Models Oriented Approach for Developing Railway Safety-Critical Systems with UML

Introduction

The design of safety-critical software systems is a very difficult task, see Sanz Ricardo and Arzen, Karl-Eric Arzen (2003). Moreover, the failures of these systems can produce tragic material, environmental or human consequences. In this context, it is necessary to propose an approach, which allows to produce reliable software applications. With this aim, standards were proposed. The references standard are most often European (CENELEC reference system: EN 50126 CENELEC (2000), EN50129 CENELEC (2001) and EN50128 CENELEC (2003)), indeed International (CEI 61508 IEC (2000)).

The later one (applicable to all type of electrical/electronic/programmable safety-related system) is furthermore the founding one: many aspects of EN50126, EN50128 and EN50129 are railway applications of CEI61508 prescriptions. Figure 1 presents the link between the general standard CEI 61508 and the domain specific standard such as railways standard or the next automotive standard called ISO 26262.

Figure 1.

Link between CEI 61508 and specific norms

Figure 2 presents the scope and application areas of each of the CENELEC standards concerned with the development and certification of safety-critical application in railway sector. Facing the complexity of new systems, the RAMS (Reliability, Availability, Maintainability and Safety) requirements are an essential point in the project development of railway transportation systems.

Figure 2.

Scope and application areas of CENELEC Standards

As a particularly important example, systems known as safety critical are systems, which can in case of failure cause important damage to people and by extension to the goods or the environment. For this class of systems, it is necessary to perform analyses in order to demonstrate the absence of failures scenarios, whatever are the causes of elementary faults involved in these scenarios (physical, environment, development, interaction, ...), which could lead to this kind of consequences. Not all systems share the same criticality level; there are scales, which make it possible to define levels, which are associated to safety targets. In the field of the complex electronic and/or programmed systems, CEI standard 61508 (IEC (2000)) defines the concept of SIL (Safety Integrity Level).

The SIL makes it possible to quantify (See table 1) the safety level of a system and consequently to evaluate criticality. It can take the following values 0 (system without impact on the safety of people), 1 (system which can cause light wounds), 2 (system which can cause serious wounds), 3 (system which can cause the death of a person: individual accident) and 4 (system which can cause the death of a whole of people: collective accident). Design of SIL 3 or 4 systems (that one finds in many fields related for example to transport, energy production, as in many sectors of industrial production) is subjected to the respect of technical reference frames.