Safety-Critical Systems

Similar documents
Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

Marine Risk Assessment

Using what we have. Sherman Eagles SoftwareCPR.

Safety Management in Multidisciplinary Systems. SSRM symposium TA University, 26 October 2011 By Boris Zaets AGENDA

Safety Requirement Specification

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

'Dipartimento di Ingegneria Elettrica, Universita di Genova Via all 'Opera Pia, lla Genova, Italy

SYSTEM SAFETY ENGINEERING AND MANAGEMENT

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

Aeronautical studies and Safety Assessment

A study on the relation between safety analysis process and system engineering process of train control system

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Safety-critical systems: Basic definitions

Critical Systems Validation

Managing for Liability Avoidance. (c) Lewis Bass

Basic STPA Tutorial. John Thomas

Gamma-ray Large Area Space Telescope

Safety Critical Systems

The Safety Case. Structure of Safety Cases Safety Argument Notation

Systems Theoretic Process Analysis (STPA)

Definition of Safety Integrity Levels and the Influence of Assumptions, Methods and Principles Used

Risk Management Qualitatively on Railway Signal System

Review and Assessment of Engineering Factors

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395

Safety-Critical Systems. Rikard Land

Safety Risk Assessment Worksheet Title of Risk Assessment Risk Assessment Performed By: Date: Department:

1.0 PURPOSE 2.0 REFERENCES

SYSTEM SAFETY REQUIREMENTS

Employ The Risk Management Process During Mission Planning

ESSENTIAL SAFETY RESOURCES

Hazard Identification

Understanding safety life cycles

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

Implementing IEC Standards for Safety Instrumented Systems

innova-ve entrepreneurial global 1

Policy for Evaluation of Certification Maintenance Requirements

Impact on People. A minor injury with no permanent health damage

Systems Theoretic Process Analysis (STPA)

ALIGNING MOD POSMS SAFETY AND POEMS ENVIRONMENTAL RISK APPROACHES EXPERIENCE AND GUIDANCE

North Coast Outfitters, LTD. Model SR901RT Multi-Purpose Utility Table SAFETY ASSESSMENT REPORT (SAR)

Probability Risk Assessment Methodology Usage on Space Robotics for Free Flyer Capture

Aviation Unit Safety Management System

The Best Use of Lockout/Tagout and Control Reliable Circuits

Valve Communication Solutions. Safety instrumented systems

New Airfield Risk Assessment / Categorisation

The Safety Case. The safety case

1309 Hazard Assessment Fundamentals

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Workshop to Generate Guidelines For the Implementation of: 1 - Step 1 of State Safety Program (SSP) and 2 - Phases 1 & 2 of ICAO SMS

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

Every things under control High-Integrity Pressure Protection System (HIPPS)

RISK ASSESSMENT HAZARD IDENTIFICATION AND RISK ASSESSMENT METHODOLOGY

Safety in Precast Erection

CONTENTS OF THE PCSR CHAPTER 1 - INTRODUCTION AND GENERAL DESCRIPTION

A GUIDE TO RISK ASSESSMENT IN SHIP OPERATIONS

Chapter 5: Comparison of Inspection and Testing Results

Using LOPA for Other Applications

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:

Software Safety Hazard Analysis

Safety of railway control systems: A new Preliminary Risk Analysis approach

HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Environmental-Related Risk Assessment

Software Reliability 1

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Bhadwasi Gypsum Mine, Rajasthan State Mines & Minerals Limited CHAPTER VII Additional studies

CHAPTER 4 FMECA METHODOLOGY

ADVISORY MATERIAL JOINT AMJ

Systems of Accounting for and Control of Nuclear Material

Accident Investigation and Hazard Analysis

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

Risk Management. Definitions. Principles of Risk Management. Types of Risk

-JHA- Job. For Science and Engineering. Hazard Assessment

A Presentation to the International System Safety Society August 11, 2016 by Gary D. Braman Senior System Safety Engineer Sikorsky Aircraft

FMEA- FA I L U R E M O D E & E F F E C T A N A LY S I S. PRESENTED BY: AJITH FRANCIS

4. Hazard Analysis. Limitations of Formal Methods. Need for Hazard Analysis. Limitations of Formal Methods

PRACTICAL EXAMPLES ON CSM-RA

Safety models & accident models

Real-Time & Embedded Systems

MIL-STD-883G METHOD

Failure modes and models

Adaptability and Fault Tolerance

Local Rules for Radiography: Ionising Radiation Regulations Working Instructions Staff MUST Follow

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

How to Define Your Systems and Assets to Support Reliability. How to Define Your Failure Reporting Codes to Support Reliability

Safety Engineering - Hazard Identification Techniques - M. Jahoda

Safe Work Practices and Permit-to-Work System

Safety Analysis: Event Classification

DEPARTMENT OF THE NAVY NAVAL AIR SYSTEMS COMMAND RADM WILLIAM A. MOFFEIT BUILDING BUSE ROAD, BLDG 2272 PATUXENT RIVER, MARYLAND,

RISK ASSESSMENT FORM Project / Work Description: Handling of furniture.

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Resilience Engineering: The changing nature of safety

Hazard Identification

4-sight Consulting. IEC case study.doc

Presented to the Israel Annual Conference on Aerospace Sciences, 2009 RISK-ANALYSIS A SUPPLEMENT TO DAMAGE-TOLERANCE ANALYSIS

Operator Exposed to Chlorine Gas

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

Transcription:

Software Testing & Analysis (F22ST3) Safety-Critical Systems Andrew Ireland School of Mathematical and Computer Science Heriot-Watt University Edinburgh Software Testing & Analysis (F22ST3) 2 What Are Safety-Critical Systems? Any system where failure may, directly or indirectly, threaten human life or the environment can be classified as safety-critical, e.g. Fly-by-wire control systems; Military command and control systems; Secondary air traffic control radar systems; Automatic railway signaling systems; Nuclear reactor control systems. Increasingly control mechanisms rely upon software rather than hardware which makes software of crucial importance within many safety-critical applications.

Definitions & Terminology Leveson (Leveson, N.G. Safeware: System Safety and Computers, Addison-Wesley, 1995): Safety is freedom from accidents or losses. An accident is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss (loss of life, damage to property or the environment). A hazard is a state or set of conditions of a system (or an object) that, together with other conditions in the environment of the system (or object), will lead potentially to an accident (loss event). Software Testing & Analysis (F22ST3) 4 Definitions & Terminology (more) Hazard severity is the worst possible accident that could result from the hazard given the environment in its most unfavorable state. Hazard likelihood is the probability of occurrence. Hazard level is the combination of severity and likelihood. Risk is the hazard level combined with (1) the likelihood of the hazard leading to an accident and (2) hazard exposure or duration.

The Safety Life-cycle Hazard Analysis and Risk Assessment Safety Requirements Specification: (1) functional (2) safety-integrity Designation of Safety Critical Systems Validation Planning Design and Implementation Verification Safety Validation Operation and Maintenance Software Testing & Analysis (F22ST3) 6 Hazard Analysis Hazard analysis represents the heart of an effective safety programme. The objective is to discover potential hazards and causes which may arise given a systems operational environment. 1. Hazard identification: determining what hazards might exist during operation of the system. 2. Hazard classification: order hazards with respect to hazard level (severity & likelihood of arising). 3. Hazard decomposition or causal analysis: an analysis of the individual hazards is carried out in order to determine root cause(s).

Example Hazard Severity Categories US Department of Defense (MIL-STD-882B: System Safety Program Requirements): Category I: Catastrophic; may cause death or system loss. Category II: Critical; may cause severe injury, severe occupational illness, or system damage. Category III: Marginal; may cause minor injury, minor occupational illness, or minor system damage. Category IV: Negligible; will not result in injury, occupational illness, or system damage. Software Testing & Analysis (F22ST3) 8 Hazard Likelihood Categories Leveson (Leveson, N.G. 1995): Frequent: Likely to occur frequently to an individual item, continuously experienced throughout the fleet or inventory. Probable: Will occur several times during the life of an individual item, frequently throughout the fleet or inventory. Occasional: Likely to occur sometimes during the life of an individual item, several times throughout the fleet or inventory.

