Model-Implemented Fault Injection for Robustness Assessment

The complexity of safety-related embedded computer systems is steadily increasing. Besides verifying that such systems implement the correct functionality, it is essential to verify that they also present an acceptable level of robustness. Robustness is in this thesis defined as the resilience of hardware, software or systems against errors that occur during runtime. One way of performing robustness assessment is to carry out fault injection, also known as fault insertion testing from certain safety standards. The idea behind fault injection is to accelerate the occurrence of faults in the system to evaluate its behavior under the influence of anticipated faults, and to evaluate error handling mechanisms. Model-based development is becoming more and more common for the development of safety-related software. Thus, in this thesis we investigate how we can benefit from conducting fault injection experiments on behavior models of software. This is defined as model-implemented fault injection in this thesis, since additional model artifacts are added to support the injection of faults that are activated during simulation. In particular, this thesis addresses injection of hardware fault effects (e.g. bit-level errors in microcontrollers) into Simulink® models. To evaluate the method, a fault injection tool has been developed (called MODIFI ), that is able to perform fault injection into Simulink behavior models. MODIFI imports tailored fault libraries that define the effects of faults according to an XML-schema. The fault libraries are converted into executable model blocks that are added to behavior models and activated during runtime to emulate the effect of faults. Further, we use a method called minimal cut sets generation to increase the usefulness of the tool. During the work within MOGENTES, an EU 7th framework programme project that focused on model-based generation of test cases for dependable embedded systems, fault injection experiments have been performed on safetyrelated models with the MODIFI tool. Experiments were also performed using traditional fault injection methods, and in particular hardware-implemented fault injection, to evaluate the correlation between the methods. The results reveal that fault injection on software models is efficient and useful for robustness assessment and that results produced with MODIFI appear to be representative for the results obtained with other fault injection methods. However, a software model suppresses implementation details, thus leading to fewer locations where faults can be injected. Therefore it cannot entirely replace traditional fault injection methods, but by performing model-implemented fault injection in early design phases an overview of the robustness of a model can be obtained, given these limitations. It can also be useful for testing of error handling mechanisms that are implemented in the behavior model.