Upload
itris-automation
View
522
Download
3
Tags:
Embed Size (px)
DESCRIPTION
Sangmin LEE (Business Developer Asia and America) presented the following topic at the CSIA 2013 Executive Conference: "Risk management and business protection with Coding Standardization & Static Analyzer". http://csiaexecutiveconference.org/ http://www.controlsys.org/
Citation preview
Risk management and business protection with
Coding Standardization & Static Analyzer
Sangmin Lee
Director, International Business Development
Itris Automation Square
SI Revenue & Specialties
The key of SI success is software development and IT management
Mars Polar Lander Crash • Cost
– $125,000,000
• Disaster – After a 286-day journey from
Earth, the Mars Climate Orbiter fell too far into Mars’ atmosphere, causing it to crash
• Cause – The software that controlled the
Orbiter thrusters used imperial units (pounds of force), rather than metric units (Newtons) as specified by NASA
Ariane 5 Explosion • Cost
– $500,000,000
• Disaster – ESA’s Ariane 5 unmanned rocket
was intentionally destroyed seconds after launch on its maiden flight
– Also destroyed was its cargo of four scientific satellites
• Cause – When the guidance system tried to
convert the sideways rocket velocity from 64-bits to 16-bits format, an overflow error resulted
– When the system shut down, control passed to an identical redundant unit…
AT&T Lines Go Dead • Cost
– 75,000,000 phone calls missed
– 200,000 airline reservations lost
• Disaster
– A single switch at one of AT&T’s 114
switching centers suffered a minor
mechanical problem and shut down the
center
– When the center came back up, it sent a
message to other switching centers, which
in turn caused them to shut down
– This brought down the entire AT&T network
for 9 hours
• Cause
– A single line of buggy code in a complex
software upgrade implemented to speed up
calling caused a ripple effect that shut down
the network
Medical Machine Kills (1985)
• Cost – 3 people dead
– 3 people critically injured
• Disaster – Therac-25 radiation
therapy machine delivered lethal radiation doses to patients
• Cause – A subtle bug called a race
condition
World War III… Almost
• Cost – Almost all of humanity
• Disaster – Soviet early warning system
indicated the U.S. had launched 5 ICBMs
– The human operator thankfully interpreted this as an error
• Cause – A bug in the software failed to
filter out false missile detections caused by sunlight reflecting off cloud-tops
Your software?
How do you assess the quality of your software?
How do you protect yourself?
Why should system integrator care?
System Integrator Client
Service delivered
Law suit
Product Liability Legal Theories
• NEGLIGENCE – Did you fail to act as a reasonably prudent person/plant
operator/manufacturer/installer/repairer would have acted under the
same or similar circumstances
• STRICT LIABILITY – Whether a person has been injured by a product that was defective in
design or manufacture
– Unreasonably dangerous when it left the manufacturer ’s control. You
may have been eminently reasonable, yet liable for a defect.
• BREACH OF WARRANTY – This is a lesser applied theory but still available to an injured party. The
focus is on whether the product conformed to representations made by
the seller in writing, verbally, or implied by law.
Source: Legal Considerations for Safety - Rockwell Automation Safety Automation Forum - November 2011
Defective Condition
• Consumer Expectation Test:
– Whether the product failed to perform as safely as an
ordinary consumer would expect.
• Risk Utility Test:
– Whether the harm could have been avoided by
adopting a reasonable alternative design and on
balance the benefit of that design outweighs the risk.
– This test usually applies in cases involving more
complex products.
Source: Legal Considerations for Safety - Rockwell Automation Safety Automation Forum - November 2011
What is safer alternative design?
• A way that plaintiffs can demonstrate a defective product
is to show that a safer alternative design was available
• A design which satisfies ALL of the below
– Prevents or significantly reduces the risk of injury
– Does not substantially impair the product’s utility
– Is not too expensive (economically feasible)
– Is technologically feasible at the time the product left the
manufacturer’s control
Source: Legal Considerations for Safety - Rockwell Automation Safety Automation Forum - November 2011
Software quality
usability
performance
operation reliability
functionality
bug detection rate
maintenance cost
code complexity
reusability
testability
reliability
changeability efficiency
maintainability
coupling
exception handling
fault tolerance
understandability
readability
architecture
Source: PSaQC (~“Psychic”) PLC Software automated Quality Contro, DNVl
Quality and safe design
• Applicable standards and guidelines governing your
product are a key part of every product liability
• ISO, 14121.199E:
– Documentation on risk assessment shall demonstrate the
procedure which has been followed and the results which have
been achieved
• FDA, General Principles of Software Validation
– Software validation is a critical tool used to assure the quality of
device software and software automated operations. Software
validation can …reduced liability to device manufacturers
• ISO, IEC, IAEA, EWICS, etc.
Common developer issues • Secure and defensive programming
• Many malware exploiting vulnerability because of the lack of defensive
programming
• Defensive programming is not educated widely
• Input inconsistency check, surveillance mechanism, etc.
• Developers ignore the standards because it is cumbersome, they have not had
experiences, or sometime just they don’t like it
• Mistakes leftover in the code unknowingly
• Reuse of code is very common
• Reuse of code causes confusion and mistakes
• Complete manual verification on all test variables and instructions (AFI, etc.) is
virtually impossible
• Lack of verification
• There is no standard to objectively evaluate the quality of programmers
• There are many standards but very little systemic verification (especially for PLC)
• Outsourced development makes it harder to verify the quality
What to do to protect yourself?
• Implement code standardization
– Multiple standards and refer to your industry standard
– Recommend code standardization to your customers
• Encourage and educate to use
– Old habits are hard to kick
– Educate the importance and encourage the developers
• Verify and reinforce with static analyzer
– Manual verification is not enough and can be faulty
– Static anlyzers are priced reasonably
– Don’t forget your PLC/PAC programs