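@comment{
  Publication list (Klaus Becker et al.), cleaned for classic BibTeX and Biber.
  Conventions applied in this file:
  - every entry has a citation key (six entries had an empty key, which makes
    them uncitable and triggers "repeated entry" warnings); existing keys are
    kept unchanged so current \cite{} commands keep working, new keys follow the
    existing lowercase lastnameYYYY[a-z] scheme;
  - one field per line, page ranges with --, month as unquoted macro;
  - non-ASCII is written as BibTeX special characters ({\'c}, {\"a}) so the
    file also works with 8-bit BibTeX and sorts correctly;
  - a literal & in a printed field is escaped as \& (unescaped it breaks LaTeX);
  - acronyms in titles are brace-protected against style recasing;
  - tool-private JabRef metadata (timestamp/owner) and redundant affiliation
    fields on the thesis were dropped; they are ignored by every style.
  Blech2012: publisher corrected to Springer, which the 10.1007/978-3-642-...
  DOI (Springer LNCS) establishes; ACM was wrong.
}

@article{becker2018,
  author   = {Becker, Klaus and Voss, Sebastian and Sch{\"{a}}tz, Bernhard},
  title    = {Formal Analysis of Feature Degradation in Fault-Tolerant Automotive Systems},
  journal  = {Science of Computer Programming},
  volume   = {154},
  number   = {1},
  pages    = {89--133},
  year     = {2018},
  month    = mar,
  doi      = {10.1016/j.scico.2017.10.007},
  keywords = {Graceful degradation, Fault tolerance, Redundancy, Fail-operational, Mixed criticality, Model-based Systems Engineering, MbSE},
  abstract = {Safety critical fault-tolerant embedded systems have to react properly on failures of internal system elements to avoid failure propagation and finally a harmful external failure at the system boundary. Beside failure detection, actions for failure handling are essential to cover safety requirements. Actions reach from enabling fail-silent, fail-safe or fail-operational behavior of system elements, or also hybrids of this in a mixed criticality system design. Graceful degradation can be applied when system resources become insufficient, reducing the set of provided functional features. In this paper, we address mixed criticality and mixed reliability automotive systems. We consider mixed reliability by functional features having different fail-operational requirements. Beside pure fail-operational features, we also consider degradations of functional features, called fail-degraded features. We describe a formal system model that contains, i.a., the functional features of a vehicle, possible feature degradations, software components that realize the features, as well as the deployment of software components to execution units. We provide a structural analysis of the level of degradation on system level and feature level, which is required in scenarios of failing execution units and/or software components. Combined with this analysis, we synthesize valid deployments of software components to execution units, incorporating an adequate level of redundancy to meet the fail-operational requirements, if feasible. We apply our approach to a constructed automotive example.},
}

@phdthesis{becker2017,
  author   = {Becker, Klaus},
  title    = {Software Deployment Analysis for Mixed Reliability Automotive Systems},
  school   = {TU M{\"{u}}nchen},
  year     = {2017},
  month    = jun,
  url      = {http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:bvb:91-diss-20170726-1345914-1-1},
  keywords = {Fault Tolerance, Graceful Degradation, Fail-Operational, Dependability, Reliability, Mixed Criticality, Safety, Deployment, Redundancy, Synthesis, Automotive, Formal Methods, Model-based Systems Engineering, MbSE},
  abstract = {Safety critical systems require rising dependability due to increasing autonomy. Fault-tolerance is necessary, but failures may cause system resources to become insufficient to provide all intended functional features. We introduce an approach to formally analyze failure scenarios in mixed criticality systems, combined with the synthesis of valid deployments of software to hardware, incorporating adequate redundancy to address mixed reliability. Based on a formal system model, we provide a structural analysis of necessary degradations and failovers in failure scenarios, while ensuring the fulfillment of fail-operational requirements.},
}

@inproceedings{terzimehic2017,
  author    = {Terzimehi{\'c}, Tarik and Wenger, Monika and Zoitl, Alois and Bayha, Andreas and Becker, Klaus and M{\"{u}}ller, Thorsten and Schauerte, Hubertus},
  title     = {Towards an {Industry 4.0} Compliant Control Software Architecture Using {IEC 61499} \& {OPC UA}},
  booktitle = {IEEE International Conference on Emerging Technologies and Factory Automation (ETFA)},
  year      = {2017},
  doi       = {10.1109/ETFA.2017.8247718},
  keywords  = {Industry 4.0, MbSE, model-based systems engineering, OPC UA, IEC 61499},
  abstract  = {The fourth industrial revolution introduced additional requirements on the industrial systems' control software in order to cope with current manufacturing systems' flexibility demands. These requirements include, among others, a dynamic reconfigurability, software reusability and an external service orchestration. This work presents the design of an industry 4.0 compliant control software architecture resulting from an iterative design process. The architecture is based on the reconfiguration services of the IEC 61499 standard and the service orchestration via OPC UA. We demonstrate the software architecture's compliance to the industry 4.0 requirements on an aluminum cold rolling mill plant demonstrator.},
}

@inproceedings{becker2016,
  author    = {Becker, Klaus and Voss, Sebastian},
  title     = {A Formal Model and Analysis of Feature Degradation in Fault-Tolerant Systems},
  booktitle = {4th Int. Workshop on Formal Techniques for Safety-Critical Systems (FTSCS)},
  year      = {2016},
  month     = jan,
  address   = {Paris, France},
  doi       = {10.1007/978-3-319-29510-7_8},
  keywords  = {Graceful-degradation, Fault-tolerance, Redundancy, Fail-operational, Mixed-critical, Diversity, Deployment, Dependability, Model-based Systems Engineering, MbSE},
  abstract  = {Fault-tolerant systems have to react on errors resulting from faults properly to avoid error propagation and finally a harmful failure of the entire system. Beside the detection of failing system elements, also the actions to handle failures are essential to cover the safety requirements. Actions reach from enabling fail-silent, fail-safe or fail-operational behavior of system elements, or also hybrids of this in a mixed-critical system design. Graceful degradation may be applied when system resources become insufficient, reducing the set of provided functional features. In this paper we address mixed critical systems, which partially comprise fail-operational functional features. We consider degradations of functional features in failure scenarios. We describe a formal model that contains i.a. the features of a system, possible feature degradations, the software components that realize these features, as well as the deployment of these components to execution units. We calculate valid deployments of software components to execution units and analyze them according to the level of graceful degradation on feature level and system level, as a consequence of failures of execution units or software components. We show an example from the automotive domain to illustrate our approach.},
}

@inproceedings{becker2015c,
  author    = {Becker, Klaus and Frtunikj, Jelena and Felser, Meik and Fiege, Ludger and Buckl, Christian and Rothbauer, Stefan and Zhang, Licong and Klein, Cornel},
  title     = {{RACE} {RTE}: A Runtime Environment for Robust Fault-Tolerant Vehicle Functions},
  booktitle = {3rd Workshop on Critical Automotive applications - Robustness \& Safety (CARS)},
  year      = {2015},
  month     = sep,
  address   = {Paris, France},
  url       = {https://hal.archives-ouvertes.fr/hal-01192987},
  keywords  = {Model-based Systems Engineering, MbSE},
  abstract  = {The degree of automated operation in vehicles is increasing continuously. Manufacturers want existing and new functions to be integrated, which drives engineering costs. On the other hand, customers grow accustomed to a steady flow of new functionality on smart phones, partially integrated into their vehicles. In this paper, the Runtime Environment (RTE) of the RACE project is presented. Based on a cross-domain system topology, the RTE executes real-time applications of mixed criticality up to fail-operational behavior. It offers communication and safety mechanisms that are configurable in-field to support Plug\&Play scenarios. Since integrated functions often require access to different vehicle domains, the vehicle runtime and configuration data model is reified in the RTE to enable test and verification of all these mechanisms.},
}

@inproceedings{gupta2015,
  author       = {Gupta, Pragya Kirti and Becker, Klaus and Duchon, Markus and Sch{\"{a}}tz, Bernhard},
  title        = {Formalizing Performance Degradation Strategies as an Enabler for Selfhealing Smart Energy Systems},
  booktitle    = {Tagungsband Dagstuhl-Workshop {MBEES}: Modellbasierte Entwicklung eingebetteter Systeme XI Model-Based Development of Embedded Systems},
  year         = {2015},
  month        = apr,
  organization = {Dagstuhl-Workshop MBEES: Eleventh Workshop on Modellbasierte Entwicklung Eingebetteter Systeme},
  url          = {https://download.fortiss.org/public/mbees/mbees2015_proceedings.pdf},
  keywords     = {Model-based Systems Engineering, MbSE},
  abstract     = {Smart behavior in reactive systems can be achieved when systems can react appropriately to environmental changes. These adjustments in behavior can be achieved through predefined strategies. In this work, we present a formal specification of performance degradation where the overall performance of the system is intentionally lowered in order to ensure high availability of the core services of the system in fault scenarios. We demonstrate the application of this strategy in the energy domain. Power outages can be foreseen as one of the big challenges in the smart grid functionality. In such a power outage situation, it is essential to support high priority services at all times. During such situations, to prolong support for high priority services, we propose an approach using constraint-based formal modeling by developing the degradation strategy. A service is selected or deactivated based on its priority, energy consumption and its performance contribution. As a consequence, when services have to be disabled due to insufficient available energy, the performance of the overall system degrades, but high priority services remain available. We validate our approach by using the Z3 SMT solver to identify a valid degradation strategy scheme for a fault scenario in the fortiss smart energy living lab demonstrator.},
}

@inproceedings{becker2015a,
  author    = {Becker, Klaus and Sch{\"{a}}tz, Bernhard},
  title     = {Deployment Calculation and Analysis for a Fault-Tolerant System Platform},
  booktitle = {11th Dagstuhl-Workshop on Model-Based Development of Embedded Systems (MBEES)},
  pages     = {100--109},
  year      = {2015},
  month     = mar,
  url       = {https://mediatum.ub.tum.de/doc/1281559/288733.pdf},
  keywords  = {Fault-tolerance, fail-operational, deployment, model-based systems engineering, MbSE},
  abstract  = {In many embedded systems like in the automotive domain, safety-critical features are increasingly realized by software. Some of these features are often required to behave fail-operational, meaning that they must stay alive even in the presence of random hardware failures. In this paper, we introduce a constraint-based approach to calculate valid deployments of mixed critical software components to the execution nodes of a new fault-tolerant SW/HW architecture for electric vehicles. To avoid harm, faulty execution nodes have to be isolated from the remaining system. We treat the changes to the deployment that are required after isolations of execution nodes to keep those software components alive that realize fail-operational features. However, the remaining system resources may become insufficient to execute the full set of software components after such isolations. Hence, some components might have to be deactivated, meaning that features might get lost. Our approach allows to formally analyze which subset of features can still be provided after one or more isolations. We present an arithmetic system model of the deployment problem that can be solved by an SMT solver.},
}

@inproceedings{Buechel2015,
  author    = {Buechel, Martin and Frtunikj, Jelena and Becker, Klaus and Sommer, Stephan and Buckl, Christian and Armbruster, Michael and Klein, Cornel and Marek, Andre and Zirkler, Andreas and Knoll, Alois},
  title     = {An Automated Electric Vehicle Prototype Showing New Trends in Automotive Architectures},
  booktitle = {IEEE 18th International Conference on Intelligent Transportation Systems (ITSC)},
  year      = {2015},
  location  = {Las Palmas, Gran Canaria, Spain},
  doi       = {10.1109/ITSC.2015.209},
  keywords  = {Automated Vehicles, automotive architecture, autonomous driving, electric vehicle, Vehicle Prototype, Model-based Systems Engineering, MbSE},
  abstract  = {The automotive domain is challenged by the increasing importance of Information Technology (IT) based functions. To show the possibilities of modern IT systems, a demonstrator car was developed in RACE (Robust and Reliant Automotive Computing Environment for Future eCars) based on a completely redesigned E/E architecture, which supports the integration of mixed-criticality components and offers features like Plug\&Play. This paper presents the architecture and components of this vehicle prototype, which is equipped with modern systems such as Steer-by-Wire without mechanical fallback. It was designed to support future driver assistance systems, e.g. to carry out autonomous parking maneuvers onto an inductive charging station, a task, which is hard to achieve accurately enough for a human driver. Therefore, a special emphasis lies on the description of the sensor set for automated operation.},
}

@inproceedings{becker2015b,
  author    = {Becker, Klaus and Voss, Sebastian},
  title     = {Analyzing Graceful Degradation for Mixed Critical Fault-Tolerant Real-Time Systems},
  booktitle = {18th IEEE Symposium on Real-Time Distributed Computing (ISORC)},
  publisher = {IEEE},
  year      = {2015},
  location  = {Auckland, New Zealand},
  doi       = {10.1109/ISORC.2015.10},
  keywords  = {Dependability, Fault Tolerance, Graceful Degradation, Mixed Criticality, Deployment, Formal Methods, SMT, Model-based Systems Engineering, MbSE},
  abstract  = {Fault-tolerant distributed embedded systems have to react properly on the occurrence of faults in order to avoid harm to the system or its environment. Faulty system resources have to be isolated from the remaining system. Hence, these resources become unavailable, leading to a decreasing number of available resources and input data. In such cases, mechanisms like graceful degradation may be applied to ensure that the system does not turn off completely, but degrades its provided set of functional features gracefully. It must be ensured that the remaining intact resources are efficiently used to execute at least those features, which are required to behave fail-operational. In this paper, we investigate deployments of mixed-critical software components to a fault-tolerant system platform. We introduce a formal model of software components and their publish/subscribe based communication channels. We use this model to analyze the graceful degradation of the system in different scenarios of failing execution hardware. This includes also the explicit deactivation of software components due to unavailable required input data. Our analysis is based on using an SMT solver and contributes to guarantee that all requirements with respect to fail-operationality are met by the system design. The approach is evaluated by an example and a scalability analysis.},
}

@inproceedings{becker2014,
  author     = {Becker, Klaus and Armbruster, Michael and Sch{\"{a}}tz, Bernhard and Buckl, Christian},
  title      = {Deployment Calculation and Analysis for a Fail-Operational Automotive Platform},
  booktitle  = {1st Workshop on Engineering Dependable Systems of Systems (EDSoS)},
  year       = {2014},
  month      = may,
  location   = {Newcastle upon Tyne, UK},
  eprint     = {1404.7763},
  eprinttype = {arXiv},
  url        = {https://arxiv.org/abs/1404.7763},
  keywords   = {Model-based Systems Engineering, MbSE},
  abstract   = {In domains like automotive, safety-critical features are increasingly realized by software. Some features might even require fail-operational behavior, so that they must be provided even in the presence of random hardware failures. A new fault-tolerant SW/HW architecture for electric vehicles provides inherent safety capabilities that enable fail-operational features. In this paper we introduce a formal model of this architecture and an approach to calculate valid deployments of mixed-critical software-components to the execution nodes, while ensuring fail-operational behavior of certain components. Calculated redeployments cover the cases in which faulty execution nodes have to be isolated. This allows to formally analyze which set of features can be provided under decreasing available execution resources.},
}

@inproceedings{becker2014b,
  author    = {Becker, Klaus and Sch{\"{a}}tz, Bernhard and Armbruster, Michael and Buckl, Christian},
  title     = {A Formal Model for Constraint-Based Deployment Calculation and Analysis for Fault-Tolerant Systems},
  booktitle = {Proceedings of the 12th International Conference on Software Engineering and Formal Methods (SEFM)},
  year      = {2014},
  location  = {Grenoble, France},
  doi       = {10.1007/978-3-319-10431-7_15},
  keywords  = {Fault-Tolerance, Fail-Operational, Mixed-Critical, Deployment, Dependability, SMT, Model-based Systems Engineering, MbSE},
  abstract  = {In many embedded systems like in the automotive domain, safety-critical features are increasingly realized by software. Some of these features are often required to behave fail-operational, meaning that they must stay alive even in the presence of random hardware failures. We propose a new fault-tolerant SW/HW architecture for electric vehicles with inherent safety capabilities that enable fail-operational features. In this paper, we introduce a constraint-based approach to calculate valid deployments of mixed-critical software components to the execution nodes. To avoid harm, faulty execution nodes have to be isolated from the remaining system. We treat the isolations of execution nodes and the required changes to the deployment to keep those software components alive that realize fail-operational features. The affected software components have to be resumed on intact execution nodes. However, the remaining system resources may become insufficient to execute the full set of software components after an isolation of an execution node. Hence, some components might have to be deactivated, meaning that features might get lost. Our approach allows to formally analyze which subset of features can still be provided after one or more isolations. We present an arithmetic system model with formal constraints of the deployment-problem that can be solved by an SMT solver. We evaluate our approach by showing an example problem and its solution.},
}

@inproceedings{Sommer2013b,
  author    = {Sommer, Stephan and Camek, Alexander and Buckl, Christian and Becker, Klaus and Zirkler, Andreas and Fiege, Ludger and Armbruster, Michael and Knoll, Alois},
  title     = {{RACE}: A Centralized Platform Computer Based Architecture for Automotive Applications},
  booktitle = {Vehicular Electronics Conference (VEC) and the International Electric Vehicle Conference (IEVC) (VEC/IEVC 2013)},
  publisher = {IEEE},
  year      = {2013},
  month     = oct,
  doi       = {10.1109/IEVC.2013.6681152},
  keywords  = {embedded, RACE, Model-based Systems Engineering, MbSE},
  abstract  = {In the last couple of years software functionality of modern cars increased dramatically. This growing functionality leads directly to a higher complexity of development and configuration. Current studies show that the amount of software will continue to grow. Additionally, advanced driver assistance systems (ADAS) and autonomous functionality, such as highly and fully automated driving or parking, will be introduced. Many of these new functions require access to different communication domains within the car, which increases system complexity. AUTOSAR, the software architecture established as a standard in the automotive domain, provides no methodologies to reduce this kind of complexity and to master new challenges. One solution for these evolving systems is developed in the RACE project. Here, a centralized platform computer (CPC) is introduced, which is inspired by the well-established approach used in other domains like avionics and automation. The CPC establishes a generic safety-critical execution environment for applications, providing interfaces for test and verification as well as a reliable communication infrastructure to smart sensors and actuators. A centralized platform also significantly reduces the complexity of integration and verification of new applications, and enables the support for Plug\&Play.},
}

@inproceedings{Blech2012,
  author    = {Blech, Jan Olaf and Falcone, Yli{\`{e}}s and Becker, Klaus},
  title     = {Towards Certified Runtime Verification},
  booktitle = {Proceedings of the 14th International Conference on Formal Engineering Methods (ICFEM 2012)},
  publisher = {Springer},
  year      = {2012},
  month     = nov,
  address   = {Kyoto, Japan},
  doi       = {10.1007/978-3-642-34281-3_34},
  keywords  = {Model-based Systems Engineering, MbSE},
  abstract  = {Runtime verification (RV) is a successful technique to monitor system behavior at runtime and potentially take compensating actions in case of deviation from a specification. For the usage in safety critical systems the question of reliability of RV components arises since in existing approaches RV components are not verified and may themselves be erroneous. In this paper, we present work towards a framework for certified RV components. We present a solution for implementations of transition functions of RV monitors and prove them correct using the Coq proof assistant. We extract certified executable OCaml code and use it inside RV monitors. We investigate an application scenario in the domain of automotive embedded systems and present performance evaluation for some monitored properties.},
}

@inproceedings{Sommer2012a,
  author    = {Becker, Klaus and Buckl, Christian and Camek, Alexander and Falk, Reiner and Fiege, Ludger and Gessner, J{\"{u}}rgen and Sommer, Stephan},
  title     = {{SW-basierte Integration von neuen Fahrzeugfunktionen in zentralisierten Controllern}},
  booktitle = {Automotive -- Safety \& Security},
  year      = {2012},
  isbn      = {978-3-88579-604-6},
  url       = {https://dl.gi.de/handle/20.500.12116/17552},
  keywords  = {Model-based Systems Engineering, MbSE},
  abstract  = {In aktuellen Fahrzeugen wird ein wesentlicher Teil der Fahrzeugfunktionen durch Software realisiert. Die Integration aktiv eingreifender Assistenzsysteme wird diesen Trend noch verst{\"{a}}rken und die Komplexit{\"{a}}t des Bordnetzes wird weiter zunehmen. In diesem Artikel stellen wir einen Ansatz vor, Bordnetz und Software im Fahrzeug {\"{u}}ber eine datenzentrische Middleware zu entkoppeln. Sie koordiniert die Kommunikation zwischen Funktionen, Sensorik und Aktorik zur Laufzeit. Basierend auf einer Zentralrechnerarchitektur wird eine redundante Datenbasis zur Verf{\"{u}}gung gestellt, die eine fail-operational Ausf{\"{u}}hrung auch von sicherheitskritischen Funktionen erlaubt. Wir stellen am Beispiel Plug-and-Play (PnP) eine neue Sekund{\"{a}}rfunktion vor, die durch diesen Ansatz erm{\"{o}}glicht wird. Safety- und Security-Aspekte der vorgestellten Architektur werden ebenfalls betrachtet.},
}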