
Keyword Search Result

[Keyword] SAFE(77hit)

61-77hit(77hit)

  • QoS Certification of Real-Time Distributed Computing Systems: Issues and Promising Approaches

    K.H. (Kane) KIM  

     
    INVITED PAPER

    Vol: E86-D No:10  Page(s): 2077-2086

    The general public is expected to demand in the not too distant future instituting more stringent certification procedures for computing parts of traditional and new-generation safety-critical application systems. Such quality-of-service (QoS) certification processes will not and cannot rely solely on the testing approach. Design-time guaranteeing of timely service capabilities of various subsystems is an inevitable part of such processes. Although some promising developments in this area have been occurring in recent years, the technological challenges yet to be overcome are enormous. This paper is a summary of the author's perspective on the remaining challenges and promising directions for tackling them.

  • A Scheduling Policy for Blocked Programs in Multiprogrammed Shared-Memory Multiprocessors

    Inbum JUNG  Jongwoong HYUN  Joonwon LEE  

     
    PAPER-Software Systems

    Vol: E83-D No:9  Page(s): 1762-1771

    Shared memory multiprocessors are frequently used as compute servers with multiple parallel programs executing at the same time. In such environments, an operating system switches the contexts of multiple processes. When the operating system switches contexts, in addition to the cost of saving the context of the process being swapped out and that of bringing in the context of the new process to be run, the cache performance of processors also can be affected. The blocked algorithm improves cache performance by increasing the locality of memory references. In a blocked program using this algorithm, program performance can be significantly affected by the reuse of a block loaded into a cache memory. If frequent context switching replaces the block before it is completely reused, the cache locality in a blocked program cannot be successfully exploited. To address this problem, we propose a preemption-safe policy to utilize the cache locality of blocked programs in a multiprogrammed system. The proposed policy delays context switching until a block is fully reused within a program, but also compensates for the monopolized processor time on processor scheduling mechanisms. Our simulation results show that in a situation where blocked programs are run on multiprogrammed shared-memory multiprocessors, the proposed policy improves the performance of these programs due to a decrease in cache misses. In such situations, it also has a beneficial impact on the overall system performance due to the enhanced processor utilization.

  • Safety Integrity Levels Model for IEC 61508 -- Examination of Modes of Operation --

    Eiichi KATO  Yoshinobu SATO  

     
    LETTER

    Vol: E83-A No:5  Page(s): 863-865

    The present paper modifies the algorithm to estimate harmful event frequencies and examines the definition of modes of operation in IEC 61508. As far as the continuous mode is concerned, the calculated results coincide with those obtained based on the standard. However, for the intermediate region of medium demand frequencies and/or medium demand durations, the standard gives much higher harmful event frequencies than the real values. In order to avoid this difficulty, a new definition of modes of operation and a shortcut method for allocation of SILs are presented.

  • The Future of EMC Technology

    Shuichi NITTA  

     
    INVITED PAPER

    Vol: E83-B No:3  Page(s): 435-443

    This paper reviews the present EMC technology level, introduces the problems to be investigated in the near future from the viewpoint of design technology, test and measurement and systems safety, and proposes what is a goal of technology level of EMC to be established for circuits, equipment and systems.

  • Dosimetric Evaluation of Handheld Mobile Communications Equipment with Known Precision

    Niels KUSTER  Ralph KASTLE  Thomas SCHMID  

     
    INVITED PAPER

    Vol: E80-B No:5  Page(s): 645-652

    Recently several dosimetric assessment procedures have been proposed to demonstrate the compliance of handheld mobile telecommunications equipment (MTE) with safety limits. However, for none of these procedures has an estimation of the overall uncertainty in assessing the maximum exposure been provided for a reasonable cross-section of potential users. This paper presents a setup and procedure based on a high-precision dosimetric scanner combined with a new phantom derived from an anatomical study. This allows the assessment of the maximum spatial peak SAR values occurring in approximately 90% of all MTE users, including children, with a precision of better than 25%. This setup and procedure therefore satisfies the requirements of the FCC, as well as those drafted by a CENELEC working group mandated by the European Union.

  • A New Verification Framework of Object-Oriented Design Specification for Small Scale Software

    Eun Mi KIM  Shinji KUSUMOTO  Tohru KIKUNO  

     
    PAPER-Verification

    Vol: E80-D No:1  Page(s): 51-56

    In this paper, we present a first step for developing a method of verifying both safety and correctness of object-oriented design specification. At first, we analyze the discrepancies, which can occur between requirements specification and design specification, to make clear target faults. Then, we propose a new design review method which aims at detecting faults in the design specification by using three kinds of information tables. Here, we assume that component library, standards for safety and design specification obtained from Booch's object-oriented design method are given. At the beginning, the designers construct a design table based on a design specification, and the verifiers construct a correctness table and a safety table from component library and standards for safety. Then, by comparing the items on three tables, the verifiers review a given design specification and detect faults in it. Finally, using a small example of object-oriented design specification, we show that faults concerning safety or correctness can be detected by the new design review method.

  • Fundamental Analysis on Perception Mechanism of ELF Electric Field

    Hisae ODAGIRI  Koichi SHIMIZU  Goro MATSUMOTO  

     
    PAPER

    Vol: E77-B No:6  Page(s): 719-724

    For the study of the biological effects of ELF (Extremely Low Frequency) electric fields, the perception mechanism of ELF electric fields was analyzed. When a human body is exposed to an electric field, the hair on the body surface moves due to the electric force exerted on the hair. In theoretical analysis, it was shown that the force is approximately proportional to the dielectric constant of hair and the spatial gradient of the square of the electric field at the hair. The dielectric constant of hair was measured with different temperatures and humidities of the surrounding air. A technique was developed to estimate the electric force exerted on a hair during the field exposure. After experiments with model hair, the technique was applied to a body hair of a living human being. It was found that the force increased with field strength and relative humidity. The variations of the force agreed well with those expected from the theoretical analysis and the measurement of hair dielectric constants. These results explain the cause of the reported variation in the threshold of biological effects of an electric field. The results will help to establish a practical safety standard for the field exposure.

  • Estimation of Electric Field Intensity in the Fresnel Region of Colinear Array Antennas

    Takehiko KOBAYASHI  Toshio NOJIMA  

     
    PAPER

    Vol: E77-B No:6  Page(s): 749-753

    An estimation method for efficiently calculating the field intensity in the Fresnel region of broadside colinear array antennas is developed, and its performance is experimentally verified. The calculation utilizes only the antenna design data, and is readily applicable to arbitrary array antennas. This method can provide a safety protection zone in the proximity of array antennas, in order to protect radio communication personnel and the general public from the potentially hazardous radiofrequency exposure.

  • Biological Effects of ELF Electric Fields--Historical Review on Bioengineering Studies in Japan--

    Goro MATSUMOTO  Koichi SHIMIZU  

     
    INVITED PAPER

    Vol: E77-B No:6  Page(s): 684-692

    The studies on the biological effects of ELF electric fields conducted in Japan are reviewed. Among international studies, they are characterized as the studies from the viewpoint of bioengineering. In early studies, the safety standard of high voltage transmission lines was determined by a distinct biological effect, i.e., the sensation of the spark discharge caused by electrostatic induction. In numerical analysis, the field coupling to both animal and human bodies became well understood. Some new measurement techniques were developed which enabled us to evaluate the field exposure on a human body. A system was developed to realize the chronic exposure of an electric field on mice and cats. An optical telemetry technique was developed to measure the physiological response of an animal when it was exposed to an electric field. An ion-current shuttle box was developed to investigate the behavioral change of a rat when it was exposed to an ion-current as well as an electric field. In animal experiments, a mechanism of sensing the field was investigated. The cause of the seasonal change of field sensitivity was found. In cases of chronic exposure, suppression of growth was suspected. In shuttle box studies, an avoidance behavior from an ion-current was quantified. To find whether there are any adverse or beneficial effects of the field exposure on human beings, further study is required to clarify the mechanisms of the biological effects.

  • Present and Future Automotive Electronics

    Shuji MIZUTANI  

     
    INVITED PAPER

    Vol: E76-C No:12  Page(s): 1713-1716

    Electronics and automobiles were bound together by the introduction of emission regulations in the 1970's. The rapid progress of control technology and semiconductors that typify microcomputers has brought still closer relations between them. Without electronics, it would be impossible to realize features such as pursuit of comfort and environmental and safety measures which should be added to the automobile's fundamental features. In looking ahead to the future, the role of electronics in achieving electric automobiles and the ultimate goal of "automatic driving" is ever-increasing. Everyone knows that automobiles have become indispensable in our lives. In the future, the role of electronics will become increasingly important in order to evolve automobiles even further to allow harmonization with society.

