Trustworthiness in Industrial System Design
started again – an issue which needs deeper analysis and likely repair after a safe emergency landing). Of course, there are industries, such as nuclear plants, for example, which must take disrupted systems seriously, analyzing the reason for the disruption and modifying the Trustworthiness Reliability, Security and Safety Methods before a restart of the system back to normal is possible. For other industries it is good practice to document disruptions and also to take precautions and make specific enhancements to prevent this disruption in the future.

The interesting thing about status is the symmetry: Defending Methods, assigned to security and safety, try to protect the current system status from incidents to avoid later failures, e.g., from normal to disrupted or from disrupted to damaged. Stabilizing Methods, on the other hand, try to defend against challenges which are coming from the current status.

Furthermore, Trustworthiness Methods assigned to reliability or privacy are replaced by methods assigned to resilience as soon as the system leaves the normal Trustworthy System status. This switch is a result of the original definitions of reliability and resilience: all methods assigned to reliability target well-known issues inside the normal operation of the system. As soon as the normal status moves to the disruption stage, we reach the unexpected status of the system. Now methods assigned to resilience take over to stabilize the current status.
September 2018
- 20 -