1. Field of the Invention
The invention relates to railway control critical or vital systems. More particularly, the present invention relates to control systems in railway critical or vital application systems with low hazard rates, as is needed in the railway industry. Railway vital application systems (“vital systems”) include by way of non-limiting example train management systems, onboard units for automatic intervention if a train exceeds safeguarded speed limits, data recorders that record operational information, train speed and position determination equipment, brake and throttle control, sub-system status and diagnostics, wireless data communications exchanged between trackside/landside and train side (e.g., via wireless radio communications) and train crew communications. As used herein, the term “train” is a locomotive alone, a locomotive with cars, or an integrated locomotive/car vehicle (e.g., light rail or subway).
2. Description of the Prior Art
Railway trains are equipped with critical or vital systems that are required to have high availability and low hazard rates (a “hazard” is commonly understood as a “physical situation with a potential for human injury and/or damage to environment” (IEC 62278)). Railway operators and governmental regulators often require a hazard rate of no more than 10^-9 per operational hour for a vital function (i.e., about one hazard per 114 thousand years of operation). Critical or vital systems are typically operated with electronic control systems. Over time those systems are gravitating to processor or controller operated digital electronic systems that communicate with each other over one or more communications data buses.
In order to meet railway safety objectives, control system hardware is often of proprietary dedicated design with documented testing and validation. Digital electronic controller operating systems and application software are also validated. Electronic data communications utilize validated security codes for data integrity checks, such as hash codes or cryptographic attachments, in order to assure data integrity upon transmission between the systems. Validation processes require time and expense. Given the relatively limited demand and sales volume of railway vital systems, as compared to demand for general commercial and consumer electronics (e.g., personal computer hardware, software and operating systems), the railway vital systems controllers and related equipment are expensive to manufacture and have longer product lifecycles than those sold in the general electronics applications fields.
However, consumer and commercial personal computers (PCs) cannot be directly substituted for existing railway vital systems control systems. PCs often only have a data failure rate of no more than 10 per operational hour, which is insufficient to meet railway systems' required hazard rates of no more than 10^-9 per operational hour. Additionally, PC commercial operating system software is not validated for use in railway vital systems.
There is a need in the railway industry to replace railway-domain specific proprietary design vital system control system hardware and operating system software with more readily available general purpose commercial off the shelf (“COTS”) products, where feasible. Substitution of COTS subsystems for railway-domain specific proprietary design subsystems potentially can simplify overall system design, shorten system design cycles, and allow the railway vital system prime supplier to focus its efforts on overall system application and integration issues, where it has greater expertise than general consumer or COTS electronics sub-vendors.
There is also a need in the railway industry to reduce vital system control system procurement costs and increase the number of qualified sub-vendors by substituting COTS products for railway-domain specific products, when validation of the substitutes is cost effective. The railway customer and vital system prime supplier may also benefit from outsourcing design and manufacture of subsystem components to sub-vendors who may have broader design expertise for their respective commercial components.
There is an additional need in the railway industry to streamline vital system procurement timelines by simplifying and aggregating validation procedures. For example, if commercial off-the-shelf (COTS) control system hardware and software components already meet recognized and documented reliability validation standards, there may be no need to revalidate those same products for railway critical system applications. Rather, the vital system validation may be consolidated and simplified by a general system validation process that includes contributions of already validated commercial off-the-shelf products, thereby streamlining procurement timelines and processes.