
International Journal of Computer Systems (ISSN: 2394-1065), Volume 03 Issue 02, February, 2016

Available at http://www.ijcsonline.com/

A Systems-Theoretic Approach to the Safety Analysis in Medical Cyber-Physical Systems

B. Umamaheswararao (A), P. Seetharamaiah (B)

(A) Dept. of CSE, Indo American Institutions Technical Campus, Sankaram, Anakapalle, Visakhapatnam, India
(B) Department of CS & SE, Andhra University, Visakhapatnam, India

Abstract
Software for a Medical Cyber-Physical System (MCPS) must deal with the hazards identified by safety analysis in order to be safe, risk-free and fail-safe. Computer-based bio-electronic systems are used to replace damaged human organs: the bionic ear for hearing loss, the bionic eye for loss of sight, the deep brain stimulator for neurological illness, and the bionic arm for arm prostheses. The aim of this paper is to investigate a systems-based design approach to modeling software safety in MCPS and to reduce the probability of unsafe system states through a variety of management, organizational and technical measures. There is currently no formal methodology to test and verify the correct operation of medical device software in the closed-loop context of the patient. To address this problem we use three analysis methods, Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and System-Theoretic Process Analysis (STPA), to identify potentially hazardous software faults and to develop software safety for the Control Software for Clinical Programming (CSCP) as medical device software; we also discuss the safety properties of clinical programming software. The Systems-Theoretic Accident Model and Processes (STAMP) is used to identify the hazards and to guide the construction of the hazard control structure. We apply these analysis methods to a CPS and propose an approach to software safety in safety-critical medical cyber-physical systems. The approach was applied to the CSCP of a cochlear implant system (CIS). Developing a cyber-physical system on this basis provides safer software operation. Finally, we describe the implementation of all modules of the CSCP software. A custom-built Database Application (DA) for the bionic ear was developed in the Visual Studio environment using an MS Access database. In this paper STAMP is presented within the MCPS hazard analysis process through a case study: we examine the CSCP of the CIS and use a systems-theoretic approach that takes both physical and cyber components into account to deal with the potential hazards in the system. We show how this strategy can determine software hazards in an MCPS and provide practical new requirements and design decisions that MCPS designers can use to build a safe MCPS.
Keywords: Medical Cyber-Physical System, software safety, closed-loop system, Control Software for Clinical Programming, Cochlear Implant System.

I. INTRODUCTION

A Cyber-Physical System (CPS) is a co-engineered, communicating system of physical and computational components. MCPS are safety-critical, connected, intelligent systems of medical devices. The current accident models in the health field have limitations in capturing the main aspects that influence the safety level of these infrastructures, such as organizational factors, human and software errors, systemic accidents and risk migration [1]. A new type of accident model, the System-Theoretic Accident Model and Processes (STAMP), was recently proposed by Nancy Leveson [2] and meets the requirements of medical device safety.
The objectives below result in better control software quality for medical cyber-physical systems and in a faster, more structured design. a) The primary goal of this paper is to support a safety-driven design process (physical, operational, organizational) for medical cyber-physical systems: hazard analysis informs and shapes the early design choices, and the analysis is iterated and refined as the design advances. b) The second objective is to show that safety analysis for a medical cyber-physical system can be done top-down in the architecture design phase, combined with STPA. This applies the systems-theoretic approach to identifying hazards and safety requirements in medical cyber-physical systems. c) The third objective is to reduce the probability of unsafe system states through a variety of management, organizational and technical measures, and to keep the system functioning even in the presence of one or more faults. The remainder of this paper is organized as follows. Section 2 reviews the related literature. Section 3 describes the STAMP model and the closed-loop system from different aspects. Section 4 gives an overview of the CSCP of the CIS. Section 5 presents the STPA analysis of the CSCP as the case study for this approach. Finally, Section 6 discusses the results and conclusions.
II. RELATED TECHNIQUES FOR SAFETY ANALYSIS IN MCPS

Traditionally, safety is viewed as a failure problem. Because the primary cause of accidents in older systems was component failure, the hazard analysis and safety design methods concentrated on identifying critical components and either preventing their failure or providing redundancy to minimize the effects of a failure. These methods use a sequence-of-events accident model, and hazard minimization concentrates on building barriers between events and preventing component failures. Hazard analysis identifies the chain of events that leads to an accident, and the resolution is to add redundancy, protective functions and patches to provide system safety. Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA) use this decomposition approach to safety.

158 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016
A. Software Failure Mode and Effects Analysis (SFMEA)
This analysis is performed to determine the top events for the lower-level analysis. SFMEA is performed following a list of failure types and is used to identify critical functions based on the applicable software specification. Formulating recommendations for fault-related techniques that may help reduce failure criticality is part of this analysis step.
B. Software Fault Tree Analysis (SFTA)
After the top-level failure events have been determined, a complete Software Fault Tree Analysis is performed to analyze the faults that can cause those failures. This is a top-down technique that determines the origin of a critical failure: it is applied following the information available at the design level and descends to the code modules.
There are several limitations to these approaches. The majority of software-related accidents have involved errors in the requirements, not failures of the software to implement the requirements correctly [3]. A second major problem is that the most common hazard analysis methods, such as FTA and FMEA, work on a pre-existing design. But systems and system designs have become so complex that waiting until a design is finished to perform safety analysis on it is impractical. The only hope for practical and cost-effective safe design techniques is to build safety in from the beginning. In a safety-driven design, the information the designers need to make good choices is available to them before they create the design, and the analyses are performed in parallel with the design process rather than after it. We believe that such design techniques will not only cost much less but will also result in much safer systems.
The strategies mentioned above provide sufficient support for hazard analysis. However, they require detailed design specifications for the analysis, and they do not take the dynamic behavior of software into account. To deal with the lack of a design specification in the early design stage, [4] suggested an actuator-based approach to hazard analysis. [5] suggested a framework for hazard analysis that helps to evaluate the dynamic behavior of technical systems. [6] proposed a hazard analysis method, STPA, which addresses the dynamic behavior of the system by treating safety as a control problem rather than a component failure problem. [7] analyzed the STPA approach in a case study in which it is applied to a functional crew-return vehicle design. The practicality and effectiveness of STPA for the early system design stage is also evaluated thoroughly in [8]. These studies conclude that with STPA it is possible to identify the safety requirements and constraints of the system before the detailed design. Several authors have reported positive results from applying STPA to various systems.
III. STAMP MODEL

STAMP treats accidents as a control problem. It has been shown to address the need for an effective method of dealing with safety in complex systems such as an MCPS. STAMP is a new systems-based approach to safety. The primary differences between STAMP and the traditional techniques are that STAMP looks at systems as dynamic rather than static, and considers the safety of a system as a control problem, not a reliability problem. STAMP not only allows the analysis of accidents and hazardous states but also of those related to organizational, software and environmental factors. The STAMP technique rests on three pillars: the safety control structure, safety constraints, and the process model.
The safety control structure represents the framework of all control loops in the system, from the higher levels to the lower levels [9]. In patient care it is possible to create a physiological closed-loop system by continuously monitoring the patient's state, automatically reconfiguring the delivery devices, and notifying care providers only if the patient's state deviates from the normal range. Caregivers can then focus on making important medical decisions, reducing the chance of missing critical events and thereby enhancing patient safety. Closed-loop control has already been implemented in some medical systems. Figure 1 shows a standard control loop with Controller, Actuators, Controlled Process and Sensors as its building blocks.

Fig. 1 Simple Control loop


Figure 2 shows how medical devices can be interconnected to form a physical closed-loop system. This increasing application complexity requires new design techniques to handle it effectively.

Fig. 2 Medical devices closed-loop system

Safety constraints are used to distinguish the safe and unsafe states of a system. They are derived from the hazards that are described in the system specification. Successful design and administration of the safety constraints improves system safety. In STAMP, these constraints are used to produce the system requirements that are needed to maintain system safety.

A. Systems-Theoretic Process Analysis (STPA)
STPA is a new hazard analysis technique based on STAMP. It uses a collection of interacting control loops to evaluate systems, and it can be used at any stage of the system lifecycle, from before design to after implementation. The STPA technique consists of the following steps: define the system hazards and the related safety constraints; develop the safety control structure for the closed-loop system; identify the potentially inadequate control actions; and determine how the potentially inadequate control actions could happen.

B. Causal Analysis using System Theory (CAST)
CAST analyzes the dynamics of the control structure for accident analysis. The CAST methodology consists of the following steps: identify the system and the accident (loss); identify the hazards involved in the accident (loss); identify the proximal events (near the time of the accident); draw the safety control structure; and analyze the physical system and the controllers.

IV. OVERVIEW OF THE CSCP OF CIS SYSTEM

The cochlear implant system (CIS) has three hardware modules: the Impedance Telemetry Monitoring System (ITMS), the Digital Speech Processor System (DSPS), and the Implantable Receiver Stimulator (IRS). The CSCP of the CIS includes the following aspects of the safety protection function: patient registration, impedance measurement, CSCP software self-checking, programming the DSPS, and adjusting the TCL and MCL values. The control system consists of a monitor module and a control module. We start from hazard identification through requirements analysis. Here we consider only one of the main hazards arising from the CSCP of the CIS: the system reports erroneous patient results to the user. The design process then proceeds by refining the safety requirements to a lower level.

Fig. 3 CSCP of CIS Architecture model

A. Impedance Telemetry Monitoring System (ITMS)
The ITMS is used to find the active electrodes of the 12-electrode array and their respective TCL (Threshold Comfort Level) and MCL (Most Comfortable Level). The ITMS is designed around a programmable logic device, an FPGA (Field Programmable Gate Array). The hardware modules identified for the FPGA-based ITMS are the FPGA module and an ASK (Amplitude Shift Keying) modulated, LSK (Load Shift Keying) demodulated RF transmitter and receiver. The ITMS sends the impedance request to the IRS (Implantable Receiver Stimulator) and receives the impedance values together with their electrode or channel numbers. The FPGA is used as the central processing unit to send requests and receive impedance values, and an LCD displays the measured impedance values against the electrode numbers. The function of the ITMS is to measure the electrode impedances and the neural response of a patient through stimulation and recording of electrical signals, which facilitates device fitting and parameter adjustment.

B. Digital Speech Processor System (DSPS)
The DSPS receives external sound or speech and generates encoded speech data bits for transmission to the IRS over the radio frequency link to excite the electrode array, by continuously executing the speech processing program embedded in the DSPS.

C. Implantable Receiver Stimulator (IRS)
The IRS stimulates the auditory nerve through the electrode array placed inside the cochlea of the deafened person. The IRS receives its instructions from the speech processor by magnetic induction from the transmitter, and it also receives its power through this transmission.

D. CSCP software functional operations
The CSCP software is designed for the DSPS and ITMS and is used by an audiologist to perform the post-operative fitting procedure for better recognition of sound. The program contains several functional modules: patient information management, UART settings, impedance measurement, fitting and mapping. The software was developed in VB.NET 2008 with an MS Access database. The database tables record the patient's basic information, medical record, evaluation of hearing abilities, evaluation of speech and language status, rehabilitation status, evaluation of psychological status, medical and audiological evaluation, processor programming, specific training with processor accessories, and so on.
Initially, the CSCP software starts with audiologist registration and then proceeds to patient registration. Whenever the CSCP displays "invalid details, please input all the required details", the CSCP process is stopped and the registration process is repeated. Whenever the ITMS module is loaded it reads the impedance values from the impedance database table, if available, displays each channel's resistance value in the corresponding text box, and also plots the resistance values in a chart control. If the resistance values have not yet been stored it displays the error message "insufficient recipient data, please try again". The impedance measurement module displays the impedance values, if the audiologist has already measured them for this patient, in text form and as a graph; if the impedance values are not available it displays null values. Whenever the fitting module is loaded it reads the impedance values from the impedance table, displays them in the corresponding text boxes for each channel, and creates a new row in the mapping table with default values of TCL and MCL.
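The registration, impedance and fitting flow described above, as an added example that is not part of the paper's VB.NET/MS Access implementation: it uses Python's standard sqlite3 module as a stand-in for the MS Access database, and the table and column names (patients, impedance, mapping, channel, tcl, mcl) and the default TCL/MCL values are assumptions. The point it shows is that binding every impedance and mapping row to a registered patient with foreign keys, and refusing to open the fitting module without a complete stored impedance set, closes the paths behind "current treatment profile appended to the wrong patient's record" and the "insufficient recipient data" condition at the schema level rather than only in the user interface.

```python
import sqlite3
from typing import Dict, List

# Assumed defaults (not from the paper): TCL/MCL in device level units.
DEFAULT_TCL = 50
DEFAULT_MCL = 150
CHANNELS = 12  # electrode array size stated in the paper

# Assumed schema. The CHECK constraints and foreign keys are what make a
# mapping row for an unregistered or wrong patient impossible to store.
SCHEMA = """
CREATE TABLE patients (
    patient_id INTEGER PRIMARY KEY,
    name       TEXT NOT NULL
);
CREATE TABLE impedance (
    patient_id INTEGER NOT NULL REFERENCES patients(patient_id),
    channel    INTEGER NOT NULL CHECK (channel BETWEEN 1 AND 12),
    ohms       REAL    NOT NULL,
    PRIMARY KEY (patient_id, channel)
);
CREATE TABLE mapping (
    patient_id INTEGER NOT NULL REFERENCES patients(patient_id),
    channel    INTEGER NOT NULL CHECK (channel BETWEEN 1 AND 12),
    tcl        INTEGER NOT NULL,
    mcl        INTEGER NOT NULL CHECK (mcl > tcl),
    PRIMARY KEY (patient_id, channel)
);
"""


class InsufficientRecipientData(Exception):
    """Raised when the fitting module is opened before all channels were measured."""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    return conn


def register_patient(conn: sqlite3.Connection, name: str) -> int:
    cur = conn.execute("INSERT INTO patients(name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def store_impedances(conn: sqlite3.Connection, patient_id: int,
                     ohms_by_channel: Dict[int, float]) -> None:
    # An unknown patient id fails the foreign key here instead of silently
    # creating an orphan record that a later lookup could attach to someone else.
    conn.executemany(
        "INSERT OR REPLACE INTO impedance(patient_id, channel, ohms) VALUES (?, ?, ?)",
        [(patient_id, ch, ohms) for ch, ohms in ohms_by_channel.items()],
    )
    conn.commit()


def load_impedances(conn: sqlite3.Connection, patient_id: int) -> Dict[int, float]:
    rows = conn.execute(
        "SELECT channel, ohms FROM impedance WHERE patient_id = ? ORDER BY channel",
        (patient_id,),
    ).fetchall()
    return {ch: ohms for ch, ohms in rows}


def open_fitting(conn: sqlite3.Connection, patient_id: int) -> List[tuple]:
    """Mirror of the fitting module: requires a full impedance set, then seeds the
    mapping table with one default TCL/MCL row per channel (existing rows are kept)."""
    imp = load_impedances(conn, patient_id)
    if len(imp) < CHANNELS:
        raise InsufficientRecipientData(
            f"patient {patient_id}: {len(imp)}/{CHANNELS} channels measured")
    conn.executemany(
        "INSERT OR IGNORE INTO mapping(patient_id, channel, tcl, mcl) VALUES (?, ?, ?, ?)",
        [(patient_id, ch, DEFAULT_TCL, DEFAULT_MCL) for ch in range(1, CHANNELS + 1)],
    )
    conn.commit()
    return conn.execute(
        "SELECT channel, tcl, mcl FROM mapping WHERE patient_id = ? ORDER BY channel",
        (patient_id,),
    ).fetchall()


def demo() -> dict:
    """Constructed walk-through: fitting before measurement, then after, then an
    impedance write for a patient id that was never registered."""
    conn = open_db()
    pid = register_patient(conn, "recipient A")  # constructed sample patient
    result = {"before": None, "after": None, "orphan_rejected": False}
    try:
        open_fitting(conn, pid)
    except InsufficientRecipientData as exc:
        result["before"] = str(exc)
    # Constructed sample impedances for all 12 channels, in ohms.
    store_impedances(conn, pid, {ch: 5000.0 + 100 * ch for ch in range(1, CHANNELS + 1)})
    result["after"] = open_fitting(conn, pid)
    try:
        store_impedances(conn, 999, {1: 5000.0})  # no such patient
    except sqlite3.IntegrityError:
        result["orphan_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The same guard belongs on the mapping table in the real database: with the foreign key in place, the "wrong patient's record" hazards become a constraint violation that the application has to handle explicitly rather than a silent data-corruption path.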
V. STPA ANALYSIS OF CSCP OF CIS SYSTEM

The system objectives here are defined as follows: allow the system to reduce the probability of unsafe system states through a variety of physical, organizational and cyber measures; automatically capture accidents resulting from component interactions, not just from failures; and provide automatic patient protection. The accident is defined as: the patient is killed or seriously injured.

A. System Hazard Identification
A safety-driven design should start with identifying the accidents and then defining the system hazards that could cause these accidents. An accident here is defined as an undesired or unplanned event that results in a loss, including loss of human life or human injury, property damage, environmental pollution, mission loss, etc. [8]. A hazard is defined as a system state or set of conditions that, together with a particular set of environmental conditions, will lead to an accident [8]; in other words, a hazard is a state of the system that, when it interacts with other conditions in the environment of the system, leads to an accident [9]. The system-level hazards relevant to this definition of an accident are listed in Table 1.

TABLE 1. IDENTIFIED HAZARDS IN CSCP OF CIS
Hazard (H)
H1   System reports erroneous patient results to the user.
H2   The system reports the patient results from the controller too late.
H3   The system asks for wrong operations by hazard.
H4   Commands for volume exceeding the patient's impedance, THL, MCL are sent to the DSPS.
H5   Wrong patient treatment history retrieved.
H6   Current treatment profile appended to the wrong patient's record.
H7   Identifying incorrect electrode; impedance module failure.
H8   Measurements of impedance values are incorrect.
H9   Wrong calculation of active electrode values.
H10  Faulty decision in CSCP software regarding ITMS malfunctioning.
H11  Identification of active electrodes is wrong owing to ITMS malfunctioning.
H12  Release of incorrect volume.
H13  Incorrect calculation of THL, MCL values; volume delivered to the wrong location.
H14  Incorrect calculation of THL, MCL values; volume too high.
H15  Finding THL, MCL for failed electrodes.
H16  Communication failure between CSCP and DSPS or ITMS.

Hazard H1, the reporting of erroneous patient results, is clinically significant and can lead to medical accidents. H2 is the hazard where the system reports the correct patient results but too late to be useful; such a delay may have medical consequences. H3 is the hazard where the system executes operations requested by a hazard rather than by the operator. Running centrifuges at the highest speed and then switching them to the lowest speed without regard to the speed requested by the operator is an example of such a hazard. These hazards are not recognized by the controllers in the system, because they hide the actual situation from the controllers, which imposes a further hazard.
B. System Safety Constraints and Safety Requirements
After the system hazards are defined, they should be translated into the corresponding safety constraints, which are restrictions on how the system can achieve its purpose.

TABLE 2. SAFETY CONSTRAINTS AND REQUIREMENTS
Hazard | Safety constraint (SC) | Safety requirement (SR)
H1 | SC1: Correct patient results must be reported to the audiologist. | SR1: The system shall ensure correct patient result reporting, based on existing standards, for each user.
H2 | SC2: Patient results must be reported to the audiologist in a usable time frame. | SR2: The system shall have a patient result report turn-around time of X.
H3 | SC3: The system must only perform operations requested by a legitimate operator. | SR3: The system shall make sure that only genuine functions are executed.

For the purpose of the case study, the hazard that will be analyzed is H1: the system reports erroneous patient results to the medical staff. This is the hazard that led to the medical casualty and the subsequent case accident.
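One way to turn SC1 and the hazards H4, H6, H8 and H13 to H15 from Table 1 into a check the CSCP runs before any programming command reaches the DSPS, as an added example that is not code from the paper's software: it classifies each electrode from its measured impedance and rejects a fitting map that keeps levels on a failed electrode, inverts or exceeds the TCL/MCL range, lacks a measurement for a channel, or belongs to a different patient than the impedance record. The impedance thresholds (open above 30 kOhm, short below 500 Ohm), the level limit of 255 and the data layout are assumptions, not values from the paper.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed device limits, not taken from the paper.
OPEN_CIRCUIT_OHMS = 30_000.0   # at or above this the electrode is treated as open
SHORT_CIRCUIT_OHMS = 500.0     # at or below this the electrode is treated as shorted
MAX_LEVEL = 255                # largest stimulation level the DSPS accepts


@dataclass
class ImpedanceRecord:
    patient_id: str
    ohms: Dict[int, float]      # channel -> measured impedance in ohms


@dataclass
class ChannelMap:
    tcl: int
    mcl: int
    active: bool = True         # False: the channel delivers no stimulation


@dataclass
class FittingMap:
    patient_id: str
    channels: Dict[int, ChannelMap]


def classify(ohms: float) -> str:
    """Active / open / short from a single impedance value (thresholds assumed)."""
    if ohms >= OPEN_CIRCUIT_OHMS:
        return "open"
    if ohms <= SHORT_CIRCUIT_OHMS:
        return "short"
    return "active"


def validate_map(rec: ImpedanceRecord, fmap: FittingMap) -> List[str]:
    """Return the list of safety-constraint violations, each tagged with the Table 1
    hazard it corresponds to. An empty list means the map may be sent to the DSPS."""
    violations: List[str] = []
    if rec.patient_id != fmap.patient_id:
        # H6: the map and the impedance data must describe the same recipient.
        violations.append(f"H6: map for {fmap.patient_id} checked against "
                          f"impedance record of {rec.patient_id}")
        return violations   # per-channel checks are meaningless across patients
    for ch, cm in sorted(fmap.channels.items()):
        if ch not in rec.ohms:
            violations.append(f"H8: channel {ch} has no impedance measurement")
            continue
        if not cm.active:
            continue        # a disabled channel delivers nothing; nothing more to check
        state = classify(rec.ohms[ch])
        if state != "active":
            # H15: THL/MCL must not be fitted on a failed electrode.
            violations.append(f"H15: channel {ch} is {state} but the map keeps it active")
        if not (0 <= cm.tcl < cm.mcl <= MAX_LEVEL):
            # H13/H14: inverted or out-of-range levels (H4: command exceeds limits).
            violations.append(f"H14: channel {ch} levels tcl={cm.tcl} mcl={cm.mcl} "
                              f"violate 0 <= tcl < mcl <= {MAX_LEVEL}")
    return violations


def program_dsps(rec: ImpedanceRecord, fmap: FittingMap,
                 send: Callable[[FittingMap], None]) -> bool:
    """Gate the programming command: only a map with no violations is handed to
    `send`, a stand-in for the UART command path to the DSPS."""
    if validate_map(rec, fmap):
        return False
    send(fmap)
    return True


def demo() -> List[str]:
    """Constructed sample: 12 channels; channel 7 reads open-circuit, channel 3 is
    shorted but correctly disabled, channel 9 has inverted TCL/MCL."""
    ohms = {ch: 6000.0 for ch in range(1, 13)}
    ohms[7] = 45_000.0
    ohms[3] = 120.0
    rec = ImpedanceRecord("P-001", ohms)
    channels = {ch: ChannelMap(tcl=40, mcl=160) for ch in range(1, 13)}
    channels[3] = ChannelMap(tcl=0, mcl=0, active=False)
    channels[9] = ChannelMap(tcl=200, mcl=180)
    return validate_map(rec, FittingMap("P-001", channels))


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The check is deliberately placed on the controller side of the control action (the CSCP to DSPS command) rather than in the user interface, so that it applies to every path that can issue the command, including the default rows the fitting module creates.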


C. System Control Structure
Once the hazards and the related safety constraints have been defined, a typical socio-technical hierarchical structure with safety control processes, called the hierarchical safety control structure, should be described. The next step is therefore to develop the safety control structure for the system. The main work in defining this control structure is identifying the responsibilities of each component or sub-system as well as all their relationships; it should comply with the System Design Specification. Hierarchical safety control structures can be very complex, so when analyzing different hazards only part of the overall structure is treated as the object of analysis and the rest is treated as environmental factors. The next step is to investigate the control loops. The main purpose of analyzing the control loops is to find violations of the safety constraints that may be caused by other, interacting control loops.

After the safety control structure at the system level has been defined, the next step is to identify the potential for inadequate control, which may drive the system into a hazardous state. STPA is a systemic method for hazard analysis: it considers hazards and their causes systemically rather than only on the basis of component failures or failure events. At this level the CSCP becomes the controller for two lower controlled processes, the ITMS controller and the DSPS controller. The CSCP controller maintains the overall system and the ITMS and DSPS data processing. The ITMS control process monitors and records the active impedance values from patient samples. The DSPS control process controls the volume of the system and sends the volume information to the patient.

Fig. 4 CSCP sample process in control structure

D. High Level Hazard Analysis using STPA
The STPA process is used to analyze each of the high-level hazards. The two steps of STPA are identifying the unsafe control actions of the system and determining how these control actions could occur. A controller can provide unsafe control in the following four ways: 1) a control action is not provided, is missing or is not followed; 2) a control action is provided but is wrongly provided; 3) a control action is provided at the wrong time, earlier or later than required, or out of sequence with other control actions; 4) for a control action that is a continuous signal, the control action is stopped too early or applied too long.
For each hazard analysis, tables are first created listing all the unsafe control actions provided by the controllers in the four ways identified above. Then the causal factors are considered in three general categories: (1) the controller operation, (2) the behavior of the actuators and controlled processes, and (3) communication and coordination among controllers and decision makers.

TABLE 3. UNSAFE CONTROL ACTIONS
Columns: required action not provided | unsafe action provided | incorrect timing/order (too early, too late) | control action stops (too soon, too long)

Patient status signal
  not provided: Catastrophic, wrong patient info determination
  unsafe action provided: Catastrophic, wrong patient info determination
  too early: Not a hazard (N/A)
  too late: Catastrophic, wrong patient info determination; system hangs past the acknowledgement time
  too soon: Not a hazard
  too long: (N/A)

CSCP -> DSPS: command normal
  not provided: Catastrophic, wrong determination of patient information, PL values, filter coefficients
  unsafe action provided: Catastrophic, incorrect values are gathered; high system volume
  too early: (N/A)
  too late: Catastrophic, wrong patient info determination; system hangs past the acknowledgement time
  too soon: Not a hazard
  too long: (N/A)

ITMS -> CSCP: provide impedance values
  not provided: Catastrophic, wrong patient info and impedance value determination
  unsafe action provided: Catastrophic, incorrect values are gathered
  too early: (N/A)
  too late: Catastrophic, network drop-out
  too soon, too long: (N/A)

Volume release
  not provided: Not a hazard (N/A)
  unsafe action provided: Must be done before opening the system and after isolating; must be assured
  too early, too late: (N/A)
  too soon: (N/A)
  too long: Too high volume in the system


E. Identify how the safety constraints could be violated
After the hazards have been identified, the following step is to identify the causal factors, which are very useful for working out mitigating features against each hazard. Because hazards result from inadequate control and enforcement of the safety constraints, the causal factors can be understood in terms of control flaws. Figure 5 shows a classification of the control flaws leading to hazards. The safety control structure diagram is evaluated using this classification of control flaws. Note that not all of the control flaws will contribute to a given hazard, that is, not all of them become causal factors; it depends on the case. Here, hazard H1 is selected to be analyzed first.

Using this framework for the STPA analysis, the intent is to identify the hazards that led to the case accident. The focus of the analysis is H1: accurate patient results must be reported to the audiologist at all times, since this was the catalyst for the FDA recall. The hazards identified for the case accident will drive the design requirements generated in the next section. Furthermore, during the STPA analysis, additional hazards that could lead to other accidents are documented so that they can be compared against the original set of hazards identified by the standard FMECA methodology.

Fig. 5 Causal factors leading to hazard H1 (control flaws shown in the figure: inadequate digital data input; missing digital data input; input command missing to initiate the data transfer process; input command missing to initiate the data conversion process; input command execution too early; input command execution too late)

(i) Control input or external information wrong or missing
The safety constraints may be inadequately enforced due to the following scenarios:
Input command missing to initiate the impedance measurement process
Input command execution too early to initiate the impedance measurement process
Input command execution too late to initiate the impedance measurement process
Wrong input command to initiate the impedance measurement process
Incorrect input command to initiate the impedance measurement process

(ii) Inadequate control algorithm of the CSCP system
Scenarios that may violate the safety constraints in this classification are:
Inadequate algorithm for acquiring patient sample impedance measurements
Inadequate algorithm for impedance measurement comparison
Inadequate algorithm for patient sample impedance measurements
Inadequate control algorithm for upstream data transfer
Inadequate control algorithm for downstream data transfer

(iii) Process model of the CSCP system is inconsistent or incomplete
Scenarios which may lead to inadequate enforcement of the safety constraints are the following:
CONTROLLER: assumes an erroneous low impedance result from the ITMS is an accurate result
CONTROLLER: assumes an erroneous high impedance result from the ITMS is an accurate result
ITMS: inadequate impedance result feedback
ITMS: assumes an erroneous low impedance result from the controlled process is an accurate result
ITMS: assumes an erroneous high impedance result from the controlled process is an accurate result
Incorrect data transfer confirmation logic on the ITMS controller
Incomplete data transfer confirmation logic on the ITMS controller
Data transfer logic is inconsistent

(iv) Missing feedback or feedback delays
Scenarios which may lead to missing or delayed feedback on the safety constraints are the following:
Missing impedance readings feedback to the CSCP controller
Incorrect impedance readings feedback to the CSCP controller
Fragmented impedance readings feedback to the CSCP controller
Delayed impedance readings feedback to the CSCP controller
Unexpected impedance readings feedback to the CSCP controller
Delayed feedback on data transfer

(v) Incorrect or no information provided; measurement inaccuracies; feedback delays
Missing impedance readings to the ITMS
Incorrect impedance readings to the ITMS
Fragmented impedance readings to the ITMS
Delayed impedance readings to the ITMS
Unexpected impedance readings from the ITMS
No patient result data feedback
Erroneous patient result data feedback
Delay in patient result data feedback
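The feedback flaws listed in (iii) to (v), missing, fragmented, delayed or unexpected impedance readings and a controller that treats an erroneous reading as accurate, can all be caught at the one point where the CSCP updates its process model. The following is an added example, not code from the paper: a CSCP-side controller that issues a sequence-numbered impedance request to the ITMS and accepts the reply into its process model only if the sequence number matches the outstanding request, all 12 channels are present, the reply arrives within the turn-around limit, and every value lies inside a plausible range; otherwise the model is marked stale and the fitting step stays blocked. The message shape, the 5 s limit standing in for SR2's "turn-around time of X", and the plausibility range are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHANNELS = 12
TURNAROUND_S = 5.0                    # assumed value for SR2's turn-around time X
PLAUSIBLE_OHMS = (100.0, 100_000.0)   # assumed: readings outside this are rejected


@dataclass
class ImpedanceReply:
    seq: int                  # echoes the request sequence number
    ohms: Dict[int, float]    # channel -> ohms as reported by the ITMS


@dataclass
class ProcessModel:
    impedances: Dict[int, float] = field(default_factory=dict)
    stale: bool = True        # nothing is trusted until a validated reply arrives
    last_reason: str = ""


class CscpController:
    def __init__(self) -> None:
        self.model = ProcessModel()
        self.seq = 0
        self.pending: Optional[int] = None
        self.requested_at = 0.0

    def request_impedances(self, now: float) -> dict:
        """Control action ITMS <- CSCP: 'provide impedance values'."""
        self.seq += 1
        self.pending = self.seq
        self.requested_at = now
        return {"type": "IMPEDANCE_REQ", "seq": self.seq}

    def on_reply(self, reply: ImpedanceReply, now: float) -> bool:
        """Validate feedback before it becomes part of the process model.
        Returns True if the model was updated, False if it was marked stale."""
        reasons: List[str] = []
        if self.pending is None or reply.seq != self.pending:
            # (iv)/(v): unexpected reading, e.g. a stale reply to an earlier request
            reasons.append(f"unexpected reply seq={reply.seq} pending={self.pending}")
        if now - self.requested_at > TURNAROUND_S:
            # (iv): delayed feedback; H2 if acted on as current
            reasons.append(f"late reply: {now - self.requested_at:.1f}s > {TURNAROUND_S}s")
        missing = [ch for ch in range(1, CHANNELS + 1) if ch not in reply.ohms]
        if missing:
            # (iv)/(v): fragmented feedback
            reasons.append(f"fragmented reply, missing channels {missing}")
        bad = {ch: v for ch, v in reply.ohms.items()
               if not (PLAUSIBLE_OHMS[0] <= v <= PLAUSIBLE_OHMS[1])}
        if bad:
            # (iii): do not assume an erroneous low/high reading is accurate
            reasons.append(f"implausible readings {bad}")
        if reasons:
            self.model.stale = True
            self.model.last_reason = "; ".join(reasons)
            return False
        self.model.impedances = dict(reply.ohms)
        self.model.stale = False
        self.model.last_reason = ""
        self.pending = None
        return True

    def check_timeout(self, now: float) -> bool:
        """Feedback missing entirely: called from a timer; marks the model stale."""
        if self.pending is not None and now - self.requested_at > TURNAROUND_S:
            self.model.stale = True
            self.model.last_reason = f"no reply to seq={self.pending} within {TURNAROUND_S}s"
            return True
        return False

    def may_open_fitting(self) -> bool:
        """The fitting module must not run on a stale or incomplete process model."""
        return not self.model.stale and len(self.model.impedances) == CHANNELS


def demo() -> List[bool]:
    """Constructed exchange: a valid reply, then a stale reply carrying the old
    sequence number, then a fragmented reply; fitting is blocked at the end."""
    c = CscpController()
    log: List[bool] = []
    good = {ch: 6000.0 for ch in range(1, CHANNELS + 1)}
    c.request_impedances(now=0.0)
    log.append(c.on_reply(ImpedanceReply(1, good), now=1.0))    # accepted
    c.request_impedances(now=10.0)
    log.append(c.on_reply(ImpedanceReply(1, good), now=11.0))   # old seq: rejected
    c.request_impedances(now=20.0)
    frag = {ch: 6000.0 for ch in range(1, 7)}
    log.append(c.on_reply(ImpedanceReply(3, frag), now=21.0))   # 6 of 12 channels
    log.append(c.may_open_fitting())                             # blocked
    return log


if __name__ == "__main__":
    print(demo())
```

Marking the model stale rather than keeping the last good values is the safety-relevant choice: the controller's process model then says "unknown" instead of silently carrying forward readings that the ITMS may no longer be reporting.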

F. Hazard List and Hazard Log
i) Hazard
H1. System reports erroneous patient results to the user.
ii) System elements
CSCP, DSPS, ITMS and database
iii) Causal factors
CF1: Input command missing to initiate the impedance measurement process
CF2: Input command execution too early to initiate the impedance measurement process
CF3: Input command execution too late to initiate the impedance measurement process
CF4: Wrong input command to initiate the impedance measurement process
CF5: Incorrect input command to initiate the impedance measurement process, etc.
iv) Safety constraints
SC1: Correct patient results must be reported to the audiologist.
SC2: Patient results must be reported to the audiologist in a usable time frame.

VI. RESULT DISCUSSION

From the control structure, For H1 and the case


accident, there were 12 hazards (underlined) that were
identified that could have lead to patient injury. In the f1f2-f3-f4 control loops and can describe the physical
blockage of the membrane or nerve. This finding may
seem biased to discovery since this analysis occurred post
accident. These hazards may not be covered in the FMEA
analysis.
In the next loop, b1-b2-b3-b4, the patient data is requested by the DSPS from the ITMS controller. This loop provided the structure necessary for a comprehensive hazard analysis. Some hazards identified were left nondescript, such as inadequate patient data transfer. This may indicate missing, late or erroneous transfer processes, which is an advantage for discovering new conditions under which the control loop migrates to an unsafe state.
In control loop c1-c2-c3-c4, the transported digital data originally from the CSCP is converted to usable patient data. The case study's proprietary software algorithm performs this conversion and analyzes the results for quality. The control loop c9-g6 is similar to the other control loops where data is transferred up the hierarchical structure; therefore hazards similar to those of the other data transfer control loops were found for it. It is noted that adherence to the turnaround time requirement will play a significant role in the case accident. In conclusion, the STPA methodology was applied to the case accident and a large number of hazards were identified. Of the over 134 hazards identified, 12 were found to be contributors to the case accident.
We used STPA to identify the related hazards, created the safety control structure and identified the related causal factors. Finally we compared the results based on STPA with the original FMEA results. In our case, we demonstrated how to apply STPA to hazard analysis. We think that STPA provides a different idea and way to develop hazard analysis compared with traditional methods. Existing hazard analysis approaches such as FTA and FMEA have been used for a long period. As demonstrated in earlier sections, we now realize that these methods have some limitations. These limitations are of primary concern for complex systems, and STPA may have some advantages for such systems. STPA provides a systemic methodology for hazard analysis as well as clear guidance for conducting one. STPA is usually used at the system level, but it can also be extended to more detailed levels.
An FMEA analysis could not detect such hazards, because under that analysis, as long as an ITMS is healthy and works properly, the functionality is not disrupted and hence the system could be considered safe. However, such a hazard could be identified by STPA and proper mitigations could be placed accordingly. Result verification at lower levels can be done easily, as the number of involved parties is smaller in comparison to upper-level control mechanisms, improving the accuracy of the final results reported to the operators. In addition, such result verification can monitor the physical components' integrity and performance. However, even with result verification in place, there is no verification of the sequence of results reported from lower-level loops to the higher-level loops in the hierarchical control structure. Therefore, the higher control loops take actions based on received results that are not the actual expected results. This does not define the appropriate behavior of the system, which makes the process model incomplete; it is one of the frequent forms of deficiency that occur due to an incomplete process model. To address such hazards, the process model of the controller should either perform source verification for any received results by utilizing a light-weighted public/private safety system.
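As an added example (not the paper's own code), the following Python sketch shows how the CSCP controller's process model could check each impedance-reading feedback message from the ITMS loop for the feedback hazard categories listed earlier (missing, delayed, fragmented, unexpected) and for the source and sequence verification this paragraph calls for. The turnaround limit, electrode count, impedance band and the shared-key MAC are assumptions; the MAC stands in for the public/private scheme the paper mentions.

```python
import hashlib, hmac, json
from dataclasses import dataclass
# Constructed example, not the paper's code; key, limits and ranges are assumptions.
TURNAROUND_MS = 500                      # assumed turnaround-time limit behind SC2
ELECTRODES = 22                          # assumed electrode count of a complete reading
IMP_MIN_KOHM, IMP_MAX_KOHM = 1.0, 30.0   # assumed plausible impedance band (kOhm)
def sign(key, seq, sent_ms, readings):   # shared-key MAC standing in for the
    body = json.dumps([seq, sent_ms, readings], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()   # paper's public/private check
def feedback(key, seq, sent_ms, readings):   # one ITMS -> CSCP message (constructed)
    return {"seq": seq, "sent_ms": sent_ms, "readings": readings,
            "mac": sign(key, seq, sent_ms, readings)}

@dataclass
class FeedbackChecker:   # process-model guard inside the CSCP controller
    key: bytes
    expected_seq: int = 0
    def check(self, msg, now_ms):
        """Return hazard labels for one message; an empty list means accept."""
        expected_mac = sign(self.key, msg["seq"], msg["sent_ms"], msg["readings"])
        if not hmac.compare_digest(msg.get("mac", ""), expected_mac):
            return ["unverified_source"]             # result not from the ITMS loop
        hazards = []
        if msg["seq"] < self.expected_seq:            # replayed or out-of-order result
            hazards.append("replayed_or_out_of_order")
        else:
            if msg["seq"] > self.expected_seq:        # an earlier reading never arrived
                hazards.append("missing_reading")
            self.expected_seq = msg["seq"] + 1
        if now_ms - msg["sent_ms"] > TURNAROUND_MS:   # late result, violates SC2
            hazards.append("delayed_reading")
        if len(msg["readings"]) != ELECTRODES:        # partial transfer
            hazards.append("fragmented_reading")
        if any(not IMP_MIN_KOHM <= v <= IMP_MAX_KOHM for v in msg["readings"]):
            hazards.append("unexpected_reading")      # implausible value, violates SC1
        return hazards

def run_demo():   # drive the checker through the feedback hazard cases on the page
    key, good = b"constructed-shared-key", [10.0] * ELECTRODES
    chk = FeedbackChecker(key)
    return {
        "ok": chk.check(feedback(key, 0, 1000, good), 1100),
        "late": chk.check(feedback(key, 1, 1000, good), 1800),
        "gap": chk.check(feedback(key, 3, 2000, good), 2100),
        "replay": chk.check(feedback(key, 3, 2000, good), 2200),
        "partial": chk.check(feedback(key, 4, 3000, good[:11]), 3100),
        "range": chk.check(feedback(key, 5, 4000, [50.0] * ELECTRODES), 4100),
        "forged": chk.check(feedback(b"other-key", 6, 5000, good), 5100),
    }
```

Each label maps to one of the feedback hazards in the list above, so the controller can log or reject a result instead of acting on it.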
Our STPA analysis facilitated the process of
understanding a complex control structure such as a CSCP
software infrastructure and the relationship among its
control loops. As we showed in our analysis, even though
some of the hazards were the result of insufficient access
control at lower-level loops, most of them were the result
of inadequate control over the interactions among the
system components and their associated control loops. The
lesson learned from our STPA analysis can be used to
prevent hazards in other CPS.
For example, medical
devices are becoming more intelligent these days and
numerous components have to interact with each other to
accomplish a task. Therefore, system designers can utilize
the STAMP framework to identify hazards in a complex
environment that runs mostly through complex interactions
among its numerous components.
The results based on STPA analysis include not only
component failures but also the interaction failures among
components or between components and human operators
within a hierarchical structure. Although it has many
advantages, STPA still has some subjective aspects. For
different people, safety control structure might be different
because their understanding of the system might be
different. The identification of hazards and causal factors
also might be different. Like all the other approaches for
hazard analysis, STPA cannot provide a proof for
completeness and accuracy of identification of hazards and
causal factors. The following are the uses over the CSCP of the CIS system:
Identify the importance of software in the MCPS of medical care devices.
Reduce the number of hazards after applying the FTA and FMEA software testing methods.
Describe the safety integrity of the entire system.
Provide criteria for early planning of tests and test cases.
Decrease system development time and cost.
Reduce future failures by using the collected information.
Allow focusing on quality assurance procedures for the most basic safety structures.
Focus on prevention rather than detection.
Identify the design constraints.
Derive the risk prevention rate of the software in medical devices.
Provide information about the ongoing state of software safety.
Reduce the severity and failure frequency.
Identify any structural weakness.

VII. CONCLUSION

In this paper the concept of STAMP-based hazard analysis in road tunnels has been introduced and illustrated through a case study example. This paper discusses these characteristics and suggests a design analysis approach that better integrates security into the core design of the system. We applied STPA to a sample case study. Numerous hazards were identified that highlight some of the missing design requirements needed in the original design intent to avoid the safety hazards imposed by the studied case. Future work will be risk assessment based on the hazards identified by STPA. The STAMP model helps identify more inadequate controls inside the control structure, from the physical process to management, to overall communication and coordination, and to the safety culture of the medical system.
