Could you please not ask for read receipts with your posts.
Sigma Associates (Aerospace) Limited
[mailto:safety-critical-request@xxxxxx] On Behalf Of Rolf Spiker
Sent: 25 October 2007 16:39
Subject: RE: [sc] IEC 61508 maintenance
I support your vision concerning the need for a kind of "test factor" in
relation to the given failure rates of safety related elements.
At this moment I support option 2 of Ron's mail. I feel sympathy for the
French (and others') point of view that the SFF is not an ideal parameter.
But I do not know a better one and it works most of the time, and the others
are not coming up with a better one. So far so good.
But your remark that a SIL 4 system always needs redundancy is not the
reality and you know that. In most cases yes, but not always.
The Maglog hard-wired system easily meets SIL 4 in a non-redundant
architecture. Over 40 years of experience in the harshest environments has
proven that too. This SIL 4 is much more true than the SIL 3 capability for
programmable systems, and you know that too!
Ok, I agree that both systems HIMA and Yokogawa are very particular and in
most other situations you are right about the HW fault tolerance.
But please state that in your answers!
Rolf Spiker of Exida.com
Senior Safety Consultant
Phone : +31 318 414 505
Mobile: +31 (0)6 510 289 79
E Mail No1: rolf.spiker@xxxxxx
E Mail No2: spiker.rolf@xxxxxx
Att: R.Th.E. Spiker
Established Company address:
64 N. Main Street
Sellersville, PA 18960
USA - See: http://www.exida.com
[mailto:safety-critical-request@xxxxxx] On Behalf Of bill black
Sent: Thursday, October 25, 2007 11:41 AM
Subject: RE: [sc] IEC 61508 maintenance
Safe Failure Fraction as currently defined in the standard is more
accurately stated as 1 - (Dangerous undetected failure rate/ Total failure
rate) although there is ongoing discussion about changes in the definition.
Presently the architecture of a safety system is determined by:
1) the need to meet minimum fault tolerance determined by SIL and
2) the need to meet the required dangerous failure rate or
probability of failure on demand depending on the mode of operation
If you remove the need for minimum fault tolerance then the architecture
will be determined only by reliability analysis. My experience with
reliability data is such that I cannot support your proposal to base
architecture on reliability analysis alone.
Without the requirements for minimum fault tolerance it would then be
possible to have SIL 3 or SIL 4 systems implemented in non-redundant
architectures. You may claim that in some cases redundant architectures are
not feasible in which case I believe you should limit your capability claims
for such systems.
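Bill Black's definition above, worked through as an added Python example (not code from the thread or from any standard's own tooling): it computes SFF from a four-way failure-rate split, shows how diagnostic coverage alone moves the SFF while the total rate is unchanged, and compares the simplified low-demand PFDavg of a single channel against a 1oo2 pair using the IEC 61508-1 SIL bands. The sample failure rates, the one-year proof-test interval and the simplified PFD formulas (no MTTR, no common-cause term) are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class FailureRates:
    """Per-hour failure rates of one element, split as IEC 61508 does
    (safe/dangerous x detected/undetected). Sample values are constructed."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

def safe_failure_fraction(r: FailureRates) -> float:
    """SFF as stated in the thread: 1 - (dangerous undetected / total)."""
    return 1.0 - r.dangerous_undetected / r.total

def with_diagnostic_coverage(r: FailureRates, dc: float) -> FailureRates:
    """Re-split dangerous failures so a fraction dc is detected; shows how
    diagnostics alone raise SFF while the total failure rate is unchanged."""
    dangerous = r.dangerous_detected + r.dangerous_undetected
    return replace(r, dangerous_detected=dc * dangerous,
                   dangerous_undetected=(1.0 - dc) * dangerous)

def pfd_avg_1oo1(r: FailureRates, proof_test_interval_h: float) -> float:
    """Simplified low-demand PFDavg of one channel: lambda_DU * T / 2
    (assumption: repair time and MTTR neglected)."""
    return r.dangerous_undetected * proof_test_interval_h / 2.0

def pfd_avg_1oo2(r: FailureRates, proof_test_interval_h: float) -> float:
    """Simplified low-demand PFDavg of two independent channels (1oo2):
    (lambda_DU * T)**2 / 3 (assumption: no common-cause term)."""
    return (r.dangerous_undetected * proof_test_interval_h) ** 2 / 3.0

def sil_from_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg, IEC 61508-1 target bands
    (SIL 4 < 1e-4, SIL 3 < 1e-3, SIL 2 < 1e-2, SIL 1 < 1e-1); 0 = none."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

# Constructed sample element (per-hour rates) and a one-year proof-test interval.
SAMPLE = FailureRates(2e-6, 1e-6, 4e-6, 1e-6)
ONE_YEAR_H = 8760.0
```

With the sample rates the single channel lands in the SIL 2 band on PFDavg alone while the 1oo2 pair reaches the SIL 4 band, which is exactly the reliability-only decision the thread argues should not be the sole basis for architecture.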
[mailto:safety-critical-request@xxxxxx] On Behalf Of Bertrand RICQUE
Sent: 24 October 2007 08:10
Subject: [sc] IEC 61508 maintenance
Please take half a minute to read this:
Presentation of the context:
"IEC 61508 - Functional safety of electrical/electronic/programmable
electronic safety-related systems" is the base IEC standard for future and
existing safety specific application standards.
Its scope is as follows:
"Systems comprised of electrical and/or electronic components have been used
for many years to perform safety functions in most application sectors.
Computer-based systems (generically referred to as programmable electronic
systems) are being used in all application sectors to perform non-safety
functions and, increasingly, to perform safety functions. If computer system
technology is to be effectively and safely exploited, it is essential that
those responsible for making decisions have sufficient guidance on the
safety aspects on which to make these decisions.
This International Standard sets out a generic approach for all safety
lifecycle activities for systems comprised of electrical and/or electronic
and/or programmable electronic (E/E/PE) elements that are used to perform
safety functions. This unified approach has been adopted in order that a
rational and consistent technical policy be developed for all
electrically-based safety-related systems. A major objective is to
facilitate the development of application sector standards."
It covers all equipment and software taking part in a safety function, from
the sensor to the actuator.
- Is the base IEC standard for any development of safety related standards,
- Is also an EN and NF standard,
- Its harmonisation by the European Commission (which would make its
application mandatory and not only voluntary) is a pending and open issue.
This standard is more and more considered by aerospace and defence
industries, in particular for its software part (IEC61508-3), as a potential
future successor to DO178, but also to other standards in the field of
functional safety. It is already used by defence industries such as DCNS for
naval systems with IEC 61511 for example.
This materialises, for example, in well-known software companies (such as
Estérel Technology for example) supplying tools for development (such as
SCADE-based tools for example) with reference to IEC 61508 concepts (such as
SIL, Safety Integrity Level, for example).
The standard is now under revision and, despite containing interesting
contributions to functional safety, promotes a concept which proves totally
inapplicable to aerospace and defence industries.
The concept in question is the Safe Failure Fraction (SFF) which aims to
characterise the quality of equipment versus safety by the ratio of "Safe"
failures to total failures. This concept, although very disputable for
equipment failing in only one dangerous direction, is obviously totally
inapplicable to equipment failing in multiple or variable dangerous
directions (such as the speed control of a steel plate winding, a landing
gear control, a flight control system or a landing gear brake system) for
If this concept was to remain included in the standard, it would either:
- generate huge compliance problems for the aerospace and defence
- generate a problem for aerospace and defence industries to
progressively converge toward this standard in the future
- will have an uncontrolled impact on existing standards involved in
our activities (such as digital networks as CAN for example)
The French IEC national committee is strongly opposing this concept with
some weak support from the US and Japanese national committees.
The British and German national committees are supporting this concept.
Aerospace and defence industries are not represented in these committees.
This concept should be eliminated from the standard.
If your company agrees with this analysis and point of view, I kindly
request from you to write to your IEC National Committee a statement
supporting this position. If you don't know or have access to it you can
directly send it to the chairman of the committee, ronbell@xxxxxx. You
can also forward a copy of the
A lot of criticism has been read about the standard on this forum. It's time
to contribute positively. We are improving it but need some help to
eliminate wrong concepts.
I'm available for any further explanations and details.
Head of Drone Programmes
SAGEM Défense Sécurité
27, rue Leblanc
75512 PARIS Cédex 15
Tel +33 1 58 12 43 60
Mob : +33 6 87 47 84 64
Fax +33 1 40 70 63 90
Received on Thu 25 Oct 2007 - 17:10:40 BST