Vol 17, No 3 (2017)
STRUCTURAL RELIABILITY. THE THEORY AND PRACTICE
3-9 1078
Abstract
This paper is a follow-up to [1]. It examines the planning of the scope of testing of highly dependable objects. The development and manufacture of new technology involves determining its dependability indicators. The most objective method of identifying the dependability characteristics of products is field testing. One of the widely used testing plans is the [N,U,T] plan. This plan involves testing N non-repairable samples within the time interval between 0 and a certain T. It is assumed that during the tests k objects fail, while N-k objects successfully pass the tests. Thus, at the outcome of the experiment we have a mixed sample that includes k times to failure and N-k right-censored observations. If the tested object is highly dependable, it is quite possible that no failures will occur within the time period [0,T], i.e. k will be equal to 0, since the probability of failure within this time period is extremely low and the number of tested objects is limited. Nevertheless, even in this situation it would be desirable to be able to control the accuracy of the estimates obtained in such experiments. It is clear that the accuracy of such estimates depends not only on the number of tested objects N, but also on the duration of the experiment. For a fixed N, as the observation time T grows, the estimation accuracy increases due to the increasing proportion of complete times, while the proportion of censored ones goes down. It should be noted that when the dependability characteristics of complex and costly objects are to be identified, large batches of finished products cannot be tested. Therefore the problem consists in defining the testing duration and the size of the product batch to be tested subject to specified requirements for the accuracy of the estimates of dependability characteristics obtained as the result of the tests.
The scope planning is based on the manufacturer’s requirement to validate the lower bound of the probability of no failure P0 with a specified confidence level at a certain time point t0. The aim of the paper is to identify the test scope of a batch of finished products N(T) under the condition that the manufacturer’s requirement for the lower confidence bound of the probability of no failure with a specified confidence level 1 – α is fulfilled. Three failure distributions are examined: the exponential distribution law, the Weibull distribution and a distribution with a linear failure rate function. The considered types of distribution law enable the study of objects with decreasing, constant and increasing failure rate functions. Methods. In this paper the authors deduce formulas for calculating the scope of the experiment for a number of experiment durations. The estimates are obtained using the maximum likelihood method, and their asymptotic properties are studied through the Fisher information quantity. Conclusions. The findings allow for a substantiated approach to planning the scope of highly dependable objects testing. It is shown that the longer the experiment duration, the fewer products must be supplied for testing. The dependence is non-linear, close to hyperbolic, and is conditioned by both the input parameters and the parametrization of the failure rate function.
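As an added illustration of the [N,U,T] planning problem described in this abstract (example code written for this page, not the authors' formulas or software): for the exponential law the two ingredients of the plan can be written down in closed form. The maximum likelihood estimate of the failure rate from a mixed sample of k failure times and N-k right-censored observations, the Fisher information of the plan, and the sample size N(T) that a zero-failure test (k = 0) of duration T must have to demonstrate P(t0) >= P0 at confidence 1 – α. The sample-size formula used here is the exact zero-failure bound (the probability of seeing no failures in N units over T is exp(-λNT)), not the authors' asymptotic Fisher-information approach; the function names and the numerical inputs (t0, P0, α, the durations and the failure times) are constructed for the example.

```python
"""[N,U,T] test planning for an exponential failure law (added example)."""
import math
from typing import List, Sequence


def exponential_mle(failure_times: Sequence[float], n_tested: int, t_end: float) -> float:
    """MLE of the failure rate lambda from a Type I right-censored sample.

    k units failed at the given times, the remaining N-k survived until T.
    The total time on test is sum(t_i) + (N-k)*T and lambda_hat = k / total.
    """
    k = len(failure_times)
    if k == 0:
        # With no failures the MLE degenerates to 0; a confidence bound is needed instead.
        raise ValueError("no failures observed: use required_sample_size / lower_bound_survival")
    if any(t < 0 or t > t_end for t in failure_times):
        raise ValueError("failure times must lie within the observation window [0, T]")
    total_time_on_test = sum(failure_times) + (n_tested - k) * t_end
    return k / total_time_on_test


def fisher_information(lam: float, n_tested: int, t_end: float) -> float:
    """Fisher information about lambda carried by an [N,U,T] plan.

    Each unit contributes (1 - exp(-lambda*T)) / lambda^2: the expected number
    of observed failures divided by lambda^2. Longer T -> more information.
    """
    return n_tested * (1.0 - math.exp(-lam * t_end)) / lam ** 2


def lower_bound_survival(n_tested: int, t_end: float, t0: float, alpha: float) -> float:
    """Lower (1-alpha) confidence bound on P(t0) after a zero-failure test.

    Zero failures in N units over [0,T] gives the upper bound
    lambda_U = -ln(alpha) / (N*T), hence P_L(t0) = exp(-lambda_U*t0) = alpha**(t0/(N*T)).
    """
    return alpha ** (t0 / (n_tested * t_end))


def required_sample_size(t0: float, p0: float, alpha: float, t_end: float) -> int:
    """Smallest N such that a zero-failure test of duration T demonstrates P(t0) >= p0.

    Solving alpha**(t0/(N*T)) >= p0 for N gives N >= (t0/T) * ln(alpha) / ln(p0);
    both logarithms are negative, so the ratio is positive.
    """
    if not (0 < alpha < 1 and 0 < p0 < 1):
        raise ValueError("alpha and p0 must lie strictly between 0 and 1")
    n_real = (t0 / t_end) * math.log(alpha) / math.log(p0)
    return math.ceil(n_real)


def sample_size_curve(t0: float, p0: float, alpha: float, durations: Sequence[float]) -> List[int]:
    """N(T) for several test durations; N*T stays roughly constant (hyperbolic dependence)."""
    return [required_sample_size(t0, p0, alpha, t_end) for t_end in durations]


if __name__ == "__main__":
    # Constructed sample: 10 units tested for 500 h, three failed at 120, 340 and 410 h.
    lam_hat = exponential_mle([120.0, 340.0, 410.0], n_tested=10, t_end=500.0)
    print(f"lambda_hat = {lam_hat:.6f} 1/h, Fisher info = {fisher_information(lam_hat, 10, 500.0):.1f}")

    # Constructed requirement: demonstrate P(1000 h) >= 0.99 at confidence 0.9.
    for t_end, n in zip([1000.0, 2000.0, 4000.0], sample_size_curve(1000.0, 0.99, 0.1, [1000.0, 2000.0, 4000.0])):
        print(f"T = {t_end:6.0f} h -> N = {n:4d}, P_L(t0) = {lower_bound_survival(n, t_end, 1000.0, 0.1):.5f}")
```

Running the block shows the trade-off the abstract describes: doubling T roughly halves the number of units needed, and the planner can check the choice by confirming that `lower_bound_survival` with the chosen N and T is at least P0 while N-1 units would fall short.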
10-16 1237
Abstract
Aim. Drawing the readers’ attention to the growing number of industrial disasters, the associated damage, increasing human casualties and the connection of this phenomenon with computer-based automation systems. The authors argue for a design technology with extended safety features in view of the multifold growth of abnormal natural and industrial effects. The paper describes and analyzes the distinctive features of control systems of critical application facilities and the consequences of disregarding additional inspection of circuitry and software. Of special note is the growing risk caused by the introduction of unmanned technologies and their mass application in railway and automotive transportation. The paper examines the problems of control systems’ resilience to faults and external actions depending on the components used. Statistics of industrial disasters are provided, and their connection with the indicators of control systems’ instability is examined. A special emphasis is put on the distinctive features of today’s microelectronic components and the effects of technological progress on the systems’ interference immunity and fault rate. Of note is the growing number of hazardous failures in systems based on 0.13-μm and lower microcontrollers. Significant attention is given to the distinctive features of modern chips and their layout, particularly of the main elements of a control system, i.e. the microcontroller and the digital signal processor, and to the influence of external effects on the chip. The matters related to CMOS layout in microprocessor-based units are considered, and the dependence is shown between the rising noise influence and the migration to new CMOS technology.
Attention is drawn to the requirement to train an appropriate class of specialists able to work with such systems, who have not only software engineering skills, but also profound knowledge of physics and of the fundamentals of control systems design and their stability. Results. A comparative evaluation of the stability of 0.5 μm and 130 nm CMOS has been conducted. The resultant difference in threshold power of interference is over 4000 times. It is noted that most developers who design software for such systems are misled by the non-availability of any public information on the fault rate of processing elements from the manufacturing companies. By taking the dependability figures as the main parameter they misjudge the safety integrity level, as instead of the fault rate parameters they erroneously use the microchip’s dependability figures provided by the manufacturer. Additionally, standard methods of improving the safety level used by developers (e.g. redundancy) often prove to be inefficient. Conclusions. Designing highly dependable and safe control systems must take into consideration the distinctive features of today’s computer components, given the fact that new generations of modern microchips, due to their fault rate characteristics, are often unusable in highly dependable system design. Improving existing standards and developing new ways of increasing the stability and safety of systems appear to be relevant. Also noted is the requirement of maintaining the level of education and awareness of a wide community of developers who work with control systems in transportation, energy, industrial automation, weapon systems, etc. as regards the importance of ensuring the required level of functional safety.
17-23 1278
Abstract
Aim. Dependability of products is usually researched with no regard to its genesis, while the causes of undependability are conventionally regarded as generalizing stochastic relationships that take into consideration “the result of interaction of a number of factors: the environment, system properties, process-specific, operational and other requirements.” Consequently, the evaluation of dependability indicators is based on the assumption that by the beginning of operation the product is in working order. Respectively, the relations between dependability and time are considered only for the product operation period. The best known dependability-to-time relation is the empirical failure function, the so-called U-shaped dependability curve, which no one has yet been able to describe with simple mathematical formulas usable in engineering calculations. The presence of the first “hump” in the U-shaped curve is associated with the manifestation of design errors, manufacturing defects or incorrect assembly of products, yet the specific causes of this “hump’s” existence are not clarified in publications. The definition of the term “operability” does not rule out cases, which in practice occur often, when design and development activities do not cover all the parameters that characterize the product’s ability to perform the specified functions, or when some of the documented requirements are not coordinated with the values of functional parameters, while during manufacture the values of such parameters may exceed the specified limits. As the result, a seemingly operable structure that passes experimental development may not be fit in terms of specified dependability indicators. Methods. The dependability properties of any product are specified long before operation and can only fully manifest themselves after its beginning.
The paper shows a graph that reflects the conditional probability of fault-free operation per lifecycle stage of products long before the beginning of operation. The dependability of unique highly vital systems (UHVS) may be ensured from the very early lifecycle stages based on the consecutive execution of certain design, process engineering and manufacturing procedures, as well as the application of engineering analysis of dependability. Results. The paper examines the role and significance of each lifecycle stage in ensuring UHVS dependability. The procedures of the engineering method of ensuring dependability are listed, and the principles of UHVS design are set forth. Basic tools for increasing dependability and its evaluation principles are shown. Conclusions. The paper shows the possibility of ensuring the dependability of UHVSs using engineering procedures implemented at each lifecycle stage before the beginning of operation. Such procedures would enable an adequate level of design, development, preproduction and manufacture, as well as the development of a UHVS dependability evaluation method based on a single theoretical and methodological basis.
24-31 1164
Abstract
In [1-2] it is shown that the widely known Esary-Proschan assessments [3-6] (EPA) are NP-complete [7]. In the process of their calculation a mutual cross-over of those assessments occurs, despite the fact that the procedure of enumeration of complete sets of simple chains (SChs) and simple cuts (SCus) is performed all the way. This is confirmed by special research of these paradoxical phenomena in EPA conducted in [8], which concludes that EPAs are not assessments, as assessments cannot be NP-complete. In [7] it is clearly stated that in general the enumeration of a complete set of SCh (or SCu) alone is already an NP-complete problem. It follows directly that no NP-complete method can be an assessment method. In [9-10] a number of problems are classified depending on the associated computational complexity. Of those presented, the most favourable is the intellectually intensive class, as it allows controlling the computational process in the most desirable way, i.e. it allows implementing the forced interruption principle (FIP) with regard to a computational procedure that is assessed by a certain parameter, for example the achieved relative computational error. It should be noted that the devices, mechanisms and other systems we deal with in real life are called automated because such man-machine systems implement the FIP at the discretion of the human operator. We deal much less with automatic systems. The aim of this paper is to set forth formal rules that allow the conventional NP-complete Esary-Proschan assessments to be transformed quite easily into the class of intelligent (IN-class) assessment methods that implement the FIP. Complete sets of SCh and SCu do not need to be enumerated here. Expanding the class of existing [1-6, 8, 11-29] methods that in one way or another implement the FIP is without a doubt a relevant problem for experts involved in structural dependability analysis of complex systems.
It is an axiom that any of the tools of such system analysis, of which the exhaustive events (EE) are the “delivery nurse”, contributes to the design of structurally dependent systems, while at the same time developing the analysis tool system itself. Essentially, the problem consists in casting the classic EPAs in the form of logic symbol multiplication (LSM) of the logical operands the method uses. The result is that we remove the “hardships” of NP-completeness from the classic EPAs and obtain a sufficiently efficient analysis tool.
FUNCTIONAL RELIABILITY. THE THEORY AND PRACTICE
32-40 1473
Abstract
Aim. The aim of the paper is to develop a method that would allow for integrated experimental, computational, analytical and expert assessment of the vulnerabilities of satellite communication networks, of the feasibility of information technology interference by intruders against such vulnerabilities, and of the probability of fault tolerance under the chosen information protection solutions, trusted information technologies and fault tolerance sensors. The paper shows the relevance and importance of the method of increasing the fault tolerance of satellite communication networks under information technology interference in service control channels and satellite equipment data. The authors examine targeted information technology interference that causes malfunction of satellite modems, control stations and connected user computer networks. The paper shows the unique nature of satellite communication network operation due to the global operating range, the availability of broadband radio signals from communication and retransmission spacecraft for technical analysis and processing within the operating range, and the potential possibility of unauthorized connection to communication services. The primary directions of development of procedural and process engineering guidelines on the protection and fault tolerance of satellite communication networks are defined. Methods. A method has been developed that is based on three components: a model of experimental identification of satellite communication network vulnerabilities; a simulation, computational and analytical model of detection and identification of threats of information technology interference; and a decision-making algorithm for improvement of the fault tolerance of a satellite communication network under information technology interference.
The model of experimental detection of satellite communication network vulnerabilities allows, as part of bench tests, establishing connections between existing vulnerabilities of the hardware and software of satellite modems, control stations and user networks and the potential information technology interferences by intruders. As part of the vulnerability model the authors describe the certificates of vulnerable radio technical and information technology parameters of satellite communication network signals, and suggest an analytic expression for calculating the probability of detection of such network vulnerabilities. The paper presents a computational and analytical model of detection and identification of information technology interference threats as a structure of advanced means of detection, prevention and elimination of the consequences of information technology interference in satellite communication networks, together with the mathematical expression for identifying the conditional probability of materialization of the threat of information technology interference in satellite communication networks. An algorithm is considered for improving the fault tolerance of satellite communication networks under information technology interference, including preparation of parameters and evaluation of the fault tolerance of a satellite communication network, adjustment of the parameters of the satellite communication network, information security facilities and fault tolerance sensors, and situational adjustment of satellite communication network fault tolerance solutions. Conclusions.
It is noted that the developed method enables improved fault tolerance of satellite communication networks under information technology interference based on a set of interconnected procedures: the model of experimental detection of satellite communication network vulnerabilities on a testbed; the simulation, computational and analytical models of detection and identification of information technology interference threats; and the application of the decision-making algorithm for improvement of satellite communication network fault tolerance.
FUNCTIONAL SAFETY. THE THEORY AND PRACTICE
41-48 1155
Abstract
Aim. The so-called pair-wise comparison method is one of the most popular decision-making procedures owing to its efficiency, flexibility and simplicity. The primary disadvantage of this method in the context of expert evaluation of large numbers of alternatives, or within a sufficiently wide field of knowledge, is the impossibility of comparing every element with every other, due to the large number of such comparisons, random gaps and the difficulties experienced by the expert while comparing some alternatives. The assessments are affected by gaps that complicate decision-making, as most statistical methods are not applicable to incomplete sets of data. The fairly popular algorithm for processing pair-wise comparison matrices (the Saaty algorithm) cannot work with matrices that predominantly contain zero components. The purpose of the paper is to develop a method of processing comparison matrices in order to obtain weight coefficients (weights) of the considered alternatives that enable quantitative comparisons. Methods. In practice, there are several approaches to managing sets of data with gaps. The first, most easily implementable, approach involves the elimination of records with gaps from the set and further handling of only complete data. This approach should be used in case gaps in the data are isolated, although even in this case there is a serious risk of “losing” important trends while deleting data. The second approach involves using special modifications of data processing methods that tolerate gaps in sets of data. And, finally, there are various methods of estimating missing element values. Those methods help to fill in the gaps in sets of data based on certain assumptions regarding the values of the missing data. The applicability and efficiency of individual approaches, in principle, depend on the number of gaps in the data and the reasons for their occurrence.
In this paper, the pair-wise comparison matrix is considered in the form of a weighted graph, where the alternatives are the nodes and the comparisons are the edges of the graph. Respectively, if a pair of alternatives occurs for which the expert could not specify a preference, the corresponding edge is absent. The paper considers a way of removing edges that correspond to the most controversial values, i.e. a cycle breakage algorithm that transforms the initial graph into a spanning tree that allows for unambiguous comparison of any two alternatives. The algorithm of joint alignment of both the upper and lower boundaries of expert assessments is not considered in this paper. Results. The paper gives an example of practical application of the developed algorithm of processing incomplete matrices of pair-wise comparisons of ten objects obtained in a certain expert assessment. It also shows the efficiency of the suggested approach to priority recovery of compared alternatives, and explores ways of automating the computation and future lines of research. Conclusions. The proposed method can be used in a wide range of tasks of analysis and quantitative evaluation of risks, safety management of complex systems and objects, as well as tasks related to the verification of compliance with the requirements for such highly dependable elements as nuclear reactors, aviation and rocket technology, gas equipment components, etc., i.e. in cases when low (less than 0.01) probabilities of failure per given operation time are to be evaluated, while failure statistics for such elements in operation are practically nonexistent. The proposed algorithm can be applied in expert assessment in order to identify the type and parameters of the time to failure distribution of such highly dependable elements, which in turn will allow evaluating dependability characteristics with the required accuracy.
49-57 1057
Abstract
Aim. Evaluating the risk of collision between trains during shunting operations in railway stations. Risk is the combination of the probability and the consequences of an event. The most complicated task related to risk assessment is the choice of the evaluation model for the probability of an undesired event. The model must ensure practical applicability of the results. In the context of railway facilities the construction of analytical models of probability evaluation is of principal interest due to the possibility of demonstrating the factors that are taken into consideration by the model. The main purpose of this paper is to examine the extent to which the Shunting Automatic Cab Signalling System (MALS) contributes to the probability of side collision of trains involving shunting engines in railway stations. The main function of the Shunting Automatic Cab Signalling System is to ensure that shunting engines do not pass signals at danger in stations. Methods. Methods of probability theory and the theory of random processes, the addition and multiplication formulas, composite probability, and properties of Poisson flows. In [2] a method is suggested for calculating the probability of collision as the result of a shunting or train locomotive passing a signal at danger. The development of the method was based on the main assumption that the flow of shunting consists over each switch is a Poisson flow. This paper suggests a modification of this method that takes into consideration the possible use of the MALS system with shunting engines. The input data for the algorithm of calculation of the collision probability are the station topology, the passenger train schedule and their possible routes through the station, average train lengths and speeds, as well as the frequency of shunting consists passing over switches. Results. An algorithm has been developed for calculating the probability of a train-to-train collision involving shunting engines within a random time period.
For different operating modes, e.g. pulling up and coupling, formulas are shown for calculating the probability of collision with a passenger or freight train on a random switch. The algorithm consists in the following: 1) a time period is specified for which the probability of collision is to be calculated; 2) the passenger train timetable is compiled using data from ASU “Express”; 3) the overall number of passenger trains passing through the station within the specified time period is calculated; 4) passenger trains are renumbered according to the order of their arrival at the station; 5) the probability of signal violation by a shunting engine driver is calculated; 6) the probability of violation of traffic safety by a shunting engine driver in the “pull up” mode is calculated; 7) the probability of violation of traffic safety by the shunting engine driver after coupling with the “coupling” mode off is calculated; 8) the overall number of possible routes for each train is calculated; 9) for each train the frequency of each route is identified; 10) for each switch of each route a number is assigned in the order of appearance; 11) the probability that each passenger train on each route has at least one collision is calculated; 12) the probability of at least one collision of each passenger train moving through the station is calculated; 13) the probability of at least one collision in the station within the specified period of time is calculated. The paper considers the example of calculating the collision probability for an individual train route and for the station as a whole within a month and a year. It shows that the use of MALS helps significantly reduce the probability of side collisions in railway stations.
58-62 1002
Abstract
Aim. Familiarizing the readers with the state of the art and development prospects of functional safety norms and standards in the Russian Federation. As the safety of any product, service or process is its second most important characteristic after its function, safety-related systems (SRSs) are widely used in order to ensure the safety of industrial, transportation, energy, communication and critical facilities, buildings and structures, urban infrastructure, as well as machines, equipment and vehicles. Unfortunately, since the 1980s the technologies used in the development of SRSs have not gained full traction in Russia. As the result, a conservative approach is in use that often involves excessive requirements, which increases the cost of the developed safety systems but usually does not guarantee compliance with the requirements. Currently, functional safety (FS) is recognized globally as the primary SRS characteristic, which indicates the probability of successful performance by the system of the safety function(s) under the given conditions within the given time period. Methods. Globally, the implementation, further development and practical application of the FS method is based on the development and application of a large number of regulatory documents at the international, regional and national levels that help organize and perform activities related to the assessment and confirmation of FS requirements compliance for a wide range of SRSs. In order to ensure methodological support and coordination of the activities aimed at the development of the FS-related regulatory framework in the Russian Federation, in accordance with the national standard GOST R 1.1-2013 “Standardization in the Russian Federation. Technical committees for standardization. Rules of organization and function”, the technical committee for standardization TK 058 “Functional Safety” has been established; it is actively working and has so far developed around 50 FS-related standards.
The TK 058 standardization activities are based on the provisions of the Federal Law dated June 29, 2015 no. 162-FZ “On standardization in the Russian Federation”. Conclusions. As a certain FS-related regulatory framework has already been established in the Russian Federation, while the market shows demand for services of FS requirements compliance evaluation, the main task for today is to develop, using national and international requirements, the organizational support and the regulatory and guidance documentation that would create a fully-fledged infrastructure implementing the national institution of FS requirements compliance verification. That will ensure not only a radical reduction of the risk of disasters and accidents, but also significantly increase the competitiveness of Russian products in the internal and foreign markets.