Download We.Opening Allocutions presentation

Download We.Opening Session - Jean Arlat presentation

Download We.Opening Session - Alexandre Corjon presentation

Download We.Opening Session - Charles Champion presentation

Download We.Keynote Address 1 presentation

We.1.A.114:30add We.1.A.1 to agenda

Download We.1.A.1

Towards an Operational Design Domain That Supports the Safety Argumentation of an Automated Driving System

Magnus Gyllenhammar - Zenuity, Sweden Rolf Johansson - Autonomous Intelligent Driving, Sweden Fredrik Warg - SP Technical Research Institute of Sweden, Sweden Dejiu Chen - KTH Royal Institute of Technology, Sweden Hans-Martin Heyn - Volvo Technology AB, Sweden Martin Sanfridson - Volvo Technology AB, Sweden Jan Söderberg - Systemite AB, Sweden Anders Thorsén - SP Technical Research Institute of Sweden, Sweden Stig Ursing - Semcon Sweden AB, Sweden

One of the biggest challenges for self-driving road vehicles is how to argue that their safety cases are complete. The operational design domain (ODD) of the automated driving system (ADS) can be used to restrict where the ADS is valid and thus confine the scope of the safety case as well as the verification. To complete the safety case there is a need to ensure that the ADS will not exit its ODD. We present four generic strategies to ensure this. Use cases (UCs) provide a convenient way providing such a strategy for a collection of operating conditions (OCs) and further ensures that the ODD allows for operation within the real world. A framework to categorise the OCs of a UC is presented and it is suggested that the ODD is written with this structure in mind to facilitate mapping towards potential UCs. The ODD defines the functional boundary of the system and modelling it with this structure makes it modular and generalisable across different potential UCs. Further, using the ODD to connect the ADS to the UC enables the continuous delivery of the ADS feature. Two examples of dimensions of the ODD are given and a strategy to avoid an ODD exit is proposed in the respective case.

We.1.A.315:00add We.1.A.3 to agenda

Download We.1.A.3
Download We.1.A.3 presentation

Assuring ED-12C Autonomous Decision Making for UAVs

Nick Tudor - D-RisQ Ltd, United Kingdom Colin O'Halloran - D-RisQ Ltd, United Kingdom

There is a growing need to introduce a level of autonomous capability for Unmanned Air Vehicles (UAVs) to enable further commercial exploitation of the technology. The project Enhancing Safety, Reliability and Airworthiness of Beyond Visual Line Of Sight (BVLOS) Autonomous UAV operations" sought to establish the principles for developing autonomous behaviours in a high integrity decision making system which allows the appropriate level of "certification" against e.g. ED-12C/DO-178C to enable operations in non-segregated airspace. The aim was to produce behaviour for a fully autonomous UAV that would mimic the behaviour expected by a manned aircraft, i.e. that it would behave in accordance with the Standardised European Rules of the Air (SERA). The approach developed and exploited D-RisQ automated formal methods based verification technologies which allowed compliance to ED-216/DO-333 to be used. Our approach combined the innovation from the current UAS applications with the structured certification approach for manned aviation to then allow alignment of operations in multi-use airspace. "

We.1.B.114:30add We.1.B.1 to agenda

Download We.1.B.1
Download We.1.B.1 presentation

Concept Enforcement and Modularization as Methods for the ISO 26262 Safety Argumentation of Neural Networks

Gesina Schwalbe - Continental Automotive GmbH, Germany Martin Schels - Continental Automotive GmbH, Germany

Neural networks (NN) are prone to systematic faults which are hard to detect using the methods recommended by the ISO 26262 automotive functional safety standard. In this paper we propose a unified approach to two methods for NN safety argumentation: Assignment of human interpretable concepts to the internal representation of NNs to enable modularization and formal verification. Feasibility of the required concept embedding analysis is demonstrated in a minimal example and important aspects for generalization are investigated. The contribution of the methods is derived from a proposed generic argumentation structure for a NN model safety case.

We.1.B.215:00add We.1.B.2 to agenda

Download We.1.B.2
Download We.1.B.2 presentation

A Survey on Methods for the Safety Assurance of Machine Learning Based Systems

Gesina Schwalbe - Continental Automotive GmbH, Germany Martin Schels - Continental Automotive GmbH, Germany

Methods for safety assurance suggested by the ISO 26262 automotive functional safety standard are not sufficient for applications based on machine learning (ML). We provide a structured, certification oriented overview on available methods supporting the safety argumentation of a ML based system. It is sorted into life-cycle phases, and maturity of the approach as well as applicability to different ML types are collected. From this we deduce current open challenges: powerful solvers, inclusion of expert knowledge, validation of data representativity and model diversity, and model introspection with provable guarantees.

