Reliability and Safety Modeling of a Digital Feed Water Control System

Much digital instrumentation and control systems embedded in the critical medical healthcare equipment aerospace devices and nuclear industry have obvious consequence of different failure modes. These failures can affect the behavior of the overall safety critical digital system and its ability to deliver its dependability attributes if any defected area that could be a hardware component or software code embedded inside the digital system is not detected and repaired appropriately. The safety and reliability analysis of safety critical systems can be accomplished with Markov modeling techniques which could express the dynamic and regenerative behavior of the digital control system. Certain states in the system represent system failure while others represent fault free behavior or correct operation in the presence of faults. This paper presents the development of a safety and reliability modeling of a digital feedwater control system using Markov based chain models. All the Markov states and the transitions between these states were assumed and calculated from the control logic for the digital control system. Finally based on the simulation results of modeling the digital feedwater control system the system does meet its reliability requirement with the probability of being in fully operational states is 0.99 over a 6 months time.Comment: 13 pages, 7 figures, conferenc

Formal Specifications and Analysis of the Computer Assisted Resuscitation Algorithm (CARA) Infusion Pump Control System

Reliability of medical devices such as the CARA Infusion Pump Control System is of extreme importance given that these devices are being used on patients in critical condition. The Infusion Pump Control System includes embedded processors and accompanying embedded software for monitoring as well as controlling sensors and actuators that allow the embedded systems to interact with their environments. This nature of the Infusion Pump Control System adds to the complexity of assuring the reliability of the total system. The traditional methods of developing embedded systems are inadequate for such safety-critical devices. In this paper, we study the application of formal methods to the requirements capture and analysis for the Infusion Pump Control System. Our approach consists of two phases. The first phase is to convert the informal design requirements into a set of reference specifications using a formal system, in this case EFSMs (Extended Finite State Machines). The second phase is to translate the reference specifications to the tools supporting formal analysis, such as SCR and Hermes. This allows us to conclude properties of the reference specifications. Our research goal is to develop a framework and methodology for the integrated use of formal methods in the development of embedded medical systems that require high assurance and confidence

Architecture Level Safety Analyses for Safety-Critical Systems

The dependency of complex embedded Safety-Critical Systems across Avionics and Aerospace domains on their underlying software and hardware components has gradually increased with progression in time. Such application domain systems are developed based on a complex integrated architecture, which is modular in nature. Engineering practices assured with system safety standards to manage the failure, faulty, and unsafe operational conditions are very much necessary. System safety analyses involve the analysis of complex software architecture of the system, a major aspect in leading to fatal consequences in the behaviour of Safety-Critical Systems, and provide high reliability and dependability factors during their development. In this paper, we propose an architecture fault modeling and the safety analyses approach that will aid in identifying and eliminating the design flaws. The formal foundations of SAE Architecture Analysis & Design Language (AADL) augmented with the Error Model Annex (EMV) are discussed. The fault propagation, failure behaviour, and the composite behaviour of the design flaws/failures are considered for architecture safety analysis. The illustration of the proposed approach is validated by implementing the Speed Control Unit of Power-Boat Autopilot (PBA) system. The Error Model Annex (EMV) is guided with the pattern of consideration and inclusion of probable failure scenarios and propagation of fault conditions in the Speed Control Unit of Power-Boat Autopilot (PBA). This helps in validating the system architecture with the detection of the error event in the model and its impact in the operational environment. This also provides an insight of the certification impact that these exceptional conditions pose at various criticality levels and design assurance levels and its implications in verifying and validating the designs

Implementing Software Safety in the NASA Environment

Until recently, NASA did not consider allowing computers total control of flight systems. Human operators, via hardware, have constituted the ultimate safety control. In an attempt to reduce costs, NASA has come to rely more and more heavily on computers and software to control space missions. (For example. software is now planned to control most of the operational functions of the International Space Station.) Thus the need for systematic software safety programs has become crucial for mission success. Concurrent engineering principles dictate that safety should be designed into software up front, not tested into the software after the fact. 'Cost of Quality' studies have statistics and metrics to prove the value of building quality and safety into the development cycle. Unfortunately, most software engineers are not familiar with designing for safety, and most safety engineers are not software experts. Software written to specifications which have not been safety analyzed is a major source of computer related accidents. Safer software is achieved step by step throughout the system and software life cycle. It is a process that includes requirements definition, hazard analyses, formal software inspections, safety analyses, testing, and maintenance. The greatest emphasis is placed on clearly and completely defining system and software requirements, including safety and reliability requirements. Unfortunately, development and review of requirements are the weakest link in the process. While some of the more academic methods, e.g. mathematical models, may help bring about safer software, this paper proposes the use of currently approved software methodologies, and sound software and assurance practices to show how, to a large degree, safety can be designed into software from the start. NASA's approach today is to first conduct a preliminary system hazard analysis (PHA) during the concept and planning phase of a project. This determines the overall hazard potential of the system to be built. Shortly thereafter, as the system requirements are being defined, the second iteration of hazard analyses takes place, the systems hazard analysis (SHA). During the systems requirements phase, decisions are made as to what functions of the system will be the responsibility of software. This is the most critical time to affect the safety of the software. From this point, software safety analyses as well as software engineering practices are the main focus for assuring safe software. While many of the steps proposed in this paper seem like just sound engineering practices, they are the best technical and most cost effective means to assure safe software within a safe system

