[SystemSafety] Static Analysis

[Michael Jackson]

Yes. Surely "taking the discussion on to the system behaviour applied 
to the wider
physical world" beyond "the control / measurement systems" is what 
it's all about,
isn't it? It's only in the wider physical world that the system 
purpose has meaning
and the real costs of safety failures are felt.

-- Michael Jackson



At 10:49 03/03/2014, GRAZEBROOK, Alvery N wrote:
>Peter:
>
> > I think Patrick Graydon's point is that in any system
> > involving the physical world (including human behaviour)
> > there are inescapable concerns that lie beyond the reach
> > of  mathematical and logical reasoning and demand tests
> > and experiments for their investigation. For these concerns
> > testing can show the presence of error but not its absence:
> > infinite testing is not an option. Accepting this point we
> > must at some stage decide that no more testing is
> > practicable, and that the system is now to be put into
> > operation.
>
> > It is uncomfortable to characterise this decision as
> > 'try-it-and-see' but it is correct in principle.
>
>A safety assessment is always more than the logical correctness of 
>its control elements. Understanding the physics of the environment, 
>and the human factors aspects, and common-cause failures (e.g. 
>effects of damage) are always part of the story.
>
>Recently, this forum has discussed the limitations and value of 
>applying logically rigorous techniques to the implementation of the 
>control / measurement systems. Patric Graydon and Michael Jackson 
>are taking the discussion on to the system behaviour applied to the 
>wider physical world.
>
>This branch of the discussion appears to be confusing the two areas 
>of practice. Of course you need to apply an empirical (experimental) 
>approach to understanding the physics of the environment and the 
>human factors aspects. In a manner that is kind-of parallel to the 
>scientific method, the Civil Aerospace sector captures aspects of 
>this empirical research through accident investigations, and 
>ultimately into the Certification Standard CS-25.
>
>An example of this is the Heathrow 777 incident. The authorities and 
>airframe manufacturers have collaborated to improve our 
>understanding of ice accretion following the Heathrow 777 incident 
>where the aircraft lost fuel supply to both engines on final 
>approach. Icing and the release of ice in the engine feed lines was 
>almost certainly a cause.
>
>Having followed Patrick Graydon's logic, I see a value in using 
>software during the process of empirical discovery. During this 
>phase you manage safety in various ways, not necessarily by applying 
>high assurance standards to the experimental software. When you 
>understand the demands this places on the control-system adequately, 
>you then decide to implement a safety-critical controller for 
>production use. I would still recommend use of strong software 
>development practices, and consider the value you can get from 
>applying formal specification and formal analysis to this part of the work.
>
>Cheers,
>         Alvery
>** the opinions expressed here are my own, not necessarily those of 
>my employer.
>
>This email (including any attachments) may contain confidential 
>and/or privileged information or information otherwise protected 
>from disclosure. If you are not the intended recipient please notify 
>the sender immediately and delete this email and any attachments 
>from your system.  Do not copy this email or any attachments and do 
>not use it for any purpose or disclose its content to any 
>person.  Airbus Operations Limited disclaims all liability if this 
>email transmission has been corrupted by virus, altered or falsified.
>
>Airbus Operations Limited, a company registered in England and 
>Wales, with registration number 3468788.  Registered 
>office:  Pegasus House, Aerospace Avenue, Filton, Bristol, BS99 7AR, UK.
>
>_______________________________________________
>The System Safety Mailing List
>systemsafety at TechFak.Uni-Bielefeld.DE