Buncefield Tank on Fire (Image Source: Royal Chiltern Air Support Unit)

Why sometimes simpler is better in safety engineering.

I just realised that I’ve used the term ‘design hypothesis’ throughout this blog without a clear definition of what one is. 🙂

So here it is.

A design hypothesis is a prediction that a specific design will result in a specific outcome. A design hypothesis must:

  1. Identify the design's provenance, e.g. the theory, practice or standards from which it is derived.
  2. Provide a concise description of the design.
  3. State what the design must achieve in a verifiable fashion.
  4. Clearly identify critical assumptions that support the hypothesis.

Note that the concept of a fault hypothesis can be seen as a particular and constrained form of design hypothesis: after Powell (1992), a fault hypothesis specifies, for fault-tolerant computing purposes, assumptions about the types of faults, the rate at which components fail and the ways in which components may fail. Those assumptions are the critical assumptions of the fault-tolerance design, and the design can only be trusted to the extent that they hold.

I give a short example of a design hypothesis in the Titanic Part I post.
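As an added worked example (not from the original post, and not code from Powell's paper), the following Python shows how the four elements above and a fault hypothesis in Powell's sense fit together for a triple-modular-redundant (TMR) sensor channel. The design's verifiable claim is a bound on the probability of mission failure; the fault hypothesis supplies the failure rate and failure mode the claim rests on; and Powell's assumption coverage, the probability that the fault hypothesis actually holds, is carried through to show how much of the claim survives when the assumptions are only nearly right. The failure rate, mission time, target and coverage figures are constructed for illustration.

```python
"""Design hypothesis for a TMR sensor channel, with its fault hypothesis
(after Powell 1992) made explicit and its verifiable claim checked.

Added illustration, not from the original post or Powell's paper.
All numerical values are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import exp, inf


@dataclass(frozen=True)
class FaultHypothesis:
    """Powell-style fault hypothesis: which faults are assumed, how often
    they occur, and how components are assumed to fail."""
    fault_types: tuple[str, ...]   # e.g. ("fail-silent",)
    failure_rate: float            # constant per-channel rate, failures per hour
    independent: bool              # channel failures assumed independent
    coverage: float                # P(assumptions hold): Powell's assumption coverage


@dataclass(frozen=True)
class DesignHypothesis:
    """The four elements: provenance, description, verifiable claim,
    critical assumptions (here, the fault hypothesis)."""
    provenance: str
    description: str
    mission_hours: float
    required_pfail_max: float      # verifiable claim: P(mission failure) <= this
    fault_hypothesis: FaultHypothesis
    critical_assumptions: tuple[str, ...]


def channel_reliability(rate: float, hours: float) -> float:
    """Exponential reliability of a single channel over the mission."""
    return exp(-rate * hours)


def tmr_failure_probability(rate: float, hours: float) -> float:
    """A 2-out-of-3 majority vote fails when two or more channels fail.
    This formula is only valid under the fault hypothesis: independent,
    fail-silent channel failures that the voter can out-vote."""
    r = channel_reliability(rate, hours)
    q = 1.0 - r
    return 3 * q**2 * r + q**3


def bounded_failure_probability(design: DesignHypothesis) -> float:
    """Powell's decomposition:
        P(fail) = P(fail | assumptions hold) * coverage
                + P(fail | assumptions violated) * (1 - coverage)
    When the fault hypothesis is violated (common-cause fault, a channel
    that lies rather than goes silent) TMR gives no guaranteed protection,
    so P(fail | violated) is conservatively taken as 1."""
    fh = design.fault_hypothesis
    p_ok = tmr_failure_probability(fh.failure_rate, design.mission_hours)
    return p_ok * fh.coverage + 1.0 * (1.0 - fh.coverage)


def claim_holds(design: DesignHypothesis) -> bool:
    """Does the verifiable claim survive once assumption coverage is included?"""
    return bounded_failure_probability(design) <= design.required_pfail_max


def required_coverage(design: DesignHypothesis) -> float:
    """Minimum assumption coverage at which the claim would still hold.
    A value above 1.0 means the claim cannot be met even if the fault
    hypothesis is exactly right."""
    fh = design.fault_hypothesis
    p_ok = tmr_failure_probability(fh.failure_rate, design.mission_hours)
    if p_ok >= 1.0:
        return inf
    return (1.0 - design.required_pfail_max) / (1.0 - p_ok)


def example_design(coverage: float) -> DesignHypothesis:
    """Constructed example: 2oo3 voted sensor channel, 100 h mission."""
    return DesignHypothesis(
        provenance="Classical TMR / 2oo3 voting (constructed example)",
        description="Three identical sensor channels feeding a majority voter",
        mission_hours=100.0,
        required_pfail_max=1e-3,
        fault_hypothesis=FaultHypothesis(
            fault_types=("fail-silent",),
            failure_rate=1e-4,
            independent=True,
            coverage=coverage,
        ),
        critical_assumptions=(
            "channel failures are independent (no common cause)",
            "a failed channel goes silent rather than reporting a wrong value",
            "the voter itself does not fail",
        ),
    )


if __name__ == "__main__":
    for c in (1.0, 0.999, 0.99):
        d = example_design(c)
        print(f"coverage={c:<6} P(fail)={bounded_failure_probability(d):.2e} "
              f"claim holds: {claim_holds(d)}")
    print(f"coverage needed for the claim: {required_coverage(example_design(1.0)):.5f}")
```

The point the numbers make: under the fault hypothesis the TMR design comfortably meets the 1e-3 target (about 3e-4), but a 1% chance that the fault hypothesis is wrong adds 1e-2 to the bound and the claim fails outright. The claim can only be sustained if the assumptions are better than about 99.93% covered, which is why the critical assumptions have to be stated and defended, not just listed.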


Powell, D., Failure mode assumptions and assumption coverage. In Proc. of the 22nd IEEE Annual International Symposium on Fault-Tolerant Computing (FTCS-22), pp. 386–395, Boston, USA, 1992.

In June 2011 the Australian Safety Critical Systems Association (ASCSA) published a short discussion paper on what they believed to be the philosophical principles necessary to successfully guide the development of a safety-critical system. The paper identified eight management and eight technical principles, but do these principles do justice to the purported purpose of the paper?

