Re: [sc] CENELEC assessment criteria for SIL 3 vs SIL 4

Re: [sc] CENELEC assessment criteria for SIL 3 vs SIL 4

From: Martyn Thomas <martyn_at_xxxxxx>
Date: Fri, 15 May 2009 09:54:05 +0100
Message-ID: <4A0D2DAD.1080208@xxxxxx>

This really doesn't look like your normal quality of argument.

Firstly, you write: 

"Seriously though, this has always happened in the past, e.g. for
bridges, planes, etc. where we find out new things like wind-induced
resonance in bridges or fatique cracking in aircraft, and then fix the
problem. "

In *neither* of these cases were the designers ignoring the
well-established and widely understood science or engineering. These
accidents could not have been foreseen given the state of knowledge,
and these errors will probably never be made again. That is not the
situation with computer-based systems, where the industry is ignoring
scientific results that have been well established for decades. When a 
catastrophe occurs, no-one will be able to claim that "we didn't know 
that what we were doing was unscientific". Their only defence will be 
"Yes, it was wrong but we were just following the rules" - which is the 
same argument that UK politicians are currently using to justify their 

Secondly, you write:

"And in fact if we look at actual
accident rates for aircraft, it is clear that they are much safer than
they have any right to be (given the limits identified by Butler &
Finelli and  Littlewood & Strigini), e.g. 10**-5 /flight for 100
critical avionics functions would mean an accident every 1000 flights,
equivalent to 20,000 aircraft accidents per year worldwide!:

But this is a completely false comparison. TheButler/Finelli and 
Littlewood/Strigini results relate to what can be proved during 
certification. The accident rates relate to what is actually achieved. 
It's no surprise that the industry achieves a lower failure rate than 
they are able to prove during certification, because it's far easier to 
develop reliable software than it is to demonstrate that you have done 
so. But that does not justify having standards that ask for evidence 
that it is impossible to provide, or that require development processes 
that are costly, unscientific, and that fail to yield adequate evidence 
for safety. We can celebrate the fact that teams of dedicated engineers 
achieve wonderfully low accident rates whilst simultaneously criticising 
the unscientific nature of the standards that they are compelled to 
comply with. In practice, I believe that avionics companies typically 
use far stronger software engineering methods than the standards 
require, and rightly so. But if we rely on this, and on their very good 
accident history, we may as well do away with certification entirely and 
rely on trusting the commercial pressures to keep the companies doing 
good work. We could call it "light-touch" regulation. It worked for the 
banks, for decades ....


Martyn Thomas CBE FREng

> ware]
Received on Fri 15 May 2009 - 09:53:49 BST