Safety-Critical Medical Actuators - Socci

7/28/2019 Safety-Critical Medical Actuators - Socci

1/73

: 2 0 0 9 O n T a r g e t T e c h n o l o g y D e v e l o p m e n t 1

Health-Tech SymposiumWelch Allyn Lodge, Skaneateles, NY April 23, 2009

Vince Socci, Chief EngineerOn Target Technology [email protected] (607) 755-4980

Actuator Control Designfor Safety-Critical

Medical Applications

Actuator Control Designfor Safety-Critical

Medical Applications

A b s t r a c t

A b s t r a c t A b s t r a c t

A b s t r a c t - D e s i g n e r s o f s a f e t y - c r i t i c a l m e d i c a l a c t u a t o r c o n t r o l a p p l i c a t i o n s f a c e r i g o r o u s

r e q u i r e m e n t s a n d s t a n d a r d s t o a s s e s s s a f e t y r e q u i r e m e n t s , d e v e l o p s y s t e m a r c h i t e c t u r e s ,

a n d d e s i g n c o m p o n e n t h a r d w a r e a n d s o f t w a r e . T h i s p a p e r d e m o n s t r a t e s i n t e g r a t e d

t e c h n i q u e s o f s a f e t y - c r i t i c a l d e v e l o p m e n t w i t h e x a m p l e s f r o m v a r i o u s a c t u a t o r a p p l i c a t i o n s .

S t r a t e g i e s f o r s a f e t y a n a l y s i s , e n g i n e e r i n g d e s i g n a n d a p p l i c a t i o n o f l i f e c y c l e g u i d e l i n e s a r e

d i s c u s s e d . M e t h o d s o f d e v e l o p i n g a c t u a t o r c o n t r o l s w i t h r o b u s t f a u l t t o l e r a n c e a n d

t e s t a b i l i t y a r e h i g h l i g h t e d . T h e s e c r e t s o f e f f e c t i v e s a f e t y - c r i t i c a l d e v e l o p m e n t a r e r e v e a l e d .


2/73

2 0 0 9 O n T a r g e t T e c h n o l o g y D e v e l o p m e n t P a g e 2

Stupid is as stupid does. -- Forrest Gump

E v e n t u a l l y , e v e r y o n e s c r e w s u p a n d e v e r y t h i n g b r e a k s .

I f y o u r w o r l d i s v o i d o f f a i l u r e s , y o u d o n I f y o u r w o r l d i s v o i d o f f a i l u r e s , y o u d o n I f y o u r w o r l d i s v o i d o f f a i l u r e s , y o u d o n I f y o u r w o r l d i s v o i d o f f a i l u r e s , y o u d o n t n e e d t o b e h e r e . t n e e d t o b e h e r e . t n e e d t o b e h e r e . t n e e d t o b e h e r e .

B u t i f s a f e t y

B u t i f s a f e t y B u t i f s a f e t y

B u t i f s a f e t y -

--

- r e l a t e d f a i l u r e s w o r r y y o u , s t i c k a r o u n d .

r e l a t e d f a i l u r e s w o r r y y o u , s t i c k a r o u n d . r e l a t e d f a i l u r e s w o r r y y o u , s t i c k a r o u n d .

r e l a t e d f a i l u r e s w o r r y y o u , s t i c k a r o u n d .


3/73


Ready for the Ride?

Roadmap

Problem: Rigorous industry standards to assesssafety requirements, develop system architectures,and design component hardware and software.

Integrated techniques of safety-critical development Strategies for engineering design and application Methods of robust fault tolerance and testability Effective safety-critical development tips

Your Guide

Vince Socci BS EE, MS EE, MBA TM Principal, On Target Technology Cross-disciplined systems, hardware, software

engineering Electronics design and embedded controls

S p e a k e r B a c k g r o u n d V P S , O T T D , w e d o P D & M , R & D T S ,

V i n c e n t S o c c i i s a c r o s s - d i s c i p l i n e d s y s t e m s , h a r d w a r e a n d s o f t w a r e e n g i n e e r . H i s

t e c h n o l o g y e x p e r t i s e i n c l u d e s e m b e d d e d s y s t e m s , s e n s o r s a n d s i g n a l p r o c e s s i n g , p o w e r

c o n t r o l s y s t e m s , a n d d i a g n o s t i c s . S o c c i h a s 2 0 y e a r s o f e x p e r i e n c e i n s a f e t y - c r i t i c a l

s y s t e m s d e v e l o p m e n t . H e h o l d s a n M B A i n t e c h n o l o g y m a n a g e m e n t , a n d M S a n d B S

d e g r e e s i n e l e c t r i c a l e n g i n e e r i n g . A s P r i n c i p a l o f O n T a r g e t T e c h n o l o g y D e v e l o p m e n t ,

S o c c i s u p p o r t s c l i e n t s w i t h e l e c t r o n i c s d e s i g n a n d e m b e d d e d c o n t r o l s d e v e l o p m e n t . H e h a s

a p p l i e d t h e s a f e t y - c r i t i c a l d e s i g n c o n c e p t s p r e s e n t e d i n t h i s p a p e r i n m e d i c a l , a e r o s p a c e ,

a u t o m o t i v e , l o c o m o t i v e , a n d i n d u s t r i a l a p p l i c a t i o n s .


4/73


Agenda

Fundamentals of Safety-Critical Systems

Actuator Control Design from a Systems Perspective

Industry Specifications and Standards

Development Strategies

Example Cases

Conclusions

Questions and Answers


5/73


Industrial Trends in Safety-Critical Systems

Medical

Growing focus on safety development standards Sensitive to failure, development cost/time,

marketability, global competition

Aerospace Long history of fly-by-wire and other x-by-wire

actuator control systems Long development, low volume, expensive safety-

critical applications.

Automotive Emerging x-by-wire needs Short development, high volume, cost-efficient safety-

critical applications. Demand for fault tolerance, speed-to-market & low cost.


6/73


Fundamental Concepts ofSafety-Critical Systems

Fundamental Concepts ofSafety-Critical Systems


7/73


Fundamental Concepts of Safety-CriticalSystems

Scenario:

Imagine sitting comfortably on an airplane, enjoying a newissue of your favorite magazine. All of a sudden, as youfly over the Equator, the plane does a fast 180-degreeroll, and you find yourself in an inverted flight. The pilotannounces over the loudspeaker Hmmm that doesntseem right. Are there any systems engineers onboard?

T h e s o f t w a r e d e v e l o p m e n t f o r t h e F - 1 6 f i g h t e r p l a n e

e x p e r i e n c e d t h i s e x a c t f a i l u r e m o d e d u r i n g s i m u l a t i o n

f l i g h t t e s t i n g . I t w a s r e s o l v e d i n t h e f i e l d e d d e s i g n .

I f t h i s f a i l u r e o c c u r r e d i n r e a l

I f t h i s f a i l u r e o c c u r r e d i n r e a lI f t h i s f a i l u r e o c c u r r e d i n r e a l

I f t h i s f a i l u r e o c c u r r e d i n r e a l -

--

- l i f e ,

l i f e , l i f e ,

l i f e ,

t h e a i r c r a f t a n d p i l o t w o u l d b e l o s t .

t h e a i r c r a f t a n d p i l o t w o u l d b e l o s t . t h e a i r c r a f t a n d p i l o t w o u l d b e l o s t .

t h e a i r c r a f t a n d p i l o t w o u l d b e l o s t .

S o u n d f a r f e t c h e d ?


8/73


Other F-16 Simulation Failures

When the computer was commanded to raise the

landing gear while the aircraft was standing still on therunway, the computer complied and turfed the aircraft.

The aircraft system also complied with commands tojettison missiles, bombs, fuel tanks, etc. while the planewas upside-down, resulting in them falling on anddamaging the wings.

When the F-16 went into a spin, the software did notgive the pilot enough control authority to recover. Thepilot had to eject.

F a i l u r e s l i k e t h i s p u t l i v e s a n d p r o p e r t y a t r i s k .

W e c a n W e c a n W e c a n W e c a n

t l e t t h e m h a p p e n

t l e t t h e m h a p p e n t l e t t h e m h a p p e n t l e t t h e m h a p p e n

p e r i o d .

p e r i o d . p e r i o d . p e r i o d .


9/73


Safety-related vs. Safety-Critical

Safety-related systems those in which a failure during operation

can have serious or irreversible effects such as loss of life or limb,severe property damage or financial losses. (e.g. insulin pump)

Safety-critical systems safety-related systems that present a

direct threat to human life. They can include aircraft controlsystems, medical instrumentation, railway signaling, nuclear reactor

control systems and many other applications.

Safety-critical systems include all of the components that worktogether to achieve the safety-critical mission.

These may include input sensors, digital data devices, hardware,peripherals, drivers, actuators, the controlling software, and

other interfaces. Their development requires rigorous analysis and

comprehensive design and test.


10/73

2 0 0 9 O n T a r g e t T e c h n o l o g y D e v e l o p m e n t P a g e 1 0

Managing Design / Controlling Operation

Failures occur in development and operation.

Failures in development can be mitigated, but failures inoperation are unavoidable. Stuff breaks!

Effects of these hardware failures must be predictable(i.e. deterministic) and not catastrophic.

Design to consistently maintain and control the safety ofthe system when failures occur.

