Now showing 1 - 10 of 18
  • Publication
    Approach for Argumenting Safety on Basis of an Operational Design Domain
    ( 2024) ;
    Zeller, Marc
    ;
    Schoenhaar, Hannes
    ;
    ;
    The Operational Design Domain (ODD) is a representative model of the real world in which an Automated Driving System (ADS) is intended to operate. The definition of the ODD is a crucial part of the development process for such an artificial intelligence (AI)-enabled system. This is due to the fact that the ODD is the basis for several critical development activities, like defining system-level requirements, test & verification, and building a well-founded safety case for an AI-based ADS. Since an inadequately defined ODD poses a major safety concern for the entire development, an ODD must be defined completely and consistently during the development process. In this work, we present an approach for the ODD definition and maintenance during the development of safety-critical AI-based ADS functionalities and provide evidences to argue the sufficient completeness and consistency. We demonstrate the feasibility of our approach by an industrial use case of a fully automated system in the railway domain.
  • Publication
    Concept for Safe Interaction of Driverless Industrial Trucks and Humans in Shared Areas
    ( 2022-06-17) ; ; ;
    Ishigooka, Tasuku
    ;
    Otsuka, Satoshi
    ;
    Mizuochi, Mariko
    Humans still need to access the same area as automated systems, like in warehouses, if full automation is not feasible or economical. In such shared areas, critical interactions are inevitable. The automation of vehicles is usually tied to an argument on improved safety. However, current standards still rely also on the awareness of humans to avoid collisions. Along with this, modern intelligent warehouses are equipped with additional sensors that can help to automate safety. Blind corners, where the view is obscured, are particularly critical and, moreover, their location can change when goods are moved. Therefor, we generalize a concept for safe interactions at known blind corners to movements in the entire warehouse. We propose an architecture that uses infrastructure sensors to prevent human-robot collisions with respect to automated forklifts as instances of driverless industrial trucks. This includes a safety critical function using wireless communication, which sporadically might be unavailable or disturbed. Therefore, the proposed architecture is able to mitigate these faults and gracefully degrades the system’s performance if required. Within our extensive evaluation, we simulate varying warehouse settings to verify our approach and to estimate the impact on an automated forklift’s performance.
  • Publication
    Dependable and Efficient Cloud-Based Safety-Critical Applications by Example of Automated Valet Parking
    ( 2021) ;
    Shekhada, Dhavalkumar
    ;
    ; ;
    Ishigooka, Tasuku
    ;
    Otsuka, Satoshi
    ;
    Mizuochi, Mariko
    Future embedded systems and services will be seamlessly connected and will interact on all levels with the infrastructure and cloud. For safety-critical applications this means that it is not sufficient to ensure dependability in a single embedded system, but it is necessary to cover the complete service chain including all involved embedded systems as well as involved services running in the edge or the cloud. However, for the development of such Cyber-Physical Systems-of-Systems (CPSoS) engineers must consider all kinds of dependability requirements. For example, it is not an option to ensure safety by impeding reliability or availability requirements. In fact, it is the engineers' task to optimize the CPSoS' performance without violating any safety goals. In this paper, we identify the main challenges of developing CPSoS based on several industrial use cases and present our novel approach for designing cloud-based safety-critical applications with optimized performance by the example of an automated valet parking system. The evaluation shows that our monitoring and recovery solution ensures a superior performance in comparison to current methods, while meeting the system's safety demands in case of connectivity-related faults.
  • Publication
    Safe Interaction of Automated Forklifts and Humans at Blind Corners in a Warehouse with Infrastructure Sensors
    ( 2021) ; ; ;
    Ishigooka, Tasuku
    ;
    Otsuka, Satoshi
    ;
    Mizuochi, Mariko
    Co-working and interaction of automated systems and humans in a warehouse is a significant challenge of progressing industrial systems' autonomy. Especially, blind corners pose a critical scenario, in which infrastructure-based sensors can provide more safety. The automation of vehicles is usually tied to an argument on improved safety. However, current standards still rely on the awareness of humans to avoid collisions, which is limited at corners with occlusion. Based on the examination of blind corner scenarios in a warehouse, we derive the relevant critical situations. We propose an architecture that uses infrastructure sensors to prevent human-robot collisions at blind corners with respect to automated forklifts. This includes a safety critical function using wireless communication, which sporadically might be unavailable or disturbed. Therefore, the proposed architecture is able to mitigate these faults and gracefully degrades performance if required. Within our extensive evaluation, we use a warehouse simulation to verify our approach and to estimate the impact on an automated forklift's performance.
  • Publication
    Resumption of runtime verification monitors: Method, approach and application
    ( 2018) ; ;
    Bauer, Bernhard
    Runtime verification checks if the behavior of a system under observation in a certain run satisfies a given correctness property. While a positive description of the system's behavior is often available from specification, it contains no information for the monitor how it should continue in case the system deviates from this behavior. If the monitor does not resume its operation in the right way, test coverage will be unnecessarily low or further observations are misclassified. To close this gap, we present a new method for extending state-based runtime monitors in an automated way, called resumption. Therefore, this paper examines how runtime verification monitors based on a positive behavior description can be resumed to find all detectable deviations instead of reporting only invalid traces. Moreover, we examine when resumption can be applied successfully and we present alternative resumption algorithms. Using an evaluation framework, their precision and recall for detecting different kinds of deviations are compared. While the algorithm seeking expected behavior for resumption works very well in all evaluated cases, the framework can also be used to find the best suited resumption extension for a specific application scenario. Further, two real world application scenarios are introduced where resumption has been successfully applied.
