[SystemSafety] Call for Submissions

Martyn Thomas martyn at thomas-associates.co.uk
Thu Aug 25 12:01:21 CEST 2016


The questionnaire covers risks to people and property that seem somewhat
wider than our normal use of "safety". But it's their consultation, so
let's go with their terminology.

It looks like an opportunity to influence the EU to consider a directive
requiring better software engineering.

Martyn

On 25/08/2016 09:38, Peter Bernard Ladkin wrote:
> Barrister Stephen Mason http://www.stephenmason.eu sent me a heads-up on the EU performing a
> consultation on the safety of apps. Non-embedded apps.
>
> https://ec.europa.eu/digital-single-market/en/news/public-consultation-safety-apps-and-other-non-embedded-software
>
> This seems prima facie weird. According to standard (engineering) definitions, such apps are not
> safety-related, period. It could be that the EU is looking for connections with safety which do not
> fit standard conceptions.
>
> One model for a non-standard conception is ATC. (Although it is odd to call it "non-standard", I
> guess, since the system has been around way longer than the "standard" conceptions. Indeed, if one
> dates the initialisation of positive control to the 1956 Grand Canyon collision, it is three times
> as long.)
>
> Let us consider airspace with 100% primary and secondary radar coverage. The
> data-gathering/-distribution/-display systems (let me call it real-time traffic display, RTTD) used
> by ATCOs obviously have a connection with safety in that an ATCO can take inappropriate
> actions on aircraft separation if the current traffic situation is not veridically
> displayed.
>
> The safety of the airspace system could be defined in terms of the maintenance of appropriate
> separation of all participating aircraft, and more generally separation of participating aircraft
> from all other aircraft. Put briefly: no airproxes (however you might choose to define airprox).
>
> Maintenance of safety is composed of three factors which form a causal chain: veridical RTTD;
> correct procedural actions by the ATCO based on the RTTD information; conformant execution of the
> agreed actions by flight crew.
>
> Functional safety of the RTTD is guaranteed: RTTD paints pixels on screens and there are no known
> dangerous failures of painting pixels on screens. But it is equally clear that misleading
> information followed by nominally-appropriate action by an ATCO on that information followed by
> nominally-appropriate response by flight crew can result in loss of separation and thus an airprox.
> In other words, a failure of dependability properties of the RTTD can by itself lead to a hazardous
> event; it does not need to be compounded with other failures.
>
> The point is here that the behaviour of the other components of the causal chain is regulated, more
> or less completely.
>
> So I guess the point of the consultation might be to elicit such causal chains in which the
> behaviour of an app in a causal chain can similarly be sole cause.
>
> But notice how the situation must be constructed. If the specific behaviour of the app can be
> mitigated by a change in behaviour of another agent in the chain, say by a human, then it can't be
> sole cause: an additional causal factor is that the mitigating behaviour did not occur. So unless
> the app executes in a context in which the behaviour of other actors is rigorously constrained, as
> in ATC, the app can't be sole cause of a hazardous event.
>
> It'll be interesting to see what comes out of the consultation.
>
> PBL
>
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE

