
    Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

    Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. A CPS consists of multiple coordinating and cooperating components, which are often software-intensive and interact with each other to achieve unprecedented tasks. Such highly integrated CPSs have complex interaction failures, attack surfaces, and attack vectors that we have to protect and secure against. This dissertation advances the state of the art by developing a multilevel runtime monitoring approach for safety- and security-critical CPSs, with monitors at each level of processing and integration. Given that computation and data-processing vulnerabilities may exist at multiple levels in an embedded CPS, it follows that solutions present at the levels where the faults or vulnerabilities originate are beneficial for timely detection of anomalies. Further, the increasing functional and architectural complexity of critical CPSs has significant safety and security operational implications. These challenges are leading to a need for new methods where there is a continuum between design-time assurance and runtime or operational assurance. Towards this end, this dissertation explores Model Based Engineering methods by which design assurance can be carried forward to the runtime domain, creating a shared responsibility for reducing the overall risk associated with the system in operation. Therefore, a synergistic combination of Verification & Validation at design time and runtime monitoring at multiple levels is beneficial in assuring the safety and security of critical CPS. Furthermore, we realize our multilevel runtime monitor framework on hardware using a stream-based runtime verification language

    Methodology to accelerate diagnostic coverage assessment: MADC

    Thesis (doctorate) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Engenharia Elétrica, Florianópolis, 2016.
    Today's vehicles integrate a growing number of embedded electronics, with the aim of providing a safer experience for drivers. Hence, guaranteeing physical safety is a requirement that must be observed in full throughout the development process. The ISO 26262 standard provides measures to ensure that these requirements are not neglected. Fault injection is strongly recommended when verifying the operation of the implemented safety mechanisms, as well as their coverage capability associated with the diagnosis of existing faults. Exhaustive analysis is not mandatory, but evidence that maximum effort was made to assess the diagnostic coverage must be presented, especially during the evaluation of the safety levels associated with the architecture implemented in hardware. These levels support the claims that the design meets the physical-integrity safety metrics required in automotive applications. The integrity levels range from A to D, the latter being the most rigorous. This thesis explores the state of the art in verification solutions, and its goal is to construct a methodology that accelerates the verification of the diagnostic coverage achieved. Unlike other techniques aimed at accelerating fault injection, the proposed methodology uses a hardware platform dedicated to verification, with the intent of maximizing fault-simulation performance. Many aspects of ISO 26262 are observed so that the present contribution can be appreciated in the automotive segment. Finally, an OpenRISC architecture is used to confirm the results achieved with this proposed state-of-the-art solution.
    Abstract: Modern vehicles are integrating a growing number of electronics to provide a safer experience for the driver. Therefore, safety is a non-negotiable requirement that must be considered throughout the vehicle development process. The ISO 26262 standard provides guidance to ensure that such requirements are implemented. Fault injection is highly recommended for the functional verification of safety mechanisms or to evaluate their diagnostic coverage capability. An exhaustive analysis is not required, but evidence of best effort through the diagnostic coverage assessment needs to be provided when performing quantitative evaluation of hardware architectural metrics. These metrics support that the automotive safety integrity level, ranging from A (lowest) to D (strictest), was obeyed. This thesis explores the most advanced verification solutions in order to build a methodology to accelerate the diagnostic coverage assessment. Different from similar techniques for fault injection acceleration, the proposed methodology does not require any modification of the design model to enable acceleration. Many functional safety requisites in ISO 26262 are considered, thus allowing the contribution presented to be a suitable solution for the automotive segment. An OpenRISC architecture is used to confirm the results achieved by this state-of-the-art solution

    Design of an integrated airframe/propulsion control system architecture

    The design of an integrated airframe/propulsion control system architecture is described. The design is based on a prevalidation methodology that uses both reliability and performance criteria. A detailed account is given of the testing associated with a subset of the architecture, and the report concludes with general observations on applying the methodology to the architecture

    High-speed civil transport flight- and propulsion-control technological issues

    Technology advances required in the flight and propulsion control system disciplines to develop a high-speed civil transport (HSCT) are identified. The mission and requirements of the transport and the major flight and propulsion control technology issues are discussed. Each issue is ranked and, for each issue, a plan for technology readiness is given. Certain features are unique and dominate control system design. These features include the high-temperature environment, a large flexible aircraft, a control-configured empennage, minimized control margins, and high availability and excellent maintainability. Failure to resolve most high-priority issues can prevent the transport from achieving its goals. The flow time for hardware may require stimulus, since market forces may be insufficient to ensure timely production. Flight and propulsion control technology will contribute to takeoff gross weight reduction. Similar technology advances are also necessary to ensure flight safety for the transport. The certification basis of the HSCT must be negotiated between airplane manufacturers and government regulators. Efficient, quality design of the transport will require an integrated set of design tools that support the entire engineering design team

    Review of selection criteria for sensor and actuator configurations suitable for internal combustion engines

    This literature review considers the problem of finding a suitable configuration of sensors and actuators for the control of an internal combustion engine. It looks at the methods, algorithms, processes, metrics, applications, research groups and patents relevant to this topic. Several formal metrics have been proposed, but their practical use remains limited. Maximal information criteria are theoretically optimal for selecting sensors, but hard to apply to a system as complex and nonlinear as an engine. Thus, we reviewed methods applied to neighbouring fields, including nonlinear systems and non-minimum phase systems. Furthermore, the closed-loop nature of control means that information is not the only consideration: speed, stability and robustness also have to be considered. The optimal use of sensor information also requires the use of models, observers, state estimators or virtual sensors, and practical acceptance of these remains limited. Simple control metrics such as the condition number are popular, mostly because they need fewer assumptions than closed-loop metrics, which require a full plant, disturbance and goal model. Overall, no clear consensus can be found on the choice of metrics to define optimal control configurations, with physical measures, linear algebra metrics and modern control metrics all being used. Genetic algorithms and multi-criterial optimisation were identified as the most widely used methods for optimal sensor selection, although addressing the dimensionality and complexity of formulating the problem remains a challenge. This review does present a number of different successful approaches for specific application domains, some of which may be applicable to diesel engines and other automotive applications. For a thorough treatment, nonlinear dynamics and uncertainties need to be considered together, which requires sophisticated (non-Gaussian) stochastic models to establish the value of a control architecture

    Assessment of avionics technology in European aerospace organizations

    This report provides a summary of the observations and recommendations made by a technical panel formed by the National Aeronautics and Space Administration (NASA). The panel, comprising prominent experts in the avionics field, was tasked to visit various organizations in Europe to assess the level of technology planned for use in manufactured civil avionics in the future. The primary purpose of the study was to assess avionics systems planned for implementation or already employed on civil aircraft, and to evaluate future research, development, and engineering (RD&E) programs that address avionic systems and aircraft programs. The ultimate goal is to ensure that the technology addressed by NASA programs is commensurate with the needs of the aerospace industry at an international level. The panel focused on specific technologies, including guidance and control systems, advanced cockpit displays, sensors and data networks, and fly-by-wire/fly-by-light systems. However, the discussions the panel had with the European organizations were not limited to these topics

    A method for mapping between ASMs and implementation language

    Thesis (S.M.) - Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2010. Cataloged from PDF version of thesis. Includes bibliographical references (p. 193-196).
    One of the challenges of model-based engineering is traceability: the ability to relate the set of models developed during the design stages to the implemented system. This thesis develops a language-specific method for creating bidirectional traceability, a mapping between model and implementation, suitable for tracing requirements from model through implementation and vice versa. The mapping is created as a byproduct of code generation and reverse engineering, and can be used to subsequently synchronize changes between the model and implementation. The creation of the mapping is specifically demonstrated through generating Java code from an abstract state machine (ASM) based modeling language, called the Timed Abstract State Machine (TASM) language. This code generation process involves a series of three transformations. The first transformation creates a specialised System Dependency Graph (SDG) called a TASM SDG from a TASM specification. The second uses Triple Graph Grammars to transform the TASM SDG to a Java SDG (JSDG). The applied grammars are saved as the mapping information. The third transformation procedurally generates Java code. In order to make this methodology possible, this thesis introduces the TASM SDG, as well as a novel algorithm, generally applicable to ASM languages, that explicates state transitions. The approach presented extends the bidirectional traceability capabilities inherent in the TASM language to Java. The code generation technique is demonstrated using an industrial case study from the automotive domain, an Electronic Throttle Controller (ETC).
    by David Cheng-Ping Wang. S.M.

    Fault Diagnosis and Fault Handling for Autonomous Aircraft


    AUTOMATED DIESEL ENGINE CONDITION & PERFORMANCE MONITORING & THE APPLICATION OF NEURAL NETWORKS TO FAULT DIAGNOSIS

    The overall aim of this research was to design, configure and validate a system capable of on-line performance monitoring and fault diagnosis of a diesel engine. This thesis details the development and evaluation of a comprehensive engine test facility and an automated engine performance monitoring package. Results of a diesel engine fault study, used to ascertain commonly occurring faults and their realistic severities, are discussed. The research shows how computer simulation and rig testing can be applied to validate the effects of faults on engine performance and to quantify fault severities. A substantial amount of engine test work has been conducted to investigate the effects of various faults on high-speed diesel engine performance. A detailed analysis of the engine test data has led to the development of explicit fault-symptom relationships and the identification of key sensors that may be fitted to a diesel engine for diagnostic purposes. The application of a neural network based approach to diesel engine fault diagnosis has been investigated. This work has included an assessment of neural network performance at engine torques and speeds on which it was not trained, with noisy engine data, faulty sensor data, varying fault severities, and novel faults similar to those on which the network had been trained. The work has shown that diagnosis using raw neural network outputs under operational conditions would be inadequate. To overcome these inadequacies, a new technique using an on-line diagnostic database incorporating 'weight adjusting' and 'confidence factor' algorithms has been developed and validated. The results show that a neural network combined with an on-line diagnostic database can be successfully used for practical diesel engine fault diagnosis, offering a realistic alternative to current fault diagnosis techniques.
    The Ministry Of Defenc