Introduction to part III - Overview of 61508
|
|
- Marcus Lang
- 7 years ago
- Views:
Transcription
1 to - Overview of rg> December 22, 2015
2 Outline to - to of Some of /pre-existing SW
3 intro Focus: System scope embedding functional safety Managing complexity - system context Provide Methodology of achieving tolerable risk Help you specify sound and consistent procedures Focus on generic aspects Says nothing about certification! is a basic safety standard - it is the basis for a number of application sector specific standards. No mater what derived standard you work with you should take the time to read Ed 2. to -
4 What is? A generic safety process template: procedural safety life-cylce -> safety case risk based approach (SIL/SC + ALARP) generic safety life-cycle specification guidance more than guide-lines. A major objective is to facilitate the development of application sector specific standards [-1 Ed 2 ] to -
5 scope Functional Safety Focus on a conceptually monolitic safety case Slanted towards systems of low complexity Targeting organisational, specification and design faults Limited considerations for human factors [ Note 2] Very limited considerations for security [ m)] You can t follow - it can guide you though on your path after you defined your path. to -
6 constraints System Level global safety context somewhat hardware centric no notion of failure mode (fail-safe/fail operational) slant towards low complexity PES must be heavily interpreted When you read it the first time it will seem vague, inprecise and inconsistent - and if you try to treat it as a checklist it is! to -
7 Context - reduce risk to an acceptable level: Social Economic Regulatory (National) to -
8 Context - reduce risk to an acceptable level: Social Economic Regulatory (National)...in a given context: must be reinterpreted in the specific context of its application - don t limit this to the technical aspects only. is not about a safety development lifecycle, it s about a system safety life-cycle - requirements to decommissioning. It does state requirements on the safety development lifecycle - and typically one of the fist steps will be to define eactly this life-cycle in the specific context. to -
9 Costs of faults Products with a year life-cycle Development: 20-30% Requirements 70% Design 15% Implementation 3% Integration 10% Testing 2% Maintenance: 70-80% And if you would include decommissioning some domains would have 99% of the coste there (e.g. Nuclear Power-plants - anybody have an idea how to dismantle them?) can help you save costs - if applied from the very outset of your project to -
10 Location of faults Primary cause by phase Frequ. % Inad. functional requirements specification 4 12 Inad. safety integrity requirements specification Total specification Total design and implementation 5 15 Total installation and commissioning 2 6 Inadequate operation 1 3 Inadequate maintenance 4 12 Total operation and maintenance 5 15 Inadequate modification 7 20 Inadequate de-commissioning 0 0 Total change control after commissioning 7 20 [HSE, Out of control, HSG 238, 2003] to -
11 Generic Goals Plan A - Hazard elimination to -
12 Generic Goals Plan A - Hazard elimination Plan B - Hazard mitigation to -
13 Generic Goals Plan A - Hazard elimination Plan B - Hazard mitigation Diagnostic tests can provide significant benefits in the achievement of functional safety of an E/E/PE safety-related system. However, care must be exercised not to unnecessarily increase the complexity which, for example, may lead to increased difficulties in verification, validation, functional safety assessment, and maintenance and modification activities. Increased complexity may also make it more difficult to maintain the long-term functional safety of the E/E/PE safety-related system. [-2 C.2 Note 2] All of IEC and its derived standards are only Plan B to -
14 Tollerable Risk - Definition tolerable risk risk which is accepted in a given context based on the current values of society [IEC -4 Ed ] [IEC Guide 51:1999, definition 3.7] to -
15 Tollerable Risk - Definition tolerable risk risk which is accepted in a given context based on the current values of society [IEC -4 Ed ] [IEC Guide 51:1999, definition 3.7] IEC can t say what your target risk goal is. Causes rate All causes (mid life including medical) pa All accidents (per individual) pa Accidents in the home pa Road traffic accidents pa Natural desaster (per individual) pa to - [Elsevier, Safety Critical Systems Handbook, Section 1.1]
16 Tollerable Risk - Context Different tollerable risks depending on relation to individual Context rate Employee 10 3 pa Public 10 4 pa Broadly acceptable risk 10 6 pa [HSE R2P2 - Reducing Risks, Protecting People] to -
17 Tollerable Risk - Context Different tollerable risks depending on relation to individual Context Employee Public Broadly acceptable risk [HSE R2P2 - Reducing Risks, Protecting People] rate 10 3 pa 10 4 pa 10 6 pa...and role of the individual Serious or fatal injury to a relatively small number of the occupants other than the flight crew. [RTCA DO 178C 2.3.2] to -
18 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: to -
19 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: reduce to atleast the specified safety target (thats what the SIL level expresses) reduce below the specified safety targets as far as economically feasible to -
20 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: reduce to atleast the specified safety target (thats what the SIL level expresses) reduce below the specified safety targets as far as economically feasible operations: to -
21 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: reduce to atleast the specified safety target (thats what the SIL level expresses) reduce below the specified safety targets as far as economically feasible operations: ensure the fielded systems achieve atleast the expected level. continuously strive to improve the systems safety and the organisational safety capabilities. to -
22 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: reduce to atleast the specified safety target (thats what the SIL level expresses) reduce below the specified safety targets as far as economically feasible operations: ensure the fielded systems achieve atleast the expected level. continuously strive to improve the systems safety and the organisational safety capabilities. decommisioining: to -
23 Tollerable Risk Tollerable risk is not a static property of a system it must be maintained over the lifetime of the system. initial development: reduce to atleast the specified safety target (thats what the SIL level expresses) reduce below the specified safety targets as far as economically feasible operations: ensure the fielded systems achieve atleast the expected level. continuously strive to improve the systems safety and the organisational safety capabilities. decommisioining: extract lessons learned and feed into new developments to -
24 Tollerable Risk and SIL Why do we need the SIL concept? If risks where qunatifiable we could just use failure rates and be good? to -
25 Tollerable Risk and SIL Why do we need the SIL concept? If risks where qunatifiable we could just use failure rates and be good? What is with analysis level faults? Management faults? Methods/Tools? to -
26 Tollerable Risk and SIL Why do we need the SIL concept? If risks where qunatifiable we could just use failure rates and be good? What is with analysis level faults? Management faults? Methods/Tools? Can t quantify them! to -
27 Tollerable Risk and SIL Why do we need the SIL concept? If risks where qunatifiable we could just use failure rates and be good? What is with analysis level faults? Management faults? Methods/Tools? Can t quantify them! For those non-quantifiable risk contributions SIL/SC expresses a level of rigour that is broadly accepted to relate to the severity implied by the allocated SIL/SC level. The SIL/SC does not imply that systematic faults have a failure rate or that a set of measures/rigour will result in a specific failure rate at the system level. to -
28 Tollerable Risk and SIL Why do we need the SIL concept? If risks where qunatifiable we could just use failure rates and be good? What is with analysis level faults? Management faults? Methods/Tools? Can t quantify them! For those non-quantifiable risk contributions SIL/SC expresses a level of rigour that is broadly accepted to relate to the severity implied by the allocated SIL/SC level. The SIL/SC does not imply that systematic faults have a failure rate or that a set of measures/rigour will result in a specific failure rate at the system level. Requirements of SIL/SC strive to ensure a consistent treatment of risks at all levels (organisation,process,technology,tools/methods) to -
29 Generic Goals - Example states goals not methods Structural test coverage (statements) 100 % to -
30 Generic Goals - Example states goals not methods Structural test coverage (statements) 100 % Where 100% coverage cannot be achieved (e.g. statement coverage of defensive code), an appropriate explanation/justification should be given to -
31 Generic Goals - Example states goals not methods Structural test coverage (statements) 100 % Where 100% coverage cannot be achieved (e.g. statement coverage of defensive code), an appropriate explanation/justification should be given Plan to use GCOV with a set of test-cases. to -
32 Generic Goals - Example states goals not methods Structural test coverage (statements) 100 % Where 100% coverage cannot be achieved (e.g. statement coverage of defensive code), an appropriate explanation/justification should be given Plan to use GCOV with a set of test-cases. -7 C.5.6 Error seeding to -
33 Generic Goals - Example states goals not methods Structural test coverage (statements) 100 % Where 100% coverage cannot be achieved (e.g. statement coverage of defensive code), an appropriate explanation/justification should be given Plan to use GCOV with a set of test-cases. -7 C.5.6 Error seeding Aim: To ascertain whether a set of test cases is adequate. What ever you applie from any clause,subclause or notes from an annex the first question is what is the goal of that requiremnt/statement -> Interpretation. to -
34 Strategies as Requirements states some strategies as requirements: Some clauses are stragey recommendations not even requirements: As far as practicable the design shall keep the safety-related part of the software simple. to -
35 Strategies as Requirements states some strategies as requirements: Some clauses are stragey recommendations not even requirements: As far as practicable the design shall keep the safety-related part of the software simple. Some clauses are not requiremnts at all: The overall, E/E/PE system and software safety lifecycle figures are simplified views of reality and as such do not show all the iterations relating to specific phases or between phases. Iteration, however, is an essential and vital part of development through the overall, E/E/PE system and software safety lifecycles. to -
36 Strategies as Requirements states some strategies as requirements: Some clauses are stragey recommendations not even requirements: As far as practicable the design shall keep the safety-related part of the software simple. Some clauses are not requiremnts at all: The overall, E/E/PE system and software safety lifecycle figures are simplified views of reality and as such do not show all the iterations relating to specific phases or between phases. Iteration, however, is an essential and vital part of development through the overall, E/E/PE system and software safety lifecycles. Some clauses are formal non-compliance waifers: Provided that the software safety lifecycle satisfies the requirements of Table 1, it is acceptable to tailor the V-model (see Figure 6) to take account of the safety integrity and the complexity of the project. to -
37 Monolitic Nature of Documented DLC - highly iterative tailoring V-model iteration to -
38 Monolitic Nature of Documented DLC - highly iterative tailoring V-model iteration Consolidated CDP - monolitic view verified input/outputs for each phase Once you reached a consisten state of work (e.g. before entering service) your overall consolidated work-products forma a waterfall model and all the intermediate states are no longer visible - that ideal waterfall model is purlely monolitic and fits exactly one system. to -
39 Mitigation by procedures Systematic problem We can t quantify systematic faults of HW/SW We can quantify faults of Humans - which are very often systematic faults (e.g. lack of understanding, prejudice, confirmatory bias, ignorance..) What prevents us from deteting cause? to -
40 Mitigation by procedures Systematic problem We can t quantify systematic faults of HW/SW We can quantify faults of Humans - which are very often systematic faults (e.g. lack of understanding, prejudice, confirmatory bias, ignorance..) What prevents us from deteting cause? blame to -
41 Mitigation by procedures Systematic problem We can t quantify systematic faults of HW/SW We can quantify faults of Humans - which are very often systematic faults (e.g. lack of understanding, prejudice, confirmatory bias, ignorance..) What prevents us from deteting cause? blame The mitgation Manage it - structured approach that can be traced 2 n eye principle (minimum 4) at all steps Complet,consisten -> prcesses, procedures and methods Effective, efficient -> state of the art in engineering. Add managed competence and you have IEC to -
42 Mitigation by procedures Systematic problem We can t quantify systematic faults of HW/SW We can quantify faults of Humans - which are very often systematic faults (e.g. lack of understanding, prejudice, confirmatory bias, ignorance..) What prevents us from deteting cause? blame The mitgation Manage it - structured approach that can be traced 2 n eye principle (minimum 4) at all steps Complet,consisten -> prcesses, procedures and methods Effective, efficient -> state of the art in engineering. Add managed competence and you have IEC The root-cause is that our meager brains can t handle the complexity of the systems we are building. to -
43 Principle It s simple - almost trivial... Achieving and Maintaining an acceptable level of risk by: to -
44 Principle It s simple - almost trivial... Achieving and Maintaining an acceptable level of risk by: Risk assessment to -
45 Principle It s simple - almost trivial... Achieving and Maintaining an acceptable level of risk by: Risk assessment Risk elimination to -
46 Principle It s simple - almost trivial... Achieving and Maintaining an acceptable level of risk by: Risk assessment Risk elimination Residual Risk Mitigation to -
47 Principle It s simple - almost trivial... Achieving and Maintaining an acceptable level of risk by: Risk assessment Risk elimination Residual Risk Mitigation Effective Risk Monitoring...a bit hidden. No system is risk free - but every system must stay in the tollerable range. to -
48 Flow -> Define system -> Identify potential hazards -> Map to risks -> Derive SIL requirement(s) for system -> Apply appropriate methods -> Deriove SIL requirement(s) for decomposition -> Apply appropriate methods -> Justify risk mitigation (safety case) -> Monitor the system - verify your claims to - This path is followed by all derived standards inside a framework for functional safety management. Note that it does not depend on the component being /OSS or bespoke.
