This paper was produced by the IRSE's International Technical Committee (ITC) and published in IRSE NEWS October 2017.

In the long history of railway signalling, its unique safety technologies have continuously evolved on the basis of the lessons learned from accidents. When microelectronics and computers were applied to railway signalling during the 1980s, many detailed, in-depth studies were carried out on the basis of conventional safety practices based on a fail-safe philosophy, which were all rather qualitative and deterministic. Later a risk-based approach which deals with probability of hazardous failure was introduced, and although the importance of fail-safe as best practice has not changed, there is nowadays a tendency to think that the quantitative approach, based on hazardous failure probability, has more importance and relevance than the qualitative and deterministic one. Is this the direction we should be taking, particularly in view of the coming generation change of new signal engineers with much more of an IT background? We should be thinking how safety is determined and managed within the context of railway signalling.

This paper explores the concept of "fail-safe", how relevant it is in today's signalling technology and systems, and the use of alternative approaches to determing how safe a system is. Comparisons are made with other industries, where IEC61508 is used. Approaches such as Goal-Structured Notation (GSN) and STAMP/STPA (Systems Theoretic Accident Model and Processes / System-Theoretic Process Analysis) are briefly reviewed. Reference is made to a recent UIC work on the safety of signalling relays, and the concept of security and how it relates to safety are also explored.