Worst-Case Failover Timing Analysis of Distributed Fail-Operational Automotive Applications

Philipp Weiss (1,a), Sherif Elsabbahy (1,b), Andreas Weichslgartner (2) and Sebastian Steinhorst (1,c)
(1) Technical University of Munich, Germany
(a) Philipp.Weiss@tum.de
(b) Sherif.Elsabbahy@tum.de
(c) Sebastian.Steinhorst@tum.de
(2) AUDI AG, Germany
andreas.weichslgartner@audi.de

ABSTRACT


Enabling fail-operational behavior of safety-critical software is essential to achieve autonomous driving. At the same time, automotive vendors have to deliver over-the-air software updates regularly. The challenge is to enable flexible and dynamic system behavior while, at the same time, preserving the predictable and deterministic behavior of time-critical software. It is therefore necessary to verify that timing constraints can still be met during failover scenarios. For this purpose, we present a formal analysis that derives the worst-case application failover time. Without such an automated worst-case failover timing analysis, dynamic behavior of safety-critical software could not be enabled within safe bounds. We support our formal analysis with experiments on a hardware platform running a distributed fail-operational neural network. The worst-case failover times we measured across randomly generated scenarios come as close as 6.0% below our analytically derived bound. Overall, the presented worst-case failover timing analysis allows an automated analysis to be conducted at run-time to verify that the system operates within the failover timing constraint, so that dynamic and safe behavior of autonomous systems can be ensured.