49 System Safety to -
50 Types of Safety Inherently Safe to -
51 Types of Safety Inherently Safe Reactive Safety fault detection fault reaction self-check requirements to -
52 Types of Safety Inherently Safe Reactive Safety fault detection fault reaction self-check requirements Composite Safety fault tolerance detectability through isolation availability issues does not differenciate betwee fail-safe/fail-silent/fail-operational - it is a very generic process. to -
53 Functional Safety Architecture HW architectural protection: Redundancy/Replication HFT 1: 2oo2...NooM relevance of random errors (types) SIL/SC level [ /11] to -
54 Functional Safety Architecture HW architectural protection: Redundancy/Replication HFT 1: 2oo2...NooM relevance of random errors (types) SIL/SC level [ /11] Diversity: types of diversity effects of diversity safety case based on diversity [-6 Ed 1 Appendix E] The architecture is an essential component in SW safety. to -
55 (SW) -4 Definitions (global) Clause 5/6 Doc/Management (global) Development of Requirements (<- Part 5) 7.6 Allocation of safety functions 7.10 Implementation -> -2,-3-6 guide to application of -2/3-7 Methods is not a simple standard as it has strong horizontal and vertical linking of clauses. You must develop your path! to -
56 phase structure IEC -1 Ed 2 Phases 1-5 address analysis and requirements development (technology independent) Phases address realisation: planing, HW and SW Phases address operation and de-commissioning. IEC > -2 IEC > -3 Part 1 focus on the broader system aspects and supporting process, part 2 focusses on the system implementation and part 3 on software aspects. to -
57 (SW) to -
58 -3 Overview Functional Safety of software for E/E/PES safety related systems Tightly coupled to -2 Software is never maintained only modified [ ] Anything using an OS or libraries qualifies as high-complexity Previously developed software == Ed 2 provides relatively well defined routes for. FLOSS ==? pre-existing software: software developed prior to the application currently in question, including (commercial off-the shelf) and open source software [EN Ed ] to -
59 -4/5/6/7 provides the methods necessary to handle - notably -6 Appendix E gives a based SIL3 system concept overview! 4 - Definitions 5 - Guidance in assigning SIL 6 - Guidance in applying -2, Approved methodologies The problem is that too many engineers simply do not read it - your safety can t read it for you... to -
60 Safety Management Problem: Fault -> Error -> Failure -> Hazard -> Accident : Hazard identification is the key to functional safety management in and derived standards. Hazards are not limited to technical hazards -> organisation, methods, processes, tools... The main worry of functional safety management is to preserve consistency - this is in my opinion the main reason for the dominance of the monolithic safety model. Humans are very bad in finding inconsistencies in compex systems - a structured and traceable aproach is currently the only defence we have. to -
61 Safety Integrity Level (SIL) Discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety related systems, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest [ ] risk reduction needed to achieve acceptable risk level defined for continuous and low demand mode Note not all derived standards define SIL4! : if analysis results in SIL4 requirements -> go fix your system design [ IEC -1 Ed ] Safety Integrity Level can be assigned by quantitative or qualitative methods [-5]. to -
62 Safety-related (component) Safety-related electronic control system: Electronic control system of a machine who s failure can result in the immediate increase of the risk(s) [ ] Subsystem: Entity of the top-level architectural design of the SRECS where a failure where a failure of any subsystem will result in the failure of a safety related control function. [ ] Module: routine, discrete component or a functional set of encapsulated routines or discrete components belonging together [ ] to -
63 Diversity Types of diversity software: N-version programming hardware: different HW-platforms usage: diversity of access temporal: diversity of env-state level of diversity organisational specification (procedural vs. rule-driven) Selection (i.e. libraries, servers) implementation (i.e. languages) integration (i.e. compiler, generators) Diversity can address some of the worries of. to -
64 Options for SW 1 S Compliant development 2 S Proven in use 3 S Non-compliant development (pre-existing software) Note that pre-existing software does not mean pre-dating the standard but rather: pre-existing software: software element which already exists and is not developed specifically for the current project or safety-related system. [IEC -4 Ed ] to -
65 Proven-in-use Evidence - not specified clearly Route 2 S : compliance with the requirements for evidence that the equipment is proven in use [-2 Ed ] Requirements for proven in use elements [-2 Ed ] Field experience [-7 Ed 2 B5.4] Proven-in-use [-7 Ed 2 C ] In case of tools - Increased confidence from use [-3 A3 4b)] Especially the derived standards have a quite varying interpretation of evidence and multiple terms for. Proven-in-use is not going to be your main strategy for any complex component/system. to -
