Safety is the foremost requirement of avionics systems on aircraft. Avionics systems have evolved into an integrated system, i.e., the integrated avionics system, and derivative functions arise when the avionics systems are upgraded. However, the traditional safety analysis method is insufficient for upgraded avionics systems because of these derivative functions. In this letter, a safety evaluation scheme is proposed to quantitatively evaluate the safety of upgraded avionics systems. All functions, including the derivative functions, can be traced and covered. Meanwhile, a set of safety issues based on different views is established to evaluate the safety capability from three layers, i.e., the mission layer, the function layer and the resource layer. The proposed scheme can be considered an efficient scheme for safety validation and verification of upgraded avionics systems.
Peachanika THAMMAKAROON Poj TANGAMCHIT
We propose a systematic method for improving the response time of forward collision warning (FCW) on vehicles. First, a performance metric, called the warning lag time, is introduced. We use the warning lag time because its measurement is practical in real driving situations. Next, we discuss two ideas to improve this warning lag time, the vertical and horizontal methods. The vertical method adds a warning, derived from the cause of a car crash, to a normal FCW system. The experiment showed that it can improve the warning lag time by an average of 0.31 s compared with a traditional FCW system. The horizontal method uses distributed sensing among vehicles, which helps a vehicle see farther. It can also improve the warning lag time by an average of 1.08 s compared with a single-vehicle FCW.
In this paper, a novel synchronization method is proposed for a heterogeneous cognitive radio that combines public safety mobile communication systems (PMCSs) with commercial mobile wireless communication systems (CMWCSs). The proposed method enables self-synchronization of the PMCSs as well as co-synchronization of PMCSs and CMWCSs. In this paper, self-synchronization means that each system obtains its own timing synchronization, and co-synchronization means that a system correctly recognizes data transmitted from other systems. In our research, we focus especially on PMCS self-synchronization because it is one of the most difficult parts of our proposed cognitive radio that improves PMCS communication quality. The proposed method is applied to systems employing differentially encoded π/4 shift QPSK modulation. Synchronization is achieved by correlating envelopes calculated from a PMCS's received signals with subsidiary information (SI) sent via a CMWCS. In this paper, the performance of the proposed synchronization method is evaluated by computer simulation. Moreover, because this SI can also be used to improve the bit error rate (BER) of PMCSs, BER improvement and efficient SI sending methods are derived, after which their performance is evaluated.
Jingyuan ZHAO Meiqin WANG Jiazhe CHEN Yuliang ZHENG
The SAFER block cipher family consists of SAFER K, SAFER SK, SAFER+ and SAFER++. SAFER K, the first of these to be proposed, was strengthened into SAFER SK by an improved key schedule. SAFER+ was designed as an AES candidate, and Bluetooth uses a customized version of it for security. SAFER++, a variant of SAFER+, is among the cryptographic primitives selected for the second phase of the NESSIE project. In this paper, we take advantage of properties of the linear transformation and the S-boxes to identify new impossible differentials for SAFER SK, SAFER+, and SAFER++. Moreover, we give impossible differential attacks on 4-round SAFER SK/128, 4-round SAFER+/128(256), 5-round SAFER++/128 and 5.5-round SAFER++/256. Our attacks significantly improve on the previously known impossible differential attacks on these ciphers. Specifically, our attacks on SAFER+ are the best known in terms of number of rounds.
Runtime analysis enhances the safety of critical systems by monitoring changes in their external environments. In this paper, a modified FTA approach, making full use of existing safety analysis results, is put forward to achieve runtime safety analysis. The procedures of the approach are given in detail. This approach could be widely used in the safety engineering of critical systems.
Akihiro TOMITA Xiaoqing WEN Yasuo SATO Seiji KAJIHARA Kohei MIYASE Stefan HOLST Patrick GIRARD Mohammad TEHRANIPOOR Laung-Terng WANG
The applicability of at-speed scan-based logic built-in self-test (BIST) is being severely challenged by excessive capture power, which may cause erroneous test responses even for good circuits. Different from conventional low-power BIST, this paper is the first to explicitly focus on achieving capture power safety with a novel and practical scheme, called capture-power-safe logic BIST (CPS-LBIST). The basic idea is to identify all possibly erroneous test responses caused by excessive capture power and use the well-known approach of masking (bit-masking, slice-masking, vector-masking) to block them from reaching the multiple-input signature register (MISR). Experiments with large benchmark circuits and a large industrial circuit demonstrate that CPS-LBIST can achieve capture power safety with negligible impact on test quality and circuit overhead.
The second edition of the international standard IEC 61508, functional safety of electrical/electronic/programmable electronic safety-related systems (SRS), was published in 2010. This international standard adopts a risk-based approach by which safety integrity requirements can be determined. It presents a formula to estimate the hazardous event rate taking account of non-perfect proof-tests, but it is not clear how the formula is derived. In the present paper, first, taking account of non-perfect proof-tests, the relationship between the dangerous undetected failure of the SRS, the demand on the SRS and the hazardous event is modeled by a fault tree and state-transition diagrams. Next, the hazardous event rate is formulated using the state-transition diagrams for the determination of the safety integrity requirements. Then, a comparison is made between the formulas obtained in this paper and those given in the standard, and it is found that the latter do not always present a rational formulation.
Masayuki MURAKAMI Hiroyasu IKEDA
Although many companies have developed robots that assist humans in the activities of daily living, safety requirements and test methods for such robots have not been established. Given the risk associated with a robot malfunctioning in the human living space, from the viewpoints of safety and EMC, it is necessary that the robot does not create a hazardous situation even when exposed to possibly severe electromagnetic disturbances in the operating environment. Thus, in immunity tests for personal care robots, the safety functions should be more rigorously tested than the other functions, and be repeatedly activated in order to ascertain that the safety functions are not lost in the presence of electromagnetic disturbances. In this paper, immunity test procedures for personal care robots are proposed that take into account functional safety requirements. A variety of test apparatuses are presented, which were built for activating the safety functions of robots, and detecting whether they were in a safe state. The practicality of the developed immunity test system is demonstrated using actual robots.
The large and complicated safety-critical systems of today need to keep changing to accommodate ever-changing objectives and environments. Accordingly, runtime analysis for safe reconfiguration or evaluation is currently a hot topic in the field, and acquiring information about the external environment is crucial for runtime safety analysis. With the rapid development of web services, mobile networks and ubiquitous computing, abundant real-time environmental information is available on the Internet. To integrate this public information into the runtime safety analysis of critical systems, this paper brings forward a framework that can be implemented with open-source, cross-platform modules and, encouragingly, is applicable to various safety-critical systems.
Hirokatsu KATAOKA Kimimasa TAMURA Kenji IWATA Yutaka SATOH Yasuhiro MATSUI Yoshimitsu AOKI
The percentage of pedestrian deaths in traffic accidents is on the rise in Japan. In recent years, there have been calls for measures to be introduced to protect vulnerable road users such as pedestrians and cyclists. In this study, a method to detect and track pedestrians using an in-vehicle camera is presented. We improve the technology of detecting pedestrians by using the highly accurate images obtained with a monocular camera. In the detection step, we employ ECoHOG as the feature descriptor; it accumulates the integrated gradient intensities. In the tracking step, we apply an effective motion model using optical flow and the proposed feature descriptor ECoHOG in a tracking-by-detection framework. These techniques were verified using images captured on real roads.
This paper investigates the potential to improve fault-detection coverage by means of on-chip redundancy. The international standard on functional safety, IEC 61508 Ed. 2.0 Part 2 Annex E.3, prescribes that the upper bound of βIC (the ratio of common cause failures (CCF) to all failures) is 0.25 in order to satisfy the frequency upper bound of dangerous failure in the safety function for SIL (Safety Integrity Level) 3. On the other hand, this paper argues that βIC does not necessarily have to be less than 0.25 for SIL 3, and that the upper bound of βIC can be determined depending on the failure rate λ and the CCF detection coverage. In other words, the frequency upper bound of dangerous failure for SIL 3 can also be satisfied with βIC higher than 0.25 if the failure rate λ is lower than 400 FIT. Moreover, the paper shows that on-chip redundancy has the potential to satisfy the SIL 4 requirement: the frequency upper bound of dangerous failure for SIL 4 can be satisfied with feasible ranges of βIC, λ and CCF coverage that can be realized by redundant code.
We have developed a dedicated onboard “sensor” utilizing wireless communication devices for collision avoidance around road intersections. The “sensor” estimates the positions of transmitters on traffic participants by comparing the strengths of signals received by four ZigBee receivers installed at the four corners of a vehicle. On-board sensors involving cameras cannot detect objects in non-line-of-sight (NLOS) areas caused by buildings and other vehicles. Although infrastructure sensors for vehicle-to-infrastructure (V2I) cooperative systems can detect such hidden objects, they are substantially more expensive than on-board sensors. The on-board wireless “sensor” developed in this work would function as an alternative tool for collision avoidance around intersections. Herein, we extend our previous work by considering a road surface reflection model to improve the estimation accuracy. By using this model, we succeeded in reducing the mismatch errors between the observed data and the calibration data of the estimation algorithm. The proposed system will be realized on the basis of these enhancements.
Nikolaos TRIANTAFYLLOU Petros STEFANEAS Panayiotis FRANGOS
The Open Mobile Alliance (OMA) Order of Rights Object Evaluation algorithm causes the loss of rights on contents under certain circumstances. By identifying the cases that cause this loss we suggest an algebraic characterization, as well as an ordering of OMA licenses. These allow us to redesign the algorithm so as to minimize the losses, in a way suitable for the low computational powers of mobile devices. In addition we provide a formal proof that the proposed algorithm fulfills its intent. The proof is conducted using the OTS/CafeOBJ method for verifying invariant properties.
An automotive operating system is typical safety-critical software and therefore requires extensive analysis w.r.t. its effect on system safety. Our earlier work [1] reported a systematic model checking approach for checking the safety properties of the OSEK/VDX-based operating system Trampoline. This article reports further performance improvement using embeddedC constructs for efficient verification of the Trampoline model developed in the earlier work. Experiments show that the use of embeddedC constructs greatly reduces verification costs.
Software FMEA is valuable and practically used for the embedded software of safety-critical systems. In this paper, a novel method for Software FMEA is presented based on co-analysis of the system model and the software model. The method is expected to detect the quantitative and dynamic effects of a targeted software failure. A typical application of the method is provided to illustrate the procedure and the applicable scenarios. In addition, a pattern is refined from the application for further reuse.
Chen CHEN Qingqi PEI Xiaoji LI Rong SUN
In this letter, a Simple but Effective Congestion Control scheme (SECC) for VANETs is proposed to guarantee successful transmissions for safety-related nodes. The strategy derives a Maximum Beacon Load Activity Indicator (MBLAI) to restrain the neighboring general periodic beacon load around the investigated safety-related “observation nodes”, i.e., the nodes associated with some emergent events. This mechanism effectively reserves bandwidth for the safety-related nodes, giving them higher priority than periodic beacons in accessing the channel. Different from the static congestion control scheme in IEEE 802.11p, this strategy can provide dynamic congestion control strength according to the tolerable packet drop ratio of different applications.
Dong Ho LEE You-Ze CHO Hoang-Anh PHAM Jong Myung RHEE Yeonseung RYU
In this paper, we present a new fault-tolerant, large-scale star network scheme called Scalable Autonomous Fault-tolerant Ethernet (SAFE). The primary goal of a SAFE scheme is to provide network scalability and autonomous fault detection and recovery. SAFE divides a large-scale, mission-critical network, such as the naval combatant network, into several subnets by limiting the number of nodes in each subnet. This network can be easily configured as a star network in order to meet fault recovery time requirements. For SAFE, we developed a novel mechanism for inter-subnet fault detection and recovery; a conventional Ethernet-based heartbeat mechanism is used in each subnet. Theoretical and experimental performance analyses of SAFE in terms of fail-over time were conducted under various network failure scenarios. The results validate our scheme.
The need for the OpenGL family of 3D rendering APIs is increasing rapidly, especially for graphical human-machine interfaces on various systems. In the safety-critical market for avionics, military, medical and automotive applications, OpenGL SC, the safety-critical profile of the OpenGL standard, plays the major role for graphical interfaces. In this paper, we present an efficient way of implementing the OpenGL SC 3D graphics API for environments with hardware-supported OpenGL 1.1 and its multi-texture extension, which is widely available on recent embedded systems. Our approach achieves the OpenGL SC features at low development cost on embedded systems and also on general personal computers. Our final result shows compliance with the OpenGL SC standard specification. From the efficiency point of view, we measured its execution times for various application programs, showing a remarkable speed-up.
Sho ENDO Takeshi SUGAWARA Naofumi HOMMA Takafumi AOKI Akashi SATOH
This paper presents a glitchy-clock generator integrated in an FPGA for evaluating fault injection attacks and their countermeasures on cryptographic modules. The proposed generator exploits the clock management capabilities common in modern FPGAs to generate a clock signal with a temporal voltage spike. The shape and timing of the glitchy-clock cycle are configurable at run time. The proposed generator can be embedded in a single FPGA without any external instrument (e.g., a pulse generator or a variable power supply). Such integration enables reliable and reproducible fault injection experiments. In this paper, we examine the characteristics of the proposed generator through experiments on the Side-channel Attack Standard Evaluation Board (SASEBO). The results show that the timing of the glitches can be controlled in steps of about 0.17 ns. We also demonstrate its application to the safe-error attack against an RSA processor.
The ITS (Intelligent Transport Systems) wireless communications system has been developed in Japan on the basis of leading-edge ICT (Information Communication Technologies). Comfort driving systems, for example VICS (Vehicular Information Communication System), ETC (Electronic Toll Collection) and Telematics, have already become popular, and safety driving support systems, such as ASV (Advanced Safety Vehicle) and SMARTWAY, have been scheduled for introduction in the near future. However, many issues remain in the comfort driving system because of traffic jams and the worldwide interest in economical cars. Moreover, the accelerating development of the Smart Grid and EVs (Electric Vehicles) would affect the future development of the ITS wireless communications system. In this paper, it is clarified that future development should proceed with consideration of one of the basic business rules, 'market-in and product-out'.