1、Functional safety of electrical/electronic/ programmable electronic safety-related systems Part 3-1: Software requirements Reuse of pre-existing software elements to implement all or part of a safety function PD IEC/TS 61508-3-1:2016 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1
2、15/05/2013 15:06National foreword This Published Document is the UK implementation of IEC/TS 61508-3-1:2016. The UK participation in its preparation was entrusted by Technical Committee GEL/65, Measurement and control, to Subcommittee GEL/65/1, System considerations. A list of organizations represen
3、ted on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 58
4、0 90008 2 ICS 25.040.40; 35.240.50 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 August 2016. Amendments/corrigenda issued since publication Date Text af
5、fected PUBLISHED DOCUMENT PD IEC/TS 61508-3-1:2016 IEC TS 61508-3-1 Edition 1.0 2016-07 TECHNICAL SPECIFICATION Functional safety of electrical/electronic/programmable electronic safety-related systems Part 3-1: Software requirements Reuse of pre-existing software elements to implement all or part o
6、f a safety function INTERNATIONAL ELECTROTECHNICAL COMMISSION ICS 25.040.40; 35.240.50 ISBN 978-2-8322-3516-4 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtained this publication from an authorized distributor. PD IEC/TS 61508-3-1:2016 2 IEC TS
7、61508-3-1:2016 IEC 2016 CONTENTS FOREWORD . 3 INTRODUCTION . 5 1 Scope 6 2 Normative References . 6 3 Terms and definitions 6 4 Requirements 6 Bibliography . 10 PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 3 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ FUNCTIONAL SAFETY OF ELECTRICAL/ELECTR
8、ONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS Part 3-1: Software requirements Reuse of pre-existing software elements to implement all or part of a safety function FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all nat
9、ional electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technic
10、al Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work.
11、International, governmental and non- governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) T
12、he formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendat
13、ions for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end
14、user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publicati
15、on shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent
16、 certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any person
17、al injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications. 8) Attention is drawn to the Normative refer
18、ences cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for
19、identifying any or all such patent rights. The main task of IEC technical committees is to prepare International Standards. In exceptional circumstances, a technical committee may propose the publication of a technical specification when the required support cannot be obtained for the publication of
20、 an International Standard, despite repeated efforts, or the subject is still under technical development or where, for any other reason, there is the future but no immediate possibility of an agreement on an International Standard. Technical specifications are subject to review within three years o
21、f publication to decide whether they can be transformed into International Standards. PD IEC/TS 61508-3-1:2016 4 IEC TS 61508-3-1:2016 IEC 2016 IEC TS 61508-3-1, which is a technical specification, has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-proce
22、ss measurement, control and automation. The text of this technical specification is based on the following documents: Enquiry draft Report on voting 65A/780/DTS 65A/802/RVC Full information on the voting for the approval of this technical specification can be found in the report on voting indicated
23、in the above table. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. A list of all parts in the IEC 61508 series, published under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems, can be found on the IEC w
24、ebsite. The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be transformed into an International s
25、tandard, reconfirmed, withdrawn, replaced by a revised edition, or amended. A bilingual version of this publication may be issued at a later date. PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 5 INTRODUCTION The requirements set out in this technical specification deal with the reuse of sof
26、tware elements when they are intended to form part of a safety function. In many fields of automation, software elements are used today in support of safety functions. Such applications will certainly be further developed and extended. Software engineers, however, do not always wish to write the sof
27、tware for these applications from scratch, but will in many cases use already existing software and integrate it with the new application which might be slightly different from the one for which the software was originally specified. In IEC 61508-3:2010, a requirement is given in 7.4.2.12. It offers
28、 three routes to the achievement of the necessary integrity for the pre-existing software element. The requirements to comply with the second route, Route 2 s , are defined in IEC 61508-2:2010, 7.4.10. This entails that IEC 61508-3:2010 dealing solely with software refers to requirements in IEC 6150
29、8-2:2010 which concerns complete systems including hardware but excluding software (see IEC 61508-2:2010, 1.1 enumeration “e“). This technical specification defines the requirements for software elements explicitly, because IEC 61508-2:2010 excludes software, and is intended to replace the text of t
