Approval of Software & Specification of Software Presentation at Banekonferencen 05-05-2015

Approval of Software & Specification of Software Presentation at Banekonferencen 05-05-2015 15-05-07

Background of the speaker Troels Winther, TÜV-SÜD Danmark, Software CV Year Company Program Role SW language 1987-1990 Bombardier Sternol Programmør C 1991-1997 Bombardier Ebilock 850 Test Integrator Assembler 1997-2000 Chartec up, Motorola Project Manager C / embedded 2000-2003 KMS VisIT Programmør Pascal/C++ Windows 2003-2006 Det Norske Veritas -- Assessor Member WG EN50128:2011 2006-2013 Atkins/DSB Safety Departm. SW-approvals 2014 - Current TÜV-SÜD Danmark -- Assessor SW-approvals

CMS assessor Software error SIL2 in TCMS Hardware SIL3 Emergency fail (pushbutton) AND Hazard Train can not brake Collision Software SW-assessor, Report about SIL2 fullfilment Train computer CMS assessor - SVR 5/7/2015 3

EN50126-suiten EN50126 (Safety Management) EN50129 (Safety case, SIL-determination) EN50128 (Software) EN50155 (Equipment) EN50121 (EMC and noise) Safety concerns functions: The two most important? Rolling stock: Emergency brake Fire Detection Equipment Pass. Information System Infrastructure: Driving permit Allowed track speed Train Dispatching (TMS)

About TÜV-SÜD - European capacity 1/2 Mail-answer from Dr. Jan Richard, Zurich, concerning EN50128 and TSI: To my understanding, the TSI CCS itself do not have any requirement to SW The TSI CCS contains requirements to so called Interoperability Constituents. Such an IC can be a SW module or SW application The interoperability relevant requirements are given on a functional and system level, refer to Annex A TSI CCS is referring to mandatory EN norms as well This EN norms then contain requirements regarding the development and manufacturing of SW (especially EN50128) Chapter 6.2.3 of TSI CCS is stating some requirements regarding the assessment of ICs

About TÜV-SÜD - European capacity 2/2 6.1.2: Uanset hvilket modul der er valgt, gælder bestemmelserne i bilag A, indeks 47, indeks A1, indeks A2..der er underlagt kravene i grundparameteren sikkerhed

Software 1/6 As media About software: Software is a physical file with billions of 0- og 1-numbers Software is help- and useless without hardware to execute the software Software is made by many people, who don t know each other => Not suited for approval EN50128 definition 3.1.31 software intellectual creation comprising the programs, procedures, rules, data and any associated documentation pertaining to the operation of a system 3.1.32 software baseline complete and consistent set of source code, executable files, configuration files, installation scripts and documentation that are needed for a software release. Information about compilers, operating systems, preexisting software and dependent tools is stored as part of the baseline. This will enable the organisation to reproduce defined versions and be the input for future releases at enhancements or at upgrade in the maintenance phase

Software 2/6 Function IF Button = 001 AND Data = 011 THEN Colour on screen = 101 ELSE Relay pulls = 111 Push button 001.. IF Colour on screen 101.. Detect smoke 0101.. AND THEN Gate opens 000.. Data-file 011.. ELSE Relay pulls 111..

Software 3/6 Input/outputs Push button 001.. Detect smoke 0101.. Colour on screen 101.. Gate opens 000.. Data-file 00 el. 01 Relay pulls 111..

Software 5/6 Component testing Push button 0, 1 1 2 Colour on screen 101.. Detect smoke 0101.. 6 5 4 3 Gate opens 000.. Data-file 00, 01, 10, 11 Data Button 0 Component test 00 01 10 11 1 2 Relay pulls 111.. 1 5 3 6 4 Is it a software change, when data is changed?

Software 6/6 - Arkitecture Push button 0, 1 Detect smoke 0101.. Data-file 00, 01, 10, 11 Tool 2 Datagenerering Compon 1 3 2 Compon. 4 Library 1 Component 5 COTS-code from industry 1 Component 2 Newly developed code Component 3 Old code from mother company Component 6 Hardware micro code Tool 1 Linker det hele sammen til en fil Colour on screen 101.. Gate opens 000.. Relay pulls 111.. Install-fil 0101..

Pandoras box for infra structure Set train route 0, 1 Train detection 0101.. Comp. 1 3 2 1 1 TMS Train drives 101.. Global Stop 000.. Data-file 00, 01, 10, 11 Balise ERTMS 111.. GSM-R Radio block Tool 2 Datagenerering Tool 1 Transmission chanels ERTMS. Level 2 0101..

CSM Where is the system? Push button 001.. Smoke detection 0101.. C1 C4 C2 C3 C5 Colour on screen 101.. Gate opens 000.. Cause Hazard Consequence Risk Change is red dot SW failure - in green path, Gate is not opening Smoke poisoning => safety requirement: EN50128, SIL2

Difficult arguments The supplier sent two very competent guys. We where sitting all weekend together, fixing the bugs, testing the software, and now I am very confident that it works It is old software, the supplier say they can not fulfill EN50128 The changes are very small and does not concern the safety functions It is only data changes, the software has not been changed 5/7/2015 14

Approval & Specifying Independency Software requirements Tracability ISO9001 is basis Natural Language & Decision Tables 5/7/2015 15

Example from EN50128 om issue Test coverage Specification: The supplier is recommended to state test coverage Approval: The number gives confidence in approval the supplier knows what they are doing l 5/7/2015 16

Summary ISO9001 is basis Tracability Architecture Independency Validator Releases Natural Language & Decision Tables Configuration Management 5/7/2015 17

Final last words Var CSM_System: THandle; // Global variabel // This function decides whether Software in CSM-System is approved Function Software_Approved Boolean; Var Test_done, Proces_done: Boolean; Begin Result := False; If ((EN50128_followed = True) OR (Test_done = True AND Proces_done = True)) Then Begin If ISA_Report = SIL_Fulfilled Then Begin Result := True; end Else.To be done end; 5/7/2015 18

Q + A, Discussion 5/7/2015 19