TESTING A FAULT-TOLERANT CYBER-PHYSICAL SYSTEM … · Safe autonomous driving, also when...
TESTING A FAULT-TOLERANT CYBER-PHYSICAL SYSTEM DESIGNED FOR TESTABILITY
Presented by Florian Krautwurm & Markus Lachenmayr
© All rights reserved
A cyber-physical system must operate dependably in every situation
The e-car remains safe while a redundant component of the central control unit fails permanently
Redundancy · Spatial distribution · Failure detection
Functional Requirements: Safe autonomous driving, also when components fail (fail operational)
Non-Functional Requirements: Availability, Dependability, Reliability, Robustness, …, Testability
The e-car remains safe while a redundant component of the central control unit fails permanently
A cyber-physical system must operate dependably in every situation
[Figure: system states (Safe state, Vulnerable state, Dangerous state) across Phase 1, Phase 2 and Phase 3]
Testing of fault-tolerant, real-time systems is hard
Cyber-physical systems involve extensive test procedures to investigate the behavior of the system
Get deep insights!
More bad weather tests!
Test in the field!
System built for testability by design!
Independent test system with distributed test probes
Point-to-point links between test probes (tp) and test probe control center (tc)
A safe steering test with fault injection
The basic idea behind generating a bad weather test:
Precondition: n1.SteeringCtrl.Authority == primary, n2.SteeringCtrl.Authority == backup
Fault injection: n1.State = 0xDEAD
Expected result: n2.SteeringCtrl.Authority == primary
A safe steering test with fault injection
Reliable statements using the ALFHA1) language
TEST Critical app continues on primary failure
DEFINE IsPrimary(Node, App)
    AS Node.App.Authority == primary
DEFINE HasPrimary(App)
    AS IsPrimary(n1, App) XOR IsPrimary(n2, App)
TRIGGER IsPrimary(n1, SteeringCtrl)
INVARIANT HasPrimary(SteeringCtrl)
CYCLE
    FROM 10 TO 15 DO n1.State = 0xDEAD
    UNTIL 30
1) ALFHA: Assertion Language for Fault-Hypothesis Arguments
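To make the fault-injection scenario of the previous two slides concrete, here is an added Python model of the steering test; it is not code from the presentation or the ALFHA tooling. The way TRIGGER, INVARIANT and CYCLE are interpreted, the failover behaviour of the two nodes, and all names (`Node`, `failover_step`, `run_steering_test`, the `policy` values) are assumptions made for the illustration. Besides a correct redundancy controller it models two hypothetical defects, one where no node takes over and one where the dead node keeps a stale primary flag, to show why HasPrimary uses XOR rather than OR.

```python
"""Added example, not part of the slides: a minimal Python model of the
ALFHA steering test. The semantics of TRIGGER/INVARIANT/CYCLE, the node
failover behaviour and every name below are assumptions for illustration."""
from dataclasses import dataclass, field

PRIMARY, BACKUP = "primary", "backup"
ALIVE, DEAD = 0x0000, 0xDEAD          # 0xDEAD is the injected fault value from the slides
APP = "SteeringCtrl"


@dataclass
class Node:
    """One control-unit node; authority maps application name -> primary/backup."""
    name: str
    state: int = ALIVE
    authority: dict = field(default_factory=dict)


def is_primary(node: Node, app: str) -> bool:
    """ALFHA: DEFINE IsPrimary(Node, App) AS Node.App.Authority == primary"""
    return node.authority.get(app) == PRIMARY


def has_primary(n1: Node, n2: Node, app: str) -> bool:
    """ALFHA: DEFINE HasPrimary(App) AS IsPrimary(n1, App) XOR IsPrimary(n2, App)
    XOR, not OR: exactly one node may hold authority, so two simultaneous
    primaries violate the invariant just like no primary at all."""
    return is_primary(n1, app) != is_primary(n2, app)


def failover_step(n1: Node, n2: Node, app: str, policy: str) -> None:
    """Assumed redundancy controller, run once per application cycle.
    `policy` selects the correct controller or one of two hypothetical defects."""
    for own, peer in ((n1, n2), (n2, n1)):
        if is_primary(own, app) and own.state == DEAD:
            if policy == "correct":          # dead primary steps down, peer takes over
                own.authority[app] = BACKUP
                peer.authority[app] = PRIMARY
            elif policy == "no_takeover":    # defect: primary steps down, nobody takes over
                own.authority[app] = BACKUP
            elif policy == "stale_flag":     # defect: peer promoted, dead node keeps its flag
                peer.authority[app] = PRIMARY
            else:
                raise ValueError(policy)


def run_steering_test(policy: str, inject_from: int = 10, inject_to: int = 15,
                      until: int = 30) -> dict:
    """Executes the ALFHA test against the modelled nodes and returns a verdict."""
    n1 = Node("n1", authority={APP: PRIMARY})
    n2 = Node("n2", authority={APP: BACKUP})
    # TRIGGER IsPrimary(n1, SteeringCtrl): the test only starts from this state
    if not is_primary(n1, APP):
        return {"passed": False, "violations": [], "primaries_at_end": [],
                "reason": "trigger not met"}
    violations = []
    for cycle in range(1, until + 1):            # CYCLE ... UNTIL 30
        if inject_from <= cycle <= inject_to:    # FROM 10 TO 15 DO n1.State = 0xDEAD
            n1.state = DEAD                      # permanent fault: nothing resets it later
        failover_step(n1, n2, APP, policy)
        if not has_primary(n1, n2, APP):         # INVARIANT HasPrimary(SteeringCtrl)
            violations.append(cycle)
    return {
        "passed": not violations,
        "violations": violations,
        "primaries_at_end": [n.name for n in (n1, n2) if is_primary(n, APP)],
    }


if __name__ == "__main__":
    for p in ("correct", "no_takeover", "stale_flag"):
        print(p, run_steering_test(p))
```

With the correct controller the invariant holds in every cycle and n2 ends up as the only primary; both defective controllers produce a violation in every cycle from 10 to 30, which is exactly what the probe-side invariant check is meant to surface. The invariant is evaluated every cycle, not only at the end, because a transient window with zero or two primaries is just as dangerous as a permanent one.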
Reliable test statements from test probes that execute tests free of side effects
Test probe resources are fixed, limited, and exclusive:
• Execution time. Time slot within the application schedule.
• Memory footprint. Probe memory is reserved up-front.
• Network bandwidth. Probe packets are fixed-size and have a fixed frequency.
• Application cycle. Probe resources can never be used by other applications.
Secrets behind reliable statements at a glance
• Reliable statements from tests of testable systems
• Probe in each system node by design, permanently, in lab and field
• Non-intrusive monitoring, data-seeding & testing
Testing a Fault-Tolerant Cyber-Physical System Designed for Testability