[SystemSafety] EUROCAE document 039/ ED-80
Peter Bernard Ladkin
ladkin at rvs.uni-bielefeld.de
Tue Oct 14 11:22:43 CEST 2014
On 2014-10-14 09:34 , SPRIGGS, John J wrote:
> In my experience, when people compare safety standards and guidelines that use "levels" to inform assurance activities, they assume that the levels are in some way equivalent. That is usually a false assumption, as is the case here; there is absolutely no correlation between the SILs of IEC61508 and the levels of ED-80 or ED-12.
Yes, this seems to be coming up about a couple of times a month in my environment at the moment. I
am not completely sure why. Let's try to lay it to rest. Here are a couple of short paragraphs.
IEC 61508 is based on the concept of functions of the equipment under control not being acceptably
safe (according to some unspecified social convention). It requires additional functions, called
safety functions, to be installed to render some dangerous situations benign and thus achieve
acceptable safety. These safety functions may themselves fail, but they must not fail often enough
to vitiate acceptable safety. So there is a reliability condition imposed on each safety function,
to specify the level of acceptable failure of the safety function. The reliability condition is
called a SIL and there are four of them, although logically there are a couple of additional
categories which are conflated with one or other of the four.
Design Assurance Levels (DALS) in the airborne segment of commercial aviation have a different
focus. Certification of commercial airplanes and airborne equipment considers deleterious
consequences of things happening contrary to purpose (breaking or other misbehavior). These are
called "effects", and they are subdivided into severities: "no effect", "minor", "major",
"hazardous" and "catastrophic" effects. This conceptualisation is long-standing, from way before
digital-electronic kit made its way into commercial aircraft. A DAL is assigned to a piece of kit
mirroring the severity of a failure of the kit.
A SIL is a safety function reliability condition and does not depend in any way on the severity of
the hazard it is intended to mitigate. A DAL depends on the severity of the hazard occurring through
a failure and not at all on the frequency of such a failure.
A SIL is a required-reliability condition and not a severity assessment. A DAL is a severity
condition and not a reliability condition.
Further, a SIL, being a reliability condition, is expressed probabilistically. A DAL is an absolute
condition. However, the evidence regarded as necessary to claim that a DAL has been achieved (the
Acceptable Means of Compliance criteria) has probabilistic/statistical aspects.
PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
More information about the systemsafety
mailing list