RiskCAT 61508 User's Manual

Contents

1. (List of Documents, continued) SW safety requirements specification, comprising the SW safety functions requirements specification and the SW safety integrity requirements specification; SW architecture design description; Development tools instruction; Coding manual; SW system design description; SW module design specification; Source code list; Code review report; SW operation and maintenance instruction; SW modification procedures instruction; SW modification request; SW modification impact analysis report; SW modification log; SW user instruction. (Footnote A2) The SW module test report is the only document mentioned twice in IEC 61508 Part 1 Table A.3. In IEC 61508 Part 3 Table 1 it is only mentioned as a result of software module testing; it is not mentioned as a result of code implementation. For clarity it has therefore been deleted here as a result of code implementation. (RiskCAT 61508 User's Manual, 14 January 2006.) Overall modification and retrofit: request; impact analysis report; log. Overall decommissioning or disposal: impact analysis report; plan; log. Document / Table (continued): E/E/PES modification impact analysis report; E/E/PES modification log; for the related clauses please refer to the Overall functional safety assessment report (A.1). For RiskCAT the following documents have been added to those given by IEC 61508: QM System; Component; Code
2. RiskCAT applies a three-dimensional state to each measure. The three state dimensions are: marked / unmarked; selected / deselected; with comment / without comment. The state "marked" may be assigned to one measure only at any time. Marking of a measure is by a single left mouse button click; it is visible by a box around the text describing the measure. The state "selected" may be assigned to one, several or even all measures at the same time. Manual selection of a measure is by a single left mouse button click; it is visible by a tick (v) left of the text describing the measure. Automatic selection is discussed later in this manual, see chapters 4.6 (Selection of groups of measures according to the degree of obligation) to 4.9 (Selection of measures related to key words). The state "with comment" may be assigned to one, several or even all measures at the same time. Adding comments to a measure is via the context menu (depress the right mouse button in the measure list boxes); it is visible by a note symbol left of the text describing the measure. 3.4 Measure colours: The measures in screen part (e) are dynamically coloured depending on their level: Possible grey, Recommended black, Highly recommended red, Mandatory green, NOT recommended red and Informative pink, as indicated by the SIL selected in screen area (b). CAUTION: The screen shown in Figure 2 has all levels (Recommended, Highly reco
3. ...to all measures. In case the user feels this approach to be too weak, it is suggested to increase the SIL manually from 0 to 1. 6.5 About Part 1 of the standard: Requirements within Part 1 (General Requirements) are independent of SIL, except three requirements. Part 1 is presented in the RiskCAT tab Assessment. Part 1 does not make use of alternative requirements offering the possibility to choose between different approaches. Within Part 1 there are requirements requiring that Part 2 or 3, or certain clauses of those parts, shall be applied; this type of requirement has been skipped for the purpose of RiskCAT. The actual database for Part 1 is based on a PDF file dated 10.08.1999, size 643,897 bytes, containing the first edition of the standard dated 1998-12. That PDF includes the contents of corrigendum 1 of April 1999. Most Part 1 requirements are from clause 7, Overall safety lifecycle requirements; RiskCAT presents these requirements in its area 1b (Control System in relation to the EUC). All other Part 1 requirements are presented in RiskCAT area 1a (General). 6.6 About Part 2 of the standard: Part 2, which is about system requirements, makes use of SIL-dependent requirements in 8 tables of its annexes, which are about the selection of techniques and measures. Alternative requirements offering the possibility to choose between different techniques and measures are used i
4. (Contents, continued) 4.13 Retrieval in the original standards; 4.14 Context related retrieval in the original standards; 4.15 The context related presentation of explanations to the clause provided by IEC 61508 itself; 4.16 The context related presentation of terms used in the measure texts given in IEC 61508 Part 4; 4.17 Project session storage in a file; 4.18 Project session reload from a file; 4.19 Result storage as RTF file. 5 MENU FUNCTIONS: 5.1 File menu; 5.2 Standard Text menu; 5.3 Help menu. 6 IEC 61508 SPECIFIC FEATURES: 6.1 Presentation of the degree of obligation of the requirements; 6.2 About the license for the standards supplied with RiskCAT; 6.3 About some Key Words in the individual measure presentation in RiskCAT; 6.4 About the Safety Integrity Level (SIL); 6.4.1 Safety Integrity Level in the Risk Graph Approach; 6.4.2 Safety Integrity Level in the Probabilistic Approach; 6.4.3 Safety Integrity Level 0; 6.5 About Part 1 of the standard; 6.6 About Part 2 of the standard; 6.7 About Part 3 of the standard; 6.8 About the other parts of the standard; 6.9 Abbreviations. 7 APPENDIX: 7.1 List of Documents; 7.2 List of Activities. Figures: Figure 1 RiskCAT 61508 screen
5. Capturing the required measures from IEC 61508: CATS felt that in Part 2 there are three areas of weakness. First, it has been understood that IEC 61508 uses "failure" for the effect that the E/E/PES does supply its specified function, and that IEC 61508 uses "random failure" for the physical transition of a hardware device to defect. However, in several cases the feeling was that "failure" has been used instead of "random failure". For the RiskCAT measures a clear distinction between failure and random failure has been attempted. Second, most clauses of IEC 61508 Part 2 are valid for the E/E/PES as a whole; others are valid just for the hardware part. For the RiskCAT measures a clear distinction between those two areas of validity has been attempted by assigning them to the two areas 3 Control System and 4 Hardware. Third, with respect to integration tests: Part 1 Table A.2 mentions "Specification integration tests of programmable electronic and non-programmable electronic hardware"; in Part 2, 7.5.2, neither the document nor a related activity is mentioned. Part 1 Table A.2 mentions "Specification hardware architecture integration tests"; in Part 2, 7.5.2, neither the document nor a related activity is mentioned. Part 2, 7.4.2.11 suggests that an E/E/PES integration tests specification should exist, which is suggested by 7.5.2.1 as well. However, this spec is not
6. [Figure 1 screenshot residue: RiskCAT screen with SIL "No safety requirements"; legend: Measures within the standard, Measures possible (P), Measures recommended (R); tabs General, SW Architecture, Tools/prog. languages, Detailed D&D, Coding, Semi-formal methods, Module/SW integration testing. Measure list shown: Dynamic analysis and testing; Functional and black box testing. Software module testing: test of each module as specified; show by tests that modules perform the intended function; show by tests that modules do not perform unintended functions; documentation of test results (text for this clause may be interpreted as well as valid in case of failure in the test execution itself or a); specification of procedure for correction of SW based on test results. Software integration testing: test specification concurrently during design and development; spec involving test cases, test data, types of test tools; testing in accordance with test spec; show by tests that SW interacts correctly to perform the intended function; show by tests that SW does not perform unintended functions; documentation of test results including detected failures with reasons; impact analysis for SW changes during integration. Software module testing and Software integration testing, selection of techniques/measures to comply with these requirements: Probabilistic testing; Dynamic analysis and testing; Data recording and analysis; Functional and black box testing; Performance testing; Avalanche/stress testing; Response timings]
7. (List of Activities, continued; Table A.1) Overall validation; Overall operation; Overall maintenance; Overall modification and retrofit; Decommissioning or disposal; All phases. For RiskCAT the following activities have been added to those given by IEC 61508: Assess; Conform; Manage Documents; Manage Safety; Reliability Computation; Review; NA (not applicable).
8. Result storage is started via the menu File. For result storage there are some options given in the menu in a self-explaining manner. [Dialog residue: Data to be stored: IEC 61508 safety integrity level; measures selected; measures with item notes; measures not selected; Delimiter Char.] The option to select a delimiter character supports an import of the stored data into tables by a text processor. Example of a stored result: Store IEC 61508 results. Safety Integrity Level 2, value is valid. Columns: Measure; Reference in the part of IEC 61508; Degree of obligation for selected SIL; Note. Rows: Clear, precise, verifiable, maintainable specification; IEC 61508 Part 2, 7.2.2.2; M. Use of appropriate techniques to avoid mistakes during specification; IEC 61508 Part 2, 7.2.3.3; M. Structured specification; IEC 61508 Part 2, 7.2.3.3 Table B.1; HR; Company Standard: Structure of the Specification according to form Spec from Quality Management System. Computer aided specification tools; IEC 61508 Part 2, 7.2.3.3 Table B.1; R; Company Standard: Use of CALIBER. For the meaning of the abbreviations in the Degree of obligation column please refer to chapter 6.1 Presentation of the degree of obligation of the requirements.
9. (List of Documents, continued) Machine; All; NA (not applicable). Overall modification and retrofit procedures instruction (because of Part 1 clause 6.2.1.1). 7.2 List of Activities: RiskCAT takes the activities listed as examples in IEC 61508 Part 1 Tables A.1, A.2 and A.3 (pages 103, 105, 107) as presented in the following table. Activity / Table: Concept (A.1); Overall scope definition; Hazard and risk analysis; Overall safety requirements; Safety requirements allocation; Overall operation and maintenance planning; Overall validation planning; Overall installation and commissioning planning; Realisation (see Tables A.2 and A.3). E/E/PES safety requirements (A.2); E/E/PES validation planning; E/E/PES design and development; E/E/PES architecture. From Table A.2 (hardware) and from Table A.3 (software): Software safety requirements; Software validation planning; Software design and development; Hardware architecture / Software architecture; Software system design; Hardware module design / Software module design; Component construction and/or procurement / Coding; Software module testing; Software integration; Programmable electronic integration / Programmable electronic integration; Software operation and maintenance procedures; Software safety validation; Software modification. E/E/PES integration (A.2); E/E/PES operation and maintenance procedures; E/E/PES validation; E/E/PES modification; Overall installation and commissioning (A
10. (Figures, continued) Figure 2 RiskCAT Screen Parts; Figure 3 Presentation of the standard clauses in four levels. Acknowledgements and trademarks: All trademarks used in this manual are acknowledged. Windows 9, NT, 2000 and XP are trademarks of Microsoft. PDF is a trademark of Adobe Corporation, USA. XpdfViewer is a trademark of Glyph & Cog. InstallShield is a trademark of Macrovision Corporation. CATS Software Tools GmbH would like to thank our UK distributor PhaedruS Systems Ltd for proof reading and editing the English version of this manual (www.phaedsys.org). CATS Software Tools GmbH thanks the DKE (Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE) and the IEC (International Electrotechnical Commission) for permission to reproduce extracts from International Standard IEC 61508. All such extracts are copyright of IEC, Geneva, Switzerland. All rights reserved. Further information on DKE is available from www.dke.de and on the IEC from www.iec.ch. DKE and IEC have no responsibility for the placement and context in which the extracts and contents are reproduced by CATS Software Tools GmbH, nor are DKE/IEC in any way responsible for the other content or accuracy therein.
11. [Figure 1 screenshot residue, continued: ...and memory constraints; Performance requirements; Interface testing. Legend: Measures informative (I); Measures not recommended (NR); Measures highly recommended (HR); Measures mandatory (M). Area tabs: 1a General; 1b Control System in relation to the EUC; 2a Control System; 2b Hardware; 3a Software Non-Lifecycle; 3b Software Lifecycle but not D&D; 3c Software Design and development (D&D). Note shown: Text for this clause may be interpreted as well as valid in case of failure in the test execution itself, or as valid in case of failure in the SW under test. Clause: IEC 61508 Part 3, 7.4 / 7.4.] Figure 1: RiskCAT 61508 screen. RiskCAT is designed for use by embedded systems software professionals. Experience of using Windows on PCs is required. 2 Installation, First Start, Deinstallation. 2.1 The components of RiskCAT: RiskCAT is an application for Windows 2000, NT and XP. It is distributed on a USB memory stick. The USB memory stick has the following directory structure: RiskCAT_61508 (with the subdirectory XPDF); Tool_Documentation; CATS_Information. The directory RiskCAT_61508 contains, besides other files: the RiskCAT executable RiskCAT_61508_V54e.exe; the help file RiskCAT_61508_V54e.hlp; the help content file RiskCAT_61508_V54e.cnt; the standard file IEC61508_GB_1.pdf. The subdirectory XPDF of directory RiskCAT_61508 contains: Th
12. ...contained in Part 1 Table A.2. As a conclusion, RiskCAT uses the E/E/PES integration tests specification; however, it does not use the "Specification integration tests of programmable electronic and non-programmable electronic hardware". 6.7 About Part 3 of the standard: As Part 2, Part 3, which is about software requirements, makes extensive use of SIL-dependent requirements in its annexes, which are about the selection of techniques and measures. Alternative requirements offering the possibility to choose between different techniques and measures are used in the annexes to some extent as well. RiskCAT presents those alternative sets of measures by a grey shaded background. The actual database for Part 3 is based on a PDF file dated 10.08.1999, size 537,549 bytes, containing the first edition of the standard dated 1998-12. That PDF includes the contents of corrigendum 1 of April 1999. Most Part 3 requirements are from clause 7, Software safety lifecycle requirements; RiskCAT presents these requirements in its areas 3c (Software Design and development, D&D) and 3b (Software Lifecycle but not D&D). All other Part 3 requirements are presented in RiskCAT area 3a (Software Non-Lifecycle). The tables of Part 3 Appendix A do not refine a special requirement but provide techniques and measures for a whole chapter of the standard. So, to ease ove
13. ...context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary. [Context menu residue: Edit note for measure; View standard; Measure explanation; Literature; Term Definition.] Activate the context menu (depress the right mouse button) while the pointer is in the measure window. Choose Measure explanation; RiskCAT will show the page of the standard, highlighting the explanation in context. The size of the standards window may be changed by positioning the mouse on the window's border (preferably on the left or right hand side), followed by pressing the left mouse button and then moving it. If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools. [Screenshot residue: page of the standard with a Safety Integrity Level table listing Boundary value analysis; Checklists; Control flow analysis; Data flow analysis; Error guessing; Fagan inspections; Sneak circuit analysis; Symbolic execution.] 4.16 The context related presentation of terms used in the measure texts given in IEC 61508 Part 4: For certain terms IEC 61508 Part 4 provides definitions. The RiskCAT Normal Package offers an interface for context-sen
14. ...different from the selected set. So here DeSelect is only the inverse function to Select if the SIL is the same for both actions. The selection is in addition to already selected measures. If the real interest is just to concentrate on the measures you are about to select, then precautions need to be taken that on starting the measure selection no measures are already selected. Example for the usage of selection of groups of measures: IEC 61508 in certain places explicitly mentions that certain solutions are possible; the key word in the standard is "may". If you doubt whether you may allocate a safety function across more than one safety-related system, you should select all possible measures and check them afterwards. (Footnote 3) For the degree of obligation please refer as well to chapter 6.1 Presentation of the degree of obligation of the requirements. 4.7 Selection of measures related to documents: The document related selection functionality is activated via the context menu (depress the right mouse button) in the measure window (screen part (e) in Figure 2). [Context menu residue: Standard measure group select; Aspect based selection; Copy measure to clipboard; Edit note for measure; View standard; Measure explanation; Literature; Term Definition.] After choice of Aspect selection, aspect Document based: E/E/PES modification log; E/E/PE
15. [Selection dialog residue: ...VALIDATION PLANNING; PROGRAMMABLE ELECTRONIC INTEGRATION; RELIABILITY COMPUTATION; REVIEW; Quit. Side note: Activities, page 33 of this manual.] The selection is in addition to already selected measures, so precautions need to be taken that at the start no measures are selected. 4.9 Selection of measures related to key words: The keyword related selection functionality is activated via the context menu (depress the right mouse button) in the measure window (screen part (e) in Figure 2). The set of keywords has been created based on work with and discussion about IEC 61508 by the authors. The selection is in addition to already selected measures, so precautions need to be taken that at the start no measures are selected. 4.10 Copying the actually marked measure into the clipboard: The copy to clipboard functionality is activated via the context menu in the measure window (screen part (e) in Figure 2). The steps are: mark the measure to be copied by a single left mouse button click (otherwise no measure will be found on the clipboard later on); activate the context menu (depress the right mouse button) while the pointer is in the measure window; choose Copy selected measure to clipboard, to copy the contents of the state line; use an application with clipboard functionality; insert or paste the clipboard contents. 4.11 Edit notes to th
16. 5 Menu functions. 5.1 File menu: Functions within the file menu are: Result storage (see chapter 4.19 Result storage as RTF file); Caliber result storage (for future use); Load project (see chapter 4.18 Project session reload from a file); Store project (see chapter 4.17 Project session storage in a file); Exit (closes RiskCAT). 5.2 Standard Text menu: Functions within the standards text menu are: Standard view by XpdfViewer (see chapter 4.13 Retrieval in the original standards). 5.3 Help menu: Functions within the help menu are: Help (the main texts of this user's manual are supplied as help); About (informs about RiskCAT version and copyright). [About box residue: RiskCAT V54e; CodeAnalyzerToolSet; IEC 61508 V5.4e; Copyright 1996-2005 by G. Gloe and E.-U. Mainka.] The upper line in the About box identifies the version of RiskCAT 61508 (V5.4e). The lower line identifies the version of the database IEC 61508 (V5.2e) which is included in RiskCAT. 6 IEC 61508 specific features: The importance of IEC 61508 results from two objectives given in the scope of the standard: it is the basis for the development of application sector international standards; it is usable for applications without sector standards. To provide a good overall view on the measures required by IEC 61508, the main part requi
17. RiskCAT 61508 V5.4e User's Manual, 14 January 2006. CATS CodeAnalyzerToolSet. RiskCAT 61508: Requirements derivation from Risk classes. A Tool of the Code Analyzer Tool Set. User's Manual. Gunter Gloe & Ernst-Ulrich Mainka, Hamburg, www.cats-tools.de. Contents: 1 OVERVIEW; 2 INSTALLATION, FIRST START, DEINSTALLATION; 2.1 The components of RiskCAT; 2.2 Local Operation on a PC; 2.3 Uninstallation on a local PC; 2.4 Network Installation of RiskCAT; 3 BASICS; 3.1 Screen parts; 3.2 Interrelationship between the screen parts; 3.3 Measure states; 3.4 Measure colours; 3.5 Structure of the measures presentation used with RiskCAT; 4 TASKS; 4.1 Selection of risk parameters; 4.2 Evaluation of Safety Integrity Level based on the risk parameters selected; 4.3 Manual pre-selection of the Safety Integrity Level; 4.4 Structured overview on the recommended measures; 4.5 Selection of individual measures; 4.6 Selection of groups of measures according to the degree of obligation; 4.7 Selection of measures related to documents; 4.8 Selection of measures related to activities (life cycle phases); 4.9 Selection of measures related to key words; 4.10 Copying the actually marked measure into the clipboard; 4.11 Edit notes to the marked measure; 4.12 Overview on defined terms in the measures texts
18. [Document selection dialog residue: entries E/E/PES modification procedures instruction; E/E/PES verification report; Hazard and risk analysis description; E/E/PES operation and maintenance instruction; E/E/PES safety plan; E/E/PES safety requirements specification; E/E/PES user instruction; E/E/PES validation plan; E/E/PES validation report; E/E/PES verification plan; selection aspects Characteristic, Document, Functions, Activity, Integrity; Quit.] ...the selection form shown on the left appears. The set of documents is based on Tables A.1 to A.3 of IEC 61508 Part 1. It is listed in Appendix 7.1 List of Documents (page 30 of this manual). Apart from the possibility to select according to the documents list, RiskCAT offers selection according to activity (life cycle phase). Of course documents and life cycle phases are related to each other. However, in IEC 61508 a phase generally results in several documents, and on the other hand a document may be used for different phases. Therefore RiskCAT uses documents as well as activities. If you are interested in a very specific selection, you should just apply a single document or activity. If your interest is to get a complete view, you should run two selections after each other: in one selection type, choose the document of
19. ...ach provided by IEC 61508 Part 5, Figure D.1. 6.4.1 Safety Integrity Level in the Risk Graph Approach: Below SIL 1, IEC 61508 Part 5 Figures D.1 and D.2 denote the SILs as "No safety requirements" and "No special safety requirements". Instead of this wording RiskCAT uses SIL 0; however, the wording of the standard is presented in addition to the SIL number. Beyond SIL 4, IEC 61508 Part 5 Figures D.1 and D.2 denote the SIL as "A single E/E/PES is not sufficient" or "An E/E/PE SRS is not sufficient". In addition to this wording RiskCAT chooses SIL 4. 6.4.2 Safety Integrity Level in the Probabilistic Approach: Table 3 of IEC 61508 Part 1 is the basis for the probabilistic approach with RiskCAT. It is restricted to a variation of the probability of a dangerous failure over 4 orders of magnitude, from > 10 /hour to < 10 /hour. In case the rate of dangerous failures may be > 10 /hour or needs to be < 10 /hour, IEC 61508 does not provide any SIL. RiskCAT results in SIL 0 if the rate of dangerous failures may be > 10 /hour; RiskCAT results in SIL 4 if the rate of dangerous failures needs to be < 10 /hour, and denotes the SIL as "SIL not valid". 6.4.3 Safety Integrity Level 0: The RiskCAT developers feel that there is no clear prescription within IEC 61508 about the degree of obligation of the required measures below SIL 1. So RiskCAT for SIL 0 assigns the lowest degree of obligation which is possible
20. 1 Overview: A prerequisite to produce and certify high quality embedded systems, including their software, is to know about the functional and non-functional requirements imposed on the embedded system. These requirements generally result from two different sources. One source is the specific requirements of the customer or producer, e.g. based on their applications or marketing strategy. The other source is the requirements imposed on the embedded system and its software by the state of the art, represented e.g. by national or international standards. [Figure residue: requirements from customer or project; requirements from state of the art or standards; Requirements Specification.] RiskCAT is a tool of the Code Analyzer Tool Set (CATS) for requirements capturing from standards, thereby providing the starting point for high quality development and products in the area of embedded systems and their software. The state of the art in quality of E/E/PES (electrical/electronic/programmable electronic systems) is provided to a large extent by IEC 61508. The design of RiskCAT is modular and widely configurable. It is possible for CATS to adapt the tool to modifications and enhancements of the standards applied, as well as to extend it to additional standards or other technical rules. The work tasks assisted by RiskCAT 61508 are: 1. the selection of risk parameters; 2. the evaluation of risk classes based
21. [Screenshot residue: measure window for Safety Integrity Level (Part 1 Table A.2 documents), showing the measures: Indication whether the SIL is for the low demand mode or the high demand or continuous mode of operation; IF different SILs in one system: highest requirements OR independence; IF a single system (which may be redundant) is used for SIL 4: meet criteria; Lower bounds for failure probabilities allocated to a single system are 10 exp 5 per demand respectiv; Documentation of safety requirements allocation; Exception of requirements from compliance for low complexity systems. Clause: IEC 61508 Part 1, 4.2.] If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools. 4.17 Project session storage in a file: Project storage has two distinct purposes, one for the normal user and another for the project leader or the quality manager. For the normal user it offers the possibility to interrupt and resume RiskCAT tool sessions; for this purpose the actual status is stored in binary RiskCAT project files. For the project leader or the quality manager it offers the possibility to fill in the comments to the measures; thereby advice may be given to the normal user by w
22. ...ch by the approach tabs: RiskGraph, or Prob.based (Probability based). The second step is selecting the risk parameters from the approach-specific selection boxes. For details of the IEC 61508 risk parameter selection see chapter 6.4 About the Safety Integrity Level (SIL) of this manual. In the selection RiskGraph, the full text of the risk parameters is presented in the RiskCAT Information line at the bottom line of the screen (screen part (f) in Figure 2). 4.2 Evaluation of Safety Integrity Level based on the risk parameters selected: [Screenshot residue: Safety Integrity Level (SIL) 3 control beside the area tabs.] The Safety Integrity Level is automatically processed on change of any influencing risk parameter. It is displayed at the bottom of the risk window. 4.3 Manual pre-selection of the Safety Integrity Level: The Safety Integrity Level applied to the measures can be modified directly and independently from the risk parameter selection by using the up/down switches of the Safety Integrity Level control. In this case the Safety Integrity Level background is greyed to indicate that there is a mismatch between the SIL used and the risk parameters selected. [Screenshot residue: greyed Safety Integrity Level control.] 4.4 Structured overview on the recommended measures: Each of the area tabs represents an
23. ...the XpdfViewer ActiveX Control Version 3.0 (XpdfViewerCtrl.ocx). The sub-subdirectory t1fonts in the subdirectory XPDF contains the fonts needed by the XpdfViewer. The directory Tool_Documentation contains: the product description RiskCAT_61508_V5_Product_4.pdf; this user manual RiskCAT_61508_UserManual_54e.pdf. The directory CATS_Information contains: the product description RiskCAT_50128_V411_Product.pdf; the description of the Static Analyzers of the Code Analyzer Tool Set, Overview and Motivation, StaticAnalyzers_5.pdf. Because of licensing conditions the standard file IEC61508_GB_1.pdf is for use with RiskCAT only. 2.2 Local Operation on a PC: RiskCAT 61508 does not need any installation. Just run the executable file RiskCAT_61508_V54e.exe from the directory RiskCAT_61508 on the USB memory stick. CAUTION: The execution of RiskCAT_61508_V54e is possible only from the original USB memory stick. For backup purposes the stick contents may be copied to any backup device; however, RiskCAT_61508_V54e will operate from the memory stick only. CAUTION: The first execution of RiskCAT_61508_V54e will install the XpdfViewer ActiveX Control Version 3.0 on the local PC. In case of version conflicts with an XpdfViewer already installed, please contact CATS via info@cats-tools.de. 2.3 Uninstallation on a local PC: As RiskCAT 61508 does not need any installatio
24. ...e are expressed explicitly in the tool. Requirements from IEC 61508 related to the production of further standards have not been implemented in RiskCAT. 6.2 About the license for the standards supplied with RiskCAT: By contract with the German Chapter of the IEC (DKE), CATS has been asked to declare with RiskCAT: "The data from the international standards series IEC 61508 are in use with permission of the IEC (International Electrotechnical Commission), Geneva. They have not been checked by IEC or their deputies. Authoritative for the application of the standard are the versions with the newest edition, which may be received from VDE VERLAG GMBH, Bismarckstr. 33, D-10625 Berlin, www.vde-verlag.de. The user shall pay attention to the national standards. CATS declares that the texts used correspond to the actual state of the IEC standards. 2001-09-24, CATS." 6.3 About some Key Words in the individual measure presentation in RiskCAT: To a certain extent IEC 61508 clauses themselves give a condition for their applicability. To ease identification of these conditionally applicable clauses, RiskCAT presents the respective individual measures starting with the Key Word IF. The end of the condition is marked by a separator. Some clauses do not apply in the case of a certain condition, e.g. clause 7.4.5 of Part 2. This is presented by RiskCAT by the Key Word IF NOT. Again the e
25. (4.11 Edit notes to the marked measure, continued) The purpose of edit notes is to provide: space for comments on a specific project, e.g. to log the reasoning for not selecting particular measures for the project; company-specific frames of prescribed measures as well as company-specific interpretations of measures; a log of results from audits, reviews or tests. The edit measure note functionality is activated via the context menu in the measure window. [Dialog residue: Measure Note, 250 characters max; example text "Semi formal methods not applied. We use structured method SADT instead."; buttons OK, Cancel.] The steps are: mark the measure for which the item note shall be edited by a single left mouse button click (otherwise nothing visible to the user will occur); activate the context menu (depress the right mouse button) while the pointer is in the measure window (screen part (e) in Figure 2); choose Edit note for measure. For looking at existing notes or modifying them, choose Edit note for measure again. Notes are saved via Project storage (see chapter 4.17 Project session storage in a file of this manual). They may be reloaded by Project reload. 4.12 Overview on defined terms in the measures texts: As shown in the figure below, terms defined in IEC 61508 Part 4 are highlighted in bold type in the presentation of the measure texts. [Screenshot residue: RiskCAT_V5.1 window; menu File, Standard Text, He
26. ed by the IEC 61508 measures, and such not by RiskCAT as well. Those are marked by [marker not preserved]. Lines beside the table indicate related pairs of documents.

