[SystemSafety] Proposed rewrite of IEC 61508 "proven in use" assessment conditions for SW
Peter Bernard Ladkin
ladkin at rvs.uni-bielefeld.de
Sun Jul 7 13:39:41 CEST 2013
Folks,
the German national committee tasked with IEC 61508 Part 3 (SW) matters has been working for some
time on developing the assessment requirements for SW elements to be considered adequately "proven
in use". (Please note that the term "proven in use" is a technical term in IEC 61508; one may query
whether it is appropriate - I think it is appropriate - but for current purposes I suggest we just
accept it.)
On 17 June I started a thread entitled "Qualifying SW as "proven in use"" and referred to a white
paper I wrote at
http://www.rvs.uni-bielefeld.de/publications/WhitePaper/LadkinPiUessay20130614.pdf
That white paper had two parts: one detailed via a hypothetical example the problems one might have
if the assessment requirements are too lax (specifically, the problems that arise with the current
assessment conditions in IEC 61508-3:2010); the second suggested an approach to assessment via
Markov processes (which could be extended, maybe, to Bayesian Belief Networks, if one has some
information about the internal architecture of the SW - grey box rather than black box).
I had originally tried to approach the issue of modelling how SW behaves by suggesting that it
behaves as a (arbitrarily complicated) finite-state machine (FSM), but that approach foundered in
two ways:
(1) there is inherent non-determinism in (a) the use of source-code languages which do not have a
demonstrably unambiguous semantics; (b) in the use of many compilers (especially those which
"optimise"); (c) maybe in the linkers; (d) maybe in the realisation of the opcode instructions in
HW; and
(2) there are no mature statistical techniques for determining to a given degree of confidence
whether exhibited behavior is that of an FSM.
For Point (2) I am *very* grateful for numerous discussions with Bev Littlewood. Bev also suggested
that the Markov-process approach might be a way to accommodate Point (1); hence the suggestion in my
white paper referenced above.
Members of the IEC Maintenance Team for the 61508 SW part who are interested in the "proven in use"
assessment conditions met in Frankfurt on 29 April. The Chair, Audrey Canning, asked the German
members at the meeting to prepare a proposal for replacement of the "proven in use" conditions by
some we consider more apt. The ultimate goal is formally a "Technical Specification", which is an
IEC publication, and possible incorporation into the next edition of IEC 61508-3, which is
provisionally scheduled for 2016 (after the formal two-year maintenance action, which is anticipated
to start in 2014). The German committee (rather, the subcommittee tasked with SW matters) finished
its proposal on 4 July and there is now a text which we would like to offer for general commentary
to experts who are not necessarily on the IEC 61508-SW Maintenance Team and who are not necessarily
involved with 61508 standardisation committees at all.
The text consists of a series of clauses in IEC-standards format, and is about three pages long. We
have made a serious attempt to include explicitly the conditions under which the future
failure behavior/frequency of SW can be inferred with some given degree of confidence from
past failure behavior, as explained in detail to us over the last four years by Bev Littlewood.
Basically, that which is necessary to ensure that the relevant statistical properties of the future
proposed use are identical to those of the recorded past use (one of which is, of course, that the
recording is veridical!).
(Note: I specifically use the term "failure behavior" of SW to indicate that it is the behavior of
running SW which is being talked about, not the static pattern which is source code or object code,
and to avoid the trope that that static pattern is not capable of failure in the normal engineering
sense, since failure is a behavior which a static pattern ipso facto cannot have.)
The text will eventually become public (we discussed how it should appear on the DKE WWW site). We
would like general commentary, but we also have to figure out how to mutate general commentary into
something which fits on the formal IEC comment form. So at this point, rather than distribute it
generally as an attachment to a message here, we would like to distribute it to those people who
explicitly express an intent to read it and comment.
I would like to invite people here to send me a short e-mail note (private, please, to avoid
"spamming" the list) expressing an intent to read the short proposed "proven in use" clauses and
comment. Comment can be of any form, including general messages to this list, but I would reserve
the right to come back to you with a request to shoehorn your points into the formal IEC format
(caveat: this can be far more annoying than it might first appear :-) ).
Again, many thanks to Bev for his substantial support. Any mistakes are ours, not his. Indeed, he
might be hard put to recognise anything he said in what we've written :-)
Next task is to revise Part 7 Annex D. I'll keep this list advised on that as well. The moral drawn
from our discussions so far is that there is both more and less to qualifying pre-existing SW for
new future use in a safety-related application than ensuring that the statistical properties in the
future use are, to some specified degree of confidence, identical to those determined in the past.
PBL
--
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
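As an added illustration, not part of the post above or of the German committee's proposal text: the kind of inference the "proven in use" conditions are meant to license. Under an assumed constant-failure-rate (Poisson) model, it computes the one-sided upper confidence bound on the future failure rate from recorded operating hours and observed failures, and the hours of failure-free operation needed to claim a target rate; the function names and the sample figures are my own.

```python
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), summed directly (fine for small k)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def failure_rate_upper_bound(hours: float, failures: int, confidence: float) -> float:
    """Upper bound on the failure rate (per hour) at the given one-sided confidence.

    Model assumption: failures arrive as a Poisson process with constant rate,
    which only holds if the future use has the same statistical properties as
    the recorded past use (same operational profile, veridical failure records),
    i.e. exactly the conditions the proposed clauses are meant to establish.
    """
    if hours <= 0 or not 0 < confidence < 1 or failures < 0:
        raise ValueError("hours > 0, 0 < confidence < 1 and failures >= 0 required")
    alpha = 1.0 - confidence
    if failures == 0:
        # Closed form: P(no failure | rate) = exp(-rate * hours) = alpha
        return -math.log(alpha) / hours
    # Otherwise find the smallest rate whose chance of producing at most
    # `failures` events in `hours` has dropped to alpha (bisection on the CDF).
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * hours) > alpha:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if poisson_cdf(failures, mid * hours) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def failure_free_hours_required(target_rate: float, confidence: float) -> float:
    """Failure-free operating hours needed to bound the rate at target_rate."""
    if target_rate <= 0 or not 0 < confidence < 1:
        raise ValueError("target_rate > 0 and 0 < confidence < 1 required")
    return -math.log(1.0 - confidence) / target_rate


if __name__ == "__main__":
    # Constructed sample history: 100,000 h recorded, zero failures, 99% confidence.
    print(f"{failure_rate_upper_bound(1e5, 0, 0.99):.3e} /h")
    # Same record but with one recorded failure.
    print(f"{failure_rate_upper_bound(1e5, 1, 0.99):.3e} /h")
    # Hours needed, failure-free, to claim 1e-7 /h at 99% confidence.
    print(f"{failure_free_hours_required(1e-7, 0.99):.3e} h")
```

The last figure makes the standard point: a claimed rate of 1e-7 per hour needs on the order of 4.6e7 failure-free hours at 99% confidence, which is why the recording and operational-profile conditions matter more than the arithmetic.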