Modular train control system for rolling stock and wayside applications up to SIL 4.
For embedded systems designers involved with safety-critical applications, the harsh reality is that there is no “margin for error”, no allowance for “tweaking” improvements on the fly and no time for addressing unanticipated problems with “Version 2.0.”
Component failure, human error and system upsets are all potential contributors to unacceptably dangerous outcomes in truly safety-critical applications for nuclear, avionic, railway or medical embedded control systems. In addition to the complexity of the actual computing functions, there are also considerations related to reliability, redundancy and fail-safe/fail-operational functions.
More than just a product – a process
The ultimate goal of a safety-critical design involves more than just delivering an end product. It includes establishing a methodical, verified and documented series of processes to span the full scope of product development and implementation. The whole process includes the choice of the system development model, the choice of the hardware architecture, definition of the redundancy architecture, the component selection, system implementation and testing – all that in accordance with the applicable market norms. Whether a board or system must be fail-safe/silent or fail-operational, the key consideration is to minimize failure situations with respect to the applicable safety level and to make those failures strictly calculable.
Open standard hardware – longevity
The use of general purpose hardware and software platforms opens the necessary interfaces to the standardized control electronics to the end user, and therefore full control over their own application. In addition to the advantage of independency from a single supplier, the second-most important benefit affects the obsolescence management. Using open systems, where control electronics and application remain separated, a single standard component becoming obsolete can be replaced with a minimum effort and without endangering the functionality of the end application.