Safety Enhancement of Railway Traffic by Modern Supervision Systems

F. BELMONTE, K. BERKANI, J.L. BOULANGER, W. SCHÖN

Université de Technologie de Compiègne (UTC), Laboratoire HEUDIASYC, B.P. 20529 F-60205 Compiègne, France.

Abstract. New generations of industrial supervision systems range from simply displaying process variables to fully automated control in which the human only monitors the automaton. In the railway industry, supervision is organised by switching zones and tends to be centralised in an Integrated Control Centre. Such centres implement integrated, computer-based systems that perform train protection, train operation and supervision, so that the tasks of the railway dispatchers who use them are considerably simplified. Although not considered safety critical today, railway supervision systems can contribute to safety in scenarios where an appropriate decision by a supervision operator could notably reduce the severity of an accident. This is particularly the case for residual scenarios (intervention of maintenance teams on the tracks, manual operation of trains not protected by the train protection system, coupling and uncoupling, emergencies requiring a train to be stopped and evacuated, etc.) that are covered only by procedures and thus require the intervention of a person who is assumed to be correctly informed of the state of the system, thanks to the data provided by the supervision system.

1. Introduction

Whatever the degree of human presence aboard trains, every railway line has a system that centralises, for the operators of a control room, both traffic control operations (signalling, route setting, etc.) and traffic regulation operations. Formerly analogue, this technology is now becoming digital. It is therefore possible to generalise the centralisation of many functions previously carried out locally by on-site operators (handling of signals and switching devices, traction energy management, disturbance management, monitoring of public areas). Train Control Centres have evolved over time to include many functions beyond their initial ones of tactical and strategic control of the traffic network. In keeping with technological developments, customer requirements on Train Control Centres have become ever more sophisticated, calling for an increasing number of functions in order to extract the most from existing assets. At the same time, low-cost systems are requested, offering more functionality for a given cost. Facing the need for cost reduction, instead of purchasing a control system for each type of application (traffic, energy, auxiliaries, telecommunications, etc.), customers now request a single control system offering a fully integrated feature set. This technological improvement must be accompanied by an evolution of the operators' culture. On the one hand, the increasingly frequent use of digital technology in safety functions requires a rigorous development process. On the other hand, the activity of human operators has changed considerably: on-site operators (drivers, pointsmen) are increasingly becoming supervisors of automata. They must apprehend and analyse a remote situation and, as far as possible, act through remote controls.
This paper first presents a state of the art of modern industrial supervision systems, covering the widest possible range of activities (urban and intercity railways, civil and military nuclear applications, chemistry, air traffic, etc.). To illustrate the consequences of inappropriate actions or decisions, accident scenarios in which the supervisors' decisions could have played a role in the severity of the consequences are analysed; in particular, the accident that occurred in the suburban station of Gare de Lyon in Paris on June 27, 1988 is analysed. The paper will then present experimental results obtained with a modern railway supervision platform similar to a real one (ALSTOM Transport's supervision product, ICONIS™) installed in the Compiègne research centre. With this platform it is possible to re-create real accident scenarios in the laboratory and to confront human operators with these situations, in order to analyse their behaviour and their decisions.

2. State of the art of modern industrial supervision systems

Industrial process supervision covers a wide range of applications, from simple control to the control of complex and heterogeneous systems. An industrial process can be defined as the whole set of actions that animate a system in order to achieve a task. For example, the railway transportation process is defined by the operations of all the sub-systems (tracks, trains, energy, driver, etc.) that transport passengers or freight safely and on time from one place to another. Processes are usually classified by the nature of their set of representation variables. A representation variable evaluates or measures an action in the process. For example, in the railway traffic process the set of representation variables includes all the variables that describe the traffic, such as the number of trains on the tracks, the occupancy of each track section, lateness or earliness with respect to the daily programme, etc. If every representation variable has a countable definition domain, the process is called discrete; if the domains are uncountable, the process is called continuous; finally, if the set of representation variables contains both discrete and continuous variables, the process is said to be hybrid. The aim of this section is to present an industrial survey of the supervision of each representative class of process, including of course railway applications.

2.1. Industrial survey

A general industrial supervision survey was performed from March 2005 to January 2006 (see Table 1).

Company | Places visited | Domain | What to supervise
CEA | LIL (Laser line integration) | High technology, defence and prototype experiment | Sequential actions to perform one shot
CEA | LMJ (Laser Mega Joules) | High technology, defence and experiment | Sequential actions to perform one shot
CFF | Computer-controlled all-relay (Lausanne station) | Mainline railway transport | Route control
CFF | Regional operation process | Mainline railway transport | Traffic flow control
CRNA-Nord | North French air traffic control | Aerial transport | Route control
EDF (CIPN) | Nuclear power plant engineering | Energy production | Power plant
RATP | Centralized Traffic Control CTC (Bourdon) | Metro transport | Route control & Traffic flow control
RATP | CTC RER A | Urban railway transport | Route control & Traffic flow control
RATP | CTC 14th line (METEOR) | Automatic metro transport | Route control & Traffic flow control
RATP | CTC 4th line | Metro transport | Route control & Traffic flow control
SANOFI-AVENTIS | Vitry (94) production unit | Pharmaceutical, chemical industry | Discrete or continuous chemical processes
SNCF | Computer-controlled all-relay interlocking (Paris Montparnasse station) | Mainline railway transport | Route control
SNCF | Centralised traffic control of the French South-West high-speed line | High-speed railway transport | Route control & Traffic flow control
Transpole | CTC Lille | Automatic metro transport | Route control & Traffic flow control

Table 1: Industrial supervision survey

The visit to the nuclear production engineering centre revealed that everything is controlled from a single control room. In this room the operators vary the electrical power output according to consumer demand, and the reactor behaviour is managed whatever the operating mode. The computerised supervision is a specific post in this room and is not tied to the reactor behaviour. Although not safety critical, this system is much appreciated by the operators because it provides information that allows them to check the analysis carried out from the conventional instruments without data-processing assistance. Since the reliability of the information provided by the computer-based supervision cannot be proven, its use in a situation where nuclear safety, or the safety of the auxiliary systems and of people, is at stake is formally prohibited. Such a supervision system is an aid that allows the operator to free some cognitive resources. The continuous training of the operators and the regular performance of crisis simulations on a simulator are very important to guarantee the training and effectiveness of the operator facing a real degraded situation in which the assistance systems are no longer used. In the field of drug production, the SANOFI-AVENTIS company supervises its production workshops and the management of general flows (water, nitrogen, oxygen). The manufacturing unit is made up of heterogeneous workshops: on the one hand, the treatment processes can be continuous or discrete, and on the other hand, the supervision systems of each workshop are supplied by different manufacturers. The monitoring and control of a workshop are integrated in the same system.
This system is always centralised in a supervision room but can be locally redundant for a particular tool. The workshops are reconfigurable, and thus so are the supervision systems. The safety requirements evolve according to the products to be manufactured: a safety constraint can be transformed into an operating rule according to the preparation in progress. Reconfiguration campaigns are long and heavy tasks to validate; all the wiring of the relay cards guarantees safety, and the alarm treatment is completely redone. The Laser Mega Joules (French Atomic Energy Commission; the LMJ is still under construction) will be a single-shot system that reproduces the physical context of a thermonuclear reaction in a small sphere. An experiment requires a long preparation, and the shooting sequence itself, lasting between half an hour and an hour, shall be under the control of the supervision and control system until about a second before the shot. The last second shall be managed entirely by an electronic and optical synchronisation system without human intervention (the real-time constraint is below a nanosecond). The supervision system shall also ensure the acquisition and storage of the experiment results. Each supervision operator has a specific profession and supervision screens specific to that profession. They all have an emergency stop device that makes it possible to cancel the shooting sequence. The management of air and railway traffic is based on the following two concepts:
– route control, which manages conflicts and redirects the trains and the planes;
– traffic flow control, which manages lateness, earliness and traffic flow.
The Northern CRNA in Athis-Mons controls air navigation over the northern area of France. The air traffic controllers handle only traffic control operations and do not manage regulation. An evolution of the supervision application is currently being integrated.
The new system is called ERATO [1]. Studies for a new computerised system offering the possibility of increasing the capacity of air navigation while respecting the safety levels started in the mid eighties. These studies gave rise to a debate about moving to fully automatic air traffic control, notably in the USA following the social movements in the air navigation sector that marked the beginning of the decade in that country. This debate focused on the fact that the presence of the operator is a factor of flexibility and safety, and that the tool should be built around the operator. The solution suggested in ERATO was to decrease the quantity of information to be evaluated by the controllers. For example, filters made it possible to automate certain tasks such as the detection of some conflicts. The detection is implemented by procedures stemming from different logics (fuzzy logic, defect logic, etc.). Moreover, when a controller needs to focus attention on a precise point, although the system offers filters, ERATO gives access to all the data by clicking on icons to visualise all the necessary information. Lastly, the design of the data presentation through the human-machine interface (IHM) in ERATO was concerned with facilitating the construction of common knowledge through the cooperation of the various actors. This section started with a brief definition of the processes to be supervised (continuous or discrete); the activities surveyed show the disparity of implementation, motivation and role in safety of the supervision of continuous and discrete processes. Furthermore, this survey introduces a specific kind of process: traffic. Well studied in aviation, railway supervision must now be clarified.

2.2. Railway Integrated Control Centre

A railway supervision system includes three hierarchical levels (Figure 1): (1) the route control level includes field control and commands such as route setting, train control and protection functions; (2) the traffic flow control level ensures conflict solving and time-graph monitoring functions; finally, (3) the highest level performs management, coordination of the lower levels and planning tasks. The three levels can be implemented in different ways. One may separate each level into its own control room; this is particularly the case for large railway networks with many interconnections, which are segmented into switching zones where signal boxes achieve the route control level. Generally, a centralised traffic control (CTC) centre gathers several switching zones and achieves the traffic flow control level. Finally, a coordination control centre manages the entire network; it may be organised at international, national or regional level. Other implementations centralise the three levels of supervision in a single centralised room called the operation control centre (OCC). This is typically the case for metro and urban railway networks. Indeed, such networks are characterised by a single line and rare connections with other networks, which simplifies the coordination tasks.

Figure 1. Railway supervision hierarchical levels

These kinds of implementation can be explained by the technology used until now, which did not allow the control of very large networks to be integrated in a single room. With the emergence of highly computerised systems in railway supervision, operating companies, whatever their characteristics, increasingly use integrated control centres (ICC) (see Figure 2). An ICC may gather operation and control, or all three levels of supervision of a railway network. The ICC is the generalisation to all types of railway supervision of the OCC of urban applications. The newest networks, such as the high-speed lines in France, use an ICC called a train-regulating signal box that delivers both level one and level two for the high-speed line. The third level cannot be integrated in such circumstances because of the existence of a few connections with other national switching zones (such as the specific signal boxes managing large stations, for example). Indeed, management and planning must be decided at a higher regional or national command level. Four operating modes of an ICC emerged from the visits carried out in the railway field:
– Nominal: normal course of operations as planned in the operating programme;
– Stressed: on the edge of the nominal mode;
– Degraded: beyond the nominal mode;
– Crisis: supervision must continue in order to eliminate any possible post-accident residual risk.
At the same time, the Automatic Train Control (ATC) system performs three underlying functions in railway applications: protection, driving assistance and supervision. In this system the supervision function is performed at the ICC, the train driver's tasks can be considerably simplified, and safety stems from protection.

Figure 2. Photograph of an ICC

2.3. Automatic Train Control

The ATC system is composed of three subsystems, given here in decreasing order of underlying safety: Automatic Train Protection, Automatic Train Operation and Automatic Train Supervision. The following sections present each subsystem.

2.3.1. Automatic Train Protection

The Automatic Train Protection (ATP) system performs a range of functions that protect passengers and equipment against the principal dangers related to railway circulation (collisions between trains, collisions with objects, excessive speed, derailments). The line is cut into sectors called blocks or track sections. Spacing between trains is ensured by the block occupancy management function. Train detection by track circuits (one per block) indicates train position and ensures train spacing. The guiding principle of railway safety consists, via lineside signal indications, in authorising the presence of only one train per section. In the majority of cases, sections are fixed (fixed block) and lineside signalling consists of traffic lights at the limits of each block. In the most recent systems, blocks move with the train and their length evolves with the train's speed and the track occupation, which allows an optimisation of the line's transport capacity. In both cases the ATP system is able to detect speeds incompatible with the stopping distance to the end of the section and, in the extreme case, the penetration of an occupied section (and naturally reacts by emergency braking of the train if one of these events occurs). The usual terminology distinguishes from the ATP the interlocking, whose essential function is to prevent incompatible movements of trains in the switching zones.

2.3.2. Automatic Train Operation

Automatic Train Operation (ATO), or "autopilot", controls the trains fully or partially according to a fixed timetable. Timetables are defined each day to prepare and organise operations. ATO manages programmed stops in stations, door control and respect of the dwell time. In a fully automated system it then restarts the train after each stop. In partial automation, door opening, door closing and the departure order are given by an on-board operator (driver or "attendant").

2.3.3. Automatic Train Supervision

Automatic Train Supervision (ATS) ensures the monitoring of all the subsystems that compose the line (trains included) and the regulation functions. The state of each component is represented on visualisation panels called Schematic Control Panels (SCP), presenting a global view of the line, and on the operators' workstations, which can provide more or less detailed views and tables or graphs of telemetry. The information presented can thus be more or less fine-grained according to the operational constraints of the line. The ATS thus makes it possible to apprehend the overall state of line operation (through the synoptic, generally presented on the SCP, which shows in real time information such as occupied sections, switch positions, energy state, etc.). It can also focus operator attention on particular equipment (fixed or on board a train) via telemetry, also updated in real time, allowing the visualisation of alarms for which operators can obtain details. The ATS also presents the data that allow ICC operators to carry out traffic flow control (on intercity networks this function is carried out by a specific operator called the regulator), which consists in deciding the appropriate actions in case of an incident in order to restore a (possibly degraded) mode of operation. Depending on the details of the situation, other trains on the line may be delayed in order to manage intervals.

2.4. Safety

CENELEC provides a safety reference framework. It is particularly applicable to the railway domain and is composed of the following standards: EN 50126 [3], EN 50128 [4] and EN 50129 [5]. In this framework, the safety measure can take one of five values. The lowest SIL (Safety Integrity Level) is 0, when the evaluated application is not critical. The highest SIL is 4, when the evaluated application is very critical; for example, an application is SIL 4 when many human lives are at stake. As explained above, safety is ensured by the ATP (Automatic Train Protection) functions and the interlocking. Initially, all these features were implemented with safety relays and analogue circuits. These implementations rely on intrinsic fail-safe design (no single failure or likely combination of failures can lead the system to a less safe state than before the failure). For several years now, digital systems have been emerging in ICC implementations. These systems are SIL 3-4, so their development requires rigorous methods such as those presented in the CENELEC safety reference. These methods concern hardware devices as much as software. Finally, digital systems have several advantages: they are flexible and smaller than relays and analogue circuits. For these reasons, digital implementations of ATP and interlocking will become generalised in the future. ATO (Automatic Train Operation) features are built on a complex control system; the main consequence is that SIL 3-4 assurance is not reached for this system. Nevertheless, when ATO failures occur, the ATP is in charge of catching the problem. For example, ATO can emit an order that causes an inopportune acceleration. In this case, since the ATP safely controls the speed, it can stop the train by emergency braking. Thus, the ATC safety approach is built on an ATO that is not safety designed. Similarly, the ATS, like the ATO, is classically not considered safety critical.
In addition, the ATS design is based on COTS (Commercial Off The Shelf) components, the main objective being to reduce manufacturing costs. But the SIL of COTS components is practically never established. Moreover, the safety analysis of COTS components is practically impossible because the required data are not provided. Nevertheless, the analysis of several accidents and incidents has clearly shown that, although the origin of a safety problem could never be attributed to the ATS, suitable management of a crisis situation and an adequate decision by a well-informed supervision operator could seriously reduce the consequences of accident scenarios. More precisely, ATS features assist the operator in executing the procedures adapted to the different scenarios and operating modes. And an important observation has been made: the more degraded the operating mode, the more important the role of the ATS in ensuring safety. The present context, underlain by a legitimate concern for the profitability of the infrastructure in the face of competition from road transport (for passengers as well as freight), generally leads to operating the lines up to their maximum capacity (at least during certain time slots), which provokes a strained flow management requiring very short delays whenever an operator's intervention is needed. Additionally, the human operator, having got used to the automation of tasks that were his own in the recent past, is very little trained to act when these aids are not available, which is precisely the case in crisis situations. The result is, at best, a clearly longer period before the appropriate reaction, an effect which adds to the growth of traffic mentioned above.
In the worst cases, given that the instructions do not usually consider thoroughly the scenarios in which the information about the state of the system is unavailable or badly damaged, completely inappropriate actions by the human operator can be observed (which make the situation even worse). The analysis of such scenarios often shows that the operator, for lack of complete and reliable information about the state of the system, builds in great haste a coherent but erroneous mental picture on which his decisions are based, the tension linked to the crisis making him carry on regardless of other possible plans compatible with the information available to him. In some extreme emergency situations, such as a fire on a train requiring an evacuation, ATS operators could take the adequate decisions to reduce the consequences of the problem, assisted by the ATS information. An example of such an emergency is the loss of the train's emergency braking system that led to the "Gare de Lyon" accident in 1988. This example is detailed in the next section. It is in such circumstances that good operator decisions, based on good information, are decisive. Even if they are the last resort, they can avoid catastrophic scenarios.
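The fixed-block spacing principle of section 2.3.1 and the "ATP catches the ATO" argument of this section, as an added simulation that is not part of the paper and not taken from ICONIS™ or any product: track circuits report block occupancy, a non-safety ATO orders speeds towards a timetable target without regard to the block ahead, and the ATP only lets the order through when the emergency-brake stopping distance (v² = 2ad) still fits inside the remaining movement authority. The block length, the braking and acceleration rates and the two-train scenario are constructed values.

```python
import math
from dataclasses import dataclass, field

EMERGENCY_DECEL = 1.2   # m/s^2, assumed guaranteed emergency braking rate (ATP)
ATO_ACCEL = 0.8         # m/s^2, assumed service acceleration ordered by the ATO
TICK_S = 1.0            # simulation step


@dataclass
class Train:
    name: str
    position_m: float          # position of the train head from the line origin
    speed_mps: float
    length_m: float = 100.0
    log: list = field(default_factory=list)   # (position, speed, ATP verdict) per tick


@dataclass
class FixedBlockLine:
    """Line cut into fixed blocks, each with one track circuit."""
    block_len_m: float
    n_blocks: int
    trains: list = field(default_factory=list)

    def block_of(self, pos_m):
        return min(int(pos_m // self.block_len_m), self.n_blocks - 1)

    def occupancy(self):
        """Track-circuit view: block index -> name of the train occupying it."""
        occ = {}
        for t in self.trains:
            tail_m = max(0.0, t.position_m - t.length_m)
            for b in range(self.block_of(tail_m), self.block_of(t.position_m) + 1):
                occ[b] = t.name
        return occ

    def movement_authority(self, train):
        """Distance the train may still run before the next block occupied by
        another train (one train per block), or before the end of the line."""
        occ = self.occupancy()
        for b in range(self.block_of(train.position_m) + 1, self.n_blocks):
            if occ.get(b) not in (None, train.name):
                return b * self.block_len_m - train.position_m
        return self.n_blocks * self.block_len_m - train.position_m


def permitted_speed(distance_m):
    """Highest speed from which the emergency brake stops within distance_m
    (v^2 = 2 a d)."""
    return math.sqrt(max(0.0, 2.0 * EMERGENCY_DECEL * distance_m))


def ato_order(train, target_speed):
    """Non-safety ATO: accelerates towards its timetable target and is blind to
    the occupancy of the block ahead."""
    return min(train.speed_mps + ATO_ACCEL * TICK_S, target_speed)


def atp_step(line, train, target_speed):
    """One tick: the ATO order is applied only if the ATP accepts it.
    Returns the ATP verdict for this tick."""
    ordered = ato_order(train, target_speed)
    # Authority that would remain after running one tick at the ordered speed.
    remaining = line.movement_authority(train) - ordered * TICK_S
    if ordered > permitted_speed(remaining):
        # ATP overrides the ATO: emergency braking, the order is discarded.
        train.speed_mps = max(0.0, train.speed_mps - EMERGENCY_DECEL * TICK_S)
        verdict = "EMERGENCY_BRAKE"
    else:
        train.speed_mps = ordered
        verdict = "OK"
    train.position_m += train.speed_mps * TICK_S
    train.log.append((round(train.position_m, 1), round(train.speed_mps, 2), verdict))
    return verdict


def run(line, train, target_speed, ticks):
    """Simulate `ticks` steps; returns the verdicts and the authority left at the end."""
    verdicts = [atp_step(line, train, target_speed) for _ in range(ticks)]
    return verdicts, line.movement_authority(train)


if __name__ == "__main__":
    # Constructed scenario: train B stands still in blocks 7-8, train A runs behind it
    # under an ATO whose timetable target (25 m/s) ignores the occupied block.
    line = FixedBlockLine(block_len_m=200.0, n_blocks=10)
    a, b = Train("A", 300.0, 10.0), Train("B", 1600.0, 0.0)
    line.trains += [a, b]
    verdicts, left = run(line, a, 25.0, 400)
    first = verdicts.index("EMERGENCY_BRAKE")
    print(f"ATP intervened at tick {first}, train A stopped at {a.position_m:.1f} m, "
          f"{left:.1f} m before the occupied block")
```

The ATP check is deliberately evaluated on the ordered speed and on the authority left after the tick, so the invariant "remaining authority is at least the stopping distance" holds whether the tick ends in acceptance or in braking.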

3. Accidents: Gare de Lyon 1988

The example of the Gare de Lyon accident presented hereafter illustrates a case in which, in a very exceptional circumstance due to serious mistakes made by a driver, the control post operators were not able (for lack of the right information and suitable procedures at their disposal) to prevent a collision with tragic consequences. But the detailed analysis of the scenario shows, as very often in such circumstances, that for lack of a clear understanding of the situation none of the actors (post operators or the driver himself) was able (although it was possible for them) to take any action that could have reduced the seriousness of the accident, failing to avoid it. Even worse, actions that clearly contributed to worsening the situation can be observed in the scenario (without the responsibility resting on the operators, who were applying the procedures). In the underground station of Paris Gare de Lyon, on 27 June 1988 at 7:10 pm, a train without brakes collided at about 37 miles per hour with another train full of people and about to leave, causing the death of 56 people and injuring 57, at the end of the following scenario [6]:
· Giving the excuse that her children were going to be left alone at school, a passenger committed the offence of stopping the train in a station where no stop was planned: first human mistake;
· In order to release the emergency braking (which results from this) and set off again, the driver made a number of erroneous manipulations (not detailed here) that had the effect of removing the pneumatic brake (the one on which safety relies) on the whole train: second human mistake. Those manipulations, which are extremely serious professional misconduct, are obviously the primary and main cause of the accident; all the barriers quoted hereafter can only contribute to reducing the gravity of the consequences;
· The driver did not carry out any test (although compulsory) before starting off again, which would have allowed him to check that the train was without pneumatic brake: third human mistake. One of the reasons for this is that the instruction manual was not properly formatted: fourth human mistake (the check possibly appearing, in fast reading, to apply only to a specific situation and not to all manoeuvres on the brake; see Figure 3). A first important point is underlined here: the interaction between man and the system, concerning the clarity of the writing and even the presentation of the instructions;
· The driver realised, when approaching the station, that there was no longer any pneumatic brake, and he sent a warning message by radio, heard by the controllers and by the pointsmen, without giving his name or identifying his train (preposterous behaviour which is unfortunately common in such situations of extreme tension, as more than one assistance service could testify): fifth human mistake. All the limits of a system in which the identification of a train relies only on the message transmitted orally by its driver can be seen here;
· The driver retreated to the back of the train and informed the passengers. He did not think of using the electric brake which, although not usually used for safety reasons, could have noticeably reduced the seriousness of the accident: sixth human mistake. Another point of railway culture is alluded to here: the laudable concern to separate safety functions from other functions can lead drivers not to think of those non-safety functions as a last bastion (in this case, the electric brake is presented in all railway training as a speed reducer, the emergency brake being the pneumatic brake);
· The controllers, instead of evacuating the station, wasted precious time attempting to identify the train in distress: seventh human mistake. One realises here how decisive a suitable intervention from a well-informed control post would have been;
· The pointsmen thought they were applying a safety procedure when they pressed a button that had the effect of turning all the signals red. Actually, it worsened the situation because it also subsequently prevented any movement of the switches: eighth human mistake. It thus became impossible to send the runaway train to an empty track. It then headed inexorably for the track where a crowded train was still about to leave because its driver was late (which he was reproached with during the preliminary investigation, because it contributed greatly to the presence of many people in the train).

Figure 3. Simplified reproduction of the brake purge manual

This example clearly underlines the fact that, even though safety does not directly rely on it, the ATS can play a part in what could be called the last and ultimate barrier of a defence-in-depth system. Its contribution to crisis management can then prove decisive for the final consequences (rail disaster or major disruption of operations). However, the search for increased infrastructure capacity leads to exploiting it as far as possible, consequently making the increase in crisis situations inevitable, as well as the decrease in the time available to manage them. At least eight human mistakes can be identified in the scenario that led to the accident (the lateness of the driver of the train about to leave is not counted, although it was considered misconduct during the investigation), each being a matter of non-fulfilment, partial fulfilment or unsuitable fulfilment of an instruction or a procedure. Not all of them were unavoidable, especially the deliberate one (the passenger must have been aware of not respecting a rule that forbids using the alarm signal except in an emergency). For the others, the absence or insufficient clarity of a procedure is blatant. In particular, among the human mistakes taken into account, the one made during the typesetting of the driving manual, which made the execution of the instruction relatively unlikely, stands out clearly. Taking the human factor into account from the design of the device onwards is essential, above all for the writing of the corresponding technical documentation, which must be considered an integral part of it.
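The eighth mistake above (a general stop command that also froze the switches, so the runaway train could no longer be diverted to an empty track) as an added toy route-control model; it is not the paper's code, not the SNCF installation's logic and not ICONIS™, and the station layout (one entry signal S1, one switch W1, tracks A and B) is constructed. It shows why the order of the two commands matters: a route can only be set while its switches are free to move, and the general stop locks them in place.

```python
from dataclasses import dataclass


@dataclass
class Switch:
    name: str
    position: str = "normal"     # "normal" or "reverse"
    locked: bool = False         # a locked switch cannot be moved


@dataclass
class Route:
    name: str
    entry_signal: str
    switches: dict               # switch name -> position the route requires
    destination: str             # track the route leads to


class Interlocking:
    """Minimal route-control model: signals, switches and track occupancy."""

    def __init__(self, switches, signals, routes, occupied):
        self.switches = {s.name: s for s in switches}
        self.signals = {name: "stop" for name in signals}   # aspect per signal
        self.routes = {r.name: r for r in routes}
        self.occupied = set(occupied)                        # tracks reported occupied
        self.events = []

    def set_route(self, route_name):
        """Try to set a route: move its switches if they are free, then clear its
        entry signal. Returns (accepted, reason)."""
        r = self.routes[route_name]
        if r.destination in self.occupied:
            return self._refuse(r, f"destination {r.destination} is occupied")
        for sw_name, wanted in r.switches.items():
            sw = self.switches[sw_name]
            if sw.position != wanted and sw.locked:
                return self._refuse(r, f"switch {sw_name} locked in {sw.position}")
        for sw_name, wanted in r.switches.items():
            self.switches[sw_name].position = wanted
            self.switches[sw_name].locked = True        # locked for the route's duration
        self.signals[r.entry_signal] = "proceed"
        self.events.append(f"route {r.name} set towards {r.destination}")
        return True, "route set"

    def all_signals_to_stop(self):
        """General stop command: every signal to stop and every switch locked in its
        current position (the effect the paper attributes to the pointsmen's button)."""
        for name in self.signals:
            self.signals[name] = "stop"
        for sw in self.switches.values():
            sw.locked = True
        self.events.append("general stop: all signals at stop, all switches locked")

    def _refuse(self, route, reason):
        self.events.append(f"route {route.name} refused: {reason}")
        return False, reason


def station_approach():
    """Constructed approach: signal S1 leads through switch W1 either to track A
    (normal position, occupied by the crowded train) or to track B (reverse, empty)."""
    return Interlocking(
        switches=[Switch("W1", position="normal")],
        signals=["S1"],
        routes=[Route("to_A", "S1", {"W1": "normal"}, "track_A"),
                Route("to_B", "S1", {"W1": "reverse"}, "track_B")],
        occupied={"track_A"},
    )


def divert_after_general_stop():
    """Sequence observed in the scenario: general stop first, diversion attempted next."""
    ilk = station_approach()
    ilk.all_signals_to_stop()
    accepted, reason = ilk.set_route("to_B")
    return accepted, reason, ilk.switches["W1"].position


def divert_first():
    """Alternative ordering: the diversion route is set while the switch is still free."""
    ilk = station_approach()
    accepted, reason = ilk.set_route("to_B")
    return accepted, reason, ilk.switches["W1"].position


if __name__ == "__main__":
    print("general stop, then divert:", divert_after_general_stop())
    print("divert first:            ", divert_first())
```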

4. SPICA Rail platform

Studies of human operator behaviour will be carried out experimentally at the University of Technology of Compiègne (UTC) using a supervision platform, "SPICA-Rail", similar to a real one (Alstom Transport's supervision product: ICONIS™), installed in our research centre (see the photograph in Figure 4). This equipment will of course include an "environment simulator" that makes it possible to work "as if" the experimental platform were really connected to a railway network. The main interest will be the possibility of re-creating real accident scenarios in the laboratory and confronting human operators with these situations, in order to analyse their behaviour and their decisions.

Figure 4. Photograph of the SPICA-Rail platform

This platform is already installed but still in the validation process. Such experiments require a clear definition of the requirements in order to define the railway network best suited to analysing the contribution of the supervision process to safety. The ICONIS™ product is a generic railway supervision product based on SCADA. For each project, an instance is defined from the generic ICONIS™ modules and from data defining the project's properties, such as the track plan, stations, switching points or signalling rules. The ATS system installed at UTC includes three levels of traffic control: manual, automated and optimised. The simulated network is divided into interlocking zones (or switching zones). Each zone has a local ATS system where an operator can take control of supervision locally. The global supervision is centralised in a central ATS which gathers all the local ATS information and commands. SPICA-Rail can simulate the control and supervision of an entire network by integrating traffic control functions. It includes a wide range of traffic control and management functions, for example: signalling supervision, route setting, train tracking, train describer and timetable management. In order to simulate crisis situations, the experimental subjects will start from an automatic control level in which all operations aim to comply with an operational schedule (timetable) and network regulation. The experiments consist in inserting increasingly severe disturbances on the network and evaluating human behaviour.

5. Conclusion

The safe development of supervisory software is far from obvious, but we argue that well-understood interfaces between man and machine can contribute to safety. The major problems come from bad requirements. Our purpose is to analyse human supervisor behaviour in such particularly serious cases in order to highlight gaps in the requirements. Safety capability and the adequacy of human performance to automated operation are the underlying research plan. In conclusion, we expect to propose a methodology for developing new supervision systems that takes the human factor into account from the beginning of the design process. That will make it possible to use a feed-forward process (anticipation based on preliminary studies [2]) instead of a feedback process.

References

[1] Leroux, M., ERATO (En Route Air Traffic Organizer), International Symposium on Aviation Psychology, 6th, Columbus, OH, United States, pp. 514-519, 1991.
[2] Norman, D.A., The invisible computer: Why good products can fail, the personal computer is so complex, and information appliances are the solution, Cambridge, MA: The MIT Press, 1998.
[3] CENELEC EN 50126: Applications ferroviaires – Spécification et démonstration de Fiabilité, Disponibilité, Maintenabilité et Sécurité (FMDS), 1999.
[4] CENELEC EN 50128: Applications ferroviaires – Système de signalisation, de télécommunication et de traitement – Logiciels pour systèmes de commande et de protection ferroviaire, 2001.
[5] CENELEC EN 50129: Applications ferroviaires – Système de signalisation, de télécommunication et de traitements – Systèmes électroniques relatifs à la sécurité pour la signalisation, 2001.
[6] Mémoire sur l'accident de la gare de Lyon, report, FENVAC: Fédération Nationale des Victimes d'Accidents Collectifs.