Information System Hazard Analysis by Fieran Mason-Blakley B.Sc
Information System Hazard Analysis

by

Fieran Mason-Blakley
B.Sc., University of Victoria, 2003
M.Sc., University of Victoria, 2011

A Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of

DOCTOR OF PHILOSOPHY

in the Department of Computer Science

© Fieran Mason-Blakley, 2017
University of Victoria

All rights reserved. This dissertation may not be reproduced in whole or in part, by photocopying or other means, without the permission of the author.

Supervisory Committee

Dr. Jens Weber, Supervisor (Department of Computer Science)
Dr. Morgan Price, Co-Supervisor (Department of Computer Science)
Dr. Abdul Roudsari, Outside Member (School of Health Information Science)

ABSTRACT

We present Information System Hazard Analysis (ISHA), a novel systemic hazard analysis technique focused on Clinical Information Systems (CISs). The method is a synthesis of ideas from United States Department of Defense Standard Practice System Safety (MIL-STD-882E), System Theoretic Accidents Models and Processes (STAMP) and Functional Resonance Analysis Method (FRAM). The method was constructed to fill gaps in extant methods for hazard analysis and the specific needs of CIS. The requirements for the method were sourced from existing literature and from our experience in analysis of CIS related accidents and near misses, as well as prospective analysis of these systems. The method provides a series of iterative steps which are followed to complete the analysis. These steps include modelling phases that are based on a combination of STAMP and FRAM concepts. The method also prescribes the use of triangulation of hazard identification techniques which identify the effects of component and process failures, as well as failures of the System Under Investigation (SUI) to satisfy its safety requirements. Further to this new method, we also contribute a novel hazard analysis model for CIS as well as a safety factor taxonomy. These two artifacts can be used to support execution of the ISHA method. We verified the method composition against the identified requirements by inspection. We validated the method's feasibility through a number of case studies. Our experience with the method, informed by extant safety literature, indicates that the method should be generalizable to information systems outside of the clinical domain with modification of the team selection phase.

Contents

Supervisory Committee  ii
Abstract  iii
Table of Contents  v
List of Tables  xi
List of Figures  xvi
Acknowledgements  xxi
Dedication  xxii

1 Introduction  1
  1.1 Motivation  1
  1.2 Terminology  2
  1.3 Existing Techniques and Methods  4
    1.3.1 Traditional Methods  4
    1.3.2 Systemic Methods  4
  1.4 Limitations of Existing Approaches  6
    1.4.1 Limitations of Traditional Techniques  6
    1.4.2 Limitations of Systemic Methods  8
    1.4.3 Need for Clinical Information System Hazard Analysis  8
  1.5 Problem Definition  8
  1.6 Research Goals  9
  1.7 Research Methods  9
  1.8 Contributions  10
    1.8.1 Information System Hazard Analysis  10
  1.9 Evaluation  11
    1.9.1 Information System Hazard Analysis  11
  1.10 Organization of Dissertation  12

2 Background  13
  2.1 What is an Assurance Case?  13
  2.2 Why do We Need Assurance Cases?  14
  2.3 What do Assurance Cases Look Like?  15
    2.3.1 How Can We Express Assurance Cases?  15
  2.4 Identifying Claims  19
  2.5 Generating Evidence  19
    2.5.1 Hazard Analysis  19
    2.5.2 Traditional Methods  20
    2.5.3 Tree Base Techniques  20
    2.5.4 Methodologies for Dynamic Systems  21
    2.5.5 Qualitative Methodologies  21
    2.5.6 Systemic Hazard Analysis  22
  2.6 Creating an Argument  29
    2.6.1 Lightweight Assurance Case Assembly  29
    2.6.2 Assurance Case Patterns  31

3 Information System Hazard Analysis  33
  3.1 Select Team  35
    3.1.1 Running Example  39
  3.2 Source the Concept of Operations  40
    3.2.1 Running Example  40
  3.3 Source Requirements  40
    3.3.1 Running Example  41
  3.4 Source System Model  44
    3.4.1 Running Example  44
  3.5 Preliminary Hazard List  47
    3.5.1 Identification/Construction of a Base Preliminary Hazard List  47
    3.5.2 Hazard Descriptions  53
    3.5.3 Hazard Checklist  61
    3.5.4 Hazard Mapping  62
  3.6 Preliminary Hazard Analysis  63
    3.6.1 Preliminary Prioritization of Hazards  66
    3.6.2 Construction of the Universal Triangulation Model  66
    3.6.3 Safety Constraint Enforcement Mechanism Modelling  75
    3.6.4 Hazard Mapping  76
    3.6.5 Risk Assessment Codes  77
    3.6.6 Final Hazard Prioritization  84
  3.7 Event Chain Analysis  85
    3.7.1 Running Example  85
  3.8 Component Fault Analysis  86
  3.9 Process Fault Analysis  87
  3.10 Hazard Triangulation  87
  3.11 Assurance Case Construction  88
    3.11.1 Safety Goals  88
    3.11.2 Construct the Argument  89
    3.11.3 Evidence Extraction  92
    3.11.4 Defeaters  92
    3.11.5 Running Example  93
  3.12 Generate Recommendations  93
  3.13 Repeat  95

4 Information System Hazard Analysis:  96
  4.1 Select Team  97
  4.2 Source Concept of Operations  97
  4.3 Source Requirements  98
  4.4 Source Model  99
  4.5 Preliminary Hazard List  99
    4.5.1 Hazard Checklist  104
    4.5.2 Hazard Mapping  104
    4.5.3 Preliminary Hazard Analysis  104
  4.6 Event Chain Analysis  109
  4.7 Component Fault Analysis  110
  4.8 Process Fault Analysis  116
  4.9 Hazard Triangulation  116
    4.9.1 Running Example  119
  4.10 Assurance Case Construction  122
  4.11 Generate Recommendations  128

5 A Formal Information Model for ISHA  135
  5.1 Functional Requirements  136
  5.2 Hazard Metamodel Model  138
    5.2.1 Structured Assurance Case Base Classes  139
    5.2.2 Structured Assurance Case Terminology Classes  139
    5.2.3 Argumentation Metamodel  141
    5.2.4 Artefact Metamodel  141
    5.2.5 Hazard Metamodel  141
    5.2.6 System Structure Metamodel  142
    5.2.7 Risk Metamodel  142
  5.3 Universal Triangulation Model Patterns  142
    5.3.1 Pattern Description Template  142
    5.3.2 Patterns  143
  5.4 Summary  162

6 Evaluation  163
  6.1 Validation of Method Requirements  163
    6.1.1 Systemic Basis  164
    6.1.2 Validated Systems Safety Process Basis  167
    6.1.3 Clinical Information System Specialization  170
  6.2 Verification of Method Requirements  172
    6.2.1 Systemic Basis  173
    6.2.2 Validated Systems Safety Process  175
    6.2.3 Clinical Information System Specialization  177

7 Discussion  179
  7.1 Strengths and Weaknesses  179
  7.2 The Strength of Requirements  180
  7.3 The Evolution of the Environment  181
  7.4 Scoping Breadth and Granularity  181
  7.5 Risk and Incomplete Data  182
  7.6 Completeness  182
  7.7 Prioritization  182

8 Conclusions and Future Work  185
  8.1 Contributions  185
    8.1.1 Information System Hazard Analysis  185
    8.1.2 Application Supports  187
    8.1.3 Case Studies  188
    8.1.4 Systematic Review  188
  8.2 Future Work ...