
RiskCAT 61508 User's Manual


Contents

1. (Page 38 of 57, RiskCAT 61508 User's Manual, 20 February 2010)
   CAUTION: If the results are intended to be stored as a simple text file (see chapter 9.2 Result storage as simple text), the use in the note of those characters which are intended to be the delimiter character should be avoided. Otherwise the import by the text processor applied for further processing will be unnecessarily complicated.
   10.2 Comprehensive note to the marked prescription
   The purpose of the comprehensive notes is the same as for the simple notes, which have been the initial means of RiskCAT. The restriction of the simple notes to 500 characters in certain cases evolved to be a significant disadvantage, so an extension has been the aim of the comprehensive notes. The comprehensive note may be used in addition to a simple note.
   [Screenshot: "Comprehensive note to prescription" editor window, 64000 characters maximum per note]
   A suggestion for the efficient handling of standards: Before starting the real work, an overview of the considered standard should be achieved. This may be achieved e.g. in technical discussions or in seminars. Selection of the prescriptions from the considered standard relevant for the next working step which needs to be accomplished, OR assurance that the standard does not provide guidance for the working step. This may happen e.g. with the actual IE
2. ...in the menu File. Strings are enclosed in …; … in the prescription texts and in the notes are replaced by …. For the export itself there is just one option, given in the menu on the left in a self-explaining manner. The export for each selected prescription consists of (the delimiter between the values is the comma; each value is enclosed in …):
   - two different keys:
     - Object Identifier, which enables DOORS to identify the prescription in a unique way. The Object Identifier consists of an integer number assigned to the prescription. The Object Identifiers start with 2. They are consecutive when and only when all prescriptions are selected and, as a consequence, exported.
     - RiskCAT Identifier of the prescription, which enables the traceability of the prescription back to RiskCAT. The RiskCAT Identifier consists of (see Figure 2):
       - the RiskCAT database identifier (see chapter 10.7 Help menu),
       - the area tab the prescription is assigned to,
       - the topic tab the prescription is assigned to, and
       - the line number of the prescription in its prescription window;
   - the short form of the prescription (… in the prescription text are replaced by …);
   - the reference for the prescription in IEC 61508;
   - the degree of obligation of the prescription; and
   - the Simple note to the prescription (see chapter 10.1 Simple note to the marked prescription).
   The sta
3. ...in the menu File. String items are enclosed in …. For the export itself there are some options given in the menu on the left in a self-explaining manner. Finally the Export button needs to be pushed to choose the name of one of the export files and to start their generation. The export of RiskCAT for Caliber RM consists of two files:
   - Export Info txt with
     - the items delimiter character and
     - the text enclosure character used for the export;
   - cvs with the information selected on the Caliber export form.
   These files are inputs for the Caliber RM tools
   - Import factory and
   - Import utility.
   The import by Caliber RM is specified in the Caliber RM user documentation. Please apply that for the further procedure.
   [Screenshot: Caliber export form with the options Degree of obligation export and Comprehensive Note]
   (Page 34 of 57)
   9.6 DOORS export
   With RiskCAT an export interface is available to DOORS by Telelogic AB. This export interface is a package of its own and needs an extra licence. The export is by the steps:
   - Selection of the prescriptions: the checked information will be stored for those prescriptions which are selected as to be exported (checkmark left beside the prescription's text). The information will be separated by … (a single click on Doors …).
   [Screenshot: DOORS export form, "Information to be exported": Key, Prescription, Source, Degree of obligation export]
4. [Screenshot: RiskCAT prescription window, area tabs and context menu, with the XpdfViewer showing IEC61508_3_GB_2 pdf]
   Prescriptions shown: IF implementation of non-safety and safety functions in the same SW: highest SIL OR independence; Inclusion of functions to execute proof and diagnostic tests; Inclusion of self-monitoring of control and data flow; Clear identification of pre-existing SW; Justification for suitability of pre-existing SW by operation experience OR V&V; Data and data generation languages are subject to these requirements.
   Area tabs: 1a General; 1b Control System in relation to the EUC; 2a Control System; 2b Hardware; 3a Software Non-Lifecycle; 3b Software Lifecycle but not D&D; 3c Software Design and development (D&D).
   Context menu: Selection according to obligation; Selection according to aspect; Copy prescription to clipboard; Edit simple note for prescription; Edit comprehensive note for prescription; Prescription in the standard; Prescription's explanation in the standard; Term Definition.
   Pdf viewer for file IEC61508_3_GB_2 pdf (61508-3 IEC 1998, page 45): "7.4.2.3 Testability and the capacity for safe modification shall be considered during the design activities in order to facilitate implementation of these properties in the final safety-related system. NOTE Examples include maintenance modes in machinery and process plant. 7.4.2.5 The design representations shall be based on a notation which is unambiguously defined or restricted to unambiguously defined features."
   If other PD
5. [Screenshot: RiskCAT prescription window for the software testing topics]
   Topic tabs: Tools/prog. languages; Detailed D&D; Coding; Semi-formal methods; Module/SW integration testing; Dynamic analysis and testing; Functional and black box testing.
   Prescriptions shown: SW module testing; Test of each module as specified; Show by tests that modules perform intended function; Show by tests that modules do not perform unintended functions; Documentation of test results (text for this clause may be interpreted as well as valid in case of failure in the test execution itself or as valid in case of failure in the SW under test); Specification of procedure for correction of SW based on test results; SW integration testing; Test specification concurrently during design and development; Spec involving test cases, test data, types of test tools; Testing in accordance with test spec; Show by tests that SW interacts correctly to perform intended function; Show by tests that SW does not perform unintended functions; Documentation of test results including detected failures with reasons; Impact analysis for SW changes during integration; SW module testing and SW integration testing: selection of techniques/measures to comply to these requirements; Probabilistic testing; Dynamic analysis and testing; Data recording and analysis; Functional and black box testing; Performance testing; Avalanche/stress testing; Response timings and memory constraints; Performance requirements; Interface testing.
   Required Quality Level: … Show by test
6. [Screenshot residue: list of documents, ending with E/E/PES modification log]
   The SW module test report is the only document mentioned twice in IEC 61508 part 1 table A.3. In IEC 61508 part 3 table 1 it is only mentioned as result of the Software module testing. However, it is not mentioned as result of code implementation. So for purpose of clearness it has been deleted here as a result of code implementation.
   Document (Table: for the related clauses please refer to):
   - Overall functional safety assessment report
   - Overall modification and retrofit: request; impact analysis report; log
   - Overall decommissioning or disposal: impact analysis report; plan; log (Table A.1)
   For RiskCAT the following documents have been added to those given by IEC 61508:
   - QM System
   - Component
   - Code/Machine
   - Overall modification and retrofit procedures/instruction (because of part 1 clause 6.2.1.1)
   - For each document: by this those prescriptions are selected which relate to all documents. In this version of RiskCAT there is no single selection to choose all prescriptions related to documents.
   (Page 55 of 57)
   14.2 List of Activities
   RiskCAT takes the activities listed as examples in IEC 61508 Part 1 tables A.1, A.2 and A.3 (pages 103, 105, 107) as presented in the following table.
   Activity | Table
   Concept | A.1
   Overall scope definition | H
7. ...as well as the following ones.
   11.5 Deselect all menu
   CAUTION: Clicking this menu item causes, without additional confirmation, the deselection of all prescriptions and a reset of the history file.
   (Page 43 of 57)
   11.6 Compare SILs menu
   See chapter 7 Comparison of prescription's degree of obligation at different Quality Levels.
   11.7 Compare Standards menu
   Not available for RiskCAT 61508.
   11.8 Help menu
   Functions within the help menu are (see chapter 10.7 Help menu):
   - Help: Main texts of this user's manual are supplied as help.
   - About: Informs about RiskCAT version and copyright.
   (Page 44 of 57)
   12 Context related help and hints
   Already the RiskCAT versions before have been equipped with several hints. Starting with version 5.9 some context related help has been added to RiskCAT, e.g. for the items in the menu functions. The context related help is activated via the key F1.
   (Page 45 of 57)
   13 IEC 61508 specific features
   The importance of IEC 61508 results from two objectives given in the scope of the standard:
   - it is the basis for development of application sector international standards;
   - it is usable for applications without sector standards.
   To provide a good overall view on the prescriptions required by IEC 61508 the main
8. ...product under consideration with the prescription, and
   - some further information.
   Below an example is given for the QualiCAT output which is based on the RiskCAT export. The evaluation is about 167 prescriptions from a certain standard for power plant control systems. The left number represents the target value for the compliance with the prescription, the topic or the standard as a whole. These target values are computed based on the necessary SIL and the degree of obligation of the prescription. The right numbers represent the achieved values. They are computed based on the test result, the degree of obligation and the target values.
   (Page 36 of 57)
   [Screenshot: QualiCAT window RiskCAT_QualiCAT xml (menu Datei, Ansicht, Fenster), tree with target < achieved values]
   0.70 < 0.95 RiskCAT_QualiCAT xml
   0.70 < 1.00 VGB R170 C
   0.70 < 1.00 Scope and range of application
   0.70 < 1.00 Responsibilities, competencies
   0.70 < 1.00 Process oriented structuring of the plant
   0.70 < 1.00 Building of Functional Units (FU)
   0.70 < 1.00 Structure according to the I&C assignments
   0.70 < 1.00 Structure and content of the documentation
   0.70 < 1.00 Structure of the documentation hierarchy
   0.70 < 1.00 Sorting criteria for the documentation that describes functions
   0.70 < 0.60 Scope of the Functional documentation
   0 7
9. Copying from the standards into the clipboard
   The copying of extracts from the standards is via the function Copy text to clipboard provided by XpdfViewer, which is described in chapter 5.2 Retrieval in the original standards. Then the copying is in the window of the XpdfViewer. The steps are:
   - Marking of the standard's region to be copied by moving the mouse with the right button pressed, and then
   - a single left mouse button click on the symbol "copy text to clipboard" at the outmost right on the symbol bar. After this
   - start of an application with clipboard functionality, and
   - insertion of the clipboard contents.
   10.5 Project session storage in a file
   Project storage has two distinct purposes, one for the normal user and another for the project leader or the quality manager:
   - For the normal user it offers the possibility to interrupt and resume RiskCAT tool sessions. For this purpose the actual status is stored in binary RiskCAT project files.
   - For the project leader or the quality manager it offers the possibility to fill in the comments to the prescriptions. Thereby advice may be given to the normal user by which means (e.g. tools, procedures, forms) compliance with the prescription shall be achieved in a specific project. If certain prescriptions are not applicable in a specific project or for a specific part of a project, the background for this may be supplied as a comment as well. So the comments res
10. The steps are:
    - Mark the prescription establishing the context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary.
    - Activate the context menu (depress the right mouse button while the pointer is in the prescription window).
    - Choose Prescription in the standard.
    [Screenshot: context menu with Copy prescription to clipboard; Edit simple note for prescription; Edit comprehensive note for prescription; Prescription in the standard; Prescription's explanation in the standard; Term Definition]
    RiskCAT will show the page of the standard highlighting the clause in context. The size of the standards window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it.
    (Page 15 of 57)
    [Screenshot: RiskCAT prescription window]
    Topic tabs: General D&D; SW Architecture; Tools/prog. languages; Detailed D&D; Coding; Semi-formal methods; Module/SW integration testing; Dynamic analysis and testing; Functional and black box testing.
    Prescriptions shown: Determination of division of responsibility between supplier and user; Design method which facilitates control of complexity, expression of concurrency; Consideration of testability and capacity for safe modification; Design method which facilitates modification; Unambiguous notation for design representation; Minimisation of the safety related software part by design
11. ...a subset to this key word. So if really all prescriptions related to a certain aspect shall be identified, then the selection related to the respective key word needs to be added by a check of the prescriptions near by the already identified ones.
    6.7 Selection of prescriptions related to quality characteristics
    This is for future use.
    (Page 25 of 57)
    7 Comparison of prescription's degree of obligation at different Quality Levels
    Starting with version 6, RiskCAT offers the possibility to select those prescriptions which have a different level of obligation at two different SILs. By selection of all prescriptions followed by a deselect for the different ones, this results in the prescriptions which have the same degree of obligation for the given SILs.
    [Screenshot: form "Comparison of prescriptions for different quality levels": Quality level for comparison (comparison is for the prescriptions by the Required Quality Level with the prescriptions by the quality level selected here); Selection range: All standards, Standard ISO 26262 2009 as a whole, Current area, Current topic; Selection type: Select, Deselect, Deselect all; Execute; Required Quality Level: ASIL B]
    As result of the comparison those prescriptions are selected which have different degrees of obligation at the two quality levels.
    (Page 26 of 57)
12. [Screenshot residue, context menu continued: ...clipboard; Edit simple note for prescription; Edit comprehensive note for prescription; Prescription in the standard; Prescription's explanation in the standard; Term Definition]
    [Screenshot: RiskCAT_61508 5 9a English; menu bar File, Standard texts, Terms, Prescription selection, Help; task tab Necessary Quality; legend "Prescriptions by the standard": informative, hints, possible, recommended; context menu Selection according to obligation, Selection according to aspect]
    [Screenshot: form "Prescription selection according to degree of obligation": Degree of obligation: Informative prescriptions, Possible prescriptions, Highly recommended prescriptions, Mandatory prescriptions, prescriptions not recommended; Selection range: All standards, Standard IEC 61508 1998 as a whole, Current area, Current topic; Selection type: Select, Deselect, Deselect all]
    The selection of groups according to the degree of obligation[3] under the currently selected SIL of the prescriptions is activated via
    - the context menu (depress the right mouse button while the pointer is in the prescription window, screen part d in Figure 2), or
    - the menu Prescription selection.
    After a single click on Selection according to obligation the selection form shown below will appear. If the Standard as a whole is
13. ...part requirements, and the contents of tables have been integrated as far as reasonably possible. The number of tabs has been kept acceptably low by this.
    13.1 About the license for the standards supplied with RiskCAT
    By contract with the German Chapter of the IEC (DKE), CATS has been asked to declare with RiskCAT: The data from the international standards series IEC 61508 are in use with permission of the IEC (International Electrotechnical Commission, Geneva). They have not been checked by IEC or their deputies. Authoritative for the application of the standard are the versions with the newest edition, which may be received from VDE VERLAG GMBH, Bismarckstr. 33, D-10625 Berlin, www.vde-verlag.de. The user shall pay attention to the national standards. CATS declares that the texts used correspond to the actual state of the IEC standards. 2001-09-24, CATS
    13.2 Presentation of the degree of obligation of the requirements
    Up to date IEC standards such as IEC 61508 use four key words to identify their requirements (the first three explanations are from the introduction to IEC 61226):
    - shall: indicates requirements that are mandatory for compliance with the standard;
    - should: indicates requirements that are not mandatory for compliance with the standard but are strongly recommended;
    - may: indicates that compliance with the recommendation is optional;
    - must not: indicates requirements that are mandatory for compliance with the standard. must not is the
14. [Screenshot: RiskCAT prescription window, topic SW Architecture; the rows carry degree of obligation marks M (mandatory) and HR (highly recommended)]
    Prescriptions shown: ...the SW architectural design; Consideration of the suitability for configurable SW during development of the SW architectural design; Consideration of the feasibility for the design and implementation of the SW units during development of the SW architectural design; Consideration of the testability of the SW architecture during development of the SW architectural design; Consideration of the maintainability during development of the SW architectural design; Modularity of the SW architectural design by using the principles listed below; Encapsulation of the SW architectural design by using the principles listed below; Minimum complexity of the SW architectural design by using the principles listed below; Hierarchical structure of SW components; Restricted size of SW components; Restricted size of interfaces; High cohesion within each SW component; Restricted coupling between SW components; Appropriate scheduling properties; Restricted use of interrupts; Developing the SW architectural design down to the level where the SW units which are to be treated as indivisible are identified.
    Required Quality Level; Consideration of the testability of the SW architecture during development of the SW architectural design; Selected Prescriptions > Clause 4.2 d 3
    Figure 2 RiskCAT screen parts: (a) Task tabs, (b) Area tabs, (c) Topic tabs, (d) Prescription window, (e) SIL corner, (f) Informati
15. [Screenshot: QualiCAT tree, continued; the checked box of each row is marked]
    0.70 < 0.00 Cover: Not Fulfilled (checked); Major deficiencies; Satisfactorily Fulfilled; Completely fulfilled
    0.70 < 0.30 Table of contents: Not Fulfilled; Major deficiencies (checked); Satisfactorily Fulfilled; Completely fulfilled
    0.70 < 0.70 Plant diagram, schematic: Not fulfilled; Major deficiencies; Satisfactorily Fulfilled (checked); Completely Fulfilled
    0.70 < 1.00 verbal description: Not fulfilled; Major deficiencies; Satisfactorily Fulfilled; Completely fulfilled (checked)
    0.70 < 1.00 Functional diagrams
    0.70 < 1.00 Document designation
    0.70 < 1.00 Application of the document identifier to Functional diagrams
    0.70 < 0.67 Interlinking of the Functional diagrams
    (Page 37 of 57)
    [Screenshot: QualiCAT summary for RiskCAT_QualiCAT xml, VGB R170 C]
    Requirement selected/achieved values: 3 Not Fulfilled, 4 Major deficiencies, 17 Satisfactorily Fulfilled, 143 Completely Fulfilled
    Requirement selections: 167 Requirements, 167 Selected
    Calculated topic achieved values: 34 Topics, 1 Fulfilled, Selected, 2 Major deficiencies, 31 Completely Fulfilled
    Calculated standard achieved value: 1 Completely Fulfilled
    10 Support
    10.1 Simple note to the marked prescription
    The purpose of edit notes is to provide
    - Space for comments on a specific project, e.g. to log the reasoning for not selecting particular prescriptions for the projec
16. ...1508
    6 Selection of prescriptions
    6.1 The number of selected prescriptions
    6.2 Selection of individual prescriptions
    6.3 Selection of groups of prescriptions according to the degree of obligation
    (Page II)
    (page number column, not aligned to the entries: 11 11 12 12 14 14 14 15 16 18 20 20 20 21)
    6.4 Selection of prescriptions related to documents
    6.5 Selection of prescriptions related to activities (life cycle phases)
    6.6 Selection of prescriptions related to key words
    6.7 Selection of prescriptions related to quality characteristics
    7 Comparison of prescription's degree of obligation at different Quality Levels
    8 Comparison of IEC 61508 with IEC 61508
    9 Output of prescriptions
    9.1 Logging the history
    9.2 Result storage as simple text
    9.3 Result storage as formatted text
    9.4 ARTISAN Studio export
    9.5 Caliber RM export
    9.6 DOORS export
    9.7 QualiCAT export
    10 Support
    10.1 Simple note to the marked prescription
    10.2 Comprehensive note to the marked prescription
    10.3 Copying the actually marked prescription into the clipboard
    10.4 Copying from the standards into the clipboard
    10.5 Project session storage in a file
    10.6 Project session reload from a file
    10.7 Help menu
    11 Menu functions
    11.1 File menu
    11.2 Standard texts menu
    11.3 Terms menu
    11.4 Prescription selection menu
    11.5 Deselect all m
17. 8 Comparison of IEC 61508 with IEC 61508
    This is applicable for several other RiskCATs but not for RiskCAT 61508.
    (Page 27 of 57)
    9 Output of prescriptions
    As basis for the production of further documents (e.g. checklists), RiskCAT offers the possibility to export certain information as a Rich Text Format (RTF) file. For this purpose this RiskCAT version offers two presentations:
    - A simple presentation, which may be well edited and thus easily be adapted to the formatting of existing documents.
    - A formatted presentation, which is often used as a checklist without further editing.
    Furthermore RiskCAT offers interfaces for the export of IEC 61508 prescriptions to requirements management or to development environments. These interfaces are available at extra expense.
    9.1 Logging the history
    Starting with version 6, RiskCAT is logging its operation for the purpose of reproducibility. When storing the results, e.g. in file xyz rtf, RiskCAT stores in the same directory as xyz rtf the history file named xyz rtf RiskCAT_HistFile txt. If reproducibility may be of interest, CATS suggests saving the history files together with the results themselves. A reset of the history file is at
    - RiskCAT's start,
    - Load Project (chapter 10.6),
    - Deselect All (chapter 11.5).
    Output of the history file is at
    - Store Project (chapter 10.5),
    - R
18. ...C 61508 at several hardware steps.
    Generation of a checklist from the selected prescriptions OR transfer of the prescriptions into requirements management. In case relevant prescriptions are not selected for a working step, a note about the motivation for omitting the prescription should be made in the checklist respectively the requirements management. Efficient help for this approach is by RiskCATs.
    For the Development of products and processes: 5 Taking into account the prescriptions which have been selected.
    For V&V as well as Assessment of products and processes: 6 Log compliance with the prescription in the checklist respectively the requirements management by one sentence, by including a reference to the work product which provides the compliance. Efficient help for this approach is QualiCAT.
    (Page 39 of 57)
    This sort of notes is initiated as well via the context menu. The steps are:
    - Mark the prescription for which the note shall be edited by a single left mouse button click. Otherwise nothing visible to the user will occur.
    - Activate the context menu (depress the right mouse button while the pointer is in the prescription window, screen part d in Figure 2).
    - Choose Edit comprehensive note for prescription.
    To have a look at an existing note, to modify it or to delete it, the note function is called again. Prescriptions with comments are marked by lef
19. ...F versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools.
    5.4 The context related presentation of explanations to the clause provided by IEC 61508 itself
    For certain clauses IEC 61508 itself provides additional explanations, mostly from part 7 of the standard. RiskCAT offers an interface for context sensitive browsing of the explanations from the original standard. The context related explanation is activated via the context menu in the prescription window.
    (Page 16 of 57)
    The steps are:
    - Mark the prescription establishing the context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary.
    - Activate the context menu (depress the right mouse button while the pointer is in the prescription window).
    - Choose Prescription's explanation in the standard.
    [Screenshot: context menu with Selection according to obligation; Copy prescription to clipboard; Edit simple note for prescription; Edit comprehensive note for prescription; Prescription in the standard; Prescription's explanation in the standard; Term Definition]
    RiskCAT will show the page of the standard highlighting the explanation in context. The size of the standards window may be changed by positioning the mouse on the win
20. [Screenshot: XpdfViewer showing file IEC61508_3_GB_2 pdf, page 1 of 52: bilingual cover page of IEC International Standard 61508-3, First edition 1998-12, Basic Safety Publication, "Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 3: Software requirements"]
    (Page 14 of 57)
    The size of the standards window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it. The XpdfViewer provides the following functions:
    - First page
    - Last page
    - Previous page
    - Next page
    - Go to page
    - Find
    - Find next
    - Adjust to page height
    - Adjust to page width
    - Copy text to clipboard (see as well chapter 10.4 Copying from the standards into the clipboard)
    5.3 Context related retrieval in the original standards
    Besides the interface for full text browsing, RiskCAT offers an interface for context sensitive browsing in the original standards. The context related retrieval is activated via the context menu in the prescription window (screen part d in Figure 2).
    [Screenshot residue: context menu, Selection according to obligation]
21. ...ION: The approaches described here, being implemented on the informative part 5 of IEC 61508, are not applicable for the binding determination of the necessary SIL. During recent years they have been used, especially in Germany, for a first orientation.
    4.1 Manual selection of the Safety Integrity Level
    The Safety Integrity Level (SIL) may be manually selected in the SIL corner. The selected SIL is used to determine the degree of obligation of the IEC 61508 prescriptions.
    [Screenshot: SIL corner, Required Quality Level: SIL 0, SIL 1, SIL 2, ...]
    (Page 11 of 57)
    4.2 SIL determination via the necessary risk reduction
    This approach is activated by selecting the RiskCAT task tab Necessary Quality, followed by Risk reduction. The approach is based on IEC 61508 part 5 figure C.1.
    [Screenshot: RiskCAT 61508 V6 1d English with database IEC 61508 6 7 English; menu bar File, Standard texts, Terms, Prescription selection, Deselect all, Compare Quality Level, Help; task tab Necessary Quality, IEC 61508 1998, tabs Risk reduction and Risk Graph (IEC 61508-5 Figure D.2); figure elements: Consequence of hazardous event; Other technology safety-related systems; External risk reduction facilities; E/E/PE safety-related systems; Tolerable risk target; Frequency of hazardous event with EUC and the EUC control system; Necessary risk reduction; Safety integrity of external risk reduction facilities and safety-related sys]
22. RiskCAT 61508 V6.1 User's Manual, CodeAnalyzerToolSet, 20 February 2010
    RiskCAT 61508: Requirements on High Quality Embedded Systems and their Software. A Tool of the Code Analyzer Tool Set. User's Manual. CATS Software Tools GmbH, Hamburg, www.cats-tools.de
    Contents
    1 Overview
    1.1 A suggestion for the efficient handling of standards
    1.2 Usage of RiskCAT
    1.3 Short description of RiskCAT
    2 Installation, First Start, Deinstallation
    2.1 The components of RiskCAT
    2.2 Local Operation on a PC
    2.3 Uninstallation on a local PC
    2.4 Network Installation of RiskCAT
    2.5 Network Uninstallation
    3 Basics
    3.1 Screen parts
    3.2 Interrelationship between the screen parts
    3.3 Prescription states
    3.4 Prescription colours
    3.5 Structure of the prescriptions presentation used with RiskCAT
    4 Determination of the necessary SIL
    4.1 Manual selection of the Safety Integrity Level
    4.2 SIL determination via the necessary risk reduction
    4.3 SIL determination via a risk graph
    5 Information about the prescriptions
    5.1 Structured overview on the recommended prescriptions
    5.2 Retrieval in the original standards
    5.3 Context related retrieval in the original standards
    5.4 The context related presentation of explanations to the clause provided by IEC 61508 itself
    5.5 The context related presentation of terms used in the prescription texts given in IEC 6
23. ...USB disk drive. Additionally one XPDF Viewer is installed on each client.
    CAUTION: The number of simultaneous usages is limited by the licensed number of users.
    The installation procedure for the two installation types differs. In case of CATS USB memory stick usage:
    - The stick just needs to be connected to the server, and
    - the local XPDF Viewer installation needs to be performed by calling the XpdfViewerCtrl 3 1 00 04 exe located in the stick directory XPDF Installation, before the first RiskCAT 61508 client session is started.
    For a server disk drive based installation:
    - The contents of the CATS USB memory stick or of the CATS CD need to be copied into a suitable RiskCAT target directory on the server disk.
    - As for the USB memory stick usage, the local XPDF Viewer installation needs to be performed by calling the XpdfViewerCtrl 3 1 00 04 exe located in the stick directory XPDF Installation, before the first RiskCAT 61508 client session is started.
    For the Network Installation the name of the executable should be kept unchanged. The Network Installation will show, just after each start of an instance, a black window. This is a necessary behavior; it is no fault.
    2.5 Network Uninstallation
    The network uninstallation is performed by
    - uninstallation of the client based XPDF Viewers by calling XpdfViewerCtrl 3 1 00 04 exe, and in case of server disk drive based installations additionally by
    - deletion of the RiskCAT 61508 components copied o
24. User's Manual version history
    2002-10-26: G.Gl.
    2004-06-05 (G.Gl.):
    - removed the uninstallation of the demo version from section 2.1.
    2004-07-21:
    - key word IF NOT added;
    - the extensions for V5 added.
    2004-08-11 (G.Gl.):
    - midas.dll removed;
    - installation/uninstallation revised;
    - appendix 7.2 Documents revised.
    2004-10-22 (G.Gl.):
    - additional documents and activities corrected;
    - in section 1, right at the beginning, beside the picture: software > embedded system;
    - interrelationship of the screen parts inserted;
    - no selection as precondition for good selections inserted;
    - resizing of the standards window described.
    2005-12-17 V5.4 (G.Gl.):
    - in 1 the colour distinction of the V4 functionality removed;
    - in 4.7 and 4.8 added: Appendix of this manual;
    - 7.3 deleted;
    - screen shots partly exchanged because of changes to the pdf viewer;
    - screen shot explanations new because of the new designation of the areas;
    - changes from Chris Hills incorporated;
    - delivery switched from CD to USB memory stick;
    - the beginning of chapter 6.4 (text before 6.4.1) revised.
    2006-02-12 V5.5 (G.Gl.):
    - Doors export added;
    - Caliber RM export added.
    2006-08-28 V5.6 (G.Gl.):
    - Structure of the functions adopted to the RiskCAT poster.
    (Page V)
    2008-08-12 V5.8: In chapter 10.1 d
activated, the selection will be for all prescriptions in all areas for all topics. If "Current area" is activated, the selection will be for all topics in the active area. The visibility of the selection is the same as for individual prescriptions selection.

3 For the degree of obligation please refer as well to chapter 13.2 Presentation of the degree of obligation of the requirements.

If "Current topic" is activated, the selection will be just for the prescriptions in the active topic. The visibility of the selection is the same as for individual prescriptions selection.

CAUTION: If the SIL is changed between group selection and the Deselect, the set of deselected prescriptions may be different from the selected set. So here DeSelect is only the inverse function to Select if the SIL is the same for both actions.

The selection is in addition to already selected prescriptions. If the real interest is just to concentrate on the prescriptions you are about to select, then precautions need to be applied that at the start of prescription selection no prescriptions are already selected.

Example for the usage of selection of groups of prescriptions: IEC 61508 in certain places explicitly mentions that certain solutions are possible. The key word in the standard is "may". If you doubt whether you may allocate a safety function across more than one safety related sys
alidity has been tried by assigning them to the two areas 2a Control System and 2b Hardware.

With respect to integration tests:
- Part 1 Table A.2 mentions "Specification integration tests of programmable electronic and non-programmable electronic hardware". In Part 2, 7.5.2 neither the document is mentioned nor a related activity.
- Part 1 Table A.2 mentions "Specification hardware architecture integration tests". In Part 2, 7.5.2 neither the document is mentioned nor a related activity.
- Part 2, 7.4.2.11 suggests that an "E/E/PES integration tests specification" should exist, which is suggested by 7.5.2.1 as well. However, this spec is not contained in Part 1 Table A.2.
- As a conclusion, RiskCAT uses "E/E/PES integration tests specification". However, it does not use "Specification integration tests of programmable electronic and non-programmable electronic hardware".

13.7 About part 3 of the standard

As Part 2, Part 3, which is about software requirements, makes extensive use of SIL dependent requirements in its annexes, which are about selection of techniques and prescriptions. Alternative requirements, offering the possibility to choose between different techniques and prescriptions, are used in annexes to some extent as well. RiskCAT presents those alternative sets of prescriptions by grey shaded background.

The actual database for Part 3 is based on the pdf file dated 10.08.1999, size 537,549 Bytes, c
From Table A.1 (continued):
- Hazard and risk analysis
- Overall safety requirements
- Safety requirements allocation
- Overall operation and maintenance planning
- Overall validation planning
- Overall installation and commissioning planning
- Realisation (see Tables A.2 and A.3)
- Overall installation and commissioning
- Overall validation
- Overall operation
- Overall maintenance
- Overall modification and retrofit
- Decommissioning or disposal

Realisation, from Table A.2:
- E/E/PES safety requirements
- E/E/PES validation planning
- E/E/PES design and development
- E/E/PES architecture
- Hardware architecture
- Hardware module design
- Component construction and/or procurement
- Programmable electronic integration
- E/E/PES integration
- E/E/PES operation and maintenance procedures
- E/E/PES validation
- E/E/PES modification

Realisation, from Table A.3:
- Software safety requirements
- Software validation planning
- Software design and development
- Software architecture
- Software system design
- Software module design
- Coding
- Software module testing
- Software integration
- Programmable electronic integration
- Software operation and maintenance procedures
- Software safety validation
- Software modification

For RiskCAT the following activities have been added to those given by IEC 61508:
- Assess
- Manage Documents
- Manage Safety
- Reliability Computation
- Review
- For each activity

By this those prescriptions are selected which r
been made of this part in realizing the group box "IEC 61508 risk". Therefore RiskCAT offers the opportunity to access the part if the related PDF file is available.

Part 4 is about terms only. It is used by RiskCAT for the purpose of the context related presentation of terms, see 5.5 The context related presentation of terms used in the prescription texts given in IEC 61508 (Normal Package only).

Part 6 and Part 7 are examples and explanations. They are used by RiskCAT for the purpose of the context related presentation of explanations, especially Part 7, see 5.4 The context related presentation of explanations to the clause provided by IEC 61508 itself (Normal Package only). Again RiskCAT offers the opportunity to access the part if the related PDF file is available.

13.9 Abbreviations used in the RiskCAT Database

ALARP    As low as reasonably practicable
DB       Database
D&D      Design and development
E/E/PES  Electrical/electronic/programmable electronic system
EUC      Equipment under control
HW       Hardware
IF       see chapter 13.3 About some Key Words in the individual prescription presentation in RiskCAT
NO       see chapter 13.3 About some Key Words in the individual prescription presentation in RiskCAT
OR       see chapter 13.3 About some Key Words in the individual prescription presentation in RiskCAT
SFC      Systematic faults control
SIL      Safet
SW
V&V
chieved. This may be achieved e.g. in technical discussions or in seminars.
2a Selection of the prescriptions from the considered standard relevant for the next working step which needs to be accomplished, OR
2b assurance that the standard does not provide guidance for the working step.
3a Generation of a checklist from the selected prescriptions, OR
3b transfer of the prescriptions into requirements management.
4 In case relevant prescriptions are not selected for a working step, a note about the motivation for omitting the prescription should be made in the checklist respectively the requirements management.
Efficient help for this approach is by RiskCATs.

For the development of products and processes:
5 Taking into account the prescriptions which have been selected.

For V&V and QA as well as assessment of products and processes:
6 Log compliance with the prescription in the checklist respectively the requirements management by one sentence, by including a reference on the work product which provides the compliance.
Efficient help for this approach is QualiCAT.

1.2 Usage of RiskCAT

RiskCATs may be used to determine those requirements which shall be applied during process development, development of a whole embedded system or just specific work products, verification & validation, quality assurance or assessment for the purpose of compliance with state of the art g
content file RiskCAT_61508_V61_English.cnt
- The standard files IEC61508_1_GB_2.pdf, IEC61508_2_GB_2.pdf, IEC61508_3_GB_2.pdf, IEC61508_4_GB_2.pdf and IEC61508_7_GB_2.pdf

The subdirectory XPDF of directory RiskCAT_61508 contains
- The XpdfViewer ActiveX Control Version 3.0, XpdfViewerCtrl.ocx

The sub-subdirectory t1fonts in the subdirectory XPDF contains
- The fonts needed by the XpdfViewer

The directory Tool Documentation contains
- The product description RiskCAT_V61_Product.pdf
- This user manual RiskCAT_61508_V61_English_UserManual.pdf

The directory CATS_Information contains
- Some material about CATS products and courses, except RiskCAT 61508

The directory XPDF Installation contains
- The XpdfViewerCtrl 3.1.00.04.exe XPDF installer. This setup is an option supplied with an extra licence only.

Because of licensing conditions the standard files
- IEC61508_ _GB_ .pdf
are for use with RiskCAT only.

2.2 Local Operation on a PC

RiskCAT 61508 itself does not need any installation. So just run the executable file RiskCAT_61508_V61_English.exe from the directory RiskCAT_61508 on the USB memory stick.

RiskCAT 61508 uses the XpdfViewer ActiveX Control, which needs installation. This installation is automatic during the first run. Prerequisite for this are administrator rights. Especially for Windows Vista and Windows 7, administrator mode is neces
cription

[Screenshot: "Selection according to aspect" form with the document list (E/E/PES integration tests report, E/E/PES integration tests specification, E/E/PES modification impact analysis report, E/E/PES modification log, E/E/PES modification procedures instruction, E/E/PES operation and maintenance instruction, E/E/PES safety plan, E/E/PES safety requirements specification, ...), Selection combination (OR combination, AND combination), Keyword, and Selection type (Select, Deselect, Deselect all)]

Those prescriptions which relate to all documents are identified by "For each document". In this version of RiskCAT there is no single selection to choose all prescriptions related to documents.

The set of documents is based on Tables A.1 to A.3 of IEC 61508 Part 1. It is listed in Appendix 14.1 List of Documents, page 53 of this manual.

Apart from the possibility to select according to the documents list, RiskCAT offers selection according to activity / life cycle phase. Of course documents and life cycle phases are related to each other. However, in IEC 61508 a phase generally results in several documents, and on the other hand a document may be used for different phases. Therefore RiskCAT uses documents as well as activities. If you are interested in a very specific selection, you should just apply a single document or activity. If your int
ctivated via context menu (depress of right mouse button) in the prescription window (screen part d in Figure 2) or via the menu Prescription selection. After a single click on "Selection according to aspect" the selection form shown below will appear.

[Screenshot: selection form with Selection aspect (Quality characteristic, Document / work product, Activity / life cycle phase, Keyword), Selection range (All standards, Standard IEC 61508 1998 as a whole, Current area, Current topic), Selection combination (OR combination, AND combination), Selection type (Select, Deselect, Deselect all) and the list of activities (Coding, Component construction and/or procurement, Concept, Decommissioning or disposal, E/E/PES architecture, E/E/PES design and development, E/E/PES integration, E/E/PES modification, E/E/PES operation and maintenance procedures, E/E/PES safety requirements, E/E/PES validation, E/E/PES validation planning, For each activity, Hazard and risk analysis, HW architecture, HW module design, Manage Documents, Manage Safety, Overall installation and commissioning, ...)]

The set of activities is based on Tables A.1 to A.3 of IEC 61508 Part 1. It is listed in Appendix 14.2 List of Activities, page 56 of this manual. Those prescriptions which relate to all activities are identified by "For each activ
d in Part 1 and state the border conditions for the determination of the necessary SIL. Their disadvantage is the impossibility to determine for a certain task the right SIL in a simple manner. However, this is not surprising, because the determination of the SIL, and by this the determination of the tolerable risk, is a social, political and legal decision which may be different in different countries as well as for different industries.
- The informative explanations of the IEC 61508. They may be found in Part 5 and allow in a straightforward way to determine the SIL necessary for a certain task. They are useful for a first orientation. But it is strongly advised not to use these explanations for the decision about the tolerable number of injured persons, environmental or material damage.

The normative prescriptions for the determination of the necessary SIL may be selected with RiskCAT in a simple way, as well as other prescriptions. Please refer for this purpose to chapter 5 Information about the prescriptions.

This chapter addresses two possibilities for orientation about the necessary SIL which are given by IEC 61508 Part 5. They are provided via the task tab "Necessary Quality". The determination of risk parameters may be with one of the two approaches:
- Reducing of the risk to a tolerable level, or
- Risk Graph.

For details about the approaches see chapter 13.4 About the Safety Integrity Level SIL of this manual.

CAUT
dows border, preferred on the left or right hand side, followed by pressing the left mouse button and then moving it.

[Screenshot: prescription window of area 2 Control System listing techniques (Boundary value analysis, Checklists, Control flow analysis, Data flow analysis, Fagan inspections, Sneak circuit analysis, Symbolic execution, Error guessing, ...) against Safety Integrity Level columns SIL 1 to 4]

If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools.

5.5 The context related presentation of terms used in the prescription texts given in IEC 61508

For certain terms IEC 61508 Part 4 provides definitions. RiskCAT provides an interface for context sensitive browsing of the definitions from the original standard. The defined terms used in the prescription's presentation are presented in bold. The context related term definition is activated via context menu in the prescription window. The steps are:
- Go with the cursor to a defined (bold) term. The type of the cursor, which normally is D, then will change to

[Screenshot: context menu with Selection according to obligation, Selection according to aspect, Copy prescription to clipboard, Edit simple note for prescription, Edit comprehensive note for prescription]
elate to all activities. In this version of RiskCAT 61508 there is no single selection to choose all prescriptions related to activities.
ements specification, and
- E/E/PES safety integrity requirements specification

E/E/PES architecture design description, comprising
- HW architecture design description, and
- SW architecture design description

Document / Table

Software (from Table A.3):
- SW safety plan
- SW safety requirements specification, comprising
  - SW safety functions requirements specification, and
  - SW safety integrity requirements specification
- SW architecture design description
- SW architecture integration tests specification
- Development tools instruction (no report to this spec in A.2)
- Coding manual
- SW system design description
- SW module design specification
- Source code list
- Code review report
- SW module integration test report (no spec for this test)
- PE integration test report
- SW user instruction
- SW operation and maintenance instruction
- SW modification procedures instruction
- SW modification request
- SW modification impact analysis report
- SW modification log

Hardware (from Table A.2):
- HW architecture design description
- HW module design specification
- HW modules
- HW modules test report

From Table A.2 (continued):
- E/E/PES user instruction
- E/E/PES operation and maintenance instruction
- E/E/PES validation report
- E/E/PES modification procedures instruction
- E/E/PES modification request
- E/E/PES modification impact analysis report
en werden of this manual.

Most standards cover a variety of topics, represented by the topic tabs (screen part c). The approach has been to have an assignment between standards chapters and RiskCAT topics. However, in some cases standard chapters have been further split up because of a high number of prescriptions or because of different matters covered in the same chapter.

A further structuring is by grey shaded areas in the prescription window. This presentation indicates that the marked requirements are alternatives to each other.

1 Short form, which is used for
- overview purpose, searching and
- selection via the RiskCAT window
- Rich text format output, e.g. to create checklists

2 Standard text itself
- The detailed and precise wording of the standards clauses needs to be considered to claim conformance with the standards

3 Additional explanation provided by the standard itself
- As additional basis for detailed work (development, assessment)
- As support for users not experienced with the standard
Optional

Figure 3 Presentation of the standard clauses in four levels

4 Determination of the necessary SIL

Practical experience shows that at determination of the necessary Safety Integrity Level a difference is not made between
- The normative prescriptions of the IEC 61508. They may be foun
enu
Compare SILs menu
Compare Standards menu
Help menu

12 Context related help and hints 45
13 IEC 61508 specific features 46
13.1 About the license for the standards supplied with RiskCAT 46
13.2 Presentation of the degree of obligation of the requirements 46
13.3 About some Key Words in the individual prescription presentation in RiskCAT 47
13.4 About the Safety Integrity Level SIL 48
13.4.1 Safety Integrity Level in the quantitative approach via risk reduction 48
13.4.2 Safety Integrity Level in the Risk Graph Approach 48
13.4.3 Safety Integrity Level in the Probabilistic Approach 48
13.4.4 Safety Integrity Level 0 48
13.5 About part 1 of the standard 48
13.6 About part 2 of the standard 49
13.7 About part 3 of the standard 50
13.8 About the other parts of the standard 51
13.9 Abbreviations used in the RiskCAT Database 52
14 Appendix 53
14.1 List of Documents 53
14.2 List of Activities 56

Figures
Figure 1 RiskCAT 26262 Screen 4
Figure 2 RiskCAT screen parts 8
Figure 3 Presentation of the standard clauses in four levels 10

Version Index
Date of / For RiskCAT / Changes / Author
erest is to get a complete view, you should run two selections after each other:
- In one OR type selection choose the document of your specific interest as well as "For each document". Terminate it with Execute.
- In the other OR type selection choose the activity related to the document of your specific interest as well as "For each activity". Terminate it again with Execute.

CAUTION: RiskCATs assign prescriptions to documents in a restricted way. E.g. for a chapter about requirements specification it may happen that several prescriptions are not assigned to the Requirements Specification. And if there is a series of prescriptions each related to a similar set of documents, it may happen that RiskCAT assigns the first prescription to documents A and B, the second one to document C, and the third one to documents D, E and F. So if really all prescriptions related to a certain document shall be identified, then the selection related to the respective document needs to be added by a check of the prescriptions near by the already identified ones. Furthermore it needs to be taken into account that there is a certain amount of prescriptions valid "For each work product".

6.5 Selection of prescriptions related to activities / life cycle phases

As with the document related selection functionality, the activity related selection is a
esult storage simple (chapter 9.2) and Result storage formatted (chapter 9.3)
- Export to further tools (chapters 9.4 to 9.7)

9.2 Result storage as simple text

For further documentation, e.g. creation of checklists or test plans, RiskCAT offers storage of various information, separated by a Delimiter Character, as text file (Rich Text Format, RTF). This result storage is started via the menu File followed by a single click on "Result storage simple". For the storage there are some options given in the menu below in a self explaining manner.

The option to select a delimiter character in the storage format area supports an import of the stored data into tables by a text processor. It is suggested to avoid point, colon, comma and semicolon as delimiter, because these characters are used in the prescription texts. Point, colon and comma are used as well in the clause references.

[Screenshot: "Simple result storage" dialog with the groups "prescriptions to be stored" (selected prescriptions, prescriptions with simple note, unselected prescriptions), "storage data" (risk parameters, SIL) and "storage format"]

CAUTION: The purpose of the results (checklists) is to use them with access to RiskCAT, because RiskCAT may present the context of the checklist selection as well as the possibility for retrieval in the original standard. Usage of the checklists with
he EUC

Modification and retrofit
1  Planning of modification or retrofit activities prior to carrying out  IEC 61508 Part 1, 7.16.2.1  M
2  Initiation of modification and retrofit by authorised request only  IEC 61508 Part 1, 7.16.2.2  M
3  Request determines affected hazard, proposed change, reason  IEC 61508 Part 1, 7.16.2.2  M
4  Impact analysis including assessment of the impact  IEC 61508 Part 1, 7.16.2.3  M
5  Documentation of impact analysis  IEC 61508 Part 1, 7.16.2.4  M
   Authorization of modification or retrofit depending on impact analysis  IEC 61508 Part 1, 7.16.2.5  M
7  Modifications impacting safety cause repetition of earlier phases  IEC 61508 Part 1, 7.16.2.6  M
   NO usage of test procedures for initial installation and commissioning for operations without checking  IEC 61508 Part 1, 7.16.2.6 Note 2  M
   Chronological documentation of modifications, analysis, reverification  IEC 61508 Part 1, 7.16.2.7  M

2a Control System: Modification
10 Maintained documentation including detailed spec of change  IEC 61508 Part 2, 7.8.2.1  M
11 Maintenance of a system initiating changes and informing users  IEC 61508 Part 2, 7.8.2.2  M
12 Level of expertise, tools for modifications at least that of initial development  IEC 61508 Part 2, 7.8.2.3  M
   Reverification and revalidation after modification  IEC 61508 Part 2, 7.8.2.4

3b Soft
ht mouse) left of the text describing the I button in the prescription list boxes. It is visible by a prescription.

3.4 Prescription colours

The prescriptions in the Prescription window (screen part d) are dynamically coloured. The colour depends on the degree of obligation, which may be influenced by the SIL selected in the SIL corner (screen area b). Usage is made of: Informative (pink), Possible (grey), Highly recommended (blue) and Mandatory (green). For those users who may be colour blind, or for usage with certain beamers, the degree of obligation is given in the Prescription window by characters left beside the prescription text, in addition to the colour.

3.5 Structure of the prescriptions presentation used with RiskCAT

RiskCAT starts from standards. So the original sets of prescriptions are the standards, represented by the task tabs (screen part a). A standard may consist of different parts, as e.g. IEC 61508 which has 7 parts. The standard or even its parts may be so voluminous that it is not appropriate to use all prescriptions as an entity. This has been the reason to break down some standards into areas, represented by the area tabs (screen part b). Depending on the standard, an area may consist of a part of a standard, some clauses of a standard or some clauses of a part of a standard. For details see chapter Fehler! Verweisquelle konnte nicht gefund
the source for shall/should changed from IEC 61226 chapter 3 to Introduction; the reason is the second IEC 61226 edition 2005-02 (author G. Glöe). Two misprints corrected in chapter About part 1 of the standard. Three misprints corrected in chapter About part 2 of the standard. Chapter added: Abbreviations used in this Manual. Screenshots revised.
2008-12-06, V5.9: screenshots updated; chapter 4 (required SIL) completely revised; Measure > Prescription (author G. Glöe)
2010-01-20, V6.1: New document basis derived from an intermediate version of the RiskCAT 26262 V6.1 User's Manual from 2010-02-01 (author G. Glöe)

Acknowledgements and trademarks

All trademarks used in this manual are acknowledged. ARTISAN Studio is a trademark of ARTISAN Software Tools Ltd. CaliberRM is a trademark of Borland Software Corporation. DOORS is a trademark of Telelogic AB. InstallShield is a trademark of Macrovision Corporation. PDF is a trademark of Adobe Corporation USA. Windows NT, 2000 and XP are trademarks of Microsoft. XpdfViewer is a trademark of Glyph & Cog.

CATS Software Tools GmbH would like to thank our UK distributor PhaedruS Systems Ltd for proof reading & editing the English version of this manual (www.phaedsys.org).

CATS Software Tools GmbH thanks the DKE (Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE) and the IEC In
includes the contents of the corrigendum 1 of April 1999. Most Part 1 requirements are from clause 7 Overall safety lifecycle requirements. RiskCAT presents these requirements in its area
- 1b Control System in relation to the EUC
All other Part 1 requirements are presented in RiskCAT area
- 1a General

13.6 About part 2 of the standard

Part 2, which is about system requirements, makes use of SIL dependent requirements in 8 tables of its annexes, which are about selection of techniques and prescriptions. Alternative requirements, offering the possibility to choose between different techniques and prescriptions, are used in these tables to some extent as well. RiskCAT presents those alternative sets of prescriptions by grey shaded background.

Within Part 2 there are requirements requiring that Part 1 or certain clauses of this part shall be applied. This type of requirement has been skipped for the purpose of RiskCAT.

Tables A.16 to A.18 as well as B.1 to B.5, besides the importance, require a certain SIL dependent effectiveness. Effectiveness requirements are special for Part 2. They are not presented in the actual RiskCAT version.

The prescriptions grouping in tables B.1 and B.4, as well as the second grouping in table B.5, with the opportunity to choose just one method, are valid only for R prescriptions. Choice is not allowed for HR prescriptions. Again this importance related grouping is special for Part 2. It is not presented in ac
inverted "shall". Furthermore, IEC 61508 indicates in tables specific requirements related to Safety Integrity Levels (SIL) as highly recommended, recommended, possible or not recommended.

The original clause is in German language. Because no official translation has been available, this translation is by CATS.

Within RiskCAT only one set of key words for the degree of obligation of requirements is used. To realize this:
- "shall" requirements are classified as mandatory,
- "should" requirements are classified as highly recommended,
- "may" recommendations are classified as possible,
- "must not" requirements are classified as mandatory for all SILs.

Contents from notes and informative annexes have not been adopted to RiskCAT generally. However, in a very few cases it was felt that they are essential for application of the standard. As a consequence those are expressed explicitly in the tool.

Requirements from IEC 61508 related to production of further standards have not been implemented in RiskCAT.

13.3 About some Key Words in the individual prescription presentation in RiskCAT

To a certain extent IEC 61508 clauses themselves give a condition for their applicability. To ease identification of these conditionally applicable clauses, RiskCAT presents the respective individual prescriptions starting with the Key Word IF. The end of the condition i
ity. In this version of RiskCAT there is no single selection to choose all prescriptions related to activities.

CAUTION: RiskCATs assign prescriptions to activities in a restricted way. E.g. for a chapter about requirements specification it may happen that several prescriptions are not assigned to "Specify requirements". And if there is a series of prescriptions each related to a similar set of activities, it may happen that RiskCAT assigns the first prescription to activities A and B, the second one to activity C, and the third one to activities D, E and F. So if really all prescriptions related to a certain activity shall be identified, then the selection related to the respective activity needs to be added by a check of the prescriptions near by the already identified ones. Furthermore it needs to be taken into account that there is a certain amount of prescriptions valid for "For each activity".

6.6 Selection of prescriptions related to key words

The keyword related selection functionality is activated via context menu (depress of right mouse button) in the prescription window (screen part d in Figure 2). The set of keywords has been created based on work with and discussion about IEC 61508 by CATS.

CAUTION: RiskCATs assign prescriptions to key words in a restricted way. E.g. for a series of prescriptions about CCF it may happen that RiskCAT assigns only
iven in standards.

[Figure: Development, Work Process, Products, Evaluation of results, Assessment plan; prescriptions from RiskCAT, evaluation with QualiCAT]

1.3 Short description of RiskCAT

RiskCAT is a tool of the Code Analyzer Tool Set (CATS) for requirements capturing from standards, thereby providing the starting point for high quality development and products in the area of embedded systems and their software. The state of the art in quality of E/E/PES (electrical/electronic/programmable electronic systems) is provided to a large extent by IEC 61508.

The design of RiskCAT is modular and widely configurable. It is possible for CATS to adapt the tool to modifications and enhancements of the standards applied, as well as to extend it to additional standards or other technical rules.

RiskCAT supports
- the determination of the necessary Safety Integrity Level (SIL),
- information about the prescriptions given by IEC 61508,
- selection of those prescriptions relevant for the actual step of work,
- the export of the selected prescriptions for further work.

Besides this, RiskCAT offers some support functions.

The work tasks assisted by RiskCAT 61508 are
1 Determination of the necessary SIL: the selection of the normative prescriptions for determination of the necessary SIL; the evaluation of the necessary SIL via the risk reduction needed; for informati
n the server. Last installations based on Setup have been in 2006. So this approach would need adaptation to the actual environments.

3 Basics

3.1 Screen parts

[Screenshot: RiskCAT 26262 V6.1a English main window (database ISO 26262 1.1 English) showing the menu bar (File, Standard texts, Terms, Prescription selection, Deselect all, Compare Quality Level, Compare Standards, Help), the task tab "Necessary Quality" and standard tab "ISO 26262 2009", the legend "Prescriptions by the standard" (informative hints, possible P, recommended R, highly recommended HR, mandatory M, NA), the area tabs (2 Management, 3 Concept, 4 System development, 5 HW Development, 6 SW Development, 7 Production and Operation, 8 Supporting Processes, 9 Analyses), the topic tabs (Overview, Initiation, Spec of SW requirements, SW architectural design 1 and 2, Unit design and Implementation 1 and 2, Unit testing, SW Integration, Verification, SW configuration) and the prescription window with prescriptions on the SW architectural design]
nd its version. The lower line identifies the version of the database which is included in RiskCAT.

11 Menu functions

11.1 File menu

Functions within the File menu are
- Load project, see chapter 10.6 Project session reload from a file
- Store project, see chapter 10.5 Project session storage in a file
- Result storage simple, see chapter 9.2 Result storage as simple text
- Result storage formatted, see chapter 9.3 Result storage as formatted text
- ARTISAN Studio export, see chapter 9.4 ARTISAN Studio export
- Caliber RM export, see chapter 9.5 Caliber RM export
- Doors export, see chapter 9.6 DOORS export
- QualiCAT export, see chapter 9.7 QualiCAT export
- Exit closes RiskCAT

[Screenshot: File menu with the entries Load project XML, Store project XML, Result storage simple, Result storage formatted, ARTISAN Studio export, Caliber RM export, Doors export, QualiCAT export, Exit]

11.2 Standard texts menu

Functions within the Standard texts menu are
- Standard view by XpdfViewer, see chapter 5.2 Retrieval in the original standards

11.3 Terms menu

See chapter 5.5 The context related presentation of terms used in the prescription texts given in IEC 61508

11.4 Prescription selection menu

See chapter 6.3 Selection of groups of prescriptions according to the degree of obligation
50. ndard used (IEC 61508), the selected SIL, date and time of the export as well as the tool identification are logged just once in the export file.

Page 35 of 57

9.7 QualiCAT export

QualiCAT is the CATS tool to evaluate the compliance with a whole standard (e.g. IEC 61508), the topics of the standard or the individual prescriptions in a project or by a product during verification & validation or assessment. The export interface to QualiCAT is part of RiskCAT.

The export is by the steps:
- Selection of the prescriptions to be exported (check mark left besides the prescription's text) and
- a single click on QualiCAT export in the menu File. By this the form shown on the left will appear.

[Figure: the QualiCAT export form with the check boxes under "Information to be exported" (Standard, Area, Phase, Prescription, Degree of obligation) and the buttons Export and No export. The information checked will be stored as interface file for those prescriptions which are selected as to be exported.]

Exported are, in XML format as tree structure:
- the used standard (IEC 61508),
- the selected ASIL,
- the area tab the prescription is assigned to,
- the topic tab the prescription is assigned to,
- the short form of the prescription (some characters in the prescription text are replaced),
- the reference for the prescription in IEC 61508,
- the degree of obligation of the prescription,
- an initial value for the achieved compliance of the project.
51. oaches to determine the Safety Integrity Level to be required for an E/E/PES.

CAUTION: Using these approaches you should be aware that they are informative only. So it is not appropriate to base decisions about the sufficiency of a certain SIL on these approaches merely.

13.4.1 Safety Integrity Level in the quantitative approach via risk reduction

RiskCAT presents SIL 0 if a rate of dangerous failures > 10 /demand may be accepted. RiskCAT presents SIL 4 if the rate of dangerous failures needs to be < 10 /demand. Additionally RiskCAT then presents, only in the window for the approach Risk reduction, "Necessary SIL is > 4".

13.4.2 Safety Integrity Level in the Risk Graph Approach

Below SIL 1 the IEC 61508 part 5 figures D.1 and D.2 denote the SILs as "No safety requirements" and "No special safety requirements". Instead of this wording RiskCAT uses SIL 0. However, the wording of the standard is presented in addition to the SIL number. Beyond SIL 4 the IEC 61508 part 5 figures D.1 and D.2 denote the SIL as "A single E/E/PES is not sufficient" or "An E/E/PE SRS is not sufficient". In addition to this wording RiskCAT chooses SIL 4.

13.4.3 Safety Integrity Level in the Probabilistic Approach

Table 3 of IEC 61508 part 1 is the basis for the probabilistic approach with RiskCAT. It is restricted to a variation of the probability of a dangerous failure to 4 orders of magnitude, from > 10 /hour to l
52. obligation of the prescription and
- the Simple note to the prescription (see chapter 10.1 Simple note to the marked prescription).

The standard used (IEC 61508), the selected SIL, date and time of the export as well as the tool identification are logged just once in the export file.

Page 32 of 57

Based on the export by RiskCAT 61508 the prescriptions may be imported by ARTiSAN Studio as shown in the figure below.

[Figure: ARTiSAN Studio showing the imported requirement General_No_LC_Conformance_1 (id: IEC 61508 V5.6g_General_No_LC_Conformance_1) in the package "Manuelles Modellieren" (manual modelling), with its text in German ("To comply with IEC 61508, all of its requirements shall be met"), the degree of obligation M (mandatory) and the source IEC 61508 Teil 1 (Part 1), 4.1.]

Page 33 of 57

9.5 Caliber RM export

With RiskCAT an export interface is available to Caliber RM by Borland Software Corporation. This export interface is a package of its own and needs an extra licence.

The export is by the steps:
- Selection of the prescriptions to be exported (check mark left besides the prescription's text) and
- a single click on Caliber RM

[Figure: the Caliber RM export form with the check boxes under "Information to be exported" (Key, Prescription, Source, ...).]

The checked information will be stored for those prescriptions which are selected as to be exported as text file in CSV format. The information will be separated by a delimiter character.
53. on line
g) Counter corner

Page 8 of 57

3.2 Interrelationship between the screen parts

The screen parts b), c) and d) are used to present the prescriptions. The Safety Integrity Level (SIL) selected in the SIL corner (screen part e) controls the degree of obligation of the prescriptions given in screen part d.

3.3 Prescription states

RiskCAT presents the individual requirements in the Prescription window (screen part d) including their state. The three state dimensions are:
- marked / unmarked,
- selected / deselected,
- with comment / without comment.

The state "marked" may be assigned to one prescription only at any time. Marking of a prescription is by a single left mouse button click. It is visible by a box around the text describing the prescription.

The state "selected" may be assigned to one, several or even all prescriptions at the same time. Manual selection of a prescription is by a single left mouse button click. It is visible by a tick left of the text describing the prescription. Automatic selection is discussed later in this manual (see chapters 6.3 Selection of groups of prescriptions according to the degree of obligation to 6.6 Selection of prescriptions related to key words).

The state "with comment" may be assigned to one, several or even all prescriptions at the same time. Adding comments to a prescription is via context menu (depress of rig
54. ontaining the First edition of the standard dated 1998-12. That pdf includes the contents of the corrigendum 1 of April 1999.

Most Part 3 requirements are from clause 7 "Software safety lifecycle requirements". RiskCAT presents these requirements in its areas
- 3c Software Design and development (D&D) and
- 3b Software Lifecycle but not D&D.

Page 50 of 57

All other Part 3 requirements are presented in RiskCAT area
- 3a Software Non Lifecycle.

The Tables of Part 3 Appendix A are not refining a special requirement but provide techniques and prescriptions for a whole chapter of the standard. So, to ease overview and keep the number of topic tabs low, the contents of the tables from Appendix A are presented together with the main part requirements as far as they are concerned with just one chapter. However, to provide the possibility of easy identification of the techniques/prescriptions from the appendix, they are preceded by a marker.

To increase clarity RiskCAT 61508 is listing the three prescriptions by Table B.6 "Performance testing" twice. They are listed as well in area 3b Software Lifecycle but not D&D as in area 3c Software Design and development (D&D).

13.8 About the other parts of the standard

Part 5, which is about the determination of safety integrity levels, does not involve any requirement. However, extensive use has
55. out access to RiskCAT is not intended.

An example for a result storage (mandatory prescriptions for SW modification) is shown below:

Prescriptions of IEC 61508 for SIL 1 on 2008-12-08 18:18, elaborated with RiskCAT_61508 V5.9a English
The selected prescriptions are:
Availability of SW modification procedures prior to modification | IEC 61508 Part3 7.8.2.1 | M
Initiation of modification by authorised request only | IEC 61508 Part3 7.8.2.2 | M
Documented impact analysis for proposed SW modification | IEC 61508 Part3 7.8.2.3, 7.8.2.4 | M
Modifications pertaining to earlier lifecycle phases cause return to these phases | IEC 61508 Part3 7.8.2.5 | M
Planning (including staff) specification of modification verification | IEC 61508 Part3 7.8.2.6 | M
Modification in accordance with the plan | IEC 61508 Part3 7.8.2.7 | M
Detailed documentation (including request, configurations) | IEC 61508 Part3 7.8.2.8 | M
Reverification and revalidation of data and results | IEC 61508 Part3 7.8.2.9 | M
Assessment of modification depending on impact analysis and SW SIL | IEC 61508 Part3 7.8.2.10 | M
Selection of techniques/measures to comply to these requirements | IEC 61508 Part3 7.8 Table A.8 | M

9.3 Result storage as formatted text

Besides the possibility of simple format storage (which means for own formatting) RiskCAT offers storage as ready formatted Rich Text Format (RTF) table. This result storage is started via the menu File, follo
56. [Figure: RiskCAT screen with the marked prescription "Exception of requirements from compliance for low complexity systems" under the topic Documentation of safety requirements allocation; the state line shows Clause IEC 61508 Part1 4.2.]

If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools.

Page 18 of 57

[Figure: the "List of defined terms" window listing in alphabetic order: architecture, channel, common cause failure, configuration management, dangerous failure, detected, diagnostic coverage, diagnostic test interval, divers(ity), E/E/PE, E/E/PES, error, EUC, EUC control system, functional safety, functional safety assessment, hardware safety integrity, hazard, hazardous event, high demand or continuous mode, ...]

Browsing of terms is possible as well independently from the prescription's context via the Terms menu. The window shown aside presents the terms in alphabetic order. By double click on a term in the list the term definition is displayed.

Page 19 of 57

6 Selection of prescriptions

6.1 The number of selected prescriptions

Starting with version 5.9a RiskCAT shows in the Counter Corner (screen part g) the number of selected prescriptions.

[Figure: the Counter Corner showing "Selected Prescriptions: 102".]

6.2 Selection of individual p
57. [Figure: the Risk Graph view with the Required Quality Level, the risk parameter W2 ("A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely"), the resulting SIL 3 and the Counter Corner showing 0 selected prescriptions.]

The complete text of the selected risk parameter is displayed in the information line (screen part f). After changing a risk parameter the Safety Integrity Level is calculated automatically. After changes the SIL is transferred to the SIL corner (screen part e). The value shown in the SIL corner may be changed manually.

CAUTION: Please note that IEC 61508 part 5 presents by figure D.1 another Risk Graph which is different.

Page 13 of 57

5 Information about the prescriptions

5.1 Structured overview on the recommended prescriptions

Each of the area tabs represents an important theme within the scope of embedded controllers and their software. And each of the topic tabs represents a coherent set of prescriptions. Just by selection of corresponding tabs RiskCAT provides an overview about the prescriptions with respect to the topic given as tab text.

5.2 Retrieval in the original standards

RiskCAT offers an interface for viewing the original standards via the XpdfViewer (XpdfViewerCtrl.ocx library). Retrieval is started via the Standard texts menu.

[Figure: the Standard texts menu listing the files IEC61508_1.pdf, IEC61508_2.pdf, IEC61508_3.pdf, IEC61508_4.pdf, IEC61508_5.pdf, IEC61508_6.pdf, IEC61508_7.pdf, and the viewer window titled "viewer for file IEC61508_3_
58. rescriptions

Individual prescriptions are selected/deselected by a double click with the left mouse button. Selection is visible by
- a check mark to the left of the prescription itself,
- a check mark to the left of the corresponding topic tab,
- a check mark to the left of the corresponding area tab.

[Figure: RiskCAT screen with the area tabs (2 Management, 3 Concept, ..., 6 SW Development, 7 Production and Operation), the topic tabs SW architectural design 1, SW architectural design 2, Unit testing, SW Integration and the prescriptions of the topic SW architectural design (Objectives of the clause on the SW architectural design, Availability of the SW requirements spec, Availability of the Safety plan, Availability of the SW verification plan, Availability of the SW verification report, Description of the SW architectural design with appropriate levels of abstraction, informal/formal notations, Consideration of the verifiability of the SW architectural design); check marks appear at the selected prescriptions, at the topic tab and at the area tab.]

The selection is in addition to already selected prescriptions. If the real interest is just to concentrate on the prescriptions actually selected, precautions need to be applied to de-select any prescriptions that may have been selected previously. The selection/de-selection of several prescriptions is described in the next chapter of this manual.

Page 20 of 57

6.3 Selection of groups of prescriptions according to the degree of obligation

[Figure: the context menu of the prescription window with the entries Selection according to obligation, Selection according to aspect, Copy prescription to
59. rt function
- editing simple notes for each individual prescription
- editing comprehensive notes for each individual prescription
- the overview on the terms defined by IEC 61508 which are used by the prescription presentations
- the copy function for the actually marked prescription into the clipboard

Page 3 of 57

- the copy function from the standard into the clipboard
- the storage of prescription profiles as project or company templates in a project file (project storage)
- the reloading of prescription profiles
- on-line help

An important advantage of the tool-supported approach is the possibility to vary interactively risk parameters, risk classes and sets of process and realization prescriptions, defining alternative or optimized sets of prescriptions to reach specified quality, safety or reliability targets.

[Figure: RiskCAT 61508 V6.1d English with database IEC 61508 6.7 English: the menu bar (File, Standard texts, Terms, Prescription selection, Deselect all, Compare Quality Level, Help), the task tab Necessary Quality, the legend of the degrees of obligation (informative hints, possible P, recommended R, highly recommended HR, mandatory M, not recommended NR, not applicable NA), the area tabs 1a General, 1b Control System in relation to the EUC, 2a Control System, 2b Hardware, 3a Software Non Lifecycle, 3b Software Lifecycle but not D&D, 3c Software Design and development (D&D), and the topic tabs General D&D, SW Architecture, ...]
60. s denoted by a marker.

Some clauses do not apply in the case of a certain condition (e.g. clause 7.4.5 of part 2). This is presented by RiskCAT by the Key Word IF NOT. Again the end of the condition is denoted by a marker.

To a certain extent, again within a single IEC 61508 clause, there is a choice between different prescriptions. To present this situation without splitting up the clause into too many individual prescriptions, RiskCAT uses the Key Word OR in its presentation.

To a certain extent, again within a single IEC 61508 clause, several prescriptions are required (e.g. several documents). To present this situation without splitting up the clause into too many individual prescriptions, RiskCAT may give only some of the prescriptions (the most important ones, hopefully), ending up with a marker.

As explained in chapter 13.2 Presentation of the degree of obligation of the requirements, there are mandatory prescriptions (key word "shall") as well as forbidden ones (key word "must not"). The obligation of both is mandatory to the same extent. To arrive at a simplification, we succeeded in several standards to transfer the forbidden prescriptions by inversion into mandatory ones. However, for IEC 61508 this has been successful only to a minor extent. The key word for the inversion is NO.

Page 47 of 57

13.4 About the Safety Integrity Level (SIL)

The IEC 61508 provides several appr
61. s that SW interacts correctly to perform intended function

[Figure 1: RiskCAT 61508 screen. The bottom of the screen shows the Counter Corner (Selected Prescriptions 0), the SIL corner (SIL 4) and the state line with Clause IEC 61508 Part3 7.4.8.3.]

The purpose of RiskCAT 61508 is to assist the user in the application of IEC 61508. However, it is of course not the purpose of the tool to replace the standard. Anyhow, the detailed and precise wording of the standard's clauses needs to be considered to claim conformance with the standard. RiskCAT's condensed presentation of the standard's contents has been established for the purpose of ease of work, overview and general navigation.

RiskCAT is designed for use by embedded systems/software professionals. Experience of using Windows on PCs is required.

Page 4 of 57

2 Installation, First Start, Deinstallation

2.1 The components of RiskCAT

RiskCAT is an application for Windows 2000/NT/XP. It is distributed on a USB memory stick. The USB memory stick has the following directory structure:
- RiskCAT_61508 with the subdirectory
  - XPDF
- Tool Documentation
- CATS Information
- XPDF Installation

Besides this the stick optionally contains the installation file for the server disk drive based network installation of RiskCAT (setup.exe).

The directory RiskCAT_61508 contains the files:
- the RiskCAT executable RiskCAT_61508_V61_English.exe
- the help file RiskCAT_61508_V61_English.hlp
- the help
62. sary to run RiskCAT.

For earlier versions of RiskCAT the experience showed that the automatic installation of the XpdfViewer ActiveX Control sometimes failed. In this case please execute XpdfViewerCtrl 3.1.00.04.exe from the directory XPDF Installation.

CAUTION: The execution of RiskCAT_61508_V61_English is possible only from the original USB memory stick. For backup purposes the stick contents may be copied to any backup device. However, RiskCAT_61508_V61_English will operate from the memory stick only.

CAUTION: The first execution of RiskCAT_61508_V61_English will install the XpdfViewer ActiveX Control Version 3.0 on the local PC. In case of version conflicts with an XpdfViewer already installed please contact CATS via info@cats-tools.de.

2.3 Uninstallation on a local PC

As RiskCAT does not need any installation, it does neither need any uninstallation. Uninstallation of XpdfViewer is accomplished by running WINDOWS System Control > Software > Installation/Uninstallation > selecting the XpdfViewer control.

2.4 Network Installation of RiskCAT

RiskCAT offers two different possibilities for network installations:
- You may access RiskCAT_61508_V61_English on the CATS USB memory stick network wide, or
- you may use a server disk drive based installation.

For both types of network installation a single RiskCAT executable is relocated on the server.

Page 6 of 57
63. scriptions which are selected as to be exported (check mark left besides the prescription's text) and
- a single click on ARTiSAN Studio export in the menu File. By this the form shown on the left will appear.

[Figure: the ARTiSAN Studio export form with the check boxes under "Information to be exported" (Key, Prescription, Source, Degree of obligation, Simple Note) and the buttons Export and No export.]

Export for each selected prescription (a delimiter between the values is used) consists of:
- three different keys:
  - Name of the prescription, which enables ARTiSAN Studio to identify the prescription in a unique way. Name consists of (see Figure 2):
    - the area tab the prescription is assigned to,
    - the topic tab the prescription is assigned to, and
    - the line number of the prescription in its prescription window.
  - Package of the prescription, which enables ARTiSAN Studio to connect prescriptions which address similar contents. Package consists of (see Figure 2):
    - the area tab the prescription is assigned to.
  - Identifier of the prescription, which enables the traceability of the prescription back to RiskCAT. Identifier consists of (see Figure 2):
    - the RiskCAT database identifier (see chapter 10.7 Help menu),
    - the area tab the prescription is assigned to,
    - the topic tab the prescription is assigned to, and
    - the line number of the prescription in its prescription window.
- the short form of the prescription,
- the reference for the prescription in IEC 61508,
- the degree of
64. t
- Company specific frames of prescribed prescriptions as well as company specific interpretations of prescriptions
- Log results from audits, reviews or tests

The simple note functionality is activated via context menu in the prescription window. The steps are:
- Mark the prescription for which the note shall be edited by a single left mouse button click. Otherwise nothing visible to the user will occur.
- Activate context menu: depress right mouse button while the pointer is in the prescription window (screen part d in Figure 2).
- Choose Edit simple note for prescription.

[Figure: the dialog "Simple note to prescription (500 characters maximum)" containing the sample note "Structured method SADT is applied instead of semi-formal methods".]

For looking at existing notes or modifying them, choose Edit simple note for prescription again.

Prescriptions with comments are marked by a note mark left besides the prescription text. The mark is the same for a simple note, a comprehensive note (see chapter 10.2 Comprehensive note to the marked prescription) and the usage of both notes in parallel.

Notes are saved via Store project (see chapter 10.5 Project session storage in a file of this manual). They are reloaded by Project load.

The simple notes may be exported via the prescription output (see chapter 9 Output of prescriptions). The exception is the export to QualiCAT, because the notes may not be used by QualiCAT until now.
65. t 10 /hour. In case the rate of dangerous failures may be > 10 /hour or needs to be < 10 /hour, IEC 61508 does not provide any SIL. RiskCAT results in SIL 0 if the rate of dangerous failures may be > 10 /hour. RiskCAT results in SIL 4 if the rate of dangerous failures needs to be < 10 /hour and denotes the SIL as "SIL not valid".

13.4.4 Safety Integrity Level 0

RiskCAT developers feel that there is no clear prescription within IEC 61508 about the degree of obligation of the required prescriptions below SIL 1. So RiskCAT for SIL 0 assigns the lowest degree of obligation which is possible to all prescriptions. In case the user feels this approach to be too weak, it is suggested to increase the SIL manually from 0 to 1.

13.5 About part 1 of the standard

Requirements within Part 1 (General Requirements) are independent of SIL, except three requirements. They are presented in the RiskCAT tab Assessment. Part 1 does not make use of alternative requirements offering the possibility to choose between different approaches.

Page 48 of 57

Within Part 1 there are requirements requiring that part 2 or 3 or certain clauses of those parts shall be applied. This type of requirement has been skipped for the purpose of RiskCAT.

The actual database for part 1 is based on a pdf file dated 10.08.1999, size 643 897 Bytes, containing the First edition of the standard dated 1998-12. That pdf
66. t besides the prescription text. The mark is the same for a simple note, a comprehensive note (see chapter 10.2 Comprehensive note to the marked prescription) and the usage of both notes in parallel.

In this RiskCAT version export of the comprehensive notes is possible only via formatted text (see chapter 9.3 Result storage as formatted text).

Notes are saved via Store project (see chapter 10.5 Project session storage in a file of this manual). They are reloaded by Project load.

CAUTION: In this RiskCAT version graphics and tables in notes may not be properly stored and/or exported.

CAUTION: The comprehensive notes may be exported only as part of formatted text (see chapter 9.3 Result storage as formatted text).

10.3 Copying the actually marked prescription into the clipboard

The copy to clipboard functionality is activated via context menu in the prescription window (screen part d in Figure 2). The steps are:
- Mark the prescription to be copied by a single left mouse button click. Otherwise no prescription will be found on the clipboard later on.
- Activate context menu: depress right mouse button while the pointer is in the prescription window.
- Choose Copy selected prescription to clipboard to copy the contents of the state line.
- Use an application with clipboard functionality.
- Insert or paste the clipboard contents.

Page 40 of 57

10.4
67. te for prescription
- Activate context menu: depress right mouse button while the pointer is in the prescription window.

[Figure: the context menu of the prescription window with the entries Prescription in the standard, Prescription's explanation in the standard, Term Definition.]

- Choose Term Definition. RiskCAT will show the page of the standard highlighting the definition in context.

The size of the standard's window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it.

[Figure: the XpdfViewer window beside the RiskCAT prescription window. The viewer shows page 20 of the standard with the highlighted definition 3.5.12 "mode of operation: way in which a safety-related system is intended to be used with respect to the frequency of demands made upon it, which may be either low demand mode ... or high demand or continuous mode ...". The prescription window shows the topics Overall safety requirements, Safety requirements allocation, Operation and maintenance, Validation, Installation and commissioning plan, and prescriptions such as "Indication whether the SIL is to the low demand mode or the high demand or continuous mode of operation", "IF different SILs in one system: highest requirements OR independence", "IF a single system (which may be redundant) is used for SIL 4: meet criteria", "Lower bounds for failure probabilities allocated to a single system are ... per demand res"]
68. tem, you should select all possible prescriptions and check them afterwards.

6.4 Selection of prescriptions related to documents

The selection of groups of prescriptions according to documents is activated via
- the context menu (depress right mouse button while the pointer is in the prescription window, screen part d in Figure 2) or
- via the menu Prescription selection.

[Figure: the context menu (Selection according to obligation, Selection according to aspect, Copy prescription to clipboard, Edit simple note for prescription, Edit comprehensive note for prescription, Prescription in the standard, Prescription's explanation in the standard, Term Definition) and the menu Prescription selection of RiskCAT_61508 5.9a English with the entries Selection according to obligation and Selection according to aspect.]

After a single click on Selection according to aspect the form shown below will appear.

[Figure: the form "Selection of prescriptions according to aspects" with the selection aspect "Document/work product", the selection range (IEC 61508 as a whole / Actual page only), the selection combination, and the list of documents/work products (Code review report, Code (Machine), Code (Source), Coding manual, Component, E/E/PES architecture design, ...).]
69. [Figure: the Risk reduction view: "...tems matched to the necessary risk reduction (IEC 1662 98)", Required Quality Level 10exp 4, Selected Prescriptions, SIL.]

After changing the failure rate of the EUC (Equipment under control, without extra safety system) or the Tolerable risk target, the Safety Integrity Level is calculated automatically. After changes the SIL is transferred to the SIL corner (screen part e). The value shown in the SIL corner may be changed manually.

4.3 SIL determination via a risk graph

This approach is activated by selecting the RiskCAT task tab Necessary Quality followed by Risk Graph. The approach is based on IEC 61508 part 5 figure D.2 and table D.1.

Page 12 of 57

[Figure: RiskCAT 61508 V6.1d English with database IEC 61508 V6.7 English, task tab Necessary Quality, Risk Graph (IEC 61508-5 Figure D.2, Necessary SIL determination): Consequence C3 "Death to several people"; Frequency of and exposure time in the hazardous zone F1 "Rare to more often exposure in the hazardous zone"; Possibility of avoiding the hazardous event P1 "Possible under certain conditions"; Probability of the unwanted occurrence; the resulting Necessary Safety Integrity Level; and the table with the columns Configuration, Consequence, Frequency, Avoidance, Requi
70. ternational Electrotechnical Commission for permission to reproduce extracts from International Standard IEC 61508. All such extracts are copyright of IEC, Geneva, Switzerland. All rights reserved. Further information on DKE is available from www.dke.de and on the IEC is available from www.iec.ch. DKE and IEC have no responsibility for the placement and context in which the extracts and contents are reproduced by CATS Software Tools GmbH, nor are DKE/IEC in any way responsible for the other content or accuracy therein.

Page VII

1 Overview

Prerequisite to produce and certify high quality embedded systems including their software is to know about the functional and non-functional requirements imposed on the embedded system. These requirements generally result from two different sources. One source is the specific requirements of the customer or producer, e.g. based on their applications or marketing strategy. The other sources are the requirements imposed on the embedded system and its software by the state of the art, represented e.g. by national or international standards.

[Figure: requirements from the customer or producer (e.g. based on their applications or marketing strategy) and requirements from the state of the art or standards (project) both feed into the Requirements Specification.]

1.1 A suggestion for the efficient handling of standards

For all activities:
1. Before starting the real work an overview on the considered standard should be a
71. tual RiskCAT version.

The actual database for part 2 is based on a file dated 06.11.2000, size 919 951 Bytes, containing the First edition of the standard dated 2000-05.

All requirements contained in part 2 are given in clause 7 "Lifecycle requirements on the E/E/PES". On the one hand these requirements are concerned with the control system as a whole (hardware plus software). These requirements are presented in RiskCAT area
- 2a Control System.
On the other hand these requirements are concerned just with the hardware only. These requirements are presented in RiskCAT area
- 2b Hardware.

Page 49 of 57

Capturing the required prescriptions from IEC 61508, CATS felt that in part 2 there are three areas of weaknesses:
- It has been understood that IEC 61508 uses "failure" for the effect that the E/E/PES does supply its specified function. And it has been understood that IEC 61508 uses "random failure" for the physical transition of a hardware device to defect. However, in several cases the feeling was that "failure" has been used instead of "random failure". For the RiskCAT prescriptions a clear distinction between "failure" and "random failure" has been tried.
- Most clauses of IEC 61508 part 2 are valid for the E/E/PES as a whole. Others are valid just for the hardware part. For the RiskCAT prescriptions a clear distinction between those two areas of v
72. ult in a company or project specific framework. This framework or requirements capture may be stored and used as a starting point by the normal users. The storage function is chosen by the item Store project XML in the File menu.

Starting with version 6 RiskCAT is logging its operation for the purpose of reproducibility. When storing the project, e.g. in file "abc Project.xml", RiskCAT stores in the same directory as "abc Project.xml" the history file named "abc Project.xml RiskCAT_HistFile.txt". If reproducibility may be of interest, CATS suggests to save the history files together with the projects themselves.

10.6 Project session reload from a file

- For a new session the framework prepared by the project leader or the quality manager may be loaded.
- An interrupted and stored tool session may be resumed.

The restore function is chosen by the item Load project XML in the File menu.

Page 41 of 57

10.7 Help menu

Functions within the Help menu are:
- Help: Main texts of this user's manual are supplied as help.
- About: Informs about RiskCAT version and copyright.

[Figure: the About box (the screenshot shows RiskCAT 26262 V6.1a English by CATS, CodeAnalyzerToolSet, with database ISO 26262 V1.1 English; Copyright 1996-2010 by CATS Software Tools GmbH, www.cats-tools.de, info@cats-tools.de).]

The upper line in the figure besides identifies the tool a
73. ve purpose only)
- the evaluation of the necessary SIL via a risk graph (for informative purpose only)
- the manual SIL selection

2. Information about prescriptions:
- the structured overview on the prescriptions given by IEC 61508
- retrieval in the original standards
- the context related presentation of the original standard's clause
- the context related presentation of explanations to the clause given in IEC 61508 itself (such explanations are available for part of the clauses only)
- the context related presentation of terms used in the prescription texts given in IEC 61508

3. Selection of prescriptions:
- the selection of individual prescriptions
- the selection of groups of prescriptions according to the degree of obligation
- the selection of prescriptions related to documents
- the selection of prescriptions related to activities (life cycle phases)
- the selection of prescriptions related to key words

4. Comparison of prescriptions at different Quality Levels

5. Comparison of standard xyz with IEC 61508 (not available with RiskCAT 61508)

6. Export:
- the result storage as simple text file as basis for further processing by the user
- the result storage as formatted text file, e.g. as ready checklists or test plans
- the result export to ARTiSAN Studio (option at extra expense)
- the result export to CaliberRM (option at extra expense)
- the result export to DOORS (option at extra expense)
- the result export to QualiCAT

7. Suppo
74. ware Lifecycle but not

Prescription (IEC 61508 Part 3, clause)
7.8.2.1 Availability of SW modification procedures prior to modification
7.8.2.2 Initiation of modification by authorised request only
7.8.2.3 Documented impact analysis for proposed SW modification
7.8.2.4 Modifications pertaining to earlier lifecycle phases cause return to these phases
7.8.2.5 Planning, including staff, specification of modification verification
7.8.2.6 Modification in accordance with the plan
7.8.2.7 Detailed documentation including request, configurations
7.8.2.8 Reverification and revalidation of data and results
7.8.2.9 Assessment of modification depending on impact analysis and SW SIL
7.8.2.10 Selection of techniques and measures to comply with these requirements (7.8, Table A.8)

9.4 ARTiSAN Studio export
With RiskCAT an export interface to ARTiSAN Studio by ARTiSAN Software Tools Ltd is available. This export interface is a package of its own and needs an extra licence. The export is done in the steps offered by the dialog Information to be exported (selection of the prescriptions; Key). The information checked will be stored for those pre
75. wed by a single click on Result storage formatted. For the storage there are some options given in the menu below in a self-explaining manner. For the comprehensive user's note see 10.2 Comprehensive note to the marked prescription.

CAUTION: The purpose of the result checklists is to use them with access to RiskCAT, because RiskCAT may present the context of the checklist selection as well as the possibility of retrieval in the original standard. Usage of the checklists without access to RiskCAT is not intended.

Options of the Formatted result storage dialog:
• prescriptions to be stored: selected prescriptions; prescriptions with notes; unselected prescriptions
• storage data: risk parameters; SW SIL; number starting with 1; source; degree of obligation; obligation at comparison; prescription in compared standard; simple user's note; comprehensive user's note
• storage format: csv text with separator; vertical table orientation; horizontal table orientation; empty column for comments

An example of the formatted text result storage (mandatory prescriptions for SW modification) is shown below.
Prescriptions of IEC 61508 for SIL 1 on 2008-12-08 18:36, elaborated with RiskCAT_61508 V5.9a English. The selected prescriptions are: 1b Control System in relation to t
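The "csv text with separator" storage described above produces a delimited text file whose note columns are free text and may themselves contain the separator or quote characters. The following Python script is an added example, not code from the RiskCAT manual or from CATS: it parses such an export with the standard csv module (so a note containing the separator does not shift the columns), contrasts that with a plain split, filters the mandatory prescriptions into a checklist and flags gaps in the "number starting with 1" column. The ';' separator, the column names and their order, and the obligation codes 'M' (mandatory) and 'HR' are assumptions; the sample export is constructed here from the SW modification prescriptions of IEC 61508 Part 3, clause 7.8.2, quoted in this manual.

```python
"""Parse a RiskCAT-style 'csv text with separator' checklist export.

Added example, not code from the RiskCAT manual or from CATS. Assumed (not
given by the manual): the ';' separator, the column names and their order,
and the obligation codes 'M' (mandatory) and 'HR'. Adjust to your export.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample export. The two leading lines imitate the free-text
# header the manual shows above the table; the rows are built from the SW
# modification prescriptions (IEC 61508 Part 3, 7.8.2.x) quoted in the manual.
# Row 2 carries a note containing the separator, row 7 a note with quotes,
# and number 5 is deliberately missing to show the gap check.
SAMPLE_EXPORT = """\
Prescriptions of IEC 61508 for SIL 1 on 2008-12-08 18:36
elaborated with RiskCAT_61508 V5.9a English
"No";"Prescription";"Source";"Reference";"Obligation";"Simple note"
"1";"Availability of SW modification procedures prior to modification";"IEC 61508 Part3";"7.8.2.1";"M";""
"2";"Initiation of modification by authorised request only";"IEC 61508 Part3";"7.8.2.2";"M";"request form; ticket no. required"
"3";"Documented impact analysis for proposed SW modification";"IEC 61508 Part3";"7.8.2.3";"M";""
"4";"Modifications pertaining to earlier lifecycle phases cause return to these phases";"IEC 61508 Part3";"7.8.2.4";"M";""
"6";"Modification in accordance with the plan";"IEC 61508 Part3";"7.8.2.6";"M";""
"7";"Detailed documentation including request, configurations";"IEC 61508 Part3";"7.8.2.7";"HR";"see ""CM plan"" rev 3"
"""

SEPARATOR = ";"          # assumed separator of the export
MANDATORY_CODE = "M"     # assumed degree-of-obligation code for "mandatory"


@dataclass(frozen=True)
class Prescription:
    number: int
    text: str
    source: str
    reference: str
    obligation: str
    note: str


def parse_export(text: str, separator: str = SEPARATOR) -> tuple[list[str], list[Prescription]]:
    """Split the free-text header from the table and parse the table rows.

    The table is taken to start at the first line beginning with the quoted
    column name "No". Quoted fields are handled by the csv module, so a note
    that contains the separator or doubled quotes does not shift the columns.
    """
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith('"No"')), None)
    if start is None:
        raise ValueError("table header line not found")
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])),
                            delimiter=separator, quotechar='"')
    rows = [
        Prescription(int(rec["No"]), rec["Prescription"], rec["Source"],
                     rec["Reference"], rec["Obligation"], rec["Simple note"])
        for rec in reader
    ]
    return lines[:start], rows


def naive_field_count(line: str, separator: str = SEPARATOR) -> int:
    """Field count a plain split would give; too high when a note holds the separator."""
    return len(line.split(separator))


def mandatory(rows: list[Prescription]) -> list[Prescription]:
    """Prescriptions whose degree of obligation carries the mandatory code."""
    return [r for r in rows if r.obligation == MANDATORY_CODE]


def numbering_gaps(rows: list[Prescription]) -> list[int]:
    """Numbers missing between the first and last value of the 'number starting
    with 1' column; a gap means a row was dropped somewhere downstream."""
    numbers = {r.number for r in rows}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def render_checklist(rows: list[Prescription]) -> list[str]:
    """One checkbox line per mandatory prescription, keyed by its clause reference."""
    return [f"[ ] {r.reference} {r.text}" for r in mandatory(rows)]


if __name__ == "__main__":
    header, prescriptions = parse_export(SAMPLE_EXPORT)
    print("\n".join(header))
    print("\n".join(render_checklist(prescriptions)))
    print("missing numbers:", numbering_gaps(prescriptions))
```

Running the script prints the two header lines, a checklist of the five mandatory rows and the missing number 5. The point of the contrast with naive_field_count is that a separator inside a note silently corrupts a split-based import, while a quote-aware parser keeps the columns aligned; the numbering check is a cheap way to notice when an import has lost rows.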
76. y integrity level; Software Verification and validation. See chapter 13.3 About some Key Words in the individual prescription presentation in RiskCAT.

14 Appendix
14.1 List of Documents
RiskCAT takes the documents listed as examples in IEC 61508 Part 1, tables A.1, A.2 and A.3 (pages 103, 105, 107), as presented in the following table. The names used in these tables have partly been slightly modified, e.g. Plan safety from table A.1 to Overall safety plan in RiskCAT. The documents in colour are documents in pairs:
• Yellow: plans are related to BERERHEBBHS and one log
• Cyan: plans and specifications are related to MABENIINEROHS
Some of the documents listed in tables A.1, A.2 and A.3 are not addressed by the IEC 61508 prescriptions and thus not by RiskCAT either. Those are marked in the table.

Document (Table)
Overall safety plan (A.1)
Overall concept description
Overall scope description
Hazard and risk analysis description
Overall safety requirements specification, comprising the Overall safety functions requirements specification and the Overall safety integrity requirements specification
Safety requirements allocation description
E/E/PES safety plan (A.2; for the related clauses please refer to
Overall functional safety assessment plan
E/E/PES safety requirements specification, comprising the E/E/PES safety functions requir
