IEC 61508
IEC 61508 (Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related systems) is a generic functional safety standard which may be applicable to all cases where programmable devices are used to control the functioning of systems where safety is or may be a consideration.
A system to which IEC 61508 is applicable may have varying levels of risk to the user or different safety requirements. To accommodate this IEC 61508 has four Safety Integrity Levels (SIL 1 – 4), with SIL 4 representing projects with the most rigorous safety requirements.
Fitness for purpose litigation against companies and individuals is now an increasing risk. IEC 61508 is a technical standard used by lawyers to interpret laws. The relevant law in question for Europe is the General Product Safety Directive 2001/95/EC (GPSD). This states that the product creator has the responsibility to develop a safety critical product in a way which is compliant with ‘State-of-the-Art’ development principles. ‘State-of-the-Art’ simply refers to commonly accepted best practices, which in the case of electronic saftey related systems are now embodied in IEC 61508:2010 (or the previously mentioned standards derived from it which focus on specific industries). Where companies fail to employ accepted industry practices, they cannot use the “State-of-the-Art” legal defence against such litigation.
Testing tools for compliance with IEC 61508 recommendations
QA Systems enables organisations to accelerate IEC 61508 compliance with automated static analysis and software testing tools:
ANALYSE STATIQUE
Tool Certification
IEC 61508, Part 3 Annex A recommends that software tools are certified. Cantata testing tool has been classified and certified by SGS-TÜV GmbH, an independent third party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS). Cantata has been classified as a Tool Confidence Level (TCL) 1 tool, and is usable in development of safety related software according to IEC 61508:2010 up to the Safety Integrity Level (SIL) D.
Cantata has been certified as a class T2 tool fulfilling the requirements of IEC 61508-3 sub-clause 7.4.4. Providing use of the tool follows the relevant version Safety Manual, Installation Manual, User Manual and this Standard Briefing then it has been certified as usable in development of safety related software according to IEC 61508 up to the highest Safety Integrity Level (SW-SIL 4).
The tool certification kit for IEC 61508 is available to ease our customers’ path to certification. This contains everything needed to prove that Cantata fulfills IEC 61508 recommendations as well as guidance to help you to achieve compliance.
Please contact us for more information about the tool certification kit.
Cantata Certificate
Software testing for IEC 61508 compliance
IEC 61508 Section 3, Table A.5 recommends software module testing and integration. The Cantata testing tool enables developers to automate their unit and integration testing and to verify IEC 61508 compliant code on host native and embedded target platforms.
Cantata helps accelerate compliance with the standard’s software testing requirements by automating:
IEC 61508 Table A.3 – Software design and development – support tools and programming language
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1.&2.Suitable (strongly typed) programming language | HR | HR | HR | HR | Yes |
| 3. Language subset | — | — | HR | HR | Yes |
| 4a/b. Certified tools… | R/HR | HR | HR | HR | Yes |
| Key | |
|---|---|
| Hightly Recommended | HR |
| Recommended | R |
IEC 61508 Table A.4 – Software design and development – detailed design
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 3. Defensive programming | — | R | HR | HR | Yes |
| 4. Modular approach | HR | HR | HR | HR | Yes |
| 5. Design and coding standards | R | HR | HR | HR | Yes |
IEC 61508 Table A.5 – Software design and development – software module testing and integration
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1. Probabilistic testing | — | R | R | R | Yes |
| 2. Dynamic analysis and testing | R | HR | HR | HR | Yes |
| 4. Functional and black box testing | HR | HR | HR | HR | Yes |
| 5. Performance testing | R | R | HR | HR | Yes |
| 7. Interface testing | R | R | HR | HR | Yes |
| 9. Forward traceability… | R | R | HR | HR | Yes |
IEC 61508 Table A.6 – Programmable electronics integration (hardware and software)
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1. Functional and black box testing | HR | HR | HR | HR | Yes |
| 2. Performance testing | R | R | HR | HR | Yes |
IEC 61508 Table A.7 – Software aspects of system safety validation
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1. Probabilistic testing | — | R | R | HR | Yes |
| 4. Functional and black box testing | HR | HR | HR | HR | Yes |
IEC 61508 Table A.8 – Modification
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 2. Reverify changed module | HR | HR | HR | HR | Yes |
| 3. Reverify affected software modules | R | HR | HR | HR | Yes |
| 5. Software configuration management | HR | HR | HR | HR | Yes |
IEC 61508 Table A.9 – Software Verification
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 3. Static analysis | R | HR | HR | HR | Yes |
| 4. Dynamic analysis and testing | R | HR | HR | HR | Yes |
IEC 61508 Table B.1 – Design and coding standards
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1. Use of coding standard | HR | HR | HR | HR | Yes |
IEC 61508 Table B.2 – Dynamic analysis and testing
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1.Boundary value analysis | R | HR | HR | HR | Yes |
| 2.Error guessing | R | R | R | R | Yes |
| 3.Error seeding | — | R | R | R | Yes |
