Re: [SystemSafety] Separating critical software modules from non-critical software modules

From: Eliop < >
Date: Tue, 23 Jul 2013 10:55:15 +0200

Hello, Myriam.
Just one remark (though many could be made): I have sometimes found that, if the amount of non-safety related software is not big, and the development team is small, it is better (cheaper) to develop the whole of it as if every function were SIL 4. Using a unique process, methodology, set of tools, and set of practices is a big advantage, even if it would not be necessary for every function / component.

2013/7/23 M Mencke <menckem_at_xxxxxx

> Dear All,
> For any software development project, many software modules are involved,
> where some are defined as safety critical, others are not. For example, in
> railway signaling, communications modules are likely to be defined as
> critical, whereas other modules such as those involving data storage or
> other basic functions are not. An analysis may be performed with the
> objective of demonstrating that the safety critical modules are entirely
> independent from the non critical modules, leading to the conclusion that
> the application of a programming standard for safety critical software is
> only required for those modules defined as safety critical (note the phrase
> “with the objective of demonstrating…”; I would hesitate before drawing the
> conclusion that the analysis really demonstrates what it is supposed to
> demonstrate).
> In my field the EN 50128 would be applied, however, it could be any
> standard for safety critical software. Thus, the software is developed
> applying the standard only to the modules which have been defined as
> “safety critical”. In order to supposedly save time/money, etc., the rest
> of the modules are developed as non-critical software, either as SIL 0
> functions or according to a standard programming standard. My question is
> whether such an approach is really valid, given that the application of a
> safety critical standard does not only involve the application of specific
> language features, it involves an entire development life cycle, and I find
> it difficult to see how the modules defined as “non-critical” then do not
> form part of that life cycle. I’m not saying it is not valid, but I would
> like to know how others see this.
> Additionally, if the same programmers are involved in the programming of
> both critical and non-critical modules, does it really make sense that they
> only pay attention to the features required for safety critical software
> when programming the critical modules, and modify their programming style
> for the rest of the modules (or revert back to their “usual” style)? These
> questions also depend on what you consider as critical, for example, for a
> control system with a HMI, you could only consider communication modules
> critical, however, you need a GUI to display the status of the elements an
> operator has to control correctly. Some operations performed by the
> operator may not have the potential to generate a hazard with a high
> severity level, because there are mitigations in place. However, that
> doesn’t necessarily mean that the software responsible for displaying the
> information should not be programmed according to a safety critical
> standard. I am aware that these questions don’t have an “easy” answer; any
> opinions would be appreciated.
> Kind Regards,
> Myriam.
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx >

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Tue Jul 23 2013 - 10:55:22 CEST

This archive was generated by hypermail 2.3.0 : Sun Apr 21 2019 - 00:17:06 CEST