Protecting from state mismatch

Detecting state mismatch

Alerting on exceptional states	This is an important feature in safety-critical systems. Consider the Torrey Canyon supertanker accident. The state mismatch occurred after the navigation system was unintentionally set to the Control state, a state intended for use in maintenance only. However, the last interaction fault was that the captain did not notice the exceptional state. Similarly, were the “engine idle” mode of the Airbus A320 plane highlighted, the captain of Air France Flight 296 could have noticed it and reaccelerated before it was too late.
Modeling the system states	How can the system know when to alert about an exceptional state? To enable this feature, we need to the system to include a model of its normal behavior. This model is used for self-recognition of the system states at run-time. On each state change, the system can compare the state to the model and activate the alarm on exceptional state transition, or on changing to an exceptional state. In the supertanker example, this model defines the Control state as normal for maintenance and exceptional when sailing. In the airbus A320 example, the model defines that the “engine idle” state is normal for high altitudes but exceptional for low altitudes.
Alarm reliability	What if the alarm is turned off and nobody can hear it? The design should include means to detect when these happen. For example, a sound validation unit consisting of a sound generator, a microphone and a comparator can be added to the system in order to detect situations of the alarm being turned off (Harel, 2006).
Sensor reliability	What if one of the sensors get stuck? In safety-critical systems the system should trace the changes in the sensors and notify on sensors that always give the same values.
Reliability of state indicators	What if the led indicating the exceptional state is burned out and nobody can see it? The design should include means to notify the user when this happens, for example, by adding a led to indicate operation in a normal state. When the system changes to an exceptional state, the additional indicator turns off. The user may notice that all the lights are off, and conclude that there might be a problem with the lights.
Active vs. passive state indication	The problem with the solution above is that the indication of burned-out led is passive. The users are required to notice that a light is absent. The problem with this solution is that users might unnoticed this kind of indication. For example, when the Torrey Canyon supertanker approached the reef, the captain failed to notice the absence of the compass clicking typical to situations of course changes. When he noticed their absence, it was too late. A better way to ensure early recognition of the problem with the warning indicators is by an active ‘Check Gauges’ indication, similar to the one used in many cars.