[SystemSafety] Qualifying SW as "proven in use"

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon Jun 17 12:32:49 CEST 2013


Folks,

there is a significant question of how SW can be qualified as "proven in use" according to IEC 
61508:2010. There is a judgement in some quarters (notably the German national committee) that the 
criteria in IEC 61508:2010 are inappropriate. I think it wouldn't be out of place to say that many 
in the IEC 61508 Maintenance Teams find the current criteria unsatisfactory in one way or another.

We in Germany have been discussing the issue and possible solutions for a couple of years, and 
recently the discussion has gone international. There seems to be a general feeling that qualifying 
SW statistically via the approach given by the exponential failure model is not practical, because 
the data requirements are overwhelming - it is regarded by most as implausible that companies will 
have the requisite data to the requisite quality even for SIL 2. But even if you qualify your SW for 
SIL 2 or higher without such data, then at some point some data will exist and people use such data 
as evidence that the original assessment was accurate. But what sort of evidence does it offer? The 
answer is probably a lot less than you might be convinced it does.

There seems to me to be a lack of examples where things can go wrong - at least a lack of examples 
specifically adapted to assessments according to IEC 61508:2010. So I wrote one up - fictitious but 
I hope still persuasive - to illustrate what (some of) the assurance issues are. I hope it can aid 
the debate.

http://www.rvs.uni-bielefeld.de/publications/WhitePapers/LadkinPiUessay20130614.pdf

PBL

-- 
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
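The post's point about the exponential failure model (that the operating data needed to qualify SW statistically is overwhelming even for SIL 2, and that data gathered afterwards supports only a weak claim) can be made concrete with a small calculation. The following is an added illustration, not code from Ladkin's post or from his white paper. It assumes the standard model behind the "proven in use" statistics: a constant dangerous failure rate lambda, so that the number of failures observed in T hours is Poisson-distributed with mean lambda*T. The SIL bands are the upper PFH limits for high-demand/continuous mode from IEC 61508-1 Table 3; the 95% confidence level is an assumed choice for the example, and the 10,000-hour field-data figure is constructed. The result holds only if the operating profile in the field matches the one being claimed for, which is exactly the kind of assumption the post questions.

```python
import math

# Upper limit of the PFH band for each SIL, high-demand / continuous mode
# (IEC 61508-1 Table 3): SIL 2 means fewer than 1e-6 dangerous failures per hour.
PFH_UPPER_BOUND = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}

HOURS_PER_YEAR = 8760


def poisson_cdf(n, mu):
    """P(X <= n) for X ~ Poisson(mu), built up term by term to avoid large factorials."""
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def required_hours(rate_bound, failures, confidence):
    """Operating hours needed, with `failures` dangerous failures observed, to claim
    lambda <= rate_bound at the given one-sided confidence level (exponential model).

    The claim holds once P(X <= failures | lambda = rate_bound) <= 1 - confidence,
    i.e. once seeing so few failures would be implausible at the bound rate."""
    target = 1.0 - confidence
    if failures == 0:
        # Closed form: exp(-rate_bound * T) = 1 - confidence
        return -math.log(target) / rate_bound
    # General case: the Poisson CDF falls as T grows, so bisect on T.
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, rate_bound * hi) > target:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, rate_bound * mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def upper_bound_failure_rate(hours, failures, confidence):
    """The reverse question the post raises: given field data of `hours` with
    `failures` observed, what is the best (lowest) failure rate one can claim at
    this confidence? Bisection on lambda; the CDF falls as lambda grows."""
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * hours) > target:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * hours) > target:
            lo = mid
        else:
            hi = mid
    return hi


def sil_summary(confidence, failures=0):
    """Years of failure-free (or nearly so) operation needed per SIL band."""
    return {
        sil: required_hours(bound, failures, confidence) / HOURS_PER_YEAR
        for sil, bound in PFH_UPPER_BOUND.items()
    }


if __name__ == "__main__":
    for sil, years in sil_summary(0.95).items():
        print(f"SIL {sil}: about {years:,.0f} operating years with zero dangerous failures (95%)")
    # Constructed after-the-fact data: 10,000 hours in service, no dangerous failure seen.
    claimable = upper_bound_failure_rate(10_000, 0, 0.95)
    print(f"10,000 failure-free hours support only lambda <= {claimable:.1e} per hour "
          f"(SIL 2 needs <= {PFH_UPPER_BOUND[2]:.0e})")
```

For SIL 2 the zero-failure case already needs about 3 million operating hours, roughly 340 years of a single installation's service, and every observed failure pushes the figure further up; conversely, a plausible amount of field data such as 10,000 hours supports a rate bound that is more than two orders of magnitude above the SIL 2 limit. The calculation also shows why later field data is weak evidence for an earlier assessment: it can only raise the bound one is entitled to claim, not confirm the rate the assessment assumed.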