Achieving functional safety with legacy software is bound to be a challenge, especially when it represents your first venture into such a certification process.
Functionally Safe Positioning with the LDRA tool suite
Mark Pitchford, Technical Specialist, LDRA Software Technology
Renishaw plc is one of the world's leading engineering and scientific technology companies, with expertise in precision measurement and healthcare. The company supplies products and services used in applications as diverse as jet engine and wind turbine manufacture, through to dentistry and brain surgery. It is also a world leader in the field of additive manufacturing (also referred to as metal 3D printing), where it is the only UK business that designs and makes industrial machines which "print" parts from metal powder.
Renishaw has more than 70 offices in 35 countries, with around 4,500 employees worldwide. Around 2,900 people are employed within the UK where the company carries out the majority of its research and development and its manufacturing.
Renishaw has an established and successful product in their RESOLUTE true-absolute, fine pitch optical encoder system, which is the world's first absolute encoder capable of 1 nm resolution up to 100 m/s for linear systems, and 32-bit resolution up to 36 000 rev/min for rotary systems.
In some markets, encoder position feedback is required to be functionally safe: one prime example of such a market involves machinery requiring safe motion functions, such as Safely-Limited Speed, or SLS. Using an encoder system that is already rated for use in these applications can make machine certification significantly easier. Adopting these advanced machine safety functions allows machine builders to make safer machines, capable of higher functionality, shorter set-up times and reduced machine downtime.
Renishaw had not previously developed absolute encoder products certified to functional safety standards. The first venture into any such certification is always a challenge, and the pre-existence of significant code from an established product introduced slightly different hurdles to those expected of a “clean sheet” project.
The whole project referenced three parts of IEC 61508:2010:
- Part 1: General Requirements
- Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
- Part 3: Software Requirements
For the Renishaw software team, the primary focus was on part 3 of the standard.
Requirements Granularity
The existing RESOLUTE product was developed in a systematic and professional way, but IEC 61508 demanded a different level of detail. One result of that was a more granular development process, in contrast to an approach that transitions straight from high-level requirements to coding.
Tool Qualification
IEC 61508 Part 4, Section 3.2.11 defines a “software off-line support tool” as “a software tool that supports a phase of the software development life cycle and that cannot directly influence the safety-related system during its run time.”
Software off-line tools are divided by the standard into the following classes:
- T1: generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety-related system;
- T2: supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software;
- T3: generates outputs which can directly or indirectly contribute to the executable code of the safety-related system.
The LDRA tool suite falls into the category of class T2, and has been verified as fully qualified to validate software applications for industrial safety (IEC 61508) by TÜV SÜD and SGS-TÜV Saar.
For the RESOLUTE FS project, Renishaw were required to provide a report to confirm that the results they were generating from the tool suite were as expected.
Static Analysis
Liz Smith, a Senior Software Engineer on the RESOLUTE FS project, described how the team approached their development work:
"The position determination and checking algorithms in RESOLUTE make it particularly well-suited to functionally safe operation," she said. "A high percentage of the firmware was already written, but the original development process did not meet the demands of IEC 61508 to level SIL2, so we weren't sure exactly what we required tool-wise." With the new, detailed requirements in place, static analysis was a logical starting point for re-engineering the code.
"We had decided to retrospectively apply the MISRA C:2012 standard to achieve the necessary compliance, and knew that our existing tools were not capable of that. The availability of LDRArules as a stand-alone item gave us the opportunity to experience the quality of both the tool and the support, without investing in the whole tool suite at that stage. The decision to put this 'toe in the water' with LDRA was made easier by the supportive recommendation of consultants SIRA, who were very helpful throughout and especially in preparing us for audit by CSA."
The retrospective application of MISRA C:2012 to the existing source code proved less challenging than at first thought. "We approached the upgrading of the code on a file-by-file basis, and although that was onerous to begin with, we soon got into the flow of things. LDRArules helped significantly in that the MISRA guidelines are frequently broken down in the LDRA reporting schema to less generic, more concise definitions."
“This improved granularity often made it easier to understand just what each individual rule violation related to. The detailed explanations in the LDRA documentation reinforced that, and LDRA’s support team were always at hand when we needed more help.”
Unit Test
Renishaw's successful experience with LDRA's static analysis tools led to the decision to acquire the TBrun unit test tool. "To comply with the requirements of the standard, we needed an efficient way of unit testing, and of showing code coverage associated with that testing," said Liz. "That caused no issues for the tool itself and the LDRA support team were again very helpful in getting us past any sticking points."
Although it is possible to develop unit tests using a simulator, Renishaw opted to do all of their testing on their target hardware, the Analog Devices Blackfin DSP BF534. Renishaw are very familiar with both the device and its debugging environment, and there was very little overhead involved in downloading and executing the tests on target.
In addition to completing the unit tests to demonstrate adherence to the IEC 61508 standard, Renishaw were also keen on the ability to perform regression tests with ease. "During development, regression tests allowed us to ensure that new modifications didn't affect existing functionality," said Liz. "Less obviously, they also give the ability to easily confirm that software is functioning in accordance with requirements if problems ever arise."
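As an added illustration of the two activities described above (the retrospective MISRA C:2012 sweep in the Static Analysis section, and the coverage-driven unit testing in this section), the following C example is not Renishaw or LDRA code and does not reproduce any RESOLUTE FS firmware. It constructs a hypothetical safely-limited-speed check as it might look in legacy firmware, next to a rewrite of the same function that satisfies the MISRA C:2012 guidelines an analyser such as LDRArules would flag. The rule numbers in the comments are quoted from memory of MISRA C:2012 and should be checked against the published document; the count limits, mode enumeration and function names are all constructed for the example.

```c
/* Added example: hypothetical encoder speed check, before and after a
 * MISRA C:2012 sweep. Not Renishaw or LDRA code; limits, names and the
 * mode enumeration are constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>

/* Constructed motion modes; MODE_SLS is the safely-limited-speed state. */
typedef enum { MODE_NORMAL = 0, MODE_SLS = 1 } motion_mode_t;

/* ---- Legacy style, as the analyser would see it before the sweep ---- */
/* Returns 1 if the movement between two samples is within the limit for
 * the given mode, 0 otherwise. Works for modes 0 and 1 but carries the
 * kind of constructs MISRA C:2012 flags. */
int legacy_speed_ok(int prev, int cur, int mode)
{
    int limit = 1000;                 /* magic number, no named constant    */
    int delta = cur - prev;           /* can overflow for extreme readings  */
    if (delta < 0) delta = -delta;    /* Rule 15.6: if body is not a compound statement */
    switch (mode) {                   /* Rule 16.4: no default label, so an    */
    case 1: limit = 100; break;       /* unknown mode silently gets the higher */
    }                                 /* NORMAL limit: the unsafe direction    */
    if (delta > limit) return 0;      /* Rule 15.6 again; Rule 15.5 (advisory): two exit points */
    return 1;
}

/* ---- Compliant rewrite of the same function ---- */
#define SPEED_LIMIT_NORMAL_COUNTS ((int32_t)1000)   /* constructed limits, in */
#define SPEED_LIMIT_SLS_COUNTS    ((int32_t)100)    /* encoder counts per sample */

/* Returns true if the movement between two position samples is within the
 * limit for the given mode. Unknown modes fail safe: only a stationary
 * axis passes. */
bool speed_within_limit(int32_t prev_pos, int32_t cur_pos, motion_mode_t mode)
{
    bool ok = false;
    int32_t limit = 0;
    /* Widen before subtracting so the difference of two int32_t values
     * cannot overflow (Rule 12.4-style concern: no wraparound on signed). */
    int64_t delta = (int64_t)cur_pos - (int64_t)prev_pos;

    if (delta < 0) {
        delta = -delta;
    }

    switch (mode) {
    case MODE_NORMAL:
        limit = SPEED_LIMIT_NORMAL_COUNTS;
        break;
    case MODE_SLS:
        limit = SPEED_LIMIT_SLS_COUNTS;
        break;
    default:
        /* Rule 16.4: every switch has a default. An unexpected mode value
         * is treated as a fault, so any motion at all is out of limit. */
        limit = 0;
        break;
    }

    if (delta <= (int64_t)limit) {
        ok = true;
    }
    return ok;   /* single point of exit */
}
```

The assertions used to exercise this example drive both sides of the sign test, every case of the switch including the default, and both outcomes of the final comparison, which is exactly the branch coverage evidence a tool such as TBrun reports against a unit under test; on the RESOLUTE FS project those tests ran on the Blackfin target rather than on a host. Note that the legacy and compliant versions agree for the two known modes but differ for an unknown mode value: the legacy version answers "within limit", the rewrite answers "out of limit", and it is the missing default label that the static analyser would point at.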
Product Launch, and beyond
"Following the IEC 61508 process gave us a great deal of confidence as the RESOLUTE FS product was launched," said Liz. "The LDRA tool suite provided us with the information that was required, such as code coverage, and it allowed us to test requirements that would not have been so completely proven by traditional methods."
The task of recoding in adherence to this standard has been a great learning experience for everyone involved. Liz continued: “The net effect was that we could focus functional code reviews on high risk requirements only, where we wanted an extra pair of eyes to ensure that implementation was correct; which saved many man hours.”
There is little that the team would have changed in retrospect. One exception centred around the tool version used for certification. "During our development process, there was a revision of the tool suite which had a feature revision that would have been useful for us," said Liz. "We decided to stick with the declared version rather than upgrade, but with hindsight perhaps we could have consulted with LDRA and the CSA to see whether that could have been handled differently."
The EPD team are now keen advocates of the software development processes laid down by the standard, and they are potential trailblazers for Renishaw via their Quality Focus Group. But perhaps the most ringing endorsement of all comes from within the encoder software team. Liz said: “The LDRA products were bought with the specific aim of certification for RESOLUTE FS but the beneficial effect on the development process has been such that we will continue to follow IEC 61508 methodologies and apply the tool suite in future.”
As though to confirm that, the team have just purchased a Target License Package from LDRA to allow them to develop tests for an NXP microprocessor for a new encoder product, and intend to use the LDRA tool suite to help them pursue test-driven development in future projects.