ABSTRACTS
Axle Counters and Tracks Circuits – Complementarity without Exclusion
Abstract:
1 Aim of the paper
Some experts have put forward a proposal aiming to impose axle counters (ACs) as the sole target system in the European standards (TSIs), with the gradual phase-out of track circuits (TCs) as a consequence. The stated purpose is to reduce the constraints imposed on rolling stock.
The aim of the paper is to show why the decision to impose axle counters in the ‘target system’ must not be made without an in-depth systems approach. This analysis has to consider the signalling functionalities, the safety principles and the rules of each country. The paper will show (and prove formally) that imposing a particular technology in any country could lead to accidents or reduce the capacity of the lines.
2 Issues
Detecting the “inoccupancy” of a section of track is a safety-critical function. It must therefore be performed with a high level of safety, consistent with the levels of the other safety functions. Choosing a particular technology for this function necessarily impacts on the whole system, and especially the following:
- the ways and means of operation and maintenance of the fixed plant;
- the design of the infrastructure and signalling installations;
- how safety is achieved in nominal operation and in degraded mode;
- and the interoperability-related aspects in the sense of the rolling stock-infrastructure interface, by the imposition of constraints on the rolling stock.
From the standpoint of operation, it is necessary to consider a number of specific constraints brought by the AC, and in particular that:
- it imposes the absolute block, in that it exhibits unsafe failure modes in permissive blocks;
- it does not allow sectional release in the signalboxes;
- it requires the train controller to apply special procedures in the event of malfunction, including on open track (resetting and verification that the track sections are clear of all traffic). This means that the information train controllers need to follow those procedures must be made available to them;
- it does not allow some of the classic signalling functions on the French network to be fulfilled, such as continuous train warning at level crossings.
From the standpoint of infrastructure management and maintenance, the track circuit is highly reliable and simple to maintain, whereas the axle counter makes it necessary for maintenance workers to follow special procedures, drawing on railway resources, since AC failures often require manual resets that have no equivalent in TC systems. Every European railway system was designed around the track circuit as the traffic detector. Accordingly, the TC’s replacement by ACs, keeping all else constant, would inevitably lead to hazardous situations.
In fact, from the standpoint of the railway system’s design, giving up the TC would entail taking into account all the constraints stemming from the AC’s inherent limitations. A study would need to be made for each type of interlock that exists on each national network in order to assess the impacts on the system design on the one hand and on the overall balance sheet on the other. Such an economic study would involve comparing the expected benefits for the rolling stock (namely “relaxed EMC requirements”, although ACs also pose some problems of EMC with rolling stock) with the costs tied to the re-design of the infrastructure (for example, an absolute block limits throughput) and the associated operating procedures (more frequent need of procedures to check that track sections have been cleared, for instance).
Also, from the safety standpoint, it must be noted that:
- the TC provides additional benefits that should not be underestimated, i.e.:
- detection of broken rails, an advantage likely to grow in importance as concrete sleepers or slab track become more widespread on high-speed lines (faster failure of cracked rails);
- detection of metal obstructions fallen onto the track;
- option to use the TC shorting bar or clip in emergencies;
- TCs are also less sensitive to tampering.
- Phasing out TCs would not respect the legal requirement to be ‘GAME’ in changing the system, from the standpoint of preventing the risk of running over a broken rail at speed (protective function not fulfilled by ACs). As a consequence, the loss of broken rail detection would require as-yet undefined compensating measures, e.g. close monitoring and grinding of rails with attendant higher maintenance, to be implemented in order to hope to prove to the safety authority the railway system’s “GAME-liness”.
As to interoperability, the constraints imposed upon rolling stock in relation to the track circuits (ability to shunt them, and EMC) are similar to the constraints (EMC) imposed in relation to axle counters, whose diversity is very considerable.
3 Results
Each technology has its domain of pertinence. Neither should be rejected out of hand. In the current state of the art, neither of the two solutions for detecting the presence of trains is perfectly safe; signalling plant implicitly integrates the possibility of transient failures of the chosen solution. Each solution has its scope of relevance:
- The TC, through its occupancy detection function, provides, especially on high-traffic lines, a higher level of safety because of lower risks from human intervention, as much in maintenance, particularly corrective maintenance, as in degraded mode operation. Moreover, it ensures a continual check of the electrical integrity of the track. The TC’s reliability is all the better when traffic is heavy and/or the traction system is electric. Moreover, the TC is well suited to traffic increase, since it allows the block to be permissive and gives greater operating flexibility (sectional release in signalboxes, etc.).
