Critical Information Systems Engineering
2018-2019
TABLE OF CONTENTS
1 AN INTRODUCTION TO CRITICAL SYSTEMS
1.1 WHAT IS A CRITICAL SYSTEM?
1.2 INTEGRITY LEVELS AND STANDARDS FOR CRITICAL SYSTEMS DEVELOPMENT
1.3 ENGINEERING APPLICATIONS OF CRITICAL INFORMATION SYSTEMS

2 EXAMPLES OF FUNCTIONAL REQUIREMENTS FOR SOME CRITICAL INFORMATION SYSTEMS
2.1 THE FUNCTIONAL REQUIREMENTS OF AN AIRCRAFT MONITORING SYSTEM
2.2 THE FUNCTIONAL REQUIREMENTS OF AN AUTOMOBILE MANAGEMENT SYSTEM
2.3 THE FUNCTIONAL REQUIREMENTS OF AN AUTOMATED COMMUTER TRAIN CONTROL SYSTEM
2.4 REQUIREMENTS FOR A TRAFFIC LIGHT CONTROL SYSTEM

3 THE SOFTWARE DEVELOPMENT PROCESS
3.1 THE SYSTEM LIFE CYCLE MODEL AND THE SYSTEM DEVELOPMENT PROCESS
3.2 SOFTWARE ENGINEERING AND THE SOFTWARE DEVELOPMENT PROCESS
3.2.1 SOFTWARE DEVELOPMENT PROCESS MODELS
3.2.2 SOFTWARE DEVELOPMENT MANAGEMENT PROCESS
3.2.3 SOFTWARE CONFIGURATION MANAGEMENT PROCESS
3.2.4 SOFTWARE VERIFICATION AND VALIDATION AND SOFTWARE QUALITY ASSURANCE
3.3 EXAMPLES OF SOFTWARE DEVELOPMENT STANDARDS

4 ESA STANDARDS FOR SOFTWARE DEVELOPMENT
4.1 HISTORY
4.2 THE STRUCTURE OF THE ECSS STANDARDS
4.3 SOFTWARE IN ESA
4.4 THE ECSS-E-ST-40 STANDARD
4.5 THE ECSS-Q-ST-80 STANDARD
4.6 THE ECSS-M-ST-10 STANDARD
4.7 THE ECSS-M-ST-40 STANDARD

5 THE MIL-STD-498 SOFTWARE DEVELOPMENT STANDARD
5.1 SOFTWARE ENGINEERING ACTIVITIES
5.2 MIL-STD-498 SOFTWARE DEVELOPMENT PHASES
5.3 THE LIFE-CYCLE MODELS
5.4 MANAGEMENT ACTIVITIES

6 STANDARDS FOR SAFETY CRITICAL SYSTEMS: DO 178B AND ARP 4754
6.1 INTRODUCTION
6.2 DEVELOPMENT OF SAFETY-RELATED AIRBORNE SOFTWARE
6.3 DO-178B DEVELOPMENT PROCESSES
6.4 DO-178B VERIFICATION PROCESSES
6.5 WHAT ARE THE MAIN CHALLENGES IN THE DEVELOPMENT OF AIRBORNE SOFTWARE?
Introduction to Critical Information Systems
What is a Critical Information System?

• A system is critical if a malfunction could result in:
a) loss of life
b) injury or illness
c) serious environmental damage
d) significant loss of, or damage to, property
e) failure of an important mission
f) major economic loss.
Classification of Critical Systems
• Safety-critical systems (a-c)
• Failure results in loss of life, injury or damage to the environment;
• Example: Nuclear power plant protection system;

• Mission-critical systems (e)
• Failure results in failure of some goal-directed activity;
• Example: Spacecraft navigation system;

• Business-critical systems (d-f)
• Failure results in high economic losses;
• Example: Customer accounting system in a bank;
System dependability (1)

• For critical systems, it is usually the case that the most important system property is the dependability of the system.

• The dependability of a system reflects the user's degree of trust in that system. It reflects the extent of the user's confidence that it will operate as users expect and that it will not 'fail' in normal use.

• Usefulness and trustworthiness are not the same thing. A system does not have to be trusted to be useful.
System dependability (2)
• Dependability encompasses the following aspects of a system:
• Reliability R(t) = probability of the system working correctly at time t, provided that it was working at t=0
• Maintainability M(d) = probability of the system working correctly d time units after an error occurred
• Availability: probability of the system working at time t
• Safety: the ability of a system to operate without catastrophic failure
• Security: the ability of a system to protect itself against accidental or deliberate intrusion
• Survivability: reflects the extent to which the system can deliver services whilst under hostile attack
• Error tolerance: reflects the extent to which user input errors can be avoided and tolerated
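The quantitative attributes above (R(t), M(d) and availability) are easiest to grasp when computed from an operating history. The following Python is an added example, not part of the lecture slides: it takes a constructed log of uptime/repair cycles for a hypothetical monitoring unit and derives MTBF, MTTR, steady-state availability, and R(t) and M(d) under the assumed constant-rate (exponential) failure and repair models. The exponential model, the MTBF/(MTBF+MTTR) availability formula and the sample figures are all assumptions of this example; the slides only define the attributes.

```python
import math

# Constructed sample (invented for illustration, not from any real system):
# consecutive (uptime_hours, repair_hours) cycles of a hypothetical unit.
CYCLES = [(1000.0, 2.0), (800.0, 4.0), (1200.0, 2.0), (1000.0, 8.0)]


def mtbf(cycles):
    """Mean time between failures: average uptime per cycle."""
    return sum(up for up, _ in cycles) / len(cycles)


def mttr(cycles):
    """Mean time to repair: average repair time per cycle."""
    return sum(rep for _, rep in cycles) / len(cycles)


def steady_state_availability(cycles):
    """Long-run fraction of time the system is up.

    Assumed model: A = MTBF / (MTBF + MTTR). The slides define availability
    at an instant t; the steady-state figure is the limit of that quantity
    for an alternating up/down process with constant rates.
    """
    up, down = mtbf(cycles), mttr(cycles)
    return up / (up + down)


def reliability(t, cycles):
    """R(t): probability of no failure in [0, t] given the system was up at t=0.

    Assumed model: constant failure rate lambda = 1/MTBF, so R(t) = exp(-lambda*t).
    """
    lam = 1.0 / mtbf(cycles)
    return math.exp(-lam * t)


def maintainability(d, cycles):
    """M(d): probability that a failed system has been repaired within d time units.

    Assumed model: constant repair rate mu = 1/MTTR, so M(d) = 1 - exp(-mu*d).
    """
    mu = 1.0 / mttr(cycles)
    return 1.0 - math.exp(-mu * d)


def dependability_report(cycles, horizon, repair_window):
    """Summarise the quantitative attributes for a given mission horizon and repair window."""
    return {
        "mtbf_h": mtbf(cycles),
        "mttr_h": mttr(cycles),
        "availability": steady_state_availability(cycles),
        "reliability_at_horizon": reliability(horizon, cycles),
        "maintainability_in_window": maintainability(repair_window, cycles),
    }


if __name__ == "__main__":
    # A 1000 h mission with a 4 h repair window on the constructed history.
    for key, value in dependability_report(CYCLES, 1000.0, 4.0).items():
        print(f"{key}: {value:.4f}")
```

Note what the numbers say: on this constructed history the unit is available about 99.6% of the time, yet the probability of completing a 1000 h mission without any failure is only about 37%. High availability and high reliability are different properties, which is why a mission-critical system (spacecraft navigation) and a business-critical one (bank accounting) can weight them very differently.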
Importance of dependability

• Systems that are not dependable and are unreliable, unsafe or insecure may be rejected by their users.

• The costs of system failure may be very high.

• Undependable systems may cause information loss with a high consequent recovery cost.
Types of failures in critical systems

• Hardware failure
• Hardware fails because of design and manufacturing errors or because components have reached the end of their natural life.

• Software failure
• Software fails due to errors in its specification, design or implementation.

• Operational failure
• Human operators make mistakes. This is now perhaps the largest cause of system failures.
Safety Integrity Levels (SIL) for critical systems

• The first step in developing a system is performing a preliminary hazard analysis, to determine whether the system could present a hazard to safety. If yes, we must conduct a more detailed hazard analysis:
• How likely is it that an error in the system will result in a particular hazard?
• How likely is the hazard to actually cause an accident?
• What is the likely magnitude of the accident in terms of injuries or deaths?

• Standards for safety critical software have now standardized on a scale of five discrete levels of safety integrity, with a Safety Integrity Level (SIL) of 4 being "very high", down to a level of 0 for a system which is not safety related.

• The term "safety related" is used to collectively refer to integrity levels 1 to 4.
Standards for critical systems development
Standard: Description

• ISO9001/EN29001/BS5750 part 1, "Quality Systems - Model for Quality Assurance in Design/Development, Production, Installation and Servicing": This is the recommended minimum standard of quality system for software with safety integrity level of 0, and an essential prerequisite for higher integrity levels.

• Functional Safety: Safety Related Systems: A general standard, which sets the scene for most other safety related software standards.

• IEC61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems": A globally recognized, generic standard for the development of safety-related electronic systems. It is a generic standard which defines safety integrity levels (SIL) and guidelines.

• CENELEC 50126/8/9, "Railway Applications": A standard for the railway industry. 50128 is dedicated to Software for Railway Control & Protection Systems.

• IEC880, "Software for Computers in the Safety Systems of Nuclear Power Stations": A standard for the nuclear industry.

• DO178B, "Software Considerations in Airborne Systems and Equipment Certification": A standard for avionics and airborne systems.

• MISRA Development Guidelines for Vehicle Based Software: Issued by the Motor Industry Software Reliability Association for automotive software.

• IEC 26262, "Road vehicles -- Functional safety": A new standard for the automotive industry. The standard is derived from IEC 61508. It defines the state of the art for the development of safety-related systems in automobiles. Compliance with this standard will be compulsory for all electrical and electronic devices in the automobile environment once the standard comes into effect.

• Defense Standard 00-56, "Safety Management Considerations for Defense Systems Containing Programmable Electronics": A standard for the defense industry.

• Defense Standard 00-55, "The Procurement of Safety Critical Software in Defense Equipment": Detailed software standard for safety critical defense equipment.

Engineering Applications of Critical Information Systems
• Infrastructure: Emergency services dispatch systems, Electricity generation, transmission and distribution, Fire alarm…

• Medicine: Heart-lung machines, Mechanical ventilation systems, Infusion pumps and Insulin pumps, Radiation therapy machines, Robotic surgery machines, Defibrillator machines

• Nuclear engineering: Nuclear reactor control systems

• Transport: Railway signaling and control systems

• Automotive: Airbag systems, Braking systems, Seat belts, Steering systems

• Aviation: Air traffic control systems, Avionics particularly fly-by-wire systems, Receiver autonomous integrity monitoring (RAIM), Engine control systems (FADEC), Aircrew life support systems, Flight planning to determine fuel requirements for a flight

• Space: Launchers control, Guidance, Navigation and Control System, On board software for satellite platform…