Re: [SystemSafety] Safety Cases

From: Peter Bernard Ladkin < >
Date: Tue, 11 Feb 2014 13:26:06 +0100


Michael,

that sounds a lot like how one starts an Ontological Hazard Analysis. There is, though, a difference, as I see it, as follows.

For example, when expressing the safety requirement of a level crossing (grade crossing), one doesn't need to express any general functional requirement of a train, or a road vehicle, except that they occupy space. The safety requirement is then that the space that each occupies must be disjoint. You don't even need to say, at this level, that a car moves, or a train moves. But surely something about enabling movement must be in, or derivable from, the general functional requirements of either.

PBL On 2014-02-11 11:32 , Michael Jackson wrote:
> A system has an intended functional behaviour satisfying a set of 'positive' requirements: "When I
> press the footbrake the car slows down," and "When the current flow is excessive the circuit breaker
> trips." These are positive, just like "When I turn the steering wheel the car turns" and "When the
> ignition switch is turned on the motor starts." There is some (quite large) set of events, states,
> etc embodying this behaviour: let's call it the alphabet of the functional design. When the car is
> properly designed, maintained, and operated, it 'goes right' in the sense that an observer who
> observes only elements of the alphabet will see that the functional behaviour is as intended.
>
> The first kind of safety concern arises directly from some failure to exhibit the intended
> functional behaviour: "I pressed the brake but the car didn't slow down (so I ran into the car
> ahead)." "The current flow exceeded the threshold but the circuit breaker didn't trip (so the cable
> caught fire)." These safety concerns arise when "something goes wrong": what goes wrong (but not, in
> general the resulting mishap) is fully expressible in the functional design alphabet. If a serious
> accident results the investigators determine what should have "gone right" but in fact "went
> wrong". Knowing "What constitutes going right" allows them to examine what "went wrong" and identify
> the causes.
>
> The second kind of safety concern arises from circumstances expressible only in a larger alphabet.
> The road collapses in front of the car; a tree falls on the car; the car is rammed from behind and
> the fuel tank explodes; the exhaust system is damaged by impact of a flyng stone and poisonous fumes
> leak into the cabin; a child left alone in the car contrives to start it and cause a crash. The
> alphabet of such imaginable dangers is unbounded: the hazards cannot be identified by examining the
> causal links on which the intended functional behaviour relies.

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Tue Feb 11 2014 - 13:26:18 CET

This archive was generated by hypermail 2.3.0 : Thu Apr 25 2019 - 17:17:06 CEST