- Home
- Machinery Directive
- History of the Machinery Directive 2006/42/EC
- Machinery directive 2006/42/EC
- Whereas of machinery directive 2006/42/EC
- Articles of machinery directive 2006/42/EC
- Article 1 of machinery directive 2006/42/EC - Scope
- Article 2 of machinery directive 2006/42/EC - Definitions
- Article 3 : Specific Directives of machinery directive 2006/42/EC
- Article 4 : Market surveillance of machinery directive 2006/42/EC
- Article 5 : Placing on the market and putting into service - machinery directive 2006/42/EC
- Article 6 : Freedom of movement - machinery directive 2006/42/EC
- Article 7 : Presumption of conformity and harmonised standards - machinery directive 2006/42/EC
- Article 8 : Specific measures - machinery directive 2006/42/EC
- Article 9 : Specific measures to deal with potentially hazardous machinery - machinery directive 2006/42/EC
- Article 10 : Procedure for disputing a harmonised standard - machinery directive 2006/42/EC
- Article 11 : Safeguard clause - machinery directive 2006/42/EC
- Article 12 : Procedures for assessing the conformity of machinery - machinery directive 2006/42/EC
- Article 13 : Procedure for partly completed machinery - 2006/42/EC
- Article 14 : Notified bodies - machinery directive 2006/42/EC
- Article 15 : Installation and use of machinery - machinery directive 2006/42/EC
- Article 16 : CE marking - machinery directive 2006/42/EC
- Article 17 : Non-conformity of marking - machinery directive 2006/42/EC
- Article 18 : Confidentiality - machinery directive 2006/42/EC
- Article 19 : Cooperation between Member States - machinery directive 2006/42/EC
- Article 20 : Legal remedies - machinery directive 2006/42/EC
- Article 21 : Dissemination of information - machinery directive 2006/42/EC
- Article 22 : Committee - machinery directive 2006/42/EC
- Article 23 : Penalties - machinery directive 2006/42/EC
- Article 24 : Amendment of Directive 95/16/EC - machinery directive 2006/42/EC
- Article 25 : Repeal - machinery directive 2006/42/EC
- Article 26 : Transposition - machinery directive 2006/42/EC
- Article 27 : Derogation - machinery directive 2006/42/EC
- Article 28 : Entry into force - machinery directive 2006/42/EC
- Article 29 : Addressees - machinery directive 2006/42/EC
- ANNEX I of machinery directive 2006/42/EC - Summary
- GENERAL PRINCIPLES of annex 1 of machinery directive 2006/42/EC
- 1 ESSENTIAL HEALTH AND SAFETY REQUIREMENTS of annex 1 - definitions - machinery directive 2006/42/EC
- Article 1.1.2. Principles of safety integration of annex 1 machinery directive 2006/42/EC
- Article 1.1.3. Materials and products annex 1 machinery directive 2006/42/EC
- Article 1.1.4. Lighting - annex 1 machinery directive 2006/42/EC
- Article 1.1.5. Design of machinery to facilitate its handling - annex 1 machinery directive 2006/42/EC
- Article 1.1.6. Ergonomics - annex 1 machinery directive 2006/42/EC
- Article 1.1.7. Operating positions - annex 1 machinery directive 2006/42/EC
- Article 1.1.8. Seating - annex 1 machinery directive 2006/42/EC
- Article 1.2.1. Safety and reliability of control systems - annex 1 of machinery directive 2006/42/EC
- Article 1.2.2. Control devices - annex 1 of machinery directive 2006/42/EC
- Article 1.2.3. Starting - annex 1 of machinery directive 2006/42/EC
- Article 1.2.4. Stopping - annex 1 of machinery directive 2006/42/EC
- Article 1.2.4.4. Assembly of machinery - Annex 1 of machinery directive 2006/42/EC
- Article 1.2.5. Selection of control or operating modes - annex 1 of machinery directive 2006/42/EC
- Article 1.2.6. Failure of the power supply - annex 1 of machinery directive 2006/42/EC
- Article 1.3. PROTECTION AGAINST MECHANICAL HAZARDS - annex 1 of machinery directive 2006/42/EC
- Article 1.4. REQUIRED CHARACTERISTICS OF GUARDS AND PROTECTIVE DEVICES - annex 1 of machinery directive 2006/42/EC
- Article 1.5. RISKS DUE TO OTHER HAZARDS - annex 1 of machinery directive 2006/42/EC
- Article 1.6. MAINTENANCE - annex 1 of machinery directive 2006/42/EC
- Article 1.7. INFORMATION - annex 1 of machinery directive 2006/42/EC
- Article 2. SUPPLEMENTARY ESSENTIAL HEALTH AND SAFETY REQUIREMENTS - annex 1 machinery directive 2006/42/EC
- Article 3. SUPPLEMENTARY ESSENTIAL HEALTH TO THE MOBILITY OF MACHINERY - annex 1 machinery directive 2006/42/EC
- Article 4. SUPPLEMENTARY REQUIREMENTS TO OFFSET HAZARDS DUE TO LIFTING OPERATIONS of machinery directive 2006/42/EC
- Article 5. SUPPLEMENTARY ESSENTIAL HEALTH AND SAFETY REQUIREMENTS FOR UNDERGROUND WORK of machinery directive 2006/42/EC
- Article 6. SUPPLEMENTARY REQUIREMENTS - HAZARDS DUE TO THE LIFTING OF PERSONS of machinery directive 2006/42/EC
- Annex II : Declarations of CONFORMITY OF THE MACHINERY, DECLARATION OF INCORPORATION - machinery directive 2006/42/EC
- Annex III of machinery directive 2006/42/EC - CE marking
- Annex IV of machinery directive 2006/42/EC
- Annex V of machinery directive 2006/42/EC
- Annex VI of machinery directive 2006/42/EC
- Annex VII - Technical file for machinery - machinery directive 2006/42/EC
- Annex VIII - Assessment of conformity of machinery directive 2006/42/EC
- Annex IX of machinery directive 2006/42/EC - EC type-examination
- Annex X of machinery directive 2006/42/EC - Full quality assurance
- Annex XI of machinery directive 2006/42/EC - Minimum criteria for the notification of bodies
- Annex XII of machinery directive 2006/42/EC - Correlation table between machinery directive 2006/42/CE and MD 1998/37/CE
- Machinery directive 1998/37/EC
- considerings of machinery directive 1998/37/CE
- articles of 1998/37/EC machinery directive
- Annex I of 1998/37/CE machinery directive
- Annex II of 1998/37/EC machinery directive
- Annex III of machinery directive 1998/37/CE
- Annex IV of machine directive 1998/37/EC
- Annex V of machines directive 1998/37/CE
- Annex VI of machines directive 1998/37/EC
- Annex VII of machines directive 1998/37/EC
- Annex VIII of 1998/37/CE machine directive
- Annex IX of machinery directive 1998/37/CE
- Machinery directive 1989/392/EC
- whereas of machinery directive machines 1989/392/EEC
- articles of machinery directive 1989/392/EEC
- Annex I of machinery directive 1989/392/EEC
- Annex II of machine directive 1989/392/EEC
- Annex III of machinery directive 1989/392/EEC
- Annex IV of machinery directive 1989/392/EEC
- Annex V of machinery directive 1989/392/EEC
- Annex VI of machine directive 1989/392/EEC
- Annexe VII of machinery directive 1989/392/EEC
- Amendments of 1989/392/EEC directive
- ATEX directives
- ATEX 94/9/EC directive
- Whereas of ATEX 94/9/CE directive
- Articles of ATEX 94/9/CE directive
- article 1 ATEX 94/9/EC directive
- article 2 ATEX 94/9/EC directive
- article 3 ATEX 94/9/EC directive
- article 4 : ATEX 94/9/EC directive
- article 5 : ATEX 94/9/EC directive
- article 6 : ATEX 94/9/EC directive
- article 7 : ATEX 94/9/EC directive
- article 8 ATEX 94/9/EC directive
- article 9 : ATEX 94/9/EC directive
- article 10 : ATEX 94/9/EC directive
- article 11 : ATEX 94/9/EC directive
- article 12 : ATEX 94/9/EC directive
- article 13 : ATEX 94/9/EC directive
- article 14 : ATEX 94/9/EC directive
- article 15 : ATEX 94/9/EC directive
- article 16 : ATEX 94/9/EC directive
- ANNEX I of ATEX 94/9/EC directive : CRITERIA DETERMINING THE CLASSIFICATION OF EQUIPMENT-GROUPS INTO CATEGORIES
- ANNEX II of ATEX 94/9/EC : directive ESSENTIAL HEALTH AND SAFETY REQUIREMENTS -EHSR
- ANNEX III of ATEX 94/9/EC directive : MODULE EC-TYPE EXAMINATION
- ANNEX IV of ATEX 94/9/EC directive : MODULE PRODUCTION QUALITY ASSURANCE
- ANNEX V of ATEX 94/9/EC directive : MODULE PRODUCT VERIFICATION
- ANNEX VI of ATEX 94/9/EC directive : MODULE CONFORMITY TO TYPE
- ANNEX VII of ATEX 94/9/EC directive : MODULE PRODUCT QUALITY ASSURANCE
- ANNEX VIII of ATEX 94/9/EC directive : MODULE INTERNAL CONTROL OF PRODUCTION
- ANNEX IX of ATEX 94/9/EC directive : MODULE UNIT VERIFICATION
- ANNEX X of ATEX 94/9/EC directive : CE Marking - Content of the EC declaration of conformity
- ANNEX XI of ATEX 94/9/EC directive: NOTIFICATION OF BODIES
- ATEX 99/92/EC Directive
- ATEX DIRECTIVE 2014/34/UE
- whereas of 2014/34/UE ATEX directive
- Articles of ATEX 2014/34/UE directive
- Annex 1 of ATEX 2014/34/UE directive
- Annex 2 of the ATEX 2014/34/UE directive
- Annex 3 of ATEX 2014/34/UE directive
- Annex 4 of ATEX 2014/34/UE directive
- Annex 5 of ATEX 2014/34/UE directive
- Annex 6 of ATEX 2014/34/UE directive
- Annex 7 of ATEX 94/9/EC directive
- Annex 8 of the ATEX 2014/34/UE directive
- Annex 9 of the ATEX 2014/34/UE directive
- Annex 10 of ATEX 2014/34/UE directive
- Annex 11 of ATEX 2014/34/UE directive
- Annex 12 of the ATEX 2014/34/UE directive
- Audits in Ex field - EN 13980, OD 005 and EN ISO/CEI 80079-34
- New ATEX directive
- RASE european project
- ATEX 94/9/EC directive
- IECEX
- Standardization & European Regulation
- Safety of machines : Standardization and European regulations
- European regulation for machines - standardization for machines - harmonized standards
- Standardization in machinery
- EN ISO 12100 - Décembre 2010
- EN ISO 12100-1 - January 2004
- EN ISO 12100-1:2003/A1
- EN ISO 12100-2 November 2003
- EN ISO 12100-2:2003/A1
- EN ISO 14121-1 September 2007
- ISO/TR 14121-2 - 2007
- EN 50205:2002 standard - Relays with forcibly guided (mechanically linked) contacts
- ISO 11161:2007
- ISO 13849-1:2006
- ISO 13849-2:2012
- ISO 13850:2006 - Safety of machinery -- Emergency stop -- Principles for design
- ISO 13851:2002 - Safety of machinery -- Two-hand control devices -- Functional aspects and design principles
- ISO 13854:1996 Safety of machinery - Minimum gaps to avoid crushing of parts of the human body
- ISO 13855:2010 - Safety of machinery -- Positioning of safeguards with respect to the approach speeds of parts of the human body
- ISO 13856-1:2013 Safety of machinery -- Pressure-sensitive protective devices -- Part 1: General principles
- ISO 13856-2:2013 - Safety of machinery -- Pressure-sensitive protective devices -- Part 2: General principles for design testing
- ISO 13856-3:2013 Safety of machinery -- Pressure-sensitive protective devices - Part 3: General principles for design
- ISO 13857:2008 Safety of machinery -- Safety distances to prevent hazard zones
- ISO 14118:2000 - Safety of machinery -- Prevention of unexpected start-up
- ISO 14119:2013- Interlocking devices associated with guards
- ISO 14120:2002 - Guards -- General requirements for the design and construction
- ISO 14122-1:2001 - Permanent means of access to machinery
- ISO 14122-2:2001 - Permanent means of access to machinery
- ISO 14122-4:2004 - Permanent means of access to machinery
- ISO 14123-1:1998 - Reduction of risks to health from hazardous substances emitted by machinery
- ISO 14123-2:1998 - Reduction of risks to health from hazardous substances emitted by machinery
- ISO 14159:2002 - Hygiene requirements for the design of machinery
- ISO 19353:2005 -- Fire prevention and protection
- ISO/AWI 17305 - Safety of machinery - Safety functions of control systems
- ISO/DTR 22100-2 - Safety of machinery -- Part 2: How ISO 12100 relates to ISO 13849-1
- ISO/TR 14121-2:2012 - Risk assessment - Part 2: Practical guidance
- ISO/TR 18569:2004 - Guidelines for the understanding and use of safety of machinery standards
