SlideShare uma empresa Scribd logo

Zen and the art of safety engineering

Eric Verhulst
Eric Verhulst

Generic presentation on safety engineering

Tecnologia
1 de 31
Baixar para ler offline
Altreonic NV www.altreonic.com Zen and the art of safety engineering From Deep Space to Deep Sea Push Button High Reliability
Content • Zen and quality • What is safety? • Analysis of the car pedal issue • State explosion and safety features • Safety for trains • Safety for mobility • Conclusion 07/04/2010 Altreonic NV 2
Zen and the art of motorcycle maintenance Book is about the “metaphysics of Quality” To remember: Quality is an emerging property of a system. It requires a holistic approach. It requires a deep understanding of the system, of how it works, how it is used and how it is to be maintained. Two main concepts of Quality: - Production focused (e.g. Deming) More recent: - Quality of design/development process 07/04/2010 Altreonic NV 3
What system? Any system is part of a larger system Stake Holders as a system System under Operator or development or Controlling under system consideration Environment as a System 07/04/2010 Altreonic NV 4
What system properties? Any system has to meet different, often conflicting properties: • Costprice • Energy use • Safety • Security • Size • Ease of use • Designed for “production” • Must be produced by company X • Designed to meet the requirements of the target market • Life-cycle cost • ….  Trade-offs  All properties are related  The best technical solution is not necessarily the one selected 07/04/2010 Altreonic NV 5
What is safety? • Historical: • Concept that is related to the loss of lives due to a malfunctioning of the system • Often post factum: what went wrong? • Hence safety engineering standards emphasize tracebility • The right view: • Safety is an emerging property of a quality engineering process • Reliability is a pre-condition • Safety can be improved by using feedback • The expanded view: Trustworthiness • Trustworthiness = • Safety: preventing damage or the loss of lives due to unintentional failures or malfunctioning parts • Security: preventing damage or the loss of lives due to maliciously injected failures of malfunctions • Useability: preventing damage or the loss of lives due to improper operator interfaces • Privacy: preventing loss of personal data. 07/04/2010 Altreonic NV 6
Why Formalisation? Base cost Cost of change Base cost Cost of change 300 300 Traditional Formalised Bottom-up Process Engineering Process 250 250 200 200 150 150 100 100 50 50 0 0 - Life cycle cost calculation - Formalised approach leads also to more cost-efficiency and controlled reuse - Cleaner architectures leads to smaller size (especially for software) => up to 10x! 07/04/2010 Altreonic NV 7
The biggest gain: the architecture • Complexity is the enemy • KISS: Keep It Simple but Smart • If a solution is complex, it means the problem is not well understood. • Simple solutions require a lot of thinking first. • This the technical notion of “elegance”: where engineering becomes an art. • Examples: • NASA 1 million dollar space pen vs. 1 euro russian pencil • Harrison’s (1693-1776) time-keepers allowing navigation on sea: • “It has to be “practical” => small and simple • Besides saving many lives, it made the British Empire possible. 07/04/2010 Altreonic NV 8
Why a unified and formalised approach is needed • Many stakeholders: • Political • Financial • Marketing • Engineering • Users • Many domains => many domain-specific languages • Requires unified semantics (“ontology”) • Even in the technical domain! • If no clear and common understanding is reached, there will be too many conflicting requirements, misunderstood requirements and hence the system will have hidden flaws. • Selecting the right system is the first step to develop it right. • This work has to be done up front. • This is also the cheapest phase for correcting mistakes • The further in the process, the more expensive • Risk of stopped projects • Risk of run-way costs 07/04/2010 Altreonic NV 9
How is safety reached? 1. Follow a formalised (safety) engineering process • Based on safety standard (often domain specific) • Organisation must be set up for it: mindset issue! • A good flow is iterative • Step1: • Requirements capturing • Many stakeholders, nice-to-haves, must haves • Normal case, Fault cases, Test cases • Step2: • Select requirements and write up specifications • Step3: • Model: (virtual) prototypes, simulations, formal models of critical properties, implementation models • Step4: • Verify the process • Test against specifications • Integrate and validate against requirements 2. Release 3. Certify 07/04/2010 Altreonic NV 10
Unified Systems/Software engineering MODEL(S)21 METHODOLOGY11 REQUIREMENT21 SPECIFICATIONS21 Test harness Architectural Architectural Simulation Simulation CheckPoints11 Normal case Formal Formal Functional Standards Statements Test case Implementation Implementation Non-Functional Guidelines Failure case Questions Hints Entity11 Design Views21 Answers Method11 Org Specific Domain Specific Misc SubSystem Procedure Interaction Tool Function WorkPackage11 Role Interface Modeling Process Views21 DEVLPMNT TASK11 Issues11 Install Result41 Validation TASK21 Result61 PreConditions31 Write-Up PreConditions51 USE CASES ChangeRequest21 Spec Approved WP completed RELEASE1 PreConditions41 Verification TASK11 PreConditions61 Result51 Test TASK11 Valid Approv User Test Approv Work Approved Spec Approved Result71 Applications Dev Task Approv Verif Task Approv OpenCookbook Systems Grammar 10.11.2009 Meta-models Unifying Repository Unified Semantics Unified architectural paradigm: Interacting Entities 07/04/2010 Altreonic NV 11
