STSARCES project - final report


This project responds to a dedicated call for research in support of European Standardisation issued by the « Standards, Measurement and Testing » Programme. STSARCES examines the validation of safety-related parts of control systems for machinery with regard to the problems raised by modern electronic and programmable electronic technologies. The research was carried out by 11 research organisations, notified bodies and manufacturers from 6 EU countries and addressed a range of related issues, including software and hardware validation, to assist in the development of prEN 954-2 "Safety of machinery, Safety related parts of control systems, part 2: validation".

This report develops a framework for harmonised validation procedures, which should be standardised by CEN/CENELEC. The methodology is based on the overall safety lifecycle concept of a system, which is still new in the machinery sector, and covers both hardware and software. A significant part of the report deals with the software lifecycle, since EN 954 does not develop it.

The Markov modelling approach, also innovative when applied to the machinery field, has proved very successful. The strong influence of diagnostic coverage could be demonstrated, and data on appropriate on-line test intervals for dedicated architectures, combined with realistic MTTF values, are provided and justified. This information gives fundamental advice to the system designer as well as hints to the persons carrying out the evaluations.

Care has been taken to avoid divergences from the requirements of IEC 61508, since this standard has basic safety publication status. As a positive consequence, STSARCES defines validation methods for Programmable Electronic Systems used for safety functions under both EN 954 and draft IEC 62061, a machinery application standard derived from IEC 61508. This allows credible and understandable links to be defined between categories (EN 954) and safety integrity levels, or SILs (draft IEC 62061). Such a link is indispensable during the design and development of machinery control circuits that combine components characterised by the category concept (mechanical, hydraulic, pneumatic, electro-mechanical) with PES, which are better characterised by the SIL concept.

To ensure wide acceptance by manufacturers, the almost definitive results were presented extensively on the occasion of the International Conference on « Safety of Industrial Automated Systems », Montreal, October 1999. Thanks to its Organising Committee, several sessions could be chaired by STSARCES members. The feedback obtained has influenced the presentation of this report, which is structured as a comprehensive guided tour through the lifecycle of systems, with the more detailed technical contributions moved to the annexes.


Annex 1    WP 1.1: Software engineering tasks - Case tools

Annex 2    WP 1.2: Software quality and safety requirements

Annex 3    WP 1.2: Guide to evaluating software quality and safety requirements

Annex 4    WP 1.2: Guide for the construction of software tests

Annex 5    WP 1.2: Common mode faults in safety systems

Annex 6    WP 2.1: Quantitative Analysis of Complex Electronic Systems using Fault Tree Analysis and Markov Modelling

Annex 7    WP 2.2: Methods for fault detection

Annex 8    WP 3.1: Safety Validation of Complex Components - Validation by Analysis

Annex 9    WP 3.2: Validation of complex components: Intercomparison black box/white box tests

Annex 10   WP 3.3: Safety Validation of Complex Components - Validation Tests

Annex 11   WP 4: Applicability of IEC 61508 & EN 954. Task 1: A study of the links and divergences between IEC 61508 and EN 954

Annex 12   WP 4: Task 2: Machine Validation Exercise

Annex 13   WP 4: Task 3: Design Process Analysis

Annex 14   WP 5: ASIC development and validation in safety components

1. INTRODUCTION

1.1. Objective

1.2. What are complex electronic systems?

1.3. Problems to solve

1.4. EN 954-1 & IEC 61508

1.5. View of test houses


2.1. Increasing use of CES for safety applications

2.2. Basis for the validation of CES


3.1. Introduction

3.1.1. The Overall Safety Lifecycle

3.1.2. The E/E/PES Safety Lifecycle

3.1.3. The Software Lifecycle
       Software V-lifecycle
       Software lifecycles: the Incremental lifecycle

3.1.4. Lifecycle Requirements

3.2. Specification

3.2.1. Specification procedure for safety software

3.2.2. Specification methods

3.2.3. Case tools for safety software specifications

3.3. Architecture

3.3.1. Designated CES Architectures for Machinery
       Role of Architectures for Safety Related Systems

3.3.2. Common Architectures for Machinery
       Single channel system without fault detection in accordance with category B or 1 of EN 954-1
       Single channel system with implemented tests in accordance with category 2 of EN 954-1
       Dual channel system with comparison in accordance with category 3 or 4 of EN 954-1
       Dual channel system in mixed technology in accordance with category 3 of EN 954-1
       Triple channel system with comparison in accordance with category 4 of EN 954-1

3.3.3. Designated architectures of CES for the machinery sector

3.3.4. Conclusions for designated CES Architectures for machinery

3.3.5. Influence of Software Architecture
       Architecture and Common Cause Mode Failures (CMF) and their appearance mechanism
       Diversity
       Recovery Blocks
       N-version programming

3.3.6. Key Questions for Software Fault Avoidance through Architecture
       Software specifications
       Software design
       Software coding

3.4. Design and development

3.4.1. Software
       Software with system architecture that can be parametrized by the user
       Software design
       Languages
       Coding

3.4.2. Fault detection in microcomputer hardware
       Coverage to detect faults
       Integrated Circuits: ASICs (model, flow, experience)

3.5. Validation

3.5.1. Introduction

3.5.2. Validation process by analysis methods

3.5.3. Verification and validation of software
       Characteristics of safety software
       Safety software verification and validation
       Requirements of software verification
       Test requirements of critical software
       Validation and validation procedure

3.5.4. Validation of hardware
       Validation of fault detection principles
       Validation tests


4.1. Introduction

4.2. Common requirements & differences between EN 954-1 and IEC 61508

4.3. Practical difficulties encountered during machine validation using the EN 954-1 & IEC 61508 standards

4.3.1. Selection of the machine and safety-related control system to be validated

4.3.2. Hazardous events considered

4.3.3. Matters arising from the application of EN 954-1

4.3.4. Matters arising from the application of IEC 61508

4.4. Conclusions from the machine safety-related control system validation exercise

4.5. Techniques & measures for machine validation

5. USER'S GUIDE - DISCUSSION

5.1. Validation methodology for SRCES

5.2. What we cannot answer

6. CONCLUSIONS

6.1. Contribution of STSARCES to EN 954

6.2. Contribution of STSARCES to IEC 62061

6.3. Experience exchange between partners for validation of complex electronic systems for machinery

6.4. Validation of the project by external manufacturers