We will show that it is not possible to assess probabilistic safety properties for components whose use in a system is unknown to the assessor. The process itself, of assessing a component, creates the context within which a component has the determined probabilistic safety properties. We will further show that the decision to use the pre-integration assessment does not necessarily lead to a reduction in workload for demonstrating the overall system safety.
The construction of safety critical systems in Europe requires an assessment of the system's safety. Among others, IEC 61508 is a widely used standard. A special concept in that standard, the so-called Safety Integrity Level (SIL) and its determination, is a constant object of debate, misunderstanding and criticism.
Broadly speaking, a SIL quantitatively describes the ratio of presence and absence of behavior that leads to harm.
This paper takes SILs as its topic because they are prominent, but the argumentation applies equally to other SIL-like safety labels. For that reason this paper assumes as few properties of safety labels (SaL) in general, and of SILs in particular, as possible, so as to be as broadly applicable as possible. For the same reason the reader is not required to have a deep understanding of IEC 61508 or SILs. From here on we will refer to SILs and SIL-like safety labels simply as SaLs; we will only use the term SIL where only SILs are meant.
The title of this paper was inspired by a thread [SCMLa] on the Safety Critical Mailing List, hosted by the University of York [SCML]. The topic of the thread is a recurring one. It revolves around the question whether a component can be attributed a SIL when the system the component will be used in is not yet known.
Manufacturers of components and tools that are employed in the construction of safety critical systems use this kind of predetermined SIL as a marketing feature. The rationale is that a SIL X certified component automatically satisfies all requirements of any SIL X system (sometimes referred to as a SIL X loop) it is used in.
Some examples of components and tools that were SIL certified without regard for the system they will be used in:
- TÜV SÜD certified Esterel's compiler to be of SIL 3 under IEC 61508. [ESTEREL] states that "The SCADE KCG code generator already has been certified by TÜV SÜD to Safety Integrity Level 3 (SIL 3) under IEC 61508".
- The proverbial SIL certified valve from [EMERSON].
- You will find plenty of other component products by searching for "SIL certified" with your favorite Internet search engine.
- The Eagle Logic Solver, a programmable logic controller [DET-TRONICS].
Context-Free Determination of Safety Labels (SaLs)
First, some disambiguation of the important concepts used here. The term SaL denotes a quantitative assertion about an object's ratio of presence and absence of behavior that leads to harm. With component we denote an object that is used, or intended to be used, as a part of a system, where a system is an object whose safety properties ultimately have to be demonstrated. Context-free means that a SaL is determined without regard to any system within which the object may be integrated as a component.
An agency assigns a safety label to a component. The agency basically states that "It has been determined that object X can be classified with safety label Y". Since the agency would be ill-advised to assert the safety of an object arbitrarily, the agency must have a reason to assign a SaL. There must be an argument, in the philosophical sense [PARSONS], that supports the statement. Just to be clear: the agency need not be aware of the concept of argument as stated in [PARSONS], but whatever the reasoning behind the safety statement, it can be stated in the form of a refined argument [PARSONS, p. 167]. Parsons lists five conditions for a successful argument [PARSONS, p. 171], of which the first is of importance to us:
“Every premise is among the statements assumed in the setting”
The setting in our case would be the justification for attributing a SaL to an object. The setting can also be considered the unrefined argument. Within a refined argument only premises may be used that originate in the setting. Because we are only interested in showing that SaLs cannot be context-free, we do not need to examine the other four conditions for successful arguments.
There must be at least one premise for the safety argument. Please note that the exact nature of the premises is not of importance. The premises can be quantitative measurements from test runs as well as qualitative arguments as to why X has (or does not have) certain properties.
For the SaL of object X this means that the assigned SaL only holds under the premises of the argument. In other words: the premises of the safety argument provide the context within which the safety label is reasonably (or justifiably) applicable. So there cannot be context-free SaLs.
Implications for Integration
We will use the term predetermined safety label (PSL) to denote a safety label for an object that has been determined by a vendor without explicit regard for a system in which it may be integrated. If a component is integrated into a system, the component's environment may or may not be consistent with the premises of the PSL. Therefore the integrator must demonstrate that:
1. the component's environment is consistent with the premises of the PSL,
2. or that any inconsistencies do not invalidate the argument for the PSL.
In sufficiently complex systems the success of either of the above may not be foreseeable. It is a gamble to go down that route. Failure to show consistency between the PSL and a given system's requirements for safety means that the integrator has to make his own safety argument concerning object X anyway. In order to be able to show (1) or (2), the complete argument, or at least the complete list of premises, must be available to the integrator. Without it, neither (1) nor (2) can be established and the PSL must be regarded as null and void. In other words: the safety argument for the system cannot be demonstrated to be applicable, even though it may be valid.
There is no such thing as a context-free SaL (or SIL, for that matter). Nevertheless there are companies marketing products labeled as certified according to SIL X. If the product is likely to be used within the context of a larger system, what is the value of the certification, apart from a marketing stunt? What the vendor would like to do is offer a product that reduces the cost of being integrated into a safety critical context. The vendor would also like to market the product with a comparable quality criterion to demonstrate supremacy over a competitor's product. For the engineer tasked with demonstrating the safety of his or her whole system, this is of little value. It is unclear, and dependent on both the component and the system, whether the engineer can make use of the PSL. The cost of demonstrating the applicability of the PSL may or may not be less than assessing the component for the system to be built. Furthermore, a certification of a component to a given SaL does not have any implication for the fitness for purpose of one's own system. An engineer who ignores these objections and applies a PSL at face value does not have a safety argument and so acts negligently. A vendor who does not supply an integrator with the complete reasoning why a certain SaL has been awarded does not help his or her customer.
When things go south it will be easy to point at the spots where the safety argument for a system has its holes.
[PARSONS] Terence Parsons, "What Is an Argument?", The Journal of Philosophy, Vol. 93, No. 4, April 1996, pp. 164-185.
[IEC] International Electrotechnical Commission, IEC 61508, http://www.iec.ch/