How do you architect a fail-operational system for L4/L5 autonomous driving?

Fail-operational architecture design: 1) Redundancy strategy - identify functions requiring fail-operational capability (steering, braking, perception, compute), define redundancy level (dual, triple); 2) Independence - separate power supplies, physically separated sensors, independent compute units, diverse algorithms/implementations; 3) Monitoring and arbitration - fault detection mechanisms, voting or arbitration between redundant channels, health monitoring; 4) Graceful degradation - define degraded modes (reduced speed, hand-back to driver, safe stop), transition logic; 5) Network architecture - redundant communication buses, deterministic protocols (TSN), separation of safety-critical and convenience functions. Challenges include cost, complexity, common cause failures, and latent fault detection. Architecture must meet ASIL D requirements for highest safety integrity functions.