| 4. Test case execution from model-based test case generation | R | R | HR | HR | Yes |
| 6.Equivalence class and partition testing | R | R | R | HR | Yes |
| 7. a) Structural test coverage (entry points) | HR | HR | HR | HR | Yes |
| 7. b) Structural test coverage (statements) | R | HR | HR | HR | Yes |
| 7. c) Structural test coverage (branches) | R | R | HR | HR | Yes |
| 7. d) Structural test coverage (conditions, MC/DC) | R | R | R | HR | Yes |
IEC 61508 Table B.3 – Functional and black-box testing
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 2. Test case execution from model-based test case generation | R | R | HR | HR | Yes |
| 4. Equivalence class and input partition testing including boundary value analysis | R | HR | HR | HR | Yes |
IEC 61508 Table B.5 – Modelling
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 2a. Finite state machines (FSM) | — | R | HR | HR | Yes |
IEC 61508 Table B.6 – Performance testing
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 2. Response timing and memory constraints | HR | HR | HR | HR | Yes |
| 3.Performance requirements | HR | HR | HR | HR | Yes |
IEC 61508 Table B.7 – Semi-formal methods
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 4a. Finite state machines | R | R | HR | HR | Yes |
IEC 61508 Table B.9 – Modular approach
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Cantata |
|---|---|---|---|---|---|
| 1. Software module size limit | HR | HR | HR | HR | Yes |
| 2. Software complexity control | R | R | HR | HR | Yes |
| 3. Information hiding/encapsulation | R | HR | HR | HR | Yes |
| 4. Parameter number limit | R | R | R | R | Yes |
| 5. One entry/exit point… | HR | HR | HR | HR | Yes |
Start a free trial to evaluate Cantata using your code.
Static analysis for IEC 61508 compliance
Part 3 of IEC 61508 addresses the software requirements of a safety-related system mandating the use of better development processes, including the use of coding standards such as MISRA to encourage further gains in software quality. It includes several tables that define the methods that must be considered in order to achieve compliance with the standard.
The following tables identify where Static Analysis can be used to ensure and demonstrate compliance with IEC 61508.
Please contact us for more information on Static Analysis tools for IEC 61508.
IEC 61508 Section 6 – Additional Requirements for Management of Safety-Related Software
| Reference |
|---|
| 6.2 Requirements |
| 6.6.2 Function safety planning |
| Key | |
|---|---|
| Hightly Recommended | HR |
| Recommended | R |
IEC 61508 Table 1 – Software Safety Lifecycle – Overview
| Reference |
|---|
| 10.1 Software safety requirements specification – – |
| 10.2 Validation plan for software aspects of system safety – – |
| 10.3 Software design and development |
|
| 10.4 Programmable electronics integration – – |
| 10.5 Software operation and modification procedures – – |
| 10.6 Software aspects of system safety validation |
IEC 61508 Section 7.4.4 – Requirements for Support Tools, Including Programming Languages
| Reference |
|---|
| 7.4.4.2 Software off-line support tools shall be selected as a coherent part of the software development activities |
| 7.4.4.10 The software or design representation (including a programming language) selected shall: |
| b) use only defined language features |
| d) contain features that facilitate thedetection of design or programmingmistakes |
| 7.4.4.12 Programming languages for the development of all safety-related software shall be used according to a suitable programming languagecoding standard |
| 7.4.4.13 A programming language coding standard shall specify good programming practice, proscribe unsafe language features (e.g.undefined language features), promote code understandability. |
| 7.9 Software verification |
| 7.9.2.12 Verification of the code |
IEC 61508 Table A.2 – Software Design and Development – Software Architecture Design
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 14. Static resource allocation | — | R | HR | HR |
IEC 61508 Table A.3 – Software design and development – support tools and programming language (copy 1)
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 1. Suitable programming language | HR | HR | HR | HR |
| 2. Strongly typed programming language | HR | HR | HR | HR |
| 3. Language subset | — | — | HR | HR |
| 4a. Certified tools and certified translators | R | HR | HR | HR |
| 4b. Tools and translators: increased confidence from use | HR | HR | HR | HR |
IEC 61508 Table A.4 – Software design and development – Detailed design
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 3. Defensive programming | — | R | HR | HR |
| 5. Design and coding standards | R | HR | HR | HR |
| 6. Structured programming | HR | HR | HR | HR |
IEC 61508 Table A.9 – Software Verification
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 3. Static analysis | HR | HR | HR | HR |
IEC 61508 Table B.1 – Design and coding standards
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 1. Use of coding standard to reduce likelihood of errors | HR | HR | HR | HR |
| 2. No dynamic objects | R | HR | HR | HR |
| 3a. No dynamic variables | — | R | HR | HR |
| 4. Limited use of interrupts | R | R | HR | HR |
| 5. Limited use of pointers | — | R | HR | HR |
| 6. Limited use of recursion | — | R | HR | HR |
| 7. No unstructured control flow in programs in higher level languages | R | HR | HR | HR |
| 8. No automatic type conversion | R | HR | HR | HR |
IEC 61508 Table B.8 – Design and coding standards
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| 3. Control flow analysis | R | HR | HR | HR |
| 4. Data flow analysis | R | HR | HR | HR |
| 7. Symbolic execution | — | — | R | R |