SlideShare a Scribd company logo

2015 05-07 - vu amsterdam - testing safety critical systems

Download as PPTX, PDF
Jaap van Ekris
Jaap van Ekris

Presentation about the steps required for Verifying and Validating safety critical systems, as well as the test approach used. It goes beyond the simple processes, and also talks about the required safety culture and people required. The presentation contains examples of real-life IEC 61508 SIL 4 systems used on stormsurge barriers...

Technology
1 of 79
Testing Safety Critical Systems Theory and Experiences J.vanEkris@Delta-Pi.nl http://www.slideshare.net/Jaap_van_Ekris/
My Job Your life’s goal will be to stay out of the newspapers Gerard Duin (KEMA) Worked at
My Projects
Agenda • The Goal • The requirements • The challenge • Go with the process flow – Development Process – System design – Testing Techniques • Trends • Reality 4
Goals of testing safety critical systems • Verify contractually agreed functionality • Verify correct functional safety-behaviour • Verify safety-behaviour during degraded and failure conditions
THE REQUIREMENTS What is so different about safety critical systems?
Some people live on the edge… How would you feel if you were getting ready to launch and knew you were sitting on top of two million parts -- all built by the lowest bidder on a government contract. John Glenn
Actually, we all do…
We might have become overprotective…
The public is mostly unaware of risk…
Until it is too late… • February 1st 1953 • Spring tide and heavy winds broke dykes • Killed 1836 humans and 30.000 animals
The battle against flood risk… • Cost €2.500.000.000 • The largest moving structure on the planet • Defends – 500 km2 land – 80.000 people • Partially controlled by software
Nothing is flawless, by design… No matter how well the design has been: • Some scenarios will be missed • Some scenarios are too expensive to prevent: – Accept risk – Communicate to stakeholders
When is software good enough? • Dutch Law on storm surge barriers • Equalizes risk of dying due to unnatural causes across the Netherlands
Risks have to be balanced… Availability of the service Safety of the service VS.
Oosterschelde Storm Surge Barrier • Chance of – Failure to close: 10-7 per usage – Unexpected closure: 10-4 per year
To put things in perspective… • Having a drunk pilot: 10-2 per flight • Hurt yourself when using a chainsaw: 10-3 per use • Dating a supermodel: 10-5 in a lifetime • Drowning in a bathtub: 10-7 in a lifetime • Being hit by falling airplane parts: 10-8 in a lifetime • Being killed by lighting: 10-9 per lifetime • Winning the lottery: 10-10 per lifetime • Your house being hit by a meteor: 10-15 per lifetime • Winning the lottery twice: 10-20 per lifetime
Small chances do happen…
Risk balance does change over time...
9/11... • Identified a fundamental (new) risk to ATC systems • Changed the ATC system dramatically • Doubled our safety critical scenario’s
Are software risks acceptable?
Software plays a significant role...
The industry statistics are against us… • Capers-Jones: at least 2 high severity errors per 10KLoc • Industry concensus is that software will never be more reliable than – 10-5 per usage – 10-9 per operating hour
THE CHALLENGE Why is testing safety critical systems so hard?
The value of testing Program testing can be used to show the presence of bugs, but never to show their absence! Edsger W. Dijkstra
Is just testing enough? • 64 bits input isn’t that uncommon • 264 is the global rice production in 1000 years, measured in individual grains • Fully testing all binary inputs on a simple 64-bits stimilus response system once takes 2 centuries
THE SOFTWARE DEVELOPMENT PROCESS Quality and reliability start at conception, not at testing…
IEC 61508: Safety Integrity Level and acceptable risk
IEC61508: Risk distribution
IEC 61508: A process for safety critical functions
SYSTEM DESIGN What do safety critical systems look like and what are their most important drivers?
Design Principles • Keep it simple... • Risk analysis drives design (decissions) • Safety first (production later) • Fail-to-safe • There shall be no single source of (catastrophic) failure
A simple design of a storm surge barrier Relais (€10,00/piece) Waterdetector (€17,50) Design documentation (Sponsored by Heineken)
Risk analysis Relais failure Chance: small Cause: aging Effect: catastophic Waterdetector fails Change: Huge Oorzaken: Rust, driftwood, seaguls (eating, shitting) Effect: Catastophic Measurement errors Chance: Collossal Causes: Waves, wind Effect: False Positive Broken cable Chance: Medium Cause: digging, seaguls Effect: Catastophic
System Architecture
Risk analysis
Typical risks identified • Components making the wrong decissions • Power failure • Hardware failure of PLC’s/Servers • Network failure • Ship hitting water sensors • Human maintenance error 37
Risk ≠ system crash • Understandability of the GUI • Wrongful functional behaviour • Data accuracy • Lack of response speed • Tolerance towards unlogical inputs • Resistance to hackers
Usability of a MMI is key to safety
Systems do misbehave...
Systems can be late…
Systems aren’t your only problem
StuurX: Component architecture design
Stuurx::Functionality, initial global design Init Start_D “Start” signal to Diesels Wacht Waterlevel < 3 meter Waterlevel> 3 meter W_O_D “Diesels ready” Sluit_? “Close Barrier” Waterlevel