Robust Design + Controlled Operation = Safe Mission

Safe actuator control is guaranteed only through robustdesign (error-free) and robust operation (fault-tolerant).

S a f e t y - r e l a t e d f a i l u r e s c a n o c c u r i n d e v e l o p m e n t o r i n o p e r a t i o n . T h e d e s i g n m a y b e w e a k

o r n o t r o b u s t e n o u g h f o r t h e o p e r a t i n g e n v i r o n m e n t . D e s i g n s t a n d a r d s a n d p r a c t i c e s ,

i n c l u d i n g r i g o r o u s r e q u i r e m e n t s m a n a g e m e n t , e n g i n e e r i n g a n a l y s e s , d e s i g n r e v i e w s a n d

t e s t i n g c a n s u p p o r t v a l i d a t i o n o f t h e d e s i g n .

F a i l u r e s i n o p e r a t i o n a r e u n a v o i d a b l e . S t u f f b r e a k s ! W h e t h e r i t s a w i r e i n a h a r n e s s o r a

w o r n - o u t r e l a y h a r d w a r e w i l l e v e n t u a l l y f a i l . S a f e t y - c r i t i c a l s y s t e m s a r e d e s i g n e d s u c h

t h a t t h e e f f e c t s o f t h e s e h a r d w a r e f a i l u r e s a r e p r e d i c t a b l e ( i . e . d e t e r m i n i s t i c ) a n d n o t

c a t a s t r o p h i c . A r c h i t e c t u r e s a r e d e s i g n e d t o c o n s i s t e n t l y m a i n t a i n a n d c o n t r o l t h e s a f e t y o f

t h e s y s t e m w h e n f a i l u r e s o c c u r .

R o b u s t D e s i g n + C o n t r o l l e d O p e r a t i o n = S a f e M i s s i o n

R o b u s t D e s i g n + C o n t r o l l e d O p e r a t i o n = S a f e M i s s i o n R o b u s t D e s i g n + C o n t r o l l e d O p e r a t i o n = S a f e M i s s i o n

R o b u s t D e s i g n + C o n t r o l l e d O p e r a t i o n = S a f e M i s s i o n

R e m e m b e r t h a t s a f e a c t u a t o r c o n t r o l i s g u a r a n t e e d o n l y t h r o u g h r o b u s t d e s i g n a n d r o b u s t

o p e r a t i o n . D e s i g n r o b u s t n e s s i s a c h i e v e d t h r o u g h r o b u s t p r o c e s s e s a n d e n g i n e e r i n g

d e s i g n p r a c t i c e s . C o n t r o l l e d o p e r a t i o n i s a c h i e v e d b y t h o r o u g h m o n i t o r i n g , f a u l t d e t e c t i o n

a n d m i t i g a t i o n s t r a t e g i e s .


11/73


Safety-Critical Medical Actuator Examples

Hospital beds

Ambulatory scooters

Patient lifts

Pumps and valves for drug delivery

X-ray controllers

Massage therapy

Prosthetics

Laparoscopic tools

Etc.

M o n i t o r s a r e p a s s i v e ,

M o n i t o r s a r e p a s s i v e , M o n i t o r s a r e p a s s i v e ,

M o n i t o r s a r e p a s s i v e ,

b u t a c t u a t o r s a r e a c t i v e .

b u t a c t u a t o r s a r e a c t i v e . b u t a c t u a t o r s a r e a c t i v e .

b u t a c t u a t o r s a r e a c t i v e .


12/73


Actuator Control Designfrom a Systems Perspective

Actuator Control Designfrom a Systems Perspective


13/73


Actuator Control System Block Diagram

An operator uses the control interface to stimulate the control system.

Control algorithms drive an output to the actuator, which moves the mechanical interface.

A feedback response of the mechanical interface is collected through feedback sensors.

Signal conditioning is applied to inputs and outputs to convert raw signals to usable forms.

Power

Source

Sensor

Outputs

Input

Signal

Conditioning

Control

Algorithms

Output

Signal

ConditioningActuator

Mechanical

Interface

Control

Interface

Control

Stimulus

Controller

Command

Output

Command

Driver

Output

Control

Feedback

Mechanical

Response

Actuation

Force

Actuation

Energy

T h i s p a p e r f o c u s e s o n a c t u a t o r c o n t r o l s y s t e m s b e c a u s e t h e s e a p p l i c a t i o n s p r o v i d e a

r e l e v a n t m i x t u r e o f h a r d w a r e a n d s o f t w a r e f u n c t i o n s t h a t i n t e g r a t e t h e b r o a d r e q u i r e m e n t s

o f s a f e t y - c r i t i c a l s y s t e m s . C o n s i d e r t h e f o l l o w i n g s y s t e m b l o c k d i a g r a m o f a n a c t u a t o r

c o n t r o l s y s t e m .

M o s t o f t h e s e c o n t r o l s y s t e m f u n c t i o n a l b l o c k s a r e h a r d w a r e f u n c t i o n s , i m p l e m e n t e d b y

s o m e m e c h a n i c a l o r e l e c t r i c a l c o m p o n e n t s . T h e c o n t r o l a l g o r i t h m s a r e t y p i c a l l y s o f t w a r e

f u n c t i o n s , i m p l e m e n t e d b y a c o m p u t i n g p r o g r a m i n s t a l l e d t o a n d o p e r a t i n g o n a p r o c e s s i n g

d e v i c e . S i g n a l c o n d i t i o n i n g c a n o c c u r i n b o t h h a r d w a r e a n d s o f t w a r e .


14/73


Built-In-Test (BIT)

Built-in-test (BIT) validates interfaces and control

variables.

Verify integrity of system before, during and after use.

BIT analysis is part of the design process of a safety-critical system. Considers potential failures throughout the systems Verifies that these failures will be detected and

mitigated by the BIT functions. Ex. If a power source is lost, BIT should detect the

failure and respond by ensuring that the systemresponds in a safe manner.

C o n t r o l l e r s g e n e r a l l y u s e s o m e f o r m o f b u i l t - i n - t e s t ( B I T ) t o v a l i d a t e i n t e r f a c e s a n d c o n t r o l

v a r i a b l e s . B I T i s d e s i g n e d t o d e t e c t f a i l u r e s i n a n y o f t h e s y s t e m e l e m e n t s . B I T i s t h e

p r i m a r y m e a n s t o v e r i f y t h e i n t e g r i t y a n d o p e r a t i o n o f s y s t e m a n d h a r d w a r e c o m p o n e n t s

b e f o r e , d u r i n g a n d a f t e r t h e m i s s i o n .

S y s t e m s e n g i n e e r s t y p i c a l l y p e r f o r m a B I T a n a l y s i s a s p a r t o f t h e d e s i g n p r o c e s s o f a

s a f e t y - c r i t i c a l s y s t e m . T h i s B I T a n a l y s i s c o n s i d e r s p o t e n t i a l f a i l u r e s t h r o u g h o u t t h e s y s t e m s

a n d v e r i f i e s t h a t t h e s e f a i l u r e s w i l l b e d e t e c t e d a n d m i t i g a t e d b y t h e B I T f u n c t i o n s . F o r

i n s t a n c e , i f t h e p o w e r s o u r c e o f F i g u r e 2 f a i l s ( e . g . l o s s o f p o w e r ) , B I T s h o u l d d e t e c t t h e

f a i l u r e a n d r e s p o n d b y e n s u r i n g t h a t t h e s y s t e m r e s p o n d s i n a s a f e m a n n e r .


15/73


BIT Software vs. Hardware

Safety-critical systems are becoming more complex.

Role of software is becoming more dominant for bothcontrol and monitoring.

BIT can be implemented in hardware or software form.

Software implementation of BIT functionality is preferred.

Hardware is subject to failure, resulting in false positiveor false negative failure detection.

Hardware that implements BIT functions should notreduce reliability or system safety.

A s s a f e t y - c r i t i c a l s y s t e m s a r e b e c o m i n g m o r e c o m p l e x a n d c o m p u t e r - c o n t r o l l e d , t h e r o l e o f

s o f t w a r e i s b e c o m i n g m o r e d o m i n a n t f o r b o t h c o n t r o l a n d m o n i t o r i n g . B I T f u n c t i o n a l i t y c a n

b e i m p l e m e n t e d i n h a r d w a r e o r s o f t w a r e f o r m . S o f t w a r e i m p l e m e n t a t i o n o f B I T f u n c t i o n a l i t y

i s p r e f e r r e d . H a r d w a r e t h a t i m p l e m e n t s B I T f u n c t i o n a l i t y c a n i t s e l f b e s u b j e c t t o f a i l u r e ,

r e s u l t i n g i n f a l s e p o s i t i v e o r f a l s e n e g a t i v e f a i l u r e d e t e c t i o n . E n g i n e e r i n g d e s i g n p r a c t i c e s

s u g g e s t t h a t h a r d w a r e t h a t i m p l e m e n t s B I T f u n c t i o n s s h o u l d n o t r e d u c e r e l i a b i l i t y o r s y s t e m

s a f e t y .


16/73


Controller Implementation of a SimpleActuator Control System

Controller Software (and Core Hardware)

Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test

Data Communication and Management

Real-Time Operating System

Actuator

Controller Hardware

Peripheral

Hardware

N o w l e t s c o n s i d e r a s i m p l e a c t u a t o r s y s t e m f r o m t h e p e r s p e c t i v e o f c o n t r o l l e r

i m p l e m e n t a t i o n . T h i s f i g u r e p r o v i d e s a g e n e r a l b l o c k d i a g r a m o f c o n t r o l l e r i m p l e m e n t a t i o n .

