320 Chapter 12 Dependability and security specification
SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user.
SR2: The system shall not deliver a daily cumulative dose of insulin that is greater than a specified maximum daily dose for a system user.
SR3: The system shall include a hardware diagnostic facility that shall be executed at least four times per hour.
SR4: The system shall include an exception handler for all of the exceptions that are identified in Table 3.
SR5: The audible alarm shall be sounded when any hardware or software anomaly is discovered and a diagnostic message, as defined in Table 4, shall be displayed.
SR6: In the event of an alarm, insulin delivery shall be suspended until the user has reset the system and cleared the alarm.

Figure 12.5 Examples of safety requirements

software failures that could lead to an incorrect dose of insulin are considered, the following ‘solutions’ might be developed:
1. Arithmetic error This may occur when an arithmetic computation causes a representation failure (for example, an integer overflow or a division by zero). The specification should identify all possible arithmetic errors that may occur and state that an exception handler must be included for each possible error. The specification should set out the action to be taken for each of these errors. The default safe action is to shut down the delivery system and activate a warning alarm.
2. Algorithmic error This is a more difficult situation as there is no clear program
exception that must be handled. This type of error could be detected by comparing
the required insulin dose computed with the previously delivered dose. If it is much
higher, this may mean that the amount has been computed incorrectly. The system
may also keep track of the dose sequence. After a number of above-average doses
have been delivered, a warning may be issued and further dosage limited.
Some of the resulting safety requirements for the insulin pump software are
shown in Figure 12.5. These are user requirements and, naturally, they would be
expressed in more detail in the system requirements specification. In Figure 12.5, the
references to Tables 3 and 4 relate to tables that are included in the requirements
document—they are not shown here.
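The two ‘solutions’ above and the requirements in Figure 12.5 can be made concrete in pump firmware. The following C is an added example written for this page, not code from the book or from any real insulin pump. It assumes illustrative limits (4.0 U per delivery for SR1, 25.0 U per day for SR2, a dose more than three times the previous one treated as implausible, and three consecutive above-average doses as the point at which dosage is limited), a simple proportional dose rule, and GCC/Clang overflow builtins for the arithmetic-error check; the diagnostic strings stand in for the book's Table 4, which is not shown. Doses are held in tenths of a unit so that no floating point is needed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative limits assumed for this example (tenths of an insulin unit). */
#define MAX_SINGLE_DOSE       40  /* SR1: 4.0 U per delivery */
#define MAX_DAILY_DOSE       250  /* SR2: 25.0 U per day */
#define PLAUSIBILITY_FACTOR    3  /* algorithmic check: reject a dose > 3x the previous one */
#define ABOVE_AVERAGE_LIMIT    3  /* limit dosage after this many consecutive above-average doses */

typedef enum {
    PUMP_OK = 0,
    PUMP_WARNING_LIMITED,     /* sequence check tripped: dose capped, delivery continues */
    PUMP_ALARM_ARITHMETIC,    /* representation failure during dose computation */
    PUMP_ALARM_SINGLE_DOSE,   /* SR1 violated */
    PUMP_ALARM_DAILY_DOSE,    /* SR2 violated */
    PUMP_ALARM_ALGORITHMIC,   /* computed dose implausible against the last delivered dose */
    PUMP_ALARM_SUSPENDED      /* SR6: an alarm is pending, delivery refused until reset */
} pump_status;

typedef struct {
    int32_t delivered_today;  /* cumulative tenths delivered since the daily reset (SR2) */
    int32_t last_dose;        /* previously delivered dose (algorithmic check) */
    int64_t running_total;    /* sum of all delivered doses, for the running average */
    int32_t dose_count;
    int32_t above_avg_run;    /* consecutive doses above the running average */
    bool alarm_pending;       /* SR6: set by any alarm, cleared only by pump_reset_alarm */
} pump_state;

/* Default safe action: stop delivery and leave the alarm pending (SR5/SR6). */
static pump_status pump_raise(pump_state *s, pump_status why)
{
    s->alarm_pending = true;
    return why;
}

/* Dose computation with explicit detection of representation failures. The proportional
 * rule (excess glucose * gain / 100) is an assumption of this example; the overflow checks
 * are GCC/Clang builtins. An overflow becomes an alarm instead of a silently wrapped dose. */
pump_status pump_compute_dose(int32_t glucose, int32_t target, int32_t gain, int32_t *dose)
{
    int32_t excess, product;
    *dose = 0;
    if (__builtin_sub_overflow(glucose, target, &excess))
        return PUMP_ALARM_ARITHMETIC;
    if (excess <= 0)
        return PUMP_OK;                                   /* at or below target: nothing to deliver */
    if (__builtin_mul_overflow(excess, gain, &product))
        return PUMP_ALARM_ARITHMETIC;
    *dose = product / 100;
    return PUMP_OK;
}

/* Apply SR1, SR2, SR6 and the two algorithmic checks before releasing insulin.
 * *delivered receives the amount actually delivered (0 on any alarm). */
pump_status pump_deliver(pump_state *s, int32_t dose, int32_t *delivered)
{
    pump_status status = PUMP_OK;
    *delivered = 0;
    if (s->alarm_pending)
        return PUMP_ALARM_SUSPENDED;                       /* SR6 */
    if (dose < 0)
        return pump_raise(s, PUMP_ALARM_ALGORITHMIC);      /* only a computation defect gives a negative dose */
    if (dose > MAX_SINGLE_DOSE)
        return pump_raise(s, PUMP_ALARM_SINGLE_DOSE);      /* SR1 */
    if (dose > MAX_DAILY_DOSE - s->delivered_today)
        return pump_raise(s, PUMP_ALARM_DAILY_DOSE);       /* SR2, written so the sum cannot overflow */
    if (s->dose_count > 0 && s->last_dose > 0 && dose > PLAUSIBILITY_FACTOR * s->last_dose)
        return pump_raise(s, PUMP_ALARM_ALGORITHMIC);      /* "much higher" than the previous dose */

    /* Sequence tracking: consecutive doses above the running average. Comparing
     * dose * count > total avoids dividing and so never rounds the average. */
    if (s->dose_count > 0 && (int64_t)dose * s->dose_count > s->running_total)
        s->above_avg_run++;
    else
        s->above_avg_run = 0;
    if (s->above_avg_run >= ABOVE_AVERAGE_LIMIT) {
        dose = (int32_t)(s->running_total / s->dose_count);  /* cap at the running average */
        status = PUMP_WARNING_LIMITED;
    }

    s->delivered_today += dose;
    s->running_total += dose;
    s->dose_count++;
    s->last_dose = dose;
    *delivered = dose;
    return status;
}

/* SR6: the user must reset the system before delivery resumes. */
void pump_reset_alarm(pump_state *s) { s->alarm_pending = false; }

/* Diagnostic message per status (SR5); placeholders for the book's Table 4. */
const char *pump_message(pump_status st)
{
    switch (st) {
    case PUMP_OK:                return "ok";
    case PUMP_WARNING_LIMITED:   return "WARNING: repeated above-average doses, dose limited";
    case PUMP_ALARM_ARITHMETIC:  return "ALARM: arithmetic error in dose computation";
    case PUMP_ALARM_SINGLE_DOSE: return "ALARM: single dose exceeds maximum";
    case PUMP_ALARM_DAILY_DOSE:  return "ALARM: daily cumulative dose exceeds maximum";
    case PUMP_ALARM_ALGORITHMIC: return "ALARM: computed dose implausible";
    case PUMP_ALARM_SUSPENDED:   return "ALARM pending: delivery suspended until reset";
    }
    return "unknown";
}

int main(void)
{
    pump_state s = {0};
    int32_t dose, given;
    const int32_t glucose[] = { 150, 160, 300 };  /* constructed readings: two sensible, then a jump */
    for (int i = 0; i < 3; i++) {
        pump_status st = pump_compute_dose(glucose[i], 100, 20, &dose);
        if (st == PUMP_OK)
            st = pump_deliver(&s, dose, &given);
        printf("reading %d -> dose %d, delivered %d: %s\n", glucose[i], dose, given, pump_message(st));
    }
    return 0;
}
```

In the scenario in main, the third reading computes a dose of 40 tenths, which is within SR1 but more than three times the previous delivered dose, so it is refused by the algorithmic check rather than by the single-dose limit; that is the case the text describes as having no program exception to catch. SR3 (the periodic hardware diagnostic) is not modelled, since it belongs in the scheduler rather than in the dose path, and the plausibility factor and run length here are placeholders: in a real specification those thresholds would come from clinical limits, not from this example.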
12.3 Reliability specification
As I discussed in Chapter 10, the overall reliability of a system depends on the hardware reliability, the software reliability, and the reliability of the system operators. The system software has to take this into account. As well as including requirements