Are you sure that the drawings and documents that were approved by safety review did not change after review?
This is a fundamental problem in safety-critical engineering. It used to be simple: when schematics were drawn on paper, the safety reviewer would just stamp and sign the paper and it was clear to everyone that the contents of this particular piece of paper had been reviewed and approved. With digital documents, it is less obvious, because it is so easy to make copies to send to colleagues, and many projects don’t have the tools to ensure that what the reviewer approved is exactly what was used in the end.
Indeed, we recently received from a customer two versions of the same document that both claimed to be version 1.0, but carried different dates. This shows how fragile manual versioning processes are.
The CENELEC norms EN50126, EN50128, and EN50129 that we use in the rail and metro sector require the use of a configuration management system to keep track of all documents and versions. That solves part of the problem: the system can ensure that documents are unaltered.
A problem remains though: safety reviewers do not always have direct access to the configuration management system. They receive files via email or file transfer systems and write a report about the files they investigated. What if someone “fixes” something in these files after review, and stores the fixed ones as the “final version” without a proper new safety review? Will it be noticed?
It is the responsibility of the assessor to compare versions, but to do that, the assessor needs to be able to verify that the files considered by the reviewer were exactly the same as the ones delivered as the final version by the project. One convenient way of doing that is to use checksums, or hashes as they are sometimes called.
There are many kinds of checksums out there. The most common one to use currently is called sha256, or SHA-256, or “SHA-2, 256 bit”. Most configuration management systems use it, for example, to discover whether a stored file has been corrupted.
If you want to improve your process, and your way to ensure the integrity of files, there are many programs at your disposal. There are built-in programs in Linux and Mac and Windows to create and check sha256 checksums. When we used them, we found that we lacked some overview, in particular when there are many files to check. So we created a new tool that we hope will help the rail and metro domain to work in a more effective way with checksums: Prover Summit.
Prover Summit provides an easy-to-use interface to add several files of different formats, create checksums of them, and check the integrity of the files against these checksums afterwards.
There are two major use cases:
1. Add the files you want to use for integrity checking and create their checksums. Store these generated checksums on disk in a checksums file. An example is: you have a set of drawings that have been verified using Prover Extractor, and you wrote a verification report about them. To make it clear exactly what you worked on, you include the checksums file with the report. To make it clear that they belong together, you add a checksum of the checksums file itself directly in the report.
2. Open a stored checksums file and check whether the files you have are unaltered compared to the ones that were used to create the checksums file. One example of this use case is that you get a report, as mentioned above, together with a set of files, hopefully the same files the report is supposed to be about. You want to check whether these files have been modified since the report was written. Prover Summit will show you which files have been modified, so you can investigate the modifications, or confirm that the files are indeed unaltered.
Prover Summit provides some useful features for these use cases. For example, if you apply the first use case and modify the files after the checksums have been created while keeping Prover Summit open, it will notify you about the modification, so you know that you have to recreate the checksums before adding them to the report. This can also be a useful way of discovering whether some application you use is actually changing your files in ways you did not expect.
Or, if you apply the second use case and you forgot to add some files, Prover Summit will notify you, so you know exactly which files are missing.
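The two use cases above amount to a small, well-defined procedure: hash every reviewed file with SHA-256, write the results to a checksums file, quote the hash of that checksums file in the report, and later recompute the hashes to find files that were modified or are missing. The script below is an added illustration of that procedure in Python; it is not Prover Summit's code and does not describe its file format. It uses the hash-then-two-spaces-then-filename layout that `sha256sum` and `shasum -a 256` produce, and the file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large drawings do not need to fit in memory


def sha256_file(path):
    """Hex SHA-256 of a file on disk, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_checksums(root, filenames):
    """Build the text of a checksums file: one '<hex digest>  <name>' line per file."""
    lines = [f"{sha256_file(Path(root) / name)}  {name}" for name in sorted(filenames)]
    return "\n".join(lines) + "\n"


def parse_checksums(text):
    """Read a checksums file back into {name: digest}; blank and '#' lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")   # two spaces separate digest and name
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return entries


def verify_checksums(root, text):
    """Compare the files under root with a checksums file.

    Returns three sorted-by-appearance lists: unaltered, modified, missing.
    """
    ok, modified, missing = [], [], []
    for name, expected in parse_checksums(text).items():
        path = Path(root) / name
        if not path.is_file():
            missing.append(name)
        elif sha256_file(path) != expected:
            modified.append(name)
        else:
            ok.append(name)
    return ok, modified, missing


def demo():
    """Constructed scenario: three reviewed drawings; afterwards one is 'fixed' and one is lost."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        reviewed = {  # constructed sample contents standing in for real drawings
            "drawing_A.txt": b"signal S1 protects track T1\n",
            "drawing_B.txt": b"point P3 locked in normal position\n",
            "drawing_C.txt": b"route R7: S1 -> S4 via P3\n",
        }
        for name, data in reviewed.items():
            (root / name).write_bytes(data)

        # Use case 1: the reviewer records the checksums and quotes the hash of
        # the checksums file itself in the review report.
        checksums_text = create_checksums(root, reviewed)
        report_anchor = hashlib.sha256(checksums_text.encode("utf-8")).hexdigest()

        # Someone later "fixes" drawing B and drawing C is not delivered at all.
        (root / "drawing_B.txt").write_bytes(b"point P3 locked in REVERSE position\n")
        (root / "drawing_C.txt").unlink()

        # Use case 2: the assessor checks the delivered files against the checksums file.
        ok, modified, missing = verify_checksums(root, checksums_text)
        return ok, modified, missing, report_anchor


if __name__ == "__main__":
    ok, modified, missing, anchor = demo()
    print("unaltered:", ok)
    print("modified: ", modified)
    print("missing:  ", missing)
    print("checksums file hash for the report:", anchor)
```

Because the checksums file uses the `sha256sum` layout, the same file can also be verified with `sha256sum -c` on Linux or `shasum -a 256 -c` on macOS. The hash of the checksums file printed at the end is the value to quote inside the report, so that the report and the list of hashes cannot be separated or swapped without it being noticeable.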
Contact us if you want to learn more about how you can use checksums in an effective way, or if you want to try Prover Summit. We are offering two-year licenses for free to our first users.
How safe and efficient are your rail control systems? Let’s find out!