Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 466 – Fall 2000 - Introduction - 1 Design for Safety 1.Hazard Identification and Fault Tree Analysis 2.Risk Assessment 3.Define Safety Measures 4.Create.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE 466 – Fall 2000 - Introduction - 1 Design for Safety 1.Hazard Identification and Fault Tree Analysis 2.Risk Assessment 3.Define Safety Measures 4.Create."— Presentation transcript:

1 CSE 466 – Fall 2000 - Introduction - 1 Design for Safety 1.Hazard Identification and Fault Tree Analysis 2.Risk Assessment 3.Define Safety Measures 4.Create Safe Requirements 5.Implement Safety (we will talk about software specifically here) 6.Assure Safety Process 7.Test,Test,Test,Test,Test All of this happens in parallel, not just once per design

2 CSE 466 – Fall 2000 - Introduction - 2 Hazard Identification  Two Approaches  Hazard analysis: start from hazard and work backwards  Ventilator: Hypoventilation hazard  No pressure in air resevoir  resevoir vent stuck open (single failure) Hyperventilation hazard  pressure sensor failure  overpressure valve stuck closed (double failure)  FMEA: Failure Modes and Effects Analysis, start from failure & work forward  Fuel Cell Example H2 sensor stuck normal  failure to detect internal leak  Chassis vent blocked  H2 concentration > 45  explosion hazard (double failure) H2 sensor stuck as if H2 present  system shutdown on H2 leak error code  no hazard  Single fault tolerance require timing analysis too…is first fault detected before it causes a hazard, and before second fault can happens

3 CSE 466 – Fall 2000 - Introduction - 3 FMEA – Working Forward  Failure Mode: how a device can fail  Battery: never voltage spike, only low voltage  Valve: Stuck open? Stuck Closed?  Motor Controller: Stuck fast, stuck slow?  Hydrogen sensor: Will it be latent or mimic the presence of hydrogen?  FMEA  For each mode of each device perform hazard analysis as in the previous flow chart  Huge search space

4 CSE 466 – Fall 2000 - Introduction - 4 Fault Tree Analysis  Pacemaker Example single fault hazard And gates are good!

5 CSE 466 – Fall 2000 - Introduction - 5 2. Risk Assessment  Determine how risky your system is S: Extent of Damage Slight injury Serious Injury* Few Deaths* Catastrophe E: Exposure Time infrquent continuous G: Prevenability Possible Impossible W: Probability low medium high 1 2 3 4 5 6 7 8 3 4 5 7 6 - 1 2 2 3 4 6 5 - - 1 W3 W2W1 S1 S3 S2 G2 G1 G2 G1 S4 E2 E1 E2 E1 Toy oven: S2*E1*G2*W2 <= 2 TUV standard *was “single death” and “several deaths” in source: Hard Time

6 CSE 466 – Fall 2000 - Introduction - 6 Example Risk Assessment DeviceHazardExtent of Damage Exposure Time Hazard Prevention Probabil ity TUV Risk Level Microwave Oven IrradiationS2E2G2W35 PacemakerPacing too slowly Pacing too fast S2E2G2W35 Power station burner control ExplosionS3E1--W36 AirlinerCrashS4E2G2W28

7 CSE 466 – Fall 2000 - Introduction - 7 3. Define the Safety Measures  Obviation: Make it physically impossible (mechanical hookups, etc).  Education: Educate users to prevent misuse or dangerous use.  Alarming: Inform the users/operators or higher level automatic monitors of hazardous conditions  Interlocks: Take steps to eliminate the hazard when conditions exist (shut off power, fuel supply, explode, etc.  Restrict Access. High voltage sources should be in compartments that require tools to access, w/ proper labels.  Labeling  Consider  Tolerance time  Supervision of the system: constant, occasional, unattended. Airport People movers have to be design to a much higher level of safety than attended trains even if they both have fully automated control

8 CSE 466 – Fall 2000 - Introduction - 8 4. Create Safe Requirements: Specifications  Document the safety functionality  eg. The system shall NOT pass more than 10mA through the ECG lead.  Typically the use of NOT implies a much more general requirement about functionality…in ALL CASES  Create Safe Designs  Start w/ a safe architecture  Keep hazard/risk analysis up to date.  Search for common mode failures  Assign responsibility for safe design… hire a safety engineer.  Design systems that check for latent faults  Use safe design practices…this is very domain specific, we will talk about software

