Re: [SystemSafety] words you cannot use at GM

From: RICQUE Bertrand (SAGEM DEFENSE SECURITE) < >
Date: Thu, 22 May 2014 15:18:31 +0200


Hello Thomas,

1 - Your assumption about what is currently discussed within the frame of the revision of 61511 is right.

2 - I am not allowed to disclose working documents outside the working groups and the national committees. I find this stupid because I feel that it is a good thing to share the opinions of a maximum of persons, but dura lex sed lex.

3 - 61511:2003 is paradoxaly (but not surprisingly) now inconsistent with 61508:2010 and as you cannot apply 61511 without 61508, I just consider that between 2010 and the date 61511 edition 2 will be officialised there is a black hole. So I don't care anymore about 61511:2003.

4 - My understanding of what is currently pushed by our US colleagues with very shy opposition (if any) from our german and French colleagues (most of them end-users) is even more pessimistic than the example given by Peter as I even don't see the if then else !

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 58 11 96 82
Bertrand.ricque_at_xxxxxx

-----Original Message-----
Sent: Thursday, May 22, 2014 2:33 PM
Subject: Re: [SystemSafety] words you cannot use at GM

As I am currently travelling too, I allow myself to also respond quickly at this point: the suggested implementation of the SIF referred to as "SF", whose safety integrity shall be SIL1, is not in compliance with SIL 1 per IEC 61511:2003. I hear there are modiications underway in the emerging next edition, which may allow such an implementation. I have only informal & high-level information about this however, not enough to make any statement on compliance. Before I find time for a more detailed answer, for which I also would need some further clarifications from your side, I wpould like to ask Bertrand Rique, who appears to have detailed knowledge on both current and emerging editions of 61511, to provide his comment both regarding compliance with IEC 61511:2003 and the upcoming edition.

Med venlig hilsen / Best regards / Mit freundlichen Grüßen

Thomas Maier
E: Thomas.Maier_at_xxxxxx
T: +45 42 13 74 52

-----Oprindelig meddelelse-----
Sendt: 22. maj 2014 12:33
Emne: Re: SV: [SystemSafety] words you cannot use at GM

On 2014-05-21 10:14 , Maier, Thomas wrote:
> A correction regarding IEC 615011:
>
> That minimum failure rate per IEC 61511 is specified in Part 1 clause
> 8.2.2: “The dangerous failure rate of a BPCS (which does not conform
> to IEC 61511) that places a demand on a protection layer shall not be assumed to be better than *10^-5 per hour*.”

I grant you that my point was badly expressed, a disadvantage of responding quickly while multitasking on the train. But there is no correction to be made. Bertrand's response to you is abstract but correct.

Let me be more concrete. Suppose you have a safety function SF with SIL 1, which functionality is also provided by the BPCS. The function the BPCS provides, call it BCPS-SF, is by definition not a safety function.

Suppose you implement code in your SIS which does the following.

Now, how reliable does this safety-related code SIS-Supplementary-SF have to be?

Here is the reasoning. The required safety function is SF. The executing code implementing SF is

SF: IF <conditions> THEN BPCS-SF ELSE SIS-Supplementary-SF

The safety-related code here consists of SIS-Supplementary-SF (BPCS-SF is not safety-related by definition). The function SF gets SIL 1. <conditions> is determined by code part 1 above; the test for ELSE by code part 2. Let's assume they are perfect. You may assume that the rate at which the THEN fails is at most 10^(-5), and you need 10^(-6) overall. So....

.... all you need to demonstrate concerning SIS-Supplementary-SF is 10^(-1) reliability. QED.

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de

This e-mail may contain privileged or confidential information. If you are not the intended recipient: (1) you may not disclose, use, distribute, copy or rely upon this message or attachment(s); and (2) please notify the sender by reply e-mail, and then delete this message and its attachment(s). Underwriters Laboratories Inc. and its affiliates disclaim all liability for any errors, omissions, corruption or virus in this message or any attachments.



The System Safety Mailing List
systemsafety_at_xxxxxx #
" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."

" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system." #

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Thu May 22 2014 - 15:18:45 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST