Life-critical system
A life-critical system or safety-critical system is a system whose failure or
malfunction may result in:
  • death or serious injury to people, or
  • loss or severe damage to equipment, or
  • environmental harm.

Risks of this sort are usually managed with the methods and tools of safety engineering. A life-critical system is designed to lose less than one life per billion (10^9) hours of operation. Typical design methods include probabilistic risk assessment, a method that combines failure mode and effects analysis (FMEA) with fault tree analysis. Safety-critical systems are increasingly computer-based.
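The paragraph above names the combination of FMEA and fault tree analysis without showing how the two fit together. The following is an added example, not part of the article: basic events (one per FMEA failure mode, each with a constructed per-hour probability) feed AND/OR gates, the top-event probability is evaluated under an independence assumption, and the result is compared with the article's target of fewer than one loss per 10^9 hours. The infusion-pump tree, its component names and every probability are invented for illustration.

```python
"""Added example, not from the article: evaluating a small fault tree whose
basic events come from an FMEA-style table, then checking the top event
against the article's design target of fewer than one loss per 1e9 hours.
All component names and failure probabilities are constructed for
illustration and are not real data."""
from dataclasses import dataclass, field


@dataclass
class BasicEvent:
    """Leaf of the tree: one failure mode, with its probability of
    occurring during one hour of operation."""
    name: str
    p: float


@dataclass
class Gate:
    """AND: every input must fail; OR: any single input failing suffices."""
    kind: str                               # "AND" or "OR"
    name: str
    inputs: list = field(default_factory=list)   # BasicEvent or Gate children


def probability(node) -> float:
    """Top-event probability, assuming the basic events are independent."""
    if isinstance(node, BasicEvent):
        return node.p
    child_ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child_ps:
            result *= p                     # all inputs fail together
        return result
    if node.kind == "OR":
        none_fail = 1.0
        for p in child_ps:
            none_fail *= (1.0 - p)          # probability that no input fails
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def meets_target(p_top: float, target: float = 1e-9) -> bool:
    """The article's design goal: less than one loss of life per 1e9 hours."""
    return p_top < target


def build_pump_tree() -> Gate:
    """Constructed tree for an infusion pump: the patient is harmed only if the
    pump over-infuses AND an independent flow monitor fails to stop it."""
    over_infusion = Gate("OR", "over_infusion", [
        BasicEvent("motor_runaway", 2e-6),          # constructed value
        BasicEvent("dose_software_error", 5e-7),    # constructed value
    ])
    monitor_fails = Gate("OR", "monitor_fails", [
        BasicEvent("flow_sensor_stuck", 1e-4),      # constructed value
        BasicEvent("alarm_relay_fails", 3e-5),      # constructed value
    ])
    return Gate("AND", "patient_harmed", [over_infusion, monitor_fails])


def build_pump_tree_no_monitor() -> Gate:
    """Same pump without the independent monitor: over-infusion alone is the top event."""
    return build_pump_tree().inputs[0]


if __name__ == "__main__":
    for tree in (build_pump_tree(), build_pump_tree_no_monitor()):
        p = probability(tree)
        print(f"{tree.name}: P = {p:.3e} per hour, meets 1e-9 target: {meets_target(p)}")
```

The two trees make the design point: the pump alone sits around 2.5e-6 per hour and misses the target by orders of magnitude, while the AND gate with an independent monitor brings the top event to roughly 3.2e-10. The independence assumption is the caveat a practitioner checks first; a shared power supply or a common software fault would have to be modelled as its own basic event feeding both branches, which is why the article later notes that power supplies and computers are duplicated in fault-tolerant designs.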

Reliability regimes

Several reliability regimes for life-critical systems exist:
  • Fail-operational systems continue to operate when their control systems fail. Examples of these include elevators, the gas thermostats in most home furnaces, and passively safe nuclear reactors. Fail-operational mode is sometimes unsafe. Launch-on-loss-of-communications for nuclear weapons was rejected as a control system for the U.S. nuclear forces because it is fail-operational: a loss of communications would cause launch, so this mode of operation was considered too risky. This is contrasted with the fail-deadly behavior of the Perimetr system built during the Soviet era.
  • Fail-safe systems become safe when they cannot operate. Many medical systems fall into this category. For example, an infusion pump can fail, and as long as it alerts the nurse and ceases pumping, it will not threaten loss of life, because its safety interval is long enough to permit a human response. In a similar vein, an industrial or domestic burner controller can fail, but must fail in a safe mode (i.e. turn combustion off when it detects a fault). Famously, nuclear weapon systems that launch-on-command are fail-safe, because if the communications systems fail, launch cannot be commanded. Railway signaling is designed to be fail-safe.
  • Fail-secure systems maintain maximum security when they cannot operate. For example, while fail-safe electronic doors unlock during power failures, fail-secure ones lock, possibly trapping people in a burning building.
  • Fail-passive systems continue to operate in the event of a system failure. An example is an aircraft autopilot: in the event of a failure, the aircraft remains in a controllable state and allows the pilot to take over, complete the journey and perform a safe landing.
  • Fault-tolerant systems avoid service failure when faults are introduced to the system. An example is the control systems for ordinary nuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. Interestingly, the computers, power supplies and control terminals used by human operators must all be duplicated in these systems in some fashion.
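The fault-tolerant bullet describes a supervisor that keeps testing subsystems and switches in hot spares, and says the design is safe only as long as repairs happen within the maintenance interval. As an added example (not from the article), the following discrete-time simulation makes that condition concrete: a primary unit and a hot spare each run a built-in self-test every hour, the supervisor fails over when the active unit is bad, and service fails only when no healthy unit is left before maintenance restores the faulty one. The unit names, the failure hours and the repair interval are all constructed for illustration.

```python
"""Added example, not from the article: a discrete-time simulation of the
fault-tolerant regime described above. A supervisor runs a built-in self-test
on a primary unit and a hot spare every hour and switches to the spare when
the active unit fails. Service fails only if no healthy unit remains before
maintenance repairs the faulty one. The unit names, failure hours and the
repair interval are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Subsystem:
    name: str
    fails_at: Optional[int]        # hour at which a fault appears; None means never
    healthy: bool = True

    def self_test(self, hour: int) -> bool:
        """Built-in test polled by the supervisor; latches the fault once it appears."""
        if self.fails_at is not None and hour >= self.fails_at:
            self.healthy = False
        return self.healthy


def simulate(primary_fails_at: Optional[int], spare_fails_at: Optional[int],
             repair_interval: int, hours: int) -> Tuple[bool, List[str]]:
    """Run the supervisor for `hours` hours. Returns (service_failed, event log).
    A faulty unit is repaired `repair_interval` hours after its fault is detected,
    standing in for the normal maintenance interval."""
    primary = Subsystem("primary", primary_fails_at)
    spare = Subsystem("spare", spare_fails_at)
    units = (primary, spare)
    active = primary
    repair_due: Dict[str, int] = {}     # unit name -> hour at which repair completes
    log: List[str] = []

    for hour in range(hours):
        # 1. Maintenance: a repair that falls due this hour restores the unit.
        for unit in units:
            if repair_due.get(unit.name) == hour:
                unit.healthy, unit.fails_at = True, None
                del repair_due[unit.name]
                log.append(f"h{hour}: {unit.name} repaired")

        # 2. Supervisor polls every unit's self-test and schedules repair on failure.
        for unit in units:
            if not unit.self_test(hour) and unit.name not in repair_due:
                repair_due[unit.name] = hour + repair_interval
                log.append(f"h{hour}: {unit.name} failed self-test, "
                           f"repair due h{hour + repair_interval}")

        # 3. Failover: if the active unit is down, switch to a healthy standby.
        if not active.healthy:
            standby = spare if active is primary else primary
            if standby.healthy:
                active = standby
                log.append(f"h{hour}: switched to {active.name}")
            else:
                log.append(f"h{hour}: SERVICE FAILURE, no healthy unit available")
                return True, log

    return False, log


if __name__ == "__main__":
    for interval in (1, 24):
        failed, events = simulate(primary_fails_at=10, spare_fails_at=12,
                                  repair_interval=interval, hours=48)
        print(f"repair interval {interval}h -> service failed: {failed}")
        for line in events:
            print("  " + line)
```

With the constructed failure hours (primary at hour 10, spare at hour 12), a one-hour repair interval rides through both faults with two failovers, while a 24-hour interval leaves the system with no healthy unit at hour 12. That is the article's condition stated as a number: the spare only buys the time it takes maintenance to arrive, so the repair interval is part of the safety argument, not an operational detail.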

Software engineering for life-critical systems

Software engineering for life-critical systems is particularly difficult. There are three aspects which can be applied to aid the engineering of software for life-critical systems. First is process engineering and management. Second is selecting the appropriate tools and environment for the system; this allows the system developer to test the system effectively by emulation and observe its effectiveness. Third is addressing any legal and regulatory requirements, such as FAA requirements for aviation. Setting a standard under which a system is required to be developed forces the designers to stick to the requirements. The avionics industry has succeeded in producing standard methods for producing life-critical avionics software (DO-178B). The standard approach is to carefully code, inspect, document, test, verify and analyze the system. Another approach is to certify a production system and a compiler, and then generate the system's code from specifications. Another approach uses formal methods to generate proofs that the code meets requirements. All of these approaches improve the software quality in safety-critical systems by testing or eliminating manual steps in the development process, because people make mistakes, and these mistakes are the most common cause of potential life-threatening errors.
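The formal-methods sentence above is abstract, and the fail-safe burner controller from the reliability-regimes section is a good requirement to make it concrete. The following is an added example, not from the article: a small burner-controller state machine is explored exhaustively (every reachable state under every input), and the requirement "whenever a fault is detected, the gas valve is closed" is checked on every transition. A deliberately defective variant that ignores the fault input while running is included so the checker can show the kind of counterexample trace such tools produce. The controller, its inputs and the requirement are all constructed for illustration; the approach generalizes to any finite controller model and any requirement that can be checked on a transition.

```python
"""Added example, not from the article: an exhaustive state-space check of a
small burner-controller model, in the spirit of the formal-methods approach
described above. The controller, its inputs and the safety requirement are
constructed for illustration. The requirement is the fail-safe rule from the
reliability-regimes section: whenever a fault is detected, combustion (here,
the gas valve) must be off. A deliberately defective variant is included to
show what a counterexample trace looks like."""
from collections import deque
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# State: (mode, valve_open). Input: (heat_demand, flame_sensed, fault_detected).
State = Tuple[str, bool]
Input = Tuple[int, int, int]
Transition = Tuple[State, Input, State]

INITIAL: State = ("idle", False)
INPUTS: List[Input] = list(product((0, 1), repeat=3))


def step_safe(state: State, inp: Input) -> State:
    """Intended controller: any fault, or loss of flame, closes the valve and
    locks out until a manual reset (the reset itself is not modelled)."""
    mode, _ = state
    demand, flame, fault = inp
    if fault or mode == "lockout":
        return ("lockout", False)
    if not demand:
        return ("idle", False)
    if mode == "idle":
        return ("igniting", True)            # open the valve and start ignition
    # igniting or running: keep burning only while flame is proven
    return ("running", True) if flame else ("lockout", False)


def step_buggy(state: State, inp: Input) -> State:
    """Defective variant (constructed): the fault input is only checked
    outside the running mode, so a fault during steady operation is ignored."""
    mode, _ = state
    demand, flame, fault = inp
    if mode == "running":
        return ("running", True) if (demand and flame) else ("idle", False)
    return step_safe(state, inp)


def fault_implies_valve_closed(inp: Input, nxt: State) -> bool:
    """Safety requirement checked on every transition."""
    _, _, fault = inp
    _, valve_open = nxt
    return not fault or not valve_open


def model_check(step: Callable[[State, Input], State]) -> Optional[List[Transition]]:
    """Breadth-first exploration of every reachable state under every input.
    Returns None if the requirement holds everywhere, otherwise the shortest
    trace from INITIAL ending in a violating transition."""
    parent: Dict[State, Optional[Transition]] = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        for inp in INPUTS:
            nxt = step(state, inp)
            if not fault_implies_valve_closed(inp, nxt):
                # rebuild the path that led here, then append the bad step
                trace: List[Transition] = []
                cur = state
                while parent[cur] is not None:
                    trace.append(parent[cur])
                    cur = parent[cur][0]
                trace.reverse()
                trace.append((state, inp, nxt))
                return trace
            if nxt not in parent:
                parent[nxt] = (state, inp, nxt)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("safe controller violations:", model_check(step_safe))
    print("buggy controller counterexample:")
    for s, i, n in model_check(step_buggy) or []:
        print(f"  {s} --{i}--> {n}")
```

The safe controller returns no violation; the defective one returns a three-step trace (idle, ignite, reach running, then a fault arrives while the valve stays open). The point for a safety reviewer is that the check is exhaustive over the model rather than over chosen test cases, which is exactly the manual step the paragraph says these methods remove; the remaining obligation is to show that the model faithfully represents the delivered code, which is where certified code generation and the DO-178B style review process come in.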

Infrastructure

  • Circuit breaker
  • Emergency services dispatch systems
  • Electricity generation, transmission and distribution
  • Fire alarm
  • Fire sprinkler
  • Fuse (electrical)
  • Fuse (hydraulic)
  • Telecommunications
  • Burner control systems

Medicine

The technology requirements can go beyond avoidance of failure, and can even facilitate medical intensive care (which deals with healing patients) and life support (which is for stabilizing patients).
  • Heart-lung machines
  • Mechanical ventilation systems
  • Infusion pumps and insulin pumps
  • Radiation therapy machines
  • Robotic surgery machines
  • Defibrillator machines

Recreation

  • Amusement rides
  • Climbing equipment
  • Parachutes
  • SCUBA equipment

Automotive

  • Airbag systems
  • Braking systems
  • Seat belts
  • Steering systems

Aviation

  • Air traffic control systems
  • Avionics, particularly fly-by-wire systems
  • Radio navigation RAIM
  • Engine control systems
  • Aircrew life support systems
  • Flight planning to determine fuel requirements for a flight

Spaceflight

  • Human spaceflight vehicles
  • Rocket range launch safety systems
  • Launch vehicle safety

See also

  • Mission critical
  • International Journal of Critical Computer-Based Systems
  • Reliability theory
  • Reliable system design
  • Redundancy (engineering)
  • Factor of safety
  • Nuclear reactor
  • Biomedical engineering
  • SAPHIRE (risk analysis software)
  • Formal methods
  • Therac-25
  • Zonal Safety Analysis

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.