A top-down approach to high-consequence fault analysis for software systems

Summary form only given, as follows. Even if software code is fault-free, hardware failures can alter values in memory, possibly where the code itself is stored, causing a computer system to reach an unacceptable state. Microprocessor systems are used to perform many safety and security functions where a design goal is to eliminate single-point failures such as these. One design approach is to use multiple processors, compare the outputs, and assume a failure has occurred if the outputs don't agree. In systems where the design is constrained to a single processor, however, analytical methods are needed to identify potential single-point failures at the bit level so that an effective fault-tolerant strategy can be employed. This paper describes a top-down methodology, based upon fault tree analysis, that has been used to identify potential high-consequence faults in microprocessor-based systems. The key to making the fault tree analysis tractable is to effectively incorporate appropriate design features such as software path control and checksums so that complicated branches of the fault tree can be terminated early. The analysis uses simplified software flow diagrams depicting relevant code elements. Pertinent sections of machine language are then examined to identify suspect hardware. A comparison of this methodology with approaches based upon failure modes and effects analysis (FMEA) is made. The methodology is demonstrated through a simple example. Use of fault trees to show that software code is free of safety or security faults is also demonstrated.