comp.lang.ada
From: Ken Garlington <garlingtonke@lmtas.lmco.com>
Subject: Re: Need help with PowerPC/Ada and realtime tasking
Date: 1996/05/31
Message-ID: <31AEC06C.1EB@lmtas.lmco.com>
In-Reply-To: 292872602wnr@diphi.demon.co.uk


JP Thornley wrote:

> If you demand a correct/safe implementation in code of a flight control
> system from requirements that are incorrect/unsafe then what steps
> would you take to achieve it?

Actually, there are some things that can be _attempted_ at the implementation
level, although your results may vary:

1. You can have the system stop processing when an unexpected event occurs,
such as an Ada exception or a hardware interrupt. This assumes that denial of
service is not a safety-critical event in itself, of course.

2. You can create a "kernel mode," representing a subset of the requirements
that are absolutely necessary for safe operation. Using some means, such as
an operator input, you can cause the system to stop processing all code not
in the "kernel" when a fault is detected. This approach works on the theory that the 
code in the "kernel" is used frequently, and so has a lot of test and operational
time. Conversely, the "non-kernel" code is used less frequently, and therefore
might have a potentially higher risk of a fault (either due to code
error or requirements error) than the "kernel." Clearly, the reversion to the
"kernel" must be done in an orderly fashion, with appropriate operator feedback.

3. You can use checkpoint/rollback techniques to try to overcome input errors
that were not adequately caught by the required input checking. I'm skeptical
of this approach in a dynamic environment, but there's a lot of literature
available on this type of technique.

Personally, I think it's better to use failure modes and effects analysis on
the requirements, and do FMET testing after development, than to depend on this
stuff. However, some of this might work in some areas.

-- 
LMTAS - "Our Brand Means Quality"
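The three approaches in the message above, combined into one small Ada control loop as an added example (this is not code from the original post, nor from any real flight control system). The `State` record, the names `Kernel_Mode_Demo`, `Kernel_Step`, `Non_Kernel_Step` and `Report`, and the simulated input fault at frame 3 are all assumptions made for illustration:

```ada
--  Added example, not from the original post.  Demonstrates the three
--  fault-handling ideas in the message: stop on an unexpected event in
--  the kernel (1), revert to a "kernel mode" when non-kernel code faults
--  (2), and checkpoint/rollback around the non-kernel code (3).
with Ada.Text_IO;
with Ada.Exceptions;

procedure Kernel_Mode_Demo is
   use Ada.Text_IO;
   use Ada.Exceptions;

   --  Hypothetical controller state (constructed for this example).
   --  Only Attitude_Cmd is needed by the "kernel"; Autopilot_Cmd belongs
   --  to the less frequently exercised non-kernel requirements.
   type State is record
      Attitude_Cmd  : Integer := 0;
      Autopilot_Cmd : Integer := 0;
   end record;

   Current     : State;
   Checkpoint  : State;            --  last known-good copy (approach 3)
   Kernel_Only : Boolean := False; --  True once reverted to the kernel (approach 2)

   Bad_Input : exception;

   --  Kernel code: small, run on every frame, and therefore well exercised.
   procedure Kernel_Step (S : in out State) is
   begin
      S.Attitude_Cmd := S.Attitude_Cmd + 1;
   end Kernel_Step;

   --  Non-kernel code.  Frame 3 simulates an input error that the required
   --  input checking failed to catch (a constructed fault, not real data).
   procedure Non_Kernel_Step (S : in out State; Frame : Positive) is
   begin
      if Frame = 3 then
         Raise_Exception (Bad_Input'Identity,
                          "autopilot input out of range (simulated)");
      end if;
      S.Autopilot_Cmd := S.Autopilot_Cmd + 10;
   end Non_Kernel_Step;

   --  Operator feedback: a real system would annunciate this; here it is
   --  one console line per frame.
   procedure Report (Frame : Positive) is
   begin
      Put ("Frame" & Integer'Image (Frame)
           & " attitude=" & Integer'Image (Current.Attitude_Cmd)
           & " autopilot=" & Integer'Image (Current.Autopilot_Cmd));
      if Kernel_Only then
         Put (" [kernel mode]");
      end if;
      New_Line;
   end Report;

begin
   for Frame in 1 .. 5 loop
      Kernel_Step (Current);

      if not Kernel_Only then
         Checkpoint := Current;            --  checkpoint before risky code
         begin
            Non_Kernel_Step (Current, Frame);
         exception
            when E : others =>
               --  Roll back to the checkpoint, then drop all non-kernel
               --  processing for the rest of the run and tell the operator.
               Put_Line ("Fault in non-kernel code: " & Exception_Message (E));
               Current     := Checkpoint;
               Kernel_Only := True;
               Put_Line ("Reverting to kernel mode; operator notified.");
         end;
      end if;

      Report (Frame);
   end loop;
exception
   when E : others =>
      --  Approach 1: a fault in the kernel itself has no fallback, so the
      --  loop stops rather than continuing from an unknown state.  This
      --  assumes that a halted controller is itself a safe state.
      Put_Line ("Unexpected event in kernel, halting: " & Exception_Message (E));
end Kernel_Mode_Demo;
```

Build with `gnatmake kernel_mode_demo.adb` and run it; frames 1 and 2 complete normally, frame 3 trips the simulated fault, rolls back and switches to kernel mode, and frames 4 and 5 run only the kernel step. Note that the checkpoint is taken after the kernel step of the same frame, so the rollback restores this frame's kernel output while discarding the non-kernel change. This illustrates the message's reservation about rollback in a dynamic environment: the checkpointed state is only as fresh as the last frame, and inputs that arrived since then are lost.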