66 Softwares role in safety As far as practicable the design shall minimize the safety-related part of the software.[ ] constraints on software: Architectural constraints (HW) [ ] Probability of dangerous random HW failures [ ] Requirements for systematic SIL (SILCL) [ ] is a derivative for the Machine sector. This is well in line with Ed to -
67 previously developed software - Ed 1 if standard or previously developed software is to be used as part of the design then it shall be clearly identified. [-3 Ed ] The software suitability in satisfying the specification of requirements for software safety (see 7.2) shall be justified. [-3 Ed ] Suitability shall be based upon evidence of satisfactory operation in a similar application... [-3 Ed ] or having been subject to the same verification and validation procedures as would be expected for any newly developed software [-3 Ed ] Constraints from the previous software environment shall be evaluated [-3 Ed ] This is very strongly reflected in EN Ed 1 (Rail signaling) to -
68 previously developed software Ed 2 Route 3 S (pre-existing software elements only): compliance with the requirements of IEC -3, [ ] Route 3 S assessment of non-compliant development. Compliance with [-3 Ed a)] provide a safety manual (see Annex D of IEC -2 and Annex D of this standard) that gives a sufficiently precise and complete description of the element to make possible an assessment of the integrity of a specific safety function that depends wholly or partly on the pre-existing software element. [-3 Ed b)] to -
69 Route 3 S Requirements a) documented software safety requirements b) satisfies the objectives of -3 c) documented design d) evidence includes the hardware e) evidence of systematic V&V f) side-effect freedom of dead code g) credible failures have been identified h) well defined configuration i) satisfaction of safety manual constraints Note that this is really very much simplified - more on this later to -
70 Ed2 Concluding Remarks Read it first - take your time How: part 1 (with part 4 and 7 on your desk) part 5 part 2 (with part 4,7 and 1 on your desk) part 3 (with part 4,7 and 1 on your desk) part 6 Make sure all engineers involved in the safety related project read it (CM, QA, testers, coders, managers, piza-deliverer...) The big problem - no fast route into - if you don t have the time in your plan - don t do safety. to -
ELECTROTECHNIQUE IEC INTERNATIONALE 61508-3 INTERNATIONAL ELECTROTECHNICAL
61508-3 ª IEC: 1997 1 Version 12.0 05/12/97 COMMISSION CEI ELECTROTECHNIQUE IEC INTERNATIONALE 61508-3 INTERNATIONAL ELECTROTECHNICAL COMMISSION Functional safety of electrical/electronic/ programmable
More informationIEC 61508 Overview Report
IEC 61508 Overview Report A Summary of the IEC 61508 Standard for Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems exida Sellersville, PA 18960, USA +1-215-453-1720
More informationHardware safety integrity Guideline
Hardware safety integrity Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se Quoting of this report is allowed
More informationOverview of IEC 61508 - Design of electrical / electronic / programmable electronic safety-related systems
Overview of IEC 61508 - Design of electrical / electronic / programmable electronic safety-related systems Simon Brown The author is with the Health & Safety Executive, Magdalen House, Bootle, Merseyside,
More informationIEC 61508 Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter.
61508 SIL 3 CAPABLE IEC 61508 Functional Safety Assessment Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter Customer: K-TEK Corporation Prairieville, LA USA Contract No.:
More informationControlling Risks Safety Lifecycle
Controlling Risks Safety Lifecycle Objective Introduce the concept of a safety lifecycle and the applicability and context in safety systems. Lifecycle Management A risk based management plan for a system
More informationVersion: 1.0 Latest Edition: 2006-08-24. Guideline
Management of Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se Quoting of this report is allowed but please
More informationFrequently Asked Questions
Frequently Asked Questions The exida 61508 Certification Program V1 R8 October 19, 2007 exida Geneva, Switzerland Sellersville, PA 18960, USA, +1-215-453-1720 Munich, Germany, +49 89 4900 0547 1 Exida
More informationUniversity of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities
II.2 Life Cycle and Safety Safety Life Cycle: The necessary activities involving safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when
More informationUnderstanding Safety Integrity Levels (SIL) and its Effects for Field Instruments
Understanding Safety Integrity Levels (SIL) and its Effects for Field Instruments Introduction The Industrial process industry is experiencing a dynamic growth in Functional Process Safety applications.