- ISO/TR 23849:2010 - Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems
- STABILITY DATES FOR Machinery STANDARDS
- harmonized standards list - machinery-directive 2006/42/CE
- Publication of harmonised standards for machinery directive 2006/42/EC - 9.3.2018
- Harmonized standard list - machinery directive 2006/42/EC - 9.6.2017
- Harmonized standards for machinery - OJ C 2016/C173/01 of 15/05/2016
- Harmonized standards for machinery -OJ C 2016/C14/102 of 15/01/2016
- Harmonized standards for machinery - corrigendum OJ C 2015/C 087/03 of 13/03/2015
- harmonized standards for machinery - OJ C 2015/C 054/01 of 13/02/2015
- Application guide for machinery directive 2006/42/EC
- Guide to application of the machinery directive 2006/42/CE - July 2017
- Guide to application of the Machinery Directive 2006/42/EC - second edition June 2010
- Guide to application of machinery directive - 1-2 : The citations
- Guide to application of machinery directive - § 3 to § 31 The Recitals
- Guide to application of machinery directive - § 32 to § 156 - The Articles
- Guide to application of machinery directive - § 157 to § 381 - Annex I
- Guide to application of machinery directive - § 382 to § 386 - ANNEX II Declarations
- Guide to application of machinery directive - § 387 - ANNEX III CE marking
- recommendation for use - machinery directive 2006/42/EC
- Notified bodies under the machinery directive 2006/42/CE
- Safety of Ex, ATEX and IECEx equipments : Standardization
- Standardization in Ex Field
- The transposition of the ATEX 94/9/EC Directive to the 2014/34/EU directive
- harmonized standards list - ATEX directive 2014/34/EU
- Harmonized standard list for ATEX 2014/34/UE - 12-10-2018
- Harmonized standard list for ATEX 2014/34/UE - 15.6.2018
- Harmonized standard list for ATEX 2014/34/UE - 12-07-2019
- Harmonized standard list for ATEX 2014/34/UE - 9.6.2017
- Harmonized standards list ATEX 2014/34/UE directive - OJ C 126 - 08/04/2016
- Guide to application of the ATEX Directive 2014/34/EU
- application guide of 2014/34/EU directive - preambule, citations and recitals
- Guide to application of the ATEX 2014/34/UE directive - THE ARTICLES OF THE ATEX DIRECTIVE
- Guide to application of the ATEX 2014/34/UE directive - ANNEX I CLASSIFICATION INTO CATEGORIES
- Guide to application of the ATEX 2014/34/UE directive - ANNEX II ESSENTIAL HEALTH AND SAFETY REQUIREMENTS
- Guide to application of the ATEX 2014/34/UE directive - ANNEX III MODULE B: EU-TYPE EXAMINATION
- Guide to application of the ATEX 2014/34/UE directive - ANNEX IV MODULE D: CONFORMITY TO TYPE
- Guide to application of machinery directive - § 388 - ANNEX IV machinery and mandatory certification
- Guide to application of the ATEX 2014/34/UE directive - ANNEX V MODULE F: CONFORMITY TO TYPE
- Alignment of ten technical harmonisation directives - Decision No 768/2008/EC
- ATEX 94/9/EC directive documents
- ATEX 94/9/EC guidelines
- ATEX 94/9/EC guidelines 4th edition
- 1 INTRODUCTION of ATEX 94/9/EC guidelines 4th edition
- 2 OBJECTIVE OF THE ATEX DIRECTIVE 94/9/EC - ATEX 94/9/EC guidelines 4th edition
- 3 GENERAL CONCEPTS of ATEX 94/9/EC directive ATEX 94/9/EC guidelines 4th edition
- 4 IN WHICH CASES DOES DIRECTIVE 94/9/EC APPLY - ATEX 94/9/EC guidelines 4th edition
- 5 EQUIPMENT NOT IN THE SCOPE OF DIRECTIVE 94/9/EC - ATEX 94/9/EC guidelines 4th edition
- 6 APPLICATION OF DIRECTIVE 94/9/EC ALONGSIDE OTHERS THAT MAY APPLY - ATEX 94/9/EC guidelines 4th edition
- 7 USED, REPAIRED OR MODIFIED PRODUCTS AND SPARE PARTS - ATEX 94/9/EC guidelines 4th edition
- 8 CONFORMITY ASSESSMENT PROCEDURES - ATEX 94/9/EC guidelines 4th edition
- 9 NOTIFIED BODIES - ATEX 94/9/EC guidelines 4th edition
- 10 DOCUMENTS OF CONFORMITY - ATEX 94/9/EC guidelines 4th edition
- 11 MARKING - CE marking -ATEX 94/9/EC guidelines 4th edition
- 12 SAFEGUARD CLAUSE AND PROCEDURE - ATEX 94/9/EC guidelines 4th edition
- 13 EUROPEAN HARMONISED STANDARDS - ATEX 94/9/EC guidelines 4th edition
- 14 USEFUL WEBSITES - ATEX 94/9/EC guidelines 4th edition
- ANNEX I: SPECIFIC MARKING OF EXPLOSION PROTECTION - ATEX 94/9/EC guidelines 4th edition
- ANNEX II: BORDERLINE LIST - ATEX PRODUCTS - ATEX 94/9/EC guidelines 4th edition
- ATEX 94/9/EC guidelines 4th edition
- Harmonized standards list - ATEX 94/9/EC directive
- Harmonized standards list ATEX 94/9/EC directive - OJ C 126 - 08/04/2016
- Harmonized standards list ATEX 94/9/EC - OJ C 335 - 09/10/2015
- Harmonized standards list ATEX 94/9/EC - OJ-C 445-02 - 12/12/2014
- Harmonized standards list ATEX 94/9/EC - OJ-C 076-14/03/2014
- Harmonized standards list ATEX 94/9/EC - OJ-C 319 05/11/2013
- ATEX 94/9/EC guidelines
- European regulation for ATEX 94/9/EC ATEX directive
- Guide to application of ATEX 2014/34/EU directive second edition
- Safety of machines : Standardization and European regulations
- Latest news & Newsletters
- Functional safety
- Terms and definitions for functional safety
- Safety devices in ATEX
- The SAFEC project
- main report of the SAFEC project
- Appendix 1 of the SAFEC project - guidelines for functional safety
- Appendix 2 of the SAFEC project
- ANNEX A - SAFEC project - DERIVATION OF TARGET FAILURE MEASURES
- ANNEX B - SAFEC project - ASSESSMENT OF CURRENT CONTROL SYSTEM STANDARDS
- ANNEX C - safec project - IDENTIFICATION OF “USED SAFETY DEVICES”
- Annex D - SAFEC project - study of ‘ Used Safety Devices’
- Annex E - Determination of a methodology for testing, validation and certification
- EN 50495 standard for safety devices
- The SAFEC project
- Safety components in Machinery
- STSARCES - Standards for Safety Related Complex Electronic Systems
- STSARCES project - final report
- STSARCES - Annex 1 : Software engineering tasks - Case tools
- STSARCES - Annex 2 : tools for Software - fault avoidance
- STSARCES - Annex 3 : Guide to evaluating software quality and safety requirements
- STSARCES - Annex 4 : Guide for the construction of software tests
- STSARCES - Annex 5 : Common mode faults in safety systems
- STSARCES - Annex 6 : Quantitative Analysis of Complex Electronic Systems using Fault Tree Analysis and Markov Modelling
- STSARCES - Annex 7 : Methods for fault detection
- STSARCES - Annex 8 : Safety Validation of Complex Components - Validation by Analysis
- STSARCES - Annex 9 : safety Validation of complex component
- STSARCES - Annex 10 : Safety Validation of Complex Components - Validation Tests
- STSARCES - Annex 11 : Applicability of IEC 61508 - EN 954
- STSARCES - Annex 12 : Task 2 : Machine Validation Exercise
- STSARCES - Annex 13 : Task 3 : Design Process Analysis
- STSARCES - Annex 14 : ASIC development and validation in safety components
- Functional safety in machinery - EN 13849-1 - Safety-related parts of control systems
- STSARCES - Standards for Safety Related Complex Electronic Systems
- History of standards for functional safety in machinery
- Basic safety principles - Well-tried safety principles - well tried components
- Functional safety - detection error codes - CRC and Hamming codes
- Functional safety - error codes detection - parity and chechsum
- Functional safety and safety fieldbus
- ISO 13849-1 and SISTEMA
- Prevention of unexpected start-up and machinery directive
- Self tests for micro-controllers
- Validation by analysis of complex safety systems
- basic safety principles - safety relays for machinery
- Download center
- New machinery regulation
- Revision of machinery directive 2006/42/EC
- security for machines
STSARCES - Annex 1 : Software engineering tasks - Case tools
Annex 1
Software engineering tasks - Case tools
Final Report of WP1.1
CONTENTS
FORWARD
1. ELECTRONIC SYSTEMS RELATED TO SAFETY
1.1 Dependable electronic systems
1.1.1 Need for a system approach
1.1.2 Operation safety process
1.1.3 Obtaining and validating a dependable system
1.1.4 Explicit operation safety for mecatronic systems
1.2 Evaluating safety software
1.2.1 Specific features of safety software
1.2.2 Evaluating safety software
1.3 Requirements for safety software
2. SPECIFICATION AND VALIDATION OF SAFETY SOFTWARE
2.1 Requirements for specification
2.2 Methods of specification
2.3 CASE Tools for specification
2.4 Specification and validation procedure
3. CONCLUSION
4. APPENDIXES
4.1 “Specification methods” sheets
4.2 “Specification tools” sheets
4.3 Bibliography
FORWARD
The work described in this report was done within the framework of the European project STSARCES, acronym for “Standards for Safety Related Complex Electronic Systems”. This project groups together the main French and European organisations INRS, INERIS, CETIM, HSE, BIA, INSHT, SP, TÜV, and VTT, as well as the companies JAY ELECTRONIQUE and SICK AG, directly concerned by the safety of industrial systems. Five themes are treated by the various partners : software safety, equipment safety, validation of the safety of complex components, the connection between the European standard EN 954 and the project for an international standard CEI 61508, and the taking into account of technological innovations.
An in-depth study of the development methods and techniques for systems was also led. The contribution of the work done by CETIM concerns the drafting of safety software specifications and their validation. They highlight the importance of the global system approach.
Over the past years, traditional command systems have been replaced by programmed systems at an accelerated rate. The functionalities of these programmed systems has increased and become increasingly sophisticated, making them complex to produce. Their complexity indirectly causes an increase in potential faults in design and therefore failures in the systems designed.
The complexity and size of the present systems are such that it is impossible to eliminate all faults contained by a final control. To ensure that software development is mastered, it is necessary to established an adapted process.
Unlike mechanical systems, it is difficult to foresee the various failure modes. At the research office level, analysis of uncertain behaviour is not exhaustive and it is difficult to control and eliminate risks.
Since the software behaviour cannot be predicted and since potential incorrect behaviour cannot be quantified, it is impossible to analyse failure modes as for mechanical systems. Unlike equipment which may break down due to physical faults, software does not age and is really only affected by faults in design of human origin.
Introducing digital technology thus demands that designers make fundamental changes in their methods of approaching problems to be treated.
During the lifetime of software, one of the most delicate steps is to express needs in specifications. Drafting and evaluating specifications are important steps, especially for safety software.
Industrial fields in advanced technology (aeronautics, energy, railway transport, telecommunications) have integrated all of these concerns in the framework of developing their software. Concerning other sectors, such as mechanics, assistance, practical and easy operation documents must be made available to research offices, encouraging the appropriation of safety software development techniques, and more especially, their specifications.
