[SystemSafety] What do we know about software reliability?

Olwen Morgan olwen at phaedsys.com
Fri Sep 25 12:51:44 CEST 2020 

FWIW, I've always been sceptical about 61508. Do I detect a large dose 
of irony in the word "finessed"? I'd be more inclined to call it 
"fudged". In my view you cannot meaningfully speak of software 
reliability unless you have rigorous input-source and output-sink 
modelling (and many thanks, BTW, to Michael J, who kindly pointed out my 
omission of the output side in a previous posting).

Having had long and frustrating experience of random C shops, populated 
with what I call the "lumpenengineeriat", I have strong views in this 
matter. Things that one sees all the time are:

(1) Underassessment of system criticality,

(2) A "tick the boxes" mentality that ignores fitness-for-purpose of the 
practices upon which the box-ticking was putatively justified,

(3) Dire ignorance of and hostility towards soundly-based techniques,

(4) Haphazard use of CASE tools,

(5) Absence of intellectual discipline among engineers - s/w engineering 
does not require great intellectual puissance but it needs intellectual 
discipline by the train-load.

TBH, I've given up on expecting rapid progress in this field, if only 
because the standardisation itself has become, IMO, pretty 
dysfunctional. Everywhere there are tribal frictions where there ought 
to be constructive synthesis. You see this particularly in programming 
language standards, where it sometimes seems as if the language itself 
has engendered an in-group, inward-looking culture. How else could one 
be told that a technically sensible improvement was "not in the spirit" 
of a language? Call me a pessimist but I honestly believe we need to get 
specialists to look at this sort of thing from a sociolinguistic 
perspective.


Olwen



On 24/09/2020 12:35, Peter Bernard Ladkin wrote:
>
> On 2020-09-24 11:59 , Martyn Thomas wrote:
>> IEC 61508 ignore the probability that a hardware design is incorrect (we used to talk about
>> 'systematic errors' to distinguish them from random failures', but I haven't seen that expression
>> used recently).
> Yes, 61508 ignores probabilities attached to systematic failure, of either HW or SW. Deliberately.
> It is a controversial subject, as we see here in miniature.
>
> It is finessed by talking about objects (HW, SW or both) having a "systematic capability", which is
> a non-numerical quality saying how appropriate it is for that object to be used to implement a
> safety function with a given SIL. So for example an object with SC3 can be used to implement a SIL3
> safety function and an object with SC2 not.
>
> It goes along with a list of techniques and analysis types. Basically, you can claim a higher SC if
> you have used more of those techniques during development, and lower if fewer.
>
> The general idea is sort of right. If you have used SPARK thoroughly in your software development,
> used a validated SPARK-to-C compiler and a verified C compiler, and you have done it all right, then
> I think we can have more reliance on the machine code produced than if we farmed the specs out to
> some random C shop and took what they delivered without oversight or further analysis.
>
> However, I am sceptical about the way SC is handled in 61508, which is check-boxy: "have you used
> FM?" Yes/no. "Have you used semi-FM?" Yes/no. Not how or why or to do what. I am wary, but it is
> central to 61508.
>
> PBL
>
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> Styelfy Bleibgsnd
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
>
>
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
> Manage your subscription: https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/pipermail/systemsafety/attachments/20200925/1afecf07/attachment.html>

More information about the systemsafety mailing list