314 Chapter 12 Dependability and security specification
12.2.1 Hazard identification
In safety-critical systems, the principal risks come from hazards that can lead to an
accident. You can tackle the hazard identification problem by considering different
types of hazards, such as physical hazards, electrical hazards, biological hazards,
radiation hazards, service failure hazards, and so on. Each of these classes can then
be analyzed to discover specific hazards that could occur. Possible combinations of
hazards that are potentially dangerous must also be identified.
The insulin pump system that I have used as an example in earlier chapters is a
safety-critical system, because failure can cause injury or even death to the system
user. Accidents that may occur when using this machine include the user suffering
from long-term consequences of poor blood sugar control (eye, heart, and kidney
problems); cognitive dysfunction as a result of low blood sugar levels; or the occur-
rence of some other medical conditions, such as an allergic reaction.
Some of the hazards in the insulin pump system are:
• insulin overdose computation (service failure);
• insulin underdose computation (service failure);
• failure of the hardware monitoring system (service failure);
• power failure due to exhausted battery (electrical);
• electrical interference with other medical equipment such as a heart pacemaker
(electrical);
• poor sensor and actuator contact caused by incorrect fitting (physical);
• parts of machine breaking off in patient’s body (physical);
• infection caused by introduction of machine (biological);
• allergic reaction to the materials or insulin used in the machine (biological).
Experienced engineers, working with domain experts and professional safety
advisers, identify hazards from previous experience and from an analysis of the appli-
cation domain. Group working techniques such as brainstorming may be used, where
a group of people exchange ideas. For the insulin pump system, the people who may be
involved include doctors, medical physicists, engineers, and software designers.
Software-related hazards are normally concerned with failure to deliver a system
service, or with the failure of monitoring and protection systems. Monitoring and
protection systems are included in a device to detect conditions, such as low battery
levels, which could lead to device failure.
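To make the distinction between a service hazard and a monitoring/protection hazard concrete, the following is an added example, not code from the book or from any real pump: a simplified dose computation (the service) wrapped by a protection layer that checks the conditions listed above before any insulin is delivered. The dose algorithm, the dose limits, the battery threshold, and the sensor range are all assumed, illustrative values, not clinical ones.

```python
from dataclasses import dataclass, field

# Assumed safety limits (illustrative only, not clinical values).
MAX_SINGLE_DOSE = 4          # units of insulin per delivery
MAX_DAILY_DOSE = 25          # units of insulin per day
LOW_BATTERY_PERCENT = 10.0   # below this, delivery is inhibited and an alarm raised
SENSOR_MIN, SENSOR_MAX = 20.0, 600.0   # plausible blood-sugar readings (mg/dL, assumed)


@dataclass
class PumpState:
    """Snapshot of the inputs the control software sees on one cycle."""
    battery_percent: float
    readings: list            # last three blood-sugar readings r0, r1, r2 (oldest first)
    cumulative_dose_today: int = 0
    hazards: list = field(default_factory=list)   # hazard conditions detected this cycle


def compute_dose(readings):
    """Service computation: a simplified trend-based dose (assumed algorithm).

    Only the upward trend in blood sugar earns a dose; a falling or decelerating
    trend gives no insulin. An error here is the 'overdose/underdose computation'
    service-failure hazard from the hazard list.
    """
    r0, r1, r2 = readings
    if r2 <= r1:                      # sugar stable or falling: no insulin
        return 0
    if (r2 - r1) < (r1 - r0):         # rising, but rate of increase is slowing
        return 0
    return max(1, round((r2 - r1) / 4))


def protection_check(state):
    """Monitoring/protection layer: detect conditions that could lead to device failure.

    Each detected condition is tagged with the hazard class used in the text.
    """
    found = []
    if state.battery_percent < LOW_BATTERY_PERCENT:
        found.append("electrical: low battery, inhibit delivery and alarm")
    if len(state.readings) != 3:
        found.append("service failure: hardware monitoring did not supply three readings")
    for r in state.readings:
        if not (SENSOR_MIN <= r <= SENSOR_MAX):
            found.append("physical: sensor reading out of range, possible poor sensor contact")
            break
    return found


def safe_dose(state):
    """Compute the dose to deliver, applying protection checks and dose limits.

    Returns (dose, hazards). A non-empty hazard list means the cycle was not a
    normal delivery; the caller would log it and raise the appropriate alarm.
    """
    state.hazards = protection_check(state)
    if state.hazards:
        return 0, state.hazards         # protection takes precedence over the service

    dose = compute_dose(state.readings)
    if dose > MAX_SINGLE_DOSE:          # guards the overdose-computation hazard
        state.hazards.append("service failure: computed dose exceeded single-dose limit, clamped")
        dose = MAX_SINGLE_DOSE
    if state.cumulative_dose_today + dose > MAX_DAILY_DOSE:
        state.hazards.append("service failure: daily dose limit reached, clamped")
        dose = max(0, MAX_DAILY_DOSE - state.cumulative_dose_today)
    return dose, state.hazards


if __name__ == "__main__":
    # Constructed sample cycles, not recorded device data.
    for st in (PumpState(80.0, [100, 110, 130]),          # rising fast: dose clamped to 4
               PumpState(5.0, [100, 110, 130]),           # low battery: no delivery
               PumpState(80.0, [100, 110, 700]),          # bad sensor contact: no delivery
               PumpState(80.0, [100, 110, 122], 23)):     # near daily limit: clamped to 2
        print(safe_dose(st))
```

The ordering in `safe_dose` is the point: the protection checks run first and unconditionally inhibit delivery, so a failure of the service computation cannot be reached while the device is already in a known-hazardous state, and every clamp or inhibit leaves a record in `state.hazards` for the hazard log.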
12.2.2 Hazard assessment
The hazard assessment process focuses on understanding the probability that a haz-
ard will occur and the consequences if an accident or incident associated with that
hazard should occur. You need to make this analysis to understand whether a hazard