
arxiv: 1907.01024 · v1 · pith:5YDAF4ISnew · submitted 2019-07-01 · 💻 cs.SE

Kayotee: A Fault Injection-based System to Assess the Safety and Reliability of Autonomous Vehicles to Faults and Errors

Pith reviewed 2026-05-25 11:33 UTC · model grok-4.3

classification 💻 cs.SE
keywords: autonomous vehicles · fault injection · safety assessment · reliability · autonomous driving system · error propagation · vehicle dynamics

The pith

Kayotee is a fault injection tool that systematically tests how errors in autonomous driving systems affect safety and reliability at hardware, software, dynamics, and traffic levels.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents Kayotee, a tool that injects faults into the software and hardware components of an autonomous driving system to measure how those faults propagate and whether they produce safety violations. It pairs the tool with an ontology model that classifies the resulting errors and their impact on vehicle behavior. A sympathetic reader would care because fully autonomous vehicles are projected to dominate roads and the economy, making concrete ways to quantify their resilience to faults a practical need for manufacturers and regulators. The work demonstrates the approach on a proprietary Nvidia ADS and notes ongoing use on open-source systems. If the method works, it supplies a repeatable way to compare resiliency across different autonomy stacks.

Core claim

Kayotee is a fault injection-based tool that injects faults into the software and hardware components of an ADS to assess the safety and reliability of AVs under faults and errors, paired with an ontology model that characterizes errors and safety violations. The tool characterizes fault propagation and resiliency at four levels: hardware, software, vehicle dynamics, and traffic resilience.

What carries the argument

Kayotee, a fault injection tool that injects controlled faults into ADS components and tracks their effects through hardware, software, vehicle dynamics, and traffic layers.

If this is right

  • Manufacturers can locate weak components in an ADS by measuring which injected faults reach vehicle dynamics or traffic levels.
  • The same tool can be applied to both proprietary and open-source autonomy stacks for direct comparison of resiliency.
  • Traffic-level characterization supplies data on how individual vehicle faults affect surrounding vehicles and overall road safety.
  • An ontology of errors and violations gives a shared vocabulary for reporting safety findings across different ADS implementations.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The tool could be combined with existing vehicle simulators to generate large-scale statistics on rare fault scenarios that are hard to observe on public roads.
  • Repeated application across many ADS versions might reveal common architectural patterns that make certain autonomy designs more or less sensitive to specific fault classes.
  • Regulators could require Kayotee-style fault-injection reports as one input when certifying an ADS for public deployment.

Load-bearing premise

Faults injected inside the controlled tool environment will produce the same propagation patterns and safety outcomes as faults that arise during real-world autonomous vehicle operation.

What would settle it

A side-by-side test in which the same ADS experiences both Kayotee-injected faults and naturally occurring hardware or software faults, showing statistically different rates or types of safety violations.

Figures

Figures reproduced from arXiv: 1907.01024 by Michael Sullivan, Ravishankar K. Iyer, Saurabh Jha, Siva Hari, Stephen W. Keckler, Timothy Tsai, Zbigniew Kalbarczyk.

Figure 1: End-to-end safety and reliability evaluation of ADS using Kayotee
Figure 2: Simulation results of a single run without fault
Figure 3: Experimental Strategy
Figure 4: Ontology model for fault manifestation in AVs
Original abstract

Fully autonomous vehicles (AVs), i.e., AVs with autonomy level 5, are expected to dominate road transportation in the near future and contribute trillions of dollars to the global economy. The general public, government organizations, and manufacturers all have significant concern regarding resiliency and safety standards of the autonomous driving system (ADS) of AVs. In this work, we proposed and developed (a) 'Kayotee' - a fault injection-based tool to systematically inject faults into software and hardware components of the ADS to assess the safety and reliability of AVs to faults and errors, and (b) an ontology model to characterize errors and safety violations impacting reliability and safety of AVs. Kayotee is capable of characterizing fault propagation and resiliency at different levels - (a) hardware, (b) software, (c) vehicle dynamics, and (d) traffic resilience. We used Kayotee to study a proprietary ADS technology built by Nvidia corporation and are currently applying Kayotee to other open-source ADS systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces Kayotee, a fault injection-based tool and associated ontology for assessing the safety and reliability of autonomous driving systems (ADS). Kayotee injects faults into hardware and software components to characterize propagation and resiliency across four levels: hardware, software, vehicle dynamics, and traffic. The authors report applying the tool to Nvidia's proprietary ADS and extending it to open-source ADS stacks.

Significance. If the tool performs the multi-layer characterizations as described, it would offer a systematic framework for evaluating AV fault resiliency, addressing a pressing need in a domain with substantial safety and economic implications. The ontology component could help standardize error classification, and the support for both proprietary and open-source stacks increases potential utility for the community.

major comments (2)
  1. [Case Study] Case Study section: The manuscript states that Kayotee was used to study Nvidia's proprietary ADS, yet no quantitative results, metrics on fault propagation, or data on resiliency at the four claimed levels are presented; this absence directly undermines the central capability claim.
  2. [Ontology Model] Ontology Model section: The ontology is positioned as a core contribution for characterizing errors and safety violations, but no formal definition, schema, example instantiations, or integration details with the injection mechanism are provided, leaving the characterization mechanism unsupported.
minor comments (2)
  1. [Abstract] Abstract: The statement that Kayotee is 'currently applying' to open-source systems lacks any detail on which systems or preliminary observations, reducing clarity on the tool's demonstrated scope.
  2. [Introduction] Introduction: Claims about trillions of dollars in economic contribution and level-5 dominance would benefit from citations to supporting reports or forecasts.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the detailed review and constructive comments. We address each major point below, providing clarifications on the manuscript's scope and our plans for revision where appropriate.

Point-by-point responses
  1. Referee: [Case Study] Case Study section: The manuscript states that Kayotee was used to study Nvidia's proprietary ADS, yet no quantitative results, metrics on fault propagation, or data on resiliency at the four claimed levels are presented; this absence directly undermines the central capability claim.

    Authors: The manuscript's primary contribution is the design of the Kayotee tool and ontology for multi-level fault characterization. The case study on Nvidia's proprietary ADS is mentioned to demonstrate applicability, but detailed quantitative metrics are omitted due to the proprietary and confidential nature of the system under test. We cannot disclose specific fault propagation data or resiliency numbers without violating agreements. The text focuses on the methodology rather than empirical outcomes from this particular deployment. We will add an explicit statement clarifying this limitation in the revised manuscript.

    Revision: partial

  2. Referee: [Ontology Model] Ontology Model section: The ontology is positioned as a core contribution for characterizing errors and safety violations, but no formal definition, schema, example instantiations, or integration details with the injection mechanism are provided, leaving the characterization mechanism unsupported.

    Authors: We agree that the ontology section would benefit from greater formality. The current description provides a conceptual overview of error and safety violation characterization across levels. In the revision, we will add a formal schema definition, example instantiations, and details on how the ontology integrates with the fault injection engine to support the claims.

    Revision: yes

standing simulated objections not resolved
  • Detailed quantitative results, metrics, or data from the application of Kayotee to Nvidia's proprietary ADS cannot be provided or expanded upon due to confidentiality constraints.

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper describes the design and use of the Kayotee fault-injection tool and an associated ontology for characterizing error propagation across hardware, software, vehicle dynamics, and traffic layers. No mathematical derivations, equations, fitted parameters, or predictions appear in the provided text. Claims are capability statements about the tool itself rather than results derived from prior equations or self-citations. The methodology is presented as a direct construction of the framework, with no load-bearing steps that reduce to inputs by definition or renaming. This is a standard tool-description paper with no circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical content; the paper is a systems description of a tool and model with no free parameters, axioms, or invented entities in the formal sense.

