EN ISO 13849-1:2021 Safety of machinery - Safety-related parts of control systems

Annex N
(informative)
Avoiding systematic failure in software design

N.1 Selection of fault avoiding measures for the design of safety-related software

The following tables give guidance for the selection of fault avoiding measures for safety-related embedded software (SRESW) or safety-related application software (SRASW). Table N.1 gives an overview of how the selection measures are clustered. Table N.2 should be used for SRASW in LVL, and Table N.3 should be used for SRESW and SRASW in FVL.

EXAMPLE For a subsystem with PLr of c and category 2, case 2 is chosen for the functional channel and case 1 is chosen for the test channel.

For Tables N.3 and N.4, the following abbreviations are used:

— r = recommended means that the use of this measure improves the quality of the software, but its use is not mandatory;

— m = mandatory means that this measure should always be used;

— “-” means that this measure is not required.

channel 1 AND 2 means that SRESW or SRASW is used in both functional channels of category 3 or 4;

channel 1 OR 2 means that SRESW or SRASW is only used in one of two functional channels of category 3 or 4;

pre-assessed platform means that the hardware and the internal software (SRESW) are designed for safety applications and have already been assessed to comply with this document or with IEC 61508/IEC 62061 for the required performance level.

The fault avoiding measures for SRESW and SRASW in Table N.2 and Table N.3 are graded according to the category and PL:

a) PL a and b are typically realized using a category B structure with software used in the logic block of the functional channel.

b) PL c and d may be realized using a category 2 structure with software used in the logic block of the functional channel or in the test equipment block of the testing channel. For the testing channel, the requirements are reduced by one performance level.

c) PL d and e may be realized using a category 3 structure with software used in the logic block of the functional channels. “Channel 1 and channel 2” means that software is used in both functional channels. “Channel 1 or channel 2” means that software is used in only one of the two functional channels; in this case the requirements are reduced by one performance level.

d) SRASW in PL d and e may also be realized using a pre-assessed platform (safety-related hardware in combination with an operating system and programming tool). In this case, a single application software program is used for both functional channels.


N.2 Example for software validation

N.2.1 Example for software validation

In this validation example, pre-assessed software modules are used. The validation is done by test cases at the inputs of the pre-assessed software modules to check their usage in the context of the whole application software. The set of test cases does not claim completeness.
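As an added illustration (not text or code from the standard, and not from any real safety platform), the following Python example models what "test cases at the inputs of a pre-assessed module, in the context of the application" looks like. The pre-assessed module `two_channel_equivalent`, its discrepancy-time parameter, and the `GuardDoorApplication` that wires it to a stop input are all hypothetical stand-ins constructed for this example; the point is that the test cases exercise how the application feeds, parameterizes and combines the module, while the module's internal correctness is left to its pre-assessment.

```python
"""Added example: validating application software that uses a
pre-assessed software module, by test cases at the module's inputs.

Everything here is constructed for illustration. The module
`two_channel_equivalent` and the application `GuardDoorApplication`
are hypothetical; they are not code from ISO 13849-1 or any vendor.
"""
from dataclasses import dataclass


# --- Hypothetical pre-assessed module (treated as a black box) -----------
# Assumed behaviour: evaluates a two-channel input. Both channels must agree
# within `discrepancy_limit_ms`; otherwise a fault is latched and the output
# stays de-energized until both channels have been off together.

@dataclass
class EquivalenceState:
    discrepancy_ms: int = 0
    fault: bool = False


def two_channel_equivalent(ch1: bool, ch2: bool, dt_ms: int,
                           state: EquivalenceState,
                           discrepancy_limit_ms: int = 500) -> bool:
    """Return True (output energized) only when both channels are True
    and no fault is latched."""
    if ch1 != ch2:
        state.discrepancy_ms += dt_ms
        if state.discrepancy_ms > discrepancy_limit_ms:
            state.fault = True
    else:
        state.discrepancy_ms = 0
        if not ch1 and not ch2:
            state.fault = False  # reset only when both channels are off
    return ch1 and ch2 and not state.fault


# --- Application software that uses the module ---------------------------
# The application routes the guard-door channels into the module, passes it
# a discrepancy-time parameter, and ANDs the module output with a separate
# stop input. Validation asks whether this *usage* is correct, not whether
# the module itself works (that is covered by its pre-assessment).

class GuardDoorApplication:
    def __init__(self, discrepancy_limit_ms: int = 500):
        self.state = EquivalenceState()
        self.limit = discrepancy_limit_ms

    def cycle(self, door_ch1: bool, door_ch2: bool,
              stop_ok: bool, dt_ms: int) -> bool:
        """One PLC cycle; returns the machine enable signal."""
        door_closed = two_channel_equivalent(
            door_ch1, door_ch2, dt_ms, self.state, self.limit)
        return door_closed and stop_ok


# --- Test cases at the inputs of the pre-assessed module -----------------
# Each case is a sequence of (ch1, ch2, stop_ok, dt_ms) cycles plus the
# expected enable output after the last cycle. Constructed sample data;
# the list does not claim completeness.

TEST_CASES = {
    "both_closed_enables": ([(True, True, True, 10)], True),
    "one_channel_open_does_not_enable": ([(True, False, True, 10)], False),
    "stop_overrides_module_output": ([(True, True, False, 10)], False),
    "discrepancy_beyond_limit_latches_fault": (
        [(True, False, True, 300), (True, False, True, 300),
         (True, True, True, 10)], False),
    "fault_reset_requires_both_channels_off": (
        [(True, False, True, 600), (False, False, True, 10),
         (True, True, True, 10)], True),
}


def run_case(steps, limit_ms: int = 500) -> bool:
    """Drive one application instance through `steps`; return final enable."""
    app = GuardDoorApplication(limit_ms)
    result = False
    for ch1, ch2, stop_ok, dt in steps:
        result = app.cycle(ch1, ch2, stop_ok, dt)
    return result


def run_all() -> dict:
    """Return {case_name: passed} for every test case in TEST_CASES."""
    return {name: run_case(steps) == expected
            for name, (steps, expected) in TEST_CASES.items()}


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{'PASS' if passed else 'FAIL'}: {name}")
```

Each case states the input sequence and the expected application output, so a failing case points either at wrong wiring of the module inputs, a wrong parameter value, or a wrong combination of the module output with other application logic.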

N.2.2 Coding guidelines

Coding should be done according to the coding guidelines required by the manufacturer of the software platform, where relevant, or according to an “in-house guideline” that does not contradict the coding guidelines of the software platform in use.
