Hubbry Logo
Safety-critical systemSafety-critical systemMain
Open search
Safety-critical system
Community hub
Safety-critical system
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Safety-critical system
Safety-critical system
Safety-critical system
View on Wikipedia
from Wikipedia
Examples[1] of safety-critical systems. From left to right, top to bottom: the glass cockpit of a C-141, a pacemaker, the Space Shuttle and the control room of a nuclear power plant.

A safety-critical system[2] or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:[3][4]

  • death or serious injury to people
  • loss or severe damage to equipment/property
  • environmental harm

A safety-related system (or sometimes safety-involved system) comprises everything (hardware, software, and human aspects) needed to perform one or more safety functions, in which failure would cause a significant increase in the safety risk for the people or environment involved.[5] Safety-related systems are those that do not have full responsibility for controlling hazards such as loss of life, severe injury or severe environmental damage. The malfunction of a safety-involved system would only be that hazardous in conjunction with the failure of other systems or human error. Some safety organizations provide guidance on safety-related systems, for example the Health and Safety Executive in the United Kingdom.[6]

Risks of this sort are usually managed with the methods and tools of safety engineering. A safety-critical system is designed to lose less than one life per billion (109) hours of operation.[7][8] Typical design methods include probabilistic risk assessment, a method that combines failure mode and effects analysis (FMEA) with fault tree analysis. Safety-critical systems are increasingly computer-based.

Safety-critical systems are a concept often used together with the Swiss cheese model to represent (usually in a bow-tie diagram) how a threat can escalate to a major accident through the failure of multiple critical barriers. This use has become common especially in the domain of process safety, in particular when applied to oil and gas drilling and production both for illustrative purposes and to support other processes, such as asset integrity management and incident investigation.[9]

Reliability regimens

[edit]

Several reliability regimes for safety-critical systems exist:

  • Fail-operational systems continue to operate when their control systems fail. Examples of these include elevators, the gas thermostats in most home furnaces, and passively safe nuclear reactors. Fail-operational mode is sometimes unsafe. Nuclear weapons launch-on-loss-of-communications was rejected as a control system for the U.S. nuclear forces because it is fail-operational: a loss of communications would cause launch, so this mode of operation was considered too risky. This is contrasted with the fail-deadly behavior of the Perimeter system built during the Soviet era.[10]
  • Fail-soft systems are able to continue operating on an interim basis with reduced efficiency in case of failure.[11] Most spare tires are an example of this: They usually come with certain restrictions (e.g. a speed restriction) and lead to lower fuel economy. Another example is the "Safe Mode" found in most Windows operating systems.
  • Fail-safe systems become safe when they cannot operate. Many medical systems fall into this category. For example, an infusion pump can fail, and as long as it alerts the nurse and ceases pumping, it will not threaten the loss of life because its safety interval is long enough to permit a human response. In a similar vein, an industrial or domestic burner controller can fail, but must fail in a safe mode (i.e. turn combustion off when they detect faults). Famously, nuclear weapon systems that launch-on-command are fail-safe, because if the communications systems fail, launch cannot be commanded. Railway signaling is designed to be fail-safe.
  • Fail-secure systems maintain maximum security when they cannot operate. For example, while fail-safe electronic doors unlock during power failures, fail-secure ones will lock, keeping an area secure.
  • Fail-Passive systems continue to operate in the event of a system failure. An example includes an aircraft autopilot. In the event of a failure, the aircraft would remain in a controllable state and allow the pilot to take over and complete the journey and perform a safe landing.
  • Fault-tolerant systems avoid service failure when faults are introduced to the system. An example may include control systems for ordinary nuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system, and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. The computers, power supplies and control terminals used by human beings must all be duplicated in these systems in some fashion.

Software engineering for safety-critical systems

[edit]

Software engineering for safety-critical systems is particularly difficult. There are three aspects which can be applied to aid the engineering software for life-critical systems. First is process engineering and management. Secondly, selecting the appropriate tools and environment for the system. This allows the system developer to effectively test the system by emulation and observe its effectiveness. Thirdly, address any legal and regulatory requirements, such as Federal Aviation Administration requirements for aviation. By setting a standard for which a system is required to be developed under, it forces the designers to stick to the requirements. The avionics industry has succeeded in producing standard methods for producing life-critical avionics software. Similar standards exist for industry, in general, (IEC 61508) and automotive (ISO 26262), medical (IEC 62304) and nuclear (IEC 61513) industries specifically. The standard approach is to carefully code, inspect, document, test, verify and analyze the system. Another approach is to certify a production system, a compiler, and then generate the system's code from specifications. Another approach uses formal methods to generate proofs that the code meets requirements.[12] All of these approaches improve the software quality in safety-critical systems by testing or eliminating manual steps in the development process, because people make mistakes, and these mistakes are the most common cause of potential life-threatening errors.

Examples of safety-critical systems

[edit]

Infrastructure

[edit]

Medicine[13]

[edit]

The technology requirements can go beyond avoidance of failure, and can even facilitate medical intensive care (which deals with healing patients), and also life support (which is for stabilizing patients).

Nuclear engineering[15]

[edit]

Oil and gas production[16]

[edit]

Recreation

[edit]

Transport

[edit]

Railway[17]

[edit]

Automotive[19]

[edit]

Aviation[20]

[edit]

Spaceflight[21]

[edit]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Safety-critical system

View on Grokipedia
from Grokipedia
A safety-critical system is defined as a whose or malfunction could result in unacceptable consequences, such as loss of human life, significant property damage, or severe environmental harm. These systems encompass hardware, software, or integrated components that demand exceptional reliability, , and real-time performance to prevent hazardous events. They are distinguished from general by their potential for catastrophic impact, necessitating rigorous practices to mitigate risks throughout the lifecycle, from to operation. Safety-critical systems are prevalent across high-stakes industries, including , healthcare, nuclear energy, automotive, and transportation. Notable examples include flight control systems like those in the , medical devices such as pacemakers and insulin pumps, controls, and automotive braking or deployment mechanisms. In transportation, they extend to railway signaling and automated vehicle controls, while non-traditional applications involve emergency services like 911 systems and such as banking networks that could indirectly endanger lives through financial disruption. These systems often operate in complex environments, requiring , diversity in components, and mechanisms to handle potential faults without compromising safety. Development and certification of safety-critical systems follow stringent international standards to ensure dependability and compliance. Key standards include IEC 61508 for functional safety of electrical, electronic, and programmable electronic systems; ISO 26262 for automotive electrical and electronic safety; DO-178C for aviation software; IEC 62304 for medical device software; and CENELEC EN 50128 for railway applications. These frameworks emphasize risk analysis, formal verification methods beyond traditional testing, and security measures to address vulnerabilities like software flaws or cyber threats. As systems grow in complexity—such as in automated transportation and telemedicine—ongoing challenges include advancing specification techniques, architecture design, and assurance processes to maintain ultra-high dependability levels.