T h e a r r o w s r e p r e s e n t a s i m p l i f i e d f u n c t i o n a l f l o w f o r t h e a c t u a t o r . A c t u a l d a t a f l o w c a n b e

m u c h m o r e c o m p l e x . R e f e r t o t h e f i g u r e f o r t h e f o l l o w i n g d i s c u s s i o n .


17/73


External Interfaces

The following interfaces are

external to the controllerhardware: Actuator

Input interfaces Feedback interfaces.

Near controller or far away

Connected through wireharnesses, or wireless

Susceptible to hardware failures


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware


18/73


Controller Hardware

Includes: I/O signal conditioning peripheral interfaces core processing platform.

Signal conditioning: Converts the input signals for

the core processor Translates processor outputs

into driver signals for theactuator.

Peripheral hardware may includewatchdog monitors, protectivedevices etc.

Processing platform includes theprocessor, memory, and any

other devices needed to supportprocessing operation.


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

T h e c o n t r o l l e r h a r d w a r e p r o v i d e s I / O s i g n a l c o n d i t i o n i n g , p e r i p h e r a l i n t e r f a c e s a n d a c o r e

p r o c e s s i n g p l a t f o r m . S i g n a l c o n d i t i o n i n g c o n v e r t s t h e i n p u t s i g n a l s i n t o f o r m s t h a t c a n b e

i n t e r p r e t e d b y t h e c o r e p r o c e s s o r , a n d t r a n s l a t e s p r o c e s s o r o u t p u t s i n t o d r i v e r s i g n a l s f o r

t h e a c t u a t o r . T h e s e d r i v e r s i g n a l s m a y b e h i g h c u r r e n t s i g n a l s t h a t d i r e c t l y d r i v e t h e

a c t u a t o r o r t h e y c a n p r o v i d e i n d i r e c t c o n t r o l o f a n e x t e r n a l p o w e r s o u r c e , a s s h o w n i n

F i g u r e 2 . P e r i p h e r a l h a r d w a r e m a y i n c l u d e w a t c h d o g m o n i t o r s , d a t a c o m m u n i c a t i o n

d e v i c e s , p o w e r c o n v e r t e r s , p r o t e c t i v e d e v i c e s a n d f i l t e r s , c o n f i g u r a t i o n h a r d w a r e a n d o t h e r

p e r i p h e r a l h a r d w a r e . T h e c o r e p r o c e s s i n g p l a t f o r m i n c l u d e s t h e p r o c e s s o r , m e m o r y , a n d

a n y o t h e r d e v i c e s n e e d e d t o s u p p o r t p r o c e s s i n g o p e r a t i o n .


19/73


Controller RTOS

Real-time Operating Systems

perform: executive management task scheduling

other operating utilities

Examples:

Ad-hoc operating system Commercial off-the-shelf

RTOS:

Integrity, VxWorks, LynxOS Must be certifiable to the

safety criticality level of theapplication.


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

C o n t r o l l e r s o f t w a r e , w h i c h r e s i d e s a n d o p e r a t e s o n t h e c o r e h a r d w a r e , h a s a r e a l - t i m e

o p e r a t i n g s y s t e m ( R T O S ) t h a t p e r f o r m s a l l e x e c u t i v e m a n a g e m e n t a n d t a s k s c h e d u l i n g , a s

w e l l a s o t h e r o p e r a t i n g u t i l i t i e s . T h i s m a y b e a n a d - h o c o p e r a t i n g s y s t e m , o r i t c a n b e a

c o m m e r c i a l o f f - t h e - s h e l f R T O S , s u c h a s V x W o r k s , C s L E O S o r I n t e g r i t y , t h a t i s c e r t i f i a b l e t o

t h e s a f e t y c r i t i c a l i t y l e v e l o f t h e a p p l i c a t i o n .


20/732


Input/Output Signal Processing

Input signal processing

Read raw data from inputhardware

Massage into usable form

Software filters Discrete debouncing Range detection.

Output signal processing

Create physical signals to

drive to hardware. Timing or filtering of output

drivers


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

I n p u t s i g n a l p r o c e s s i n g s o f t w a r e r e a d s r a w d a t a i n p u t s f r o m t h e h a r d w a r e a n d m a s s a g e s

t h e m i n t o u s a b l e f o r m f o r t h e s o f t w a r e a l g o r i t h m s . T h i s m a s s a g i n g i n c l u d e s s o f t w a r e f i l t e r s

( e . g . l a g a n d l e a d f i l t e r s ) , d i s c r e t e d e b o u n c i n g , a n d r a n g e d e t e c t i o n . O u t p u t s i g n a l

p r o c e s s i n g c o n v e r t s t h e r e s u l t s o f t h e c o n t r o l a l g o r i t h m s i n t o p h y s i c a l s i g n a l s t o d r i v e t o

h a r d w a r e .


21/732


Control Algorithm Processing

Provides the heart of the actuator

control functionality.

Control data and variables areread and processed todeterministicallydrive the real-time response of the actuator.

Critical real-time and frequency-

dependent algorithms


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

C o n t r o l a l g o r i t h m s p r o v i d e t h e h e a r t o f t h e a c t u a t o r c o n t r o l f u n c t i o n a l i t y . T h i s i s w h e r e t h e

p l a n t m o d e l s , c o n t r o l l o o p s a n d d e c i s i o n s a r e p r o c e s s e d . C o n t r o l d a t a a n d v a r i a b l e s a r e

r e a d a n d r e a l - t i m e a l g o r i t h m s a r e p r o c e s s e d t o d e t e r m i n i s t i c a l l y d r i v e t h e a p p r o p r i a t e r e a l -

t i m e r e s p o n s e o f t h e a c t u a t o r .


22/732


Data Communications and Management

Manipulate the data associated

with the inputs and outputs

Provides any processingassociated with redundancy orcross-channel communication.

Multichannel Datasets

(copies) Data synchronization

Self and cross-channel BIT.

Amount of data that must bemanaged can become huge andcoordination can becomecomplex.


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

T h e d a t a c o m m u n i c a t i o n a n d m a n a g e m e n t f u n c t i o n s m a n i p u l a t e t h e d a t a a s s o c i a t e d w i t h

t h e i n p u t s a n d o u t p u t s , i n c l u d i n g d i g i t a l c o m m u n i c a t i o n t o e x t e r n a l c o m p o n e n t s . T h e s e

f u n c t i o n s a l s o p r o v i d e a n y p r o c e s s i n g a s s o c i a t e d w i t h r e d u n d a n c y o r c r o s s - c h a n n e l

c o m m u n i c a t i o n . F o r e x a m p l e , a q u a d - r e d u n d a n t a c t u a t o r s y s t e m w o u l d h a v e a c o m p l e t e

s e t o f d a t a f o r e a c h o f t h e f o u r c h a n n e l s . S o m e l e v e l o f d a t a s y n c h r o n i z a t i o n i s n e e d e d t o

m a i n t a i n c o o r d i n a t e d c o n t r o l o f t h e f o u r c h a n n e l s . E a c h c h a n n e l m a y p e r f o r m B I T o n i t s e l f

a n d o n e o r m o r e o f t h e o t h e r c h a n n e l s . D e p e n d i n g o n t h e i n t r i c a c y o f d a t a c o m m u n i c a t i o n ,

t h e a m o u n t o f d a t a t h a t m u s t b e m a n a g e d c a n b e c o m e h u g e a n d c o o r d i n a t i o n c a n b e c o m e

c o m p l e x .


23/732


Built-In-Test

BIT functions detect faults and

isolate them to individualcomponents or small groups.

Detection Test during operationand compare results to expectedvalues.

Isolation Determine if the fault

occurred inside the controller orexternal interfaces.

Test all faults that have an effecton the safe operation of themission.


Input

Interfaces

Input

Signal

Conditioning

Input

Signal

Processing

Output

Signal

Processing

Output

Signal

Conditioning

Feedback

Interfaces

Control

Algorithm

Processing

Built-In

Test



Actuator

Controller Hardware

Peripheral

Hardware

A c t u a t o r c o n t r o l s i n c l u d e B I T f u n c t i o n s t o d e t e c t f a u l t s a n d i s o l a t e t h e m t o i n d i v i d u a l

c o m p o n e n t s o r s m a l l g r o u p s o f t h e m . F a i l u r e d e t e c t i o n i s u s u a l l y a c c o m p l i s h e d b y

c o n d u c t i n g a s e r i e s o f t e s t s d u r i n g o p e r a t i o n a n d c o m p a r i n g r e s u l t s t o e x p e c t e d v a l u e s .

I s o l a t i o n l o g i c d e t e r m i n e s i f t h e f a u l t o c c u r r e d i n s i d e t h e c o n t r o l l e r o r w a s t h e r e s u l t o f

e x t e r n a l i n t e r f a c e s . T h e d e s i g n e r s g o a l i s t o t e s t a n y p o t e n t i a l f a u l t t h a t h a s a n e f f e c t o n

t h e s a f e o p e r a t i o n o f t h e m i s s i o n i n t h e a p p r o p r i a t e m o d e o f B I T .


