Methods for Modeling of Product Lines for Safety-critical Systems

Zhang, Xiaodi

January 2013

Software product line engineering is a proposed methodology that enables software products and software-intensive systems to be developed at lower cost, higher quality and less time to market. The structured and managed artifacts reuse among different products in development is the main target of software product line engineering. As a key-method of the product line engineering approach, the commonality and variability analysis is a technique that identifies the potential artifacts for reuse. But the reuse poses challenges for delivering safety-critical products from the product line and achieving product line functional safety. In order to analyze the product line and provide more valuable information for its safety analysis, we make use of established product line modeling techniques, which model the product line commonality and variability from different perspectives. In this report, we investigate the product line modeling techniques. The product modeling analysis process covers two aspects: 1. Study different product line modeling techniques and find the ones suitable for product line modeling. We choose the modeling techniques that can be implemented to discuss in detail. 2. We implement the industrial wheel loader product line with two modeling techniques. Comprehensive models and detailed modeling process explanation are presented. The product line functional safety analysis covers three aspects: 1. Investigate the different safety analysis techniques and choose the fault tree analysis as the main technique. 2. Extend the single system fault tree to the product line fault tree. 3. Investigate the contributions of the product line modeling techniques to the product line functional safety analysis. Specifically, we map the product line models to the product line fault tree. Furthermore, we evaluate the product line modeling techniques from their performance in domain analysis and safety analysis.

Product line modeling

Safety-critical system

Paving the Way for Self-driving Cars - Software Testing for Safety-critical Systems Based on Machine Learning : A Systematic Mapping Study and a Survey

gao, shenjian, Tan, Yanwen

January 2017

Context: With the development of artificial intelligence, autonomous vehicles are becoming more and more feasible and the safety of Automated Driving (AD) system should be assured. This creates a need to analyze the feasibility of verification and validation approaches when testing safety-critical system that contains machine learning (ML) elements. There are many studies published in the context of verification and validation (V&V) research area related to safety-critical components. However, there are still blind spots of research to identify which test methods can be used to test components with deep learning elements for AD system. Therefore, research should focus on researching the relation of test methods and safety-critical components, also need to find more feasible V&V testing methods for AD system with deep learning structure. Objectives: The main objectives of this thesis is to understand the challenges and solution proposals related to V&V of safety-critical systems that rely on machine learning and provide recommendations for future V&V of AD based on deep learning, both for research and practice. Methods: We performed a Systematic Literature Review (SLR) through a snowballing method, based on the guidelines from Wohlin [1], to identify research on V&V methods development for machine learning. A web-based survey was used to complement the result of literature review and evaluate the V&V challenge and methods for machine learning system. We identified 64 peer-reviewed papers and analysed the methods and challenges of V&V for testing machine learning components. We conducted an industrial survey that was answered by 63 subjects. We analyzed the survey results with the help of descriptive statistics and Chi-squared tests. Result: Through the SLR we identified two peaks for research on V&V of machine learning. Early research focused on the aerospace field and in recent years the research has been more active in other fields like automotive and robotics. 21 challenges during V&V safety-critical systems have been described and 32 solution proposals are addressing the challenges have been identified. To find the relationship between challenges and methods, a classification has been done that seven different type of challenges and five different type of solution proposals have been identified. The classification and mapping of challenges and solution methods are included in the survey questionnaire. From the survey, it was observed that some solution proposals which have attracted much research are not considered as particularly promising by practitioners. On the other hand, some new solution methods like simulated test cases are extremely promising to support V&V for safety-critical systems. Six suggestions are provided to both researchers and practitioners. Conclusion: To conclude the thesis, our study presented a classification of challenges and solution methods for V&V of safety-critical ML-based systems. We also provide a mapping for helping practitioners understand the different kinds of challenges the respective solution methods address. Based on our findings, we provide suggestions to both researchers and practitioners. Thus, through the analysis, we have given the most concern on types of challenges and solution proposals for AD systems that use deep learning, which provides certain help to design processes for V&V of safety-critical ML-based systems in the future.

