Assurance of safety-related applications on a COTS platform

摘要

Many computer-based information systems act in an advisory manner, where an obvious failure can be tolerated, but a 'plausible but wrong' output is hazardous. It is also often necessary to support such safety-related applications on a COTS platform, as to the user it is simply another task to be performed and be used alongside other office automation tools. This paper looks at how 'fail-safe' applications can be implemented on a COTS platform with appropriate levels of assurance. The approach is based on monitoring software running in parallel with the actual application, providing a 'sanity check' on the outputs displayed. A significant issue is how to avoid 'common cause' or latent failures, such as the operating system failing to run the monitor. The approach is illustrated by a number of case studies: a military pilot's planning aide, an 'ATC-like' display and a critical document control.