Another busy morning in the office, coffee poured, all set for the day ahead.
An email arrives asking for sign-off to authorize a new release of a safety-critical electronic control board on an in-service train. I could do the sign-off in the blink of an eye, but am I fully aware of exactly what I am signing?
It raises some ethical questions that engineers in a safety industry encounter frequently. What makes us believe that the design we have is safe enough for public use? Furthermore, how could we reach a reassuring level of confidence that our design is safe and effective, or indeed that it is even ready to leave the door of our development department?
In this blog I will look at a couple of thoughts which might provide further ideas on how to reach such decisions in the railway industry.
#1 – Application of the Cone of Uncertainty for the Railway RAMS processes
The Cone of Uncertainty is a well-known concept among project managers. It describes the fact that estimates mature over time: their precision and tolerances improve as projects advance.
The new revision of the railway Reliability, Availability, Maintainability and Safety (RAMS) standard, EN 50126-1:2017, together with EN 50129:2003 and EN 50128:2011, also provides fundamental principles for safety and quality professionals working on railway software and hardware engineering.
One of the key principles is the phase model for the RAMS lifecycle, which is elaborated in EN 50126-1:2017 Chapter 7. Applying the Cone of Uncertainty concept to the railway RAMS lifecycle, however, is a rare find. Merging these two pieces together could help us understand, and assess more precisely, how the maturity of safety and the other RAMS characteristics evolves over time.
Safety characteristics evolve gradually. They should be well established in the Concept phase and should gain further granularity and detail as projects advance. The diagram above indicates the level of uncertainty involved in assessing the potential safety maturity of the design in any early phase of the RAMS lifecycle. Commercialization sometimes demands otherwise, and asking for a release of the safety design before the RAMS System Acceptance phase is a good idea. This diagram could also help in assessing, and accounting for, the level of uncertainty involved in decisions to release a safety-critical embedded system in the railway domain.
In our next post we will look at further aspects of assessing the safety and quality maturity of railway embedded control electronics (including software, hardware, tooling and housing) based on the following standards:
· EN 50128:2011, Railway applications – Communication, signalling and processing systems – Software for railway control and protection systems.
· EN 50129:2003, Railway applications – Communication, signalling and processing systems – Safety related electronic systems for signalling.
By Szabolcs Agai – Functional Safety Consultant