Issues for the automatic generation of safety critical software

Author(s):  
C. O'Halloran

Author(s):  
Andrey Morozov ◽  
Mihai A. Diaconeasa ◽  
Mikael Steurer

Abstract. Advanced classical Probabilistic Risk Assessment (PRA) effectively combines various methods for quantitative risk evaluation, such as event trees, fault trees, and Bayesian networks. PRA methods and tools provide the means for qualitative reliability evaluation (e.g., cut sets) and the computation of quantitative reliability metrics (e.g., end-state probabilities). Modern safety-critical systems from various industrial domains tend toward a high level of autonomy and demand not only reliability but also resilience, the ability to recover from degraded or failed states. The numerical resilience analysis of such dynamic systems requires more flexible methods. These methods must enable the analysis of systems with sophisticated software parts and dynamic feedback loops. A suitable candidate is the Dual-graph Error Propagation Model (DEPM), which can capture nontrivial failure scenarios and dynamic fault-tolerance mechanisms. The DEPM exploits a method for the automatic generation of Markov chain models and the application of probabilistic model checking techniques. Moreover, the DEPM enables the analysis of highly customizable system resilience metrics, e.g., "the probability of system recovery to a particular state after a specified system failure during a defined time interval." In this paper, we show how DEPM-based resilience analysis can be integrated with the general PRA methodology for resilience evaluations. The proposed methodology is demonstrated on a safety-critical autonomous UAV system.


10.29007/zbb8 ◽  
2018 ◽  
Author(s):  
Emanuele Di Rosa ◽  
Enrico Giunchiglia ◽  
Massimo Narizzano ◽  
Gabriele Palma ◽  
Alessandra Puddu

Software testing is the most widely used technique for software verification in industry. In the case of safety-critical software, the test set can be required to cover a high percentage (up to 100%) of the software code according to some metric. Unfortunately, attaining such high percentages is not easy using standard automatic tools for test generation, and manual generation by domain experts is often necessary, thereby significantly increasing the associated costs.

In previous papers, we have shown how it is possible to automate the test generation process of C programs via the bounded model checker CBMC. In particular, we have shown how it is possible to productively use CBMC for the automatic generation of test sets covering 100% of the branches of 5 modules of ERTMS/ETCS, a safety-critical industrial software by Ansaldo STS. Unfortunately, the test set we automatically generated is of lower "quality" compared to the test set manually generated by domain experts: both test sets attained the desired 100% branch coverage, but the sizes of the automatically generated test sets are roughly twice the sizes of the corresponding manually generated ones. Indeed, the automatically generated test sets contain redundant tests, i.e. tests that do not contribute to reaching the desired 100% branch coverage. These redundant tests are useless from the perspective of branch coverage, are not easy to detect and then eliminate a posteriori, and, if maintained, imply additional costs during the verification process.

In this paper we present a new methodology for the automatic generation of "high quality" test sets guaranteeing full branch coverage. Given an initially empty test set T, the basic idea is to extend T with a test covering as many as possible of the branches not yet covered by T. This requires an analysis of the control flow graph of the program in order to first identify a path p with the desired property, and then the run of a tool (CBMC in our case) able to return either a test causing the execution of p or a proof that no such test exists (under the given assumptions). We have evaluated the methodology on 31 modules of the Ansaldo STS ERTMS/ETCS software, thus greatly extending the benchmarking set. For 27 of the 31 modules we succeeded in our goal of automatically generating "high quality" test sets attaining full branch coverage: all the feasible branches are executed by at least one test, and the sizes of our test sets are significantly smaller than the sizes of the test sets manually generated by domain experts (and thus also significantly smaller than the test sets automatically generated with our previous methodology). However, for 4 modules we have been unable to automatically generate test sets attaining full branch coverage: these modules contain complex functions beyond CBMC's capacity.

Our analysis on 31 modules greatly extends our previous analysis based on 5 modules, confirming that automatic test generation tools based on CBMC can be productively used in industry for attaining full branch coverage. Further, the methodology presented in this paper leads to a further increase in productivity by substantially reducing the number of generated tests and thus the costs of the testing phase.


Author(s):  
N. M. Figueira ◽  
I. L. Freire ◽  
O. Trindade ◽  
E. Simões

This paper presents a new concept of UAV mission design in geomatics, applied to the generation of thematic maps for a multitude of civilian and military applications. We discuss the architecture of Mission-Oriented Sensors Arrays (MOSA), proposed in Figueira et al. (2013), aimed at splitting and decoupling the mission-oriented part of the system (non-safety-critical hardware and software) from the aircraft control systems (safety-critical). As a case study, we present an environmental monitoring application for the automatic generation of thematic maps to track gunshot activity in conservation areas. The MOSA modeled for this application integrates information from a thermal camera and an on-the-ground microphone array. The use of microphone array technology is of particular interest in this paper. These arrays allow estimation of the direction of arrival (DOA) of the incoming sound waves. Information about events of interest is obtained by fusing the data provided by the microphone array and captured by the UAV with information from the thermal image processing. Preliminary results show the feasibility of the on-the-ground sound processing array and the simulation of the main processing module, to be embedded into a UAV in future work. The main contributions of this paper are the proposed MOSA system, including its concepts, models and architecture.


Author(s):  
Luisa Lugli ◽  
Stefania D’Ascenzo ◽  
Roberto Nicoletti ◽  
Carlo Umiltà

Abstract. The Simon effect relies on the automatic generation of a stimulus spatial code which, however, is not relevant for performing the task. Results typically show faster performance when stimulus and response locations correspond than when they do not. Considering reaction time distributions, two types of Simon effect have been identified, which are thought to depend on different mechanisms: visuomotor activation versus cognitive translation of spatial codes. The present study aimed to investigate whether the presence of a distractor, which affects the allocation of attentional resources and, thus, the time needed to generate the spatial code, changes the nature of the Simon effect. In four experiments, we manipulated the presence and the characteristics of the distractor. Findings extend previous evidence regarding the distinction between visuomotor activation and cognitive translation of spatial stimulus codes in a Simon task. They are discussed with reference to the attentional model of the Simon effect.

