How Continuous Delivery Can Change Railways
Continuous delivery can have a profound impact on delivery speed without compromising safety.
The railway sector is an essential part of the world's infrastructure, transporting people and goods across vast distances. It is crucial to ensure that railway systems run efficiently and reliably to provide safe and timely transport. In today's fast-paced world, the railway sector faces numerous challenges, including increasing age and risk of failures in infrastructure components, higher capacity expectations, and the need to make progress on climate change and carbon neutrality targets. In this context, speed and quality of execution have become mission critical.
In this world, average project durations of 10-20 years for new lines are unacceptable.
80 percent of the quality of the railway system is decided on the rail network. The current reliability and quality problems of rail transport are essentially capacity and obsolescence problems in the infrastructure. (Richard Lutz, CEO Deutsche Bahn, 2022)
Additional changes in the industry are caused by a technological shift towards digital CCS, a large-scale rollout of ETCS-enabled trains and lines and shorter lifecycles for software components. As software plays a bigger and bigger role in each of these advancements, we take inspiration from the software industry as well as safety-relevant development processes in other industries.
What is Continuous Delivery (CD)?
Continuous delivery is an approach to software development that emphasizes the importance of delivering high-quality software continuously and consistently.
This approach aims to shorten the software development cycle by automating the process of building, testing, and deploying software.
Examples include hot reloads, containerization, git hooks, modern observability tools and many more.
How does this apply to the railway sector?
Continuous delivery is not only applicable to software development but also to the manufacturing industry and finds increasing application in automotive and aviation, especially when it comes to safety-relevant equipment.
In the context of safety-relevant equipment manufacturing, continuous delivery aims to ensure that the equipment is developed and delivered consistently, meeting functional safety norms. Functional safety is a critical aspect of safety-relevant equipment that ensures that the equipment can perform its safety functions in all circumstances.
The cost of discovering a safety-related defect post-installation is measured in millions of Euros and the cost of human lives in the event of an unsafe operation is immeasurable. It is thus paramount to receive feedback earlier and more frequently in the development process to build more robust products. Complex team interactions, development dependencies and thorough tracability requirements in SIL-governed development processes may seem like a hurdle to continuous integration and delivery, but in fact demand it to keep transparency and thus quality high.
Hence, in the railway sector too, many actors ranging from infrastructure managers to equipment manufacturers and test laboratories are pushing for greater degrees of automation and an overhaul of current development and release (i.e., akkreditation, certification and commissioning) processes.
What is the Continuous Delivery lifecycle?
Continuous delivery in safety-relevant equipment manufacturing begins with the development of safety requirements. The safety requirements specify the intended functions of the equipment and the safety measures necessary to ensure that the equipment performs those functions safely. Once the safety requirements are established, the equipment development process can begin.
During the equipment development process, continuous delivery involves the frequent testing of the equipment's safety functions to ensure that it meets the safety requirements. The testing process is automated to ensure that it is consistent and reliable. The results of the testing are used to improve the equipment's design, ensuring that it meets the safety requirements and functional safety norms.
After the equipment is developed and tested, it must be deployed and integrated into the manufacturing process. Continuous delivery ensures that the equipment is deployed and integrated continuously and consistently, ensuring that it performs its safety functions reliably. The deployment process is automated, ensuring that the equipment is deployed consistently across different operating scenarios.
Finally, continuous delivery also involves ongoing maintenance of the safety-relevant equipment. The equipment is continually monitored to ensure that it is performing its safety functions effectively. If any issues arise, the equipment is quickly repaired or replaced, ensuring that the manufacturing process remains safe and reliable.
How to apply Continuous Delivery?
1. Formalization of Requirements
Requirements and documentation written in prose are hard to test and easily misinterpreted due to the inherent ambiguity of natural language. Verification using formalized, unambigious software tests or MBSE models is thus the first step. Software should be self-documenting or generated from models wherever possible.
Requirements and code must be tidally locked.
2. Robust tool chains
Critical to the success of continuous delivery are:
- the use of fast, highly reliable feedback mechanisms for correctness and quality of code artifacts throughout every stage of development
- robust delivery methods and homogenization of development and production environment to avoid unexpected side-effects
Any tools in use should have a wide, open and active user community. This ensures that defects, limitations and incompatibilities are more easily discovered and fixed by the community. This may in some cases pose a challenge as the CENELEC norm EN50128 requires tool qualification for tools used during the SIL-development process. Most general purpose tools are not (pre-) qualified, despite being more widely accepted and "battle-hardened" in the continuous integration and delivery community worldwide.
Fast and developer-friendly tooling is key, due to the goal of minimizing feedback cycles for better visibility of open issues. A second or more of response time will quickly derail developer focus and/or cause necessary verification steps to be postponed or skipped altogether. If parts of the process or tool chain are painful to use, they must be improved.
3. Trust building with assessors
Continuous delivery does not try to optimize for time-to-market, it optimizes for confidence. Likewise, creating confidence with assessors during certification and commissioning processes as fundamental to safety applications. Any innovation or change to the verification and validation routines, including the application of continuous delivery, should be evaluated in light of providing additional confidence to team and assessor.
Rather than mistaking human-readable or similarity to prior processes for safe, continuous integration and delivery must deliver evidence. This evidence is deliverd in the shape of vastly improved, thorough and closer-to-runtime-reality test results.
While the absence of defects in software cannot be proven by tests, they improve our confidence interval in the reliability of the system. Used in conjunction with model checking, formal verification, static analysis and other techniques, it is a crucial pillar in building safe applications.
Assessors should be present throughout the development process, witness the developer experience and be enabled to make better decisions with help of the evidence produced.
Conclusions
The continuous delivery approach involves developing safety requirements for the equipment and testing it frequently to ensure that it meets those requirements. Testing is automated to ensure consistency and reliability in the results, and any issues that arise during testing are used to improve the equipment's design. Once the equipment is developed and tested, it is deployed and integrated into the railway system, ensuring that it performs its safety functions consistently and reliably.
Continuous delivery also involves ongoing maintenance of the equipment, including monitoring its performance and addressing any issues that arise promptly. By embracing continuous delivery, railway companies can improve the safety and reliability of their operations, ensuring that their interlockings and CCS equipment perform their safety functions effectively and reliably at all times. This, in turn, helps to protect passengers, staff, and the environment from potential hazards and disruptions in railway operations.
Finally, albeit robust tool chains and processes are investment-intensive, they prevent significant financial loss in the mid- to long-term.