Yet the standards fall back
Yet, the standards fall back on the development process with justification. As shown by Littlewood and Strigini (1993), the extent to which the reliability of software (both OTS and bespoke) can be proved by testing is severely limited––not because appropriate tests cannot be devised, but because adequate testing cannot be carried out in cost-effective time. Thus, proponents of the standards argue that development-process evidence is an essential (though not always sufficient) part of any safety justification. There is also a precautionary principle argument: if safety cannot be demonstrated, it should not be assumed––and this leads to the rejection of reliance on product evaluation because of the intractability of the task.
It has also been suggested that purchasers are reluctant to meet the costs of applying the processes mandated by IEC 61508 and MOD 00-55 (MOD, 1997) for the higher SILs. If this is the case, it will be difficult for regulators to enforce them. It will be interesting to monitor this issue as experience of use of the standards grows.
We need a convention for the provision of evidence There is also the need for evidence to support claims that a supplier makes about software, for example that it is of a given SIL. There are many possible interpretations of such claims (Redmill, 2000), so a convention would need to embrace both definition and evidence.
Introduction The increasing popularity of commercial-off-the-shelves (COTS) in modern small satellites, such as pico- and nano-satellites, calls for the high reliability within the limits of low cost and weight. Due to the lack of ML347 mg hardened schemes of COTS components, radiation in aerospace environment like highly energized solar particles, photons, and electrons may cause transient and permanent errors in both software and hardware of COTS-based satellites. Among these radiation effects, the single event upset (SEU) effect caused by highly energized particles has been proven as one of the major threats to the space borne semiconductor devices and their host satellites. SEU results in bit flips in memory cells, registers, or flip-flops. Bit flips may introduce transient errors in both data and control flows. Data errors may cause unexpected results, while control flow errors (CFEs) are generally more serious than data errors since they can cause the program jump to unexpected locations and lead to unpredictable behavior and system crashes, which are security breaches of satellites. Additionally, experiments show that 33–77% (depending on the type of the processor) of SEU-induced errors are CFEs.4, 5 Therefore, to improve the reliability and security of small satellites, fault tolerant techniques are necessary for detecting and blocking CFEs before damages occur. Several fault tolerant techniques for detecting and blocking CFEs have been reported, which would fall into two categories: hardware redundancy and control flow checking (CFC). Furthermore, CFC techniques can be classified into hardware-based and software-based according to the implementation. In general, hardware redundancy techniques employ two or more identical processors to execute the same programs and detect CFEs (along with other errors) by comparing their outputs. Hardware redundancy techniques have a better fault tolerant capability and lower time overhead but impose higher cost, weight and complexity so that cytoplasm are viable for large satellites but infeasible for small satellites due to the strict containment of their cost and weight. The general approach adopted by CFC techniques is to divide the source code into basic blocks (a block with no branching instructions except the last one, which is described in Section 2.1) and insert extra instructions to check the control flows running inside blocks and between them. CFEs analyzed by CFC techniques are classified into three categories: CFC techniques aim to detect all the categories of CFEs with low time and memory overhead. Hardware-based CFC techniques conform to this demand but impose external devices or hardware modification. For example, an approach called control flow checking using execution tracing (CFCET) employed an external watchdog processor (a coprocessor attached to the main processor via the address bus) to trace the execution of the target program in the main processor, detected CFEs by validating each branching address. A hardware assisted preemptive CFC method modified the processors to insert extra checking instructions for detecting CFEs. Compared to hardware redundancy, hardware-based CFC techniques are cheaper due to the lower complexity of watchdog processors and hardware modification. They have good CFE detection rates but are unsuitable for the circumstance that hardware changes are not permitted. Moreover, watchdog processors are difficult to be attached to modern processors whose address buses are internal, processors modification are also infeasible because most modern COTS processors are close-sourced. Therefore, hardware-based CFC techniques are unfit for small satellites.