Stuurx::Functionality, final global design
Stuurx::Functionality, Wait_For_Diesels, detailed design
VERIFICATION What is getting tested, and how?
Design completion...
An example of safety critical components
IEC 61508 SIL4: Required verification activities
Design Validation and Verification • Peer reviews by – System architect – 2nd designer – Programmers – Testmanager system testing • Fault Tree Analysis / Failure Mode and Effect Analysis • Performance modeling • Static Verification/ Dynamic Simulation by (Twente University)
Programming (in C/C++) • Coding standard: – Based on “Safer C”, by Les Hutton – May only use safe subset of the compiler – Verified by Lint and 5 other tools • Code is peer reviewed by 2nd developer • Certified and calibrated compiler
Unit tests • Focus on conformance to specifications • Required coverage: 100% with respect to: – Code paths – Input equivalence classes • Boundary Value analysis • Probabilistic testing • Execution: – Fully automated scripts, running 24x7 – Creates 100Mb/hour of logs and measurement data • Upon bug detection – 3 strikes is out  After 3 implementation errors it is build by another developer – 2 strikes is out  Need for a 2nd rebuild implies a redesign by another designer
Representative testing is difficult
Integration testing • Focus on – Functional behaviour of chain of components – Failure scenarios based on risk analysis • Required coverage – 100% coverage on input classes • Probabilistic testing • Execution: – Fully automated scripts, running 24x7, speed times 10 – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Rootcause-analysis
Redundancy is a nasty beast • You do get functional behaviour of your entire system • It is nearly impossible to see if all components are working correctly • Is EVERYTHING working ok, or is it the safetynet? 56
System testing • Focus on – Functional behaviour – Failure scenarios based on risk analysis • Required coverage – 100% complete environment (simultation) – 100% coverage on input classes • Execution: – Fully automated scripts, running 24x7, speed times 10 – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Rootcause-analysis
Endurance testing • Look for the “one in a million times” problem • Challenge: – Software is deterministic – execution is not (timing, transmission-errors, system load) • Have an automated script run it over and over again
Results of Endurance Tests 1.E-05 1.E-04 1.E-03 1.E-02 1.E-01 1.E+00 4.35 4.36 4.37 ChanceofFailure(LogarithmicScale) Platform Version Reliability Growth of Function M, Project S
Acceptance testing • Acceptance testing 1. Functional acceptance 2. Failure behaviour, all top 50 (FMECA) risks tested 3. A year of operational verification • Execution: – Tests performed on a working stormsurge barrier – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Root cause-analysis
A risk limit to testing • Some things are too dangerous to test • Some tests introduce more risks than they try to mitigate • There should always be a safe way out of a test procedure
Testing safety critical functions is dangerous...
GUI Acceptance testing • Looking for – quality in use for interactive systems – Understandability of the GUI • Structural investigation of the performance of the man-machine interactions • Looking for “abuse” by the users • Looking at real-life handling of emergency operations
Avalanche testing • To test the capabilies of alarming and control • Usually starts with one simple trigger • Generally followed by millions of alarms • Generally brings your network and systems to the breaking point
Crash and recovery procedure testing • Validation of system behaviour after massive crash and restart • Usually identifies many issues about emergency procedures • Sometimes identifies issues around power supply • Usually identifies some (combination of) systems incapable of unattended recovery...
Software will never be flawless
Production has its challenges… • Are equipment and processes optimally arranged? • Are the humans up to their task? • Does everything perform as expected?
TRENDS What is the newest and hottest?
Model Driven Design
A real-life example
A root-cause analysis of this flaw
REALITY What are the real-life challenges of a testmanager of safety critical systems?
Difference between theory and reality
Working together…
Requires true commitment to results… • Romans put the architect under the arches when removing the scaffolding • Boeing and Airbus put all lead-engineers on the first test-flight • Dijkstra put his “rekenmeisjes” on the opposite dock when launching ships
It is about keeping your back straight… • Thomas Andrews, Jr. • Naval architect in charge of RMS Titanic • He recognized regulations were insufficient for ship the size of Titanic • Decisions “forced upon him” by the client: – Limit the range of double hulls – Limit the number of lifeboats • He was on the maiden voyage to spot improvements • He knowingly went down with the ship, saving as many as he could
It requires a specific breed of people The faiths of developers and testers are linked to safety critical systems into eternity
Conclusion • Stop reading newspapers • Safety Critical Testing is a lot of work, making sure nothing happens • Technically it isn’t that much different, we’re just more rigerous and use a specific breed of people....
Questions?

