Re: [SystemSafety] Fault, Failure and Reliability Again (short)

From: SPRIGGS, John J < >
Date: Wed, 4 Mar 2015 16:02:56 +0000


... and the process/quality requirements of RTCA/DO-178 are selected on the basis of risk severity, not the probability or failure rate.

John

-----Original Message-----
Sent: 04 March 2015 15:58
To: 'Peter Bernard Ladkin'; systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] Fault, Failure and Reliability Again (short)

Some time back I had the opportunity to sit down with the heads of the FAA certification panel (we were doing something unusual) and we discussed this to a great extent. The outcome is that for the purposes of certification the failure rate of software is not considered as the FAA do not believe it possible to reliably calculate a failure rate for software.

The figure of 10^(-9) applies ONLY to hardware; software is required to meet the process/quality requirements as given in DO-178 and verified means of audit (i.e. they come in and work you over ;-).

Cheers.

-----Original Message-----
From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx]
Sent: 04 March 2015 14:55
To: systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] Fault, Failure and Reliability Again (short)

On 2015-03-04 15:22, Peter Bernard Ladkin wrote:
> I didn't say "standards", I said certification requirements.

I take that back. I in fact said "certification standards". What I meant was, US 14 CFR 25.1309(b) :

[begin quote]
(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that-
(1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and
(2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.
[end quote]

and CS-25.1309(b) :

[begin quote]
(b) The aeroplane systems and associated components, considered separately and in relation to other systems, must be designed so that -
(1) Any catastrophic failure condition
(i) is extremely improbable; and
(ii) does not result from a single failure; and
(2) Any hazardous failure condition is extremely remote; and
(3) Any major failure condition is remote.
[end quote]

Suppose you have a piece of kit whose behavior can result in a failure condition (which would prevent..../ catastrophic), and this kit is digital and its behavior is largely governed by SW logic.

Here's a fault tree / causal failure graph / BBN:

<kit fails catastrophically> <--- ((HW fails in such-and-such a way) OR (SW fails in such-and-such a way))

The regs set a numerical condition on the left-hand node: namely, extremely improbable, which is to say a probability of 10^(-9) per operating hour (used not to mean it, but does now). You've got to get that from equivalent sorts of measures on the RHS.

I take it people are content with doing it for the LH disjunct: HW fails at (less than) probability X per operating hour.

So, now who's going to tell me you don't need to do it for the RH disjunct?

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de



The System Safety Mailing List
systemsafety_at_xxxxxx
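The OR node in the fault tree above, worked through as an added example (this is not code from the list post or from any of its participants). It carries each branch as a probability interval so that an unquantified software branch can be propagated honestly as [0, 1] rather than silently dropped, uses the 10^(-9) per operating hour figure for "extremely improbable" as the thread does, and assumes the HW and SW disjuncts are independent; the numeric branch values in the demo are constructed, not taken from any real system.

```python
from typing import Tuple

# A probability is carried as an interval (lo, hi) so that an unquantified
# branch can be propagated through the tree without pretending to a number.
Interval = Tuple[float, float]

# "Extremely improbable" as the thread uses it: 1e-9 per operating hour.
EXTREMELY_IMPROBABLE = 1e-9

# A branch nobody has quantified: all we can say is 0 <= p <= 1.
UNKNOWN: Interval = (0.0, 1.0)


def known(p: float) -> Interval:
    """A branch with a quantified per-hour failure probability."""
    return (p, p)


def or_gate(*inputs: Interval) -> Interval:
    """OR of independent events: P = 1 - prod(1 - p_i), applied bound-wise."""
    lo_miss, hi_miss = 1.0, 1.0
    for lo, hi in inputs:
        lo_miss *= 1.0 - lo
        hi_miss *= 1.0 - hi
    return (1.0 - lo_miss, 1.0 - hi_miss)


def and_gate(*inputs: Interval) -> Interval:
    """AND of independent events: P = prod(p_i), applied bound-wise."""
    lo_all, hi_all = 1.0, 1.0
    for lo, hi in inputs:
        lo_all *= lo
        hi_all *= hi
    return (lo_all, hi_all)


def meets_target(p: Interval, target: float = EXTREMELY_IMPROBABLE) -> bool:
    """A claim is only supportable if the WORST case (upper bound) meets the target."""
    return p[1] <= target


def kit_fails(p_hw: Interval, p_sw: Interval) -> Interval:
    """The tree from the post: <kit fails> <--- (HW fails) OR (SW fails)."""
    return or_gate(p_hw, p_sw)


def sw_budget(p_hw: float, target: float = EXTREMELY_IMPROBABLE) -> float:
    """Largest per-hour SW failure probability that keeps the OR node at or
    under target, solved from 1 - (1 - p_hw)(1 - p_sw) <= target."""
    if p_hw >= target:
        return 0.0  # the hardware branch alone already consumes the budget
    return 1.0 - (1.0 - target) / (1.0 - p_hw)


if __name__ == "__main__":
    hw = known(4e-10)  # constructed figure for the HW branch, per operating hour
    both = kit_fails(hw, known(5e-10))
    print("HW and SW both quantified:", both, "meets 1e-9:", meets_target(both))
    open_sw = kit_fails(hw, UNKNOWN)
    print("SW unquantified:", open_sw, "meets 1e-9:", meets_target(open_sw))
    print("SW budget left by the HW figure:", sw_budget(4e-10))
```

The point the interval form makes explicit: with the SW branch left as [0, 1], the top event's upper bound is 1.0 no matter how good the hardware figure is, so no claim of "extremely improbable" can be read off the tree; the only ways out are to bound the SW branch numerically or to argue the target by some route other than this tree.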


Received on Wed Mar 04 2015 - 17:03:04 CET

This archive was generated by hypermail 2.3.0 : Thu Apr 25 2019 - 18:17:07 CEST