Requirements Specification

The basic task of the system is to pump the water that accumulates at the bottom of the shaft to the surface. The following image illustrates the pump control system.

Functional Requirements

• Pump operation. The pump is switched on when the water level is below the high-water level and the methane level is below critical. In addition to automatic operation, the operator and the supervisor are allowed to switch the pump on and off based on some conditions. The operator is only allowed to switch on the pump when the water level is above the low-water level, and the methane level is below critical. The supervisor however can switch it on only based on the methane level, which has to be below critical.
  The pump is switched off automatically when the water level goes below the low-water level or when the methane level reaches the critical level. The supervisor is allowed to switch it off only when the water level is below the high-water level.
• Pump monitoring. Every operation on the pump and its state alterations are logged.
• Environment monitoring. The environment sensors for methane and carbon monooxide gas, and airflow need to be constantly monitored and logged. The critical levels of these sensor values may lead to the pump being shutdown or to alarms being raised.
• Operator information. The operator should receive information about all critical readings of sensors.

Non-functional Requirements

Among the related non-functional requirements, we are interested in the dependability requirement defined below.

Dependability

For the pump control system, the dependability requirements ensure that the system is reliable and safe.
Reliability of the pump system is measured by the number of shifts that can be allowed to be lost if the pump does not operate when it should be. In this case, a system can be said to be reliable if it loses at most 1 shift in 100. Also, even on pump failure, a water accretion period of one hour is allowed before a shift is defined as lost.
Safety of the pump system is related to the probability that an explosion can occur if the pump is operated when the methane level is above critical. In this case, the probability is assumed to be less than 10-7 during the lifetime of the system.

Architectural Design

Logical Architecture

The logical architecture, as mentioned previously, considers the functional requirements of the system, and in this case also the security requirement. Hence, for this system, the functional requirements can be mapped to four classes: pump subsystem, data logger (introduced due to pump monitoring), environment subsystem, and operator.

Physical Architecture

Dependability

At the subsystems level, safety of the system can be threatened due to the failures mentioned below.

• The environment subsystem sends an incorrect methane value to the pump subsystem.
• The environment subsystem fails to generate an alarm when the methane level goes above critical.
• The communication subsystem does not notify the pump subsystem about the alarm.
• The pump subsystem fails to switch off the pump after receiving the alarm.

From the above, it can be deduced that safety of the system is dependent on the environment subsystem, the pump subsystem, and the communication medium between them. Two types of failures can affect safety: fail-silent and fail-noisy. The first step would be to create fault containment areas. The task of raising an alarm can be avoided, if the pump subsystem can be assigned an additional operation of checking the methane level continuously. This way the pump can switch itself off when it receives no response from the environment subsystem.
In the case of reliability, to prevent loss of shift, the pump should be repaired before the water accretion period passes.
Looking into more details, the component sensor in the pump subsystem needs to be annotated with attributes like failure probability and MTBF (mean time between failures). Since, sensors only fail in a fail-noisy way, replication of the sensors is required to tolerate hardware failure. Three sets of sensors can be used along with N-modular redundancy (NMR) technique for detecting and tolerating faults.
In a similar manner, the other components in the system can be analyzed and measures taken to achieve dependability.