Documente Academic
Documente Profesional
Documente Cultură
DNV-OS-D203
INTEGRATED SOFTWARE-
DEPENDENT SYSTEM
(TENTATIVE STANDARD)
APRIL 2010
© Det Norske Veritas. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including
photocopying and recording, without the prior written consent of Det Norske Veritas.
If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such person
for his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-
sation shall never exceed USD 2 million.
In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of Det
Norske Veritas.
Offshore Standard DNV-OS-D203, April 2010
Introduction – Page 3
CONTENTS
CHAPTER 1
INTRODUCTION
CONTENTS PAGE
Sec. 1 General ....................................................................................................................................... 9
SECTION 1
GENERAL
A. About this Standard 205 A final key benefit is that this OS provides a flexible,
cost effective scheme of activities that may be tailored to suit
A 100 Introduction the needs: safety, environmental or business.
101 This Offshore Standard (OS) describes requirements for A 300 Scope of application
Integrated Software-Dependent System (ISDS). An ISDS is an
integrated system for which the overall behaviour is dependent 301 The requirements of this document apply to units where
on the behaviour of its software components. This standard specified onboard systems have undergone integration of soft-
describes required activities for the design, construction, inte- ware-dependent systems (ISDS). A class notation as specified
gration, commissioning and operations of units with ISDS in these rules can be assigned when this method or equivalent
onboard. It describes roles and responsibilities for the organi- methods have been used for integration on systems as specified
zations involved in such activities. in Chapter 2 of these rules.
102 Equipment and systems have become more complex, Guidance note:
automated, with a higher level of integration. This trend is The requirements in this chapter apply to marine and offshore
accelerating with time. This continuing evolution provides systems and cover integration activities that may be utilized to
assist in design, build, upgrade and/or operations of functional-
owners of units with opportunities but also it introduces chal- ity, dependability and performance of such systems. Examples of
lenges to the management of such systems, for their full life ISDS equivalent methods are CMMI and ISO 15288.
cycle. When an owner strives for high production and a safe
installation, demands have to be set upon the systems that con- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
trol the installation.
302 The rules address specific processes and activities to
103 The main challenge for Integrated Software Dependent develop and operate integrated software-dependent systems
Systems (ISDS) is how to engineer the various system ele- (ISDS). Application of such activities will provide additional
ments into a single system that meets all the necessary require- objective evidence of functionality, quality and dependability
ments, in terms of safety, functionality, reliability, etc. during normal, abnormal and degraded condition in accord-
Selecting and connecting system elements that may individu- ance with the relevant requirements and expected use, to the
ally satisfy the requirements is not sufficient. The challenge level of confidence required.
extends to the integration of the system elements and an under- Guidance note:
standing of their operation within the system, in particular the
effect both negative and positive that system elements may The objective is to develop and/or operate the specified target
system by applying of one or more integration process and activ-
have on each other, in order to deliver the emerging properties ities as described in these rules in order to provide objective evi-
of the system. dence of acceptable functionality, quality and dependability
104 This OS presents applicable best practices related to according to stated requirements and expected use.
work processes and quality assurance for the full lifecycle of Application of any ISDS process and method should provide
ISDS, where control, monitoring and safety systems serving additional broader and/or deeper integration when compared to
several functions can be integrated, or connected via commu- normal classification concept, design, construction, test and
nication networks. operation activities required for the target software-dependent
system(s).
A 200 Objectives ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
201 The objectives of this document are to: 303 In addition to the process and method requirements
— provide a common framework to improve the life cycle defined by DNV in these rules, functional, quality and depend-
economics of ISDS in the maritime and energy industries. ability requirements for the stated system(s) shall be specified.
— provide requirements for involved organizations to ensure In this context all main and additional class requirements
that integration activities are planned, executed and man- applicable for the target software-dependent system apply.
aged according to best practices. Guidance note:
Upon special agreement other rules and requirements may be
202 Applying this OS helps owners and operators find a bal- made applicable if relevant. In the case that rules and require-
ance between the opportunities and the cost of automation and ments have conflicting requirements, such conflicts should be
manage the risk related to poor quality, incorrect functionality clarified, concluded, and documented in each case.
and unsafe behaviour of a function during the entire life cycle. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
203 For system integrators (typically builders or yards) and
suppliers the application of this document provides a common 304 This document expresses requirements for ISDS devel-
framework to help deliver on schedule and achieve functional- opment, construction and operations in the Maritime and
ity and quality targets. It is an efficient tool for system integra- Energy industries. Systems under consideration are any of the
tors and suppliers to communicate and resolve key issues systems involved in operation in these sectors. There is no lim-
related to the integration challenge at an early stage and itation concerning their size or complexity. This document
throughout the whole life cycle. addresses all systems in scope, including the controlled sys-
tems, the control systems and the interfaces between the two.