Formal verification of automotive embedded UML designs

Software applications are increasingly dominating safety critical domains. Safety critical domains are domains where the failure of any application could impact human lives. Software application safety has been overlooked for quite some time but more focus and attention is currently directed to this area due to the exponential growth of software embedded applications. Software systems have continuously faced challenges in managing complexity associated with functional growth, flexibility of systems so that they can be easily modified, scalability of solutions across several product lines, quality and reliability of systems, and finally the ability to detect defects early in design phases. AUTOSAR was established to develop open standards to address these challenges. ISO-26262, automotive functional safety standard, aims to ensure functional safety of automotive systems by providing requirements and processes to govern software lifecycle to ensure safety. Each functional system needs to be classified in terms of safety goals, risks and Automotive Safety Integrity Level (ASIL: A, B, C and D) with ASIL D denoting the most stringent safety level. As risk of the system increases, ASIL level increases and the standard mandates more stringent methods to ensure safety. ISO-26262 mandates that ASILs C and D classified systems utilize walkthrough, semi-formal verification, inspection, control flow analysis, data flow analysis, static code analysis and semantic code analysis techniques to verify software unit design and implementation. Ensuring software specification compliance via formal methods has remained an academic endeavor for quite some time. Several factors discourage formal methods adoption in the industry. One major factor is the complexity of using formal methods. Software specification compliance in automotive remains in the bulk heavily dependent on traceability matrix, human based reviews, and testing activities conducted on either actual production software level or simulation level. ISO26262 automotive safety standard recommends, although not strongly, using formal notations in automotive systems that exhibit high risk in case of failure yet the industry still heavily relies on semi-formal notations such as UML. The use of semi-formal notations makes specification compliance still heavily dependent on manual processes and testing efforts. In this research, we propose a framework where UML finite state machines are compiled into formal notations, specification requirements are mapped into formal model theorems and SAT/SMT solvers are utilized to validate implementation compliance to specification. The framework will allow semi-formal verification of AUTOSAR UML designs via an automated formal framework backbone. This semi-formal verification framework will allow automotive software to comply with ISO-26262 ASIL C and D unit design and implementation formal verification guideline. Semi-formal UML finite state machines are automatically compiled into formal notations based on Symbolic Analysis Laboratory formal notation. Requirements are captured in the UML design and compiled automatically into theorems. Model Checkers are run against the compiled formal model and theorems to detect counterexamples that violate the requirements in the UML model. Semi-formal verification of the design allows us to uncover issues that were previously detected in testing and production stages. The methodology is applied on several automotive systems to show how the framework automates the verification of UML based designs, the de-facto standard for automotive systems design, based on an implicit formal methodology while hiding the cons that discouraged the industry from using it. Additionally, the framework automates ISO-26262 system design verification guideline which would otherwise be verified via human error prone approaches

Evaluation of effectiveness of fault-tolerant techniques in a digital instrumentation and control system with a fault injection experiment

Recently, instrumentation and control (I&C) systems in nuclear power plants have undergone digitalization. Owing to the unique characteristics of digital I&C systems, the reliability analysis of digital systems has become an important element of probabilistic safety assessment (PSA). In a reliability analysis of digital systems, fault-tolerant techniques and their effectiveness must be considered. A fault injection experiment was performed on a safety-critical digital I&C system developed for nuclear power plants to evaluate the effectiveness of fault-tolerant techniques implemented in the target system. A software-implemented fault injection in which faults were injected into the memory area was used based on the assumption that all faults in the target system will be reflected in the faults in the memory. To reduce the number of required fault injection experiments, the memory assigned to the target software was analyzed. In addition, to observe the effect of the fault detection coverage of fault-tolerant techniques, a PSA model was developed. The analysis of the experimental result also can be used to identify weak points of fault-tolerant techniques for capability improvement of fault-tolerant techniques

