Spatiotemporal-Aware Bit-Flip Injection on DNN-based Advanced Driver Assistance Systems

Published 4 Apr 2026 in cs.CR and cs.LG | (2604.03753v1)

Abstract: Modern advanced driver assistance systems (ADAS) rely on deep neural networks (DNNs) for perception and planning. Since DNNs' parameters reside in DRAM during inference, bit flips caused by cosmic radiation or low-voltage operation may corrupt DNN computations, distort driving decisions, and lead to real-world incidents. This paper presents a SpatioTemporal-Aware Fault Injection (STAFI) framework to locate critical fault sites in DNNs for ADAS efficiently. Spatially, we propose a Progressive Metric-guided Bit Search (PMBS) that efficiently identifies critical network weight bits whose corruption causes the largest deviations in driving behavior (e.g., unintended acceleration or steering). Furthermore, we develop a Critical Fault Time Identification (CFTI) mechanism that determines when to trigger these faults, taking into account the context of real-time systems and environmental states, to maximize the safety impact. Experiments on DNNs for a production ADAS demonstrate that STAFI uncovers 29.56x more hazard-inducing critical faults than the strongest baseline.

Summary

  • The paper introduces STAFI, a framework combining Progressive Metric-guided Bit Search and Critical Fault Time Identification to detect safety-critical bit-flip faults in DNN-based ADAS.
  • It employs spatiotemporal analysis to induce catastrophic hazards with minimal parameter perturbations, achieving high accident rates in simulation scenarios.
  • The findings highlight the need for improved safety certification and runtime fault monitoring to manage DRAM-resident vulnerabilities in autonomous vehicle systems.

Spatiotemporal-Aware Bit-Flip Injection on DNN-based ADAS

Introduction

The paper presents a comprehensive framework, STAFI, for uncovering safety-critical vulnerabilities within DNN-based Advanced Driver Assistance Systems (ADAS), focusing on the impact of bit-flip faults in DRAM-resident model parameters. The vulnerability assessment incorporates both spatial (weight criticality) and temporal (driving context) dimensions, reflecting the inherent high-dimensionality and time-dependence of safety risks in autonomous driving systems. The approach is motivated by limitations of prior static and statistical fault injection methods, which are unable to efficiently locate and trigger system-level hazardous behaviors in practical closed-loop settings.

Background and Motivation

Modern ADAS pipelines, exemplified by systems such as OpenPilot's Supercombo, leverage large DNNs for perception and planning. These networks, with millions of parameters stored in DRAM, are susceptible to bit-flip errors due to cosmic radiation, low-voltage operation, or deliberate attacks. As shown in recent studies, such faults can be catastrophic, especially when they interact with critical driving contexts. Traditional uniform or offline fault injection methods, including Taylor-guided importance scores, fail to expose the most consequential parameter faults, as they neglect system dynamics and environmental interplay.

Figure 1: Functional overview of an ADAS showing the closed-loop interaction between sensor fusion, DNN perception, planning, and control.

STAFI Framework

STAFI's novelty is the integration of Progressive Metric-guided Bit Search (PMBS) for spatial fault site identification and Critical Fault Time Identification (CFTI) for context-specific, temporal triggering of faults.

Progressive Metric-Guided Bit Search (PMBS)

Unlike pure gradient or Taylor-based approaches, PMBS combines trajectory-centric importance measures with fault-specific behavioral metrics, iteratively refining bit candidates to identify those that maximally distort safety-critical driving attributes such as longitudinal/lateral deviation, headway time, and lane offset. This process reveals that only a minimal number of sign and exponent bit flips in selected weights can induce drastic control aberrations.

Figure 2: Overview of the STAFI framework—PMBS identifies critical bits, and CFTI triggers injection at hazardous moments.

The analysis reveals that high-impact flips are concentrated among sign and exponent bits—consistent with prior findings regarding parameter sensitivity—but with a more direct correspondence to observable safety deviations.

Figure 4: Heatmap illustrating distribution of critical bit flips; sign and exponent bits overwhelmingly dominate.

Critical Fault Time Identification (CFTI)

CFTI operationalizes contextual awareness by continuously monitoring runtime system state and environmental variables (e.g., headway time, relative velocity, lateral position). Using Systems-Theoretic Process Analysis (STPA)-derived rules, CFTI determines precise temporal conditions under which PMBS-identified faults are likely to propagate into accidents or hazardous maneuvers. This closed-loop, event-driven activation enables the injection of faults at their points of maximum influence.

Figure 5: Schematic of typical hazardous driving scenarios used for closed-loop evaluation, such as lane departure and cut-in events.

Experimental Evaluation

The evaluation suite integrates the STAFI framework into the OpenPilot/CARLA simulation stack, applying it under four canonical highway scenarios. Metrics focus on the emergence and types of hazards (e.g., forward collision, side collision, lane departure), as well as time-to-hazard (TTH) and time-to-accident (TTA) following injection.

Figure 3: The OpenPilot system interface, showing pre-fault nominal behavior.

Spatial and Temporal Impact Analysis

PMBS outperforms all spatial baselines: it triggers 29.56× more hazard-inducing critical faults than the strongest baseline, with context-driven activation elevating the hazard rate further. For instance, in the context-aware mode with PMBS, 42.25% of scenarios resulted in forward-collision hazards and 76.00% in lane-departure hazards, with overall accident rates exceeding 85%. In contrast, random and even Taylor-guided (top-20, top-50) baselines produced rates indistinguishable from fault-free runs.

Figure 6: Comparative metric scores for different bit-search strategies; metric-guided PMBS outpaces all baselines, especially as refinement depth increases.

Timing is a dominant factor: CFTI reduces TTH and TTA, demonstrating that hazardous manifestations are highly context-dependent. The same spatial bit-flip, if injected outside critical contexts, frequently fails to produce observable faults.

Fault Type Sensitivity

Acceleration-focused faults (longitudinal corruption) predominantly cause headway-related hazards and forward collisions. Lateral corruption (steer-left/right) rapidly induces lane departures and side collisions, with TTH as low as 1.32s. Combined axis injections yield a broader hazard distribution, indicating strong coupling in the perception-planning-control pipeline.

Figure 7: Ego vehicle acceleration and lateral behavior in response to different bit-flip-induced faults; hazardous deviations become evident under CFTI-triggered activation.

Generalization Across Platforms

STAFI demonstrates strong generalization; on Float16-parameterized, newer OpenPilot versions, PMBS remains effective in causing high hazard and accident rates, validating the structural and numerical robustness of the STAFI methodology.

Implications and Future Directions

The results indicate that safety verification of ADAS and AV compute pipelines must explicitly account for the spatiotemporal structure of fault vulnerability—simple offline or static analysis grossly underestimates risk. The study highlights that minimal bit perturbations, if timed correctly, can undermine both vehicle behavior and built-in safety assurances, underscoring an urgent need for spatiotemporal robustness as a normative requirement in AV safety certification.

Practically, these findings have multifold implications:

  • Testing/Certification: Safety standards such as ISO 26262 require system-level hazard analysis; STAFI represents a concrete methodology for parameter-level, closed-loop safety assessment.
  • Mitigation/Robustification: Existing ECC mechanisms (e.g., SECDED) are ineffective against the double-bit patterns and DRAM-resident faults STAFI targets. There is a clear need for integrated, metric-aware software-level runtime monitors and redundancy mechanisms.
  • Security: The ease of triggering catastrophic faults with minimal, precisely-located bit manipulations presents new vectors for targeted adversarial and backdoor attacks on AV models.
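The sign/exponent sensitivity reported under PMBS and the runtime-monitor recommendation above can be seen together in a small sketch. This is an added example, not code from the paper or from OpenPilot: it assumes float32 weights, and the magnitude bound, the per-block CRC32, the sample weights and all names are illustrative choices.

```python
import math
import struct
import zlib

def flip_bit(value, bit):
    """Invert one bit of `value` stored as IEEE-754 float32 (31 = sign, 30..23 = exponent)."""
    (raw,) = struct.unpack("<I", struct.pack("<f", value))
    return struct.unpack("<f", struct.pack("<I", raw ^ (1 << bit)))[0]

def worst_flip_per_field(value):
    """Largest absolute change that a single flip in each float32 field causes to `value`."""
    worst = {"sign": 0.0, "exponent": 0.0, "mantissa": 0.0}
    for bit in range(32):
        name = "sign" if bit == 31 else "exponent" if bit >= 23 else "mantissa"
        faulty = flip_bit(value, bit)
        delta = abs(faulty - value) if math.isfinite(faulty) else math.inf
        worst[name] = max(worst[name], delta)
    return worst

def pack(weights):
    """Serialize weights the way they would sit in memory as little-endian float32."""
    return struct.pack(f"<{len(weights)}f", *weights)

class WeightMonitor:
    """Golden-reference monitor: a magnitude bound plus one CRC32 per block of weights."""
    def __init__(self, golden, block=4, margin=2.0):
        self.block = block
        self.bound = margin * max(abs(w) for w in golden)
        self.crcs = self._crcs(golden)

    def _crcs(self, weights):
        return [zlib.crc32(pack(weights[i:i + self.block]))
                for i in range(0, len(weights), self.block)]

    def check(self, live):
        """Return (indices outside the magnitude bound, block numbers whose CRC changed)."""
        out_of_range = [i for i, w in enumerate(live) if not abs(w) <= self.bound]
        bad_blocks = [b for b, (g, c) in enumerate(zip(self.crcs, self._crcs(live))) if g != c]
        return out_of_range, bad_blocks

GOLDEN = [0.0625, -0.25, 0.5, 0.125, -0.03125, 0.75, -0.5, 0.375]  # constructed sample weights

def demo():
    """Check a clean copy, an exponent-MSB fault and a sign fault against the monitor."""
    mon = WeightMonitor(GOLDEN)
    exp_fault = list(GOLDEN); exp_fault[0] = flip_bit(GOLDEN[0], 30)
    sign_fault = list(GOLDEN); sign_fault[5] = flip_bit(GOLDEN[5], 31)
    return mon.check(GOLDEN), mon.check(exp_fault), mon.check(sign_fault)

if __name__ == "__main__":
    print(worst_flip_per_field(0.0625))
    print(demo())
```

The cheap magnitude bound catches the exponent fault but not the sign flip, which stays within range; only the checksum comparison flags both.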

Future research should extend STAFI to multi-modal and cross-component faults, real-vehicle testing, and proactive mitigation via runtime self-monitoring and self-healing.

Conclusion

This work establishes that assessment of DNN-based ADAS reliability necessitates joint consideration of spatial criticality and temporal driving context. The STAFI framework demonstrably surpasses prior methods, enabling highly efficient, context-targeted identification of parameter-level vulnerabilities that manifest as severe system-level hazards. The proposed approach sets a strong foundation for next-generation AV safety evaluation, with significant repercussions for certification, operational risk management, and model robustness engineering.
