Safety Analysis of Operational Rules and Specifications

Kurzfassung

Since 2005 the Institute of Transportation Systems at DLR develops a method and a software tool for the examination of distributed technical systems, such as railway vehicles, with regard to the relation to safety of their elements. The starting point of the analysis is the output of the system, i.e. the actions performed which influence the environment, e.g. acceleration, braking or signaling. The tool helps to identify the safety-related signals generated by the various subsystems or components. Knowing the critical paths of information transmission, actions can be taken to reduce error-proneness. It can be analyzed to what extent the safety will improve when implementing appropriate products, such as signal relays, or adding redundant or fall-back elements or when changing the related safety levels. To bring the European Railways closer together and enable safe cross country rail traffic the European Train Control System (ETCS) has been developed as one technical component of the European Rail Traffic Management system (ERTMS). To run the ERTMS/ETCS in several countries, not only a common technology but also harmonized operational rules are needed. Hence, the national operational rules must be modified. After the modification of the operational rules it has to be verified that the rules allow safe rail traffic, are not in conflict with the existing rules and have been formulated unambiguously. As operational rules consist of instructions how to act, they are comparable to software and even to hardware logic, while the staff acting to the rules can be seen as systems performing actions and communication to each other, just like technical systems do. Therefore it seems plausible and possible to treat operational rules like software and hardware logic and use the same methods and tools for the analysis. A first approach to the analysis of operational rules shows, that it is possible to represent rules in a form that comprises all necessary information needed by the tool to perform the analysis. The output of the tool presents the components and information paths which are relevant to the safe operation of the system and where human involvement bears the risk of hazards. With this result it is possible to identify ways to support the staff in its task or even replace the staff by a more reliable electronic system. With those actions the system gets not only safer, but staff can be relieved from safety-related tasks or even deployed in other services. The knowledge about safety related and non-safety related tasks and information paths allows also using the most appropriate technology in system design and optimizing safety and life cycle costs. Tool and method allow also allocating various attributes to the elements. Therefore the systems information paths can also be analyzed regarding the characteristic of these paths, e.g. which kind of processors are involved in the generation of information or actions. The paper discusses the principles of the software tool developed by DLR, its application and potential future developments.