Trustworthiness in Industrial System Design
As shown, the use of Trustworthiness Methods does not change in the subsequent statuses: everything is based on methods assigned to safety, security and resilience. Traditional alert colors are used to indicate status: green for normal, yellow for disrupted, orange for damaged, red for disastrous and magenta for ruined. The graphic also shows the effort required to move from a lower system status to a higher one. In principle, such a status change could also skip levels, for example from damaged directly to normal; to keep the graphic simple, such practical options were not added. To give a better understanding of the lower status values, I continue my example with the flamed-out engine of an airplane. Assume the Trustworthiness Method of bringing the airplane to a lower altitude or the windmill restart fails; the status would then stay damaged. In this case, the other engine would probably flame out too, e.g., because the airplane ran out of fuel. Now the status falls to disastrous. If the pilot succeeds with the Trustworthiness Method of an emergency landing, the status will stay at disastrous and the airplane would probably fly again after significant repair. Otherwise, the plane will crash and end as ruined, making it clear that there is no way back to normal.
[Figure: system status over time. Status levels: Normal, Disrupted, Damaged, Disastrous; transitions: Disruption, Damage, Disaster, Downfall.]
[sf]=safety, [sc]=security, [rl]=reliability, [rs]=resilience, [pv]=privacy
Figure 8: TSSM planning table
September 2018
- 22 -