Formal analysis of feature degradation in fault-tolerant automotive systems

Safety critical fault-tolerant embedded systems have to react properly on failures of internal system elements to avoid failure propagation and finally a harmful external failure at the system boundary. Beside failure detection, actions for failure handling are essential to cover safety requirements. Actions reach from enabling fail-silent, fail-safe or fail-operational behavior of system elements, or also hybrids of this in a mixed criticality system design. Graceful degradation can be applied when system resources become insufficient, reducing the set of provided functional features. In this paper, we address mixed criticality and mixed reliability automotive systems. We consider mixed reliability by functional features having different fail-operational requirements. Beside pure fail-operational features, we also consider degradations of functional features, called fail-degraded features. We describe a formal system model that contains, i.a., the functional features of a vehicle, possible feature degradations, software components that realize the features, as well as the deployment of software components to execution units. We provide a structural analysis of the level of degradation on system level and feature level, which is required in scenarios of failing execution units and/or software components. Combined with this analysis, we synthesize valid deployments of software components to execution units, incorporating an adequate level of redundancy to meet the fail-operational requirements, if feasible. We apply our approach to a constructed automotive example.