24/732


BIT Modes

BIT can be categorizedinto the following modes: Power-up BIT (PBIT) Continuous BIT (CBIT) Initiated BIT (IBIT)

Each safety-critical fault istested in one or more ofthese BIT modes

Each BIT mode mayperform a subset (orsuperset) of another BITmode

Fault thresholds,persistence limits andscheduling of individualBIT are coordinated to

reject false failureindications.

CBIT

PBIT IBIT

CommonBIT

N e s t e d a c r o n y m s


25/732


Power-up BIT (PBIT)

Also known as Start-up BIT

Executes on application of power Rapid check of ability to operate

Examples Core processing failure the

mission can be halted beforeoperator safety is jeopardized

Actuator feedback interfacefailure the actuator may notbe controllable, and themission would be aborted

Scope of PBIT testing dependson application power uprequirements.

Designers must trade-off PBITtest coverage with PBIT timingconstraints.

CBIT

PBIT IBIT

Sample PBIT Tests: Processor diagnostics Memory Configuration Watchdog timeout Power supply voltage Interrupts Critical I/O


26/732


Continuous BIT (CBIT)

Also known as Periodic BIT

Provides continuous monitoringof all system components.

Minimizes failure exposure time.

Example: Current feedback on a

drug pump actuator detects if theflow is obstructed duringoperation.

CBIT completion time must beconsidered when the maximumfailure exposure time (themaximum time between when afault occurs and when the fault is

detected and mitigated) iscritical.

CBIT

PBIT IBIT

Sample CBIT Tests: Subset of PBIT tests Control Sensors Control Discretes Feedback Sensors Feedback Discretes Dynamic responsiveness Data communication validation

Actuator current monitors


27/732


Initiated BIT (IBIT)

Also known as Maintenance BIT,

or other alternative names.

Extensive set of tests, initiated bythe operator, which occurs whenthe system is in a stable, knownenvironment.

The environment must be

controlled because control of theactuator is given to the BITfunctions rather than the normalcontrol algorithms.

Example: range test on anactuator

IBIT completion time is typicallylong because it performscomprehensive, full-range tests

CBIT

PBIT IBIT

Sample IBIT Tests: Superset of PBIT and CBIT tests Power system tests Dynamic actuator tests Mechanical range tests Initiated failure tests

S u p p o s e a n a c t u a t o r m o v e s a s w i n g - a r m f r o m 0 t o 1 8 0 . T h e s y s t e m c a n n o t t e s t t h e f u l l

r a n g e o f m o t i o n d u r i n g o p e r a t i o n , u n l e s s t h e a p p l i c a t i o n g u a r a n t e e s t o m o v e t h e s w i n g - a r m

o v e r i t s f u l l r a n g e o f m o t i o n d u r i n g t h e m i s s i o n . T h e o p e r a t o r c a n u s e a s p e c i a l c o n t r o l l e d

t e s t i n I B I T t o v e r i f y t h a t t h e s w i n g - a r m c a n o p e r a t e o v e r i t s f u l l r a n g e o f m o t i o n .


28/732


BIT Analysis

Leverages results of other system safety analyses,

including: Preliminary System Safety Assessment

Fault Tree Analysis Failure Modes and Effects Analysis

Consider failure mode, probability of failure, cause andeffect, recognition/detection scheme, isolation, systemcompensation

Will typically yield action items for design improvements.

Not a do it once checkbox Analysis is incrementaluntil requirements are satisfied.


29/732


Redundancy

Failures are mitigated by the

other operating channels,perhaps with a degraded levelof performance.

The effects of failures in non-redundant components, such

as the control interface andpower source, cannot bealleviated.

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

R e d u n d a n c y i s a c o m m o n d e s i g n p r a c t i c e t h a t i s o f t e n u s e d t o m a i n t a i n f u n c t i o n a l i t y a f t e r a

f a i l u r e o c c u r s .

I n t h i s c a s e , f u n c t i o n a l i t y i s m a i n t a i n e d b y f o u r r e d u n d a n t o p e r a t i n g c h a n n e l s . F a i l u r e s t h a t

o c c u r i n a c o n t r o l l e r , a c t u a t o r o r m e c h a n i c a l m o n i t o r c a n b e m i t i g a t e d b y t h e o t h e r

o p e r a t i n g c h a n n e l s , p e r h a p s w i t h a d e g r a d e d l e v e l o f p e r f o r m a n c e . T h e e f f e c t s o f f a i l u r e s

i n n o n - r e d u n d a n t c o m p o n e n t s , s u c h a s t h e c o n t r o l i n t e r f a c e a n d p o w e r s o u r c e i n t h i s c a s e ,

c a n n o t b e a l l e v i a t e d .


30/733


Degradation Categories for Failure Response

Fail-Operational From an

operator perspective, the systembehaves normally. Failure is reported, but

system operation isunaffected.

System components thatremain functional typically

take over the functions of thefailed components.

Example: Dual-redundantsurgical blood flow systemstypically can meetperformance requirementswith only one channel. When

one channel fails, the systemcontinues to perform usingthe remaining channel.

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

T h e r e a r e m a n y f a i l u r e m o d e s , b u t s y s t e m d e s i g n e r s h a v e d e v e l o p e d a p p r o a c h e s t o m i t i g a t e t h e m .

V a r i o u s r e s p o n s e c a t e g o r i e s h a v e b e e n d e v e l o p e d t o d e s c r i b e m i t i g a t i o n o f t h e s e s y s t e m f a i l u r e s :

F a i l - O p e r a t i o n a l F r o m a n o p e r a t o r p e r s p e c t i v e , t h e s y s t e m b e h a v e s n o r m a l l y . T h e f a i l u r e i s

r e p o r t e d , b u t s y s t e m o p e r a t i o n i s u n a f f e c t e d . T h e s y s t e m c o m p o n e n t s t h a t r e m a i n f u n c t i o n a l

t y p i c a l l y t a k e o v e r t h e f u n c t i o n s o f t h e f a i l e d c o m p o n e n t s . E x a m p l e : Q u a d - r e d u n d a n t f l i g h t c o n t r o l

s u r f a c e a c t u a t o r s y s t e m s t y p i c a l l y c a n m e e t p e r f o r m a n c e r e q u i r e m e n t s w i t h o n l y t h r e e c h a n n e l s .

W h e n o n e c h a n n e l f a i l s , t h e s y s t e m c o n t i n u e s t o p e r f o r m u s i n g t h e r e m a i n i n g t h r e e c h a n n e l s .


31/733



Fail-Passive Outputs assume a

predetermined desirable state,such as a power disconnect tothe actuators.

Failure is reported, andoperation is reverted tobackup.

Intervention may be required,

but the system remains undercontrol in some degradedfashion.

Example: Ambulatory scooterused reduced speed modewhen battery supply is low.The vehicle will not maintain

desired performance, butrider can limp home.

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

F a i l - P a s s i v e T h e s y s t e m o u t p u t s a p r e d e t e r m i n e d d e s i r a b l e s t a t e , s u c h a s a p o w e r d i s c o n n e c t t o t h e

a c t u a t o r s . T h e f a i l u r e i s r e p o r t e d , a n d o p e r a t i o n i s t y p i c a l l y r e v e r t e d t o a b a c k u p m e c h a n i s m .

I n t e r v e n t i o n m a y b e r e q u i r e d , b u t t h e s y s t e m g e n e r a l l y r e m a i n s u n d e r c o n t r o l , a l t h o u g h u s u a l l y i n

s o m e d e g r a d e d f a s h i o n . E x a m p l e : M a n y m a r i n e a c t u a t o r c o n t r o l a p p l i c a t i o n s p r o v i d e a

m e c h a n i c a l b a c k u p t h a t i s a u t o m a t i c a l l y e n g a g e d w h e n a u t o m a t e d s y s t e m s f a i l , t h e r e b y e n a b l i n g

t h e p i l o t t o l i m p h o m e . T h e v e h i c l e m a y n o t m e e t p e r f o r m a n c e r e q u i r e m e n t s , b u t i t w i l l b e a b l e t o

t r a v e l t o a s a f e e n v i r o n m e n t .


32/733



Fail-Safe Provides a saferesponse when normal,predictable control is notpossible. Subcategory of fail-passive Actuators are not controllable

in a manner to meet theperformance specification.

System employs mechanismsto force the actuator in aknown state that maintains asafe operational state.

Example: Patient lift backupis engaged when automatedsystems fail, holding patientsafely. The lift will not meetperformance requirements,

but it will maintain a safeenvironment.

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

F a i l - S a f e T h i s a p p r o a c h i s u s e d t o p r o v i d e a s a f e r e s p o n s e w h e n n o r m a l , p r e d i c t a b l e c o n t r o l i s n o t

p o s s i b l e . I n t h i s c a t e g o r y , w h i c h i s s o m e t i m e s c o n s i d e r e d a s u b c a t e g o r y o f f a i l - p a s s i v e , t h e

a c t u a t o r s a r e n o t c o n t r o l l a b l e i n a m a n n e r t o m e e t t h e p e r f o r m a n c e s p e c i f i c a t i o n . H o w e v e r , t h e

s y s t e m e m p l o y s m e c h a n i s m s t o f o r c e t h e a c t u a t o r i n a k n o w n s t a t e t h a t m a i n t a i n s a s a f e

o p e r a t i o n a l s t a t e . E x a m p l e : H y b r i d - e l e c t r i c v e h i c l e s ( H E V ) h a v e e x p e r i e n c e d f a i l u r e s t h a t c a u s e

r u n a w a y m o t o r s w h e r e m o t o r s s p e e d u p o u t o f c o n t r o l a n d t r a n s f e r u n c o m m a n d e d p o w e r t o t h e

d r i v e a x l e s . A f a i l - s a f e m i t i g a t i o n w o u l d d i s c o n n e c t p o w e r f r o m t h e m o t o r , u s u a l l y t h r o u g h h i g h -

c u r r e n t r e l a y s , w h e n a f a i l u r e o c c u r s . T h e v e h i c l e m a y n o t b e d r i v a b l e , b u t t h e p a s s e n g e r s a n d

c a r g o r e m a i n s a f e .


