Defect Prediction & Prevention In Automotive Software Development 11-Dec-2013 Rakesh Rana


Page 1

Defect Prediction & Prevention In Automotive Software Development
11-Dec-2013
Rakesh Rana

Page 2

Agenda

• Introduction: Why do we need to focus on reliability?

• Research Question

• Structure of thesis

• Reliability growth models – theory

• Defect Prediction: Chapters 2 – 4

• Defect Prevention: Chapters 5 – 6

• Conclusions

• Future research directions

Page 3

Road fatalities in the EU since 2001

• In 2011, more than 30,000 people died on the roads of the EU (the equivalent of a medium-sized town).

• For every death on Europe's roads there are an estimated 4 permanently disabling injuries, such as damage to the brain or spinal cord, 8 serious injuries and 50 minor injuries.

Source: EU Commission, Mobility and Transport, Road Safety; http://ec.europa.eu/transport/road_safety/specialist/statistics/

Page 4

Cars: Safety Goal

“Our aim for 2020 is that no one should be killed or seriously injured in a Volvo”
- Thomas Broberg, Volvo’s senior safety adviser, 2009

Source: The Volvo S60 concept, The New York Times; http://wheels.blogs.nytimes.com/2009/10/14/volvo-sets-a-lofty-safety-goal/?_r=0
http://www.industryweek.com/product-development/volvo-eyes-no-death-goal-its-new-cars-2020

"The car of the future will be just like the farmer's horse. The farmer can steer the horse and carriage but if he falls asleep the horse can still (get) back home. And if the farmer tries to steer the carriage against a tree or off a cliff, the horse will refuse"
- Anders Eugensson, Volvo's head of government affairs, Dec 2012 to Wall Street Journal

Page 5

Increasing role of Software in Cars

The first automotive ECU, a single-function controller, was introduced by GM in 1977.

By 1981, GM was using ~50,000 lines of code across its entire domestic passenger car production.

Today premium-class automobiles contain ~100 million lines of software code running on 70-100 microprocessor-based ECUs.

Source: http://www2.teknat.uu.se/forskning/program.php?vetenskapsid=1&hforskomr=6&id=39&lang=en
http://spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code

“It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway, and this software is only going to get more complex”
- Robert N. Charette, 2009 in IEEE Spectrum

Page 6

Cars and Software: Challenges

The cost of software and electronics can reach ~35 to 40% of the cost of a car.

Complexity also brings reliability issues with it:

In 2005, Toyota voluntarily recalled 160 000 Prius hybrids because of a software problem. The time needed to repair the software was ~90 minutes per vehicle!

In May 2008, Chrysler recalled 24 535 Jeep Commanders because of a problem in the automatic-transmission software.

In June 2008, Volkswagen recalled about 4000 Passats and about 2500 Tiguans because of a problem in the engine-control-module software.

In Nov 2008, GM recalled 12 662 Cadillac CTS because of a software problem.

Problems with repair and warranty:

More than 50% of the ECUs that mechanics replace in cars are technically error free: they exhibit neither a hardware nor a software problem.

50% of warranty costs (IBM).

Source: http://spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code

Page 7

Cars and Software: The Big Question

With so much more software in cars and its increasing complexity, how do we control the reliability issue?

Page 8

Reliability

Source: A. Avizienis, J. C. Laprie, and B. Randell, “Fundamental concepts of dependability,” Tech. Rep. Ser.-Univ. Newctle. Tyne Comput. Sci., 2001.

IEEE Standard 1633 (Recommended Practice on Software Reliability) defines software reliability as:

(A) The probability that software will not cause the failure of a system for a specified time under specified conditions.

(B) The ability of a program to perform a required function under stated conditions for a stated period of time.

Page 9

Reliability

Source: A. Avizienis, J. C. Laprie, and B. Randell, “Fundamental concepts of dependability,” Tech. Rep. Ser.-Univ. Newctle. Tyne Comput. Sci., 2001.

Dependability tree (part 1):

• Attributes: Safety, Reliability

Page 10

Reliability

Source: A. Avizienis, J. C. Laprie, and B. Randell, “Fundamental concepts of dependability,” Tech. Rep. Ser.-Univ. Newctle. Tyne Comput. Sci., 2001.

Dependability tree (part 2):

• Attribute in focus: Reliability

• Threats: Faults, Errors, Failures

• Means: Fault Prevention, Fault Tolerance, Fault Removal, Fault Forecasting

Page 11

Research Focus & Questions

Thesis

RG1. Evaluating the applicability of Software Reliability Growth Models (SRGMs) in the context of automotive software development (Prediction; addressed in chapters 2, 3 & 4)

• RQ1. Do SRGMs fit defect inflow data from the automotive domain?

• RQ2. What are the differences between the widely used parameter estimation methods?

• RQ3. Which SRGMs have the best long-term predictive power?

RG2. Propose and evaluate methods that can potentially increase the reliability of software in the automotive domain (Prevention; addressed in chapters 5 & 6)

• RQ4. How to use fault injection & mutation testing at the model level?

• RQ3. How to test models better in a simulated environment?

Page 12

Chapters 2 – 4: Defect prediction

Definition (IEEE standard 1044):

• defect: An imperfection or deficiency in a work product where that work product does not meet its requirements or specifications and needs to be either repaired or replaced.

Page 13

Software reliability growth models: Theory

Source: Wood, Alan. "Software reliability growth models." Tandem Technical Report 96 (1996).

Concave Models

• Assumption

• Examples: Exponential Model, Goel-Okumoto; Musa-Okumoto

S-Shaped Models

• Assumption

• Examples: Inflection-S, Delayed-S, Gompertz, logistic model.

Page 14

Chapter 2: Evaluation of standard reliability growth models in the context of automotive software systems*

*Proceedings of 14th Product-Focused Software Process Improvement (PROFES) 2013, Paphos, Cyprus

RQ1. Do SRGMs fit defect inflow data from the automotive domain?

• Objective: Do widely used software reliability growth models fit defect inflow data from the automotive domain?

• Method: Analytical study; we evaluated eight commonly used software reliability growth models on defect inflow data from the automotive domain (a large project on an active safety function).

• Results: While three-parameter models provide a good fit to the defect data, better results can be obtained by accounting for changes in the testing effort over calendar time.

Page 15

Chapter 2 (continued): Evaluation of standard reliability growth models in the context of automotive software systems

RQ1. Do SRGMs fit defect inflow data from the automotive domain?

Goodness of fit is measured by the mean squared error adjusted for the number of model parameters:

$$\mathrm{MSE} = \frac{\sum_{i=1}^{k} (a_i - p_i)^2}{k - q}$$

where a_i are the actual values and p_i the predicted values of the total number of defects for a data set of size k, and q is the number of parameters of the software reliability growth model equation.

Page 16

Chapter 3: Comparing between Maximum Likelihood Estimator and Non-Linear Regression estimation procedures for Software Reliability Growth Modelling*

*Proceedings of 23rd International Workshop on Software Measurement, IWSM-Mensura 2013, Turkey.

RQ2. Differences between the widely used parameter estimation methods?

• Objective: To explore the applicability of, and practical considerations for applying, two widely recommended and used parameter estimation methods:

– Maximum likelihood estimation (MLE)

– Non-linear regression estimation (NLR)

• Method: Analytical study comparing the parameter estimates obtained from these two methods for the same data set, and also comparing them to results obtained via empirical equations and those reported in an earlier study.

• Results: While MLE is the recommended estimator with superior statistical properties, its usability and applicability in all situations is questionable. We further provide an improved metric (BPRE) for comparing predictive accuracy.

Page 17

BPRE, Balanced Predicted Relative Error

Metric | Relative Error (RE) | Predicted Relative Error (PRE) | Balanced Predicted Relative Error (BPRE)
Formula | RE = (P − A) / A | PRE = (P − A) / P | BPRE = (P − A) / (ηP + (1 − η)(2A − P)), where η = 1 if P > A, 0 otherwise
Range | (−∞, ∞) | [0, 1) | [0, 1)
Over prediction | +20% | +16.67% | +16.67%
Under prediction | −20% | −25.0% | −16.67%

(P = predicted and A = actual total number of defects; the last two rows are for a prediction 20% above and 20% below the actual value.)

Page 18

Chapter 3 (continued): Comparing between Maximum Likelihood Estimator and Non-Linear Regression estimation procedures for Software Reliability Growth Modelling

RQ2. Differences between the widely used parameter estimation methods?

$$\mathrm{BPRE} = \frac{\text{Predicted} - \text{Actual}}{\eta \cdot \text{Predicted} + (1 - \eta)\,(2 \cdot \text{Actual} - \text{Predicted})}, \qquad \eta = \begin{cases} 1 & \text{if Predicted} > \text{Actual} \\ 0 & \text{if Predicted} < \text{Actual} \end{cases}$$
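Added example (not from the thesis): the three metrics of the BPRE table, computed on constructed values A = 100 with P = 120 and P = 80 (the +20% and −20% rows of the table), together with a check of the balance property that motivates BPRE.

```python
"""Relative Error (RE), Predicted Relative Error (PRE) and Balanced Predicted
Relative Error (BPRE) for a predicted (P) versus actual (A) total number of
defects. The sample values are constructed, not the thesis's project data."""


def relative_error(predicted, actual):
    """RE = (P - A) / A, unbounded in both directions."""
    return (predicted - actual) / actual


def predicted_relative_error(predicted, actual):
    """PRE = (P - A) / P. Bounded above by 1 for over-prediction, but an
    under-prediction grows without bound (P = A/2 already gives -100%)."""
    return (predicted - actual) / predicted


def balanced_pre(predicted, actual):
    """BPRE = (P - A) / (eta*P + (1 - eta)*(2A - P)), eta = 1 if P > A else 0.
    For under-prediction the denominator mirrors P about A, so misses of the
    same size above and below A get the same magnitude."""
    eta = 1 if predicted > actual else 0
    denominator = eta * predicted + (1 - eta) * (2 * actual - predicted)
    return (predicted - actual) / denominator


def error_table(actual, deviations=(0.2, -0.2)):
    """Rows (deviation, RE%, PRE%, BPRE%) for predictions that miss `actual`
    by each fractional deviation, rounded to two decimals."""
    rows = []
    for d in deviations:
        p = actual * (1 + d)
        rows.append((d,
                     round(100 * relative_error(p, actual), 2),
                     round(100 * predicted_relative_error(p, actual), 2),
                     round(100 * balanced_pre(p, actual), 2)))
    return rows


def is_balanced(actual, deviation):
    """True when |BPRE| is the same for over- and under-prediction by
    `deviation`; PRE does not have this property (compare -25% with +16.67%)."""
    over = balanced_pre(actual * (1 + deviation), actual)
    under = balanced_pre(actual * (1 - deviation), actual)
    return abs(abs(over) - abs(under)) < 1e-9
```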

Page 19

Chapter 4: Evaluating long-term predictive power of standard reliability growth models on automotive systems*

*Proceedings of the 24th IEEE International Symposium on Software Reliability Engineering, Pasadena, 2013

RQ3. Which SRGMs have the best long-term predictive power?

• Objective:

– Which SRGMs fit best to the defect data from automotive software projects?

– Which SRGMs have the best long-term predictive power?

– Which models' growth rates are consistent between projects over time?

• Method: Analytical study comparing seven widely used SRGMs on full & partial defect inflow data from four large automotive software projects.

Page 20

Chapter 4 (continued): Evaluating long-term predictive power of standard reliability growth models on automotive systems

RQ3. Which SRGMs have the best long-term predictive power?

• Results:

– Which SRGMs fit best to the defect data from automotive software projects?

– Which SRGMs have the best long-term predictive power?

– Which models' growth rates are consistent between projects over time?

[Chart: BPRE for different models using growth rate from project A (100% data). x-axis: Musa-Okumoto, Goel-Okumoto, Inflection-S, Delayed-S, Rayleigh, Gompertz, Logistic; y-axis: BPRE, 0% to 100%; series: PRE-100%, PRE-90%, PRE-70%, PRE-50%.]

[Chart: BPRE values (average across projects) for SRGMs using full & partial data. Same models on the x-axis and the same 0% to 100% y-axis; series: PRE-100%, PRE-90%, PRE-70%, PRE-50%.]

How to read the charts: BPRE ~100% means a very poor prediction; BPRE ~0% means the predicted total number of defects is close to the actual total. Each series is the same SRGM fitted on full and partial data (forecasting).
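The following is an added example, not the thesis's own code, that serves both the parameter-penalised MSE of Chapter 2 and the full-versus-partial-data forecasting of this chapter. The defect series, the parameter grids and the grid-search fitter (a stand-in for the NLR and MLE procedures of Chapter 3) are all constructed assumptions.

```python
"""Added example: fit SRGMs to a cumulative defect-inflow series and score them
(1) with the parameter-penalised MSE of Chapter 2, sum(a_i - p_i)^2 / (k - q), and
(2) Chapter 4 style, fitting on the first 50/70/90/100% of the series and
comparing the forecast total with the actual total. All inputs are constructed."""
import itertools
import math

# Constructed weekly cumulative defect counts, k = 12 weeks (not project data).
CUMULATIVE = [15, 26, 36, 44, 51, 56, 60, 64, 67, 69, 71, 73]

MODELS = {  # name: (mean value function m(t), number of parameters q)
    "Goel-Okumoto": (lambda t, a, b: a * (1 - math.exp(-b * t)), 2),
    "Inflection-S": (lambda t, a, b, c:
                     a * (1 - math.exp(-b * t)) / (1 + c * math.exp(-b * t)), 3),
}
# Coarse parameter grids for a, b, c; a model with q parameters uses the first q.
GRIDS = ([a for a in range(60, 121, 2)],
         [b / 100 for b in range(6, 61, 2)],
         [c / 5 for c in range(0, 26)])

def penalised_mse(actual, predicted, q):
    """Chapter 2 MSE over k - q degrees of freedom: an extra parameter must
    buy a real reduction in squared error to look better."""
    k = len(actual)
    if k <= q:
        raise ValueError("need more data points than model parameters")
    return sum((a - p) ** 2 for a, p in zip(actual, predicted)) / (k - q)

def fit(model_name, data):
    """Grid-search SSE minimisation (a stand-in for the NLR/MLE procedures of
    Chapter 3). Returns (params, predictions for t = 1..len(data))."""
    m, q = MODELS[model_name]
    best = None
    for params in itertools.product(*GRIDS[:q]):
        preds = [m(t, *params) for t in range(1, len(data) + 1)]
        sse = sum((a - p) ** 2 for a, p in zip(data, preds))
        if best is None or sse < best[0]:
            best = (sse, params, preds)
    return best[1], best[2]

def compare_fit(data=CUMULATIVE):
    """Penalised MSE of every model on the full series (Chapter 2)."""
    return {name: penalised_mse(data, fit(name, data)[1], MODELS[name][1])
            for name in MODELS}

def forecast_total(model_name, data=CUMULATIVE, fractions=(0.5, 0.7, 0.9, 1.0)):
    """Fit on a prefix of the series and forecast the total as m(T) at the last
    week T; returns {fraction: (forecast, relative deviation from actual)}."""
    m, _ = MODELS[model_name]
    out = {}
    for f in fractions:
        params, _ = fit(model_name, data[:max(3, round(f * len(data)))])
        forecast = m(len(data), *params)
        out[f] = (forecast, (forecast - data[-1]) / data[-1])
    return out
```

The relative deviation returned by forecast_total is the raw (Predicted − Actual)/Actual; feed the forecast and the actual total into the BPRE definition of Chapter 3 to reproduce the chart's metric.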

Page 21

Research Focus & Questions

Thesis

RG2. Propose and evaluate methods that can potentially increase the reliability of software in the automotive domain (Prevention; addressed in chapters 5 & 6)

Models used: SRGMs (Prediction); Functional Models w.r.t. MBD (Prevention)

Page 22

Chapter 5: Increasing Efficiency of ISO-26262 Verification and Validation by Combining Fault Injection and Mutation Testing with Model Based Development*

*8th International Joint Conference on Software Technologies - ICSOFT-EA, Reykjavik, Iceland, July 2013

RQ4. How to use fault injection & mutation testing at the model level?

• Objective:

– How can models be used more effectively for early verification and validation?

• Method: Descriptive-qualitative case study based on empirical observations, proposing a framework that combines fault injection and mutation testing at the model level in order to increase the efficiency of ISO-26262 compliance.

Page 23

Chapter 5 (continued): Increasing Efficiency of ISO-26262 Verification and Validation by Combining Fault Injection and Mutation Testing with Model Based Development

RQ4. How to use fault injection & mutation testing at the model level?

a) Assign TSRs (technical safety requirements) corresponding to FSRs (functional safety requirements) to Z-outputs

b) Inject faults (simulating common defects) to X-inputs

c) Identify critical fault scenarios; study fault propagation properties; build fault tolerance

d) Cause mutation to “n” blocks of the function & assess the effectiveness of the given test suite using mutation testing

e) Repeat steps (b) & (c) to test, correct & validate the function for its “d” dependencies

f) Examine mutations not killed; update test cases or build new ones to detect such failure scenarios/defects
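Added example, not the thesis's framework code: steps (a) to (f) applied to a constructed toy forward-collision brake function, written in Python in place of a Simulink model. Its TSR, the injected sensor faults, the mutants and the two test suites are all assumptions made for this example.

```python
"""Added example of steps (a)-(f) on a toy forward-collision brake function
(a Python stand-in for a Simulink block diagram). The function, its technical
safety requirement (TSR), the injected faults, the mutants and the test suites
are all constructed for this example, not the thesis's framework."""
TTC_LIMIT = 2.0  # seconds; brake when time-to-collision (TTC) is below this

def brake_request(speed, distance, tolerant=False, mutant=None):
    """Z-output: brake demand from X-inputs speed (m/s) and distance (m).
    `mutant` replaces one operator block; `tolerant` adds output saturation."""
    blocks = {"ttc": lambda d, v: d / v if v > 0 else float("inf"),
              "compare": lambda t: t < TTC_LIMIT,
              "gain": lambda t: 1.0 - 0.8 * t / TTC_LIMIT}
    if mutant:
        blocks.update(mutant)
    ttc = blocks["ttc"](distance, speed)
    if not blocks["compare"](ttc):
        return 0.0
    z = blocks["gain"](ttc)
    return min(1.0, max(0.0, z)) if tolerant else z

def tsr_holds(z):
    """(a) TSR assigned to the Z-output: a finite demand inside [0, 1]."""
    return z == z and 0.0 <= z <= 1.0  # z == z is False for NaN

FAULTS = {  # (b) common sensor defects, injected on the X-inputs
    "speed_stuck_at_zero": lambda v, d: (0.0, d),
    "distance_sign_flip": lambda v, d: (v, -d),
    "speed_out_of_range": lambda v, d: (1e6, d),
}

def critical_faults(speed=20.0, distance=30.0, tolerant=False):
    """(b)/(c) Faults under which the TSR is violated; tolerant=True shows
    that output saturation (the added fault tolerance) removes the violation."""
    return [name for name, fault in FAULTS.items()
            if not tsr_holds(brake_request(*fault(speed, distance),
                                           tolerant=tolerant))]

MUTANTS = {  # (d) each mutant alters one block of the (now tolerant) function
    "compare_le": {"compare": lambda t: t <= TTC_LIMIT},
    "gain_plus": {"gain": lambda t: 1.0 + 0.8 * t / TTC_LIMIT},
    "ttc_inverted": {"ttc": lambda d, v: v / d if d > 0 else float("inf")},
}

def mutation_score(test_suite):
    """(d)/(f) Run every test ((speed, distance), expected_z) against every
    mutant; return (killed fraction, names of the surviving mutants)."""
    survivors = [name for name, mutant in MUTANTS.items()
                 if all(abs(brake_request(*x, tolerant=True, mutant=mutant) - z)
                        < 1e-9 for x, z in test_suite)]
    return 1.0 - len(survivors) / len(MUTANTS), survivors

TESTS_V1 = [((20.0, 80.0), 0.0), ((20.0, 20.0), 0.6)]  # no test at TTC == limit
TESTS_V2 = TESTS_V1 + [((20.0, 40.0), 0.0)]            # (f) added; kills compare_le
```

Only the sign-flipped distance drives the unsaturated function outside its TSR, and only the boundary test added in TESTS_V2 kills the `<=` mutant; that surviving mutant is exactly what step (f) asks the tester to examine.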

Page 24

Chapter 6: Improving Fault Injection in Automotive Model Based Development using Fault Bypass Modelling*

*2nd Workshop on Software-Based Methods for Robust Embedded Systems, INFORMATIK, Germany, 2013

RQ3. How to test models better in a simulated environment?

[Diagram: Environment Model and SW system Model connected in closed loop; signals shown are Inp_1, Inp_2, Out_1, Out_2, Output and the natural/state parameter(s).]

• Objective:

– How can simulations of functional models be used effectively for early verification and validation?

• Method: Descriptive-qualitative case study based on an experiment; we propose and provide a proof-of-concept for “fault bypass modelling”, a simple yet effective framework for correct analysis of simulations in closed-loop mode.

Page 25

Chapter 6 (continued): Improving Fault Injection in Automotive Model Based Development using Fault Bypass Modelling

RQ3. How to test models better in a simulated environment?

[Block diagram: ABS Model in closed loop with an Environment Model; signals: Vehicle Speed, Wheel Speed, Control Signal, Relative Slip.]

[Chart: Vehicle and wheel speed with fault injection. x-axis: time in sec, 0 to 10; y-axis: speed in RPM, 0 to 140; series: Vehicle Speed, Wheel Speed.]

[Chart: Vehicle and wheel speed with fault injection (FBM). x-axis: time in sec, 0 to 14; y-axis: speed in RPM, 0 to 60; series: Vehicle Speed, Wheel Speed.]

Page 26

Conclusions

RG1. Evaluating the applicability of software reliability growth models in the context of automotive software development?

1. SRGMs are able to fit the defect inflow data from the automotive domain.

2. MLE vs. NLR

– MLE has superior statistical properties.

– MLE is not applicable in all cases.

– A new metric for predictive accuracy is introduced.

3. The Logistic and Gompertz models provide the best fit among widely used SRGMs; these models also provide the best long-term predictive power. The results also indicate that information (in the form of growth rates) can be used to improve the predictive power of most SRGMs.

Page 27

Conclusions

RG2. Propose and evaluate methods that can potentially increase the reliability of software in the automotive domain.

4. A framework that combines fault injection and mutation testing, applied to behavioural models, is introduced.

5. Fault Bypass Modelling, which helps to develop robust software, is introduced and a proof-of-concept is provided.

Page 28

Conclusions

Why predict and prevent software defects in the automotive domain?

• Predicting defect inflow helps us manage defects and testing resources effectively.

• Effective defect management and defect prevention increase the reliability of software in cars and thus of the cars themselves. It also translates to lower development costs and shorter time to market.

• Consumers get cars that are cheaper, safe and reliable.

• Lower ownership costs, and software makes it possible to add more innovations to cars.

Page 29

Future Research Directions

• Exploratory analysis of the defect inflow data distribution from industrial software projects

• Evaluating SRGMs and their long-term predictive power for embedded software projects from industry

• Exploring machine learning to predict defects and analyse risks in large software development projects

• SRGMs based on functional/behavioural models of software

• Measuring the impact of software quality and/or software reliability assessment on software development projects

Page 30

Thank You

Page 31

Back Up Slides

Source: Healing with Art, community on Facebook, https://www.facebook.com/photo.php?fbid=10151903164088141&set=a.378605758140.163024.14524668140&type=1&theater