[SystemSafety] Agile methods

René Senden rene.senden at gmail.com
Tue Sep 3 19:07:16 CEST 2013


Thank you Nancy, I’ve been thinking whether the necessary tailoring of an
agile environment to make it suitable/fit for purpose is a realistic option
to prevent/reduce exactly the problems you mention. I suppose that is what I
had in the back of my mind when I wrote “reconciling established agile
software development with software safety requirements”.

Rene

From: Nancy Leveson [mailto:leveson.nancy8 at gmail.com] 
Sent: Tuesday 3 September 2013 14:21
To: René Senden
Cc: Peter Bernard Ladkin; systemsafety at techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Agile methods

Aha, defense. Well, my company was hired to do a non-advocate safety
assessment of the U.S. Missile Defense system about ten years ago, just
before the system was to be deployed and field tested. Two people used STPA
on it for the hazard of inadvertent launch. Some of the companies had used
Agile and related methods on their software. We found it very difficult to
do a hazard analysis as the requirements were so poor. We found lots of
problems, including missing cases in the software that could lead to the
hazard. 

Nancy

On Tue, Sep 3, 2013 at 8:12 AM, René Senden <rene.senden at gmail.com> wrote:
Hello Peter,

I appreciate all contributions/replies, but of course I am particularly
interested in those that actually address the initiating question, and
indeed some members of this list addressed practical industrial experience,
most of whom however contacted me offline for that; this is after all a
tough crowd at times.

Perhaps we have different views on practical experience, or perhaps my
wording of the question is a little short of perfection. I kept my initial
question somewhat general because I also have to consider things like
confidentiality, so it goes without saying that I assume we all have similar
restrictions. The sector at hand is defence, so not medical.

My latest contribution, as a response to Myriam, indeed concludes with an
additional question. I am not hoping for any particular outcome; I don’t
know how you got that impression.


Personally I am very skeptical about agile methods in this context. That
being said, we can’t always choose the questions we are faced with.


Rene


From: Peter Bernard Ladkin [mailto:ladkin at rvs.uni-bielefeld.de]
Sent: Tuesday 3 September 2013 6:55
To: René Senden
Cc: M Mencke; systemsafety at techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Agile methods

On 2 Sep 2013, at 17:32, René Senden <rene.senden at gmail.com> wrote:
.... I tacitly assumed that anyone who’d answer this question with “Yes”,
would also include some of the corresponding experiences


I think some of the initial replies that you didn't like did include
experience. Nancy's and Martyn's for example. If you want anecdotes, that is
hoping for a bit much, since many of us work under constraints of commercial
confidence and sometimes legal privilege, *especially* when dealing with
systems which have safety-related function.

Since you said (I paraphrase) "...such as IEC 61508 and DO 178" I presume
that neither of these explicitly apply to the concrete case you have in
mind, otherwise you would have specified. I conclude that you are talking
about SW development in the medical-device domain. Indeed, there are
organisations working in this area who use "agile" development for products
with safety-related functionality.

There is a reason for such a cultural difference. For example, accidents are
earnestly and independently investigated, with considerable effort, in
commercial aviation, and safety issues identified are required to be fixed.
There was an accident twenty years ago on approach to Strasbourg airport in
which the investigators pointed out that the approach profile was consistent
with a choice of rate of descent rather than angle of descent in the AP
settings, and that the difference between the two on the annunciator was not
particularly striking. It got fixed. Whereas there are critical medical
devices coming on the market "new" in which quantity is expressed on the
display as a number, and to see the units requires a different manipulation
of the controls, which, as is well known, personnel do not always have the
time, inclination or motivation to check. Accidents and incidents caused by
medical personnel commanding right numbers with wrong units, and not
checking the units, were rife twenty years ago and are still rife today,
many or even most of them not documented. Apparently it is deemed OK for
this situation to continue. One concludes that the technical-correction
regime in the use of medical devices is not as rigorous as it is in
commercial aviation.


Is it (at all) possible to harmonize these very different worlds, or would
any such attempt result in compromising either?

Looking through the thread, most of the replies answer that question
clearly. Maybe that was not the answer you had hoped for?

PBL

Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE




-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson at mit.edu
URL: http://sunnyday.mit.edu


