Level 4 Automated Driving Systems (ADS) must be fail-operational. Thus, any safe ADS must be a distributed fault-tolerant computer system in which subsystems cooperate to achieve the overall system’s purpose. However, a faulty subsystem may hinder the system from achieving it. Thus, in this talk, I’ll first present a method using the SAL model checker that analyses the system-wide impact of a faulty subsystem. Next, I will show for a concrete ADS that, as long as only one subsystem fails, the system will work correctly. However, all bets are off when more than one subsystem fails. Therefore, I will present a second method using the PRISM model checker to calculate the mean time to system failure, i.e., the expected time until multiple subsystems have failed.
Wilfried Steiner received a degree of Doctor of Technical Sciences and the Venia Docendi in Computer Science, both from the Vienna University of Technology, Austria (in 2005 and 2018, respectively). From 2009 to 2012, he was awarded a Marie Curie International Outgoing Fellowship hosted by SRI International in Menlo Park, CA. His research is focused on dependable cyber-physical systems for which he designs algorithms and network protocols with real-time, dependability, and security requirements. Wilfried Steiner has been the SAE AS6802 (Time-Triggered Ethernet) editor and served multiple years as a voting member in the IEEE 802.1, standardizing time-sensitive networking (TSN). He is the Director of the TTTech Labs, which acts as the center for strategic research within the TTTech Group.