Joseph Sifakis

DOI: https://doi.org/10.1109/jproc.2015.2484060

IF: 20.6

2015-11-01

Proceedings of the IEEE

Abstract:Electronic design automation (EDA) has enabled the integrated circuit industry to sustain exponentially increasing product complexity growth until today, while maintaining consistent product development timeline and costs. We argue that the success of EDA-based design relies on the application of four interrelated principles: 1) separation of concerns implying a decomposition of a design flow into steps, each step dealing with specific aspects, namely user requirements, functional design, and implementation; 2) component-based design enabling the reasoned construction of complex systems as the composition of components; 3) semantic coherency meaning that descriptions used in successive design steps are semantically related through adequate semantic mappings; this implies, in particular, that the formalisms used at each design step are rooted in well-defined semantics; and 4) correctness by construction meaning that it is possible to guarantee essential properties of the designed system incrementally and compositionally along the design process. The paper discusses to what extent the EDA paradigm can be adapted to general mixed hardware/software (HW/SW) systems design through the application of these principles. It presents an overview of the problems raised by the rigorous system design of mixed HW/SW systems. Then, it presents a unified abstract framework for addressing these problems by identifying main research avenues.

engineering, electrical & electronic

D. Richard Kuhn

DOI: https://doi.org/10.1109/tr.2024.3366814

IF: 5.883

2024-03-09

IEEE Transactions on Reliability

Abstract:This article summarizes some recent novel approaches to the problem of verification, testing, and assurance of autonomous systems. These include proxy verification and combinatorial methods for input space coverage measurement, which also has applications to explainable artificial intelligence. The ideas are evolving rapidly and likely to lead to interesting advances in reliability engineering.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Chuchu Fan,Bolun Qi,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.1704.06406

2017-04-21

Systems and Control

Abstract:We present an overview of recently developed data-driven tools for safety analysis of autonomous vehicles and advanced driver assist systems. The core algorithms combine model-based, hybrid system reachability analysis with sensitivity analysis of components with unknown or inaccessible models. We illustrate the applicability of this approach with a new case study of emergency braking systems in scenarios with two or three vehicles. This problem is representative of the most common type of rear-end crashes, which is relevant for safety analysis of automatic emergency braking (AEB) and forward collision avoidance systems. We show that our verification tool can effectively prove the safety of certain scenarios (specified by several parameters like braking profiles, initial velocities, uncertainties in position and reaction times), and also compute the severity of accidents for unsafe scenarios. Through hundreds of verification experiments, we quantified the safety envelope of the system across relevant parameters. These results show that the approach is promising for design, debugging and certification. We also show how the reachability analysis can be combined with statistical information about the parameters, to assess the risk level of the control system, which in turn is essential, for example, for determining Automotive Safety Integrity Levels (ASIL) for the ISO26262 standard.

Romain Cuer,Laurent Piétrac,Eric Niel,Saidou Diallo,Nicoleta Minoiu-Enache,Christophe Dang-Van-Nhan

DOI: https://doi.org/10.1016/j.ress.2018.01.014

2018-06-01

Abstract:The autonomous vehicle is meant to drive by itself, without any driver intervention (for the levels 4 and 5 of automated driving, according to the National Highway Traffic Safety Administration(NHTSA)). This car includes a new function, called Autonomous Driving (AD) function, in charge of driving the vehicle when it is authorized. This function may be in different states (basically active or inactive), that shall be managed by a sub-function, named supervision. The main focus of this work is to ensure that the supervision of a function, performed by a safety critical embedded automotive control system (controlled systems are not considered), respects functional and safety requirements. Usually two processes are involved in the system design: the systems engineering process and the safety one. The first process defines the functional requirements on the function while the safety one specifies redundant sub-functions (realizing together the function) allowing to ensure a continuous service under failure. Since two different aspects of the system are specified, it is a major challenge to make all requirements consistent, from the outset of the design process. In this paper, a method is precisely proposed to address this issue. A progressive reinforcement of the treated requirements is achieved by means of formal state models. In fact, the proposed approach permits to build state models from requirements initially expressed in natural language. Potential ambiguities, incompletenesses or undertones in requirements are in this way gradually deleted. The enrichment of conventional formal verification of control properties with safety requirements constitutes the main originality of the deployed method and contributes to solve inconsistencies between functional and safety verification processes. In addition, the application of the method to the design of AD function supervision highlights its efficiency in an industrial context.

engineering, industrial,operations research & management science

Michael D. Wagner,P. Koopman

DOI: https://doi.org/10.1109/MITS.2016.2583491

IF: 5.293

2017-01-18

IEEE Intelligent Transportation Systems Magazine

Abstract:Ensuring the safety of fully autonomous vehicles requires a multi-disciplinary approach across all the levels of functional hierarchy, from hardware fault tolerance, to resilient machine learning, to cooperating with humans driving conventional vehicles, to validating systems for operation in highly unstructured environments, to appropriate regulatory approaches. Significant open technical challenges include validating inductive learning in the face of novel environmental inputs and achieving the very high levels of dependability required for full-scale fleet deployment. However, the biggest challenge may be in creating an end-to-end design and deployment process that integrates the safety concerns of a myriad of technical specialties into a unified approach.

Engineering,Environmental Science,Computer Science

Eun-Young Kang,Li Huang,Dongrui Mu

DOI: https://doi.org/10.48550/arXiv.1803.06075

2018-03-16

Software Engineering

Abstract:Modeling and analysis of nonfunctional requirements is crucial in automotive systems. EAST-ADL is an architectural language dedicated to safety-critical automotive system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware timed (ET) behaviors modeled in SIMULINK/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK DESIGN VERIFIER (SDV), i.e., the ET constraints are translated into proof objective models that can be verified using SDV. Furthermore, probabilistic extension of EAST-ADL constraints is defined and the semantics of the extended constraints is translated into verifiable UPPAAL models with stochastic semantics for formal verification. A set of mapping rules are proposed to facilitate the guarantee of translation. Verification & Validation are performed on the extended timing and energy constraints using SDV and UPPAAL-SMC. Our approach is demonstrated on a cooperative automotive system case study.

Sneha Sudhir Shetiya,Vikas Vyas,Shreyas Renukuntla

2024-11-20

Abstract:This paper describes how to proficiently prevent software defects in autonomous vehicles, discover and correct defects if they are encountered, and create a higher level of assurance in the software product development phase. It also describes how to ensure high assurance on software reliability.

Software Engineering,Artificial Intelligence

Christian Berger,Bernhard Rumpe

DOI: https://doi.org/10.48550/arXiv.1409.6579

2014-09-22

Abstract:A larger number of people with heterogeneous knowledge and skills running a project together needs an adaptable, target, and skill-specific engineering process. This especially holds for a project to develop a highly innovative, autonomously driving vehicle to participate in the 2007 DARPA Urban Challenge. In this contribution, we present essential elements of a software and systems engineering process to develop a so-called artificial intelligence capable of driving autonomously in complex urban situations. The process itself includes agile concepts, like a test first approach, continuous integration of all software modules, and a reliable release and configuration management assisted by software tools in integrated development environments. However, one of the most important elements for an efficient and stringent development is the ability to efficiently test the behavior of the developed system in a flexible and modular system simulation for urban situations both interactively and unattendedly. We call this the simulate first approach.

Software Engineering

Andreas Schwierz,Håkan Forsberg

DOI: https://doi.org/10.48550/arXiv.1803.09427

2018-03-26

Software Engineering

Abstract:Dealing with Commercial off-the-shelf (COTS) com- ponents is a daily business for avionic system manufacturers. They are necessary ingredients for hardware designs, but are not built in accordance with the avionics consensus standard DO- 254 for Airborne Electronic Hardware (AEH) design. Especially for complex COTS hardware components used in safety critical AEH, like Microcontroller Units (MCUs), additional assurance activities have to be performed. All of them together shall form a convincing confident, that the hardware is safe in its intended operation environment. The focus of DO-254 is one approach called Design Assurance (DA). Its aim is to reduce design errors by adherence of prescribed process objectives for the entire design life cycle. The effort for certain COTS assurance activities could be reduced if it is possible to demonstrate, that the COTS design process is based on similar effective design process guide- lines to minimize desgin errors. In the last years, semiconductor manufacturers released safety MCUs in compliance to the ISO 26262 standard, dedicated for the development of functional safe automotive systems. These products are COTS components in the sense of avionics, but they are also developed according to a process that focuses on reduction of design errors. In this paper an evaluation is performed to figure out if the ISO 26262 prescribes a similar DA approach as the DO-254, in order to reduce the COTS assurance effort for coming avionic systems.

Muzammil Shahbaz,Robert Eschbach

DOI: https://doi.org/10.1007/978-3-642-15585-7_18

2010-01-01

Abstract:Modern vehicular systems include Electronic Control Units (ECUs) equipped with software that implements vehicle functions. The composition and validation of ECUs is a complex task since they include propriety software in which functional details are often unspecified. These details also vary from one supplier to another which has a greater impact on the behavior of the entire composed system. This paper presents the application of model inference approach for automatic discovery of unspecified behaviors in an electronic door control unit supplied by our industrial partner. The final results can be used to address the problem of selecting quality components, validation and maintenance of component variants and their integration in embedded control systems.