204 This document recommends an approach for managing
the risk and it gradually creates confidence in the ISDS. It does 305 This document expresses requirements on the processes
not impose a new quality system. The focus of this OS is on to manage ISDS throughout the life cycle. It describes how
which processes shall be implemented to be compliant, and not product requirements should be developed and does not spec-
how they can be implemented. Existing project quality systems ify any specific product requirements. Other rules and stand-
shall reference the ISDS OS as an applicable document and the ards provide product specific requirements which shall be
DNV-RP-201 Integrated Software-Dependent System as rec- followed in addition.
ommended guidelines. 306 Within the ISDS elements, the scope of the ISDS class
notation shall apply to software created, modified, parameter- tions are not permitted unless formally and rigorously justified,
ized, tuned and/or configured for the specific project in scope. and accepted by all parties.
Standard software shall be qualified for use in the ISDS 102 Should: Indicates a recommendation that a certain
project, according to the activities required by this OS. course of action is preferred or particularly suitable. Alterna-
Guidance note: tive courses of action are allowable under the standard when
Standard components off the shelf (COTS), in this case software, agreed between contracting parties, but shall be justified, doc-
cannot be subject to the ISDS review. When using COTS, the umented and approved by DNV.
processes for acquiring, and qualifying the use of the software
should be reviewed and checked for compliance. For example, 103 May: Indicates permission, or an opinion, which is per-
the activity C.ACQ.7 (acceptance and transitioning of COTS) is mitted as a part of conformance with the standard.
expected to be performed for each COTS acquired and included 104 Can: Indicates a conditional possibility.
in the final ISDS. The ISDS activities focus on assembling the
various COTS software together in a controlled and integrated C 200 Definitions
process.
201 Activity: A defined body of work to be performed,
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- including its required input and output information.
[IEEE 1074:2006]
A 400 Structure of this document 202 Approval (of activities): An activity (as defined by this
401 This document consists of three chapters and one appen- OS) is approved when the findings demonstrate is imple-
dix: mented successfully for the phase.
203 Assessment (of activities): An examination of one or
— Chapter 1 gives the general scope of the document, back- more processes within the ISDS project by a trained team of
ground, definition and references, professionals using the ISDS reference model as the basis for
— Chapter 2 presents an overview of the ISDS activities and establishing findings and determining, at a minimum, strengths
management processes, and describes the ISDS activity and weaknesses.
requirements which are further detailed in DNV-RP-D201
Integrated Software-Dependent Systems. 204 Availability: The ability for the system to provide access
— Chapter 3 describes the class notations and the classifica- to its resources in a timely manner for a specified duration.
tion activities [IEC IEV 191-02-05]
— Appendix A lists the information requirements for each 205 Canonical Data Model: The canonical data model
role. (CDM) is a common model of the data exchanges, for all par-
ticipants in the ISDS project. All data exchanged between sub-
system boundaries shall be recorded in the CDM. All data
exchanged by systems provided by different participant organ-
B. References izations shall be recorded in the CDM. The data description
shall include 1) semantic information (the meaning of the data
B 100 International or national references for the users and the unit, the importance of the data); 2) tech-
101 This standard is provided as a facilities standard, and is nical information: format, precision, plausibility interval,
complementary to the standards listed in Table B1. default values, standards applicable, criticality or safety level
(when applicable), and 3) exchange scenario information
Table B1 International or national references (when is the data sent (originator event), which system (equip-
ment) sends it, which frequency, which protocols are used,
Reference Title which system(s) receive it, when do they receive it, which
ARP 4761 Guidelines and methods for conducting the transformations are applied (if any) and what could happen in
safety assessment process on civil airborne case of errors.
systems and equipment
ECSS-E-40B: 2003 Space engineering 206 Code review:Systematic examination (often as peer
review) of computer source code intended to find and fix mis-
IEC IEV 191 Dependability and quality of service takes overlooked in the initial development phase, improving
IEC 61508 Functional safety of electrical/electronic/pro- the overall quality of software. Code review may also be partly
grammable electronic safety-related systems automated.
IEEE 610.12:1990 Glossary of software engineering terminology
207 Common cause failure: Failure of multiple items occur-
IEEE 1074:2006 Developing software life cycle processes ring from a single cause that is common to all of them.
EN 13701:2001 Glossary of space systems terminology [EN 13701:2001].
