Publication


Featured research published by Barbara J. Czerny.


SAE transactions | 2000

A System-Safety Process For By-Wire Automotive Systems

Sanket Amberkar; Joseph G. D'Ambrosio; Brian T. Murray; Joseph A. Wysocki; Barbara J. Czerny

Steer-by-wire and other “by-wire” systems (as defined in this article) offer many passive and active safety advantages. To help ensure these advantages are achieved, a comprehensive system-safety process should be followed. Here we review standard elements of system safety processes that are widely applied in several industries and describe the main elements of our proposed analysis process for by-wire systems. The process steps include: 1) creating a program plan to act as a blueprint for the process, 2) performing a variety of hazard analysis and risk assessment tasks as specified in the program plan, 3) designing and verifying a set of hazard controls that help mitigate risk, and 4) summarizing the findings. Vehicle manufacturers and suppliers need to work together to create and follow such a process. A distinguishing feature of the process is the explicit linking of hazard controls to the hazards they cover, permitting coverage-based risk assessment.


IEEE Computer | 1998

Specification and analysis of intercomponent communication

Mats Per Erik Heimdahl; Jeffrey M. Thompson; Barbara J. Czerny

The correctness, safety and robustness of the specification of a critical system are assessed through a combination of rigorous specification capture and inspection, formal analysis of the specification, and execution and simulation of the specification. Any integrated approach to specifying critical systems should support all three activities. Embedded systems pose special challenges to the specification and analysis of intercomponent communication. The authors present a formal approach which lets the interface specifications serve as kernels that enforce safety and simple liveness constraints.


SAE transactions | 2005

Survey of Software Failsafe Techniques for Safety-Critical Automotive Applications

Eldon Gerrald Leaphart; Barbara J. Czerny; Joseph G. D'Ambrosio; Christopher L. Denlinger; Deron C. Littlejohn

A requirement of many modern safety-critical automotive applications is to provide failsafe operation. Several analysis methods are available to help confirm that automotive safety-critical systems are designed properly and operate as intended to prevent potential hazards from occurring in the event of system failures. One element of safety-critical system design is to help verify that the software and microcontroller are operating correctly. The task of incorporating failsafe capability within an embedded microcontroller design may be achieved via hardware or software techniques. This paper surveys software failsafe techniques that are available for application within a microcontroller design suitable for use with safety-critical automotive systems. Safety analysis techniques are discussed in terms of how to identify adequate failsafe coverage. Software failsafe techniques are surveyed relative to their targeted failure detection, architecture dependencies, and implementation tradeoffs. Lastly, certain failsafe strategies for a Delphi Brake Controls application are presented as examples.


SAE transactions | 2001

A Comprehensive Hazard Analysis Technique for Safety-Critical Automotive Systems

Sanket Amberkar; Barbara J. Czerny; Joseph G. D'Ambrosio; Jon D. Demerly; Brian T. Murray

Hazard analysis plays an important role in the development of safety-critical systems. Hazard analysis techniques have been used in the development of automotive systems; as these systems become more sophisticated in functionality, design, and applied technology, the need for a more comprehensive hazard analysis approach has arisen. In this paper, we describe a comprehensive hazard analysis approach for system safety programs. This comprehensive approach involves applying a number of hazard analysis techniques and then integrating their results. It attempts to overcome the narrower scope of individual techniques while obtaining the benefits of all of them.


formal methods in software practice | 1998

Checking properties of safety critical specifications using efficient decision procedures

David Y. W. Park; Jens U. Skakkebæk; Mats Per Erik Heimdahl; Barbara J. Czerny; David L. Dill

The increasing use of software in safety critical systems entails increasing complexity, challenging the safety of these systems. Although formal specifications of real-life systems are orders of magnitude simpler than the system implementations, they are still quite complex. It is easy to overlook problems in a specification, ultimately compromising the safety of the implementation. Since it is error-prone and time consuming to check large specifications manually, mechanical support is needed. The challenge is to find the right combination of deductive power (i.e., how rich a logic and what theories are decided) and efficiency to complete the verification in reasonable time. In addition, it must be possible to explain why a proof fails. As an initial approach to solving this problem, we have adapted the Stanford Validity Checker (SVC), a highly efficient, general-purpose decision procedure for quantifier-free first-order logic with linear arithmetic, to check the consistency of specifications written in Requirements State Machine Language (RSML). We have concentrated on a small but complex part of version 6.04a of the specification of the (air) Traffic alert and Collision Avoidance System (TCAS II). SVC was extended to produce a counter-example in terms of the original specification. The efforts discovered an undesired inconsistency in the specification, which the maintainers of the specification independently discovered and subsequently fixed in the most recent version. The case study demonstrates the practicality of uncovering problems in real-life specifications with a modest effort, by selective application of state-of-the-art formal methods and tools. The logic of SVC was sufficiently expressive for the properties that we checked, but more work is needed to extend the class of formulae that SVC decides to cover the properties found in other parts of the TCAS II specification.


SAE transactions | 2005

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems

Barbara J. Czerny; Joseph G. D'Ambrosio; Brian T. Murray; Padma Sundaram

Execution of a software safety program is an accepted best practice to help verify that potential software hazards are identified and their associated risks are mitigated. Successful execution of a software safety program involves selecting and applying effective analysis methods and tasks that are appropriate for the specific needs of the development project and that satisfy software safety program requirements. This paper describes the effective application of a set of software safety methods and tasks that satisfy software safety program requirements for many applications. A key element of this approach is a tightly coupled fault tree analysis and failure modes and effects analysis. The approach has been successfully applied to several automotive embedded control systems with positive results.


automated software engineering | 1998

Automated integrative analysis of state-based requirements

Barbara J. Czerny; Mats Per Erik Heimdahl

Statically analyzing requirements specifications to assure that they possess desirable properties is an important activity in any rigorous software development project. The analysis is performed on an abstraction of the original requirements specification. Abstractions in the model may lead to spurious errors in the analysis output. Spurious errors are conditions that are reported as errors, but information abstracted out of the model precludes the reported conditions from being satisfied. A high ratio of spurious errors to true errors in the analysis output makes it difficult, error-prone, and time consuming to find and correct the true errors. We describe an iterative and integrative approach for analyzing state-based requirements that capitalizes on the strengths of a symbolic analysis component and a reasoning component while circumventing their weaknesses. The resulting analysis method is fast enough and automated enough to be used on a day-to-day basis by practicing engineers, and generates analysis reports with a small ratio of spurious errors to true errors.


Science of Computer Programming | 2000

On the analysis needs when verifying state-based software requirements: an experience report

Mats Per Erik Heimdahl; Barbara J. Czerny

In a previous investigation we formally defined procedures for analyzing hierarchical state-based requirements specifications for two properties: (1) completeness with respect to a set of criteria related to robustness (a response is specified for every possible input and input sequence) and (2) consistency (the specification is free from conflicting requirements and undesired nondeterminism). Informally, the analysis involves determining if large Boolean expressions are tautologies. We implemented the analysis procedures in a prototype tool and evaluated their effectiveness and efficiency on a large real-world requirements specification expressed in a hierarchical state-based language called Requirements State Machine Language. Although our initial approach was largely successful, there were some drawbacks with the original tools. In our initial implementation we abstracted all formulas to propositional logic. Unfortunately, since we are manipulating the formulas without interpreting any of the functions in the individual predicates, the abstraction can lead to large numbers of spurious (or false) error reports. To increase the accuracy of our analysis we have continually refined our tool with decision procedures and, finally, come to the conclusion that theorem proving is often needed to avoid large numbers of spurious error reports. This paper discusses the problems with spurious error reports and describes our experiences analyzing a large commercial avionics system for completeness and consistency.


SAE transactions | 2003

Identifying and Understanding Relevant System Safety Standards for use in the Automotive Industry

Barbara J. Czerny; Joseph G. D'Ambrosio; Paravila O. Jacob; Brian T. Murray

A new generation of software-controlled vehicle systems promises to help enhance vehicle safety, performance and comfort. As these new, often complex systems are added, system safety programs are followed to help eliminate potential hazards. An important part of planning for a safety program is to understand applicable standards. This paper identifies, reviews, categorizes, and summarizes the importance of several applicable standards for incorporation in a system safety program.


SAE transactions | 2004

An adaptable software safety process for automotive safety-critical systems

Barbara J. Czerny; Joseph G. D'Ambrosio; Paravila O. Jacob; Brian T. Murray; Padma Sundaram

This paper reviews existing software safety standards, guidelines, and other software safety documents within the area of automotive engineering. Common software safety elements from certain documents are identified, and an adaptable software safety process for automotive safety-critical systems is detailed that is based on these common elements. The process specifies high-level requirements and recommended practices for satisfying the requirements. The paper also describes how the proposed process may be integrated into a proposed system safety process and within an existing software development process.
