
Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition (811374), page 80

File No. 811374 (Real-Time Systems. Design Principles for Distributed Embedded Applications. Herman Kopetz. Second Edition.pdf), page 80, uploaded 2020-08-25, StudIzba

Text from the file (page 80)

They cannot be implemented in a simple safety system any more.

4. The decreasing hardware costs make fail-operational (fault-tolerant) systems that require no expensive on-call maintenance competitive in an increasing number of applications.

11.4.2 Safety Analysis

The architecture of a safety-critical system must be carefully analyzed before it is put into operation in order to reduce the probability that an accident caused by a computer failure will occur. Damage is a pecuniary measure for the loss in an accident, e.g., death, illness, injury, loss of property, or environmental harm. Undesirable conditions that have the potential to cause or contribute to an accident are called hazards.

A hazard is thus a dangerous state that can lead to an accident, given certain environmental triggering conditions. Hazards have a severity and a probability. The severity is related to the worst potential damage that can result from the accident associated with the hazard. The severity of hazards is often classified in a severity class. The product of hazard severity and hazard probability is called risk. The goal of safety analysis and safety engineering is to identify hazards and to propose measures that eliminate or at least reduce the hazard or reduce the probability of a hazard turning into a catastrophe, i.e., to minimize the risk [Lev95]. A risk originating from a particular hazard should be reduced to a level that is as low as reasonably practical (ALARP). This is a rather imprecise statement that must be interpreted with good engineering judgment. An action that is provided to reduce the risk associated with a hazard to a tolerable level is called a safety function.

Functional safety encompasses the analysis, design, and implementation of safety functions. There exists an international standard, IEC 61508, on functional safety.

Example: A risk minimization technique is the implementation of an independent safety monitor that detects a hazardous state of the controlled object and forces the controlled object into a safe state.

In the following we discuss two safety analysis techniques, fault tree analysis and failure mode and effect analysis.

Fault Tree Analysis.

A fault tree provides graphical insight into the possible combinations of component failures that can lead to a particular system failure, i.e., an accident. Fault tree analysis is an accepted methodology to identify hazards and to increase the safety of complex systems [Xin08]. The fault tree analysis begins at the system level with the identification of the undesirable failure event (the top event of the fault tree). It then investigates the subsystem failure conditions that can lead to this top event and proceeds down the tree until the analysis stops at a basic failure, usually a component failure mode (events in ellipses).

The parts of a fault tree that are still undeveloped are identified by the diamond symbol. The failure conditions can be connected by the AND or the OR symbol. AND connectors typically model redundancy or safety mechanisms.

Example: Figure 11.1 depicts the fault tree of an electric iron. The undesirable top event occurs if the user of the electric iron receives an electric shock. Two conditions must be satisfied for this event to happen: the metal parts of the iron must be under high voltage (hazardous state) and the user must be in direct or indirect contact with the metal parts, i.e., the user either touches the metal directly or touches a wet piece of cloth that conducts the electricity. The metal parts of the iron will be under high voltage if the insulation of a wire that touches the metal inside the iron is defective and the ground-current monitor that is supposed to detect the hazardous state (the metal parts are under high voltage) is defective.

[Fig. 11.1 Fault tree for an electric iron. Top event "user receives electric shock" = AND("metal under high voltage", "user in contact with metal"); "metal under high voltage" = AND("insulation defect, blank wire touches metal", "ground current monitor defect"); "user in contact with metal" = OR("user touches metal of iron", "user touches wet cloth that is in contact with iron").]

Fault trees can be formally analyzed with mathematical techniques. Given the probability of basic component failures, the probability of the top event of a static fault tree can be calculated by standard combinatorial approaches. Warm and cold spares, shared pools of resources, and sequence dependencies in which the order of the failure occurrence determines the state of the system require more elaborate modeling techniques. A fault tree that cannot be analyzed by combinatorial approaches is called a dynamic fault tree.
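The combinatorial evaluation of a static fault tree described above, worked through for the electric iron of Fig. 11.1, as an added example that is not from the book. It assumes independent basic events; the four basic-event probabilities are constructed values for illustration. Beyond the top-event probability the text mentions, it also enumerates the tree's minimal cut sets (the smallest combinations of basic failures that trigger the top event, i.e., the "possible combinations of component failures" a fault tree is meant to expose) and shows what removing the ground-current monitor, the AND gate that models the safety mechanism, does to the top-event probability.

```python
"""Combinatorial evaluation of a static fault tree (added example, not from the book).

The tree encodes Fig. 11.1 (electric iron). Basic-event probabilities are
constructed for illustration and are not taken from the book.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class Basic:
    """A basic failure event (an ellipse in the fault tree)."""
    name: str
    p: float  # probability that the event occurs during the mission


@dataclass(frozen=True)
class Gate:
    """An AND or OR connector whose inputs are Basic events or other gates."""
    kind: str  # "AND" or "OR"
    name: str
    inputs: tuple = ()


def probability(node) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)                          # all inputs must fail
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)   # at least one input fails
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node) -> set[frozenset[str]]:
    """Minimal cut sets: smallest combinations of basic events that cause the event at `node`."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "AND":
        # every input must fail: pick one cut set per input and take their union
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    elif node.kind == "OR":
        # any single input suffices: collect the cut sets of all inputs
        combined = set().union(*child_sets)
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # drop non-minimal sets (strict supersets of another cut set)
    return {c for c in combined if not any(o < c for o in combined)}


# Basic events of Fig. 11.1 with constructed probabilities
INSULATION = Basic("insulation defect, blank wire touches metal", 1e-3)
MONITOR = Basic("ground current monitor defect", 1e-2)
TOUCH_METAL = Basic("user touches metal of iron", 0.5)
TOUCH_CLOTH = Basic("user touches wet cloth that is in contact with iron", 0.2)

METAL_HV = Gate("AND", "metal under high voltage", (INSULATION, MONITOR))
CONTACT = Gate("OR", "user in contact with metal", (TOUCH_METAL, TOUCH_CLOTH))
SHOCK = Gate("AND", "user receives electric shock", (METAL_HV, CONTACT))


def top_event_probability() -> float:
    """P(user receives electric shock) for the tree of Fig. 11.1."""
    return probability(SHOCK)


def top_event_without_monitor() -> float:
    """Same tree with the ground-current monitor removed: the AND gate that modeled
    the safety mechanism degenerates to the insulation defect alone."""
    hv = Gate("AND", "metal under high voltage", (INSULATION,))
    return probability(Gate("AND", "user receives electric shock", (hv, CONTACT)))


if __name__ == "__main__":
    print(f"P(top event)             = {top_event_probability():.3e}")
    print(f"P(top event, no monitor) = {top_event_without_monitor():.3e}")
    for cs in sorted(cut_sets(SHOCK), key=sorted):
        print("minimal cut set:", sorted(cs))
```

With these constructed numbers the hazardous state "metal under high voltage" has probability 1e-5 and the top event 6e-6; dropping the monitor raises the top event by two orders of magnitude, which is exactly the role of an AND gate modeling a safety mechanism. The two minimal cut sets both contain the insulation defect and the monitor defect, so the tree also tells the engineer which pair of component failures every accident path shares.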

A dynamic fault tree is transformed into a Markov chain that can be solved by numerical techniques. There are excellent computer tools available that assist the design engineer in evaluating the reliability and safety of a given design, e.g., Mobius [Dea02].

Failure Mode and Effect Analysis (FMEA). Failure Mode and Effect Analysis (FMEA) is a bottom-up technique for systematically analyzing the effects of possible failure modes of components within a system to detect weak spots of the design and to prevent system failures from occurring. FMEA requires a team of experienced engineers to identify all possible failure modes of each component and to investigate the consequences of every failure on the service of the system at the system/user interface.

The failure modes are entered into a standardized work sheet as sketched in Fig. 11.2. A number of software tools have been developed to support the FMEA. The first efforts attempted to reduce the bookkeeping burden by introducing customized spreadsheet programs. Recent efforts have been directed towards assisting the reasoning process and providing a system-wide FMEA analysis [Sta03]. FMEA is complementary to the fault tree analysis, which was discussed in the previous section.

While the fault tree analysis starts from the undesirable top event and proceeds down to the component failures that are the cause of this system failure, the FMEA starts with the components and investigates the effects of the component failure on the system functions.

[Fig. 11.2 Worksheet for an FMEA. Columns: component | failure mode | failure effect | probability | criticality]

Table 11.1 Criticality level (Adapted from [ARI92])

Criticality   Failure of function
Level A       Results in catastrophic failure condition for the aircraft
Level B       Results in hazardous/severe-major failure condition for the aircraft
Level C       Results in major failure condition for the aircraft
Level D       Results in minor failure condition for the aircraft
Level E       Has no effect on aircraft operational capability or pilot workload

Dependability Modeling. A dependability model is a model of a distributed system constructed for the purpose of analyzing the reliability of behavior of the envisioned system. A good starting point for a reliability model is a structure block diagram derived from the architectural representation of the design, where the blocks are components and the connections among components are the dependencies among the components. The blocks are annotated with the failure rates and the repair rates of components, where the repair rate after a transient fault, closely related to the g-state cycle, is of particular importance, since most of the faults are transients.

If there is any dependency among the failure rates of components, e.g., caused by the co-location of components on the same hardware unit, these dependencies must be carefully evaluated, since the correlated failures of components have a strong impact on the overall reliability. The correlation of failures among replicated components in a fault-tolerant design is of particular concern. There are a number of software tools to evaluate the reliability and availability of a design, such as the Mobius tool [Dea02]. The dependability analysis establishes the criticality of each function for the analyzed mission.
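An added example, not from the book, for the effect of correlated failures among replicated components discussed above. It uses the constant-failure-rate reliability function R(t) = exp(-λt), a beta-factor split of the failure rate into an independent part and a common-cause part shared by co-located replicas (a standard common-cause model that the book does not introduce), and the steady-state availability μ/(λ+μ) of a component with a repair rate, which is where the repair rate after a transient fault enters. The failure rate, mission time, repair rate and beta are constructed values.

```python
"""Reliability of a replicated component with correlated failures (added example, not from the book).

Failure rate, mission time, repair rate and the common-cause fraction beta are constructed
for illustration. The beta-factor model (part of the failure rate hits both replicas at once)
is a standard common-cause model, not one introduced by the book.
"""
from math import exp


def reliability(failure_rate: float, mission_time: float) -> float:
    """R(t) = exp(-lambda * t): probability that one component survives the mission,
    assuming a constant failure rate."""
    return exp(-failure_rate * mission_time)


def duplex_reliability(failure_rate: float, mission_time: float, beta: float = 0.0) -> float:
    """Reliability of two replicas where the pair survives if at least one replica survives.

    beta is the fraction of the failure rate attributed to a shared (correlated) fault, e.g.
    both replicas sit on the same hardware unit. beta = 0 is the independent-failure assumption.
    """
    common_rate = beta * failure_rate                 # hits both replicas together
    independent_rate = (1.0 - beta) * failure_rate    # hits each replica on its own
    r_single = reliability(independent_rate, mission_time)
    both_fail_independently = (1.0 - r_single) ** 2
    # the pair survives only if no common-cause fault occurs AND not both replicas fail on their own
    return reliability(common_rate, mission_time) * (1.0 - both_fail_independently)


def correlation_penalty(failure_rate: float, mission_time: float, beta: float) -> float:
    """How much a design that assumed independence underestimates the duplex failure
    probability: ratio of unreliability with correlation to unreliability without it."""
    u_independent = 1.0 - duplex_reliability(failure_rate, mission_time, 0.0)
    u_correlated = 1.0 - duplex_reliability(failure_rate, mission_time, beta)
    return u_correlated / u_independent


def steady_state_availability(failure_rate: float, repair_rate: float) -> float:
    """A = mu / (lambda + mu) for one component with exponentially distributed failure and
    repair times; a fast repair (restart) after a transient fault is what keeps A close to 1."""
    return repair_rate / (failure_rate + repair_rate)


if __name__ == "__main__":
    lam, t = 1e-4, 1000.0   # constructed: 1e-4 failures per hour, 1000 h mission
    print(f"single component R(t)        = {reliability(lam, t):.6f}")
    print(f"duplex, independent failures = {duplex_reliability(lam, t):.6f}")
    print(f"duplex, beta = 0.1           = {duplex_reliability(lam, t, 0.1):.6f}")
    print(f"failure probability ratio    = {correlation_penalty(lam, t, 0.1):.2f}")
    print(f"availability, repair 1/h     = {steady_state_availability(lam, 1.0):.8f}")
```

With the constructed numbers, replicating the component cuts the mission failure probability from about 9.5% to about 0.9% under the independence assumption, but a common-cause fraction of only 10% nearly doubles that 0.9% again. That is the quantitative reason the text singles out co-located replicas: the correlation term, not the per-component failure rate, ends up dominating the reliability of a fault-tolerant pair.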

The criticality determines the level of attention that must be given to the component that implements the function in the overall design of the system. An example for the criticality level assignment of functions with respect to the airworthiness of a computer system onboard an aircraft is given in Table 11.1.

11.4.3 Safety Case

A safety case is a combination of a set of sound and well-documented arguments supported by analytical and experimental evidence concerning the safety of a given design. The safety case must convince an independent certification authority that the system under consideration is safe to deploy. What exactly constitutes a proper safety case of a safety-critical computer system is a subject of intense debate.

Outline of the Safety Case. The safety case must argue why it is extremely unlikely that faults will cause a catastrophic failure.

The arguments that are included in the safety case will have a major influence on design decisions at later stages of the project. Hence, the outline of the safety case should be planned during the early stages of a project. At the core of the safety case is a rigorous analysis of the envisioned hazards and faults that could arise during the operation of the system and could cause catastrophic effects, such as harm to humans, economic loss, or severe environmental damage. The safety case must demonstrate that sufficient provisions (engineering and procedural) have been taken to reduce the risk to a level that is acceptable to society and why some other possible measures have been excluded (maybe due to economic or procedural reasons). The evidence is accumulated as the project proceeds.

It consists of management evidence (ensuring that all prescribed procedures have been followed), design evidence (demonstrating that an established process model has been followed), and testing and operational evidence that is collected during the test phases and the operational phases of the target system or similar systems. The safety case is thus a living document. A safety case will combine evidence from independent sources to convince the certification authority that the system is safe to deploy.
