Method for the testing of safety-related software; pilot study

Project No. IFA 5124


completed 12/2012


Microprocessor systems are now commonly used throughout the world. Technical devices increasingly feature processors and microcontrollers (chips) of various sizes, and users are often not even aware that an item of equipment contains such a chip. With the growing trend towards the standardization of hardware, the emphasis is increasingly shifting towards the software. As the importance of software increases, however, so does that of software faults, i.e. faults introduced during programming that constitute de facto design faults. These are described as systematic faults. Where the problem only affects an item of consumer equipment, the consequences are often mild. Where safety equipment is affected, however, the consequences may be lethal. Microprocessors have become an accepted part of safety components and safety-related controls in industrial applications. As software becomes ever more extensive, however, who will be able to guarantee that it is free of faults? Besides careful planning and quality management of development, a further important element is the testing of software (verification and validation). These processes check the software for, among other things, its correctness, clarity/readability, ease of maintenance and freedom from contradictions. Merely reading through the lines of code is often no longer realistic, nor is merely testing the end product.


For several decades, the IFA has served as a test body for software-controlled safety and control equipment. In order to address the problem – also faced by manufacturers – of software testing, a survey of the latest literature was first required in order to determine the current state of scientific and technical progress, and to select methods suitable for use in the field. Support for university projects addressing software testing was also planned.


The survey conducted during the project identified the tools suitable for static software analysis and thus for testing of the software. It was found that the manufacturers of these tools claim that the majority of possible software errors are detected by inspecting the source code against programming guidelines (such as MISRA). They also promote the tools' ability to apply metrics (quality parameters) to the source code. The IFA's experience as a body for the testing of safety-related software has shown, however, that the observance of programming guidelines and metrics alone is not sufficient to assure safe software. Practical experience has also shown that manufacturers hardly ever apply formal specification languages, or use the checking these languages permit to verify that the programmed software complies with the requirements set out in the specification.

Taking the survey of static analysis tools into account, the IFA has procured such a tool.

Financed by:
  • Deutsche Gesetzliche Unfallversicherung e. V. (DGUV)
Research institution(s):
  • Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung (IFA)

-cross sectoral-

Type of hazard:

mechanical hazards


safety technology (engineering), equipment safety, accident prevention

Description, key words:

software errors, testing of safety-related software, safety-related controls