Definition and Fundamentals

Definition and Scope

A safety-critical system is defined as one whose failure could result in , significant , or environmental harm. This distinguishes it from mission-critical systems, where failures primarily lead to loss of operational capability or mission objectives without directly endangering human life or causing catastrophic damage. The scope of safety-critical systems extends beyond isolated components to include integrated hardware, software, and human elements operating within complex environments. These systems are prevalent in high-stakes domains such as , nuclear power plants, and medical devices, where real-time constraints ensure timely responses and mechanisms prevent or mitigate failures. Key characteristics of safety-critical systems emphasize extreme dependability, often targeting levels exceeding 99.999% to minimize downtime risks. Design practices incorporate , such as duplicated components for , and diversity, including varied hardware or software implementations to avoid common modes.

Historical Development

The concept of safety-critical systems traces its origins to the , when industrial advancements in transportation and power generation necessitated mechanisms to prevent catastrophic failures. In railway operations, early signaling innovations emerged to mitigate collision risks amid rapid rail expansion. The semaphore signaling system, patented by Joseph James Stevens in 1842 and first implemented on the London and Railway, used visual flags or arms to indicate track sections, establishing fixed block signaling as a standard by 1870. Complementing these, mechanical interlocking, introduced by John Saxby in 1843 at Bricklayers Arms Junction in , prevented conflicting train routes by linking signal levers mechanically. Similarly, safety valves developed as precursors to automated safeguards in steam-powered systems; frequent explosions on ships and locomotives in the early 1800s, often due to , led to innovations like Charles Retchie's 1848 accumulation chamber, which improved valve responsiveness by enhancing compression for rapid pressure release. These mechanical devices represented foundational safety-critical engineering, prioritizing designs to protect human life and infrastructure. Post-World War II advancements in the and marked a shift toward electronic and computational controls in high-stakes environments. Nuclear reactor safety systems evolved with a strong emphasis on preventing criticality accidents and radioactive releases; early designs incorporated features like negative temperature coefficients and redundant cooling, informed by destructive tests on experimental reactors in that confirmed self-limiting reactivity. The 1958 Halden Reactor Project in further advanced human-machine interfaces for reactor control, fostering international collaboration on safety instrumentation. In , the Apollo program's Guidance Computer (AGC), developed by MIT in the early , pioneered fault-tolerant software for real-time and control during lunar missions. Featuring a priority-based operating system and error recovery mechanisms—demonstrated during the "1202" alarm that allowed safe landing—the AGC influenced subsequent fault-tolerant computing paradigms, proving embedded systems' reliability in life-critical scenarios. The 1980s and saw formalized standards and incident-driven reforms that elevated software's role in safety-critical domains. The DO-178 standard, issued by RTCA in 1981, established objectives for airborne software assurance, categorizing development processes by failure severity to ensure verifiable safety in systems. Tragic events like the radiation therapy machine incidents (1985–1987), where software race conditions and absent hardware interlocks caused overdoses up to 100 times intended levels, resulting in at least three deaths, spurred regulatory overhauls in medical devices. These accidents, investigated by Nancy Leveson and others, highlighted inadequate error handling and led to enhanced FDA guidelines for software validation and human oversight in healthcare. By the late , Y2K preparations underscored systemic interdependencies in global infrastructure; efforts to remediate date-handling flaws in critical systems like power grids and finance revealed risks from untested vendor software and international variances, prompting widespread risk assessments and contingency planning. In the , safety-critical systems have increasingly incorporated and cybersecurity amid growing complexity. AI integration, accelerated by advances in , has introduced architectural patterns for cyber-physical systems, such as runtime monitoring to detect anomalies, though challenges persist in adapting standards like to non-deterministic algorithms. Concurrently, cybersecurity developments address evolving threats to interconnected infrastructure; the U.S. Department of Homeland Security's Cyber Security Division, established in the , has fostered public-private frameworks for securing IoT-enabled critical sectors like energy and transportation. Events like the , where algorithms triggered a $1 trillion market plunge in minutes due to liquidity imbalances and "hot potato" volume, exposed vulnerabilities in automated financial systems, influencing regulations for circuit breakers and risk controls. These shifts emphasize holistic assurance, blending AI potential with robust defenses against cyber and systemic failures.

Core Principles

Failure Modes and Effects

In safety-critical systems, primary failure modes encompass a range of issues that can compromise system integrity and lead to hazardous outcomes. Common-mode failures occur when multiple redundant components fail simultaneously due to a shared cause, such as a design flaw or external event, exemplified by the 1996 rocket explosion where identical software errors in dual inertial reference systems caused mission failure. Software bugs, including race conditions where concurrent processes access shared resources unpredictably, represent another critical mode, potentially resulting in or system lockup in applications like flight control software. Hardware faults, such as (EMI) disrupting signal integrity in or medical devices, can induce erroneous outputs or component malfunctions, as seen in space mission anomalies attributed to EMI-induced resets. Human errors, often manifesting as unintended actions like omitting a procedural step or misinterpreting interface cues, contribute significantly to failures, accounting for a substantial portion of incidents in complex operations such as nuclear plant controls. Failure Modes and Effects Analysis (FMEA) provides a structured, bottom-up to systematically identify and mitigate these risks in safety-critical systems. Developed originally for applications in the , FMEA involves assembling a to define the system's scope and functions, such as braking in an automotive . The process proceeds by breaking down the system into components and subsystems, then brainstorming potential failure modes for each—for instance, a sensor outputting invalid data due to . Effects are evaluated at local, system, and end-user levels, assessing impacts like delayed detection. Severity is ranked on a 1-10 scale, where 1 indicates negligible impact and 10 denotes catastrophic consequences, such as loss of life. Occurrence and detection probabilities are similarly rated to compute a Risk Priority Number (RPN), guiding . Finally, strategies are recommended, including redundancies or enhanced monitoring, with actions tracked for implementation. In software contexts, this adapts to SFMEA, focusing on modes like timing violations while verifying against requirements. A related analytical tool, (FTA), complements FMEA by offering a top-down, deductive approach to model system-level risks. FTA begins with a defined top event, such as "uncontrolled acceleration," represented at the root of a diagrammatic using logic gates: OR gates for independent failure paths (e.g., or malfunction) and AND gates for conjunctive events (e.g., both power supplies failing). Basic events at the leaves include component faults or human actions, enabling probabilistic quantification of the top event's likelihood through minimal cut sets—minimal combinations of failures causing the event. Unlike FMEA's inductive, component-centric focus, FTA excels in tracing cascading dependencies across the entire system, making it suitable for holistic risk modeling in . Quantitative evaluation of these failure modes often employs the Probability of Failure on Demand (PFD), a metric denoting the likelihood that a safety function fails when invoked in low-demand scenarios. For high-integrity systems, such as those achieving under standards like , the average PFD (PFDavg) must be in the range of 10^{-5} to less than 10^{-4}, ensuring rare dangerous failures over the system's lifecycle.

