[SystemSafety] Critical systems Linux
Olwen Morgan
olwen at phaedsys.com
Wed Nov 21 19:01:28 CET 2018
Just to be clear, I wasn't casting aspersions on SCADE but on the
situation in which one TuV looks askance at something to which another
TuV gives qualified approval. As it happened, SCADE was a steam hammer
to crack a nut on the machine safety project to which I referred. It
ended up using Coloured Petri-Nets instead.

TuV Sud had issued the certification (subject to assessment of
fitness-for-purpose on a case-by-case basis) and it was TuV Rheinland
that looked askance at it. I gathered at the time (maybe mistakenly)
that TuV Rheinland is more familiar with safety of machinery
applications than is TuV Sud and possibly thereby brought a somewhat
more rigorous point of view to bear on the matter.

I'm not a huge fan of SCADE but that's just a personal foible. Thinking
in terms of Petri-Nets comes easier to me than does thinking in terms of
temporal logic.
Olwen
On 21/11/2018 14:14, Tom Ferrell wrote:
>
> As someone who frequently audits specific projects where
> organizational level approvals have been granted by TÜV Süd, I would
> suggest their focus tends to be more broad and not to the same depth
> that I am accustomed to for aviation. The KCG code generator
> contained within SCADE has been qualified multiple times for aviation
> work. This qualification is based on the fact that KCG is built on a
> formal language, LUSTRE. The proofs accomplished to demonstrate the
> model to code conversion have been looked at repeatedly and found to
> be complete and correct in all cases that I am aware of.
>
> *From:* systemsafety
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] *On
> Behalf Of* Olwen Morgan
> *Sent:* Wednesday, November 21, 2018 9:00 AM
> *To:* systemsafety at lists.techfak.uni-bielefeld.de
> *Subject:* Re: [SystemSafety] Critical systems Linux
>
> On 21/11/2018 10:16, Peter Bernard Ladkin wrote:
>
> <snip>
>
> What it means is that TÜV Süd (those last two letters are
> lower-case) has investigated the system and says that it can be
> used in certain ways with certain properties which TÜV has claimed
> to have established to a certain "systematic capability". Since
> much of the evidence TÜV Süd will have looked at is IP, you as a
> user don't get all the required evidence for your safety case. TÜV
> just says "trust us" and many assessors do.
>
> <snip>
>
> Esterel's SCADE tool has been certified for use in safety-critical
> applications by one TuV but I've worked on a machine safety project in
> which another TuV appeared to discourage its use because, AFAI recall,
> they felt uneasy about the fitness-for-purpose of the generator that
> it used to create C code from system models.
>
> Perhaps TuVs should print the certificates on toilet paper?
>
> Olwen
>