Marginalizing Risk

A major focus of finance is reducing risk on investments, a goal commonly achieved by dispersing the risk among numerous investors. Sometimes, however, risk dispersion can cause investors to underestimate and under-protect against risk. Risk can even be so widely dispersed that rational investors individually lack the incentive to monitor it. This Article examines the market failures resulting from risk dispersion and analyzes when government regulation may be necessary or appropriate to limit these market failures. The Article also examines how such regulation should be designed,including the extent to which it should limit risk dispersion in the first instance

Informationsflussanalysen diskreter eingebetteter Regelkreise

Embedded systems used in safety-critical domains have to uphold strict safety and security requirements. At the same time, their complexity has been strongly increasing across application domains. To manage this rise in complexity, manufacturers have shifted towards model-driven development methodologies. While successful in managing the complexity in the development of large, interconnected systems, analysis and verification techniques for model-driven development methods and languages still have to reach a similar level of maturity as those for text-based imperative programming languages traditionally used in the development of safety-critical em bedded systems. In this thesis, we present an information flow analysis method for discrete embedded control system models, which has the potential to identify possible violations of both safety requirements and security policies by analyzing where and under which conditions information travels through a model. The main challenges such an information flow analysis faces are to (1) consider the specific semantics of the modeling languages, which heavily rely on concurrency and a complex notion of timing, and (2) relate the strongly different semantics of signal-flow-oriented and state-machine-based components, which comprise embedded control system models. Our major contribution is twofold: First, we provide an information flow analysis for the signal-flow-oriented components of an embedded control system model. The main idea of this analysis is that we only extract that information from an existing model which is required to analyze information flow in respect to both its timing and functionality. To this end, our technique captures timed path conditions, i.e., the precise control, data and timing conditions under which information flow is enabled as well as when and how these conditions are triggered. Second, we relate the inherently different semantics of the signal-flow-oriented and the state-machine-based components. To this end, we first translate the state-machine-based controller into a formally verifiable representation and, second, combine this representation with condition observer automata which we generate from the timed path conditions extracted in the first step of our method. This enables us to use the well-established technique of model checking to identify precisely the behavior that leads to the execution of information flow paths under analysis. To show the practical applicability of our approach, we have implemented it as a fully automatic and modular framework for MATLAB Simulink/Stateflow and Modelica, two widely used languages from the domain of embedded control systems, and applied our information flow analysis to two industrial case studies. In these case studies, we are able to verify integrity by checking that no information flow is possible from a non-critical to a critical component.Im sicherheitskritischen Bereich unterliegen eingebettete Systeme strengen Anforderungen an Ausfall- sowie Datensicherheit. Zugleich ist die Systemkomplexität in den vergangenen Jahren in allen Anwendungsbereichen stark gestiegen. Um diesem Anstieg zu begegnen, nutzen Hersteller modellgetriebene Entwicklungsansätze. Während Ansätze dieser Art bereits erfolgreich dazu genutzt werden, komplexe, miteinander verbundene Systeme zu entwickeln, haben Ansätze zur Analyse und Verifikation dieser Systeme noch nicht den Stand erreicht, den ähnliche Methoden für imperative Programmiersprachen aufweisen. In dieser Arbeit stellen wir eine Informationsflussanalyse für diskrete eingebettete Kontrollsystemmodelle vor, die es ermöglicht, Verletzungen von Ausfall- sowie Datensicherheitsanforderungen zu erkennen. Unsere Analyse verfolgt, wie und unter welchen Bedingungen Informationen durch ein Modell fließen. Die Herausforderungen in der Entwicklung einer solchen Analyse liegen in (1) der Berücksichtigung der spezifischen Semantik der Modellierungssprachen, welche auf komplexen zeitlichen Abhängigkeiten und Parallelität basieren, und (2) der Verbindung der stark heterogenen Semantiken der signalflussorientierten und jener auf Zustandsautomaten basierenden Komponenten, aus denen Kontrollsystemmodelle aufgebaut sind. Die vorliegende Arbeit leistet in diesem Gebiet zwei Beiträge. Zum einen eine Informationsflussanalyse für die signalflussorientierten Komponenten eines Kontrollsystemmodells. Diese Analyse basiert auf der Idee, nur diejenigen Informationen eines Modells zu extrahieren, die für die Analyse des Informationsflusses hinsichtlich des Zeitverhaltens und der Funktionalität des Modells relevant sind. Um dies zu ermöglichen, erfasst unser Ansatz timed path conditions, das heißt, diejenigen Bedingungen, die präzise das Kontroll-, Zeit-, und Datenverhalten abbilden,unter denen Informationsfluss stattfindet. Zum anderen schafft unsere Arbeit eine Verbindung zwischen den stark heterogenen Semantiken der signalflussorientierten und den auf Zustandsautomaten basierenden Komponenten. Unser Ansatz ermöglicht dies durch eine Übersetzung der Automaten in eine formal verifizierbare Darstellung, und die Kombination dieser Darstellung mit condition observer automata, welche wir aus den im ersten Schritt extrahierten timed path conditions generieren. Diese Verbindung der Semantiken ermöglicht uns, eine wohlfundierte Technik wie model checking zu nutzen, um genau das Verhalten des Zustandsautomaten zu identifizieren, welches zur Ausführung eines Informationsflusspfades führt. Um die Anwendbarkeit unseres Ansatzes unter Beweis zu stellen, präsentieren wir außerdem eine vollautomatische und modular aufgebaute Implementierung für M ATLAB Simulink/Stateflow und Modelica, zwei im Bereich sicherheitskritischer eingebetteter Software weit verbreitete Sprachen. Mithilfe dieser Implementierung konnten wir unseren Ansatz zur Informationsflussanalyse auf zwei Fallstudien aus dem industriellen Bereich anwenden. In beiden Fallstudien waren wir in der Lage, die Integrität kritischer Berechnungen sicherzustellen, indem wir Informationsfluss zwischen nicht-kritischen und sicherheitskritischen Komponenten ausschließen konnten

Development of a Predictable Hardware Architecture Template and Integration into an Automated System Design Flow

The requirements of safety-critical real-time embedded systems pose unique challenges on their design process which cannot be fulfilled with traditional development methods. To ensure their correct timing and functionality, it has been suggested to move the design process to a higher abstraction level, which opens the possibility to utilize automated correct-by-design development flows from a functional specification of the system down to the level of Multiprocessor Systems-on-Chip (MPSoCs). ForSyDe, an embedded system design methodology, presents a flow of this kind by basing system development on the theory of Models of Computation and side-effect-free processes, making it possible to separate the timing analysis of computation and communication of process networks. To be able to offer guarantees on the timing of tasks implemented on a MPSoc, the hardware platform needs to provide predictability and composability in every component, which in turn requires a range of special considerations in its design. This thesis presents a predictable and composable FPGA-based MPSoC template based on the Altera Nios II soft processor and Avalon Switch Fabric interconnection structure and its integration into the automated ForSyDe system design flow. To present the functionality and to test the validity of timing predictions, two sample applications have been developed and tested in the context of the design flow as well as on the implemented hardware platform

Einfluss der Kupfferzell-Depletion auf die hepatische Mikrozirkulation und die systemische Inflammation in der murinen polymikrobiellen Sepsis

Die abdominelle Sepsis ist nach wie vor mit einer erheblichen Mortalität verbunden. Häufig stellt eine sekundäre Peritonitis als Folge einer Hohlorganperforation oder Anastomoseninsuffizienz den Fokus dar, welcher sich rasch systemisch auswirkt. Durch den bakteriellen Abfluss der Bakterien über das portokavernöse System agiert die Leber als zentrale Filterstation und wird dabei gleichzeitig durch infiltrierende Leukozyten und schockbedingte Minderperfusion geschädigt. Verantwortlich für die bakterielle Clearance in der Leber sind die Kupfferzellen, die zudem durch Freisetzung pro- und antiinflammatorischer Mediatoren den systemischen Entzündungsverlauf entscheidend beeinflussen. In der vorliegenden Arbeit wurde der Einfluss der selektiven Kupfferzell-Depletion mittels Dichloromethylen-Bisphosphonat (Cl2MBP-Clodronat) im murinen Sepsismodell der Colon Ascendens Stent Peritonitis (CASP) auf die Mikrozirkulation der Leber mit Hilfe der intravitalen Fluoreszenzmikroskopie sowie mit ex vivo Analysen untersucht. Zudem erfolgte die Beurteilung der systemischen Reaktion hinsichtlich der Mortalität sowie der veränderten Freisetzung von Entzündungsmediatoren in Serum, Milz, Leber und Lunge. Die polymikrobielle Sepsis führte in der Leber zu einer erheblichen Perfusionsstörung nach 12h sowie zu einer signifikanten sinusoidalen Leukozytenstase nach 3h Sepsis, die nach 12h rückläufig war. Des Weiteren konnte ein deutlicher Anstieg der hepatozellulären Apoptose 12h nach CASP nachgewiesen werden. Die Kupfferzell-Depletion verminderte sowohl die sinusoidale Leukozytenstase als auch die hepatozelluläre Apoptose signifikant und wirkte somit protektiv in der Ausbildung des Leberschadens. Erstmals konnte eine reduzierte Leukozytenstase nach Kupfferzell-Depletion bei gleichzeitigem lokalem Anstieg von TNF nachgewiesen werden. Bezüglich der Phagozytoserate zeigte sich in der polymikrobiellen Sepsis eine initiale Hyperaktivität mit nachfolgender Erschöpfung der Kupfferzellen. Nach Clodronat-Applikation war, wie erwartet, die Phagozytoseaktivität zu beiden Zeitpunkten deutlich eingeschränkt. Systemisch führte die Kupfferzell-Depletion zu einer signifikant erhöhten Sterblichkeit in der CASP. Zudem kam es zu einem massiven Anstieg des TNF sowie einer signifikanten Reduktion des antiinflammatorischen IL-10 in Serum und Leber. Die Depletion der Kupfferzellen vor Induktion der polymikrobiellen Sepsis führte somit zu einem vermindertem hepatozellulärem Leberschaden bei gleichzeitig erhöhter Mortalität durch die uneingeschränkte Hyperinflammation. Die Blockade der Kupfferzellen zu einem späteren Zeitpunkt, in der Phase der Immunparalyse, wäre jedoch eine neue Möglichkeit zur Therapie sekundärer Infektionen in der Sepsis.Abdominal sepsis represents a