资源描述
EN50128 2011 Seminar SummaryYao JunYao JunFeb.27,2012Feb.27,20121EN50128 2011 Seminar北京英华经纶交通运输有限公司(劳氏北京)于2012年2月9日在北京举办了EN50128新版标准研讨会,会议由 Professor Ali Hessami 讲解(欧标修订工作组WG11主席,负责EN50128:2011的修订)。Ali Hessami教授介绍了系统安全保障的基本概念,并从标准制定者的角度介绍了新版的EN50128,同时还谈到了EN50126系列标准的整合和未来。下面的ppt文档是基于本次研讨会的总结,也加入了个人的理解,并把我的提问和回答也都列出。如果有不正确的或者遗漏的地方,请及时指出,谢谢!2Main Differences between EN50128 2011 and EN50128 2001Main differences in New EN50128 are the following contents:Organization and rolePersonnel competenceSupport toolsApplication data or algorithmsDeployment and maintenance3Organization and RoleOrganization,role and independence requirements(section 5.1)Add the role of RQM(requirement manager),INT(Integritor)and TST(Tester)Add the description of these rolesThe independent requirements for roles are clearly explained.Example:4Person competencePersonnel competencies are added in Annex B of EN50128 2011.An example is shown:5Support Tools(1/2)Support Tools and Languages(Section 6.7)Provide evidence that potential failures of tools do not adversely affect the integrated toolset output in a safety related manner.ClassificationThree classes of tools so far as reliability and safety impact is concerned as T1,T2 and T3.Each class will place different requirements on the required assurance6Support Tools(2/2)T1 class(section 3.1.42)generates no outputs which can directly or indirectly contribute to the executable code(including data)of the software Example:a text editor,configuration control tools.T2 class(section 3.1.43)supports the test or verification of the design or executable code,where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software.Example:a test coverage measurement tool and a static analysis tool T3 class(section 3.1.44)generates outputs which can directly or indirectly contribute to the executable code (including data)of the safety related system Example:a source code compilerA simple way to understand the three types of tools:T1-SIL0 T2-SIL1&2 T3-SIL3&47Application Data or algorithmsThis part is emphasized in the new EN50128.(section 8)“The requirements for the development of application algorithms are the same as the development of generic software as described in Clauses 1-7 and 9.“emphasize the importance of this part.Example 8Software DeploymentSoftware deployment(section 9.1):To ensure that the software performs as required,preserving the required software safety integrity level and dependability when it is deployed in the final environment of application.Key requiremntsFollow ISO 90003 as a minimumDefine and maintain baseline(Example:using CC)Release NotesError Detection in TransportDeployment Manual9Other Changes(1/6)SIL0 is not viewed as non-safety,which has safety impact below SIL1.Some requirements for SIL0 still needs to be achieved.Example:10Other Changes(2/6)Predeveloped software and COTS software are uniformly named as Pre-exisitng software(7.3.4.7).Example:11Other Changes(3/6)Overall Software Test is added to test the software requirementsObjective:To analyse and test the integrated software and hardware to ensure compliance with the Software Requirements Specification.Example:12Other Changes(4/6)Software module is modified as software component.Example13Other Changes(5/6)SWSIL is changed as SIL Example14Other Changes(6/6)Add software interface specification in the architecture design stage Example:15New Trends in EN standardsEN50126-X will be published in 2014(estimated)EN50126-1 RAMS in Railways(EN50126:1999)EN50126-2 Tools and Methods(New)EN50126-3 SMS for Railways(Many parties do not agree)EN50126-4 Functional Safety of Electronic Systems(EN50129:2003)EN50126-5 Software for Railway Applications(EN50128:2011)16Q&A(1/3)1.1.Section 7.3.4.7 b)For all software safety integrity levels the pre-existing software shall be included in the validation process of the whole software.Question:What is the real meaning of this sentence?Actually all of the pre-existing(COTS)software is included in the system validation.Do we need to carefully validate the pre-existing software especially and independently before validating the whole software or system?Answer(Ali Hessami):Yes.We shall do more than before about the pre-existing software.It is recommended that all of the functions of pre-existing software shall be checked.If the pre-existing software has passed the certification,only reviewing documents is enough.If the pre-exiting software does not have the certificate,all of the functions needs to be carefully tested before using.17Q&A(2/3)2.Diverse programming(D16)Diverse programming is a difficult method for implementation.If we can not assess the level of diversity,how could we claim that our own software diversity method is effective or not?For instance,we can implement two different methods in one computer or two different methods in two computers to achieve software diversity.Could you give us a suggestion which is better?Answer(Ali Hessami):It depends on the problem you want to solve.If two different methods in one CPU can achieve the goal(Hardware unrelated problem),it is OK.Or else,two different methods in two CPUs are necessary(hardware related problem).18Q&A(3/3)3.SIL TraceabilityIn developing safety critical software,the software with SIL4 could be traced by SIL4 and SIL0 software module.It is reasonable.But in some cases,the software with SIL0 may be traced by SIL4 software module.The reason is during implementing software,some software modules with SIL0 can not clearly isolated with SIL4 software modules.Therefore although the software requirement is SIL0,the implementing software module is SIL4.In principle,this scenario is not allowed but it indeed exists in the real software development.Could you tell us how to solve this problem?Answer(Ali Hessami):Usually we need to reconsider the SIL of software components if later these software components(Originally SIL0)indicate that they can not be clearly isolated from SIL4 software components.19
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
