standard defines the requirements for a quality management system for organizations in the automotive industry, including automotive production, service, and accessory parts organizations [30].
The durability standards of automotive electronic components are defined by the component type. AEC-Q100 is a failure mechanism-based stress test qualification for packaged integrated circuits. An AEC-Q100-qualified device means that the device has passed the specified stress tests and guarantees a certain level of quality/reliability [31]. AEC-Q200 is a global stress resistance standard set for all passive electronic components. Five temperature ranges are defined. Parts are deemed to be AEC-Q200-qualified if they have passed the stringent suite of stress tests [32]. SAE USCAR2 is a standard that covers the performance testing of road vehicle electrical terminals and connectors [33].

Risk Evaluation Model Development
Safety is one of the most critical issues in the development of mobile robots and self-driving vehicles, since a high price can be paid for shortcomings in this area, depending on the safety topics involved. The risk analysis presented here provides an overview of the current situation and forms a basis for safety improvements in future solutions. The proposed risk evaluation model includes three main modules:
The first module covers the formulation of the criteria and risks for the considered mobile robot types. It was introduced by the authors in [34] and is described as follows.
Mission computer and AI performance (C1): This criterion refers to the reliability of the mission computer and AI system. Situations in which the AV vehicle is unable to perform the tasks assigned to it may lead to the cessation of production or interruption of the transportation of passengers and goods.
Cybersecurity (C2): This criterion refers to all sorts of hacking of automated systems. Remote-control attacks are one of the prioritized security threats. Autonomous passenger transport carries the risk of the passenger gaining access to the vehicle's internal network or computer viruses finding their way into the system.
Malfunction of AV mechanical component (C3): The mechanical components of an autonomous vehicle may fail, which creates the risk of accidents and further damage.
The sensor system (C4): This criterion refers to the reliability of the sensors. The sensors may stop working due to mechanical breakdown or electrical failure. The operation of the sensors can also be maliciously interfered with using lasers, radio jammers, and other devices.
Low-level cyber-physical system performance (C7): This criterion refers to low-level cyber-physical system performance and failure, which also creates the risk of accidents and further damage.
Mechanical failure risk (A1): This risk category refers to the failure of the mechanical components due to normal wear and tear, manufacturing or design errors, corrosion, vandalism, mishandling, or an accident.
Electrical failure (A2): This risk category refers to the failure of the electrical components. Electrical components can be divided roughly into ECUs, wiring harness, batteries, sensors, and mechanical actuators. Failure may occur due to manufacturing or design errors, corrosion, short circuit, overheating, software failure, or hacking. Mechanical damage is also possible. These types of faults can lead to greater damage, such as fire or accident.
Information shortage (A3): This risk category refers to the failure relating to the loss of communication. As the vehicle or robot should operate autonomously, this type of error does not directly cause major damage. However, if an attempt is made to stop or drive the vehicle due to a previous malfunction, an information shortage may result in an accident.
Autonomous driving software failure (A4): This risk category refers to the failure of autonomous driving software. This is one of the most highly prioritized security threats, as it could lead to an accident. This type of failure is difficult to detect and correct from the low-level side and requires urgent intervention by the remote-control center.
Low-level software failure (A5): This risk category refers to a low-level software failure, mainly due to programming or design errors. This risk is controllable by making the right design choices in the cyber-physical architecture. However, the occurrence of these failures is dangerous, as the actuators can move unpredictably, and the vehicle may undergo high acceleration, causing a crash. The actuators and the electrical system may be damaged due to overload or due to signals occurring in the wrong order.
Communication bandwidth shortage (A6): As the vehicle should operate autonomously, this type of error does not directly cause major damage. However, if an attempt is made to stop or drive the vehicle due to a previous malfunction, a communication bandwidth shortage may result in an accident. This risk category refers to the fact that the remote-control center may lose access to the vehicle overview information and the remote-control option.
Cyber-hacking (A7): This risk category is involved with the deliberate exploitation of automated vehicle systems by unauthorized entities. The target of the attack can vary, ranging from an attack on software to managing the system. Remote-control attacks are one of the highly prioritized security threats, and could be considered the most dangerous type of attack.
Interruption of uplink (A8): As the vehicle should operate autonomously, this type of error does not directly cause major damage, but the remote-control center may lose access to the vehicle overview information and the remote-control option.
A drastic change of environment (A9): A drastic change in the environment may pose a risk. For example, snow may accumulate on the sensors' surfaces, and heavy rain or snowfall may disturb the operation of the sensors. An indoor environment may contain dust, food, and other substances which may cover sensors or block mechanical actuators. An accident may occur if dire circumstances coincide. A significant drop in temperature may cause an electrical system failure.
Loss of localization (A10): In this case, the vehicle does not know where it is located. An accident may occur if the vehicle tries to move. With appropriate design choices for autonomous driving software, this risk should be minimized. In addition, if the vehicle is unable to restore its localization, the remote-control center should take control.
Based on the above-defined criteria and risks, a decision hierarchy tree for the considered mobile autonomous systems can be established, as shown in Figure 1.
In the following section, the last two modules of the risk evaluation model are described.

Criteria Prioritization Using Fuzzy AHP
In the following, the fuzzy AHP approach, based on triangular fuzzy numbers (TFN), is applied to prioritize the criteria introduced above.
Step 1. The criteria were evaluated in terms of linguistic variables. First, the linguistic variables were introduced, as shown in Table 1, to simplify the evaluation process of the importance of criteria [35]. Next, the expert group of decision-makers filled in the pairwise comparison matrix criteria vs. criteria in terms of linguistic variables. Table 2 presents the linguistic "grades" given by one expert as an example.
Step 2. The linguistic scales were transferred to triangular fuzzy numbers (TFN) based on Table 1. These individual tables are omitted herein for the sake of brevity.
Step 3. The aggregated evaluation matrix, presented in Table 3, was computed by applying a fuzzy geometric mean, Equation (1). In Equation (1), c_ijn stands for the fuzzy comparison value, in terms of the TFN, of criterion i to criterion j given by the n-th expert, and N is the total number of decision-makers involved. The computed values of the pairwise comparison matrix r_ij are given in Table 3.
Here r_ij = (l_ij, m_ij, u_ij) are triangular fuzzy numbers, where l, m, and u stand for the lower, medium, and upper values, respectively.
Step 4. Next, the aggregation was applied with respect to each row of the aggregated comparison matrix given in Table 3. As a result, the fuzzy comparison values r_i = (l_i, m_i, u_i) can be evaluated by Equation (2), in which Ncrit stands for the number of criteria used.
Step 5. The triangular fuzzy weight w i of criteria i is determined as the normalized value of the r i .
Step 6. Finally, the crisp weights can be obtained by applying defuzzification to the fuzzy weights (different approaches to defuzzification can be found in [36]).
Table 4 presents the fuzzy and crisp weights, as well as the final ranks of the criteria.
Step 7. The criteria were prioritized based on the normalized crisp weights given in column 5 of Table 4. The consistency ratio (CR) of the defuzzified matrix was calculated and validated (it should be below 0.1). The normalized crisp weights and ranks of the criteria can be considered the final results of the fuzzy AHP implemented above.

Risk Prioritization Using Fuzzy TOPSIS
In the following, the risk evaluation was performed by taking into account the results of the applied fuzzy AHP and utilizing the fuzzy TOPSIS approach.
Step 1. The pairwise comparison risk vs. criteria analysis was performed by the same expert group who performed the evaluation of the criteria. Similarly to above, triangular fuzzy numbers and linguistic variables were employed [37]. The linguistic variables for the evaluation of the importance of the risks with respect to the criteria are presented in Table 5.
Step 2. The risk evaluation with respect to the criteria was performed. The sample results of one decision-maker are shown in Table 6.
Step 3. The linguistic "grades" given by the decision-makers (see Table 6) were transferred to triangular fuzzy numbers (TFN) based on the relations given in Table 5.
The aggregation of the decision-makers' evaluation matrices was performed by applying the fuzzy arithmetic mean (in the case of fuzzy AHP, the geometric mean was applied), where N is the number of decision-makers and x_ijn stands for the rating of risk i with respect to criterion j given by the n-th decision-maker. The computed triangular fuzzy numbers x_ij = (l_ij, m_ij, u_ij) are presented in Table 7.
Step 4. The aggregated fuzzy decision matrix was normalized. The fuzzy weights of the criteria obtained by applying fuzzy AHP (see Table 4) were utilized to compute the weighted normalized decision matrix given in Table 8.
Step 5. The distances of each risk to the positive and negative ideal solutions were computed.
Step 6. Based on the positive and negative ideal solutions, the similarities were calculated. The risks were ranked based on the values of the similarities. Table 9 presents the positive and negative ideal solutions, the similarities, and the final ranking of the risks.
The estimation of a number of different types of risks and the evaluation of multiple criteria is a challenging task in the development of AV systems. The fuzzy AHP-TOPSIS-based risk analysis approach proposed here provides estimates of the ranks of criteria and risks. Cyber hacking, low-level software failure, and electrical failure appear to be the most critical risks in the current case study. The weights of the criteria and the similarity values of the risks are another valuable piece of information for the further improvement of AV systems.
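The fuzzy AHP steps (aggregation by geometric mean, row aggregation, normalization, defuzzification, consistency ratio) and the fuzzy TOPSIS steps (aggregation by arithmetic mean, normalization, weighting, distances to the ideal solutions, similarity) carried through in code, as an added example that is not the paper's own implementation. The linguistic scales, the expert judgments in run_demo(), centroid defuzzification and the ideal solutions PIS = (1,1,1) / NIS = (0,0,0) are assumptions, since the paper's tables and equations are not reproduced on the page; all function names are hypothetical.

```python
"""Fuzzy AHP criteria weighting followed by fuzzy TOPSIS risk ranking.

Added worked example, not the paper's own code. A triangular fuzzy number (TFN)
is a tuple (l, m, u). Linguistic scales, expert judgments, centroid
defuzzification and the (1,1,1)/(0,0,0) ideal solutions are assumptions.
"""
from math import prod, sqrt

# Constructed linguistic scale for criterion-vs-criterion comparison.
AHP_SCALE = {"EQ": (1, 1, 1), "MOD": (2, 3, 4), "STR": (4, 5, 6), "VST": (6, 7, 8)}
# Constructed linguistic scale for rating a risk against a criterion (0..10).
RISK_SCALE = {"VL": (0, 1, 3), "L": (1, 3, 5), "M": (3, 5, 7), "H": (5, 7, 9), "VH": (7, 9, 10)}
# Saaty's random index by matrix size, used for the consistency ratio (CR < 0.1 accepted).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41}


def inverse(t):
    """Reciprocal TFN: (l, m, u)^-1 = (1/u, 1/m, 1/l)."""
    l, m, u = t
    return (1 / u, 1 / m, 1 / l)


def geometric_mean(tfns):
    """Component-wise fuzzy geometric mean (expert aggregation in fuzzy AHP)."""
    return tuple(prod(t[k] for t in tfns) ** (1 / len(tfns)) for k in range(3))


def arithmetic_mean(tfns):
    """Component-wise fuzzy arithmetic mean (expert aggregation in fuzzy TOPSIS)."""
    return tuple(sum(t[k] for t in tfns) / len(tfns) for k in range(3))


def centroid(t):
    """Defuzzify a TFN by its centroid (l + m + u) / 3."""
    return sum(t) / 3


def pairwise_matrix(judgments, n):
    """Expand upper-triangle judgments {(i, j): label, i < j} into a full reciprocal TFN matrix."""
    mat = [[(1, 1, 1)] * n for _ in range(n)]
    for (i, j), label in judgments.items():
        mat[i][j] = AHP_SCALE[label]
        mat[j][i] = inverse(AHP_SCALE[label])
    return mat


def consistency_ratio(expert_mats, w_crisp):
    """CR of the defuzzified aggregated matrix; lambda_max is estimated from A*w / w."""
    n = len(w_crisp)
    a = [[centroid(geometric_mean([m[i][j] for m in expert_mats])) for j in range(n)] for i in range(n)]
    lam = sum(sum(a[i][j] * w_crisp[j] for j in range(n)) / w_crisp[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0


def fuzzy_ahp(expert_mats):
    """Aggregate experts, aggregate rows, normalize, defuzzify and rank the criteria."""
    n = len(expert_mats[0])
    r = [[geometric_mean([m[i][j] for m in expert_mats]) for j in range(n)] for i in range(n)]
    r_i = [geometric_mean(row) for row in r]                  # row aggregation
    sl, sm, su = (sum(t[k] for t in r_i) for k in range(3))
    w_fuzzy = [(l / su, m / sm, u / sl) for l, m, u in r_i]   # fuzzy normalization
    crisp = [centroid(w) for w in w_fuzzy]
    w_crisp = [c / sum(crisp) for c in crisp]                 # normalized crisp weights
    ranks = sorted(range(n), key=lambda i: -w_crisp[i])       # most important criterion first
    return w_fuzzy, w_crisp, ranks, consistency_ratio(expert_mats, w_crisp)


def fuzzy_topsis(expert_ratings, w_fuzzy):
    """expert_ratings: per expert, a risks x criteria matrix of TFNs. Returns closeness and ranking."""
    nr, nc = len(expert_ratings[0]), len(expert_ratings[0][0])
    x = [[arithmetic_mean([m[i][j] for m in expert_ratings]) for j in range(nc)] for i in range(nr)]
    # Every criterion is benefit-type here: a higher rating means a more severe risk.
    umax = [max(x[i][j][2] for i in range(nr)) for j in range(nc)]
    v = [[tuple(x[i][j][k] / umax[j] * w_fuzzy[j][k] for k in range(3)) for j in range(nc)]
         for i in range(nr)]                                  # weighted normalized matrix

    def dist(a, b):  # vertex distance between two TFNs
        return sqrt(sum((a[k] - b[k]) ** 2 for k in range(3)) / 3)

    d_pos = [sum(dist(v[i][j], (1, 1, 1)) for j in range(nc)) for i in range(nr)]
    d_neg = [sum(dist(v[i][j], (0, 0, 0)) for j in range(nc)) for i in range(nr)]
    cc = [d_neg[i] / (d_pos[i] + d_neg[i]) for i in range(nr)]  # similarity / closeness
    ranks = sorted(range(nr), key=lambda i: -cc[i])           # most critical risk first
    return cc, ranks


def run_demo():
    """Two constructed experts, three criteria and three risks (not the paper's data)."""
    expert_1 = pairwise_matrix({(0, 1): "MOD", (0, 2): "STR", (1, 2): "MOD"}, 3)
    expert_2 = pairwise_matrix({(0, 1): "EQ", (0, 2): "MOD", (1, 2): "MOD"}, 3)
    w_fuzzy, w_crisp, crit_ranks, cr = fuzzy_ahp([expert_1, expert_2])
    to_tfn = lambda rows: [[RISK_SCALE[s] for s in row] for row in rows]
    ratings = [to_tfn([["H", "VH", "M"], ["VH", "M", "H"], ["L", "H", "VH"]]),
               to_tfn([["M", "H", "M"], ["VH", "H", "H"], ["L", "VH", "H"]])]
    cc, risk_ranks = fuzzy_topsis(ratings, w_fuzzy)
    return w_crisp, crit_ranks, cr, cc, risk_ranks


if __name__ == "__main__":
    w, crit_ranks, cr, cc, risk_ranks = run_demo()
    print("criteria weights", [round(x, 3) for x in w], "ranking", crit_ranks, "CR", round(cr, 3))
    print("risk similarities", [round(x, 3) for x in cc], "ranking", risk_ranks)
```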
As the results point out, low-level software failures are one of the highest risk factors and thus require a high level of attention during the system design stage and implementation stage. The following case study covers low-level system safety improvements for the TalTech iseAuto AV shuttle, which was designed and manufactured for research and educational purposes by the Autonomous Vehicles lab at Tallinn University of Technology.

Low-Level Communication and Safety Architecture for the AV Shuttle Based on the Risk Evaluation Model
The iseAuto AV shuttle was designed to be a minibus, with the aim of operating primarily on the territory of the university campus. Therefore, the speed of the minibus was limited to 20 km/h. The architecture of the vehicle CPS was first explained in [34], and it is divided into layers as described in Figure 2. The AI and high-level decision-making layer makes autonomous driving decisions based on the sensor input layer. The various control commands are sent to the actuator layer, which has the mission-critical function of handling the robot's actual control.
The shuttle's control logic is divided into two layers: the master controller layer and the function-based controller layer. The main task of the master controller is to act as a central gateway between all the nodes. Function-based controllers are classified as critical or non-critical. Critical controllers are involved in the direct control of the vehicle or the control of the traction battery and its charging. For safety reasons, separate safety controllers have been added to stop the vehicle when a fault is detected. The communication is shared between three CAN buses:
• CAN 1 for all system controllers;
• CAN 2 for safety-related controllers and for duplicating critical system messages; and
• CAN 3 for vehicle body-related and other low-priority controllers.
The correct design of critical CAN networks is important. First, it is essential to choose the correct packet IDs for CAN bus data frames. Each data frame has an ID that can be used to distinguish data frames, and data frames are ranked in order of importance using this ID: data frames with a lower ID win arbitration [38]. An extra checksum and counter value can be added to critical data frames. The controller receiving a data frame will only act on it if the checksum is correct. One reason for this is the threat of hacking, since the CAN network is not encrypted. A 15-bit CRC checksum is added to every CAN message by the hardware layer anyway, but it is harder to inject messages into the network if there is an extra checksum. Counter values are used to check whether any data frames have been lost. For faster system diagnostics and error detection, a diagnostic data frame should be sent out by the ECU. For example, if the expected data frame does not arrive at the correct time interval, if the supply voltage limit is exceeded, or if something else happens, a flag is set. Every diagnostic data frame on the CAN bus can carry 8 bytes of data, or 64 flags. The safety controller monitors these flags and can decide to trigger a safety logic process. A similar logic is used in Tesla vehicles [39].
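The receiver-side checks described above (extra checksum, rolling counter, expected arrival interval, and the 8-byte diagnostic frame whose 64 flags the safety controller monitors), as an added example in Python that is not the iseAuto firmware. The frame layout (6 payload bytes, 1 counter byte, 1 checksum byte), the CRC-8 polynomial, the flag bit numbers, the timings and the fatal-flag policy are assumptions; all names are hypothetical.

```python
"""Receiver-side integrity checks for a critical CAN data frame and the diagnostic
flag frame the ECU reports on. Added example, not the iseAuto code. Assumed: the
8-byte layout (6 payload bytes, 1 rolling counter, 1 CRC-8 over ID + payload +
counter), the CRC-8 polynomial 0x07, the flag bit numbers and the timings.
"""
from dataclasses import dataclass
from typing import Optional

CRC8_POLY = 0x07
PAYLOAD_LEN = 6
# Bit positions inside the 8-byte (64-flag) diagnostic frame (assumed assignment).
FLAG_CHECKSUM_ERROR = 0   # frame rejected: CRC mismatch or wrong length
FLAG_COUNTER_GAP = 1      # one or more frames lost (counter not consecutive)
FLAG_FRAME_TIMEOUT = 2    # expected frame did not arrive within its interval
FLAG_SUPPLY_VOLTAGE = 3   # supply voltage limit exceeded (set by the ECU itself)
# Flags the safety controller treats as fatal (assumed policy).
FATAL_MASK = (1 << FLAG_CHECKSUM_ERROR) | (1 << FLAG_FRAME_TIMEOUT)


def crc8(data: bytes) -> int:
    """Plain CRC-8 (poly 0x07, init 0). Detects corruption; it is not an authenticator."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(can_id: int, payload: bytes, counter: int) -> bytes:
    """Sender side: payload + rolling counter + CRC over the frame ID, payload and counter."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly 6 bytes")
    body = payload + bytes([counter & 0xFF])
    return body + bytes([crc8(can_id.to_bytes(2, "big") + body)])


@dataclass
class CriticalFrameMonitor:
    """Tracks one critical frame ID on the receiving ECU and accumulates diagnostic flags."""
    can_id: int
    period_ms: float            # nominal transmit interval of this frame
    tolerance_ms: float         # allowed jitter before FLAG_FRAME_TIMEOUT is raised
    last_counter: Optional[int] = None
    last_time_ms: Optional[float] = None
    flags: int = 0              # 64-bit flag word, one bit per diagnostic condition

    def set_flag(self, bit: int) -> None:
        self.flags |= 1 << bit

    def on_frame(self, now_ms: float, frame: bytes) -> Optional[bytes]:
        """Validate a received frame; return its payload, or None if the frame is rejected."""
        if len(frame) != 8 or crc8(self.can_id.to_bytes(2, "big") + frame[:7]) != frame[7]:
            self.set_flag(FLAG_CHECKSUM_ERROR)
            return None                      # rejected frames never reach the control logic
        counter = frame[6]
        if self.last_counter is not None and counter != (self.last_counter + 1) & 0xFF:
            self.set_flag(FLAG_COUNTER_GAP)  # a frame was lost, or a stale frame was repeated
        self.on_tick(now_ms)                 # a late arrival also counts as a timeout
        self.last_counter, self.last_time_ms = counter, now_ms
        return frame[:PAYLOAD_LEN]

    def on_tick(self, now_ms: float) -> None:
        """Periodic watchdog: flag the frame if its deadline passed with nothing valid received."""
        if self.last_time_ms is not None and now_ms - self.last_time_ms > self.period_ms + self.tolerance_ms:
            self.set_flag(FLAG_FRAME_TIMEOUT)

    def diagnostic_frame(self) -> bytes:
        """The 8-byte diagnostic frame this ECU would transmit on the safety CAN bus."""
        return self.flags.to_bytes(8, "little")


def safety_controller_should_stop(diag_frame: bytes) -> bool:
    """Safety controller side: decode the 64 flags and decide whether to trigger the safety logic."""
    return bool(int.from_bytes(diag_frame, "little") & FATAL_MASK)


def run_demo():
    """Constructed traffic for ID 0x100 every 10 ms: a lost frame, a corrupted frame, then silence."""
    mon = CriticalFrameMonitor(can_id=0x100, period_ms=10, tolerance_ms=5)
    payload = bytes([0x01, 0x2C, 0x00, 0x00, 0x00, 0x00])       # constructed command payload
    mon.on_frame(0, build_frame(0x100, payload, 0))
    mon.on_frame(10, build_frame(0x100, payload, 1))
    mon.on_frame(20, build_frame(0x100, payload, 3))            # counter 2 never arrived
    damaged = build_frame(0x100, payload, 4)
    mon.on_frame(30, bytes([damaged[0] ^ 0x80]) + damaged[1:])  # bit flip -> CRC mismatch
    mon.on_tick(50)                                             # nothing valid since t = 20 ms
    return mon.diagnostic_frame(), safety_controller_should_stop(mon.diagnostic_frame())


if __name__ == "__main__":
    diag, stop = run_demo()
    print("diagnostic frame:", diag.hex(), "safety logic triggered:", stop)
```

A CRC detects corruption and accidental loss only; an injector that recomputes it is not stopped, which is why the authentication and key-establishment measures discussed for the in-vehicle network are still needed alongside these checks.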
ECU components should comply with international automotive application standards. The previously used STM32 family microcontroller is not certified for automotive use. A good replacement for the STM32 is the general-purpose STMicroelectronics SPC5 family automotive microcontrollers, which qualify according to the AEC-Q100 standard and have a wide range of automotive interfaces. The chosen specialized hardware should allow the achievement of safety goals [40]. Passive components qualifying to AEC-Q200 and automotive connectors are used in the design of new ECUs. Automotive connectors should be crimp-type connectors in order to establish better connections and save time. For example, the WireLock low-mating-force automotive-grade connector system is a good option and is USCAR-2 V2-compatible.
It is good practice to design the ECU internal electronics as a fortress. This means that over- or undervoltages (provided that they remain within the selected limits), electrical noise, and short circuits applied to power inputs, digital IO, or data interfaces cannot interrupt the operation of the microcontroller. If the ECU has a power source for the sensors, and this source is shorted or something draws too much current, the microcontroller power should not be affected. Any such errors should be logged, and flags should be set and sent out in the diagnostic data frame on the CAN bus.
Authentication and secret key establishment, providing confidentiality and integrity to the in-vehicle network, make it possible to design a process that does not violate the real-time constraints of automotive CPS applications even in the presence of errors in computation and transmission [41]. Furthermore, it is possible to integrate both security and dependability principles simultaneously in the design of ECUs with a negligible performance, energy, and resource overhead [42]. The ISO 26262 standard requires that at least one critical fault must be tolerated by automotive applications to maintain the intended functionality or to achieve or maintain a safe state [28], and the ASIL risk classification system must be used to mitigate the risks when designing every ECU.
The power system can be built using regular automotive fuses. Today's state-of-the-art cars use electronic protection circuits for replacing fuse and relay boxes [43]. Electronic protection circuits are not only faster but also allow faults to be logged as soon as they occur. In addition to feeding the critical controllers, two separately protected supply lines can be added. For example, the steering controller, when power electronics and their controlling circuits are duplicated, is a good candidate. In this case, if one power line is faulty or short-circuited, the other will continue to work.
If something unexpected happens, then the safety logic is triggered, as shown in Figure 3. It is divided into three stages:

1. Normal braking is usually triggered by a high-level computer or the safety lidar. When there is free room, regenerative braking can be used, followed by normal braking if needed;
2. The emergency brake is triggered when the emergency STOP switch is pressed, the front safety lidar sees something that is too close, or the safety monitoring controller is triggered by some fatal error;
3. An emergency shutdown may be followed by emergency braking when the emergency STOP switch is pressed (for example, because there is smoke in the cabin and a risk of fire), the crash detection system is triggered, or some serious error is detected. Emergency shutdown disables the high-voltage traction battery.
Normal and emergency braking is based on brake-by-wire (BBW) technology, which should cooperate with the regenerative braking system controlled by the drive controller ECU. The hydraulic brake system is made controllable by replacing the master cylinder with a gear pump. The intensity of the braking depends on the pressure of the brake fluid. The speed of the pump is controlled according to the feedback from the brake fluid pressure sensor and the required braking force sent by the high-level control system. A valve must be opened to release the brake. One of the biggest disadvantages of this system is that it is difficult to release the brake precisely and smoothly. The solution is to develop a distributed brake-by-wire system, as proposed in [44], which has a hydraulic actuator for every wheel. This provides flexible and precise braking force control with shorter or no brake pipes. A disadvantage of this system is the lack of freely available brake components.
Bosch developed a brake booster system called iBooster, which is used in Tesla and other cars capable of automatic driving. The brake pressurization rate of the iBooster is three times that of the conventional braking system, and it was meant to replace vacuum brake boosters [45]. Bosch iBooster is available as a spare part, but further research and testing are required to control it over the CAN bus. iBooster is compatible with the classic hydraulic braking system. In addition to normal brakes, a parking brake is also available in the iseAuto AV shuttle, controlled by an electric drive. This is intended primarily to prevent the vehicle from moving on its own but can be used in an emergency when the main brake is not working.
Self-driving vehicles do not have a driver who can detect problems directly. One of the most likely problems is a low tire pressure or flat tire. Tire pressure plays an important role in safety and energy consumption. If the AI and high-level decision-making layer of the self-driving vehicle are not alerted to this issue, a dangerous situation can arise. Today's vehicles use a tire-pressure monitoring system (TPMS). The TPMS measures the air pressure inside the pneumatic tires. Inside the stem of every wheel, an electronic unit is located that contains a pressure sensor, microcontroller, radio link, and battery. The TPMS control ECU has a radio receiver that reads pressure information. Methods to implement TPMS systems have been described [46], but in most cases, such systems are intended to warn the driver.
The new iseAuto AV shuttle should be equipped with some sort of TPMS to make it safer. As a further development of the TPMS, it is possible to detect dangerous impacts on tires (by measuring pressure spikes) when a vehicle accidentally drives against a road curb or against some object on the road. If the TPMS is triggered, the vehicle should probably park safely, so as not to obstruct traffic, and call for help.

Conclusions
The final results of the study can be outlined as follows.

• An MCDM risk evaluation model was developed for safety system assessment;
• A list of prioritized risks was developed, as presented in Table 9;
• The most critical risks were determined to be cyber hacking, low-level software failure, and electrical failure.
First, the criteria and risks were defined in a previous study by the authors. Drawing on the results of that study, the seven criteria and ten risks were formulated and described.
Next, the criteria were prioritized by applying the fuzzy analytical hierarchy process. As a result, the sensor system (reliability of the sensors), the performance of low-level cyber-physical systems, and the malfunctioning of AV mechanical components were identified as the most important criteria for decision-making.
Finally, the risks were prioritized by utilizing the Technique for Order of Preference by Similarity to Ideal Solution method. As a result, cyber hacking, low-level software failure, and electrical failure were found to be the most critical risks for the current case study.
Based on the analysis of the highest risk affecting full system safety, low-level system safety criteria were selected in this research as an improvement option. The main ideas for testing of the improved solution for the low-level system architecture were proposed and briefly analyzed in the context of a particular AV shuttle-the TalTech iseAuto.
The information provided by the ranking of the criteria and risks consists only of positions, as a rule, without indicating how far the values are from each other. The crisp weights of the criteria and the similarity values of the risks provide more detailed and valuable information for the further improvement of mobile robot systems.
The approach proposed here may be used to simplify decision-maker's judgments and to handle uncertainty caused by these judgments. The risks identified here are rather universal, applicable not only to a specific autonomous shuttle design, but also to similar outdoor mobile robots and other low-speed automated vehicles. The risk evaluation results