Fail-Operational Architecture for L4 AVs — PatSnap Eureka

ISO 26262 · Level 4 AV Safety

Fail-Operational Electronic Architecture for Level 4 Autonomous Vehicles

Designing driverless systems that sustain safe operation after any single-point fault requires a fundamental shift from fail-silent to fail-operational architectures—grounded in ASIL decomposition, multi-lane compute redundancy, and pre-computed Minimal Risk Maneuvers. This analysis draws on over 55 active patents across 7 jurisdictions.

Figure: Patent filing distribution by architecture category (55+ fail-operational L4 AV architecture patents, 2017–2026, analysed via PatSnap Eureka). Multi-lane redundant compute is the most patented category.
  • Multi-Lane Redundant Compute: 32%
  • Hierarchical Safety Supervision: 28%
  • Actuator-Level Redundancy: 22%
  • Fallback / MRM Planning: 18%
Source: PatSnap Eureka · 55+ patents · 2017–2026

  • 55+ active and pending patents analysed
  • 7 jurisdictions: US, DE, CN, EP, JP, FR, KR
  • <100ms MRM initiation latency target for hot-standby failover
  • ASIL-D: maximum integrity level under ISO 26262
The Fundamental Design Imperative

From Fail-Silent to Fail-Operational: Why the Shift Is Non-Negotiable

The transition from fail-silent to fail-operational architectures is the defining technical challenge for SAE Level 4 autonomous vehicles, where no human driver is available to intervene after a system fault. Unlike lower automation levels (L1–L3), an L4 vehicle must autonomously sustain safe operation—or execute a controlled Minimal Risk Maneuver (MRM)—following any single-point failure.

As documented in SAIC's 2024 patent filing: "For L4 and above intelligent driving tasks, a Fail-Silent intelligent driving controller is no longer sufficient; because the driver is no longer required to monitor the autonomous driving system at all times, the intelligent driving system must be responsible for bringing the vehicle to a safe state, requiring a Fail-Operational redundant intelligent driving controller."

The ISO 26262 standard's ASIL classification scheme—ranging from QM to ASIL-D—provides the normative framework. Qualcomm's 2025 processor-based system explicitly references this: "ASIL-D requires the SoC to move the vehicle to a minimum safe operating mode when any safety-critical functional fault is detected." In that design, the safety island is a secondary domain of reduced hardware complexity that checkpoints the vehicle information processed by both the main domain and the safety island domain itself.

Marelli Europe's 2025 vehicle ECU design formalizes a three-mode response hierarchy: nominal operation mode, degraded emergency operation mode (triggered on fault detection, maintains basic vehicle control at reduced performance), and safe state mode (triggered when emergency functions fail to meet their safety goals). This graduated response directly implements ISO 26262's concept of safe states without requiring immediate hard stops that could imperil vehicle controllability.

Three-Mode Response Hierarchy
  • Mode 1, Nominal Operation: full AV stack active, all sensors nominal
  • Mode 2, Degraded Emergency Mode: fault detected; basic control at reduced performance
  • Mode 3, Safe State Mode: emergency functions fail their safety goals; MRM executed

  • ASIL-D: highest ISO 26262 integrity level required for L4
  • QM: minimum quality-managed path in ASIL decomposition
  • <4: maximum diverse implementations per Valeo decomposition rule
  • 2016: year Valeo formalized ASIL decomposition math in patents
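The graduated three-mode hierarchy is easiest to reason about as a small supervisor state machine that only ever escalates. The example below is added here to illustrate that pattern; it is not code from the Marelli patent or from any vendor, and the fault names, the reduced-performance speed and lateral-acceleration caps, and the form of the safety-goal check are constructed assumptions.

```python
"""Three-mode response hierarchy: nominal -> degraded emergency -> safe state.

Added illustration, not code from any cited patent. The degraded-mode envelope
(speed and lateral-acceleration caps) and the event format are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NOMINAL = 1             # full AV stack active, all sensors nominal
    DEGRADED_EMERGENCY = 2  # fault detected; basic control at reduced performance
    SAFE_STATE = 3          # emergency functions fail their safety goal; MRM executed


@dataclass
class DegradedLimits:
    """Reduced-performance envelope enforced in Mode 2 (assumed values)."""
    max_speed_mps: float = 8.0        # roughly 29 km/h while degraded
    max_lat_accel_mps2: float = 1.5   # gentle lateral maneuvers only


@dataclass
class ModeSupervisor:
    mode: Mode = Mode.NOMINAL
    limits: DegradedLimits = field(default_factory=DegradedLimits)
    faults: list[str] = field(default_factory=list)
    mrm_requested: bool = False

    def on_fault(self, fault: str) -> Mode:
        """Any detected fault leaves nominal operation. The hierarchy only moves
        toward the safe state; it never climbs back without an explicit reset."""
        self.faults.append(fault)
        if self.mode is Mode.NOMINAL:
            self.mode = Mode.DEGRADED_EMERGENCY
        return self.mode

    def check_safety_goal(self, speed_mps: float, lat_accel_mps2: float,
                          emergency_control_alive: bool) -> Mode:
        """Mode 2 is acceptable only while the emergency functions meet their
        goal: the degraded controller is alive and the vehicle stays inside the
        reduced envelope. Otherwise escalate to Mode 3 and request the MRM."""
        if self.mode is not Mode.DEGRADED_EMERGENCY:
            return self.mode
        goal_met = (emergency_control_alive
                    and speed_mps <= self.limits.max_speed_mps
                    and abs(lat_accel_mps2) <= self.limits.max_lat_accel_mps2)
        if not goal_met:
            self.mode = Mode.SAFE_STATE
            self.mrm_requested = True
        return self.mode

    def command_limits(self) -> DegradedLimits | None:
        """Envelope the motion controller must respect in the current mode;
        None means the full nominal envelope applies."""
        return self.limits if self.mode is Mode.DEGRADED_EMERGENCY else None

    def reset(self) -> None:
        """Return to nominal only once the fault list has been cleared (by a
        passed self-test or maintenance); a faulted system never self-heals."""
        if not self.faults:
            self.mode = Mode.NOMINAL
            self.mrm_requested = False


def run_scenario(events: list[tuple]) -> list[Mode]:
    """Drive the supervisor with a constructed event sequence and return the
    mode after each event. Event shapes (assumed for this example):
      ("fault", name)   and   ("status", speed_mps, lat_accel_mps2, emergency_alive)
    """
    sup = ModeSupervisor()
    trace: list[Mode] = []
    for ev in events:
        if ev[0] == "fault":
            trace.append(sup.on_fault(ev[1]))
        else:
            trace.append(sup.check_safety_goal(ev[1], ev[2], ev[3]))
    return trace


if __name__ == "__main__":
    # A camera timeout degrades the system; an overspeed while degraded escalates to MRM.
    print(run_scenario([("fault", "camera_timeout"), ("status", 6.0, 0.5, True),
                        ("status", 12.0, 0.5, True), ("status", 3.0, 0.1, True)]))
```

The point the hierarchy makes, and the code mirrors, is that the transition out of Mode 2 is driven by whether the emergency functions still meet their goal, not by the mere presence of a fault, which is what avoids an unnecessary hard stop.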
Multi-Lane Compute Topologies

Redundant Compute Architectures and Multi-Lane Control

The most extensively patented architectural pattern for fail-operational AVs is the multi-lane or multi-channel compute topology, where at least two independent processing paths simultaneously generate or validate control outputs.

Uber / UATC · 2021–2024

Fault-Tolerant Multi-Lane Control Architecture

A system with at least a first and second control lane, each independently capable of implementing a vehicle motion plan. When faults are detected in one lane—whether in motion plan generation or execution—the system adjusts vehicle motion via fault reaction parameters associated with the specific fault type. The architecture distinguishes between faults in the primary lane, secondary lane, and motion planning subsystem, enabling tailored responses rather than uniform fallback.

Foundational multi-lane patent family · WO, US, continuation filings through 2024
Volkswagen AG · 2021

FDIR Pattern Adapted from Aviation

Fault Detection, Isolation, and Recovery (FDIR) distributed across multiple compute nodes. When a fault is detected, the system switches to redundant application instances and immediately reconfigures to restore predetermined redundancy and isolation conditions. If reconfiguration fails—due to inability to satisfy isolation conditions, time budget exceedance, or irrecoverable failures—a dedicated failover device with its own trajectory planner and separate signal/control lines transitions the vehicle to a safe state via an emergency trajectory.

Dedicated failover device with independent sensor signal lines
Suzhou Yuannao · 2025

Heterogeneous SoC Hot-Standby Failover

A primary SoC and a fault-tolerant SoC run identical autonomous driving algorithms synchronously. An MCU (e.g., TC497) communicates with both SoCs and selects responses according to a pre-configured arbitration strategy, defaulting to the primary SoC but seamlessly switching to the fault-tolerant SoC on hardware or communication failure. This design enables hot-standby failover with sub-100ms switching latency.

Sub-100ms switching latency via MCU arbitration
Zhitu Shanghai · 2025

Four-Lane Control Topology with Three Fault-Tolerance Layers

A first master controller and a second master controller each independently command two sets of sub-controllers, yielding four distinct control chains (primary/primary, primary/backup, backup/primary, backup/backup) prioritized in descending order. An arbitration unit dynamically selects the active chain and switches among chains upon detecting faults, providing up to three fault-tolerance layers before autonomous driving must be exited.

4 control chains · 3 fault-tolerance layers
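Both the two-SoC hot-standby design and the four-chain topology reduce to the same arbitration problem: forward the output of the highest-priority chain that is currently healthy, and exit autonomous driving when none is. The example below is added to show that logic with a heartbeat budget and CRC-protected frames; it is not code from the Suzhou Yuannao or Zhitu patents. The frame layout, the 30 ms heartbeat timeout, the 10 ms arbitration tick and the chain names are assumptions for the example.

```python
"""MCU-style arbitration over prioritized redundant control chains.

Added example for the primary/fault-tolerant SoC and four-chain topologies above.
Not code from any cited patent. Frame layout (seq, steer, brake, diag flag, CRC32),
the 30 ms heartbeat budget and the 10 ms tick are constructed assumptions.
"""
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass

HEARTBEAT_TIMEOUT_MS = 30   # assumed: a chain silent this long is treated as failed
ARBITRATION_TICK_MS = 10    # assumed MCU scheduling period
FRAME_FMT = "<IffBI"        # seq, steer_rad, brake_frac, diag_ok, crc32 (17 bytes)


def encode_frame(seq: int, steer: float, brake: float, diag_ok: bool) -> bytes:
    body = struct.pack("<IffB", seq, steer, brake, int(diag_ok))
    return body + struct.pack("<I", zlib.crc32(body))


@dataclass
class Frame:
    seq: int
    steer: float
    brake: float
    diag_ok: bool


def decode_frame(raw: bytes) -> Frame | None:
    """None for a truncated or CRC-failing frame, so a corrupted message earns
    the sending chain no heartbeat credit, exactly like a missing one."""
    if len(raw) != struct.calcsize(FRAME_FMT):
        return None
    seq, steer, brake, diag, crc = struct.unpack(FRAME_FMT, raw)
    if zlib.crc32(raw[:-4]) != crc:
        return None
    return Frame(seq, steer, brake, bool(diag))


@dataclass
class LaneState:
    name: str
    last_rx_ms: int = -10**9
    last_frame: Frame | None = None

    def healthy(self, now_ms: int) -> bool:
        fresh = now_ms - self.last_rx_ms <= HEARTBEAT_TIMEOUT_MS
        return fresh and self.last_frame is not None and self.last_frame.diag_ok


class Arbiter:
    """Chains are given in descending priority, e.g. [primary, standby] or the
    four master/sub-controller chains; the first healthy one drives the actuators."""

    def __init__(self, chain_names: list[str]):
        self.lanes = [LaneState(n) for n in chain_names]
        self.active: str | None = chain_names[0]
        self.switch_log: list[tuple[int, str | None]] = []

    def receive(self, chain: str, raw: bytes, now_ms: int) -> None:
        lane = next(ln for ln in self.lanes if ln.name == chain)
        frame = decode_frame(raw)
        if frame is None:
            return
        lane.last_rx_ms, lane.last_frame = now_ms, frame

    def tick(self, now_ms: int) -> Frame | None:
        """Frame to forward this tick, or None when every chain is unhealthy and
        autonomous driving must be exited (safe state / MRM)."""
        chosen = next((ln for ln in self.lanes if ln.healthy(now_ms)), None)
        new_active = chosen.name if chosen else None
        if new_active != self.active:
            self.switch_log.append((now_ms, new_active))
            self.active = new_active
        return chosen.last_frame if chosen else None


def simulate_primary_loss(chain_names: list[str], loss_at_ms: int,
                          horizon_ms: int) -> list[tuple[int, str | None]]:
    """Constructed scenario: every chain transmits each tick with an identical
    command; the top-priority chain goes silent at loss_at_ms. The returned
    switch log shows when the next chain took over."""
    arb = Arbiter(chain_names)
    for t in range(0, horizon_ms, ARBITRATION_TICK_MS):
        for i, name in enumerate(chain_names):
            if i == 0 and t >= loss_at_ms:
                continue  # primary silent from here on
            arb.receive(name, encode_frame(t // ARBITRATION_TICK_MS, 0.02, 0.1, True), t)
        arb.tick(t)
    return arb.switch_log


if __name__ == "__main__":
    print(simulate_primary_loss(["primary_soc", "fault_tolerant_soc"], 100, 300))
    print(simulate_primary_loss(["m1_sub1", "m1_sub2", "m2_sub1", "m2_sub2"], 50, 200))
```

With these assumed budgets the standby takes over 30 ms after the last primary frame, well inside the sub-100 ms target quoted above; the same arbiter walks down the four-chain priority list one failed chain at a time, which is the "three fault-tolerance layers before exit" behaviour described for the Zhitu topology.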
Patent Landscape Data

Filing Trends and Assignee Activity in AV Safety Architecture

Analysis of over 55 active and pending patents across US, DE, CN, EP, JP, FR, and KR jurisdictions reveals a clear evolution in fail-operational design from 2017 to 2026.

AV Fail-Operational Architecture Patent Filing Trend (2017–2026)

Filing volume shows accelerating growth from 4 patents in 2017 to 16 in 2025, reflecting the industry's push toward multi-layer hierarchical architectures with silicon-level safety islands.

Figure: AV fail-operational architecture patent filings, 2017–2026 (PatSnap Eureka analysis). Filings grew from 4 in 2017 to a peak of 16 in 2025; 2026 is partial-year data.

  Year      2017  2018  2019  2020  2021  2022  2023  2024  2025  2026*
  Filings      4     5     7     8     9    10    12    14    16     6

*Partial year · Source: PatSnap Eureka

Top Assignees by Patent Scope in Fail-Operational Architecture

Robert Bosch leads with the broadest cross-domain coverage, followed by ZF Friedrichshafen, Uber/UATC, KIAPI, and Qualcomm across hardware and software safety architecture patents.

Figure: Top AV safety architecture assignees by relative patent scope (PatSnap Eureka analysis of 55+ patents across 7 jurisdictions, 2017–2026). Bosch leads in cross-domain coverage spanning ISO 26262 and ISO 21448; Chinese OEMs form a separate cluster.
  • Robert Bosch: broadest cross-domain coverage
  • ZF Friedrichshafen: dual-network hardware
  • Uber/UATC: multi-lane compute
  • KIAPI: edge-infrastructure fallback
  • Qualcomm: safety island SoC
Source: PatSnap Eureka · 55+ patents · 2017–2026

Layered Architecture Design

Hierarchical Safety Supervision: Independent Override Layers

Beyond compute redundancy, fail-operational architectures require a supervisory safety layer that operates independently of—and can override—the primary autonomous driving stack. Multiple assignees have converged on a layered architecture separating execution from protection.


Robert Bosch: Three-Layer Protection Architecture (2025)

Three distinct layers: an implementation layer generating primary control signals, a protection layer positioned between the implementation layer and the hardware layer, and a hardware layer interfacing with actuators. The protection layer contains detector modules that identify special cases within safety-critical situations requiring a third, distinct system response—enabling the architecture to handle both ISO 26262 (functional safety) and ISO 21448 (SOTIF) fault modes through differentiated response signals.


ZF Friedrichshafen: Dual-Network QM + Safety-Rated Architecture (2022)

A primary quality-managed (QM) network processes high-bandwidth sensor data through a high-performance ECU for complex motion control, while a second hierarchical redundant network—comprising a Perception Safety ECU, a Ground Truth Sensing Device, and an HMI/Remote Machine Interface with an emergency stop switch—operates over secure connections. The motion control ECU receives redundant control signals (at least two independent signals) from the safety network.


Pony.ai: Bounded-Time Fail-Operational Window (2024)

The main vehicle computing platform generates control commands and future trajectory information, continuously forwarding both to a vehicle safety system, which in turn relays commands to the vehicle actuation system. When the main platform fails, the safety system possesses the last-transmitted trajectory and can execute it autonomously for a bounded time window—typically sufficient to complete a pull-over MRM. This bounded-time fail-operational window means the backup system only needs to sustain safe operation long enough to reach a minimal risk condition.


Robert Bosch: Runtime Dynamic Safety Architecture Configuration (2024)

During automated driving, the system repeatedly determines safety requirements for the current driving situation, determines current system capabilities to fulfill those requirements, and reconfigures the safety architecture accordingly. This enables the architecture to adapt ASIL allocations dynamically—for instance, degrading gracefully when a sensor suite becomes partially unavailable rather than triggering a full MRM. Static ASIL allocation is insufficient for handling perception-level SOTIF failures.

Braking, Steering & Power Supply

Actuator-Level Redundancy: Independent Electrical Paths to Safety-Critical Systems

A fail-operational architecture is only as robust as its actuator interfaces. Patents consistently show that compute-layer redundancy must be matched by independent electrical paths to safety-critical actuators. Knorr-Bremse's 2020 patent specifies dual, electrically isolated power supply circuits: the electronic pneumatic service brake (EBS) system is supplied by a first energy source, while the electromechanical steering system is supplied by a second, independent energy source; both systems share a common backup supply path. This power domain isolation ensures that a single power supply failure cannot simultaneously disable braking and steering.
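Whether a supply topology actually meets the "no single failure disables both braking and steering" requirement can be checked mechanically: model sources, buses and actuators as a supply graph, remove each component in turn, and test whether every safety-critical actuator still reaches some energy source. The example below is added for that purpose and is not code from the Knorr-Bremse patent; the component names and the two topologies compared are constructed.

```python
"""Single-point-of-failure check over a braking/steering supply graph.

Added example, not from any cited patent. Component names are constructed; the
check is plain reachability analysis with one component removed at a time.
"""
from __future__ import annotations

from collections import deque

SupplyGraph = dict[str, set[str]]   # undirected: component -> directly connected components


def build_graph(edges: list[tuple[str, str]]) -> SupplyGraph:
    g: SupplyGraph = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def powered(g: SupplyGraph, sources: set[str], actuator: str, removed: str) -> bool:
    """True if `actuator` still reaches some energy source after `removed` has
    failed open (the node and every link to it disappear)."""
    if actuator == removed:
        return False
    seen = {actuator}
    queue = deque([actuator])
    while queue:
        node = queue.popleft()
        if node in sources:
            return True
        for nb in g.get(node, ()):
            if nb != removed and nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return False


def single_fault_disables_both(g: SupplyGraph, sources: set[str],
                               actuators: set[str]) -> list[str]:
    """Components whose single failure leaves every listed actuator unpowered.
    The fail-operational requirement is that this list is empty for the
    braking/steering pair."""
    offenders = [comp for comp in g
                 if comp not in actuators
                 and all(not powered(g, sources, a, comp) for a in actuators)]
    return sorted(offenders)


def unprotected_actuators(g: SupplyGraph, sources: set[str],
                          actuators: set[str]) -> dict[str, list[str]]:
    """Stricter view: for each actuator, the single faults that cut its supply.
    Empty lists mean each actuator individually survives any one failure."""
    return {a: sorted(c for c in g if c != a and not powered(g, sources, a, c))
            for a in actuators}


# Constructed topology following the two-isolated-sources-plus-common-backup pattern.
ISOLATED_WITH_BACKUP = build_graph([
    ("source_1", "ebs_brake"),         # first energy source feeds the EBS brake
    ("source_2", "eps_steering"),      # second, independent source feeds steering
    ("backup_source", "backup_bus"),   # common backup path ...
    ("backup_bus", "ebs_brake"),       # ... reaches both actuators
    ("backup_bus", "eps_steering"),
])
SOURCES_ISOLATED = {"source_1", "source_2", "backup_source"}

# Constructed counter-example: one source on a shared bus, no backup path.
SHARED_SINGLE_SOURCE = build_graph([
    ("main_source", "main_bus"),
    ("main_bus", "ebs_brake"),
    ("main_bus", "eps_steering"),
])
SOURCES_SHARED = {"main_source"}

ACTUATORS = {"ebs_brake", "eps_steering"}

if __name__ == "__main__":
    print("isolated:", single_fault_disables_both(ISOLATED_WITH_BACKUP, SOURCES_ISOLATED, ACTUATORS))
    print("shared:  ", single_fault_disables_both(SHARED_SINGLE_SOURCE, SOURCES_SHARED, ACTUATORS))
```

The isolated topology yields an empty offender list, and in this constructed case each actuator also survives every single fault on its own. The shared-bus counter-example names both the source and the bus as single points that take out braking and steering together.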

Volvo Trucks' 2021 system separates longitudinal and lateral control responsibilities between a primary control unit (normal operation) and a secondary backup control unit (emergency mode). When emergency mode is activated, the secondary unit executes backup longitudinal control (braking) while the primary unit—if still functional for lateral tasks—handles backup steering. A heartbeat signal from the secondary unit continuously informs the primary unit and the automated decision control unit of backup unit availability.

Kodiak Robotics' 2025 redundant ACE system formalizes the separation of nominal and fallback motion plans at the actuation interface: the main computing system generates both a nominal motion plan and a fallback motion plan for each time interval, continuously transmitting both to the redundant ACE system. When the redundant ACE detects an abnormal condition, it immediately executes the last received fallback motion plan to navigate the vehicle to a safe stop—without requiring any computation from the main system—ensuring the actuation layer can act within milliseconds of main-system failure.
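The Pony.ai bounded-time window, the Volvo heartbeat and the Kodiak redundant ACE share one mechanism: the safety side keeps the most recent fallback plan and, when the main platform stops talking, executes that plan from its own clock without asking the main system for anything. The example below is added to show that mechanism end to end; it is not code from those patents. The plan format, the 50 ms heartbeat budget, the validity rules for a fallback plan and the vehicle numbers are constructed assumptions.

```python
"""Safety controller that buffers the last fallback plan and runs it on loss of
the main platform. Added example, not code from the Pony.ai, Volvo or Kodiak
patents. Plan format, heartbeat budget and vehicle numbers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

HEARTBEAT_BUDGET_MS = 50   # assumed: the main platform must deliver a plan pair this often


@dataclass(frozen=True)
class Setpoint:
    t_ms: int          # offset from plan start
    speed_mps: float
    steer_rad: float


@dataclass
class PlanPair:
    nominal: list[Setpoint]
    fallback: list[Setpoint]   # must end at standstill: a pull-over to a minimal risk condition


@dataclass
class SafetyController:
    last_rx_ms: int | None = None
    nominal: list[Setpoint] = field(default_factory=list)
    fallback: list[Setpoint] = field(default_factory=list)
    mrm_started_ms: int | None = None
    log: list[str] = field(default_factory=list)

    def receive(self, pair: PlanPair, now_ms: int) -> bool:
        """Buffer a plan pair only if the fallback plan is well formed (non-empty,
        time-ordered, ends at speed 0). A malformed fallback is rejected rather
        than silently stored, so it cannot become the plan we rely on later."""
        fb = pair.fallback
        ok = (bool(fb) and bool(pair.nominal)
              and all(a.t_ms < b.t_ms for a, b in zip(fb, fb[1:]))
              and fb[-1].speed_mps == 0.0)
        if not ok:
            self.log.append(f"{now_ms}: rejected malformed fallback plan")
            return False
        if self.mrm_started_ms is None:       # once the MRM runs, new plans are ignored
            self.last_rx_ms, self.nominal, self.fallback = now_ms, pair.nominal, fb
        return True

    def main_alive(self, now_ms: int) -> bool:
        """Heartbeat: the main platform counts as alive while its last valid plan
        pair is within the budget."""
        return self.last_rx_ms is not None and now_ms - self.last_rx_ms <= HEARTBEAT_BUDGET_MS

    @staticmethod
    def _lookup(plan: list[Setpoint], t_ms: int) -> Setpoint:
        """Setpoint in force at offset t_ms (the last one at or before t_ms)."""
        current = plan[0]
        for sp in plan:
            if sp.t_ms <= t_ms:
                current = sp
        return current

    def command(self, now_ms: int) -> tuple[float, float, str]:
        """Command forwarded to actuation as (speed, steer, source)."""
        if self.mrm_started_ms is None and self.main_alive(now_ms):
            sp = self._lookup(self.nominal, now_ms - self.last_rx_ms)
            return sp.speed_mps, sp.steer_rad, "nominal"
        if self.mrm_started_ms is None:
            self.mrm_started_ms = now_ms
            self.log.append(f"{now_ms}: main platform lost, executing buffered fallback")
        if not self.fallback:
            return 0.0, 0.0, "hard_stop"        # never held a valid plan: brake
        t = now_ms - self.mrm_started_ms
        if t > self.fallback[-1].t_ms:          # bounded window elapsed: hold at standstill
            return 0.0, self.fallback[-1].steer_rad, "hold_stopped"
        sp = self._lookup(self.fallback, t)
        return sp.speed_mps, sp.steer_rad, "fallback"


def run_scenario() -> list[tuple[int, str, float]]:
    """Constructed run: plan pairs arrive every 20 ms until the main platform dies
    after its 100 ms transmission; the controller is polled every 20 ms."""
    ctl = SafetyController()
    nominal = [Setpoint(0, 15.0, 0.0), Setpoint(500, 15.0, 0.0)]
    fallback = [Setpoint(0, 15.0, 0.01), Setpoint(1000, 8.0, 0.03),
                Setpoint(2000, 3.0, 0.0), Setpoint(3000, 0.0, 0.0)]
    samples = []
    for now in range(0, 3400, 20):
        if now <= 100:
            ctl.receive(PlanPair(nominal, fallback), now)
        speed, _steer, src = ctl.command(now)
        samples.append((now, src, speed))
    return samples


if __name__ == "__main__":
    for t, src, speed in run_scenario()[::10]:
        print(t, src, speed)
```

In the constructed run the heartbeat lapses at 160 ms and the controller begins the 3 s buffered pull-over on its own clock; after the plan's last setpoint the window is over and it simply holds the vehicle stopped, which is the bounded-time property the Pony.ai design relies on.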

Tsinghua University's 2019 patent applies HARA (Hazard Analysis and Risk Assessment) methodology specifically to L3+ steering systems. Four steering scenarios and six failure modes are analyzed to produce ASIL ratings and corresponding functional safety goals, mapped to safety requirements. This represents the first systematic HAZOP-based steering architecture framework for L3+ published in the Chinese patent record. More details on automotive functional safety methodology are available from the SAE International and IEEE standards bodies.

Actuator Redundancy Key Requirements
  • Dual, electrically isolated power supply circuits for braking and steering
  • Common backup supply path shared between primary circuits
  • Separate longitudinal (braking) and lateral (steering) control responsibilities
  • Heartbeat signal for continuous backup unit availability monitoring
  • Pre-computed fallback motion plan delivered to independent ACE system
  • Sub-millisecond actuation response on main-system failure detection
  • HARA analysis covering all steering failure modes with ASIL mapping
  • Real-time actuator state monitoring with fault severity classification
Key Patent: Kodiak Robotics ACE (2025)

Redundant Actuator Control Engine continuously receives both nominal and fallback motion plans. On abnormal condition detection, immediately executes fallback plan without main-system computation.

MRM Execution & ODD Management

Fallback Planning, MRM Execution, and Operational Design Domain Management

A critical design requirement for fail-operational L4 systems is the ability to execute a Minimal Risk Maneuver autonomously, even when primary computing resources are severely degraded.

Luminar Technologies · 2019

Motion Primitives for Perception-Independent Safe Path Construction

The computing system continuously generates a normal path plan alongside a separate safe path plan by concatenating pre-validated motion primitives. When a fault condition occurs, the system immediately transitions from the normal path to the pre-computed safe path without requiring fresh environment perception—enabling safe stopping even when the perception pipeline has failed.

Safe path without perception dependency
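What makes the Luminar approach perception-independent is that the safe path is assembled only from primitives validated offline and from state captured while perception was still trusted, so it can be executed after the perception pipeline fails. The example below is added to illustrate building such a path by concatenating primitives and validating the result against the last known clear distance and shoulder width; it is not Luminar's code. The primitive library, the kinematics, the vehicle numbers and the validation limits are constructed assumptions.

```python
"""Safe path construction from pre-validated motion primitives.

Added example, not code from the Luminar patent. The primitive library, the
constant-deceleration kinematics and the validation limits are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Primitive:
    name: str
    duration_s: float
    decel_mps2: float   # >= 0, longitudinal deceleration held for the duration
    lateral_m: float    # signed lateral shift completed over the full duration


# Constructed library; each entry is assumed to have been validated offline.
LIBRARY = {
    "shift_right_1m": Primitive("shift_right_1m", 2.0, 0.5, 1.0),
    "brake_gentle":   Primitive("brake_gentle", 3.0, 1.5, 0.0),
    "brake_firm":     Primitive("brake_firm", 3.0, 3.0, 0.0),
    "hold":           Primitive("hold", 1.0, 0.0, 0.0),
}


@dataclass
class KnownState:
    """Last trusted state, captured while perception was still healthy."""
    speed_mps: float
    clear_distance_m: float   # free road ahead confirmed at the last good perception
    shoulder_width_m: float   # usable space to the right of the lane


@dataclass
class SafePath:
    primitives: list[Primitive]
    stop_distance_m: float
    lateral_offset_m: float

    def valid(self, st: KnownState) -> bool:
        return (self.stop_distance_m <= st.clear_distance_m
                and 0.0 <= self.lateral_offset_m <= st.shoulder_width_m)


def simulate(speed0: float, seq: list[Primitive]) -> tuple[float, float, float]:
    """Roll a primitive sequence forward: (final speed, distance, lateral offset).
    A braking primitive is cut short the moment the vehicle reaches standstill."""
    v, dist, lat = speed0, 0.0, 0.0
    for p in seq:
        if p.decel_mps2 > 0 and v / p.decel_mps2 <= p.duration_s:
            t_run, v_end = v / p.decel_mps2, 0.0
        else:
            t_run, v_end = p.duration_s, v - p.decel_mps2 * p.duration_s
        dist += (v + v_end) / 2.0 * t_run
        lat += p.lateral_m * (t_run / p.duration_s)
        v = v_end
    return v, dist, lat


def build_safe_path(st: KnownState) -> SafePath | None:
    """Prefer a shoulder pull-over with gentle braking, then firmer braking and
    in-lane stops; None if no library sequence stops inside the clear distance.
    Rebuilt every cycle alongside the normal plan so it is ready on a fault."""
    for brake in ("brake_gentle", "brake_firm"):
        for use_shoulder in (True, False):
            seq: list[Primitive] = []
            if use_shoulder:
                if st.shoulder_width_m < LIBRARY["shift_right_1m"].lateral_m:
                    continue   # no room for the shift primitive
                seq.append(LIBRARY["shift_right_1m"])
            v, _, _ = simulate(st.speed_mps, seq)
            while v > 0 and len(seq) < 12:
                seq.append(LIBRARY[brake])
                v, _, _ = simulate(st.speed_mps, seq)
            if v > 0:
                continue
            seq.append(LIBRARY["hold"])
            _, dist, lat = simulate(st.speed_mps, seq)
            path = SafePath(seq, dist, lat)
            if path.valid(st):
                return path
    return None


if __name__ == "__main__":
    for clear in (120.0, 60.0, 20.0):
        p = build_safe_path(KnownState(15.0, clear, 2.0))
        print(clear, None if p is None else ([x.name for x in p.primitives], round(p.stop_distance_m, 1)))
```

Because validation uses only the stored `KnownState`, the builder returning None is itself a signal: the last trusted state leaves no pre-validated stop inside the confirmed clear distance, and the supervisor must treat that as a safety-goal violation rather than improvise a path without perception.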
Robert Bosch · 2023

Parallel HD-Map and Map-Free Fallback Modes

A normal mode using HD map-based environmental modeling runs simultaneously with a safety/fallback mode using map-free sensor-only environmental modeling. When HD map localization becomes inaccurate or unavailable, the system switches to safety mode—enabling continued controlled maneuvering before stopping, rather than executing a sudden emergency brake. Particularly relevant for road construction zones where HD map data is stale.

Map-free fallback for stale HD map scenarios
Nokia Technologies · 2023

Dynamic Active Failsafe Home for Communication Faults

Establishes a dynamically updated "active failsafe home"—a physical location satisfying visibility constraints and operational area restrictions. The AV is continuously configured to navigate to the active failsafe home upon communication fault detection, with the active home updated as the vehicle's location changes. Provides a guaranteed safe destination even when V2X or remote monitoring communication is unavailable.

Guaranteed safe destination on V2X failure
KIAPI · 2023 (EP)

Edge Infrastructure-Assisted Fallback for Geofenced Domains

Offloads fallback safety processing to edge infrastructure when onboard systems detect a fallback situation (sensor failure, system defect, network error, ODD violation). The safety controller transmits fallback situation and passenger location through the edge infrastructure, enabling infrastructure-assisted vehicle control during periods when the onboard AV stack is compromised. Supplements—rather than replaces—onboard redundancy for geofenced operational domains.

Edge-assisted fallback for geofenced ODD
Competitive Landscape

Key Players, Innovation Trends, and ASIL Decomposition in Practice

Analysis of assignee frequency and patent scope reveals a multi-tier competitive landscape evolving from simple ECU switchover toward multi-layer hierarchical architectures with silicon-level safety islands.

ASIL Decomposition: How ASIL-D Is Achieved via Two-Channel Split

Valeo's 2016 patent formalizes that ASIL-D can be met by ASIL-B + ASIL-A, or ASIL-C by ASIL-B + QM, provided design diversity is maintained and diverse implementations remain below four.

Figure: ISO 26262 ASIL decomposition options as formalized in Valeo's 2016 patent. A high-integrity function is split across two independent channels at lower ASIL ratings, reducing design complexity while maintaining safety integrity for L4 AV compute architectures.
  • ASIL-D = ASIL-B (channel 1) + ASIL-A (channel 2)
  • ASIL-C = ASIL-B (channel 1) + QM (channel 2)
  • At most 4 diverse implementations
Source: Valeo ASIL decomposition patent (2016) · PatSnap Eureka

Innovation Evolution: Simple ECU Switchover → Multi-Layer Hierarchical Architecture

The dataset shows a clear evolution from simple primary/backup ECU switchover (2017–2020) toward multi-layer hierarchical architectures combining runtime ASIL decomposition, dynamic safety configuration, edge-infrastructure integration, and silicon-level safety islands (2022–2026).

Figure: Dominant innovation phases in fail-operational L4 AV architecture patents (PatSnap Eureka analysis, 55+ patents, 7 jurisdictions, 2017–2026).
  • 2017–2020: Simple ECU switchover (primary/backup)
  • 2020–2022: Multi-lane compute (FDIR patterns)
  • 2022–2024: Hierarchical + SOTIF (dynamic ASIL)
  • 2024–2026: Silicon safety islands and edge integration
Source: PatSnap Eureka · 55+ patents · 2017–2026 · 7 jurisdictions

Summary

Key Design Principles for Fail-Operational L4 AV Electronic Architectures

Seven evidence-based principles derived from over 55 patents across 7 jurisdictions, validated by PatSnap Eureka's patent intelligence platform.

Principle 1 · SAIC 2024

Fail-Operational Is Mandatory for L4

Fail-silent architectures cannot meet L4 safety requirements since no human fallback driver is available. A dedicated fail-operational redundant controller is required, as explicitly documented by SAIC's redundant intelligent driving controller design (2024).

Non-negotiable architectural requirement
Principle 2 · Valeo 2016

ASIL Decomposition Enables Scalable Implementation

ISO 26262 ASIL-D requirements can be met by combining two independent channels at lower ASIL ratings, reducing design complexity while maintaining integrity. The number of diverse implementations must remain below four.

ASIL-B + ASIL-A = ASIL-D compliant
Principle 3 · Volkswagen 2024

Independent Signal and Control Line Paths Are Non-Negotiable

Failover devices must have dedicated, separate signal lines from sensors and separate control lines to actuators, physically isolated from the primary compute network. This ensures sensor access is retained even when the primary compute network has failed.

Physical isolation from primary network required
Principle 4 · Kodiak + Luminar

Pre-Computed Fallback Plans Enable Sub-100ms MRM

Continuously updating a fallback motion plan delivered to an independent actuation controller enables sub-100ms safe stop initiation without any main-system computation, as implemented in Kodiak Robotics' redundant ACE system (2025) and Luminar Technologies' motion primitive-based safe path system (2019).

Sub-100ms MRM without main-system dependency
Principle 5 · ZF / Bosch

Dual-Network Hardware Separation Is the Reference Pattern

Operating a primary high-performance QM network for complex AV functions alongside a physically separate, safety-rated redundant network ensures safe-state reachability even on total primary network failure, as documented by ZF Friedrichshafen's system for safe operation of automated vehicles (2022).

QM + safety-rated dual network
Principle 6 · Marelli 2025

Layered Response Hierarchies Prevent Unnecessary Hard Stops

A graduated three-level response—nominal operation, degraded emergency mode, and safe state—avoids abrupt stops that could themselves create hazards, as specified by Marelli Europe's vehicle ECU design (2025). This directly implements ISO 26262's concept of safe states.

Three-level graduated response hierarchy

References

  1. Knorr-Bremse — Highly Available Electrical Braking and Steering Equipment (2020)
  2. Robert Bosch GmbH — Method for Dynamic Configuration of a Safety Architecture for Automated Driving (2024)
  3. Volkswagen AG — Method for Operating an Automated Driving Vehicle (2021)
  4. Luminar Technologies — Autonomous Vehicle Technology for Facilitating Safe Stopping via Separate Paths (2019)
  5. Uber Technologies — Fault-Tolerant Control of an Autonomous Vehicle with Multiple Control Lanes (2021)
  6. Uber Technologies — Fault-Tolerant Control of an Autonomous Vehicle with Multiple Control Lanes (WO, 2019)
  7. UATC, LLC — Fault-Tolerant Control of an Autonomous Vehicle with Multiple Control Lanes (2024)
  8. Nokia Technologies OY — Failsafe Behavior Configuration for Autonomous Navigation (2023)
  9. Tsinghua University — Functional Safety Architecture Design for Distributed Intelligent Electric Vehicle Steering (2019)
  10. Qualcomm — Processor-Based System Using Safety Island Architecture for Fail-Safe Operation (2025)
  11. Robert Bosch GmbH — Hierarchical System Architecture for Controlling Automated Vehicles (2025)
  12. Robert Bosch GmbH — Method for Controlling an Automated Vehicle (2023)
  13. ZF Friedrichshafen AG — System for Safe Operation of Automated Vehicles (2022)
  14. Pony.ai — Vehicle Safety Response Control Hierarchy (EP, 2024)
  15. Kodiak Robotics — Redundant Actuator Control Engine (ACE) System (2025)
  16. KIAPI — Edge Infrastructure-Based Autonomous Driving Safety Control System (EP, 2023)
  17. Valeo — Method for Implementing ASIL-Compliant Motor Vehicle Functions (2016)
  18. Marelli Europe — Vehicle ECU Design with Three-Mode Response Hierarchy (2025)
  19. Volvo Trucks — Autonomous Vehicle Control System (2021)
  20. ISO — ISO 26262: Road Vehicles — Functional Safety
  21. SAE International — SAE J3016: Taxonomy and Definitions for Terms Related to Driving Automation Systems
  22. IEEE — Standards for Autonomous Vehicle Safety and Functional Safety

All data and statistics on this page are sourced from the references above and from PatSnap's proprietary innovation intelligence platform. Patent analysis conducted via PatSnap Eureka across US, DE, CN, EP, JP, FR, and KR jurisdictions.
