A top-down approach to high-consequence fault analysis for software systems (Abstract)

Even ifsofiware code is fault-free, hardware failures can alter value in memory, possibly where the code itself is stored, causing a computer system to reach an unacceptable state. Microprocessor systems are used to perform many safey and security functions where a design goal is to eliminate single-pointfailures such as these. One design approach is to use multiple processors, compare the outputs, and assume a failure has occurred if the outputs don’t agree. In systems where the design is constrained to a single processor, however, analytical methods are needed to identify potential singlepointfailures at the bit level so that an effective fault-tolerant strategy can be employed. This paper describes a top-down methodology, based upon Fault Tree Analysis, that has been used to identify potential high-consequence faults in microprocessor-based systems. The key to making the Fault Tree Analysis tractable is to effectively incorporate appropriate design features such as software path control and checksums so that complicated branches of the fault tree can be terminated early. The analysis uses simplljied software flow diagrams depicting relevant code elements. Pertinent sections of machine language are then examined to identify suspect hardware. A comparison of this methodology with approaches based upon Failure Modes and Effects Analysis is made. The methodology is demonstrated through a simple example. Use offault trees to show that software code is free of safety or security faults is also demonstrated.