Engineering Discussions of Discussions: The York List after 15 Years

The archives of the University of York Safety-Critical Systems Mailing List start on 19 May, 1995, 15 years ago.

I took a look at some of the older archives, up until December 2001, and remembered many names of former avid contributors. Two notable regulars, Peter Mellor and Peter Amey, no longer contribute because they are no longer. I miss them and their contributions, public and private. I followed Peter A’s cancer blog assiduously, and sadly, and hope it will remain a record of a singular life and an inspiration and comfort to others in that predicament.

Numbers in what follows are approximate. I hope I haven’t forgotten people.

In 1995 there were 77 messages. Those still contributing in 2009, fifteen years later: Martyn Thomas, myself, Nancy Leveson, Brian Wichmann, John McDermid (twice) and Chris Johnson (thrice).

In 1996, 144 messages. Tim Kelly, Tom Anderson and Peter Bishop are 2009 contributors who started then.

In 1997, 213 messages. Add Tony Foord, Mike Holloway, Jon Hind.

In 1998, 396 messages. Add Mark Bowell, Stuart Palin, Felix Redmill, Jens Braband, Andy Ashworth and Barrie Reynolds.

In 1999, 250 messages. Add Gerard Le Lann, Bill Black, Dewi Daniels.

In 2000, 655 messages. Add John Spriggs, David Tombs, Bev Littlewood, Rolf Spiker, Bertrand Ricque, Rod Chapman, Mike Ellims. This year is also when the late Peter Amey joined in.

Up to this point, the list was moderated by Jonathan Moffett. In 2001, Tim Kelly took over. With the exception of a blip in December 2001 (see below), moderation policy has been «hands-off», and the charter never invoked, on a list with hundreds of contributors and many more non-contributing readers.

In 2001, there were 755 messages. Add Olof (Olle) Bridal, Eric Scharpf, Des Nutt, Dock Allen, Robin Cook, Francois Taiani, Andy Farnsworth, David Crocker.

Some more numbers: 2002, 689 messages; 2003, 651 messages; 2004, 853 messages; 2005, 418 messages; 2006, 639 messages; 2007, 723 messages; 2008, 483 messages.

In 2009, there were 1,131 messages, from 177 contributors. 36 of those contributors had first contributed to the list between 1995 and 2001. Amongst 2009 contributors, Martyn, Nancy and myself were still prominent, joined by mid-timers Bertrand Ricque and Thierry Coq, and later-comers Paul Cleary, Nicholas Lusty, Jeff Payne and Chris Hills.

From December 1st-15th, 2009, there were 31 people contributing 231 messages! Then came a topic on «Civility in Discourse», introduced by a young researcher on the York faculty, Andrew Rae. His thread enticed 34 people (21 of them only for this thread) for 80 comments over three days, 15-17th December, by any measure a success. And then stopped. From 17th – 31st December there were only 64 messages, a quarter of the total in the first half of the month.

In January 2010, there were 32 messages from 19 people, 10 of whom had not contributed in December.

In February 2010, there were 36 messages from 22 people, 13 of whom had not contributed in December 2009 or January 2010.

In March 2010, there were 33 messages from 17 people, 6 of them who had not contributed in December, January or February.

So what happened here in 2009, to generate so much interest, followed by a comparative drought?

Here follows a personal account.

From about the middle of the year, Martyn Thomas and I made a concerted attempt to engage committee members and opinionators on the international E/E/PE Functional Safety standard IEC 61508 in, as we see them, the significant (according to Martyn, dangerous) failings of the standard concerning software development and assessment. International Committee members Bill Black, Rolf Spiker, and Bertrand Ricque engaged, as did others who consult on and work with the standard. The debate was intense and, as Martyn would say, robust. Some of it was off-line – Rolf asked me for an opinion on a proposed Appendix to the new version of the standard, and I referred him to Bev Littlewood, who is the leading authority on the techniques therein, for a three-way discussion. Bertrand Ricque circulated a polemical note of mine to members of the International Committee on the SW part of IEC 61508, and a discussion started amongst various of us in private. I was invited by the Chairman of the German national committee responsible for involvment in IEC 61508, DKE Committee GK 914, to air my concerns and make constructive proposals for development of the SW standard (IEC 61508 Part 3) which work is ongoing. I met Bertrand Ricque in Paris in December to talk about the issues, and I imagine we shall meet again soon.