- However, the AC provides, for low-traffic lines, an economical solution for checking that long sections have been cleared, without the risk of deshunting, albeit at the price of stricter route locking (absolute block, no sectional release and so on) and greater operating complexity in the event of disturbance or failure.
The deployment of ETCS Level 1 or 2, which requires a traffic detection system, in no way conditions a technological choice between Track Circuits and Axle Counters. Only ERTMS Level 3 will free us from the need for some form of physical detection on the track.
Estimation of safety requirements for wayside hot box detection systems
Abstract:
The estimation of safety requirements for wayside train monitoring systems is becoming more and more relevant, because new technologies are currently being developed to recognise various fault states in railway operation while vehicles are running. If such systems are to enter the market soon, the question of their required safety level arises in the process of accreditation by the national notified body. To support this process, the BP risk methodology is used in this paper to estimate the required safety integrity level for such monitoring devices.
Designing a semi-quantitative risk graph
Abstract:
Usually, risk assessments are done either qualitatively or quantitatively. Neither of these two approaches is satisfactory. For the future, risk assessment methods combining the advantages of both approaches are to be recommended. Based on the life cycle process as described in DIN EN 50126, the paper discusses guidelines for the construction of semi-quantitative risk assessment methods and presents a semi-quantitative risk graph for application to the railway sector, developed by following those guidelines.
The policy of applying RAMS to evaluate railway signalling systems for reliable transportation.
Abstract:
This paper describes how we adopted RAMS for railway signalling system management, because we wanted to apply this standard to the railway signalling system for better performance, improved maintenance and fewer faults. The parameter that shows the customer impact level of a railway signalling equipment breakdown is selected for evaluating reliability, and the risks are analysed. Problems then came into view; countermeasures were examined and some of them implemented.
Reliability of the IP Network-based Signal Control System and the Integrated Logical Controller
Abstract:
East Japan Railway Company developed the IP Network-based Signal Control System, which was put into practical service in February 2007, replacing the control technique for wayside signalling devices, namely power control through conventional metallic cables, with digital information control over an optical network. This system is intended to improve the quality of construction work on signalling devices by reducing the wiring work caused by the large number of metallic cables and by simplifying the operation tests. In this system, reliability is improved by duplicating the transmission lines, including the optical network. In this paper, we describe the reliability of the IP Network-based Signal Control System and discuss its application to the Integrated Logical Controller that is currently under development.
Effects of a Periodic Maintenance on the Safety Integrity Level of a Control System
Abstract:
An approach to analysing the impact of preventive maintenance on the safety integrity level of a control system is presented in the paper. The suggested approach combines Continuous Time and Discrete Time Markov Chains, which allows full use of the advantages of Continuous Time Markov Chains as a stochastic modelling method. The deterministic behaviour of either periodic or non-periodic preventive maintenance is then implemented through a Discrete Time Markov Chain.
A Method of Evaluating Railway Signalling System Based on RAMS Concept
Abstract:
Since IEC 62278 (the RAMS standard) was published in 2002, its importance and impact in Japan have been conspicuous. At the same time, various new train control systems based on information technology are under active development. Considering this situation, we assume that it is essential to establish an evaluation method for designing railway signalling systems that achieve a good balance of the RAMS indicators at low cost. We propose a basic method to evaluate the performance of a signalling system by a cost indicator based on the RAMS concept, and confirm that the method can evaluate systems appropriately, taking into account the grade of the line, its circumstances and other factors.
Automatic Fault Localization for Programmable Logic Controllers
Abstract:
Today, Programmable Logic Controllers (PLCs) are widely applied to control safety critical systems. The correct behavior of the controlling software has to be ensured under all circumstances. Efficient formal and non-formal methods to detect faulty behavior have been developed. But finding the cause of the buggy behavior is often still a manual process. Automation is required to enhance the debugging productivity.
Automatic fault localization for PLCs is studied in this paper. Methods for automated debugging are analyzed and compared with respect to accuracy and run time. Strategies to efficiently debug faults are proposed and a discussion on determining faults at different granularities is given. The experimental results on industrial models show a high accuracy at low run time costs.
