Re: [SystemSafety] Agile methods

From: Nancy Leveson < >
Date: Tue, 3 Sep 2013 08:21:24 -0400

Aha, defense. Well, my company was hired to do a non-advocate safety assessment of the U.S. Missile Defense system about ten years ago, just before the system was to be deployed and field tested. Two people used STPA on it for the hazard of inadvertent launch. Some of the companies had used Agile and related methods on their software. We found it very difficult to do a hazard analysis as the requirements were so poor. We found lots of problems, including missing cases in the software that could lead to the hazard.


On Tue, Sep 3, 2013 at 8:12 AM, René Senden <rene.senden_at_xxxxxx

> Hello Peter,
> I appreciate all contributions/replies, but of course I am particularly
> interested in those that actually address the initiating question..and
> indeed some members of this
> list addressed practical industrial experience, most of which however
> contacted me offline for that, this is after all a tough crowd at times…
> Perhaps we have different
> views on practical experience…or perhaps my wording of the question is a
> little short of perfection.. I kept my initial question somewhat general
> because I also have to
> consider things like it goes without saying that I
> assume we all have similar restrictions… the sector at hand is defence, so
> not medical..
> My latest contribution, as a response to Myriam, indeed concludes with an
> additional question… I am not hoping for any particular outcome, I don’t
> know how you got that impression…
> Personally I am very skeptical about agile methods in this context..that
> being said.. we can’t always choose the questions we are faced with…
> Rene
> From: Peter Bernard Ladkin [mailto:ladkin_at_xxxxxx
> Sent: Tuesday 3 September 2013 6:55
> To: René Senden
> Cc: M Mencke; systemsafety_at_xxxxxx
> Subject: Re: [SystemSafety] Agile methods
> On 2 Sep 2013, at 17:32, René Senden <rene.senden_at_xxxxxx
> > .... I tacitly assumed that anyone who’d answer this question with “Yes”,
> > would also include some
> > of the corresponding experiences …
> I think some of the initial replies that you didn't like did include
> experience. Nancy's and Martyn's for example. If you want anecdotes, that
> is hoping for a bit much, since many of us work under constraints of
> commercial confidence and sometimes legal privilege, *especially* when
> dealing with systems which have safety-related function.
> Since you said (I paraphrase) "...such as IEC 61508 and DO 178" I presume
> that neither of these explicitly apply to the concrete case you have in
> mind, otherwise you would have specified. I conclude that you are talking
> about SW development in the medical-device domain. Indeed, there are
> organisations working in this area who use "agile" development for products
> with safety-related functionality.
> There is a reason for such a cultural difference. For example, accidents
> are earnestly and independently investigated, with considerable effort, in
> commercial aviation, and safety issues identified are required to be fixed.
> There was an accident twenty years ago on approach to Strasbourg airport in
> which the investigators pointed out that the approach profile was
> consistent with a choice of rate of descent rather than angle of descent in
> the AP settings, and that the difference between the two on the annunciator
> was not particularly striking. It got fixed. Whereas there are critical
> medical devices coming on the market "new" in which quantity is expressed
> on the display as a number, and to see the units requires a different
> manipulation of the controls, which, as is well known, personnel do not
> always have the time, inclination or motivation to check. Accidents and
> incidents caused by medical personnel commanding right numbers with wrong
> units, and not checking the units, were rife twenty years ago and are still
> rife today, many or even most of them not documented. Apparently it is
> deemed OK for this situation to continue. One concludes that the
> technical-correction regime in the use of medical devices is not as
> rigorous as it is in commercial aviation.
> Is it (at all) possible to harmonize these very different worlds, or would
> any such
> attempt result in compromising either?
> Looking through the thread, most of the replies answer that question
> clearly. Maybe that was not the answer you had hoped for?
> Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx >

Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson_at_xxxxxx

Received on Tue Sep 03 2013 - 14:21:20 CEST