[SystemSafety] words you cannot use at GM

[Peter Bernard Ladkin]

On 2014-05-21 10:14 , Maier, Thomas wrote:
> A correction regarding IEC 615011:
> 
> That minimum failure rate per IEC 61511 is specified in Part 1 clause 8.2.2: “The dangerous failure
> rate of a BPCS (which does not conform to IEC 61511) that places a demand on a protection layer
> shall not be assumed to be better than *10^-5 per hour*.”

I grant you that my point was badly expressed, a disadvantage of responding quickly while
multitasking on the train. But there is no correction to be made. Bertrand's response to you is
abstract but correct.

Let me be more concrete. Suppose you have a safety function SF with SIL 1, which functionality is
also provided by the BPCS. The function the BPCS provides, call it BCPS-SF, is by definition not a
safety function.

Suppose you implement code in your SIS which does the following.

* 1. Monitors the conditions under which SF should activate in the BCPS;
* 2. Monitors whether BCPS-SF executes successfully;
* 3. Contains SIS-Supplementary-SF, which executes SF.

Now, how reliable does this safety-related code SIS-Supplementary-SF have to be?

Here is the reasoning. The required safety function is SF. The executing code implementing SF is

	SF: IF <conditions> THEN BPCS-SF ELSE SIS-Supplementary-SF

The safety-related code here consists of SIS-Supplementary-SF (BPCS-SF is not safety-related by
definition). The function SF gets SIL 1. <conditions> is determined by code part 1 above; the test
for ELSE by code part 2. Let's assume they are perfect. You may assume that the rate at which the
THEN fails is at most 10^(-5), and you need 10^(-6) overall. So....

.... all you need to demonstrate concerning SIS-Supplementary-SF is 10^(-1) reliability. QED.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de