[SystemSafety] RE : Qualifying SW as "proven in use"

Date: Tue, 18 Jun 2013 10:41:00 +0200

Hi Peter,

Let's start some miles behind.

There are 2 ways to claim that anything is compliant to 61508: 1 - Compliance. Yes, I know, it looks stupid as the way to claim compliance is nor ruled by the standard neither by the market. I can claim it on the ground of my reputation without having to bring any proof. Let's assume: on the basis of analysis made by firms having a strong reputation on the market. 2 - Proven use.

Proven in use: what a nice idea.

The standard is about safety. A manufacturer cand esign and put on the market a new equipment and get it "certified " for "compliance" for a given use (restricted operational and functional environment) for a "safety" purpose. Let's say safety critical pupose.

Now let's go to your paper. First of all, you choose the example of a manufacturer, but we must rememeber that the standard adresses anybody. So a user could do it. Let's assume the user has more or less the same problems than the manufacturer.

There are two possibilities for the previous use of the C equipment: 1 - previously used in a safety application with all the associated usual safety requirements (in particular dysfunctional requirements). Then it means obviously that the plant/application was NOT already compliant to 61508. Let's assume this is possible, although I doubt that plenty of users will shout it to the public... 2 - previously used in a non safety application. We can imagine that there are non-safety applications presenting very similar characteristics. I have however some doubts but lets assume it.

>From a manufacturer point of view, it can be interesting to re-use C, most probably parts of C as C-SW, in new products. Honestly, I don't see any manufacturer going to the market saying: hey guys, here is my very old equipment that I have re-packaged and will sell you twice the price for safety applications with a nice SIL 3 stamp. The need is more like: hello, my dear certification company, here is my new product, it made of well known pieces, so please don't charge us too much for the certificate. You can consider C-SW as "proven in use", here are the data.

>From an end-user point of view, (and this is what was in mind of the writers - "was" because it is becoming too demanding, and they are loosing the rules in 61511, pushing BTW 61508 for manufacturers only ...), if one can get rid of case 1, the issue is not to change anything in an existing plant and to, would an inspector ask strange questions, proove that the plant is the safest in the world and complies to any possible regulation. For competent and responsible end-users, the need it to have a framework to properly select equipments on sound basis and not on manufacturers data sheets.

That's the context at business level. It is clear that points 1 and 2 of Martyn, in a non regulated context, will remain a dream for ever...

When it goes to technical level:
* Concerning manufacturers, in the industries at the origin of the standard, I don't know a single one having a solid process to collect data from the users. Some adjust the calculated MTBF with the return rate for repair in the factories. Concerning electronic equipment, if an expensive piece of hardware is not attached to the electronic board, it is usually thrown to the garbage... Most of them don't knwo at alla where and how are installed the equipement. It is actually the opposite The users are the best organised to gather data (OREDA, EIREDA, etc...). So I think that the issue is very theoretical for manufacturers. * Concerning end-users, before even entering in your considerations (I fully support BTW), and remaining within the concerns of the writers of the standard (shaping a much narrower picture actully):

I am rather pessimistic about the outcomes in 61511. As far as 61508 is concerned, my opinion, converging more and more with several opinions expressed here is that:

* Concerning software, the requirements must obviously be very stringent
* This will implicitely so much limit the applicability of the concept that it will become useless for end-users and PLCs,
* May-be it will be applicable for very tiny parts of firmware for manufacturers
* It will de-facto create an insconsistency with 61511 if 61511 doesn't align on 61508 requirements

Bertrand Ricque

Date d'envoi : lundi 17 juin 2013 12:32
À : systemsafety_at_xxxxxx Objet : [SystemSafety] Qualifying SW as "proven in use"


there is a significant question how SW can be qualified as "proven in use" according to IEC 61508:2010. There is a judgement in some quarters (notably the German national committee) that the criteria in IEC 61508:2010 are inappropriate. I think it wouldn't be out of place to say that many in the IEC 61508 Maintenance Teams find the current criteria unsatisfactory in one way or another.

We in Germany have been discussing the issue and possible solutions for a couple of years, and recently the discussion has gone international. There seems to be a general feeling that qualifying SW statistically via the approach given by the exponential failure model is not practical, because the data requirements are overwhelming - it is regarded by most as implausible that companies will have the requisite data to the requisite quality even for SIL 2. But even if you qualify your SW for SIL 2 or higher without such data, then at some point some data will exist and people use such data as evidence that the original assessment was accurate. But what sort of evidence does it offer? The answer is probably a lot less than you might be convinced it does.

There seems to me to be a lack of examples where things can go wrong - at least a lack of examples specifically adapted to assessments according to IEC 61508:2010. So I wrote one up - fictitious but I hope still persuasive - to illustrate what (some of) the assurance issues are. I hope it can aid the debate.



Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de

The System Safety Mailing List
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."
" This e-mail and any attached documents may contain confidential or proprietary information. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."

The System Safety Mailing List
Received on Tue Jun 18 2013 - 10:41:50 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:05 CEST