Integrate hardware/software device testing for use in a safety-critical application

In train and transit applications, the occurrence of a single hazard (fault) may be quite catastrophic resulting in significant societal costs, ranging from loss of life to major asset damages. The axiomatic safety-critical assessment process (ASCAP) has been demonstrated as a competent method for assessing the risk associated with train and transit systems. ASCAP concurrently simulates the movement of n-trains within a given system from the perspective of the individual trains. During simulation, each train interacts with a series of appliances that are located along the track, within the trains and at a central office. Within ASCAP, each appliance is represented by a probabilistic multistate model, whose state selection is decided using a Monte Carlo process. In lieu of exercising this multistate model for a given appliance, the ASCAP methodology supports the inclusion of actual appliances within the simulation platform. Hence, an appliance can be fault tested in a simulation environment that emulates the actual operational environment to which it will be exposed. The ASCAP software can interface with a given appliance through an input/output (I/O) node contained within its executing platform. This node provides the ASCAP software with the capability of communicating with an external device, such as a track or an onboard appliance. When a train intersects with a particular appliance, the actual appliance can be queried by the ASCAP simulator to ascertain its status. This state information can then be used by ASCAP in lieu of its multi-state model representation of the appliance. This simulation process provides a mechanism to determine the appliance´s ability to perform its intended safety-critical function in the presence of hardware/software design faults within its intended operational environment. By being able to quantify these effects prior to deploying a new appliance, credible and convincing evidences can be prepared the to ensure that overall system safety will not be adversely impacted.