Re: [SystemSafety] Functional hazard analysis, does it work?

From: Martyn Thomas < >
Date: Wed, 20 Jan 2016 10:28:14 +0000

On 20/01/2016 07:06, DREW Rae wrote:
> The more effort you put into creating an analysable model of the real
> world, the less that model looks like the real world and the greater
> the chance that the safety problems will exist outside the analysis
> altogether.


Somehow, you have to be satisfied that you understand well enough what you are trying to do. When you believe you have achieved this, wouldn't you agree that expressing your results formally can only be beneficial? Why would you choose to write things down informally if you had a way to do so formally and there were tools that would then tell you about errors and inconsistencies?

Trivially, we can partition our task into two objectives.

The first is to establish the functionality, interfaces to other systems and the safety and security properties that we need. The second is to implement these in a system and generate adequate evidence that we have done so successfully.

The first is hard and inherently contains some steps that cannot be fully formalised. (I'll assume we agree about that and leave any discussion about it to a separate thread). But once we have completed this objective to the extent that we consider to be sufficient to enable the second objective to proceed to a successful conclusion, it is possible to attempt a formal model of the functionality and properties that we have established.

I don't see how doing so could possibly weaken the work we have already completed - indeed, it will probably reveal some oversights and contradictions that will help us to improve it.

It is likely also to reveal some functionality or properties or interfaces that we cannot formalise. That's a useful warning sign, because it indicates areas where our knowledge is incomplete (perhaps inevitably so) and where we shall need to direct our best efforts to mitigate the risks that result from this incomplete knowledge.

It will also give you a firm starting point for the second objective and, in my experience, reduce the cost of this second stage whilst improving the quality ( assessed on whatever measures you would like to choose).


The System Safety Mailing List
systemsafety_at_xxxxxx Received on Wed Jan 20 2016 - 11:28:25 CET

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:07 CEST