Re: [SystemSafety] Analyzing far behind the Intended Use

From: Nick Tudor < >
Date: Thu, 31 Dec 2015 08:37:14 +0000


Hi Drew

The assertion you make re foreseeable misuse is interesting. I was involved in a couple of aerospace projects where one box was DAL C (head down) and another was DAL D (head up - in fact, helmet mounted), both of which displayed information that could easily lead to an accident if incorrect, e.g. heading. The mitigation against other DAL A head down systems was accepted by the customer, even though it was well known operationally that the DAL C/D boxes were often used as sole source. The rationale behind this agreement was based on a number of factors, with cost/technology availability being the 2 main ones. Should anything go wrong operationally, I wonder how this agreement might stack up.

On Thursday, 31 December 2015, DREW Rae <d.rae_at_xxxxxx

> Martyn has clearly covered the main three requirements:
> - be clear about the intended use
> - be clear about the behaviour (including hazards) on the edges and
> beyond the intended use
> - mitigate reasonably foreseeable "misuse"
>
> I am not a lawyer, and I am not your lawyer, but in most jurisdictions
> simply warning a customer that they are misusing the product does not
> discharge the obligations of the designer, and nor should it. The
> engineering duty of care is to the potential victims, not to the middleman.
> Failure of the designer and the customer to agree on a safe _complete_
> system design, including both physical and operational aspects of the
> system, is a safety management problem - difficult relationships between
> suppliers and customers can explain the problem, but as a designer there's
> no easy way to make it someone else's problem.
>
> In addition, using an "advisory only" system as more than advisory only is
> definitely a reasonably foreseeable misuse. Arguably it should be assumed
> that advisory only systems will come to be relied on, and simply saying
> that they shouldn't be is inadequate hazard management for the designers.
> There's a York thesis "Reliant on the Compliant" that goes into this in
> some depth for aviation advisory systems. I don't recall the author, but
> maybe one of the York people on the list could provide you with a copy.
>
> My safety podcast: disastercast.co.uk
> My mobile (from October 6th): 0450 161 361
>
> On 30 December 2015 at 20:37, Martyn Thomas <martyn_at_xxxxxx>
>> Are System-A and System-X different systems?
>>
>> On the general point - it is common for operators to use systems outside
>> their intended use. People have been killed because they balanced an
>> electric fire on the side of their bath, or used their powered grass-mower
>> to trim their hedges. Car owners modify their engine management systems to
>> get better performance. People even use MS Windows in safety-critical
>> applications, despite the EULA.
>>
>> What should the manufacturer do?
>>
>> Firstly, be explicit about the permitted limits of use within which the
>> product is warranted or certified to be safe. Secondly, be explicit about
>> the critical risks if the product is used outside these limits - and state
>> clearly that the warranty and any safety certification is invalidated by
>> such use. Thirdly, where a particular and dangerous misuse is foreseeable,
>> design the product so that it prevents or detects such misuse and fails
>> safely. These are common strategies that have been used by many product
>> manufacturers for years; computer system manufacturers can be expected to
>> adopt similar policies.
>>
>> Martyn
>>
>>
>> On 30/12/2015 02:12, Haim Kuper wrote:
>>
>> Hello everyone,
>>
>> What is your opinion regarding the following situation:
>>
>> The customer defines System-A to be used as "Advisory only". This fact
>> defines what we call the "Intended Use" of the system.
>>
>> This Intended use is the basis of the System-A safety analysis, resulting
>> in a few hazards marked with CRITICAL severity.
>>
>> The operator of System-X is clever enough to use the system FAR BEHIND the
>> Intended use.
>>
>> If you analyze this "Extra-usage", you find hazards typed as
>> CATASTROPHIC severity, and the mitigation of those hazards is quite
>> expensive.
>>
>> We do wish to protect the operator activities. However, the customer will
>> not pay the price of the FAR BEHIND the Intended use mitigation.
>>
>> How will you act under those constraints?
>>
>> Thanks,
>>
>> Kuper
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety_at_xxxxxx
>>
>

-- 
Nick Tudor
Tudor Associates Ltd
Mobile: +44(0)7412 074654
www.tudorassoc.com

77 Barnards Green Road
Malvern
Worcestershire
WR14 3LR
Company No. 07642673
VAT No: 116495996

www.aeronautique-associates.com



_______________________________________________ The System Safety Mailing List systemsafety_at_xxxxxx
Received on Thu Dec 31 2015 - 09:37:25 CET