Francisco Eiras,Morteza Lahijanian,Marta Kwiatkowska

DOI: https://doi.org/10.1109/CAVS.2019.8887768

2019-07-23

Abstract:Research into safety in autonomous and semi-autonomous vehicles has, so far, largely been focused on testing and validation through simulation. Due to the fact that failure of these autonomous systems is potentially life-endangering, formal methods arise as a complementary approach. This paper studies the application of formal methods to the verification of a human driver model built using the cognitive architecture ACT-R, and to the design of correct-by-construction Advanced Driver Assistance Systems (ADAS). The novelty lies in the integration of ACT-R in the formal analysis and an abstraction technique that enables finite representation of a large dimensional, continuous system in the form of a Markov process. The situation considered is a multi-lane highway driving scenario and the interactions that arise. The efficacy of the method is illustrated in two case studies with various driving conditions.

Robotics,Logic in Computer Science

Marius Bozga,Joseph Sifakis

2024-05-20

Abstract:Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. Currently, there is an increasing interest in hybrid design solutions, integrating machine learning components, when necessary, while using model-based components for goal management and planning. We study a method for building safe by design autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result considering that autopilots are dynamic systems receiving a small number of types of vistas as input, each vista defining a free space in its neighborhood. It is shown that safe driving for each type of vista in the corresponding free space, implies safe driving for any possible scenario under some easy-to-check conditions concerning the transition between vistas. The designed autopilot comprises distinct control policies one per type of vista, articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. The autopilots designed use for their predictions simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for hybrid solutions that incorporate mathematically elegant and robust decision methods that are safe by design.

Multiagent Systems

Mohammad Hamad,Sebastian Steinhorst

2023-12-04

Abstract:Autonomous systems are emerging in many application domains. With the recent advancements in artificial intelligence and machine learning, sensor technology, perception algorithms and robotics, scenarios previously requiring strong human involvement can be handled by autonomous systems. With the independence from human control, cybersecurity of such systems becomes even more critical as no human intervention in case of undesired behavior is possible. In this context, this paper discusses emerging security challenges in autonomous systems design which arise in many domains such as autonomous incident response, risk assessment, data availability, systems interaction, trustworthiness, updatability, access control, as well as the reliability and explainability of machine learning methods. In all these areas, this paper thoroughly discusses the state of the art, identifies emerging security challenges and proposes research directions to address these challenges for developing secure autonomous systems.

Cryptography and Security

Naveen Mohan,Martin Törngren,Viacheslav Izosimov,Viktor Kaznov,Per Roos,Johan Svahn,Joakim Gustavsson,Damir Nesic

DOI: https://doi.org/10.1109/WASA.2016.10

2019-12-04

Abstract:Fully automated vehicles will require new functionalities for perception, navigation and decision making -- an Autonomous Driving Intelligence (ADI). We consider architectural cases for such functionalities and investigate how they integrate with legacy platforms. The cases range from a robot replacing the driver -- with entire reuse of existing vehicle platforms, to a clean-slate design. Focusing on Heavy Commercial Vehicles (HCVs), we assess these cases from the perspectives of business, safety, dependability, verification, and realization. The original contributions of this paper are the classification of the architectural cases themselves and the analysis that follows. The analysis reveals that although full reuse of vehicle platforms is appealing, it will require explicitly dealing with the accidental complexity of the legacy platforms, including adding corresponding diagnostics and error handling to the ADI. The current fail-safe design of the platform will also tend to limit availability. Allowing changes to the platforms, will enable more optimized designs and fault-operational behaviour, but will require initial higher development cost and specific emphasis on partitioning and control to limit the influences of safety requirements. For all cases, the design and verification of the ADI will pose a grand challenge and relate to the evolution of the regulatory framework including safety standards.

Robotics,Systems and Control

Thomas Drage,Kai Li Lim,Joey En Hai Koh,David Gregory,Craig Brogle,Thomas Bräunl,Thomas Braunl

DOI: https://doi.org/10.1109/iv48863.2021.9575662

2021-07-11

Abstract:This paper presents an approach to specifying a modularised safety system which comprehensively addresses the safety requirements for highly autonomous (SAE Level 3+) road vehicles featuring advanced sensing and automated navigation. As these requirements are often overlooked in similar autonomous driving system proposals, we present a method of hazard and risk analysis which investigates hardware failures, environmental perception limitations, human interaction and functional requirements for artificial intelligence. We then define a system design which implements the required safeguards and examines the application on two electric autonomous vehicle testbeds: a race car and a shuttle bus. The close-coupling of a safety-oriented architecture and multi-regime Hazard and Risk Assessment process was tested to measure the system's ability to detect and react to pedestrian stimuli, resulting in accurate detections and reactions, thereby confirming its ability to design safety systems for autonomous research vehicles in a scalable and easily assured fashion.

