Rant

Note: The following is a rant: it is fundamentally uninformed by experience. Composable systems are not my specialty. Neither are safety systems.

But I wonder: is composition fundamentally the wrong metaphor for building safe or secure systems?

Security and safety are global properties of the complete system. Bad local behavior doesn't necessarily corrupt the system (e.g. redundancy), and entirely proper local behavior can still be unsafe (e.g. someone on the control system of a properly functioning chemical plant SCADA system can set all the valves in individually legal configurations, which would result in a fire.)
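Both halves of that point can be made concrete with a small model. The following is an added example and is not part of the original rant; the valves, vessels, reagent rules and sensors in it are invented for illustration and do not describe any real plant or SCADA system. The first function shows the redundancy case: one misbehaving sensor does not change the voted output. The enumeration at the end shows the other case: every valve passes its own local check, yet some combinations violate the plant-wide invariant, and nothing in the per-valve rules could have told you which ones.

```python
"""Local versus global checks on a toy plant model (constructed example)."""
from itertools import product

# Constructed model: each valve admits one reagent into one vessel.
VALVES = {
    "V1": {"reagent": "acid", "vessel": "T1"},
    "V2": {"reagent": "oxidiser", "vessel": "T1"},
    "V3": {"reagent": "water", "vessel": "T2"},
    "V4": {"reagent": "oxidiser", "vessel": "T2"},
}

# Constructed plant state: vessels whose cooling is known to be online.
COOLING_ONLINE = {"T2"}

# Constructed chemistry: reagent pairs that must not share an uncooled vessel.
INCOMPATIBLE = {frozenset({"acid", "oxidiser"})}


def voted_level_alarm(sensor_readings):
    """Redundancy: 2-of-3 majority vote over boolean 'level high' readings.

    A single stuck or faulty sensor (bad local behaviour) cannot flip the
    system-level result on its own.
    """
    return sum(1 for reading in sensor_readings if reading) >= 2


def valve_locally_valid(name, state):
    """Per-valve rule, the kind of check a component-level interlock enforces.

    Every valve passes this in isolation, whatever the other valves are doing.
    """
    return name in VALVES and state in ("open", "closed")


def system_safe(config):
    """Global invariant over the whole plant.

    No vessel may receive two incompatible reagents unless its cooling is
    online. This property depends on the combination of valve states, so it
    cannot be expressed as a conjunction of per-valve rules.
    """
    vessels = {v["vessel"] for v in VALVES.values()}
    for vessel in vessels:
        open_reagents = {
            VALVES[name]["reagent"]
            for name, state in config.items()
            if state == "open" and VALVES[name]["vessel"] == vessel
        }
        for pair in INCOMPATIBLE:
            if pair <= open_reagents and vessel not in COOLING_ONLINE:
                return False
    return True


def unsafe_but_locally_valid():
    """Enumerate all valve configurations in which every valve is individually
    legal and yet the global invariant fails.

    For the constructed model this is every configuration with V1 and V2 both
    open (acid and oxidiser into the uncooled vessel T1), regardless of V3/V4.
    """
    names = sorted(VALVES)
    offenders = []
    for states in product(("open", "closed"), repeat=len(names)):
        config = dict(zip(names, states))
        if all(valve_locally_valid(n, s) for n, s in config.items()) and not system_safe(config):
            offenders.append(config)
    return offenders


if __name__ == "__main__":
    print("one stuck-low sensor, alarm still raised:", voted_level_alarm([True, True, False]))
    for cfg in unsafe_but_locally_valid():
        print("locally valid, globally unsafe:", cfg)
```

The enumeration is the tell: the only way to find the unsafe combinations is to check the system-level property over the composed state, which is exactly the top-down step the rant is asking about.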

Thus I wonder if a better metaphor is decomposition? Begin with the top in creating a model, describing and evaluating the threat model and safety model (e.g. what Jan Jurgen's presentation proposes), and decompose the system into constructible (perhaps existing) pieces?

Thus the question: Is building secure, safe systems a fundamentally top-down process? Must we start with an overall architecture?