Engineering and Hardening of Functional Fail-Operational Architectures for Highly Automated Driving

Rising automation levels in the automotive domain demand a shift from the fail-safe to the fail-operational paradigm. Fail-operational architectures and behaviors are inherently more complex and thus require special diligence from a safety engineering point of view. In this work, we present how we tailored and applied a methodology that facilitates the design of fail-operational architectures from early design stages on by enabling informed judgment regarding the gradually evolved architecture's fitness for purpose. The method specifically considers resilience regarding dynamic changes in environmental conditions, including V2X aspects and internal capabilities. In this paper, we summarize our experiences in applying the methodology in a highway pilot case study. Furthermore, we present essential extensions of the methodology for modeling and evaluating the operational design domain.