Software Development of Safety- Critical Railway Systems

Similar documents
Overview of IEC Design of electrical / electronic / programmable electronic safety-related systems

Software in safety critical systems

IEC Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter.

Design of automatic testing tool for railway signalling systems software safety assessment

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

Lecture 1: Introduction

Controlling Risks Safety Lifecycle

Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development

IEC Overview Report

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Reduce Medical Device Compliance Costs with Best Practices.

CSE 307: Principles of Programming Languages

ATSBA: Advanced Technologies Supporting Business Areas. Programming with Java. 1 Overview and Introduction

Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme

MODELLING A RAILWAY SIGNALLING SYSTEM USING SDL

Volume I, Section 4 Table of Contents

Software development life cycle. Software Engineering - II ITNP92 - Object Oriented Software Design. Requirements. Requirements. Dr Andrea Bracciali

CASS TEMPLATES FOR SOFTWARE REQUIREMENTS IN RELATION TO IEC PART 3 SAFETY FUNCTION ASSESSMENT Version 1.0 (5128)

Implementation of ANSI/AAMI/IEC Medical Device Software Lifecycle Processes.

Failure Mode and Effect Analysis. Software Development is Different

Introducing Formal Methods. Software Engineering and Formal Methods

Hardware safety integrity Guideline

Certification Authorities Software Team (CAST) Position Paper CAST-13

Programming Languages

HS line TSI Conformity Certification and Safety Assessment

CSCI 3136 Principles of Programming Languages

Software Engineering. Software Processes. Based on Software Engineering, 7 th Edition by Ian Sommerville

RAMS Software Techniques in European Space Projects

Fourth generation techniques (4GT)

On the Method of Ignition Hazard Assessment for Explosion Protected Non-Electrical Equipment

Railway Business Strategy and R&D in Europe

Real Time Programming: Concepts

ida.com excellence in dependable automation

LSST Hazard Analysis Plan

Developing software which should never compromise the overall safety of a system

Version: 1.0 Latest Edition: Guideline

Instructor Özgür ZEYDAN BEU Dept. of Enve. Eng. CIV 112 Computer Programming Lecture Notes (1)

Software testing. Objectives

Chapter 13: Program Development and Programming Languages

Javadoc like technical documentation for CAPRI

Nuclear Safety Council Instruction number IS-19, of October 22 nd 2008, on the requirements of the nuclear facilities management system

CSC Software II: Principles of Programming Languages

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

SAFETY MANUAL SIL RELAY MODULE

Medical Device Software Standards for Safety and Regulatory Compliance

TMT SOFTWARE REQUIREMENTS FOR LOW-LEVEL SUBSYSTEMS

MICHIGAN TEST FOR TEACHER CERTIFICATION (MTTC) TEST OBJECTIVES FIELD 050: COMPUTER SCIENCE

Introduction into IEC Software life cycle for medical devices

The EMSX Platform. A Modular, Scalable, Efficient, Adaptable Platform to Manage Multi-technology Networks. A White Paper.

Software Design. Design (I) Software Design Data Design. Relationships between the Analysis Model and the Design Model

Safety Regulation Group SAFETY MANAGEMENT SYSTEMS GUIDANCE TO ORGANISATIONS. April

ISMS Implementation Guide

IEC Functional Safety Assessment. ASCO Numatics Scherpenzeel, The Netherlands

Chapter 12 Programming Concepts and Languages

Introduction to Automated Testing

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Safety critical software and development productivity

Programming Languages

Systems Assurance Management in Railway through the Project Life Cycle

Manufacturing View. User View. Product View. User View Models. Product View Models

COMP 356 Programming Language Structures Notes for Chapter 10 of Concepts of Programming Languages Implementing Subprograms.

Clinical Risk Management: Agile Development Implementation Guidance

Applying 4+1 View Architecture with UML 2. White Paper

Common Safety Method for risk evaluation and assessment

CHAPTER 1 ENGINEERING PROBLEM SOLVING. Copyright 2013 Pearson Education, Inc.

A System-safety process for by-wire automotive systems

SOFTWARE-IMPLEMENTED SAFETY LOGIC Angela E. Summers, Ph.D., P.E., President, SIS-TECH Solutions, LP

Safety Management Systems (SMS) guidance for organisations

D6 INFORMATION SYSTEMS DEVELOPMENT. SOLUTIONS & MARKING SCHEME. June 2013

ESKITP5023 Software Development Level 3 Role

Topics. Introduction. Java History CS 146. Introduction to Programming and Algorithms Module 1. Module Objectives

Chapter 13 Computer Programs and Programming Languages. Discovering Computers Your Interactive Guide to the Digital World

An Easier Way for Cross-Platform Data Acquisition Application Development

To introduce software process models To describe three generic process models and when they may be used

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University

OKLAHOMA SUBJECT AREA TESTS (OSAT )

REQUIREMENTS OF SAFETY MANAGEMENT SYSTEM

Space project management

find model parameters, to validate models, and to develop inputs for models. c 1994 Raj Jain 7.1

Experience with Safety Integrity Level (SIL) Allocation in Railway Applications

Value Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity

Objectives. Distributed Databases and Client/Server Architecture. Distributed Database. Data Fragmentation

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

Building Reusable Software Component For Optimization Check in ABAP Coding

CSE4213 Lecture Notes

Open EMS Suite. O&M Agent. Functional Overview Version 1.2. Nokia Siemens Networks 1 (18)

Design methods. List of possible design methods. Functional decomposition. Data flow design. Functional decomposition. Data Flow Design (SA/SD)

50 Computer Science MI-SG-FLD050-02

R214 SPECIFIC REQUIREMENTS: INFORMATION TECHNOLOGY TESTING LABORATORY ACCREDITATION PROGRAM

Basic Fundamentals Of Safety Instrumented Systems

Software Development Processes. Software Life-Cycle Models. Process Models in Other Fields. CIS 422/522 Spring

Software-based medical devices from defibrillators

SIL manual. Structure. Structure

1.1 WHAT IS A PROGRAMMING LANGUAGE?

1. Software Engineering Overview

Transcription:

Ada Europe 2015 / 24 th June 2015 Software Development of Safety- Critical Railway Systems siemens.com/answers

Summary 1. Main Standards 2. Basic Concepts Definition System Lifecycle 3. EN50128 Introduction Development Lifecycle Organization Features of ADA How does Ada help? Page 2

Chapter 1 MAIN STANDARDS siemens.com/answers

Main Standards CENELEC 50126:1999: Railway Applications Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Defines a process, based on the system life cycle and tasks within it, for managing RAMS. CENELEC 50128:2001 or 50128:2011: Railway Applications Communications, signalling and processing systems - Software for Railway Control and Protection Systems Specifies procedures and technical requirements for the development of programmable electronic systems for use in railway control and protection applications. CENELEC 50129:2003: Railway Applications Communications, signalling and processing systems - Safety Related Electronic Systems for Signalling Defines the conditions that shall be satisfied in order that a safety-related electronic railway system can be accepted as adequately safe for its intended application. Specifies procedures and information for identifying the credible failure modes of hardware components. The CEN and CENELEC trademarks and domain names are reserved for use by CEN and CENELEC and their respective Members in the promotion of their standardization activities and their deliverables and other services Page 4

Chapter 2 BASIC CONCEPTS siemens.com/answers

Basic Concepts: Definitions (I) Reliability: probability that an item can perform a required function under given conditions for a given time interval (t1, t2). Availability: ability of a product to be in a state to perform a required function under given conditions at a given instant of time or over a given time interval assuming that the required external resources are provided. Maintainability: probability that a given active maintenance action, for an item under given conditions of use can be carried out within a stated time interval when the maintenance is performed under stated conditions and using stated procedures and resources. Safety: freedom from unacceptable risk of harm. Page 6

