Automating Time Series Safety Analysis for Automotive Control Systems using Weighted ... · 2020....
Automating Time Series Safety Analysis for Automotive Control Systems using Weighted Partial Max-SMT
Shuichi Sato 1,2, Shogo Hattori 2, Hiroyuki Seki 2, Yutaka Inamori 1, Shoji Yuen 2
1 Toyota Central R&D Labs., Inc.  2 Nagoya University
Appeared in FTSCS 2016
2
Contents
• Background
• Motivation
• Approach and method
• Case Study
• Concluding remarks
2019/6/24-26 Shonan Meeting #139
3
Background
• Applying STAMP*1 / STPA*2 to automotive safety analysis.
Preparation (Step 0): Identify accidents and hazards; construct a control structure.
Step 1: Identify Unsafe Control Actions (UCAs).
  Ex. The system outputs a steering command while the driver performs no steering action. Hazard!!
Step 2: Identify causes of UCAs.
Control structure (diagram): Control Algorithm, Process Model, Controlled Process, Feedback; UCAs flow from the controller to the controlled process.
*1 System-Theoretic Accident Model and Process
*2 Systems-Theoretic Process Analysis
4
Motivation
(Intermittent) multi-signal disturbance that causes UCAs.
Ex. Signal disturbance on the signal path between ECU, actuator, wireless I/F and sensor.
Challenge: Too many signal combinations and time series patterns in designing error/attack-proof systems.
Goal: Detection of intermittent multi-signal disturbances.
Diagram: ECU, Actuator, Wireless I/F, Sensor.
5
Behavioral Model
• Synchronous transition system with Boolean guard conditions. Complete graph: potentially ill transitions are possible.
• UCA states: states with transitions of UCAs, unreachable by normal transitions only.
Diagram: Actuator, Wireless I/F, Sensor; Initial state and UCA state.
6
Behaviour with Disturbance
If signals are disturbed, unexpected transitions can occur, leading to a UCA.
Diagram: Actuator, Wireless I/F, Sensor; Initial state and UCA state.
7
Analysis overview
Input: transition system, UCAs, possible disturbed signals.
Output: disturbed signal patterns.
Approach
9
Transition System
・Transition system M: control state, state variable, initial control state, and transitions = { ( , ) | , : constraints over the state variables }.
・A trace of M: α = (·,·)_0 (·,·)_1 ・・・ (·,·)_n, where (·)_i is the value assignment at step i and (·,·,·)_i is the transition taken from step i to step i+1.
Deterministic transition system: is unique to
10
Bounded Trace Formula
・A trace formula of M (length K) is a logical formula that is satisfied by the value assignments at steps 0, 1, ・・・, K iff they form a trace in M.
・Straightforwardly constructed from M.
11
Trace Formula of Transition System
Trace (length K): q0 q1 … qK
Diagram: states q0, q1, q2, q3, q4, q5, q6, q7, qU (Initial state q0, UCA state qU).
Trace Formula: satisfied by the values along the trace.
13
Unsafe Control Actions (UCAs)
• Reachability to hazardous states with unexpected values for a consecutive period of time (not expected in the design).
UCAs as a constraint: along the bounded trace step 0, step 1, …, step K, the unsafe condition holds at every step from step i to step i+n-1 (n consecutive steps).
14
Signal Disturbance
Diagram: states q0, q1, q2, q3, q4, q5, q6, q7, qU (Initial state q0, UCA state qU) with a trace q0 q1 … qK.
15
Signal Disturbance
Diagram: states q0, q1, q2, q3, q4, q5, q6, q7, qU (Initial state q0, UCA state qU). One signal value along the trace is accidentally altered, diverting the trace toward the UCA state.
18
Disturbed Signal Pattern
Definition of disturbed signal pattern:
  : set of variables
  : value assignment to the variables
  : time series of the variables
 K : trace bound length
where
  : original variables
  : cushion variables
19
Modified Trace Formula with Cushion Variables
Introduce "cushion variables". Replace the variables on the RHS with cushion variables.
Modified Trace Formula: U : set of disturbed variables.
Errors assign different values (to the cushion variables), leading to a UCA.
Diagram: trace q0 q1 … qK over states q0, q1, q2, q3, q4, q5, q6, q7, qU (Initial state q0, UCA state qU).
20
Disturbed Signal Detection
The trace formula without disturbance, conjoined with the UCA constraint, is not satisfiable (the UCA state is unreachable by normal transitions).
The modified trace formula with cushion variables, where  : cushion variables and  : original variables, conjoined with the UCA constraint, is satisfiable.
21
Intermittent Signal Disturbance
Signal disturbances occur no more than L times in p execution steps.
  : set of variables;  : set of variable indexes of the disturbed variables, where ...
Diagram: states q0, q1, q2, q3, q4, q5, q6, q7, qU (Initial state q0, UCA state qU) with 2 signal disturbances along the trace.
Constraints with signal disturbance
22
Apply to a Weighted Partial Max-SMT solver. The solver finds an assignment with minimum cost.
Hard constraints *1 (must be satisfied): trace formula with cushions; intermittent constraint.
Soft constraints *2 (can be falsified): equality between original and cushion variables.
Cost is heuristically assigned:
・Uniform
・As soon as possible: bigger costs for bigger step index
23
Design process overview (diagram)
Case Study
25
Overview of Simplified Automotive Control System
Diagram: CarModel with the components ACC, TC and ABT, connected by numbered signals 1–21. Guard annotations on signals: "> 0" is true iff the input is more than 0; "In[0,150]" is true iff the input is in the range 0–150.
ACC: Control acceleration and deceleration in accordance with the leading vehicle.
TC: Arbitrate multiple control requests.
ABT: Shift into neutral gear during brief stops in order to improve gas mileage.
26
UCA Example
UCA: Acceleration command is not provided for five consecutive clock cycles in the cruise control mode, even though the leading vehicle moves further away.
Diagram: cruise control mode; leading vehicle moves further away; no acceleration commands.
27
LTS (ACC-ECU component)
Combined with other components by shared variables.
28
Derivation of failures
Following STAMP/STPA, apply our method in Step 2.
29
UCA definition
The unsafe condition lasts for n units of time in a row:
30
Result (1/2)
Table: signal names in each pattern, with the disturbed signals marked; example of an obtained pattern.
31
Result (2/2)
Disturbed patterns under the condition that VehicleSpeed is not disturbed (number of disturbed signals = 3).
Table: signal names in each pattern, with the disturbed signals marked; example of an obtained pattern.
33
Concluding remarks
• Faulty behavior caused by (intermittent) signal disturbance in an automotive control system is analyzed using Weighted Partial Max-SMT solvers.
• Case study on a simplified automotive control system.
• Finding clues to point out which signals are essential to avoid failures.
  - Trace formulae with cushion variables.
  - Constraints for intermittent disturbance.