safety-critical system

{{multiple image|perrow = 2|total_width=300

| image1 = C-141C Glass Cockpit Upgrade.JPEG

| image2 = OPT_IVs_Leads_Ruler_IMG_2164.jpg

| image3 = STS120LaunchHiRes-edit1.jpg

| image4 = RIAN archive 342604 The Novovoronezh nuclear power plant.jpg

| footer = Examples{{cite web|language=en|url=https://ieeexplore.ieee.org/document/1007998|title= Safety critical systems: challenges and directions|year=2002|publisher=IEEE|author=J.C. Knight|pages=547–550}} of safety-critical systems. From left to right, top to bottom: the glass cockpit of a C-141, a pacemaker, the Space Shuttle and the control room of a nuclear power plant.

}}

A safety-critical system{{cite web| title=Safety-critical system | url=http://www.encyclopedia.com/computing/dictionaries-thesauruses-pictures-and-press-releases/safety-critical-system | publisher=encyclopedia.com | access-date=15 April 2017 }} or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:{{cite book|last1=Sommerville|first1=Ian|title=Software Engineering|date=2015|publisher=Pearson India|isbn=978-9332582699|url=http://iansommerville.com/software-engineering-book/files/2015/08/Ch-12-Safety-Engineering.pdf|access-date=2018-04-18|archive-date=2018-04-17|archive-url=https://web.archive.org/web/20180417100835/http://iansommerville.com/software-engineering-book/files/2015/08/Ch-12-Safety-Engineering.pdf|url-status=dead}}{{cite web|last1=Sommerville|first1=Ian|title=Critical systems|url=http://iansommerville.com/software-engineering-book/web/critical-systems/|website=an Sommerville's book website|access-date=18 April 2018|date=2014-07-24|archive-date=2019-09-16|archive-url=https://web.archive.org/web/20190916113728/http://iansommerville.com/software-engineering-book/web/critical-systems/|url-status=dead}}

death or serious injury to people
loss or severe damage to equipment/property
environmental harm

A safety-related system (or sometimes safety-involved system) comprises everything (hardware, software, and human aspects) needed to perform one or more safety functions, in which failure would cause a significant increase in the safety risk for the people or environment involved.{{cite book | chapter-url=http://www.iec.ch/functionalsafety/faq-ed2/page5.htm | title=IEC 61508 – Functional Safety | chapter=FAQ – Edition 2.0: E) Key concepts | publisher=International Electrotechnical Commission | access-date=23 October 2016 | archive-date=25 October 2020 | archive-url=https://web.archive.org/web/20201025025914/https://www.iec.ch/functionalsafety/faq-ed2/page5.htm | url-status=dead }} Safety-related systems are those that do not have full responsibility for controlling hazards such as loss of life, severe injury or severe environmental damage. The malfunction of a safety-involved system would only be that hazardous in conjunction with the failure of other systems or human error. Some safety organizations provide guidance on safety-related systems, for example the Health and Safety Executive in the United Kingdom.{{cite book| chapter-url=http://www.hse.gov.uk/humanfactors/topics/mancomppt1.pdf | title=Managing competence for safety-related systems | chapter=Part 1: Key guidance | publisher=Health and Safety Executive | location=UK | date=2007 | access-date=23 October 2016 }}

Risks of this sort are usually managed with the methods and tools of safety engineering. A safety-critical system is designed to lose less than one life per billion (10⁹) hours of operation.FAA AC 25.1309-1A – System Design and Analysis{{cite journal| first1=Jonathan P. | last1=Bowen | author-link=Jonathan Bowen | title=The Ethics of Safety-Critical Systems | journal=Communications of the ACM | volume=43 | number=4 | pages=91–97 | date=April 2000 | doi=10.1145/332051.332078 | s2cid=15979368 | doi-access=free }} Typical design methods include probabilistic risk assessment, a method that combines failure mode and effects analysis (FMEA) with fault tree analysis. Safety-critical systems are increasingly computer-based.

Safety-critical systems are a concept often used together with the Swiss cheese model to represent (usually in a bow-tie diagram) how a threat can escalate to a major accident through the failure of multiple critical barriers. This use has become common especially in the domain of process safety, in particular when applied to oil and gas drilling and production both for illustrative purposes and to support other processes, such as asset integrity management and incident investigation.{{Cite book |last=CCPS in association with Energy Institute |title=Bow Ties in Risk Management: A Concept Book for Process Safety |publisher=AIChE and John Wiley & Sons |year=2018 |isbn=9781119490395 |location=New York, N.Y. and Hoboken, N.J. |language=en |name-list-style=}}

Reliability regimens

Several reliability regimes for safety-critical systems exist:

