This paper presents a taxonomy that allows to define the fault tolerance regimes "fail-operational", "fail-degraded", and "fail-safe" in the context of automotive systems. Fault tolerance regimes such as these are widely used in recent publications related to automated driving, yet without definitions, which largely holds true for automotive safety standards, too. Moreover, we show that fault tolerance regimes defined in scientific publications related to the automotive domain are partially ambiguous as well as taxonomically unrelated. The presented taxonomy is based on terminology stemming from ISO 26262 as well as from systems engineering and uses four criteria to distinguish fault tolerance regimes. In addition to "fail-operational", "fail-degraded", and "fail-safe", the core terminology consists of "operational" and "fail-unsafe". These terms are supported by definitions of "available performance", "nominal performance", and a novel definition of the "safe state". For verification, we show by means of two examples from the automotive domain that the taxonomy can be applied to hierarchical systems of different complexity. Finally, we relate the definitions to the recently published technical report ISO/TR 4804, which also presents definitions of fault tolerance regimes.

中文翻译：

---

统一汽车系统容错机制的分类法：定义故障运行、故障降级和故障安全

本文提出了一种分类法，允许在汽车系统的上下文中定义容错机制“故障运行”、“故障降级”和“故障安全”。诸如此类的容错机制在最近与自动驾驶相关的出版物中被广泛使用，但没有定义，这在很大程度上也适用于汽车安全标准。此外，我们表明，在与汽车领域相关的科学出版物中定义的容错机制部分含糊不清，并且在分类学上不相关。所提出的分类法基于源自 ISO 26262 和系统工程的术语，并使用四个标准来区分容错机制。除了“故障运行”、“故障降级”和“故障安全”之外，核心术语包括“操作”和“故障不安全”。这些术语得到“可用性能”、“标称性能”和“安全状态”的新定义的支持。为了验证，我们通过汽车领域的两个例子展示了分类法可以应用于不同复杂度的分层系统。最后，我们将定义与最近发布的技术报告 ISO/TR 4804 相关联，该报告还提供了容错机制的定义。我们通过来自汽车领域的两个例子展示了分类法可以应用于不同复杂性的层次系统。最后，我们将定义与最近发布的技术报告 ISO/TR 4804 相关联，该报告还提供了容错机制的定义。我们通过汽车领域的两个例子展示了分类法可以应用于不同复杂度的层次系统。最后，我们将定义与最近发布的技术报告 ISO/TR 4804 相关联，该报告还提供了容错机制的定义。