ON PROTECTION IN OPERATING SYSTEMS

Michael A. Harrison, Walter L. Ruzzo, Jeffrey D. Ullman

This paper presents a formal model of protection mechanisms in computing systems and demonstrates its appropriateness. The "safety" problem for protection systems is defined as determining whether a subject can acquire a particular right to an object. In restricted cases, this problem is decidable, meaning there is an algorithm to determine if a system in a particular configuration is safe. However, in general, it is undecidable whether a situation is safe. The paper discusses various implications of this fact. The model considers only protection aspects of a system, not the semantics of programs or general models of computation. It is similar to models in [5,9], which argue that the model can describe most protection systems currently in use. The paper introduces the concept of safety in protection systems, which means that an unreliable subject cannot pass a right to someone who did not already have it. It then considers a restricted family of protection systems and shows that safety is decidable for these systems. The paper also presents a surprising result: there is no algorithm that can decide the safety question for arbitrary protection systems. The proof uses simple ideas and can be extended directly to more elaborate protection models. The paper also discusses the significance of these results, drawing an analogy with the undecidability of context-free grammar ambiguity. It suggests that while it is undecidable whether a protection system is safe in general, it may be possible to decide safety for particular situations in particular protection systems. The paper presents a formal model of protection systems, which includes a set of generic rights, initial subjects and objects, commands, and conditions for commands. The model is used to describe the effects of commands on the access matrix, which represents the rights of subjects to objects. 
The paper also discusses the implications of the model for real systems, noting that the order in which commands are executed is not prescribed in advance. The paper concludes by discussing the undecidability of the safety problem and its implications for operating system design. It suggests that while it is undecidable whether a protection system is safe in general, it may be possible to decide safety for particular situations in particular protection systems. The paper also discusses the importance of considering restricted cases or individual cases when designing operating systems.
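
The access-matrix model and the safety question summarized above, as an added example that is not code from the paper: a small protection system whose commands have conditions and enter or delete rights, with an exhaustive search for a command sequence that leaks a given right. The subjects, objects, rights and command names are constructed for illustration. It assumes commands contain no create or destroy operations, so the set of reachable matrices is finite and the search terminates, and it treats a right entering a cell that did not hold it as a leak.

```python
from itertools import product

# Constructed sample system. Subjects are also objects, as in the model.
SUBJECTS = ("alice", "bob")
OBJECTS = SUBJECTS + ("file",)

# command = (name, arity, conditions, body). Integers index the argument tuple.
# condition: (right, subj_idx, obj_idx) must be in the matrix.
# body op:   ("enter" | "delete", right, subj_idx, obj_idx). No create/destroy.
COMMANDS = [
    ("confer_read", 3, [("own", 0, 2)], [("enter", "read", 1, 2)]),
    ("revoke_read", 3, [("own", 0, 2)], [("delete", "read", 1, 2)]),
]

def step(config, command, args):
    """Apply one command. Returns (new_config, leaked_rights), or None if not applicable."""
    _, _, conds, body = command
    if any(args[s] not in SUBJECTS for _, _, s, _ in body):
        return None                      # matrix rows exist only for subjects
    if any((args[s], args[o], r) not in config for r, s, o in conds):
        return None                      # a condition of the command fails
    cells, leaked = set(config), set()
    for op, r, s, o in body:
        cell = (args[s], args[o], r)
        if op == "enter":
            if cell not in cells:
                leaked.add(r)            # r entered a cell that lacked it
            cells.add(cell)
        else:
            cells.discard(cell)
    return frozenset(cells), leaked

def find_leak(initial, right, commands=COMMANDS):
    """Search all reachable matrices; return a command trace that leaks `right`, else None."""
    seen, frontier = {initial}, [(initial, [])]
    while frontier:
        config, trace = frontier.pop()
        for cmd in commands:
            for args in product(OBJECTS, repeat=cmd[1]):
                result = step(config, cmd, args)
                if result is None:
                    continue
                new_config, leaked = result
                path = trace + [(cmd[0],) + args]
                if right in leaked:
                    return path
                if new_config not in seen:
                    seen.add(new_config)
                    frontier.append((new_config, path))
    return None

INITIAL = frozenset({("alice", "file", "own")})   # alice owns file
```

Here `find_leak(INITIAL, "read")` returns a one-command witness, while `find_leak(INITIAL, "own")` returns `None` because no command ever enters `own`.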