This report describes a formal approach to verification and validation of safety requirements for embedded software, by application to a simple control-logic case study. The logic is formally specified in Z. System safety properties are formalised by defining an abstract model of the system’s physical behaviour in Z, including its hazardous states and dominant sensor failures. The Possum specification-animation tool is then used to check that the logic meets its safety requirements. Finally, the logic is implemented in SPARK Ada and SPARK Examiner is used to formally verify the implementation meets its specification. Design safety validation and source code verification are completely automated, removing the need for
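As an added illustration of the approach in the abstract above, and not code from the report or its authors, the following Python model stands in for the abstract Z model and the Possum animation: a constructed tank-level plant with an overflow hazard, a level sensor with two dominant failure modes (stuck low, stuck high), and two candidate control logics. An exhaustive breadth-first search over the finite state space checks whether any hazardous state is reachable. All names, set-points, the plant dynamics and the fault modes are assumptions made for this example.

```python
# Added example: exhaustive check of a control logic against an abstract plant model
# whose hazardous states and dominant sensor failures are made explicit.
from collections import deque

MAX_LEVEL = 10                  # constructed plant: level == MAX_LEVEL is the overflow hazard
LOW, HIGH = 3, 7                # controller set-points on the sensed level
FAULTS = ("ok", "stuck_low", "stuck_high")   # dominant failure modes of the level sensor


def sensor_reading(level, fault):
    """Level sensor output under each failure mode."""
    if fault == "stuck_low":
        return 0
    if fault == "stuck_high":
        return MAX_LEVEL
    return level


def logic_single_sensor(level, pump_on, fault):
    """Control logic that trusts the one level sensor (hysteresis between LOW and HIGH)."""
    reading = sensor_reading(level, fault)
    if reading <= LOW:
        return True
    if reading >= HIGH:
        return False
    return pump_on


def logic_with_cutoff(level, pump_on, fault):
    """Same logic plus an independent high-level cutoff switch, assumed fault-free here."""
    if level >= HIGH:            # the switch sees the true level, not the failed sensor
        return False
    return logic_single_sensor(level, pump_on, fault)


def physics(level, pump_on):
    """Abstract plant: the pump raises the level one unit per step, the drain lowers it one unit."""
    return min(MAX_LEVEL, level + 1) if pump_on else max(0, level - 1)


def is_hazard(state):
    level, _pump_on, _fault = state
    return level >= MAX_LEVEL


def successors(state, logic, faults):
    """One step of plant plus controller; a healthy sensor may fail permanently at any step."""
    level, pump_on, fault = state
    next_faults = faults if fault == "ok" else (fault,)
    for f in next_faults:
        new_pump = logic(level, pump_on, f)
        yield (physics(level, new_pump), new_pump, f)


def hazard_trace(logic, faults=FAULTS, initial_levels=range(0, HIGH)):
    """Breadth-first search of the finite state space.

    Returns the shortest path (list of (level, pump_on, fault) states) from an initial
    state to a hazardous state, or None if no hazard is reachable under the modelled faults.
    """
    start = [(lvl, False, "ok") for lvl in initial_levels]
    parent = {s: None for s in start}
    queue = deque(start)
    while queue:
        s = queue.popleft()
        if is_hazard(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for n in successors(s, logic, faults):
            if n not in parent:
                parent[n] = s
                queue.append(n)
    return None


if __name__ == "__main__":
    for name, logic in (("single sensor", logic_single_sensor), ("with cutoff", logic_with_cutoff)):
        trace = hazard_trace(logic)
        print(name, "->", "SAFE" if trace is None else "HAZARD via " + " ".join(map(str, trace)))
```

Run as a script it reports that the single-sensor logic reaches overflow, and only through the stuck-low failure, while the logic with the independent cutoff switch never does. Calling `hazard_trace(logic_single_sensor, faults=("ok",))` returns None: the single-sensor logic passes when sensor failures are left out of the model, which is exactly the gap an explicit physical model with its failure modes is meant to close.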
The adoption of systems-focused risk assessment techniques has not led to measurable improvement in the rate of patient harm. Why? In part, because these tools focus solely on understanding problems, and provide no direct support for designing and managing solutions (i.e., risk control). This second installment of a 2-part series on rebalancing risk management describes a structured approach to bridging this gap: The Active Risk Control (ARC) Toolkit. A pilot study is presented to show how ARC Toolkit can improve the quality of risk management practice.
In recent decades, safety has emerged as a major issue in many embedded applications in the aerospace, aircraft, automobile, railways, nuclear, medical, and other industries. Safety in this context means avoiding harm to individuals or society due to malfunctioning computer equipment or software. The essential requirements for these systems are so strict that they are regulated by government agencies such as the US Federal Aviation Administration (FAA) in the case of both airborne and ground aviation systems. The general concept of safety assurance is to minimize risk that can lead to accidents. This implies that the software tools used to develop the hardware and software components in safety-critical systems must be evaluated as thoroughly as the products themselves.
Integrating modern aircraft stores, particularly weapons, creates a complex system-of-systems challenge. The traditional approach to such integrations was for each to be a stand-alone program. For each program a unique interface would usually be implemented, typically with its own set of unique problems, such as the missile ‘ghosting’ problems experienced during the F-16 to AMRAAM integration (Ward 1993). In response to the problems of such an approach, MIL-STD-1760, the Interface Standard for Aircraft/Store Electrical Interconnection System, was released by the US DoD to standardise aircraft/store interfaces. This paper discusses the advantages and limitations of the architectural techniques of MIL-STD-1760. A hierarchical method for integrating the use of the standard into a safety case is also described.
This paper discusses issues related to the RTCA document DO-254, Design Assurance Guidance for Airborne Electronic Hardware, and its consequences for hardware certification. In particular, problems related to circuits’ compliance with DO-254 in avionics and other industries are considered. An extensive literature review of the subject is given, including current views on and experiences of chip manufacturers and the EDA industry with the qualification of hardware design tools, including formal approaches to hardware verification. Some results of the authors’ own study on tool qualification are presented.
Caches have become increasingly important with the widening gap between main memory and processor speeds. However, they are a source of unpredictability due to their characteristics, resulting in programs behaving in a different way than expected. Cache locking mechanisms adapt caches to the needs of real-time systems. Locking the cache is a solution that trades performance for predictability: at a cost of generally lower performance, the time of accessing the memory becomes predictable. This paper combines compile-time cache analysis with data cache locking to estimate the worst-case memory performance (WCMP) in a safe, tight and fast way. In order to get predictable cache behavior, we first lock the cache for those parts of the code where the static analysis fails. To minimize the performance degradation, our method loads the cache, if necessary, with data likely to be accessed. Experimental results show that this scheme is fully predictable, without compromising the performance of t...
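An added example, not code from the paper or its authors, to make the performance-for-predictability trade concrete: a simulated direct-mapped data cache with a lock that freezes its contents, run over a constructed table-lookup loop whose access pattern depends on the input bytes. The cache geometry, hit and miss latencies, addresses and the workload are all assumptions of this example.

```python
# Added example: a small direct-mapped data cache with and without locking, showing that
# preloading and locking makes the memory cost of an input-dependent lookup loop constant.
LINE_SIZE = 16          # bytes per cache line (constructed parameters, not from the paper)
NUM_LINES = 8           # 128-byte cache
HIT_CYCLES = 1
MISS_CYCLES = 20

TABLE_BASE = 0x1000     # 32 four-byte entries = 128 bytes = exactly NUM_LINES lines
TABLE_ENTRIES = 32
INPUT_BASE = 0x2000     # 16-byte input buffer; its line maps to the same set as table lines 0..3


class DirectMappedCache:
    def __init__(self):
        self.tags = [None] * NUM_LINES   # line number held in each set, or None
        self.locked = False

    def access(self, addr):
        """Return the cycle cost of one load; allocate on a miss unless the cache is locked."""
        line = addr // LINE_SIZE
        idx = line % NUM_LINES
        if self.tags[idx] == line:
            return HIT_CYCLES
        if not self.locked:
            self.tags[idx] = line
        return MISS_CYCLES

    def lock_with(self, addrs):
        """Preload the lines covering addrs, then freeze the contents (no further allocation)."""
        self.locked = False
        for a in addrs:
            self.access(a)
        self.locked = True


def table_lookup_loop(cache, data):
    """Constructed workload: for each input byte, read it, then read the table entry it selects."""
    cycles = 0
    for i, b in enumerate(data):
        cycles += cache.access(INPUT_BASE + i)
        cycles += cache.access(TABLE_BASE + 4 * (b % TABLE_ENTRIES))
    return cycles


def memory_cost(data, lock_table):
    """Total memory cycles for one run, with the table preloaded and locked or not."""
    cache = DirectMappedCache()
    if lock_table:
        cache.lock_with(range(TABLE_BASE, TABLE_BASE + 4 * TABLE_ENTRIES, 4))
    return table_lookup_loop(cache, data)


def cost_spread(inputs, lock_table):
    """Set of observed memory costs across inputs; a single element means the cost is input-independent."""
    return {memory_cost(d, lock_table) for d in inputs}


if __name__ == "__main__":
    samples = [bytes(16), bytes([0x10] * 16), bytes(range(16))]   # constructed inputs
    print("unlocked:", sorted(cost_spread(samples, lock_table=False)))
    print("locked:  ", sorted(cost_spread(samples, lock_table=True)))
```

Unlocked, the memory cost of the same 16-byte loop ranges from 70 to 640 cycles depending on the input, because input-selected table lines conflict with the input buffer's line. With the table preloaded and the cache locked, every run costs 336 cycles: each table access hits and each input access misses, so the worst-case memory performance is known exactly, at the price of every non-table access going to memory.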
Current practice in healthcare risk management is supported by many tools for risk assessment (understanding problems), but none for risk control (solving problems). The results: a failure to improve safety, and a waste of the investment made in risk assessment. The Active Risk Control (ARC) Toolkit, available for free, fills this void with a systematic, structured approach to risk control.
This paper presents an overview of, and discusses the role of, certification in safety-critical computer systems, focusing on software, and partly hardware, used in the civil aviation domain. It discusses certification activities according to RTCA DO-178B “Software Considerations in Airborne Systems and Equipment Certification” and touches on tool qualification according to RTCA DO-254 “Design Assurance Guidance for Airborne Electronic Hardware.” Specifically, certification issues related to real-time operating systems and programming languages are reviewed, and the qualification processes for software development tools and complex electronic hardware tools are discussed. Results of an independent industry survey done by the authors are also presented.
In this article we call for a new approach to patient safety improvement, one based on the emerging field of evidence-based healthcare risk management (EBHRM). We explore EBHRM in the broader context of the evidence-based healthcare movement, assess the benefits and challenges that might arise in adopting an evidence-based approach, and make recommendations for meeting those challenges and realizing the benefits of a more scientific approach.
"Based on an analysis of the operating cycle of an airplane, a model for evaluating the level of safety was introduced. Steps for modernising the existing safety system were introduced, and requirements for the hardware and software were presented. On-board hardware functions and reliability requirements were analysed, and the structure of the hardware was presented and realised. The structure of a full-size system to support the Concept of Dynamic Safety was developed and presented. The economics of realising the Concept were presented, and it was proved that substantial profit and a higher level of safety may be achieved provided that the Concept of Dynamic Safety is implemented."
On 12 April 2021, at the request of Russian native speakers, this paper was translated with minimal corrections. The file is included. Unfortunately, despite the fact that Boeing was, sorry to say, "educated" by me personally in 1999 for three months regarding 737 reliability and maintenance-of-reliability issues, and despite an EC DG Research grant (2004-2009) to follow up and develop the proposed concept up to industrial implementation, neither Boeing nor Airbus nor Russian commercial aviation took any serious step to save the lives of us passengers. They knew and ignored...
Model-Driven Engineering (MDE) promises to enhance system development by reducing development time and increasing productivity and quality. MDE is gaining popularity in several industry sectors, and is also attractive for critical systems, where it can reduce the effort and cost of verification and validation (V&V) and can ease certification. Incorporating model-driven techniques into a legacy, well-proven development cycle is not simply a matter of placing models and transformations in the design and implementation phases. We present our experience in the model-driven design and V&V of a safety-critical system in the railway domain, namely the Prolan Block, a railway interlocking system manufactured by the Hungarian company Prolan Co., which is required to be CENELEC SIL-4 compliant. The work was carried out in an industrial-academic partnership within the EU project CECRIS. We discuss the challenges and the lessons learnt in this pilot project of introducing MD design and testi...
Abstract. Roboethics is a recently developed field of applied ethics which deals with the ethical aspects of technologies such as robots, ambient intelligence, direct neural interfaces and invasive nano-devices and intelligent soft bots. In this article we look specifically at the issue of (moral) responsibility in artificial intelligent systems. We argue for a pragmatic approach, where responsibility is seen as a social regulatory mechanism. We claim that having a system which takes care of certain tasks intelligently, learning from experience ...
A fundamental problem in the design and development of embedded control systems is the verification of safety requirements. Formal methods, offering a mathematical way to specify and analyze the behavior of a system, together with the related support tools can successfully be applied in the formal proof that a system is safe. However, the complexity of real systems is such that automated tools often fail to formally validate such systems.
Systems whose failure can lead to the damage of property or the environment, or loss of human life, are regarded as safety-critical systems. It is no longer adequate to build safety-critical systems based on the control of errors and failures alone. Safety-critical systems must also deal ...
This report discusses architectures for safety-critical systems. The report summarises the existing literature in the area as well as the guidance provided by existing safety-critical system development standards. We discuss the three constituent functions of fault-tolerant architectures: error detection, damage assessment and confinement, and error recovery. We also consider methods for fault prevention.
The cost of finding and correcting defects represents one of the most expensive software development activities. If errors are carried through to the final acceptance testing stage of the project life cycle, the project is at greater risk in terms of its time and cost. A small amount of effort spent on quality assurance yields substantial cost savings in detecting and eliminating defects. The purpose of defect prevention is to identify defects early in the life cycle and to prevent them from recurring, so that the same defect does not surface again. Software for safety-critical systems must deal with the hazards identified by safety analysis in order to make the system safe, risk-free and fail-safe. Certain faults in critical systems can result in catastrophic consequences such as death, injury or environmental harm. The focus of this paper is an approach to software safety analysis based on a combination of two existing fault...
Human safety in the Middle East is a crucial concern, especially when working on mission-critical systems. Any trivial error may result in dangerous casualties and the loss of innocent lives. The main objective of this paper is to present a complete study of a system that automates the currently adopted manual process of having dedicated staff control the barriers at railway crossings when trains pass; the aim is to reduce the human errors that result from manual control. The study aims to provide a robust solution that adheres to a formal, systematic and new procedure for enhancing the overall quality of the requirements gathered for critical systems. It also shows how effective goal-oriented modelling is in the requirements elicitation stage for critical systems, in defining a clear scope and validating the requirements against missing, inconsistent or vague requirements at an early stage.