Formal Specification and Automated Verification of Safety-Critical Requirements of a Railway Vehicle with Frama-C/Jessie
Abstract:
Formal verification of software provides a higher level of assurance than classical software testing. In this paper, we report on our experience with the Frama-C/Jessie verification tool in the railway domain. We analyse safety-critical requirements of a railway vehicle, formalize them using the ANSI/ISO-C Specification Language (ACSL) and achieve automated proofs to verify that the implementation satisfies the formal specification. The main requirement for the successful application of Frama-C in the railway domain is its qualification according to EN 50128.
Safety and Security in Transportation Process - Not just a technical Issue
Abstract:
Security these days is global in dimension. It covers issues such as climate change, health and the fight against terrorism. The most important components of transportation processes are the safety and security of the process, and the most important factor for process safety/security is the human factor. Major accidents in the transportation process have been attributed to the human factor and, surprisingly, the human factor is the most poorly investigated aspect of the transportation safety/security process. Improving the human factors design of a process can produce not only improvements in safety, security and health but also gains in quality and productivity in the transportation process. Human errors are regarded as one of the main causes of railway accidents these days. This paper discusses the transferability of human error probabilities for railways and identifies problems in handling methods and values for analysing security issues concerning any undesirable human behaviour and its influence on the safety and security of the transportation process. The Markov model presented is one proposed solution to the problem. It takes into account both the positive and the negative human impact of violations.
The DeSCAS Methodology and Lessons Learned on Applying Formal Reasoning to Safety Domain Knowledge
Abstract:
Functional safety has become an important aspect for engineering activities in the automotive domain due to the upcoming introduction of the safety standard ISO 26262. This paper proposes a methodology to guide the safety related requirements engineering process by means of OWL (Web Ontology Language) ontologies. These ontologies formalize necessary domain knowledge and serve as reference models to support semi-automated requirements discovery and to ease the certification process. Using OWL's logical base, knowledge inference is applied to reason about safety measures for ensuring compliance with the reference process (guidance). The proposed methodology has been implemented in a prototype toolchain and applied to a simple lane departure warning system as an example assistance and automation system. Lessons learned refer to conceptual (expressiveness) and technical (tooling efficiency) issues.
Methodology for assessing security systems. Application for a railway hot box protection system
Abstract:
This paper presents a methodology for assessing railway security systems. This methodology is based on a SADT model of the system and on a probabilistic evaluation of each function and sub-function of this model. As an illustration, the methodology is applied to assess a specific railway protection system: the detection of hot axle boxes. The risks involved with a hot axle box are also presented. Finally, results obtained in the case of a high-speed rail line are analysed.
Automatically Deriving Symbolic Invariants for PLC Programs Written in IL
Abstract:
In this paper, we propose a new approach to automatically derive invariants from Programmable Logic Controller programs by symbolically rewriting Instruction List code. These invariants describe the relations between all variables and capture the behavior of the program. Usually, invariants are created by users and verified using formal verification techniques such as model checking or static analysis. The process of creating invariants, however, is error-prone and lengthy. Our approach generates these invariants automatically and removes the need to use formal verification techniques to verify them. Users only need to inspect the generated invariants and verify whether the program behaves as expected. Using three example programs of different sizes, we show that the generated invariants are easy to understand and that the approach indeed scales for larger programs.
Simulation and Optimization of the Longitudinal Dynamics of Parallel Hybrid Railway Vehicles
Abstract:
In this paper, a basic simulation of the longitudinal dynamics of parallel hybrid railway vehicles is presented. It is extended towards an optimization with respect to fuel consumption and emissions. An internal combustion engine, the primary power source, is supported by an electrical energy storage system with motor and generator, allowing for joint usage of both energy sources. The energy buffer is discharged during power demand and recharged by regenerative braking. For the main components of the power train, interface variables representing power flow and energy are defined. For the optimization of operating strategies, an optimality criterion is introduced by a parameterizable performance index. An optimization of fuel consumption and emissions is considered for a parallel hybrid structure to minimize this performance index.
Model Checking Interlocking Control Tables
Abstract:
A challenging problem for model checking is represented by railway interlocking systems. It is a well known fact that interlocking systems, due to their inherent complexity related to the high number of variables involved, are not amenable to automatic verification, typically running into state space explosion problems. The literature is however quite scarce on data concerning the size of interlocking systems that have been successfully proved with model checking techniques.
In this paper we attempt a systematic study of the applicability bounds for general purpose model checkers on this class of systems, by studying the typical characteristics of control tables and their size parameters. The results confirm that, although small scale interlocking systems can be addressed by model checking, interlockings that control medium or large railway yards cannot, calling for specialized verification techniques.
Dissemination of the Commission Regulation (EC) No 352/2009/EC on Common Safety Method on risk evaluation and assessment
Abstract:
In order to support the market opening across Europe, the European Commission decided to define a common and harmonised approach for managing railway safety. To take this forward, the EU legislators approved in April 2004 the railway safety directive 2004/49/EC. This directive allocates, amongst others, the task of defining a Common Safety Method (CSM) on risk evaluation and assessment to the European Railway Agency (ERA). Regulation 352/2009/EC covering this CSM on risk assessment was published in April 2009 in the EC official journal. In order to support the railway actors in the implementation of this Regulation, as well as to gain inputs for its upcoming revision, the European Railway Agency has started a series of dissemination workshops for the CSM on risk assessment. The objective of this paper is to summarise and highlight some points from the dissemination of the Common Safety Method on risk assessment.
Modeling computer based, microscopic dispatching systems
Abstract:
Computer aided dispatching systems for railway operations are designed to support dispatchers in detecting emerging problems or undesirable situations within daily operation.
On a microscopic level, such systems can even be designed to determine detailed routing information, time margins and dwell times in such a way that the occupation times implied by train control systems can be calculated. This ensures that the dispatching decisions remain valid with respect to operability.
While the core component, the dispatching algorithms and approaches, is a common research topic, an overall consideration of system modeling and integration within existing systems is less commonly evaluated. This paper introduces a generic approach to dispatching system modeling by analysing fundamental functionalities and by abstract system definitions.
Model-based Integration Framework for Development and Testing Tool-chains
Abstract:
System development processes are typically supported by dozens of different tools that assist the designer in various phases of development like modeling, verification, source code generation and testing. Tool-chains can be formed by the integration of tools that are related to the subsequent steps of the process. In this paper, we present a service-oriented, metamodel-driven, process-centric approach for the definition and execution of these tool-chains. Related data are handled as an important part of the process, as their traceability is needed for the certification of the systems. The implementation is provided as an open, extensible framework. The approach is demonstrated using a model based test case generation process applied to automotive and railway systems.
On the Justification of Risk Matrices for technical Systems in European Railways
Abstract:
The European Railway Agency (ERA) has the challenging task of establishing common safety targets (CSTs) and common safety methods (CSMs) throughout Europe. In this context the harmonisation of risk matrices is also discussed. The purpose of this paper is to provide a formal justification of risk matrices for technical systems and the means by which compliance with legal and regulatory requirements can be demonstrated. A proposal for a standard risk matrix applicable to technical systems is derived.
Calibration and Validation of Simulation Models for Investigation of Traffic Assistance Systems
Abstract:
In road traffic the sum of all drivers' individual behavior has an immediate impact on traffic flow. The framework of systems theory helps to explain empirically observable phenomena. In this paper a systems theoretic basis for traffic modeling is set out. A generic system model explains system properties and rearranges them in order to form an explanatory model for the complex behavior observable in a road transportation system. The interrelation between nanoscopic, microscopic and macroscopic traffic variables in traffic simulation is shown using the generic system model. It demonstrates that the approach set out in this paper has explanatory power for complex phenomena in the traffic modeling domain. In future this approach can be applied to the calibration and validation of Traffic Assistance Systems (TAS).
Using Guided Simulation to Assess Driver Assistance Systems
Abstract:
The goal of our approach is the model-based prediction of the effects of driver assistance systems. Starting with the integration of a computer model of the driver of a car into a simulation environment, we face the problem of analysing the emergent effects of a complex system with discrete, numeric and probabilistic components. In particular, it is difficult to assess the probability of rare events, though we are specifically interested in critical situations, which will be infrequent for any reasonable system. For that purpose, we use a quantitative logic which enables us to specify criticality and other properties of simulation runs. An online evaluation of the logic permits us to define a procedure which guides the simulation towards critical situations and allows the risk connected with the introduction of the assistance system to be estimated.