At 10:49 03/03/2014, GRAZEBROOK, Alvery N wrote:
>Peter:
>
> > I think Patrick Graydon's point is that in any system
> > involving the physical world (including human behaviour)
> > there are inescapable concerns that lie beyond the reach
> > of mathematical and logical reasoning and demand tests
> > and experiments for their investigation. For these concerns
> > testing can show the presence of error but not its absence:
> > infinite testing is not an option. Accepting this point we
> > must at some stage decide that no more testing is
> > practicable, and that the system is now to be put into
> > operation.
>
> > It is uncomfortable to characterise this decision as
> > 'try-it-and-see' but it is correct in principle.
>
>A safety assessment is always more than the logical correctness of
>its control elements. Understanding the physics of the environment,
>and the human factors aspects, and common-cause failures (e.g.
>effects of damage) are always part of the story.
>
>Recently, this forum has discussed the limitations and value of
>applying logically rigorous techniques to the implementation of the
>control / measurement systems. Patrick Graydon and Michael Jackson
>are taking the discussion on to the system behaviour applied to the
>wider physical world.
>
>This branch of the discussion appears to be confusing the two areas
>of practice. Of course you need to apply an empirical (experimental)
>approach to understanding the physics of the environment and the
>human factors aspects. In a manner that is kind-of parallel to the
>scientific method, the Civil Aerospace sector captures aspects of
>this empirical research through accident investigations, and
>ultimately into the Certification Standard CS-25.
>
>An example of this is the Heathrow 777 incident. The authorities and
>airframe manufacturers have collaborated to improve our
>understanding of ice accretion following the Heathrow 777 incident
>where the aircraft lost fuel supply to both engines on final
>approach. Icing and the release of ice in the engine feed lines was
>almost certainly a cause.
>
>Having followed Patrick Graydon's logic, I see a value in using
>software during the process of empirical discovery. During this
>phase you manage safety in various ways, not necessarily by applying
>high assurance standards to the experimental software. When you
>understand the demands this places on the control-system adequately,
>you then decide to implement a safety-critical controller for
>production use. I would still recommend use of strong software
>development practices, and consider the value you can get from
>applying formal specification and formal analysis to this part of the work.
>
>Cheers,
> Alvery
>** the opinions expressed here are my own, not necessarily those of
>my employer.
>
>This email (including any attachments) may contain confidential
>and/or privileged information or information otherwise protected
>from disclosure. If you are not the intended recipient please notify
>the sender immediately and delete this email and any attachments
>from your system. Do not copy this email or any attachments and do
>not use it for any purpose or disclose its content to any
>person. Airbus Operations Limited disclaims all liability if this
>email transmission has been corrupted by virus, altered or falsified.
>
>Airbus Operations Limited, a company registered in England and
>Wales, with registration number 3468788. Registered
>office: Pegasus House, Aerospace Avenue, Filton, Bristol, BS99 7AR, UK.
>
>_______________________________________________
>The System Safety Mailing List
>systemsafety_at_xxxxxx
Received on Mon Mar 03 2014 - 14:39:41 CET
This archive was generated by hypermail 2.3.0 : Sun Feb 17 2019 - 17:17:06 CET