The ‘User-Information System’ Relationship: A Reliance-based Safety Classification

Fig. 5. Case Studies: SRIS Classification Scheme.
James E. Mateer and Richard W. Jones, Engineering Requirements Ltd, ZJU-UIUC Institute

Introduction

Information Systems (InfoSys) are typically designed to enable humans to perform tasks for which they are not well suited, such as handling large amounts of information and performing complex calculations. If an InfoSys is being used to contribute to a user’s decision making, it could lead to a misguided decision if the information is late, omitted or erroneous. This misguided decision could have safety consequences. The safety management of risks associated with a so-called Safety Related Information System (SRIS) is problematic because, when a human user makes an information-based decision, it is difficult to ascertain a measurable correlation between the erroneous behaviour of the InfoSys and the subsequent contributory effects within an accident chain. Safety Related InfoSys (SRIS) are currently not explicitly catered for within the majority of current best practice standards. There are at least two exceptions though: (a) Military Standard (MS) 882E, whereby its Software Control Category (SCC) descriptions provide sub-narratives for software delivering information and subsequently attribute a level of criticality; and (b) ISO 14971, the risk management standard for medical devices, which discusses the concept of indirect hazards and risks arising from erroneous output from an information system, though only in the context of In Vitro Diagnostic systems (IVDs) (within Annex H of the standard). This paper proposes a safety-related classification approach for InfoSys, based upon the ‘reliance’ aspect of the ‘user-InfoSys’ relationship. The aim of such a classification approach is to support, in a more appropriate manner, the derivation of safety design requirements for InfoSys whose erroneous outputs have the potential to contribute to harm.

Case Study

The proposed SRIS safety classification has been applied to a hand-held target locator, which is an InfoSys used (a) to locate targets in day and night conditions and (b) to derive their position relative to the user’s location. The system’s technologies include optical magnification, thermal imaging, a class 1 eye-safe laser, an inclinometer and a digital magnetic compass, used to locate targets and derive their distance, inclination and bearing relative to the present position. The distance, height difference and bearing provided by the target locator are communicated to a third party by the user.

Table II: Safety Failure Modes

Table III. Classific…
The majority of the SRFMs can be paired; for example, “range too large” and “range too small” were amalgamated into “range erroneously high or low”, an approach which is acceptable when the consequences of the failure modes are the same. Range failure modes can thus be treated as one SRFM, and by pairing the failure modes the result was 7 classifications. Many of the classifications are the same because the GE and CbE assessments were identical; for example, all of the alphanumeric GE outputs are assessed in terms of detectability as “RP” and the CbE as “NP”, which gives rise to the Class “B” SRFMs indicated in Table III. With the vast majority of SRFMs being Class “B”, it would be justifiable to declare the system holistically as Class “B”.

A Reliance-Based Classification
Reliance relates to the level of delegation of responsibility that is given to the InfoSys and is categorised by the capacity of the user to detect erroneous behaviour. It is suggested here that what we should be striving for is “designing for reliance”, where the level of development rigour applied to an SRIS is commensurate with the level to which it must support the user in the detection of erroneous behaviour. This can be determined at the early stages of system design, so that development requirements can be defined appropriately. In essence the developer is looking to design the system capability to meet the envisaged reliance that should be placed upon it – for example, ideally the Physician and Nurse should be totally reliant on Decision Support Systems for Medication Delivery, which in turn indicates that an extremely high degree of rigour should be applied during the development process. The proposed classification scheme bands systems by the level of reliance, using a correlation between the capacity to detect GROSSLY ERRONEOUS (GE) and CREDIBLE but ERRONEOUS (CbE) outputs. GE outputs, which are ‘obvious errors’, are easier for the human user to detect than those of a CbE nature, which require a level of verification or validation activity. All SRISs are relied upon to some degree, and that reliance is a function of our capacity to identify misleading outputs (categorised here as either GE or CbE).

Table I. The Classes, Parameter Sets
Figure 1. SRIS Classification Scheme, 3 x 3 Matrix

In principle the matrix is founded upon the fact that the higher the reliance upon the system, the harder it is to detect an erroneous behaviour. This is not about how much harm can come from a misguided decision but about how much confidence is placed in the correct output of the InfoSys in order for an appropriate ‘executable plan’ (an information-based decision) to be arrived at. The proposed classification matrix for an SRIS, which follows traditional principles for matrix-style classification, is presented in Figure 1. The bottom right-hand corner represents one end of the classification spectrum – low reliance (Class E). The top left-hand corner provides the highest reliance class of SRIS (Class A). Between these two opposite poles are classifications “B”, “C” and “D”. To arrive at a classification status for an SRIS, the capacity to detect GE behaviours is correlated with the capacity to detect CbE behaviours. In this matrix the GE detection can be seen to run across the top of the matrix and the CbE detection down the left-hand side. Table I provides a sample of definitions which characterise specific matrix elements and thus classes. The following definitions are provided for each of the terms adopted to characterise “detection”, starting with the easiest and progressing incrementally to the most difficult.

Immediately Obvious (IO) – The user of the information does not need to make any deductions but can instantly recognise that the output is exhibiting erroneous behaviour.

Reasonably Practicable (RP) – With the use of other available sources of information, and within the time available to make a decision, it is reasonably practicable to detect InfoSys erroneous behaviour.
Not Possible (NP) – It is not possible for the user to detect erroneous behaviour, which could be due to insufficient time between the generation of the information output and the point at which a decision has to be made, or because there are no feasible ways to verify or validate the output.
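To make the matrix and the case-study procedure concrete, the following is an added worked example in Python; it is not code from the poster or its authors. It encodes only the matrix cells the poster text states explicitly (NP/NP is Class A, RP/NP is Class B, IO/NP is Class C, IO/IO is Class E) and reports any other GE/CbE combination as unknown rather than guessing the rest of Figure 1. The failure-mode list for the target locator is constructed for illustration (the poster’s Table II is not reproduced here), the pairing rule follows the “same consequence” condition stated in the case study, and the holistic class is taken, as the poster does, from the class that the majority of SRFMs fall into.

```python
"""Added example: the SRIS reliance-based classification matrix applied to
constructed safety-related failure modes (SRFMs) of a hand-held target locator.
Only matrix cells stated in the poster text are encoded; others are unknown.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Detect(str, Enum):
    """Capacity of the user to detect erroneous output, easiest to hardest."""
    IO = "IO"  # Immediately Obvious
    RP = "RP"  # Reasonably Practicable
    NP = "NP"  # Not Possible


# (GE detection, CbE detection) -> SRIS class, as stated in the poster text.
# NP/NP is the top-left, highest-reliance cell; IO/IO the bottom-right, lowest.
STATED_CELLS: Dict[Tuple[Detect, Detect], str] = {
    (Detect.NP, Detect.NP): "A",
    (Detect.RP, Detect.NP): "B",
    (Detect.IO, Detect.NP): "C",
    (Detect.IO, Detect.IO): "E",
}


def classify(ge: Detect, cbe: Detect) -> Optional[str]:
    """Return the SRIS class for one GE/CbE pair, or None if the poster does not state that cell."""
    return STATED_CELLS.get((ge, cbe))


@dataclass(frozen=True)
class FailureMode:
    output: str       # which InfoSys output is affected, e.g. "range"
    direction: str    # "high", "low" or "omitted"
    consequence: str  # what the misguided decision leads to
    ge: Detect        # detectability of a grossly erroneous version of the output
    cbe: Detect       # detectability of a credible-but-erroneous version


@dataclass(frozen=True)
class SRFM:
    """A (possibly paired) safety-related failure mode with its assessed detectability."""
    name: str
    ge: Detect
    cbe: Detect

    @property
    def sris_class(self) -> Optional[str]:
        return classify(self.ge, self.cbe)


def pair_failure_modes(modes: List[FailureMode]) -> List[SRFM]:
    """Amalgamate failure modes of the same output that share consequence and detectability.

    This is the poster's pairing rule: "range too large" and "range too small" become
    "range erroneously high or low" because their consequences are the same.
    """
    groups: Dict[Tuple[str, str, Detect, Detect], List[str]] = {}
    for m in modes:
        groups.setdefault((m.output, m.consequence, m.ge, m.cbe), []).append(m.direction)
    return [
        SRFM(f"{output} erroneously {' or '.join(dirs)}", ge, cbe)
        for (output, _consequence, ge, cbe), dirs in groups.items()
    ]


def holistic_class(srfms: List[SRFM]) -> Tuple[str, float]:
    """Return the class held by the majority of classified SRFMs and that majority's share."""
    counts = Counter(s.sris_class for s in srfms if s.sris_class is not None)
    cls, n = counts.most_common(1)[0]
    return cls, n / len(srfms)


# Constructed failure modes for the target locator (assumed, not the poster's Table II).
# A hand-over of a wrong position to a third party is the common consequence.
WRONG_POSITION = "wrong target position handed over to third party"
TARGET_LOCATOR_MODES: List[FailureMode] = [
    FailureMode("range", "high", WRONG_POSITION, Detect.RP, Detect.NP),
    FailureMode("range", "low", WRONG_POSITION, Detect.RP, Detect.NP),
    FailureMode("bearing", "high", WRONG_POSITION, Detect.RP, Detect.NP),
    FailureMode("bearing", "low", WRONG_POSITION, Detect.RP, Detect.NP),
    FailureMode("height difference", "high", WRONG_POSITION, Detect.RP, Detect.NP),
    FailureMode("height difference", "low", WRONG_POSITION, Detect.RP, Detect.NP),
    # A blank range display is assumed to be immediately obvious to the user (GE = IO).
    FailureMode("range", "omitted", WRONG_POSITION, Detect.IO, Detect.NP),
]


if __name__ == "__main__":
    paired = pair_failure_modes(TARGET_LOCATOR_MODES)
    for s in paired:
        print(f"{s.name:40s} GE={s.ge.value} CbE={s.cbe.value} -> Class {s.sris_class}")
    print("holistic:", holistic_class(paired))
```

Running the block pairs the seven constructed modes into four SRFMs, three of Class “B” and one of Class “C”, and reports the system holistically as Class “B” with a 75% majority, mirroring the poster’s argument that a predominantly RP/NP system sits in Class “B”. A combination the poster does not place (for example RP/RP, one of the Class “D” candidates) comes back as None so that an unstated cell is never silently assigned.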
Figure 2. Fault tree indicating potential causes of the handover of a wrong target position by the user in a target location system.
Discussion

Although only one case study has been presented here, classification has been carried out on a further two diverse InfoSys: a commercial aircraft Flight Load Planner and a Driver Night Vision System. In each case, SRFMs were identified and classified using the 3 x 3 classification matrix. In total 29 SRFMs were classified, and they included at least one classification from each of “B” to “E”. Understandably there were no Class “A” assignments, as the case scenarios did not include a system from a high-risk operating domain. Even with such a small sample size of SRFMs some trends begin to surface. In all of the case studies the majority of CbE failure modes were assessed as “NP”, which is understandable given that the failure is “credible”. It was only the speed element within the driver’s night vision system that was assessed as “RP”, because of the availability to the user of a second source of the same information. Thus, for the vast majority of cases where the CbE element is “NP”, the only variability is that associated with the GE element, ranging from “NP” to “IO” and narrowing the range of classifications to “A” to “C”; see Figure 5. In the case studied the GE detection was constrained to “RP” and “IO”, which further limited the classification options to Class “B” or “C”. It is strongly suspected that the norm for SRIS will be a GE detection of at least “RP”, and combined with a predominantly “NP” CbE element the majority of systems will sit within Classes “B” or “C”. That is not to say that the other classes are redundant, as they provide the mechanism for the inclusion of all InfoSys, including those that do not fit into the “normal” category. This would include systems where delegation by the user is more pronounced, for example those used to provide warnings in hazardous operating environments.
Figure 3. Case Studies: SRIS Classification Scheme.

In practice, the combination of InfoSys classification and criticality assignment is self-moderating, in that the reliance measure dictates the class, which then shapes the resultant development rigour. Consider an aircraft’s Ground Proximity Warning System (GPWS). If the pilot is unable to detect GE or CbE behaviour, then the SRIS is deemed to be “Class A”. Due to the high impact of the potential accident sequence (aircraft crash), the criticality of the InfoSys is considered to be high and thus the mandated development rigour would be substantial.