[SystemSafety] Call for Submissions
Peter Bernard Ladkin
ladkin at causalis.com
Thu Aug 25 14:16:03 CEST 2016
On 2016-08-25 13:33 , GRAZEBROOK, Alvery N wrote:
> [PBL] .... According to standard (engineering) definitions, such apps are not safety-related, period. It could be
> that the EU is looking for connections with safety which do not fit standard conceptions.
> another take on this ...
Bertrand Ricque also wrote me privately to indicate his disagreement with my equating the functional
safety of displays to the functional safety of pixels on a screen, which I claimed is almost guaranteed.
I say almost: German on-line banking displays a flickering bar code which is read by a device which
uses this flickering display and the data from a chip&PIN bankcard to generate a nonce which you
type in to validate the transaction. There is a warning about the flickering display for those
susceptible to epileptic fits triggered by visuals.
Peripherally interesting here is that in IEC 61508 safety is equated with acceptable risk, and risk
is quantified by the prevalence of dangerous failure. The flickering bar code is not a failure! It
is also clearly part of the function of the system. So it looks as if the IEC 61508 concepts are
inadequate to deal with all cases of computer-related engineered-object functional safety.
I believe Bertrand is, as I was, concerned about the causal effects of the pixel pattern upon
further system operation. As I indicated with the ATC example, I don't think this is adequately
captured by the notion of functional safety. Neither is it characterised by the notion of data
safety, as characterised in the DSIWG document.
What about a notion of semantic safety? The pixels on the ATCO screen have a meaning. It is this
meaning which contributes, or not, to the further operation of the entire system.
The meaning of a particular collection of pixels is the assertion "this aircraft with ID xxx at this
time (within a sweep) is in position yyy over the earth's surface at pressure altitude zzz (plus
other stuff)" (the data are of course approximations, let me not worry about that). The meaning of
the entire display D is the conjunction of the assertions, most of the variable parts of which
will have this form (there are others: "airspace sector boundary is <here>", for example). Let us
call this Meaning(D).
The display is veridical if Meaning(display) is true. A dangerous failure of the display D is then
when Meaning(D) fails to indicate a pending loss of separation (there are more or less standard
geometric/dynamic criteria for this). That is,
There exist aircraft X, Y such that X, Y are in Objects(D) & pending-loss-of-separation(X,Y) &
NOT(Meaning(D) => pending-loss-of-separation(X,Y))
Exercise for others: formulate it for Pokemon GO :-)
Prof. Peter Bernard Ladkin, Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319 www.rvs-bi.de
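The dangerous-failure predicate above, worked through as an added example (not part of the original post): Meaning(D) is modelled as a set of position assertions, the world as the true positions, and the separation criteria are assumed placeholder minima (5 NM horizontal, 1000 ft vertical) standing in for the "standard geometric/dynamic criteria" the post refers to. The sample tracks are constructed.

```python
import math
from dataclasses import dataclass

# Assumed separation minima (placeholders for the "standard" criteria).
H_SEP_NM = 5.0      # horizontal minimum, nautical miles
V_SEP_FT = 1000.0   # vertical minimum, feet


@dataclass(frozen=True)
class Track:
    """One assertion in Meaning(D): aircraft `ident` is at (x, y) NM, pressure altitude `alt` ft."""
    ident: str
    x: float
    y: float
    alt: float


def pending_loss_of_separation(a: Track, b: Track) -> bool:
    """Geometric criterion: both the horizontal and the vertical minimum are violated."""
    horiz = math.hypot(a.x - b.x, a.y - b.y)
    return horiz < H_SEP_NM and abs(a.alt - b.alt) < V_SEP_FT


def meaning(display):
    """Meaning(D): the conjunction of the display's assertions, keyed by aircraft ID."""
    return {t.ident: t for t in display}


def veridical(display, world) -> bool:
    """D is veridical if every assertion it makes is true of the world."""
    return all(world.get(ident) == t for ident, t in meaning(display).items())


def dangerous_failure(display, world):
    """Pairs (X, Y) in Objects(D) with a real pending loss of separation that Meaning(D)
    does not imply. A non-empty result is a dangerous failure of D.
    Assumes every aircraft shown on D also exists in `world`."""
    m = meaning(display)
    idents = sorted(m)
    return [(xi, yi)
            for i, xi in enumerate(idents) for yi in idents[i + 1:]
            if pending_loss_of_separation(world[xi], world[yi])      # true of the world
            and not pending_loss_of_separation(m[xi], m[yi])]        # but not implied by D


# Constructed sample: two aircraft really 3 NM apart at the same level.
WORLD = {"ABC123": Track("ABC123", 0.0, 0.0, 35000.0),
         "DEF456": Track("DEF456", 3.0, 0.0, 35000.0)}
TRUE_DISPLAY = list(WORLD.values())                      # veridical: shows the real positions
STALE_DISPLAY = [WORLD["ABC123"], Track("DEF456", 8.0, 0.0, 35000.0)]  # stale plot, 8 NM shown
```

For the stale display, Meaning(D) asserts an 8 NM gap, so it does not imply the real pending loss of separation and `dangerous_failure` reports the pair; for the veridical display it reports nothing.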