
    A runtime safety analysis concept for open adaptive systems

    © Springer Nature Switzerland AG 2019. In the automotive industry, modern cyber-physical systems feature cooperation and autonomy. Such systems share information to enable collaborative functions, allowing dynamic component integration and architecture reconfiguration. Given the safety-critical nature of the applications involved, an approach for addressing safety in the context of reconfiguration impacting functional and non-functional properties at runtime is needed. In this paper, we introduce a concept for runtime safety analysis and decision input for open adaptive systems. We combine static safety analysis and evidence collected during operation to analyse, reason and provide online recommendations to minimize deviation from a system's safe states. We illustrate our concept via an abstract vehicle platooning system use case.

    Reasoning about the Reliability of Diverse Two-Channel Systems in which One Channel is "Possibly Perfect"

    This paper considers the problem of reasoning about the reliability of fault-tolerant systems with two "channels" (i.e., components) of which one, A, supports only a claim of reliability, while the other, B, by virtue of extreme simplicity and extensive analysis, supports a plausible claim of "perfection." We begin with the case where either channel can bring the system to a safe state. We show that, conditional upon knowing pA (the probability that A fails on a randomly selected demand) and pB (the probability that channel B is imperfect), a conservative bound on the probability that the system fails on a randomly selected demand is simply pA.pB. That is, there is conditional independence between the events "A fails" and "B is imperfect." The second step of the reasoning involves epistemic uncertainty about (pA, pB) and we show that under quite plausible assumptions, a conservative bound on system pfd can be constructed from point estimates for just three parameters. We discuss the feasibility of establishing credible estimates for these parameters. We extend our analysis from faults of omission to those of commission, and then combine these to yield an analysis for monitored architectures of a kind proposed for aircraft.

    International White Book on DER Protection : Review and Testing Procedures

    This white book provides an insight into the issues surrounding the impact of increasing levels of DER on the generator and network protection and the resulting necessary improvements in protection testing practices. Particular focus is placed on ever increasing inverter-interfaced DER installations and the challenges of utility network integration. This white book should also serve as a starting point for specifying DER protection testing requirements and procedures. A comprehensive review of international DER protection practices, standards and recommendations is presented. This is accompanied by the identification of the main performance challenges related to these protection schemes under varied network operational conditions and the nature of DER generator and interface technologies. Emphasis is placed on the importance of dynamic testing that can only be delivered through laboratory-based platforms such as real-time simulators, integrated substation automation infrastructure and flexible, inverter-equipped testing microgrids. To this end, the combination of flexible network operation and new DER technologies underlines the importance of utilising the laboratory testing facilities available within the DERlab Network of Excellence. This not only informs the shaping of new protection testing and network integration practices by end users but also enables the process of de-risking new DER protection technologies. In order to support the issues discussed in the white paper, a comparative case study between UK and German DER protection and scheme testing practices is presented. This also highlights the level of complexity associated with standardisation and approval mechanisms adopted by different countries.

    Thrombolytic removal of intraventricular haemorrhage in treatment of severe stroke: results of the randomised, multicentre, multiregion, placebo-controlled CLEAR III trial

