Safety Critical Systems Analysis
K. Amarendra α, A. Vasudeva Rao Ω
© 2011 K. Amarendra, A. Vasudeva Rao. This is a research/review paper, distributed under the terms of the Creative Commons Attribution-Noncommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
Global Journal of Computer Science and Technology, Volume XI, Issue XXI, Version I, December 2011

Abstract - A brief overview of the fields that must be considered when designing and implementing safety-critical systems is presented. The notion of safety is most likely to come to mind when we drive a car, fly on an airliner, or take an elevator ride. In each case, we are concerned with the threat of a mishap, which is defined as an unplanned event or series of events that results in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
Keywords: Safety, Design, Implementation, Applications

I. INTRODUCTION
A safety-critical system is a system where human safety depends upon the correct operation of the system. Safety is considered not only for software elements but also for hardware, electrical hardware, operators or users, etc. If the failure of a system could lead to consequences that are determined to be unacceptable, then the system is safety-critical.
"Safety-critical systems" is a term whose customary meaning is systems whose failure might endanger human life, lead to substantial economic loss, or cause extensive environmental damage. Many modern systems depend on computers for their correct operation. The future is likely to increase dramatically the number of computer systems that we consider to be safety-critical. The dropping cost of hardware, the improvement in hardware quality, and other technological developments ensure that new applications will be sought in many domains.
Separating safety-critical and safety-related systems from systems where safety integrity cannot be established or maintained is an important aspect of system safety design. When implementing a system safety program it is important to suspect all components of being unsafe unless assured otherwise, and then to target the few areas to which safety requirements are allocated. Coupling between components of complex systems can be subtle, and interaction with non-safety-related systems has led to harmful outcomes in safety-related systems.

Traditional Areas
Traditional areas that have been considered the home of safety-critical systems include medical care, commercial aircraft, nuclear power, and weapons. Failure in these areas can quickly lead to human life being put in danger, loss of equipment, and so on. Computers are used in medicine far more widely than most people realize. The idea of using a microprocessor to control an insulin pump is quite well known. The fact that a pacemaker is largely a computer is less well known. The extensive use of computers in surgical procedures is almost unknown except by specialists. Computerized equipment is making inroads in procedures such as hip replacement, spinal surgery, and ophthalmic surgery. In all three of these cases, computer-controlled robotic devices are replacing the surgeon's traditional tools and providing substantial benefits to patients.

Non-Traditional Areas
The scope of the safety-critical system concept is broad, and that breadth has to be taken into account when practitioners and researchers deal with specific systems. Some examples of non-traditional systems are transportation control, banking and financial systems, electricity generation and distribution, telecommunications, and the management of water systems. All of these applications are extensively computerized, and computer failure can and does lead to extensive loss of service with consequent disruption of normal activities. A closer examination of the topic reveals that many new types of system have the potential for very high consequences of failure, and these systems should probably be considered safety-critical also. It is obvious that the loss of a commercial aircraft will probably kill people. It is not obvious that loss of a telephone system could kill people.

Author α: Associate Professor & Head, Department of Computer Science & Engineering, Dadi Institute of Engineering & Technology, Anakapalle – 531002, Visakhapatnam Dt, India. E-mail: [email protected]
Author Ω: Associate Professor, Department of Computer Science & Engineering, Dadi Institute of Engineering & Technology, Anakapalle – 531002, Visakhapatnam Dt, India. E-mail: [email protected]
© 2011 Global Journals Inc. (US)
Widespread loss of transportation services, such as rail and trucking, would affect food and energy distribution. It is prudent to put the computer systems upon which critical infrastructures depend into the safety-critical category.

II. SAFETY BOUNDARIES
Functional Safety Boundaries

identify boundaries that don't involve the possibility of common-cause failures. Common-cause failures and dependencies extending over the distributed communication networks must also be considered, and the functional safety boundary set accordingly. These may include:
• Global variables accessed by network
• Security attack and security blocking issues
critical systems. The degree of flexibility offered by the protocol exists in order to allow experimentation with, and provision of, higher layer protocols (HLP). Still another issue is the application of inter-networking (using bridges, switches, and routers) at the vehicle level.
d. Safety Engineering: System (availability) reliability deals with the problem of ensuring that a system performs a required task or mission for a specified time. System safety is concerned with ensuring that a mishap does not occur in the process. Usually several kinds of failure exist, such as benign failures and catastrophic failures.
e. Reliability Engineering: It deals with the continued operation of a system even under the failure of system components. The primary mechanism is the use of redundant components to design fault-tolerant systems. There are two schemes for handling the replacement of failed components: static and dynamic redundancy.
f. Real-time Engineering: Techniques for ensuring that a system meets its timeliness requirements are important for safety-critical applications. A distinction is made between hard real-time and soft real-time systems. Safety-critical systems certainly belong to the category of hard real-time systems. To see whether a system meets its real-time requirements, schedulability analysis is used, and this methodology is well known for single-processor and multiprocessor operating systems.
g. Systems Engineering: Systems engineering emphasizes formal processes that start with a system's requirements and specification, and include an iterative design, test, and verification cycle.

IV. APPLICATIONS
Safety-critical systems are those whose failure results in loss of life, property damage, or damage to the environment. There are many well-known examples in application areas such as medical devices, aircraft flight control, weapons, and nuclear systems.
An example of a safety-critical system is an aircraft fly-by-wire control system, where the pilot inputs commands to the control computer using a joystick, and the computer manipulates the actual aircraft controls. The lives of hundreds of passengers are totally dependent upon the continued correct operation of such a system.
Moving down to earth, railway signalling systems must enable controllers to direct trains while preventing trains from colliding. Like an aircraft fly-by-wire system, lives depend upon the correct operation of the system. However, there is always the option of stopping all trains if the integrity of the system becomes suspect. You can't just stop an aircraft while the fly-by-wire system is fixed!
Software in medical systems may be directly responsible for human life, such as metering safe amounts of X-rays. Software may also be involved in providing humans with information, such as information which a doctor uses to decide on medication. Both types of system can impact the safety of the patient.
Big civil engineering structures are designed on computers and tested using mathematical models. An error in the software could conceivably result in a bridge collapsing. Aircraft, trains, ships and cars are also designed and modelled using computers.
Even something as simple as traffic lights can be viewed as safety-critical. An error giving green lights to both directions at a crossroads could result in a car accident. Within cars, software involved in functions such as engine management, anti-lock brakes, traction control, and a host of other functions could potentially fail in a way which increases the likelihood of a road accident.

V. CHALLENGES
In one way or another, many people in the software business are working on safety-critical systems technology. Many more systems than one might expect have to be viewed as safety-critical, and the number is increasing all the time. So what are the major challenges that we face?
In some cases, what amounts to completely new technology is required. The number of interacting safety-critical systems present in a single application will force the sharing of resources between systems. This will eliminate a major architectural element that gives confidence in correct operation: physical separation. Knowing that the failure of one system cannot affect another greatly facilitates current analysis techniques. This will be lost as multiple functions are hosted on a single platform to simplify construction and to reduce power and weight requirements. Techniques that provide high levels of assurance of non-interference will be required.
Breakdowns in the interplay between software engineering and systems engineering remain a significant cause of failures. It is essential that comprehensive approaches to total system modelling be developed so that properties of entire systems can be analysed. Such approaches must accommodate software properly and provide high-fidelity models of critical software characteristics. They must also deal with the issue of assured non-interference.
Defective software specifications are implicated in many serious failures, and it is clear that we have difficulty stating exactly what software is required to do. There are many aspects of specification that are not supported by any current technique, and, even where specification techniques do exist, there remains a lack of integration to permit whole-specification analysis.

VI. DESIGNING
The design of any safety-critical system must be as simple as possible, taking no unnecessary risks.
From the software point of view, this usually involves minimizing the use of interrupts and minimizing the use of concurrency within the software. Ideally, a safety-critical system requiring a high integrity level would have no interrupts and only one task. However, this is not achievable in practice.
There are two distinct philosophies for the specification and design of safety-critical systems:
• To specify and design a "perfect" system, which cannot go wrong because there are no faults in it,

engineer safe mechanical systems than safe computing systems, particularly when software is a major component of the engineered system. With the increased use of software in safety-critical components of complex systems, government agencies and other institutions are increasingly including requirements for software hazard analysis and verification of software safety.
Security: It has become clear that security attacks against information systems are a large and growing problem. Attacks against both public and
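The Reliability Engineering item in Section III names static and dynamic redundancy without showing what separates them. The following Python is an added example (editor-supplied, not code from the paper): a triple-modular-redundancy voter, which masks one faulty replica without anyone having to detect it, beside a standby-sparing channel, which must detect the fault before it can switch to the spare. The replica behaviours (good, noisy, stuck-at, hung), the agreement tolerance and the 10..40 plausibility range are constructed for the illustration.

```python
"""Static versus dynamic redundancy (constructed example, not from the paper)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Output = Optional[float]          # None models a replica that hung and produced nothing


@dataclass
class Replica:
    name: str
    compute: Callable[[float], Output]   # raw sensor input -> processed output


def tmr_vote(results: List[Tuple[str, Output]], tol: float = 0.5) -> Tuple[Output, List[str]]:
    """Static redundancy: majority vote over replica outputs.

    Two outputs agree when both exist and differ by at most `tol`.  A single
    faulty replica is masked without anyone having to detect which one failed.
    If no strict majority agrees the voter returns None, which the caller must
    treat as loss of the whole channel rather than as a value.
    """
    for _, vi in results:
        if vi is None:
            continue
        agreed = [n for n, v in results if v is not None and abs(v - vi) <= tol]
        if len(agreed) * 2 > len(results):            # strict majority around vi
            return vi, [n for n, _ in results if n not in agreed]
    return None, [n for n, _ in results]


def run_tmr(replicas: List[Replica], sensor_input: float, tol: float = 0.5):
    return tmr_vote([(r.name, r.compute(sensor_input)) for r in replicas], tol)


class StandbySystem:
    """Dynamic redundancy: one active replica, the others are spares.

    A fault has to be *detected* before the spare is switched in; here the
    detector is a plausibility (range) check on the output.  Anything the
    detector cannot see, such as a stuck-at value inside the valid range,
    passes straight through, which is the classic weakness of this scheme.
    """

    def __init__(self, replicas: List[Replica], lo: float, hi: float):
        self.replicas = replicas
        self.active = 0                     # index of the replica currently in service
        self.lo, self.hi = lo, hi           # plausible output range
        self.switchovers: List[str] = []    # names of replicas taken out of service

    def plausible(self, v: Output) -> bool:
        return v is not None and self.lo <= v <= self.hi

    def step(self, sensor_input: float) -> Output:
        while self.active < len(self.replicas):
            r = self.replicas[self.active]
            v = r.compute(sensor_input)
            if self.plausible(v):
                return v
            self.switchovers.append(r.name)  # fault detected: switch to the next spare
            self.active += 1
        return None                          # spares exhausted: channel lost


# Constructed replica behaviours for a temperature channel whose valid range is 10..40.
GOOD = Replica("good", lambda x: x)
NOISY = Replica("noisy", lambda x: x + 0.1)
STUCK_ZERO = Replica("stuck_zero", lambda x: 0.0)     # stuck-at outside the valid range
STUCK_IN_RANGE = Replica("stuck_20", lambda x: 20.0)  # stuck-at inside the valid range
HUNG = Replica("hung", lambda x: None)


if __name__ == "__main__":
    print("TMR masks a stuck replica:", run_tmr([GOOD, NOISY, STUCK_ZERO], 25.0))
    print("TMR with two faults:", run_tmr([HUNG, STUCK_ZERO, GOOD], 25.0))
    sb = StandbySystem([STUCK_ZERO, HUNG, GOOD], lo=10.0, hi=40.0)
    print("standby recovers:", sb.step(25.0), "after switching out", sb.switchovers)
    print("standby misses in-range stuck-at:",
          StandbySystem([STUCK_IN_RANGE, GOOD], lo=10.0, hi=40.0).step(25.0))
    print("TMR still masks it:", run_tmr([STUCK_IN_RANGE, GOOD, NOISY], 25.0))
```

The last two calls are the point of the comparison: the standby channel returns the stuck value 20.0 because its detector only checks range, while the voter outvotes the same replica because it compares outputs against each other. Neither scheme survives two simultaneous faults in three replicas, which is why the voter reports None rather than guessing.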
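The Real-time Engineering item in Section III says schedulability analysis is used to check timeliness but does not show one. This is an added worked example, not from the paper: response-time analysis for fixed-priority preemptive scheduling with rate-monotonic priorities, next to the Liu and Layland utilization bound. The three-task set is constructed; it was chosen so that the utilization test is inconclusive while the exact response-time test shows the set is schedulable, and a second set with a larger worst-case execution time for T3 misses its deadline.

```python
"""Response-time analysis for fixed-priority scheduling (constructed example, not from the paper)."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Task:
    name: str
    wcet: int                        # C: worst-case execution time
    period: int                      # T: period or minimum inter-arrival time
    deadline: Optional[int] = None   # D: relative deadline, defaults to T

    @property
    def d(self) -> int:
        return self.period if self.deadline is None else self.deadline


def rate_monotonic(tasks: List[Task]) -> List[Task]:
    """Rate-monotonic priority assignment: shorter period means higher priority."""
    return sorted(tasks, key=lambda t: t.period)


def response_time(task: Task, higher: List[Task]) -> Optional[int]:
    """Worst-case response time by fixed-point iteration of
        R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j
    starting from R = C_i.  Returns None as soon as R exceeds the deadline,
    which also guarantees termination when the task set is overloaded."""
    r = task.wcet
    while True:
        nxt = task.wcet + sum(ceil(r / h.period) * h.wcet for h in higher)
        if nxt > task.d:
            return None
        if nxt == r:
            return r
        r = nxt


def analyse(tasks: List[Task]) -> Dict[str, Optional[int]]:
    """Response time of every task under RM priorities (None = deadline miss)."""
    ordered = rate_monotonic(tasks)
    return {t.name: response_time(t, ordered[:i]) for i, t in enumerate(ordered)}


def schedulable(tasks: List[Task]) -> bool:
    return all(r is not None for r in analyse(tasks).values())


def utilization(tasks: List[Task]) -> float:
    return sum(t.wcet / t.period for t in tasks)


def liu_layland_bound(n: int) -> float:
    """Sufficient but not necessary RM utilization bound: n * (2^(1/n) - 1)."""
    return n * (2 ** (1.0 / n) - 1)


# Constructed task set; time units are arbitrary scheduler ticks.
TASKS = [
    Task("T1", wcet=1, period=4),
    Task("T2", wcet=2, period=6),
    Task("T3", wcet=3, period=12),
]
# Same set with T3's execution time doubled: it now misses its deadline.
OVERLOADED = TASKS[:2] + [Task("T3", wcet=6, period=12)]

if __name__ == "__main__":
    print("U =", round(utilization(TASKS), 3), "LL bound =", round(liu_layland_bound(3), 3))
    print(analyse(TASKS), "schedulable:", schedulable(TASKS))
    print(analyse(OVERLOADED), "schedulable:", schedulable(OVERLOADED))
```

For the constructed set the utilization is about 0.833, above the three-task bound of about 0.780, so the utilization test cannot decide; response-time analysis gives R = 1, 3 and 10 ticks against deadlines of 4, 6 and 12, so the set is schedulable. Only worst-case execution times are meaningful inputs here: an average-case figure would make the analysis optimistic in exactly the situation a hard real-time system must survive.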
entry points to loops, blocks, procedures and functions, is really just a variation of unstructured programming. However, controlled use of more than one exit can simplify code and reduce the risk.
4) Type of Data: Where the type of data in a variable changes, or the structure of a record changes, the code is difficult to analyze and can easily confuse a programmer, leading to programming errors.
5) Declaration & Initialization: A simple spelling mistake can result in software which compiles but does not execute correctly. In the worst case, individual units may appear to execute correctly, with the error only being detectable at system level. Declarations must be perfect.
6) Parameter Passing: Passing one procedure or function as a parameter to another procedure or function is difficult to analyze and test thoroughly.
7) Recursion: Recursion is a function calling itself. It is difficult to analyze and test thoroughly. Recursion can also lead to unpredictable real-time behaviour.
8) Concurrency and Interrupts: These features are supported directly by only some programming languages. Use of concurrency and interrupts introduces ambiguity.
The use of such programming language features in safety-critical software is discouraged.
Most modern programming languages encourage the use of block structure and modular programming, such that programmers take good structure for granted. Well-structured software is easier to analyze and test, and consequently less likely to contain errors.
The features of a few programming languages which can be used to increase reliability are:
1) Perfect data usage: Data is only used and assigned where it is of a compatible type.
2) Constraint checking: Ensure that array bounds are not violated, that data does not overflow, and that division by zero does not occur.
3) Parameter checking: Ensure that parameters passed to or from procedures and functions are of the correct type, are passed in the right direction (in or out), and contain valid data.
There are no commonly available programming languages which provide all of the good language features. The solution is to use a language subset, where a language with as many good features as possible is chosen, and the bad features are simply not used. Use of a subset requires discipline on behalf of the programmers and ideally a subset-checking tool to catch the occasional mistake. An advantage of a subset approach is that the bounds of the subset can be flexible, to allow the use of some features in a limited and controlled way.
Ada is the preferred language for the implementation of safety-critical software because it can be used effectively within the above constraints. The most popular Ada subset for safety-critical software is the SPARK Ada subset. SPARK Ada is a subset of the Ada programming language that restricts several features of Ada, such as unrestricted tasking. SPARK Ada includes a built-in toolset, the "Examiner", which checks the entire source code for conditional and unconditional data-flow errors, which in theory would allow the source code to be deemed exception-free. The disadvantage of SPARK Ada is that it is closed and proprietary, which increases the cost of implementation. Since it is a closed format, outside community support is restricted and there is a higher risk in implementation, with only one vendor to rely on for technical support and language updates.

VIII. TESTING & VERIFICATION
Safety-critical testing: Testing of safety-critical systems follows two important strategies: systematic rigorous testing and static analysis. While there is no substitute for rigorous testing at many levels (unit, regression, functionality and integration testing), testing effectiveness depends on the quality of the test cases used. The best test suites are those that have good code coverage. Statement coverage and condition coverage are the most commonly used metrics. Full condition coverage is considered essential for safety-critical code, such as flight control software. Achieving full coverage can be exceedingly time-consuming and expensive.
Safety-critical software functions provide the source of requirements to be tested. Testing shall be performed to verify correct incorporation of software safety requirements. Testing must show that hazards have been eliminated or controlled to an acceptable level of risk. Additional hazardous states identified during testing shall undergo complete analysis prior to software delivery or use. Software safety testing of Safety-Critical Computer Software Components (SCCSCs) shall be included in the integration and acceptance tests. Acceptance testing shall verify correct operation of the SCCSCs in conjunction with system hardware and operators [36]. It shall verify correct operation during stress conditions and in the presence of system faults. It is important to tailor the safety-critical testing effort to emphasize the parts of the software that need additional analysis and testing. The greatest effort must be placed on the hazards posing the highest risk. We consider it adequate to divide the software into two risk groups for test purposes.
Verification is the most important and most expensive group of activities in the development of safety-critical systems, with verification activities being associated with each stage of the development lifecycle. An added complication is that independent verification is usually required. The means by which this is achieved depends upon the integrity level.
Independent verification can vary from independent witnessing of tests, participation at reviews and audit of the developer's verification, to fully independent execution of all verification activities. Independent verification is an addition to verification conducted by developers, not a substitute for it.
According to ISO 9001, reviews will be conducted as part of verification. Reviews become more formal, including techniques such as detailed walkthroughs of even the lowest level of design. The scope of reviews is extended to include safety criteria.

References
5. John C. Knight, "Safety Critical Systems: Challenges and Directions", Proceedings of the 24th International Conference on Software Engineering (ICSE), Orlando, Florida, 2002.
6. N. Leveson, Safeware: System Safety and Computers, Addison Wesley, 1995.
7. L. Pullum, Software Fault Tolerance: Techniques and Implementation, Artech House, 2001.
8. W.R. Dunn, Practical Design of Safety-Critical Computer Systems, Reliability Press, 2002.
9. H. Kopetz, Real-Time Systems: Design Principles for