Iec 61508-7 Now

That was the key. We had done event trees. We had modeled the truck hitting a person, a wall, a drop-off. We never modeled the truck “forgetting” its own odometry—because that wasn’t a physical event. It was a ghost in the logic.

The next morning, I didn’t propose a new hardware architecture. I proposed a : two independent software teams, two different compilers, two different algorithms for obstacle detection—running in lockstep. One calculates distance by wheel ticks. The other by LiDAR odometry. If they disagree by more than 2%, the truck stops immediately —not because of a sensor, but because of a logical contradiction.

She meant the Safety Lifecycle phase. But I heard the unspoken accusation: You didn’t think of everything. iec 61508-7

That’s when I opened the heavy, blue-covered binder: . The nerdy sibling. Part 1 is management. Part 2 is hardware. Part 3 is software. Part 7? That’s the “overview of techniques and measures.” Most engineers treat it like an encyclopedia you only touch during a TÜV audit. I treated it like a prayer book.

I retreated to my office, a tomb of stacked binders and coffee cups. On my screen was the post-mortem: a single, latent software fault. A counter variable in the obstacle-avoidance logic would overflow after 32,767 wheel rotations. Not on day one. Not on day ten. But on day forty-seven—today. The truck thought it had traveled negative distance. It “forgot” the rock pile. That was the key

I raised the blue binder.

“Eight weeks. No hardware spin. Just a second firmware image and a comparator.” We never modeled the truck “forgetting” its own

She made 61508-7 required reading for every systems engineer. Not for certification. For humility.

Not fancy. Not new. Just a table. On the left: “Technique.” On the right: “Recommended SIL.” Buried in the footnotes:

The Oracle in the Appendix

She looked at the page. Then at the shredded conveyor belt photo. Then back at me.