[SystemSafety] ARRL: A Criterion for Composable Safety and Systems Engineering
Peter Bernard Ladkin
ladkin at rvs.uni-bielefeld.de
Tue Sep 24 12:39:39 CEST 2013
I guess one is talking about http://hal.archives-ouvertes.fr/docs/00/84/85/21/PDF/8_-_20130065.pdf
On 9/24/13 11:27 AM, Braband, Jens wrote:
> .... IMHO it contains a lot of unfounded statements and also some obvious errors,
I agree there are some significant errors. I'll restrict myself here to the misconceptions
concerning IEC 61508 SILs and safety requirements.
> -Table 1 is completely wrong.
Yes, it is completely and utterly wrong. It appears to correlate commercial-aerospace severity
categories (for example, from AMC25) with IEC 61508 SILs. There is no conceptual relation between
these whatever.
AMC25 severity classes are measures of how much damage is caused. They are measured by lives lost,
injuries caused, and metal bent (or composites fractured).
IEC 61508 SILs are reliability classes of safety functions. They are measured by a rate of dangerous
failures per operational hour.
> -Also table 2 is oversimplified, e.g. neither does ASIL-D correspond completely to SIL 3 or DAL B
> nor does SIL 4 to DAL A
That is quite correct; they don't correspond. DALs are requirements on system components. SILs are
requirements on safety functions.
Best to keep straight the distinction between system components (or "items" in IEC 61508
terminology) and safety functions, which are behaviors implemented by system components.
> -A SIL is not a system property,...
That is quite correct.
> -A SIL level alone is not the top level safety requirement.
A SIL is never a top-level safety requirement. Proof is as follows.
See IEC 61508-1:2010 Section 7.5 Overall Safety Requirements:
[begin quote]
7.5.1 Objective
The objective of the requirements of this subclause is to develop the specification for the overall
safety requirements, in terms of the overall safety functions requirements and overall safety
integrity requirements, for the E/E/PE safety-related systems and other risk reduction measures, in
order to achieve the required functional safety.
7.5.2 Requirements
7.5.2.1 A set of all necessary overall safety functions shall be developed based on the hazardous
events derived from the hazard and risk analysis. This shall constitute the specification for the
overall safety functions requirements.
[end quote]
So, there are overall safety requirements; these are derived from the hazard and risk analysis; and
they are developed/specified *in terms of* (amongst other things) safety integrity requirements. A
safety integrity requirement is a requirement that a specific safety function have a specific SIL.
I don't know why there should still be this level of confusion a decade and a half since the
standard was published. I suspect it may have to do with the fact that buying the 61508 document is
so expensive that most people don't do it and they rely for their understanding on hearsay.
I see two solutions to that problem, if it is one.
1. Everyone should join their local standards committee, whereby a copy will be made available for
free. However, the ensuing cost of refreshments at meetings will likely bankrupt the local standards
organisation.
2. The standards document should be much cheaper than it is; even free. I know a dozen people on
this list who will support such a proposal for very good reason. Distributing standards free would
trash the business model of the IEC (even though clever people could fix that model). But making it
a lot less expensive would be something the IEC could do tomorrow, if it chose, and to my mind it
should so choose.
PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de