Posted: 2010-05-10 19:43  Source: 蓝天飞行翻译  Author: admin
be independently audited.
·  Desk audits, peer reviews, static and dynamic analysis tools and techniques, and debugging tools should be used to verify implementation of identified safety-critical computing system functions.
System Design Requirements and Guidelines
The following system design requirements and guidelines should apply:
·  The CST system should have at least one safe state identified for each operation phase.
·  Software should return hardware systems under the control of software to a designed safe state when unsafe conditions are detected.
·  Where practical, safety-critical functions should be performed on a standalone computer. If this is not practical, safety-critical functions should be isolated to the maximum extent practical from non-critical functions.
·  The CST system and its software should be designed for ease of maintenance by personnel not associated with the original design team.
·  The software should be designed to detect safety-critical failures in external hardware input or output devices and revert to a safe state upon their occurrence.
·  The software should make provisions for logging all system errors detected.
·  Software control of safety-critical functions should have feedback mechanisms that give positive indications of the function’s occurrence.
·  The system and software should be designed to ensure that design safety requirements are not violated under peak load conditions.
·  The applicant should clearly identify an overall policy for error handling. Specific error detection and recovery situations should be identified.
·  When redundancy is used to reduce the vulnerability of a software system to a single mechanical or logic failure, the additional failure modes introduced by the redundancy scheme should be identified and mitigated.
·  The CST system should be designed to ensure that the system is in a safe state during power-up.
FAA System Safety Handbook, Chapter 13: Launch Safety
December 30, 2000
13-28
·  The CST system should not enter an unsafe or hazardous state after an intermittent power transient or fluctuation.
·  The CST system should gracefully degrade to a secondary mode of operation or shut down in the event of a total power loss so that potentially unsafe states are not created.
·  The CST system should be designed such that a failure of the primary control computer will be detected and the CST system returned to a safe state.
·  The software should be designed to perform a system-level check at power-up to verify that the system is safe and functioning properly prior to application of power to safety-critical functions.
·  When read-only memories are used, positive measures, such as operational software instructions, should be taken to ensure that the data is not corrupted or destroyed.
·  Periodic checks of memory, instruction, and data bus(es) should be performed.
·  Fault detection and isolation programs should be written for safety-critical subsystems of the computing system.
·  Operational checks of testable safety-critical system elements should be made immediately prior to performance of a related safety-critical operation.
·  The software should be designed to prevent unauthorized system or subsystem interaction from initiating or sustaining a safety-critical sequence.
·  The system design should prevent unauthorized or inadvertent access to or modification of the software and object code.
·  The executive program or operating system should ensure the integrity of data or programs loaded into memory prior to their execution.
·  The executive program or operating system should ensure the integrity of data and programs during operational reconfiguration.
·  Safety-critical computing system functions and their interfaces to safety-critical hardware should be controlled at all times. The interfaces should be monitored to ensure that erroneous or spurious data does not adversely affect the system, that interface failures are detected, and that the state of the interface is safe during power-up, power fluctuations and interruptions, and in the event of system errors or hardware failure.
·  Safety-critical operator display legends and other interface functions should be clear, concise and unambiguous and, where possible, be duplicated using separate display devices.
·  The software should be capable of detecting improper operator entries or sequences of entries
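Several of the guidelines above (a designated safe state, a system-level check at power-up before power reaches safety-critical functions, positive measures that read-only memory is intact, periodic memory checks, detection of primary control computer failure, logging of every detected error, positive feedback on commanded functions, and rejection of improper command sequences) can be shown together in a small controller model. The following is an added example written for this page; it is not code from the FAA handbook or from any CST applicant. The controller structure, the tick-based timing, the heartbeat timeout, the ROM image and every name in it are hypothetical and constructed for illustration.

```c
/* Added example (not from the FAA handbook): a small model of a CST controller applying the
 * guidelines above. All names, tick values and the ROM image are hypothetical/constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROM_BYTES 32
#define HEARTBEAT_TIMEOUT 3  /* ticks without a primary-computer heartbeat before safing */
#define ROM_CHECK_PERIOD 10  /* ticks between periodic read-only memory checks */
#define LOG_CAP 16
enum state { ST_SAFE = 0, ST_ARMED, ST_FIRING };
enum cmd   { CMD_SAFE, CMD_ARM, CMD_FIRE };
enum err   { ERR_NONE = 0, ERR_ROM_CRC, ERR_IO_FAULT, ERR_HEARTBEAT, ERR_BAD_SEQUENCE };
struct rom { uint8_t data[ROM_BYTES]; uint32_t crc; };   /* image sealed with its CRC */
struct ctl {
    enum state st;
    bool outputs_powered;     /* power applied to safety-critical outputs */
    uint32_t last_heartbeat;  /* tick of the last heartbeat from the primary control computer */
    uint32_t last_rom_check;
    const struct rom *rom;
    enum err log[LOG_CAP];    /* every detected error is recorded here */
    int nlog;
};

/* CRC-32 (IEEE polynomial, reflected form) over the ROM payload. */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Load-time step (a build/loading tool's job): seal the image. Run-time step: verify it. */
void rom_seal(struct rom *r) { r->crc = crc32(r->data, ROM_BYTES); }
bool rom_verify(const struct rom *r) { return crc32(r->data, ROM_BYTES) == r->crc; }

static void log_err(struct ctl *c, enum err e) { if (c->nlog < LOG_CAP) c->log[c->nlog++] = e; }
enum err ctl_last_error(const struct ctl *c) { return c->nlog ? c->log[c->nlog - 1] : ERR_NONE; }

/* Designated safe state on any detected fault: sequence reset, outputs de-energised, fault logged. */
static void fault_to_safe(struct ctl *c, enum err why) {
    c->st = ST_SAFE;
    c->outputs_powered = false;
    log_err(c, why);
}

/* Power-up: stay in the safe state and run a system-level check (ROM integrity, I/O self-test)
 * before applying power to safety-critical outputs. */
bool ctl_power_up(struct ctl *c, const struct rom *rom, bool io_selftest_ok, uint32_t now) {
    memset(c, 0, sizeof *c);          /* ST_SAFE, outputs off, empty log */
    c->rom = rom;
    c->last_heartbeat = c->last_rom_check = now;
    if (!rom_verify(rom)) { log_err(c, ERR_ROM_CRC);  return false; }
    if (!io_selftest_ok)  { log_err(c, ERR_IO_FAULT); return false; }
    c->outputs_powered = true;
    return true;
}
void ctl_heartbeat(struct ctl *c, uint32_t now) { c->last_heartbeat = now; }

/* Periodic supervision: watchdog on the primary control computer plus a ROM re-check. */
enum state ctl_tick(struct ctl *c, uint32_t now) {
    if (now - c->last_heartbeat > HEARTBEAT_TIMEOUT) fault_to_safe(c, ERR_HEARTBEAT);
    if (now - c->last_rom_check >= ROM_CHECK_PERIOD) {
        c->last_rom_check = now;
        if (!rom_verify(c->rom)) fault_to_safe(c, ERR_ROM_CRC);
    }
    return c->st;
}

/* Operator/primary-computer command. Returns true only when the commanded transition actually
 * happened (positive indication). Out-of-sequence commands, and any arming while outputs are
 * de-energised after a fault, are rejected and logged. Safing is always accepted. */
bool ctl_command(struct ctl *c, enum cmd k) {
    if (k == CMD_SAFE) { c->st = ST_SAFE; return true; }
    if (c->outputs_powered && k == CMD_ARM  && c->st == ST_SAFE)  { c->st = ST_ARMED;  return true; }
    if (c->outputs_powered && k == CMD_FIRE && c->st == ST_ARMED) { c->st = ST_FIRING; return true; }
    log_err(c, ERR_BAD_SEQUENCE);
    return false;
}

/* Constructed scenarios; returns how many of the 8 expectations held (8 when all behave). */
int scenario_checks_passed(void) {
    struct rom r; struct ctl c; int ok = 0;
    for (int i = 0; i < ROM_BYTES; i++) r.data[i] = (uint8_t)(i * 7 + 3);   /* constructed image */
    rom_seal(&r);
    ok += ctl_power_up(&c, &r, true, 0) && c.outputs_powered;                     /* clean power-up */
    ok += !ctl_command(&c, CMD_FIRE) && ctl_last_error(&c) == ERR_BAD_SEQUENCE;   /* FIRE before ARM */
    ok += ctl_command(&c, CMD_ARM) && c.st == ST_ARMED;                            /* proper sequence */
    ctl_heartbeat(&c, 1);
    ok += ctl_tick(&c, 6) == ST_SAFE && ctl_last_error(&c) == ERR_HEARTBEAT;       /* heartbeat lost */
    ok += !ctl_command(&c, CMD_ARM) && !c.outputs_powered;                         /* stays safe */
    ok += ctl_power_up(&c, &r, true, 0) && ctl_command(&c, CMD_ARM);               /* fresh power-up */
    r.data[5] ^= 0x01;                                                             /* ROM corruption */
    ctl_heartbeat(&c, 9);
    ok += ctl_tick(&c, 10) == ST_SAFE && ctl_last_error(&c) == ERR_ROM_CRC;        /* periodic check */
    ok += !ctl_power_up(&c, &r, true, 0) && !c.outputs_powered;                    /* power-up refused */
    return ok;
}
int main(void) { printf("scenario checks passed: %d/8\n", scenario_checks_passed()); return 0; }
```

Two design points worth noting. The CRC seal is computed once at load time and only verified at run time, so the controller never recomputes what it is supposed to trust; in a real system the stored value would live in a separately protected location rather than beside the image. And after any detected fault the controller refuses to re-arm until a fresh power-up self-test passes, which is what "revert to a safe state" means in practice: a safe state that can be left by an ordinary command is not a safe state.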
Link to this article: System Safety Handbook (Part 1) (45)