A critical system is a system whose failure or malfunction may result in death or serious injury to people, loss of or severe damage to equipment, or environmental harm. Many critical systems rely on correct, valid images being displayed on graphical displays; the users of the system make decisions or execute operations based on the displayed image. The operator of the critical system must therefore be assured that the displayed image is both correct and valid, because an image that is incorrect yet valid cannot be detected as such by the operator or user. One example of a critical system design that lets an evaluator be confident of the displayed image is the dual-display arrangement used in aircraft control systems, in which the same image is presented on two independent displays. Such dual displays, however, require the operator to constantly scan two different display screens and detect any differences or changes between them.
Valid, incorrect images are images that appear correct to the operator or evaluator of the image, but whose image data has been corrupted by an inadvertent or malicious event. The result is an image that appears correct, in that it complies with all of the display formalities, yet conveys information that is incorrect.
To determine the likelihood that an incorrect, valid image will be displayed, a fault tree analysis can be conducted. A fault tree analysis is a failure analysis in which an undesired state of the system (the top event) is analyzed using Boolean logic to combine a series of lower-level events. The method is used mainly to determine quantitatively the probability of a failure event. In a critical system fault tree analysis, like that shown in FIG. 1, any single failure (shown as Streams A-N) would generate a false display of the critical information. By estimating the probability of occurrence of each fault event and combining those probabilities according to the gate logic of the tree, a system designer can generate an overall likelihood of a false display of critical information, i.e., of displaying an incorrect, valid image. Where any one of N independent events suffices to cause the failure (an OR gate, as for the streams in FIG. 1), the top-event probability is 1 - (1 - p_1)(1 - p_2)...(1 - p_N), which for small p_i is approximately the sum of the p_i; the individual probabilities are multiplied together only where every event must occur for the failure to result (an AND gate), for example where two independent displays must both fail in the same way before the error goes undetected. Critical systems must be designed such that the probability of displaying an incorrect, valid image is minimized, because any incorrect, valid image could have catastrophic results for the operator or others relying on the information contained in the displayed image. As a result, every system is allocated at design time a fault tolerance threshold: the maximum allowable probability that an incorrect, valid image is displayed by the critical system.
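The following is an added worked example and is not part of the original text: a small evaluator for a fault tree of the kind shown in FIG. 1. The per-stream probabilities, the tree shapes and the fault tolerance threshold are all constructed here for illustration, and the basic events are assumed to be independent. It contrasts the correct OR-gate combination with the naive product of the individual stream probabilities, and models the dual-display arrangement as an AND gate over two independent display chains (a simplifying assumption that treats the operator's comparison of the two screens as perfect).

```python
from dataclasses import dataclass
from functools import reduce
from operator import mul
from typing import List, Union


@dataclass(frozen=True)
class BasicEvent:
    """A leaf of the fault tree: one fault with a fixed probability of occurring.
    Basic events are assumed to be mutually independent (an assumption of this example)."""
    name: str
    p: float

    def __post_init__(self):
        if not 0.0 <= self.p <= 1.0:
            raise ValueError(f"{self.name}: probability {self.p} is not in [0, 1]")


@dataclass(frozen=True)
class Gate:
    """An internal node combining its inputs with Boolean logic.
    OR : the output fault occurs if ANY input occurs (any one stream corrupts the image).
    AND: the output fault occurs only if ALL inputs occur (every redundant path must fail)."""
    kind: str
    inputs: List["Node"]
    name: str = ""

    def __post_init__(self):
        if self.kind not in ("OR", "AND"):
            raise ValueError(f"{self.name}: unknown gate kind {self.kind!r}")
        if not self.inputs:
            raise ValueError(f"{self.name}: gate has no inputs")


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, given independence of the basic events."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        # All inputs must occur: the product of their probabilities.
        return reduce(mul, ps, 1.0)
    # OR: complement of "no input occurs at all".
    none_occur = reduce(mul, (1.0 - p for p in ps), 1.0)
    return 1.0 - none_occur


def naive_product(events: List[BasicEvent]) -> float:
    """Multiplying every stream's probability together. For an OR gate this is the
    wrong combination rule and grossly understates the risk; shown for contrast."""
    return reduce(mul, (e.p for e in events), 1.0)


def union_bound(events: List[BasicEvent]) -> float:
    """Sum of the basic-event probabilities: an upper bound on an OR gate over those
    events, and a close approximation when every p_i is small."""
    return sum(e.p for e in events)


def meets_threshold(top: Node, threshold: float) -> bool:
    """True if the top-event probability does not exceed the allocated fault tolerance threshold."""
    return probability(top) <= threshold


# Constructed sample tree in the shape of FIG. 1: four data streams (the page shows
# Streams A-N), any one of which can corrupt the displayed image. The probabilities
# are invented per-flight-hour figures for illustration, not values from the page.
STREAMS = [
    BasicEvent("stream_A", 1e-5),
    BasicEvent("stream_B", 2e-5),
    BasicEvent("stream_C", 5e-6),
    BasicEvent("stream_D", 1e-6),
]
SINGLE_DISPLAY = Gate("OR", STREAMS, name="false display on one screen")

# Dual-display arrangement: an undetected false display requires BOTH independent
# display chains to fail (assumes the operator's comparison of the screens is perfect).
SECOND_SCREEN = Gate("OR", [BasicEvent(e.name + "_2", e.p) for e in STREAMS], name="screen 2")
DUAL_DISPLAY = Gate("AND", [SINGLE_DISPLAY, SECOND_SCREEN], name="undetected false display")

# Hypothetical fault tolerance threshold allocated to the display function.
THRESHOLD = 1e-6

if __name__ == "__main__":
    print(f"naive product (wrong for an OR gate): {naive_product(STREAMS):.3e}")
    print(f"union bound (sum of p_i):             {union_bound(STREAMS):.3e}")
    print(f"single display, OR gate:              {probability(SINGLE_DISPLAY):.3e}"
          f"  meets {THRESHOLD:.0e}? {meets_threshold(SINGLE_DISPLAY, THRESHOLD)}")
    print(f"dual display, AND of two OR gates:    {probability(DUAL_DISPLAY):.3e}"
          f"  meets {THRESHOLD:.0e}? {meets_threshold(DUAL_DISPLAY, THRESHOLD)}")
```

With the constructed figures the single-display tree comes out at roughly 3.6e-5 per hour, sixteen orders of magnitude above the 1e-21 that the naive product suggests, and fails the hypothetical 1e-6 threshold; the dual-display AND gate brings it to about 1.3e-9. Real analyses must also account for common-cause failures (shared sensors, shared software, shared power), which break the independence assumption and are exactly the cases the AND gate would otherwise hide.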
An additional problem in designing reliable critical systems is that the reliability of the hardware and software components used in them is directly related to the cost of those components: the most reliable components are also the most expensive. If a system design requires extremely reliable operation, the cost of its components is therefore generally commensurately higher than the component costs of a less reliable system.