Monday 11 May 2009

SIL

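A rather old topic, but it came up again today. Someone in our group read the SIL 3 vs SIL 4 thread on the safety-critical mailing list, which sparked a discussion at today's team meeting. My boss said, resignedly, that the software SIL problem has been around for decades with hardly any progress, and that the only way out is to avoid using it as much as possible.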

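Personally, I think SIL is in essence tied to safety risk, and safety risk is in turn tied to the tolerable failure/hazard rate. But software reliability has always been a contested field, hence the SIL determination/allocation problem. On the other hand, even if the software SIL requirement as drawn up is fine, how do you achieve it and assure it? All the specifications and standards talk about the software development process only in general terms and gloss over the details. One has to ask: if someone uses the methods and techniques that the standards highly recommend, can the system they developed then be said to meet the corresponding SIL requirement?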

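Sometimes I think SIL and quality/maturity levels are much the same concept, except that the former is aimed at safety system development and derives from safety risk assessment, while the latter need not.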

It never ends, hehe.

7 comments:

  1. Coverage, or in other words completeness, is the main metric.

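  2. If you insist on stating what SIL level a given piece of software has, especially its dangerous-side failure rate, that is hard to say. As for formal methods, it seems some projects in Europe are using the B language. There should still be companies in this world doing it seriously; it is just that we have not been serious about it.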

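  3. I don't know how software SIL is calculated? Is it measured with quantitative metrics?
    In many simple SISs I have seen, since the reliability of the logic unit is much higher than that of the final element and sensor, the logic unit is simply treated as a 100% reliable component.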

  4. Hehe, I think the problem is not about whether formal methods should be applied. The point is whether the notion of SIL can be useful or meaningful. I will talk about formal methods soon.

  5. Well, I think a measure like SIL is necessary for reliability assessment of a safety system, software included. And my concern is whether SIL as a metric is good enough or we need to find a better one.

  6. Personally I'd suggest any possibility of removing SIL in the future. Currently we have the following model:
    Risk <--> SIL <--> Development Process

    Why not just link the notion of risk directly with the development process/evidence, if not impossible?

    Also, SIL is certainly not mandatory for reliability assessment. You can conduct any reliability assessment of safety functions/systems regardless of the level of safety integrity established.

    The reason SIL is required is that people tend to link the development process with some kind of qualitative metrics such as CMM/CMMI. That's why I said SIL was a bit similar to CMM/CMMI, though they are indeed different (historically).

  7. SIL has both qualitative and quantitative requirements. For a SIS, it's not just software but also hardware. A SIL is appointed to a SIF of a SIS, not a SIS or part of a SIS. In order to achieve a certain SIL, we have a quantitative measure for hardware and a qualitative measure for software (due to being incapable of obtaining a quantitative measure). Another thing worth mentioning is the uncertainty of risk: we can see that the quantitative requirement of SILs is an interval of probability or rate, and this gives some margin for uncertainty.