Reliability and Safety Modeling of a Digital Feed-Water Control System

 إن الكثير من الأجهزة الرقمية وأنظمة التحكم المضمنة في معدات الرعاية الصحية الطبية الحيوية، وأجهزة الطيران، والصناعات النووية لها نتائج واضحة لأنماط الفشل المختلفة. يمكن أن تؤثر حالات الفشل هذه على سلوك النظام الرقمي الشامل للسلامة وقدرته على تقديم سمات الموثوقية الخاصة به إذا لم يتم الكشف عن أي منطقة معيبة يمكن أن تكون مكونًا من مكونات الأجهزة أو رمز البرنامج المضمّن داخل النظام الرقمي وإصلاحه بشكل مناسب. يمكن تحقيق تحليل السلامة والموثوقية للأنظمة الهامة للسلامة باستخدام تقنيات نمذجة ماركوف التي يمكن أن تعبر عن السلوك الديناميكي والتجديدي لنظام التحكم الرقمي. تمثل حالات معينة في النظام فشل النظام، بينما تمثل حالات أخرى سلوكًا خاليًا من الأخطاء أو عملية صحيحة في وجود أخطاء. تقدم هذه الورقة تطوير نمذجة السلامة والموثوقية لنظام التحكم الرقمي في مياه التغذية باستخدام نماذج السلسلة القائمة على ماركوف. تم افتراض جميع حالات ماركوف والتحولات بين هذه الحالات وحسابها من منطق التحكم لنظام التحكم الرقمي. أخيرًا ، استنادًا إلى نتائج المحاكاة لنمذجة نظام التحكم الرقمي في مياه التغذية ، فإن النظام يلبي متطلبات الموثوقية الخاصة به مع احتمال أن يكون في حالة التشغيل الكامل هو 0.99 على مدار 6 أشهر.Much digital instrumentation and control systems embedded in the critical medical healthcare equipment, aerospace devices, and nuclear industry have obvious consequence of different failure modes. These failures can affect the behavior of the overall safety-critical digital system and its ability to deliver its dependability attributes if any defected area that could be a hardware component or software code embedded inside the digital system is not detected and repaired appropriately. The safety and reliability analysis of safety-critical systems can be accomplished with Markov modeling techniques which could express the dynamic and regenerative behavior of the digital control system. Certain states in the system represent system failure, while others represent fault free behavior or correct operation in the presence of faults. This paper presents the development of a safety and reliability modeling of a digital feedwater control system using Markov-based chain models. All the Markov states and the transitions between these states were assumed and calculated from the control logic for the digital control system. Finally, based on the simulation results of modeling the digital feedwater control system, the system does meet its reliability requirement with the probability of being in fully operational states is 0.99 over a 6 months’ time. &nbsp

Software quality and reliability prediction using Dempster -Shafer theory

As software systems are increasingly deployed in mission critical applications, accurate quality and reliability predictions are becoming a necessity. Most accurate prediction models require extensive testing effort, implying increased cost and slowing down the development life cycle. We developed two novel statistical models based on Dempster-Shafer theory, which provide accurate predictions from relatively small data sets of direct and indirect software reliability and quality predictors. The models are flexible enough to incorporate information generated throughout the development life-cycle to improve the prediction accuracy.;Our first contribution is an original algorithm for building Dempster-Shafer Belief Networks using prediction logic. This model has been applied to software quality prediction. We demonstrated that the prediction accuracy of Dempster-Shafer Belief Networks is higher than that achieved by logistic regression, discriminant analysis, random forests, as well as the algorithms in two machine learning software packages, See5 and WEKA. The difference in the performance of the Dempster-Shafer Belief Networks over the other methods is statistically significant.;Our second contribution is also based on a practical extension of Dempster-Shafer theory. The major limitation of the Dempsters rule and other known rules of evidence combination is the inability to handle information coming from correlated sources. Motivated by inherently high correlations between early life-cycle predictors of software reliability, we extended Murphy\u27s rule of combination to account for these correlations. When used as a part of the methodology that fuses various software reliability prediction systems, this rule provided more accurate predictions than previously reported methods. In addition, we proposed an algorithm, which defines the upper and lower bounds of the belief function of the combination results. To demonstrate its generality, we successfully applied it in the design of the Online Safety Monitor, which fuses multiple correlated time varying estimations of convergence of neural network learning in an intelligent flight control system