Re: [SystemSafety] Fwd: Measurement + Control

From: Martyn Thomas < >
Date: Sun, 15 Dec 2013 19:02:07 +0000

I agree with Nancy, of course, that safety engineering is a whole-life activity, not "after the fact or independently".

However, the regulators that I have experienced do need, expect and require a structured explanation of why the "packaged up" evidence from the safety engineering amounts to credible evidence that the certification requirements for safety have been met.

I'm comfortable with that structured explanation being called a "safety argument" or "safety case", and in my opinion such arguments are very much part of safety engineering.


On 15/12/2013 18:35, Nancy Leveson wrote:
> I am getting increasingly frustrated by a prevalent attitude that the
> goal of safety engineering is to prove that a design is safe. I am not
> picking on Drew -- he is bringing up a good point. But it emphasizes
> the absurdity of the approach if safety is being "outsourced."
> The goal of safety engineering is to design safe systems. It is not
> to, after-the-fact or independently, try to show that a system is
> safe. At best, the latter goals are simply add-ons to the primary
> goal, i.e., a final step that is used simply to ensure that what was
> done before is approved. If safety engineering is done correctly,
> i.e., the hazard analysis and safety engineering steps have been
> accomplished by the engineers as they are designing the system and
> making design decisions, then the after-the-fact preparation of the
> case for the regulators is simple and consists of simply packaging up
> what was done during development.
> Engineering is not about making "arguments."
> Nancy

The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Sun Dec 15 2013 - 20:02:18 CET
