Thursday, December 20, 2007

ALARP and software

At one level the ALARP principle seems like common sense, and would be expected to be broadly applicable. However, people have found difficulty in applying it to software (and in some other circumstances, e.g. ordnance and explosives). Why should this be?
There seem to be three related issues which make it difficult to apply the ALARP principle to software:
1. Most of the techniques we are interested in, e.g. rigorous testing, provide information about risk; they do not reduce risk (in this sense ALARP simply doesn’t apply);
2. Even if we assume that we will remove the faults we find by carrying out some analysis, we cannot predict in advance what those faults will be, so we cannot know the benefit of applying the technique beforehand; there is therefore no prior basis for judging whether or not application of the technique complies with ALARP;
3. Less obviously, there is an implicit assumption behind the ALARP principle that determining risk is cheap but reducing risk is expensive. This is not the case for software: finding the problems through testing, etc. is the expensive part of the process, and writing the code is only 5-10% of the cost.
