Catálogo de publicaciones - libros

The Aim of this paper is to show how a safety argument could be constructed for the use of blueprints in platforms using Integrated Modular Avionics (IMA). It is assumed that the IMA system will contain safety-critical elements. Given current safety analysis techniques, there is no certainty that this can be achieved satisfactorily.

Initially there is a need to define a blueprint: once this is done, the blueprints will be considered by looking at the impact of Blueprints on IMA Safety. The ultimate objective of IMA is to produce a reconfigurable system. Whilst this has potential safety benefits, there are substantial problems with the ability to argue that a reconfigurable IMA is safe. Consequently, this project will concentrate on a 3 Step Approach towards developing full IMA capability. The three steps are:

This approach is progressively more complex, but will enable confidence to be gained from success at each step. The safety argument that is produced in this paper is generic and has been produced as part of an MSc project. However, the overall IMA safety argument needs to consider many other issues and factors, which may affect the safety of blueprints. This is not covered in this paper, but is expanded in more detail in the MSc project (Jolliffe 2004).

This paper presents ongoing research into the modular certification of Integrated Modular Systems (IMS) within BAE Systems. An IMS is an open systems approach to the construction of systems from a set of standard hardware and software modules. Modular certification is the modular safety assessment of such systems. The aim is to reduce the certification costs of a system following a change to the system. To achieve this, a strategy has been proposed that is based on the concept of change isolation through the use of rely/guarantee contracts. The strategy advocates a more product-oriented approach to the development of safety cases for IMS.

Computer-based systems are now routinely deployed in many complex dynamic domains, such as aviation and industrial process control. The critical nature of these systems means that their operators rely on them to do the right thing at the right time when called upon. In other words, they are expected to have a high level of what Laprie (1995) defines as dependability. To date dependability research has largely focused on developing techniques for improving the dependability of hardware and software in safety critical applications (e.g., Leveson, 1995). Dependability, however, is a property of the whole socio-technical system: people, computers and context. It is therefore important not only to understand these components, but also how the interactions between them affect dependability.

As the complexity of embedded applications evolves, real-time Java is increasingly being used in large-scale applications that demand higher levels of abstraction, portability, and dynamic behaviour. Examples of such applications include management of network infrastructure, automation of manufacturing processes and control of power generating equipment. To meet these demands, real-time Java has moved increasingly into the mission-critical domain.

With the increased penetration into mission-critical and the expected eventual integration into safety-critical applications, the need to assure that Java can deliver reliable operation without exceeding resource constraints has increased. Ease of development and maintenance, support for dynamic behaviour, high performance, soft and hard real-time constraints, and reduction of physical footprint are just some of the requirements of mission-critical Java developers.

To meet these requirements, standards for both mission-critical and safety-critical software are being developed to assist developers in making the engineering tradeoffs necessary for components of such software.