We.1.B.315:30add We.1.B.3 to agenda

Download We.1.B.3
Download We.1.B.3 presentation

Current Challenges in the Certification of Machine Learning for Safety Critical Systems

Eric Jenn - IRT Saint-Exupéry, France Alexandre Albore - IRT Saint Exupery, France Franck Mamalet - IRT Saint-Exupery, France Grégory Flandin - IRT Saint-Exupéry, France Christophe Gabreau - AIRBUS SAS, France Hervé Delseny - AIRBUS SAS, France Adrien Gauffriau - AIRBUS SAS, France Hugues Bonin - Continental, France Lucian Alecu - Continental, France Jérémy Pirard - Continental, France

Today, Machine Learning (ML) seems to be one of the only technically and economically viable solution to automate some complex tasks usually realized by humans, such as driving vehicles, recognizing voice, etc. However, these techniques come with new potential risks and as so, have only been applied in systems where the benefits of the technique are considered worth this increase of risk. But when dependability is at stake, the risk level must be contained. Giving confidence in the ML-based system to the developer of the system, to the regulation or certification authority that delivers the authorization to commission the system, or to the human operator that will interact with the system, becomes an essential objective. In order to identify the main challenges for placing a justifiable reliance on systems embedding ML and, eventually, certify those systems, the Institut de Recherche Technologique Saint-Exupery de Toulouse (IRT) has created a workgroup involving key players in the automotive, railways, and aeronautical do-mains. This paper presents the objectives of this workgroup and the approach of the problem, and gives some first results. Focus is placed on supervised machine learning.

We.1.C.114:30add We.1.C.1 to agenda

Download We.1.C.1
Download We.1.C.1 presentation

Towards Probabilistic Timing Analysis for SDFGs on Tile Based Heterogeneous MPSoCs

Ralf Stemmer - Carl von Ossietzky Universität Oldenburg, Germany Hai-Dang Vu - University of Nantes, France Kim Gruettner - OFFIS e.V., Germany Sebastien Le Nours - University of Nantes, France Wolfgang Nebel - Carl von Ossietzky Universität Oldenburg, Germany Sebastien Pillement - University of Nantes, France

Abstract—Performance and timing prediction of complex parallel data flow applications on multi-core systems is still a very difficult discipline. The reason for it comes from the complexity of the hardware platforms with difficult or hard to predict timing properties and the rising complexity of the software itself. In this work, we are proposing the combination of timing measurement and statistical simulation models for probabilistic timing and performance prediction of Synchronous Data Flow (SDF) applications on tile-based MPSoCs. We compare our work against mathematical and traditional simulation based performance prediction models. We have shown that the accuracy and execution time of our simulation can be suitable for design space exploration.

We.1.C.215:00add We.1.C.2 to agenda

Download We.1.C.2
Download We.1.C.2 presentation

Build Your Own Static WCET Analyzer: the Case of the Automotive Processor AURIX TC275

Wei-Tsun Sun - IRT Saint Exupéry, France Eric Jenn - IRT Saint Exupéry, second by Thales AVS., France Hugues Hugues Cassé - IRIT - University of Toulouse, France

Static Analysis (SA) is one of the solutions to estimate upper bounds of Worst Case Execution Times (WCET). It relies on a set of mathematical techniques, such as IPET (Implicit Path Enumeration Technique), and abstract interpretation based on Circular Linear Progressions, whose implementation partially depends on the target processor. This paper shows how an industrial end-user can develop a static WCET analyser for a specific processor target thanks to the built-in components and the modularity of the OTAWA WCET analysis framework. It points out the main difficulties that have been encountered, and gives an estimation of the development effort and of the accuracy of the results. In this paper, the approach is applied on the Infineon AURIX TC275 microcontroller.

