[SystemSafety] Critical systems Linux

Ferrell, Uma D. uferrell at mitre.org
Wed Nov 21 19:07:22 CET 2018


Use of any type of tool (Tool Qualification) is subject to assessment of fitness-of-purpose on a case-by-case basis in aviation as well. I can certainly see some regulators being enamored by the features of a specific tool without thinking about the purpose of the tool on a specific project. This is a common pitfall.

From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> On Behalf Of Olwen Morgan
Sent: Wednesday, November 21, 2018 1:01 PM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Critical systems Linux
Just to be clear, I wasn't casting aspersions on SCADE but on the situation in which one TuV looks askance at something to which another TuV gives qualified approval. As it happened, SCADE was a steam hammer to crack a nut on the machine safety project to which I referred. It ended up using Coloured Petri-Nets instead.

TuV Sud had issued the certification (subject to assessment of fitness-for-purpose on a case-by-case basis) and it was TuV Rheinland that looked askance at it. I gathered at the time (maybe mistakenly) that TuV Rheinland is more familiar with safety of machinery applications than is TuV Sud and possibly thereby brought a somewhat more rigorous point of view to bear on the matter.

I'm not a huge fan of SCADE but that's just a personal foible. Thinking in terms of Petri-Nets comes easier to me than does thinking in terms of temporal logic.
Olwen


On 21/11/2018 14:14, Tom Ferrell wrote:
As someone who frequently audits specific projects where organizational level approvals have been granted by TÜV Süd, I would suggest their focus tends to be more broad and not to the same depth that I am accustomed to for aviation. The KCG code generator contained within SCADE has been qualified multiple times for aviation work. This qualification is based on the fact that KCG is built on a formal language, LUSTRE. The proofs accomplished to demonstrate the model to code conversion have been looked at repeatedly and found to be complete and correct in all cases that I am aware of.

From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Olwen Morgan
Sent: Wednesday, November 21, 2018 9:00 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Critical systems Linux


On 21/11/2018 10:16, Peter Bernard Ladkin wrote:

<snip>

What it means is that TÜV Süd (those last two letters are lower-case) has investigated the system and says that it can be used in certain ways with certain properties which TÜV has claimed to have established to a certain "systematic capability". Since much of the evidence TÜV Süd will have looked at is IP, you as a user don't get all the required evidence for your safety case. TÜV just says "trust us" and many assessors do.

<snip>

Esterel's SCADE tool has been certified for use in safety-critical applications by one TuV but I've worked on a machine safety project in which another TuV appeared to discourage its use because, AFAI recall, they felt uneasy about the fitness-for-purpose of the generator that it used to create C code from system models.

Perhaps TuVs should print the certificates on toilet paper?
Olwen