Presentation is loading. Please wait.

Presentation is loading. Please wait.

An advanced weapon and space systems company 1 23 rd ISSC/NWSSS Conference 23 rd ISSC/NWSSS Conference C. Forni, B. Blake – 08-23-2005 Remote Controlled.

Published byLeslie Johnston Modified over 11 years ago

Similar presentations

Presentation on theme: "An advanced weapon and space systems company 1 23 rd ISSC/NWSSS Conference 23 rd ISSC/NWSSS Conference C. Forni, B. Blake – 08-23-2005 Remote Controlled."— Presentation transcript:

1 An advanced weapon and space systems company 1 23 rd ISSC/NWSSS Conference 23 rd ISSC/NWSSS Conference C. Forni, B. Blake – 08-23-2005 Remote Controlled & Recoverable Munitions Safety Architecture Development

2 An advanced weapon and space systems company 2 Remote Controlled & Recoverable Munitions Architecture Design Drivers Off-On-Off operation drives the design Off-On-Off operation drives the design For munitions systems, reliably arming, then disarming is a new concept For munitions systems, reliably arming, then disarming is a new concept After a return to safe, it is necessary for the munitions to monitor and report the safety status to the remote controller After a return to safe, it is necessary for the munitions to monitor and report the safety status to the remote controller Off-On-Off System must support safe operation even when there has been a loss of control functionality. This is necessary whether or not that control is physically separate from the source of hazard Off-On-Off System must support safe operation even when there has been a loss of control functionality. This is necessary whether or not that control is physically separate from the source of hazard

3 An advanced weapon and space systems company 3 Remote Controlled & Recoverable Munitions Architecture Design Drivers (Continued) For remote controlled systems, safety cant be allocated to a single isolated component (fuze). Safety critical command and control functions are distributed throughout the system For remote controlled systems, safety cant be allocated to a single isolated component (fuze). Safety critical command and control functions are distributed throughout the system To address in an efficient and cost effective manner, safety must be involved throughout the concept and early development phase To address in an efficient and cost effective manner, safety must be involved throughout the concept and early development phase The following hazardous conditions must be addressed across the distributed control components: The following hazardous conditions must be addressed across the distributed control components: Inadvertent hazardous functions Inadvertent hazardous functions Unintentional hazardous functions Unintentional hazardous functions Failure to return to a non-hazardous state when commanded Failure to return to a non-hazardous state when commanded Erroneous safety data Erroneous safety data

4 An advanced weapon and space systems company 4 Safety activities needed during the Concept and Early Development Phases Safety activities needed during the Concept and Early Development Phases Criticality Assessment Criticality Assessment Hazards and Causal Factor Identification Hazards and Causal Factor Identification Mitigation Development Mitigation Development Safety activities performed iteratively during both system and subsystem development Safety activities performed iteratively during both system and subsystem development Safety activities instrumental in shaping both the architecture of the system and the final criticality of the subsystems Safety activities instrumental in shaping both the architecture of the system and the final criticality of the subsystems Remote Controlled & Recoverable Munitions Safety Activities and Development Process

5 An advanced weapon and space systems company 5 Remote Controlled & Recoverable Munitions Safety Activities within the Development Process

6 An advanced weapon and space systems company 6 Physical Components Physical Components Remote Control Device Remote Control Device Comm relay device (optional) Comm relay device (optional) Munitions Munitions Remote Controlled & Recoverable Munitions Physical vs Functional Components (Example System) Functional Components Functional Components Remote Control (RC) Subsystem Remote Control (RC) Subsystem Communications Subsystem Communications Subsystem Munitions Controller (MC) Subsystem Munitions Controller (MC) Subsystem

