15 results for Safety Culture, Safety Leadership, Safety Critical Tasks
in University of Queensland eSpace - Australia
Abstract:
This paper describes the implementation of a TMR (Triple Modular Redundant) microprocessor system on an FPGA. The system exhibits true redundancy in that three instances of the same processor system (both software and hardware) are executed in parallel. The described system uses software to control external peripherals, and a voter is used to output correct results. An error indication is asserted whenever only two of the three outputs match or all three outputs disagree. The software has been implemented to conform to a particular safety-critical coding guideline/standard which is popular in industry. The system was verified by injecting various faults into it.
Abstract:
Users of safety-critical systems are expected to effectively control or monitor complex systems, with errors potentially leading to catastrophe. For such systems, safety is of paramount importance and must be designed into the human-machine interface. While many case studies show how inadequate design practice led to poor safety and usability, concrete guidance on good design practices is scarce. The paper argues that the pattern language paradigm, widely used in the software design community, is a suitable means of documenting appropriate design strategies. We discuss how typical usability-related properties (e.g., flexibility) need some adjustment to be used for assessing safety-critical systems, and document a pattern language based on corresponding "safety-usability" principles.
Abstract:
Processor emulators are a software tool for allowing legacy computer programs to be executed on a modern processor. In the past emulators have been used in trivial applications such as maintenance of video games. Now, however, processor emulation is being applied to safety-critical control systems, including military avionics. These applications demand utmost guarantees of correctness, but no verification techniques exist for proving that an emulated system preserves the original system’s functional and timing properties. Here we show how this can be done by combining concepts previously used for reasoning about real-time program compilation, coupled with an understanding of the new and old software architectures. In particular, we show how both the old and new systems can be given a common semantics, thus allowing their behaviours to be compared directly.
Abstract:
Real-time software systems are rarely developed once and left to run. They are subject to changes of requirements as the applications they support expand, and they commonly outlive the platforms they were designed to run on. A successful real-time system is duplicated and adapted to a variety of applications - it becomes a product line. Current methods for real-time software development are commonly based on low-level programming languages and involve considerable duplication of effort when a similar system is to be developed or the hardware platform changes. To provide more dependable, flexible and maintainable real-time systems at a lower cost what is needed is a platform-independent approach to real-time systems development. The development process is composed of two phases: a platform-independent phase, that defines the desired system behaviour and develops a platform-independent design and implementation, and a platform-dependent phase that maps the implementation onto the target platform. The last phase should be highly automated. For critical systems, assessing dependability is crucial. The partitioning into platform dependent and independent phases has to support verification of system properties through both phases.
Abstract:
Formal methods have significant benefits for developing safety critical systems, in that they allow for correctness proofs, model checking safety and liveness properties, deadlock checking, etc. However, formal methods do not scale very well and demand specialist skills, when developing real-world systems. For these reasons, development and analysis of large-scale safety critical systems will require effective integration of formal and informal methods. In this paper, we use such an integrative approach to automate Failure Modes and Effects Analysis (FMEA), a widely used system safety analysis technique, using a high-level graphical modelling notation (Behavior Trees) and model checking. We inject component failure modes into the Behavior Trees and translate the resulting Behavior Trees to SAL code. This enables us to model check if the system in the presence of these faults satisfies its safety properties, specified by temporal logic formulas. The benefit of this process is tool support that automates the tedious and error-prone aspects of FMEA.
Abstract:
Timing analysis of assembler code is essential to achieve the strongest possible guarantee of correctness for safety-critical, real-time software. Previous work has shown how timing constraints on control-flow paths through high-level language programs can be formalised using the semantics of the statements comprising the path. We extend these results to assembler-level code, where it becomes possible not only to determine timing constraints, but also to verify them against the known execution times for each instruction. A minimal formal model is developed with both a weakest liberal precondition and a strongest postcondition semantics. However, despite the formalism's simplicity, it is shown that complex timing behaviour associated with instruction pipelining and iterative code can be modelled accurately.
Abstract:
Data provided by 7380 middle managers from 60 nations are used to determine whether demographic variables are correlated with managers’ reliance on vertical sources of guidance in different nations and whether these correlations differ depending on national culture characteristics. Significant effects of Hofstede’s national culture scores, age, gender, organization ownership and department function are found. After these main effects have been discounted, significant although weak interactions are found, indicating that demographic effects are stronger in individualist, low power distance nations than elsewhere. Significant non-predicted interaction effects of uncertainty avoidance and masculinity-femininity are also obtained. The implications for theory and practice of the use of demographic attributes in understanding effective management procedures in various parts of the world are discussed.
Abstract:
This paper investigates the relationship between perceptions of organisational culture, organisational subculture, leadership style, and commitment. The impact of culture and leadership style on commitment has been previously noted, but there is a lack of detail regarding how different types of culture and leadership styles relate to commitment. The paper particularly addresses the notion of organisational subcultures and how the perception of those cultures relates to commitment, subculture being a neglected variable in the commitment literature. These issues were addressed in a survey of 258 nurses drawn from a range of hospital settings and wards within the Sydney metropolitan region. Results indicate that perceived organisational subculture has a strong relationship with commitment. Furthermore, the results identify the relative strength of specific types of leadership style and specific types of subculture with commitment. Both innovative and supportive subcultures have a clear positive relationship, while bureaucratic subcultures have a negative relationship. In terms of leadership style, a consideration style had a stronger relationship with commitment than a structuring style. Regression analysis was used to investigate the possible role of subculture as a mediator for the influence of leadership on commitment. Both direct and indirect effects of leadership on commitment were found. Implications for practice and for further research are discussed.
Abstract:
Although safety is recognized as a critical issue in functional capacity evaluations (FCEs), it has rarely been investigated. This paper reports on the findings of a study which examined safety aspects of a new approach to FCE. Fourteen rehabilitation clients with chronic back pain participated in the study. Aspects examined included the pre-FCE screening procedures, the monitoring of performance and safety during the FCE, and the end-of-FCE measures and follow-up procedures. Support was found for the screening procedures of the approach, particularly blood pressure measurement, and for the combined approach to monitoring of the person's performance from biomechanical, physiological and psychophysical perspectives. Issues for FCE safety in general are identified and discussed, including the importance of screening procedures to determine readiness for FCEs and the issue of load handling in FCEs, especially in relation to clients with chronic back pain.
Abstract:
Over the past years, the paradigm of component-based software engineering has been established in the construction of complex mission-critical systems. Due to this trend, there is a practical need for techniques that evaluate critical properties (such as safety, reliability, availability or performance) of these systems. In this paper, we review several high-level techniques for the evaluation of safety properties for component-based systems, and we propose a new evaluation model (State Event Fault Trees) that extends safety analysis towards a lower abstraction level. This model possesses a state-event semantics and strong encapsulation, which is especially useful for the evaluation of component-based software systems. Finally, we compare the techniques and give suggestions for their combined usage.