8 Problems with Solutions for Assignment 3 - Dependability | CS 686, Assignments of Computer Science

Material Type: Assignment; Professor: Knight; Class: Dependability; Subject: Computer Science; University: University of Virginia; Term: Spring 2008;

Uploaded on 07/29/2009

Department of Computer Science University of Virginia
CS686 SPRING 2008
ASSIGNMENT 3
SAMPLE SOLUTIONS
1. N/A.
2. Already distributed.
3. There are two fundamental problems with systems that are designed to warn people about hazardous states: (a) failure to warn when a hazardous state exists; and (b) warning when a hazardous state does not exist. Consider the system in Storey problem 3.23 and suppose that there is an alarm light to warn operators that the system has turned off the heater to avoid the stated hazard, i.e., the power switch is also connected to a warning light. The fault tree is dealing, in part, with problem (a) except that the goal is to prevent the hazard. Examine the design of the system and document the circumstances when problem (b) might arise.
In this case, an alarm will be raised when no hazard exists if the pressure sensor, the alarm relay or the siren fails in the "closed" position. For example, if the alarm relay fails closed, it will activate the alarm although no hazard exists.
4. Problem (b) in question 3 is often referred to as "false alarms". False alarms are a serious problem because they cause operators to lose confidence in the alarm system. In the most extreme cases, operators actually turn warning systems off. This is a computer system dependability problem that is somewhat different from the topics that we have discussed in class. Document as a series of bullets (no essays please) a set of general techniques that you might consider to help avoid false alarms. (10)
• Duplicate each component and require them to operate in series. This is not a good approach because it leads to lots more chances of type (a) failures.
• Duplicate the entire warning circuit and take the logical AND of the two systems. This approach has problems too: a type (a) failure in either copy now silences the whole system.
• Use very high quality components. This works provided you know what the population failure statistics are for the components.
• Use different technology such as solid state relays instead of mechanical relays.
• Test the warning system regularly.
• Demand a signal duration of delta-t to avoid noise.
• Preventive maintenance on the alarm system.
• Less sensitive algorithms.
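The following is an added example (not part of the CS686 solutions or of Storey's text) that puts numbers on the answers to questions 3 and 4 above. It models each contact of the sensor-relay-siren chain as OK, stuck open or stuck closed, enumerates every fault pattern to get exact false-alarm and missed-alarm probabilities for the single chain, the series-duplicated chain and the AND of two circuits, and includes the delta-t debounce rule. The chain structure, the per-contact fault probabilities and the noisy sample sequence are assumptions made for the example.

```python
"""False alarm vs. missed alarm for a series warning chain (sensor, relay, siren).

Added example, not taken from the CS686 solutions or from Storey: every contact
in the chain is modelled as OK, stuck open (never conducts) or stuck closed
(always conducts). Faults are assumed independent and permanent; the
probabilities used at the bottom are constructed for illustration.
"""
from itertools import product

OK, OPEN, CLOSED = "ok", "stuck_open", "stuck_closed"
STATES = (OK, OPEN, CLOSED)

# A design is a tuple of chains; a chain is a tuple giving, per stage, how many
# contacts are wired in series inside that stage. The alarm sounds only if
# every chain delivers a signal (logical AND of the chains).
SINGLE = ((1, 1, 1),)                  # pressure sensor -> alarm relay -> siren
SERIES_DUP = ((2, 2, 2),)              # each component doubled, the pair in series
AND_OF_TWO = ((1, 1, 1), (1, 1, 1))    # two complete circuits, ANDed


def contact_conducts(driven, fault):
    """A contact passes current if it is driven and not stuck open, or if stuck closed."""
    if fault == CLOSED:
        return True
    if fault == OPEN:
        return False
    return driven


def chain_out(hazard, widths, faults):
    """Signal leaving a chain: a stage drives the next only if all its contacts conduct."""
    sig = hazard
    i = 0
    for w in widths:
        sig = all(contact_conducts(sig, f) for f in faults[i:i + w])
        i += w
    return sig


def alarm(hazard, design, faults):
    """True if the warning is raised for this design under this fault pattern."""
    out, i = True, 0
    for widths in design:
        n = sum(widths)
        out = chain_out(hazard, widths, faults[i:i + n]) and out
        i += n
    return out


def failure_rates(design, p_open, p_closed):
    """Exact P(false alarm) and P(missed alarm) by enumerating every fault pattern.

    p_open / p_closed are per-contact probabilities of being stuck open / stuck
    closed at the moment of demand (assumed independent).
    """
    n = sum(sum(widths) for widths in design)
    weight = {OK: 1.0 - p_open - p_closed, OPEN: p_open, CLOSED: p_closed}
    false_alarm = missed = 0.0
    for faults in product(STATES, repeat=n):
        pr = 1.0
        for f in faults:
            pr *= weight[f]
        if alarm(False, design, faults):       # no hazard, alarm sounds: problem (b)
            false_alarm += pr
        if not alarm(True, design, faults):    # hazard present, no alarm: problem (a)
            missed += pr
    return false_alarm, missed


def single_fault_false_alarms(design):
    """Indices of contacts whose stuck-closed fault, on its own, raises a false alarm."""
    n = sum(sum(widths) for widths in design)
    hits = []
    for i in range(n):
        faults = [OK] * n
        faults[i] = CLOSED
        if alarm(False, design, faults):
            hits.append(i)
    return hits


def debounce(samples, hold):
    """Latch the alarm only after `hold` consecutive asserted samples (the delta-t rule).

    Returns the sample index at which the alarm latches, or None. Glitches shorter
    than `hold` samples are ignored; a genuine hazard is reported hold-1 samples late.
    """
    run = 0
    for i, s in enumerate(samples):
        run = run + 1 if s else 0
        if run >= hold:
            return i
    return None


if __name__ == "__main__":
    P_OPEN, P_CLOSED = 0.01, 0.005   # constructed per-contact fault probabilities
    for name, design in (("single chain", SINGLE),
                         ("series duplication", SERIES_DUP),
                         ("AND of two circuits", AND_OF_TWO)):
        fa, miss = failure_rates(design, P_OPEN, P_CLOSED)
        print(f"{name:20s} false alarm={fa:.6f}  missed alarm={miss:.6f}")
    print("single chain: contacts whose stuck-closed fault alone raises a false alarm:",
          single_fault_false_alarms(SINGLE))
    noisy = [0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1]   # constructed: two glitches, then a real hazard
    print("debounce(hold=3) latches at sample", debounce(noisy, 3))
```

With the constructed probabilities, the single chain confirms the question 3 answer (each of the three contacts raises a false alarm on its own), series duplication cuts the false-alarm probability by roughly two orders of magnitude while about doubling the missed-alarm probability, and the AND of two circuits lands between them on false alarms while paying about the same missed-alarm penalty as series duplication. The debounce rule drops the two short glitches at the cost of reporting the real hazard two samples late, which is the latency a delta-t requirement always adds.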
5. For the B777 incident, document the failed component combinations that were deemed safe
for flight.

One failed sensor in the Air Data Inertial Reference Unit (ADIRU) still allows dispatch.

6. For the B777 incident, clearly the aircraft was in a hazardous state. What were the characteristics of the state that made it hazardous?

A sensor had failed, but the aircraft's software system was unaware of it: the record of the failure was lost at power off.

7. For the B777 incident, how and when did the hazardous state arise?

When the power cycle deleted the data about the failed ADIRU sensor.

8. For the B777 incident, what specific development steps should have been done to avoid the serious incident that occurred?

Obviously this is a very complex issue. If it were simple, the problem would never have arisen. We can approach the problem by applying the general approach we have been discussing. The airplane entered a hazardous state and should not have. The hazardous state was almost certainly correctly identified in the hazard analysis process. If not (and obviously this would be checked), then the hazard analysis process needs to be reexamined.

If the hazard was properly documented, then the next step is to suspect the fault-tree analysis. Since the development of a fault tree is informal, the possibility of a mistake is very real. The fault tree will not document much detail of the software because the defects in the software will be design faults. It is likely that analysis of the software in this case was incomplete.

Much of the observed behavior was quite bizarre. An important practical approach would be to apply what are called “reasonableness” checks to the software. No aircraft would ever actually do what the software thought it was doing. There should have been code that said: “Hey, wait a minute, this doesn’t make sense. Do you want me to ignore it?”

Finally, this is an example of seriously flawed failure semantics. The sensors should be built in a way that forced recognizably defective values (like zeros) after failure. The failed sensor was recognized, and it would have been fairly simple to design the sensor so that its output was disconnected after it was declared failed.
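The following is an added example, not part of the CS686 solutions and not a model of any real ADIRU, that demonstrates the three remedies discussed in questions 6 through 8: remembering a sensor's failed status across a power cycle, applying a reasonableness check to what the sensors report, and giving a failed sensor fail-silent semantics so its output is recognizably defective. The unit, its two-sensor layout, the readings and the plausibility band are all assumptions made for the example.

```python
"""Keeping a sensor fault record across a power cycle, plus a reasonableness check.

Added example, not from the CS686 solutions and not a model of any real ADIRU:
a toy redundant-sensor unit whose fault flags live either in volatile memory
(lost at power off, the failure mode described above) or in a simulated
non-volatile store. Readings and the plausibility band are constructed.
"""
from statistics import median

# Constructed plausibility band for a vertical accelerometer, in g.
ACCEL_MIN_G, ACCEL_MAX_G = -2.0, 2.0


def reasonable(value):
    """Reasonableness check: reject NaN and anything outside the physical band."""
    return value == value and ACCEL_MIN_G <= value <= ACCEL_MAX_G


def sensor_output(true_value, declared_failed):
    """Failure semantics asked for above: a sensor declared failed emits a
    recognizably defective value (NaN) rather than plausible-looking data."""
    return float("nan") if declared_failed else true_value


class SensorUnit:
    """Consolidates several redundant sensors into one trusted reading."""

    def __init__(self, n_sensors, nvm=None):
        self.n = n_sensors
        self.nvm = nvm          # dict that survives power cycles, or None (volatile only)
        self.failed = set()
        self.power_on()

    def power_on(self):
        """At power up, fault flags come back only if they were stored in NVM."""
        if self.nvm is not None:
            self.failed = set(self.nvm.get("failed", ()))
        else:
            self.failed = set()

    def mark_failed(self, idx):
        """Declare sensor idx failed; persist the declaration if a store exists."""
        self.failed.add(idx)
        if self.nvm is not None:
            self.nvm["failed"] = sorted(self.failed)

    def read(self, raw):
        """Return (consolidated value, indices used) or (None, []) if nothing is trusted.

        Declared-failed sensors are excluded first; the rest must pass the
        reasonableness check; the median of what remains is reported.
        """
        used = [i for i, v in enumerate(raw)
                if i not in self.failed and reasonable(v)]
        if not used:
            return None, []
        return median(raw[i] for i in used), used


def after_power_cycle(persistent):
    """Sensor 1 is declared failed, then the unit is power cycled.

    Sensor 1 keeps emitting a wrong but in-band value (constructed), so only the
    remembered declaration, not the reasonableness check, can exclude it.
    """
    nvm = {} if persistent else None
    unit = SensorUnit(2, nvm)
    unit.mark_failed(1)
    unit = SensorUnit(2, nvm)          # power cycle: fresh unit, same store
    raw = [0.98, 1.60]                 # constructed: sensor 0 healthy (~1 g), sensor 1 wrong
    return unit.read(raw)


if __name__ == "__main__":
    print("volatile flags:  ", after_power_cycle(False))   # failed sensor silently back in use
    print("persistent flags:", after_power_cycle(True))
    print("fail-silent sensor:", SensorUnit(2).read([0.99, sensor_output(1.6, True)]))
```

With volatile flags the power cycle reinstates sensor 1 and its wrong value is averaged into the result; with the persisted declaration it stays excluded. The last line shows the alternative the solution proposes on the sensor side: a failed sensor that emits NaN is rejected by the reasonableness check even if the unit has forgotten the declaration.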