Interesting Times…
Safety Systems are all around us: designed by engineers, to a specification.
Like any other system, we must be careful! It is not acceptable to ‘put it together and see if it works’. We must be vigilant!
Things can go wrong…
• Software Failure
• Hardware Failure
• Incomplete Procedures
• Human Error
Human error is special, since it is us, humans, who build the systems in the first place…
LHC Beam Interlock System
Software Safety
Difficult to quantify ‘safe software’…
• A typical mobile phone can have 2 million lines of code
• A car can have 100 million lines
How on earth can these be tested?
Complicated verification tools and mathematical proofs can be done: $$$$ & Time & People & Experience…
When faults cost $$$$ we hear about them:
Software Failures
IEEE (reliable source): http://spectrum.ieee.org/sep05/1685/failt1
• 2001 Software Error - USDOD http://www.defenselink.mil/news/Apr2001/n04092001_200104093.html Software reset badly written. COST: 1 helicopter, 4 marines
• 1998 - Airbus A320 Crash at Airshow http://www.rapp.org/archives/2004/09/aircraft_crash_videos/ The pilot claims he was misled on the aircraft's true height by a bug in the software. COST: 3 lives, one aircraft
• 1996 - Ariane 5 Rocket Failure http://www.youtube.com/watch?v=kYUrqdUyEpI Software error in the inertial reference system. COST: $500 million
Hardware Safety
It’s easier to quantify ‘safe hardware’…
• Reduce the critical function
• Use military handbooks
• Use tried and tested methods
• Redundancy and testing
But still it takes some energy: $$ & Time & People & Experience…
It takes extra effort to build safe systems… MUCH more effort to correct an existing system to be safe.
And it can still go wrong…
Hardware Failures
• 1986 - Titan 4 Exploded after Takeoff http://www.youtube.com/watch?v=etCGlSAkdf0 Hardware failure. COST: $1 Billion
• 2005 - Buncefield oil fire http://news.bbc.co.uk/2/hi/uk_news/4520430.stm Two safety interlocks failed
• http://www.airlinesafety.com/editorials/JetBlueLAX.htm
Procedural Safety
Using the safety equipment… Needs PROCEDURES!
• Components degrade
• Safety must be verified by checking and testing
• Maintenance has to be carried out to make something as good as new
Two good examples of bad procedures causing loss are:
• Chernobyl – a ‘special’ procedure was being followed
• Piper Alpha – safety maintenance was underway
Human Error
Using the safety equipment… Needs operators!
Humans are… ABSOLUTELY… the weakest link.
• 1999 Human Error - CNN http://www4.cnn.com/TECH/space/9911/10/orbiter.03/ Engineers mis-converted English to Metric. COST: $125 million
• 1998 USS Yorktown - GCN http://www.gcn.com/print/17_30/33914-1.html Managed to enter zero for a setting, which crashed the systems
• 2004 Thunderbird Crash http://www.rapp.org/archives/2004/01/thunderbird_crash/ Pilot miscalculated height above sea-level
Why are we the weakest link?
A couple of fun examples…
• change blindness, from UBC in Canada
• inattention blindness, from the University of Illinois
And so…
There is no magic bullet to make us ‘safe engineers’. We are, after all, just human. This presentation is only intended to illustrate that.
• Less software means more provable safety
• Hardware can be designed to be safe
• Procedures must be complete so safety can be verified
• We are just human
• Everyone is entitled to make a mistake
AB/CO/MI has gone a considerable way to developing a safety culture. We’ve learned from our mistakes and those of others. The time is now to expand this safety culture!
Rules for VHDL Design
But there ARE rules for the VHDL realisation:
• Specification has to be complete
• Add safety rules and recommendations to the specification
• Describe how you will check that those rules are met
• Use lots of asserts in VHDL
• Use complete testbenches that PROVE you tested them
• Design small blocks of code that can be completely tested
• Build a real-life test bench to prove your design
• Document anything which is ‘dangerous’
These are the minimum. They all assume you have safe hardware as a basis. We accept no compromise here.
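As an added illustration of two of the rules above (an assert inside the design, and a block kept small enough that a testbench can exercise every input pattern), here is a constructed VHDL example; it is not code from the presentation or from the Beam Interlock System, and permit_and, tb_permit_and and the signal names are hypothetical:

```vhdl
library ieee;
use ieee.std_logic_1164.all;

-- Hypothetical block (constructed for this example, not the BIS design): the
-- beam permit is '1' only when every user permit input is '1'.
entity permit_and is
  generic (N : positive := 3);
  port (
    user_permit : in  std_logic_vector(N-1 downto 0);
    beam_permit : out std_logic
  );
end entity permit_and;

architecture rtl of permit_and is
begin
  -- Assert in the design: simulation flags any unknown ('X'/'U') input as an error.
  assert not is_x(user_permit)
    report "permit_and: unknown value on user_permit" severity error;
  beam_permit <= '1' when user_permit = (user_permit'range => '1') else '0';
end architecture rtl;

library ieee;
use ieee.std_logic_1164.all;
use ieee.numeric_std.all;
entity tb_permit_and is
end entity tb_permit_and;

architecture sim of tb_permit_and is
  constant N : positive := 3;
  signal user_permit : std_logic_vector(N-1 downto 0) := (others => '0');
  signal beam_permit : std_logic;
begin
  dut : entity work.permit_and
    generic map (N => N)
    port map (user_permit => user_permit, beam_permit => beam_permit);
  -- The block is small enough to test completely: every one of the 2**N input patterns.
  stimulus : process
  begin
    for i in 0 to 2**N - 1 loop
      user_permit <= std_logic_vector(to_unsigned(i, N));
      wait for 10 ns;
      -- Only the all-ones pattern (i = 2**N - 1) may give a permit.
      assert (beam_permit = '1') = (i = 2**N - 1)
        report "permit_and wrong for input " & integer'image(i) severity failure;
    end loop;
    report "permit_and: all " & integer'image(2**N) & " input patterns checked" severity note;
    wait;
  end process stimulus;
end architecture sim;
```

Compile both units into the work library and simulate tb_permit_and; a failing assertion stops the run, and the final note is the record that every pattern was exercised.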
FIN