33/733



Fail-Active Highly undesirable

state occurring when mitigationinto one of the other categories isnot possible.

Applications allow a smallprobability, such as 10-9.

Actuators respond in anuncontrollable/unpredictable

(nondeterministic) manner. Safety-critical systems are

designed to minimize fail-active scenarios.

Example: Automotive steer-by-wire applications havesteering wheel interfaces with

common mode failures thatcould inhibit steering control.

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

F a i l - A c t i v e T h i s c a t e g o r y i s h i g h l y u n d e s i r a b l e a n d s t r i k e s f e a r i n t o t h e h e a r t s o f s a f e t y - c r i t i c a l

s y s t e m s d e s i g n e r s . I t o c c u r s w h e n m i t i g a t i o n i n t o o n e o f t h e o t h e r c a t e g o r i e s i s n o t p o s s i b l e . I t

c a n n o t b e p r e v e n t e d c o m p l e t e l y , s o a p p l i c a t i o n s t y p i c a l l y a l l o w a s m a l l p r o b a b i l i t y , s u c h a s 1 0 - 9 .

I n a f a i l - a c t i v e s t a t e , a c t u a t o r s d r i v e t h e s y s t e m i n a n u n c o n t r o l l a b l e a n d u n p r e d i c t a b l e

( n o n d e t e r m i n i s t i c ) m a n n e r . S a f e t y - c r i t i c a l s y s t e m s a r e d e s i g n e d t o m i n i m i z e f a i l - a c t i v e s c e n a r i o s .

E x a m p l e : A u t o m o t i v e s t e e r - b y - w i r e a p p l i c a t i o n s h a v e a u n i q u e c h a l l e n g e i n t h a t t y p i c a l s t e e r i n g

w h e e l i n t e r f a c e s h a v e c o m m o n m o d e f a i l u r e s t h a t c o u l d i n h i b i t s t e e r i n g c o n t r o l .


34/733


Degradation Requirements

Performance specs apply degradation categories

through multiple failure modes.

Example for a tri-redundant artificial heart: After the first failure, the system shall remain fail-

operational. After the second failure, the operation shall be fail-

passive. After the third failure, the operation shall be fail-safe.

Select architectures and components to meet theserequirements. In this example, the heart must be able topump with only two operating channels. The actuators

must be sized to enable operation with only twofunctioning actuators.

A p p l i c a t i o n p e r f o r m a n c e s p e c i f i c a t i o n s m a y r e q u i r e s y s t e m a r c h i t e c t u r e s t o a p p l y t h e s e

d e g r a d a t i o n c a t e g o r i e s t h r o u g h m u l t i p l e f a i l u r e m o d e s . F o r i n s t a n c e , a f t e r t h e f i r s t f a i l u r e i n

a q u a d - r e d u n d a n t f l i g h t a c t u a t o r s y s t e m , t h e s y s t e m m a y b e r e q u i r e d t o r e m a i n f a i l -

o p e r a t i o n a l . A f t e r t h e s e c o n d f a i l u r e i n t h e s y s t e m , t h e a p p l i c a t i o n m a y r e q u i r e f a i l - p a s s i v e

o p e r a t i o n . A f t e r t h r e e f a i l u r e s , t h e a p p l i c a t i o n m a y r e q u i r e f a i l - s a f e o p e r a t i o n . S y s t e m

d e s i g n e r s m u s t b e a w a r e o f f a i l u r e r e s p o n s e r e q u i r e m e n t s a n d s e l e c t a r c h i t e c t u r e s a n d

c o m p o n e n t s a c c o r d i n g l y . I n t h i s a p p l i c a t i o n , t h e a c t u a t o r s y s t e m m u s t b e a b l e t o

a d e q u a t e l y m o v e t h e a i r c r a f t s u r f a c e s w i t h o n l y t w o o p e r a t i n g c h a n n e l s . T h e r e f o r e , t h e

a c t u a t o r s m u s t b e s i z e d t o e n a b l e o p e r a t i o n w i t h o n l y t w o f u n c t i o n i n g a c t u a t o r s .


35/733


Industry Specifications andStandards

Industry Specifications andStandards


36/733


Role of Industry Standards

Safety-critical applications are guaranteed only through

robust designs and controlled operation.

Industry specs and standards provide guidelines to: Support safety-critical application development

Generally accepted engineering practices for robustdesign

Definitions and expectations for controlled operation

Compliance to these standards significantly influencedevelopment cost and schedule.

Standards can contain requirements, guidelines or both. Requirementsprocesses/practices that must be

implemented. Guidelinesrecommended practices/methods.

W e c l a i m e d e a r l i e r t h a t s a f e t y - c r i t i c a l a p p l i c a t i o n s a r e g u a r a n t e e d o n l y t h r o u g h r o b u s t

d e s i g n s a n d c o n t r o l l e d o p e r a t i o n . I n d u s t r y s p e c i f i c a t i o n s a n d s t a n d a r d s p r o v i d e g e n e r a l l y

a c c e p t e d e n g i n e e r i n g p r a c t i c e s a n d g u i d e l i n e s t o s u p p o r t s a f e t y - c r i t i c a l a p p l i c a t i o n

d e v e l o p m e n t . D e v e l o p m e n t p r o g r a m s w i l l i d e n t i f y a p p l i c a b l e i n d u s t r y s p e c i f i c a t i o n s a n d

s t a n d a r d s e a r l y i n t h e l i f e - c y c l e , a s c o m p l i a n c e t o t h e s e s t a n d a r d s c a n h a v e a s i g n i f i c a n t

i n f l u e n c e o n d e v e l o p m e n t c o s t a n d s c h e d u l e .

S t a n d a r d s c a n c o n t a i n r e q u i r e m e n t s , g u i d e l i n e s o r b o t h . R e q u i r e m e n t s a r e p r o c e s s e s o r

d e s i g n p r a c t i c e s t h a t m u s t b e i m p l e m e n t e d . G u i d e l i n e s p r o v i d e r e c o m m e n d e d p r a c t i c e s

a n d m e t h o d s f o r s a t i s f y i n g r e q u i r e m e n t s .


37/733


Safety Standards Categories

Safety

Standards

Development

Processes

Design

Practices

Management EngineeringAnalysis SystemArchitecture ComponentPractices

S t a n d a r d s c a n b e a p p l i e d t o d e v e l o p m e n t p r o c e s s e s a n d / o r d e s i g n i m p l e m e n t a t i o n

E x a m p l e s o f d e v e l o p m e n t p r o c e s s e s a r e s o f t w a r e d e v e l o p m e n t p l a n s , q u a l i t y m a n a g e m e n t

p r o c e s s e s a n d v e r i f i c a t i o n p l a n s . E n g i n e e r i n g a n a l y s i s s t a n d a r d s i n c l u d e r e l i a b i l i t y a n a l y s i s

a n d o t h e r p e r f o r m a n c e a n a l y s e s . D e s i g n p r a c t i c e s a r e v e r y s p e c i f i c t o t h e a p p l i c a t i o n

i n d u s t r y . F o r i n s t a n c e , t h e F e d e r a l M o t o r V e h i c l e S a f e t y S t a n d a r d s ( F M V S S ) p r o v i d e

d e s i g n p r a c t i c e s f o r m o t o r v e h i c l e s .


38/733


Sample Safety Standards and Applicability

Automotive Industry SoftwareMISRA / MISRA C

Motor vehicle systems and components (CAN)CMVSS

Motor vehicle systems and components (US)FMVSS

Railway IndustryEN 50128

Medical EquipmentIEC 60601

Automotive FMEASAE J1739

Vehicle Electronic SystemsSAE J1938

Guidelines for Electric Vehicle SafetySAE J2344

Nuclear IndustryIEC 880

Software design requirements (non-process)UL-1998

Automotive software safety processesMOD DEF STAN 00-55

Automotive system safety processesMOD DEF STAN 00-56

Generic 'Programmable Systems'IEC 61508

Aerospace and Aviation SoftwareRTCA/DO-178B

Aerospace and Aviation HardwareRTCA/DO-254

Aircraft systems certification considerationsARP 4754Airborne systems safety assessmentARP 4761

Safety systems for US DoDMIL-STD-882

ApplicabilityStandard

A l t h o u g h t h e s c o p e o f t h i s p a p e r i s n o t t o p r o v i d e a t u t o r i a l o f s a f e t y s t a n d a r d s , i t i s r e l e v a n t

t o i d e n t i f y s o m e s t a n d a r d s a n d t h e i r a p p l i c a b l e i n d u s t r i e s a n d a p p l i c a t i o n s . T a b l e 1

h i g h l i g h t s s o m e c o m m o n s t a n d a r d s .


39/733


Applicability of Standards

There is some cross-breeding of standards.

Ex. DO-178B is used in some automotive and medicalapplications.

System Integrity Levels (SIL)

Classified from 4 (highest safety) to 0 (not safety-related) [DO-178B uses A (high) to E (low)]

SIL determines applicable development and testprocesses

Not globally adopted Some countries take deviations

M a n y o f t h e s t a n d a r d s l i s t e d a b o v e c l a s s i f y s y s t e m s i n t o f i v e S y s t e m I n t e g r i t y L e v e l s ( S I L s )

f r o m 4 ( h i g h e s t s a f e t y ) t o 0 ( n o t s a f e t y r e l a t e d ) . D O - 1 7 8 B u s e s A ( h i g h e s t s a f e t y ) t o E

( l o w e s t s a f e t y ) . T h e S I L o f t h e d e v e l o p m e n t p r o j e c t d r i v e s t h e p r o c e s s e s f o r t h a t p r o j e c t .

F o r i n s t a n c e , t o t e s t s o f t w a r e i n a D O - 1 7 8 B L e v e l A p r o j e c t , s u c h a s a f l i g h t c o n t r o l s y s t e m

w i t h n o m e c h a n i c a l b a c k u p , a l l c o d e s t a t e m e n t s m u s t b e e x e c u t e d , a l l c o d e b r a n c h e s m u s t

b e f o l l o w e d , a n d a c t u a l t a r g e t h a r d w a r e m u s t b e u s e d .


40/734


But do I HAVE to?

Designers mission is to achieve safety certification

Deviations can be taken, if they are coordinated with andapproved by the applications certification representative.

The Code is more what you'd call

"guidelines" than actual rules.

B a r b o s s a , P i r a t e s o f t h e C a r i b b e a n

T o s t e a l a q u o t e f r o m t h e m o v i e P i r a t e s o f t h e C a r i b b e a n , m a n y o f t h e s e s t a n d a r d s a r e

m o r e w h a t y o u ' d c a l l g u i d e l i n e s t h a n a c t u a l r u l e s . T h e d e s i g n e r s r e a l m i s s i o n i s t o

a c h i e v e s a f e t y c e r t i f i c a t i o n . D e v i a t i o n s c a n b e t a k e n , i f t h e y a r e c o o r d i n a t e d w i t h a n d

a p p r o v e d b y t h e a p p l i c a t i o n s c e r t i f i c a t i o n r e p r e s e n t a t i v e .


41/734


Development StrategiesDevelopment Strategies


42/734


So Tell Me, Do You Feel Lucky Punk?

For a system to be trusted with human life, it must be:

Well-planned, Well-designed, Well-tested Design Goal Eliminate catastrophic failure modes, or Minimize the risk to a very low probability

Testing is necessary, but not sufficient Proves the presence of errors, not their absence No way to test safety into the system

Safety is built-in throughout the development life-cycle Safety-critical development plans and test procedures Independent reviews

S y s t e m s t h a t a r e w e l l - p l a n n e d , d e s i g n e d , t e s t e d a n d c e r t i f i e d c a n b e t r u s t e d w i t h h u m a n

l i f e . T h e d e s i g n g o a l o f s a f e t y - c r i t i c a l s y s t e m d e v e l o p m e n t i s t o e l i m i n a t e f a i l u r e m o d e s

t h a t c o u l d r e s u l t i n c a t a s t r o p h i c f a i l u r e s , o r i f t h a t i s n o t f e a s i b l e , m i n i m i z e t h e r i s k s u c h t h a t

t h e r e i s a v e r y l o w p r o b a b i l i t y o f c a t a s t r o p h i c f a i l u r e .

S a f e t y i s p r o v e n n o t o n l y t h r o u g h t e s t i n g , b u t a l s o t h r o u g h s a f e p l a n n i n g a n d d e v e l o p m e n t

p r o c e s s e s . T e s t i n g i s a n e c e s s a r y , b u t n o t s u f f i c i e n t , e l e m e n t o f s a f e t y - c r i t i c a l d e v e l o p m e n t

i t o n l y p r o v e s t h e p r e s e n c e o f e r r o r s , n o t t h e i r a b s e n c e . W e h a v e n t y e t f o u n d a w a y t o

t e s t s a f e t y i n t o t h e s y s t e m .

S a f e t y m u s t b e b u i l t - i n t h r o u g h o u t t h e d e v e l o p m e n t l i f e - c y c l e u s i n g s a f e t y - c r i t i c a l

d e v e l o p m e n t p l a n s a n d p r o c e d u r e s , i n d e p e n d e n t r e v i e w s , a n d c o m p r e h e n s i v e t e s t c a s e s .

T h i s s e c t i o n h i g h l i g h t s s o m e b a s i c d e v e l o p m e n t s t r a t e g i e s t h a t h a v e p r o v e n t o b e i m p o r t a n t

i n m a n y o f t h e a u t h o r s d e s i g n s . I t i s b y n o m e a n s a c o m p r e h e n s i v e l i s t , b u t i t d o e s c a p t u r e

s o m e t h o u g h t p r o c e s s e s t h a t m u s t b e e x e r c i s e d .


43/734


Improving Fault Tolerance

Brick wall partitoning

Redundancy no single-point failures

Cross-channel data voting

Isolation and independence (e.g. power sources) Both hardware and software

BIT mode allocation

Hardware independence of control and BIT HW

Reliability, maintainability and safety analyses

Deterministic performance

Comprehensive validation and verification

Requirements-based simulation and testing

Certified development tools


44/734


Example CasesExample Cases

T h r o u g h o u t m y c a r e e r , I h a v e w o r k e d o n s a f e t y - c r i t i c a l a p p l i c a t i o n s o n a v a r i e t y o f

p l a t f o r m s , i n c l u d i n g a i r p l a n e s , l o c o m o t i v e s , h e a v y - d u t y t r u c k s , p a s s e n g e r v e h i c l e s , p o w e r

s y s t e m s , a n d m e d i c a l d i a g n o s t i c s . I n t e r e s t i n g l y , t h e c o n c e p t s n e e d e d t o m a k e t h e s e

s y s t e m s f a u l t - t o l e r a n t , f a i l - o p e r a t i v e o r f a i l - s a f e a r e q u i t e c o m m o n .

T h e f o l l o w i n g d e s c r i b e s s o m e e x a m p l e s o f s a f e t y - c r i t i c a l s y s t e m s .


45/734


Fly-by-wire Aircraft Control Systems

In the past, many aircraft had mechanical backups for

their electronic flight control systems.

Fly-by-wire systems with no mechanical backups arebecoming more prevalent in both military andcommercial environments.

Actuation systems, such as those that move flightsurfaces, have become safety-critical.


46/734


Automotive Drive-by-wire System

Now developing full authority drive-by-wire systems:

Brake-by-wire Steer-by-wire

Throttle-by-wire.

Previously achieved fault tolerance through hardwareredundancy.

Redundancy can be cost and space prohibitive in drive-by-wire applications.

Software standards such as MISRA are being developedto facilitate fault tolerance with less hardwareredundancy.


47/734


Railway Signaling System

Railway signaling systems enable operators to direct

trains while preventing trains from colliding

Malfunction in these systems could cause death

Safety-related hardware is used to provide redundancy

Control independence is provided through coordinatedactions by the train operator and the dispatcher.


48/734


Submarine Depth Control System

Similar challenges as aircraft applications

Preferred fail-safe response depends on the applicationand environment.

In a battle environment, underwater concealment isimportant, so surfacing the submarine may not be thebest mitigation

Submarine pilot must be able to eventually surface afailed vehicle to recover personnel


49/734


Nuclear Power Station Shutdown

Nuclear power stations require a protection system that

closes the station down in the event of a malfunction.

Protection system must mitigate the consequences ofthe situation.

Both hardware and software protection systems areused, since the multiple redundancy increasesconfidence in safety.

With great power comes

great responsibility.

U n c l e B e n , S p i d e r m a n


50/735


Medical Systems

Can be directly responsible for human life

Examples: Hardware that controls laparoscopic surgery devices Software that monitors safe amounts of x-rays

Information systems that doctors use to coordinatemedication

Safety development standards have recently become astrong focus in the medical industry.

Therac-25 radiation therapy machine has resulted in lostlives due to software-related radiation overdoses.


51/735


Conclusions

System safety requires robust design and controlled operation

during failure modes. Designers for safety-critical applications utilize industry standards

and development processes, as well as preferred engineering

practices, to develop safe, validated and deterministic designs.

Redundancy and comprehensive BIT mitigate system failures

Learn to expect the unexpected.

The response to an unexpected event must be known anddesigned into the system before that unexpected event occurs.

Predictable and deterministic responses to all potential failuremodes are paramount in safety-critical design.

Many of the issues, practices and strategies described in thispresentation are a result of previous or ongoing projects atOn Target Technology Development.

I f w e a l l k e e p o u r w i t s a b o u t u s a s w e d e v e l o p t h e s e s a f e t y - c r i t i c a l s y s t e m s , w e c a n s i t b a c k

a n d r e l a x i n o u r c o n f i n e d s p a c e o n b o a r d a n a i r c r a f t w i t h o u t w o r r y i n g t h a t a d e s i g n f a i l u r e

w i l l s e n d o u r s t e e l h o r s e f o r a l o o p e v e n w h e n w e f l y o v e r t h e E q u a t o r .


52/735


On Target Medical Actuator Projects

Products, research projects, partnerships

Medical monitor

Muscle diagnostic system

Circulation Actuation through the Limb Footwear (CALF)

Personal transporter

Respiratory therapy stimulation vest

X-ray controller


53/735


Q&AQ&A


54/735


If you have any further questions

On Target TechnologyDevelopment

1701 North Street, Bldg 40-1, Endicott, NY 13760

P: (607) 755-4990 F: (607) 755-4981

Contact: Vince Socci, Principal

[email protected]

www.ontargettechnology.com

On Time, On Budget, On Top On Target


55/735


Backup slidesBackup slides


56/735


How do you meet that demand?

Education and training in safety-critical application

development Integrated system awareness and development

Proven safety standards, development processes, anddesign practices

Lessons learned and development strategies from theschool of hard knocks

Education and training in safety-critical application

development

Integrated system awareness and development

Proven safety standards, development processes, anddesign practices

Lessons learned and development strategies from theschool of hard knocks

You took the initiative to participate in this workshopYou took the initiative to participate in this workshopYou took the initiative to participate in this workshopYou took the initiative to participate in this workshop

and learn the skills needed to meet that demand.and learn the skills needed to meet that demand.and learn the skills needed to meet that demand.and learn the skills needed to meet that demand.

As a result, you will become more valuable toAs a result, you will become more valuable toAs a result, you will become more valuable toAs a result, you will become more valuable to

your organization and your industry.your organization and your industry.your organization and your industry.your organization and your industry.

Congratulations!Congratulations!Congratulations!Congratulations!

T h e r e i s o n l y s o m u c h w e c a n l e a r n i n a 9 0 - m i n u t e c o u r s e . B u t w e w i l l c o v e r t h e h i g h l i g h t s ,

a n d y o u w i l l t a k e t h a t o v e r v i e w a s a f o u n d a t i o n f o r y o u r f u t u r e l e a r n i n g .


57/735


F-16 Thunderbird Crashes

See http://www.f-16.net/f-16_news_article968.html

F - 1 6 C p e r f o r m e d a b e l l y l a n d i n g o n t h e L u k e

A F B r u n w a y o n J u n e 1 7 , 2 0 0 4 a t

a p p r o x i m a t e l y 1 4 1 6 .

T h e p i l o t o f t h e F - 1 6 d e c l a r e d a n i n - f l i g h t

e m e r g e n c y w h e n h e c o u l d n o t e x t e n d t h e

l a n d i n g g e a r . A f t e r n u m e r o u s a t t e m p t s t o

e x t e n d i t , t h e a i r c r a f t r a n o u t o f f u e l a n d t h e

p i l o t w a s f o r c e d t o p u t t h e j e t d o w n o n i t s b e l l y .

A f t e r s l i d i n g t o a f i e r y s t o p , t h e c a n o p y w a s

s e e n t o g o u p a n d t h e p i l o t s p r i n t e d a w a y f r o m

t h e b u r n i n g a i r c r a f t . T h e p i l o t i s t h o u g h t t o b e

o k , b u t t h e a i r c r a f t i s m o s t l i k e l y t o t a l e d .

E v e n t # 1 E v e n t # 1 E v e n t # 1 E v e n t # 1

P i l o t E r r o r

P i l o t E r r o r P i l o t E r r o r P i l o t E r r o r E v e n t # 2

E v e n t # 2 E v e n t # 2 E v e n t # 2

S y s t e m F a i l u r e

S y s t e m F a i l u r e S y s t e m F a i l u r e S y s t e m F a i l u r e

See http://www.f-16.net/f-16_news_article1100.html

A p i l o t ' s e r r o r c a u s e d a T h u n d e r b i r d s F - 1 6 C t o c r a s h s h o r t l y a f t e r t a k e o f f d u r i n g a S e p t e m b e r a i r s h o w a t M o u n t a i n

H o m e A i r F o r c e B a s e , I d a h o . T h e p i l o t e j e c t e d j u s t b e f o r e t h e a i r c r a f t i m p a c t e d t h e g r o u n d .

O n W e d n e s d a y t h e 2 1 s t , t h e A i r F o r c e A c c i d e n t I n v e s t i g a t i o n B o a r d h e l d a n e w s c o n f e r e n c e a t t h e h o m e o f t h e

T h u n d e r b i r d s - N e l l i s A i r F o r c e B a s e - t o a n n o u n c e w h a t c a u s e d a n F 1 6 t o c r a s h l a s t S e p t e m b e r .

A c c o r d i n g t o t h e a c c i d e n t i n v e s t i g a t i o n b o a r d r e p o r t t h e p i l o t , 3 1 - y e a r - o l d C a p t a i n C h r i s S t r i c k l i n , m i s i n t e r p r e t e d

t h e a l t i t u d e r e q u i r e d t o c o m p l e t e t h e " S p l i t S " m a n e u v e r . H e m a d e h i s c a l c u l a t i o n b a s e d o n a n i n c o r r e c t m e a n -

s e a - l e v e l a l t i t u d e o f t h e a i r f i e l d . T h e p i l o t i n c o r r e c t l y c l i m b e d t o 1 , 6 7 0 f e e t a b o v e g r o u n d l e v e l i n s t e a d o f 2 , 5 0 0 f e e t

b e f o r e i n i t i a t i n g t h e p u l l d o w n t o t h e S p l i t S m a n e u v e r .

W h e n h e r e a l i z e d s o m e t h i n g w a s w r o n g , t h e p i l o t p u t m a x i m u m b a c k s t i c k p r e s s u r e a n d r o l l e d s l i g h t l y l e f t t o

e n s u r e t h e a i r c r a f t w o u l d i m p a c t a w a y f r o m t h e c r o w d s h o u l d h e h a v e t o e j e c t . H e e j e c t e d w h e n t h e a i r c r a f t w a s

1 4 0 f e e t a b o v e g r o u n d - j u s t 0 . 8 s e c o n d s p r i o r t o i m p a c t . H e s u s t a i n e d o n l y m i n o r i n j u r i e s f r o m t h e e j e c t i o n . T h e r e

w a s n o o t h e r d a m a g e t o m i l i t a r y o r c i v i l i a n p r o p e r t y .

T h e a i r c r a f t , v a l u e d a t a b o u t $ 2 0 . 4 m i l l i o n , w a s d e s t r o y e d .

T h e d i f f e r e n c e i n a l t i t u d e s a t N e l l i s a n d M o u n t a i n H o m e m a y h a v e c o n t r i b u t e d t o t h e p i l o t ' s e r r o r . T h e a i r f i e l d a t

N e l l i s i s a t 2 , 0 0 0 f e e t w h e r e a s t h e o n e a t M o u n t a i n H o m e i s a t 3 , 0 0 0 f e e t . I t a p p e a r s t h a t t h e p i l o t r e v e r t e d b a c k t o

h i s N e l l i s h a b i t p a t t e r n f o r s a p l i t s e c o n d . T h u n d e r b i r d c o m m a n d e r L t . C o l . R i c h a r d M c S p a d d e n s a i d S t r i c k l i n h a d

p e r f o r m e d t h e s t u n t a r o u n d 2 0 0 t i m e s , a t d i f f e r e n t a l t i t u d e s d u r i n g h i s y e a r a s a T h u n d e r b i r d p i l o t .

M c S p a d d e n s a y s S t r i c k l i n i s a n e x c e p t i o n a l o f f i c e r . " H e i s a n e x t r e m e l y t a l e n t e d p i l o t . H e c a m e i n h e r e a n d m a d e

a n h o n e s t m i s t a k e , " s a y s L t . C o l . M c S p a d d e n . B u t t h a t m i s t a k e h a s c o s t S t r i c k l i n h i s p r e s t i g i o u s s p o t o n t h e

T h u n d e r b i r d t e a m . " H e ' s a s s i g n e d t o W a s h i n g t o n D . C . , " s a y s M c S p a d d e n . " H e ' s w o r k i n g i n t h e P e n t a g o n t h e r e i n

o n e o f t h e a g e n c i e s . "

T h e m a n e u v e r t h e p i l o t w a s t r y i n g t o c o m p l e t e i s c a l l e d t h e " S p l i t S M a n e u v e r . " T h e s t u n t r e q u i r e s t h a t t h e p i l o t

c l i m b t o 2 , 5 0 0 f e e t . I n v e s t i g a t o r s s a y S t r i c k l i n o n l y c l i m b e d t o 1 , 6 7 0 f e e t b e f o r e h e w e n t i n t o t h e s p i n n i n g r o l l .

T h e b o a r d d e t e r m i n e d o t h e r f a c t o r s s u b s t a n t i a l l y c o n t r i b u t e d t o c r e a t i n g t h e o p p o r t u n i t y f o r t h e e r r o r i n c l u d i n g t h e

r e q u i r e m e n t t o c o n v e r t s e a l e v e l a l t i t u d e i n f o r m a t i o n f r o m t h e F - 1 6 i n s t r u m e n t s - t o t h e i r a l t i t u d e a b o v e g r o u n d a n d

c a l l o u t t h a t i n f o r m a t i o n t o a s a f e t y o p e r a t o r b e l o w .

