Trustworthiness in Industrial System Design
[Figure 5: Trustworthiness in normal system status receiving incidents. Labels in the figure: Threat targets system, Incident, challenges, Pool of Trustworthiness Methods (Security, Safety, Reliability, Privacy), succeed, fail, System status: Normal ("works"), Disruption, Defending methods, Stabilizing methods.]

A threat in general is not a problem in and of itself. For example, every electric motor has the principal threat of overheating and every internet access the threat of a hacker attack. But only if the threat actually reaches the system is it relevant. In this case the threat created an incident, as shown in Figure 5. Now Trustworthiness Mechanisms which are assigned to security and/or safety are trying to reject this incident. For example, a safety method reduces the speed of the overheated motor so it can cool down. Or the firewall in the router blocks the hacker attack as a security method. If protection is successful, the system status returns to normal. If the threat cannot be prevented – either because the Trustworthiness Mechanisms are not working as expected or because of an oversight in the design – the system status switches from normal to disrupted.

Disrupted Systems

A disrupted system is not necessarily a big problem. The Trustworthy System Status just defines this as a condition in which the system is outside the normal status and needs some individual handling to be brought back to normal. For example, an airplane engine flame-out situation would cause the captain to react by bringing the airplane to a lower altitude so he can try a windmill restart. After that maneuver the pilot needs to check the entire system, e.g., to find out why the engine flamed out, bring the airplane back to the original altitude and declare the problem as solved, and thus change the status back to normal. Figure 6 demonstrates this case: the pilot's action to bring the airplane to a lower altitude is a Trustworthiness Safety Method, reaching a safe status of disrupted. The windmill restart is a Trustworthiness Resilience Method.

[Figure 6: Trustworthiness in normal and disrupted system status. Labels in the figure: Threat targets system, Incident, challenges, Pool of Trustworthiness Methods (Security, Safety, Reliability, Privacy, Resilience), succeed, fail, System status: Normal ("works"), Disrupted ("problems"), Disruption, Damage, Defending methods, Stabilizing methods.]

If one of these methods fails, the disrupted status cannot be continued, and the system status moves to damaged (because now one of the engines cannot be
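To make the status transitions described above concrete, here is an added Python model (not part of the article or any IIC code) of the normal, disrupted and damaged states with defending and stabilizing methods; the engine-flame-out scenario, its method names and their outcomes are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

class Status(Enum):
    NORMAL = "normal"        # "works"
    DISRUPTED = "disrupted"  # "problems": needs individual handling
    DAMAGED = "damaged"

@dataclass
class Method:
    name: str
    area: str                       # security, safety, reliability, privacy or resilience
    handler: Callable[[str], bool]  # True when the method succeeds against the incident

@dataclass
class System:
    defending: list[Method]         # tried while the status is normal (Figure 5)
    stabilizing: list[Method]       # tried while the status is disrupted (Figure 6)
    status: Status = Status.NORMAL
    log: list[str] = field(default_factory=list)

    def _run(self, m: Method, incident: str) -> bool:
        ok = m.handler(incident)
        self.log.append(f"{m.area}:{m.name} -> {'succeed' if ok else 'fail'}")
        return ok

    def on_incident(self, incident: str) -> Status:
        # If no defending method rejects the incident, the status switches normal -> disrupted.
        assert self.status is Status.NORMAL, "defending methods apply in normal status"
        if not any(self._run(m, incident) for m in self.defending):
            self.status = Status.DISRUPTED
        return self.status

    def stabilize(self, incident: str) -> Status:
        # Every stabilizing method must succeed to return to normal; one failure -> damaged.
        assert self.status is Status.DISRUPTED, "stabilizing methods apply in disrupted status"
        for m in self.stabilizing:
            if not self._run(m, incident):
                self.status = Status.DAMAGED
                return self.status
        self.status = Status.NORMAL
        return self.status

def flame_out_scenario(restart_succeeds: bool) -> System:
    # Constructed airplane case: nothing rejects the flame-out, then the descent
    # (safety method) and the windmill restart (resilience method) are applied.
    system = System(
        defending=[Method("engine monitoring", "reliability", lambda i: i != "engine flame-out")],
        stabilizing=[Method("descend to lower altitude", "safety", lambda i: True),
                     Method("windmill restart", "resilience", lambda i: restart_succeeds)])
    system.on_incident("engine flame-out")
    system.stabilize("engine flame-out")
    return system
```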
- 19 -
IIC Journal of Innovation