Thursday 2 June
Th.1.A.1 10:00
A testing approach for safety-critical Machine Learning systems
In order to be used in critical systems, any software or hardware component must come with strong evidence that the designer's intents have been correctly captured and implemented. This activity is already complex and expensive for classical systems despite a very large corpus of verification methods and tools. It is even more complicated for systems embedding Machine Learning (ML) algorithms, due to the very nature of the functions being implemented using ML and the very nature of the ML algorithms. This paper focuses on one specific verification technique, testing, for which we propose a four-pronged approach combining performance testing, robustness testing, worst-case testing, and bias testing.
Th.1.A.2 10:30
Can we reconcile safety objectives with machine learning performances?
The strong demand for more automated transport systems with enhanced safety, in conjunction with the explosion of technologies and products implementing machine learning (ML) techniques, has led to a fundamental questioning of the trust placed in machine learning. In particular, do state-of-the-art ML models allow us to reach such safety objectives? We explore this question through two practical examples from the railway and automotive industries, showing that ML performance is currently far from that required by safety objectives. We then describe and question several techniques aimed at reducing the error rate of ML components: model diversification, monitoring, classification with a reject option, conformal prediction, and temporal redundancy. Taking inspiration from a historical example, we finally discuss when and how new ML-based technologies could be introduced.
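Two of the error-reduction techniques named above, classification with a reject option and conformal prediction, are easy to combine and worth seeing on concrete numbers. The following is an added illustration, not code or data from the paper: it implements split conformal prediction (calibrate a nonconformity threshold on held-out data, then emit a prediction set) and rejects any input whose set does not contain exactly one class, so that the accepted decisions carry a calibrated confidence while ambiguous inputs are handed to a fallback. The obstacle classes, calibration outputs and test outputs are constructed for the example; the classifier itself is assumed to exist and is represented only by its output probabilities.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

# A classifier output: class name -> probability (softmax-style). The model
# itself is assumed; only its outputs appear here.
Probs = Dict[str, float]
Example = Tuple[Probs, str]  # (classifier output, true label)

# Constructed calibration set for a hypothetical three-class obstacle
# classifier. These values are invented for the example.
CAL_DATA: List[Example] = [
    ({"car": 0.95, "ped": 0.03, "none": 0.02}, "car"),
    ({"car": 0.05, "ped": 0.90, "none": 0.05}, "ped"),
    ({"car": 0.10, "ped": 0.05, "none": 0.85}, "none"),
    ({"car": 0.80, "ped": 0.15, "none": 0.05}, "car"),
    ({"car": 0.05, "ped": 0.90, "none": 0.05}, "ped"),
    ({"car": 0.20, "ped": 0.10, "none": 0.70}, "none"),
    ({"car": 0.60, "ped": 0.30, "none": 0.10}, "car"),
    ({"car": 0.40, "ped": 0.50, "none": 0.10}, "ped"),
    ({"car": 0.30, "ped": 0.40, "none": 0.30}, "car"),
]

# Constructed test inputs covering the cases a reject option must handle.
TEST_DATA: List[Example] = [
    ({"car": 0.90, "ped": 0.07, "none": 0.03}, "car"),   # confident and right
    ({"car": 0.55, "ped": 0.40, "none": 0.05}, "ped"),   # confident and wrong
    ({"car": 0.50, "ped": 0.50, "none": 0.00}, "car"),   # ambiguous: two classes in set
    ({"car": 0.40, "ped": 0.35, "none": 0.25}, "none"),  # low confidence: empty set
    ({"car": 0.05, "ped": 0.90, "none": 0.05}, "ped"),   # confident and right
]


def nonconformity(probs: Probs, label: str) -> float:
    """High when the model assigned little probability to the given label."""
    return 1.0 - probs[label]


def calibrate(cal: Sequence[Example], alpha: float) -> float:
    """Split conformal threshold: the ceil((n+1)(1-alpha))-th smallest
    calibration score. Sets built with it contain the true label with
    probability at least 1-alpha on exchangeable data."""
    n = len(cal)
    scores = sorted(nonconformity(p, y) for p, y in cal)
    k = math.ceil((n + 1) * (1.0 - alpha))
    # With too few calibration points no finite threshold gives the guarantee;
    # fall back to accepting every class (i.e. always reject downstream).
    return scores[k - 1] if k <= n else 1.0


def prediction_set(probs: Probs, q: float) -> List[str]:
    """All classes whose nonconformity is within the calibrated threshold."""
    return sorted(y for y in probs if nonconformity(probs, y) <= q)


def classify_with_reject(probs: Probs, q: float) -> Optional[str]:
    """Reject option: decide only when exactly one class is plausible."""
    s = prediction_set(probs, q)
    return s[0] if len(s) == 1 else None


def argmax(probs: Probs) -> str:
    return max(probs, key=probs.get)


def evaluate(data: Sequence[Example], q: float) -> Dict[str, int]:
    """Compare plain argmax against the reject option on the same inputs."""
    c = {"n": 0, "accepted": 0, "errors_accepted": 0,
         "errors_argmax": 0, "label_in_set": 0}
    for probs, y in data:
        c["n"] += 1
        if argmax(probs) != y:
            c["errors_argmax"] += 1
        s = prediction_set(probs, q)
        if y in s:
            c["label_in_set"] += 1
        decision = classify_with_reject(probs, q)
        if decision is not None:
            c["accepted"] += 1
            if decision != y:
                c["errors_accepted"] += 1
    return c


if __name__ == "__main__":
    q = calibrate(CAL_DATA, alpha=0.2)
    print("threshold q =", q)
    print(evaluate(TEST_DATA, q))
```

With alpha = 0.2 and nine calibration points the threshold is the eighth smallest score, 0.5, so a class enters the set only if the model gave it at least 50 %. On the constructed test inputs argmax is wrong on 2 of 5 decisions, while the reject option accepts 3 and is wrong on 1 of them, handing the two ambiguous inputs to whatever fallback the safety architecture provides. The caveat the abstract points at is visible in the numbers: the second input is both confident and wrong, and no threshold on the model's own scores removes that kind of error, which is why the paper also considers diversification and monitoring.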
Th.1.B.1 10:00
Hijacking an autonomous delivery drone equipped with the ACAS-Xu system
In this paper, we want to show that automated anti-collision systems in the aeronautical industry such as ACAS-Xu are vulnerable to hijacking threats in an urban environment, which is less controlled than conventional airspace. Using reinforcement learning methods, we demonstrate the possibility of hijacking the mission of a delivery drone equipped with the ACAS-Xu system in a simulated environment. Our objectives are, first, to illustrate the security (interception) vulnerabilities of autonomous systems and, second, to enrich reinforcement learning benchmarks with a new one that comes from an industrial aeronautical application.
Th.1.B.2 10:30
Practical Trust x Performance Metrics for Block Cipher Evaluation in Automotive Environments
With several interconnected Electronic Control Units (ECUs), modern automobiles are networks on wheels and an easy target for cyber-attacks. To achieve confidentiality, integrity and authenticity of network communication, security measures based on block ciphers can be employed. These block ciphers should have sufficiently low latencies to meet the strict requirements of the automotive environment. Most block ciphers developed today are extensively scrutinized and provide strong security guarantees; at a high level, the security offered by these ciphers is on a par. It is thus a challenge for a designer to pick the right cipher for securing communication in the automotive network. This paper addresses this challenge by (a) providing a methodology to quantify the trust in a cipher and (b) studying the execution latencies on popular automotive platforms. The trust metrics are based, first, on assessing the potency of the known attacks on a cipher, such as the threat posed by those attacks in real-world environments, and, second, on a measure that quantifies world-wide scrutiny and adoption of a cipher based on heuristics such as the number of citations for the cipher. Together, the trust metrics and the execution latencies provide designers with a systematic approach to choosing block ciphers for automotive environments.
Th.1.C.1 10:00
A dynamic reference architecture to achieve planned determinism for automotive applications
With the evolution of modern cars towards more distributed architectures, and towards an increase in data volume transfer, we see the clear need to introduce determinism in all types of communications: inter-task, inter-core, inter-partition, inter-ECU. In parallel, to master the classical cost/quality/time-to-market triptych, platform approaches are needed more than ever, to gain the benefits of standardization. Our purpose in this submission is to describe how to combine these two constraints (determinism and standardization) in the automotive domain, and what should be put in place in terms of architecture and design patterns. Therefore, we describe our vision and experience of a dynamic reference architecture, as a "real-time framework" for straightforward development and faster integration of functions on one side, and for more flexible project configuration and easier validation on the other side. We explain the different levels of detail required by different users, the variability management, and the needed tool support. Then, we clarify what level of determinism we are talking about and compare different approaches like Time Determinism (TD), Logical Execution Time (LET), and a new combination of LET and SW clustering going in the direction of system-LET. In the next section, we present the basis of a deterministic reference architecture that combines the two above-mentioned objectives. We explain its main principles, and the underlying constraints on the design of the functions. With such an approach, we claim to achieve a certain degree of planned determinism (as opposed to an "inherited" one). Finally, we illustrate our paper with practical cases taken from industrial projects, mostly from powertrain domain controllers.
Th.1.C.2 10:30
The synchronous Logical Execution Time Paradigm
Real-time industrial systems are not so much systems that have to perform tasks incredibly fast as systems that have to perform them in a time-predictable manner; they focus on meeting previously specified timing requirements in a provable way. Consequently, time must be taken into account from the very start of the design. However, exact timing constants may not be available yet in early design stages, as they may depend on the target. In answer, formalisms based on Multiform Logical Time have been introduced to abstract real-time durations. The Synchronous-Reactive (SR) approach introduced a discretized abstraction of time on which computations happen logically instantaneously. Contrary to SR, Logical Execution Time (LET) mandates specifying the actual logical duration a task has to fulfill. This allows a more efficient compilation, at the price of a lower expressiveness. Classical LET (i.e. as introduced in Giotto/TDL) sticks to uniform pseudo-physical time, i.e. based on one logical clock mapped to real time. In this paper, we introduce a new paradigm called synchronous Logical Execution Time (sLET) that builds upon both the SR and LET paradigms. It keeps the idea of logical durations coming from the LET paradigm, while having logical instants based on logical clocks. This extends the expressivity of LET, as time is totally abstracted as sequences of events. The various schedulings provide physically timed versions that, while having distinct non-functional properties (in terms of performance mostly), remain mutually functionally equivalent (in the logical time realm). A particular instance, where computations are executed "in a single instant" and then time is advanced (as in classical event-driven simulation), can lead to a direct translation into synchronous formalisms (in our case Esterel). We have started inquiring how this could open new ways of verification and analysis of PsyC programs.
Th.2.A.1 11:30
A Bottom-Up Formal Verification Approach for Common Criteria Certification: Application to JavaCard Virtual Machine
Ensuring the quality and security of critical software is nowadays a major concern. A Common Criteria (CC) certificate is a public proof of a successful evaluation at a given assurance level (from EAL1 up to EAL7). Starting from EAL6, CC require a formal Security Policy Model (SPM) and the associated mathematical proof of the system design correctness. Historically, since real-life code verification was not feasible for large industrial projects, the certification usually followed a top-down approach, where a separate abstract model —rather than the real-life code— was used to verify the specified security properties, and then refined to the code. In a recent EAL6 certification project of a smart card product, conducted by THALES and evaluated by ANSSI (the French national certification authority) and LETI (the evaluation center), we propose a novel methodology relying on verification of the real-life code using the Frama-C verification platform. It provides expressive means to specify necessary security properties (integrity, confidentiality) required by CC. We describe the specifics of this bottom-up approach for the CC certification, discuss its benefits and challenges and compare it to the previous top-down approaches.
Th.2.A.2 12:00
Obtaining DO-178C Certification Credits by Static Program Analysis
Static analysis has evolved to be a standard method in the software development and verification process. Its formal method, Abstract Interpretation, is one of the verification methods covered by the Formal Methods Supplement DO-333 of the DO-178C standard. Static program analysis can contribute to numerous verification goals of DO-178C at various stages of the development process. The main focus of static analysis methods is non-functional software quality hazards, e.g., violations of coding guidelines, violations of software architecture constraints, violations of resource bounds such as stack overflows and real-time deadlines, runtime errors, and data races. This article gives a brief overview of abstract interpretation and its applications to detect different classes of safety hazards. We review the requirements of DO-178C/DO-333, from High-Level Requirements to requirements for verification of Executable Object Code, and pinpoint aspects that can be covered by static analysis methods. The article concludes by illustrating the relevant requirements for DO-330-compliant tool qualification of static analysis tools. Keywords: DO-178C, DO-330, DO-333,
Th.2.B.1 11:30
Architecture-Supported Audit Processor: Interactive, Query-Driven Assurance
Establishing that safety-critical systems are actually safe requires a large effort and involves a range of tasks, from conducting preliminary hazard analyses to creating detailed assurance cases. This paper introduces the Architecture-Supported Audit Processor, or ASAP, which generates a number of safety-specific system views that deeply integrate a system's architecture and the arguments about its safety. These views are generated interactively and automatically using safety-specific extensions to the Architecture Analysis and Design Language (AADL). Though use of the tooling and views does not require any particular process, they align well with a system-theoretic approach. This paper discusses the background and use of ASAP on a demonstrative example.
Th.2.B.2 12:00
Automated Generation of Requirements for the Highly Fault-Tolerant System Behaviour of a Distributed and Integrated Avionics Platform
Fully autonomous Unmanned Aerial Vehicles, Remotely Piloted Aircraft, Air Taxis, as well as advanced CS-23 aircraft require numerous complex and safety-critical system functions, such as vehicle management and utility functions, automatic take-off and landing, or flight control. The development and qualification of the related avionics systems are characterised by a very high effort. The Institute of Aircraft Systems at the University of Stuttgart, in close cooperation with Aviotech GmbH, aims at a highly automated development and verification process for such fault-tolerant avionics systems to significantly reduce development effort, time, and risk, and thus costs. For this reason, the Flexible Avionics Platform was developed. It enables the implementation of integrated fly-by-wire platform instances and is characterised by the following key aspects. (1) A platform-based development approach featuring an integrated, distributed, and highly redundant avionics architecture. (2) The platform management, a high-level abstraction layer providing full abstraction towards integrated applications regarding the distribution, fault tolerance, and redundancy of a fly-by-wire platform instance, including redundant peripherals. (3) The AAA process, a comprehensive automation process for the highly automated generation of development and qualification artefacts, such as an instance of the Platform Management, the corresponding specification at the system and software level, and related test cases and test scripts. This paper presents the basics of automated requirements generation at the system level, with a focus on the specification of the highly fault-tolerant system behaviour of fly-by-wire platform instances based on the Flexible Avionics Platform.
Th.2.C.1 11:30
Digital transformation in the European Space Industry
Digitalisation is a trend in most industrial domains. The Space domain has embarked on it for a few years. Starting from the Model Based System Engineering initiative, the discussion between Space Agencies and Industry has intensified with several topical working groups. The scope has enlarged from MBSE to full engineering digitalisation, aiming at producing the enablers that will allow digital twins to be developed. The paper describes and positions the ESA digitalisation project, indicating how this is a joint Space Community endeavour, proposing a development approach, and giving programmatic elements as well as the initial panorama of MBSE deployment in Space projects.
Th.2.C.2 12:00
Impact of environment on the execution of a real-time Linux process on a multicore platform
This article aims at studying the cohabitation of two or more software applications on the same multi-core hardware platform. These software applications are designed and developed according to the space context described in the previous section; thus each software application has a criticality level and is produced by a different development team. Once they are executing on the same hardware platform, we want to assure two fundamental properties:
- Execution interference: the perturbation made by one software application on the others should not be greater than an epsilon. This epsilon can be an execution time or a response time depending on the case. It is defined for each application and is part of its specification.
- Failure propagation: a software failure should not propagate to software with a higher criticality level. Functional failure propagation, being application-specific, is not in the scope of this work.
Along with these properties we assume the following hypothesis: all software is developed and executed on Linux. It means that Linux is used as the embedded operating system of our spacecraft. In order to ensure these two properties, our objective is to use space and time isolation of applications running on a Linux operating system. The use of Linux is motivated by its recent evolution, which makes it useful for embedded systems. As an example, the navigation system of the helicopter on Mars launched by NASA runs on Linux.
Th.4.A.1 15:00
Efficient Use of Systems Theoretic Process Analysis for Automated Driving Systems
This paper describes how to use Systems Theoretic Process Analysis (STPA) as part of a safety case for an Automated Driving System (ADS). A central contribution is the proposed control structure following a decision hierarchy. This enables the generation of a list of efficient unsafe control actions (UCAs) and corresponding controller constraints, for which it is possible to cover a complete list of loss scenarios. These results can master the general problem of reaching completeness with respect to all potential unsafe scenarios. In particular, this solves some problems highlighted in ISO 21448 (SOTIF), like the so-called Area 3 problem and the problem of triggering conditions. The most important outcome of this paper is that it enables reaching completeness in the verification strategy without running into the "billion miles of driving" problem, which can arise when the set of loss scenarios leading to UCAs is potentially infinite. Even the "smart miles" argumentation is avoided this way, as the definition of the scenarios related to the UCAs of the respective controllers is not formulated such that an enormous number of test miles is required.
Th.4.A.2 15:30
Software fault propagation patterns for model-based safety assessment in autonomous cars
The development of driver assistance and autonomous driving systems for vehicles has started to revolutionize the transportation sector, promising comfort and safety. While significant technological progress has already been made in this area, the road ahead is littered with many challenges. Among these challenges, ensuring safety has become even more critical due to the increasing use of complex, communicating, and reconfigurable embedded software. Current solutions to address safety include the use of model-based approaches for safety analyses instead of the traditional document-based safety analysis, which is both informal and inefficient when faced with complexity. To this end, and in the context of automotive embedded software, we propose to rely on fault patterns to improve the construction of the software models used to conduct safety analyses. This paper makes a methodological proposal that improves current practices in terms of facilitated model construction and reusability, and that has been validated on the study of an automotive software component.
Th.4.A.3 16:00
Pave the way for connected & autonomous driving at level crossings
France has the highest number of level crossings in Europe (more than 15,400), representing 1% of road fatalities and more than 37% of railway fatalities (excluding suicide). As increasingly intelligent, connected and automated vehicles are emerging on the roads, SNCF (the French railway operator) and VALEO (automotive equipment supplier) have joined forces to study how to prepare for the arrival of such automated/autonomous vehicles at level crossings. To enable safe driving in level-crossing areas by these automated/autonomous vehicles, impacts on both the vehicle and infrastructure sides have been studied and demonstrated successfully. In particular:
- Wireless communications between vehicles and level crossings (called "V2X" communications) have been used in combination with exteroceptive sensors (e.g. cameras).
- Railway and automotive functional safety and cybersecurity approaches have been combined.
The final presentation will aim at:
- presenting some of the use cases and scenarios that need to be addressed by automated vehicles in level crossing areas;
- describing the major specifications on both the vehicle and infrastructure sides that will enable such use cases and scenarios. In particular, the risk sharing between the vehicles and the infrastructure will be discussed.
Automated driving at level crossings (with trains approaching possibly at high speeds) is indeed a topic not yet targeted by the C-ITS ecosystem (Cooperative Intelligent Transport Systems), which currently focuses only on connected driving at level crossings, with the purpose of providing only information and/or warnings to the driver (e.g. about a risk of collision with a train).
Th.4.B.1 15:00
MASTECS Multicore Timing Analysis on an Avionics Vehicle Management Computer
Driven by the increasing compute performance required by modern autonomous systems, high-integrity applications are moving to multi-core processors as their main computing platform. Using multi-core processors in avionics is particularly challenging since the timing behavior of the software is affected not only by its inputs but also by software running simultaneously on other cores. To address this challenge, the MASTECS EU project has developed a methodology for multicore timing analysis. In this work, we show the results of applying this methodology to a representative avionics use case provided by MASTECS partner Collins Aerospace.
Th.4.B.2 15:30
Using IA to estimate Memory Interference Impact on Avionics Software on Multicore Platform
Characterization of memory interference on multi-core platforms is a complex and hot challenge in avionics. Instead of a fine and complex explicit modelization of all the contributors to this phenomenon, we propose an original methodology to perform this characterization using a data/machine-learning approach. In a first step, we analyze the binaries of avionics applications to extract memory access patterns and compute statistical features about the application's usage of memory. Secondly, we generate a representative dataset of applications using a bandit-based algorithm, which accelerates space exploration and allows limiting the training dataset size. Finally, we train a deep-learning model to predict the contribution of an application to the memory contention phenomenon and its resilience against it.
Th.4.B.3 16:00
Modelling and analyzing multi-core COTS processors
To embed multi-core COTS processors in an avionics product, the platform must be thoroughly analyzed from two perspectives: the worst-case real-time behaviours and the safety impact of internal failures. Both activities are very complex and error-prone for large systems. Moreover, the frameworks for the two perspectives (real-time and safety) are completely decoupled, leading to independent and possibly incoherent analyses. Our purpose is to unify both worlds and help designers in their certification process. To this end, we have formalized and unified as much as possible the different perspectives of multi-core analysis. We have also proposed a simple description language for the platform, which contains the minimal concepts needed by both perspectives, as well as an automatic translation to the two analysis frameworks.
Th.4.C.1 15:00
Toward the certification of safety-related systems using ML techniques: the ACAS-Xu experience
In the context of the use of Machine Learning (ML) techniques in the development of safety-critical applications for both airborne and ground aeronautical products, this paper proposes elements of reasoning for conformity to the future industrial standard. Indeed, this contribution is based on the ongoing EUROCAE WG-114/SAE G-34 standardization work that will produce the guidance to support the future certification/approval objectives. The proposed argumentation is structured using assurance case patterns that will support the demonstration of compliance with the assurance objectives of the new standard. Finally, these patterns are applied to the ACAS-Xu use case to contribute to a future conformity demonstration using evidence from ML development process outputs.
Th.4.C.2 15:30
Do safety standards need radical changes?
As Embedded France's cross-domain group dedicated to the rationale and the evolution of safety standards, we observe the emergence of new types of systems. It is noticeable in the automotive, railway, production systems and defense domains, and to some extent in the aeronautics, space and nuclear domains. Some of these changes are likely to affect development assurance in depth, up to the point where considering an update of part of their principles is becoming relevant. Such an evolution has already started with the surge of cybersecurity, machine learning and autonomy. This paper reviews further evolutions and delineates their associated impacts on assurance standards. We first focus on the need for new classes of risks and for regulation to define their levels of acceptance by society. In a second part, we explain why it is necessary to introduce "on-line" risk assessment and "on-line" determination of the mitigation policy, depending on environment and system capabilities.
Th.5.A.1 17:00
Multilayer Monitoring for Real-Time Applications
Validation of timing requirements of multicore, heterogeneous and distributed systems is a difficult problem because of the large number of situations that introduce temporal variability and/or interference. A possible solution is to augment the system with monitors and to rely on runtime monitoring techniques. In this paper we propose such a runtime monitoring which spans all the semantic layers of a model-based design, from high-level specification to executable code. We showcase our runtime monitoring on a safety-critical application for driving assistance.
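To make the monitoring idea concrete at the lowest of those layers, here is an added example of a runtime monitor that checks a trace of task events against explicit timing requirements. It is not code from the paper and does not reproduce its multilayer design: it shows only what a monitor at the executable-code level has to track (release, start and end of each job) and the three checks a practitioner usually wants, namely an execution-time budget per job, a relative deadline measured from the release, and a period with a jitter tolerance, plus detection of a job still running when its next release arrives. The task names, requirement values and event trace are constructed for the example; on a real system the events would come from a tracer or from instrumentation in the scheduler.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TimingReq:
    period_us: int      # expected distance between successive releases
    deadline_us: int    # relative deadline, measured from the release
    budget_us: int      # allowed execution time for one job (start -> end)
    jitter_us: int = 0  # tolerated deviation of the release period


@dataclass(frozen=True)
class Violation:
    task: str
    job: int        # 0-based job index, per task
    kind: str       # "budget", "deadline", "period" or "overrun"
    value_us: int   # the measured value that broke the requirement


Event = Tuple[int, str, str]  # (timestamp in us, task, "release"|"start"|"end")


class TimingMonitor:
    """Online monitor: feed events in timestamp order, collect violations."""

    def __init__(self, reqs: Dict[str, TimingReq]) -> None:
        self.reqs = reqs
        self.release: Dict[str, int] = {}
        self.start: Dict[str, int] = {}
        self.job: Dict[str, int] = {t: -1 for t in reqs}
        self.running: Dict[str, bool] = {t: False for t in reqs}
        self.violations: List[Violation] = []

    def on_event(self, t_us: int, task: str, kind: str) -> None:
        req = self.reqs[task]
        if kind == "release":
            if self.running[task]:
                # Previous job has not finished when the next one is released.
                self.violations.append(Violation(
                    task, self.job[task], "overrun", t_us - self.release[task]))
            if task in self.release:
                delta = t_us - self.release[task]
                if abs(delta - req.period_us) > req.jitter_us:
                    self.violations.append(Violation(
                        task, self.job[task] + 1, "period", delta))
            self.release[task] = t_us
            self.job[task] += 1
        elif kind == "start":
            self.start[task] = t_us
            self.running[task] = True
        elif kind == "end":
            self.running[task] = False
            exec_us = t_us - self.start[task]
            resp_us = t_us - self.release[task]
            if exec_us > req.budget_us:
                self.violations.append(Violation(task, self.job[task], "budget", exec_us))
            if resp_us > req.deadline_us:
                self.violations.append(Violation(task, self.job[task], "deadline", resp_us))
        else:
            raise ValueError(f"unknown event kind {kind!r}")


def run_monitor(trace: List[Event], reqs: Dict[str, TimingReq]) -> List[Violation]:
    mon = TimingMonitor(reqs)
    for t_us, task, kind in trace:
        mon.on_event(t_us, task, kind)
    return mon.violations


# Constructed requirements for two hypothetical tasks of a driving-assistance
# application: a 1 ms control loop and a 2 ms perception step.
REQS = {
    "ctrl": TimingReq(period_us=1000, deadline_us=1000, budget_us=300),
    "perc": TimingReq(period_us=2000, deadline_us=1500, budget_us=500),
}

# Constructed trace (microseconds). The second ctrl job exceeds its budget; the
# second perc job is delayed behind ctrl, blows its budget and misses its deadline.
TRACE: List[Event] = [
    (0, "ctrl", "release"), (0, "perc", "release"),
    (0, "ctrl", "start"), (200, "ctrl", "end"),
    (200, "perc", "start"), (650, "perc", "end"),
    (1000, "ctrl", "release"), (1000, "ctrl", "start"), (1350, "ctrl", "end"),
    (2000, "ctrl", "release"), (2000, "perc", "release"),
    (2000, "ctrl", "start"), (2250, "ctrl", "end"),
    (2250, "perc", "start"), (3600, "perc", "end"),
]

if __name__ == "__main__":
    for v in run_monitor(TRACE, REQS):
        print(v)
```

Running it on the constructed trace reports three violations: a budget overrun of 350 us on the second ctrl job, and both a budget overrun (1350 us) and a deadline miss (1600 us response time) on the second perc job. The monitor deliberately keeps execution time and response time as separate checks, because on a multicore platform a job can stay within its own budget and still miss its deadline through interference from other cores, and that distinction is what tells an engineer whether the fix belongs in the application or in the integration.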
Th.5.A.2 17:30
Safety and Security monitoring convergence at the dawn of Open Hardware
The emergence of multi-core processors in the embedded world one decade ago led to the IT/OT convergence. In the last few years, a second convergence has been ongoing in the domains of safety-critical and security-critical systems. Nowadays both safety protection systems and security protection systems rely on monitoring to ensure the expected critical software behavior. However, all these systems incur a performance overhead to fulfill the service, which can be an issue with time-critical systems. The safety monitoring process, which was mostly involved at design time, focusing on both the software and the hardware to ensure hard real-time behavior and propose mitigations for faults and errors, is now also targeting the integration and deployment phases with adaptive runtime engines to deal with the timing interference issue of multi-core architectures. The security monitoring process, which mostly used to focus on protecting against software vulnerabilities at runtime, now has to consider unreliable hardware that some cyberthreats such as Spectre and Meltdown are able to exploit. Sharing the monitoring features required by Health & Usage Monitoring Systems (HUMS) and Hardware Intrusion Detection Systems (HIDS) would allow us to reduce the performance impact. In this context, open hardware architectures are a major opportunity, allowing us to analyze the hardware design without black boxes, to seek formal proof of critical properties, to implement mechanisms for improved predictability, and to enhance hardware-level observability.
Th.5.B.1 17:00
Towards an agile, model-based multidisciplinary process to improve operational diagnosis in complex systems
Systems' online diagnostics require multidisciplinary system knowledge and experience from their operators. When the complexity of the system rises, operational (in-service) diagnostics become a complex task. In an effort to improve efficiency while better handling the complexity of diagnostics during operations, the authors propose a methodology aiming to increase the agility of complex systems' development processes. This paper introduces a new way to construct operational models early in the development cycle so as to improve the performance of monitoring activities and, ultimately, increase the confidence in the systems' resilience provided by their design.
ERTS 2022 - IMPORTANT DATES
Abstract of Regular & Short Paper submission (4 pages): Sept. 5th, 2021, extended to October 3rd, 2021 (any time on earth)
Acceptance Notification: Nov. 18th, 2021
Regular Paper for review (10 pages): Jan. 9th, 2022
Final Paper (Short and Regular): Jan. 30th, 2022
Congress (new dates): June 1st to 2nd, 2022