Fail-operational systems continue to operate when their control systems fail. Examples of these include elevators, the gas thermostats in most home furnaces, and passively safe nuclear reactors. Fail-operational mode is sometimes unsafe. Nuclear weapons launch-on-loss-of-communications was rejected as a control system for the U.S. nuclear forces because it is fail-operational: a loss of communications would cause launch, so this mode of operation was considered too risky. This is contrasted with the fail-deadly behavior of the Perimeter system built during the Soviet era.{{cite magazine|url=https://www.wired.com/politics/security/magazine/17-10/mf_deadhand|title=Inside the Apocalyptic Soviet Doomsday Machine|magazine=WIRED|date=2009-09-21|last1=Thompson|first1=Nicholas}}
Fail-soft systems are able to continue operating on an interim basis with reduced efficiency in case of failure.{{cite web|url=http://www.dictionary.com/browse/fail-soft|title=Definition fail-soft}} Most spare tires are an example of this: They usually come with certain restrictions (e.g. a speed restriction) and lead to lower fuel economy. Another example is the "Safe Mode" found in most Windows operating systems.
Fail-safe systems become safe when they cannot operate. Many medical systems fall into this category. For example, an infusion pump can fail, and as long as it alerts the nurse and ceases pumping, it will not threaten the loss of life because its safety interval is long enough to permit a human response. In a similar vein, an industrial or domestic burner controller can fail, but must fail in a safe mode (i.e. turn combustion off when they detect faults). Famously, nuclear weapon systems that launch-on-command are fail-safe, because if the communications systems fail, launch cannot be commanded. Railway signaling is designed to be fail-safe.
Fail-secure systems maintain maximum security when they cannot operate. For example, while fail-safe electronic doors unlock during power failures, fail-secure ones will lock, keeping an area secure.
Fail-Passive systems continue to operate in the event of a system failure. An example includes an aircraft autopilot. In the event of a failure, the aircraft would remain in a controllable state and allow the pilot to take over and complete the journey and perform a safe landing.
Fault-tolerant systems avoid service failure when faults are introduced to the system. An example may include control systems for ordinary nuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system, and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. The computers, power supplies and control terminals used by human beings must all be duplicated in these systems in some fashion.

Software engineering for safety-critical systems

Software engineering for safety-critical systems is particularly difficult. There are three aspects which can be applied to aid the engineering software for life-critical systems. First is process engineering and management. Secondly, selecting the appropriate tools and environment for the system. This allows the system developer to effectively test the system by emulation and observe its effectiveness. Thirdly, address any legal and regulatory requirements, such as Federal Aviation Administration requirements for aviation. By setting a standard for which a system is required to be developed under, it forces the designers to stick to the requirements. The avionics industry has succeeded in producing standard methods for producing life-critical avionics software. Similar standards exist for industry, in general, (IEC 61508) and automotive (ISO 26262), medical (IEC 62304) and nuclear (IEC 61513) industries specifically. The standard approach is to carefully code, inspect, document, test, verify and analyze the system. Another approach is to certify a production system, a compiler, and then generate the system's code from specifications. Another approach uses formal methods to generate proofs that the code meets requirements.{{cite journal| first1=Jonathan P. | last1=Bowen | first2=Victoria | last2=Stavridou | title=Safety-critical systems, formal methods and standards | publisher=IEE/BCS | journal=Software Engineering Journal | volume=8 | number=4 | pages=189–209 | date=July 1993 | doi=10.1049/sej.1993.0025 | s2cid=9756364 }} All of these approaches improve the software quality in safety-critical systems by testing or eliminating manual steps in the development process, because people make mistakes, and these mistakes are the most common cause of potential life-threatening errors.

Examples of safety-critical systems

=Infrastructure=

Circuit breaker
Emergency services dispatch systems
Electricity generation, transmission and distribution
Fire alarm
Fire sprinkler
Fuse (electrical)
Fuse (hydraulic)
Life support systems
Telecommunications

=Medicine<ref>{{cite web|url=http://www.mddionline.com/article/device-safety-system-design|title=Medical Device Safety System Design: A Systematic Approach|work=mddionline.com|date=2012-01-24}}</ref>=

The technology requirements can go beyond avoidance of failure, and can even facilitate medical intensive care (which deals with healing patients), and also life support (which is for stabilizing patients).

Heart-lung machines
Anesthetic machines
Mechanical ventilation systems
Infusion pumps and Insulin pumps
Radiation therapy machines
Robotic surgery machines
Defibrillator machines
Pacemaker devices
Dialysis machines
Devices that electronically monitor vital functions (electrography; especially, electrocardiography, ECG or EKG, and electroencephalography, EEG)
Medical imaging devices (X-ray, computerized tomography- CT or CAT, different magnetic resonance imaging- MRI- techniques, positron emission tomography- PET)
Even healthcare information systems have significant safety implications {{cite journal |editor-last=Anderson |editor-first=RJ |editor2-last=Smith |editor2-first=MF |title=Special Issue: Confidentiality, Privacy and Safety of Healthcare Systems |journal=Health Informatics Journal |volume=4 |issue=3–4 |date=September–December 1998 |url=https://journals.sagepub.com/toc/jhib/4/3-4}}

