[SystemSafety] Separating critical software modules from non-critical software modules

Ignacio González (Eliop) igtorque.eliop at googlemail.com
Tue Jul 23 10:55:15 CEST 2013


Hello, Myriam.
Just one remark (though many could be made): I have sometimes found that,
if the amount of non-safety related software is not big, and the
development team is small, it is better (cheaper) to develop the whole of
it as if every function were SIL 4. Using a unique process, methodology,
set of tools, and set of practices is a big advantage, even if it would not
be necessary for every function / component.


2013/7/23 M Mencke <menckem at gmail.com>

> Dear All,
>
> For any software development project, many software modules are involved,
> where some are defined as safety critical, others are not. For example, in
> railway signaling, communications modules are likely to be defined as
> critical, whereas other modules such as those involving data storage or
> other basic functions are not. An analysis may be performed with the
> objective of demonstrating that the safety critical modules are entirely
> independent from the non-critical modules, leading to the conclusion that
> the application of a programming standard for safety critical software is
> only required for those modules defined as safety critical (note the phrase
> “with the objective of demonstrating…”; I would hesitate before drawing the
> conclusion that the analysis really demonstrates what it is supposed to
> demonstrate).
>
> In my field EN 50128 would be applied; however, it could be any
> standard for safety critical software. Thus, the software is developed
> applying the standard only to the modules which have been defined as
> “safety critical”. In order to supposedly save time/money, etc., the rest
> of the modules are developed as non-critical software, either as SIL 0
> functions or according to a standard programming standard. My question is
> whether such an approach is really valid, given that the application of a
> safety critical standard does not only involve the application of specific
> language features, it involves an entire development life cycle, and I find
> it difficult to see how the modules defined as “non-critical” then do not
> form part of that life cycle. I’m not saying it is not valid, but I would
> like to know how others see this.
>
> Additionally, if the same programmers are involved in the programming of
> both critical and non-critical modules, does it really make sense that they
> only pay attention to the features required for safety critical software
> when programming the critical modules, and modify their programming style
> for the rest of the modules (or revert back to their “usual” style)? These
> questions also depend on what you consider as critical, for example, for a
> control system with an HMI, you could only consider communication modules
> critical, however, you need a GUI to display the status of the elements an
> operator has to control correctly. Some operations performed by the
> operator may not have the potential to generate a hazard with a high
> severity level, because there are mitigations in place. However, that
> doesn’t necessarily mean that the software responsible for displaying the
> information should not be programmed according to a safety critical
> standard. I am aware that these questions don’t have an “easy” answer; any
> opinions would be appreciated.
>
> Kind Regards,
>
> Myriam.
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
>
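As an added illustration (not part of either message above, and not taken from EN 50128 or any real product), the following C snippet shows one kind of dependency that an independence analysis of the sort Myriam describes has to find and rule out: a hypothetical "non-critical" status formatter and a hypothetical "critical" command handler that quietly share a scratch buffer. The module names, buffer size and command value are all constructed for the example.

```c
#include <string.h>

/* Constructed example: a hypothetical "critical" command handler and a
 * hypothetical "non-critical" status formatter. Neither is taken from a real
 * product or from EN 50128; the point is the shared state between them. */

#define SCRATCH_LEN 16

/* One scratch buffer used by both modules: this is the hidden coupling that
 * an independence argument would have to discover and remove. */
static char shared_scratch[SCRATCH_LEN];

/* Non-critical module (developed as SIL 0): writes a short status string into
 * the shared scratch area, truncating silently. Reviewed on its own, it looks
 * harmless. */
static void status_format(const char *text)
{
    strncpy(shared_scratch, text, SCRATCH_LEN - 1);
    shared_scratch[SCRATCH_LEN - 1] = '\0';
}

/* Critical module, coupled variant: stores a received command in the shared
 * buffer, lets the non-critical status update run, then reads the command
 * back. Returns what the critical code now believes the command was. */
int critical_command_coupled(int cmd)
{
    int seen;
    memcpy(shared_scratch, &cmd, sizeof cmd);
    status_format("link ok");              /* non-critical code runs here */
    memcpy(&seen, shared_scratch, sizeof seen);
    return seen;
}

/* Critical module, decoupled variant: the same logic with private storage,
 * so nothing the non-critical module does can alter the critical datum. */
int critical_command_isolated(int cmd)
{
    int seen;
    char private_buf[sizeof cmd];
    memcpy(private_buf, &cmd, sizeof cmd);
    status_format("link ok");              /* still runs, but cannot interfere */
    memcpy(&seen, private_buf, sizeof seen);
    return seen;
}

/* Small self-check: returns 1 when the coupled variant corrupts a command
 * that the isolated variant preserves, i.e. when an "independence" claim
 * for this pair of modules would be false. */
int coupling_changes_result(int cmd)
{
    return critical_command_coupled(cmd) != cmd
        && critical_command_isolated(cmd) == cmd;
}
```

The shared buffer is only the simplest coupling path; an argument that the non-critical modules are outside the safety life cycle also has to cover shared control flow, timing and shared resources such as heap or I/O, which is exactly why Ignacio's "develop everything to the same level" approach can be cheaper than writing and defending that argument for a small code base.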