Recommended

Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Jaap van Ekris
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systemsJaap van Ekris
 
2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systems2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systemsJaap van Ekris
 
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systemsJaap van Ekris
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)James Clause
 

Recommended

Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Jaap van Ekris
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systemsJaap van Ekris
 
2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systems2017 03-10 - vu amsterdam - testing safety critical systems
2017 03-10 - vu amsterdam - testing safety critical systemsJaap van Ekris
 
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)Jaap van Ekris
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systems2010-03-31 - VU Amsterdam - Experiences testing safety critical systems
2010-03-31 - VU Amsterdam - Experiences testing safety critical systemsJaap van Ekris
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)Enabling and Supporting the Debugging of Software Failures (PhD Defense)
Enabling and Supporting the Debugging of Software Failures (PhD Defense)James Clause
 
incident analysis - procedure and approach
incident analysis - procedure and approachincident analysis - procedure and approach
incident analysis - procedure and approachDerek Chang
 
Stop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - RobotStop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - RobotHelpSystems
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
Tests antipatterns
Tests antipatternsTests antipatterns
Tests antipatternsMaciej Przewoznik
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Steer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew RendellSteer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew RendellValtech UK
 
A Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesAdaCore
 
Real Time Systems
Real Time SystemsReal Time Systems
Real Time Systemsleo3004
 
A study of anti virus' response to unknown threats
A study of anti virus' response to unknown threatsA study of anti virus' response to unknown threats
A study of anti virus' response to unknown threatsUltraUploader
 
Cost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resourcesCost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resourcesVincenzo De Florio
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapJoel Cardella
 
The Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best PracticesThe Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best Practicesiland Cloud
 
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...BlueHat Security Conference
 
LAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSISLAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSISThapa Prakash (TA-1)
 
5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage them5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage themPraveen Vackayil
 
Software Testing Basics
Software Testing BasicsSoftware Testing Basics
Software Testing Basicssachinmistry786
 
Fault tolerance techniques
Fault tolerance techniquesFault tolerance techniques
Fault tolerance techniquesECEDepartmentJSREC
 
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...Jaap van Ekris
 
2016-05-30 risk driven design
2016-05-30 risk driven design2016-05-30 risk driven design
2016-05-30 risk driven designJaap van Ekris
 
What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)Jaap van Ekris
 
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…Jaap van Ekris
 
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...Jaap van Ekris
 

More Related Content

What's hot

incident analysis - procedure and approach
incident analysis - procedure and approachincident analysis - procedure and approach
incident analysis - procedure and approachDerek Chang
 
Stop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - RobotStop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - RobotHelpSystems
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Steer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew RendellSteer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew RendellValtech UK
 
A Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesAdaCore
 
Real Time Systems
Real Time SystemsReal Time Systems
Real Time Systemsleo3004
 
A study of anti virus' response to unknown threats
A study of anti virus' response to unknown threatsA study of anti virus' response to unknown threats
A study of anti virus' response to unknown threatsUltraUploader
 
Cost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resourcesCost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resourcesVincenzo De Florio
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapJoel Cardella
 
The Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best PracticesThe Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best Practicesiland Cloud
 
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...BlueHat Security Conference
 
5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage them5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage themPraveen Vackayil
 

What's hot (17)

incident analysis - procedure and approach
incident analysis - procedure and approachincident analysis - procedure and approach
incident analysis - procedure and approach
 
Stop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - RobotStop Feeding IBM i Performance Hogs - Robot
Stop Feeding IBM i Performance Hogs - Robot
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Tests antipatterns
Tests antipatternsTests antipatterns
Tests antipatterns
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Steer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew RendellSteer and/or sink the supertanker by Andrew Rendell
Steer and/or sink the supertanker by Andrew Rendell
 
A Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics Devices
 
Real Time Systems
Real Time SystemsReal Time Systems
Real Time Systems
 
A study of anti virus' response to unknown threats
A study of anti virus' response to unknown threatsA study of anti virus' response to unknown threats
A study of anti virus' response to unknown threats
 
Cost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resourcesCost-effective software reliability through autonomic tuning of system resources
Cost-effective software reliability through autonomic tuning of system resources
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the Cheap
 
The Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best PracticesThe Great Disconnect of Data Protection: Perception, Reality and Best Practices
The Great Disconnect of Data Protection: Perception, Reality and Best Practices
 
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
BlueHat v18 || Go build a tool - best practices for building a robust &amp; e...
 
LAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSISLAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSIS
 
5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage them5 Under-utilized PCI Requirements and how you can leverage them
5 Under-utilized PCI Requirements and how you can leverage them
 
Software Testing Basics
Software Testing BasicsSoftware Testing Basics
Software Testing Basics
 
Fault tolerance techniques
Fault tolerance techniquesFault tolerance techniques
Fault tolerance techniques
 

Viewers also liked

2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...Jaap van Ekris
 
2016-05-30 risk driven design
2016-05-30 risk driven design2016-05-30 risk driven design
2016-05-30 risk driven designJaap van Ekris
 
What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)Jaap van Ekris
 
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…Jaap van Ekris
 
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...Jaap van Ekris
 
2016 11-15 - nvrb - software betrouwbaarheid
2016 11-15 - nvrb - software betrouwbaarheid2016 11-15 - nvrb - software betrouwbaarheid
2016 11-15 - nvrb - software betrouwbaarheidJaap van Ekris
 
2011-04-29 - Risk management conference - Technische IT risico's in de praktijk
2011-04-29 - Risk management conference - Technische IT risico's in de praktijk2011-04-29 - Risk management conference - Technische IT risico's in de praktijk
2011-04-29 - Risk management conference - Technische IT risico's in de praktijkJaap van Ekris
 
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)Jaap van Ekris
 

Viewers also liked (8)

2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
2016 02-15 - IASTED Innsbruck 2016 - the role and decompesition of delivery ...
 
2016-05-30 risk driven design
2016-05-30 risk driven design2016-05-30 risk driven design
2016-05-30 risk driven design
 
What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)What the hack happened to digi notar (28-10-2011)
What the hack happened to digi notar (28-10-2011)
 
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…
 
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
2011-03-12 - PDAtotaal Usergroup meeting - Ervaringen met Windows Phone 7 in ...
 
