Bosch Security Systems | 2011-02 | Praesideo 3.5 | Installation and User Instructions | EN54-16: 2008
c) details of any software tools used in the preparation of the program (e.g. high level design tools, compilers, assemblers).
Compliance: The list can be composed on request and contains high level design tools, compilers for various processors, syntax validation tools, build tools, test tools, performance validation tools, version control tools and defect tracking tools.
14.3 Software design
Praesideo is compliant.
In order to ensure the reliability of the VACIE, the following requirements for software design shall apply:
a) the software shall have a modular structure;
Compliance: The modular structure of the Praesideo software is documented in the software architecture documents.
b) the design of the interfaces for manually and automatically generated data shall not permit invalid data to cause an error in the program execution;
Compliance: The interfaces between the modules and to external components are well defined and described in the design documents and external interface documents (Open Interface). Asserts are used to validate inputs at component boundaries.
c) the software shall be designed to avoid the occurrence of a deadlock in the program flow.
Compliance: Design guidelines are in place to avoid deadlocks. Multi-threading within components is avoided where feasible, and components have an input command queue for safe decoupling of threads.
14.4 Program monitoring (see also Annex C)
Praesideo is compliant.
14.4.1 The execution of the program shall be monitored as under 14.4.2 or 14.4.3. If routines associated with the main functions of the program are no longer executed, either or both of the following shall apply:
a) the VACIE shall indicate a system fault (as in 8.3);
Compliance: Upon activation of a watchdog, a fault is reported after restart of the failing component, indicating the failing unit and processor. If a restart of the failing component is not possible, a less detailed fault is reported. A system fault is indicated when entering the fault condition.
b) the VACIE shall enter the fault warning condition and indicate faults of affected supervised functions (as in 8.2.3, 8.2.4, 8.3, 8.4 and 8.5), where only these functions are affected.
Compliance: Upon activation of a watchdog, a fault is reported after restart of the failing component, indicating the failing unit and processor.
14.4.2 If the program executes in one processor, the execution of the routines in 14.4.1 shall be monitored by a monitoring device as in 14.4.4.
Compliance: All processors used in the Praesideo system are either guarded by a hardware watchdog or are monitored by a processor that is guarded by a hardware watchdog.
14.4.3 If the program executes in more than one processor, the execution of the routines in 14.4.1 shall be monitored in each processor. A monitoring device as in 14.4.4 shall be associated with one or more processors, and at least one such processor shall monitor the functioning of any processor not associated with such a monitoring device.
Compliance: All processors are either guarded by a hardware watchdog or are monitored by a processor that is guarded by a hardware watchdog. The network controller is responsible for monitoring all processors in the system. Upon failure of one of the processors, either due to a watchdog failure or due to a communication failure, a fault is generated. Failure of the network controller itself causes the system fault output contact to be de-energized, indicating a system fault.
14.4.4 The monitoring device of 14.4.2 and 14.4.3 shall have a time-base independent of that of the monitored system. The functioning of the monitoring device, and the signaling of a fault warning, shall not be prevented by a failure in the execution of the program of the monitored system.
Compliance: All processors are either guarded by a hardware watchdog or are monitored by a processor that is guarded by a hardware watchdog.
Additionally, the correct operation of the main processor of all system elements is validated by execution checks at relevant locations in the code, to ensure that no important flow is excluded from execution.
The correct operation of the network controller's multi-threaded environment is validated by monitoring its threads: all relevant threads must report to a single thread that is responsible for resetting the watchdog. If a thread does not report within a given time frame, the watchdog feeding process is halted. This monitoring thread is itself supervised by a hardware watchdog.
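The thread-reporting scheme described above, written out as an added illustration (this is not Praesideo code; the thread count, the 500 ms reporting deadline and the kick routine standing in for the hardware watchdog register are assumptions):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical heartbeat supervisor (added example, not Praesideo code).
 * Each supervised thread calls hb_report() from its main loop. A single
 * supervisor thread calls hb_service() periodically and is the only place
 * the hardware watchdog is fed. Time is a monotonic millisecond tick. */

#define HB_THREADS 3          /* assumed number of supervised threads */
#define HB_TIMEOUT_MS 500u    /* assumed per-thread reporting deadline */

static uint32_t last_report[HB_THREADS];
static bool feeding_halted = false;  /* latched: once set, the HW watchdog expires */
static unsigned hw_kicks = 0;        /* counts kicks to the simulated HW watchdog */

static void hw_watchdog_kick(void) { hw_kicks++; }  /* stand-in for the register write */

void hb_init(uint32_t now_ms) {
    for (int i = 0; i < HB_THREADS; i++) last_report[i] = now_ms;
    feeding_halted = false;
    hw_kicks = 0;
}

/* Called by each supervised thread; id is its slot in the table. */
void hb_report(int id, uint32_t now_ms) {
    if (id >= 0 && id < HB_THREADS) last_report[id] = now_ms;
}

/* Index of the first thread that missed its deadline, or -1 if all are alive.
 * Unsigned subtraction keeps the comparison correct across tick wrap-around. */
int hb_first_stalled(uint32_t now_ms) {
    for (int i = 0; i < HB_THREADS; i++)
        if (now_ms - last_report[i] > HB_TIMEOUT_MS) return i;
    return -1;
}

/* Supervisor step: feed the watchdog only while every thread keeps reporting.
 * Once a thread stalls, feeding stops for good so the hardware watchdog resets
 * the processor and the restart reports the fault (see 14.4.1). Returns true if fed. */
bool hb_service(uint32_t now_ms) {
    if (feeding_halted) return false;
    int stalled = hb_first_stalled(now_ms);
    if (stalled >= 0) {
        feeding_halted = true;
        printf("thread %d stalled; watchdog feeding halted\n", stalled);
        return false;
    }
    hw_watchdog_kick();
    return true;
}

unsigned hb_kick_count(void) { return hw_kicks; }
```

The halt is latched deliberately: a thread that resumes after missing its deadline must not be able to silently cancel the pending hardware reset, so the fault always surfaces through the restart path.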
14.4.5 In the event of a system fault as specified in 14.4.1 a) or 14.6, those parts of the VACIE affected shall enter a safe state not later than the indication of the system fault. This safe state shall not result in the false activation of mandatory outputs.
Compliance: Upon restart of a unit other than the network controller, the unit is reinitialized and ordered back to its expected state. Upon restart of the network controller and the subsequent loss of the audio and communication network, all units assume a safe state. When restarted, the network controller orders the units to their initialization state and is responsive to new stimuli.
Information about errors and fatal errors (those resulting in a reboot) is saved in SRAM for post-mortem analysis.
In addition to the display, a fault indicator can be supplied that indicates the presence of a fault.