Copyright Chris Johnson, 2003.
Xday, XX May 2003.

9.30 am - 11.15am

University of Glasgow




Answer 3 of the 4 questions.


1. a) Dijkstra argued that 'software testing can be used to demonstrate the presence of bugs, but never to show their absence'. Briefly explain the problems that this observation creates for the development of safety-critical systems.

[3 marks]

b) The Federal Aviation Administration recently released Notice 8110.89 'Guidelines for the Approval of Software Changes in Legacy Systems'. This document considers some of the problems that frustrate the use of Black Box testing to establish the reliability of modifications that are made to legacy systems. Give a number of reasons that might have motivated the FAA to issue this guidance.

[7 marks]

c) In August 2001, the German Air Traffic Control Authorities (DFS) decided to migrate their existing graphical display software onto a new hardware platform. These display devices provide resolutions that are beyond most commercially available hardware and that are far better than was available to the original programmers of the Controllers' user interface. Briefly explain why it can be difficult to use white box testing techniques in the verification of such safety-critical legacy systems.

[10 marks]



2. a) The German car manufacturer AUDI AG operate a Linux cluster of 52 Pentium III dual-processor nodes and 24 Pentium 4 processor single nodes to drive car accident simulation software. This architecture is currently being upgraded to include an additional 64 dual nodes based on the Intel Xeon processor. The system includes 57GB RAM, 10 terabytes of hard-disk storage and relatively Fast Ethernet switches (100 Mbit/s). What problems might you expect from the development of accident simulation software to run on this platform?

[3 marks]

b) Most recent cars rely upon Controller Area Network (CAN) architectures for power train functions, chassis control and passive safety devices, such as airbags. These systems typically rely upon a single dedicated wiring loom for each application. CAN is not, however, used for primary safety functions, including steering and braking. Suggest reasons why it is not widely used for primary safety functions.

[5 marks]

c) The FlexRay system is being developed by BMW, DaimlerChrysler, Motorola and Philips Semiconductors. FlexRay is a standard for the development of safety-critical buses to support drive-by-wire, adaptive cruise control, collision avoidance and active suspension. FlexRay is based on what is known as a Time-Triggered Protocol. Critical applications are guaranteed access to the bus at predefined intervals; this is intended to support determinism for safety-critical functions. In addition to these static messages there are also ad hoc dynamic message segments. A global clock is used to synchronise this access to a shared bus. A "bus guardian" is used to prevent contention or flooding from pathological processes. Two channels are available and a scheduler is used to ensure that important messages are never blocked by less important signals. Use these components of the FlexRay architecture to devise a fault tolerant 2 out of 3 voting scheme for automotive applications.

[12 marks]


3. a) In 1997, Driver Reminder Appliances were introduced across the UK railways. These are intended to ensure that drivers do not start their trains when the signals are at 'red'. Drivers must remember to manually set Passive DRA systems by pushing down a button on top of their control system after the train comes to a halt. When set, the button illuminates red and disables the traction power. Pulling out the button resets the device and allows the driver to proceed. The idea is that the light and the action remind the driver to check that the signal allows them to continue. Briefly assess the effectiveness of this technique as a means of ensuring that drivers do not proceed beyond signals at 'red'.

[3 marks]

b) There are a number of situations in which it is dangerous to use passive DRA systems. For example, every driver is supposed to set the system when they enter the cab. This is intended to ensure that they check the signal before they leave the station. However, some drivers have set the DRA as they leave the cab. Hence, new drivers entering the cab may lack the intended reminder of setting the system. Further hazards can arise if drivers attempt to set the DRA while the train is in motion; the system can be abused as a form of braking mechanism. Procedures are specified in the drivers' rule book to guard against these problems. Briefly explain why rule violations and errors can result in drivers breaking these guidelines.

[6 marks]

c) QinetiQ were recently commissioned to examine the reasons why DRA systems fail to prevent drivers from starting when signals are at 'red'. In an initial questionnaire, 99% of drivers stated that they used the DRA according to the specified guidelines. However, only 30% of the forms were returned and doubts have been expressed about the reliability of the 99% response. Briefly describe how you would go about gaining additional insights into the reasons why DRA devices are not having their intended effect.

[11 marks]


4. Most recent Safety-Critical Software standards, including IEC 61508, exploit a risk equation, which is defined in terms of the product of the consequence and likelihood of hazards. What are the strengths and weaknesses of this approach to risk assessment?

[20 marks]