2016 11-15 - nvrb - software betrouwbaarheid
2016 11-15 - nvrb - software betrouwbaarheid2016 11-15 - nvrb - software betrouwbaarheid
2016 11-15 - nvrb - software betrouwbaarheid
 
2011-04-29 - Risk management conference - Technische IT risico's in de praktijk
2011-04-29 - Risk management conference - Technische IT risico's in de praktijk2011-04-29 - Risk management conference - Technische IT risico's in de praktijk
2011-04-29 - Risk management conference - Technische IT risico's in de praktijk
 
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)
Windows Phone 7 and the cloud, the good, the bad and the ugly (17-06-2011, SDN)
 

Similar to 2015 05-07 - vu amsterdam - testing safety critical systems

Safety and security in distributed systems
Safety and security in distributed systemsSafety and security in distributed systems
Safety and security in distributed systemsEinar Landre
 
Safety and security in distributed systems
Safety and security in distributed systems Safety and security in distributed systems
Safety and security in distributed systems Einar Landre
 
Safety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsSafety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsEinar Landre
 
Risk management and business protection with Coding Standardization & Static ...
Risk management and business protection with Coding Standardization & Static ...Risk management and business protection with Coding Standardization & Static ...
Risk management and business protection with Coding Standardization & Static ...Itris Automation Square
 
Siegel - keynote presentation, 18 may 2013
Siegel - keynote presentation, 18 may 2013Siegel - keynote presentation, 18 may 2013
Siegel - keynote presentation, 18 may 2013NeilSiegelslideshare
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsC4Media
 
Testing Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidTesting Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidSteve Branam
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
 
Functional safety by FMEA/FTA
Functional safety by FMEA/FTAFunctional safety by FMEA/FTA
Functional safety by FMEA/FTAmehmor
 
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patternsJaap van Ekris
 
Netpod - The Merging of NPM & APM
Netpod - The Merging of NPM & APMNetpod - The Merging of NPM & APM
Netpod - The Merging of NPM & APMBoni Bruno
 
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine Aleksandr Tavgen
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Arizona State University Test Lecture
Arizona State University Test LectureArizona State University Test Lecture
Arizona State University Test LecturePete Sarson, PH.D
 
Building an application security program
Building an application security programBuilding an application security program
Building an application security programOutpost24
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 

Similar to 2015 05-07 - vu amsterdam - testing safety critical systems (20)

Safety and security in distributed systems
Safety and security in distributed systemsSafety and security in distributed systems
Safety and security in distributed systems
 
Safety and security in distributed systems
Safety and security in distributed systems Safety and security in distributed systems
Safety and security in distributed systems
 
Safety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsSafety and security in mission critical IoT systems
Safety and security in mission critical IoT systems
 
Risk management and business protection with Coding Standardization & Static ...
Risk management and business protection with Coding Standardization & Static ...Risk management and business protection with Coding Standardization & Static ...
Risk management and business protection with Coding Standardization & Static ...
 
Siegel - keynote presentation, 18 may 2013
Siegel - keynote presentation, 18 may 2013Siegel - keynote presentation, 18 may 2013
Siegel - keynote presentation, 18 may 2013
 
Design For Testability
Design For TestabilityDesign For Testability
Design For Testability
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient Systems
 
Testing Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking StupidTesting Is How You Avoid Looking Stupid
Testing Is How You Avoid Looking Stupid
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
 
Functional safety by FMEA/FTA
Functional safety by FMEA/FTAFunctional safety by FMEA/FTA
Functional safety by FMEA/FTA
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns
2008-10-09 - Bits and Chips Conference - Embedded Systemen Architecture patterns
 
Netpod - The Merging of NPM & APM
Netpod - The Merging of NPM & APMNetpod - The Merging of NPM & APM
Netpod - The Merging of NPM & APM
 
Chaos engineering
Chaos engineering Chaos engineering
Chaos engineering
 
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine
Observability - The good, the bad and the ugly Xp Days 2019 Kiev Ukraine
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Arizona State University Test Lecture
Arizona State University Test LectureArizona State University Test Lecture
Arizona State University Test Lecture
 
Building an application security program
Building an application security programBuilding an application security program
Building an application security program
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 

More from Jaap van Ekris

2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants
2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants
2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giantsJaap van Ekris
 
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebbenJaap van Ekris
 
2018-11-08 risk and reslience festival
2018-11-08 risk and reslience festival2018-11-08 risk and reslience festival
2018-11-08 risk and reslience festivalJaap van Ekris
 
2015 10-08 Uitwijken, het hoe, waarom en de consequenties
2015 10-08 Uitwijken, het hoe, waarom en de consequenties2015 10-08 Uitwijken, het hoe, waarom en de consequenties
2015 10-08 Uitwijken, het hoe, waarom en de consequentiesJaap van Ekris
 
TOPAAS Versie 2.0, een praktische inleiding
TOPAAS Versie 2.0, een praktische inleidingTOPAAS Versie 2.0, een praktische inleiding
TOPAAS Versie 2.0, een praktische inleidingJaap van Ekris
 
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)Jaap van Ekris
 
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 72010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7Jaap van Ekris
 
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemenJaap van Ekris
 
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...Jaap van Ekris
 
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...Jaap van Ekris
 
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…Jaap van Ekris
 
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?Jaap van Ekris
 
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...Jaap van Ekris
 
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...Jaap van Ekris
 

More from Jaap van Ekris (14)

2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants
2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants
2021 08-28, QONFEST 2021 - Reliability cenetered maintenance for sleeping giants
 
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben
2020 09-08 - sdn - waarom klanten een hekel aan software ontwikkelaars hebben
 
2018-11-08 risk and reslience festival
2018-11-08 risk and reslience festival2018-11-08 risk and reslience festival
2018-11-08 risk and reslience festival
 
2015 10-08 Uitwijken, het hoe, waarom en de consequenties
2015 10-08 Uitwijken, het hoe, waarom en de consequenties2015 10-08 Uitwijken, het hoe, waarom en de consequenties
2015 10-08 Uitwijken, het hoe, waarom en de consequenties
 
TOPAAS Versie 2.0, een praktische inleiding
TOPAAS Versie 2.0, een praktische inleidingTOPAAS Versie 2.0, een praktische inleiding
TOPAAS Versie 2.0, een praktische inleiding
 
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
Cloud Security (11-09-2012, (ISC)2 Secure Amsterdam)
 
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 72010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7
2010-04-17 - PDAtotaal Usergroup meeting - Introductie in Windows Phone 7
 
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen
2009-07-09 - DNV - Risico en betrouwbaarheid van ICT systemen
 
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...
2009-02-18 - IASTED Innsbruck 2009 - Factors in project management influencin...
 
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2009-02-12 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
 
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…
 
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?
2008-06-23 - SDN - Kwaliteit van software, wat is dat nu eigenlijk?
 
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...
2008-02-14 - IASTED Innsbruck 2008 - Customer Retention and Delivery Quality ...
 
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
2008-02-07 - VU Amsterdam - Customer Satisfaction and dealing with customers ...
 

Recently uploaded

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Recently uploaded (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

