Analysis of Safety Critical Systems and their Design

Gurnam Singh, Puneet Singh
Electronics and Electrical Department, BITS-Pilani
K.K. Birla Goa Campus, Goa, India
h2010018@bits-goa.ac.in
puneet@bits-goa.ac.in

Abstract— This paper provides an introduction to safety-critical systems and their design techniques. Behaviour-based design and software design criteria are discussed in brief. Our work studies one such safety-critical application, namely a software-based insulin pump. It also describes a safety assessment method for safety-critical systems.

I. INTRODUCTION

Critical systems are broadly classified into three categories: safety-critical systems, mission-critical systems and business-critical systems.

Safety-critical systems are those systems whose failure could result in loss of life, significant property damage, or damage to the environment. There exists at least one failure that can be adjudged to cause a catastrophe (e.g. loss of life). The development of such systems is usually controlled by regulatory authorities, depending on the area of application, such as transportation, aerospace, the energy industry, medicine, and defence systems. Many modern information systems are becoming safety-critical in a general sense because financial loss and even loss of life can result from their failure.

Safety-critical systems are further classified into two categories, traditional systems and non-traditional systems. Traditional areas that have been considered the home of safety-critical systems include medical care, commercial aircraft, nuclear power, and weapons. Failure in these areas can quickly lead to human life being put in danger and to loss of equipment; examples are the microprocessor-controlled insulin pump, the heart pacemaker, and computerized equipment for spinal and ophthalmic surgery. Non-traditional systems are those which have the potential for very high consequences of failure, and these systems should probably be considered safety-critical. It is obvious that the loss of a commercial aircraft will probably kill people. It is not obvious that loss of a telephone system could kill people. But a protracted loss of emergency service will certainly result in serious problems. [1]

II. DESIGN OF SAFETY CRITICAL SYSTEM

There are, however, plenty of software systems that are used in the design and manufacture of systems where the consequences of failure could be considerable. Software that supports the development of other software (such as a compiler) is itself safety-critical if the product that it supports is safety-critical. The following two established design principles for safety-critical applications assure product safety: (1) software must be free of errors when delivered and put into operation; (2) failures of the hardware must not result in unsafe operation.

"Software must be free of errors" is achieved by two steps:

1. Proof of Validity. The proof of validity shows that the software requirements specification accomplishes all safety-related functions of the system. This proof requires an exact software requirements specification.

2. Proof of Correctness. The proof of correctness shows that the program code fulfills all the requirements of the software requirements specification. Furthermore, it must be proved that design errors in the non-safety-related software will not result in unsafe operation of the system.

Design principle 2, that failures of the hardware must not result in unsafe operation, is ensured by the system architecture. A dual checked-redundant system, which uses two computers to process safety-related inputs separately and to cross-check control actions (outputs), is a common system architecture chosen to ensure against unsafe operation. [2]

Software Design Process

A verifiable design begins with a "top-down", structured and systematic design approach. This approach provides a common basis for the understanding, review, and analysis among those responsible for certifying a design. The "top-down" approach creates major functional partitions which are then subdivided into sub-functions. This step-wise refinement continues until the lowest-level requirements are reached. [3]

A SHA is done in parallel to the design effort. Analytical techniques, such as fault tree analysis, are used to analyze the safety of the system. The resulting safety-related requirements are included in the software requirements specification.

Rule 1: Analysis of Software
"Each safety-related module shall be analyzed and tested sufficiently to assure its safety."

Rule 2: Redundant Software
"Each safety-related function shall be performed redundantly."

Rule 3: Diverse Software
"A safety-related algorithm which has been determined to require diversity shall be performed with two diverse-by-design algorithms."
Rule 4: Continual Comparisons
"Continual comparisons among all powered-on microcomputers in the system shall be used as part of checking the proper redundant action of all safety-related functions of the system."

Rule 5: Execution Sequence Integrity
"Proper execution sequence shall be assured by check-in / check-out techniques."

Rule 6: Safety Variable Storage Integrity
"Each safety variable in the ATC system shall be stored in two diverse memory locations, that is, at a location in the leader cradle and at a diverse memory location in the backup cradle."

Rule 7: RAM Integrity
"Integrity of storage for variables (in RAM) shall be assured by the use of read/write tests."

Rule 8: ROM Integrity
"Integrity of fixed data and machine code (in ROM)."

Rule 9: CPU Integrity
"Integrity of machine code execution shall be assured by the use of an instruction set test."

Rule 10: Serial Link Integrity
"Integrity of communication among microcomputers shall be assured."

Rule 11: Clock and Timer Integrity
"Integrity of clock rates and timers shall be assured by comparisons."

Rule 12: Interrupt Integrity
"Integrity of the effect of interrupts on the system shall be assured."

Rule 13: Software Timers on Critical Checks
"On any check for which it is additionally necessary to provide a separate timer to assure that the check is being completed within some maximum period of time, this rule shall be used."

Rule 14: System Watchdog Timer
"A hardware watchdog timer shall be utilized to guard against improper program looping or halting."

Rule 15: Safety Error Termination
"A safety-error termination shall cause the system to go into a tight loop."

III. SAFETY ASSESSMENT OF DESIGN PATTERNS

Safety and reliability requirements of a safety-critical system are both closely related to the probability of failure in the system; they differ in the type of failure, whether it is a safe or an unsafe failure. The reliability requirement concerns the continuity of the required service, while the safety requirement addresses the severity of failures in the required service. [4]

Many metrics, such as Steady-State Safety (SSS) and Mean Time to Unsafe Failure (MTTUF), are used in the assessment of safety-critical systems. Nevertheless, the risk, which is defined in the standard IEC 61508 as a combination of the probability of occurrence of harm and the severity of that harm, is considered the most generic metric, as it deals with a wide range of applications.

A new metric can be used to assess the probability of unsafe failure in different design patterns. The new metric is called Relative Safety Improvement (RSI), and it is defined as "the percentage improvement in safety (reduction in probability of unsafe failure) relative to the maximum possible improvement which can be achieved when the probability of unsafe failure is reduced to 0".

For any design pattern, the relative safety improvement can be calculated as shown in Equation 1:

RSI = (1 - PUF(new)/PUF(old)) * 100%    (1)

– RSI: relative safety improvement.
– PUF(old): probability of unsafe failure in the basic system.
– PUF(new): probability of unsafe failure in the design pattern.

This metric is easy to use in the assessment process of design patterns, either through mathematical modeling of the design patterns or by using simulation techniques to demonstrate the safety improvement in each design pattern. [4]

IV. ANALYSIS OF SYSTEM DESIGN

The system algebra is a formal method which can be used to analyze the system design. Any system can exist in any of three states: safe, hazardous, or unsafe. This approach helps in determining the availability, safety and functionality of a simple or a complex system. The analysis of the system algebra expression for a given system also helps in determining its fault tolerance. The system algebra is a means of avoiding the occurrence of an unreliable system state or a hazardous state by improving the system design before implementing and testing the system in the field. The system algebra approach helps in analyzing the intermediate system states and the signal flows from the input stage to the computation and to the actuator stage. The system algebra expression is generated from the failure rates of the components and the sub-systems. Quantitative prediction with respect to time is done with the transitions of the system from a safe state to a hazardous state to an unsafe state. Based on the analysis, it is observed that a subsystem that has redundancy is capable of withstanding a failure for a longer period of time without affecting the functionality of the system. The system design of the FCS predicts a system failure rate of around 10^-9, which is what is required for safety-critical systems. This illustrates that the system algebra approach is useful for analyzing system integrity and the requirements for safety-critical applications, and further validates the applicability of the system algebra to analyze the availability based on the system state transitions. [5]
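To make Equation 1 and the safe/hazardous/unsafe state view of Section IV concrete, the following is an added example, not code from the paper or its references: a constructed discrete-time state-transition model is stepped over a mission length to obtain PUF for a basic single-channel design and for a redundant cross-checked pattern, and Equation 1 turns the pair into an RSI. The transition probabilities, the design_t type and every function name are assumptions for illustration; this is the "simulation techniques" route, not the system algebra of [5].

```c
#include <stdbool.h>

/* Constructed three-state model (safe -> hazardous -> unsafe) stepped in
 * discrete time; an assumed illustration, not the system algebra of [5].
 * Per-step transition probabilities (p_uns + p_rec must not exceed 1):
 *   p_haz: safe -> hazardous      (a component fault appears)
 *   p_uns: hazardous -> unsafe    (the fault propagates to the actuator)
 *   p_rec: hazardous -> safe      (the fault is detected and masked) */
typedef struct { double p_haz, p_uns, p_rec; } design_t;

/* Probability of unsafe failure (PUF) after `steps` time steps, starting in
 * the safe state with probability 1. The unsafe state is absorbing. */
double puf_after(design_t d, int steps) {
    double safe = 1.0, haz = 0.0, unsafe = 0.0;
    for (int i = 0; i < steps; i++) {
        double to_haz = safe * d.p_haz;
        double to_uns = haz * d.p_uns;
        double to_safe = haz * d.p_rec;
        safe += to_safe - to_haz;
        haz += to_haz - to_uns - to_safe;
        unsafe += to_uns;
    }
    return unsafe;
}

/* Equation 1: RSI = (1 - PUF(new)/PUF(old)) * 100%. Returns false when
 * PUF(old) is zero (no improvement is expressible); a negative RSI means the
 * pattern is worse than the basic system. */
bool rsi_percent(double puf_old, double puf_new, double *rsi) {
    if (puf_old <= 0.0) return false;
    *rsi = (1.0 - puf_new / puf_old) * 100.0;
    return true;
}

/* Basic single-channel design versus a redundant, cross-checked pattern:
 * same fault rate, but the pattern catches most faults before actuation.
 * All probabilities are constructed values. */
double rsi_of_redundant_pattern(int steps) {
    design_t basic     = { 0.1, 0.5, 0.0 };
    design_t redundant = { 0.1, 0.1, 0.4 };
    double rsi = 0.0;
    rsi_percent(puf_after(basic, steps), puf_after(redundant, steps), &rsi);
    return rsi;
}

/* Tolerant comparison for the floating-point results above. */
bool approx_eq(double a, double b) { double d = a - b; return d < 1e-9 && -d < 1e-9; }
```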
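As an added illustration, not code from the paper, the following C module applies Rules 2, 3, 4, 6, 7 and 15 of Section II to the insulin pump's essential safety requirement of Section V, that an excessive dose is never delivered: two diverse-by-design algorithms decide the same dose-limit check from two diverse copies of the limit, and their verdicts are compared before any actuation. All names and the 16-bit dose representation are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example (not from the paper): the insulin pump's essential
 * safety requirement, "an excessive dose shall never be delivered", done as
 * a safety-related function performed redundantly by two diverse-by-design
 * algorithms (Rules 2, 3), cross-checked (Rule 4), with the dose limit held
 * in two diverse memory locations (Rule 6); any disagreement is a safety
 * error (Rule 15). Names and dose units are assumed. */

typedef enum { SYS_RUN = 0, SYS_SAFE_TERMINATED = 1 } sys_state_t;

/* Rule 6: plain copy ("leader cradle") plus bitwise-inverted copy ("backup
 * cradle"), so corruption of either copy is visible. */
typedef struct { uint16_t leader; uint16_t backup; } safety_var_t;

void sv_store(safety_var_t *v, uint16_t value) {
    v->leader = value;
    v->backup = (uint16_t)~value;
}

/* Rule 7: integrity test of a stored safety variable. */
bool sv_intact(const safety_var_t *v) {
    return (uint16_t)~v->backup == v->leader;
}

/* Channel A: direct comparison. */
static bool chan_a_allowed(uint16_t dose, uint16_t limit) { return dose <= limit; }

/* Channel B: diverse algorithm. The 32-bit difference wraps to a value far
 * above 0xFFFF exactly when the dose exceeds the limit. */
static bool chan_b_allowed(uint16_t dose, uint16_t limit) {
    uint32_t remaining = (uint32_t)limit - (uint32_t)dose;
    return remaining <= 0xFFFFu;
}

/* Rules 4 and 15: each channel reads its own copy of the limit and the two
 * verdicts are compared before any actuation. On disagreement a real
 * controller enters its tight loop; here the state is returned instead. */
sys_state_t request_dose(const safety_var_t *limit, uint16_t dose, bool *deliver) {
    *deliver = false;
    bool a = chan_a_allowed(dose, limit->leader);
    bool b = chan_b_allowed(dose, (uint16_t)~limit->backup);
    if (a != b) return SYS_SAFE_TERMINATED;  /* continual comparison failed */
    *deliver = a;                            /* both agree: deliver or refuse */
    return SYS_RUN;
}
```

Comparison alone cannot detect a corruption that both channels still interpret consistently (a lowered backup copy with a dose below both values still passes), which is why the Rule 7 integrity test sv_intact runs as a separate periodic RAM check.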
V. SOFTWARE BASED INSULIN PUMP: AN OVERVIEW

Figure.1 shows the block diagram of a safety-critical system, i.e. a software-based insulin pump.

[Figure.1: block diagram of the software-based insulin pump. Blocks: insulin reservoir, needle assembly, pump, clock, sensor, controller, alarm, Display1, Display2, power supply]

The system shall be available to deliver insulin when required to do so. The system shall perform reliably and deliver the correct amount of insulin to counteract the current level of blood sugar. The essential safety requirement is that excessive doses of insulin should never be delivered, as this is potentially life threatening.

Figure.2 describes the data flow model of the insulin pump system. This shows the flow of data in the system.

[Figure.2: data flow model of the insulin pump system (not reproduced)]

VI. REFERENCES

[1] John C. Knight, "Safety Critical Systems: Challenges and Directions".
[2] Amer Saeed, Rogério de Lemos, "The Role of Formal Methods in the Requirements Analysis of Safety-Critical Systems".
[3] Gary S. Krut, "Software Design Criteria for the Safety-Critical Protection of Automated Transit Systems".
[4] Ashraf Armoush, Eva Beckschulze and Stefan Kowalewski, "Safety Assessment of Design Patterns for Safety-Critical Embedded Systems".
[5] Manju Nanda, Shrisha Rao, "A Formal Method Approach to Analyze the Design of Aircraft Flight Control Systems".