ISO 9000 Quality management systems 208 Common mode failure: Failure of multiple identical
B 200 DNV references items that fail in the same mode. Note: Common mode failures
are a particular case of common cause failures.
201 The latest revision of the DNV Offshore standards listed [EN 13701:2001].
in Table B2 applies. 209 Configurable code: Code (source code or executable
code) that can be tailored by setting values of parameters.
Table B2 Offshore Standards and other DNV references [ECSS-E-40B: 2003].
Standard Title
210 Configuration Management: The management of fea-
DNV-RP-D201 Recommended practice for Integrated Software- tures and assurances through control of changes made to
Dependent Systems
requirements, hardware, software, firmware, documentation,
test, test fixtures and test documentation of an automated infor-
mation system, throughout the system lifecycle.
C. Definitions 211 Consequence (failure): Ranking of the seriousness of
the failure (business, environmental and safety).
C 100 Verbal Forms 212 Commercial off-the-shelf: Software or hardware, gener-
101 Shall: Indicates a mandatory requirement to be followed ally technology or computer products, that are ready-made and
for fulfilment or compliance with the present standard. Devia- available for sale, lease, or license to the general public.
213 Control function: a function in the ISDS system which Guidance note:
responds to input signals from the environment, the process Examples of causes of systematic failures include human error
and/or the operator and generates output signals causing the in:
system to operate in the desired manner. [Taken and adapted
from IEC 61508, part 4, §3.3.4] — the safety requirements specification
— the design, manufacture, installation, operation of the hard-
214 Criticality: Combined measure of the severity of a fail- ware
ure mode and its probability of occurrence. — the design, implementation, etc. of the software.
215 Decision Gate (or Milestone): A scheduled event mark- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
ing the completion (or not) of the preceding phase. The various
roles shall be present and shall have provided before hand their 225 Failure propagation: Any physical or logical event
set of deliverables for review and approval. Of the roles has the caused by failure within a product which can lead to failure(s)
responsibility for taking the decision to step through the gate of products outside the boundaries of the product under analy-
or not. Some gates are managed by the owner, others are man- sis.
aged by the system integrator.
226 Fault: Abnormal condition that may cause a reduction
216 Defect: Non-fulfilment of a requirement related to an in, or loss of, the capability of a functional unit to perform a
intended or specified use. [ISO 9000:valid version]. required function excluding the inability during preventive
217 Dependability: Collective term used to describe the maintenance or other planned actions, or due to lack of exter-
availability performance and its influencing factors: reliability nal resources [IEC 61508-4].
performance, maintainability performance and maintenance 227 Finding: the result of approval, assessment and renewal
support performance. See also RAMS, to which it adds Secu- activities by DNV, identifying the most important issues, prob-
rity. [IEC IEV 191-02-03]. lems or opportunities for improvement within the ISDS scope.
218 Process area: A set of activities dealing with consistent Findings are inferences drawn from corroborated evidence.
objectives and skills within the system lifecycle. 228 Functional Safety: Functional safety is part of the over-
219 Emerging System Property: A property of a system all safety that depends on a system or equipment operating cor-
which cannot be observed, measured, tested or verified at the rectly in response to its inputs. Neither safety nor functional
sub-system or equipment level. safety can be determined without considering the systems as a
whole and the environment with which they interact.[IEC
Guidance note: 61508].
The properties of a feedback loop cannot be determined by look- 229 GSR: Generic System Requirement: an attribute of the
ing at one of the individual pieces of the loop. system or its function, relating to functionality, quality or
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- RAMS, as seen by the owners and operators.
230 Independent: Applied to the verifier responsibility. The
220 Error: A discrepancy between a computed, observed or level of independence is the one defined by IEC 61508.
measured value or condition and the true, specified or theoret-
ically correct value or condition. [IEC 61508-4]. 231 Integration testing: Testing in which software compo-
nents, hardware elements, or both are combined and tested to
Guidance note: evaluate the interaction between them.[IEEE 610.12:1990].
An error can be caused by a faulty item, e.g. a computing error
made by faulty computer equipment. 232 Initial Operational Capacity: for a system developed in
stages, describes the capabilities of the first delivery of the sys-
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- tem to the operator. Additional deliveries may increase the
capabilities over time.
221 Evidence: information, documents or interview results
used as indicators of the implementation of ISDN activities. 233 Integrated System: An integrated system is a set of ele-
ments which interact according to a design, where an element
222 Failure: The termination of the ability of a functional of a system can be another system, called a subsystem, which
unit to perform a required function on demand. may be a controlling system or a controlled system and may
Note: a fault in a piece of equipment may lead to the failure of include hardware, software and human interaction.
its function, itself leading to a fault in other linked pieces of [IEC 61508-4].
equipment, etc. (see below failure propagation).