Risk Analysis Techniques

Risk analysis techniques in safety-critical systems extend beyond identifying individual failure modes to systematically evaluate and quantify potential hazards at the system level, incorporating both qualitative and probabilistic methods to inform strategies. These approaches help prioritize based on likelihood and severity, ensuring that safety measures address the most critical scenarios in domains such as process industries, nuclear facilities, and transportation. By integrating structured deviation analysis, probabilistic modeling, and layer-based assessments, these techniques provide a framework for reducing overall system vulnerability while accounting for uncertainties. The (HAZOP) is a qualitative method originally developed for chemical process plants, where it systematically examines deviations from intent to identify potential hazards and operability problems. Conducted by multidisciplinary teams, HAZOP applies a set of standard guide words—such as "no," "more," "less," "as well as," "part of," "reverse," and "other than"—to process parameters like flow, , and at each node of a (P&ID). For instance, applying "no" to flow might reveal scenarios like failure leading to process shutdown, prompting evaluation of causes, consequences, and safeguards. This structured brainstorming approach, standardized in IEC 61882:2016, enhances early detection of flaws and has been widely adopted in safety-critical process systems to prevent accidents by fostering comprehensive deviation analysis. Probabilistic Risk Assessment (PRA), also known as Probabilistic Safety Assessment (PSA) in some contexts, employs principles to quantify the overall risk of system failures by modeling event sequences and their likelihoods. Central to PRA is the use of event trees, which map out possible outcomes from an initiating event—such as a component malfunction—branching into success or failure paths for mitigating systems, with probabilities assigned based on failure rates derived from data, expert judgment, or historical records. Fault trees complement this by analyzing top-level undesired events backward to basic causes, enabling the calculation of core damage frequency or other risk metrics in safety-critical applications like nuclear power plants. As outlined in guidelines, PRA integrates these models to assess mission risks and support decision-making, providing a rigorous, quantitative basis for comparing design alternatives and verifying safety margins. Layer of Protection Analysis (LOPA) offers a semi-quantitative approach to evaluate whether existing safeguards sufficiently reduce risk for specific scenarios, focusing on independent protection layers (IPLs) that prevent or mitigate initiating events leading to consequences. Each IPL, such as alarms, relief valves, or interlocks, is assigned a probability of failure on demand (PFD), typically targeting risk reduction factors like 10:1 for basic alarms or 100:1 for safety instrumented systems, with the overall scenario frequency calculated as the initiating event frequency multiplied by the product of IPL PFDs. Developed by the Center for Chemical Process Safety (CCPS), LOPA bridges qualitative hazard identification (e.g., from HAZOP) and full quantitative PRA, allowing quick assessments of whether additional layers are needed to meet tolerable risk criteria, such as 10^{-5} per year for catastrophic events in process industries. This method emphasizes IPL independence to avoid common-cause failures, ensuring robust risk reduction in safety-critical operations. Human Reliability Analysis (HRA) quantifies the contribution of s to system risk, particularly in complex environments where operators interact with automated controls, using techniques like THERP to estimate human error probabilities (HEPs) for specific tasks. THERP, a foundational first-generation HRA method, decomposes procedures into task steps, assesses error modes (e.g., omission, commission), and applies performance shaping factors like stress or training to adjust base HEPs—such as 0.003 for reading a meter under ideal conditions or 0.01 for skilled diagnostic tasks—from empirical tables. Detailed in the NUREG/CR-1278 handbook, THERP integrates these HEPs into PRA event trees or fault trees, revealing that human errors can account for up to 50% of risk in nuclear control rooms, thereby guiding training and interface designs to minimize errors in safety-critical human-system interactions.

Engineering Practices

Hardware Reliability Design

Hardware reliability design in safety-critical systems emphasizes architectures and techniques that mitigate failures through proactive fault masking, detection, and environmental resilience, ensuring continuous operation under adverse conditions. These designs prioritize hardware-level interventions to achieve high dependability, often quantified by metrics such as (MTBF), where MTBF = 1 / λ and λ represents the component in failures per unit time. Such approaches are essential in domains requiring uninterrupted functionality, where even transient faults can lead to catastrophic outcomes. Redundancy is a cornerstone of hardware reliability, involving the duplication or triplication of critical components to maintain system integrity. Hardware redundancy, such as (TMR), deploys three identical modules performing the same function, with outputs combined via majority voting to mask faults in any single module. This static configuration operates continuously without reconfiguration, providing seamless but at the cost of increased resource utilization. In contrast, dynamic detects errors and reconfigures the system by switching to spare modules, offering flexibility for varying fault scenarios while potentially introducing brief recovery latencies. Both types enhance overall system reliability by distributing risk across multiple pathways, with TMR particularly prevalent in applications demanding zero-downtime operation. Fault detection and tolerance mechanisms are integrated into hardware to identify and isolate errors in real-time, preventing propagation to system-level failures. Built-in test equipment (BITE) comprises embedded diagnostic circuits that perform self-checks on components, such as power supplies and interfaces, to pinpoint faults without external tools. Watchdog timers, simple hardware counters that reset the system if not periodically serviced by the processor, guard against hangs or infinite loops by enforcing timely responses. For data integrity, error-correcting codes like the enable single-error correction; it uses r parity bits to protect up to k = 2^r - r - 1 data bits, where the parity bits are positioned at powers of two and calculated via syndrome decoding to locate and flip erroneous bits. These techniques collectively achieve high diagnostic coverage, often exceeding 90% for single faults in certified designs. Environmental hardening fortifies hardware against external stressors that could induce failures, ensuring robustness in harsh operational contexts. Designs incorporate shielding and materials tolerant to , such as silicon-on-insulator processes that reduce charge collection in events, thereby minimizing single-event upsets. Temperature extremes are addressed through management, including heat sinks and wide-range components tested via procedures, which simulate high (up to 71°C) and low (down to -51°C) conditions to verify material integrity and performance. Electromagnetic compatibility (EMC) is ensured by compliance with IEC 61000 standards, which specify immunity tests for conducted disturbances (e.g., 150 kHz to 80 MHz) to prevent interference-induced malfunctions in safety-related equipment. Component selection plays a pivotal role in reliability, favoring parts certified to safety integrity levels (SIL) under , which defines SIL 3 as requiring, for low-demand operation, an average probability of on demand (PFD_avg) in the range of 10^{-4} to 10^{-3}, and for high-demand or continuous operation, a dangerous undetected (PFH_d) in the range of 10^{-8} to 10^{-7} per hour. These safety-rated components, often with MTBF values exceeding 10^6 hours, undergo rigorous qualification to account for λ derived from , enabling architects to predict and allocate based on system-wide reliability targets.

