Thomas E. Fuhrman
General Motors
Publication
Featured research published by Thomas E. Fuhrman.
dependable systems and networks | 2010
Patrick E. Lanigan; Priya Narasimhan; Thomas E. Fuhrman
Standardized software architectures, such as AUTomotive Open System ARchitecture (AUTOSAR), are being pursued within the automotive industry in order to reduce the cost of developing new vehicle features. Many of these features will need to be highly dependable. Fault injection plays an important role during the dependability analysis of such software. This work evaluates the feasibility of leveraging the CANoe simulation environment to develop software-based methods for injecting faults into AUTOSAR applications. We describe a proof-of-concept fault-injection framework with example fault-injection scenarios, as well as implementation issues faced and addressed, lessons learned, and the suitability of using CANoe as a fault-injection environment.
design automation conference | 1991
Thomas E. Fuhrman
University research in high level synthesis has resulted in a number of prototype tools which have the potential to dramatically reduce the design time for digital integrated circuits and systems. So far, however, these tools have been largely untested on industrial designs. This paper describes an industrial project in high level synthesis in which a university tool is enhanced to make it suitable for production designs. Flexibility in data-vs.-control tradeoffs, control over timing of I/O operations, and new interfaces to commercial logic synthesis and datapath compiler tools are added. The resulting system is then used to design three chips in parallel with production design teams. The synthesized chips are found to simulate correctly and to have reasonable densities.
dependable systems and networks | 2014
Aaron Kane; Thomas E. Fuhrman; Philip Koopman
Testing Cyber-Physical Systems is becoming increasingly challenging as they incorporate advanced autonomy features. We investigate using an external runtime monitor as a partial test oracle to detect violations of critical system behavioral requirements on an automotive development platform. Despite limited source code access and using only existing network messages, we were able to monitor a hardware-in-the-loop vehicle simulator and analyze prototype vehicle log data to detect violations of high-level critical properties. Interface robustness testing was useful to further exercise the monitors. Beyond demonstrating feasibility, the experience emphasized a number of remaining research challenges, including: approximating system intent based on limited system state observability, how to best balance the simplicity and expressiveness of the specification language used to define monitored properties, how to warm up monitoring of system variable state after mode change discontinuities, and managing the differences between simulation and real vehicles when conducting such tests.
european dependable computing conference | 2015
Thorsten Piper; Stefan Winter; Neeraj Suri; Thomas E. Fuhrman
The automotive safety standard ISO 26262 strongly recommends the use of fault injection (FI) for the assessment of safety mechanisms that typically span composite dependability and real-time operations. However, with the standard providing very limited guidance on the actual design, implementation and execution of FI experiments, most AUTOSAR FI approaches use standard fault models (e.g., bit flips and data type based corruptions), and focus on using simulation environments. Unfortunately, the representation of timing faults using standard fault models, and the representation of real-time properties in simulation environments are hard, rendering both inadequate for the comprehensive assessment of AUTOSAR's safety mechanisms. The actual development of ISO 26262 advocated FI is further hampered by the lack of representative software fault models and the lack of an openly accessible AUTOSAR FI framework. We address these gaps by (a) adapting the open source FI framework GRINDER to AUTOSAR and (b) showing how to effectively apply it for the assessment of AUTOSAR's safety mechanisms.
high assurance systems engineering | 2012
Utsav Drolia; Soila Kavulya; Kunal Mankodiya; Priya Narasimhan; Thomas E. Fuhrman
Modern vehicles with semi-autonomous (driver-assistance systems) and autonomous capabilities require sophisticated on-board and off-board diagnostics for safe operation, and to reduce unnecessary component replacements at the service garage. We present a diagnostic approach that strategically fuses different sources of instrumentation available in a time-triggered automotive network (FlexRay) for vehicle control, and learns patterns or signatures of different faults. These patterns ease the classification of faults during runtime or in the service garage. We evaluate our approach through fault-injection experiments on an automotive test bench, and demonstrate that by fusing different sources of instrumentation we can diagnose protocol-level and physical faults with over 98% accuracy. We also show that our approach is applicable across different network topologies.
formal aspects of component software | 2016
Boris Madzar; Jalil Boudjadar; Juergen Dingel; Thomas E. Fuhrman; S. Ramesh
The need to integrate large and complex functions into today’s vehicle electronic control systems requires high performance computing platforms, while at the same time the manufacturers try to reduce cost, power consumption and ensure safety. Traditionally, safety isolation and fault containment of software tasks have been achieved by either physically or temporally segregating them. This approach is reliable but inefficient in terms of processor utilization. Dynamic approaches that achieve better utilization without sacrificing safety isolation and fault containment appear to be of increasing interest. One of these approaches relies on predictable data flow introduced in PharOS and Giotto. In this paper, we extend the work on leveraging predictable data flow by addressing the problem of how the predictability of data flow can be proved formally for mixed criticality systems that run on multicore platforms and are subject to failures. We consider dynamic tasks where the timing attributes vary from one period to another. Our setting also allows for sporadic deadline overruns and accounts for criticality during fault handling. A user interface was created to allow automatic generation of the models as well as visualization of the analysis results, whereas predictability is verified using the Spin model checker.
Archive | 2004
Sanjeev M. Naik; Pradyumna K. Mishra; Thomas E. Fuhrman; Mark N. Howell; Rami I. Debouk; Mutasim A. Salman
SAE 2003 World Congress & Exhibition | 2003
Rami I. Debouk; Thomas E. Fuhrman; Joseph A. Wysocki
SAE International Journal of Passenger Cars - Electronic and Electrical Systems | 2015
Thomas E. Fuhrman; Shige Wang; Marek Jersak; Kai Richter
Archive | 2013
Rami I. Debouk; Thomas E. Fuhrman; Stephen M. Baker; Kevin M. O'Dea; Jeffrey Joyce