The main work today is essentially done in the universities. It is not easily accessible to non specialists and its implementation requires an intellectual effort and a significant investment in training and in computer tools.
The CETIM work is part of this “Safety software specification” vision. Our goal is to reduce the distance between the state of the art and present practices, thus making methods and tools easier to use.
1. ELECTRONIC SYSTEMS CONCERNING SAFETY
1.1 Dependable electronic systems
1.1.1 Need for a system approach
Often safety needs and the verification of their implementation are tasks accomplished afterwards. To take the safety aspect into account when expressing needs implies a modelisation of the system which is different from that obtained when only the performance and cost aspects are considered.
In fact, while defining the functional needs of a system provides a description of their service the system is to render, defining safety needs describes the behaviour which the system must avoid. This description leads to identifying the functions which the system must fulfil in order to reduce the possibility that the behaviour to be avoided occurs.
From a system point of view, the safety concept may be planned on various levels. At a global lever, which is that of the mission, safety expresses the absence of accidents or incidents, concerning people, needs or the environment, and it is associated with the safety function. At the component level, it expresses the absence of behaviour which could cause an accident for the specified mission. Finally, the safety concept may also be considered at an output piloted by a component.
To ensure a determined level of safety, risks must be analysed first. This analysis process is continuous and iterative. It intervenes early in system development. The idea is to identify dangerous phenomena and attempt to eliminate them. In order to do this, the dangerous state must be suppressed at the system operational level, or all dangerous phenomena must be suppressed.
Since it is impossible to eliminate all dangerous phenomena cannot be eliminated, the associated risks must be evaluated and estimated. When a risk is considered high, measures must be imagined to reduce it, either by decreasing its severity, or by decreasing its probability of occurring.
Risk analysis is led on four levels :
- Very early in the life cycle : preliminary analysis of risks identifies critical functions (safety functions) and highlights dangers.
- At the system level : makes it possible to identify risks introduced by interface between sub-systems and risks of human errors.
- At the sub-systems level : each sub-system is analysed and the safety criteria, during normal operation or in a degraded mode, concerning the sub-system is identified.
- At the support and operations level : analysis identifies the procedures to reduce danger during use and maintenance of the system.
1.1.2 Operation safety process
The most traditional process, in the automobile industry and in mechanics, to ensure operational safety of systems is based on experience feedback. Engineers collect and analyse operational dependability data in order to eliminate and control risks of failures. This systems safety approach is issued from an industrial culture mainly based on system testing, rather than on analysis.
A second process is based on system dependability. This approach measures the probability of random failures, rather than the probability of a risk of an accident. It is not efficient to test the safety of systems and software.
A consequence of these two approaches is the use of well-tried components. Safety is not the property of an isolated element, but the combination of the equipment, the software and the environment in which the system is used.
The system approach to safety mainly consists in identifying risks as early as possible and classifying them, in order to undertake corrective actions to eliminate or minimise them before system design choices are made firm.
Several models of life cycles have been developed :
The cascade model is simple. A certain number of steps (or phases) is agreed upon. A step must end with the production of certain documents or software. The results of the step are thoroughly reviewed, and the next step is taken only when this review is considered satisfactory.
The V model, which is more recent, presents a more realistic approach to the relationship between development activities and verification activities, when there is a software code.
Cascade and V models have disciplined the software development process, by identifying its main activity and by specifying their sequencing. However, the linear vision introduced by these models and their rigidity have called by modifications and extensions of these models.
The first evolutionary model is the incremental model. Only one sub-assembly is developed at a given time. Core software is first developed, then increments are successively developed and integrated.
Another form of evolutionary development consists in relying on modelling, a common practice in the field of engineering. Producing models makes it possible to specify the needs and desires of the user, either globally or by focussing on certain functions.
A representative model of this approach is the spiral model. Development according to this model begins with a preliminary analysis of needs which is refined during the initial cycles, taking into account constraints and risk analysis. The originality of this model is to surround the development itself with phases devoted to risk analysis and to the determination of safety objectives.
At present, there is a strong tendency to prefer the definition of system development models in order to master the development of complex systems (the standard MIL-STD 499B prepared by the American department of defence, version EIA/IS-632 of which applies to commercial systems).
In order to harmonise system safety evaluation methods, ITSEC criteria (Information Technology Security Evaluation Criteria) and a method of evaluation ITSEM (Information Technology Security Evaluation Manual) have been elaborated. In this method, the evaluation process is based on two aspects :
- The study of dependability, which strives to analyse whether or not the system is apt to fulfil its safety objectives, in its design principle,
- The study of compliance, which strives to analyse whether or not safety functions and mechanisms are correctly installed.
The standard IEC61508 presents a development model for critical electrical/electronic/ programmable electronic systems. This model presents a generic development process. The approach adopted distinguishes four levels of criticality.
Depending on the levels of criticality identified for a system and for the software, this standard recommends the application of operation safety methods and techniques.
The various models described above mix fundamentally different activities, development itself and verification, and conserve the strict sequencing of activities.
The standard DO-178B, specific to the aeronautics industry, makes this separation. It recommends system structures which use design techniques allowing for partitioning, heterogeneous redundancy and monitoring. It offers a new software development model, the process model [LAP95]. Its B review consider that information on the system level are necessary as an entrance point into the software development process.
An explicit operation safety development model is proposed by LAAS-CNRS [LAP95]. It presents a global view and summarises the main activities required to develop a dependable operating system : fault prevention, fault tolerance, fault elimination and fault forecast.
The state of the art shows that developing a dependable system requires the integration of operation safety activities throughout the life cycle. It therefore becomes necessary to be able to certify critical systems, no longer only software.
1.1.3 Obtaining and validating a dependable system
Figure 1.1 shows the relationship between use of means, in a “traditional” quality process, to strive for a system exempt from faults, and the operation safety process, which implements other operation safety means in order to strive for a system exempt from failures.
While fault prevention attempts to prevent faults from occurring or from being introduced, fault forecasting attempts to estimate the presence, creation and consequences of faults.
Certain methods of evaluation are entirely ordinal, such as AMDEC (Analyse des Modes de Défaillance, de leurs Effets et de leur Criticité – Analysis of Failure Modes, their Effects and their Criticality) or APR (Analyse Préliminaire des Risques – Preliminary Risk Analysis); others are entirely based on probability such as MARKOV chains. Finally, certain methods may be used for both aspects, such as dependability diagrams and failure tree diagrams.
 |
Figure 1.1 : Elements comprising operation safety.
Three types of processes may be distinguished from among the forecasting methods :
- The inductive process moves from a particular situation to a more general situation. This is a detailed study of the effects consequences of failures have on a system,
- The deductive process moves from a more general situation to a more particular situation. This is the study of the causes of a failure on a system,
- The hybrid process is a combination of the two preceding processes.
Methods of evaluation based on probability require a modelling activity which consists in elaborating an analytical model parameterised with the rate of failure of each component in the system.
The two most recognised and most used models are MIL-HDBK-217F and RdF93. The MIL-HDBK-217F model is recognised on an international level and remains the reference in the electronic industry. The RdF93 model is a dependability collection published by CNET in France, more particularly for the telecommunications sector.
Fault elimination attempts to reduce the presence of faults, in quantity and severity, by three phases : verification, diagnostic and correction. After the correction phase, non regression must be verified, in order to ensure that elimination of the fault did not have any undesirable consequences.
Fault tolerance attempts to provide a service capable of fulfilling the function or functions despite the faults.
In many sectors of activity, the cost restriction does not allow for use of material redundancy. However, some fault tolerance techniques may be implemented in order to improve the dependability and safety of electronic systems :
- Watchdogs to check that the process is not blocked,
- Timer degradation to ensure processing speed,
- Inlet networks to filter parasites,
- Protection diodes, against overpressure (transitory or load dump),
- Inlet tests (limit values or loss of information),
- Outlet tests (intelligent power circuit for the diagnosis),
- Checksum on the read-only memory to detect memorisation errors which affect the software.
1.1.4 Explicit operation safety for mecatronic systems
A global mecatronic system is composed of two main sub-assemblies : the physical system which identifies the various mechanical hydraulic, pneumatic, electric, etc. parts, and the electronic system which integrates the actuators and the sensors, as well as the electronic command unit (equipment and software). The structure of the piloting system consists in expressing a global functional view (white box) of the system.
Operation safety studies must be applied when developing the system. The solution chosen must be justified and accompanied by the tracability of operation safety requirements on each of the three levels of knowledge of the system (global system, electronic piloting system and software).
 |
Figure 1.2 : Explicit operation safety process.
1.1.4.1 Establishing safety objectives
A safety objective for the global system may be allotted according to the return of experience with systems previously developed, based on expert judgement. The operation safety study must set a realistic objective. The objective for electronic systems is expressed by a rate of failure.
Allotting a safety objective for each function must be in keeping with the dependability objective expressed for the overall electronic system. Other complementary objectives may be necessary for maintenance actions.
1.1.4.2 Mecatronic system specification
Once the various events feared have been identified for the mecatronic system, the operation safety demands must be specified. The first step is to express operation safety assurance criteria which will be used to establish confidence in the operation safety level of the system.
The second step is to define the operation safety means which must be implemented to ensure control of operation safety when designing the electronic system.
The operation safety study of function and physical structures of the electronic system is composed of various activities. It is mainly accomplished by AEEL (analyse des effets des erreurs sur le logiciel – analysis of the effect of errors on the software) and by failure tree diagrams.
Using the software failure tree diagrams makes it possible to complete the AEEL, in order to warn against faults in design. The study is run on the software structure (specification and/or general design), in order to study the potential failure combinations which cause feared events in the software. Analysis of minimum cuts makes it possible to rank the critical elements of the software.
|
Types of software errors |
Classes of errors used |
|
Calculation error |
Evaluation of an incorrect equation, incorrect result to an operation
|
|
Algorithm error |
Error in instruction sequencing, (un)conditional incorrect branching, incorrect processing loop
|
|
Error in task synchronisation |
Incorrect synchronisation primitive type, unexpected synchronisation parameter
|
|
Error in data processed |
Error in definition, error in initialisation, error in manipulation, modification of the value of data
|
|
Error in interfacing between procedures |
Error in procedure instruction, error in procedure outlet, error in parameter transmission between procedures
|
|
Error in transferring data with the environment |
Error in defining data, error in data transmission,, incorrect transfer periodicity
|
Table 1.2 : Example of software error typology.
1.2 Evaluating safety software
1.2.1 Specific characteristics of safety software
Software is an intellectual creating including programs, procedures, rules and all associated documents, related to implementation of the programmed system. Software is materialised by specifications, a code (program) and documentation.
Software development is often difficult to control. Moreover, software is rarely a finished product; it evolves from one version to another, within very short periods of time. It is a paradoxical product, which may become obsolete, but is not subject to wear. On the contrary, it is best when used frequently. Finally, software development is essentially devoted to product design and testing and little emphasis is placed on series production.
One of the most important characteristics of software is that it is a product with countless inputs and which processes combinations far greater than the brain capacity. As a consequence, software behaviour cannot be fully apprehended by man. It is therefore separated into different modules. Nevertheless, it remains difficult to fully control the complexity of the product.
1.2.2 Evaluating safety software
The problem raised by software evaluation is to obtain justified confidence in the software behaviour. The software is often analysed according to the method used for its development.
The evaluation is then based on a wide variety of criteria such as its structure, its development process, or the manner in which it was written, even though, in fact, only its behaviour should be evaluated. This is why it is rather difficult to distinguish between development methods and evaluation methods. These two types of methods increasingly overlap one another.
Finally, it is interesting to note that there are no specific methods for critical software. The methods used for critical software and those used for traditional software differ by the requirements of the standards. The major difference, in fact, resides in the budget and the time devoted.
Evaluating software may have highly varied significations. In general, two levels of evaluation are frequently distinguished : validation and verification.
1.3 Software safety requirements
Expressing software safety requirements, as well as the taking into account and follow-up of these requirements throughout the software development cycle, remains within the field of avant garde projects to date. Information concerning these requirements is not actually diffused to the general public and often remains limited to a circle of experts.
Work concerning software safety requirements has be initiated by organisations such as ISdF (Institut de Sûreté de Fonctionnement – Operation Safety Institute), INRS (Institut National de Recherche et de Sécurité – National Institute for Research and Safety), as well as by INRETS (Institut National de REcherche sur les Transports et leur Sécurité – National Institute for Research concerning Transport and Safety) within the framework of research projects such as CASCADE (Certification and Assessment of Safety Critical Application Development) and ACRUDA. In general, all of this work resembles the needs of avionics, nuclear and railway transport fields.
Thus, based on collected information concerning practices in the industrial environment in the field of software safety, mainly in the defence, transport and space sectors, and concerning use of work and reflections by European groups (PDCS and EWICS/TC7) and national groups (AFCET and ISdF), work done by IsdF reflection groups has led to the elaboration of two synthesis documents. An initial guide to elaborate the safety requirements for the software, for the provider, and a second guide to develop software with strict safety requirements, for the contracting party have thus been drafted.
2. SPECIFICATION AND VALIDATION OF SAFETY SOFTWARE
2.1 Specification requirements
A study run by HSE concerning primary causes of failures on a population of 34 accidents, shows that the main part (44.1%) is caused by poor specification.
Special attention must be paid to :
- Adequation faults. Adequation between the need recognised and the actual need must be ensured,
- Over-specification. This may lead to unnecessary restriction and exclude certain solutions,
- Under-specification. This may allow for a manoeuvre margin which is too wide concerning the chosen solutions, and may lead to unacceptable choices,
- Unfortunate consequences of certain requests. Impossible or non verifiable objectives should not be specified. Requests to apply standards or guides should only be made once their contributions and negative impacts have been carefully considered,
- The form. It is recommended that enunciation remains precise, that styles “in keeping with the rules of the art” be avoided, that terminology be defined, that references from one document to another be avoided, that there be a constant concern for tracability and verification.
Requirements concerning the product and the processes, which may be applied to the software and its entities and auxiliary services, must be established by contract. A fair compromise must be made between contractual requirements which are necessarily severe, and the minimum freedom to be granted to the developer, i.e. which engages responsibility and motivation.
Formulating operation safety objectives must be quantitative, in terms of the rate or critical failures and/or qualitative, with a list of feared events, a qualitative analysis, the respect for specific procedures and regulations.
From the point of view of software output safety, feared events must be described perfectly. It is recommended that a preliminary list of accepted degraded operation modes be established as early as possible.
It is highly inadvisable to simply formulate quantitative requirements for the software.
2.2 Validation and specification methods
2.2.2 Specification methods
Three types of specification language may be distinguished : specification in ordinary language, semi-formal specification and formal specification.
Ordinary language is chosen as the specification language if it is usually used. It may prove to be ambiguous, contradictory and incomplete, since two major problems persist :
- Difficulty of expression : man does not think with words only.
- Difficulty of interpretation : a text need not be complex to be difficult to interpret. Specification may thus be interpreted differently depending on the definitions one possesses or those consider to be the definitions used by the drafter.
Informal specifications written in ordinary language are generally incomplete, incoherent, ambiguous, contradictory and erroneous; at best, errors introduced are discovered late in the life cycle of the software. As a consequence, it seems reasonable that they not be used for safety software.
Table 1.3 provides several specification methods and their main characteristics.
Contrary to ordinary language, specifications implemented by formal methods are not ambiguous, are precise, the semantics of notations is clearly defined. If one is familiar with the representation used, formal methods are a good means of communication and documentation.
In fact, formal methods are more than a tool for representation; they are also a technique for drafting specifications which restrains the designer to make abstractions and finally results in a better comprehension and modelisation of the specifications. It is sometimes even possible to make simulations.
Use of a formal method requires considerable investments in time and training. Formal methods are a significant step forward for the development and evaluation of critical software.
Table 1.4 provides a non exhaustive list of formal methods.
Name |
Place in the Life cycle and Purpose of The method |
Observations |
|
RdP Réseau de Pétri Pétri Network |
Specification Development |
Method based on transition systems, using tokens and spaces. It makes it possible to demonstrate properties such as non-blocking, vivacity or equity of a set of co-operating processes. It is often used to specify parallelism and synchronisation.
|
|
Statecharts |
Specification Development |
Specification method based on transition systems.
|
|
SADT (Structured Analysis Design Technique) |
Specification, design Development |
Graphic specification method. It uses boxes to represent data or activities and arrows to represent flows between data or these activities. It is sometimes designated as a semi-formal design method and is often used in industry.
|
|
SART (Structured Analysis Real Time) |
Specification Development |
Real time extension proposed for the structured S.A. method of E. Yourdon and T. de Marco. One of the most widely used structured software analysis methods for real time applications.
|
|
Z |
Specification, design Development |
Formal specification language based on the Zermelo theory of sets. It makes it possible to express functional conditions of the problem to be translated into set notation.
|
|
LDS |
Specification Development |
Specification and functional description language. It is subject to a CCITT standard.
|
|
CCS |
Specification Development |
Formalism used to describe parallelism semantics. It is based on process algebra and remains very abstract and impossible to be used to make useful conclusions.
|
|
CSP |
Specification Development |
Presents the same characteristics as CCS.
|
Table 1.3 : Specification methods which contribute to evaluating software.
|
Name |
Place in the Life cycle and Purpose of The method |
Observations |
|
VDM (Vienna definition method) |
Specification, Design Development Static evaluation |
The oldest and best established formal specification language. It is also a development method. It combines concrete notions such as types of data and abstract notions such as the theory of sets. Before – after predicates (pre and post conditions) where what does not change must be clarified, guides the refining of the specifications. Proof is required and written using a three value logic (True, False and Undefined). This particular logic does not simplify the establishment or the verification of proof. There is no mechanism to decompose or compose specifications or refinings. VDM has been chosen by the EEC, the English Standards Institution Committee and ISO to be used as the basis to develop a specification language standard.
|
|
B |
Specification, Design Development Static evaluation |
Formal method of specification based on the theory of sets and first order logic. Specifications are modelled using abstract machines. These machines, inspired by the object oriented design method, have three parts. The first describes the state and properties of the machine; the second specifies the operations which make it possible to modify the state; and the third records the composition connections with other machines. Specifications are developed using vertical iterations by refining and horizontal iterations by machine construction. Proof obligations are obtained by a substitution calculation. The B method is implemented by Atelier B, which strives to cover the entire development of software, from specifications and the production of proof obligations to code generation.
|
|
RAISE |
Specification, Design Development Static evaluation |
Set of tools which uses a specification formalism referred to as RSL and which combines the VDM method and process algebra.
|
|
CLEAN ROOM |
Specification, Design Development Static and dynamic evaluation |
Combines a formal method and a traditional software workshop. Specifications are written in PDL (Program Description Language) making it possible to define abstract machines. Development is done manually using refining and the generation of proof obligations. Finally, a series of statistic tests makes it possible to evaluate the dependability of the software developed. |
|
FDM (Formal Development methodology) |
Specification, Design Development Static evaluation |
Combines a specification language (Ina jo) and an assertion drafting language (Ina Mod). It implements abstract machines, refinings justified by proof obligations. It has the support of an interactive demonstrator, ITP, which takes care of proof, but remains rather limited. FDM is certified by the US National Computer Security Centre for safety applications. |
Table 1.4 : Formal methods which contribute to software evaluation.
