On the safety assessment of an automatic train operation system

The paper examines the automatic train operation system as part of the locomotive control and protection system, the remote supervision centre’s means for control of onboard and trackside machine vision facilities. The focus is on the dependence of the system’s safety and dependability on the dependability characteristics of its components and adverse weather effects. The criteria of a system’s wrong-side and right-side failures were defined, the graph models were constructed of the safety and dependability states of an automatic train operation system. The Markovian graph method of calculating the safety and dependability of complex systems was substantiated. That allowed defining such key safety indicators of an automatic train operation system as the mean time to wrong-side failure, probability of wrong-side failure, wrong-side failure rate. The study established that the safety of an automatic train operation system primarily depends on the dependability of machine vision facilities. The growth of the system’s wrong-side failure rate is limited to half the failure rate of machine vision facilities. It was also established that the dependability of an automatic train operation system is defined by the failure rate of a locomotive control and protection system and the failure rate of machine vision facilities. The conducted analysis allows concluding that in order to achieve an acceptable level of safety of an automatic train operation system, efforts should focus on machine vision redundancy, ensuring the SIL4 functional safety of on-board and trackside machine vision facilities, as well as regular comparison of the outputs of on-board and trackside machine vision facilities, redundant output comparison, integration of the outputs in motion. Additionally, adverse weather effects are to be countered by improving the efficiency of machine learning of the machine vision software.


Introduction
Ensuring the safety of a complex technical system, in which information is processed using neural networks, requires special methods of safety case preparation [1].
The primary problem associated with the development of such a method consists precisely in the fact that the above computer system is unstable in terms of the structure of the information processing algorithm, and classical methods of probabilistic estimation in the form of two or more independent hardware and software information processors, application of different software products in the processors, etc. [2] are difficult to use as part of the safety case preparation.
That is why redundant information processors in the form of onboard machine vision cameras for safe obstacle detection are unlikely to achieve the required safety level due to the unknown testing time of such a self-trained, i.e., ever-changing, system for vital information processing.
Braband and Schäbe [1] intended to use statistical methods for safety case preparation, and also proposed the obligatory inclusion in the processing system of an additional device whose safety could be proven by conventional means due to its unchanging structure.
Shubinsky and Rozenberg [3,4] proposed using the so-called multi-level structures for safety case preparation that allow integrating safe systems and information systems with the introduction of the information processing criterion subject to the safety requirements. This approach has shown good results in the development of advanced onboard and trackside safety systems. An extremely important property of system safety evaluation was also used, i.e., obtaining reliable information on a facility's background in terms of safety.
For the purpose of safety case preparation of an intelligent system with a neural network, the principles of multi-level safety system should be used. The difference is that, in this case, the focus should be not on an individual intelligent device, i.e., an onboard machine vision camera, but on an entire system of technical assets within the locomotive's area of operation.
Indeed, the operation of a locomotive camera with a pre-designed software for processing obstacle information depends not only on the prior measures aimed at training the neural network, but also on specific factors that affect the operation of the camera hardware, software faults, etc. In addition, it should be noted that the effects of the external environment, i.e., snow, fog, rain, cause changes within the obstacle acquisition area, which directly affects safety, as it is associated with the length of the trains' braking path.
In this context, the situation ahead of the train is additionally monitored from the special control centre, where an operator driver supervises several locomotives [5].
The difficulty of this method consists in the fact that the critical component is the operator driver's response that, in turn, depends on the stability of the video image transmission from the onboard camera and the dependability of the broadband radio communications in a particular location.
On the other hand, dividing the information processing into two sub-processes (in the form of internal intelligent processing of information onboard for the purpose of decision-making on the track vacancy and in the form of communication of the original visual information to the operator driver for decision-making) allows improving safety. The criterion in this case is that the onboard system should have a high probability of false alarm, while the operator driver can rectify this situation using a special command transmitted to the locomotive by radio. In practice, if this principle was not used, driverless systems would stop, for instance, because of a plastic bag on the track.
