Approval of Software & Specification of Software Presentation at Banekonferencen

15-05-07

Approval of Software &

Specification of Software

Presentation at

’Banekonferencen’

05-05-2015

Background of the speaker

Troels Winther, TÜV-SÜD Danmark, Software CV

Year Company Program Role SW language 1987-1990 Bombardier Sternol Programmør C

1991-1997 Bombardier Ebilock 850 Test Integrator Assembler 1997-2000 Chartec uP, Motorola Project Manager C / embedded 2000-2003 KMS VisIT Programmør Pascal/C++

Windows 2003-2006 Det Norske

Veritas

-- Assessor Member

WG EN50128:2011 2006-2013 Atkins/DSB Safety Departm. SW-approvals

2014 - Current TÜV-SÜD Danmark

CMS assessor

5/7/2015 3

Train can

not brake

Hazard

Hardware

Emergency fail

(pushbutton)

Collision

Software

AND

Train computer

CMS assessor - SVR

SW-assessor,

Report about SIL2 fullfilment

SIL2

SIL3

Software error

in TCMS

EN50126-suiten

•

EN50126 (Safety Management)

•

EN50129 (Safety case, SIL-determination)

•

EN50128 (Software)

•

EN50155 (Equipment)

•

EN50121 (EMC and noise)

Safety concerns functions: The two most important?

Rolling stock:

Infrastructure:

Emergency brake

Driving permit

Fire Detection Equipment

Pass. Information System

Allowed track speed

Train Dispatching (TMS)

About TÜV-SÜD - European capacity 1/2

•To my understanding, the TSI CCS itself do not have any

requirement to SW

•The TSI CCS contains requirements to so called

“Interoperability Constituents”. Such an IC can be a SW

module or SW application

•The interoperability relevant requirements are given on a

functional and system level, refer to Annex A

•TSI CCS is referring to mandatory EN norms as well

•This EN norms then contain requirements regarding the

development and manufacturing of SW (especially EN50128)

•Chapter 6.2.3 of TSI CCS is stating some requirements

regarding the assessment of ICs

6.1.2: Uanset hvilket modul der er valgt, gælder bestemmelserne i bilag A, indeks 47, indeks A1, indeks A2 ..der er underlagt kravene i grundparameteren sikkerhed

Software 1/6 – As media

About software:

•

Software is a physical file with billions of 0- og 1-numbers

•

Software is help- and useless without hardware to execute the software

•

Software is made by many people, who don’t know each other

•

=> Not suited for approval

EN50128 definition

• 3.1.31 software

intellectual creation comprising the programs, procedures, rules, data and any associated documentation pertaining to the operation of a system

• 3.1.32 software baseline

complete and consistent set of source code, executable files, configuration files, installation scripts and documentation that are needed for a software release. Information about

compilers, operating systems, preexisting software and dependent tools is stored as part of the baseline. This will enable the organisation to reproduce defined versions and be the input for future releases at enhancements or at upgrade in the maintenance phase

Software 2/6 – Function

001.. 0101.. 011.. 101.. 000.. 111.. Push button Detect smoke Data-file Colour on screen Gate opens Relay pulls IF ’Button’ = 001 AND Data = 011 THEN ’Colour

on screen’ = 101 ELSE ’Relay pulls’ = 111

IF

AND THEN

Software 3/6 – Input/outputs

001.. 0101.. 00 el. 01 101.. 000.. 111.. Data-file

Push button Colour on screen

Gate opens

Relay pulls Detect smoke

Software 5/6 – Component testing

0, 1 0101.. 00, 01, 10, 11 101.. 000.. 111.. Data-file 1 Data Button 00 01 10 11 0 1 2 3 4 5 6 1 2 3 4 5 6

Is it a software change, when data is changed?

Component test

Push button _{Colour on screen}

Gate opens

Relay pulls Detect smoke

Compon 1

Software 6/6 - Arkitecture

0, 1 0101.. 00, 01, 10, 11 101.. 000.. 111.. Data-file Colour on screen Gate opens Relay pulls

Component 2

Newly developed code

Compon. 4

Library

Component 3

Old code

from mother company

Component 5

COTS-code from industry

Component 6

Hardware micro

code

3 2 1 1

Tool 1

’Linker’ det hele sammen

til en fil

Install-fil

Tool 2

Data-

generering

0101.. Push button Detect smoke

Comp. 1

Pandoras box for infra structure

0, 1 0101.. 00, 01, 10, 11 101.. 000.. 111.. Set train route

Train detection Data-file Train drives Global ’Stop’

TMS

Balise

ERTMS

GSM-R

_{Radio block}

3 2 1 1

Tool 1

Transmission chanels

ERTMS. Level 2

Tool 2

Data-

C5

C4

C2

C3

CSM – Where is the system?

C1

001.. 0101.. 101.. 000.. Push button Smoke detection Colour on screen Gate opens

Cause Hazard Consequence Risk

Change is red dot

SW failure -

in green path,

Gate is not opening Smoke poisoning => safety requirement: EN50128, SIL2

Difficult arguments

”The supplier sent two very competent guys. We where sitting all weekend

together, fixing the bugs, testing the software, and now I am very

confident that it works”

”It is old software, the supplier say they can not fulfill EN50128”

”The changes are very small and does not concern the safety functions”

”It is only data changes, the software has not been changed”

Software requirements

5/7/2015 15

ISO9001 is basis

Tracability

Natural Language & Decision Tables

Approval & Specifying

Example from EN50128 om issue ’Test coverage’

5/7/2015 16

Specification: The supplier is recommended to state test coverage

Approval: The number gives confidence in approval – the supplier knows what they are doing l

Summary

5/7/2015 17

•ISO9001 is basis

•Tracability

•Architecture

•Independency

•Validator Releases

•Natural Language & Decision Tables

•Configuration Management

Final last words

5/7/2015 18

Var

CSM_System: THandle;

// Global variabel

// This function decides whether Software in CSM-System is approved

Function

Software_Approved

Boolean

;

Var

Test_done, Proces_done:

Boolean

;

Begin

Result := False;

If

((EN50128_followed = True)

OR

(T

est_done = True

AND

Proces_done = True))

Then

Begin

If

ISA_Report = SIL_Fulfilled

Then Begin

Result

:= True;

end

Else

end;

Q + A, Discussion