Level Crossing Technology 65 Selcat Project: Level Crossing Technology 67 1

Editors Very year more than 1200 El-Miloudi EL-KOURSI (INRETS) accidents occur at level Louahdi KHOUDOUR (INRETS) crossings in the european E Neda LAZAREVIC (INRETS) union with more than 330 people killed. Level crossings have been Laszlo TORDAI (UIC) identified as being a particular weak Roman SLOVÁK (TUBS) point in road infrastructure seriou- sely affecting road safety. SAFER EUROPEAN LEVEL CROSSING APPRAISAL These procedings present the first results of the SELCAT project AND TECHNOLOGY “Safer European Level Crossing Appraisal And Technology” funded by the European commission. SAFER EUROPEAN LEVELAPPRAISAL CROSSING TECHNOLOGY AND

Actes n°117 First Workshop Mai 2008 “Appraisal” Prix : 15,24 ¤ May 16th 2007 Editors 1 7 Villeneuve d’Ascq (France) ° 1 El-Miloudi EL-KOURSI INRETS-ESTAS N S Louahdi KHOUDOUR INRETS-ESTAS E Neda LAZAREVIC INRETS-ESTAS T C

Laszlo TORDAI UIC A Roman SLOVÁK TUBS

ISSN 0769-0266

ISBN 978-2-85782-663-7 Actes INRETS n °117 LES COLLECTIONS DE L’INRETS Conformément à la note du 04/07/2014 de la direction générale de l'Ifsttar précisant la politique de diffusion des ouvrages parus dans les collections éditées par l'Institut, la reproduction de cet ouvrage est autorisée selon les termes de la licence CC BY-NC-ND. Cette licence autorise la redistribution non commerciale de copies identiques à l’original. Dans ce cadre, cet ouvrage peut être copié, distribué et communiqué par tous moyens et sous tous formats.

Attribution — Vous devez créditer l'Oeuvre et intégrer un lien vers la licence. Vous devez indiquer ces informations par tous les moyens possibles mais vous ne pouvez pas suggérer que l'Ifsttar vous soutient ou soutient la façon dont vous avez utilisé son Oeuvre. Pas d’Utilisation Commerciale — Vous n'êtes pas autoriser à faire un usage commercial de cette Oeuvre, tout ou partie du matériel la composant. (CC BY-NC-ND 4.0) Pas de modifications — Dans le cas où vous effectuez une adaptation, que vous transformez, ou créez à partir du matériel composant l'Oeuvre originale (par exemple, une traduction, etc.), vous n'êtes pas autorisé à distribuer ou mettre à disposition l'Oeuvre modifiée.

Le patrimoine scientifique de l'Ifsttar

Le libre accès à l'information scientifique est aujourd'hui devenu essentiel pour favoriser la circulation du savoir et pour contribuer à l'innovation et au développement socio-économique. Pour que les résultats des recherches soient plus largement diffusés, lus et utilisés pour de nouveaux travaux, l’Ifsttar a entrepris la numérisation et la mise en ligne de son fonds documentaire. Ainsi, en complément des ouvrages disponibles à la vente, certaines références des collections de l'INRETS et du LCPC sont dès à présent mises à disposition en téléchargement gratuit selon les termes de la licence Creative Commons CC BY-NC-ND.

Le service Politique éditoriale scientifique et technique de l'Ifsttar diffuse différentes collections qui sont le reflet des recherches menées par l'institut : • Les collections de l'INRETS, Actes • Les collections de l'INRETS, Outils et Méthodes • Les collections de l'INRETS, Recherches • Les collections de l'INRETS, Synthèses • Les collections du LCPC, Actes • Les collections du LCPC, Etudes et recherches des laboratoires des ponts et chaussées • Les collections du LCPC, Rapport de recherche des laboratoires des ponts et chaussées • Les collections du LCPC, Techniques et méthodes des laboratoires des ponts et chaussées, Guide technique • Les collections du LCPC, Techniques et méthodes des laboratoires des ponts et chaussées, Méthode d'essai

www.ifsttar.fr

Institut Français des Sciences et Techniques des Réseaux, de l'Aménagement et des Transports 14-20 Boulevard Newton, Cité Descartes, Champs sur Marne F-77447 Marne la Vallée Cedex 2 Contact : [email protected]

Scientific editors El-Miloudi EL-KOURSI (INRETS) Louahdi KHOUDOUR (INRETS) Neda LAZAREVIC (INRETS) Laszlo TORDAI (UIC) Roman Slovák (TUBS)

Safer European Level Crossing Appraisal and Technology

First Workshop

“Level Crossing Appraisal” May 16th 2007 Villeneuve d’Ascq (France)

Actes INRETS N°117 Mai 2008

Safer European Level Crossing Appraisal and Technology

Scientific coordination: El-Miloudi El-Koursi, Senior researches at l’INRETS-ESTAS Louahdi Khoudour, researches at l’INRETS-LEOST Neda Lazarevic (INRETS-ESTAS) Laszlo Tordai (International Union of Railways) Roman Slovák (TUBS)

The research departments ESTAS and LEOST: ESTAS: Evaluation and Safety of Automated Transport Systems LEOST: Electronic, Waves and Signal Processing Research Laboratory for Transport BP 317 20, rue Élisée Reclus 59666 Villeneuve d’Ascq Cedex FRANCE Phone: +33 (0)3 20 43 83 40 – Fax: +33 (0)3 20 43 83 59 UIC Ile de France: Le diamant A, 14 rue de la République 92800 Puteaux FRANCE

List of authors: E. Schnieder, R. Slovák, F. Ohlendorf, A.G. Schielke, S. Hiraguri, K. Sato, A. Davies, A. Pira, F. Schiavi, M. Medjoudj, P. Yim, M. Woods, L. Khoudour, C. Machy, EM. El-Koursi, N. Lazarevic, N. Klassen, K. Rástocny, J. Zahradník, A. Janota, S. Impasto, A. Kassay

Institut National de Recherche sur les Transports et leur Sécurité INRETS Service des publications 2, avenue du Général Malleret-Joinville 94114 ARCUEIL CEDEX Phone: +33 (0)1 47 40 70 74 – Fax: +33 (0)1 45 47 56 06 www.inrets.fr

En application du code de la propriété intellectuelle, l’INRETS interdit toute reproduction intégrale ou partielle du présent ouvrage par quelque procédé que ce soit, sous réserve des exceptions légales

Fiche bibliographique

UR (1er auteur) Projet n° INRETS ESTAS Actes INRETS N° 117 Titre Safer European Level Crossing Appraisal and Technology

Sous-titre Langue Premier Workshop “Appraisal” 16 Mai 2007 Anglais

Auteur(s) Rattachement ext. El-Miloudi EL-KOURSI, Louahdi KHOUDOUR Neda LAZAREVIC, Laszlo TORDAI, Roman Slovák

Nom adresse financeur, co-éditeur N° contrat, conv.

Date de publication Mai 2008 Remarques Résumé Ce workshop international à réuni plus de 75 experts représentants les acteurs du milieu ferroviaire. Il a été dédié à l’état d’avancement de la technologie et des bases de données sur la sécurité des passages à niveau. Ce workshop à été organisé dans le cadre du projet « SELCAT » Safer European Level Crossing Appraisal and Technology Mots clés Sécurité, Ferroviaire, Passages à niveau, Technologie Nb de pages Prix Bibliographie 195 15,24 euros oui

Actes INRETS n°117 3 Safer European Level Crossing Appraisal and Technology

Publication data form

UR (1st author) Projet n° INRETS ESTAS Proceedings N° 117 Title Safer European Level Crossing Appraisal and Technology Subtitle Language First Workshop “Appraisal” May 16th 2007 English Author(s) Affiliation El-Miloudi EL-KOURSI, Louahdi KHOUDOUR Neda LAZAREVIC, Laszlo TORDAI, Roman Slovák

Sponsor, co-editor, name and address Contract, conv. N°

Publication date May 2008 Notes

Summary These procedings present the first results of SELCAT “ Safer European Level Crossing Appraisal And Technology” project funded by European commission. Key Words Safety, Level crossing, Railway appraisal Nb of pages Price Bibliography 195 15,24 euros yes

4 Actes INRETS n°117

Table of content

Acknowledgments 9

Preface 11

Agenda 13

SELCAT Objectives and Expectations 15

1. Motivation 15 2. Scientific and technical objectives of the SELCAT coordination action 16 3. Specific objectives of SELCAT 17 4. Consortium 18 5. Work plan of SELCAT 19 5.1. Coordination Activities 19 5.2. Dissemination activities 20 6. Expectations 20 7. Conclusion 21 References 22 Level crossing appraisal 23

Level Crossing appraisal and research in Western Europe 25

Particularities of Level crossing Installations at the Slovak Railways 29

1. Statistic Data on Railway Crossings 29 2. Particularities Related to Safety at Level Crossings of the Slovak Railways 30 2.1. Active Signalling 31 2.2. Rail Signal 31 3. Conclusions 33 Acknowledgements 33 References 33 Level Crossing Appraisal in China, India, Morocco, Russia, Japan 35

Conclusions 41 Level crossing appraisal in view of road sector Level crossings - The users´ perspective 45 Abstract 45

Actes INRETS n°117 5 Safer European Level Crossing Appraisal and Technology

SELCAT – Development of Level Crossing Knowledge Management System 47 1. Introduction 47 2. Main aims of the web portal 48 3. Knowledge formalisation 48 4. Knowledge collection 51 5. Documents 51 6. Level Crossing types 52 7. Accident statistics 53 8. Knowledge usage 54 9. Conclusions 55 References 55 Monitoring of Safety Performance activity 57 Definitions of common safety indicators on level crossings 59 Level crossing technology 65 Selcat Project: Level Crossing technology 67 1. Introduction 67 2. Identification of projects dealing with advanced technology 68 3. Identification of projects dealing with level crossings 69 4. Possible solutions using the advance technology to improve the level crossing safety 71 4.1. Current technologies used for object detection 71 5. Conclusions 75 6. References 75 7. annexe 1: Survey Questionnaire 76 7.1. Questionnaire 76 7.2. List of answers received and numbe of projects 77

Japanese Level Crossing Technology 79 1. Present situation of level crossings in Japan 79 2. Facilities of a level crossing in Japan 81 3. Breakdown of level crossing accidents 83 4. Japanese approach to enhance safety of a level crossing 84 Extraction of critical scenarios in a radio-based railway level crossing control system 91 Abstract: 91 1. Introduction 91 2. Method of extraction of feared scenarios 92 2.2. Dealing with continuous dynamics by temporal abstraction 93 2.3. ESA_PetriNet tool 94 3. Railway level crossing control system case study 94 3.1. General description 94 3.3. Possible Failures 96 3.4. Behaviour of the control system under failure 97

6 Actes INRETS n°117 Table of content

3.5. Feared events 98 4. Modelling 98 4.1. General view 99 4.2. Petri net model of the radio messages 100 4.3. Petri net model of the level crossing control system 101 4.4. Petri net model of the yellow light 101 4.5. Petri net model of the red light 102 4.6. Petri net model of sensors 103 4.7. Petri net model of the barrier (actuator) 103 4.8. Petri net model of the train 105 4.9. Petri net model of the road user 107 4.10. The whole Petri net model of the system 108 5. Extraction of feared scenarios using ESA_PetriNet tool 109 6. Conclusion 111 7. References 111 Appendix 113 Session 1 115 Level crossing safety requirements 115 Session 2 125 SELCAT project current results 125 Session 3 145 Level crossing appraisal 145 Session 4 185 Level crossing knowledge platform 185

Actes INRETS n°117 7

Acknowledgments

The first SELCAT Workshop was organised with the support of the European Commission and involved the following partners: Universities: — TUBS - Technical University of Braunschweig, Institute for Traffic Safety and Automation Engineering (D) — DITS - University of Rome, Department of Department of Hydraulic, Transport and Road (I) — UNIZA - University of Zilina, Department of Control & Information Systems (SK) — UB - University of Birmingham (GB) — VTU - University of Transport Sofia (BG) — EMI - Ecole Mohammadia D'Ingenieurs (MA)

Railway and Road Research Institutes: — INRETS - French National Institute for Transportation Safety Research (F) — RSSB - Railway Safety and Standards Board (GB) — CNTK - Railway Scientific and Technical Centre (PL) — DLR - German Aerospace Center, Institute of Transportation Systems(D) — VTT - Technical Research Centre of Finland (SF) — MULT - Applied signal processing and telecoms research centre (B) — RTRI - Railway Technical Research Institute (JP) — CARS - China Academy of Railway Sciences (CN) — VNIIZhT - All-Russian Railway Research Institute (RUS)

Road and Railway Organizations: — UIC - International Union of Railways (F) — ADAC - General German Automobile Association (D) — VPE - Railway allocation office (H) — ONCF - Office National des Chemins de Fer (MA) — RDSO - Research Design and Standards Organization (IN)

Actes INRETS n°117 9 Safer European Level Crossing Appraisal and Technology

Infrastructure Managers: — DB - German railways (D) — NR - Network Rail (GB) — RFI - Italian national railways (I) — NRIC - Bulgarian national railways (BG)

We would like to thank the European Commission for funding the project SELCAT and the European Rail Agency (ERA) for their active collaboration. Many thanks to the organisation team at INRETS for the success of this workshop (Nathalie Bourbotte, Daniel Bourbotte, Bernard Delsinne).

Many thanks also to the partners who contributed to the success of this workshop by presenting their work and providing a paper for these proceedings and all participants.

10 Actes INRETS n°117

Preface

The Coordination Action SELCAT (Safer European Level Crossing Appraisal and Technology), in response to the FP6 call in the area of “Sustainable Surface Transport Coordination Actions” in the objective “Increasing road, rail and waterborne safety and avoiding traffic congestion”, aims to contribute actively to the reduction of level crossing accidents. SELCAT aims to provide an overview of completed, current and planned existing research activities in Europe as well as in the USA, Canada, Japan, Morocco, China, Russia, India. The significant number of partners involved in SELCAT from the European railway and the road sector is designed to provide a sound basis for the successful fulfilment of this objective. One SELCAT activity is to contribute particularly to the dissemination and the exploitation of research results in level crossing areas. The SELCAT level crossing web portal, three specific workshops and organisation of special sessions on planned existing conferences will facilitate the dissemination and exploitation of the information collected during the project. These proceedings contain the work undertaken under the first SELCAT workshop “Level Crossing Appraisal”. The workshop was held on 16th may 2007 at INRETS, Villeneuve d’Ascq, France.

The document is divided into four main parts corresponding to the agenda of the workshop.

The first part provides an introduction to the SELCAT coordination action based on the project objectives and expectations.

The second part deals with the contributions made under Work Package 1: “Level Crossing Appraisal”. The contributions present the current safety performance on level crossings in the SELCAT partner-countries.

The third part comprises several papers representing the actual state of work in Work Package 2: “Level Crossing Technology”. It provides an overview of the technologies applied or applicable for the reduction of the operational risk on level crossings. This part includes also some methodological approaches for evaluation of the technologies’ benefit

As some of the presentations workshop could not be included in a written paper form, the last part of the document contains all presented slides.

Actes INRETS n°117 11

Agenda

Actes INRETS n°117 13

SELCAT Objectives and Expectations

Eckehard Schnieder [email protected] Roman Slovák [email protected] Institute for Traffic Safety and Automation Engineering, Technical University of Braunschweig Langer Kamp 8, 38106 Braunschweig, Germany Phone: +49 (0) 531 / 391-3317, Fax: +49 (0) 531 / 391-5197

1 Motivation Every year, more than 330 people are killed in more than 1200 accidents at road-rail level crossings in the European Union. Together with tunnels and specific road black spots, level crossings have been identified as being a particular weak point in road infrastructure, seriously affecting road safety [1]. In the case of railway transport level crossings can represent as much as 50% of all fatalities caused by railway operations. Up to now, the only effective solution appears to upgrade level crossing safety systems [2] even though in more then 90% of cases the primary accident cause seams inadequate or improper human behaviour rather than any technical, rail-based issue. High safety requirements for level crossing systems required in European railway sector standards create a high cost hurdle which hinders the technological upgrade of existing systems. Railway standards already include a risk based definition of safety, according to which only unacceptable levels of risk must be eliminated by the technical system. Nevertheless, the lack of an approved common safety methodology which would allow the industry to quantify the risk to be reduced still leads to the imposition of the highest safety integrity levels for technical solutions in most European countries. Several European projects include an investigation of methodologies and safety targets and indicators with the aim of defining a common European approach (e.g. SAMRAIL, SAMNET). A significant volume of research work has also been carried out l by European countries at a national level. One common application problem lies in the lack of a statistical base with sufficient volume and quality of information details. European databases like CARE2 (the Community database on Accidents on the Road in Europe) or the International Union of Railways (UIC) database do not provide the required inputs for

Actes INRETS n°117 15 Safer European Level Crossing Appraisal and Technology evaluation, in that they do not take account of individual human risk values. The lack of data standardisation for railway accident reporting makes it impossible to integrate the existing databases of different national road and rail organisations (e.g. railway infrastructure managers). To date the fact that level crossings are directly involved in only a very small proportion of road accidents has limited the involvement and commitment of the road sector in developing solutions to the problem. It is expected that this project will help improve the level of engagement of road traffic engineers and policy makers throughout the European Union, leading to the identification of better and smarter solutions and investments designed to facilitate their implementation.

2 Scientific and technical objectives of the SELCAT coordination action The Coordination Action SELCAT (Safer European Level Crossing Appraisal and Technology) started by September 1st, 2006 and is responding to the call of FP 6 in the area of “Sustainable Surface Transport Coordination Actions” towards the objective “Increasing road, rail and waterborne safety and avoiding traffic congestion”. It aims actively to contribute to the reduction of level crossing accidents by the: — Collection, analysis and dissemination of existing research results and the stimulation of new knowledge exchange in the area of level crossing safety. — Creation of circumstances whereby European partners, in the rail and road sectors, can make a significant contribution to the reduction of accidents, injuries and fatalities at level crossings. — Understanding and codifying of existing and planned research, — Comparison and harmonisation of data sources. — Exploring new technologies and harnessing appraisal techniques to optimise these. The activities of SELCAT should lead directly to the improvement and expansion of intermodal collaboration between the road and rail sectors. In accordance with the Commission White Paper on European Transport Policy [3] SELCAT will contribute to the investigation of new technologies for improved road and rail safety and to the implementation of the objectives of the Strategic Rail Research Agenda (SRRA) of the European Rail Research Advisory Council (ERRAC) [4] by focusing on the reduction of fatalities, the methodology of common risk assessment and the process of cost benefit analysis. Addressing safety methods, safety targets and indicators in connection with cost benefit analysis SELCAT will also harmonise with the aims of the work programme of the European Railway Agency (ERA) [5]. A key objective of

16 Actes INRETS n°117 SELCAT Objectives and Expectations

SELCAT is to evaluate the safety performance of European level crossings and to make recommendations on the common safety targets for this particular subsystem of railway transport. In addition, as a practical example, the level crossing will be used to provide a benchmark for the application of evaluation methodologies and can be used as important contribution to the adoption of the Common Safety Methods planned by ERA for implementation in 2008.

3 Specific objectives of SELCAT In order to reach the above-stated scientific and technological objectives and taking into account the current problems described, SELCAT intends to carry out the following coordination activities to: — Provide a knowledge base for the improvement of level crossing safety by carrying out an analysis of the results of those safety-related projects included in FP5 and FP6 relevant to Railway and Road Transport. — Provide an overview of existing and planned level crossing research and improvement activities in European countries and in Japan. — Analyse incident and accident data and databases related to level crossings in Europe and Japan. — Propose a standard for reporting level crossing accidents in European countries. — Set up a common level crossing accident information system. — Examine the potential for, and practicability of, existing and new technologies for improving the safety and performance of level crossing systems. — Investigate the applicability of those risk and cost-benefit analysis methods already available for the classification of technological solutions for the safer interface of rail and road traffic at level crossings. — Disseminate the results of the projects investigated by SELCAT (in FP5, FP6 and national research) by the . Organisation of three specific workshops . Organisation of a special session at existing planned conferences . Creation of a thematic Level Crossing web portal. Overall, the coordinating activities of SELCAT will contribute to the practical implementation of the Safety Directive of the European Parliament which prescribes a wide range of new duties for the various stakeholders in railway transport. By undertaking a deep analysis of completed and existing European research SELCAT aims to identify further research needs which can be addressed in FP7.

Actes INRETS n°117 17 Safer European Level Crossing Appraisal and Technology

4 Consortium The Consortium of SELCAT comprises 25 partners from the rail and road sectors, and academic and scientific areas. Beside the partners from Europe and Japan it involves also partners from Third Targeted Countries (TTC), who extended the consortium by January 1st, 2007. According their background the partners can be structured into 4 groups: Universities: — TUBS - Technical University of Braunschweig, Institute for Traffic Safety and Automation Engineering (D) — DITS – University of Rome, Department of Department of Hydraulic, Transport and Road (I) — UNIZA – University of Zilina, Department of Control & Information Systems (SK) — UB – University of Birmingham (GB) — VTU – University of Transport Sofia (BG) — EMI – Engineers’ Mohammadia School (MA)

Railway and Road Research Institutes: — INRETS - French National Institute for Transportation Safety Research (F) — RSSB – Railway Safety and Standards Board (GB) — CNTK - Railway Scientific and Technical Centre (PL) — DLR – German Aerospace Center, Institute of Transportation Systems (D) — VTT - Technical Research Centre of Finland (SF) — MULT – Applied signal processing and telecoms research centre (B) — RTRI - Railway Technical Research Institute (JP) — VNIIZhT – All Russian Railway Research Institute (RUS) — CARS – China Academy of Railway Science (CN) — RDSO – Indian Railways, Research, Design & Standards Organisation (IN)

Road and Railway Organisations: — UIC – International Union of Railways (F) — ADAC – General German Automobile Association (D)

Railway companies: — DB – German railways (D)

18 Actes INRETS n°117 SELCAT Objectives and Expectations

— NR – Network Rail (GB) — RFI – Italian national railways (I) — NRIC – Bulgarian national railways infrastructure company (BG) — ONCF – Railways of Morocco, National Office of the Railroads (MA).

The size of the SELCAT Consortium emphasises the shared common interest in the improvement of level crossing safety and confirms importance and relevance of the stated project objectives. The main role of railway infrastructure managers led by UIC (WP1 Leader) is to provide access to their existing national level crossing characteristics and statistics in order to estimate the totality of risk levels in the European context (WP1). Based on the findings of FP6, INRETS (WP 2 Leader) and other research institutes will analyse the technical feasibility of reducing catastrophic and individual risk using advanced technologies and harnessing legislative regulations. The ADAC, together with other institutions involved in road traffic research, will provide comments on the practical implementation of the proposed technical solutions and their classification. Taking into account the results of FP6 and their own experience and knowledge base, RSSB (WP 3 Leader) and the universities involved will analyse the methods which can be used for the evaluation of risk for individual level crossing users to derive the safety requirements for particular kinds of level crossing safety systems and subsystems. The planned project meetings will facilitate the exchange of information, ideas and views between all the participating partners. The workshops and conferences will result in the dissemination of results led by UIC (WP4 Leader) and incorporate further comments from the railway industry and the general public.

5 Work plan of SELCAT

5.1 Coordination Activities All the coordination activities are focused on the increase of level crossing safety addressing all possible influencing factors. The first factor of is learning from the current “state of the art” including an overview of the present status of level crossing accidents statistics and the research completed during FP5 and FP6 which is relevant to the areas of rail and road transport safety (WP1). The second influencing factor is an examination of advanced technologies which could be applied to decrease the number of level crossing accidents (WP2). The third critical factor is the need to understand how well aligned expenditure on level crossing upgrades is to operational risk evaluation, system safety, performance and cost-benefit analysis overall (WP3). The methodology to be used in WP3 will apply the results of WP1 (level crossing accident statistics) and of WP2 (level crossing technical solutions), but could also be applied to the investigation and design of any other safety critical transport control system.

Actes INRETS n°117 19 Safer European Level Crossing Appraisal and Technology

5.2 Dissemination activities This activity will encompass the most visible aspects of SELCAT. Three workshops will be organised. These Disseworkshops will underpin the dissemination activities and facilitate networking between participants. It is felt that face-to-face meetings of those directly involved in level crossing safety is absolutely necessary to create lasting collaboration between people and organisations with different backgrounds. Whenever possible, the workshop will be co-organised with other events on similar subjects, to save costs and create a bigger impact (e.g. the last Workshop takes place in Paris together with the 10th International Level Crossing Safety and Trespass Prevention Symposium). In addition to the workshops special sessions within accredited conferences in the transport sector are organised (e.g. EURNEX-Zel2007 Symposium taking place in Zilina, Slovakia) The Figure 1 shows the relationship between all SELCAT work packages.

Figure 1: Interconnections between planned activities of SELCAT.

Representation: WP 5 Meetings, Project coordination, Manage- Information ressources and ment exchange results

activities

information WP 1 Characteristics, exchange Level Statistics, crossing Requirements, information appraisal Standards input information output

Risk, FP5, FP6, Safety, EU Level WP 4 Workshops, WP 3 Performance, Crossing Dissemi- Conferences, Methodology Cost-Benefit Research and nation Web portal Analysis statistics Methods

WP 2 Technical & Level legislative Crossing solutions, technology Regulations

6 Expectations SELCAT aims to provide an overview of completed, current and planned existing research activities in Europe as well as in the USA, Canada and Japan. The significant number of partners involved in SELCAT from the European railways and the road sector is designed to provide a sound basis for the successful fulfilment of this objective. The SELCAT level crossing web portal,

20 Actes INRETS n°117 SELCAT Objectives and Expectations three specific workshops and the organisation of special sessions at existing conferences will facilitate the dissemination and exploitation of the information which will be collected during the project. SELCAT is designed to identify and review technological solutions for safety improvements within the areas of research, technological developments and system integration. SELCAT intends to analyse finished and ongoing projects (if available) from FP6 including the research not supported by EU funding as well as research undertaken in the USA, Canada and Japan. SELCAT intends to provide a spectrum of solutions aiming to reduce the current high accident statistics at level crossings taking into account the latest technological state-of-the-art. In addition to specific technological solutions SELCAT will particularly address the definition of safety requirements of particular options by analysing the expected operational conditions and the statistical databases available. The activities of SELCAT will be directed to obtain optimal operational performance of the infrastructure by focusing on transport safety and the underlying causes of accidents. By the design of system functionality as well its technical implementation computer based decision support tools will play a major role. SELCAT is proposing the first step towards European harmonisation in the level crossing area by providing a public database on level crossing requirements in European countries. The collection and structured access to level crossing statistics and their analysis is a necessary step for the definition of risk based safety requirements on each type of technical solution taking into account the different conditions of rail and road traffic. By carrying out these activities SELCAT will significantly contribute to the implementation of the Safety Directive of the European Parliament. Setting up the common information system and level crossing database will contribute to the harmonisation of railway safety cultures and to the further implementation of railway interoperability. In order to guarantee the smooth implementation of the planned database the project will be recommending a common standard of level crossing reporting.

7 Conclusion In itself the SELCAT project will not be able to eliminate level crossing accidents totally but in helping to reduce the current level it should also contribute to the reduction of road congestion and rail delays by providing a number of harmonised technological solutions to existing problems by applying technological solutions or by better understanding of the role of human factors.

Actes INRETS n°117 21 Safer European Level Crossing Appraisal and Technology

References

[1] http://europa.eu.int/comm/transport/road/roadsafety/roadinfra/levelcrossings/ind ex_en.htm

[2] Safety at Level Crossings, EC DG Tren, High Level Group Road Safety, 2003

[3] http://europa.eu.int/comm/energy_transport/library/lb_com_2001_0370_en.pdf

[4] Strategic Rail Research Agenda – Technical Annex, ERRAC, 2002, http://www.errac.org/docs/ERRAC_SRRA_Tech_Annex.pdf

[5] http://europa.eu.int/comm/transport/rail/era/doc/wp2005.pdf

22 Actes INRETS n°117

Level crossing appraisal

Actes INRETS n°117 23

Level Crossing appraisal and research in Western Europe

Franco Schiavi (UIC) UNION INTERNATIONALE DES CHEMINS DE FER 16 Rue Jean Rey 75015 Paris France schiavi @uic.asso.fr

The UIC Safety Database (UIC-SDB) is an internet application organised within the Infrastructure Forum activities. It is continuously maintained and developed in agreement with the Safety Platform, according to the necessities introduced by safety managers and EU Bodies. The Safety Database offers a high-speed access to the information on accidents and permits a live monitoring of railway safety. Results are expected in maintaining and increasing the current activity of benchmarking, analysis of trends and follow up actions as well as in helping to give a better understanding of each railway’s performance in relation to other transport modes. The Safety Database is particularly focused on: — Provide Members network with statistics on railway accidents and permit them a detailed analysis of safety statistics based on knowledge about their own circumstances. — Indicate the most critical areas where specific attention could result in a decrease in the overall incidence of accidents in Europe. — Complement national network Safety Management Systems, by providing a benchmarking with other networks performance. — Interpreter and validate cumulative frequency curves (S-curves), based on the accident’s data to provide relevant safety indicators to be adopted in the context of the pending Safety Directive Annexe I further development. — Provide a basis for setting appropriate safety targets for the future. — Assist European projects with benchmarking and analysis on accidents. UIC Safety Database collects information on railway accidents by type. They are grouped in:

Actes INRETS n°117 25 Safer European Level Crossing Appraisal and Technology

Collisions — Train collision with an obstacle — Train collision with another train Derailment Accidents to person caused by rolling stock in motion — Individual hit by train — Individual falling from a train Fire in rolling stock Accidents involving dangerous goods — Without dangerous goods release — In which dangerous goods are released Electrocution by traction power LEVEL CROSSING ACCIDENTS are train collision with an obstacle or individual hit by train located at the level crossing. It also records the number of: — Track subsidence/track deformation — Broken rail — (Wrong-side) signalling failure — Broken wheel or broken axle — Signal passed at danger (SPAD) Key findings Level crossing incidents and individuals hit by trains represent the highest levels of risk on an overall European level. Accidents to persons caused by rolling stock in motion, with the exception of suicides, represent 52 % and level crossing (LC) accidents 35 % of the total accidents. — In relation with the 570 accidents at level crossing registered in 2005 it is important to note that: first, 426 collisions with an obstacle within the clearance gauge (road vehicles) concur to the total; second only y 13 of these accidents caused a total of 100 victims to passengers (1 fatality and 99 seriously injured persons). — 6 passengers died and 101 were injured in LC accidents. 5 of those 6 passenger fatalities were at level crossings located in station areas: 3 persons died in Romania, in 3 different accidents, and 2 teenager girls in Great Britain in the same accident. — Level crossing accidents represent 35% of the total but they cause the most victims. the total number of victims is almost the same in the case of level crossing accidents and persons hit by trains (831 and 826 victims see table 6).At least 21 % of the accidents (practically all

26 Actes INRETS n°117 Level Crossing appraisal and research in Western Europe

the accidents at level crossing) were due to the non respect of the national laws and/or regulations. Recommendations At the present time, infrastructure managers are engaged in suppressing the most of level crossing and introducing solutions (footbridges, subways, etc...) to decrease the risk for passengers crossing the rails. The existing levels of safety are being better appreciated and hopefully increased by particular and collective studies and projects. Those concentrate on the safety of the system’s functions and on the characteristics of each subsystem. Nevertheless UIC recommends developing all the possible synergies with social partners, administrators and road transport bodies responsible for improving the interfaces between the rail system and its environment in order to maintain safety.

Actes INRETS n°117 27

Particularities of Level crossing Installations at the Slovak Railways

Karol Rástocny [email protected] Jirí Zahradník [email protected] Ales Janota [email protected] University of zilina, Faculty of Electrical Engineering, Department of Control and Information Systems, Univerzitná 8215/1, zilina 010 26, Slovakia Phone: +421-41-5133300, Fax: +421-41-5131515,

1 Statistic Data on Railway Crossings The Table 1 shows statistic data on number of level crossings and safety equipment installations. Data indicates that the given numbers have not been changed essentially in the recent period. The Slovak Railways (ZSR) operate mostly relay-based level crossing installations (LCIs) realised on the principle of inherent fail-safety (types AZD, ZSSR, VÚD,...). Electronic LCIs realised on the principle of composite fail-safety (ELEKSA by Siemens; PZZ-AC by AZD Prague and SPA 4 by Bombardier) are at the Slovak Railways used only sporadically (ca 3%). These LCIs may be operated with or without barriers.

Table 1: Numbers of level crossings at the Slovak Railways (ZSR)

2000 2006 Total number 2500 2355 Unprotected level crossings 1385 1251 Protected level crossings 1115 1104 - Manual (mechanical) LCIs 154 124 - Automatic LCIs without barriers 440 980 - Automatic LCIs with barriers 521

Actes INRETS n°117 29 Safer European Level Crossing Appraisal and Technology

At present accident data from level crossings of the Slovak Railways is processed and available for the period 1995 – 2002. Despite the fact that media closely watches accidents at level crossings, the Table 2 indicates that number of fatalities caused by accidents at level crossings represents only small percentage out of the total number of fatalities at Slovak roads. Even though it is necessary to pay attention to causes of these accidents in order to propose such measures that could make reduction of accidents at level crossings possible (under acceptable economic conditions).

Table 2: Numbers of fatalities at level crossings and surface communications 1995 1996 1997 1998 1999 2000 2001 2002 Unprotected LCs 0 4 2 3 3 5 4 6 Manual 0 0 0 0 0 0 0 0 Automatic without barriers 3 4 8 8 5 3 6 8 Automatic with barriers 0 0 4 1 0 1 3 0 Level Crossings – totally: 3 8 14 12 8 9 13 14 Roads – totally: 698 640 828 860 671 647 625 626

Given information was obtained from official statistics of the Slovak Railways (ZSR) and Slovak Road Administration (Slovenská správa ciest).

2 Particularities Related to Safety at Level Crossings of the Slovak Railways Procedures related to railway traffic operation at level crossings are defined by the regulations [5]. Technical requirements for LCIs are defined by the standard [2]. If level crossing is unprotected (not equipped with any LC installation) then safety of traffic participants passing the level crossing is given by organisation measures. Such a railway level crossing must be equipped with St. Andrew cross and a road driver must be informed about approaching the level crossing via relevant road signs. According to the law [4] the driver is obligated to behave extremely carefully at the level crossing and to become sure he/she may safely pass the crossing. In the distance 30 m ahead the level crossing and when crossing it, the driver cannot exceed the speed limit 30 km per hour. If the level crossing is protected (equipped with some kind of LC installation) then the road driver approaching the level crossing may be informed about approaching rail vehicle via: — Audible warning (acoustic signal generated by mechanical or electronic equipment (bells, horns…); — Visual warning (two alternatively flashing red lights); — Protection in the form of barriers (full - or half-barriers).

30 Actes INRETS n°117 Particularities of Level crossing Installations at the Slovak Railways

2.1 Active Signalling A special particularity adopted at the Slovak Railways is use of so called “active signalling”. It is given by one flashing white light (integrated to the road signal). This signal informs road traffic participants that there is no rail vehicle in the level crossing area that could endanger them at the level crossing. The use of this active signalling brings several problems: — Majority of road traffic participants from abroad do not know (and thus do not understand) this signalling; — The standard [2] says that active signalling must be used at every protected level crossing except for exceptions specified in this standard. In many cases the bad interpretation of previously valid standard [1] caused using active signalling due to bad sight conditions at the level crossing. Such a solution was based on the law valid up to 1990 (Regulation No. 100/75 Zb.). That Regulation assumed that in the case of active signalling the railway operator took responsibility for safety at the level crossing and the road driver did not need to verify if he/she could cross it. Many road drivers (especially older ones) still trust in validity of this statement; — Ambiguity of meaning of information provided to road traffic participants. White light (active signalling) is situated at the road signal just below two red warning lights. If LC installation is not equipped with active signalling, then failure state of the LC installation (i.e. the state entered by the LC installation after occurrence of critical failure; LC installation is unable to inform road traffic participants about approaching of a rail vehicle) is signalised to the road traffic participant in the same way as the primary state (no rail vehicle in level crossing area). The road driver (in some cases, e.g. during the night) may not be able to distinguish between automatic level crossing with or without active signalling. LC installations with active signalling are constructed in such a way (requirements for technical safety result from the standard [2]) that active signalling is given only provided that there is no rail vehicle in the LC area. However, neither in this case the road driver is released from liability for safe crossing the rails. The law [4] says that if white light is flashing (active signalling) the driver is obliged to respect the speed limit 50 km per hour when being 50m or less to the level crossing.

2.2 Rail Signal One of possibility of how to minimize probability of rail vehicle coming to the unprotected level crossing consists in transmission of information about LC condition to the train driver. For this purpose it is possible to use a special autonomous signal, here called rail signal. The original function of this signal was to inform a driver of the train approaching the level crossing about the LC being in the warning state. In that case the rail signal must be situated inside

Actes INRETS n°117 31 Safer European Level Crossing Appraisal and Technology the approach section at the brake distance LZ from the LC and at the required visibility distance LD from the approach section boundary (Fig. 2).

Fig 2: Location of the rail signal inside the approach section

LD LZ

Such a solution is correct from the safety point of view but causes operation problems at the lines with high density of level crossings or mixed traffic, and increases investment costs for construction. The problems also result from the requirement to ensure required length of the approach section LA. This problem is so serious that rail signals are not very applied at the lines of the Slovak Railways. Currently valid standards and regulations make such a use of the rail signals possible that they inform train drivers about functionality of the LCIs and therefore they may (but need not) be located ahead of the approach section too (Fig. 3). In that case the length of the approach section does not depend on the distance of the rail signal from the level crossing. Advantage of this solution consists in the fact that in some cases the level crossing may be closed for road traffic participants for period significantly shorter than there is close period for previously mentioned solution.

Fig 3: Position of the rail signal ahead of the approach section

The necessary condition of such a solution is that the level crossing must always enter the warning state after the rail vehicle occupies the approach section. Current state-of-art of technology enables to fulfil this requirement. As an example we could mention the LC installation with a multi-channel structure and regular testing of integrity of the circuitry of road signal lights where sufficient condition for warning state activation is represented by the command coming from one channel at least. Considerations should also be taken to find out weather this solution is also suitable for relay-based LC installations

32 Actes INRETS n°117 Particularities of Level crossing Installations at the Slovak Railways operated at the lines of the Slovak Railways. These LCIs do not have check mechanisms being able to check integrity of circuitry of the road signal lights in regular time intervals. Analysis of influence of the structure of LC installation on its after-failure state is given in [3]. In this case the LC installation must be able to activate the warning period after occupying the approach section proved by the safety case.

3 Conclusions The current technology state does not make possible full substitution of organisation measures with technical measures to ensure safety at level crossings but it may minimize their extent. However, it is questionable if improving the technical safety of LC installations can significantly reduce accident rate because more than 90% of all accidents is caused by breaking the road traffic regulations by road traffic participants. Based on analysis of statistic data the following facts may be stated: — Failure of technical measures adopted for risk minimization (existing safety-related equipment) only negligibly contributes to the accident rate at level crossings; — Accident rate at level crossings is significantly influenced by road traffic participants not respecting the organisational measures to minimize risk (rules of road traffic). Improved safety at level crossings may be reached: — By increased availability of the LCIs; in the case of its failure the extent of organisation measures is even higher than under normal operation, organization measures are then also extended to the railway staff; — By more rigorous supervision of acceptance of organizational measures by road traffic participants; e.g. through using a recording equipment (camera systems) activated in the warning period to identify road traffic participants violating road traffic regulations and to take disciplinary actions.

Acknowledgements This work has been supported by the grant of the Ministry of Education of the Slovak Republic given to the scientific and technological project MVTS/SELCAT.

References 1. STN 34 2650: Railway Level Crossing Installations (Zeleznicné priecestné zariadenia) 1993

Actes INRETS n°117 33 Safer European Level Crossing Appraisal and Technology

2. STN P 34 2651: Railway Level Crossing Installations (Zeleznicné priecestné zariadenia) 1999 3. ZAHRADNÍK, J. - RÁSTOCNY, K.: Sicherheit des Verkehrs an Bahnübergängen der ZSR. Signal und Draht 6/98, pages 22 – 25, ISSN 0037-4997. 4. The Law No.315/96 Z.z. about operation at the surface communications and related regulations and rules (o premávke na pozemnych komunikáciách a s ním súvisiace vyhlásky a predpisy) 1996. 5. Z1: Railway traffic rules (Pravidlá Zeleznicnej prevádzky) 2005.

34 Actes INRETS n°117

Level Crossing Appraisal in China, India, Morocco, Russia, Japan

Alexander Kassay All-Russian Railway Research Institute 3-d Mytishchinskaya st., 10 129851 Moscow, Russian Federation [email protected]

Background Collisions between trains and road vehicles, and collisions between trains and pedestrians on road vehicle level crossings respectively represent the largest categories of train accidents in the LC area. While efforts to reduce this risk by the application of standardized risk reducing measures are being made, a substantial element of risk remains. VNIIZhT (Russia) has prepared this special topic report in form of presentation slides to provide the SELCAT participants with detailed data of the LC Classification and Analysis of the causes and consequences of accidents and incidents at road vehicle level crossings. Analyses were undertaken on the basis of data provided by the following countries: China, Japan, India, Morocco, Russia. This report provides information related to the number of different crossing types in individual countries. The report contains an overview of the trends in the total number of incidents, in which trains and road vehicles were involved at level crossings and also the total number of incidents associated with crossings A summary of LC accidents precursors in involved countries is provided along with some references related to effects of specific LC technologies and causal factors on the overall risk profile. The document describes conditions, in which level crossings are used as well as research themes. These data can be used to generate some discussion on potential additional counter measures that might be implemented to reduce the level of risk at level crossings. Characteristics of Involved Countries (geographical and railway-related data) Involved countries constitute more than a third of the mankind. The population of China, India, Japan, Morocco and Russia, taken together, is about 2 billion 705 ml. people.

Actes INRETS n°117 35 Safer European Level Crossing Appraisal and Technology

Table 1: Geographical data

As for the length of railway networks, Russia, China and India belong to the countries with the largest networks in the world. The number of LC: India – 36,399; Japan – 35,612; China – 12,000; Russia – 11,984; Morocco – 548. The number of LC/km is the highest in Japan followed by India, Morocco, China and Russia.

Table 2: Railway-related data

Russia The population is approximately 143 Mio. people and geographical area is approximately 17 Mio. square km. Railway transport in Russia carries about 80% of the volume of freight traffic (without taking into consideration pipeline transport) and about 50% of the passenger turnover of the transport system of the country. Russia’s rail network system is one of the world’s most extensive ones. Total network length is 85,290km. Total number LC is 11,984, 77% out of which are equipped with LC automatic signal system. Railway lines are running across the entire country from the Belarus border to the Pacific Ocean. The densest part of the network is in the European part of the country. Transsibirian main line is an important link for freight trains heading to the Pacific ports and to China and vice versa. Japan Basic characteristics of Japan as for 2004 are as follows: The population is approximately 130 Mio. people and the geographical area is about 380,000 square km. The length of all railway networks is approximately 27,000 km, 20,000 out of which are JR networks and 7,000 km – belong to private railway companies. The number of level crossings is 35,612. JR companies: 21,634 level crossings and private railway companies: 13,978 level crossings. The density of level crossing is very high (more than one level crossings per km) and it is a unique characteristic of Japanese railways. China The population is approximately 1,300 Mio. and geographical area is approximately 9 600,000 square km. The length of all railway networks is

36 Actes INRETS n°117 Level Crossing Appraisal in China, India, Morocco, Russia, Japan approximately 75,000 km. The number of level crossings is 12,000. Some economic data: Passenger Traffic Turnover - 620 billion person-km; Freight Traffic Turnover - 2,100 billion ton-km; Total Converted Turnover - 2,700 billion ton-km; Number of Locomotives - 17,022; Number of Passenger Cars - 41,353; Number of Freight Cars - 520,101. India The population is approximately 1,100 Mio. and the geographical area is approximately 3.3 Mio. square km. The length of all railway networks is approximately 63,221 km. The number of level crossings is 36,399. Indian Railways have the distinction of being one of the largest railway systems in the world under a single management with a staff of 1,442 thousand employees, having a daily transport output of 15 million passengers and 1.6 millions freight traffic, 7,031 stations. It runs 9,032 passenger trains and 5,700 freight trains daily with a fleet of more than 40,000 coaching vehicles, 7,700 locomotives and 228,000 freight cars. Indian Railway system has a very large population of level crossings. On average, there is a level crossing every one and a half kilometer, some are as close as 300 meters. Out of total 36,399 level crossings on IR, nearly 45% (16,600) are manned while the rest 55% (19,799) are unmanned. Morocco The population is approximately 32 Mio. and the geographical area is approximately 710,000 square km. The length of all railway networks is approximately 1,907 km (1st Category: 48; 2nd Category: 483; Pedestrians: 17). The number of level crossings is 548. Some additional data: Single Track Lines: 1,323km; Double Track Lines: 584 km; Maximum Speed Limit: 160 km/h; Project - High Speed Train by 2,012; Number of stations: 101. Level crossing types in involved countries There are a variety of crossings on national rail networks. The crossings are grouped into a number of generic types. LC types are given on the basis of country specific LC Classifications providing description of the minimum combinations of control measures with regard to level crossings operation. Level crossings may be broadly categorized on the basis whether or not the crossing system provides a warning to the user of when it is safe to use the crossing: LC without technology - static warning signs and/or pavement markings. Crossings that do not warn the user of the proximity of a train. Example: LC without warning signals, unmanned ; user controlled crosswalks — LC with technology - automatic signals and/or barriers; bells and flashing lights; adjustable ramp or combination thereof. Crossings incorporating devices that warn users when it is safe to use the crossing. These devices may be either visible or audible. Example: - LC with automatic full or half-barriers, manned or unmanned. LC Classification methods are different in involved countries, so there are different types, names and number of LC determined in each country. Nevertheless, by LC Classification following typical “main” attributes for

Actes INRETS n°117 37 Safer European Level Crossing Appraisal and Technology description of road and railway side functionality of crossing system are applied by all countries: — LC location — LC owner: public, private or special (industrial, military and other lines) — Traffic volume — Traffic speed — Road width — Road side visibility — LC equipment, providing active or passive road user protection Examples of national classified LC Group names: Morocco, RF and Japan – Categories; India – Classes; China - Types. References were made throughout the document to a series of different types of crossings within these categories. General conclusions are made in the end part of the document. A brief description of each crossing type is given within the LC Type Table of mentioned countries. Russia Network length in RF – 85,290 km, total LC number – 11,984. In Russian Federation, LCs are subdivided as follows: LC of common use; LC of not common use (on industrial, military and other lines). From another angle, LC are also subdivides into: o Guarded, i.e. manned LC with road signals for motorists, warning of the oncoming train, and o Unguarded unmanned LC without road signals for motorists with regard to oncoming trains There are 2,418 (20,18%) manned and 9,566 (79,82%) unmanned LC on Russian railways. LC total number on Russian railways is 11,984, 77 % out of which are equipped with LC automatic signal system. From the point of view of volumes of trains and motorists traffic, LC in Russia are subdivided into 4 types (Categories). The ranking of the individual LC depends on the size of traffic, both railway - and road-related.

The breakdown of LC categories. I – 560; II – 1,154; III – 1,603; IV – 8667.

LC classification on Russian railways differs from the SELCAT approach. In RF, LC of the first 3 categories may be manned. That’s why, proceeding from

38 Actes INRETS n°117 Level Crossing Appraisal in China, India, Morocco, Russia, Japan

SELCAT LC description approach, an effort was made to do an unofficial classification of LC types in Russia. Manned/unmanned distinction constitutes a basis for this classification. LC Types according to SELCAT Classification are: Type 1: Manned LC — Type 1.1: Automatic and Semi-automatic half-barriers with light signal system — Type 1.2: Electric and Mechanized half-barriers — Type 1.3: Automatic and Semi-automatic half-barriers with light signal system and adjustable ramp (UZP) Type 2: Unmanned LC — Type 2.1: LC with automatic light signal system — Type 2.2: LC without warning signal system In RF a general trend for decrease in the number of all LC types is to be observed, except for the Type 1.3 (LC equipped with the adjustable ramp). Its number grows. India Network length in India – 63,221km, total LC number – 36,399. On Indian Railways, the number of manned LC is 16,600 (45%) and unmanned LC – 19,799 (55%). There are 5 classes of LC. “Special” class and A class are signaled; road regularly open. B class is signaled to 50%, and C class – to 20%. At B and C road is regularly closed. In all cases LC are equipped with full width lifting barrier. Apart for D class – cattle, B and C may have mechanical full width swinging barrier. China Network length in China – 75,000 km, total LC number – 12,000. There are 3 types of LC in China: — Guarded driveway railway LC — Non-guarded driveway railway LC — Pedestrian cross walk LC Morocco Network length in Morocco – 1,907 km. Electrified Lines – 1,022 km. Total LC number – 548. There are 3 Categories of LC in Morocco, which can be also of Public or private type. — 1st Category - Manual Road Side Protection with following equipment: — 2nd Category - No barriers — Pedestrians. The number of LC has been decreasing within last years apart from Pedestrians LC, whose number remains the same for the last 4 years. Japan Network length in Japan – 27,000 km. Total LC number – 35,612. Approx. 88% of LCs are protected automatically. Japanese level crossings are classified

Actes INRETS n°117 39 Safer European Level Crossing Appraisal and Technology into three categories. Category 1 and 3 are automatically protected. Category 1 is equipped with the crossing warning sign, level crossing signals and barriers. The warning to road users is given by the crossing signal (flashing red lights) and audio signals, and the barriers are lowered. There are only full barrier level crossings except for a small minority in Japan. Category 3 is equipped with the warning sign and signals but is not equipped with barriers. Category 4 is equipped with only the warning sign. In other words, this type is not automatically protected. Accident statistics, trends, main accident reasons The crashes at railway level crossings represent a significant part of casualties in railway traffic. About 50% and more of train traffic accidents and resulting fatalities in involved countries occur at rail-road level crossings. Improving the traffic safety of rail-road level crossings is therefore an important issue when improving safety of train traffic. The crashes at railroad level crossings are more severe than road traffic crashes on average. To avoid these crashes it is important that the road user is aware that she or he is approaching the railroad level crossing. Within last years, the number of LC accidents in involved countries went down or is near the average of the last 3 years. Despite of input of the new equipment the number of injured and fatalities is sometimes higher or at the same level in a number of the countries compared with the previous period of time. Main cause – a rapid growth of motorization and traffic rules violation by car drivers, their peccancy.

Table: Sample of average incident statistics in involved countries (2004-2006):

Main accident causes in involved countries: Level crossing collisions are usually caused by motorist’s error and traffic rules violation up to 80 – 99%. Main accident causes on LC in involved countries are: Japan: — Passing across a level crossing just before a train passing through: 58% — Automobile is forced to stop in a level crossing due to an engine stall and so on: 22% — Contact or collision with side-body of a train: 14%

40 Actes INRETS n°117 Level Crossing Appraisal in China, India, Morocco, Russia, Japan

Russia: The main cause of accident in Russia – traffic rules violation (95% in 2006): — Motorist’s traffic rules violation while crossing the road level: Passing at road red light warning – 84% Bypass closed barriers – 8%; Others - 6% — Need for increase pedestrians’ and vehicle drivers’ knowledge of appropriate behaviour on level crossing – 98% of all cases — Malfunctions or faults of motorcars - 6-8% India: Accidents at unmanned level crossings are predominantly due to lapses on the part of road users – more than 50%. This accidents number for manned LC fluctuates – from 14 in 2002-2003 to 5 in 2004-2005, and for unmanned ones – from 86 in 2003-2004 to 65 in the subsequent two years. China: The situation with LC accidents on the Chinese railways essentially improved in the time from 1998 to 2002, decrease from 1,400 accidents to about 800 was achieved. Since then, this order of values has stabilized. Causes of LC accidents in China: — Violation of traffic rules by motorcar drivers: over 80% and this position increased in recent years. — Malfunctions or faults of motorcars: about 20% and it is becoming lower. — Other reasons: accidents caused by reasons other than the above two. It’s the lowest rate among the 3 causations and almost 0% last year. Morocco: Road users and pedestrians behavior. All the accidents occured at the LC 1st category are caused by the users’ violation especially the pedestrians who deliberately disregard the warning signals. In all countries manned LC equipped with corresponding technologies provide for a much higher safety level.

Conclusions Long-term objectives in involved countries: The most important task for all involved countries – to develop countermeasures to reduce the LC accidents both by implementing the operationally proved devices, technologies and introducing the actual research

Actes INRETS n°117 41 Safer European Level Crossing Appraisal and Technology themes on LC issues. There are some main approaches for long-term activities in involved countries: — Defining clear criteria for selecting the proper warning device to different types of railroad level crossings. — Securing absolute safety - to convert a level crossing into a flyover or subway, to abolish a level crossing and so on. — Securing functional safety — Enhancement of reliability of level crossing equipment (e.g. improvement of train detection, introduction of fail-safe micro computer-based devices) improvement of level crossing facilities to reduce human errors of road users (e.g. upgrading of level crossing category, improvement of visibility, rationalization of warning time, installation of ITV camera) — Introduction of devices to prevent accidents (e.g. obstruction warning device for a train, obstacle detecting device). Activities and trends on level crossings in the last years in involved countries: — LC types “without technology “ reduction — Active LC type safety level improvement by using new technologies and up-dated devices — All LC type number reduction strategy: building of tunnels or overbridges; design and construction of new railway sections in most difficult traffic areas. — The number of level crossings on the national rail network has fallen over the last years but the rate of reduction has slowed considerably so that over the past 3 years the number of crossings has remained roughly constant. — Automatically opened crossing and unmanned crossings create the greatest level of risk per crossing on the rail network and this could be reduced significantly by replacing them with lower risk crossing types. — Existing data recorded for level crossing incidents may affect the identification of causal trends. — There are a number of improvements that could be implemented on existing level crossings. — The merits of human factor research need to be assessed. — Improving drivers’ understanding and behavior through training, information, education and awareness is justified. — Working out new technologies for operation of crossings — Working out instructions for maintenance of crossings, for providing safe traffic and rules for carrying out of work on the crossings.

42 Actes INRETS n°117 Level Crossing Appraisal in China, India, Morocco, Russia, Japan

— Analyze of incidents and working out of measures for non – admission of infringements.

Actes INRETS n°117 43

Level crossing appraisal in view of road sector Level crossings - The users´ perspective

Norbert Klassen ADAC, Am Westpark 8, D - 81373 München Phone: +49 89 7676 6227, Fax: +49 89 7676 2598 [email protected]

Abstract Over the years air, energy, work and rail have implemented a fail safe system to achieve the highest safety standards as possible. The principle is that where humans act, safety must be in-built. This system is applied in general technical rail standards and train operation, but it is not applied in other areas such as platforms at stations and level crossings. The number of accidents and persons killed in total at level crossings is not very high, but the risk to get injured severely or killed is extremely high: Every fourth person involved in an accident is killed. Nevertheless over the last 10 years the number of accidents and persons killed at level crossings has been reduced by more than 50% in some European countries. Other European countries such as the Czech republic do not follow that positive trend. Efforts have been made where road and rail operators have cooperated in setting up guidelines for inspections, conduct joint inspections and inform drivers about the correct behaviour at level crossings. Comparisons between France, Poland , Czech Republic and Germany also show that the types of signalisations and the accident structure vary: The unsignalised level crossings are not necessarily the most risky crossings. This is different from what we know about road transport accidents statistics, where unsignalised crossings have higher risk. Therefore behaviour and rules on road rail crossings are to be examined. Representative surveys show that the knowledge about the correct behaviour at level crossings is unsufficient: One third of the drivers in Germany for example do not correctly know the rules implicit with the St Andrews cross and the blinking warning lights. This will not always lead to incorrect or risky

Actes INRETS n°117 45 Safer European Level Crossing Appraisal and Technology behaviour, but it leads to uncertainty and reduced confidence. The knowledge of highway code rules concerning road traffic lights and the related correct behaviour is much higher. Due to the extremely high severity risk, the safety of level crossings must be upgraded. To achieve a further drop in the good performing countries and a drop in the low performing European countries, rail and road authorities have to work together. They must apply common inspection guidelines taking into account the fact that level crossings are intermodal crossings and therefore inspections have to consider both tracks and inspectors have to conduct inspections jointly. Level crossings must apply to these standards and new technical innovations should be trialled. On the other hand drivers must be informed about correct behaviour via automobile clubs and the press using campaigns such as "Cross safely". The different national activities in Europe should be linked to learn from each other and cooperative projects such as the EU funded SELCAT are a good way forward.

46 Actes INRETS n°117

SELCAT – Development of Level Crossing Knowledge Management System

Roman Slovák, F. Ohlendorf, Arno G. Schielke, Eckehard Schnieder Institute for Traffic Safety and Automation Engineering, Technical University of Braunschweig, Langer Kamp 8, 38106 Braunschweig, Germany, Phone: +49 (0) 531 / 391-3317, Fax: +49 (0) 531 / 391-5197 [email protected]

1 Introduction The Coordination Action "SELCAT" (Safer European Level Crossing Appraisal and Technology), is responding to the call of FP 6 in the area of "Sustainable Surface Transport Coordination Actions" towards the objective "Increasing road, rail and waterborne safety and avoiding traffic congestion". It aims actively to contribute to the reduction of level crossing accidents by the: — collection, analysis and dissemination of existing research results and the stimulation of new knowledge exchange in the area of level crossing safety, — creation of circumstances whereby European partners, in the rail and road sectors, can make a significant contribution to the reduction of accidents, injuries and fatalities at level crossings, — understanding and codifying of existing and planned research, — comparison and harmonisation of data sources, — exploration of new technologies and harnessing appraisal techniques to optimise these. The activities of SELCAT should lead directly to the improvement and expansion of inter-modal collaboration between the road and rail sectors. The information collection, exchange and comparison should be provided by creation of a "Level Crossing Web portal". It should result also in the broad dissemination of safety and level crossing related research activities investigated by the SELCAT Project.

Actes INRETS n°117 47 Safer European Level Crossing Appraisal and Technology

The paper describes the formal information structure behind the intended Level crossing web portal as well as the steps of its development and population with relevant information. These includes — the semiformal structure modelling using Mind Maps, — the formal information relations modelling using Class diagrams and Ontology Web Language (OWL), — definition of the user interface for data providing and collecting and — definition of rules for user queries accessing the web portal.

2 Main aims of the web portal The web portal should represent a knowledge management system (KMS) for the level crossing domain. In particular it should make available: — structured access to the FP5 and FP6 results relevant to rail and road safety, — interactive access to the level crossing statistics database (population, accidents, types etc.), — risk evaluations using the interactive access to the accident statistics, — structured accessibility to the relevant national and international documents and studies (standards, railway guidelines etc.), — all public deliverables of SELCAT (documents, workshop and special session advertisement, etc.), — working documents of SELCAT (restricted area). High-structured and interconnected knowledge based on a precise terminology, including classification can be used for gaining new information. Such kind of knowledge organisation requires the task to build ontology.

3 Knowledge formalisation

Figure 1 shows the schematic representation of the knowledge formalisation steps which must be carried out in order to reach the stated functionality of the Web portal [Drewes et al. 2007].

48 Actes INRETS n°117 SELCAT – Development of Level Crossing Knowledge Management System

Figure 1: Development of formal structuring from informal requirements to ontology based representations

(1) The first step of the formalisation process concerns an informal abstract structuring of the Level Crossing domain. The main knowledge areas of the domain can be structured from the view of: — Functionality, — technology, — organisation, — statistics, — research. Figure 2 shows the informal structure of the level crossing domain related to the Knowledge Management System in form of a simple mind map. It represents the basic information structure which will be used trough the work plan of the whole SELCAT project. Structuring of the level crossing functionality is based on a generic approach [Meyer zu Hörste 2003]. A Level crossing is generally seen as crossing of railway and road traffic flows (basic dynamic or functional LC aspects) which safety related physical interaction must be prohibited by the operation functions of the level crossing safety system (static or physical LC aspects) [Schnieder 2003]. In order to describe the static LC aspects the generic approach identifies four basic operational functions (to detect, to inform, to warn and to protect) on

Actes INRETS n°117 49 Safer European Level Crossing Appraisal and Technology both traffic sides (see figure 3). The basic functions are further refined e.g. the function “to warn” is further split according to its general way of realisation (audible, visual, physical).

Figure 2. Informal structuring of the level crossing domain using mind maps

Construction guidelines Railway-sided functions Construction laws Construction standards Road-sided functions Functions/Technology Organisation Operational processes Operational guidelines Operational organisation Operational standards Operational laws Railway operational statistics Level crossing Capacity statistics 08.01.2007 - v23 Accident statistics Conference paper Performance statistics Statistical data Book Maintenance statistics RAMS-S Research Journal article Suicide statistics Project report Etc. Etc. Economical data Figure 3: Functional decomposition of a level crossing system

A step to technological concretisation represents a further refinement of the basic structure of static operation aspects. The final refinement level is given by a particular technological solution given by the level crossing type and the way of operation (automatic, manual). The dynamical aspects of the level crossing are covered by the definition of operation condition of the traffic flows. Here can be integrated also temporal aspects of the safety procedure of a level crossing. Beside the static and dynamic aspects big part of the domain knowledge concerns organisational aspects which also include construction laws and standards.

50 Actes INRETS n°117 SELCAT – Development of Level Crossing Knowledge Management System

As the safety issues and investigations are playing the key role in the project SELCAT various statistics are included as a separate part of the domain knowledge. (2) In the second step of the formalisation process a UML class diagram was build on the base of the presented mind map. The class diagrams have the ability to depict decomposition relations included in the informal mind map representation (e.g. composition, aggregation, inheritance). Using association and dependency connectors it is possible to describe different kinds of relation between classes. Beside this classes allow to define attributes and methods representing their static and dynamic concretisation respectively. (3) The Level Crossing class diagram was implemented and extended using the Ontology editing tool “Protégé” [Protégé]. The tool interface allows defining different kinds of relations and attributes of the class diagram. Labels and comments guarantee the readability of the diagram; their multilingual definitions allow a very simple translation operation in the knowledge system. (4) The Implementation of the level crossing ontology using “Protégé” allows generating automatically an Ontology Web Language [OWL] file using XML structures. This owl file is directly used for the implementation of the user interfaces as for connection with an internal database.

4 Knowledge collection In order to fulfil the expectations of intelligent KMS for level crossings different kinds of information have to be collected:

5 Documents Purpose of the document collection is to provide information about the national as well as European funded LC research, LC legislative background including safety requirements, technical parameters and features of different LC solutions, etc. The SELCAT KMS offers a interface which enable the user to identify, shortly describe (by an English abstract) and specify any relevant document. The specification is enabled by the use of keywords included in the basic information structure (see chapter 3). Finally the document can be uploaded in the document database. Providing an English abstract and the keywords of information structure allows including also documents in the country specific language whereby they are still identifiable for the web portal users.

Figure 4 shows example of a document described, classified and uploaded in the SELCAT KMS.

Actes INRETS n°117 51 Safer European Level Crossing Appraisal and Technology

Figure 4: Example of a document in the SELCAT KMS

6 Level Crossing types First SELCAT meetings have shown that lot of information concerning level crossings is not comparable as they are related to the country specific level crossing type or technology. For this purpose it was decided to collect information on level crossing types in the first stage. The approach which has been chosen bases on the mapping of each national LC type to the generic one given by the LC function and technology structure (section 3). Thus the SELCAT web portal offers an interface which allows identifying any country specific LC type. In this context a short description and a detailed specification on the base of the LC function and technology structure can be provided. Apart of this, representative pictures can be added to the specified LC types.

Figure 5 shows example of a defined and classified LC type.

52 Actes INRETS n°117 SELCAT – Development of Level Crossing Knowledge Management System

Figure 5: Example of a LC type in the SELCAT KMS

7 Accident statistics The Level crossing accident statistics are collected with the purpose to get overview about Level Crossing risk in an international context. In particular there are collected statistics about — the accident severity (fatalities, serious and light injuries), — the kind of the accident (car, bus, bicycle, pedestrian, etc) and — the accident causes (external, internal, technical, human). The figure 6 shows an example of level crossing statistics referring to one specific reference year. To be able to normalise the risk also some general information on the particular country will also be collected (population of LC types, length of railway network, train kilometres, etc.)

Actes INRETS n°117 53 Safer European Level Crossing Appraisal and Technology

Figure 6: Example of accident statistics associated with Level Crossing types

8 Knowledge usage After collecting the relevant information, the knowledge management system can be used for many different applications concerning level crossings. A few examples are expressed by the following query possibilities: — semantic Search through of all kind of documents according to the given classification key words using “or” resp. ”and” connecting operators, — search for particular LC types according to given feature (e.g. red flashing light, half barrier, etc.), — visualisation of a accident statistics for particular LC types in reference to a year or to a country, — evaluation of statistical risk for a specific region (country) and level crossing type including comparisons, — evaluation of statistical risk for a specific functional or technical level crossing configuration,

54 Actes INRETS n°117 SELCAT – Development of Level Crossing Knowledge Management System

— comparison of approximate costs of particular level crossing types in reference to different countries.

9 Conclusions Using ontology based systems as a backbone for the knowledge base of international level crossing offers a wide range of possibilities. The centralised OWL ontology offers different applications the same structure and allows including information in order to build up knowledge. The current state of implementation allows uploading and classifying all kinds of relevant documents, specifying LC types and associating of LC accident statistics. The detailed operation and LC type related structuring of the accident statistics can be used for estimation of actual operational risk on a general LC. These results evaluated from a large statistical base of all 15 involved countries in the SELCAT project can be applied for recommendations of Common Safety Targets required by the Safety Directive of the European Parliament from 2004.

References [2004/49/EC 2004] 2004/49/EC (2004). Safety Directive 2004/49/EC. European Parliament and Council of 29th April [Meyer zu Hörste 2003] Meyer zu Hörste, M. (2003). Methodische Analyse und generische Modellierung von Eisenbahnleit- und -sicherungssysteme. Dissertation, Technische Universität Braunschweig. [Schnieder 2003] Schnieder, E. (2003). Control for traffic safety - safety of traffic control. In: Tsugawa, S.; Aoki, M., Hrsg.: CTS 2003 - Preprints, S. 1- 13, Tokyo, Japan, August 2003. 10th IFAC Symposium on Control in Transportation System/Tokyo, Japan. [Drewes et al. 2007] J. Drewes, R. Slovak, L. Tordai, E. Schnieder: FORMS/FORMAT 2007 – Proceedings of Formal Methods for Automation and Safety in Railway and Automotive Systems (G. Tarnai and E. Schnieder Eds.), Braunschweig, 2007, pp 355-360 [Protégé] URL: http://protege.stanford.edu/ [OWL] URL : http://www.w3.org/TR/owl-features/

Actes INRETS n°117 55

Monitoring of Safety Performance activity

Actes INRETS n°117 57

Definitions of common safety indicators on level crossings

Angelo Pira (ERA) European Railway Agency 160 Boulevard Harpignies 59300 Valenciennes France [email protected]

Actes INRETS n°117 59 Safer European Level Crossing Appraisal and Technology

60 Actes INRETS n°117 Définitions of common safety indicators on level crossings

Actes INRETS n°117 61 Safer European Level Crossing Appraisal and Technology

62 Actes INRETS n°117 Définitions of common safety indicators on level crossings

Actes INRETS n°117 63 Safer European Level Crossing Appraisal and Technology

64 Actes INRETS n°117

Level crossing technology

Actes INRETS n°117 65

Selcat Project: Level Crossing technology

Louahdi .Khoudour (INRETS-LEOST) [email protected] Caroline Machy (MULTITEL) [email protected] El-MiloudiI. El-Koursi (INRETS-ESTAS), [email protected] Neda Lazarevic (INRETS-ESTAS) [email protected] Stefano Impastato (DITS) [email protected] Inrets, 20 rue élisée Reclus, BP 317 59666 Villeneuve d’Ascq Cedex, France

1. Introduction SELCAT is designed to identify and review technological solutions for safety improvements within the area of Research, technological development and integration. The domain, here addressed, is in particular “Developing technologies to sense and predict natural and infrastructure conditions affecting safety and efficiency of transport operations”. This paper deals with SELCAT Workpackage 2 dedicated to identify level crossings technology. The aim of the work package is to provide a study about possible technological solutions to reduce the number of accidents on level crossings. It is divided in three main tasks which are the followings: Task 1: The basis for the study is the results of FP5, FP6 or other national or regional projects dealing with advanced technology with special regard on the ground transport application. The special interest should be paid to the safety critical application, systems with man machine interface and low-cost implementation. Task 2: As a structure for the study a suitable concept of modularisation of a generic level crossing safety system is to be used. Applying results from WP2, task 1, set of possible technical solution and improvements of contemporary technology will be elaborated. The focus has to be given to the new train recognition systems, object detection equipments etc.

Actes INRETS n°117 67 Safer European Level Crossing Appraisal and Technology

Task 3: The study should be extended by a set of recommendation how to increase the human awareness and respect to the level crossing safety system connected with proposed technical solutions. Due to the advancement of the project, this paper will deal only with the two first tasks.

2. Identification of projects dealing with advanced technology According to the objectives of WP2, task 1, WP2 team has organized a questionnaire to collect information about projects dealing with advanced technology applied or applicable for level crossing safety. The questionnaire proposed has been sent to all Partner involved in SELCAT. Each partner has been invited to collect information about project so listed (see survey research form in annex 1): — European; — National; — Other typologies. Other information has been asked: project status (e.g. completed, on going, etc); contract type, etc. The survey has identified a total of 25 projects strictly related to Level crossings. 7 partners have supplied the data so far. 25 projects (dealing exclusively with level crossing safety) have been identified, out of which only 4 are from European countries, 18 from China, 2 from Russia, and 1 from India. Only 1 EU project (Safetrain) under the FP4. Figures 1 and 2 shows that the distribution of the kind of tools developed and the types of results produced within the 25 projects received.

Figure 1: Distribution of projects by type of tools developed

LC project Tools developed 14 12 12 10 10 8

6 4 3

2 1 0

Other Hard Tools Soft Procedures

68 Actes INRETS n°117 Selcat Project: Level Crossing technology

Figure 2: Distribution of projects by type of results

LC project Type of results 14 13 12 10

6 5 5 4 2 2 0 Other Prototype Results Report Demonstrator

3. Identification of projects dealing with level crossings The project represented on this section are focused on level crossing safety and are the results of survey launched in task 1. Tables 1 and 2 provide respectively the technical content and the distribution of the 25 project by country. It is very surprising to notice that most of the projects identified corresponding to national or regional initiatives. There is only one European project belonging to the 4th framework.

Table 1: Information on survey LC project

N. of Countries N. of # Name of project Acronym EU programme Countries Involved Partner 1 BDK-2000 Warning-alarm System for Level Crossing BDK-2000 None 1 CN 5 DJ-1 Operation Monitoring and Wireless Warning Device for 2 Crossing DJ-1 None 1 CN 3 3 DZJ-I Intelligent Monitor for Level Crossings DZJ-I None 1 CN 1 4 PLC Automated Signal Control System for Crossings PLC None 1 CN 2 5 PM-1 New Railway Covering-Surface for Level Crossings PM-1 None 1 CN 1 6 WDK96-1 Wireless Crossing Alarm Device WDK96-1 None 1 CN 4 7 Study on the Level Crossing Security 1990X009 None 1 CN 1 8 Testing Platform for Crossing Devices 1996208015 None 1 CN 1 9 Security Monitoring System for Crossing Operation 2001213007 None 1 CN 2 10 Crossing Operation Recording Device 1999201014 None 1 CN 1 Reducing Signal Faults and Improving Reliable Technology: 11 Study on Crossing Signals 2006X018-D None 1 CN 1 12 Railway Crossing Safety Protection System 2002B-017 None 1 CN 3 13 Study on Railway Crossing Safety Prevention Device 2001G028 None 1 CN 2 The Equipment to Display Approaching Speed and Time of 14 Train at Crossing 1999207017 None 1 CN 1 15 Rubber Flooring with Wear-Resistance for Level Crossing 1999211001 None 1 CN 2 16 Research on Safety Defending Equipment of Crossing 2002YJ13 None 1 CN 1 17 Research on Safety Management of Level Crossing 1995F034 None 1 CN 1 18 Micro-Computer Axle Counter Crossing Signal Equipment CX9907 None 1 CN 4 The integration of satellite positioning into safety critical 19 railway applications ECORAIL 3 AU, FR, IT 6 20 Obstacle Detection at Level Crossings None 1 UK 1

Train Crashworthiness for Europe Railway Vehicle Design NL, PL, D, P, 21 and Occupant Protection SafeTrain FP4 6 UK, FR 15

22 Train Actuated Warning Device TAWD None 1 IN 1

23 Adjastable ramp for level crossing protection UZP None 1 RU 1

24 Universal adjastable ramp for level crossing protection UZPu None 1 RU 1 25 In-vehicle warning system for railway level crossings None 1 FI 1

Actes INRETS n°117 69 Safer European Level Crossing Appraisal and Technology

Table 2: Number of LC projects by Country Country N. of project AU 1 CN 18 DE 1 FI 1 FR 2 IN 1 IT 1 NL 1 PT 1 PL 1 RU 2 UK 2

Table 3 provides the LC crossings project with their technical content and the types of tools developed. We can conclude from the figure 3 that the tools developed are very varied: software, hardware, procedures.

Table 3: LC project - Tools developed

Results # Name of project Acronym Other Prototype Report Demonstrator 1 BDK-2000 Warning-alarm System for Level Crossing BDK-2000 Other DJ-1 Operation Monitoring and Wireless Warning Device for 2 Crossing DJ-1 Prototype 3 DZJ-I Intelligent Monitor for Level Crossings DZJ-I Prototype 4 PLC Automated Signal Control System for Crossings PLC Other 5 PM-1 New Railway Covering-Surface for Level Crossings PM-1 Other 6 WDK96-1 Wireless Crossing Alarm Device WDK96-1 Prototype 7 Study on the Level Crossing Security 1990X009 Report 8 Testing Platform for Crossing Devices 1996208015 Prototype 9 Security Monitoring System for Crossing Operation 2001213007 Prototype 10 Crossing Operation Recording Device 1999201014 Prototype Reducing Signal Faults and Improving Reliable Technology: 11 Study on Crossing Signals 2006X018-D Report 12 Railway Crossing Safety Protection System 2002B-017 Prototype 13 Study on Railway Crossing Safety Prevention Device 2001G028 Report The Equipment to Display Approaching Speed and Time of 14 Train at Crossing 1999207017 Prototype 15 Rubber Flooring with Wear-Resistance for Level Crossing 1999211001 Prototype 16 Research on Safety Defending Equipment of Crossing 2002YJ13 Prototype 17 Research on Safety Management of Level Crossing 1995F034 Report 18 Micro-Computer Axle Counter Crossing Signal Equipment CX9907 Prototype The integration of satellite positioning into safety critical 19 railway applications ECORAIL Demonstrator 20 Obstacle Detection at Level Crossings Report

Train Crashworthiness for Europe Railway Vehicle Design 21 and Occupant Protection SafeTrain Demonstrator 22 Train Actuated Warning Device TAWD Prototype 23 Adjastable ramp for level crossing protection UZP Other 24 Universal adjastable ramp for level crossing protection UZPu Other 25 In-vehicle warning system for railway level crossings Prototype

70 Actes INRETS n°117 Selcat Project: Level Crossing technology

Figure 3: LC project - Tools developed

LC project Type of results 14 13 12 10 8 6 5 5 4 2 2 0 Other Prototype Results Report Demonstrator

4. Possible solutions using the advance technology to improve the level crossing safety Most of the level crossings are equipped with the most performing signalization equipments, such as red light, automatic full/half barrier, notices... Those equipments are not able to avoid all dangerous behaviors. Nowadays, most of the collisions occurring at highway-rail intersection are due to drivers not seeing a train coming or believing that they can beat the train. That is why the precise identification of trapped vehicles/pedestrians inside the barriers may reduce the risk of collisions between trains and vehicles. Obstacle detection system seems to be a significant solution to improve level crossing safety and lower the number of fatalities. An obstacle detection system on level-crossing must answer the following requirements: — Improvement of the safety for both pedestrians and vehicles (car, truck, motorbike, bicycle). — Cause no or minimal delays for train and road users. — Accuracy for safety and productivity reasons. — Be reasonable in terms of costs to install, operate and maintain. — Be practical to install, use and maintain. We will first summarize a study on the existing technologies used for object detection at level crossing. Then we will present developed and tested systems of obstacle detection. And finally, we will compare these new concepts.

4.1. Current technologies used for object detection The detection of a vehicle/pedestrian or other obstacles on the level crossing when a train is approaching, requires the installation of a detector. Several

Actes INRETS n°117 71 Safer European Level Crossing Appraisal and Technology technologies are capable of doing this, such as optical or sonic sensor, inductive loop, radar and video imaging. The choice of the appropriate detector can hardly depend on external factors, e.g. environmental conditions or the size of object to detect. A study [1] has been leaded by RSSB, Rail Safety and Standard Board – a UK company which aims to provide knowledge, analysis and a substantial level of technical expertise, powerful information and risk management tools – on research into obstacle detection at level crossings. The obstacle detectors can de divided into two major categories: conventional and newel. — Conventional obstacle detection systems: The conventional obstacle detection has been used to prevent crashes between trains and vehicles. o Optical beam The principle is as follows: optical emitters are placed on one part of the crossing, each which emits a directed optical beam having a defined field of emission. Then a photon detector having a defined field of view intersects the field of emission of the emitter. If the beams are interrupted, it means that an object is located on the crossing. Optical beam detectors have one major advantage: — Easy to replace But they have many important disadvantages: — Expensive — Need to have several detectors along the crossing — Traffic needs to be stopped for installation — Unusable in period of heavy snow o Sonic detectors The ultrasonic method relies on differences in ultrasonic reflection times for detection. They transmit pulses of ultrasonic energy towards the roadway. The pulse is then reflected back quicker when a vehicle passes through. Sonic detectors have the following advantages: — Can detect both stopped and moving vehicles. However, the disadvantages are: — Expensive to purchase and install. — Extremely sensitive to environmental conditions (inaccurate in congested conditions) o Inductive loop: It is probably the most common form of vehicle detection. A wire is embedded under the roadway. A magnetic flux is generated around it. When a vehicle is passing over the wire, the flux is cut causing an increase in inductance, and the detection of an obstacle.

72 Actes INRETS n°117 Selcat Project: Level Crossing technology

Inductive loops have many advantages: — Easy to install — Not subjected to environmental conditions The disadvantages are: — High cost of installation and maintenance because need an important number of loop to be efficient — Traffic must be delayed to install. — Can not detect pedestrians. — Obstacle detection systems using newel methods o Radar method Microwaves are sent from a transmitter based at the side of the roadway. The microwaves are reflected back to a receiving antenna with a different frequency. This change is picked up and reflects the presence of an object (figure 4).

Figure 4: Illustration of installed radar scanner

The advantages are: — Traffic does not need to be disrupted for installation — Immune to electromagnetic interference The disadvantages making radar less popular use: — Hard to maintain o Video imaging Video surveillance is one of the newest technologies being experimented with. A camera is placed above the intersection and looks down upon it. Real time conditions can be conveyed from the intersection directly into the train cab (figure 5). Therefore, the train's engineer can actually see if the intersection is clear and stop in time if it is not.

Actes INRETS n°117 73 Safer European Level Crossing Appraisal and Technology

Figure 5: Object detection using one single CCD camera

The advantages are: — High accuracy — Cameras can be installed without disrupting the traffic The disadvantages are: — Testing is still occurring. — Costs are high. Those five technologies have been evaluated due to some criteria, as detailed in the following table 4.

Table 4: Technology comparison

Technology

Criteria Optical Sonic Radar Inductive Video Beam loop Environmental conditions 2 2 4 5 3

Cost of installation 3 1 2 2 2

Time of installation 2 4 4 2 5

Life time 3 3 2 4 3

Detects both vehicles/pedestrians 2 3 5 1 5

Accuracy 1 1 3 4 3

Total 13 14 20 18 21

74 Actes INRETS n°117 Selcat Project: Level Crossing technology

5. Conclusions Optical beam and sonic detector are definitely too expensive and not enough accurate because they need a high number of sensor. They are also too much sensible to environmental conditions. The most relevant technologies for object detection at level crossing are radar, inductive loop and video. The problem with inductive loop is that it detects metal objects. Nowadays, many vehicles use fibre glass, aluminium which are not well detected by the system. Afterwards, the maintenance of such a system is hard because it is located below the road. That is why we are focusing on the study of video and radar. and now present some realisations and utilisations of these technologies. Regarding some results already obtained in the framework of Selcat, existing radar technologies seems to be the most robust and accurate systems to level crossing object detections. But they still remain expensive. Consequently, the Activity Detection of ACIC deserve to be tested in order to see results comparing to radar technologies. We still do have in mind that the aim of the SELCAT project is to find affordable solutions improving safety on level crossings, so all solutions must be evaluated in order to be compared.

6. References [1] Research report T522 on “Obstacle detection at level crossing”, written by Arthur D.Little from Rail Safety and Standard Board (RSSB), October 2006 [2] https://cip.honeywell.com/sol-rail-safety.html http://www.scheidt-bachmann.com/content/view/119/238/ [3] http://www.getransportation.com/na/en/crossguard.html [4] G.L.Foresti. “A real-time system for video surveillance of unattended outdoor environments”, Transactions on circuits and system for video technology, Vol 8, No. 6, October 1998. [5] M.Ohta. “Level Crossing Obstacle Detection System Using Stereo Cameras”, QR of RTRI, Vol 46, No. 2, June 2005. [6] http://www.acic.eu

Actes INRETS n°117 75 Safer European Level Crossing Appraisal and Technology

7. annexe 1: Survey Questionnaire

7.1 Questionnaire

76 Actes INRETS n°117 Selcat Project: Level Crossing technology

7.2 List of answers received and numbe of projects

Country Institution Answer N. of project Germany ADAC China CARS yes 18 Poland CNTK Germany DB Italy DITS yes 0 Germany DLR Morocco EMI France INRETS Belgium MULT yes 3 United Kingdom NR Bulgary NRIC Morocco ONCF India RDSO yes 1 Italy RFI yes 0 United Kingdom RSSB Japan RTRI yes 0 Germany TUBS United Kingdom UB France UIC Slovakia UNIZA Russia VNIIZht yes 2 Hungary VPE Finland VTT yes 1 Bulgary VTU

Actes INRETS n°117 77

Japanese Level Crossing Technology

Shigeto Hiraguri (RTRI), [email protected] Kazutoshi Sato (RTRI) [email protected] Signalling and Telecommunications Technology Div. Railway Technical Research Institute, Japan

1 Present situation of level crossings in Japan The length of all railway networks of Japan is approximately 27000 km which consists of 20000 JR networks and 7000 km private railway company’s networks. In 2004, the number of level crossings is 35612 which consist of 21634 level crossings of JR (former Japanese National Railway) companies and 13978 level crossings of private railway companies (Figure1). The density of level crossing is very high (more than one level crossings per one kilometre), and that is a unique characteristic of Japanese level crossing.

Figure 1: The number of LCs in Japan

Japanese level crossings have two specific features which are “bottle neck crossings” and “stop of cars in front of a level crossing”. “Bottleneck crossing” is defined as follows.

Actes INRETS n°117 79 Safer European Level Crossing Appraisal and Technology

— A level crossing which is closed to road traffic at least 40 minutes in the peak hour. or — A level crossing which shuts off more than 5000 road traffic (the product of “the number of road vehicles” and “the time of blocking road traffic”) in a day. There are approximately 1000 bottleneck crossing, and over 50% of them exist in Tokyo and Osaka, the largest cities in Japan (Figure 2).

Figure 2: Bottleneck crossing in Japan

“Stop of cars in front of a level crossing” is regulated by the road traffic law of Japan. Hence, automobiles have to stop once before passing through the level crossing. Figure 3 shows the number of accidents at level crossings in recent years, and it decreases year by year. However, 410 accidents occurred and it is equivalent of 48% of total railway accidents in 2004. Furthermore, the number of casualties in level crossing accidents is 285 (39% of total accidents) and the number of fatalities in level crossing accidents is 146 (45% of total accidents) in 2004. In JR companies, 444 railway accidents occurred in 2004, of which 218 accidents occurred at level crossings. In other words, 0.34 level crossing accidents occurred per million kilometres of train operation.

Figure 3: The number of accidents at Lcs

80 Actes INRETS n°117 Japanese Level Crossing Technology

2 Facilities of a level crossing in Japan Facilities of a level crossing in Japan have conformity with the Regulation (Technological standard) and the Guidance (Notice) established by Ministry of Land, Infrastructure and Transport. The Regulation is called “Shorei” in Japanese, and the Guidance is called “Kaishakukijun” in Japanese. “Shorei” specifies the target performance so as not to impede technological development, and is applied to all railway companies of any scale from companies which operate Shinkansen to minor public railway companies. An example of “Shorei” and “Kaishakukijun” is as follows. [Shorei (example)] We have to take into consideration the safety and smooth passage of a level crossing for passengers, for that purpose, the level crossing protection device shall be installed. [Kaishakukijun (example)] The crossing warning sign shall be installed at a level crossing. In a high speed line (over 130km/h and less 160km/h), the automatic barrier machine and the obstacle detecting device shall be installed. A visible distance of the road warning device shall be more over 45m.

Railway companies shall establish their practical standard which has conformity with “Shorei” (Regulation) and “Kaishakukijun” (Guidance). The structure of the regulation and the guidance are shown in Figure 4.

Figure 4: Ministry Regulation and Guidance in Japan

Facilities of a level crossing in Japan are shown in Figure 5. It consists of a crossing warning sign which is similar to St. Andrew Cross of European level crossings, a road warning device which consist of blinking led lights with audible warning and barriers controlled automatically.

Actes INRETS n°117 81 Safer European Level Crossing Appraisal and Technology

Figure 5: Facilities of a LC in Japan

Japanese level crossings are classified into three categories. Category-1 and Category-3 are automatically protected. Category-1 is equipped with the crossing warning sign, level crossing signals and barriers. The warning to road users are given by the crossing signal (blinking of red lights) and audio, and the barriers protect road traffic. There are only full barrier level crossings except for minor special cases in Japan. Category-3 is equipped with the warning sign and signals but is not equipped with barriers. Category-4 is equipped with only the warning sign. In other wards, this type is not automatically protected. There are 30448 (85.5%) category-1 level crossings, 1117 (3%) category-3 level crossings and 4047 (11.4%) category-4 level crossings. An example of control sequence of doubled half barrier level crossing is shown in Figure 6. Electronic train detectors for activating warning (A) and for stopping warning (B) are installed. When a train passes the detector A, the level crossing is activated and warning by blinking of led lights and audible alarm starts. After 4 seconds, lowering entrance side barrier starts and it is completed after 6 seconds. After the completion of lowering entrance side barrier, lowering exit side barrier starts and it is completed after 6 seconds too. The minimum warning time, from the level crossing is activated to the train reaches the level crossing, is 31 seconds. These figures are standard value and specific values of each level crossing are defined in consideration with conditions of each crossing.

Figure 6: An example of control sequence

82 Actes INRETS n°117 Japanese Level Crossing Technology

3 Breakdown of level crossing accidents Over 400 accidents occurred at level crossings in each year, but few accidents were caused by railway companies (Figure 7). In other words, almost all accidents were caused by a human error of road users.

Figure 7: LC accidents caused by railway companies

As shown in Fig.3, 410 accidents occurred at level crossings in 2004. The percentages of accidents in each level crossing category are generally in proportion to the ratio of the number of level crossings. In other words, 78% of accidents occurred at category-1, 5% occurred at category-3 and 17% occurred at category-4 (Figure 8). Most accidents arose from “passing a level crossing just before a train passing” and its percentage is 58%. Other major causes are “automobile is forced to stop in a crossing due to engine stall” (22%) and “automobile contacts or collides with side body of a train” (14%) (Figure 9). Contact or collision with side body occurs when a car skids due to icy road even though a car driver brakes and so on. Most objects of collision with a train are automobiles and tracks (58%), and pedestrians account almost quarter (Figure 10).

Figure 8: Accidents in each category (2004)

Actes INRETS n°117 83 Safer European Level Crossing Appraisal and Technology

Figure 9: Causes of accidents (2004)

Figure 10: Objects of collision with a train (2004)

4 Japanese approach to enhance safety of a level crossing Japanese approaches to reduce level crossing accidents are classified into two aspects which are “securing absolute safety” and “securing functional safety”. Main measures for securing absolute safety are acceleration of converting a level crossing into a flyover and an abolishment of a level crossing. Over 40% of intersections of road and railway have been converted into flyovers and approximately 300 level crossings are abolished every year. Main measures for securing functional safety are enhancement of reliability of level crossing protection device, improvement of level crossing facilities to reduce a human error of a road user and introduction of devices to prevent a level crossing accident. Details of these measures are as follows. Enhancement of reliability of level crossing protection device There are two main measures to realise the enhancement of reliability.

84 Actes INRETS n°117 Japanese Level Crossing Technology

First measure is enhancement of secure train detection by introduction of an improved electronic train detector, adoption of another train detector for redundancy and modification of a train detection method from intermittently one to continuous one. Another measure is enhancement of secure device control by introduction of a micro-computerised level crossing controller, introduction of an observation system for quick repair in case of failure and installation of a battery as a preventive measure against failure of power supply. Improvement of level crossing facilities to deduce a human error of a road user There are four main measures to realise the improvement of facilities. First measure is to upgrade level crossing category from category 3 or 4 to category 1. Second measure is improvement of level crossing visibility by enhancement of maintenance of a road sign by road administrator (Figure 11), reinforcement of a lighting device for a level crossing (Figure 12), emphasis of level crossing facilities using reflective paints (Figure 13) or improved barriers (Figure 14) and introduction of improved road warning devices (Figure 15).

Figure 11: An example of a road sign installed by road administrator

Figure 12: A lighting device for a LC

Actes INRETS n°117 85 Safer European Level Crossing Appraisal and Technology

Figure 13: Examples of emphasis of a LC using reflective paint or device

Figure 14: Examples of improved road warning devices

Figure 15: Examples of improved barriers

Third measure is rationalisation of a warning time. The warning time of a level crossing which exists between stations is influenced by fluctuation of train speed. In this case, introduction of an improved controller using axle counters is an effective measure. On the other hand, the warning time of a level crossing which exists near a station is influence by train class (e.g. high speed train or low speed train, passing train or stopping train). In this case, introduction of improved level crossing controller using a transponder is an effective measure. Fourth measure is installation of ITV camera for vicious road users at particular level crossings. The image is not monitored continuously, but it is recorded. Introduction of devices to prevent a level crossing accident A control box to stop an approaching train in an emergency is introduced (Figure 16). Road users are able to push a button equipped with the box and he/she inform his/her operation of a railway operator. The contact telephone number of the railway operator is indicated below the box.

86 Actes INRETS n°117 Japanese Level Crossing Technology

Figure 16: A control box to stop an approaching train

Obstruction warning devices and obstacle detecting devices are installed. There are two types of the obstruction warning device. Type 1 is "flashing light signal" (Figure 17) and type 2 is "fuse signal" (Figure 18). An obstacle detecting device detects obstacles automatically and an obstruction warning device is activated immediately to notify an accident at a level crossing to an approaching train driver. Type 1 gives warning by blinking red lights. From a train driver, it seems that red right is rotating. Type 2 gives warning by blinking red lights. A visible distance of the obstacle warning device is more than 800m, and it is longer than minimum emergency braking distance, 600m (Figure 19).

Figure 17: Type 1 "flashing light signal"

Figure 18: Type 2 "fuse signal"

Figure 19: Obstacle warning device

Obstacle detecting devices are classified into three types. Figure 20 shows the number of level crossing accidents and the number of installed obstacle

Actes INRETS n°117 87 Safer European Level Crossing Appraisal and Technology detecting devices in JR East. The number of accidents has decreased along with installation of obstacle detecting devices.

Figure 20: Effect of installation of obstacle detecting devices in JR East

There are three types of the obstacle detecting device. Type 1 uses laser beam or infrared rays and detects obstacle by shutting off of the beam.

Figure 21: Structure and installation example of type1

Figure 22: Mechanism of type 1

Type 2 uses loop coil and detects obstacle by change of signal frequency when a car exists above the coil.

Figure 23: Structure and installation example of type 2

88 Actes INRETS n°117 Japanese Level Crossing Technology

Figure 24: Mechanism of type 2

Type 3 uses three-dimensional laser radar. This type has been developed recently and one of its features is that it can detect obstacle's height and detailed position in a detecting area.

Figure 25: Structure of type 3

Figure 26: An examples of detection result of type 3 and comparison with actual image

Actes INRETS n°117 89

Extraction of critical scenarios in a radio-based railway level crossing control system

Malika Medjoudj (LAGIS) [email protected] Pascal Yim (LAGIS) [email protected] LAGIS, Ecole Centrale de Lille, BP 48, 59651 Villeneuve d’Ascq Cedex, France

Abstract: This paper deals with safety of the level crossing control system. We propose one way of the safety evaluation witch consist on the extraction of feared scenarios in Petri net model of the system by using ESA_PetriNet tool (Extraction Scenarios & Analyzer by Petri Net model). These scenarios characterise the sequences of actions leading to dangerous situations. The continuous dynamic of the system is partially taken into account by temporal abstractions.

1. Introduction One way to evaluate the safety [Laprie 1992] of complex system such as a level crossing control system (lccs) is the extraction of critical scenarios leading to the feared states. A qualitative analysis method of safety, aiming the extraction of all the critical scenarios from a Petri Net model [Murata 1989] of computer-controlled systems was developed by [Medjoudj and al 2004]. This approach witch is an extension of a method developed by [Demmou and al 2002] but which operated only on the discrete aspect of the system, takes into account the continuous aspect of the system and the temporal specifications. This approach base on linear logic determines more precisely the exact conditions of the occurrence of the feared event, i.e what has led the system to leave its normal operation and to evolve into the feared state. The originality of this approach is that the order of occurrence of the events is taken into account, and impossible scenarios with respect to continuous dynamics and temporal

Actes INRETS n°117 91 Safer European Level Crossing Appraisal and Technology specifications of the system are eliminated. The automation of all stages of the process has led to the development of ESA_PetriNet tool (Extraction & Scenarios Analyser by PetriNet model) [Medjoudj and al., 2006] that has been interfaced with TINA tool (Time Petri Net Analyzer) [Berthomieu B and al 2004]. We will use in this paper ESA_PetriNet tool to extract dangerous scenarios from the level crossing benchmark published by [Jansen and Schneider, 2000]. We will present the method of extraction of feared scenarios and the basic of the algorithm in section 2, the level crossing control system in section 3, its Petri Net modelling in section 4, the use of ESA_PetriNet tool to generate the critical scenarios in the section 5 and we will end by a conclusion.

2 Method of extraction of feared scenarios The application of this method requires the modelling of the system by a time Petri Net model and identifying the places of nominal behaviour. The appropriate Petri net modelling of computer-controlled systems is a Predicate Transitions Differential Stochastic Petri net (PTDS Petri net) as they are generally hybrid (discrete and continuous dynamics) and there safety analysis require taking into account failures. A temporal abstraction is necessary to translate this model to a time Petri net by associating to the transitions a temporal interval of firing corresponding to the time which the system can spend to reach the state in question. A preliminary analysis will refine fields of variables according to various accessible markings by reasoning on the invariants of places. Indeed, the invariants of places determine the possible dynamics, and which other places can be simultaneously marked when a token is present in a given place. The method of extraction of feared scenarios is made up of two steps (Medjoudj and al., 2004): a backward reasoning and a forward reasoning. The backward reasoning takes as an initial marking in the reversed Petri net model (the initial Petri net in which all the arcs are reversed), the only target state (feared) and seeks exhaustively all the scenarios making it possible to consume the initial marking (feared state since forward reasoning) and reach a final marking composed only of places associated to the normal operation. The forward reasoning takes as an initial state these places of normal operation in the initial Petri net model. The objective is to locate the junctions between the feared behaviour and the normal operation of the system as well as the conditions implied in these junctions. Thus we have not only the explanation of the dangerous behaviour but also of strategies allowing its avoidance. A significant point of the method is that the context in which occurred the feared event is enriched gradually. The enrichment (of marking) consists on putting tokens in empty places in the Petri net model when it is necessary to make evolves the system and generate scenarios. The invariant of places are used as a mechanism of checking the coherence of the enrichment of marking. Indeed the new tokens added are removed if they do not respect the dynamics of the system.

92 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

Each scenario is given in form of a partial order between the events necessary to the appearance of the feared event what differs from a failure tree, which gives a whole of static combinations of the partial states necessary for obtaining the feared state.

2.2 Dealing with continuous dynamics by temporal abstraction This method takes into account the conditions associated to the firing of certain transitions. These conditions are thresholds involving continuous variables. By temporal approximation of the hybrid dynamics, these thresholds are transformed to durations, which correspond to time that the system puts to reach when the transitions are enabled. From a qualitative point of view, the objective is to determine the firing order of the transition. Thus, when we enrich the marking, we can find situation where two transitions t1 and t2 are enabled if only the ordinary Petri net is considered, but whose are such as t1 will be always fired before t2 if the temporal abstraction is also considered. In the generation of the scenarios only the firing of t1 will be considered since that of t2 before t1 would be in fact incoherent with the continuous dynamics. This appears in the form of a priority: if t1 and t2 are enabled, only the case of t1, priority, is examined. The taking into account of these precedence relations coming from the continuous dynamics and not specified by the ordinary Petri net allows to reduce the number of scenarios generated by eliminating a certain number of incoherent scenarios with respect to continuous dynamics.

Figure 1: Temporal abstraction and priority due to the thresholds of transitions

Let us consider an example. In figure1 we suppose that the differential- algebra system associated to the place P1 guarantees that the variable x is increasing. We associate to the transition t1 the threshold x = v1 and to the transition t2 the threshold x = v2 with v1 < v2. Finally, we suppose that when the token arrives in the place P1 we have always x < v1. So, if the place P3 is marked, the transition t1 will be fired before t2 since the threshold associated to t1 is lower than that of t2. In this case we don’t consider the scenario associated to the firing of t2. On the other hand, if t3 is already fired for example if we

consider that t1 is a stochastic transition corresponding to a failure (place P3 empty) and if the place P2 is marked, t1 cannot be fired and then t2 will be fired.

Actes INRETS n°117 93 Safer European Level Crossing Appraisal and Technology

In the example above, finally only one type of scenarios is examined, those for which the transition t2 is fired after t3. So, there is a precedence relation between the firing of t3, which empties the place P3 and that of t2, however there is no place connecting t3 to t2. This precedence relation is so, a consequence of continuous dynamics and thresholds associated to transitions t1 and t2. We are talking in this case about indirect precedence relation and about indirect causality. The direct precedence relations and causality are those that are highlighted by the only Petri net, i.e. by the only discrete aspect.

2.3 ESA_PetriNet tool ESA_PetriNet tool uses two output files of TINA tool as input files. The first file is a textual description of the Petri net model of the system and the second contains the invariant of places. The indirect precedence between certain transitions firing resulted by the temporal abstraction of continuous dynamics, is expressed in the algorithm in the form of rules of priority (a certain transition is not fired if another is enabled). The transition time interval of TINA tool permits to express this rule of priority. If we take the example of figure 1, if there is an intersection between the time interval associated to transitions t1 and t2, they will have the same priority of firing and the two scenarios will be generated. The steps of the algorithm are detailed in [Medjoudj, 2006]. We note that only one execution of the algorithm generates automatically several scenarios. All the possible and coherent scenarios with respect to the continuous dynamics and the temporal constraints of the system are generated.

3. Railway level crossing control system case study

3.1. General description This case study concerns a decentralized radio-based railway level crossing control system taken from a realistic specification of a new radio-based train control system, which has been developed for the German Railways. It is presented by [Jansen and Schneider, 2000] and studied by [Collart-Dutilleul and al 2006] using a transformation of a p-time Petri net model of the system to automata in the purpose of avoiding forbidden states. This modelling is of a high level of abstraction and does not take into account the failures of the system. Although, simplification has been made in the presentation of this example, it remain especially interesting as it is well known by the railway specialists, takes into account software and hardware specification, hybrid dynamic and temporal constraints. Our aim is a whole modelling of the system using a Petri nets model by taking into accounts the hybrid dynamic, temporal constraints and failures. Then, applying the method described above to extract critical scenarios.

94 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

3.2. Composition of the system and specification The radio-based level crossing control system is used in an intersection area between a single track railway line and a road (figure 2). To avoid collision, trains and road traffic must not enter at the same time this crossing zone called danger zone. The level crossing is controlled by means of signals radio communication between a train-borne control system (on-board system), a level crossing control system and an operation centre which supervises interactions between the two preceding components. It is important to note that transmission times on the network may vary and radio telegrams may be lost. The railway crossing is equipped with half barriers, a red and a yellow road traffic light. Road users shall stop at the level crossing if possible when the yellow light is shown and must stop when the red light is shown as the level crossing is closed for road users in this case. The yellow light and the red light never must be shown together and when both are off the danger zone can be crossed by road users. The traffic lights and barriers at the level crossing are controlled by the level crossing control system which will be activated (turn on) with the approach of a train to the level crossing. When the level crossing control system is activated, it carries out a sequence of actions at a specific timing to ensure a safely closing of the crossing and the danger zone to be free of road traffic. First, the yellow light is switched on, then after 3 seconds it is switched off and the red light is switched on. After 9 seconds the barriers are started to be lowered within a maximum time of 6 seconds. If the barriers have been completely lowered within this time, the level crossing control system signals the safe state of the level crossing and the train can cross it. When the train has completely passed the danger zone, the level crossing may be opened for road traffic. In the level crossing opening phase, the barriers are first opened then the red traffic light and the level crossing control system are switched off.

Figure 2: Railway level crossing

The half barriers are used to block the entry lane on either side of the level crossing. As there are no barriers for the exit lanes, imprudent road users may enter the crossing area on the opposite lane if the closure time of the level crossing exceeds 240 seconds. A general view of the normal operating of the level crossing control system is given in figure 3.

Actes INRETS n°117 95 Safer European Level Crossing Appraisal and Technology

The train is equipped on board by a route map which contains the positions of danger points at level crossings and provides information for the train (lineside equipment or signal staff) when or where to send an activation order to the corresponding level crossing control system. The train on-board system sends so a radio message to the level crossing control system in order to close the level crossing in time and let the train pass through without any delay or braking action. It will also set a breaking curve for speed supervision making the train stop at the danger point in a failure situation. The level crossing control system acknowledges receipt of the activation order to the train. After receipt of the acknowledgement the on-board system waits the necessary time for the closing of the level crossing, then sends a status request to the level crossing control system. If the level crossing is in a safe state it will be reported to the train which allows cancelling the breaking curve and safely pass over the level crossing. The vehicle sensor at the rear of the level crossing will be triggered allowing the opening of the level crossing.

Figure 3: General view of the nominal behaviour of the level crossing control system

3.3. Possible Failures A main cause of failures is the malfunctioning of sensors or actuators. The main physical structures, communication systems and the control systems

96 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system themselves may be failed. Failure may occur at any time. Defective devices will be repaired after some time but will not take place when a train approaching or passing the level crossing in case of non recoverable failure. In this case study, only a limited number of failures are taken into account: — Failure of the yellow or the red traffic light — Failure of barriers (actuators) — Failure of vehicle sensor — The delay or loss of telegrams on the radio network The traffic lights and the vehicle sensor are constantly supervised and defect is immediately reported to the level crossing control system. Failure of the barriers can only be detected by time-out when barriers fail to reach upper or lower end position in time or at all.

3.4. Behaviour of the control system under failure The level crossing control system detects the occurrence and repair of failures of traffic lights and vehicle sensor and immediately reports them as an event to the operations centre. Train operation is not suspended on the affected track section until repair. When the train sends a status request, if in the sequel it does not receive the status report with the safe state of the level crossing before entering its breaking curve the on-board system will apply the breaks until the status report will be received or the train has come to a stand still. If the status report is received before stand still, breaks are released and train can continue its run. If not a request is prompted on the driver’s display to make sure that the level crossing can be passed safely and to confirm the safe state on the display. If meanwhile the status has been received the message is cancelled from the display, the break are released and the driver does not need to confirm anymore. Otherwise the driver has to confirm the safe state of the level crossing in order to release the breaks and continue its run. The train supervises a maximum arrival time of 240 seconds to avoid long waiting times of road users. If the train detects that it cannot arrive at the level crossing within a specified time and still is able to stop before the danger point it cancels the activation order by sending a deactivated order to the level crossing. In this situation the train discards any information received from the level crossing and supervises a breaking curve ending at the danger point. The level crossing will be opened upon receipt of the deactivation order. The driver has to confirm as described above the safe state before passing unclosed level crossing. The level crossing control system will not be activated if the red traffic lights or the vehicle sensor are defective and it will not send an acknowledgment to the train. If the level crossing control system has been activated, a minimum green time is considered since the last deactivation of the level crossing before switching on the yellow light for 3 seconds. If the yellow traffic light becomes

Actes INRETS n°117 97 Safer European Level Crossing Appraisal and Technology defective either before or during the yellow light period, the traffic lights are switched to red and the red light period of 9 seconds is extended correspondingly by the messing time of the yellow light period. If the red traffic light fails after activation of the level crossing control the closing procedure has to be cancelled unless the barriers have yet begun to be lowered. The failure state of the level crossing must be reported if the barriers fail to be completely lowered within a maximum duration of 6 seconds or if in the meantime the red traffic light has become defective. The current status of the level crossing will be reported to the train upon request. If the vehicle sensor becomes defective the level crossing control system can not be deactivated anymore by passing train. Consequently the barriers remain lowered and the red traffic light remains switched on. However, the level crossing control system supervises a maximum closure time starting from the red light be switched on. The exceeding of the maximum closure time will be reported to the operation centre by the level crossing control system. The operation centre finds out, whether the train has yet passed the level crossing or not. In the first case, the operations centre sends a deactivation order to the level crossing. Otherwise the train is still approaching or just running on the level crossing and the rules for late arrival at the level crossing apply as described above.

3.5. Feared events There is lot of feared events in the system, but we will only interest to the catastrophic event: the collision, it means the presence of a train and a road user in the danger zone at the same time.

4. Modelling Petri nets has been used with success as a formal model for traffic signal control [Wang and al 1993, List and Cetin 2004], urban traffic control [Avram and al 2004, Febbraro and al 2004], and level crossing control system [Padberg and Gajewsky 2000] aiming security. In this deal we will the modelling of the level crossing control system by a t- time Petri net model (temporal interval associated to the transition). Although the appropriate abstraction of certain dynamic of the system is a pt-arc-time Petri net (temporal interval associated to the arc related places to transition) or a P-time Petri net (temporal interval associated to the places) we have chosen the t-time Petri net model as the principal of the ESA-PetriNet tool is based on the priority of firing of conflictive transitions.

98 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

4.1 General view

Figure 4: General view of the model

In the general view given in figure 4, msgi represent radio messages. The message msg1 is sent by the train to the lccs to switch on when the on-board system detects the approaching of a level crossing. The message msg2 represents the receipt acknowledgement of the activation order. The message msg3 corresponds to the status request of the level crossing and the message msg4 represents the safe state of the level crossing reported to the train. Note that, transmission times on the radio network may vary and messages may be lost as represented in figure 5. The radio message is represented by the place msgi. The time interval [dmi, dMi] associated to the out put transition of place msgi means that the transmission time may vary between the minimal value dmi and the maximum one dMi. According to the radio message and the crossing state, the train will pass with out braking, with braking, come to a stand still and stop.

Figure 5: Petri net model of a radio message

Actes INRETS n°117 99 Safer European Level Crossing Appraisal and Technology

The dely1 corresponds to the maximum closure time of 240 seconds supervised by the level crossing control system starting from the red lights be switched on. Crossing the danger zone by the train and the road user are respectively represented dz1 and dz2. The message msg7 corresponds to the deactivation order of the opening of the level crossing sent by the train it detects that it can not arrive at the level crossing within the maximum supervised arrival time of 240 seconds. In this paper, we will interest to the feared scenario corresponding to the presence of a train and a road user in the danger zone at the same time (collision). This is represented by the Petri net model of the figure 6, where the transition E_fail representing the feared event can be fired only when both places dz1 (presence of a train in the danger zone) and dz2 (presence of a road user in the danger zone) are marked. Place S_fail represents the feared state (collision).

Figure 6: Petri net model of feared sate

4.2. Petri net model of the radio messages

Figure 7: General view of radio messages exchanges

Figure 7 represents a general view of different radio messages exchanged between the on-board system and the level crossing control system. To simplify the case study, we have not presented the radio messages exchanged with the operations centre like the failure and repair of different devices.

100 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

4.3. Petri net model of the level crossing control system

Figure 8: Petri net model of the level crossing control system

A detailed view of the lccs is given in figure 8. Note that messages msg1 and msg2 are the same as in figure 4. Places lccs_off and lccs_on1 correspond respectively to the mode off and on of the level crossing control system. Transition on1 will be fired after reception of the activation order msg1, to switch to the activated mode if the vehicle sensor (place ss_ok) and the red traffic light (place red_off) are not defective. The level crossing control system will be deactivated if the place lccs_on2 or lccs_on3 is marked. Place lccs_on2 will be marked when the barriers are opened after closure. Place lccs_on3 corresponds to the cancelling of the closing procedure if the red traffic light fails after the activation of the level crossing control system. The green time passed since the last deactivation of the level crossing will be added in section 4.8.

4.4. Petri net model of the yellow light

Place yell_off1 in figure 9 represents the mode off of the yellow light. It will be switched to the activated mode (place yell_on) when the level crossing is activated (place lccs_on1 marked). After 3 seconds of the activation of the yellow light, it will be deactivated (marking of yell_off1 and yell_off2 places). The yellow light can fail in the deactivated mode (yell_ko1) or in the activated mode (yell_ko2).

Figure 9: Petri net model of the yellow light

Actes INRETS n°117 101 Safer European Level Crossing Appraisal and Technology

Figure 10 represents a Petri net model of failure and repair of the devices that may be faired in the system (traffic lights, vehicle sensor and barriers). Failure and repair are represented respectively by the stochastic transition faili and repi. While failure may occur at any time, repair will not take place when there is a train approaching or passing the level crossing. This is represented by the minimal value of reparation dri.

Figure 10: Petri net model of failure and repair

4.5. Petri net model of the red light

Figure 11: Petri net model of the red light

The model is similar to the yellow light. The red traffic light can be in mode off (place red_off), mode on (place red_on), fail before activation (place red_ko1) or after activation (place red_ko2). We note three cases of the activation mode of the red light represented in figure 11 according to the time activation of the yellow light. In case (a), the yellow light was activated for 3 seconds before the lights traffic switch to the red. In this case the place yell_off2 is marked and transition on3 can be fired to switch to the activated mode of the red traffic for 9 seconds. This delay is represented by the time

interval [9, 9] related to the transition cls1 that corresponds to the order of lowering barrier as it will be described in § 4.7. The dely1 is the same as described in figure 4. The red traffic light can be deactivated when the barrier will be completely opened represented by the place br4 (that will be described in § 4.7. Place lccs_on2 is the same as described in figure 8 (§ 4.3). In case (b), the yellow traffic light becomes defective before the yellow light period (place yell_ko1). In this case the red traffic light period of 9 seconds is extended to 12 seconds to take into account the yellow light period. This is represented by the time interval [12, 12] attached to the transition cls2 that corresponds to the order

102 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system of lowering barrier as it will be described in § 4.7. In case (c), the yellow traffic light becomes defective during the yellow light period (place yell_ko2). In this case, the red light period of 9 seconds is extended correspondingly to the missing time of the yellow light period. This is represented by the time interval ]9, 12[ associated to the transition cls3 that will be described in § 4.7.

4.6. Petri net model of sensors

Figure 12: Petri net model sensor i

The system contains three sensors: a sensor for the barriers loading, a sensor for the barriers closing and a vehicle sensor. Figure 12 represents the Petri net model of a sensor i. As described in (§ 4.4), a sensor i can be defective (place si_ko) and repaired by firing transition repi.

4.7. Petri net model of the barrier (actuator) 4.7.1. Closing

Figure 13: Petri net model of the barriers closing

Actes INRETS n°117 103 Safer European Level Crossing Appraisal and Technology

To simplify the Petri net model, we assume that figure 13 represents the closing of the two half barriers which are actuated by an actuator for opening (place act1_ok). Note that places dely2, dely3, dely4 are the same as in figure 11. The place br1 represents the continuous dynamic of the closing barriers. Its temporal abstraction is represented by the temporal interval [1, 6] attached to the transition

Cls4 as the maximum closure time is 6 seconds and we suppose that the minimum closure duration is 1 second. If the opening actuator fails before the barriers have completely closed (act1_ko marked), the immediate transition fail8 will be fired and the dynamic of place br1 will be interrupted. This corresponds to the blocking of the barriers in opening represented by the marking of the place bck1. If the sensor that detect that the door is closed is defective (marking of place s1_ko), the transition cls4 can not be fired and the level crossing is considered in a fail state. This is represented by the firing of transition fail14 in + the temporal interval ]6, 6 ]. Figure 14 represents the cancelling of the closing procedure if the red traffic light fails after the activation of the level crossing control system before the barriers begun to be lowered. This is represented by firing the immediate transitions fail10, fail11, or fail12 according to the activation mode of the red light represented in figure 11. Place lccs_on3 corresponding to the order of deactivation of the level crossing will be marked.

Figure 14: Petri net model of cancelling of the closing barriers

4.7.2. Opening The Petri net model is similar to the Petri net model of closing. The dynamic of the barriers opening is determined by the position of the actuator for opening (place act2_ok). The dynamic of the opening is represented by the temporal interval [1, 6]. This dynamic can be interrupted if the actuator fails before the end of the opening procedure. In this case the immediate transition fail9 will be fired and the place bck2 corresponding to blocking on opening will be marked. If the sensor of opening is defected (place s2_ko marked) the transition fail15 will be fired after 6 seconds. We note four cases for barriers opening represented in figure 15. Case (a) corresponds to the nominal behaviour. In this case, the vehicle sensor is not defective (place s2_ok) and the train has completely passed the danger zone in time (marking of the place trn12 as it will be detailed in section 4.8). The maximum closure time is represented by the temporal

104 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system interval [0, 240] associated to the transition opn1. In case (b), the train detects that it can not arrive to the level crossing in time and it sends a deactivation order to open the level crossing. This is represented by the message msg7. In case (c) and (d) the vehicle sensor is defective and the level crossing can not be opened by passing of the train. In this case, the exceeding of the maximum closure time is reported to the operations centre that finds out wither the train has passed the level crossing or is still approaching. Accordingly the operations centre sends a deactivation order (c) in the first case and (d) in the second case.

