Re: [SystemSafety] Modelling and coding guidelines: "Unambiguous Graphical Representation"

From: SPRIGGS, John J < >
Date: Thu, 17 Mar 2016 13:09:13 +0000

Hi Matthew,
I do not know the provenance, but I will speculate. Twenty-four hours a day for three hundred and sixty-five days is 8760 hours (I would, of course, have used 8766). It probably arises from someone in committee saying “Surely, a failure-free year is sufficient”. The document was, after all, developed by an industry association of equipment suppliers; I assume that they would not want to make it too hard. I know ED-109 is not for avionics, but if they had read across from the then-current JAR-25 requirements for civil avionics, which did not use risk matrices, preferring hard limits, they would have found a larger number of hours was required for the equivalent assurance level (and then, perhaps, they should be looking for a 95% confidence level rather than saying, “We assume that there was a single failure just after we stopped monitoring at time T, so we will use the quantity 1/T to compare with the limit in the JAR”…

From: Matthew Squair [mailto:mattsquair_at_xxxxxx
Sent: 17 March 2016 12:45
Cc: Peter Bernard Ladkin; systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] Modelling and coding guidelines: "Unambiguous Graphical Representation"

Strangely, that COTS low number has been 'used in anger' on a project of mine. Any idea where it came from?

Matthew Squair

MIEAust, CPEng
Mob: +61 488770655
Email: Mattsquair_at_xxxxxx
Web:

Peter wrote: "... let me refer you to the current edition of IEC 61508, Parts 2 and 3. The conditions on "proven in use" for SW are to my mind incoherent. "

IEC 61508 is not alone in being incoherent on this matter. EUROCAE Document ED-109 (RTCA/DO-278, if you prefer) sets assurance levels on the basis of the severity of the risk that is being mitigated but, in a note about using service history to support assurance for COTS and the like, it suggests a (low) number of failure-free hours that can be used to claim achievement of some assurance levels. But, surely, that is "likelihood", which should be orthogonal to severity.

The newer version, ED-109A (RTCA/DO-278A) does not have this note, which may be why some have said that the COTS requirements are much more onerous than in the original...


-----Original Message-----
From: systemsafety [mailto:systemsafety-bounces_at_xxxxxx
Sent: 16 March 2016 07:23
Subject: Re: [SystemSafety] Modelling and coding guidelines: "Unambiguous Graphical Representation"


The System Safety Mailing List
systemsafety_at_xxxxxx

Received on Thu Mar 17 2016 - 14:09:54 CET

This archive was generated by hypermail 2.3.0 : Sat Feb 23 2019 - 10:17:08 CET
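As an added worked example, not part of any message in the thread above, the following script carries through the arithmetic behind John Spriggs's point about "1/T" versus a 95% confidence level. It assumes failures arrive as a Poisson process with a constant rate (the standard assumption underlying failure-free-hours claims), and the target rate of 1e-5 per hour used at the bottom is an illustrative value chosen here, not a figure from ED-109, DO-278 or JAR-25.

```python
"""Service-history ("proven in use") arithmetic for a zero-failure observation.

Added worked example; not code from the System Safety list thread.
Assumption (mine, not the thread's): failures follow a Poisson process with a
constant rate lam per hour, so P(no failure in T hours) = exp(-lam * T).
"""
import math

# The two "one year" figures from the thread: calendar year vs mean (Julian) year.
HOURS_PER_CALENDAR_YEAR = 24 * 365      # 8760
HOURS_PER_MEAN_YEAR = 24 * 365.25       # 8766


def naive_rate(failure_free_hours: float) -> float:
    """The 'assume one failure just after we stopped monitoring at T' estimate: 1/T."""
    if failure_free_hours <= 0:
        raise ValueError("observation period must be positive")
    return 1.0 / failure_free_hours


def upper_bound_rate(failure_free_hours: float, confidence: float = 0.95) -> float:
    """Upper confidence bound on the failure rate after ZERO failures in T hours.

    The largest rate still consistent with seeing no failure, at the given
    confidence, solves exp(-lam * T) = 1 - confidence, i.e.
        lam = -ln(1 - confidence) / T
    which is about 3/T at 95%: three times the naive 1/T figure.
    """
    if failure_free_hours <= 0:
        raise ValueError("observation period must be positive")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -math.log(1.0 - confidence) / failure_free_hours


def hours_required(target_rate: float, confidence: float = 0.95) -> float:
    """Failure-free hours needed before one may claim rate <= target_rate."""
    if target_rate <= 0:
        raise ValueError("target rate must be positive")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -math.log(1.0 - confidence) / target_rate


def supports_claim(failure_free_hours: float, target_rate: float,
                   confidence: float = 0.95) -> bool:
    """True if the observed failure-free period demonstrates the target at that confidence."""
    return upper_bound_rate(failure_free_hours, confidence) <= target_rate


if __name__ == "__main__":
    for label, t in (("calendar year", HOURS_PER_CALENDAR_YEAR),
                     ("mean year", HOURS_PER_MEAN_YEAR)):
        print(f"{label}: T = {t:g} h, 1/T = {naive_rate(t):.3e} /h, "
              f"95% upper bound = {upper_bound_rate(t):.3e} /h")
    # Illustrative target only (not a value taken from any standard on the page).
    target = 1e-5
    need = hours_required(target)
    print(f"to claim <= {target:g} /h at 95%: {need:.0f} h "
          f"(about {need / HOURS_PER_MEAN_YEAR:.1f} years of failure-free service)")
    print("one failure-free year supports that claim:",
          supports_claim(HOURS_PER_CALENDAR_YEAR, target))
```

The script makes the gap concrete: one failure-free year supports a 95% upper bound of roughly 3.4e-4 failures per hour, three times the 1/T figure, and demonstrating even the illustrative 1e-5 per hour at 95% needs about 34 failure-free years. Whether the bound is compared against a hard per-hour limit or mapped to an assurance level is exactly the severity-versus-likelihood question raised earlier in the thread.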