A controlled experiment for the empirical evaluation of safety analysis techniques for safety-critical software

Context: Today's safety critical systems are increasingly reliant on software. Software becomes responsible for most of the critical functions of systems. Many different safety analysis techniques have been developed to identify hazards of systems. FTA and FMEA are most commonly used by safety analysts. Recently, STPA has been proposed with the goal to better cope with complex systems including software. Objective: This research aimed at comparing quantitatively these three safety analysis techniques with regard to their effectiveness, applicability, understandability, ease of use and efficiency in identifying software safety requirements at the system level. Method: We conducted a controlled experiment with 21 master and bachelor students applying these three techniques to three safety-critical systems: train door control, anti-lock braking and traffic collision and avoidance. Results: The results showed that there is no statistically significant difference between these techniques in terms of applicability, understandability and ease of use, but a significant difference in terms of effectiveness and efficiency is obtained. Conclusion: We conclude that STPA seems to be an effective method to identify software safety requirements at the system level. In particular, STPA addresses more different software safety requirements than the traditional techniques FTA and FMEA, but STPA needs more time to carry out by safety analysts with little or no prior experience.Comment: 10 pages, 1 figure in Proceedings of the 19th International Conference on Evaluation and Assessment in Software Engineering (EASE '15). ACM, 201

Systems thinking for safety and security

The fundamental challenge facing security professionals is preventing losses, be they operational, financial or mission losses. As a result, one could argue that security professionals share this challenge with safety professionals. Despite their shared challenge, there is little evidence that recent advances that enable one community to better prevent losses have been shared with the other for possible implementation. Limitations in current safety approaches have led researchers and practitioners to develop new models and techniques. These techniques could potentially benefit the field of security. This paper describes a new systems thinking approach to safety that may be suitable for meeting the challenge of securing complex systems against cyber disruptions. Systems-Theoretic Process Analysis for Security (STPA-Sec) augments traditional security approaches by introducing a top-down analysis process designed to help a multidisciplinary team consisting of security, operations, and domain experts identify and constrain the system from entering vulnerable states that lead to losses. This new framework shifts the focus of the security analysis away from threats as the proximate cause of losses and focuses instead on the broader system structure that allowed the system to enter a vulnerable system state that the threat exploits to produce the disruption leading to the loss

How explicit are the barriers to failure in safety arguments?

Safety cases embody arguments that demonstrate how safety properties of a system are upheld. Such cases implicitly document the barriers that must exist between hazards and vulnerable components of a system. For safety certification, it is the analysis of these barriers that provide confidence in the safety of the system. The explicit representation of hazard barriers can provide additional insight for the design and evaluation of system safety. They can be identified in a hazard analysis to allow analysts to reflect on particular design choices. Barrier existence in a live system can be mapped to abstract barrier representations to provide both verification of barrier existence and a basis for quantitative measures between the predicted barrier behaviour and performance of the actual barrier. This paper explores the first stage of this process, the binding between explicit mitigation arguments in hazard analysis and the barrier concept. Examples from the domains of computer-assisted detection in mammography and free route airspace feasibility are examined and the implications for system certification are considered

System Theoretic Process Analysis: a literature survey on the approaches used for improving the safety in complex systems

Computer systems are becoming increasingly complex, specially interactive software systems, namely software user interfaces. The scientic community relies on dierent methods to assess their safety. This article provides an updated literature survey on hazard analysis approaches used to improve the safety of complex systems. To support the survey, we conceptualise complex systems, highlighting the challenge in terms of assessing their safety. We provide a brief overview on the approaches historically available to tackle issues in those systems, along with their most common methods. Finally, the article focuses in one method of a non-traditional approach, which is described in more details, along with some of its extensions, which seeks to improve the hazard analysis in complex systems

Systems-theoretic Safety Assessment of Robotic Telesurgical Systems

Robotic telesurgical systems are one of the most complex medical cyber-physical systems on the market, and have been used in over 1.75 million procedures during the last decade. Despite significant improvements in design of robotic surgical systems through the years, there have been ongoing occurrences of safety incidents during procedures that negatively impact patients. This paper presents an approach for systems-theoretic safety assessment of robotic telesurgical systems using software-implemented fault-injection. We used a systemstheoretic hazard analysis technique (STPA) to identify the potential safety hazard scenarios and their contributing causes in RAVEN II robot, an open-source robotic surgical platform. We integrated the robot control software with a softwareimplemented fault-injection engine which measures the resilience of the system to the identified safety hazard scenarios by automatically inserting faults into different parts of the robot control software. Representative hazard scenarios from real robotic surgery incidents reported to the U.S. Food and Drug Administration (FDA) MAUDE database were used to demonstrate the feasibility of the proposed approach for safety-based design of robotic telesurgical systems.Comment: Revise based on reviewers feedback. To appear in the the International Conference on Computer Safety, Reliability, and Security (SAFECOMP) 201

Idea-caution before exploitation:the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed

Towards Assurance for Plug & Play Medical Systems

Traditional safety-critical systems are designed and integrated by a systems integrator. The system integrator can asses the safety of the completed system before it is deployed. In medicine, there is a desire to transition from the traditional approach to a new model wherein a user can combine various devices post-hoc to create a new composite system that addresses a specific clinical scenario. Ensuring the safety of these systems is challenging: Safety is a property of systems that arises from the interaction of system components and it’s not possible to asses overall system safety by assessing a single component in isolation. It is unlikely that end-users will have the engineering expertise or resources to perform safety assessments each time they create a new composite system. In this paper we describe a platform-oriented approach to providing assurance for plug & play medical systems as well as an associated assurance argument pattern

Advancing Critical Care in the ICU: A Human-Centered Biomedical Data Visualization Systems

The purpose of this research is to provide medical clinicians with a new technology for interpreting large and diverse datasets to expedite critical care decision-making in the ICU. We refer to this technology as the medical information visualization assistant (MIVA). MIVA delivers multivariate biometric (bedside) data via a visualization display by transforming and organizing it into temporal resolutions that can provide contextual knowledge to clinicians. The result is a spatial organization of multiple datasets that allows rapid analysis and interpretation of trends. Findings from the usability study of the MIVA static prototype and heuristic inspection of the dynamic prototype suggest that using MIVA can yield faster and more accurate results. Furthermore, comments from the majority of the experimental group and the heuristic inspectors indicate that MIVA can facilitate clinical task flow in context-dependent health care settings

When Ambients Cannot be Opened

International audienceWe investigate expressiveness of a fragment of the ambient calculus, a formalism for describing distributed and mobile computations. More precisely, we study expressiveness of the pure and public ambient calculus from which the capability open has been removed, in terms of the reachability problem of the reduction relation. Surprisingly, we show that even for this very restricted fragment, the reachability problem is not decidable. At a second step, for a slightly weaker reduction relation, we prove that reachability can be decided by reducing this problem to markings reachability for Petri nets. Finally, we show that the name-convergence problem as well as the model-checking problem turn out to be undecidable for both the original and the weaker reduction relation. The authors are grateful to S. Tison and Y. Roos for fruitful discussions and thank the anony mous ferees for valuable comments. This work is supported by an ATIP grant from CNRS