What is Safety?
Safety vs. Security
These two concepts are often mixed up.
In German, there is just one term for both ("Sicherheit").
Seen from the system:
- Security = protection of the system against attacks (harm done to the system from outside, by an adversary)
- Safety = the system does not cause harm (to people, property or the environment)
SILs and Dangerous Failure Probability
Railway Signalling Systems
Signalling and Switching
Axle Counters
Applications for ETCS
(Old) Interlocking Systems
Mechanical / Electromechanical Systems
Signal Box / Interlocking Tower
Electric system with some electronics
Modern Signal Box / Interlocking Tower
Lots of electronics and computer systems
What is a Hazard?
Hazard:
- a physical condition of the platform that threatens the safety of personnel or the platform, i.e. can lead to an accident
- a condition of the platform that, unless mitigated, can develop into an accident through a sequence of normal events and actions
- "an accident waiting to happen"
Examples:
- oil spilled on a staircase
- failed train detection system at an automatic railway level crossing
- loss of thrust control on a jet engine
- loss of communication
- distorted communication
- undetectably incorrect output
Hazard Severity Level (Example)
Category     | Id | Definition
CATASTROPHIC | I  | General: a hazard which may cause death, system loss, or severe property or environmental damage.
Hazard Probability Level (Example)
Level      | Probability P [h^-1] | Definition                                               | Occurrences per year
Frequent   | P ≥ 10^-3            | may occur several times a month                          | more than 10
Probable   | 10^-3 > P ≥ 10^-4    | likely to occur once a year                              | 1 to 10
Occasional | 10^-4 > P ≥ 10^-5    | likely to occur in the life of the system                | 10^-1 to 1
Remote     | 10^-5 > P ≥ 10^-6    | unlikely but possible to occur in the life of the system | 10^-2 to 10^-1
Improbable | 10^-6 > P ≥ 10^-7    | very unlikely to occur                                   | 10^-3 to 10^-2
Incredible | P < 10^-7            | extremely unlikely, if not inconceivable to occur        | less than 10^-3
Risk Classification Scheme (Example)
Rows: Hazard Probability level; columns: Hazard Severity category; cell: risk class.
Hazard Probability | CATASTROPHIC | CRITICAL | MARGINAL | NEGLIGIBLE
Frequent           | A            | A        | A        | B
Probable           | A            | A        | B        | C
Occasional         | A            | B        | C        | C
Remote             | B            | C        | C        | D
Improbable         | C            | C        | D        | D
Incredible         | C            | D        | D        | D
Risk Class Definition (Example)
Risk Acceptability
Risk Tolerability
Flow chart:
Hazard → assess Severity and Probability → Risk
Compare the Risk against the Risk Criteria: Tolerable?
- Yes → done
- No → apply Risk Reduction Measures, then re-assess the Hazard
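The classification scheme and the tolerability loop above, carried through as an added worked example in C (this is not code from the slides). It encodes the probability levels and the risk matrix exactly as tabulated. The slides do not define which risk classes are tolerable, so treating C and D as tolerable, the hazard's initial rate of 2e-5 per hour and the reduction factors of the two measures are assumptions chosen for illustration; the function and type names are my own.

```c
#include <stdio.h>

/* Hazard severity categories, in the column order of the risk matrix. */
typedef enum { CATASTROPHIC, CRITICAL, MARGINAL, NEGLIGIBLE, N_SEVERITIES } severity_t;

/* Hazard probability levels, in the row order of the risk matrix. */
typedef enum { FREQUENT, PROBABLE, OCCASIONAL, REMOTE, IMPROBABLE, INCREDIBLE,
               N_LEVELS } level_t;

static const char *LEVEL_NAMES[N_LEVELS] = {
    "Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible" };

/* Lower bound of P [1/h] for each level (slide table); P below 1e-7 is Incredible. */
static const double LEVEL_LOWER_BOUND[N_LEVELS - 1] = { 1e-3, 1e-4, 1e-5, 1e-6, 1e-7 };

/* Risk classification matrix, row = probability level, column = severity. */
static const char RISK_MATRIX[N_LEVELS][N_SEVERITIES] = {
    /* CAT  CRIT MARG NEGL */
    { 'A', 'A', 'A', 'B' },  /* Frequent   */
    { 'A', 'A', 'B', 'C' },  /* Probable   */
    { 'A', 'B', 'C', 'C' },  /* Occasional */
    { 'B', 'C', 'C', 'D' },  /* Remote     */
    { 'C', 'C', 'D', 'D' },  /* Improbable */
    { 'C', 'D', 'D', 'D' },  /* Incredible */
};

#define HOURS_PER_YEAR 8760.0

/* Bin a rate of occurrence [1/h] into the slide's probability levels. */
level_t probability_level(double rate_per_hour)
{
    for (int i = 0; i < N_LEVELS - 1; i++)
        if (rate_per_hour >= LEVEL_LOWER_BOUND[i])
            return (level_t)i;
    return INCREDIBLE;
}

double occurrences_per_year(double rate_per_hour) { return rate_per_hour * HOURS_PER_YEAR; }

char risk_class(double rate_per_hour, severity_t sev)
{
    return RISK_MATRIX[probability_level(rate_per_hour)][sev];
}

/* ASSUMPTION: the slides do not define the risk classes; here C and D are
 * taken as tolerable, A and B as requiring risk reduction. */
int is_tolerable(char cls) { return cls == 'C' || cls == 'D'; }

typedef struct { const char *description; double rate_reduction_factor; } measure_t;

/* The tolerability loop of the flow chart: while the risk class is not tolerable
 * and measures remain, apply the next measure (modelled as dividing the rate by
 * its reduction factor) and re-classify. trail[] receives the class after each
 * step (trail[0] = before any measure); the return value is its length. */
int reduce_until_tolerable(double rate_per_hour, severity_t sev,
                           const measure_t *measures, int n_measures,
                           char *trail, double *final_rate)
{
    int n = 0;
    char cls = risk_class(rate_per_hour, sev);
    trail[n++] = cls;
    for (int i = 0; i < n_measures && !is_tolerable(cls); i++) {
        rate_per_hour /= measures[i].rate_reduction_factor;
        cls = risk_class(rate_per_hour, sev);
        trail[n++] = cls;
    }
    *final_rate = rate_per_hour;
    return n;
}

/* Constructed demo: the "failed train detection at an automatic level crossing"
 * hazard from the slide, with a hypothetical initial rate and hypothetical
 * reduction factors for two measures (all numbers are assumptions, not data). */
#define DEMO_N_MEASURES 2
static const double DEMO_RATE = 2e-5;   /* 1/h */
static const measure_t DEMO_MEASURES[DEMO_N_MEASURES] = {
    { "periodic self-test of the detection loop",                  10.0 },
    { "second, diverse detection channel with 2oo2 comparison",   100.0 },
};

static int demo(char trail[1 + DEMO_N_MEASURES], double *final_rate)
{
    return reduce_until_tolerable(DEMO_RATE, CATASTROPHIC, DEMO_MEASURES,
                                  DEMO_N_MEASURES, trail, final_rate);
}
int  demo_steps(void)       { char t[1 + DEMO_N_MEASURES]; double r; return demo(t, &r); }
char demo_final_class(void) { char t[1 + DEMO_N_MEASURES]; double r; int n = demo(t, &r); return t[n - 1]; }

int main(void)
{
    char trail[1 + DEMO_N_MEASURES];
    double rate = DEMO_RATE, final_rate;
    int n = demo(trail, &final_rate);
    printf("initial: P=%.1e/h (%.3f/year) -> %s -> class %c\n", rate,
           occurrences_per_year(rate), LEVEL_NAMES[probability_level(rate)], trail[0]);
    for (int i = 1; i < n; i++) {
        rate /= DEMO_MEASURES[i - 1].rate_reduction_factor;
        printf("after '%s': P=%.1e/h -> %s -> class %c%s\n",
               DEMO_MEASURES[i - 1].description, rate,
               LEVEL_NAMES[probability_level(rate)], trail[i],
               is_tolerable(trail[i]) ? " (tolerable)" : "");
    }
    return is_tolerable(trail[n - 1]) ? 0 : 1;
}
```

With the assumed numbers the hazard starts at Occasional/CATASTROPHIC = class A; the first measure only reaches Remote = class B, so the loop runs a second time and the diverse second channel brings it to Incredible = class C. Note that a measure changes the probability axis only; the severity of the level-crossing hazard stays CATASTROPHIC throughout, which is why even an Improbable occurrence still lands in class C rather than D.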
What are Safety Requirements?
Layers of Diversity
Layer (abstraction)               | Diversity examples
Implementation (e.g. source code) | e.g. N-version coding
Realisation (e.g. object code)    | e.g. diverse compilers
HW (CPU, memory, ...)             | e.g. diverse CPUs
Examples for Diversity
- Specification Diversity
- Design Diversity
- Data Diversity
- Time Diversity
- Hardware Diversity
- Compiler Diversity
- Automated Systematic Diversity
- Testing Diversity
- Diverse Safety Arguments
- ...
Some faults to be targeted: programming bugs, specification faults, compiler faults, CPU faults, random hardware faults (e.g. bit flips), security attacks, ...
Compiler Diversity
Use of two diverse compilers to compile one common source code.

Common source code (Module A):
    ...
    Module A
    {
      int i;
      int end;
      get(end);
      for i = 1 to end
        result = func(i, result);
        POS[i] = result;
      next
    }
    ...

Diverse compilers (Compiler A, Compiler B):
- different manufacturer
- different version
- different compiler options

Diverse object code (?):
    Compiler A:            Compiler B:
    ...                    ...
    move $4, A             add ($66533), A
    jmp $54256             ret
    add ($5436), B         ...
    ...
    move $4, C
    ...
Compiler Diversity: Issues
Targeted faults:
- systematic compiler faults
- some systematic and permanent hardware faults: the two binaries use different registers, addresses and instruction sequences, so even when both are executed on one board a permanent fault need not affect both channels in the same way
Issues:
- to some degree possible with one compiler and different compile options (optimisation on/off, ...)
- if compilers from different manufacturers are taken, independence must be ensured (compilers that share a code generator, back-end or runtime library are not independent, whatever the vendor label says)
Systematic Automatic Diversity
What can be "diversified":
- memory usage
- execution sequence
- statement structures
- array references
- data coding
- register usage
- addressing modes
- pointers
- mathematical and logic rules
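To make the list above and the "Data Diversity" and "Design Diversity" items of the earlier slide concrete, here is an added example in C (not code from the slides): one specification, a weighted sum over sensor readings, implemented as two channels. Channel A is the straightforward version; channel B applies several of the listed diversifications by hand (reversed execution sequence, array references from the end, complemented data coding, a different mathematical formulation, complemented result coding), and a 2-out-of-2 voter compares the two. The sample readings, the function names and the single-bit fault injection are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 8
/* Constructed sample input (hypothetical sensor readings, not from the slides). */
static const uint16_t SAMPLE[N] = { 3, 7, 12, 0, 25, 9, 4, 11 };

/* Channel A: plain implementation of the specification "weighted sum of the
 * readings, weight = position + 1": forward loop, values used as stored. */
uint32_t channel_a(const uint16_t *v, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += (uint32_t)v[i] * (uint32_t)(i + 1);
    return acc;
}

/* Channel B: same specification, systematically diversified along the axes
 * listed on the slide:
 *  - execution sequence : loop runs from the last element to the first
 *  - array references   : element k is addressed as v[n - 1 - k]
 *  - data coding        : each value is processed as its 16-bit complement c = ~v
 *  - mathematical rules : v*w is never formed; since v = 0xFFFF - c,
 *                         sum(v*w) = 0xFFFF*sum(w) - sum(c*w)
 *  - result coding      : the sum is returned as its bitwise complement
 * A fault that hits only one channel (bit flip in its data, a miscompiled loop,
 * a stuck register) is very unlikely to corrupt both results consistently. */
uint32_t channel_b(const uint16_t *v, size_t n)
{
    uint32_t sum_w = 0, sum_cw = 0;
    for (size_t k = 0; k < n; k++) {
        size_t idx = n - 1 - k;                    /* address from the end */
        uint32_t w = (uint32_t)(idx + 1);          /* same weight as channel A */
        uint32_t c = (uint32_t)(uint16_t)~v[idx];  /* complemented data coding */
        sum_w  += w;
        sum_cw += c * w;
    }
    return ~(0xFFFFu * sum_w - sum_cw);             /* complemented result */
}

/* 2-out-of-2 voter: decode channel B and compare with channel A.
 * Returns 1 and the agreed value on a match, 0 on mismatch (go to safe state). */
int vote(uint32_t a, uint32_t b_coded, uint32_t *out)
{
    if (a != ~b_coded)
        return 0;
    *out = a;
    return 1;
}

int compute_checked(const uint16_t *v, size_t n, uint32_t *out)
{
    return vote(channel_a(v, n), channel_b(v, n), out);
}

/* Voted result for SAMPLE, or UINT32_MAX if the channels disagree. */
uint32_t checked_sample_value(void)
{
    uint32_t out;
    return compute_checked(SAMPLE, N, &out) ? out : UINT32_MAX;
}

/* Fault injection: flip one bit (bit < 16) in channel B's private copy of the
 * data, i.e. a random hardware fault in one channel. Returns 1 if the voter
 * detects the mismatch. */
int demo_bitflip_detected(size_t index, unsigned bit)
{
    uint16_t copy_b[N];
    uint32_t out;
    memcpy(copy_b, SAMPLE, sizeof copy_b);
    copy_b[index] ^= (uint16_t)(1u << bit);
    return vote(channel_a(SAMPLE, N), channel_b(copy_b, N), &out) == 0;
}

/* Limit of the technique: a fault in input shared by both channels is not
 * detected, because both channels faithfully compute the same wrong value. */
int demo_common_input_fault_detected(void)
{
    uint16_t shared[N];
    uint32_t out;
    memcpy(shared, SAMPLE, sizeof shared);
    shared[2] ^= 1u << 5;                          /* corruption seen by both */
    return vote(channel_a(shared, N), channel_b(shared, N), &out) == 0;
}

int main(void)
{
    uint32_t out;
    if (compute_checked(SAMPLE, N, &out))
        printf("channels agree: %u\n", (unsigned)out);
    else
        printf("channel mismatch -> safe state\n");
    printf("single-channel bit flip detected: %d\n", demo_bitflip_detected(4, 3));
    printf("common-input fault detected:      %d\n", demo_common_input_fault_detected());
    return 0;
}
```

Because every weight is at least 1, any single bit flip in one channel's data changes that channel's sum and the voter refuses the result, which is the point of keeping the channels' data and arithmetic different. The last function shows the caveat a reviewer should ask about: diversity of processing does nothing against a fault in the common input (or a common specification fault), which is why the slides list specification diversity and hardware diversity as separate layers rather than relying on diverse code alone.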