CARVE: Certified Affordable Repair of Vetoed Maneuvers via Envelopes for Interactive Driving
Title: CARVE: Certified Affordable Repair of Vetoed Maneuvers via Envelopes for Interactive Driving
Abstract: Standard rule-aware autonomous driving systems often overlook a specific failure mode inherent to interactive driving: an ego vehicle’s candidate maneuver may be deemed infeasible due to a negative hard-rule margin, even though a minor lawful adjustment by a non-priority agent could restore viability. While existing safety mechanisms like rulebooks, shields, and reachability filters excel at rejecting unsafe actions, and prediction-based planners anticipate probable responses, neither provides a runtime proof object. Such an object is necessary to specify which bounded, multi-agent edit repairs the maneuver, identify the responsible party, confirm if the request is affordable within right-of-way constraints, and define the ego vehicle’s fallback if the request goes unheeded.
To address this gap, we introduce interactive repair certification and present CARVE, a prediction-free certificate layer built upon a finite lattice of tactical operators owned by either the ego vehicle or other agents. Agent-initiated requests are permitted only within $B_j(s) = \beta(\pi_j)\alpha_j^{\max}(s)$, a cooperation envelope that distinguishes kinematic reachability from normative priority. The resulting certificate documents the binding rule, repair category, repair set, responsibility-weighted cost allocation, and fallback strategy.
Evaluation on 589 INTERACTION replay episodes, grounded in Lanelet2 geometry, demonstrates that CARVE-Greedy accepts 98.64% of initially vetoed maneuvers and successfully recovers 370 out of 378 false vetoes resolved by humans. Crucially, it maintains 589/589 instances of right-of-way respect, achieves zero false positives for priority agents, and correctly handles all 400 negative-stress vetoes. We formally prove the soundness of the certificate, ensuring structural right-of-way respect, exact finite-lattice minimality, fallback contingency, and blame consistency. CARVE does not rely on predicting or assuming other drivers’ compliance; instead, it certifies whether a proposed interaction is bounded, attributable, and normatively admissible under stated assumptions.
Source: arXiv Generated at: 2026-06-03 00:00:00 UTC
