
Jacky: “Safety-Critical Computing …” ► Therac-25 illustrated that computer-controlled equipment could be less safe than its predecessors. ► Why use computers at all, if satisfactory techniques already exist? ► Who is held responsible? ► Therac-25 relied on computer control instead of physical safeguards.

Jacky (cont. 1) ► What are the differences between physical failures and logical/software failures? ► Therac had two modes: producing electron beams and producing X-rays. To produce X-rays, the electron beam was up to 100 times more powerful, and a metal target is supposed to absorb the electrons. ► If the technician switched from X-rays to electrons within 8 seconds, the target was withdrawn but the beam remained set to full intensity.

Jacky (cont. 2) ► Therac was not the first system to irradiate and kill patients; 3 patients were killed in 1966 because of a failure in the system. ► Over 500 patients were successfully treated by Therac before the failures. ► This is the problem with software: just because a system works for a certain number of test cases does not mean we can predict its behaviour on other cases.

Jacky (cont. 3) ► Testing software is different from testing typical engineered structures. ► If a bridge can sustain a weight of 5000kg, it can also sustain a weight of 4999kg, 4998kg, 4997kg, … Software has no such continuity. ► Why were the technicians not alarmed when the interface read Malfunction 54 while treating patients?

Jacky (cont. 4) ► What did AECL do when it became apparent that there was a problem? ► Ans. They proposed a solution where they would take off the key cap of the “up arrow” key and cover it with electrical tape. This would make it difficult to switch from X-ray to normal quickly.

Jacky (cont. 5) ► Therac-25 had a history of problems: – A massive assembly started rotating spontaneously (failure: diode blown out). – Patients were overdosed with the Therac-20 (failure: hazy, with fuses blown and a hardware circuit at fault, but hardwired locks limited the harm). ► The public's faith in computing is illustrated on page 772, paragraph 5.

Jacky (cont. 6) ► Why did institutions continue to use the Therac-25? ► “The world is largely divided between people whose job it is to track down problems and others who are supposed to get on with production.” (pg. 773) ► Virtually all devices now have embedded computers.

Jacky (cont. 7) ► The FDA recalls about 400 medical devices per year, e.g. ultrasound units, patient monitors, pacemakers, blood analyzers, ventilators, etc. (pg. 774) ► Marvin Minsky: “When a program grows in power by an evolution of partially understood patches and fixes, the programmer begins to lose track of the internal details …”

Jacky (cont. 8) ► “… loses his ability to predict what will happen, begins to hope instead of to know, and watches the result as though the program were an individual whose range of behavior is uncertain.” ► When do we stop testing? ► What does it mean to stop testing when we achieve 2 – 3 errors per 1000 lines of code? What is a line of code?

Jacky (cont. 9) ► We work around bugs. That is one reason software has such low standards. ► Safety is not the same as reliability. Can a system be reliable but unsafe? ► Safety engineering: failure of a single component should never be capable of causing an accident.
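The mode-switch hazard from slide (cont. 1) and the single-component principle on this slide, as an added Python model that is not from the page or from AECL: the relative beam levels, the 8-second window and the independent position sensor are constructed assumptions, `edit_mode` shows the flaw and `fire_with_interlock` the hardened check.

```python
ELECTRON, XRAY = 1, 100   # constructed relative levels; page: X-ray "up to 100 times more powerful"
EDIT_WINDOW = 8           # page: a mode edit within 8 seconds produced the hazard


class Therac:
    """Software-only view of the machine: target position and beam level."""

    def __init__(self):
        self.target_in, self.intensity, self.setup_time = True, XRAY, 0.0

    def setup(self, mode, now):
        """Full setup: target position and beam level both follow the mode."""
        self.target_in = (mode == "xray")      # metal target absorbs the electrons
        self.intensity = XRAY if mode == "xray" else ELECTRON
        self.setup_time = now

    def edit_mode(self, mode, now):
        """Models the flaw: a quick edit moves the target, but the beam level
        from the earlier setup is only recomputed once the window has passed."""
        self.target_in = (mode == "xray")
        if now - self.setup_time >= EDIT_WINDOW:
            self.intensity = XRAY if mode == "xray" else ELECTRON
        self.setup_time = now

    def fire(self):
        """Unsafe firing: trusts the software state. Returns (intensity, overdose),
        where overdose means a full-power beam with the target withdrawn."""
        return self.intensity, (not self.target_in and self.intensity == XRAY)


def fire_with_interlock(m, sensed_target_in):
    """Hardened firing: an independent position sensor must agree with the beam
    level before the beam is enabled, so one software fault cannot cause a dose."""
    if sensed_target_in != (m.intensity == XRAY):
        return None, "interlock: beam level and target position disagree"
    return m.intensity, "ok"


def switch_to_electron(seconds_after_setup):
    """Operator sets up X-ray mode, then edits to electron mode after a delay."""
    m = Therac()
    m.setup("xray", now=0.0)
    m.edit_mode("electron", now=seconds_after_setup)
    return m


if __name__ == "__main__":
    quick, slow = switch_to_electron(5.0), switch_to_electron(20.0)
    print(quick.fire(), slow.fire())                     # (100, True) (1, False)
    print(fire_with_interlock(quick, quick.target_in))   # refused by the interlock
```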

Jacky (cont. 10) ► Tony Hoare: “The principle that the work of an engineer should be inspected and signed off by another more experienced and competent engineer lies at the heart of the codes of safe practice in all branches of engineering.” ► What is one criticism of formal software engineering methods?

Jacky (cont. 11) ► How useful are formal methods? Are they expensive? (pg. 284) ► What of regulation? ► John Shore: “We require certification for doctors, lawyers, architects, civil engineers, aircraft pilots, automobile drivers, and even hair stylists! Why not software engineers?”

Jacky (cont. 12) ► Tony Hoare: “No industry and no profession has ever voluntarily and spontaneously developed or adopted an effective and relevant code for safe practice. Even voluntary codes are established only in the face of some kind of external pressure or threat, arising from public disquiet, fostered by journals and newspapers and taken up by politicians.”

Jacky (cont. 13) ► Is there really a need for regulation? How do programmers compare with each other? ► Ans. The best programmers are 25 times better than the worst. Some teams out-produce others by a factor of up to 5. Some managers have a poor grip on their responsibilities.

Jacky (cont. 14) ► What types of regulation are proposed? – Regulate programmers: they must satisfy educational requirements. – Certify organizations, i.e. companies and departments, e.g. through ISO (this is the favored approach). – Regulate the products themselves. – The UK Ministry has a requirement that formal methods must be used for military software.

Jacky (cont. 15) ► The UK has a law, the “Machine Safety Directive”, which allows criminal charges to be brought against the director or manager responsible for a device that causes injury.