2015 05-07 - vu amsterdam - testing safety critical systems

  • 1. Testing Safety Critical Systems Theory and Experiences J.vanEkris@Delta-Pi.nl http://www.slideshare.net/Jaap_van_Ekris/
  • 2. My Job Your life’s goal will be to stay out of the newspapers Gerard Duin (KEMA) Worked at
  • 4. Agenda • The Goal • The requirements • The challenge • Go with the process flow – Development Process – System design – Testing Techniques • Trends • Reality 4
  • 5. Goals of testing safety critical systems • Verify contractually agreed functionality • Verify correct functional safety-behaviour • Verify safety-behaviour during degraded and failure conditions
  • 6. THE REQUIREMENTS What is so different about safety critical systems?
  • 7. Some people live on the edge… How would you feel if you were getting ready to launch and knew you were sitting on top of two million parts -- all built by the lowest bidder on a government contract. John Glenn
  • 9. We might have become overprotective…
  • 10. The public is mostly unaware of risk…
  • 11. Until it is too late… • February 1st 1953 • Spring tide and heavy winds broke dykes • Killed 1836 humans and 30.000 animals
  • 12. The battle against flood risk… • Cost €2.500.000.000 • The largest moving structure on the planet • Defends – 500 km2 land – 80.000 people • Partially controlled by software
  • 13. Nothing is flawless, by design… No matter how well the design has been: • Some scenarios will be missed • Some scenarios are too expensive to prevent: – Accept risk – Communicate to stakeholders
  • 14. When is software good enough? • Dutch Law on storm surge barriers • Equalizes risk of dying due to unnatural causes across the Netherlands
  • 15. Risks have to be balanced… Availability of the service Safety of the service VS.
  • 16. Oosterschelde Storm Surge Barrier • Chance of – Failure to close: 10-7 per usage – Unexpected closure: 10-4 per year
  • 17. To put things in perspective… • Having a drunk pilot: 10-2 per flight • Hurt yourself when using a chainsaw: 10-3 per use • Dating a supermodel: 10-5 in a lifetime • Drowning in a bathtub: 10-7 in a lifetime • Being hit by falling airplane parts: 10-8 in a lifetime • Being killed by lighting: 10-9 per lifetime • Winning the lottery: 10-10 per lifetime • Your house being hit by a meteor: 10-15 per lifetime • Winning the lottery twice: 10-20 per lifetime
  • 18. Small chances do happen…
  • 19. Risk balance does change over time...
  • 20. 9/11... • Identified a fundamental (new) risk to ATC systems • Changed the ATC system dramatically • Doubled our safety critical scenario’s
  • 21. Are software risks acceptable?
  • 22. Software plays a significant role...
  • 23. The industry statistics are against us… • Capers-Jones: at least 2 high severity errors per 10KLoc • Industry concensus is that software will never be more reliable than – 10-5 per usage – 10-9 per operating hour
  • 24. THE CHALLENGE Why is testing safety critical systems so hard?
  • 25. The value of testing Program testing can be used to show the presence of bugs, but never to show their absence! Edsger W. Dijkstra
  • 26. Is just testing enough? • 64 bits input isn’t that uncommon • 264 is the global rice production in 1000 years, measured in individual grains • Fully testing all binary inputs on a simple 64-bits stimilus response system once takes 2 centuries
  • 27. THE SOFTWARE DEVELOPMENT PROCESS Quality and reliability start at conception, not at testing…
  • 28. IEC 61508: Safety Integrity Level and acceptable risk
  • 30. IEC 61508: A process for safety critical functions
  • 31. SYSTEM DESIGN What do safety critical systems look like and what are their most important drivers?
  • 32. Design Principles • Keep it simple... • Risk analysis drives design (decissions) • Safety first (production later) • Fail-to-safe • There shall be no single source of (catastrophic) failure
  • 33. A simple design of a storm surge barrier Relais (€10,00/piece) Waterdetector (€17,50) Design documentation (Sponsored by Heineken)
  • 34. Risk analysis Relais failure Chance: small Cause: aging Effect: catastophic Waterdetector fails Change: Huge Oorzaken: Rust, driftwood, seaguls (eating, shitting) Effect: Catastophic Measurement errors Chance: Collossal Causes: Waves, wind Effect: False Positive Broken cable Chance: Medium Cause: digging, seaguls Effect: Catastophic
  • 37. Typical risks identified • Components making the wrong decissions • Power failure • Hardware failure of PLC’s/Servers • Network failure • Ship hitting water sensors • Human maintenance error 37
  • 38. Risk ≠ system crash • Understandability of the GUI • Wrongful functional behaviour • Data accuracy • Lack of response speed • Tolerance towards unlogical inputs • Resistance to hackers
  • 39. Usability of a MMI is key to safety
  • 41. Systems can be late…
  • 42. Systems aren’t your only problem
  • 44. Stuurx::Functionality, initial global design Init Start_D “Start” signal to Diesels Wacht Waterlevel < 3 meter Waterlevel> 3 meter W_O_D “Diesels ready” Sluit_? “Close Barrier” Waterlevel
  • 47. VERIFICATION What is getting tested, and how?
  • 49. An example of safety critical components
