[SystemSafety] SILs and Security Levels

RICQUE Bertrand (SAGEM DEFENSE SECURITE) bertrand.ricque at sagem.com
Tue Apr 26 16:29:19 CEST 2016


Thank you for your remarks. I add some comments.

Subsystem definition = minimal cutset. What is the physical subsystem in a 2oo3 architecture? :-))) Unstable definition.
TM: I am not aware of this definition in IEC 61508. According to the definition in part 4, a subsystem may HAVE a 2oo3 architecture, and it would then HAVE three minimal cutsets: (channel1 FAILED & channel2 FAILED), (channel1 FAILED & channel3 FAILED), (channel2 FAILED & channel3 FAILED).
BR: right, so you have 3 "subsystems" corresponding to 3 combinations of 3 physical pieces of equipment but not corresponding to an identified piece of equipment. Requirements applicable to equipment or components are difficult to transpose to "moving" arrangements of equipment. Add diversity to the picture and try to apply the requirements ... During edition 2 it was discovered that the definition was flawed. In particular the HFT requirement was applicable to the subsystem (in the minds of the original writers a subsystem was "the sensors", "the logic solver", "the actuators"). Of course it is impossible to apply HFT = 2 to the above example (as you have 3 subsystems and not one ...). Several persons opposed a change to the subsystem definition. The correction was done by lifting the HFT requirement to system level ...

Failure rates : applicable at function level, not at system level and even less at equipment level.
TM: the definition in part 4 seems quite clear to me. It is the rate of failure occurring, regardless of what the failure is about (be it a function of a complex system, or just the ability of an optocoupler to provide isolation).

Fault tolerance : unclear to what and how it finally applies. The famous case of the backplane ...
TM: The famous backplane case doesn't ring a bell... :-) - can you give a hint or link?
BR: SIL 3 HFT = 1 at best, but the redundant CPUs are on a single backplane ... Rationale?!?

Diagnostics: unclear between the requirement for diagnostics embedded in equipment and diagnostics created at system level. E.g. it is unclear whether two simple sensors are a better architecture than a single congruency-check sensor.
TM: I don't think this is a matter of definitions and concepts. It is an engineering judgement about the quality of diagnostic measures implemented in a given system and its application. IEC 61508-2 provides recommendations in tables A.2 - A.14.
Which architecture of your sensor subsystem example is the better one (i.e. the one with higher integrity) is not only determined by diagnostics.
BR: This is interesting. The annexes require features but never really the performance of the features (according to the targeted SIL). Performance of diagnostics (only the coverage aspect of the performance) is only used in Route 1H with SFF. BTW I don't know if we will get rid of Route 1H in edition 3, but some of us will try ...
" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
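The two points argued above (three minimal cutsets of a 2oo3 subsystem, and a redundant architecture whose channels share one backplane) can be checked mechanically. The following is an added example, not part of the original message or of IEC 61508: it brute-forces the minimal cutsets of a system described by a Boolean structure function and derives the hardware fault tolerance (HFT) as the size of the smallest minimal cutset minus one. The component names (ch1, ch2, ch3, backplane) and the assumption that the backplane is a single point of failure common to all three channels are constructed for illustration.

```python
from itertools import combinations


def minimal_cutsets(components, system_works):
    """Return the minimal cutsets of a system.

    components   : iterable of component names.
    system_works : callable taking a frozenset of FAILED components and
                   returning True if the system still performs its function.

    A cutset is a set of failed components that makes the system fail; it is
    minimal if no proper subset is itself a cutset. Sizes are enumerated in
    increasing order, so any previously recorded cutset that is a subset of the
    candidate proves the candidate is not minimal.
    """
    comps = list(components)
    cutsets = []
    for size in range(1, len(comps) + 1):
        for failed in combinations(comps, size):
            failed_set = frozenset(failed)
            if any(c <= failed_set for c in cutsets):
                continue  # a smaller cutset is contained: not minimal
            if not system_works(failed_set):
                cutsets.append(failed_set)
    return cutsets


def hardware_fault_tolerance(cutsets):
    """HFT = N means any N faults are tolerated, N+1 may not be.

    With minimal cutsets known, that is (smallest cutset size) - 1.
    """
    return min(len(c) for c in cutsets) - 1


CHANNELS = frozenset({"ch1", "ch2", "ch3"})


def two_out_of_three(failed):
    """2oo3 voting: the function survives while at least 2 channels work."""
    return len(CHANNELS - failed) >= 2


def two_out_of_three_shared_backplane(failed):
    """Same 2oo3 logic, but all channels sit on one backplane (assumption:
    a backplane failure takes down every channel at once)."""
    if "backplane" in failed:
        return False
    return two_out_of_three(failed)


def analyse_2oo3():
    cs = minimal_cutsets(CHANNELS, two_out_of_three)
    return cs, hardware_fault_tolerance(cs)


def analyse_2oo3_with_backplane():
    cs = minimal_cutsets(CHANNELS | {"backplane"}, two_out_of_three_shared_backplane)
    return cs, hardware_fault_tolerance(cs)


if __name__ == "__main__":
    for label, (cs, hft) in (("2oo3", analyse_2oo3()),
                             ("2oo3 + shared backplane", analyse_2oo3_with_backplane())):
        print(f"{label}: HFT = {hft}")
        for c in sorted(cs, key=lambda s: (len(s), sorted(s))):
            print("  minimal cutset:", sorted(c))
```

For the plain 2oo3 subsystem the three minimal cutsets are exactly the channel pairs TM lists and HFT is 1. Adding the shared backplane introduces the single-element cutset {backplane}, which drops HFT to 0 regardless of the channel redundancy; this is the rationale gap BR points at.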

