International safety standard IEC 61508‐7 Annex D prescribes the number of safety critical software (SW) inputs that must be processed correctly in succession in order to ascertain that the SW meets a certain safety integrity level (SIL) with a certain statistical confidence level. The sample sizes in Annex D Table D.1 are derived from a Bernoulli sampling model, which requires that the sampled inputs be uniformly distributed.
The simulations reported in this paper are intended to answer the question: if one uses the sample sizes prescribed in IEC 61508‐7 Annex D but the sampled safety critical SW inputs are not uniformly distributed, do the confidence levels in Table D.1 still hold? The answer is NO. When the sampled safety critical SW inputs are not uniformly distributed, the confidence level attained depends not only on the sample size but also on both the distribution of the sampled safety critical SW inputs and the distribution of those safety critical SW inputs that will not be correctly processed. Since it is impossible to know the distribution of the safety critical SW inputs that will not be correctly processed, it is impossible to know the confidence level attained when the sampled safety critical inputs are not uniformly distributed. Consequently, SW cannot be safety certified according to Annex D unless the SW tester can demonstrate that the safety critical SW inputs used in the tests were uniformly distributed.
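The effect described above can be reproduced with a small simulation. The following is an added illustration, not the paper's own simulation code: it assumes the Bernoulli relation (1 - p)^N <= 1 - C behind the Annex D sample sizes, a constructed input space of 1000 inputs in which the top 1 % are processed incorrectly (so the true failure fraction equals the SIL bound p = 0.01), and a hypothetical skewed tester that draws 90 % of its inputs from the first 10 % of the input space.

```python
import math
import random

# Bernoulli sampling model behind Annex D: after N correctly processed inputs
# drawn uniformly, the probability of failure per input is below p_bound with
# confidence C when (1 - p_bound)**N <= 1 - C.
def bernoulli_sample_size(p_bound: float, confidence: float) -> int:
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_bound))

def pass_probability(p_hit: float, n_tests: int) -> float:
    """Exact chance that n_tests samples all miss the failing inputs when
    each sample hits a failing input with probability p_hit."""
    return (1 - p_hit) ** n_tests

# Constructed input space: 1000 inputs, of which the top 1 % (990..999) are
# processed incorrectly, so the true failure fraction equals the SIL bound.
INPUT_COUNT = 1000
FAILING_INPUTS = frozenset(range(990, 1000))

def uniform_sampler(rng: random.Random) -> int:
    return rng.randrange(INPUT_COUNT)

def skewed_sampler(rng: random.Random) -> int:
    # Hypothetical non-uniform tester: 90 % of draws come from the first 10 %
    # of the input space, the remaining 10 % are uniform over everything.
    if rng.random() < 0.9:
        return rng.randrange(INPUT_COUNT // 10)
    return rng.randrange(INPUT_COUNT)

def acceptance_test(sampler, n_tests: int, rng: random.Random) -> bool:
    """True if all n_tests sampled inputs were processed correctly."""
    return all(sampler(rng) not in FAILING_INPUTS for _ in range(n_tests))

def false_acceptance_rate(sampler, n_tests: int, trials: int, seed: int = 1) -> float:
    """Fraction of trials in which this (failing) SW passes the Annex D test."""
    rng = random.Random(seed)
    accepted = sum(acceptance_test(sampler, n_tests, rng) for _ in range(trials))
    return accepted / trials

if __name__ == "__main__":
    n = bernoulli_sample_size(p_bound=0.01, confidence=0.99)  # 459 tests
    print(f"tests required: {n}")
    for name, sampler in (("uniform", uniform_sampler), ("skewed", skewed_sampler)):
        rate = false_acceptance_rate(sampler, n, trials=2000)
        print(f"{name:8s} sampling: failing SW accepted {rate:.1%} of the time "
              f"(attained confidence about {1 - rate:.0%})")
```

With uniform sampling the failing SW is accepted about 1 % of the time, i.e. the 99 % confidence holds; with the skewed sampler each draw hits a failing input with probability 0.001, so the same 459 tests accept the failing SW about 63 % of the time, and the attained confidence collapses to roughly 37 %.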