Hazard Likelihood Categories Leveson (Leveson, N.G. 1995): Remote: Unlikely to occur but possible during the life of an individual item but reasonably expected to occur in an fleet or inventory. Improbable: Extremely unlikely to occur to an individual item; possible for a fleet or inventory. Physically Impossible: Cannot occur to an individual item or in a fleet or inventory. Software Testing & Analysis (F22ST3) 10 Example: A Simple Boiler System Pump Water Boiler Pump Input Signal Water Level Sensor 2 Sensor Reading 2 Control System Water Level Sensor 1 Sensor Reading 1

Hazard Analysis: Fault Trees There are many techniques for analysing hazards in order to identify the root causes. Fault trees are one such technique. Fault trees are used to show the causal links between systems events and particular system faults. Building blocks: Basic events denoted by circles; Intermediate events denoted by rectangles; System fault denoted by the tree root; Events are connected by AND- and OR-gates. As an example consider the following fault: Boiler water level higher than safe limit. Software Testing & Analysis (F22ST3) 12 A Fault Tree for the Boiler System Sensor 1 failure Sensor 2 failure 4 Sensors show level < limit when level > limit Control stuck on 3 Pump set ON when level > limit Pump stuck on 2 Pumping when level > limit level > limit at start-up 1 Boiler level above limit Note: denotes AND while + denotes OR.

Risk Assessment Risk assessment follows on from hazard analysis and is involved in classifying the acceptability or safety integrity level of each hazard. This classification is based upon the: hazard level for each of the identified hazards and likelihood of an accident resulting from the hazard. During hazard analysis worst-case effects are usually only considered and simple qualitative methods are employed. In contrast risk analysis involves more quantitative analyses, e.g. statistical analysis based upon historical data. Software Testing & Analysis (F22ST3) 14 Safety Integrity Level Sommerville (Sommerville, I. 1995): 1. Intolerable: The system must be designed in such a way so that either the hazard cannot arise or, if it does arise, it will not result in an accident. 2. As low as reasonably practical (ALARP): The system must be designed so that the probability of an accident arising because of the hazard is minimized subject to other considerations such as cost, delivery and so on. 3. Acceptable: While the system designers should take all possible steps to reduce the probability of this hazard arising, these should not increase costs, delivery time or other non-functional system attributes.

Safety Requirements Specification Hazard analysis & risk assessment identify safety-critical functions and associated safety integrity levels which provide the basis for a safety criteria used by the system designers, i.e. a statement of what has to be achieved with respect to each of the hazards (but not how): 1. Hazard avoidance: design so that the hazard cannot arise, e.g. The dead-man s handle eliminates the hazard of a run-away train. 2. Hazard probability reduction: design to ensure that hazards cannot arise as a result of any single failure, e.g. install both software and hardware interlocks. 3. Accident prevention: design to detect hazards and remove them before an accident arises, e.g. automatic detection of aircraft engine fire linked with an automatic engine shut-down mechanism. Software Testing & Analysis (F22ST3) 16 Safety Case Safety critical systems require certification by a regulating authority, e.g. FAA, HSE,... A safety case documents the safety justification for a system and provides basis for the certification process came to prominence through Lord Cullen s recommendations following the Piper Alpha disaster (1988). A safety case records all the safety activities and should therefore be created early on during the development of a system. A safety case must also be maintained throughout the operational life of a system.

Safety Case: Key Components A high-level rigorous safety argument, e.g. if X fails then Y will prevent Z from occurring... Supporting evidence, e.g. test data, mathematical proofs showing that Y follows from the failure of X and that Y will prevent Z. All assumptions need to be made explicit, an unjustified assumption represents a flaw in the safety argument. Safety cases are typically multidisciplinary, as a consequence hard to manage. Software Testing & Analysis (F22ST3) 18 Summary The nature of safety critical systems The safety life-cycle Hazard analysis and risk assessment Safety requirements Safety case Further reading: Safeware Leveson, N.G. Addison-Wesley, 1995. Safety-Critical Computer Systems Storey, N. Addison-Wesley, 1996.

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback