Karl,

The answers to the questions you posed, from Jonathan Earthy, Lloyd's Register's Principal Human Factors Specialist. I will chase up Bernard's comments on your article when he returns from leave and will get it to you in the first week of Sept, if this suits.

Dolly

-----Original Message-----
From: Earthy, Jonathan
Sent: 18 August 2004 18:02
To: Robinson, Dolly
Cc: Twomey, Bernard
Subject: RE: dependable systems review

Dolly and Karl,

Luckily the answers are simple and, because both questions raise matters of importance to the use of complex software intensive systems in marine applications, should be of interest to your readers. The following text is only long because I have to type rather than discuss, hope that one reply will do and have to assume that a full explanation is required (apologies if this is not the case):

Question 1
Why a separate service?

The application of ISO 17894 (for example through DSR) gives benefits to the Yard in terms of reduced rework. This benefit is not part of Classification. DSR gives benefits to Class in terms of ease of assessment. It is unlikely that yards would want to make our life easier. Mainly, use of ISO 17894 gives benefits to Owners in terms of assured effectiveness, productivity, crew satisfaction and safety of complex, software intensive systems through life. As you will note, safety is only one benefit for one stakeholder. None of the other benefits are related to Classification in a strict sense. Therefore DSR for any of the above benefits is outwith Class proper.

As far as safety, the business of Class, is concerned (and as you presumably knew when you asked the question) each Classification Society has to stay in step with IACS. If Lloyd's Register unilaterally enhanced its Rules to address the dependability of integrated, software intensive systems, its core service offering would be at odds with other societies.
Regardless of the obvious benefits, an extension to the scope of Class of this magnitude will need to be carefully analysed by all societies and developed as a Unified Requirement. In addition, because of the potential impact on navigation equipment, integrated bridges, safety radio, etc., IMO will also have to get involved - if system integration and dependability are to be a mandatory requirement for all ship systems.

Lloyd's Register was fully aware of this situation when it started its work on marine software intensive system dependability and the application of systems engineering to complex marine systems. We believe that it will take around ten years of awareness-raising and evidence from incident analysis before the whole marine sector will be ready to consider mandatory demonstration of system dependability. (And even then the alternative of not using computers in any safety-related applications may be preferred by some owners - if the manufacturers still allow this option.)

However, our duty of care obliges us to offer a mitigation for complex system risks (not only integration but also usability, traceability, maintainability, etc.) to the marine sector. This is DSR. The training and analysis elements of the product raise awareness. We have had a programme of dissemination running for five years (through journals and conferences). Now we have a product to offer, this can extend to the technical press. Application of DSR will provide examples of how the principles of ISO 17894 guide the development and operation of dependable systems. Packaged as a separate service, DSR can be applied to any ship system or set of systems, regardless of type of system or the Class of the ship.

Having said all of this, either a drastic increase in reported incidents where lack of system dependability is a causative factor, or a client's use of programmable electronics in safety-related applications, may require us to act unilaterally in a shorter time frame.
Question 2
Why not just use IEC 61508?

The Lloyd's Register Group is very aware of IEC 61508 and has applied it in several sectors of industry (rail, aerospace, nuclear). Our old Applied Information Engineering department in Croydon even contributed to its technical development. 61508 is one of the base standards for ISO 17894. However, for the achievement of system dependability it is not sufficient.

Firstly, trial application and feedback from the user and project groups associated with the European ATOMOS project (in which 17894 and DSR were developed) demonstrated that the marine sector will not accept the full rigour and implications of 61508 (BTW further discussion of this rather alarming issue alone could be another article). It looks as if a harmonisation document will always be required for the marine sector, and we believe that for quite a long time ISO 17894 will fulfil this function.

Secondly, 61508 strictly addresses electrical, electronic and programmable electronic systems and functional safety (i.e. if to have and how to develop protection systems), unless your colleague was actually thinking of IEC 61511, which was developed more for industrial process control than transport systems. (Incidentally, IEC 61508 does not apply to transport systems in North America.)

Thirdly, ISO 17894 goes beyond the scope of 61508 and addresses not only the reliability and availability of protective systems but all issues that make any system dependable, including usability, maintainability, integration, match to requirements, quality, etc. (the risk assessment guidance in 61508 is very useful in all cases of course).

Finally, the requirements of 61508 are presented as a lifecycle (or even a methodology). This imposes rigour that is only necessary for attestation or certification. Since it is early days for any sort of structured systems development, let alone application of the safety lifecycle, to marine IT, this rigour is too constraining for manufacturers.
Hope that this explains DSR and ISO 17894.

Best Regards
JV

--------------------------------------------------
Dr Jonathan Earthy
Principal Human Factors Specialist
Research and Development Department
Lloyd's Register, 71 Fenchurch Street
London, EC3M 4BS
Tel: +44 207 423 1422
Direct: +44 207 423 2304
Fax: +44 207 423 2061
Email: jonathan.earthy@lr.org
www.lr.org
www.he-alert.org
www.processforusability.co.uk/HFIPRA/HFIPRA.html