  • Publication
    Safe adaptation for reliable and energy-efficient E/E architectures
    ( 2017) ; ; ;
    Ruiz, Alejandra
    ;
    Radermacher, Ansgar
    The upcoming changing mobility paradigms request more and more services and features to be included in future cars. Electric mobility and highly automated driving lead to new requirements and demands on vehicle information and communication (ICT) architectures. For example, in the case of highly automated driving, future drivers no longer need to monitor and control the vehicle all the time. This calls for new fault-tolerant approaches of automotive E/E architectures. In addition, the electrification of vehicles requires a flexible underlying E/E architecture which facilitates enhanced energy management. Within the EU-funded SafeAdapt project, a new E/E architecture for future vehicles has been developed in which adaptive systems ensure safe, reliable, and cost-effective mobility. The holistic approach provides the necessary foundation for future invehicle systems and its evaluation shows the great potential of such reliable and energy-efficient E/E architectures.
  • Publication
    Method for automatic resumption of runtime verification monitors
    ( 2017) ; ;
    Bauer, Bernhard
    In networked embedded systems created with parts from different suppliers, deviations from the expected communication behavior often cause integration problems. Therefore, runtime verification monitors are used to detect if observed communication behavior fulfills defined correctness properties. However, in order to resume verification if unspecified behavior is observed, the runtime monitor needs a definition of the resumption. Otherwise, further deviations may be overlooked. We present a method for extending state-based runtime monitors with resumption in an automated way. This enables continuous monitoring without interruption. The method may exploit diverse resumption algorithms. In an evaluation, we show how to find the best suited resumption extension for a specific application scenario and compare the algorithms.
  • Publication
    DANA - Description and Analysis of Networked Applications
    We introduce the DANA platform for specifying and analyzing networked applications. DANA was originally created targeting the automotive domain for the verification and validation of software interface behavior in new infotainment and advanced driver assistant systems that are integrated on a single hardware platform. The messages in these interfaces can contain complex data, e.g., playlists with images. Therefore, valid behavior is described as a layered reference model. The platform can use the model to generate test cases, code for simulation, and to verify a live or recorded trace. Exchangeable resumption algorithms enable DANA to resume runtime verification after a deviation using the original state machine without manual changes. A generic input model allows quick integration of new sources for messages. Therefore, DANA can easily be applied to other domains where interactive behavior can be observed. In this paper, we present the tool, its layered reference model, and show its application for runtime verification.
  • Publication
    Generic management of availability in fail-operational automotive systems
    The availability of functionality is a crucial aspect of mission- and safety-critical systems. This is for instance demonstrated by the pursuit to automate road transportation. Here, the driver is not obligated to be part of the control loop, thereby requiring the underlying system to remain operational even after a critical component failure. Advances in the field of mixed-criticality research have allowed to address this topic of fail-operational system behaviour more efficiently. For instance, general purpose computing platforms may relinquish the need for dedicated backup units, as their purpose can be redefined at runtime. Based on this, a deterministic and resource-efficient reconfiguration mechanism is developed, in order to address safety concerns with respect to availability in a generic manner. To find a configuration for this mechanism that can ensure all availability-related safety properties, a design-time method to automatically generate schedules for different modes of operations from declaratively defined requirements is established. To cope with the inherent computational complexity, heuristics are developed to effectively narrow the problem space. Subsequently, this method's applicability and scalability are respectively evaluated qualitatively within an automotive case study and quantitatively by means of a tool performance analysis.
  • Publication
    Absicherung vernetzter IoT-Funktionen mit selbstlernenden Modellen
    Mit dem Internet-of-Things (IoT) wird die Verknüpfung diverser Systeme von eingebetteten Steuerungen über Cloud-Services und diverse Frameworks sowie Plattformen möglich. Für den Nachrichtenaustausch der beteiligten Komponenten existiert bereits heute eine Vielzahl von grundlegenden Kommunikationsprotokollen. Die darauf aufbauenden Anwendungsprotokolle sind jedoch in der Regel spezifisch für einzelne Applikationen definiert und umgesetzt. Um auch das korrekte Funktionieren einer vernetzten Anwendung sicherzustellen, muss deren Interaktion mit anderen Komponenten abgesichert und verifiziert werden. Damit dies effizient möglich ist, sind neue Verfahren zur automatisierten Absicherung notwendig, so dass die korrekte Interaktion solcher verteilter Anwendungen sichergestellt werden kann. Hierfür wird ein modellgetriebenes Verfahren vorgestellt, welches es erlaubt Fehler automatisiert anhand des Kommunikationsverhaltens festzustellen. Um den Aufwand hierfür gering zu halten und auch neue, zunächst unbekannte Anwendungen absichern zu können, wird ein selbstlernendes Verfahren eingesetzt. Das kann teilautomatisiert Modelle aus Anwendungsprotokollen erzeugen, die dann wiederum überprüft und weiterverwendet werden können. So können diese Modelle auch wieder zur automatisierten Absicherung der Anwendungen genutzt werden. Das Verfahren wurde in verschiedenen Projekten und Anwendungsszenarios, wie am Beispiel einer Modell-Produktionsanlage, bereits erfolgreich erprobt.