Safety Critical Defence Project

Introduction

Bitwise was asked by a prime contractor to specify, design, implement and test software for a family of safety critical military devices to be delivered to the prime’s Client. The software included both real-time embedded software and manufacturing support software. Bitwise was responsible for the creation of the software safety case and the collection and management of all the associated evidence that demonstrated correct process had been followed.

Bitwise was also involved in the hardware design process; the selection of microcontroller and peripheral components; and contributed towards the validation of the hardware design.

Analysis and Design

Bitwise, as part of the Safety Review Board, was heavily involved in the analysis which concluded that the family of devices needed to be given an IEC 61508 SIL-4 Continuous safety rating with a requirement to fail safe (rather than fail operational). The end Client also required that DEF STAN 00-56 was followed.

Software functional requirements and the related software safety requirements were derived and specified using Hazard Identification, FMECA and FTA methodologies. Further, the system was required to operate with very low power consumption and within a constrained physical footprint.

Given the substantial challenge these requirements presented, it was agreed with the Client that significant effort would be spent verifying them with the end Client and the intended users of the system. Bitwise created a series of high fidelity prototypes to enable this verification process to be carried out as effectively as possible. Feedback from the demonstration sessions was then incorporated as refinements to the captured requirements.

Bitwise worked with external specialists in user interface design, ergonomics and safety in the creation of the prototypes.

Solution and Implementation

The system hardware design consisted of a bespoke SIL-4 rated hardware combinator and two diversely implemented (at both hardware and software level) SIL-3 rated microcontroller systems: a functional controller and a safety controller. This modular block of hardware and software was used as the ‘safe system’ on all the device variants.

Both SIL-3 microcontroller systems used an event-pumped deterministic event processing engine feeding a set of finite state machines which implemented the required control logic. All finite state machines were automatically coded from a formal language definition of the required functionality. Formal proof and finite state machine path analysis were performed on the design to ensure there were no safety vulnerabilities present in the design.

The functional and safety controllers used diverse detailed designs and software implementations created by separate engineering teams. Further diversity was achieved by having the test specification and execution performed by engineers separate from the software implementation teams.
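The following is an added illustration of the architecture described above; it is not Bitwise's code and the device's actual states, events and combinator voting rule are not on this page. It models each controller as an event-pumped deterministic FSM with a total transition function, an exhaustive check standing in for the FSM path analysis, and a combinator that (assumed 2oo2 rule) energises its output only while both diverse controllers agree, failing safe on any disagreement.

```cpp
#include <cstdint>
#include <deque>
// Hypothetical states and events; the real device's definitions are not on the page.
enum class State : std::uint8_t { Idle, Running, Safe };
enum class Event : std::uint8_t { Start, Stop, Fault };

// One controller: a deterministic FSM driven only by its event queue. The
// transition function stands in for code auto-generated from a formal
// definition: every (state, event) pair has a defined result.
class Controller {
public:
    void post(Event e) { queue_.push_back(e); }
    // Event pump: drain the queue in order. No timing or interrupt context is
    // consulted, so two diverse implementations fed the same sequence converge.
    void pump() {
        while (!queue_.empty()) {
            state_ = next(state_, queue_.front());
            queue_.pop_front();
        }
    }
    State state() const { return state_; }
    static State next(State s, Event e) {
        if (e == Event::Fault) return State::Safe;  // any fault latches the safe state
        if (s == State::Safe) return State::Safe;   // the safe state is absorbing
        if (s == State::Idle && e == Event::Start) return State::Running;
        if (s == State::Running && e == Event::Stop) return State::Idle;
        return s;                                   // no transition defined: hold
    }
    // Stand-in for the FSM path analysis: exhaustively checks that Safe is
    // never left and that Fault reaches Safe from every state.
    static bool transitionsAreFailSafe() {
        const State states[] = {State::Idle, State::Running, State::Safe};
        const Event events[] = {Event::Start, Event::Stop, Event::Fault};
        for (State s : states)
            for (Event e : events) {
                if (s == State::Safe && next(s, e) != State::Safe) return false;
                if (e == Event::Fault && next(s, e) != State::Safe) return false;
            }
        return true;
    }
private:
    State state_ = State::Idle;
    std::deque<Event> queue_;
};

// Combinator model (assumed 2oo2 rule): the output is energised only while both
// diverse controllers agree on Running; any disagreement fails safe.
inline bool outputEnabled(const Controller& functional, const Controller& safety) {
    return functional.state() == State::Running && safety.state() == State::Running;
}
```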

The implementation language was C++ with a strictly defined set of coding standards (encompassing and extending MISRA) defined by Bitwise through its experience of working on safety critical embedded systems in a number of different domains.

A multi-target build environment allowed on- and off-target code profiling, static analysis and code coverage capture. This was integrated with a continuous integration server performing both on- and off-target continuous integration testing and static analysis.

An integrated version control, code review and issue management system was used to manage the software development process.

Throughout the project, a subject matter expert from the end Client’s organisation regularly visited Bitwise at its offices to review the project-specific development and quality processes being employed, and to maintain ongoing scrutiny of the design, implementation and test methodology being undertaken.

Project Management

The project was led at a programme level by the prime contractor, but the Bitwise Project Manager directly managed the software development team and liaised with the Client Programme Manager. Bitwise was directly responsible for managing the software development and software safety management budget, issues, risks and milestones. These were communicated through weekly formal reporting together with regular meetings and conference calls.

The Bitwise Software Safety Manager was a member of the Client-led Safety Review Board and provided regular input into the overall safety management process.