Safety Critical Systems Design: Patterns and Practices for Designing Mission and Safety-Critical Systems*
Bruce Powel Douglass, Ph.D., Chief Evangelist, I-Logix
* Portions adapted from the author's book Doing Hard Time: Developing Real-Time Systems with UML, Objects, Frameworks, and Patterns, Addison-Wesley Publishing, 1999.
Safety Critical Systems Design - Object Management Group
• Off
  – Emergency stop: immediately cut power
  – Production stop: stop after the current task
  – Protection stop: shut down without removing power
• Partial Shutdown
  – Degraded level of functionality
• Hold
  – No functionality, but with safety actions taken
• Manual or External Control
• Restart
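Making the shutdown options above an explicit enumeration forces every fault handler to name the safe state it enters. The C sketch below is illustrative only: the `fault_severity_t` classification and the fault-to-state policy in `select_safe_state` are hypothetical assumptions, not a mapping given in the source; a real policy would be derived from the hazard analysis.

```c
#include <assert.h>
#include <stdbool.h>

/* Safe states from the slide, plus NORMAL for reference. */
typedef enum {
    STATE_NORMAL,            /* full functionality (not a safe state) */
    STATE_EMERGENCY_STOP,    /* Off: immediately cut power */
    STATE_PRODUCTION_STOP,   /* Off: stop after the current task */
    STATE_PROTECTION_STOP,   /* Off: shut down without removing power */
    STATE_PARTIAL_SHUTDOWN,  /* degraded level of functionality */
    STATE_HOLD,              /* no functionality, safety actions taken */
    STATE_MANUAL_CONTROL,    /* manual or external control */
    STATE_RESTART
} system_state_t;

/* Hypothetical fault classification, used only for this sketch. */
typedef enum {
    FAULT_NONE,
    FAULT_DEGRADED,      /* a redundant channel lost; service can continue */
    FAULT_RECOVERABLE,   /* transient fault expected to clear on restart */
    FAULT_SEVERE,        /* unsafe to continue, but power must stay on */
    FAULT_CRITICAL       /* immediate hazard: remove power now */
} fault_severity_t;

/* Hypothetical policy: pick the safe state for a detected fault.
   `operator_available` says whether a supervisor can take over. */
system_state_t select_safe_state(fault_severity_t fault, bool operator_available)
{
    switch (fault) {
    case FAULT_NONE:        return STATE_NORMAL;
    case FAULT_DEGRADED:    return STATE_PARTIAL_SHUTDOWN;
    case FAULT_RECOVERABLE: return STATE_RESTART;
    case FAULT_SEVERE:      return operator_available ? STATE_MANUAL_CONTROL
                                                      : STATE_PROTECTION_STOP;
    case FAULT_CRITICAL:    return STATE_EMERGENCY_STOP;
    }
    /* Unrecognized fault code (e.g. a corrupted value): most conservative state. */
    return STATE_EMERGENCY_STOP;
}
```

Because an unrecognized fault code falls through to an emergency stop, a corrupted fault value drives the system toward the most conservative state rather than toward continued operation.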
Eight Steps to Safety
1. Identify the Hazards
2. Determine the Risks
3. Define the Safety Measures
4. Create Safe Requirements
5. Create Safe Designs
6. Implement Safety
7. Assure the Safety Process
8. Test, Test, Test
Risk Assessment
• For each hazard
  – Determine the potential severity
  – Determine the likelihood of the hazard
  – Determine how long the user is exposed to the hazard
  – Determine whether the risk can be removed
TUV Risk Level Determination Chart*
[Figure: risk graph that combines the risk parameters below (S, E, G, W) to assign a TUV risk level from 1 to 8]
Risk Parameters:
S: Extent of Damage
  S1: Slight injury
  S2: Severe irreversible injury to one or more persons or the death of a single person
  S3: Death of several persons
  S4: Catastrophic consequences, several deaths
E: Exposure Time
  E1: Seldom to relatively infrequent
  E2: Frequent to continuous
G: Hazard Prevention
  G1: Possible under certain conditions
  G2: Hardly possible
W: Occurrence Probability of Hazardous Event
  W1: Very low
  W2: Low
  W3: Relatively high
*adapted from DIN V 19250
Sample Risk Assessments
Device                Hazard           Extent of Damage  Exposure Time  Hazard Prevention  Probability  TUV Risk Level
Microwave oven        Irradiation      S2                E2             G2                 W3           5
Pacemaker             Pace too slowly  S2                E2             G2                 W3           5
Pacemaker             Pace too fast    S2                E2             G2                 W3           5
Power station burner  Explosion        S3                E1             --                 W3           6
Airliner              Crash            S4                E2             G2                 W2           8
Safety Measures
• Safety measures do one of the following:
  – Remove the hazard
  – Reduce the risk
  – Identify the hazard to supervisory personnel
• The purpose of the safety measure is to ensure the system remains in a safe state
Risk Reduction
• Identify the fault
• Take corrective action, either:
  – Use redundancy to correct and move on (feedforward error correction)
  – Redo the computational step (feedback error detection)
  – Go to a fail-safe state
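The three corrective actions can be combined in one routine. This C sketch assumes a computation replicated on three channels (the `compute_fn` callback, `MAX_RETRIES`, and every function name here are hypothetical): a 2-out-of-3 vote masks a single bad copy and moves on (feedforward correction), a total disagreement causes the step to be redone (feedback), and exhausting the assumed retry budget ends in a fail-safe state. The `demo_*` functions exist only to inject faults for demonstration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Outcome of a protected computation. */
typedef enum { RESULT_OK, RESULT_CORRECTED, RESULT_FAIL_SAFE } action_t;

/* Hypothetical computation replicated on channels 0..2; `ctx` is caller state. */
typedef uint32_t (*compute_fn)(int channel, void *ctx);

/* Assumed retry budget; it must fit inside the fault tolerance time. */
#define MAX_RETRIES 2

/* 2-out-of-3 vote: true (and *out set) when at least two copies agree. */
bool vote_2oo3(uint32_t a, uint32_t b, uint32_t c, uint32_t *out)
{
    if (a == b || a == c) { *out = a; return true; }
    if (b == c)           { *out = b; return true; }
    return false;   /* no majority: the fault cannot be masked */
}

action_t compute_safely(compute_fn f, void *ctx, uint32_t *result)
{
    for (int attempt = 0; attempt <= MAX_RETRIES; ++attempt) {
        uint32_t a = f(0, ctx);
        uint32_t b = f(1, ctx);
        uint32_t c = f(2, ctx);
        uint32_t v;
        if (vote_2oo3(a, b, c, &v)) {
            *result = v;
            /* Feedforward: a single bad copy is outvoted and we move on. */
            return (a == b && b == c) ? RESULT_OK : RESULT_CORRECTED;
        }
        /* Feedback: no majority, so redo the computational step. */
    }
    return RESULT_FAIL_SAFE;   /* caller must enter a fail-safe state */
}

/* Demonstration only: channel 2 returns a corrupted value. */
uint32_t demo_one_bad_channel(int channel, void *ctx)
{
    (void)ctx;
    return channel == 2 ? 0xDEADBEEFu : 42u;
}

/* Demonstration only: the first attempt disagrees, later attempts agree. */
uint32_t demo_transient(int channel, void *ctx)
{
    int *calls = ctx;   /* counts calls across attempts */
    int n = (*calls)++;
    return n < 3 ? (uint32_t)channel : 7u;
}

/* Demonstration only: every attempt disagrees. */
uint32_t demo_all_disagree(int channel, void *ctx)
{
    (void)ctx;
    return (uint32_t)channel;
}
```

For example, `compute_safely(demo_one_bad_channel, NULL, &r)` returns `RESULT_CORRECTED` with `r` set to 42, because channel 2 is outvoted. Identical replicas only mask random faults; a shared design defect would make all three channels agree on the same wrong answer.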
Fault Identification at Run-time
• Faults must be identified (and handled) in less than the fault tolerance time (T_fault tolerance), the length of time a fault can be tolerated before it can lead to an accident
• Fault identification requires redundancy
• Redundancy can be in terms of
  – Channel
  – Device
  – Data
  – Control
• Redundancy may be either
  – Homogeneous (random faults only)
  – Heterogeneous (systematic and random faults)
• Redundancy is applied at both the architectural and the detailed design levels
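Data redundancy is often implemented by storing each safety-relevant variable together with its bitwise complement and checking the pair on every read. The C sketch below assumes that convention (the type and function names are hypothetical) and adds a check that a fault was handled within an assumed fault tolerance time measured in milliseconds. Both copies are written by the same code into the same RAM, so this is homogeneous redundancy: it catches random corruption such as a flipped bit, not a systematic software defect.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* A safety-relevant value stored twice: once as-is, once inverted. */
typedef struct {
    uint32_t value;
    uint32_t inverse;   /* always ~value while the data is intact */
} redundant_u32;

void rd_write(redundant_u32 *r, uint32_t v)
{
    r->value = v;
    r->inverse = ~v;
}

/* Returns false if the two copies disagree (data corrupted);
   *out is written only when the data is intact. */
bool rd_read(const redundant_u32 *r, uint32_t *out)
{
    if ((r->value ^ r->inverse) != UINT32_MAX)
        return false;
    *out = r->value;
    return true;
}

/* Hypothetical timing check: was the fault handled in less than the
   fault tolerance time? Unsigned subtraction tolerates wraparound of a
   free-running 32-bit millisecond counter. */
bool within_fault_tolerance_time(uint32_t fault_ms, uint32_t handled_ms,
                                 uint32_t tolerance_ms)
{
    return (uint32_t)(handled_ms - fault_ms) < tolerance_ms;
}
```

A failed `rd_read` is itself a detected fault: the caller should take one of the corrective actions listed under risk reduction rather than use either copy.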
Fault Tree Analysis Symbology
[Figure: standard fault tree symbols, one per item below]
• An event that results from a combination of events through a logic gate
• A basic fault event that requires no further development
• A fault event that is not developed further because the event is inconsequential or the necessary information is not available
• An event that is expected to occur normally
• A condition that must be present to produce the output of a gate
• Transfer
• AND gate
• OR gate
• NOT gate
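The gate semantics above can be made concrete with a small evaluator: basic events are leaves that are either present or absent, and AND, OR, and NOT gates combine their inputs to decide whether a higher-level event occurs. The C sketch below is a hypothetical illustration. The tree in `example_top_event` (a time-base fault that matters only if the watchdog also fails, OR a corrupted rate command) borrows event names from the pacemaker analysis, but its structure is invented for demonstration and is not the tree from that analysis.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

typedef enum { NODE_BASIC, NODE_AND, NODE_OR, NODE_NOT } node_kind;

typedef struct ft_node {
    node_kind kind;
    bool occurred;                   /* used only by NODE_BASIC leaves */
    const struct ft_node **inputs;   /* gate inputs; NOT uses inputs[0] */
    size_t n_inputs;
} ft_node;

/* Returns true if the event represented by `n` occurs. */
bool ft_eval(const ft_node *n)
{
    switch (n->kind) {
    case NODE_BASIC:
        return n->occurred;
    case NODE_AND:   /* output occurs only if every input occurs */
        for (size_t i = 0; i < n->n_inputs; ++i)
            if (!ft_eval(n->inputs[i])) return false;
        return true;
    case NODE_OR:    /* output occurs if any input occurs */
        for (size_t i = 0; i < n->n_inputs; ++i)
            if (ft_eval(n->inputs[i])) return true;
        return false;
    case NODE_NOT:
        return !ft_eval(n->inputs[0]);
    }
    return false;
}

/* Hypothetical example tree:
   top = (time-base fault AND watchdog failure) OR rate command corrupted */
bool example_top_event(bool timebase_fault, bool watchdog_failed,
                       bool command_corrupted)
{
    ft_node timebase = { NODE_BASIC, timebase_fault,    NULL, 0 };
    ft_node watchdog = { NODE_BASIC, watchdog_failed,   NULL, 0 };
    ft_node command  = { NODE_BASIC, command_corrupted, NULL, 0 };
    const ft_node *and_in[] = { &timebase, &watchdog };
    ft_node undetected = { NODE_AND, false, and_in, 2 };
    const ft_node *or_in[] = { &undetected, &command };
    ft_node top = { NODE_OR, false, or_in, 2 };
    return ft_eval(&top);
}
```

With this tree, `example_top_event(true, false, false)` is false: a time-base fault alone does not reach the top event while the watchdog still works, which is exactly the reasoning an AND gate captures.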
Subset of Pacemaker Fault Analysis
[Figure: fault tree relating the condition or event to avoid to secondary conditions or events and, through AND and OR gates, to primary or fundamental faults. Events shown include Pacing too slowly, Invalid Pacing Rate, Shutdown Fault, Time-base Fault, Bad Commanded Rate, Rate Command Corrupted, Crystal Failure, CRC Hardware Failed, Watchdog Failure, Software Failure, CPU Hardware Failure, and Data Corrupted in vivo.]
• Specific requirements should trace back to the hazard analysis
• Architectural framework should be selected with safety needs in mind
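Tracing requirements back to the hazard analysis can be checked mechanically. This C sketch assumes each safety requirement records the hazard it mitigates; the requirement IDs and the `requirement` type are hypothetical, and the hazard names are taken from the sample risk assessments. It counts requirements that trace to no known hazard and hazards that no requirement addresses.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    const char *id;          /* requirement ID, e.g. "SR-1" (hypothetical) */
    const char *hazard_id;   /* hazard it mitigates, or NULL if untraced */
} requirement;

/* Returns 1 if requirement `r` traces to hazard `h`. */
static int traces_to(const requirement *r, const char *h)
{
    return r->hazard_id != NULL && strcmp(r->hazard_id, h) == 0;
}

/* Number of traceability gaps: requirements with a missing or unknown
   hazard, plus hazards that no requirement covers. */
size_t trace_gaps(const char *const *hazards, size_t n_hazards,
                  const requirement *reqs, size_t n_reqs)
{
    size_t gaps = 0;

    for (size_t r = 0; r < n_reqs; ++r) {
        int known = 0;
        for (size_t h = 0; h < n_hazards && !known; ++h)
            known = traces_to(&reqs[r], hazards[h]);
        if (!known) ++gaps;    /* requirement does not trace to a hazard */
    }
    for (size_t h = 0; h < n_hazards; ++h) {
        int covered = 0;
        for (size_t r = 0; r < n_reqs && !covered; ++r)
            covered = traces_to(&reqs[r], hazards[h]);
        if (!covered) ++gaps;  /* hazard has no mitigating requirement */
    }
    return gaps;
}
```

A nonzero result points either to a requirement that cannot be justified by the hazard analysis or to a hazard that has no safety measure yet.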
Isolate Safety Functions
• Safety-relevant systems require 300-1000% more effort to produce
• Isolating the safety systems allows more expedient development
• Care must be taken that the safety system is truly isolated, so that a defect in the non-safety system cannot affect the safety system
  – Different processor
  – Different heavy-weight tasks (depends on
• Power On Self Test (POST)
  – Check for latent faults
  – All safety measures must be tested at power on and periodically
• RAM (stuck-at, shorts, cell failures)
• ROM
• Flash
• Disks
• CPU
• Interfaces
• Buses
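Two of the POST items above can be sketched in C: a March C- test for RAM and a CRC-32 over a ROM or Flash image. The function names are hypothetical, and comparing the CRC against a reference value stored at build time is an assumed convention. March C- (up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)) detects stuck-at faults and many coupling faults between different addresses; with only all-zero and all-one bytes it does not cover coupling between bits of the same byte. The test is destructive, so the region must be unused (or saved and restored) while it runs.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* March C- over a byte-addressed RAM region. Destroys its contents.
   `volatile` keeps the compiler from optimizing the reads away. */
bool ram_march_c_minus(volatile uint8_t *mem, size_t n)
{
    const uint8_t ZERO = 0x00, ONE = 0xFF;
    size_t i;

    for (i = 0; i < n; ++i) mem[i] = ZERO;                       /* up(w0) */
    for (i = 0; i < n; ++i) {                                    /* up(r0,w1) */
        if (mem[i] != ZERO) return false;
        mem[i] = ONE;
    }
    for (i = 0; i < n; ++i) {                                    /* up(r1,w0) */
        if (mem[i] != ONE) return false;
        mem[i] = ZERO;
    }
    for (i = n; i-- > 0;) {                                      /* down(r0,w1) */
        if (mem[i] != ZERO) return false;
        mem[i] = ONE;
    }
    for (i = n; i-- > 0;) {                                      /* down(r1,w0) */
        if (mem[i] != ONE) return false;
        mem[i] = ZERO;
    }
    for (i = 0; i < n; ++i)                                      /* up(r0) */
        if (mem[i] != ZERO) return false;
    return true;
}

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), e.g. to compare a
   ROM/Flash image with a checksum recorded when the image was built. */
uint32_t crc32_ieee(const uint8_t *data, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; ++i) {
        crc ^= data[i];
        for (int b = 0; b < 8; ++b)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
```

As a sanity check, this CRC-32 variant yields 0xCBF43926 for the ASCII string "123456789", the standard check value for the algorithm.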
Safety Testing During Operation
• Built-In Tests
  – Repeat some of POST
  – Data integrity checks
  – Index and pointer validity checking
  – Subrange value invariant assertions
  – Proper functioning
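The index, pointer, and subrange checks above can be written as small guard functions called from a periodic built-in test or at each use. In this C sketch the pacing-rate limits, the history buffer, and all names are hypothetical. Each check returns false so the caller can move to a fail-safe state, because the standard `assert` macro is disabled when `NDEBUG` is defined and should not be the only run-time protection.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RATE_MIN_PPM 30u    /* hypothetical subrange, pulses per minute */
#define RATE_MAX_PPM 180u
#define HISTORY_LEN  16u    /* hypothetical buffer size */

static uint32_t rate_history[HISTORY_LEN];

/* Subrange invariant: the value must lie within its legal range. */
bool rate_in_range(uint32_t rate_ppm)
{
    return rate_ppm >= RATE_MIN_PPM && rate_ppm <= RATE_MAX_PPM;
}

/* Index validity: reject an out-of-bounds index (or bad value) before use. */
bool history_store(size_t index, uint32_t rate_ppm)
{
    if (index >= HISTORY_LEN || !rate_in_range(rate_ppm))
        return false;
    rate_history[index] = rate_ppm;
    return true;
}

/* Pointer validity: non-null, inside the buffer, and element-aligned.
   Compares integer addresses, which assumes a flat address space. */
bool pointer_in_history(const uint32_t *p)
{
    uintptr_t base = (uintptr_t)rate_history;
    uintptr_t addr = (uintptr_t)p;
    if (p == NULL || addr < base)
        return false;
    return (addr - base) < sizeof rate_history &&
           (addr - base) % sizeof rate_history[0] == 0;
}
```

Converting to `uintptr_t` avoids relational comparison of pointers into different objects, which the C standard leaves undefined.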