302 Chapter 11 Dependability and security
separate buttons simultaneously avoids the hazard of the operator's hands being in the blade pathway.
2. Hazard detection and removal. The system is designed so that hazards are detected and removed before they result in an accident. For example, a chemical plant system may detect excessive pressure and open a relief valve to reduce these pressures before an explosion occurs.
3. Damage limitation. The system may include protection features that minimize the damage that may result from an accident. For example, an aircraft engine normally includes automatic fire extinguishers. If a fire occurs, it can often be controlled before it poses a threat to the aircraft.
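The chemical-plant case in item 2 is the kind of hazard detection and removal that is usually written as a small monitoring loop. The following is an added example, not text or code from the book: a relief-valve controller that reads two redundant pressure sensors, opens the valve when the hazard is detected, and fails safe when the readings themselves cannot be trusted (lost, stale, or mutually inconsistent), which is how a designer guards against the combination-of-failures case discussed below. Thresholds, sensor data and class names are constructed for illustration.

```python
# Added example (not from the book). Hazard detection and removal for a
# pressure-relief valve fed by two redundant sensors. All thresholds and
# sample readings are constructed values for illustration only.
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIGH_KPA = 800.0              # constructed: valve must open above this pressure
RESET_KPA = 700.0             # constructed: valve may close again below this (hysteresis)
MAX_AGE_S = 2.0               # constructed: a reading older than this is treated as lost
MAX_DISAGREEMENT_KPA = 50.0   # constructed: redundant sensors further apart are suspect


@dataclass
class Reading:
    kpa: Optional[float]   # None models a sensor that produced no value at all
    age_s: float           # seconds since the value was sampled


class ReliefController:
    """One control cycle per step(); keeps the valve state and a change log."""

    def __init__(self) -> None:
        self.valve_open = False
        self.log: List[str] = []

    @staticmethod
    def _trusted(r: Reading) -> bool:
        # Reject missing, stale and NaN readings rather than acting on them.
        return r.kpa is not None and r.age_s <= MAX_AGE_S and r.kpa == r.kpa

    def _set(self, open_: bool, why: str) -> None:
        if open_ != self.valve_open:
            self.log.append(f"valve {'OPEN' if open_ else 'CLOSED'}: {why}")
        self.valve_open = open_

    def step(self, a: Reading, b: Reading) -> bool:
        """Evaluate one cycle; returns True when the valve is commanded open."""
        good = [r.kpa for r in (a, b) if self._trusted(r)]
        if not good:
            # Both sensors failed: the hazard can no longer be detected, so fail safe.
            self._set(True, "no trusted pressure reading; failing safe")
        elif len(good) == 2 and abs(good[0] - good[1]) > MAX_DISAGREEMENT_KPA:
            # A faulty sensor combined with rising pressure is the multi-failure
            # situation the text describes; do not guess which sensor is right.
            self._set(True, f"sensors disagree ({good[0]:.0f} vs {good[1]:.0f} kPa); failing safe")
        else:
            worst = max(good)
            if worst > HIGH_KPA:
                self._set(True, f"pressure {worst:.0f} kPa exceeds {HIGH_KPA:.0f} kPa")
            elif self.valve_open and worst < RESET_KPA:
                # Hysteresis: close only once pressure is clearly back in range.
                self._set(False, f"pressure {worst:.0f} kPa below reset point")
        return self.valve_open


def run_scenario() -> Tuple[List[bool], List[str]]:
    """Constructed sequence: normal, hazard, still elevated, one sensor stale,
    both sensors lost. Returns the per-cycle valve state and the change log."""
    ctl = ReliefController()
    cycles = [
        (Reading(650.0, 0.1), Reading(655.0, 0.1)),   # normal operation
        (Reading(820.0, 0.1), Reading(815.0, 0.1)),   # hazard detected: open
        (Reading(760.0, 0.1), Reading(758.0, 0.1)),   # above reset point: stays open
        (Reading(690.0, 0.1), Reading(40.0, 5.0)),    # B stale, A trusted and low: close
        (Reading(None, 0.1), Reading(None, 0.1)),     # both sensors lost: fail safe
    ]
    states = [ctl.step(a, b) for a, b in cycles]
    return states, ctl.log


if __name__ == "__main__":
    states, log = run_scenario()
    print(states)
    for line in log:
        print(line)
```

The design choice worth noting is the direction of the default: whenever the controller cannot establish that the plant is safe, it treats the situation as hazardous and opens the valve. A controller that stayed closed on missing data would silently lose its detection function at exactly the moment a second fault made it necessary.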
Accidents most often occur when several things go wrong at the same time. An analysis of serious accidents (Perrow, 1984) suggests that they were almost all due to a combination of failures in different parts of a system. Unanticipated combinations of subsystem failures led to interactions that resulted in overall system failure. For example, failure of an air-conditioning system could lead to overheating, which then causes the system hardware to generate incorrect signals. Perrow also suggests that it is impossible to anticipate all possible combinations of failures. Accidents are therefore an inevitable part of using complex systems.

Some people have used this as an argument against software control. Because of the complexity of software, there are more interactions between the different parts of a system. This means that there will probably be more combinations of faults that could lead to system failure.

However, software-controlled systems can monitor a wider range of conditions than electro-mechanical systems. They can be adapted relatively easily. They use computer hardware, which has very high inherent reliability and which is physically small and lightweight. Software-controlled systems can provide sophisticated safety interlocks. They can support control strategies that reduce the amount of time people need to spend in hazardous environments. Although software control may introduce more ways in which a system can go wrong, it also allows better monitoring and protection and hence can contribute to improvements in system safety.

In all cases, it is important to maintain a sense of proportion about system safety. It is impossible to make a system 100% safe, and society has to decide whether or not the consequences of an occasional accident are worth the benefits that come from the use of advanced technologies. It is also a social and political decision how to deploy limited national resources to reduce risk to the population as a whole.
11.4 Security
Security is a system attribute that reflects the ability of the system to protect itself from external attacks, which may be accidental or deliberate. These external attacks are possible because most general-purpose computers are now networked and are