[SystemSafety] Fwd: Critical Design Checklist

From: Nancy Leveson < >
Date: Tue, 27 Aug 2013 13:10:44 -0400

Kevin, safety does not start with design. It starts with hazard analysis. Then you make specific design decisions with respect to the hazard causes you have identified in your hazard analysis. I don't understand how you can start with the design and just look at that. Every major accident had different specific design flaws -- in thirty years of investigating hundreds of accidents, I have rarely seen them repeated.

In addition, it sounds like you are equating safety and reliability. As no realistically complex and large software has ever been found to be fault-free in its lifetime, a more realistic goal is to make it safe by starting with hazard analysis (as NASA has done since its first safety program was initiated by Jerome Lederer in 1968).

Nancy

On Mon, Aug 26, 2013 at 4:37 PM, Driscoll, Kevin R < kevin.driscoll_at_xxxxxx

> For NASA, we are creating a Critical Design Checklist:
>
> • Objective
>
>   - A checklist for designers to help them determine if a
>     safety-critical design has met its safety requirements
>
>   - Not a “Have you done ...” checklist
>
>     · Too easy to just check “yes” without doing sufficient work
>
>     · Instead, “What have you done ...”
>
>     · Prove what you have done is sufficient
>
> • We are looking for inputs to include in this checklist
>
> • Do you have any inputs that should be included?
>
>   - Meta-question: “If you were asked to participate in a design
>     review of a safety-critical design, what questions would you ask?”
>     (Particularly, general questions you would have before seeing the details
>     of a design.)
>
>   - Inverse meta-question: “If you were presenting a design, what
>     questions would you dread being asked?” :-}
>
>     · Where are the bodies buried?
>
> We are finishing the Checklist by next week and would like to include any
> good questions you may have that we have overlooked. Realizing this is an
> imposition on your time, I am hoping some of you would be so kind as to
> spend just a few minutes to send questions or even question fragments.
>
> --
>
> P.S.
>
> I am also looking for unusual failure scenarios to add to my collection,
> like those I’ve described in my series of “Murphy was an Optimist”
> presentations (e.g.
> http://www.rvs.uni-bielefeld.de/publications/DriscollMurphyv19.pdf).
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx
>

-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson_at_xxxxxx
URL: http://sunnyday.mit.edu

Received on Tue Aug 27 2013 - 19:10:55 CEST

This archive was generated by hypermail 2.3.0 : Sat Feb 16 2019 - 08:17:06 CET