
    Dependability assessment of by-wire control systems using fault injection

    This paper is focused on the validation by means of physical fault injection at pin-level of a time-triggered communication controller: the TTP/C versions C1 and C2. The controller is a commercial off-the-shelf product used in the design of by-wire systems. Drive-by-wire and fly-by-wire active safety controls aim to prevent accidents. They are considered to be of critical importance because a serious situation may directly affect user safety. Therefore, dependability assessment is vital in their design. This work was funded by the European project 'Fault Injection for TTA' and it is divided into two parts. In the first part, there is a verification of the dependability specifications of the TTP communication protocol, based on TTA, in the presence of faults directly induced in communication lines. The second part contains a validation and improvement proposal for the architecture in case of data errors. Such errors are due to faults that occurred during writing (or reading) actions on memory or during data storage.
    Blanc Clavero, S.; Bonastre Pina, AM.; Gil, P. (2009). Dependability assessment of by-wire control systems using fault injection. Journal of Systems Architecture. 55(2):102-113. doi:10.1016/j.sysarc.2008.09.003

    Dependability Evaluation of Time Triggered Architecture Using Simulation

    The method presented in this paper uses a generic C-language written simulation model of an embedded distributed computer system aimed at a safety-critical control application. The considered system is built using Time Triggered Architecture (TTA) concepts. The aim of the presented simulation method is to evaluate the system's capability to tolerate a chosen category of faults. The model, being written in ANSI-C, is portable and machine-independent. Its structure is modular and flexible, so that the system to be studied and the experiment setting can easily be changed. The functionality of this model is demonstrated on a set of fault injection experiments aimed mainly at evaluating the correctness of the Time Triggered Protocol (TTP/C) that implements the abstract concepts of TTA. These experiments were done within the EU/IST project Fault Injection for Time triggered architecture (FIT).

    Low power architectures for streaming applications


    Design and implementation of a modular controller for robotic machines

    This research focused on the design and implementation of an Intelligent Modular Controller (IMC) architecture designed to be reconfigurable over a robust network. The design incorporates novel communication, hardware, and software architectures. This was motivated by current industrial needs for distributed control systems due to growing demand for less complexity, more processing power, flexibility, and greater fault tolerance. To this end, three main contributions were made. Most distributed control architectures depend on multi-tier heterogeneous communication networks requiring linking devices and/or complex middleware. In this study, first, a communication architecture was proposed and implemented with a homogenous network employing the ubiquitous Ethernet for both real-time and non-real-time communication. This was achieved by a producer-consumer coordination model for real-time data communication over a segmented network, and a client-server model for point-to-point transactions. The protocols deployed use a Time-Triggered (TT) approach to schedule real-time tasks on the network. Unlike other TT approaches, the scheduling mechanism does not need to be configured explicitly when controller nodes are added or removed. An implicit clock synchronization technique was also developed to complement the architecture. Second, a reconfigurable mechanism based on an auto-configuration protocol was developed. Modules on the network use this protocol to automatically detect themselves, establish communication, and negotiate for a desired configuration. Third, the research demonstrated hardware/software co-design as a contribution to the growing discipline of mechatronics. The IMC consists of a motion controller board designed and prototyped in-house, and a Java microcontroller. An IMC is mapped to each machine/robot axis, and an additional IMC can be configured to serve as a real-time coordinator. The entire architecture was implemented in Java, thus reinforcing uniformity, simplicity, modularity, and openness. Evaluation results showed the potential of the flexible controller to meet medium to high performance machining requirements.

    Vulnerability Analysis and Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Systems

    Much effort has been put into improving the predictability of real-time systems, especially in safety-critical environments, which provides designers with a rich set of methods and tools to attest safety in situations with no or a limited number of accidental faults. However, with increasing connectivity of real-time systems and a wide availability of increasingly sophisticated exploits, security and, in particular, the consequences of predictability on security become concerns of equal importance. Time-triggered scheduling with offline-constructed tables provides determinism and simplifies timing inference; at the same time, however, it creates vulnerabilities by allowing attackers to target their attacks to specific, deterministically scheduled and possibly safety-critical tasks. In this paper, we analyze the severity of these vulnerabilities by assuming successful compromise of a subset of the tasks running in a real-time system and by investigating the attack potential that attackers gain from them. Moreover, we discuss two ways to mitigate direct attacks: slot-level online randomization of schedules, and offline schedule diversification. We evaluate these mitigation strategies with a real-world case study to show their practicability for mitigating not only accidentally malicious behavior, but also malicious behavior triggered by attackers on purpose.

    Safety-Critical Communication in Avionics

    The aircraft of today use electrical fly-by-wire systems for manoeuvring. These safety-critical distributed systems are called flight control systems and put high requirements on the communication networks that interconnect the parts of the systems. Reliability, predictability, flexibility, low weight and cost are important factors that all need to be taken into consideration when designing a safety-critical communication system. In this thesis certification issues, requirements in avionics, fault management, protocols and topologies for safety-critical communication systems in avionics are discussed and investigated. The protocols that are investigated in this thesis are TTP/C, FlexRay and AFDX; MIL-STD-1553 is used as a reference protocol, and analogue point-to-point is used as the reference architecture. The protocols are described and evaluated regarding features such as services, maturity, supported physical layers and topologies. Pros and cons of each protocol are then illustrated by a theoretical implementation of a flight control system that uses each protocol for the highly critical communication between sensors, actuators and flight computers. The results show that from a theoretical point of view TTP/C could be used as a replacement for a point-to-point flight control system. However, there are a number of issues regarding the physical layer that need to be examined. Finally a TTP/C cluster has been implemented and basic functionality tests have been conducted. The plan was to perform tests on delays, start-up time and reintegration time, but the time to acquire the proper hardware for these tests exceeded the time for the thesis work. More advanced testing will be continued here at Saab beyond the time frame of this thesis.

    Rigorous code generation for distributed real-time embedded systems

    This thesis addresses the problem of generating executable code for distributed embedded systems in which computing nodes communicate using the Controller Area Network (CAN). CAN is the dominant network in automotive and factory control systems and is becoming increasingly popular in robotic, medical and avionics applications. The requirements for functional and temporal reliability in these domains are often stringent, and testing alone may not offer the required level of confidence that systems satisfy their specifications. Consequently, there has been considerable research interest in additional techniques for reasoning about the behaviour of CAN-based systems. This thesis proposes a novel approach in which system behaviour is specified in a high-level language that is syntactically similar to Esterel but which is given a formal semantics by translation to bCANDLE, an asynchronous process calculus. The work developed here shows that bCANDLE systems can be translated automatically, via a common intermediate net representation, not only into executable C code but also into timed automaton models that can be used in the formal verification of a wide range of functional and temporal properties. A rigorous argument is presented that, for any system expressed in the high-level language, its timed automaton model is a conservative approximation of the executable C code, given certain well-defined assumptions about system components. It is shown that an off-the-shelf model-checker (UPPAAL) can be used to verify system properties with a high level of confidence that those properties will be exhibited by the executable code. The approach is evaluated by applying it to four representative case studies. Our results show that, for small to medium-sized systems, the generated code is sufficiently efficient for execution on typical hardware and the generated timed automaton model is sufficiently small for analysis within reasonable time and memory constraints.

    MAC Protocols for Wake-up Radio: Principles, Modeling and Performance Analysis

    In wake-up radio (WuR) enabled wireless sensor networks (WSNs), a node triggers a data communication at any time instant by sending a wake-up call (WuC) in an on-demand manner. Such wake-up operations eliminate the idle listening and overhearing burden on energy consumption in duty-cycled WSNs. Although WuR exhibits its superiority for light traffic, it is inefficient at handling high traffic load in a network. This paper makes an effort towards improving the performance of WuR under diverse load conditions with a twofold contribution. We first propose three protocols that support variable traffic loads by enabling respectively clear channel assessment (CCA), backoff plus CCA, and adaptive WuC transmissions. These protocols provide various options for achieving reliable data transmission, low latency, and energy efficiency for ultralow power consumption applications. Then, we develop an analytical framework based on an M/G/1/2 queue to evaluate the performance of these WuR protocols. Discrete-event simulations validate the accuracy of the analytical models.
    The work of V. Pla was supported by the Spanish Ministry of Economy, Industry and Competitiveness under Grant TIN2013-47272-C2-1-R. Paper no. TII-17-2251. (Corresponding author: Frank Y. Li)
    Ghose, D.; Li, F.; Pla, V. (2018). MAC Protocols for Wake-up Radio: Principles, Modeling and Performance Analysis. IEEE Transactions on Industrial Informatics. 14(5):2294-2306. https://doi.org/10.1109/TII.2018.2805321

    Power efficient, event driven data acquisition and processing using asynchronous techniques

    PhD Thesis
    Data acquisition systems used in remote environmental monitoring equipment and biological sensor nodes rely on a limited energy supply sourced from either energy harvesters or a battery to perform their functions. Among the building blocks of these systems are power-hungry Analogue to Digital Converters and Digital Signal Processors which acquire and process samples at predetermined rates regardless of the monitored signal's behavior. In this work we investigate power-efficient event-driven data acquisition and processing techniques by implementing an asynchronous ADC and an event-driven power-gated Finite Impulse Response (FIR) filter. We present an event-driven single-slope ADC capable of generating asynchronous digital samples based on the input signal's rate of change. It utilizes a rate-of-change detection circuit known as the slope detector to determine at what point the input signal is to be sampled. After a sample has been obtained, its absolute voltage value is time-encoded and passed on to a Time to Digital Converter (TDC) as part of a pulse stream. The resulting digital samples generated by the TDC are produced at a rate that exhibits the same rate-of-change profile as that of the input signal. The ADC is realized in a 0.35 µm CMOS process, covers a silicon area of 340 µm by 218 µm and consumes power based on the input signal's frequency. The samples from the ADC are asynchronous in nature and exhibit random time periods between adjacent samples. In order to process such asynchronous samples we present a FIR filter that is able to successfully operate on the samples and produce the desired result. The filter also possesses the ability to turn itself off in between samples that have longer sample periods, in effect saving power in the process.