…and the value of virtuous witnesses
I have to say that I’ve never been terribly impressed with ISO 61508, given it purports to be so arcane that it requires a priesthood of independent safety assessors to reliably interpret and sanction its implementation. My view is that if your standard is that difficult then you need to rewrite the standard.
Which is where I would have parked my unhappiness with the general 61508 concept of an ISA, until I remembered a paper written by John Downer on how the FAA regulates the aerospace sector. Within the FAA’s regulatory framework there exists an analog to the ISA role, in the form of what are called Designated Engineering Representatives or DERs. In a similar independent sign-off role to the ISAs, DERs are paid by the company they work for to carry out a certifying function on behalf of the FAA.
Now, as John Downer points out in ‘Watching the Watchmaker’, perhaps we misunderstand the roles of the regulator and the regulated if we think of them in terms of straightforward technical rule-making on the one hand and compliance on the other. In reality no regulator has the resources, or is close enough to the face of live practice, to be able to effectively regulate technology without significant reliance upon the experts within that industry. Perforce the FAA falls back on a process of regulating by establishing who it can trust to make decisions, rather than directly regulating the decisions themselves. Seen from this perspective the role of the ISA is not only to act as a high priesthood interpreting the holy scriptures of ISO 61508 (for example) but also to act as trusted experts that we can rely upon.
The problem with this unstated ISA role becomes apparent when we compare how the FAA plays the regulatory game with how other industry regulators play it. While the FAA vouchsafes the DERs as experts that we can trust, in other industries there is no equivalent act by the regulator. Which leads us to the question of how much trust we can and should place in the role of Independent Safety Assessor. Where manufacturer ‘A’ employs the services of assessor ‘B’, and where the commercial outcomes of both parties are bound up with achieving a specific outcome, one can, I think, reasonably question the degree of true independence. And as the Haddon-Cave inquiry into the crash of RAF Nimrod XV230 indicates, such trust should perhaps be tightly circumscribed indeed.
We have, under the current arrangements of regulation via 61508, an inbuilt problem of trust: we do not trust the manufacturer, nor, it appears, can we place much trust in the independent assessor who is acting on our behalf. The solution is clearly for regulators who rely upon independent safety assessors to stop treating the game as a spectator sport and to ensure that people who are implicitly acting in a regulatory role are accountable to the regulator.