  • 50. IEC 61508 SIL4: Required verification activities
  • 51. Design Validation and Verification • Peer reviews by – System architect – 2nd designer – Programmers – Testmanager system testing • Fault Tree Analysis / Failure Mode and Effect Analysis • Performance modeling • Static Verification/ Dynamic Simulation by (Twente University)
  • 52. Programming (in C/C++) • Coding standard: – Based on “Safer C”, by Les Hutton – May only use safe subset of the compiler – Verified by Lint and 5 other tools • Code is peer reviewed by 2nd developer • Certified and calibrated compiler
  • 53. Unit tests • Focus on conformance to specifications • Required coverage: 100% with respect to: – Code paths – Input equivalence classes • Boundary Value analysis • Probabilistic testing • Execution: – Fully automated scripts, running 24x7 – Creates 100Mb/hour of logs and measurement data • Upon bug detection – 3 strikes is out  After 3 implementation errors it is build by another developer – 2 strikes is out  Need for a 2nd rebuild implies a redesign by another designer
  • 55. Integration testing • Focus on – Functional behaviour of chain of components – Failure scenarios based on risk analysis • Required coverage – 100% coverage on input classes • Probabilistic testing • Execution: – Fully automated scripts, running 24x7, speed times 10 – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Rootcause-analysis
  • 56. Redundancy is a nasty beast • You do get functional behaviour of your entire system • It is nearly impossible to see if all components are working correctly • Is EVERYTHING working ok, or is it the safetynet? 56
  • 57. System testing • Focus on – Functional behaviour – Failure scenarios based on risk analysis • Required coverage – 100% complete environment (simultation) – 100% coverage on input classes • Execution: – Fully automated scripts, running 24x7, speed times 10 – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Rootcause-analysis
  • 58. Endurance testing • Look for the “one in a million times” problem • Challenge: – Software is deterministic – execution is not (timing, transmission-errors, system load) • Have an automated script run it over and over again
  • 59. Results of Endurance Tests 1.E-05 1.E-04 1.E-03 1.E-02 1.E-01 1.E+00 4.35 4.36 4.37 ChanceofFailure(LogarithmicScale) Platform Version Reliability Growth of Function M, Project S
  • 60. Acceptance testing • Acceptance testing 1. Functional acceptance 2. Failure behaviour, all top 50 (FMECA) risks tested 3. A year of operational verification • Execution: – Tests performed on a working stormsurge barrier – Creates 250Mb/hour of logs and measurement data • Upon detection – Each bug  Root cause-analysis
  • 61. A risk limit to testing • Some things are too dangerous to test • Some tests introduce more risks than they try to mitigate • There should always be a safe way out of a test procedure
  • 62. Testing safety critical functions is dangerous...
  • 63. GUI Acceptance testing • Looking for – quality in use for interactive systems – Understandability of the GUI • Structural investigation of the performance of the man-machine interactions • Looking for “abuse” by the users • Looking at real-life handling of emergency operations
  • 64. Avalanche testing • To test the capabilies of alarming and control • Usually starts with one simple trigger • Generally followed by millions of alarms • Generally brings your network and systems to the breaking point
  • 65. Crash and recovery procedure testing • Validation of system behaviour after massive crash and restart • Usually identifies many issues about emergency procedures • Sometimes identifies issues around power supply • Usually identifies some (combination of) systems incapable of unattended recovery...
  • 66. Software will never be flawless
  • 67. Production has its challenges… • Are equipment and processes optimally arranged? • Are the humans up to their task? • Does everything perform as expected?
  • 68. TRENDS What is the newest and hottest?
  • 71. A root-cause analysis of this flaw
  • 72. REALITY What are the real-life challenges of a testmanager of safety critical systems?
  • 75. Requires true commitment to results… • Romans put the architect under the arches when removing the scaffolding • Boeing and Airbus put all lead-engineers on the first test-flight • Dijkstra put his “rekenmeisjes” on the opposite dock when launching ships
  • 76. It is about keeping your back straight… • Thomas Andrews, Jr. • Naval architect in charge of RMS Titanic • He recognized regulations were insufficient for ship the size of Titanic • Decisions “forced upon him” by the client: – Limit the range of double hulls – Limit the number of lifeboats • He was on the maiden voyage to spot improvements • He knowingly went down with the ship, saving as many as he could
  • 77. It requires a specific breed of people The faiths of developers and testers are linked to safety critical systems into eternity
  • 78. Conclusion • Stop reading newspapers • Safety Critical Testing is a lot of work, making sure nothing happens • Technically it isn’t that much different, we’re just more rigerous and use a specific breed of people....