
    Verifiably-safe software-defined networks for CPS

    Next-generation cyber-physical systems (CPS) are expected to be deployed in domains which require scalability as well as performance under dynamic conditions. This scale and dynamicity will require that CPS communication networks be programmatic (i.e., not requiring manual intervention at any stage), but still maintain iron-clad safety guarantees. Software-defined networking standards like OpenFlow provide a means for scalably building tailor-made network architectures, but there is no guarantee that these systems are safe, correct, or secure. In this work we propose a methodology and accompanying tools for specifying and modeling distributed systems such that existing formal verification techniques can be transparently used to analyze critical requirements and properties prior to system implementation. We demonstrate this methodology by iteratively modeling and verifying an OpenFlow learning switch network with respect to network correctness, network convergence, and mobility-related properties. We posit that a design strategy based on the complementary pairing of software-defined networking and formal verification would enable the CPS community to build next-generation systems without sacrificing the safety and reliability that these systems must deliver.

    Modeling and Testing a Family of Surgical Robots: An Experience Report

    Safety-critical applications often use dependability cases to validate that specified properties are invariant, or to demonstrate a counterexample showing how that property might be violated. However, most dependability cases are written with a single product in mind. At the same time, software product lines (families of related software products) have been studied with the goal of modeling variability and commonality, and building family-based techniques for both analysis and testing. However, there has been little work on building an end-to-end dependability case for a software product line (where a property is modeled, a counterexample is found and then validated as a true positive via testing), and none that we know of in an emerging safety-critical domain, that of robotic surgery. In this paper, we study a family of surgical robots that combine hardware and software and are highly configurable, representing over 1300 unique robots. At the same time, they are considered safety-critical and should have associated dependability cases. We perform a case study to understand how we can bring together lightweight formal analysis, feature modeling, and testing to provide an end-to-end pipeline to find potential violations of important safety properties. In the process, we learned that there are some interesting and open challenges for the research community, which if solved will lead towards more dependable safety-critical cyber-physical systems.

    Statistical reliability assessment of software-based systems

    ABSTRACT Plant vendors nowadays propose software-based systems even for the most critical safety functions. The reliability estimation of safety-critical software-based systems is difficult since the conventional modeling techniques do not necessarily apply to the analysis of these systems, and the quantification seems to be impossible. Due to lack of operational experience and due to the nature of software faults, the conventional reliability estimation methods cannot be applied. New methods are therefore needed for the safety assessment of software-based systems. In the research project "Programmable automation systems in nuclear power plants (OHA)", financed jointly by the Finnish Centre for Radiation and Nuclear Safety, the Ministry of Trade and Industry and the Technical Research Centre of Finland, various safety assessment methods and tools for software-based systems are developed and evaluated. This volume in the OHA report series deals with the statistical reliability assessment of software-based systems on the basis of dynamic test results and qualitative evidence from the system design process. Other reports to be published later in the OHA report series will handle the diversity requirements in safety-critical software-based systems, generation of test data from operational profiles and handling of programmable automation in plant PSA studies.
    ABSTRACT (translated from Finnish) Nuclear power plant vendors nowadays offer programmable technology even for the most safety-critical safety functions. Assessing the reliability of safety-critical programmable systems is difficult because conventional modeling methods do not necessarily suit their analysis, and the quantification of reliability is considered impossible. The lack of operational experience and the nature of software faults mean that conventional reliability assessment methods cannot be applied. New methods are therefore needed for the safety assessment of programmable systems. In the research project "Programmable automation systems in nuclear power plants (OHA)", various safety assessment methods for programmable systems are developed and evaluated. The project is funded by the Radiation and Nuclear Safety Authority (STUK), the Ministry of Trade and Industry (KTM) and the Technical Research Centre of Finland (VTT). This part of the OHA project report series deals with the statistical reliability assessment of programmable systems on the basis of the results of the system's dynamic tests and qualitative evidence describing the quality of its design process. Other reports in the series, to be published later, will deal with the diversity requirements of safety-critical programmable systems, the generation of test data from operational profiles, and the handling of programmable systems in plant PSA studies. 1st edition.

