Page 319 -

302   Chapter 11   Dependability and security


separate buttons simultaneously avoids the hazard of the operator's hands being in the blade pathway.

2. Hazard detection and removal. The system is designed so that hazards are detected and removed before they result in an accident. For example, a chemical plant system may detect excessive pressure and open a relief valve to reduce these pressures before an explosion occurs.

3. Damage limitation. The system may include protection features that minimize the damage that may result from an accident. For example, an aircraft engine normally includes automatic fire extinguishers. If a fire occurs, it can often be controlled before it poses a threat to the aircraft.

Accidents most often occur when several things go wrong at the same time. An analysis of serious accidents (Perrow, 1984) suggests that they were almost all due to a combination of failures in different parts of a system. Unanticipated combinations of subsystem failures led to interactions that resulted in overall system failure. For example, failure of an air-conditioning system could lead to overheating, which then causes the system hardware to generate incorrect signals. Perrow also suggests that it is impossible to anticipate all possible combinations of failures. Accidents are therefore an inevitable part of using complex systems.
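As an added illustration of strategies 2 and 3 above and of the point about combined failures, the following Python controller (example code, not the book's) models the chemical-plant relief valve: it vents on overpressure, shuts the process down if venting fails to contain it, and treats a silent sensor as a hazard rather than as normal operation. The thresholds, state names and stale-sensor rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

RELIEF_LIMIT = 8.0     # bar: vent above this (assumed value)
SHUTDOWN_LIMIT = 10.0  # bar: emergency shutdown above this (assumed value)
MAX_STALE = 3          # consecutive missing readings tolerated (assumed value)


@dataclass
class PressureController:
    """Controller for the chemical-plant example (added illustration, not the book's)."""
    relief_open: bool = False
    shutdown: bool = False   # latched; cleared only by a manual reset
    stale: int = 0
    log: list = field(default_factory=list)

    def step(self, reading):
        """Process one pressure sample (bar); None means no fresh reading arrived."""
        if self.shutdown:
            return "shutdown"
        if reading is None:
            # Fail safe: a controller that cannot see the pressure must not assume
            # it is normal. A dead sensor plus a rising process is the kind of
            # failure combination Perrow describes, so vent rather than wait.
            self.stale += 1
            if self.stale > MAX_STALE and not self.relief_open:
                self.relief_open = True
                self.log.append("sensor stale: relief opened")
            return "relief" if self.relief_open else "normal"
        self.stale = 0
        if reading >= SHUTDOWN_LIMIT:
            # Damage limitation: venting did not contain the hazard.
            self.shutdown = self.relief_open = True
            self.log.append(f"{reading} bar: emergency shutdown")
            return "shutdown"
        if reading >= RELIEF_LIMIT:
            # Hazard detection and removal: vent before an explosion can occur.
            if not self.relief_open:
                self.log.append(f"{reading} bar: relief opened")
            self.relief_open = True
        elif self.relief_open and reading < RELIEF_LIMIT - 1.0:
            self.relief_open = False   # hysteresis band avoids valve chatter
            self.log.append(f"{reading} bar: relief closed")
        return "relief" if self.relief_open else "normal"


def run(samples):
    """Drive a fresh controller over a constructed sample sequence; return (states, log)."""
    ctl = PressureController()
    return [ctl.step(s) for s in samples], ctl.log
```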
Some people have used this as an argument against software control. Because of the complexity of software, there are more interactions between the different parts of a system. This means that there will probably be more combinations of faults that could lead to system failure.

However, software-controlled systems can monitor a wider range of conditions than electro-mechanical systems. They can be adapted relatively easily. They use computer hardware, which has very high inherent reliability and which is physically small and lightweight. Software-controlled systems can provide sophisticated safety interlocks. They can support control strategies that reduce the amount of time people need to spend in hazardous environments. Although software control may introduce more ways in which a system can go wrong, it also allows better monitoring and protection and hence can contribute to improvements in system safety.

In all cases, it is important to maintain a sense of proportion about system safety. It is impossible to make a system 100% safe and society has to decide whether or not the consequences of an occasional accident are worth the benefits that come from the use of advanced technologies. It is also a social and political decision about how to deploy limited national resources to reduce risk to the population as a whole.




11.4 Security


Security is a system attribute that reflects the ability of the system to protect itself from external attacks, which may be accidental or deliberate. These external attacks are possible because most general-purpose computers are now networked and are