Approval of Software & Specification of Software
Presentation at 'Banekonferencen'
05-05-2015
15-05-07
Background of the speaker
Troels Winther, TÜV-SÜD Danmark, Software CV

Year            Company             Program          Role                                  SW language
1987-1990       Bombardier          Sternol          Programmer                            C
1991-1997       Bombardier          Ebilock 850      Test Integrator                       Assembler
1997-2000       Chartec             uP, Motorola     Project Manager                       C / embedded
2000-2003       KMS                 VisIT            Programmer                            Pascal/C++ Windows
2003-2006       Det Norske Veritas  --               Assessor                              Member WG EN50128:2011
2006-2013       Atkins/DSB          Safety Departm.  SW-approvals
2014 - Current  TÜV-SÜD Danmark     --               Assessor, SW-approvals, CMS assessor
Hazard example (diagram):
Software error in TCMS (SIL2) AND Hardware emergency fail, pushbutton (SIL3) => Train can not brake => Collision
SW-assessor: Train computer, report about SIL2 fulfilment
CMS assessor: SVR
The EN50126 suite
• EN50126 (Safety Management)
• EN50129 (Safety case, SIL-determination)
• EN50128 (Software)
• EN50155 (Equipment)
• EN50121 (EMC and noise)
Safety concerns functions: The two most important?
Rolling stock: Emergency brake, Fire Detection Equipment, Pass. Information System
Infrastructure: Driving permit, Allowed track speed, Train Dispatching (TMS)
About TÜV-SÜD - European capacity 1/2
Mail answer from Dr. Jan Richard, Zurich, concerning EN50128 and TSI:
• To my understanding, the TSI CCS itself does not have any requirement to SW
• The TSI CCS contains requirements to so-called "Interoperability Constituents". Such an IC can be a SW module or SW application
• The interoperability relevant requirements are given on a functional and system level, refer to Annex A
• TSI CCS is referring to mandatory EN norms as well
• These EN norms then contain requirements regarding the development and manufacturing of SW (especially EN50128)
• Chapter 6.2.3 of TSI CCS is stating some requirements regarding the assessment of ICs
About TÜV-SÜD - European capacity 2/2
6.1.2: Regardless of which module is chosen, the provisions in Annex A, index 47, index A1, index A2 apply ..which are subject to the requirements of the basic parameter safety
Software 1/6 – As media
About software:
• Software is a physical file with billions of 0s and 1s
• Software is helpless and useless without hardware to execute it
• Software is made by many people, who don't know each other
• => Not suited for approval
EN50128 definition
• 3.1.31 software
intellectual creation comprising the programs, procedures, rules, data and any associated
documentation pertaining to the operation of a system
• 3.1.32 software baseline
complete and consistent set of source code, executable files, configuration files, installation
scripts and documentation that are needed for a software release. Information about
compilers, operating systems, preexisting software and dependent tools is stored as part of
the baseline. This will enable the organisation to reproduce defined versions and be the input
for future releases at enhancements or at upgrade in the maintenance phase
Software 2/6 – Function
Rule (diagram): IF 'Button' = 001 AND Data = 011 THEN 'Colour on screen' = 101 ELSE 'Relay pulls' = 111
Inputs: Push button 001.., Detect smoke 0101.., Data-file 011..
Outputs: Colour on screen 101.., Gate opens 000.., Relay pulls 111..
Software 3/6 – Input/outputs
Inputs: Push button 001.., Detect smoke 0101.., Data-file 00 or 01
Outputs: Colour on screen 101.., Gate opens 000.., Relay pulls 111..
Software 5/6 – Component testing
Component test (diagram): components 1-6 between inputs and outputs
Inputs: Push button 0, 1; Detect smoke 0101..; Data-file 00, 01, 10, 11
Outputs: Colour on screen 101..; Gate opens 000..; Relay pulls 111..
Test table over Data (00, 01, 10, 11) x Button (0, 1); the cells carry component numbers 1-6
Is it a software change, when data is changed?
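The component-test table above, worked through as an added example that is not part of the deck: the rule from slide 2/6 as a function, the full Data x Button table, the outputs that change when only the Data-file is swapped, and the outcome coverage a given test set achieves (the figure EN50128 recommends the supplier to state). The concrete values (Button 0/1, Data-file 00..11, the constant '01' standing in for the slide's 011) are assumptions constructed to match the slides.

```python
from itertools import product

# Value domains from slide 'Software 5/6' (constructed to match the deck).
BUTTON_VALUES = ("0", "1")              # push button: released / pressed
DATA_VALUES = ("00", "01", "10", "11")  # contents of the Data-file
COLOUR, RELAY = "colour_on_screen", "relay_pulls"  # outputs 101.. and 111..


def control_function(button: str, data: str) -> str:
    """Slide 2/6 rule: IF Button AND Data = <constant> THEN colour ELSE relay.
    The constant the Data-file is compared against is assumed to be '01'."""
    if button == "1" and data == "01":
        return COLOUR
    return RELAY


def decision_table() -> dict:
    """Exhaustive component test: every (Button, Data) cell of the 2x4 table."""
    return {(b, d): control_function(b, d)
            for b, d in product(BUTTON_VALUES, DATA_VALUES)}


def data_change_effect(old_data: str, new_data: str) -> dict:
    """Outputs that change when only the Data-file is swapped and the code is
    untouched. A non-empty result answers 'is a data change a software
    change?': the delivered function differs, so the data is part of the
    software baseline (EN50128 3.1.32)."""
    changed = {}
    for b in BUTTON_VALUES:
        before, after = control_function(b, old_data), control_function(b, new_data)
        if before != after:
            changed[b] = (before, after)
    return changed


def outcome_coverage(tests) -> float:
    """Share of the rule's two outcomes (THEN / ELSE) exercised by a set of
    (button, data) test cases."""
    seen = {control_function(b, d) for b, d in tests}
    return len(seen) / 2


if __name__ == "__main__":
    for cell, out in sorted(decision_table().items()):
        print(cell, "->", out)
    print("Data-file 01 -> 10 changes:", data_change_effect("01", "10"))
    print("coverage with button never pressed:",
          outcome_coverage([("0", d) for d in DATA_VALUES]))
```

A test set that never presses the button scores 0.5: the THEN branch is never exercised, which is exactly what a stated coverage number makes visible to the approver.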
Software 6/6 - Architecture
Architecture (diagram):
Inputs: Push button 0, 1; Detect smoke 0101..; Data-file 00, 01, 10, 11 (generated by Tool 2, data generation)
Components: Component 2 newly developed code; Compon. 12; Compon. 4 library; Component 3 old code from mother company; Component 5 COTS-code from industry; Component 6 hardware microcode
Outputs: Colour on screen 101..; Gate opens 000..; Relay pulls 111..
Tool 1 'links' it all together into one file: Install file 0101..
Pandora's box for infrastructure (diagram)
Inputs: Set train route 0, 1; Train detection 0101..; Data-file 00, 01, 10, 11 (Tool 2, data generation)
Components: Comp. 1, 2, 3; TMS; Global 'Stop'; Balise; ERTMS; GSM-R; Radio block; Tool 1
Outputs: Train drives 101.., 000.., 111..
Transmission channels: ERTMS Level 2, 0101..
CSM – Where is the system? (diagram)
Push button 001.. -> C1 -> C2; Smoke detection 0101.. -> C3; C4, C5 -> Colour on screen 101.., Gate opens 000..
Cause -> Hazard -> Consequence -> Risk
Change is red dot
SW failure in green path: Gate is not opening -> Smoke poisoning => safety requirement: EN50128, SIL2
Difficult arguments
"The supplier sent two very competent guys. We were sitting all weekend together, fixing the bugs, testing the software, and now I am very confident that it works"
"It is old software, the supplier says they can not fulfill EN50128"
"The changes are very small and do not concern the safety functions"
"It is only data changes, the software has not been changed"
Approval & Specifying
Independence
Software requirements
Traceability
ISO9001 is basis
Natural Language & Decision Tables
Example from EN50128 on the issue 'Test coverage'
Specification: The supplier is recommended to state test coverage
Approval: The number gives confidence in approval – the supplier knows what they are doing
Summary
• ISO9001 is basis
• Traceability
• Architecture
• Independence
• Validator Releases
• Natural Language & Decision Tables
• Configuration Management
Final last words
Var
  CSM_System: THandle; // Global variable

// This function decides whether Software in CSM-System is approved
Function Software_Approved: Boolean;
Var
  Test_done, Proces_done: Boolean;
Begin
  Result := False;
  If ((EN50128_followed = True) OR
      (Test_done = True AND Proces_done = True)) Then Begin
    If ISA_Report = SIL_Fulfilled Then Begin
      Result := True;
    end
    Else
      // ….To be done
  end;
end;
Q + A, Discussion