Trustworthiness in Industrial System Design
THE TRUSTWORTHY SYSTEM STATUS

The Trustworthy System Status defines the health of an existing system from normal to ruined as the result of specific levels of loss of functionality. Only in the normal status does the system work as specified. In the next sections we will delve deeper into this status definition, ending with a universal Trustworthy System Status Model (TSSM).

Ideal: A System with No Threats

The Trustworthy System Status "normal" meets everyone's expectations of how the system should work, and everyone has full trust in the system. As long as the system is not a target of threats, this normal status could be permanent. Of course, a system without threats is purely theoretical, but it is a good starting point for understanding the Trustworthy System Status.

Even without threats, Trustworthy Methods are necessary: every system needs maintenance and every system has to fulfill privacy requirements. The methods are frequently challenged by the system as shown in Figure 4: the specific methods assigned to reliability and privacy ideally reject the challenge and the normal system status is established again. Examples of such Trustworthy Methods are:

- A combustion engine needs frequent oil changes.
- Standard software products need frequent updates (service packs).
- New regulations and laws around privacy must be reviewed, and Trustworthy Methods around privacy most likely need updates or additional installations.

[Figure 4: Trustworthiness in a system with no Incidents. The figure shows a Pool of Trustworthiness Methods (stabilizing methods for Reliability and Privacy) next to the System status "Normal (works)"; challenges from the system either succeed (the method rejects them) or fail.]

In Figure 4, the purple circle contains all types of Trustworthy Methods which are necessary to keep the Trustworthy System Status normal as long as possible.

If a Trustworthy Method was forgotten or does not work as expected, then the challenge cannot be rejected and the method fails (red arrow in Figure 4). We will see in the next sections what happens in that case.

Defending the System Against Incidents

After this theoretical but core system design is finished, all potential threats must be addressed. In the spirit of the definition of trustworthiness, such threats can come from outside, e.g., a hurricane, loss of power or a hacker attack, or from inside, e.g., an overheated motor or a design error which results in a failed system status.

September 2018
- 18 -
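The challenge/reject loop of Figure 4 can be modelled as a small state machine. The following Python is an added example, not code from the article: a pool of Trustworthy Methods keyed by concern (only the two concerns named on the page, reliability and privacy) is challenged by the system; the status stays "normal" only while an assigned method rejects every challenge, and a forgotten or malfunctioning method moves it to "failed". Only the "normal" and "failed" statuses are modelled, since the intermediate levels of the TSSM are not defined on this page; the three method functions, their field names and the 500-hour service limit are hypothetical stand-ins for the three examples in the text.

```python
"""Toy model of the challenge / reject loop of Figure 4 (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

NORMAL = "normal"   # the only status in which the system works as specified
FAILED = "failed"   # status after a challenge was not rejected

# A Trustworthy Method inspects constructed facts about the system state and
# returns True when it rejects the challenge (green arrow in Figure 4).
Method = Callable[[dict], bool]


@dataclass
class Challenge:
    concern: str   # "reliability" or "privacy", the two concerns shown in Figure 4
    detail: dict   # constructed facts the methods check


@dataclass
class TrustworthySystem:
    pool: Dict[str, List[Method]] = field(default_factory=dict)  # the purple circle
    status: str = NORMAL
    log: List[str] = field(default_factory=list)

    def add_method(self, concern: str, method: Method) -> None:
        self.pool.setdefault(concern, []).append(method)

    def challenge(self, ch: Challenge) -> str:
        """Route one challenge to every method assigned to its concern.

        The status stays normal only if a method is assigned and all of them
        reject the challenge; a forgotten method (no pool entry) or a method
        that misbehaves (returns False or raises) is the red arrow of Figure 4.
        """
        if self.status != NORMAL:
            return self.status            # a failed system is not restored here
        methods = self.pool.get(ch.concern, [])
        if not methods:
            self.status = FAILED
            self.log.append(f"{ch.concern}: no Trustworthy Method assigned (forgotten)")
            return self.status
        for method in methods:
            try:
                rejected = method(ch.detail)
            except Exception as exc:      # method does not work as expected
                rejected = False
                self.log.append(f"{ch.concern}: {method.__name__} raised {exc!r}")
            if not rejected:
                self.status = FAILED
                self.log.append(f"{ch.concern}: {method.__name__} failed the challenge")
                return self.status
        self.log.append(f"{ch.concern}: challenge rejected, status stays {NORMAL}")
        return self.status


# Hypothetical methods standing in for the three examples in the text; the
# field names and the 500-hour limit are constructed for this example.
def oil_change(detail: dict) -> bool:
    """Reliability: the engine has been serviced within the hour limit."""
    return detail.get("engine_hours_since_service", 0) <= 500


def service_packs_applied(detail: dict) -> bool:
    """Reliability: no update of the software product is outstanding."""
    return not detail.get("pending_service_packs", [])


def privacy_regulations_reviewed(detail: dict) -> bool:
    """Privacy: every new regulation has been reviewed."""
    new = set(detail.get("new_regulations", []))
    return new <= set(detail.get("reviewed_regulations", []))


def broken_method(detail: dict) -> bool:
    """Stands in for a method that does not work as expected."""
    raise RuntimeError("sensor offline")


def build_system(include_privacy: bool = True) -> TrustworthySystem:
    """Assemble the pool; include_privacy=False models a forgotten method."""
    system = TrustworthySystem()
    system.add_method("reliability", oil_change)
    system.add_method("reliability", service_packs_applied)
    if include_privacy:
        system.add_method("privacy", privacy_regulations_reviewed)
    return system


def run_scenario(include_privacy: bool = True) -> List[str]:
    """Status after each of five constructed challenges, in order."""
    system = build_system(include_privacy)
    challenges = [
        Challenge("reliability", {"engine_hours_since_service": 120}),
        Challenge("reliability", {"pending_service_packs": []}),
        Challenge("privacy", {"new_regulations": ["rule A"], "reviewed_regulations": ["rule A"]}),
        Challenge("privacy", {"new_regulations": ["rule B"], "reviewed_regulations": []}),
        Challenge("reliability", {"engine_hours_since_service": 10}),
    ]
    return [system.challenge(ch) for ch in challenges]


if __name__ == "__main__":
    print("privacy method present: ", run_scenario(True))
    print("privacy method forgotten:", run_scenario(False))
```

Running the two scenarios shows the point of the callouts: with the privacy method present the status only falls when an unreviewed regulation arrives, while with that method forgotten the first privacy challenge already ends in "failed", and every later challenge is answered with the failed status because the normal status is the only one in which the system works.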