Figure 15: Petri net model of the barriers opening

4.8. Petri net model of the train 4.8.1 Nominal operating and late arrival

The detailed Petri net model of the train is given in figure 16. Place trn1 (figure 16a) corresponds to the approaching of the train a level crossing. When the on-board system detects the approaching of a train, it sends a radio message msg1 to the level crossing control system to switch on by firing the transition tr1. Place bc represent the setting of a breaking curve for speed supervision to make the train stop at the potential danger point in a failure

Actes INRETS n°117 105 Safer European Level Crossing Appraisal and Technology situation. After receipt of the acknowledgement (place msg2), the on-board system waits an appropriate time (18 seconds) for the level crossing to be closed and sends the statute request (place msg3) to the level crossing control system. The level crossing is reported to the train to be in a safe state (place msg4) if the barriers are completely lowered (place br2) and the red traffic light in the activated mode (place red_on). After reception of the safe state of the level crossing, the train cancels the breaking curve (place bc) and passes the level crossing with out braking. This is represented by firing transitions tdz1 and tr6. The continuous dynamic of the train is represented by the temporal interval [dti, dTi] attached to transitions tri and tdz1. This means that the tokens has to remain in the input places of this transitions at least dti and at most dTi. Place trn7 and trn12 represents the train

out of the danger zone. Transition tr7 can be fired after a green time duration dg to specify a non infinite behaviour of the track. Transition trn14 is fired if the train detects that it can not arrive at the level crossing within the maximum supervised arrival time of 240 seconds (late arrival) and still is able to stop before the danger point. It sends a deactivation order to the level crossing (place msg7) and discards any information received so far from the level crossing and supervises a breaking curve (firing transition tr15 after a green time duration dg).

Figure 16: Petri net model of the train

106 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

4.8.2. Breaking and stand still Figure 16b represents the case in which the train does not receive the status report with the safe state of the level crossing before entering its breaking curve. Note that places trn4, bc, msg4, red_on, br2, trn6, trn12, dz1, msg7 and trn11 + + are the same as in figure 16a. The temporal interval [dMi , dMi ] represents the fact that the train does not receive the status report before entering its breaking curve. In this case the on-board system apply the breaks (place trn8) until the status report will be received. The transition tr9 will be fired to release the breaks and continue the run if the status report is received before a stand still (place trn9). Place trn10 represents the request prompted on the driver’s display to make sure that the level crossing can be passed safely. Transition tr11 is fired if meanwhile the status report has been received. Otherwise transition tr12 will be fired to confirm the safe state by sending the message msg5. If the level crossing is in its safe state the transition (place msg6), the transition tr13 will be fired otherwise the train will stop (place trn14).

4.9. Petri net model of the road user

Figure 17: Petri net model of the road user

Places road_user and dz2 in the figure 17 represent respectively the road user in the entrance of the danger zone and crossing the danger zone. The road user may pass the level crossing only if the red traffic light is not in its activated mode (place red_on is not marked) or the level crossing is still open. It means that road users may pass when the red traffic light is off (place red_off) or in its defective mode (place red_ko1 or red_ko2) even if the half barriers are lowered as they can pass in the opposite lane or when the half barrier are not yet lowered (place dely2, dely3 or dely4 marked). To simplify, note that we are focussing on the red traffic light as the yellow traffic light is included in this cases: the yellow traffic light can be activated when the red traffic light is off or defected before switching on (red_ko1) and the its defection is taken into account by dely3 or dely4. The transition usr represents the non-finite behaviour of the road users.

Actes INRETS n°117 107 Safer European Level Crossing Appraisal and Technology

4.10. The whole Petri net model of the system Places labelled with “N” in figure 18, modelling the whole system, represent normal operating and transitions labelled with “F” will be added to forbidden transitions and can not be fired. This transitions concern repair and non-finite behaviour as repair of defective devices will not take place when there is a train approaching or passing the level crossing and we are interesting in this paper only to one round. We will seek the feared scenarios corresponding to the presence of both train and road user in the danger zone, i.e. all the scenarios which lead to the marking of the place S_fail.

Figure 18: Whole Petri net model of the system

108 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

5. Extraction of feared scenarios using ESA_PetriNet tool A general view of ESA_PetriNet and TINA tools is given in figure 19. To use ESA_PetriNet, we first edit the Petri net model of the system on the graphic editor of TINA tool to generate two input files: a descriptive file of the Petri net model and a file containing the invariant of places. The generated scenarios can be illustrated in the form of a precedence graph. ESA_PetriNet generates a total of 196 scenarios (nominal and feared) in which 88 are feared. Note that the actual version of ESA_PetriNet generates non minimal scenarios, so most of the generated scenarios are redundant. This explains the important number of the scenarios generated. Note also that this version of ESA_PetriNet support continuous dynamics and temporal constraints and an important number of incoherent scenarios are yet eliminated. We have chosen these parameters:

dmi = 0, dmi = 4, dti = 1, dTi = dg = 10, dri = 250 Figure 19: Screen shots of TINA and ESA_PetriNet tools

The 88 feared scenarios correspond to the follow situations: 1) Crossing of both the road user (tdz4) and the train (tdz1) the danger zone when the red traffic light fails after activation (fail4). We note three categories of scenarios according to the way of the train crossing. — The train is crossing without braking: sc10, sc13, sc19, sc22, sc16, sc25, sc30, sc33, sc36, sc41, sc46, sc53, sc61, sc65, sc69, sc76, sc80, sc84, sc91, sc95, sc102, sc108, sc112, sc116, sc123, sc127, sc131, sc138, sc142, sc149. These scenarios are represented by sc1a: {tr4, tr5, tdz1, fail4, tdz4, E_fail} — The train is crossing with braking before stand still: sc50, sc57, sc62, sc66, sc73, sc77, sc81, sc88, sc92, sc99, sc104, sc109, sc113, sc120, sc124, sc128, sc135, sc139, sc146, sc154, sc157, sc162,

Actes INRETS n°117 109 Safer European Level Crossing Appraisal and Technology

sc165, sc168, sc173, sc176, sc181. These scenarios are represented by sc1b: {fail4, tdz4, tr8, tr9, tdz1, E_fail} — The train is crossing after stand still: sc54, sc71, sc86, sc172, sc180, sc161, sc97, sc118, sc133, sc144. These scenarios are represented by sc1c: {lost4, tr13, tdz1, fail4, tdz4, E_fail}.

Figure 20: Graphe de précédences des scenarios sc1a, sc1b et sc1c

The precedence graph of these three scenarios is given in figure 20. Ii and Fi represent respectively initial and final events. 2) Crossing of the road user the danger zone before the barriers to be lowered (tdz5, tdz6 or tdz7) then, crossing of the train (tdz1). In this situation, the road user may be slow down stopped or break down on the danger zone. We note three categories of scenarios according to the mode of activation of the red traffic light and each category contain deferent scenarios according to the way of train crossing. — In the case of the activation of the red traffic light after the yellow light period (place dely2 marked), we find the scenario sc21a: {tr4, tr5, tdz1, tdz5, E_fail}, sc21b: {tdz5, tr8, tr9, tdz1, E_fail} and sc21c: {lost4, tr13, tdz1, tdz5, E_fail}. The scenario sc21a corresponding to the crossing of the train without braking regroups the scenarios sc3, sc5 and sc11. The scenario sc21b corresponding to the crossing of the train with braking before stand still regroups the scenarios sc23, sc28, and sc44. The scenario sc21c representing to the crossing of the train after stand still corresponds to the scenario sc37. — In the case of the activation of the red traffic light after the yellow traffic light become defective in its activated mode (place dely4 marked) we find the scenario sc22a: {tr4, tr5, tdz1, tdz6, E_fail}, sc22b: {tdz6, tr8, tr9, tdz1, E_fail} and sc22c: {lost4, tr13, tdz1, tdz6, E_fail}. The scenario sc22a corresponding to the crossing of the train without braking regroups the scenarios sc1, sc2 and sc7. The scenario sc22b corresponding to the crossing of the train with braking before stand still regroups the scenario sc17, sc20 and sc34.The scenarios sc22c representing the crossing of the train after stand still corresponds to the scenario sc26.

110 Actes INRETS n°117 Extraction of critical scenarios in a radio-based railway level crossing control system

— In the case of the activation of the red traffic light when the traffic light become defective in its deactivated mode (place dely3 marked), we find the scenario sc23a: {tr4, tr5, dz1, tdz7, E_fail}, sc23b: {tdz7, tr8, tr9, tdz1, E_fail} and sc23c: {lost4, tr13, tdz1, tdz7, E_fail}. The scenario sc23a corresponding to the crossing of the train without braking regroups the scenarios sc6, sc9 and sc14. The scenario sc23b corresponding to the crossing of the train with braking before stand still regroups the scenario sc31, sc39 and sc51.The scenarios sc23c representing the crossing of the train after stand still corresponds to the scenario sc47. To facilitate the identification of the feared scenarios among the scenarios of normal operating, ESA_PetriNet tool illustrates them with different colour.

6. Conclusion We have presented in this paper one way of the safety analysis of a level crossing control system which consist on the extraction of feared scenarios. After a whole modelling of the level crossing control system par Petri net model, we have used ESA_PetriNet tool "Extraction & Scenarios Analyzer by Petri Net model" to extract the dangerous scenarios by taking into account the continuous aspect of the system and the temporal specifications. After analysing the extracted feared scenarios, we note the importance of adding a sensor to allow detection of road users in the danger zone to improve the security of the level crossing. Among the perspectives of this work the quantification of theses scenarios by a Monte Carlo simulation [Kalos and al 86] that has been implemented in ESA_PetriNet [Medjoudj and Labeau 2007]. We can also check different temporal constraints and taking into account the minimality of the scenarios to eliminate the unnecessary events and the redundancies.

7. References Avram, C. C., F. Basile, R. K. Boel, C. Carbone and P. Chiacchio, «A hybrid model for urban traffic control». IEEE Int. Conf. on Systems, Man, and Cybernetics (SMC'04), The Hague, Netherlands pp. 1795 -1800. 2004. Berthomieu B., Ribet P.O., Vernadat F., The tool TINA - Construction of abstract state spaces for Petri nets and time Petri nets. International Journal of Production Research, Vol.42, N°14, pp.2741-2756, 15 Juillet 2004. Collart-Dutilleul S., Deffossez F., Bon P., Safety requirements and p-time Petri nets : a level crossing case study, IMACS-IEEE Multiconference on Computational Engineering in Systems Applications, p.1118-1123, oct 2006.

Actes INRETS n°117 111 Safer European Level Crossing Appraisal and Technology

Demmou H., Khalfaoui S., Riviere N., Valette R., «Extracting critical scenarios from a Petri net model using linear logic», Journal Européen des Systèmes Automatisés (APII-JESA), Vol.36, N°7, p.987-999, 2002 Febbraro, A. Di, D. Giglio and N. Sacco, «Urban Traffic Control Structure Based on Hybrid Petri Nets». IEEE Trans. on Intelligent Transportation Systems, vol. 5, no. 4, pp. 224-237. 2004. Girard J.Y., « Linear Logic », Theoretical Computer Science, 50, p.1-102, 1987. Jansen L., Schnieder E., Traffic Control Systems Case Study : Problem Description and a Note on Domain-based Software Specification, Rapport, Technical University of Braunschweig, 2000. Kalos M.H., Whitlock P.A., «Mont Carlo methods», Volume I: basics, John Wiley and Sons, New York, 1986. Laprie J.C, « Dependability: basic concepts and terminology (in English, French, German, Italian, and Japanese), Vol.5, Springer, 1992, 265p. List, G.F. and M. Cetin, «Modeling traffic signal control using Petri nets». IEEE Trans. on Intelligent Transportation Systems, vol. 5, no. 3, pp. 177- 187. 2004. Malika Medjoudj, Pierre-Etienne Labeau., Estimation Monte Carlo de la probabilité d’atteindre des états redoutés basée sur la prédétermination de ces scénarios, PENTOM 2007, 2-10 juillet 2007, Mons, Belgique. 12 p Medjoudj M., « Contribution à l’analyse des systèmes pilotés par calculateurs: Extraction de scénarios redoutés et vérification de contraintes temporelles ». Thèse doctorale de l’Université Paul Sabatier. Mars 2006, Toulouse. Medjoudj M., Demmou H., Valette R., «ESA_PetriNet tool: Extraction Scenarios & Analyzer by Petri Net model: Application to the extraction of feared scenarios in a landing gears system», ESM’2006, European Simulation and Modeling Conference, 23-25 October 2006, LAAS, Toulouse, France, p. 375-382. Medjoudj M., Khalfaoui S., Demmou H., Valette R., «A method for deriving feared scenarios in hybrid systems»,Probabilistic Safety Assessment and Management (PSAM'7 - ESREL'04), 14-18 June 2004, Berlin, Allemagne. Murata T., “Petri nets: Propreties, analysis and applications,” Proc. IEEE, vol. 77, pp. 541-580, Apr. 1989. Padberg J., Gajewsky M., «Rule-Based Refinement of Petri Nets For Modeling Train Control Systems», In S. Kozak and M. Huba, editors, Proc. of the IFAC Conference on Control Systems Design (CSD'2000), pages 299-304. Elsevier Science, 2000. Wang, H., G.F. List and F. DiCesare, «Modeling and evaluation of traffic signal control using timed Petri nets». Proc. Systems, Man and Cybernetics, vol. 2, pp. 180-185. 1993.

112 Actes INRETS n°117

Appendix

Actes INRETS n°117 113

Session 1

Level crossing safety requirements

Actes INRETS n°117 115

Session 1: Level crossing safety requirements

Actes INRETS n°117 117 Safer European Level Crossing Appraisal and Technology

118 Actes INRETS n°117 Session 1: Level crossing safety requirements

Actes INRETS n°117 119 Safer European Level Crossing Appraisal and Technology

120 Actes INRETS n°117 Session 1: Level crossing safety requirements

Actes INRETS n°117 121 Safer European Level Crossing Appraisal and Technology

122 Actes INRETS n°117 Session 1: Level crossing safety requirements

Actes INRETS n°117 123

Session 2

SELCAT project current results

Actes INRETS n°117 125

Actes INRETS n°117 127 Safer European Level Crossing Appraisal and Technology

128 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 129 Safer European Level Crossing Appraisal and Technology

130 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 131 Safer European Level Crossing Appraisal and Technology

132 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 133 Safer European Level Crossing Appraisal and Technology

134 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 135 Safer European Level Crossing Appraisal and Technology

136 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 137 Safer European Level Crossing Appraisal and Technology

138 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 139 Safer European Level Crossing Appraisal and Technology

140 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 141 Safer European Level Crossing Appraisal and Technology

142 Actes INRETS n°117 Session 2: SELCAT project current result

Actes INRETS n°117 143 Safer European Level Crossing Appraisal and Technology

144 Actes INRETS n°117

Session 3

Level crossing appraisal

Actes INRETS n°117 145

Actes INRETS n°117 147 Safer European Level Crossing Appraisal and Technology

148 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 149 Safer European Level Crossing Appraisal and Technology

150 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 151 Safer European Level Crossing Appraisal and Technology

152 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 153 Safer European Level Crossing Appraisal and Technology

154 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 155 Safer European Level Crossing Appraisal and Technology

156 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 157 Safer European Level Crossing Appraisal and Technology

158 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 159 Safer European Level Crossing Appraisal and Technology

160 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 161 Safer European Level Crossing Appraisal and Technology

162 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 163 Safer European Level Crossing Appraisal and Technology

164 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 165 Safer European Level Crossing Appraisal and Technology

166 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 167 Safer European Level Crossing Appraisal and Technology

168 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 169 Safer European Level Crossing Appraisal and Technology

170 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 171 Safer European Level Crossing Appraisal and Technology

172 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 173 Safer European Level Crossing Appraisal and Technology

174 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 175 Safer European Level Crossing Appraisal and Technology

176 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 177 Safer European Level Crossing Appraisal and Technology

178 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 179 Safer European Level Crossing Appraisal and Technology

180 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 181 Safer European Level Crossing Appraisal and Technology

182 Actes INRETS n°117 Session 3: Level crossing appraisal

Actes INRETS n°117 183

Session 4

Level crossing knowledge platform

Actes INRETS n°117 185

Session 4: Level crossing knowledge platform

Actes INRETS n°117 187 Safer European Level Crossing Appraisal and Technology

188 Actes INRETS n°117 Session 4: Level crossing knowledge platform

Actes INRETS n°117 189 Safer European Level Crossing Appraisal and Technology

190 Actes INRETS n°117 Session 4: Level crossing knowledge platform

Actes INRETS n°117 191 Safer European Level Crossing Appraisal and Technology

192 Actes INRETS n°117 Session 4: Level crossing knowledge platform

Actes INRETS n°117 193 Safer European Level Crossing Appraisal and Technology

194 Actes INRETS n°117

Dépôt légal

Actes INRETS n°117 195

Laszlo TORDAI UIC A Roman SLOVÁK TUBS

ISSN 0769-0266

ISBN 978-2-85782-663-7 Actes INRETS n °117 LES COLLECTIONS DE L’INRETS