Design and Implementation of a Novel Architecture for the Safety Level Improvement in Automatic Train Operations


Cataldo Luciano Saragaglia, Giovanni Mezzina, Mario Barbareschi, Giuseppe Narracci, Diana Serra and Daniela De Venuto

Institution(s)

Polytechnic of Bari and Rete Ferroviaria Italiana SpA

Presentation type

Technical presentation

Abstract

By its general definition, a system is safety-critical when its failure can lead to loss of life or to significant property or environmental damage. Safety-critical Systems (SCSs) are found in a wide range of domains, from civil and military infrastructure (e.g., nuclear and power plants) and transportation (e.g., aerospace, railway, automotive) to space, telecommunications, medical devices, and so on.

Using a proof-of-concept application in the railway sector, specifically in the Automatic Train Operation (ATO) framework, we present the steps that we carried out jointly with Rete Ferroviaria Italiana to design a safety-oriented architecture, starting from a risk analysis, passing through the identification of the most critical scenarios, and ending with the design and testing phases.

To date, Autonomous Trains (ATs) embed the Automatic Train Operation (ATO) framework under the supervision of the European Train Control System (ETCS) [1]. However, the nature of AT missions can lead to ETCS deactivation and, thus, to unsafe scenarios. Currently, no solution allowing safe ATO without ETCS supervision has been proposed. To bridge this gap, we designed and tested a first-of-a-kind model-based architecture implementing the application layer of an onboard vital control board that partially replaces the ETCS.

The proposed architecture monitors various equipment of the ATO framework, performing a real-time analysis of its inputs: vital signals, received through dedicated interfaces, are used to evaluate the overall operability of the system, and data from the tachometer sensors are used to compute the speed of the train [2].

The system directly controls the activation and the reset of the emergency brakes (to bring the train into the safest condition) and can use all of the above information to stop the train in hazardous situations. The implemented model uses a deterministic event-tree logical network for dynamic hazard assessment. The system also proposes hazard mitigation actions and provides an interface for remote commands and supervision by the trackside-connected operator, realizing a human-in-the-loop (HIL) framework.
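The C sketch below is an added illustration, not the authors' Simulink/Stateflow model, of the control structure described in the two paragraphs above: train speed is derived from redundant tachometer pulse counts, the vital-signal states and the speed are walked through a fixed-order event tree whose first reached leaf decides the emergency brake, the board only takes over when the ETCS interface is isolated or in fault, and a brake demand is latched until the trackside operator issues a reset (the HIL path). Every parameter (pulses per revolution, wheel circumference, sampling window, speed ceiling, channel tolerance) and every interface name is an assumption chosen for the example.

```c
/* Added example: deterministic event-tree supervision for an ETCS-isolated ATO.
 * All constants and interface names below are assumptions, not the paper's values. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PULSES_PER_REV       100U  /* tachometer pulses per wheel revolution (assumed) */
#define WHEEL_CIRC_MM       2800U  /* wheel circumference in mm (assumed) */
#define SAMPLE_MS            100U  /* pulse-count sampling window in ms (assumed) */
#define ISOLATED_VMAX_KMH10  300U  /* 30.0 km/h ceiling while ETCS is isolated (assumed) */
#define TACHO_TOL_PULSES       5U  /* allowed disagreement between channels (assumed) */

typedef enum { VITAL_OK = 0, VITAL_FAULT = 1, VITAL_TIMEOUT = 2 } vital_state_t;

typedef struct {
    vital_state_t etcs;          /* ETCS supervision interface state */
    vital_state_t tacho_a;       /* tachometer channel A health */
    vital_state_t tacho_b;       /* tachometer channel B health */
    vital_state_t integrity;     /* train-integrity vital loop */
    uint32_t      pulses_a;      /* channel A pulses counted in the last window */
    uint32_t      pulses_b;      /* channel B pulses counted in the last window */
    bool          op_brake_cmd;  /* remote brake request from the trackside operator */
    bool          op_reset_cmd;  /* remote reset request (human in the loop) */
} vital_inputs_t;

typedef enum {
    HZ_NONE = 0, HZ_OPERATOR, HZ_INTEGRITY_LOST, HZ_TACHO_FAULT,
    HZ_TACHO_DISAGREE, HZ_OVERSPEED
} hazard_t;

typedef struct {
    bool     brake;    /* emergency brake demanded in this cycle */
    bool     latched;  /* demand held over from an earlier cycle */
    hazard_t hazard;   /* event-tree leaf that produced the demand */
} decision_t;

/* Train speed in tenths of km/h from the average pulse count of both channels.
 * 64-bit intermediates keep the fixed-point arithmetic free of overflow. */
uint32_t speed_kmh10(uint32_t pulses_a, uint32_t pulses_b)
{
    uint64_t pulses  = ((uint64_t)pulses_a + pulses_b) / 2U;
    uint64_t dist_mm = pulses * WHEEL_CIRC_MM / PULSES_PER_REV;
    uint64_t mm_s    = dist_mm * 1000U / SAMPLE_MS;
    return (uint32_t)(mm_s * 36U / 1000U);           /* mm/s -> km/h x 10 */
}

/* Walk the event tree in a fixed order; the first leaf reached decides,
 * so the same inputs always give the same, reviewable outcome. */
static hazard_t evaluate_tree(const vital_inputs_t *in)
{
    if (in->op_brake_cmd)          return HZ_OPERATOR;
    if (in->integrity != VITAL_OK) return HZ_INTEGRITY_LOST;

    bool a_ok = (in->tacho_a == VITAL_OK), b_ok = (in->tacho_b == VITAL_OK);
    if (!a_ok && !b_ok)            return HZ_TACHO_FAULT;   /* no trusted speed */

    /* with one channel down, the healthy one is used for both terms */
    uint32_t pa = a_ok ? in->pulses_a : in->pulses_b;
    uint32_t pb = b_ok ? in->pulses_b : in->pulses_a;
    if (a_ok && b_ok) {
        uint32_t diff = (pa > pb) ? pa - pb : pb - pa;
        if (diff > TACHO_TOL_PULSES) return HZ_TACHO_DISAGREE;
    }
    if (speed_kmh10(pa, pb) > ISOLATED_VMAX_KMH10) return HZ_OVERSPEED;
    return HZ_NONE;
}

/* One control cycle; `prev` carries the brake latch from the previous cycle. */
decision_t supervise(const decision_t *prev, const vital_inputs_t *in)
{
    decision_t d = { false, false, HZ_NONE };
    if (in->etcs != VITAL_OK) {      /* ETCS isolated or in fault: board takes over */
        d.hazard = evaluate_tree(in);
        d.brake  = (d.hazard != HZ_NONE);
    }
    /* Safe-side latch: a demand is held until the operator resets it and
     * no hazard remains, so a transient recovery cannot release the brake. */
    if (!d.brake && prev->brake && !in->op_reset_cmd) {
        d.brake = true; d.latched = true; d.hazard = prev->hazard;
    }
    return d;
}

int main(void)
{
    /* constructed scenario: ETCS drops out while the train runs at ~100 km/h */
    vital_inputs_t in = { VITAL_FAULT, VITAL_OK, VITAL_OK, VITAL_OK, 100U, 100U, false, false };
    decision_t idle = { false, false, HZ_NONE };
    decision_t d = supervise(&idle, &in);
    printf("speed=%u.%u km/h brake=%d hazard=%d\n",
           speed_kmh10(100U, 100U) / 10U, speed_kmh10(100U, 100U) % 10U, d.brake, d.hazard);
    return 0;
}
```

The tree order encodes the safety priority: an operator demand and a lost integrity loop are acted on before any speed reasoning, and a loss of both speed channels brakes rather than guessing. The latch is what gives the operator a genuine role in the loop: the board can apply the brake on its own within the cycle time, but only a trackside reset with all hazards clear releases it.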

The model-based architecture has been implemented in Simulink/Stateflow, confirming its compliance with the MISRA C and EN 50128 constraints [3]. The generated code has been integrated on a dedicated vital control board that uses an AVNET® UltraZed-EG (AES-ZU3EG) as its computation core. Test results on intervention timing in unsafe scenarios showed that the proposed safety-oriented system reacts in real time (max 12 ms), bringing the train into a safe condition. The intervention time achieved eliminates the need for human intervention to activate the emergency braking system when the ETCS is isolated or in fault.

References

[1] M. Ďuračík, E. Kršák, M. Meško and J. Ružbarský, "Software architecture of Automatic Train Operation," in 2019 IEEE 15th International Scientific Conference on Informatics, 2019, pp. 000051-000054.

[2] J. Hwang and H. Jo, "RAMS management and assessment of railway signaling system through RAM and safety activities," in 2008 International Conference on Control, Automation and Systems, 2008, pp. 892-895.

[3] CENELEC EN 50128, Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems.