

Slide 1

Dependability Assessment of Two Network Supported Automotive Applications

Ossama Hamouda, Mohamed Kaâniche, Karama Kanoun

HIDENETS: HIghly DEpendable IP-based NETworks and Services

NODES Winter School and Seminar
“Dependability and Computer Engineering: Concepts for Software Intensive Systems”; IGI Global book
1-3 February 2012, Turku, Finland

Slide 2

Context: communicating automotive systems

  • Wireless and mobile technologies for automotive applications
      - Car-to-car communication with server-based infrastructure
  • Increase traffic capacity and safety
  • Dependability challenges: design and assessment

[Figure: cars connected through UMTS, GPRS and WLAN access networks to servers over the Internet]

Slide 3

Applications

  • Virtual black box (VBB)
  • Automated highway systems (AHS)
      - Platooning
  • Aim
      - Quantify and analyze dependability
      - Support design tradeoffs

[Figure: VBB data storage: original data on the data owner's car, data replication and temporary backup on neighboring cars (contributors), storage reached over the Internet]

Slide 4

Challenges

  • Dynamicity/mobility
      - changing topologies and connectivity characteristics
  • Complexity
      - large number of components and interactions
      - multiple failure modes and recovery scenarios
  • Performance/dependability tradeoffs

☞ Compositional model-based approach integrating dependability & mobility related characteristics
      - Stochastic Activity Networks (SAN)
      - Möbius tool

Slide 5

Automated Highway Systems (AHS)

[Figure: traffic flow of platoons towards an exit; intra-platoon spacing ∆x = 1 to 5 m, inter-platoon spacing ∆y = 30 to 60 m]

  • Objective
      - Improve the flow and capacity of the traffic
      - Enhance safety by reducing accidents

Slide 6

Automated Highway Systems (AHS)

[Figure: traffic flow towards an exit, with a fixed infrastructure]

  • Intra-platoon coordination
      - Centralized
      - Decentralized
  • Inter-platoon coordination
      - Centralized
      - Decentralized
  • Objective
      - Improve the flow and capacity of the traffic
      - Enhance safety by reducing accidents

Slide 7

Aim

  • Quantify safety
      - Taking into account different types of failure modes affecting the vehicles or their communication, and the associated recovery maneuvers
  • Compare different coordination strategies

Slide 8

Failure modes and maneuvers

  • PATH project, Berkeley University, USA

Slide 9

Failure modes and maneuvers

[Figure: state diagram with failure modes FM1 to FM6 (KOAS, KOCS, KOGS, KOTIE, KOTIE-E, KOTIE-N) leaving the safe state, and v_KO / v_OK transitions]

Slide 10

Multiple Failures: Catastrophic situation

  • Catastrophic situation: combination of failure modes
  • Measure: Unsafety
      S(t) = Probability { system state at instant t ∈ ST1, ST2, or ST3 }

Slides 11–16

Modeling

  • Case study
      - Highway with 2 lanes
      - Vehicles may change from one lane to another
      - Maximum number of vehicles per platoon: N
  • SAN model (submodels One_vehicle ..., Dynamicity, Configuration, Severity)
      - One_vehicle: behavior of a vehicle as resulting from its failure modes and the maneuvers
      - Configuration: initializes the other submodels and synchronizes their evolution according to the whole system evolution
      - Dynamicity: models the dynamics of the system in the absence of failures, resulting from join and leave events that correspond to vehicles entering or getting out of the highway
      - Severity: describes the impact of multiple failures affecting several vehicles
  • SAN composed model

Slide 17

One-vehicle Sub Model (1-AHS)

[Figure: SAN of the One_vehicle submodel, highlighted in the composed model (One_vehicle ..., Dynamicity, Configuration, Severity); places and activities shown: IN, OUT, cc1–cc6, f1–f6, L1–L6, OG1–OG6, SM1–SM6, IG1–IG6, AS, GS, CS, TIE_E, TIE, TIE_N, fm1–fm6, back_to, v_KO, v_OK, get_out]

Slide 18

Number of Vehicles Impact

  • Centralized intra-platoon
  • Decentralized inter-platoon
  • Exponential distributions
      - L1 = λ
      - L2 = 2λ
      - L3 = 2λ
      - L4 = 2λ
      - L5 = 3λ
      - L6 = 4λ

λ = 10^-5 /hr, join rate = 12/hr, and leave rate = 4/hr, where λ is the smallest failure rate

[Figure: results plotted against N = number of vehicles]

Slide 19

Coordination Strategy

[Figure: results plotted against N = number of vehicles]

Slide 20

Automated Highway System: Summary

  • The analysis allowed us to quantify safety and perform a comparative analysis
  • Set by the designer:
      - Trip duration
      - Traffic dynamics
      - Platoon size
      - Coordination strategy

Slides 21–22

Virtual Black Box Application (VBB)

  • Objective
      - Collect relevant information related to a vehicle and its environment, in a manner similar to the black box of an aircraft
          - Replay historical data in the event of an accident
      - Software-based data storage on the fixed infrastructure
      - Need to protect data against accidental and malicious threats → use data replication
  • Dependability attributes
      - Data availability
      - Data integrity
      - Data confidentiality

Slide 23

Scenario

  • Data records continuously collected and temporarily stored on the vehicle
  • VBB resident on the infrastructure
  • To prevent data loss:
      - Data records are replicated and backed up on encountered cars (Participants)
      - Data stored on the infrastructure when access is available to Vehicle/Participants

[Figure: the VBB on the infrastructure holds the original data; records R1, R2, … Rn created at times t1, t2, … tn are replicated and temporarily backed up on encountered cars (Participants) and reach the infrastructure via the Internet]

When an accident occurs, the last z records gathered are sufficient to analyze the accident (or at least r among these z)

Slide 24

Data Records Replication

  • Replication strategies
      - Replication by duplication
          - Create full copies of the data record
      - Replication by fragmentation: erasure codes
          - Suitable to ensure data availability and confidentiality
  • Erasure code (n, k)
      - Generates n fragments of the data record that are disseminated to encountered cars
      - k fragments are sufficient to restore the original record
      - (n−k) fragment losses can be tolerated (besides the original record)
      - n = k = 1: replication by duplication
      - k ↑ → confidentiality ↑

Slide 25

Dependability Modeling

  • VBB unavailability assessment
  • Sensitivity analyses
      - Replication strategy: n, k
      - Number of records to analyze an accident: z, r
      - Other parameters
          - Rate of data loss (Vehicle/Participants): failure rate λ
          - Car-to-Car encounter rate: α
          - Car-to-Infrastructure connection rate: β
  • Two-step approach
      - Connectivity dynamics analysis
          - C2C and C2I encounter distributions and connection rates
      - Availability modeling based on stochastic models using the results of the connectivity analyses as an input

Slide 26

Estimation of connectivity dynamics: α, β

  • Techniques
      - Analytical proofs
      - Simulation
      - Processing of publicly available mobility traces
          - CRAWDAD: http://crawdad.cs.dartmouth.edu
          - Multi-agent traffic simulator developed by ETH Zürich: http://www.lst.inf.ethz.ch/research/ad-hoc/car-traces
  • Conclusions
      - C2C encounter times distribution
          - Freeways: Exponential
          - Urban traffic: Pareto
      - C2I encounter times distribution
          - Exponential

Slide 27

Simulation of a freeway scenario

[Figure: road segment of width W and length L with cars at positions (x1,y1) … (x6,y6), communication radius R, speed distribution f(v) in each direction, and a RAP]

  • Cars move independently according to speed distribution f(v)
      - opposite directions on upper and lower half
  • Uniform initial placement of cars (ρ: car density)
  • Fixed communication radius for the cars: R

Slide 28

Example of results: freeway mobility scenarios

[Figure: distributions of C2C encounter times and C2I encounter times]

α = 0.31 meet / sec ≈ 1116 meet / hr
β = 0.011 meet / sec ≈ 40 meet / hr

  • Exponential distribution well suited to describe C2C and C2I encounter times

Slide 29

Urban mobility scenarios

[Figure: C2C encounter time distribution from a CRAWDAD mobility trace]

α ≈ 0.3 meet / sec ≈ 1080 meet / hr
ρ ≈ 7 vehicles / km

Pareto provides a better fit than the exponential distribution

Slide 30

Virtual Black Box availability modeling

  • Unavailability measure: UA
      - Probability of data loss: more than r data records among the last generated z records lost
  • Modeling assumptions
      - Failures: data record loss times (Vehicle/Participants)
          - Exponentially distributed with rate λ
      - Mobility scenarios:
          - C2C encounter times: exponential distribution, rate α (Freeways); Pareto distribution (Urban traffic)
          - C2I encounter times: exponential distribution, rate β

Slide 31

System Model

  • Single data record behavior:
      - data loss
      - replication and storage at infrastructure
  • Loss of multiple data records

[Figure: composed model, with multiplicities z and 1 shown]

Slide 32

One_record submodel

  • One-record-created

[Figure: SAN of the One_record submodel: activities A (rate α), Dp (rate δ), Bp (rate β), Dv (rate δ), Bv (rate β), labelled C2C encounter, fragment loss, C2I encounter and data loss; places Start-id, Rec-id, OD, MF, SF, T-DS, DS (Data record Safe), T-DL, DL (Data record Lost); parameters: # fragments to create: n, # fragments on Participants]

Input predicates:

OD->Mark() == 1 && DS->Mark() == 0 && DL->Mark() == 0 && ( (MF->Mark() + SF->Mark()) < k )

DS->Mark() == 0 && DL->Mark() == 0 && SF->Mark() >= k
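As an added example tying together the parameters of slides 25 and 30 (λ, α, β, n, k, z, r) with the one-record behavior of slides 31 and 32, the Python below solves a simplified absorbing Markov chain for a single record by iteration and feeds the result into the slide 30 UA definition; it is this editor's simplification, not the authors' Möbius/SAN model. The rates α and β are the slide 28 freeway values, while λ = 1/hr and the independence of the z records are constructed assumptions.

```python
import math

def record_loss_probability(lam, alpha, beta, n, k, tol=1e-12, max_iter=10000):
    """P(one data record is eventually lost) in a simplified absorbing Markov chain
    (an assumption of this example, not the authors' SAN). State (orig, mf, sf):
    orig = 1 while the vehicle holds the original, mf = fragments on participants,
    sf = fragments stored on the infrastructure. Exponential events: alpha, a C2C
    encounter creates a fragment (while < n exist); beta, the vehicle uploads the
    original (Safe); mf*beta, a participant uploads its fragment; lam, the vehicle
    loses the original; mf*lam, a participant loses a fragment.
    Safe once sf >= k; Lost once orig == 0 and mf + sf < k."""
    states = [(o, mf, sf) for o in (0, 1) for mf in range(n + 1)
              for sf in range(n + 1 - mf)]
    def outcome(s):                      # 1.0 = Lost, 0.0 = Safe, None = transient
        o, mf, sf = s
        if sf >= k:
            return 0.0
        return 1.0 if o == 0 and mf + sf < k else None
    def moves(s):                        # (rate, next state); None = absorbed Safe
        o, mf, sf = s
        out = []
        if o == 1:
            if mf + sf < n:
                out.append((alpha, (1, mf + 1, sf)))
            out += [(beta, None), (lam, (0, mf, sf))]
        if mf > 0:
            out += [(mf * beta, (o, mf - 1, sf + 1)), (mf * lam, (o, mf - 1, sf))]
        return out
    p = {s: outcome(s) or 0.0 for s in states}
    transient = [s for s in states if outcome(s) is None]
    for _ in range(max_iter):            # Gauss-Seidel iteration on P(Lost | state)
        change = 0.0
        for s in transient:
            total = sum(r for r, _ in moves(s))
            val = sum(r / total * (0.0 if t is None else p[t]) for r, t in moves(s))
            change, p[s] = max(change, abs(val - p[s])), val
        if change < tol:
            break
    return p[(1, 0, 0)]

def unavailability(q, z, r):
    """UA as defined on slide 30: P{more than r of the last z records are lost},
    treating the z records as independent, each lost with probability q."""
    return sum(math.comb(z, j) * q**j * (1 - q)**(z - j) for j in range(r + 1, z + 1))

if __name__ == "__main__":
    alpha, beta, lam = 1116.0, 40.0, 1.0   # slide 28 freeway rates per hour; lam is constructed
    for n, k in ((0, 1), (1, 1), (3, 2)):  # no replication, duplication, (3,2) erasure code
        q = record_loss_probability(lam, alpha, beta, n, k)
        print(f"(n,k)=({n},{k}): record loss {q:.2e}, UA(z=10, r=2) {unavailability(q, 10, 2):.2e}")
```

With no replication the chain reduces to a race between loss (λ) and upload (β), so the record is lost with probability λ/(λ+β); replication lowers that figure, and UA then follows from the binomial tail.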

Slide 33

SAN composed model

Slide 34

Unavailability of one data record

Connectivity ratio: c = α/β

[Figure: unavailability of one data record versus failure rate, for urban networks and free highways]

Slide 35

VBB Unavailability

  • Replication by duplication vs no replication

[Figure: VBB unavailability versus failure rate, for urban networks and free highways]

Slide 36

Virtual Black Box: Summary

  • Combined modeling approach integrating dependability and connectivity dynamics
  • Sensitivity analyses
      - Replication strategies under different mobility scenarios
          - Replication vs no replication: significant improvement
          - Duplication vs erasure coding: same order of magnitude
      - Exponential vs Pareto distributed C2C encounters
          - Unavailability estimation may differ slightly (a few times) depending on the connectivity ratio and the failure rate

Slide 37

Summary and conclusion

  • Two case studies from the automotive domain that rely on mobile communication technologies and mobile ad-hoc networks, assessing safety (AHS) or availability (VBB)
  • Compositional modeling approach integrating dependability and connectivity dynamics
      - Master the complexity of the models while taking into account the dynamic behavior of the components
      - Easily adaptable for other scenarios
          - Other mobility scenarios
          - Higher number of platoons, …
  • More details in Ossama Hamouda's thesis: “Dependability modelling and evaluation of vehicular applications based on mobile ad-hoc networks”, http://tel.archives-ouvertes.fr/tel-00546260/fr/