persisting problem on surgical intensive care units. The liver as “first line” organ to be confronted with gut bacteria drained via the portal vein plays an important role during abdominal sepsis. Several local and systemic defence mechanisms of the innate immune system are initiated in the liver. Kupffer cells (KC) are critically involved in these processes by phagocytosis of bacteria, secretion of pro- and antiinflammatory cytokines as well as recruitment of other immune cells to the liver, e.g. neutrophils or monocytes. However, these mechanisms also provoke a progressive damage of the liver itself that may end up in fulminant hepatic failure. Intravenous or intraperitoneal administration of LPS caused significant sinusoidal perfusion failure in the liver. Additionally, increased leukocyte stasis within the sinusoids and consecutive parenchymatous infiltration of neutrophils were observed. These findings were associated with significant rates of hepatocellular apoptosis and increased plasma levels of ALT and AST demonstrating severe hepatic damage. In the past, KC have been extensively studied in the context of sepsis. However, many aspects of their function are still controversially discussed. This may be referred to the diversity of sepsis models but also to different used techniques of Kupffer cell depletion. Among them administration of Gadolinium chloride (GdCl3) impairs Ca2+ metabolism and therefore causes a reduced phagocytotic activity of KC obtaining depletion rates from 56 to 75%. However, contradictory results after treatment with GdCl3 in sepsis have been reported: improved hepatic microcirculation and survival benefit were observed but also increased mortality and elevated proinflammatory cytokines could be detected. Reduced leukocyte infiltration, decreased liver damage, and improved survival after GdCl3 treatment was mainly associated with significantly decreased TNF levels in models of LPS shock but also in polymicrobial cecal ligation and puncture. Therefore, TNF was thought to be a key player for the recruitment of inflammatory cells to the liver and for the initiation of hepatocellular apoptosis. In this study, the colon ascendens stent peritonitis (CASP) was used. In contrast to models of LPS shock, CASP is a model of polymicrobial abdominal sepsis that was shown to be clinically relevant as it mirrors a common course of systemic infection in surgical intensive care patients. Moreover, CASP is highly reproducible in comparison to CLP. For the first time, effects of CASP on hepatic microcirculation and hepatic failure were analyzed using intravital fluorescence microscopy. To address local and systemic functions of KC after CASP, KC were depleted by intravenous administration of liposome-encapsulated clodronate. In contrast to GdCl3 application, this method is nontoxic and allows a selective and complete depletion of KC without activation

Development of a Predictable Hardware Architecture Template and Integration into an Automated System Design Flow

The requirements of safety-critical real-time embedded systems pose unique challenges on their design process which cannot be fulfilled with traditional development methods. To ensure their correct timing and functionality, it has been suggested to move the design process to a higher abstraction level, which opens the possibility to utilize automated correct-by-design development flows from a functional specification of the system down to the level of Multiprocessor Systems-on-Chip (MPSoCs). ForSyDe, an embedded system design methodology, presents a flow of this kind by basing system development on the theory of Models of Computation and side-effect-free processes, making it possible to separate the timing analysis of computation and communication of process networks. To be able to offer guarantees on the timing of tasks implemented on a MPSoc, the hardware platform needs to provide predictability and composability in every component, which in turn requires a range of special considerations in its design. This thesis presents a predictable and composable FPGA-based MPSoC template based on the Altera Nios II soft processor and Avalon Switch Fabric interconnection structure and its integration into the automated ForSyDe system design flow. To present the functionality and to test the validity of timing predictions, two sample applications have been developed and tested in the context of the design flow as well as on the implemented hardware platform