Is safety absolute? 1. Safety can never be absolute: • Always residual errors • Always residual risks • Design is always trade-off. 2. Safety is a statistical property: • Mean Time To Failure is what matters for malfuntions • => mean time to safety hazards • If MTTF >> life time, only external factors remain: • Operator • Environment 3. Safety level must be selected on the basis of acceptable risks • Has a cost tag (insurance) attached to it • Safety Integrity Level 3 (SIL3) • Fail-safe mode, but still safety hazard • Safety Integrity Level 4 (SIL4) • Fault tolerant, but still residual risks • Common mode failures • Common design mistakes  A safety hazard can still happen ANY time!  Most people are optimistic and then become negligent 07/04/2010 Altreonic NV 12
Concrete case 1: Pedal issues • Hybrid (=complex) vehicle with drive-by-wire throttle, brake, automatic gears • Drivers claim unintended and uncontrollable acceleration • Drivers claim that hitting the brakes doesn’t help • Drivers find that braking can be lacking • Many car manufacturers have similar issues • But reproducing the hazard situation is (often) impossible • Earlier Toyota Prius never had serious problems • What is going on? • Mass hysteria? Toyota bashing to help GM? • Some high publicity cases were proven to be a hoax • Drive-by-wire issues? Likely some • 1) Floor-mat wrong placement (Lexus) => mechanical issue 2) Accelator pedal (Made in USA) mechanical issue (BIG recall #1) 3) Prius ABS setting issue (recall #2) => recognised design issue 4) Severe Cruise control issues (discussion is ongoing) • More info at: http://www.toyota.com/recall/ 07/04/2010 Altreonic NV 13
Concrete case 1: Pedal issues • Gas pedal issues: • Not reported with older Prius models (> 10 years!) • Cannot be reproduced • Pedal was accepted as specified by Toyota • Claimed cause ranges from: • Floor mat • Dirty and wet environment • Interference with cruise control • Interference with stability control • Software issue • Hardware (electronic) issue • EMI: external EM disturbance => logic lock-up • Mechanical: spring gets stuck • Mechanical: plastic used absorbs water • Driver doesn’t know what to do • => many opinions are mainly guesses, not based on facts. • => nevertheless, there is clearly room for improvement • => these are issues for ALL car manufacturers 07/04/2010 Altreonic NV 14
What can automotive learn from it? • Types of errors • Permanent: when things break • Intermittent: e.g. bad contact or external disturbance (e.g. RF, power) • Design errors: not all use- and fault-cases have been considered • IS SIL3 (fail safe) acceptable for gas and brake systems? • => NO! We need SIL4 (fault tolerance) • Conclusions: • Black box will be needed in cars • A simple flash card would already help a lot • But is the car designed for it? (architecture) => no • Drive-by-wire SIL4 needed: • SIL3 assumes the fault can be detected • SIL3 (e.g. high idle) is not always fail-safe (e.g. highway@200 Km/hr) • But are all possible faults detected? • => triplication and voting architectures • => heterogeneous sensors • => n-version programming • Is the car designed for it? (architecture) => partially • What is the impact on the reliability? 07/04/2010 Altreonic NV 15
What can automotive learn from it? • Safety must really become TRUSTWORHTY • Safety: system operates as specified, allways • Common mode failures mitigation by triplication • Security: integrity of system is assured • Freedom of external disturbances • Useability: • The driver is part of the system • How can we keep the system simple while increasing ROI (more fonctionality, more active safety features, less fuel consumption, …) • Publication of all safety issues can help the whole industry: • Cfr. Safety culture in aviation industry • Car must become smart enough to deal with emergency situations rather than driver, who cannot be expected to act like a test pilot. 07/04/2010 Altreonic NV 16
A simple set-up • Two pedals: • One for throttle, using one sensor • One for brake, using one sensor 4 states Brake pressed Brake not presses Gas pressed 11 => brake => ? 10 => accelerate Gas not pressed 01 => brake 00 => brake or idle? • Cases 01 and 10 are clearly provided: • The sensors work properly => see next slide • The driver had the intention • Problem cases are 01 and 10 • Priority brake > priority gas => brake when in doubt • What is the intention of the driver? 07/04/2010 Altreonic NV 17
When can we trust the sensors? • One sensor (low cost cars): • If no fault => output reflects intention of driver • If fault => 3 cases: random output, stuck at 1, stuck at 0 • Two sensors (more expensive cars): • If different output => one of them is faulty • Maximum SIL is SIL3 (switch to fail safe mode, e.g. brake or engine at high idle) • Deadly at high speed • Three sensors with triplication, voting, heterogenous => SIL4 possible • Still very small risk of common mode failure • But it is a bit more complicated. Fault can be down the chain! Wire Multiple links between sensor and ECU, each one can fail. 07/04/2010 Altreonic NV 18
When can we trust safety features? 16 states B=1 B=1 B=0 B=0 S=OK S=Not OK S=OK S=Not OK G=1 1111 1011 0111 0011 S=OK G=1 1110 1010 0110 0010 S=Not OK G=0 1101 1001 0101 0001 S=OK G=0 1100 1000 0100 0000 S=Not OK Wire Multiple links between sensor and ECU, each can fail. 07/04/2010 Altreonic NV 19
