[SystemSafety] Safety Cases

From: Martyn Thomas < >
Date: Fri, 07 Feb 2014 11:16:02 +0000


In the National Academies / CSTB Report /Software for Dependable Systems: Sufficient Evidence?/
(http://sites.nationalacademies.org/cstb/CompletedProjects/CSTB_042247) we said that every claim about the properties of a software-based system that made it dependable in its intended application should be stated unambiguously, and that every such claim should be shown to be true through scientifically valid evidence that was made available for expert review.

It seems to me that this was a reasonable position, but I recognise that it is a position that cannot be adopted by anyone whose livelihood depends on making claims for which thay have insufficient evidence (or for which no scientifically valid evidence /could/ be provided). Unfortunately, much of the safety-related systems industry is in this position (and the same is true, /mutatis mutandis/, for security).

It seems to me that some important questions about dependability are these:

1 What properties does the system need to have in order for it to be adequately dependable for its intended use? (and how do you know that these properties will be adequate?)
2 What evidence would be adequate to show that it had these properties? 3 It it practical to aquire that evidence and, if not, what is the strongest related property for which it would be practical to provide strong evidence that the property was true? 4 What are we going to do about the gap between 1 and 3?

The usual answer to 4 is "rely on having followed best practice, as described in Standard XYZ". That's an understandable position to take, for practical reasons, but I suggest that professional ingegrity requires that the (customer, regulator or other stakeholder) should be shown the chain of reasoning 1-4 (and the evidence for all the required properties for which strong evidence can be provided) and asked to acknowledge that this is good enough for their purposes.

I don't care what you choose to call the document in which this information is given, so long as you don't cause confusion by overloading some name that the industry is using for something else.

I might refer to the answers to question 1 as a "goal", if I were trying to be provocative.

Martyn



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Fri Feb 07 2014 - 12:16:17 CET

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST