An Approach to Dependable Architectures and Components for Railways
by Andrea Bondavalli, Felicita Di Giandomenico and Luca Simoncini
Scientists at ISTI-CNR study methodologies and techniques to improve the definition and development of systems for railway applications. The envisaged solutions must guarantee the dependability and real-time requirements imposed by the application field while at the same time addressing the needs both of the market and of the technology.
Automatic systems for railway applications have traditionally been developed starting from proprietary architectures, in which the processors and memories were assembled from ad hoc components, while the electronic components have generally been developed independently. A feature of this approach is that the components are designed as a function of the overall system structure; this has both positive and negative aspects.
Advantages are that:
- the design and implementation of ad hoc components facilitates validation of the system
- the entire system is under the designer's control and no individual part is protected by third-party intellectual property rights; again this facilitates validation and procurement, which are mandatory for safety-critical systems
- system redesign and updating is not dependent on third parties.
On the other hand:
- components and implementation technologies change and evolve very quickly; this means that some may be obsolete by the time that the design stage is completed and the system is ready for operation
- the operational life of the system tends to be extended which means that component upgrading may be required
- the strict dependence between system and components (through the design) means that it may be difficult to adapt the system to different contexts or to interface it with other systems, i.e., re-configuration may be very difficult if not impossible
- systems with even slightly different requirements and specifications cannot reuse existing components; this means that new systems generally require a complete redesign, and experience gained when operating previous systems cannot be exploited
- any new system or major revision needs to be revalidated from scratch (ex novo).
Another major issue is the need to reduce both commissioning time and development and operational costs. This makes the use of COTS (components off-the-shelf) an increasingly popular choice.
It is clear from the above scenario that a strategic R&D activity aimed at the definition, prototyping, partial verification and validation of a generic, safety-critical and real-time architecture for railway systems is needed.
Such an activity should be able:
- to reduce design and development costs
- to reduce the number of components used by the subsystems
- to simplify the product evolution process and reduce associated costs
- to simplify product validation (and certification) through an incremental approach based on reuse
- to make the design of safety-critical parts more flexible.
The resulting architecture should have the following characteristics:
- use generic components (possibly COTS) which can be replaced when necessary without the need for system redesign or revalidation
- reliability/availability and safety properties must be associated with the overall architecture rather than only with intrinsic properties of its components, so that techniques for error detection, diagnosis and error recovery are as far as possible independent from specific hardware or software components
- openness of the system, so that it can interface and communicate with other systems through different communication systems (e.g. GSM-R, radio, ISDN, etc.)
- adoption of a hierarchical approach for functional and non-functional properties, to facilitate validation
- strict conformance with railway standards, in particular CENELEC EN 50126, 50128, 50129, 50159-1 and 50159-2.
For this reason, we are currently investigating architectures/component solutions able to satisfy the dependability and real-time requirements imposed by the high criticality of the application field while also addressing the market and technology demands.
In recent years, the Esprit Project GUARDS 'Generic Upgradable Architecture for Real-time Dependable Systems', which studied the development of methods, techniques, and tools to support the design, implementation and validation of safety-critical real-time systems, has already investigated a number of these issues. This project involved major industries from the space, nuclear and railways sectors. A careful specification of the needs of industrial end-users was used by the academic partners to identify and define suitable safety-critical mechanisms and architectures; these were then implemented with the support of the expertise and tools of the technology providers.
Within the GUARDS project, a series of R&D activities were performed, spanning from the definition of components/mechanisms for fault tolerance to the set-up of a multi-technique validation framework and the development of architectural instances appropriate for different application fields. However, more extensive research is needed today to properly account for current technological competitiveness and other emerging challenges, such as integration and interoperability. The world market for railway systems shows a strong growth trend, both at national and international levels, because of the need to optimise urban and suburban transport, to modernise existing railway systems, to develop high-speed trains and to render European transport networks interoperable. In the next ten years, the European railway market plans to construct 12,500 km of high-speed lines. In addition, 16,500 km of existing lines will have to be upgraded. The expected investment is in the range of 24 billion Euro.
Andrea Bondavalli, ISTI-CNR
Tel: +39 050 315 3068