A Hierarchy of Software Checking

The diagram layers checks from the hardware level (bottom) up to external observation (top). An error not detected at one level is passed up to the next; if the top level also misses it, the result is "Fail".

    Fail
      ^ not detected
    External observation
        Observe system externally to provide independent view.
        Use additional hardware or completely separate hardware.
        Often observe both controlled system and controller.
      ^ not detected
    Independent monitoring
        Independent monitoring by process separate from that being checked.
        May check:
          - data being passed between modules
          - consistency of global data structures
          - expected timing of modules or processes
      ^ not detected
    Assertions
        Use assertions: statements (boolean expressions on system state) about expected state of module at different points in execution or about expected value of parameters passed to module.
        e.g., range checks, state checks, reasonableness checks.
        Can detect coding errors and implementation errors.
      ^ not detected
    Hardware checks
        Used to detect hardware failures and individual instruction errors, e.g., memory protection violation, divide by zero.
        Checksums.
        Often built into hardware or checks included in operating system.

Software Monitoring (Checking)

In general, the farther down the hierarchy a check can be made, the better:
  - Detect the error closer to the time it occurred and before erroneous data is used.
  - Easier to isolate and diagnose the problem.
  - More likely to be able to fix the erroneous state rather than recover to a safe state.

Writing effective self-checks is very hard, and their number is usually limited by time and memory:
  - Limit to safety-critical states.
  - Use hazard analysis to determine check contents and location.
  - Added monitoring and checks can cause failures themselves.
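As an added example (not from the original slides), two adjacent levels of the hierarchy in code: a controller module with range, state and reasonableness self-checks, and a separate monitor that checks the data passed to the actuator and the sample timing, catching an out-of-range command the module itself never checked. The controller, its limits and all sample values are constructed for this illustration.

```python
# Added illustration (not from the original slides): module-level assertions plus an
# independent monitor. Controller, limits and sample values are all constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SENSOR_MIN_C, SENSOR_MAX_C = -40.0, 125.0  # physical range of the assumed sensor
MAX_STEP_C = 5.0                            # largest plausible change per sample
VALVE_MIN, VALVE_MAX = 0.0, 100.0           # actuator command limits (percent)
PERIOD_S, PERIOD_TOL_S = 0.100, 0.020       # expected sample period and tolerance

class CheckFailed(Exception):
    """A self-check or monitor check detected an erroneous state."""

@dataclass
class Controller:
    setpoint_c: float
    state: str = "INIT"                     # INIT -> RUNNING
    last_temp_c: Optional[float] = None
    def command(self, temp_c: float) -> float:
        if not SENSOR_MIN_C <= temp_c <= SENSOR_MAX_C:  # range check on parameter
            raise CheckFailed(f"range: {temp_c} outside sensor limits")
        if self.state != "RUNNING":                     # state check
            raise CheckFailed(f"state: command issued in state {self.state}")
        if self.last_temp_c is not None and abs(temp_c - self.last_temp_c) > MAX_STEP_C:
            raise CheckFailed("reasonableness: implausible temperature jump")
        self.last_temp_c = temp_c
        return 10.0 * (self.setpoint_c - temp_c)  # not self-checked: monitor catches it

@dataclass
class Monitor:
    """Independent check by a component separate from the controller it observes."""
    last_t: Optional[float] = None
    def observe(self, t: float, cmd: float) -> None:
        if not VALVE_MIN <= cmd <= VALVE_MAX:           # data passed between modules
            raise CheckFailed(f"interface: command {cmd} outside actuator range")
        if self.last_t is not None and abs(t - self.last_t - PERIOD_S) > PERIOD_TOL_S:
            raise CheckFailed("timing: sample interval outside expected period")
        self.last_t = t

def run(samples: List[Tuple[float, float]], setpoint_c: float = 60.0,
        state: str = "RUNNING") -> Tuple[List[float], Optional[str]]:
    """Run controller and monitor over (time, temperature) samples.
    Returns (commands issued, name of the first failed check or None)."""
    ctrl, mon, cmds = Controller(setpoint_c, state), Monitor(), []
    try:
        for t, temp in samples:
            cmd = ctrl.command(temp)
            mon.observe(t, cmd)
            cmds.append(cmd)
    except CheckFailed as e:
        return cmds, str(e).split(":")[0]
    return cmds, None
```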