[SystemSafety] Fwd: Measurement + Control

Martyn Thomas martyn at thomas-associates.co.uk
Sun Dec 15 20:02:07 CET 2013


I agree with Nancy, of course, that safety engineering is a whole-life
activity not "after the fact or independently".

However, the regulators that I have experienced do need, expect and
require a structured explanation of why the "packaged up" evidence from
the safety engineering amounts to credible evidence that the
certification requirements for safety have been met.

I'm comfortable with that structured explanation being called a "safety
argument" or "safety case" and in my opinion such arguments are very
much part of safety engineering.


Martyn



On 15/12/2013 18:35, Nancy Leveson wrote:
> I am getting increasingly frustrated by a prevalent attitude that the
> goal of safety engineering is to prove that a design is safe. I am not
> picking on Drew -- he is bringing up a good point. But it emphasizes
> the absurdity of the approach if safety is being "outsourced." 
>
> The goal of safety engineering is to design safe systems. It is not
> to, after-the-fact or independently, try to show that a system is
> safe. At best, the latter goals are simply add-ons to the primary
> goal, i.e., a final step that is used simply to ensure that what was
> done before is approved. If safety engineering is done correctly,
> i.e., the hazard analysis and safety engineering steps have been
> accomplished by the engineers as they are designing the system and
> making design decisions, then the after-the-fact preparation of the
> case for the regulators is simple and consists of simply packaging up
> what was done during development. 
>
> Engineering is not about making "arguments." 
>
> Nancy