More informationPABIAC Safety-related Control Systems Workshop
Health and and Safety Executive PABIAC Safety-related Control Systems Workshop KEY STANDARDS FOR ELECTRICAL & FUNCTIONAL SAFETY OF PAPERMAKING MACHINES: APPLICATION & USE Steve Frost HM Principal Electrical
More informationHow to Upgrade SPICE-Compliant Processes for Functional Safety
How to Upgrade SPICE-Compliant Processes for Functional Safety Dr. Erwin Petry KUGLER MAAG CIE GmbH Leibnizstraße 11 70806 Kornwestheim Germany Mobile: +49 173 67 87 337 Tel: +49 7154-1796-222 Fax: +49
More informationTesting of safety-critical software some principles
1(60) Testing of safety-critical software some principles Emerging Trends in Software Testing: autumn 2012 Matti Vuori, Tampere University of Technology 27.11.2012 Contents 1/4 Topics of this lecture 6
More informationSelecting Sensors for Safety Instrumented Systems per IEC 61511 (ISA 84.00.01 2004)
Selecting Sensors for Safety Instrumented Systems per IEC 61511 (ISA 84.00.01 2004) Dale Perry Worldwide Pressure Marketing Manager Emerson Process Management Rosemount Division Chanhassen, MN 55317 USA
More informationA methodology For the achievement of Target SIL
A methodology For the achievement of Target SIL Contents 1.0 Methodology... 3 1.1 SIL Achievement - A Definition... 4 1.2 Responsibilities... 6 1.3 Identification of Hazards and SIL Determination... 8
More informationCertification of a Scade 6 compiler
Certification of a Scade 6 compiler F-X Fornari Esterel Technologies 1 Introduction Topic : What does mean developping a certified software? In particular, using embedded sofware development rules! What
More informationISO 26262 Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview
ISO 26262 Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview Barbara J. Czerny, Joseph D Ambrosio, Rami Debouk, General Motors Research and Development Kelly
More informationFrequently Asked Questions
Frequently Asked Questions The exida Certification Program Functional Safety (SIL) Cyber-Security V2 R3 June 14, 2012 exida Sellersville, PA 18960, USA, +1-215-453-1720 Munich, Germany, +49 89 4900 0547
More informationSUCCESSFUL INTERFACE RISK MANAGEMENT FROM BLAME CULTURE TO JOINT ACTION
SUCCESSFUL INTERFACE RISK MANAGEMENT FROM BLAME CULTURE TO JOINT ACTION SUMMARY Axel Kappeler, Principal James Catmur, Director Interfaces are important because they are everywhere. However, interfaces
More informationFundamental Principles of Software Safety Assurance
Fundamental Principles of Software Safety Assurance Tim Kelly tim.kelly@york.ac.uk Context Lack of agreement in the details of requirements of software safety assurance standards has long been recognised
More informationIntroduction of ISO/DIS 26262 (ISO 26262) Parts of ISO 26262 ASIL Levels Part 6 : Product Development Software Level
ISO 26262 the Emerging Automotive Safety Standard Agenda Introduction of ISO/DIS 26262 (ISO 26262) Parts of ISO 26262 ASIL Levels Part 4 : Product Development System Level Part 6 : Product Development
More informationSAFETY LIFE-CYCLE HOW TO IMPLEMENT A
AS SEEN IN THE SUMMER 2007 ISSUE OF... HOW TO IMPLEMENT A SAFETY LIFE-CYCLE A SAFER PLANT, DECREASED ENGINEERING, OPERATION AND MAINTENANCE COSTS, AND INCREASED PROCESS UP-TIME ARE ALL ACHIEVABLE WITH
More informationTÜV Rheinland Functional Safety Program Functional Safety Engineer Certification
TÜV Rheinland Functional Safety Program Functional Safety Engineer Certification The TÜV Rheinland Functional Safety Program is a unique opportunity to provide certified evidence of competency in functional
More informationSafeProd. Functional safety in complex products. www.sp.se/safeprod
SafeProd Functional safety in complex products www.sp.se/safeprod Johan Hedberg SP Swedish National Testing and Research Institute Phone: +46 33 165071, E-mail: johan.hedberg@sp.se Participants SP Swedish
More informationIs your current safety system compliant to today's safety standard?
Is your current safety system compliant to today's safety standard? Abstract It is estimated that about 66% of the Programmable Electronic Systems (PES) running in the process industry were installed before
More informationcodebeamer INTLAND SOFTWARE codebeamer Medical ALM Solution is built for IEC62304 compliance and provides a wealth of medical development knowledge
codebeamer Medical ALM Solution is built for INTLAND Traceability matrix Medical wiki Risk management IEC 62304 compliance codebeamer INTLAND codebeamer Medical ALM Solution is built for Medical Device
More informationCASS TEMPLATES FOR SOFTWARE REQUIREMENTS IN RELATION TO IEC 61508 PART 3 SAFETY FUNCTION ASSESSMENT Version 1.0 (5128)
CASS TEMPLATES FOR SOFTWARE REQUIREMENTS IN RELATION TO PART 3 SAFETY FUNCTION ASSESSMENT Version 1.0 (5128) Report No. T6A01 Prepared for: The CASS Scheme Ltd By: The 61508 Association All comment or
More informationA Quality Requirements Safety Model for Embedded and Real Time Software Product Quality
A Quality Requirements Safety Model for Embedded and Real Time Product Quality KHALID T. AL-SARAYREH Department of Engineering Hashemite University Zarqa 13115, Jordan khalidt@hu.edu.jo Abstract safety
More informationSILs and Software. Introduction. The SIL concept. Problems with SIL. Unpicking the SIL concept
SILs and Software PG Bishop Adelard and Centre for Software Reliability, City University Introduction The SIL (safety integrity level) concept was introduced in the HSE (Health and Safety Executive) PES
More informationIBM Rational Rhapsody
IBM Rational Rhapsody IBM Rational Rhapsody Reference Workflow Guide Version 1.9 License Agreement No part of this publication may be reproduced, transmitted, stored in a retrieval system, nor translated
More informationHow To Integrate Software And Systems
September 25, 2014 EFFECTIVE METHODS FOR SOFTWARE AND SYSTEMS INTEGRATION P R E S E N T E D B Y: D R. B O Y D L. S U M M E R S 1 Software Engineer (Quality) Defense and Space The Boeing Company - Seattle,
More informationMethods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons
Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons 1 Introduction by W G Gulland (4-sight Consulting) The concept of safety integrity levels (SILs) was introduced during the
More informationValue Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity
Value Paper Author: Edgar C. Ramirez Diverse redundancy used in SIS technology to achieve higher safety integrity Diverse redundancy used in SIS technology to achieve higher safety integrity Abstract SIS
More informationSoftware in safety critical systems
Software in safety critical systems Software safety requirements Software safety integrity Budapest University of Technology and Economics Department of Measurement and Information Systems Definitions
More informationReducing Steps to Achieve Safety Certification
Reducing Steps to Achieve Safety Certification WP-01174-1.0 White Paper This white paper describes the successful steps in achieving certification for an FPGA implementation of an application certified
More informationReduce Medical Device Compliance Costs with Best Practices. mark.pitchford@ldra.com
Reduce Medical Device Compliance Costs with Best Practices mark.pitchford@ldra.com 1 Agenda Medical Software Certification How new is Critical Software Certification? What do we need to do? What Best Practises
More informationHow To Write Software
1 Medical Device Software - Software Life Cycle Processes IEC 62304 2 Credits John F. Murray Software Compliance Expert U.S. Food and Drug Administration Marcie R. Williams Medical Device Fellow Ph.D.
More informationSAFETY LIFECYCLE WORKBOOK FOR THE PROCESS INDUSTRY SECTOR
SAFETY LIFECYCLE WORKBOOK FOR THE PROCESS INDUSTRY SECTOR SAFETY LIFECYCLE WORKBOOK FOR THE PROCESS INDUSTRY SECTOR The information and any recommendations that may be provided herein are not intended
More informationProject Risk Management: IV&V as Insurance for Project Success
Project Risk Management: IV&V as Insurance for Project Success Introduction Software development projects can be expensive and risky: Ever more complex mission-critical requirements lead to increasingly
More informationAn introduction to Functional Safety and IEC 61508
An introduction to Functional Safety and IEC 61508 Application Note AN9025 Contents Page 1 INTRODUCTION........................................................... 1 2 FUNCTIONAL SAFETY.......................................................
More informationSoftware Engineering. Introduction. Software Costs. Software is Expensive [Boehm] ... Columbus set sail for India. He ended up in the Bahamas...
Software Engineering Introduction... Columbus set sail for India. He ended up in the Bahamas... The economies of ALL developed nations are dependent on software More and more systems are software controlled
More informationCertification Authorities Software Team (CAST) Position Paper CAST-9
Certification Authorities Software Team (CAST) Position Paper CAST-9 Considerations for Evaluating Safety Engineering Approaches to Software Assurance Completed January, 2002 NOTE: This position paper
More informationSoftware quality engineering. Quality assurance. Testing
4 Software Quality Engineering c Jeff Tian, to be published by John Wiley, 2005 Software quality engineering Quality assurance Testing Figure 1.1. engineering Scope and content hierarchy: Testing, quality
More informationASSESSMENT OF THE ISO 26262 STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY
ASSESSMENT OF THE ISO 26262 STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY Dr. Qi Van Eikema Hommes SAE 2012 Government/Industry Meeting January 25, 2012 1 Outline ISO 26262 Overview Scope of the Assessment
More informationTÜV FS Engineer Certification Course www.silsupport.com www.tuv.com. Being able to demonstrate competency is now an IEC 61508 requirement:
CC & technical support services TÜV FS Engineer Certification Course www.silsupport.com www.tuv.com Being able to demonstrate competency is now an IEC 61508 requirement: CAPITALISE ON EXPERT KNOWLEDGE
More informationRisk Assessment for Medical Devices. Linda Braddon, Ph.D. Bring your medical device to market faster 1
Risk Assessment for Medical Devices Linda Braddon, Ph.D. Bring your medical device to market faster 1 My Perspective Work with start up medical device companies Goal: Making great ideas into profitable
More informationSOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT
SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND Queensland 4072 Australia TECHNICAL REPORT No. 99-30 A Survey of International Safety Standards Axel
More informationProcess Models and Metrics
Process Models and Metrics PROCESS MODELS AND METRICS These models and metrics capture information about the processes being performed We can model and measure the definition of the process process performers
More informationSafety and security related features in AUTOSAR
Safety and security related features in Dr. Stefan Bunzel Spokesperson (Continental) Co-Authors: S. Fürst, Dr. J. Wagenhuber (BMW), Dr. F. Stappert (Continental) Automotive - Safety & Security 2010 22
More informationSafety and functional safety A general guide
Safety and functional safety A general guide This document is an informative aid only. The information and examples given are for general use only. They do not describe all the necessary details for implementing
More informationSpace project management
ECSS-M-ST-80C Space project management Risk management ECSS Secretariat ESA-ESTEC Requirements & Standards Division Noordwijk, The Netherlands Foreword This Standard is one of the series of ECSS Standards
More information1. Software Engineering Overview
1. Overview 1. Overview...1 1.1 Total programme structure...1 1.2 Topics covered in module...2 1.3 Examples of SW eng. practice in some industrial sectors...4 1.3.1 European Space Agency (ESA), software
More informationSAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE. Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.
SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.com DIGITAL FLIGHT / SOLUTIONS Presentation Outline DO-178 Overview
More informationImplementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.
Implementation of ANSI/AAMI/IEC 62304 Medical Device Software Lifecycle Processes.. www.pharmout.net Page 1 of 15 Version-02 1. Scope 1.1. Purpose This paper reviews the implementation of the ANSI/AAMI/IEC
More informationWhen COTS is not SOUP Commercial Off-the-Shelf Software in Medical Systems. Chris Hobbs, Senior Developer, Safe Systems
When COTS is not SOUP Commercial Off-the-Shelf Software in Medical Systems Chris Hobbs, Senior Developer, Safe Systems 2 Audience and Assumptions Who will benefit from this presentation? Software designers
More informationTen steps to better requirements management.
White paper June 2009 Ten steps to better requirements management. Dominic Tavassoli, IBM Actionable enterprise architecture management Page 2 Contents 2 Introduction 2 Defining a good requirement 3 Ten
More informationISO 26262 Introduction
ISO 26262 Introduction Prof. Christian Madritsch 2012 Table of Contents Structure of ISO 26262 Management of Functional Safety Product Development System Level Product Development Hardware Level Product
More informationDRAFT REGULATORY GUIDE
DRAFT REGULATORY GUIDE SOFTWARE IN PROTECTION AND CONTROL SYSTEMS Issued for public comments by the Atomic Energy Control Board October 1999 Atomic Energy Control Board Commission de contrôle de l énergie
More informationSAFETY, PROCESS CONTROL, SOFTWARE
THE DESIGN AND VALIDATION OF SOFTWARE USED IN CONTROL SYSTEMS - SAFETY IMPLICATIONS J Brazendale* and I Lloyd** This paper gives an overview of software engineering and its role in safety. Strategies for
More informationMedical Device Software Standards for Safety and Regulatory Compliance
Medical Device Software Standards for Safety and Regulatory Compliance Sherman Eagles +1 612-865-0107 seagles@softwarecpr.com www.softwarecpr.com Assuring safe software SAFE All hazards have been addressed
More informationSystems Assurance Management in Railway through the Project Life Cycle
Systems Assurance Management in Railway through the Project Life Cycle Vivian Papen Ronald Harvey Hamid Qaasim Peregrin Spielholz ABSTRACT Systems assurance management is essential for transit agencies
More informationLSST Hazard Analysis Plan
LSST Hazard Analysis Plan Large Synoptic Survey Telescope 950 N. Cherry Avenue Tucson, AZ 85719 www.lsst.org 1. REVISION SUMMARY: Contents 1 Introduction... 5 2 Definition of Terms... 5 2.1 System... 5
More informationESRS guidelines for software safety reviews
IAEA Services Series No. 6 ESRS guidelines for software safety reviews Reference document for the organization and conduct of Engineering Safety Review Services (ESRS) on software important to safety in
More informationSafety-Critical Systems: Processes, Standards and Certification
Fachbereich 17 - Mathematik/Informatik Arbeitsgruppe Softwaretechnik Warburger Straße 100 33098 Paderborn Safety-Critical Systems: Processes, Standards and Certification for the Seminar Analysis, Design
More informationPeter Mileff PhD SOFTWARE ENGINEERING. The Basics of Software Engineering. University of Miskolc Department of Information Technology
Peter Mileff PhD SOFTWARE ENGINEERING The Basics of Software Engineering University of Miskolc Department of Information Technology Introduction Péter Mileff - Department of Information Engineering Room
More informationSoftware Life Cycle Process - DO-178B
1(19) Cross reference tables for H ProgSäk (E) and DO-178B A comparison has been made between requirement areas covered by H ProgSäk (E) and DO-178B respectively. Tables for correspondences and differences
More informationSOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT
SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT Mar 31, 2014 Japan Aerospace Exploration Agency This is an English translation of JERG-2-610. Whenever there is anything ambiguous in this document, the original
More informationJOURNAL OF OBJECT TECHNOLOGY
JOURNAL OF OBJECT TECHNOLOGY Online at www.jot.fm. Published by ETH Zurich, Chair of Software Engineering JOT, 2006 Vol. 5. No. 8, November-December 2006 Requirements Engineering Tasks Donald Firesmith,
More informationCriteria for Flight Project Critical Milestone Reviews
Criteria for Flight Project Critical Milestone Reviews GSFC-STD-1001 Baseline Release February 2005 Approved By: Original signed by Date: 2/19/05 Richard M. Day Director, Independent Technical Authority
More informationHardware in the Loop (HIL) Testing VU 2.0, 182.117, WS 2008/09
Testen von Embedded Systems Hardware in the Loop (HIL) Testing VU 2.0, 182.117, WS 2008/09 Raimund dkirner Testing Embedded Software Testing the whole system including the physical environment is not possible
More informationDesign Verification The Case for Verification, Not Validation
Overview: The FDA requires medical device companies to verify that all the design outputs meet the design inputs. The FDA also requires that the final medical device must be validated to the user needs.
