16 research outputs found

    Trustworthy Autonomous Vehicles: Let us Learn from Live

    Identifying a general understanding of Trust in Systems Engineering through an interdisciplinary approach. The application domain is autonomous vehicles.

    Contract-Based Specification of Mode-Dependent Timing Behavior

    The design of safety-critical systems calls for rigorous application of specification and verification methods. In this context, a comprehensive consideration of safety aspects, which inevitably include timing properties, requires explicit addressing of operating modes and their transitions in the system model as well as in the respective specifications. As a side effect, this helps to reduce verification complexity. This paper presents an extension of a framework for the specification of timing properties following the contract-based design paradigm. It provides enhancements of the underlying specification language that enable specifying modes, mode transitions, and mode-dependent behavior. A formal semantics is given in order to enable reasoning about such specifications as well as about contract operations like refinement and composition, and thus to make statements about mode composition. The results are discussed using a real-world example.

    Towards a Congruent Interpretation of Traffic Rules for Automated Driving - Experiences and Challenges

    The homologation of automated driving systems for public roads requires a rigorous safety case. Regulations of the United Nations demand a demonstration that the developed system complies with local traffic rules. Hence, evidence for this has to be delivered by means of formal proofs, online monitoring, and other verification techniques in the safety case. In order for such methods to be applicable, traffic rules have to be made machine-interpretable. However, that pursuit is highly challenging. This work reports on our practical experiences regarding the formalization of a non-trivial part of the German road traffic act. We identify a central issue when formalizing traffic rules within a development process, coined the congruence problem, which is concerned with the semantic equality of the legal and the system interpretation of traffic rules. As our main contribution, we delineate potential challenges arising from the congruence problem that impede a congruent yet formal interpretation of traffic rules. Finally, we aim to initiate discussions by highlighting steps to partially address these challenges.

    Evaluating the Impact of Integrating a Security Module on the Real-Time Properties of a System

    Part 8: Real-Time Aspects in Distributed Systems
    With a rise in the deployment of electronics in today's systems, especially in automobiles, the task of securing them against various attacks has become a major challenge. In particular, the most vulnerable points are: (i) the communication paths between the Electronic Control Units (ECUs) and between sensors & actuators and the ECU, and (ii) remote software updates between the manufacturer and the in-field system. However, when including additional mechanisms to secure such systems, especially real-time systems, there will be a major impact on the real-time properties and on the overall performance of the system. Therefore, the goal of this work is to deploy a minimal security module in a target real-time system and to analyze its impact on the aforementioned properties of the system, while achieving the goals of secure communication and authentic system updates. From this analysis, it has been observed that, with the integration of such a security module into the ECU, the response time of the system is strictly dependent on the communication interface used between the ECU processor and the security module. The analysis is performed with the security module operating at different frequencies and communicating over two different interfaces, i.e., the Low-Pin-Count (LPC) bus and Memory-Mapped I/O (MMIO).

    Efficient model-checking for real-time task networks


    Safe Modular Online Updates and Upgrades for Mixed-Criticality Systems

    Safety-critical systems face an increase in critical software functions that require high-performance hardware platforms. This situation fosters - also in the automotive domain - an ongoing trend away from many small towards few but powerful processing elements. It inevitably comes with a concentration of the deployed functionality, which imposes challenges on the system design. A major issue in designing safety-critical systems is to ensure segregation and isolation of the individual system functions of mixed criticalities (w.r.t. different Design Assurance Levels (DAL) or Safety Integrity Levels (SIL)), which becomes more costly and harder to achieve the more functionality is executed on the same platform. At the same time, Over-The-Air Software Updates (OTASU) become necessary for modern embedded systems, as updates and feature enhancements, safety and security fixes, or adaptations to other components become inevitable during their lifetime. Ensuring compliance with safety regulations thus requires an ever-increasing effort, up to the point where it is economically not feasible anymore. The talk gives an overview of a domain-independent software paradigm for the development and integration of software applications on mixed-critical cyber-physical systems along the product lifecycle, which enables modular certification and supports secure OTASU. This paradigm is implemented and demonstrated through a new proof-of-concept software architecture and development process that enables remote deployment of updated as well as new applications on heterogeneous computing platforms. In addition, we provide a strategy for future certification of the approach with respect to safety (e.g., IEC 61508, ISO 26262) and security (IEC 62443, ISO 21434) through specific concepts that build on composability, modularity, and observability as key properties to enable dynamic validation of safety and security properties after deployment in the operational environment.

    Contract-Based Compositional Scheduling Analysis for Evolving Systems

    Part 6: Real-Time Systems
    The objective of this work is the analysis and verification of distributed real-time systems. Such systems have to work in a timely manner in order to deliver the desired services. We consider a system architecture with multiple computation resources. The aim is to work out a compositional state-based analysis technique to determine exact response times and to validate end-to-end deadlines. Further, we consider such systems in a larger context, where a set of systems works in a collaborative and distributed fashion. A major aspect of such collaborative systems is their dynamic evolution: new systems can participate, existing systems may leave because of failures, or properties may change. We use contracts to encapsulate systems which work in a collaborative manner. These contracts define sound timing bounds on services offered to the environment. When some systems evolve, only those parts which changed need to be re-validated.

    Contracts for Schedulability Analysis

    In this paper we propose a framework of Assume / Guarantee contracts for schedulability analysis. Unlike previous work addressing compositional scheduling analysis, our objective is to provide support for the OEM / supplier subcontracting relation. The adaptation of Assume / Guarantee contracts to schedulability analysis requires some care, due to the handling of conflicts caused by shared resources. We illustrate our framework in the context of the Autosar methodology, now popular in the automotive industry sector.

    Providing Evidence for Correct and Timely Functioning of Software Safety Mechanisms

    In many application domains, the development of safety-critical systems must follow standards that define process steps and artifacts to establish a comprehensive safety argumentation. Commonly, this involves the identification of hazards and risks as well as the formulation of a safety concept to mitigate these risks. The concept is decomposed into safety requirements, which are finally implemented in hardware and software. All steps must be covered by analyses to ensure that the concept is effective and correctly implemented. This work focuses on timing aspects of the safety concept, i.e., on how it can be ensured that risk mitigation occurs in time. Based on an industrial use case, we show how consistent timing specifications can be derived, decomposed, and implemented in a complete and sound way. The approach extends previous work on contract-based design and investigates how failure modes and fault detection can be made explicit in contract specifications. Finally, we show how model checking can support the verification of safety concepts and their implementation.