Well-formed Dependency and Open-loop Safety. Based on Slides by Professor Lui Sha

Similar documents
Simplicity to Control Complexity. Based on Slides by Professor Lui Sha

Real-Time & Embedded Systems

Ranger Walking Initiation Stephanie Schneider 5/15/2012 Final Report for Cornell Ranger Research

PL estimation acc. to EN ISO

Safety Critical Systems

Section 1: Multiple Choice Explained EXAMPLE

Ch.5 Reliability System Modeling.

Understanding safety life cycles

IST-203 Online DCS Migration Tool. Product presentation

CT433 - Machine Safety

Implementing Emergency Stop Systems - Safety Considerations & Regulations A PRACTICAL GUIDE V1.0.0

Every things under control High-Integrity Pressure Protection System (HIPPS)

Solenoid Valves used in Safety Instrumented Systems

The Best Use of Lockout/Tagout and Control Reliable Circuits

Critical Systems Validation

EMERGENCY SHUT-DOWN RELIABILITY ADVANTAGE

Valve Communication Solutions. Safety instrumented systems

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Session: 14 SIL or PL? What is the difference?

Using what we have. Sherman Eagles SoftwareCPR.

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

SINGLES STRATEGIES AND TACTICS

Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions

Electrical Equipment Failures Cause & Liability. Prepared by: Robert Abend, PE on 11 August 2014

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Safety manual for Fisher GX Control Valve and Actuator

Stand-Alone Bubble Detection System

Introduction to Machine Safety Standards

Section 1: Multiple Choice

Neles trunnion mounted ball valve Series D Rev. 2. Safety Manual

PROCEDURE. April 20, TOP dated 11/1/88

Gas Network Craftsperson

SIDRA INTERSECTION 6.1 UPDATE HISTORY

Quality Management Determined from Risk Assessment

Workshop Information IAEA Workshop

The benefits of the extended diagnostics feature. Compact, well-proven, and flexible

The Relationship Between Automation Complexity and Operator Error

Why do I need dual channel safety? Pete Archer - Product Specialist June 2018

PHIL 121: Methods of Reasoning Fall 2016 Course Schedule

Implementing IEC Standards for Safety Instrumented Systems

Basics: KEYS TO COACHING LACROSSE. 1. Players at every level must play every day with both hands.

SPEAKING OUTLINE School Bus Drivers In-service LESSON: Safe Student Loading and Unloading Slide 1 I. Introduction school bus is the safest

E28/Q28 Safety Exhaust Valve Externally Monitored

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Industrial Compressor Controls Standard Custom

Failure Mode and Effect Analysis (FMEA) for a DMLC Tracking System

SEMEMI SQA Unit Code H2AP 04 Carrying out fault location on electrical equipment and circuits

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Line Following with RobotC Page 1

Hydraulic (Subsea) Shuttle Valves

Lecture 1 Temporal constraints: source and characterization

IMCA DP Station Keeping Bulletin 04/18 November 2018

Bespoke Hydraulic Manifold Assembly

Application Note. Safety Sub-function PUS Category 1, up to PL c. Application Note PUS, Category 1, up to PL c M20 S22 R20 M1 Q20

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Hemoglobin Reference Failure Troubleshooting

Computer Aided Drafting, Design and Manufacturing Volume 26, Number 2, June 2016, Page 53. The design of exoskeleton lower limbs rehabilitation robot

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Safe hydraulics for hydroforming presses. more finished product to be created from less raw material.

Iteration: while, for, do while, Reading Input with Sentinels and User-defined Functions

The Safety Case. Structure of Safety Cases Safety Argument Notation

Application Note. Safety Sub-functions SSC Category 1, up to PL c PUS Category 1, up to PL c. Application Note SSC, PUS, Category 1, up to PL c STOP

CASE STUDY. Compressed Air Control System. Industry. Application. Background. Challenge. Results. Automotive Assembly

ENSURING AN ACCURATE RESULT IN AN ANALYTICAL INSTRUMENTATION SYSTEM PART 1: UNDERSTANDING AND MEASURING TIME DELAY

Ninth - Twelfth Grade Foxtrot Dance Project

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Training Fees 3,400 US$ per participant for Public Training includes Materials/Handouts, tea/coffee breaks, refreshments & Buffet Lunch.