30、he second bullet (“route 2 s ”) of a), 7.4.2.12 in IEC 61508-3:2010 in a future revision of IEC 61508-3. PD IEC/TS 61508-3-1:2016 6 IEC TS 61508-3-1:2016 IEC 2016 FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS Part 3-1: Software requirements Reuse of pre-ex
31、isting software elements to implement all or part of a safety function 1 Scope This Technical Specification presents requirements by the application of which pre-existing software elements may be claimed to be proven-in-use for all or a part of safety function(s) of SIL1 or SIL 2. 2 Normative refere
32、nces The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) a
33、pplies. IEC 61508-3:2010, Functional safety of electrical/electronic/programmable electronic safety- related systems Part 3: Software requirements 3 Terms and definitions No terms and definitions are listed in this document. ISO and IEC maintain terminological databases for use in standardization at
34、 the following addresses: IEC Electropedia: available at http:/www.electropedia.org/ ISO Online browsing platform: available at http:/www.iso.org/obp 4 Requirements 4.1 Notes 1 to 4 below apply to the entire Clause 4 (4.2 to 4.9). NOTE 1 Any documentation required by a clause in this document could
35、either be available with the pre-existing software or could be included as part of the documentation of the safety related function. NOTE 2 A reused software function in this document means a function specified on the level of the requirements specification (see IEC 61508-3:2010, 7.2). A reused soft
36、ware function does not refer to a programming language construct. NOTE 3 Conditions are set for the data on the history of the pre-existing software in 4.2 b) and c). The fulfilment of these conditions does not entail that the software is deterministic: hidden internal states of the software can aff
37、ect its execution even when the required combination as specified in 4.2 b) and c) is exactly the same. The use of pre-existing software is thus restricted by 4.7. NOTE 4 In some cases (e.g. input data are analogue data or a clock signal) the demonstration of proven-in-use for software could be diff
38、icult. 4.2 An element shall only be regarded as proven-in-use when: a) its description: 1) exists and is available; 2) fulfils the requirements of IEC 61508-3:2010, 7.2; 3) describes the previous use, PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 7 and b) the execution of the software with
39、all combinations of all claimed combinations of input data, sequences of execution of the reused software function(s), timing relations within sequences of execution of the reused software function(s) which will occur in the intended use are documented; and c) combinations of all input data, sequenc
40、es of execution of the reused software function(s), timing relations within sequences of execution of the reused software function(s) which are not part of the proven-in-use claim, comply with 4.8, and d) the combinations described in 4.2 b) that will be used in the intended use have occurred in the
41、 previous use with the same relative frequency. This future frequency shall be justified in comparison to the previous use and documented. and e) there is adequate evidence to demonstrate the completeness of the documentation, and f) the element together with the hardware on which it will run will b
42、e subject to documented analysis of any operational experience of the integrated hardware and software element; suitability analysis of the hardware and software element; testing of the hardware and software element. This documentation includes: specification of the goals of the test runs from the p
43、roperties documented in 4.2 a), b) and d) above; details of the testing for each individual goal; an estimate of the confidence with which the testing established each individual goal; a demonstration that the estimated confidence is appropriate to the goal and the test results. NOTE 1 Suitability a
44、nalysis and testing focuses on the demonstration of a hardware and software elements performance within the intended application. The results of existing analyses and testing could be taken into account. This includes functional behaviour, accuracy, behaviour in the case of a fault, time response, r
45、esponse to overload, usability (e.g., avoidance of human error) and maintainability. NOTE 2 A mathematical partitioning of the input data can be helpful to identify all proven-in-use combinations. NOTE 3 By “input data” is meant all input data to the software element. For example, it can be that the
46、 hardware on which the software element runs generates internal data that are input to the software, such as diagnostics. NOTE 4 The timing relations most often found and most in need of verification are linear timing relations of the form (fastest possible time = execution time = longest possible t
47、ime). There are practical methods for verifying and checking the mutual consistency of timing requirements of such a form. 4.3 The documentary evidence required by 4.2 shall a) demonstrate that the following features and phenomena of the previous experience evaluated for the proven-in-use claim are
48、identical in the intended use of the element: hardware (e.g. processor, memory, clock, bus behaviour) and demand profiles; PD IEC/TS 61508-3-1:2016 8 IEC TS 61508-3-1:2016 IEC 2016 configuration (e.g., compiler options used in compiling the source code for the proposed use, initialisation of program
49、 variables and constants, the hardware configuration on which the software will execute); software interfaces; libraries (including source code libraries as well as libraries of binary code); operating system, interpreters (for example, those used to emulate processor architectures on processors which do not share that architecture); translator (compiler), linker, code generators; and b) contain a complete description of the conditions of use of the pre-
