This document answers some Frequently Asked Questions (FAQs) about the certification of computer software for industrial applications. The answers to the questions are not intended to provide a definitive technical answer but rather to inform the reader in a general manner.
SAFETY CERTIFICATION STANDARDS
Validated Software Corporation’s Validation Suite
IEC is the acronym for the International Electrotechnical Commission, the international standards and conformity assessment body for electrotechnology; specifically, functional safety of electrical/electronic/programmable electronic (E/E/PE) systems.
Location: Geneva, Switzerland.
Web site: www.iec.ch
CENELEC is the European Committee for Electro-technical Standardization. Most CENELEC standards are identical or very closely based on IEC international standards. Typically, IEC standards in the 60000 to 69999 range map directly to CENELEC standards, for example, IEC 61508 to EN 61508. CENELEC’s web site is: www.cenelec.org
MISRA is the acronym for the Motor Industry Software Reliability Association. Its mission is "To provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software".
It is not a certification agency, but an association that publishes guidelines for writing more reliable software for automotive systems manufacturers. It has published a "Guidelines for The Use Of The C Language In Vehicle Based Software" manual that is available directly from their web site.
The MISRA web site is: www.misra.org.uk
SAFETY CERTIFICATION STANDARDS
IEC 61508 was developed to create a standard for the functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 allows for the standalone certification of a software component, unlike FDA/CDRH. The documentation requirements of IEC 61508 tend to lean more heavily on design, usage, and manufacturing, due to the standalone component aspects of this certification. One of the most critical documents is the Safety Manual, which contains the rules and guidelines on how to use the software component in a system that is certified.
The IEC standard is published in seven parts, as shown in the table below:
IEC 61508 Part References Reference Full Part Title 61508-1 IEC 61508-1:1998, Functional safety of E/E/PE safety-related systems - Part 1: General requirements 61508-2 IEC 61508-2:2000, Functional safety of E/E/PE safety-related systems - Part 2: Requirements for E/E/PE safety-related systems 61508-3 IEC 61508-3:1998, Functional safety of E/E/PE safety-related systems - Part 3: Software requirements 61508-4 IEC 61508-4:1998, Functional safety of E/E/PE safety-related systems - Part 4: Definitions and abbreviations 61508-5 IEC 61508-5:1998, Functional safety of E/E/PE safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels 61508-6 IEC 61508-6:2000, Functional safety of E/E/PE safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 61508-7 IEC 61508-7:2000, Functional safety of E/E/PE safety-related systems - Part 7: Overview of techniques and measures
The first four parts of IEC 61508 define the way to comply with the specification. IEC 61508 can be used in a broad variety of safety-critical systems, including emergency shutdown systems in power plants, turbine controls, railway signaling systems, and other electromechanical systems in safety-critical environments.
In general, the documents created during the development and verification/validation process of a safety related system, shall contain all necessary information for the performance of the different phases to the V-model development process as documented in IEC 61508.
In parallel to the development process, test plans and test specifications have to be created for the performance of the verification and validation activities. These test plans can be designed such, that they also can be used to document the results, which are obtained at the execution of the verification and test steps.
The left wing shows the design documents, which are established during the development process.
The right wing contains the test records of the performance of the verification/validation steps.
Click on the Drawing to enlarge
The International Electrotechnical Commission Safety specifies Safety Integrity Levels (SILs) to quantify the chance of dangerous failures in electrical or electronic safety devices. The SIL is based on the probability of the device failing in performing its safety function.
SIL Probability of Failure 4 10-5 to 10-4 3 10-4 to 10-3 2 10-3 to 10-2 1 10-2 to 10-1
The level to which a particular system must be certified is selected by a process of failure analysis and input from the device manufacturers and the certifying authority (IEC authorized certifying agency, e.g., TÜV).
The following table lists the documents and records you may need to provide for a 510(k) submission:
Software Life Cycle Data List Document Title Type Section PSAC Plan for Software Aspects of Certification Document 11.1 SDP Software Development Plan Document 11.2 SVP Software Verification Plan Document 11.3 SCMP Software Configuration Management Plan Document 11.4 SQAP Software Quality Assurance Plan Document 11.5 SRS Software Requirements Standards Document 11.6 SDS Software Design Standards Document 11.7 SCS Software Code Standards Document 11.8 SRD Software Requirements Data Document 11.9 SDD Software Design Description Document 11.10 Source Code Software 11.11 Executable Object Code Software 11.12 SVCP Software Verification Cases and Procedures Document 11.13 SVR Software Verification Results Records 11.14 SECI Software Life Cycle Environment Configuration Index Document 11.15 SCI Software Configuration Index Document 11.16 PRs Problem Reports Records 11.17 Software Configuration Management Records Records 11.18 Software Quality Assurance Records Records 11.19 SAS Software Accomplishment Summary Document 11.20
IEC 61508-3 defines specific verification objectives that must be satisfied; these include:
Verification of software development processes
Review of software development life cycle artifacts
Functional Verification of software
Requirements-based testing and analysis
Structural Coverage Analysis
Structural Coverage Analysis is generally perceived to be the most difficult task to undertake by people unfamiliar with rigorous code development and testing. Furthermore, an operating system is tightly integrated with the hardware, cache, interrupts, memory management, and process/task management, thereby making structural testing even more difficult. These low-level aspects create a significant challenge to the verification process.
A variety of commercial tools are available to assist in this challenging task.
See our Code Coverage Tools page for a list of known vendors in this space.
Validated Software Corporation’s Validation Suite™
Validated’s Validation Suites are packages of standards, plans, requirements, designs, and tests to address manufacturers requiring safety certification documentation for projects. Validation Suites are typically developed for software products widely used in safety-critical products. The use of our Validation Suites allows developers to concentrate on their core product and lower their costs by purchasing an essentially off-the-shelf Validation Suite as a component.
Due to different requirements for different certification levels, the amount of documentation will differ, but, in general, the following documentation will be provided in Level A through Level C Validation Suites.
Validation Suite Component Item Plan for Software Aspects of Certification (PSAC) 11.1 Software Development Plan (SDP) 11.2 Software Verification Plan (SVP) 11.3 Software Configuration Management Plan (SCMP) 11.4 Software Quality Assurance Plan 11.5 Software Requirements Standard 11.6 Software Design Standard 11.7 C Language Coding Standard 11.8
Software Requirements Document (SRD)
Microprocessor Port Requirements and Design Documents
Software Design Document
Software Source Code, Test Code and Build Code
Software Port Image 11.12 Software Unit Test Plans and Procedures 11.13 Software Integration Test Plans and Procedures 11.13 Software Unit Test Reports 11.14 Software Integration Test Report 11.14 Software Test Coverage Report 11.14 Software Life Cycle Environment Configuration Index 11.15 Software Configuration Index 11.16 Software Problem Report History 11.17 Software Change History 11.18 Software Quality Assurance Data 11.19 Software Accomplishment Summary (SAS) 11.20
In addition, Validated also offers port-specific documentation to provide all the board support package (BSP) documentation, for example:
Port Software Design Description, Special I/O Port Software Design Description, Special 80x86 Protected Mode Port
Q. Do I also have to pay another manufacturer for a production license when I purchase a Validation Suite?
Yes. The Validated Suite does not include a production license for the software.
Yes. The Validation Suite contains all source code to the product and all source code to test files, all test scripts, and all build/make files. Please note however that all of the products we validate are licensed by another manufacturer. As such we can not ship source code to a product until we receive confirmation from the manufacturer that you have a valid license in place with them.
No. The source code we provide is functionally identical to the manufacturers original code. In some cases the code may belong to a "safety-critical" version of the manufacturers product, but this is the exception not the rule.
Yes. Depending upon the system changes between projects, the Validation Suite can be used for multiple projects. (Note that additional license fees for both MicroC/OS-II and the Validation Suite may apply, regardless of re-use.)
MicroC/OS-II was chosen for many reasons:
MicroC/OS-II is a very stable operating system that has been used in tens of thousands of systems and hundreds of commercial applications. It has been in use for over 10 years, with minor modifications made periodically.
MicroC/OS-II has been “open source” since its creation. Therefore, it has been reviewed by thousands of individuals. But, unlike some open source projects, revisions are tightly controlled and reviewed by Micrium, and then openly reviewed by the MicroC/OS-II community.
MicroC/OS-II was written against a very strict coding standard, which improves readability, understandability, and maintainability – all key aspects of creating software used in critical systems.
Every line of MicroC/OS-II is well documented. This is extremely rare in the software industry and is ideal for safety certification where the mapping of requirements to source code to test for every line of code is required.
All Validated Software products can be ordered from the Validated Software Sales office.