ODRE Workshop: Using SIL Arithmetic to Design Safe and Secure Systems

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.In a safety-critical system each service has a specific level of safety criticality. Safety standards use classifications like Safety Integrity Levels (SIL), to describe the design requirements for the individual services of a system. Techniques like redundancy can be used to achieve a higher overall dependability than the used individual components provide. Using the notion of SIL, this can be called SIL arithmetic. In this paper we describe the concept of SIL arithmetic and point out how different safety standards provide hints for their support of using SIL arithmetic. We highlight the principal benefits of SIL arithmetic and provide simple examples. But the use of SIL arithmetic in a concrete system design can also have its pitfalls, which we also discuss in this paper. We specifically discuss these issues in the context of scheduling techniques for mixed-criticality systems, where resource shortages are to be handled by the scheduler

Finding traitors in secure networks using Byzantine agreements

Secure networks rely upon players to maintain security and reliability. However not every player can be assumed to have total loyalty and one must use methods to uncover traitors in such networks. We use the original concept of the Byzantine Generals Problem by Lamport [8], and the more formal Byzantine Agreement describe by Linial [10], to find traitors in secure networks. By applying general fault-tolerance methods to develop a more formal design of secure networks we are able to uncover traitors amongst a group of players. We also propose methods to integrate this system with insecure channels. This new resiliency can be applied to broadcast and peer-to-peer secure com- munication systems where agents may be traitors or be- come unreliable due to faults

Routing Optimization of AVB Streams in TSN Networks

In this paper we are interested in safety-critical real-time applications implemented on distributed architectures using the Time-Sensitive Networking (TSN) standard. The ongoing standardization of TSN is an IEEE effort to bring deterministic real-time capabilities into the IEEE 802.1 Ethernet standard supporting safety-critical systems and guaranteed Quality-of-Service. TSN will support Time-Triggered (TT) communication based on schedule tables, Audio-Video-Bridging (AVB) streams with bounded end-to-end latency as well as Best-Effort messages. We consider that we know the topology of the network as well as the routes and schedules of the TT streams. We are interested to determine the routing of the AVB streams such that all frames are schedulable and their worst-case end-to-end delay is minimized. We have proposed a search-space reduction technique and a Greedy Randomized Adaptive Search Procedure (GRASP)-based heuristic for this routing optimization problem. The proposed approaches has been evaluated using several test cases. </jats:p

Formal verification of a group membership protocol using model checking

The development of safety-critical embedded applications in domains such as automotive or avionics is an exceedingly challenging intellectual task. This task can, however, be significantly simplified through the use of middleware that offers specialized fault-tolerant services. This middleware must provide a high assurance level that it operates correctly. In this paper, we present a formal verification of a protocol for one such service, a Group Membership Service, using model checking. Through this verification we discovered that although the protocol specification is correct, a previously proposed implementation is not

Traffic class assignment for mixed-criticality frames in TTEthernet

In this paper we are interested in mixed-criticality applications, which have functions with different timing requirements, i.e., hard real-time (HRT), soft real-time (SRT) and functions that are not time-critical (NC). The applications are implemented on distributed architectures that use the TTEthernet protocol for communication. TTEthernet supports three traffic classes: Time-Triggered (TT), where frames are transmitted based on static schedule tables; Rate Constrained (RC), for dynamic frames with a guaranteed bandwidth and bounded delays; and Best Effort (BE), for which no timing guarantees are provided. HRT messages have deadlines, whereas for SRT messages we capture the quality-of-service using "utility functions". Given the network topology, the set of application messages and their routing, we are interested to determine the traffic class of each message, such that all HRT messages are schedulable and the total utility for SRT messages is maximized. For the TT frames we decide their schedule tables, and for the RC frames we decide their bandwidth allocation. We propose aTabu Search-based metaheuristic to solve this optimization problem. The proposed approach has been evaluated using several benchmarks, including two realistic test cases.</jats:p

ATMP-CA: Optimising Mixed-Criticality Systems Considering Criticality Arithmetic

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/)Many safety-critical systems use criticality arithmetic, an informal practice of implementing a higher-criticality function by combining several lower-criticality redundant components or tasks. This lowers the cost of development, but existing mixed-criticality schedulers may act incorrectly as they lack the knowledge that the lower-criticality tasks are operating together to implement a single higher-criticality function. In this paper, we propose a solution to this problem by presenting a mixed-criticality mid-term scheduler that considers where criticality arithmetic is used in the system. As this scheduler, which we term ATMP-CA, is a mid-term scheduler, it changes the configuration of the system when needed based on the recent history of deadline misses. We present the results from a series of experiments that show that ATMP-CA’s operation provides a smoother degradation of service compared with reference schedulers that do not consider the use of criticality arithmeticPeer reviewe

High-Intensity Radiated Field Fault-Injection Experiment for a Fault-Tolerant Distributed Communication System

Safety-critical distributed flight control systems require robustness in the presence of faults. In general, these systems consist of a number of input/output (I/O) and computation nodes interacting through a fault-tolerant data communication system. The communication system transfers sensor data and control commands and can handle most faults under typical operating conditions. However, the performance of the closed-loop system can be adversely affected as a result of operating in harsh environments. In particular, High-Intensity Radiated Field (HIRF) environments have the potential to cause random fault manifestations in individual avionic components and to generate simultaneous system-wide communication faults that overwhelm existing fault management mechanisms. This paper presents the design of an experiment conducted at the NASA Langley Research Center's HIRF Laboratory to statistically characterize the faults that a HIRF environment can trigger on a single node of a distributed flight control system