[SystemSafety] SIL ratings to be scrapped?
Gerry R Creech
grcreech at ra.rockwell.com
Thu Aug 22 13:30:11 CEST 2013
Myriam,
Isn't 'high demand' also a demand mode, that happens to use PFH and
different from continuous mode?
In continuous mode, we can only take credit for diagnostics that can
detect a failure and carry out the specified action within the process
safety time.
In high demand mode, we can take credit for diagnostics where the ratio of
the test rate to the demand rate equals or exceeds 100.
Best regards,
Gerry Creech
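An added example (not code from any of the posts in this thread) that puts the rules in this message into a small Python model: the two diagnostic-credit conditions stated above (detection plus action within the process safety time for continuous mode; test rate at least 100 times the demand rate for high demand), the PFDavg and PFH figures of a simplex channel, and the SIL band each falls in. The channel's failure rates, demand rate and proof-test interval are constructed sample values, and the PFD/PFH formulas are the simplest 1oo1 textbook forms.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# SIL bands from IEC 61508-1: (lower bound inclusive, upper bound exclusive, SIL)
PFD_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
PFH_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]

@dataclass
class Channel:
    """A single (1oo1) safety channel with constant failure rates, per hour."""
    lambda_du: float        # dangerous failures the diagnostics cannot detect
    lambda_dd: float        # dangerous failures the diagnostics do detect
    diag_interval_h: float  # diagnostic test interval
    action_time_h: float    # time to carry out the specified safe action

def diagnostics_credited(ch, mode, demands_per_hour=None, pst_h=None):
    """The two credit rules stated in the message above."""
    if mode == "continuous":
        # detection plus the specified action must fit inside the process safety time
        return ch.diag_interval_h + ch.action_time_h <= pst_h
    if mode == "high":
        # diagnostic test rate must be at least 100 times the demand rate
        return (1.0 / ch.diag_interval_h) / demands_per_hour >= 100.0
    raise ValueError("low demand is judged on PFDavg and proof tests, not on this rule")

def pfd_avg(ch, proof_test_interval_h):
    """Low demand: PFDavg of a 1oo1 channel as lambda_DU * T / 2 (repair ignored)."""
    return ch.lambda_du * proof_test_interval_h / 2.0

def pfh(ch, credited):
    """High demand or continuous: PFH of a 1oo1 channel. When diagnostics
    cannot be credited, detected dangerous failures count as undetected."""
    return ch.lambda_du if credited else ch.lambda_du + ch.lambda_dd

def sil_band(value, bands):
    """Map a PFDavg or PFH figure to its SIL; 0 means below SIL 1."""
    for low, high, sil in bands:
        if low <= value < high:
            return sil
    return 0

if __name__ == "__main__":
    # constructed sample channel: one demand per month, yearly proof test
    brake = Channel(lambda_du=5e-7, lambda_dd=9e-6, diag_interval_h=1.0, action_time_h=0.01)
    demand_rate = 12.0 / HOURS_PER_YEAR
    print("low demand PFDavg:", pfd_avg(brake, HOURS_PER_YEAR), "SIL", sil_band(pfd_avg(brake, HOURS_PER_YEAR), PFD_BANDS))
    ok = diagnostics_credited(brake, "high", demands_per_hour=demand_rate)
    print("high demand PFH:", pfh(brake, ok), "SIL", sil_band(pfh(brake, ok), PFH_BANDS))
    print("continuous credit with 0.5 h PST:", diagnostics_credited(brake, "continuous", pst_h=0.5))
```

Note that the same channel lands in different SIL bands depending on the mode it is assessed in, and loses a band in high demand as soon as the diagnostics cannot be credited.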
From: M Mencke <menckem at gmail.com>
To: Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de>
Cc: System Safety List <systemsafety at techfak.uni-bielefeld.de>
Date: 22/08/2013 11:10
Subject: Re: [SystemSafety] SIL ratings to be scrapped?
Sent by: systemsafety-bounces at lists.techfak.uni-bielefeld.de
Regarding the high demand and low demand mode, it makes sense to apply
these modes for some elements. However, in the railway standards, the
concept of low demand is already not being considered. In EN 50129, the
following is stated:
"NOTE: In contrast to other standards the SIL table in this standard has only one column for frequencies (formerly called high demand or continuous mode) and does not have a column for failure probabilities on demand (formerly called demand mode). The reasons to restrict to one mode are
· Less ambiguity in determination of SIL.
· All demand mode systems can be modelled as continuous mode systems.
· Continuous control and command signalling systems are clearly the majority in modern railway signalling applications.
The SIL table has been constructed taking into account other relevant international standards."
In my opinion, the existence of two different approaches to the
application of the SIL concept, where one only considers high demand mode
and the other considers both, contributes to the reasons why there are
misunderstandings regarding the use of SIL. This is particularly true for
engineers new to the industry or potential customers who consult the
standard relevant to their sector in order to try to gain an understanding
of the SIL concept.
Imagine a situation where a "newcomer" to the railway industry consults
the railway standards for an overview of SILs, and their understanding of
the SIL concept is gained based on the assumption that only one mode of
operation is considered, the high demand mode. This engineer (or
technician, manager, etc.) then decides that he would like to extend his
knowledge and reads, for example, the IEC 61508 where the "high demand"
and "low demand" modes are introduced. This does not appear to aid the
reader in providing a clear explanation of the application of the concept.
Your response may be "well, in that case the reader should read the
available literature", to gain an in-depth understanding. However, this
may not always be possible, due to time constraints, etc., particularly in
the case of a customer or a manager.
Additionally, even though the standard argues that continuous demand are
the majority in modern railway signalling applications, as Peter just
mentioned, passenger emergency braking systems on trains are meant to be
used only occasionally. Given that only high demand mode is considered in
the railway standards, should the railway standard definition of "high
demand" then be applied for this type of system, or is it required to
refer "back" to IEC 61508?...
Note: I write in Hiberno English. For example, words ending in the suffix
"ing" preceded by "l" are spelled with a double "l" rather than a single
"l", as in "signalling", "modelling".
Regards,
Myriam.
2013/8/22 Peter Bernard Ladkin <ladkin at rvs.uni-bielefeld.de>
To back up Martin's caveat with other reasons:
I would not argue for scrapping "low-demand" on the sole basis it is
inappropriately applied - I think there need to be significantly more
reasons than that.
Reactor SCRAM systems are only meant to be used occasionally. Similarly,
passenger-emergency-braking systems on trains.
System functions which are invoked occasionally tend to not work when
invoked. Emergency slides on commercial transport aircraft exits work as a
rule-of-thumb about half the time, which is why the emergency-evacuation
certification test is performed with only half the available exits.
So for such systems and functions there need to be defined proof tests and
a defined interval for proof tests. And those intervals are dependent upon
how often you think the demand for the function is likely to arise.
You don't have such things as proof tests or associated intervals for
continuously-operating safety-relevant functions, such as fly-by-wire
control systems or ETCS.
Now, I agree that such things as proof tests are not relevant for pure SW
"elements" (to use the 61508 preferred terminology), but that SW mostly
sits inside something which executes the function and for which proof
tests are relevant. How are you going to deal with these differences
appropriately if the standard scraps the distinction?
PBL
On 8/22/13 9:30 AM, Jensen, Martin Faurschou Jensen wrote:
I agree with the arguments below when it comes to systems, but we have to
keep in mind that 61508 is also used for the development of single
elements. For a sensor, designed and developed for use in a SIS, the
demand mode makes sense, as this only needs to detect and report a
situation, and does not need to contribute in maintaining the safe state
afterwards.
-----Original Message-----
......On Behalf Of ECHARTE MELLADO JAVIER
Sent: 22. august 2013 09:20
To: Peter Bernard Ladkin; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] SIL ratings to be scrapped?
I have discussed this matter several times. I think that low demand
criteria should disappear because it is usually a fallacious argument.
PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of
Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE