Vehicle ATC Safety Certification
MMF (Monitor Mode Field) Release

August 28, 2001

S.F. Bay Area Rapid Transit
Presentation Objective

- To demonstrate that the required analysis and testing have been completed to ensure safe operation of the VATC system with the design modified for Monitor Mode Field (MMF) operation

- To guide the CPUC through the suite of Certification Documents provided as evidence of safety compliance
Agenda

- Laying the Groundwork
- Safety Assurance Concepts (How can we claim it's safe?)
  – For the Baseline Design
  – For the MMF Release
- Verification and Validation Process/Documentation (What did we do to prove it's safe?)
- Summary
Laying the Groundwork

- What is the VATC?
- VATC Modifications for the AATC System
- What are the MMF and CMF Releases?
- Overview of the Documentation Package
What is the VATC?

(Diagram: the train control hierarchy, from Central down through Station Train Control and Trackside Train Control to the Vehicle ATC onboard equipment, which in turn interfaces with the Other Vehicle Subsystems)
What is the VATC?

(Diagram: the VATC computer takes Inputs from Station Train Control and from Vehicle Sensors, and drives Outputs to Station Train Control and to Other Vehicle Subsystems)
What is the VATC?

- Safety Critical Functions: implemented with design techniques that mitigate hazardous operation
- Non-Safety Critical Functions: implemented with special care
What is the VATC?

(Diagram of VATC functions and their interfaces)
- Inputs: Trackside Coverboards, Track Circuits, Onboard Sensors
- Functions: Vital Door Control, Vital Braking Control, Non-Vital Motion Control, Non-Vital Communications
- Outputs: Vehicle Door Relays, Onboard Propulsion/Brake Controller, Trackside Coverboards
- Vital control always over-rules non-vital control
VATC Is A Legacy System

Therefore, for the modified system:
 – The requirement to achieve an MTBH (mean time between hazards) of 250,000 years per unit still applies
 – The assumptions of the original design still hold
 – All functional requirements of the baseline system are still in place
VATC Modifications for the AATC System

(Diagram, built up over three slides, the last titled "VATC S/W Modifications for the AATC System": Existing Wayside Train Control and Existing Onboard Sensors feed the Baseline Functions, which drive the Vehicle Door Relays and the Onboard Propulsion/Brake Controller. The AATC Radio/ATIC supplies AATC Speed Commands to the New Functions and receives Vehicle Status back from them. AATC controls over-ride baseline controls.)
The MMF Release

(Same modification diagram, with each function block keyed by a legend: Safety Certified / Implemented but not certified)

The CMF Release

(Same modification diagram and the same legend: Safety Certified / Implemented but not certified)
Documentation Package Overview

  LETTERS
    Notice of Intent to Operate
    Memo from TSD to BART Safety
    Letter from Harmon to BART

  CERTIFICATE
    Verification of Test Readiness

  CONFIG. CONTROL
    VATC Equipment Configuration Sheet
    VATC S/W, Module Software Configuration

  SCP REQM'TS
    Safety Certification Plan Document List
Attachments

CERTIFIABLE ELEMENTS
1. Design Criteria Conformance
2. Specification Conformance Verification
3. Personnel Training Conformance Verification
4. Safety-Related Tests Verification
5. Hazard Identification and Resolution Verification
Elements 4 and 5

Element 4
  VATC Subsystem V&V Plan
  VATC Modifications V&V Report

Element 5
  QA Plan and Report
  Safety Assurance Concept
  Fault Tree Analysis
  Safety Assurance Concept Implementation Analysis
  FMEAs
  Audit Reports
Safety Assurance Concepts

- What do we mean by a Safety Assurance Concept?
- SACs for the baseline system
- SACs for the modified system
- Comparing the two
A Basic Truism For All Man-Made Systems

(Diagram: in any MAN-MADE SYSTEM, Things Fail and Humans Err, and the result is CORRUPT OPERATIONS)
What Do We Mean By a Safety Case?

(Diagram: Things Fail and Humans Err; the Safety Case stands between those failures and the outcome, so that HUMAN LIFE WILL NOT BE ENDANGERED)
Elements of Design and Implementation

(Diagram of the software life cycle, from design through implementation to operation)
- DESIGN: System Requirements -> Subsystem Requirements -> Software Module Requirements -> Pseudo Code
- TRANSLATION: Pseudo Code -> Assembly Code -> Hex Code
- IMPLEMENTATION: Hex Code -> EPROM Burner -> ROM (one Vital, one Non-Vital)
- OPERATION: Intel 8086 executing from ROM, with RAM for working storage
Opportunities for Corruption

(Same life-cycle diagram, annotated with where errors can enter)
- DESIGN ERROR: anywhere along the requirements and pseudo code chain
- TRANSLATION ERROR: in going from pseudo code to assembly and hex code
- IMPLEMENTATION ERROR: in burning the hex code into the Vital and Non-Vital ROMs
- RUN TIME ERROR: in the Intel 8086 and RAM while the code executes
Safety Assurance Concepts Required For the VATC Design

- Design Error
  – How do we provide assurances that errors are not made during the creative design phase?
- Translation Error
  – How do we ensure errors are not made during the systematic translation process?
- Implementation Error
  – How do we protect against errors made while transferring the implementation to the firmware?
- Run Time Error
  – How do we assure that hardware failures and errors in the non-vital code do not lead to hazardous operation?
Safety Assurance Concepts - Baseline System

(Life-cycle diagram from "Opportunities for Corruption", repeated to introduce the Design Error SAC)
SAC For S/W Design Errors - Baseline

- Highly modularized software segregating safety critical functions from non-safety critical functions
- Progressively structured software development process with disciplined verification of each step of the process

Westinghouse claim: all prudent and practical steps taken to reduce the risk of software errors causing a hazard to an acceptable level
Modular Software Development

(Diagram: the Requirements Book is decomposed into Module 1, Module 2, Module 3 and Module 4, each developed separately; a second build of the slide tags each module as Vital or Non-vital)

Execution Flow of Modular Software

(Diagram: control passes from module to module in sequence, Module 1 -> Module 2 -> Module 3 -> Module 4)
Monolithic Software Development

(Diagram: the Requirements Book is implemented as ONE LARGE SOFTWARE PROGRAM)

Execution Flow of Monolithic Software

(Diagram: control jumps around ONE LARGE SOFTWARE PROGRAM through GO TO statements)
Progressively Structured Design Validation

(Diagram: each design product is reviewed before the next step begins)
  Requirements Book -> PDR Document (Preliminary Design Review) -> SMRS (Software Design Review) -> Pseudo Code (Design Walk Throughs)
SAC for S/W Design Errors - Westinghouse Claim

By modular design and a progressively structured review process, all prudent and practical steps have been taken to eliminate software errors.

THEREFORE

The probability of the existence of an unsafe software design error is assumed to be zero.
Safety Assurance Concepts - Baseline System

(Life-cycle diagram from "Opportunities for Corruption", repeated to introduce the Translation Error SAC)
SAC for S/W Translation Errors

- Use of Assembly Language to reduce the risk of COTS Development Tool bugs
- Coding Standards developed and used during translation from Pseudo Code to Executable Code
- Unit testing on all vital software modules
Assembly Language vs. Higher Order Language

  High Order Language         Assembly Language    Machine Language (illustrative)
  IF X > Y THEN GO TO LABEL   MOV AX, X            10111000 11101101
                              CMP AX, Y            11001100 11100001
                              JG  LABEL            10101000

  High order language -> (Compiler) -> assembly language -> (Assembler) -> machine language
Coding Standards

- Guidelines for writing software modules
- Ensures uniformity across software modules
- Avoids common coding pitfalls
- Applies to, with separate standards for each:
  » SMRS
  » Pseudo Code
  » Source Code

Source code excerpt shown on the slide (structured if/then/else labels and block comments as the standard requires):

    ;-----------------------------------------------
    ; Check if clock time MSB is ready to roll over.
    ; (Greater than or equal to 0127h)
    ;-----------------------------------------------
    if_2:
        cmp CX, L622A_MAX_CLOCK_TIME_MSB
        jae else_2
    then_2:
    ;-----------------------------------------------
    ; Clock time MSB is not ready to roll over.
    ; If LSB just rolled over, simply increment
    ; the clock time MSB.
    ;-----------------------------------------------
    if_3:
        cmp BX, 0
        jne endif_3
    then_3:
        inc CX
    endif_3:
        jmp short endif_2
    else_2:
Unit Testing

- Performed on individual vital software modules that are either new or modified
- Test results verified that Min/Max/Zero input values produced expected results
- Test results verified that all branches in the module were executed

(Diagram: All possible Inputs -> Software Module -> All Outputs are Correct, All Branches Checked)
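The coding-standard excerpt and the unit-testing criteria on the two slides above can be tied together in one worked example. The C below is added here and is not code from the VATC or from Harmon/Westinghouse: it renders the slide's if_2/if_3 assembly structure as a C function (CX = clock MSB, BX = clock LSB, rollover limit 0127h) and then unit-tests it the way the slide describes, with Min/Max/Zero input vectors and expected outputs plus a check that every branch was executed. The body of the else_2 branch is not on the slide, so the rollover action (reset the MSB to zero) is an assumption, as are the test vector values and the function and constant names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constant from the slide's snippet: the clock MSB rolls over at 0127h. */
#define MAX_CLOCK_TIME_MSB 0x0127u

/* Branch markers, one per arm of the if_2/if_3 structure, used to verify
 * that a test set exercised every branch ("All Branches Checked"). */
enum { BR_ELSE2 = 1u, BR_THEN3 = 2u, BR_SKIP3 = 4u, BR_ALL = 7u };
static unsigned branch_hits;

typedef struct { uint16_t msb; uint16_t lsb; } clock_time_t;

/* C rendering of the assembly fragment: CX = clock MSB, BX = clock LSB.
 * Returns 1 when the MSB-rollover arm (else_2) is taken, else 0.
 * The body of else_2 is not on the slide; this example ASSUMES it
 * resets the MSB to zero. */
int clock_msb_update(clock_time_t *t)
{
    if (t->msb >= MAX_CLOCK_TIME_MSB) {   /* if_2: cmp CX, MAX ; jae else_2 */
        branch_hits |= BR_ELSE2;
        t->msb = 0;                       /* else_2 (assumed rollover action) */
        return 1;
    }
    if (t->lsb == 0) {                    /* if_3: cmp BX, 0 ; jne endif_3 */
        branch_hits |= BR_THEN3;
        t->msb++;                         /* then_3: inc CX */
    } else {
        branch_hits |= BR_SKIP3;          /* endif_3 reached without incrementing */
    }
    return 0;                             /* jmp short endif_2 */
}

/* Convenience wrapper for single-shot checks: MSB value after one update. */
uint16_t msb_after(uint16_t msb, uint16_t lsb)
{
    clock_time_t t = { msb, lsb };
    (void)clock_msb_update(&t);
    return t.msb;
}

/* Constructed test vectors covering Min/Max/Zero inputs and every branch. */
typedef struct { uint16_t msb_in, lsb_in, msb_out; int rolled; const char *why; } vector_t;
static const vector_t VECTORS[] = {
    { 0x0000, 0x0000, 0x0001, 0, "zero inputs: LSB just rolled, MSB increments" },
    { 0x0000, 0x0001, 0x0000, 0, "LSB non-zero: MSB unchanged" },
    { 0x0126, 0x0000, 0x0127, 0, "MSB reaches its max: no rollover yet" },
    { 0x0127, 0x0000, 0x0000, 1, "MSB at max: rollover arm taken" },
    { 0x0127, 0xFFFF, 0x0000, 1, "rollover does not depend on the LSB" },
    { 0xFFFF, 0xFFFF, 0x0000, 1, "max inputs: rollover arm taken" },
};

/* Runs every vector and returns the number of failures. Missing branch
 * coverage is counted as a failure, mirroring the slide's two criteria. */
int run_unit_tests(void)
{
    int failures = 0;
    branch_hits = 0;
    for (size_t i = 0; i < sizeof VECTORS / sizeof VECTORS[0]; i++) {
        clock_time_t t = { VECTORS[i].msb_in, VECTORS[i].lsb_in };
        int rolled = clock_msb_update(&t);
        if (t.msb != VECTORS[i].msb_out || rolled != VECTORS[i].rolled) {
            printf("FAIL: %s\n", VECTORS[i].why);
            failures++;
        }
    }
    if (branch_hits != BR_ALL) {
        printf("FAIL: branches not all executed (mask 0x%x)\n", branch_hits);
        failures++;
    }
    return failures;
}

unsigned branches_covered(void) { return branch_hits; }

int main(void)
{
    int failures = run_unit_tests();
    if (failures == 0)
        printf("all vectors passed; all branches executed\n");
    return failures;
}
```

Compile and run with any C compiler; a non-zero exit status means a vector produced a wrong result or a branch was never taken. Recording branch hits inside the function under test is the simplest way to get the coverage check, but the instrumentation must not be in the certified build: run coverage on the test build and re-check the expected outputs on the release image.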
Safety Assurance Concepts - Baseline System

(Life-cycle diagram from "Opportunities for Corruption", repeated to introduce the Implementation Error SAC)
Implementation

Hex Code -> EPROM

      Address   Data
      0000      0010 1111
      0001      0110 1100
      0002      0101 1100
      0003      0111 0000
      0004      0000 0000
      0005      1111 0000
      0006      0101 0101
      0007      0101 0101
      0008      1111 1111
      0009      0010 1111
      0010      0110 1100
      0011      0101 1100
      0012      0001 1010
      0013      0001 1010
      0014      0111 0000
      0015      1111 0000
      0016      0001 1101
      XXXX      0011 1111
SAC for Implementation Errors

- Double Storage of Vital Program Code
- Checksum stored with program code
Double Storage of Vital Program Code

(Diagram: the EPROM holds the Vital Program twice, as Copy 1 and Copy 2, and the Non-Vital Program once)

Faulty EPROM hardware and/or a faulty software tool will probably not be faulty in the same way at two different memory locations.

If a glitch occurs while "burning" one location, it is unlikely that the same glitch will occur while burning the same information in another location.
Checksum on Program Code

A checksum of the program code is stored in the EPROM with the code. Then, during program operation, sum the contents of memory and compare with the stored checksum. Any mismatch is interpreted as a program code fault.

      EPROM
      Address   Data
      0000      0010 1111
      0001      0110 1100
      0002      0101 1100
      0003      0111 0000
      0004      0000 0000
      0005      1111 0000
      0006      0101 0101
      0007      0101 0101
      0008      1111 1111
      0009      0010 1111
      0010      0110 1100
      0011      0101 1100
      0012      0001 1010
      0013      0001 1010
      0014      0111 0000
      0015      1111 0000
      0016      0001 1101   (ADD all of the above)
      XXXX      0011 1111   CHECKSUM
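As an added example (not the VATC's own code), the C program below puts the last two slides together: at "burn" time it lays out two copies of a vital program image plus a modulo-256 additive checksum, and at run time it performs both checks, comparing a fresh sum against the stored checksum and comparing the two copies byte for byte. The image is the 17 data bytes from the EPROM slide; the EPROM layout (copy 1, copy 2, checksum byte), the status codes and the fault scenarios are constructed for this example. The checksum is computed rather than copied from the slide, whose printed value 0011 1111 is illustrative (the modulo-256 sum of the listed bytes is 0A8h).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed vital program image: the 17 data bytes shown on the EPROM slide
 * (addresses 0000..0016). */
#define VITAL_LEN 17u
static const uint8_t VITAL_PROGRAM[VITAL_LEN] = {
    0x2F, 0x6C, 0x5C, 0x70, 0x00, 0xF0, 0x55, 0x55, 0xFF,
    0x2F, 0x6C, 0x5C, 0x1A, 0x1A, 0x70, 0xF0, 0x1D
};

/* Assumed EPROM layout for this example: copy 1, copy 2, then one checksum byte. */
#define COPY1_OFF 0u
#define COPY2_OFF VITAL_LEN
#define CKSUM_OFF (2u * VITAL_LEN)
#define EPROM_SIZE (2u * VITAL_LEN + 1u)

/* Modulo-256 additive checksum: the "sum contents of memory" check on the slide. */
uint8_t additive_checksum(const uint8_t *p, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum = (uint8_t)(sum + p[i]);
    return sum;
}

/* "Burn" time: two copies of the vital code plus the checksum of copy 1. */
void burn_eprom(uint8_t eprom[EPROM_SIZE])
{
    memcpy(eprom + COPY1_OFF, VITAL_PROGRAM, VITAL_LEN);
    memcpy(eprom + COPY2_OFF, VITAL_PROGRAM, VITAL_LEN);
    eprom[CKSUM_OFF] = additive_checksum(eprom + COPY1_OFF, VITAL_LEN);
}

enum { ROM_OK = 0, ROM_CHECKSUM_MISMATCH = 1, ROM_COPY_MISMATCH = 2 };

/* Run time: both checks. Any non-zero result is a program code fault; the only
 * safe response is to stop executing vital code, not to pick one copy. */
int verify_eprom(const uint8_t eprom[EPROM_SIZE])
{
    int status = ROM_OK;
    if (additive_checksum(eprom + COPY1_OFF, VITAL_LEN) != eprom[CKSUM_OFF])
        status |= ROM_CHECKSUM_MISMATCH;
    if (memcmp(eprom + COPY1_OFF, eprom + COPY2_OFF, VITAL_LEN) != 0)
        status |= ROM_COPY_MISMATCH;
    return status;
}

/* Constructed fault scenarios; each returns verify_eprom()'s status. */
int demo_clean(void)
{
    uint8_t eprom[EPROM_SIZE];
    burn_eprom(eprom);
    return verify_eprom(eprom);
}

int demo_single_bit_flip(void)       /* one stuck bit in copy 1: both checks fire */
{
    uint8_t eprom[EPROM_SIZE];
    burn_eprom(eprom);
    eprom[COPY1_OFF] ^= 0x01;
    return verify_eprom(eprom);
}

int demo_compensating_errors(void)   /* +1 and -1 in copy 1: sum unchanged, copy compare catches it */
{
    uint8_t eprom[EPROM_SIZE];
    burn_eprom(eprom);
    eprom[COPY1_OFF + 0] += 1;
    eprom[COPY1_OFF + 1] -= 1;
    return verify_eprom(eprom);
}

int demo_common_mode_fault(void)     /* same two bytes swapped in BOTH copies: neither check fires */
{
    uint8_t eprom[EPROM_SIZE];
    burn_eprom(eprom);
    uint8_t t = eprom[COPY1_OFF]; eprom[COPY1_OFF] = eprom[COPY1_OFF + 1]; eprom[COPY1_OFF + 1] = t;
    t = eprom[COPY2_OFF]; eprom[COPY2_OFF] = eprom[COPY2_OFF + 1]; eprom[COPY2_OFF + 1] = t;
    return verify_eprom(eprom);
}

int main(void)
{
    printf("clean: %d, bit flip: %d, compensating: %d, common-mode: %d\n",
           demo_clean(), demo_single_bit_flip(), demo_compensating_errors(),
           demo_common_mode_fault());
    return 0;
}
```

The scenarios show why the two mechanisms are used together: a single bit flip trips both checks; two compensating errors (+1 and -1) leave an additive checksum unchanged but are caught by the copy comparison; and a fault that corrupts both copies identically passes both checks, which is exactly the common-mode case the double-storage argument assumes to be improbable.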
Safety Assurance Concepts - Baseline System

(Life-cycle diagram from "Opportunities for Corruption", repeated to introduce the Run Time Error SAC)
Run Time Errors

(Diagram of the Computer System: Input Hardware (sensors, antennas, receivers, etc.) -> PROCESSING HARDWARE running the Vital Software and the Non-Vital Software -> Output Hardware (drivers, amplifiers, transmitters, etc.))

Software design must protect against hazardous operation in the presence of:
- Hardware failures
- Corrupt processor behavior caused by errors in the non-vital software
PROTECTION FROM HARDWARE FAILURES
-Electrical/Electronic Systems-

(diagram: Input -> System Function -> Output)

52
Safety Critical Systems

(diagram: Input -> Safety Critical Function -> Output)

Must not fail and output an unsafe result.
Example:  "Go" when you should stop is an unsafe failure.
          It is OK to say "stop" when you should go.
Contract requirement: no more than 1 unsafe failure in 250,000 years

53
Before Computers

(diagram: Input -> Safety Critical Functions (10’s of components) -> Output)

- Functions were simple
- Circuit responses to component failures could be analyzed to verify
  the absence of unsafe failure modes

54
NOW WITH COMPUTERS

(diagram: Input -> Safety Critical Function (millions of components) -> Output)

- More complex functions
- Impossible to analyze as before
- Other techniques needed:
   - Numerical Assurance
   - Checked Redundancy        } applicable to
   - Functional Self Tests     } VATC

55
Checked Redundancy SAC to Protect Against Run-Time Errors

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Redundant implementation of critical functions.
Discrepant results not allowed to reach output.
System shut down if failure persists.
Probabilities calculated to determine MTBH.

56
The Three I’s of a Successful Checked Redundant Design

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Channel Independence
        A and B must have no common mode failure mechanisms
Channel Integrity
        A and B must be correctly implemented
Channel Inspection
        A and B must be tested periodically

57
Mean Time Between Hazard

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Probability of unsafe failure (Pus) occurring during mission time
(for VATC = 1 year)
Then MTBH is the reciprocal of Pus
Pus is very much a function of hardware failure rates, the check interval,
and the effectiveness of the check

58
Mean Time Between Hazard

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked; callout: Software V&V)

Probability of unsafe failure (Pus) occurring during mission time
(for VATC = 1 year)
Then MTBH is the reciprocal of Pus
Pus is very much a function of failure rates, the check interval
and the effectiveness of the check

59
Test Intervals
Initialization Tests – Performed upon power up
Operational Tests – Performed during operation
Safety Certification Tests – Performed during Periodic Maintenance

TIMELINE (diagram)
  Operational – every 10 s to 1.2 hrs
  Initialization – every 60 hrs
  Safety Certification – every 365 days

60
            Test Methodology
Initialization Tests – Performed upon power up
     Self Testing of all non-failsafe hardware components

Operational Tests – Performed during operation
     Self Testing of non-failsafe hardware components
     (also referred to as Interleaved Tests)
     Cross Comparison of results from redundant channels

Safety Certification Tests – Performed during Periodic Maintenance
     Testing with special test equipment

61
VATC Simplified Block Diagram

(diagram: two identical channels. In each, Sensors feed Input Circuits, which a Test Signal
 exercises; the Input Circuits feed Parallel I/O and Serial I/O into a CPU with its own ROM,
 RAM and Interrupt Controllers; the CPU drives Parallel I/O on the output side and is
 monitored by a Failsafe Watchdog Timer. Elements marked * are failsafe: the sensors, the
 two watchdog timers and the final output stage.)

62
Test Effectiveness/Coverage

Initialization Tests – Performed upon power up
     Self Testing of all non-failsafe hardware components    100 %

63
Initialization Test Coverage

(diagram: the VATC simplified block diagram with the components exercised by the
 initialization tests highlighted; * = failsafe)

64
Test Effectiveness/Coverage

Initialization Tests – Performed upon power up
     Self Testing of all non-failsafe hardware components    100 %

Operational Tests – Performed during operation
     Self Testing of non-failsafe hardware components        100 %
     (also referred to as Interleaved Tests)
     Cross Comparison of results from redundant channels

65
Operational Test Coverage

(diagram: the VATC simplified block diagram with the components exercised by the
 operational tests highlighted; * = failsafe)

66
Test Effectiveness/Coverage
Initialization Tests – Performed upon power up
     Self Testing of all non-failsafe hardware components    100 %

Operational Tests – Performed during operation
     Self Testing of non-failsafe hardware components        100 %
     (also referred to as Interleaved Tests)
     Cross Comparison of results from redundant channels

Safety Certification Tests – Performed during Periodic Maintenance
     Testing with special test equipment of vital            100 %
     and non-vital hardware components

67
Safety Certification Test Coverage

(diagram: the VATC simplified block diagram with the components exercised by the
 safety certification tests highlighted; * = failsafe)

68
              Hardware Testing

Input Circuits         Exercised with periodic test signal

Serial I/O             Use of checksums and CRC codes

Parallel Inputs        Exercised with periodic test signal

CPU                    Instruction set tests and data cross-comparison

Parallel Outputs       Periodic test with redundant feed back

Interrupt Controller   Check-in/out tests and watchdog timer

Watchdog Timer         Failsafe – no testing required

69
Hardware Testing (cont’d)
     ROM         Use of checksums

     RAM         Double storage of vital data

                 Disabling of interrupts (except for NMI)
                 during execution of vital modules
                 No program calls from vital modules
                 Check-in/check-out test

70
        Safety Assurance Concepts

     -What do we mean by a Safety Assurance
      Concept?
     -SAC’s for the baseline system
     -SAC’s for the modified system
     -Comparing the two




71
Safety Assurance Concepts
- Baseline System -

(diagram: the baseline software life cycle, System Requirements -> Subsystem Requirements
 -> Software Module Requirements -> Pseudo Code -> Assembly Code -> Hex Code -> EPROM Burner
 -> ROM (Vital, Non-Vital) -> Intel 8086 -> RAM, marked with the four error classes
 DESIGN ERROR, TRANSLATION ERROR, IMPLEMENTATION ERROR and RUN TIME ERROR)

72
           SAC for S/W Design Errors
           -Westinghouse Claim-
     By modular design and a progressively
     structured review process, all prudent
     and practical steps have been taken to
     eliminate software errors

                 THEREFORE
     Probability of the existence of an unsafe
     software design error is assumed to be zero
73
Safety Assurance Concepts
- Baseline System -

(diagram: the baseline software life cycle, System Requirements -> Subsystem Requirements
 -> Software Module Requirements -> Pseudo Code -> Assembly Code -> Hex Code -> EPROM Burner
 -> ROM (Vital, Non-Vital) -> Intel 8086 -> RAM, marked with the four error classes
 DESIGN ERROR, TRANSLATION ERROR, IMPLEMENTATION ERROR and RUN TIME ERROR)

74
SAC for S/W Translation Errors
- Use of Assembly Language to reduce the risk of COTS Development Tool bugs
- Coding Standards developed and used during translation from Pseudo Code
  to Executable Code
- Unit testing on all vital software modules

75
Safety Assurance Concepts
- Baseline System -

(diagram: the baseline software life cycle, System Requirements -> Subsystem Requirements
 -> Software Module Requirements -> Pseudo Code -> Assembly Code -> Hex Code -> EPROM Burner
 -> ROM (Vital, Non-Vital) -> Intel 8086 -> RAM, marked with the four error classes
 DESIGN ERROR, TRANSLATION ERROR, IMPLEMENTATION ERROR and RUN TIME ERROR)

76
SAC for Implementation Errors

Double Storage of Vital Program Code

Checksum stored with program code

77
Double Storage of Vital Program Code - Baseline

(diagram: in the EPROM the Vital Program is stored twice, as Copy 1 and Copy 2;
 the Non-Vital Program is stored once)

Faulty EPROM hardware and/or a faulty software tool will probably not be faulty
in the same way at two different memory locations.

If a glitch occurs while "burning" one location, it is unlikely that the same glitch will
occur while burning the same information in another location.

78
Double Assembly of Program Code
- Modified Release -

(diagram: the Vital and Non-Vital Program Code is assembled twice, once with COTS tool
 SET 1 and once with COTS tool SET 2; Copy 1 of the Hex Code is the copy in USE, and
 Copy 2 is COMPAREd against it)

79
Checksum on Program Code

  EPROM
  Address   Data
  0000      0010 1111
  0001      0110 1100
  0002      0101 1100
  0003      0111 0000
  0004      0000 0000
  0005      1111 0000
  0006      0101 0101
  0007      0101 0101
  0008      1111 1111
  0009      0010 1111
  0010      0110 1100
  0011      0101 1100
  0012      0001 1010
  0013      0001 1010
  0014      0111 0000
  0015      1111 0000
  0016      0001 1101
            ---------  ADD
  XXXX      0011 1111  CHECKSUM

Then during program operation, sum contents of memory and compare with checksum.

Any mismatch interpreted as program code fault.

80
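The two memory checks of slides 70, 78 and 80, written out as an added example in C; this is illustrative code, not the BART/Westinghouse VATC software. It seals an 8-bit additive checksum into a constructed 16-byte program image and re-verifies it, and it double-stores a vital RAM value with the second copy held as the bit-wise complement (an assumed convention; the slides say only "double storage"). The byte values and checksum on slide 80 are illustrative, so the image here is constructed. The fault-injection routine also shows the caveat a practitioner should keep in mind: two byte errors that cancel modulo 256 pass an additive checksum unnoticed, a pattern a 16-bit CRC of the kind listed for serial I/O on slide 69 would catch because the two errors lie within a 16-bit span.

```c
/* Added example (not BART or Westinghouse code): the memory-integrity
 * mechanisms of slides 70, 78 and 80. The 16-byte "EPROM image" and the
 * convention of keeping the second copy of vital data as its complement
 * are constructed assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_LEN 16

/* Constructed program image; at run time it is copied into a 17-byte buffer
 * whose last slot holds the checksum stored with the code. */
static const uint8_t rom_image[IMAGE_LEN] = {
    0x2F, 0x6C, 0x5C, 0x70, 0x00, 0xF0, 0x55, 0x55,
    0xFF, 0x2F, 0x6C, 0x5C, 0x1A, 0x1A, 0x70, 0xF0
};

/* Slide 80: ADD every program byte, keeping the low 8 bits (modulo 256). */
uint8_t rom_checksum(const uint8_t *img, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + img[i]);
    return sum;
}

/* Build time: the checksum is stored with the program code, in img[len]. */
void rom_seal(uint8_t *img, size_t len)
{
    img[len] = rom_checksum(img, len);
}

/* During operation: re-sum and compare. Returns 1 on a program code fault. */
int rom_check(const uint8_t *img, size_t len)
{
    return rom_checksum(img, len) != img[len];
}

/* Slides 70/78: double storage. Copy 2 is the complement of copy 1, so the
 * two locations never hold the same bit pattern and a fault that writes the
 * same value into both is still seen as a discrepancy. */
typedef struct { uint16_t val; uint16_t inv; } vital_u16;

void vital_store(vital_u16 *v, uint16_t x)
{
    v->val = x;
    v->inv = (uint16_t)~x;
}

/* Returns 0 and the value if the copies agree, 1 if they are discrepant.
 * The caller must treat 1 as the restrictive ("stop") state of slide 53. */
int vital_load(const vital_u16 *v, uint16_t *out)
{
    if ((uint16_t)~v->inv != v->val)
        return 1;
    *out = v->val;
    return 0;
}

/* Fault injection. Result flags: 1 = sealed image passes, 2 = single flipped
 * bit detected, 4 = two cancelling byte errors detected (never set: an
 * additive checksum cannot see them), 8 = corrupted RAM copy detected. */
int integrity_demo(void)
{
    uint8_t img[IMAGE_LEN + 1];
    vital_u16 speed_limit;
    uint16_t value;
    int r = 0;

    memcpy(img, rom_image, IMAGE_LEN);
    rom_seal(img, IMAGE_LEN);
    if (rom_check(img, IMAGE_LEN) == 0) r |= 1;

    img[3] ^= 0x04;                       /* one bit of program code flipped */
    if (rom_check(img, IMAGE_LEN)) r |= 2;
    img[3] ^= 0x04;

    img[0] += 1;                          /* two errors that cancel modulo 256: */
    img[1] -= 1;                          /* the sum, and so the check, is unchanged */
    if (rom_check(img, IMAGE_LEN)) r |= 4;

    vital_store(&speed_limit, 27);
    speed_limit.val ^= 0x0100;            /* one copy corrupted in RAM */
    if (vital_load(&speed_limit, &value)) r |= 8;
    return r;
}

int main(void)
{
    printf("checksum of image: 0x%02X\n", rom_checksum(rom_image, IMAGE_LEN));
    printf("demo flags: %d (expect 11 = 1 + 2 + 8)\n", integrity_demo());
    return 0;
}
```

The copy-against-copy comparison in `vital_load` is the same check that slide 79 applies to the two assembler outputs of the modified release: any disagreement between two independently produced copies is treated as a fault, without needing to know which copy is wrong.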
Safety Assurance Concepts
- Baseline System -

(diagram: the baseline software life cycle, System Requirements -> Subsystem Requirements
 -> Software Module Requirements -> Pseudo Code -> Assembly Code -> Hex Code -> EPROM Burner
 -> ROM (Vital, Non-Vital) -> Intel 8086 -> RAM, marked with the four error classes
 DESIGN ERROR, TRANSLATION ERROR, IMPLEMENTATION ERROR and RUN TIME ERROR)

81
Run Time Errors

(diagram)
  Input Hardware                 Computer System                    Output Hardware
  sensors, antennas,      PROCESSING HARDWARE running               drivers, amplifiers,
  receivers, etc.         Vital Software and Non-Vital Software     transmitters, etc.

Software design must protect against hazardous operation in the presence of:

  Hardware failures

  Corrupt processor behavior caused by errors in the non-vital software

82
Checked Redundancy SAC to Protect Against Run-Time Errors

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Redundant implementation of critical functions.
Detected discrepancies blocked from output.
System shut down if failure persists.
Probabilities calculated to determine MTBH.

83
The Three I’s of a Successful Checked Redundant Design

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Channel Independence
        A and B must have no common mode failure mechanisms
Channel Integrity
        A and B must be correctly implemented
Channel Inspection
        A and B must be tested periodically

84
Mean Time Between Hazard

(diagram: Input -> Redundant Implementation A / Redundant Implementation B -> Compare -> Output;
 both implementations are Periodically Checked)

Probability of unsafe failure (Pus) occurring during mission time
(for VATC = 1 year)

Then MTBH is the reciprocal of Pus

Pus is very much a function of the check interval and the
effectiveness of the check

85
Test Intervals / Frequencies
Initialization Tests – Performed upon power up
Operational Tests – Performed during operation
Safety Certification Tests – Performed during Periodic Maintenance

TIMELINE (diagram)
  Operational – every 10 s to 1.2 hrs
  Initialization – every 60 hrs
  Safety Certification – every 365 days

86
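A worked numerical illustration of the relation stated on slides 58, 59 and 85, added here as an example and not the Westinghouse MTBH calculation: a standard two-channel latent-fault model in which a hazard requires one channel to fail while the other channel's undetected fault is still latent, with the latency set by the three test tiers of slides 60 and 86 (operational, initialization, safety certification). The channel failure rate, the coverages and the choice of 1.2 h (the longest operational interval on the timeline) are assumed figures, not VATC values; the point is how strongly MTBH depends on the check interval and the effectiveness of the check, measured against the 250,000-year contract requirement of slide 53.

```c
/* Added example (not the Westinghouse calculation): a latent-fault model for
 * a two-channel checked-redundant design. Two independent channels are
 * compared; a hazard needs the second channel to fail while the first
 * channel's fault is still latent. Rates and coverages below are assumed. */
#include <stdio.h>

#define HOURS_PER_YEAR       8760.0
#define CONTRACT_MTBH_YEARS  250000.0   /* slide 53 */

typedef struct {
    double lambda;   /* unsafe failure rate of one channel, per hour (assumed) */
    double t_op;     /* operational (interleaved) test interval, hours */
    double c_op;     /* fraction of channel faults the operational test sees */
    double t_init;   /* initialization test interval, hours */
    double c_init;   /* initialization test coverage */
    double t_cert;   /* safety certification test interval, hours; coverage 1 */
} channel_model;

/* Mean time a single-channel fault stays latent. A fault arriving at a
 * uniformly random moment waits on average half an interval for the next
 * test; what the operational test misses waits for the initialization test,
 * and what both miss waits for the certification test. */
double mean_latency_hours(const channel_model *m)
{
    double p_op   = m->c_op;
    double p_init = (1.0 - m->c_op) * m->c_init;
    double p_cert = (1.0 - m->c_op) * (1.0 - m->c_init);
    return p_op * m->t_op / 2.0 + p_init * m->t_init / 2.0 + p_cert * m->t_cert / 2.0;
}

/* Hazard rate per hour. lambda * tau is the steady-state probability that a
 * channel is carrying an undetected fault (valid while lambda*tau << 1);
 * either channel can be the one that fails second, hence the factor 2.
 * Conservative: every coincident double fault is assumed to pass the comparator. */
double hazard_rate_per_hour(const channel_model *m)
{
    double tau = mean_latency_hours(m);
    return 2.0 * m->lambda * (m->lambda * tau);
}

/* Pus for the mission time (first-order; fine while the product is << 1). */
double p_unsafe(const channel_model *m, double mission_hours)
{
    return hazard_rate_per_hour(m) * mission_hours;
}

/* Slide 58: MTBH is the reciprocal of Pus for the one-year mission. */
double mtbh_years(const channel_model *m)
{
    return 1.0 / p_unsafe(m, HOURS_PER_YEAR);
}

int meets_contract(const channel_model *m)
{
    return mtbh_years(m) >= CONTRACT_MTBH_YEARS;
}

/* Two assumed parameter sets: identical hardware, differing only in how much
 * of the channel the operational self test can see. */
const channel_model tight_coverage = {1.0e-5, 1.2, 0.99, 60.0, 0.999, 365.0 * 24.0};
const channel_model loose_coverage = {1.0e-5, 1.2, 0.90, 60.0, 0.999, 365.0 * 24.0};

int main(void)
{
    const channel_model *cases[2] = {&tight_coverage, &loose_coverage};
    for (int i = 0; i < 2; i++) {
        printf("c_op=%.2f  latent %.3f h  Pus(1 yr)=%.3e  MTBH=%.0f years  %s\n",
               cases[i]->c_op, mean_latency_hours(cases[i]),
               p_unsafe(cases[i], HOURS_PER_YEAR), mtbh_years(cases[i]),
               meets_contract(cases[i]) ? "meets 250,000-year contract"
                                        : "short of contract");
    }
    return 0;
}
```

With the same hardware, dropping operational coverage from 99 % to 90 % moves the mean latency of a channel fault from under an hour to about four hours, because the faults the operational test misses now wait on the 60-hour initialization test; MTBH falls by roughly the same factor, from above the contract figure to below it. That is the "effectiveness of the check" term of the slides made visible.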
Test Methodology
Initialization Tests – Performed upon power up
     Self Testing of all non-failsafe hardware components

Operational Tests – Performed during operation
     Self Testing of non-failsafe hardware components
     (also referred to as Interleaved Tests)
     Cross Comparison of results from redundant channels

Safety Certification Tests – Performed during Periodic Maintenance
     Testing with special test equipment

87
VATC Simplified Block Diagram

(diagram: two identical channels. In each, Sensors feed Input Circuits, which a Test Signal
 exercises; the Input Circuits feed Parallel I/O and Serial I/O into a CPU with its own ROM,
 RAM and Interrupt Controllers; the CPU drives Parallel I/O on the output side and is
 monitored by a Failsafe Watchdog Timer. Elements marked * are failsafe: the sensors, the
 two watchdog timers and the final output stage.)

88
                  Hardware Testing
     Input Circuits         Exercised with periodic test signal

     Serial I/O             Use of checksums and CRC codes

     Parallel Inputs        Exercised with periodic test signal

     CPU                    Instruction set tests and data cross-comparison

     Parallel Outputs       Periodic test with redundant feed back

     Interrupt Controller   Check-in/out tests and watchdog timer

     Watchdog Timer         Failsafe – no testing required

89
Hardware Testing (cont’d)

     ROM          Use of checksums

     RAM          Double storage of vital data

MODIFIED          Disabling of interrupts (except for NMI)
                  during execution of vital modules

                  No program calls from vital modules
SAME              Check-in/check-out test

90
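The check-in/check-out test listed on slides 70 and 90, written out as an added example in C (illustrative code, not the VATC software): each vital module folds an entry token into a running flow signature on entry and an exit token on exit, and at the end of the cycle the permissive output is released and the failsafe watchdog timer of slides 69/89 is pulsed only if the signature matches the one defined for a complete, in-order cycle. The four modules, the tokens and the mixing function are constructed; skipping a module simulates the errant control flow that a non-vital software error can cause (slide 51) and leaves the output restrictive with the watchdog unserviced.

```c
/* Added example, not BART or Westinghouse software: the "check-in/check-out
 * test" of slides 70/90 as program-flow monitoring that gates the failsafe
 * watchdog timer of slides 69/89. The module set, tokens and mixing function
 * are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define N_MODULES 4

/* Distinct entry/exit token per vital module (constructed values). */
static const uint32_t ENTRY_TOKEN[N_MODULES] = {0xA5A50001u, 0xA5A50002u, 0xA5A50003u, 0xA5A50004u};
static const uint32_t EXIT_TOKEN[N_MODULES]  = {0x5A5A0001u, 0x5A5A0002u, 0x5A5A0003u, 0x5A5A0004u};

static uint32_t flow_sig;            /* running flow signature for this cycle */
static int      interrupts_enabled;  /* simulated interrupt mask */

/* Rotate-then-xor, so the result depends on the order in which tokens are
 * folded in: a skipped, repeated or reordered module changes the signature. */
static uint32_t fold(uint32_t sig, uint32_t token)
{
    sig = (sig << 5) | (sig >> 27);
    return sig ^ token;
}

/* Check-in masks interrupts (except NMI, slide 70) for the module; check-out
 * restores them. A real vital module makes no program calls, so these two
 * would be inlined rather than called. */
static void check_in(int m)  { interrupts_enabled = 0; flow_sig = fold(flow_sig, ENTRY_TOKEN[m]); }
static void check_out(int m) { flow_sig = fold(flow_sig, EXIT_TOKEN[m]);  interrupts_enabled = 1; }

/* Signature of one complete in-order cycle (a ROM constant in a real system). */
uint32_t expected_signature(void)
{
    uint32_t s = 0;
    for (int m = 0; m < N_MODULES; m++) {
        s = fold(s, ENTRY_TOKEN[m]);
        s = fold(s, EXIT_TOKEN[m]);
    }
    return s;
}

typedef struct { int speed; int limit; int overspeed; int inputs_ok; } cycle_state;
typedef struct { int permissive; int watchdog_serviced; int flow_error; } cycle_result;

/* Four vital modules of a deliberately small speed-supervision cycle. */
static void m_acquire(cycle_state *s, int speed, int limit)
{ check_in(0); s->speed = speed; s->limit = limit; check_out(0); }
static void m_validate(cycle_state *s)
{ check_in(1); s->inputs_ok = (s->speed >= 0 && s->limit >= 0 && s->limit <= 80); check_out(1); }
static void m_compare(cycle_state *s)
{ check_in(2); s->overspeed = (s->speed > s->limit); check_out(2); }
static void m_output(const cycle_state *s, cycle_result *r)
{ check_in(3); r->permissive = (s->inputs_ok && !s->overspeed); check_out(3); }

/* One vital cycle. Bit m of skip_mask simulates module m not executing
 * (corrupt control flow, e.g. an errant jump caused by a non-vital software
 * error, slide 51); skip_mask 0 is a normal cycle. */
cycle_result run_cycle(int speed, int limit, unsigned skip_mask)
{
    cycle_state  s = {0, 0, 0, 0};
    cycle_result r = {0, 0, 0};

    flow_sig = 0;
    interrupts_enabled = 1;
    if (!(skip_mask & 1u)) m_acquire(&s, speed, limit);
    if (!(skip_mask & 2u)) m_validate(&s);
    if (!(skip_mask & 4u)) m_compare(&s);
    if (!(skip_mask & 8u)) m_output(&s, &r);

    /* Check-out test: release the permissive output and pulse the watchdog
     * only if every module checked in and out in the defined order; otherwise
     * force the output restrictive and let the failsafe watchdog time out. */
    if (flow_sig == expected_signature() && interrupts_enabled) {
        r.watchdog_serviced = 1;
    } else {
        r.permissive = 0;
        r.flow_error = 1;
    }
    return r;
}

/* Packed result for quick checks: bit0 permissive, bit1 watchdog pulsed, bit2 flow error. */
int cycle_code(int speed, int limit, unsigned skip_mask)
{
    cycle_result r = run_cycle(speed, limit, skip_mask);
    return r.permissive | (r.watchdog_serviced << 1) | (r.flow_error << 2);
}

int main(void)
{
    printf("normal    code=%d (expect 3: permissive + watchdog)\n", cycle_code(40, 50, 0u));
    printf("overspeed code=%d (expect 2: watchdog only)\n",        cycle_code(60, 50, 0u));
    printf("skipped   code=%d (expect 4: flow error)\n",           cycle_code(60, 50, 4u));
    return 0;
}
```

The third case is the one that matters: with the compare module skipped, the output logic alone would have released a permissive output at 60 against a limit of 50, and only the flow-signature check turns that into a restrictive output and a watchdog timeout.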
        Safety Assurance Concepts

     -What do we mean by a Safety Assurance
      Concept?
     -SAC’s for the baseline system
     -SAC’s for the modified system
     -Comparing the two




91
Comparing the Baseline to the Modified SAC’s

Protection from:        Comparison   Difference

Design Error            Same         NA

Translation Error       Same         NA

Implementation Error    Modified     Baseline: double storage of vital code
                                     Modified: double compiling of all code

Run Time Error          Modified     RAM data protection modified

92
Agenda
- Laying the Groundwork

- Safety Assurance Concepts
  (How can we claim it’s safe?)
  – For the Baseline Design
  – For the MMF Release

- Verification and Validation Process/Documentation
  (What did we do to prove it’s safe?)

- Summary

93
Safety Confirmation

(diagram)
  High Level Requirements
        |   VALIDATION: Was it designed to do the right thing?
        v
  Software Requirements
  Pseudo Code
        |   VERIFICATION: Was the design translated/implemented correctly?
        v
  Hex Code
  EPROM

94
                MMF Software Release

     [Block diagram of the MMF onboard software. Inputs: Existing Wayside
      Train Control, Existing Onboard Sensors, and AATC Speed Commands and
      Vehicle Status via the AATC Radio/ATIC. Baseline Functions drive the
      Vehicle Door Relays and the Onboard Propulsion/Brake Controller; the
      New Functions take the AATC inputs. Annotation: "AATC controls
      over-ride baseline controls".]
95
                MMF Software V&V
                Objectives

     [Slides 96 through 98 repeat the MMF Software Release block diagram of
      slide 95 as a build-up; slide 98 adds the heading "Hardware Testing".]
96-98
               High Level Fault Tree Structure

     Unsafe Condition
       |-- Baseline functions implemented incorrectly
       |     |-- Functional logic implemented incorrectly
       |     `-- H/W checking code implemented incorrectly
       |     MMF Release: baseline functions modified incorrectly;
       |                  baseline functions not isolated from new functions
       `-- New AATC functions implemented incorrectly (CMF Release)
99
            Element 4 and 5
            Documentation
      Element 4
            VATC Subsystem V&V Plan
            VATC Modifications V&V Report


      Element 5
            QA Plan and Report
            Safety Assurance Concept
            Fault Tree Analysis
            Safety Assurance Concept Implementation Analysis
            FMEA’s
            Audit Reports

100
                  AATC Safety
                  Analysis/Reports
SAFETY ASSURANCE CONCEPTS (SAC)
   Document explaining which features of the design ensure that
   hazards are adequately mitigated.
SAFETY ASSURANCE CONCEPTS IMPLEMENTATION (SACI)
   Analysis confirming that the SACs are implemented
FAULT TREE ANALYSIS (FTA)
   Graphic analysis identifying which functions are safety critical

S/W V&V REPORT
   Requirements tracing, V&V records

FAILURE MODES AND EFFECTS ANALYSIS (FMEA)
   Circuit analysis confirming failsafe behavior of critical circuits
101
              Some Key Westinghouse
              Analysis Documents

     Baseline Fault Tree Analysis
       Identifies combinations of failures that can lead
       to unsafe operation

     System Hazard Analysis (SHA)
       Computes probability of unsafe combination
       occurring and ultimately the system MTBH
102
                  The S/W Analysis Process

     [Figure: Baseline FTA feeding the MMF FTA.]
103
                          Baseline Fault Tree Structure

     BART ATC Unsafe Condition
       |-- Train speed greater than commanded speed without adequate braking
       |     |-- External BRK3 failure
       |     |-- Failure to respond to brake request generated by processing kernel
       |     `-- Brake request not generated by processing kernel
       `-- Doors commanded to open in unsafe manner
104
                         Tree Structure Modified for AATC

     BART ATC Unsafe Condition
       |-- BART ATC Unsafe Condition (baseline subtree)
       |     |-- Train speed greater than commanded speed without adequate braking
       |     |     |-- External BRK3 failure
       |     |     |-- Failure to respond to brake request generated by processing kernel
       |     |     `-- Brake request not generated by processing kernel
       |     `-- Doors commanded to open in unsafe manner
       `-- New AATC Functions
105
       Baseline Construct
       Representing Checked
       Redundancy

     Hazard Event
       |-- Hazard Event
       |     |-- Leader Hazardous Event
       |     `-- Follower Hazardous Event
       `-- Hazard Event
106
                   Fault Conditions for Modified Release

     Hazard Event
       |-- Hazard Event
       |     |-- Mechanism requiring Leader & Follower modified
       |     `-- Hazard Event
       |           |-- Leader Hazardous Event
       |           `-- Follower Hazardous Event
       `-- Unintended Operation of S/W Generates Hazard (Z.1)
107
                      The S/W Analysis Process

     [Flow diagram relating: Baseline FTA, SHA, MTBH, SAC, MMF FTA,
      List of Basic Events, List of Assumptions, SACI, List of
      Requirements, FMEA, SMRS, Pseudo Code, Assembly Code and
      Corrected MTBH.]
108
                      The S/W Analysis Process

     [Same flow diagram as slide 108 (Baseline FTA, SHA, MTBH, SAC, MMF FTA,
      List of Basic Events, List of Assumptions, SACI, List of Requirements,
      FMEA, SMRS, Pseudo Code, Assembly Code, Corrected MTBH), annotated
      with the certification package attachments: ATTACHMENTS 5.6 & 5.7
      beside the SAC; ATTACHMENT 5.4; ATTACHMENT 5.5, APP. B;
      ATTACHMENT 5.5, SECTIONS 3 & 4.]
109
      Fault Tree “Z-Branch”
             Analysis




110
                What is the “Z-Branch”
     Certain aspects of all vital computer and
      software implementations require V&V
      regardless of the specific application.

     These common “problem areas” include:
      –   RAM/ROM
      –   Program Pointer
      –   The Stack
      –   Interrupts
      –   Pointer and Index Variables

     These are described in the VATC Safety Assurance Concepts
     document, Section 2.3.5
111
             What are these
             “Problem Areas?”

     Divided into two types:

      1) Things that can happen when the
         computer is running
         [Figure: Inputs -> Computer (VATC) -> Outputs]
112
             What are these
             “Problem Areas?”

      2) Things that can happen during
         software development
         [Figure: System Requirements -> Subsystem Requirements ->
          Software Module Requirements -> Pseudo Code -> Assembly Code ->
          Assembly Code -> Hex Code -> EPROM Burner -> ROM (Vital)
          and ROM (Non-Vital)]
113
              What are these problem areas?
              RAM and ROM
     Read Only Memory (ROM) contains permanent,
      non-changing data
     Random Access Memory (RAM) contains dynamic,
      changing data
     What can go wrong:
      – Hardware failures can corrupt
        memory contents
      – Software errors can corrupt
        memory contents

114
              What are these problem areas?
              The Program Pointer
     Keeps track of which software instruction to
      execute next

     [Figure: execution cycling through Module A, Module B,
      Module C and Module D.]

     What can go wrong?
      - Hardware glitch can alter the program pointer
      - Software errors can corrupt the pointer
115
              What are these problem areas?
              The Stack
     Stack Pointer
      – Determines where next data will be read from or
        written to stack memory

     Stack Memory Contents
      – An area in RAM used to temporarily store data

     [Figure: Stack Memory (256 bytes), cells numbered 1 to 256,
      with the Stack Pointer marking the current cell.]
116
             What are these problem areas?
             The Stack
     What can go wrong?
      – Hardware glitch can corrupt the stack
        pointer or the contents of stack
        memory
      – Software error can corrupt the stack
        pointer or the contents of stack
        memory



117
                 What are these problem areas?
                 Interrupt Processing

     [Figure: main loop with interrupting processes. The main loop cycles
      through Module A, Module B, Module C and Module D; Modules E, F, G
      and H are interrupt processes that break into it.]
118
                 What are these problem areas?
                 Interrupt Processing

     [Figure: the Main Loop, Module A -> Module B -> Module C -> Module D.]

     The Main Loop executes continuously
     as fast as possible
119
                 What are these problem areas?
                 Interrupt Processing

     [Figure: the main loop with interrupt Modules E, F, G and H.]

     Modules E & F stop the main loop from
     processing until they are completed
120
                 What are these problem areas?
                 Interrupt Processing

     What can go wrong?
      – Software errors can alter interrupt frequency
      – Software errors can prevent interrupts from
        being serviced in a timely manner (latency)
121
              What are these problem areas?
              Pointers and Indexes
     Allows access to any part of memory

     [Figure: a pointer variable holding 123 selects memory address 123;
      its contents (12) are used as a second address, and the contents
      of address 12 (250) become the return value.]

        POINTER VARIABLE = 123

        MEMORY ADDRESS   CONTENTS        MEMORY ADDRESS   CONTENTS
             121            89                10             65
             122           125                11            127
          -> 123            12    ->          12            250   -> RETURN VALUE 250
             124             7                13             13
             125            16                14            105
122
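The pointer/index figure above and the stack slides (116, 117) describe what can go wrong; the added C model below shows one way the checks look in code. It is not BART or Westinghouse code: the lookup table, the complement copy kept with each index variable, the 256-byte stack region with a guard byte, and the range checks on the stack pointer are all assumptions constructed for the example.

```c
/* Added example (not BART/Westinghouse code): validating an index variable
 * before it reaches into memory, and a 256-byte stack model whose pointer
 * and guard byte are checked on every access.  Table contents, stack size
 * and guard pattern are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* --- Pointers and index variables ------------------------------------- */
/* Constructed lookup table.  An index outside it reads unrelated memory,
 * which is the hazard the MEMORY/ADDRESS/CONTENTS figure illustrates. */
#define TABLE_LEN 16
static const uint16_t lookup_table[TABLE_LEN] = {
    0, 8, 16, 27, 36, 50, 63, 70, 80, 90, 100, 110, 120, 130, 140, 150 };

/* An index variable carries a complement copy like other vital data, so a
 * corrupted index is caught before it is used rather than after. */
typedef struct { uint8_t index; uint8_t complement; } vital_index;

void index_set(vital_index *ix, uint8_t i) { ix->index = i; ix->complement = (uint8_t)~i; }

/* Returns true and the table entry only if the index is both uncorrupted
 * and inside the table; otherwise *out is left untouched. */
bool table_lookup(const vital_index *ix, uint16_t *out) {
    if ((uint8_t)~ix->index != ix->complement) return false;  /* corrupted index */
    if (ix->index >= TABLE_LEN) return false;                 /* out of range   */
    *out = lookup_table[ix->index];
    return true;
}

/* --- The stack ---------------------------------------------------------- */
/* Model of the slide's 256-byte stack: a guard byte just below the lowest
 * usable cell, and a pointer that is range-checked before every access.
 * The pointer check catches a software overflow; the guard catches a
 * stray write from elsewhere (hardware glitch or wild pointer). */
#define STACK_BYTES 256
#define GUARD 0xA5

typedef struct {
    uint8_t guard;               /* must stay GUARD */
    uint8_t mem[STACK_BYTES];    /* the slide's cells 1..256 */
    uint16_t sp;                 /* next free cell, growing downward from STACK_BYTES */
} vital_stack;

void stack_init(vital_stack *s) { s->guard = GUARD; s->sp = STACK_BYTES; }

/* A stack is sound if its pointer is inside the region and the guard is intact. */
bool stack_sound(const vital_stack *s) {
    return s->guard == GUARD && s->sp <= STACK_BYTES;
}

bool stack_push(vital_stack *s, uint8_t v) {
    if (!stack_sound(s) || s->sp == 0) return false;   /* full: refuse rather than overrun */
    s->sp--;
    s->mem[s->sp] = v;
    return true;
}

bool stack_pop(vital_stack *s, uint8_t *out) {
    if (!stack_sound(s) || s->sp == STACK_BYTES) return false;  /* empty */
    *out = s->mem[s->sp];
    s->sp++;
    return true;
}

/* Push until the stack refuses; returns how many pushes were accepted. */
int stack_fill_count(vital_stack *s) {
    int n = 0;
    while (stack_push(s, (uint8_t)n)) n++;
    return n;
}
```

On a real target the stack pointer is a CPU register rather than a struct field, so the check runs as a periodic test of the register against the region bounds and of the guard pattern; the logic is the same as stack_sound above.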
      What have we done to identify
       and protect these “Problem
                Areas?”



123
                        VATC FTA Z-Branch

     Unintended Software Operation Causes Hazard
       |-- Part 1: S/W Design Error Results in Hazardous Operation
       |     |-- Vital Logic Modified and Introduces Hazard
       |     |     |-- [8]  Vital Logic for Functions Modified Incorrectly
       |     |     `-- Other Vital Logic Affects Execution or Results of Vital Logic
       |     |           |-- [9]  Modifications Affect Execution of Vital Logic
       |     |           `-- [10] Modifications Affect Results of Vital Logic
       |     `-- Non-Vital Logic Corrupts Vital Operation and Causes Hazard
       |           |-- Protection from Corruption of Variable Data not Provided
       |           |     |-- [11] Data Corrupted During Interrupt Processing
       |           |     `-- [12] Data Corrupted Between Interrupt Calls
       |           `-- [13] No Protection from Corruption of Stack
       `-- Part 2: Firmware Implementation Error Results in Hazard
             |-- Error During Assembly, Link or Conversion to Hex
             |     |-- [14] No Mitigation for Error in Software Tools
             |     `-- [15] No Mitigation for Error at Time of Translation
             |-- Error During Burning of Master EPROM
             |     |-- [16] No Mitigation for Fault in EPROM Burner
             |     `-- [17] No Mitigation for Error During Burning of Master EPROM
             `-- [18] No Mitigation for Fault During Copying of Master

     (bracketed numbers are the fault tree basic event numbers)
124
             FTA Z-Branch
             Part 1

     Basic Event #8: Vital function implemented incorrectly.

     [Figure: the Part 1 subtree of slide 124, "S/W Design Error Results
      in Hazardous Operation", basic events 8 through 13.]
125
           FTA Z-Branch
           Part 1

     Basic Event #8: Vital function implemented incorrectly.

     WE VERIFIED THAT:
       -The function was identified as “vital”
         (SAC Implementation Analysis, Appendix C.3)
       -The function was properly unit tested
         (SAC Implementation Analysis, Appendix C.3,
          V&V Report, Section 2)
       -A code review was performed on the
        function (SAC Implementation Analysis,
         Appendix C.3, and V&V Report, Section 9)

     [Figure: the Part 1 subtree of slide 124, basic events 8 through 13.]
126
            FTA Z-Branch
            Part 1

Basic Event #8
Vital function
implemented incorrectly.

 Identification of Vital Software Modules
  - The SAC Implementation Analysis examined
    each basic event of the fault tree and identified
    where in the VATC software associated
    functions were implemented
  - These vital software modules are listed in
    Appendix C.3 of the SAC Implementation
    Analysis

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slide]

127                                                             S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #8
Vital function
implemented incorrectly.

 Confirmation of Unit Testing
  - Inspection of software module
    unit test results verified that
    modified vital modules were
    properly tested
  - Unit testing isolates each module
    and confirms that the proper
    outputs result from given inputs
  - Unit test results are in the V&V
    Report, Section 2

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

128                                                           S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #8
Vital function
implemented incorrectly.

 Confirmation of Code Review
  - Inspection of code review results
    verified that modified vital modules
    were properly reviewed
  - Code reviews ensure that vital
    modules are implemented
    correctly
  - Code review results are in the
    V&V Report, Section 9

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

129                                                           S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #9
Software error in one
vital function prevents or
alters execution of
another vital function.

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

130                                                               S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #9
Software error in one
vital function prevents or
alters execution of
another vital function.

 WE VERIFIED THAT:
  -The vital function contains
   check-in and check-out
   runtime tests (SAC
   Implementation Analysis,
   Appendix C.3)
  -Interrupt timing and latency
   tests were performed on the
   interrupt string (SAC
   Implementation Analysis,
   Appendix D)

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

131                                                            S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #9
Software error in one
vital function prevents or
alters execution of
another vital function.

 Check-In & Check-Out Runtime Tests
  - Check-In/Out runtime tests detect out-
    of-sequence program execution
  - Inspection of software source code
    verified that vital modules include
    these tests

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

132                                                               S.F. Bay Area Rapid Transit
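The check-in/check-out runtime test described on this slide, shown as an added example that is not part of the original presentation and not the VATC's own code. Each vital module records a check-in token on entry and a matching check-out token on exit; at the end of the cycle the recorded trace is compared against the sequence fixed at design time, so a module that is skipped, repeated, reordered, or exited without being entered fails the cycle and the caller must fall back to the restrictive state. The module names, the three-module cycle and the exact-match policy are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Identifiers for the vital modules of one processing cycle. The names and
 * the cycle structure are assumptions for this example, not the VATC's own. */
enum vital_module {
    MOD_SPEED_LIMIT     = 1,
    MOD_BRAKE_ASSURANCE = 2,
    MOD_OUTPUT_VOTE     = 3
};

#define TRACE_MAX 16

/* Execution trace for one cycle: +id on check-in, -id on check-out. */
typedef struct {
    int8_t events[TRACE_MAX];
    size_t n;
    bool   fault;   /* set as soon as a check-in/check-out pair is malformed */
} trace_t;

static void trace_init(trace_t *t) { t->n = 0; t->fault = false; }

static void trace_record(trace_t *t, int8_t ev)
{
    if (t->n >= TRACE_MAX) { t->fault = true; return; }   /* overflow is a fault */
    t->events[t->n++] = ev;
}

/* Check-in: recorded on entry to a vital module. */
static void check_in(trace_t *t, enum vital_module id)
{
    trace_record(t, (int8_t)id);
}

/* Check-out: recorded on exit. It must pair with the innermost open check-in;
 * reaching a module's exit without its entry, or closing the wrong module,
 * is out-of-sequence execution and is flagged immediately. */
static void check_out(trace_t *t, enum vital_module id)
{
    int  depth   = 0;
    bool matched = false;
    for (size_t i = t->n; i > 0 && !matched; ) {
        int8_t ev = t->events[--i];
        if (ev < 0)         depth++;   /* a completed pair: skip over its check-in */
        else if (depth > 0) depth--;
        else {                         /* innermost open check-in */
            matched = true;
            if (ev != (int8_t)id) t->fault = true;
        }
    }
    if (!matched) t->fault = true;
    trace_record(t, (int8_t)-id);
}

/* The trace a correct cycle must produce, fixed at design time. */
static const int8_t EXPECTED[] = {
    MOD_SPEED_LIMIT,     -MOD_SPEED_LIMIT,
    MOD_BRAKE_ASSURANCE, -MOD_BRAKE_ASSURANCE,
    MOD_OUTPUT_VOTE,     -MOD_OUTPUT_VOTE
};

/* End-of-cycle check: the recorded trace must equal EXPECTED exactly, so a
 * skipped, repeated or reordered module fails the cycle. */
static bool trace_verify(const trace_t *t)
{
    if (t->fault || t->n != sizeof EXPECTED) return false;
    for (size_t i = 0; i < t->n; i++)
        if (t->events[i] != EXPECTED[i]) return false;
    return true;
}

/* Stand-ins for the vital modules; each brackets its body with check-in/out. */
static void speed_limit(trace_t *t)     { check_in(t, MOD_SPEED_LIMIT);     check_out(t, MOD_SPEED_LIMIT); }
static void brake_assurance(trace_t *t) { check_in(t, MOD_BRAKE_ASSURANCE); check_out(t, MOD_BRAKE_ASSURANCE); }
static void output_vote(trace_t *t)     { check_in(t, MOD_OUTPUT_VOTE);     check_out(t, MOD_OUTPUT_VOTE); }

/* One cycle. The flags inject the failure modes the runtime test exists to
 * catch: a module skipped by a wrong branch, or two modules reordered. Returns
 * true only if the cycle's vital outputs may be used; otherwise the caller
 * must drive the restrictive (stop) state. */
bool run_cycle(bool skip_brake_check, bool reorder)
{
    trace_t t;
    trace_init(&t);
    if (reorder) { brake_assurance(&t); speed_limit(&t); }
    else {
        speed_limit(&t);
        if (!skip_brake_check) brake_assurance(&t);
    }
    output_vote(&t);
    return trace_verify(&t);
}

/* A check-out with no open check-in (exit reached without entry). */
bool stray_checkout_detected(void)
{
    trace_t t;
    trace_init(&t);
    check_out(&t, MOD_OUTPUT_VOTE);
    return t.fault;
}

int main(void)
{
    printf("nominal cycle accepted:   %d\n", run_cycle(false, false));
    printf("skipped module accepted:  %d\n", run_cycle(true,  false));
    printf("reordered cycle accepted: %d\n", run_cycle(false, true));
    printf("stray check-out flagged:  %d\n", stray_checkout_detected());
    return 0;
}
```

The point of the design is that the check is independent of the data each module computes: a wrong branch that bypasses brake assurance still produces correct-looking speed and vote outputs, and only the trace reveals that a vital function did not execute.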
            FTA Z-Branch
            Part 1

Basic Event #9
Software error in one
vital function prevents or
alters execution of
another vital function.

 Interrupt Timing Tests
  - Confirm correct frequency
  - Confirm correct latency
    (interrupt service delay)

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

133                                                               S.F. Bay Area Rapid Transit
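The two checks on this slide, frequency and latency, carried out over a capture of interrupt timestamps, as an added example that is not the certification's own test procedure and not VATC code. Each trigger-to-trigger interval is tested against the nominal period plus tolerance (a lost or spurious interrupt shows up as an out-of-range period), and each trigger-to-service delay is tested against the maximum latency. The sample format, the limits (an assumed 100 Hz interrupt, 1 % period tolerance, 50 µs maximum latency) and the three captures are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One captured interrupt: the hardware trigger time and the time the service
 * routine actually started, in microseconds from a free-running timer. */
typedef struct { uint32_t trigger_us; uint32_t isr_entry_us; } irq_sample_t;

/* Acceptance limits for the interrupt string. The numbers are assumptions for
 * this example (100 Hz, 1 % period tolerance, 50 us maximum service delay),
 * not the VATC's requirements. */
typedef struct {
    uint32_t nominal_period_us;
    uint32_t period_tolerance_us;
    uint32_t max_latency_us;
} irq_limits_t;

static const irq_limits_t LIMITS = { 10000, 100, 50 };

/* What the test reports back: worst observed values and violation counts. */
typedef struct {
    uint32_t min_period_us, max_period_us, max_latency_us;
    size_t   period_violations, latency_violations;
} irq_report_t;

/* Frequency check: every trigger-to-trigger interval must lie within
 * nominal +/- tolerance. Latency check: every trigger-to-entry delay must not
 * exceed the maximum. Returns true only if both hold for every sample and at
 * least two samples were captured, so an empty capture can never pass. */
bool interrupt_timing_ok(const irq_sample_t *s, size_t n,
                         const irq_limits_t *lim, irq_report_t *rep)
{
    irq_report_t r = { UINT32_MAX, 0, 0, 0, 0 };
    if (n < 2) { if (rep) *rep = r; return false; }
    uint32_t lo = lim->nominal_period_us - lim->period_tolerance_us;
    uint32_t hi = lim->nominal_period_us + lim->period_tolerance_us;
    for (size_t i = 0; i < n; i++) {
        uint32_t lat = s[i].isr_entry_us - s[i].trigger_us;   /* timer is monotonic */
        if (lat > r.max_latency_us) r.max_latency_us = lat;
        if (lat > lim->max_latency_us) r.latency_violations++;
        if (i == 0) continue;
        uint32_t period = s[i].trigger_us - s[i - 1].trigger_us;
        if (period < r.min_period_us) r.min_period_us = period;
        if (period > r.max_period_us) r.max_period_us = period;
        if (period < lo || period > hi) r.period_violations++;
    }
    if (rep) *rep = r;
    return r.period_violations == 0 && r.latency_violations == 0;
}

/* Constructed captures for the example (not measured data). */
static const irq_sample_t NOMINAL[] = {
    { 0, 12 }, { 10005, 10020 }, { 19998, 20031 }, { 30002, 30015 }, { 40001, 40040 }
};
/* The interrupt due at ~20000 us never fired, so one period is ~20000 us. */
static const irq_sample_t MISSED[] = {
    { 0, 12 }, { 10005, 10020 }, { 30002, 30015 }, { 40001, 40040 }
};
/* Fourth interrupt serviced 180 us late, e.g. a critical section held too long. */
static const irq_sample_t LATE[] = {
    { 0, 12 }, { 10005, 10020 }, { 19998, 20031 }, { 30002, 30182 }, { 40001, 40040 }
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    irq_report_t r;
    bool ok = interrupt_timing_ok(NOMINAL, COUNT(NOMINAL), &LIMITS, &r);
    printf("nominal: ok=%d period %u..%u us, max latency %u us\n",
           ok, r.min_period_us, r.max_period_us, r.max_latency_us);
    ok = interrupt_timing_ok(MISSED, COUNT(MISSED), &LIMITS, &r);
    printf("missed:  ok=%d period violations %zu\n", ok, r.period_violations);
    ok = interrupt_timing_ok(LATE, COUNT(LATE), &LIMITS, &r);
    printf("late:    ok=%d latency violations %zu\n", ok, r.latency_violations);
    return 0;
}
```

Reporting the worst observed values alongside the pass/fail result is what makes the test useful as certification evidence: a capture that passes with a maximum latency just under the limit is a different finding from one that passes with a wide margin.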
            FTA Z-Branch
            Part 1

Basic Event #10
Software error in one
vital function alters the
results of another vital
function.

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]

134                                                              S.F. Bay Area Rapid Transit
            FTA Z-Branch
            Part 1

Basic Event #10
Software error in one
vital function alters the
results of another vital
function.

 WE VERIFIED THAT:
  -Only the correct functions
   modify the contents of
   critical variables (SAC
   Implementation Analysis,
   Appendix C.4)
  -All memory writes using
   pointers or indexes are
   within their defined array
   bounds (SAC Implementation
   Analysis, Appendix C.5)
  -All stack operations are
   proper (SAC Implementation
   Analysis, Appendix C.6)

  [Fault tree diagram: FTA Z-Branch Part 1, S/W Design Error Results in
   Hazardous Operation, basic events 8 to 13, as on the preceding slides]




135                                                              S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1

Basic Event #10
Software error in one vital function alters the results of another vital function.

There are only three ways a software module can alter the results of another software module:
- Writing to memory using a critical variable name
- Writing to memory using a pointer or index
- Altering the stack in an improper way

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

136                                                                S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1
Only Correct Functions Update Critical Variables

Basic Event #10
Software error in one vital function alters the results of another vital function.

- Critical variables were identified as any variable used by a vital module
- All software modules were searched for each identified critical variable name
- Each occurrence of a critical variable was examined to ensure that its usage was correct as per design

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

137                                                          S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1
Pointer and Index Variables are Used Correctly when Writing to Memory

Basic Event #10
Software error in one vital function alters the results of another vital function.

- All memory writes using pointers or indexes were identified
- Simple software was inspected to ensure memory writes using pointers/indexes are always within proper bounds
- Complex software had a runtime bounds check added just before the memory write occurs

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

138                                                         S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1
Stack Operations are Correct

Basic Event #10
Software error in one vital function alters the results of another vital function.

- Runtime stack pointer range check was implemented
- All software instructions which alter the stack (change the stack pointer, push data on the stack, pop data off the stack) were identified and examined to ensure that they were correctly implemented

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

139                                                         S.F. Bay Area Rapid Transit
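The runtime bounds check before a pointer/index memory write and the runtime stack pointer range check described on the two preceding slides, shown together as an added C illustration; this is not VATC or BART code, and the variable names, the fail-safe handler and the stack region limits are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration (not VATC code). All names are hypothetical. */

#define CRITICAL_LEN 16U

/* Hypothetical critical variable. File-scope static so that only the
 * accessor functions in this translation unit can write it, which is the
 * "only the correct functions update critical variables" property. */
static uint16_t g_speed_limit_table[CRITICAL_LEN];

/* A non-vital variable, used only to show that a stray pointer is rejected. */
static uint16_t g_non_vital_counter = 0;

/* Latched when any runtime check fails. A real vital system would drive its
 * restrictive (fail-safe) state from this rather than just record it. */
static bool g_fail_safe_tripped = false;

static void enter_fail_safe(const char *reason)
{
    g_fail_safe_tripped = true;
    fprintf(stderr, "fail-safe: %s\n", reason);
}

bool fail_safe_tripped(void) { return g_fail_safe_tripped; }

/* Runtime bounds check performed immediately before the indexed write.
 * Returns true if the write happened; on an out-of-range index nothing is
 * written and the fail-safe state is entered instead. */
bool critical_write_indexed(size_t index, uint16_t value)
{
    if (index >= CRITICAL_LEN) {
        enter_fail_safe("index outside defined array bounds");
        return false;
    }
    g_speed_limit_table[index] = value;
    return true;
}

/* Same check for a pointer-based write: the destination must lie inside the
 * array, and on an element boundary, before it is dereferenced. Addresses are
 * compared as integers because ordering unrelated pointers is undefined in C. */
bool critical_write_ptr(uint16_t *dest, uint16_t value)
{
    uintptr_t lo = (uintptr_t)g_speed_limit_table;
    uintptr_t hi = (uintptr_t)(g_speed_limit_table + CRITICAL_LEN);
    uintptr_t d  = (uintptr_t)dest;
    if (d < lo || d >= hi || ((d - lo) % sizeof(uint16_t)) != 0) {
        enter_fail_safe("pointer outside defined array bounds");
        return false;
    }
    *dest = value;
    return true;
}

/* Reads are bounds-checked too; out of range returns the restrictive value 0. */
uint16_t critical_read(size_t index)
{
    if (index >= CRITICAL_LEN) {
        enter_fail_safe("read index outside defined array bounds");
        return 0;
    }
    return g_speed_limit_table[index];
}

/* Runtime stack pointer range check: the stack pointer must lie inside the
 * region reserved for the stack. On a real target stack_lo/stack_hi come from
 * the linker map and sp from the CPU; here they are plain parameters. */
bool stack_pointer_in_range(uintptr_t sp, uintptr_t stack_lo, uintptr_t stack_hi)
{
    return sp >= stack_lo && sp < stack_hi;
}

/* Helpers that exist only so a caller can obtain an in-bounds and an
 * out-of-bounds pointer for demonstration. */
uint16_t *critical_slot(size_t index)
{
    return (index < CRITICAL_LEN) ? &g_speed_limit_table[index] : NULL;
}
uint16_t *unrelated_address(void) { return &g_non_vital_counter; }

int main(void)
{
    /* Constructed addresses: a 4 KiB stack region and an in-range pointer. */
    printf("stack pointer check: %s\n",
           stack_pointer_in_range(0x20001F00u, 0x20001000u, 0x20002000u) ? "ok" : "out of range");
    critical_write_indexed(3, 70);             /* accepted */
    critical_write_ptr(unrelated_address(), 9); /* rejected, trips fail-safe */
    printf("fail-safe tripped: %d\n", fail_safe_tripped());
    return 0;
}
```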
FTA Z-Branch
Part 1

Basic Event #11
Software error causes corruption of critical variable data during interrupt processing.

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

140                                                             S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1

Basic Event #11
Software error causes corruption of critical variable data during interrupt processing.

WE VERIFIED THAT:
-Only the correct functions modify the contents of critical variables (SAC Implementation Analysis, Appendix C.4) *SAME*
-All memory writes using pointers or indexes are within their defined array bounds (SAC Implementation Analysis, Appendix C.5) *SAME*
-All stack operations are proper (SAC Implementation Analysis, Appendix C.6) *SAME*

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

141                                                          S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1

Basic Event #12
Software error causes corruption of critical variable data between interrupt calls.

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

142                                                              S.F. Bay Area Rapid Transit
FTA Z-Branch
Part 1

Basic Event #12
Software error causes corruption of critical variable data between interrupt calls.

WE VERIFIED THAT:
-Only the correct functions modify the contents of critical variables (SAC Implementation Analysis, Appendix C.4) *SAME*
-All memory writes using pointers or indexes are within their defined array bounds (SAC Implementation Analysis, Appendix C.5) *SAME*
-All stack operations are proper (SAC Implementation Analysis, Appendix C.6) *SAME*

[Figure: FTA Z-Branch Part 1 fault tree, as on the preceding slides: top event S/W Design Error Results in Hazardous Operation; basic events 8 through 13.]

143                                                           S.F. Bay Area Rapid Transit
FTA Z-Branch Part 1: S/W Design Error Results in Hazardous Operation

Basic Event #13: Software error causes corruption of stack, which causes hazard.

[Fault tree: S/W Design Error Results in Hazardous Operation
  - Vital Logic Modified and Introduces Hazard
    - Vital Logic for Functions Modified Incorrectly (8)
    - Other Vital Logic Affects Execution or Results of Vital Logic
      - Modifications Affect Execution of Vital Logic (9)
      - Modifications Affect Results of Vital Logic (10)
  - Non-Vital Logic Corrupts Vital Operation and Causes Hazard
    - Protection from Corruption of Variable Data not Provided
      - Data Corrupted During Interrupt Processing (11)
      - Data Corrupted Between Interrupt Calls (12)
    - No Protection from Corruption of Stack (13)]

144
FTA Z-Branch Part 1: S/W Design Error Results in Hazardous Operation

Basic Event #13: Software error causes corruption of stack, which causes hazard.

WE VERIFIED THAT:
-Added runtime stack pointer range check (SAC Implementation Analysis, Appendix C.6) *SAME*
-All stack operations are proper (SAC Implementation Analysis, Appendix C.6) *SAME*

[Fault tree repeated from the previous slide; basic event 13, No Protection from Corruption of Stack, highlighted]

145
VATC FTA: Unintended Software Operation Causes Hazard

[Fault tree overview:
  Part 1: S/W Design Error Results in Hazardous Operation
    - Vital Logic Modified and Introduces Hazard: Vital Logic for Functions Modified Incorrectly (8); Other Vital Logic Affects Execution or Results of Vital Logic, with Modifications Affect Execution of Vital Logic (9) and Modifications Affect Results of Vital Logic (10)
    - Non-Vital Logic Corrupts Vital Operation and Causes Hazard: Protection from Corruption of Variable Data not Provided, with Data Corrupted During Interrupt Processing (11) and Data Corrupted Between Interrupt Calls (12); No Protection from Corruption of Stack (13)
  Z-Branch Part 2: Firmware Implementation Error Results in Hazard
    - Error During Assembly, Link or Conversion to Hex: No Mitigation for Error in Software Tools (14); No Mitigation for Error at Time of Translation (15)
    - Error During Burning of Master EPROM: No Mitigation for Fault in EPROM Burner (16); No Mitigation for Error During Burning of Master EPROM (17)
    - No Mitigation for Fault During Copying of Master (18)]

146
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #14: Assembler, linker or other conversion process introduces error in executable code.

[Fault tree, Part 2: Error During Assembly, Link or Conversion to Hex, with No Mitigation for Error in Software Tools (14) and No Mitigation for Error at Time of Translation (15); Error During Burning of Master EPROM, with No Mitigation for Fault in EPROM Burner (16) and No Mitigation for Error During Burning of Master EPROM (17); No Mitigation for Fault During Copying of Master (18). Basic event 14 highlighted: "Buggy assembler/linker tool suite"]

147
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #14: Assembler, linker or other conversion process introduces error in executable code.

WE VERIFIED THAT:
-Two independent assembler/linker tool suites were used to generate two executable files, and that these files match (SAC Implementation Analysis, Appendix E)

[Fault tree, Part 2, repeated; basic event 14 highlighted: "Buggy assembler/linker tool suite"]

148
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #14: Assembler, linker or other conversion process introduces error in executable code.

Use Two Independent Tool Suites:
- Low probability that two different compiler tools contain the same error

[Fault tree, Part 2, repeated; basic event 14 highlighted: "Buggy assembler/linker tool suite"]

149
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #15: A computer glitch during assembly, linking or other conversion process introduces error in executable code.

[Fault tree, Part 2, repeated; basic event 15 highlighted: "Glitch during assembly process"]

150
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #15: A computer glitch during assembly, linking or other conversion process introduces error in executable code.

WE VERIFIED THAT:
-The process of assembly and linking is performed twice, and that the two resulting executable files match (SAC Implementation Analysis, Appendix E)

[Fault tree, Part 2, repeated; basic event 15 highlighted: "Glitch during assembly process"]

151
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard

Basic Event #15: A computer glitch during assembly, linking or other conversion process introduces error in executable code.

Build the Executable Twice:
- Low probability that a random computer glitch could produce the same error during two different build operations

[Fault tree, Part 2, repeated; basic event 15 highlighted: "Glitch during assembly process"]

152
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard
Basic Event #16: Executable code becomes corrupted by faulty EPROM burner.
[Fault tree diagram, built up over three slides. Top event "Firmware Implementation Error Results in Hazard" with branches "Error During Assembly, Link or Conversion to Hex", "Error During Burning of Master EPROM" and "Fault During Copying of Master EPROM"; undeveloped events 14 "No Mitigation for Error in Software Tools", 15 "No Mitigation for Error at Time of Translation", 16 "No Mitigation for Fault in EPROM Burner", 17 "No Mitigation for Error During Burning of Master EPROM", 18 "No Mitigation for Fault During Copying of Master EPROM". Highlighted leaf: "Buggy EPROM burner".]
WE VERIFIED THAT:
- Runtime EPROM checksum is in place (SAC Implementation Analysis, Appendix E)
Runtime EPROM Check Code Protects Software After Build Process:
- Once the translation process is complete, it is protected by a checksum that can detect any later changes
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard
Basic Event #17: Executable code is not correctly burned into master EPROM.
[Fault tree diagram, built up over two slides. Top event "Firmware Implementation Error Results in Hazard" with branches "Error During Assembly, Link or Conversion to Hex", "Error During Burning of Master EPROM" and "Fault During Copying of Master EPROM"; undeveloped events 14 "No Mitigation for Error in Software Tools", 15 "No Mitigation for Error at Time of Translation", 16 "No Mitigation for Fault in EPROM Burner", 17 "No Mitigation for Error During Burning of Master EPROM", 18 "No Mitigation for Fault During Copying of Master EPROM". Highlighted leaf: "Glitch during EPROM burning".]
WE VERIFIED THAT:
- Runtime EPROM checksum is in place (SAC Implementation Analysis, Appendix E) *SAME*
FTA Z-Branch Part 2: Firmware Implementation Error Results in Hazard
Basic Event #18: Copies of master EPROM do not exactly match the master EPROM.
[Fault tree diagram, built up over two slides. Top event "Firmware Implementation Error Results in Hazard" with branches "Error During Assembly, Link or Conversion to Hex", "Error During Burning of Master EPROM" and "Fault During Copying of Master EPROM"; undeveloped events 14 "No Mitigation for Error in Software Tools", 15 "No Mitigation for Error at Time of Translation", 16 "No Mitigation for Fault in EPROM Burner", 17 "No Mitigation for Error During Burning of Master EPROM", 18 "No Mitigation for Fault During Copying of Master EPROM". Highlighted leaf: "Failed EPROM".]
WE VERIFIED THAT:
- Runtime EPROM checksum is in place (SAC Implementation Analysis, Appendix E) *SAME*
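The mitigation the fault-tree slides rely on for basic events #16, #17 and #18, the runtime EPROM checksum, and the "build the executable twice" comparison for #15, as an added illustration. This is example code written for this page, not BART, Harmon or Sandia code: the slides say only that a checksum protects the image after translation, so the CRC-32 algorithm, the layout with the check value in the last four bytes, the image size and the sample bytes are all assumptions made here.

```c
/* Added example (not BART, Harmon or Sandia code): a runtime image checksum of
 * the kind the slides say protects the executable once translation to hex is
 * complete. The slides name no algorithm; CRC-32 and the "checksum stored in
 * the last four bytes" layout are assumptions made here for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE 64u   /* constructed toy image; a real EPROM image is larger */

/* CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320), bit by bit. */
uint32_t crc32_buf(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Build-time step, after assembly/link/conversion: checksum every byte except
 * the last four and store the value there (little-endian). From this point any
 * change to the image, whether by tool, burner or copy, breaks the stored value. */
void seal_image(uint8_t *image, size_t size)
{
    uint32_t crc = crc32_buf(image, size - 4);
    image[size - 4] = (uint8_t)(crc & 0xFFu);
    image[size - 3] = (uint8_t)((crc >> 8) & 0xFFu);
    image[size - 2] = (uint8_t)((crc >> 16) & 0xFFu);
    image[size - 1] = (uint8_t)((crc >> 24) & 0xFFu);
}

/* Runtime EPROM check (e.g. at power-up): recompute and compare with the stored
 * value. Returns 1 when the image is intact, 0 when any byte has changed. */
int verify_image(const uint8_t *image, size_t size)
{
    uint32_t stored = (uint32_t)image[size - 4]
                    | ((uint32_t)image[size - 3] << 8)
                    | ((uint32_t)image[size - 2] << 16)
                    | ((uint32_t)image[size - 1] << 24);
    return crc32_buf(image, size - 4) == stored;
}

/* "Build the executable twice" and "copies must match the master": two images
 * are accepted only when they are byte-identical. */
int images_identical(const uint8_t *a, const uint8_t *b, size_t size)
{
    return memcmp(a, b, size) == 0;
}

/* Walks the fault-tree scenario on constructed data: a sealed master verifies;
 * a copy with one stuck bit (a burner or copy fault) fails both the comparison
 * against the master and the runtime check. Returns 1 if every expectation
 * holds, 0 otherwise. */
int demo_detects_corruption(void)
{
    uint8_t master[IMAGE_SIZE], copy[IMAGE_SIZE];
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        master[i] = (uint8_t)(i * 37u + 11u);     /* constructed "code" bytes */
    seal_image(master, IMAGE_SIZE);
    if (!verify_image(master, IMAGE_SIZE)) return 0;

    memcpy(copy, master, IMAGE_SIZE);
    copy[20] ^= 0x08;                              /* single stuck bit in the copy */
    if (images_identical(master, copy, IMAGE_SIZE)) return 0;
    if (verify_image(copy, IMAGE_SIZE)) return 0;  /* CRC-32 detects every 1-bit change */
    return 1;
}

int main(void)
{
    printf("EPROM check demo: %s\n",
           demo_detects_corruption() ? "corruption detected" : "FAILED");
    return 0;
}
```

The check value is recomputed over the whole image rather than a sampled region so that a single wrong byte anywhere, the failure mode a faulty burner or a bad copy produces, is caught at power-up rather than when the corrupted instruction is eventually executed.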
VATC Subsystem Design Verification
VATC MMF Verification Activities
• Design Review
• Software Module Desk Checks
• Group Walk-Through Code Review
• Traceability Matrix
• Testing
• Open Issues Closeout
V&V Report Contents
Section 1 – Report Organization
Section 2 – Unit Testing Report
Section 3 – Lab Integration Testing
Section 4 – ERS Integration Testing
Section 5 – Hayward Test Track Testing
Section 6 – Mainline Track Testing
Section 7 – Traceability Matrix
Section 8 – Software Module Desk Check
Section 9 – Software Module Code Reviews
Section 10 – Final Design Review
Section 11 – Open Issues Closeout
VATC MMF Design Review (V&V Report Section 10)
• Presentation of Software Design to technical staff
• Participation of Harmon, Sandia and various BART Departments
• Generation of Action Items List
• Closeout of Action Items List
Software Module Desk Checks (V&V Report Section 8)
[Diagram: Specifications / Requirements → cross check → Pseudo Code → cross check → Source Code]
• Generated report listing discrepancies found and corrected.
Group Walk-Through Code Review (V&V Report Section 9)
• Performed on modified/new vital software modules
• Verified that proper logic was in place and source code represented approved design
• Verified that coding standards and style guidelines were followed
• Checklist provided to ensure completeness in the evaluation
VATC Traceability Matrix (V&V Report Section 7)
Each AATC System Requirement relating to the VATC is traced to the VATC Design, Code and Test.
[Diagram: SysRS Table → Mapping between SysRS and SRS → SRS Table; from the SRS Table, Mapping between SRS and Modules → Module Table, and Mapping between SRS and Tests → Test Table]
SYSRS to SRS Report
Each AATC System Requirement relating to the VATC is traced to one or more VATC Subsystem Requirements.
[Diagram: the same traceability chain, with the Mapping between SysRS and SRS highlighted: SysRS Table → Mapping between SysRS and SRS → SRS Table → Module Table / Test Table]
SRS-Software Module Report
Tracing of each VATC Subsystem Requirement to one or more software modules.
[Diagram: the same traceability chain, with the Mapping between SRS and Modules highlighted: SRS Table → Mapping between SRS and Modules → Module Table]
SRS-Test Report
Tracing of each VATC Subsystem Requirement to one or more Tests.
[Diagram: the same traceability chain, with the Mapping between SRS and Tests highlighted: SRS Table → Mapping between SRS and Tests → Test Table]
VATC Unit Testing – MMF (V&V Report Section 2)
• Performed on vital modified/new software modules
• Test results verified that Min/Max/Zero input values produced expected results
• Test results verified that all branches in the module were executed
[Diagram: All possible Inputs → Software Module → All Outputs Safe, All Branches Checked]
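The unit-testing approach on this slide, driving a vital module with minimum, maximum and zero inputs, checking the expected results and confirming that every branch executed, as an added illustration. This is example code written for this page, not BART or Harmon code: the VATC modules are not on the page, so the module under test (a toy speed-command check), its branch-coverage bitmask and the test cases are all invented here.

```c
/* Added example (not BART or Harmon code): a unit test in the form the slide
 * describes for a vital module: min, max and zero inputs, expected results,
 * and confirmation that every branch executed. The module under test is a toy
 * invented here; the real VATC modules are not on the page. */
#include <stdint.h>
#include <stddef.h>

/* One bit per branch of the module under test, set as each branch executes. */
enum { BR_NEGATIVE = 1u, BR_OVER_LIMIT = 2u, BR_ACCEPT = 4u, BR_ALL = 7u };
static unsigned g_branches_hit;

/* Toy vital module: a commanded speed is accepted only when it lies in
 * [0, limit]; anything else fails safe (is rejected). */
int speed_cmd_is_safe(int16_t cmd, int16_t limit)
{
    if (cmd < 0)     { g_branches_hit |= BR_NEGATIVE;   return 0; }
    if (cmd > limit) { g_branches_hit |= BR_OVER_LIMIT; return 0; }
    g_branches_hit |= BR_ACCEPT;
    return 1;
}

/* Boundary-value cases (constructed): min, max and zero for the command,
 * plus the edges of the limit. */
struct speed_case { int16_t cmd; int16_t limit; int expect; };
static const struct speed_case cases[] = {
    { INT16_MIN, 50,        0 },   /* minimum input must be rejected */
    { INT16_MAX, 50,        0 },   /* maximum input must be rejected */
    { 0,         50,        1 },   /* zero command is always within the envelope */
    { 0,         0,         1 },   /* zero limit, zero command */
    { 50,        50,        1 },   /* exactly at the limit */
    { 51,        50,        0 },   /* one over the limit */
    { 1,         INT16_MAX, 1 },   /* maximum limit */
};

/* Runs every case against the module and records branch coverage.
 * Returns the number of cases whose result differed from the expectation
 * (0 means every case produced the expected result). */
int run_boundary_cases(void)
{
    int failures = 0;
    g_branches_hit = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (speed_cmd_is_safe(cases[i].cmd, cases[i].limit) != cases[i].expect)
            failures++;
    return failures;
}

/* The slide's two criteria together: expected results for all cases, and
 * every branch of the module executed at least once. Returns 1 on pass. */
int unit_test_passed(void)
{
    return run_boundary_cases() == 0 && g_branches_hit == BR_ALL;
}
```

Tracking branches with an explicit bitmask makes the second criterion on the slide, "all branches in the module were executed", a checked result rather than a reviewer's impression: a case set that produced the right outputs but never entered one branch would fail `unit_test_passed` even though every individual case passed.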
Laboratory Subsystem Integration Testing – MMF (V&V Report Section 3)
• Verified functionality of ATP Cradle
• VATC in Monitor Mode only
• Generation of ATP reports
• Decoding of AATC commands
[Lab test setup diagram: Win9x PC, AATU / AATC Simulator (Snooper/Driver), ATP Cradle and LCD Console connected by RS-232 serial links (serial link, power, etc. to the console); Control Panel Switch Box (ON); Power Supply providing 37 Volts and 5 Volts]
             ERS Subsystem Integration
             Testing – MMF (V&V Report Section 4)
     Verified proper functionality of Vehicle ATC using existing Primary Test Equipment.

     [Figure: ERS test setup. Westinghouse Primary Test Equipment (Track Circuit Simulation/Tests, Main Power Switch and A11-J1 Connector, Accelerometers) connected to ATC Cradles 1, 2 and 3; Laptop computer attached by RS-232 serial link; AATC Simulator (AATU) for AATC Control Tests attached by RS-232 serial links]
178                                                           S.F. Bay Area Rapid Transit
              Hayward Test Track Testing –
              MMF
              (V&V Report Section 5)


         Verified VATC never goes under AATC
          control

         Verified proper Automatic Train Operation
          under existing track circuit system, including:
             - Motion Control
             - Door Operation
             - Wayside Communications
180                                     S.F. Bay Area Rapid Transit
              Mainline Testing – MMF
              (V&V Report Section 6)


     Verified proper automatic track circuit control
      operation

     Verified IDEN coverboard communications




182                                    S.F. Bay Area Rapid Transit
                   Open Issues Closeout
                   (V&V Report Section 11)


     Open Issues Record – problems reported and corrective
      actions taken during Design, Implementation, Testing and
      Analysis of the VATC Subsystem.

      [Figure: Open Issues Record flow: Problem -> Found -> Fixed]
184                                          S.F. Bay Area Rapid Transit
               Open Issues Closeout
               (V&V Report Section 11)


         15 Non-Vital Open Issues Identified

         Memorandum – documents why closure of
          15 Non-Vital Issues is NOT necessary prior
          to MMF Safety Certification




185                                      S.F. Bay Area Rapid Transit
              Open Issues Closeout
              (V&V Report Section 11)



         Unit Testing Report

          – Lists discrepancies found during Unit
            Testing

          – Cross-references the discrepancy to an
            item in the Open Issues file (where
            applicable).

186                                     S.F. Bay Area Rapid Transit
              SUMMARY
     Emphasis of the MMF certification has been to
      demonstrate that baseline functions have not been
      corrupted
      – Functional requirements still intact
      – Hardware checking routines still in place
      – Proper isolation between new and old functions


     Safety requirements for the baseline system
      maintained for the modified release

189                                      S.F. Bay Area Rapid Transit
            SUMMARY (cont’d)
     Proper understanding of the safety
      assurance concepts demonstrated in the
      SAC document

     Safety analysis developed and confirmed
      vital requirements using a structured and
      orderly process documented in the FTA and
      SACI documents

190                             S.F. Bay Area Rapid Transit
             SUMMARY (cont’d)
     Complete and proper implementation of the SACs
      confirmed by examination of the potential hazards
      identified in the FTA Z-Branch and documented in
      the SACI

     Comprehensive tracing from:
      – requirements to implementation and
      – requirements to test program
      completed and documented in the V&V Report


191                                     S.F. Bay Area Rapid Transit
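A check over the requirement-to-implementation and requirement-to-test tracing summarized on this slide (and delivered as V&V Report Section 7, the Traceability Matrix), as an added example; it is not the report's own matrix format or tooling. The row syntax, requirement and module IDs, the test-ID prefixes (UT unit test, LAB lab integration, ERS, HTT Hayward test track, ML mainline) and the two policies it enforces (a vital requirement must be exercised beyond unit test, and no module should implement both vital and non-vital requirements) are constructed assumptions:

```python
"""Requirements traceability check (added example). It is not the V&V
Report's matrix format or tooling; all IDs, rows and policies are constructed."""
from collections import defaultdict

# Constructed matrix rows: requirement | vital or non-vital | implementing
# modules | tests that exercise the requirement.
MATRIX_LINES = [
    "REQ-01 | vital     | modules: SPDCHK, BRKCMD | tests: UT-01, UT-02, ERS-04, HTT-01",
    "REQ-02 | vital     | modules: DOORCTL        | tests: UT-03",
    "REQ-03 | vital     | modules:                | tests: ERS-05",
    "REQ-04 | non-vital | modules: ATPRPT         | tests:",
    "REQ-05 | non-vital | modules: CMDDEC         | tests: UT-04, LAB-02",
    "REQ-06 | non-vital | modules: BRKCMD         | tests: UT-05",
]

# Constructed test-ID prefixes for the integration levels named in the report
# (lab, ERS, Hayward test track, mainline); UT denotes unit test.
INTEGRATION_PREFIXES = ("LAB", "ERS", "HTT", "ML")


def _id_list(field, label):
    """Parse 'label: A, B' into ['A', 'B']; an empty list is allowed."""
    if not field.startswith(label):
        raise ValueError(f"expected field starting with {label!r}: {field!r}")
    return [x.strip() for x in field[len(label):].split(",") if x.strip()]


def parse_matrix(lines):
    """Parse matrix rows into {requirement: {vital, modules, tests}}."""
    rows = {}
    for raw in lines:
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed row: {raw!r}")
        req, kind, modules, tests = parts
        if kind not in ("vital", "non-vital"):
            raise ValueError(f"{req}: unknown classification {kind!r}")
        if req in rows:
            raise ValueError(f"duplicate requirement {req}")
        rows[req] = {
            "vital": kind == "vital",
            "modules": _id_list(modules, "modules:"),
            "tests": _id_list(tests, "tests:"),
        }
    return rows


def trace_gaps(rows):
    """Requirements that break the requirement->implementation or
    requirement->test chain, grouped by the kind of gap."""
    gaps = {"unimplemented": [], "untested": [], "vital_unit_only": []}
    for req, row in sorted(rows.items()):
        if not row["modules"]:
            gaps["unimplemented"].append(req)
        if not row["tests"]:
            gaps["untested"].append(req)
        elif row["vital"] and not any(
            t.split("-")[0] in INTEGRATION_PREFIXES for t in row["tests"]
        ):
            gaps["vital_unit_only"].append(req)
    return gaps


def mixed_vitality_modules(rows):
    """Modules traced to both vital and non-vital requirements, which the
    constructed isolation policy treats as a finding."""
    kinds = defaultdict(set)
    for row in rows.values():
        for module in row["modules"]:
            kinds[module].add(row["vital"])
    return sorted(m for m, k in kinds.items() if k == {True, False})


if __name__ == "__main__":
    matrix = parse_matrix(MATRIX_LINES)
    print(trace_gaps(matrix))
    print("mixed vital/non-vital modules:", mixed_vitality_modules(matrix))
```

On the constructed rows the check reports REQ-03 as unimplemented, REQ-04 as untested, REQ-02 as a vital requirement covered only by unit test, and BRKCMD as a module shared between vital and non-vital requirements; each of these is the kind of gap a traceability review has to close or justify before certification.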
                 SUMMARY                   IMPLEMENTATION

      [Figure: DESIGN flow: System Requirements -> Sub System Requirements -> Software Module Requirements -> Pseudo Code -> Assembly Code -> (TRANSLATION) Assembly Code -> Hex Code -> EPROM BURNER -> Vital ROM and Non-Vital ROM. OPERATION: Intel 8086 with Vital ROM, Non-Vital ROM and RAM]
192                                            S.F. Bay Area Rapid Transit
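The slide's last build step feeds the hex code to an EPROM burner for the vital and non-vital ROMs. An integrity check a practitioner would run on that artifact before programming, as an added example that is not BART's or the vendor's tooling: it assumes the hex code is in Intel HEX format (the slide does not say which hex format is used), verifies every record's checksum, handles the extended segment address record used for 8086-style segmented images, and produces a digest of the assembled image for comparison against a read-back of the programmed part. The image contents are constructed:

```python
"""Verification of a hex image before EPROM programming (added example).
Assumes Intel HEX format; the image contents are constructed."""
import hashlib

# Constructed image: two data bytes at 0x0000, sixteen data bytes at 0x0100,
# an extended segment address record moving the base to 0x10000 (8086
# segment:offset style), one byte there, and the end-of-file record.
GOOD_HEX = [
    ":02000000AABB99",
    ":10010000214601360121470136007EFE09D2190140",
    ":020000021000EC",
    ":010000005AA5",
    ":00000001FF",
]

# The same image with one data byte altered (0x46 -> 0x47) in the second
# record and the original checksum left in place, as a burner would see after
# a single corrupted byte in transfer or storage.
CORRUPTED_HEX = list(GOOD_HEX)
CORRUPTED_HEX[1] = ":10010000214701360121470136007EFE09D2190140"


def parse_intel_hex(lines):
    """Parse Intel HEX records into {address: byte}, verifying each record's
    checksum. Supports record types 00 (data), 01 (end of file) and 02
    (extended segment address). Raises ValueError on any defect."""
    image = {}
    segment_base = 0
    saw_eof = False
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        # ':' + 2 hex chars per byte; a record has at least 5 bytes.
        if line[0] != ":" or len(line) < 11 or len(line) % 2 == 0:
            raise ValueError(f"line {lineno}: malformed record")
        try:
            rec = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex characters") from None
        # Record checksum: the low byte of the sum of all bytes must be zero.
        if sum(rec) & 0xFF != 0:
            raise ValueError(f"line {lineno}: checksum mismatch")
        count, addr, rtype = rec[0], (rec[1] << 8) | rec[2], rec[3]
        payload = rec[4:-1]
        if len(payload) != count:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if rtype == 0x00:
            for i, b in enumerate(payload):
                image[segment_base + addr + i] = b
        elif rtype == 0x01:
            saw_eof = True
            break
        elif rtype == 0x02:
            if count != 2:
                raise ValueError(f"line {lineno}: bad segment record")
            segment_base = ((payload[0] << 8) | payload[1]) << 4
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    if not saw_eof:
        raise ValueError("missing end-of-file record")
    return image


def check_hex_file(lines):
    """Return (True, image) when every record verifies, else (False, reason)."""
    try:
        return True, parse_intel_hex(lines)
    except ValueError as exc:
        return False, str(exc)


def image_digest(image):
    """SHA-256 over (address, byte) pairs in address order, for comparing the
    image that was built against the image read back from the programmed ROM."""
    h = hashlib.sha256()
    for addr in sorted(image):
        h.update(addr.to_bytes(4, "big"))
        h.update(bytes([image[addr]]))
    return h.hexdigest()


if __name__ == "__main__":
    ok, result = check_hex_file(GOOD_HEX)
    print("good image:", ok, len(result), "bytes", image_digest(result))
    print("corrupted image:", check_hex_file(CORRUPTED_HEX))
```

The per-record checksum catches the single altered byte in `CORRUPTED_HEX`, but it is only an 8-bit sum and cannot be relied on against two compensating changes; comparing `image_digest` of the build output with the digest of a read-back from the burned part is the stronger check that what runs from the vital ROM is what was reviewed and tested.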
      Conclusion

               The VATC MMF
               software is safe and
               ready for revenue
               service!



193                S.F. Bay Area Rapid Transit

				