Certification of the development of safe software

The standard IEC 61508 is valid since July 2001 and it has established itself as the central standard for safety technology during the last years. On the one hand, the IEC 61508 serves as a basic standard for implementing further fields of application, such as the IEC 61511 (process industry) and the IEC 61800 (drive engineering), and on the other hand it can be applied independently (stand-alone).

IEC 61508 - the new standard

The IEC 61508 describes the safety life cycle and the requirements for electric, electronic and programmable electronic systems (E/E/PES) which are used to accomplish safety functions.

IEC 61508 part 3 clearly defines the requirements for software components which are part of a safe system (E/E/PES) in order to achieve a particular degree of safety. The following safety-relevant software components are considered:

• Operating systems
• System software
• Networked software
• Functions for man-machine interfaces
• Utilities
• Firmware
• User programs

Due to the demands made by the IEC 61508 and the required certification, the development effort of software being a part of a safety system is much higher than for a standard development and assumes special knowledge regarding project management and realization concerning the contents.

Some of the demands defined by the IEC 61508-3:

• Use of a V model (validation and verification)
• QS manual (process, documents...)
• Safety requirement specification
• Requirement tracking
• Development at the same time with tests
• Diversified or redundant structure
• Parallel validation measures
• Requirement management
• ... and many more

KW-Software supports the categories SIL2 and SIL3

Concerning the contents, in many cases the safety category SIL3 is relevant. This is due to the application which requires a 2-channel and - within safety relevant fields - mostly diversified software structure.  A successful realization of such a software structure including the necessary vertical redundancy checks and synchronization points assumes many years of experience. This applies also for systems which need to fulfill the safety category SIL2. Here, some simplifications of the hardware and software architecture are of course possible compared to category SIL3. For SIL2 solutions, KW-Software fully supports 2-channel architectures as well as 1-channel architectures.

KW-Software: Great know-how for the realization of safety-relevant software

Security Integration Levels (SIL)

What is a SIL?

In the standard IEC 61508, Security Integration Levels designate the ranges (stages) for the failure probability of safety functions within safety-relevant electric, electronic and programmable electronic (E/E/PE) systems. In this context, a safety function means the functionality of a E/E/PE system implemented for risk minimization. This means that the safety function must preserve or establish a safe system state as response to exactly predefined events.

Important: SIL classifies the characteristic of the safety function but not of the component or system itself. Applied to the components of KW-Software this means: SAFEGRID, SAFEPROG and SafeOS do not possess the "property SIL3", but these components can be used in safety functions of systems which fulfill the conditions up to SIL3.

Valuation of software components

In this context, software is treated in the same way as each other system component and this means: Looked at the software out of context, it has no SIL. By integrating it into a system, the safety-relevant software component takes on its intended (sub)task within the safety function and can thus be classified with a Security Integration Level. Which level the software component is able to achieve, depends on several factors, such as the conditions during the development process, the properties of the implementation and specification and much more.

The development process for safe software components at KW-Software is certified according to IEC 61508. As the safe programming system SAFEPROG in combination with the safe runtime system SafeOS can be used up to SIL3, this implies: SAFEPROG and SafeOS have been developed with adequate technologies and measures which ensure that these software components fulfill the requirements according to SIL3 within the intended safety function regarding the probability of failure on demand.

Criteria for SIL classification

Safe Failure Fraction, SFF: