
Minutes 2 March 2023

Paul Albertella edited this page Mar 2, 2023 · 1 revision

2023-03-02

Host: Paul Albertella

Participants: Pete Brink, Kent Nelson, Raffaele Giannessi, Gabriele Paoloni, Elana Copperman

Agenda: Discuss use of STPA (System-Theoretic Process Analysis)

Goal of using STPA:

  • Identify the negative outcomes that we want to avoid (losses)
  • Identify the system / environment conditions that can lead to these losses
    • By environment we mean things outside the system that either interact with it or
  • Identify the subset of functionality provided by Linux that is pertinent to the safety goals that we are trying to achieve
  • Help us define safety requirements for Linux and for the other components of the system that it interacts with

Issues:

  • Pete: There may be things within Linux that don’t do what we need them to do, which may interfere with our objectives
    • Paul: Goal is to first identify what is directly relevant to the safety goals, and then, from this, identify what else might interfere with that

Control hierarchy approach

  • Focus on controlled process that we care about with respect to safety
    • Identify how that process is controlled to avoid or mitigate the losses
    • Identify what criteria (constraints) need to be satisfied in order to avoid or mitigate the losses
  • Understand what role our software has in:
    • controlling that process, or
    • controlling intermediate processes that control it
    • enabling other controllers or processes to control it, or
    • providing the means for controllers and controlled processes to receive information (feedback) that they need to perform their specified role
  • Control hierarchy is likely to involve many cooperating controllers and controlled processes
    • The process that is ultimately connected with safety (the thing that can hurt people) is unlikely to be directly connected to our component
    • Control structure helps us to understand how (and through which other components of the system) we interact, and what our responsibilities are

Loss scenarios

  • What can lead to a loss for a specific control action in a specific context
    • i.e. for a particular pairing of controller and controlled process as part of the larger control hierarchy
  • See diagram in STPA guidance document
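The control hierarchy and loss-scenario steps above, as an added Python example that is not from the OSEP wiki or its authors: it models losses, hazards (system/environment conditions), a control structure in which our component is two levels away from the hazardous process, and the traceability from one loss scenario back to the losses it can contribute to. The component names (linux_scheduler, safety_task, actuator), hazard H1 and loss L1 are constructed for illustration.

```python
from dataclasses import dataclass

# The four ways STPA says a control action can be unsafe.
UCA_TYPES = ("not provided", "provided in an unsafe context",
             "too early / too late / out of order",
             "stopped too soon / applied too long")

@dataclass(frozen=True)
class Hazard:
    text: str
    losses: frozenset  # loss ids this system/environment condition can lead to

@dataclass(frozen=True)
class ControlAction:
    controller: str
    controlled: str
    name: str
    feedback: str  # information the controller needs to perform its role

@dataclass(frozen=True)
class LossScenario:
    action: ControlAction
    uca_type: str
    context: str
    hazards: frozenset

def control_chain(component, actions):
    """Processes our component influences, directly or via intermediate controllers."""
    reached, frontier = [], [component]
    while frontier:
        c = frontier.pop(0)
        for a in actions:
            if a.controller == c and a.controlled not in reached:
                reached.append(a.controlled)
                frontier.append(a.controlled)
    return reached

def candidate_scenarios(action, contexts):
    """Every (UCA type, context) pair the analyst must examine for one action."""
    return [(u, ctx) for ctx in contexts for u in UCA_TYPES]

def losses_for(scenario, hazards):
    """Trace a loss scenario back to the losses it can contribute to."""
    return frozenset().union(*(hazards[h].losses for h in scenario.hazards))

# Constructed illustration: the hazardous process is two levels below Linux.
HAZARDS = {"H1": Hazard("Actuator keeps moving after a stop is required", frozenset({"L1"}))}
ACTIONS = [
    ControlAction("linux_scheduler", "safety_task", "dispatch", "run-queue state"),
    ControlAction("safety_task", "actuator", "stop", "actuator position"),
]
SCENARIO = LossScenario(ACTIONS[0], UCA_TYPES[2],
                        "stop deadline pending in safety_task", frozenset({"H1"}))
```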

What to look at next in OSEP?

  • Stack memory
  • CPU scheduling
    • This is a popular choice
  • Other hardware interaction (e.g. i2c, ethernet)