Design and Analysis of Safety-Related Communication Architectures

Original title: Entwurf und Analyse sicherheitsrelevanter Kommunikationsarchitekturen
Author: Schulz, Oliver
Supervisor: Ziegler, Peter
1st Expert: Peleska, Jan
2nd Expert: Braband, Jens
Abstract:
In the future, engineers of railway control systems will have to consider digital communication between components more than ever. The number of communicating systems rises steadily, and the range of commercial off-the-shelf products for digital transmission networks is growing as well. Safety protocols have to be included in the architecture so that safety-critical systems can be operated over unsafe transmission channels. To ensure functional safety, a safety layer has to detect the different types of message errors (EN 50159 names, among others, repetition, deletion, insertion, resequencing, corruption and delay). It is highly recommended to verify the specification of a safety protocol with model-checking methods to make sure the specification is correct. The safety reaction to a detected error must be a transition to a safe state, which usually stops the communication service until the system is reinitialised or reset by an operator. Safe communication therefore reduces the fault tolerance against arbitrary transmission errors and lowers the reliability of the communication architecture.

To improve the fault tolerance against message errors it is necessary to use a reliable message transmission service before the safety check is executed. Such a reliable transmission service can be located in the safety layer, in the upper protocol layer of the grey channel, or in both. A naive combination of fault-tolerance mechanisms in the grey channel and in the safety layer will not necessarily increase the overall fault tolerance: if, for example, lost messages in the grey channel are retransmitted after a timeout, the message eventually passed to the receiving safety layer may already be out of date and therefore has to be discarded. Consequently, it is necessary to analyse whether the design of a safety-related communication architecture is both safe and reliable. This thesis describes a common concept for reliability and safety analysis of communication architectures in safety-critical systems. Case studies of industrial-sized communication architectures evaluate the new approach, and the analysis results are used to improve the design.
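The interaction the abstract describes, as an added illustration that is not part of the thesis or its abstract: a grey channel repairs a lost message by retransmitting after a timeout, while the receiving safety layer applies the sequence-number and timeliness checks that EN 50159 lists among its defences against deletion, resequencing and delay. When the retransmission timeout is longer than the safety layer's age limit, the repaired message arrives too late, is rejected, and the link drops into the safe state anyway; when the two budgets are coordinated, the same loss is tolerated. The class names, parameter names and millisecond values below are assumptions chosen for the simulation.

```python
# Constructed simulation: a grey channel with timeout-based retransmission in front of
# a safety layer that applies EN 50159 style sequence-number and timeliness checks.
# Added illustration, not code from the thesis; class and parameter names are assumptions.
# All times are integer milliseconds to keep the arithmetic exact.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SafeMessage:
    seq: int          # sequence number (detects deletion, repetition, resequencing)
    timestamp: int    # sender's safety-layer time stamp (detects delay)
    payload: str


@dataclass
class SafetyReceiver:
    max_age: int                          # timeliness budget: older messages are rejected
    expected_seq: int = 0
    accepted: List[int] = field(default_factory=list)
    safe_state: bool = False              # once set, the service stays down until reset
    reason: str = ""

    def deliver(self, msg: SafeMessage, now: int) -> bool:
        """Safety check at reception; any detected error forces the safe state."""
        if self.safe_state:
            return False
        if msg.seq != self.expected_seq:
            self._trip(f"sequence error: expected {self.expected_seq}, got {msg.seq}")
            return False
        age = now - msg.timestamp
        if age > self.max_age:
            self._trip(f"stale message seq={msg.seq}: age {age} ms > {self.max_age} ms")
            return False
        self.expected_seq += 1
        self.accepted.append(msg.seq)
        return True

    def _trip(self, why: str) -> None:
        self.safe_state = True
        self.reason = why


def run_link(loss_pattern: List[int], retx_timeout: Optional[int], max_age: int,
             hop_delay: int = 100, period: int = 1000) -> SafetyReceiver:
    """Send one message per `period` ms; loss_pattern[i] is how many copies of
    message i the grey channel drops before one gets through.
    retx_timeout=None models a grey channel without retransmission (the message
    is simply gone); otherwise every drop costs one timeout before the resend,
    and later messages queue behind the resend (in-order delivery, as with TCP)."""
    rx = SafetyReceiver(max_age=max_age)
    last_arrival = 0
    for i, losses in enumerate(loss_pattern):
        send_time = i * period
        msg = SafeMessage(seq=i, timestamp=send_time, payload=f"cmd-{i}")
        if retx_timeout is None:
            if losses:
                continue                      # deleted; the next message will reveal it
            arrival = send_time + hop_delay
        else:
            arrival = max(send_time + losses * retx_timeout + hop_delay, last_arrival)
            last_arrival = arrival
        rx.deliver(msg, now=arrival)
    return rx


def max_tolerable_losses(retx_timeout: int, max_age: int, hop_delay: int = 100) -> int:
    """How many consecutive drops the grey channel may repair before a resend
    is already too old for the safety layer. Design rule: the retransmission
    budget must fit inside the safety layer's timeliness window, otherwise the
    two fault-tolerance mechanisms work against each other."""
    return max(0, (max_age - hop_delay) // retx_timeout)


if __name__ == "__main__":
    pattern = [0, 1, 0]   # constructed: the second message is dropped once
    for label, retx in (("no retransmission", None),
                        ("naive: retx 2000 ms, age limit 1500 ms", 2000),
                        ("coordinated: retx 400 ms, age limit 1500 ms", 400)):
        rx = run_link(pattern, retx, max_age=1500)
        print(f"{label}: accepted={rx.accepted} safe_state={rx.safe_state} {rx.reason}")
```

Without retransmission the single loss is caught as a sequence error; with a 2000 ms retransmission timeout against a 1500 ms age limit the repaired message is rejected as stale, so the grey channel's effort buys nothing; with a 400 ms timeout the loss is absorbed and the receiver stays available. `max_tolerable_losses` is the corresponding design check: it returns 0 for the naive parameter set and 3 for the coordinated one.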
Keywords: Communication Architecture, Railway Interlocking, Safety Protocol, Domain Specific Modeling, Reliability Analysis, EN 50159
Issue Date: 3-May-2011
URN: urn:nbn:de:gbv:46-00102005-14
Institution: Universität Bremen
Faculty: FB3 Mathematik/Informatik (Mathematics/Computer Science)
Appears in Collections: Dissertationen (doctoral theses)
checked on Sep 30, 2020
Items in Media are protected by copyright, with all rights reserved, unless otherwise indicated.