Re: [SystemSafety] Degraded software performance [diverged from Fault, Failure and Reliability Again]

From: Michael J. Pont < >
Date: Thu, 5 Mar 2015 15:14:24 -0000


I'm not a statistician, and I'm not qualified to judge the details of your paper. In this case, I don't think that matters (but I accept that I may be wrong about this).

My perspective.

I spend my working life helping organisations to create software for embedded systems that need to have deterministic (real-time) behaviour. I've done work in the aerospace sector but most of the systems that I work on at present are in the ISO 26262 or IEC 61508 category.

I have personal concerns about IEC 61508-7 Annex D because I think it is too easy for organisations to get an RTOS "qualified" (and I think RTOSs are used far more often than they should be).

My interpretation of the current issue is very straightforward (I accept that you may call it na´ve): the software doesn't change. To talk about "software reliability" in the same sense as "hardware reliability" therefore makes no sense to me.

More specifically, the approach described in Annex D of IEC 61508 (2010) is - in my view - simply a form of "Black Box" testing. It is a long way from the type of test and verification process that I would expect to see for other software components in an IEC 61508 or related design.

Given your starting point, it's not clear to me that what you propose is really going to be very much better than the current version of Annex D (but I don't pretend that I have tried to do more than skim your paper).

As an alternative, it seems obvious to me that - if we have any faith in the rest of the standard - we should apply this development process to *all* parts of the system software (including the RTOS).

Even if we stuck with the present annex (or perhaps your alternative) but [i] replaced "software reliability" with "system reliability", and [ii] required detailed code and design reviews as an additional requirement, I'd feel happier.

Simply my views.


-----Original Message-----
From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx Peter Bernard Ladkin
Sent: 05 March 2015 13:46
To: systemsafety_at_xxxxxx Subject: Re: [SystemSafety] Degraded software performance [diverged from Fault, Failure and Reliability Again]


On 2015-03-05 13:29 , Michael J. Pont wrote:
> I believe that there are many people on this list who take the view
> that concept of "software reliability" (as used in this appendix) is
> flawed and unhelpful. Replacing this with another appendix that is
> based on the same concept does not seem to me to be a huge step forward.

There are more people on this list with a good publications record in the statistical evaluation of software than there are people who have recently expressed an opinion that the entire approach is flawed.

Not that numbers say anything, of course. Except in committee votes.

What is most obvious is that those denigrating statistical evaluation are almost exclusively aerospace. The clientele of IEC 61508 excludes aerospace and medical devices. I wonder, though, how aerospace, at least civil aerospace, can lecture anyone else on coherence when it can't align its practice with its written requirements?

It is almost equally obvious - at least to me - that almost none of the commentary addressed arguments which actually appear in the papers.

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Je suis Charlie Tel+msg +49 (0)521 880 7319

The System Safety Mailing List

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Thu Mar 05 2015 - 16:14:30 CET

This archive was generated by hypermail 2.3.0 : Fri Apr 26 2019 - 00:17:07 CEST