[SystemSafety] Safety Cases

Martyn Thomas martyn at thomas-associates.co.uk
Fri Feb 7 12:16:02 CET 2014


In the National Academies / CSTB Report  /Software for Dependable
Systems: Sufficient Evidence?/
(http://sites.nationalacademies.org/cstb/CompletedProjects/CSTB_042247)
we said that every claim about the properties of a software-based system
that made it dependable in its intended application should be stated
unambiguously, and that every such claim should be shown to be true
through scientifically valid evidence that was made available for expert
review.

It seems to me that this was a reasonable position, but I recognise that
it is a position that cannot be adopted by anyone whose livelihood
depends on making claims for which they have insufficient evidence (or
for which no scientifically valid evidence /could/ be provided).
Unfortunately, much of the safety-related systems industry is in this
position (and the same is true, /mutatis mutandis/, for security).

It seems to me that some important questions about dependability are these:

1    What properties does the system need to have in order for it to be
adequately dependable for its intended use? (and how do you know that
these properties will be adequate?)
2    What evidence would be adequate to show that it had these properties?
3    Is it practical to acquire that evidence and, if not, what is the
strongest related property for which it would be practical to provide
strong evidence that the property was true?
4    What are we going to do about the gap between 1 and 3?

The usual answer to 4 is "rely on having followed best practice, as
described in Standard XYZ". That's an understandable position to take,
for practical reasons, but I suggest that professional integrity
requires that the (customer, regulator or other stakeholder) should be
shown the chain of reasoning 1-4 (and the evidence for all the required
properties for which strong evidence can be provided) and asked to
acknowledge that this is good enough for their purposes.

I don't care what you choose to call the document in which this
information is given, so long as you don't cause confusion by
overloading some name that the industry is using for something else.

I might refer to the answers to question 1 as a "goal", if I were trying
to be provocative.

Martyn
