Towards Fail-Operational Systems on Controller Level Using Heterogeneous Multicore SoC Architectures and Hardware Support

In recent automotive systems, more and more applications are classified as safety related and hence are assigned an automotive safety integrity level (ASIL) according to ISO26262. Especially in the context of advanced driver assistance systems (ADAS) and automated driving, safety, reliability and availability requirements are ever increasing. In upcoming systems, a classical fail-safe design will not be sufficient in order to fulfill these requirements, and hence fail-operational systems will be essential. This holds especially true when it comes to automated driving levels 4 and 5. On the other hand, well-known approaches from the avionics industry are ill-suited for the use in automotive systems due to space, weight and power (SWAP) restrictions. This motivates the research on new, lightweight approaches for embedded fail-operational systems. In this contribution, an approach that allows for dynamic migration of safety functions at runtime from an application system to a stand-by fallback system is presented and evaluated. The concept claims to be a fail-operational architecture on controller-level, not dealing with the integration in the whole (sub-) system context. It makes use of a heterogeneous multicore architecture with reconfigurable logic as well as lock-step cores for a proof of concept and a prototypical implementation. In response to detected faults within the application cores, a switch to a safety back-up system is triggered and the system state is handed over. It is shown that the approach is working with low overhead in software and is transparent for the software developer. Finally, the needed latencies for the switchover to the fallback system are examined and presented.