Fail-Safe Testing of Safety-Critical Systems

This dissertation proposes an approach for testing of safety-critical systems. It is based on a behavioral and a fault model. The two models are analyzed for compatibility and necessary changes are identified to make them compatible. Then transformation rules are used to transform the fault model into the same model type as the behavioral model. Integration rules define how to combine them. This approach results in an integrated model which then can be used to generate tests using a variety of testing criteria. The dissertation illustrates this general framework using a CEFSM for the behavioral model and a Fault Tree for the fault model. We apply the technique to a variety of applications such as a Gas burner, an Aerospace Launch System, and a Railroad Crossing Control System. We also investigate the scalability of the approach and compare its efficiency with integrating a state chart and a fault tree. Construction and Analysis of Distributed Processes (CADP) has been used as a supporting tool for this approach to generate test cases from the integrated model and to analyze the integrated model for some properties such as deadlock and livelock

Applying Safety Concepts and Principles in Vital Controller Design

A vital controller is safety critical and its failures, if not mitigated in time, can contribute to hazards in the application system. With electronics advancing and automation increasing, the expanding complexity of a vital controller creates challenges in designing it and assessing its safety integrity level. Typically, traditional safety engineering approaches are not effective for providing systematic guidance to design vital controllers and also not cost efficient for justifying their safety integrity. Through practice on developing multiple Communications-Based Train Control systems, we have identified an approach to using a set of safety concepts as guidance for both safety critical controller design and its safety integrity assessment. These safety concepts are categorized as intrinsic fail-safe, reactive fail-safe, and composite fail-safe. An effective combination of them is applying the composite fail-safe concept in checked redundancy techniques for designing the architecture of a controller, the reactive safety concept for identifying self-testing and monitoring mechanisms in each checked redundant channel, and the intrinsic fail-safe concept for ensuring safe interfaces to other controllers and controlled devices. This paper presents the approach for using these safety concepts and discusses their application principles and verification factors for achieving high safety integrity level of a controller

Identification of test cases for Automated Driving Systems using Bayesian optimization

With advancements in technology, the automotive industry is experiencing a paradigm shift from assisted driving to highly automated driving. However, autonomous driving systems are highly safety critical in nature and need to be thoroughly tested for a diverse set of conditions before being commercially deployed. Due to the huge complexities involved with Advanced Driver Assistance Systems (ADAS) and Automated Driving Systems (ADS), traditional software testing methods have well-known limitations. They also fail to cover the infinite number of adverse conditions that can occur due to a slight change in the interactions between the environment and the system. Hence, it is important to identify test conditions that push the vehicle under test to breach its safe boundaries. Hazard Based Testing (HBT) methods, inspired by Systems-Theoretic Process Analysis (STPA), identify such parameterized test conditions that can lead to system failure. However, these techniques fall short of discovering the exact parameter values that lead to the failure condition. The presented paper proposes a test case identification technique using Bayesian Optimization. For a given test scenario, the proposed method learns parameter values by observing the system's output. The identified values create test cases that drive the system to violate its safe boundaries. STPA inspired outputs (parameters and pass/fail criteria) are used as inputs to the Bayesian Optimization model. The proposed method was applied to an SAE Level-4 Low Speed Automated Driving (LSAD) system which was modelled in a driving simulator

Software safety : a definition and some preliminary thoughts

Software safety is the subject of a research project in its initial stages at the University of California Irvine. This research deals with critical real-time software where the cost of an error is high, e.g. human life. In this paper software techniques having a bearing on safety are described and evaluated. Initial definitions of software safety concepts are presented along with some preliminary thoughts and research questions

Reasoning about the Reliability of Diverse Two-Channel Systems in which One Channel is "Possibly Perfect"

This paper considers the problem of reasoning about the reliability of fault-tolerant systems with two "channels" (i.e., components) of which one, A, supports only a claim of reliability, while the other, B, by virtue of extreme simplicity and extensive analysis, supports a plausible claim of "perfection." We begin with the case where either channel can bring the system to a safe state. We show that, conditional upon knowing pA (the probability that A fails on a randomly selected demand) and pB (the probability that channel B is imperfect), a conservative bound on the probability that the system fails on a randomly selected demand is simply pA.pB. That is, there is conditional independence between the events "A fails" and "B is imperfect." The second step of the reasoning involves epistemic uncertainty about (pA, pB) and we show that under quite plausible assumptions, a conservative bound on system pfd can be constructed from point estimates for just three parameters. We discuss the feasibility of establishing credible estimates for these parameters. We extend our analysis from faults of omission to those of commission, and then combine these to yield an analysis for monitored architectures of a kind proposed for aircraft

Building safe software

Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned

Reasoning About the Reliability of Multi-version, Diverse Real-Time Systems

This paper is concerned with the development of reliable real-time systems for use in high integrity applications. It advocates the use of diverse replicated channels, but does not require the dependencies between the channels to be evaluated. Rather it develops and extends the approach of Little wood and Rush by (for general systems) by investigating a two channel system in which one channel, A, is produced to a high level of reliability (i.e. has a very low failure rate), while the other, B, employs various forms of static analysis to sustain an argument that it is perfect (i.e. it will never miss a deadline). The first channel is fully functional, the second contains a more restricted computational model and contains only the critical computations. Potential dependencies between the channels (and their verification) are evaluated in terms of aleatory and epistemic uncertainty. At the aleatory level the events ''A fails" and ''B is imperfect" are independent. Moreover, unlike the general case, independence at the epistemic level is also proposed for common forms of implementation and analysis for real-time systems and their temporal requirements (deadlines). As a result, a systematic approach is advocated that can be applied in a real engineering context to produce highly reliable real-time systems, and to support numerical claims about the level of reliability achieved

Managing Well Integrity using Reliability Based Models

Imperial Users onl