Safety Cases and FTA


From: Andrew Rae <ajrae_at_xxxxxx>
Date: Tue, 8 May 2012 12:47:16 +0100
Message-ID: <CAE4faLLM_uGVA+5DtPW3bWVEQMSQkz5gDtpYc55grBs6RR4hbg@xxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Brian et al,

Regardless of the merits of Fault Tree Analysis and GSN safety arguments (see caveat below), they fill totally different safety roles, and cannot substitute for each other. A safety case is not a PSSA as the term is used in ARP-4761, and there is no sound argument for replacing the PSSA with a safety case.

A safety argument (for example a GSN structure) is only valid if it can be supported by evidence. It doesn't substitute for evidence. FTA is a model which can be used to generate evidence to support the safety argument.

Using an analogy, PSSA using FTA is equivalent to testing software. It is a way of examining the design to identify weaknesses. The fact that you've done the examination isn't proof that there aren't weaknesses, but it is evidence of good process, and perhaps evidence of some of the product properties.

A safety case by itself doesn't fill this role. I can vaguely imagine a method where architectural decisions were represented in GSN, and reviewed, in order to examine the high level design for weaknesses. I've never seen this done in practice, let alone seen evidence that it would actually improve the final design.

Remember, the job of safety engineering is primarily to make systems safer. Evidence and demonstration have little merit except as ways of facilitating review, because review may find ways to make the system safer. A good safety case, like a good test, may help someone point out where further analysis would be productive.

[Caveat: I don't mean to imply by any of the above that I consider FTA to be an effective practice. The available evidence indicates that it isn't fit-for-purpose for overall risk assessment. It is plausible that it is good for the same reason that software testing is good, but as with many safety practices there isn't direct evidence that it is useful in this way.

I share some but not all of Nancy's concerns about safety cases. I've certainly seen them misused in the ways she describes, but consider this to be mainly misuse of the idea, not inherent to the core principles. As Nancy says, it isn't an argument to be had in short sentences on a mailing list.]


Received on Tue 08 May 2012 - 12:47:17 BST