Dr. Aris Thorne, Principal Systems Engineer, Hailstone Automated Mining
“How long?”
Big Ned’s twin-brain system caught a second latent fault last Tuesday. This time, it was a temperature sensor drift on the LiDAR. The wheel-tick algorithm said “clear path.” The LiDAR algorithm said “soft ground.” The comparator threw a fault, the truck coasted to a stop, and a technician found a smoldering bearing.
I spent that night cross-referencing. Section B.6.9 (Software error effect analysis) with D.2.2 (Diverse programming). I realized: our single codebase was the real hazard. The counter overflow was trivial to fix. But what other latent overflows were sleeping in the memory? iec 61508-7
And somewhere in a German standards committee meeting, a ghost editor smiled. Because they wrote that volume for exactly this moment: when the rules run out, and only the principles remain.
Not fancy. Not new. Just a table. On the left: “Technique.” On the right: “Recommended SIL.” Buried in the footnotes:
At the post-mortem, Elena asked the room: “Why didn’t we think of this before?” The wheel-tick algorithm said “clear path
She made 61508-7 required reading for every systems engineer. Not for certification. For humility.
The next morning, I didn’t propose a new hardware architecture. I proposed a : two independent software teams, two different compilers, two different algorithms for obstacle detection—running in lockstep. One calculates distance by wheel ticks. The other by LiDAR odometry. If they disagree by more than 2%, the truck stops immediately —not because of a sensor, but because of a logical contradiction.
“Because we only read the parts that tell us what to do. This part tells us how to think.” I realized: our single codebase was the real hazard
“Eight weeks. No hardware spin. Just a second firmware image and a comparator.”
“It’s in the standard,” I said, sliding the open binder toward her. Page 147. Table C.5: “Diverse programming – Recommended for SIL 3 and SIL 4.”
The autonomous haul truck, “Big Ned,” had just killed three hundred meters of conveyor belt before lunch. The emergency stops fired—eventually. But the shredded rubber and twisted steel were a $2 million mistake. My boss, Elena, didn’t yell. She just tapped the incident report and said, “Your safety loop missed its SLF.”