(Diagram: HUMAN / PROCESS / SYSTEM)
HUMAN - Professional Documents, Culture Documents
PROCESS - Operating Rules
SYSTEM - Hardware, Software
Critical Applications
Computer-based systems used in avionics, chemical process plants and nuclear power plants. A failure in such a system endangers human lives directly or through environmental pollution, and has a large-scale economic impact.
Safety Definition
Safety: a property of a system that it will not endanger human life or the environment.
Safety-Critical System: a system that is intended to achieve, on its own, the necessary level of safety integrity for the implementation of the required safety functions.
System life-cycle phases:
1 Concept
2 System Definition and Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
12 Performance Monitoring
13 Modification and Retrofit
14 Decommissioning and Disposal
Note: The phase at which a modification enters the life-cycle will be dependent upon both the system being modified and the specific modification under consideration.
Risk Analysis
Risk is a combination of the severity (class) and the frequency (probability) of the hazardous event. Risk analysis is the process of evaluating the probability of hazardous events. The value of life??
The value of a life is estimated at between 0.75M and 2M GBP; the USA figures are higher.
Risk Analysis
Classes:
- Catastrophic: multiple deaths (>10)
- Critical: a death or severe injuries
- Marginal: a severe injury
- Insignificant: a minor injury
Frequency categories (events/year):
- Frequent: 0.1
- Probable: 0.01
- Occasional: 0.001
- Remote: 0.0001
- Improbable: 0.00001
- Incredible: 0.000001
Hazard Analysis
A hazard is a situation in which there is actual or potential danger to people or to the environment.
Analytical techniques:
- Failure modes and effects analysis (FMEA)
- Failure modes, effects and criticality analysis (FMECA)
- Hazard and operability studies (HAZOP)
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
(Figure: OR connection)
Risk acceptability
National/international decision on the level of acceptable loss (ethical, political and economical). Principles used in risk analysis evaluation:
- ALARP (as low as reasonably practicable; UK, USA): societal risk has to be examined when there is a possibility of a catastrophe involving a large number of casualties.
- GAMAB (Globalement Au Moins Aussi Bon = not greater than before; France): all new systems must offer a level of risk globally at least as good as the one offered by any equivalent existing system.
- MEM (minimum endogenous mortality): a hazard due to a new system would not significantly augment the figure of the minimum endogenous mortality for an individual.
Risk acceptability
Tolerable hazard rate (THR): a hazard rate which guarantees that the resulting risk does not exceed a target individual risk.
SIL 4 = 10^-9 < THR < 10^-8
SIL 3 = 10^-8 < THR < 10^-7
SIL 2 = 10^-7 < THR < 10^-6
SIL 1 = 10^-6 < THR < 10^-5
(per hour and per function)
SIL = safety integrity level
Potential Loss of Life (PLL): expected number of casualties per year
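The following is an added worked example, not code from the lecture slides: it evaluates a small fault tree (the FTA technique listed under Hazard Analysis, with OR and AND gates) and places the resulting figure in the THR/SIL bands given above. It assumes the basic events are independent and that each value is the probability of that event occurring during one hour of operation of the function, so the top-event figure can be read as a per-hour, per-function hazard rate; the fault tree and all of its numbers are constructed for illustration.

```python
import math

# Added example (not from the lecture slides): evaluate a small fault tree
# and place the resulting hazard rate in the slide's THR/SIL bands.
# Assumption: basic events are independent and each value is the probability
# that the event occurs during one hour of operation of the function,
# so the top-event figure is a per-hour, per-function hazard rate.

def evaluate(node):
    """node is a number (basic event) or a (gate, [children]) tuple."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "OR":      # top event occurs if at least one input occurs
        return 1.0 - math.prod(1.0 - p for p in probs)
    if gate == "AND":     # top event occurs only if every input occurs
        return math.prod(probs)
    raise ValueError(f"unknown gate {gate!r}")

# THR bands per hour and per function, copied from the slide (open intervals
# as written there; the band edges themselves therefore map to no SIL).
SIL_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

def sil_for_thr(thr):
    """Return the SIL whose band contains thr, or None if outside all bands."""
    for sil, low, high in SIL_BANDS:
        if low < thr < high:
            return sil
    return None

def hazard_rate_and_sil(tree):
    rate = evaluate(tree)
    return rate, sil_for_thr(rate)

# Constructed fault tree for the hazard "train passes a red signal and is not
# stopped": the driver runs the signal AND the automatic train stop fails,
# where the train stop fails if its track sensor OR its brake actuator fails.
# All four numbers are constructed for illustration.
TRAIN_OVERRUN = ("AND", [
    1e-3,                      # driver runs the red signal
    ("OR", [3e-5, 2e-5]),      # sensor failure OR brake actuator failure
])

if __name__ == "__main__":
    rate, sil = hazard_rate_and_sil(TRAIN_OVERRUN)
    print(f"hazard rate {rate:.3e} per hour -> SIL {sil}")
```

A rate that falls on a band edge or outside the four bands returns None, which is the case a reviewer should look at rather than round away.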
Based on the data on recent failures of critical systems, the following can be concluded:
a) Failures become more and more distributed and often nation-wide (e.g. air traffic control and commercial systems like credit card denial of authorisation).
b) The source of failure is more rarely in hardware (physical faults), and more frequently in system design or end-user operation / interaction (software).
c) The harm caused by failures is mostly economical, but sometimes health and safety concerns are also involved.
d) Failures can impact many different aspects of dependability (dependability = ability to deliver service that can justifiably be trusted).
V - Lifecycle model
(Diagram: Requirements Analysis, Requirements Model, Requirements Document, Software Design, Test Scenarios, System Acceptance, Knowledge Base *)
* Configuration-controlled knowledge that increases in understanding until completion of the system:
- Requirements Documentation
- Requirements Traceability
- Model Data/Parameters
- Test Definition/Vectors
Safety Requirements
Requirements are the stakeholders' (customer's) demands: what they want the system to do, not how!!! => specification
Safety requirements define what the system must do and must not do in order to ensure safety: both positive and negative functionality.
Specification
Supplier instructions on how to build the system. Derived from the required functionality = requirements.
Requirements R + Domain Knowledge D => Specification S
Where do we go wrong?
Many system failures are not failures to understand the requirements R; they are mistakes in the domain knowledge D.
A NYC subway train crashed into the rear end of another train on 5 June 1995. The motorman ran through a red light. The safety system did apply the emergency brakes. However the ...signal spacing was set in 1918, when trains were shorter, lighter and slower, and the emergency brake system could not stop the train in time.
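As an added illustration of R + D => S (not from the lecture slides): the same specification S (signal spacing) is checked against the same requirement R (a braked train halts before the next signal) under two versions of the domain knowledge D. All train parameters and the signal spacing are constructed values for the illustration, not data from the 1995 collision.

```python
# Added example (not from the lecture slides): checking whether a specification S
# still satisfies the requirement R once the domain knowledge D has changed.
# All train parameters and the signal spacing are constructed values, not data
# from the 1995 NYC subway collision.
from dataclasses import dataclass

@dataclass
class Domain:
    """D: what the world is like (trains of a given speed and braking ability)."""
    speed_m_s: float           # running speed at the signal
    decel_m_s2: float          # achievable emergency braking deceleration
    reaction_s: float          # delay before the emergency brake takes effect

def stopping_distance_m(d: Domain) -> float:
    """Distance covered before stopping: reaction run-out plus braking distance."""
    return d.speed_m_s * d.reaction_s + d.speed_m_s ** 2 / (2 * d.decel_m_s2)

def spec_satisfies_requirement(signal_spacing_m: float, d: Domain) -> bool:
    """R: a train stopped by the emergency brake at a red signal must halt before
    the next signal block (where the train ahead may be). S: the signal spacing."""
    return stopping_distance_m(d) < signal_spacing_m

SIGNAL_SPACING_1918_M = 150.0                                          # S, fixed in 1918
TRAINS_1918 = Domain(speed_m_s=13.0, decel_m_s2=1.2, reaction_s=1.0)   # D then (constructed)
TRAINS_1995 = Domain(speed_m_s=20.0, decel_m_s2=0.9, reaction_s=1.5)   # D now (constructed)

if __name__ == "__main__":
    for label, dom in (("1918", TRAINS_1918), ("1995", TRAINS_1995)):
        ok = spec_satisfies_requirement(SIGNAL_SPACING_1918_M, dom)
        print(f"{label}: stopping {stopping_distance_m(dom):.0f} m, R holds: {ok}")
```

The specification never changed and the requirement never changed; the check fails only because D moved, which is the point the slide makes.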
Are you sure?
Requirement Engineering
Right Requirements
Ways to refine requirements:
- complete: linking to hazards (possible dangerous events)
- correct: testing & modelling
- consistent: semi-formal/formal language
- unambiguous: text in real English
Requirement Engineering
Tools: DOORS (Telelogic)
- Database and configuration management
- History, traceability and linking