IIC Journal of Innovation 9th Edition | Page 28

Trustworthiness in Industrial System Design
September 2018

An unexpected hardware error brings the system to the status of disruption. If the restore from the backup fails and the recovery of the data is too expensive or just not possible, the whole company may end in a disaster.

For example, a protection wall between fire-critical areas in a plant was originally introduced to prevent a small fire from spreading from one area to another, resulting in a large plant-wide fire. In the TSSM, such a protection wall would be defined as a Trustworthiness Resilience Method to defend the damaged status, preventing moving into the disastrous status. But this wall could also be used in the normal status as a Trustworthiness Safety Method, preventing dangerous air pollution from being transferred from one plant area to another. And, at the same time, act as a Trustworthiness Security Method in all statuses, preventing unauthorized people from moving from one plant area to another. All these additional Trustworthiness Methods are secondary.

CLASSIFICATION OF TRUSTWORTHINESS METHODS INSIDE TSSM

In general Trustworthiness Methods, primarily introduced for the normal status, are still valid in the other statuses and act there as secondary. This also answers the question of missing Trustworthiness Privacy Methods in the TSSM beyond the normal status: This does not mean that after any disruption all privacy protection is gone. Instead most Trustworthiness Privacy Methods introduced for the normal status continue to exist as secondary. However, it would be quite unusual to introduce a new primary Trustworthiness Privacy Method just for the disrupted status without purpose for the normal status.

The TSSM provides another classification of the Trustworthiness Methods: The location of the specific TSSM status:

- Primary Trustworthiness Reliability or Privacy Methods are designed and used around the normal status.
- Primary Trustworthiness Resilience Methods are designed and used in the time after the system has left the normal status.
- Primary Trustworthiness Safety or Security Methods can be designed and used in any status.

All these methods are primary (see definition in the section above): They were originally introduced to support trustworthiness at a specific TSSM status. Of course, they can also support any other TSSM status secondarily.

SUMMARY

Trustworthiness is not just an abstract term to better understand trust in industrial systems. It can also be practically used in designing such systems. By introducing Trustworthiness Methods with their different classification, it is easier for designers to understand h