Safety assurance in rail signalling design.
In rail, the expectation for risk mitigation is exceptionally high.
A 500-tonne train travelling at 80kph across a public highway is a perilous proposition, yet we expect this operation to occur many times a day with no risk to either rail or road users.
How does the rail operator ensure that their systems are safe? Critically, what is ‘safe’?
First, they need to define what safe means for their railway and translate that into a specified minimum standard. Then they must satisfy themselves that the systems in use on their railway meet that standard.
In rail, SIL4 (Safety Integrity Level 4) is the commonly accepted standard for safety-critical products, with SIL4 offering the highest level of risk reduction.
There are arguments for lower SIL levels in safety applications (that is, lowered risk reduction in some circumstances could still be considered ‘safe’). However, the amount of due diligence required to prove this is considerable and could be considered in a future article.
Current practice mandates SIL4 for rail safety applications, and understandably so, think about the 500 tonnes travelling at 80kph towards a public highway. A risk reduction of 1,000,000 units (pick your poison) is, at the very least, comforting. It’s also theoretically achievable, so why would rail operators want anything less? Running a safe railway is their business and moral obligation.
Besides SIL4 certification, operators require compliance to their Type Approval requirements (not all of which are safety-related).
Type Approval is relatively straightforward. A process is followed, documentation is put in place, boxes are ticked, and (usually) after some confidence trialling, the product is approved for use on the rail operator’s network. However, the cornerstone of type approval of a safety product is the SIL4 certificate provided by the vendor.
So, does this mean that the signalling system is safe? – no, just the component products; the system is yet to be designed.
We all know the strength of a chain is determined by its weakest link.
However, simply buying SIL-certified components, integrating them according to grandfathered standards will likely not deliver the expected outcome. Additionally, contemplate elements that don’t have a SIL rating at all – for example, do you integrate in-service hardware from 1996?
If someone designs a circuit using SIL4 relays, is the functionality of the resulting circuit SIL4?
– It’s likely not.
Is it SIL anything?
– Um, SIL zero, SIL One?.
Is it safe?
– Well, it might be.
Hmm, is this the circuit protecting us from 500 tonnes travelling at 80 kph?
This chain is where the SIL4 product assurance and type approval flies out the window. The burden of safety assurance for the overall system falls firmly on the rail operator’s own determination of what is ‘safe’ and their processes to achieve that. This process is what I refer to as traditional signalling safety assurance.
Traditional signalling safety assurance involves layers of independent design review and testing carried out by experienced personnel who ‘know what to look for’.
This practice is generally supported by some engineering standards and signalling application principles. It is also reliant on the engineers involved having specific expertise with the technology in question. However, none of this results in a certified SIL level for the system (despite its SIL4 components) because the design doesn’t get assessed to that measure, just the rail operators own traditional signalling assurance process.
This process has, nevertheless, served the rail industry well over the last 40+ years. The odd wrong side (dangerous) outcomes, particularly those leading to a collision and/or loss of life, have been investigated, with learnings being disseminated to individuals who ‘know what to look for’.
Ok, let’s fast forward through those 40+ years and look at traditional signalling assurance in the modern world.
The foundation of traditional signalling safety assurance came about in the ’60s and ’70s—a process based initially on a system comprising of one technology; relays.
The introduction of CBI in the ’80s added a significant technology interface (relay-CBI) and a new specialist area of expertise, CBI technology.
The new interface challenged the incumbent traditional signalling assurance model with several CBI/relay interface wrong side issues taking those who ‘know what to look for’ by surprise. Further, this new technology meant that the product’s design into a signalling system was generally restricted to the technology vendor.
Modern system and component interfaces are far more complex than relay-relay and relay-CBI connections, and we’re no longer dealing with single-sourced vendor systems. Modern signalling systems often comprise of numerous integrated technologies. Critically, technology vendors don’t play nicely together. They don’t collaborate, and therefore they don’t have a great deal of understanding of the world outside of their product’s application.
We are now faced with isolated safety-critical technologies from multiple vendors that need to be joined together to form a safe system solution. This aspect is particularly prevalent with Commercial Off The Shelf (COTS) technologies which are commercially available building blocks.
For all the benefits of COTS, we need to be wary of ‘backyard’ solutions developed on an antiquated platform of assurance by people that don’t understand the inherent risks of doing so – we’re not designing relay circuits anymore.
The traditional signalling assurance process doesn’t work in a COTS environment. The sub-systems have become too complex, and the potential failure modes are not understood by those who ‘can no longer be expected to know what to look for’.
RCSA’s Approach to Signalling Safety Assurance
RCSA has been delivering signalling (yes, the traditional kind) for many years, but we have been developing COTS solutions over the past eight years. By doing so, we have had to rethink our engineering processes and, moreover, redefine our safety culture.
Our COTS team extends beyond signalling engineering, with systems integration and functional safety assurance expertise completing the capability.
Similarly, we’ve transformed our business systems and design tools to support certified safety systems’ development to a standard beyond compliance with our customer’s minimum requirements.
We recognise the need for safety assurance to keep pace with emerging technology. We’re meeting those needs by developing integrated solutions independently certified to internationally recognised CENELEC EN50126, EN50128, and EN50129 rail safety standards.
Such focus exceeds current Australian rail industry requirements, but it’s a bar we are happy to set. Furthermore, our solutions’ independent certification means our customers don’t have to carry this assurance obligation themselves so they can focus on their business objectives of running a safe and efficient railway.
RCSA is building the rail networks of the future, and we are embracing change to support that mission.
Please feel free to contact us to discuss our integrated solutions, our commitment to rail safety, and our passion for innovation.