
The Engineers of the Future Will Not Resemble the Engineers of the Past

Former Community Member
https://spectrum.ieee.org/view-from-the-valley/at-work/education/the-engineers-of-the-future-will-not-resemble-the-engineers-of-the-past


This is dated May 2017.


I think it's relevant internationally, even though engineering education and formation differ between countries.

I thought it would be good to share it in this forum.


Moshe W  BEET, MCGI, CEng MBCS, MIET


    Alasdair,

    Whilst you're undoubtedly right that the highest priority is to maintain safety, and that, as failure is not completely avoidable, safe failure has to be engineered, that is only part of the story. 


    Firstly, as Andy rightly points out, there's the paradox of monitoring for failure increasing the likelihood of failure with the follow-on consequences he describes.


    I know that, as a fellow railway engineer working with Safety Critical Systems, Andy will agree completely that things also have to be operable and reliable. Ultimately, every system has a customer of some kind, and the customer experience has to be a very close second to safety. To pursue your analogy of the fuse to protect against short circuit, it wouldn't be acceptable if the fuse blew too frequently, either because it was too low in value or because the connected device had a vulnerability that kept creating over-current conditions. The fuse needs to be the ultimate protection to ensure safety, but the connected device has to be so designed as to reduce, to an acceptable level, the likelihood of causing the fuse to blow.


    Moving that out to the railway scenario, most of us who use trains have experienced that gut wrenching moment when we are advised either that our desired train has been cancelled, or worse still that the train we're sat on is going to be stuck where we are for several hours, due to a signalling failure, or failure of the overhead power. Of course, we need to be glad that the system failed in a safe manner rather than allowing the train to move in an unsafe fashion, or present a person or persons to be exposed to the risk of electrocution, but we still have a right to expect that such incidents, and their consequences, are kept to a minimum. 


    As a railway telecommunications engineer, very little of what I am directly responsible for is defined as Safety Critical, as the critical safety layers are in the systems themselves, either the signalling system or the traction system. Exceptions are Public Address Systems used for evacuation purposes and train to signaller radio, though the latter only becomes a potential safety hazard if either the signalling system has failed, or has correctly stopped a movement that could have been unsafe. Also, if the comms links provided to carry SCADA operation for remote control of traction systems completely fail, this can delay the isolation of traction systems to prevent or curtail electrocution. For all of these, we have to achieve an acceptable level of reliability and availability, usually, through dual redundancy and diverse routing.


    However, other comms links for signalling have the potential for bringing the signalling system down completely. Yes, it will fail safely, but it will bring trains to a grinding halt. I can assure you that it would be completely unacceptable to Network Rail, let alone the train operators, if failures occurred because the comms links were not sufficiently reliable and available.


    Hence, it is definitely still a failure if functionality has been lost, albeit not as critical a failure as if safety is lost, and if functionality is lost too frequently, or there is an inherent vulnerability rendering a system liable to high risk of loss of functionality, then that is almost, but not quite, as unacceptable as the likelihood of unsafe failure. The task of the engineer is, as both you and Andy have said, to be aware of and acknowledge the likelihood of failure, whether it gives rise to loss of safety or functionality, but also to reduce the risk of both types of failure to a minimum, recognising those instances where there is a trade-off in risk to safety against risk to function, in which case, safety has to be the priority.


    Distinctions are made between safety critical systems and safety related systems, and also between absolute duties and "as low as reasonably practicable" duties for risk reduction/management, and the latter distinction is definitely related to the consequences to people, whether death, injury or merely inconvenience. Whilst the last is not covered by HASAW 1974 or subsidiary legislation, it is business critical and thus still of huge importance. Let's not forget that one of the delayed passengers could be somebody on their way to save life/lives, but let's not get embroiled in consequential loss!