Safety critical system components

Safety critical systems, like many other domains, may benefit from the flexibility offered by component-based software development. However, to be applicable to safety critical systems, component-based development must directly support modelling and analysis of key non-functional concerns, such as availability, reliability, and the overall failure behaviour of the system, in order to deliver a... 

Cichocki, T. and J. Gorski, Failure Mode and Effect Analysis for Safety-Critical Systems with Software Components, in Floor Koomneef, Meine van der Meulen (eds.) Computer Safety, Reliability and Security, Proceedings of 19th International Conference SAFECOMP 2000, Rotterdam (The Netherlands), October 24—27, 2000, Springer Lecture Notes in Computer Science 1943, p. 382-394. 

A strong assurance component is typical for safety cases of safety critical systems. 

First, safety critical systems must be reliable. These systems control releases in the event of accidents. It s necessary to have a critical analyzer, instrument and electrical system test program. This should consist of preventive maintenance and alarm and trip device testing for panel alarms, emergency isolation valves and other critical components. [7]... 

Sandom C (2002). Human Factors Considerations for System Safety, in Components of System Safety, Redmill F and Anderson T (Eds.), proceedings of 10th Safety Critical Systems Symposium, 5th-7th February 2002 Southampton, Springer-Verlag, UK, February 2002... 

In our future work, we intend to involve the smdy of ASR intersections and cyclic ASRs in the architectural design decisions. An ASR intersection is a number of common component interfaces among multiple ASRs. A cyclic ASR is a closed sequence of connected components. By considering ASR intersections and cyclic ASRs, we may be able to measure the architectural impacts on the reliability of more complicated software architectures. Another direction of future research will incorporate failure severities in the architectural design decisions. Some systems are critical to specific failure types, while they are less critical to other failures [20]. Therefore, this research will allow new applications in safety-critical systems that distinguish among different failure severities. Further research will allow to estimate the failure severity of a component based on its location and connectivity in an architecture. This will help in identifying the components that are critical to system reliability. 

Abstract. Component-based architectures are widely used in embedded systems. For managing complexity and improving quality separation of concerns is one of the most important principles. For one component, separation of concerns is realized by defining the overall component functionality by separated protocol behaviors. One of the main challenges of applying separation of concerns is the later automatic composition of the separated, maybe interdependent concerns which is not supported by current component-based approaches. Moreover, the complexity of real-time distributed embedded systems requires to consider safety requirements for the composition of the separated concerns. We present an approach which addresses these problems by a well-defined automatic composition of protocol behaviors with respect to interdependent concerns. The composition is performed by taking a proper refinement relation into accoimt so that the analysis results of the separated concerns are preserved which is essential for safety critical systems. 

Nowadays, an ever increasing number of information systems are embedded systems that have a dedicated function in a specific, often safety critical application environment (e.g., components of a railway control system). In case of safety critical systems, failures may endanger human life, or result in serious environmental or material damage, thus ensuring conformance to a correct specification is crucial for their development. 

In the past, safety engineering has been applied to build dependable systems out of less reliable components. A multitude of practical techniques such as fault masking, error detection, fault diagnosis, and recovery have evolved to improve the reliability of safety-critical system. Since the operations of these systems also depends on software and communicated information, malicious attacks to information security must be considered and appropriately addressed. Commonly, the focus of security can be described by the Confidentiality, Integrity, and Availability (CIA) model. A safety analysis needs to include security risks, determined by vulnerability, threat, and impact with respect to the CIA model. 

The Third International Workshop on Next Generation of System Assurance Approaches for Safety-Critical Systems (SASSUR 2014) aims to explore new ideas on compositional and evolutionary safety assurance and certification. In particular, SASSUR aims to provide a forum for thematic presentations and in-depth discussions about reuse and composition of safety arguments, safety evidence, and contextual information about system components, in a way that makes assurance and certification more cost-effective, precise, and scalable. 

The proposed variant of Scrum - SafeScrum, is motivated by the need to make it possible to use methods that are flexible with respect to planning, documentation and specification while still being acceptable to lEC 61508, as well as making Scrum a useful approach for developing safety critical systems. The rest of this section explains the components and concepts of this combined approach. 

Even though many complex embedded systems are safety-critical, or at least business-critical, they are often developed in traditional, relatively primitive and unsafe programming languages such as C/C++ or assembly. As a general rule, the development practice for complex embedded systems in industry is not radically different from less critical software systems formal verification techniques are rarely used. Such methods are typically only applied to truly safety-critical systems or components. (Even then, it is no panacea as formally proven software might still be unsafe (Liggesmeyer Trapp, 2009).)... 

Kaiser, B., P. Liggesmeyer, O. Mackel (2003). A new component concept for fault trees. In P. A. Lindsay and A. Cant (Eds.), Safety Critical Systems and Software 2003, Eigth Australian Workshop on Safety-Plated Programmable Systems, (SCS2003), Canberra, ACT. Australia, 9-10 October 2003, Volume 33 of CRPIT, pp. 31-46. Australian Computer Society. 

Safety Instrumented Systems (SISs), i.e. safety-critical systems that are based on electrical/ electronic or programmable electronic technology, often employ redundancy to enhance their performance. The intended reliability effects of redundancy may however, be reduced if the system components are exposed to similar environmental exposures, design errors, and errors made during operation and maintenance. When multiple failures are attributed to a shared cause, they are often referred to as Common Cause Failures (CCFs). Standards that frame the development of SIS, such as lEC 61508 (2010), lEC 62061 (lEC 62061, 2005) and lEC 61511 (lEC 61511, 2003), require that measures are implemented to avoid CCFs and that the remaining effects of CCFs are included in reliability analyses. 

The objective of this work is to analyze the use of software tools in hardware development for safety-critical systems, from the perspective of potential application of formal approaches to improve product quality. The rest of the paper is structured as follows. Section 2 sets the stage for the analysis, providing an overview of a design flow for PLD components, with emphasis on design verification. Section 3 outlines the potential impact of tool quality on product safety, and Section 4 discusses specific hardware issues that can still remain unresolved after formal verification of the design. 

---