SlideShare a Scribd company logo

Dependability and Security Specification Overview

Ian Sommerville
Ian Sommerville

Discusses how safety requirements should be derived from a hazard analysis.

TechnologyBusiness
1 of 30
Download to read offline
Dependability and Security Specification Lecture 1 Dependability and Security Specification, CSE course, 2011 Slide 1
Topics covered • Risk-driven specification • Safety specification • Security specification • Software reliability specification Dependability and Security Specification, CSE course, 2011 Slide 2
Dependability requirements • Functional requirements to define error checking and recovery facilities and protection against system failures. • Non-functional requirements defining the required reliability and availability of the system. • Excluding requirements that define states and conditions that must not arise. Dependability and Security Specification, CSE course, 2011 Slide 3
Risk-driven specification • Critical systems specification should be risk-driven as risks pose a threat to the system. • This approach has been widely used in safety and security- critical systems. • The aim of the specification process should be to understand the risks (safety, security, etc.) faced by the system and to define requirements that reduce these Dependability and Security Specification, CSE course, 2011 Slide 4 risks.
Phased risk analysis • Preliminary risk analysis – Identifies risks from the systems environment. Aim is to develop an initial set of system security and dependability requirements. • Life cycle risk analysis – Identifies risks that emerge during design and development e.g. risks that are associated with the technologies used for system construction. Requirements are extended to protect against these risks. • Operational risk analysis – Risks associated with the system user interface and operator errors. Further protection requirements may be added to cope with these. Dependability and Security Specification, CSE course, 2011 Slide 5
Risk-driven specification Dependability and Security Specification, CSE course, 2011 Slide 6
Stages of risk-based analysis • Risk identification – Identify potential risks that may arise. • Risk analysis and classification – Assess the seriousness of each risk. • Risk decomposition – Decompose risks to discover their potential root causes. • Risk reduction assessment – Define how each risk must be taken into eliminated or reduced when the system is designed. Dependability and Security Specification, CSE course, 2011 Slide 7
Safety specification • Identify protection requirements that ensure that system failures do not cause injury or death or environmental damage. • Risk identification = Hazard identification • Risk analysis = Hazard assessment • Risk decomposition = Hazard analysis • Risk reduction = safety requirements specification Dependability and Security Specification, CSE course, 2011 Slide 8
Hazard identification • Identify the hazards that may threaten the system. • Hazard identification may be based on different types of hazard: – Physical hazards – Electrical hazards – Biological hazards – Service failure hazards – Etc. Dependability and Security Specification, CSE course, 2011 Slide 9
A software-controlled insulin pump • Safety-critical embedded system. Failure can lead to injury or death of the system user. • Used by diabetics to simulate the function of the pancreas which manufactures insulin, an essential hormone that metabolises blood glucose. • Measures blood glucose (sugar) using a micro- sensor and computes the insulin dose required to metabolise the glucose. • The system software, is embedded control software for the sensing and insulin delivery functions. Dependability and Security Specification, CSE course, 2011 Slide 10
Dependability and Security Specification, CSE course, 2011 Slide 11
Insulin pump organisation Insulin reservoir Needle Pump Clock assembly Sensor Controller Alarm Display1 Display2 Power supply Dependability and Security Specification, CSE course, 2011 Slide 12
Insulin pump data-flow Blood Blood parameters Blood sugar Blood sugar Blood sugar sensor analysis level Insulin requirement computation Pump control Insulin commands Insulin Insulin Insulin delivery requirement pump controller Dependability and Security Specification, CSE course, 2011 Slide 13
Dependability requirements • The system shall be available to deliver insulin when required to do so. • The system shall perform reliability and deliver the correct amount of insulin to counteract the current level of blood sugar. • The essential safety requirement is that excessive doses of insulin should never be delivered as this is potentially life threatening. Dependability and Security Specification, CSE course, 2011 Slide 14
Insulin pump risks • Insulin overdose (service failure). • Insulin underdose (service failure). • Power failure due to exhausted battery (electrical). • Electrical interference with other medical equipment (electrical). • Poor sensor and actuator contact (physical). • Parts of machine break off in body (physical). • Infection caused by introduction of machine (biological). • Allergic reaction to materials or insulin (biological). Dependability and Security Specification, CSE course, 2011 Slide 15
The risk triangle Dependability and Security Specification, CSE course, 2011 Slide 16
