Safety-Critical Software: Status Report

Transcript and Presenter's Notes

1
Safety-Critical Software Status Report
  • Authors
  • Patrick R.H. Place
  • Kyo C. Kang

Presented by Julio Munoz and Jorge Favela
2
Therac-25: A Case Study
  • Radiation therapy machine
  • Patients were given massive overdoses of radiation
  • How much?
  • Approximately 100 times the intended dose of radiation

3
Requirements Engineering and Safety
  • Safety-critical components of a system must be developed in a particular way
  • Requirements engineering eliminates errors that arise from:
    • Misunderstanding customer desires
    • Poorly conceived customer requests
  • Systems cannot feasibly be tested in a live situation
  • Customer requirements are presented in many forms: natural language, diagrams, mathematics

4
Comments on Software Safety
  • Reliability is not safety
  • Reliability
    • The probability that a system will not fail for a stated length of time
  • Safety
    • The absence of unsafe software conditions
  • A system may be reliable but unsafe

5
Software Need Not Be Perfect
Perfect Software
  • It does not contain errors.
Software Error
  • A variance between the operation of the software and the user's concept of how the software should operate.
6
Software Reliability Model
  • Static Models
  • Dynamic Models

The Rayleigh Model
7
Safe Software Is Secure and Reliable
  • Security depends on reliability

Safety depends on
A secure system needs to be reliable, so that it does not fail at any point. The system-critical components need to be secure, that is, not altered by external agents.
8
Software Should Not Replace Hardware
  • Software is flexible and easy to modify.
  • Hardware may be quite expensive to modify.
  • Hardware fails in more predictable ways than software.
  • Software does not exhibit physical characteristics that may be observed in the same way as hardware.

9
Hazard Analysis Technique
  • To assess the hazards of a system, there are two aspects:
    • Hazard identification
    • Hazard analysis

10
Hazard Identification 1
  • The Delphi technique
    • One approach to reaching group decisions.
    • Members of the group are separated geographically
  • Basic approach
    • The members of the group receive a questionnaire to express their opinions.
    • A coordinator collects the members' opinions and sends them to an expert

11
Hazard Identification 2
  • The expert may agree or disagree, explaining any outlying opinion
  • The group produces an opinion after several rounds.

12
Hazard Identification 3
  • Joint Application Design (JAD)
    • An approach to developing a detailed system definition
    • The purpose is to reach a decision about a particular topic
    • People who participate must be skilled and empowered to make decisions.
    • The number of people must be between 6 and 10

13
Hazard Identification 4
  • JAD needs a facilitator
    • Has no interest in the outcome
    • Good communicator and diplomatic
    • Controls the group
  • JAD requires a sponsor
    • Ensures coordination
  • The ideas belong to the group rather than to individuals
  • The disadvantage
    • The coordinator can become a bottleneck

14
Hazard Identification 5
  • Hazard and Operability Analysis
    • Operates at all stages of the development life cycle
    • Ensures a systematic evaluation of the functional requirements
  • Two steps of analysis
    • Identify how the system should operate
    • Determine when an identified condition becomes safety critical

15
Hazard Identification 6
  • The data generate tables that
    • Indicate the sequence of operations
    • Show the hazards that may occur

16
Hazard Analysis 1
  • Examine the system and determine what may lead to a mishap
  • Two strategies
  • Inductive techniques
    • Consider a particular component of the system and attempt to determine what the consequences of its fault will be
    • Determine what system states are possible

17
Hazard Analysis 2
  • Deductive techniques
    • Consider a system failure and then attempt to determine which system or component states contribute to the system failure
    • Determine how a given state occurs

18
Hazard Analysis 2
  • Fault Tree Analysis
    • It is deductive
    • Determines the cause of an undesirable event
    • Uses connectors
      • AND gate: the output occurs if all of the input faults occur
      • OR gate: the output occurs if any of the input faults occurs
    • Basic event: a basic initiating fault that requires no further development

19
Hazard Analysis 3
  • Fault Tree Analysis
    • It is deductive
    • Determines the cause of an undesirable event
    • Uses connectors

Fault tree symbols: AND gate, OR gate, basic event, undeveloped event, intermediate event
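The two slides above define fault trees by their AND/OR gates and basic events. The following added example (not from the slides or the report they summarize) evaluates such a tree and derives its minimal cut sets, the smallest combinations of basic faults that force the top event; the overdose tree it uses is a constructed, hypothetical illustration, not the real Therac-25 analysis.

```python
"""Fault tree evaluation and minimal cut sets for AND/OR trees (added example)."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Event:
    """Basic event: an initiating fault that needs no further development."""
    name: str


@dataclass(frozen=True)
class Gate:
    """Intermediate event whose inputs are combined with AND or OR logic."""
    name: str
    kind: str      # "AND" or "OR"
    inputs: tuple  # Events and/or Gates


def occurs(node, faults):
    """Top-down evaluation: does `node` occur given the set of basic faults present?"""
    if isinstance(node, Event):
        return node.name in faults
    results = [occurs(child, faults) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def cut_sets(node):
    """Minimal cut sets of `node`: no returned set is a proper superset of another."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":          # any single input's cut set suffices
        candidates = [cs for sets in child_sets for cs in sets]
    else:                          # AND: one cut set from every input must hold
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    return [c for c in set(candidates) if not any(o < c for o in candidates)]


# Constructed, hypothetical tree: an overdose needs both a wrong beam mode
# and a failed dose check (event names are illustrative, not Therac-25 facts).
WRONG_MODE = Gate("wrong beam mode", "OR", (
    Event("operator enters wrong mode"), Event("mode setting corrupted")))
DOSE_CHECK_FAILS = Gate("dose check fails", "OR", (
    Event("software dose check disabled"),
    Gate("no interlock at all", "AND", (
        Event("hardware interlock removed"), Event("no software check added")))))
OVERDOSE = Gate("patient overdose", "AND", (WRONG_MODE, DOSE_CHECK_FAILS))

if __name__ == "__main__":
    for cs in sorted(cut_sets(OVERDOSE), key=sorted):
        print("cut set:", sorted(cs))
    print(occurs(OVERDOSE, {"operator enters wrong mode"}))  # False: check still holds
```

The cut sets show which single-point removals (here, the hardware interlock) only matter in combination with other faults, which is exactly what the deductive analysis is meant to expose.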
20
Hazard Analysis 4
  • Event Tree Analysis
    • An inductive technique
    • Considers an initiating event in the system
    • Considers all the consequences of that event
    • Analyzes desirable and undesirable events
    • It is forward-looking
    • Considers future problems

21
Hazard Analysis 4
  • Failure Modes and Effects Analysis
    • Inductive technique
    • Intended to anticipate potential failures

22
References
  • THERAC-25, Computerized Radiation Therapy. Troy Gallagher. http://www.netcomp.monash.edu.au/cpe9001/assets/readings/www_uguelph_ca_tgallagh_tgallagh.html
  • Medical Devices: The Therac-25. Nancy Leveson. University of Washington, 1995.
  • CSQE Primer. Barbara Frank, Phil Marriot, Chett Warzusen. Third Edition. Quality Council of Indiana, 2002.

23
Questions
Presented by Julio Munoz and Jorge Favela