Architects or Tinkers

by John Covan

So, for these and similar systems requiring predictable safety, how can we assure it? Must we build it in from scratch, or can we tinker with a "Rube Goldberg" contraption, turning a sow's ear into a silk purse? I subscribe to the phrase, "The best way to make a silk purse out of a sow's ear is to start with a silk sow." Build it in, we must.

The reasons why I believe we must design and build in system safety relate to practicality, strategy and positive measures. An existing system, especially one that has evolved over a number of years, may have an uncertain pedigree, and its safety-critical elements may not have been subjected to the controls necessary to assure their predictable and acceptable responses to stressing environments. Worse yet, its safety "architecture" may not be properly documented (or even known with certainty), or may have been invalidated by subsequent system modification. The necessary safety architecture, and its implementation through positive measures, are best achieved through "from-scratch" design, evaluation, fabrication and testing in a controlled environment.

Curiously, not everyone agrees with this view. At our 20th International System Safety Conference last August, I asked one of the presenters if she thought the principles described in her paper could be used to incrementally improve the safety of elaborate, highly evolved, existing systems to arbitrarily high levels; and surprisingly, she answered "yes."

Needless to say, I firmly disagree. I would like to see more debate on this question because it reaches to the foundation of what we think system safety really is. Are we architects and builders, or are we tinkerers?

The author is president of the New Mexico Chapter of the System Safety Society.
