Which of the following is a defining feature of a safety-critical software system

Part 1: Write answers to the following questions on dependability and security engineering of software systems

1.     Give two examples of government functions that are supported by complex sociotechnical systems and explain why, in the foreseeable future, these functions cannot be completely automated.

Service New Brunswick, Hospital Patient Registration System.

As long as such systems provide services to human users with different backgrounds, capabilities, and personalities, these functions cannot be completely automated.

2.     Explain why the environment in which a computer-based system is installed may have unanticipated effects on the system that lead to system failure. Illustrate your answer with a different example from that used in Chapter 10 of the textbook.

Other systems in the system's environment can have unanticipated effects because they have relationships with the system over and above whatever formal relationships (e.g. data exchange) are defined in the system specification. For example, the system may share an electrical power supply and air conditioning unit, they may be located in the same room (so if there is a fire in one system then the other will be affected) etc.

3.     Why is it impossible to infer the emergent properties of a complex system from the properties of the system components?

For a complex system, the integration of a large number of components is itself complex, so the integrated system may have emergent properties of its own, even if each individual component has satisfactory emergent properties.

4.     Why is it sometimes difficult to decide whether or not there has been a failure in a sociotechnical system? Illustrate your answer by using examples from the MHC-PMS that has been discussed in textbook chapters.

The notion of a system failure is a judgment on the part of the observer of the failure, depending on their experience and expectations. Users of a system never read the specification so it is pointless to define failures as a deviation from a specification.

For example, consider two users of the MHC-PMS from different backgrounds:

a)     User 1 is a doctor who has extensive experience of mental health care. When selecting a menu of options to identify the patient's condition, he or she will expect to see in this menu the conditions with which they are familiar. If these conditions do not appear in the menu then he or she may consider this to be a system failure.

b)     User 2 is a doctor who has recently graduated and has only limited experience of mental health care. When selecting the menu of options, they assume that these reflect the conditions which the system can handle so they classify the patient according to these conditions. They do not observe a system failure.

5.     Giving reasons for your answers, suggest which dependability attributes are likely to be most critical for the following systems:

a)     An Internet server provided by an ISP with thousands of customers

b)     A computer-controlled scalpel used in keyhole surgery

c)     A directional control system used in a satellite launch vehicle

d)     An Internet-based personal finance management system

Internet server: Availability, as a failure of availability affects a large number of people and the reputation of the supplier, and hence its current and future income.

A computer-controlled scalpel: Safety, as safety-related failures can cause harm to the patient.

A directional control system: Reliability, as mission failure could result from failure of the system to perform to specification.

A personal finance management system: Security, because of potential losses to users.

6.     Identify six consumer products that are likely to be controlled by safety-critical software systems.

Possible domestic appliances that may include safety-critical software include:

Microwave oven

Power tools such as a drill or electric saw

Lawnmower

Central heating furnace

Garbage disposal unit

Vacuum cleaner

Food processor or blender

7.     Reliability and safety are related but distinct dependability attributes. Describe the most important distinction between these attributes and explain why it is possible for a reliable system to be unsafe and vice versa.

Ensuring system reliability does not necessarily lead to system safety as reliability is concerned with meeting the system specification (the system 'shall') whereas safety is concerned with excluding the possibility of dangerous behavior (the system 'shall not'). If the specification does not explicitly exclude dangerous behavior then a system can be reliable but unsafe.

8.     In a medical system that is designed to deliver radiation to treat tumors, suggest one hazard that may arise and propose one software feature that may be used to ensure that the identified hazard does not result in an accident.

A possible hazard is delivery of too much radiation to a patient. This can arise because of a system failure where a dose greater than the specified dose is delivered or an operator failure where the dose to be delivered is wrongly input.

Software features that may be included to guard against system failure are the delivery of radiation in increments with an operator display showing the dose delivered and the requirement that the operator confirm the delivery of the next increment. To reduce the probability of operator error, there could be a feature that requires confirmation of the dose to be delivered and that compares this to previous doses delivered to that patient. Alternatively, two different operators could be required to independently input the dose before the machine could operate.
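The three safeguards above (dose confirmation against the patient's history, dual independent entry, and incremental delivery with per-step confirmation) as an added example; this is not code from the textbook, and the 25% deviation threshold and the sample doses are constructed values.

```python
from dataclasses import dataclass, field

def check_entered_dose(entered: float, previous_doses: list[float],
                       max_deviation: float = 0.25) -> tuple[bool, str]:
    """Return (needs_confirmation, reason) for an operator-entered dose.
    Constructed rule: a dose more than 25% away from the mean of the patient's
    previous doses, or any dose for a patient with no history, must be confirmed."""
    if entered <= 0:
        return True, "dose must be positive"
    if not previous_doses:
        return True, "no prior doses on record; explicit confirmation required"
    mean = sum(previous_doses) / len(previous_doses)
    if abs(entered - mean) > max_deviation * mean:
        return True, f"entered {entered} deviates more than {max_deviation:.0%} from mean {mean:.2f}"
    return False, "within the patient's usual range"

def doses_agree(dose_operator_1: float, dose_operator_2: float) -> bool:
    """Dual entry: two operators must independently enter the same positive dose."""
    return dose_operator_1 > 0 and dose_operator_1 == dose_operator_2

@dataclass
class IncrementalDelivery:
    """Delivers the prescription in increments; each step needs a fresh confirmation
    and the running total shown to the operator can never exceed the prescription."""
    prescribed: float
    increment: float
    delivered: float = 0.0
    display_log: list[float] = field(default_factory=list)  # what the operator sees

    def deliver_next(self, operator_confirmed: bool) -> float:
        """Deliver one increment and return the amount actually delivered (0.0 if refused)."""
        if not operator_confirmed:
            return 0.0
        remaining = self.prescribed - self.delivered
        if remaining <= 0:
            return 0.0                      # prescription complete: machine refuses
        step = min(self.increment, remaining)  # last step is clipped to the remainder
        self.delivered += step
        self.display_log.append(self.delivered)
        return step
```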

9.     Using the MHC-PMS as an example, identify three threats to this system in addition to the threats given in the textbook (Fig. 11.8). Suggest controls that might be put in place to reduce the chances of a successful attack based on these threats.

10.  Suggest appropriate reliability metrics for the classes of software systems below. Give reasons for your choice of metric. Predict the usage of these systems and suggest appropriate values of the reliability metrics.

a)     A system that monitors patients in a hospital intensive care unit

b)     A word processor

c)     An automated vending machine control system

d)     A system to control braking in a car

e)     A system to control a refrigeration unit

f)      A management report generator


1.     There are two essential safety requirements for the train protection system:

a)     The train shall not enter a segment of track that is signalled with a red light.

b)     The train shall not exceed the specified speed limit for a section of track.

Assuming that the signal status and the speed limit for the track segment are transmitted to onboard software on the train before it enters the track segment, propose five possible functional system requirements for the onboard software that may be generated from the system safety requirements.

There are several different possibilities here. Some examples:

a)     The system shall ensure that the train brakes are applied when a 'red signal' is received.

b)     The system shall sound an alarm in the driver's cabin when a 'red signal' is received.

c)     The system shall compare the train speed with the segment speed limit once per second.

d)     If the train speed exceeds the segment speed limit and the train throttle position is not zero then the throttle position should be reset to zero.

e)     If the train speed exceeds the segment speed limit and the train deceleration is less than the comfortable deceleration limit then the train brakes should be applied.
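The five functional requirements (a) to (e) turned into onboard decision logic, as an added example that is not part of the textbook answer; the "comfortable deceleration" threshold, the signal encoding and the sample readings are assumed values.

```python
from dataclasses import dataclass

RED_SIGNAL = "red"
# Assumed threshold for requirement (e): deceleration below this is "not slowing enough".
COMFORTABLE_DECELERATION = 0.5  # m/s^2, constructed value

@dataclass(frozen=True)
class TrainSample:
    """One onboard reading, taken once per second as requirement (c) demands."""
    signal: str          # status received for the segment ahead: "red" or "green"
    speed: float         # train speed, km/h
    speed_limit: float   # limit for the current segment, km/h
    throttle: float      # 0.0 = closed, 1.0 = fully open
    deceleration: float  # current deceleration, m/s^2 (positive = slowing down)

def onboard_actions(s: TrainSample) -> set[str]:
    """Map one reading to the set of actions the onboard software must take now."""
    actions: set[str] = set()
    if s.signal == RED_SIGNAL:
        actions.add("apply_brakes")        # (a) do not enter a red-signalled segment
        actions.add("sound_alarm")         # (b) warn the driver
    if s.speed > s.speed_limit:            # (c) the once-per-second comparison
        if s.throttle != 0.0:
            actions.add("reset_throttle")  # (d) cut power before anything else
        if s.deceleration < COMFORTABLE_DECELERATION:
            actions.add("apply_brakes")    # (e) brake if the train is not slowing enough
    return actions

def run_trace(samples: list[TrainSample]) -> list[set[str]]:
    """Evaluate a sequence of one-second samples, as the periodic check would."""
    return [onboard_actions(s) for s in samples]
```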

2.     Give two examples of diverse, redundant activities that might be incorporated into dependable processes.

Agile-based development using non-object-oriented programming

Plan-driven development using object-oriented programming

3.     Imagine you are implementing a software-based control system. Suggest circumstances in which it would be appropriate to use a fault-tolerant architecture, and explain why this approach would be required.

When a system failure cannot be tolerated because human safety is at stake, such as in an aircraft control system.

4.     You are responsible for the design of a communications switch that has to provide 24/7 availability, but which is not safety-critical. Giving reasons for your answer, suggest an architectural style that might be used for this system.

In this case, using a protection architecture may not be necessary, but to guarantee 24/7 availability a self-monitoring architecture is desirable.

5.     Use two examples to explain the important differences between application security engineering and infrastructure security engineering.

Application security: security of UNB's course registration system

Infrastructure: Security of UNB networks

6.     Use a software application system as an example to show how the layered approach to asset protection should be used.

UNB course registration system

Layer 1 asset: client interface and management system. Protection: client authentication

Layer 2 asset: course management system. Protection: administrator authentication and client authorization

Layer 3 asset: UNB student record database. Protection: database administrator authentication and client authorization

7.     What is social engineering? Why is it difficult to protect against it in large organizations?

Because it is a human-to-human activity.

Part 2: Dependability and security requirements and engineering

Assume that you are developing software to control an automated garage door control system.

1.     Write a safety requirement specification for the system with similar format to Fig. 12.5 on page 320 in the textbook.

Example: When the door is moving down and there is an object under the door, the door should immediately stop and go up.

2.     Write a functional reliability requirement specification for the system with similar format to Fig. 12.8 on page 328 in the textbook.

Example: Whenever the open or close button is pressed, the door should immediately start going up or down, with a failure rate of less than 0.001%.

3.     Write a security requirement specification for the system with similar format to those on page 332 in the textbook.

Example: Unless using the designated remote control, no other remote control can remotely open or close the door.

4.     Draw a UML class diagram to show your architecture design of the system with top-level components and their relationships, using the protection system architectural style (Fig. 13.3 on page 350). Write a short explanation of the design diagram.

5.     In terms of design for system security, for each of the design guidelines given in Fig. 14.6 on page 381 of the textbook, describe whether the guideline is relevant to this system design; if not, explain why not. If yes, describe how you apply the guideline in your design.

Part 2: Write the following documents required by the Team Software Process (TSPi) for your CS3043 MARS project

1.     Team Member Goals 1-4 (page 34)

Team Member Goal 1 Be a cooperative and effective team member.

Team Member Goal 2 Do consistently disciplined personal work.

Team Member Goal 3 Plan and track all your personal work.

Team Member Goal 4 Produce quality products.

2.     Weekly Status Report: Form Week (page 45) for any one of weeks during the project

Write your answers in an MS Word file with the name "cs3043a2.doc" or a PDF file with the name "cs1043a2.pdf". Submit the file through the course website.

Which of the following is a defining feature of a safety-critical software system?

A safety critical system is one that must function correctly to avoid human injury, human death, damage to property, financial loss, damage to the natural environment, or devastating systemic effects (such as a catastrophic drop in stock market prices).

What is safety critical software?

Safety-critical embedded software applications are developed for systems whose failures contribute to hazards that threaten life. Such software, as part of an extremely critical component of a system, requires a high reliability index in its design, development and maintenance.

What are the two classes of safety critical software?

Primary safety-critical systems: embedded software systems whose failure can cause the associated hardware to fail and directly threaten people. Secondary safety-critical systems: systems whose failure results in faults in other (socio-technical) systems, which can then have safety consequences.

What are some examples of critical systems?

A few examples of common mission-critical systems include:

Railway/aircraft operating and control systems

Electric power grid systems

First responder communications systems