- UL 4600 web site
- UL 4600 draft standard (with permission of Underwriters Laboratories) // Voting Version 13 December
- Latest topical presentation slides:
- Hot Papers:
- Koopman, P., Ferrell, U., Fratrik, F. & Wagner, M., "A Safety Standard Approach for Fully
Autonomous Vehicles," WAISE 2019, Sept. 2019.
- Koopman, P., Osyk, B. & Weast, J., "Autonomous Vehicles Meet the Physical
World: RSS, Variability, Uncertainty, and Proving Safety," SAFECOMP,
- Koopman, P., & Osyk, B., "Safety Argument
Considerations for Public Road Testing of Autonomous Vehicles," SAE
WXC, 2019-01-0123, Apr. 2019.
- Koopman, P., Kane, A. & Black, J., "Credible Autonomy
Safety Argumentation," Safety-Critical Systems Symposium, Bristol UK,
- Koopman, P. & Fratrik, F., "How many operational design domains,
objects, and events?" SafeAI 2019, AAAI, Jan 27, 2019.
- Pezzementi, Z., Tabor, T., Yim, S., Chang, J., Drozd, B., Guttendorf, D.,
Wagner, M., & Koopman, P., "Putting image
manipulations in context: robustness testing for safe perception,"
IEEE International Symposium on Safety, Security, and Rescue Robotics (SSRR),
- Koopman, P., "The
Heavy Tail Safety Ceiling," Automated and Connected Vehicle Systems
Testing Symposium, June 2018.
- Hutchison et al., "Robustness
Testing of Autonomy Software," ICSE-SEIP, 2018.
- Full paper list
- On-line course materials:
- Social Media:
My background includes time as a submarine officer for the US Navy, a
principal in a couple of small startups, an embedded CPU architect for Harris
Semiconductor, and an embedded system architect for United Technologies
Research Center. At Carnegie Mellon I've worked in the broad areas of wearable
computers, software robustness, embedded networking, dependable embedded
computer systems, and autonomous vehicle safety. My recent research interests
focus on self-driving car safety, embedded system dependability, safety
critical systems, embedded control networks, distributed embedded systems,
secure embedded systems, and embedded systems education. I'm also co-founder of
Edge Case Research. I'm a senior member of IEEE, senior member of the ACM, and
a member of IFIP WG 10.4 on
Dependable Computing and Fault Tolerance. I was awarded the 2018 IEEE-SSIT Carl
Barus Award for outstanding service in the public interest. As of 2019 I am
half-time at Carnegie Mellon University and half-time at Edge Case Research.
For more information, please see the links below:
Previous Projects and Other Topics:
Unintended Acceleration talk (on blogspot)
Investigations into potential causes of Unintended Acceleration (UA) for Toyota
vehicles have made news several times in the past few years. Some blame has
been placed on floor mats and sticky throttle pedals. But a jury trial verdict
found that defects in Toyota's Electronic Throttle Control System (ETCS)
software and safety architecture caused a fatal mishap. This verdict was based
in part on a wide variety of computer hardware and software issues. This talk
will outline key events in the still-ongoing Toyota UA story and pull together
the technical issues that have been discovered by NASA and other experts. The
results paint a picture that should inform not only future designers of
safety-critical software for automobiles but also all computer-based system
- Stress Tests for Autonomy Architectures (STAA)
This combines our experience with Ballista software robustness testing and
invariant-based embedded safety monitors to create a testing approach that will
help ensure autonomous vehicles and other robots are safe even if they
encounter unexpected or exceptional operating conditions. The follow-on is
called Robustness Inside-Out Testing (RIOT), although there is not a lot of
publicly available info on that right now.
- Invariant-Based Embedded System
Safety Monitor (Mini-poster)
Can we create a simple, generic safety shutdown building block? Ideally, what
we want is a standard component building block to ensure that a subsystem or
entire system gets shut down if it exhibits unsafe behavior, without having to
model the details of the design. Example result: these ideas have been
successfully applied to a prototype autonomous vehicle and a prototype
commercial vehicle technology demonstration platform.
- Cyclic Redundancy Checks (CRCs) and
A lot of the folklore on checksums isn't quite right.
We spent a considerable number of CPU-years crunching on a search for optimal
polynomials. And we found them. Currently we are working with the FAA applying
that knowledge to aviation applications.
- Embedded Network Gateway
How can you mitigate malicious and non-malicious timing fault propagation
across an embedded network gateway? Or, put another way, how can you keep your
car's radio from destabilizing your car's suspension system? Example result:
using a FIFO queue to mitigate timing clumps from an IT-style network to a
control network can be worse than just throwing clumped messages away.
Predictive filters look like a good way to go instead.
- Low Cost Embedded Network Message
How can you get cryptographically secure multicast authentication on a real
time embedded network such as CAN or FlexRay? You only have a few bits to spend
for this in each message, as well as limited memory and CPU power. Example
result: combining truncated authenticators from multiple message packets
provides a useful engineering tradeoff among bandwidth, attack resistance, and
- Embedded System Security
The rules of the embedded security game are likely to
differ from those of IT and desktop security. You can't just treat an embedded
computer like your desktop machine.
- Embedded System Safety
Embedded systems usually have the ability to release
energy into the environment via actuators. Any potentially uncontrolled release
of such energy is, by definition, a safety issue.
- Ballista -- Software Robustness
Some software isn't particularly robust to exceptional
inputs. We developed an automated approach to finding robustness
vulnerabilities in APIs, including POSIX and Windows. We found some
one-line programs that crashed mature commercial operating systems.
- Graceful Degradation
Wouldn't it be nice if systems failed soft instead of
failing hard, and did so without having to resort to brute force redundancy?
- System Architecture
How to figure out the pieces and how they fit together
in systems that are bigger than just a CPU or just a computer.
- Embedded Control Networks
These differ in many ways from IT style networks, and
we have worked on a variety of aspects.
- Distributed Embedded System
Distributed embedded systems have unique dependability
challenges, especially when theoretical ideas such as group membership and
periodic real time schedules meet the real world.
- Stack Computers
In a previous life I designed stack-based CPUs. While
they have fallen out of the mainstream, there is still quite a bit of interest,
so I maintain a page with my work in this area.
- Computer Architecture
In addition to stack computers, I've done a little bit
of work on supercomputer architecture and everyday CPU design.
- Embedded System Education
Consolidated list of Lecture Notes and
- 18-642 Embedded System
Software Engineering (Every Fall starting 2017, and one-time Spring in 2018)
- 18-649 Distributed Embedded Systems (every Spring starting
Spring 2007, and taught many previous years as 18-549; every Fall 2011-2015;
course number recycled to another course, so this points to an archive).
Complete lecture slides are on-line as an advanced
embedded systems tutorial.
- 18-348 Embedded System
Engineering (Fall 2006, 2007, 2009, every Spring 2012-2017)
- 18-849 Dependable Embedded
Systems (Fall 2005, 2008, 2010).
Includes an extensive reading list of scholarly papers
on distributed systems, dependability, safety, and more.
- 18-548, Memory System
Architecture (Fall 1998; discontinued).
An old course, but it has on-line lecture notes that
cover memory hierarchy top to bottom.
Click here for book information.
(Click here for author discount page)
Philip Koopman; Office voice: +1.412.268.5225 US Eastern Time
More Contact Info