Failures safety critical system components

Safety critical systems, like many other domains, may benefit from the flexibility offered by component-based software development. However, to be applicable to safety critical systems, component-based development must directly support modelling and analysis of key non-functional concerns, such as availability, reliability, and the overall failure behaviour of the system, in order to deliver a... 

Cichocki, T. and J. Gorski, Failure Mode and Effect Analysis for Safety-Critical Systems with Software Components, in Floor Koomneef, Meine van der Meulen (eds.) Computer Safety, Reliability and Security, Proceedings of 19th International Conference SAFECOMP 2000, Rotterdam (The Netherlands), October 24—27, 2000, Springer Lecture Notes in Computer Science 1943, p. 382-394. 

In our future work, we intend to involve the smdy of ASR intersections and cyclic ASRs in the architectural design decisions. An ASR intersection is a number of common component interfaces among multiple ASRs. A cyclic ASR is a closed sequence of connected components. By considering ASR intersections and cyclic ASRs, we may be able to measure the architectural impacts on the reliability of more complicated software architectures. Another direction of future research will incorporate failure severities in the architectural design decisions. Some systems are critical to specific failure types, while they are less critical to other failures [20]. Therefore, this research will allow new applications in safety-critical systems that distinguish among different failure severities. Further research will allow to estimate the failure severity of a component based on its location and connectivity in an architecture. This will help in identifying the components that are critical to system reliability. 

Nowadays, an ever increasing number of information systems are embedded systems that have a dedicated function in a specific, often safety critical application environment (e.g., components of a railway control system). In case of safety critical systems, failures may endanger human life, or result in serious environmental or material damage, thus ensuring conformance to a correct specification is crucial for their development. 

Safety Instrumented Systems (SISs), i.e. safety-critical systems that are based on electrical/ electronic or programmable electronic technology, often employ redundancy to enhance their performance. The intended reliability effects of redundancy may however, be reduced if the system components are exposed to similar environmental exposures, design errors, and errors made during operation and maintenance. When multiple failures are attributed to a shared cause, they are often referred to as Common Cause Failures (CCFs). Standards that frame the development of SIS, such as lEC 61508 (2010), lEC 62061 (lEC 62061, 2005) and lEC 61511 (lEC 61511, 2003), require that measures are implemented to avoid CCFs and that the remaining effects of CCFs are included in reliability analyses. 

This approach is based on a safety analysis, often used for safety critical systems. The safety analysis performed at each stage of the system development is intended to identify all possible hazards with their relevant causes. Traditional safety analysis methods include, e.g. Functional Hazard Analysis (FHA) [1], Failure Mode and Effect Analysis (FMEA) [2] and Fault Tree Analysis (FTA). FMEA is a bottom-up method since it starts with the failure of a component or subsystem and then looks at its effect on the overall system. First, it lists all the components comprising a system and their associated failure modes. Then, the effects on other components or subsystems are evaluated and listed along with the consequence on the system for each component s failure modes. FTA, in particular, is a deductive method to analyze system design and robustness. Within this approach we can determine how a system failure can occur. It also allows us to propose countermeasures with a higher coverage or having wider dimension. 

Safety assurance can also be achieved by the use of fault tolerance techniques [1], [14] like design diversity [22] that mitigates failures from individual software components. Software design diversity can reduce the dangerous failure rate of the composite system as the same failure has to occur in more than one software component before it becomes dangerous. These techniques have been used in a range of safety-critical systems [3, 15]. 

Failure modes and effects analysis (FMEA) A systematic, methodical analysis performed to identify and document all identifiable failure modes at a prescribed level and to specify the resultant effect of the failure mode at various levels of assembly (NSTS 22254) the failure or malfunction of each system component is identified, along with the mode of failure (e.g., switch jammed in the on position). The effects of the failure are traced through the system and the ultimate effect on task performance is evaluated. Also called failure mode and effect criticality analysis (ASSE) a basic system safety technique wherein the kinds of failures that might occur and their effect on the overall product or system are considered. Example The effect on a system by the failure of a single component, such as a register or a hydraulic valve (SSDC). 

Safety-critical computer software components Those computer software components (processes, functions, values or computer program state) whose errors (inadvertent or unauthorized occurrence, failure to occur when required, occurrence out of sequence, occurrence in combination with other functions, or erroneous value) can result in a potential hazard, or loss of predictability or control of a system (MIL-STD-882). 

