The Editor
Spectrum
SYSTEM SAFETY AND IEC 61508
As an engineer with experience in safety, reliability and quality and in the creation and application of relevant international standards, I would like to draw Spectrum readers' attention to IEC 61508, the recently-issued standard on safety of "programmable electronic safety-related systems".
First, it is worth reminding ourselves how this kind of standard is created. A member or a group makes a proposal to the appropriate body (in this case IEC), and, if the idea is approved, a drafting committee is set up. Inevitably such committees are comprised of people who represent the appropriate national bodies and the specialisation concerned. Since the decision has already been taken that the standard will be created, the committee works to produce it. If at some stage individual members question the value of the exercise they find themselves outvoted, since by this time the majority will inevitably be in favour of the project. Therefore, regardless of the value of the standard being created, and even if the committee represents a minority view in the field as a whole, the momentum created will take the standard to completion and eventual issue. Once the standard has been issued its change or removal is difficult to accomplish.
The creation process is not inappropriate, in principle, for standards that are necessary to regulate technologies, provide safety, etc. Examples are radio frequency allocations, wiring colour codes and e.m.i. emissions. We all need these. However, when applied to "management systems" such as quality, reliability, environmental protection and safety it creates standards which generate bureaucracies, incur large costs and do not deliver improvements. In fact the effects are usually negative: the efforts to comply distract from the real work needed to provide excellent products and services. This has been the stark lesson of ISO9000 for quality systems, IEC300 for "dependability", and ISO14000 for environmental management. (It was impressive how quickly all of the ISO9000 accreditation businesses became expert in environmental management soon after ISO14000 was issued!) The continued existence and application of these standards is now maintained by strong vested interests, which prevail over the opinions of people who criticise them. (It is notable that all of the top teachers of quality, such as W. E. Deming, K. Ishikawa, J.R. Juran, etc. argued against the ISO9000 approach, and that Japanese industry has largely avoided it.)
IEC61508 introduces a threat greater than inefficiency and cost, since it relates to safety. It describes methods that are inconsistent with actual best practice in systems, electronics and software industries. In particular, it requires the quantification of risk probabilities using methods that have been discredited, and which are disallowed by organisations such as the US Army, NASA, UK Ministry of Defence, etc. and which are not used by most of industry. It requires that system designs are assessed for safety, using these methods, by "independent" experts. It replaces common-sense, proven management, engineering and accountability principles with a dangerously misguided approach that will be parasitic on industry and which will do nothing to improve safety. It does not serve the interests of suppliers, users or the public. Its authors seem to be unrepresentative of these and ignorant of the practical and effective methods that are already in place to ensure safety.
Since the scope of potential application of the standard is vast (industrial controls, railway signalling, marine communication and navigation, transport applications such as flight systems, engine controls, brakes and air bag initiation, medical equipment, traffic control, etc.), the consequential scope for misguided effort and cost is frightening. Where will the army of assessors supposedly competent to review complex electronic and software designs come from? How will designers budget for the cost and time involved in the process? Who will bear the responsibility when accidents do happen? If, as must remain the case, it is the designer, what is gained by the assessment? One is left wondering how we have managed without all of this advice and control so far.
If the warning from ISO9000 were not enough, we have had a preview of this bureaucratisation of safety systems with the introduction of the UK Railway Safety Case Regulations as part of the rail privatisation process. A new layer of bureaucracy, cost and delay was imposed on all operations and projects, with zero or possibly negative impact on actual safety. The only ones who profited were the safety consultants. It is no surprise therefore that they support IEC61508, as is evident in the articles in the journal.
I have been surprised at the general lack of awareness of IEC61508 among engineers and managers involved in safety-related systems, on both sides of the Atlantic. I urge IEEE members to familiarise themselves with it and to assess its impact on their projects and responsibilities. In particular, I suggest that those with influence in the appropriate industries consider how it can be removed, and how this kind of standards creation can be prevented in future.
Patrick O'Connor
Nov 00