9 CSE 466 – Fall 2000 - Introduction - 9 5. Implement Safety – Safe Software Language Features Type and Range Safe Systems Exception Handling Re-use, Encapsulation Objects Operating Systems Protocols Testing Regression Testing Exception Testing (Fault Seeding) Nuts and Bolts

10 CSE 466 – Fall 2000 - Introduction - 10 Language Features  Type and Range Safe Systems: Pascal, Ada….Java? Program WontCompile1; type MySubRange = 10.. 20; Day = {Mo, Tu, We, Th, Fr, Sa, Su}; var MyVar: MySubRange; MyDate: Day; begin MyVar := 9; {will not compile – range error} MyDate := 0; {will not compile – wrong type)  True type safety also requires runtime checking. a[j] := b; what must be checked here to guarantee type safety? range/type of j, range/type of b  Overhead in time and code size. But safety may require this.  Does type-safe = safe?  If no, then what good is a type safe system?

11 CSE 466 – Fall 2000 - Introduction - 11 Guidelines  Make it right before you make it fast  Verify during program execution  Pre-condition invariants  Things that must be true before you attempt to perform and operation.  Post-condition invariants  Things that must be true after and operation is performed  eg while (item!=null) { process(item); item = item  next; } assert(item == tail) // post-condition invariant  Exception handling What should happen in the event of an exception (assert(false))? who should be responsible for this check?

12 CSE 466 – Fall 2000 - Introduction - 12 Exception Handling  Its NOT okay to just let the system crash if some operation fails! You must, at least, get into safe mode.  Standard C: it is up to the app writer to perform error checking on the value returned by f1 and f2. Easily put off, or ignored. Can’t distinguish error handling from normal flow, no guarantee that all errors are handled gracefully.  a = f1(b,&c) if (a) switch (a) { case 1: handle exception 1 case 2: handle exception 2 … } d = f2(e,&f) if (d) switch (d) { case 1: handle exception 1 case 2: handle exception 2 … }

13 CSE 466 – Fall 2000 - Introduction - 13 Exception Handling in Java void myMethod() throws FatalException { try { // normal functional flow a = x.f1(b); // a is return value, b is parameter d = x.f2(e); // d is return value, e is parameter } catch (IOException ex) { recover and continue } catch (ArrayOutOfBoundsException ex) { not recoverable, throw new FatalException(“I’m Dead”); } finally { finish up and exit } Exceptions that are thrown, or not handled will terminate the current procedure and raise the exception to the caller, and so on. Exceptions are subclassed so that you can have very general or very specific exception handlers. No errors go unhandled. Separates throwing exceptions functional code exception handling

14 CSE 466 – Fall 2000 - Introduction - 14 Safety of Object Oriented SW  Strongly typed at compile time  Run time checking is not native, but can be built into class libraries for extensive modularization and re-use. The class author can force the app to deal with exceptions by throwing them! class embeddedList extends embeddedObject() { public add(embeddedObject item) throws tooBigException { if (this.len() > this.max()) throw new tooBigException(“List size too big”); else addItem2List(item); }  If you call embeddedList.add() you have three choices:  Catch the exception and handle it.  Catch the exception and map it into one of your exceptions by throwing an exception of a type declared in your own throws clause.  Declare the exception in your throws clause and let the exception pass through your method (although you might have a finally clause that cleans up first). Compiler will make you aware of any exceptions you forgot to consider!  When to use exceptions and when to use status codes or other means?

15 CSE 466 – Fall 2000 - Introduction - 15 More Language Features  Garbage collection  What is this for  Is it good or bad for embedded systems  Inheritance  Means that type safe systems can still have functions that operate on generic objects.  Means that we can re-use commonalities between objects.  Encapsulation  Means the the creator of the data structure also gets to define how the data structure is accessed and used, and when it is used improperly.  Means that the data structure can change without changing the users of the data structure (is the queue an array or a linked list…who cares!)  Re-use  Use trusted systems that have been thoroughly tested  OS  Networking  etc.  We have a project group looking into pros/cons of embedded java

16 CSE 466 – Fall 2000 - Introduction - 16 6. Testing  Unit test (white box)  requires knowledge of the detailed implementation of a single sub-system.  Test local functionality  Control algorithms  Boundary conditions and fault response  Integration Test (gray box)  Distributed processor systems w/ ongoing communications  Subsystems are already unit tested  Primarily for interfaces and component interaction  Falt seeding includes breaking the bus, disabling a subsystem, EMI exposure, power supply fluxuation, etc  Embedded systems require physical test environments  Validation Testing  Complete system  Environmental chamber  More fault seeding, bad user, etc.  Fault Seeding and Regression Testing!!!

17 CSE 466 – Fall 2000 - Introduction - 17 7. Safe Design Process  Mainly, the hazard/risk/FMEA analysis is a process not an event!  How you do things is as important as what you do.  Standards for specification, documentation, design, review, and test  ISO9000 defines quality process…one quality level is stable and predictable.  There are many processes, but the good ones include release/test early and often! Incremental analysis, development, and testing

Download ppt "CSE 466 – Fall 2000 - Introduction - 1 Design for Safety 1.Hazard Identification and Fault Tree Analysis 2.Risk Assessment 3.Define Safety Measures 4.Create."

Similar presentations

Exceptions: when things go wrong. Various sources of error public static doSomething() { int i = 3.0; while(!done); { int i = false } ) Syntactic errors.

Exceptions: when things go wrong. Various sources of error public static doSomething() { int i = 3.0; while(!done); { int i = false } ) Syntactic errors.
Yoshi

Yoshi
Exception Handling Chapter 15 2 What You Will Learn Use try, throw, catch to watch for indicate exceptions handle How to process exceptions and failures.

Exception Handling Chapter 15 2 What You Will Learn Use try, throw, catch to watch for indicate exceptions handle How to process exceptions and failures.
Liang, Introduction to Java Programming, Eighth Edition, (c) 2011 Pearson Education, Inc. All rights reserved. 0132130807 1 Chapter 13 Exception Handling.

Liang, Introduction to Java Programming, Eighth Edition, (c) 2011 Pearson Education, Inc. All rights reserved Chapter 13 Exception Handling.
Exceptions and Exception Handling Carl Alphonce CSE116 March 9, 2007.

Exceptions and Exception Handling Carl Alphonce CSE116 March 9, 2007.
Exceptions1 Syntax, semantics, and pragmatics. Exceptions2 Syntax, semantics, pragmatics Syntax –How it looks, i.e. how we have to program to satisfy.

Exceptions1 Syntax, semantics, and pragmatics. Exceptions2 Syntax, semantics, pragmatics Syntax –How it looks, i.e. how we have to program to satisfy.
Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.

Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.
COP 2800 Lake Sumter State College Mark Wilson, Instructor.

COP 2800 Lake Sumter State College Mark Wilson, Instructor.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Liang, Introduction to Java Programming, Fifth Edition, (c) 2005 Pearson Education, Inc. All rights reserved. 0-13-148952-6 1 Chapter 17 Exceptions and.

Liang, Introduction to Java Programming, Fifth Edition, (c) 2005 Pearson Education, Inc. All rights reserved Chapter 17 Exceptions and.
Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.

© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.
CSE 466 – Spring 2000 - Introduction - 1 5. Implement Safety – Safe Software Language Features Type and Range Safe Systems Exception Handling Re-use, Encapsulation.

CSE 466 – Spring Introduction Implement Safety – Safe Software Language Features Type and Range Safe Systems Exception Handling Re-use, Encapsulation.
CSE 466 – Fall 2000 - Introduction - 1 Safety  Examples  Terms and Concepts  Safety Architectures  Safe Design Process  Software Specific Stuff 

CSE 466 – Fall Introduction - 1 Safety  Examples  Terms and Concepts  Safety Architectures  Safe Design Process  Software Specific Stuff 
Introduction to Java Chapter 11 Error Handling. Motivations When a program runs into a runtime error, the program terminates abnormally. How can you handle.

Introduction to Java Chapter 11 Error Handling. Motivations When a program runs into a runtime error, the program terminates abnormally. How can you handle.
1 Exception and Event Handling (Based on:Concepts of Programming Languages, 8 th edition, by Robert W. Sebesta, 2007)

1 Exception and Event Handling (Based on:Concepts of Programming Languages, 8 th edition, by Robert W. Sebesta, 2007)
PRAGMATIC PARANOIA Steven Hadfield & Anthony Rice.

PRAGMATIC PARANOIA Steven Hadfield & Anthony Rice.
Testing. What is Testing? Definition: exercising a program under controlled conditions and verifying the results Purpose is to detect program defects.

Testing. What is Testing? Definition: exercising a program under controlled conditions and verifying the results Purpose is to detect program defects.
June 14, 2001Exception Handling in Java1 Richard S. Huntrods June 14, 2001 University of Calgary.

June 14, 2001Exception Handling in Java1 Richard S. Huntrods June 14, 2001 University of Calgary.

Similar presentations

Ads by Google