## Recall from earlier...

- Removing or containing certain faults enhances safety
- What about faults that do not originate in the digital component being designed?

## FTA/FMEA-like analysis

#### Without building the trees

- Can the top-level failure appear with:
  - Single faults?
  - Multiple faults?

- Proved by a SAT-based model checker (Prover plugin)
- Countermodels are *sequences* of combinations of input and fault modes

## Hydraulic system

- Fifteen fault modes
  - Three component faults
  - Three possible faults on each of the four valves
- Results:
  - No single fault leads to the top event
  - No combination of valve faults leads to the top event
  - One combination of HECU and PLD2 faults violates the safety property

## Where time comes into it...

- Semi-synchronous architecture
- Changes of the common state can occur asynchronously in different nodes
- The design leads to eventual synchrony and a common state

Next course day: Architecture issues

Safety-Critical Real-time Systems

31 of 31 Autumn 2004