Guidance note:
223 Failure, Random Hardware: Failure, occurring at a ran- The INCOSE SE focuses more on the intent of the system: 'An
dom time, which results from one or more of the possible deg- integrated system is an integrated set of elements that accomplish
radation mechanisms in the hardware. [IEC 61508-4]. a defined objective.
Guidance note: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A major distinguishing feature between random hardware fail-
ures and systematic failures (see below), is that system failure 234 Interview: oral interaction with those implementing or
rates (or other appropriate measures), arising from random hard- using the ISDS processes within the project. Interviews are
ware failures, can be predicted with reasonable accuracy but sys- typically held with various groups or individuals, such as
tematic failures by their very nature cannot be accurately project leaders, managers, and project members. A combina-
predicted. That is, system failure rates arising from random hard- tion of formal and informal interviews may be held, using
ware failures can be quantified with reasonable accuracy but interview scripts or exploratory questions developed to elicit
those arising from systematic failures cannot be accurately statis- the information needed. A presentation or demonstration may
tically quantified because the events leading to them cannot eas-
ily be predicted. serve as an interview if interaction between the appraisal team
and presenter can ensue.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
235 ISDS Element: Integrated Software Dependent System
224 Failure, Systematic: Failure related in a deterministic Element. A component, subsystem or control circuit, etc. that
way to a certain cause, which can only be eliminated by a mod- is a part of the ISDS.
ification of the design or of the manufacturing process, opera- 236 Maintainability: The ability of a system under given
tional procedures, documentation or other relevant factors. conditions of use, to be retained in, or restored to a state in
[IEC 61508-4]. which it can perform its functions, when maintenance is per-
formed under given conditions and using stated procedures achieve or maintain a safe state, taking into account (a) specific
and resources. hazardous event(s).
237 Milestone:See Decision Gate. 254 Software ISDS Element: A software component of an
238 MoSCoW: Must have, Should have, Could have, Won’t ISDS.
have (but would like). MoSCoW is a prioritization technique 255 Software product: Set of computer programs, proce-
applied to requirements, specifically software requirements, in dures, documentation and their associated data.
the Dynamic Systems Development Method (DSDM).
256 Software unit Separately compilable piece of source
239 Nonconformity: The non fulfilment of specified require-
ments, a particular kind of defect. code. Also called "Module" or "Package".
240 Non-compliance: A Nonconformity to the process and 257 System Safety Analysis: A systematic, comprehensive
method requirements as expressed in these rules. evaluation of the implemented system to show that the relevant
requirements are met. [ARP 4761]. Also, Safety & Security
241 Obsolescence (Risk): Risk associated with technology Application Area: a set of best practices to implement safety
within the system that becomes obsolete before the end of the
Expected Shelf or Operations Life, and cannot provide the and security activities, provided by the FAA, to be used for
planned and desired functionality. This risk may be mitigated process assessment and improvement.
by the Portability Generic System Requirement. 258 Stress testing: Testing that evaluates a system or soft-
242 Peer review: A process of subjecting an author's work to ware component at or beyond its value limits.
the scrutiny of others who are experts in the same field. Test case: A specification of a test in terms of:
243 Probability (failure): For hardware, probability that an — a description of the purpose of the test
item fails to operate when required.
This probability is estimated by the ratio of the number of fail- — pre-conditions (e.g. the state of the software under test)
ures to operate for a given number of commands to operate, to — actions organized in one or several scenarios
the number of commands [IEC IEV-191-29-1]. — post-conditions (expected reaction).
244 Preliminary System Safety Analysis; A systematic eval- 259 Unit and ISDS Element testing: A process for testing
uation of a proposed system architecture and implementation
based on the Functional Hazard Assessment and failure condi- components to ensure functionality as defined for the compo-
tion classification to determine safety requirements for all nent, before integration.
items. [ARP 4761]. 260 Validation: Confirmation, through the provision of
245 Reliability, Availability, Maintainability, (Functional) objective evidence that the requirements for a specific
Safety: A set of commonly linked generic system attributes that intended use or application have been fulfilled. [ISO
often need to be dealt with in a systematic manner. See also 9000:valid version].
Dependability.
261 Verification: Confirmation through the provision of
246 Record: Information or documents stating results objective evidence that the specified requirements have been
achieved or providing evidence of activities performed. fulfilled. [ISO 9000:valid version].
