Safety Licensing


Copyright © IFAC Control, Computers, Communications in Transportation, Paris, France, 1989

ROUND TABLE DISCUSSION

SAFETY LICENSING

J. P. Georges

The session of the CCCT '89 Symposium dealing with safety information processing was concluded by a round table on safety licensing. The round table was chaired by B. STERNER (S), assisted by R. GENSER (A). It was based on two submissions, presented by an operator, a manufacturer and a representative of a research institute:

(1) Results of a safety software validation: SACEM, by C. GALIVEL (F), Regie Autonome des Transports Parisiens (RATP), and R. CHAPRONT (F), GEC ALSTHOM.

(2) Approval procedure for automatic equipment of an unmanned metro, by B. LE TRUNG (F), Institut National de Recherche sur les Transports et leur Securite (INRETS).

The present paper gives an abstract of this round table; the texts of both submissions are reproduced.

Keywords:

Safety licensing; software validation; transit system.

The development of a transit system is based on the work of the administration, of the manufacturer and of the operator.

It is obvious that the various development stages of a system, as recalled by Mr STERNER (need analysis, user functional analysis, manufacturer functional analysis, tentative design, detailed design), are well formalized and generally recognized.

Those various phases, implemented by different teams, cannot be achieved unless there is a good mutual understanding between all those teams.

On the other hand, a validation phase is associated with each design phase, with the purpose of ascertaining that the system:

- complies with the expressed needs;
- is safe, i.e. all unsafe abnormalities are eliminated.

As Mr GENSER noted, the absolute safety of a system is a quality towards which efforts tend but which cannot be proved; a modern approach to a system therefore consists in fixing an hourly failure rate that must not be exceeded.

One of the functions of the administration, as Mr LE TRUNG explained, is precisely to set up agencies in charge of fixing system safety targets; those agencies then verify that everything is done during system realization in order to comply with those targets.

According to Mr STERNER, when a safety "responsible" (e.g. the operator) is faced with the complexity of a present-day system, he has to rely on teams which will carry out all the necessary checks "instead of him". This responsible then has to ask himself whether he may rely on these teams. It is necessary to adopt rules that make it possible to verify that everything which had to be done has actually been done.

Teams entrusted with validation have to deal with the difficult problem of choosing the methods that will be implemented. Where such methods exist, they generally have to be adapted to the system under examination, which forms a particular case.

Due to the implementation of the coded monoprocessor, software validation is quite essential in the development of the SACEM system. The submission of Messrs GALIVEL and CHAPRONT gives an account of operator and manufacturer validation and shows that two independent validations have to be carried out; each partner can take advantage of his own know-how and implement validation methods which are different from, and complementary to, those implemented by the other partner. Of course the choice of efficient methods is essential, since the system is considered fit for revenue operation only when no error is detected any longer.

The round table promoters concluded by expressing the wish that certification should not be dedicated to the development phase only. An external authority should examine the safety conditions of railway systems during the whole life of the latter.