[SystemSafety] Call for Submissions

Peter Bernard Ladkin ladkin at causalis.com
Thu Aug 25 10:38:04 CEST 2016

Barrister Stephen Mason http://www.stephenmason.eu sent me a heads-up on the EU performing a
consultation on the safety of apps. Non-embedded apps.
This seems prima facie weird. According to standard (engineering) definitions, such apps are not
safety-related, period. It could be that the EU is looking for connections with safety which do not
fit standard conceptions.

One model for a non-standard conception is ATC. (Although it is odd to call it "non-standard", I
guess, since the system has been around way longer than the "standard" conceptions. Indeed, if one
dates the initialisation of positive control to the 1956 Grand Canyon collision, it is three times
as long.)

Let us consider airspace with 100% primary and secondary radar coverage. The
data-gathering/-distribution/-display systems (let me call it real-time traffic display, RTTD) used
by ATCOs obviously have a connection with safety in that an ATCO can take inappropriate
actions on aircraft separation if the current traffic situation is not veridically

The safety of the airspace system could be defined in terms of the maintenance of appropriate
separation of all participating aircraft, and more generally separation of participating aircraft
from all other aircraft. Put briefly: no airproxes (however you might choose to define airprox).

Maintenance of safety is composed of three factors which form a causal chain: veridical RTTD;
correct procedural actions by the ATCO based on the RTTD information; conformant execution of the
agreed actions by flight crew.

Functional safety of the RTTD is guaranteed: RTTD paints pixels on screens and there are no known
dangerous failures of painting pixels on screens. But it is equally clear that misleading
information followed by nominally-appropriate action by an ATCO on that information followed by
nominally-appropriate response by flight crew can result in loss of separation and thus an airprox.
In other words, a failure of dependability properties of the RTTD can by itself lead to a hazardous
event; it does not need to be compounded with other failures.

The point is here that the behaviour of the other components of the causal chain is regulated, more
or less completely.

So I guess the point of the consultation might be to elicit such causal chains in which the
behaviour of an app in a causal chain can similarly be sole cause.

But notice how the situation must be constructed. If the specific behaviour of the app can be
mitigated by a change in behaviour of another agent in the chain, say by a human, then it can't be
sole cause: an additional causal factor is that the mitigating behaviour did not occur. So unless
the app executes in a context in which the behaviour of other actors is rigorously constrained, as
in ATC, the app can't be sole cause of a hazardous event.

It'll be interesting to see what comes out of the consultation.
Prof. Peter Bernard Ladkin, Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