Safety-critical system

Machine learning

Software testing

Software Engineering

Programvaruteknik

SYSTEMATIC LITERATURE REVIEW OF SAFETY-RELATED CHALLENGES FOR AUTONOMOUS SYSTEMS IN SAFETY-CRITICAL APPLICATIONS

Ojdanic, Milos

January 2019

An increased focus on the development of autonomous safety-critical systems requiresmore attention at ensuring safety of humans and the environment. The mainobjective of this thesis is to explore the state of the art and to identify the safetyrelatedchallenges being addressed for using autonomy in safety-critical systems. Inparticular, the thesis explores the nature of these challenges, the different autonomylevels they address and the type of safety measures as proposed solutions. Above all,we focus on the safety measures by a degree of adaptiveness, time of being activeand their ability of decision making. Collection of this information is performedby conducting a Systematic Literature Review of publications from the past 9 years.The results showed an increase in publications addressing challenges related to theuse of autonomy in safety-critical systems. We managed to identify four high-levelclasses of safety challenges. The results also indicate that the focus of research wason finding solutions for challenges related to full autonomous systems as well assolutions that are independent of the level of autonomy. Furthermore, consideringthe amount of publications, results show that non-learning solutions addressing theidentified safety challenges prevail over learning ones, active over passive solutionsand decisive over supportive solutions.

Safety challenges

autonomous systems

safety-critical system

autonomy levels

safety measures

Engineering and Technology

Teknik och teknologier

Conception d'un système de verrouillage sur de fonctionnement pour les collisionneurs linéaires / Design of a dependable Interlock System for linear colliders

Nouvel, Patrice

18 December 2013

Pour les accélérateurs de particules à hautes énergies, le système de verrouillage est une partie clé de la protection de la machine. Le verrouillage de la machine est l’inhibition du faisceau dès lors qu’un équipement critique tombe en panne et/ou qu’un faisceau est de faible qualité. Pour un système de verrouillage, sa sûreté de fonctionnement est la caractéristique la plus importante. Cette thèse présente le développement d’un système de verrouillage pour les collisionneurs linéaires avec une application au projet CLIC (Compact Linear Collider). Son élaboration s’appuie sur la norme d’ingénierie IEEE 1220 et se décline en quatre parties. Tout d’abord, les spécifications sont établies. Une attention particulière est portée sur la sûreté de fonctionnement, plus précisément, la fiabilité et la disponibilité du système. La deuxième étape est la proposition d’un design. Celui-ci est basé sur une analyse fonctionnelle, les interfaces du système et l’architecture du CLIC. Troisièmement, une étude de faisabilité est effectuée en appliquant les concepts dans un environnement opérationnel. Finalement, la dernière étape est la vérification matérielle. Le but est de prouver que le design proposé est capable de remplir le cahier des charges établi. / For high energy accelerators, the interlock system is a key part of the machine protection. The interlock principle is to inhibit the beam either on failure of critical equipment and/or on low beam quality evaluation. The dependability of such a system is the most critical parameter. This thesis presents the design of an dependable interlock system for linear collider with an application to the CLIC (Compact Linear Collider) project. This design process is based on the IEEE 1220 standard and is is divided in four steps. First,the specifications are established, with a focus on the dependability, more precisely the reliability and the availability of the system. The second step is the design proposal based on a functional analysis, the CLIC and interfaced systems architecture. Third, the feasibility study is performed, applying the concepts in an accelerator facility. Finally, the last step is the hardware verification. Its aim is to prove that the proposed design is able to reach the requirements.

Système critique

Collisionneurs linéaires

Cern

Fiabilité

Protection machine

Critical system

Linear collider

Cern

Reliability

Machine protection

A Case Study of Critical System Heuristics in a Student Project Setting

Zawahri, Lawrence

January 2022

This thesis aims to study the use of Critical System Heuristic (CSH) in the requirements engineering (RE) process of a student software project. We have studied a software project within the framework of the TDDD96 course at Linköping University. The project consisted of a group of computer science students working with a representative from a company. As part of the course, the students had done the sustainability exercise SusAF, in which they evaluated their project based on multiple sustainability metrics. We have conducted one round of interviews with the RE student, the company representative, and an expert in the area. The answers were encoded and mapped to 12 CSH questions before being presented in the Ideal map table. The results produced by CSH show the many benefits of integrating CSH into the course. We have proposed different ways of integrating CSH with the SusAF exercise. From the result, we realized the importance of consulting a third party that could provide an outside perspective on different issues. However, an essential aspect of using CSH is to consult the appropriate party. To this end, we found that CSH could be used internally to point in the right direction.

