Approval of Software & Specification of Software Presentation at
Approval of Software & Specification of Software Presentation at ’Banekonferencen’ 05-05-2015 15-05-07 Background of the speaker Troels Winther, TÜV-SÜD Danmark, Software CV Year Company Program Role SW language 1987-1990 Bombardier Sternol Programmør C 1991-1997 Bombardier Ebilock 850 Test Integrator Assembler 1997-2000 Chartec uP, Motorola Project Manager C / embedded 2000-2003 KMS VisIT Programmør Pascal/C++ Windows 2003-2006 Det Norske Veritas -- Assessor Member WG EN50128:2011 2006-2013 Atkins/DSB Safety Departm. SW-approvals 2014 - Current TÜV-SÜD Danmark Assessor SW-approvals -- CMS assessor Hazard SIL2 Software error in TCMS HardwareSIL3 Emergency fail (pushbutton) Train can not brake Collision AND Software SW-assessor, Train computer Report about SIL2 fullfilment CMS assessor - SVR 5/7/2015 3 EN50126-suiten • EN50126 (Safety Management) • EN50129 (Safety case, SIL-determination) • EN50128 (Software) • EN50155 (Equipment) • EN50121 (EMC and noise) Safety concerns functions: The two most important? Rolling stock: Infrastructure: Emergency brake Driving permit Fire Detection Equipment Pass. Information System Allowed track speed Train Dispatching (TMS) About TÜV-SÜD - European capacity 1/2 Mail-answer from Dr. Jan Richard, Zurich, concerning EN50128 and TSI: •To my understanding, the TSI CCS itself do not have any requirement to SW •The TSI CCS contains requirements to so called “Interoperability Constituents”. Such an IC can be a SW module or SW application •The interoperability relevant requirements are given on a functional and system level, refer to Annex A •TSI CCS is referring to mandatory EN norms as well •This EN norms then contain requirements regarding the development and manufacturing of SW (especially EN50128) •Chapter 6.2.3 of TSI CCS is stating some requirements regarding the assessment of ICs About TÜV-SÜD - European capacity 2/2 6.1.2: Uanset hvilket modul der er valgt, gælder bestemmelserne i bilag A, indeks 47, indeks A1, indeks A2 ..der er underlagt kravene i grundparameteren sikkerhed Software 1/6 – As media About software: • Software is a physical file with billions of 0- og 1-numbers • Software is help- and useless without hardware to execute the software • Software is made by many people, who don’t know each other • => Not suited for approval EN50128 definition • 3.1.31 software intellectual creation comprising the programs, procedures, rules, data and any associated documentation pertaining to the operation of a system • 3.1.32 software baseline complete and consistent set of source code, executable files, configuration files, installation scripts and documentation that are needed for a software release. Information about compilers, operating systems, preexisting software and dependent tools is stored as part of the baseline. This will enable the organisation to reproduce defined versions and be the input for future releases at enhancements or at upgrade in the maintenance phase Software 2/6 – Function IF ’Button’ = 001 AND Data = 011 THEN ’Colour on screen’ = 101 ELSE ’Relay pulls’ = 111 Push button 001.. Colour on screen 101.. IF Gate opens Detect smoke 0101.. 000.. AND THEN Relay pulls Data-file 011.. ELSE 111.. Software 3/6 – Input/outputs Push button 001.. Detect smoke 0101.. Data-file 00 el. 01 Colour on screen 101.. Gate opens 000.. Relay pulls 111.. Software 5/6 – Component testing Push button Colour on screen 101.. 1 2 0, 1 Detect smoke 0101.. 3 6 5 Gate opens 000.. 4 Component test Data-file 00, 01, 10, 11 Data Button 0 1 00 01 10 1 5 11 Relay pulls 111.. 2 3 6 4 Is it a software change, when data is changed? Software 6/6 - Arkitecture Push button 0, 1 Detect smoke 0101.. Data-file 00, 01, 10, 11 Tool 2 Datagenerering 1 Component 2 Newly developed code Compon 12 3 Compon. 4 Library 1 Component 3 Old code from mother company Component 5 COTS-code from industry Colour on screen 101.. Gate opens 000.. Relay pulls 111.. Component 6 Hardware micro code Tool 1 ’Linker’ det hele sammen til en fil Install-fil 0101.. Pandoras box for infra structure Set train route 0, 1 Train detection 0101.. Data-file 00, 01, 10, 11 1 Comp. 1 2 3 TMS Global ’Stop’ 1 Balise Train drives 101.. 000.. ERTMS 111.. GSM-R Tool 2 Datagenerering Radio block Tool 1 Transmission chanels ERTMS. Level 2 0101.. CSM – Where is the system? Push button 001.. C1 C2 Smoke detection 0101.. C3 Colour on screen 101.. Gate opens C5 C4 Cause Hazard Consequence Risk Change is red dot SW failure in green path, Gate is not opening Smoke poisoning => safety requirement: EN50128, SIL2 000.. Difficult arguments ”The supplier sent two very competent guys. We where sitting all weekend together, fixing the bugs, testing the software, and now I am very confident that it works” ”It is old software, the supplier say they can not fulfill EN50128” ”The changes are very small and does not concern the safety functions” ”It is only data changes, the software has not been changed” 5/7/2015 14 Approval & Specifying Independency Software requirements Tracability ISO9001 is basis Natural Language & Decision Tables 5/7/2015 15 Example from EN50128 om issue ’Test coverage’ Specification: The supplier is recommended to state test coverage Approval: The number gives confidence in approval – the supplier knows what they are doing l 5/7/2015 16 Summary •ISO9001 is basis •Tracability •Architecture •Independency •Validator Releases •Natural Language & Decision Tables •Configuration Management 5/7/2015 17 Final last words Var CSM_System: THandle; // Global variabel // This function decides whether Software in CSM-System is approved Function Software_Approved Boolean; Var Test_done, Proces_done: Boolean; Begin Result := False; If ((EN50128_followed = True) OR (Test_done = True AND Proces_done = True)) Then Begin If ISA_Report = SIL_Fulfilled Then Begin Result := True; end Else ….To be done end; 5/7/2015 18 Q + A, Discussion 5/7/2015 19
© Copyright 2024