[SystemSafety] Fwd: Critical Design Checklist

Nancy Leveson leveson.nancy8 at gmail.com
Tue Aug 27 19:10:44 CEST 2013


---------- Forwarded message ----------
From: Nancy Leveson <leveson.nancy8 at gmail.com>
Date: Tue, Aug 27, 2013 at 1:02 PM
Subject: Re: [SystemSafety] Critical Design Checklist
To: "Driscoll, Kevin R" <kevin.driscoll at honeywell.com>


Kevin, safety does not start with design. It starts with hazard analysis.
Then you make specific design decisions with respect to the hazard causes
you have identified in your hazard analysis. I don't understand how you can
start with the design and just look at that. Every major accident had
different specific design flaws -- in thirty years of investigating
hundreds of accidents, I have rarely seen them repeated.

In addition, it sounds like you are equating safety and reliability. As no
realistically complex and large software has ever been found to be
fault-free in its lifetime, a more realistic goal is to make it safe by
starting with hazard analysis (as NASA has done since its first safety
program was initiated by Jerome Lederer in 1968).

Nancy


On Mon, Aug 26, 2013 at 4:37 PM, Driscoll, Kevin R <
kevin.driscoll at honeywell.com> wrote:

> For NASA, we are creating a Critical Design Checklist:
>
> * Objective
>
>   - A checklist for designers to help them determine if a
>     safety-critical design has met its safety requirements
>
>   - Not a “Have you done ...” checklist
>
>     - Too easy to just check “yes” without doing sufficient work
>
>     - Instead, “What have you done ...”
>
>     - Prove what you have done is sufficient
>
> * We are looking for inputs to include in this checklist
>
> * Do you have any inputs that should be included?
>
>   - Meta-question: “If you were asked to participate in a design
>     review of a safety-critical design, what questions would you ask?”
>     (Particularly, general questions you would have before seeing the
>     details of a design.)
>
>   - Inverse meta-question: “If you were presenting a design, what
>     questions would you dread being asked?”  :-}
>
>     - Where are the bodies buried?
>
> We are finishing the Checklist by next week and would like to include any
> good questions you may have that we have overlooked. Realizing this is an
> imposition on your time, I am hoping some of you would be so kind as to
> spend just a few minutes to send questions or even question fragments.
>
> --
>
> P.S.
>
> I am also looking for unusual failure scenarios to add to my collection,
> like those I’ve described in my series of “Murphy was an Optimist”
> presentations (e.g.
> http://www.rvs.uni-bielefeld.de/publications/DriscollMurphyv19.pdf).
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
>


-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson at mit.edu
URL: http://sunnyday.mit.edu
