[SystemSafety] EUROCAE document 039/ ED-80

RICQUE Bertrand (SAGEM DEFENSE SECURITE) bertrand.ricque at sagem.com
Tue Oct 14 15:55:04 CEST 2014


The standard is not free from contradictions and inconsistencies and will soon be improved again.

The standard leaves the user free to select the required SIL for a function by any means, rational or not. The informative part suggests different ways to combine the severity of the hazard concerned with the probability or frequency of occurrence of the initiating conditions for the hazard, along with other criteria such as the capability to escape the situation (if the passengers had a parachute maybe there would not be any DAL A in the planes ...) and others. There are plenty of ways to decide a SIL for a given function. In industry you very often find non-rational things such as: everything must be SIL 2, with the exception of the situations you don't feel comfortable with, which you put at SIL 3 ... This is not against the standard.

The standard is not a risk assessment standard. It takes the results from the risk assessment to put requirements on safety systems design.

It is thus not surprising that:
* Risk assessment is quickly (poorly) covered by the standard
* Some assumptions on the way risk assessment is realised are made by the standard
* Persons not used to risk assessment look in the standard to find answers
* Persons applying the standard experience difficulties when they start consolidating the bottom-up approach (incompatible functions, antagonistic failure modes, etc.). This is normal; the standard is neither designed nor tailored to tackle such issues.

I am beginning to be convinced that an approach combining:
* the Top-Down of ARP,
* with the questioning of requirements of 61508,
* with the methods/rigour obligations of 61508,
* with the requirements of DO could be valuable.

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque at sagem.com


-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Bridal Olof
Sent: Tuesday, October 14, 2014 3:12 PM
To: Peter Bernard Ladkin; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80

Peter,

It feels a bit awkward to have this discussion with you since you are one of the few people who actually understand the definition of SIL in IEC 61508. In fact, we agree a lot more than you might think.

About your statement "a SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate", I have no problem with the "reliability condition" part but disagree with "does not depend in any way on the severity".

For example, in IEC 61508-1, clause 7.5.2.3 we find "a target safety integrity requirement shall be determined that will result in the tolerable risk being met". Since risk is defined as a combination of the probability and severity of harm, I think it is clear that the severity *does* influence the target safety integrity requirement and thus the required SIL. A safety function intended to prevent the occurrence of very severe consequences will typically be assigned a higher SIL than a safety function that is intended to prevent less severe consequences, all other things being equal.

Taking the on-demand case as an example, let's say that we are worried about some particular potential harm of severity S. The actual risk can be expressed as the combination (P1*P2, S), where P1 is the occurrence probability of the hazard that the safety function is intended to mitigate and P2 is the safety function's on-demand probability of failure. The tolerable risk with respect to the considered potential harm may similarly be expressed as (P3, S). In order to meet the tolerable risk we now have to make sure that P2 < P3/P1, and this simple inequality will be the basis for the determination of the SIL, which of course is a discretized representation of P2. It may seem like P3/P1 is independent of S, but that is not true since P3 depends on S! As previously stated, the combination (P3, S) represents the tolerable risk and it should be clear that the higher the S, the lower the P3 has to be in order to be 'tolerable'.

But you are of course right in that once the required SIL has been determined and documented somewhere, it does not in itself provide any information about the severity (or the probability for that matter) of the potential harm.

/Olle
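The inequality P2 < P3/P1 in Olle's post above, carried through to a SIL band, as an added worked example that is not part of the thread and not taken from IEC 61508 itself. The PFD bands are the low-demand-mode bands of IEC 61508-1 Table 2; the severity-to-tolerable-probability table (TOLERABLE_P3), the severity class names and the numeric inputs are constructed assumptions for illustration only. The example also shows Peter's point that the resulting SIL alone does not reveal S, and the clause 7.6.2.11 prompt that a SIL 4 result should trigger consideration of additional risk reduction.

```python
"""On-demand SIL determination from (P1, S): P2 < P3/P1, then discretise P2.

Added example; the tolerable-probability table below is an assumption,
not a table from IEC 61508.
"""

# IEC 61508-1 Table 2, low demand mode: (SIL, lower PFD bound inclusive,
# upper PFD bound exclusive) for the average probability of dangerous
# failure on demand of the safety function.
PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]

# CONSTRUCTED assumption: tolerable probability P3 of the harm, by severity S.
# The point of the example is only that a higher S gets a lower P3.
TOLERABLE_P3 = {
    "negligible": 1e-2,
    "minor": 1e-3,
    "major": 1e-5,
    "catastrophic": 1e-6,
}


def target_pfd(p1, p3):
    """Upper bound on the safety function's PFD (P2) so that P1 * P2 < P3."""
    if p1 <= 0 or p3 <= 0:
        raise ValueError("P1 and P3 must be positive probabilities")
    return p3 / p1


def sil_for_target_pfd(pfd):
    """Discretise the required P2 into a SIL band.

    Returns 0 when the bound is so loose that no SIL is required (P2 may be
    >= 0.1), the band's SIL when the bound falls inside a band, and None when
    the bound is below the SIL 4 band and cannot be met by one safety function.
    """
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in PFD_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def assess(p1, severity):
    """Full chain for one hazard: (P1, S) -> P3 -> P2 bound -> SIL."""
    p3 = TOLERABLE_P3[severity]
    bound = target_pfd(p1, p3)
    sil = sil_for_target_pfd(bound)
    return {
        "severity": severity,
        "p3": p3,
        "target_pfd": bound,
        "sil": sil,
        # Clause 7.6.2.11 (as summarised in the thread): a SIL 4 designation
        # should prompt a look for additional risk reduction, e.g. reducing
        # severity or likelihood, before the designation is accepted.
        "review_additional_risk_reduction": sil == 4,
    }


if __name__ == "__main__":
    # Constructed inputs: one hazard with P1 = 0.05 demands per year,
    # run through every severity class to show S driving the SIL.
    for s in TOLERABLE_P3:
        print(assess(0.05, s))
    # Two different (P1, S) pairs that land on the same SIL: the SIL alone
    # does not tell you the severity (Peter's point).
    print(assess(0.05, "major")["sil"], assess(0.005, "catastrophic")["sil"])
```

Run stand-alone, the loop shows the same P1 moving from no SIL requirement through SIL 1 and SIL 3 to SIL 4 purely because P3 falls with severity; the last line prints two SIL 3 results for a "major" and a "catastrophic" hazard, which is why a documented SIL cannot be read back as a severity.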

-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
Sent: 14 October 2014 1:29
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80

Olle,

On 2014-10-14 11:47, Bridal Olof wrote:
> .... I don't fully agree with the statement that "a SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate".
>
> Part 5 of IEC 61508, and particularly its appendixes C-G, clearly show that the potential "consequence" (i.e. degree of injury) of a hazard is an important factor in the determination of the *required* SIL for the safety function.

I think it wise to distinguish between what is normative, and what is informative only. The definition of SIL in Part 1 (Clause 7.6) is normative. That normative process makes no reference to severity per se, with one exception:

Clause 7.6.2.11 says that if something gets SIL 4 designation then (part a)) you must consider whether this designation can be avoided by considering additional risk-reduction measures, including specifically considering whether severity can be reduced or likelihood can be reduced.

The examples, and examples of methods, in Part 5 are informative. That means, taken literally, that it is entirely up to you whether you follow or not, that is, add in particular consideration of severity or not. Obviously, considering severity is a particular part of considering risk, but it is the overall risk that the normative part addresses, not severity per se.

This may seem legalistic to some, but my general view of matters is that clarity of concept is important. Otherwise people (lots of them, in my experience) are going to think, for example, that SILs and DALs are essentially the same kind of thing. The concept of assigning something a reliability condition based on (overall) risk, and assigning something a criticality (which is what I call a measure based on severity) are two different things, because risk and severity are not the same thing (although one is a component of the other).

As Bertrand says, in practice the two get mushed together. The same might be said of the entire documentation of which IEC 61508 consists, and I can't think the standard is better for it.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de




_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE