[SystemSafety] Separating critical software modules from non-critical software modules

Gerry R Creech grcreech at ra.rockwell.com
Tue Jul 23 10:43:41 CEST 2013 

Myriam,

The analysis of independence would also need to prove that any failure of 
the SIL 0 software could not affect the operation of the safety software.

Since the none safety software does not have a systematic capability 
rating, it must be assumed that the non safety software could do anything 
(not just what the programmer has designed) and hence protection 
mechanisms must be applied around the safety software.

For example, the memory used for the safety software would need to be 
protected to ensure that it was not possible for the non safety software 
to write into the safety area.
There would need to be measures to ensure that failure of the non safety 
software could not take resources away from the safety software, for 
example if the non safety software went into a loop the safety software 
would still need to operate. 

 
Best regards,
 
Gerry Creech

Web:    www.rockwellautomation.com



From:   M Mencke <menckem at gmail.com>
To:     "systemsafety at techfak.uni-bielefeld.de" 
<systemsafety at techfak.uni-bielefeld.de>
Date:   23/07/2013 09:21
Subject:        [SystemSafety] Separating critical software modules from 
non-critical software modules
Sent by:        systemsafety-bounces at techfak.uni-bielefeld.de



Dear All,
For any software development project, many software modules are involved, 
where some are defined as safety critical, others are not. For example, in 
railway signaling, communications modules are likely to be defined as 
critical, whereas other modules such as those involving data storage or 
other basic functions are not. An analysis may be performed with the 
objective of demonstrating that the safety critical modules are entirely 
independent from the non critical modules, leading to the conclusion that 
the application of a programming standard for safety critical software is 
only required for those modules defined as safety critical (note the 
phrase ?with the objective of demonstrating??; I would hesitate before 
drawing the conclusion that the analysis really demonstrates what it is 
supposed to demonstrate). 
In my field the EN 50128 would be applied, however, it could be any 
standard for safety critical software. Thus, the software is developed 
applying the standard only to the modules which have been defined as 
?safety critical?. In order to supposedly save time/money, etc., the rest 
of the modules are developed as non-critical software, either as SIL 0 
functions or according to a standard programming standard. My question is 
whether such an approach is really valid, given that the application of a 
safety critical standard does not only involve the application of specific 
language features, it involves an entire development life cycle, and I 
find it difficult to see how the modules defined as ?non-critical? then do 
not form part of that life cycle. I?m not saying it is not valid, but I 
would like to know how others see this. 
Additionally, if the same programmers are involved in the programming of 
both critical and non-critical modules, does it really make sense that 
they only pay attention to the features required for safety critical 
software when programming the critical modules, and modify their 
programming style for the rest of the modules (or revert back to their 
?usual? style)? These questions also depend on what you consider as 
critical, for example, for a control system with a HMI, you could only 
consider communication modules critical, however, you need a GUI to 
display the status of the elements an operator has to control correctly. 
Some operations performed by the operator may not have the potential to 
generate a hazard with a high severity level, because there are 
mitigations in place. However, that doesn?t necessarily mean that the 
software responsible for displaying the information should not be 
programmed according to a safety critical standard. I am aware that these 
questions don?t have an ?easy? answer; any opinions would be appreciated.
Kind Regards,
Myriam._______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20130723/f4d9cc0f/attachment.html>

More information about the systemsafety mailing list