So robust discussion on the York list initiated various consequential actions amongst people and groups responsible for a major international standard (indeed, I understand it is the IEC’s best-selling standard). That must be a Good Thing, indeed what many mailing-list maintainers dream about. And indeed it is one reason that I valued the York list highly. Martyn does also, I believe. (Nancy opines that the things which are most important do not admit of effective discussion on email lists. Of the other two founding members who still contributed in 2009, Chris Johnson indicates it to his students «for amusement», and John McDermid has mostly moved on to what he regards as more consequential activities.)

But that doesn’t suit everyone. Andrew Rae was disturbed by what he regarded as incivility, hence his thread. He opined that one should not use words such as «nonsense» and «silly» in «professional» discussion. Nonsense, some of us said, how silly! Sometimes people say silly things, such as a suggestion one should not say «silly» – now that does sound a bit nonsensical, doesn’t it? Andrew singled me out as a – the – malfeasant, and conducted an on-line «poll» on verbal comportment, in whose informal results I was singled out for anonymous collective disapproval.

Andrew’s thread was a hit! 34 contributors in three days and three times that many subscribing to the anonymous poll. I wonder that opinions about writing style are seen more worthy of technical support such as on-line polls than are substantial matters and disagreements in system safety, which is what the list is supposedly about. For these are literally matters of life and death, whereas opining that a view is «silly» or «nonsense» is not. Think of a poll, say, on what people think of the SW Part 3 of IEC 61508, particularly in view of the strenuous, and to my mind inappropriate, constraints on commentary on the standard imposed by the IEC.

Whatever. It seems, at least in the short term, that the days of robust discussion are over. Because it tolerated robust discussion, the list was a public source of information on topics which do not otherwise occur in the open literature, such as the appropriate application of IEC 61508.

The issue raised by Andrew’s thread is whether one can regulate language so that no words with socially perjorative or negative connotations are used – I take it there is nothing “wrong” with positive connotations – but substantial debate is still possible. I don’t think so, many of the colleagues whom I rate most highly don’t think so, and as far as I can tell most of my linguist and philosophical colleagues don’t think so either. It disturbs me that a number of engineers, who cannot as a class be regarded in any way as expert on the subject, somehow think it is, without consulting linguistic or argument-theoretic expertise on the matter.

And such expertise is to my mind sorely needed. There is a standard saying amongst computer scientists – for all I know, engineers in general – that, when one writes a paper, one says first what one is going to say, then one says it, then one says what one has said. One of the results of that is that I frequently get papers to review, say of about 14 pages, which have two to three pages of real content. Believe me, it is not only the trees that suffer! I much prefer the style of, say, John Searle or David Lewis, philosophers known for their succinct style, who say things just once, and in the right order – during their lifetime, as far as they can manage it. Writing styles differ, sometimes considerably. A style is a writing tool. It is somehow odd to see engineers thereby arguing for fewer tools by restricting writing style.

