Transcript

Page 1

An advanced weapon and space systems company

23rd ISSC/NWSSS Conference
C. Forni, B. Blake – 08-23-2005

Remote Controlled & Recoverable Munitions
Safety Architecture Development

Page 2

Remote Controlled & Recoverable Munitions
Architecture Design Drivers

Off-On-Off operation drives the design

For munitions systems, reliably arming, then disarming is a new concept

After a return to safe, it is necessary for the munitions to monitor and report the safety status to the remote controller

Off-On-Off System must support safe operation even when there has been a loss of control functionality. This is necessary whether or not that control is physically separate from the source of hazard

Page 3

Remote Controlled & Recoverable Munitions
Architecture Design Drivers (Continued)

For remote controlled systems, safety can’t be allocated to a single isolated component (fuze). Safety critical command and control functions are distributed throughout the system

To address in an efficient and cost effective manner, safety must be involved throughout the concept and early development phase

The following hazardous conditions must be addressed across the distributed control components:

    Inadvertent hazardous functions

    Unintentional hazardous functions

    Failure to return to a non-hazardous state when commanded

    Erroneous safety data

Page 4

Remote Controlled & Recoverable Munitions
Safety Activities and Development Process

Safety activities needed during the Concept and Early Development Phases

    Criticality Assessment

    Hazards and Causal Factor Identification

    Mitigation Development

Safety activities performed iteratively during both system and subsystem development

Safety activities instrumental in shaping both the architecture of the system and the final criticality of the subsystems

Page 5

Remote Controlled & Recoverable Munitions
Safety Activities within the Development Process

[Figure: flow diagram of development process activities with the safety design activities run alongside each stage and iterated. Recoverable labels follow.]

Development Process Activities (System / Subsystem Definition and Analysis):

    Obtain customer requirements, perform trade studies, and develop system concept

    Define System, CONOPS, and develop partitioning approach

    Create and Document System behavior model, functions, & Interfaces

    Allocate, Define, and Document Subsystem behavior models & Interfaces

    Define and Document Subsystem Requirements and Interfaces

    Define and Document Functional Requirements

    Define and Document Interface Design

    Iterate

Safety Design Activities (performed at both the system and the subsystem stage):

    Identify Criticality (to help isolate and partition SC functions)

    Identify Hazards and Causal Factors (to help determine req mitigations)

    Develop Mitigations (to prevent hazards)

Key: Safety Design Activity / Development Process Activity

Page 6

Remote Controlled & Recoverable Munitions
Physical vs Functional Components (Example System)

Physical Components

    Remote Control Device

    Comm relay device (optional)

    Munitions

Functional Components

    Remote Control (RC) Subsystem

    Communications Subsystem

    Munitions Controller (MC) Subsystem

[Figure: example system block diagram showing the physical (hardware) partitions overlaid with the functional partitions and their assigned safety criticality. Recoverable labels follow.]

    Remote Control of Fuze: Medium Safety Criticality (II) (Reduced Safety Control)

    Remote Control Link (Pipe): Low Safety Criticality (III) (Eliminated Safety Control)

    Fuze & Munitions: High Safety Criticality (I) (Maximized Safety Control)

    RC Subsystem: Operator (Logistics or Tactical); RCU containing XCVR, OS, App SW, Controls & Display

    Communications Subsystem: REPEATER (Optional)

    MC Subsystem: MC containing XCVR, µC, App SW, Safety Monitor, Fireset, MGL or Adaptor (WH), HCU, Intruder/Tamper Detect; Computer

Key: Physical (Hardware) Partition / Functional Partition

Page 7

Remote Controlled & Recoverable Munitions
Architecture Development

Architecture Development Process steps

    Identify any desired system or functional level criticality

    Develop the system behavior model (state charts and transition rules)

    Identify potential hazards and causal factors

    Identify functions and determine their safety criticality

    Define / Refine safety architecture

    Define mitigations for identified hazards and causal factors

    Shape criticality by partitioning and/or mitigation application

    Create requirements that implement the needed mitigations

    Iterate

Page 8

Remote Controlled & Recoverable Munitions
Behavior Modeling

A Concept of Operation (CONOPS) forms the basis for modeling operation of the system

    Defines the interactions between personnel and the system

    Provides the context and boundaries for possible hazard situations

Safety involvement in “behavior modeling” is paramount to design safety into the system

    Each model variation must be examined, and sources of hazard and causal factors identified

    Must be of sufficient detail to define the major architectural features of the system

    Possible mitigations are examined for adequacy

    Each component and interface provides an additional source for hazards or their causal factors

Modification of CONOPS and/or behavior models may provide a means for effective and efficient mitigations

Page 9

Remote Controlled & Recoverable Munitions
Criticality Analysis

Analysis of criticality serves two purposes

    Identifying safety critical functions

    Determining the level of analysis and testing to ensure the design is safe to use

Criticality analysis at the functional level gives insight into what is safety critical and why

    Helps concentrate critical operations to minimize hazard sources

    Helps distribute mitigations so loss of a single mitigation merely degrades safety

    Aids in examination of adequacy of possible mitigations

Similar techniques allow shaping of functional criticality to meet specific design constraints

    To concentrate safety critical functionality into a single processor

    To minimize interactions with non-safety critical components

    To partition functions to minimize analysis or test activity

Page 10

Remote Controlled & Recoverable Munitions
Sources of Hazard and Causal Factors - Communications Subsystem

Possible hazards related to application message faults

    Corrupted Message data elements during the transfer of a message could result in incorrect safety critical time values, incorrect safety status info, or other erroneous data items

    Corruption of an application Message could also result in a message being incorrectly interpreted as a different message, resulting in unexpected behavior

Possible hazards related to delivery fault mechanisms

    Message might not be delivered

    Message could be delivered to an incorrect address

    If multiple message sources are possible, the source identity could be incorrect

    The Delivery Mechanism could generate an erroneous message

    The Delivery Mechanism could generate a corrupt non-application message

    Networking or Prioritization schemes could allow the delivery of messages to occur out of order

Page 11

Remote Controlled & Recoverable Munitions
Sources of Hazard and Causal Factors - Remote Controller

Erroneous command generation

    Corrupted message data elements during message generation result in incorrect safety critical values, authorizations, message interpretation, etc.

    Unintended or erroneous generation of a valid application message (OS, Operator)

    Erroneous transmission of a valid message (out of order, stale, etc)

False Report of Safe to Operator

    Display/Processor Hardware and firmware (including memory)

    Operating System (could affect data, application execution, etc)

    Application SW

    Received Data

    Operator Inputs

Page 12

Remote Controlled & Recoverable Munitions
Sources of Hazard and Causal Factors - Munitions Controller

Unintended Detonation (arm and fire warhead)

    Hardware and firmware (including memory)

    Application SW

    Received Data (including messages from Remote Controller, Comm subsystem)

    Operator actions or input

False Report of Safe to Operator

    Incorrect safe indication on munition

        Hardware/Firmware

        SW

    Incorrect safe indication reported to Remote Controller

        Hardware/Firmware (memory)

        SW (bad message data, erroneously generated message)

Page 13

Remote Controlled & Recoverable Munitions
Hazard Mitigation Approach

Designing to prevent single point failures from propagating hazards is not adequate

Utilize layered mitigation approach that places mitigation in at least two places in the system

    First at the hazard source (munition HW and SW that controls arm/disarm)

    Second at source of causal factors (HW failure or SW errors) that had potential to propagate the hazard

At least one mitigation should reside in a hardware element if possible

    If no HW mitigation possible, additional mitigation is necessary to reduce the safety criticality of the software element providing the mitigation

Layered mitigations developed for each identified hazard case in the PHA

Page 14

Remote Controlled & Recoverable Munitions
Example PHA Hazard Cases requiring Mitigation

Mitigations are necessary for the following issues

    The loss of the command channel must not directly result in a hazard

    Must address the case of unintended arming and firing

    Must address legal commands arriving at the wrong time

    Must ensure the munitions can be disarmed (< 1E-6 probability of remaining armed)

    Must ensure hazardous command activity was intended (mitigation may require operator confirmation)

    Must ensure operator not given false safe indication

Page 15

Remote Controlled & Recoverable Munitions
Hazard Mitigation Approach – Communications Subsystem

Communications subsystem designed as a Pipe

    Virtual direct connect of RC and MCs

Corrupt application messages that result in incorrect data or an incorrect message are detectable

    Application generated 32-bit CRC in message data (separate from packet CRC)

    Message ID is duplicated within all Safety-Critical messages

    All safety critical data is duplicated within Safety-Critical messages

Erroneous messages received due to delivery mechanism faults are detectable (delivered to wrong address, out of order, etc)

    Header Information (source, destination, seq #) included in 32-bit CRC

    Sequence # can be used to detect out of order (stale) messages

Commands resulting in hazardous actions are self-terminating (Loss of communications won’t cause hazard)
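The receive-side checks listed on this slide (application CRC-32 over header and data, duplicated message ID and safety-critical data, sequence number for stale detection, destination check), worked as an added example that is not code from the presentation. The wire layout, field widths, addresses and the abstract "value" field are constructed assumptions; the point it adds is that the duplicated fields catch corruption that happened before the CRC was computed, which the CRC alone cannot.

```python
import struct
import zlib

# Constructed layout for illustration only (not the authors' actual format).
# All fields big-endian.
#   header : source (u16) | destination (u16) | sequence number (u32)
#   body   : msg_id (u16) | msg_id duplicate (u16) | value (u32) | value duplicate (u32)
#   trailer: application CRC-32 (u32) computed over header + body
HEADER = struct.Struct(">HHI")
BODY = struct.Struct(">HHII")
TRAILER = struct.Struct(">I")


def build_message(source, destination, seq, msg_id, value, value_dup=None):
    """Encode a safety-critical message.  value_dup normally equals value; passing a
    different value simulates data corrupted *before* the CRC was computed (a
    generation-time fault the CRC alone cannot catch)."""
    if value_dup is None:
        value_dup = value
    header = HEADER.pack(source, destination, seq)
    body = BODY.pack(msg_id, msg_id, value, value_dup)
    return header + body + TRAILER.pack(zlib.crc32(header + body))


class Receiver:
    """Applies the slide's checks in order: length, CRC, address, duplicates, sequence."""

    def __init__(self, my_address):
        self.my_address = my_address
        self.last_seq = {}  # highest sequence number accepted, per source

    def validate(self, frame):
        """Return (accepted, reason, decoded_fields_or_None)."""
        if len(frame) != HEADER.size + BODY.size + TRAILER.size:
            return False, "bad length", None
        covered, trailer = frame[:-TRAILER.size], frame[-TRAILER.size:]
        (crc,) = TRAILER.unpack(trailer)
        if zlib.crc32(covered) != crc:          # header is inside the CRC, so a
            return False, "crc mismatch", None  # corrupted address/seq is caught too
        source, destination, seq = HEADER.unpack(covered[:HEADER.size])
        msg_id, msg_id_dup, value, value_dup = BODY.unpack(covered[HEADER.size:])
        if destination != self.my_address:
            return False, "wrong destination", None
        if msg_id != msg_id_dup:
            return False, "message id duplicate mismatch", None
        if value != value_dup:
            return False, "safety data duplicate mismatch", None
        last = self.last_seq.get(source)
        if last is not None and seq <= last:
            return False, "stale or out-of-order sequence", None
        self.last_seq[source] = seq
        return True, "ok", {"source": source, "seq": seq, "msg_id": msg_id, "value": value}


def demo():
    """Run constructed frames through one receiver; returns the reason strings."""
    rc, mc, other = 0x0001, 0x0010, 0x0011   # constructed addresses
    rx = Receiver(mc)
    good = build_message(rc, mc, seq=7, msg_id=0x21, value=30)
    frames = [
        good,                                               # accepted
        bytes(b ^ (0x01 if i == HEADER.size + 4 else 0)     # one bit flipped in transit
              for i, b in enumerate(good)),
        good,                                               # replayed copy: stale seq
        build_message(rc, other, 8, 0x21, 30),              # addressed elsewhere
        build_message(rc, mc, 8, 0x21, 30, value_dup=31),   # corrupted before CRC
    ]
    return [rx.validate(f)[1] for f in frames]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```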

Page 16

Remote Controlled & Recoverable Munitions
Hazard Mitigation Approach – Remote Controller

Erroneous invocation of the message generation function

    Messages generated at each invocation (not canned)

    Keys used to verify message is valid for current state/operator/confirmation status (prevents erroneous invocation by a random entry)

    Operator must confirm intent to initiate hazardous operations (affects key value)

False display of safe by the RC

    Duplicate safety-critical data elements

    Broadcast Commands utilized for state control

    All displayed munition icons marked as in transition (hazardous) when command is sent. Only updated to valid status when positive confirmation received

    Munition Icons drawn (not canned) and are redrawn when data is received or periodically if no other activity is occurring (complete screen redraw)

    Multiple independent screen indications for safety status indication of MCs and field (shape, color, text)

Page 17

Remote Controlled & Recoverable Munitions
Hazard Mitigation Approach – Munitions Controller

IM Explosives used in warhead, and LEEFI detonator

ESAD architecture (µP generated dynamic signal)

State machine-based processing allows hazardous action only where authorized

Hazardous operation all self terminating (if not command terminated earlier)

Monitors Safety Critical Signals for validity

Controls both power and MC static switch control signals to the Fireset

Hardware Safety Monitor designed to act as a safety cop

    Acts as a watchdog for all Safety Critical timers in the microcontroller

    Validates state transitions performed by the microcontroller

    Still alive monitoring allows detection of failed microcontroller

    Controls SM static switch signals to the Fireset (both MC and SM needed to arm)

    Either the microcontroller or Safety monitor can render the munition inoperative

    Independent monitor of Safety Critical signals.
