[SystemSafety] SIL upstream and downstream, EUROCAE document 039/ ED-80

Rolle, Ingo ingo.rolle at vde.com
Thu Oct 16 13:11:33 CEST 2014


Hello,

IEC 61508-1 requires a risk analysis, and risk according to the ISO/IEC Guide is the combination of severity and probability. Insofar, IEC 61508 requires severity to be included.

From a didactic viewpoint: whether you determine the SIL by a risk analysis (upstream, as Bertrand says) or calculate and provide proof that you can reach it (downstream), it's always "SIL".

The IEC 62443 series, however, which deals with IT security and also introduces staggered requirements, this time along the scale of "SL = security level", makes this distinction. We get SL target and SL achieved, and also SL capability with respect to components.

Ingo Rolle

-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of RICQUE Bertrand (SAGEM DEFENSE SECURITE)
Sent: Tuesday, 14 October 2014 11:49
To: Peter Bernard Ladkin; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80

Hi Peter,

Some remarks on your synthesis:

" A SIL is a required-reliability condition and not a severity assessment. A DAL is a severity condition and not a reliability condition."

Concerning the SIL: yes, among other requirements the SIL leads to a probabilistic requirement on reliability. BUT, upstream, in the determination of the required SIL for a given function, the severity is almost always taken into consideration.

Concerning the DAL: yes, the DAL selection comes from a table taking only into account the severity. BUT it leads downstream to reliability claims.

What becomes interesting is to compare the outcomes/consequences of both frameworks.

IEC 61508 does not aim to consolidate the residual risk bottom-up at system level (all the functions together, the plant, etc.). ARP does, as it is a top-down approach from the beginning.

It appears that if a top-down approach were to be applied with IEC 61508 concepts, the orders of magnitude of required reliability would increase (something like being doubled). More analysis is needed to dig into this subject and we are working on that.

It appears also that IEC 61508 does not make the assumption that the system requirements are perfect (contrary to ARP, which I consider a flaw) and thus encompasses a larger scope, including operator mistakes.

I started working in this field coming from process industries with the opinion that IEC 61508 was a loose and flawed standard and aeronautics the ultimate.

If I wanted to be caustic and schematic, I would say that my mind has changed and that the aeronautics guys are top-level engineers working on a flawed concept, while the process industries have a not-so-bad standard but totally lack the competencies to even understand it. Sic transit gloria mundi...

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque at sagem.com


-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
Sent: Tuesday, October 14, 2014 11:23 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] EUROCAE document 039/ ED-80



On 2014-10-14 09:34 , SPRIGGS, John J wrote:
> In my experience, when people compare safety standards and guidelines that use "levels" to inform assurance activities, they assume that the levels are in some way equivalent.  That is usually a false assumption, as is the case here; there is absolutely no correlation between the SILs of IEC61508 and the levels of ED-80 or ED-12.

Yes, this seems to be coming up about a couple of times a month in my environment at the moment. I am not completely sure why. Let's try to lay it to rest. Here are a couple of short paragraphs.

IEC 61508 is based on the concept of functions of the equipment under control not being acceptably safe (according to some unspecified social convention). It requires additional functions, called safety functions, to be installed to render some dangerous situations benign and thus achieve acceptable safety. These safety functions may themselves fail, but they must not fail often enough to vitiate acceptable safety. So there is a reliability condition imposed on each safety function, to specify the level of acceptable failure of the safety function. The reliability condition is called a SIL and there are four of them, although logically there are a couple of additional categories which are conflated with one or other of the four.

Design Assurance Levels (DALs) in the airborne segment of commercial aviation have a different focus. Certification of commercial airplanes and airborne equipment considers deleterious consequences of things happening contrary to purpose (breaking or other misbehaviour). These are called "effects", and they are subdivided into severities: "no effect", "minor", "major", "hazardous" and "catastrophic" effects. This conceptualisation is long-standing, from way before digital-electronic kit made its way into commercial aircraft. A DAL is assigned to a piece of kit mirroring the severity of a failure of the kit.

A SIL is a safety function reliability condition and does not depend in any way on the severity of the hazard it is intended to mitigate. A DAL depends on the severity of the hazard occurring through a failure and not at all on the frequency of such a failure.

A SIL is a required-reliability condition and not a severity assessment. A DAL is a severity condition and not a reliability condition.

Further, a SIL, being a reliability condition, is expressed probabilistically. A DAL is an absolute condition. However, the evidence regarded as necessary to claim that a DAL has been achieved (the Acceptable Means of Compliance criteria) has probabilistic/statistical aspects.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de




_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE