1、Functional safety ofelectrical/electronic/programmable electronic safety-related systemsPart 3-1: Software requirements Reuse of pre-existing software elements to implement all or part of a safety functionPD IEC/TS 61508-3-1:2016BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/
2、2013 15:06National forewordThis Published Document is the UK implementation of IEC/TS61508-3-1:2016.The UK participation in its preparation was entrusted by TechnicalCommittee GEL/65, Measurement and control, to Subcommittee GEL/65/1,System considerations.A list of organizations represented on this
3、committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisions ofa contract. Users are responsible for its correct application. The British Standards Institution 2016.Published by BSI Standards Limited 2016ISBN 978 0 580 90008 2ICS 25.0
4、40.40; 35.240.50Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 31 August 2016.Amendments/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENT
5、PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1 Edition 1.0 2016-07 TECHNICAL SPECIFICATION Functional safety of electrical/electronic/programmable electronic safety-related systems Part 3-1: Software requirements Reuse of pre-existing software elements to implement all or part of a safety function INTERNA
6、TIONAL ELECTROTECHNICAL COMMISSION ICS 25.040.40; 35.240.50 ISBN 978-2-8322-3516-4 Registered trademark of the International Electrotechnical Commission Warning! Make sure that you obtained this publication from an authorized distributor. PD IEC/TS 61508-3-1:2016 2 IEC TS 61508-3-1:2016 IEC 2016 CON
7、TENTS FOREWORD . 3 INTRODUCTION . 5 1 Scope 6 2 Normative References . 6 3 Terms and definitions 6 4 Requirements 6 Bibliography . 10 PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 3 INTERNATIONAL ELECTROTECHNICAL COMMISSION _ FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONI
8、C SAFETY-RELATED SYSTEMS Part 3-1: Software requirements Reuse of pre-existing software elements to implement all or part of a safety function FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical comm
9、ittees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technica
10、l Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental
11、 and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agree
12、ments of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees. 3) IEC Publications have the form of recommendations for international use a
13、nd are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote
14、 international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicate
15、d in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies. 6) Al
16、l users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage o
17、r other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications. 8) Attention is drawn to the Normative references cited in this publicat
18、ion. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such
19、patent rights. The main task of IEC technical committees is to prepare International Standards. In exceptional circumstances, a technical committee may propose the publication of a technical specification when the required support cannot be obtained for the publication of an International Standard,
20、despite repeated efforts, or the subject is still under technical development or where, for any other reason, there is the future but no immediate possibility of an agreement on an International Standard. Technical specifications are subject to review within three years of publication to decide whet
21、her they can be transformed into International Standards. PD IEC/TS 61508-3-1:2016 4 IEC TS 61508-3-1:2016 IEC 2016 IEC TS 61508-3-1, which is a technical specification, has been prepared by subcommittee 65A: System aspects, of IEC technical committee 65: Industrial-process measurement, control and
22、automation. The text of this technical specification is based on the following documents: Enquiry draft Report on voting 65A/780/DTS 65A/802/RVC Full information on the voting for the approval of this technical specification can be found in the report on voting indicated in the above table. This pub
23、lication has been drafted in accordance with the ISO/IEC Directives, Part 2. A list of all parts in the IEC 61508 series, published under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems, can be found on the IEC website. The committee has de
24、cided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under “http:/webstore.iec.ch“ in the data related to the specific publication. At this date, the publication will be transformed into an International standard, reconfirmed, withdr
25、awn, replaced by a revised edition, or amended. A bilingual version of this publication may be issued at a later date. PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 5 INTRODUCTION The requirements set out in this technical specification deal with the reuse of software elements when they are
26、 intended to form part of a safety function. In many fields of automation, software elements are used today in support of safety functions. Such applications will certainly be further developed and extended. Software engineers, however, do not always wish to write the software for these applications
27、 from scratch, but will in many cases use already existing software and integrate it with the new application which might be slightly different from the one for which the software was originally specified. In IEC 61508-3:2010, a requirement is given in 7.4.2.12. It offers three routes to the achieve
28、ment of the necessary integrity for the pre-existing software element. The requirements to comply with the second route, Route 2s, are defined in IEC 61508-2:2010, 7.4.10. This entails that IEC 61508-3:2010 dealing solely with software refers to requirements in IEC 61508-2:2010 which concerns comple
29、te systems including hardware but excluding software (see IEC 61508-2:2010, 1.1 enumeration “e“). This technical specification defines the requirements for software elements explicitly, because IEC 61508-2:2010 excludes software, and is intended to replace the text of the second bullet (“route 2s”)
