Validating The Safety Of Embedded Real-Time Control Systems Using FMEA

Validating embedded real time systems for use in safety critical applications is difficult for most applications. When these systems are based on commercially available microprocessors andor microcontrollers, the validation task can be made significantly more difficult by the lack of basic data integrity protection on board the processor and peripherals. Additionally, basic address boundary protection may not be provided by the real time scheduler being used. Hardware FMEAs need to trace faults through their effect on the software. Additionally, the software design, including the real time scheduler or operating system, needs to be completely analyzed to ensure that hardware data integrity failures and software failures cannot cause the control processing to place the controlled system into an unsafe state. The techniques needed to perform hardware FMEAs are well known in the reliability engineering discipline. However, techniques which will allow the validation of software are not well known and are difficult to apply. A variety of software safety analysis techniques have been developed, including software fault uees and time Petri nets. These techniques attempt to assess the correctness of the software design when it is operating on unfailed hardware. All software analysis techniques are severely limited when the integrity of the data being pl-ocessed cannot be guaranteed. Hughes Aircraft has adapted and extended traditional FMEA techniques to include assessment of software failures. Hughes has been using the resulting technique to assess the safety of embedded real-time control systems designed for use in automotive applications. The use of FMEA techniques in assessing the software safety of these controllers has allowed analysis of the effects of a more comprehensive set of potential failures, including data corruption, than is practical using other software safety analysis techniques. The ability to assess the results of data corruption has proven to be crucial in providing feedback to design teams about the potential safety risks of the designs being analyzed.