TESTING A FAULT-TOLERANT CYBER-PHYSICAL SYSTEM DESIGNED FOR TESTABILITYPresented by Florian Krautwurm & Markus Lachenmayr

© All rights reserved

Cyber physical system operates dependable in each situation

2

The e-car remains safe while redundant component of the central control unit fails permanently

© All rights reserved

Redundancy Spatial distributionFailure detection

FunctionalRequirements

Non-FunctionalRequirements

Safe autonomous

driving, also when

components fail

(fail operational)

Availability,

Dependability,

Reliability

Robustness,

…

Testability

The e-car remains safe while redundant component of the central control unit fails permanently

Cyber physical system operates dependable in each situation

3 © All rights reserved

Vulnerable stateSafe state Dangerous state

Phase 1 Phase 3Phase 2

Testing of fault-tolerant, real-time systems is hard

Cyber physical systems involve extensive test

procedures to investigate the behavior of the system

4 © All rights reserved

Get deep insights!More bad weather tests!

Test in the field!

System built for testability by design!

5 © All rights reserved

Independent test system with distributed test probes

Point-to-point links between test probes (tp) and test probe control center (tc)

6 © All rights reserved

A safe steering test with fault injection

The basic idea of the generation of a bad weather test

n1.SteeringCtrl.Authority == primary

n2.SteeringCtrl.Authority == backup

n1.State = 0xDEAD

n2.SteeringCtrl.Authority == primary

7 © All rights reserved

A safe steering test with fault injection

Reliable statements using ALFHA1) language

8 © All rights reserved

01: TEST Critical app continues on primary failure

02: DEFINE IsPrimary(Node, App)

03: AS Node.App.Authority == primary

04: DEFINE HasPrimary(App)

05: AS IsPrimary(n1, App) XOR IsPrimary(n2, App))

06: TRIGGER IsPrimary(n1, SteeringCtrl)

07: INVARIANT HasPrimary(SteeringCtrl)

08: CYCLE

09: FROM 10 TO 15 DO n1.State = 0xDEAD

10: UNTIL 30

1) ALFHA: Assertion Language for Fault-Hypothesis Arguments

Reliable test statements from test probes that execute tests free of side effects

Test probe resources are fixed, limited, and exclusive• Execution time. Time slot within the

application schedule.

• Memory footprint. Probe memory is

reserved up-front.

• Network bandwidth. Probe packets are

fixed sized and have a fixed frequency.

• Application cycle. Probe resources can

never be used by other applications.

9 © All rights reserved

Secrets behind reliable statements at a glance

• Reliable statements from

tests of testable systems

• Probe in each system node by design,

permanently, in lab and field

• Non-intrusive monitoring,

data-seeding & testing

Testing a Fault-Tolerant Cyber-Physical System Designed for Testability

10 © All rights reserved

Testing a Fault-Tolerant Cyber-Physical System Designed for Testability

11 © All rights reserved