Re: [SystemSafety] Paper on Software Reliability and the Urn Model

From: Peter Bernard Ladkin < >
Date: Wed, 25 Feb 2015 12:41:49 +0100

On 2015-02-25 12:20, Martyn Thomas wrote:
> Can you list all the assumptions that are necessary before drawing conclusions about future
> reliability from the operational history?

Let me address the context first. Annex D has been published in a highly-referenced standard for 17 years now, and in my judgement it is awful. It doesn't stress even the basic assumptions, and I have anecdotal evidence that people are coming to assessors, having plugged in the numbers from Table D.1 of Annex D, and saying "see, we got the numbers, so approve the software". In cases in which, for example, the SW has been through lots of different versions. For example, an RTOS. Doesn't work. So in my opinion Annex D should say !!DOESN'T WORK!! in big red letters.

Annex D needs rewriting. I don't think it's going to stop the above behavior if it's just omitted from the next version of IEC 61508. Besides, taking something out of a standard in which it's been for 17 years is a political task well beyond any political capabilities I might have.

Someone needs to suggest what should be in a rewrite. That's the point of the current exercise, a contribution to that.

Can we get it right (you ask above)? Dunno. You be the judge when the paper is available. If there is stuff wrong in it, I promise you it will be fixed. If there's critical stuff missed out, it'll get put in.

And of course it's only input. What will come out of IEC deliberations I cannot predict.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319

The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Wed Feb 25 2015 - 12:41:55 CET
