[trustable-software] A breakthrough (in my mind, at least)
Paul Sherwood
paul.sherwood at codethink.co.uk
Thu Sep 6 11:52:50 BST 2018
Hi all
Over recent weeks I've been struggling to understand how various
communities deal with safety (in general, not just software).
Until last week I was finding occasional moments of insight (e.g. "Aha,
the IEC standards business model is a disgrace"), but mainly I was
getting drawn into the rabbit holes of 'safety argumentation', 'safety
manual', 'pre-certification', 'probabilistic risk assessment' etc.
This has been making me increasingly uncomfortable, since I personally
don't believe that the de facto approaches (including, sadly, the
MISRA/CERT C standard work, hence my cross-post to the study group list)
are widely fit-for-purpose in the world in which I find myself. We're
designing extremely complex systems, containing huge amounts of
software. Most of that software is and will continue to be produced by
people who will never follow the MISRA/CERT standards.
And they certainly won't read ISO26262 or IEC 61508 (who in their right
mind would actually pay $3000 for that???)
The elephant in the room for me is autonomous vehicles - no-one can
credibly claim that all of that software is going to behave
deterministically, let alone be safe and secure (in the real human
sense) if our best defence is what was mapped out by
embedded/electronics engineers decades ago.
So in my heart of hearts I was beginning to think "eek... there's
**way** more work to do than I ever thought possible".
And then, bingo. I came across Nancy Leveson. The work has been done!
Crisis averted! Nancy and her colleagues at MIT have been working for
decades on a systematic, defensible, grown up engineering approach to
safety [1]
And security!
And other emergent properties of complex systems.
Happily, this work is freely available. So I don't have to pay for unfit
documents that will stay unfit because hardly anybody actually reads
them, and it's too hard to convince the rights holders that their babies
are ugly.
So now the fun starts. I've asked colleagues to start working on STPA
hazard analysis for autonomous vehicles. If I understand it correctly, it
won't take very long :-)
If you'd like to contribute please let me know.
br
Paul
[1] http://psas.scripts.mit.edu/home/