Interesting Times…

B. Todd AB/CO/MI 30th January 2008

Safety in Mind…

Upload: merritt-ferrell

Post on 15-Mar-2016



TRANSCRIPT

Page 1: Interesting Times…

B. Todd AB/CO/MI 30th January 2008

Safety in Mind…

Page 2: Interesting Times…

LHC Beam Interlock System 2 of 12 [email protected]

Safety Systems are all around us:

designed by engineers, to a specification, like any other system.

We must be careful! It is not acceptable to ‘put it together and see if it works’. We must be vigilant!

Things can go wrong…

1. Software Failure

2. Hardware Failure

3. Incomplete Procedures

4. Human Error

Human error is special, since it is us, humans, who build the systems in the first place…

Page 3: Interesting Times…


Software Safety

Difficult to quantify ‘safe software’ …

A typical mobile phone can have 2 million lines of code. A car can have 100 million lines.

How on earth can these be tested? Complicated verification tools and mathematical proofs can be done, but they need:

$$$$ & Time & People & Experience …

When faults cost $$$$ we hear about them:

Page 4: Interesting Times…

Software Failures

IEEE (reliable source)

http://spectrum.ieee.org/sep05/1685/failt1

2001 Software Error - US DOD

http://www.defenselink.mil/news/Apr2001/n04092001_200104093.html

Software reset badly written. COST: 1 helicopter, 4 marines.

1998 - Airbus A320 Crash at Airshow

http://www.rapp.org/archives/2004/09/aircraft_crash_videos/

The pilot claims he was misled on the aircraft's true height by a bug in the software. COST: 3 lives, one aircraft.

1996 - Ariane 5 Rocket Failure

http://www.youtube.com/watch?v=kYUrqdUyEpI

Software error in the inertial reference system. COST: $500 million.

Page 5: Interesting Times…

Hardware Safety

It’s easier to quantify ‘safe hardware’ …

Reduce the critical function

Use military handbooks

Use tried and tested methods

Redundancy and testing

But it still takes some energy:

$$ & Time & People & Experience …

It takes extra effort to build safe systems…

MUCH more effort to correct an existing system to be safe.

And it can still go wrong …

Page 6: Interesting Times…


Hardware Failures

1986 - Titan 4 Exploded after Takeoff

http://www.youtube.com/watch?v=etCGlSAkdf0

Hardware failure. COST: $1 billion.

2005 - Buncefield oil fire

http://news.bbc.co.uk/2/hi/uk_news/4520430.stm

Two safety interlocks failed

http://www.airlinesafety.com/editorials/JetBlueLAX.htm

Page 7: Interesting Times…

Procedural Safety

Using the safety equipment …

Needs PROCEDURES!

Components degrade

Safety must be verified by checking and testing

Maintenance has to be carried out to make something as good as new

Two good examples of bad procedures causing loss are:

Chernobyl – ‘special’ procedure being followed

Piper Alpha - safety maintenance was underway

Page 8: Interesting Times…

Human Error

Using the safety equipment …

Needs operators!

Humans are… ABSOLUTELY… the weakest link.

1999 Human Error - CNN

http://www4.cnn.com/TECH/space/9911/10/orbiter.03/

Engineers mis-converted English units to metric. COST: $125 million.

1998 USS Yorktown - GCN

http://www.gcn.com/print/17_30/33914-1.html

Managed to enter zero for a setting, which crashed the systems

2004 Thunderbird Crash

http://www.rapp.org/archives/2004/01/thunderbird_crash/

Pilot miscalculated height above sea-level

Page 9: Interesting Times…

Why are we the weakest link?

A couple of fun examples…

change blindness, from UBC in Canada

inattention blindness, from University of Illinois

Page 10: Interesting Times…

And so… there is no magic bullet to make us ‘safe engineers’. We are, after all, just human.

This presentation is only intended to illustrate that.

- Less software means more provable safety

- Hardware can be designed to be safe

- Procedures must be complete so safety can be verified

- We are just human

- Everyone is entitled to make a mistake

AB/CO/MI has gone a considerable way to developing a safety culture. We’ve learned from our mistakes and those of others.

The time is now, to expand this safety culture!

Page 11: Interesting Times…

Rules for VHDL Design

But there ARE rules for the VHDL realisation:

1. Specification has to be complete

2. Add safety rules and recommendations to the specification

3. Describe how you will check that those rules are met

4. Use lots of Asserts in VHDL

5. Use complete Testbenches that PROVE you tested them

6. Design small blocks of code that can be completely tested

7. Build a real-life test bench to prove your design

8. Document anything which is ‘dangerous’

These are the minimum. They all assume you have safe hardware as a basis.

We accept no compromise here.
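As an added illustration of rules 4 to 6 (not code from the Beam Interlock System or from this presentation), here is a hypothetical permit-combining block with an assert on undefined inputs, followed by a testbench that drives every input combination and checks each result; the entity, port and signal names are assumed.

```vhdl
library ieee;
use ieee.std_logic_1164.all;
-- Hypothetical permit-combining block (rules 4 and 6): small enough to test exhaustively.
entity permit_and is
  generic (N : positive := 4);                              -- number of user permit inputs
  port (clk         : in  std_logic;
        user_permit : in  std_logic_vector(N-1 downto 0);  -- '1' = that user system gives permit
        beam_permit : out std_logic);                       -- '1' only when ALL inputs are '1'
end entity;
architecture rtl of permit_and is
  signal permit_r : std_logic := '0';   -- fail-safe power-up value: no permit
begin
  process (clk)
    variable all_ok : std_logic;
  begin
    if rising_edge(clk) then
      -- Rule 4: an undefined input must never be silently accepted as a permit.
      assert not is_x(user_permit)
        report "user_permit contains U/X; fail-safe path taken" severity error;
      all_ok := '1';
      for i in user_permit'range loop
        all_ok := all_ok and user_permit(i);
      end loop;
      -- Anything but a clean '1' on every input (an 'X' included) gives no permit.
      if all_ok = '1' then permit_r <= '1'; else permit_r <= '0'; end if;
    end if;
  end process;
  beam_permit <= permit_r;
end architecture;

-- Rule 5: a testbench that drives every one of the 2**N input combinations and checks each result.
library ieee;
use ieee.std_logic_1164.all;
use ieee.numeric_std.all;
entity tb_permit_and is end entity;
architecture sim of tb_permit_and is
  constant N : positive := 4;
  signal clk : std_logic := '0';
  signal up  : std_logic_vector(N-1 downto 0) := (others => '0');
  signal bp  : std_logic;
begin
  dut : entity work.permit_and generic map (N) port map (clk, up, bp);
  stim : process
  begin
    for v in 0 to 2**N - 1 loop
      up <= std_logic_vector(to_unsigned(v, N));
      wait for 5 ns; clk <= '1'; wait for 5 ns; clk <= '0';  -- settle inputs, then one rising edge
      assert (bp = '1') = (v = 2**N - 1)                      -- permit only when every bit is '1'
        report "beam_permit wrong for input " & integer'image(v) severity failure;
    end loop;
    wait;
  end process;
end architecture;
```

Because the block has only N inputs and one register, the testbench can cover its whole input space; that is what makes "small blocks that can be completely tested" a checkable rule rather than a slogan.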

Page 12: Interesting Times…


FIN