SAFETY-CRITICAL Software Development for Aerospace, Automotive, Railway, Industrial applications

WHAT IS SAFETY-CRITICAL & CERTIFIED SOFTWARE?

The first thing to explain in this webinar is the definition of SAFETY-CRITICAL Software: what is the difference with respect to MISSION-CRITICAL?

You will see that the differences are not as many as you think, and that they are actually more bureaucratic and formal than technical.

Exactly: the objectives and the strategies for writing good quality software are more or less the same; what changes is the strictness in the application of the rules and, above all, the detailed documentation required of the overall process.


REGISTER to WEBINAR "SAFETY-CRITICAL Software Development for Aerospace, Automotive, Railway, Industrial applications" - THURSDAY November 17th 2022 - 15:00


HOW IS SAFETY HANDLED BY THE STANDARDS FOR THE VARIOUS MARKETS?

In short, there is a real way to produce software that is:

- formal, enough to avoid ambiguity

- scientific, based on strict criteria and not on creativity

- repeatable, in different areas and factors of scale

And it was, above all, a fundamental meeting with one of the greatest experts in avionics certification in the world, Vance Hilderman, a guru who has trained thousands and thousands of people all over the world and has participated in the certification of the majority of civilian (and partly military) aircraft on the market; I was fortunate enough to have him as a teacher and colleague for many years and in different companies.

What I did was simply start from the enormous esteem I had for him and his immense knowledge, enrich my cultural baggage, absorb like a sponge everything related to the avionics world and finally be able to give voice to a dream of mine: to make peace between the two worlds:


the world of Software, of which I considered myself an expert having worked in advanced domains for several years, and that of Correctness and Safety-Critical.

Because I, like you, exasperated by my personal experience, until a few years ago was still resigned to the fact that software was indeed an interesting aspect, complex and crucial for a variety of devices, but that it was inevitably creative, unmanageable and almost impossible to control.

Moving, however, from the world of embedded software in general towards safety-critical software, my doubts, rather than being resolved, continued to grow:


what were the techniques, methods and processes suitable for developing truly correct and secure software?

Thanks to Vance, I discovered the enormous world of software certification, that is, a long and complex process of repeated and cross-checks by an authority, demonstrating compliance with a completely different approach from those known so far.

Forget (but not entirely, because I'll come back to that!) the world of ISO-9001, CMMI or other certifications... avionics and the other safety standards are quite another thing. And above all, they are mandatory.

Sure: an airplane that flies, a car that moves on the road, a train that carries goods or passengers and a medical device are all united by some factors.

First of all: as we have already said, they are Safety-Critical systems, where a malfunction could be highly risky because human life is at stake.

So a well-known phenomenon happens: sooner or later a State Authority will study the process, putting together a panel of the best experts in the field, who will write a Safety Standard to ensure the safety of people using that category of products, which makes the software development method as engineered a process as possible.

Over the years, a whole series of SAFETY-CRITICAL STANDARDS have been released, with abbreviations well known to professionals, such as:

  • DO-178B/C: safety standard for the development of Avionics software
  • ISO-26262: safety standard for the Automotive world
  • IEC-61508: safety standard in Industrial Automation
  • IEC-50128 / CENELEC: safety standard for Railway
  • IEC-62305: safety standard for Bio-medical devices




2017: ONE WHOLE YEAR WITHOUT A SINGLE PLANE CRASH

The avionics certification is absolutely the most feared: considered the equivalent of the Caudine Forks, it is regarded as terrible and expensive, and not wrongly, I would say.

The budget of a "normal" project, certified with different standards or even not certified, can rise by even 200 or 300% if the company wanted to proceed along the path of DO-178, without, among other things, any guarantee of success and especially with difficult management and forecasting of timelines.

What is the counterpart?

Well:
in 2017 there was NO FATAL ACCIDENT with airliners
NONE


Is it clear enough?

Think about these things:

  • a mobile phone which, for a whole year, has no app that fails ruinously
  • a computer which has no crashes or data loss for 12 months
  • an Internet site which you always find active 24 hours a day, without interruptions, delays or lost pages

It would be nice, wouldn't it?

Too bad it has been calculated that a hypothetical DO-178-compliant mobile phone could cost up to €20-30,000 if not more (yes, THIRTY THOUSAND EUROS). And every single application thousands of euros.

Ok, all right, I'll ask you a question:

"Would you accept producing a mobile phone, an app, a computer program, an embedded system that is much more reliable, performant and secure at the price of a modest and reasonable increase in costs, while then saving much more in terms of maintenance, support and service costs?"

If the answer is NO: you have the wrong article; continue to spend little, very little, on development and to burn large, unpredictable and out-of-control capital on after-sales assistance and support, and to manage the bad references from customers who got burned.

BEST WISHES.

If instead you want to find out how to:

  • exploit to your own advantage the highlights of the DO-178 avionics certification
  • apply its fundamental principles in a non-avionics safety-critical or even business-critical environment
  • let go of all the bureaucracy and the redundant and useless activities for your company
  • get an incredible increase in the quality of your software in exchange for a small investment in the development process
  • in the end save a lot of money over the whole life cycle, including support and assistance in the field

then you should attend the webinar...




CHRISTINE, THE KILLER (SELF-DRIVING) CAR?

As you may have read, in March 2018 a self-driving car from Uber hit a 49-year-old woman in Arizona, killing her.

Exactly: as in the best (and worst) science-fiction films (if not horror), a machine with artificial intelligence apparently went mad and killed a human being, one of the worst nightmares of man's technological evolution. This accident, as you may imagine, created a great stir and controversy, causing the suspension of all road tests.

In this article, I'll try to explain in a simple way what happened, whose fault it precisely is (and not what the newspapers say, not even the specialized press!), what the underlying error is and what an old man with a hat has to do with it.

You will understand why all this has to do with software projects and with the game of poker, and above all you will understand that, very probably, you are involved too. Yes, just YOU.

But let's go in order.

The autonomous driving race

For several years, a long series of technology startups, big automotive giants, alternative transport service companies such as Uber, and even players from other markets such as Apple have decided that it was time to overcome the limits of human driving (inaccurate, incapable, tired if not often drunk) and that it was necessary to start experimenting with autonomous driving operated by artificial intelligence: in a few words, very powerful computers that take automatic decisions, analyzing the road, obstacles, other vehicles and pedestrians and deciding to accelerate, brake and steer in place of the driver.

Do you remember something? Of course... autonomously driven machines, robots, computer systems that take autonomous decisions and, as in the best science fiction movies, become the worst nightmare of man. From "Space: 1999" to the Terminator saga, from "Christine" to "The Lawnmower Man", passing through a very long series of films, some of them B-movies, man has always imagined with horror a dystopian future in which the machines rebel and come to kill, if not to try to exterminate humanity.

Well: it seems, unfortunately, that this moment has really arrived.

But how do these autonomous driving systems work? What really caused the accident? But above all, why are all the newspapers, even specialized ones, a lot of experts, if not even the very companies that develop these systems, committing some crude fundamental errors, so that all the theories and practical applications of autonomously driven cars on the road are actually a big trick or even a scam?

How self driving cars work

The basic idea in itself is quite simple: you take a modern car, you fill it with cameras, sensors, radar and other systems for monitoring and analyzing the road, you equip it with very quick actuators that drive the steering, the accelerator and the brake and, above all, you create a very complex piece of software that analyzes all these inputs and decides how the car should behave, trying to be as good as if not better than a human driver. The famous robot that performs a tedious, dangerous or otherwise obsolete task that man no longer wants to do.

But are we talking about science fiction... or reality?

There are quite a few companies all over the world that have invested huge human and technological capital to create these self-driving cars... the major car manufacturers are almost all involved with their experiments, but there are also big tech names like Google and Apple, in addition to companies such as Uber that provide ride services with a driver, all engaged in this race against the clock to be the first to realize the dream of any driver who is tired, sleepy or has drunk a bit too much: to say to your car:

"Kitt, bring me home!"

as Michael Knight did with his famous super-smart (and also a bit nasty) car in the 80s TV series "SUPERCAR".

What went wrong in Uber's car (and it WASN'T a fault)

So, the first problem (and I'll come back to it) is that the pedestrian, who was walking her bike by hand, was crossing in a forbidden spot, without crosswalks and without lights, where cars were going at great speed. So, even this fact alone tips the causes of the accident towards what I want you to understand, but we are not finished yet.

Uber's car actually had a radar-based safety system on board, which had already identified the poor victim and was ready to go into operation, but... it was DISABLED!

Exactly: the device that identifies potential obstacles had already identified the pedestrian tens of meters and a few seconds before the impact and was ready to brake in time to save her, but it was not enabled! And why this madness?

Simply: to test their systems more easily and avoid false alarms, the company had decided to disable the emergency braking and entrust this task to the driver on board, who with the traditional controls could (and should!) intervene in time to avoid a collision. Although it seems absurd, in reality it is perfectly legitimate and normal... the final supervision of safety was left to the human driver.

So why didn't the driver stop in time?

Simple:

because she was watching... a show on her phone


For almost an hour, the driver, who was paid $24 an hour to be attentive and operational at the wheel, was following a show on her phone, looking only occasionally at the road. And she noticed the impending impact less than a second before, without having time to stop.

So, is it only her fault? The distracted backup driver's? Will she go to jail? Isn't the car possessed, the crazy robot, the killer software?

Perhaps, but in reality that is not even the point. There are other factors to consider that I'll show you now, because it all seems a bit based on very powerful and technologically advanced companies, which employ the best experts in the world and the most incredible technologies to achieve this goal, but fail to manage the unpredictable.

But in reality there is a huge fundamental error that, incredibly, almost no one is aware of, except for people like me who come from even more delicate and critical sectors such as the aeronautical one.

Why will such systems never work, under current conditions, in spite of all the efforts that the giants of transport and information technology are putting in?

But above all, is there already something at the level of other autonomous means of transport in other sectors of the world?




Self-landing airplanes

Of course, there are already some transport systems managed entirely by artificial intelligences and autonomous computers that work well, indeed very well, and have been around for several years. I analyze them briefly to make you understand what they have in common but above all what the difference is with cars that should drive themselves on our everyday roads, and why a similar accident would never happen there.

The reason, as we will see, is that these other systems work with boundary conditions much more restrictive than what newspapers, experts and large companies worldwide would have us believe possible for cars.

Let's talk briefly about one of the first autonomous passenger transport systems, which has existed for some decades and works in a practically perfect way: the ILS (Instrument Landing System). It may have happened to you, especially if you live in a city in Northern Europe, that in autumn or winter, landing in thick fog, the captain asked all the passengers to turn off any electronic device because an instrument landing was in progress, so that there wouldn't be any interference of any kind with the on-board systems.

I'll keep it simple without going into too much detail on the technological aspects, which you can look up even on Wikipedia, but these systems are based on a continuous exchange of information between a whole series of sensors and computer systems that are on board the plane, on the satellites visible at that moment from the plane itself, in the control tower and in all the other ground systems that are around the airport and in various stations throughout the territory. In short, the whole instrument landing is based not only on the sophisticated equipment, the advanced onboard software, the sensors and radars mounted on the plane... but on a multiplicity of equipment, computers and communication devices that are on the plane, on the ground and on the satellites. And above all on a series of radar control systems and other tools that make sure that the whole landing path, its surroundings and the runway are free from interference, other aircraft or flying objects (see the issue of drones), in other words that there are no external disturbing elements. This will be a fundamental point to which we will return later.

These systems have existed since the 1960s and have made it possible to perform millions and millions of instrument landings without any serious accidents. In fact, consider that in 2017 there was not a single fatal accident of passenger transport aircraft in the world.

Repeat it with me:

37 million flights in 2017, no fatal accidents

With systems that rely heavily on software and radio communications to perform a variety of automated tasks. Evidently, if the probability of a car accident in general is 17,000 times higher than that of a plane crash (exactly: the car is seventeen thousand times more dangerous than the plane!), we have something to learn from the avionics world, don't we? And by the end of this article it will be much clearer why this is very useful for you and your company that makes software, even if not avionics.


Trains that brake independently

Let's now look at another highly critical passenger transport system that is based entirely on autonomous computer-based driving systems: high-speed trains, like the Italian Frecciarossa, which has one of the most advanced systems in the world in terms of safety. They rely heavily on instrument guidance, also made in this case of a mix of on-board systems and those located along the railway and in the control rooms of the intermediate stations and those of departure and arrival.

To get an idea, a train like the Frecciarossa at full load traveling at 300 km/h in a total emergency situation requires at least 4 km to stop with an emergency brake. You got it right, FOUR KILOMETERS!

If the driver applies rapid braking, the train continues to move forward and hits any type of obstacle or problem in front of it for 4 km before stopping. On the other hand, if it stops calmly without an emergency, a train of that type takes 6 to 8 km to stop completely.

What does this mean?

Obviously, that the driver does not have any kind of responsibility or action regarding emergency braking, because the speed is so high and the stopping distances so long that even if he could see an obstacle a few hundred meters ahead, or even a kilometer further on, he would have no chance to stop in time, thus potentially causing a major rail disaster. For this reason, here too for many years there have been very advanced safety systems including ERTMS/ETCS (European Rail Traffic Management System / European Train Control System), a system for the management, control and protection of railway traffic and related signaling that is again based on computerized on-board systems, sensors, radars and other things mounted on the train, a whole series of transponders and other systems along the railway, and signaling and communication devices between the train and the closest stations as well as the departure and arrival ones.

In short, along the whole route on which a Frecciarossa travels at high speed between one station and another, any action by the train drivers is totally useless and the train is completely driven by the computer, so much so that the drivers themselves told me that they could travel with the windscreen completely obscured because it would not change anything for them.

But how do you protect a high-speed railway from external interference problems?

It is very simple: first of all there are no level crossings, which would represent a risk that is too high and cannot be managed in any way. In the same way, the tracks of high-speed trains are protected by hundreds of kilometers of difficult-to-climb barriers, video surveillance systems and proximity alarms in case a person or a large animal gets through, and advanced systems that check that the rails are perfectly intact without any kind of interruption or problem. Furthermore, as we said, the train continuously communicates its position and safety status with transponders along the tracks and with the stations to ensure that there is no danger.


The REAL problem of the Uber car accident?

Now, is it clearer to you why there is a huge underlying error, not so much when you design these autonomous driving systems for automobiles but when you have the utopian claim of having them circulate on the normal roads of every day?

Roads with potholes, without horizontal or vertical signs, that widen or narrow without any criteria, with signs that do not always make sense or follow a uniform standard throughout the country, let alone in different countries.

Not to mention the other drivers... people of all types, of all ages, with completely different driving styles ranging from the young reckless driver, to the famous old man with the hat I mentioned at the beginning of the article, to the lady returning from shopping and so on.

Everyone with completely different experience and driving skills, and completely unpredictable behavior.

To end with pedestrians, who cross (always?) at the crosswalks but also suddenly, plus other types of dangers, loads lost by trucks or other cars and so on.

A total madness, completely unpredictable, that no computer in the world can ever manage safely in any way, unlike the hyper-controlled, safe, standardized environment around an airplane or a railway system.

The real problem with Uber's car was that of... allowing it to circulate on everyday streets.

The solution for self-driving cars?

The only way to have autonomously driven cars that can safely carry passengers without any risk to their safety and that of others is to:

create new roads and highways, with the same standards all over the world or at least in the whole country or a group of neighbouring states, perfectly regular and maintained, with always-perfect horizontal and vertical signs, full of sensors and transponders embedded in the asphalt, in the traffic signs and in the guardrails, which communicate continuously with the cars and identify dangers such as lost loads, accidents, slowdowns and so on.


With cars that talk to each other and continuously transmit the information collected by their sensors and those of the motorway network, and which communicate with the nearest traffic control center. And above all, barriers along the way and at the main accesses that completely block access to pedestrians, strangers, animals and, of course, cars that are not autonomously driven, or that have malfunctioning or outdated systems on board, cars that enter the highway in the wrong direction and so on. In short, to anyone who is not updated and authorized.

Now, let's imagine that in this whole world so perfect and similar to the safe environment of high-speed railways and to the instrument landing of airplanes, on this safe highway where there are only self-driving cars, suddenly appears what is the nightmare of everyday roads... but which on such a highway could become the cause of a real tragedy: THE OLD MAN WITH THE HAT.

That is, that person, that car, that system, that software that is not compliant with the whole architecture, the standard, the compliance of all the other cars and the highway infrastructure, and who, somehow violating the access controls, is able to get onto the "intelligent" highway and ends up in the middle of the road at 40 per hour with the other self-driving cars whizzing around, until the behavior is so unpredictable that even these computers go crazy and cause fatal accidents.

So, even more, we must prevent in every way the old man with the hat from identifying the flaws of the access system and breaking in, violating all the requirements and access characteristics.


Software and old men with hats

And now let's see what software projects, the poker game and above all YOU have to do with all this.

Software projects are very similar to what you have heard about so far, as they are very complex systems in which a series of entities, subsystems and computers interact and communicate with each other in a very complex way. Exactly like an intelligent motorway network, the high-speed rail system or an aircraft performing an instrument landing.

The same care for the rules, requirements, infrastructure, compatibility, security of access and so on must also be put into a software project every day, such as the one in which you may work or that you manage; otherwise the risk is that incompatible code, a modification not adequately considered in its impacts, an update of a subsystem or the release of a new component not foreseen in the initial infrastructure could have devastating impacts and cause disastrous consequences for your software, your business and your customers.

In shorter words:

YOU MUST PROTECT YOUR PROJECT FROM THE OLD MAN WITH THE HAT!

What does the... POKER game have to do with this?

In this very common card game, there is a famous rule, even if unwritten... which says that when you sit down, there is always a person at the table who does not know the rules well and can therefore be plucked. But if in the first quarter of an hour of play you have not identified who the chicken to be plucked is, there is a big chance that it will be YOU.

Ok, and how do we put this together with all the previous talk?

It's very simple... in the last quarter of an hour I told you about how the design of a system, of a complex infrastructure, is full of rules, of requirements, of autonomous intelligences that must talk to each other in a standard protocol, of actors that interact with your system according to precise protocols, of modifications that are introduced in an absolutely accurate way and of accesses that are protected from all the people, entities and processes that are not authorized.

In a nutshell, in the last quarter of an hour I've talked to you about the potential old man with the hat of your software project.

Here, then:

  • If my speech did not make your alarm bells ring...
  • If you did not suspect what the next disaster in your project might be...
  • If you cannot imagine which unauthorized modification will be introduced soon...
  • If you do not know who is violating the requirements for being compliant to interact with your system...
  • If there is an open door through which the old man could come in with his hat and blow up your system...

If these questions have not jumped into your mind or you cannot give yourself an answer, well, there's a risk that the old man is endangering your software project...

The old man with a HAT... could be YOU!

So maybe you should take a deep breath and subscribe to my next webinar...


5th Commandment: THOU (Software) SHALT NOT KILL!

Software is one of the most complex things ever produced by man, without comparison. There is no literary product, scientific program or architectural work that can match the number of man-hours or man-years necessary to produce software of great complexity like the one installed on a modern plane, a latest-generation car, the computer or smartphone you are using, or even a social network like Facebook.

And software is so complex that it often makes mistakes... actually, it kills.

It kills people, it blows up companies, it burns huge capital, it damages the brand.

In 1982, it is suspected that the CIA deliberately introduced a bug (software error) into the control code of the Trans-Siberian gas pipeline in Russia. For counterintelligence purposes, the US had decided to blow up this pipeline once operational, with the result of provoking the largest non-nuclear explosion in history.

Between 1985 and 1987, a particle accelerator called Therac-25 caused several deaths in some hospitals. Based on a previous design, the new device was equipped with a software-based safety device instead of a mechanical one, but unfortunately it was programmed by a technician without any formal preparation and without safety criteria. In some cases of wrong usage, a very subtle bug called a "race condition" caused the emission of high-powered X-rays without a protective shield, which directly hit the patients, killing or seriously injuring them.

In 1996, the Ariane V rocket was deliberately blown up because it had gone totally off trajectory and out of control. The inertial navigation software of the previous version, Ariane IV, was considered so reliable that it was used without modifying it and, above all, without testing it against the new speed and acceleration requirements of the new and more powerful launcher. A trivial conversion error from 64 to 16 bits caused an unhandled overflow that led to self-destruction, with damage of 370 million dollars.
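The Ariane V paragraph above comes down to one unchecked narrowing conversion. As an added illustration that is not part of the original article and is not the actual Ariane code, the C snippet below puts a bare 64-bit-to-16-bit cast beside a checked conversion that refuses unrepresentable input and reports it to the caller; the sample readings are constructed for the demo and the function names (narrow_unchecked, narrow_checked, count_out_of_range) are assumptions of this example.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The "before": a bare cast. If `value` lies outside the int16_t range the
 * conversion is undefined behaviour in C; on common compilers the result
 * silently wraps, which is the failure mode the article attributes to the
 * reused inertial navigation code. */
int16_t narrow_unchecked(double value)
{
    return (int16_t)value;   /* no range check: the bug */
}

/* The "after": the conversion only happens when the input is representable;
 * otherwise the caller gets `false` and has to decide what to do with the
 * reading instead of feeding a wrapped value downstream. */
bool narrow_checked(double value, int16_t *out)
{
    if (isnan(value)) {
        return false;
    }
    if (value < (double)INT16_MIN || value > (double)INT16_MAX) {
        return false;
    }
    *out = (int16_t)value;   /* in range: truncation toward zero is well defined */
    return true;
}

/* Constructed sample readings (not real telemetry): the first three stay
 * within the 16-bit envelope, the last two model the larger values that a
 * more powerful launcher would produce. */
static const double sample_readings[] = { 120.5, -2500.0, 32767.0, 45000.0, -70000.0 };
#define N_SAMPLES (sizeof sample_readings / sizeof sample_readings[0])

/* Runs every reading through the checked conversion and returns how many
 * were rejected as unrepresentable. */
size_t count_out_of_range(const double *readings, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        int16_t v;
        if (!narrow_checked(readings[i], &v)) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* The bare cast is only exercised with an in-range value here, because
     * its result for out-of-range input is undefined. */
    printf("unchecked cast of %.1f gives %d\n", 120.5, narrow_unchecked(120.5));

    for (size_t i = 0; i < N_SAMPLES; i++) {
        int16_t v;
        if (narrow_checked(sample_readings[i], &v)) {
            printf("reading %10.1f -> %6d (accepted)\n", sample_readings[i], v);
        } else {
            printf("reading %10.1f -> REJECTED: not representable in 16 bits\n",
                   sample_readings[i]);
        }
    }
    printf("%zu of %zu readings rejected\n",
           count_out_of_range(sample_readings, N_SAMPLES), (size_t)N_SAMPLES);
    return EXIT_SUCCESS;
}
```

Compile with any C99 or later compiler and run it: the checked variant turns a silent wrap into an explicit status that the calling code must handle, which is exactly the difference between an unhandled overflow and a managed exceptional condition.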

On August 1, 2012, a Knight Corporation computer gone mad began sending thousands of incorrect stock trading orders per second, selling at market prices instead of using the Bid/Ask spread and systematically losing money on each transaction. In just over 30 minutes, the company lost $440 million and almost went bankrupt.

On October 19, 2016, the Schiaparelli space probe crashed on the Martian surface as part of the ExoMars exploration mission, a collaboration between ESA and Russia. The parachute opened for only 3 seconds instead of 30 as it should have, with the result of landing too fast and being destroyed on impact. In this case, as in the previous examples, the software had not been able to manage the exceptional conditions that occurred.

And these are only the macroscopic damages, those accounting for hundreds of millions of dollars and which become famous for that.

Actually, there are certainly less striking episodes where companies lose not only millions of dollars and euros, but above all they lose reputation, reliability, market position, user confidence and so on.


All things that can cause problems not only immediately, in the short term, but may lead to a long and inexorable decline.

Do not worry, there is even worse: the process of software production, in most companies including the best, is at least badly managed if not out of control, and the consequences sooner or later will become striking and plain for all to see.

Another EXCELLENT motivation to attend my webinar...



WEBINAR "SAFETY-CRITICAL Software Development for Aerospace, Automotive, Railway, Industrial applications"

In this webinar, we will explain how much all these standards have in common, and what their differences and peculiarities are:

  1. Understand the difference between SAFETY-CRITICAL and MISSION-CRITICAL Software
  2. Clarify how a PROCESS-ASSURANCE approach is the correct answer, instead of PRODUCT-ASSURANCE
  3. Learn which is the most TIME- and BUDGET-INTENSIVE ACTIVITY for Safety-Critical Certified Software
  4. Learn all the BEST PRACTICES TO SPEED UP Safety-Critical Software Development, from hundreds of International Projects

