Reliability of fault-tolerant system architectures for automated driving systems Tim M. Julitz Chair for Product Safety and Quality Engineering University of Wuppertal Germany.
Reliability of fault-tolerant system architectures for automated driving systems
Tim M. Julitz
Chair for Product Safety and Quality Engineering, University of Wuppertal, Germany.
E-mail: julitz@uni-wuppertal.de
Antoine Tordeux
Chair for Reliability and Traffic Safety, University of Wuppertal, Germany. E-mail: tordeux@uni-wuppertal.de
Manuel Löwer
Chair for Product Safety and Quality Engineering, University of Wuppertal, Germany.
E-mail: loewer@uni-wuppertal.de
Automated driving functions at high levels of autonomy operate without driver supervision. The system itself must
provide suitable responses in case of hardware element failures. This requires fault-tolerant approaches using domain
ECUs and multicore processors operating in lockstep mode. The selection of a suitable architecture for fault-tolerant
vehicle systems is currently challenging. Lockstep CPUs enable the implementation of majority redundancy or M-
out-of-N (MooN) architectures. In addition to structural redundancy, diversity redundancy in the ECU architecture
is also relevant to fault tolerance. Two fault-tolerant ECU architecture groups exist: architectures with one ECU
(system on a chip) and architectures consisting of multiple communicating ECUs. The single-ECU systems achieve
higher reliability, whereas the multi-ECU systems are more robust against dependent failures, such as common-cause
or cascading failures, due to their increased potential for diversity redundancy. Yet, it is not yet fully understood
how different types of architectures influence the system reliability. This work aims to design architectures with
respect to CPU and sensor number, MooN expression, and hardware element reliability. The results enable a direct
comparison of different architecture types. We calculate their reliability and quantify the effort needed to achieve high
safety requirements. Markov processes allow us to compare sensor and CPU architectures by varying the number of
components and the failure rates. The objective is to evaluate the systems' survival probability and fault tolerance and to design
suitable sensor-CPU architectures. The results show that the system architecture strongly influences the reliability.
However, a suitable system architecture must strike a trade-off between reliability and self-diagnostics, which parallel
systems without majority redundancy do not provide.
Keywords: Autonomous driving, Advanced driver-assistance system, Fault tolerance, Fail operational, Hardware
architecture, Markov process
arXiv:2210.04040v1 [cs.CY] 8 Oct 2022
1. Introduction
The draft law amending the road traffic code and the compulsory vehicle insurance in Germany takes the
development of automated vehicle systems to the next level (Ludewig and Grieser, 2021). The law creates
the conditions for the use of highly automated vehicles (SAE level 4; On-Road Automated Driving
(ORAD) Committee, 2021) in public road traffic. Already in 2017, the eighth amendment to the road
traffic code came into force, enabling the operation of level 3 vehicles. The beginnings of research on
vehicle automation go back to the PROMETHEUS project, which started in 1986 and laid the foundations
of today’s commercial driver assistance systems up to level 2 (Williams, 1988). Some examples are the
distance cruise control Distronic Plus and the emergency brake assistant Pre-Safe from Daimler. The
next milestones in the development of autonomous vehicles were achieved with the launch of the DARPA
Challenges in 2004. In 2005, driverless vehicles made their way over 212 km through the Mojave Desert,
focusing on autonomous navigation (Crane, 2007). In the follow-up project in 2007, urban traffic was
simulated on an abandoned Air Force base (Buehler et al., 2009).
A large number of software architectures emerged from the DARPA Challenges, which have one
essential thing in common: the architectures are divided into modules that fulfil different functions.
The modules essentially consist of localisation, perception and vehicle control (Reke et al., 2020). The
team behind the 2005 winning vehicle identified some significant problems. The developed vehicle was able to
drive successfully in a static environment, but navigation through road traffic was not possible due to
the insufficient reliability of the system (Thrun et al., 2006). The hardware architecture of the vehicle
consisted of six computers that performed various functions. Watchdogs monitored the states of software
and hardware in order to restart the system in case of failure.
During the 2007 DARPA Challenge, significant successes were achieved in the monitored urban
environment. The first-place vehicle system relied on different modes of operation: a normal state and
a recovery state (Urmson et al., 2008). The recovery state is triggered when objects block the planned
path, objects are detected too late, or actions are kinematically infeasible. Four algorithms are used to return
to normal operation, which essentially consist of replanning paths and increasing the safety margin
(Urmson et al., 2008). The software-based solutions increase robustness. The hardware-based
measures consist of a dual-core CPU and the combination of various sensors. However, the reliability
and robustness of the vehicle were not sufficient to drive in real road traffic, which is considerably more
complex than the monitored environment. Although the vehicle was able to recover from many fault
conditions, the time required to do so was considerable, up to ten minutes, which is not acceptable in the
real environment. Therefore, the developed system cannot be classified as SAE level 4.
In the last ten years, many projects from industrial and academic organisations have further advanced the
state of the art. On the way to SAE level 4 driverless operation (On-Road Automated Driving (ORAD)
Committee, 2021), repeated accidents of autonomous vehicles show that further research is needed
to increase the safety, reliability and robustness of automated driving systems (Daily et al., 2017).
The elimination of the human fallback level requires fault-tolerant approaches to system modelling
that cannot be implemented by simple redundancy. The principles of fault tolerance are based on
self-diagnosis, reliability and availability evaluation, reconfiguration and error recovery. Reliability
is usually increased by structural redundancy. Availability indicates whether a system is functioning
at a certain point in time and can be influenced by diversity redundancy, operational independence,
or asymmetric system architectures. These principles are already applied in traditional safety-critical
systems, which can be found in aviation, rail transport, space travel, military or nuclear power plants,
among others. They are also becoming increasingly important in the automotive literature, see, e.g.,
Baleani et al. (2003); Kohn et al. (2015); Ishigooka et al. (2018); Schmid et al. (2019); Lin et al. (2018);
Sari (2020). The development of a fault-tolerant system architecture remains one of the most
important challenges for the market introduction of autonomous vehicles (Daily et al., 2017).
In this contribution, we aim to analyse and compare different types of redundant and fault-tolerant
architectures, including parallel and MooN systems, using Markovian processes. The contribution is
organised as follows. We present the types of considered architecture models in Sec. 2. The modelling
and analysis of the models using Markovian processes are detailed in Sec. 3. Numerical results for
different types of architectures are presented in Sec. 4 and discussed in Sec. 5.
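As an added illustration of the Markov-process analysis outlined above (example code written for this page, not the authors' model or code): an M-out-of-N architecture with N identical elements of constant failure rate lam is modelled as a continuous-time Markov chain over the number of working elements, and its survival probability R(t) is obtained by integrating the Kolmogorov forward equations. The common-cause rate lam_cc is an added assumption (a beta-factor-style term) used only to show the dependent-failure effect the abstract mentions; all numeric values are constructed.

```python
import math

def moon_generator(n, m, lam, lam_cc=0.0):
    """Generator matrix Q of the CTMC. State k = number of working elements
    (0..n). Independent failures move k -> k-1 at rate k*lam. A common-cause
    event (rate lam_cc, an assumed beta-factor-style term, not from the paper)
    takes any 'up' state (k >= m) straight to k = 0."""
    size = n + 1
    q = [[0.0] * size for _ in range(size)]
    for k in range(1, size):
        q[k][k - 1] += k * lam
        if k >= m and lam_cc > 0:
            q[k][0] += lam_cc
        q[k][k] = -sum(q[k])       # rows of a generator sum to zero
    return q

def moon_survival(n, m, lam, t, lam_cc=0.0, steps=2000):
    """R(t) = P(at least m of n elements working at time t): integrate the
    Kolmogorov forward equations dp/dt = p*Q with classical RK4, starting
    from the state in which all n elements work."""
    q = moon_generator(n, m, lam, lam_cc)
    size = n + 1
    p = [0.0] * size
    p[n] = 1.0
    h = t / steps
    def rhs(vec):
        return [sum(vec[i] * q[i][j] for i in range(size)) for j in range(size)]
    for _ in range(steps):
        k1 = rhs(p)
        k2 = rhs([p[i] + 0.5 * h * k1[i] for i in range(size)])
        k3 = rhs([p[i] + 0.5 * h * k2[i] for i in range(size)])
        k4 = rhs([p[i] + h * k3[i] for i in range(size)])
        p = [p[i] + h / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(size)]
    return sum(p[m:])           # probability mass on the 'up' states k >= m

def moon_closed_form(n, m, lam, t, lam_cc=0.0):
    """Reference solution for identical independent elements: binomial sum
    times the survival probability of the common-cause event."""
    r = math.exp(-lam * t)
    indep = sum(math.comb(n, k) * r ** k * (1 - r) ** (n - k) for k in range(m, n + 1))
    return math.exp(-lam_cc * t) * indep

if __name__ == "__main__":
    lam, t = 1e-4, 1000.0  # constructed values: 1e-4 failures/h, 1000 h mission
    for label, n, m in (("1oo1", 1, 1), ("1oo3", 3, 1), ("2oo3", 3, 2), ("3oo5", 5, 3)):
        print(f"{label}: R({t:.0f} h) = {moon_survival(n, m, lam, t):.6f}",
              f"(closed form {moon_closed_form(n, m, lam, t):.6f})")
```

With these constructed rates the 1oo3 parallel system is more reliable than the 2oo3 majority system, which in turn beats a single element; the 2oo3 arrangement is what allows a majority vote to diagnose a faulty element, the trade-off the abstract refers to.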
2. Architecture models
Many different redundant system architectures exist in the literature. In the databases of Springer, the
IEEE Xplore Digital Library, the Wiley Online Library and the ACM Digital Library, the keywords "fail
operational", "autonomous driving architecture", "fallback strategy", "MooN redundancy", "system on
a chip", "reliability" and "functional safety" are currently frequently used. Indeed, MooN redundancy
configurations allow flexible operation of systems, compatible with recovery and self-diagnosis processes.
These characteristics are well suited to the automation of complex systems, and especially to the automation
of driving. In Sari (2020), the hardware components of a fault-tolerant system architecture are defined