Re: [SystemSafety] ARRL: A Criterion for Composable Safety and Systems Engineering

From: Peter Bernard Ladkin
Date: Tue, 24 Sep 2013 12:39:39 +0200


I guess one is talking about http://hal.archives-ouvertes.fr/docs/00/84/85/21/PDF/8_-_20130065.pdf

On 9/24/13 11:27 AM, Braband, Jens wrote:
> .... IMHO it contains a lot of unfounded statements and also some obvious errors,

I agree there are some significant errors. I'll restrict myself here to the misconceptions concerning IEC 61508 SILs and safety requirements.

> -Table 1 is completely wrong.

Yes, it is completely and utterly wrong. It appears to correlate commercial-aerospace severity categories (for example, from AMC25) with IEC 61508 SILs. There is no conceptual relation between these whatever.

AMC25 severity classes are measures of how much damage is caused. They are measured by lives lost, injuries caused, and metal bent (or composites fractured).

IEC 61508 SILs are reliability classes of safety functions. They are measured by a rate of dangerous failures per operational hour.

> -Also table 2 is oversimplified, e.g. neither does ASIL-D correspond completely to SIL 3 or DAL B
> nor does SIL 4 to DAL A

That is quite correct; they don't correspond. DALs are requirements on system components. SILs are requirements on safety functions.

Best to keep straight the distinction between system components (or "items" in IEC 61508 terminology) and safety functions, which are behaviors implemented by system components.

> -A SIL is not a system property,...

That is quite correct.

> -A SIL level alone is not the top level safety requirement.

A SIL is never a top-level safety requirement. Proof is as follows.

See IEC 61508-1:2010 Section 7.5 Overall Safety Requirements:

[begin quote]

7.5.1 Objective

The objective of the requirements of this subclause is to develop the specification for the overall safety requirements, in terms of the overall safety functions requirements and overall safety integrity requirements, for the E/E/PE safety-related systems and other risk reduction measures, in order to achieve the required functional safety.

7.5.2 Requirements

7.5.2.1 A set of all necessary overall safety functions shall be developed based on the hazardous events derived from the hazard and risk analysis. This shall constitute the specification for the overall safety functions requirements.

[end quote]

So, there are overall safety requirements; these are derived from the hazard and risk analysis; and they are developed/specified *in terms of* (amongst other things) safety integrity requirements. A safety integrity requirement is a requirement that a specific safety function have a specific SIL.

I don't know why there should still be this level of confusion a decade and a half since the standard was published. I suspect it may have to do with the fact that buying the 61508 document is so expensive that most people don't do it and they rely for their understanding on hearsay.

I see two solutions to that problem, if it is one.

  1. Everyone should join their local standards committee, whereby a copy will be made available for free. However, the ensuing cost of refreshments at meetings will likely bankrupt the local standards organisation.
  2. The standards document should be much cheaper than it is; even free. I know a dozen people on this list who will support such a proposal for very good reason. Distributing standards free would trash the business model of the IEC (even though clever people could fix that model). But making it a lot less expensive would be something the IEC could do tomorrow, if it chose, and to my mind it should so choose.

PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319
www.rvs.uni-bielefeld.de



The System Safety Mailing List
Received on Tue Sep 24 2013 - 12:39:44 CEST
