Fail-Operational Automotive Software Design Using Agent-Based Graceful Degradation
Philipp Weiss (1, a), Andreas Weichslgartner (2), Felix Reimann (3) and Sebastian Steinhorst (1, b)
(1) Technical University of Munich
(a) philipp.weiss@tum.de
(b) sebastian.steinhorst@tum.de
(2) Audi Electronics Venture GmbH
andreas.weichslgartner@audi.de
(3) AUDI AG
felix.reimann@audi.de
ABSTRACT
Ensuring fail-operational behavior is critical to enable autonomous driving. With the absence of a driver as a fallback in a failure scenario, it will not be sufficient to use state-of-the-art fail-safe approaches. Here, instead of costly hardware redundancy, graceful degradation can be used by repurposing the allocated resources of non-critical applications for safety-critical applications. However, solving the mapping problem with a state-of-the-art design-time analysis leads to semi-static solutions, where the mapping is fixed and only the task activation is chosen at run-time. Therefore, such solutions are unsuited for future automotive architectures that will be highly customizable and which will include frequent software updates. In this paper, we introduce and analyze the effectiveness of an agent-based approach that finds application mappings at run-time, ensures the fail-operational behavior of safety-critical applications by using graceful degradation, and reconfigures itself after ECU failures. Our results indicate that the number of tolerated ECU failures until a safety-critical application fails can be significantly improved without adding any redundant hardware resources.
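The metric the abstract reports, the number of ECU failures tolerated before a safety-critical application can no longer be mapped, is illustrated below with a small simulation added here; it is not the paper's agent-based mapper (which the abstract does not detail) but a simple centralized greedy remapping over a constructed three-ECU system, comparing plain remapping against remapping that may degrade non-critical applications to free resources.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    load: int        # resource demand on its host ECU (abstract units)
    critical: bool   # safety-critical apps must always stay mapped

@dataclass
class Ecu:
    name: str
    capacity: int
    apps: list = field(default_factory=list)

    def used(self, only_critical=False):
        return sum(a.load for a in self.apps if a.critical or not only_critical)

    def free(self):
        return self.capacity - self.used()

def place(app, ecus, degrade):
    """Map app on a live ECU with spare capacity. With degrade=True, a critical app
    may evict non-critical apps (graceful degradation) to make room for itself."""
    for ecu in ecus:
        if ecu.free() >= app.load:
            ecu.apps.append(app); return True
    if degrade and app.critical:
        for ecu in ecus:
            if ecu.capacity - ecu.used(only_critical=True) >= app.load:
                # evict non-critical apps, largest first, until the critical app fits
                for victim in sorted((a for a in ecu.apps if not a.critical), key=lambda a: -a.load):
                    if ecu.free() >= app.load: break
                    ecu.apps.remove(victim)
                ecu.apps.append(app); return True
    return False

def tolerated_failures(ecus, failure_order, degrade):
    """Fail ECUs in the given order, remapping displaced apps (critical first).
    Returns the number of ECU failures survived before a critical app is lost."""
    live = list(ecus)
    for survived, victim in enumerate(failure_order):
        ecu = next(e for e in live if e.name == victim)
        live.remove(ecu)
        for app in sorted(ecu.apps, key=lambda a: not a.critical):
            if not place(app, live, degrade) and app.critical:
                return survived
    return len(failure_order)

def build_system():
    """Constructed sample system (assumption, not taken from the paper)."""
    return [Ecu("ECU1", 10, [App("brake", 6, True), App("infotainment", 4, False)]),
            Ecu("ECU2", 12, [App("steer", 6, True), App("navigation", 3, False)]),
            Ecu("ECU3", 10, [App("media", 8, False)])]
```

With the failure order ECU3, ECU1, ECU2, plain remapping loses the brake application at the second failure, while degrading the navigation application on ECU2 keeps both critical applications alive until no ECU is left.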