  • A Verification Method via Invariant for Communication Protocols Modeled as Extended Communicating Finite-State Machines

    Masahiro HIGUCHI  Osamu SHIRAKAWA  Hiroyuki SEKI  Mamoru FUJII  Tadao KASAMI  

     
    PAPER-Signaling System and Communication Protocol

    Vol: E76-B No:11  Page(s): 1363-1372

    This paper presents a method for verifying safety property of a communication protocol modeled as two extended communicating finite-state machines with two unbounded FIFO channels connecting them. In this method, four types of atomic formulae specifying a condition on a machine and a condition on a sequence of messages in a channel are introduced. A human verifier describes a logical formula which expresses conditions expected to be satisfied by all reachable global states, and a verification system proves that the formula is indeed satisfied by such states (i.e. the formula is an invariant) by induction. If the invariant is never satisfied in any unsafe state, it can be concluded that the protocol is safe. To show the effectiveness of this method, a sample protocol extracted from the data transfer phase of the OSI session protocol was verified by using the verification system.

  • An Application of Regular Temporal Logic to Verification of Fail-Safeness of a Comparator for Redundant System

    Kazuo KAWAKUBO  Hiromi HIRAISHI  

     
    PAPER

    Vol: E76-D No:7  Page(s): 763-770

    In this paper we propose a method of formal verification of fault-tolerance of sequential machines using regular temporal logic. In this method, fault-tolerant properties are described in the form of input-output sequences in regular temporal logic formulas and they are formally verified by checking if they hold for all possible input-output sequences of the machine. We concretely illustrate the method of its application for formal verification of fail-safeness with an example of a comparator for redundant system. The result of verification shows effectiveness of the proposed method.

  • Safety Control of Power Press by Using Fail-Safe Multiple-Valued Logic

    Masayoshi SAKAI  Masakazu KATO  Koichi FUTSUHARA  Masao MUKAIDONO  

     
    PAPER-Fail-Safe/Fault Tolerant

    Vol: E76-D No:5  Page(s): 577-585

    This paper first clarifies the logic construction of safety control for the operation of a power press and then describes fail-safe dual two-rail system signal processing and fail-safe multiple-valued logic operations as methods for achieving this control as a fail-safe system. It finally shows a circuit for generating fail-safe two-rail run button signals based on ternary logic for concrete operation of the power press and an operation control circuit for confirming brake performance for each cycle of slide operation by using the run button signals. The control circuit uses such multiple-valued logic operations that binary logic signals that do not erroneously go logic 1 are added to a multiple-valued logic signal and the multiple-valued logic signal is converted to a binary logic signal that does not erroneously go logic 1 by a threshold operation.

  • Design of Robust-Fault-Tolerant Multiple-Valued Arithmetic Circuits and Their Evaluation

    Takeshi KASUGA  Michitaka KAMEYAMA  Tatsuo HIGUCHI  

     
    PAPER

    Vol: E76-C No:3  Page(s): 428-435

    Robust-fault tolerance is a property that a computational result becomes nearly equal to the correct one at the occurrence of faults in a digital system. There are many cases where the safety of digital control systems can be maintained if the property is satisfied. In this paper, robust-fault-tolerant three-valued arithmetic modules such as an adder and a multiplier are proposed. The positive and negative integers are represented by the number of 1's and 1's, respectively. The design concept of the arithmetic modules is that a fault makes linearly additive effect with a small value to the final result. Each arithmetic module consists of identical submodules linearly connected, so that multi-stage structure is formed to generate the final output from the last submodule. Between the input and output digits in the submodule some simple functional relation is satisfied with respect to the number of 1's and 1's. Moreover, the output digit value depends on a very small portion of the submodules including the input digits. These properties make the linearly additive effect with a small value to the final result in the arithmetic modules even if multiple faults occur at the input and output of any gates in the submodules. Not only direct three-valued representation but also the use of three-valued logic circuits is inherently suitable for efficient implementation of the arithmetic VLSI system. The evaluation of the robust-fault-tolerant three-valued arithmetic modules is done with regard to the chip size and the speed using the standard CMOS design rule. As a result, it is made clear that the chip size can be greatly reduced.

  • Structural and Behavioral Analysis of State Machine Allocatable Nets Based on Net Decomposition

    Dong-Ik LEE  Tadaaki NISHIMURA  Sadatoshi KUMAGAI  

     
    PAPER

    Vol: E76-A No:3  Page(s): 399-408

    Free choice nets are a class of Petri nets, which can represent the substantial features of systems by modeling both choice and concurrency. And in the modelling and design of a large number of concurrent systems, the structural characteristics of live and safe free choice nets (LSFC nets) have been explored. On the other hand, state machine decomposable nets (SMD nets) are a class of Petri nets which can be decomposed by a set of strongly connected state machines (S-decomposition). State machine allocatable nets (SMA nets) are a well-behaved class of SMD nets. Of particular interest is the relation between free choice nets and SMA nets such that a free choice net has a live and safe marking if and only if the net is an SMA net. That is, the structure of an LSFC net is an SMA net. Recently, the structure of SMA net has been completely characterized by the authors based on an S-decomposition. In other words, a necessary and sufficient condition for a net to be an SMA net is obtained in terms of the net structure where synchronization between strongly connected state machine components (S-components) has been clarified. Unfortunately, it requires a tremendous amount of time and space to decide a given net to be an SMA net by applying the condition directly. Moreover, there exists no efficient algorithm to decide the liveness and safeness of a given SMA net that lessens the usefulness of decomposition techniques. In this paper, we consider efficient polynomial order algorithms to decide whether a given net is a live and safe SMA net.

  • LSI Implementation and Safety Verification of Window Comparator Used in Fail-Safe Multiple-Valued Logic Operations

    Masakazu KATO  Masayoshi SAKAI  Koji JINKAWA  Koichi FUTSUHARA  Masao MUKAIDONO  

     
    PAPER

    Vol: E76-C No:3  Page(s): 419-427

    A fail-safe logic operation refers to such a processing operation that the output assumes the logical value zero when the operation circuit fails. The fail-safe multiple-valued logic operation is proposed as one method of logic operation. Section 2 defines the fail-safe multiple-valued logic operation and presents an example of method for accomplishing the fail-safe multiple-valued logic operation. Section 3 describes the method of designing a fail-safe threshold operation device (window comparator) as basic device in the fail-safe multiple-valued logic operation in consideration of LSI implementation and shows an example of prototype fail-safe window comparator. This operation device has higher and lower thresholds. It oscillates and produces an operational output signal only when the input signal level falls between the higher and lower thresholds. Unless the fail-safe window comparator is supplied with input signals of higher voltage than the power supply voltage, it does not form a feedback loop as required for it to oscillate. This characteristic prevents the device from erroneously producing an output signal when any failure occurs in the amplifiers comprising the oscillation circuit. The window comparator can be built as a fail-safe threshold operation device. The fail-safe characteristic is utilized in its LSI implementation. Section 4 verifies the fail-safe property of the prototype fail-safe window comparator. It is shown that even when the LSI develops failures not evident from outside (latent failures), it does not lose the operational function and maintains the fail-safe characteristic.

  • A Method of Composing Communication Protocols with Priority Service

    Masahiro HIGUCHI  Hiroyuki SEKI  Tadao KASAMI  

     
    PAPER

    Vol: E75-B No:10  Page(s): 1032-1042

    Many practical communication protocols provide priority service as well as ordinary service. In such a protocol, the protocol machines can initiate a priority service at most of the states. This characteristic leads to an extreme increment of the number of state transitions on the protocol machines and causes state space explosion in verification of safety property of the protocol. This paper describes a method of constructing a communication protocol from composition of a subprotocol for ordinary service and that for priority service. This paper also presents a sufficient condition for a composed protocol to inherit safety property from the subprotocols. By using the composition method and the sufficient condition, the decision problem for safety property of the composed protocol can be reduced to those of the subprotocols. An experimental result of verification of a part of OSI session protocol is also described. The result shows that the method can reduce the computation time for verifying safety property to about 3% against the naive way.
