The New York City Transit (NYCT) Signal Modernization Program has been ongoing since the mid-1990s. The current phase of modernization involves the procurement of Solid State Interlocking (SSI) systems that are designed to replace relay-based interlockings. SSI procurement has necessitated significant adjustments to NYCT’s system deployment processes, most notably in the areas of design, implementation, test, maintenance, and safety certification. NYCT has successfully met the challenge of applying the updated deployment processes to multiple, concurrent system procurements. The most fundamental change to the NYCT procurement approach required a shift from the traditional design-build model of acquisition for relay-based systems to a software-based development lifecycle for SSIs. The relay-based interlocking systems’ design-build model has traditionally involved the realization of complex relay logic with well-known hardware components such as relays, trip-stops, signals and switch machines. The SSI systems’ software model, however, requires additional consideration of the software and hardware development phases designated in the V-lifecycle. V-model phases include requirements, design, implementation, and test. For SSI systems, NYCT adopted a “double” V-lifecycle approach: one V for the supplier’s SSI hardware and software (executive) platform, and one V for the SSI application (site-specific field) logic. At NYCT, the first V is dedicated to the suppliers’ executive platform. Hardware and software comprising the supplier platform are verified to meet safety and performance requirements. Safety analyses such as Fault Tree Analysis, Failure Modes and Effects Analysis, Timing Analysis, and Hazard Analysis are generated by SSI suppliers. System safety concepts, e.g., Numerical Assurance, Checked Redundancy, and Intrinsic Fail-Safety, are also assessed.
NYCT’s second V is dedicated to the application software, i.e., the site-specific relay-based logic, which is implemented as Boolean logic within the SSI. For this Boolean logic, the process of traditional circuit checking is supplemented by Model Checking, wherein NYCT General Safety Properties are used to verify the site-specific logic. Model Checking provides assurance that safety properties are met throughout the entire interlocking design, for every reachable system state, and does not rely on a manual review process. This paper will focus on the benefits NYCT has realized as a result of adopting Model Checking as a requirement for safety certification, along with an overview of the NYCT SSI safety certification process.
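The paragraph above describes checking site-specific Boolean interlocking logic against general safety properties for every reachable state. The following is an added illustration, not NYCT’s or any supplier’s logic: a constructed one-switch, two-signal interlocking expressed as Boolean next-state functions, an exhaustive reachability checker that reports the first property violation with its path, and a `check_sw_for_b` flag (hypothetical) that reproduces a design error in which signal B’s logic omits the switch-position term.

```python
from collections import deque
from itertools import product

# Constructed toy interlocking (hypothetical, not NYCT site logic):
# one switch, signal A over the normal route, signal B over the reverse route,
# one track section.  State: (sw_reverse, sig_a_clear, sig_b_clear, occupied)
# Input per step: (req_a, req_b, req_throw, train_present)
def site_logic(state, inp, check_sw_for_b=True):
    sw, a, b, occ = state
    req_a, req_b, req_throw, train = inp
    # The switch may move only when no signal is cleared over it and the section is clear.
    new_sw = (not sw) if (req_throw and not a and not b and not occ) else sw
    # Signal A: switch normal, opposing route not cleared, section clear.
    new_a = req_a and not new_sw and not b and not occ
    # Signal B: switch reverse (the term a mis-designed circuit omits when
    # check_sw_for_b is False), opposing route not cleared, section clear.
    new_b = req_b and (new_sw or not check_sw_for_b) and not a and not occ
    return (new_sw, new_a, new_b, train)

# General safety properties: three state invariants and one transition property.
def violated(prev, cur):
    sw, a, b, occ = cur
    if a and b:
        return "conflicting signals A and B both cleared"
    if a and sw:
        return "signal A cleared with switch reverse"
    if b and not sw:
        return "signal B cleared with switch normal"
    if (prev[1] or prev[2]) and prev[0] != sw:
        return "switch moved under a cleared signal"
    return None

def model_check(logic):
    """Breadth-first exploration of every reachable state under every input.
    Returns None if all properties hold, else (reason, counterexample path)."""
    init = (False, False, False, False)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for inp in product((False, True), repeat=4):
            nxt = logic(s, inp)
            reason = violated(s, nxt)
            if reason:
                path, p = [nxt], s
                while p is not None:          # rebuild the path from the initial state
                    path.append(p)
                    p = parent[p]
                return reason, path[::-1]
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return None
```

Because the state space is finite and fully enumerated, a `None` result is a proof over every state, which is the assurance a manual circuit check cannot give.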
The concept of operations for NYCT systems is changing as a result of Automatic Train Supervision (ATS), Communications-Based Train Control (CBTC), and Solid State Interlocking (SSI) deployment. Train dispatchers are dealing with a higher degree of automation with ATS systems, and similarly, train operators are adjusting to a split between automated and manual processes with CBTC systems. The emerging CBTC and SSI systems are increasingly based on Information Technology (IT) infrastructure and digital control. While CBTC is increasing the overall safety of the signaling system, it is also increasing system complexity, especially from an analysis point of view. These issues are addressed at NYCT by the implementation of DoDAF, which is the U.S. Department of Defense Architecture Framework, an Enterprise Architecture framework. This paper discusses VSI’s application of DoDAF with a focus on the safety certification mission. It begins with an overview of DoDAF, followed by a description of Views and Product-models, the building blocks of DoDAF. Each section presents a high-level description of each View, along with exemplary Product-model descriptions, 1 or 2 per View. In addition, two system capability requirements, Safe Train Separation and Control Speed to Restriction Limits, are examined and mapped throughout the model.
How could the safety of a system be proven? Is it possible to apply the rigor of mathematical proofs to large, complex software systems? This paper addresses these questions through a presentation of the use of the Event-B [1] language to prove the safety of the New York City Transit (NYCT) Communications-Based Train Control (CBTC) systems.
For over a decade, the benefits of Formal Methods software system development techniques have been realized in safety-critical applications in a variety of industries, such as aerospace, aviation, and of course rail transit. Many of these Formal Methods techniques have focused on the development of new systems. In new system development, Formal Methods provide assurance of error-free specification, design, and software code implementation, often via automated code generators. Legacy systems have been largely excluded from the Formal Methods field, due to a perception that their use would entail costly re-engineering, require specialized knowledge, and necessitate a steep learning curve. However, Formal Methods may be used for Verification and Validation (V&V) of legacy systems without the costly risk factors enumerated above. A description of the methodologies used is provided, including a description of how the process is tailored to new acquisitions and deployments of legacy systems. The modeling was fully integrated in the rail property and contractor development processes. As each design phase progressed, the formal methods process provided an increased level of confidence with regard to safety assurance and the correctness of the system design. This was achieved by generating formal proofs for each safety-critical function, and by refining these formal proofs into progressively lower-level elements. These proofs then provided criteria for design reviews, code reviews, and test scenarios. The benefits of obtaining formal, that is, mathematical, formula-based, proofs of system design and consistency are indisputable. The criteria for evaluation are objective and thorough. One need not rely on the adequacy of peer reviews and manually generated test cases. Formal Methods V&V is therefore a cost-effective process that provides proof of correctness early in the system development lifecycle.
Fault Tree Analysis (FTA) is one of the key safety evaluation techniques used by New York City Transit (NYCT). First developed over 50 years ago, this technique continues to provide valuable insight for failure analysis of systems. Its use is widespread in safety-critical systems analysis across industry boundaries, including the defense, nuclear, aerospace, chemical [1], and transportation industries. FTA provides a systematic, top-down methodology for safety analysis. As such, it complements other safety analysis techniques, such as Failure Modes and Effects Analysis (FMEA), which is a bottom-up failure analysis [2]. Formal Methods analyses, including Theorem Proving and Model Checking, are powerful development and analysis methodologies, both used by NYCT, that provide assurance of a product’s correctness and safety. Alongside these other safety analysis techniques, the FTA continues to play a key role in the NYCT Safety Program. This paper will examine how NYCT uses FTAs for the safety analysis of microprocessor-based signaling systems. FTAs are used by NYCT throughout the system lifecycle. Initially, during the system development phase, NYCT requires system suppliers to develop Fault Tree Analyses of their systems, as a requirement for NYCT safety certification and deployment. For the system maintenance phase, NYCT uses the outputs of suppliers’ analyses to develop and enforce maintenance and operational procedures. In this manner, NYCT’s use of FTA provides full lifecycle value by providing design, maintenance, and operational insight into the causes of hazardous events. Through the examination of example fault trees and an overview of the FTA process, this paper will present NYCT’s implementation of this powerful analysis tool, and will describe the benefits gained from using this methodology.
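To make the top-down character of FTA concrete, here is an added example (not an NYCT or supplier analysis): a constructed fault tree for a wrong-side signaling failure, with a minimal-cut-set derivation (the combinations of basic events that cause the top event) and two top-event probability estimates. The gate names and basic-event probabilities are hypothetical placeholders.

```python
import math
from itertools import product

# Constructed fault tree (hypothetical; not a real product analysis).
# Gates: name -> (type, [children]); leaves are basic events with failure probabilities.
TREE = {
    "TOP_WRONG_SIDE_CLEAR": ("OR", ["UNDETECTED_FALSE_CLEAR", "TRACK_DETECT_FAIL"]),
    "UNDETECTED_FALSE_CLEAR": ("AND", ["PROC_FALSE_CLEAR", "CHECK_CHANNEL_FAIL"]),
    "PROC_FALSE_CLEAR": ("OR", ["SW_LOGIC_ERR", "CPU_FAULT"]),
    "TRACK_DETECT_FAIL": ("AND", ["TC_RELAY_STUCK", "TC_DIAG_FAIL"]),
}
BASIC = {  # per-demand probabilities, constructed for illustration only
    "SW_LOGIC_ERR": 1e-6, "CPU_FAULT": 1e-5, "CHECK_CHANNEL_FAIL": 1e-4,
    "TC_RELAY_STUCK": 1e-5, "TC_DIAG_FAIL": 1e-3,
}

def minimize(sets):
    """Drop any cut set that is a strict superset of another (keeps minimal ones)."""
    return {s for s in sets if not any(o < s for o in sets)}

def cut_sets(node):
    """Minimal cut sets of a gate or basic event, as frozensets of basic events.
    OR gates union their children's cut sets; AND gates combine one set from each child."""
    if node in BASIC:
        return {frozenset([node])}
    gate, children = TREE[node]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return minimize(set().union(*child_sets))
    combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimize(combined)

def top_probability(node):
    """Gate-by-gate exact probability; valid only because every basic event
    appears once (independent inputs).  A shared basic event would need the
    cut-set route instead."""
    if node in BASIC:
        return BASIC[node]
    gate, children = TREE[node]
    ps = [top_probability(c) for c in children]
    if gate == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)      # P(at least one child)

def rare_event_bound(node):
    """Upper bound: sum of cut-set probabilities, the usual FTA approximation."""
    return sum(math.prod(BASIC[e] for e in s) for s in cut_sets(node))
```

The cut sets tell a maintainer which pairs of failures must coexist for the hazard, which is the information that drives the inspection and diagnostic-interval procedures the abstract mentions.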