REDUCTION OF HAZARDOUS MATERIALS OR CONDITIONS

Software should contain only code that is absolutely necessary to achieve required functionality.
  - Implications for COTS: extra code may lead to hazards and may make software analysis more difficult.
Memory not used should be initialized to a pattern that will revert to a safe state.

Turbine-Generator Example

Safety requirements:
  1. Must always be able to close steam valves within a few hundred milliseconds.
  2. Under no circumstances can steam valves open spuriously, whatever the nature of the internal or external fault.
Divided into two parts (decoupled) on separate processors:
  1. Non-critical functions: loss cannot endanger the turbine nor cause it to shut down.
     - less important governing functions
     - supervisory, coordination, and management functions
  2. Small number of critical functions
Turbine-Generator Example (2)

Uses polling: no interrupts except for fatal store fault (nonmaskable).
  - Timing and sequencing thus defined
  - More rigorous and exhaustive testing possible
All messages unidirectional:
  - No recovery or contention protocols required
  - Higher level of predictability
Self-checks of:
  - Sensibility of incoming signals
  - Whether processor is functioning correctly
Failure of a self-check leads to reversion to the safe state through fail-safe hardware.
State table defines:
  - Scheduling of tasks
  - Self-check criteria appropriate under particular conditions

Hazard Reduction

Passive safeguards: maintain safety by their presence; fail into safe states.
Active safeguards: require the hazard or condition to be detected and corrected.
Tradeoffs:
  - Passive safeguards rely on physical principles; active safeguards depend on less reliable detection and recovery mechanisms.
  - BUT passive safeguards tend to be more restrictive in terms of design freedom and are not always feasible to implement.
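The polling loop, state table and self-checks of the turbine-generator example, as an added C example that is not from the lecture. States, sensor names and thresholds are constructed; every table slot is filled so that an unused or unexpected state index resolves to the fail-safe task rather than to uninitialised memory, and any failed self-check reverts to the safe state (valves closed).

```c
/* Added example, not from the lecture: a polling-style critical loop driven by a
   state table, in the spirit of the turbine-generator slides. States, sensor
   names and thresholds are constructed for illustration. */
#include <stdbool.h>
#include <stdlib.h>

typedef enum { ST_STARTUP, ST_RUNNING, ST_SAFE, ST_COUNT } State;

typedef struct { int speed_rpm; } Inputs;          /* polled each cycle, never interrupt-driven */

/* One table row: the task scheduled in this state and the self-check criteria
   that define a "sensible" speed reading while in it. */
typedef struct {
    State (*task)(const Inputs *now);               /* returns the next state if checks pass */
    int min_rpm, max_rpm;
    int max_rpm_step;                               /* largest credible change between two polls */
} Row;

static bool valves_closed = true;                   /* true = the safe state */

static State task_startup(const Inputs *now) { return now->speed_rpm >= 2500 ? ST_RUNNING : ST_STARTUP; }
static State task_running(const Inputs *now) { (void)now; return ST_RUNNING; }
static State task_fail_safe(const Inputs *now) { (void)now; valves_closed = true; return ST_SAFE; }

/* State table: scheduling plus per-condition self-check criteria. Every slot is
   populated, so no index ever dispatches through an uninitialised entry. */
static const Row TABLE[ST_COUNT] = {
    [ST_STARTUP] = { task_startup,   0,    3000, 300 },
    [ST_RUNNING] = { task_running,   2500, 3600, 50  },
    [ST_SAFE]    = { task_fail_safe, 0,    0,    0   },
};

/* Processor self-check: a computation with a known answer, run every cycle. */
static bool cpu_self_check(void) { return (7 * 13) == 91; }

static bool inputs_sensible(const Row *r, const Inputs *now, const Inputs *prev) {
    if (now->speed_rpm < r->min_rpm || now->speed_rpm > r->max_rpm) return false;
    return abs(now->speed_rpm - prev->speed_rpm) <= r->max_rpm_step;
}

/* One polling cycle: self-checks first, then the scheduled task. Any failure,
   or an out-of-range state value, reverts to the safe state (valves closed). */
State poll_cycle(State s, const Inputs *now, const Inputs *prev) {
    if ((unsigned)s >= ST_COUNT) return task_fail_safe(now);
    const Row *r = &TABLE[s];
    if (s == ST_SAFE || !cpu_self_check() || !inputs_sensible(r, now, prev))
        return task_fail_safe(now);
    valves_closed = false;                          /* governing continues */
    return r->task(now);
}

bool valves_are_closed(void) { return valves_closed; }
```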
Design for Controllability

Make the system easier to control, both for humans and computers.
  - Use incremental control: perform critical steps incrementally rather than in one step.
  - Provide feedback: to test the validity of the assumptions and models upon which decisions are made, and to allow taking corrective action before significant damage is done.
  - Provide various types of fallback or intermediate states
  - Lower time pressures
  - Provide decision aids
  - Use monitoring

Monitoring

Difficult to make monitors independent:
  - Checks require access to the information being monitored, but this usually involves the possibility of corrupting that information.
  - Monitoring depends on assumptions about the structure of the system and about the errors that may or may not occur; these may be incorrect under certain conditions.
  - Common incorrect assumptions may be reflected both in the design of the monitor and in the devices being monitored.