Safety-related application software

When developing application SW, it is preferable to separate SW performing non-safety basic machine functions from safety related functions. Where the software performs both non-safety and safety functions, then all the software shall be treated as safety related.

Configuration management processes and modifications management processes shall be defined and documented.

Software configuration management shall allow a precise and unique software version.

Modifications or changes to SW shall be subject to an impact analysis that identifies all software parts affected and the necessary re-design, re-review and re-test activities to confirm that the relevant software safety requirements are still satisfied.

The Standard describes two different levels of application software: SW level 1 and SW level 2. SW level 3 is not addressed in this Standard.

SW Level 1

This is application software that uses a limited variability language (LVL), because it is built from pre-designed hardware and software modules. Examples of systems using LVL: a safety PLC with LVL or a safety programmable relay.

The following languages are LVL: ladder diagram, function block diagram and sequential function chart.

Clause 8.3 of the standard gives detailed requirements regarding the SW safety life cycle, SW design, Module design, coding, testing, modification management and documentation.

Software safety requirements specification shall be developed for each subsystem based on the SCS specification and architecture, documented, and managed throughout the lifecycle of the SCS.

A SW safety lifecycle model like the simplified V-model can be used.

Fig. 15 – V-model for SW Level 1

The left side represents requirements, i.e., things to achieve. The right side details testing of the software.

The output of each phase shall be checked against the requirements of the input of the same phase.

It is recommended to use pre-designed approved software modules wherever possible; if the library modules provided by the manufacturer are not satisfactory, customized software modules can also be developed according to this simplified V-model.

Each module which was not previously assessed shall be tested against the test cases. Software testing shall include failure simulation and the associated failure reaction depending on the required safety integrity.

SW Level 2

Software Level 2 is introduced to support Full Variability Language (FVL). Example of systems using FVL: Safety PLC with FVL complying with this Standard.

The following languages are FVL: Ada, C, Pascal, Instruction List, assembler languages, C++, Java, and SQL.

The maximum achievable SIL for SW level 2 is SIL 2.

SW level 2 is of increased complexity in comparison with SW level 1 due to the use of fully variable programming languages. Therefore, a more detailed V-model shall be used.

Fig. 16 – V-model of software safety lifecycle for SW level 2

The left side represents requirements, i.e., things to achieve. The right side details testing of the software.

Clause 8.4 of the standard gives detailed requirements regarding the SW safety life cycle, SW design, Module design, coding, testing, modification management and documentation.

The design shall include self-monitoring of control flow and data flow appropriate to the SIL of the SCS.

The inputs of the software design specification must be related in a straightforward manner to the desired outputs and vice versa.

The SW system design shall follow a modular approach with a limited module size, a fully defined interface and one entry/one exit point in subroutines and functions. Each module shall have a single, clearly understood function. The maximum module size shall be limited to one complete safety function.
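As an added example (not from the Standard or from this page), a C sketch of what the self-monitoring and the one entry/one exit rule from the paragraphs above can look like in an FVL program: a two-channel e-stop evaluation whose safety-related inputs carry an inverse copy (data flow monitoring) and whose checkpoints add up to a signature verified at the single exit point (control flow monitoring). The function names, checkpoint constants and result codes are assumptions for the illustration.

```c
#include <stdint.h>

/* Result of one cycle of the constructed safety function. */
typedef enum { SF_OUTPUT_ENABLED = 0, SF_SAFE_STATE = 1, SF_FAULT = 2 } sf_result_t;

/* Safety-related input stored together with its bitwise inverse.
   Data flow monitoring: the pair must stay consistent between writer and reader. */
typedef struct {
    uint8_t value;    /* 1 = e-stop released, 0 = e-stop pressed */
    uint8_t inverse;  /* must always equal (uint8_t)~value */
} sf_input_t;

/* Control flow monitoring: each checkpoint adds a distinct constant and the
   sum is compared with the expected signature at the single exit point. */
#define CP_ENTRY     0x11u
#define CP_CHECKED   0x23u
#define CP_EVALUATED 0x45u
#define CP_EXPECTED  (CP_ENTRY + CP_CHECKED + CP_EVALUATED)

static int sf_input_consistent(const sf_input_t *in)
{
    return in->inverse == (uint8_t)~in->value;
}

/* Two-channel e-stop evaluation: one entry, one exit, fail-safe default. */
sf_result_t sf_evaluate_estop(const sf_input_t *ch1, const sf_input_t *ch2)
{
    sf_result_t result = SF_FAULT;   /* released only if monitoring passes */
    uint32_t flow = 0;

    flow += CP_ENTRY;
    if (sf_input_consistent(ch1) && sf_input_consistent(ch2)) {
        flow += CP_CHECKED;
        /* Both channels must agree that the e-stop is released; any
           discrepancy or a pressed button demands the safe state. */
        result = (ch1->value == 1u && ch2->value == 1u) ? SF_OUTPUT_ENABLED
                                                        : SF_SAFE_STATE;
        flow += CP_EVALUATED;
    }
    /* A skipped checkpoint (corrupted data or disturbed program flow)
       leaves the signature incomplete, and the fault result wins. */
    if (flow != CP_EXPECTED) {
        result = SF_FAULT;
    }
    return result;
}
```

A damaged inverse copy passed to the function is the kind of failure simulation the testing paragraphs call for: the expected reaction is SF_FAULT rather than an enabled output.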

Where previously developed software library modules are to be used as part of the design, their suitability in satisfying the safety requirement specifications of the SW shall be demonstrated.

Integration test cases of the SW shall be performed and documented.

Software testing shall also include failure simulation and the related failure reaction. Functional testing as a basic measure shall be applied. Code should be tested by simulation where feasible.

Testing of software includes two types of activity: both static analysis and dynamic analysis shall be performed.

SW level 3

For application SW compliant with SIL 3, IEC 61508-3 must be applied.

A high level of competence is required to design according to SW level 3. Factors that make the use of IEC 61508-3 for SW level 3 more appropriate than the use of SW level 2 are:

  • High degree of complexity of the safety function
  • Large number of safety functions
  • Large project size.