Software Development Methods

Software development for safety-critical systems employs rigorous lifecycles to ensure from requirements to , minimizing errors that could lead to catastrophic failures. The , a structured approach, integrates development and verification phases in a sequential manner, starting with and progressing through detailed design, coding, and , with each level verified against the corresponding higher-level requirements to maintain bidirectional . This model is particularly suited for safety-critical applications, as it facilitates early detection of discrepancies and supports compliance with standards by documenting how software artifacts align with safety objectives. In embedded systems, the V-model often interfaces with hardware design processes to verify integrated behavior. While traditional waterfall-like models dominate, adaptations of agile methodologies have emerged to incorporate iterative practices while preserving safety assurances. The (SAFe), for instance, extends agile principles across large teams by incorporating safety gates, such as iterative assessments and compliance checkpoints, allowing for incremental development in safety-critical domains like automotive software without compromising regulatory needs. These adaptations address challenges like maintaining living in dynamic environments, enabling faster feedback loops while ensuring that safety requirements evolve with the system. Verification and validation (V&V) processes are central to these lifecycles, encompassing techniques to confirm that the software meets its specifications and is free from defects. Static analysis tools, guided by the guidelines, enforce coding rules to prevent common vulnerabilities, such as or pointer errors, by checking without execution; for example, :2012 includes over 140 rules categorized by severity to promote portability and reliability in embedded systems. complement this through , which exhaustively verifies system models against specifications; using (CTL), properties like liveness—ensuring a eventually completes—can be expressed and checked, such as the formula EFp\mathbf{EF} \, p (there exists a path where pp eventually holds), applied to verify deadlock-free operation in real-time controllers. Coding standards further enforce discipline, with providing a framework for software divided into five levels (A through E) based on failure severity, where Level A ( potential) mandates the highest rigor, including structural coverage objectives. To contain errors, techniques like partitioning isolate software modules in time or space, preventing faults in one partition from propagating, as required for higher assurance levels under . These standards ensure that code is deterministic and robust, with tools automating compliance checks. Testing strategies prioritize comprehensive coverage of decision logic, particularly through (MC/DC), which requires test cases demonstrating that each condition in a decision independently affects the outcome, achieving 100% for critical software under Level A. MC/DC goes beyond basic branch coverage by isolating condition effects—for instance, in the expression (ab)c(a \land b) \lor c, tests must show aa flipping the result while holding bb and cc constant—thus exposing subtle faults in complex logic common to controls. In the context of artificial intelligence (AI) systems increasingly classified as safety-critical—where operations can result in significant harm, including financial loss, medical injury, or infrastructure failure—software development methods adapt to ensure reliability despite inherent non-determinism. These systems follow safety-critical engineering principles, including promoting deterministic behavior through constrained architectures and probabilistic thresholds, strict validation of inputs via dataset curation and out-of-distribution detection, and transitions to safe states upon failure detection. Fail-closed mechanisms are commonly employed, defaulting the system to non-action or restricted functionality when safe operation conditions are unmet, rather than proceeding with speculative execution. These practices mirror those in aviation (e.g., fail-safe designs and regulatory feedback loops), nuclear control systems (e.g., defense in depth and safety margins), and medical devices (e.g., input quality assessments and auditing for AI diagnostics).

Standards and Assurance

Certification Processes

Certification processes for safety-critical systems involve rigorous regulatory frameworks to verify that systems achieve required safety integrity levels through structured evidence submission and independent verification. These processes ensure compliance with international standards that define safety lifecycles encompassing phases from concept and development to operation, service, and decommissioning. A foundational standard is , which addresses of electrical/electronic/programmable electronic safety-related systems across industries. It specifies four safety integrity levels (SIL 1 to SIL 4), where higher levels correspond to greater risk reduction; for low-demand mode operations, SIL 4 requires a probability of failure on demand (PFD) of less than 10^{-4}. The standard mandates a safety lifecycle with phases including concept, realization (design and implementation), operation and maintenance, and eventual decommissioning to systematically manage risks. For automotive applications, adapts these principles specifically for electrical/electronic systems in production vehicles, defining Automotive Safety Integrity Levels (ASIL A to D) that map hazards to required integrity based on exposure, severity, and controllability. Similar to , it outlines a safety lifecycle covering concept phase ( and ), product development (, hardware, and software), production and operation, service, and decommissioning. In , software certification follows , which provides objectives and activities for airborne assurance, structured by Assurance Levels ( A to E), with DAL A requiring the highest rigor for failure conditions that could cause catastrophic events. The process integrates with FAA oversight, including planning, development, verification, and . For medical devices, specifies software lifecycle processes classified by software safety classes (A to C), with Class C for software that could lead to death or serious injury, emphasizing integration and validation. involves FDA review alongside compliance with this standard. A second edition is in draft as of 2025, expected in 2026, introducing updated rigor levels and extended scope for AI-driven health software. In applications, CENELEC EN 50128 governs software for control and protection systems, defining safety integrity levels aligned with EN 50129 (SIL 0-4) and requiring tool qualification and independent assessment. It is set to be replaced by EN 50716 by 2026, with enhancements for modern software practices. Certification is typically overseen by domain-specific bodies conducting independent audits and requiring submission of comprehensive evidence, such as safety cases. In , the (FAA) certifies aircraft through a process involving design reviews, ground and of safety-critical systems, and oversight via Organization Designation Authorizations (ODAs) to ensure regulatory compliance. Safety cases often employ Goal Structuring Notation (GSN), a graphical method to articulate claims (e.g., ), supporting strategies, evidence (e.g., analyses), and contexts, facilitating clear argumentation for certifiers. For medical devices, the (FDA) classifies devices by risk (Class I to III) and requires premarket notification (510(k)) for moderate-risk devices or premarket approval (PMA) for high-risk ones, including clinical data and quality compliance to assure . Integrity levels are determined by mapping identified to appropriate ; for instance, SIL or ASIL assignment involves quantitative risk assessments to select levels that reduce hazards to tolerable thresholds. A common pitfall in these processes is incomplete from hazards through requirements to verification evidence, which can complicate audits and lead to delays. International harmonization efforts promote consistency, such as under the Machinery Regulation (EU) 2023/1230, which replaces the 2006/42/EC and requires conformity to essential health and safety requirements via harmonized European standards for machinery design, including safety-related controls and new aspects like cybersecurity, enabling for market access (fully applicable from January 20, 2027, with transitional provisions). These processes focus on initial approval, with ongoing reliability regimens addressing post-certification maintenance.

Reliability Regimens

Reliability regimens in safety-critical systems encompass ongoing operational practices designed to monitor, predict, and mitigate failures during deployment, ensuring sustained performance and minimizing risks to human life or . Predictive maintenance relies on techniques, such as analysis, to detect early signs of degradation in mechanical components like turbines or engines, allowing interventions before faults escalate. For instance, in applications, sensors integrated with AI models analyze real-time data to forecast potential failures in systems, enhancing overall equipment reliability. NASA's predictive maintenance programs further emphasize systematic trending of equipment conditions to schedule repairs proactively, reducing unplanned downtime in mission-critical environments. Failure reporting systems form a core component of these regimens, providing closed-loop feedback for continuous improvement. NASA's Problem Reporting and Corrective Action System (PRACAS), also known as FRACAS, tracks anomalies in , categorizes issues by severity, and mandates corrective actions to prevent recurrence, thereby maintaining system integrity across operational lifecycles. These systems ensure that data from field operations informs reliability enhancements, distinguishing them from initial design phases by focusing on post-deployment feedback. Key metrics and modeling approaches quantify and predict reliability under operational stresses. System availability is commonly calculated using the formula A=MTBFMTBF+MTTRA = \frac{MTBF}{MTBF + MTTR}, where MTBF represents the and MTTR the , providing a probabilistic measure of uptime essential for safety-critical evaluations. Markov models extend this by representing system states (e.g., operational, degraded, failed) as a , enabling predictions of transition probabilities in safety-critical controls, where time-series analysis helps forecast reliability over extended missions. Redundancy management employs strategies like hot and cold standby configurations to achieve seamless in real-time systems. In hot standby, duplicate components run in parallel and synchronize continuously, allowing instantaneous switching upon primary failure; cold standby, conversely, keeps backups powered down until activation, balancing cost with readiness. For real-time safety-critical networks, such as automotive Ethernet systems, failover times are engineered to be less than 50 ms to prevent disruptions in time-sensitive operations. Incident response protocols emphasize thorough post-failure investigations to address underlying issues. Root cause analysis, particularly the 5 Whys technique, systematically probes each failure layer by repeatedly asking "why" until the fundamental cause is uncovered, as applied in NASA's mishap reviews to identify systemic vulnerabilities beyond immediate symptoms. This method facilitates targeted corrective measures, such as process redesigns, ensuring long-term reliability without relying on superficial fixes.

Applications

Infrastructure and Energy

Safety-critical systems in the infrastructure and energy sectors are essential for maintaining large-scale operations that support societal functions, such as electricity distribution, generation, hydrocarbon transport, and water management. These systems incorporate redundant controls, real-time monitoring, and fault-tolerant designs to prevent catastrophic failures that could lead to widespread outages, environmental damage, or loss of life. In power grids, systems enable centralized monitoring and control of transmission and distribution networks, ensuring operational stability under normal and stressed conditions. A key reliability principle in power grid design is N-1 contingency planning, which mandates that the system must withstand the loss of any single component—such as a or generator—without collapsing into instability or blackout. This criterion is evaluated through extensive simulations to verify load redistribution and voltage stability post-failure. The 2003 Northeast blackout, which affected over 50 million people across eight U.S. states and , , underscored the consequences of inadequate ; it originated from overgrown vegetation contacting high-voltage lines, leading to cascading failures due to insufficient real-time monitoring and communication among operators. Lessons from this event prompted enhancements in vegetation management, automated protective relaying, and situational awareness tools to bolster grid resilience. In nuclear power plants, reactor protection systems form the core of safety instrumentation, designed to automatically shut down the reactor and mitigate accidents in response to abnormal conditions like excessive or . These systems adhere to (IAEA) standards, which emphasize defense-in-depth with multiple independent barriers and diverse actuation mechanisms to avoid common-mode failures. For instance, protection may involve rapid control rod insertion to halt the fission , complemented by emergency coolant injection systems that flood the core to prevent meltdown. Such diversity ensures that no single fault compromises overall safety, as validated through probabilistic risk assessments integrated into plant licensing. For oil and gas operations, pipeline integrity management programs are critical to preventing leaks and ruptures in extensive underground and subsea networks that transport hazardous fluids over thousands of kilometers. systems apply an external electrical current to pipelines, shifting the corrosion reaction away from the metal surface and thereby extending asset life in corrosive soils or seawater environments. Complementing this, computational algorithms analyze pressure, flow, and acoustic data in real-time to identify anomalies, enabling rapid isolation of affected segments. The 2010 disaster illustrated the perils of (BOP) failures; the BOP, intended as a valve on the Macondo well, malfunctioned due to unrecognized drill pipe buckling and inadequate shear ram testing, resulting in an uncontrolled release of over 4 million barrels of oil into the and highlighting the need for rigorous BOP maintenance and testing protocols. Water infrastructure, including dams and reservoirs, relies on supervisory control systems to regulate flood gates and spillways, automating responses to rising water levels during storms to avert downstream flooding. These systems integrate with seismic sensors that detect ground vibrations from earthquakes, triggering immediate gate adjustments or alerts to prevent structural compromise in seismically active regions. For example, in large embankment or concrete gravity dams, such controls ensure controlled release of water volumes, maintaining reservoir levels within safe operational envelopes while monitoring for seepage or deformation that could signal instability. Artificial intelligence systems are increasingly integrated into infrastructure and energy management, such as predictive maintenance in power grids and anomaly detection in SCADA systems, and are classified as safety-critical due to potential infrastructure failures or financial losses from outages. These AI systems follow safety-critical engineering principles, including efforts to achieve deterministic behavior through safety envelopes that constrain responses to predefined safe sets, strict validation of inputs via black-box testing and formal verification, and transitions to safe states using fail-safe mechanisms that revert to non-AI controllers upon detected anomalies. Fail-closed mechanisms ensure that if safe operation conditions are unmet, the system defaults to restricted functionality, mirroring practices in nuclear control systems where AI aids fault detection while maintaining deterministic safety boundaries.

