Title: Applying Safety Concepts and Principles in Vital Controller Design
Authors: F. Shi
Journal: Journal of System Safety, volume 515 1
Publication date: 2020-07-01
Publication type: Journal Article
DOI: 10.56094/jss.v56i1.31 (https://doi.org/10.56094/jss.v56i1.31)
Open access: no
Platform: Semanticscholar
Citation count: 0
Citations: 0
Abstract
A vital controller is safety critical and its failures, if not mitigated in time, can contribute to hazards in the application system. With electronics advancing and automation increasing, the expanding complexity of a vital controller creates challenges in designing it and assessing its safety integrity level. Typically, traditional safety engineering approaches are not effective for providing systematic guidance to design vital controllers and also not cost efficient for justifying their safety integrity. Through practice on developing multiple Communications-Based Train Control systems, we have identified an approach to using a set of safety concepts as guidance for both safety critical controller design and its safety integrity assessment. These safety concepts are categorized as intrinsic fail-safe, reactive fail-safe, and composite fail-safe. An effective combination of them is applying the composite fail-safe concept in checked redundancy techniques for designing the architecture of a controller, the reactive safety concept for identifying self-testing and monitoring mechanisms in each checked redundant channel, and the intrinsic fail-safe concept for ensuring safe interfaces to other controllers and controlled devices. This paper presents the approach for using these safety concepts and discusses their application principles and verification factors for achieving high safety integrity level of a controller.