Time: 2010-05-10 19:53 Source: 蓝天飞行翻译 Author: admin
different from the one with the function being monitored.
Override commands shall require multiple operator actions.
Software shall process the necessary commands within the time to criticality of a hazardous event.
Hazardous commands shall only be issued by the controlling application, or by authorized ground personnel.
FAA System Safety Handbook, Appendix J: Software Safety
December 30, 2000
J-8
Software that executes hazardous commands shall notify ground personnel upon execution or provide the
reason for failure to execute a hazardous command.
Prerequisite conditions (e.g., correct mode, correct configuration, component availability, proper sequence,
and parameters in range) for the safe execution of an identified hazardous command shall be met before
execution.
In the event that prerequisite conditions have not been met, the software shall reject the command and alert
the ground personnel.
Software shall make available status of all software controllable inhibits to the ground personnel.
Software shall accept and process ground personnel commands to activate/deactivate software
controllable inhibits.
Software shall provide an independent and unique command to control each software controllable inhibit.
Software shall incorporate the capability to identify and report the status of each software inhibit associated
with hazardous commands.
Software shall make available current status on software inhibits associated with hazardous commands to the
ground personnel.
All software inhibits associated with a hazardous command shall have a unique identifier.
Each software inhibit command associated with a hazardous command shall be consistently identified using
the rules and legal values.
If an automated sequence is already running when a software inhibit associated with a hazardous command is
activated, the sequence shall complete before the software inhibit is executed.
Software shall have the ability to resume control of an inhibited operation after deactivation of a software
inhibit associated with a hazardous command.
The state of software inhibits shall remain unchanged after the execution of an override.
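The inhibit and hazardous-command requirements above describe a gate that is easy to get subtly wrong (an inhibit that flips mid-sequence, an override that silently clears an inhibit, an unregistered inhibit treated as "off"). The following is an added illustration, not code from the handbook or any FAA system, of how those rules compose: prerequisites (mode, component availability, parameters in range) are checked before execution, a failed check rejects the command and raises an alert to ground personnel, every inhibit has a unique identifier and a reportable status, an inhibit activation requested while an automated sequence is running is applied only after the sequence completes, and an override bypasses inhibits for one execution without changing their state. All class, field and identifier names (for example `INH-THRUSTER-FIRE`) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class SystemState:                  # what the gate checks; fields constructed for the example
    mode: str
    available: Set[str]             # components currently reported available
    sequence_running: bool = False  # an automated sequence is in progress

@dataclass
class HazardousCommand:
    name: str
    required_mode: str
    required_components: Set[str]
    param_ranges: Dict[str, Tuple[float, float]]  # inclusive legal range per parameter
    inhibit_ids: List[str]                         # inhibits that must be inactive to execute
    action: Callable[[Dict[str, float]], None]

class HazardousCommandGate:
    def __init__(self, state: SystemState):
        self.state = state
        self.inhibits: Dict[str, bool] = {}         # inhibit id -> active (blocking)?
        self.deferred_activations: List[str] = []  # activations waiting for a sequence to end
        self.ground_alerts: List[str] = []          # messages routed to ground personnel

    def register_inhibit(self, ident: str) -> None:
        if ident in self.inhibits:  # identifiers must be unique
            raise ValueError(f"duplicate inhibit identifier: {ident}")
        self.inhibits[ident] = True  # inhibits start active

    def inhibit_status(self) -> Dict[str, bool]:
        return dict(self.inhibits)  # status of every inhibit, as reported to ground personnel

    def set_inhibit(self, ident: str, active: bool) -> None:
        """One independent command per inhibit. Activation is deferred while an automated
        sequence is running, so the sequence completes before the inhibit takes effect."""
        if ident not in self.inhibits:
            raise KeyError(f"unknown inhibit: {ident}")
        if active and self.state.sequence_running:
            self.deferred_activations.append(ident)
            return
        self.inhibits[ident] = active

    def sequence_completed(self) -> None:
        self.state.sequence_running = False  # sequence finished: apply deferred activations
        for ident in self.deferred_activations:
            self.inhibits[ident] = True
        self.deferred_activations.clear()

    def unmet_prerequisites(self, cmd: HazardousCommand, params: Dict[str, float]) -> List[str]:
        reasons = []
        if self.state.mode != cmd.required_mode:
            reasons.append(f"mode {self.state.mode}, requires {cmd.required_mode}")
        missing = cmd.required_components - self.state.available
        if missing:
            reasons.append(f"components unavailable: {sorted(missing)}")
        for name, (lo, hi) in cmd.param_ranges.items():
            if name not in params or not lo <= params[name] <= hi:
                reasons.append(f"parameter {name} missing or outside [{lo}, {hi}]")
        return reasons

    def execute(self, cmd: HazardousCommand, params: Dict[str, float],
                override: bool = False) -> Tuple[bool, List[str]]:
        """Run only if prerequisites hold and no associated inhibit is active. An override
        bypasses the inhibits for this execution only; their state is left unchanged."""
        reasons = self.unmet_prerequisites(cmd, params)
        if not override:  # an inhibit that was never registered counts as active (fail closed)
            active = [i for i in cmd.inhibit_ids if self.inhibits.get(i, True)]
            if active:
                reasons.append(f"inhibits active: {active}")
        if reasons:  # reject and alert ground personnel with the reason
            self.ground_alerts.append(f"REJECTED {cmd.name}: " + "; ".join(reasons))
            return False, reasons
        cmd.action(params)
        self.ground_alerts.append(f"EXECUTED {cmd.name} {params}")
        return True, []

def demo() -> dict:
    """Constructed scenario: a thruster-fire command guarded by one inhibit."""
    fired: List[float] = []
    state = SystemState("CRUISE", {"thruster_a"})
    cmd = HazardousCommand("THRUSTER_FIRE", "CRUISE", {"thruster_a"}, {"duration_s": (0.0, 5.0)},
                           ["INH-THRUSTER-FIRE"], lambda p: fired.append(p["duration_s"]))
    gate = HazardousCommandGate(state)
    gate.register_inhibit("INH-THRUSTER-FIRE")
    blocked = gate.execute(cmd, {"duration_s": 2.0})                    # inhibit active
    overridden = gate.execute(cmd, {"duration_s": 2.0}, override=True)  # runs, inhibit untouched
    still_active = gate.inhibit_status()["INH-THRUSTER-FIRE"]
    state.sequence_running = True
    gate.set_inhibit("INH-THRUSTER-FIRE", False)                        # deactivation is immediate
    allowed = gate.execute(cmd, {"duration_s": 2.0})
    bad_param = gate.execute(cmd, {"duration_s": 9.0})                  # out of range
    gate.set_inhibit("INH-THRUSTER-FIRE", True)                         # deferred: sequence running
    deferred = gate.inhibit_status()["INH-THRUSTER-FIRE"]
    gate.sequence_completed()
    return {"blocked": blocked, "overridden": overridden, "still_active": still_active,
            "allowed": allowed, "bad_param": bad_param, "deferred": deferred, "fired": fired,
            "applied": gate.inhibit_status()["INH-THRUSTER-FIRE"], "alerts": gate.ground_alerts}
```

The fail-closed default in `execute` is the design choice worth noting: a command that names an inhibit the gate has never heard of is refused rather than allowed, so a configuration mismatch between command tables and inhibit tables surfaces as a rejection with an alert instead of an unguarded hazardous action. The override path requires no separate operator-action count here; the handbook's "multiple operator actions" rule for overrides would sit in front of this gate.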
Software shall provide error handling to support safety critical functions.
Software shall provide caution and warning status to the ground personnel.
Software shall provide for ground personnel forced execution of any automatic safing, isolation, or
switchover functions.
Software shall provide for ground personnel forced termination of any automatic safing, isolation, or
switchover functions.
Software shall provide processing of ground personnel commands to return to the previous mode or
configuration of any automatic safing, isolation, or switchover function.
Software shall provide for ground personnel forced override of any automatic safing, isolation, or switchover
functions.
Software shall provide fault containment mechanisms to prevent error propagation across replaceable unit
interfaces.
Software (including firmware) Power On Self Test (POST) utilized within any replaceable unit or component
shall be confined to that single system process controlled by the replaceable unit or component.
Software (including firmware) POST utilized within any replaceable unit or component shall terminate in a
safe state.
Software shall initialize, start, and restart replaceable units to a safe state.
For systems solely using software for hazard risk mitigation, software shall require two independent
command messages for a commanded system action that could result in a critical or catastrophic hazard.
Software shall require two independent operator actions to initiate or terminate a system function
that could result in a critical hazard.
Software shall require three independent operator actions to initiate or terminate a system function that could
result in a catastrophic hazard.
Operational software functions shall allow only authorized access.
Software shall provide proper sequencing (including timing) of safety critical commands.
Software termination shall result in a safe system state.
In the event of hardware failure, software faults that lead to system failures, or when the software detects a
configuration inconsistent with the current mode of operation, the software shall have the capability to place
the system into a safe state.
When the software is notified of or detects hardware failures, software faults that lead to system failures, or a
configuration inconsistent with the current mode of operation, the software shall notify the crew, ground
operators, or the controlling executive.
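The requirements for two or three independent operator actions scaled to hazard severity, authorized-only access to operational functions, and transition to a safe state with notification on a detected fault or mode/configuration inconsistency can be modelled together. The block below is an added example written for this page, not handbook or FAA code; it assumes that "independent" means a different operator at a different station (a constructed interpretation), that the authorized-operator list and station names are constructed inputs, and that a safing transition discards partially collected action sets so a hazardous function cannot complete from stale confirmations after the system has been safed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple

class Hazard(Enum):
    CRITICAL = 2       # two independent operator actions required
    CATASTROPHIC = 3   # three independent operator actions required

@dataclass(frozen=True)
class OperatorAction:
    operator_id: str   # who acted
    station: str       # which console; part of the constructed notion of "independent"

class SafetyCriticalController:
    """Collects independent operator actions before initiating or terminating a hazardous
    function, and drops to a safe state when a fault or mode/config mismatch is reported."""

    def __init__(self, authorized: Set[str]):
        self.authorized = authorized                        # operational functions: authorized access only
        self.pending: Dict[str, List[OperatorAction]] = {}  # function -> actions collected so far
        self.mode = "NOMINAL"
        self.notifications: List[str] = []                  # to crew / ground / controlling executive

    def operator_action(self, function: str, hazard: Hazard, act: OperatorAction) -> Tuple[str, int]:
        """Record one action toward `function`; returns (status, actions still needed)."""
        needed = hazard.value
        if self.mode == "SAFE":
            return "REFUSED_SAFE_STATE", needed
        if act.operator_id not in self.authorized:
            self.notifications.append(f"unauthorized action on {function} by {act.operator_id}")
            return "REFUSED_UNAUTHORIZED", needed - len(self.pending.get(function, []))
        acts = self.pending.setdefault(function, [])
        # independence: a repeat from the same operator or the same station does not count
        if any(a.operator_id == act.operator_id or a.station == act.station for a in acts):
            return "NOT_INDEPENDENT", needed - len(acts)
        acts.append(act)
        if len(acts) < needed:
            return "PENDING", needed - len(acts)
        del self.pending[function]
        self.notifications.append(f"{function} initiated after {needed} independent actions")
        return "INITIATED", 0

    def fault_detected(self, description: str) -> str:
        """Hardware failure, software fault, or configuration inconsistent with the mode:
        place the system in a safe state, discard partial action sets, and notify."""
        self.mode = "SAFE"
        self.pending.clear()
        self.notifications.append(f"SAFING: {description}")
        return self.mode

def demo() -> dict:
    """Constructed scenario: three authorized operators, one unknown operator id."""
    ctl = SafetyCriticalController(authorized={"op-1", "op-2", "op-3"})
    a1 = OperatorAction("op-1", "console-A")
    a1_again = OperatorAction("op-1", "console-B")    # same operator, different console
    a2 = OperatorAction("op-2", "console-B")
    a3 = OperatorAction("op-3", "console-C")
    unknown = OperatorAction("op-9", "console-A")
    critical = [ctl.operator_action("VALVE_OPEN", Hazard.CRITICAL, a) for a in (a1, a1_again, a2)]
    catastrophic = [ctl.operator_action("PYRO_FIRE", Hazard.CATASTROPHIC, a) for a in (unknown, a1, a2)]
    safe_mode = ctl.fault_detected("config inconsistent with mode NOMINAL")
    after_safing = ctl.operator_action("PYRO_FIRE", Hazard.CATASTROPHIC, a3)
    return {"critical": critical, "catastrophic": catastrophic, "safe_mode": safe_mode,
            "after_safing": after_safing, "pending": dict(ctl.pending),
            "notifications": ctl.notifications}
```

In the constructed run, the critical function completes after two independent actions (the repeat from `op-1` at a second console is not counted), the catastrophic function is still one action short when the fault is reported, and the safing transition clears that partial set, so the third action afterwards is refused rather than completing a pyrotechnic command from a pre-fault context.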
Hazardous processes and safing processes with a time to criticality such that timely human intervention may
 
中国航空网 www.aero.cn
航空翻译 www.aviation.cn
Article: System Safety Handbook (Part 2) (130)