    A controlled experiment for the empirical evaluation of safety analysis techniques for safety-critical software

    Context: Today's safety-critical systems are increasingly reliant on software, which has become responsible for most of the critical functions of such systems. Many different safety analysis techniques have been developed to identify system hazards; FTA and FMEA are the ones most commonly used by safety analysts. Recently, STPA has been proposed with the goal of better coping with complex systems, including software. Objective: This research aimed at quantitatively comparing these three safety analysis techniques with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master's and bachelor's students applying the three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision avoidance. Results: The results showed no statistically significant difference between the techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency. Conclusion: We conclude that STPA seems to be an effective method for identifying software safety requirements at the system level. In particular, STPA addresses more distinct software safety requirements than the traditional techniques FTA and FMEA, but it takes more time to carry out for safety analysts with little or no prior experience.
    Comment: 10 pages, 1 figure. In Proceedings of the 19th International Conference on Evaluation and Assessment in Software Engineering (EASE '15). ACM, 201

    Attack Modeling for System Security Analysis

    System Theoretic Process Analysis: a literature survey on the approaches used for improving the safety in complex systems

    Computer systems are becoming increasingly complex, especially interactive software systems, namely software user interfaces. The scientific community relies on different methods to assess their safety. This article provides an updated literature survey on the hazard analysis approaches used to improve the safety of complex systems. To support the survey, we conceptualise complex systems, highlighting the challenge of assessing their safety. We give a brief overview of the approaches historically available to tackle issues in such systems, along with their most common methods. Finally, the article focuses on one method from a non-traditional approach, STPA, which is described in more detail together with some of its extensions that seek to improve hazard analysis in complex systems.

    Communicating Processes with Data for Supervisory Coordination

    We employ supervisory controllers to safely coordinate the high-level discrete-event behavior of distributed components of complex systems. Supervisory controllers observe discrete-event system behavior, make a decision on the allowed activities, and communicate the control signals to the involved parties. Models of the supervisory controllers can be automatically synthesized from formal models of the system components and a formalization of the safe coordination (control) requirements. From the obtained models, code generation can be used to implement the supervisory controllers in software, on a PLC, or on an embedded (micro)processor. In this article, we develop a process theory with data that supports a model-based systems engineering framework for supervisory coordination. We employ communication to distinguish between the different flows of information, i.e., observation and supervision, whereas we employ data to specify the coordination requirements more compactly and to increase the expressivity of the framework. To illustrate the framework, we remodel an industrial case study involving the coordination of maintenance procedures of the printing process of a high-tech Océ printer.
    Comment: In Proceedings FOCLASA 2012, arXiv:1208.432
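The abstract above describes synthesizing a supervisor from component models plus a safety requirement. The following is an added example, not code from the article or from its process-theoretic framework; it uses the classic state-based (Ramadge-Wonham style) synthesis on a constructed two-component plant, a printer and a maintenance unit, with a hypothetical requirement that the printer must never be printing while maintenance is running. The component models, event names and the requirement are all assumptions made for the illustration. The point it shows is that an uncontrollable event (the printer becoming ready on its own) forces the supervisor to disable controllable events one step earlier than the requirement itself would suggest.

```python
"""Supervisor synthesis for a small discrete-event plant (Ramadge-Wonham style).

Components are finite automata (state -> event -> next state). The plant is
their synchronous product; the supervisor is the largest set of plant states
that (a) satisfy the safety requirement and (b) cannot reach a removed state
through an event the supervisor is not allowed to disable. In each surviving
state the supervisor enables exactly the events that stay inside that set.
"""
from itertools import product

# Constructed component models (not the printer case study of the article).
# The printer warms up after a print is started; 'ready' is decided by the
# hardware, so the supervisor cannot prevent it.
PRINTER = {
    "Idle": {"start_print": "Warming"},
    "Warming": {"ready": "Printing"},
    "Printing": {"print_done": "Idle"},
}
MAINT = {
    "Off": {"start_maint": "Running"},
    "Running": {"maint_done": "Off"},
}
CONTROLLABLE = {"start_print", "start_maint"}   # supervisor may disable these
# Everything else ('ready', 'print_done', 'maint_done') is uncontrollable.


def synchronous_product(components):
    """Plant automaton on tuple states. An event in a component's alphabet is
    only taken when that component can take it; other components stand still."""
    alphabets = [{e for trans in c.values() for e in trans} for c in components]
    plant = {}
    for state in product(*(c.keys() for c in components)):
        plant[state] = {}
        for event in set().union(*alphabets):
            target, enabled = [], True
            for i, comp in enumerate(components):
                if event not in alphabets[i]:
                    target.append(state[i])            # not involved: stays put
                elif event in comp[state[i]]:
                    target.append(comp[state[i]][event])
                else:
                    enabled = False                     # involved but blocked
                    break
            if enabled:
                plant[state][event] = tuple(target)
    return plant


def synthesize(plant, initial, is_safe, controllable):
    """Return (reachable supervised states, {state: sorted enabled events})."""
    allowed = {s for s in plant if is_safe(s)}
    changed = True
    while changed:                                      # controllability fixpoint
        changed = False
        for s in list(allowed):
            if any(ev not in controllable and t not in allowed
                   for ev, t in plant[s].items()):
                allowed.discard(s)
                changed = True
    # Keep only states actually reachable from the initial state under control.
    reach, stack = set(), ([initial] if initial in allowed else [])
    while stack:
        s = stack.pop()
        if s in reach:
            continue
        reach.add(s)
        stack.extend(t for t in plant[s].values() if t in allowed)
    control = {s: sorted(ev for ev, t in plant[s].items() if t in allowed)
               for s in reach}
    return reach, control


def printer_supervisor():
    """Hypothetical requirement: the printer must never be Printing while
    maintenance is Running."""
    plant = synchronous_product([PRINTER, MAINT])
    is_safe = lambda s: not (s[0] == "Printing" and s[1] == "Running")
    return synthesize(plant, ("Idle", "Off"), is_safe, CONTROLLABLE)


if __name__ == "__main__":
    reach, control = printer_supervisor()
    for state in sorted(reach):
        print(state, "->", control[state])
```

Running it shows that the state (Warming, Running) is removed even though it satisfies the requirement, because the uncontrollable `ready` event would carry the plant into the forbidden (Printing, Running); consequently `start_maint` is disabled in (Warming, Off) and `start_print` in (Idle, Running). The example enforces safety and controllability only; it does not check nonblockingness (that marked states remain reachable), which a full synthesis tool would add.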

    Advancing Critical Care in the ICU: A Human-Centered Biomedical Data Visualization Systems

    The purpose of this research is to provide medical clinicians with a new technology for interpreting large and diverse datasets in order to expedite critical-care decision-making in the ICU. We refer to this technology as the medical information visualization assistant (MIVA). MIVA delivers multivariate biometric (bedside) data through a visualization display by transforming and organizing it into temporal resolutions that provide contextual knowledge to clinicians. The result is a spatial organization of multiple datasets that allows rapid analysis and interpretation of trends. Findings from the usability study of the MIVA static prototype and the heuristic inspection of the dynamic prototype suggest that using MIVA can yield faster and more accurate results. Furthermore, comments from the majority of the experimental group and from the heuristic inspectors indicate that MIVA can facilitate clinical task flow in context-dependent health care settings.

    Rodent Habitat on ISS: Advances in Capability for Determining Spaceflight Effects on Mammalian Physiology

    Rodent research is an essential tool for advancing biomedical discoveries in the life sciences on Earth and in space. The National Research Council's Decadal Survey (1) emphasized the importance of expanding NASA's life sciences research to perform long-duration rodent experiments on the International Space Station (ISS). To accomplish this objective, new flight hardware, operations, and science capabilities were developed at NASA ARC to support commercial and government-sponsored research. The flight phases of two separate spaceflight missions (Rodent Research-1 and Rodent Research-2) have been completed and new capabilities are in development. The first flight experiments, carrying 20 mice, were launched on Sept 21, 2014 in an unmanned Dragon capsule, SpaceX-4; Rodent Research-1 was dedicated to achieving both NASA validation and CASIS science objectives, while Rodent Research-2 extended the period on orbit to 60 days. Ground-based control groups (housed in flight hardware or in standard cages) were maintained in environmental chambers at Kennedy Space Center. Crew members previously trained in animal handling transferred the mice from the Transporter into Habitats under simultaneous veterinary supervision by video streaming, and the mice were deemed healthy. Health and behavior of all mice on the ISS were monitored daily by video feed, and post-flight quantitative analyses of behavior were performed. The 10 mice from the RR-1 Validation group (16 wk old female C57BL/6J) ambulated freely and actively throughout the Habitat, relying heavily on their forelimbs for locomotion. The first on-orbit dissections of mice were performed successfully, and high-quality RNA (RIN values > 9) and liver enzyme activities were obtained, validating the quality of sample recovery. Post-flight sample analysis revealed that body weights of flight (FLT) animals did not differ from those of ground controls (GC) housed in the same hardware or of vivarium controls (VIV) housed in standard cages. Organ weights analyzed post-flight showed no differences between FLT and GC groups in adrenal gland and spleen weights, whereas FLT thymus and liver weights exceeded those of GC. Minimal differences between the control groups (GC and VIV) were observed. In addition, over 3,000 aliquots collected post-flight from the four groups of mice were deposited into the Ames Life Science Data Archive for the Biospecimen Sharing Program and the GeneLab project. New capabilities recently developed include DEXA scanning, grip strength tests and male mice. In conclusion, a new capability for long-duration habitation of group-housed rodents was developed that includes in-flight sample collection, thus avoiding the complication of reentry. Results obtained to date reveal the possibility of striking differences between the effects of short-duration and long-duration spaceflight. This Rodent Research system enables achievement of both basic science and translational research objectives to advance human exploration of space.

    Rodent Research Development for Long Duration Studies on the International Space Station

    Rodent research in space is needed to advance our understanding of the health risks, consequences and possible countermeasures to protect crew during future long-duration missions. The Animal Enclosure Module (AEM) was designed originally to support habitation of rats and mice on relatively short-duration Shuttle missions (<19 days). The AEM was flown previously on 27 Space Shuttle missions and was recently modified extensively to support future long-duration space biology and biomedical research on the International Space Station (ISS). In consultation with a Science Working Group comprised of veterinarians and investigators experienced in rodent spaceflight experimentation, the Rodent Habitat project team at Ames Research Center modified existing hardware, developed new hardware, operations, and science activities, and performed a series of ground-based operational and science habitat verification tests in preparation for the first validation flight.

    Advances in Rodent Research Missions on the International Space Station

    A research platform for rodent experiments on the ISS is an essential tool for advancing biomedical research in space. Rodent Research allows experiments of much longer duration than experiments on the Shuttle. NASA's Rodent Research (RR)-1 mission was successfully completed, including post-flight analysis, and achieved a number of objectives including validation of the flight hardware, on-orbit operations, and science capabilities developed at the NASA Ames Research Center. Briefly, twenty C57BL/6J adult female mice were launched on the SpX-4 Dragon vehicle and thrived for up to 37 days in microgravity. Daily health checks of the mice were performed during the mission via downlinked video; all animals were healthy and displayed normal behavior without any significant signs of stress. Behavioral analysis demonstrated that Flight and Ground Control mice exhibited the same range of behaviors, including eating, drinking, exploratory behavior, self- and allo-grooming, and social interactions indicative of healthy animals. The animals were euthanized and select tissues were collected from some of the mice on orbit to assess the long-term sample storage capabilities of the ISS. The data obtained from the flight mice were comparable to those from the 3 groups of control mice (baseline, vivarium and ground controls), suggesting that the ISS has adequate capability to support long-duration rodent experiments. We recovered over 35 tissues from 40 RR-1 frozen carcasses, yielding over 3200 tissue aliquots, and distributed them to the scientific community, including NASA's GeneLab and scientists in the U.S., through the Biospecimen Sharing Program via the Ames Life Science Data Archive. Tissues were also distributed to Russian research colleagues at the Institute for Biomedical Problems. The expression levels of select genes, including albumin, catalase, GAPDH, HMG-CoA reductase, and IGF1, were determined by qPCR using RNA isolated from the livers, and no significant differences between flight and ground control groups were found by one-factor ANOVA. In addition, some of the liver samples were subjected to transcriptomics, epigenomics and proteomics. The data are now available to the scientific community through GeneLab's open science data website. Since the RR-1 mission, another long-duration mission (Rodent Research-2) was completed on the ISS in 2015, in which 20 female C57BL/6J mice were successfully maintained on the ISS for varying time points, with the last group of 5 animals being on orbit for 54 days. This second Rodent Research flight expanded the program's capabilities with the introduction of new technologies including blood collection and separation and bone densitometry scanning. Furthermore, we have continued to expand the ISS's capabilities by running a series of ground-based verification tests using male mice. Our next step is to fly male mice for Rodent Research-4 on SpaceX-10 to study the effects of microgravity on bone healing and regeneration. It will be the first long-duration mission using male mice in the Rodent Hardware. In addition, the number of mice will increase from 20 (on RR-1 and RR-2) to 40 for RR-4. When samples return to Earth, a number of tissues will be dissected from the frozen carcasses and select tissue samples will become available to the scientific community via the BSP. Altogether, we have continued to expand our capabilities for performing long-duration missions on the ISS, as emphasized in the National Research Council's Decadal Survey released in 2011, and to maximize the science return from each mission.

    Protocol Techniques for Testing Radiotherapy Accelerators

    The nature of radiotherapy accelerators is briefly explained. It is argued that these complex safety-critical systems need a systematic basis for testing their software. The paper describes a novel application of protocol specification and testing methods to radiotherapy accelerators. An outline specification of the accelerator control system is given in LOTOS (Language Of Temporal Ordering Specification). It is completely infeasible to use this directly for test generation. Instead, specification inputs are restricted using annotations in a Parameter Constraint Language. This is automatically translated into LOTOS and combined with the accelerator specification. It then becomes manageable to automatically generate tests of the actual accelerator that check whether it agrees with its specification according to the relation ioconf (input-output conformance). Sample input annotations, their translation to LOTOS, and the resulting test cases are described.
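The conformance relation named above, ioconf, says that an implementation conforms to its specification when, after every trace of the specification, the implementation produces no output the specification would not produce, counting quiescence (no output at all) as an observable output. The following is an added example, not code or a specification from the paper and not LOTOS: a small labelled-transition-system checker for ioconf, run against a constructed toy beam-control dialogue. The states, labels (`?select_dose`, `!beam_started`, and so on), the specification and the three implementations are all assumptions made for the illustration; a real accelerator specification would be far larger, which is exactly why the paper restricts inputs before generating tests.

```python
"""Input-output conformance (ioconf) of an implementation against its
specification, both modelled as labelled transition systems over input and
output actions:  i ioconf s  iff  for every trace sigma of s,
out(i after sigma) is a subset of out(s after sigma),
where out() includes quiescence (delta) for states with no enabled output.
"""

DELTA = "delta"  # pseudo-output: the state is quiescent (no output enabled)


class IOLTS:
    """Labelled transition system with disjoint input (?x) and output (!x) labels."""

    def __init__(self, initial, inputs, outputs, transitions):
        self.initial = initial
        self.inputs = frozenset(inputs)
        self.outputs = frozenset(outputs)
        self.trans = {}  # (state, label) -> set of successor states
        for src, label, dst in transitions:
            assert label in self.inputs or label in self.outputs, label
            self.trans.setdefault((src, label), set()).add(dst)

    def step(self, states, label):
        return set().union(*(self.trans.get((s, label), set()) for s in states))

    def after(self, sigma):
        states = {self.initial}
        for label in sigma:
            states = self.step(states, label)
        return states

    def out(self, states):
        """Outputs enabled in some state of the set; delta for quiescent states."""
        outs = set()
        for s in states:
            enabled = {o for o in self.outputs if (s, o) in self.trans}
            outs |= enabled or {DELTA}
        return outs

    def traces(self, max_len):
        """Every trace of length <= max_len, shortest first."""
        result, frontier = [()], [((), {self.initial})]
        for _ in range(max_len):
            nxt = []
            for sigma, states in frontier:
                for label in sorted(self.inputs | self.outputs):
                    succ = self.step(states, label)
                    if succ:
                        nxt.append((sigma + (label,), succ))
                        result.append(sigma + (label,))
            frontier = nxt
        return result


def ioconf(impl, spec, max_len=8):
    """Return the (trace, unexpected outputs) pairs that violate ioconf, or []
    when impl conforms to spec for all specification traces up to max_len.
    Assumes impl accepts every input the spec traces contain."""
    failures = []
    for sigma in spec.traces(max_len):
        extra = impl.out(impl.after(sigma)) - spec.out(spec.after(sigma))
        if extra:
            failures.append((sigma, extra))
    return failures


# Constructed toy specification (not from the paper) of a beam-control dialogue:
# a dose must be selected and confirmed before the beam may be switched on.
INPUTS = {"?select_dose", "?beam_on", "?beam_off"}
OUTPUTS = {"!dose_set", "!beam_started", "!beam_stopped"}
SPEC_TRANS = [
    ("s0", "?select_dose", "s1"), ("s1", "!dose_set", "s2"),
    ("s2", "?beam_on", "s3"), ("s3", "!beam_started", "s4"),
    ("s4", "?beam_off", "s5"), ("s5", "!beam_stopped", "s0"),
]
SPEC = IOLTS("s0", INPUTS, OUTPUTS, SPEC_TRANS)

# Conforming: silently ignores a premature ?beam_on (extra input behaviour is
# permitted; only outputs are compared).
GOOD = IOLTS("s0", INPUTS, OUTPUTS, SPEC_TRANS + [("s0", "?beam_on", "s0")])
# Unsafe: may start the beam straight after dose selection, unrequested.
UNSOLICITED = IOLTS("s0", INPUTS, OUTPUTS, SPEC_TRANS + [("s1", "!beam_started", "s4")])
# Faulty: never reports the beam started, i.e. is quiescent where an output is due.
SILENT = IOLTS("s0", INPUTS, OUTPUTS, [t for t in SPEC_TRANS if t[1] != "!beam_started"])


def run_examples():
    """ioconf verdicts for the three constructed implementations."""
    return {name: ioconf(lts, SPEC)
            for name, lts in [("good", GOOD), ("unsolicited", UNSOLICITED), ("silent", SILENT)]}


if __name__ == "__main__":
    for name, fails in run_examples().items():
        verdict = "conforms" if not fails else f"fails after {fails[0][0]}: {sorted(fails[0][1])}"
        print(f"{name}: {verdict}")
```

The two failing cases show the two ways an output-based check catches unsafe behaviour: an unrequested output (`!beam_started` right after `?select_dose`) and a missing one (quiescence, reported as `delta`, where `!beam_started` was required). Test generation in the paper's setting amounts to choosing which specification traces to drive the real accelerator through and applying the same output comparison at each step; the bounded trace enumeration here stands in for the restricted input annotations the paper uses to make that tractable.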

    When Ambients Cannot be Opened

    We investigate the expressiveness of a fragment of the ambient calculus, a formalism for describing distributed and mobile computations. More precisely, we study the expressiveness of the pure and public ambient calculus from which the capability open has been removed, in terms of the reachability problem for the reduction relation. Surprisingly, we show that even for this very restricted fragment, the reachability problem is not decidable. In a second step, for a slightly weaker reduction relation, we prove that reachability can be decided by reducing this problem to marking reachability for Petri nets. Finally, we show that the name-convergence problem as well as the model-checking problem turn out to be undecidable for both the original and the weaker reduction relation. The authors are grateful to S. Tison and Y. Roos for fruitful discussions and thank the anonymous referees for valuable comments. This work is supported by an ATIP grant from CNRS.