IEC 61508-3 maintenance work

We take part in the preliminary discussions regarding an updated edition of IEC 61508-3. The main topics for us are “Modern software development methods”, “Goal-based standards” and “Concurrent architectures including multi-core”.

Modern SW development methods normally include IID (Iterative and Incremental Development), which has been used for developing safety applications at least since 1972. When using modern SW development methods it is necessary to have process add-ons such as traceability, configuration management and regular contact with the safety assessor.

Goal-based standards. In the last two decades there has been an increasing tendency towards a goal-based approach to regulation and standards (which state what the manufacturer has to achieve, and so allow alternative ways of achieving compliance) compared to the earlier prescriptive regulations and standards (which state requirements that have to be met if a user wishes to claim compliance with the standard). The reasons behind a goal-based approach are rapid technology changes, new development processes and the legal viewpoint: too restrictive standards may be viewed as a barrier to trade. The requirement parts of the standards may then also be shorter, especially for generic standards like IEC 61508 that cover several domains and topics. This is important since the increasing number of standards and their increasing volume are big challenges for manufacturers.

Concurrent architectures including multi-core introduce challenges in implementing the specification of a safety-critical system as simply as possible. Problems related to deadlock and livelock, as well as latency, jitter and throughput, are important. Annex F of IEC 61508-3:2010 covers safety-critical parts mixed with non safety-critical parts, or parts of different systematic capability, on a single computer. This work will include concurrency, parallelism and multi-core with parts of the same systematic capability. Such parts need to communicate, and they need to wait for data to be sent and received. “Blocking” in this respect is viewed as yielding or waiting; non-blocking, lock-free and wait-free algorithms are likewise meant not to hold up parts of the system in such a way that an implementation using them would be unable to fulfil the specification. Such systems need to show predictable behaviour with regard to functional and temporal correctness; to achieve this with the plurality of methodologies that exist would need e.g. a more comprehensive checklist than the present IEC 61508, or a goal-based approach. In this respect it is not a given that “single-threaded” architectures are simpler than concurrent, parallel or multi-core architectures, as any architecture may be viewed as more or less concurrent. In addition, methodologies like virtualization should also be covered in the updated IEC 61508. It is also important to emphasize that some solutions create problems not found with other solutions, while one methodology might completely remove a whole problem area of others. The new IEC 61508 should also try to show these matters.
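The distinction drawn above, that blocking as a bounded wait is acceptable while a circular wait between parts is not, can be made concrete. The following is an added example written for this note, not code from the authors, the standard or the blog referenced below; it models the communicating "parts" as Go goroutines exchanging messages over unbuffered channels (a synchronous rendezvous), with constructed values. The watchdog, the function names (RequestReply, PeerExchange, withDeadline) and the deadlines are assumptions for illustration. The same two peers, on the same channels, either complete or deadlock depending only on the order of their communications; a deadline turns the silent hang into a detectable failure, which is the temporal check a safety argument would require.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrTimeout is what the watchdog returns when a communication has not
// completed by its deadline. A blocked part is acceptable in a safety
// argument only if the wait is bounded, so the bound has to be checked.
var ErrTimeout = errors.New("communication did not complete before deadline: possible deadlock")

// withDeadline runs f on its own goroutine and reports ErrTimeout if f has
// not returned within d. On timeout the goroutine running f is leaked; a real
// system would escalate to a safe state rather than carry on.
func withDeadline(d time.Duration, f func() error) error {
	result := make(chan error, 1)
	go func() { result <- f() }()
	select {
	case err := <-result:
		return err
	case <-time.After(d):
		return ErrTimeout
	}
}

// RequestReply: a client part sends a value and blocks until a server part
// replies. Both block on unbuffered channels, i.e. they yield and hold no
// resource, and the exchange always completes. Returns the reply (value * 2).
func RequestReply(d time.Duration) (int, error) {
	type request struct {
		value int
		reply chan int
	}
	in := make(chan request)
	done := make(chan struct{})
	defer close(done)

	go func() { // server part: wait for a request, answer it, repeat
		for {
			select {
			case r := <-in:
				r.reply <- r.value * 2
			case <-done:
				return
			}
		}
	}()

	var got int
	err := withDeadline(d, func() error {
		r := request{value: 21, reply: make(chan int)} // constructed input
		in <- r          // blocks until the server takes the request
		got = <-r.reply  // blocks until the server answers
		return nil
	})
	return got, err
}

// PeerExchange: two peers each send one value to the other over unbuffered
// channels. With ordered == true, B receives before it sends, so A's send
// always has a partner and the exchange completes. With ordered == false,
// both peers send first: each waits for the other to receive, neither ever
// does, and the watchdog reports ErrTimeout instead of a silent hang.
func PeerExchange(ordered bool, d time.Duration) error {
	ab := make(chan int) // A -> B
	ba := make(chan int) // B -> A
	return withDeadline(d, func() error {
		finished := make(chan struct{}, 2)
		go func() { // peer A: send, then receive
			ab <- 1
			<-ba
			finished <- struct{}{}
		}()
		go func() { // peer B
			if ordered {
				<-ab // receive first, so A's send can complete
				ba <- 2
			} else {
				ba <- 2 // send first: circular wait with A
				<-ab
			}
			finished <- struct{}{}
		}()
		<-finished
		<-finished
		return nil
	})
}

func main() {
	v, err := RequestReply(time.Second)
	fmt.Println("request/reply:", v, err)
	fmt.Println("ordered peers:", PeerExchange(true, time.Second))
	fmt.Println("circular wait:", PeerExchange(false, 200*time.Millisecond))
}
```

Running it prints a completed request/reply, a completed ordered exchange, and ErrTimeout for the circular wait. The point for a standard is that nothing in the code of either peer is "wrong" in isolation; only the communication pattern of the whole decides whether the specification can be fulfilled, which is why a review checklist or goal-based evidence has to address the pattern and its timing bounds, not just the individual parts.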

On this private site there are some concurrency blog notes for engineers: www.teigfam.net/oyvind/home/technology/


Thor Myklebust, Øyvind Teig and Tor Stålhane, 2015-04-09