Arthur Rodrigues,Ricardo Diniz Caldas,Genaína Nunes Rodrigues,Thomas Vogel,Patrizio Pelliccione

DOI: https://doi.org/10.1145/3194133.3194147

2018-04-03

Abstract:The assurance of real-time properties is prone to context variability. Providing such assurance at design time would require to check all the possible context and system variations or to predict which one will be actually used. Both cases are not viable in practice since there are too many possibilities to foresee. Moreover, the knowledge required to fully provide the assurance for self-adaptive systems is only available at runtime and therefore difficult to predict at early development stages. Despite all the efforts on assurances for self-adaptive systems at design or runtime, there is still a gap on verifying and validating real-time constraints accounting for context variability. To fill this gap, we propose a method to provide assurance of self-adaptive systems, at design- and runtime, with special focus on real-time constraints. We combine off-line requirements elicitation and model checking with on-line data collection and data mining to guarantee the system's goals, both functional and non-functional, with fine tuning of the adaptation policies towards the optimization of quality attributes. We experimentally evaluate our method on a simulated prototype of a Body Sensor Network system (BSN) implemented in OpenDaVINCI. The results of the validation are promising and show that our method is effective in providing evidence that support the provision of assurance.

Software Engineering

Shreyas Ramakrishna,Charles Hartsell,Abhishek Dubey,Partha Pal,Gabor Karsai

DOI: https://doi.org/10.48550/arXiv.2003.05388

2020-03-12

Abstract:Safety Case has become an integral component for safety-certification in various Cyber Physical System domains including automotive, aviation, medical devices, and military. The certification processes for these systems are stringent and require robust safety assurance arguments and substantial evidence backing. Despite the strict requirements, current practices still rely on manual methods that are brittle, do not have a systematic approach or thorough consideration of sound arguments. In addition, stringent certification requirements and ever-increasing system complexity make ad-hoc, manual assurance case generation (ACG) inefficient, time consuming, and expensive. To improve the current state of practice, we introduce a structured ACG tool which uses system design artifacts, accumulated evidence, and developer expertise to construct a safety case and evaluate it in an automated manner. We also illustrate the applicability of the ACG tool on a remote-control car testbed case study.

Robotics,Software Engineering

Juan Pimentel

2024-06-12

Abstract:Currently, a major concern is the insufficient level of safety offered by commercial automated vehicles and/or services such self-driving vehicles, self-driving trucks, and robotaxis. Unfortunately, stakeholders do not agree on definitions and characterizations of what is meant by safety of automated vehicles including how to measure it and how to design for it. This paper sheds some light into the answers to important questions about the safety of automated vehicles. In addition, we identify rigor as a significant missing requirement in the current literature, we also provide a discussion of rigor in the design, development, and commercialization of automated vehicles. Furthermore, we discuss software tool requirements at the organizational level to support a rigorous approach for the analysis, design, and commercialization of automated vehicles. An ALM tool, EwQIMS, is introduced emphasizing its rigorous features of its functional safety module that implements much of the ISO 26262 standard.

Systems and Control

Johann Knechtel,Elif Bilge Kavun,Francesco Regazzoni,Annelie Heuser,Anupam Chattopadhyay,Debdeep Mukhopadhyay,Soumyajit Dey,Yunsi Fei,Yaacov Belenky,Itamar Levi,Tim Güneysu,Patrick Schaumont,Ilia Polian

DOI: https://doi.org/10.23919/DATE48585.2020.9116483

2020-01-27

Abstract:Modern electronic systems become evermore complex, yet remain modular, with integrated circuits (ICs) acting as versatile hardware components at their heart. Electronic design automation (EDA) for ICs has focused traditionally on power, performance, and area. However, given the rise of hardware-centric security threats, we believe that EDA must also adopt related notions like secure by design and secure composition of hardware. Despite various promising studies, we argue that some aspects still require more efforts, for example: effective means for compilation of assumptions and constraints for security schemes, all the way from the system level down to the "bare metal"; modeling, evaluation, and consideration of security-relevant metrics; or automated and holistic synthesis of various countermeasures, without inducing negative cross-effects. In this paper, we first introduce hardware security for the EDA community. Next we review prior (academic) art for EDA-driven security evaluation and implementation of countermeasures. We then discuss strategies and challenges for advancing research and development toward secure composition of circuits and systems.

Cryptography and Security