Trustworthiness in Industrial System Design
to one or more of the trustworthiness characteristics and the addition of a new name.
CLASSIFICATION OF TRUSTWORTHINESS METHODS
Beyond the assignment to one or more trustworthiness characteristics, Trustworthiness Methods can be classified along other dimensions:

Definition: A Trustworthiness Method can be essential or supportive. The essential attribute means that dropping this Trustworthiness Method leads to a loss of the assigned trustworthiness characteristic in the specific context. In contrast, a supportive Trustworthiness Method increases the trustworthiness of one or more of the essential methods in the same context, but dropping it does not by itself cause the loss of that characteristic.

Examples:

A fire alarm sensor is an essential Trustworthiness Method for the safety characteristic. Disabling it would violate fire alarm legal requirements and industrial regulations.

A video surveillance system with automatic picture evaluation could also detect open fires and send an additional alarm, which makes this system supportive. But this usage does not follow official requirements, and it is not guaranteed to work under all conditions of a fire. That is why it is not essential. Shutting off this surveillance system would drop the physical security of the system, but not its fire safety.

The network firewall in an internet/LAN router is essential for security. Disabling this firewall would lead to an instant loss of security in the context of internet access protection.

A VPN system in an internet/LAN router is essential for security in the context of communication across the internet. But it is also supportive for internet access protection: once authorized remote access clients are required to use the VPN, all non-VPN remote access can be dropped at the firewall, so an attacker would first have to obtain VPN access. A temporary disabling of the VPN access, however, would not result in a loss of security in the internet access protection context.

Another classification for Trustworthiness Methods is the location in the system status. The meaning of system status in the context of trustworthiness is explained in the next section. A Trustworthiness Method is originally designed for one specific status but can also be useful in other status locations. Removing or modifying a Trustworthiness Method for one status could lead to unexpected consequences for another status if this relationship is not defined, which leads to another classification:

Definition: A Trustworthiness Method is primary for a specific system status if it is originally designed for this location. A Trustworthiness Method is secondary for a specific system status if it is useful for this status but primary for another system status.
- 17 -
IIC Journal of Innovation