Designing Safety-Critical Computer Systems

Author

  • William R. Dunn
Abstract

The ubiquitous computer is firmly established as the electronic component of choice for designing systems that control safety-critical applications. Such applications can be found everywhere: aircraft fly-by-wire controls, oil and chemical processing, hospital life-support systems, manufacturing robotics, and countless other commercial and industrial applications. As this century matures, developers will increasingly exploit computing's power in safety-critical applications that directly touch us all: steer-by-wire automotive systems, automated air- and surface-traffic control, powered prosthetics, and so on. However, these computer-based systems raise the ongoing concern that they might fail and cause harm. Indeed, past computer failures have produced catastrophic results, most famously the notorious Therac-25, a therapeutic computer system intended to heal but which inadvertently killed and maimed patients before being forced off the market.[1]

The safety of computer-based systems is of long-standing and continuing interest to computing professionals. As research continues in this area, proposed system concepts and architectures—deemed safe by their developers—have been found to be impractical for real-life engineering applications that can place lives, property, or the environment at risk. Such dependable, seemingly safe concepts and structures fail in practice for three primary reasons. Their originators or users

  • have an incomplete understanding of what makes a system "safe,"
  • fail to consider the larger system into which the implemented concept is to be embedded, or
  • ignore single points of failure that will make the safe concept unsafe when put into practice.

Reviewing the fundamental definitions and concepts of system safety provides a framework for addressing these shortcomings.
Exploring the systematic design of safety-critical computer systems in engineering practice helps to show how engineers can verify that these designs will be safe. The notion of safety is most likely to come to mind when we drive a car, fly on an airliner, or take an elevator ride. In each case, we are concerned with the threat of a mishap, which the US Department of Defense defines as an unplanned event or series of events that result in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.[3] The mishap risk assesses the impact of a mishap in terms of two primary concerns: its potential severity and the probability of its occurrence.[3] For example, an airliner crash would affect an individual more severely than an automobile fender-bender, …


Similar resources

Voting Algorithm Based on Adaptive Neuro Fuzzy Inference System for Fault Tolerant Systems

Some applications are critical and must be designed as fault-tolerant systems. Usually a voting algorithm is one of the principal elements of a fault-tolerant system. Two kinds of voting algorithm are used in most applications: the majority voting algorithm and the weighted average algorithm. These algorithms have some problems. Majority voting confronts the problem of threshold limits, and the weighted voter...


Designing safety-critical systems: A Convergence of Technologies

A brief overview of the fields that must be considered when designing safety-critical systems is presented. Proper application of these fields allows a holistic (dependability achieved at all system levels) approach for designing safety-critical systems. The fields to be considered are: application domain, embedded systems, protocol and networks, safety and reliability, real-time, and systems e...


An Augmented Framework for Formal Analysis of Safety Critical Systems

This paper presents an augmented framework for analyzing Safety Critical Systems (SCSs) formally. Due to the high risk of failure, the development process of SCSs requires more attention. Model-driven approaches are one of the ways to develop SCSs so that they accomplish the critical and complex functions they are supposed to perform. Two model-driven approaches, Unified Modeling Language (UML) and Formal Meth...


Supporting Formal Reasoning for Safety Critical Systems

Formal methods can significantly assist in the design and modelling of safety-critical systems. However, formal methods are frequently criticised as being unusable through being too complex and requiring expert knowledge to use. We assert that to make formal methods usable they must be able to be presented in a manner which is readily interpretable. However, we must ensure that the inferences wh...


Journal:
  • IEEE Computer

Volume 36, Issue 

Pages -

Publication date: 2003