=Nuclear engineering<ref>{{cite web|url=http://www.world-nuclear.org/info/Safety-and-Security/Safety-of-Plants/Safety-of-Nuclear-Power-Reactors/|title=Safety of Nuclear Reactors|work=world-nuclear.org|access-date=2013-12-18|archive-date=2016-01-18|archive-url=https://web.archive.org/web/20160118223416/http://www.world-nuclear.org/info/Safety-and-Security/Safety-of-Plants/Safety-of-Nuclear-Power-Reactors/|url-status=dead}}</ref>=

Nuclear reactor control systems

=Oil and gas production<ref>{{Cite book |last=Step Change in Safety |title=Assurance and Verification Practitioners' Guidance Document |publisher=Step Change in Safety |year=2018 |location=Aberdeen |language=en}}</ref>=

Process containment
Well integrity
Hull integrity (for floating production storage and offloading)
Jacket and topside structures
Lifting equipment
Helidecks
Mooring systems
Fire and gas detection
Critical instrumented functions (process shutdown, emergency shutdown)
Actuated isolation valves
Pressure relief devices
Blowdown valves and flare system
Drilling well control (blowout preventer, mud and cement)
Ventilation and heating, ventilation, and air conditioning
Drainage systems
Ballast systems
Hull cargo tanks inerting system
Heading control
Ignition prevention (Ex certified electrical equipment, insulated hot surfaces, etc.)
Firewater pumps
Firewater and foam distribution piping
Firewater and foam monitors
Deluge valves
Gaseous fire suppression systems
Firewater hydrants
Passive fire protection
Temporary Refuge
Escape routes
Lifeboats and liferafts
Personal survival equipment (e.g., lifejackets)

=Recreation=

=Transport=

==Railway<ref>{{cite web |url=http://rtos.com/images/uploads/Safety-Critical_Systems_In_Rail_Transportation.pdf |title=Safety-Critical Systems in Rail Transportation |website=Rtos.com |access-date=2016-10-23 |url-status=dead |archive-url=https://web.archive.org/web/20131219031018/http://rtos.com/images/uploads/Safety-Critical_Systems_In_Rail_Transportation.pdf |archive-date=2013-12-19 }}</ref>==

Railway signalling and control systems
Platform detection to control train doors[https://web.archive.org/web/20121207052412/http://www.fersil-railway.com/wp-content/uploads/PLAQUETTEA4-ENGL.pdf Wayback Machine]
Automatic train stop

==Automotive<ref>{{cite web|url=http://books.sae.org/pt-103/|title=Safety-Critical Automotive Systems|work=sae.org}}</ref>==

Airbag systems
Braking systems
Seat belts
Power Steering systems
Advanced driver-assistance systems
Electronic throttle control
Battery management system for hybrids and electric vehicles
Electric park brake
Shift by wire systems
Drive by wire systems
Park by wire

==Aviation<ref>{{cite book|title=Developing Safety-Critical Software: A Practical Guide for Aviation Software and DO-178C Compliance|author= Leanna Rierson|isbn= 978-1-4398-1368-3|date = 2013-01-07|publisher= CRC Press}}</ref>==

Air traffic control systems
Avionics, particularly fly-by-wire systems
Radio navigation (Receiver Autonomous Integrity Monitoring)
Engine control systems
Aircrew life support systems
Flight planning to determine fuel requirements for a flight

==Spaceflight<ref>{{cite web |url=http://www.dept.aoe.vt.edu/~cdhall/courses/aoe4065/NASADesignSPs/N_PG_8705_0002_.pdf |title=Human-Rating Requirements and Guidelinesfor Space Flight Systems |work=NASA Procedures and Guidelines |id=NPG: 8705.2 |date=June 19, 2003 |access-date=2016-10-23 |archive-date=2021-03-17 |archive-url=https://web.archive.org/web/20210317191659/http://www.dept.aoe.vt.edu/~cdhall/courses/aoe4065/NASADesignSPs/N_PG_8705_0002_.pdf |url-status=dead }}</ref>==

Human spaceflight vehicles
Rocket range launch safety systems
Launch vehicle safety
Crew rescue systems
Crew transfer systems

References

External links

[http://shemesh.larc.nasa.gov/fm/fm-why-def-life-critical.html An Example of a Life-Critical System]
[https://web.archive.org/web/20070426012627/http://vl.fmnet.info/safety/ Safety-critical systems Virtual Library]
[http://www.iasa.com.au/folders/RoboLander_files/AutolandFailmodes.htm Explanation of Fail Operational and Fail Passive in Avionics]
[https://standards.nasa.gov/standard/NASA/NASA-STD-87398 NASA Technical Standards System] Software Assurance and Software Safety Standard

{{Webarchive|url=https://web.archive.org/web/20200715023914/http://www.iasa.com.au/folders/RoboLander_files/AutolandFailmodes.htm |date=2020-07-15 }}

Category:Computer systems

Category:Control engineering

Category:Engineering failures

Category:Formal methods

Category:Safety

Category:Risk analysis

Category:Process safety

Category:Safety engineering

Category:Software quality