Well, as someone said, because it’s the worst of social media, combined with the worst of corporate culture and the worst of website design. Because dealing with it regularly is as interesting as cleaning out my sock drawer, and because the tone, like an endless Ritalin-fuelled Rotary meeting, is just plain unhealthy. The philosopher Kant once said that you should always treat human beings as ends in themselves, and never merely as the means to an end. Well, LinkedIn, for crimes against the categorical imperative alone you have to go…
Archives For Humour
A Trump presidency in the wings, who’d have thought! And what a total shock it was to all those pollsters, commentators and apparatchiks who are now trying to explain why they got it so wrong. All of which is a textbook example of what students of risk theory call a Black Swan event. Continue Reading…
More infernal statistics
Well, here we are again. Given recent developments in the infernal region it seems like a good time for another post. Have you ever, dear reader, been faced with the problem of how to achieve an unachievable safety target? Well worry no longer! Herewith is Screwtape’s patented man based mitigation medicine.
The first thing we do is introduce the concept of ‘mitigation’, ah what a beautiful word that is. You see it’s saying that it’s OK that your system doesn’t meet its safety target, because you can claim credit for the action of an external mitigator in the environment. Probability wise, if the probability of an accident is P_a then P_a equals the product of your system’s failure probability P_s and the probability that some external mitigation also fails, P_m, or P_a = P_s x P_m.
So let’s use operator intervention as our mitigator, lovely and vague. But how to come up with a low enough P_m? Easy, we just look at the accident rate that has occurred for this or a like system and assume that these were due to operator mitigation being unsuccessful. Voila, we get our really small numbers.
Now, an alert reader might point out that this is totally bogus and that P_m is actually the likelihood of operator failure given that the system has already failed. Operators failing, as those pestilential authors of the WASH-1400 study have pointed out, is actually quite likely. But I say, if your customer is so observant and on the ball then clearly you are not doing your job right. Try harder or I may eat your soul, yum yum.
Well hello there, it’s been a while hasn’t it?
In the absence of our good host I thought I’d just pop in and offer some advice on how to use statistics for requirements compliance. Now of course what I mean by requirements compliance is that ticklish situation where the customer has you over the proverbial barrel with an eye-gouger of a requirement. What to do, what to do. Well dear reader all is not lost, what one can do is subtly rework the requirement right in front of the customer without them even recognising it…
No! I hear you say, ‘how can this wonder be achieved Screwtape?’
Well it’s really quite simple, when one understands that requirements are to a greater or lesser extent ‘operationally’ defined by their method of verification. That means that just as requirements belong to the customer so too should the method one uses to demonstrate that you’ve met them. Now if you’re in luck the customer doesn’t realise this, so you propose adopting a statistical proof of compliance, throw in some weaselling about process variability, based on the median of a sample of tests. Using the median is important as it’s more resistant to outlier values, which is what we want to obfuscate (obviously). As the method of verification defines the requirement all of a sudden you’ve taken the customer’s deterministic requirement and turned it into a weaker probabilistic one. Even better you now have psychological control over half of the requirement, ah the beauty of psychological framing effects.
Now if you’ll excuse me, all this talk of statistics has reminded me that I have some souls to reap over at the Australian Bureau of Statistics*. Mmm, those statisticians, their souls are so dry and filled with tannin, just like a fine pinot noir.
Till the next time. Yours infernally,
*Downstairs senior management were not amused by having to fill out their name and then having a census checker turn up on their doorstep asking whether they were having a lend of the ABS.
Earlier this year the US Government declassified a WWII OSS field manual on sabotage. Now the Simple Sabotage Field Manual is not what you might think. No, it’s not a 101 on blowing up bridges, nor is it a cookbook for how to conduct Operation Kutschera, but rather it’s aimed at a lower-key sabotage of ordinary working practices inside the organisation. For example, using conferences and meetings to strategically delay decision making. Nobody gets killed, but that new Panzer design with the Porsche turret? Well, sorry Reichsmarschall, it’ll be buried in design committee until about 1948. Charlie Stross went onto Twitter asking for modern updates to the OSS manual; I’m not sure whether that exercise increased or decreased the net sum of human happiness, but hey, it was amusing.
Which got me to thinking, if you read the OSS manual and find that every working day seems like a textbook play courtesy of the boys from Prince William Park, then shouldn’t you logically conclude that you are sitting in the middle of a war? If you see folk in your organisation regularly using moves out of the OSS playbook they may not be just haplessly incompetent. If nothing else this should make you look at your daily fare of corporate hooey in a new light. So stay frosty people, and remember: three times is enemy action.
The 15 commandments of the god of the machine
Herewith, are the 15 commandments for thine safety critical software as spoken by the machine god unto his prophet Kopetz.
- Thou shalt regard the system safety case as thy tabernacle of safety and derive thine critical software failure modes and requirements from it.
- Thou shalt adopt a fundamentally safe architecture and define thy fault tolerance hypothesis as part of this. Even unto the definition of fault containment regions, their modes of failure and likelihood.
- Thine fault tolerance shall include start-up, operating and shutdown states.
- Thine system shall be partitioned to ‘divide and conquer’ the design. Yea, such partitioning shall include the precise specification of component interfaces by time and value such that all manner of men shall comprehend them.
- Thine project team shall develop a consistent model of time and state for even unto the concept of states and fault recovery by voting is the definition of time important.
- Yea even though thou hast selected a safety architecture pleasing to the lord, yet it is but a house built upon the sand, if no ‘programming in the small’ error detection and fault recovery is provided.
- Thou shalt ensure that errors are contained and do not propagate through the system, for an error idly propagated to a service interface is displeasing to the lord god of safety and invalidates your righteous claims of independence.
- Thou shall ensure independent channels and components do not have common mode failures for it is said that homogenous redundant channels protect only from random hardware failures neither from the common external cause such as EMI or power loss, nor from the common software design fault.
- Thine voting software shall follow the self-confidence principle for it is said that if the self-confidence principle is observed then a correct FCR will always make the correct decision under the assumption of a single faulty FCR, and only a faulty FCR will make false decisions.
- Thou shall hide and separate thy fault-tolerance mechanisms so that they do not introduce fear, doubt and further design errors unto the developers of the application code.
- Thou shalt design your system for diagnosis, for it is said that even a righteously designed fault tolerant system may hide such faults from view whereas thy system’s maintainers must replace the affected LRU.
- Thine interfaces shall be helpful and forgive the operator his errors neither shall thine system dump the problem in the operators lap without prior warning of impending doom.
- Thine software shall record every single anomaly, for your lord god requires that every anomaly observed during operation must be investigated until a root cause is defined.
- Thou shalt mitigate further hazards introduced by your design decisions, for better it is that you not program in C++, yet still is it righteous to prevent the dangling of thine pointers and memory leaks.
- Thou shalt develop a consistent fault recovery strategy such that even in the face of violations of your fault hypothesis thine system shall restart and never give up.
Dispatches from the cyber-front
Interesting episode on the ABC’s Four Corners program this Monday that discloses more about the ongoing attacks against government computer networks. Four Corners sources confirmed that, as I predicted at the time, the Bureau of Meteorology infiltration was a beachhead operation to allow further attacks on higher value government targets (such as the Australian Geospatial-Intelligence Organisation and Intelligence/Surveillance assets such as the JORN system). OK, smug mode off. Continue Reading…
Yep, my annual teaching gig at UNSW’s Canberra campus is coming up, from July 18th to 22nd inclusive, to be precise. A one week intensive, no holds barred tour de force of system safety, and amazingly we still have a few seats left. Yes, you too can be thrilled, awed and amused by my pedagogical skills, and if you’re still interested in catching a show then check out the reviews.
Of course as this is the 21st century you can also peruse the online course material here, but hey if you want to listen to me, you need to pay. Sarcasm as always is free. 🙂
Safety cases and that room full of monkeys
Back in 1943, the French mathematician Émile Borel published a book titled Les probabilités et la vie, in which he stated what has come to be called Borel’s law which can be paraphrased as, “Events with a sufficiently small probability never occur.” Continue Reading…
How to deal with those pesky high risks without even trying
One of my clients recently came to me with what seemed to be an insurmountable problem in getting his facility accepted despite the presence of an unacceptably high risk of a catastrophic accident. The regulator, not happy, likewise all those mothers with placards outside his office every morning. Most upsetting. Not a problem said I, let me introduce you to the Screwtape LLC patented cut and come again risk refactoring strategy. Please forgive me now dear reader for without further ado we must do some math.
Risk is defined as the loss times the probability of loss, or R = L x P (1), which is the reverse of expectation. Now interestingly, if we have a set of individual risks we can add them together to get the total risk; for our facility we might say that total risk is R_f = (R_1 + R_2 + R_3 … + R_n). ‘So what Screwtape, this will not pacify those angry mothers!’ I hear you say? Ahh, now bear with me as I show you how we can hide, err I mean refactor, our unacceptable risk in plain view. Let us also posit that we have a number of systems S_1, S_2, S_3 and so on in our facility… Well, instead of looking at the total facility risk, let’s go down inside our facility and look at risks at the system level. Given that the probability of each subsystem causing an accident is (by definition) much less, why then, per system, the risk must also be less! If you don’t get an acceptable risk at the system level then go down to the subsystem, or equipment level.
The fin de coup is to present this ensemble of subsystem risks as a voluminous and comprehensive list (2), thereby convincing everyone of the earnestness of your endeavours, but omit any consideration of ensemble risk (3). Of course one should be scrupulously careful that the numbers add up, even though you don’t present them. After all, there’s no point in getting caught stealing a penny while engaged in purloining the Bank of England! For extra points we can utilise subjective measures of risk rather than numeric, thereby obfuscating the proceedings further.
Needless to say my client went away a happy man, the facility was built and the total risk of operation was hidden right there in plain sight… ah how I love the remorseless bloody hand of progress.
1. Where R = Risk, L = Loss, and P = Probability, after De Moivre. I believe Screwtape keeps De Moivre’s heart in a jar on his desk. (Ed.).
2. The technical term for this is a Preliminary Hazard Analysis.
3. Screwtape omitted to note that total risk remains the same, all we’ve done is budgeted it out across an ensemble of subsystems, i.e. R_f = R_s1 + R_s2 + R_s3 (Ed.).
Memes, media and drug dealers
In honour of our Prime Minister’s use of the drug dealer’s argument to justify (at least to himself) why it’s OK for Australia to continue to sell coal, when we know we really have to stop, here’s an update of a piece I wrote on the role of the media in propagating denialist memes. Enjoy, there’s even a public health tip at the end.
Ladies and gentlemen you need to leave, like leave your luggage!
This has been another moment of aircraft evacuation Zen.
How to make rocket landings a bit
No one should underestimate how difficult landing a booster rocket is, let alone onto a robot barge that’s sitting in the ocean. The booster has to decelerate to a landing speed on a hatful of fuel, then maintain a fixed orientation to the deck while it descends, all the while counteracting the dynamic effects of a tall thin flexible airframe, fuel slosh, c of g changes, wind and finally landing gear bounce when you do hit. It’s enough to make an autopilot cry. Continue Reading…
A short (and possibly evil) treatise on SILs from our guest blogger
May I introduce myself?
The name’s Screwtape, some of you might have heard of me from that short and nasty book by C.S. Lewis. All lies of course, and I would know, about lies that is… baboom tish! Anyway the world has moved on and I’m sure that you’d be completely unsurprised to hear that I’ve branched out into software consulting now. I do find the software industry one that is oh so over-ripe for the plucking of immortal souls, ah but I digress. Your good host has asked me here today to render a few words on the question of risk based safety integrity levels and how to turn such pesky ideals, akin in many ways to those other notions of Christian virtue, to your own ends. Continue Reading…
Practical risk management, or why I love living in Australia
We’re into the ninth day of closed beaches here with two large great whites spotted ‘patrolling our shores’, whatever that means. Of course in Australia closed doesn’t actually mean the beaches are padlocked, not yet anyway. We just put a sign up and people can make their own minds up as to whether they wish to run the risk of being bitten. In my books a sensible approach to the issue, one that balances societal responsibility with personal freedom. I mean, it’s not like they’re as dangerous as bicycles. Continue Reading…
A short digression on who vs whom, neatly illustrating why writing requirements in natural English can be so damn difficult… I also love the idea of spider fastballs 🙂
Engineers build castles in the air and operators live in them. But nature is the one who always collects the rent…
Well, if news from the G20 is anything to go by we may be on the verge of a seismic shift in how the challenge of climate change is treated. Our Prime Minister’s denial notwithstanding 🙂
I realise that you are not directly responsible for the repeal of the carbon tax by the current government, and I also realise that we the voting public need to man up and shoulder the responsibility for the government and their actions. I even appreciate that if you did wish to retain the carbon tax as a green surcharge, the current government would undoubtedly act to force your hand.
But really, I have to draw the line at your latest correspondence. Simply stamping the latest bill with “SAVINGS FROM REMOVING THE CARBON TAX” scarcely does the benefits of this legislative windfall justice. You have, I fear, entirely undersold the comprehensive social, moral and economic benefits that accrue through the return of this saving to your customers. I submit therefore for your corporate attention some alternative slogans:
- “Savings from removing the carbon tax…you’ll pay for it later”
- “Savings from removing the carbon tax…buy a bigger air conditioner, you’ll need it”
- “Savings from removing the carbon tax…we also have a unique coal seam investment opportunity”
- “Savings from removing the carbon tax, invest in climate change!”
- “Savings from removing the carbon tax, look up the word ‘venal’, yep that’s you”
- “Savings from removing the carbon tax, because a bigger flatscreen TV is worth your children’s future”
- “Savings from removing the carbon tax, disinvesting in the future”
So be brave and take advantage of this singular opportunity to fully invest your corporate reputation in the truly wonderful outcomes of this prescient and clear sighted decision by our federal government.
Just received a text from my gas and electricity supplier. Good news! My gas and electricity bills will come down by about 4 and 8% respectively due to the repeal of the carbon tax in Australia. Of course we had to doom the planetary ecosystem and condemn our children to runaway climate change but hey, think of the $550 we get back per year. And, how can it get any better, now we’re also seen as a nation of environmental wreckers. I think I’ll go and invest the money in that AGL Hunter coal seam gas project, y’know, thinking global, acting local. Thanks Prime Minister Abbott, thanks!
The quote below is from the eminent British scientist Lord Kelvin, who also pronounced that x-rays were a hoax, that heavier than air flying machines would never catch on and that radio had no future…
I often say that when you can measure what you are speaking about, and express it in numbers, then you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever that may be.
Lord Kelvin, 1891
I’d turn that statement about and remark that once you have a number in your grasp, your problems have only just started. And that numbers shorn of context are a meagre and entirely unsatisfactory way of expressing our understanding of the world.
When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
Arthur C. Clarke, Profiles of the Future (1962)
I often think that Arthur C. Clarke penned his famous laws in direct juxtaposition to the dogmatic statements of Lord Kelvin. It’s nice to think so anyway. 🙂
For those of you in northern climes, here’s some tips on safer summer reading, and for once I have nothing to add. 🙂
The DEF STAN 00-55 monster is back!!
That’s right, moves are afoot to reboot the cancelled UK MOD standard for software safety, DEF STAN 00-55. See the UK SCSC’s Event Diary for an opportunity to meet and greet the writers. They’ll have the standard up for an initial look on-line sometime in July as well, so stay posted.
Yep, here I am in Canberra teaching for a week at ADFA. Though right at the moment I’ve been gazumped by RADM Uzzel. 🙂
An accidental mascot for an accident
Entirely by accident the above mascot for a Japanese fridge manufacturer has become the ‘unofficial’ mascot for the Fukushima Daiichi site, after a few people noticed the inadvertently hilarious English name. Which all seems strangely appropriate, though a crack in the egg would have made it perfect… 🙂
My thanks to John Downer for the link.
So now I’m a chartered professional engineer! Which according to Engineers Australia means that I’m certified to practice in a competent, independent and ethical manner; and indicates that I’m a leader in my field. 🙂
From Les Hatton, here’s how, in four easy steps:
- Insist on using R = F x C in your assessment. This will panic HR (People go into HR to avoid nasty things like multiplication.)
- Put “end of universe” as risk number 1 (Rationale: R = F x C. Since the end of the universe has an infinite consequence C, then no matter how small the frequency F, the Risk is also infinite)
- Ignore all other risks as insignificant
- Wait for call from HR…
A humorous note, amongst many, in an excellent presentation on the fell effect that bureaucracies can have upon the development of safety critical systems. I would add my own small corollary that when you see warning notes on microwaves and hot water services the risk assessment lunatics have taken over the asylum…
Provided as part of the QR show bag for the CORE 2012 conference. The irony of a detachable cab being completely unintentional…
The ‘Oh #%*!’ moment captured above definitely qualifies for the vigorous application of the rule that when the fire’s too hot, the water’s too deep or the smoke’s too thick, leave. 🙂
But in fact in this incident the pilot actually had to convince the navigator that he needed to leave ‘right now!’. The navigator, it turned out, was so fixated on shutting down the aircraft’s avionics system he didn’t realise how bad things were, nor recognise that immediate evacuation was the correct response.
The UK Track Operatives Strategic Safety Action Statement for 2009-2011 is now available here. They don’t get much better than this 🙂
Sometimes just doing ‘bloody nothing’ in response to a ‘near miss’ event is the appropriate response. Continue Reading…
After an interminable discussion with some engineering colleagues as to what the expectation of a design team should be when they saw the word ‘preliminary’, I got fed up and stomped back to my workstation to nail this particular issue to the floor. Continue Reading…
Information theory and Twitter
Having observed the behaviour of the twitterverse for some time now I propose the following general law of twitter and information value:
The number of twitters on any given subject is inversely proportional to the number of known facts taken to some power.
Just thought you’d like to know. 🙂
This railway crossing near miss due to a driver ‘racing the devil’ is, on the face of it, a classic example of the perversity of human behaviour. But on closer examination it does illustrate the risk we introduce when transitioning from a regime of approved operational procedures to those that have been merely accepted or tolerated. Continue Reading…