May 24, 2011 - Hazard-based Selection of Test Cases. Functional Safety of Mechatronic Systems. Mario Gleirscher. Software & Systems Engineering.
Hazard-based Selection of Test Cases Functional Safety of Mechatronic Systems
Mario Gleirscher Software & Systems Engineering Institut f¨ ur Informatik Technische Universit¨ at M¨ unchen
May 24, 2011
Motivation
Functional Safety
Hazards
Conclusion
Safety Case1 : Assurance of an Airbag Control
Machine I: An airbag system . . .
1 2
Cf. Safety case management [Kel98] Cf. [Wik11]
2/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
Safety Case1 : Assurance of an Airbag Control
Machine I: An airbag system . . .
Safety Case G: Does the airbag release iff it’s intended? 1 2
Cf. Safety case management [Kel98] Cf. [Wik11]
2/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
Safety Case1 : Assurance of an Airbag Control
Machine I: An airbag system . . .
“. . . functional safety methods have to extend to non-E/E/PS parts of the system . . . ”2
Context E: . . . in a car operated out in a street by a human driver.
“. . . functional safety can[not] be determined without considering the environment . . . ”2
1 2
Cf. Safety case management [Kel98] Cf. [Wik11]
2/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
1
Functional Safety System Modelling Property Analysis and Specification
2
Hazards Property Analysis and Specification Test Case Selection
3
Conclusion
3/20 Hazard-based Selection of Test Cases
Hazards
Conclusion
Mario Gleirscher
Motivation
Functional Safety
1
Functional Safety System Modelling Property Analysis and Specification
2
Hazards Property Analysis and Specification Test Case Selection
3
Conclusion
4/20 Hazard-based Selection of Test Cases
Hazards
Conclusion
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
A System Model MW of the Airbag World W Functional1 model MW :
E
I
E Safety Analyst
MI describing the mechatronic system I and ME describing its operational environment E. 1
Cf. [Bro10].
5/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
A System Model MW of the Airbag World W A system boundary allows interaction across shared phenomena1 :
ME
MI
ME I MI ,
repaired(Airbag), refilled(Gas), signal(activate,Airbag), on(crashSensor), . . .
ME J MI ,
released(Airbag), . . .
where A I B = ctrV ar(A) ∩ monV ar(B). 1
Cf. [Jac01, PM95]
5/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
A System Model MW of the Airbag World W Supportive phenomena for safety modelling and measurement:
ME
MI
ME \ M I ,
crashed(Car), shocked(Car), deformed(Car), protected(Person), driving(Car), irritated(Passenger), ...
MI \ ME ,
empty(Airbag), . . .
5/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
A System Model MW of the Airbag World W Interface behaviour , histories of shared phenomena states: ME
Intervals shocked(Car) deformed(Car) crashed(Car) signal(crash) released(Airbag) ...
5/20 Hazard-based Selection of Test Cases
... F 0 F F F ...
n T 2 F F F ...
MI
... T 10 F F F ...
... F 10 T T F ...
n+j F 10 T T T ...
... F 10 T T T ...
m F 10 T T T ...
−→ ... ... ... ... ... ... Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
MW as a Test Model ME
MI
off
off
enter leave
driving
boot
activate
release
maintain
activated
collide
crashed
maintain
maintain
release
release
released
Independent control states, transitions with action preconditions and effects1 .
Where to get the information? System use cases → MI , ME Domain and context analysis → ME 1
Details in Golog script, cf. [Rei01].
6/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
MW as a Test Model ME
MI
off
off
enter leave
driving
boot
activate
release
maintain
activated
collide
crashed
maintain
maintain
release
release
released
Independent control states, transitions with action preconditions and effects1 .
Problem: Which of MW ’s possible or mutated transitions may obstruct safety in ME ? 1
Details in Golog script, cf. [Rei01].
6/20 Hazard-based Selection of Test Cases
Mario Gleirscher
Motivation
Functional Safety
Hazards
Conclusion
Functional Safety in MW
ME
Functional safety goal3
MI
Behavioral property to globally maintain (or avoid) in E, formally: 2φ
G,
2protected(Body)
G0 ,
2[crashed(Car) → 3
