Connected Dependability Cage: Run-Time Function and Anomaly Monitoring for the Development and Operation of Safe Automated Vehicles

📅 2026-04-30
🤖 AI Summary
This study addresses the dual challenges of functional safety and Safety of the Intended Functionality (SOTIF) in high-level automated driving systems operating in dynamic, unknown environments, where reliable performance is difficult to ensure under system failures or exposure to scenarios absent from training data. The authors propose a hierarchical fault-tolerant architecture that, for the first time, integrates a functional monitor—based on voting consensus among multi-channel heterogeneous AI perception modules—and an anomaly monitor designed to detect unknown or novel objects within a unified framework. This integration enables runtime-triggered minimal-risk maneuvers, safe degradation, and data logging, thereby establishing a closed-loop safety enhancement mechanism spanning development and operational phases. Real-world vehicle tests demonstrate that this dual-monitor approach significantly improves system robustness and safety in unseen scenarios while complying with ISO 26262 and SOTIF requirements.
📝 Abstract
The advancement of automated vehicles introduces complex safety challenges, particularly in dynamic and unpredictable environments where AI-enabled perception systems must operate reliably. Ensuring compliance with safety standards such as ISO 26262 and ISO/PAS 21448 (SOTIF) is essential for addressing system malfunctions and mitigating unsafe behavior in unknown scenarios. However, as automation levels increase, vehicles must go beyond conventional functional safety by incorporating fail-operational capabilities that enable continued safe operation during system or component failures and the handling of unfamiliar or degraded operational conditions. To address these safety concerns, we propose the Connected Dependability Cage, an architectural framework designed to enable hierarchical fail-operational behavior in AI-enabled perception systems. This framework integrates two complementary monitoring mechanisms: a Function Monitor that oversees multiple heterogeneous AI-based perception pipelines and detects inconsistencies through a voting mechanism, and an Anomaly Monitor that evaluates the reliability of AI perception by detecting unknown or novel objects in scenes that may be excluded from the training dataset. In the presence of critical discrepancies, the system supports graceful degradation, ultimately enabling a transition to a minimal-risk maneuver strategy. Furthermore, whenever either monitor raises a safety flag, an automated data recording process is initiated to facilitate iterative system development and continuous improvement. Both monitors have been implemented and validated through extensive vehicle testing, demonstrating their practical effectiveness in real-world applications.
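To make the two monitoring mechanisms described in the abstract concrete, the following added example (not code from the paper or its authors) sketches a Function Monitor that votes across three heterogeneous perception channels, an Anomaly Monitor that flags objects of unknown class or high novelty, and a supervisor that degrades gracefully, escalates to a minimal-risk maneuver, and records every flagged frame for later development use. The channel outputs, class list, IoU and novelty thresholds, and the escalation policy (degrade on the first discrepancy, latch into MRM after three consecutive flagged frames or total loss of consensus) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example: classes the hypothetical perception channels were trained on.
KNOWN_LABELS = {"car", "truck", "pedestrian", "cyclist"}

@dataclass(frozen=True)
class Detection:
    label: str                 # class predicted by one perception channel
    box: tuple                 # (x1, y1, x2, y2) pixel box
    novelty: float = 0.0       # hypothetical out-of-distribution score, 1.0 = far from training data

def iou(a, b):
    """Intersection over union of two (x1, y1, x2, y2) boxes."""
    iw = max(0, min(a[2], b[2]) - max(a[0], b[0]))
    ih = max(0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = iw * ih
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union else 0.0

def function_monitor(channels, iou_min=0.5, quorum=2):
    """Vote across heterogeneous channels (each a list of Detection).
    A detection is confirmed when at least `quorum` channels report the same
    label at an overlapping box; anything below quorum is an inconsistency."""
    pool = [(i, d) for i, ch in enumerate(channels) for d in ch]
    used, consensus, disagreement = set(), [], []
    for i, d in pool:
        if (i, d) in used:
            continue
        supporters, members = {i}, [(i, d)]
        for j, e in pool:
            if (j not in supporters and (j, e) not in used
                    and e.label == d.label and iou(d.box, e.box) >= iou_min):
                supporters.add(j)
                members.append((j, e))
        used.update(members)
        (consensus if len(supporters) >= quorum else disagreement).append(d)
    return consensus, disagreement

def anomaly_monitor(detections, novelty_max=0.7):
    """Flag objects outside the training distribution: unknown class or high novelty score."""
    return [d for d in detections if d.label not in KNOWN_LABELS or d.novelty >= novelty_max]

class Mode(Enum):
    NOMINAL = "nominal"
    DEGRADED = "degraded"            # e.g. reduced speed, restricted operating domain
    MRM = "minimal_risk_maneuver"    # latching: stays until an explicit reset

class Supervisor:
    """Combines both monitors, escalates the mode, and records flagged frames for development feedback."""
    def __init__(self, escalate_after=3):
        self.escalate_after = escalate_after
        self.mode = Mode.NOMINAL
        self.flagged_frames = 0      # consecutive frames with at least one flag
        self.log = []                # recorded evidence for offline analysis / retraining

    def step(self, frame_id, channels):
        consensus, disagreement = function_monitor(channels)
        anomalies = anomaly_monitor(consensus + disagreement)
        flags = [name for name, hits in (("function_monitor", disagreement),
                                         ("anomaly_monitor", anomalies)) if hits]
        if not flags:
            self.flagged_frames = 0
            if self.mode is Mode.DEGRADED:      # recover only from DEGRADED; MRM latches
                self.mode = Mode.NOMINAL
            return self.mode, flags
        self.flagged_frames += 1
        self.log.append({"frame": frame_id, "flags": flags, "channels": channels})
        if self.flagged_frames >= self.escalate_after or not consensus:
            self.mode = Mode.MRM               # persistent flags or no trustworthy perception left
        elif self.mode is Mode.NOMINAL:
            self.mode = Mode.DEGRADED          # graceful degradation on the first discrepancy
        return self.mode, flags

# Constructed frames from three hypothetical channels (e.g. camera CNN, lidar clustering, camera transformer).
CAR = [Detection("car", (100, 100, 200, 180)), Detection("car", (105, 102, 198, 182)),
       Detection("car", (98, 99, 202, 181))]
PED = Detection("pedestrian", (300, 100, 340, 200))
UNK = Detection("unknown", (400, 120, 460, 200), novelty=0.9)
FRAMES = [
    [[CAR[0]], [CAR[1]], [CAR[2]]],                       # all channels agree
    [[CAR[0]], [CAR[1]], [CAR[2], PED]],                  # one channel reports an extra pedestrian
    [[CAR[0], UNK], [CAR[1], UNK], [CAR[2], UNK]],        # consistent, but a novel object appears
    [[CAR[0], UNK], [CAR[1], UNK], [CAR[2], UNK]],        # the novel object persists
    [[CAR[0]], [CAR[1]], [CAR[2]]],                       # clean again, yet MRM latches
]

def run_scenario(frames=FRAMES, escalate_after=3):
    """Returns the per-frame (mode, flags) trace and the supervisor's recorded log."""
    sup = Supervisor(escalate_after)
    trace = [sup.step(k, ch) for k, ch in enumerate(frames)]
    return trace, sup.log

if __name__ == "__main__":
    for k, (mode, flags) in enumerate(run_scenario()[0]):
        print(k, mode.value, flags)
```

Running the scenario shows the intended progression: the lone pedestrian report puts the vehicle into the degraded mode, the repeated unknown object escalates it to the minimal-risk maneuver, and the three flagged frames end up in the log even though the final frame is clean. The quorum-based vote deliberately tolerates a single silent channel (two of three still confirm the car), which is the fail-operational behaviour the abstract asks for.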
Problem (keywords): automated vehicles, functional safety, SOTIF, AI perception, fail-operational
Innovation (keywords): Connected Dependability Cage, fail-operational, Function Monitor, Anomaly Monitor, graceful degradation
Authors
Iqra Aslam, Institute for Software and System Engineering, Clausthal University of Technology, Germany
Nour Habib, Institute for Software and System Engineering, Clausthal University of Technology, Germany
Abhishek Buragohain, Institute for Software and System Engineering, Clausthal University of Technology, Germany
Meng Zhang, Institute for Software and System Engineering, Clausthal University of Technology, Germany
Andreas Rausch, Full Professor for Software Systems Engineering, Institute for Software & Systems Engineering, TU
Research interests: Software Systems Engineering; Requirements Engineering and Software Architecture; Design and Modeling; Engineering Processes; Process Management
Vaibhav Tiwari, Institute for Software and System Engineering, Clausthal University of Technology, Germany
Mohamed Benchat, Institute for Software and System Engineering, Clausthal University of Technology, Germany