30、of a), 7.4.2.12 in IEC 61508-3:2010 in a future revision of IEC 61508-3. PD IEC/TS 61508-3-1:2016 6 IEC TS 61508-3-1:2016 IEC 2016 FUNCTIONAL SAFETY OF ELECTRICAL/ELECTRONIC/PROGRAMMABLE ELECTRONIC SAFETY-RELATED SYSTEMS Part 3-1: Software requirements Reuse of pre-existing software elements to impl
31、ement all or part of a safety function 1 Scope This Technical Specification presents requirements by the application of which pre-existing software elements may be claimed to be proven-in-use for all or a part of safety function(s) of SIL1 or SIL 2. 2 Normative references The following documents are
32、 referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IEC 61508-3:2010, Functi
33、onal safety of electrical/electronic/programmable electronic safety-related systems Part 3: Software requirements 3 Terms and definitions No terms and definitions are listed in this document. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Ele
34、ctropedia: available at http:/www.electropedia.org/ ISO Online browsing platform: available at http:/www.iso.org/obp 4 Requirements 4.1 Notes 1 to 4 below apply to the entire Clause 4 (4.2 to 4.9). NOTE 1 Any documentation required by a clause in this document could either be available with the pre-
35、existing software or could be included as part of the documentation of the safety related function. NOTE 2 A reused software function in this document means a function specified on the level of the requirements specification (see IEC 61508-3:2010, 7.2). A reused software function does not refer to a
36、 programming language construct. NOTE 3 Conditions are set for the data on the history of the pre-existing software in 4.2 b) and c). The fulfilment of these conditions does not entail that the software is deterministic: hidden internal states of the software can affect its execution even when the r
37、equired combination as specified in 4.2 b) and c) is exactly the same. The use of pre-existing software is thus restricted by 4.7. NOTE 4 In some cases (e.g. input data are analogue data or a clock signal) the demonstration of proven-in-use for software could be difficult. 4.2 An element shall only
38、be regarded as proven-in-use when: a) its description: 1) exists and is available; 2) fulfils the requirements of IEC 61508-3:2010, 7.2; 3) describes the previous use, PD IEC/TS 61508-3-1:2016IEC TS 61508-3-1:2016 IEC 2016 7 and b) the execution of the software with all combinations of all claimed c
39、ombinations of input data, sequences of execution of the reused software function(s), timing relations within sequences of execution of the reused software function(s) which will occur in the intended use are documented; and c) combinations of all input data, sequences of execution of the reused sof
40、tware function(s), timing relations within sequences of execution of the reused software function(s) which are not part of the proven-in-use claim, comply with 4.8, and d) the combinations described in 4.2 b) that will be used in the intended use have occurred in the previous use with the same relat
41、ive frequency. This future frequency shall be justified in comparison to the previous use and documented. and e) there is adequate evidence to demonstrate the completeness of the documentation, and f) the element together with the hardware on which it will run will be subject to documented analysis
42、of any operational experience of the integrated hardware and software element; suitability analysis of the hardware and software element; testing of the hardware and software element. This documentation includes: specification of the goals of the test runs from the properties documented in 4.2 a), b
43、) and d) above; details of the testing for each individual goal; an estimate of the confidence with which the testing established each individual goal; a demonstration that the estimated confidence is appropriate to the goal and the test results. NOTE 1 Suitability analysis and testing focuses on th
44、e demonstration of a hardware and software elements performance within the intended application. The results of existing analyses and testing could be taken into account. This includes functional behaviour, accuracy, behaviour in the case of a fault, time response, response to overload, usability (e
45、.g., avoidance of human error) and maintainability. NOTE 2 A mathematical partitioning of the input data can be helpful to identify all proven-in-use combinations. NOTE 3 By “input data” is meant all input data to the software element. For example, it can be that the hardware on which the software e
46、lement runs generates internal data that are input to the software, such as diagnostics. NOTE 4 The timing relations most often found and most in need of verification are linear timing relations of the form (fastest possible time = execution time = longest possible time). There are practical methods
47、 for verifying and checking the mutual consistency of timing requirements of such a form. 4.3 The documentary evidence required by 4.2 shall a) demonstrate that the following features and phenomena of the previous experience evaluated for the proven-in-use claim are identical in the intended use of
48、the element: hardware (e.g. processor, memory, clock, bus behaviour) and demand profiles; PD IEC/TS 61508-3-1:2016 8 IEC TS 61508-3-1:2016 IEC 2016 configuration (e.g., compiler options used in compiling the source code for the proposed use, initialisation of program variables and constants, the har
49、dware configuration on which the software will execute); software interfaces; libraries (including source code libraries as well as libraries of binary code); operating system, interpreters (for example, those used to emulate processor architectures on processors which do not share that architecture); translator (compiler), linker, code generators; and b) contain a complete description of the conditions of use of the pre-existing software. NOTE 1 The c
