Re: [SystemSafety] Statistical Assessment of SW With Deliberate Unreliability for a SIL requirement

From: Heath Raftery < >
Date: Tue, 27 Jan 2015 08:59:37 +1100


Apologies this reply is out of order - corporate IT is a disconnected beast. This is in reply to the original thread subject, regarding a "Maintenance Mode".

I tend to agree that 61508 is quite clear about software faults being only systematic, not random.

However, when constructing a case based on a proven-in-use argument, I would think that the statistical fitness for purpose is all you have to go on. Whether there is code present that can disable safety functions - deliberately or accidentally - is moot if the proven-in-use argument shows that it does not occur given the intended operating environment.

If you're treating the software as a black box, you must assume there are bugs and/or a deliberate hobbling mode. All that matters is that it is fit for purpose to the surety level requirement.

Heath

On 22/01/2015 12:15 AM, jean-louis Boulanger wrote:
> I am surprised ....
>
> I read "Can such SW be presented as "black box" with statistical
> evidence of its fitness for purpose, and accepted for use based on the
> statistical assessment?"
>
> For software it's not possible to have statistical evidence.
> The failure is 1 (yes, the software has faults and failures appear).
>
> The DAL/SSIL ... help us to replace statistics with a confidence level.
>
> For unspecified code, deactivated code and/or dead code ... we have
> some recommendations related to the design assurance level.
>
>
> 2015-01-21 14:08 GMT+01:00 RICQUE Bertrand (SAGEM DEFENSE SECURITE)
>
> If it is unspecified and cannot be activated, wouldn't it be
> considered as dead code under DO?
>
> Bertrand Ricque
> Program Manager
> Optronics and Defence Division
> Sights Program
> Mob : +33 6 87 47 84 64
> Tel : +33 1 58 11 96 82
>
>
> *From:* Nick Tudor
> *Sent:* Wednesday, January 21, 2015 2:07 PM
> *To:* RICQUE Bertrand (SAGEM DEFENSE SECURITE)
> *Cc:* Peter Bernard Ladkin; The System Safety List
> *Subject:* Re: [SystemSafety] Statistical Assessment of SW With
> Deliberate Unreliability for a SIL requirement
>
> Under DO, not on statistical evidence. The functionality has to be
> shown that it cannot be activated unintentionally and this is not
> done through statistical analysis...."the one in a million chance
> happens 9 times out of 10" [Pratchett]
>
>
> Nick Tudor
> Tudor Associates Ltd
> Mobile: +44(0)7412 074654
> www.tudorassoc.com
>
> 77 Barnards Green Road
> Malvern
> Worcestershire
> WR14 3LR
> Company No. 07642673
> VAT No: 116495996
>
> www.aeronautique-associates.com
>
> On 21 January 2015 at 12:59, RICQUE Bertrand (SAGEM DEFENSE
> SECURITE) <bertrand.ricque_at_xxxxxx>
> Do you think it violates ARP and DO ?
>
> Bertrand Ricque
> Program Manager
> Optronics and Defence Division
> Sights Program
> Mob : +33 6 87 47 84 64
> Tel : +33 1 58 11 96 82
>
> -----Original Message-----
> From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx] On Behalf Of Peter Bernard Ladkin
> Sent: Wednesday, January 21, 2015 11:30 AM
> To: The System Safety List
> Subject: [SystemSafety] Statistical Assessment of SW With Deliberate
> Unreliability for a SIL requirement
>
> I am working with others on a reformulation of IEC 61508 Part 7
> Annex D, on the statistical assessment of software presented with
> black-box functionality.
>
> Rainer Faller brought up an interesting example. He has seen SW
> which is proposed to be used in a safety-related application, which
> has a Safety Requirements Specification (SRS) in that application,
> and which has a "Debug/Maintenance" mode, triggered by a specific
> input sequence known to the SW developer of course, but not
> necessarily to the system developer who wishes to use it in the new
> safety-related application.
>
> Can such SW be presented as "black box" with statistical evidence of
> its fitness for purpose, and accepted for use based on the
> statistical assessment?
>
> I've written a White Paper on the case, RVS White Paper 8, available
> at
> http://www.rvs.uni-bielefeld.de/publications/WhitePapers/LadkinFallerExample20150101.pdf
>
> PBL
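A worked illustration of the point argued above, added here as an example and not taken from any post in this thread or from the White Paper: Python code that (a) computes the per-demand failure probability that n failure-free demands demonstrate at a given confidence (the zero-failure binomial bound) and (b) under an assumed, constructed input model in which each demand carries a uniformly random k-symbol input, the chance that a specific maintenance-mode trigger sequence is hit by accident. The input model, the 46 050 demands, the 99 % confidence and the 4-byte trigger are all constructed assumptions.

```python
import math

def pfd_upper_bound(n_demands: int, confidence: float) -> float:
    """Largest per-demand failure probability p still consistent with seeing
    zero failures in n_demands independent demands, at the given confidence.
    Solves (1 - p)^n = 1 - confidence (the zero-failure binomial bound)."""
    if n_demands <= 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need n_demands > 0 and 0 < confidence < 1")
    return 1.0 - (1.0 - confidence) ** (1.0 / n_demands)


def demands_for_target(target_pfd: float, confidence: float) -> int:
    """Failure-free demands needed before pfd_upper_bound() reaches target_pfd."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - target_pfd))


def trigger_probability(alphabet_size: int, sequence_length: int) -> float:
    """Assumed input model (not from the thread): each demand carries a uniformly
    random input of sequence_length symbols from alphabet_size values, so a
    fixed maintenance-mode trigger sequence matches with probability m^-k."""
    return float(alphabet_size) ** (-sequence_length)


def demands_to_observe(p_event: float, probability: float = 0.5) -> int:
    """Demands needed for a per-demand event to occur at least once with the
    given probability, i.e. the smallest n with 1 - (1 - p)^n >= probability."""
    return math.ceil(math.log(1.0 - probability) / math.log(1.0 - p_event))


def assess_hidden_mode(n_demands, confidence, alphabet_size, sequence_length):
    """Compare what the proven-in-use sample bounds against the chance of the
    same sample hitting the hidden trigger by accident."""
    bound = pfd_upper_bound(n_demands, confidence)
    p_trig = trigger_probability(alphabet_size, sequence_length)
    return {
        "pfd_bound": bound,              # what zero failures in n demands proves
        "trigger_prob": p_trig,          # per-demand chance of accidental activation
        "expected_activations": n_demands * p_trig,
        "demands_to_see_one": demands_to_observe(p_trig),
        # True: the sample is expected to contain no activation, so it cannot
        # distinguish "no such mode exists" from "the mode is there but dormant".
        "invisible_to_sample": n_demands * p_trig < 1.0,
    }


if __name__ == "__main__":
    # Constructed figures: 46 050 failure-free demands at 99 % confidence, 4-byte trigger.
    for key, value in assess_hidden_mode(46050, 0.99, 256, 4).items():
        print(f"{key:>22}: {value}")
```

With these constructed figures the sample bounds the PFD at about 1e-4 per demand while the accidental-trigger chance is about 2.3e-10 per demand, so the proven-in-use data is equally consistent with the mode being absent or present, which is exactly the gap between the two positions in the thread.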



The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Mon Jan 26 2015 - 22:59:52 CET

This archive was generated by hypermail 2.3.0 : Fri Apr 26 2019 - 05:17:07 CEST