247 Regression testing: Selective retesting of a system or 262 ISDS XML Format: A format describing a structure for
component to verify that modifications have not caused unin-
tended effects and that the system or component still complies the delivery of information compliant to this OS’ information
with its specified requirements. [IEEE 610.12:1990]. requirements and facilitating the verification process.
248 Reliability: The capability of the ISDS to maintain a C 300 Abbreviations
specified level of performance when used under specified con-
ditions. 301 The abbreviations in Table C1 are used.
249 Review: Activity undertaken to determine the suitabil- Table C1 Abbreviations
ity, adequacy and effectiveness of the subject matter to achieve CDN Canonical Data Model
established objectives. [ISO 9000:valid version].
CL<n> Confidence Level <n> (n=0 to 3)
250 Revision control: Management of multiple revisions of COTS Commercial off-the-shelf
the same unit of information (also known as version control, CPU Central Processing Unit
source control or (source) code management).
HW Hardware (as opposed to software)
251 Risk: Combination of the probability of occurrence of an IO Input/Output (also I/O)
incident and the severity of that incident. See IEC 61508 for IOC Initial Operational Capacity
more information.
ISDE ISDS Element
252 Safe State: State of the system when safety is achieved ISDS Integrated Software Dependent System
[IEC 61508-4]. MTTF Mean Time To Failure
Guidance note: MTBF Mean Time Between Failures
In going from a potentially hazardous condition to the final safe MTTR Mean Time To Repair
state, the ISDS may have to go through a number of intermediate OS Offshore Standard
safe states. For some situations a safe state exists only so long as
the ISDS is continuously controlled. Such continuous control PSSA Preliminary System Safety Analysis
may be for a short or an indefinite period of time. RAMS Reliability, Availability, Maintainability, Safety
RP Recommended Practice
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
SI System Integrator
253 Safety function: for the purpose of this OS, a control SSA System Safety Analysis
function implemented in the ISDS system which is intended to SW Software
CHAPTER 2
TECHNICAL PROVISIONS
CONTENTS PAGE
Sec. 1 General ..................................................................................................................................... 15
Sec. 2 Confidence levels and Scope.................................................................................................... 16
Sec. 3 Integrated Software-dependent Systems Process and Method................................................. 19
Sec. 4 ISDS Requirements for Owners ............................................................................................... 24
Sec. 5 ISDS Requirements for Operators............................................................................................ 26
Sec. 6 ISDS Requirements for System Integrators ............................................................................. 28
Sec. 7 ISDS Requirements for Suppliers ............................................................................................ 31
Sec. 8 Requirements for Independent Verifiers .................................................................................. 33
SECTION 1
GENERAL
SECTION 2
CONFIDENCE LEVELS AND SCOPE
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Figure 1
ISDS Elements Confidence Level assessment
SECTION 3
INTEGRATED SOFTWARE-DEPENDENT SYSTEMS PROCESS AND METHOD
Figure 1
Process chart
— The whole system has been verified (compliance with C 300 Solution Definition (SOL)
respect to requirements). 301 The Solution Definition process area encompasses the
— The whole system has been validated (it fulfils the user activities needed to establish the technical solution of the sys-
needs). tem: investigating of alternative, selection of the solution. It
— The whole system has been deployed in its target environ- produces the overall architecture of the system, structured into
ment. ISDS Elements.
— Documentation and training has been delivered
C 400 Design (DES)
B 600 Operation phase (E) 401 The Design process area aims at providing detailed
601 In this phase the system is under operation. Maintenance architecture, modelling and detailed interfaces of ISDS Ele-
and small upgrades are performed as needed. Configuration of ments and Subsystem Elements of the system.
the system is kept under control all along the life of the system
under operations. Obsolescence is managed. RAMS and GSR C 500 Implementation (IMP)
objectives are monitored. Issues are tracked and corrected as 501 Implementation covers the coding and parameterization
needed. needed to develop the ISDS Elements, as well as the associated
602 The end of life of the system is planned for, to take into support documentation.
account integration issues during the switch from the old sys- C 600 Acquisition (ACQ)
tem to the replacement system, if necessary.
601 Acquisition includes the activities related to subcon-
603 Large upgrades should be managed as a separate project, tracting: proposals, invitation to tender, supplier selection,
following a distinct lifecycle based on this document. contract establishment, contract execution, supplier monitor-
Guidance note: ing, deliverables reception, verification and acceptance.
