OnTrack: Reflecting on domain specific formal methods for railway designs
OnTrack is a tool that supports workflows for railway verification and has been implemented using model-driven engineering frameworks. Starting with graphical scheme plans and finishing with automatically generated formal models set up for verification, OnTrack allows railway engineers to interact with verification procedures by encapsulating formal methods. OnTrack is grounded on a domain-specific language (DSL) capturing scheme plans and supports generation of various formal models using model transformations. In this paper, we detail the role model-driven engineering takes within OnTrack and reflect on the use of model-driven engineering concepts for developing domain-specific formal methods toolsets.
Probabilistic Risk Assessment of an Obstacle Detection System for GoA 4 Freight Trains
In this paper, a quantitative risk assessment approach is discussed for the design of an obstacle detection function for low-speed freight trains with grade of automation (GoA) 4. In this 5-step approach, starting with single detection channels and ending with a three-out-of-three (3oo3) model constructed of three independent dual-channel modules and a voter, a probabilistic assessment is exemplified, using a combination of statistical methods and parametric stochastic model checking. It is illustrated that, under certain not unreasonable assumptions, the resulting hazard rate becomes acceptable for specific application settings. The statistical approach for assessing the residual risk of misclassifications in convolutional neural networks and conventional image processing software suggests that high confidence can be placed in the safety-critical obstacle detection function, even though its implementation involves realistic machine learning uncertainties.
Complete Agent-driven Model-based System Testing for Autonomous Systems
In this position paper, a novel approach to testing complex autonomous transportation systems (ATS) in the automotive, avionic, and railway domains is described. It is intended to mitigate some of the most critical problems regarding verification and validation (V&V) effort for ATS. V&V is known to become infeasible for complex ATS when using conventional methods only. The approach advocated here uses complete testing methods on the module level, because these establish formal proofs for the logical correctness of the software. Having established logical correctness, system-level tests are performed in simulated cloud environments and on the target system. To give evidence that 'sufficiently many' system tests have been performed with the target system, a formally justified coverage criterion is introduced. To optimise the execution of very large system test suites, we advocate an online testing approach where multiple tests are executed in parallel, and test steps are identified on-the-fly. The coordination and optimisation of these executions is achieved by an agent-based approach. Each aspect of the testing approach advocated here is shown to either be consistent with existing standards for development and V&V of safety-critical transportation systems, or it is justified why it should become acceptable in future revisions of the applicable standards.
Comment: In Proceedings FMAS 2021, arXiv:2110.1152
Development of a Formal Verification Methodology for B Specifications using PERF formal toolkit. Application to safety requirements of railway systems.
The design of complex systems involves several design models supporting different analysis techniques for validation and verification purposes. These activities lead to the definition of heterogeneous modelling languages and analysis techniques. In this setting, meeting certification standards becomes a key issue in system engineering. Reducing heterogeneity due to the presence of different modelling languages can be addressed by providing an integrated framework in which the involved modelling languages and techniques are formalised. In such a framework, checking the fulfilment of global requirements on heterogeneous models of a complex critical system becomes possible in many cases. The work presented in this thesis addresses the problem of integrated verification of system design models in the context of transportation systems, in particular railway systems. It has been achieved in the context of the B-PERFect project of RATP (Parisian Public Transport Operator and Maintainer), aiming at applying formal verification using the PERF approach on the integrated safety-critical models of embedded software related to the railway domain, expressed in a single unifying modelling language: High Level Language (HLL). We also discuss integrated verification at the system level. The proposed method for verification of safety-critical software is a bottom-up approach, starting from the source code and going up to the high-level specification. This work addresses the particular case of the B method. It presents a certified translation of B formal models to HLL models. The proposed approach uses Isabelle/HOL as a unified logical framework to describe the formal semantics and to formalise the transformation relation between both modelling languages. The developed Isabelle/HOL models are proved in order to guarantee the correctness of our translation process. Moreover, we have also used a weak bisimulation relation to check semantic preservation after transformations.
In this thesis, we also present the implementation of the defined syntactic transformation rules as the B2HLL tool. Moreover, we show the model animation process we set up to validate the B2HLL translator tool with respect to the formalised transformation rules we defined in Isabelle/HOL. This approach helps us to validate definitions, lemmas and theorems of our formalised specifications. We have used the B2HLL tool to translate multiple B models, and we also show that when models are translated into this unified modelling language, HLL, it becomes possible to handle verification of properties expressed across different models.
A Stochastic Approach to Classification Error Estimates in Convolutional Neural Networks
This technical report presents research results achieved in the field of verification of trained Convolutional Neural Networks (CNNs) used for image classification in safety-critical applications. As a running example, we use the obstacle detection function needed in future autonomous freight trains with Grade of Automation (GoA) 4. It is shown that systems like GoA 4 freight trains are indeed certifiable today with new standards like ANSI/UL 4600 and ISO 21448 used in addition to the long-existing standards EN 50128 and EN 50129. Moreover, we present a quantitative analysis of the system-level hazard rate to be expected from an obstacle detection function. It is shown that using sensor/perceptor fusion, the fused detection system can meet the tolerable hazard rate deemed to be acceptable for the safety integrity level to be applied (SIL-3). A mathematical analysis of CNN models is performed which results in the identification of classification clusters and equivalence classes partitioning the image input space of the CNN. These clusters and classes are used to introduce a novel statistical testing method for determining the residual error probability of a trained CNN and an associated upper confidence limit. We argue that this grey-box approach to CNN verification, taking into account the CNN model's internal structure, is essential for justifying that the statistical tests have covered the trained CNN, with its neurons and inter-layer mappings, in a comprehensive way.
Complete Model-Based Testing Applied to the Railway Domain
Testing is the most important verification technique to assert the correctness of an embedded system. Model-based testing (MBT) is a popular approach that generates test cases from models automatically. For the verification of safety-critical systems, complete MBT strategies are most promising. Complete testing strategies can guarantee that all errors of a certain kind are revealed by the generated test suite, given that the system under test fulfils several hypotheses. This work presents a complete testing strategy which is based on equivalence class abstraction. Using this approach, reactive systems with a potentially infinite input domain but finitely many internal states can be abstracted to finite-state machines. This allows for the generation of finite test suites providing completeness. However, for a system under test, it is hard to prove the validity of the hypotheses which justify the completeness of the applied testing strategy. Therefore, we experimentally evaluate the fault-detection capabilities of our equivalence class testing strategy in this work. We use a novel mutation-analysis strategy which introduces artificial errors into a SystemC model to mimic typical HW/SW integration errors. We provide experimental results that show the adequacy of our approach considering case studies from the railway domain (i.e., a speed-monitoring function and an interlocking-system controller) and from the automotive domain (i.e., an airbag controller). Furthermore, we present extensions to the equivalence class testing strategy. We show that a combination with randomisation and boundary-value selection is able to significantly increase the probability of detecting HW/SW integration errors.
Safety and Reliability - Safe Societies in a Changing World
The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
- foundations of risk and reliability assessment and management
- mathematical methods in reliability and safety
- risk assessment
- risk management
- system reliability
- uncertainty analysis
- digitalization and big data
- prognostics and system health management
- occupational safety
- accident and incident modeling
- maintenance modeling and applications
- simulation for safety and reliability analysis
- dynamic risk and barrier management
- organizational factors and safety culture
- human factors and human reliability
- resilience engineering
- structural reliability
- natural hazards
- security
- economic analysis in risk management