An advanced weapon and space systems company
23rd ISSC/NWSSS Conference, C. Forni, B. Blake – 08-23-2005
Remote Controlled & Recoverable Munitions Safety Architecture Development
Remote Controlled & Recoverable Munitions: Architecture Design Drivers
Off-On-Off operation drives the design
For munitions systems, reliably arming, then disarming is a new concept
After a return to safe, it is necessary for the munitions to monitor and report the safety status to the remote controller
Off-On-Off System must support safe operation even when there has been a loss of control functionality. This is necessary whether or not that control is physically separate from the source of hazard
Remote Controlled & Recoverable Munitions: Architecture Design Drivers (Continued)
For remote controlled systems, safety can’t be allocated to a single isolated component (fuze). Safety critical command and control functions are distributed throughout the system
To address in an efficient and cost effective manner, safety must be involved throughout the concept and early development phase
The following hazardous conditions must be addressed across the distributed control components:
Inadvertent hazardous functions
Unintentional hazardous functions
Failure to return to a non-hazardous state when commanded
Erroneous safety data
Remote Controlled & Recoverable Munitions: Safety Activities and Development Process
Safety activities needed during the Concept and Early Development Phases
Criticality Assessment
Hazards and Causal Factor Identification
Mitigation Development
Safety activities performed iteratively during both system and subsystem development
Safety activities instrumental in shaping both the architecture of the system and the final criticality of the subsystems
Remote Controlled & Recoverable Munitions: Safety Activities within the Development Process
[Flow diagram. Development process activities, top to bottom: Obtain customer requirements, perform trade studies, and develop system concept; Define System, CONOPS, and develop partitioning approach; Create and Document System behavior model, functions, & Interfaces; Allocate, Define, and Document Subsystem behavior models & Interfaces; Define and Document Subsystem Requirements and Interfaces; Define and Document Functional Requirements; Define and Document Interface Design; Iterate. Safety design activities run alongside System / Subsystem Definition and Analysis and are repeated at the system and subsystem levels: Identify Criticality (to help isolate and partition SC functions); Identify Hazards and Causal Factors (to help determine req mitigations); Develop Mitigations (to prevent hazards). Key: Safety Design Activity vs Development Process Activity.]
Remote Controlled & Recoverable Munitions: Physical vs Functional Components (Example System)
Physical Components
Remote Control Device
Comm relay device (optional)
Munitions
Functional Components
Remote Control (RC) Subsystem
Communications Subsystem
Munitions Controller (MC) Subsystem
[Diagram, drawn three times for different operator/munition configurations, overlaying physical (hardware) partitions on functional partitions. Functional partitions and their assigned criticality: Remote Control of Fuze: Medium Safety Criticality (II) (Reduced Safety Control); Remote Control Link (Pipe): Low Safety Criticality (III) (Eliminated Safety Control); Fuze & Munitions: High Safety Criticality (I) (Maximized Safety Control). Hardware shown: Operator (Logistics or Tactical) with the RCU (XCVR, OS, App SW, Controls & Display) or a logistics Computer; optional REPEATER forming the Communications Subsystem; MC (XCVR, microcontroller, App SW, Safety Monitor, Fireset, Intruder/Tamper Detect) attached to an HCU, an MGL or Adaptor, or a WH. Key: Physical (Hardware) Partition vs Functional Partition.]
Remote Controlled & Recoverable Munitions: Architecture Development
Architecture Development Process steps
Identify any desired system or functional level criticality
Develop the system behavior model (state charts and transition rules)
Identify potential hazards and causal factors
Identify functions and determine their safety criticality
Define / Refine safety architecture
Define mitigations for identified hazards and causal factors
Shape criticality by partitioning and/or mitigation application
Create requirements that implement the needed mitigations
Iterate
Remote Controlled & Recoverable Munitions: Behavior Modeling
A Concept of Operation (CONOPS) forms the basis for modeling operation of the system
Defines the interactions between personnel and the system
Provides the context and boundaries for possible hazard situations
Safety involvement in “behavior modeling” is paramount to design safety into the system
Each model variation must be examined, and sources of hazard and causal factors identified
Must be of sufficient detail to define the major architectural features of the system
Possible mitigations are examined for adequacy
Each component and interface provides an additional source for hazards or their causal factors
Modification of CONOPS and/or behavior models may provide a means for effective and efficient mitigations
Remote Controlled & Recoverable Munitions: Criticality Analysis
Analysis of criticality serves two purposes
Identifying safety critical functions
Determining the level of analysis and testing to ensure the design is safe to use
Criticality analysis at the functional level gives insight into what is safety critical and why
Helps concentrate critical operations to minimize hazard sources
Helps distribute mitigations so loss of a single mitigation merely degrades safety
Aids in examination of adequacy of possible mitigations
Similar techniques allow shaping of functional criticality to meet specific design constraints
To concentrate safety critical functionality into a single processor
To minimize interactions with non-safety critical components
To partition functions to minimize analysis or test activity
Remote Controlled & Recoverable Munitions: Sources of Hazard and Causal Factors - Communications Subsystem
Possible hazards related to application message faults
Corrupted Message data elements during the transfer of a message could result in incorrect safety critical time values, incorrect safety status info, or other erroneous data items
Corruption of an application Message could also result in a message being incorrectly interpreted as a different message, resulting in unexpected behavior
Possible hazards related to delivery fault mechanisms
Message might not be delivered
Message could be delivered to an incorrect address
If multiple message sources are possible, the source identity could be incorrect
The Delivery Mechanism could generate an erroneous message
The Delivery Mechanism could generate a corrupt non-application message
Networking or Prioritization schemes could allow the delivery of messages to occur out of order
Remote Controlled & Recoverable Munitions: Sources of Hazard and Causal Factors - Remote Controller
Erroneous command generation
Corrupted message data elements during message generation result in incorrect safety critical values, authorizations, message interpretation, etc.
Unintended or erroneous generation of a valid application message (OS, Operator)
Erroneous transmission of a valid message (out of order, stale, etc.)
False Report of Safe to Operator
Display/Processor Hardware and firmware (including memory)
Operating System (could affect data, application execution, etc.)
Application SW
Received Data
Operator Inputs
Remote Controlled & Recoverable Munitions: Sources of Hazard and Causal Factors - Munitions Controller
Unintended Detonation (arm and fire warhead)
Hardware and firmware (including memory)
Application SW
Received Data (including messages from Remote Controller, Comm subsystem)
Operator actions or input
False Report of Safe to Operator
Incorrect safe indication on munition
Hardware/Firmware
SW
Incorrect safe indication reported to Remote Controller
Hardware/Firmware (memory)
SW (bad message data, erroneously generated message)
Remote Controlled & Recoverable Munitions: Hazard Mitigation Approach
Designing to prevent single point failures from propagating hazards is not adequate
Utilize layered mitigation approach that places mitigation in at least two places in the system
First at the hazard source (munition HW and SW that controls arm/disarm)
Second at source of causal factors (HW failure or SW errors) that had potential to propagate the hazard
At least one mitigation should reside in a hardware element if possible
If no HW mitigation possible, additional mitigation is necessary to reduce the safety criticality of the software element providing the mitigation
Layered mitigations developed for each identified hazard case in the PHA
Remote Controlled & Recoverable Munitions: Example PHA Hazard Cases requiring Mitigation
Mitigations are necessary for the following issues
The loss of the command channel must not directly result in a hazard
Must address the case of unintended arming and firing
Must address legal commands arriving at the wrong time
Must ensure the munitions can be disarmed (< 1E-6 probability of remaining armed)
Must ensure hazardous command activity was intended (mitigation may require operator confirmation)
Must ensure operator not given false safe indication
Remote Controlled & Recoverable Munitions: Hazard Mitigation Approach – Communications Subsystem
Communications subsystem designed as a Pipe
Virtual direct connect of RC and MCs
Corrupt application messages that result in incorrect data or an incorrect message are detectable
Application generated 32-bit CRC in message data (separate from packet CRC)
Message ID is duplicated within all Safety-Critical messages
All safety critical data is duplicated within Safety-Critical messages
Erroneous messages received due to delivery mechanism faults are detectable (delivered to wrong address, out of order, etc.)
Header Information (source, destination, seq #) included in 32-bit CRC
Sequence # can be used to detect out of order (stale) messages
Commands resulting in hazardous actions are self terminating (Loss of communications won’t cause hazard)
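As an added illustration (not code from the presentation or its authors), the following Python models the receiver-side checks these communications mitigations imply: an application-level CRC32 computed over header and body together, the message ID and safety-critical data carried twice, a destination check, and sequence-number staleness detection. The field layout, addresses and sample traffic are constructed assumptions.

```python
import struct
import zlib

# Assumed field layout (big-endian): header src, dst, seq (3 x uint16); body
# msg_id twice (2 x uint16) and one safety-critical value twice (2 x uint32);
# then the application CRC32 (uint32) computed over header + body together.
HEADER = struct.Struct(">HHH")
BODY = struct.Struct(">HHII")
CRC = struct.Struct(">I")
MSG_LEN = HEADER.size + BODY.size + CRC.size
V2_OFFSET = HEADER.size + 8          # where the second copy of the value starts


def app_crc(frame):
    return zlib.crc32(frame) & 0xFFFFFFFF


def build_message(src, dst, seq, msg_id, value):
    """Sender: duplicate the ID and the data, then CRC header and body as one."""
    frame = HEADER.pack(src, dst, seq) + BODY.pack(msg_id, msg_id, value, value)
    return frame + CRC.pack(app_crc(frame))


class Receiver:
    """Receiver: independent checks, so a fault one layer misses (e.g. a CRC
    collision, or data corrupted before the CRC was computed) is still caught."""

    def __init__(self, my_addr):
        self.my_addr, self.last_seq = my_addr, -1

    def check(self, raw):
        """Return (accepted, reason, fields); fields is None when rejected."""
        if len(raw) != MSG_LEN:
            return False, "bad length", None
        frame, (crc,) = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])
        if app_crc(frame) != crc:
            return False, "application CRC mismatch", None
        src, dst, seq = HEADER.unpack(frame[:HEADER.size])
        id1, id2, v1, v2 = BODY.unpack(frame[HEADER.size:])
        if dst != self.my_addr:
            return False, "delivered to wrong address", None
        if id1 != id2:
            return False, "message ID copies differ", None
        if v1 != v2:
            return False, "safety-critical data copies differ", None
        if seq <= self.last_seq:
            return False, "stale or out-of-order sequence number", None
        self.last_seq = seq
        return True, "ok", {"src": src, "seq": seq, "msg_id": id1, "value": v1}


def demo():
    """Constructed traffic: one good message followed by four faulted deliveries.
    Returns the receiver's reason string for each."""
    rc, mc = 0x0001, 0x0010                       # constructed addresses
    rx = Receiver(mc)
    good = build_message(rc, mc, seq=7, msg_id=0x0042, value=30)
    reasons = [rx.check(good)[1]]
    # 1. single bit flipped in transit: caught by the application CRC
    flipped = bytearray(good)
    flipped[V2_OFFSET] ^= 0x01
    reasons.append(rx.check(bytes(flipped))[1])
    # 2. value corrupted in the sender's memory before the CRC was computed:
    #    CRC is valid, but the two copies disagree
    frame = HEADER.pack(rc, mc, 8) + BODY.pack(0x0042, 0x0042, 30, 31)
    reasons.append(rx.check(frame + CRC.pack(app_crc(frame)))[1])
    # 3. misrouted: destination is another munition (header is inside the CRC)
    reasons.append(rx.check(build_message(rc, 0x0011, 9, 0x0042, 30))[1])
    # 4. replay of the already-accepted message: sequence number not newer
    reasons.append(rx.check(good)[1])
    return reasons
```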
Remote Controlled & Recoverable Munitions: Hazard Mitigation Approach – Remote Controller
Erroneous invocation of the message generation function
Messages generated at each invocation (not canned)
Keys used to verify message is valid for current state/operator/confirmation status (prevents erroneous invocation by a random entry)
Operator must confirm intent to initiate hazardous operations (affects key value)
False display of safe by the RC
Duplicate safety-critical data elements
Broadcast Commands utilized for state control
All displayed munition icons marked as in transition (hazardous) when command is sent. Only updated to valid status when positive confirmation received
Munition Icons drawn (not canned) and are redrawn when data is received or periodically if no other activity is occurring (complete screen redraw)
Multiple independent screen indications for safety status indication of MCs and field (shape, color, text)
Remote Controlled & Recoverable Munitions: Hazard Mitigation Approach – Munitions Controller
IM Explosives used in warhead, and LEEFI detonator
ESAD architecture (µP-generated dynamic signal)
State machine-based processing allows hazardous action only where authorized
Hazardous operations all self-terminating (if not command terminated earlier)
Monitors Safety Critical Signals for validity
Controls both power and MC static switch control signals to the Fireset
Hardware Safety Monitor designed to act as a safety cop
Acts as a watchdog for all Safety Critical timers in the microcontroller
Validates state transitions performed by the microcontroller
Still-alive monitoring allows detection of failed microcontroller
Controls SM static switch signals to the Fireset (both MC and SM needed to arm)
Either the microcontroller or Safety Monitor can render the munition inoperative
Independent monitor of Safety Critical signals.
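The following Python is an added model (not the authors' design) of the two-element interlock described above: the microcontroller (MC) and an independent Safety Monitor (SM) each drive their own static switch, the fireset is enabled only when both are closed, hazardous operations self-terminate, and the SM validates MC state transitions, watchdogs the safety-critical timer and checks still-alive. The state names, tick counts, transition table and injected fault are assumptions.

```python
SAFE, ARMED_WAIT, ENABLED, INOPERATIVE = "SAFE", "ARMED_WAIT", "ENABLED", "INOPERATIVE"
# Transition table shared by MC and SM (assumed); anything else is refused/flagged.
LEGAL = {(SAFE, ARMED_WAIT), (ARMED_WAIT, SAFE), (ARMED_WAIT, ENABLED), (ENABLED, SAFE)}
HAZARD_TICKS = 5   # an enabled hazardous operation self-terminates after this many ticks
ALIVE_TICKS = 3    # SM trips if no MC heartbeat is seen for more than this many ticks


class Microcontroller:
    """MC: state machine permits hazardous action only where authorized,
    and its hazardous output is self-terminating."""

    def __init__(self, faulty_timer=False):
        self.state, self.remaining, self.switch = SAFE, 0, False
        self.faulty_timer = faulty_timer   # injected fault: timer never counts down

    def command(self, new_state, authorized):
        if not authorized or (self.state, new_state) not in LEGAL:
            return False                    # refused; state and switch unchanged
        self.state = new_state
        self.remaining = HAZARD_TICKS if new_state == ENABLED else 0
        self.switch = new_state == ENABLED  # MC static switch to the fireset
        return True

    def tick(self):
        if self.state == ENABLED and not self.faulty_timer:
            self.remaining -= 1
            if self.remaining <= 0:         # window expired: return to safe
                self.state, self.switch = SAFE, False


class SafetyMonitor:
    """SM: independent hardware element that validates MC transitions, watchdogs
    the safety-critical timer and checks still-alive; it owns the second switch."""

    def __init__(self):
        self.expected, self.switch, self.since_alive, self.timer = SAFE, False, 0, 0

    def observe(self, mc_state, heartbeat):
        if self.expected == INOPERATIVE:
            return                          # latched: stays denied
        if mc_state != self.expected and (self.expected, mc_state) not in LEGAL:
            return self.trip()              # MC made an illegal transition
        self.expected = mc_state
        self.since_alive = 0 if heartbeat else self.since_alive + 1
        self.timer = self.timer + 1 if mc_state == ENABLED else 0
        if self.since_alive > ALIVE_TICKS or self.timer > HAZARD_TICKS:
            return self.trip()              # failed MC, or MC timer did not terminate
        self.switch = mc_state == ENABLED   # SM static switch to the fireset

    def trip(self):
        self.expected, self.switch = INOPERATIVE, False


def fireset_enabled(mc, sm):
    """Both static switches are needed to arm; either element alone can deny."""
    return mc.switch and sm.switch


def run(scenario, faulty_timer=False):
    """Drive one tick per (command or None, authorized, heartbeat) tuple.
    Returns the per-tick fireset enable trace plus final MC and SM states."""
    mc, sm = Microcontroller(faulty_timer), SafetyMonitor()
    trace = []
    for cmd, authorized, heartbeat in scenario:
        if cmd is not None:
            mc.command(cmd, authorized)
        mc.tick()
        sm.observe(mc.state, heartbeat)
        trace.append(fireset_enabled(mc, sm))
    return trace, mc.state, sm.expected
```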