Was the pedal stuck or did the driver push full force? • => Sensor on pedal to detect presence of foot • But: state space now becomes 32 • If we take into account that sensor can fail as well: 64 • Introduces new limit case: • Driver puts foot but puts no pressure on pedal • Issues: • Sensor should sense intention of operator • Operator should sense result of actions: • Force feedback => more complexity • What about the spring? Wire 07/04/2010 Altreonic NV 20
First conclusions for safety - When there is a risk (“hazard”) possible: - Best is to isolate the functionality from the rest - Else state space explodes even more - Assume that everything can malfunction of give a wrong output - Malfuntion causes can be in three domains: - System itself - Operator - Environment - Safety measures can make it worse: - => simple and clean architectures are best - Let the system keep a history log 07/04/2010 Altreonic NV 21
The impact of electronics and software - Why electronics and software? - Programmable => easy to change => also risk - Cheap, small - Allow more sophisticated functionality - Modern planes can’t fly anymore without - Also key for lower energy and cleaner operation - BUT: - Mechanical predecessors fail gracefully - Systems in the continuous domain - Electronic and software are clocked - Fail within one clock cycle (typically 20 nanoseconds) - State space is huge (100 millions of states) because of data dependencies (1 integer = 2**32 states) 07/04/2010 Altreonic NV 22
The impact of complexity - More functionality: - => complexity increases - => state space explodes exponentially - More dynamic behaviour means more complexity: - Feedback loops needed to guarantee stability - Creates however difficult to find transition states - Clearly an issue with Toyota Prius: older models have no issues, latest issues seem to be related to interplay of more advanced features like dual engine, ABS + ESP, regenerative braking, rough road, etc. - Is an issue for all cars! - Might require use of active suspension to sense state of wheel vs. road - But, where does the complexity come from? - Reusing old Harrison 1 type architectures ? - Layering of complexity? - Conclusion: tackle complexity (and get safety) by cleaner architecture - Validate design and verify using formal approaches 07/04/2010 Altreonic NV 23
Some remarks on train safety - Train transport has a high safety track record - But still lower than (cheaper) airplane, why? - Inherent safety features: - Single track, few crossings - “Heavy metal” (2 ton/passenger!) - Proven by long use (< 100 years with little changes) - Issues: - Increasing competition for speed - Heavy mass => long braking distance - Heavy investments => long lifetime, old technology 07/04/2010 Altreonic NV 24
Static vs. dynamic safety - Current safety design is often based on rigorous static analysis and static implementation - Benefits: can be formally analysed - Drawbacks: can fail catastrophically - Real systems are more and more dynamic and are becoming difficult to analyse up-front - Real systems can often tolerate a few intermittent or aperiodic misses (e.g. ABS system) - => dynamic resource scheduling based on QoS - Fault tolerance is a limit case - Requires feedback control systems 07/04/2010 Altreonic NV 25
Use case 1: Mobility aids Future of transport is consumer-friendly • Elderly customer base ( mobility aid) • Seamlessly Indoors ↔ Outdoors (other uses) • Active safety (e.g. obstacle avoidance) • Optimal use of road network Intelligent Transport Systems , using cooperative Embedded Systems • 100% trust-worthy • Fault Tolerance • Heterogeneous network support • Scalability • Cost-Efficiency 07/04/2010 Altreonic NV 26
E-wheel control algorithm Key characteristics : High Reliability (SIL3) → Fault Tolerance (SIL4) All-in: • Traction • Braking • Anti-slip • Stability control • Active suspension  Distribute control => safety enabled SIL4 architecture Software and Hardware redundancy enables fault-tolerant controllers 1-, 2-, 3-, 4-, n-wheel platforms 07/04/2010 Altreonic NV 27
Altreonic SIL 3/4 Controller project •Key characteristics : • High Reliability (SIL3) → Fault Tolerance (SIL4) • Target market : • Robotics, Automotive, Transport, Aerospace, Machine Control. • Technological competencies/partners sought: • Input from Use cases / Application scenarios • Control systems design competence • System Simulation Altreonic Inside 07/04/2010 Altreonic NV 28
Can trains become driver less? • If train driver can run through a red light, why use drivers? • Examples: • Metro Ligne1 Paris • Reused in many other cities • Works clearly on isolated lines • Use of formal methods is a must • Remote supervision using camera’s • But can it work on rail networks with crossings? • Are the benefits large enough or marginal? • Can it be made flexible enough? • But clearly SIL4 will be required • SIL3 is fail-safe mode until repair • Network might need simplification 07/04/2010 Altreonic NV 29
Can cars become driver less? • Can traffic flow improve through automatisation? • Or should we remove the bottlenecks first? • Examples: • Driverless busses exist • Big difference with trains: • much more decentralised, individual transport mode • Will require adaption to: • Cars: multi-sensor fusion, comm links • Infrastructure: road beacons, comm links • Traffic separation: cars vs busses vs trucks • Can only work is standardisation is applied • Driver remains in seat: he is the fail-safe mode • Global view is transport and communication: • Do we still need trains or cars that connect and act like trains? 07/04/2010 Altreonic NV 30
Thank You for your attention “If it doesn't work, it must be art. If it does, it was real engineering” 07/04/2010 Altreonic NV 31

