1. Problem Statement
2.3. Conceptual Framework
From the literature, robustness can be defined as the dependability of a system with particular respect to external faults. Taking this definition of robustness as a specialised case of dependability, and considering the base definitions of dependability, raises the following discussion points.
The first definition of dependability given by Avižienis et al. (2004) is the “ability to avoid service failures that are more frequent and more severe than is acceptable”. This highlights the need to specify which service failures are acceptable as a result of external faults, and how often they may occur, in order to have a measure of what is acceptably robust. For safety critical functionality this may be straightforward; for other functionality it may not be obvious, particularly without prior knowledge of which external faults could occur. It may require the specification of degraded modes of operation, events that must not take place, or availability targets. A related question for non-safety critical automotive systems is: what are the key dependability characteristics, and which are most impacted by external faults?
The second definition of dependability given by Avižienis et al. (2004) is “the ability to deliver service that can justifiably be trusted”, which raises the question of what methods can be used to gain assurance that the system can be trusted to be robust.
Complex systems are characterised by interdependencies which make them inherently non-linear and difficult to model or abstract, and they exhibit emergent behaviour not recognised during the original design. Automotive electronics are complex embedded systems of systems which are interconnected by design and have a high degree of “dynamic complexity” arising from the temporal nature of their interactions. There is evidence of the scale of problems with automotive electronics but not of their specific causes. The current automotive approaches to coping with complexity and the rate of change are standards for open systems, the sharing and reuse of software, and model-based development.
Robust design techniques such as Design for Six Sigma are mechanically focused, emphasise a “Right First Time” philosophy and expect failure modes to be known in advance, which fundamentally misses the issue of emergence. This contrasts with the lesson from software development, particularly agile methods, on emergent issues: develop iteratively and incrementally to allow continuous integration and test. Hence any design-for-robustness process framework for complex systems needs to build in an iterative approach.
While there are explicit design methods for achieving mechanical robustness, for software-based systems the main concern appears to be reliability and the prevention of fault conditions in the first place. This may be because the major research efforts and standards focus on high dependability systems, which tends to lead to solutions such as guaranteed high reliability or redundancy that may not be appropriate for non-safety critical systems which nonetheless need to be robust to meet customer expectations. This primacy of reliability over robustness in the literature may reflect research being driven by the demands of high integrity systems, such as aerospace or safety critical automotive applications, rather than by the increasing demand of mass complexity in the majority of automotive applications and consumer goods.
However, there are many good design principles which do not entail additional cost but are not fully recognised in the automotive field. For example, there seems to be little or no published work considering the application of the concepts of self-stabilization within the automotive domain. It may be that the principles of self-stabilization are implicit in automotive design: fail-safe behaviour is often achieved by reverting to a sufficient level of mechanical control, e.g. in braking and steering systems, with a reboot of the microprocessor to re-invoke the additional electronically controlled functionality. However, this may benefit from explicit consideration. Certainly it suggests a need for systematic knowledge capture and dissemination which, while beyond the scope of this work, should be included as an element of a framework for design for robustness.
There are other lessons to learn from safety critical approaches, such as the need for upfront risk analysis to determine where design effort to address systematic risks should be concentrated. Safety cases are a specific tool which it is proposed to investigate, to determine whether they can be adapted to designing for robustness.
The use of formal methods has significant potential within automotive and is the subject of ongoing pilot and research projects focusing initially on high integrity applications. This should pave the way for lightweight methods and tools which can then be used for robustness analysis of all systems. Enabling this requires design artefacts for formal analysis, models in particular, which encompass robustness critical attributes, together with knowledge of the specific properties that need to be checked to prove robustness. While the development of the formal methods tools and techniques is outside the scope of
methods to robustness issues and provide enabling capabilities for this in terms of models and the understanding of the specific properties that need to be checked to prove robustness.
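As an added illustration that is not part of this thesis or of any work it cites, the following Python model makes the fail-safe pattern discussed above (electronic assist reverting to mechanical control, with a watchdog-driven reboot) concrete and checks it as a self-stabilising system in Dijkstra's sense by exhaustive exploration of a small state space. The ECU state machine, the constants (watchdog limit, debounce count, counter widths) and all names are assumptions chosen for the example, not taken from any real ECU or standard. Three of the points raised earlier map onto checkable properties: the degraded mode is FALLBACK; the event that must not take place is entering ASSIST on an implausible sensor sample; closure and convergence are the two self-stabilisation properties, and the convergence bound doubles as an availability figure, the maximum number of control cycles after an arbitrary state corruption before the ECU is back in a legitimate state.

```python
"""Self-stabilising fail-safe model of an electronic assist ECU (constructed example).

The plant (brake or steering) always retains mechanical control; the ECU only
adds electronic assist on top of it.  The ECU state can be corrupted
arbitrarily by an external fault (EMI, bit flip, bad message).  We check
exhaustively, over every representable state and every input sequence, that
the ECU stabilises back into a legitimate state within a bounded number of
control cycles.  All constants, names and the state machine are assumptions
made for this example, not taken from any real ECU or standard.
"""
from collections import deque
from dataclasses import dataclass
from itertools import product

ASSIST, FALLBACK, REBOOT = "ASSIST", "FALLBACK", "REBOOT"
MODES = (ASSIST, FALLBACK, REBOOT)
WD_LIMIT = 3   # missed watchdog kicks before a forced reset (assumed)
WD_MAX = 7     # 3-bit counter: corruption can leave any value in 0..7
DEBOUNCE = 2   # plausible sensor samples required before assist re-engages
CNT_MAX = 3    # 2-bit saturating sample counter


@dataclass(frozen=True)
class State:
    mode: str      # ASSIST = electronic function active, FALLBACK = degraded, mechanical only
    wd: int        # watchdog counter, reset by a healthy control cycle
    ok_count: int  # consecutive plausible sensor samples


INIT = State(FALLBACK, 0, 0)                            # power-on: mechanical control only
INPUTS = tuple(product((True, False), (True, False)))   # (sensor_valid, loop_healthy)


def step(s: State, sensor_valid: bool, loop_healthy: bool) -> State:
    """One control cycle; the inputs are what the environment presents this cycle."""
    if s.mode == REBOOT:
        return State(FALLBACK, 0, 0)    # reset complete: re-enter degraded mode with fresh state
    wd = 0 if loop_healthy else min(s.wd + 1, WD_MAX)
    if wd >= WD_LIMIT:
        return State(REBOOT, 0, 0)      # hung or corrupted loop: watchdog forces a reset
    if not sensor_valid:
        return State(FALLBACK, wd, 0)   # never engage assist on implausible data
    ok = min(s.ok_count + 1, CNT_MAX)
    mode = ASSIST if (s.mode == ASSIST or ok >= DEBOUNCE) else FALLBACK
    return State(mode, wd, ok)


def all_states():
    """The whole representable state space, legitimate or corrupted."""
    return [State(m, w, c)
            for m, w, c in product(MODES, range(WD_MAX + 1), range(CNT_MAX + 1))]


def reachable_states() -> frozenset:
    """Legitimate states: everything reachable from INIT under fault-free operation."""
    seen, todo = {INIT}, deque([INIT])
    while todo:
        s = todo.popleft()
        for inp in INPUTS:
            n = step(s, *inp)
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return frozenset(seen)


def invariant(s: State) -> bool:
    """Property every legitimate state must satisfy (assist only after debounce, watchdog live)."""
    return (s.wd < WD_LIMIT
            and (s.mode != ASSIST or s.ok_count >= DEBOUNCE)
            and (s.mode != REBOOT or (s.wd == 0 and s.ok_count == 0)))


def closure_holds() -> bool:
    """Closure: every legitimate state satisfies the invariant and every step stays legitimate."""
    legit = reachable_states()
    return all(invariant(s) and all(step(s, *i) in legit for i in INPUTS) for s in legit)


def convergence_bound():
    """Convergence: worst-case cycles from ANY state back to a legitimate one, against an
    adversarial choice of inputs.  Returns None if some corrupted state can be kept out of
    the legitimate set forever."""
    legit = reachable_states()
    stabilised, domain, cycles = set(legit), set(all_states()), 0
    while stabilised != domain:
        newly = {s for s in domain - stabilised
                 if all(step(s, *i) in stabilised for i in INPUTS)}
        if not newly:
            return None
        stabilised |= newly
        cycles += 1
    return cycles


if __name__ == "__main__":
    legit = reachable_states()
    print(f"{len(legit)} legitimate of {len(all_states())} representable states")
    print("closure holds:", closure_holds())
    print("worst-case convergence:", convergence_bound(), "cycles")
```

Running it reports 13 legitimate states out of 96 representable ones, that closure holds, and a worst-case convergence of 2 cycles; the slow case is a corrupted ASSIST state with a zeroed debounce counter, which needs two plausible samples before its counter is consistent again. The exhaustive sweep is what makes this a lightweight formal check rather than a test: every state, including ones no test harness would think to inject, is covered. It does not, however, bound the exposure during the corrupted cycle itself; a safety argument would still have to show that one cycle of wrongly engaged assist is tolerable, which is precisely the kind of robustness property the text says must be identified from domain knowledge.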
A significant question arising from the literature is: can complex systems of systems be usefully modelled at a level of abstraction that allows robustness properties to be examined? There is extensive ongoing work on modelling complex systems which can provide a framework, but whether the right things are being modelled in terms of robustness is debatable in the absence of a clear understanding of robustness issues.
This highlights the importance of domain knowledge in complex systems. Domain knowledge has been identified in the literature as critical for developing design guidelines, recognising critical robustness factors, modelling and abstraction, and identifying areas of focus for robustness testing. For example, the final statement of Driscoll et al. (2003) on practical approaches to Byzantine failures is: “Anyone designing a system with high dependability requirements must thoroughly understand these failures and how to combat them.” However, there is a lack of domain knowledge on automotive electronics robustness issues in the published literature; this may be due in part to an unwillingness to put such information into the public domain and in part to a lack of specific, systematic robustness focused studies. Hence, to meet the objectives of this thesis, a systematic study of robustness issues is required to build domain knowledge.
Test methods addressing robustness are an area with a growing body of work which should be included in a design-for-robustness framework, but they are not subject to specific development within the scope of this thesis.