Dependability in open proof software with hardware virtualization—The railway control systems perspective

• The paper describes how open software can be applied in combination with platform-specific extensions, in the development of complex systems.
• The approach is illustrated in a case study on verification, validation and certification of safety-critical railway control systems.
• A discussion on the dichotomy open source vs open models is provided.

Using the openETCS initiative as a starting point, we describe how open software can be applied in combination with platform-specific, potentially closed-source extensions, in the development, verification, validation and certification of safety-critical railway control systems. To achieve certification credit for safety-critical system developments, evidence about numerous development, verification and validation artifacts has to be provided. Our focus is therefore on open models, and a model-driven development approach ensures that a large portion of the artifacts is automatically generated from the model. This strategy is illustrated by means of the ETCS standard, as far as applicable to the ETCS on-board computer managing train control and train protection. We show that a domain-specific language is suitable to cover all modeling aspects for this computer, starting from the ETCS standard itself and ending at supplier-specific adaptations extending the re-usable core model in concrete developments. In order to re-use certification credits once achieved for the re-usable core model, we suggest virtualization of run-time environments, so that suppliers can embed re-usable core components as binary code into their ETCS target platforms. A detailed analysis is provided, indicating how future changes in the standard and project-specific adaptations, extensions and restrictions, can be accounted for in a new ETCS development, while minimizing the re-certification effort. It is shown for all phases of the development life cycle how the peer-reviewing capacity of the openETCS community may contribute to the correctness of the phases’ outputs, thereby increasing overall system dependability, with special emphasis on safety and security.