White Paper – Fault Injection Testing for Automotive Software
Car systems are becoming ever more complex, while also taking on more responsibility for safety-related tasks, such as adaptive cruise control, with fully autonomous vehicles widely predicted to follow. To provide the necessary confidence in such automotive systems, they are designed to be fault tolerant and fail-safe. Positive testing should provide confidence that the system’s functional requirements are met, but for safety-related systems we also need to be sure that when the unexpected does occur the system is truly fault tolerant or will fail to a safe state. One way we address this is to perform negative testing in the form of fault injection testing – we deliberately inject faults into the system to assure ourselves that it reacts in the way we expected (i.e. safely).
Some of these scenarios should never occur in normal operation (e.g. a software task should never ‘die’ or get stuck in an infinite loop) and so cannot be provoked by normal system testing; with fault injection testing we create the fault scenario directly and measure the subsequent system behaviour to ensure it is safe.
Fault injection testing has been around for well over 30 years. It tests the dependability or robustness of a system in the presence of faults in the system’s environment (e.g. a faulty power supply, badly-formed input messages) and faults in the system itself (e.g. a flipped bit caused by cosmic radiation, poor design or bad coding). It can be applied throughout the lifecycle (from early modelling to the testing of the complete system) and typically supplements the more usual test techniques by targeting the code that exists only to handle exceptional situations, and so increases test coverage. When applied early in the lifecycle it is typically used to improve the design so that it copes with unexpected faults; later in the lifecycle it is used to obtain confidence that the mechanisms for achieving dependability are working, and to find defects in the implementation of the fault tolerant design.
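The following is an added illustration, not code from the white paper or from any automotive supplier, of what a software-level fault injection harness looks like for the fault classes just listed: a bit flipped in a sensor message, a well-formed but implausible message, and a control task that stops running (the ‘dead’ or stuck task above). The simulated controller, its plausibility limits, the XOR check byte, the watchdog threshold and the nominal speed profile are all constructed for the example. The point a practitioner should take from it is that each scenario is driven by the harness rather than waited for, and the measured outcome (which cycle the safe state was entered, if at all) is asserted against, so the exception-handling paths get executed and covered.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of fault the harness can inject (constructed for this example). */
typedef enum {
    FAULT_NONE,
    FAULT_BIT_FLIP,     /* one bit of the sensor word corrupted after the check byte was computed */
    FAULT_BAD_MESSAGE,  /* well-formed message carrying a physically implausible value */
    FAULT_TASK_STALL    /* control task stops running from a given cycle on (stuck or dead task) */
} fault_kind_t;

typedef struct {
    fault_kind_t kind;
    int cycle;   /* cycle at which the fault first appears */
    int bit;     /* FAULT_BIT_FLIP only: which bit (0-15) of the speed word to flip */
} fault_t;

typedef enum { STATE_NORMAL, STATE_SAFE } sys_state_t;

typedef struct {
    sys_state_t state;
    uint16_t speed_kph;      /* last accepted wheel-speed reading */
    int missed_heartbeats;
    bool heartbeat;          /* set by the control task each time it completes a cycle */
} controller_t;

#define SPEED_MAX_KPH   300  /* physical plausibility limit (assumed value) */
#define MAX_JUMP_KPH    20   /* largest credible change between consecutive readings (assumed value) */
#define WATCHDOG_LIMIT  2    /* missed heartbeats tolerated before the watchdog intervenes */

/* Simulated wheel-speed message: 16-bit value plus an XOR-of-bytes check byte. */
typedef struct { uint16_t speed; uint8_t check; } speed_msg_t;

static uint8_t check_byte(uint16_t v) { return (uint8_t)((v & 0xFFu) ^ (v >> 8)); }

/* Nominal sensor profile (constructed): 100 kph, accelerating 1 kph per cycle,
 * with the requested fault applied at the fault's cycle. */
static speed_msg_t read_sensor(int cycle, const fault_t *f) {
    speed_msg_t m;
    m.speed = (uint16_t)(100 + cycle);
    m.check = check_byte(m.speed);
    if (cycle == f->cycle) {
        if (f->kind == FAULT_BIT_FLIP) {
            m.speed ^= (uint16_t)(1u << f->bit);   /* check byte is now stale */
        } else if (f->kind == FAULT_BAD_MESSAGE) {
            m.speed = 0xFFFF;                       /* passes the check, fails plausibility */
            m.check = check_byte(m.speed);
        }
    }
    return m;
}

/* Control task: validate the reading, accept it or drop to the safe state, then kick the heartbeat. */
static void control_task(controller_t *c, int cycle, const fault_t *f) {
    if (f->kind == FAULT_TASK_STALL && cycle >= f->cycle)
        return;                                     /* stuck task: never reaches the heartbeat */
    speed_msg_t m = read_sensor(cycle, f);
    uint16_t delta = m.speed > c->speed_kph ? m.speed - c->speed_kph : c->speed_kph - m.speed;
    bool plausible = check_byte(m.speed) == m.check
                  && m.speed <= SPEED_MAX_KPH
                  && delta <= MAX_JUMP_KPH;
    if (plausible) c->speed_kph = m.speed;
    else           c->state = STATE_SAFE;           /* fail-safe: e.g. cruise control disengages */
    c->heartbeat = true;
}

/* Independent watchdog: runs every cycle whether or not the control task did. */
static void watchdog(controller_t *c) {
    c->missed_heartbeats = c->heartbeat ? 0 : c->missed_heartbeats + 1;
    c->heartbeat = false;
    if (c->missed_heartbeats >= WATCHDOG_LIMIT) c->state = STATE_SAFE;
}

/* Run one scenario for up to n_cycles. Returns the cycle at which the system
 * entered the safe state, or -1 if it stayed in normal operation throughout. */
int run_scenario(fault_t f, int n_cycles) {
    controller_t c = { STATE_NORMAL, 100, 0, false };
    for (int cycle = 0; cycle < n_cycles; cycle++) {
        control_task(&c, cycle, &f);
        watchdog(&c);
        if (c.state == STATE_SAFE) return cycle;
    }
    return -1;
}

int main(void) {
    fault_t scenarios[] = {
        { FAULT_NONE, 0, 0 },
        { FAULT_BIT_FLIP, 10, 3 },
        { FAULT_BIT_FLIP, 10, 15 },
        { FAULT_BAD_MESSAGE, 10, 0 },
        { FAULT_TASK_STALL, 10, 0 },
    };
    const char *names[] = { "no fault", "bit flip (bit 3)", "bit flip (bit 15)", "bad message", "task stall" };
    for (int i = 0; i < 5; i++) {
        int at = run_scenario(scenarios[i], 50);
        printf("%-18s -> %s", names[i], at < 0 ? "stayed NORMAL" : "SAFE state");
        if (at >= 0) printf(" at cycle %d", at);
        printf("\n");
    }
    return 0;
}
```

Two design points are worth noting. The watchdog is deliberately kept separate from the control task and runs every cycle regardless, because a stuck task cannot report its own failure; the stall scenario shows the resulting detection latency of one extra cycle, which is exactly the kind of measurement a fault injection campaign records. And the bad-message scenario is there to show that an integrity check alone is not a safety argument: the message is internally consistent, so only the plausibility check on the value catches it.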