[SystemSafety] Baseline Safety Assessment for a Linux-based OS to SIL 3 /ASIL D

Paul Sherwood paul.sherwood at codethink.co.uk
Thu May 8 09:57:38 CEST 2025 

On 2025-05-07 10:50, Prof. Dr. Peter Bernard Ladkin wrote:
> On 2025-05-07 10:55 , Paul Sherwood wrote:
>> .... please take a look at the Safety Assessment Report [2], and let 
>> me know your thoughts!
>> 
>> [2] 
>> https://marketing.codethink.co.uk/asset/20:ctrl-os-baseline-assessment
>> 
> Congratulations on progress! It looks as if you have reached a 
> milestone.

Thanks Peter! I agree it looks that way :-)

> But I am somewhat confused by the concepts used. The baseline 
> assessment appears to say that CTRL OS is <suitable for something> up 
> to SIL 3. That <suitable for something> doesn't occur in, for example, 
> your message title. Neither can I extract it from the baseline 
> assessment. People often try to use 61508 SILs as if they were some 
> kind of criticality level and a statement such as "assessment for CTRL 
> OS to SIL 3" reinforces that impression- But SILs are not criticality 
> levels, and this form of words doesn't have a meaning per se without 
> lots of other bits being filled in.

I confess even after all this time I still don't fully understand the 
linguistic nuances is this special "functional safety language", so 
thank you for your attempt at explanation.

> So here is a short explanation of the concepts behind safety 
> requirements (= SILs on safety functions) in 61508, followed by a 
> request for you to say what is being claimed in terms of these 
> concepts.
> 
> First, pure software does not have a SIL. Safety functions have SILs.

Excellent. Makes sense. And yet in 26262 world, somehow folks certify 
(pure) SEooC software to (say) "ASIL B", and then other folks may stick 
a couple of "ASIL B" things together and call the result "ASIL D". So I 
am also somewhat confused :)

> Second, a safety function is a function that ensures that the risk 
> attached to an operation O (or a collection of operations), that would 
> pose an unacceptable safety risk in the absence of that safety 
> function, is acceptable. Safety requirements in 61508 are SILs assigned 
> to safety functions (that verb "are" is literal).
> 
> Third, a SIL sets the required reliability of the safety function 
> (here, reliability in terms of the proportion of allowed failures/the 
> allowed failure rate). It follows that 61508 safety requirements are 
> reliability requirements on safety functions.
> 
> Fourth, software alone does not have a SIL because running software 
> alone can't result in any unsafe situation (except in the case in which 
> the processor on which it is running overheats, which is dealt with, 
> usually very effectively, by the hardware people). The software has to 
> be attached to some bits and pieces which move, or heat up, or react 
> and it is what those bits and pieces do that is monitored and possibly 
> controlled by a safety function. Software is assigned a systematic 
> capability (SC). Software essential to executing a safety function F 
> with SIL x is assigned SC x.
> 
> Fifth, safety functions are not generic things; they are specific to a 
> safety-related system. There is no provision for assigning a SIL to a 
> generic operation independent of the specific system for which that 
> operation is acting as a safety function. There is concomitantly no way 
> of assigning an SC to generic software which provides various 
> operations of use in building software to run safety functions.
> 
> Sixth, CRTL OS is generic software. There is no safety-related system 
> it is attached to (such as a chemical-reactor pressure vessel), from 
> which SILs for safety functions may be derived and thus SCs inherited 
> by the software driving those safety functions.
> 
> So, I am puzzled as to what is being asserted. I can't tell from the 
> baseline assessment what is being asserted. It is something like the 
> following.
> 
> [begin assertion]
> 
> CTRL has been assessed by exida to be suitable <for something> to SIL 3 
> <without a safety function being mentioned>
> 
> [end assertion]
> 
> Can you please tell me what is being asserted here about CTRL OS?
> 

IIUC exida's position is that CTRL OS "is a safety mechanism with very 
high diagnostic coverage". Not sure if/how this fits with your 
terminology as expressed above.

br
Paul

More information about the systemsafety mailing list