318 Chapter 12 Dependability and security specification
Figure 12.4 An example of a fault tree (the diagram, reconstructed as an indented tree; every gate in it is an OR gate):

Incorrect insulin dose administered
  or
  +-- Incorrect sugar level measured
  |     or
  |     +-- Sensor failure
  |     +-- Sugar computation error
  |           or
  |           +-- Algorithm error
  |           +-- Arithmetic error
  +-- Correct dose delivered at wrong time
  |     or
  |     +-- Timer failure
  |     +-- Insulin computation incorrect
  |           or
  |           +-- Algorithm error
  |           +-- Arithmetic error
  +-- Delivery system failure
        +-- Pump signals incorrect
merged insulin underdose and insulin overdose into a single hazard, namely ‘incorrect
insulin dose administered.’ This reduces the number of fault trees that are required. Of
course, when you specify how the software should react to this hazard, you have to dis-
tinguish between an insulin underdose and an insulin overdose. As I have said, they are
not equally serious—in the short term, an overdose is the more serious hazard.
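The following is an added worked example, not code from the book: it encodes the fault tree of Figure 12.4 as OR/AND gates over basic events and does the two things an analyst normally wants from such a tree, namely enumerating the minimal cut sets (the smallest combinations of root causes that produce the top hazard) and estimating the hazard probability from per-event probabilities. The per-event probabilities, the "Sugar"/"Insulin" prefixes on the algorithm and arithmetic errors, and the class and function names are all assumptions for illustration; the tree structure is the one in the figure. Because every gate in Figure 12.4 is an OR gate, each of the seven leaf events is a single-point cause of the hazard, which is exactly what the cut-set listing shows. The AND-gate support goes beyond the figure and is there so the same code can analyse a tree with redundancy.

```python
"""Fault-tree analysis of the insulin-pump hazard in Figure 12.4 (added example)."""
from itertools import product


class Basic:
    """A basic (leaf) event: a root cause with an assumed failure probability."""

    def __init__(self, name, p):
        self.name, self.p = name, p


class Gate:
    """An intermediate event produced by an OR or AND gate over its inputs."""

    def __init__(self, name, kind, inputs):
        if kind not in ("OR", "AND"):
            raise ValueError("gate kind must be OR or AND")
        self.name, self.kind, self.inputs = name, kind, list(inputs)


def occurs(node, failed):
    """True if `node` occurs given the set of basic-event names in `failed`."""
    if isinstance(node, Basic):
        return node.name in failed
    results = [occurs(i, failed) for i in node.inputs]
    return any(results) if node.kind == "OR" else all(results)


def probability(node):
    """Probability of `node`, assuming the basic events are independent."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":          # all inputs must occur
        out = 1.0
        for p in ps:
            out *= p
        return out
    out = 1.0                       # OR: 1 - P(no input occurs)
    for p in ps:
        out *= 1.0 - p
    return 1.0 - out


def minimal_cut_sets(node):
    """Minimal sets of basic events whose joint occurrence causes `node`.

    OR gates take the union of their inputs' cut sets; AND gates combine one
    cut set from each input. Non-minimal supersets are then discarded.
    """
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    else:
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = []
    for cs in sorted(set(candidates), key=lambda s: (len(s), sorted(s))):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def figure_12_4():
    """The fault tree of Figure 12.4. Probabilities are assumed, not from the book."""

    def computation_error(prefix, p_alg, p_arith):
        return Gate(prefix + " computation incorrect", "OR",
                    [Basic(prefix + " algorithm error", p_alg),
                     Basic(prefix + " arithmetic error", p_arith)])

    wrong_level = Gate("Incorrect sugar level measured", "OR",
                       [Basic("Sensor failure", 1e-4),
                        computation_error("Sugar", 1e-5, 1e-6)])
    wrong_time = Gate("Correct dose delivered at wrong time", "OR",
                      [Basic("Timer failure", 1e-5),
                       computation_error("Insulin", 1e-5, 1e-6)])
    delivery = Gate("Delivery system failure", "OR",
                    [Basic("Pump signals incorrect", 1e-5)])
    return Gate("Incorrect insulin dose administered", "OR",
                [wrong_level, wrong_time, delivery])


if __name__ == "__main__":
    tree = figure_12_4()
    print(tree.name, "occurs with probability about %.3g" % probability(tree))
    for cs in minimal_cut_sets(tree):
        print("  single-point cause:" if len(cs) == 1 else "  joint cause:", sorted(cs))
```

Running the script lists seven one-element cut sets, one per leaf of Figure 12.4: with only OR gates, no single root cause is tolerated, so each leaf is a candidate for a derived safety requirement (a plausibility check on the sensor reading, a watchdog on the timer, and so on). If a branch is changed to an AND gate, for example two independent sensors that must both fail, the corresponding cut set grows to two events and its probability becomes the product of the two, which is how the tree is used to compare candidate designs.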
From Figure 12.4, you can see that:
1. There are three conditions that could lead to the administration of an incorrect
dose of insulin. The level of blood sugar may have been incorrectly measured so
the insulin requirement has been computed with an incorrect input. The delivery
system may not respond correctly to commands specifying the amount of
insulin to be injected. Alternatively, the dose may be correctly computed but it is
delivered too early or too late.
2. The left branch of the fault tree, concerned with incorrect measurement of the
blood sugar level, looks at how this might happen. This could occur either