Basic Concepts: Definitions (II) Hazard: physical situation with a potential for human injury and/or damage to environment. Risk: probable rate of occurrence of a hazard causing harm and the degree of severity of the harm. Frequency of occurrence Severity of a hazardous event Insignificant Marginal Critical Catastrophic Frequent Undesirable Intolerable Intolerable Intolerable Probable Tolerable Undesirable Intolerable Intolerable Frequency Occasional Tolerable Undesirable Undesirable Intolerable Remote Negligible Tolerable Tolerable Undesirable Improbable Negligible Negligible Tolerable Tolerable Incrededible Negligible Negligible Negligible Negligible Tolerable Hazard Rate (THR): A rate which guarantees that the resulting risk does not exceed a target individual risk. Page 7

Basic Concepts: Definitions (III) Safety Integrity Level (): classification number which determines the techniques and measures that have to be applied in order to reduce residual software faults to an appropriate level. THR per hour and per function Safety Integrity Level 10-9 THR < 10-8 4 10-8 THR < 10-7 3 10-7 THR < 10-6 2 10-6 THR < 10-5 1 Validation: activity of demonstration, by analysis and test, that the product meets, in all respects, its specified requirements. Verification: activity of determination, by analysis and test, that the output of each phase of the life-cycle fulfils the requirements of the previous phase. Page 8

Basic Concept: System Lifecycle (I) Sequence of phases, each containing tasks, covering the total life of a system. Provides a structure for planning, managing, controlling and monitoring all aspects of a system. Fundamental to the successful implementation of 50126 standard. Page 9

Basic Concept: System Life Cycle (I) 1. Concept Develop an initial understanding of the system. 2. System definition and application conditions Establish system mission profile. Define the boundary of the system. Establish the application conditions. Define the scope of system hazard analysis. Page 10

Basic Concept: System Life Cycle (II) 3. Risk Analysis Undertake project related risk analysis. 4. System requirements Specify system and its acceptance criteria. 5. Apportionment of system requirements Specify sub-system and component requirements and their acceptance criteria. Page 11

Basic Concept: System Life Cycle (III) 6. Design and implementation Perform design analysis and testing conforming to the requirements. Perform design conforming to the requirements. Perform implementation and validation conforming to the requirements. 7. Manufacturing Implement a manufacturing process. Manufacture and test sub-assembly of components. Page 12

Basic Concept: System Life Cycle (IV) 8. Installation Assemble and install the system. 9. System validation Validate the system and external risk reduction measures. Commission the system and external risk reduction measures. Prepare, and if appropriate accept, the Application Specific Safety Case for the system. 10. System acceptance Accept the system for entry into service. Page 13

Basic Concept: System Life Cycle (V) 11. Operation and maintenance Operate (within specified limits), maintain the system within RAMS requirements. 12. Performance monitoring Maintain confidence in the RAMS performance of the system. 13. Modification and retrofit Control system modification and retrofit tasks to maintain system RAMS requirements. 14. Decommissioning and disposal Control system decommissioning and disposal. Page 14

Chapter 3 EN50128 siemens.com/answers

EN50128: Introduction Objective Specifying procedures and technical requirements for the development of programmable electronic systems for use in railway control and protection applications Scope Applicable exclusively to software and the interaction between software and the system of which it is part: Application programming Operating system Support tools Firmware. Page 16

