Fault-Tree Generation for Embedded Software Implementing Dual-Path Checking 2011-01-1004
Given the fast changing market demands, the growing complexity of features, the shorter time to market, and the design/development constraints, the need for efficient and effective verification and validation methods are becoming critical for vehicle manufacturers and suppliers. One such example is fault-tree analysis. While fault-tree analysis is an important hazard analysis/verification activity, the current process of translating design details (e.g., system level and software level) is manual. Current experience indicates that fault tree analysis involves both creative deductive thinking and more mechanical steps, which typically involve instantiating gates and events in fault trees following fixed patterns. Specifically for software fault tree analysis, a number of the development steps typically involve instantiating fixed patterns of gates and events based upon the structure of the code. In this work, we investigate a methodology to translate software programs to fault trees. In particular we investigate software architectures for dual-path safety checking. Dual-path checking is used to verify computations; a primary chain of functions computes the desired variable, and a secondary chain of functions computes an approximation of the desired variable. The end results of the two paths are compared. If the computed values are within a certain tolerable range of each other, then the computation of the primary path is accepted. If the computed values are out of the tolerable range, then an error is indicated, and an error handler is invoked. For dual-path checking to function as intended, one needs to identify any common cause failures resulting from the dependencies on a shared variable across the two paths, and mitigate the risk of failures for those variables. In this paper, we focus on detecting safety-critical variables for dual path implementations using fault trees. The work discusses different issues in dual path checks and possible templates that can be used to generate fault trees for dual paths.