Trustworthiness in Industrial System Design
An unexpected hardware error brings the system to the status of disruption. If the restore from the backup fails and the recovery of the data is too expensive or just not possible, the whole company may end in a disaster.
Classification of Trustworthiness Methods Inside TSSM

In general, Trustworthiness Methods primarily introduced for the normal status are still valid in the other statuses and act there as secondary. This also answers the question of the missing Trustworthiness Privacy Methods in the TSSM beyond the normal status: it does not mean that after any disruption all privacy protection is gone. Instead, most Trustworthiness Privacy Methods introduced for the normal status continue to exist as secondary. However, it would be quite unusual to introduce a new primary Trustworthiness Privacy Method just for the disrupted status without a purpose for the normal status.

The TSSM provides another classification of the Trustworthiness Methods, by the TSSM status in which they are located:

- Primary Trustworthiness Reliability or Privacy Methods are designed and used around the normal status.
- Primary Trustworthiness Resilience Methods are designed and used in the time after the system has left the normal status.
- Primary Trustworthiness Safety or Security Methods can be designed and used in any status.

All these methods are primary (see the definition in the section above): they were originally introduced to support trustworthiness at a specific TSSM status. Of course, they can also support any other TSSM status secondarily. For example, a protection wall between fire-critical areas in a plant was originally introduced to prevent a small fire from spreading from one area to another, resulting in a large plant-wide fire. In the TSSM, such a protection wall would be defined as a Trustworthiness Resilience Method to defend the damaged status, preventing a move into the disastrous status. But this wall could also be used in the normal status as a Trustworthiness Safety Method, preventing dangerous air pollution from being transferred from one plant area to another. At the same time, it can act as a Trustworthiness Security Method in all statuses, preventing unauthorized people from moving from one plant area to another. All these additional Trustworthiness Methods are secondary.
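To make the two classifications concrete, here is an added Python model (not code from the article) that encodes the placement rules above, rejects a method whose primary role sits in a status the TSSM does not allow for its kind, and derives which roles are primary and which are secondary in a given status. The protection wall is the example from the text; the four status names and the "log masking" privacy method are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
# Assumed status names; the text names normal, disrupted, damaged and disastrous.
Status = Enum("Status", "NORMAL DISRUPTED DAMAGED DISASTROUS")
Kind = Enum("Kind", "RELIABILITY PRIVACY RESILIENCE SAFETY SECURITY")
ALL_STATUSES = frozenset(Status)
NON_NORMAL = ALL_STATUSES - {Status.NORMAL}

def allowed_primary_statuses(kind):
    """Statuses in which a method of this kind may be primary, per the TSSM rules."""
    if kind in (Kind.RELIABILITY, Kind.PRIVACY):
        return frozenset({Status.NORMAL})        # designed around the normal status
    if kind is Kind.RESILIENCE:
        return NON_NORMAL                         # only after leaving the normal status
    return ALL_STATUSES                           # safety and security: any status

@dataclass(frozen=True)
class Role:
    kind: object
    statuses: frozenset
@dataclass(frozen=True)
class Method:
    name: str
    primary: Role           # the purpose the method was originally introduced for
    secondary: tuple = ()   # every additional use is secondary by definition

def validate(method):
    """Raise if the primary role sits in a status the TSSM forbids for its kind."""
    bad = method.primary.statuses - allowed_primary_statuses(method.primary.kind)
    if bad:
        names = sorted(s.name for s in bad)
        raise ValueError(f"{method.name}: {method.primary.kind.name} cannot be primary in {names}")

def roles_in_status(methods, status):
    """Split the roles active in `status` into (primary, secondary) lists of (name, kind)."""
    primary, secondary = [], []
    for m in methods:
        validate(m)
        if status in m.primary.statuses:
            primary.append((m.name, m.primary.kind.name))
        elif Status.NORMAL in m.primary.statuses:
            secondary.append((m.name, m.primary.kind.name))  # normal-status methods carry over as secondary
        for r in m.secondary:
            if status in r.statuses:
                secondary.append((m.name, r.kind.name))
    return primary, secondary
# Constructed catalogue: the protection wall from the text plus an assumed privacy method.
WALL = Method("protection wall", Role(Kind.RESILIENCE, frozenset({Status.DAMAGED})),
              (Role(Kind.SAFETY, frozenset({Status.NORMAL})), Role(Kind.SECURITY, ALL_STATUSES)))
LOG_MASKING = Method("log masking", Role(Kind.PRIVACY, frozenset({Status.NORMAL})))
```

In the damaged status the wall is primary as a Resilience Method while its Security role and the privacy method are secondary; in the normal status the privacy method is primary and both wall roles are secondary.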
September 2018
Summary

Trustworthiness is not just an abstract term to better understand trust in industrial systems. It can also be practically used in designing such systems. By introducing Trustworthiness Methods with their different classification, it is easier for designers to understand h