Hazard assessment • What is the the likelihood that a risk will arise and what are the potential consequences if an accident or incident should occur? • Risks are categorised as: – Intolerable Must never arise or result in an accident – As low as reasonably practical (ALARP) Must minimise the possibility of risk given cost and schedule constraints – Acceptable The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability Dependability and Security Specification, CSE course, 2011 Slide 17
Social acceptability of safety-related risks • In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk – For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable. • Risk assessment is subjective – Risks are identified as probable, unlikely, etc. This Dependability and Security Specification, CSE course, 2011 depends on who is making18Slide
Hazard assessment • Estimate the hazard probability and the hazard severity. • It is not normally possible to do this precisely so relative values are used such as ‘unlikely’, ‘rare’, ‘very high’, etc. • The aim is to make sure that the system can handle hazards that are likely to arise or that have high severity. Dependability and Security Specification, CSE course, 2011 Slide 19
Risk classification for the insulin pump Identified Hazard Accident Estimated risk Acceptability hazard probability severity 1.Insulin Medium High High Intolerable overdose computation 2. Insulin Medium Low Low Acceptable underdose computation 3. Failure of Medium Medium Low ALARP hardware monitoring system 4. Power failure High Low Low Acceptable Dependability and Security Specification, CSE course, 2011 Slide 20
Risk classification for the insulin pump Identified Hazard Accident Estimated risk Acceptability hazard probability severity 5. Machine High High High Intolerable incorrectly fitted 6. Machine Low High Medium ALARP breaks in patient 7. Machine Medium Medium Medium ALARP causes infection 8. Electrical Low High Medium ALARP interference 9. Allergic Low Low Low Acceptable reaction Dependability and Security Specification, CSE course, 2011 Slide 21
Hazard analysis • Concerned with discovering the root causes of risks in a particular system. • Techniques have been mostly derived from safety-critical systems and can be – Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure; – Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be. Dependability and Security Specification, CSE course, 2011 Slide 22
Fault-tree analysis • Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard. • Where appropriate, link these with ‘and’ or ‘or’ conditions. NO SINGLE POINT OF FAILURE The key goal should be to minimise the number of single causes of system failure. Dependability and Security Specification, CSE course, 2011 Slide 23
Dependability and Security Specification, CSE course, 2011 Slide 24
Fault tree analysis • Three possible conditions that can lead to delivery of incorrect dose of insulin – Incorrect measurement of blood sugar level – Failure of delivery system – Dose delivered at wrong time • By analysis of the fault tree, root causes of these hazards related to software are: – Algorithm error – Arithmetic error Dependability and Security Specification, CSE course, 2011 Slide 25
Risk reduction • The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise. • Risk reduction strategies – Risk avoidance; – Risk detection and removal; – Damage limitation. Dependability and Security Specification, CSE course, 2011 Slide 26
Strategy use • Normally, in critical systems, a mix of risk reduction strategies are used. • In a chemical plant control system, the system will include sensors to detect and correct excess pressure in the reactor. • However, it will also include an independent protection system that opens a relief valve if dangerously high pressure is detected. Dependability and Security Specification, CSE course, 2011 Slide 27
Insulin pump - software risks • Arithmetic error – A computation causes the value of a variable to overflow or underflow; – Maybe include an exception handler for each type of arithmetic error. • Algorithmic error – Compare dose to be delivered with previous dose or safe maximum doses. Reduce dose if too high. Dependability and Security Specification, CSE course, 2011 Slide 28
Examples of safety requirements SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user. SR2: The system shall not deliver a daily cumulative dose of insulin that is greater than a specified maximum daily dose for a system user. SR3: The system shall include a hardware diagnostic facility that shall be executed at least four times per hour. SR4: The system shall include an exception handler for all of the exceptions that are identified in Table 3. SR5: The audible alarm shall be sounded when any hardware or software anomaly is discovered and a diagnostic message, as defined in Table 4, shall be displayed. SR6: In the event of an alarm, insulin delivery shall be suspended until the user has reset the system and cleared the alarm. Dependability and Security Specification, CSE course, 2011 Slide 29
Key points • Risk analysis is an important activity in the specification of security and dependability requirements. It involves identifying risks that can result in accidents or incidents. • A hazard-driven approach may be used to understand the safety requirements for a system. You identify potential hazards and decompose these (using methods such as fault tree analysis) to discover their root causes. • Safety requirements should be included to ensure that hazards and accidents do not arise or, if this is impossible, to limit the damage caused by system Dependability and Security Specification, CSE course, 2011 Slide 30 failure.

Recommended

Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...IJNSA Journal
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systemsRaghav S
 
4 pillers of iot
4 pillers of iot4 pillers of iot
4 pillers of iotShilpaKrishna6
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 

Recommended

Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...
ANALYSIS OF MACHINE LEARNING ALGORITHMS WITH FEATURE SELECTION FOR INTRUSION ...IJNSA Journal
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Securityamiable_indian
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systemsRaghav S
 
4 pillers of iot
4 pillers of iot4 pillers of iot
4 pillers of iotShilpaKrishna6
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 
Security issues and solutions : IoT
Security issues and solutions : IoTSecurity issues and solutions : IoT
Security issues and solutions : IoTJinia Bhowmik
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
formal verification
formal verificationformal verification
formal verificationToseef Aslam
 
The cloud ecosystem
The cloud ecosystemThe cloud ecosystem
The cloud ecosystemBHASKAR CHAUDHURY
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network DesignConferencias FIST
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Zigbee Presentation
Zigbee PresentationZigbee Presentation
Zigbee PresentationMaathu Michael
 
Software Engineering - Ch2
Software Engineering - Ch2Software Engineering - Ch2
Software Engineering - Ch2Siddharth Ayer
 
Cloud computing and service models
Cloud computing and service modelsCloud computing and service models
Cloud computing and service modelsPrateek Soni
 
A Reference Architecture for IoT
A Reference Architecture for IoT A Reference Architecture for IoT
A Reference Architecture for IoT WSO2
 
Unit1
Unit1Unit1
Unit1anuragmbst
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
Software resuse
Software resuseSoftware resuse
Software resuseIndu Sharma Bhardwaj
 
project Report on LAN Security Manager
project Report on LAN Security Managerproject Report on LAN Security Manager
project Report on LAN Security ManagerShahrikh Khan
 
Black Box Testing
Black Box TestingBlack Box Testing
Black Box TestingTestbytes
 
Generic Software Process Models
Generic Software Process ModelsGeneric Software Process Models
Generic Software Process ModelsEducation Front
 
Command center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case StudyCommand center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case StudyKuppusamy P
 
Software Reuse
Software ReuseSoftware Reuse
Software Reuseprince mukherjee
 
SDLC Models
SDLC ModelsSDLC Models
SDLC Modelsakash250690
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access controlElimity
 
Process Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and ProcessesProcess Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and ProcessesMd Rahaman
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Ian Sommerville
 

More Related Content

What's hot

The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
formal verification
formal verificationformal verification
formal verificationToseef Aslam
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Software Engineering - Ch2
Software Engineering - Ch2Software Engineering - Ch2
Software Engineering - Ch2Siddharth Ayer
 
Cloud computing and service models
Cloud computing and service modelsCloud computing and service models
Cloud computing and service modelsPrateek Soni
 
A Reference Architecture for IoT
A Reference Architecture for IoT A Reference Architecture for IoT
A Reference Architecture for IoT WSO2
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
project Report on LAN Security Manager
project Report on LAN Security Managerproject Report on LAN Security Manager
project Report on LAN Security ManagerShahrikh Khan
 
Black Box Testing
Black Box TestingBlack Box Testing
Black Box TestingTestbytes
 
Generic Software Process Models
Generic Software Process ModelsGeneric Software Process Models
Generic Software Process ModelsEducation Front
 
Command center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case StudyCommand center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case StudyKuppusamy P
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access controlElimity
 

What's hot (20)

The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptx
 
formal verification
formal verificationformal verification
formal verification
 
The cloud ecosystem
The cloud ecosystemThe cloud ecosystem
The cloud ecosystem
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security
 
Secure Network Design
Secure Network DesignSecure Network Design
Secure Network Design
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
Zigbee Presentation
Zigbee PresentationZigbee Presentation
Zigbee Presentation
 
Software Engineering - Ch2
Software Engineering - Ch2Software Engineering - Ch2
Software Engineering - Ch2
 
Cloud computing and service models
Cloud computing and service modelsCloud computing and service models
Cloud computing and service models
 
A Reference Architecture for IoT
A Reference Architecture for IoT A Reference Architecture for IoT
A Reference Architecture for IoT
 
Unit1
Unit1Unit1
Unit1
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
 
Software resuse
Software resuseSoftware resuse
Software resuse
 
project Report on LAN Security Manager
project Report on LAN Security Managerproject Report on LAN Security Manager
project Report on LAN Security Manager
 
Black Box Testing
Black Box TestingBlack Box Testing
Black Box Testing
 
Generic Software Process Models
Generic Software Process ModelsGeneric Software Process Models
Generic Software Process Models
 
Command center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case StudyCommand center processing and display system replacement (ccpds-r) - Case Study
Command center processing and display system replacement (ccpds-r) - Case Study
 
Software Reuse
Software ReuseSoftware Reuse
Software Reuse
 
SDLC Models
SDLC ModelsSDLC Models
SDLC Models
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
 

Viewers also liked

Process Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and ProcessesProcess Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and ProcessesMd Rahaman
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Ian Sommerville
 
DDS Security Specification (Adopted Beta1 June 2014)
DDS Security Specification (Adopted Beta1 June 2014)DDS Security Specification (Adopted Beta1 June 2014)
DDS Security Specification (Adopted Beta1 June 2014)Gerardo Pardo-Castellote
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
CS 5032 L6 reliability and security specification 2013
CS 5032 L6 reliability and security specification 2013CS 5032 L6 reliability and security specification 2013
CS 5032 L6 reliability and security specification 2013Ian Sommerville
 
CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013Ian Sommerville
 
CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013Ian Sommerville
 
Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17koolkampus
 
Introducing sociotechnical systems
Introducing sociotechnical systemsIntroducing sociotechnical systems
Introducing sociotechnical systemssommerville-videos
 
Software engineering critical systems
Software engineering critical systemsSoftware engineering critical systems
Software engineering critical systemsDr. Loganathan R
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating systemMidhun Sankar
 
Intro to Deadlocks
Intro to DeadlocksIntro to Deadlocks
Intro to Deadlockslionpeal
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating systemSara Ali
 

Viewers also liked (20)

Process Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and ProcessesProcess Safety Life Cycle Management: Best Practices and Processes
Process Safety Life Cycle Management: Best Practices and Processes
 
Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)Reliability and security specification (CS 5032 2012)
Reliability and security specification (CS 5032 2012)
 
DDS Security Specification (Adopted Beta1 June 2014)
DDS Security Specification (Adopted Beta1 June 2014)DDS Security Specification (Adopted Beta1 June 2014)
DDS Security Specification (Adopted Beta1 June 2014)
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013
 
Verification&Validation
Verification&ValidationVerification&Validation
Verification&Validation
 
CS 5032 L6 reliability and security specification 2013
CS 5032 L6 reliability and security specification 2013CS 5032 L6 reliability and security specification 2013
CS 5032 L6 reliability and security specification 2013
 
CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013CS 5032 L7 dependability engineering 2013
CS 5032 L7 dependability engineering 2013
 
CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013CS 5032 L5 safety specification 2013
CS 5032 L5 safety specification 2013
 
System success and failure
System success and failureSystem success and failure
System success and failure
 
Emergent properties
Emergent propertiesEmergent properties
Emergent properties
 
Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17Critical System Specification in Software Engineering SE17
Critical System Specification in Software Engineering SE17
 
Critical systems engineering
Critical systems engineeringCritical systems engineering
Critical systems engineering
 
OS - Deadlock
OS - DeadlockOS - Deadlock
OS - Deadlock
 
Introducing sociotechnical systems
Introducing sociotechnical systemsIntroducing sociotechnical systems
Introducing sociotechnical systems
 
Software engineering critical systems
Software engineering critical systemsSoftware engineering critical systems
Software engineering critical systems
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
 
Intro to Deadlocks
Intro to DeadlocksIntro to Deadlocks
Intro to Deadlocks
 
Chapter 7 - Deadlocks
Chapter 7 - DeadlocksChapter 7 - Deadlocks
Chapter 7 - Deadlocks
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
 
Deadlock ppt
Deadlock ppt Deadlock ppt
Deadlock ppt
 

Similar to Dependability and Security Specification Overview

Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Ian Sommerville
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
Software Engineering - Ch9
Software Engineering - Ch9Software Engineering - Ch9
Software Engineering - Ch9Siddharth Ayer
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
Dezfuli.homayoon
Dezfuli.homayoonDezfuli.homayoon
Dezfuli.homayoonNASAPMC
 
DojoSec FISMA Presentation
DojoSec FISMA PresentationDojoSec FISMA Presentation
DojoSec FISMA Presentationdanphilpott
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deckElaine Axum
 
Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Ashley Finden
 
Health Informatics – Application of Clinical Risk Management to the Manufactu...
Health Informatics – Application of Clinical Risk Management to the Manufactu...Health Informatics – Application of Clinical Risk Management to the Manufactu...
Health Informatics – Application of Clinical Risk Management to the Manufactu...Plan de Calidad para el SNS
 
Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuatorsJohn Kingsley
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfAbdulrafiiMohammed
 
Swiss early warning system for natural hazards
Swiss early warning system for natural hazardsSwiss early warning system for natural hazards
Swiss early warning system for natural hazardsGlobal Risk Forum GRFDavos
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxlanagore871
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9Irsandi Hasan
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in icsMayur Mehta
 

Similar to Dependability and Security Specification Overview (20)

Security testing (CS 5032 2012)
Security testing (CS 5032 2012)Security testing (CS 5032 2012)
Security testing (CS 5032 2012)
 
Ch9
Ch9Ch9
Ch9
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
Software Engineering - Ch9
Software Engineering - Ch9Software Engineering - Ch9
Software Engineering - Ch9
 
SIL.ppt
SIL.pptSIL.ppt
SIL.ppt
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013
 
Dezfuli.homayoon
Dezfuli.homayoonDezfuli.homayoon
Dezfuli.homayoon
 
DojoSec FISMA Presentation
DojoSec FISMA PresentationDojoSec FISMA Presentation
DojoSec FISMA Presentation
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck
 
Presentation
PresentationPresentation
Presentation
 
Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails Operational Security for Transportation: Connectivity to Rails
Operational Security for Transportation: Connectivity to Rails
 
Health Informatics – Application of Clinical Risk Management to the Manufactu...
Health Informatics – Application of Clinical Risk Management to the Manufactu...Health Informatics – Application of Clinical Risk Management to the Manufactu...
Health Informatics – Application of Clinical Risk Management to the Manufactu...
 
Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
 
Iec61508 guide
Iec61508 guideIec61508 guide
Iec61508 guide
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdf
 
Swiss early warning system for natural hazards
Swiss early warning system for natural hazardsSwiss early warning system for natural hazards
Swiss early warning system for natural hazards
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docx
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in ics
 

More from Ian Sommerville

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale SystemsIan Sommerville
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITSIan Sommerville
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems designIan Sommerville
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITSIan Sommerville
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITSIan Sommerville
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-studyIan Sommerville
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million usersIan Sommerville
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureIan Sommerville
 
CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterIan Sommerville
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1Ian Sommerville
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureIan Sommerville
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachIan Sommerville
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsIan Sommerville
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013Ian Sommerville
 

More from Ian Sommerville (20)

Ultra Large Scale Systems
Ultra Large Scale SystemsUltra Large Scale Systems
Ultra Large Scale Systems
 
Resp modellingintro
Resp modellingintroResp modellingintro
Resp modellingintro
 
Resilience and recovery
Resilience and recoveryResilience and recovery
Resilience and recovery
 
LSCITS-engineering
LSCITS-engineeringLSCITS-engineering
LSCITS-engineering
 
Requirements reality
Requirements realityRequirements reality
Requirements reality
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITS
 
Conceptual systems design
Conceptual systems designConceptual systems design
Conceptual systems design
 
Requirements Engineering for LSCITS
Requirements Engineering for LSCITSRequirements Engineering for LSCITS
Requirements Engineering for LSCITS
 
An introduction to LSCITS
An introduction to LSCITSAn introduction to LSCITS
An introduction to LSCITS
 
Internet worm-case-study
Internet worm-case-studyInternet worm-case-study
Internet worm-case-study
 
Designing software for a million users
Designing software for a million usersDesigning software for a million users
Designing software for a million users
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
CS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failureCS5032 Case study Ariane 5 launcher failure
CS5032 Case study Ariane 5 launcher failure
 
CS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disasterCS5032 Case study Kegworth air disaster
CS5032 Case study Kegworth air disaster
 
CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1CS5032 L19 cybersecurity 1
CS5032 L19 cybersecurity 1
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2
 
L17 CS5032 critical infrastructure
L17 CS5032 critical infrastructureL17 CS5032 critical infrastructure
L17 CS5032 critical infrastructure
 
CS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breachCS5032 Case study Maroochy water breach
CS5032 Case study Maroochy water breach
 
CS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systemsCS 5032 L18 Critical infrastructure 2: SCADA systems
CS 5032 L18 Critical infrastructure 2: SCADA systems
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013
 

Recently uploaded

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 

Recently uploaded (20)

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Dependability and Security Specification Overview

  • 1. Dependability and Security Specification Lecture 1 Dependability and Security Specification, CSE course, 2011 Slide 1
  • 2. Topics covered • Risk-driven specification • Safety specification • Security specification • Software reliability specification Dependability and Security Specification, CSE course, 2011 Slide 2
  • 3. Dependability requirements • Functional requirements to define error checking and recovery facilities and protection against system failures. • Non-functional requirements defining the required reliability and availability of the system. • Excluding requirements that define states and conditions that must not arise. Dependability and Security Specification, CSE course, 2011 Slide 3
  • 4. Risk-driven specification • Critical systems specification should be risk-driven as risks pose a threat to the system. • This approach has been widely used in safety and security- critical systems. • The aim of the specification process should be to understand the risks (safety, security, etc.) faced by the system and to define requirements that reduce these Dependability and Security Specification, CSE course, 2011 Slide 4 risks.
  • 5. Phased risk analysis • Preliminary risk analysis – Identifies risks from the systems environment. Aim is to develop an initial set of system security and dependability requirements. • Life cycle risk analysis – Identifies risks that emerge during design and development e.g. risks that are associated with the technologies used for system construction. Requirements are extended to protect against these risks. • Operational risk analysis – Risks associated with the system user interface and operator errors. Further protection requirements may be added to cope with these. Dependability and Security Specification, CSE course, 2011 Slide 5
  • 6. Risk-driven specification Dependability and Security Specification, CSE course, 2011 Slide 6
  • 7. Stages of risk-based analysis • Risk identification – Identify potential risks that may arise. • Risk analysis and classification – Assess the seriousness of each risk. • Risk decomposition – Decompose risks to discover their potential root causes. • Risk reduction assessment – Define how each risk must be taken into eliminated or reduced when the system is designed. Dependability and Security Specification, CSE course, 2011 Slide 7
  • 8. Safety specification • Identify protection requirements that ensure that system failures do not cause injury or death or environmental damage. • Risk identification = Hazard identification • Risk analysis = Hazard assessment • Risk decomposition = Hazard analysis • Risk reduction = safety requirements specification Dependability and Security Specification, CSE course, 2011 Slide 8
  • 9. Hazard identification • Identify the hazards that may threaten the system. • Hazard identification may be based on different types of hazard: – Physical hazards – Electrical hazards – Biological hazards – Service failure hazards – Etc. Dependability and Security Specification, CSE course, 2011 Slide 9
  • 10. A software-controlled insulin pump • Safety-critical embedded system. Failure can lead to injury or death of the system user. • Used by diabetics to simulate the function of the pancreas which manufactures insulin, an essential hormone that metabolises blood glucose. • Measures blood glucose (sugar) using a micro- sensor and computes the insulin dose required to metabolise the glucose. • The system software, is embedded control software for the sensing and insulin delivery functions. Dependability and Security Specification, CSE course, 2011 Slide 10
  • 11. Dependability and Security Specification, CSE course, 2011 Slide 11
  • 12. Insulin pump organisation Insulin reservoir Needle Pump Clock assembly Sensor Controller Alarm Display1 Display2 Power supply Dependability and Security Specification, CSE course, 2011 Slide 12
  • 13. Insulin pump data-flow Blood Blood parameters Blood sugar Blood sugar Blood sugar sensor analysis level Insulin requirement computation Pump control Insulin commands Insulin Insulin Insulin delivery requirement pump controller Dependability and Security Specification, CSE course, 2011 Slide 13
  • 14. Dependability requirements • The system shall be available to deliver insulin when required to do so. • The system shall perform reliability and deliver the correct amount of insulin to counteract the current level of blood sugar. • The essential safety requirement is that excessive doses of insulin should never be delivered as this is potentially life threatening. Dependability and Security Specification, CSE course, 2011 Slide 14
  • 15. Insulin pump risks • Insulin overdose (service failure). • Insulin underdose (service failure). • Power failure due to exhausted battery (electrical). • Electrical interference with other medical equipment (electrical). • Poor sensor and actuator contact (physical). • Parts of machine break off in body (physical). • Infection caused by introduction of machine (biological). • Allergic reaction to materials or insulin (biological). Dependability and Security Specification, CSE course, 2011 Slide 15
  • 16. The risk triangle Dependability and Security Specification, CSE course, 2011 Slide 16
  • 17. Hazard assessment • What is the the likelihood that a risk will arise and what are the potential consequences if an accident or incident should occur? • Risks are categorised as: – Intolerable Must never arise or result in an accident – As low as reasonably practical (ALARP) Must minimise the possibility of risk given cost and schedule constraints – Acceptable The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability Dependability and Security Specification, CSE course, 2011 Slide 17