Reliability, Maintainability, and Quality Control. Inclusion of these organizations in the system safety process, from concept through disposal, will aid in the identification of safety-critical components for reliability analysis. A failure mode(s) and effect(s) analysis (FMEA), as well as other common reliability models, can be used to identify critical and noncritical failure points. The quality assurance element can be extremely usefid in the overall system safety process. Quality engineers should participate in the inspection of safety-critical components, serve on certification boards, audit any corrective-action requirements, and identify any safety impacts associated with implementation of such requirements. 

Critical items List The purpose of the FMEA is to identify and evaluate failure modes and the possible system effects of those failures. Since the potential for undesirable effects must be eliminated or controlled, the FMEA also provides recommended actions that must be taken to accomplish this goal. As part of this analysis process, the FMEA identifies any and all items within the system that, if a failure were to occur, would have a critical effect on the operation of that system. Therefore, to facilitate evaluation and analysis of these system effects, a critical items list is developed. The list provides detailed descriptive information on each item. It will explain its overall function within the system, as well as the function of any components that may make up that item. The failure mode determined as critical is then listed along with the potential effect(s) of such a failure. If an item on the critical items list is to be accepted as is, then acceptance rationale must be provided. Such rationale may include an explanation of any existing or planned design limitations that will prevent the failure during actual system operations, or the provision of excessive factors of safety that will render such fail-ure(s) extremely improbable. Another area for evaluating acceptance is the history, or lack thereof, and any known failures of systems similar in nature and operation. 

The fault hazard analysis (FHA)—also referred to as the functional hazard analysis—method follows an inductive reasoning approach to problem solving in that the analysis concentrates primarily on the specific and moves toward the general (TAI 1989). The FHA is an expansion of the FMEA (Stephenson 1991). As demonstrated in the previous chapter, the FMEA is concerned with the critical examination and documentation of the possible ways in which a system component, circuit, or piece of hardware may fail and the effect of that failure on the performance of that element. The FHA takes this evaluation a step further by determining the effect of such failures on the system, the subsystem, or personnel. In fact, when a FMEA has already been completed for a given system and information on the adverse safety effect of component or human failures is desired for that system, the safety engineer can often utilize the data from the FMEA as an input to the FHA. 

Defects or faults in any component of the loop can develop into malfunctions. Faults are not always visible to the operator immediately, but may appear in such a way that they give rise to complete loop failure. In safety-critical applications, no failure can be tolerated [3]. Redundancies in hardware and software facilitate fault recovery. So, for increased dependability fault tolerant control (PTC) is an ideal solution. In critical controls it may be disastrous to tolerate any failure of control systems. In PTC the system continues to operate with single failure in components and/or subsystems. Also in cases of critical controls, FTC will make a controlled shutdown to a safe state in a critical situation. FTC systems use the help of redundancies in hardware and software, discussed earlier, and fault diagnostics and intelligent software to monitor health and behavior of components and function blocks and take remedial action. With these tools the faults are isolated and suitable... 

The process of detecting possible failures in embedded systems is normally performed by safety experts who identify the failure mechanisms using CFT analysis in order to trace all possible reasons for each specific top-level event during the system s lifetime. Their objective is to find all possible safety-critical components that might trigger the underlying hazard. They design this model based on all possible failure relations between the system components related to... 

ABSTRACT In most cases, Model Based Safety Analysis (MBSA) of critical systems focuses only on the process and not on the control system of this process. For instance, to assess the dependability attributes of power plants, only a model (Fault Tree, Markov chain. ..) of the physical components of the plant (pumps, steam generator, turbine, alternator. ..) is used. In this paper, we claim that for repairable and/or phased-mission systems, not only the process but the whole closed-loop system Proc-ess/Control must be considered to perform a relevant MBSA. Indeed, a part of the control functions aims to handle the dynamical mechanisms that change the mission phase as well as manage repairs and redundancies in the process. Therefore, the achievement of these mechanisms depends on the functional/dysfunctional status of the control components, on which these functions are implemented. A qualitative or quantitative analysis method which considers both the process and the control provides consequently more realistic results by integrating the failures of the control components that may lead to the non-achievement of these mechanisms. This claim is exemplified on an industrial study case issued from a power plant. The system is modeled by a BDMP (Boolean logic Driven Markov Process), assuming first that the control components are faultless, i.e. only the faults in the process are considered, and afterwards that they may fail. The minimal cut sequences of the system are computed in both cases. The comparison of these two sets of minimal cut sequences shows the benefit of the second approach. 

---