Recomendados

Jonathan bromley doulos
Jonathan bromley doulosJonathan bromley doulos
Jonathan bromley doulosObsidian Software
 
BCO Inc
BCO IncBCO Inc
BCO IncDGravina
 
Chapter 1 ASE Slides ppt
Chapter 1 ASE Slides pptChapter 1 ASE Slides ppt
Chapter 1 ASE Slides pptMr SMAK
 
miniAVIT Brochure
miniAVIT BrochureminiAVIT Brochure
miniAVIT Brochurejohnuzz
 
Tbp communication phase 2 - aug 19
Tbp communication phase 2 - aug 19Tbp communication phase 2 - aug 19
Tbp communication phase 2 - aug 19pgb_tbp
 
Arena product presentation
Arena product presentationArena product presentation
Arena product presentationjhjsmits
 
Barrick simulation with mimic presentation
Barrick simulation with mimic presentationBarrick simulation with mimic presentation
Barrick simulation with mimic presentationMYNAH Technologies
 
Stop the Line practice in SW development
Stop the Line practice in SW developmentStop the Line practice in SW development
Stop the Line practice in SW developmentGabor Gunyho
 

Recomendados

Jonathan bromley doulos
Jonathan bromley doulosJonathan bromley doulos
Jonathan bromley doulosObsidian Software
 
BCO Inc
BCO IncBCO Inc
BCO IncDGravina
 
Chapter 1 ASE Slides ppt
Chapter 1 ASE Slides pptChapter 1 ASE Slides ppt
Chapter 1 ASE Slides pptMr SMAK
 
miniAVIT Brochure
miniAVIT BrochureminiAVIT Brochure
miniAVIT Brochurejohnuzz
 
Tbp communication phase 2 - aug 19
Tbp communication phase 2 - aug 19Tbp communication phase 2 - aug 19
Tbp communication phase 2 - aug 19pgb_tbp
 
Arena product presentation
Arena product presentationArena product presentation
Arena product presentationjhjsmits
 
Barrick simulation with mimic presentation
Barrick simulation with mimic presentationBarrick simulation with mimic presentation
Barrick simulation with mimic presentationMYNAH Technologies
 
Stop the Line practice in SW development
Stop the Line practice in SW developmentStop the Line practice in SW development
Stop the Line practice in SW developmentGabor Gunyho
 
Introduction to Software Testing
Introduction to Software TestingIntroduction to Software Testing
Introduction to Software TestingHenry Muccini
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Verhaert Masters in Innovation
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standardsPrince Bhanwra
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standardsPrince Bhanwra
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
1 introduction
1 introduction1 introduction
1 introductionAyesha Bhatti
 
1 introduction (1)
1 introduction (1)1 introduction (1)
1 introduction (1)Ayesha Bhatti
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsDominik Dary
 
Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“Ernesto Kiszkurno
 
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practicesStop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practicesAgile Spain
 
Ch1
Ch1Ch1
Ch1Rifai Kariapper
 
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Preeya Selvarajah
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsMichael Palotas
 
Sibelco technical-brochure
Sibelco technical-brochureSibelco technical-brochure
Sibelco technical-brochureSibelco Ceramics
 
Feasible
FeasibleFeasible
Feasibleanasamirah
 
Concurrent systems composing
Concurrent systems composingConcurrent systems composing
Concurrent systems composingEric Verhulst
 
Standards/IP Business Services
Standards/IP Business ServicesStandards/IP Business Services
Standards/IP Business ServicesMatthew Doty
 
SCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome ThemSCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome ThemCompuware
 
Etcel Brochure 062009
Etcel Brochure 062009Etcel Brochure 062009
Etcel Brochure 062009sibleyd
 
Software Architecture: Test Case Writing
Software Architecture: Test Case WritingSoftware Architecture: Test Case Writing
Software Architecture: Test Case WritingSitdhibong Laokok
 
Session 1 introduction concurrent programming
Session 1 introduction concurrent programmingSession 1 introduction concurrent programming
Session 1 introduction concurrent programmingEric Verhulst
 
Unified Systems Engineering feasibility
Unified Systems Engineering feasibilityUnified Systems Engineering feasibility
Unified Systems Engineering feasibilityEric Verhulst
 

Mais conteúdo relacionado

Semelhante a Zen and the art of safety engineering

Introduction to Software Testing
Introduction to Software TestingIntroduction to Software Testing
Introduction to Software TestingHenry Muccini
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Verhaert Masters in Innovation
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standardsPrince Bhanwra
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standardsPrince Bhanwra
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsDominik Dary
 
Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“Ernesto Kiszkurno
 
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practicesStop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practicesAgile Spain
 
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Preeya Selvarajah
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsMichael Palotas
 
Sibelco technical-brochure
Sibelco technical-brochureSibelco technical-brochure
Sibelco technical-brochureSibelco Ceramics
 
Concurrent systems composing
Concurrent systems composingConcurrent systems composing
Concurrent systems composingEric Verhulst
 
Standards/IP Business Services
Standards/IP Business ServicesStandards/IP Business Services
Standards/IP Business ServicesMatthew Doty
 
SCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome ThemSCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome ThemCompuware
 
Etcel Brochure 062009
Etcel Brochure 062009Etcel Brochure 062009
Etcel Brochure 062009sibleyd
 
Software Architecture: Test Case Writing
Software Architecture: Test Case WritingSoftware Architecture: Test Case Writing
Software Architecture: Test Case WritingSitdhibong Laokok
 

Semelhante a Zen and the art of safety engineering (20)

Introduction to Software Testing
Introduction to Software TestingIntroduction to Software Testing
Introduction to Software Testing
 
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
Innovation day 2013 2.5 joris vanderschrick (verhaert) - embedded system de...
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standards
 
Soft quality & standards
Soft quality & standardsSoft quality & standards
Soft quality & standards
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
1 introduction
1 introduction1 introduction
1 introduction
 
1 introduction (1)
1 introduction (1)1 introduction (1)
1 introduction (1)
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile Projects
 
Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“Testing in the Oil &amp; Gas Market“
Testing in the Oil &amp; Gas Market“
 
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practicesStop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practices
 
Ch1
Ch1Ch1
Ch1
 
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
 
Implementing Test Automation in Agile Projects
Implementing Test Automation in Agile ProjectsImplementing Test Automation in Agile Projects
Implementing Test Automation in Agile Projects
 
Sibelco technical-brochure
Sibelco technical-brochureSibelco technical-brochure
Sibelco technical-brochure
 
Feasible
FeasibleFeasible
Feasible
 
Concurrent systems composing
Concurrent systems composingConcurrent systems composing
Concurrent systems composing
 
Standards/IP Business Services
Standards/IP Business ServicesStandards/IP Business Services
Standards/IP Business Services
 
SCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome ThemSCM Transformation Challenges and How to Overcome Them
SCM Transformation Challenges and How to Overcome Them
 
Etcel Brochure 062009
Etcel Brochure 062009Etcel Brochure 062009
Etcel Brochure 062009
 
Software Architecture: Test Case Writing
Software Architecture: Test Case WritingSoftware Architecture: Test Case Writing
Software Architecture: Test Case Writing
 

Mais de Eric Verhulst

Session 1 introduction concurrent programming
Session 1 introduction concurrent programmingSession 1 introduction concurrent programming
Session 1 introduction concurrent programmingEric Verhulst
 
Unified Systems Engineering feasibility
Unified Systems Engineering feasibilityUnified Systems Engineering feasibility
Unified Systems Engineering feasibilityEric Verhulst
 
OpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentationOpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentationEric Verhulst
 
Open ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentationOpen ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentationEric Verhulst
 
OpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentationOpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentationEric Verhulst
 
MARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 AltreonicMARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 AltreonicEric Verhulst
 
Unified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorksUnified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorksEric Verhulst
 
Open comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systemsOpen comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systemsEric Verhulst
 

Mais de Eric Verhulst (8)

Session 1 introduction concurrent programming
Session 1 introduction concurrent programmingSession 1 introduction concurrent programming
Session 1 introduction concurrent programming
 
Unified Systems Engineering feasibility
Unified Systems Engineering feasibilityUnified Systems Engineering feasibility
Unified Systems Engineering feasibility
 
OpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentationOpenComRTOS 1.4_tutorial_3o4_presentation
OpenComRTOS 1.4_tutorial_3o4_presentation
 
Open ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentationOpen ComRTOS 1.4_tutorial_2o4_presentation
Open ComRTOS 1.4_tutorial_2o4_presentation
 
OpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentationOpenComRtos 1.4_tutorial_1o4_presentation
OpenComRtos 1.4_tutorial_1o4_presentation
 
MARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 AltreonicMARC ONERA Toulouse2012 Altreonic
MARC ONERA Toulouse2012 Altreonic
 
Unified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorksUnified Systems Engeneering with GoedelWorks
Unified Systems Engeneering with GoedelWorks
 
Open comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systemsOpen comrtos formally_developed _rtos_for_heterogeneous_systems
Open comrtos formally_developed _rtos_for_heterogeneous_systems
 

Último

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Zen and the art of safety engineering

  • 1. Altreonic NV www.altreonic.com Zen and the art of safety engineering From Deep Space to Deep Sea Push Button High Reliability
  • 2. Content • Zen and quality • What is safety? • Analysis of the car pedal issue • State explosion and safety features • Safety for trains • Safety for mobility • Conclusion 07/04/2010 Altreonic NV 2
  • 3. Zen and the art of motorcycle maintenance Book is about the “metaphysics of Quality” To remember: Quality is an emerging property of a system. It requires a holistic approach. It requires a deep understanding of the system, of how it works, how it is used and how it is to be maintained. Two main concepts of Quality: - Production focused (e.g. Deming) More recent: - Quality of design/development process 07/04/2010 Altreonic NV 3
  • 4. What system? Any system is part of a larger system Stake Holders as a system System under Operator or development or Controlling under system consideration Environment as a System 07/04/2010 Altreonic NV 4
  • 5. What system properties? Any system has to meet different, often conflicting properties: • Costprice • Energy use • Safety • Security • Size • Ease of use • Designed for “production” • Must be produced by company X • Designed to meet the requirements of the target market • Life-cycle cost • ….  Trade-offs  All properties are related  The best technical solution is not necessarily the one selected 07/04/2010 Altreonic NV 5
  • 6. What is safety? • Historical: • Concept that is related to the loss of lives due to a malfunctioning of the system • Often post factum: what went wrong? • Hence safety engineering standards emphasize tracebility • The right view: • Safety is an emerging property of a quality engineering process • Reliability is a pre-condition • Safety can be improved by using feedback • The expanded view: Trustworthiness • Trustworthiness = • Safety: preventing damage or the loss of lives due to unintentional failures or malfunctioning parts • Security: preventing damage or the loss of lives due to maliciously injected failures of malfunctions • Useability: preventing damage or the loss of lives due to improper operator interfaces • Privacy: preventing loss of personal data. 07/04/2010 Altreonic NV 6
  • 7. Why Formalisation? Base cost Cost of change Base cost Cost of change 300 300 Traditional Formalised Bottom-up Process Engineering Process 250 250 200 200 150 150 100 100 50 50 0 0 - Life cycle cost calculation - Formalised approach leads also to more cost-efficiency and controlled reuse - Cleaner architectures leads to smaller size (especially for software) => up to 10x! 07/04/2010 Altreonic NV 7
  • 8. The biggest gain: the architecture • Complexity is the enemy • KISS: Keep It Simple but Smart • If a solution is complex, it means the problem is not well understood. • Simple solutions require a lot of thinking first. • This the technical notion of “elegance”: where engineering becomes an art. • Examples: • NASA 1 million dollar space pen vs. 1 euro russian pencil • Harrison’s (1693-1776) time-keepers allowing navigation on sea: • “It has to be “practical” => small and simple • Besides saving many lives, it made the British Empire possible. 07/04/2010 Altreonic NV 8
  • 9. Why a unified and formalised approach is needed • Many stakeholders: • Political • Financial • Marketing • Engineering • Users • Many domains => many domain-specific languages • Requires unified semantics (“ontology”) • Even in the technical domain! • If no clear and common understanding is reached, there will be too many conflicting requirements, misunderstood requirements and hence the system will have hidden flaws. • Selecting the right system is the first step to develop it right. • This work has to be done up front. • This is also the cheapest phase for correcting mistakes • The further in the process, the more expensive • Risk of stopped projects • Risk of run-way costs 07/04/2010 Altreonic NV 9
  • 10. How is safety reached? 1. Follow a formalised (safety) engineering process • Based on safety standard (often domain specific) • Organisation must be set up for it: mindset issue! • A good flow is iterative • Step1: • Requirements capturing • Many stakeholders, nice-to-haves, must haves • Normal case, Fault cases, Test cases • Step2: • Select requirements and write up specifications • Step3: • Model: (virtual) prototypes, simulations, formal models of critical properties, implementation models • Step4: • Verify the process • Test against specifications • Integrate and validate against requirements 2. Release 3. Certify 07/04/2010 Altreonic NV 10
  • 11. Unified Systems/Software engineering MODEL(S)21 METHODOLOGY11 REQUIREMENT21 SPECIFICATIONS21 Test harness Architectural Architectural Simulation Simulation CheckPoints11 Normal case Formal Formal Functional Standards Statements Test case Implementation Implementation Non-Functional Guidelines Failure case Questions Hints Entity11 Design Views21 Answers Method11 Org Specific Domain Specific Misc SubSystem Procedure Interaction Tool Function WorkPackage11 Role Interface Modeling Process Views21 DEVLPMNT TASK11 Issues11 Install Result41 Validation TASK21 Result61 PreConditions31 Write-Up PreConditions51 USE CASES ChangeRequest21 Spec Approved WP completed RELEASE1 PreConditions41 Verification TASK11 PreConditions61 Result51 Test TASK11 Valid Approv User Test Approv Work Approved Spec Approved Result71 Applications Dev Task Approv Verif Task Approv OpenCookbook Systems Grammar 10.11.2009 Meta-models Unifying Repository Unified Semantics Unified architectural paradigm: Interacting Entities 07/04/2010 Altreonic NV 11
