Introduction

IEC61508-3:2010, 7.4.2.12 defines the requirements for using pre-existing software elements. To be compliant with Route 2S, the requirements of IEC61508-2:2010, 7.4.10 shall be fulfilled by a pre-existing software element.

Quotation from IEC61508-3:2010:

7.4.2.12 Where a pre-existing software element is reused to implement all or part of a safety function, the element shall meet both requirements a) and below for systematic safety integrity:
a) meet the requirements of one of the following compliance routes:
- ..
- Route 2S: proven in use. Provide evidence that the element is proven in use. See 7.4.10 of IEC61508-2;
According to the scope of IEC61508-2:2010, the requirements in IEC61508-2:2010, 7.4.10 do not apply to software.

Quotation from IEC61508-2:2010:

1.1 This part of the IEC61508 series .. e) specifies the requirements for activities that are to be applied during the design and manufacture of the E/E/PE safety-related systems (i.e. ..) except software,
Taking this into account, it is necessary to interpret IEC61508-2:2010, 7.4.10 for software. This is done in the following for each subclause of IEC61508-2:2010, 7.4.10.
The phrase .. clearly restricted and specified functionality .. from 7.4.10.1 needs an interpretation for software.

Quotation from IEC61508-2:2010:
7.4.10.2 The documentary evidence required by 7.4.10.1 shall demonstrate that:
a) the previous conditions of use (see Note 1) of the specific element are the same as, or sufficiently close to, those that will be experienced by the element in the E/E/PE safety-related system;
NOTE 1 The conditions of use (operational profile) include all the factors that may trigger systematic faults in the hardware and software of the element. For example environment, modes of use, functions performed, configuration, interfaces to other systems, operating system, translator, human factors. Rigorous conditions for similarity of operational profile may be found in IEC 61784-3.
The phrase sufficiently close to .. from 7.4.10.2 item a) needs an interpretation for software.

Quotation from IEC61508-2:2010:
7.4.10.2 The documentary evidence required by 7.4.10.1 shall demonstrate that:
b) the dangerous failure rate has not been exceeded in previous use.
NOTE 2 See IEC61508-7, Annex D, for guidelines on the use of a probabilistic approach to determining software safety integrity for pre-developed software based on operational experience.
NOTE 3 The collection of evidence for proven in use elements requires an effective system for reporting failures.
The item b) from 7.4.10.2 needs an interpretation for software.

Quotation from IEC61508-2:2010:

7.4.10.3 When there is any difference between the previous conditions of use and those that will be experienced in the E/E/PE safety-related system, then an impact analysis on the differences shall be carried out using a combination of appropriate analytical methods and testing, in order to demonstrate that the likelihood of any dangerous systematic faults is low enough that the required safety integrity level(s) of the safety function(s) that use the element is achieved.
The phrase When there is any difference between the previous conditions of use .. needs an interpretation for software.

Quotation from IEC61508-2:2010:
7.4.10.4 A proven in use safety justification shall be documented, using the information available from 7.4.10.2, that the element supports the required safety function with the required systematic safety integrity. This shall include:
a) the suitability analysis and testing of the element for the intended application;
b) the demonstration of equivalence between the intended operation and the previous operation experience, including the impact analysis on the differences;
c) the statistical evidence.
The phrase suitability analysis from 7.4.10.4 needs an interpretation for software.
Interpretation of subclause 7.4.10.1:

The phrase .. clearly restricted and specified functionality .. from IEC61508-2:2010, 7.4.10.1 is interpreted as follows:

I Specifications:
a. exist and are available, and
b. fulfil the requirements of IEC61508-3:2010, 7.2, and
c. describe the previous use.

II The execution of the software with all claimed proven-in-use combinations of input data and sequences of function calls, as well as the temporal relations of sequences of function calls which will occur in the proposed use, shall be documented.

III All combinations of:
- input data and
- sequences of function calls and
- temporal relations of sequences of function calls
which do not fall under the proven-in-use claim shall comply with 7.4.10.3.

Note: a mathematical partitioning of the input data can be helpful to identify all proven-in-use combinations.
Interpretation of subclause 7.4.10.2:

The phrase sufficiently close to .. from IEC61508-2:2010, 7.4.10.2 item a) is interpreted as follows:

I The following features and phenomena of previous use shall be kept identical, in the use of the element in the E/E/PE safety-related system, to those occurring in the situations constituting the usage on whose basis the software is claimed to be proven-in-use:
- environment (e.g. processor, memory, clock, bus behaviour),
- configuration,
- software interfaces,
- libraries,
- operating system,
- translator (compiler).

II A complete description of the conditions of use of the proven-in-use software shall be provided.
The item b) from IEC61508-2:2010, 7.4.10.2 is interpreted as follows:

III A dangerous failure rate is not relevant for proven-in-use software, because the behaviour of the software on all proven-in-use combinations of input data, sequences of function calls and temporal relations of sequences of function calls is known from, and is defined by, its previous use.

IV For the time period in which the behaviour of all proven-in-use combinations of input data, sequences of function calls and temporal relations of sequences of function calls is observed, it is demonstrated that any individual failure of the software has been detected and reported (there was perfect failure detection in this observation period; particular care shall be taken concerning possibly masked failures).

V The consequences of the reported failures are analysed, evaluated and documented.
Interpretation of subclause 7.4.10.3:

The phrase When there is any difference between the previous conditions of use .. from IEC61508-2:2010, 7.4.10.3 is interpreted as follows:

I See interpretation of 7.4.10.6 item II.
Interpretation of subclause 7.4.10.4:

The phrase suitability analysis from IEC61508-2:2010, 7.4.10.4 is interpreted as follows:

I The possibility to use proven-in-use software shall be derived from the software safety requirements specification (see IEC61508-3:2010, 7.2) of the E/E/PE safety-related system.
Interpretation of subclause 7.4.10.5:

IEC61508-2:2010, 7.4.10.5 is interpreted as follows:

I The use of proven-in-use software is limited to no-SIL, SIL 1 and SIL 2, because the methods classified as HR in the tables of Annex A and Annex B up to SIL 2 mainly address only black-box aspects of behaviour.

II The evidence appropriate to the given SIL is specified in IEC61508-3:2010, Annex A.

Note 1: novelty of design is sufficiently covered by 7.4.10.1 and 7.4.10.2 a).
Note 2: for SIL > 2 another route shall be taken (see IEC61508-3:2010, 7.4.2.12).

Interpretation of subclause 7.4.10.6:

IEC61508-2:2010, 7.4.10.6 is interpreted as follows:

I Only proven-in-use combinations of:
- input data and
- sequences of function calls and
- temporal relations of sequences of function calls
shall occur in use for safety functions (see interpretation of 7.4.10.1).

II The evidence that functions of the proven-in-use software which have not been adequately covered by the proven-in-use demonstration have no adverse effect on the safety integrity of the E/E/PE safety-related system exists and is given.
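As an added example (not part of this interpretation document, nor taken from any standard or product), the following Python sketch makes the proven-in-use claim of a hypothetical software element explicit in the three dimensions named in 7.4.10.1 item III and 7.4.10.6 item I: a partition of the input data, the permitted sequence of function calls, and timing bounds between calls. It then checks a call trace from the proposed use against that envelope and lists the input combinations that previous use never exercised. The element's functions (init/configure/read/shutdown), the parameter partitions, the timing bounds and both traces are constructed assumptions; every finding the checker reports, and every unproven combination it lists, is material that item III of 7.4.10.1 and item II of 7.4.10.6 send to the 7.4.10.3 impact analysis rather than something the proven-in-use claim can cover.

```python
"""Proven-in-use envelope check (added illustration, hypothetical element)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A trace entry is (time in ms, function name, keyword arguments).
Trace = List[Tuple[float, str, Dict[str, float]]]

# 1. Partition of the input data: parameter -> (class, lower incl., upper excl.).
#    The classes are assumed for the hypothetical element.
PARTITIONS: Dict[str, List[Tuple[str, float, float]]] = {
    "pressure_bar": [("low", 0.0, 2.0), ("nominal", 2.0, 8.0), ("high", 8.0, 12.0)],
    "temp_c": [("cold", -20.0, 5.0), ("normal", 5.0, 60.0), ("hot", 60.0, 120.0)],
}


def classify(param: str, value: float) -> Optional[str]:
    """Return the partition class of value, or None if no class contains it."""
    for name, lo, hi in PARTITIONS[param]:
        if lo <= value < hi:
            return name
    return None


# 2./3. Permitted call sequence and timing relations between consecutive calls.
@dataclass(frozen=True)
class Envelope:
    start: str
    transitions: Dict[str, Set[str]]                        # call -> allowed next calls
    timing_ms: Dict[Tuple[str, str], Tuple[float, float]]   # (prev, next) -> (min, max) gap


ENVELOPE = Envelope(                                         # assumed for the example
    start="init",
    transitions={"init": {"configure"}, "configure": {"read"},
                 "read": {"read", "shutdown"}, "shutdown": set()},
    timing_ms={("read", "read"): (5.0, 100.0)},              # read period seen in previous use
)


def combination(func: str, args: Dict[str, float]):
    """Abstract one call to (function, sorted tuple of (parameter, class))."""
    return func, tuple(sorted((p, classify(p, v)) for p, v in args.items()))


def check_trace(trace: Trace, env: Envelope = ENVELOPE) -> List[Tuple[int, str, str]]:
    """Return (index, kind, detail) for every call outside the envelope.

    kind is 'input' (value in no partition class), 'sequence' (call order not
    proven) or 'timing' (gap between calls outside the proven bounds).
    """
    findings: List[Tuple[int, str, str]] = []
    prev_func: Optional[str] = None
    prev_t = 0.0
    for i, (t, func, args) in enumerate(trace):
        for p, v in args.items():
            if p not in PARTITIONS:
                findings.append((i, "input", f"{func}: unknown parameter {p}"))
            elif classify(p, v) is None:
                findings.append((i, "input", f"{func}: {p}={v} outside every partition"))
        if prev_func is None:
            if func != env.start:
                findings.append((i, "sequence", f"trace must start with {env.start}, got {func}"))
        else:
            if func not in env.transitions.get(prev_func, set()):
                findings.append((i, "sequence", f"{prev_func} -> {func} not a proven sequence"))
            bounds = env.timing_ms.get((prev_func, func))
            if bounds is not None:
                lo, hi = bounds
                gap = t - prev_t
                if not lo <= gap <= hi:
                    findings.append((i, "timing", f"{prev_func} -> {func} gap {gap:.1f} ms outside [{lo}, {hi}]"))
        prev_func, prev_t = func, t
    return findings


def exercised(trace: Trace) -> Set:
    """All (function, input-class) combinations a trace exercises."""
    return {combination(f, a) for _, f, a in trace}


def unproven_combinations(previous_use: Trace, proposed_use: Trace) -> Set:
    """Combinations the proposed use needs that previous use never exercised."""
    return exercised(proposed_use) - exercised(previous_use)


# Constructed traces: what the claimed previous use looked like, and a proposed use.
PREVIOUS_USE: Trace = [
    (0.0, "init", {}), (10.0, "configure", {}),
    (20.0, "read", {"pressure_bar": 5.0, "temp_c": 20.0}),
    (70.0, "read", {"pressure_bar": 6.5, "temp_c": 30.0}),
    (120.0, "read", {"pressure_bar": 1.0, "temp_c": 25.0}),
    (170.0, "shutdown", {}),
]
PROPOSED_USE: Trace = [
    (0.0, "init", {}), (10.0, "configure", {}),
    (20.0, "read", {"pressure_bar": 5.0, "temp_c": 20.0}),
    (30.0, "read", {"pressure_bar": 9.0, "temp_c": 70.0}),    # unproven input classes
    (200.0, "read", {"pressure_bar": 5.0, "temp_c": 20.0}),   # 170 ms gap: unproven timing
    (250.0, "read", {"pressure_bar": 13.0, "temp_c": 20.0}),  # pressure in no class
    (300.0, "configure", {}),                                  # re-configure after read: unproven
    (310.0, "shutdown", {}),                                   # configure -> shutdown: unproven
]

if __name__ == "__main__":
    for finding in check_trace(PROPOSED_USE):
        print("out of envelope:", finding)
    for combo in sorted(unproven_combinations(PREVIOUS_USE, PROPOSED_USE), key=str):
        print("needs 7.4.10.3 impact analysis:", combo)
```

Running the script lists four out-of-envelope calls in the proposed trace (one timing, one input, two sequence findings) and two (function, input-class) combinations that previous use never covered. The same `check_trace` can be run over the recorded previous-use traces themselves: it must return no findings there, which is one way to check that the documented envelope of item II really describes the usage the claim rests on.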
Interpretation of subclause 7.4.10.7:

IEC61508-2:2010, 7.4.10.7 is interpreted as follows:

I Modification to proven-in-use software shall comply with IEC61508-3:2010, 7.8.

II After any modification at all, the formerly proven-in-use software is no longer to be considered as proven-in-use.