Re: [SystemSafety] Analyzing far behind the Intended Use

From: Haim Kuper
Date: Wed, 30 Dec 2015 18:05:58 +0200


Thanks a lot.  

System-A and System-X are the same: X is a typo.  

kuper

From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx] Martyn Thomas
Sent: Wednesday, December 30, 2015 12:38 PM
To: systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] Analyzing far behind the Intended Use

Are System-A and System-X different systems?

On the general point - it is common for operators to use systems outside their intended use. People have been killed because they balanced an electric fire on the side of their bath, or used their powered grass-mower to trim their hedges. Car owners modify their engine management systems to get better performance. People even use MS Windows in safety-critical applications, despite the EULA.

What should the manufacturer do?

Firstly, be explicit about the permitted limits of use within which the product is warranted or certified to be safe. Secondly, be explicit about the critical risks if the product is used outside these limits - and state clearly that the warranty and any safety certification is invalidated by such use. Thirdly, where a particular and dangerous misuse is foreseeable, design the product so that it prevents or detects such misuse and fails safely. These are common strategies that have been used by many product manufacturers for years; computer system manufacturers can be expected to adopt similar policies.

Martyn

On 30/12/2015 02:12, Haim Kuper wrote:

Hello everyone,  

What is your opinion regarding the following situation:

The customer defines System-A to be used as "Advisory only". This fact defines what we call the "Intended Use" of the system.

This Intended Use is the basis of the System-A safety analysis, resulting in a few hazards marked with CRITICAL severity.

The operator of System-X is quite clever to use the system FAR BEHIND the Intended Use.

If you analyze this "Extra-usage", you find hazards typed as CATASTROPHIC severity, and the mitigation of those hazards is quite expensive.

We do wish to protect the operator activities. However, the customer will not pay the price of FAR BEHIND the Intended Use mitigation.

How will you act under those constraints?

Thanks,

Kuper  



The System Safety Mailing List
systemsafety_at_xxxxxx  

Received on Wed Dec 30 2015 - 17:06:54 CET

This archive was generated by hypermail 2.3.0 : Mon Feb 18 2019 - 11:17:07 CET