Critical Systems SpecificationObjectivesTopics coveredDependability requirementsRisk-driven specificationStages of risk-based analysisSlide 7Risk identificationInsulin pump risksRisk analysis and classificationLevels of riskSocial acceptability of riskRisk assessmentRisk assessment - insulin pumpRisk decompositionFault-tree analysisInsulin pump fault treeRisk reduction assessmentStrategy useInsulin pump - software risksSafety requirements - insulin pumpSafety specificationIEC 61508Control system safety requirementsThe safety life-cycleSafety requirementsSecurity specificationThe security specification processStages in security specificationSlide 30Types of security requirementLIBSYS security requirementsSystem reliability specificationFunctional reliability requirementsNon-functional reliability specificationReliability metricsSlide 37Probability of failure on demandRate of fault occurrence (ROCOF)Mean time to failureAvailabilityNon-functional requirements spec.Failure consequencesFailure classificationSteps to a reliability specificationBank auto-teller systemReliability specification for an ATMSpecification validationKey pointsSlide 50©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 1Critical Systems Specification©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 2ObjectivesTo explain how dependability requirements may be identified by analysing the risks faced by critical systemsTo explain how safety requirements are generated from the system risk analysisTo explain the derivation of security requirementsTo describe metrics used for reliability specification©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 3Topics coveredRisk-driven specificationSafety specificationSecurity specificationSoftware reliability specification©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 4Dependability requirementsFunctional requirements to define error checking and recovery facilities and protection against system failures.Non-functional requirements defining the required reliability and availability of the system.Excluding requirements that define states and conditions that must not arise.©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 5Risk-driven specificationCritical systems specification should be risk-driven.This approach has been widely used in safety and security-critical systems.The aim of the specification process should be to understand the risks (safety, security, etc.) faced by the system and to define requirements that reduce these risks.©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 6Stages of risk-based analysisRisk identification•Identify potential risks that may arise.Risk analysis and classification•Assess the seriousness of each risk.Risk decomposition•Decompose risks to discover their potential root causes.Risk reduction assessment•Define how each risk must be taken into eliminated or reduced when the system is designed.©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 7Risk-driven specificationRisk analysis andclassifi cationRisk reductionassessmentRiskassessmentDependabilityrequirementsRiskdecompositionRoot causeanalysisRiskdescriptionRiskidentification©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 8Risk identificationIdentify the risks faced by the critical system.In safety-critical systems, the risks are the hazards that can lead to accidents.In security-critical systems, the risks are the potential attacks on the system.In risk identification, you should identify risk classes and position risks in these classes •Service failure;•Electrical risks;•…©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 9Insulin pump risksInsulin overdose (service failure).Insulin underdose (service failure).Power failure due to exhausted battery (electrical).Electrical interference with other medical equipment (electrical).Poor sensor and actuator contact (physical).Parts of machine break off in body (physical).Infection caused by introduction of machine (biological).Allergic reaction to materials or insulin (biological).©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 10Risk analysis and classificationThe process is concerned with understanding the likelihood that a risk will arise and the potential consequences if an accident or incident should occur.Risks may be categorised as:•Intolerable. Must never arise or result in an accident•As low as reasonably practical(ALARP). Must minimise the possibility of risk given cost and schedule constraints•Acceptable. The consequences of the risk are acceptable and no extra costs should be incurred to reduce hazard probability©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 11Levels of riskUnacceptable regionRisk cannot be toleratedRisk tolerated only ifrisk reduction is impracticalor grossly expensiveAcceptableregionNegligible riskALARPregion©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 12Social acceptability of riskThe acceptability of a risk is determined by human, social and political considerations.In most societies, the boundaries between the regions are pushed upwards with time i.e. society is less willing to accept risk•For example, the costs of cleaning up pollution may be less than the costs of preventing it but this may not be socially acceptable.Risk assessment is subjective•Risks are identified as probable, unlikely, etc. This depends on who is making the assessment.©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 13Risk assessmentEstimate the risk probability and the risk severity.It is not normally possible to do this precisely so relative values are used such as ‘unlikely’, ‘rare’, ‘very high’, etc.The aim must be to exclude risks that are likely to arise or that have high severity.©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 14Risk assessment - insulin pump©Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 9 Slide 15Risk decompositionConcerned with