Document (Table A.1):
• Overall safety plan
• Overall concept description
• Overall scope description
• Hazard and risk analysis description
• Overall safety requirements specification, comprising
  – Overall safety functions requirements specification and
  – Overall safety integrity requirements specification
• Safety requirements allocation description

Document (Table A.2):
• E/E/PES safety plan (for the related clauses please refer to Overall functional safety assessment plan)
• E/E/PES safety requirements specification, comprising
  – E/E/PES safety functions requirements specification and
  – E/E/PES safety integrity requirements specification
• E/E/PES architecture design description, comprising
  – HW architecture design description and
  – SW architecture design description

Document, Hardware (from Table A.2) / Software (from Table A.3):
• SW safety plan
• HW architecture design description (no report to this spec in A.2)
• HW module design specification
• HW modules
• HW modules test report
• E/E/PES user instruction
• E/E/PES operation and maintenance instruction
• E/E/PES modification procedures instruction
• E/E/PES modification request
27. he opportunity to access the part if the related PDF file is available.

6.9 Abbreviations

Abbreviations used in the CATS database of IEC 61508:
ALARP: As low as reasonably practicable
DB: Database
D&D: Design and development
E/E/PES: Electrical/electronic/programmable electronic system
EUC: Equipment under control
HW: Hardware
IF: see chapter 6.3 "About some Key Words in the individual measure presentation in RiskCAT"
OR: see chapter 6.3 "About some Key Words in the individual measure presentation in RiskCAT"
SFC: Systematic faults control
SIL: Safety integrity level
SW: Software
V&V: Verification and validation
[symbol not preserved]: see chapter 6.3 "About some Key Words in the individual measure presentation in RiskCAT"

7 Appendix

7.1 List of Documents

RiskCAT takes the documents listed as examples in IEC 61508 Part 1, tables A.1, A.2 and A.3 (pages 103, 105, 107), as presented in the following table. The names used in these tables partly have been slightly modified, e.g. "Plan safety" from table A.1 to "Overall safety plan" in RiskCAT. The documents in colour are documents in pairs:
• Yellow plans are related to green reports (and one log).
• Cyan plans and specifications are related to [text garbled in this copy].
Some of the documents listed in tables A.1, A.2 and A.3 are not address
28. hich means (e.g. tools, procedures, forms) compliance with the measure shall be achieved in a specific project. If certain measures are not applicable in a specific project or for a specific part of a project, the background for this may be supplied as comment as well. So the comments result in a company or project specific framework. This framework or requirements capture may be stored and used as a starting point by the normal users. The storage function is chosen by item "Store project" in the File menu.

4.18 Project session reload from a file

• For a new session the framework prepared by the project leader or the quality manager may be loaded.
• An interrupted and stored tool session may be resumed.

The restore function is chosen by item "Load project" in the File menu.

4.19 Result storage as RTF file

For further documentation, e.g. creation of checklists or test plans, RiskCAT offers storage as text file (Rich Text Format, RTF) of
• the selected risk parameter,
• the Safety Integrity Level (SIL) as shown in the risk window, that is either the SIL resulting from risk parameters or the manually pre-selected one,
• three sets of measures,
• measures contained in more than one set are stored once only.

For each measure the following items are stored:
• the measure text (text of the level 1 presentation),
• the reference to part as well as clause of IEC 61508,
• the degree of obligation,
• the note.
29. important theme within the scope of embedded controllers and their software. And each of the topic tabs represents a coherent set of measures. Just by selection of corresponding tabs, RiskCAT provides an overview about the measures with respect to the topic given as tab text.

4.5 Selection of individual measures

Individual measures are selected/deselected by a double click with the left mouse button. Selection is visible by
• a check mark to the left of the measure itself,
• a check mark to the left of the corresponding topic tab,
• a check mark to the left of the corresponding area tab.

[Screenshot: measure window with the "Documentation" topic tab under "Conformance to IEC61508", listing measures such as "The information need not be contained in physical documents", "Forms of documentation", "Sufficient information for subsequent phases and verification", "Sufficient information for management of functional safety", "Sufficient information for implementation of functional safety", "Information as stated in the clauses of IEC 61508 OR justification", "Accurateness, conciseness, understandability of documentation", "Titles, scope, index", "Documentation may take into account company procedures", "Revision index", "Search for relevant information"; selected measures and the "General" topic tab carry check marks.]

The selection is in addition to already selected measures. If the real interest is just to concentrate on the measures actually selected, precautions need to be applied to de-select any measures that may have been selected previously. See
30. lp [Screenshot: IEC61508 "Measures within the standard" window with columns Measures possible (P), recommended (R), highly recommended (HR), mandatory (M), not recommended, informative (I); topic tabs HW Architecture, Behaviour under random failures, HW Fault avoidance; measures: "6.5 Probability of failure due to random hardware failures less than target failure measure", "Estimation of failure probability taking into account architecture", "Estimation of failure probability taking into account common cause failures", "IF Hardware fault tolerance > 0: diagnostic test interval for required HW failure probability (see 7.4.3.2.1)", "IF Hardware fault tolerance = 0, low demand mode: diagnostic test interval for required HW failure probability (see 7.4.3.2.1)", "IF Hardware fault tolerance = 0, high demand or continuous mode: diagnostic test interval plus safety action time < proces...", "IF target failure measure is not achieved: prescribed steps to improve the safety integrity"; defined terms appear in bold.]

Just scrolling through the measures provides an overview about the defined terms used in the measures texts.

4.13 Retrieval in the original standards

RiskCAT offers an interface for viewing the original standards. For this the XpdfViewer (XpdfViewerCtrl.ocx) library is implemented.

[Screenshot: cover page of IEC 61508-3 as shown in the viewer: NORME CEI INTERNATIONALE / IEC INTERNATIONAL STANDARD 61508-3, P]
31. mmended, Mandatory, NOT recommended and informative. All users who may be colour blind should go to 7 Software Design and development (D&D) and Tab SW Architecture and set the SIL to 3. Then select in turn each of the measure settings to get the check mark by the relevant measures.

3.5 Structure of the measures presentation used with RiskCAT

RiskCAT starts from standards. So the original sets of measures are the standards, represented by the standard tabs (marked with (a) in Figure 2). A standard may consist of different parts, as e.g. IEC 61508 has 7 parts. The standard or even its parts may be so voluminous that it is not appropriate to use all measures as an entity. This has been the reason to break down some standards into areas, represented by the area tabs (marked with (c) in Figure 2). Depending on the standard, an area may consist of a part of a standard, some clauses of a standard, or some clauses of a part of a standard. For details see the standard specific descriptions in this manual. Most standards cover a variety of topics, represented by the topic tabs (marked with (d) in Figure 2). The approach has been to have an assignment between standards chapters and RiskCAT topics. However, in some cases standard chapters have been further split up because of a high number of measures or because of different matters covered in the same chapter. A f
32. n, so it does neither need any uninstallation. Uninstallation of XpdfViewer is accomplished by running WINDOWS System Control > Software > Installation/Uninstallation > selecting the XpdfViewer control.

2.4 Network Installation of RiskCAT

RiskCAT offers two different possibilities for network installations:
• You may access RiskCAT 61508 V54e on the USB memory stick network wide, or
• you may use a disk drive based installation.

For both types of network installation a single RiskCAT executable is relocated on the server (USB/disk drive). Additionally one XPDF Viewer is installed on each client (automatically; installation by RiskCAT in the start-up phase).

CAUTION: The number of simultaneous usage is limited by the licensed number of users. Please contact us for further information via info@cats-tools.de.

3 Basics

3.1 Screen parts

[Screenshot (Figure 2): RiskCAT_V5.4e main window: standard tab IEC 61508; risk window "IEC 61508 risk" with RiskGraph / Prob.-based selection; measure window "Measures within the standard" with columns Measures possible (P), recommended (R), highly recommended (HR), mandatory (M), not recommended, informative (I); topic tabs General, D&D, SW Architecture, Tools/prog. languages, Detailed D&D, Coding; risk parameters Consequence "Minor injury", Frequency of and exposure time in the hazardous zone "Rare to more often"; measures shown include "Semi-formal methods", "Module/SW integration testing", "Dynamic analysis and tes]
33. n these tables to some extent as well. RiskCAT presents those alternative sets of measures by grey shaded background. Within Part 2 there are requirements requiring that part 1 or certain clauses of this part shall be applied. This type of requirement has been skipped for purpose of RiskCAT. Tables A.16 to A.18 as well as B.1 to B.5, besides the importance, require a certain SIL dependent effectiveness. Effectiveness requirements are special for part 2. They are not presented in the actual RiskCAT version. The measures grouping in tables B.1 and B.4, as well as the second grouping in table B.5, with the opportunity to choose just one method, are valid only for R measures. Choice is not allowed for HR measures. Again this importance related grouping is special for part 2. It is not presented in the actual RiskCAT version.

Actual database for part 2 is based on a file dated 06.11.2000, size 919,951 Bytes, containing the First edition of the standard dated 2000-05. All requirements contained in part 2 are given in clause 7 "Lifecycle requirements on the E/E/PES". On the one hand, these requirements are concerned with the control system as a whole (hardware plus software). These requirements are presented in RiskCAT area 2a "Control System". On the other hand, these requirements are concerned just with the hardware only. These requirements are presented in RiskCAT area 2b "Hardware".
34. nd of the condition is denoted by [symbol not preserved]. To a certain extent, again within a single IEC 61508 clause, there is a choice between different measures. To present this situation without splitting up the clause into too many individual measures, RiskCAT uses the Key Word "OR" in its presentation. To a certain extent, again within a single IEC 61508 clause, several measures are required, e.g. several documents. To present this situation without splitting up the clause into too many individual measures, RiskCAT may give some of the measures (the most important ones hopefully), ending up with [symbol not preserved].

6.4 About the Safety Integrity Level (SIL)

The IEC 61508 provides several approaches to determine the Safety Integrity Level to be required for an E/E/PES.

CAUTION: Using these approaches you should be aware that they are informative only. So it is not appropriate to base decisions about sufficiency of a certain SIL on these approaches merely.

(Footnote: The original clause is in German language. Because no official translation has been available, this translation is by CATS.)

RiskCAT supports IEC 61508 by implementation of two of these informative approaches:
• a probabilistic (quantitative) approach according to IEC 61508 part 5, Annex C;
• the Risk Graph approach according to IEC 61508 part 5, Figure D.2 and Table D.1.

CAUTION: Please be aware that there is a different Risk Graph appro
35. next chapter of this manual for global selection/de-selection of measures.

4.6 Selection of groups of measures according to the degree of obligation

The selection of groups according to the degree of obligation (footnote 3) under the currently selected SIL of the measures is activated via context menu (depress of right mouse button in the measure window, screen part e in Figure 2).

[Screenshot: context menu with entries Standard measure group selection, Aspect based selection, Copy measure to clipboard, Edit note for measure, View standard, Measure explanation, Literature, Term Definition; and the dialog "IEC measure group selection" with "Measures to be (de)selected": Measures possible, Measures recommended, Measures highly recommended, Measures not recommended; "Selection range": whole standard / actual page; buttons Select, DeSelect, Quit, OK.]

After choice of "Standard measure group selection" the selection form shown on the left appears. If "whole standard" is activated, the selection will be for all measures in all areas, for all topics. If "actual page" is activated, the selection will be just for the measures in the visible topic tab. The visibility of the selection is the same as for individual measures selection.

CAUTION: If you change the SIL between group selection and the DeSelect, the set of deselected measures may be
36. obabili [Screenshot continued: risk parameter "Probability of the unwanted occurrence"; area tabs 2b Hardware, 1b Control System in relation to the EUC, 3a Software Non-Lifecycle; Safety Integrity level (SIL) "No safety requirements"; information line: "... as well as valid in case of failure in the test execution itself or as valid in case of failure in the SW under test. Clause IEC 61508 Part 3, 7.4.7.4"]

Figure 2: RiskCAT screen parts: (a) Standard tabs, (b) Risk window, (c) Area tabs, (d) Topic tabs, (e) Measure window, (f) Information line.

3.2 Interrelationship between the screen parts

The screen parts (c), (d) and (e) are used to present the measures. The Safety Integrity Level (SIL) selected in screen part (b) controls the degree of obligation of the measures given in screen part (e). However, the two screen parts are largely independent from each other. The screen relationship between the measures group (parts (c), (d) & (e)) and the SIL block on the left may be adjusted. This is accomplished by a single left mouse button click on the border line between the screen parts (b) and (c) and moving the mouse afterwards.

CAUTION: The measures selected in screen part (e) are consistent with the safety integrity level shown in screen part (b) only if the RiskCAT usage is according to chapter 4.6 "Selection of groups of measures according to the degree of obligation" of this manual.

3.3 Measure states
37. of licensed standard files. With the Basic Package, IEC 61508 parts 1, 2 and 3 are available. And with the Normal Package, parts 4 and 7 are also provided. The context related retrieval is activated via context menu in the measure window (screen part e in Figure 2). The steps are:
• Mark the measure establishing the context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary.
• Activate context menu (depress right mouse button while the pointer is in the measure window).
• Choose "View standard".

[Screenshot: context menu with entries Standard measure group selection, Aspect based selection, Copy measure to clipboard, View standard, Measure explanation, Literature, Term Definition.]

RiskCAT will show the page of the standard, highlighting the clause in context. The size of the standards window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it.

[Screenshot: measure window for verification, listing "Planning including strategies, tools, evaluation of results", "Verification in accordance with the plan", "Documented evidence for satisfactory completion of verified phase", "Documentation of verified items, scale, non-conformances", "Availability of information for correct execution of the next phase", "Verification of information for correct execution of the next phase", "Verification of safety requirements archi]
38. ompany templates in a project file (project storage),
18. the reloading of measure profiles,
19. the result storage as text file (Rich Text Format, RTF) consisting of
• selected risk parameters,
• risk class,
• selected measures and
• the notes related to the selected measures.

An important advantage of the tool supported approach is the possibility to vary interactively risk parameters, risk classes and sets of process and realization measures, defining alternative or optimized sets of measures to reach specified quality, safety or reliability targets.

The purpose of RiskCAT 61508 is to assist the user in application of the IEC 61508. However, it is of course not the purpose of the tool to replace the standard. Anyhow, the detailed and precise wording of the standards' clauses needs to be considered to claim conformance with the standards. RiskCAT's condensed presentation of the standards' contents has been established for the purpose of ease of work, overview and general navigation.

[Screenshot: RiskCAT_5.4e window, menu bar File, Standard Text, Help; standard tab IEC61508; risk window "IEC 61508 risk" with RiskGraph / Prob.-based; risk parameters Consequence "Minor injury", Frequency of and exposure time in the hazardous zone "Rare to more often", Possibility of avoiding the hazardous event "Possible under certai...", Probability of the unwanted occurrence "very slight probabili...", Safety Integrity level]
39. on the risk parameters selected,
3. manual pre-selection of risk class,
4. the structured overview on the recommended measures,
5. the selection of individual measures,
6. the selection of groups of measures according to the degree of obligation,
7. the selection of measures related to documents,
8. the selection of measures related to activities (life cycle phases),
9. the selection of measures related to key words,
10. the copy function for the actually marked measure into the clipboard,
11. the possibility to edit notes for each individual measure,
12. overview on defined terms in the measures texts,

(Footnotes: The set of documents used is based on Tables A.1 to A.3 of IEC 61508 Part 1. The set of life cycle phases used is based on Tables A.1 to A.3 of IEC 61508 Part 1.)

13. retrieval in the original standards (available only if the user has installed pdf files of the concerned standard in the RiskCAT target installation directory),
14. the context related presentation of the original standard's clause,
15. the context related presentation of explanations to the clause given in IEC 61508 itself (available only for part of the clauses and only with the RiskCAT Normal Version),
16. the context related presentation of terms used in the measure texts given in IEC 61508 part 4 (available only with the RiskCAT Normal Version),
17. the storage of measure profiles as project or c
40. rements and the contents of tables have been integrated as far as reasonably possible. The number of tabs has been kept acceptably low by this.

6.1 Presentation of the degree of obligation of the requirements

Up-to-date IEC standards such as IEC 61508 use four key words to identify their requirements (the first three explanations are from chapter 3 "Definitions" of IEC 61226):
• "shall" indicates requirements that are mandatory for compliance with the standard;
• "should" indicates requirements that are not mandatory for compliance with the standard but are strongly recommended;
• "may" indicates that compliance with the recommendation is optional;
• "must not" indicates requirements that are mandatory for compliance with the standard.

Furthermore IEC 61508 indicates in tables specific requirements related to Safety Integrity Levels (SIL) as highly recommended, recommended, possible or not recommended.

Within RiskCAT only one set of key words for the degree of obligation of requirements is used. To realize this:
• "shall" requirements are classified as mandatory,
• "should" requirements are classified as highly recommended,
• "may" recommendations are classified as possible,
• "must not" requirements are classified as mandatory for all SILs.

Contents from notes and informative annexes have not been adopted to RiskCAT generally. However, in a very few cases it was felt that they are essential for application of the standard. As a consequence thos
41. remi [Screenshot continued: IEC 61508-3 cover page: Première édition / First edition 1998-12; Publication fondamentale de sécurité / Basic safety publication; Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 3: Software requirements.]

The XpdfViewer provides the following functions: First page, Last page, Previous page, Next page, Back to selection, Go to page, Find, Find next, Add page to hotlist, Adjust to page height, Adjust to page width, Copy text to clipboard.

Prerequisite for the retrieval is the availability of licensed standard files. With the Basic Package, IEC 61508 parts 1, 2 and 3 are available. And with the Normal Package, parts 4 and 7 are also provided. Retrieval is started via the "Standard Text" menu. The size of the standards window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it.

