Re: [SystemSafety] SIL ratings to be scrapped?

From: Peter Bernard Ladkin < >
Date: Thu, 22 Aug 2013 11:35:54 +0200


To back up Martin's caveat with other reasons:

I would not argue for scrapping "low-demand" on the sole basis it is inappropriately applied - I think there need to be significantly more reasons than that.

Reactor SCRAM systems are only meant to be used occasionally. Similarly, passenger-emergency-braking systems on trains.

System functions which are invoked occasionally tend to not work when invoked. Emergency slides on commercial transport aircraft exits work as a rule-of-thumb about half the time, which is why the emergency-evacuation certification test is performed with only half the available exits.

So for such systems and functions there need to be defined proof tests and a defined interval for proof tests. And those intervals are dependent upon how often you think the demand for the function is likely to arise.

You don't have such things as proof tests or associated intervals for continuously-operating safety-relevant functions, such as fly-by-wire control systems or ETCS.

Now, I agree that such things as proof tests are not relevant for pure SW "elements" (to use the 61508 preferred terminology), but that SW mostly sits inside something which executes the function and for which proof tests are relevant. How are you going to deal with these differences appropriately if the standard scraps the distinction?

PBL On 8/22/13 9:30 AM, Jensen, Martin Faurschou Jensen wrote:
> I agree with the arguments below when it comes to systems, but we have to keep in mind that 61508 is also used for the development of single elements. For a sensor, designed and developed for use in a SIS, the demand mode makes sense, as this only needs to detect and report a situation, and does not need to contribute in maintaining the safe state afterwards.

> -----Original Message-----
> ......On Behalf Of ECHARTE MELLADO JAVIER
> Sent: 22. august 2013 09:20
> To: Peter Bernard Ladkin; systemsafety_at_xxxxxx > Subject: Re: [SystemSafety] SIL ratings to be scrapped?
>
> I have discussed this mater several times. I think that low demand criteria should disappear because it is usually a fallacious argument.

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Thu Aug 22 2013 - 11:36:06 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:05 CEST