João Carlos Cunha

A study of failure models in feedback control systems

Feedback control systems have a peculiar behavior that allows them to compensate for disturbances in the controlled application. This paper investigates whether this resilience also extends to disturbances originating from faults in the controller itself. The question of what kind of failure model is more effective in this type of system is addressed, with three different models being studied: arbitrary failure, fail-silent, and fail-bounded. The study is conducted essentially by experimental fault injection in the controller of one of the best known and most demanding of the benchmarks used in the control systems area: an inverted pendulum. The considered failure models are compared according to criteria based on the quality of the control action. Other insights gained from the experiments made are described, for instance on how to significantly increase dependability at a very low cost in the feedback controllers, and on the need for a different kind of real-time scheduling algorithm.

On the use of disaster prediction for failure-tolerance in feedback control systems

Feedback control algorithms are inherently designed to compensate for external disturbances that the controlled system may suffer. This resilience is also extensible to late or wrong control actions produced by a failed controller computer, providing a degree of fault tolerance without the use of any particular mechanism. However, some controller failures, due to their duration or value, may indeed collapse the system, and thus other recovery measures must be taken. This paper proposes the inclusion of an Oracle that calculates, in a timely manner, the controlled system behavior under a failed controller, and triggers recovery when the control algorithm is predictably no more able to compensate for a particular controller failure. The systems so built follow the Fail-Bounded model. The main contribution of this paper is to show how this model can be implemented in a practical way for the very important class of applications based on feedback control, thus turning that model into a technique that can be used effectively to build production systems. The method was validated experimentally through fault injection on the controller computer of an inverted pendulum, one of the most time-demanding control system benchmarks.

A view on the past and future of fault injection

Fault injection is a well-known technology that enables assessing dependability attributes of computer systems. Many works on fault injection have been developed in the past, and fault injection has been used in different application domains. This fast abstract briefly revises previous applications of fault injection, especially for embedded systems, and puts forward ideas on its future use, both in terms of application areas and business markets.

FIRED -- Fault Injector for Reconfigurable Embedded Devices

Reconfigurable embedded devices built on SRAM-based Field Programmable Gate Arrays (FPGA) are being increasingly used in critical embedded applications. However, the susceptibility of such memory cells to Single Event Upsets (SEU) requires the use of fault tolerant designs, for which fault injection is still the most accepted verification technique. This paper describes FIRED, a fault injector targeted at SRAM-based FPGAs for dependability evaluation of critical systems. This tool is able to perform hardware fault injection in real-time, by inserting bitflips at the SRAM cells through partial dynamic reconfiguration. These faults may produce errors in the design of the VHDL or Verilog modules deployed in the FPGA. A case study of a fault injection campaign in a PID-based cruise control system is used to evaluate the capabilities of FIRED, namely its capacity of injecting faults while a physical application is being controlled.

Reset-Driven Fault Tolerance

A common approach in embedded systems to achieve fault-tolerance is to reboot the computer whenever some non-permanent error is detected. All the system code and data are recreated from scratch, and a previously established checkpoint, hopefully not corrupted, is used to restart the application data. The confidence is thus restored on the activity of the computer. The idea explored in this paper is that of unconditionally resetting the computer in each control frame (the classic read sensors → calculate control action → update actuators cycle). A stable-storage based in RAM is used to preserve the systems state between consecutive cleanups and a standard watchdog timer guarantees that a reset is forced whenever an error crashes the system. We have evaluated this approach by using fault-injection in the controller of a standard temperature control system. The experimental observations show that the Reset-Driven Fault Tolerance is a very simple yet effective technique to improve reliability at an extremely low cost since it is a conceptually simple, software only solution with the advantage of being application independent.

Towards Certification of Automotive Software

During the last decade, common automotive vehicles received an increased number of electronic components running embedded software, enabling them to become more efficient, comfortable, safer and usable, unfortunately this is also causing an increase of vehicle recalls to fix software defects. Aware of this problem, the automotive industry has been adopting software development and safety standards from other industries, as well as developing its own. However, none has been used so-far as base for certification processes, meaning that there is no obligation to have independent parties attesting that the best development, safety or architectural practices are being followed. With the publication of ISO 26262, manufacturers, suppliers and automotive organizations are finally able to agree on a common schema for the certification of automotive software. This paper describes the most relevant standards that have been used in the automotive industry, namely for software development, stressing the development and safety lifecycle. It then addresses software certification and some of the main challenges it poses to this industry.

Implementing Software Effort Estimation in a Medium-sized Company

Effort estimation in software development projects is far from being an easy task. In fact, despite the several effort estimation techniques available in the literature and the need for companies to perform such task in a daily basis, most small and medium-sized companies still suffer from the problem of incorrect estimations that often result in losing the contract bid or in failure during project execution. In this paper we present and discuss the implementation of a software effort estimation process in a medium-sized company, currently recognized as CMMI Level 5. The paper contextualizes the problem and the company, introduces the estimation techniques used, and presents some preliminary results, showing that software effort estimation can be successfully applied in medium-sized companies at low cost, allowing the reduction of project uncertainty and increasing the probability of success during bidding and execution.

A field study on root cause analysis of defects in space software

Abstract Critical systems, such as space systems, are developed under strict requirements envisaging high integrity in accordance to specific standards. For such software systems, an independent assessment is put into effect (Independent Software Verification and Validation – ISVV) after the regular development lifecycle and V&V activities, aiming at finding residual faults and raising confidence in the software. However, it has been observed that there is still a significant number of defects remaining at this stage, questioning the effectiveness of the previous engineering processes. This paper presents a root cause analysis of 1070 defects found in four space software projects during ISVV, by applying an improved Orthogonal Defect Classification (ODC) taxonomy and examining the defect types, triggers and impacts, in order to identify why they reached such a later stage in the development. The paper also puts forward proposals for modifications to both the software development (to prevent defects) and the V&V activities (to better detect defects) and an assessment methodology for future works on root cause analysis.

On Applying FMEA to SOAs: A Proposal and Open Challenges

Service Oriented Architectures (SOAs) are being increasingly used to support business-critical systems, raising natural concerns regarding dependability and security attributes. In critical applications, Verification and Validation (V&V) practices are used during system development to achieve the desired level of quality. However, most V&V techniques suit a structured and documented development lifecycle, and assume that the system does not evolve after deployment, contrarily to what happens with SOA. Runtime V&V practices represent one possible solution for this problem, but they are not possible to implement without the adjustment of traditional V&V techniques.

Evaluating Xilinx SEU Controller Macro for fault injection

This paper presents a preliminary evaluation of the SEU Controller Macro, a VHDL component developed by Xilinx for the detection and recovery of single event upsets, as a building block of an FPGA fault-injector. We found that this SEU Controller Macro is extremely effective for injecting faults into the FPGA configuration memory, as single and double bit-flips, with precise location, virtually no intrusiveness, and coarse timing accuracy. We present some clues on how to extend its functionalities to build a fully-fledge FPGA fault injector.