7 An advanced weapon and space systems company 7 Architecture Development Process steps Architecture Development Process steps Identify any desired system or functional level criticality Identify any desired system or functional level criticality Develop the system behavior model (state charts and transition rules) Develop the system behavior model (state charts and transition rules) Identify potential hazards and causal factors Identify potential hazards and causal factors Identity functions and determine their safety criticality Identity functions and determine their safety criticality Define / Refine safety architecture Define / Refine safety architecture Define mitigations for identified hazards and causal factors Define mitigations for identified hazards and causal factors Shape criticality by partitioning and/or mitigation application Shape criticality by partitioning and/or mitigation application Create requirements that implement the needed mitigations Create requirements that implement the needed mitigations Iterate Iterate Remote Controlled & Recoverable Munitions Architecture Development

8 An advanced weapon and space systems company 8 A Concept of Operation (CONOPS) forms the basis for modeling operation of the system A Concept of Operation (CONOPS) forms the basis for modeling operation of the system Defines the interactions between personnel and the system Defines the interactions between personnel and the system Provides the context and boundaries for possible hazards situations Provides the context and boundaries for possible hazards situations Safety involvement in behavior modeling is paramount to design safety into the system Safety involvement in behavior modeling is paramount to design safety into the system Each model variation must be examined, and sources of hazard and causal factors identified Each model variation must be examined, and sources of hazard and causal factors identified Must be of sufficient detail to define the major architectural features of the system Must be of sufficient detail to define the major architectural features of the system Possible mitigations are examined for adequacy Possible mitigations are examined for adequacy Each component and interface provides an additional source for hazards or their causal factors Each component and interface provides an additional source for hazards or their causal factors Modification of CONOPS and/or behavior models may provide a means for effective and efficient mitigations Modification of CONOPS and/or behavior models may provide a means for effective and efficient mitigations Remote Controlled & Recoverable Munitions Behavior Modeling

9 An advanced weapon and space systems company 9 Analysis of criticality serves two purposes Analysis of criticality serves two purposes Identifying safety critical functions Identifying safety critical functions Determining the level of analysis and testing to ensure the design is safe to use Determining the level of analysis and testing to ensure the design is safe to use Criticality analysis at the functional level gives insight into what is safety critical and why Criticality analysis at the functional level gives insight into what is safety critical and why Helps concentrate critical operations to minimize hazard sources Helps concentrate critical operations to minimize hazard sources Helps distribute mitigations so loss of a single mitigation merely degrades safety Helps distribute mitigations so loss of a single mitigation merely degrades safety Aids in examination of adequacy of possible mitigations Aids in examination of adequacy of possible mitigations Similar techniques allow shaping of functional criticality to meet specific design constraints Similar techniques allow shaping of functional criticality to meet specific design constraints To concentrate safety critical functionality into a single processor To concentrate safety critical functionality into a single processor To minimize interactions with non-safety critical components To minimize interactions with non-safety critical components partition functions to minimize analysis or test activity partition functions to minimize analysis or test activity Remote Controlled & Recoverable Munitions Criticality Analysis

10 An advanced weapon and space systems company 10 Remote Controlled & Recoverable Munitions Sources of Hazard and Causal Factors - Communications Subsystem Possible hazards related to application message faults Possible hazards related to application message faults Corrupted Message data elements during the transfer of a message could result in incorrect safety critical time values, incorrect safety status info, or other erroneous data items Corrupted Message data elements during the transfer of a message could result in incorrect safety critical time values, incorrect safety status info, or other erroneous data items Corruption of an application Message could also result in a message being incorrectly interpreted as a different message, resulting in unexpected behavior Corruption of an application Message could also result in a message being incorrectly interpreted as a different message, resulting in unexpected behavior Possible hazards related to delivery fault mechanisms Possible hazards related to delivery fault mechanisms Message might not be delivered Message might not be delivered Message could be delivered to an incorrect address Message could be delivered to an incorrect address If multiple message sources are possible, the source identity could be incorrect If multiple message sources are possible, the source identity could be incorrect The Delivery Mechanism could generate an erroneous message The Delivery Mechanism could generate an erroneous message The Delivery Mechanism could generate a corrupt non-application message The Delivery Mechanism could generate a corrupt non-application message Networking or Prioritization schemes could allow the delivery of messages to occur out of order Networking or Prioritization schemes could allow the delivery of messages to occur out of order

11 An advanced weapon and space systems company 11 Remote Controlled & Recoverable Munitions Sources of Hazard and Causal Factors - Remote Controller Erroneous command generation Erroneous command generation Corrupted message data elements during message generation result in incorrect safety critical values, authorizations, message interpretation, etc. Corrupted message data elements during message generation result in incorrect safety critical values, authorizations, message interpretation, etc. Unintended or erroneous generation of a valid application message (OS, Operator) Unintended or erroneous generation of a valid application message (OS, Operator) Erroneous transmission of a valid message (out of order, stale, etc) Erroneous transmission of a valid message (out of order, stale, etc) False Report of Safe to Operator False Report of Safe to Operator Display/Processor Hardware and firmware (including memory) Display/Processor Hardware and firmware (including memory) Operating System (could affect data, application execution, etc) Operating System (could affect data, application execution, etc) Application SW Application SW Received Data Received Data Operator Inputs Operator Inputs

12 An advanced weapon and space systems company 12 Remote Controlled & Recoverable Munitions Sources of Hazard and Causal Factors - Munitions Controller Unintended Detonation (arm and fire warhead) Unintended Detonation (arm and fire warhead) Hardware and firmware (including memory) Hardware and firmware (including memory) Application SW Application SW Received Data (including messages from Remote Controller, Comm subsystem) Received Data (including messages from Remote Controller, Comm subsystem) Operator actions or input Operator actions or input False Report of Safe to Operator False Report of Safe to Operator Incorrect safe indication on munition Incorrect safe indication on munition Hardware/Firmware Hardware/Firmware SW SW Incorrect safe indication reported to Remote Controller Incorrect safe indication reported to Remote Controller Hardware/Firmware (memory) Hardware/Firmware (memory) SW (bad message data, erroneously generated message) SW (bad message data, erroneously generated message)

13 An advanced weapon and space systems company 13 Designing to prevent single point failures from propagating hazards is not adequate Designing to prevent single point failures from propagating hazards is not adequate Utilize layered mitigation approach that places mitigation in at least two places in the system Utilize layered mitigation approach that places mitigation in at least two places in the system First at the hazard source (munition HW and SW that controls arm/disarm) First at the hazard source (munition HW and SW that controls arm/disarm) Second at source of casual factors (HW failure or SW errors) that had potential to propagate the hazard Second at source of casual factors (HW failure or SW errors) that had potential to propagate the hazard At least one mitigation should reside in a hardware element if possible At least one mitigation should reside in a hardware element if possible If no HW mitigation possible, additional mitigation is necessary to reduce the safety criticality of the software element providing the mitigation If no HW mitigation possible, additional mitigation is necessary to reduce the safety criticality of the software element providing the mitigation Layered mitigations developed for each identified hazard case in the PHA Layered mitigations developed for each identified hazard case in the PHA Remote Controlled & Recoverable Munitions Hazard Mitigation Approach

14 An advanced weapon and space systems company 14 Mitigations are necessary for the following issues Mitigations are necessary for the following issues The loss of the command channel must not directly result in a hazard The loss of the command channel must not directly result in a hazard Must address the case of unintended arming and firing Must address the case of unintended arming and firing Must address legal commands arriving at the wrong time Must address legal commands arriving at the wrong time Must ensure the munitions can be disarmed (< 1E-6 probability of remaining armed) Must ensure the munitions can be disarmed (< 1E-6 probability of remaining armed) Must ensure hazardous command activity was intended (mitigation may require operator confirmation) Must ensure hazardous command activity was intended (mitigation may require operator confirmation) Must ensure operator not given false safe indication Must ensure operator not given false safe indication Remote Controlled & Recoverable Munitions Example PHA Hazard Cases requiring Mitigation

15 An advanced weapon and space systems company 15 Communications subsystem designed as a Pipe Communications subsystem designed as a Pipe Virtual direct connect of RC and MCs Virtual direct connect of RC and MCs Corrupt application messages that result in incorrect data or an incorrect message are detectable Corrupt application messages that result in incorrect data or an incorrect message are detectable Application generated 32-bit CRC in message data (separate from packet CRC) Application generated 32-bit CRC in message data (separate from packet CRC) Message ID is duplicated within all Safety-Critical messages Message ID is duplicated within all Safety-Critical messages All safety critical data is duplicated with-in Safety-Critical messages All safety critical data is duplicated with-in Safety-Critical messages Erroneous messages received due to delivery mechanism faults are detectable (delivered to wrong address, out of order, etc) Erroneous messages received due to delivery mechanism faults are detectable (delivered to wrong address, out of order, etc) Header Information (source, destination, seq #) included in 32-bit CRC Header Information (source, destination, seq #) included in 32-bit CRC Sequence # can be used to detect out of order (stale) messages Sequence # can be used to detect out of order (stale) messages Commands resulting in hazardous actions are self terminating (Loss of communications wont cause hazard) Commands resulting in hazardous actions are self terminating (Loss of communications wont cause hazard) Remote Controlled & Recoverable Munitions Hazard Mitigation Approach – Communications Subsystem

16 An advanced weapon and space systems company 16 Erroneous invocation of the message generation function Erroneous invocation of the message generation function Messages generated at each invocation (not canned) Messages generated at each invocation (not canned) Keys used to verify message is valid for current state/operator/confirmation status (prevents erroneous invocation by a random entry) Keys used to verify message is valid for current state/operator/confirmation status (prevents erroneous invocation by a random entry) Operator must confirm intent to initiate hazardous operations (affects key value) Operator must confirm intent to initiate hazardous operations (affects key value) False display of safe by the RC False display of safe by the RC Duplicate safety-critical data elements Duplicate safety-critical data elements Broadcast Commands utilized for state control Broadcast Commands utilized for state control All displayed munition icons marked as in transition (hazardous) when command is sent. Only updated to valid status when positive confirmation received All displayed munition icons marked as in transition (hazardous) when command is sent. Only updated to valid status when positive confirmation received Munition Icons drawn (not canned) and are redrawn when data is received or periodically if no other activity is occurring (complete screen redraw) Munition Icons drawn (not canned) and are redrawn when data is received or periodically if no other activity is occurring (complete screen redraw) Multiple independent screen indications for safety status indication of MCs and field (shape, color, text) Multiple independent screen indications for safety status indication of MCs and field (shape, color, text) Remote Controlled & Recoverable Munitions Hazard Mitigation Approach – Remote Controller

17 An advanced weapon and space systems company 17 IM Explosives used in warhead, and LEEFI detonator IM Explosives used in warhead, and LEEFI detonator ESAD architecture (mp generated dynamic signal ) ESAD architecture (mp generated dynamic signal ) State machine-based processing allows hazardous action only where authorized State machine-based processing allows hazardous action only where authorized Hazardous operation all self terminating (if not command terminated earlier) Hazardous operation all self terminating (if not command terminated earlier) Monitors Safety Critical Signals for validity Monitors Safety Critical Signals for validity Controls both power and MC static switch control signals to the Fireset Controls both power and MC static switch control signals to the Fireset Hardware Safety Monitor designed to act as a safety cop Hardware Safety Monitor designed to act as a safety cop Acts as a watchdog for all Safety Critical timers in the microcontroller Acts as a watchdog for all Safety Critical timers in the microcontroller Validates state transitions performed by the microcontroller Validates state transitions performed by the microcontroller Still alive monitoring allows detection of failed microcontroller Still alive monitoring allows detection of failed microcontroller Controls SM static switch signals to the Fireset (both MC and SM needed to arm) Controls SM static switch signals to the Fireset (both MC and SM needed to arm) Either the microcontroller or Safety monitor can render the munition inoperative Either the microcontroller or Safety monitor can render the munition inoperative Independent monitor of Safety Critical signals. Independent monitor of Safety Critical signals. Remote Controlled & Recoverable Munitions Hazard Mitigation Approach – Munitions Controller

Download ppt "An advanced weapon and space systems company 1 23 rd ISSC/NWSSS Conference 23 rd ISSC/NWSSS Conference C. Forni, B. Blake – 08-23-2005 Remote Controlled."

Similar presentations

Computer Networks TCP/IP Protocol Suite.

Computer Networks TCP/IP Protocol Suite.
1 Evaluation of Commercial Off The Shelf (COTS) Operating System (OS) Malfunction Mitigation Methods C. Forni, ATK B. Blake, ATK R. Hall, Textron D. Magidson,

1 Evaluation of Commercial Off The Shelf (COTS) Operating System (OS) Malfunction Mitigation Methods C. Forni, ATK B. Blake, ATK R. Hall, Textron D. Magidson,
4-15-99 1 Steven F. Mattern Science and Engineering Associates, Inc. (505) 346-9839.

Steven F. Mattern Science and Engineering Associates, Inc. (505)
Making the System Operational

Making the System Operational
Chapter 1 Introduction Copyright © 2008. Operating Systems, by Dhananjay Dhamdhere Copyright © 20081.2 Introduction Abstract Views of an Operating System.

Chapter 1 Introduction Copyright © Operating Systems, by Dhananjay Dhamdhere Copyright © Introduction Abstract Views of an Operating System.
Communicating over the Network

Communicating over the Network
Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.

Construction process lasts until coding and testing is completed consists of design and implementation reasons for this phase –analysis model is not sufficiently.
Lecture 8: Testing, Verification and Validation

Lecture 8: Testing, Verification and Validation
Global Analysis and Distributed Systems Software Architecture Lecture # 5-6.

Global Analysis and Distributed Systems Software Architecture Lecture # 5-6.
Distributed Systems Major Design Issues Presented by: Christopher Hector CS8320 – Advanced Operating Systems Spring 2007 – Section 2.6 Presentation Dr.

Distributed Systems Major Design Issues Presented by: Christopher Hector CS8320 – Advanced Operating Systems Spring 2007 – Section 2.6 Presentation Dr.
1 1999/Ph 514: Channel Access Concepts EPICS Channel Access Concepts Bob Dalesio LANL.

1 1999/Ph 514: Channel Access Concepts EPICS Channel Access Concepts Bob Dalesio LANL.
Chapter 16: Recovery System

Chapter 16: Recovery System
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 2.
1 SpaceWire Update NASA GSFC November 25, 2002. 2 GSFC SpaceWire Status New Link core with split clock domains complete (Much faster) New Router core.

1 SpaceWire Update NASA GSFC November 25, GSFC SpaceWire Status New Link core with split clock domains complete (Much faster) New Router core.
OSI Model OSI MODEL.

OSI Model OSI MODEL.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
CS 795 – Spring 2010.  “Software Systems are increasingly Situated in dynamic, mission critical settings ◦ Operational profile is dynamic, and depends.

CS 795 – Spring  “Software Systems are increasingly Situated in dynamic, mission critical settings ◦ Operational profile is dynamic, and depends.
Fault Detection in a HW/SW CoDesign Environment Prepared by A. Gaye Soykök.

Fault Detection in a HW/SW CoDesign Environment Prepared by A. Gaye Soykök.
1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.

1 Fall 2005 Hardware Addressing and Frame Identification Qutaibah Malluhi CSE Department Qatar University.
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Similar presentations

Ads by Google