[SystemSafety] SIL ratings to be scrapped?

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Sat Aug 24 08:57:21 CEST 2013


Matthew,

On 8/24/13 5:55 AM, Matthew Squair wrote:
> That take up may be based more on a lack of understanding of its utility in non process control
> domains (low IMHO) or a judgement that it's an easy 'compliance = safety' argument that can be sold
> to defence customers who love a standards approach...
>
> On Friday, 23 August 2013, RICQUE Bertrand (SAGEM DEFENSE SECURITE) wrote:
>
>     It is interesting to see this evolution in UK while at the same time the major defense operators
>     (DCNS, Nexter, EADS, …) in France are adopting IEC61508 straightforward and including it in
>     their requirements, included for retrofits …

To the contrary, it is based not on any lack of understanding but on straightforward market mechanisms.

Suppose you want to buy a washing machine, a very good washing machine, maybe the best. Then you 
might look to Miele, just down the road from us (there is a plant here too, but washing machines are 
down the road). It comes with a plug for German-standard house electricity supply. Suppose for the 
sake of this analogy that changing the plug is *very expensive*, costs, say, on the order of the 
price of the machine itself. And it's not just a washing machine you want, but all other household 
kit too, from other countries as well as Germany and your own. Now, nobody else's plugs fit your 
sockets and your plugs don't fit theirs. What do you do? Well, first you give thanks that you're all 
on 230-250V and 50-60Hz. Then you don't pay for all those plug changes, you just go buy adaptors. 
Because otherwise it would cost you twice as much.

This only works, though, if (a) the common grid values are some approximation to an adequate 
electricity supply, and (b) there exist adaptors.

Here is the translation. Common grid values = international standard. Local plugs/sockets = local 
military procurement standards.

Most major defence contractors have multiple clients. Most have, let us say, First Customers: the 
First Customer of a US company is the US military, that of a French company the French military, of 
an Indian company the Indian military, and so on. Successful military equipment suppliers supply 
clients other than their First Customer.

Clients want kit developed to a standard, preferably their own. Suppliers have developed kit to a 
standard, or multiple standards, but not necessarily the one Client uses, unless Client is the First 
Customer.

So what is going to happen? Client wants to buy; Supplier wants to sell. It's going to happen, hope 
both parties, but there is that pesky thing about standards conformance, which is usually a legal 
requirement.

Somebody is going to have to put up the resources (i.e., pay) for Supplier's kit to be retroassessed 
to Client's standard. This can cost huge amounts and be very tricky. For example, the UK military's 
attempt to retroassess the C130J was a massive attempt involving innovative engineering methods and 
can only be regarded as partially successful (see the German/Daniels project on the SW, for 
example). And the entity putting up resources is ultimately Client. If you screw up the contract, 
for example on Mk 3 Chinooks, Client doesn't get the info it needs to assess conformance to local 
standard and consequently cannot use the kit as desired.

One might thereby think it useful for Client to have a local law which says: if it's US MIL STAN 
it's good enough for us. But that is not what local law says in most developed countries. And there 
may be good reason for that - it may not be true! See, for example, the controversy over the quality 
of the aforesaid C130J SW. And, besides, such a law only works for Supplier from a specific country. 
You'd have to have a similar Client law for other countries with Suppliers, and then Client would 
basically be saying "if it's developed to some military standard somewhere, it's good enough for 
me". But would such an attitude be enough to assure fitness for local purpose? Who knows? And 
counterexamples abound. Look up, for example, "Chinook" and "Mull of Kintyre" and read doubts 
expressed by UK military investigators about the quality/safety of the control system of one of the 
world's workhorses.

So what's easiest and cheapest while being effective? There is an international civil standard, for 
better or worse. Suppose Client has good local understanding of how its local standard relates to 
that international standard; maybe even has a rough translation algorithm, leaving out some Sharp 
Points. Suppose Supplier has developed kit to that international standard and provides the 
accompanying documentation. Then Client pays locally for the translation which it knows how to do, 
leaving Sharp Points. Supplier and Client just have to address Sharp Points. Likely to be much 
cheaper all around.

Eventually, even First Customer understands that Supplier is developing to IEC 61508 anyway. Rather 
than insist on its own local standard being applied in parallel, on each development, First Customer 
invests once in a rough translation manual. And on each new procurement, applies the translation 
manual, and Supplier and First Customer file off Sharp Points. Much less expensive in the long run.

And much less wasteful of resources for the world, too, as a whole, unless you adhere to a religion 
which regards the generation of paper as being the most holy of human activities, like the remnants 
of the Prussian state......

The success of such an approach, though, does rest on above caveats (a): that objectively the 
international standard is mostly adequate for most military system safety purposes; and (b): 
applying the translation manuals plus filing off the sharp edges mostly works. That may or may not 
be the case. But to set the mechanism in motion, all that is required is that sufficiently many 
people *believe* both (a) and (b).

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de