A New Architecture of Autonomous Vehicles: Redundant Architecture to Improve Operational Safety

The Internet of Things brings comfort to its users. However, the number of connected objects is increasing exponentially, so there is a risk of degrading this comfort through the non-availability of communication services. Autonomous vehicles, a particular case of the Internet of Things, represent the vehicles of tomorrow; to increase their penetration rate into the market and market them at level 5 as electric vehicles (EVs), we must study their reliability and availability. Autonomous vehicles that have a level 5 autonomous drive system must exhibit a high degree of reliability. In this paper, we propose a new architecture based on redundancy, to increase dependability and minimize the risk of a breakdown. We also propose a communication strategy that minimizes the rate of abandoned messages by sharing messages across different networks and switching between DSRC and C-V2X.


Introduction
On the one hand, the capacity of computers and embedded computing [1] as well as artificial intelligence [2] are growing. On the other hand, the number of accidents increases exponentially, and more than 95% of accidents are due to human drivers [3] [4]. Autonomous vehicles [5] are a good candidate for minimizing human driver interventions, or for eliminating the role of the human driver altogether so that the electronic control unit (ECU) takes over the management of the whole vehicle: this is the 5th level of autonomous driving [6].
Fully autonomous vehicles [7] are systems that work in real time. They are very sensitive systems (we are not allowed to make mistakes) where decision-making (trajectory scheduling [8], control and execution, speed) must be done in a very short time. A bad decision can lead to an accident [9].
The major problem preventing researchers and manufacturers from having a robust and reliable cooperative management system [19] is the set of communication problems [13], which can be summarized as a range of around 300m in urban areas [20], a high rate of abandoned messages, and the unavailability of the network. As mentioned, autonomous vehicles are sensitive to the availability of their autonomous systems (hardware part, software part, and communication). In addition, we are not allowed to make mistakes. If, for example, in circulation in the form of Platoons [13], the leader who manages the members of the Platoon fails, the drive system may subsequently cause anomalies in road traffic. For AVs to circulate on the road safely, we must mainly meet the following objective: increasing the availability and reliability of the control/command system that drives the AVs, which has not been studied before.
AVs must make the right decision at the right time; a wrong decision can lead to dangerous situations [21]. These decisions are primarily the choice of travel speed and of longitudinal and lateral direction [22] [23]. So, to make good decisions, the availability of the system must be improved.
In [24], the authors analysed the instantaneous availability of serial repairable systems in a cyberwar environment. They validated their models through simulations, which show that the maintenance capability and an improved repair rate of the fundamental components of systems improve system availability.
In [25], the authors proposed a model of instantaneous availability taking into account the failure of the repair equipment in system maintenance, by exploring the problem of holding wire of several units; this model is validated on a fiber-optic transmission system.
In the literature [24] [25], the instantaneous availability of the system is high if the repair rate is high, since the maintenance and repair of system components require time that influences instantaneous availability.
To our knowledge, there is no work that addresses the problem of instantaneous system availability (communication, hardware, and software), as well as reliability. In this article, we propose a solution to ensure availability and reliability in AVs based on redundancy, to increase operational safety as well as the rate of penetration of AVs on the road. The key contributions of this research are summarized as follows:
• Improving the availability of communication services between vehicles, which is a fundamental part of the circulation of AVs, since data retrieved with a delay can cause dangerous situations. Improved communication quality is achieved by switching from DSRC to C-V2X when a connectivity failure is detected.
• Software redundancy to improve the availability of data processing, so that good decisions are made even in the event of a vehicle ECU failure.
• Reducing communication network traffic by assigning a communication network to each class of messages to be transmitted.
This paper is organized in two parts. In the first part, we present the current architecture (hardware and software) of AVs. We then propose our architecture, which is based on hardware and software redundancy to increase the availability of AV functionality. In the second part, we discuss the simulation results, which show that redundancy increases the operational safety of AVs. Finally, we conclude.

System Model
Autonomous vehicles consist mainly of two parts: a hardware part and a software part. In AVs, the software part allows the hardware part to operate in complete safety. As autonomous vehicles are complex systems managed by the software part, we must ensure the operational safety [26][5] of AVs, which primarily includes reliability and availability, since 80% of failures are due to the software part [27].

Description of the current AV architecture
Currently, AVs are composed of a set of sensors (Lidar, camera) whose purpose is to collect local information and send it over Modbus to a single ECU, which processes the data coming from the sensors and the communication system and makes the decisions. They also have a transmitter/receiver compatible with either DSRC communication [14] or C-V2X cellular communication, whose purpose is to collect information from neighboring vehicles in order to have an autonomous driving system. However, this is not always the case, since the rate of abandoned messages is high and degrades the quality of the decisions taken; the operational safety of the AVs is thereby called into question. We must therefore opt for another architecture that promotes reliability and availability to guarantee operational safety.

Proposed Architecture
AVs with drive level 5 have not yet been achieved, even with the evolution of in-car systems technology. This is caused by several problems, such as:
• The sensors: it is through the sensors that the AVs discover the traffic environment. In some situations, these sensors become blind and call into question the reliability and availability of AV functionality;
• Communication: for the computer to process the correct information on time, connectivity must be ensured. AVs based on DSRC communication suffer a very high rate of dropped packets, and the quality of connectivity deteriorates in dense scenarios;
• Availability: at level 5 the driver cannot intervene in decisions; the vehicle is taken over by the ECU. For this, we must have a powerful and highly available calculator;
• The ringer effects: given the enormous amount of noise on the road, we cannot differentiate whether it is a police stop sign or a passenger on the road.
The degree of automation of systems is increasing for all processes, in particular for autonomous vehicles, whose objective is to reach level 5 automation, where vehicle management does not require driver intervention. In this case, the major drawback is that we are dependent on the availability of the automation systems. Any failure of the ECU, resulting for example from a fault of the ECU hardware or of the driving program, can lead to high damage due to a wrong choice or to the unavailability of the necessary data in adequate time for making decisions: the vehicle in question becomes blind and accidents can occur. Since circulation is in the form of Platoons, an error that occurs will be amplified across all the vehicles that make up the Platoon, and can also be amplified to the other follower Platoons. To increase the reliability and availability of autonomous driving systems for AVs, in our solution we propose a new architecture (Fig. 1) based on hardware redundancy at the ECU and communication level, as well as software redundancy.
The master controller processes the information received from the I/O unit (sensors, actuators) via the local network (Modbus) and the traffic environment information via one of the DSRC, C-V2X or NDN networks. The processed data is saved locally on the storage medium. As traffic data has a large volume, we keep only the information necessary for instantaneous circulation, and the other data is saved in the cloud. The processed data is displayed on the HMI to inform the driver of the condition of his vehicle and of the tasks to be performed.

Hardware Redundancy
The concept of redundancy is the duplication, triplication, etc. of one or more components of a system that perform the same function. There are two types of redundancy: hardware redundancy and software redundancy. Hardware redundancy can involve several components, such as the ECU, power supply, communication bus, input/output modules (sensors and actuators), communication module, etc.
From a hardware point of view, the major risk is the unavailability of the computer. In circulation in the form of centralized Platoons, the leader manages all the Platoon member vehicles. If there is a fault in the leader's computer, accidents can occur, since the inter-vehicle distance is very short. A follower can only react by braking when it detects that the leader's computer is damaged, and thereafter there is a risk of disrupting the flow of road traffic. Therefore, we propose to have two ECUs: one master ECU and the other in reserve. If an anomaly is detected, the switchover to the reserve ECU takes place automatically. We can also make the sensors redundant, but since the vehicles are connected, if there is an anomaly in a sensor the information can be obtained from the network by interpolating the values received from the vehicle that precedes and the one that follows. A redundant power supply must also be provided: because autonomous vehicles are generally electric, there must be another source of energy allowing circulation at least until the next charging point so that the vehicle does not run out of fuel (depleted energy), which is beyond the scope of this article.
As autonomous vehicles are connected, connectivity is paramount to ensure smooth operation. Therefore, there are two transmitters/receivers. A transceiver compatible with DSRC technology works primarily for V2V communication between Platoon vehicles; if there is no DSRC coverage, the switchover is automatic to the other transceiver, which is compatible with the 5G network. The failover procedure is shown in Fig. 2. If DSRC coverage returns, the switchover from 5G to DSRC is automatic, to minimize the additional overhead costs of 5G communication.
For reasons of wear, and in order to increase the lifespan of the ECUs installed in the AV, in normal operation the changeover from one ECU to the other occurs periodically, during the first trip that follows 8 hours of driving, as shown in Fig. 2. We could alternate on even and odd days, but we have no indication that driving time is equal between even and odd days; another solution is to share the load by alternating ECUs from one trip to the next, but trips are not of the same duration. Therefore, the best solution is to do the changeover based on drive time.

Communication System
To ensure proper functioning of autonomous vehicles, it must be ensured that all the functionalities are present and functioning correctly. The functions which must be performed by the AVs and which are related to communication are:
• Perception: the perception task [28] uses the sensors installed in the vehicle, allowing the analysis and monitoring of the traffic environment at all times. The result is then used to share the condition of each vehicle with its neighbors;
• Scheduling: scheduling [29] consists of determining possible and safe routes for the vehicle in question, depending on perception and the HD map;
• Decision-making: the decision-making task [29] is to choose the optimal route among all the possible routes of the previous task.
The types of networks for AVs are (Table 1):
• DSRC: DSRC technology has a low latency, equal to 10ms. But this technology has a short range that does not exceed 300m in urban areas. As the AVs circulate in the form of Platoons, the inter-vehicle distance is low, so even with these limits we use this technology as the priority for V2V communication, for sending CAM messages and alarm messages. If a communication break that can cause traffic anomalies is detected, i.e. a break greater than 500ms, we switch to C-V2X communication and activate a test function, which makes it possible to test whether DSRC communication has resumed;
• C-V2X: C-V2X communication has a low latency, equal to 15ms, and also has a high range. Nevertheless, these characteristics deteriorate exponentially in heavy traffic. For this reason, we reserve C-V2X communication for inter-Platoon communication;
• NDN [30]: it is a data-based network where information is independent of its producer [31]. We can get the information from the nearest neighbor that has used this information. Usually vehicles do not know where to look for information, but they do know which information they are looking for. Therefore, the NDN network is suitable for the vehicular network [30]. This network is characterized by discontinuous connectivity and does not require the transmitter and receiver to be connected at the same time. This explains why the latency is variable and of the order of a few seconds, which does not meet the requirements of AVs. On the other hand, in view of these important characteristics, we benefit from this network in the tasks where time is not a primary factor, such as localization, which is done offline. Another point gained by the use of NDN is that it makes it easier to update HD maps [5]. Since the frequency of changes to lanes is low, and to make the update it is necessary that vehicles cross the road in question, with NDN the update can even be done by a smartphone that has used the information; therefore, the detection of a change in the road becomes easy and the update is done quickly. The use of the NDN network minimizes traffic on the DSRC and C-V2X networks, which subsequently increases the rate of non-abandoned messages and also solves the problem of overload at the level of cellular network base stations.

Software Redundancy
A priori, failures in on-board computer systems such as autonomous vehicles can be either of hardware origin (computer, communication system, sensors, etc.) or of software origin (autonomous driving system, perception, planning, etc.). In practice, more than 80% are of software origin. To increase the operational reliability of AVs, we propose software redundancy in addition to hardware redundancy.
The switchover takes place automatically from the master controller to the reserve controller. This leads us to manage the software part, since the switch from one ECU to the other is automatic and in real time. For this switchover to take place instantly, the data to be processed must be shared between the two ECUs. Our solution is software redundancy. The high-availability part of the program is loaded both in the master ECU and in the reserve ECU. While it is being processed in the master ECU, it is not processed in the reserve ECU: the corresponding jump in the reserve ECU avoids possible discrepancies between the two copies of the program, caused e.g. by security messages. The program is thus ready on the reserve station for further processing. The flowchart in Fig. 4 shows the operating principle of software redundancy from the point of view of the master and backup ECUs. For the driving system to become highly available, it is not necessary to start all over again in the event of a master ECU failure, because the master continuously transfers the treatment data to the reserve station.
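The master/reserve ECU scheme of the Hardware Redundancy and Software Redundancy sections, as an added illustration that is not the paper's own code: the master runs the high-availability part of the program and copies its treatment data to the reserve every cycle, the reserve jumps over that part, a self-diagnostic failure swaps the roles without restarting, and the periodic changeover happens at the first trip after 8 hours of driving. The driving-program stand-in `ha_program`, the 100ms cycle and the fault-injection scenario are constructed for the example.

```python
"""Added example (not the paper's code): hot-standby ECUs with software redundancy."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CYCLE_MS = 100                          # information update period stated in the paper
CHANGEOVER_AFTER_MS = 8 * 3600 * 1000   # role swap at the first trip after 8 h of driving


def ha_program(state: Dict[str, float], inputs: Dict[str, float]) -> Dict[str, float]:
    """Constructed stand-in for the high-availability part of the driving program:
    holds a Platoon member at the safety gap behind its predecessor."""
    new_state = dict(state)
    new_state["cycle"] = state.get("cycle", -1) + 1          # continues across a switchover
    gap_error = inputs["gap_m"] - inputs["safety_gap_m"]
    new_state["cmd_speed"] = inputs["leader_speed"] + 0.5 * gap_error
    return new_state


@dataclass
class Ecu:
    name: str
    healthy: bool = True
    state: Dict[str, float] = field(default_factory=dict)  # treatment data, shared

    def self_diagnostic(self) -> bool:
        return self.healthy


@dataclass
class RedundantController:
    master: Ecu
    reserve: Ecu
    drive_time_ms: int = 0
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def start_trip(self, t_ms: int) -> None:
        """Periodic changeover for wear levelling, decided on accumulated drive time."""
        if self.drive_time_ms >= CHANGEOVER_AFTER_MS:
            self._swap(t_ms, "periodic changeover")
            self.drive_time_ms = 0

    def cycle(self, t_ms: int, inputs: Dict[str, float]) -> Dict[str, float]:
        """One processing cycle: diagnose, run the program on the master, mirror state."""
        if not self.master.self_diagnostic() and self.reserve.self_diagnostic():
            self._swap(t_ms, "master failure")       # reserve already holds the state
        self.master.state = ha_program(self.master.state, inputs)
        self.reserve.state = dict(self.master.state)  # continuous transfer; reserve jumps over the program
        self.drive_time_ms += CYCLE_MS
        return self.master.state

    def _swap(self, t_ms: int, reason: str) -> None:
        self.master, self.reserve = self.reserve, self.master
        self.events.append((t_ms, self.master.name, reason))


def run_demo() -> RedundantController:
    """Constructed scenario: ECU A fails before its 5th cycle of a trip; B takes over."""
    ctrl = RedundantController(Ecu("A"), Ecu("B"))
    inputs = {"gap_m": 20.0, "safety_gap_m": 18.0, "leader_speed": 27.0}
    ctrl.start_trip(0)
    for i in range(8):
        if i == 4:
            ctrl.master.healthy = False   # self-diagnostic flags it at the next cycle
        ctrl.cycle(i * CYCLE_MS, inputs)
    return ctrl
```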

Operational Reliability
AVs are a system made up of a set of interacting components intended to accomplish the task of comfort and safety, making it possible to ensure a trip from departure to destination in optimum time. The operational safety of AVs is the property which allows its users to place a justified trust in the service it provides them; it is also said that dependability is the science of failure management in trajectory planning. A system fails when it can no longer deliver the expected service. A fault is the state of the system resulting from a failure. Operational safety comprises 5 components: reliability, availability, maintainability, safety (harmlessness) and security (confidentiality).

Reliability
Reliability is the characteristic of the system expressed by the probability that it delivers the expected service under given conditions and for a specified period of time. Reliability expresses the ability for continuity of service. Software reliability assessment methods vary depending on the nature of the information available. They are closely related to the software life cycle, as seen in Table 2 [27].
The types of errors in the different phases are:
• Analysis: the software does not meet users' expectations;
• Design: poor translation of the specifications;
• Coding and testing: programming or correction errors;
• Operational life: errors in system updates, such as the update of HD maps [32][33] [34], which are used for collection and scheduling [29].
The reliability of an on-board computer system such as an AV at time t is the function $R_t$ defined by: In other words, $R_t(\tau; n, t_1, \dots, t_n)$ is the probability that the system works without failure for a period at least equal to $\tau$ after t (we are interested in $\tau$ tending to infinity), knowing that there were exactly n failures between 0 and t (we are interested in n = 0), at instants $t_1, \dots, t_n$. The first form states that the next failure will occur after $t + \tau$, and the second states that there will be no failure between t and $t + \tau$.
When we look at the instant $t_n$ of the last failure, we are interested in predicting the duration $X_{n+1}$ to wait before the next failure. Its probability law can be influenced by the past of the failure process; therefore we rather focus on the distribution of $X_{n+1}$ knowing $[T_1 = t_1, \dots, T_n = t_n]$. This law has the failure rate $h_{X_{n+1} \mid T_1 = t_1, \dots, T_n = t_n}(x)$.
The failure intensity of an on-board computer system at time t is the function $\lambda_t$ given by: Monitoring the failure intensity over time therefore amounts to studying the successive conditional failure rates of the $X_i$ knowing the past. We then speak of failure rate concatenation. We show that the failure intensity can also be written:

Availability
Availability is expressed by the probability that the system will deliver the expected service under given conditions and at a given time. Availability therefore characterizes the ability of the system to function when it is needed. The availability of AVs is a function of time A (A for availability) such that: $\forall t \ge 0$, $A(t)$ = probability that the autonomous vehicle is operating at time t. The asymptotic availability is given by: The direction of variation of $A(t)$ is not determined. We have systems with increasing availability, others with decreasing availability, and every conceivable direction of variation is possible.

Simulation and Performance
To validate our architecture, we performed a simulation at an intersection of two roads; each road is composed of two outbound lanes and two return lanes. The circulating vehicles form a chain of Platoons on each lane; the leader vehicles communicate with each other via C-V2X technology as a priority, and the vehicles of each Platoon communicate with each other using DSRC communication as a priority. Each vehicle is equipped with our redundant architecture.
We assume that a hardware failure has occurred in a vehicle Vi of a Platoon Pi; the changeover to the reserve ECU is studied in terms of the switching time and its influence on circulation. We also assume that a V2V connectivity break exists, and we study the switching time from DSRC to C-V2X or vice versa and its influence. Fig. 5 shows the master ECU in normal operation for a time T=10 while the other ECU is in standby. At the instant t = T, the self-diagnostic algorithm detects an operating anomaly in the master ECU, and the reserve ECU takes over.
The switching time τ = 3ms, equal to the failure detection time plus the switching time, is negligible compared to the update period of the information at the vehicle level, which is equal to 100ms. Since τ = 3ms ≪ update period, if a breakdown occurs it has no influence on the operation of the vehicle or on road traffic with our architecture. In the opposite case, with the current architecture, the broken-down vehicle will be treated as a vehicle that does not exist: a road accident can occur, and subsequently traffic congestion will increase. The time criterion is essential, and to reach a good decision, communication between the vehicles of the Platoon, which provides a global vision of the traffic environment, must be guaranteed. It is therefore necessary to calculate the maximum time allowed for a connection break. This is set according to the safety distance between the vehicles of a Platoon, which is equal to 18m at a speed of 27m/s, giving a time equal to 666ms.
The braking time is equal to the processing time, which is the sum of the transmission period (100ms), the decision-making time, which corresponds to the clock cycles dedicated to task processing and does not exceed 1ms, and the actuator (motor) response time, approximately 3ms. This gives a braking time equal to 104ms. The time allowed for the loss of connectivity is therefore 666 − 104 = 562ms. For more safety, this time is multiplied by a safety coefficient less than 1, for example 0.9, which gives a final authorized break time of 500ms. Fig. 6 shows the automatic switching to C-V2X after detection of a DSRC connection break equal to 500ms. The switching time is equal to 3ms, and as soon as DSRC connectivity is reestablished, the switching from C-V2X back to DSRC is automatic. In the case where C-V2X connectivity is not available, the switching to DSRC is automatic, as in Fig. 7. As C-V2X communication is the priority for inter-Platoon communication, and the safety distance between Platoons is greater than the inter-vehicle distance within a Platoon, 500ms to switch to DSRC is enough to avoid traffic dangers.
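The network switching of the Communication System section together with the break-time derivation above, as an added example that is not the paper's own code: the allowed break is computed from the paper's figures (18m, 27m/s, 100ms + 1ms + 3ms, coefficient 0.9), and one primary/secondary selector covers both the DSRC-primary case of Fig. 6 and the C-V2X-primary inter-Platoon case of Fig. 7. The 100ms sampling tick, the `ROUTING` table built from the paper's message-class assignment, and the link-status timeline are constructed for the example.

```python
"""Added example (not the paper's code): DSRC/C-V2X failover with the paper's timing figures."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Figures stated in the paper
SAFETY_DISTANCE_M = 18.0       # inter-vehicle distance inside a Platoon
SPEED_M_PER_S = 27.0
TRANSMISSION_PERIOD_MS = 100   # information update period
DECISION_TIME_MS = 1
ACTUATOR_RESPONSE_MS = 3
SAFETY_COEFF = 0.9
SWITCH_TIME_MS = 3             # failure detection + switching
BREAK_THRESHOLD_MS = 500       # rounded-down break time the paper applies

# Message class -> (primary, secondary) network, following the paper's assignment
ROUTING = {
    "CAM": ("DSRC", "C-V2X"),
    "ALARM": ("DSRC", "C-V2X"),
    "INTER_PLATOON": ("C-V2X", "DSRC"),
    "HD_MAP_UPDATE": ("NDN", None),   # delay-tolerant, no real-time fallback
}


def braking_time_ms() -> int:
    """Transmission period + decision time + actuator response (paper: 104 ms)."""
    return TRANSMISSION_PERIOD_MS + DECISION_TIME_MS + ACTUATOR_RESPONSE_MS


def allowed_break_ms() -> int:
    """Longest tolerable connectivity break, following the paper's derivation."""
    headway_ms = math.floor(SAFETY_DISTANCE_M / SPEED_M_PER_S * 1000)  # 666
    margin_ms = headway_ms - braking_time_ms()                          # 562
    return math.floor(margin_ms * SAFETY_COEFF)                         # 505; the paper rounds to 500


@dataclass
class LinkSelector:
    """Primary/secondary network selection with the paper's two rules:
    leave the primary after BREAK_THRESHOLD_MS of outage, return as soon as it is back."""
    primary: str
    secondary: Optional[str]
    active: str = field(init=False)
    primary_down_since: Optional[int] = None
    switch_log: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def step(self, t_ms: int, up: Dict[str, bool]) -> str:
        """Feed the link status sampled at t_ms; returns the network in use."""
        if up.get(self.primary):
            self.primary_down_since = None
            if self.active != self.primary:   # coverage returned: test function succeeds, switch back
                self._switch(t_ms, self.primary)
            return self.active
        if self.primary_down_since is None:
            self.primary_down_since = t_ms
        outage = t_ms - self.primary_down_since
        if (self.active == self.primary and outage >= BREAK_THRESHOLD_MS
                and self.secondary is not None and up.get(self.secondary)):
            self._switch(t_ms, self.secondary)
        return self.active

    def _switch(self, t_ms: int, target: str) -> None:
        self.active = target
        self.switch_log.append((t_ms + SWITCH_TIME_MS, target))  # effective after the switching time


def sample_timeline() -> List[Tuple[int, Dict[str, bool]]]:
    """Constructed scenario: DSRC coverage lost from 200 ms to 1000 ms, C-V2X always up."""
    return [(t, {"DSRC": not 200 <= t <= 1000, "C-V2X": True}) for t in range(0, 1500, 100)]


def run_scenario(selector: LinkSelector, timeline) -> List[Tuple[int, str]]:
    return [(t, selector.step(t, up)) for t, up in timeline]
```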
Therefore, Fig. 5, Fig. 6 and Fig. 7 show that by using the redundant architecture we have proposed, we improve the performance of AVs by increasing the availability of their functions. If we increase the rate of CAM messages transmitted successfully, we obtain a reliable vision of the circulation environment, which makes it possible to reach good decisions, and we become sure of having available, reliable, robust and optimal operation.

Conclusion
In this article we have proposed a redundant architecture for the operational safety of AVs. We have shown that our architecture allows availability, an important metric for AVs that had not been studied before, to be increased. We have also shown that our solution allows the rate of abandoned messages to tend towards zero. The use of the NDN network facilitates the task of updating HD maps, which is a major problem.
In our future work we want to improve our proposed solution, in which switching from DSRC to C-V2X is done through machine learning methods such as reinforcement learning, which will minimize communication costs. Since communication in AVs is fundamental, it is therefore