2.2.3 Methods of validation
The first step is to make certain that software specifications are in compliance with user needs. This verification is relatively difficult to make since the user often expresses his needs in an informal, incomplete, imprecise or yet incoherent manner. This activity therefore mainly rests on the experience and the know-how of experts in the field.
The second level of evaluation corresponds to moving from specifications to the final code; the final code must be in compliance with the software specifications. This evaluation is in fact devoted to the software development process. Its success depends on the methods and tools issued from the software engineering.
The third level of evaluation, corresponding to moving from the final code to the software behaviour, consists in executing the final code to check the software behaviour. This level of evaluation is based on dynamic methods and is automatically controlled for the most part.
The fourth level of evaluation consists in making certain that the final code is in compliance with the user needs. For the same reasons as those expressed for the first level of evaluation, which are inherent to the nature of the user needs, this compliance is very difficult to demonstrate.
The fifth level of evaluation, corresponding to moving from specifications to software behaviour, consists in checking that the software behaviour is in compliance with what is described in the specifications. This activity was previously referred to as verification. It is also mentioned in documentation as the answer to the question, “Have we built the software correctly”. To date, this evaluation may be done by tests for which the initial sets have been elaborated based on specifications.
Over a longer period of time and by the intermediary of more elaborate methods, this evaluation may be done by program synthesis techniques or specification simulation techniques.
Finally, the sixth level represents the total evaluation activity.
 |
Figure 1.3 : Software evaluation activities.
2.3 CASE tools for specification and validation
The first CASE tools (Computer Aided Software Engineering) were developed as of 1985 in order to help software developers better understand and apply functional analysis methods and specification methods.
Despite the diversity of the tools available on the market today, the research we have done to identify those which enable safety software specification has remained sterile.
Appendix 4.2 contains the sheets of the 9 most renowned products.
Although oriented towards safety software development, the SCADE product (Safety Critical Application Development Environment) by VERILOG, does not have a sheet since it is not well adapted to small and medium sized applications.
2.4 Specification and validation procedure
The role played by specification for operating safety is to explicit “what to do?”, resulting from refining the specifications after functional analysis and preliminary risk analysis. It forms the interface between the analyst and the software designer, specifying the safety restrictions, such as execution time, inputs and outputs, the behaviour desired in case of failure, etc.
We contacted 7 French companies in order to report on the methods and tools used in the software development process, notably for critical software. Very few companies use specific methods. Among the companies which systematically implement software engineering methods and tools are companies involved in the automobile and nuclear industries.
It was very difficult for us to establish a procedure based on industrial practices concerning critical software specification. The interviews obtained with specialists from different horizons, enabled us to synthesise the following procedure for specification :
The specification phase is often based on the experience of the person in charge of drafting the specification.
It is necessary to :
- Provide a precise definition of the composition and role of the analysis and specification team
- have final users intervene early
- plan project reviews and their contents
- have the client express his needs as extensively as possible
- Facilitate “client”-developer” communication
- For specification, in so far as possible, use an adequate method and possibly an adequate tool
- (CASE tools ensure the unity of the dictionary and make it easier to avoid systematic transcription faults)
- a good drawing is worth 1,000 words
- imagine being in the client’s position and adopt his logic and his manner of expressing himself
- use neutral vocabulary for both parties, client / specification person or team
- incite the client to enter into the developer logic, in order that he may formalise his need better
- the client will thus express the needs he considers “evident” and therefore not necessary to be stated
- begin by making a functional analysis and a specification of the overall system
- make as complete a description as possible of the environment-operator-application interactions
- define the role of the operator
- take into account the application ergonomics : screens, alarm control, diagnostic, interventions for maintenance, etc.
- divide to rule better
- wait for the right moment in the system description before dividing specification tasks among the members of a team
- decrease the complexity by carefully chosen divisions
- minimise the information exchange flows
- do not decompose the system into more than three level, since complexity increases quickly and overall control may be lost
- decompose critical functions into primitive functions. Impasses may thus be highlighted.
- in parallel, during specification, specify the manner in which to check objective expectations (acceptance files) and the means necessary to complete the verification
- take the referential into full consideration : standards, guides, technical documents, etc., before referring to them in the specifications
- select elements which may be realised and measured in relation with the size of the application, the structure and culture of the company which develops the software
- validate the specifications by an internal audit type action done by a person / team other than that concerned by specification and development
- include the final user of the application
3. CONCLUSION
Faced with the fact that few software fault models exist, essentially design faults, the software operation safety procedure to be established must be based on the combined implementation of various complementary techniques.
Over and above the development process, it has been explained that organisation and management dimensions play an important role in safety software projects. The need to express safety requirements for the software, to take into account and follow-up these requirements throughout the development cycle is absolutely necessary. In addition to operation safety activities, the procedure must also include “quality” activities depending on the criticality of the software developed.
There is a great difference between software development practices and theoretical works which treat the subject.
It is difficult to elaborate an operation safety methodology for small and average sized companies. Organisational restriction, and more particularly the lack of operation safety culture, greatly complicate the elaboration of an operation safety process. There are no specific software safety specification tools for small and average sized applications.
Safety software specification is a very important phase in the life cycle. The procedure proposed highlights the prime importance of the role of communication between the person (team) doing the specification and the final user (client) and the necessity to use adapted methods and tools.
4. APPENDIXES
(see pdf file)
English