It is true that there is in many engineering-society codes of conduct a clause requiring that members not criticise other members of their profession in public. I guess it may be reasonable to require members not to insult other members in public, for insults serve largely political or social purposes. But suppressing criticism, an activity in which one subjects engineering behavior to scrutiny and pronounces judgement on it, thereby suppresses necessary debate on contentious technical matters, of which in computer-related safety there are very many. And the behavior can hardly be separated from the actor, the individual engineer or engineers who engaged in that behavior. The recent Haddon-Cave report on the Nimrod was praised for «naming names», by which was meant saying who was responsible for, inter alia, the regrettable history of safety cases which accompanied the structural modifications for air-to-air refuelling. Now, it was other engineers who showed Haddon-Cave what was wrong with those safety cases. Does it become OK if you, as an engineer, rather than going public with your misgivings in violation of your code of conduct, tell your story to a third person, a lawyer, who then goes public with it? When engineers are accused in a French court, as they are at the moment in the Concorde trial, of inappropriately fitting a titanium strip to a Continental Airlines engine cowling, when an aluminum strip is specified, then the debate, which is open, is about whether they may have or should not have, and is conducted, we would hope, under the direction of the judge primarily by engineers and not lawyers. And some of those engineers would thereby be theoretically violating professional codes of conduct. What happens, practically, is that «we» agree not to apply that code in such cases. But that means that someone judges when it is appropriate to apply a code and when not, and when such selective application takes place it raises the question of who selects and for what purposes, and the question then becomes not one of professional ethics but one of politics. Indeed, the basis of most criticism of such clauses in professional codes of conduct is that historically they have served primarily political ends.

Oh, I almost forgot about December 2001. That was when I got thrown off the list for my conduct of a discussion on rhetoric and its uses for safety argumentation, which started with a note of mine on 24th October, which elicited all sorts of interesting opinions and discussion, which one can read in the archive (best go to «thread view» and look at threads with the occurrence of the word «Rhetoric» in the label). Some correspondents had little patience for that style of discussion, and complained to the York department chairman, Alan Burns, who removed me from the list, indeed removed the list for some days. He repented, after being approached on one side by friends of his who suggested my contributions were valuable, and on the other by me with the argument that the list had a charter, which I had not broken, and if certain styles of discussion were to be proscribed then it should be explicitly in the charter, that being what charters are for. Alan agreed, the charter was modified, and I was reinstated.

Both these incidents have to do with argumentation and its forms. There is an academic discipline – maybe even set of disciplines – entirely concerned with argumentation (actual argumentation, and its actual as well as wished-for properties). It is often called Argumentation Theory and may be traced back to Steven Toulmin’s 1958 book The Uses of Argument. I don’t have a lot of interest in much of the work in the field, but I have recently found the work on Argumentation Schemes by Walton, Reed and Macagno both useful and very readable. A related discipline, even the same one, is called Informal Logic, and there is a readable and helpful entry on Informal Logic by Leo Groarke in the on-line Stanford Encyclopedia of Philosophy, which by the way is an astonishing and wonderful resource for all matters philosophical.

My own technical favorite in the field is an article by the UCLA philosopher Terence Parsons, What Is An Argument?.

In the engineering of safety-critical systems, a lot rests – indeed must rest, according to various civil and military standards – on arguments for the truth of certain assertions: that a particular component or subsystem will not fail catastrophically more than once in one billion operational hours, for example. These arguments are not decisive, by any of the criteria known to logic, but they are rated as better or worse, as adequate or inadequate, by regulators and clients. For example, «proven in use»: you have a component which has been installed on aircraft and run operationally for, say, one million flight hours, and has never failed. What is the worth of the argument to the conclusion that it will not fail catastrophically in one billion flight hours? Not very good, you might think. What if is has run for 60 million flight hours? Is it better? But then you learn that the software which governs the behavior of the component has changed versions every six months: that is, the SW has been modified and reinstalled. So is that the same kit, or a variety of different kit, that has operated for 60 million hours? If you think that history allows it to count as the same kit, do you say that because you think that the latest version of the software is in some sense «more reliable» than previous versions? Many SW engineers would think: «new version; expect new bugs». Then, what counts as a «bug», and what a «feature» to be addressed by operator behavior? Despite such issues, which are far from being resolved, the moniker «proven in use» for an argument type is officially sanctioned by, for example, the international standard on E/E/PE Functional Safety, IEC 61508.

And of course when things go wrong, compensation claims come to court, and in that venue come yet more styles of argument into play.

