1. Field of the Invention
The invention relates to railway control safety critical systems. More particularly, the present invention relates to control systems in railway safety critical application systems with the low hazard rates that the railway industry requires. Railway safety critical application systems (“safety critical systems”) include, by way of non-limiting example, train management systems, back office servers, onboard units for automatic intervention if a train exceeds safeguarded speed limits, data recorders that record operational information, train speed and position determination equipment, brake and throttle control, sub-system status and diagnostics, wireless data communications exchanged between trackside/landside and train side (e.g., via wireless radio communications) and train crew communications. As used herein, the term “train” means a locomotive alone, a locomotive with cars, or an integrated locomotive/car vehicle (e.g., light rail or subway).
2. Description of the Prior Art
Railway trains are equipped with safety critical systems that are required to have high availability and low hazard rates (a “hazard” is commonly understood as a “physical situation with a potential for human injury and/or damage to environment” (IEC 62278)). Railway operators and governmental regulators often require exceedingly low hazard rates that satisfy their high demand for operational safety. Safety critical systems are typically operated with electronic control systems. Over time those systems are gravitating to processor- or controller-operated digital electronic systems that communicate with each other over one or more communications data buses.
In order to meet railway safety objectives, control system hardware is often of proprietary dedicated design with documented testing and validation. Digital electronic controller operating systems and application software are also validated. Electronic data communications utilize validated security codes for data integrity checks, such as hash codes or cryptographic attachments, in order to assure data integrity upon transmission between the systems. Validation processes require time and expense. Given the relatively limited demand and sales volume of railway safety critical systems, as compared to demand for general commercial and consumer electronics (e.g., personal computer hardware, software and operating systems), the railway safety critical systems controllers and related equipment are expensive to manufacture and have longer product lifecycles than those sold in the general electronics applications fields.
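The preceding paragraph mentions that communications between safety critical subsystems carry validated security codes, such as hash codes or cryptographic attachments, so that corruption in transit is detected on receipt. The following is an added illustration, not code from the patent or from any railway supplier's product: it frames a constructed speed-limit message with an unkeyed SHA-256 hash code and, separately, with a keyed HMAC-SHA256 attachment, and shows that the receiver rejects a frame whose payload has been altered. The message layout, the shared key and the message values are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Hypothetical shared key provisioned to both the trackside unit and the
# onboard unit. Constructed for this example; not a real key.
SHARED_KEY = b"example-train-control-key-not-for-production"

TAG_LEN = 32  # SHA-256 digest / HMAC-SHA256 tag length in bytes


def encode_speed_limit_message(seq: int, speed_limit_kmh: int) -> bytes:
    """Pack a constructed 'speed limit' message: a 4-byte sequence number
    followed by a 2-byte speed limit, big-endian. This layout is an
    assumption for the example, not a standard railway message format."""
    return struct.pack(">IH", seq, speed_limit_kmh)


def attach_hash(payload: bytes) -> bytes:
    """Append an unkeyed SHA-256 digest (a plain 'hash code').
    This detects accidental corruption of the payload in transit."""
    return payload + hashlib.sha256(payload).digest()


def verify_hash(frame: bytes) -> bool:
    """Recompute the digest over the received payload and compare it with
    the attached one. compare_digest avoids timing-dependent comparison."""
    if len(frame) < TAG_LEN:
        return False
    payload, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), digest)


def attach_mac(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append a keyed HMAC-SHA256 tag (a 'cryptographic attachment').
    Only a holder of the shared key can produce a tag that verifies."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac(frame: bytes, key: bytes = SHARED_KEY) -> bool:
    """Check the HMAC tag on a received frame."""
    if len(frame) < TAG_LEN:
        return False
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def decode_if_valid(frame: bytes, key: bytes = SHARED_KEY) -> Optional[Tuple[int, int]]:
    """Receiver-side entry point: return (seq, speed_limit_kmh) only when the
    MAC verifies; otherwise return None so the caller treats the frame as
    unusable rather than acting on an unverified speed limit."""
    if not verify_mac(frame, key):
        return None
    seq, speed_limit_kmh = struct.unpack(">IH", frame[:-TAG_LEN])
    return seq, speed_limit_kmh


def flip_bit(frame: bytes, byte_index: int) -> bytes:
    """Simulate a single-bit transmission error at the given byte offset."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    # Constructed sample exchange: trackside sends seq 7, limit 80 km/h.
    payload = encode_speed_limit_message(seq=7, speed_limit_kmh=80)
    frame = attach_mac(payload)
    print("intact frame decodes to:", decode_if_valid(frame))
    # A bit error in the speed field is caught before the value is used.
    print("damaged frame decodes to:", decode_if_valid(flip_bit(frame, 5)))
```

The unkeyed hash is enough to catch random channel errors, but any party able to write to the bus can recompute it to match a changed payload, which is why the keyed attachment is the one the receiver bases its decision on; the validation effort described in the text applies to the code generation and checking logic on both ends, not just to the algorithm.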
However, consumer and commercial personal computers (PC's) cannot be directly substituted for existing railway safety critical systems control systems. PC's often only have a data failure rate of no more than 10⁻⁴ per operational hour, which is insufficient to meet required railway system hazard rates. Additionally, PC commercial operating system software is not validated for use in railway safety critical systems.
There is a need in the railway industry to replace railway-domain specific proprietary design safety critical system control system hardware and operating system software with more readily available general purpose commercial off the shelf (“COTS”) products, where feasible. Substitution of COTS subsystems for railway-domain specific proprietary design subsystems potentially can simplify overall system design, shorten system design cycles, and allow the railway safety critical system prime supplier to focus its efforts on overall system application and integration issues, where it has greater expertise than general consumer or COTS electronics sub-vendors.
There is also a need in the railway industry to reduce safety critical system control system procurement costs and increase the number of qualified sub-vendors by substituting COTS products for railway-domain specific products, when validation of the substitutes is cost effective. The railway customer and safety critical system prime supplier may also benefit from outsourcing design and manufacture of subsystem components to sub-vendors who may have broader design expertise for their respective commercial components.
There is an additional need in the railway industry to streamline safety critical system procurement timelines by simplifying and aggregating validation procedures. For example, if commercial off-the-shelf (COTS) control system hardware and software components already meet recognized and documented reliability validation standards, there may be no need to revalidate those same products for railway critical system applications. Rather, the safety critical system validation may be consolidated and simplified by a general system validation process that includes the contributions of already validated commercial off-the-shelf products, thereby streamlining procurement timelines and processes.