12.2 Safety specification 319
because the sensor that provides an input to calculate the sugar level has failed or because the calculation of the blood sugar level has been carried out incorrectly. The sugar level is calculated from some measured parameter, such as the conductivity of the skin. Incorrect computation can result from either an incorrect algorithm or an arithmetic error that results from the use of floating point numbers.
3. The central branch of the tree is concerned with timing problems and concludes that these can only result from system timer failure.
4. The right branch of the tree, concerned with delivery system failure, examines possible causes of this failure. These could result from an incorrect computation of the insulin requirement, or from a failure to send the correct signals to the pump that delivers the insulin. Again, an incorrect computation can result from algorithm failure or arithmetic errors.
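The branches described above can be written down as an executable fault tree. The following is an added example, not code from the textbook: it models the tree with OR and AND gates, evaluates whether the top event occurs for a given set of basic-event failures, and enumerates the minimal cut sets (the smallest combinations of basic events sufficient for the top event). The event names, the top-event name "incorrect insulin dose administered", and the extra AND gate that combines the hazard with a failed self-check (anticipating the protection-system idea in the risk reduction discussion) are assumptions made for illustration.

```python
"""Added example: a small fault-tree model of the insulin pump hazard tree
discussed in the text, with evaluation and minimal cut set computation.
Event and gate names are assumed for illustration; they are not the book's."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    """Basic (leaf) event of the fault tree, e.g. a sensor failure."""
    name: str


@dataclass(frozen=True)
class Gate:
    """OR gate: any input causes the output. AND gate: all inputs are needed."""
    kind: str      # "OR" or "AND"
    name: str
    inputs: tuple  # tuple of Event or Gate


def occurs(node, failed):
    """True if `node` occurs given the set of basic-event names in `failed`."""
    if isinstance(node, Event):
        return node.name in failed
    results = [occurs(child, failed) for child in node.inputs]
    return any(results) if node.kind == "OR" else all(results)


def basic_events(node):
    """All basic-event names below `node`."""
    if isinstance(node, Event):
        return {node.name}
    names = set()
    for child in node.inputs:
        names |= basic_events(child)
    return names


def minimal_cut_sets(tree):
    """Brute-force minimal cut sets: the smallest sets of basic events that are
    sufficient for the top event. Adequate for trees with a dozen leaves."""
    events = sorted(basic_events(tree))
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue  # a smaller subset already causes the top event
            if occurs(tree, candidate):
                cuts.append(candidate)
    return cuts


# Hazard tree following the three branches described in the text (all OR gates).
SUGAR_COMPUTATION = Gate("OR", "incorrect sugar level computation",
                         (Event("sugar algorithm error"), Event("sugar arithmetic error")))
INCORRECT_SUGAR = Gate("OR", "incorrect sugar level measured",
                       (Event("sensor failure"), SUGAR_COMPUTATION))
TIMING_FAILURE = Gate("OR", "timing failure", (Event("timer failure"),))
DOSE_COMPUTATION = Gate("OR", "incorrect insulin requirement computation",
                        (Event("dose algorithm error"), Event("dose arithmetic error")))
DELIVERY_FAILURE = Gate("OR", "delivery system failure",
                        (DOSE_COMPUTATION, Event("pump signal failure")))
INCORRECT_DOSE = Gate("OR", "incorrect insulin dose administered",
                      (INCORRECT_SUGAR, TIMING_FAILURE, DELIVERY_FAILURE))

# Assumed extension: the patient is only harmed if the hazard occurs AND the
# independent self-check / protection system fails to detect it.
PATIENT_HARMED = Gate("AND", "patient harmed",
                      (INCORRECT_DOSE, Event("self-check fails to detect")))

if __name__ == "__main__":
    print("Minimal cut sets for:", PATIENT_HARMED.name)
    for cut in minimal_cut_sets(PATIENT_HARMED):
        print("  ", sorted(cut))
```

Because the hazard tree itself contains only OR gates, every single basic event is a minimal cut set of `INCORRECT_DOSE`; adding the independent self-check turns each of them into a two-event cut set, which is the quantitative reason a backup protection system reduces risk.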
Fault trees are also used to identify potential hardware problems. Hardware fault trees may provide insights into requirements for software to detect and, perhaps, correct these problems. For example, insulin doses are not administered at a very high frequency, no more than two or three times per hour and sometimes less often than this. Therefore, processor capacity is available to run diagnostic and self-checking programs. Hardware errors such as sensor, pump, or timer errors can be discovered and warnings issued before they have a serious effect on the patient.
12.2.4 Risk reduction
Once potential risks and their root causes have been identified, you are then able to derive safety requirements that manage the risks and ensure that incidents or accidents do not occur. There are three possible strategies that you can use:
1. Hazard avoidance The system is designed so that the hazard cannot occur.
2. Hazard detection and removal The system is designed so that hazards are detected and neutralized before they result in an accident.
3. Damage limitation The system is designed so that the consequences of an accident are minimized.
Normally, designers of critical systems use a combination of these approaches. In a safety-critical system, intolerable hazards may be handled by minimizing their probability and adding a protection system that provides a safety backup. For example, in a chemical plant control system, the system will attempt to detect and avoid excess pressure in the reactor. However, there may also be an independent protection system that monitors the pressure and opens a relief valve if high pressure is detected.
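The three strategies, and the self-checking programs mentioned earlier, can be seen together in a single control loop. The following is an added example and not the textbook's or any real pump's code: a simplified insulin controller in which the dose arithmetic is done in integer tenths of a unit (avoiding the floating-point errors the fault tree lists), a diagnostic self-check moves the pump to a no-insulin safe state on a sensor, timer, or pump fault (hazard detection and removal), the pump interface clamps every command to a single-dose limit (hazard avoidance), and a daily cumulative limit bounds the harm from a run of wrong doses (damage limitation). The limits, the threshold, and the dose formula are assumed values chosen for illustration only.

```python
"""Added example: one control cycle of a simplified insulin pump controller
showing hazard avoidance, hazard detection and removal, and damage limitation.
All limits and the dose formula are assumed, illustrative values."""
from dataclasses import dataclass, field

# Assumed limits in tenths of a unit of insulin, so all arithmetic is integer.
MAX_SINGLE_DOSE = 40   # 4.0 units per delivery (assumed)
MAX_DAILY_DOSE = 250   # 25.0 units per day (assumed)
NORMAL_SUGAR = 60      # assumed threshold; above it, insulin is required


@dataclass
class HardwareStatus:
    """Outcome of the diagnostic self-check run in spare processor time."""
    sensor_ok: bool = True
    timer_ok: bool = True
    pump_ok: bool = True


@dataclass
class PumpController:
    delivered_today: int = 0
    shut_down: bool = False
    warnings: list = field(default_factory=list)

    def enter_safe_state(self, reason):
        """Safe state: shutdown, no insulin is injected, and a warning is issued."""
        self.shut_down = True
        self.warnings.append(reason)

    def self_check(self, status):
        """Hazard detection and removal: a sensor, timer or pump fault is
        discovered and the pump neutralised before a wrong dose can be delivered."""
        checks = (("sensor", status.sensor_ok),
                  ("timer", status.timer_ok),
                  ("pump", status.pump_ok))
        faults = [name for name, ok in checks if not ok]
        if faults:
            self.enter_safe_state("hardware fault: " + ", ".join(faults))
        return faults

    def compute_dose(self, sugar_level):
        """Assumed, illustrative dose calculation using integer arithmetic only."""
        if sugar_level <= NORMAL_SUGAR:
            return 0
        return (sugar_level - NORMAL_SUGAR) // 2

    def cycle(self, sugar_level, status):
        """One control cycle. Returns the dose actually sent to the pump."""
        if self.shut_down or self.self_check(status):
            return 0
        requested = self.compute_dose(sugar_level)
        # Hazard avoidance: the pump interface cannot be commanded beyond the
        # single-dose limit, whatever the computation above produced.
        dose = min(requested, MAX_SINGLE_DOSE)
        # Damage limitation: the cumulative daily dose is capped, so even a
        # sequence of over-estimates cannot exceed MAX_DAILY_DOSE in total.
        remaining = MAX_DAILY_DOSE - self.delivered_today
        if dose > remaining:
            dose = remaining
            self.enter_safe_state("daily dose limit reached")
        self.delivered_today += dose
        return dose


if __name__ == "__main__":
    controller = PumpController()
    healthy = HardwareStatus()
    for reading in (50, 70, 300):
        print("sugar", reading, "-> dose", controller.cycle(reading, healthy))
    print("warnings:", controller.warnings)
```

Note that the clamps sit at the point where the command leaves the controller, not inside the dose calculation: an algorithm or arithmetic fault in `compute_dose` is exactly the branch of the fault tree that the limits are meant to contain, so they must not share its code path.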
In the insulin delivery system, a ‘safe state’ is a shutdown state where no insulin is injected. Over a short period this is not a threat to the diabetic’s health. For the