Medical and Healthcare

Safety-critical systems in medical and healthcare encompass devices and technologies designed to monitor, diagnose, and treat patients while minimizing risks of failure that could lead to life-threatening outcomes. These systems, such as implantable cardiac devices and pumps, undergo stringent regulatory oversight, including premarket approval processes, to ensure reliability and . Failures in these systems can result from hardware malfunctions, software errors, or human factors, underscoring the need for robust design, testing, and mechanisms. Implantable devices like pacemakers are classified as FDA Class III medical devices, requiring premarket approval due to their potential to sustain or support life and the risks associated with implantation. These devices incorporate lead integrity alerts, such as Medtronic's RV Lead Integrity Alert (LIA), which monitor for lead fractures by detecting abnormal impedance or noise, thereby extending detection time to reduce inappropriate shocks. Battery life modeling for modern pacemakers targets durations exceeding 10 years, with single-chamber models often lasting 7-12 years and advanced leadless variants projected up to 16 years, achieved through optimized energy algorithms and high-capacity lithium-iodine batteries. Infusion pumps employ dose error reduction software (DERS) to establish programmable limits on infusion rates and volumes, preventing over-infusion errors by alerting users to potential dosing discrepancies during setup. The FDA has approved DERS-integrated systems, such as those from Healthcare, which allow customization of drug libraries to enforce safe parameters and mitigate programming mistakes that could lead to adverse drug events. A historical example of software vulnerabilities in safety-critical medical systems is the machine incidents in 1985-1987, where a in the control software allowed operators to override safety checks, resulting in massive overdoses and at least three patient deaths; this case highlighted the dangers of inadequate in high-stakes environments. Diagnostic systems in healthcare integrate safety features to protect patients and operators from equipment hazards. MRI machines utilize quench protection for their superconducting magnets, which operate at cryogenic temperatures; these systems include pressure relief valves and helium exhaust vents to safely dissipate energy during a quench—a sudden loss of superconductivity that could otherwise release boiling helium vapor, risking asphyxiation or thermal burns. In radiation therapy, linear accelerators incorporate multi-leaf collimators (MLC) with safety interlocks that halt beam delivery if leaf positions deviate from planned configurations or if mechanical faults are detected, ensuring precise tumor targeting while preventing unintended radiation exposure. Telemedicine integrations for real-time patient monitoring rely on safety-critical protocols that include mechanisms to maintain continuity during network disruptions, automatically switching to connections or manual oversight modes to avoid lapses in vital sign tracking. These systems, often used for remote cardiac or chronic , employ redundant data pathways and low-latency alerting to ensure timely interventions, with studies showing improved patient adherence and reduced hospital readmissions when is seamlessly implemented. Artificial intelligence systems in medical diagnostics and treatment planning, such as AI-assisted image analysis for retinal conditions or heartbeat classification, are classified as safety-critical owing to risks of medical injury from misdiagnosis or erroneous dosing. These systems adhere to safety principles including deterministic behavior via safety envelopes that limit AI outputs to verified safe sets, strict input validation through explainable AI and black-box testing, and transitions to safe states using simplex architectures that switch to reference controllers on failure. Fail-closed mechanisms default the system to non-action or human oversight if conditions for safe operation are not met, drawing from practices in medical devices like automated insulin pumps where redundant AI instances ensure reliability.

Transportation Systems

In transportation systems, safety-critical systems are essential for preventing collisions, enforcing operational limits, and ensuring responses in dynamic environments involving ground vehicles and rail networks. These systems integrate sensors, actuators, and communication protocols to mitigate risks from , mechanical failure, or environmental factors, with a primary emphasis on collision avoidance and precise signaling. Ground and demand high-integrity designs due to the high involved, where even brief malfunctions can lead to catastrophic outcomes. In automotive applications, Advanced Driver Assistance Systems (ADAS) such as Automatic Emergency Braking (AEB) exemplify safety-critical implementations governed by , the international standard for in road vehicle electrical and electronic (E/E) systems. ISO 26262 addresses hazards from malfunctioning E/E systems, including those in ADAS, by defining Automotive Safety Integrity Levels (ASIL) from A (lowest ) to D (highest), with AEB often classified as ASIL D due to its potential to prevent life-threatening collisions through rapid sensor-based detection and braking intervention. Similarly, (ESC) employs to maintain vehicle stability during maneuvers, integrating data from inertial measurement units (IMUs), wheel speed sensors, and steering inputs via adaptive Kalman filters to estimate 3D velocity and attitude, thereby reducing skidding risks in up to 35% of potential crashes. These systems rely on hardware reliability design principles in electronic control units (ECUs) to achieve fault-tolerant operation. Railway signaling systems prioritize collision avoidance through automated enforcement mechanisms, as seen in the (ETCS) Level 2, which uses radio-based communication via to transmit movement authorities from the Radio Block Centre (RBC) to onboard units, eliminating lineside signals for continuous supervision. ETCS Level 2 calculates maximum permissible speeds and braking curves in real-time using data, ensuring safe train separation and preventing overspeed incidents with Safety Integrity Level 4 (SIL4) certification. In the United States, (PTC) systems similarly enforce speed limits and protect against derailments by automatically intervening to prevent train-to-train collisions, incursions into work zones, or movements through misaligned switches, as mandated by the Rail Safety Improvement Act of 2008 and fully implemented across 57,536 route miles by 2020. The 1987 King's Cross Underground highlighted ventilation failures in rail infrastructure, where inadequate piston-effect reliance from train movements and airflow reversals (from 1.75 m/s downward to 3.25 m/s upward) exacerbated smoke spread, contributing to 31 fatalities and prompting recommendations for enhanced ventilation controls and fire risk assessments. Traffic management in urban settings incorporates (V2X) communication at smart intersections to bolster safety, enabling real-time alerts for vulnerable road users via vehicle-to- (V2P) and vehicle-to-infrastructure (V2I) exchanges that detect obscured crosswalk users even in low-visibility conditions. V2X systems can prevent up to 79% of intersection-related crashes involving non-impaired drivers by integrating multi-modal data for proactive warnings. Fail-safe designs in braking systems, such as dual-voting actuators, ensure to maintain operation during faults, as in the Double Redundant Electro-Hydraulic Brake (DREHB) system, which uses dual brake control units (BCUs) and hydraulic providers (e.g., Electric Boost and High-Pressure Accumulator) with voting mechanisms to reconfigure in degraded modes, achieving pressure responses of 28.0 MPa/s while adhering to for ASIL D compliance. Dual-winding motors in actuators further support behavior by isolating faults to one channel, reducing risk to 1 Failure In Time (FIT) and enabling emergency braking without full system loss. Artificial intelligence in autonomous vehicles and ADAS, such as deep neural networks for object detection, is deemed safety-critical due to risks of infrastructure failure or collisions leading to harm. Design principles include deterministic behavior enforced by safety envelopes and formal verification to predict outcomes, strict input validation via extensive testing and explainable AI, and transitions to safe states through mechanisms like the simplex architecture that activates backup controllers. Fail-closed approaches restrict AI to non-speculative execution, defaulting to human intervention or halted operation if validation fails, akin to aviation's collision avoidance systems.

