
Safety Critical Computer Systems - Open Questions and Approaches

Andreas Gerstinger

Institute for Computer Technology

February 16, 2007

Agenda

  • Safety-Critical Systems

  • Project Partners

  • Three research topics

    • Safety Engineering

    • Diversity

    • Software Metrics

  • Conclusion and Outlook

Safety Critical Systems

  • A safety-critical computer system is a computer system whose failure may cause injury or death to human beings, or damage to the environment

  • Examples:

    • Aircraft control system (fly-by-wire,...)

    • Nuclear power station control system

    • Control systems in cars (anti-lock brakes,...)

    • Health systems (heart pacemakers,...)

    • Railway control systems

    • Communication systems

    • Wireless Sensor Networks Applications?

SYSARI Project

  • SYSARI = SYstem SAfety Research in Industry

  • Goal of the project

    • to conduct and promote research in system safety engineering and in the design and development of safety-critical systems

  • Close cooperation between ICT and Industry

    • One "shared" Employee (me)

    • Students conducting practical Diploma Theses

    • PhD Theses

What is Safety?

“The avoidance of death, injury or poor health to customers, employees, contractors and the general public; also avoidance of damage to property and the environment”

Safety is also defined as "freedom from unacceptable risk of harm"

A basic concept in System Safety Engineering is the avoidance of "hazards"

Safety is NOT an absolute quantity!

Safety vs. Security

  • These two concepts are often mixed up

  • Safety is concerned with unintended harm (random or systematic faults); security is concerned with deliberate, malicious actions

  • In German, there is just one term, "Sicherheit", for both!


Project Partner: Frequentis

  • Austrian high-tech company

  • World leader in air traffic control communication systems

  • 700 employees, company based in Vienna, customers all over the world

Frequentis Voice Communication System

  • Enables communication between aircraft and controller

  • Communication link must never fail!

    • High availability and reliability

    • Fault tolerance

  • Other domains: ambulance, police, fire brigade,...

  • Safety Integrity Level 2 (SIL 2)

Project Partner: Thales

  • French company

  • 68,000 employees worldwide

  • Mission-critical information systems

  • 25,000 researchers

  • Nobel Prize in Physics 2007 awarded to Albert Fert, scientific director of the Thales research lab

Railway Signalling Systems

  • Signalling and switching

  • Axle counters

  • Applications for ETCS (European Train Control System)

  • An incorrect output may lead to an incorrect signal, causing a major accident!

  • Safety Integrity Level 4 (SIL 4, the highest level)

(Old) Interlocking Systems

  • Mechanical /

Signal Box / Interlocking Tower

  • Electric system with some electronics

Modern Signal Box / Interlocking Tower

  • Lots of electronics and computer systems


What is a Hazard?

  • Hazard

    • a physical condition of the platform that threatens the safety of personnel or of the platform, i.e. one that can lead to an accident

    • a condition of the platform that, unless mitigated, can develop into an accident through a sequence of normal events and actions

    • "an accident waiting to happen"

  • Examples

    • oil spilled on staircase

    • failed train detection system at an automatic railway level crossing

    • loss of thrust control on a jet engine

    • loss of communication

    • distorted communication

    • undetectably incorrect output

Risk Acceptability

  • Having identified the level of risk for the product, we must determine how acceptable and tolerable that risk is, from the viewpoint of:

    • Regulator / Customer

    • Society

    • Operators

  • Decision criteria for risk acceptance / rejection

    • Absolute vs. relative risk (compare with previous, background)

    • Risk-cost trade-offs

    • Risk-benefit of technological options

Risk Tolerability

(Figure: risk tolerability diagram; the labels on the slide are "Risk Criteria" and "Risk Reduction Measures")

Diversity

  • Goal: Fault Tolerance/Detection

  • Diversity is "a means of achieving all or part of the specified requirements in more than one independent and dissimilar manner."

  • Can tolerate/detect a wide range of faults

"The most certain and effectual check upon errors which arise in the process of computation, is to cause the same computations to be made by separate and independent computers; and this check is rendered still more decisive if they make their computations by different methods."

Dionysius Lardner, 1834

Examples of Diversity

  • Specification Diversity

  • Design Diversity

  • Data Diversity

  • Time Diversity

  • Hardware Diversity

  • Compiler Diversity

  • Automated Systematic Diversity

  • Testing Diversity

  • Diverse Safety Arguments

Some faults to be targeted:

programming bugs, specification faults, compiler faults, CPU faults, random hardware faults (e.g. bit flips), security attacks,...

Compiler Diversity: Issues

  • Targeted Faults:

    • Systematic compiler faults

    • Some Heisenbugs

    • Some systematic and permanent hardware faults (if executed on one board)

  • Issues:

    • To some degree possible with one compiler and different compile options (optimization on/off,…)

    • If compilers from different manufacturers are used, their independence must be ensured (e.g. no shared front end, code generator or runtime library)

Systematic Automatic Diversity

  • Artificial introduction of diversity to tolerate HW Faults

  • (Automatic) Transformation of program P into a semantically equivalent program P' which uses the hardware differently

    • e.g. different memory areas, different registers, different comparisons,...

      if A = B then    →    if A - B = 0 then

      A or B           →    not (not A and not B)

Systematic Automatic Diversity

  • What can be "diversified":

    • memory usage

    • execution sequence

    • statement structures

    • array references

    • data coding

    • register usage

    • addressing modes

    • pointers

    • mathematical and logic rules

Systematic Automatic Diversity: Issues

  • Targeted Faults:

    • Systematic hardware faults

    • Permanent random hardware faults

  • Issues:

    • Can be performed on source code or assembler level

    • If performed at source code level, it must be ensured that the compiler does not "cancel out" the diversity, e.g. by optimizing the transformed expression back into the original one

    • (Software) fault injection experiments showed an improvement by a factor of ~100 with respect to hardware faults
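The transformation rules from the previous slides, worked through as an added example (this is not code from the talk or from the SYSARI project): a hypothetical interlock predicate P ("trip if speed > limit or a door is open") and its diversified counterpart P', which keeps its inputs one's-complement coded, evaluates the comparison as a subtraction and builds the OR via De Morgan's rule. A stuck-at-1 fault is injected into each bit of the memory word holding the speed, once with the two channels using separate memory words and once with a shared word. The predicate, the input values and the fault model are assumptions chosen for illustration; the `volatile` qualifiers are there so the optimizer cannot fold the two copies back into one, which is exactly the "cancel out" issue the slide warns about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical interlock predicate used as program P (chosen for illustration):
 * trip the brake when speed > limit or a door is open. */

/* Channel P: the original program. Plain binary data, a relational operator
 * and a logical OR. */
static bool channel_p(uint16_t speed, uint16_t limit, bool door_open)
{
    return (speed > limit) || door_open;
}

/* Channel P': a semantically equivalent transformation of P that uses the
 * hardware differently:
 *   data coding  - speed and limit arrive one's-complement coded, the door
 *                  flag arrives with inverted polarity ("door closed")
 *   comparison   - "speed > limit" is computed as "limit - speed < 0"
 *   logic        - "A or B" is computed as "not (not A and not B)"        */
static bool channel_p_prime(uint16_t speed_cod, uint16_t limit_cod, bool door_closed)
{
    int32_t speed = (uint16_t)~speed_cod;   /* decode one's complement */
    int32_t limit = (uint16_t)~limit_cod;
    bool over = (limit - speed) < 0;
    return !(!over && door_closed);
}

typedef struct {
    int detected;      /* comparator saw P != P'                                   */
    int silent_wrong;  /* P == P', but both differ from the fault-free result      */
} campaign_result;

/* Stuck-at-1 fault injection on each of the 16 bits of the memory word holding
 * the speed. "diverse" models P and P' keeping their inputs in separate memory
 * words (memory-usage diversity), so the faulty cell is read by P only;
 * "!diverse" models both channels reading the same faulty word. The words are
 * volatile so the optimizer cannot merge the two copies into one. */
static campaign_result run_stuck_at_1_campaign(uint16_t speed, uint16_t limit,
                                               bool door_open, bool diverse)
{
    campaign_result r = {0, 0};
    bool golden = channel_p(speed, limit, door_open);   /* fault-free reference */

    for (int bit = 0; bit < 16; bit++) {
        uint16_t faulty = speed | (uint16_t)(1u << bit);
        volatile uint16_t word_p  = faulty;
        volatile uint16_t word_pp = (uint16_t)~(diverse ? speed : faulty);

        bool out_p  = channel_p(word_p, limit, door_open);
        bool out_pp = channel_p_prime(word_pp, (uint16_t)~limit, !door_open);

        if (out_p != out_pp)
            r.detected++;        /* 2oo2 comparator: go to the safe state      */
        else if (out_p != golden)
            r.silent_wrong++;    /* common-mode failure: wrong and unnoticed   */
    }
    return r;
}

int main(void)
{
    campaign_result d = run_stuck_at_1_campaign(100, 120, false, true);
    campaign_result s = run_stuck_at_1_campaign(100, 120, false, false);
    printf("separate words: detected=%d silent_wrong=%d\n", d.detected, d.silent_wrong);
    printf("shared word:    detected=%d silent_wrong=%d\n", s.detected, s.silent_wrong);
    return 0;
}
```

With speed 100 and limit 120, a stuck-at-1 on bits 7 to 15 changes P's verdict; with separate memory words every one of those nine faults is caught by the comparator, with a shared word all nine pass through as an identical wrong answer in both channels. Faults on the remaining bits either do not change the stored value or do not cross the limit, so they are invisible to a comparator on outputs; this is why the fault-injection factor on the slide is measured on outputs, not on corrupted state.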

Example: Diverse Calculation of Position

  • Position P can be calculated based on speedometer and accelerometer readings

  • The voter can also be implemented diversely

  • PositionA and PositionB could be transmitted in different formats
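The slide's position example carried through in code, as an added example that is not from the talk: channel A integrates speedometer samples in fixed-point millimetres, channel B double-integrates accelerometer samples in floating-point metres (the two different formats), and two diversely implemented voters compare the results. The sensor samples are constructed (a vehicle accelerating at 2 m/s² from rest for 5 s), and the sampling interval, tolerance and the injected permanent stuck-at-1 fault in channel A's accumulator are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DT_S        0.1    /* sampling interval in seconds (assumed) */
#define N_STEPS     50
#define ACCEL_MPS2  2.0    /* constructed drive: constant acceleration from rest */
#define TOL_MM      500    /* voter tolerance in millimetres (assumed) */

/* Constructed sensor samples, not measured data: the speedometer reports
 * v = a*t, the accelerometer reports the constant a. */
static double speedometer_mps(int k)    { return ACCEL_MPS2 * DT_S * k; }
static double accelerometer_mps2(int k) { (void)k; return ACCEL_MPS2; }

/* Round a non-negative distance in metres to integer millimetres. */
static int32_t metres_to_mm(double m) { return (int32_t)(m * 1000.0 + 0.5); }

typedef struct {
    int32_t pos_a_mm;          /* channel A: fixed point, millimetres          */
    double  pos_b_m;           /* channel B: floating point, metres            */
    bool    agree;             /* combined verdict of both voters              */
    bool    voters_consistent; /* the two voter implementations agreed with each other */
} dr_result;

/* Channel A: trapezoidal integration of the speedometer in integer millimetres.
 * Optionally a permanent stuck-at-1 fault on bit 15 of A's accumulator from
 * step 25 on (models a defective memory cell holding this channel's state). */
static int32_t channel_a(bool inject_fault)
{
    int32_t pos_mm = 0;
    for (int k = 1; k <= N_STEPS; k++) {
        double v_prev = speedometer_mps(k - 1), v = speedometer_mps(k);
        pos_mm += metres_to_mm((v_prev + v) / 2.0 * DT_S);
        if (inject_fault && k >= 25)
            pos_mm |= (int32_t)1 << 15;
    }
    return pos_mm;
}

/* Channel B: double integration of the accelerometer in floating point metres. */
static double channel_b(void)
{
    double v = 0.0, pos_m = 0.0;
    for (int k = 1; k <= N_STEPS; k++) {
        double a = accelerometer_mps2(k);
        pos_m += v * DT_S + 0.5 * a * DT_S * DT_S;
        v += a * DT_S;
    }
    return pos_m;
}

/* Two diversely implemented voters over the differently formatted outputs:
 * one works in the integer domain, the other in the floating point domain. */
static bool voter_int(int32_t a_mm, double b_m)
{
    int32_t diff = a_mm - metres_to_mm(b_m);
    return diff <= TOL_MM && diff >= -TOL_MM;
}

static bool voter_float(int32_t a_mm, double b_m)
{
    double diff = a_mm / 1000.0 - b_m;
    if (diff < 0.0) diff = -diff;
    return diff <= TOL_MM / 1000.0;
}

static dr_result dead_reckoning(bool inject_fault)
{
    dr_result r;
    r.pos_a_mm = channel_a(inject_fault);
    r.pos_b_m  = channel_b();
    bool v1 = voter_int(r.pos_a_mm, r.pos_b_m);
    bool v2 = voter_float(r.pos_a_mm, r.pos_b_m);
    r.voters_consistent = (v1 == v2);
    r.agree = v1 && v2;   /* 2oo2: any disagreement means go to the safe state */
    return r;
}

int main(void)
{
    dr_result ok = dead_reckoning(false), bad = dead_reckoning(true);
    printf("fault-free: A=%d mm  B=%.3f m  agree=%d\n", (int)ok.pos_a_mm, ok.pos_b_m, ok.agree);
    printf("with fault: A=%d mm  B=%.3f m  agree=%d\n", (int)bad.pos_a_mm, bad.pos_b_m, bad.agree);
    return 0;
}
```

Fault-free, both channels arrive at 25 m (25000 mm) and both voters agree; with the stuck bit, channel A drifts to 57768 mm while B still reports 25 m, and both voters flag the disagreement. Because the channels use different sensors, different integration schemes and different number formats, a single fault in either channel's state or arithmetic cannot produce the same wrong position in both.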

Open Issues

  • How can diversity be used most efficiently?

  • Can diversity be introduced automatically?

  • Which faults are detected/tolerated to which extent?

  • How can the quality of the diversity be measured?

  • Can diversity also be used to detect security intrusions?


Software Metrics for Safety-Critical Systems

Problems:

  • Which metrics should safety-critical software fulfil?

  • Which coding rules are good and useful?

  • What are the desired ranges for metrics?

  • Which metrics influence maintainability?

Some RAW Metrics...

Outline of Method

  • Create a questionnaire with relevant questions regarding software quality and have expert developers answer it for the various software packages they work with

  • Automatically measure potentially interesting metrics of the same software packages

  • Correlate the questionnaire responses with the measured metrics to find out which metric correlates with which perceived property
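The "automatically measure" step of the method, as an added example that is not the study's tooling: a small measurer for two of the raw metrics the study looked at, comment density and cyclomatic complexity (counted as decision points plus one, for a unit consisting of one function). It tracks block comments, line comments, string and character literals so that a `//` inside a string or an `if` inside a comment is not counted. The sample source it measures is constructed for this example; it is not code from the partners. The counter is an approximation (no preprocessor, no `default`/`goto` handling), which is exactly the kind of tool choice that has to be fixed before metrics from different packages can be compared.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int lines;          /* physical lines in the unit                          */
    int comment_lines;  /* lines on which at least part of a comment appears   */
    int decisions;      /* if, for, while, case, &&, ||, ?:                    */
} code_metrics;

static bool ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

static bool is_decision_keyword(const char *tok, size_t n)
{
    static const char *kw[] = { "if", "for", "while", "case" };
    for (size_t i = 0; i < sizeof kw / sizeof kw[0]; i++)
        if (strlen(kw[i]) == n && memcmp(tok, kw[i], n) == 0)
            return true;
    return false;
}

/* Single pass over the source text with a small lexer state machine. */
static code_metrics measure(const char *src)
{
    code_metrics m = {0, 0, 0};
    bool in_block = false, in_line = false, in_str = false, comment_on_line = false;
    const char *p = src;

    while (*p) {
        char c = *p;
        if (c == '\n') {
            m.lines++;
            if (comment_on_line) m.comment_lines++;
            comment_on_line = in_block;      /* an open block comment continues */
            in_line = false;
            p++;
        } else if (in_block) {
            comment_on_line = true;
            if (c == '*' && p[1] == '/') { in_block = false; p += 2; } else p++;
        } else if (in_line) {
            comment_on_line = true;
            p++;
        } else if (in_str) {
            if (c == '\\' && p[1]) p += 2;
            else { if (c == '"') in_str = false; p++; }
        } else if (c == '/' && p[1] == '*') {
            in_block = true; comment_on_line = true; p += 2;
        } else if (c == '/' && p[1] == '/') {
            in_line = true; comment_on_line = true; p += 2;
        } else if (c == '"') {
            in_str = true; p++;
        } else if (c == '\'') {                       /* character literal */
            p++;
            if (*p == '\\' && p[1]) p += 2; else if (*p) p++;
            if (*p == '\'') p++;
        } else if ((c == '&' && p[1] == '&') || (c == '|' && p[1] == '|')) {
            m.decisions++; p += 2;
        } else if (c == '?') {
            m.decisions++; p++;
        } else if (ident_char(c)) {                   /* identifier, keyword or number */
            size_t n = 0;
            while (ident_char(p[n])) n++;
            if (is_decision_keyword(p, n)) m.decisions++;
            p += n;
        } else {
            p++;
        }
    }
    if (p != src && p[-1] != '\n') {                 /* last line without newline */
        m.lines++;
        if (comment_on_line) m.comment_lines++;
    }
    return m;
}

static int cyclomatic_complexity(code_metrics m) { return m.decisions + 1; }

static double comment_density(code_metrics m)
{
    return m.lines ? (double)m.comment_lines / m.lines : 0.0;
}

/* Constructed sample unit (not code from the partners): one function. */
static const char *SAMPLE_SRC =
    "/* Check whether a speed sample may be used.\n"
    "   Rejects stale and out-of-range values. */\n"
    "int sample_ok(int speed, int age_ms)\n"
    "{\n"
    "    if (age_ms > 500 || speed < 0) /* stale or negative */\n"
    "        return 0;\n"
    "    // cap is a constant in real code\n"
    "    return speed <= 300 ? 1 : 0;\n"
    "}\n";

int main(void)
{
    code_metrics m = measure(SAMPLE_SRC);
    printf("lines=%d comment_lines=%d density=%.2f cyclomatic=%d\n",
           m.lines, m.comment_lines, comment_density(m), cyclomatic_complexity(m));
    return 0;
}
```

For the sample unit the measurer reports 9 lines, 4 of them carrying comments (density 0.44) and 3 decision points (`if`, `||`, `?:`), so a cyclomatic complexity of 4. Running the same function over every file of a package gives the per-package values that are then correlated with the questionnaire answers.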

Graph 4: Internal Quality vs. CC (Cyclomatic Complexity)

Summary of Results

  • Strongest correlation with perceived internal quality:

    • Comment density

    • Control Flow Anomalies

  • No correlation with perceived internal quality:

    • Cyclomatic Complexity

    • Average Method Size

    • Average File Size

    • ...


Further Related Topics

  • Agile Methods in Safety Critical Development

  • Hazard Analysis Methods

  • Safety Standards

  • Safety of Operating Systems

  • COTS Components for Safety-Critical Systems

  • Safety Aspects of Modern Programming Languages (Java, C#.NET)

  • Fault Detection, Correction and Tolerance

  • Safety and Security Harmonisation

  • Linux in Safety-Critical Environments

  • Online Tests to detect hardware faults

Conclusion

  • Many open issues in this field...

  • All research activities in the SYSARI project are practically motivated

  • The number of safety-critical systems is increasing

  • International Standards play a vital role (e.g. IEC 61508)


    Andreas Gerstinger: [email protected]