Re: [SystemSafety] Static Analysis

From: GRAZEBROOK, Alvery N < >
Date: Mon, 3 Mar 2014 11:49:15 +0100


> I think Patrick Graydon's point is that in any system
> involving the physical world (including human behaviour)
> there are inescapable concerns that lie beyond the reach
> of mathematical and logical reasoning and demand tests
> and experiments for their investigation. For these concerns
> testing can show the presence of error but not its absence:
> infinite testing is not an option. Accepting this point we
> must at some stage decide that no more testing is
> practicable, and that the system is now to be put into
> operation.

> It is uncomfortable to characterise this decision as
> 'try-it-and-see' but it is correct in principle.

A safety assessment is always more than the logical correctness of its control elements. Understanding the physics of the environment, and the human factors aspects, and common-cause failures (e.g. effects of damage) are always part of the story.

Recently, this forum has discussed the limitations and value of applying logically rigorous techniques to the implementation of the control / measurement systems. Patric Graydon and Michael Jackson are taking the discussion on to the system behaviour applied to the wider physical world.

This branch of the discussion appears to be confusing the two areas of practice. Of course you need to apply an empirical (experimental) approach to understanding the physics of the environment and the human factors aspects. In a manner that is kind-of parallel to the scientific method, the Civil Aerospace sector captures aspects of this empirical research through accident investigations, and ultimately into the Certification Standard CS-25.

An example of this is the Heathrow 777 incident. The authorities and airframe manufacturers have collaborated to improve our understanding of ice accretion following the Heathrow 777 incident where the aircraft lost fuel supply to both engines on final approach. Icing and the release of ice in the engine feed lines was almost certainly a cause.

Having followed Patrick Graydon's logic, I see a value in using software during the process of empirical discovery. During this phase you manage safety in various ways, not necessarily by applying high assurance standards to the experimental software. When you understand the demands this places on the control-system adequately, you then decide to implement a safety-critical controller for production use. I would still recommend use of strong software development practices, and consider the value you can get from applying formal specification and formal analysis to this part of the work.


** the opinions expressed here are my own, not necessarily those of my employer.

This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient please notify the sender immediately and delete this email and any attachments from your system. Do not copy this email or any attachments and do not use it for any purpose or disclose its content to any person. Airbus Operations Limited disclaims all liability if this email transmission has been corrupted by virus, altered or falsified.

Airbus Operations Limited, a company registered in England and Wales, with registration number 3468788. Registered office: Pegasus House, Aerospace Avenue, Filton, Bristol, BS99 7AR, UK.

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Mar 03 2014 - 11:49:31 CET

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST