53 research outputs found

    Threat Assessment and Risk Analysis (TARA) for Interoperable Medical Devices in the Operating Room Inspired by the Automotive Industry

    Prevailing trends in the automotive and medical device industry, such as life cycle overarching configurability, connectivity, and automation, require an adaptation of development processes, especially regarding the security and safety thereof. The changing requirements imply that interfaces are more exposed to the outside world, making them more vulnerable to cyberattacks or data leaks. Consequently, not only do development processes need to be revised, but cybersecurity countermeasures and a focus on safety, as well as privacy, have also become vital. While vehicles are especially exposed to cybersecurity and safety risks, the medical device industry faces similar issues. In the automotive industry, proposals and draft regulations exist for security-related risk assessment processes. The medical device industry, which has less experience in these topics and is more heterogeneous, may benefit from drawing inspiration from these efforts. We examined and compared current standards, processes, and methods in both the automotive and medical industries. Based on the requirements regarding safety and security for risk analysis in the medical device industry, we propose the adoption of methods already established in the automotive industry. Furthermore, we present an example based on an interoperable Operating Room table (OR table).

    Product Development within Artificial Intelligence, Ethics and Legal Risk

    This open-access book synthesizes a supportive developer checklist considering sustainable team and agile project management in the context of artificial intelligence and the limits of image recognition. The study is based on technical, ethical, and legal requirements, with examples concerning autonomous vehicles. As the first of its kind, it analyzes all reported car accidents statewide (1.28 million) over a 10-year period. The integration of highly sensitive international court rulings and growing consumer expectations makes this book a helpful guide for product and team development from initial concept until market launch.

    Automotive Mechatronic Safety Argument Framework

    A modern vehicle uses mechanical components under software control, referred to as mechatronic systems, to deliver its features. The software for these, and its supporting hardware, are typically developed according to the functional safety standard ISO 26262:2011. This standard requires that a safety argument is created that demonstrates that the safety requirements for an item are complete and satisfied by evidence. However, this argument only addresses the software and electronic hardware aspects of the mechatronic system, although safety requirements derived for these can also be allocated to the mechanical part of the mechatronic system. The safety requirements allocated to hardware and software also have a value of integrity assigned to them based on an assessment of the unmitigated risk. The concept of risk and integrity is expressed differently in the development of the mechanical components. In this thesis, we address the challenge of extending the safety argument required by ISO 26262 to include the mechanical components being controlled, thus creating a safety argument pattern that encompasses the complete mechatronic system. The approach is based on a generic model for engineering which can be applied to the development of the hardware, software and mechanical components. From this, a safety argument pattern has been derived which consequently can be applied to all three engineering disciplines of the mechatronic system. The harmonisation of the concept of integrity is addressed through the use of special characteristics. The result is a model-based assurance approach which allows an argument to be constructed for the mitigation of risk associated with a mechatronic system that encompasses the three engineering disciplines of the system. This approach is evaluated through interview-based case studies and the retrospective application of the approach to an existing four-corner air suspension system.

    Software Technologies - 8th International Joint Conference, ICSOFT 2013 : Revised Selected Papers
    Generation of model-based safety arguments from automatically allocated safety integrity levels

    To certify safety-critical systems, assurance arguments linking evidence of safety to appropriate requirements must be constructed. However, modern safety-critical systems feature increasing complexity and integration, which render manual approaches impractical to apply. This thesis addresses this problem by introducing a model-based method, with an exemplary application based on the aerospace domain. Previous work has partially addressed this problem for slightly different applications, including verification-based, COTS, product-line and process-based assurance. Each of the approaches is applicable to a specialised case and does not deliver a solution applicable to a generic system in a top-down process. This thesis argues that such a solution is feasible and can be achieved based on the automatic allocation of safety requirements onto a system's architecture. This automatic allocation is a recent development which combines model-based safety analysis and optimisation techniques. The proposed approach emphasises the use of model-based safety analysis, such as HiP-HOPS, to maximise the benefits towards the system development lifecycle. The thesis investigates the background and earlier work regarding construction of safety arguments, safety requirements allocation and optimisation. A method for addressing the problem of optimal safety requirements allocation is first introduced, using the Tabu Search optimisation metaheuristic. The method delivers satisfactory results that are further exploited for construction of safety arguments. Using the produced requirements allocation, an instantiation algorithm is applied onto a generic safety argument pattern, which is compliant with standards, to automatically construct an argument establishing a claim that a system's safety requirements have been met. This argument is hierarchically decomposed and shows how system and subsystem safety requirements are satisfied by architectures and analyses at low levels of decomposition. Evaluation on two abstract case studies demonstrates the feasibility and scalability of the method and indicates good performance of the algorithms proposed. Limitations and potential areas of further investigation are identified.

    Assuring Safety and Security

    Large technological systems produce new capabilities that allow innovative solutions to social, engineering and environmental problems. This trend is especially important in the safety-critical systems (SCS) domain, where we simultaneously aim to do more with the systems whilst reducing the harm they might cause. Even with the increased uncertainty created by these opportunities, SCS still need to be assured against safety and security risk and, in many cases, certified before use. A large number of approaches and standards have emerged; however, there remain challenges related to technical risk, such as identifying inter-domain risk interactions, developing safety-security causal models, and understanding the impact of new risk information. In addition, there are socio-technical challenges that undermine technical risk activities and act as a barrier to co-assurance; these include insufficient processes for risk acceptance, unclear responsibilities, and a lack of legal, regulatory and organisational structure to support safety-security alignment. A new approach is required. The Safety-Security Assurance Framework (SSAF) is proposed here as a candidate solution. SSAF is based on the new paradigm of independent co-assurance, that is, keeping the disciplines separate but having synchronisation points where required information is exchanged. SSAF is comprised of three parts: the Conceptual Model defines the underlying philosophy, and the Technical Risk Model (TRM) and Socio-Technical Model (STM) consist of processes and models for technical risk and socio-technical aspects of co-assurance. Findings from a partial evaluation of SSAF using case studies reveal that the approach has some utility in creating inter-domain relationship models and identifying socio-technical gaps for co-assurance. The original contribution to knowledge presented in this thesis is the novel approach to co-assurance that uses synchronisation points, explicit representation of a technical risk argument that argues over interaction risks, and a confidence argument that explicitly considers co-assurance socio-technical factors.

    Developing a distributed electronic health-record store for India

    The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India.

    Risk and safety management of autonomous systems: analysis of methods for use within the maritime industry

    Maritime autonomous systems pose many challenges to their designers. A fully autonomous vessel must be able to handle everyday navigation and propulsion in addition to an extensive list of other tasks such as cargo handling, emergency maneuvering, ship-ship and ship-shore communications, situational awareness, and much more. If such systems are to be implemented for the sake of increased safety, their operational risk and safety must be managed and assured. The goal of this thesis is to investigate how risk and safety of these systems can and should be managed. There are three categories of system modelling methods that can be used for this purpose. The oldest category is "sequential methods", followed chronologically by the most popular category, called "epidemiological methods", and then by the newest category, "systemic methods". This thesis contains an overview of the three categories, followed by a literature review that investigates the approaches to risk and safety management of autonomous systems that are taken within four transportation industries (aviation, railway, automotive, and maritime). Next are three SWOT analyses, one for each category of methods. For the role of autonomous maritime systems, the literature review and SWOT analyses indicate that STPA (a systemic method) is the optimal choice from the existing methods. This is because it is a comprehensive method that can handle complex socio-technical systems, such as those in question, while providing useful safety improvement recommendations. However, no single method is better than every other in all situations, and STPA presents certain limitations and drawbacks. First, it is very resource intensive, demanding long time investments from expert personnel. Second, because few data on the proposed systems exist, it is very difficult to conclusively recommend a suitable method. Therefore, if practitioners decide to employ STPA, they should be open to considering other methods in case they can yield better results. Finally, STPA (and other systemic methods) cannot currently yield accident probabilities. This means that STPA, in its current form, is unable to entirely satisfy the IMO's FSA, which is important for the future of autonomous ships. Conversely, the literature review and SWOT analyses indicate that methods that can satisfy the FSA are unsafe for this application. This is because they are too theoretically simplistic and not comprehensive enough to produce trustworthy results. To solve this issue, one of the following should take place: (a) STPA (or another systemic method) is augmented to include probabilistic abilities; (b) STPA (or another systemic method) is combined with a sequential method to achieve the benefits of both categories (e.g. comprehensive and probabilistic results); or (c) a new systemic method is created that provides the depth of analysis of STPA as well as the required probabilistic capabilities. However, barring the FSA issue, the enclosed analysis indicates that the optimal choice is a systemic method (specifically STPA) despite its heavy burden on resources. This may seem like a cavalier recommendation, but it is the most comprehensive method and it produces the most safety improvement recommendations, thereby making it the optimal choice. It is recommended that system analysis is performed from the design concept stage through to system operation, regardless of the method chosen. This is so that the analysis can be improved as more system data are produced. This thesis has been conducted in co-operation with Rowan Brown and Osiris Valdez Banda.