[SystemSafety] Statistical Assessment of SW With Deliberate Unreliability for a SIL requirement
Heath Raftery
heath.raftery at restech.net.au
Mon Jan 26 22:59:37 CET 2015
Apologies this reply is out of order - corporate IT is a disconnected
beast. This is in reply to the original thread subject, regarding a
"Maintenance Mode".
I tend to agree that 61508 is quite clear about software faults being
only systematic, not random.
However, when constructing a case based on a proven-in-use argument, I
would think that the statistical fitness for purpose is all you have
to go on. Whether there is code present that can disable safety
functions - deliberately or accidentally - is moot if the proven-in-use
argument shows that it does not occur given the intended operating
environment.
If you're treating the software as a black box, you must assume there
are bugs and/or a deliberate hobbling mode. All that matters is that it
is fit for purpose to the surety level requirement.
Heath
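A worked illustration of what a statistical (proven-in-use) fitness-for-purpose argument actually buys, added here as an example and not written by any participant in the thread. It assumes the zero-failure Poisson bound that underlies the IEC 61508-7 Annex D tables and the continuous-mode target bands of IEC 61508-1; the operating-hours figures are constructed.

```python
import math

# IEC 61508-1 high-demand / continuous-mode bands: upper bound (exclusive) on
# dangerous failures per hour for each SIL.
SIL_UPPER = {4: 1e-8, 3: 1e-7, 2: 1e-6, 1: 1e-5}


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for a Poisson variable with mean mu."""
    term, total = math.exp(-mu), 0.0
    for i in range(k + 1):
        total += term
        term *= mu / (i + 1)
    return total


def max_failure_rate(hours: float, confidence: float, failures: int = 0) -> float:
    """Largest failure rate (per hour) still consistent, at the given one-sided
    confidence, with seeing `failures` failures in `hours` of operation.
    Bisection on mu = rate * hours so that P(X <= failures | mu) = 1 - confidence.
    With failures == 0 this is the classic -ln(1 - confidence) / hours."""
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > 1 - confidence:
        hi *= 2
    for _ in range(200):
        mid = (lo + hi) / 2
        if poisson_cdf(failures, mid) > 1 - confidence:
            lo = mid  # mu too small: observed failures would be too likely
        else:
            hi = mid
    return hi / hours


def hours_required(target_rate: float, confidence: float, failures: int = 0) -> float:
    """Operating hours of evidence needed to claim `target_rate` at `confidence`."""
    return max_failure_rate(1.0, confidence, failures) / target_rate


def sil_supported(rate: float) -> int:
    """Highest continuous-mode SIL whose band the demonstrated rate satisfies (0 if none)."""
    for sil in (4, 3, 2, 1):
        if rate < SIL_UPPER[sil]:
            return sil
    return 0


if __name__ == "__main__":
    # Constructed scenario: one million failure-free hours of the black-box SW
    # under the intended operating profile.  Note the evidence only covers inputs
    # that profile actually exercised; an input sequence never seen in service
    # (e.g. a maintenance-mode trigger) is simply outside the claim.
    rate = max_failure_rate(1e6, 0.99)
    print(f"99% bound: {rate:.2e} /h -> SIL {sil_supported(rate)}")
    print(f"hours for 1e-7 /h at 99%: {hours_required(1e-7, 0.99):.2e}")
```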
On 22/01/2015 12:15 AM, jean-louis Boulanger wrote:
> I am surprised ....
>
> I read "Can such SW be presented as "black box" with statistical
> evidence of its fitness for purpose, and accepted for use based on the
> statistical assessment?"
>
> For software it's not possible to have statistical evidence.
> The failure is 1 (yes, the software has faults and failures appear).
>
> The DAL/SSIL ... help us to replace statistical by confidence level.
>
> For unspecified code, deactivated code and/or dead code ... we have
> some recommendations related to the design assurance level.
>
>
> 2015-01-21 14:08 GMT+01:00 RICQUE Bertrand (SAGEM DEFENSE SECURITE)
> <bertrand.ricque at sagem.com <mailto:bertrand.ricque at sagem.com>>:
>
> If it is unspecified and cannot be activated, wouldn’t it be
> considered as dead code under DO?
>
> Bertrand Ricque
> Program Manager
> Optronics and Defence Division
> Sights Program
> Mob : +33 6 87 47 84 64
> Tel : +33 1 58 11 96 82
> Bertrand.ricque at sagem.com
>
>
> *From:* njtudor at gmail.com [mailto:njtudor at gmail.com] *On Behalf Of* Nick Tudor
> *Sent:* Wednesday, January 21, 2015 2:07 PM
> *To:* RICQUE Bertrand (SAGEM DEFENSE SECURITE)
> *Cc:* Peter Bernard Ladkin; The System Safety List
> *Subject:* Re: [SystemSafety] Statistical Assessment of SW With
> Deliberate Unreliability for a SIL requirement
>
>
> Under DO, not on statistical evidence. It has to be shown that the
> functionality cannot be activated unintentionally, and this is not
> done through statistical analysis...."the one in a million chance
> happens 9 times out of 10" [Pratchett]
>
>
> Nick Tudor
> Tudor Associates Ltd
> Mobile: +44(0)7412 074654
> www.tudorassoc.com
>
> 77 Barnards Green Road
> Malvern
> Worcestershire
> WR14 3LR
> Company No. 07642673
> VAT No: 116495996
>
> www.aeronautique-associates.com
>
>
> On 21 January 2015 at 12:59, RICQUE Bertrand (SAGEM DEFENSE
> SECURITE) <bertrand.ricque at sagem.com
> <mailto:bertrand.ricque at sagem.com>> wrote:____
>
> Do you think it violates ARP and DO ?
>
> Bertrand Ricque
> Program Manager
> Optronics and Defence Division
> Sights Program
> Mob : +33 6 87 47 84 64 <tel:%2B33%206%2087%2047%2084%2064>
> Tel : +33 1 58 11 96 82 <tel:%2B33%201%2058%2011%2096%2082>
> Bertrand.ricque at sagem.com <mailto:Bertrand.ricque at sagem.com>
>
> -----Original Message-----
> From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
> <mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de>
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de
> <mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de>] On
> Behalf Of Peter Bernard Ladkin
> Sent: Wednesday, January 21, 2015 11:30 AM
> To: The System Safety List
> Subject: [SystemSafety] Statistical Assessment of SW With Deliberate
> Unreliability for a SIL requirement
>
> I am working with others on a reformulation of IEC 61508 Part 7
> Annex D, on the statistical assessment of software presented with
> black-box functionality.
>
> Rainer Faller brought up an interesting example. He has seen SW
> which is proposed to be used in a safety-related application, which
> has a Safety Requirements Specification (SRS) in that application,
> and which has a "Debug/Maintenance" mode, triggered by a specific
> input sequence known to the SW developer of course, but not
> necessarily to the system developer who wishes to use it in the new
> safety-related application.
>
> Can such SW be presented as "black box" with statistical evidence of
> its fitness for purpose, and accepted for use based on the
> statistical assessment?
>
> I've written a White Paper on the case, RVS White Paper 8, available
> at
> http://www.rvs.uni-bielefeld.de/publications/WhitePapers/LadkinFallerExample20150101.pdf
>
> PBL