Fail-operational architecture with functional safety monitors for automated driving system

What is claimed is: 1. A computer-implemented method of safely navigating an autonomous driving vehicle (ADV) having an automated driving system and a safety monitor system that operates in parallel with the automated driving system, the method comprising: determining, by the automated driving system, a route to navigate the ADV based at least in part upon localizing the ADV in a high-definition (HD) map in view of one or more objects surrounding the ADV perceived using a plurality of sensors of the ADV; while the automated driving system navigates the ADV along the route, performing, by the safety monitor system: receiving, from the automated driving system, localization information and a list of the one or more objects surrounding the ADV perceived using the plurality of sensors; monitoring and dynamically adjusting stored effective sensor coverage area of each of the plurality of sensors of the ADV; defining one or more safe drivable areas, based at least in part on the route and based on other drivable areas not on the route in a region of interest around the ADV, and based on the dynamically adjusted effective sensor coverage area of each of the plurality of sensors of the ADV; and modifying one or more of a plurality of navigation control inputs of the automated driving system in response to determining, by the safety monitor system, that a fail-operational safety action is required based on monitoring the dynamically adjusted effective sensor coverage area and the localization information. 2. The method of claim 1 , wherein modifying one or more of the plurality of navigation control inputs comprises: determining that a localization system of the automated driving system fails to correctly locate the ADV within the HD map; and modifying one or more control inputs to stop the ADV. 3. The method of claim 1 , wherein modifying one or more of the plurality of navigation control inputs comprises: determining that the monitored and dynamically adjusted effective sensor coverage area of a sensor in a perception system of the automated driving system is too small for a current speed of the ADV; and reducing a throttle input, and/or increasing a braking input, of the plurality of navigation control inputs, to reduce the current speed of the ADV. 4. The method of claim 1 , further comprising, in response to determining that the fail-operational safety action is not required, executing the plurality of control inputs of the automated driving system to navigate the ADV along the route. 5. The method of claim 1 , wherein monitoring and dynamically adjusting the stored effective sensor coverage area of each of the plurality of sensors of the ADV includes comparing, for each static object in the list of one or more objects, a location of the static object in the HD map and an ability of the sensor to correctly identify and locate the static object; and wherein defining safe drivable areas further comprises: identifying a plurality of objects representing obstacles to the ADV along the route; generating a plurality of safety critical objects surrounding the ADV, based at least in part on the plurality of objects and the effective sensor coverage area of each of the plurality of sensors of the ADV, and; determining a plurality of safe areas to navigate the ADV taking into account the plurality of safety-critical objects. 6. The method of claim 1 , wherein the safe drivable areas comprise areas that are in addition to areas considered by an ADV planning module when generating the route. 7. The method of claim 1 , wherein modifying one or more of the plurality of navigation control inputs comprises generating control inputs to perform one of: navigating to one of the safe drivable areas and stopping the ADV; or stopping the ADV. 8. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations of safely navigating an autonomous driving vehicle (ADV) having an automated driving system and a safety monitor system that operates in parallel with the automated driving system, the operations comprising: determining, by the automated driving system, a route to navigate the ADV based at least in part upon localizing the ADV in a high-definition (HD) map in view of one or more objects surrounding the ADV perceived by a plurality of sensors of the ADV; while the automated driving system navigates the ADV along the route, performing, by the safety monitor system: receiving, from the automated driving system, localization information and a list of the one or more objects surrounding the ADV perceived using the plurality of sensors; monitoring and dynamically adjusting stored effective sensor coverage area of each of the plurality of sensors of the ADV; defining one or more safe drivable areas, based at least in part on the route and on other drivable areas in a region of interest around the ADV, and based on the dynamically adjusted effective sensor coverage area of each of the plurality of sensors of the ADV; and modifying one or more of a plurality of navigation control inputs of the automated driving system in response to the safety monitor system determining, by the safety monitor system, that a fail-operational safety action is required based on monitoring the dynamically adjusted effective sensor coverage area and the localization information. 9. The medium of claim 8 , wherein modifying one or more of the plurality of navigation control inputs comprises: determining that a localization system of the automated driving system fails to correctly locate the ADV within the HD map; and modifying one or more control inputs to stop the ADV. 10. The medium of claim 8 , wherein modifying one or more of the plurality of navigation control inputs comprises: determining that the monitored and dynamically adjusted effective sensor coverage area of a sensor in a perception system of the automated driving system is too small for a current speed of the ADV; and reducing a throttle input, and/or increasing a braking input, of the plurality of navigation control inputs, to reduce the current speed of the ADV. 11. The medium of claim 8 , further comprising, in response to determining that the fail-operational safety action is not required, executing the plurality of control inputs of the automated driving system to navigate the ADV along the route. 12. The medium of claim 8 , wherein the monitoring and dynamically adjusting the stored effective sensor coverage area of each of the plurality of sensors of the ADV includes comparing, for each static object in the list of one or more objects, a location of the static object in the HD map and an ability of the sensor to correctly identify and locate the static object; and wherein defining safe drivable areas further comprises: identifying a plurality of objects representing obstacles to the ADV along the route; generating a plurality of safety critical objects surrounding the ADV, based at least in part on the plurality of objects and the effective sensor coverage area of each of the plurality of sensors of the ADV, and; determining a plurality of safe areas to navigate the ADV taking into account the plurality of safety-critical objects. 13. The medium of claim 8 , wherein the safe drivable areas comprise areas that are in addition to areas considered by an ADV planning module when generating the route to navigate the ADV. 14. The medium of claim 8 , wherein modifying one or more of the plurality of navigation control inputs comprises generating control inputs to perform one of: navigating to one of th