See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/355667545
All content following this page was uploaded by Danielle Nathalie Moussima on 27 October 2021.
Global Journal of Computer Science and Technology


Volume 11 Issue 21 Version 1.0 December 2011
Type: Double Blind Peer Reviewed International Research Journal
Publisher: Global Journals Inc. (USA)
Online ISSN: 0975-4172 & Print ISSN: 0975-4350

Safety Critical Systems Analysis


By K. Amarendra, A. Vasudeva Rao
Dadi Institute of Engineering & Technology Visakhapatnam Dt, India

Abstract - A brief overview of the fields that must be considered when designing and implementing
safety-critical systems is presented. The notion of safety is most likely to come to mind when we
drive a car, fly on an airliner, or take an elevator ride. In each case, we are concerned with the
threat of a mishap, which is defined as an unplanned event or series of events that result in death,
injury, occupational illness, damage to or loss of equipment or property, or damage to the
environment.

Keywords : Safety, Design, Implementation, Applications.


GJCST Classification : K.6.5


Strictly as per the compliance and regulations of:

© 2011. K. Amarendra, A. Vasudeva Rao. This is a research/review paper, distributed under the terms of the Creative Commons
Attribution-Noncommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial
use, distribution, and reproduction in any medium, provided the original work is properly cited.
Safety Critical Systems Analysis
K. Amarendra α, A. Vasudeva Rao Ω

Abstract- A brief overview of the fields that must be considered when designing and implementing safety-critical systems is presented. The notion of safety is most likely to come to mind when we drive a car, fly on an airliner, or take an elevator ride. In each case, we are concerned with the threat of a mishap, which is defined as an unplanned event or series of events that result in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
Keywords: Safety, Design, Implementation, Applications.

I. INTRODUCTION
A safety critical system is a system where human safety is dependent upon the correct operation of the system. Safety is considered not only for software elements but also for hardware, electrical hardware, operators or users, etc. If the failure of a system could lead to consequences that are determined to be unacceptable, then the system is safety critical. "Safety-critical systems" is a term whose customary meaning is systems whose failure might endanger human life, lead to substantial economic loss, or cause extensive environmental damage. Many modern systems depend on computers for their correct operation. The future is likely to increase dramatically the number of computer systems that we consider to be safety-critical. The dropping cost of hardware, the improvement in hardware quality, and other technological developments ensure that new applications will be sought in many domains.

Separating safety-critical and safety-related systems from systems where safety integrity cannot be established or maintained is an important aspect of system safety design. When implementing a system safety program it is important to suspect all components of being unsafe unless assured otherwise, and then to target the few areas where safety requirements are allocated. Coupling between components of complex systems can be subtle, and interaction with non-safety-related systems has led to harmful outcomes in safety-related systems.

Traditional Areas
Traditional areas that have been considered the home of safety-critical systems include medical care, commercial aircraft, nuclear power, and weapons. Failure in these areas can quickly lead to human life being put in danger, loss of equipment, and so on. Computers are used in medicine far more widely than most people realize. The idea of using a microprocessor to control an insulin pump is quite well known. The fact that a pacemaker is largely a computer is less well known. The extensive use of computers in surgical procedures is almost unknown except by specialists. Computerized equipment is making inroads in procedures such as hip replacement, spinal surgery, and ophthalmic surgery. In all three of these cases, computer-controlled robotic devices are replacing the surgeon's traditional tools and providing substantial benefits to patients.

Non Traditional Areas
The scope of the safety-critical system concept is broad, and that breadth has to be taken into account when practitioners and researchers deal with specific systems. Some examples of non-traditional systems are transportation control, banking and financial systems, electricity generation and distribution, telecommunications, and the management of water systems. All of these applications are extensively computerized, and computer failure can and does lead to extensive loss of service with consequent disruption of normal activities. A closer examination of the topic reveals that many new types of system have the potential for very high consequences of failure, and these systems should probably be considered safety-critical also. It is obvious that the loss of a commercial aircraft will probably kill people. It is not obvious that loss of a telephone system could kill people.

Author α : Associate Professor & Head, Department of Computer Science & Engineering, Dadi Institute of Engineering & Technology, Anakapalle – 531002, Visakhapatnam Dt, India. E-mail : [email protected]
Author Ω : Associate Professor, Department of Computer Science & Engineering, Dadi Institute of Engineering & Technology, Anakapalle – 531002, Visakhapatnam Dt, India. E-mail : [email protected]

© 2011 Global Journals Inc. (US)

Emergency service is an example of a critical infrastructure application. Other examples are transportation control, banking and financial systems, electricity generation and distribution, telecommunications, and the management of water systems. All of these applications are extensively computerized, and computer failure can and does lead to extensive loss of service with consequent disruption of normal activities. In some cases, the disruption can be very serious. Widespread loss of water or electricity supply has obvious implications for health and safety. Similarly, widespread loss of transportation services, such as rail and trucking, would affect food and energy distribution. It is prudent to put the computer systems upon which critical infrastructures depend into the safety-critical category.

II. SAFETY BOUNDARIES
Functional Safety Boundaries
a) The need for having boundaries
Taking the extreme position, very few systems are fully independent in their operation, and to be completely assured of the absence of interaction or common-cause failure between the safety-related and other systems would take an inordinate amount of time and effort. This could have the opposite effect, delaying the introduction of the safety benefits of deploying a safety-related system. At some point a determination must be made that all possible influences are controlled, or the risks sufficiently known, so that the safety analysis can be bounded.
b) Objectives of functional safety boundaries
• Minimise the interfaces across the safety boundary, to direct focus on the safety separation implemented in them;
• Minimise the likelihood of common-cause failures across the boundary;
• Exclude non-safety-related functions where these are volatile or subject to undefined or non-safety-related controls;
• Allow a Safety Integrity Level (SIL) to be achieved within the boundary.
c) Identifying safety functions
A useful method to establish the functional safety boundary between systems or subsystems is to undertake a Fault Tree Analysis (FTA) of the contributing factors to failure of the system which may lead to the hazardous events identified in the preliminary hazard analysis. The first attempt at a boundary would be around the systems that are implicated in the FTA. This FTA needs to be extensive and complete, from all initiating situations to the system failure that is a causal factor for the hazardous event. Then, flowing down the tree, mark off those functions that are related to systems that should be excluded due to:
• The possibility of common-cause failure;
• High levels of complexity and non-deterministic failure rate; or
• Components that may not always be present or enabled.
d) The problem with software
At a system level, this process looks reasonably straightforward, but the problem comes with setting boundaries in distributed software architectures. In this situation it is very difficult to identify boundaries that don't involve the possibility of common-cause failures. Common-cause failures and dependencies extending over the distributed communication networks must also be considered and the functional safety boundary set accordingly. These may include:
• Global variables accessed by network;
• Security attack and security blocking issues;
• Effects of network lock-up on functional safety.
The separation requirements over the functional safety boundary must take these failures into account.

III. DISCIPLINES
The criterion used is that these disciplines are at the heart of the safety-critical electronic and information technology components of modern vehicles. Safety-critical systems have many requirements that stem from several engineering disciplines. The main disciplines having a direct bearing on designing safety-critical systems are: domain engineering, embedded systems engineering, protocol and network engineering, safety engineering, reliability engineering, real-time systems engineering, and systems engineering. Currently, several design and implementation options are available to a researcher, developer, or designer. In terms of protocols, one can choose among CAN, TTCAN, Switched Ethernet, TTP/C, FlexRay and others. Because of cost, flexibility, the intended application, theoretical advances, implementation technology, and other issues, it is not straightforward to decide which protocol or network technology is the best.
a. Domain Engineering : Safety-critical systems exist in a certain application context. Certainly the details of safety-critical aerospace systems are different from those of the space shuttle, process control, or automotive. It is important that this context can be used to tune or optimize certain mechanisms (e.g., communications, fault tolerance, fail status, etc.).
b. Embedded System Engineering : Safety-critical systems are embedded systems; micro-controllers, real-time operating systems, memory configurations, and I/O are relevant.
c. Protocol and Network Engineering : Protocols and networking are at the heart of distributed safety-
critical systems. The degree of flexibility offered by the protocol is in order to experiment with and provide higher layer protocols (HLP). Still another issue is the application of inter-networking (using bridges, switches, and routers) at the vehicle level.
d. Safety Engineering : System (availability) reliability deals with the problem of ensuring that a system performs a required task or mission for a specified time. System safety is concerned with ensuring that a mishap does not occur in the process. Usually, several kinds of failure exist, such as benign failures and catastrophic failures.
e. Reliability Engineering : It deals with the continued operation of a system even under the failure of system components. The primary mechanism is the use of redundant components to design fault-tolerant systems. There are two schemes to handle the replacement of failed components: static and dynamic redundancy.
f. Real time Engineering : Techniques for ensuring that a system meets timeliness requirements are important for safety-critical applications. A distinction is made between hard real-time and soft real-time systems. Safety-critical systems certainly belong to the category of hard real-time systems. To see if a system meets real-time requirements, schedulability analysis is used, and this methodology is well known for single-processor or multiprocessor operating systems.
g. Systems Engineering : Systems engineering emphasizes formal processes that start with a system's requirements and specification, and includes an iterative design, test, and verification cycle.

IV. APPLICATIONS
Safety critical systems are those whose failure results in loss of life, property damage or damage to the environment. There are many well known examples in application areas such as medical devices, aircraft flight control, weapons and nuclear systems.
An example of a safety critical system is an aircraft fly-by-wire control system, where the pilot inputs commands to the control computer using a joystick, and the computer manipulates the actual aircraft controls. The lives of hundreds of passengers are totally dependent upon the continued correct operation of such a system.
Moving down to earth, railway signalling systems must enable controllers to direct trains, while preventing trains from colliding. Like an aircraft fly-by-wire system, lives are dependent upon the correct operation of the system. However, there is always the option of stopping all trains if the integrity of the system becomes suspect. You can't just stop an aircraft while the fly-by-wire system is fixed!
Software in medical systems may be directly responsible for human life, such as metering safe amounts of X-rays. Software may also be involved in providing humans with information, such as information which a doctor uses to decide on medication. Both types of system can impact the safety of the patient.
Big civil engineering structures are designed on computers and tested using mathematical models. An error in the software could conceivably result in a bridge collapsing. Aircraft, trains, ships and cars are also designed and modelled using computers.
Even something as simple as traffic lights can be viewed as safety critical. An error giving green lights to both directions at a crossroad could result in a car accident. Within cars, software involved in functions such as engine management, anti-lock brakes, traction control, and a host of other functions could potentially fail in a way which increases the likelihood of a road accident.

V. CHALLENGES
In one way or another, many people in the software business are working on safety-critical systems technology. Many more systems than one might expect have to be viewed as safety-critical, and the number is increasing all the time. So what are the major challenges that we face?
In some cases, what amounts to completely new technology is required. The number of interacting safety-critical systems present in a single application will force the sharing of resources between systems. This will eliminate a major architectural element that gives confidence in correct operation—physical separation. Knowing that the failure of one system cannot affect another greatly facilitates current analysis techniques. This will be lost as multiple functions are hosted on a single platform to simplify construction and to reduce power and weight requirements. Techniques that provide high levels of assurance of non-interference will be required.
Breakdowns in the interplay between software engineering and systems engineering remain a significant cause of failures. It is essential that comprehensive approaches to total system modelling be developed so that properties of entire systems can be analysed. Such approaches must accommodate software properly and provide high-fidelity models of critical software characteristics. They must also deal with the issue of assured non-interference.
Defective software specifications are implicated in many serious failures, and it is clear that we have difficulty stating exactly what software is required to do. There are many aspects of specification that are not supported by any current technique, and, even where specification techniques do exist, there remains a lack of integration to permit whole-specification analysis.

VI. DESIGNING
The design of any safety critical system must be as simple as possible, taking no unnecessary risks.
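The FTA step of Section II c) above (draw the first boundary around the systems implicated in the tree, then look for common-cause paths), as an added example that is not part of the paper: a small fault-tree evaluator for a constructed two-channel shutdown function whose two channels share one field network and one power supply. The tree, the component names and the gate structure are all assumptions made for illustration.

```c
/* Added example (not from the paper): evaluating a small fault tree to find
 * the subsystems implicated in a hazardous top event and any single point
 * of failure, as the first step of drawing a functional safety boundary.
 * The architecture is constructed for illustration: a two-channel shutdown
 * function in which both channels share one field network and one power
 * supply, so the apparent redundancy has hidden common-cause dependencies. */
#include <stdbool.h>
#include <stdio.h>

/* Basic events (leaf components). Each has one bit in a failure mask. */
enum basic_event {
    SENSOR_A, LOGIC_A, SENSOR_B, LOGIC_B, FIELD_NETWORK, POWER_SUPPLY,
    NUM_BASIC
};

enum gate_kind { GATE_BASIC, GATE_AND, GATE_OR };

struct gate {
    const char *name;
    enum gate_kind kind;
    int basic;              /* index into enum basic_event for GATE_BASIC */
    int nchildren;
    int children[3];        /* indices into the TREE array */
};

/* Node 0 is the top event; the leaves (4..9) are in basic_event order. */
static const struct gate TREE[] = {
    /* 0 */ {"shutdown function lost",   GATE_OR,  -1, 2, {1, 9}},
    /* 1 */ {"both channels fail",       GATE_AND, -1, 2, {2, 3}},
    /* 2 */ {"channel A fails",          GATE_OR,  -1, 3, {4, 5, 8}},
    /* 3 */ {"channel B fails",          GATE_OR,  -1, 3, {6, 7, 8}},
    /* 4 */ {"sensor A",        GATE_BASIC, SENSOR_A,      0, {0}},
    /* 5 */ {"logic solver A",  GATE_BASIC, LOGIC_A,       0, {0}},
    /* 6 */ {"sensor B",        GATE_BASIC, SENSOR_B,      0, {0}},
    /* 7 */ {"logic solver B",  GATE_BASIC, LOGIC_B,       0, {0}},
    /* 8 */ {"field network",   GATE_BASIC, FIELD_NETWORK, 0, {0}},
    /* 9 */ {"power supply",    GATE_BASIC, POWER_SUPPLY,  0, {0}},
};

/* Does gate `node` fire when the components in `failed` (one bit per
 * basic event) have failed? OR fires on any child, AND only on all. */
static bool gate_fires(int node, unsigned failed)
{
    const struct gate *g = &TREE[node];
    if (g->kind == GATE_BASIC)
        return (failed >> g->basic) & 1u;
    for (int i = 0; i < g->nchildren; i++) {
        bool child = gate_fires(g->children[i], failed);
        if (g->kind == GATE_OR && child)
            return true;
        if (g->kind == GATE_AND && !child)
            return false;
    }
    return g->kind == GATE_AND;   /* AND with every child firing */
}

/* Top event for a given combination of failed components. */
bool fta_top_event(unsigned failed)
{
    return gate_fires(0, failed);
}

/* Components whose failure ALONE reaches the top event. In a supposedly
 * redundant design these are the shared dependencies (common-cause paths)
 * that the functional safety boundary must enclose or separate. */
unsigned fta_single_points(void)
{
    unsigned result = 0;
    for (int b = 0; b < NUM_BASIC; b++)
        if (fta_top_event(1u << b))
            result |= 1u << b;
    return result;
}

/* Components that appear in at least one one- or two-component cut set,
 * i.e. everything the first attempt at a boundary should be drawn around. */
unsigned fta_implicated(void)
{
    unsigned result = 0;
    for (int a = 0; a < NUM_BASIC; a++)
        for (int b = 0; b < NUM_BASIC; b++)
            if (fta_top_event((1u << a) | (1u << b)))
                result |= (1u << a) | (1u << b);
    return result;
}

int main(void)
{
    unsigned sp = fta_single_points();
    for (int b = 0; b < NUM_BASIC; b++)
        if (sp & (1u << b))
            printf("single point of failure: %s\n", TREE[4 + b].name);
    printf("sensor A alone -> top event: %s\n",
           fta_top_event(1u << SENSOR_A) ? "yes" : "no");
    return 0;
}
```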
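The "as simple as possible" principle just stated, applied to the traffic-light case of Section IV, as an added example that is not the paper's own code: a controller proposes lamp states for a two-road crossing, and an independent interlock (the protection subsystem that Section VI goes on to describe) forces all-red whenever a proposal would show green or amber to both roads at once. The phase table, the injected defect and all names are constructed for illustration.

```c
/* Added example (not from the paper): layered defensive checks for a
 * two-road traffic signal. The controller validates its input (routine
 * level), an invalid input yields a safe output (software level), and a
 * separate interlock with no knowledge of the phase logic checks the final
 * outputs and latches into the safe state (system level). Phase table,
 * fault injection and names are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

enum lamp { RED, AMBER, GREEN };

struct signals { enum lamp north_south, east_west; };

/* Controller's intended phase sequence. */
static const struct signals PHASES[] = {
    {GREEN, RED}, {AMBER, RED}, {RED, RED}, {RED, GREEN}, {RED, AMBER}, {RED, RED},
};
#define NUM_PHASES (int)(sizeof PHASES / sizeof PHASES[0])

static const struct signals ALL_RED = {RED, RED};

/* Safety invariant shared by the software and the interlock: at most one
 * road may be permitted to move (shown non-red) at any time. */
bool signals_are_safe(struct signals s)
{
    return s.north_south == RED || s.east_west == RED;
}

/* Level 1, within a routine: validate the input before using it as an
 * index. `inject_fault` models a latent controller defect that turns the
 * north-south lamp green regardless of phase. */
bool controller_propose(int phase, bool inject_fault, struct signals *out)
{
    if (phase < 0 || phase >= NUM_PHASES)
        return false;                 /* trap the error, do not guess */
    *out = PHASES[phase];
    if (inject_fault)
        out->north_south = GREEN;
    return true;
}

/* Level 3, within the system: an independent interlock. It only inspects
 * outputs, and once it has had to intervene it stays in the safe state
 * until an explicit reset, so a flickering defect cannot reopen the road. */
struct interlock { bool fault_latched; int interventions; };

struct signals interlock_apply(struct interlock *il, struct signals proposed)
{
    if (il->fault_latched || !signals_are_safe(proposed)) {
        il->fault_latched = true;
        il->interventions++;
        return ALL_RED;
    }
    return proposed;
}

/* One control cycle combining the levels; returns the lamps actually driven. */
struct signals run_cycle(struct interlock *il, int phase, bool inject_fault)
{
    struct signals proposed;
    if (!controller_propose(phase, inject_fault, &proposed))
        proposed = ALL_RED;           /* level 2: invalid input -> safe output */
    return interlock_apply(il, proposed);
}

/* Runs the whole phase sequence with the defect injected at one phase and
 * reports how many cycles the interlock had to override. */
int count_interventions(int faulty_phase)
{
    struct interlock il = {false, 0};
    for (int phase = 0; phase < NUM_PHASES; phase++)
        run_cycle(&il, phase, phase == faulty_phase);
    return il.interventions;
}

int main(void)
{
    static const char *NAMES[] = {"red", "amber", "green"};
    struct interlock il = {false, 0};
    for (int phase = 0; phase < NUM_PHASES; phase++) {
        struct signals s = run_cycle(&il, phase, phase == 3);
        printf("phase %d: N-S %-5s E-W %-5s%s\n", phase, NAMES[s.north_south],
               NAMES[s.east_west], il.fault_latched ? "  [interlock]" : "");
    }
    return 0;
}
```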
From a software point of view, this usually involves minimizing the use of interrupts and minimizing the use of concurrency within the software.
Ideally, a safety critical system requiring a high integrity level would have no interrupts and only one task. However, this is not achievable in practice.
There are two distinct philosophies for the specification and design of safety critical systems:
• To specify and design a "perfect" system, which cannot go wrong because there are no faults in it, and to prove that there are no faults in it.
• To accept that mistakes may have been made, and to include error detection and recovery capabilities to prevent errors from actually causing a hazard to safety.
The first of these approaches can work well for small systems, which are sufficiently compact for formal mathematical methods to be used in the specification and design, and for formal mathematical proof of design correctness to be established.
The second philosophy, of accepting that no matter how careful we are in developing a system it could still contain errors, is the approach more generally adopted. This philosophy can be applied at a number of levels:
• Within a routine, to check that inputs are valid, to trap errors within the routine, and to ensure that outputs are safe;
• Within the software, to check that system inputs are valid, to trap errors within the software, and to ensure that system outputs are safe;
• Within the system, as independent verification that the rest of the system is behaving correctly, and to prevent it from causing the system to become unsafe.
The safety-enforcing part is usually referred to as an interlock or protection subsystem. Designing safety-critical systems is a complex endeavour, particularly if extensive use is made of advanced electronics and information technology. The increased use of microcontrollers in modern automotive systems has brought many benefits, such as the merging of chassis control systems for active safety with passive-safety systems. Unfortunately, it has also brought the potential for catastrophic failures. Thus, the widespread application of microcontrollers requires extreme care in order to produce a dependable system. Dependability involves reliability, safety, availability, and security, but in this paper we are only concerned with safety, reliability, and availability.
The area of system safety is well established, and procedures exist to identify and analyse electromechanical hazards, along with techniques to eliminate or limit hazards in a final product. Unfortunately, much more is known about how to engineer safe mechanical systems than safe computing systems, particularly when software is a major component of the engineered system. With the increased use of software in safety-critical components of complex systems, government agencies and other institutions are increasingly including requirements for software hazard analysis and verification of software safety.
Security : It has become clear that security attacks against information systems are a large and growing problem. Attacks against both public and private networks can have devastating effects. The Internet is being used increasingly to provide communication service to business, and security attacks against the Internet are a troubling problem for network users.
Although Internet attacks are important, private networks are a bigger concern. Money is moved locally and around the world on private networks owned by financial institutions. Transportation systems are monitored and controlled using mostly private networks. A successful attack against certain private networks could permit funds or valuable information such as credit card numbers to be stolen, transportation to be disrupted, and so on. The potential for loss is considerable, and, although no physical damage would be involved in security failures, the consequences of failure are such that many systems that only carry information should be regarded as safety-critical.

VII. IMPLEMENTATION
Some programming language features are more prone to problems than others. This is for a number of reasons:
1) Programmers make errors while using the feature.
2) Poor compilation or poor implementation.
3) Programs written may be difficult to analyze and test.
A few programming language features that cause problems:
1) Usage of pointers : It is very difficult to use pointers in a programming language. In order to use pointers, developers need a good understanding of memory addressing and management. Programs which use pointers can be difficult to understand or analyze.
2) Memory Management : Memory allocation and de-allocation is related to pointers. Every programmer allocates memory, but sometimes they forget to de-allocate. Compilers and operating systems frequently fail to fully recover de-allocated memory. The result is errors which are dependent on execution time, with a system mysteriously failing after a period of continuous operation.
3) Multiple Entry and Exits : Multiple exit and
entry points to loops, blocks, procedures and functions is really just a variation of unstructured programming. However, controlled use of more than one exit can simplify code and reduce the risk.
4) Type of Data : Where the type of data in a variable changes, or the structure of a record changes, it is difficult to analyze, and can easily confuse a programmer, leading to programming errors.
5) Declaration & Initialization : A simple spelling mistake can result in software which compiles but does not execute correctly. In the worst case individual units may appear to execute correctly, with the error only being detectable at a system level. Declarations must be perfect.
6) Parameter Passing : Passing one procedure or function as a parameter to another procedure or function is difficult to analyze and test thoroughly.
7) Recursion : Recursion is a function calling itself. It is difficult to analyze and test thoroughly. Recursion can also lead to unpredictable real-time behavior.
8) Concurrency and Interrupts : These features are supported directly by only some programming languages. Use of concurrency and interrupts produces some ambiguity.
The use of such programming language features in safety critical software is discouraged. Most modern programming languages encourage the use of block structure and modular programming, such that programmers take good structure for granted. Well-structured software is easier to analyze and test, and consequently less likely to contain errors.
The features of a few programming languages which can be used to increase reliability are:
1) Perfect data usage : The data is only used and assigned where it is of a compatible type.
2) Constraint checking : Ensure that array bounds are not violated, that data does not overflow, and that division by zero does not occur.
3) Parameter checking : To ensure that parameters passed to or from procedures and functions are of the correct type, are passed in the right direction (in or out) and contain valid data.
There are no commonly available programming languages which provide all of the good language features. The solution is to use a language subset, where a language with as many good features as possible is chosen, and the bad features are simply not used. Use of a subset requires discipline on behalf of the programmers, and ideally a subset checking tool to catch the occasional mistake. An advantage of a subset approach is that the bounds of the subset can be flexible, to allow the use of some features in a limited and controlled way.
Ada is the preferred language for the implementation of safety critical software because it can be used effectively within the above constraints. The most popular Ada subset for safety critical software is the SPARK Ada subset.
SPARK Ada is a subset of the Ada programming language that restricts several features of Ada such as unrestricted tasking. SPARK Ada includes a built-in toolset called the "Examiner" which tests the entire source code for conditional and unconditional data flow errors, which in theory would deem the source code exception free. The disadvantage of SPARK Ada is that it is closed and proprietary, which increases the cost of implementation. Since it is a closed format, outside community support is restricted and there is a higher risk of implementation with only one vendor to rely on for technical support and language updates.

VIII. TESTING & VERIFICATION
Safety critical testing : Testing of safety-critical systems follows two important strategies: systematic rigorous testing and static analysis. While there is no substitute for rigorous testing at many levels (unit, regression, functionality and integration testing), testing effectiveness depends on the quality of the test cases used. The best test suites are those that have good code coverage. Statement coverage and condition coverage are the most commonly used metrics. Full condition coverage is considered essential for safety-critical code, such as flight control software. Achieving full coverage can be exceedingly time-consuming and expensive.
Safety critical software functions provide the source of requirements to be tested. Testing shall be performed to verify correct incorporation of software safety requirements. Testing must show that hazards have been eliminated or controlled to an acceptable level of risk. Additional hazardous states identified during testing shall undergo complete analysis prior to software delivery or use. Software safety testing of Safety-Critical Computer Software Components (SCCSC) shall be included in the integration and acceptance tests. Acceptance testing shall verify correct operation of the SCCSCs in conjunction with system hardware and operators [36]. It shall verify correct operation during stress conditions and in the presence of system faults. It is important to tailor the safety-critical testing effort to emphasize the parts of the software that need additional analysis and testing. The greatest effort must be placed on the hazards posing the highest risk. We consider it adequate to divide the software into two risk groups for test purposes.
Verification is the most important and most expensive group of activities in the development of safety critical systems, with verification activities being associated with each stage of the development lifecycle. An added complication is that independent verification is usually required. The means by which this is achieved depends upon the integrity level. Independent
verification can vary from independent witnessing of tests, participation at reviews and audit of the developer's verification, to fully independent execution of all verification activities. Independent verification is an addition to verification conducted by developers, not a substitute for it.
According to ISO 9001, reviews will be conducted as a part of verification. Reviews become more formal, including techniques such as detailed walkthroughs of even the lowest level of design. The scope of reviews is extended to include safety criteria.

IX. CONCLUSION
The choice of a language can have a significant impact on the success or failure of a safety-critical system. The language can impact the ease of validation, the number of defects, and many important parts of the development process. Few languages are inherently "safe" as well as having good tool support, good documentation and wide usage.
A general-purpose language, which is made "safe" by use of a subset and good tool support, is the best choice for a safety-critical system. Modelling languages show excellent promise as implementation languages for all types of software development, not just safety critical.
Safety critical software is a complex subject. This paper has given an analysis of safety critical systems in terms of design, implementation, verification, applications, etc.
Although safety critical systems have been in use for many years, the development of safety critical software is still a relatively new and immature subject. New techniques and methodologies for safety critical software are a popular research topic with universities, and are now becoming available to industry. Tools supporting the development of safety critical software are now available, making the implementation of safety critical standards a practical prospect.

REFERENCES
1. Robyn R. Lutz, "Software Engineering for Safety: a Roadmap", Proceedings of the Conference on The Future of Software Engineering, June 04-11, 2000, Limerick, Ireland, pp. 213-226.
2. Alan C. Tribble et al., "Software Safety Analysis of a Flight Guidance System", Proceedings of the 21st Digital Avionics Systems Conference (DASC'02), Irvine, California, Oct. 27-31, 2002.
3. Debra S. Herman, "Software Safety and Reliability Basics" (ch. 2), Software Safety and Reliability: Techniques, Approaches, and Standards of Key Industrial Sectors, Wiley-IEEE Computer Society Press, 2000.
4. Dale M. Gray, Frontier Status Report #203, 19 May 2000, www.asi.org.
5. John C. Knight, "Safety Critical Systems: Challenges and Directions", Proceedings of the 24th International Conference on Software Engineering (ICSE), Orlando, Florida, 2002.
6. N. Leveson, Safeware: System Safety and Computers, Addison Wesley, 1995.
7. L. Pullum, Software Fault Tolerance: Techniques and Implementation, Artech House, 2001.
8. W. R. Dunn, Practical Design of Safety-Critical Computer Systems, Reliability Press, 2002.
9. H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Kluwer Academic Publishers, 1997.
10. P. Conmy, M. Nicholson, Y. M. Purwantoro, and J. McDermid, "Safety Analysis and Certification of Open Distributed Systems", 2002.
11. J. A. McDermid, "The cost of COTS", IEE Colloquium - COTS and Safety Critical Systems, London, 1998.
12. IEC 61508, Functional Safety of electrical / electronic / programmable electronic safety-related systems, Geneva: International Electrotechnical Commission, 1998.
13. K. Tindell, "Analysis of Hard Real-Time Communications", Real-Time Systems, vol. 9, pp. 147-171, 1995.
14. P. H. Jesty, K. M. Hobley, R. Evans, and I. Kendall, "Safety Analysis of Vehicle-Based Systems", Proceedings of the 8th Safety-critical Systems Symposium, 2000.
15. Raghu Singh, "A Systematic Approach to Software Safety", Proceedings of the Sixth Asia Pacific Software Engineering Conference (APSEC), Takamatsu, Japan, 1999.
16. N. G. Leveson, "Software Safety: Why, what, and how", ACM Computing Surveys, 18(2):125-163, June 1986.
17. The University of York, Safety critical systems engineering, system safety engineering, Modular MSc, diploma, certificate, short courses, 1999.
18. The University of York, Heslington, U.K.; www.cs.york.ac.uk/MSc/SCSE.
19. The Hazards Forum, Safety-related systems: Guidance for engineers, The Hazards Forum (1995), London, U.K.; www.iee.org.uk/PAB/SCS/hazpub.htm.
