Predictable timing behavior of gracefully degrading automotive systems
Design Automation for Embedded Systems (IF 1.4), Pub Date: 2023-04-11, DOI: 10.1007/s10617-023-09271-x
Philipp Weiss , Sebastian Steinhorst

Fail-operational behavior of safety-critical software for autonomous driving is essential, as there is no driver available as a backup solution. In a failure scenario, safety-critical tasks can be restarted on other available hardware resources. Here, graceful degradation can be used as a cost-efficient solution in which hardware resources are redistributed from non-critical to safety-critical tasks at run-time. We allow non-critical tasks to actively use resources that are reserved as a backup for critical tasks, which would otherwise be unused and which are only required in a failure scenario. However, in such a scenario it is of paramount importance to achieve predictable timing behavior of safety-critical applications to allow safe operation. It has to be ensured that, even after the restart of safety-critical tasks, a guarantee on execution times can be given. In this paper, we propose a graceful degradation approach using composable scheduling. We use our approach to present, for the first time, a performance analysis that is able to analyze the timing constraints of fail-operational distributed applications using graceful degradation. Our method can verify that even during a critical Electronic Control Unit failure there is always a backup solution available that adheres to end-to-end timing constraints. Furthermore, we present a dynamic decentralized mapping procedure that performs constraint solving at run-time using our analytical approach combined with a backtracking algorithm. We evaluate our approach by comparing mapping success rates to state-of-the-art approaches such as active redundancy and an approach based on resource availability. In our experimental setup, our graceful degradation approach can fit about double the number of critical applications on the same architecture compared to an active redundancy approach. Combined, our approaches enable, for the first time, a dynamic and fail-operational behavior of gracefully degrading automotive systems with cost-efficient backup solutions for safety-critical applications.
Updated: 2023-04-12