It should be noted that the system includes trackside devices that supervise track vacancy in places with poor visibility [5]. Information from those trackside systems is communicated to the locomotive in real time, which greatly improves train safety. Thus, the used model is simplified, but it enables an analytical study of the problem. That constitutes the superiority of this approach to the construction of the research model as compared to more complex models. An interesting feature of the interaction between trackside and onboard machine vision assets is that, under the same environmental conditions, they can see the same objects either in the line of sight, or from different, including inverse, observation points.
The existence of objects acquired by two independent systems allows using this feature for cross-supervision of intelligent equipment, especially for the purpose of development of correct solutions by onboard intelligent systems that operate in more severe operating conditions (speed of movement, visibility limitations, etc.). The object comparison output can have the form of a comparison of images processed by trackside and onboard cameras represented as pre-processed image models, or it can contain an assumed inversion of the image of the same object if it is aimed by machine vision cameras from opposite points. This predefined feature of the output comparison safety system enables an improved independence of information processing. Each technical asset, including video cameras, contains elements of internal testing as a prerequisite factor when calculating their level of safe operation. Given that a comprehensive testing of an intelligent system with a neural component is a difficult matter, self-diagnosis using predefined observation objects should be employed. For instance, near the railway tracks, within the area covered by machine vision cameras or lidars, there are traffic lights, control cabinets, power and communication masts that are clearly associated with the linear coordinates, moreover if the locomotive uses a 3D map of the infrastructure assets.
Thus, the acquisition of such assets actually allows testing onboard cameras and sensors taking into account the parameters of detection distance and type of asset identification. If the rate of acquisition of such objects is high enough, then, for the distance of the locomotive's movement between these points, the probability of no failure or distortion of the information processing algorithm onboard can be calculated. The advantage of such method is the completeness of information processing, when, along the internal hardware testing, the required level of system safety can be achieved. The system itself in this case is a "black box", but with absolutely known outputs within an absolutely known space coordinate.

Conceptual safety model of an automatic train operation system
An automatic train operation system includes the following key facilities:
• onboard train control and protection equipment;
• supervision centre equipment;
• trackside machine vision facilities;
• onboard machine vision facilities.
The conceptual safety model of an automatic train operation system contains a description of the dependability and safety states of the system's component facilities, their interrelations, as well as the effects of adverse weather conditions. This model is presented in the form of a system safety state graph (Fig. 1).
For the purpose of system safety model construction, the following criterion of wrong-side failure is adopted: the failure of machine vision facilities and the remote supervision centre or undetected failure of the locomotive's control and protection system. Criterion of right-side failure: the failure of trackside machine vision facilities, remote supervision centre and adverse weather effects or detected failure of the locomotive's control and protection system. The mathematical description of the model will be based on the following considerations. The system is new and unique, no statistical information about it is available. Therefore, the system's random values distribution laws are not established. Based on the existing experience in railway control systems, it can be safely assumed that failures of such electronic devices, as the locomotive control and protection system, supervision centre equipment and machine vision facilities, are exponentially distributed. This assumption does not apply to random values of time to device restoration after failures, much less to random adverse weather effects. The problem of disturbing effects was theoretically examined by Schäbe and Viertl in [6]. Those models are also applicable to adverse weather effects. In order to ensure adequate results, the authors were forced to use a complex mathematical description of the random process of adverse effects on the locomotive's control system. The above circumstances complicate their practical application in mathematical simulation of the safety of the automatic train operation system.
