STSARCES project - final report

Summary

This project responds to a dedicated call for research in support of European Standardisation issued by the « Standard, Measurement and Testing » Programme. STSARCES examines the validation aspects of safety-related parts of control systems for machinery with regard to the problems encountered with modern electronic and programmable electronic technologies. This research was carried out by 11 research organisations, notified bodies and manufacturers from 6 EU countries, across a range of related issues including software and hardware validation, to assist in the development of prEN 954-2 “Safety of machinery, Safety related parts of control systems, Part 2: Validation”.

This report develops a framework for harmonised validation procedures, which should be standardised by CEN/CENELEC. The methodology is based on the overall safety lifecycle concept of a system, which is quite new in the machinery sector, and covers both hardware and software. A significant part of the report deals with the software lifecycle, since it is not developed in EN 954.

The Markov modelling approach, also innovative when applied to the machinery sector, has proved very successful. The strong influence of the diagnostic coverage could be demonstrated, and data on appropriate on-line test intervals for dedicated architectures, combined with realistic MTTF values, are provided and justified. This information provides fundamental advice for the system designer as well as hints for the persons carrying out the evaluations.

Attention has been paid to avoiding divergences from the requirements of IEC 61508, since this standard has basic safety publication status. As a positive consequence, STSARCES determines the validation methods for Programmable Electronic Systems used for safety functions in both EN 954 and draft IEC 62061, a machinery application standard derived from IEC 61508. This allows credible and understandable links to be defined between categories (EN 954) and safety integrity levels, or SILs (draft IEC 62061). Such a connection is indispensable during the design and development of machinery control circuits that combine components based on the category concept (mechanical, hydraulic, pneumatic, electro-mechanical) with PES, which are better characterised by the SIL concept.

An extensive presentation of the almost definitive results, intended to ensure their wide acceptance by manufacturers, was given at the International Conference on « Safety of Industrial Automated Systems », Montreal, October 1999. Thanks to its Organising Committee, several sessions could be chaired by STSARCES members. The feedback obtained has influenced the presentation of this report, which is structured as a comprehensive guided tour through the lifecycle of systems, with the more detailed technical contributions transferred to the annexes.

Annex 1   WP 1.1 : Software engineering tasks - Case tools

Annex 2   WP 1.2 : Software quality and safety requirements

Annex 3   WP 1.2 : Guide to evaluating software quality and safety requirements

Annex 4   WP 1.2 : Guide for the construction of software tests

Annex 5   WP 1.2 : Common mode faults in safety systems

Annex 6   WP 2.1 : Quantitative Analysis of Complex Electronic Systems using Fault Tree Analysis and Markov Modelling

Annex 7   WP 2.2 : Methods for fault detection

Annex 8   WP 3.1 : Safety Validation of Complex Components - Validation by Analysis

Annex 9   WP 3.2 : Validation of complex components : Intercomparison black box/white box tests

Annex 10  WP 3.3 : Safety Validation of Complex Components - Validation Tests

Annex 11  WP 4 : Applicability of IEC 61508 & EN 954. Task 1 : A study of the links and divergences between IEC 61508 and EN 954.

Annex 12  WP 4 : Task 2 : Machine Validation Exercise

Annex 13  WP 4 : Task 3 : Design Process Analysis

Annex 14  WP 5 : ASIC development and validation in safety components


1. INTRODUCTION

1.1. Objective

1.2. What are complex electronic systems?

1.3. Problems to solve

1.4. EN 954-1 & IEC 61508

1.5. View of test houses

2. ANALYSIS OF PRESENT SITUATION

2.1. Increasing use of CES for safety applications

2.2. Basis for the validation of CES

3. ACHIEVING SAFETY BY FOLLOWING THE LIFE CYCLE

3.1. Introduction

3.1.1. The Overall Safety Lifecycle

3.1.2. The E/E/PES Safety Lifecycle

3.1.3. The Software Lifecycle

3.1.3.1. The software V-lifecycle

3.1.3.2. Other software lifecycles : the Incremental lifecycle

3.1.4. Lifecycle Requirements

3.2. Specification

3.2.1. Specification procedure for safety software

3.2.2. Specification methods

3.2.3. Case tools for safety software specifications

3.3. Architecture

3.3.1. Designated CES Architectures for Machinery

3.3.1.1. The Role of Architectures for Safety Related Systems

3.3.2. Common Architectures for Machinery

3.3.2.1. Single channel system without fault detection in accordance with category B or 1 of EN 954-1

3.3.2.2. Single channel system with implemented tests in accordance with category 2 of EN 954-1

3.3.2.3. Dual channel system with comparison in accordance with category 3 or 4 of EN 954-1

3.3.2.4. Dual channel system in mixed technology in accordance with category 3 of EN 954-1

3.3.2.5. Triple channel system with comparison in accordance with category 4 of EN 954-1

3.3.3. Designated architectures of CES for the machinery sector

3.3.4. Conclusions for designated CES Architectures for machinery

3.3.5. Influence of Software Architecture

3.3.5.1. Software Architecture and Common Cause

3.3.5.2. Common Mode Failures (CMF) and their appearance mechanism

3.3.5.3. Software Diversity

3.3.5.4. Recovery Blocks

3.3.5.5. N-version programming

3.3.6. Key Questions for Software Fault Avoidance through Architecture

3.3.6.1. Software specifications

3.3.6.2. Software Design

3.3.6.3. Software coding

3.4. Design and development

3.4.1. Software

3.4.1.1. Interface with system architecture

3.4.1.2. Software that can be parametrised by the user

3.4.1.3. Pre-existing software

3.4.1.4. Software design

3.4.1.5. Development languages

3.4.1.6. Software coding

3.4.2. Fault detection in microcomputer hardware

3.4.2.1. Diagnostic coverage

3.4.2.2. Methods to detect faults

3.4.2.3. Requirements

3.4.2.3.1. Complex Integrated Circuits

3.4.2.3.2. Technology

3.4.2.3.3. Faults in ASICs

3.4.2.3.4. Phase model

3.4.2.3.5. Design Flow

3.4.2.3.6. Field experience

3.5. Validation

3.5.1. Introduction

3.5.2. Validation process

3.5.2.1. Validation by analysis

3.5.2.2. Testing methods

3.5.3. Verification and validation of software

3.5.3.1. Presentation

3.5.3.1.1. Specific characteristics of safety software

3.5.3.1.2. Evaluating safety software

3.5.3.1.3. Software verification and validation requirements

3.5.3.2. Verification of software

3.5.3.2.1. Presentation

3.5.3.2.2. Software verification requirements

3.5.3.2.3. Software test requirements

3.5.3.3. Validation of critical software

3.5.3.3.1. Methods of validation

3.5.3.3.2. Specification and validation procedure

3.5.4. Validation of hardware

3.5.4.1. Validation of fault detection principles

3.5.4.2. HW validation tests

4. APPLICABILITY OF EN 954 AND IEC 61508 TO THE MACHINERY SECTOR

4.1. Introduction

4.2. Common requirements & differences between EN 954-1 and IEC 61508

4.3. Practical difficulties encountered during machine validation using the EN 954-1 & IEC 61508 standards

4.3.1. Selection of the machine and safety-related control system to be validated

4.3.2. Hazardous events considered

4.3.3. Matters arising from the application of EN 954-1

4.3.4. Matters arising from the application of IEC 61508

4.4. Conclusions from machine safety-related control system validation exercise

4.5. Techniques & measures for machine validation

5. USER'S GUIDE - DISCUSSION

5.1. Validation methodology for SRCES

5.2. What we cannot answer

6. CONCLUSIONS

6.1. Contribution of STSARCES to EN 954

6.2. Contribution of STSARCES to IEC 62061

6.3. Experience exchange between partners for validation of complex electronic systems for machinery

6.4. Validation of the project by external manufacturers