Critical System Heuristics

Critical thinking

Requirements Engineering

Sustainability awareness framework

Ethical requirements

Computer Sciences

Datavetenskap (datalogi)

Cleared for Takeoff

Berglin, Rebecka

January 2024

This thesis project, conducted in collaboration with Scandinavian Airlines (SAS), investigates how safety-critical internal systems can be designed to enhance usability and user experience through an examination of the Aerodrome Approval system at SAS. Employing a research-through-design approach and utilizing heuristic evaluations, semi-structured interviews, contextual inquiries, and a redesign process, several guidelines for improving usability and user experience have been identified. Key insights reveal that optimizing login functionalities can enhance security and role-specific access, thereby reducing errors and improving the user experience. Consistency in design elements and adherence to standards play a critical role in usability, aiding in error prevention and improving system navigation efficiency. Additionally, effective strategies for error prevention, such as contextual warnings tailored to specific conflicts, help maintain workflow efficiency and prevent user fatigue, whereas ensuring a balanced and timely presentation of information is essential to prevent information overload while still ensuring access to critical data. The project illustrates how multiple usability principles are interconnected yet sometimes conflicting and emphasizes the need to further investigate safety-critical internal systems to a broader extent to be able to identify more generalizable design guidelines in the future.

Safety Critical System

Internal System

Research Through Design

User Interface Design

Design

Design

Human Aspects of ICT

Mänsklig interaktion med IKT

Especificação e verificação formal de requisitos para sistemas de tráfego aéreo. / Formal specification and verification of requirements for air traffic systems.

Aguchiku, Fábio Seiti

03 August 2018

A evolução de sistemas de gerenciamento de tráfego aéreo é pesquisada para suportar o crescimento na demanda por transporte aéreo. Uma alternativa para essa evolução é o aumento no grau de automação. Os sistemas automatizados precisam ser tão seguros quanto os sistemas em operação atualmente. Com o uso de técnicas de especificação e verificação formal é possível avaliar os requisitos de sistemas. Neste trabalho, é proposto um ciclo de especificação formal, que consiste em um conjunto de diretrizes para aplicação de técnicas de métodos formais em requisitos escritos em linguagem natural. O resultado esperado da aplicação deste ciclo é um conjunto de requisitos escritos em linguagem natural verificados formalmente. O ciclo é composto pelas etapas: levantamento de requisitos do sistema e classificação em padrões de especificação; mapeamento dos requisitos para as linguagens de especificação formal LTL (Linear Temporal Logic) e CTL (Computation Tree Logic); verificação formal da especificação com o verificador NuSMV; ajustes na especificação baseada nos resultados da verificação; ajustes nos requisitos baseados nos ajustes na especificação. As diretrizes propostas são definidas com a análise da verificação formal do Automated Airspace Concept (AAC), padrões de especificação e diretrizes para uso do verificador NuSMV. Os resultados esperados são obtidos na aplicação do ciclo de especificação em dois estudos de caso. A principal contribuição do trabalho é o conjunto de diretrizes para elaboração de expressões escritas em linguagem de especificação formal baseadas em requisitos escritos em linguagem natural e que podem ser verificadas formalmente. / Air traffic management systems evolution is being researched to support air transportation demand growth. An evolution alternative is system automation degree increase. Automated systems need to be as safe as current operating systems. It is possible to analyze system requirements with the application of formal specification and formal verification techniques. In this work, a specification cycle is proposed. The specification cycle is a set of guidelines to use formal method techniques on requirements written in natural language. The specification cycle application expected result is a set of formally verified requirements written in natural language. This cycle is comprised of the following stages: system requirements elicitation and specification pattern classification; requirements mapping to LTL (Linear Temporal Logic) and CTL (Computation Tree Logic) formal specification languages; specification formal verification using the NuSMV verifier; formal specification adjustment based on verification results; requirements adjustment based on formal specification adjustment. The proposed guidelines are defined with the Automated Airspace Concept (AAC) formal verification analysis, specification patterns and guidelines for the NuSMV formal verifier use. The expected results are accomplished in the specification cycle application on two study cases. The main contribution of this work is the set of guidelines applied to formulate formally verifiable expressions specified in formal specification languages based on system requirements written in natural language.

