[SystemSafety] SCSC

paul_e.bennett at topmail.co.uk paul_e.bennett at topmail.co.uk
Thu Jul 18 16:48:12 CEST 2019 

On 18/07/2019 at 2:28 PM, "Olwen Morgan" <olwen at phaedsys.com> wrote:
>
>On 17/07/2019 11:24, Jon Hind wrote:
>> Well that was a nostalgic link - who remembers (about 1993 at 
>BAFTA, 
>> London ? ) a stand-up row between a speaker who was claiming 
>many 9's 
>> - at least 5 or possibly 6 for his controller and an audience 
>member 
>> (next to, but not me) who definitely disagreed ?
>> Thinking about it it may have been an InstMC event not SCSC.
>>
>I've yet to see a software system reliability calculation that I 
>find 
>anywhere near convincing. Nobody ever seems minded to check 
>whether the 
>statistical independence assumptions on which the modelling relies 
>are 
>actually satisfied by the system under consideration. And that's 
>quite 
>apart from even harder issues of system performance drift, which 
>can 
>easily invalidate critical invariance assumptions. If you raise 
>this 
>sort of thing as an issue, you tend to get called a pedant - even 
>if all 
>you ask for is relevant caveats to be put in the system 
>documentation.
>
>Olwen

With one contract I was involved with, the client requirements documentation
stated that they would not accept any integrity claims above 10E-2 for any single
channel of control that relied on software. They were only a little more lenient on
pure electronic hardware, and most forgiving on relay based systems that used
Force-Guided Contact Relays.

In order to meet the overall Systems Integrity Requirements it was necessary to
devize a system with multiple channels that checked each other with differing
technology for the logic, up to and including mechanical interlocking of the most
critical machine movements.

So, someone claiming many nines on a single channel will quickly earn my scorn,
I am taking one channel as reliant on one processor die. The comment I saw earlier
in this list "If it's on the same die it won't fly." is the right sided thinking, which means
that even the on-chip watchdogs would be considered part of the same channel, and
not able to be considered independent enough. I am not saying we don't use those
in-built watchdogs, but we also need to add further independent means of checking
and intervention to prevent faulty actions.

Regards

Paul E. Bennett IEng MIET
Systems Engineer
Lunar Mission One Ambassador
-- 
********************************************************************
Paul E. Bennett IEng MIET.....
Forth based HIDECS Consultancy.............
Mob: +44 (0)7811-639972
Tel: Due to relocation - new number TBA. Please use Mobile.
Going Forth Safely ..... EBA. www.electric-boat-association.org.uk..
********************************************************************

More information about the systemsafety mailing list