H6 updated. H10 updated: During development of a future control system software release memory corruption has been observed. The root cause has not been possible to determine. It cannot be ruled out that the underlying software problem exists in earlier released control system software. The analysis determines that double software errors need to occur, resulting in faulty data in specific locations in the memory both in ppc1 and ppc2 software. The locations of the faulty data need to relate to a critical function in the ppc1 software and simultaneously affect the mitigating function in ppc2 software. This needs to happen during a single session, i.e. from start up until shutdown or reset. Although it has been observed in the ppc2 software that memory corruption has occurred, the system is regarded as safe since, regardless if the memory corruption occurs in the ppc1 software or ppc2 software, it still requires double failures in order for the hazardous situation to occur. The ppc1 software and the ppc2 software are different applications with different memory content and different functionality. In order for a hazardous situation to occur, memory corruption would need to occur, affecting a specific critical function in the ppc1 software, and simultaneously, during the same session (a session starts with a powerup of the complete system or a reset of a system error and ends with a powerdown, opc key to off, or a system error reset), memory corruption would need to occur in the ppc2 software, in a way disabling the mitigating function for the critical function affected in the ppc1. The likelihood for this is regarded as improbable since the memory corruption will disappear every time the ppc1 and ppc2 software is reset, something that occurs regularly during use of the system. This has never been observed or reported by customers.