  • 18. Social acceptability of safety-related risks • In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk – For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable. • Risk assessment is subjective – Risks are identified as probable, unlikely, etc. This Dependability and Security Specification, CSE course, 2011 depends on who is making18Slide
  • 19. Hazard assessment • Estimate the hazard probability and the hazard severity. • It is not normally possible to do this precisely so relative values are used such as ‘unlikely’, ‘rare’, ‘very high’, etc. • The aim is to make sure that the system can handle hazards that are likely to arise or that have high severity. Dependability and Security Specification, CSE course, 2011 Slide 19
  • 20. Risk classification for the insulin pump Identified Hazard Accident Estimated risk Acceptability hazard probability severity 1.Insulin Medium High High Intolerable overdose computation 2. Insulin Medium Low Low Acceptable underdose computation 3. Failure of Medium Medium Low ALARP hardware monitoring system 4. Power failure High Low Low Acceptable Dependability and Security Specification, CSE course, 2011 Slide 20
  • 21. Risk classification for the insulin pump Identified Hazard Accident Estimated risk Acceptability hazard probability severity 5. Machine High High High Intolerable incorrectly fitted 6. Machine Low High Medium ALARP breaks in patient 7. Machine Medium Medium Medium ALARP causes infection 8. Electrical Low High Medium ALARP interference 9. Allergic Low Low Low Acceptable reaction Dependability and Security Specification, CSE course, 2011 Slide 21
  • 22. Hazard analysis • Concerned with discovering the root causes of risks in a particular system. • Techniques have been mostly derived from safety-critical systems and can be – Inductive, bottom-up techniques. Start with a proposed system failure and assess the hazards that could arise from that failure; – Deductive, top-down techniques. Start with a hazard and deduce what the causes of this could be. Dependability and Security Specification, CSE course, 2011 Slide 22
  • 23. Fault-tree analysis • Put the risk or hazard at the root of the tree and identify the system states that could lead to that hazard. • Where appropriate, link these with ‘and’ or ‘or’ conditions. NO SINGLE POINT OF FAILURE The key goal should be to minimise the number of single causes of system failure. Dependability and Security Specification, CSE course, 2011 Slide 23
  • 24. Dependability and Security Specification, CSE course, 2011 Slide 24
  • 25. Fault tree analysis • Three possible conditions that can lead to delivery of incorrect dose of insulin – Incorrect measurement of blood sugar level – Failure of delivery system – Dose delivered at wrong time • By analysis of the fault tree, root causes of these hazards related to software are: – Algorithm error – Arithmetic error Dependability and Security Specification, CSE course, 2011 Slide 25
  • 26. Risk reduction • The aim of this process is to identify dependability requirements that specify how the risks should be managed and ensure that accidents/incidents do not arise. • Risk reduction strategies – Risk avoidance; – Risk detection and removal; – Damage limitation. Dependability and Security Specification, CSE course, 2011 Slide 26
  • 27. Strategy use • Normally, in critical systems, a mix of risk reduction strategies are used. • In a chemical plant control system, the system will include sensors to detect and correct excess pressure in the reactor. • However, it will also include an independent protection system that opens a relief valve if dangerously high pressure is detected. Dependability and Security Specification, CSE course, 2011 Slide 27
  • 28. Insulin pump - software risks • Arithmetic error – A computation causes the value of a variable to overflow or underflow; – Maybe include an exception handler for each type of arithmetic error. • Algorithmic error – Compare dose to be delivered with previous dose or safe maximum doses. Reduce dose if too high. Dependability and Security Specification, CSE course, 2011 Slide 28
  • 29. Examples of safety requirements SR1: The system shall not deliver a single dose of insulin that is greater than a specified maximum dose for a system user. SR2: The system shall not deliver a daily cumulative dose of insulin that is greater than a specified maximum daily dose for a system user. SR3: The system shall include a hardware diagnostic facility that shall be executed at least four times per hour. SR4: The system shall include an exception handler for all of the exceptions that are identified in Table 3. SR5: The audible alarm shall be sounded when any hardware or software anomaly is discovered and a diagnostic message, as defined in Table 4, shall be displayed. SR6: In the event of an alarm, insulin delivery shall be suspended until the user has reset the system and cleared the alarm. Dependability and Security Specification, CSE course, 2011 Slide 29
  • 30. Key points • Risk analysis is an important activity in the specification of security and dependability requirements. It involves identifying risks that can result in accidents or incidents. • A hazard-driven approach may be used to understand the safety requirements for a system. You identify potential hazards and decompose these (using methods such as fault tree analysis) to discover their root causes. • Safety requirements should be included to ensure that hazards and accidents do not arise or, if this is impossible, to limit the damage caused by system Dependability and Security Specification, CSE course, 2011 Slide 30 failure.