8/16/2019 IJCS_2016_0302017.pdf
158 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016
International Journal of Computer Systems (ISSN: 2394-1065), Volume 03 – Issue 02, February, 2016
Available at http://www.ijcsonline.com/
A Systems-Theoretic Approach to the Safety Analysis in Medical Cyber-Physical Systems
B. Umamaheswararao (A), P. Seetharamaiah (B)
(A) Dept. of CSE, Indo American Institutions Technical Campus, Sankaram, Anakapalle, Visakhapatnam, India
(B) Department of CS & SE, Andhra University, Visakhapatnam, India
Abstract
Software for a Medical Cyber-Physical System (MCPS) must deal with the hazards recognized by safety analysis in order to make the system secure, risk-free and fail-safe. Computer-based bio-electronic systems are used to replace damaged human functions: the Bionic ear for hearing loss, the Bionic eye for loss of sight, the Deep Brain Stimulator for illnesses of the mind, and the Bionic arm for arm prostheses. The aim of this paper is to investigate a systems-based design approach to modeling software safety in MCPS and to reduce the probability of unsafe system conditions through a variety of management, organizational and technical measures. There is currently no formal methodology to test and verify the correct operation of medical device software within the closed-loop context of the patient. To address this problem, we use three analysis methods, Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and System-Theoretic Process Analysis (STPA), to identify potentially hazardous software faults and to develop software safety for the Control Software for Clinical Programming (CSCP), a medical device software; we also discuss the safety properties of clinical programming software. The Systems-Theoretic Accident Model and Processes (STAMP) is used to find the hazards and to guide the control structure over those hazards. We applied the analysis methods to a CPS and propose an approach for software safety in safety-critical medical cyber-physical systems. The approach was applied to the CSCP of a cochlear implant system (CIS). Developing a cyber-physical system on this basis provides enhanced safety of the software's operation. Finally, we describe the implementation of all modules of the CSCP software. A custom-built Database Application (DA) for the medical development of the Bionic ear was developed in the Visual Studio environment using an MS-Access database. In this paper, STAMP is presented in the MCPS hazard analysis process through a case study example. We examine the CSCP of the CIS and apply a systems-theoretic approach, taking both physical and cyber components into account, to deal with the potential hazards that occur in the system. We show how this strategy is capable of determining software hazards in an MCPS and provides practical new requirements and design decisions that MCPS designers can use in building a safe MCPS.
Keywords: Medical Cyber-Physical System, software safety, closed-loop system, Control Software for Clinical Programming, Cochlear Implant System.
I. INTRODUCTION
A Cyber-Physical System (CPS) is a co-engineered, communicating system of physical and computational components. MCPS are safety-critical, connected, intelligent systems of medical devices. The current accident models in the health field are limited in capturing the main aspects that influence the safety level of these infrastructures, such as organizational factors, human and software errors, systemic accidents and risk migration [1]. A new type of accident model, the System-Theoretic Accident Model and Processes (STAMP), has recently been proposed by Nancy Leveson [2] and fulfils the requirements of medical device safety.
These objectives result in better control software quality for medical cyber-physical systems and in a faster, more structured design. a) The essential goal of this paper is to support a safety-driven design process (physical, operational, organizational) for medical cyber-physical systems: hazard analysis impacts and shapes early design choices, and the hazard analysis is iterated and refined as the design advances. b) The second objective is to show that safety analysis for a medical cyber-physical system can be done in a top-down way in the architecture design phase combined with STPA; this applies a systems-theoretic approach to identify hazards and safety requirements in MCPS. c) The third objective is to reduce the probability of unsafe system conditions through a variety of management, organizational and technical measures, and to keep the system functioning even when one or more faults occur. The remainder of this paper is organized as follows. Section 2 reviews the related literature. Section 3 describes the closed-loop system from different aspects. Section 4 gives an overview of the CSCP of the CIS. Section 5 discusses the case study for this approach. Finally, Section 6 presents conclusions.
II. RELATED TECHNIQUES FOR SAFETY ANALYSIS IN MCPS
Traditionally, safety has been viewed as a failure problem. Because the primary cause of injuries in older systems was component failure, hazard analysis methods and safety design methods concentrated on determining critical components and either avoiding their failure or providing redundancy to minimize the effects of component failure. Here we use the sequence-of-events accident model and
Fig. 2 Medical devices closed-loop system
The CSCP of the CIS includes the following aspects of the safety protection function: patient registration, impedance measurement, CSCP software self-checking, programming the DSPS, and adjusting TCL and MCL values. The control system consists of a monitor module and a control module. We start from hazard identification through requirements analysis. Here we consider only one of the main hazards arising from the CSCP of the CIS: the system reports erroneous patient results to the user. The design process should then proceed by refining the safety requirements to a lower level.
Fig. 3 CSCP of CIS Architecture model
Safety constraints are used to recognize the safe and unsafe states of a system. They are derived from the hazards described in the system specification. The successful design and administration of safety constraints improves program safety. In STAMP, these constraints are used to produce the program specifications that are compulsory to maintain program safety.
A. Systems-Theoretic Process Analysis (STPA)
STPA is a new hazard analysis technique based on STAMP. It uses a collection of interacting control loops to evaluate systems. It can be used at any stage of the system lifecycle, from before design to after implementation. The STPA technique proceeds through the following steps: define system hazards and related safety constraints, develop the safety control structure for the closed-loop system, recognize potentially inadequate control actions, and determine how potentially inadequate control actions could happen.
B. Causal Analysis using System Theory (CAST)
CAST analyzes the control structure dynamics for accident analysis. The CAST methodology proceeds through the following steps: identify the system and the accident (loss), identify the hazards involved in the accident (loss), identify the proximal events (near the time of the accident), draw the safety control structure, and analyze the physical system and the controllers.
IV. OVERVIEW OF THE CSCP OF CIS SYSTEM
The Cochlear Implant System (CIS) has three hardware modules: Impedance Telemetry Monitoring System (ITMS), Digital Speech Processor System (DSPS), and Implantable Receiver Stimulator (IRS).
A. Impedance Telemetry Monitoring System (ITMS)
ITMS is used to find the active electrodes of the 12-electrode array and their respective TCL (Threshold Comfort Level) and MCL (Most Comfortable Level). The ITMS is designed on a programmable logic device, an FPGA (Field Programmable Gate Array). The hardware modules identified to develop the FPGA-based ITMS are the FPGA module, an ASK (Amplitude Shift Keying) modulated RF transmitter, and an LSK (Load Shift Keying) demodulated RF receiver. The ITMS sends the impedance request to the IRS (Implantable Receiver Stimulator) and receives the impedance values together with their electrode or channel numbers. The FPGA is used as the central processing unit to send requests and receive impedance values, and an LCD is used to display the measured impedance values against electrode numbers. The function of the ITMS is to measure electrode impedances and the neural response of a patient through stimulation and recording of electrical signals, which can facilitate device fitting and parameter adjustment.
B. Digital Speech Processor System (DSPS)
DSPS receives external sound or speech and generates encoded speech data bits for transmission to the IRS via a radio-frequency link, to excite the electrode array, by continuously executing the speech processing program embedded in the DSPS.
C. Implantable Receiver Stimulator (IRS)
The IRS stimulates the auditory nerve system with the help of an electrode array placed inside the cochlea of the deafened person. The IRS receives directions from the speech processor by way of magnetic induction sent from the transmitter, and the IRS also receives its power through this transmission.
D. CSCP software functional operations
The CSCP software is designed for the DSPS and ITMS and is used by an audiologist to perform the post-operative fitting procedure for better recognition of sound. The program contains multiple functional modules such as patient information management, UART settings, impedance measurement, fitting and mapping. The software is designed under VB.NET 2008 with an MS Access database. The designed database tables record patient basic information, medical record, evaluation of hearing abilities, evaluation of speech and language status, rehabilitation status, evaluation of psychological status, medical and audiological evaluation, processor programming, specific training with processor accessories, and so on.
Initially, the CSCP software starts with audiologist registration and then proceeds to patient registration. Whenever the CSCP displays "invalid details please input all the required details", the CSCP software process is stopped
and the user returns to the registration process. Whenever the ITMS module is loaded, it reads the impedance values from the impedance database table, if available, displays each channel's resistance value in the corresponding textbox, and also plots the resistance values in the chart control. If the resistance values are not yet stored, it displays the error message "insufficient recipient data please try again". The impedance measurement module displays the impedance values, if the audiologist has already measured the patient's impedance values, both in normal text form and as a graphical representation. If the impedance values are not available, it displays null values. Whenever the fitting module is loaded, it reads the impedance values from the impedance table, displays them in the corresponding textboxes of each channel, and creates a new row in the mapping table with default values of TCL and MCL.
V. STPA ANALYSIS OF CSCP OF CIS SYSTEM
The system objectives here are defined as follows: allow the system to reduce the probability of unsafe system conditions through a variety of physical, organizational and cyber measures; provide automatic capture of accidents resulting from component interaction, not just failures; and provide automatic patient protection. The accident is defined as: the patient is killed or seriously injured.
A. System Hazard Identification
A safety-driven design should start with identifying accidents and then defining the system hazards that would cause these accidents to occur. Accidents can here be defined as undesired or unplanned events that result in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. [8]. Hazards can be defined as system states or sets of conditions that, together with a particular set of hazardous conditions, will lead to an accident [8]. A hazard is a state of the system that, when it interacts with other conditions in the system's environment, leads to an accident [9]. The system-level hazards relevant to this definition of an accident include:
TABLE 1. IDENTIFIED HAZARDS IN CSCP OF CIS
Hazard (H)
H1 System reports fake patient's results to the user.
H2 The system reports the patient's required results from the controller too late.
H3 The system asks for wrong operations by hazard.
H4 Commands for volume exceeding the patient's impedance, THL, MCL are sent to the DSPS.
H5 Wrong patient's treatment history retrieved.
H6 Current treatment profile appended to wrong patient's record.
H7 Identifying incorrect electrode failure in impedance module.
H8 Measurements of impedance values are incorrect.
H9 Wrong calculation of active electrode values.
H10 Faulty decision in CSCP software regarding ITMS malfunctioning.
H11 Identification of active electrodes is wrong regarding ITMS malfunctioning.
H12 Release of incorrect volume.
H13 Incorrect calculation of THL, MCL values, volume delivered to wrong location.
H14 Incorrect calculation of THL, MCL values, volume too high.
H15 Finding THL, MCL for failed electrodes.
H16 Communication failure between CSCP and DSPS or ITMS.
The H1 hazard, reporting erroneous patient results, is clinically significant and can lead to medical accidents. H2 is the hazard where the system reports the correct patient results but too late for use; such a delay may have medical consequences. H3 is the hazard where the system executes operations requested by a hazard rather than by the operators. Running centrifuges at the highest speed and switching their speed to the lowest without considering the speed requested by the operator is an example of such a hazard. These hazards are not recognized by the controllers in the system, as such hazards hide the actual situation from the controllers, imposing another hazard.
B. System Safety Constraint and safety Requirements
After the system hazards are defined, they should be translated into the corresponding safety constraints, which are restrictions on how the system can achieve its purpose.
TABLE 2. SAFETY CONSTRAINTS AND REQUIREMENTS
Hazard | Safety constraints (SC) | Safety Requirements (SR)
H1 | SC1: Correct patient results must be reported to the Audiologist. | SR1: The system shall ensure correct patient result reporting based on existing standards for each user.
H2 | SC2: Patient results must be reported to the Audiologist in a usable time frame. | SR2: The system shall have a patient result report turn-around-time of X.
H3 | SC3: The system must only perform operations requested by a legitimate operator. | SR3: The system shall make sure that only genuine functions are executed.
For the purpose of the case study, the hazard that will be analyzed is H1. The system reporting erroneous patient results to the medical staff is the hazard that led to the medical casualty and the subsequent case accident.
C. System Control Structure
Once the hazards and related safety constraints have been defined, a typical socio-technical hierarchical structure with safety control processes, called the hierarchical safety control structure, should be described. The next step is to develop the safety control structure for the system. The main work in defining this control structure involves identifying the responsibilities of each component or sub-system as well as all their relationships. It should be in compliance with the System Design Specification. Hierarchical safety control structures can be very complex, so when analyzing different hazards only part of the overall structure is considered as the object and the rest is treated as environmental factors. The next step is to investigate the control loops. The main purpose of analyzing control loops is to find violations of safety constraints that may be caused by other interacting control loops.
Fig. 4 CSCP sample process in control structure
D. High Level Hazard Analysis using STPA
The STPA process is used to analyze each of the high-level hazards. The two steps of STPA are identifying unsafe control of the system and determining how these control actions could occur. A controller can provide unsafe control in the following four ways: 1) a control action is not provided, missing or not followed; 2) a control action is provided but is wrongly provided; 3) a control action is provided at the wrong time, earlier or later than required, or out of sequence with other control actions; 4) for a control action that is a continuous signal, the control action is stopped too early or applied too long.
For each hazard analysis, tables are first created listing all the unsafe control actions provided by controllers according to the four ways identified above. Then causal factors are considered in three general categories: (1) the controller operation, (2) the behavior of actuators and controlled processes, and (3) communication and coordination among controllers and decision makers.
After the system-level safety control structure has been defined, the next step is to identify the potential for inadequate control, which may drive the system into a hazardous state. STPA is a systemic method for hazard analysis: it considers hazards and causes in a systemic way rather than only on the basis of component failures or failure events. At this level, the CSCP becomes a controller for two lower controlled processes, the ITMS controller and the DSPS controller. The CSCP controller maintains the overall system and the ITMS and DSPS data processing. The ITMS control process monitors and records active impedance values from patient samples. The DSPS control process controls the volume of the system and sends the volume information to the patient.
TABLE 3. UNSAFE CONTROL ACTIONS
Control action | Required action not provided | Unsafe action provided | Incorrect timing/order: too early | Incorrect timing/order: too late | Control action stops too soon / applied too long
Patient status signal | Catastrophic: wrong patient info determination | Catastrophic: wrong patient info determination | Not a hazard (N/A) | Catastrophic: wrong patient info determination, system hang and acknowledgement time | Not a hazard (N/A)
CSCP -> DSPS: command normal | Catastrophic: wrong determination of patient information, PL values, filter coefficients | Catastrophic: wrong patient info and impedance values determination | N/A | Catastrophic: wrong patient info determination, system hang and acknowledgement time | Not a hazard (N/A)
ITMS -> CSCP: provide impedance values | Catastrophic: incorrect values are gathered | Not a hazard (N/A) | Catastrophic: incorrect values are gathered | Catastrophic: network dropout | N/A
Volume release | High system volume | Must be done assured | Must be done before opening the system and after isolating | | Too high volume in the system
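The four unsafe-control-action types of Section V.D applied to two rows of Table 3 ("provide impedance values" and "volume release"), as an added example that is not code from the paper: it screens a constructed CSCP/ITMS/DSPS message log and reports each finding under its UCA type. The turnaround deadline (the paper leaves its "X" unspecified), the volume-release duration limits, the message names and the log are all assumptions.

```python
"""UCA screening of a CSCP control-action log (added example, not the paper's code)."""
from collections import Counter
from dataclasses import dataclass

TURNAROUND_S = 5.0     # ASSUMED stand-in for the paper's turn-around-time "X" (SR2)
MIN_RELEASE_S = 1.0    # ASSUMED minimum duration of a volume release
MAX_RELEASE_S = 10.0   # ASSUMED maximum duration of a volume release
NUM_ELECTRODES = 12    # electrode array size stated in Section IV.A

# The four UCA types of Section V.D; timing split into early/late, stopping into soon/long.
NOT_PROVIDED = "required action not provided"
UNSAFE_PROVIDED = "unsafe action provided"
TOO_EARLY = "incorrect timing/order: too early"
TOO_LATE = "incorrect timing/order: too late"
STOPPED_TOO_SOON = "control action stopped too soon"
APPLIED_TOO_LONG = "control action applied too long"
ALL_TYPES = (NOT_PROVIDED, UNSAFE_PROVIDED, TOO_EARLY, TOO_LATE, STOPPED_TOO_SOON, APPLIED_TOO_LONG)


@dataclass(frozen=True)
class Event:
    t: float          # seconds since session start
    src: str          # CSCP, ITMS or DSPS
    dst: str
    action: str
    patient: str
    kohm: tuple = ()  # per-channel impedance values, only on provide_impedance


def screen_impedance_loop(events):
    """Findings for the 'ITMS -> CSCP: provide impedance values' control action."""
    findings = []
    pending = {}  # patient id -> time of the CSCP request still awaiting a reply
    for e in sorted(events, key=lambda x: x.t):
        if e.action == "request_impedance" and e.src == "CSCP" and e.dst == "ITMS":
            pending[e.patient] = e.t
        elif e.action == "provide_impedance" and e.src == "ITMS" and e.dst == "CSCP":
            if e.patient in pending:
                if e.t - pending.pop(e.patient) > TURNAROUND_S:
                    findings.append((TOO_LATE, f"reply for {e.patient} at t={e.t} exceeded turnaround"))
            elif pending:
                # reply for a patient nobody asked about: Table 3 "wrong patient info"
                findings.append((UNSAFE_PROVIDED, f"reply for {e.patient} while {sorted(pending)} pending"))
            else:
                findings.append((TOO_EARLY, f"unsolicited reply for {e.patient} at t={e.t}"))
            if len(e.kohm) != NUM_ELECTRODES or any(v <= 0 for v in e.kohm):
                # Table 3: "incorrect values are gathered"
                findings.append((UNSAFE_PROVIDED, f"malformed impedance set for {e.patient} at t={e.t}"))
    for patient, t_req in pending.items():
        findings.append((NOT_PROVIDED, f"request for {patient} at t={t_req} never answered"))
    return findings


def screen_volume_release(events):
    """Findings for the continuous 'volume release' action (CSCP -> DSPS)."""
    findings = []
    started = None
    for e in sorted(events, key=lambda x: x.t):
        if e.src != "CSCP" or e.dst != "DSPS":
            continue
        if e.action == "volume_release_start":
            started = e.t
        elif e.action == "volume_release_stop" and started is not None:
            held = e.t - started
            if held < MIN_RELEASE_S:
                findings.append((STOPPED_TOO_SOON, f"release held only {held}s"))
            elif held > MAX_RELEASE_S:
                findings.append((APPLIED_TOO_LONG, f"release held {held}s: Table 3 'too high volume'"))
            started = None
    if started is not None:
        findings.append((APPLIED_TOO_LONG, f"release started at t={started} never stopped"))
    return findings


def screen(events):
    return screen_impedance_loop(events) + screen_volume_release(events)


def count_by_type(findings):
    """Counter containing every UCA type (zero where nothing was found)."""
    counts = Counter({k: 0 for k in ALL_TYPES})
    counts.update(kind for kind, _ in findings)
    return counts


OK_SET = tuple([8.0] * NUM_ELECTRODES)
# Constructed session log (not from the paper); comments give the expected finding.
SAMPLE_LOG = [
    Event(0.0, "CSCP", "ITMS", "request_impedance", "P-001"),
    Event(2.0, "ITMS", "CSCP", "provide_impedance", "P-001", OK_SET),        # in time
    Event(5.0, "ITMS", "CSCP", "provide_impedance", "P-001", OK_SET),        # unsolicited repeat
    Event(10.0, "CSCP", "ITMS", "request_impedance", "P-002"),
    Event(18.0, "ITMS", "CSCP", "provide_impedance", "P-002", OK_SET[:11]),  # late and 11 channels
    Event(20.0, "CSCP", "ITMS", "request_impedance", "P-003"),
    Event(21.0, "ITMS", "CSCP", "provide_impedance", "P-004", OK_SET),       # wrong patient
    Event(30.0, "CSCP", "DSPS", "volume_release_start", "P-001"),
    Event(45.0, "CSCP", "DSPS", "volume_release_stop", "P-001"),             # held 15 s
]

if __name__ == "__main__":
    for kind, detail in screen(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```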
E. Identify how the safety constraints could be violated
After hazards have been identified, the following step should identify causal factors, which are very useful for figuring out mitigating features against the hazard. Because hazards result from inadequate control and enforcement of safety constraints, the causal factors can be understood in terms of control flaws. Figure 4.3 shows a classification of control flaws leading to hazards. The safety control structure diagram is evaluated using this classification of control flaws. Note that not all the control flaws will contribute to the hazard, which means that not all the control flaws become causal factors; it depends on the case. Here, hazard H1 is selected to be analyzed first.
Fig. 5 Causal factors leading to hazard h1
Using the above framework for the STPA analysis, the intent is to identify the hazards that led to the case accident. The focus of the analysis is H1: accurate patient results must be reported to the audiologist at all times, since this was the catalyst for the FDA recall. The hazards identified for the case accident will serve as the driver for the design requirements generated in the next section. Furthermore, during the STPA analysis, additional hazards that could lead to other accidents will be documented for the purpose of comparing them against the original set of hazards identified by the standard FMECA methodology.
(i) Control Input or external information wrong or missing
The safety constraints may be inadequately enforced due to the following scenarios:
Input command missing to initiate impedance measurement process
Input command execution too early to initiate impedance measurement process
Input command execution too late to initiate impedance measurement process
Wrong input command to initiate impedance measurement process
Incorrect input command to initiate impedance measurement process
Inadequate digital data input
Missing digital data input
Input command missing to initiate data transfer process
Inadequate digital data input
Input command missing to initiate data conversion process
Input command execution too early
Input command execution too late
Inadequate digital data input
Missing digital data input
Input command missing to initiate data transfer process
(ii) Inadequate Control Algorithm of CSCP system
Scenarios that may violate the safety constraints belonging to this classification are:
Inadequate algorithm for acquiring patient sample impedance measurements
Inadequate algorithm for impedance measurements comparison
Inadequate algorithm for patient sample impedance measurements
Inadequate control algorithm for upstream data transfer
Inadequate control algorithm for downstream data transfer.
(iii) Process Model of CSCP system is inconsistent, incomplete
Scenarios which may lead to inadequate enforcement of the safety constraints are the following:
CONTROLLER: Assumes erroneous low impedance results from ITMS are accurate results
CONTROLLER: Assumes erroneous high impedance results from ITMS are accurate results
ITMS: Inadequate impedance result feedback
ITMS: Assumes erroneous low impedance results from controlled process are accurate results
ITMS: Assumes erroneous high impedance results from controlled process are accurate results
Incorrect data transfer confirmation logic on ITMS controller
Incomplete data transfer confirmation logic on ITMS controller
Data transfer logic is inconsistent
(iv) Missing feedback delays
Scenarios which may lead to missing feedback delays of the safety constraints are the following:
Missing impedance readings feedback to CSCP controller
Incorrect impedance readings feedback to CSCP controller
Fragmented impedance readings feedback to CSCP controller
Delayed impedance readings feedback to CSCP controller
Unexpected impedance readings feedback to CSCP controller
Delayed feedback on data transfer
(v) Incorrect or no information provided, measurement inaccuracies, feedback delays
Missing impedance readings to ITMS
Incorrect impedance readings to ITMS
Fragmented impedance readings to ITMS
Delayed impedance readings to ITMS
Unexpected impedance readings from ITMS
No patient result data feedback
Erroneous patient result data feedback
Delay in patient result data feedback
F. Hazard List and Hazard Log
i) Hazard
H1.System reports fake patient’s results to the user.
ii) System Element
CSCP, DSPS, ITMS and Data Base
iii) Causal Factors
CF1- Input command missing to initiate impedance measurement process
CF2- Input command execution too early to initiate impedance measurement process
CF3- Input command execution too late to initiate impedance measurement process
CF4- Wrong input command to initiate impedance measurement process
CF5- Incorrect input command to initiate impedance measurement process, etc.
iv) Safety constraints
SC1- Correct patient results must be reported to the Audiologist.
SC2- Patient results must be reported to the Audiologist in a usable time frame.
VI. RESULT DISCUSSION
From the control structure, for H1 and the case accident, there were 12 hazards (underlined) identified that could have led to patient injury. In the f1-f2-f3-f4 control loops they describe the physical blockage of the membrane or nerve. This finding may seem biased toward discovery since this analysis occurred post-accident. These hazards may not be covered in the FMEA analysis.
In the next loop, b1-b2-b3-b4, the patient data is requested by the DSPS from the ITMS controller. It provided the structure necessary for a comprehensive hazard analysis. Some identified hazards were left nondescript, such as inadequate patient data transfer. This may indicate missing, late or erroneous transfer processes, which may be an advantage in discovering new conditions under which the control loop migrates to an unsafe state.
In control loop c1-c2-c3-c4, the transported digital data originally from the CSCP is converted to usable patient data. The case study's proprietary software algorithm performs this conversion and analyzes the results for quality. Control loop c9-g6 is similar to the other control loops in which data is transferred up the hierarchical structure; therefore similar hazards were found for this control loop as for the other data transfer control loops. It is noted that adherence to the turnaround time requirement plays a significant role in the case accident. In conclusion, the STPA methodology was applied to the case accident and an extensive number of hazards were identified. Of the over 134 hazards identified, 12 were found to be contributors to the case accident.
We used STPA to identify the related hazards, created the safety control structure and identified the related causal factors. Finally, we compared the results based on STPA with the original FMEA results. In our case, we demonstrated how to apply STPA to hazard analysis. We think that STPA provides a different idea and way to develop hazard analysis compared with traditional methods. Existing hazard analysis approaches such as FTA and FMEA have been used for a long period. As demonstrated in earlier sections, these methods have some limitations. These limitations are of primary concern for complex systems, and STPA may have some advantages for such systems. STPA provides a systemic methodology for hazard analysis as well as clear guidance for conducting it. STPA is usually used at the system level, but it can also be extended to more detailed levels.
An FMEA analysis could not detect such a hazard as a potential hazard because, based on such an analysis, as long as an ITMS is healthy and works properly the functionality is not disrupted and hence the system could be considered safe. However, such a hazard can be identified by STPA and proper mitigations put in place accordingly. Result verification at lower levels can be done easily, as the number of involved parties is smaller than in upper-level control mechanisms, improving the accuracy of the final results reported to the operators. In addition, such result verification can monitor the physical components' integrity
and performance. Additionally, even with result verification in place, there is no verification of the sequence of results reported from lower-level loops to higher-level loops in the hierarchical control structure. Therefore the higher-level control loops take actions based on received results that are not the actual expected results. This failure to define the appropriate behavior of the system makes the process model incomplete, and it is one of the frequent forms of deficiency that occur due to an incomplete process model. To address such hazards, the process model of the controller should perform source verification of any received results by utilizing a light-weight public/private safety system.
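The source and sequence verification recommended above, as an added example that is not code from the paper: the ITMS numbers and authenticates each result it reports, and the CSCP controller rejects a result whose tag, source or sequence number is wrong and notes any gap in the sequence. An HMAC-SHA256 over a shared key stands in for the paper's public/private keys so that only the standard library is needed (a digital signature would slot into the same two functions); the key, message format and sample results are constructed assumptions.

```python
"""Source and sequence verification of lower-loop results (added example, not the paper's code)."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # ASSUMED placeholder key


def encode_result(source, seq, patient, kohm):
    """Canonical bytes for one result message (sorted keys so the tag is stable)."""
    body = {"src": source, "seq": seq, "patient": patient, "kohm": list(kohm)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_tag(key, msg):
    """Authentication tag; a public-key signature would replace this one function."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ItmsSender:
    """Lower-loop controller: numbers and authenticates every result it reports upward."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def send(self, patient, kohm):
        self.seq += 1
        msg = encode_result("ITMS", self.seq, patient, kohm)
        return msg, make_tag(self.key, msg)


class CscpVerifier:
    """Higher-loop controller: accepts a result only if source and sequence check out."""

    def __init__(self, key, expected_source="ITMS"):
        self.key = key
        self.expected_source = expected_source
        self.last_seq = 0

    def accept(self, msg, tag):
        """Return (accepted, reason); the process model advances only on accept."""
        if not hmac.compare_digest(make_tag(self.key, msg), tag):
            return False, "rejected: authentication tag does not verify"
        body = json.loads(msg)
        if body.get("src") != self.expected_source:
            return False, f"rejected: unexpected source {body.get('src')!r}"
        seq = body["seq"]
        if seq <= self.last_seq:
            return False, f"rejected: seq {seq} replayed or out of order (last {self.last_seq})"
        missing = seq - self.last_seq - 1
        self.last_seq = seq
        if missing:
            return True, f"accepted seq {seq}; {missing} earlier result(s) never arrived"
        return True, f"accepted seq {seq}"


def run_demo():
    """Exercise the checks with constructed traffic; returns the list of (accepted, reason)."""
    itms = ItmsSender(SHARED_KEY)
    cscp = CscpVerifier(SHARED_KEY)
    m1, t1 = itms.send("P-001", [8.0] * 12)
    m2, t2 = itms.send("P-001", [8.1] * 12)
    m3, t3 = itms.send("P-001", [8.2] * 12)
    tampered = m2.replace(b"8.1", b"0.1")          # values altered in transit
    forged = encode_result("ITMS", 4, "P-001", [8.3] * 12)
    forged_tag = make_tag(b"wrong-key", forged)   # a sender without the key
    return [
        cscp.accept(m1, t1),              # fresh, in order
        cscp.accept(m1, t1),              # replay of seq 1
        cscp.accept(tampered, t2),        # tag no longer matches
        cscp.accept(m3, t3),              # in order, but seq 2 skipped
        cscp.accept(m2, t2),              # genuine but now out of order
        cscp.accept(forged, forged_tag),  # wrong key
    ]


if __name__ == "__main__":
    for ok, why in run_demo():
        print("OK " if ok else "NO ", why)
```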
Our STPA analysis facilitated the process of understanding a complex control structure such as the CSCP software infrastructure and the relationships among its control loops. As we showed in our analysis, even though some of the hazards were the result of insufficient access control at lower-level loops, most of them were the result of inadequate control over the interactions among the system components and their associated control loops. The lessons learned from our STPA analysis can be used to prevent hazards in other CPS. For example, medical devices are becoming more intelligent these days and numerous components have to interact with each other to accomplish a task. Therefore, system designers can utilize the STAMP framework to identify hazards in a complex environment that runs mostly through complex interactions among its numerous components.
The results based on STPA analysis include not only component failures but also the interaction failures among components or between components and human operators within a hierarchical structure. Although it has many advantages, STPA still has some subjective aspects. For different people the safety control structure might be different because their understanding of the system might differ, and the identification of hazards and causal factors might also differ. Like all other approaches to hazard analysis, STPA cannot provide a proof of completeness and accuracy of the identified hazards and causal factors. The following are the benefits over the CSCP of the CIS system:
Identify the importance of software in the MCPS of medical care devices system.
Reduce the number of hazards after applying the FTA and FMEA software testing methods.
It describes the safety integrity of the entire system.
It allows focusing on quality assurance procedures for the most basic safety structures.
Focus on prevention rather than detection.
Identify the design constraints.
Derive the risk prevention rate of the software in medical devices.
Provides the information about the ongoing state of software safety.
Reducing the severity and failure frequency.
It identifies any structural weakness.
Criteria for early planning of tests and test cases.
Decrease system development time and cost.
Reduce future failures by using some collection of information.
VII. CONCLUSION
In this paper the concept of STAMP-based hazard analysis in road tunnels has been introduced and illustrated through a case study example. This paper discusses these characteristics and suggests a design analysis approach that better integrates security into the core design of the system. We applied STPA to a sample case study. Numerous hazards were identified, which highlights some of the missing design requirement pieces needed in the original design intent to avoid the safety hazards imposed by the studied case. Future work will be the risk assessment based on the hazards identified by STPA. The STAMP model helps identify more inadequate controls inside the control structure, from the physical process to management, to the overall communication and coordination, and to the safety culture of the medical system.
REFERENCES
[1] K. Kirytopoulos, K. Kazaras, "The need for a new approach to road tunnels risk analysis", ESREL; Proc. International Conference in Safety and Reliability, (expected 2011).
[2] N. Leveson, "A new accident model for engineering safer systems", Safety Science 42, pp. 237-270, (2004).
[3] N. Leveson, Safeware: System Safety and Computers. Addison-Wesley, 1995.
[4] Johannessen, P., Torner, F. and Torin, J. (2004) Actuator based hazard analysis for safety critical systems, in Computer Safety, Reliability, and Security, v 3219, pp. 130-141.
[5] Gleirscher, M. (2013) Hazard analysis for technical systems, Software Quality: Increasing Value in Software and Systems Development, 5th International Conference, SWQD, v 133, pp. 104-124, Austria.
[6] Leveson, N. (2012). Engineering a safer world: Systems thinking applied to safety. (Book draft). Retrieved from http://sunnyday.mit.edu/saferworld/index.html, to be published by MIT Press in 2012.
[7] Nakao, H., Katahira, M., Miyamoto, Y. and Leveson, N. (2011) Safety guided design of crew return vehicle in concept design phase using STAMP/STPA, in Proc. of the 5th IAASS Conference, pp. 497-501.
[8] Ishimatsu, T., Leveson, N. G., Thomas, J., Katahira, M., Miyamoto, Y. and Nakao, H. (2010) Modeling and hazard analysis using STPA, in Proc. of the 4th IAASS Conference Making Safety Matter, p. 10.
[9] N. Leveson, Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, 2011.