Center for Transportation Studies

ITS Sensor

Fall 2001

Research explores the role of software in critical transportation systems

Mats Heimdahl, right, with students Peiquen Chen and Devaraj George.

When the software on your desktop computer crashes, you get a headache. But when the software in question is controlling the tail flaps of a jet aircraft—or the steering system of a minivan—the results can be catastrophic. Mats Heimdahl, associate professor of computer science and engineering at the University of Minnesota, is exploring problems faced by software engineers in a world increasingly dependent on computers. Heimdahl's Critical Systems Research Group (CriSys) has received funding from the National Science Foundation, the Defense Department, and NASA to explore issues in critical systems, and from the Minnesota Department of Transportation to investigate software issues in critical transportation systems.

"Fly-by-wire" avionics systems, in which the control surfaces and engines of an airplane are controlled by computers and software rather than steel cables and hydraulic lines connected directly to the pilot's controls, are a good example of a safety-critical system. But computerized controls are not just for airplanes anymore. "Drive-by-wire" systems are currently being developed, and Heimdahl predicts that such systems, used to control steering, braking, and other functions, will soon be as common in consumer automobiles as in commercial jetliners.

One advantage of fly-by-wire that could extend to drive-by-wire is that a computer can perform many additional tasks beyond simply executing the vehicle operator's commands. For example, in addition to implementing commands from the pilot's controls, the computer can perform constant adjustments to keep a naturally unstable plane flying smoothly, without the pilot ever knowing. In a more down-to-earth application, drive-by-wire could provide functions—like rear-wheel steering—that are impossible to implement using conventional mechanical systems. Such systems also promise to be cheaper to build than mechanical systems, as chips and wires replace expensive hydraulic cylinders and machine parts.

Nevertheless, introduction of software control typically brings the systems to a new level of complexity. The software often causes new and unforeseen interaction between systems that were unrelated before computer control was introduced to tie them together; these unforeseen interactions can have catastrophic consequences. Finally, as the automation becomes more complex, the opportunities for operator confusion increase. "It becomes imperative to provide the operator with a seamless, predictable set of controls and instruments that mimic the operating qualities of a mechanical system," says Heimdahl. All of these factors can make software development a major cost driver for new products.

The increased use of software in critical systems presents a new kind of challenge to engineers designing advanced vehicles, because software is not limited by the physical laws that constrain mechanical systems. Software's infinite flexibility can tempt designers to add a feature here, or make a minor change there, with consequences that are not fully understood until the system is nearing completion. And because software, unlike hardware, is essentially invisible, its complexity may not be apparent until it is too late to correct a problem.

The ability to formally specify the requirements for a software system, and to use this specification as a model for the development of the actual software, is a powerful technique for overcoming these challenges. To this end, Heimdahl and his students in CriSys have developed an approach—called specification-based prototyping—to simulate and validate formal specifications for process-control systems.

Within the context of specification execution and simulation, specification-based prototyping combines the advantages of traditional formal specifications (such as precision and easy analysis) with the advantages of rapid prototyping (such as risk management and early end-user involvement). The approach lets an engineer refine a formal executable model of the system requirements to a detailed model of the software requirements.

Throughout this refinement process, the specification is used as an early prototype of the proposed software. By using the specification as the prototype, most of the problems that plague traditional code-based prototyping disappear. First, the formal specification will always be consistent with the behavior of the prototype (excluding real-time response) and the specification is, by definition, updated as the prototype evolves. Second, the risk of evolving the prototype into a poorly designed production system is largely eliminated. Finally, the dynamic evaluation of the prototype can be augmented with formal analysis.
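The approach described above in miniature, as an added example that is not CriSys's code or tooling: a small executable specification of a control-by-wire mode logic (a hypothetical low-speed rear-wheel steering assist with MANUAL, ASSIST and FAULT modes, constructed for this illustration) in which one transition function serves both as the prototype, run over a scenario, and as the model for exhaustive analysis of safety properties. Because both uses read the same function, the specification cannot fall out of step with the prototype's behavior, which is the first advantage the text names; the `strict_reset` switch models the kind of "minor change" the article warns about, so the analysis has something to catch.

```python
"""Executable specification of a small control-by-wire mode logic.

The transition function below *is* the specification: the same function drives
the scenario simulation (the prototype) and the exhaustive analysis, so the two
cannot drift apart. The system modelled (a low-speed rear-wheel steering assist
with MANUAL / ASSIST / FAULT modes) is a constructed example, not a real product.
"""
from collections import deque
from dataclasses import dataclass
from itertools import product

MANUAL, ASSIST, FAULT = "MANUAL", "ASSIST", "FAULT"


@dataclass(frozen=True)
class Inputs:
    switch_on: bool  # operator requests the assist function
    sensor_ok: bool  # wheel-angle sensor self-test passes
    low_speed: bool  # vehicle speed is below the assist threshold


# Every combination of the (abstracted) inputs; the domain is finite, so the
# analysis can enumerate it completely.
ALL_INPUTS = [Inputs(*bits) for bits in product((False, True), repeat=3)]


def next_mode(mode: str, i: Inputs, strict_reset: bool = True) -> str:
    """Mode transition function. strict_reset=False models a tempting
    'convenience' change: resume assist automatically once the sensor recovers."""
    if not i.sensor_ok:
        return FAULT  # any sensor fault forces FAULT from every mode
    if mode == FAULT:
        if strict_reset:
            return FAULT if i.switch_on else MANUAL  # operator must release the switch
        return ASSIST if (i.switch_on and i.low_speed) else MANUAL
    # MANUAL and ASSIST share one rule: assist only while requested at low speed
    return ASSIST if (i.switch_on and i.low_speed) else MANUAL


def actuator_enabled(mode: str) -> bool:
    """Output function: the rear-wheel actuator is driven only in ASSIST."""
    return mode == ASSIST


# Safety properties, each evaluated on a (mode before, inputs, mode after) step.
PROPERTIES = {
    "actuator only with healthy sensor at low speed":
        lambda before, i, after: not actuator_enabled(after) or (i.sensor_ok and i.low_speed),
    "FAULT is left only into MANUAL":
        lambda before, i, after: not (before == FAULT and after == ASSIST),
}


def simulate(trace, start=MANUAL, strict_reset=True):
    """Dynamic evaluation: run the specification as a prototype over a scenario."""
    mode, history = start, []
    for i in trace:
        mode = next_mode(mode, i, strict_reset)
        history.append((mode, actuator_enabled(mode)))
    return history


def verify(start=MANUAL, strict_reset=True):
    """Formal analysis: breadth-first exploration of every reachable mode under
    every input, checking each property on each step.
    Returns (sorted reachable modes, list of violations)."""
    seen, frontier, violations = {start}, deque([start]), []
    while frontier:
        before = frontier.popleft()
        for i in ALL_INPUTS:
            after = next_mode(before, i, strict_reset)
            for name, holds in PROPERTIES.items():
                if not holds(before, i, after):
                    violations.append((name, before, i, after))
            if after not in seen:
                seen.add(after)
                frontier.append(after)
    return sorted(seen), violations


# Constructed scenario: assist engaged, sensor drops out, recovers, operator resets.
SCENARIO = [
    Inputs(switch_on=True, sensor_ok=True, low_speed=True),
    Inputs(switch_on=True, sensor_ok=True, low_speed=True),
    Inputs(switch_on=True, sensor_ok=False, low_speed=True),
    Inputs(switch_on=True, sensor_ok=True, low_speed=True),
    Inputs(switch_on=False, sensor_ok=True, low_speed=True),
    Inputs(switch_on=True, sensor_ok=True, low_speed=True),
]

if __name__ == "__main__":
    for step, (mode, out) in enumerate(simulate(SCENARIO), 1):
        print(f"step {step}: mode={mode:<6} actuator={'on' if out else 'off'}")
    for strict in (True, False):
        reachable, bad = verify(strict_reset=strict)
        print(f"strict_reset={strict}: reachable={reachable}, violations={len(bad)}")
        for name, before, i, after in bad:
            print(f"  {name}: {before} --{i}--> {after}")
```

The scenario run shows the prototype's behavior step by step, while `verify` covers every reachable mode under every input combination, which a handful of hand-written scenarios never does. With the strict reset the analysis reports no violations; with the "convenience" change it finds the single step in which a recovered sensor would re-engage the actuator without any operator action, the kind of unforeseen interaction the article describes.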

In order for control-by-wire systems to achieve their full potential, Heimdahl advocates more research in the area of software development for safety-critical systems. In addition, he recommends educating all engineering disciplines in the methods of software engineering—not just "programming." Software engineers should themselves be educated in the methods of the traditional engineering disciplines, to enable them to approach the design of critical software systems with the rigor of mechanical or electrical engineering.