FSD322: Software Verification Plan

Motivations

Motivation: EN-61508-3 clause 7.9.2.1/4 MOTIVATION_322_001

status: PASS tags: fsd322 Source: EN_61508_3_7_9_2_1, EN_61508_3_7_9_2_4

all phases in the software safety lifecycle, EN 61508-3:2010, figure 4, shall have complete and correct output documented when completed. Before closing a phase, the outputs shall be evaluated and then be used as input to the next phase.

Motivation: EN-61508-3 clause 7.9.2.2/3/5 MOTIVATION_322_002

status: PASS tags: fsd322 Source: EN_61508_3_7_9_2_2, EN_61508_3_7_9_2_3, EN_61508_3_7_9_2_5

There is no verification plan for phase Verification plan for software aspects of system safety. There is no verification plan for phase Software operation and maintenance procedures, as this is covered by FSD107: System verification plan, validation test specifications and results, phase E/E/PE system operation and maintenance procedures. Safety-related software can’t be configured, updated, changed etc. during operation.

Motivation: EN-61508-3 clause 7.9.2.6 MOTIVATION_322_003

status: PASS tags: fsd322 Source: EN_61508_3_7_9_2_6

See the result of SW lifecycle phases.

Verification plan

Definition of Validation test

The scope of this test level is to verify the functional safety requirements in a complete system environment. These test cases are for complete systems of one or more safety simplifiers, connected to I/Os.

Definition of System Integration test

The scope of this test level is to verify that interfaces between different components work as expected. A component could be either a HW or SW unit, or also an entire safety simplifier. Example: Testing the interface between two CPU’s in the same device. Testing the interface between CPU and HW, e.g. CPU and relay driver. Testing the radio interface between two units. Focus will normally be on one unit, or even a part of a unit - even though several units are often used.

Definition of SW Integration test

All integration tests will be run as system integration tests.

Definition of SW Module test

The scope in this test level is to focus on functional software building blocks. Example: To verify that the relay driver and the feedback of the state of the relays are deterministic. Some of these test cases will require several units present in the test setup, but most of the test cases can be executed with only one unit present, since the focus will be on internal software features in the unit under test.

Tests

TEST: 61508-3:2010 clause 7.9.2.7 activities TEST_322_001

status: PASS tags: fsd322 Derived: RESULT_322_001 Source: EN_61508_3_7_9_2_7

Verify that the points in 61508-3:2010 clause 7.9.2.7 activities have been performed: a) verification of software safety requirements; b) verification of software architecture; c) verification of software system design; d) verification of software module design; e) verification of code; f) verification of data; g) verification of timing performance; h) software module testing (see 7.4.7); i) software integration testing (see 7.4.8); j) programmable electronics integration testing (see 7.5); k) software aspects of system safety validation (see 7.7).

RESULT: 61508-3:2010 clause 7.9.2.7 activities RESULT_322_001

status: PASS tags: fsd322 Source: TEST_322_001

a) Performed in FSD319: Software Safety Requirements Specification. b) Performed in FSD304: System architecture description. c) Performed in FSD304: System architecture description. d) Performed in FSD304: System architecture description. e) Performed in FSD320: Code review. f) N/A: data is not available in the product. g) Performed in FSD300: Software Module Tests. Online testing implemented and verified in software. h) Performed in FSD300: Software Module Tests. i) Performed in FSD300: Software Module Tests, FSD124: GUI and Compiler function requirements, module tests and integration tests, and FSD150: Validation tests of modes, power supply, and configuration. j) Performed in FSD300: Software Module Tests, FSD124: GUI and Compiler function requirements, module tests and integration tests, and FSD150: Validation tests of modes, power supply, and configuration. k) N/A: no separate validation of software (see EN-61508-3 clause 7.3 (MOTIVATION_319_100) and linked requirements).

TEST: 61508-3:2010 clause 7.9.2.8 TEST_322_002

status: PASS tags: fsd322 Derived: RESULT_322_002 Source: EN_61508_3_7_9_2_8

Let persons knowledgeable in EN 61508:2010 and the application area review the software safety requirements specification to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.8. The specification passes if the reviewers find that it fulfils the requirements in 7.9.2.8.

RESULT: 61508-3:2010 clause 7.9.2.8 RESULT_322_002

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_002

The people outlined in FSD002: Management of functional safety have reviewed the software safety requirements specification and found that: a) the software safety requirements specification adequately fulfils the requirements in FSD114: 61508-1 E/E/PE system safety requirements specification. b) the software validation plan adequately fulfils the requirements in FSD114: 61508-1 E/E/PE system safety requirements specification. c) No incompatibilities was found between FSD319: Software Safety Requirements Specification and FSD114: 61508-1 E/E/PE system safety requirements specification. No incompatibilities was found between FSD319: Software Safety Requirements Specification and FSD116: System Validation Planning.

TEST: 61508-3:2010 clause 7.9.2.9 TEST_322_003

status: PASS tags: fsd322 Derived: RESULT_322_003 Source: EN_61508_3_7_9_2_9

Let persons knowledgeable in EN 61508:2010 and the application area review the software architecture to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.9. The architecture passes if the reviewers find that it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.9.

RESULT: 61508-3:2010 clause 7.9.2.9 RESULT_322_003

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_003

The people outlined in FSD002: Management of functional safety have reviewed the software architecture and found that: a) Software architecture adequately fulfils the requirements in FSD304: System architecture description. b) The integration tests are deemed adequate as all requirements are covered by tests. c) Safety performance, testability, readability, and safe modification is deemed adequate. d) No incompatibilities were found.

TEST: 61508-3:2010 clause 7.9.2.10 TEST_322_004

status: PASS tags: fsd322 Derived: RESULT_322_004 Source: EN_61508_3_7_9_2_10

Let persons knowledgeable in EN 61508:2010 and the application area review the software system design to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.10.

RESULT: 61508-3:2010 clause 7.9.2.10 RESULT_322_004

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_004

a) The software system design adequately fulfils the requirements in FSD304: System architecture description. b) The integration tests are deemed adequate as all requirements are covered by tests. All applicable requirements have corresponding test cases. c) See 61508-3:2010 clause 7.9.2.9 (TEST_322_003). d) No incompatibilities were found. This is continuously reviewed during development.

Software design and development

TEST: 61508-3:2010 clause 7.9.2.11 TEST_322_005

status: PASS tags: fsd322 Derived: RESULT_322_005 Source: EN_61508_3_7_9_2_11

Let persons knowledgeable in EN 61508:2010 and the application area review the software module design to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.11.

RESULT: 61508-3:2010 clause 7.9.2.11 RESULT_322_005

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_005

The software module design adequately fulfils the requirements in FSD304: System architecture description. FSD300: Software Module Tests covers all parts of the module design specification. 1) Safety performance is deemed feasible. 2) The software module tests fully cover the software module design specification. 3) The code is deemed readable and maintainable by the developer team. 4) Modification is usually part of work packages and the changes to be made are specified in detail. This is deemed adequate by the developer team. d) 1) No incompatibilities were found. 2) No incompatibilities were found between module tests and specifications. 3) No incompatibilities were found between module tests and integration tests.

TEST: 61508-3:2010 clause 7.9.2.12 TEST_322_006

status: PASS tags: fsd322 Derived: RESULT_322_006 Source: EN_61508_3_7_9_2_12

Let persons knowledgeable in EN 61508:2010 and the application area review the code to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.12.

RESULT: 61508-3:2010 clause 7.9.2.12 RESULT_322_006

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_006

Static methods used are specified in FSD303: Techniques and measures in 61508-3 table B.2.

TEST: 61508-3:2010 clause 7.9.2.13 TEST_322_007

status: PASS tags: fsd322 Derived: RESULT_322_007 Source: EN_61508_3_7_9_2_13

Let persons knowledgeable in EN 61508:2010 and the application area review the data to judge whether it fulfils the requirements in EN 61508-3:2010, clause 7.9.2.13.

RESULT: 61508-3:2010 clause 7.9.2.13 RESULT_322_007

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_007

a) The general data structures are verified as part of the software review process. b) The interfaces between the CPUs, and the configuration data are considered here. 1) All communication data have versions, checksums, magic values, etc, to verify that the data is correct. The configuration structures shared between firmware and logic have version, magic value, and checksum to verify that the data is correct. 2) All data is complete and complies with the application requirements. 3) Compatibility is checked via the version field in all shared data structures. 4) Correctness is handled via the magic values and checksums. Incorrect data (corrupt, old, out of date, etc) is handled by this. Settings (operational parameters) have been verified against the application requirements. 1-3: See FSD300: Software Module Tests (specifically input handling). see b) above, 7.4.11.1 (MOTIVATION_129_058) and 7.4.11.2 (MOTIVATION_129_059).

TEST: Software module tests TEST_322_008

status: PASS tags: fsd322 Derived: RESULT_322_008 Source: EN_61508_3_7_9_2_14

Perform tests according to the software module test specification (FSD300: Software Module Tests). Test is passed if all software module test cases are passed.

RESULT: Software module tests RESULT_322_008

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_008

See FSD300: Software Module Tests for the results of the software module tests.

TEST: Software integration tests (verification 8) TEST_322_009

status: PASS tags: fsd322 Derived: RESULT_322_009

Perform tests according to the software integration test specification (FSD124: GUI and Compiler function requirements, module tests and integration tests and FSD150: Validation tests of modes, power supply, and configuration). Test is passed if all software integration test cases are passed.

RESULT: Software integration tests (verification 8) RESULT_322_009

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_009

See FSD124: GUI and Compiler function requirements, module tests and integration tests and FSD150: Validation tests of modes, power supply, and configuration for the results of the software integration tests.

TEST: System safety validation TEST_322_010

status: PASS tags: fsd322 Derived: RESULT_322_010

Perform tests according to the software safety validation plan. Test is passed if all software safety validation test cases are passed.

RESULT: System safety validation RESULT_322_010

status: PASS tags: fsd322 date: 2025-06-21 Source: TEST_322_010

See FSD133: System safety validation.