This paper examines conflicts that can arise in providing safety, security and reliability for large and complex high consequence systems. For most large systems the design approach is to divide—or parse—them up into numerous subsystems, each providing a separate function or product. But parsing promotes insularity, in that separate individuals or groups of individuals control resources for each subsystem. This insularity threatens the effective integration of the subsystems. We define conflicts as failures between designed-in interfaces (“interface failure”) and as unintentional sharing of information or energy (“subsystem interference”), and give examples of each. We propose solutions for two classes of high consequence systems: those highly evolved systems for which repeated failures are discouraged but accepted, and those for which not a single failure is acceptable. The five-step solution for the latter class includes the elements of requirements synthesis, theme-based strategy, principle-based implementation, systematic analysis, and recovery planning. The less rigorous solution for the former class is described in an accompanying paper as the DIAL process.