Models Oriented Approach for Developing Railway Safety-Critical Systems with UML

Models Oriented Approach for Developing Railway Safety-Critical Systems with UML

Jean-Louis Boulanger (CERTIFER, France), Alban Rasse (MIPS, France) and Akram Idani (LIG / VASCO, France)
DOI: 10.4018/978-1-60566-731-7.ch019
OnDemand PDF Download:
No Current Special Offers


This chapter presents an approach for certified design of railway critical systems. This approach, which realizes the software development cycle, relies on metamodeling architecture and model-transformations. It combines semi-formal UML models and formal models in order to check, proof and generate code by refinement; we use the process algebra FSP to check the dynamic behavior and B to generate proved code. Initially, the authors select an UML subset, which could be uses to model the key aspects of critical systems. Then, from this subset, the authors perform projections to obtain B and FSP models which are exploited by tools for checking, refinement and proof.
Chapter Preview


The design of safety-critical software systems is a very difficult task, see Sanz Ricardo and Arzen, Karl-Eric Arzen (2003). Moreover, the failures of these systems can produce tragic material, environmental or human consequences. In this context, it is necessary to propose an approach, which allows to produce reliable software applications. With this aim, standards were proposed. The references standard are most often European (CENELEC reference system: EN 50126 CENELEC (2000), EN50129 CENELEC (2001) and EN50128 CENELEC (2003)), indeed International (CEI 61508 IEC (2000)).

The later one (applicable to all type of electrical/electronic/programmable safety-related system) is furthermore the founding one: many aspects of EN50126, EN50128 and EN50129 are railway applications of CEI61508 prescriptions. Figure 1 presents the link between the general standard CEI 61508 and the domain specific standard such as railways standard or the next automotive standard called ISO 26262.

Figure 1.

Link between CEI 61508 and specific norms


Figure 2 presents the scope and application areas of each of the CENELEC standards concerned with the development and certification of safety-critical application in railway sector. Facing the complexity of new systems, the RAMS (Reliability, Availability, Maintainability and Safety) requirements are an essential point in the project development of railway transportation systems.

Figure 2.

Scope and application areas of CENELEC Standards


As a particularly important example, systems known as safety critical are systems, which can in case of failure cause important damage to people and by extension to the goods or the environment. For this class of systems, it is necessary to perform analyses in order to demonstrate the absence of failures scenarios, whatever are the causes of elementary faults involved in these scenarios (physical, environment, development, interaction, ...), which could lead to this kind of consequences. Not all systems share the same criticality level; there are scales, which make it possible to define levels, which are associated to safety targets. In the field of the complex electronic and/or programmed systems, CEI standard 61508 (IEC (2000)) defines the concept of SIL (Safety Integrity Level).

The SIL makes it possible to quantify (See table 1) the safety level of a system and consequently to evaluate criticality. It can take the following values 0 (system without impact on the safety of people), 1 (system which can cause light wounds), 2 (system which can cause serious wounds), 3 (system which can cause the death of a person: individual accident) and 4 (system which can cause the death of a whole of people: collective accident). Design of SIL 3 or 4 systems (that one finds in many fields related for example to transport, energy production, as in many sectors of industrial production) is subjected to the respect of technical reference frames.

Table 1.
Link between THR (tolerable hazard rate) and SIL (safety integrity level)
Probability of failure (by hour) THRSIL
10-9 <= ... <10-84
10-8 <= ... < 10-73
10-7 <= ... <10-62
10-6 <= ... <10-51

Key Terms in this Chapter

RAMS: Reliability, Availability, Maintainability and Safety

SIL: Safety Integrated Level

Formal method: Formal methods are particular kind of mathematically-based techniques for the specification, development and verification of software and hardware systems.

Metamodel: A metamodel is a representation (a model) of a modeling language; it formalizes the aspects and the concepts used by a modeling language, and models the domain in question.

Safety: is the state of being “safe”, the condition of being protected against physical, financial, environmental or other types or consequences of failure, damage, error, accidents, harm or any other event which could be considered non-desirable.

MDA: Model Driven Architecture

Certification: Certification refers to the confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review or assessment.

UML2: Unified Modeling Language

Complete Chapter List

Search this Book: