Sandeep Patalay (1)
CMC Americas, Inc., Pittsburgh, PA, 15220

A railway signalling system is a safety-critical system that controls rail traffic, including train routes, shunting moves and the movements of all other railway vehicles, in accordance with the railway rules, regulations and technological processes required for the operation of the railway. The overall signalling system consists of microprocessor-based wayside controllers, on-board systems controlling the railway vehicle, and supervision systems that monitor vehicle movements from a centralized location. The complex nature of railway signalling rules and the differing operational practices adopted by railroads make the software development of these systems a difficult task, and the complexity of the software poses an even more challenging task during Independent Verification and Validation (IV&V) of the system. The CENELEC set of standards is widely accepted as the governing standard for the design, development and IV&V of railway signalling systems. This paper describes the challenges faced during the different phases of IV&V of safety-critical railway signalling software, which are unique compared to other domains.
Nomenclature
IV&V = Independent Verification and Validation
ATP = Automatic Train Protection
On-Board = Embedded systems used on the Train
CENELEC = European standards for Railway Signalling
I. Introduction
IV&V is the most important phase of any safety-critical system life cycle. The result of this phase decides the final outcome of the project and whether the product is fit for use. The IV&V of safety-critical software for railway signalling applications faces many challenges because of the complexity of the systems and the variations they have depending on the geography and environment in which they must operate. This paper focuses on the experiences and challenges during the different phases of IV&V in a railway signalling project. The following areas are discussed:
1) Systematic Problems
2) Challenges during Software Analysis
3) Challenges during System Integration and Field Validation Testing
4) Challenges during Test Result Analysis
(1) Senior Systems Engineer, Embedded Systems Group, CMC Americas, Inc., sandeep.patalay@cmc-americas.com.
American Institute of Aeronautics and Astronautics
7) Since the software and hardware are so complex, a complete test of the system is not possible, and most of the faults are revealed at the field installation stage or during normal operation of the system in the field.
8) The software is often changed for every geographical location, which results in location-specific code. When the software structure is not in a generic form, it becomes difficult for the test engineer to develop test cases for every possible scenario.
9) The lack of standardization in railway working principles results in incomplete test cases, as test engineers are not well versed with all types of railroads.
10) The increasing complexity of the software makes testing harder; since most railway systems are sequential machines, they are error prone and very difficult to test.
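The point above that railway signalling software consists of sequential machines whose state space cannot be covered by hand-written test cases can be made concrete with an exhaustive reachability check. The following is an added illustration, not code from the paper or from CMC Americas; it models a constructed toy interlocking (one signal S1, one set of points P1, one track section T1, all assumed for this example) and searches every reachable state for a violation of the safety invariant, with a flag that enables or omits signal replacement when the track section becomes occupied.

```python
from collections import deque

# Constructed toy interlocking (an assumption for illustration, not the paper's
# system): signal S1 reads over points P1 onto track section T1.
# State tuple: (signal aspect, points position, points locked, T1 occupied)
INITIAL = ("stop", "normal", False, False)
EVENTS = ("set_route", "cancel_route", "swing_points", "train_enters", "train_leaves")


def step(state, event, replace_on_occupation=True):
    """One transition of the sequential machine; returns the successor state."""
    sig, pts, locked, occ = state
    if event == "set_route":      # operator calls the route: needs P1 normal and T1 clear
        return ("proceed", pts, True, occ) if pts == "normal" and not occ else state
    if event == "cancel_route":   # signal returns to stop and the route lock is released
        return ("stop", pts, False, occ)
    if event == "swing_points":   # maintainer moves P1; refused while route-locked
        other = "reverse" if pts == "normal" else "normal"
        return state if locked else (sig, other, locked, occ)
    if event == "train_enters":   # track circuit drops; signal should be replaced to stop
        return ("stop" if replace_on_occupation else sig, pts, locked, True)
    if event == "train_leaves":
        return (sig, pts, locked, False)
    raise ValueError(event)


def unsafe(state):
    """Safety invariant: proceed only while P1 is locked normal and T1 is clear."""
    sig, pts, locked, occ = state
    return sig == "proceed" and not (locked and pts == "normal" and not occ)


def explore(replace_on_occupation=True):
    """Breadth-first search over every reachable state. Returns the number of
    reachable states and the event trace to the first unsafe state (or None)."""
    seen = {INITIAL: []}
    queue = deque([INITIAL])
    witness = None
    while queue:
        state = queue.popleft()
        for ev in EVENTS:
            nxt = step(state, ev, replace_on_occupation)
            if nxt not in seen:
                seen[nxt] = seen[state] + [ev]
                queue.append(nxt)
                if witness is None and unsafe(nxt):
                    witness = seen[nxt]
    return len(seen), witness


if __name__ == "__main__":
    print(explore(replace_on_occupation=True))   # (7, None)
    print(explore(replace_on_occupation=False))  # (6, ['set_route', 'train_enters'])
```

Even this four-variable model has seven reachable states and twenty-five transitions to cover; a real interlocking with dozens of routes, points and track circuits is why the text observes that complete testing is not possible and why a search over the model, rather than a hand-picked scenario, is what exposes the missing replacement-to-stop.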
VI. Conclusion
Railway signalling is a very specialized and unique area where a high level of planning is required for all phases of the project life cycle, especially for the IV&V of safety-critical software. Poor planning at the start of the project usually results in cost overruns and delays. In our experience with railway signalling projects, a limited budget and time are generally allocated to the IV&V phase, which in reality takes the majority of the project budget. If the IV&V phase is planned well in advance and sufficient managerial responsibility is assigned specifically for this task, projects can be completed on time and with better results, which in turn makes the job of the safety assessor easier. We suggest the following mitigation measures to ensure a successful IV&V of railway signalling systems:
1) Care should be taken to recruit test engineers who have at least a basic knowledge of railway signalling and associated systems.
2) If the test engineers are new recruits, they should be put through rigorous training before being assigned critical tasks such as writing test procedures and analyzing the test data logs.
3) Regular training sessions should be conducted for the test engineers on the project to impart in-depth knowledge of the system.
4) Encourage test engineers to be innovative in their testing methods instead of just following the regular patterns; this way more errors in the system are revealed that often go undetected with traditional test methods.
5) Create an environment where test engineers regularly interact with the design team to share each other's experiences and concerns.
6) Create a dedicated managerial team to monitor all the test activities occurring at different sites and coordinate them. Better coordination between the lab and field test teams leads to better analysis of the system.
7) Never follow the approach of parallel testing activities; for example, the system integration tests should never be planned in parallel with the unit tests.
Acknowledgments
The author would like to express his gratitude to Stephen A. Jacklin from the NASA Ames Research Center for his encouragement to take up this study and present his experiences with IV&V in the railway signalling domain.