Trustworthiness in Industrial System Design
SYSTEMATIC USAGE OF TSSM INTO THE SYSTEM DESIGN

EXAMPLES OF TSSM USAGE

The TSSM graphic can be used as a schema to plan systems and also to describe expected or unexpected status changes around the Trustworthiness System Status. Figure 8 shows the empty schema: with any anticipated or unexpected status change, the methods to defend or stabilize (see Figure 7) can be entered with their succeeded or failed arrows, the latter crossing one of the dotted lines from up to down. Restart or repair methods can also be drawn as arrows, crossing one or more lines from down to up.
Figure 9 shows an example of the TSSM planning table with a well-known IT problem: hard disks are not reliable, so we simulate the threat "Hard disk may break". Within the normal system status this is addressed by a RAID 1/5/10 system⁵, frequent checking of the disks, replacing the damaged disks and doing frequent backups in parallel.
[Figure 9, planning table: Status on the vertical axis (Normal down to Downfall), Time on the horizontal axis]

Threat: Computer hard disk may break

Normal:
  use RAID-1/5/10 [rl]; check disks [rl]; replace broken disks [rl]; make frequent backups [rl]

Disruption -> Disrupted (RAID fails: overheated disk destroys neighbor disk):
  replace broken disks [rs]; restore data from backup [rs]
  restore works: back to normal

Damage -> Damaged (data backup damaged: cannot be restored):
  re-create data manually [rs]
  re-creation works: back to normal

Disaster -> Disastrous (re-creation too expensive or not possible):
  disaster plan available [rs] ("close department, other businesses stay")
  disaster plan works: back to normal

Downfall (disaster plan does not work or data loss too high):
  shut down company

Legend: [sf]=safety, [sc]=security, [rl]=reliability, [rs]=resilience, [pv]=privacy

Figure 9: Usage of TSSM planning table to address an IT problem
⁵ RAID systems: https://en.wikipedia.org/wiki/RAID
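The following is an added example and not code from the paper or from the IIC: the hard-disk planning table of Figure 9 written down as a small state model in Python. Statuses are ordered from best to worst; the threat moves the system one line down, a repair method that succeeds draws the arrow back up to Normal, and one that fails crosses the next dotted line downward. The names PlanRow, run_scenario, validate_plan and aspect_coverage are my own, not TSSM terminology, and the validation rules (every degraded status needs a recorded event and a resilience [rs] method) are my reading of the table, not rules the paper states.

```python
"""TSSM planning table as a state model (added example, not from the paper)."""
from dataclasses import dataclass, field

# Status levels of Figure 9, best first; the last one is terminal.
STATUSES = ["Normal", "Disrupted", "Damaged", "Disastrous", "Downfall"]


@dataclass
class PlanRow:
    status: str
    event: str                                   # failure leading INTO this status ("" for Normal)
    methods: dict = field(default_factory=dict)  # method name -> aspect tag from the legend


# Transcription of the Figure 9 table (hypothetical plan data, taken from the figure text).
DISK_PLAN = [
    PlanRow("Normal", "",
            {"use RAID-1/5/10": "rl", "check disks": "rl",
             "replace broken disks": "rl", "make frequent backups": "rl"}),
    PlanRow("Disrupted", "RAID fails (overheated disk destroys neighbor disk)",
            {"replace broken disks": "rs", "restore data from backup": "rs"}),
    PlanRow("Damaged", "data backup damaged: cannot be restored",
            {"re-create data manually": "rs"}),
    PlanRow("Disastrous", "re-creation too expensive or not possible",
            {"disaster plan (close department, other businesses stay)": "rs"}),
    PlanRow("Downfall", "disaster plan does not work or data loss too high", {}),
]


def validate_plan(plan):
    """Return a list of planning gaps; an empty list means the table is complete.

    Checks (my own, not the paper's): the table starts at Normal, every degraded
    status records the event that leads into it, every non-terminal status has at
    least one method, and every degraded non-terminal status has a resilience [rs]
    method, i.e. an arrow that can lead back up.
    """
    problems = []
    if not plan or plan[0].status != STATUSES[0]:
        problems.append("plan must start with the Normal status")
    for row in plan[1:]:
        if not row.event:
            problems.append(f"{row.status}: no triggering event recorded")
    for row in plan[:-1]:
        if not row.methods:
            problems.append(f"{row.status}: no method planned")
    for row in plan[1:-1]:
        if "rs" not in row.methods.values():
            problems.append(f"{row.status}: no resilience [rs] method to recover from here")
    return problems


def aspect_coverage(plan):
    """Count planned methods per trustworthiness aspect tag (legend of Figure 9)."""
    counts = {}
    for row in plan:
        for tag in row.methods.values():
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def run_scenario(plan, outcomes):
    """Walk the status path for one occurrence of the threat.

    The threat always moves the system from Normal to the first degraded status.
    Each entry of `outcomes` is the result of that status's repair method:
    True  -> method succeeded, arrow back up to Normal (path ends there);
    False -> method failed, arrow one dotted line down.
    The last status is terminal: once reached, no further outcome is consumed.
    Returns the list of statuses visited, in order.
    """
    path = [plan[0].status, plan[1].status]
    index, last = 1, len(plan) - 1
    for succeeded in outcomes:
        if index == last:          # terminal status reached, nothing left to try
            break
        if succeeded:
            path.append(plan[0].status)
            return path
        index += 1
        path.append(plan[index].status)
    return path


if __name__ == "__main__":
    print("gaps:", validate_plan(DISK_PLAN) or "none")
    print("methods per aspect:", aspect_coverage(DISK_PLAN))
    print("restore works:", " -> ".join(run_scenario(DISK_PLAN, [True])))
    print("backup damaged, re-creation works:", " -> ".join(run_scenario(DISK_PLAN, [False, True])))
    print("everything fails:", " -> ".join(run_scenario(DISK_PLAN, [False, False, False])))
```

Running the script prints the status paths of the three cases drawn in Figure 9 (restore works; backup damaged but manual re-creation works; everything fails down to Downfall). The validation function is the useful part for a planning session: removing the only [rs] method from a degraded row immediately reports that status as one the system cannot climb back out of.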
IIC Journal of Innovation