[SystemSafety] Proposed rewrite of IEC 61508 "proven in use" assessment conditions for SW

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Sun Jul 7 13:39:41 CEST 2013


Folks,

the German national committee tasked with IEC 61508 Part 3 (SW) matters has been working for some 
time on developing the assessment requirements for SW elements to be considered adequately "proven 
in use". (Please note that the term "proven in use" is a technical term in IEC 61508; one may query 
whether it is appropriate - I think it is appropriate - but for current purposes I suggest we just 
accept it.)

On 17 June I started a thread entitled "Qualifying SW as "proven in use"" and referred to a white 
paper I wrote at
http://www.rvs.uni-bielefeld.de/publications/WhitePaper/LadkinPiUessay20130614.pdf
That white paper had two parts: one detailed via a hypothetical example the problems one might have 
if the assessment requirements are too lax (specifically, the problems that arise with the current 
assessment conditions in IEC 61508-3:2010); the second suggested an approach to assessment via 
Markov processes (which could be extended, maybe, to Bayesian Belief Networks, if one has some 
information about the internal architecture of the SW - grey box rather than black box).

I had originally tried to approach the issue of modelling how SW behaves by suggesting that it 
behaves as an (arbitrarily complicated) finite-state machine (FSM), but that approach foundered in 
two ways:
(1) there is inherent non-determinism in (a) the use of source-code languages which do not have a 
demonstrably unambiguous semantics; (b) in the use of many compilers (especially those which 
"optimise"); (c) maybe in the linkers; (d) maybe in the realisation of the opcode instructions in 
HW; and
(2) there are no mature statistical techniques for determining to a given degree of confidence 
whether exhibited behavior is that of an FSM.

For Point (2) I am *very* grateful for numerous discussions with Bev Littlewood. Bev also suggested 
that the Markov-process approach might be a way to accommodate Point (1); hence the suggestion in my 
white paper referenced above.

Members of the IEC Maintenance Team for the 61508 SW part who are interested in the "proven in use" 
assessment conditions met in Frankfurt on 29 April. The Chair, Audrey Canning, asked the German 
members at the meeting to prepare a proposal for replacement of the "proven in use" conditions by 
some we consider more apt. The ultimate goal is formally a "Technical Specification", which is an 
IEC publication, and possible incorporation into the next edition of IEC 61508-3, which is 
provisionally scheduled for 2016 (after the formal two-year maintenance action, which is anticipated 
to start in 2014). The German committee (rather, the subcommittee tasked with SW matters) finished 
its proposal on 4 July and there is now a text which we would like to offer for general commentary 
to experts who are not necessarily on the IEC 61508-SW Maintenance Team and who are not necessarily 
involved with 61508 standardisation committees at all.

The text consists of a series of clauses in IEC-standards format, and is about three pages long. We 
have made a serious attempt to include explicitly the conditions under which the future 
failure behavior/frequency of SW can be inferred with some given degree of confidence from 
past failure behavior, as explained in detail to us over the last four years by Bev Littlewood. 
Basically, that which is necessary to ensure that the relevant statistical properties of the future 
proposed use are identical to those of the recorded past use (one of which is, of course, that the 
recording is veridical!).

(Note: I specifically use the term "failure behavior" of SW to indicate that it is the behavior of 
running SW which is being talked about, not the static pattern which is source code or object code, 
and to avoid the trope that that static pattern is not capable of failure in the normal engineering 
sense, since failure is a behavior which a static pattern ipso facto cannot have.)

The text will eventually become public (we discussed how it should appear on the DKE WWW site). We 
would like general commentary, but we also have to figure out how to mutate general commentary into 
something which fits on the formal IEC comment form. So at this point, rather than distribute it 
generally as an attachment to a message here, we would like to distribute it to those people who 
explicitly express an intent to read it and comment.

I would like to invite people here to send me a short e-mail note (private, please, to avoid 
"spamming" the list) expressing an intent to read the short proposed "proven in use" clauses and 
comment. Comment can be of any form, including general messages to this list, but I would reserve 
the right to come back to you with a request to shoehorn your points into the formal IEC format 
(caveat: this can be far more annoying than it might first appear :-) ).

Again, many thanks to Bev for his substantial support. Any mistakes are ours, not his. Indeed, he 
might be hard put to recognise anything he said in what we've written :-)

Next task is to revise Part 7 Annex D. I'll keep this list advised on that as well. The moral drawn 
from our discussions so far is that there is both more and less to qualifying pre-existing SW for 
new future use in a safety-related application than ensuring that the statistical properties in the 
future use are, to some specified degree of confidence, identical to those determined in the past.

PBL

-- 
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
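The inference the message describes, future failure frequency claimed at a stated confidence from recorded past operation, in an added Python example that is not from the message, the DKE committee text or the white paper. It assumes the textbook Poisson model (constant failure rate, independent failures), which the message does not state, and it takes for granted the condition the message does stress: that past and future use share the same statistical properties and that the failure record is veridical.

```python
# Added illustration (not from the IEC text or the white paper): the Poisson
# bound behind typical "proven in use" figures. It presupposes what the message
# stresses: the recorded past use and the proposed future use have the same
# statistical properties and the failure records are veridical.
import math


def poisson_cdf(k: int, mean: float) -> float:
    """P(X <= k) for X ~ Poisson(mean), by direct summation of the pmf."""
    term = math.exp(-mean)
    total = term
    for i in range(1, k + 1):
        term *= mean / i
        total += term
    return total


def upper_bound_rate(hours: float, failures: int, confidence: float) -> float:
    """Largest failure rate (per hour) still consistent with seeing at most
    `failures` failures in `hours` hours, at a one-sided `confidence`.
    Solves P(X <= failures | rate * hours) = 1 - confidence for the rate."""
    if not 0 < confidence < 1 or hours <= 0 or failures < 0:
        raise ValueError("need 0 < confidence < 1, hours > 0, failures >= 0")
    target = 1.0 - confidence
    if failures == 0:  # closed form: exp(-rate * hours) = 1 - confidence
        return -math.log(target) / hours
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:  # widen until bracketed
        hi *= 2.0
    for _ in range(200):  # bisect on the expected count x = rate * hours
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours


def required_failure_free_hours(target_rate: float, confidence: float) -> float:
    """Zero-failure operating hours needed before `target_rate` (per hour) can
    be claimed as an upper bound at `confidence`; inverse of the k = 0 case."""
    return -math.log(1.0 - confidence) / target_rate


if __name__ == "__main__":
    # Constructed figures: 1e7 recorded hours, two failures, 99 % confidence.
    print(f"bound: {upper_bound_rate(1e7, 2, 0.99):.3e} failures/hour")
    print(f"needed: {required_failure_free_hours(1e-7, 0.99):.3e} hours")
```

The bound says nothing about whether the recorded profile matches the proposed use; that is the separate, non-statistical condition the message puts at the centre of the proposal.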





