Asafety-critical system[2] orlife-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:[3][4]
death or serious injury to people
loss or severe damage to equipment/property
environmental harm
Asafety-related system (or sometimessafety-involved system) comprises everything (hardware, software, and human aspects) needed to perform one or more safety functions, in which failure would cause a significant increase in the safety risk for the people or environment involved.[5] Safety-related systems are those that do not have full responsibility for controlling hazards such as loss of life, severe injury or severeenvironmental damage. The malfunction of a safety-involved system would only be that hazardous in conjunction with the failure of other systems orhuman error. Some safety organizations provide guidance on safety-related systems, for example theHealth and Safety Executive in theUnited Kingdom.[6]
Safety-critical systems are a concept often used together with theSwiss cheese model to represent (usually in abow-tie diagram) how a threat can escalate to a major accident through the failure of multiple critical barriers. This use has become common especially in the domain ofprocess safety, in particular when applied to oil and gas drilling and production both for illustrative purposes and to support other processes, such asasset integrity management andincident investigation.[9]
Several reliability regimes for safety-critical systems exist:
Fail-operational systems continue to operate when theircontrol systems fail. Examples of these includeelevators, the gasthermostats in most home furnaces, andpassively safe nuclear reactors. Fail-operational mode is sometimes unsafe.Nuclear weapons launch-on-loss-of-communications was rejected as a control system for the U.S. nuclear forces because it is fail-operational: a loss of communications would cause launch, so this mode of operation was considered too risky. This is contrasted with thefail-deadly behavior of thePerimeter system built during the Soviet era.[10]
Fail-soft systems are able to continue operating on an interim basis with reduced efficiency in case of failure.[11] Most spare tires are an example of this: They usually come with certain restrictions (e.g. a speed restriction) and lead to lower fuel economy. Another example is the "Safe Mode" found in most Windows operating systems.
Fail-safe systems become safe when they cannot operate. Many medical systems fall into this category. For example, aninfusion pump can fail, and as long as it alerts the nurse and ceases pumping, it will not threaten the loss of life because its safety interval is long enough to permit a human response. In a similar vein, an industrial or domestic burner controller can fail, but must fail in a safe mode (i.e. turn combustion off when they detect faults). Famously,nuclear weapon systems that launch-on-command are fail-safe, because if the communications systems fail, launch cannot be commanded.Railway signaling is designed to be fail-safe.
Fail-secure systems maintain maximum security when they cannot operate. For example, while fail-safe electronic doors unlock during power failures, fail-secure ones will lock, keeping an area secure.
Fail-Passive systems continue to operate in the event of a system failure. An example includes an aircraftautopilot. In the event of a failure, the aircraft would remain in a controllable state and allow the pilot to take over and complete the journey and perform a safe landing.
Fault-tolerant systems avoid service failure when faults are introduced to the system. An example may include control systems for ordinarynuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system, and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. The computers, power supplies and control terminals used by human beings must all be duplicated in these systems in some fashion.
Software engineering for safety-critical systems is particularly difficult. There are three aspects which can be applied to aid the engineering software for life-critical systems. First is process engineering and management. Secondly, selecting the appropriate tools and environment for the system. This allows the system developer to effectively test the system by emulation and observe its effectiveness. Thirdly, address any legal and regulatory requirements, such as Federal Aviation Administration requirements for aviation. By setting a standard for which a system is required to be developed under, it forces the designers to stick to the requirements. Theavionics industry has succeeded in producingstandard methods for producing life-critical avionics software. Similar standards exist for industry, in general, (IEC 61508) and automotive (ISO 26262), medical (IEC 62304) and nuclear (IEC 61513) industries specifically. The standard approach is to carefully code, inspect, document, test, verify and analyze the system. Another approach is to certify a production system, acompiler, and then generate the system's code from specifications. Another approach usesformal methods to generateproofs that the code meets requirements.[12] All of these approaches improve thesoftware quality in safety-critical systems by testing or eliminating manual steps in the development process, because people make mistakes, and these mistakes are the most common cause of potential life-threatening errors.
The technology requirements can go beyond avoidance of failure, and can even facilitate medicalintensive care (which deals with healing patients), and alsolife support (which is for stabilizing patients).
