Eric Verhulst

TIRAN: Flexible and Portable Fault Tolerance Solutions for Cost Effective Dependable Applications

Available solutions for fault tolerance in embedded automation are often based on strong customisation, have impacts on the whole life-cycle, and require highly specialised design teams, thus making dependable embedded systems costly and difficult to develop and maintain. The TIRAN project develops a framework which provides fault tolerance capabilities to automation systems, with the goal of allowing portable, reusable and cost-effective solutions. Application developers are allowed to select, configure and integrate in their own environment a variety of software-based functions for error detection, confinement and recovery provided by the framework.

Towards a model-based evolutionary chain of evidence for compliance with safety standards

Compliance with safety standards can greatly increase the development cost and time of critical systems. Major problems arise when evolutions to a system entail reconstruction of the body of safety evidence. When changes occur in the development or certification processes, identification of the new evidence to provide, the evidence that is no longer adequate, or the evidence that can be reused poses some challenges. Therefore, practitioners need support to identify how a chain of evidence evolves as a result of the changes. Otherwise, execution of the above activities can be very costly, and it can even result in abandonment of certification efforts. This paper outlines a solution to deal with these challenges. The solution is based on the use of model-driven engineering technology, which has already been applied for safety certification but not from an evolutionary chain of evidence-based perspective. The paper also sets the background for developing the solution, describes real situations in which the solution can help industry, and discusses possible challenges for developing it. The solution will be developed as part of OPENCOSS, a research project on cross-domain evolutionary certification.

The TIRAN approach to reusing software implemented fault tolerance

Available solutions for fault tolerance in embedded automation are often based on strong customisation, have impacts on the whole life-cycle, and require highly specialised design teams, thus making dependable embedded systems costly and difficult to develop and maintain. The TIRAN project develops a framework which provides fault tolerance capabilities to automation systems, with the goal of allowing portable, reusable and cost-effective solutions. Application developers are allowed to select, configure and integrate in their own environment a variety of software-based functions for error detection, confinement and recovery provided by the framework.

Simulation and formal modelling of yaw control in a drive-by-wire application

Cyberphysical systems, with their interdependence between physical behaviour and digital control, need insights from frequency domain control engineering, state space control engineering and discrete formal systems theory for their proper description. Neglecting any of these, results in descriptions that omit essential details. Hybrid Event-B is a formalism that enables all the relevant detail to be assimilated. A case study based on yaw control for the KURT e-vehicle is used as a testbed to explore the effective interaction between the various needed disciplines in exploring a specific design issue, the formalisation of yaw control discretization, using Hybrid Event-B.

An Industrial Case: Pitfalls and Benefits of Applying Formal Methods to the Development of a Network-Centric RTOS

This paper describes a project to develop a network-centric RTOS from scratch using formal methods. The (initial) purposes of the project was to get acquainted with the use of formal methods for software engineering and to obtain a trustworthy RTOS as a component for building networked embedded systems. The work was done by a small, distributed team that had no prior experience on using formal methods and with a small budget. The outcome is that the use of formal methods is most useful as an architectural design method, perhaps more than as a formal verification of software code. The resulting software has many properties that were not anticipated at the beginning and would likely not have been achieved without the use of Formal Methods.

ARRL: A criterion for compositional safety and systems engineering: A normative approach to specifying components

Safety engineering standards define rigorous and controllable processes for system development. Nevertheless, safety standards differences from distinct domains are non-negligible. We focus in particular on the aviation, automotive and railway standards, all related to the transportation market. We argue that the Safety Integrity Levels are not sufficient to be used as a top level requirement for developing a safety critical system. We argue that Quality of Service is a more generic criterion that takes the trustworthiness as perceived by users into deeper account. In addition safety engineering standards provide very little guidance on how to compose safe systems from components, while this is the established engineering practice. We develop a novel normative concept called Assured Reliability and Resilience Level as a criterion that takes the industrial practice into account and show how it complements the Safety Integrity Level concept. An important difference is that it requires a component to carry a contract and the supporting evidence. ARRL can make a significant contribution to foster cross-domain safety engineering.

Interacting Entities Modelling Methodology for Robust Systems Design

This paper describes the theoretical principles and the practical implementation of OpenCookbook, an environment for systems engineering. The environment guides and supports developers during requirements and specification capturing over architectural modelling and work plan development till validation and final release. It features a coherent and unified system engineering methodology based on the interacting entities paradigm. In order to implement it, a generic web portal was developed. Targeting embedded systems, it nevertheless was proven to be an effective tool for a wide range of other system domains. OpenCookbook can be tailored to the needs of a specific organisation as well as accommodate engineering standards like IEC61508.

OpenComRTOS: an ultra-small network centric embedded RTOS designed using formal modeling

OpenComRTOS is one of the few Real-Time Operating Systems (RTOS) for embedded systems that was developed using formal modeling techniques. The goal was to obtain a proven trustworthy component with a clean and high performance architecture useable on a wide range of networked embedded systems. The result is a scalable communication system with real-time capabilities. Besides a rigorous formal verification of the kernel algorithms, the resulting architecture has several properties that enhance the safety and real-time properties of the RTOS. The code size in particular is very small and typically 10 times less than a typical equivalent single processor RTOS.

Specifying a framework for evaluating requirements Engineering Technology: Challenges and lessons learned

Evaluating requirements engineering technology is a challenging activity. It becomes even more difficult when having to evaluate the technology and thus to show its suitability in real settings, as access to industrial resources might be limited and the target domain might be complex or very sensitive. This paper reports on our experience in specifying an evaluation framework for requirements engineering technology. The technology aims to improve safety assurance and certification practices, and is being developed in the scope of a large-scale European research project. We focus on presenting the challenges encountered and the lessons learned while specifying the framework. These lessons summarise how we addressed, plan to address, or propose to address the challenges. This information can be useful for other researchers and practitioners that have to evaluate requirements engineering technology in general, and with industry and for safety assurance and certification in particular.

Antifragility: systems engineering at its best

Systems engineering has emerged because of the growing complexity of systems and the growing need for systems to provide a reliable service. The latter has to be defined in a wider context of trustworthiness and covering aspects like safety, security, human–machine interface design and even privacy. What the user expects is an acceptable quality of service (QoS), a property that is difficult to measure as it is a qualitative one. In this paper, we present a novel criterion, called assured reliability and resilience level (ARRL) that defines QoS in a normative way, largely by taking into account how the system deals with faults. ARRL defines 7 levels of which the highest one can be described as the level where the system becomes antifragile.