[SystemSafety] Static Analysis

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon Mar 3 13:30:57 CET 2014


Michael,

On 2014-03-03 10:51 , Michael Jackson wrote:
> I think Patrick Graydon's point is that in any system involving the physical world
> (including human behaviour) there are inescapable concerns that lie beyond the
> reach of mathematical and logical reasoning and demand tests and experiments
> for their investigation...
> 
> The phrase 'try-it-and-see' sounds like a sneer; but perhaps it is a valuable reminder
> that mathematical certainty of safety is simply not achievable.

IEC 61508 accepts that mathematical certainty of safety is not achievable either.

I have nothing against testing, far from it! (But, like Martyn, I do have my reservations about
testing being used as a means deliberately to detect bugs rather than as a means to assure, via
relative exception-freedom, that the development was appropriate.)

I was interpreting "try it and see" from Derek Jones's original point, cited by Les Chambers:

> If you have to implement a system quickly, where there is lots of
> uncertainty about what needs to be done and how to do it, there
> are advantages to rolling out partially working systems.  You get
> to learn a lot.
> ...
> 
> I don't think we should dismiss the suck it and see approach.  It does
> have some advantages.

That doesn't sound like testing. That sounds like experimenting. Les pointed out that learning from
accidents is de rigueur but learning through accidents is an unacceptable development method for
critical systems.

Whether or not I read Patrick correctly, I wanted to clarify that in safety-critical areas the
standards, and laws based on them, do not accept "rolling out partially working systems" unless they
can be shown per the criteria to fulfil their safety requirements anyway.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de