Safety-Critical Medical Actuators - Socci
Transcript of Safety-Critical Medical Actuators - Socci
7/28/2019 Safety-Critical Medical Actuators - Socci (1/73)
2009 On Target Technology Development, Page 1
Health-Tech Symposium, Welch Allyn Lodge, Skaneateles, NY, April 23, 2009
Vince Socci, Chief Engineer, On Target Technology, [email protected], (607) 755-4980
Actuator Control Design for Safety-Critical Medical Applications
Abstract
Abstract - Designers of safety-critical medical actuator control applications face rigorous requirements and standards to assess safety requirements, develop system architectures, and design component hardware and software. This paper demonstrates integrated techniques of safety-critical development with examples from various actuator applications. Strategies for safety analysis, engineering design and application of lifecycle guidelines are discussed. Methods of developing actuator controls with robust fault tolerance and testability are highlighted. The secrets of effective safety-critical development are revealed.
Page 2
Stupid is as stupid does. -- Forrest Gump
Eventually, everyone screws up and everything breaks.
If your world is void of failures, you don't need to be here. But if safety-related failures worry you, stick around.
Page 3
Ready for the Ride?
Roadmap
Problem: Rigorous industry standards to assess safety requirements, develop system architectures, and design component hardware and software.
Integrated techniques of safety-critical development
Strategies for engineering design and application
Methods of robust fault tolerance and testability
Effective safety-critical development tips
Your Guide
Vince Socci, BS EE, MS EE, MBA TM, Principal, On Target Technology
Cross-disciplined systems, hardware, software engineering
Electronics design and embedded controls
Speaker Background: VPS, OTTD, we do PD&M, R&D TS,
Vincent Socci is a cross-disciplined systems, hardware and software engineer. His technology expertise includes embedded systems, sensors and signal processing, power control systems, and diagnostics. Socci has 20 years of experience in safety-critical systems development. He holds an MBA in technology management, and MS and BS degrees in electrical engineering. As Principal of On Target Technology Development, Socci supports clients with electronics design and embedded controls development. He has applied the safety-critical design concepts presented in this paper in medical, aerospace, automotive, locomotive, and industrial applications.
Page 4
Agenda
Fundamentals of Safety-Critical Systems
Actuator Control Design from a Systems Perspective
Industry Specifications and Standards
Development Strategies
Example Cases
Conclusions
Questions and Answers
Page 5
Industrial Trends in Safety-Critical Systems
Medical
Growing focus on safety development standards
Sensitive to failure, development cost/time, marketability, global competition
Aerospace
Long history of fly-by-wire and other x-by-wire actuator control systems
Long development, low volume, expensive safety-critical applications.
Automotive
Emerging x-by-wire needs
Short development, high volume, cost-efficient safety-critical applications. Demand for fault tolerance, speed-to-market & low cost.
Page 6
Fundamental Concepts of Safety-Critical Systems
Page 7
Fundamental Concepts of Safety-Critical Systems
Scenario:
Imagine sitting comfortably on an airplane, enjoying a new issue of your favorite magazine. All of a sudden, as you fly over the Equator, the plane does a fast 180-degree roll, and you find yourself in an inverted flight. The pilot announces over the loudspeaker: "Hmmm, that doesn't seem right. Are there any systems engineers onboard?"
The software development for the F-16 fighter plane experienced this exact failure mode during simulation flight testing. It was resolved in the fielded design. If this failure occurred in real life, the aircraft and pilot would be lost.
Sound far-fetched?
Page 8
Other F-16 Simulation Failures
When the computer was commanded to raise the landing gear while the aircraft was standing still on the runway, the computer complied and turfed the aircraft.
The aircraft system also complied with commands to jettison missiles, bombs, fuel tanks, etc. while the plane was upside-down, resulting in them falling on and damaging the wings.
When the F-16 went into a spin, the software did not give the pilot enough control authority to recover. The pilot had to eject.
Failures like this put lives and property at risk. We can't let them happen, period.
Page 9
Safety-related vs. Safety-Critical
Safety-related systems: those in which a failure during operation can have serious or irreversible effects such as loss of life or limb, severe property damage or financial losses (e.g. insulin pump).
Safety-critical systems: safety-related systems that present a direct threat to human life. They can include aircraft control systems, medical instrumentation, railway signaling, nuclear reactor control systems and many other applications.
Safety-critical systems include all of the components that work together to achieve the safety-critical mission.
These may include input sensors, digital data devices, hardware, peripherals, drivers, actuators, the controlling software, and other interfaces. Their development requires rigorous analysis and comprehensive design and test.
Page 10
Managing Design / Controlling Operation
Failures occur in development and operation.
Failures in development can be mitigated, but failures in operation are unavoidable. Stuff breaks!
Effects of these hardware failures must be predictable (i.e. deterministic) and not catastrophic.
Design to consistently maintain and control the safety of the system when failures occur.
Robust Design + Controlled Operation = Safe Mission
Safe actuator control is guaranteed only through robust design (error-free) and robust operation (fault-tolerant).
Safety-related failures can occur in development or in operation. The design may be weak or not robust enough for the operating environment. Design standards and practices, including rigorous requirements management, engineering analyses, design reviews and testing can support validation of the design.
Failures in operation are unavoidable. Stuff breaks! Whether it's a wire in a harness or a worn-out relay, hardware will eventually fail. Safety-critical systems are designed such that the effects of these hardware failures are predictable (i.e. deterministic) and not catastrophic. Architectures are designed to consistently maintain and control the safety of the system when failures occur.
Robust Design + Controlled Operation = Safe Mission
Remember that safe actuator control is guaranteed only through robust design and robust operation. Design robustness is achieved through robust processes and engineering design practices. Controlled operation is achieved by thorough monitoring, fault detection and mitigation strategies.
Page 11
Safety-Critical Medical Actuator Examples
Hospital beds
Ambulatory scooters
Patient lifts
Pumps and valves for drug delivery
X-ray controllers
Massage therapy
Prosthetics
Laparoscopic tools
Etc.
Monitors are passive, but actuators are active.
Page 12
Actuator Control Design from a Systems Perspective
Page 13
Actuator Control System Block Diagram
An operator uses the control interface to stimulate the control system.
Control algorithms drive an output to the actuator, which moves the mechanical interface.
A feedback response of the mechanical interface is collected through feedback sensors.
Signal conditioning is applied to inputs and outputs to convert raw signals to usable forms.
[Block diagram, referred to in the notes as Figure 2: an actuator control system. Blocks: Power Source, Sensor Outputs, Input Signal Conditioning, Control Algorithms, Output Signal Conditioning, Actuator, Mechanical Interface, Control Interface. Signals between them: Control Stimulus, Controller Command, Output Command, Driver Output, Control Feedback, Mechanical Response, Actuation Force, Actuation Energy.]
This paper focuses on actuator control systems because these applications provide a relevant mixture of hardware and software functions that integrate the broad requirements of safety-critical systems. Consider the following system block diagram of an actuator control system.
Most of these control system functional blocks are hardware functions, implemented by some mechanical or electrical components. The control algorithms are typically software functions, implemented by a computing program installed to and operating on a processing device. Signal conditioning can occur in both hardware and software.
Page 14
Built-In-Test (BIT)
Built-in-test (BIT) validates interfaces and control variables.
Verify integrity of system before, during and after use.
BIT analysis is part of the design process of a safety-critical system.
Considers potential failures throughout the systems
Verifies that these failures will be detected and mitigated by the BIT functions.
Ex. If a power source is lost, BIT should detect the failure and respond by ensuring that the system responds in a safe manner.
Controllers generally use some form of built-in-test (BIT) to validate interfaces and control variables. BIT is designed to detect failures in any of the system elements. BIT is the primary means to verify the integrity and operation of system and hardware components before, during and after the mission.
Systems engineers typically perform a BIT analysis as part of the design process of a safety-critical system. This BIT analysis considers potential failures throughout the systems and verifies that these failures will be detected and mitigated by the BIT functions. For instance, if the power source of Figure 2 fails (e.g. loss of power), BIT should detect the failure and respond by ensuring that the system responds in a safe manner.
Page 15
BIT Software vs. Hardware
Safety-critical systems are becoming more complex.
Role of software is becoming more dominant for both control and monitoring.
BIT can be implemented in hardware or software form.
Software implementation of BIT functionality is preferred.
Hardware is subject to failure, resulting in false positive or false negative failure detection.
Hardware that implements BIT functions should not reduce reliability or system safety.
As safety-critical systems are becoming more complex and computer-controlled, the role of software is becoming more dominant for both control and monitoring. BIT functionality can be implemented in hardware or software form. Software implementation of BIT functionality is preferred. Hardware that implements BIT functionality can itself be subject to failure, resulting in false positive or false negative failure detection. Engineering design practices suggest that hardware that implements BIT functions should not reduce reliability or system safety.
Page 16
Controller Implementation of a Simple Actuator Control System
[Figure: controller implementation block diagram. Controller Software (and Core Hardware) contains Input Interfaces, Input Signal Conditioning, Input Signal Processing, Control Algorithm Processing, Built-In Test, Output Signal Processing, Output Signal Conditioning and Feedback Interfaces, layered over Data Communication and Management and a Real-Time Operating System; the Actuator, Controller Hardware and Peripheral Hardware sit outside the software block.]
Now let's consider a simple actuator system from the perspective of controller implementation. This figure provides a general block diagram of controller implementation. The arrows represent a simplified functional flow for the actuator. Actual data flow can be much more complex. Refer to the figure for the following discussion.
Page 17
External Interfaces
The following interfaces are external to the controller hardware:
Actuator
Input interfaces
Feedback interfaces.
Near controller or far away
Connected through wire harnesses, or wireless
Susceptible to hardware failures
Page 18
Controller Hardware
Includes: I/O signal conditioning, peripheral interfaces, core processing platform.
Signal conditioning: Converts the input signals for the core processor. Translates processor outputs into driver signals for the actuator.
Peripheral hardware may include watchdog monitors, protective devices etc.
Processing platform includes the processor, memory, and any other devices needed to support processing operation.
The controller hardware provides I/O signal conditioning, peripheral interfaces and a core processing platform. Signal conditioning converts the input signals into forms that can be interpreted by the core processor, and translates processor outputs into driver signals for the actuator. These driver signals may be high current signals that directly drive the actuator or they can provide indirect control of an external power source, as shown in Figure 2. Peripheral hardware may include watchdog monitors, data communication devices, power converters, protective devices and filters, configuration hardware and other peripheral hardware. The core processing platform includes the processor, memory, and any other devices needed to support processing operation.
Page 19
Controller RTOS
Real-time Operating Systems perform: executive management, task scheduling, other operating utilities
Examples:
Ad-hoc operating system
Commercial off-the-shelf RTOS: Integrity, VxWorks, LynxOS
Must be certifiable to the safety criticality level of the application.
Controller software, which resides and operates on the core hardware, has a real-time operating system (RTOS) that performs all executive management and task scheduling, as well as other operating utilities. This may be an ad-hoc operating system, or it can be a commercial off-the-shelf RTOS, such as VxWorks, CsLEOS or Integrity, that is certifiable to the safety criticality level of the application.
Page 20
Input/Output Signal Processing
Input signal processing
Read raw data from input hardware
Massage into usable form
Software filters, discrete debouncing, range detection.
Output signal processing
Create physical signals to drive to hardware.
Timing or filtering of output drivers
Input signal processing software reads raw data inputs from the hardware and massages them into usable form for the software algorithms. This massaging includes software filters (e.g. lag and lead filters), discrete debouncing, and range detection. Output signal processing converts the results of the control algorithms into physical signals to drive to hardware.
Page 21
Control Algorithm Processing
Provides the heart of the actuator control functionality.
Control data and variables are read and processed to deterministically drive the real-time response of the actuator.
Critical real-time and frequency-dependent algorithms
Control algorithms provide the heart of the actuator control functionality. This is where the plant models, control loops and decisions are processed. Control data and variables are read and real-time algorithms are processed to deterministically drive the appropriate real-time response of the actuator.
Page 22
Data Communications and Management
Manipulate the data associated with the inputs and outputs
Provides any processing associated with redundancy or cross-channel communication.
Multichannel datasets (copies)
Data synchronization
Self and cross-channel BIT.
Amount of data that must be managed can become huge and coordination can become complex.
The data communication and management functions manipulate the data associated with the inputs and outputs, including digital communication to external components. These functions also provide any processing associated with redundancy or cross-channel communication. For example, a quad-redundant actuator system would have a complete set of data for each of the four channels. Some level of data synchronization is needed to maintain coordinated control of the four channels. Each channel may perform BIT on itself and one or more of the other channels. Depending on the intricacy of data communication, the amount of data that must be managed can become huge and coordination can become complex.
Page 23
Built-In-Test
BIT functions detect faults and isolate them to individual components or small groups.
Detection: Test during operation and compare results to expected values.
Isolation: Determine if the fault occurred inside the controller or external interfaces.
Test all faults that have an effect on the safe operation of the mission.
Actuator controls include BIT functions to detect faults and isolate them to individual components or small groups of them. Failure detection is usually accomplished by conducting a series of tests during operation and comparing results to expected values. Isolation logic determines if the fault occurred inside the controller or was the result of external interfaces. The designer's goal is to test any potential fault that has an effect on the safe operation of the mission in the appropriate mode of BIT.
Page 24
BIT Modes
BIT can be categorized into the following modes:
Power-up BIT (PBIT)
Continuous BIT (CBIT)
Initiated BIT (IBIT)
Each safety-critical fault is tested in one or more of these BIT modes
Each BIT mode may perform a subset (or superset) of another BIT mode
Fault thresholds, persistence limits and scheduling of individual BIT are coordinated to reject false failure indications.
[Venn diagram: PBIT, CBIT and IBIT overlapping in a common BIT region.]
Nested acronyms
Page 25
Power-up BIT (PBIT)
Also known as Start-up BIT
Executes on application of power
Rapid check of ability to operate
Examples:
Core processing failure: the mission can be halted before operator safety is jeopardized
Actuator feedback interface failure: the actuator may not be controllable, and the mission would be aborted
Scope of PBIT testing depends on application power-up requirements.
Designers must trade off PBIT test coverage against PBIT timing constraints.
Sample PBIT Tests: Processor diagnostics, Memory, Configuration, Watchdog timeout, Power supply voltage, Interrupts, Critical I/O
Page 26
Continuous BIT (CBIT)
Also known as Periodic BIT
Provides continuous monitoring of all system components.
Minimizes failure exposure time.
Example: Current feedback on a drug pump actuator detects if the flow is obstructed during operation.
CBIT completion time must be considered when the maximum failure exposure time (the maximum time between when a fault occurs and when the fault is detected and mitigated) is critical.
Sample CBIT Tests: Subset of PBIT tests, Control sensors, Control discretes, Feedback sensors, Feedback discretes, Dynamic responsiveness, Data communication validation, Actuator current monitors
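As an added C example (not code from the paper or from On Target Technology) covering both the BIT Modes slide and this one: a continuous BIT monitor that applies a fault threshold, a persistence limit and a scheduling period to the drug-pump current feedback described above, derives the worst-case detection time from those same parameters so it can be checked against a maximum failure exposure time, and stops the pump as its mitigation. The current values, the 0.60 A threshold, the persistence count of 3 and the 10 ms period are constructed assumptions, not figures from the paper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One CBIT monitor: a measurement compared against a threshold, declared
 * failed only after `persistence` consecutive exceedances, so that a single
 * noisy sample does not produce a false failure indication. */
typedef struct {
    const char *name;
    double      threshold;     /* failure when the measurement exceeds this */
    uint16_t    persistence;   /* consecutive exceedances required */
    uint16_t    period_ms;     /* scheduling period of this monitor */
    uint16_t    count;         /* current run of exceedances */
    bool        failed;        /* latched failure indication */
} cbit_monitor_t;

static bool cbit_monitor_update(cbit_monitor_t *m, double measurement)
{
    if (measurement > m->threshold) {
        if (m->count < m->persistence) m->count++;
        if (m->count >= m->persistence) m->failed = true;   /* latch */
    } else {
        m->count = 0;   /* exceedances must be consecutive */
    }
    return m->failed;
}

/* Worst-case time from fault onset to declaration: the fault can begin just
 * after a sample, and `persistence` further samples are then needed. */
static uint32_t cbit_detection_time_ms(const cbit_monitor_t *m)
{
    return (uint32_t)m->period_ms * m->persistence;
}

/* Design check: detection time plus mitigation delay is the failure exposure
 * time, which must not exceed the application's maximum. */
static bool cbit_meets_exposure_limit(const cbit_monitor_t *m,
                                      uint32_t mitigation_ms,
                                      uint32_t max_exposure_ms)
{
    return cbit_detection_time_ms(m) + mitigation_ms <= max_exposure_ms;
}

/* Mitigation for the drug pump: remove the drive command. */
typedef struct { double command; bool stopped; } pump_t;

static void pump_safe_stop(pump_t *p)
{
    p->command = 0.0;
    p->stopped = true;
}

/* Constructed scenario: motor current sampled at the 10 ms CBIT period.
 * Nominal delivery draws about 0.3 A. The single 0.85 A sample at 30 ms is
 * noise and must be rejected. From 50 ms on the flow is obstructed and the
 * motor stalls near 0.9 A. Returns the time (ms) at which the obstruction
 * was declared and the pump stopped, or -1 if it was never declared. */
static int run_pump_demo(void)
{
    static const double current_a[] =
        { 0.30, 0.31, 0.30, 0.85, 0.30, 0.92, 0.95, 0.93, 0.94, 0.96 };
    cbit_monitor_t mon = { "pump motor current", 0.60, 3, 10, 0, false };
    pump_t pump = { .command = 1.0, .stopped = false };

    for (size_t i = 0; i < sizeof current_a / sizeof current_a[0]; i++) {
        int t_ms = (int)(i * mon.period_ms);
        bool failed = cbit_monitor_update(&mon, current_a[i]);
        printf("t=%3d ms I=%.2f A run=%u failed=%d\n",
               t_ms, current_a[i], (unsigned)mon.count, failed);
        if (failed) {
            pump_safe_stop(&pump);
            return t_ms;
        }
    }
    return -1;
}

int main(void)
{
    cbit_monitor_t mon = { "pump motor current", 0.60, 3, 10, 0, false };
    printf("worst-case detection time: %u ms\n", (unsigned)cbit_detection_time_ms(&mon));
    printf("obstruction declared at %d ms\n", run_pump_demo());
    return 0;
}
```

The obstruction is present from 50 ms and declared at 70 ms, inside the 30 ms bound the persistence and period give; raising the persistence count rejects more noise but lengthens the exposure time by the same arithmetic.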
Page 27
Initiated BIT (IBIT)
Also known as Maintenance BIT, or other alternative names.
Extensive set of tests, initiated by the operator, which occurs when the system is in a stable, known environment.
The environment must be controlled because control of the actuator is given to the BIT functions rather than the normal control algorithms.
Example: range test on an actuator
IBIT completion time is typically long because it performs comprehensive, full-range tests
Sample IBIT Tests: Superset of PBIT and CBIT tests, Power system tests, Dynamic actuator tests, Mechanical range tests, Initiated failure tests
Suppose an actuator moves a swing-arm from 0 to 180 degrees. The system cannot test the full range of motion during operation, unless the application guarantees to move the swing-arm over its full range of motion during the mission. The operator can use a special controlled test in IBIT to verify that the swing-arm can operate over its full range of motion.
BIT Analysis
Leverages the results of other system safety analyses, including:
Preliminary System Safety Assessment
Fault Tree Analysis
Failure Modes and Effects Analysis
For each failure mode, consider the probability of failure, cause and effect, recognition/detection scheme, isolation, and system compensation.
Will typically yield action items for design improvements.
Not a "do it once" checkbox: analysis is incremental until requirements are satisfied.
Redundancy
Failures are mitigated by the other operating channels, perhaps with a degraded level of performance.
The effects of failures in non-redundant components, such as the control interface and power source, cannot be alleviated.
[Diagram: a single power source and control interface controller feeding four redundant channels, each consisting of an actuator controller, actuator, mechanical interface and sensor monitors.]
Redundancy is a common design practice that is often used to maintain functionality after a failure occurs.
In this case, functionality is maintained by four redundant operating channels. Failures that occur in a controller, actuator or mechanical monitor can be mitigated by the other operating channels, perhaps with a degraded level of performance. The effects of failures in non-redundant components, such as the control interface and power source in this case, cannot be alleviated.
Degradation Categories for Failure Response
Fail-Operational: From an operator perspective, the system behaves normally.
Failure is reported, but system operation is unaffected.
System components that remain functional typically take over the functions of the failed components.
Example: Dual-redundant surgical blood flow systems typically can meet performance requirements with only one channel. When one channel fails, the system continues to perform using the remaining channel.
There are many failure modes, but system designers have developed approaches to mitigate them. Various response categories have been developed to describe mitigation of these system failures:
Fail-Operational: From an operator perspective, the system behaves normally. The failure is reported, but system operation is unaffected. The system components that remain functional typically take over the functions of the failed components. Example: Quad-redundant flight control surface actuator systems typically can meet performance requirements with only three channels. When one channel fails, the system continues to perform using the remaining three channels.
Degradation Categories for Failure Response
Fail-Passive: Outputs assume a predetermined desirable state, such as a power disconnect to the actuators.
Failure is reported, and operation is reverted to backup.
Intervention may be required, but the system remains under control in some degraded fashion.
Example: An ambulatory scooter uses a reduced-speed mode when the battery supply is low. The vehicle will not maintain desired performance, but the rider can limp home.
Fail-Passive: The system outputs a predetermined desirable state, such as a power disconnect to the actuators. The failure is reported, and operation is typically reverted to a backup mechanism. Intervention may be required, but the system generally remains under control, although usually in some degraded fashion. Example: Many marine actuator control applications provide a mechanical backup that is automatically engaged when automated systems fail, thereby enabling the pilot to limp home. The vehicle may not meet performance requirements, but it will be able to travel to a safe environment.
Degradation Categories for Failure Response
Fail-Safe: Provides a safe response when normal, predictable control is not possible.
Subcategory of fail-passive.
Actuators are not controllable in a manner to meet the performance specification.
System employs mechanisms to force the actuator into a known state that maintains a safe operational state.
Example: A patient lift backup is engaged when automated systems fail, holding the patient safely. The lift will not meet performance requirements, but it will maintain a safe environment.
Fail-Safe: This approach is used to provide a safe response when normal, predictable control is not possible. In this category, which is sometimes considered a subcategory of fail-passive, the actuators are not controllable in a manner to meet the performance specification. However, the system employs mechanisms to force the actuator into a known state that maintains a safe operational state. Example: Hybrid-electric vehicles (HEV) have experienced failures that cause runaway motors, where motors speed up out of control and transfer uncommanded power to the drive axles. A fail-safe mitigation would disconnect power from the motor, usually through high-current relays, when a failure occurs. The vehicle may not be drivable, but the passengers and cargo remain safe.
Degradation Categories for Failure Response
Fail-Active: Highly undesirable state occurring when mitigation into one of the other categories is not possible.
Applications allow a small probability, such as 10^-9 (a figure of this size is normally stated per operating hour).
Actuators respond in an uncontrollable/unpredictable (nondeterministic) manner.
Safety-critical systems are designed to minimize fail-active scenarios.
Example: Automotive steer-by-wire applications have steering wheel interfaces with common-mode failures that could inhibit steering control.
Fail-Active: This category is highly undesirable and strikes fear into the hearts of safety-critical systems designers. It occurs when mitigation into one of the other categories is not possible. It cannot be prevented completely, so applications typically allow a small probability, such as 10^-9. In a fail-active state, actuators drive the system in an uncontrollable and unpredictable (nondeterministic) manner. Safety-critical systems are designed to minimize fail-active scenarios. Example: Automotive steer-by-wire applications have a unique challenge in that typical steering wheel interfaces have common-mode failures that could inhibit steering control.
Degradation Requirements
Performance specs apply degradation categories through multiple failure modes.
Example for a tri-redundant artificial heart:
After the first failure, the system shall remain fail-operational.
After the second failure, the operation shall be fail-passive.
After the third failure, the operation shall be fail-safe.
Select architectures and components to meet these requirements. In this example, the heart must be able to pump with only two operating channels. The actuators must be sized to enable operation with only two functioning actuators.
Application performance specifications may require system architectures to apply these degradation categories through multiple failure modes. For instance, after the first failure in a quad-redundant flight actuator system, the system may be required to remain fail-operational. After the second failure in the system, the application may require fail-passive operation. After three failures, the application may require fail-safe operation. System designers must be aware of failure response requirements and select architectures and components accordingly. In this application, the actuator system must be able to adequately move the aircraft surfaces with only two operating channels. Therefore, the actuators must be sized to enable operation with only two functioning actuators.
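The degradation sequence stated above for the tri-redundant heart (fail-operational after the first failure, fail-passive after the second, fail-safe after the third), written out as a redundancy manager with cross-channel voting. This is an added example in C, not code from the presentation or from On Target Technology Development. The three pump channels commanded in rpm, the 50 rpm tolerance, the three-cycle persistence count, the scripted failure sequence and the policy that the lower-numbered survivor wins an unresolved two-channel miscompare are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NCHAN 3

typedef enum { FAIL_OPERATIONAL = 0, FAIL_PASSIVE = 1, FAIL_SAFE = 2 } degradation_t;

typedef struct {
    float    tol;               /* max deviation from the voted value, in output units     */
    unsigned persist;           /* cycles a miscompare must persist before it is a failure  */
    float    safe_output;       /* command forced when no channel is trusted                */
    unsigned miscompare[NCHAN]; /* per-channel persistence counters                         */
    bool     failed[NCHAN];     /* latched channel failures                                 */
} redundancy_mgr_t;

typedef struct {
    float         output;       /* value passed on to the actuator stage           */
    degradation_t mode;         /* derived from the number of failed channels      */
    unsigned      failures;
} vote_result_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

void redundancy_init(redundancy_mgr_t *m, float tol, unsigned persist, float safe_output)
{
    m->tol = tol;
    m->persist = persist;
    m->safe_output = safe_output;
    for (int i = 0; i < NCHAN; i++) { m->miscompare[i] = 0; m->failed[i] = false; }
}

/* Mid-value select: the median of three is immune to one wild channel. */
float mid3(float a, float b, float c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* One control cycle. in[] are the three channels' outputs; self_ok[] is each
 * channel's own BIT verdict. Mode follows the requirement in the text:
 * 0 or 1 failures fail-operational, 2 fail-passive, 3 fail-safe. */
vote_result_t redundancy_vote(redundancy_mgr_t *m, const float in[NCHAN], const bool self_ok[NCHAN])
{
    vote_result_t r;
    int good[NCHAN], n = 0;
    for (int i = 0; i < NCHAN; i++) {
        if (!self_ok[i]) m->failed[i] = true;    /* a channel's own BIT is believed at once */
        if (!m->failed[i]) good[n++] = i;
    }
    if (n == 3) {
        r.output = mid3(in[0], in[1], in[2]);
        /* Cross-channel compare against the voted value, with persistence so a
         * transient disagreement does not cost a channel. */
        for (int i = 0; i < NCHAN; i++) {
            if (absf(in[i] - r.output) > m->tol) {
                if (++m->miscompare[i] >= m->persist) m->failed[i] = true;
            } else {
                m->miscompare[i] = 0;
            }
        }
    } else if (n == 2) {
        float a = in[good[0]], b = in[good[1]];
        r.output = 0.5f * (a + b);
        /* Two survivors cannot out-vote each other. A persistent miscompare is an
         * unresolved fault: keep the lower-numbered channel (policy assumption)
         * and let the failure count take the mode to fail-passive. */
        if (absf(a - b) > m->tol) {
            if (++m->miscompare[good[1]] >= m->persist) { m->failed[good[1]] = true; r.output = a; }
        } else {
            m->miscompare[good[1]] = 0;
        }
    } else if (n == 1) {
        r.output = in[good[0]];                  /* single channel: no voting possible */
    } else {
        r.output = m->safe_output;               /* nothing trusted: force the safe state */
    }
    r.failures = 0;
    for (int i = 0; i < NCHAN; i++) r.failures += m->failed[i] ? 1u : 0u;
    r.mode = r.failures <= 1 ? FAIL_OPERATIONAL : (r.failures == 2 ? FAIL_PASSIVE : FAIL_SAFE);
    if (r.mode == FAIL_SAFE) r.output = m->safe_output;
    return r;
}

/* Constructed scenario (assumed values): runs stages 0..stage and returns the
 * result after the last one. 0: all three channels agree; 1: channel 2 drifts
 * high and is voted out; 2: channel 1's own BIT trips; 3: channel 0's own BIT trips. */
vote_result_t demo_stage(int stage)
{
    redundancy_mgr_t m;
    redundancy_init(&m, 50.0f, 3, 0.0f);       /* 50 rpm tolerance, 3-cycle persistence, safe = stop */
    float in[NCHAN] = {3000.0f, 3005.0f, 2995.0f};
    bool  ok[NCHAN] = {true, true, true};
    vote_result_t r = {0.0f, FAIL_OPERATIONAL, 0};
    for (int c = 0; c < 3; c++) r = redundancy_vote(&m, in, ok);
    if (stage >= 1) { in[2] = 3500.0f; for (int c = 0; c < 3; c++) r = redundancy_vote(&m, in, ok); }
    if (stage >= 2) { ok[1] = false; r = redundancy_vote(&m, in, ok); }
    if (stage >= 3) { ok[0] = false; r = redundancy_vote(&m, in, ok); }
    return r;
}

int main(void)
{
    static const char *names[] = {"fail-operational", "fail-passive", "fail-safe"};
    for (int s = 0; s <= 3; s++) {
        vote_result_t r = demo_stage(s);
        printf("stage %d: %u failed, %s, output %.1f rpm\n", s, r.failures, names[r.mode], r.output);
    }
    return 0;
}
```

Two points the code makes that the prose leaves implicit: a channel is removed either by its own BIT or by being out-voted, so the redundancy manager and the per-channel BIT are both needed; and once only two channels remain, voting can detect a disagreement but cannot adjudicate it, which is why the second failure is specified as fail-passive (intervention required) rather than fail-operational.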
Industry Specifications and Standards
Role of Industry Standards
Safety-critical applications are guaranteed only through robust designs and controlled operation.
Industry specs and standards provide guidelines to:
Support safety-critical application development
Generally accepted engineering practices for robust design
Definitions and expectations for controlled operation
Compliance to these standards significantly influences development cost and schedule.
Standards can contain requirements, guidelines or both.
Requirements: processes/practices that must be implemented.
Guidelines: recommended practices/methods.
We claimed earlier that safety-critical applications are guaranteed only through robust designs and controlled operation. Industry specifications and standards provide generally accepted engineering practices and guidelines to support safety-critical application development. Development programs will identify applicable industry specifications and standards early in the life-cycle, as compliance to these standards can have a significant influence on development cost and schedule.
Standards can contain requirements, guidelines or both. Requirements are processes or design practices that must be implemented. Guidelines provide recommended practices and methods for satisfying requirements.
Safety Standards Categories
[Diagram: Safety Standards branch into Development Processes (Management, Engineering Analysis) and Design Practices (System Architecture, Component Practices).]
Standards can be applied to development processes and/or design implementation. Examples of development processes are software development plans, quality management processes and verification plans. Engineering analysis standards include reliability analysis and other performance analyses. Design practices are very specific to the application industry. For instance, the Federal Motor Vehicle Safety Standards (FMVSS) provide design practices for motor vehicles.
Sample Safety Standards and Applicability
Standard              Applicability
MISRA / MISRA C       Automotive industry software
CMVSS                 Motor vehicle systems and components (Canada)
FMVSS                 Motor vehicle systems and components (US)
EN 50128              Railway industry
IEC 60601             Medical equipment
SAE J1739             Automotive FMEA
SAE J1938             Vehicle electronic systems
SAE J2344             Guidelines for electric vehicle safety
IEC 880               Nuclear industry
UL-1998               Software design requirements (non-process)
MOD DEF STAN 00-55    UK Ministry of Defence safety-related software processes
MOD DEF STAN 00-56    UK Ministry of Defence system safety processes
IEC 61508             Generic "programmable systems" (electrical/electronic/programmable electronic)
RTCA/DO-178B          Aerospace and aviation software
RTCA/DO-254           Aerospace and aviation hardware
ARP 4754              Aircraft systems certification considerations
ARP 4761              Airborne systems safety assessment
MIL-STD-882           Safety systems for US DoD
Although the scope of this paper is not to provide a tutorial of safety standards, it is relevant to identify some standards and their applicable industries and applications. Table 1 highlights some common standards.
Applicability of Standards
There is some cross-breeding of standards.
Ex. DO-178B is used in some automotive and medical applications.
System Integrity Levels (SIL). IEC 61508 calls them Safety Integrity Levels and defines SIL 1 to 4; EN 50128 adds SIL 0 for software that is not safety-related.
Classified from 4 (highest safety) to 0 (not safety-related) [DO-178B uses A (high) to E (low)]
SIL determines applicable development and test processes.
Not globally adopted: some countries take deviations.
Many of the standards listed above classify systems into five System Integrity Levels (SILs) from 4 (highest safety) to 0 (not safety related). DO-178B uses A (highest safety) to E (lowest safety). The SIL of the development project drives the processes for that project. For instance, to test software in a DO-178B Level A project, such as a flight control system with no mechanical backup, all code statements must be executed, all code branches must be followed, modified condition/decision coverage (MC/DC) must additionally be demonstrated at Level A, and actual target hardware must be used.
But do I HAVE to?
The designer's mission is to achieve safety certification.
Deviations can be taken, if they are coordinated with and approved by the application's certification representative.
"The Code is more what you'd call 'guidelines' than actual rules."
Barbossa, Pirates of the Caribbean
To steal a quote from the movie Pirates of the Caribbean, many of these standards are more what you'd call guidelines than actual rules. The designer's real mission is to achieve safety certification. Deviations can be taken, if they are coordinated with and approved by the application's certification representative.
Development Strategies
So Tell Me, Do You Feel Lucky Punk?
For a system to be trusted with human life, it must be well-planned, well-designed and well-tested.
Design goal: eliminate catastrophic failure modes, or minimize the risk to a very low probability.
Testing is necessary, but not sufficient: it proves the presence of errors, not their absence. There is no way to test safety into the system.
Safety is built in throughout the development life-cycle: safety-critical development plans and test procedures, independent reviews.
Systems that are well-planned, designed, tested and certified can be trusted with human life. The design goal of safety-critical system development is to eliminate failure modes that could result in catastrophic failures, or if that is not feasible, minimize the risk such that there is a very low probability of catastrophic failure.
Safety is proven not only through testing, but also through safe planning and development processes. Testing is a necessary, but not sufficient, element of safety-critical development; it only proves the presence of errors, not their absence. We haven't yet found a way to test safety into the system.
Safety must be built in throughout the development life-cycle using safety-critical development plans and procedures, independent reviews, and comprehensive test cases. This section highlights some basic development strategies that have proven to be important in many of the author's designs. It is by no means a comprehensive list, but it does capture some thought processes that must be exercised.
Improving Fault Tolerance
Brick-wall partitioning
Redundancy: no single-point failures
Cross-channel data voting
Isolation and independence (e.g. power sources), in both hardware and software
BIT mode allocation
Hardware independence of control and BIT HW
Reliability, maintainability and safety analyses
Deterministic performance
Comprehensive validation and verification
Requirements-based simulation and testing
Certified development tools
Example Cases
Throughout my career, I have worked on safety-critical applications on a variety of platforms, including airplanes, locomotives, heavy-duty trucks, passenger vehicles, power systems, and medical diagnostics. Interestingly, the concepts needed to make these systems fault-tolerant, fail-operative or fail-safe are quite common.
The following describes some examples of safety-critical systems.
Fly-by-wire Aircraft Control Systems
In the past, many aircraft had mechanical backups for their electronic flight control systems.
Fly-by-wire systems with no mechanical backups are becoming more prevalent in both military and commercial environments.
Actuation systems, such as those that move flight surfaces, have become safety-critical.
Automotive Drive-by-wire System
Now developing full-authority drive-by-wire systems: brake-by-wire, steer-by-wire, throttle-by-wire.
Previously achieved fault tolerance through hardware redundancy.
Redundancy can be cost and space prohibitive in drive-by-wire applications.
Software standards such as MISRA are being developed to facilitate fault tolerance with less hardware redundancy.
Railway Signaling System
Railway signaling systems enable operators to direct trains while preventing trains from colliding.
Malfunction in these systems could cause death.
Safety-related hardware is used to provide redundancy.
Control independence is provided through coordinated actions by the train operator and the dispatcher.
Submarine Depth Control System
Similar challenges as aircraft applications.
Preferred fail-safe response depends on the application and environment.
In a battle environment, underwater concealment is important, so surfacing the submarine may not be the best mitigation.
Submarine pilot must be able to eventually surface a failed vehicle to recover personnel.
Nuclear Power Station Shutdown
Nuclear power stations require a protection system that closes the station down in the event of a malfunction.
Protection system must mitigate the consequences of the situation.
Both hardware and software protection systems are used, since the multiple redundancy increases confidence in safety.
"With great power comes great responsibility."
Uncle Ben, Spiderman
Medical Systems
Can be directly responsible for human life.
Examples: hardware that controls laparoscopic surgery devices; software that monitors safe amounts of x-rays; information systems that doctors use to coordinate medication.
Safety development standards have recently become a strong focus in the medical industry.
The Therac-25 radiation therapy machine resulted in lost lives due to software-related radiation overdoses.
Conclusions
System safety requires robust design and controlled operation during failure modes.
Designers for safety-critical applications utilize industry standards and development processes, as well as preferred engineering practices, to develop safe, validated and deterministic designs.
Redundancy and comprehensive BIT mitigate system failures.
Learn to expect the unexpected.
The response to an unexpected event must be known and designed into the system before that unexpected event occurs.
Predictable and deterministic responses to all potential failure modes are paramount in safety-critical design.
Many of the issues, practices and strategies described in this presentation are a result of previous or ongoing projects at On Target Technology Development.
If we all keep our wits about us as we develop these safety-critical systems, we can sit back and relax in our confined space on board an aircraft without worrying that a design failure will send our steel horse for a loop even when we fly over the Equator.
On Target Medical Actuator Projects
Products, research projects, partnerships
Medical monitor
Muscle diagnostic system
Circulation Actuation through the Limb Footwear (CALF)
Personal transporter
Respiratory therapy stimulation vest
X-ray controller
Q&A
If you have any further questions
On Target Technology Development
1701 North Street, Bldg 40-1, Endicott, NY 13760
P: (607) 755-4990 F: (607) 755-4981
Contact: Vince Socci, Principal
www.ontargettechnology.com
On Time, On Budget, On Top On Target
Backup slides
How do you meet that demand?
Education and training in safety-critical application development
Integrated system awareness and development
Proven safety standards, development processes, and design practices
Lessons learned and development strategies from the school of hard knocks
You took the initiative to participate in this workshop and learn the skills needed to meet that demand.
As a result, you will become more valuable to your organization and your industry.
Congratulations!
There is only so much we can learn in a 90-minute course. But we will cover the highlights, and you will take that overview as a foundation for your future learning.
F-16 Thunderbird Crashes
See http://www.f-16.net/f-16_news_article968.html
F - 1 6 C p e r f o r m e d a b e l l y l a n d i n g o n t h e L u k e
A F B r u n w a y o n J u n e 1 7 , 2 0 0 4 a t
a p p r o x i m a t e l y 1 4 1 6 .
T h e p i l o t o f t h e F - 1 6 d e c l a r e d a n i n - f l i g h t
e m e r g e n c y w h e n h e c o u l d n o t e x t e n d t h e
l a n d i n g g e a r . A f t e r n u m e r o u s a t t e m p t s t o
e x t e n d i t , t h e a i r c r a f t r a n o u t o f f u e l a n d t h e
p i l o t w a s f o r c e d t o p u t t h e j e t d o w n o n i t s b e l l y .
A f t e r s l i d i n g t o a f i e r y s t o p , t h e c a n o p y w a s
s e e n t o g o u p a n d t h e p i l o t s p r i n t e d a w a y f r o m
t h e b u r n i n g a i r c r a f t . T h e p i l o t i s t h o u g h t t o b e
o k , b u t t h e a i r c r a f t i s m o s t l i k e l y t o t a l e d .
Event #1: Pilot Error
Event #2: System Failure
See http://www.f-16.net/f-16_news_article1100.html
A pilot's error caused a Thunderbirds F-16C to crash shortly after takeoff during a September airshow at Mountain Home Air Force Base, Idaho. The pilot ejected just before the aircraft impacted the ground.
On Wednesday the 21st, the Air Force Accident Investigation Board held a news conference at the home of the Thunderbirds - Nellis Air Force Base - to announce what caused an F16 to crash last September.
According to the accident investigation board report the pilot, 31-year-old Captain Chris Stricklin, misinterpreted the altitude required to complete the "Split S" maneuver. He made his calculation based on an incorrect mean-sea-level altitude of the airfield. The pilot incorrectly climbed to 1,670 feet above ground level instead of 2,500 feet before initiating the pull down to the Split S maneuver.
When he realized something was wrong, the pilot put maximum back stick pressure and rolled slightly left to ensure the aircraft would impact away from the crowd should he have to eject. He ejected when the aircraft was 140 feet above ground - just 0.8 seconds prior to impact. He sustained only minor injuries from the ejection. There was no other damage to military or civilian property.
The aircraft, valued at about $20.4 million, was destroyed.
The difference in altitudes at Nellis and Mountain Home may have contributed to the pilot's error. The airfield at Nellis is at 2,000 feet whereas the one at Mountain Home is at 3,000 feet. It appears that the pilot reverted back to his Nellis habit pattern for a split second. Thunderbird commander Lt. Col. Richard McSpadden said Stricklin had performed the stunt around 200 times, at different altitudes during his year as a Thunderbird pilot.
McSpadden says Stricklin is an exceptional officer. "He is an extremely talented pilot. He came in here and made an honest mistake," says Lt. Col. McSpadden. But that mistake has cost Stricklin his prestigious spot on the Thunderbird team. "He's assigned to Washington D.C.," says McSpadden. "He's working in the Pentagon there in one of the agencies."
The maneuver the pilot was trying to complete is called the "Split S Maneuver." The stunt requires that the pilot climb to 2,500 feet. Investigators say Stricklin only climbed to 1,670 feet before he went into the spinning roll.
The board determined other factors substantially contributed to creating the opportunity for the error, including the requirement to convert sea level altitude information from the F-16 instruments - to their altitude above ground - and call out that information to a safety operator below.
But the Air Force has now changed that as a result of the crash. Thunderbird pilots will now call out the MSL (mean-sea-level) altitudes as opposed to the AGL (above-ground-level) altitudes.
Thunderbird pilots will now also climb an extra 1000 feet before performing the Split S Maneuver to prevent another mistake like the one on Sep. 14, 2003 from happening again.
Captain Chris Stricklin has been in the Air Force since 1994 and flew with the Thunderbirds for the first season now. He has logged a total of 1,500+ flight hours and has received numerous awards. He served as a flight examiner, flight instructor and flight commander.
The Thunderbirds will again take to the skies this year. They have 65 airshows scheduled.
The September crash was the second involving a Thunderbirds jet since the team began using F-16s in 1983. Pilot error was blamed for a Feb. 14, 1994, training crash involving a maneuver called a spiral descent at the Indian Springs Auxiliary Airfield, northwest of Las Vegas. The pilot survived, but the maneuver was discontinued.
Automotive Brake-by-Wire System
[Diagram: brake actuators at wheels FL, FR, RL and RR, commanded from the brake pedal input P]
A brake actuator interfaces with each wheel (FL, FR, RL, and RR).
These actuators are controlled using the brake pedal input (P).
Dual-redundant signal paths are used to prevent single-point failures in the wiring.
What happens when a brake fails? (active/inactive)
A pedal?
Brake-by-wire systems are safety-critical systems. If the brakes fail to operate correctly, the vehicle will not be controllable. Imagine what would happen if you were driving at 120 kph and the brakes would not actuate. What if the failure forced the brakes to actuate uncontrollably?
Partitioning and Modularity
Allocate system requirements and distribute them to functional components. Different functional components may have different safety integrity levels.
System SIL is the minimum SIL for any functional component that performs safety-critical functions.
Functional blocks may be implemented with brick-wall time and space partitioning of separately loadable software applications. These programs can have different SILs, which may result in reduced test and certification costs and increased portability/reuse.
Remember - selection of the safety integrity level is important because it determines which development guidelines, processes and standards will be required in development.
System Redundancy
Primary means to develop fault-tolerant systems of components
Let's compare these two systems
[Diagram: quad-actuator system - Power Source, Control Interface Controller, four Actuator Controllers each with Sensor Monitors, all driving a single Actuator and Mechanical Interface]
[Diagram: brake-by-wire system - brake actuators FL, FR, RL, RR and pedal input P]
The first example is a brake-by-wire system. If one brake actuator fails in an inactive state (i.e. the brake cannot be applied), the brake actuators on the other three wheels will likely stop the vehicle. Redundancy allows the system to perform, albeit in a degraded mode, when failures occur. If a brake fails in an active state (i.e. the brake is applied when not commanded), the safety of the operator may be jeopardized, especially if the vehicle is traveling at high speed when the failure occurs. The Federal Motor Vehicle Safety Standards (FMVSS) provide guidelines to consider when developing this type of system. Depending on your application, the fail-safe position of brake actuators may be full-active, partially active, or full inactive.
The second example shows a quad-actuator system in which all four actuators control the same mechanical interface. Failures in the controllers, actuators and feedback sensors are mitigated by redundant components. However, failures in the control interface, power source and even the mechanical interface cannot be mitigated. These are called single-point failure modes: a failure at a single point will cause the whole system to be inoperable. Good system architectures minimize single-point failure modes, and ideally have none.
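To make the single-point comparison in these notes concrete, here is an added example in C (not code from the slides or from On Target Technology Development) that models each architecture as a predicate over a set of failed components and injects every component failure on its own. The component lists, the rule that one healthy controller/actuator/sensor channel keeps the quad-actuator system operable, and the rule that three of four wheel brakes still stop the vehicle are assumptions made for the example. Only inactive ("cannot be applied") failures are modelled; the stuck-active brake case discussed above needs a separate failure-mode model.

```c
/* Single-point failure enumeration for two redundancy architectures.
 * Added example: component lists and the degraded-operation rules are
 * assumptions for illustration, not taken from the slides. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 16

/* A system predicate: given which components have failed (inactive),
 * does the system still perform its function, possibly degraded? */
typedef bool (*system_ok_fn)(const bool failed[]);

/* Quad-actuator system: one power source, one control interface, four
 * controller/actuator/sensor channels, one mechanical interface.
 * Assumption: a single healthy channel is enough to drive the load. */
enum { Q_POWER, Q_CTRL_IFACE, Q_MECH,
       Q_CTRL0, Q_CTRL1, Q_CTRL2, Q_CTRL3,
       Q_ACT0,  Q_ACT1,  Q_ACT2,  Q_ACT3,
       Q_SENS0, Q_SENS1, Q_SENS2, Q_SENS3, Q_COUNT };

bool quad_actuator_ok(const bool failed[])
{
    if (failed[Q_POWER] || failed[Q_CTRL_IFACE] || failed[Q_MECH])
        return false;                 /* shared resources have no backup */
    for (int ch = 0; ch < 4; ch++)
        if (!failed[Q_CTRL0 + ch] && !failed[Q_ACT0 + ch] && !failed[Q_SENS0 + ch])
            return true;              /* one complete channel still works */
    return false;
}

/* Brake-by-wire system: pedal signal carried on two redundant paths, one
 * brake actuator per wheel. Assumption: braking is acceptable (degraded)
 * when at least three of the four wheel brakes still respond. */
enum { B_PATH_A, B_PATH_B, B_FL, B_FR, B_RL, B_RR, B_COUNT };

bool brake_by_wire_ok(const bool failed[])
{
    if (failed[B_PATH_A] && failed[B_PATH_B])
        return false;                 /* both pedal signal paths lost */
    int working = 0;
    for (int w = B_FL; w <= B_RR; w++)
        if (!failed[w]) working++;
    return working >= 3;
}

/* Fail each component alone and record which ones bring the system down.
 * Returns the number of single-point failure modes; is_spf (if non-NULL)
 * receives a per-component flag. */
int count_single_point_failures(system_ok_fn ok, int n, bool is_spf[])
{
    bool failed[MAX_COMPONENTS];
    int spf = 0;
    for (int i = 0; i < n; i++) {
        memset(failed, 0, sizeof failed);
        failed[i] = true;
        bool down = !ok(failed);
        if (is_spf) is_spf[i] = down;
        if (down) spf++;
    }
    return spf;
}

/* Convenience query: is this one component a single point of failure? */
bool is_single_point(system_ok_fn ok, int n, int component)
{
    bool flags[MAX_COMPONENTS];
    count_single_point_failures(ok, n, flags);
    return component >= 0 && component < n && flags[component];
}

int main(void)
{
    bool spf[MAX_COMPONENTS];
    int q = count_single_point_failures(quad_actuator_ok, Q_COUNT, spf);
    printf("quad actuator: %d single-point failure mode(s)\n", q);
    for (int i = 0; i < Q_COUNT; i++)
        if (spf[i]) printf("  component id %d is a single point of failure\n", i);
    int b = count_single_point_failures(brake_by_wire_ok, B_COUNT, spf);
    printf("brake-by-wire: %d single-point failure mode(s)\n", b);
    return 0;
}
```

Under these assumptions the quad-actuator model reports exactly the three shared components named in the notes (power source, control interface, mechanical interface), while the brake-by-wire model reports none for inactive failures. Extending the predicate with a second failure mode per component (stuck active) is the natural next step for the active-brake case.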
System Redundancy
Brake-by-wire system
[Diagram: brake actuators FL, FR, RL, RR and pedal input P]
If one brake actuator fails in an inactive state, the brake actuators on the other three wheels will likely stop the vehicle. Redundancy allows the system to perform (degraded) when failures occur.
If a brake fails in an active state, the safety of the operator may be jeopardized.
The Federal Motor Vehicle Safety Standards (FMVSS) provide guidelines to consider when developing this type of system.
Depending on your application, the fail-safe position of brake actuators may be full-active, partially active, or full inactive.
System Architecture Analyses and Processes
Formal development processes for:
System requirements management
Design and analysis
Comprehensive verification
Quantifies safety performance and determines safety-critical design practices that should be implemented.
Evaluate static failures and dynamic failures such as:
A required event that does not occur
An undesirable event that does occur
Order of events sequence failures
Timing failures in event sequences
Consider all failure modes that affect performance
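The four dynamic failure classes on this slide can be checked mechanically against an event trace, whether from a simulation, a bench test log or a runtime monitor. The following C is an added example, not code from the slides, of such a monitor for one brake actuator channel; the event names, the 20 ms response deadline and the sample trace are constructed for illustration.

```c
/* Event-sequence monitor for a brake actuator channel. Added example:
 * the event types, the 20 ms deadline and the trace are constructed and
 * do not come from the slides or from a real system. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { EV_BRAKE_CMD, EV_BRAKE_APPLIED, EV_BRAKE_RELEASED } event_type;

typedef struct {
    uint32_t t_ms;      /* monotonic timestamp */
    event_type type;
} event;

/* One counter per failure class from the slide. */
typedef struct {
    int missing;        /* required event did not occur: command never acknowledged */
    int unexpected;     /* undesirable event occurred: brake applied with no command */
    int ordering;       /* sequence failure: release seen before any apply */
    int timing;         /* timing failure: apply arrived after the deadline */
} failure_counts;

/* Expected sequence per cycle: CMD -> APPLIED (within deadline) -> RELEASED. */
failure_counts monitor_trace(const event *ev, size_t n, uint32_t deadline_ms)
{
    failure_counts fc = {0, 0, 0, 0};
    int cmd_pending = 0;        /* a command is waiting for its APPLIED */
    int applied = 0;            /* brake is currently applied */
    uint32_t cmd_time = 0;

    for (size_t i = 0; i < n; i++) {
        switch (ev[i].type) {
        case EV_BRAKE_CMD:
            if (cmd_pending) fc.missing++;          /* previous command never answered */
            cmd_pending = 1;
            cmd_time = ev[i].t_ms;
            break;
        case EV_BRAKE_APPLIED:
            if (!cmd_pending) {
                fc.unexpected++;                    /* actuator moved on its own */
            } else {
                if (ev[i].t_ms - cmd_time > deadline_ms) fc.timing++;
                cmd_pending = 0;
            }
            applied = 1;
            break;
        case EV_BRAKE_RELEASED:
            if (!applied) fc.ordering++;            /* release cannot precede apply */
            applied = 0;
            break;
        }
    }
    if (cmd_pending) fc.missing++;                  /* trace ended with an open command */
    return fc;
}

int total_failures(failure_counts fc)
{
    return fc.missing + fc.unexpected + fc.ordering + fc.timing;
}

#define DEADLINE_MS 20u

/* Constructed trace: one clean cycle, then one instance of each failure class. */
static const event SAMPLE_TRACE[] = {
    {   0, EV_BRAKE_CMD },     {  10, EV_BRAKE_APPLIED }, {  50, EV_BRAKE_RELEASED },
    { 100, EV_BRAKE_CMD },     { 140, EV_BRAKE_APPLIED }, { 160, EV_BRAKE_RELEASED }, /* 40 ms: timing */
    { 200, EV_BRAKE_APPLIED }, { 210, EV_BRAKE_RELEASED },                            /* no command: unexpected */
    { 300, EV_BRAKE_CMD },     { 400, EV_BRAKE_CMD },                                 /* first unanswered: missing */
    { 410, EV_BRAKE_APPLIED }, { 420, EV_BRAKE_RELEASED },
    { 500, EV_BRAKE_RELEASED },                                                       /* release first: ordering */
};
#define SAMPLE_TRACE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

failure_counts check_sample_trace(void)
{
    return monitor_trace(SAMPLE_TRACE, SAMPLE_TRACE_LEN, DEADLINE_MS);
}

int main(void)
{
    failure_counts fc = check_sample_trace();
    printf("missing=%d unexpected=%d ordering=%d timing=%d (total %d)\n",
           fc.missing, fc.unexpected, fc.ordering, fc.timing, total_failures(fc));
    return 0;
}
```

The same state machine, fed from the real channel instead of a stored trace, is the kind of built-in test that the "testability" and monitoring themes of this talk call for: a missing or late apply is a candidate inactive failure, an uncommanded apply is a candidate active failure, and each class is counted separately so the safety analysis can weigh them differently.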
The industry standards described earlier stress formal planning, development and test processes. Systems engineering for safety-critical systems emphasizes formal development processes for system requirements management, iterative design and analysis, and comprehensive verification. These guidelines, coupled with robust design practices, provide safe system architectures.
A safety analysis, such as the system safety assessment process described by guidelines like ARP4761 [5], is performed on the system architecture to quantify safety performance and ascertain what safety-critical design practices should be