    Background: Intraventricular haemorrhage is a subtype of intracerebral haemorrhage, with 50% mortality and serious disability for survivors. We aimed to test whether attempting to remove intraventricular haemorrhage with alteplase versus saline irrigation improved functional outcome. Methods: In this randomised, double-blinded, placebo-controlled, multiregional trial (CLEAR III), participants with a routinely placed extraventricular drain, in the intensive care unit with stable, non-traumatic intracerebral haemorrhage volume less than 30 mL, intraventricular haemorrhage obstructing the 3rd or 4th ventricles, and no underlying pathology were adaptively randomly assigned (1:1), via a web-based system to receive up to 12 doses, 8 h apart of 1 mg of alteplase or 0·9% saline via the extraventricular drain. The treating physician, clinical research staff, and participants were masked to treatment assignment. CT scans were obtained every 24 h throughout dosing. The primary efficacy outcome was good functional outcome, defined as a modified Rankin Scale score (mRS) of 3 or less at 180 days per central adjudication by blinded evaluators. This study is registered with ClinicalTrials.gov, NCT00784134. Findings: Between Sept 18, 2009, and Jan 13, 2015, 500 patients were randomised: 249 to the alteplase group and 251 to the saline group. 180-day follow-up data were available for analysis from 246 of 249 participants in the alteplase group and 245 of 251 participants in the placebo group. The primary efficacy outcome was similar in each group (good outcome in alteplase group 48% vs saline 45%; risk ratio [RR] 1·06 [95% CI 0·88–1·28; p=0·554]). A difference of 3·5% (RR 1·08 [95% CI 0·90–1·29], p=0·420) was found after adjustment for intraventricular haemorrhage size and thalamic intracerebral haemorrhage. At 180 days, the treatment group had lower case fatality (46 [18%] vs saline 73 [29%], hazard ratio 0·60 [95% CI 0·41–0·86], p=0·006), but a greater proportion with mRS 5 (42 [17%] vs 21 [9%]; RR 1·99 [95% CI 1·22–3·26], p=0·007). Ventriculitis (17 [7%] alteplase vs 31 [12%] saline; RR 0·55 [95% CI 0·31–0·97], p=0·048) and serious adverse events (114 [46%] alteplase vs 151 [60%] saline; RR 0·76 [95% CI 0·64–0·90], p=0·002) were less frequent with alteplase treatment. Symptomatic bleeding (six [2%] in the alteplase group vs five [2%] in the saline group; RR 1·21 [95% CI 0·37–3·91], p=0·771) was similar. Interpretation: In patients with intraventricular haemorrhage and a routine extraventricular drain, irrigation with alteplase did not substantially improve functional outcomes at the mRS 3 cutoff compared with irrigation with saline. Protocol-based use of alteplase with extraventricular drain seems safe. Future investigation is needed to determine whether a greater frequency of complete intraventricular haemorrhage removal via alteplase produces gains in functional status.

    SafeDrones: Real-Time Reliability Evaluation of UAVs using Executable Digital Dependable Identities

    The use of Unmanned Aerial Vehicles (UAVs) offers many advantages across a variety of applications. However, safety assurance is a key barrier to widespread usage, especially given the unpredictable operational and environmental factors experienced by UAVs, which are hard to capture solely at design-time. This paper proposes a new reliability modeling approach called SafeDrones to help address this issue by enabling runtime reliability and risk assessment of UAVs. It is a prototype instantiation of the Executable Digital Dependable Identity (EDDI) concept, which aims to create a model-based solution for real-time, data-driven dependability assurance for multi-robot systems. By providing real-time reliability estimates, SafeDrones allows UAVs to update their missions accordingly in an adaptive manner.

    What Characterizes Safety of Ambient Assisted Living Technologies?

    Ambient assisted living (AAL) technologies aim at increasing an individual's safety at home by early recognizing risks or events that might otherwise harm the individual. A clear definition of safety in the context of AAL is still missing and facets of safety still have to be shaped. The objective of this paper is to characterize the facets of AAL-related safety, to identify opportunities and challenges of AAL regarding safety and to identify open research issues in this context. Papers reporting aspects of AAL-related safety were selected in a literature search. Out of 395 citations retrieved, 28 studies were included in the current review. Two main facets of safety were identified: user safety and system safety. System safety concerns an AAL system's reliability, correctness and data quality. User safety reflects impact on physical and mental health of an individual. Privacy, data safety and security issues, sensor quality and integration of sensor data, as well as technical failures of sensors and systems are reported challenges. To conclude, there is a research gap regarding methods and metrics for measuring user and system safety in the context of AAL technologies.

    Combining behavioural types with security analysis

    Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties.

    Robust, Practical Adaptive Control for Launch Vehicles

    A modern mechanization of a classical adaptive control concept is presented with an application to launch vehicle attitude control systems. Due to a rigorous flight certification environment, many adaptive control concepts are infeasible when applied to high-risk aerospace systems; methods of stability analysis are either intractable for high complexity models or cannot be reconciled in light of classical requirements. Furthermore, many adaptive techniques appearing in the literature are not suitable for application to conditionally stable systems with complex flexible-body dynamics, as is often the case with launch vehicles. The present technique is a multiplicative forward loop gain adaptive law similar to that used for the NASA X-15 flight research vehicle. In digital implementation with several novel features, it is well-suited to application on aerodynamically unstable launch vehicles with thrust vector control via augmentation of the baseline attitude/attitude-rate feedback control scheme. The approach is compatible with standard design features of autopilots for launch vehicles, including phase stabilization of lateral bending and slosh via linear filters. In addition, the method of assessing flight control stability via classical gain and phase margins is not affected under reasonable assumptions. The algorithm's ability to recover from certain unstable operating regimes can in fact be understood in terms of frequency-domain criteria. Finally, simulation results are presented that confirm the ability of the algorithm to improve performance and robustness in realistic failure scenarios.