# FSD319: Software Safety Requirements Specification

## Motivations
Not applicable: requirements have not already been specified.
The software safety requirements are specified in FSD319: Software Safety Requirements Specification. They are derived from FSD114: 61508-1 E/E/PE system safety requirements specification and FSD120: System design requirements specification. No software is developed without taking into account the safety requirements in FSD114: 61508-1 E/E/PE system safety requirements specification.
In addition to EN-61508-3 clause 7.2.2.10 (MOTIVATION_319_010), FSD303: Techniques and measures specifies the techniques and measures applied to achieve SIL3.
The safety software runs on dedicated CPUs, with dedicated memory and watchdog. Flow control and RAM/Flash memory tests are used, and data to and between the safety CPUs is sent through a black channel. The two safety CPUs are of different types and do not run the same software. Accidental “DOS” behaviour on the interface between the CPUs and the safety CPU shall also be considered. Software executing in the safety CPUs shall be split into modules that have clearly defined interfaces. The functionality in one module shall have high cohesion. Global data that is not passed as a parameter to a method/function shall be avoided.
The software developers have thoroughly discussed the safety functions with the hardware designers. Different hardware modules (such as watchdogs) shall be used to fulfil the safety requirements. Capacity and timing on the safety CPUs shall be considered during software development; in particular, no blocking functions or tight loops are allowed in the software design.
The hardware and software together need to have enough performance to meet the response-time requirement for all faults that require deactivation of the radio module (described in 7.2.2.10 below). CPU-integrated hardware timers are used in interrupts to make sure that the unit goes into safe state if CPU time is not sufficient.
a) A number of fault detection mechanisms shall be used, some in software and some assisted by hardware:
b) See Software safety requirements in this document.
c) See Software safety requirements in this document.
d) Safe functions are continuously tested.
e) See Software safety requirements in this document.
The safety related software executes on CPUs where no non-safety related software executes.
a), b) See Software safety requirements in this document.
a) Range and invalid value checks in software, and all safety settings are protected by CRC.
b) Range and invalid value checks in software.
c) Range and invalid value checks in software.
a) Consistency in the radio and CAN protocol. The software version and configuration are included in the CRC/hash calculations, so that a mismatch between units that communicate with each other results in no communication.
b) Covered in software integration tests.
c) Covered in FSD150: Validation tests of modes, power supply, and configuration and FSD322: Software Verification Plan.
d) Covered in E/E/PE system safety validation tests.
e) Covered in FSD124: GUI and Compiler function requirements, module tests and integration tests.
a) Range and invalid value checks in software, and all safety settings are protected by CRC.
b) Only authorized personnel have access to change safety settings (password).
c) All safety settings are protected by CRC.
Not applicable: no separate validation of software.
## Requirements
| ID | Title | Source | Status | Derived |
|---|---|---|---|---|
| | RAM test | | PASS | |
| | RAM test | | PASS | |
| | RAM test | | PASS | |
| | RAM test | | PASS | |
| | Flash test | | PASS | |
| | Flash test | | PASS | |
| | Loss of power safe state | | PASS | |
| | Minimum voltage | | PASS | |
| | Minimum voltage | | PASS | |
| | Maximum voltage | | PASS | |
| | Maximum voltage | | PASS | |
| | Logic calculation interval | | PASS | TEST_300_021; TEST_300_022; TEST_300_023; TEST_300_119; TEST_300_120; TEST_300_121 |
| | Logic calculation interval | | PASS | |
| | Logic calculation interval | | PASS | |
| | Block diagram | | PASS | |
| | Selectable maximum reaction time | | PASS | |
| | CPU-CPU communication | | PASS | TEST_300_002; TEST_300_003; TEST_300_004; TEST_300_006; TEST_300_007; TEST_300_008; TEST_300_009; TEST_300_047; TEST_300_048; TEST_300_053; TEST_300_054; TEST_300_056 |
| | CPU-CPU communication | | PASS | |
| | CPU-CPU communication | | PASS | TEST_300_002; TEST_300_003; TEST_300_004; TEST_300_006; TEST_300_007; TEST_300_008; TEST_300_009; TEST_300_047; TEST_300_048; TEST_300_053; TEST_300_054; TEST_300_056 |
| | CPU-CPU communication | | PASS | TEST_300_002; TEST_300_003; TEST_300_004; TEST_300_006; TEST_300_007; TEST_300_008; TEST_300_009; TEST_300_047; TEST_300_048; TEST_300_053; TEST_300_054; TEST_300_056 |
| | CPU-CPU communication | | PASS | |
| | CPU-CPU communication | | PASS | |
| | IO ON/OFF states | | PASS | TEST_SINGLE_INPUT_1; TEST_SINGLE_OUTPUT_1; TEST_GUI_ADVANCED_INPUT_1; TEST_GUI_ADVANCED_OUTPUT_1 |
| | IO ON/OFF states | | PASS | TEST_SINGLE_INPUT_1; TEST_SINGLE_OUTPUT_1; TEST_GUI_ADVANCED_INPUT_1; TEST_GUI_ADVANCED_OUTPUT_1 |
| | IO ON/OFF states | DREQ_114D; DREQ_11A; DREQ_126B; DREQ_126A; DREQ_13A; DREQ_2A | PASS | TEST_SINGLE_INPUT_1; TEST_SINGLE_OUTPUT_1; TEST_GUI_ADVANCED_INPUT_1; TEST_GUI_ADVANCED_OUTPUT_1 |
| | IO ON/OFF states | | PASS | |
| | Combined inputs OFF/ON signal combinations | | PASS | |
| | Redundant inputs | | PASS | |
| | Redundant outputs | | PASS | |
| | Input voltage range | | PASS | |
| | Transistor IO | | PASS | |
| | Transistor inputs monitored by both CPUs | | PASS | |
| | Analog mismatch check | | PASS | |
| | Input startup test | | PASS | |
| | Internal output failure | | PASS | TEST_300_202; TEST_300_205; TEST_300_206; TEST_300_207; TEST_300_208; TEST_300_209 |
| | External output failure | | PASS | RESULT_SINGLE_OUTPUT_1; TEST_CFB_OSSD_1; TEST_CFB_OSSD_2; TEST_CFB_OSSD_3 |
| | Both CPUs control outputs | | PASS | |
| | No user interface to control safety outputs | | PASS | |
| | Combined IO function | | PASS | |
| | OSSD | | PASS | |
| | Relay outputs | | PASS | |
| | Safe state | | PASS | |
| | Safe state non returning function | | PASS | |
| | Fault reaction time | | PASS | |
| | Operation modes | | PASS | |
| | Normal operation mode | | PASS | |
| | Safe state mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode interfaces | | PASS | |
| | Configuration correct addressing | | PASS | |
| | Configuration correct addressing | | PASS | |
| | Configuration success or failure | | PASS | |
| | No user interface for unit setup | | PASS | |
| | Memory card replacement | | N/A | |
| | Start-up firmware check | | PASS | |
| | Start-up firmware version check | | PASS | |
| | Start-up configuration check | | PASS | |
| | Start-up check production data | | PASS | |
| | Start-up always safe | | PASS | |
| | Valid ID numbers | | PASS | |
| | Valid ID numbers | | PASS | |
| | Radio black channel | | PASS | |
| | Radio sequence counter | | PASS | |
| | Radio CRC | | PASS | |
| | Safe data hash | | PASS | |
| | Stateless safety information | | PASS | |
| | Timeout | | PASS | |
| | Global memories (safety information) | | PASS | |
| | Global memories (safety information) | | PASS | |
| | Global memories (safety information) | | PASS | |
| | Radio timeout | | PASS | |
| | Network same configuration | | PASS | |
| | Network same firmware | | PASS | |
| | SimpleCAN | | PASS | |
| | All code is safety code | | PASS | |
| | Internal voltages monitoring | | PASS | |
| | Internal voltages monitoring | | PASS | |
| | Internal voltages monitoring | | PASS | |
RAM tests shall be performed in both CPUs continuously during operation.
The time to test the whole RAM shall be less than 60 seconds.
The complete RAM shall be tested at start-up in both CPUs.
The algorithm for testing the RAM shall be documented and motivated.
Flash tests shall be performed in both CPUs continuously during operation.
The complete flash memory shall be tested at start-up in both CPUs.
Loss of power shall result in safe state.
The minimum power supply voltage shall be configurable between 7V and 30V.
If the power supply voltage is below the configured minimum voltage for longer than 500ms, the system shall go into safe state.
The maximum power supply voltage shall be configurable between 8V and 33V.
If the power supply voltage is above the configured maximum voltage for longer than 500ms, the system shall go into safe state.
The logic shall be calculated once every millisecond.
The logic calculation interval shall not deviate more than 0.1%.
The logic shall complete execution within 812.5 us in both CPUs. If the logic takes longer than 812.5 us to execute, the unit shall enter safe state.
The configuration shall be programmed by means of a block diagram language.
The maximum reaction time from detecting a stop condition on an input until the stop condition is achieved (outputs set to zero/OFF) shall be selectable.
Both CPUs shall send a message to the other CPU every millisecond.
The CPU-CPU packets shall be protected by a 32-bit CRC.
The C2C communication channel shall be implemented as a white channel.
The CPU2CPU communication shall be resistant to packet errors.
If either CPU does not receive a packet from the other CPU for 20ms, the unit shall enter safe state.
The CPU-CPU communication shall be implemented as a duplex communication channel.
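The supply-voltage, logic-deadline and CPU-CPU timeout requirements above share one pattern: a limit, a persistence time, and a one-way transition to safe state. The supervisor below is an added example (not the project's code) that applies exactly those limits; the structure, function names and the 1 ms tick are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not the project's code. One supervisor applying the timing limits stated
 * in the requirements: 812.5 us logic deadline, 500 ms supply-voltage persistence and the
 * 20 ms CPU-CPU packet timeout. Names, millisecond tick and struct layout are assumptions. */
typedef enum { STATE_NORMAL, STATE_SAFE } unit_state_t;

typedef struct {
    unit_state_t state;
    uint32_t v_min_mv, v_max_mv;   /* configured window: min 7-30 V, max 8-33 V */
    bool     v_out;                /* supply currently outside the window */
    uint32_t v_out_since_ms;       /* tick at which it left the window */
    uint32_t last_c2c_rx_ms;       /* last packet seen from the other CPU */
} supervisor_t;

/* Range check of the configured limits: an invalid configuration is rejected, not clamped. */
bool supervisor_init(supervisor_t *s, uint32_t v_min_mv, uint32_t v_max_mv, uint32_t now_ms) {
    if (v_min_mv < 7000u || v_min_mv > 30000u) return false;
    if (v_max_mv < 8000u || v_max_mv > 33000u || v_max_mv <= v_min_mv) return false;
    *s = (supervisor_t){ STATE_NORMAL, v_min_mv, v_max_mv, false, 0u, now_ms };
    return true;
}

/* Safe state is non-returning: nothing in this code clears it, only a CPU restart does. */
static void enter_safe_state(supervisor_t *s) { s->state = STATE_SAFE; }

/* Run once per 1 ms logic cycle, after the logic has finished. */
unit_state_t supervisor_tick(supervisor_t *s, uint32_t now_ms, uint32_t supply_mv,
                             uint32_t logic_ns, bool c2c_packet_received) {
    if (s->state == STATE_SAFE) return STATE_SAFE;

    /* Logic deadline: more than 812.5 us of execution trips immediately. */
    if (logic_ns > 812500u) enter_safe_state(s);

    /* Supply voltage: outside the configured window for longer than 500 ms. */
    bool out = supply_mv < s->v_min_mv || supply_mv > s->v_max_mv;
    if (!out) s->v_out = false;
    else if (!s->v_out) { s->v_out = true; s->v_out_since_ms = now_ms; }
    else if (now_ms - s->v_out_since_ms > 500u) enter_safe_state(s);

    /* CPU-CPU: a packet is expected every 1 ms; 20 ms without one trips. */
    if (c2c_packet_received) s->last_c2c_rx_ms = now_ms;
    else if (now_ms - s->last_c2c_rx_ms >= 20u) enter_safe_state(s);

    return s->state;
}
```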
All inputs and outputs shall have a defined ON and OFF state.
Transistor outputs shall be configurable with static and pulsed signal types according to FSD209 and FSD210.
Transistor inputs shall be configurable to handle all required input types according to FSD209 and FSD210.
Transistor inputs shall be able to distinguish between the different pulsed signals specified in FSD209 and FSD210.
A combination of ON and OFF conditions from inputs shall be usable as an input logic condition.
Redundant inputs shall be configurable with:
Redundant outputs shall be configurable with 2-8 output pins with defined ON/OFF states.
Transistor inputs shall be able to detect voltage levels between 0V and 33V.
All transistor IOs shall be configurable as either an input or an output.
Each input shall be monitored by both CPUs.
The analog values measured by each CPU for all inputs and outputs shall be compared against the analog values measured by the other CPU. If either CPU detects a mismatch between the voltage it measured on an input or output and the measured voltage received from the other CPU, the unit shall enter safe state.
A start-up test condition shall be configurable for all inputs. If the start-up test is enabled, the input must be in the OFF state before it can go to the ON state.
If an internal output failure is detected, the unit shall enter safe state.
If an external output failure is detected, the relevant outputs shall go to safe state.
CPU1 shall directly control every individual output. CPU2 shall control the main transistor for all outputs.
There shall be no user interface to control safety outputs from any user interface, which includes:
For the special I/O type “combined I/O”, the logic shall be able to use the I/O as both input and output within 4 ms, i.e. the input part shall be read at least every 4 ms.
Every OSSD output from a unit shall be able to detect short circuits to any other OSSD output from the same unit.
All relay outputs shall be continuously monitored by both CPUs.
Safe state shall be achieved by turning off all outputs (relays, transistor outputs, radio, CAN). No continuous control is needed.
The safe state shall be implemented as a non-returning function. The only way to leave it shall be to restart the CPU.
When a dangerous fault is detected, the maximum delay until all affected outputs in the complete system have reached the safe state shall be the response time (DREQ7.3 and DREQ108.1) + 500ms.
The following modes of operation shall be implemented:
In the normal mode of operation, the unit can communicate safety information via the different interfaces, and controls outputs based on inputs according to the user configuration.
In the safe state all outputs shall be monitored and continuously set to safe state. No safety communication shall be possible.
The configuration mode shall be implemented as a non-returning function. The only way to leave configuration mode is by a software reset or power cycle.
In the configuration mode all outputs shall be continuously monitored and turned off.
It shall only be possible to enter the configuration mode at start-up, by a software reset.
Code which handles configuration shall only be reachable in configuration mode.
The configuration mode shall be protected by a password. If the password is incorrect, the unit shall ignore the request to enter configuration mode.
If the configuration tool is connected but does not activate the configuration state, the Safety Simplifier shall work as normal.
All configuration attempts when not in configuration mode shall be rejected.
The unit shall be able to enter configuration mode and be configured via the following interfaces:
The PC tool shall verify that the destination unit is the correct unit specified by the user.
The PC tool shall allow the user to visually identify units via radio and CAN.
After downloading a configuration to one or more units, the PC software shall present the success or failure to the user.
There shall be no code that implements a user interface to set up or replace a unit from scratch, except that which is defined in Memory card replacement (DREQ_10B).
There shall be a means to replace a unit by transferring its memory card to a new unit and following a replacement procedure.
The firmware data in flash shall be protected by a 32-bit CRC which shall be checked at start-up. If the CRC does not match, the unit shall not start.
Both CPUs shall check each other's SW version at start-up. If either CPU detects that the other CPU has a different SW version, the unit shall enter safe state.
Both CPUs shall check at start up that the configuration is
Production data shall be protected by a 32-bit CRC and checked at start-up.
The software shall be designed so that there are no safety issues if it is restarted, no matter in what manner the restart was performed.
If the ID number in the production data is equal to 0x00000000 or 0xFFFFFFFF, the unit shall enter safe state.
The validity of the configured serial numbers shall be checked at start-up. The serial number settings are invalid if the network ID = 0, or if the serial number setting for the node itself does not match the serial number in its production data.
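The start-up checks above (firmware CRC, production-data CRC, SW version agreement, ID validity, network ID and serial match) combined into one gate, as an added example that is not the project's code. The page specifies only "32-bit CRC", so CRC-32/IEEE is assumed; the data layouts and the safe-state reaction to a production-data CRC mismatch are likewise assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not the project's code. The start-up checks as the requirements describe
 * them; structure layouts are constructed and, since the page only says "32-bit CRC",
 * CRC-32/IEEE is assumed. The reaction to a production-data CRC mismatch is also assumed. */
typedef struct {
    uint32_t id;       /* unit ID: 0x00000000 and 0xFFFFFFFF are invalid */
    uint32_t serial;   /* unit serial number */
    uint32_t crc;      /* CRC-32 over id and serial */
} production_data_t;

typedef struct { uint32_t network_id, own_serial; } config_t; /* network_id 0 is invalid */

typedef enum {
    START_OK,
    START_REFUSE,      /* firmware CRC mismatch: the unit shall not start */
    START_SAFE_STATE   /* any other failed check: enter safe state */
} start_result_t;

/* Bitwise CRC-32/IEEE (reflected, polynomial 0xEDB88320). */
uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Fills in the CRC the way production programming would. */
production_data_t production_data_make(uint32_t id, uint32_t serial) {
    production_data_t pd = { id, serial, 0u };
    pd.crc = crc32_ieee((const uint8_t *)&pd, offsetof(production_data_t, crc));
    return pd;
}

start_result_t startup_check(const uint8_t *fw, size_t fw_len, uint32_t fw_crc_stored,
                             const production_data_t *pd, const config_t *cfg,
                             uint32_t own_sw_version, uint32_t other_cpu_sw_version) {
    if (crc32_ieee(fw, fw_len) != fw_crc_stored) return START_REFUSE;
    if (crc32_ieee((const uint8_t *)pd, offsetof(production_data_t, crc)) != pd->crc)
        return START_SAFE_STATE;
    if (own_sw_version != other_cpu_sw_version) return START_SAFE_STATE;  /* SW versions differ */
    if (pd->id == 0x00000000u || pd->id == 0xFFFFFFFFu) return START_SAFE_STATE;
    if (cfg->network_id == 0u || cfg->own_serial != pd->serial) return START_SAFE_STATE;
    return START_OK;
}
```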
The radio communication shall be implemented as a black channel.
A sequence counter shall be used to protect against repeated packets. Receiving nodes shall discard packets with a bad sequence counter.
All radio messages shall be protected by a 24-bit CRC over the complete radio packet.
All radio messages shall include a 32-bit hash of all the safety information in the packet, and the hash shall additionally be seeded with the following information:
Note: This guarantees that all nodes in a radio network agree on the information above.
No state information shall be used between packets. Every packet shall contain all safety related information.
All failure indications shall be implemented by detecting the absence of safety packets (timeout).
Each node in a network shall have a configurable number of global memories, in multiples of 16, between 0 and 256.
Each node in a network shall be able to use the global memories of any other node in the network.
If a node in a network does not receive the global memories from another node within the specified radio timeout, the memories shall be set to zero.
The radio timeout shall be configurable between 4ms and 60000ms.
All nodes in a network shall verify that they are running the same configuration. This shall be implemented by seeding the communication checksum/hash with the configuration hash.
All nodes in a network shall verify that they are running the same firmware. This shall be implemented by seeding the communication checksum/hash with the firmware hash.
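The radio packet rules above (sequence counter, 24-bit CRC over the whole packet, 32-bit hash of the safety payload seeded with the firmware and configuration hashes, no state carried between packets) worked through as an added example that is not the project's code. The packet layout, the FNV-1a stand-in hash and the CRC-24 polynomial are assumptions; the page fixes only the widths and the seeding rule, and the example shows how that seeding makes a node with a different configuration unable to receive safety data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
/* Added example, not the project's code. The packet layout, FNV-1a stand-in hash and CRC-24
 * polynomial are assumptions; the page fixes only the 32-bit/24-bit widths and the seeding rule. */
#define PAYLOAD_LEN 8
typedef struct {
    uint32_t seq;                  /* sequence counter, used to reject repeated packets */
    uint8_t  payload[PAYLOAD_LEN]; /* the complete safety information, no state between packets */
    uint32_t hash;                 /* 32-bit hash of payload, seeded per node_seed() */
    uint32_t crc;                  /* 24-bit CRC over the fields above */
} radio_pkt_t;
typedef struct { uint32_t fw_hash, cfg_hash, last_seq; } node_t;

/* FNV-1a with a seed, standing in for the page's unspecified 32-bit hash. */
static uint32_t hash32(uint32_t seed, const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
/* Bitwise CRC-24 (OpenPGP polynomial 0x864CFB), standing in for the page's 24-bit CRC. */
static uint32_t crc24(const uint8_t *p, size_t n) {
    uint32_t crc = 0xB704CEu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint32_t)p[i] << 16;
        for (int b = 0; b < 8; b++) { crc <<= 1; if (crc & 0x1000000u) crc ^= 0x864CFBu; }
    }
    return crc & 0xFFFFFFu;
}
/* Chain the firmware hash into the configuration hash: a node running different
 * firmware OR a different configuration computes a different payload hash. */
static uint32_t node_seed(const node_t *n) {
    return hash32(n->fw_hash, (const uint8_t *)&n->cfg_hash, sizeof n->cfg_hash);
}

void pkt_build(const node_t *tx, uint32_t seq, const uint8_t *data, radio_pkt_t *out) {
    memset(out, 0, sizeof *out);               /* deterministic bytes under the CRC */
    out->seq = seq;
    memcpy(out->payload, data, PAYLOAD_LEN);
    out->hash = hash32(node_seed(tx), out->payload, PAYLOAD_LEN);
    out->crc = crc24((const uint8_t *)out, offsetof(radio_pkt_t, crc));
}
/* Accept only if CRC, seeded hash and sequence counter all check out, so a node with
 * another firmware or configuration never receives safety data from this one. */
bool pkt_accept(node_t *rx, const radio_pkt_t *p) {
    if (crc24((const uint8_t *)p, offsetof(radio_pkt_t, crc)) != p->crc) return false;
    if (hash32(node_seed(rx), p->payload, PAYLOAD_LEN) != p->hash) return false;
    if (p->seq <= rx->last_seq) return false;  /* repeated or stale sequence counter */
    rx->last_seq = p->seq;
    return true;
}
```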
The CAN communication shall be implemented as SimpleCAN. All requirements of SimpleCAN shall be fulfilled.
All code shall be considered safety code/safety related. This means all techniques and measures, code standards, and verification methods shall be applied to all code.
The CPU1 3.3V (3V3A) voltage shall be monitored by CPU2.
The CPU2 3.3V (3V3B) voltage shall be monitored by CPU1.
The SIO_PWR voltage shall be monitored by both CPUs.