Copyright © IFAC Programmable Devices and Systems, Ostrava, Czech Republic, 2000

SYSTEM WITH DEFINED LEVEL OF SAFETY

Janota, A., Rastocny, K., Tomasov, P., Zahradnik, J.

Department of Information & Safety Systems
Faculty of Electrical Engineering
University of Žilina, Veľký diel, 01026 Žilina, Slovakia
Fax: +421 895252241, e-mail: {janot | rastoc | tomas | zahra}@fel.utc.sk
Phone: +421 895655559

Abstract: The paper deals with basic methods of analysis and synthesis of fail-safe systems. A fail-safe system is a system whose operation complies with the safety requirement specification and is required not to become incidental (random) after a considered fault has occurred. The property of "being fail-safe" can be reached by applying various fail-safety techniques (inherent fail-safety, reactive fail-safety and composite fail-safety, or their combinations), which are discussed in this paper. Fulfilment of the safety requirement specification must be proved (by a written certificate) through appropriate qualitative and quantitative analysis of the effects of failures (incidental failures, systematic failures, environmental effects) on system operation. Copyright © 2000 IFAC

Keywords: control system, interlocking, traffic control, safety, fault detection, failure, command, computer systems

1. INTRODUCTION

An interlocking system is a part (subsystem) of the railway traffic control system. In the control of the traffic process three hierarchical levels can be distinguished: the procedural, operational and managerial levels. The highest risk of hazard occurrence exists on the procedural level. All parts of the traffic control system contribute to this risk. At this point a significant role is played by the interlocking system, since it sets ("calculates") most of the commands given to change the conditions of the traffic process. The resulting condition is an operational one provided that the command is correct. The condition is considered faulty if, for any reason, the command given to change a condition is produced incorrectly or is misinterpreted.

Such a condition can lead (though not in all cases) to an accident with damage to property, health, lives and the environment. For that reason the safety level must be derived from the tolerable (acceptable) hazard rates for the traffic process. Before anything else, let us assume that there is a mechanism of risk distribution between the interlocking system and the other subsystems of the traffic control. Then the safety level of the interlocking system can be considered a rate usable to express the risk of incorrect production and misinterpretation of the commands produced by the interlocking system. Commands resulting from a correct procedure but using incorrect input quantities are also considered incorrect commands. The principal scheme of the one-stage process control is given in Fig. 1.