In the absence of practical information, it is very difficult to predict the quantitative safety indicators of the automatic train operation system. In this paper, in the context of great uncertainty, we aim to identify the most significant factors affecting the system's safety. The assumption of the simplest flows of random events in the automatic train operation system fits this purpose. The simplest flows are ordinary, stationary and have no aftereffect. Due to the great uncertainty of the initial conditions their application, on the one hand, does not favour an accurate prediction of the safety characteristics of the system's behaviour. On the other hand, the resulting outputs can be considered as prerequisites guaranteed from below (as the worst case) to the construction of a safe automatic train operation system through neutralization of the most significant identified negative factors. Thus, the used model is simplified, but it enables the analysis of the problem. That constitutes the advantage of this approach over more complex models. Based on the above assumptions, let us adopt an exponential distribution of failures $F_i(t)$ and restorations $Q_i(t)$ of equipment components: where $\lambda_1$ is the failure rate of the locomotive control and protection system; $\lambda_2$ is the failure rate of the supervision centre equipment; $\lambda_3$ is the failure rate of the trackside machine vision facilities; $\lambda_4$ is the failure rate of the onboard machine vision facilities; $\mu_1$ is the restoration rate of the locomotive control and protection system; $\mu_2$ is the restoration rate of the supervision centre equipment; $\mu_3$ is the restoration rate of the onboard machine vision facilities; $\mu_4$ is the restoration rate of the trackside machine vision facilities and supervision centre equipment.
It is assumed that a failure of the locomotive control and protection system is detected with the probability of correct detection $\alpha$. A possibility of non-detection of a failure of the locomotive's system exists and is . The probability of false detection is negligible.
Based on the above assumptions, let us assume that the law of distribution of random adverse weather conditions has the form $H(t) = 1 - \exp(-\gamma t)$, where $\gamma$ is the rate of their effect on the safety of the automatic train operation system.
Under the above assumptions, the safety-specific behaviour of the automatic train operation system is represented by a Markov process.
For that purpose, we find the input parameters of the system safety model in the subsets of good (up and protective) states according to the graph in Fig. 1.
The distribution functions of the unconditional good time of the system presented with the state graph in Fig. 1 are as follows: (1) Hazardous states 6 and 7, as well as the edges that are part of those states, are excluded from the mathematical description as the study covers the behaviour of the automatic train operation system before it enters hazardous states.
The mathematical expectations of the system's good times are as follows: ; . (2) The probability of transitions between states $i$, $j$ of the system is identified using formula , where $\lambda_{ij}$ is the rate of the system's transition from state $i$ to state $j$. For example, the rate of transition from initial state 0 to state 1 (Fig. 1)

Results of the analysis of the safety indicators of the automatic train operation system
Using Shubinsky's Markovian graph method of calculating the safety of complex systems [7], such key safety indicators of an automatic train operation system as the mean time to wrong-side failure $T_{WS}$, the probability of wrong-side failure $G_{WS}(t)$ and the wrong-side failure rate $\lambda_{WS}$ can be identified.
The key safety indicator, mean time to wrong-side failure $T_{WS}$, is identified using method [8] where is the weight of the expansion of the graph without the initial node 1 and the set of hazardous states $S_{WS} = \{6, 7\}$ and associated graph edges; is the weight of the expansion of the graph without the set of hazardous states and associated graph edges; is the weight of the $k$-th path from node $i$ to node $j$; is the weight of the expansion of the graph without the nodes situated on the $k$-th path and without node $j$ in the set of non-hazardous states $S_{NH} = \{0, 1, 2, 3, 4, 5, 8\}$.
All boundaries intersect, since they have a common node 0.
Since, in actual control systems, the restoration and failure rates of electronic equipment satisfy $\lambda_i \ll \mu_i$, the explicit expressions of the model's initial parameters can be significantly simplified with an error not exceeding the first order of smallness. It is to be taken into account that the restoration rates of such trackside electronic assets as the supervision centre and machine vision facilities are almost identical, and deviations of tens of percentage points do not significantly affect the final results in the context of the above ratio between the failure and restoration rates. Then $\mu_2 = \mu_4 = \mu$ and $\mu_1 = \mu_3 = k\mu$ $(0 < k \le 1)$, where $k$ is the coefficient of logistical delays of restoration of onboard assets of the automatic train operation system.
The above changes in the initial parameters apply to the distribution functions , , , expectations and , transition probabilities , .