The difference between small and large upgrades depends on the 602 In this document, the “Acquirer” may be the system
subject system, ship or unit. The owner should be responsible for
assigning the use of the OS for a given upgrade. A rule of thumb integrator, and major suppliers . The word “Supplier” is used
is that any planned upgrade resulting in the shutdown of the unit for the other entities which provide parts of the system.
or ship for any extended period of time should be managed as a
whole project using this document as an applicable document. C 700 Integration (INT)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- 701 The integration process area covers the assembly and
interface control activities of the different parts of the system.
604 This phase shall end with the successful passage of the
M5: ready for decommissioning C 800 Verification (VER)
801 The verification process area addresses the verification
— Before undertaking the replacement, the replacement sys- that each product complies with its specification.
tem has been accepted.
— During replacement, the RAMS and GSR requirements C 900 Validation and Acceptance (VAL)
shall be degraded, if so required, in a controlled manner, 901 The validation and acceptance process area covers the
explicitly described. activities aiming at controlling that the system fulfils its
— After replacement, no part of the replaced system shall intended use in its target environment. These activities apply to
continue to provide undocumented services. final system, but also to the intermediate work products.
C 1000 Reliability, Availability, Maintainability
and Safety (RAMS)
C. Process Areas
1001 The Reliability Availability Maintainability and Safety
C 100 Introduction (RAMS) process area gathers the activities aiming at identify-
ing and satisfying the expected system requirements. It com-
101 A process area is a group of activities related to a same prises the analysis, rules and mechanisms to ensure they will
type of processes. The activities from one process area are usu- be fulfilled. See the DNV-RP-D201 for further description on
ally undertaken by a certain type of actors in the project, with terms reliability, availability and maintainability as applied to
dedicated skills. integrated software dependent systems.
102 The process areas we used to structure the practices are Guidance note:
described here below. The RAMS process area is sometimes called the dependability
process area. It must be noted however that the dependability
C 200 Requirements Engineering (REQ) word may refer to different properties, sometimes including only
201 This process area gathers the activities needed to elicit, safety, and sometimes adding reliability and maintainability but
document and manage the requirements, all along the lifecycle not availability. The acronym RAMS is therefore the choice for
of the system. It is mainly focused on the beginning of the limiting the risks of misunderstanding. In addition to the 4 base
system requirements, additional system requirements may be
development on eliciting the needs that should be fulfilled by prescribed by the owner or operator. The DNV-RP-D201 pro-
the system, giving rise to set of requirements and scenarios for vides guidelines for defining and measuring system require-
the system. The set of requirements will then be managed all ments.
along the development but also during operations, to keep con-
trol on the functionalities of the system and how all the system ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A B C D E
Concept Engineering Construction Acceptance Operations
Requirements
Engineering
Solution
Definition
Design
Implementation
Acquisition
Integration
Verification
Validation
Reliability, Availability,
Maintainability, Safety
Supportive
Processes
Interface requirements,
design, behaviour,
Supplier prototypes, simulators Supplier
B A
ISDE Specifications ISDE Specifications ISDE Specifications ISDE Specifications
Deadlines Deadlines Deadlines Deadlines
Budget Budget Budget Budget
Interface Constraints Interface Constraints Interface Constraints Interface Constraints
Interface req., Interface req.,
design, behaviour design, behaviour
101 Independent Verifier: The Independent Verifier is an F. Activities and Confidence Levels
organization that is mandated to independently verify that the
system is developed according to the expected rules, standards, F 100 General
processes and quality. This responsibility can be undertaken by
either the owner or a third party organization. For systems with 101 As described previously, this document provides a scal-
high Confidence Level (CL3), this responsibility shall be able approach for good practices implementation. For systems
undertaken by a third party company. which potential consequences of non-performance are negligi-
ble, the set of expected activities can be quite low, whereas for
systems with high safety, environmental or business implica-
tions, a complete set of activities will be expected.
E. Activities 102 For each Confidence Level, this document identifies a
consistent set of required activities, which number increases as
E 100 General Confidence Level increases. As a result, activities required at
level 2 are the ones required for level 1 plus several others, and
101 The next four s define the activities required for each for level 3 we will find the whole set of activities described in
role. this OS.
102 An activity is defined in this OS as a defined body to per- 103 At Confidence Level 0, no activity is required, except
form, with an expected outcome. the preliminary assessment of Confidence Level of the system.
103 Each required activity has a unique identifier. The iden- Once the confidence level is confirmed to be at level 0, no
tifier is structured in three parts: X.YYY.NN. other activities are required by this OS.
