[SystemSafety] An open source vehicle

David Ward david.ward at horiba-mira.com
Wed May 11 10:08:14 CEST 2022


We do of course have more detailed requirements in ISO 26262 on independence; it will be interesting to see how the proposals for IEC 61508 Ed3 align to these.

David Ward

-----Original Message-----
From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> On Behalf Of Peter Bernard Ladkin
Sent: 11 May 2022 08:35
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] An open source vehicle

On 2022-05-10 23:27 , Stefano Costa wrote:
>
> Well actually my understanding is that building safe hardware and
> software is (also) a matter of independent review and test, and of
> course this ought not to be done by the same individuals developing or
> designing the architecture. This is a reason for medium to big
> corporations perhaps being more into safety, not the only one of
> course

I suspect there is very much more going on behind the scenes than is evident from brief descriptions. It is not as if engine-control SW is not safety-critical - remember Bookout/Toyota.
That means inter alia that functional safety standards must be fulfilled.

If we are not talking about road vehicles, then we would be talking IEC 61508. (ISO 26262 is the appropriate standard for road vehicles, obviously, but I know about 61508 text and much less about 26262 text.) If you are writing SW nominally conformant with IEC 61508-3, then there are between 50 and 60 documentation requirements that you must fulfil.

That is a lot of documentation for a single person. It is a lot of work even for a small company. Not only that, but it is not as if these requirements are all clear and well-explained. Reading the standard and understanding what is thereby required is a non-trivial skill, most efficiently practiced by organisations set up to do this as part of their regular business.

A single person can of course write 61508-conformant SW. But this will usually be done through subcontracting to an organisation responsible for ensuring that the 61508 documentation requirements are fulfilled (and seen to be fulfilled).

And it is not as if all the nominal requirements are rational -- see the comment about subclause 7.7.2.7.a) below. So the organisation has to know what is rational and what is not rational and must fulfil the irrational requirements rationally. That usually requires experience and some negotiation.

IEC 61508 also has some vague guidance on who should review and test, that is, what counts as relative independence. Edition 3 will have more specifics on that. (Some credit is due. Theo Hannen worked this out in detail for the German mirror committee, where it was discussed on many occasions. Some of this work, but by no means all, has made it into the CD of Edition 3).

IEC 61508-8 also says (subclause 7.7.2.7.a) "testing shall be the main validation method for software". Anyone intellectually familiar with the science and engineering of SW knows this is, as Americans of my generation say, a crock. SW is assigned a Systematic Capability (SC) such that a safety function with SILx may operationally involve SW with SCx (or higher). If the "systematic" (that is, design-related) failures of the safety function are intended to be comparably rare with random HW failures, then it was already well-known through two simple arguments four years before the first publication of IEC 61508 that this rarity of failure is not possible to achieve through testing the SW (Littlewood-Strigini in CACM, Butler-Finelli in IEEE TSE) for SC2-SC4.

PBL

Prof. i.R. Dr. Peter Bernard Ladkin, Bielefeld, Germany
Tel+msg +49 (0)521 880 7319
www.rvs-bi.de

