Certification of safety-critical systems for the Oil & Gas and Railway domains using Agile methods – exemplified by using the SafeScrum method
Thor Myklebust, SINTEF ICT
15:10 – 15:55, London, 25th of June 2015


Page 1

Certification of safety-critical systems for the Oil & Gas and Railway domains using Agile methods – exemplified by using the SafeScrum method

Thor Myklebust, SINTEF ICT

15:10 – 15:55, London, 25th of June 2015

Page 2: Topics

Introduction
SafeScrum
IEC 61508-3 and EN 50128 lifecycles
Current practice
Conclusion

Page 3: Why Railway and Oil&Gas?

Norway shall invest more than £10 billion in Rail in the period 2014-2023

Norway invested more than £10 billion in offshore projects in 2014

Page 4: Projects and project goals

Important goals:
• Shorten the development time
• Less time from the last written code line until the system is certified
• Adequate plans
• Fewer resources used on documentation
• Faster introduction of new technology

Projects:
• SUSS
• Safe Software
• NCEI Software
• ASHLEY

Page 5: Agile methods

e.g. Scrum

A scrum is a method of restarting the game in rugby football

Page 6: Agile – The agile life-cycle

Figure (diagram): the agile life-cycle. Labels: Start-up (a few days); n sprints of 1-4 weeks, each with Prioritizing, Dev./test and Evaluation; Release (product); Termination (a few days).

Page 7: Add-On to Scrum

Figure (diagram): Scrum with add-ons. Labels: Add-On to Scrum: Involvement of the validator and/or assessor; Add-On to Scrum: tracing safety requirements (keeping track of how these relate); Add-On to Scrum: RAMS V&V; Add-On to Scrum: CM; Stable.

Page 8: Separation of concern and CIA

Figure (diagram): the SafeScrum process with separation of concern. Labels: Environment description; High level plans; SSRS (Phases 1 - 4); Backlog; Scrum (Phase 10); RAMS validation; Operation (Phase 14); Modifications (Phase 15); Parts of Annex A.1 – A.7, B.1 – B.3, B.7 – B.9; New safety requirements from the customer; Requirement changes; Change Impact Analysis; Results: Change not implemented / Change implemented in SSRS; Update of the User Manual?

Page 9: V-model and Separation of Concern

Figure (diagram): the V-model split into "The main Scrum domain" and "Outside SafeScrum".

Page 10: Separation of Concern

Upfront activities:
• Safety requirements
• Hazard/Risk
• Architecture
• System design

After sprints:
• Remaining validation activities
• RAMS evaluations
• Remaining parts of the Safety Case or similar

Page 11: Safety standards and use of an Agile method

Topics to be addressed when complying with safety standards:
• Definitions
• Lifecycle requirements
• Configuration management
• Change Impact Analysis
• Documentation
• Regression testing

Page 12: Safety standards

Safety standards intentionally do not include information related to the following topics (comments on how Agile methods cover them):

Project management: Agile methods have solutions for the SW team
Project organization: Scrum has solutions for the SW team
Communication: Agile methods have solutions for the SW team
Certification: Agile methods have solutions for communication (Daily Scrum)

Page 13: Assessor

Duty to provide guidance (copy from the appointment of SINTEF as Notified Body):

A NoBo has a general duty to provide guidance

SINTEF ICT shall through its guidance point out possible faults or shortcomings of a product so that the manufacturer can bring the product into line with the requirements from regulations

It is however the manufacturer's responsibility to find the actual technical solutions

Page 14: Goal-based approach to improve IEC 61508-3

IEC 61508-3 includes lifecycle requirements

The requirements are based on the waterfall process methodology although "any software lifecycle model may be used provided all the objectives and requirements of this clause are met".

The current standard has not succeeded in presenting the requirements as model independent since the requirements are presented according to the waterfall model, including the V-model.

Page 15: Goal-based approach to improve IEC 61508-3

According to IEC 61508-3, any lifecycle may be used provided that all the objectives and requirements are met

Although this is stated in the standard, it presents the requirements as if the V-model is the only model to be used

Only one requirement for the lifecycle has to be changed in the next edition of IEC 61508-3

However, notes should be added as part of some of the existing requirements

Page 16: Goal-based approach to improve IEC 61508-3

Current IEC 61508-3 edition, 7.1.2.4: "Provided that the software safety lifecycle satisfies the requirements of table 1, it is acceptable to tailor the V-model (see figure 6) to take account of the safety integrity and the complexity of the project."

Future edition, 7.1.2.4: "Provided that the software safety lifecycle satisfies the requirements in chapter 7, it is acceptable to tailor the model chosen (e.g. V-model or Scrum) to take account of the safety integrity and the complexity of the project."

Ch. 7: Software lifecycle requirements

Page 17: EN 50128

EN 50128 includes detailed requirements related to the organisation, roles and responsibilities.

Requirements related to documentation are specific in EN 50128 and 45 documents are listed in the standard.

Personnel competence requirements are strict and concrete, involving required key competencies for 10 different roles.

Page 18: Configuration management

Categories, with comments related to Agile versus Waterfall:

CM during development (including requirements for tools): Different, mainly because Agile results in
• More builds/baselines
• More deliveries/releases
• More changes

CM when in use (architecture/design): Similar

Configuration data: Similar

Page 19: CM and IEC 61508 Part 7

More information related to CM has to be presented in Part 7, either as text in Part 7 (preferred by the industry) or as more references in Part 7, e.g. a reference to the IEEE 828:2012 standard for Configuration Management in Systems and Software Engineering.

Page 20: Regression

Requirements and information related to regression testing are currently weak in the two standards

Regression testing is more important when performing incremental development

Complete regression testing of a large or complex system will usually require much effort and resource

The standard approach is to repeat all tests. But in some cases this is impractical and expensive

Regression testing may also be necessary when performing non-code changes (changes to configuration files and databases)
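The alternative to repeating all tests relies on the traceability the "Add-On to Scrum" slide asks for (safety requirements traced to the artifacts that implement them and the tests that verify them). As an added example, not code from the original deck or from the SafeScrum project, the following change impact analysis selects regression tests from such a trace, treats configuration files and database schema as traced artifacts so that non-code changes also trigger tests, and falls back to the full suite when a changed artifact is not traced at all. All requirement ids, file names and test names are constructed sample data.

```python
"""Change impact analysis with traceability-driven regression test selection.

Added example (not code from the deck or the SafeScrum project). It models the
traceability an Add-On to Scrum has to keep (safety requirement -> implementing
artifacts -> verifying tests) and uses it to pick the regression tests a change
set requires. Non-code artifacts are traced like code. All ids are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyRequirement:
    req_id: str
    artifacts: frozenset  # code and non-code items implementing the requirement
    tests: frozenset      # tests that verify the requirement


# Constructed traceability matrix; config/limits.yaml is shared by SR-1 and SR-2.
TRACE = (
    SafetyRequirement("SR-1", frozenset({"src/esd.c", "config/limits.yaml"}),
                      frozenset({"T-ESD-1", "T-ESD-2"})),
    SafetyRequirement("SR-2", frozenset({"src/speed.c", "config/limits.yaml"}),
                      frozenset({"T-SPD-1"})),
    SafetyRequirement("SR-3", frozenset({"src/log.c", "db/schema.sql"}),
                      frozenset({"T-LOG-1"})),
)


def all_tests(trace):
    """Every test in the trace: the full regression suite."""
    return set().union(*(r.tests for r in trace))


def change_impact(trace, changed):
    """Return a CIA record: impacted requirements, tests to rerun, untraced changes.

    A changed artifact that no requirement traces to means the traceability is
    incomplete, so the analysis falls back to the full regression suite rather
    than silently skipping tests.
    """
    changed = set(changed)
    traced = set().union(*(r.artifacts for r in trace))
    untraced = changed - traced
    impacted = sorted(r.req_id for r in trace if r.artifacts & changed)
    tests = all_tests(trace) if untraced else {
        t for r in trace if r.req_id in impacted for t in r.tests}
    return {"impacted_requirements": impacted, "tests_to_run": sorted(tests),
            "full_regression": bool(untraced), "untraced_changes": sorted(untraced)}
```

Calling `change_impact(TRACE, ["config/limits.yaml"])` selects the tests of both requirements that share the configuration file, which is the non-code case the slide points at.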

Page 21: Current practice

AAMI, the Association for the Advancement of Medical Instrumentation

Page 22: Current practice, Certification Bodies

Certification body and comment:

TUV Nord: Accept SafeScrum
TUV Rheinland: Accept SafeScrum
TUV Sud: Accept Adapted Agile methods
Exida: Accept Adapted Agile methods
Lloyds: Accept Adapted Agile methods

Page 23: Conclusions

Edition 2 of IEC 61508 does not stop the use of Agile methods

CIA, CM, Regression, "Add-on" and "Separation of Concern" are addressed in the SafeScrum model

Two certification bodies accept SafeScrum and at least 3 other main certification bodies accept "Adapted agile methods"

Provided that the software safety lifecycle satisfies the requirements in chapter 7, it is acceptable to tailor the model chosen (e.g. V-model or adapted Scrum) to take account of the safety integrity and the complexity of the project

Page 24

https://no.linkedin.com/in/thormyklebust

www.sintef.no/sjs (Railway)

www.sintef.no/IEC61508 (Certification and Consultancy)

www.sintef.no/SafeScrum (Software development)