Air traffic management systems

Formal methods

Lógica temporal

Métodos formais

Safety-critical system

Sistemas críticos

Temporal logic

Property driven verification framework : application to real time property for UML MARTE software design / Les outils de vérification dédiés à partir des familles de propriétés : une application aux propriétés temps réel pour les modèles UML-MARTE

Ge, Ning

13 May 2014

Les techniques formelles de la famille « vérification de modèles » (« model checking ») se heurtent au problème de l’explosion combinatoire. Ceci limite les perspectives d’exploitation dans des projets industriels. Ce problème est provoqué par la combinatoire dans la construction de l’espace des états possibles durant l’exécution des systèmes modélisés. Le nombre d’états pour des modèles de systèmes industriels réalistes dépasse régulièrement les capacités des ressources disponibles en calcul et stockage. Cette thèse défend l’idée qu’il est possible de réduire cette combinatoire en spécialisant les outils pour des familles de propriétés. Elle propose puis valide expérimentalement un ensemble de méthodes pour le développement de ce type d’outils en suivant une approche guidée par les propriétés appliquée au contexte temps réel. Il s’agit donc de construire des outils d’analyse performants pour des propriétés temps réel qui soient exploitables pour des modèles industriels de taille réaliste. Les langages considérés sont, d’une part UML étendu par le profil MARTE pour la modélisation par les utilisateurs, et d’autre part les réseaux de Petri temporisés comme support pour la vérification. Les propositions sont validées sur un cas d’étude industriel réaliste issu du monde avionique : l’étude de la latence et la fraicheur des données dans un système de gestion des alarmes exploitant les technologies d’Avionique Modulaire Intégrée. Ces propositions ont été mise en oeuvre comme une boite à outils qui intègre les cinq contributions suivantes: la définition de la sémantique d’exécution spécifiques aux propriétés temps réel pour les modèles d’architecture et de comportement spécifiés en UML/MARTE; la spécification des exigences temps réel en s’appuyant sur un ensemble de patrons de vérification atomiques dédiés aux propriété temps réel; une méthode itérative d’analyse à base d’observateurs pour des réseaux de Petri temporisés; des techniques de réduction de l’espace d’états spécifiques aux propriétés temps réel pour des Réseaux de Petri temporisés; une approche pour l’analyse des erreurs détectées par « vérification des modèles » en s’appuyant sur des idées inspirées de la « fouille de données » (« data mining »). / Automatic formal verification such as model checking faces the combinatorial explosion issue. This limits its application in indus- trial projects. This issue is caused by the explosion of the number of states during system’s execution , as it may easily exceed the amount of available computing or storage resources. This thesis designs and experiments a set of methods for the development of scalable verification based on the property-driven approach. We propose efficient approaches based on model checking to verify real-time requirements expressed in large scale UML-MARTE real-time system designs. We rely on the UML and its profile MARTE as the end-user modeling language, and on the Time Petri Net (TPN) as the verification language. The main contribution of this thesis is the design and implementation of a property-driven verification prototype toolset dedicated to real-time properties verification for UML-MARTE real-time software designs. We validate this toolset using an avionic use case and its user requirements. The whole prototype toolset includes five contributions: definition of real-time property specific execution semantics for UML-MARTE architecture and behavior models; specification of real- time requirements relying on a set of verification dedicated atomic real- time property patterns; real-time property specific observer-based model checking approach in TPN; real-time property specific state space reduction approach for TPN; and fault localization approach in model checking.

Système temps réel critique

Spécification

Vérification

Propriété temps réel

Model checking

Sémantique exécutable

Real-time critical system

Specification

Verification

Real-time property

Model checking

Executable semantics

L'expérience GUINEVERE : Détermination de la réactivité d'un réacteur sous-critique piloté par accélérateur par la méthode 'K prompt' / The GUINEVERE Experiment : Determination of the reactivity of an accelerator driven sub-critical reactor using the 'k prompt' method

Thyébault, Henry-Emmanuel

08 July 2014

En vue de permettre l'incinération des déchets nucléaires à vie longue, les réacteurs sous-critiques pilotés par accélérateur, plus communément dénommés ADS (Accelerator Driven System), sont l'une des solutions envisagées. Afin de permettre le monitorage de la puissance et donc le pilotage de tels systèmes, de multiples méthodes d'extraction de la réactivité ont été développées pendant les soixante dernières années. La méthode « kprompt », dernière en date, a démontré de multiples avantages et avait donné d'excellents résultats lors de l'expérience MUSE-4 dans le début des années 2000. Cette méthode, reposant sur la détermination de la distribution du temps de vie de fission intergénération, ne nécessite pas l'accès à la configuration critique pour la calibration (comme dans la méthode MSM) mais également l'investigation des taux de comptage sur de longs temps (comme dans la méthode des Aires). Sa robustesse, vis-à-vis de plusieurs facteurs physico-chimico-géométriques, a été éprouvée et confirmée pour le cas de l'expérience GUINEVERE. Par comparaison des résultats obtenus avec les méthodes usuelles de détermination de la réactivité, nous avons réussi à appliquer la méthode « kprompt » de façon satisfaisante aux différentes expériences dynamiques que sont les PNS et les Beam Trips. Finalement, suite à cette transposition de la méthode « kprompt » avec succès à l'expérience GUINEVERE, l'étape suivante consistera en son application au démonstrateur de puissance que sera le projet MYRRHA. / In order to allow the incineration of the long-lived nuclear wastes, the sub-critical reactors, more commonly named ADS (Accelerator Driven System), is one of the proposed solutions. To allow the monitoring of the power and therefore the control of such systems, several methods, developed during the last sixty years, give the reactivity. The last in date method, called « kprompt » method, has demonstrated many advantages and gave excellent results during the MUSE-4 experiment in the early 2000s. This method, based on the determination of the intergeneration fission lifetime distribution, does not require the access to the critical configuration for calibration (as for the MSM method) and the investigation of the counting rate on long times (as for the Area method). Its robustness, regarding several physical-chemical-geometrical factors, was tested and confirmed in the case of the GUINEVERE experience. By comparing the results obtained with the usual methods of reactivity determination, we applied adequately the « kprompt » method to the different dynamical experiments, the so-called PNS and Beam Trips. Finally, following the successfully transposition of the « kprompt » method to the GUINEVERE experience, the next step, in its application, will be to the power demonstrator MYRRHA.

Réacteur nucleaire

Systeme sous-critique

Réactivité

ADS

Réacteur rapide modéré plomb

Nuclear reactor

Sub-critical system

Reactivity

ADS

Lead-moderated fast reactor

530

Especificação e verificação formal de requisitos para sistemas de tráfego aéreo. / Formal specification and verification of requirements for air traffic systems.

Fábio Seiti Aguchiku

03 August 2018

A evolução de sistemas de gerenciamento de tráfego aéreo é pesquisada para suportar o crescimento na demanda por transporte aéreo. Uma alternativa para essa evolução é o aumento no grau de automação. Os sistemas automatizados precisam ser tão seguros quanto os sistemas em operação atualmente. Com o uso de técnicas de especificação e verificação formal é possível avaliar os requisitos de sistemas. Neste trabalho, é proposto um ciclo de especificação formal, que consiste em um conjunto de diretrizes para aplicação de técnicas de métodos formais em requisitos escritos em linguagem natural. O resultado esperado da aplicação deste ciclo é um conjunto de requisitos escritos em linguagem natural verificados formalmente. O ciclo é composto pelas etapas: levantamento de requisitos do sistema e classificação em padrões de especificação; mapeamento dos requisitos para as linguagens de especificação formal LTL (Linear Temporal Logic) e CTL (Computation Tree Logic); verificação formal da especificação com o verificador NuSMV; ajustes na especificação baseada nos resultados da verificação; ajustes nos requisitos baseados nos ajustes na especificação. As diretrizes propostas são definidas com a análise da verificação formal do Automated Airspace Concept (AAC), padrões de especificação e diretrizes para uso do verificador NuSMV. Os resultados esperados são obtidos na aplicação do ciclo de especificação em dois estudos de caso. A principal contribuição do trabalho é o conjunto de diretrizes para elaboração de expressões escritas em linguagem de especificação formal baseadas em requisitos escritos em linguagem natural e que podem ser verificadas formalmente. / Air traffic management systems evolution is being researched to support air transportation demand growth. An evolution alternative is system automation degree increase. Automated systems need to be as safe as current operating systems. It is possible to analyze system requirements with the application of formal specification and formal verification techniques. In this work, a specification cycle is proposed. The specification cycle is a set of guidelines to use formal method techniques on requirements written in natural language. The specification cycle application expected result is a set of formally verified requirements written in natural language. This cycle is comprised of the following stages: system requirements elicitation and specification pattern classification; requirements mapping to LTL (Linear Temporal Logic) and CTL (Computation Tree Logic) formal specification languages; specification formal verification using the NuSMV verifier; formal specification adjustment based on verification results; requirements adjustment based on formal specification adjustment. The proposed guidelines are defined with the Automated Airspace Concept (AAC) formal verification analysis, specification patterns and guidelines for the NuSMV formal verifier use. The expected results are accomplished in the specification cycle application on two study cases. The main contribution of this work is the set of guidelines applied to formulate formally verifiable expressions specified in formal specification languages based on system requirements written in natural language.

Lógica temporal

Métodos formais

Sistemas críticos

Air traffic management systems

Formal methods

Safety-critical system

Temporal logic