We.1.C.315:30add We.1.C.3 to agenda

Download We.1.C.3
Download We.1.C.3 presentation

Multicore shared memory interference analysis through hardware performance counters

Alfonso Mascarenas Gonzalez - ONERA, France Youcef Bouchebaba - ONERA, France Luca Santinelli - AIRBUS DS Germany, France

The aim of this paper is to present a high precision and event-versatile MBPTA framework that we have developed for the statistical timing analysis of multicore platforms. Its use satisfactorily allows the study of complex multicore platforms from the CPU point of view, without requiring hardware or software models. This gives us an accurate real view of the platform behavior for any specific situation without using extra tools. In addition, this measurement framework is directly portable to other multicore platforms with the same CPU version and easily portable to other CPU versions within the same manufacturer. The MBPTA framework directly uses coprocessors and the Performance Monitor Unit (PMU), i.e. Performance Monitor Hardware (PMH), instead of software profilers. Hardware performance counters provide low-overhead access to a considerable amount of performance information of numerous elements such as the CPU, caches or bus. The statistical timing analysis consists in proposing average and worst-case modeling by making use of the tool diagXtrm applied to measurement of task execution times. Measurements obtained from the PMH are used for analyzing and quantifying the interference that can happen within a multicore platform. The potential for measurements from coprocessor and PMU, as well as its potential for statistical analysis, is shown by using an heterogeneous multicore Texas Instrument system on chip. The interference we focus on are due to the shared memory of this platform.

We.2.A.116:30add We.2.A.1 to agenda

Download We.2.A.1
Download We.2.A.1 presentation

Safer Transitions of Responsibility for Highly Automated Driving: Designing HMI for Transitions with Functional Safety in Mind

Matthew Sassman - Semcon Sweden AB, Sweden Richard Wiik - Semcon Sweden AB, Sweden

With highly automated driving on the horizon, and the wide adoption of functional safety standards for road vehicles, it is important for human-machine interface (HMI) designers to understand what this means in terms of their work. This article provides a very brief introduction to Automotive Safety Integrity Levels (ASILs), a key functional safety concept laid out in ISO 26262, and explores how they can impact HMI design in transitions of authority in highly automated driving. It also investigates interactions to avoid, namely emph{unfair transitions}, being emph{stuck in transition}, and emph{mode confusion}, and illustrates how to apply several guidelines to help design a safe transition.

We.2.A.217:00add We.2.A.2 to agenda

Download We.2.A.2
Download We.2.A.2 presentation

Towards Safety Analysis of Interactions Between Human Users and Automated Driving Systems

Fredrik Warg - RISE Research Institutes of Sweden, Sweden Stig Ursing - Semcon Sweden AB, Sweden Martin Kaalhus - Semcon Sweden AB, Sweden Richard Wiik - Semcon Sweden AB, Sweden

One of the major challenges of designing automated driving systems (ADS) is showing that they are safe. This includes safety analysis of interactions between humans and the ADS, a multi-disciplinary task involving functional safety and human factors expertise. In this paper, we lay the foundation for a safety analysis method for these interactions, which builds upon combining human factors knowledge with known techniques from the functional safety domain. The aim of the proposed method is finding safety issues in proposed HMI protocols. It combines constructing interaction sequences between human and ADS as a variant of sequence diagrams, and use these sequences as input to a cause-consequence analysis with the purpose of finding potential interaction faults that may lead to dangerous failures. Based on a this analysis, the HMI design can be improved to reduce safety risks, and the analysis results can also be used as part of the ADS safety case.

We.2.B.116:30add We.2.B.1 to agenda

Download We.2.B.1
Download We.2.B.1 presentation

Combined Real-Time, Safety and Security Model Analysis

Pierre Dissaux - Ellidiss Technologies, France Frank Singhoff - University of Brest, Lab-STICC, CNRS UMR 6285, France Laurent Lemarchand - University of Brest, Lab-STICC, CNRS UMR 6285, France Hai Nam Tran - University of Brest, Lab-STICC, CNRS UMR 6285, France Ill-Ham Atchadam - University of Brest, Lab-STICC, CNRS UMR 6285, France

Model Driven Engineering practices have been subject to many improvements since the last tens of years as much for modelling languages as model analysis and verification solutions. In the context of critical systems, the role of early verification is one of the most challenging approaches to cope with the increase of size and complexity of embedded software. One of the subsequent issues concerns the need to perform model verifications referring to several analysis domains that may lead to contradictory conclusions about the correctness of the model. This paper describes a case study composed of a unique AADL model that is analysed by several specialized tools, all embedded into the same AADL Inspector framework. Real-Time performance is evaluated by scheduling aware end to end flow latency analysis using timing simulation results. Safety analysis makes use of the AADL error model annex to perform Fault Tree Analysis. Cyber security assessment is performed by checking a set of rules that reflect the chosen policy and that are implemented by dedicated LAMP annexes of the AADL model.

We.2.B.217:00add We.2.B.2 to agenda

Download We.2.B.2
Download We.2.B.2 presentation

Preliminary Safety-Security Co-engineering Process in the Industrial Automation Sector

Alejandra Ruiz - Tecnalia, Spain Javier Puelles - Tecnalia, Spain Jabier Martinez - Tecnalia, Spain Thomas Gruber - AIT Austrian Institute Of Technology, Austria Martin Matschnig - Siemens AG, Austria Bernhard Fischer - Siemens AG, Austria

The Industrial Automation Sector has a long tradition of showing compliance on functional safety. Ultimately, security was taken into account only at production phase and with a reactive approach. However, this domain is experiencing an increasing need to incorporate cyber-security mechanisms and to provide evidences on security-related standards and applying security by design principles. Both domains have their own regulations defining specific life-cycles. In this work we analyzed IEC 61508 (safety-related) and ISA 62443 (security-related) standards to 1) identify commonalities and create a mapping model, and 2) propose a combined process in the context of safety and security co-engineering. Our approach is qualitatively evaluated by experts on the standards and by practitioners of this domain.

We.2.C.116:30add We.2.C.1 to agenda

Download We.2.C.1
Download We.2.C.1 presentation

Safe Scheduling on Multicores: an approach leveraging mixed-criticality and end-to-end deadlines.

Daniel Loche - Renault S.A.S. & LAAS-CNRS, France Michaël Lauer - Université de Toulouse/LAAS-CNRS, France Matthieu Roy - LAAS-CNRS, France Jean-Charles Fabre - LAAS-CNRS, France

Memory access duration on multicore architectures are highly variable, since concurrent accesses to resources by different cores induce time interferences. Consequently, critical software tasks may be delayed by non-critical ones, leading to deadline misses and possible catastrophic failures. We present an approach to tackle the implementation of mixed criticality workloads on multicore chips, focusing on task chains, i.e., sequences of tasks with end-to-end deadlines. Our main contribution is a Monitoring & Control Agent able to stop non-critical software execution in order to prevent memory interference and guarantee that critical tasks deadlines are met. This paper describes our approach, and the associated experimental framework to conduct experiments to analyze attainable real-time guarantees on a multicore platform.

We.2.C.217:00add We.2.C.2 to agenda

Download We.2.C.2
Download We.2.C.2 presentation

Non-Preemptive Scheduling of Mixed-Criticality Real-Time Systems

Jasdeep Singh - ONERA, France Luca Santinelli - ONERA, France Federico Reghenzani - Politecnico di Milano, Italy Konstantinos Bletsas - Polytechnic Institute of Porto (ISEP/IPP), Portugal Zhishan Guo - University of Central Florida, United States

In this work we develop an offline analysis of periodic mixed-criticality real-time systems. We develop a graph-based exploratory method to non-preemptively schedule multiple criticality tasks. The exploration process obtains a schedule for each periodic instance of the tasks. The schedule adjusts for criticality mode changes to maximize the resource usage by allowing lower criticality executions. At the same time, it ensures that the schedulability of other higher criticality jobs is never compromised. We also quantify the probabilities associated to a criticality mode change by using task probabilistic Worst Case Execution Times. A method to reduce the offline complexity is also proposed.

We.2.C.317:30add We.2.C.3 to agenda

Download We.2.C.3
Download We.2.C.3 presentation

Accounting for interferences in the design of Time-Triggered Applications

Antoine Ferlin - IRT Saint Exupery, France Eric Jenn - Thales AVS and IRT Saint Exupery, France Marc Kaufmann - Safran Electronics and Defense, France

Multicore processors are making their way into safety critical embedded systems. In order to ensure compliance with temporal requirements, interferences between cores induced by the shared platform resources must be taken into account and controlled. This paper proposes an approach to account for SDRAM interferences in the context of a time-triggered software architecture. The approach is applied on a simple robotic application.

We.3.A.117:30add We.3.A.1 to agenda

Download We.3.A.1
Download We.3.A.1 presentation

An Ontology Based Anomaly Detection System for Cellular Vehicular Communications

Quentin Ricard - LAAS-CNRS, France Philippe Owezarski - LAAS-CNRS, France

Intelligent Transportation Systems are being deployed all over the world, providing new applications and services that could prevent accidents, help regulate traffic and the automotive industry in designing energy efficient vehicles. However, enabling vehicles to communicate with the rest of the world ultimately leads to new security challenges with connected vehicles becoming new interesting targets for malicious actors. Thus, safeguards need to be deployed to detect malicious and anomalous activities in vehicular communications. This paper presents an approach to anomaly detection based on an ontological representation of cellular vehicular communication.

We.3.A.218:00add We.3.A.2 to agenda

Download We.3.A.2
Download We.3.A.2 presentation

Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation

Bilel Cherif - LAAS-CNRS, France Nicolas Riviere - LAAS-CNRS and University of Toulouse, France Pascal Berthou - LAAS-CNRS and University of Toulouse, France Yann Labit - LAAS-CNRS and University of Toulouse, France

Multi-access Edge Computing (MEC) is one of the key enablers behind intelligent transportation systems (ITS) futuristic applications. To address and evaluate applications that aimed at offering a service in this context, researchers and developers need a prototyping tool to abstract this system aspects. However, currently available tools do not model this environment nor give the possibility of running under development MEC services for evaluation purposes. In this paper, we propose a MEC vehicular application testbed, combining virtual technologies and network emulation tools. The goal is to help through the process of evaluating proposed solutions and applications destined to offer MEC ITS services.

We.3.B.117:30add We.3.B.1 to agenda

Download We.3.B.1
Download We.3.B.1 presentation

High-Precision Sound Analysis to Find Safety and Cybersecurity Defects

Daniel Kästner - AbsInt GmbH, Germany Laurent Mauborgne - AbsInt GmbH, Germany Christian Ferdinand - AbsInt GmbH, Germany

In recent years, security concerns have become more and more relevant for safety-critical systems. Many cybersecurity vulnerabilities are caused by runtime errors, hence sound static runtime error analysis contributes to meeting both safety and security goals. In addition, for cybersecurity goals, often sophisticated data and control flow analyses are needed, e.g., to track the effects of corrupted values, or determine dependence on potentially corrupted inputs. A sound analysis can guarantee that neither control flow paths nor read or write accesses are missed, even in case of data or function pointer accesses. To be feasible for industrial use, a static analyzer must be precise, i.e., produce few false alarms, and it must be user-configurable to allow analyzing specific data and control flow properties. It must also support efficient alarm investigation to minimize the manual effort needed to review the findings of the analyzer. In this article we give an overview of novel extensions of the sound static analyzer Astrée to minimize the false alarm rate, and to support advanced data and control flow analysis by taint analysis and analysis-enhanced program slicing. We describe an application of Astrée’s taint analysis framework to detect Spectre v1/1.1/SplitSpectre vulnerabilities. Astrée’s program slicer can also be applied for alarm slicing, which can significantly reduce the manual effort of reviewing the analyzer findings. Practical experience is reported on industrial avionic and automotive applications.

We.3.B.218:00add We.3.B.2 to agenda

Download We.3.B.2
Download We.3.B.2 presentation

Integration of safety and cybersecurity analysis through combination of systems and reliability theory methods

Joaquim Maria Castella Triginer - Virtual Vehicle Research Center, Spain Helmut Martin - Virtual Vehicle Research Center, Austria Bernhard Winkler - Virtual Vehicle Research Center, Austria Nadja Marko - Virtual Vehicle Research Center, Austria

The development of requirements for automotive E/E (electrics/electronics) systems are becoming increasingly complex since these systems are more and more interconnected and software-intensive. In the automotive industry, there are two main international standards to accomplish safety and cybersecurity requirements: ISO 26262 for functional safety in E/E systems and SAE J3061 (ISO/SAE 21434 in elaboration) for cybersecurity engineering in cyber-physical vehicle systems. Safety and security are two interdependent properties of future automated driving systems that must ensure the protection of vehicles against unintended failures and intentional attacks. To optimize resources, it is necessary to find common properties to integrate functional safety and cybersecurity in a unified analysis. Furthermore, a holistic approach to safety and cybersecurity analysis is needed, based on systems theory, which addresses more types of hazards and threats, and treats them as a problem of dynamic control rather than individual component failure. This paper presents the integration of safety and cybersecurity analysis through the combination of methods based on systems theory and reliability theory. It provides an overall, generic methodology to combine the functional safety and cybersecurity analysis, to obtain a list of common requirements. The presented approach combines systems theory methods STPA (Systems-Theoretic Process Analysis) and STPA-sec (STPA for Security) with the reliability theory methods HARA (Hazard Analysis and Risk Assessment) and TARA (Threat Analysis and Risk Assessment). The proposed approach is applied to an on-going project of a fully automated vehicle at Virtual Vehicle Research Center called SPIDER (Smart PhysIcal Demonstration and Evaluation Robot). SPIDER is an omnidirectional robot car, which can autonomously move along a predefined global path with a self-developed mobile platform for the development and testing of autonomous driving functions. First results provide a proof of concept on applying the proposed approach to the remote communication module of SPIDER obtaining the functional and technical safety and cybersecurity requirements.