Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs
Slide 1: Applying STPA-based Hazard Analysis to support HBSE for Systems built using MAPs
ISPCE 2015, Chicago, IL, USA
Sam Procter, John Hatcliff, Kim Fowler (SAnToS Lab, Kansas State University); Anura Fernando (Underwriters Laboratories); Sandy Weininger (Food and Drug Admin.)
Support: This work is supported in part by the US National Science Foundation (NSF) (# ), the NSF / US Food and Drug Administration Scholar-in-Residence Program (# ) and the National Institutes of Health / NIBIB Quantum Program.

Slide 2: Health Care Involves A Variety of System Components
(Diagram of system components: Sensors, Sensor Data Displays, Actuators, Information Systems, Clinical Protocols, Clinicians, and the Patient)

Slide 3: Motivation
- What are the types of things we could do with device integration?
  - Information forwarding
  - Automation of clinical workflows
  - Closed loop control between devices
- Unlike personal computing, medical devices are not designed to work together
- Integrating medical devices would bring myriad benefits; how can we do so safely?

Slide 4: Outline
- Background
  - PCA Interlock Scenario
  - Medical Application Platforms
  - AADL
- Vision
- Language
- Tool
- Hazard Analysis
- Future

Slide 5: Status Quo: MDDS (Medical Device Data Systems)
- Data only flows from producers to consumers; data must be faithfully re-presented
- (Diagram: Devices feed Data Consumers such as Display Gadgets and EMR Databases)

Slide 6: PCA Interlock Scenario
- Patients are commonly given patient-controlled analgesics after surgery
- Crucial to care, but numerous issues related to safety
- Data for disabling the pump exists now (just a system invariant) -- we just need to integrate it

Slide 7: Clinically Supported -- Motivating Clinical Problem: PCA Overdose
Quoted on the slide: "A particularly attractive feature may be the ability to automatically terminate or reduce PCA (or PCEA) infusions when monitoring technology suggests the presence of opioid-induced respiratory depression. To facilitate such capabilities, we strongly endorse the efforts to develop international standards for device interoperability and device-device communication. It is critical that any monitoring system be linked to a reliable process to summon a competent health care professional to the patient's bedside in a timely manner."
Slide 8: PCA Pump Safety Interlock
- Fully leverage device data streams and the ability to control devices
- (Diagram labels: Devices: PCA Pump, Capnograph, Pulse Oximeter; Monitoring Data + Alarm Information from the capnograph and the pulse oximeter; Clinician / Monitoring; Device Task controller; PCA Bolus Enable Ticket; Enable Pump for safe time window; Enable bolus dose only when ticket present; Combined PCA Vitals Monitoring; Aggregated Monitoring Status; Status Display for PCA Monitoring Application)

Slide 9: Medical Application Platforms
- (Diagram: Devices, Displays, Clinician Console and EMR Databases connected over a Bus to Apps running on a Computational Platform)
- A Medical Application Platform is a safety- and security-critical real-time computing platform for
  - Integrating heterogeneous devices, medical IT systems, and information displays via communications infrastructure, and
  - Hosting applications ("apps") that provide medical utility via the ability to acquire information from and update/control integrated devices, IT systems, and displays

Slide 10: Background -- PCA Pump Interlock Architecture
(Diagram labels: Medical Application Platform; SUI App Display View; Display; Data for Display; App Start / Stop Commands; Sensor + Alarm Data (data should arrive once per second); Clinician (App Administrator); Pulse Oximeter, Capnograph, and Patient Controlled Analgesia Pump; PCA, PR, SpO2, EtCO2, RR View Display; Configuration, Alarm Clear; Patient; Attach Sensors)

Slide 11: Background -- Architecture Analysis and Description Language (AADL)
- SAE Standard, used in e.g. Avionics
- Enables model-driven, component-based development of
  - Software
  - Hardware
  - And the bindings between the two
- Previously applied to a single medical device; what about a system of multiple medical devices?
- How well can it work on a managed platform?
- Can we do anything beyond describing an app's architecture with it?

Slide 12: Outline
- Background
- Vision
  - Analyses
  - Code generation
- Language
- Tool
- STPA
- Hazard Analysis
- Future

Slide 13: Vision -- Analyses and Regulatory Artifacts
(Diagram labels: Clinical Use Case / Workflow Description; App Developer; Requirements; Hazard Analysis; Risk Assessment; Assurance Case; Medical Device Coordination Framework; App Deployment; 3rd Party Certifiers; 3rd Party ICE Conformance & Safety Certification Submission Package; FDA 510K Submission Package; FDA Evaluators)

Slide 14: Vision -- Code Generation
A. The app's architecture is specified in AADL
   1. Components as AADL Devices / Processes
   2. Connections are specified
   3. RT/QoS Parameters are via AADL's property-specification mechanism
B. The app is programmatically translated to Java and XML
C. The app is launched on a compatible MAP
(Diagram label: "Instantiates as")

Slide 15: Outline
- Background
- Vision
- Language
  - Why MDD?
  - Why (a subset of) AADL?
  - Constructs
- Tool
- Hazard Analysis
- Future
Slide 16 (repeated as slide 17): MAP Characteristics
- MAP-constituted device instances are variable: the constituents that form the MAP-constituted device may differ on different invocations of the device.
- Same app, and thus same conceptual system
  - Just one architecture and development framework
  - But, different component instances.
- (Diagram: two platforms, "MAPs-R-Us Platform" and "ACME Platform", each running the PCA Interlock App over a Bus but with different device instances: AnyPCA PCA Pump, PCA+ PCA Pump, NellCore Pulse Ox, Masimo Pulse Ox)

Slide 18: Language -- Why use AADL?
- History of successful safety-critical projects
  - Avionics / Boeing (SAVI): integrate-then-build approach
- Previously found that MAPs lend themselves to pub-sub
  - Device as publisher, apps as subscriber
  - Natural to model with AADL's port connections
- Annexes support a number of regulatory and verification artifacts
  - Hazard Analysis (EMV2), Interface contracts (BLESS), etc.

Slide 19: Language -- Why subset AADL?
- AADL is targeted at co-design, i.e. complete systems
  - MAPs are managed platforms
- Semantic mismatches
  - Processes
  - Insufficiency of pre-declared properties
- Unrealizable communication patterns
  - No shared-memory access in pub/sub middleware
Slide 20: Language -- Model
(Diagram: an AADL System containing Device1 and Device2 (output rate: 1 sec .. 5 sec), an AADL Process "Logic" with Thread1, Thread2 and Thread3, and an AADL Process "Display" with Thread1 and Thread2; annotated with Channel Delay: 50ms, Period: 50ms, WCET: 5ms)

Slide 21 (repeated as slide 22): Language -- System
- Medical Devices
- Software Components
- Communication links between components and properties of those links!

Slide 23 (repeated as slide 24): Language -- Device Interface Specification
- Ports
- Properties of those ports
- Device API Only -- presents the app's view of the required device capabilities, not the full device capabilities
Slide 25 (repeated as slide 26): Language -- Process Specification
- External ports
- Tasks (Threads)
- Connections between external ports and threads

Slide 27 (repeated as slide 28): Language -- Thread Specification
- External ports
- Properties
- Any necessary architectural annotations can be created!

Slide 29: Component Development -- Automatic code generation
(Diagram: AADL Component Architecture -> Component skeleton generation -> Behavioral code written by component developer)
- Development of component architecture using AADL / OSATE2
- Automatic generation of component architecture (skeletons)
- Automatic generation of component layout and app topology (configuration)
- Development of core behavioral code (business logic) using IDE of choice
- Translator can be retargeted to other languages as desired

Slide 30: Language -- Subset AADL Constructs Used

AADL Construct                                 | MAP Concept
-----------------------------------------------|----------------------------
Components:                                    |
  System                                       | Layout
  Device                                       | Medical Device API for App
  Process                                      | Software Component
  Thread                                       | Task
Connections:                                   |
  System-level port connection                 | Channel
  Process implementation-level port connection | Task-Port Communication

Slide 31: Language -- Translation Target
(Diagram: the model is translated to System.cfg.xml; Dev1.java and Dev2.java; Logic.java (Task1, Task2, Task3) with LogicSuperType.java and Logic.compsig.xml (QoS/RT); Display.java (Task1, Task2) with DisplaySuperType.java and Display.compsig.xml (QoS/RT))
Slide 32: Outline
- Background
- Vision
- Language
- Tool
  - OSATE2
  - Availability
- Hazard Analysis
- Future

Slide 33: Tool -- OSATE2
- Open-source, Eclipse-based tool
- Our work is available as a plugin
- Uses the model-traversal built into OSATE2

Slides 34-35: Tool -- OSATE2 (tool screenshots)

Slide 36: Outline
- Background
- Vision
- Language
- Tool
- Hazard Analysis
  - History
  - Fundamentals
  - Control Actions
- Future
Slide 37: Hazard Analysis -- Leveraging Semiformal Architectural Descriptions
(Diagram labels, as on slide 13 with MDCF in place of Medical Device Coordination Framework: Clinical Use Case / Workflow Description; App Developer; Requirements; Hazard Analysis; Risk Assessment; Assurance Case; MDCF; App Deployment; 3rd Party Certifiers; 3rd Party ICE Conformance & Safety Certification Submission Package; FDA 510K Submission Package; FDA Evaluators)

Slide 38: Hazard Analysis History -- FTA
- FTA: Bell Labs, 1962
- Looks for contributory causes to undesired events
- (Fault tree: top event "Too Large of Dose Allowed" over gate G1; intermediate events "Bad Physiological Data Received" and "Undetected Error" over gates G2 and G3; basic events: Incorrect Physiological Reading, Message Garbled by Network, Physiological Data within Max Range, Software Encoding or Decoding Error, Internal Diagnostics Fail)

Slide 39: Hazard Analysis History -- FMEA
- FMEA: US Military, 1949
- Analyses impacts of individual components
- (FMEA worksheet. System: PCA Interlock Scenario; Subsystem: Pulse Oximeter Device; Mode/Phase: Execution; Analyst: Sam Procter; Date: September 26, 2014; Page 3/14)

Function     | Failure Mode     | Fail Rate | Causal Factors          | Effect       | System Effect         | Detected by | Current Control | Hazard       | Risk | Rec. Action
Provide SpO2 | Fails to Provide | N/A       | Network or dev. failure | No SpO2 data | Unknown patient state | App         |                 | Potential OD | 3D   | Default to KVO
             | Provides late    | N/A       | Network slowness        | No SpO2 data | Unknown patient state | App         |                 | Potential OD | 3C   | Default to KVO
             | Provides wrong   | N/A       | Device error            | SpO2 wrong   | Wrong patient state   | None        |                 | Potential OD | 1E   | Dev. should report data quality

Slide 40: Hazard Analysis History -- STPA
- STPA: Nancy Leveson / MIT, 2005(ish)
- Applies systems theory, focuses on control
  - Loops
  - Actions
- (Control loop diagram: Controller, Control Actions, Actuator, Controlled Process, Sensor)

Slide 41: STPA in AADL -- The Annotated Control Loop
(Control loop shown plain and then annotated:)
- Control Action: App -> PCA Pump; annotated: Inappropriate Control Action: Inadvertent Pump Normally command
- Feedback Message: PulseOx -> App; annotated: Inadequate Feedback: Sends bad SpO2
- Controller: App Logic; annotated: Process Model Incorrect: Wrongly believes patient to be healthy
- Actuator: PCA Pump; annotated: Inadequate Operation: Pumps Normally
- Sensor: Pulse Oximeter; annotated: Inadequate Operation: SpO2 value incorrect
- Controlled Process: Patient

Slide 42: STPA -- Background & Fundamentals
- Fundamentals
  - Accident Levels
  - Accidents
  - System Boundaries
  - Hazards
  - Safety Constraints
  - Control Actions
  - Control Structure
Slide 43: Hazard Analysis -- STPA Fundamentals: Accident Levels
(Sidebar: the Fundamentals list from slide 42)
Example:
1. A human is killed or seriously injured.
2. A medical device's services are unavailable
- Tie into ISO's notions of criticality?

Slide 44: Hazard Analysis -- STPA Fundamentals: Accidents
Example:
1. The patient is killed or seriously injured [DeathOrInjury]
2. The PCA pump stops responding to commands [DenialOfService]

Slide 45: Hazard Analysis -- STPA Fundamentals: System Boundaries
Example (diagram): a Process Boundary, a System Boundary and an App Boundary drawn around the Patient, Pulse Oximeter, Capnography Device, App, PCA Pump, Display and Clinician

Slide 46: Hazard Analysis -- STPA Fundamentals: Hazards
Example:
1. An inadvertent Pump Normally command is sent to the pump [PatientHarmed]
2. Commands are sent to the pump too quickly [PCADoS]
Benefits -- Regulators: Supports strong traceability both in code and in (hypertext) reports

Slide 47: Hazard Analysis -- STPA Fundamentals: Safety Constraints
Example:
1. The app must only instruct the pump to run at a normal rate when the patient can tolerate more analgesic [InadvertentPumpNormally]
2. The app must wait for a designated length of time between sending pump commands [TooManyCommands]

Slide 48: STPA in AADL -- Fundamentals: Control Actions
Example: App -> Pump: Pump Normally (shown on the control loop: Controller, Actuator, Process, Sensor)
Benefits -- Developers: Hazard Analysis artifacts are automatically in-sync with system architecture

Slide 49: Hazard Analysis -- STPA Fundamentals: Control Structure
Example (control structure diagram, labels grouped by element): Patient (Physiological Status); Pulse Oximeter and Capnography Device (Physiological Data, Device Ok, Device Error); App (Pump Normal, Pump KVO); PCA Pump (Request More, Pump Status); Display (Physiological Data, Pump Normal, Pump KVO, Device Ok, Device Error); Clinician (View Patient Status, View Device Status, Provide Rx, Authorize Override, Verify Rx)
Slide 50: Hazard Analysis -- STPA: Identifying Hazardous Control Actions
- Hazardous Control Action Table
- Cross-product of control actions and STPA guidewords

Control Action                     | Providing     | Not Providing | Applied too Long | Stopped too Soon | Early         | Late
App -> Pump: Pump Normally         | PH            | Not Hazardous | PH               | Not Hazardous    | PH            | Not Hazardous
App -> Disp: Patient Ok            | BID           | BID           | BID              | BID              | BID           | BID
PulseOx -> App: Provide SpO2       | Not Hazardous | PH, BID       | Not Hazardous    | PH, BID          | Not Hazardous | PH, BID
PulseOx -> App: Provide Pulse Rate | Not Hazardous | PH, BID       | Not Hazardous    | PH, BID          | Not Hazardous | PH, BID
PH = Patient Harmed; BID = Bad Info Displayed

Slide 51: Hazard Analysis -- STPA: Hazardous Causes and Compensations
Control Action: App -> Pump: Pump Normally
- Providing:
  - Bad Data:
    - Cause: Incorrect values are gathered from one of the physiological sensors
    - Compensation: Rely on multiple sensed physiological parameters to provide redundancy
- Not Providing:
  - Not hazardous

Slide 52: Hazard Analysis -- STPA: Hazardous Causes and Compensations (continued)
Control Action: App -> Pump: Pump Normally
- Wrong Timing or Order:
  - Not applicable
- Too Long:
  - Network Drop:
    - Cause: Network drops out, leaving the pump running normally regardless of the patient's health
    - Compensation: Commands to pump normally have an associated maximum time, after which the pump returns to KVO

Slide 53: STPA in AADL -- Where should we start?
(Control loop: Control Action: App -> PCA Pump; Feedback Message: PulseOx -> App; Controller: App Logic; Actuator: PCA Pump; Sensor: Pulse Oximeter; Controlled Process: Patient)
- A control action is provided in an unsafe way
  - How would the control action be unsafe?
  - What constraint would be violated?
  - What should the occurrence be named?
  - What would cause this to occur?
  - How can this occurrence be compensated for?

Slide 54: Hazard Analysis -- Annotating our Architectural Model
- How would the control action be unsafe?
- What constraint would be violated?
- What should the occurrence be named?
- What would cause this to occur?
- How can this occurrence be compensated for? (We'll come back to this one in a moment)

Slide 55: Report Generation -- Development
(Diagram: AADL Component Architecture with Hazard Annotations -> Automatic report generation)
- Development of component architecture using AADL / OSATE2
- Addition of Hazard Analysis Annotations
- Automatic generation of STPA-Styled Hazard Analysis Report
- Example In-Progress Report Online at:

Slide 56: STPA's Causality Guidewords -- Annotated Control Loop
(Figure: Nancy Leveson, Figure 4.8, page 93, Engineering A Safer World, MIT Press, 2011)
Benefits:
- Managers: Constrains developers so style and architectural assumptions are consistent
- Developers: Guides analysis so starting from scratch isn't necessary
Slide 57: AADL EM Fault Types -- Type Hierarchy

Error Library Type (AADL Standard Error Types) | STPA Error Type (STPA Guidewords) | App Error Type (App Specific Error Types)
Errors with Physiological Monitors:
  LateDelivery      | DelayedOperation        | SpO2ValueLate
  IncorrectValue    | IncorrectInformation    | SpO2ValueLow
  N/A               | NoInformation           | NoSpO2Data
Errors with App Logic:
  ServiceCommission | InappropriateCtrlAction | InadvertentPumpNormally
  ServiceOmission   | MissingCtrlAction       | InadvertentPumpMinimally

Slide 58: AADL EM Fault Types -- App Specific Error Library
- Application independent: Sourced from STPA
- Application specific: Defined by app risk management process

Slide 59: STPA in AADL -- Using our fault type
(Control loop with the Control Action App -> PCA Pump now annotated with the fault type "Inadvertent Pump Normally"; Feedback Message: PulseOx -> App; Controller: App Logic; Actuator: PCA Pump; Sensor: Pulse Oximeter; Controlled Process: Patient)

Slide 60: Integrated Hazard Analysis -- Using our fault type
- What specific fault will result?
- What can we do with our model + specific fault information?

Slide 61: STPA in AADL -- Where would the bad control action come from?
(Control loop as on slide 59; Controller: App Logic annotated "Process Model Incorrect: Wrongly believes patient to be healthy", which propagates the error out)

Slide 62: Integrated Hazard Analysis Specification -- Step 1: Out Propagation
(Diagram: App Logic with incoming port SpO2 and outgoing port PumpCmd; the Outgoing Port is annotated with the Outgoing Fault)

Slide 63: STPA in AADL -- Where would the bad control action come from?
(Control loop as on slide 61; the incorrect process model is traced to bad information coming in)

Slide 64: Integrated Hazard Analysis Specification -- Step 2: In Propagation
(Diagram: App Logic with ports SpO2 and PumpCmd; the Incoming Port is annotated with the Incoming Fault)

Slide 65: Integrated Hazard Analysis Specification -- Step 3: Relation between incoming and outgoing
(Diagram: App Logic with ports SpO2 and PumpCmd; the relation carries a Name of flow, a Type of flow, the Specific faults and the Specific Ports)
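Steps 1 to 3 above and the type hierarchy of slide 57, written out as AADL Error Model V2 (EMV2) annotations; this is an added example, not the SAnToS project's code and not taken from the slides. The package names, the port data types and the error sink for NoSpO2Data are assumptions; the error type names follow the slide 57 table.

```aadl
-- Added example, not from the slides or the project's own code.
-- Package names, port types and the NoSpO2Data sink are assumptions.

package PCA_Interlock_Errors
public
  annex EMV2 {**
    error types
      use types ErrorLibrary;  -- the AADL standard error type library

      -- Application-independent layer: STPA guidewords, extending standard types
      DelayedOperation        : type extends LateDelivery;
      IncorrectInformation    : type extends IncorrectValue;
      NoInformation           : type;                 -- no standard ancestor (slide 57: N/A)
      InappropriateCtrlAction : type extends ServiceCommission;
      MissingCtrlAction       : type extends ServiceOmission;

      -- Application-specific layer: defined by the app's risk management process
      SpO2ValueLate            : type extends DelayedOperation;
      SpO2ValueLow             : type extends IncorrectInformation;
      NoSpO2Data               : type extends NoInformation;
      InadvertentPumpNormally  : type extends InappropriateCtrlAction;
      InadvertentPumpMinimally : type extends MissingCtrlAction;
    end types;
  **};
end PCA_Interlock_Errors;

package PCA_Interlock_App
public
  with Base_Types;

  -- The App Logic controller of the annotated control loop: SpO2 in, pump command out.
  thread App_Logic
    features
      SpO2    : in data port Base_Types::Integer;        -- feedback message: PulseOx -> App
      PumpCmd : out event data port Base_Types::Integer; -- control action: App -> PCA Pump
    annex EMV2 {**
      use types PCA_Interlock_Errors;
      error propagations
        -- Step 2 (In Propagation): the specific faults that can arrive on the incoming port
        SpO2    : in propagation {SpO2ValueLow, NoSpO2Data};
        -- Step 1 (Out Propagation): the specific fault that can leave on the outgoing port
        PumpCmd : out propagation {InadvertentPumpNormally};
      flows
        -- Step 3: a named, typed relation between incoming and outgoing faults on specific
        -- ports. A low SpO2 value makes the controller's process model wrong (it wrongly
        -- believes the patient to be healthy) and propagates out as an inadvertent Pump Normally.
        LowSpO2ToPumpNormally : error path SpO2{SpO2ValueLow} -> PumpCmd{InadvertentPumpNormally};
        -- Assumed compensation: missing data is contained inside the app instead of becoming
        -- a pump command (the FMEA row on slide 39 recommends defaulting to KVO).
        NoDataContained : error sink SpO2{NoSpO2Data};
      end propagations;
    **};
  end App_Logic;
end PCA_Interlock_App;
```

With the flow declared, OSATE's EMV2 tooling can follow the error path from the sensor side (Option 1: look for the source) or from the actuator side (Option 2: look for the impact), which is what the next slides walk through.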
Slide 66: STPA in AADL -- Where should we go now?
(Control loop as before; Option 1: Look for the source, at the Sensor: Pulse Oximeter; Option 2: Look for the impact, at the Actuator: PCA Pump)

Slide 67: STPA in AADL -- Where should we go now?
- Option 3: Look for other sources / impacts
(Control structure: App Logic, Display, PCA Pump, Pulse Oximeter, Clinician, Patient)

Slide 68: Integrated Hazard Analysis -- OSATE Remembers A Neglected Connection
(Diagram: App Logic, Display, Pulse Oximeter)

Slide 69: Tool Supported Process -- Interaction between Report and Model
(Cause -> Effect and Effect -> Cause between the report and the model)
1. Here's an empty cell (STPA Keyword + Control Action): could anything go wrong?
2. Create occurrence and supporting EM annotations
3. Where else could this fault go?
4. What else could cause this error?

Slide 70: Impacts
- Automation
  - Traditionally, analysts have to mine a system and maintain it without tool support
- Architectural integration
  - Faults can be bound to specific components and ports
- Future:
  - Testing + Fault Injection
  - If a compensation is claimed, we can auto-generate a test

Slide 71: Outline
- Background
- Vision
- Language
- Tool
- STPA
- Future
  - Next Steps
  - Tool Extensions

Slide 72: Next Steps -- Compositional Reasoning and Assurance Cases
(Diagram labels, as on slide 37: Clinical Use Case / Workflow Description; App Developer; Requirements; Hazard Analysis; Risk Assessment; Assurance Case; MDCF; App Deployment; 3rd Party Certifiers; 3rd Party ICE Conformance & Safety Certification Submission Package; FDA 510K Submission Package; FDA Evaluators)

Slide 73: Future -- Tool extensions
- Abstraction Depth
  - Model methods / functions
- Data Types
  - CORBA IDL
- MAP Device Drivers
- Logging Annotations

Slide 74: Further Reading
- Source available online at
- Installable into OSATE2 via update site: updatesite
- Full documentation online at
- Publications online at
More informationLogical Trunked. Radio (LTR) Theory of Operation
Logical Trunked Radio (LTR) Theory of Operation An Introduction to the Logical Trunking Radio Protocol on the Motorola Commercial and Professional Series Radios Contents 1. Introduction...2 1.1 Logical
More informationEngineering a Safer and More Secure World
Engineering a Safer and More Secure World Nancy Leveson MIT Topics What is the problem? Why do we need something new? Applying systems theory to system safety engineering STAMP: a new model of accident
More informationAGENTS AND AGREEMENT TECHNOLOGIES: THE NEXT GENERATION OF DISTRIBUTED SYSTEMS
AGENTS AND AGREEMENT TECHNOLOGIES: THE NEXT GENERATION OF DISTRIBUTED SYSTEMS Vicent J. Botti Navarro Grupo de Tecnología Informática- Inteligencia Artificial Departamento de Sistemas Informáticos y Computación
More informationActivity-Centric Configuration Work in Nomadic Computing
Activity-Centric Configuration Work in Nomadic Computing Steven Houben The Pervasive Interaction Technology Lab IT University of Copenhagen shou@itu.dk Jakob E. Bardram The Pervasive Interaction Technology
More informationAn Integrated Modeling and Simulation Methodology for Intelligent Systems Design and Testing
An Integrated ing and Simulation Methodology for Intelligent Systems Design and Testing Xiaolin Hu and Bernard P. Zeigler Arizona Center for Integrative ing and Simulation The University of Arizona Tucson,
More informationRunning the PR2. Chapter Getting set up Out of the box Batteries and power
Chapter 5 Running the PR2 Running the PR2 requires a basic understanding of ROS (http://www.ros.org), the BSD-licensed Robot Operating System. A ROS system consists of multiple processes running on multiple
More informationComponent Based Mechatronics Modelling Methodology
Component Based Mechatronics Modelling Methodology R.Sell, M.Tamre Department of Mechatronics, Tallinn Technical University, Tallinn, Estonia ABSTRACT There is long history of developing modelling systems
More informationWireless technologies Test systems
Wireless technologies Test systems 8 Test systems for V2X communications Future automated vehicles will be wirelessly networked with their environment and will therefore be able to preventively respond
More informationCompliance & Safety. Mark-Alexander Sujan Warwick CSI
Compliance & Safety Mark-Alexander Sujan Warwick CSI What s wrong with this equation? Safe Medical Device #1 + Safe Medical Device #2 = Unsafe System (J. Goldman) 30/04/08 Compliance & Safety 2 Integrated
More informationGlobal Navigation Satellite System for IE 5000
Global Navigation Satellite System for IE 5000 Configuring GNSS 2 Information About GNSS 2 Guidelines and Limitations 4 Default Settings 4 Configuring GNSS 5 Configuring GNSS as Time Source for PTP 6 Verifying
More informationSoftware as a Medical Device (SaMD)
Software as a Medical Device () Working Group Status Application of Clinical Evaluation Working Group Chair: Bakul Patel Center for Devices and Radiological Health US Food and Drug Administration NWIE
More informationAutonomy, how much human in the loop? Architecting systems for complex contexts
Architecting systems for complex contexts by Gerrit Muller University College of South East Norway e-mail: gaudisite@gmail.com www.gaudisite.nl Abstract The move from today s automotive archictectures
More informationDistributed Control-as-a-Service with Wireless Swarm Systems"
Distributed Control-as-a-Service with Wireless Swarm Systems" Prof. Rahul Mangharam Director, Real-Time & Embedded Systems Lab Dept. Electrical & Systems Engineering Dept. Computer & Information Science
More informationCombination Products Verification, Validation & Human Factors Sept. 12, 2017
Combination Products Verification, Validation & Human Factors Sept. 12, 2017 Speaker Scott Thiel Director, Navigant Consulting Regulatory consulting in Life Sciences industry with focus on medical devices,
More informationSoftware Model Checking for Embedded Systems
Software Checking for Embedded Systems SAnToS Laboratory, Kansas State University, USA LASER, University of Massachusetts, USA Principal Investigators Support Matt Dwyer John Hatcliff George Avrunin Staff
More informationLUCEDA PHOTONICS DELIVERS A SILICON PHOTONICS IC SOLUTION IN TANNER L-EDIT
LUCEDA PHOTONICS DELIVERS A SILICON PHOTONICS IC SOLUTION IN TANNER L-EDIT WIM BOGAERTS, PIETER DUMON, AND MARTIN FIERS, LUCEDA PHOTONICS JEFF MILLER, MENTOR GRAPHICS A M S D E S I G N & V E R I F I C
More informationC Series Functional Safety
SAFETY MANUAL C Series Functional Safety This document provides information about developing, deploying, and running Functional Safety systems using C Series Functional Safety modules. C Series Functional
More informationLeveraging 21st Century SE Concepts, Principles, and Practices to Achieve User, Healthcare Services, and Medical Device Development Success
Leveraging 21st Century SE Concepts, Principles, and Practices to Achieve User, Healthcare Services, and Medical Device Development Success Charles Wasson, ESEP Wasson Strategics, LLC Professional Training
More informationIsrael Railways No Fault Liability Renewal The Implementation of New Technological Safety Devices at Level Crossings. Amos Gellert, Nataly Kats
Mr. Amos Gellert Technological aspects of level crossing facilities Israel Railways No Fault Liability Renewal The Implementation of New Technological Safety Devices at Level Crossings Deputy General Manager
More informationEnsuring Innovation. By Kevin Richardson, Ph.D. Principal User Experience Architect. 2 Commerce Drive Cranbury, NJ 08512
By Kevin Richardson, Ph.D. Principal User Experience Architect 2 Commerce Drive Cranbury, NJ 08512 The Innovation Problem No one hopes to achieve mediocrity. No one dreams about incremental improvement.
More informationUnderstanding STPA-Sec Through a Simple Roller Coaster Example
Understanding STPA-Sec Through a Simple Roller Coaster Example William Young Jr PhD Candidate, Engineering Systems Division Systems Engineering Research Lab Massachusetute of Technology 2016 STAMP
More informationCSCI 445 Laurent Itti. Group Robotics. Introduction to Robotics L. Itti & M. J. Mataric 1
Introduction to Robotics CSCI 445 Laurent Itti Group Robotics Introduction to Robotics L. Itti & M. J. Mataric 1 Today s Lecture Outline Defining group behavior Why group behavior is useful Why group behavior
More informationARCHITECTURE AND MODEL OF DATA INTEGRATION BETWEEN MANAGEMENT SYSTEMS AND AGRICULTURAL MACHINES FOR PRECISION AGRICULTURE
ARCHITECTURE AND MODEL OF DATA INTEGRATION BETWEEN MANAGEMENT SYSTEMS AND AGRICULTURAL MACHINES FOR PRECISION AGRICULTURE W. C. Lopes, R. R. D. Pereira, M. L. Tronco, A. J. V. Porto NepAS [Center for Teaching
More informationThe GRAIL project: Galileo Localisation for the European Train Control System
The GRAIL project: Galileo Localisation for the European Train Control System CERGAL 2008 Braunschweig, 3. April 2008 M. Meyer zu Hörste, K. Lemmer, A. Urech and M. Jose Galileo 6 th Framework Programme
More informationKey Safety Challenges for the IIoT
An Industrial Internet Consortium Technical White Paper IIC:WHT:IN6:V1.0:PB:20171201 2017-12-01 Version 1.0 The Industrial Internet is an internet of things, machines, computers and people. Industrial
More informationDEVELOPMENT OF A ROBOID COMPONENT FOR PLAYER/STAGE ROBOT SIMULATOR
Proceedings of IC-NIDC2009 DEVELOPMENT OF A ROBOID COMPONENT FOR PLAYER/STAGE ROBOT SIMULATOR Jun Won Lim 1, Sanghoon Lee 2,Il Hong Suh 1, and Kyung Jin Kim 3 1 Dept. Of Electronics and Computer Engineering,
More informationDeviceNet Physical Layer Design and Conformance Testing
DeviceNet Physical Layer Design and Conformance Testing Kiah Hion Tang, Richard T. McLaughlin DeviceNet Europe Technical Support Centre, University of Warwick, U.K. Abstract DeviceNet defines a more tightened
More informationDespite the euphonic name, the words in the program title actually do describe what we're trying to do:
I've been told that DASADA is a town in the home state of Mahatma Gandhi. This seems a fitting name for the program, since today's military missions that include both peacekeeping and war fighting. Despite
More informationApplied Safety Science and Engineering Techniques (ASSET TM )
Applied Safety Science and Engineering Techniques (ASSET TM ) The Evolution of Hazard Based Safety Engineering into the Framework of a Safety Management Process Applied Safety Science and Engineering Techniques
More informationKeywords: Aircraft Systems Integration, Real-Time Simulation, Hardware-In-The-Loop Testing
25 TH INTERNATIONAL CONGRESS OF THE AERONAUTICAL SCIENCES REAL-TIME HARDWARE-IN-THE-LOOP SIMULATION OF FLY-BY-WIRE FLIGHT CONTROL SYSTEMS Eugenio Denti*, Gianpietro Di Rito*, Roberto Galatolo* * University
More informationSAFETY CASES: ARGUING THE SAFETY OF AUTONOMOUS SYSTEMS SIMON BURTON DAGSTUHL,
SAFETY CASES: ARGUING THE SAFETY OF AUTONOMOUS SYSTEMS SIMON BURTON DAGSTUHL, 17.02.2017 The need for safety cases Interaction and Security is becoming more than what happens when things break functional
More informationRECOMMENDATION ITU-R M.541-8*
Rec. ITU-R M.541-8 1 RECOMMENDATION ITU-R M.541-8* OPERATIONAL PROCEDURES FOR THE USE OF DIGITAL SELECTIVE-CALLING EQUIPMENT IN THE MARITIME MOBILE SERVICE (Question ITU-R 9/8) (1978-1982-1986-1990-1992-1994-1995-1996-1997)
More informationSAP Dynamic Edge Processing IoT Edge Console - Administration Guide Version 2.0 FP01
SAP Dynamic Edge Processing IoT Edge Console - Administration Guide Version 2.0 FP01 Table of Contents ABOUT THIS DOCUMENT... 3 Glossary... 3 CONSOLE SECTIONS AND WORKFLOWS... 5 Sensor & Rule Management...
More informationASTRO 25 MISSION CRITICAL DATA YOUR LIFELINE FOR SUCCESSFUL MISSIONS
ASTRO 25 MISSION CRITICAL DATA YOUR LIFELINE FOR SUCCESSFUL MISSIONS ALWAYS AVAILABLE Your mission critical operations depend on reliable voice PTT communications all the time, everywhere you operate.
More informationPan-Canadian Trust Framework Overview
Pan-Canadian Trust Framework Overview A collaborative approach to developing a Pan- Canadian Trust Framework Authors: DIACC Trust Framework Expert Committee August 2016 Abstract: The purpose of this document
More informationDeepwind Conference 2018, Trondheim, Norway. D-ICE Engineering
Deepwind Conference 2018, Trondheim, Norway D-ICE Engineering Services & Products Arctic Engineering About us Dynamic Positioning Dynamic Positioning Basin Tests Full Scale Tests R&D Design & Simulations
More informationUSING THE INDUSTRIAL INTERNET OF THINGS TO TRANSFORM HUMAN SAFETY AND ENERGY CONSUMPTION IN THE MINING INDUSTRY
INNOVATION INVESTIGATION USING THE INDUSTRIAL INTERNET OF THINGS TO TRANSFORM HUMAN SAFETY AND ENERGY CONSUMPTION IN THE MINING INDUSTRY NTT INNOVATION INSTITUTE, INC. TRANSFORMING IDEAS INTO MARKETPLACE
More informationSCOE SIMULATION. Pascal CONRATH (1), Christian ABEL (1)
SCOE SIMULATION Pascal CONRATH (1), Christian ABEL (1) Clemessy Switzerland AG (1) Gueterstrasse 86b 4053 Basel, Switzerland E-mail: p.conrath@clemessy.com, c.abel@clemessy.com ABSTRACT During the last
More informationSystems. Roland Kammerer. 29. October Institute of Computer Engineering Vienna University of Technology. Communication in Distributed Embedded
Communication Roland Institute of Computer Engineering Vienna University of Technology 29. October 2010 Overview 1. Distributed Motivation 2. OSI Communication Model 3. Topologies 4. Physical Layer 5.
More informationMathematical Techniques. for Mitigating Alarm Fatigue
Mathematical Techniques Alarm Fatigue for Mitigating Alarm Fatigue Hospital staff are exposed to an average of 350 alarms per bed per day, based on a sample from an intensive care unit at the Johns Hopins
More informationKnowledge Enhanced Electronic Logic for Embedded Intelligence
The Problem Knowledge Enhanced Electronic Logic for Embedded Intelligence Systems (military, network, security, medical, transportation ) are getting more and more complex. In future systems, assets will
More informationSYNTHESIZING AND SPECIFYING ARCHITECTURES FOR SYSTEM OF SYSTEMS
SYSTEM OF SYSTEMS ENGINEERING COLLABORATORS INFORMATION EXCHANGE (SOSECIE) SYNTHESIZING AND SPECIFYING ARCHITECTURES FOR SYSTEM OF SYSTEMS 28 APRIL 2015 C. Robert Kenley, PhD, ESEP Associate Professor
More information"TELSIM: REAL-TIME DYNAMIC TELEMETRY SIMULATION ARCHITECTURE USING COTS COMMAND AND CONTROL MIDDLEWARE"
"TELSIM: REAL-TIME DYNAMIC TELEMETRY SIMULATION ARCHITECTURE USING COTS COMMAND AND CONTROL MIDDLEWARE" Rodney Davis, & Greg Hupf Command and Control Technologies, 1425 Chaffee Drive, Titusville, FL 32780,
More informationDr. Cynthia Dion-Schwartz Acting Associate Director, SW and Embedded Systems, Defense Research and Engineering (DDR&E)
Software-Intensive Systems Producibility Initiative Dr. Cynthia Dion-Schwartz Acting Associate Director, SW and Embedded Systems, Defense Research and Engineering (DDR&E) Dr. Richard Turner Stevens Institute
More informationidocent: Indoor Digital Orientation Communication and Enabling Navigational Technology
idocent: Indoor Digital Orientation Communication and Enabling Navigational Technology Final Proposal Team #2 Gordie Stein Matt Gottshall Jacob Donofrio Andrew Kling Facilitator: Michael Shanblatt Sponsor:
More informationGA A23281 EXTENDING DIII D NEUTRAL BEAM MODULATED OPERATIONS WITH A CAMAC BASED TOTAL ON TIME INTERLOCK
GA A23281 EXTENDING DIII D NEUTRAL BEAM MODULATED OPERATIONS WITH A CAMAC BASED TOTAL ON TIME INTERLOCK by D.S. BAGGEST, J.D. BROESCH, and J.C. PHILLIPS NOVEMBER 1999 DISCLAIMER This report was prepared
More informationDEVELOPMENTS IN EU MDD & IVDD SOFTWARE REGULATION
Objectives DEVELOPMENTS IN EU MDD & IVDD SOFTWARE REGULATION Some brief remarks on data protection Current regulation of medical devices software Overview of EU medical devices directives revision process
More informationAnalysis and Design of Safety-critical, Cyber-Physical Systems
Analysis and Design of Safety-critical, Cyber-Physical Systems John D. McGregor School of Computing Clemson University Clemson, SC 29632 johnmc@clemson.edu David P. Gluch Software Engineering Institute
More informationINF3430 Clock and Synchronization
INF3430 Clock and Synchronization P.P.Chu Using VHDL Chapter 16.1-6 INF 3430 - H12 : Chapter 16.1-6 1 Outline 1. Why synchronous? 2. Clock distribution network and skew 3. Multiple-clock system 4. Meta-stability
More informationmedlab Two Channel Invasive Blood Pressure OEM board EG 02000
medlab Two Channel Invasive Blood Pressure OEM board EG 02000 Technical Manual Copyright Medlab 2003-2014 1 Version 2.02 01.04.2014 Contents: Mechanical dimensions, overview 3 Specifications 5 Connector
More informationExtending PSSA for Complex Systems
Extending PSSA for Complex Systems Professor John McDermid, Department of Computer Science, University of York, UK Dr Mark Nicholson, Department of Computer Science, University of York, UK Keywords: preliminary
More informationCEOCFO Magazine. Pat Patterson, CPT President and Founder. Agilis Consulting Group, LLC
CEOCFO Magazine ceocfointerviews.com All rights reserved! Issue: July 10, 2017 Human Factors Firm helping Medical Device and Pharmaceutical Companies Ensure Usability, Safety, Instructions and Training
More informationTarocco Closed Loop Motor Controller
Contents Safety Information... 3 Overview... 4 Features... 4 SoC for Closed Loop Control... 4 Gate Driver... 5 MOSFETs in H Bridge Configuration... 5 Device Characteristics... 6 Installation... 7 Motor
More information