Integrate hardware/software device testing for use in a safety-critical application

Cited by: 1
Authors
Kaufman, LM [1]
Salinas, MH [1]
Williams, RD [1]
Giras, TC [1]
Affiliation
[1] Univ Virginia, Ctr Rail Safety Crit Excellence, Charlottesville, VA 22904 USA
Source
ANNUAL RELIABILITY AND MAINTAINABILITY SYMPOSIUM, 2003 PROCEEDINGS | 2003
Keywords
modeling and simulation; effective risk assessment analysis
DOI
10.1109/RAMS.2003.1181914
CLC classification
T [Industrial technology]
Subject classification
08
Abstract
As processor-based technologies replace aging electro-mechanical appliances in safety-critical applications such as train and transit systems, demonstrating their safety before actual use is of utmost importance. Traditional fault injection techniques reflect the presence of hardware/software (physical) faults in an appliance but ignore the effects of the appliance's intended operational environment on its performance. Furthermore, fault injection testing is limited in its effectiveness when appliances are built from processor-based technologies using Commercial Off The Shelf (COTS) products: the analyst is denied detailed knowledge of the appliance's design and implementation, so the identification and injection of faults to test these systems is at best a highly debatable process. In train and transit applications, a single hazard (fault) can be catastrophic, with societal costs ranging from loss of life to major asset damage. The Axiomatic Safety-Critical Assessment Process (ASCAP) [1-4] has been demonstrated as a competent method for assessing the risk associated with train and transit systems. ASCAP concurrently simulates the movement of n trains within a given system from the perspective of the individual trains. During simulation, each train interacts with a series of appliances located along the track, within the trains and at a central office. Within ASCAP, each appliance is represented by a probabilistic multistate model whose state selection is decided by a Monte Carlo process. In lieu of exercising this multistate model for a given appliance, the ASCAP methodology supports the inclusion of actual appliances within the simulation platform. Hence, an appliance can be fault tested in a simulation environment that emulates the actual operational environment to which it will be exposed.
The ASCAP software can interface with a given appliance through an Input/Output (I/O) node contained within its executing platform. This node gives the ASCAP software the capability to communicate with an external device, such as a track or an onboard appliance. When a train intersects a particular appliance, the ASCAP simulator can query the actual appliance to ascertain its status, and this state information is then used by ASCAP in lieu of its multistate model of the appliance. This simulation process provides a mechanism to determine the appliance's ability to perform its intended safety-critical function in the presence of hardware/software design faults within its intended operational environment. By quantifying these effects before a new appliance is deployed, credible and convincing evidence can be prepared to ensure that overall system safety will not be adversely impacted.
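The substitution the abstract describes (a probabilistic multistate model that can be swapped for a live query of the real device when a train reaches that appliance) is sketched below as an added Python example. It is not ASCAP's code: the page does not describe ASCAP's data structures, state labels or I/O node interface, so the state names and probabilities, the `HAZARDOUS` set, the departure schedule of the trains and the `faulty_device_stub` standing in for the I/O node are all assumptions made for illustration.

```python
"""Sketch of a train-vs-appliance simulation with two interchangeable
appliance representations: a Monte Carlo multistate model and an external
device queried through a stand-in for the I/O node.  Illustrative only;
ASCAP's actual structures are not described on this page."""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, Protocol

# State labels and the hazardous subset are assumptions for this example.
HAZARDOUS = {"UNSAFE_FAIL"}


class Appliance(Protocol):
    def query_state(self, train_id: int, step: int) -> str: ...


@dataclass
class MultiStateModel:
    """Probabilistic multistate appliance; each query draws a state."""
    states: Dict[str, float]  # state label -> probability, summing to 1
    rng: random.Random = field(default_factory=random.Random)

    def __post_init__(self) -> None:
        total = sum(self.states.values())
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"state probabilities sum to {total}, not 1")

    def select(self, u: float) -> str:
        """Map a uniform draw u in [0, 1) onto a state via cumulative mass."""
        acc = 0.0
        for state, p in self.states.items():
            acc += p
            if u < acc:
                return state
        return next(reversed(self.states))  # rounding guard for u close to 1

    def query_state(self, train_id: int, step: int) -> str:
        return self.select(self.rng.random())


@dataclass
class ExternalAppliance:
    """Stand-in for the I/O node: forwards the query to whatever talks to
    the real device.  'io_query' here is a constructed stub, not a driver."""
    io_query: Callable[[int, int], str]

    def query_state(self, train_id: int, step: int) -> str:
        return self.io_query(train_id, step)


def simulate(n_trains: int, track_len: int,
             appliances: Dict[int, Appliance]) -> Dict[str, int]:
    """Advance all trains together one position per step (train k departs at
    step k, an assumed schedule).  Whenever a train reaches a position that
    holds an appliance, query that appliance and tally hazardous states."""
    tally = {"queries": 0, "hazards": 0}
    for step in range(track_len + n_trains):
        for train_id in range(n_trains):
            pos = step - train_id
            if not 0 <= pos < track_len:
                continue  # not yet departed, or already left the track
            appliance = appliances.get(pos)
            if appliance is None:
                continue
            tally["queries"] += 1
            if appliance.query_state(train_id, step) in HAZARDOUS:
                tally["hazards"] += 1
    return tally


def hazard_fraction(tally: Dict[str, int]) -> float:
    """Fraction of appliance queries that returned a hazardous state."""
    return tally["hazards"] / tally["queries"] if tally["queries"] else 0.0


def faulty_device_stub(train_id: int, step: int) -> str:
    """Constructed fault: the 'device' answers unsafe for every even-numbered
    train, mimicking an injected hardware/software fault under test."""
    return "UNSAFE_FAIL" if train_id % 2 == 0 else "OK"


if __name__ == "__main__":
    rng = random.Random(2003)  # fixed seed so the run is reproducible
    modelled = MultiStateModel(
        {"OK": 0.97, "SAFE_FAIL": 0.02, "UNSAFE_FAIL": 0.01}, rng)
    layout = {5: modelled, 12: ExternalAppliance(faulty_device_stub)}
    result = simulate(n_trains=1000, track_len=20, appliances=layout)
    print(result, round(hazard_fraction(result), 4))
```

The point of the `Appliance` protocol is that `simulate` never knows which representation it is talking to; replacing the modelled appliance at position 12 with the queried one changes nothing in the simulation loop, which is what lets a real device be exercised against the same traffic pattern the model would have seen.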
Pages: 132-137
Page count: 6
References (14 in total)
[1] Anonymous. P EUR DEP COMP C.
[2] Arlat, J; Costes, A; Crouzet, Y; Laprie, JC; Powell, D. Fault injection and dependability evaluation of fault-tolerant systems. IEEE Transactions on Computers, 1993, 42(8): 913-923.
[3] Arlat, J; Aguera, M; Amat, L; Crouzet, Y; Fabre, JC; Laprie, JC; Martins, E; Powell, D. Fault injection for dependability validation: a methodology and some applications. IEEE Transactions on Software Engineering, 1990, 16(2): 166-182.
[4] Constantinescu, C. Validation of the fault/error handling mechanisms of the Teraflops supercomputer. Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing, Digest of Papers, 1998: 382-389.
[5] Karlsson, P. P 5 ANN C DEP COMP C, 1995.
[6] Kaufman, LM. P 9 IFAC S CONTR TRA, 2000, V2: 534.
[7] Kaufman, LM. WSC'01: Proceedings of the 2001 Winter Simulation Conference, Vols 1 and 2, 2001: 1380. DOI 10.1109/WSC.2001.977459
[8] Kaufman, LM. CSX COMMUNICATION BA, 2001.
[9] Madeira, H. P 24 INT S FAULT TOL, 1994: 350.
[10] Monfalcone, ME; Kaufman, LM; Giras, TC. Safety modeling of a direct traffic control (DTC) train control system using the Axiomatic Safety-Critical Assessment Process (ASCAP). Annual Reliability and Maintainability Symposium, 2001 Proceedings, 2001: 352-357.