The concept and the implementation of the Software Watchdog have been inspected based on the documentation provided by the manufacturer, see /D1/. Further the test activities concerning the correct implementation of the Software Watchdog performed by the manufacturer have also been inspected. Finally functional and fault insertion testing for the Software Watchdog implementation has been successfully performed at the manufacturer’s site, see /D4/. The inspection showed that the relevant requirements of the above standards are fulfilled.
It can be concluded that the implemented Software Watchdog together with the Hardware Watchdog provides a high diagnostic coverage concerning the detection of random hardware failures as required for SIL3 applications. Further this measure is also able to control systematic failures caused by software, hardware or environmental influences up to a high degree. Description and evaluation of new hardware A new remote analog input module called RMP420S has been introduced. The purpose of the new module is to interface to analog input current and/or analog input voltage channels. The RMP420S has the same structure as the previously already approved remote IO modules. The main difference being that the module provides a multi-purpose front-end. During functional and fault insertion testing it has been shown that the new hardware module RMP420S is capable of reading in analog current and analog voltage signals with the required hardware safety integrity.
In particular it has been shown through a combination of analysis, see document 339381, and testing see D2, that the required safe failure fraction of 90% will be reached. Further calculations performed by Kongsberg Maritime show that the safety related reliability of the new hardware module is comparable to the previously approved modules, see document 339381. The RMP420S module can be used with defined safety loops as specified in the user manual, see document 323935. The central processing unit called RCU500 has been upgraded to a new version called RCU501 in order to accommodate the change of the communication bus from PBUS to RBUS. Similarly the previously approved remote digital input module RDIO401S has also been updated in order to implement the new communication bus.
These changes have been successfully tested during the functional and fault insertion testing of the RBUS components, see /D4/. All new hardware components have been tested regarding their environmental and EMC behaviour in an accredited test laboratory. The environmental testing has been conducted using the requirements described in /N4/. For the EMC testing additionally the testing with higher EMC levels according to EN 62061 has been performed. For the test results see documents 198508-1, 198696 and 1910541. The test reports show that the testing has been performed successfully and that the relevant requirements are fulfilled. The test results are accepted by the test institute, see /D5/. The new hardware components are powered through a 24 V supply. Therefore the electrical safety of the new components is ensured. It can be concluded that the new hardware modules RCU501, RDIO420S and RMP420S fulfil the requirements for use in safety related applications up to SIL 3 with low demand mode of operation. Description and evaluation of changes to the development process The previous certification found that the development process did not fulfil all the requirements regarding the avoidance of faults during the different relevant life cyle phases of the AIM release, see report /T3/. During the course of the current certification Kongsberg Maritime has introduced a requirement’s tracking process using the tool DOORS. The new requirement’s tracking is applied to all new documents being generated. Also Kongsberg Maritime has started to re-write the AIM specification and the AIM architecture specification, see documents 331443 and 331444. The AIM specification has been generally agreed. The AIM architecture specification needs further work which will be performed during the certification of the next AIM release. A V&V plan for the AIM Safe system has also been established, see 338369. Further a test specification for the AIM Safe system has been generated, see 338370.All these measures have helped to greatly improve the process of establishing proper specifications, doing appropriate designs based on these specifications and defining the required testing for these designs. Although the process of establishing the system level requirements is not yet complete it can nevertheless be said that for all new components and functionality the required measures for the avoidance of faults as detailed in 338369 have been effectively applied during the development, design and testing of the AIM Safe system. Further the procedure for performing minor changes, bug fixes and updates to the AIM Safe system, the so called Track Procedure, has been substantially revised, see PRO-2099. In particular the procedure now includes detailed provisions in order to identify the safety relevance of changes, the requirement for performing an impact analysis and determining the required change activities depending on the safety relevance of the change. The revised change procedure has already been applied to the latest changes performed on the system. It can be said that the revised track procedure provides the necessary requisites in order to ensure that upcoming minor changes to the AIM Safe system will be executed in a manner which guarantees the safety integrity of the AIM Safe system under the assumptions that it will be properly applied. It can be concluded that the implemented changes to the development process have been pivotal in order to fulfil the requirements regarding the avoidance of faults during the different relevant life cycle phases of the AIM Safe system. It has been agreed that further improvements will be implemented during the course of the next certification.
Reviews
There are no reviews yet.