Reliability of fault-tolerant system architectures for automated driving systems

TL;DR

This paper evaluates how different fault-tolerant architectures for automated driving systems impact overall reliability, emphasizing the importance of design choices in sensor and CPU configurations for safety-critical applications.

Contribution

It provides a comparative analysis of single and multi-ECU architectures using Markov models to quantify their reliability and fault tolerance in automated driving systems.

Findings

Multi-ECU architectures offer better robustness against dependent failures.

Reliability is highly dependent on system architecture and component failure rates.

Trade-offs exist between reliability and self-diagnostics in different architectures.

Abstract

Automated driving functions at high levels of autonomy operate without driver supervision. The system itself must provide suitable responses in case of hardware element failures. This requires fault-tolerant approaches using domain ECUs and multicore processors operating in lockstep mode. The selection of a suitable architecture for fault-tolerant vehicle systems is currently challenging. Lockstep CPUs enable the implementation of majority redundancy or M-out-of-N ($M$oo$N$) architectures. In addition to structural redundancy, diversity redundancy in the ECU architecture is also relevant to fault tolerance. Two fault-tolerant ECU architecture groups exist: architectures with one ECU (system on a chip) and architectures consisting of multiple communicating ECUs. The single-ECU systems achieve higher reliability, whereas the multi-ECU systems are more robust against dependent failures, such as common-cause or cascading failures, due to their increased potential for diversity redundancy. Yet, it remains not fully understood how different types of architectures influence the system reliability. The work aims to design architectures with respect to CPU and sensor number, $M$oo$N$ expression, and hardware element reliability. The results enable a direct comparison of different architecture types. We calculate their reliability and quantify the effort to achieve high safety requirements. Markov processes allow comparing sensor and CPU architectures by varying the number of components and failure rates. The objective is to evaluate systems' survival probability and fault tolerance and design suitable sensor-CPU architectures. The results show that the system architecture strongly influences the reliability. However, a suitable system architecture must have a trade-off between reliability and self-diagnostics that parallel systems without majority redundancies do not provide.