Trustworthiness in Industrial System Design
trustworthiness characteristics have sharp
boundaries between their protected targets.
This makes it easier to understand the design
focus around each one of the five
characteristics.
Environment (top right quadrant) is
exclusively protected by safety. It
includes any natural aspects that are
accessed by the system (e.g., pollution of
air or water in nature), but also private
neighborhoods and public
infrastructure. No other trustworthiness
characteristic directly addresses this
quadrant.
The System (bottom left quadrant)
describes only the static system,
including installed software and
operational data, but not the operation
itself. Security is responsible for its
protection; resilience and to some
degree reliability also protect the system
against damage or loss of components,
e.g., by fire or theft.
Finally, the system in Operation is mostly
shielded by security, reliability and
partially resilience. The operational part
of the system also includes the staff, who
are, e.g., protected by security against
human threats from outside.
The reader may be confused by these sharp
boundaries of trustworthiness
characteristics between the four quadrants.
For example: are not resilience functions
typically installed in a system to prevent a
disaster for humans and environment in case
of a major system malfunction? The short
answer is that such resilience functions are
used to establish safety functions that
ultimately protect the humans and
environment; the resilience functions
themselves do not provide the protections.
The general answer will be provided by the
concept of Trustworthiness Methods,
introduced later in this article.
It is not possible to redirect the arrows in
Figure 2 by 180 degrees to ask the question
“Who is threatening the trustworthiness of a
system?” Simply stated, every member of
the four quadrants threatens any of the five
characteristics of trustworthiness: e.g.,
humans by making errors or attacks, the
environment by disturbances and the
system or operation by faults.
Employees are targeted in the Humans as
well as in the Operation quadrant, which may
sound unusual. But, for example, every
employee knows exactly when he or she has
their yearly review meeting with the boss:
The employee wears one hat for the
personal expectation of receiving higher
salary and benefits and another hat as a staff
member agreeing to work with higher
efficiency and better interaction with the
rest of the team.
The complete vision of trustworthiness can
be seen in these four quadrants: All
important elements are protected. This
model also shows that the five
IIC Journal of Innovation