Safety Critical Computer Systems (Storey) pdf

This text is intended for both engineering and computer science students, and for practicing engineers within computer related industries. The approach taken is equally suited to engineers who consider computers from a hardware, software or systems viewpoint.

Figure 5: Sensor-input comparison

You can also implement redundancy as analytic redundancy, which is the comparison of a measured value with a value derived in some other way, as shown in Figure 6.

High school physics does come in handy! If the calculated and measured values agree within a tolerance chosen for that sensor, we're confident that the sensor is working correctly. Another example: in the medical world, patient heart rate can be extracted from a signal analysis of an arterial blood-pressure waveform. Analytic redundancy then compares it with the value measured directly from the patient's electrocardiograph signal.

These approaches can be combined and embellished. In the approaches discussed so far, if the compared data disagree we know something is wrong with a sensor. But we don't know which sensor is wrong.

So it's often best to just shut down the entire redundant pair in what's called a fail-stop. An alternative approach is to add a third redundant element and to replace the two-way comparison with three-way "voting", known as triple modular redundancy (TMR) when three identical elements are used. But this could also be done in a mix-and-match sort of way, combining direct measurement with analytic redundancy and resulting in a combination of several kinds of redundancy.
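The three schemes just described, as an added example that is not code from the page or from the book it lists: a two-way comparison that fail-stops on disagreement, an analytic check of a speed sensor against speed derived from two position fixes, and a three-way vote that names the one sensor that disagrees. The function names, the tolerance of 2.0 and the readings in the three cycles are constructed for illustration; the voter takes the median so that one bad sensor cannot drag the voted value outside the band of the two good ones.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not from the original page. Readings are plain doubles;
 * the tolerances and sample values below are constructed. */

static double absdiff(double a, double b) { return a > b ? a - b : b - a; }

/* Two-way comparison (figure 5). On disagreement nobody knows which sensor
 * is wrong, so the pair fail-stops: no value is produced and the caller
 * must treat the pair as lost. Returns true only when a value exists. */
bool compare_pair(double s1, double s2, double tol, double *out)
{
    if (absdiff(s1, s2) > tol)
        return false;                      /* fail-stop */
    *out = (s1 + s2) / 2.0;
    return true;
}

/* Analytic redundancy (figure 6): the speed sensor is checked against the
 * speed derived from two position fixes dt seconds apart, v = (x1-x0)/dt. */
bool check_speed_analytic(double measured_v, double x0, double x1,
                          double dt, double tol)
{
    double derived_v = (x1 - x0) / dt;
    return absdiff(measured_v, derived_v) <= tol;
}

static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Three-way voting (TMR). Returns -1 if all three agree, 0..2 for the one
 * sensor that disagrees with the majority (it can be taken out of service),
 * or -2 when no two sensors agree, in which case *out is untouched and the
 * triplet must fail-stop. */
int vote_triple(const double s[3], double tol, double *out)
{
    double m = median3(s[0], s[1], s[2]);
    int outlier = -1, agreeing = 0;
    for (int i = 0; i < 3; i++) {
        if (absdiff(s[i], m) <= tol)
            agreeing++;
        else
            outlier = i;
    }
    if (agreeing < 2)
        return -2;
    *out = m;
    return outlier;
}

/* TMR lifecycle: a sensor identified as faulty is masked out; with two
 * left the set degrades to a two-way comparison, so the next disagreement
 * fail-stops the whole set. */
typedef struct {
    bool excluded[3];
} tmr_set_t;

/* Returns true and writes *out when a trustworthy value exists. */
bool tmr_read(tmr_set_t *t, const double s[3], double tol, double *out)
{
    int live[3], n = 0;
    for (int i = 0; i < 3; i++)
        if (!t->excluded[i]) live[n++] = i;

    if (n == 3) {
        int r = vote_triple(s, tol, out);
        if (r == -2) return false;
        if (r >= 0) t->excluded[r] = true;  /* shut the bad sensor down */
        return true;
    }
    if (n == 2)
        return compare_pair(s[live[0]], s[live[1]], tol, out);
    return false;                           /* fewer than two sensors left */
}

int main(void)
{
    tmr_set_t set = { { false, false, false } };
    const double tol = 2.0;
    /* Constructed readings: cycle 1 has sensor 2 drifting, cycle 2 shows the
     * surviving pair agreeing, cycle 3 shows that pair disagreeing. */
    const double cycles[3][3] = {
        { 100.0, 100.5, 120.0 },
        { 100.2, 100.4, 135.0 },
        { 100.0, 110.0, 140.0 },
    };
    for (int c = 0; c < 3; c++) {
        double v = 0.0;
        if (tmr_read(&set, cycles[c], tol, &v))
            printf("cycle %d: value %.1f", c + 1, v);
        else
            printf("cycle %d: FAIL-STOP", c + 1);
        printf("  excluded={%d,%d,%d}\n", set.excluded[0], set.excluded[1],
               set.excluded[2]);
    }
    return 0;
}
```

Run stand-alone, the three cycles show the sequence the text describes: the outlier is identified and masked, the remaining pair keeps delivering a value, and the first disagreement between those two fail-stops the set because there is no longer a majority to say which one is wrong.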

In the various triple redundancy approaches, a faulty sensor can be identified and shut down while the remaining redundant elements continue to operate safely.

Shutdown systems

If a safety-critical system has an immediate safe state, as illustrated on the left side of Figure 2, a shutdown system can be used to terminate a hazardous situation as soon as it detects it. The basic shutdown architecture is illustrated in Figure 7.

It will force the entire system into a safe state (in other words, off) whenever a hazard is detected and thus lock the system out of a life-threatening state. The shutdown system is independent of the primary system that is normally in control, and operates in parallel with it. To ensure its complete independence, the shutdown system has its own separate sensors. A diagnostic subsystem is used to ensure the integrity of operation of the shutdown system itself.

If the diagnostic subsystem determines that the shutdown system's decisions may be untrustworthy, it can bring the entire system to an immediate safe state rather than allowing the primary system to continue to operate without trustworthy shutdown monitoring going on in parallel. A cancer irradiation facility can be designed in this way. The primary system operates a nuclear particle accelerator that directs a highly focused beam into a well-defined area of a patient's body. Its sensors monitor the radiation dosage on target.

Its irradiation shutdown system, on the other hand, works with radiation sensors on other parts of the patient's body and in other parts of the treatment room. It will also monitor radiation dosage on target. The irradiation shutdown system itself is evaluated by an irradiation shutdown diagnostic subsystem.

As we will see later on, the primary system in Figure 7 can be designed in a number of ways, some of them quite complex with sophisticated redundancy built in. But as shown thus far, the shutdown system portion of the design has no redundancy and is thus a potential single point of failure. A single faulty shutdown system could also bring a cancer irradiation facility to a standstill, thus endangering its patients in a different way by denying them their medical treatment.

So in fact, some safety-critical systems have dual shutdown systems working in parallel with either "AND" or "OR" logic for deciding when to shut down the primary. With OR logic either shutdown system can trip the primary on its own, so a hazard is missed only if both fail, but any spurious demand stops the facility. With AND logic both must agree, which cuts spurious shutdowns but lets a single shutdown system that fails silently mask a real hazard.

In extreme instances, a safety-critical system can be designed with three shutdown systems working in parallel using TMR-style voting among them. In this way, a faulty shutdown system can be identified and itself be shut down while the remaining shutdown systems can continue to operate in redundant and trustworthy fashion and the primary system continues to provide its services.
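The decision logic behind the single, dual and triple shutdown arrangements, as an added example that is not code from the page: each shutdown system evaluates its own independent sensor and carries its own diagnostic verdict, and one k-out-of-n function covers the single system of Figure 7 (1oo1), dual OR (1oo2), dual AND (2oo2) and triple voting (2oo3). The names, the dose-rate limit and the readings are constructed; the rule for what to do when diagnostics have removed channels (lower k to the number of healthy channels, and stop the primary when none is left) is a design choice made here, not one the page prescribes.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not from the original page. Limits and readings are
 * constructed and the radiation numbers are illustrative, not clinical. */

typedef struct {
    bool trip;      /* this shutdown system saw a hazard on its own sensor */
    bool healthy;   /* its diagnostic subsystem vouches for its decisions */
} shutdown_vote_t;

/* One shutdown system evaluates its own, independent sensor. A system whose
 * diagnostics failed is reported unhealthy whatever its sensor says. */
shutdown_vote_t evaluate_channel(double own_reading, double limit, bool diag_ok)
{
    shutdown_vote_t v;
    v.healthy = diag_ok;
    v.trip = own_reading > limit;
    return v;
}

/* k-out-of-n trip logic over the shutdown systems' votes:
 *   n=1,k=1  single shutdown system (figure 7)
 *   n=2,k=1  dual with OR  (1oo2): any one can trip the primary
 *   n=2,k=2  dual with AND (2oo2): both must agree
 *   n=3,k=2  triple with majority voting (2oo3)
 * Unhealthy systems are removed from the vote (they are "shut down"). If
 * fewer healthy systems than k remain, k is lowered to what is left; if none
 * is left the primary is stopped, because running with no trustworthy
 * shutdown monitoring is the case the text rules out.
 * Returns true when the primary must be forced to its safe state. */
bool shutdown_decision(const shutdown_vote_t *ch, int n, int k)
{
    int healthy = 0, trips = 0;
    for (int i = 0; i < n; i++) {
        if (!ch[i].healthy) continue;
        healthy++;
        if (ch[i].trip) trips++;
    }
    if (healthy == 0)
        return true;
    if (k > healthy)
        k = healthy;   /* degraded: 2oo3 with one system out becomes 2oo2 */
    return trips >= k;
}

int main(void)
{
    const double limit = 2.0;  /* constructed dose-rate limit, arbitrary units */
    /* Three shutdown systems with their own sensors: 0 and 1 both read an
     * overdose; 2 reads nothing because its diagnostics found it faulty. */
    shutdown_vote_t ch[3] = {
        evaluate_channel(2.6, limit, true),
        evaluate_channel(2.4, limit, true),
        evaluate_channel(0.0, limit, false),
    };
    printf("1oo1 (system 0 alone): %s\n", shutdown_decision(ch, 1, 1) ? "SHUT DOWN" : "run");
    printf("1oo2 OR              : %s\n", shutdown_decision(ch, 2, 1) ? "SHUT DOWN" : "run");
    printf("2oo2 AND             : %s\n", shutdown_decision(ch, 2, 2) ? "SHUT DOWN" : "run");
    printf("2oo3 (system 2 out)  : %s\n", shutdown_decision(ch, 3, 2) ? "SHUT DOWN" : "run");
    return 0;
}
```

The interesting cases are the degraded ones. A single shutdown system that its diagnostics distrust stops the primary even though it has seen no hazard, which is the rule the text gives for Figure 7. Under AND logic one healthy system that fails silently (trip stuck at false while diagnostics still pass) masks a demand from the other, which is the availability-versus-safety trade-off behind choosing OR, AND or a third system with voting.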

Single channel with actuation monitoring

The idea of a shutdown system can also be applied on a smaller scale within a primary system itself, as shown in Figure 8. The ellipses represent major system activities, which could be implemented as software tasks or processes, either on separate processors or sharing a single processor, depending on the scale of the system.

This is called actuation monitoring, which is illustrated on the right side of Figure 8 for a medical safety-critical system. Actuation monitoring can be done in a number of ways, each with a different balance of costs versus benefits.

The most basic form of actuation monitoring is end-around monitoring. It simply checks the commands to the output actuators for validity before they reach the actuators themselves. A more stringent form is wrap-around monitoring, which checks that the output actuators are actually producing valid outputs that will soon reach the patient under treatment.

A third, usually more costly, form is actuation-results monitoring that uses an independent set of sensors to verify that the system is actually producing the results it's intended to provide. A medical infusion pump controller could be designed in this way.

Let's assume that a stepper motor is doing the actual pumping of fluid. End-around monitoring could be used to check that the stepper motor is receiving the correct or at least reasonable commands.

Wrap-around monitoring could use a fluid flow sensor to check that the correct or reasonable amount of fluid is being delivered to the patient under treatment.

And actuation-results monitoring could use an invasive probe to measure the concentration of specific drugs or other contents in the patient's bloodstream resulting from the operation of the infusion pump.

A significant weakness of both the shutdown system and the single-channel architectures is that they cannot continue to operate safely in the presence of faults.

They have single points of failure. You can see them stretching across the top of Figure 8. This means that these architectures can only be used in safety-critical systems that have an immediate safe state, as on the left side of Figure 2.

Dual-channel architectures

For safety-critical systems without an immediate safe state, dual-channel architectures can be used to allow a system to continue operation even when one of its channels has "fail-stopped."

Figure 9: A dual-channel architecture

In dual-channel architecture one of the channels serves as the primary, or active, channel and the other is a standby or backup channel, ready to take over system operation if the current primary channel suffers faults or fail-stops. Depending on the needs of the specific safety-critical system, the standby channel when becoming active could either continue normal operation of the system or it could take the system through a possibly long and complex sequence of steps to bring it to its eventual safe state.

On the other hand, a nuclear reactor control system, in cases of failure of one of its internal embedded processing channels, would be expected to stay in operation long enough to shut down the reactor by proceeding through a lengthy sequence of activities: stepping the control rods down into the full depth of the reactor core while accelerating the flow of coolant through the reactor, and monitoring the gradual slowdown of the nuclear reaction through myriad sensors, until the reactor can be declared safe for human access.

Dual-channel architecture is going to have higher unit costs than previous architectures we've discussed. There will be redundant embedded processing channels using redundant hardware and redundant sensors. But the big benefit of paying this price is the ability to continue to operate in the presence of a fault.

Dual-channel architecture has a number of popular variants. If the two channels shown in Figure 9 use the same replicated software and hardware, the architecture can handle random faults well but it can't handle systematic faults such as software design or coding defects that would be reproduced in both channels. Variants that use dissimilar hardware or independently developed software in the two channels address that weakness, at the price of developing and qualifying two designs.
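The infusion-pump channel of the actuation-monitoring section (end-around, wrap-around and actuation-results checks, Figure 8) and the active/standby switchover of Figure 9, together as one added example that is not code from the page. The pump calibration, the limits and the observations are constructed and are not clinical figures; the names of the functions and types are this example's own. Each channel runs the same monitoring code on its own sensors, so the block also shows the limitation just stated: a defect in that shared code would be reproduced in both channels.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not from the original page. Calibration values, limits
 * and readings are constructed for illustration only. */

static double absdiff(double a, double b) { return a > b ? a - b : b - a; }

typedef enum {
    MON_OK = 0,
    MON_END_AROUND,    /* the command to the stepper motor is not valid */
    MON_WRAP_AROUND,   /* the motor is not delivering the commanded flow */
    MON_RESULTS        /* the patient is not showing the intended effect */
} monitor_result_t;

typedef struct {
    double max_steps_per_s;  /* highest command the motor may ever be sent */
    double ml_per_step;      /* pump calibration */
    double flow_tol_ml_h;    /* flow sensor tolerance */
    double expected_conc;    /* concentration the therapy should produce */
    double conc_tol;
} pump_limits_t;

typedef struct {
    double commanded_steps_per_s;  /* what this channel is about to send */
    double measured_flow_ml_h;     /* from this channel's own flow sensor */
    double measured_conc;          /* from this channel's invasive probe */
} pump_observation_t;

/* The three checks in order of increasing cost: end-around (command
 * validity before it reaches the motor), wrap-around (does the actuator
 * deliver what was commanded), actuation-results (did the patient get the
 * intended effect). The first failing check is reported. */
monitor_result_t monitor_actuation(const pump_observation_t *o,
                                   const pump_limits_t *l)
{
    if (o->commanded_steps_per_s < 0.0 ||
        o->commanded_steps_per_s > l->max_steps_per_s)
        return MON_END_AROUND;
    double expected_flow = o->commanded_steps_per_s * l->ml_per_step * 3600.0;
    if (absdiff(o->measured_flow_ml_h, expected_flow) > l->flow_tol_ml_h)
        return MON_WRAP_AROUND;   /* also catches free flow while stopped */
    if (absdiff(o->measured_conc, l->expected_conc) > l->conc_tol)
        return MON_RESULTS;
    return MON_OK;
}

typedef struct {
    bool failed[2];  /* channel has fail-stopped */
    int active;      /* channel currently in control, -1 when none is left */
} dual_channel_t;

/* One control cycle. The active channel runs its own monitoring on its own
 * sensors; a failed check fail-stops that channel and the standby takes
 * over in the same cycle, provided its own checks pass. Returns the channel
 * left in control, or -1 when both have fail-stopped. */
int dual_channel_cycle(dual_channel_t *dc, const pump_observation_t obs[2],
                       const pump_limits_t *l)
{
    for (int tries = 0; tries < 2 && dc->active >= 0; tries++) {
        int a = dc->active;
        if (monitor_actuation(&obs[a], l) == MON_OK)
            return a;
        dc->failed[a] = true;
        int other = 1 - a;
        dc->active = dc->failed[other] ? -1 : other;
    }
    return dc->active;
}

/* Constructed limits: 50 steps/s ceiling, 0.001 ml per step (so 10 steps/s
 * is 36 ml/h), 5 ml/h flow tolerance, target concentration 5.0 +/- 1.0. */
static const pump_limits_t kLimits = { 50.0, 0.001, 5.0, 5.0, 1.0 };

/* Constructed observations for one cycle: channel 0's flow sensor reads
 * 60 ml/h against 36 commanded, channel 1 sees a healthy line. */
static const pump_observation_t kObsCycle1[2] = {
    { 10.0, 60.0, 5.2 },
    { 10.0, 35.0, 5.2 },
};

int main(void)
{
    dual_channel_t dc = { { false, false }, 0 };
    int in_control = dual_channel_cycle(&dc, kObsCycle1, &kLimits);
    printf("after cycle 1: channel %d in control, channel 0 failed=%d\n",
           in_control, dc.failed[0]);
    return 0;
}
```

Two points the code makes that the prose leaves implicit. The wrap-around check compares against the commanded flow, so a pump commanded to stop but still passing fluid (free flow) is caught by the same test as an under-delivering motor. And the results check lags the others: concentration takes time to respond, so in practice its tolerance and sampling interval are chosen with that delay in mind, which the constant tolerance here does not model.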


