REDUCTION OF HAZARDOUS MATERIALS OR CONDITIONS

Software should contain only code that is absolutely necessary to achieve required functionality.

Implications for COTS: extra code may lead to hazards and may make software analysis more difficult.

Memory not used should be initialized to a pattern that will revert to a safe state.

Turbine-Generator Example

Safety requirements:
1. Must always be able to close steam valves within a few hundred milliseconds.
2. Under no circumstances can steam valves open spuriously, whatever the nature of the internal or external fault.

Divided into two parts (decoupled) on separate processors:
1. Non-critical functions: loss cannot endanger the turbine nor cause it to shut down.
   - less important governing functions
   - supervisory, coordination, and management functions
2. Small number of critical functions
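The following is an added illustration of the "unused memory reverts to a safe state" rule applied to a command dispatcher; it is example code written for this page, not code from the slides or from any real turbine controller. The controller, its command codes (CMD_CLOSE, CMD_OPEN), the 16-slot table and the scenario helpers are all hypothetical. The point it makes in code: if every slot that required functionality does not use is filled with a handler whose only effect is to close the valves, and if the zero pattern of the state record itself encodes "closed", then a corrupted or spurious command index cannot open a valve, which is exactly the second safety requirement. The naive table, which sets only the two assigned slots, is shown alongside for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical valve controller state. VALVE_CLOSED is deliberately 0 so that
   an all-zero memory pattern (the pattern memset/zero-init produces) is the
   safe state: losing the record's contents reverts to "valves closed". */
typedef enum { VALVE_CLOSED = 0, VALVE_OPEN = 1 } valve_state_t;

typedef struct {
    valve_state_t valve;
    int safe_state_entries;   /* how often the safe handler was entered */
} turbine_t;

typedef void (*cmd_handler_t)(turbine_t *t);

/* The safe handler does one thing only: close the valves. */
static void cmd_safe_state(turbine_t *t) { t->valve = VALVE_CLOSED; t->safe_state_entries++; }
static void cmd_close_valve(turbine_t *t) { t->valve = VALVE_CLOSED; }
/* The single explicit path that can open a valve. */
static void cmd_open_valve(turbine_t *t) { t->valve = VALVE_OPEN; }

#define CMD_TABLE_SIZE 16
enum { CMD_CLOSE = 0, CMD_OPEN = 1 };   /* hypothetical command codes */

static cmd_handler_t cmd_table[CMD_TABLE_SIZE];

/* Naive initialization: only the two required slots are assigned, the other
   14 keep whatever the memory held (here NULL, because the array is static). */
void cmd_table_init_naive(void) {
    memset(cmd_table, 0, sizeof cmd_table);
    cmd_table[CMD_CLOSE] = cmd_close_valve;
    cmd_table[CMD_OPEN]  = cmd_open_valve;
}

/* Safe initialization: every slot first gets the safe handler, then the
   required functionality overwrites the slots it actually needs. */
void cmd_table_init_safe(void) {
    for (size_t i = 0; i < CMD_TABLE_SIZE; i++) cmd_table[i] = cmd_safe_state;
    cmd_table[CMD_CLOSE] = cmd_close_valve;
    cmd_table[CMD_OPEN]  = cmd_open_valve;
}

/* Counts slots that would be dereferenced as a null function pointer. */
int count_null_slots(void) {
    int n = 0;
    for (size_t i = 0; i < CMD_TABLE_SIZE; i++) if (cmd_table[i] == NULL) n++;
    return n;
}

/* Dispatch with the safe table. A code outside the table is treated exactly
   like an unassigned slot: revert to the safe state. */
void dispatch(turbine_t *t, uint8_t code) {
    if (code >= CMD_TABLE_SIZE) { cmd_safe_state(t); return; }
    cmd_table[code](t);
}

static void turbine_init(turbine_t *t) { memset(t, 0, sizeof *t); }  /* zero pattern == closed */

/* Scenario: valve open, then a command code that was never assigned (7) arrives. */
int scenario_unassigned_slot(void) {
    turbine_t t; turbine_init(&t); cmd_table_init_safe();
    dispatch(&t, CMD_OPEN);
    dispatch(&t, 7);
    return (int)t.valve;            /* 0: closed */
}

/* Scenario: valve open, then a code outside the table (0xFF, e.g. a corrupted byte). */
int scenario_out_of_range(void) {
    turbine_t t; turbine_init(&t); cmd_table_init_safe();
    dispatch(&t, CMD_OPEN);
    dispatch(&t, 0xFF);
    return (int)t.valve;            /* 0: closed */
}

/* Scenario: how many times the safe handler ran across both faults above. */
int scenario_safe_entries(void) {
    turbine_t t; turbine_init(&t); cmd_table_init_safe();
    dispatch(&t, CMD_OPEN); dispatch(&t, 7);
    dispatch(&t, CMD_OPEN); dispatch(&t, 0xFF);
    return t.safe_state_entries;    /* 2 */
}

int main(void) {
    cmd_table_init_naive();
    printf("naive table: %d null slots\n", count_null_slots());
    printf("unassigned slot -> valve %d, out of range -> valve %d, safe entries %d\n",
           scenario_unassigned_slot(), scenario_out_of_range(), scenario_safe_entries());
    return 0;
}
```

The naive table leaves 14 of 16 slots as null pointers, so a single corrupted command byte becomes a crash in the critical partition rather than a controlled transition to "valves closed"; the safe table turns the same fault into the behaviour the first safety requirement demands. The same idea applies to spare code memory on a real target (fill it with an instruction pattern that traps into the safe handler), which this host-side example only models with the function table.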