4.14 Context related retrieval in the original standards

Besides the interface for full text browsing, RiskCAT offers an interface for context sensitive browsing in the original standards. Again, prerequisite for this task is the availability
42. rview and keep low the number of topic tabs, the contents of the tables from Appendix A are presented together with the main part requirements as far as they are concerned with just one chapter. However, to provide the possibility of easy identification of the techniques/measures from the appendix, they are preceded by a [symbol not preserved]. To increase clarity, RiskCAT 61508 is listing the three measures by Table B.6 "Performance testing" twice. They are listed as well in area 3b "Software Lifecycle but not D&D" as in area 3c "Software Design and development (D&D)".

6.8 About the other parts of the standard

Part 5, which is about the determination of safety integrity levels, does not involve any requirement. However, extensive use has been made of this part in realizing the group box "IEC 61508 risk". Therefore RiskCAT offers the opportunity to access the part if the related PDF file is available.

Part 4 is about terms only. It is used by RiskCAT for purpose of the context related presentation of terms (see 4.16 "The context related presentation of terms used in the measure texts given in IEC 61508 part 4", Normal Package only).

Part 6 and part 7 are examples and explanations. They are used by RiskCAT for purpose of the context related presentation of explanations, especially part 7 (see 4.15 "The context related presentation of explanations to the clause provided by IEC 61508 itself", Normal Package only). Again RiskCAT offers t
43. sitive browsing the definitions from the original standard. The defined terms used in the measures presentation are presented in bold. The context related term definition is activated via context menu in the measure window. The steps are:
• Go with the cursor to a defined (bold) term. The type of the cursor, which normally is [symbol not preserved], will then change to [symbol not preserved].
• Activate context menu (depress right mouse button while the pointer is in the measure window).
• Choose "Term Definition".

[Screenshot: context menu with entries Standard measure group selection, Aspect based selection, Copy measure to clipboard, Edit note for measure, View standard, Measure explanation, Literature, Term Definition.]

RiskCAT will show the page of the standard, highlighting the definition in context. The size of the standards window may be changed by positioning the mouse on the window's border (preferred on the left or right hand side), followed by pressing the left mouse button and then moving it.

[Screenshot: RiskCAT window with the standards viewer open on IEC 61508-4; the measure window shows "Overall safety requirements", "Safety requirements allocation", "Operation and maintenance plan", "Validation plan", "Installation and commissioning plan"; the viewer highlights definition "3.5.12 mode of operation: way in which a safety-related system is intended to be used with respect to the frequency of demands made upon it, which m]
44. tecture [Screenshot continued: "system design", "SW safety requirements verification after specification, before design, including ...", "SW architecture verification after architectural design, including ...", "SW system design verification after system design, including ...", "SW module design verification after module design, including ...", "Code verification by static methods to ensure conformance to design"; PDF viewer form showing IEC 61508 Part 3, 7.9.2.12, "system integration (see 7.4.5)", Page 38.]

If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools.

4.15 The context related presentation of explanations to the clause provided by IEC 61508 itself

For certain clauses IEC 61508 itself provides additional explanations, mostly from part 7 of the standard. RiskCAT offers an interface for context sensitive browsing the explanations from the original standard. However, only the RiskCAT Normal package offers access to part 7.

[Screenshot: context menu with entries Standard measure group selection, Aspect based selection, Copy measure to clipboard, ...]

The context related explanation is activated via context menu in the measure window. The steps are:
• Mark the measure establishing the
45. ting [Screenshot continued (Figure 2, measure window): "Functional and black box testing"; Software module testing: "Test of each module as specified", "Show by tests that modules perform intended function", "Show by tests that modules do not perform unintended functions", "Documentation of test results" (information line: "Text for this clause may be interpreted as well as valid in case of failure in the test execution itself or ad..."), "Specification of procedure for correction of SW based on test results"; Software integration testing: "Test specification concurrently during design and development", "Spec involving test cases, test data, types of test tools", "Testing in accordance with test spec", "Show by tests that SW interacts correctly to perform intended function", "Show by tests that SW does not perform unintended functions", "Documentation of test results including detected failures with reasons", "Impact analysis for SW changes during integration"; Software module testing and Software integration testing, selection of techniques/measures to comply to these requirements: "Probabilistic testing", "Dynamic analysis and testing", "Data recording and analysis", "Functional and black box testing", "Performance testing", "Avalanche/stress testing", "Response timings and memory constraints", "Performance requirements", "Interface testing"; area tabs 2a Control System, 1a General, 3c Software Design and development (D&D); risk parameters Possibility of avoiding the hazardous event "Possible under certai...", Probability of the unwanted occurrence "very slight pr]
46. urther structuring is by grey shaded areas in the measure window. This presentation indicates that the marked requirements are alternatives to each other.

Figure 3: Presentation of the standard clauses in four levels. For each clause:
1. Short form, which is used for overview purpose, searching and selection via the RiskCAT window, and Rich text format output (e.g. to create checklists).
2. Standard text itself. The detailed and precise wording of the standards' clauses needs to be considered to claim conformance with the standards.
3. Additional explanation provided by the standard itself, as additional basis for detailed work (development, assessment) and as support for users not experienced with the standard.

4 Tasks

4.1 Selection of risk parameters

[Screenshot: RiskCAT_V5.1 window, menu bar File, Standard Text, Help; standard tab IEC61508; risk window "IEC 61508 risk" with RiskGraph / Prob.-based; risk parameters Consequence "Death to several peo...", Frequency of and exposure time in the hazardous zone "Frequent to permane...", Possibility of avoiding the hazardous event "Possible under certai...", Probability of the unwanted occurrence; area tabs 3 Control System, 1 General, 4 Hardware, Software Lifecycle but not D&D, in relation to the EUC, ...cycle.]

Defining risk parameters is performed in the risk window. The first step is the selection of the approa
47. your specific interest as well as "All". Terminate it with Ok.
• In the other or-type selection, choose the activity related to the document of your specific interest as well as "All". Terminate it again with Ok.

The selection is in addition to already selected measures. So precautions need to be applied that at starting no measures are selected.

4.8 Selection of measures related to activities (life cycle phases)

As with the document related selection functionality, the activity related selection is activated via context menu (depress of right mouse button in the measure window, screen part e in Figure 2).

[Screenshot: "Aspect related selection" dialog with Aspect: Activity / Characteristic / Document / Keyword, listing activities OVERALL INSTALLATION AND COMMISSIONING, OVERALL MAINTENANCE, OVERALL MODIFICATION, OVERALL MODIFICATION AND RETROFIT, OVERALL OPERATION, OVERALL OPERATION AND MAINTENANCE, OVERALL SAFETY REQUIREMENTS, OVERALL SCOPE DEFINITION, OVERALL VALIDATION, OVERALL VA...]

After choice of "Aspect based selection" the selection form shown on the left appears. The set of activities is based on Tables A.1 to A.3 of IEC 61508 Part 1. It is listed in Appendix 7.2 "List of
