Safety Critical Systems ITV Model-based Analysis and Design of Embedded Software Techniques and methods for Critical Software Anders P. Ravn Aalborg University August 2011
Page 1: Safety Critical Systems

Safety Critical Systems

ITV Model-based Analysis and Design of Embedded Software. Techniques and methods for Critical Software

Anders P. Ravn, Aalborg University

August 2011

Page 2: Safety Critical Systems

Safety Critical Systems

• Safety is a property of a system: a failure in the operation of the system will not endanger human life or its environment.

• A safety-critical system is a system of high criticality, e.g. in IEC 61508 it relates to Safety Integrity Level 4, in which the safety of the related equipment and its environment is assured.

• A safety-critical system is generally one which carries an extremely high level of assurance of its safety.

• Safety integrity refers to the likelihood of a safety-critical system satisfactorily performing its required safety functions under all stated conditions within a stated period of time.

N. Storey. Safety-Critical Computer Systems. Addison-Wesley, 1996.

Page 3: Safety Critical Systems

Selected Safety Standards

• IEC 61508, Functional Safety of electrical/ electronic/programmable electronic safety-related systems, International Electrotechnical Commission, 2010.

• DO-178B, Software considerations in airborne systems and equipment certification, RTCA, 1992.

• ED-12B, Software considerations in airborne systems and equipment certification, RTCA & European Organisation for Civil Aviation Equipment.

• DEF STANDARD 00-56, Safety Management Requirements for Defence Systems, United Kingdom Ministry of Defence, June 2007.

• FDA 21 CFR part 820, Quality System (QS) Regulation/Medical Device Good Manufacturing Practice, June 1997.

Page 4: Safety Critical Systems

Safety Integrity Levels

DEF STANDARD 00-56 Safety Integrity Levels

Page 5: Safety Critical Systems

Safety Integrity Levels and acceptable risks

IEC 61508 Safety Integrity Levels

Page 6: Safety Critical Systems

IEC 61508 Organization - 1

Page 7: Safety Critical Systems

IEC 61508 Organization

Page 8: Safety Critical Systems

Safety Lifecycle

Page 9: Safety Critical Systems

Lifecycle in Realisation Phase

Page 10: Safety Critical Systems

Lifecycle Software Realization

Page 11: Safety Critical Systems

Lifecycle Overview 1

Page 12: Safety Critical Systems

Lifecycle Overview 2

Page 13: Safety Critical Systems

Lifecycle Overview 3

Page 14: Safety Critical Systems

Lifecycle Overview 4

Page 15: Safety Critical Systems

From S-requirements to S-functions

Page 16: Safety Critical Systems

Hazards and Risks

"Although not within the scope of this standard, it is of primary importance that identified hazards of the EUC are eliminated at source, for example by the application of inherent safety principles and the application of good engineering practices."

IEC 61508-1 7.4.2.2 NOTE

• A hazard is a situation that poses a level of threat to life, health, property, or environment.

• Most hazards are dormant or potential, with only a theoretical risk of harm; however, once a hazard becomes "active", it can create an emergency situation.

• A hazard does not exist when it is not happening.

• A hazardous situation that has come to pass is called an incident.

• Hazard and vulnerability interact together to create risk.

(Wikipedia)

Page 17: Safety Critical Systems

Target failure probabilities and SIL levels (low demand mode)

Low demand mode: the frequency of demands on the safety function is less than one per year. (IEC 61508-5)

Page 18: Safety Critical Systems

Target failure probabilities and SIL levels (high demand or continuous mode)
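The two slides above (pages 17 and 18) carried their SIL tables as images, which are absent from this transcript. The following added example, not part of the lecture, shows how a practitioner uses those tables: select the demand mode from the demand rate as defined on page 17, compute the matching failure measure (PFDavg for low demand, PFH for high demand) with the single-channel simplified formulas from IEC 61508-6, and check the result against the SIL allocated to the function. The band limits are the target failure measures tabulated in IEC 61508-1; the safety functions, failure rates and proof-test interval are constructed sample values.

```python
"""Demand mode and SIL classification of a safety function (IEC 61508).

Added example; it is not part of the lecture slides.  The target failure
measure bands are the ones tabulated in IEC 61508-1 (the slides' own tables
were images and are absent from this transcript).  The 1oo1 simplified
formulas follow IEC 61508-6.  All sample safety functions are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Low demand mode: average probability of dangerous failure on demand (PFDavg).
# Each band is [lower, upper).
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
# High demand or continuous mode: average frequency of dangerous failure per hour (PFH).
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

HOURS_PER_YEAR = 8760.0


def demand_mode(demands_per_year: float) -> str:
    """Low demand mode: fewer than one demand per year on the safety function
    (as stated on the slide, citing IEC 61508-5); otherwise high demand or
    continuous mode."""
    return "low" if demands_per_year < 1.0 else "high"


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified single-channel (1oo1) estimate: PFDavg ~= lambda_DU * T / 2.
    lambda_DU is the dangerous undetected failure rate, T the proof-test
    interval.  Valid only when lambda_DU * T << 1."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def pfh_1oo1(lambda_du_per_hour: float) -> float:
    """For a single channel in high demand mode the dangerous failure
    frequency is the dangerous undetected failure rate itself."""
    return lambda_du_per_hour


def achieved_sil(measure: float, bands: dict) -> Optional[int]:
    """Highest SIL whose target the measure meets (measure below the band's
    upper bound).  A measure better than the SIL 4 lower bound still reports
    SIL 4, since the standard defines no level above it; a measure at or
    above the SIL 1 upper bound meets no SIL and returns None."""
    for sil in (4, 3, 2, 1):
        if measure < bands[sil][1]:
            return sil
    return None


@dataclass
class SafetyFunction:
    name: str
    demands_per_year: float
    lambda_du_per_hour: float          # dangerous undetected failure rate, per hour
    proof_test_interval_hours: float   # used only in low demand mode
    required_sil: int                  # SIL allocated by the hazard and risk analysis


def assess(sf: SafetyFunction) -> dict:
    """Pick the demand mode, compute the matching failure measure, and check
    it against the SIL allocated to the function."""
    mode = demand_mode(sf.demands_per_year)
    if mode == "low":
        measure = pfd_avg_1oo1(sf.lambda_du_per_hour, sf.proof_test_interval_hours)
        sil = achieved_sil(measure, PFD_BANDS)
    else:
        measure = pfh_1oo1(sf.lambda_du_per_hour)
        sil = achieved_sil(measure, PFH_BANDS)
    return {
        "name": sf.name,
        "mode": mode,
        "measure": measure,
        "achieved_sil": sil,
        "meets_target": sil is not None and sil >= sf.required_sil,
    }


if __name__ == "__main__":
    # Constructed sample functions (not from the slides).
    samples = [
        # Demanded roughly twice a decade; proof-tested once a year.
        SafetyFunction("overpressure shutdown", 0.2, 2e-6, HOURS_PER_YEAR, required_sil=2),
        # Demanded continuously; the proof-test interval plays no role here.
        SafetyFunction("train brake control", 1000.0, 5e-8, HOURS_PER_YEAR, required_sil=4),
    ]
    for s in samples:
        r = assess(s)
        print(f"{r['name']}: {r['mode']} demand, measure={r['measure']:.2e}, "
              f"SIL {r['achieved_sil']}, meets target: {r['meets_target']}")
```

The second sample shows the point of page 18: in high demand mode a function is judged per hour of operation, so the same hardware that comfortably reaches SIL 2 on demand reaches only SIL 3 continuously and fails a SIL 4 allocation, even though no proof testing could improve it.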

Page 19: Safety Critical Systems

Assessment

Page 20: Safety Critical Systems

Consequences

• A – minor injury
• B – serious permanent injury to one or more persons, death of one person
• C – death of several people
• D – very many people killed

Page 21: Safety Critical Systems

Exercise – Please classify

• Airbus 380 control system
• Airbus 380 infotainment system
• High speed train control system
• Cruise control in a car
• Anaesthetics monitoring equipment
• Electronic door lock
• Net banking application
• Playground entertainment system

Consequence