[SystemSafety] Proposed rewrite of IEC 61508 "proven in use" assessment conditions for SW

From: Peter Bernard Ladkin < >
Date: Sun, 07 Jul 2013 13:39:41 +0200


The German national committee tasked with IEC 61508 Part 3 (SW) matters has been working for some time on developing the assessment requirements for SW elements to be considered adequately "proven in use". (Please note that the term "proven in use" is a technical term in IEC 61508; one may query whether it is appropriate - I think it is appropriate - but for current purposes I suggest we just accept it.)

On 17 June I started a thread entitled "Qualifying SW as "proven in use"" and referred to a white paper I wrote at
http://www.rvs.uni-bielefeld.de/publications/WhitePaper/LadkinPiUessay20130614.pdf
That white paper had two parts: one detailed via a hypothetical example the problems one might have if the assessment requirements are too lax (specifically, the problems that arise with the current assessment conditions in IEC 61508-3:2010); the second suggested an approach to assessment via Markov processes (which could be extended, maybe, to Bayesian Belief Networks, if one has some information about the internal architecture of the SW - grey box rather than black box).

I had originally tried to approach the issue of modelling how SW behaves by suggesting that it behaves as an (arbitrarily complicated) finite-state machine (FSM), but that approach foundered in two ways:
(1) there is inherent non-determinism in (a) the use of source-code languages which do not have a demonstrably unambiguous semantics; (b) the use of many compilers (especially those which "optimise"); (c) maybe in the linkers; (d) maybe in the realisation of the opcode instructions in HW; and
(2) there are no mature statistical techniques for determining to a given degree of confidence whether exhibited behavior is that of an FSM.

For Point (2) I am *very* grateful for numerous discussions with Bev Littlewood. Bev also suggested that the Markov-process approach might be a way to accommodate Point (1); hence the suggestion in my white paper referenced above.

Members of the IEC Maintenance Team for the 61508 SW part who are interested in the "proven in use" assessment conditions met in Frankfurt on 29 April. The Chair, Audrey Canning, asked the German members at the meeting to prepare a proposal for replacement of the "proven in use" conditions by some we consider more apt. The ultimate goal is formally a "Technical Specification", which is an IEC publication, and possible incorporation into the next edition of IEC 61508-3, which is provisionally scheduled for 2016 (after the formal two-year maintenance action, which is anticipated to start in 2014). The German committee (rather, the subcommittee tasked with SW matters) finished its proposal on 4 July and there is now a text which we would like to offer for general commentary to experts who are not necessarily on the IEC 61508-SW Maintenance Team and who are not necessarily involved with 61508 standardisation committees at all.

The text consists of a series of clauses in IEC-standards format, and is about three pages long. We have made a serious attempt to include explicitly the conditions under which the future failure behavior/frequency of SW can be inferred with some given degree of confidence from past failure behavior, as explained in detail to us over the last four years by Bev Littlewood. Basically, that which is necessary to ensure that the relevant statistical properties of the future proposed use are identical to those of the recorded past use (one of which is, of course, that the recording is veridical!).

(Note: I specifically use the term "failure behavior" of SW to indicate that it is the behavior of running SW which is being talked about, not the static pattern which is source code or object code, and to avoid the trope that that static pattern is not capable of failure in the normal engineering sense, since failure is a behavior which a static pattern ipso facto cannot have.)

The text will eventually become public (we discussed how it should appear on the DKE WWW site). We would like general commentary, but we also have to figure out how to mutate general commentary into something which fits on the formal IEC comment form. So at this point, rather than distribute it generally as an attachment to a message here, we would like to distribute it to those people who explicitly express an intent to read it and comment.

I would like to invite people here to send me a short e-mail note (private, please, to avoid "spamming" the list) expressing an intent to read the short proposed "proven in use" clauses and comment. Comment can be of any form, including general messages to this list, but I would reserve the right to come back to you with a request to shoehorn your points into the formal IEC format (caveat: this can be far more annoying than it might first appear :-) ).

Again, many thanks to Bev for his substantial support. Any mistakes are ours, not his. Indeed, he might be hard put to recognise anything he said in what we've written :-)

Next task is to revise Part 7 Annex D. I'll keep this list advised on that as well. The moral drawn from our discussions so far is that there is both more and less to qualifying pre-existing SW for new future use in a safety-related application than ensuring that the statistical properties in the future use are, to some specified degree of confidence, identical to those determined in the past.


Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
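Added worked example, not part of the message above nor of the DKE proposal it announces: the inference the paragraph on "failure behavior/frequency" refers to, i.e. what failure rate of the running SW can be claimed at a given confidence from a recorded operating history, and how many hours such a record needs. It assumes failures arrive as a Poisson process with the same rate in the recorded past use and the proposed future use and that the record is veridical; the function names and the sample figures are my own.

```python
# Added example (not from the message or the DKE proposal): Poisson-process
# inference from an operating record to a claimed failure rate.  Assumes failures
# of the running SW arrive as a Poisson process whose rate is the same in the
# recorded past use and the proposed future use, and that the record is veridical.
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), summed term by term (no scipy needed)."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def failure_rate_upper_bound(hours: float, failures: int, confidence: float) -> float:
    """One-sided upper confidence bound on the failure rate (per hour).

    Solves P(X <= failures | lambda * hours) = 1 - confidence for lambda by
    bisection: any larger rate would make the observed record implausible at
    this confidence.  With failures == 0 this is -ln(1 - confidence) / hours.
    """
    if hours <= 0 or failures < 0 or not 0 < confidence < 1:
        raise ValueError("need hours > 0, failures >= 0, 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi * hours) > target:  # grow hi until it brackets the root
        hi *= 2.0
    for _ in range(200):  # 200 halvings is far beyond double precision
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid * hours) > target:
            lo = mid
        else:
            hi = mid
    return hi


def hours_required(target_rate: float, confidence: float, failures: int = 0) -> float:
    """Record length (hours) needed before `target_rate` can be claimed at `confidence`.
    The bound is c / hours with c independent of hours, so hours = c / target_rate."""
    return failure_rate_upper_bound(1.0, failures, confidence) / target_rate


if __name__ == "__main__":
    # Constructed figures: 10 000 h recorded with no failure, then with one failure.
    for k in (0, 1):
        print(k, "failure(s):", failure_rate_upper_bound(10_000, k, 0.99))
    print("hours for 1e-5/h at 99 %:", hours_required(1e-5, 0.99))
```

With the same record, a single observed failure raises the claimable rate by roughly 44 % at 99 % confidence, and halving the target rate doubles the hours required, which is why the statistical identity of past and future use matters so much.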

The System Safety Mailing List
Received on Sun Jul 07 2013 - 13:39:54 CEST