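@comment{Bibliography of Becker et al. on formal analysis of graceful degradation
  and software deployment in fault-tolerant automotive systems. Field order is
  author, title, venue fields, year, month, identifiers, abstract, keywords.
  The original @article and @phdthesis entries had EMPTY citation keys, so they
  could not be cited and would collide with each other; keys becker2018 and
  becker2017 were assigned here (constructed, following the lastnameYYYY scheme
  already used by becker2015b). Month values are unquoted BibTeX macros, doi
  holds the bare DOI and url the raw URL; the styles add resolver and \url.}

@article{becker2018,
  author   = {Becker, Klaus and Voss, Sebastian and Sch{\"a}tz, Bernhard},
  title    = {Formal analysis of feature degradation in fault-tolerant automotive systems},
  journal  = {Science of Computer Programming},
  volume   = {154},
  number   = {1},
  pages    = {89--133},
  year     = {2018},
  month    = mar,
  doi      = {10.1016/j.scico.2017.10.007},
  abstract = {Safety critical fault-tolerant embedded systems have to react properly on failures of internal system elements to avoid failure propagation and finally a harmful external failure at the system boundary. Beside failure detection, actions for failure handling are essential to cover safety requirements. Actions reach from enabling fail-silent, fail-safe or fail-operational behavior of system elements, or also hybrids of this in a mixed criticality system design. Graceful degradation can be applied when system resources become insufficient, reducing the set of provided functional features. In this paper, we address mixed criticality and mixed reliability automotive systems. We consider mixed reliability by functional features having different fail-operational requirements. Beside pure fail-operational features, we also consider degradations of functional features, called fail-degraded features. We describe a formal system model that contains, i.a., the functional features of a vehicle, possible feature degradations, software components that realize the features, as well as the deployment of software components to execution units. We provide a structural analysis of the level of degradation on system level and feature level, which is required in scenarios of failing execution units and/or software components. Combined with this analysis, we synthesize valid deployments of software components to execution units, incorporating an adequate level of redundancy to meet the fail-operational requirements, if feasible. We apply our approach to a constructed automotive example.},
  keywords = {Graceful degradation, Fault tolerance, Redundancy, Fail-operational, Mixed criticality, Model-based Systems Engineering, MbSE},
}

@comment{becker2017: the original carried the same institution four times
  (publisher, organization, school, institution). Only school is kept: it is the
  required field for @phdthesis in classic BibTeX and is aliased to institution
  by biblatex, so keeping both would trigger a duplicate-field warning there.}

@phdthesis{becker2017,
  author   = {Becker, Klaus},
  title    = {Software Deployment Analysis for Mixed Reliability Automotive Systems},
  school   = {TU M{\"u}nchen},
  year     = {2017},
  month    = jun,
  url      = {http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:bvb:91-diss-20170726-1345914-1-1},
  abstract = {Safety critical systems require rising dependability due to increasing autonomy. Fault-tolerance is necessary, but failures may cause system resources to become insufficient to provide all intended functional features. We introduce an approach to formally analyze failure scenarios in mixed criticality systems, combined with the synthesis of valid deployments of software to hardware, incorporating adequate redundancy to address mixed reliability. Based on a formal system model, we provide a structural analysis of necessary degradations and failovers in failure scenarios, while ensuring the fulfillment of fail-operational requirements.},
  keywords = {Fault Tolerance, Graceful Degradation, Fail-Operational, Dependability, Reliability, Mixed Criticality, Safety, Deployment, Redundancy, Synthesis, Automotive, Formal Methods, Model-based Systems Engineering, MbSE},
}

@comment{becker2015b: the conference city was stored in location, which biblatex
  prints as the PUBLISHER's city (rendering as Auckland: IEEE). It is moved to
  venue, the biblatex field for the event place; classic BibTeX ignores both.}

@inproceedings{becker2015b,
  author    = {Becker, Klaus and Voss, Sebastian},
  title     = {Analyzing Graceful Degradation for Mixed Critical Fault-Tolerant Real-Time Systems},
  booktitle = {18th IEEE Symposium on Real-Time Distributed Computing (ISORC)},
  venue     = {Auckland, New Zealand},
  publisher = {IEEE},
  year      = {2015},
  doi       = {10.1109/ISORC.2015.10},
  abstract  = {Fault-tolerant distributed embedded systems have to react properly on the occurrence of faults in order to avoid harm to the system or its environment. Faulty system resources have to be isolated from the remaining system. Hence, these resources become unavailable, leading to a decreasing number of available resources and input data. In such cases, mechanisms like graceful degradation may be applied to ensure that the system does not turn off completely, but degrades its provided set of functional features gracefully. It must be ensured that the remaining intact resources are efficiently used to execute at least those features, which are required to behave fail-operational. In this paper, we investigate deployments of mixed-critical software components to a fault-tolerant system platform. We introduce a formal model of software components and their publish/subscribe based communication channels. We use this model to analyze the graceful degradation of the system in different scenarios of failing execution hardware. This includes also the explicit deactivation of software components due to unavailable required input data. Our analysis is based on using an SMT solver and contributes to guarantee that all requirements with respect to fail-operationality are met by the system design. The approach is evaluated by an example and a scalability analysis.},
  keywords  = {Dependability, Fault Tolerance, Graceful Degradation, Mixed Criticality, Deployment, Formal Methods, SMT, Model-based Systems Engineering, MbSE},
}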