Aerospace and Defense

Safety-critical systems in and defense operate under extreme conditions, including high velocities, radiation , and hostile environments, where failures can result in mission loss or catastrophic consequences. These systems incorporate multiple layers of , fault-tolerant designs, and rigorous testing to ensure reliability. In , (FBW) systems replace mechanical linkages with electronic controls, enhancing precision and stability while mitigating . The Boeing 777 employs a triple-redundant primary flight control system, featuring three identical flight control computers that continuously cross-monitor each other to detect and isolate faults, maintaining operational integrity even if one fails. This architecture, combined with triple-redundant actuator control electronics for flight surfaces, achieves a failure probability below 10^{-9} per flight hour, certified under FAA standards. Sensor failures, however, remain a vulnerability; the 2009 crash of Air France Flight 447 highlighted this when ice crystals temporarily blocked the pitot tubes, leading to inconsistent airspeed data, autopilot disconnection, and subsequent pilot disorientation, resulting in the loss of all 228 aboard. The BEA investigation emphasized the need for improved sensor redundancy and crew training for such transient faults. In , must withstand vacuum, thermal extremes, and cosmic radiation, necessitating specialized hardware. The rocket integrates an Autonomous Flight Safety System (AFSS), which uses onboard sensors and algorithms to monitor trajectory in real-time and automatically trigger destruct commands if deviations threaten public safety, eliminating human intervention delays. This system, tested across multiple launches, has enabled over 570 successful missions as of November 2025 while ensuring . Satellites rely on radiation-hardened processors, such as NASA's High-Performance Computing (HPSC) initiative's rad-hard-by-design multicore chips, which incorporate error-correcting codes and to mitigate single-event upsets from , sustaining operations in orbits like where radiation flux can exceed 10^5 particles per cm² per second. Defense applications demand autonomous navigation resilient to jamming and electronic warfare. Missile guidance systems fuse inertial navigation systems (INS) with GPS for precise targeting; for instance, the U.S. uses INS accelerometers and gyroscopes to track acceleration and rotation, periodically updated by to correct drift, achieving accuracies under 10 meters over 1,000 km ranges. In drone swarms, collision avoidance algorithms employ distributed sensing and predictive modeling; military systems like those in U.S. Department of Defense trials use velocity obstacle methods and behaviors inspired by migrations, enabling dozens of UAVs to maintain formation while evading threats, with response times under 100 ms to prevent mid-air collisions. Hypersonic vehicles face exceeding 2,000°C during atmospheric re-entry or sustained flight above Mach 5, requiring advanced thermal protection systems (TPS). NASA's (CMC) TPS, developed for vehicles like the X-43A demonstrator, uses fibers in a matrix to dissipate heat through and insulation, tested in arc-jet facilities simulating re-entry conditions with heat fluxes up to 10 MW/m². These systems, integrated with channels, ensure structural integrity for durations over 600 seconds, supporting missions like reusable hypersonic glide vehicles. Artificial intelligence in aerospace applications, such as AI for UAV collision avoidance or predictive maintenance in avionics, is classified as safety-critical given the potential for catastrophic failures in high-velocity environments. These systems incorporate principles like deterministic behavior through formal verification and safety envelopes, input validation via runtime monitoring and XAI, and safe state transitions using backup systems or kill-switches. Fail-closed mechanisms disable AI functionality and revert to manual or redundant controls if operational conditions fail, reflecting practices in aviation where AI enhances but does not supplant certified safety systems.

