Safety-critical software in machinery applications

Timo Malm, Matti Vuori, Jari Rauhamäki, Timo Vepsäläinen, Johannes Koskinen, Jari Seppälä, Heikki Virtanen, Marita Hietikko & Mika Katara

ISBN 978-951-38-7790-3 (URL: http://www.vtt.fi/publications/index.jsp)
ISSN 1455-0865 (URL: http://www.vtt.fi/publications/index.jsp)

Box 1000, FI-02044 VTT, Finland
phone internat. +358 20 722 111, fax +358 20 722 4374

Timo Malm, Matti Vuori, Jari Rauhamäki, Timo Vepsäläinen, Johannes Koskinen, Jari Seppälä, Heikki Virtanen, Marita Hietikko & Mika Katara. Safety-critical software in machinery applications. Espoo 2011. VTT Tiedotteita – Research Notes 2601. 111 p. + app. 10 p.

Keywords: software, safety, safety-related, machinery, control system

Abstract

This report presents some important factors related to safety-critical software in machinery. The following subjects are considered in the text: the role of safety-critical software in machinery, statistics of software faults, requirements, safety and security principles, risk and hazard modelling, agile development, safety process patterns, safety-related architectures, verification and validation, phases of development and formal methods. The general observation is that there are many methods for software design and it is difficult to choose the most relevant ones. The report shows some criteria for selecting methods and some aspects related to current topics. Because there are so many different safety-critical software applications in machinery, the research identified the most interesting topics and then focused on them.

The statistics show that most defects arise during the requirements specification and architectural design phases of the lifecycle, i.e. before any coding. The statistics also show that the defect density is higher in large programs, i.e. the number of defects increases exponentially as the program size grows. It may therefore be better to separate safety-critical and standard code in order to keep the former small.

Separating modules and keeping the connections between them narrow and under control is recommended, as it brings advantages in testing, understanding of the program, limiting the spread of errors, program development etc. There are many kinds of self-diagnostic and monitoring functions that may be complex and increase the number of defects, but they increase safety and are needed in safety-critical code.

The standard IEC 61508-3, published in 2010, lays down many functional requirements for safety-critical programmable systems. However, there are also other standards related to functional safety and the safety of control systems. This paper also considers some aspects related to the safety of agile methods. The standards state the requirements related to the phases of the V-model, but do not consider agile methods.

The functional safety of software is achieved through systematic (rather than intuitive) use of adequate methods in all phases of the programmable system lifecycle. Programmable systems contain hardware and software, both of which need to be considered in the validation process.

Preface

This publication was written to help machinery developers produce good safety-related software. Programmable systems and software in machines are evolving rapidly in many directions (e.g. towards large networks as well as small local systems), and we are therefore only able to give hints on specific important issues related to software safety. This document is constructed from separate articles related to specific topics. There are also short sections to complete and combine the topics.

The project was funded by Tekes (Finnish Funding Agency for Technology and Innovation) and realized by VTT and Tampere University of Technology (TUT). It was supported by a group of companies.

The management and supporting group of the project consisted of Jari Räihä, Tekes; Juha Sipilä, Pekka Nykänen, Pöyry/Tekes; Heikki Joensuu, Sami Salmi, ABB; Matti Katajala, Safety Advisor; Kari Lehmusvaara, John Deere; Jouni Törnqvist, Bronto Skylift; Ari Lehtinen, Konecranes; Teemu Parkkinen, Sandvik; Tuula Mäntylä, Mika Maunumaa, Epec; Mika Karaila, Metso Automation; Matti Sundquist, Sundcon; Seppo Kuikka, TUT; Mika Katara, TUT; and Helena Kortelainen, Risto Tiusanen, VTT. The following researchers worked on the project and contributed significantly to gathering material for the report: Jarmo Alanen, Kari Hakkarainen, Jere Jännes (VTT), Antti Jääskeläinen, Jani Paalijärvi and Mikko Salonen (TUT). Moreover, the fruitful discussions with project collaborators Prof. Shmuel Katz (Technion, Israel) and Tor Stålhane (NTNU, Norway) are gratefully acknowledged.

Tampere 12.10.2011
Authors

Contents

Abstract 3
Preface 4
1. Introduction 8
1.1 The role of software in safety-critical systems 8
1.2 Threats concerning software 9
1.3 Requirements for safety-related software 11
1.3.1 SFS-EN ISO 13849-1 12
1.3.2 SFS-EN 62061 13
1.3.3 IEC 61508 14
2. Functional safety and security as elements of overall safety 16
2.1 Introduction
