Life-critical
A safety-critical system (SCS) or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:

* death or serious injury to people
* loss or severe damage to equipment/property
* environmental harm

A safety-related system (or sometimes safety-involved system) comprises everything (hardware, software, and human aspects) needed to perform one or more safety functions, in which failure would cause a significant increase in the safety risk for the people or environment involved. Safety-related systems are those that do not have full responsibility for controlling hazards such as loss of life, severe injury or severe environmental damage. The malfunction of a safety-involved system would only be that hazardous in conjunction with the failure of other systems or human error. Some safety organizations provide guidance on safety-related systems, for example the Health and Safety Executive (HSE) in the United Kingdom.

Risks of this sort are usually managed with the methods and tools of safety engineering. A safety-critical system is designed to lose less than one life per billion (10⁹) hours of operation. Typical design methods include probabilistic risk assessment, a method that combines failure mode and effects analysis (FMEA) with fault tree analysis. Safety-critical systems are increasingly computer-based.
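The following Python is an added illustration of the fault tree analysis step in probabilistic risk assessment (example code, not from the original article): it evaluates a small constructed fault tree for an infusion pump and checks the top-event probability against the one-in-10⁹-hours target stated above. The event names, per-hour failure probabilities and the three candidate designs are constructed assumptions.

```python
"""Fault tree evaluation against a safety target (added example, not from the article).

A fault tree expresses how basic failures combine, through AND/OR gates, into a
top-level hazardous event. Here the hazard is "uncommanded infusion" by a pump.
All event names and per-hour failure probabilities below are constructed
assumptions chosen to illustrate the method, not data from any real device.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

# Design target quoted in the article: fewer than one fatal outcome per 1e9 hours.
TARGET_PER_HOUR = 1e-9


@dataclass(frozen=True)
class Event:
    """A basic event with an independent per-hour failure probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: all inputs must fail; OR: any input failing suffices."""
    name: str
    kind: str      # "AND" or "OR"
    inputs: tuple  # of Event | Gate


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Per-hour probability of the node's failure, assuming independent inputs."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_fail = 1.0
        for p in ps:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def meets_target(top: Node, target: float = TARGET_PER_HOUR) -> bool:
    """True when the top event's per-hour probability is below the target."""
    return probability(top) < target


# Constructed basic events (the per-hour probabilities are assumptions).
CONTROLLER_FAULT = Event("pump controller commands wrong dose", 1e-6)
MONITOR_MISS = Event("independent dose monitor fails to cut power", 1e-4)
COMMON_MODE = Event("shared fault disables both channels at once", 1e-10)
SHARED_CODE_DEFECT = Event("monitor reuses controller code, same bug", 1e-7)

# Design A: single channel, no independent monitor. The controller fault alone
# is the top event, so the hazard rate equals the controller's fault rate.
DESIGN_A = Gate("uncommanded infusion", "OR", (CONTROLLER_FAULT,))

# Design B: independent monitor. The hazard needs BOTH the controller fault AND
# the monitor miss, OR a common-mode failure that defeats both at once.
DESIGN_B = Gate("uncommanded infusion", "OR", (
    Gate("both channels fail", "AND", (CONTROLLER_FAULT, MONITOR_MISS)),
    COMMON_MODE,
))

# Design C: like B, but the "independent" monitor shares the controller's code,
# so one software defect is a common cause that bypasses the AND gate.
DESIGN_C = Gate("uncommanded infusion", "OR", (
    Gate("both channels fail", "AND", (CONTROLLER_FAULT, MONITOR_MISS)),
    SHARED_CODE_DEFECT,
))


if __name__ == "__main__":
    for label, tree in (("A", DESIGN_A), ("B", DESIGN_B), ("C", DESIGN_C)):
        p = probability(tree)
        verdict = "meets" if meets_target(tree) else "MISSES"
        print(f"design {label}: {p:.2e}/h  {verdict} target {TARGET_PER_HOUR:.0e}/h")
```

Design C is the case a reviewer should look for: the AND gate promises independence that the shared code does not deliver, and the common-cause branch dominates the result.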


Reliability regimes

Several reliability regimes for safety-critical systems exist:

* Fail-operational systems continue to operate when their control systems fail. Examples of these include elevators, the gas thermostats in most home furnaces, and passively safe nuclear reactors. Fail-operational mode is sometimes unsafe. Launch-on-loss-of-communications for nuclear weapons was rejected as a control system for the U.S. nuclear forces because it is fail-operational: a loss of communications would cause launch, so this mode of operation was considered too risky. This is contrasted with the fail-deadly behavior of the Perimeter system built during the Soviet era.
* Fail-soft systems are able to continue operating on an interim basis with reduced efficiency in case of failure. Most spare tires are an example of this: they usually come with certain restrictions (e.g. a speed restriction) and lead to lower fuel economy. Another example is the "Safe Mode" found in most Windows operating systems.
* Fail-safe systems become safe when they cannot operate. Many medical systems fall into this category. For example, an infusion pump can fail, and as long as it alerts the nurse and ceases pumping, it will not threaten the loss of life because its safety interval is long enough to permit a human response. In a similar vein, an industrial or domestic burner controller can fail, but must fail in a safe mode (i.e. turn combustion off when it detects faults). Famously, nuclear weapon systems that launch-on-command are fail-safe, because if the communications systems fail, launch cannot be commanded. Railway signaling is designed to be fail-safe.
* Fail-secure systems maintain maximum security when they cannot operate. For example, while fail-safe electronic doors unlock during power failures, fail-secure ones will lock, keeping an area secure.
* Fail-passive systems continue to operate in the event of a system failure. An example includes an aircraft autopilot. In the event of a failure, the aircraft would remain in a controllable state and allow the pilot to take over and complete the journey and perform a safe landing.
* Fault-tolerant systems avoid service failure when faults are introduced to the system. An example may include control systems for ordinary nuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system, and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. The computers, power supplies and control terminals used by human beings must all be duplicated in these systems in some fashion.
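To make the fault-tolerant and fail-safe regimes concrete, here is an added Python sketch (not from the article) of a supervisor that continually self-tests redundant controller channels, switches to a hot spare when the active channel stops passing its test, and drops into a latched fail-safe state (stop the actuator, raise the alarm) once no healthy channel remains. The channel names, tick-based fault schedule and mode names are constructed assumptions.

```python
"""Hot-spare supervision with a fail-safe fallback (added example, not from the article).

Models the fault-tolerant regime described above: several channels run in
parallel, a supervisor continually checks them, and a hot spare takes over when
the active channel fails. When no spare is left, the supervisor applies the
fail-safe regime instead of continuing to operate: the actuator is stopped and
a human is alerted. Channel names and fault schedules are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    OPERATIONAL = "operational"  # active channel healthy, full redundancy
    DEGRADED = "degraded"        # running on a spare, redundancy reduced
    SAFE_STATE = "safe_state"    # output stopped, alarm raised, latched


@dataclass
class Channel:
    """One redundant controller channel. `fails_at` is the tick at which a
    constructed fault makes it stop passing its self-test (None: never)."""
    name: str
    fails_at: Optional[int] = None

    def self_test_ok(self, tick: int) -> bool:
        return self.fails_at is None or tick < self.fails_at


@dataclass
class Supervisor:
    channels: List[Channel]
    active: int = 0
    mode: Mode = Mode.OPERATIONAL
    output_enabled: bool = True
    alarm: bool = False
    log: List[str] = field(default_factory=list)

    def tick(self, t: int) -> Mode:
        """One supervision cycle: test the active channel, fail over or go safe."""
        if self.mode is Mode.SAFE_STATE:
            return self.mode  # latched: only a human reset may leave safe state
        if self.channels[self.active].self_test_ok(t):
            return self.mode
        failed = self.channels[self.active].name
        # First spare that still passes its own self-test right now.
        spare = next((i for i, c in enumerate(self.channels)
                      if i != self.active and c.self_test_ok(t)), None)
        if spare is None:
            # No redundancy left: fail safe rather than fail operational.
            self.mode = Mode.SAFE_STATE
            self.output_enabled = False
            self.alarm = True
            self.log.append(f"t={t}: {failed} failed, no spare: output stopped, alarm raised")
        else:
            self.active = spare
            self.mode = Mode.DEGRADED
            self.log.append(f"t={t}: {failed} failed, switched to {self.channels[spare].name}")
        return self.mode


def run(channels: List[Channel], ticks: int) -> Supervisor:
    """Run the supervisor for `ticks` cycles and return its final state."""
    sup = Supervisor(channels)
    for t in range(ticks):
        sup.tick(t)
    return sup


if __name__ == "__main__":
    # Constructed scenario: A fails at tick 3, B at tick 6, no third channel.
    final = run([Channel("A", fails_at=3), Channel("B", fails_at=6)], ticks=10)
    print("\n".join(final.log))
    print("final mode:", final.mode.value)
```

The DEGRADED mode is the maintenance hook the regime description relies on: a real system would raise a service request there so the failed channel is repaired before the remaining one is the last line of defence.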


Software engineering for safety-critical systems

Software engineering for safety-critical systems is particularly difficult. There are three aspects which can be applied to aid the engineering of software for life-critical systems. First is process engineering and management. Second is selecting the appropriate tools and environment for the system; this allows the system developer to effectively test the system by emulation and observe its effectiveness. Third is addressing any legal and regulatory requirements, such as FAA requirements for aviation. By setting a standard under which a system is required to be developed, it forces the designers to stick to the requirements. The avionics industry has succeeded in producing standard methods for producing life-critical avionics software. Similar standards exist for industry in general (IEC 61508) and for the automotive (ISO 26262), medical (IEC 62304) and nuclear (IEC 61513) industries specifically. The standard approach is to carefully code, inspect, document, test, verify and analyze the system. Another approach is to certify a production system, a compiler, and then generate the system's code from specifications. Another approach uses formal methods to generate proofs that the code meets requirements. All of these approaches improve the software quality in safety-critical systems by testing or eliminating manual steps in the development process, because people make mistakes, and these mistakes are the most common cause of potential life-threatening errors.


Examples of safety-critical systems


Infrastructure

* Circuit breaker
* Emergency services dispatch systems
* Electricity generation, transmission and distribution
* Fire alarm
* Fire sprinkler
* Fuse (electrical)
* Fuse (hydraulic)
* Life support systems
* Telecommunications


Medicine

The technology requirements can go beyond avoidance of failure, and can even facilitate medical intensive care (which deals with healing patients), and also life support (which is for stabilizing patients).

* Heart-lung machines
* Mechanical ventilation systems
* Infusion pumps and insulin pumps
* Radiation therapy machines
* Robotic surgery machines
* Defibrillator machines
* Pacemaker devices
* Dialysis machines
* Devices that electronically monitor vital functions (electrography; especially electrocardiography, ECG or EKG, and electroencephalography, EEG)
* Medical imaging devices (X-ray, computerized tomography (CT or CAT), different magnetic resonance imaging (MRI) techniques, positron emission tomography (PET))
* Even healthcare information systems have significant safety implications


Nuclear engineering

* Nuclear reactor control systems


Recreation

* Amusement rides
* Climbing equipment
* Parachutes
* Scuba equipment
** Diving rebreather
** Dive computer (depending on use)


Transport


Railway

* Railway signalling and control systems
* Platform detection to control train doors
* Automatic train stop


Automotive

* Airbag systems
* Braking systems
* Seat belts
* Power steering systems
* Advanced driver-assistance systems
* Electronic throttle control
* Battery management system for hybrids and electric vehicles
* Electric park brake
* Shift by wire systems
* Drive by wire systems
* Park by wire


Aviation

* Air traffic control systems
* Avionics, particularly fly-by-wire systems
* Radio navigation RAIM
* Engine control systems
* Aircrew life support systems
* Flight planning to determine fuel requirements for a flight


Spaceflight

* Human spaceflight vehicles
* Rocket range launch safety systems
* Launch vehicle safety
* Crew rescue systems
* Crew transfer systems


See also

* High integrity software
* Real-time computing


External links

* An Example of a Life-Critical System
* Safety-critical systems Virtual Library

