Safety-Critical Systems 6 Quality Management and Certification T 79.5303.
Safety-Critical Systems 6: Quality Management and Certification, T 79.5303
Quality Management
• Systematic actions to gain quality, which is essential in the life cycle of a safety system.
• Quality Assurance:
- concentrates on whether the manufacturing process and the work are performed correctly.
• Quality Control:
- ensures that the product is correct.
ISO 9000 Quality Management System
• The International Organisation for Standardisation (ISO) created the basis of the Quality Management System (QMS) as early as 1987.
• ISO 9001:1987 Model for quality assurance in design, development, production, installation and servicing.
• ISO 9002:1987 Model for quality assurance in production, installation and servicing.
• ISO 9003:1987 Model for quality assurance in final inspection and test – covered only the final inspection of the finished product.
ISO 9001
• ISO 9000:2000 combines the three standards 9001, 9002 and 9003 into one, now called 9001.
• Design and development procedures are required only if a company does in fact engage in the creation of new products.
• The new version aims to improve effectiveness via process performance metrics – numerical measurement of the effectiveness of tasks and activities.
ISO 9001
• A company or organization that has been independently audited and certified to be in conformance with ISO 9001 may publicly state that it is "ISO 9001 certified" or "ISO 9001 registered."
• Certification to an ISO 9000 standard does not guarantee the compliance (and therefore the quality) of end products and services; rather, it certifies that consistent business processes are being applied.
• For safety systems ISO 9001 is not enough; stricter systems are needed. These are described in norms that have to be followed for the system to be certified.
ISO 9001 System
• The requirements in ISO 9001 include:
- a set of procedures that cover all key processes in the business
- monitoring manufacturing processes to ensure that manufacturing is producing quality product
- keeping proper records
- checking outgoing product for defects, with appropriate corrective action where necessary
- regularly reviewing individual processes and the quality system itself for effectiveness.
Certification
• Process to indicate conformance with a standard – checked by an authorised body.
• National Safety Authority, Minister of Transportation
• International institutes and certified / notified bodies in the EU
• Follow given guidelines, such as DO-178B, IEC 61508 or CENELEC norms.
Example in avionic systems: DO-178B Certification
• DO-178B provides the aviation community with guidelines for developing software for airborne systems and equipment that complies with accepted airworthiness requirements.
• Five software levels (A through E); Level A is the most stringent.
DO-178B Certification
The number of objectives to be satisfied depends on the software level.
In the standard, "with independence" refers to a separation of responsibilities: the person(s) who verify an objective must not be the developers of the item in question.
In some cases, an automated tool may be considered equivalent to independence.
Safety-Critical Systems Summary
V - Lifecycle model
[V-lifecycle diagram. Left, descending branch: Requirements Analysis (Requirements Document) -> Systems Analysis & Design (Specification Document, Functional / Architectural Model) -> Software Design -> Software Implementation & Unit Test. Right, ascending branch: Module Integration & Test -> System Integration & Test -> System Acceptance. The Requirements Model and Test Scenarios link each left-hand stage to its right-hand test stage; a Knowledge Base runs alongside the whole V.]
** Configuration-controlled knowledge that increases in understanding until completion of the system:
• Requirements Documentation
• Requirements Traceability
• Model Data/Parameters
• Test Definition/Vectors
I - Requirements
• Requirements are the stakeholders' (customer's) demands – what they want the system to do.
• Not how!!! The how belongs to the specification.
• Safety requirements define what the system must do and must not do in order to ensure safety: both positive and negative functionality.
I - Requirement Engineering: Right Requirements
• Ways to refine requirements:
- complete – linking to hazards (possible dangerous events)
- correct – testing & modelling
- consistent – semi-formal/formal language
- unambiguous – text in real English
I - Semi-formal Requirements
Requirements should be unambiguous, complete, consistent and correct.
- Natural language leaves room for interpretation; a more accurate description is needed.
- Pure mathematical notation is not always suitable for communication with domain experts.
- Formalised methods are used to tackle requirements engineering (structured text, formalised English).
I - Hazard formalisation
[Diagram: from a hazardous state, an undesired event (accident occurrence, transition a) leads to the undesired state (damage), while the protection process (transition p) leads to a safe state.]
I – Multiple Hazards
[Diagram: conditions 1, 2 and 3 form situation/scenario A and condition 4 forms situation/scenario B; hazard occurrence 1 (HAZARD A) leads to hazardous state 1 and hazard occurrence 2 (HAZARD B) to hazardous state 2. From each hazardous state, an undesired event (accident occurrence, transition a) leads to the undesired state (damage 1 or damage 2), while the protection process (transition p) leads to a safe state.]
I - Hazard example
[Diagram. Top event: possible derailment on flexible track element. Intermediate event: train speed execution is incorrect. Other labels in the diagram: bogie or chassis failure; train/railway infrastructure information correct; correct speed set values; correct safeguarding.]
I - Hazard Analysis
• A hazard is a situation in which there is actual or potential danger to people or to the environment.
• Analytical techniques:
- Failure modes and effects analysis (FMEA)
- Failure modes, effects and criticality analysis (FMECA)
- Hazard and operability studies (HAZOP)
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
Fault Tree Analysis 1
The diagram shows a heater controller for a tank of toxic liquid. The computer controls the heater using a power switch on the basis of information obtained from a temperature sensor. The sensor is connected to the computer via an electronic interface that supplies a binary signal indicating when the liquid is up to its required temperature. The top event of the fault tree is the liquid being heated above its required temperature.
Fault tree symbols:
- Fault event not fully traced to its source
- Basic event, input
- Fault event resulting from other events
- OR connection
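As an added example (not part of the lecture slides), the heater-controller fault tree evaluated in code: the tree structure, the basic events and their failure probabilities are assumptions constructed for the illustration, and the block computes the top-event probability and the minimal cut sets, i.e. the smallest combinations of basic events that cause the top event.

```python
import math
from dataclasses import dataclass
from itertools import product
from typing import List, Union

@dataclass
class Basic:                # leaf: component failure with assumed probability per demand
    name: str
    p: float

@dataclass
class Gate:                 # fault event resulting from other events, joined by OR / AND
    name: str
    kind: str
    inputs: List["Node"]

Node = Union[Basic, Gate]

def probability(node: Node) -> float:
    """Top-event probability, treating basic events as independent."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":                            # all inputs must occur
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)       # OR: 1 - P(no input occurs)

def cut_sets(node: Node) -> List[frozenset]:
    """Minimal cut sets: smallest groups of basic events that together cause the top event."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for c in child for s in c]          # any input's cut set suffices
    else:
        sets = [frozenset().union(*combo) for combo in product(*child)]
    minimal = {s for s in sets if not any(o < s for o in sets)}   # drop supersets
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

# Constructed tree for the heater controller: structure and numbers are assumptions
# made for this illustration, not values from the lecture.
HEATER_TREE = Gate("liquid heated above required temperature", "OR", [
    Gate("computer fails to switch heater off", "OR", [
        Basic("temperature sensor reads low", 1e-3),
        Basic("interface signal stuck at 'below temperature'", 5e-4),
        Basic("controller software fault", 1e-4),
    ]),
    Gate("heater stays on despite 'off' command", "AND", [
        Basic("power switch stuck closed", 2e-4),
        Basic("hardware interlock fails", 1e-2),
    ]),
])

if __name__ == "__main__":
    print(f"P(top event) = {probability(HEATER_TREE):.3e}")
    for cs in cut_sets(HEATER_TREE):
        print("minimal cut set:", sorted(cs))
```

The single-event cut sets are the ones to attack first in the design; the AND gate shows how an independent hardware interlock turns a single point of failure into a two-event cut set.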
I - Risk Analysis
• Risk is a combination of the severity (class) and frequency (probability) of the hazardous event.
• Risk Analysis is the process of evaluating the probability of hazardous events.
• The value of life?? The value of a life is estimated at between 0.75M and 2M GBP. USA numbers are higher.
II - Designing for Safety 1
• Fault groups:
- requirement/specification errors
- random component failures
- systematic faults in design (software)
• Approaches to tackle the problems:
- the right system architecture (fault-tolerant)
- reliability engineering (component, system)
- quality management (design and production processes)
II - Designing for Safety 2
• Hierarchical design
- simple modules, encapsulated functionality
- separated safety kernel – safety-critical functions
• Maintainability
- preventive versus corrective maintenance
- scheduled maintenance routines for the whole lifecycle
- easy to find faults and repair – short MTTR (mean time to repair)
• Human error
- proper HMI
II Design - Fault Tolerance
• Fault-tolerant hardware
- achieved mainly by redundancy
• Redundancy
- adds cost, weight, power consumption, complexity
• Other means:
- improved maintenance, a single system with better materials (higher MTBF)
III - Safety-Critical Software 1
Correct Program:
- Normally iteration is needed to develop a working solution (writing code, testing and modification).
- In a non-critical environment code is accepted when the tests are passed.
- Testing is not enough for a safety-critical application – an assessment process is needed: dynamic/static testing, simulation, code analysis and formal verification.
III - Safety-Critical Software 2
Dependable Software:
- Process for development
- Work discipline
- Well documented
- Quality management
- Validated/verified
III - Safety-Critical Software 3
Designing Principles
- Use hardware interlocks before computer/software
- New software features add complexity; try to keep software simple
- Plan for avoiding human error – unambiguous human-computer interface
- Removal of hazardous modules (Ariane 5 unused code)
III - Safety-Critical Software 4
Designing Principles
- Add barriers: hardware/software locks for critical parts
- Minimise single points of failure: increase safety margins, exploit redundancy and allow recovery.
- Isolate failures: don't let things get worse.
- Fail-safe: panic shut-downs, watchdog code
- Avoid common-mode failures: use diversity – different programmers, n-version programming
III - Safety-Critical Software 5
Designing Principles:
- Fault tolerance: Recovery blocks – if one module fails, execute an alternative module.
- Don't rely on run-time systems
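An added example, not from the slides, of the recovery-block, barrier and fail-safe principles applied to the heater controller from the fault tree analysis slide: the primary module, the alternate module, the acceptance test, the setpoint and the sensor range are all assumptions constructed for the illustration. The acceptance test checks the negative safety requirement ("must not heat at or above the setpoint") rather than recomputing the control law, so it also catches the deliberate units bug planted in the primary module.

```python
import math
from typing import Callable, List, Tuple

SETPOINT_C = 60.0                 # constructed: required liquid temperature
HEATER_ON, HEATER_OFF = 1, 0
Module = Callable[[float], int]

def primary_control(temp_c: float) -> int:
    """Primary module. Deliberately carries a units bug for the demonstration: the
    setpoint is converted to Fahrenheit but the Celsius reading is not, so the
    heater is still commanded on well above the real setpoint."""
    setpoint = SETPOINT_C * 9 / 5 + 32
    return HEATER_ON if temp_c < setpoint else HEATER_OFF

def alternate_control(temp_c: float) -> int:
    """Simpler alternate: plain on/off control with a sensor plausibility check."""
    if not -20.0 <= temp_c <= 200.0:          # constructed physical range of the sensor
        raise ValueError("implausible sensor reading")
    return HEATER_ON if temp_c < SETPOINT_C else HEATER_OFF

def acceptance_test(temp_c: float, cmd: int) -> bool:
    """Checks the safety requirement rather than re-deriving the answer: the heater
    must never be commanded on at or above the setpoint, and only on a finite reading."""
    if not math.isfinite(temp_c) or cmd not in (HEATER_ON, HEATER_OFF):
        return False
    return not (temp_c >= SETPOINT_C and cmd == HEATER_ON)

def fail_safe(temp_c: float) -> int:
    """Fail-safe action when every module is rejected: power off the heater."""
    return HEATER_OFF

def recovery_block(temp_c, modules, test, fallback) -> Tuple[str, int]:
    """Run modules in order; the first whose result passes the acceptance test wins.
    A module that raises is treated as failed. If none passes, take the fail-safe path."""
    for name, module in modules:
        try:
            cmd = module(temp_c)
        except Exception:
            continue
        if test(temp_c, cmd):
            return name, cmd
    return "fail-safe", fallback(temp_c)

MODULES: List[Tuple[str, Module]] = [("primary", primary_control),
                                     ("alternate", alternate_control)]

def heater_command(temp_c: float) -> Tuple[str, int]:
    return recovery_block(temp_c, MODULES, acceptance_test, fail_safe)

if __name__ == "__main__":
    for reading in (20.0, 65.0, float("nan")):
        print(reading, "->", heater_command(reading))
```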
III - Safety-Critical Software 6
Reduction of Hazardous Conditions – summary
- Simplify: code contains only the minimum features and no unnecessary or undocumented features or unused executable code
- Diversity: data and control redundancy
- Multi-version programming: a shared specification leads to common-mode failures, but synchronisation code increases complexity
Verified software process
Testing
Testing is a process used to verify or validate a system or its components. Testing is performed during various stages of system development (see the V-lifecycle diagram).
- Module testing – evaluation of a small function of the hardware/software.
- System integration testing – investigates the correct interaction of modules.
- System validation testing – a complete system satisfies its requirements.
Home assignments
- 1.12 (primary, functional and indirect safety)
- 2.4 (unavailability)
- 5.10 (incompleteness within specification)
- 7.15 (reliability model)
- 9.17 (reuse of software)
- 11.2 Textual specification
- 11.18 Z-language
- 12.7 Dynamic testing
Please email your home assignments by 26 April 2007 to [email protected]: OFFIS, I-Logix, KnowGravity