DeZURIK. KSV Knife Gate Valve. Safety Manual

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Safety-critical systems: Basic definitions

CS 341 Computer Architecture and Organization. Lecturer: Bob Wilson Cell Phone: or

Partial Stroke Testing. A.F.M. Prins

Safety Manual VEGAVIB series 60

High performance disc valves Series Type BA, BK, BW, BM, BN, BO, BE, BH Rev Safety Manual

Limb Perfusion Device

LITHGOW SWIMMING CLUB SQUAD PROGRESSION POLICY & COACHING GUIDELINES

Lab Report. Objectives:

Applications & Tools. Evaluation of the selection of a safetyrelated mode using non-safety-related components

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Fail Operational Controls for an Independent Metering Valve

Drain Splash Back Burns Operator

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

A quantitative software testing method for hardware and software integrated systems in safety critical applications

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Shearwater GF Computer

Leakage Current Testing Is it right for your application?

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

A4s Operation Manual

New Thinking in Control Reliability

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

The Key Variables Needed for PFDavg Calculation

Reliability of Safety-Critical Systems Chapter 10. Common-Cause Failures - part 1

C1960. Multi-recipe profile recorder/controller. Measurement made easy

INTRODUCTION TO PATTERN RECOGNITION

An Architectural Approach for Improving Availability in Web Services

Transcription:

Well-formed Dependency and Open-loop Safety Based on Slides by Professor Lui Sha

Reminders and Announcements Announcements: CS 424 is now on Piazza: piazza.com/illinois/fall2017/cs424/home We must form 4-person groups for robot-based MPs (each group gets one robot) If you already formed a group, please send me and Yiran Zhao (the TA) the names of your group partners (email to: zhao97@illinois.edu, with CC: zaher@illinois.edu). Please use the subject: CS424 GROUP (in upper case). All people who do not have a group by the end of next week will be assigned a group by us.

Recap Reliability for a giving mission duration t, R(t), is the probability of the system working as specified (i.e., probability of no failures) for a duration that is at least as long as t. The most commonly used reliability function is the exponential reliability function: R( t) = e λt where l is the failure rate.

Triple Modular Redundancy Which case is TMR? TMR has a lower reliability in the long term. How come?

Implications of the Postulates R(Effort, Complexity, t) = e-kc t/e Note: splitting the effort greatly reduces reliability. 5

Analytic Redundancy and Complexity Reduction Partial redundancy via simple backup that meets only safety-critical requirements

Example: A Sorting Exercise Sorting: Bubble sort: easy to write but slower, O(n 2 ) Quick sort: faster, O(n log(n)), but more complicated to write Joe remembers how to do bubble sort, but is not perfectly sure of quick sort (has a 50% chance of getting it right). Joe is asked to write a sorting routine: Correct and fast: A Correct but slow: B Incorrect: F Critical requirement: Must pass!

Solution Simplicity to control complexity

Solution Key property Use complex but efficient solution in the common case If the complex solution fails, catch the failure and switch to the simple (less efficient) but safe option

Simplex Architectural Pattern A simple verifiable core; diversity in the form of 2 alternatives; feedback control of the software execution. Simple high assurance control subsystem Switch Logic Plant Complex high performance control subsystem Data Flow Block Diagram Better performance, but less reliable 10

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 1 year

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 1 year Answer: a) r(t) = e -l t = e (1/10).1 = 0.9048

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 1 year Answer: a) r(t) = e -l t = e (1/10).1 = 0.9048 b) r(t) 3 + 3r(t) 2 (1 r(t)) = 0.9745

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 15 years

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 15 years Answer: a) r(t) = e -l t = e (1/10).15 = 0.2231

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component After 15 years Answer: a) r(t) = e -l t = e (1/10).15 = 0.2231 b) r(t) 3 + 3r(t) 2 (1 r(t)) = 0.1271

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component c) Using this component with a reduced complexity backup (C = 0.1) After 15 years

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component c) Using this component with a reduced complexity backup (C = 0.1) After 15 years Answer: c) r 1 (t) = e -l t = 0.2231, r b (t) = e 0.1l t = 0.8607

Example Component with mean time to failure = 10 years. Compare the reliability of: a) Using this component alone b) TMR using three versions of this component c) Using this component with a reduced complexity backup (C = 0.1) After 15 years Answer: c) r 1 (t) = e -l t = 0.2231, r b (t) = e 0.1l t = 0.8607 1 (1 r 1 (t))(1 r b (t)) = 0.8918

Example Component with mean time to failure = 10 years (at unit complexity and unit budget). Compare the reliability of: a) Using this component alone b) TMR using three versions of this component assuming same total budget After 1 year

Example Component with mean time to failure = 10 years (at unit complexity and unit budget). Compare the reliability of: a) Using this component alone b) TMR using three versions of this component assuming same total budget After 1 year Answer: a) r(t) = e -l t = e (1/10).1 = 0.9048

Example Component with mean time to failure = 10 years (at unit complexity and unit budget). Compare the reliability of: a) Using this component alone b) TMR using three versions of this component assuming same total budget After 1 year Answer: a) r(t) = e -l t = e (1/10).1 = 0.9048 b) r 2 (t) = e -3 l t = 0.7408 r 2 (t) 3 + 3r 2 (t) 2 (1 r 2 (t)) = 0.8333

Lessons Learned?

Lessons Learned More components/redundancy is not always better When budget is finite, more components means spreading thinner lower reliability Having a simple (i.e., low complexity) backup significantly improves reliability!

Well Formed Dependencies Informal intuition: A reliable component should not depend on a less reliable component (it defeats the purpose).

Well Formed Dependencies Informal intuition: A reliable component should not depend on a less reliable component (it defeats the purpose). Design guideline: Use but do not depend on less reliable components

Well Formed Dependencies Component A is said to depend on B, if the correctness of A s service depends on B s correctness. Component A is said to use the service of B, but not depend on it for its critical service S, if S can function correctly in spite of all B s faults. A system s dependency relations are said to be well-formed if and only if critical components may use but do not depend on the less critical components

Design Philosophy Build the system out of a reliable core and less reliable components Ensure that the reliable core is minimal (must be simple to reduce complexity see lessons learned from reliability examples ) The reliable core can use but do not depend on other components (i.e., failures elsewhere should not affect reliable core) The reliable core should ensure safety or recover from failures of other components

Sorting Revisited How does the reliable component depend on the less reliable component? How to fix it?

Sorting Revisited How does the reliable component depend on the less reliable component? How to fix it? Reliable component Less Reliable component

Sorting Revisited Ensuring Well-formed Dependencies Resource sharing faults Memory accessing fault: address space isolation Hogging the CPU: CPU cycle limit Timing fault: time out. Semantic fault Wrong order: Bubble sort Corrupt the input data item list: Export only a permutation function on a protected input list

Safe State In cyber-physical systems it important to keep the system from harm. The reliable core must ensure that the system remains in a safe state (keep the kid away from the freeway!!) even when other components fail Example: If your tire blows up, safely park the car on the shoulder of the road (safe state)

Discussion: Patient Controlled Analgesia When pain is severe in a post-surgery patient, the patient can push a button to get more pain medication (morphine: drug overdose will cause death). This is an example of a lethal device in the hands of an error-prone operator (the patient). How can we ensure safety of software controlled PCA?

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback