[SystemSafety] Critical systems Linux

Olwen Morgan olwen at phaedsys.com
Wed Nov 21 19:35:05 CET 2018


On both occasions when I've seen SCADE proposed for critical system 
developments, there has been no convincing economic or technical 
justification for using it. It's fine for systems of the scale that you 
put in aircraft, but I've seen several bare-metal software engineers 
seduced by the TuV certification, only to point out to them that a chain 
of simpler, cheaper tools could do the job just as well.

Alas the silver bullet mentality is ever present among certain kinds of 
systems engineers.


Olwen


On 21/11/2018 18:07, Ferrell, Uma D. wrote:
>
> Use of any type of tool (Tool Qualification) is subject to assessment 
> of fitness-of-purpose on a case-by-case basis in aviation as well. I 
> can certainly see some regulators being enamored by the features of a 
> specific tool without thinking about the purpose of the tool on a 
> specific project. This is a common pitfall.
>
> *From:*systemsafety 
> <systemsafety-bounces at lists.techfak.uni-bielefeld.de> *On Behalf Of 
> *Olwen Morgan
> *Sent:* Wednesday, November 21, 2018 1:01 PM
> *To:* systemsafety at lists.techfak.uni-bielefeld.de
> *Subject:* Re: [SystemSafety] Critical systems Linux
>
> Just to be clear, I wasn't casting aspersions on SCADE but on the 
> situation in which one TuV looks askance at something to which another 
> TuV gives qualified approval. As it happened, SCADE was a steam hammer 
> to crack a nut on the machine safety project to which I referred. It 
> ended up using Coloured Petri-Nets instead.
>
> TuV Sud had issued the certification (subject to assessment of 
> fitness-for-purpose on a case-by-case basis) and it was TuV Rheinland 
> that looked askance at it. I gathered at the time (maybe mistakenly) 
> that TuV Rheinland is more familiar with safety of machinery 
> applications than is TuV Sud and possibly thereby brought a somewhat 
> more rigorous point of view to bear on the matter.
>
> I'm not a huge fan of SCADE but that's just a personal foible. 
> Thinking in terms of Petri-Nets comes easier to me than does thinking 
> in terms of temporal logic.
>
> Olwen
>
> On 21/11/2018 14:14, Tom Ferrell wrote:
>
>     As someone who frequently audits specific projects where
>     organizational level approvals have been granted by TÜV Süd, I
>     would suggest their focus tends to be more broad and not to the
>     same depth that I am accustomed to for aviation.  The KCG code
>     generator contained within SCADE has been qualified multiple times
>     for aviation work. This qualification is based on the fact that
>     KCG is built on a formal language, LUSTRE.  The proofs
>     accomplished to demonstrate the model to code conversion have been
>     looked at repeatedly and found to be complete and correct in all
>     cases that I am aware of.
>
>     *From:*systemsafety
>     [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] *On
>     Behalf Of *Olwen Morgan
>     *Sent:* Wednesday, November 21, 2018 9:00 AM
>     *To:* systemsafety at lists.techfak.uni-bielefeld.de
>     <mailto:systemsafety at lists.techfak.uni-bielefeld.de>
>     *Subject:* Re: [SystemSafety] Critical systems Linux
>
>     On 21/11/2018 10:16, Peter Bernard Ladkin wrote:
>
>     <snip>
>
>         What it means is that TÜV Süd (those last two letters are
>         lower-case) has investigated the system and says that it can
>         be used in certain ways with certain properties which TÜV has
>         claimed to have established to a certain "systematic
>         capability". Since much of the evidence TÜV Süd will have
>         looked at is IP, you as a user don't get all the required
>         evidence for your safety case. TÜV just says "trust us" and
>         many assessors do.
>
>     <snip>
>
>     Esterel's SCADE tool has been certified for use in safety-critical
>     applications by one TuV but I've worked on a machine safety
>     project in which another TuV appeared to discourage its use
>     because, AFAI recall, they felt uneasy about the
>     fitness-for-purpose of the generator that it used to create C code
>     from system models.
>
>     Perhaps TuVs should print the certificates on toilet paper?
>
>     Olwen
>