SAFETY-CRITICAL SYSTEMS BUILT WITH COTS

Citation
J.A. Profeta et al., SAFETY-CRITICAL SYSTEMS BUILT WITH COTS, Computer, 29(11), 1996, pp. 54
Number of citations
7
Subject categories
Computer Sciences; Computer Science Hardware & Architecture; Computer Science Software Graphics Programming
Journal title
Computer
ISSN journal
00189162
Volume
29
Issue
11
Year of publication
1996
Database
ISI
SICI code
0018-9162(1996)29:11<54:SSBWC>2.0.ZU;2-G
Abstract
The rail transportation industry has always been very safety conscious, given the potential for a catastrophic system failure. And the replacement of traditional relay-based systems with microprocessor-based control systems over the past two decades has made it all the more important to prove software correctness. At the same time, competitive pressure has led to the increased use of COTS (commercial, off-the-shelf) equipment in safety-critical systems, making it imperative that we extend proven safety techniques to COTS-based systems as well. To this end, we have developed the Vital Framework (V_Frame), which is used to develop a safety-critical platform from COTS hardware and software. The key technologies in this framework are formal methods, information redundancy, a proprietary data format, and a concurrent checking scheme. Combining these technologies results in a real-time, checkable correctness criterion that is a signature of the application's algorithm structure and is independent of both the hardware and the operating system. Because it is a contradiction for a CPU to check itself and guarantee that it is correctly executing the intended semantics of an application, V_Frame uses a fail-safe, real-time application checker (RAC) outside the domain of the CPU to ensure the correct (and proper) execution of the application. This is done by placing correctness criteria on the RAC that must be met to allow the outputs to be sent to the field. These correctness criteria are generated from the application rather than from the compiled version of the application. This raises the checking process into the information universe as opposed to the physical universe (specific faults in the CPU registers or faults in the firmware running on the CPU). In the event that an error is detected, the system is placed into a known safe state.