EE551 Real-Time Operating Systems Safety Critical Systems Analysis Course originally developed by Maj Ron Smith

Transcript of the EE551 Real-Time Operating Systems Safety Critical Systems Analysis course slides, originally developed by Maj Ron Smith.

Page 1:

EE551 Real-Time Operating Systems

Safety Critical Systems Analysis

Course originally developed by Maj Ron Smith

Page 2:

Safety Critical Software Systems – ilities of Systems

Software safety is one of the “ilities”: a non-functional requirement, i.e. a criterion used to judge the operation of the system as a whole, rather than a specific behaviour the system must exhibit.

Page 3:

Safety Critical Software Systems – ilities of Systems

Execution qualities: usability and operability, security, reliability, safety, fault tolerance.

Evolution qualities: maintainability, understandability and modifiability, supportability (Integrated Logistics Support), testability, portability, scalability and extensibility.

Integrity – often used as an umbrella term that encompasses several of the other ilities.

Page 4:

Safety Critical Software Systems – ilities of Systems

Safety and reliability are often conflated.

There is a school of thought that holds that safety is a subset of reliability. Leveson (Safeware) argues that they are distinct: a system can reliably perform a specified function that is itself hazardous, and an unreliable system can still be safe if its failures always lead to a safe state.

Page 5:

Apr 19, 2023 Major RW Smith Software Reliability (part1) - 5

Reliability

reliability, R(t) - the probability that, when operating under stated environmental conditions, a system will perform its intended function adequately for a specified interval of time.

a measure of the success with which a system conforms to some authoritative specification of its behavior

The most frequently used hardware metric is MTBF (mean time between failures); in software the failure rate λ is more universal. Under a constant failure rate the two are reciprocals, MTBF = 1/λ, and R(t) = exp(-λt); that assumption does not hold during the early-life or wear-out phases.
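The definitions above can be turned into arithmetic. The following is an added example written for this page (Python); it is not part of the course slides. It assumes the constant-failure-rate model, under which R(t) = exp(-λt) and MTBF = 1/λ, and uses constructed field data (3 failures over 60,000 device-hours, an 8-hour mission). The function names are the author's own; the series/parallel formulas are standard but the numbers are illustrative.

```python
"""Reliability arithmetic under the constant-failure-rate (exponential) model.

Added example for this section, not part of the course slides. The relations
R(t) = exp(-lambda*t) and MTBF = 1/lambda hold only when the failure rate is
constant (the "useful life" phase of the bathtub curve); that model and every
number below are assumptions chosen for illustration.
"""
import math
from typing import Iterable


def failure_rate_estimate(failures: int, operating_hours: float) -> float:
    """Point estimate of lambda (failures per hour) from field data."""
    if operating_hours <= 0:
        raise ValueError("operating_hours must be positive")
    return failures / operating_hours


def mtbf(failure_rate: float) -> float:
    """MTBF = 1/lambda under the exponential model."""
    if failure_rate <= 0:
        raise ValueError("failure_rate must be positive")
    return 1.0 / failure_rate


def reliability(failure_rate: float, t: float) -> float:
    """R(t): probability that the item has not failed by time t."""
    if failure_rate < 0 or t < 0:
        raise ValueError("failure_rate and t must be non-negative")
    return math.exp(-failure_rate * t)


def max_failure_rate_for(target_r: float, mission_time: float) -> float:
    """Largest constant lambda that still meets R(mission_time) >= target_r."""
    if not 0 < target_r < 1 or mission_time <= 0:
        raise ValueError("need 0 < target_r < 1 and mission_time > 0")
    return -math.log(target_r) / mission_time


def series_reliability(rs: Iterable[float]) -> float:
    """Every component must survive: R = prod(R_i). Assumes independent failures."""
    return math.prod(rs)


def parallel_reliability(rs: Iterable[float]) -> float:
    """At least one redundant component must survive: R = 1 - prod(1 - R_i)."""
    return 1.0 - math.prod(1.0 - r for r in rs)


def mission_summary(failures: int, hours: float, mission_hours: float) -> dict:
    """Constructed field data in, mission reliability figures out."""
    lam = failure_rate_estimate(failures, hours)
    return {
        "failure_rate": lam,
        "mtbf": mtbf(lam),
        "r_mission": reliability(lam, mission_hours),
        "r_at_mtbf": reliability(lam, mtbf(lam)),  # always exp(-1), about 0.37
    }


if __name__ == "__main__":
    # constructed data: 3 failures in 60,000 device-hours, 8-hour infusion
    for k, v in mission_summary(3, 60_000.0, 8.0).items():
        print(f"{k}: {v:.6g}")
    print("three 0.999 parts in series:", series_reliability([0.999] * 3))
    print("two 0.999 sensors in parallel:", parallel_reliability([0.999] * 2))
    print("max lambda for R(10 h) >= 0.999:", max_failure_rate_for(0.999, 10.0))
```

Two things the numbers show that the definitions alone do not: R(MTBF) is always exp(-1) ≈ 0.37, so an MTBF of 20,000 h is nothing like a promise of 20,000 h of service; and three 0.999 components in series fall to 0.997 while two 0.999 sensors in parallel reach 0.999999, but only if their failures are independent (a common cause such as a shared software defect breaks that assumption).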

Page 6:

Safety Critical Software Systems – Authoritative text

Safeware: System Safety and Computers, Nancy G. Leveson. ISBN-10: 0201119722 | ISBN-13: 978-0201119725

Page 7:

Safety Critical Software Systems

Software safety concerns the potential of the software to lead to hazardous system states.

Hazards can lead to accidents: death, serious injury, damage to the environment, significant loss of material, loss of strategic advantage.

Pages 8–11: Safety Critical Systems (figure slides)

Page 12:

Examples of failures: Medical

Therac-25 (1985-87) (extreme case). Blood-bank software released over 1M “failed” plasma units onto the market. Pacemakers reset to unsafe parameters due to external radiation sources (anti-theft devices, microwaves, …). Infusion pumps delivering the wrong rate of medicine.

Page 13:

Safety Critical Software Systems

Safety-critical software cannot be adequately verified and validated using only “traditional” methods that derive test cases from the functional specification: hazards frequently arise from behaviour the specification never mentions (missing functions, unexpected interactions, environmental conditions).

Risk management and hazard analysis techniques must be used, together with root cause analysis of the failures that do occur.

Page 14:

Safety Critical Software Systems

Hazard analysis techniques: hazard list from similar devices; Hazard and Operability (HAZOP) analysis; Fault Tree Analysis (FTA); Event Tree Analysis (ETA); Failure Modes and Effects Analysis (FMEA); Failure Modes, Effects and Criticality Analysis (FMECA).

Page 15:

Safety Critical Systems - Hazard Analysis – Hazard List

Known hazard lists or reports from previous similar devices: Lessons Learned database (internal to companies); recall notices (general public, industry wide).

Food and Drug Administration web site, MAUDE (Manufacturer and User Facility Device Experience) database: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/search.cfm

Federal Aviation Administration: http://www.faa.gov/data_research/accident_incident/

Transport Canada CADORS (Civil Aviation Daily Occurrence Reporting System): http://wwwapps.tc.gc.ca/Saf-Sec-Sur/2/CADORS-SCREAQ/m.aspx?lang=eng

Page 16:

Safety Critical Systems - Hazard Analysis – Hazard List

Brainstorming sessions; generic hazard lists (ISO 14971 Annex D).

Page 17:

Safety Critical Systems - Hazard Analysis – HAZOP

Hazard and Operability Study (HAZOP): process oriented.

A structured and systematic examination of a planned or existing process or operation, to identify and evaluate problems that may represent risks to personnel, equipment or the environment.

Originated in the chemical industry.

Page 18:

Safety Critical Systems - Hazard Analysis – HAZOP

Analyse the behaviour of the system in terms of operating deviations from the original design intent.

Decompose the system into sub-processes or items (systems, subsystems, components).

Identify the parameters of each item (flow, temperature, pressure, …).

Systematic qualitative analysis: apply guide words (less, more, inverse, too high, too low, before, …) to each parameter, and for every credible deviation record its causes, consequences and existing safeguards.

Page 19:

Safety Critical Systems - Hazard Analysis - FTA (figure slide)

Page 20:

Safety Critical Systems - Hazard Analysis - ETA (figure slide)

Control measures
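The FTA and ETA slides survive here only as titles. As an added example written for this page (Python; not from the course), the block below computes the minimal cut sets and top-event probability of a small constructed fault tree for a hypothetical infusion-pump over-delivery hazard, then feeds that probability into an event tree of control measures. The event names, probabilities, gate structure and the two barriers are all invented for illustration.

```python
"""Fault tree (FTA) and event tree (ETA) arithmetic on a constructed example.

Added example for this section; not part of the EE551 slides. The tree shape,
event names and probabilities are constructed for illustration (a hypothetical
infusion-pump over-delivery hazard), not taken from any real device analysis.
Basic events are assumed mutually independent.
"""
import math
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

# A node is a basic-event name, or (gate, [children]) with gate "AND" or "OR".
Node = Union[str, Tuple[str, list]]


def basic_events(node: Node) -> Set[str]:
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(k) for k in node[1]))


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """Does the node's event occur, given which basic events have occurred?"""
    if isinstance(node, str):
        return state[node]
    gate, kids = node
    if gate == "AND":
        return all(evaluate(k, state) for k in kids)
    if gate == "OR":
        return any(evaluate(k, state) for k in kids)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest combinations of basic events sufficient for the top event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, kids = node
    child_sets = [minimal_cut_sets(k) for k in kids]
    if gate == "OR":
        cuts = set().union(*child_sets)
    else:  # AND: one cut set from each child, merged
        cuts = {frozenset()}
        for cs in child_sets:
            cuts = {a | b for a in cuts for b in cs}
    # discard non-minimal sets (those that contain another cut set)
    return {c for c in cuts if not any(o < c for o in cuts)}


def top_event_probability(node: Node, p: Dict[str, float]) -> float:
    """Exact probability by enumerating every basic-event state. Exponential in
    the number of basic events, but correct even when one event appears under
    several gates (where gate-by-gate arithmetic double-counts it)."""
    names = sorted(basic_events(node))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        weight = math.prod(p[n] if b else 1.0 - p[n] for n, b in state.items())
        if evaluate(node, state):
            total += weight
    return total


def rare_event_approximation(cuts: Set[FrozenSet[str]], p: Dict[str, float]) -> float:
    """Sum of cut-set probabilities: an upper bound, close when all p are small."""
    return sum(math.prod(p[e] for e in c) for c in cuts)


def event_tree(initiator_freq: float, barriers: List[Tuple[str, float]]) -> Dict[str, float]:
    """Event tree with sequential barriers given as (name, P(barrier fails)).
    The sequence stops at the first barrier that works, so only the all-fail
    path reaches the unmitigated outcome. Returns frequency per end state."""
    outcomes: Dict[str, float] = {}
    remaining = initiator_freq
    for name, p_fail in barriers:
        outcomes[f"stopped by {name}"] = remaining * (1.0 - p_fail)
        remaining *= p_fail
    outcomes["unmitigated accident"] = remaining
    return outcomes


# Constructed fault tree for top event "pump over-delivers". Note that
# wrong_rate_entered appears under two gates (a shared basic event).
OVER_DELIVERY: Node = ("OR", [
    ("AND", ["wrong_rate_entered", "range_check_fails"]),
    ("AND", ["driver_stuck_on", "flow_monitor_fails"]),
    ("AND", ["wrong_rate_entered", "confirm_prompt_skipped"]),
])
P_BASIC = {  # per-infusion probabilities, constructed
    "wrong_rate_entered": 1e-2, "range_check_fails": 1e-3,
    "driver_stuck_on": 1e-4, "flow_monitor_fails": 1e-2,
    "confirm_prompt_skipped": 5e-2,
}


def analyse(infusions_per_year: float = 2000.0):
    """FTA gives P(top event); scaled by the demand rate it is the ETA initiator."""
    cuts = minimal_cut_sets(OVER_DELIVERY)
    exact = top_event_probability(OVER_DELIVERY, P_BASIC)
    approx = rare_event_approximation(cuts, P_BASIC)
    tree = event_tree(exact * infusions_per_year,
                      [("flow monitor alarm", 0.1), ("clinician response", 0.5)])
    return cuts, exact, approx, tree


if __name__ == "__main__":
    cuts, exact, approx, tree = analyse()
    for c in sorted(cuts, key=sorted):
        print("cut set:", sorted(c))
    print(f"P(top) exact={exact:.6g}  rare-event approx={approx:.6g}")
    for k, v in tree.items():
        print(f"{k}: {v:.4f} per year")
```

The shared event is deliberate: wrong_rate_entered sits under two AND gates, so evaluating the OR gate as 1 - Π(1 - p_child) from per-gate numbers would treat the two branches as independent when they are not; exhaustive enumeration (or cut-set algebra) avoids that. The event tree is the control-measure side of the same hazard: each barrier that works terminates the sequence, and only the path on which every barrier fails reaches the unmitigated outcome.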

Page 21:

Safety Critical Systems - Hazard Analysis – FME(C)A

Worksheet columns: Item | Failure Mode | Causes | Effects | Criticality | Prob | Control measures

Example row:
Item: Registration
Failure mode: RMS error too large
Causes: a. Bad configuration; b. Markers too close; c. Handling errors; d. Tracking error; e. Transformation error
Effects: Cannot use IIGS
Criticality: Critical
Prob: N/A
Control measures: Operator training; Documentation

Page 22:

Safety Critical Software Systems

State-based analysis methods: Markov chain models; Petri nets.

Software Cost Reduction (SCR) method, David Parnas and Constance L. Heitmeyer: a formal mathematical approach to specifications.
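As an added example of a state-based method (written for this page in Python; not from the course material), the block below analyses a three-state continuous-time Markov model of a 1-out-of-2 redundant unit with a single repair crew: steady-state availability, mean time to system failure with repair, and the transient up-probability. The rates (λ = 10⁻³/h per unit, μ = 0.1/h), the repair policy and the exponential-time assumption are constructed for illustration; the helper names are the author's own.

```python
"""State-based analysis with a continuous-time Markov chain.

Added example for this section; not part of the course material. It models a
1-out-of-2 redundant unit with one repair crew as a three-state chain:
index 0 = both units up, 1 = one up / one under repair, 2 = both failed
(system down). Exponential failure/repair times, the rates used and the
single-repairman policy are modelling assumptions chosen for illustration.
"""
import math
from typing import List

Matrix = List[List[float]]


def solve(a: Matrix, b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-15:
            raise ValueError("singular system")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def generator_1oo2(lam: float, mu: float) -> Matrix:
    """Generator matrix Q (each row sums to 0); index 0: both up, 1: one up, 2: none up."""
    return [
        [-2 * lam, 2 * lam, 0.0],   # either unit fails
        [mu, -(mu + lam), lam],     # repair completes / remaining unit fails
        [0.0, mu, -mu],             # one crew repairs one unit at a time
    ]


def steady_state(q: Matrix) -> List[float]:
    """Solve pi*Q = 0 with sum(pi) = 1 (one equation of Q is redundant)."""
    n = len(q)
    a = [[q[r][c] for r in range(n)] for c in range(n)]  # transpose of Q
    a[-1] = [1.0] * n
    return solve(a, [0.0] * (n - 1) + [1.0])


def mean_time_to_failure(q: Matrix, working: List[int], start: int) -> float:
    """Expected time from `start` until the chain first leaves the working set.
    Failed states are made absorbing; solves (-Q_WW) tau = 1."""
    a = [[-q[i][j] for j in working] for i in working]
    tau = solve(a, [1.0] * len(working))
    return tau[working.index(start)]


def transient(q: Matrix, pi0: List[float], t: float) -> List[float]:
    """State probabilities at time t by uniformisation: a Poisson-weighted
    sum of powers of the jump matrix P = I + Q/rate."""
    n = len(q)
    rate = max(-q[i][i] for i in range(n))
    p = [[(1.0 if i == j else 0.0) + q[i][j] / rate for j in range(n)] for i in range(n)]
    mean = rate * t
    k_max = int(mean + 10 * math.sqrt(mean) + 20)  # truncation point for the tail
    weight = math.exp(-mean)
    vec = pi0[:]
    result = [weight * v for v in vec]
    for k in range(1, k_max + 1):
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        weight *= mean / k
        result = [r + weight * v for r, v in zip(result, vec)]
    return result


def analyse(lam: float = 1e-3, mu: float = 0.1) -> dict:
    """Per-unit failure rate lam and repair rate mu in 1/hour (constructed)."""
    q = generator_1oo2(lam, mu)
    pi = steady_state(q)
    return {
        "availability": pi[0] + pi[1],                  # system up in states 0 and 1
        "mttf_1oo2": mean_time_to_failure(q, [0, 1], 0),
        "mttf_single": 1.0 / lam,                       # same unit without redundancy
        "p_up_1000h": sum(transient(q, [1.0, 0.0, 0.0], 1000.0)[:2]),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.6g}")
```

The payoff is the MTTF: a single unit with λ = 10⁻³/h has an MTTF of 1,000 h, but the repaired pair reaches (3λ + μ)/(2λ²) = 51,500 h, because the surviving unit almost always lasts until the other is repaired. Calling mean_time_to_failure with μ = 0 (no repair) gives only 1,500 h, which is the figure an analyst should check before crediting a redundancy claim that has no repair or diagnostic coverage behind it. Petri nets extend this picture when the state space is too large or too structured to write Q by hand.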