System safety as an emergent property in composite systems

Jennifer Black, Philip Koopman
DOI: 10.1109/DSN.2009.5270316
Published in: 2009 IEEE/IFIP International Conference on Dependable Systems & Networks
Citations: 37

Abstract

Decomposition is used to manage system complexity, but is problematic for emergent properties such as system safety. Previously, we introduced Indirect Control Path Analysis (ICPA) for elaborating system safety goals in composite systems. We now provide mathematical definitions of emergent and composable system behaviors in the context of formal specifications and ICPA, and identify useful special cases in which partial decomposition of emergent safety goals is possible. We apply ICPA to a semi-autonomous automotive system to identify safety goals for key subsystems, and then monitor the system and subsystem goals at run-time in an implementation of the vehicle. Although false negatives at the subsystem level indicate the subgoals do not fully compose the original safety goal, some system-level goal violations are detected by subsystem monitors. In addition, monitoring at both the system and subsystem level has identified certain safety-related errors that may be imperceptible to system testers.