Fundamentals of Implementation of Safety Movement of Trains Under Integration of Control Systems With Hardware For Railway Infrastructure Facilities Monitoring

The document discusses integrating railway infrastructure monitoring systems with train control systems to improve safety. It describes how current train control systems ensure safety but cannot respond to issues with infrastructure that they do not directly interact with. Integrating monitoring systems could help address this by allowing them to send alarm signals to control systems and enforce speed limits if issues are detected.

The 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications

22-25 September, 2021, Cracow, Poland

Fundamentals of Implementation of Safety Movement of Trains under Integration of Control Systems with Hardware for Railway Infrastructure Facilities Monitoring

Dmitry Efanov 1,2, German Osadchy 2, Igor Aganov 2

1 Peter the Great St. Petersburg Polytechnic University, 29 Polytechnicheskaya str., St. Petersburg, Russian Federation, [email protected], https://www.spbstu.ru/
2 Scientific and Technical Center “Integrated Monitoring Systems” LLC, 4-K Fuchika str., St. Petersburg, Russian Federation, [email protected], https://ntc-ksm.ru/

978-1-6654-2605-3/21/$31.00 ©2021 IEEE

Authorized licensed use limited to: UNIVERSIDADE DE SAO PAULO. Downloaded on July 29,2022 at 23:34:25 UTC from IEEE Xplore. Restrictions apply.

Abstract—The authors show that safety systems of railway automation and remote control canʼt ensure safety when reaching the limit states of railway infrastructure objects with which they do not directly interact. This is the cause of the train traffic safety incident. Conditions for the safety train control system architecture are formulated. The necessity of integration of hardware for diagnostics and monitoring with train control systems in railway transport for the implementation of the barrier function is noted. It is proposed to output the alarm signal through the hardware interfaces to the train control systems for the speed limits data communication to the train movements controller and the locomotive driver when passing the object under test (up to a complete stop).

Keywords—railway automation and remote control systems, systems of diagnostics and monitoring, railway infrastructure objects, survivability index of the object being diagnosed, integration of control system with monitoring system, train traffic safety, barrier functions of monitoring system.

I. INTRODUCTION

Technical diagnostics and monitoring (TDM) systems are widely used in the field of automation of processes control and production, which fully applies to the infrastructure of the railway complex. In each of the facilities (artificial structures, tracks, power supply, automation and remote control, etc.), to maintain high failure robustness and safety of railway infrastructure objects, both manual and automated methods of technical diagnostics and monitoring are used. However, all these methods are designed to automatically obtain diagnostic information for its subsequent analysis by expert technologists. Therefore, TDM systems currently implement only one key function – automatic data acquisition & storage to automate maintenance procedures.

The development of monitoring technologies, the improvement of the hardware components for diagnostics equipment, and methods of recognition and classification of states, forecasting, and complex data analytics contribute to the increase in the number of functions implemented by TDM systems. A large amount of diagnostic information only leads to an increase in the workload on the expert technologist and does not contribute to a quantum leap in improving traffic safety. Today, the scientific community pays attention to this problem. It is high time to increase the importance of TDM systems (not only the railway automatics hardware are discussed here, but attention is paid to the monitoring systems of all the infrastructure facilities), linking them directly with the systems of railway automation and remote control (RARC), as the final links in the entire structure of devices ensuring the safety of train traffic, and their implementation of the barrier function. Please note that with the current state of the operating TDM systems and current regulatory framework, this is not so simple, but it does not look unrealizable either. Let us pay attention to the peculiarities of the implementation of RARC facilities, as well as the possibility of their integration with hardware for diagnostics and monitoring.

II. RAILWAY AUTOMATION AND REMOTE CONTROL SYSTEMS AND THEIR SAFETY

All specialists in the RARC have known since their student days that RARC systems ensure the safety movement of trains with the required traffic capacity [1, 2]. The architecture of RARC systems is built in such a way as to exclude all possible internal dangerous failures [3].

The theoretical foundations for the synthesis of safety RARC systems, for example, in Russia, were laid in the works of professors Sapozhnikovs [4, 5], where RARC systems are represented as single-cycle and multi-cycle machines (combinational circuits and finite-state machines, FSM). A dangerous failure is defined as a type II error in the operation of circuits – the appearance at the output (or outputs) of the circuit of a false signal of logical 1 (“control signal”), based on which the protection of the circuit from dangerous failures is determined and proposals are formulated for choosing the best structure of safety circuits. It is shown that there are different implementations for the same scheme, but they are different in terms of protection. The introduced concept of a dangerous failure allows proving the theorem on the absence of dangerous failures in a FSM.

Theorem 1. There are no dangerous failures in FSM if and only if for all false transitions $S_i \to S_f$ and for all false events $k$ the condition is satisfied:

$$E_{S_i \to S_f} E_f(k) \cap E_{\mathrm{dan}\,k} = \varnothing, \qquad (1)$$

where $E_{S_i \to S_f}$ is a set of words corresponding to false transitions of the FSM from the state $S_i$ to the state $S_f$; $E_f(k)$ is a set of words that transfer the FSM from the state $S_f$ to the states representing false events from the set $E_k$; $E_{\mathrm{dan}\,k}$ is a set of words that transfer the FSM into dangerous states.

The conditions introduced based on regular expressions made it possible to formulate algorithms for the synthesis of FSMs that exclude their transitions to dangerous states in case of any failures, the probability of which should be considered. To exclude dangerous failures in the FSM, it is sufficient to prohibit all dangerous false transitions.

Half a century later, the principles of implementation of RARC systems have not changed, and the concept of RARC safety is interpreted in the same and earlier formulated paradigm. RARC systems are implemented according to technologies that imply the use of highly reliable components, elements with asymmetric failure characteristics, self-checking circuits, principles of self-control and self-diagnosis, coding methods, redundancy, and diversification, etc. [6]. RARC systems are certified for compliance with the safety integrity level SIL 4 [7].

The safety of the transportation process in railway transport is understood as the ability of the transport system not to compromise the safety of the transported cargo, hardware, environmental objects, to the safety of the health and life of passengers, technical personnel, and the population in the zone of influence of the transportation process.

Here are a few counterexamples showing that although the RARC systems are implemented safely (internal failures do not lead to the initiation of dangerous situations in the movement of trains, external failures do not affect the ability of RARC to perform safety algorithms), but they do not exclude dangerous situations in the transportation process. For example, the widening of the track due to external destabilizing factors, the lowering of the rail as a result of the partial collapse of the ballast section, dangerous buckles of rails, etc. – these are those dangerous conditions of the track bed structure that will not be fixed by means of RARC: if there is an empty track for a movement, the track circuit will continue to work, and a permissive indication will light up at the signal protecting the section of the track. Another example is the collapse of the overhead structures and its falling into the zone of structure clearance conflict also will not lead to the automatic enabling the restrictive indication at the traffic light protecting the site (moreover, such an indication cannot be given in the RARC system manually when such a defect is detected, except by violating the principles of their operation). The RARC system is built in such a way that it is safe “in itself” but is not protected from failures of external and interacting with the rolling stock objects that do not directly trigger the automation devices (implementation of the “barrier function”). This feature of the interaction of railway infrastructure facilities is a consequence of a number of accidents and disasters, among which we can mention the recent collapse of the railway bridge across the Kola River (1436 km of the Oktyabrskaya railway, 1 June 2020) [8]. Here, the RARC system did not give an alarm signal to the locomotive, and only the attentiveness of the locomotive driver allowed to avoid a disaster.

The above examples show that the RARC systems realize functions of safety train passage with restrictions. These restrictions are associated with the principles of the implementation of automation equipment: they are simply not designed to record the technical condition of railway infrastructure facilities. RARC systems provide and control the spatial separation of trains, the automation equipment themselves, and partly the condition of the railway track.

Let us go back to expression (1). If we consider it in relation to the railway transport system, then the set $E_{\mathrm{dan}\,k}$ in it does not include any of words corresponding to false transitions in dangerous states of railway infrastructure facilities, and formula (1) itself does not provide the conditions for the transition to the set of safety states of protected states of the transport systems.

Theorem 2. Dangerous failures in the operation of railway infrastructure facilities will not appear when any of their transition to a set $E_{\mathrm{dan}\,j}$ of dangerous states will lead to a transition to a protected state of the train control system:

$$E_{S_i \to S_f} E_f(k) \cap E_{\mathrm{dan}\,j} = E_{\mathrm{saf}\,j}. \qquad (2)$$

In (2) $E_{\mathrm{saf}\,j}$ is a set of words that transfer the FSM into safety states.

Here, the protected state can be interpreted as a decrease in the speed of passing to a certain value, up to a complete stop (analog of a signal with different speed gradations). For example, due to the failure the bridge structures experience an abnormal load automatically recorded by technical diagnostics hardware, at which the speed of movement should be limited, but not the movement itself. Then this information can be “reported” to the train movements controller and the locomotive driver automatically. If the bridge collapsed, then an immediate signal should be received to stop traffic
(analog of a restrictive indication of a traffic light signal). These are two examples of protected states of the transport system. It should be emphasized that this protected state should be present precisely in the RARC system since it is responsible for generating a control signal for movement.

III. CONCEPT FOR THE IMPLEMENTATION OF A SAFETY TRAIN CONTROL SYSTEM

In Fig. 1, conventionally in the form of FSM subgraphs, a safety train control system is presented. For the RARC system, a fragment of the implementation of one of the control functions of floor-standing technological objects was selected. For TDM systems, two states are shown: 1 – parameters are OK, 2 – dangerous state of the object being diagnosed.

In the general case, $q$ TDM systems can be installed at the facility, each of which shall generate an “alarm” $y_j = 1$, $j \in \{i_1, i_2, \ldots, i_{q-1}, i_q\}$. These are TDM systems for track bed structure objects, overhead line suspension, bridges, the RARC equipment, etc., “high-level prototypes” of which are already used in railways [9–16]. Each of such TDM systems measures a number of parameters $X^{i_j} = x_1^{i_j} x_2^{i_j} \cdot \ldots \cdot x_{n_{i_j}-1}^{i_j} x_{n_{i_j}}^{i_j}$, $j \in \{i_1, i_2, \ldots, i_{q-1}, i_q\}$, generates information messages to its users, and also calculates a certain indicator (let us call it as survivability index of the object under diagnosis $I_L \in [0;1]$) and determines the alarm signal value $y_j = 1$, $j \in \{i_1, i_2, \ldots, i_{q-1}, i_q\}$.

The condition for the transition from any functional state $S_f$ of the train control system to the protected state $S_\Theta$ of the train control system can be written as:

$$S_f \to S_\Theta:\ y_{i_1} \vee y_{i_2} \vee \ldots \vee y_{i_{q-1}} \vee y_{i_q} = 1. \qquad (3)$$

The functional state $S_f$ here means any of the foreseen states of the RARC system (healthy, operative, or inoperative protective state [6]), are considered in its implementation. Strictly speaking, the signals $y_j$, $j \in \{i_1, i_2, \ldots, i_{q-1}, i_q\}$, from various TDM systems should be “included” into the signal groups of the RARC system during its improvement. The conditions for the transition of the RARC system from one state to another state are determined based on the values of the input actions of the system $X^a = x_1^a x_2^a \cdot \ldots \cdot x_{n_a-1}^a x_{n_a}^a$ and the generated vector of alarm signals $Y^a = y_{i_1} y_{i_2} \cdot \ldots \cdot y_{i_{q-1}} y_{i_q}$. In other words, the transitions are carried out when the inputs

$$X^a Y^a = \left(x_1^a x_2^a \cdot \ldots \cdot x_{n_a-1}^a x_{n_a}^a\right)\left(y_{i_1} y_{i_2} \cdot \ldots \cdot y_{i_{q-1}} y_{i_q}\right)$$

are affected, causing the output values of the system $Z = z_1 z_2 \cdot \ldots \cdot z_{p-1} z_p$, where $p$ is the set of outputs of the RARC systems. Also, one alarm signal $y = y_{i_1} \vee y_{i_2} \vee \ldots \vee y_{i_{q-1}} \vee y_{i_q}$, generated by a software tool (or a subsystem) with high operational reliability can be used to identify the dangerous state of the object under diagnosis and monitoring with a given reliability $D \in [0;1]$: $D > D_{\lim}$, $D_{\lim}$ – some specified limit of confidence value close to 1. In practice, this value should be normalized and standardized.

From the above considerations, it follows that the RARC facilities are the final links, which must not only ensure their safe functioning in the direct “contact” with the infrastructure facilities but also implement a barrier function when fixing the failures of the objects of the entire railway infrastructure. In addition, the precise following this paradigm in RARC facilities implementation will improve the safety of train traffic and reduce the risks of failure of railway infrastructure facilities.

Since the RARC systems in this paradigm are not implemented at present, their “build-up” can be used in the following sense:
1. Using the risk-based approach, the set of the most probable hazardous states of railway infrastructure facilities is determined.
2. Systems of automatic technical diagnostics and monitoring of parameters are being improved.
3. For each of the dangerous states, control measuring points, diagnostic periods and conditions for the occurrence of events are determined using mathematical modeling methods and technical diagnostics.
4. A subsystem for dangerous events recording is being implemented.
5. A subsystem for integrating with RARC objects is being implemented.

Thus, item 5 implies the presence of feedback for considering the monitoring results in the process of regulating train traffic (Fig. 2). The co-authors of this article have repeatedly spoken about the need for such a link in their speeches, reports, and articles.

Currently, there are no technical solutions that would allow linking the monitoring system with the train control system. First of all, this is not determined by regulatory documents, and the monitoring system does not impose requirements for compliance with any of the safety integrity levels. Thus, such integration is possible, but with a highly reliable and safe implementation of the monitoring system. This is definitely a technically difficult task that cannot be done instantly.

The use of technical monitoring hardware allows, in fact, to manage risks caused by failures of the object being diagnosed and from untimely maintenance and repairs (M&R). Here it is necessary to note the function of the possibility of managing the M&R processes, for example, justified and timely professional heating of railway overhead line suspension elements when detecting the conditions of ice formation using monitoring. In fact, the possibility of energy management and energy efficiency improvement of infrastructure facilities is being realized [17].

In the first case, it becomes possible to influence the value of the failure rate $\lambda_F$, which, given the constant
values of losses $\Pi_F$ from the failure effect to the technological process helps to reduce the risk due to failure:

$$R_F = \Pi_F \lambda_F. \qquad (4)$$

In the second case, it becomes possible to influence the value of the intensity of M&R $\lambda_M$, which, with constant values of losses $\Pi_M$ from a decrease the speed of the technological process, helps to reduce the risk from maintenance:

$$R_M = \Pi_M \lambda_M. \qquad (5)$$

A decrease in $\lambda_F$ value is possible due to early diagnosis of developing malfunctions and detection of catastrophic (limit, pre-failure and other synonyms used in various fields of technology) condition. A decrease in $\Pi_M$ value is possible due to the formation of the predicted service times of the device and an increase in the service life of the object under diagnosis. Thus, the operation of TDM systems is aimed at minimizing the risk of losses from the operation of the railway infrastructure:

$$\begin{cases} R_F(\lambda_F) \to \min\limits_{\lambda_F \in \lambda_F}; \\ R_M(\lambda_M) \to \min\limits_{\lambda_M \in \lambda_M}. \end{cases} \qquad (6)$$

Reducing risks (6) also helps to reduce dangerous failures in the operation of infrastructure facilities of the railway complex.

Fig. 2 shows the elements of hardware and software controls in rectangular blocks, and processes, messages, actions in blocks with rounded edges. The implementation of TDM systems shall make it possible to move from the automation of measurement procedures to the formation of road maps for the maintenance of facilities under diagnosis, risk management from failures and untimely M&R, as well as to the generation of an alarm signal for the implementation of the barrier function. Data storage and data processing systems, as well as the organization of ETL (from English “Extract, Transform, Load”) processes for such a system, require careful engineering study at the design and development stage.

Monitoring systems shall have universal structures that ensure their modular and easily integrated implementation, which contributes to an increase in the technical immunity of the objects being diagnosed. The integration of TDM systems with train control systems significantly increases the resistance of the latter to manifestations of external destabilizing factors and makes it possible to exclude potential cases of reduced train traffic safety.

[Figure 1. Principles of TDM systems and train control systems integration. The figure shows the safety train control system: a fragment of the graph of the RARC system (states 1 to 4 and the protected state Θ, entered when y = 1) and the 1st to q-th TDM systems, each with states 1 (alarm output 0) and 2 (alarm output 1).]

[Figure 2. Structure of a safety train control system. Blocks named in the figure: Technological Process (Transportation Process); Safety train control system; RARC system; risk due to failure, $R_F = \Pi_F \lambda_F$, and risk due to prolonged M&R, $R_M = \Pi_M \lambda_M$, with management of risks due to failures and due to untimely M&R; object under diagnostics with “Failure” events ($\lambda_F$) and “Maintenance” events ($\lambda_M$); sensors and transducers; polling and control algorithms; data storage and data processing devices; algorithms for filtering “raw” data, synchronization, data classification; hardware and software tools for storing, analyzing data, and forming a “Digital Twin”; diagnosis and forecast; survivability index $I_L \in [0;1]$; residual resource; information messages; alarm $y_j$; TDM system.]

The authors of the article propose at the first stage the integration with the RARC systems in some indirect form – to transfer the alarm signal from the monitoring facilities to the dispatch control system of the RARC devices. Further, this information is perceived by the station duty officer and the train movements controller, which will allow, although not automatically, but much more quickly than in the event of a dangerous event with the direct participation of mobile units [18]. In addition, it is advisable to connect also with warning systems for workers on the way and drivers through train talker. Following such a paradigm, the authors of the paper laid down the possibility of implementing the barrier function in the developed engineering structure monitoring system (ESMS) of railway bridge crossings.
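
An added example, not code from the paper: a small model of condition (3) and of the protected state described in Sections II and III, contrasting a RARC fragment that ignores TDM alarms with the integrated one. The state graph, the thresholds `D_LIM` and `I_L_ALARM`, the speed gradation table and the sample reports are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

THETA = "THETA"              # protected state S_Theta of the train control system
D_LIM = 0.95                 # assumed D_lim; the paper only requires "close to 1"
I_L_ALARM = 0.5              # assumed survivability threshold for raising y_j
FUNCTIONAL_STATES = (1, 2, 3, 4)
INPUTS = ("free", "occupied")

# Constructed fragment of a RARC graph (illustrative, not the graph of Fig. 1):
# the state advances while the protected section stays free.
RARC_DELTA = {(s, "free"): min(s + 1, 4) for s in FUNCTIONAL_STATES}
RARC_DELTA.update({(s, "occupied"): 1 for s in FUNCTIONAL_STATES})


@dataclass(frozen=True)
class TdmReport:
    system: str    # monitored object: bridge, track bed, overhead line, ...
    i_l: float     # survivability index I_L in [0, 1]
    d: float       # reliability D of the diagnosis in [0, 1]


def alarm(report):
    """y_j = 1 only for a dangerous state diagnosed with D > D_lim."""
    return int(report.i_l < I_L_ALARM and report.d > D_LIM)


def combined_alarm(reports):
    """y = y_i1 OR y_i2 OR ... OR y_iq."""
    return int(any(alarm(r) for r in reports))


def step_rarc_only(state, x):
    """RARC without integration: the transition depends on X^a only."""
    return RARC_DELTA[(state, x)]


def step_integrated(state, x, y_vector):
    """Condition (3): any functional state S_f goes to S_Theta when y = 1."""
    if state == THETA or any(y_vector):
        return THETA          # latched; the release procedure is not modelled
    return RARC_DELTA[(state, x)]


def barrier_holds(q):
    """Exhaustively check condition (3) for q TDM systems."""
    for s, x in product(FUNCTIONAL_STATES, INPUTS):
        for y in product((0, 1), repeat=q):
            expected = THETA if any(y) else step_rarc_only(s, x)
            if step_integrated(s, x, y) != expected:
                return False
    return True


def speed_limit_kmh(reports, line_speed=120):
    """Protected state as a speed gradation; 0 means a complete stop.

    The gradation table is an assumption made for this example.
    """
    alarming = [r.i_l for r in reports if alarm(r)]
    if not alarming:
        return line_speed
    worst = min(alarming)
    if worst == 0.0:
        return 0              # object destroyed, e.g. a collapsed bridge span
    return 25 if worst < 0.25 else 60


# Constructed sample reports from q = 3 TDM systems.
SAMPLE = [
    TdmReport("bridge", i_l=0.10, d=0.99),         # dangerous, reliable
    TdmReport("track bed", i_l=0.90, d=0.99),      # parameters are OK
    TdmReport("overhead line", i_l=0.30, d=0.60),  # dangerous but D <= D_lim
]

if __name__ == "__main__":
    y = [alarm(r) for r in SAMPLE]
    print("alarm vector:", y, "combined y =", combined_alarm(SAMPLE))
    print("RARC only:", step_rarc_only(3, "free"))
    print("integrated:", step_integrated(3, "free", y))
    print("speed limit, km/h:", speed_limit_kmh(SAMPLE))
    print("condition (3) holds for q = 3:", barrier_holds(3))
```

With the sample reports the RARC-only fragment moves from state 3 to state 4 on a free section, while the integrated fragment moves to the protected state and a speed restriction applies.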

IV. CONCLUSIONS

The authors of the article draw attention to the fact that the train control systems implemented in the modern paradigm are safe with regard to the spatial separation of trains, but not safe taking into account the state of the railway infrastructure, with which they do not directly interact. The conditions are formulated under which it is possible to significantly increase the safety of train traffic, taking into account the technical condition of railway infrastructure facilities. Implementation of a safety train control system is possible by integrating the TDM systems with the RARC systems. In this case, alarms should in a semi-automated (and subsequently in the fully automatic) mode implement barrier functions to limit the speed of trains in the event of a dangerous situation at the object being diagnosed (up to a complete stop of the train).

It should be noted that in the future (and in the very near future), the monitoring systems will be integrated with protective signals, facilities of alerting track workers, as well as with coding subsystems transmitting signals along the rails to the locomotive. This is possible only if the regulatory framework and the TDM systems themselves are improved to such a level that will make it possible to diagnose with high reliability and predict changes in the state and parameters of the objects being diagnosed.

REFERENCES

[1] T. Takashige “Signalling Systems for Safe Railway Transport”, Japan Railway & Transport Review 21, 1999, pp. 44-50.
[2] C. Hall “Modern Signalling: 5th edition”, UK, Shepperton: Ian Allan Ltd, 2016, 144 p.
[3] G. Theeg, and S. Vlasenko “Railway Signalling & Interlocking: 3ed Edition”, Germany, Leverkusen PMC Media House GmbH, 2020, 552 p.
[4] V.V. Sapozhnikov, and Vl.V. Sapozhnikov “On Synthesis of Finite Automata Excluding Dangerous Failures”, Automation and Remote Control, 1972, Vol. 33, Issue 8, pp. 1331-1335.
[5] Vl.V. Sapozhnikov “Synthesis of Train Traffic Control Systems at Railway Stations with the Exception of Dangerous Failures” (in Russ.), Moscow: Nauka, 2021.
[6] D.V. Gavzov, V.V. Sapozhnikov, and Vl.V. Sapozhnikov “Methods for Providing Safety in Discrete Systems”, Automation and Remote Control, 1994, vol. 55, issue 8, pp. 1085-1122.
[7] D.J. Smith, and K.G.L. Simpson “Functional Safety: A Straightforward Guide to IEC 61508 and Related Standards”, Butterworth-Heinemann; 1st edition (June 26, 2001), 208 p.
[8] Russia's Rail Link to Port of Murmansk Severed by Bridge Collapse, https://www.reuters.com/article/us-russia-bridge/russias-rail-link-to-port-of-murmansk-severed-by-bridge-collapse-idUSKBN2390X7
[9] Y. Park, S.Y. Kwon, and J.M. Kim “Reliability Analysis of Arcing Measurement System Between Pantograph and Contact Wire”, The Transactions of the Korean Institute of Electrical Engineers, 2012, Vol. 61, No. 8, pp. 1216-1220.
[10] T. Asada “Novel Condition Monitoring Techniques Applied to Improve the Dependability of Railway Point Machines”, University of Birmingham, UK, Ph. D. thesis, May 2013, 149 p.
[11] T. Böhm “Remaining Useful Life Prediction for Railway Switch Engines Using Artificial Neural Networks and Support Vector Machines”, International Journal of Prognostics and Health Management 8 (Special Issue on Railways & Mass Transportation), December 2017, pp. 1-15.
[12] H. Wang, A. Núñez, Z. Liu, J. Chen, and R. Dollevoet “Intelligent Condition Monitoring of Railway Catenary Systems: A Bayesian Network Approach”, The 25th International Symposium on Dynamics of Vehicles on Roads and Tracks, 14-18 August 2017, Rockhampton, Australia, pp. 1-6.
[13] Z. Liu, and Vl.L. Markine “Correlation Analysis and Verification of Railway Crossing Condition Monitoring”, Advanced Sensors for Real-Time Monitoring Applications, eds. O. Korostynska and A. Mason, MDPI, Basel, Switzerland, 2021, pp. 223-243, doi: 10.3390/s19194175.
[14] T. Neumann, D.N. Guzmán, and J.C. Groos “Transparent Failure Diagnostics for Railway Switches Using Bayesian Networks”, Signal+Draht, 2019 (111), issue 12, pp. 23-31.
[15] M. Wernet, M. Brunokowski, P. Witt, and T. Meiwald “Digital Tools for Relay Interlocking Diagnostics and Condition Assessment”, Signal+Draht, 2019 (111), issue 11, pp. 39-45.
[16] H. Wang, A. Núñez, Z. Liu, J. Chen, and R. Dollevoet “Intelligent Condition Monitoring of Railway Catenary Systems: A Bayesian Network Approach”, The 25th International Symposium on Dynamics of Vehicles on Roads and Tracks, 14-18 August 2017, Rockhampton, Australia, pp. 1-6.
[17] D.W. Efanow, and G.W. Osadtschiy “Energy Efficiency Categories for Safety Installations”, Signal+Draht, 2020 (112), issue 4, pp. 36-42.
[18] J.M. Kokurin, and D.V. Efanov “Technological Foundations of Traffic Controller Data Support Automation”, Proceedings of 17th IEEE East-West Design & Test Symposium (EWDTS’2019), Batumi, Georgia, September 13-16, 2019, pp. 176-180, doi: 10.1109/EWDTS.2019.8884410
