[SystemSafety] A question about ISO26262

SPRIGGS, John J John.SPRIGGS at nats.co.uk
Fri Feb 17 10:38:25 CET 2017


If you are looking for the document Martyn mentions below, open the UK CAA's "Air Traffic Services Safety Requirements" at http://www.caa.co.uk/cap670 and go to Part B, Section 3, which is called "SW 01: Regulatory Objectives for Software Safety Assurance in ATS Equipment".

John

From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Martyn Thomas
Sent: 16 February 2017 18:16
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] A question about ISO26262


David,

I'll use the standard's term "element" as a generic word for functions, processes and other bits of software, as I don't have the standard available and it's not necessary to be more precise to make the point that I want to make.

It's certainly possible for an element to meet its functional specification whilst preventing another element from doing so - for example by taking too many processor cycles, or holding a shared resource, or by using storage that is also being used by another element.

Drew has expressed his view that an element that "spams" another has failed, and I wouldn't disagree. But the practical question will often focus on the assurance that a safety-critical function cannot be disrupted by other elements, and it will generally be impractical to assess the total possible behaviour of every system element in order to assure the safety critical elements. In practice it will be necessary to show that the safety-critical functions cannot be disrupted by any elements at a lower assurance level (DAL, SIL or whatever) and this will in general require architectural protection (e.g. separate processors or a high integrity scheduler and supervisor). I think the UK CAA standard SW01 may have addressed this in some detail (if not, I'm fairly sure there's a paper by Adelard on the subject, possibly written by Robin Bloomfield).

Regards

Martyn

On 16/02/2017 10:37, David Haworth wrote:

However, it is possible to imagine scenarios where, in the absence of a protection mechanism, an element causes another element to fail while still continuing to perform its own function flawlessly.
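The scenario Martyn and David describe, as an added illustration that is not code from the list thread: two elements share one processor, and a low-integrity element over-runs its time budget ahead of a safety-critical one. The element names, budgets and deadlines are constructed sample values; the "supervisor" is a hypothetical budget-enforcing scheduler standing in for the architectural protection Martyn mentions.

```python
"""Illustration of temporal interference between software elements.

The same elements are run under a cooperative scheduler, where each element
runs until it finishes, and under a supervisor that stops an element once
its time budget is spent.  All names and numbers are constructed sample
values, not data from the mailing-list thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    budget: int    # ticks allotted per frame (its assured worst-case budget)
    demand: int    # ticks it actually tries to run for
    deadline: int  # tick in the frame by which it must have finished


def run_frame(elements, enforce_budget):
    """Run one frame in list order; return name -> completion tick.

    With enforce_budget the supervisor preempts an element at its budget and
    records None for it: it did not finish, so it is the element that failed.
    Without it, an over-running element delays every element after it.
    """
    t = 0
    completion = {}
    for e in elements:
        ran = min(e.demand, e.budget) if enforce_budget else e.demand
        t += ran
        completion[e.name] = t if ran == e.demand else None
    return completion


def missed_deadlines(elements, completion):
    """Elements that either did not finish or finished after their deadline."""
    return [e.name for e in elements
            if completion[e.name] is None or completion[e.name] > e.deadline]


# Constructed example: a low-integrity element that over-runs its budget,
# scheduled ahead of a safety-critical element in the same frame.
ELEMENTS = [
    Element("infotainment", budget=4, demand=9, deadline=10),
    Element("brake_monitor", budget=3, demand=3, deadline=8),
]

if __name__ == "__main__":
    for enforce in (False, True):
        done = run_frame(ELEMENTS, enforce)
        print(f"supervisor={enforce}: missed={missed_deadlines(ELEMENTS, done)}")
```

Without the supervisor the over-running element meets its own deadline while the safety-critical one misses; with the supervisor the over-running element is the one recorded as failed and the safety-critical element completes on time.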
