Real-Time Systems. Design Principles for Distributed Embedded Applications. Hermann Kopetz. Second Edition (811374), page 88
The bus guardian unit was needed in all three experiments if a coverage of >99% must be achieved. It eliminated the most critical failure of a node, the babbling idiot. A detailed description of the MARS fault injection experiments and a comparison with software-fault injection carried out on the same system is contained in Arlat et al. [Arl03].

12.5.3 Sensor and Actuator Failures

The sensors and actuators, placed at the interface between the physical world and cyberspace, are physical devices that will eventually fail, just like any other physical device. The failures of sensors and actuators are normally not spontaneous crash failures, but manifest themselves either as transient malfunctions or a gradual drift away from the correct operation, often correlated with extreme physical conditions (e.g., temperature, vibration). An undetected sensor failure produces erroneous inputs to the computational tasks that, as a consequence, will lead to erroneous outputs that can be safety-relevant. Therefore it is state-of-the-art that any industrial-strength embedded system must have the capability to detect or mask the failure of any one of its sensors and actuators.
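The detect-or-mask requirement stated above, and the software-based fault-injection test that the text goes on to demand for it, as an added example in C. This is not code from the book or from the MARS system: the triple-redundant temperature channel, the plausibility thresholds (MIN_VALID, MAX_VALID, MAX_STEP, AGREE_TOL), the ramp of true values used as input data and the three fault models (stuck-at, slow drift, out-of-range) are all constructed for illustration. A median vote masks one failed sensor, range/step/agreement checks detect which sensor failed, and `run_experiment` plays the two kinds of inputs of a fault-injection experiment, the injected fault and the input data, against the channel and records when the fault was first detected and how far the masked value strayed from the truth.

```c
/* Added example (not from Kopetz's book): a triple-redundant sensor channel
 * that detects and masks the failure of any one sensor, plus a small
 * software fault-injection harness that exercises the detector.
 * All thresholds, sensor values and fault models below are constructed. */
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

#define N_SENSORS 3
#define MIN_VALID  -40.0   /* plausible physical range (constructed) */
#define MAX_VALID  125.0
#define MAX_STEP     5.0   /* max plausible change per sample (constructed) */
#define AGREE_TOL    2.0   /* max deviation from the voted value (constructed) */

enum fault { FAULT_NONE, FAULT_STUCK, FAULT_DRIFT, FAULT_OUT_OF_RANGE };

struct channel {
    double last[N_SENSORS];   /* previous raw reading of each sensor */
    bool   primed;            /* last[] is valid after the first sample */
};

struct vote_result {
    double value;             /* masked (voted) value handed to the application */
    int    suspect;           /* index of the first sensor flagged faulty, or -1 */
};

static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Detect-or-mask: the median of three masks one failed sensor; a sensor is
 * flagged if it is outside the physical range, jumps more than MAX_STEP since
 * its previous reading, or disagrees with the vote by more than AGREE_TOL. */
struct vote_result read_channel(struct channel *ch, const double raw[N_SENSORS])
{
    struct vote_result r = { median3(raw[0], raw[1], raw[2]), -1 };
    for (int i = 0; i < N_SENSORS; i++) {
        bool bad = raw[i] < MIN_VALID || raw[i] > MAX_VALID ||
                   (ch->primed && fabs(raw[i] - ch->last[i]) > MAX_STEP) ||
                   fabs(raw[i] - r.value) > AGREE_TOL;
        if (bad && r.suspect < 0) r.suspect = i;
        ch->last[i] = raw[i];
    }
    ch->primed = true;
    return r;
}

/* An actuator failure is only observable through a sensor that sees the
 * intended effect: after the settling time, the observed value must be
 * within tol of the commanded setpoint. */
bool actuator_effect_ok(double commanded, double observed, double tol)
{
    return fabs(commanded - observed) <= tol;
}

/* Software fault injection: corrupt one sensor's raw reading according to
 * the injected fault model, leaving the other two sensors intact. */
static double inject(enum fault f, double true_value, int step)
{
    switch (f) {
    case FAULT_STUCK:        return 20.0;                    /* frozen reading */
    case FAULT_DRIFT:        return true_value + 0.5 * step; /* slow drift away */
    case FAULT_OUT_OF_RANGE: return 200.0;                   /* beyond MAX_VALID */
    default:                 return true_value;
    }
}

/* One fault-injection experiment: the input data is a constructed ramp of
 * true values, the injected fault hits sensor `victim`. Returns the sample
 * index at which the victim was first flagged (-1 if never) and stores the
 * worst deviation of the masked value from the truth in *worst_err. */
int run_experiment(enum fault f, int victim, double *worst_err)
{
    struct channel ch = { {0.0, 0.0, 0.0}, false };
    int first_flag = -1;
    *worst_err = 0.0;
    for (int step = 0; step < 20; step++) {
        double truth = 20.0 + 1.0 * step;        /* ramp, 1 unit per sample */
        double raw[N_SENSORS];
        for (int i = 0; i < N_SENSORS; i++)      /* healthy sensors differ by 0.1 */
            raw[i] = (i == victim) ? inject(f, truth, step) : truth + 0.1 * i;
        struct vote_result r = read_channel(&ch, raw);
        double err = fabs(r.value - truth);
        if (err > *worst_err) *worst_err = err;
        if (r.suspect == victim && first_flag < 0) first_flag = step;
    }
    return first_flag;
}

int main(void)
{
    double err;
    int at = run_experiment(FAULT_STUCK, 0, &err);
    printf("stuck sensor 0: flagged at sample %d, worst masking error %.2f\n", at, err);
    at = run_experiment(FAULT_DRIFT, 1, &err);
    printf("drifting sensor 1: flagged at sample %d, worst masking error %.2f\n", at, err);
    at = run_experiment(FAULT_OUT_OF_RANGE, 2, &err);
    printf("out-of-range sensor 2: flagged at sample %d, worst masking error %.2f\n", at, err);
    return 0;
}
```

The three experiments show the difference between the failure modes the text names: an out-of-range value is detected on the first sample by the plausibility check, a stuck sensor is only noticed once the true value has moved more than AGREE_TOL away from it, and a slow drift stays undetected longest of all, which is why the masked value (not the detection flag) is what keeps the application safe in the meantime. In a real safety case the per-fault detection latency and the worst masking error recorded by such a harness are the figures that get documented.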
This capability must be tested by fault-injection experiments, either software-based or physical.

An actuator is intended to transform a digital signal, generated in cyberspace, to some physical action in the environment. The incorrect operation of an actuator can only be observed and detected if one or more sensors observe the intended effect in the physical environment. This error-detection capability with respect to actuator failures must also be tested by fault-injection experiments (see also the example in Sect. 6.1.2). In safety-critical applications, these fault-injection tests must be carefully documented, since they form a part of the safety case.

Points to Remember

- An essential fraction – up to 50% – of the development costs of a real-time computer system is devoted to ensuring that the system is fit-for-purpose. In safety-critical applications that must be certified, this fraction is even higher.
- Verification establishes the consistency between a (formal) specification and the system under test (SUT), while validation is concerned with the consistency between the model of the user's intention and the SUT. The missing link between verification and validation is the relation between the model of the user's intention and the (formal) specification of the system.
- If a purely probabilistic point of view is taken, then an estimate that the mean time to failure (MTTF) of the SUT will be larger than a given number of hours can only be made if system tests have been executed for a duration that is larger than this number of hours.
- The modification of the behavior of the object under test by introducing a test probe is called the probe effect.
- Design for testability establishes a framework where test outputs can be observed without a probe effect and where test inputs can be controlled at any level of the system architecture.
- It is a challenge for the tester to find an effective and representative set of test data that will give the designer confidence that the system will work correctly for all inputs. A further challenge relates to finding an effective automatable test oracle.
- In the last few years clever formal techniques have been developed to get a handle on the state explosion problem such that systems of industrial size can be verified by model checking.
- Fault injection is the intentional activation of faults by hardware or software means to be able to observe the system operation under fault conditions. During a fault-injection experiment the target system is exposed to two types of inputs: the injected faults and the input data.
- The sensors and actuators, placed at the interface between the physical world and cyberspace, are physical devices that will eventually fail, just like any other physical device. Therefore it is state-of-the-art that any industrial-strength embedded system must have the capability to detect or mask the failure of any one of its sensors and actuators.

Bibliographic Notes

In the survey article Software Testing Research: Achievements, Challenges, Dreams, Bertolino [Ber07] gives an excellent overview of the state-of-the-art in software testing and some of the open research challenges.
The research report "Formal Methods and the Certification of Critical Systems" [Rus93] by John Rushby is a seminal work on the role of formal methods in the certification of safety-critical systems.

Review Questions and Problems

12.1 What is the difference between validation and verification?
12.2 Describe the different methods for test-data selection.
12.3 What is a test oracle?
12.4 How does a component provider and component user test a component-based system?
12.5 Discuss the different steps that must be taken to investigate a real-world phenomenon by a formal method. Which one of these steps can be formalized, which cannot?
12.6 In Sect. 12.4.2, three different levels of formal methods have been introduced. Explain each one of these levels and discuss the costs and benefits of applying formal methods at each one of these levels.
12.7 What is model checking?
12.8 What is the "probe effect"?
12.9 How can the "testability" of a design be improved?
12.10 What is the role of testing during the certification of an ultra-dependable system?
12.11 Which are the purposes of fault-injection experiments?
12.12 Compare the characteristics of hardware and software fault-injection methods.

Chapter 13 Internet of Things

Overview

The connection of physical things to the Internet makes it possible to access remote sensor data and to control the physical world from a distance.
The mash-up of captured data with data retrieved from other sources, e.g., with data that is contained in the Web, gives rise to new synergistic services that go beyond the services that can be provided by an isolated embedded system. The Internet of Things is based on this vision. A smart object, which is the building block of the Internet of Things, is just another name for an embedded system that is connected to the Internet. There is another technology that points in the same direction – the RFID technology. The RFID technology, an extension of the ubiquitous optical barcodes that are found on many everyday products, requires the attachment of a smart low-cost electronic ID-tag to a product such that the identity of a product can be decoded from a distance. By putting more intelligence into the ID tag, the tagged thing becomes a smart object. The novelty of the Internet-of-Things (IoT) is not in any new disruptive technology, but in the pervasive deployment of smart objects.

At the beginning of this chapter, the vision of the IoT is introduced. The next section elaborates on the forces that drive the development of the IoT. We distinguish between technology push and technology pull forces. The technology push forces see in the IoT the possibility of vast new markets for novel ICT products and services, while the technology pull forces see the potential of the IoT to increase the productivity in many sectors of the economy, to provide new services, e.g., for an aging society, and to promote a new lifestyle. Section 13.3 focuses on the technology issues that have to be addressed in order to bring the IoT to a mass market. Section 13.4 discusses the RFID technology, which can be seen as a forerunner of the IoT. The topic of wireless sensor networks, where self-organizing smart objects build ad-hoc networks and collect data from the environment, is covered in Sect. 13.5. The pervasive deployment of smart objects that collect data and control the physical environment from a distance poses a severe challenge to the security and safety of the world and the privacy of our lives.

H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Real-Time Systems Series, DOI 10.1007/978-1-4419-8237-7_13, © Springer Science+Business Media, LLC 2011

13.1 The Vision of an Internet-of-Things

Over the past 50 years, the Internet has exponentially grown from a small research network, comprising only a few nodes, to a worldwide pervasive network that services more than a billion users. The further miniaturization and cost reduction of electronic devices makes it possible to expand the Internet into a new dimension: to smart objects, i.e., everyday physical things that are enhanced by a small electronic device to provide local intelligence and connectivity to the cyberspace established by the Internet. The small electronic device, a computational component that is attached to a physical thing, bridges the gap between the physical world and the information world. A smart object is thus a cyber-physical system or an embedded system, consisting of a thing (the physical entity) and a component (the computer) that processes the sensor data and supports a wireless communication link to the Internet.

Example: Consider a smart refrigerator that keeps track of the availability and expiry date of food items and autonomously places an order to the next grocery shop if the supply of a food item is below a given limit.

The novelty of the IoT is not in the functional capability of a smart object – already today many embedded systems are connected to the Internet – but in the expected size of billions or even trillions of smart objects that bring about novel technical and societal issues that are related to size.