B u t t h e A i r F o r c e h a s n o w c h a n g e d t h a t a s a r e s u l t o f t h e c r a s h . T h u n d e r b i r d p i l o t s w i l l n o w c a l l o u t t h e M S L

( m e a n - s e a - l e v e l ) a l t i t u d e s a s o p p o s e d t o t h e A G L ( a b o v e - g r o u n d - l e v e l ) a l t i t u d e s .

T h u n d e r b i r d p i l o t s w i l l n o w a l s o c l i m b a n e x t r a 1 0 0 0 f e e t b e f o r e p e r f o r m i n g t h e S p l i t S M a n e u v e r t o p r e v e n t

a n o t h e r m i s t a k e l i k e t h e o n e o n S e p . 1 4 , 2 0 0 3 f r o m h a p p e n i n g a g a i n .

C a p t a i n C h r i s S t r i c k l i n h a s b e e n i n t h e A i r F o r c e s i n c e 1 9 9 4 a n d f l e w w i t h t h e T h u n d e r b i r d s f o r t h e f i r s t s e a s o n

n o w . H e h a s l o g g e d a t o t a l o f 1 , 5 0 0 + f l i g h t h o u r s a n d h a s r e c e i v e d n u m e r o u s a w a r d s . H e s e r v e d a s a f l i g h t

e x a m i n e r , f l i g h t i n s t r u c t o r a n d f l i g h t c o m m a n d e r .

T h e T h u n d e r b i r d s w i l l a g a i n t a k e t o t h e s k i e s t h i s y e a r . T h e y h a v e 6 5 a i r s h o w s s c h e d u l e d .

T h e S e p t e m b e r c r a s h w a s t h e s e c o n d i n v o l v i n g a T h u n d e r b i r d s j e t s i n c e t h e t e a m b e g a n u s i n g F - 1 6 s i n 1 9 8 3 .

P i l o t e r r o r w a s b l a m e d f o r a F e b . 1 4 , 1 9 9 4 , t r a i n i n g c r a s h i n v o l v i n g i n a m a n e u v e r c a l l e d a s p i r a l d e s c e n t a t t h e

I n d i a n S p r i n g s A u x i l i a r y A i r f i e l d , n o r t h w e s t o f L a s V e g a s . T h e p i l o t s u r v i v e d , b u t t h e m a n e u v e r w a s d i s c o n t i n u e d .


58/735


Automotive Brake-by-Wire System

FL FR

RL RR

P

A brake actuator interfaces with

each wheel (FL, FR, RL, andRR).

These actuators are controlledusing the brake pedal input (P).

Dual-redundant signal paths areused to prevent single-point

failures in the wiring.

What happens when a brake fails?

(active/inactive)

A pedal?

B r a k e - b y - w i r e s y s t e m s a r e s a f e t y c r i t i c a l s y s t e m s . I f t h e b r a k e s f a i l t o o p e r a t e c o r r e c t l y , t h e

v e h i c l e w i l l n o t b e c o n t r o l l a b l e . I m a g i n e w h a t w o u l d h a p p e n i f y o u w e r e d r i v i n g 1 2 0 k p h

a n d t h e b r a k e s w o u l d n o t a c t u a t e ? W h a t i f t h e f a i l u r e f o r c e d t h e b r a k e s t o a c t u a t e

u n c o n t r o l l a b l y ?


59/735


Partitioning and Modularity

Allocate system requirements and distribute them to

functional components. Different functional componentsmay have different safety integrity levels.

Systems SIL is the minimum SIL for any functionalcomponent that performs safety-critical functions

Functional blocks may be implemented with brick-walltime and space partitioning of separately loadablesoftware applications. These programs can havedifferent SILs, which may result in reduced test andcertification costs and increased portability/reuse.

R e m e m b e r - S e l e c t i o n o f t h e s a f e t y i n t e g r i t y l e v e l i s i m p o r t a n t b e c a u s e i t d e t e r m i n e s w h i c h

d e v e l o p m e n t g u i d e l i n e s , p r o c e s s e s a n d s t a n d a r d s w i l l b e r e q u i r e d i n d e v e l o p m e n t .


60/736


System Redundancy

Primary means to develop fault tolerant systems of components

Lets compare these two systems

Power

Source

Sensor

Monitors

ActuatorController

ActuatorController

ActuatorController

Actuator

Control

InterfaceController

Mechanical

Interface

Sensor

MonitorsSensor

MonitorsSensor

Monitors

FL FR

RL RR

P

T h e f i r s t e x a m p l e i s a b r a k e - b y - w i r e s y s t e m . I f o n e b r a k e a c t u a t o r f a i l s i n a n i n a c t i v e s t a t e

( i . e . t h e b r a k e c a n n o t b e a p p l i e d ) , t h e b r a k e a c t u a t o r s o n t h e o t h e r t h r e e w h e e l s w i l l l i k e l y

s t o p t h e v e h i c l e . R e d u n d a n c y a l l o w s t h e s y s t e m t o p e r f o r m , a l b e i t i n a d e g r a d e d m o d e ,

w h e n f a i l u r e s o c c u r . I f a b r a k e f a i l s i n a n a c t i v e s t a t e ( i . e . t h e b r a k e i s a p p l i e d w h e n n o t

c o m m a n d e d ) , t h e s a f e t y o f t h e o p e r a t o r m a y b e j e o p a r d i z e d , e s p e c i a l l y i f i t o c c u r s w h i l e t h e

v e h i c l e i s t r a v e l i n g a t h i g h s p e e d s w h e n t h e f a i l u r e o c c u r s . T h e F e d e r a l M o t o r V e h i c l e

S a f e t y S t a n d a r d s ( F M V S S ) p r o v i d e g u i d e l i n e s t o c o n s i d e r w h e n d e v e l o p i n g t h i s t y p e o f

s y s t e m . D e p e n d i n g o n y o u r a p p l i c a t i o n , t h e f a i l - s a f e p o s i t i o n o f b r a k e a c t u a t o r s m a y b e

f u l l - a c t i v e , p a r t i a l l y a c t i v e , o r f u l l i n a c t i v e .

T h e s e c o n d e x a m p l e s h o w s a q u a d a c t u a t o r s y s t e m w h e r e b y a l l a c t u a t o r s c o n t r o l t h e s a m e

m e c h a n i c a l i n t e r f a c e . F a i l u r e s i n t h e c o n t r o l l e r s , a c t u a t o r s a n d f e e d b a c k s e n s o r s a r e

m i t i g a t e d b y r e d u n d a n t c o m p o n e n t s . H o w e v e r , f a i l u r e s i n t h e c o n t r o l i n t e r f a c e , p o w e r

s o u r c e a n d e v e n t h e m e c h a n i c a l i n t e r f a c e c a n n o t b e m i t i g a t e d . T h e s e a r e c a l l e d s i n g l e -

p o i n t f a i l u r e m o d e s , i n w h i c h a f a i l u r e a t a s i n g l e p o i n t w i l l c a u s e t h e s y s t e m t o b e

i n o p e r a b l e . G o o d s y s t e m a r c h i t e c t u r e s m i n i m i z e s i n g l e - p o i n t f a i l u r e m o d e s , a n d i d e a l l y

h a v e n o n e .


61/736


System Redundancy

Brake-by-wire system

FL FR

RL RR

P

If one brake actuator fails in an inactivestate, the brake actuators on the other

three wheels will likely stop the vehicle.Redundancy allows the system to perform(degraded) when failures occur.

If a brake fails in an active state, the

safety of the operator may be jeopardized.

The Federal Motor Vehicle Safety

Standards (FMVSS) provide guidelines toconsider when developing this type ofsystem.

Depending on your application, the fail-safe position of brake actuators may befull-active, partially active, or full inactive.


62/736


System Architecture Analyses and Processes

Formal development processes for:

System requirements management Design and analysis

Comprehensive verification

Quantifies safety performance and determines safety-critical design practices that should be implemented.

Evaluate static failures and dynamic failures such as:

A required event that does not occur An undesirable event that does occur Order of events sequence failures Timing failures in event sequences

Consider all failure modes that affect performance

T h e i n d u s t r y s t a n d a r d s d e s c r i b e d e a r l i e r s t r e s s f o r m a l p l a n n i n g , d e v e l o p m e n t a n d t e s t

p r o c e s s e s . S y s t e m s e n g i n e e r i n g f o r s a f e t y - c r i t i c a l s y s t e m s e m p h a s i z e s f o r m a l

d e v e l o p m e n t p r o c e s s e s f o r s y s t e m r e q u i r e m e n t s m a n a g e m e n t , i t e r a t i v e d e s i g n a n d

a n a l y s i s , a n d c o m p r e h e n s i v e v e r i f i c a t i o n . T h e s e g u i d e l i n e s , c o u p l e d w i t h r o b u s t d e s i g n

p r a c t i c e s , p r o v i d e s a f e s y s t e m a r c h i t e c t u r e s .

A s a f e t y a n a l y s i s , s u c h a s t h e s y s t e m s a f e t y a s s e s s m e n t p r o c e s s d e s c r i b e d b y g u i d e l i n e s

l i k e A R P 4 7 6 1 [ 5 ] , a r e p e r f o r m e d o n t h e s y s t e m a r c h i t e c t u r e t o q u a n t i f y s a f e t y p e r f o r m a n c e

a n d a s c e r t a i n w h a t s a f e t y - c r i t i c a l d e s i g n p r a c t i c e s s h o u l d b e

Documents

Safety-Critical Medical Actuators - Socci