[SystemSafety] Software Safety Requirements according to IEC 61508

Matthew Squair mattsquair at gmail.com
Tue May 24 09:44:52 CEST 2016 

Thanks! 

There's also Bev Littlewood and John Rushby's 'possibly perfect' papers about diverse two channel systems. Which I like particularly for their treatment of aleatory and epistemic uncertainty. 

Matthew Squair

MIEAust, CPEng
Mob: +61 488770655
Email; Mattsquair at gmail.com
Web: http://criticaluncertainties.com

> On 23 May 2016, at 7:07 PM, Peter Bishop <pgb at adelard.com> wrote:
> 
> Alternatively, you try an argument like this one.
> 
> "Does software have to be ultra reliable in safety critical systems?"
> http://openaccess.city.ac.uk/2465/
> 
> It argues you can achieve better *for the overall system* *in the long term*
> *if*
> - there is some fallback in the overall system to prevent disaster
> - there are relatively few (dangerous) faults
> - faults, when found, are fixed with relatively high probability
> 
> In this argument, the initial failure rate the software is not
> particularly significant, So 10-5 or even 10-3 does not change the long
> term safety of the system very much.
> 
> This type of argument is not sensitive to changes in operational profile
> (which is always an issue with conventional software reliability arguments).
> 
> Peter Bishop
> 
>> On 22/05/2016 11:00, Peter Bernard Ladkin wrote:
>> On 2016-05-22 09:41 , Matthew Squair wrote:
>>>> Why do something that demonstrably brings you nothing, but costs resources?
>>> 
>>> Because the standard made me? :) 
>>> 
>>> Actually the legal formalism implicit in the wise crack above is one justification.
>> 
>> I don't see how.
>> 
>> "Your honour, our prior calculation of reliability of this software-based safety function was
>> 10^(-5) per operating hour. We based this on our development procedures and prior experience with
>> safety functions of this type that we and others have implemented, and our estimate was accepted by
>> the assessor as thorough and provisionally accurate.
>> 
>> Neither we nor any of our colleagues and competitors have software, any software, ever, which
>> implements this safety function which has run for the requisite period of time to achieve a higher
>> reliability estimate than 10^(-5) or less failure probability per operating hour. In order to
>> improve this estimate, such a piece of software would have to log some 45 million operating hours
>> without the slightest alteration in an identical environment to that in which our software runs. If
>> that had happened, we could be 99% certain that our software had a 10^(-6) or less probability of
>> failure. That would be an improvement. But no one has ever run any software of that sort, without
>> change, for that length of time, ever, and we doubt that anybody ever will. So no one has a better
>> estimate than ours of 10^(-5) failure probability.
>> 
>> Furthermore, we propose that it is not in any sense reasonably practicable to exercise our software
>> for 45 million operating hours in the exact environment in which it was installed. The ALARP
>> requirement is fulfilled by our existing estimate.
>> 
>> We are aware that the nominal reliability requirement for this function was set higher. We think
>> that is a design mistake. We are not responsible for the design. We discharged our responsibility
>> concerning this design mistake in that we argued to the client at the time that this was
>> inachievable in any practical sense. Our argument is correct and is mathematically uncontentious. It
>> must be accepted by any engineer.
>> 
>> Our software achieved, and achieves, what is achievable. No one can do any better, and no one has
>> any software for this function which they can demonstrate is more reliable.
>> 
>> Far from being grossly negligent, or even negligent, our software is demonstrably amongst the most
>> carefully developed and most reliable there is for this task. We refute any claim of negligence, and
>> thereby the opposition's claim for compensation."
>> 
>> This isn't theory. It is what has actually been argued in court. Indeed, I don't see what other
>> argument would ever be used in these circumstances if this one is available.
>> 
>> PBL
>> 
>> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
>> Je suis Charlie
>> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety at TechFak.Uni-Bielefeld.DE
> 
> -- 
> 
> Peter Bishop
> Chief Scientist
> Adelard LLP
> Exmouth House, 3-11 Pine Street, London,EC1R 0JH
> http://www.adelard.com
> Recep:  +44-(0)20-7832 5850
> Direct: +44-(0)20-7832 5855
> 
> Registered office: Stourside Place, Station Road, Ashford, Kent TN12 1PP
> Registered in England & Wales no. OC 304551. VAT no. 454 489808
> 
> This e-mail, and any attachments, is confidential and for the use of
> the addressee only. If you are not the intended recipient, please
> telephone 020 7832 5850. We do not accept legal responsibility for
> this e-mail or any viruses.
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20160524/b344e309/attachment-0001.html>

More information about the systemsafety mailing list