Risk and Mitigation of Nondeterminism in Distributed Cyber-Physical Systems

Asynchronous frameworks for distributed embedded systems, like ROS and MQTT, are increasingly used in safety-critical applications such as autonomous driving, where the cost of unintended behavior is high. The loose coordination between the components in these frameworks gives rise to nondeterminism, where factors such as communication timing can lead to arbitrary ordering in the handling of messages. In this paper, we show that this problem compromises safety and complicates system design in Autoware. Auto 1.0, a popular open-source autonomous driving framework based on ROS 2. We extend the Lingua Franca coordination language to support distributed execution, port Autoware.Auto to Lingua Franca, and show that our solution avoids the identified problems. We assess the performance of our federated runtime implementation and show that it is competitive for this application. We also compare our achievable throughput to ROS 2 and MQTT using microbenchmarks and find that we can match or exceed the throughput of those frameworks while preserving determinism.