Despite the central role played by argument in the development of safety-critical software-based systems, in the education of most engineers working in the field there is not one course on argument (only philosophy students must generally take compulsory courses in logic, either formal or informal or both). Many of the arguments used in safety-critical systems engineering are statistical or probabilistic, and there is often a compulsory course on the basics of probability and statistics in most engineering curricula. However, the probabilistic and statistical arguments used in safety cases are not necessarily routine, formulaic arguments such as those which social scientists might use, but are often special (even specious) – let us call them «bespoke». Generating bespoke arguments requires an understanding of fundamentals, but there is no compulsory course on the foundations of probabilistic or inductive argumentation (based, say, on Ian Hacking’s wonderful book An Introduction to Probability and Inductive Logic) in any engineering curriculum of which I am aware; nor courses on discursive argument – or indeed on writing. Engineers, not necessarily the people picked out by their high-school teachers for their talents in argumentation and writing (those would likely be students who later went on to study philosophy, law and literature), are apparently supposed to pick all this up by osmosis.

What is picked up by osmosis is very variable amongst cultures. Not only that, but in my experience argument forms regarded as persuasive vary considerably between cultures. I spent about the first twenty years of my life in the UK, the next almost-twenty in California, and have been fifteen years in Bielefeld, Germany, with some time in between working in German, Swiss, Scottish and French universities and research institutions. So I do have some experience of the differences in what is regarded as persuasive in discussion, and of the consequences of those differences for social and political organisation. They are sometimes enormous.

In 2001, Martyn suggested to me that a small change in writing style would be beneficial. The issue revolves around how one refers in writing to a view which one does not support, as well as the person who proposed it. I used to write things such as «X said M, and this just can’t be right». Now, I explicitly separate person and view: «X expressed the view M. Let’s look at M. I don’t think M can be defended». To me, the change in content of these two styles is minimal or zero, and I regard the second as lengthier than the first. To some others, the first represents something more like a personal insult, and so the second is the most succinct acceptable form. So I have done that now for almost a decade, in various fora, and reaped the social benefits of so doing, as Martyn correctly surmised. (However, you can’t please everyone. Here is Chris Hills reacting to a summary essay I wrote of an argument sequence occurring in the list during 4-10 September 2009, with a claim that it – he means my behavior in compiling it – is “unethical”.)

Almost exactly nine years later it’s dejà vu all over again. This time around I’m happy to be the bogeyman, or Sündenbock as we say here, for, as my neighbors here in Germany know, every social organisation needs one. So let it be my fault, whatever it is. The consequent eightfold reduction in list traffic and reduction in contribution of some eminent commentators will be welcomed by some list members.


Some may see in the previous line the use of an argument form known as «post hoc ergo propter hoc» that is often regarded in informal logic as a «fallacy»: see the entry «post hoc fallacy» in the index of Walton et al., op. Cit., for example. Now, some think informally of a «fallacy» as an argument that does not establish its conclusion (see, for example, this on-line dictionary entry). But this cannot be right, because «circular reasoning» (Assume A: conclude A) is also often regarded as a fallacy (e.g., Walton et al., op. cit. call it the «fallacy of begging the question») but it is in fact a logically valid argument, the very epitome of an argument which does establish its conclusion! Parsons, op.cit., has some insight into the difference between fallacy (said of argument forms) and invalidity (said of inferences).

Whatever one may say of fallacies, my last line is not one – in order to classify it so, one read the word “consequent” as meaning “causally following”. But of course “consequent” can also mean “following in time”. So read, my statement is a simple empirical truth.


It was pointed out by John Spriggs that Sündenböcke and Bogeymen are quite different. Indeed they appear to have different ranges, so he must be right. The Sündenbock is circumpolar, whereas the Wikipedia entry for Butzemann or Bogeyman puts the range as Southern Germany or Switzerland, although the subject of the ethnographical study by Raymond Briggs is undoubtedly an English variant.

Leave a Reply