Search for: All records

Simulation-basedFaultInjection(FI)ishighlyrecommended by functional safety standards in the automotive and aerospace domains, in order to “support the argumentation of completeness and correctness of a system architectural design with respect to faults” (ISO 26262). We argue that a library of failure models facilitates this process. Such a library, firstly, supports completeness claims through, e.g., an extensive and systematic collection process. Secondly, we argue why failure model specifications should be executable—to be implemented as FI operators within a simulation framework—and parametrizable—to be relevant and accurate for different systems. Given the distributed nature of automo- tive and aerospace development processes, we moreover argue that a data-flow-based definition allows failure models to be applied to black- box components. Yet, existing sources for failure models provide frag- mented, ambiguous, incomplete, and redundant information, often meet- ing neither of the above requirements. We therefore introduce a library of 18 executable and parameterizable failure models collected with a sys- tematic literature survey focusing on automotive and aerospace Cyber- Physical Systems (CPS). To demonstrate the applicability to simulation- based FI, we implement and apply a selection of failure models to a real- world automotive CPS within a state-of-the-art simulation environment, and highlight their impact. 

We introduce DeepCert, a tool-supported method for verifying the robustness of deep neural network (DNN) image classifiers to contextually relevant perturbations such as blur, haze, and changes in image contrast. While the robustness of DNN classifiers has been the subject of intense research in recent years, the solutions delivered by this research focus on verifying DNN robustness to small perturbations in the images being classified, with perturbation magnitude measured using established 𝐿𝑝 norms. This is useful for identifying potential adversarial attacks on DNN image classifiers, but cannot verify DNN robustness to contextually relevant image perturbations, which are typically not small when expressed with 𝐿𝑝 norms. DeepCert addresses this underexplored verification problem by supporting: (1) the encoding of real-world image perturbations; (2) the systematic evaluation of contextually relevant DNN robustness, using both testing and formal verification; (3) the generation of contextually relevant counterexamples; and, through these, (4) the selection of DNN image classifiers suitable for the operational context (i) envisaged when a potentially safety-critical system is designed, or (ii) observed by a deployed system. We demonstrate the effectiveness of DeepCert by showing how it can be used to verify the robustness of DNN image classifiers build for two benchmark datasets (‘German Traffic Sign’ and ‘CIFAR-10’) to multiple contextually relevant perturbations.