[SystemSafety] Safety Cases

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Tue Feb 11 13:26:06 CET 2014


Michael,

that sounds a lot like how one starts an Ontological Hazard Analysis. There is, though, a
difference, as I see it, as follows.

* You start with the overall functional requirements of the system, express them in some language
(we probably prefer the word "vocabulary" to the word "alphabet", because items of vocabulary have
meanings whereas items of an alphabet generally do not) and wish to derive safety requirements from that.

* Whereas OHA starts with very-top-level formulations of safety requirements, not general requirements.

For example, when expressing the safety requirement of a level crossing (grade crossing), one
doesn't need to express any general functional requirement of a train, or a road vehicle, except
that they occupy space. The safety requirement is then that the space that each occupies must be
disjoint. You don't even need to say, at this level, that a car moves, or a train moves. But surely
something about enabling movement must be in, or derivable from, the general functional requirements
of either.

PBL

On 2014-02-11 11:32, Michael Jackson wrote:
> A system has an intended functional behaviour satisfying a set of 'positive' requirements: "When I
> press the footbrake the car slows down," and "When the current flow is excessive the circuit breaker
> trips." These are positive, just like "When I turn the steering wheel the car turns" and "When the
> ignition switch is turned on the motor starts." There is some (quite large) set of events, states,
> etc embodying this behaviour: let's call it the alphabet of the functional design. When the car is
> properly designed, maintained, and operated, it 'goes right' in the sense that an observer who
> observes only elements of the alphabet will see that the functional behaviour is as intended.
> 
> The first kind of safety concern arises directly from some failure to exhibit the intended
> functional behaviour: "I pressed the brake but the car didn't slow down (so I ran into the car
> ahead)." "The current flow exceeded the threshold but the circuit breaker didn't trip (so the cable
> caught fire)." These safety concerns arise when "something goes wrong": what goes wrong (but not, in
> general the resulting mishap) is fully expressible in the functional design alphabet. If a serious
> accident results the investigators determine what should have "gone right" but in fact "went
> wrong". Knowing "What constitutes going right" allows them to examine what "went wrong" and identify
> the causes.
> 
> The second kind of safety concern arises from circumstances expressible only in a larger alphabet.
> The road collapses in front of the car; a tree falls on the car; the car is rammed from behind and
> the fuel tank explodes; the exhaust system is damaged by impact of a flying stone and poisonous fumes
> leak into the cabin; a child left alone in the car contrives to start it and cause a crash. The
> alphabet of such imaginable dangers is unbounded: the hazards cannot be identified by examining the
> causal links on which the intended functional behaviour relies.



Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
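The level-crossing example above can be made concrete. The following is an illustration added by the editor, not code from Ladkin, Jackson or the OHA method itself: the top-level safety requirement is stated purely in the occupancy vocabulary (regions X, T and R, and who occupies them), with no notion of movement. A refinement then introduces movement actions and two candidate movement-level requirements, DR1 and DR2 (both names and rules are the editor's assumptions, not from the thread), and an exhaustive search over short traces checks whether each candidate is enough to guarantee the top-level requirement. DR1 ("enter only if the crossing is empty") turns out not to be, because both vehicles may enter in the same step; DR2 adds exclusivity and survives the check.

```python
"""Toy refinement check for a level crossing (editor's added illustration).

Top level: vocabulary is only occupancy of regions; the safety requirement SR0
is that the regions occupied by train and car are disjoint at every observation.
Refined level: movement actions are added and a movement rule is checked to see
whether it is sufficient for SR0 on all traces up to a bounded depth.
"""
from itertools import product

# Top-level vocabulary: opaque region labels (assumed names, not from the thread).
CROSSING = "X"    # the shared region where track and road intersect
TRAIN_ONLY = "T"  # track outside the crossing
ROAD_ONLY = "R"   # road outside the crossing


def occupancy(state):
    """state = (train_in_crossing, car_in_crossing) -> regions occupied by each."""
    train_in, car_in = state
    return {
        "train": {CROSSING} if train_in else {TRAIN_ONLY},
        "car": {CROSSING} if car_in else {ROAD_ONLY},
    }


def sr0_holds(trace):
    """SR0: at every observation the occupied regions are disjoint.
    Nothing here mentions movement; it is a property of observed states."""
    return all(not (occupancy(s)["train"] & occupancy(s)["car"]) for s in trace)


# Refinement: introduce movement. Each step is one action per vehicle.
ACTIONS = ("stay", "enter", "leave")


def apply_action(in_crossing, action):
    if action == "enter":
        return True
    if action == "leave":
        return False
    return in_crossing


def step(state, actions):
    """Both vehicles act simultaneously; actions = (train_action, car_action)."""
    return (apply_action(state[0], actions[0]), apply_action(state[1], actions[1]))


def rule_local(state, actions):
    """DR1 (assumed candidate): a vehicle may enter only if the crossing is
    empty, judged from the state before the step."""
    crossing_empty = not state[0] and not state[1]
    return all(a != "enter" or crossing_empty for a in actions)


def rule_exclusive(state, actions):
    """DR2 (assumed candidate): DR1 plus at most one vehicle enters per step."""
    return rule_local(state, actions) and actions.count("enter") <= 1


def find_counterexample(rule, depth):
    """Enumerate every movement trace of up to `depth` steps permitted by `rule`,
    starting with both vehicles outside the crossing. Return the first trace
    that violates SR0, or None if the rule is sufficient to that depth."""
    frontier = [[(False, False)]]
    for _ in range(depth):
        nxt = []
        for trace in frontier:
            s = trace[-1]
            for acts in product(ACTIONS, repeat=2):
                if not rule(s, acts):
                    continue
                t = trace + [step(s, acts)]
                if not sr0_holds(t):
                    return t
                nxt.append(t)
        frontier = nxt
    return None


if __name__ == "__main__":
    print("DR1 counterexample:", find_counterexample(rule_local, 3))
    print("DR2 counterexample:", find_counterexample(rule_exclusive, 4))
```

The search is a bounded, brute-force stand-in for the proof obligation a refinement step would carry: every behaviour the movement-level rule admits must still satisfy the occupancy-level requirement. The point it makes is the one in the message: SR0 needs no vocabulary of motion at all, yet once motion is introduced the derived requirement has to be strong enough that SR0 follows from it.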