104 The first part of the activity identifier refers to the phase. 104 At Confidence Level 1, the expected activities aims at
See Sec.3 B above. ensuring that system is kept under control during its develop-
ment and operations. This means that expected content of each
105 The second part of the activity identifier refers to the part of the system is thoroughly managed, in terms of require-
process area. See Sec.3 C above. ments and configuration. Moreover, it is required at that level
106 The third part of the activity identifier is a unique that activities are planned and controlled, to ensure that
number for the activity. expected tasks can effectively be performed. For the same rea-
sons, it is also required that subcontracting activities are care-
Guidance note: fully managed at that level. Confidence level 1 targets best
For example, A.REQ.2 is the identifier of the 2nd activity of the practices for the management of integration.
requirements process area for the concept phase. B.DES.1 is the
1st activity of the design process area in the engineering phase. 105 Confidence Level 2 systems involve a more detailed
E.RAMS.1 is the 1st activity of the RAMS process area in the control of the engineering activities. At that level, it must be
operations phase. ensured that development is performed with a complete, con-
sistent and verified approach. Thus, architecture, design,
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- development, integration, verification and validation tasks
shall comply with a large set of expected activities. At this needed for such safety and reliability demanding systems. It
level, risk management activities as well as RAMS require- encompasses generalization of independent verification proce-
ments identification and tracking should be performed. This dures for engineering activities (design, specifications, coding,
level introduces also the independent verifier, who shall under- testing), as well as the activities needed to ensure RAMS
take processes verification. Confidence level 2 adds best prac- expectations, such as failure analyses or applying specific
tices of system integration engineering. design patterns (e.g.: redundancy). Confidence level 3 adds
106 Confidence Level 3 requires additional activities, best practices for high integrity systems integration.
SECTION 4
ISDS REQUIREMENTS FOR OWNERS
A 400 Acceptance phase performed by the owner, depending on the confidence level:
401 No activities need to be performed by the owner at con-
fidence level 0, in this phase. Table A6 Owner Operations Ref Confidence
Activities Level
402 The following table describes the activities that shall be Ref 1 2 3
performed by the owner, depending on the confidence level:
Requirements engineering
Table A5 Owner Acceptance Confidence Level Manage change requests E.REQ.1 X X X
Activities Ref 1 2 3 Acquisition
Requirements engineering Manage and monitor obsolescence E.ACQ.1 X X
Manage change requests D.REQ.1 X X X Validation
Supportive processes Perform validation through opera- E.VAL.1 X X
tional scenarios
Establish a control system on D.SUP.3 X X X
deployed configuration Supportive processes
Control processes D.SUP.5 X X X Transfer Responsibility for system E.SUP.1 X X X
configuration management to oper-
Monitor project status against plan D.SUP.6 X X X ator
Track risks D.SUP.7 X X X Analyze impacts of modification E.SUP.5 X X X
Decide and track risks mitigation D.SUP.8 X X requests and decide changes
actions Control processes E.SUP.7 X X X
A 500 Operations phase Monitor project status against plan E.SUP.8 X X X
Track risks E.SUP.9 X X X
501 No activities need to be performed by the owner at con-
fidence level 0, in this phase. Decide and track risks mitigation E.SUP.10 X X
actions
502 The following table describes the activities that shall be
SECTION 5
ISDS REQUIREMENTS FOR OPERATORS
SECTION 6
ISDS REQUIREMENTS FOR SYSTEM INTEGRATORS
SECTION 7
ISDS REQUIREMENTS FOR SUPPLIERS
SECTION 8
REQUIREMENTS FOR INDEPENDENT VERIFIERS
Table A1 Independent Verifier Mandatory activities Table A4 Independent Verifier Confidence Level
There are no activities required at confidence level 0. Construction Phase activities Ref 1 2 3
Verification
103 The following table describes the activities that shall be
Perform independent code analy- C.VER.8 X
performed by the independent verifier, depending on the con- sis
fidence level:
Perform independent ISDS ele- C.VER.9 X
ment qualification
Table A2 Independent Confidence Level
Verifier Concept Phase Supportive processes
Ref 1 2 3
activities Independently control processes C.SUP.8 X X
Verification during construction
Independently verify overall A.VER.3 X A 400 Acceptance phase
design
401 No activities need to be performed by the independent
A 200 Engineering phase verifier at confidence level 0, in this phase.
201 No activities need to be performed by the independent 402 The following table describes the activities that shall be
verifier at confidence level 0, in this phase. performed by the independent verifier, depending on the con-
202 The following table describes the activities that shall be fidence level:
performed by the independent verifier, depending on the con-
fidence level: Table A5 Independent Verifier Confidence Level
Acceptance Phase activities Ref 1 2 3
Table A3 Independent Confidence Level Validation
Verifier Engineering Phase Ref 1 2 3 Perform independent validation & D.VAL.4 X
activities verification
Independently control processes D.SUP.9 X X
Verification
Perform independent selected B.VER.3 X X A 500 Operations phase
design reviews
Verify independently Technical B.VER.4 X
501 No activities need to be performed by the independent
Specification verifier at confidence level 0, in this phase.
