a) Briefly describe the main stages involved in a Failure Modes, Effects and Criticality Analysis (FMECA) analysis.
b) FMECA can be used to calculate Risk Priority Numbers which are given as the product of the severity index, the occurence index and the detection index. What are the main limitations and dangers in using this approach to hazard analysis?
c) You have been asked to devise a functional block diagram for a replacement to the London Ambulance Service dispatch system. Briefly sketch a high-level view of this diagram and make an initial list of pos sible failure modes for at least three of the components.
a) Compare and contrast at least three different definitions of workload.
b) Briefly explain why Crew Resource Management techniques must explicitly consider the problems created by poor situation awareness.
c) Explain why Crew Resource Management techniques are likely to be insufficient guarantors of situation awareness and optimal workload during the day to day operation of any of the safety-critical systems that have been introduced during this course.
a) Briefy explain why an appropriate and effective hardware management plan can have a significant impact on the acquisition of a safety-critical software system.
b) How does multilevel, triple modular redundancy remove a single point of failure from a standard TMR safety-critical system architecture.
c) NASA's technical summary of the orbiter guidance and control systems contains the following passage:
"Each computer in a redundant set operates in synchronized steps and cross-checks results of processing about 440 times per second. Synchronization refers to the software scheme used to ensure simultaneous intercomputer communications of necessary GPC status information among the primary avionics computers. If a GPC operating in a redundant set fails to meet two redundant synchronization codes in a row, the remaining computers will vote it out of the redundant set. Or if a GPC has a problem with its multiplexer interface adapter receiver during two successive reads of response data and does not receive any data while the other members of the redundant set do not receive the data, they in turn will vote the GPC out of the set. A failed GPC is halted as soon as possible"
Explain why this approach provides a high degree of assurance in such a safety-critical application.
Explain the reasons for AND against the introduction of COTS products into safety critical systems. What techniques can be used to improve the safety of systems that make use of such products.
Here are the sample solutions for this paper.