
     International Journal of Computer Systems (ISSN: 2394-1065), Volume 03 –  Issue 02, February, 2016

     Available at http://www.ijcsonline.com/

A Systems-Theoretic Approach to the Safety Analysis in Medical Cyber-Physical Systems

B. Umamaheswararao (A), P. Seetharamaiah (B)

(A) Dept. of CSE, Indo American Institutions Technical Campus, Sankaram, Anakapalle, Visakhapatnam, India
(B) Department of CS & SE, Andhra University, Visakhapatnam, India

    Abstract

Software for a Medical Cyber-Physical System (MCPS) must deal with the hazards recognized by safety analysis in order to be secure, risk-free and fail-safe. Computer-based bio-electronic systems are used to replace damaged human functions: the bionic ear for hearing loss, the bionic eye for loss of sight, the deep brain stimulator for illnesses of the mind, and the bionic arm for arm prostheses. The aim of this paper is to investigate a systems-based design approach to modeling software safety in an MCPS and to reduce the probability of unsafe system conditions through a variety of management, organizational and technical measures. There is currently no formal methodology to test and verify the correct operation of medical device software within the closed-loop context of the patient. To address this, we use three analysis methods, Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and System-Theoretic Process Analysis (STPA), to identify potentially hazardous software faults and to develop software safety for the Control Software for Clinical Programming (CSCP), a medical device software component; we also discuss the safety properties of clinical programming software. The Systems-Theoretic Accident Model and Processes (STAMP) is used to find the hazards and to guide the control structure that enforces constraints against them. We applied the analysis methods to a CPS and propose an approach for software safety in safety-critical medical cyber-physical systems. The approach was applied to the CSCP of a cochlear implant system (CIS). Developing a cyber-physical system based on this approach provides enhanced safety for its software. Finally, we describe the implementation of all modules of the CSCP software. A custom-built Database Application (DA) for the medical development of the bionic ear was developed in the Visual Studio environment using an MS Access database. In this paper, STAMP is applied to the MCPS hazard analysis process through a case study: we examine the CSCP of the CIS and use a systems-theoretic approach that takes both physical and cyber components into account to deal with the potential hazards in the system. We show how this strategy can determine software hazards in an MCPS and provide practical new requirements and design decisions that MCPS designers can use in building a safe MCPS.

Keywords: Medical Cyber-Physical System, software safety, closed-loop system, Control Software for Clinical Programming, Cochlear Implant System.

I. INTRODUCTION

A Cyber-Physical System (CPS) is a co-engineered, communicating system of physical and computational components. MCPS are safety-critical, connected, intelligent medical device systems. Current accident models in the health field have limitations in capturing the main factors that influence the safety level of these infrastructures, such as organizational factors, human and software errors, systemic accidents and risk migration [1]. A new type of accident model, the Systems-Theoretic Accident Model and Processes (STAMP), was proposed by Nancy Leveson [2] and fulfils the requirements of medical device safety.

The objectives of this paper lead to better control-software quality for medical cyber-physical systems and to a faster, more structured design. a) The essential goal is to support a safety-driven design process (physical, operational, organizational) for medical cyber-physical systems, in which hazard analysis shapes early design choices and is iterated and refined as the design advances. b) The second objective is to show that safety analysis for a medical cyber-physical system can be done top-down in the architecture design phase combined with STPA, which provides a systems-theoretic approach to identifying hazards and safety requirements in medical cyber-physical systems. c) The third objective is to reduce the probability of unsafe system conditions through a variety of management, organizational and technical measures and to keep the system functioning even when one or more faults occur. The remainder of this paper is organized as follows. Section II reviews related literature. Section III describes the closed-loop system from different aspects. Section IV gives an overview of the CSCP of the CIS. Section V presents the STPA case study. Section VI discusses the results and Section VII concludes.

II. RELATED TECHNIQUES FOR SAFETY ANALYSIS IN MCPS

Traditionally, safety has been viewed as a failure problem. Because the primary cause of injuries in older systems was component failure, hazard analysis methods and safety design methods concentrated on determining the critical components and either avoiding their failure or providing redundancy to minimize the effects of a failure. Here we use the sequence-of-events accident model and


    Fig. 2 Medical devices closed-loop system

The CSCP of the CIS includes the following aspects of the safety protection function: patient registration, impedance measurement, CSCP software self-checking, programming the DSPS, and adjusting the TCL and MCL values. The control system consists of a monitor module and a control module. We start from hazard identification through requirements analysis. Here we consider only one of the main hazards arising from the CSCP of the CIS: the system reports erroneous patient results to the user. The design process should proceed by refining the safety requirements down to a lower level.

    Fig. 3 CSCP of CIS Architecture model

Safety constraints are used to recognize the safe and unsafe states of a system. They are derived from the hazards described in the system specification. The successful design and administration of safety constraints improves software safety. In STAMP, these constraints are used to produce the software specifications that are mandatory to maintain software safety.

A. Systems-Theoretic Process Analysis (STPA)

STPA is a new hazard analysis technique based on STAMP. It evaluates a system as a collection of interacting control loops. It can be used at any stage of the system lifecycle, from before design to after implementation. The STPA technique proceeds in the following steps: define the system hazards and related safety constraints, develop the safety control structure for the closed-loop system, identify potentially inadequate control actions, and determine how the potentially inadequate control actions could happen.

B. Causal Analysis using System Theory (CAST)

CAST analyzes the dynamics of the control structure for accident analysis. The CAST methodology consists of the following steps: identify the system and the accident (loss), identify the hazards involved in the accident (loss), identify the proximal events (near the time of the accident), draw the safety control structure, and analyze the physical system and the controllers.

IV. OVERVIEW OF THE CSCP OF CIS SYSTEM

The cochlear implant system (CIS) has three hardware modules: the Impedance Telemetry Monitoring System (ITMS), the Digital Speech Processor System (DSPS), and the Implantable Receiver Stimulator (IRS).

A. Impedance Telemetry Monitoring System (ITMS)

The ITMS is used to find the active electrodes of the 12-electrode array and their respective TCL (Threshold Comfort Level) and MCL (Most Comfortable Level). The ITMS is designed on a programmable logic device, an FPGA (Field Programmable Gate Array). The hardware modules identified for the FPGA-based ITMS are the FPGA module, an ASK (Amplitude Shift Keying) modulated RF transmitter and an LSK (Load Shift Keying) demodulated RF receiver. The ITMS sends the impedance request to the IRS (Implantable Receiver Stimulator) and receives the impedance values together with their electrode or channel numbers. The FPGA acts as the central processing unit that sends requests and receives impedance values, and an LCD displays the measured impedance values against the electrode numbers. The function of the ITMS is to measure the electrode impedances and the neural response of a patient; stimulating and recording electrical signals in this way facilitates device fitting and parameter adjustment.

B. Digital Speech Processor System (DSPS)

The DSPS receives external sound or speech and generates encoded speech data bits for transmission to the IRS over a radio-frequency link to excite the electrode array, by continuously executing the speech processing program embedded in the DSPS.

C. Implantable Receiver Stimulator (IRS)

The IRS stimulates the auditory nerve through the electrode array placed inside the cochlea of the deafened person. The IRS receives its instructions from the speech processor by magnetic induction from the transmitter and also receives its power over the same transmission.

D. CSCP software functional operations

The CSCP software is designed for the DSPS and ITMS and is used by an audiologist to perform the post-operative fitting procedure for better recognition of sound. The program contains several functional modules: patient information management, UART settings, impedance measurement, fitting and mapping. The software is developed in VB.NET 2008 with an MS Access database. The database tables record the patient's basic information, medical record, evaluation of hearing abilities, evaluation of speech and language status, rehabilitation status, evaluation of psychological status, medical and audiological evaluation, processor programming, and specific training with processor accessories.

Initially, the CSCP software starts with audiologist registration and then proceeds to patient registration. Whenever the CSCP displays "invalid details please input all the required details", the CSCP software process is stopped


and registration is repeated. Whenever the ITMS module is loaded it reads the impedance values from the impedance database table, if available, displays each channel's resistance value in the corresponding textbox and also plots the resistance values in a chart control. If the resistance values have not yet been stored it displays the error message "insufficient recipient data please try again". The impedance measurement module displays the impedance values, in text and graphical form, if the audiologist has already measured the patient's impedances; if the impedance values are not available it displays null values. Whenever the fitting module is loaded it reads the impedance values from the impedance table, displays them in the corresponding textbox for each channel, and creates a new row in the mapping table with default values of TCL and MCL.

V. STPA ANALYSIS OF CSCP OF CIS SYSTEM

The system objectives are defined as follows: allow the system to reduce the probability of unsafe system conditions through a variety of physical, organizational and cyber measures; automatically capture accidents resulting from component interaction, not just from failures; and provide automatic patient protection. The accident is defined as: the patient is killed or seriously injured.

A. System Hazard Identification

A safety-driven design should start by identifying accidents and then defining the system hazards that would cause these accidents to occur. Accidents are defined here as undesired or unplanned events that result in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. [8]. Hazards are defined as system states or sets of conditions that, together with a particular set of environmental conditions, will lead to an accident [8]; that is, a hazard is a system state which, when it interacts with other conditions in the system's environment, leads to an accident [9]. The system-level hazards relevant to this definition of an accident are listed in Table 1.

TABLE 1. IDENTIFIED HAZARDS IN CSCP OF CIS

H1  System reports erroneous patient results to the user.
H2  The system reports the patient's required results from the controller too late.
H3  The system performs wrong operations by hazard (rather than those requested by the operator).
H4  Commands for volume exceeding the patient's impedance, THL or MCL are sent to the DSPS.
H5  Wrong patient's treatment history retrieved.
H6  Current treatment profile appended to the wrong patient's record.
H7  Incorrect identification of electrode failure by the impedance module.
H8  Measurements of impedance values are incorrect.
H9  Wrong calculation of active electrode values.
H10 Faulty decision in CSCP software regarding ITMS malfunctioning.
H11 Identification of active electrodes is wrong owing to ITMS malfunctioning.
H12 Release of incorrect volume.
H13 Incorrect calculation of THL, MCL values; volume delivered to wrong location.
H14 Incorrect calculation of THL, MCL values; volume too high.
H15 Finding THL, MCL for failed electrodes.
H16 Communication failure between CSCP and DSPS or ITMS.

Hazard H1, reporting erroneous patient results, is clinically significant and can lead to medical accidents. H2 is the hazard where the system reports the correct patient results but too late to be used; such a delay may have medical consequences. H3 is the hazard where the system executes operations driven by a hazard rather than those requested by the operator. Running centrifuges at the highest speed and then switching them to the lowest speed without regard to the speed requested by the operator is an example of such a hazard. These hazards are not recognized by the controllers in the system, since they hide the actual situation from the controllers, which imposes a further hazard.

B. System Safety Constraints and Safety Requirements

After the system hazards are defined, they should be translated into corresponding safety constraints, which are restrictions on how the system can achieve its purpose.

TABLE 2. SAFETY CONSTRAINTS AND REQUIREMENTS

Hazard | Safety constraint (SC) | Safety requirement (SR)
H1 | SC1: Correct patient results must be reported to the audiologist. | SR1: The system shall ensure correct patient result reporting based on existing standards for each user.
H2 | SC2: Patient results must be reported to the audiologist in a usable time frame. | SR2: The system shall have a patient result report turn-around time of X.
H3 | SC3: The system must only perform operations requested by a legitimate operator. | SR3: The system shall make sure that only genuine functions are executed.

For the purpose of the case study, the hazard analyzed is H1: the system reports erroneous patient results to the medical staff. This is the hazard that led to the medical casualty and the subsequent case accident.
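Several of the Table 1 hazards (H4, H5/H6, H7, H14, H15) and the Table 2 constraints can be enforced directly in the CSCP before a fitting command is released to the DSPS, rather than only detected afterwards. The Python below is an added example written for this page, not code from the paper's CSCP: it classifies the 12 electrodes from an impedance report (Section IV describes the ITMS returning impedance per electrode, and the fitting module otherwise creating mapping rows with default TCL/MCL even when impedances are null) and refuses commands that are bound to the wrong patient, target a failed or unmeasured electrode, or carry out-of-range levels. The impedance window, the level ceiling, the patient identifiers and the sample report are constructed assumptions; real devices use manufacturer-specific limits.

```python
"""Added example (not from the paper): controller-side enforcement of the
Table 1 / Table 2 safety constraints before a fitting command reaches the DSPS.
All thresholds, identifiers and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NUM_ELECTRODES = 12           # 12-electrode array, as in the paper's ITMS description
# Hypothetical impedance acceptance window in ohms. The paper gives no numbers;
# real devices use manufacturer-specific limits.
SHORT_CIRCUIT_OHMS = 500.0    # at or below: contact shorted to another electrode
OPEN_CIRCUIT_OHMS = 30_000.0  # at or above: broken lead / open circuit
MAX_STIM_LEVEL = 255          # hypothetical ceiling for TCL/MCL in device units


@dataclass
class ImpedanceReport:
    """Impedance values as the CSCP reads them back from the impedance table.
    None models the 'null values' the paper says are displayed when no
    measurement has been stored for an electrode."""
    patient_id: str
    ohms: Dict[int, Optional[float]]


@dataclass
class FittingCommand:
    """A TCL/MCL programming command destined for the DSPS."""
    patient_id: str
    electrode: int
    tcl: int
    mcl: int


def classify_electrodes(report: ImpedanceReport) -> Dict[int, str]:
    """Label every electrode 'active', 'open', 'short' or 'missing' (H7/H9/H11)."""
    status: Dict[int, str] = {}
    for e in range(1, NUM_ELECTRODES + 1):
        z = report.ohms.get(e)
        if z is None:
            status[e] = "missing"
        elif z >= OPEN_CIRCUIT_OHMS:
            status[e] = "open"
        elif z <= SHORT_CIRCUIT_OHMS:
            status[e] = "short"
        else:
            status[e] = "active"
    return status


def active_electrodes(report: ImpedanceReport) -> List[int]:
    """Electrodes that may receive a mapping row; failed ones stay unprogrammed (H15)."""
    return [e for e, s in classify_electrodes(report).items() if s == "active"]


def check_fitting_command(cmd: FittingCommand, report: ImpedanceReport,
                          registered_patient: str) -> List[str]:
    """Return the safety constraints the command would violate.
    An empty list means the command may be forwarded to the DSPS."""
    violations: List[str] = []
    # SC: results and commands must belong to the registered patient (H5/H6).
    if cmd.patient_id != registered_patient or report.patient_id != registered_patient:
        violations.append("patient binding: command or impedance report is not for the registered patient")
    # SC: never program TCL/MCL on a failed or unmeasured electrode (H7/H15).
    if not 1 <= cmd.electrode <= NUM_ELECTRODES:
        violations.append(f"electrode {cmd.electrode} is outside the {NUM_ELECTRODES}-electrode array")
    else:
        state = classify_electrodes(report)[cmd.electrode]
        if state != "active":
            violations.append(f"electrode {cmd.electrode} is {state}; TCL/MCL programming refused")
    # SC: stimulation levels must be ordered and bounded (H4/H14).
    if not 0 <= cmd.tcl < cmd.mcl <= MAX_STIM_LEVEL:
        violations.append(f"levels out of range: need 0 <= TCL({cmd.tcl}) < MCL({cmd.mcl}) <= {MAX_STIM_LEVEL}")
    return violations


def sample_report() -> ImpedanceReport:
    """Constructed sample data: electrode 3 open, 7 shorted, 10 never measured."""
    ohms: Dict[int, Optional[float]] = {e: 8_000.0 for e in range(1, NUM_ELECTRODES + 1)}
    ohms[3] = 45_000.0
    ohms[7] = 200.0
    ohms[10] = None
    return ImpedanceReport(patient_id="P-001", ohms=ohms)


if __name__ == "__main__":
    rep = sample_report()
    print("active electrodes:", active_electrodes(rep))
    for cmd in (FittingCommand("P-001", 1, 40, 120),    # accepted
                FittingCommand("P-001", 3, 40, 120),    # open electrode
                FittingCommand("P-002", 1, 40, 120),    # wrong patient
                FittingCommand("P-001", 5, 130, 120)):  # TCL >= MCL
        print(cmd, "->", check_fitting_command(cmd, rep, "P-001") or "OK")
```

The check is deliberately placed in the controller that issues the command (the CSCP), so a stale or null impedance table cannot silently turn into a programmed electrode; the violation list, rather than a boolean, is what the audiologist should see on screen.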


C. System Control Structure

Once the hazards and related safety constraints have been defined, a typical socio-technical hierarchical structure with safety control processes, called the hierarchical safety control structure, should be described. The main work in defining this control structure is identifying the responsibilities of each component or sub-system as well as all their relationships; it should comply with the System Design Specification. Hierarchical safety control structures can be very complex, so when analyzing different hazards only part of the overall structure is considered as the object of analysis and the rest is treated as environment. The next step is to investigate the control loops. The main purpose of analyzing the control loops is to find violations of safety constraints that may be caused by other, interacting control loops.

    Fig. 4 CSCP sample process in control structure

D. High Level Hazard Analysis using STPA

The STPA process is used to analyze each of the high-level hazards. The two steps of STPA are identifying unsafe control actions in the system and determining how these control actions could occur. A controller can provide unsafe control in four ways: 1) a control action required for safety is not provided, or is not followed; 2) an unsafe control action is provided; 3) a control action is provided at the wrong time, earlier or later than required, or out of sequence with other control actions; 4) for a continuous control action, the control action is stopped too soon or applied too long.

For each hazard analysis, tables are first created listing all the unsafe control actions that the controllers could provide, following the four ways identified above. Then causal factors are considered in three general categories: (1) the controller operation, (2) the behavior of actuators and controlled processes, and (3) communication and coordination among controllers and decision makers.

After the system-level safety control structure has been defined, the next step is to identify the potential for inadequate control, which may drive the system into a hazardous state. STPA is a systemic method for hazard analysis: it considers hazards and causes systemically rather than only in terms of component failures or failure events. At this level the CSCP is the controller for two lower-level controlled processes, the ITMS controller and the DSPS controller. The CSCP controller maintains the overall system and the ITMS and DSPS data processing. The ITMS control process monitors and records active impedance values from patient measurements. The DSPS control process controls the volume of the system and delivers the volume information to the patient.

TABLE 3. UNSAFE CONTROL ACTIONS

Control action | Required action not provided | Unsafe action provided | Incorrect timing/order | Control action stopped too soon / applied too long
Patient status signal | Catastrophic: wrong patient information determined | Catastrophic: wrong patient information determined | Too early: not a hazard (N/A). Too late: catastrophic, wrong patient information determined and the system hangs waiting for acknowledgement | Not a hazard (N/A)
CSCP → DSPS: normal command | Catastrophic: wrong determination of patient information, PL values and filter coefficients | Catastrophic: wrong determination of patient information and impedance values | Too early: N/A. Too late: catastrophic, wrong patient information determined and the system hangs waiting for acknowledgement | Not a hazard (N/A)
ITMS → CSCP: provide impedance values | Catastrophic: incorrect values are gathered | Not a hazard (N/A) | Too early: catastrophic, incorrect values are gathered. Too late: catastrophic, network dropout | N/A
Volume release | High system volume | Must be assured | Must be done before opening the system and after isolating | Too high volume in the system


E. Identify how the safety constraints could be violated

After the hazards have been identified, the next step is to identify the causal factors, which are very useful for working out mitigating features against each hazard. Because hazards result from inadequate control and inadequate enforcement of safety constraints, the causal factors can be understood in terms of control flaws. Fig. 5 shows a classification of control flaws leading to hazards; the safety control structure diagram is evaluated using this classification. Note that not every control flaw will contribute to the hazard, i.e. not every control flaw becomes a causal factor; this depends on the case. Here, hazard H1 is analyzed first.

    Fig. 5 Causal factors leading to hazard h1

Using the above framework for the STPA analysis, the intent is to identify the hazards that led to the case accident. The focus of the analysis is H1, with its constraint that accurate patient results must be reported to the audiologist at all times, since this was the catalyst for the FDA recall. The identified hazards of the case accident serve as the driver for the design requirements generated in the next section. Furthermore, during the STPA analysis additional hazards that could lead to other accidents are documented so that they can be compared against the original set of hazards identified by the standard FMECA methodology.

(i) Control input or external information wrong or missing

The safety constraints may be inadequately enforced in the following scenarios:

- Input command missing to initiate the impedance measurement process
- Input command executed too early to initiate the impedance measurement process
- Input command executed too late to initiate the impedance measurement process
- Wrong input command to initiate the impedance measurement process
- Incorrect input command to initiate the impedance measurement process
- Inadequate digital data input
- Missing digital data input
- Input command missing to initiate the data transfer process
- Input command missing to initiate the data conversion process
- Input command executed too early
- Input command executed too late

(ii) Inadequate control algorithm of the CSCP system

Scenarios that may violate the safety constraints in this classification are:

- Inadequate algorithm for acquiring patient impedance measurements
- Inadequate algorithm for comparing impedance measurements
- Inadequate algorithm for processing patient impedance measurements
- Inadequate control algorithm for upstream data transfer
- Inadequate control algorithm for downstream data transfer

(iii) Process model of the CSCP system is inconsistent or incomplete

Scenarios which may lead to inadequate enforcement of the safety constraints are:

- CONTROLLER: assumes an erroneously low impedance result from the ITMS is accurate
- CONTROLLER: assumes an erroneously high impedance result from the ITMS is accurate
- ITMS: inadequate impedance result feedback
- ITMS: assumes an erroneously low impedance result from the controlled process is accurate
- ITMS: assumes an erroneously high impedance result from the controlled process is accurate
- Incorrect data transfer confirmation logic on the ITMS controller
- Incomplete data transfer confirmation logic on the ITMS controller
- Data transfer logic is inconsistent

(iv) Missing feedback or feedback delays


Scenarios which may lead to missing or delayed feedback on the safety constraints are:

- Missing impedance readings feedback to the CSCP controller
- Incorrect impedance readings feedback to the CSCP controller
- Fragmented impedance readings feedback to the CSCP controller
- Delayed impedance readings feedback to the CSCP controller
- Unexpected impedance readings feedback to the CSCP controller
- Delayed feedback on data transfer

(v) Incorrect or no information provided; measurement inaccuracies; feedback delays

- Missing impedance readings to the ITMS
- Incorrect impedance readings to the ITMS
- Fragmented impedance readings to the ITMS
- Delayed impedance readings to the ITMS
- Unexpected impedance readings from the ITMS
- No patient result data feedback
- Erroneous patient result data feedback
- Delay in patient result data feedback

F. Hazard List and Hazard Log

i) Hazard
H1. System reports erroneous patient results to the user.

ii) System elements
CSCP, DSPS, ITMS and database

iii) Causal factors
- CF1: Input command missing to initiate the impedance measurement process
- CF2: Input command executed too early to initiate the impedance measurement process
- CF3: Input command executed too late to initiate the impedance measurement process
- CF4: Wrong input command to initiate the impedance measurement process
- CF5: Incorrect input command to initiate the impedance measurement process
- etc.

iv) Safety constraints
- SC1: Correct patient results must be reported to the audiologist.
- SC2: Patient results must be reported to the audiologist in a usable time frame.

VI. RESULT DISCUSSION

From the control structure, for H1 and the case accident, 12 hazards (underlined) were identified that could have led to patient injury. The f1-f2-f3-f4 control loops can describe the physical blockage of the membrane or nerve. This finding may seem biased towards discovery since the analysis occurred post-accident. These hazards may not be covered by an FMEA analysis.

In the next loop, b1-b2-b3-b4, the patient data is requested by the DSPS from the ITMS controller. The loop provides the structure necessary for a comprehensive hazard analysis. Some of the hazards identified were left nondescript, such as inadequate patient data transfer. This may stand for missing, late or erroneous transfer processes, which can be an advantage in discovering new conditions under which the control loop migrates to an unsafe state.

In control loop c1-c2-c3-c4, the transported digital data originating from the CSCP is converted to usable patient data. The case study's proprietary software algorithm performs this conversion and analyzes the results for quality. Control loop c9-g6 is similar to the other control loops in which data is transferred up the hierarchical structure, so similar hazards were found for it as for the other data transfer control loops. Adherence to the turn-around time requirement plays a significant role in the case accident. In conclusion, the STPA methodology was applied to the case accident and a large number of hazards were identified: of the more than 134 hazards identified, 12 were found to be contributors to the case accident.

We used STPA to identify the related hazards, created the safety control structure and identified the related causal factors. Finally we compared the STPA results with the original FMEA results. In our case we demonstrated how to apply STPA to hazard analysis. We think that STPA provides a different idea of, and way to develop, hazard analysis compared with traditional methods. Existing hazard analysis approaches such as FTA and FMEA have been used for a long time; as discussed in the earlier sections, these methods have limitations. The limitations are of primary concern for complex systems, and STPA may have advantages for such systems. STPA provides a systemic methodology for hazard analysis as well as clear guidance for conducting one. STPA is usually used at the system level, but it can also be extended to more detailed levels.

An FMEA could not detect such a hazard as a potential hazard because, under that analysis, as long as the ITMS is healthy and works properly its functionality is not disrupted and hence the system could be considered safe. Such a hazard can, however, be identified by STPA and proper mitigations put in place. Result verification at lower levels can be done easily, since the number of involved parties is smaller than in upper-level control mechanisms, improving the accuracy of the final results reported to the operators. In addition, such result verification can monitor the physical components' integrity


and performance. However, even with result verification in place, there is no verification of the sequence of results reported from lower-level loops to the higher-level loops in the hierarchical control structure. The higher-level control loops may therefore act on received results that are not the results actually expected. The system's appropriate behavior is not defined for this case, which makes the process model incomplete; this is one of the frequent forms of deficiency that arise from an incomplete process model. To address such hazards, the controller's process model should perform source verification of every received result, for example by using a lightweight public/private-key scheme.
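The source and sequence verification called for above is a small protocol change: the lower-level controller (here the ITMS) tags every result with its identity, a monotonically increasing sequence number and a timestamp, and authenticates all of them together, so the CSCP can reject forged, replayed, out-of-order or stale results before they enter its process model. The Python below is an added example written for this page, not code from the paper's CSCP. For the sake of a stand-alone, dependency-free block it uses an HMAC over a shared secret rather than the public/private-key scheme the text suggests; the key, message layout, field names, freshness window and sample exchange are all constructed assumptions. The stale check ties this to H2: an authentic but late result is still rejected.

```python
"""Added example (not from the paper): authenticated, sequence-numbered feedback
from a lower-level controller (ITMS) to the CSCP. Uses an HMAC over a shared
secret instead of the public/private-key scheme the text suggests; the key,
message format, field names and freshness window are hypothetical."""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Hypothetical shared secret provisioned into the ITMS and the CSCP at build time.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def _canonical(body: Dict[str, Any]) -> bytes:
    """Deterministic JSON encoding so both sides MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key: bytes, sender: str, seq: int, ts: float,
                payload: Dict[str, Any]) -> Dict[str, Any]:
    """Sender side: bind source, sequence number, timestamp and payload under one MAC."""
    body: Dict[str, Any] = {"sender": sender, "seq": seq, "ts": ts, "payload": payload}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class FeedbackVerifier:
    """Receiver side (CSCP): accept a result only if it is authentic, from the
    expected controller, strictly later in sequence than the last one accepted,
    and fresh enough to act on (H2: correct but too late is still a hazard)."""

    def __init__(self, key: bytes, expected_sender: str, max_age_s: float = 2.0):
        self.key = key
        self.expected_sender = expected_sender
        self.max_age_s = max_age_s
        self.last_seq = 0

    def accept(self, msg: Dict[str, Any], now: float) -> Tuple[bool, str]:
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Verify the MAC before trusting any field; compare in constant time.
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected):
            return False, "bad-mac"
        if body.get("sender") != self.expected_sender:
            return False, "wrong-source"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False, "replay-or-out-of-order"
        ts = body.get("ts")
        if not isinstance(ts, (int, float)) or now - ts > self.max_age_s:
            return False, "stale"
        self.last_seq = seq
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange: one good report, then a replay, a tampered copy,
    a stale report, a report from the wrong controller and one under a wrong key."""
    verifier = FeedbackVerifier(DEMO_KEY, expected_sender="ITMS")
    good = sign_report(DEMO_KEY, "ITMS", 1, 100.0, {"electrode": 1, "ohms": 8000})
    tampered = dict(good)
    tampered["payload"] = {"electrode": 1, "ohms": 100}   # forge a 'short' reading
    late = sign_report(DEMO_KEY, "ITMS", 2, 101.0, {"electrode": 2, "ohms": 8100})
    wrong_src = sign_report(DEMO_KEY, "DSPS", 3, 110.0, {"electrode": 3, "ohms": 7900})
    wrong_key = sign_report(b"attacker-key", "ITMS", 4, 110.0, {"electrode": 4, "ohms": 7950})
    return {
        "good": verifier.accept(good, now=100.5),
        "replay": verifier.accept(good, now=100.6),
        "tampered": verifier.accept(tampered, now=100.7),
        "late": verifier.accept(late, now=110.0),
        "wrong_source": verifier.accept(wrong_src, now=110.1),
        "wrong_key": verifier.accept(wrong_key, now=110.2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

With a public/private-key scheme the structure is identical: the ITMS signs the canonical body with its private key and the CSCP verifies with the ITMS public key, which removes the need to store a shared secret in the clinical programming software. Either way the sequence number and timestamp must sit inside the authenticated body, otherwise an attacker or a faulty link can reorder authentic results and the process model is again incomplete.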

    Our STPA analysis facilitated the process ofunderstanding a complex control structure such as a CSCPsoftware infrastructure and the relationship among itscontrol loops. As we showed in our analysis, even thoughsome of the hazards were the result of insufficient accesscontrol at lower-level loops, most of them were the result

    of inadequate control over the interactions among thesystem components and their associated control loops. Thelesson learned from our STPA analysis can be used to

     prevent hazards in other CPS. For example, medicaldevices are becoming more intelligent these days andnumerous components have to interact with each other toaccomplish a task. Therefore, system designers can utilizethe STAMP framework to identify hazards in a complexenvironment that runs mostly through complex interactionsamong its numerous components.

The results of the STPA analysis include not only component failures but also interaction failures among components, or between components and human operators, within a hierarchical structure. Although it has many advantages, STPA still has some subjective aspects. Different people may draw different safety control structures because their understanding of the system may differ, and their identification of hazards and causal factors may differ as well. Like all other approaches to hazard analysis, STPA cannot provide a proof of the completeness and accuracy of the identified hazards and causal factors. The following are the benefits of applying it to the CSCP of the CIS system.

• Identify the importance of software in the MCPS of medical care device systems.
• Reduce the number of hazards after applying the FTA and FMEA software testing methods.
• Describe the safety integrity of the entire system.
• Allow quality assurance procedures to focus on the most basic safety structures.
• Focus on prevention rather than detection.
• Identify the design constraints.
• Derive the risk prevention rate of the software in medical devices.
• Provide information about the ongoing state of software safety.
• Reduce the severity and frequency of failures.
• Identify any structural weakness.
• Provide criteria for early planning of tests and test cases.
• Decrease system development time and cost.
• Reduce future failures by using the collected information.

VII. CONCLUSION

In this paper the concept of STAMP-based hazard analysis in road tunnels has been introduced and illustrated through a case study example. This paper discusses these characteristics and suggests a design analysis approach that better integrates security into the core design of the system. We applied STPA to a sample case study. Numerous hazards were identified, highlighting some of the design requirements missing from the original design intent that are needed to avoid the safety hazards imposed by the studied case. Future work will be risk assessment based on the hazards identified by STPA. The STAMP model helps identify more inadequate controls inside the control structure, from the physical process to management, to the overall communication and coordination, and to the safety culture of the medical system.
