Correctly specifying requirements for composite systems is essential to system safety. In a distributed development environment, safety requirements must be clearly defined for each subsystem. Unfortunately, decomposing non-functional requirements, also known as goals, is not always straightforward. Quantifiable goals, such as cost or performance, may be decomposed by allocating a fixed limit to each component. System safety, however, is usually not expressible as a sum of parts; rather, it is considered to be emergent. This thesis defines emergent and composable behaviors in the context of formally specified goals and identifies useful special cases in which emergent system goals may be partially composable. Indirect Control Path Analysis (ICPA) is introduced as a new technique for identifying and documenting safety goals for components, using control flow and goal coverage strategies to guide goal elaboration. ICPA was applied to a semi-autonomous automotive system from a commercial automotive research laboratory, and the goals and subgoals were monitored at run-time in a partial implementation of the vehicle in a simulation environment. Violations of both the goals and the subgoals identified several critical design defects in the incomplete implementation. In some situations, false positive detection at the subsystem level revealed problems in the subsystems that were masked by redundant goal coverage. False negative detection at the subsystem level in some of the scenarios suggests that the set of subsystem safety goals only partially composes the system-level behavior. The results demonstrate a proof of concept of the ICPA technique for defining system safety subgoals in a real system.