EN50128: Development Lifecycle and Documentation System Development Phase System Requirements Specification System Safety Requirements Specification System Architecture Description System Safety Plan Software Planning Phase Software Development Plan Software Quality Assurance Plan Software Config Management Plan Software Verification Plan Software Integration Test Plan Software/Hardware Integration Test Plan Software Validation Plan Software Maintenance Plan Software Maintenance Phase Software Maintenance Records Software Change Records Software Assessment Phase Software Assessment Report Software Requirements Specification Phase Software Requirement Specification Software Requirements Test Specification Software Requirements Verification Report Software Validation Phase Software Validation Report Sotfware Architecture & Design Phase Software Architecture Specification Software Design Specification SW Architecture and Design Verification Report Software Module Design Phase Software Module Design Specification Software Module Test Specification Software Module Verification Report Code Phase SW Source Code & Supporting Documentation Software Source Code Verification Report Software/Hardware Integration Phase Software/Hardware Integration Test Report Software Integration Phase Software Integration Test Report Software Module Testing Phase Software Module Test Report Objective Structure development into defined phases and activities. Recording evidences required by the external assessor. Page 17

EN50128: Organisation Organisation: 50128:2001 Organisation: 50128:2011 Page 18

EN50128: Features of ADA (I) Structured Programming paradigm aimed at improving the clarity, quality, and development time of a computer program by making extensive use of subroutines, block structures and for and while loops in contrast to using simple tests and jumps such as the goto statement. Statically Typed Process of verifying the type safety of a program based on analysis of the source code. If a program passes a static type-checker, then the program is guaranteed to satisfy some set of type-safety properties for all possible inputs. Strongly Typed Classify values and expression in types allowing interacting when they are the same type. Page 19

EN50128: Features of ADA (II) Imperative Focused on describing how a program operates. It expresses commands to take action. Wide-Spectrum Designed to be simultaneously a low-level (no abstraction from a computer's instruction set architecture) and a high-level language (strong abstraction from the details of the computer). Object-oriented Based on the concept of "objects", which are data structures that contain data, in the form of fields, often known as attributes; and code, in the form of procedures, often known as methods. Page 20

EN50128: How does ADA help (50128:2001)? (I) 1. ADA ADA is recommended. Selection subset of language. Definition of Coding Standard. Definition of Style Guide. TECHNIQUE/MEASURE SW0 SW1 SW2 SW3 1. ADA R HR HR R R 2. MODULA-2 R HR HR R R 3. PASCAL R HR HR R R 4. Fortran 77 R R R R R 5. 'C' o C++ (unrestricted) R - - NR NR 6. Subset of C or C++ with coding standards R R R R R SW4 7. PL/M R R R NR NR 8. BASIC R NR NR NR NR 9. Assembler R R R - - 10. Ladder Diagrams R R R R R 11. Functional Blocks R R R R R 12. Statement List R R R R R Requirements: 1. For software safety integrity levels 3 and 4, when a subset of languages 1, 2, 3 and 4 is used the recommendation changes to HR. 2. For certain applications, languages 7 and 8 may be the only ones available. For software safety integrity levels 3 and 4 where a HR option is not available, it is strongly recommended that there is a subset of these languages and a precise set of coding standards in order to raise the recommendation to R. 3. For information on assessing the suitability of a programming language, see entry in the bibliography for Suitable Programming Language, B.62. 4. If a specific language is not in the table, it is not automatically excluded. However, it should conform to B.62. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 21

EN50128: How does ADA help (50128:2001)? (II) 4. Modular Approach Object Oriented Language. Structured Language. 6. Analyzable Programs High Level Computer Programming Language. 7. Strongly Typed Programming Language Extremely Strong Typing Language. 8. Structured Programming Structured Language. 10. Language subset Coding Standard indicates subset. 11. Validated Translator Demonstrate with Ada Conformity Assessment Test Suite (ACATS). TECHNIQUE/MEASURE SW 0 SW 1 SW 2 SW 3 SW 4 1. Formal Methods, including CCS, CSP, HOL, - R R HR HR LOTOS, OBJ, Temporal Logic, VDM, Z and B, for instance. 2. Semi-Formal Methods R HR HR HR HR 3. Structured Methodology, including JSD, MASCOT, R HR HR HR HR SADT, SDL, SSADM and Yourdon, for instance. 4. Modular Approach HR M M M M 5. Design and Coding Standards HR HR HR M M 6. Analysable Programs HR HR HR HR HR 7. Strongly Typed Programming Language R HR HR HR HR 8. Structured Programming R HR HR HR HR 9. Programming Language R HR HR HR HR 10. Language Subset - - - HR HR 11. Validated Translator R HR HR HR HR 12. Translator Proven in Use HR HR HR HR HR 13. Library of Trusted/Verified Modules and R R R R R Components 14. Functional and Black-box Testing HR HR HR M M 15. Performance Testing - HR HR HR HR 16. Interface Testing HR HR HR HR HR 17. Data Recording and Analysis HR HR HR M M 18. Furry Logic - - - - - 19. Object Oriented Programming - R R R R Requirements: 1. A suitable set of techniques shall be chosen according to the software safety integrity level. 2. For software safety integrity levels 3 and 4, the approved set of techniques shall include one from techniques 1, 2 and 3, together with techniques 11 or 12. The remaining techniques shall still be treated according to their recommendation. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 22

EN50128: How does ADA help (50128:2001)? (III) 3. Absence Dynamic Objects 4. Absence Dynamic Variables 5. Limited Use of Pointers No generic, untyped pointers or implicitly declare any pointer. Coding Standard. TECHNIQUE/MEASURE SW 0 SW 1 SW 2 SW 3 1. Existence of Coding Standards HR HR HR HR HR 2. Coding Style Guide HR HR HR HR HR 3. Absence of Dynamic Objects - R R HR HR 4. Absence of Dynamic Variables - R R HR HR 5. Limited Use of Pointers - R R R R 6. Limited Use of Recursion - R R HR HR 7. Absence of Unconditional Branches - HR HR HR HR SW 4 Requirement: It s admitted that techniques 3 and 4 may be present as part of a validated compiler or translator. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 23

EN50128: How does ADA help (50128:2001)? (IV) 2. Information Hiding/Encapsulation Package Specification. Extremely Strong Typing. 3. Parameter Number Limit 4. One Entry/One Exit Point in Subroutines and Functions Coding Standard. 5. Fully Defined Interfaces Package Specification. TECHNIQUE/MEASURE SW0 SW1 SW2 SW3 1. Software Module Size Limit HR HR HR HR HR 2. Information Hiding/Encapsulation R HR HR HR HR 3. Parameter Number Limit R R R R R 4. One Entry/One Exit Point in Subroutines and Functions SW4 R HR HR HR HR 5. Fully Defined Interfaces HR HR HR M M Requirement: A suitable set of techniques shall be chosen according to the software safety integrity level. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 24

EN50128: How does ADA help (50128:2011)? (I) 1. ADA ADA is recommended. Selection subset of language. Definition of Coding Standard. Definition of Style Guide. TECHNIQUE/MEASURE SW0 SW1 SW2 SW3 1. ADA R HR HR HR HR 2. MODULA-2 R HR HR HR HR 3. PASCAL R HR HR HR HR 4. C or C++ R R R R R 5. PL/M R R R NR NR 6. BASIC R NR NR NR NR 7. Assembler R R R NR NR 8. C# R R R R R 9. Java R R R R R 10. Statement List R R R R R Requirements: SW4 1. The selection of the languages shall be based on the requirements given in 6.7 and 7.3. 2. There is no requirement to justify decisions taken to exclude specific programming languages. NOTE 1 For information on assessing the suitability of a programming language see entry in D.54 Suitable Programming Languages. NOTE 2 If a specific language is not in the table, it is not automatically excluded. It should, however, conform to D.54. NOTE 3 Run-time systems associated with selected languages which are necessary to run application programs should still be justified for usage according to the Software Safety Integrity Level. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 25

EN50128: How does ADA help (50128:2011)? (II) 4. Modular Approach Object Oriented Language. Structured Language. 7. Analyzable Programs High Level Computer Programming Language. 8. Strongly Typed Programming Language Extremely Strong Typing Language. 9. Structured Programming Structured Language. 11. Language subset Coding Standard indicates subset. 12. Object Oriented Programming Object Oriented Language. 13. Procedural Programming ADA use the concept of procedure call. Page 26 TECHNIQUE/MEASURE SW 0 SW 1 SW 2 SW 3 1. Formal Methods - R R HR HR 2. Modelling R HR HR HR HR 3. Structured Methodology R HR HR HR HR 4. Modular Approach HR M M M M 5. Components HR HR HR HR HR 6. Design and Coding Standards HR HR HR M M 7. Analysable Programs HR HR HR HR HR 8. Strongly Typed Programming Language R HR HR HR HR 9. Structured Programming R HR HR HR HR 10. Programming Language R HR HR HR HR 11. Language Subset - - - HR HR 12. Object Oriented Programming R R R R R 13. Procedural Programming R HR HR HR HR 14. Metaprogramming R R R R R SW 4 Requirements: 1. An approved combination of techniques for Software Safety Integrity Levels 3 and 4 is 4, 5, 6, 8 and one from 1 or 2. 2. An approved combination of techniques for Software Safety Integrity Levels 1 and 2 is 3, 4, 5, 6 and one from 8, 9 or 10. 3. Metaprogramming shall be restricted to the production of the code of the software source before compilation. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory

EN50128: How does ADA help (50128:2011)? (III) 3. Absence Dynamic Objects 4. Absence Dynamic Variables 5. Limited Use of Pointers No generic, untyped pointers or implicitly declare any pointer. Coding Standard. 7. No Unconditional Jumps 9. Entry/Exit Point Strategy 10. Limited Number of subroutine parameters 11. Limited Use of Global Data Coding Standard. TECHNIQUE/MEASURE SW0 SW1 SW2 SW3 SW4 1. Coding Standards HR HR HR HR HR 2. Coding Style Guide HR HR HR HR HR 3. No Dynamic Objects - R R HR HR 4. No Dynamic Variables - R R HR HR 5. Limited Use of Pointers - R R R R 6. Limited Use of Recursion - R R HR HR 7. No Unconditional Jumps - HR HR HR HR 8. Limited size and complexity of HR HR HR HR HR Functions, Subroutines and Methods 9. Entry/Exit Point strategy for Functions, Subroutines and Methods R HR HR HR HR 10. Limited number of subroutine R R R R R parameters 11.Limited use of Global Variables HR HR HR M M Requirement: It s admitted that techniques 3 and 4 may be present as part of a validated compiler or translator. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory Page 27

EN50128: How does ADA help (50128:2011)? (IV) 1. Information Hiding Package Specification. TECHNIQUE/MEASURE SW0 SW1 SW2 SW3 SW4 2. Information Encapsulation Package Specification. Extremely Strong Typing. 3. Parameter Number Limit Coding Standard. 1. Information Hiding HR HR HR HR HR 2. Information Encapsulation R HR HR HR HR 3. Parameter Number Limit R R R R R 4. Fully Defined Interfaces HR HR HR M M Requirement: 1) Information Hiding and encapsulation are only highly recommended if there is no general strategy for data access. NOTE Technique/measure 4 is for Internal Interfaces. NR=Not Recommended; H=Recommended; HR=High Recommended; M=Mandatory 4. Fully Defined Interfaces Package Specification. Page 28

THANK YOU VERY MUCH FOR YOUR ATTENTION Thank you for your attention Page 29

Contact page Javier Rodríguez de los Santos Mass Transit ATP Manager Siemens Rail Automation S.A.U. Spain /R&D Department C/ Ronda de Europa, 5 28760 Tres Cantos Madrid Phone: +91 678 98 80 E-mail:javier.rodriguez@siemens.com www.siemens.es Page 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information