References

  1. https://www.sciencedirect.com/topics/computer-science/safety-critical-systems
  2. https://dl.acm.org/doi/10.1145/581339.581406
  3. https://research.cs.queensu.ca/home/cisc853/readings/papers/SafetyCriticalKnight.pdf
  4. https://curatepartners.com/tech-skills-tools-platforms/understanding-safety-critical-systems-ensuring-reliability-and-safety-in-high-stakes-industries/
  5. https://www.mndwrk.com/blog/the-role-of-standards-in-safety-critical-qa-navigating-iso-26262-do-178c-and-iec-62304
  6. https://ieeexplore.ieee.org/document/1007998
  7. https://ntrs.nasa.gov/api/citations/20030065988/downloads/20030065988.pdf
  8. https://ntrs.nasa.gov/api/citations/20220011814/downloads/aegpaper_r2.pdf
  9. https://ntrs.nasa.gov/api/citations/20120003291/downloads/20120003291.pdf
  10. https://dl.acm.org/doi/full/10.1145/3589950
  11. https://ntrs.nasa.gov/api/citations/20050180618/downloads/20050180618.pdf
  12. https://ntrs.nasa.gov/api/citations/20140004053/downloads/20140004053.pdf
  13. https://ieeexplore.ieee.org/document/5572815/
  14. https://www.viperinnovations.com/a-timeline-of-rail-innovation-1800s/
  15. http://www.goolevalve.com/news/news-detail-110.html
  16. https://world-nuclear.org/information-library/safety-and-security/safety-of-plants/safety-of-nuclear-power-reactors
  17. https://www.oecd-nea.org/jointproj/docs/halden/the-halden-project-1958-2008.pdf
  18. https://www.computerweekly.com/feature/Apollo-11-The-computers-that-put-man-on-the-moon
  19. https://www.rtca.org/do-178/
  20. http://sunnyday.mit.edu/papers/therac.pdf
  21. https://cacm.acm.org/opinion/inside-risks-risks-of-y2k/
  22. https://dl.acm.org/doi/10.1145/3489449.3490014
  23. https://www.dhs.gov/archive/science-and-technology/news/2017/03/20/securing-critical-infrastructure-21st-century
  24. https://www.cftc.gov/sites/default/files/idc/groups/public/%40economicanalysis/documents/file/oce_flashcrash0314.pdf
  25. https://www.sciencedirect.com/topics/engineering/common-mode-failure
  26. https://swehb.nasa.gov/display/SWEHBVC/8.05%2B-%2BSW%2BFailure%2BModes%2Band%2BEffects%2BAnalysis
  27. https://www.sciencedirect.com/topics/engineering/electromagnetic-interference
  28. https://www.hse.gov.uk/humanfactors/topics/humanfail.htm
  29. https://asq.org/quality-resources/fmea
  30. https://www.apisnorthamerica.com/fta-vs-fmea-understanding-key-differences-and-applications/
  31. https://www.exida.com/blog/back-to-basics-16-pfdavg
  32. https://webstore.iec.ch/en/publication/24321
  33. https://ntrs.nasa.gov/api/citations/20120001369/downloads/20120001369.pdf
  34. https://www.aiche.org/resources/publications/books/layer-protection-analysis-simplified-process-risk-assessment
  35. https://www.nrc.gov/docs/ML0712/ML071210299.pdf
  36. https://efunctionalsafety.com/what-is-mtbf-in-relation-to-sil/
  37. https://www.nature.com/articles/s41598-023-41363-3
  38. https://www.sciencedirect.com/topics/computer-science/hardware-redundancy
  39. https://www.sciencedirect.com/topics/computer-science/built-in-test
  40. https://ieeexplore.ieee.org/document/8326900/
  41. https://zoo.cs.yale.edu/classes/cs323/doc/Hamming.pdf
  42. https://ntrs.nasa.gov/api/citations/20070018806/downloads/20070018806.pdf
  43. https://www.atec.army.mil/publications/Mil-Std-810G/Mil-Std-810G.pdf
  44. https://www.emerson.com/documents/automation/technical-white-paper-safety-integrity-level-sil-en-71898.pdf
  45. https://criticalsystemslabs.com/wp-content/uploads/2025/09/Closing-the-Gap-Between-IEC-61511-an-d-AI-Copyright_merged.pdf
  46. https://dspace.mit.edu/bitstream/handle/1721.1/152996/3617694.3623224.pdf?sequence=1&isAllowed=y
  47. https://www.safer-ai.org/u/2025/10/65f83deba01586303ce5adae_How-Can-Nuclear-Safety-Inform-AI-Risk-Management.pdf
  48. https://assets.iec.ch/public/acos/IEC%252061508%2520&%2520Functional%2520Safety-2022.pdf?2023040501
  49. https://www.byhon.it/a-brief-introduction-to-iso-26262/
  50. https://www.iso.org/standard/68391.html
  51. https://www.iso.org/standard/63879.html
  52. https://lfhregulatory.co.uk/iec-62304-update-2026/
  53. https://standards.cencenelec.eu/dyn/www/f?p=CENLEC:105::RESET::::
  54. https://www.systerel.fr/en/news/towards-the-future-of-railway-software-operational-safety-with-cenelec-en-50716-standard/
  55. https://www.faa.gov/aircraft/air_cert/airworthiness_certification
  56. https://www.faa.gov/about/office_org/headquarters_offices/ang/redac/redac-sas-201503-gsn-community-standard-v1.pdf
  57. https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/overview-device-regulation
  58. https://visuresolutions.com/alm-guide/software-development-process-for-safety-critical-systems/
  59. https://osha.europa.eu/en/legislation/directive/regulation-20231230eu-machinery
  60. https://single-market-economy.ec.europa.eu/single-market/goods/european-standards/harmonised-standards/machinery-md_en
  61. https://llis.nasa.gov/lesson/849
  62. https://llis.nasa.gov/lesson/738
  63. https://ieeexplore.ieee.org/document/9540709
  64. https://dbmteam.com/media/c23gzoe1/nasa-root-cause-analysis.pdf
  65. http://publish.illinois.edu/science-of-security-lablet/files/2014/06/Semantic-Security-Analysis-of-SCADA-Networks-to-Detect-Malicious-Control-Commands-in-Power-Grids.pdf
  66. https://home.engineering.iastate.edu/~jdm/WebJournalPapers/TopoChenFinal.pdf
  67. https://www.nerc.com/globalassets/our-work/reports/event-reports/august_2003_blackout_final_report.pdf
  68. https://www-pub.iaea.org/MTCD/Publications/PDF/Pub1715web-46541668.pdf
  69. https://www.woodwayenergy.com/pipeline-integrity-management-corrosion-detection-prevention/
  70. https://www.slb.com/products-and-services/innovating-in-oil-and-gas/well-production/midstream/pipeline-integrity/pipeline-integrity-monitoring-and-leak-detection
  71. https://www.csb.gov/assets/1/20/appendix_2_a__deepwater_horizon_blowout_preventer_failure_analysis1.pdf
  72. https://www.publications.usace.army.mil/portals/76/publications/engineermanuals/em_1110-2-3600.pdf
  73. https://www.encardio.com/blog/key-factors-that-are-supervised-under-dam-monitoring
  74. https://ieeexplore.ieee.org/document/9984982
  75. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?ID=NKE
  76. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPCD/classification.cfm?ID=DXY
  77. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpcd/classification.cfm?id=DXY
  78. https://www.medtronicacademy.com/features/rv-lead-integrity-alert-lia-feature
  79. https://pmc.ncbi.nlm.nih.gov/articles/PMC6931941/
  80. https://www.accessdata.fda.gov/cdrh_docs/pdf23/K230665.pdf
  81. https://radiologybusiness.com/topics/medical-imaging/diagnostic-imaging/fda-approves-iv-infusion-pump-system-dose-error-reduction-software
  82. https://www.cs.columbia.edu/~junfeng/08fa-e6998/sched/readings/therac25.pdf
  83. https://radiology.ucsf.edu/patient-care/patient-safety/mri/quench
  84. https://www.pondiot.com/blog/internet-failover-a-lifeline-for-healthcare-facilities
  85. https://pmc.ncbi.nlm.nih.gov/articles/PMC11258279/
  86. https://censinet.com/perspectives/safety-critical-ai-lessons-aviation-machine-learning
  87. https://www.iso.org/standard/43464.html
  88. https://dewesoft.com/blog/adas-standards-and-adas-safety-protocols
  89. https://www.sciencedirect.com/science/article/abs/pii/S096706612030068X
  90. https://www.ertms.net/wp-content/uploads/2024/03/ERTMSETCS-Levels-Updated-2024-Edition.pdf
  91. https://railroads.dot.gov/research-development/program-areas/train-control/ptc/positive-train-control-ptc
  92. https://www.theisrm.org/documents/Fennel%20(1988)%20Investigation%20Into%20the%20Kings%20Cross%20Fire.pdf
  93. https://miovision.com/blog/how-v2x-improves-road-safety/
  94. https://www.mdpi.com/2076-0825/10/11/287
  95. https://www.ti.com/lit/pdf/slyy183
  96. https://arxiv.org/abs/2405.06624
  97. https://ieeexplore.ieee.org/document/495891/
  98. https://www.faa.gov/sites/faa.gov/files/AirFrance447_BEA.pdf
  99. https://www.floridatoday.com/story/tech/science/space/2017/03/11/spacex-autonomous-flight-safety-system-afss-kennedy-space-center-florida-falcon9-rocket-air-force-military/98539952/
  100. https://etd.gsfc.nasa.gov/our-work/hpsc-transforming-spaceflight-computing-with-radiation-hardened-multicore-technology/
  101. https://apps.dtic.mil/sti/tr/pdf/ADP010954.pdf
  102. https://pmc.ncbi.nlm.nih.gov/articles/PMC11858889/
  103. https://ntrs.nasa.gov/api/citations/20080017096/downloads/20080017096.pdf
Add your contribution
Related Hubs
User Avatar
No comments yet.