- single channel with periodic self-test and monitoring (H.2.16.7);
- dual channel (homogenous) with comparison (H.2.16.3);
- dual channel (diverse) with comparison (H.2.16.2).

NOTE Comparison between dual channel structures can be performed:

- by the use of a **comparator** (H.2.18.3) or
- by reciprocal comparison (H.2.18.15).

**H.11.12.1.2.2** **Control** functions with software class B shall have one of the following structures:

- single channel with functional test (H.2.16.5);
- single channel with periodic self-test (H.2.16.6);
- dual channel without comparison (H.2.16.1).

A software class C structure is also acceptable for a software class B structure.

**H.11.12.1.3** Other structures are permitted if they can be shown to provide an equivalent level of safety to those in H.11.12.1.2.

#### H.11.12.2 Measures to control faults/errors

**H.11.12.2.1** When **redundant memory with comparison** is provided on two areas of the same component, the data in one area shall be stored in a different format from that in the other area (see **software diversity**).
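As an added example (not text from the standard), the diverse-format storage that H.11.12.2.1 calls for, written in C with a same-format duplicate beside it to show the fault class that a plain comparison misses; the type names, the one's-complement encoding and the stuck-at fault model are this example's own assumptions.

```c
/* Added example (not text from IEC 60730-1): a safety-related variable held
 * twice in the same RAM, with the redundant copy stored in a different format
 * (its one's complement), as H.11.12.2.1 requires. A same-format duplicate is
 * shown beside it only to illustrate why the formats must differ. All names
 * and fault patterns here are this example's own assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Redundant memory with comparison, diverse format: value and ~value. */
typedef struct {
    uint16_t value;
    uint16_t inverted;
} diverse_u16_t;

/* Same-format duplicate; not acceptable under H.11.12.2.1, for contrast only. */
typedef struct {
    uint16_t copy_a;
    uint16_t copy_b;
} plain_u16_t;

void diverse_write(diverse_u16_t *s, uint16_t v)
{
    s->value = v;
    s->inverted = (uint16_t)~v;
}

/* Returns true and the value when both copies agree. On a mismatch it returns
 * false; the caller must not use *out and should enter the safe state. */
bool diverse_read(const diverse_u16_t *s, uint16_t *out)
{
    if (s->value != (uint16_t)~s->inverted) return false;
    *out = s->value;
    return true;
}

void plain_write(plain_u16_t *s, uint16_t v)
{
    s->copy_a = v;
    s->copy_b = v;
}

bool plain_read(const plain_u16_t *s, uint16_t *out)
{
    if (s->copy_a != s->copy_b) return false;
    *out = s->copy_a;
    return true;
}

/* Write then read back; true when the stored value survives the round trip. */
bool diverse_roundtrip(uint16_t v)
{
    diverse_u16_t d; uint16_t out = 0;
    diverse_write(&d, v);
    return diverse_read(&d, &out) && out == v;
}

/* Constructed fault model: a stuck-at-1 data line forces the same bit
 * position to 1 in every word, so it hits BOTH copies identically. */
static uint16_t stuck_at_1(uint16_t word, uint16_t mask) { return word | mask; }

/* A bit flip in a single copy is caught by both schemes. */
bool detects_single_copy_flip(void)
{
    diverse_u16_t d; plain_u16_t p; uint16_t out = 0;
    diverse_write(&d, 0x1234); plain_write(&p, 0x1234);
    d.value ^= 0x0008; p.copy_a ^= 0x0008;
    return !diverse_read(&d, &out) && !plain_read(&p, &out);
}

/* Common-mode stuck-at-1 on bit 3 of both copies. In the diverse format bit 3
 * of value and bit 3 of ~inverted can no longer agree, so the fault is seen. */
bool diverse_detects_common_mode(void)
{
    diverse_u16_t d; uint16_t out = 0;
    diverse_write(&d, 0x1234);      /* bit 3 is 0 in value and 1 in inverted */
    d.value = stuck_at_1(d.value, 0x0008);
    d.inverted = stuck_at_1(d.inverted, 0x0008);
    return !diverse_read(&d, &out);
}

/* The same fault on a same-format duplicate changes both copies identically;
 * they still compare equal and the corruption is missed (returns false). */
bool plain_detects_common_mode(void)
{
    plain_u16_t p; uint16_t out = 0;
    plain_write(&p, 0x1234);
    p.copy_a = stuck_at_1(p.copy_a, 0x0008);
    p.copy_b = stuck_at_1(p.copy_b, 0x0008);
    return !plain_read(&p, &out);
}

int main(void)
{
    printf("single-copy flip detected by both schemes:  %d\n", detects_single_copy_flip());
    printf("common-mode fault detected, diverse format: %d\n", diverse_detects_common_mode());
    printf("common-mode fault detected, same format:    %d\n", plain_detects_common_mode());
    return 0;
}
```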

**H.11.12.2.2** Controls with software class C using dual channel structures with comparison shall have additional fault/error detection means (such as periodic functional tests, periodic self-tests, or independent monitoring) for any fault/errors not detected by the comparison.

**H.11.12.2.3** For **controls** with software class B or C, means shall be provided for the recognition and control of errors in **transmissions** to external safety-related data paths. Such means shall take into account errors in data, addressing, **transmission** timing and sequence of protocol.
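An added example, not text from the standard, of a receive-side check that covers the four error classes H.11.12.2.3 lists (data, addressing, timing, sequence), written in C; the frame layout, the addresses, the 100 ms time slot and the CRC-16 variant are assumptions of this example.

```c
/* Added example (not text from IEC 60730-1): a receive-side check for a
 * safety-related transmission covering the four error classes of H.11.12.2.3:
 * data (CRC), addressing (source/destination), timing (time-slot monitoring of
 * the receive interval) and sequence (a running frame counter). Frame layout,
 * addresses, the 100 ms slot and the CRC variant are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>

#define FRAME_HDR_LEN  4                 /* src, dst, seq, len */
#define FRAME_MAX_DATA 8
#define FRAME_CRC_LEN  2
#define FRAME_MAX_LEN  (FRAME_HDR_LEN + FRAME_MAX_DATA + FRAME_CRC_LEN)

typedef enum {
    RX_OK = 0,
    RX_ERR_LENGTH,    /* size inconsistent with the length field */
    RX_ERR_DATA,      /* CRC mismatch: header or payload bits corrupted */
    RX_ERR_ADDRESS,   /* not addressed to us, or not from the expected peer */
    RX_ERR_SEQUENCE,  /* lost, repeated or reordered frame */
    RX_ERR_TIMING     /* frame arrived outside the permitted time slot */
} rx_result_t;

typedef struct {                         /* receiver state for one link */
    uint8_t  my_addr, peer_addr;         /* our address; only accepted source */
    uint8_t  expected_seq;               /* next sequence number we must see */
    uint32_t last_rx_ms, max_interval_ms;/* last accepted frame; time slot */
} rx_state_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), computed bitwise. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Serialise [src][dst][seq][len][payload...][crc hi][crc lo]; CRC covers header+data. */
size_t frame_encode(uint8_t *buf, uint8_t src, uint8_t dst, uint8_t seq,
                    const uint8_t *payload, uint8_t len)
{
    if (len > FRAME_MAX_DATA) return 0;  /* payload too long: nothing written */
    buf[0] = src; buf[1] = dst; buf[2] = seq; buf[3] = len;
    for (size_t i = 0; i < len; i++) buf[FRAME_HDR_LEN + i] = payload[i];
    size_t n = FRAME_HDR_LEN + len;
    uint16_t crc = crc16_ccitt(buf, n);
    buf[n] = (uint8_t)(crc >> 8); buf[n + 1] = (uint8_t)(crc & 0xFF);
    return n + FRAME_CRC_LEN;
}

/* Validate a received frame; only a frame passing every check advances the state. */
rx_result_t frame_check(rx_state_t *st, const uint8_t *buf, size_t n, uint32_t now_ms)
{
    if (n < FRAME_HDR_LEN + FRAME_CRC_LEN || n > FRAME_MAX_LEN ||
        (size_t)buf[3] != n - FRAME_HDR_LEN - FRAME_CRC_LEN) return RX_ERR_LENGTH;
    uint16_t rx_crc = (uint16_t)((buf[n - 2] << 8) | buf[n - 1]);  /* data */
    if (crc16_ccitt(buf, n - FRAME_CRC_LEN) != rx_crc) return RX_ERR_DATA;
    /* addressing: both ends of the link are checked, not only the destination */
    if (buf[1] != st->my_addr || buf[0] != st->peer_addr) return RX_ERR_ADDRESS;
    /* sequence: a consecutive counter exposes loss, replay and reordering */
    if (buf[2] != st->expected_seq) return RX_ERR_SEQUENCE;
    /* timing: must arrive within max_interval_ms of the last good frame */
    if (now_ms - st->last_rx_ms > st->max_interval_ms) return RX_ERR_TIMING;
    st->expected_seq = (uint8_t)(st->expected_seq + 1);
    st->last_rx_ms = now_ms;
    return RX_OK;
}

/* Runs one constructed scenario on a fresh link and returns the verdict. */
rx_result_t run_scenario(int which)
{
    uint8_t buf[FRAME_MAX_LEN];
    const uint8_t setpoint[2] = { 0x01, 0xF4 };   /* constructed payload */
    rx_state_t st = { 0x20, 0x10, 1, 0, 100 };    /* we are 0x20, peer is 0x10 */
    size_t n = frame_encode(buf, 0x10, 0x20, 1, setpoint, 2);
    rx_result_t r = frame_check(&st, buf, n, 50); /* first frame, accepted */
    if (which == 0 || r != RX_OK) return r;
    switch (which) {
    case 1:  /* the same frame delivered again: stale sequence number */
        return frame_check(&st, buf, n, 60);
    case 2:  /* single bit flip in the payload after encoding */
        n = frame_encode(buf, 0x10, 0x20, 2, setpoint, 2);
        buf[FRAME_HDR_LEN] ^= 0x01;
        return frame_check(&st, buf, n, 70);
    case 3:  /* correct frame sent to another destination address */
        n = frame_encode(buf, 0x10, 0x21, 2, setpoint, 2);
        return frame_check(&st, buf, n, 70);
    default: /* correct frame, but 450 ms after the previous one */
        n = frame_encode(buf, 0x10, 0x20, 2, setpoint, 2);
        return frame_check(&st, buf, n, 500);
    }
}

int main(void) {
    for (int i = 0; i < 5; i++) printf("scenario %d: result %d\n", i, (int)run_scenario(i));
    return 0;
}
```

Result codes follow the `rx_result_t` order, so a stand-alone run prints 0, 4, 2, 3, 5 for the five scenarios.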

**H.11.12.2.4** For **controls** with software class B or C, the manufacturer shall provide, within the control, measures to address the **fault**/errors in safety-related segments and data indicated in Table H.1 and identified in Table 1, requirement 68.

# Table H.1 (H.11.12.7 of edition 3) – Acceptable measures to address fault/errors <sup>a</sup> (1 of 6)

| Component <sup>b</sup> | Fault/error | Software class | | Example of acceptable measures <sup>c d e</sup> | Definitions |
|---|---|---|---|---|---|
| | | B | C | | |
| 1. CPU | | | | | |
| 1.1<br>Registers | Stuck at | rq | | Functional test, or | H.2.16.5 |
| | | | | periodic self-test using either: | H.2.16.6 |
| | | | | <ul> <li>static memory test, or</li> </ul> | H.2.19.6 |
| | | | | <ul> <li>word protection with single bit redundancy</li> </ul> | H.2.19.8.2 |
| | DC fault | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | internal error detection, or | H.2.18.9 |
| | | | | redundant memory with comparison, or | H.2.19.5 |
| | | | | periodic self-tests using either: | |
| | | | | <ul> <li>walkpat memory test</li> </ul> | H.2.19.7 |
| | | | | <ul> <li>Abraham test</li> </ul> | H.2.19.1 |
| | | | | <ul> <li>transparent GALPAT test; or</li> </ul> | H.2.19.2.1 |
| | | | | word protection with multi-bit redundancy, or | H.2.19.8.1 |
| | | | | static memory test and word protection with single bit redundancy | H.2.19.6<br>H.2.19.8.2 |
| 1.2<br>Instruction decoding and execution | Wrong decoding and execution | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | internal error detection, or | H.2.18.9 |
| | | | | periodic self-test using equivalence class test | H.2.18.5 |
| 1.3<br>Programme counter | Stuck at | rq | | Functional test, or | H.2.16.5 |
| | | | | periodic self-test, or | H.2.16.6 |
| | | | | independent time-slot monitoring of the programme sequence, or | H.2.18.10.4 |
| | | | | logical monitoring of the programme sequence | H.2.18.10.2 |
| | DC fault | | rq | Periodic self-test and monitoring using either: | H.2.16.7 |
| | | | | <ul> <li>independent time-slot and logical monitoring</li> </ul> | H.2.18.10.3 |
| | | | | <ul> <li>internal error detection, or</li> </ul> | H.2.18.9 |
| | | | | comparison of redundant functional channels by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator</li> </ul> | H.2.18.3 |

| Component <sup>b</sup> | Fault/error | Software class | | Example of acceptable measures <sup>c d e</sup> | Definitions |
|---|---|---|---|---|---|
| | | B | C | | |
| 1.4<br>Addressing | DC fault | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator; or</li> </ul> | H.2.18.3 |
| | | | | internal error detection; or | H.2.18.9 |
| | | | | periodic self-test using a <b>testing pattern</b> of the address lines; or | H.2.16.7<br>H.2.18.22 |
| | | | | full bus redundancy, or | H.2.18.1.1 |
| | | | | multi-bit bus parity | H.2.18.1.2 |
| 1.5<br>Data paths<br>instruction decoding | DC fault and execution | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison, or</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | internal error detection, or | H.2.18.9 |
| | | | | periodic self-test using a <b>testing pattern</b>, or | H.2.16.7 |
| | | | | data redundancy, or | H.2.18.2.1 |
| | | | | multi-bit bus parity | H.2.18.1.2 |
| 2.<br>Interrupt handling and execution | No interrupt or too frequent interrupt | rq | | Functional test; or | H.2.16.5 |
| | | | | time-slot monitoring | H.2.18.10.4 |
| | No interrupt or too frequent interrupt related to different sources | | rq | Comparison of redundant functional channels by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | independent time-slot and logical monitoring | H.2.18.10.3 |

# Table H.1 (2 of 6)

| Component <sup>b</sup> | Fault/error | Software class | | Example of acceptable measures <sup>c d e</sup> | Definitions |
|---|---|---|---|---|---|
| | | B | C | | |
| 3.<br>Clock | Wrong frequency (for quartz synchronized clock: harmonics/subharmonics only) | rq | | Frequency monitoring, or | H.2.18.10.1 |
| | | | | time-slot monitoring | H.2.18.10.4 |
| | | | rq | Frequency monitoring, or | H.2.18.10.1 |
| | | | | time-slot monitoring, or | H.2.18.10.4 |
| | | | | comparison of redundant functional channels by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator</li> </ul> | H.2.18.3 |
| 4. Memory | | | | | |
| 4.1<br>Invariable memory | All single bit faults | rq | | Periodic <b>modified checksum</b>; or | H.2.19.3.1 |
| | | | | multiple checksum, or | H.2.19.3.2 |
| | | | | word protection with single bit redundancy | H.2.19.8.2 |
| | 99,6 % coverage of all information errors | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | redundant memory with comparison, or | H.2.19.5 |
| | | | | periodic cyclic redundancy check, either: | |
| | | | | <ul> <li>single word</li> </ul> | H.2.19.4.1 |
| | | | | <ul> <li>double word, or</li> </ul> | H.2.19.4.2 |
| | | | | word protection with multi-bit redundancy | H.2.19.8.1 |
| 4.2<br>Variable memory | DC fault | rq | | Periodic static memory test, or | H.2.19.6 |
| | | | | word protection with single bit redundancy | H.2.19.8.2 |
| | DC fault and dynamic cross links | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | redundant memory with comparison, or | H.2.19.5 |
| | | | | periodic self-tests using either: | |
| | | | | <ul> <li>walkpat memory test</li> </ul> | H.2.19.7 |
| | | | | <ul> <li>Abraham test</li> </ul> | H.2.19.1 |
| | | | | <ul> <li>transparent GALPAT test, or</li> </ul> | H.2.19.2.1 |
| | | | | word protection with multi-bit redundancy | H.2.19.8.1 |

# Table H.1 (3 of 6)

| Component <sup>b</sup> | Fault/error | Software class | | Example of acceptable measures <sup>c d e</sup> | Definitions |
|---|---|---|---|---|---|
| | | B | C | | |
| 4.3<br>Addressing (relevant to variable memory and invariable memory) | Stuck at | rq | | Word protection with single bit redundancy including the address | H.2.19.8.2 |
| | DC fault | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison, or</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | full bus redundancy, or | H.2.18.1.1 |
| | | | | testing pattern, or | H.2.18.22 |
| | | | | periodic cyclic redundancy check, either: | |
| | | | | <ul> <li>single word</li> </ul> | H.2.19.4.1 |
| | | | | <ul> <li>double word, or</li> </ul> | H.2.19.4.2 |
| | | | | word protection with multi-bit redundancy including the address | H.2.19.8.1 |
| 5. Internal data path | | | | | |
| 5.1<br>Data | Stuck at | rq | | Word protection with single bit redundancy | H.2.19.8.2 |
| | DC fault | | rq | Comparison of redundant CPUs by either: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | word protection with multi-bit redundancy including the address, or | H.2.19.8.1 |
| | | | | <b>data redundancy</b>, or | H.2.18.2.1 |
| | | | | testing pattern, or | H.2.18.22 |
| | | | | protocol test | H.2.18.14 |
| 5.2<br>Addressing | Wrong address | rq | | Word protection with single bit redundancy including the address | H.2.19.8.2 |
| | Wrong address and multiple addressing | | rq | Comparison of redundant CPUs by: | |
| | | | | <ul> <li>reciprocal comparison</li> </ul> | H.2.18.15 |
| | | | | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3 |
| | | | | word protection with multi-bit redundancy, including the address, or | H.2.19.8.1 |
| | | | | full bus redundancy; or | H.2.18.1.1 |
| | | | | testing pattern including the address | H.2.18.22 |
| 6<br>External communication | Hamming distance 3 | rq | | Word protection with multi-bit redundancy, or | H.2.19.8.1 |
| | | | | CRC – single word, or | H.2.19.4.1 |
| | | | | transfer redundancy, or | H.2.18.2.2 |
| | | | | protocol test | H.2.18.14 |

| Component <sup>b</sup> | Fault/error            | ror Software class |    | Example of acceptable measures <sup>c d e</sup>                                  | Definitions              |
|------------------------|------------------------|--------------------|----|----------------------------------------------------------------------------------|--------------------------|
|                        |                        | В                  | С  |                                                                                  |                          |
| 6.1<br>Data            | Hamming<br>distance 4  |                    | rq | CRC – double word, or                                                            | H.2.19.4.2               |
|                        |                        |                    |    | <b>data redundancy</b> or comparison of redundant functional channels by either: | H.2.18.2.1               |
|                        |                        |                    |    | <ul> <li>reciprocal comparison</li> </ul>                                        | H.2.18.15                |
|                        |                        |                    |    | <ul> <li>independent hardware comparator</li> </ul>                              | H.2.18.3                 |
| 6.2                    | Wrong                  | rq                 |    | Word protection with multi-bit redundancy,                                       | H.2.19.8.1               |
| Addressing             | address                |                    |    | including the address, or CRC – single word                                      | H.2.19.4.1               |
|                        |                        |                    |    | including the addresses, or                                                      |                          |
|                        |                        |                    |    | transfer redundancy or                                                           | H.2.18.2.2               |
|                        |                        |                    |    | protocol test                                                                    | H.2.18.14                |
|                        | Wrong and              |                    | rq | CRC – double word, including the address, or                                     | H.2.19.4.2               |
|                        | multiple               |                    |    | full bus redundancy of data and address, or                                      | H.2.18.1.1               |
|                        | addressing             |                    |    | comparison of redundant communication channels by either:                        |                          |
|                        |                        |                    |    | <ul> <li>reciprocal comparison</li> </ul>                                        | H.2.18.15                |
|                        |                        |                    |    | <ul> <li>independent hardware comparator</li> </ul>                              | H.2.18.3                 |
| 6.3<br>Timing          | Wrong point<br>in time | rq                 |    | Time-slot monitoring, or scheduled transmission                                  | H.2.18.10.4<br>H.2.18.18 |
|                        |                        |                    | rq | Time-slot and logical monitoring, or                                             | H.2.18.10.3              |
|                        |                        |                    |    | comparison of redundant communication channels by either:                        |                          |
|                        |                        |                    |    | <ul> <li>reciprocal comparison</li> </ul>                                        | H.2.18.15                |
|                        |                        |                    |    | <ul> <li>independent hardware comparator</li> </ul>                              | H.2.18.3                 |
|                        | Wrong                  | rq                 |    | Logical monitoring, or                                                           | H.2.18.10.2              |
|                        | sequence               |                    |    | time-slot monitoring, or                                                         | H.2.18.10.4              |
|                        |                        |                    |    | scheduled transmission                                                           | H.2.18.18                |
|                        |                        |                    | rq | (same options as for wrong point in time)                                        |                          |
| 7.                     |                        |                    |    |                                                                                  |                          |
| Input/output           | Fault                  | rq                 |    | Plausibility check                                                               | H.2.18.13                |
| periphery              | conditions             |                    |    |                                                                                  |                          |
|                        | specified in           |                    | rq | Comparison of redundant CPUs by either:                                          |                          |
|                        | Clause H.27            |                    |    | <ul> <li>reciprocal comparison</li> </ul>                                        | H.2.18.15                |
|                        |                        |                    |    | <ul> <li>independent hardware comparator, or</li> </ul>                          | H.2.18.3                 |
| 7.1                    |                        |                    |    |                                                                                  |                          |
| Digital I/O            |                        |                    |    | input comparison, or                                                             | H.2.18.8                 |
|                        |                        |                    |    | multiple parallel outputs; or                                                    | H.2.18.11                |
|                        |                        |                    |    | output verification, or                                                          | H.2.18.12                |
|                        |                        |                    |    | testing pattern, or                                                              | H.2.18.22                |
|                        |                        |                    |    | code safety                                                                      | H.2.18.2                 |
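
The digital I/O measures listed in rows 7 and 7.1 (output verification, H.2.18.12; testing pattern, H.2.18.22; input comparison, H.2.18.8), shown as an added C example that is not part of the standard. The port structure, its read-back and the stuck-at fault it injects are constructed for illustration; a real control would read the pin state from the I/O hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated digital output port (constructed for this example). out_latch is
 * what the CPU wrote; the pins are read back through dio_read_pins(). A stuck-at
 * fault is injected with stuck_mask/stuck_value: those pins ignore the latch. */
typedef struct {
    uint8_t out_latch;
    uint8_t stuck_mask;
    uint8_t stuck_value;
} dio_port_t;

static uint8_t dio_read_pins(const dio_port_t *p)
{
    return (uint8_t)((p->out_latch & (uint8_t)~p->stuck_mask) |
                     (p->stuck_value & p->stuck_mask));
}

/* Output verification (H.2.18.12): write the latch, then read the pins back and
 * compare. A mismatch means the output stage did not follow the command. */
bool dio_write_verified(dio_port_t *p, uint8_t value)
{
    p->out_latch = value;
    return dio_read_pins(p) == value;
}

/* Testing pattern (H.2.18.22): drive a walking-1 and walking-0 pattern through
 * the port and verify each one, which exposes stuck-at pins whatever the
 * current application output happens to be. The previous output is restored. */
bool dio_test_pattern(dio_port_t *p)
{
    uint8_t saved = p->out_latch;
    bool ok = true;
    for (unsigned bit = 0; bit < 8 && ok; bit++) {
        uint8_t one = (uint8_t)(1u << bit);
        ok = dio_write_verified(p, one) && dio_write_verified(p, (uint8_t)~one);
    }
    p->out_latch = saved;
    return ok;
}

/* Input comparison (H.2.18.8): the same signal is wired to two independent
 * inputs; disagreement is reported as a fault rather than trusting either. */
bool dio_inputs_agree(uint8_t input_a, uint8_t input_b)
{
    return input_a == input_b;
}

/* Run the pattern test on a port with an optional injected stuck-at fault. */
bool dio_selftest(uint8_t stuck_mask, uint8_t stuck_value)
{
    dio_port_t port = { 0x00u, stuck_mask, stuck_value };
    return dio_test_pattern(&port);
}

int main(void)
{
    printf("healthy port: %s\n", dio_selftest(0x00u, 0x00u) ? "PASS" : "FAIL");
    printf("bit 3 stuck low: %s\n", dio_selftest(0x08u, 0x00u) ? "PASS" : "FAIL");
    return 0;
}
```

The walking pattern matters because a plain read-back after the application write only checks the bits that happen to be driven at that moment; a pin stuck in the state the application currently wants would never be noticed until the output is needed the other way.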

# Table H.1 (5 of 6)

| Component <sup>b</sup>             | Fault/error         | Software class |    | Example of acceptable measures <sup>c d e</sup>         | Definitions |
|------------------------------------|---------------------|----------------|----|---------------------------------------------------------|-------------|
|                                    |                     | B              | C  |                                                         |             |
| 7.2                                |                     |                |    |                                                         |             |
| Analog I/O                         |                     |                |    |                                                         |             |
| 7.2.1 A/D- and                     | Fault<br>conditions | rq             |    | Plausibility check                                      | H.2.18.13   |
| D/A- convertor                     | specified in        |                | rq | Comparison of redundant CPUs by either:                 |             |
|                                    | Clause H.27         |                |    | <ul> <li>reciprocal comparison</li> </ul>               | H.2.18.15   |
|                                    |                     |                |    | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3    |
|                                    |                     |                |    | input comparison, or                                    | H.2.18.8    |
|                                    |                     |                |    | multiple parallel outputs, or                           | H.2.18.11   |
|                                    |                     |                |    | output verification, or                                 | H.2.18.12   |
|                                    |                     |                |    | testing pattern                                         | H.2.18.22   |
| 7.2.2 Analog<br>multiplexer        | Wrong<br>addressing | rq             |    | Plausibility check                                      | H.2.18.13   |
|                                    |                     |                | rq | Comparison of redundant CPUs by either:                 |             |
|                                    |                     |                |    | <ul> <li>reciprocal comparison</li> </ul>               | H.2.18.15   |
|                                    |                     |                |    | <ul> <li>independent hardware comparator, or</li> </ul> | H.2.18.3    |
|                                    |                     |                |    | input comparison or                                     | H.2.18.8    |
|                                    |                     |                |    | testing pattern                                         | H.2.18.22   |
| 8.                                 |                     |                |    |                                                         |             |
| Monitoring                         | Any output          |                | rq | Tested monitoring, or                                   | H.2.18.21   |
| devices and                        | outside the         |                |    | redundant monitoring and comparison, or                 | H.2.18.17   |
| comparators                        | static and          |                |    | error recognizing means                                 | H.2.18.6    |
|                                    | dynamic             |                |    |                                                         |             |
|                                    | functional          |                |    |                                                         |             |
|                                    | specification       |                |    |                                                         |             |
| 9.<br>Custom                       | Any output          | rq             |    | Periodic self-test                                      | H.2.16.6    |
| chips <sup>f</sup>                 | outside the         |                |    |                                                         |             |
| for example,                       | static and          |                | rq | Periodic self-test and monitoring, or                   | H.2.16.7    |
| ASIC,                              | dynamic             |                |    | dual channel (diverse) with comparison, or              | H.2.16.2    |
| GAL, Gate                          | functional          |                |    | error recognizing means                                 | H.2.18.6    |
| array                              | specification       |                |    |                                                         |             |
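
Row 8 (monitoring devices and comparators) asks, for class C, that the monitor itself be tested (H.2.18.21) or duplicated and compared (H.2.18.17), since an output outside the specification that the monitor silently accepts is exactly the fault it exists to catch. The following C code is an added example and not part of the standard; the limit monitor, the 0..100 limits and the injected "stuck at ok" defect are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* A limit monitor: the static functional specification is "value within
 * [low, high]". The faulty flag simulates an internal defect in which the
 * comparator is stuck at "ok" (constructed for this example). */
typedef struct {
    int  low;
    int  high;
    bool faulty;
} monitor_t;

/* Monitoring function: true when the value is inside the specified limits. */
bool monitor_check(const monitor_t *m, int value)
{
    if (m->faulty) {
        return true;            /* defect: never trips */
    }
    return value >= m->low && value <= m->high;
}

/* Tested monitoring (H.2.18.21): periodically prove that the monitor still
 * trips by presenting it with values just outside each limit, and that it
 * still accepts the limits themselves. A monitor that passes an out-of-range
 * value is itself declared faulty. Limits are assumed to lie strictly inside
 * the int range so that low-1 and high+1 cannot overflow. */
bool monitor_selftest(const monitor_t *m)
{
    return !monitor_check(m, m->low - 1) &&
           !monitor_check(m, m->high + 1) &&
            monitor_check(m, m->low) &&
            monitor_check(m, m->high);
}

/* Redundant monitoring and comparison (H.2.18.17): two monitors evaluate the
 * same value; the verdict is trusted only when both agree. */
typedef enum { MON_OK, MON_OUT_OF_RANGE, MON_DISAGREE } mon_result_t;

mon_result_t monitor_redundant(const monitor_t *a, const monitor_t *b, int value)
{
    bool ra = monitor_check(a, value);
    bool rb = monitor_check(b, value);
    if (ra != rb) {
        return MON_DISAGREE;    /* one monitor is wrong; which one is unknown */
    }
    return ra ? MON_OK : MON_OUT_OF_RANGE;
}

/* Scenario helpers using a constructed 0..100 monitor. */
bool monitor_selftest_demo(bool inject_fault)
{
    monitor_t m = { 0, 100, inject_fault };
    return monitor_selftest(&m);
}

mon_result_t monitor_redundant_demo(int value, bool b_faulty)
{
    monitor_t a = { 0, 100, false };
    monitor_t b = { 0, 100, b_faulty };
    return monitor_redundant(&a, &b, value);
}

int main(void)
{
    printf("healthy monitor self-test: %s\n", monitor_selftest_demo(false) ? "PASS" : "FAIL");
    printf("stuck-at-ok monitor self-test: %s\n", monitor_selftest_demo(true) ? "PASS" : "FAIL");
    printf("redundant verdict at 150 with faulty B: %d\n", (int)monitor_redundant_demo(150, true));
    return 0;
}
```

Note that MON_DISAGREE is reported as its own outcome rather than being collapsed into "out of range": the comparison only tells the control that one monitor is wrong, and the response to that (row 8 combined with H.11.12.2.7) is the declared fault reaction, not a retry of the measurement.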

# Table H.1 (6 of 6)

rq: Coverage of the **fault** is required for the indicated software class.

<sup>a</sup> Table H.1 is applied according to the requirements of H.11.12 to H.11.12.2.12 inclusive.

<sup>b</sup> For **fault**/error assessment, some components are divided into their subfunctions.

<sup>c</sup> For each subfunction in the table, the software class C measure will cover the software class B **fault**/error.

<sup>d</sup> It is recognized that some of the acceptable measures provide a higher level of assurance than is required by this standard.

<sup>e</sup> Where more than one measure is given for a subfunction, these are alternatives.

<sup>f</sup> To be divided as necessary by the manufacturer into subfunctions.

**H.11.12.2.5** Measures other than those specified in H.11.12.2.4 are permitted if they can be shown to satisfy the requirements listed in Table H.1.

**H.11.12.2.6** Software **fault**/error detection shall occur not later than the time declared in requirement 71 of Table 1. The acceptability of the declared time(s) is evaluated during the **fault** analysis of the **control**.

Part 2 standards may limit this declaration.

**H.11.12.2.7** For **controls** with functions classified as class B or C, detection of a **fault**/error shall result in the response declared in Table 1, requirement 72. For **controls** with functions declared as class C, **independent** means capable of performing this response shall be provided.

**H.11.12.2.8** The loss of **dual channel** capability is deemed to be an error in a **control** function using a **dual channel** structure with software class C.

**H.11.12.2.9** The software shall be referenced to relevant parts of the **operating sequence** and the associated hardware functions.

**H.11.12.2.10** Where labels are used for memory locations, these labels shall be unique.

**H.11.12.2.11** The software shall be protected from **user** alteration of safety-related segments and data.

**H.11.12.2.12** The software and safety-related hardware under its control shall be initialized to, and terminate at, a declared state as indicated in Table 1, requirement 66.
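How H.11.12.2.6 to H.11.12.2.8 and H.11.12.2.12 fit together in a class C dual channel structure with reciprocal comparison (H.2.18.15), as an added C example that is not part of the standard. The detection time and the safe-state output are placeholders for the values a manufacturer declares in Table 1 (requirements 71 and 72); the channel model, its timing and the scenarios are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholders for values the manufacturer declares in Table 1: the fault
 * detection time (requirement 71) and the response to a detected fault
 * (requirement 72), here "output de-energised". Times are in milliseconds. */
#define DETECTION_TIME_MS  100u
#define SAFE_OUTPUT        0u

typedef enum { ST_INIT, ST_RUN, ST_SAFE } ctrl_state_t;

typedef struct {
    ctrl_state_t state;
    uint32_t     last_peer_ms;   /* when the peer channel's result last arrived */
    uint32_t     output;
} channel_t;

/* H.11.12.2.12: start from a declared state with the output de-energised. */
void channel_init(channel_t *c, uint32_t now_ms)
{
    c->state = ST_INIT;
    c->output = SAFE_OUTPUT;
    c->last_peer_ms = now_ms;
}

/* H.11.12.2.7: the declared response is entered and latched. */
static void channel_fail_safe(channel_t *c)
{
    c->state = ST_SAFE;
    c->output = SAFE_OUTPUT;
}

/* One control cycle of this channel. own_result is the command this channel
 * computed; peer_result is the command received from the other channel, or
 * absent when peer_valid is false. Returns the output this channel drives. */
uint32_t channel_step(channel_t *c, uint32_t now_ms, uint32_t own_result,
                      bool peer_valid, uint32_t peer_result)
{
    if (c->state == ST_SAFE) {
        return c->output;                        /* latched until restart */
    }
    if (peer_valid) {
        c->last_peer_ms = now_ms;
        if (own_result != peer_result) {         /* reciprocal comparison failed */
            channel_fail_safe(c);
            return c->output;
        }
        c->state = ST_RUN;
        c->output = own_result;
    } else if (now_ms - c->last_peer_ms > DETECTION_TIME_MS) {
        /* H.11.12.2.8: losing the second channel is itself an error, and it
         * must be detected within the declared time (H.11.12.2.6). */
        channel_fail_safe(c);
    }
    return c->output;
}

/* Scenario: both channels agree; output follows the computed command. */
uint32_t scenario_agree(void)
{
    channel_t c;
    channel_init(&c, 0u);
    return channel_step(&c, 10u, 1u, true, 1u);
}

/* Scenario: channels agree, then the peer falls silent. Returns the output
 * driven once the detection time has elapsed. */
uint32_t scenario_peer_lost(void)
{
    channel_t c;
    channel_init(&c, 0u);
    channel_step(&c, 10u, 1u, true, 1u);            /* agree: output energised */
    channel_step(&c, 60u, 1u, false, 0u);           /* silent, still within time */
    return channel_step(&c, 130u, 1u, false, 0u);   /* 120 ms > 100 ms: safe state */
}

/* Scenario: the two channels compute different commands in the same cycle. */
ctrl_state_t scenario_mismatch(void)
{
    channel_t c;
    channel_init(&c, 0u);
    channel_step(&c, 10u, 1u, true, 0u);   /* mismatch: safe state */
    channel_step(&c, 20u, 1u, true, 1u);   /* later agreement does not clear it */
    return c.state;
}

int main(void)
{
    printf("output while agreeing: %u\n", (unsigned)scenario_agree());
    printf("output after peer lost: %u\n", (unsigned)scenario_peer_lost());
    printf("state after mismatch: %d\n", (int)scenario_mismatch());
    return 0;
}
```

Two design points carry the clauses: the safe state is latched, so a later cycle in which the channels happen to agree again cannot silently resume operation, and the peer timeout is measured against the declared detection time rather than against "a few missed cycles", which is what makes the declaration in Table 1 checkable during the fault analysis.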

#### H.11.12.3 Measures to avoid errors

Void.

#### H.11.12.3.1 General

For **controls** with software class B or C the measures shown in Figure H.1 to avoid systematic **faults** shall be applied.

Measures used for software class C are inherently acceptable for software class B.

The content of this figure is extracted from IEC 61508-3 and adapted to the needs of this standard.




Figure H.1 – V-Model for the software life cycle

Other methods are possible if they incorporate disciplined and structured processes including design and test phases.

#### H.11.12.3.2 Specification

#### H.11.12.3.2.1 Software safety requirements

**H.11.12.3.2.1.1** The specification of the software safety requirements shall include:

- a description of each safety related function to be implemented, including its response time(s):
  - functions related to the application including their related software classes;
  - functions related to the detection, annunciation and management of software or hardware **faults**;
- a description of interfaces between software and hardware;
- a description of interfaces between any safety and non-safety related functions.

Examples of techniques/measures can be found in Table H.2.

#### Table H.2 – Semi-formal methods

| Technique/Measure                                                   | References (informative)    |
|---------------------------------------------------------------------|-----------------------------|
| Standards identification                                            |                             |
| Semi-formal methods                                                 |                             |
| <ul> <li>Logical/functional block diagrams</li> </ul>               |                             |
| <ul> <li>Sequence diagrams</li> </ul>                               |                             |
| <ul> <li>Finite state machines/state transition diagrams</li> </ul> | B.2.3.2 of IEC 61508-7:2010 |
| <ul> <li>Decision/truth tables</li> </ul>                           | C.6.1 of IEC 61508-7:2010   |

Other methods to comply with the requirements can be applied.

#### H.11.12.3.2.2 Software architecture

**H.11.12.3.2.2.1** The description of software architecture shall include the following aspects:


- techniques and measures to control software faults/errors (refer to H.11.12.2);
- interactions between hardware and software;
- partitioning into modules and their allocation to the specified safety functions;
- hierarchy and call structure of the modules (control flow);
- interrupt handling;
- data flow and restrictions on data access;
- architecture and storage of data;
- time based dependencies of sequences and data.

Examples of techniques/measures can be found in Table H.3.

#### Table H.3 – Software architecture specification

| Technique/Measure                                                   | References (informative)    |
|---------------------------------------------------------------------|-----------------------------|
| Fault detection and diagnosis                                       | C.3.1 of IEC 61508-7:2010   |
| Semi-formal methods:                                                |                             |
| <ul> <li>Logic/function block diagrams</li> </ul>                   |                             |
| <ul> <li>Sequence diagrams</li> </ul>                               |                             |
| <ul> <li>Finite state machines/state transition diagrams</li> </ul> | B.2.3.2 of IEC 61508-7:2010 |
| <ul> <li>Data flow diagrams</li> </ul>                              | C.2.2 of IEC 61508-7:2010   |

**H.11.12.3.2.2.** The architecture specification shall be verified against the specification of the software safety requirements by static analysis.

NOTE Acceptable methods for static analysis are:

- control flow analysis;
- data flow analysis;
- walk-throughs/design reviews.

#### H.11.12.3.2.3 Module design and coding

NOTE 1 The use of computer aided design tools is accepted.

NOTE 2 For Defensive Programming (for example, range checks, check for division by 0, **plausibility checks**), see C.2.5 of IEC 61508-7:2010.

**H.11.12.3.2.3.1** Based on the architecture design, software shall be suitably refined into modules. Software module design and coding shall be implemented in a way that is traceable to the software architecture and requirements.

The module design shall specify:

- function(s),
- interfaces to other modules,
- data.

Examples of techniques/measures can be found in Table H.4.
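A module designed along the lines of H.11.12.3.2.3.1, with its function, interfaces and data stated up front, and written defensively as NOTE 2 describes (range checks, a guarded division, a plausibility check as in row 7.2.1 of Table H.1). This C code is an added example and not part of the standard; the 12-bit converter, the two-point calibration, the temperature window and the rate limit are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Module "adc_temp" (constructed example).
 * Function:   convert a raw A/D reading into a temperature in 0.1 degC and
 *             judge its plausibility.
 * Interfaces: adc_temp_init(), adc_temp_update(); status codes below.
 * Data:       two-point calibration and the last accepted value. */
typedef enum { TEMP_OK, TEMP_ERR_CALIB, TEMP_ERR_RANGE, TEMP_ERR_RATE } temp_status_t;

typedef struct {
    uint16_t raw_lo, raw_hi;         /* calibration points in ADC counts */
    int32_t  t_lo_c10, t_hi_c10;     /* temperatures at those points, 0.1 degC */
    int32_t  last_c10;
    bool     have_last;
} adc_temp_t;

#define ADC_MAX_COUNTS  4095u    /* 12-bit converter (assumed) */
#define TEMP_MIN_C10    (-400)   /* plausible window: -40.0 degC ... */
#define TEMP_MAX_C10    1500     /* ... to 150.0 degC (assumed for the application) */
#define MAX_STEP_C10    100      /* largest plausible change between samples: 10.0 degC */

temp_status_t adc_temp_init(adc_temp_t *m, uint16_t raw_lo, int32_t t_lo_c10,
                            uint16_t raw_hi, int32_t t_hi_c10)
{
    /* Defensive programming: the conversion divides by (raw_hi - raw_lo), so a
     * degenerate or out-of-range calibration is rejected here rather than
     * surfacing as a division by zero later. */
    if (raw_hi <= raw_lo || raw_hi > ADC_MAX_COUNTS) {
        return TEMP_ERR_CALIB;
    }
    m->raw_lo = raw_lo;      m->raw_hi = raw_hi;
    m->t_lo_c10 = t_lo_c10;  m->t_hi_c10 = t_hi_c10;
    m->last_c10 = 0;         m->have_last = false;
    return TEMP_OK;
}

temp_status_t adc_temp_update(adc_temp_t *m, uint16_t raw, int32_t *out_c10)
{
    /* Range check on the raw reading: zero and full scale normally mean an open
     * or shorted sensor, and nothing above 12 bits is possible. */
    if (raw == 0u || raw >= ADC_MAX_COUNTS) {
        return TEMP_ERR_RANGE;
    }
    int32_t span_raw = (int32_t)m->raw_hi - (int32_t)m->raw_lo;   /* > 0 after init */
    int32_t c10 = m->t_lo_c10 +
                  ((int32_t)raw - (int32_t)m->raw_lo) * (m->t_hi_c10 - m->t_lo_c10) / span_raw;

    /* Plausibility check (H.2.18.13), part 1: physically possible range. */
    if (c10 < TEMP_MIN_C10 || c10 > TEMP_MAX_C10) {
        return TEMP_ERR_RANGE;
    }
    /* Part 2: rate of change against the last accepted sample. */
    if (m->have_last) {
        int32_t delta = c10 - m->last_c10;
        if (delta > MAX_STEP_C10 || delta < -MAX_STEP_C10) {
            return TEMP_ERR_RATE;
        }
    }
    m->last_c10 = c10;
    m->have_last = true;
    *out_c10 = c10;
    return TEMP_OK;
}

/* Helpers using a constructed calibration: 500 counts = -40.0 degC,
 * 3500 counts = 160.0 degC. */
static temp_status_t demo_init(adc_temp_t *m)
{
    return adc_temp_init(m, 500u, -400, 3500u, 1600);
}

/* Convert one sample; returns 0.1 degC, or INT32_MIN on any error. */
int32_t adc_temp_demo_value(uint16_t raw)
{
    adc_temp_t m;
    int32_t c10 = INT32_MIN;
    if (demo_init(&m) != TEMP_OK || adc_temp_update(&m, raw, &c10) != TEMP_OK) {
        return INT32_MIN;
    }
    return c10;
}

/* Status of the second of two consecutive samples. */
temp_status_t adc_temp_demo_pair(uint16_t raw1, uint16_t raw2)
{
    adc_temp_t m;
    int32_t c10 = 0;
    demo_init(&m);
    adc_temp_update(&m, raw1, &c10);
    return adc_temp_update(&m, raw2, &c10);
}

/* Status returned by initialisation with the given calibration counts. */
temp_status_t adc_temp_demo_init(uint16_t raw_lo, uint16_t raw_hi)
{
    adc_temp_t m;
    return adc_temp_init(&m, raw_lo, -400, raw_hi, 1600);
}
```

The rate-of-change test is what distinguishes a plausibility check from a plain range check: a reading of 100.0 degC is inside the window, but arriving one sample after 60.0 degC it is not a temperature the sensor could have measured, so the module reports it instead of passing it to the control function. Every failure path returns a status through the module interface; nothing is written to the caller's output on error.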