Verify independently Design B.VER.5 X 502 The following table describes the activities that shall be
documents performed by the independent verifier, depending on the con-
Verify canonical data model B.VER.6 X X fidence level:
Reliability, Availability, Main-
tainability and Safety Table A6 Independent Verifier Confidence Level
Operations Phase activities Ref 1 2 3
Perform independent Criticality B.RAMS X
Analysis. .3 Validation
Supportive processes Perform independent validation & E.VAL.4 X
Independently control proc- B.SUP.8 X X verification
esses Independently control processes E.SUP.9 X X
CHAPTER 3
CONTENTS PAGE
Sec. 1 Introduction .............................................................................................................................. 37
Sec. 2 Information Requirements........................................................................................................ 38
Sec. 3 Approval and Assessment ........................................................................................................ 39
App. A Information Requirement Tables ............................................................................................. 41
SECTION 1
INTRODUCTION
A. General be included in the class notation. The list is not limitative, other
systems may be included.
A 100 General
101 This chapter provides the basis for DNV ISDS classifi- Table B2 System list
cation. System
102 A complete description of principles, procedures, appli- DP Dynamic Positioning System
cable class notations and technical basis for offshore classifi- ESD Emergency Shut Down System
cation is given by the offshore service specifications, see PCS Process Control System
Table A1. PMS Power Management System
CMS Conditioning Monitoring Systems
Table A1 Offshore Service Specifications
SPS Subsea Production System
Ident. No Title OTS Operator Training System
DNV-OSS-101 Rules for Classification of Offshore Drilling DS Drilling Systems
and
Support Units ST Steering
DNV-OSS-102 Rules for Classification of Floating Production, PROP Propulsion
Storage and Loading Units
B 300 Scope
301 The owner shall specify the systems in scope, prior to
reaching the first decision gate of the newbuilding or upgrade
B. Class Notation project.
B 100 General 302 The owner shall specify the confidence level, prior to
reaching the concept decision gate of the newbuilding or
101 Units built and tested in compliance with the require- upgrade project.
ments of this OS may be assigned one of the optional class
notations for integrated software-dependent systems shown in 303 The ISDS scope shall include the control functions for
Table B1. each system.
SECTION 2
INFORMATION REQUIREMENTS
SECTION 3
APPROVAL AND ASSESSMENT
the class notation may be assigned to the unit. 502 Every 5 years, the Society shall perform a renewal
assessment, reviewing responsible party activities and required
C 500 In operation assessment information. Important changes to the process or to the ISDS
501 Yearly, the Society shall perform an assessment focus- systems may require an early renewal assessment.
ing on maintenance and configuration management.
APPENDIX A
INFORMATION REQUIREMENT TABLES
A. Owner Information Requirements for each activity to be performed. Such outcomes are expected
by the latest before the end of the phase, and may be delivered
The following table presents the information requirements to DNV or reviewed onsite. Sufficient delay shall be provided
applicable to the owner role. At least one outcome is expected for performing the review and assessment.
Unit Z290 Unit/System design verification & validation report (by Owner rep- A 1 A.DES.2
System resentatives)
System Z040 System request for proposal (RfP): A 1 A.ACQ.1
Equipment - functional specifications,
- GSRs
System Z290 System concept presentation: A 2 A.VAL.1
- Simulations, A.VAL.2
- Prototypes.
- Minutes of System Concept Review Meeting.
Unit Z290 Minutes of meetings, E-mails and other relevant information A 1 A.SUP.9
System
Equipment
Software
B. Operator Information Requirements each activity to be performed. Such outcomes are expected by
the latest at the end of the phase, and may be delivered to DNV
The following table presents the information requirements or reviewed onsite.
applicable to the operator role. An outcome is expected for
C. System Integrator Information Requirements expected for each activity to be performed. Such outcomes are
expected by the latest at the end of the phase, and may be deliv-
The following table presents the information requirements ered to DNV or reviewed onsite.
applicable to the system integrator role. An outcome is
D. Supplier Information Requirements each activity to be performed. Such outcomes are expected by
the latest at the end of the phase, and may be delivered to DNV
The following table presents the information requirements or reviewed onsite.
applicable to the supplier role. An outcome is expected for