[SystemSafety] SIL ratings to be scrapped?
Peter Bernard Ladkin
ladkin at rvs.uni-bielefeld.de
Sat Aug 24 08:57:21 CEST 2013
Matthew,
On 8/24/13 5:55 AM, Matthew Squair wrote:
> That take up may be based more on a lack of understanding of its utility in non process control
> domains (low IMHO) or a judgement that it's an easy 'compliance = safety' argument that can be sold
> to defence customers who love a standards approach...
>
> On Friday, 23 August 2013, RICQUE Bertrand (SAGEM DEFENSE SECURITE) wrote:
>
> It is interesting to see this evolution in UK while at the same time the major defense operators
> (DCNS, Nexter, EADS, …) in France are adopting IEC61508 straightforward and including it in
> their requirements, included for retrofits …____
To the contrary, it is based not on any lack of understanding but on straightforward market mechanisms.
Suppose you want to buy a washing machine, a very good washing machine, maybe the best. Then you
might look to Miele, just down the road from us (there is a plant here too, but washing machines are
down the road). It comes with a plug for German-standard house electricity supply. Suppose for the
sake of this analogy that changing the plug is *very expensive*, costs, say, on the order of the
price of the machine itself. And it's not just a washing machine you want, but all other household
kit too, from other countries as well as Germany and your own. Now, nobody else's plugs fit your
sockets and your plugs don't fit theirs. What do you do? Well, first you give thanks that you're all
on 230-250V and 50-60Hz. Then you don't pay for all those plug changes, you just go buy adaptors.
Because otherwise it would cost you twice as much.
This only works, though, if (a) the common grid values are some approximation to an adequate
electricity supply, and (b) there exist adaptors.
Here is the translation. Common grid values = international standard. Local plugs/sockets = local
military procurement standards.
Most major defence contractors have multiple clients. Most have, let us say, First Customers: the
First Customer of a US company is the US military, that of a French company the French military, of
an Indian company the Indian military, and so on. Successful military equipment suppliers supply
clients other than their First Customer.
Clients want kit developed to a standard, preferably their own. Suppliers have developed kit to a
standard, or multiple standards, but not necessarily the one Client uses, unless Client is the First
Customer.
So what is going to happen? Client wants to buy; Supplier wants to sell. It's going to happen, hope
both parties, but there is that pesky thing about standards conformance, which is usually a legal
requirement.
Somebody is going to have to put up the resources (i.e., pay) for Supplier's kit to be retroassessed
to Client's standard. This can cost huge amounts and be very tricky. For example, the UK military's
attempt to retroassess the C130J was a massive attempt involving innovative engineering methods and
can only be regarded as partially successful (see the German/Daniels project on the SW, for
example). And the entity putting up resources is ultimately Client. If you screw up the contract,
for example on Mk 3 Chinooks, Client doesn't get the info it needs to assess conformance to local
standard and consequently cannot use the kit as desired.
One might thereby think it useful for Client to have a local law which says: if it's US MIL STAN
it's good enough for us. But that is not what local law says in most developed countries. And there
may be good reason for that - it may not be true! See, for example, the controversy over the quality
of the aforesaid C130J SW. And, besides, such a law only works for Supplier from a specific country.
You'd have to have a similar Client law for other countries with Suppliers, and then Client would
basically be saying "if it's developed to some military standard somewhere, it's good enough for
me". But would such an attitude be enough to assure fitness for local purpose? Who knows? And
counterexamples abound. Look up, for example, "Chinook" and "Mull of Kintyre" and read doubts
expressed by UK military investigators about the quality/safety of the control system of one of the
world's workhorses.
So what's easiest and cheapest while being effective? There is an international civil standard, for
better or worse. Suppose Client has good local understanding of how its local standard relates to
that international standard; maybe even has a rough translation algorithm, leaving out some Sharp
Points. Suppose Supplier has developed kit to that international standard and provides the
accompanying documentation. Then Client pays locally for the translation which it knows how to do,
leaving Sharp Points. Supplier and Client just have to address Sharp Points. Likely to be much
cheaper all around.
Eventually, even First Customer understands that Supplier is developing to IEC 61508 anyway. Rather
than insist on its own local standard being applied in parallel, on each development, First Customer
invests once in a rough translation manual. And on each new procurement, applies the translation
manual, and Supplier and First Customer file off Sharp Points. Much less expensive in the long run.
And much less wasteful of resources for the world, too, as a whole, unless you adhere to a religion
which regards the generation of paper as being the most holy of human activities, like the remnants
of the Prussian state......
The success of such an approach, though, does rest on above caveats (a): that objectively the
international standard is mostly adequate for most military system safety purposes; and (b):
applying the translation manuals plus filing off the sharp edges mostly works. That may or may not
be the case. But to set the mechanism in motion, all that is required is that sufficiently many
people *believe* both (a) and (b).
PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
More information about the systemsafety
mailing list