More informationVirtual Platforms Addressing challenges in telecom product development
white paper Virtual Platforms Addressing challenges in telecom product development This page is intentionally left blank. EXECUTIVE SUMMARY Telecom Equipment Manufacturers (TEMs) are currently facing numerous
More informationBEST PRACTICE FOR THE DESIGN AND OPERATION OF HIGH HAZARD SITES
BEST PRACTICE FOR THE DESIGN AND OPERATION OF HIGH HAZARD SITES Lyn Fernie and Jo Fearnley AK EHS & Risk, Aker Kvaerner Engineering Services Ltd, Ashmore House, Stockton on Tees, TS18 3RE. The idea of
More informationApplying 4+1 View Architecture with UML 2. White Paper
Applying 4+1 View Architecture with UML 2 White Paper Copyright 2007 FCGSS, all rights reserved. www.fcgss.com Introduction Unified Modeling Language (UML) has been available since 1997, and UML 2 was
More informationGuidance Notes on Job Safety Analysis for the Marine and Offshore Industries
Guidance Notes on Job Safety Analysis for the Marine and Offshore Industries Outline What is Job Safety Analysis (JSA)? Why is JSA important to the marine and offshore industries? What is in the ABS GN
More informationF15. Towards a More Mature Test Process. Anne Mette-Hass. P r e s e n t a t i o n
Towards a More Mature Test Process Anne Mette-Hass International Conference On Software Testing, Analysis & Review November 19-23 Stockholm, Sweden P r e s e n t a t i o n F15 Friday 23rd November, 2001
More informationEffective Compliance. Selecting Solenoid Valves for Safety Systems. A White Paper From ASCO Valve, Inc. by David Park and George Wahlers
Effective Compliance with IEC 61508 When Selecting Solenoid Valves for Safety Systems by David Park and George Wahlers A White Paper From ASCO Valve, Inc. Introduction Regulatory modifications in 2010
More informationDesign of automatic testing tool for railway signalling systems software safety assessment
Risk Analysis VI 513 Design of automatic testing tool for railway signalling systems software safety assessment J.-G. Hwang 1, H.-J. Jo 1 & H.-S. Kim 2 1 Train Control Research Team, Korea Railroad Research
More informationRisk Management Procedure
Purpose of this document Develop and document procedures and work instructions for Risk Management to cover the project Stages set out in the Project Process Map. The purpose of this procedure is to identify
More informationSystem Requirement Checklist
System Requirement Checklist Page 1 System Requirement Checklist The System Requirement (SR) document template (IDA-MS-SR) provides guidance and template material for use by IDA projects in producing project-specific
More informationSoftware Development Processes. Software Life-Cycle Models. Process Models in Other Fields. CIS 422/522 Spring 1998 1
1 Software Development Processes Sequential, Prototype-based RAD, Phased, Risk-based Spiral (c) 1998 M Young CIS 422/522 1/10/99 1 Software Life-Cycle Models Breaking projects down into pieces for... Planning
More informationida.com excellence in dependable automation
IEC 61508 Maintenance Status IEC 61508 Maintenance Projekt ist aus dem zulässigen Zeitrahmen gelaufen Viele Baustellen auch durch neue Mitglieder (Frankreich, USA, IEC 61511 Team) Bestehende Anforderungen,
More informationCompliance ow - managing the compliance of dynamic and complex processes
Loughborough University Institutional Repository Compliance ow - managing the compliance of dynamic and complex processes This item was submitted to Loughborough University's Institutional Repository by
More informationHow to design safe machine control systems a guideline to EN ISO 13849-1
How to design safe machine control systems a guideline to EN ISO 13849-1 SP Technical Research Institute of Sweden Johan Hedberg Andreas Söderberg Jan Tegehall SP Electronics SP REPORT 2011:81 How to design
More informationSoftware Process for QA
Software Process for QA Basic approaches & alternatives CIS 610, W98 / M Young 1/7/98 1 This introduction and overview is intended to provide some basic background on software process (sometimes called
More informationPORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)
PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3) 1st February 2006 Version 1.0 1 P3M3 Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce This is a Value
More informationWhat is Functional Safety Management?
What is Functional Safety Management? This document gives a brief overview of what Functional Safety Management includes DISCLAIMER: Whilst every effort has been made to ensure the accuracy of the information
More informationObject Oriented Design
Object Oriented Design Kenneth M. Anderson Lecture 20 CSCI 5828: Foundations of Software Engineering OO Design 1 Object-Oriented Design Traditional procedural systems separate data and procedures, and
More informationIEC 61508 Functional Safety Assessment. ASCO Numatics Scherpenzeel, The Netherlands
IEC 61508 Functional Safety Assessment Project: Series 327 Solenoid Valves Customer: ASCO Numatics Scherpenzeel, The Netherlands Contract No.: Q09/04-59 Report No.: ASC 09-04-59 R003 V1 R3 61508 Assessment
More informationIntroduction to a Requirements Engineering Framework for Aeronautics
J. Software Engineering & Applications, 2010, 3, 894-900 doi:10.4236/jsea.2010.39105 Published Online September 2010 (http://www.scirp.org/journal/jsea) Introduction to a Requirements Engineering Framework
More informationThe Role of CM in Agile Development of Safety-Critical Software
The Role of CM in Agile Development of Safety-Critical Software Tor Stålhane1, Thor Myklebust 2 1 Norwegian University of Science and Technology, N-7491, Trondheim, Norway 2 SINTEF ICT, Strindveien 2,
More informationInternal Quality Management System Audit Checklist (ISO9001:2015) Q# ISO 9001:2015 Clause Audit Question Audit Evidence 4 Context of the Organization
Internal Quality Management System Audit Checklist (ISO9001:2015) Q# ISO 9001:2015 Clause Audit Question Audit Evidence 4 Context of the Organization 4.1 Understanding the organization and its context
More informationSoftware-based medical devices from defibrillators
C O V E R F E A T U R E Coping with Defective Software in Medical Devices Steven R. Rakitin Software Quality Consulting Inc. Embedding defective software in medical devices increases safety risks. Given
More informationA Methodology for Safety Case Development. Foreword
A Methodology for Safety Case Development Peter Bishop Adelard, London, UK Robin Bloomfield Adelard, London, UK Adelard Foreword This paper was presented in Industrial Perspectives of Safety-Critical Systems:
More informationTÜ V Rheinland Industrie Service
TÜ V Rheinland Industrie Service Business Area: Automation / Functional Safety Contact Minsung Lee +82-2-860-9969 mailto : minsung.lee@kor.tuv.com Sales Account Manager for Functional Safety Fax +82-2-860-9862
More informationSAFETY MANUAL SIL Switch Amplifier
PROCESS AUTOMATION SAFETY MANUAL SIL Switch Amplifier KCD2-SR-(Ex)*(.LB)(.SP), HiC282* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The General
More informationRisk Management Primer
Risk Management Primer Purpose: To obtain strong project outcomes by implementing an appropriate risk management process Audience: Project managers, project sponsors, team members and other key stakeholders
More informationSafety controls, alarms, and interlocks as IPLs
Safety controls, alarms, and interlocks as IPLs Angela E. Summers, Ph.D., P.E. SIS-TECH Solutions 12621 Featherwood Dr. Suite 120, Houston, TX 77034 Keywords: safety controls, alarms, interlocks, SIS,
More information