Indeed, according to NPRD-2011 camera sub-assembly [9], the failure rate of the machine vision facilities is to be and for the supervision centre. According to EN 50129 [10], the failure rate of the locomotive control and protection system must be SIL4, i.e., . According to IEC 61508-2 (A4, first line) [12], the probability of non-detection of failure is to be less than . In most cases, the restoration rate of the electronic programmable equipment of the automatic train operation system exceeds , which is higher than the failure rate by four or more orders of magnitude. This allows (within an acceptable margin of error) excluding from the explicit expression those terms of the sum that are several orders of magnitude smaller than the other terms. The above considerations allow reducing the explicit expression (6) of the mean time to wrong-side failure of the automatic train operation system to an acceptable applied mathematical expression , where (7) Upon transformation of formula (7), we deduce that, with an error not exceeding the first order of smallness, the mean time to wrong-side failure of the automatic train operation system can be represented as , (8) The limit value of the time to wrong-side failure of an automatic train operation system occurs in the absence of adverse weather effects ( ) and when compliance with IEC 61508-2 [11] ( ) is ensured. By substituting these values into formula (8), we deduce the output of the mathematical simulation. It indicates that the safety of an automatic train operation system primarily depends on the dependability of the machine vision facilities, i.e., .
If the failure rate values of the trackside and onboard machine vision facilities are close, this expression modifies into , where $T$ is the mean time to failure of the machine vision facilities.
As the system's flow of wrong-side failures is multiply rarefied in relation to the right-side failure flow of the initial item, which is a simplest one, then, according to [12,13], a multiply rarefied, irregularly simplest failure flow is also a simplest one with constant parameter . (9) In the limit, the rate of wrong-side failures of the automatic train operation system tends to , i.e., half of the failure rate of the machine vision facilities. The probability of wrong-side failure, with an error not exceeding the first order of smallness, is defined as

Results of the analysis of the dependability indicators of the automatic train operation system
The dependability model of the automatic train operation system is transformed from the conceptual safety model of such system (Fig. 1) by eliminating hazardous states and associated edges. The state graph of the dependability model is shown in Fig. 2. This indicator is none other than the system's mean time to right-side failure. This indicator is to be analysed due to the fact that improving safety involves bringing the system into the safe (non-operational) state in every alarm case, whenever possible. It is therefore important to identify which factors affect the dependability of a system with machine vision in the course of its design according to this architecture.
Using the graph in Fig. 2 and method [7] we deduce .
Under the assumptions of Items 2 and 3, this expression transforms into . (11) As noted above in Item 2, in accordance with NPRD-2011 camera sub-assembly [9], the failure rate of the machine vision facilities is to be and that of the supervision centre is to be . Therefore, can be assumed without noticeable loss of evaluation accuracy. In addition, the machine vision and supervision centre equipment overwhelmingly contain electronic assets whose restoration rate is about the same . Therefore, we can assume that , and expression (11) modifies into . (12) As with the system's safety assessment, let us assume that the limit value of time to right-side failure of the automatic train operation system takes place in the absence of adverse weather effects ( ). Then, formula (12) will modify into .
As noted in Item 2, for the purpose of the problem at hand, . Given the above, we deduce the marginal estimate of dependability of the automatic train operation system in terms of mean time to right-side failure: .
Consequently, the dependability of an automatic train operation system is defined by the failure rate of the locomotive control and protection system ($\lambda_1$) and the machine vision facilities ($\lambda$). These components of the automatic train operation system must be the focus of attention in the context of ensuring an acceptable level of the system's dependability.

Conclusion
The above analysis allows concluding that in order to achieve an acceptable level of safety of the automatic train operation system, the efforts should focus on the following:
- redundancy of machine vision facilities;
- ensuring the SIL4 functional safety of onboard and trackside machine vision facilities (dual channel and dual versioning of software, use of independent channels, etc.);
- regular comparison of the outputs of onboard and trackside machine vision facilities, redundant output comparison, integration of the outputs in motion.
Additionally, it is required to ensure compliance with EN 50129 in terms of SIL4 functional safety of the locomotive control and protection system. Adverse weather effects should also be countered by increasing the efficiency of machine learning of the machine vision software.