  • 12. Is safety absolute? 1. Safety can never be absolute: • Always residual errors • Always residual risks • Design is always trade-off. 2. Safety is a statistical property: • Mean Time To Failure is what matters for malfuntions • => mean time to safety hazards • If MTTF >> life time, only external factors remain: • Operator • Environment 3. Safety level must be selected on the basis of acceptable risks • Has a cost tag (insurance) attached to it • Safety Integrity Level 3 (SIL3) • Fail-safe mode, but still safety hazard • Safety Integrity Level 4 (SIL4) • Fault tolerant, but still residual risks • Common mode failures • Common design mistakes  A safety hazard can still happen ANY time!  Most people are optimistic and then become negligent 07/04/2010 Altreonic NV 12
  • 13. Concrete case 1: Pedal issues • Hybrid (=complex) vehicle with drive-by-wire throttle, brake, automatic gears • Drivers claim unintended and uncontrollable acceleration • Drivers claim that hitting the brakes doesn’t help • Drivers find that braking can be lacking • Many car manufacturers have similar issues • But reproducing the hazard situation is (often) impossible • Earlier Toyota Prius never had serious problems • What is going on? • Mass hysteria? Toyota bashing to help GM? • Some high publicity cases were proven to be a hoax • Drive-by-wire issues? Likely some • 1) Floor-mat wrong placement (Lexus) => mechanical issue 2) Accelator pedal (Made in USA) mechanical issue (BIG recall #1) 3) Prius ABS setting issue (recall #2) => recognised design issue 4) Severe Cruise control issues (discussion is ongoing) • More info at: http://www.toyota.com/recall/ 07/04/2010 Altreonic NV 13
  • 14. Concrete case 1: Pedal issues • Gas pedal issues: • Not reported with older Prius models (> 10 years!) • Cannot be reproduced • Pedal was accepted as specified by Toyota • Claimed cause ranges from: • Floor mat • Dirty and wet environment • Interference with cruise control • Interference with stability control • Software issue • Hardware (electronic) issue • EMI: external EM disturbance => logic lock-up • Mechanical: spring gets stuck • Mechanical: plastic used absorbs water • Driver doesn’t know what to do • => many opinions are mainly guesses, not based on facts. • => nevertheless, there is clearly room for improvement • => these are issues for ALL car manufacturers 07/04/2010 Altreonic NV 14
  • 15. What can automotive learn from it? • Types of errors • Permanent: when things break • Intermittent: e.g. bad contact or external disturbance (e.g. RF, power) • Design errors: not all use- and fault-cases have been considered • IS SIL3 (fail safe) acceptable for gas and brake systems? • => NO! We need SIL4 (fault tolerance) • Conclusions: • Black box will be needed in cars • A simple flash card would already help a lot • But is the car designed for it? (architecture) => no • Drive-by-wire SIL4 needed: • SIL3 assumes the fault can be detected • SIL3 (e.g. high idle) is not always fail-safe (e.g. highway@200 Km/hr) • But are all possible faults detected? • => triplication and voting architectures • => heterogeneous sensors • => n-version programming • Is the car designed for it? (architecture) => partially • What is the impact on the reliability? 07/04/2010 Altreonic NV 15
  • 16. What can automotive learn from it? • Safety must really become TRUSTWORHTY • Safety: system operates as specified, allways • Common mode failures mitigation by triplication • Security: integrity of system is assured • Freedom of external disturbances • Useability: • The driver is part of the system • How can we keep the system simple while increasing ROI (more fonctionality, more active safety features, less fuel consumption, …) • Publication of all safety issues can help the whole industry: • Cfr. Safety culture in aviation industry • Car must become smart enough to deal with emergency situations rather than driver, who cannot be expected to act like a test pilot. 07/04/2010 Altreonic NV 16
  • 17. A simple set-up • Two pedals: • One for throttle, using one sensor • One for brake, using one sensor 4 states Brake pressed Brake not presses Gas pressed 11 => brake => ? 10 => accelerate Gas not pressed 01 => brake 00 => brake or idle? • Cases 01 and 10 are clearly provided: • The sensors work properly => see next slide • The driver had the intention • Problem cases are 01 and 10 • Priority brake > priority gas => brake when in doubt • What is the intention of the driver? 07/04/2010 Altreonic NV 17
  • 18. When can we trust the sensors? • One sensor (low cost cars): • If no fault => output reflects intention of driver • If fault => 3 cases: random output, stuck at 1, stuck at 0 • Two sensors (more expensive cars): • If different output => one of them is faulty • Maximum SIL is SIL3 (switch to fail safe mode, e.g. brake or engine at high idle) • Deadly at high speed • Three sensors with triplication, voting, heterogenous => SIL4 possible • Still very small risk of common mode failure • But it is a bit more complicated. Fault can be down the chain! Wire Multiple links between sensor and ECU, each one can fail. 07/04/2010 Altreonic NV 18
  • 19. When can we trust safety features? 16 states B=1 B=1 B=0 B=0 S=OK S=Not OK S=OK S=Not OK G=1 1111 1011 0111 0011 S=OK G=1 1110 1010 0110 0010 S=Not OK G=0 1101 1001 0101 0001 S=OK G=0 1100 1000 0100 0000 S=Not OK Wire Multiple links between sensor and ECU, each can fail. 07/04/2010 Altreonic NV 19
  • 20. Was the pedal stuck or did the driver push full force? • => Sensor on pedal to detect presence of foot • But: state space now becomes 32 • If we take into account that sensor can fail as well: 64 • Introduces new limit case: • Driver puts foot but puts no pressure on pedal • Issues: • Sensor should sense intention of operator • Operator should sense result of actions: • Force feedback => more complexity • What about the spring? Wire 07/04/2010 Altreonic NV 20
  • 21. First conclusions for safety - When there is a risk (“hazard”) possible: - Best is to isolate the functionality from the rest - Else state space explodes even more - Assume that everything can malfunction of give a wrong output - Malfuntion causes can be in three domains: - System itself - Operator - Environment - Safety measures can make it worse: - => simple and clean architectures are best - Let the system keep a history log 07/04/2010 Altreonic NV 21
  • 22. The impact of electronics and software - Why electronics and software? - Programmable => easy to change => also risk - Cheap, small - Allow more sophisticated functionality - Modern planes can’t fly anymore without - Also key for lower energy and cleaner operation - BUT: - Mechanical predecessors fail gracefully - Systems in the continuous domain - Electronic and software are clocked - Fail within one clock cycle (typically 20 nanoseconds) - State space is huge (100 millions of states) because of data dependencies (1 integer = 2**32 states) 07/04/2010 Altreonic NV 22
  • 23. The impact of complexity - More functionality: - => complexity increases - => state space explodes exponentially - More dynamic behaviour means more complexity: - Feedback loops needed to guarantee stability - Creates however difficult to find transition states - Clearly an issue with Toyota Prius: older models have no issues, latest issues seem to be related to interplay of more advanced features like dual engine, ABS + ESP, regenerative braking, rough road, etc. - Is an issue for all cars! - Might require use of active suspension to sense state of wheel vs. road - But, where does the complexity come from? - Reusing old Harrison 1 type architectures ? - Layering of complexity? - Conclusion: tackle complexity (and get safety) by cleaner architecture - Validate design and verify using formal approaches 07/04/2010 Altreonic NV 23
  • 24. Some remarks on train safety - Train transport has a high safety track record - But still lower than (cheaper) airplane, why? - Inherent safety features: - Single track, few crossings - “Heavy metal” (2 ton/passenger!) - Proven by long use (< 100 years with little changes) - Issues: - Increasing competition for speed - Heavy mass => long braking distance - Heavy investments => long lifetime, old technology 07/04/2010 Altreonic NV 24
  • 25. Static vs. dynamic safety - Current safety design is often based on rigorous static analysis and static implementation - Benefits: can be formally analysed - Drawbacks: can fail catastrophically - Real systems are more and more dynamic and are becoming difficult to analyse up-front - Real systems can often tolerate a few intermittent or aperiodic misses (e.g. ABS system) - => dynamic resource scheduling based on QoS - Fault tolerance is a limit case - Requires feedback control systems 07/04/2010 Altreonic NV 25
  • 26. Use case 1: Mobility aids Future of transport is consumer-friendly • Elderly customer base ( mobility aid) • Seamlessly Indoors ↔ Outdoors (other uses) • Active safety (e.g. obstacle avoidance) • Optimal use of road network Intelligent Transport Systems , using cooperative Embedded Systems • 100% trust-worthy • Fault Tolerance • Heterogeneous network support • Scalability • Cost-Efficiency 07/04/2010 Altreonic NV 26
  • 27. E-wheel control algorithm Key characteristics : High Reliability (SIL3) → Fault Tolerance (SIL4) All-in: • Traction • Braking • Anti-slip • Stability control • Active suspension  Distribute control => safety enabled SIL4 architecture Software and Hardware redundancy enables fault-tolerant controllers 1-, 2-, 3-, 4-, n-wheel platforms 07/04/2010 Altreonic NV 27
  • 28. Altreonic SIL 3/4 Controller project •Key characteristics : • High Reliability (SIL3) → Fault Tolerance (SIL4) • Target market : • Robotics, Automotive, Transport, Aerospace, Machine Control. • Technological competencies/partners sought: • Input from Use cases / Application scenarios • Control systems design competence • System Simulation Altreonic Inside 07/04/2010 Altreonic NV 28
  • 29. Can trains become driver less? • If train driver can run through a red light, why use drivers? • Examples: • Metro Ligne1 Paris • Reused in many other cities • Works clearly on isolated lines • Use of formal methods is a must • Remote supervision using camera’s • But can it work on rail networks with crossings? • Are the benefits large enough or marginal? • Can it be made flexible enough? • But clearly SIL4 will be required • SIL3 is fail-safe mode until repair • Network might need simplification 07/04/2010 Altreonic NV 29
  • 30. Can cars become driver less? • Can traffic flow improve through automatisation? • Or should we remove the bottlenecks first? • Examples: • Driverless busses exist • Big difference with trains: • much more decentralised, individual transport mode • Will require adaption to: • Cars: multi-sensor fusion, comm links • Infrastructure: road beacons, comm links • Traffic separation: cars vs busses vs trucks • Can only work is standardisation is applied • Driver remains in seat: he is the fail-safe mode • Global view is transport and communication: • Do we still need trains or cars that connect and act like trains? 07/04/2010 Altreonic NV 30
  • 31. Thank You for your attention “If it doesn't work, it must be art. If it does, it was real engineering” 07/04/2010 Altreonic NV 31