Safety engineering Flashcards

(7 cards)

1
Q

What are the two classes of safety-critical systems?

A
  1. Primary safety-critical software: This is software that is embedded as a controller in a system. Malfunctioning of such software can cause a hardware malfunction, which results in human injury or environmental damage. For example, advanced, aerodynamically unstable, military aircraft require continual software-controlled adjustment of their flight surfaces to ensure that they do not crash.
  2. Secondary safety-critical software: This is software that can indirectly result in an injury. An example of such software is a computer-aided engineering design system whose malfunctioning might result in a design fault in the object being designed. Some control systems, such as those controlling critical national infrastructure (electricity supply, telecommunications, sewage treatment, etc.), are secondary safety-critical systems.
2
Q

What are the hazard-driven techniques in safety-critical systems?

A
  1. Hazard avoidance: The system is designed so that hazards are avoided. For example, a paper-cutting system that requires an operator to use two hands to press separate buttons simultaneously avoids the hazard of the operator’s hands being in the blade’s pathway.
  2. Hazard detection and removal: The system is designed so that hazards are detected and removed before they result in an accident. For example, a chemical plant system may detect excessive pressure and open a relief valve to reduce pressure before an explosion occurs.
  3. Damage limitation: The system may include protection features that minimize the damage that may result from an accident. For example, an aircraft engine normally includes automatic fire extinguishers. If there is an engine fire, it can often be controlled before it poses a threat to the aircraft.
3
Q

What are the four activities in hazard-driven safety specification?

A
  1. Hazard identification: The hazard identification process identifies hazards that may threaten the system. These hazards may be recorded in a hazard register. This is a formal document that records the safety analyses and assessments and that may be submitted to a regulator as part of a safety case. Hazard identification may be based on different types of hazard: physical, electrical, biological, service failure, etc.
  2. Hazard assessment: The hazard assessment process decides which hazards are the most dangerous and/or the most likely to occur. These should be prioritized when deriving safety requirements. The process is concerned with understanding the likelihood that a risk will arise and the potential consequences if an accident or incident should occur. Risks may be categorized as: intolerable (must never arise or result in an accident), as low as reasonably practical - ALARP (must minimize the possibility of risk given cost and schedule constraints), and acceptable (the consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability).
  3. Hazard analysis: This is a process of root-cause analysis that identifies the events that can lead to the occurrence of a hazard. The techniques, mostly derived from work on safety-critical systems, can be inductive (bottom-up): start with a proposed system failure and assess the hazards that could arise from that failure; or deductive (top-down): start with a hazard and deduce what its causes could be.
  4. Risk reduction: This process is based on the outcome of hazard analysis and leads to identification of safety requirements. These requirements may be concerned with ensuring that a hazard does not arise or lead to an accident or that if an accident does occur, the associated damage is minimized. The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise. Risk reduction strategies: hazard avoidance; hazard detection and removal; damage limitation.
4
Q

What are some safety assurance techniques?

A
  1. Hazard analysis and monitoring, where hazards are traced from preliminary hazard analysis through to testing and system validation.
  2. Safety reviews, which are used throughout the development process.
  3. Safety certification, where the safety of critical components is formally certified. This involves a group external to the system development team examining the available evidence and deciding whether or not a system or component should be considered to be safe before it is made available for use.
5
Q

What is formal verification?

A

Formal methods can be used when a mathematical specification of the system is produced. They are the ultimate static verification technique that may be used at different stages in the development process.

6
Q

What are the advantages and disadvantages of formal methods?

A

Advantages of formal methods

  1. Producing a mathematical specification requires a detailed analysis of the requirements and this is likely to uncover errors.
  2. Concurrent systems can be analysed to discover race conditions that might lead to deadlock.
  3. Testing for such problems is very difficult. Formal methods can detect implementation errors before testing when the program is analysed alongside the specification.

Disadvantages of formal methods

  1. They require specialized notations that cannot be understood by domain experts.
  2. Very expensive to develop a specification and even more expensive to show that a program meets that specification.
  3. Proofs may contain errors. It may be possible to reach the same level of confidence in a program more cheaply using other V & V techniques.
7
Q

What are the three levels of static analysis?

A
  1. Characteristic error checking: Static analysers can check for patterns in the code that are characteristic of errors made by programmers using a particular language.
  2. User-defined error checking: Users of a programming language define error patterns, thus extending the types of error that can be detected. This allows specific rules that apply to a program to be checked.
  3. Assertion checking: Developers include formal assertions in their program that specify relationships that must hold at that point. The static analyser symbolically executes the code and highlights potential violations of these assertions.