Safety-Critical Software: Status Report
Authors: Patrick R.H. Place, Kyo C. Kang
Presented by: Julio Munoz, Jorge Favela
Therac-25: A Case Study
• Radiation Therapy machine
• Patients were given massive overdoses of radiation
• How much?
• Approximately 100 times the intended dose of radiation
Requirements Engineering and Safety
• Safety-critical components of a system must be developed in a particular way
• Requirements engineering eliminates errors that arise from
– Misunderstanding customer desires
– Poorly conceived customer requests
• Such systems cannot feasibly be tested in a live situation
• Customer requirements are presented in many forms: natural language, diagrams and mathematics
Comments on Software Safety
Reliability is not safety
Reliability:
“The probability that a system will not fail for a stated length of time”
Safety:
“The absence of unsafe software conditions”
A system may be reliable but unsafe
Software Need Not Be Perfect
Perfect software: software that contains no errors.
Software error: a variance between the operation of the software and the user's concept of how the software should operate.
Software Reliability Model
• Static models
• Dynamic models
• The Rayleigh model
Safe Software Is Secure and Reliable
Security depends on reliability
Safety depends on…
A secure system must be reliable: it must not fail at any point. Safety-critical components must be secure: they must not be altered by external agents.
Software Should Not Replace Hardware
• Software is flexible and easy to modify
• Hardware may be quite expensive to modify
• Hardware fails in more predictable ways than software
• Software does not exhibit physical characteristics that can be observed in the same way as hardware
Hazard Analysis Technique
• Checking the hazards of a system has two aspects
– Hazard identification
– Hazard analysis
Hazard Identification [1]
• The Delphi technique
– One approach to reaching group decisions
– Members of the group are separated geographically
– Basic approach
• The members of the group receive a questionnaire on which they express their opinion
• A coordinator collects the members' opinions and sends them to an expert
Hazard Identification [2]
• The expert may agree or disagree, explaining any outlying opinion
• The group produces a consensus opinion after several rounds
Hazard Identification [3]
• Joint Application Design (JAD)
– An approach to developing a detailed system definition
– The purpose is to reach a decision about a particular topic
– Participants must be skilled and empowered to make decisions
– The group should have between 6 and 10 people
Hazard Identification [4]
– JAD needs a facilitator
• Has no stake in the outcome
• A good communicator and diplomat
• Keeps the group under control
– JAD requires a sponsor
• Ensures coordination
– Ideas belong to the group rather than to individuals
– Disadvantage
• The coordinator can become a bottleneck
Hazard Identification [5]
• Hazard and operability analysis (HAZOP)
– Operates at all stages of the development life cycle
– Ensures a systematic evaluation of the functional requirements
– Two steps of analysis
• Identify how the system should operate
• Determine when an identified condition becomes safety-critical
Hazard Identification [6]
– The collected data are written up as tables
• indicating the sequences of operation
– and where hazards may occur
Hazard Analysis [1]
• Examine the system and determine what can lead to a mishap
• Two strategies
– Inductive techniques
• Consider a particular component of the system and attempt to determine what the consequences of its fault will be
• Determine "what" system states are possible
Hazard Analysis [2]
– Deductive techniques
• Consider a system failure and then attempt to determine which system or component states contribute to that failure
• Determine "how" a given state occurs
Hazard Analysis [3]
• Fault Tree Analysis
– It is deductive
– Determines the causes of an undesirable event
– Uses connectors (gate symbols shown in the original figure)
• and gate: the output event occurs only if all of the input faults occur
• or gate: the output event occurs if any of the input faults occurs
• Basic event: a basic initiating fault that requires no further development
• Undeveloped event: a fault that is not developed further, for lack of information or significance
• Intermediate event: a fault produced by the gate below it
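The gate rules above are enough to compute a tree mechanically. The script below is an added example (it is not part of the original slides and not the Therac-25 fault tree): the events E1, E2, E3, their probabilities and the two gates are constructed for the illustration. It derives the minimal cut sets of a small AND/OR tree and computes the top-event probability two ways: exactly, by enumerating every combination of basic events, and with the common gate-by-gate shortcut. The tree deliberately reuses one software fault under both gates, the situation in which the shortcut is wrong.

```python
"""Fault tree analysis: minimal cut sets and top-event probability for a small tree.

Added example, not from the original slides. The tree, its event names and
the probabilities are constructed for illustration; they are hypothetical and
make no claim about any real system.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Union


@dataclass(frozen=True)
class BasicEvent:
    """A basic initiating fault that requires no further development."""
    name: str
    description: str
    prob: float  # probability the fault is present on a given demand (constructed)


@dataclass(frozen=True)
class Gate:
    """An intermediate event produced by an AND or OR gate over its inputs."""
    kind: str  # "AND" or "OR"
    name: str
    inputs: tuple  # BasicEvent or Gate instances


Node = Union[BasicEvent, Gate]


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event in the tree with its probability (shared events once)."""
    if isinstance(node, BasicEvent):
        return {node.name: node.prob}
    found: Dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def holds(node: Node, state: Dict[str, bool]) -> bool:
    """Does the event at this node occur, given which basic events occurred?"""
    if isinstance(node, BasicEvent):
        return state[node.name]
    values = [holds(child, state) for child in node.inputs]
    if node.kind == "AND":
        return all(values)
    if node.kind == "OR":
        return any(values)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest combinations of basic events that make the top event occur."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    else:  # AND: take one cut set from each input and merge them
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only the minimal ones: drop any set that strictly contains another
    return {s for s in sets if not any(other < s for other in sets)}


def top_probability(node: Node) -> float:
    """Exact top-event probability for independent basic events, by enumerating
    every combination of them. Correct even when one basic event feeds several gates."""
    events = basic_events(node)
    names = list(events)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if holds(node, state):
            p = 1.0
            for name, occurred in state.items():
                p *= events[name] if occurred else 1.0 - events[name]
            total += p
    return total


def gatewise_probability(node: Node) -> float:
    """The shortcut of combining probabilities gate by gate.
    Exact only when no basic event appears under more than one gate."""
    if isinstance(node, BasicEvent):
        return node.prob
    ps = [gatewise_probability(child) for child in node.inputs]
    result = 1.0
    if node.kind == "AND":
        for p in ps:
            result *= p
        return result
    for p in ps:
        result *= 1.0 - p
    return 1.0 - result


# Constructed, hypothetical tree: the software fault E2 appears under both gates.
E1 = BasicEvent("E1", "operator selects wrong mode", 0.01)
E2 = BasicEvent("E2", "mode-tracking software fault", 0.001)
E3 = BasicEvent("E3", "independent hardware interlock fails", 0.05)
WRONG_BEAM = Gate("OR", "wrong beam configuration commanded", (E1, E2))
NO_TRIP = Gate("OR", "interlock fails to stop the beam", (E2, E3))
TOP = Gate("AND", "overdose delivered", (WRONG_BEAM, NO_TRIP))

if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(TOP), key=len):
        print("minimal cut set:", sorted(cut))
    print("exact P(top)    :", top_probability(TOP))
    print("gate-wise P(top):", gatewise_probability(TOP))
```

The cut sets are {E2} and {E1, E3}: the shared software fault is a single point of failure even though the top gate is an AND, and the gate-wise shortcut understates the top-event probability by roughly a factor of 2.7 because it treats the two occurrences of E2 as independent. That is the practical reason to read the cut sets, not just the top number, when a software component sits on more than one branch.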
Hazard Analysis [4]
• Event Tree Analysis
– It is an inductive technique
– Starts from an initiating event in the system
• and considers all the consequences of that event
– Analyzes both desirable and undesirable outcomes
– It is forward-looking
• considers future problems
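To show the inductive direction concretely, the script below is an added example (not from the original slides): it starts from a constructed initiating event and walks forward through a sequence of hypothetical safety barriers, enumerating each branch with its probability. The initiating frequency, the barrier names and the failure probabilities are all made up for the illustration. A barrier that holds ends the sequence in a safe state; the mishap is reached only if every barrier fails in turn, so the tree produces both the desirable and the undesirable outcomes the slide mentions.

```python
"""Event tree analysis: enumerate the outcomes that follow an initiating event.

Added example, not from the original slides. The initiating event, the
barriers and every probability below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Barrier:
    name: str
    p_fail: float  # probability the barrier fails to stop the sequence, given it is challenged


@dataclass(frozen=True)
class Sequence:
    path: Tuple[str, ...]  # what happened at each barrier that was challenged
    outcome: str           # "safe: ..." or "mishap"
    prob: float            # probability of this branch, conditional on the initiating event


def event_tree(barriers: List[Barrier]) -> List[Sequence]:
    """Walk forward from the initiating event. At each barrier the tree forks:
    if the barrier holds the sequence ends safely; if it fails, the next barrier
    is challenged. The final branch, where all barriers fail, is the mishap."""
    sequences: List[Sequence] = []
    path: List[str] = []
    p_so_far = 1.0
    for barrier in barriers:
        sequences.append(Sequence(
            path=tuple(path + [f"{barrier.name}: holds"]),
            outcome=f"safe: stopped by {barrier.name}",
            prob=p_so_far * (1.0 - barrier.p_fail),
        ))
        path.append(f"{barrier.name}: fails")
        p_so_far *= barrier.p_fail
    sequences.append(Sequence(path=tuple(path), outcome="mishap", prob=p_so_far))
    return sequences


def mishap_probability(barriers: List[Barrier]) -> float:
    """Probability of reaching the mishap, conditional on the initiating event."""
    return sum(s.prob for s in event_tree(barriers) if s.outcome == "mishap")


def mishap_frequency(initiator_freq: float, barriers: List[Barrier]) -> float:
    """Mishap frequency per opportunity: initiating-event frequency times the
    probability that the whole chain of barriers fails."""
    return initiator_freq * mishap_probability(barriers)


# Constructed scenario: an operator edits treatment parameters after setup
# (hypothetical frequency per treatment), then three hypothetical barriers.
INITIATOR_FREQ = 0.05
BARRIERS = [
    Barrier("software consistency check", p_fail=0.1),
    Barrier("hardware interlock", p_fail=0.01),
    Barrier("operator notices anomaly", p_fail=0.5),
]

if __name__ == "__main__":
    for seq in event_tree(BARRIERS):
        print(f"{seq.prob:.6f}  {seq.outcome:<45}  {' -> '.join(seq.path)}")
    print("P(mishap | initiator):", mishap_probability(BARRIERS))
    print("mishap frequency     :", mishap_frequency(INITIATOR_FREQ, BARRIERS))
```

Because the branches partition the outcomes, their probabilities sum to 1, which is a cheap sanity check on any event tree. Note the assumption built into the walk: each barrier's failure probability is taken as independent of the failures before it. If a single software fault could defeat both the consistency check and the interlock, that dependence belongs in a fault tree feeding the barrier's failure probability, not in the event tree.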
Hazard Analysis [5]
• Failure Modes and Effects Analysis (FMEA)
– Inductive technique
– Intended to anticipate potential failures
Questions
Presented by: Julio Munoz Jorge Favela