Outline
Safety Engineering and its application to Software
Safety Driven Design
The Process
Example: Martian Lander
Comparison to other Methods and Results
Software in Automotive and Aerospace Systems
Lines of Code:
MER (Mars Rovers): 428,000
F-35 (Joint Strike Fighter): 5.7 million
Modern-day car: 100 million
Safety Engineering
Broad Definition of Safety: Loss Events (accidents) can be:
A car that won't start because of a Software Error in the Computer (Recall!)
A spacecraft that crashes into the surface of the planet
System Safety
System accidents:
Catastrophic outcome arising from interactions between operating components
Each component functions within an acceptable performance range, or in the context of an appropriate objective
Safety is Emergent
Safety must be Built-in From the Beginning
Cheaper
More Effective
Controlling States
Since hazardous states can be prevented through appropriate control (enforcing safety constraints), this hazard analysis method seeks to find instances of Inadequate Control.
Inadequate control occurs when there are state transitions to hazardous states.
The commands or actions that lead to violation of safety constraints: Inadequate Control Actions
Control Structure
[Figure: control structure diagram (control loop annotated with control flaws)]
Control Input: Wrong or Missing
Inadequate Control Algorithm
Process Model: Wrong
Feedback: Wrong or Missing
Actuator(s): Inadequate Actuator Operation
Process Input: Wrong or Missing
Controlled Process
Sensor(s): Inadequate Sensor Operation
Disturbances: Unidentified or Out of Range
Process Output: Wrong or Missing
Process Overview
Use STPA (Inadequate Control Actions and Control Flaws) to analyze high-level design and refine safety constraints, or change design. Iterate.
Create Design
STPA
Use STPA to Refine Constraints or Change Design
Create a new safety constraint, modify the related safety constraint, or refine the related safety constraint to better enforce control.
Create new design or modify existing design to eliminate, prevent or mitigate the effect of the control flaw.
Accept the design as is and record the rationale for doing so.
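As an added worked example (constructed here; it is not part of the talk and not the Martian lander analysis it refers to), the following Python encodes a toy descent control loop and mechanically finds the Inadequate Control Actions of the "Controlling States" slides and the control-flaw scenarios (process model wrong, feedback wrong or missing) that produce them. The state names, the actions and the controller logic are all assumptions made for the illustration.

```python
from itertools import product

# Constructed toy model: a descent controller that can switch the engine on or off.
ALTITUDE = ("high", "low", "touchdown")
ENGINE = ("on", "off")
STATES = tuple(product(ALTITUDE, ENGINE))
ACTIONS = ("engine_on", "engine_off", "no_action")

def is_hazardous(state):
    """System-level safety constraint: the engine must not be off before touchdown."""
    altitude, engine = state
    return engine == "off" and altitude != "touchdown"

def transition(state, action):
    """Controlled process: the command sets the engine; altitude does not change within one control cycle."""
    altitude, engine = state
    if action == "engine_on":
        engine = "on"
    elif action == "engine_off":
        engine = "off"
    return (altitude, engine)

def inadequate_control_actions():
    """Commands that move the system from a non-hazardous state into a hazardous one."""
    return sorted(
        (state, action)
        for state in STATES if not is_hazardous(state)
        for action in ACTIONS
        if is_hazardous(transition(state, action))
    )

def controller(process_model):
    """Control algorithm: it acts on its process model (what feedback told it), never on the true state."""
    altitude, engine = process_model
    if altitude == "touchdown" and engine == "on":
        return "engine_off"
    if altitude != "touchdown" and engine == "off":
        return "engine_on"
    return "no_action"

def control_flaw_scenarios():
    """Pair every true state with every possible process model and keep the pairs in which the
    controller issues an inadequate control action; classify each by which control flaw caused it."""
    ica = set(inadequate_control_actions())
    scenarios = []
    for true_state, model in product(STATES, STATES):
        action = controller(model)
        if (true_state, action) in ica:
            flaw = ("inadequate control algorithm" if model == true_state
                    else "process model wrong (feedback wrong or missing)")
            scenarios.append((true_state, model, action, flaw))
    return scenarios
```

Every scenario this finds has a correctly working control algorithm and a process model that disagrees with reality, which is the "all components operating exactly as intended" pattern the Results slide describes.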
Results
Deployment and testing were held up for 6 months because so many scenarios were identified for inadvertent launch. In many of these scenarios:
All components were operating exactly as intended
Complexity of component interactions led to unanticipated system behavior
Thank you
Questions?