    Architecture-driven fault-based testing for software safety

    Ankara: The Department of Computer Engineering and the Graduate School of Engineering and Science of Bilkent University, 2014. Thesis (Master's), Bilkent University, 2014. Includes bibliographical references, leaves 159-166.
    A safety-critical system is defined as a system in which the malfunctioning of software could result in death, injury or damage to the environment. To mitigate these serious risks, the architecture of safety-critical systems needs to be carefully designed and analyzed. A common practice for modeling software architecture is the adoption of architectural perspectives and software architecture viewpoint approaches. Existing approaches tend to be general purpose and do not explicitly focus on the safety concern in particular. To provide complementary and dedicated support for designing safety-critical systems, we propose a safety perspective and an architecture framework approach for software safety. Once the safety-critical systems are designed, it is important to analyze them for fitness before implementation, installation and operation. Hereby, it is important to ensure that the potential faults can be identified and cost-effective solutions are provided to avoid or recover from the failures. In this context, one of the most important issues is to investigate the effectiveness of the safety tactics applied to safety-critical systems. Since safety-critical systems are complex systems, testing them is challenging and it is very hard to define proper test suites for these systems. Several fault-based software testing approaches exist that aim to analyze the quality of the test suites. Unfortunately, these approaches do not directly consider the safety concern, tend to be general purpose, and do not consider the applied safety tactics. We propose a fault-based testing approach for analyzing the test suites using the safety tactic and fault knowledge.
    Gürbüz, Havva Gülay. M.S.

    A hazard analysis via an improved timed colored petri net with time–space coupling safety constraint

    Petri nets are graphical and mathematical tools that are applicable to many systems for modeling, simulation, and analysis. With the emergence of the concept of partitioning in time and space domains proposed in the avionics application standard software interface (ARINC 653), it has become difficult to analyze time–space coupling hazards resulting from resource partitioning using classical or advanced Petri nets. In this paper, we propose a time–space coupling safety constraint and an improved timed colored Petri net with imposed time–space coupling safety constraints (TCCP-NET) to fill this requirement gap. Time–space coupling hazard analysis is conducted in three steps: specification modeling, simulation execution, and results analysis. A TCCP-NET is employed to model and analyze integrated modular avionics (IMA), a real-time, safety-critical system. The analysis results are used to verify whether there exist time–space coupling hazards at runtime. The method we propose demonstrates superior modeling of safety-critical real-time systems as it can specify resource allocations in both time and space domains. TCCP-NETs can effectively detect underlying time–space coupling hazards.

    Architecture framework for software safety

    Currently, an increasing number of systems are controlled by software and rely on the correct operation of software. In this context, a safety-critical system is defined as a system in which malfunctioning software could result in death, injury or damage to the environment. To mitigate these serious risks, the architecture of safety-critical systems needs to be carefully designed and analyzed. A common practice for modeling software architecture is the adoption of software architecture viewpoints to model the architecture for particular stakeholders and concerns. Existing architecture viewpoints tend to be general purpose and do not explicitly focus on safety concerns in particular. To provide complementary and dedicated support for designing safety-critical systems, we propose an architecture framework for software safety. The architecture framework is based on a metamodel that has been developed after a thorough domain analysis. The framework includes three coherent viewpoints, each of which addresses an important concern. The application of the viewpoints is illustrated for an industrial case of a safety-critical avionics control computer system. © Springer International Publishing Switzerland 2014

    Variability management in safety‐critical systems design and dependability analysis

    Safety-critical systems are of paramount importance for many application domains, where safety properties are a key driver to engineer critical aspects and avoid system failures. For the benefits of large-scale reuse, software product lines (SPL) have been adopted in the critical systems industry. However, the integration of safety analysis in the SPL development process is nontrivial. Also, the different usage contexts of safety-critical systems complicate component fault modeling tasks and the identification of potential hazards. In this light, better methods become necessary to estimate the impact of dependability properties during Hazard Analysis and Risk Assessment. Existing methods incorporating the analysis of safety properties in SPL are limited as they do not include hazard analysis and component fault modeling. In this paper, we present the novel DEPendable Software Product Line Engineering (DEPendable-SPLE) approach, which extends traditional SPL processes to support the reuse of safety assets. We also present a detailed analysis of the impact of product and context features on the SPL design, safety analysis, and safety requirements. We applied DEPendable-SPLE to a realistic case study from the aerospace domain to illustrate how to model and reuse safety properties. DEPendable-SPLE reduced the effort of safety analysis for certifying system variants.

    Reliability and Safety Modeling of a Digital Feed Water Control System

    Many digital instrumentation and control systems embedded in critical medical healthcare equipment, aerospace devices and the nuclear industry have obvious consequences arising from different failure modes. These failures can affect the behavior of the overall safety-critical digital system and its ability to deliver its dependability attributes if any defective area, which could be a hardware component or software code embedded inside the digital system, is not detected and repaired appropriately. The safety and reliability analysis of safety-critical systems can be accomplished with Markov modeling techniques, which can express the dynamic and regenerative behavior of the digital control system. Certain states in the system represent system failure while others represent fault-free behavior or correct operation in the presence of faults. This paper presents the development of a safety and reliability model of a digital feedwater control system using Markov chain models. All the Markov states and the transitions between these states were assumed and calculated from the control logic of the digital control system. Finally, based on the simulation results of modeling the digital feedwater control system, the system does meet its reliability requirement, with the probability of being in fully operational states being 0.99 over a 6-month period.
    Comment: 13 pages, 7 figures, conferenc