[SystemSafety] Paper on Software Reliability and the Urn Model

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Wed Feb 25 12:41:49 CET 2015

On 2015-02-25 12:20, Martyn Thomas wrote:
> Can you list all the assumptions that are necessary before drawing conclusions about future
> reliability from the operational history?

Let me address the context first. Annex D has been published in a highly-referenced standard for 17
years now, and in my judgement it is awful. It doesn't stress even the basic assumptions, and I have
anecdotal evidence that people are coming to assessors, having plugged in the numbers from Table D.1
of Annex D, and saying "see, we got the numbers, so approve the software", in cases in which, for
example, the SW has been through lots of different versions, an RTOS for example. That doesn't work. So
in my opinion Annex D should say !!DOESN'T WORK!! in big red letters.

Annex D needs rewriting. I don't think it's going to stop the above behavior if it's just omitted
from the next version of IEC 61508. Besides, taking something out of a standard in which it's been
for 17 years is a political task well beyond any political capabilities I might have.

Someone needs to suggest what should be in a rewrite. That's the point of the current exercise, a
contribution to that.

Can we get it right (you ask above)? Dunno. You be the judge when the paper is available. If there
is stuff wrong in it, I promise you it will be fixed. If there's critical stuff missed out, it'll
get put in.

And of course it's only input. What will come out of IEC deliberations I cannot predict.


Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
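An added illustration of the point about version histories, not from the post and not from IEC 61508 Annex D. It assumes the usual zero-failure model (stated as an assumption, not as Annex D's text): an unchanged program under a fixed operational profile fails as a Poisson process, so after T failure-free hours the one-sided upper bound on the failure rate at confidence C is -ln(1-C)/T. The RTOS release history, version labels and hour counts are constructed. The script contrasts the "plug in the numbers" bound obtained by pooling every hour ever logged with the bound that only the hours on the version actually under assessment can support, and refuses to compute a bound when the history visibly violates the model's preconditions.

```python
import math
from dataclasses import dataclass

# Added example, not from the post or from IEC 61508 Annex D. Assumed model
# (a standard one, stated here as an assumption): an unchanged program under a
# fixed operational profile fails as a Poisson process with rate lam per hour,
# so P(no failure in T hours) = exp(-lam * T). After T failure-free hours the
# one-sided upper bound on lam at confidence C is therefore
#     lam_upper = -ln(1 - C) / T.
# Every version label and hour figure below is constructed for illustration.


@dataclass(frozen=True)
class VersionRecord:
    version: str    # software version that produced these hours
    hours: float    # operating hours logged on that version
    failures: int   # failures observed during those hours


def upper_failure_rate_bound(hours, confidence=0.99):
    """Upper bound on the per-hour failure rate after `hours` failure-free
    hours, at one-sided confidence `confidence`. Zero-failure case only."""
    if hours <= 0:
        raise ValueError("operating time must be positive")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -math.log(1.0 - confidence) / hours


def hours_required(target_rate, confidence=0.99):
    """Failure-free hours needed before the bound drops below target_rate."""
    if target_rate <= 0:
        raise ValueError("target rate must be positive")
    return -math.log(1.0 - confidence) / target_rate


def naive_pooled_bound(history, confidence=0.99):
    """The 'plug in the numbers' approach: count every hour ever logged,
    regardless of which version produced it or whether it failed."""
    return upper_failure_rate_bound(sum(r.hours for r in history), confidence)


def defensible_bound(history, current_version, confidence=0.99):
    """Bound supported only by failure-free hours on the version under
    assessment. Raises if the model's preconditions are visibly violated."""
    cur = [r for r in history if r.version == current_version]
    if not cur:
        raise ValueError(f"no operating history for version {current_version}")
    if any(r.failures for r in cur):
        raise ValueError("failures observed on this version; "
                         "the zero-failure bound does not apply")
    return upper_failure_rate_bound(sum(r.hours for r in cur), confidence)


def claim_is_defensible(history, current_version):
    """True if defensible_bound() can be computed for current_version."""
    try:
        defensible_bound(history, current_version)
    except ValueError:
        return False
    return True


# Constructed RTOS history: four releases, 100,000 hours in total, only the
# last 5,000 of them on the release actually being assessed.
RTOS_HISTORY = [
    VersionRecord("1.0", 40_000, 0),
    VersionRecord("2.0", 25_000, 0),
    VersionRecord("3.0", 30_000, 0),
    VersionRecord("4.0", 5_000, 0),
]

if __name__ == "__main__":
    pooled = naive_pooled_bound(RTOS_HISTORY)
    honest = defensible_bound(RTOS_HISTORY, "4.0")
    print(f"pooled bound (all versions): {pooled:.2e} /h")
    print(f"bound from 4.0 hours only:   {honest:.2e} /h")
    print(f"pooling overstates the evidence by a factor of {honest / pooled:.0f}")
    print(f"hours needed for 1e-5 /h at 99%: {hours_required(1e-5):.0f}")
```

With the constructed history the pooled figure claims a bound twenty times tighter than the hours on release 4.0 can justify, which is exactly the "we got the numbers" situation: the arithmetic is right, the assumption that all 100,000 hours were run on the same program is not. The check in defensible_bound is deliberately narrow; a real assessment would also have to establish that the operational profile in service matches the one the claim is made for.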
