Presentation for experienced Software Engineers about developping highly reliable and safety critical complex embedded systems.

1. Betrouwbare Software Praktijkervaringen met het maken van betrouwbare software Jaap van Ekris

4. Mijn domein: Safety Critical Systems

5. Extended ISO 9126 - Quint

7. Hulpmiddelen: Quintworkshop Het eisen van productkwaliteit

11. Customized process: SIL-Levels On-Demand Continuous Operation SIL-1 10 -1 /incident 10 -6 /uur SIL-2 10 -2 /incident 10 -7 /uur SIL-3 10 -3 /incident 10 -8 /uur SIL-4 10 -4 /incident 10 -9 /uur

15. De risico-analyse

18. Redundantie! Hoogtebepaling Aansturing Hoogtemeting Waterkering Diesels Meet a Meet b Stuur a Stuur b Info

19. Faalkansen Info Hoogtebepaling Aansturing Hoogtemeting Waterkering Diesels Meet a Meet b Stuur a Stuur b Schakelfouten Kans: (10 -6 ) 2 + (10 -6 ) 2 Meetfouten Kans: (10 -6 ) 3 Meter kapot Kans: (10 -5 ) 3 Kabelbreuk Kans: (10 -8 ) 12 Kabelbreuk Kans: (10 -8 ) 4 Kabelbreuk Kans: 3 * (10 -8 ) 2 Schakelfouten Kans: 10 -2

20. Een patroon Stuur x WD Stuur X :: Functionaliteit StuurX::Diagnose Info Meet a Meet b Diesels Kering Voortgang Functionaliteit Voortgang Diagnose Controle Functionaliteit

25. Stuur x : Zonder redundantie StartD W_O_D Sluit b Wacht Init Not Sluit a EN Not Sluit b Sluit a SluitA SluitB Geen waterstand “ Ready” van Diesels Sluit_? “ Sluitt” naar Kering Finished Failed “ Start” naar Diesels

26. StartD2 Stuur b “ OK” StartD StartD1 “ Start_D” naar Stuur b W_O_D Stuur b > 1 minuut StartD1’ Stuur b geeft “Start_D” “ OK” naar Stuur b “ Sent” StartD3 “ Sent” naar Stuur b “ Start” naar Diesels Init2 Init1 “ Init” naar Stuur b > 1 minuut “ Wacht” Init “ Stuur b “ StartD” W_O_D1 “ Ready” via Stuur b “ Ready” van Diesels “ Ready” naar Stuur b Sluit2 Stuur b “ OK” Sluit_? Sluit1 “ SluitS” naar Stuur b Stuur b > 1 minuut Sluit1’ Stuur b geeft “Sluit” “ Sent” Sluit3 “ SentS” naar Stuur b “ Sluitt” naar Kering Finished Waterstanda < 3 meter EN Waterstandb < 3 meter Failed “ OKS” naar Stuur b StartD4 > 1 minuut “ Sent” van Stuur b Sluit4 “ Sent” van Stuur b Sluit b Wacht Not Sluit a EN Not Sluit b Sluit a SluitA SluitB Geen waterstand Stuur x : Met redundantie

29. Een gedetailleerde specificatie W_O_D IN: Ready_Diesels Ready_StuurB While (NOT Ready_Diesels OR Ready_StuurB){ Wait(1 second) } W_O_D1

38. Maar je kunt niet alles van te voren weten……. Microsoft server crash nearly causes 800-plane pile-up Failure to restart system after 30 days caused data overload. A major breakdown in Southern California's air traffic control system last week was partly due to a &quot;design anomaly&quot; in the way Microsoft Windows servers were integrated into the system, according to a report in the Los Angeles Times. The radio system shutdown, which lasted more than three hours, left 800 planes in the air without contact to air traffic control, and led to at least five cases where planes came too close to one another, according to comments by the Federal Aviation Administration reported in the LA Times and The New York Times. Air traffic controllers were reduced to using personal mobile phones to pass on warnings to controllers at other facilities, and watched close calls without being able to alert pilots, according to the LA Times report. The failure was ultimately down to a combination of human error and a design glitch in the Windows servers brought in over the past three years to replace the radio system's original Unix servers, according to the FAA. The servers are timed to shut down after 49.7 days of use in order to prevent a data overload, a union official told the LA Times. To avoid this automatic shutdown, technicians are required to restart the system manually every 30 days. An improperly trained employee failed to reset the system, leading it to shut down without warning, the official said. Backup systems failed because of a software failure, according to a report in The New York Times. The contract for designing the system, called Voice Switching and Control System (VSCS), was awarded to Harris Corporation in 1992 and the system was installed in the late 1990s, initially using Unix servers, according to Harris. In 2001, the company completed testing of the VSCS Control Subsystem Upgrade (VCSU), which replaced the original servers with off-the-shelf Dell hardware running Microsoft Windows 2000 Advanced Server. The upgrade was installed in California last year, according to the FAA. Soon after installation, however, the FAA discovered that the system design could lead to a radio system shutdown, and put the maintenance procedure into place as a workaround, the LA Times said. The FAA reportedly said it has been working on a permanent fix but has only eliminated the problem in Seattle. The FAA is now planning to institute a second workaround - an alert that will warn controllers well before the software shuts down. The shutdown is intended to keep the system from becoming overloaded with data and potentially giving controllers wrong information about flights, according to a software analyst cited by the LA Times. Microsoft told Techworld it was aware of the reports but was not immediately able to comment.