SAFE DEVICE SOLUTIONS IN RAILWAY TRAFFIC CONTROL SYSTEMS

The paper deals with the problem of safe solutions for railway traffic control systems, using the example of modern protection systems applied at railway level crossings. The need for reliable, modern and safe railway traffic control devices has forced manufacturers in the railway industry to use high-quality microprocessors in their designs. Devices used to secure traffic at intersections of railways and roads at one level must be fully operational and reliable. Such solutions are the modern automatic level crossing signaling systems made in computer technology. They use structural redundancy and programmable logic controllers, and have extensive self-diagnostic and technical diagnostic mechanisms. The paper presents selected analyses of railway traffic safety using the example of the BUES 2000 automatic level crossing system by Scheidt & Bachmann.


INTRODUCTION
The article aims to show detailed but practical aspects of creating safe railway traffic control devices. The author's intention was to present, in an analytical manner, the complex process concerning the safety of the devices that make up a large railway traffic control system.
The need for reliable, modern and safe railway traffic control devices has forced manufacturers to use microprocessors, microcomputers and programmable circuits in their structures. To meet this trend, Scheidt & Bachmann has developed the fully microprocessor (computer) automatic level crossing system BUES 2000 type. It is characterized by an open and modular design. The use of appropriate processor modular software increases the safety guaranteed by the system.
The ever-increasing number of automobiles and the growth in railway traffic have a huge impact on the need to build and apply new solutions at railway level crossings. A level crossing is the intersection of a railway track and a road at one level. Due to the characteristics of railway vehicles, such as speed, weight, and braking distance, they have priority over vehicles on roads.
Railway traffic control systems, including automatic level crossing signaling, currently operated on Polish railways are realized in various technologies. The technology in which an automatic level crossing system is manufactured should allow new components to be inserted during operation to replace those that are damaged or worn out, in such a way that the safety of the system and its functions are not compromised. According to the technique used to realize the control functions, automatic level crossing systems can be divided into three groups: relay, hybrid (relay-computer) and computer systems [1][2].
The publication uses an observational research method, recording specific facts and capturing them in their interrelationships. The data and problems presented in the article concerning safe solutions of devices used in railway traffic control systems have been interpreted as phenomena affecting the indicated elements of the safety process of the railway traffic control system.

REQUIREMENTS FOR SAFE SOLUTIONS RAILWAY TRAFFIC CONTROL SYSTEMS
The basic feature of safe implementation of control systems adopted in railway transport is the "fail-safe" principle, which states that no single fault may cause a dangerous situation, while the probability of multiple simultaneous faults is negligibly small. In addition, a fault should be detected in the shortest possible time, and a safe response leading to emergency control should then be initiated. The "fail-safe" principle provides so-called structural safety, i.e. the property of an object to prevent the occurrence of failures that result in critical failure states. This principle can be implemented by [3][4][5]:
- multichannel processing and redundancy at the system, hardware and software level,
- system self-testing.
The consequence of a system error is the loss of important information that can affect safety. Damage refers to both software and hardware, and can be caused by human error at various stages of the system lifecycle.
Another important criterion is the reference to Safety Integrity Levels (SIL), which are defined in the standards of the European Committee for Electrotechnical Standardization (CENELEC). Standardization recommendations related to secure ICT-based railway traffic control systems include [6]:
- documentation of the safe system,
- specification of software requirements,
- software architectures,
- methods of designing and commissioning software,
- software verification,
- methods of software and hardware integration,
- checking and attestation of the system,
- software quality assurance,
- software maintenance.
The safety and operational reliability of computer railway traffic control systems should be analyzed with respect to two main issues [7]:
- the technical devices that are part of the system,
- the software of the system.
In order to meet the safety requirements, the system must consist of at least two computers linked in a structure that allows adequate data processing and mutual control. There are also systems based on a single computer unit; to achieve the required safety conditions, a second computer is then used as a hot standby.
For the safety of single-channel systems, appropriate software procedures are performed.
They involve encoding data and processing two programs on a single computer unit that test each other. It is best when programs are written by different groups of programmers.
The multi-channel systems used in railway traffic control are usually two- or three-channel solutions ("2 out of 2" or "2 out of 3"). Safety is ensured in them by hardware and software redundancy. In these solutions the results from two computers are compared, and the condition for safe operation of a "2 out of 2" system is full agreement of all results obtained at the outputs of the active channels. The occurrence of any error causes the system to react safely. In the "2 out of 3" system, a discordant result causes the third computer to be activated, and the result on which two computers agree is used for further data processing [2][3].
The creation of safe software should be based on a system lifecycle model that recommends [7]:
- methods of software control in each phase of its design, taking into account replacement programming,
- a modular program structure that allows software to be built from proven modules,
- clear documentation subject to verification.
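The "2 out of 2" and "2 out of 3" comparison described above can be written down as a small voter. The following is an added example, not code from the paper or from Scheidt & Bachmann; the command names (OPEN, WARN), the choice of WARN as the restrictive safe state, and the latching of the safe state until maintenance resets it are assumptions of the example. It shows why a 2oo2 structure is safe but not available (one discrepancy is enough to close the crossing) while 2oo3 can outvote a single faulty channel and still name it for diagnostics.

```python
from collections import namedtuple

# Constructed example: a crossing controller emits one of two commands per control cycle.
# WARN (lights on, barriers closed) is the restrictive, safe state that every detected
# fault must lead to; OPEN is the permissive state that needs agreement of the channels.
SAFE_COMMAND = "WARN"


def vote_2oo2(ch_a, ch_b):
    """'2 out of 2': both active channels must produce identical results.
    Returns (command, concordant). Any discrepancy forces the safe command."""
    if ch_a == ch_b:
        return ch_a, True
    return SAFE_COMMAND, False


def vote_2oo3(ch_a, ch_b, ch_c):
    """'2 out of 3': the results of channels A and B are compared first; only if they
    differ is the third computer consulted, and the value shared by two channels is used.
    Returns (command, suspect), where suspect names the outvoted channel, or None."""
    if ch_a == ch_b:
        return ch_a, None
    if ch_c == ch_a:
        return ch_a, "B"
    if ch_c == ch_b:
        return ch_b, "A"
    return SAFE_COMMAND, "A,B,C"   # three different results: nothing can be trusted


Cycle = namedtuple("Cycle", "cycle command concordant latched")


def run_2oo2(channel_outputs):
    """Apply the 2oo2 comparison over successive control cycles.
    Assumption of this model: once a discrepancy has been detected the system stays in
    the safe state (latches) until maintenance resets it, even if the channels agree again."""
    history = []
    latched = False
    for n, (a, b) in enumerate(channel_outputs):
        cmd, ok = vote_2oo2(a, b)
        if not ok:
            latched = True
        history.append(Cycle(n, SAFE_COMMAND if latched else cmd, ok, latched))
    return history


if __name__ == "__main__":
    # Constructed cycles: channel B delivers a discordant result once, in cycle 2.
    cycles = [("OPEN", "OPEN"), ("OPEN", "OPEN"), ("OPEN", "WARN"), ("OPEN", "OPEN")]
    for c in run_2oo2(cycles):
        print(c)
    print(vote_2oo3("OPEN", "WARN", "OPEN"))   # ('OPEN', 'B')
```

In the 2oo2 run the single discrepancy in cycle 2 drives the crossing to WARN and keeps it there; in the 2oo3 call the same discordant channel B is outvoted and reported instead. The latch is the conventional fail-safe reaction, since a fault that comes and goes is still a fault.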

LEVEL CROSSING SIGNALING
Figure 1 can be used to illustrate the organization of the automatic level crossing signaling devices. The protection is activated automatically when a train approaches the level crossing. At some distance from the level crossing there are train interaction devices a1 and b3 that activate the protection or, in the case of running on the wrong track, b1 and a3. The approach of a train to the level crossing, depending on the traffic direction, is detected by one of the railway sensors [8][9].
The signal that the train is approaching the level crossing, registered by the activating sensors (a1, b3 or at the entrance to the wrong track a3, b1) is sent to the control devices, which switch on the light and acoustic signaling and close the road barriers. Based on the input signals from these sensors, the control devices detect the direction of train movement over the sensor.
Release of the signal and opening of the level crossing barriers take place when the effect of the moving train on the deactivating sensor a2 or b2, located within the crossing, is over. A train moving away should not continue to cause a warning by affecting the last (disabling) sensor. Modern automatic level crossing signaling systems can additionally be equipped with warning discs on railway level crossings (ToP) for the engine driver and a remote control device for monitoring and checking the behaviour of the individual components of the level crossing system [4].
The warning at the level crossing should be activated 30 to 90 seconds before the train arrives. If the level crossing is equipped with half barriers, their lowering starts with a delay of several seconds from the moment the warning is activated [8][9].
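The sensor sequence of the last few paragraphs (activation at a1/b3 or, on the wrong track, a3/b1; release when a2/b2 is cleared; the delayed lowering of half barriers; the 30 to 90 s lead time) can be checked with a small simulation. The code below is an added example, not the paper's or any vendor's control program. It assumes that each sensor reports the direction of the train passing over it (the text states that the control devices detect the direction of movement over the sensor, so a leaving train passing the far activating sensor must not re-trigger the warning), that an unexpected occupancy of a2/b2 without prior activation is treated as an irregularity with an immediate warning, and that the worst case for the lead-time check is a train at the line's highest speed.

```python
# Sensor roles as described in the paper for Figure 1 (constructed simulation, not vendor code).
ACTIVATING = {"a1", "b3", "a3", "b1"}    # a3/b1 cover running on the wrong track
DEACTIVATING = {"a2", "b2"}              # sensors inside the crossing; clearing them releases
WARN_LEAD_MIN_S, WARN_LEAD_MAX_S = 30.0, 90.0   # required lead time of the warning


class CrossingController:
    """States: WAITING (road open) -> WARNING (lights and sound on) -> CLOSED (half barriers
    down) -> WAITING. Time is in seconds; events must be fed in time order."""

    def __init__(self, barrier_delay_s=6.0):
        self.state = "WAITING"
        self.barrier_delay_s = barrier_delay_s   # 'several seconds' between warning and lowering
        self.lower_at = None                     # scheduled time for the half barriers to lower
        self.log = []                            # (time, new state, reason)

    def _set(self, t, state, why):
        self.state = state
        self.log.append((t, state, why))

    def tick(self, t):
        """Time-driven part: lower the half barriers once the delay has elapsed."""
        if self.state == "WARNING" and self.lower_at is not None and t >= self.lower_at:
            at, self.lower_at = self.lower_at, None
            self._set(at, "CLOSED", "barrier delay elapsed")

    def sensor(self, t, name, event, direction):
        """Event-driven part. event is 'occupied' or 'cleared'; direction ('toward'/'away')
        is the train direction reported by the sensor. Only a train moving toward the
        crossing may activate it, so a leaving train passing a3 or b1 is ignored."""
        self.tick(t)
        if name in ACTIVATING:
            if event == "occupied" and direction == "toward" and self.state == "WAITING":
                self.lower_at = t + self.barrier_delay_s
                self._set(t, "WARNING", f"{name} occupied toward the crossing")
        elif name in DEACTIVATING:
            if event == "occupied" and self.state == "WAITING":
                # Train inside the crossing with no prior activation: an irregularity.
                # Fail-safe reaction assumed here: warn and close immediately, log it.
                self.lower_at = t
                self._set(t, "WARNING", f"{name} occupied without activation (irregularity)")
            elif event == "cleared" and self.state in ("WARNING", "CLOSED"):
                self.lower_at = None
                self._set(t, "WAITING", f"{name} cleared, train has left the crossing")
        else:
            raise ValueError(f"unknown sensor {name}")


def simulate(events, barrier_delay_s=6.0):
    """events: iterable of (time_s, sensor, event, direction). Returns the state log."""
    ctrl = CrossingController(barrier_delay_s)
    for t, name, event, direction in sorted(events):
        ctrl.sensor(t, name, event, direction)
    return ctrl.log


def warning_lead_time_s(sensor_distance_m, max_train_speed_kmh):
    """Seconds between activation at the approach sensor and arrival of a train running at
    the line's highest speed (the paper's W2 and V2)."""
    return sensor_distance_m * 3.6 / max_train_speed_kmh


def lead_time_acceptable(sensor_distance_m, max_train_speed_kmh):
    """True if the warning precedes arrival by the required 30 to 90 seconds."""
    lead = warning_lead_time_s(sensor_distance_m, max_train_speed_kmh)
    return WARN_LEAD_MIN_S <= lead <= WARN_LEAD_MAX_S


if __name__ == "__main__":
    # Constructed passage on track a: activation at a1, crossing occupied at a2, then the
    # leaving train passes a3 'away' from the crossing, which must not re-activate it.
    passage = [
        (0.0, "a1", "occupied", "toward"), (2.0, "a1", "cleared", "toward"),
        (40.0, "a2", "occupied", "toward"), (46.0, "a2", "cleared", "toward"),
        (70.0, "a3", "occupied", "away"), (72.0, "a3", "cleared", "away"),
    ]
    for entry in simulate(passage):
        print(entry)
    print(lead_time_acceptable(1500, 120))   # 45 s lead time at 120 km/h
```

The constructed passage yields WARNING at 0 s, CLOSED at 6 s and WAITING at 46 s, and nothing at 70 s; a sensor distance of 1500 m with a line speed of 120 km/h gives a 45 s lead time, inside the required window, whereas 4000 m (120 s) or 500 m (15 s) would fail the check.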

DETERMINING THE LOCATION OF THE ACTIVATING SENSORS
The level crossing is a particularly dangerous place, which is why its safety devices are rated at the highest level, SIL-4. It is important to determine the location of the sensors activating the automatic level crossing signaling on a railway line with two-way traffic (Fig. 2).
The possibility of a train striking a road vehicle that did not notice the warning signal being sounded when it entered the danger zone of the level crossing must be excluded. From this the following condition follows: tT. For the extreme condition, at t = T, the distance L2 can be determined, where: W1 - danger zone for a road vehicle, W2 - distance of the activating sensor (a1 or a3) from the level crossing, V1 - highest road vehicle speed, V2 - highest rail vehicle speed.
The L1 danger zone can be determined as the sum of the distances: 2f - width of the structure gauge (standard 2f = 5 m), d - distance of the traffic lights from the structure gauge (standard d = 3.2), d' - additional distance from which the warning signal is spotted by the driver of the road vehicle (standard d' = 3 m).

Fig. 2. Simplified configuration of level crossing safety devices with marked zones useful for determining the location of activating sensors [own elaboration], where the symbol descriptions are as before, and a1, a3 - wheel sensors activating the signaling, a2 - exit sensor deactivating the signaling protecting the level crossing.

CONTROL DEVICES USED IN THE AUTOMATIC LEVEL CROSSING SIGNALING
The following functional groups of protection and traffic control devices can be distinguished in modern automatic level crossing systems [4,8,9,10,11]:
a) Track sensors:
- train sensors of the EOC type (Alstom ZWUS Katowice),
- wheel sensors (also known as axle counters) of the types ELS-95 (Alstom ZWUS Katowice), CTI-3 (SPAI Katowice), RSR180 (Frauscher), AzE (Siemens), AS (Scheidt & Bachmann),
- inductive loops of the FSSB type;
b) Warning devices:
- level crossing traffic lights,
- acoustic signal generators,
- road barrier drives,
- warning discs on railway crossings;
c) Control systems (usually based on programmable logic controllers, PLC);
d) Power systems;
e) Monitoring, recording, remote control and diagnostic systems:
- remote control device,
- diagnostic centers,
- modules and portable diagnostic panels.
All crossing signaling systems have a dual-channel architecture in which the two control and power channels are electrically separated and perform the same signaling algorithm independently of each other. They require application software appropriate to the traffic situation at the level crossing.
Modern automatic level crossing systems have control systems consisting of two identically built control channels equipped with, among others, programmable logic controllers (PLC). The operation of the controller PLC (Fig. 3) involves monitoring analog and digital inputs, making decisions based on the algorithm of system operation, and controlling the outputs accordingly [12][13].
Programmable logic controllers are industrial computers which, under the control of a real-time operating system, carry out the following tasks in the automatic level crossing system [3,12,14]:
- collect signals and parameter measurements via input modules from analog and discrete sensors and devices at the level crossing,
- execute application programs on the basis of the adopted parameters and the data obtained on the process of controlling the level crossing signaling,
- generate control signals according to the results of their calculations and transfer them via output modules to the elements and executive devices on the protected level crossing,
- transmit data using communication modules and links,
- perform software and hardware diagnostic functions.

CROSSING SIGNALING SYSTEM
The BUES 2000 automatic level crossing signaling system is one of the most technologically advanced and safe computer solutions for railway traffic control. The system is designed to secure level crossings of railways and roads at one level. The control of the operation of the level crossing protection devices and the monitoring of the correct operation of the signaling are carried out on three levels (Fig. 4) [4,15]:
- the diagnostic level,
- the management (control) level,
- the executive level.
Each of these levels is controlled in two channels. The transfer of information, both between levels and between channels within the same level, is done using two data transfer bus circuits.
The BUES 2000 signaling uses inductive loops to detect the presence of a train in the zone of influence of a railway level crossing (Fig. 5). The on/off loop system consists of two loops with operating frequencies of 60 kHz and 80 kHz to distinguish the train direction over the loop. In a turn-on loop arrangement, the 60 kHz loop is always the first in the direction of train travel to the level crossing, while in a turn-off loop arrangement it is the first for the correct direction of travel on a given track. The signal read from the loop is fed simultaneously to both control systems. This advanced level crossing train location system is based on intelligent data analysis. The design of the system under consideration enables a high degree of safety for the detection of the railway vehicle [4,11].

MODULAR PROCESSORS SCHEIDT & BACHMANN GMBH
All of the modular processors are universal, i.e. each of them can be used in a BUES 2000 level crossing system as a central module, as a track or as a light/road-barriers module. The type of function performed depends on the location in the system.
The basic control of the BUES 2000 automatic level crossing signaling system takes place on the management level. This level takes over the supervision of all processes related to the level crossing safety function. The management level consists of three duplicated Scheidt & Bachmann GmbH modular processors (central processor, light/barrier processor, track processor), a central program memory and a service keypad. Visualization is done on an alphanumeric LCD display of 4 × 20 characters (Fig. 6). Each module processor is duplicated (Fig. 7) and processes independent program fragments of the selected module in real time. The use of appropriate software for the modular processor ensures that the required degree of safety guaranteed by the system is maintained. The function that a module processor performs is programmable [16].
The central module performs the general control functions of the devices and supervises all the centralized tasks of the level crossing protection process. The light/barrier module controls the operation of the traffic lights and the road barrier drives and checks that they are functioning correctly. The track module is responsible for processing the information received from the track sensors and for controlling their correct operation. The diagnostic level of the BUES 2000 signaling system consists of a diagnostic module located in a container (shown in Figure 8) and a diagnostic center in a railway control room.
The diagnostic module provides quick access to information about irregularities in the operation of level crossing signaling systems, while the executive level takes over the actual processes control directly in the level crossing protection devices. The software of the diagnostic module allows for online diagnosis of the devices [4,16].
The most important functions of the diagnostic module [4,15]:

CHARACTERISTICS OF OTHER CONTROL COMPONENTS IN BUES 2000 SIGNALING
The "COMMUNICATION IMAGE" monitor (Fig. 9) is particularly important for the safe control of the level crossing devices of the BUES 2000 system. It includes command menus, notepads, a telegram display area, an area containing signal lights reflecting the operation of the level crossing devices, and on-screen buttons to operate this monitor. Data presentation in the form of a graph shows the overall track layout and the status of individual modules and actuators. The system shows status changes, such as the opening and closing of the road barrier drives or the occupancy of train sensors, clearly and in real time; errors are also displayed [11]. The remote control device is a diagnostic center located in the railway control room. It is possible to connect dozens of level crossings located up to several kilometers from the traffic station where it is located. The diagnostic center reacts to messages sent by the level crossing signaling. The control center software allows the messages about faulty operation of the level crossing devices to be read via a telephone modem. All fault conditions are logged and cause an alarm condition when detected [17].
The HSM 10E type drive of road barriers (Fig. 10) used in the level crossing signaling of the BUES 2000 system has a modern modular design. Among other things, it uses a specialized microcontroller for motor applications. The movement of the road barrier in the hydraulic system is provided by a pump which is driven by an asynchronous motor controlled by a frequency converter from the electronics module. Motor control is by microcontroller and power controllers. In addition, the electronics system can communicate directly with the level crossing devices. The information exchange is realized by the CAN bus [4,18].

OF RAILWAY CONTROL DEVICES
The main safety criterion for computer railway traffic control devices is the so-called Tolerable Hazard Rate (THR), which is determined by relationship (5) [5,19], where: λi - intensity of damage in channel i, tdi - system response time to an error in channel i.
For systems with a single processing channel, the value of THR equals the damage intensity λ. It is different for systems consisting of two processing channels; the formula for the THR factor is then given by relation (6), where: td - response time to damage, tTF - average time to failure in the channel.
Relation (6) shows that the critical damage intensity is reduced by the factor 2td/tTF. Safety solutions of railway control devices are classified into four Safety Integrity Levels (SIL). For each Safety Integrity Level, the maximum permissible THR values are determined according to Table 1. The most demanding in terms of hazard intensity is SIL-4 [5,19].
The diagnostic time for single faults is particularly important for the safety of the automatic level crossing signaling system. This time is determined by relation (7):
T sf = k 1000• (7)
where: k - redundancy factor (1 for "2 out of 2" systems and 0.5 for "2 out of 3" systems), λ - the sum of the average damage intensities of the elements whose simultaneous failure could lead to a hazard. The diagnostic time for dual faults, in turn, is calculated from formula (8). The total fault intensity required to determine the THR value must take into account many parameters, including the intensity of faults in the transmission channel, the redundancy of transmission channels, and the code protection used [5].

Table 1. Relation between Safety Integrity Levels and THR acceptable hazard intensity [5,20]
Safety Integrity Level    THR permissible hazard intensity, 1/(hour·function)
4                         10^-9 ≤ THR ≤ 10^-8
3                         10^-8 ≤ THR ≤ 10^-7
2                         10^-7 ≤ THR ≤ 10^-6
1                         10^-6 ≤ THR ≤ 10^-5

Fig. 11. Example construction of a modern system for collecting and storing exploitation data from devices and railway control systems [own elaboration]
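The THR reasoning of this section, together with the classification in Table 1, can be put into a short worked calculation. The following is an added example and not the paper's own method: the single-channel case (THR = λ) and the SIL bounds come from the text and Table 1, but the two-channel relation (6) is not reproduced on the page, so the example implements the reading stated above, that the dual channel reduces the critical damage intensity by the factor 2td/tTF, i.e. THR = λ·2·td/tTF, as an assumption. The sample values of λ, td and tTF are constructed. Because adjacent rows of Table 1 share their boundary values, the example assigns a THR that lies exactly on a boundary to the more demanding level; that convention is also an assumption.

```python
# Table 1 of the paper: permissible THR per Safety Integrity Level, in 1/(hour·function).
SIL_TABLE = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def thr_single_channel(lam):
    """One processing channel: THR equals the damage intensity λ (1/h) of that channel."""
    return lam


def thr_dual_channel(lam, td, t_tf):
    """Two processing channels. Assumed reading of relation (6): the critical damage
    intensity is reduced by the factor 2·td/tTF, so THR = λ·2·td/tTF.
    lam in 1/h, td (response time to damage) and t_tf (mean time to failure) in h."""
    if lam < 0 or td < 0 or t_tf <= 0:
        raise ValueError("λ and td must be non-negative and tTF positive")
    return lam * 2.0 * td / t_tf


def sil_for_thr(thr):
    """Highest SIL whose Table 1 range contains thr; None if thr lies outside the table.
    A value exactly on a shared boundary is given the more demanding level (assumption)."""
    for sil, low, high in SIL_TABLE:
        if low <= thr <= high:
            return sil
    return None


def max_response_time_h(lam, t_tf, target_sil):
    """Largest response time td (h) for which the dual-channel THR still meets target_sil,
    obtained by solving the assumed relation for td against the level's upper THR bound."""
    upper = {sil: high for sil, _, high in SIL_TABLE}[target_sil]
    return upper * t_tf / (2.0 * lam)


def assess(lam, td, t_tf):
    """Worked assessment of one device: THR and SIL for the single- and dual-channel structure."""
    single, dual = thr_single_channel(lam), thr_dual_channel(lam, td, t_tf)
    return {"thr_single": single, "sil_single": sil_for_thr(single),
            "thr_dual": dual, "sil_dual": sil_for_thr(dual)}


if __name__ == "__main__":
    # Constructed figures: λ = 1e-4 1/h per channel, td = 0.5 h, tTF = 2e4 h.
    print(assess(1e-4, 0.5, 2e4))             # single channel: outside Table 1; dual: SIL 4
    print(max_response_time_h(1e-4, 2e4, 4))   # 1.0 h of response time still keeps SIL 4
```

With the constructed figures the single-channel THR of 1e-4 falls outside Table 1 entirely, while the same hardware in a dual-channel structure with a 0.5 h fault response time reaches 5e-9, inside the SIL-4 band; the last call shows the practical use of the relation, namely how fast a fault must be detected and answered for a given λ and tTF to keep the required level.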

CONTROL DEVICES ON THEIR EXPLOITATION
Another underestimated issue affecting the safety of railway control devices is the continuous acquisition and collection of information from the current operation of the devices. Such data can be used to build models of the operational phenomena that occur and make it possible to determine, e.g. by simulation, the expected behavior of the object in the future. Railway control devices often operate under very difficult operational and environmental conditions. Long-term experience in operating these devices confirms that their functioning depends on the correct operation of individual components and on the effective management of their operation.
Collecting and archiving information on the technical state of railway control devices can be used for preventive maintenance of the devices, for predictive maintenance in railway traffic, for the proper use of the devices and, above all, for maintaining the safety of the transportation process.
Modern systems for collecting and processing operational data are used to gather data from computer-based railway control devices (Fig. 11). Systems for collecting data from railway traffic control devices and systems are most often based on dedicated software for tracking, recording and analyzing operational data. The purpose of these systems is to collect and present, on a uniform software platform, the statuses of devices from the railway network for maintenance purposes. Information on the status of the railway signaling devices can be collected via interfaces directly from these devices or from the manufacturers' dedicated diagnostic systems. This information is sent over links to integration gateways that act as local data buffers. Such a unit collects data on the status of devices from a specific area of the railway network. After encryption, the information about the status of the railway traffic control devices is sent to the central server. Information collected in the central database is analyzed on an ongoing basis and can be used by appropriate automated inference systems [20].

CONCLUSIONS
This publication contains the author's significant thoughts and information regarding the safety of computerized devices used directly in railway traffic control. These contents, which were available only fragmentarily in various publications, have now been compiled in a single article and supported by an analysis of a concrete example, i.e. the BUES 2000 automatic level crossing signaling system by the German company Scheidt & Bachmann.
The safety of modern computer railway traffic control systems results from the use of programmable logic controllers based on two-channel solutions, the differentiation of the programs in the two control channels, the possibility of immediate detection of faults in the devices, and the possibility of ongoing monitoring of the system and recording of all events and failures. This allows for a significant increase in control and monitoring functions. With regard to the automatic level crossing signaling system, an important feature is the registration of events and of the history of its operation. In microprocessor solutions, from the safety point of view, the issues of secure transmission, self-testing for possible errors and mutual testing of the control channels are of particular importance.
The purpose of controlling and protecting traffic on a level crossing is to ensure a high level of safety. Regardless of the type and design of the automatic level crossing signaling system, its manufacturer or technology, and the duration of its operation, safety must be at the SIL-4 level and the durability of these devices should be no less than 20 years. The safety-relevant THR value for SIL-4 in the case of a railway traffic control system must be between 10^-6 and 10^-5. These are very stringent values for THR.
In the publication, the author presents an engineering method for calculating the Tolerable Hazard Rate for a selected railway traffic control device (with a single or duplicate processing channel) and, on this basis, determining its Safety Integrity Level.
The BUES 2000 level crossing system has a certain flexibility, i.e. it tolerates errors that do not affect its basic functions. Otherwise, it goes to a state defined as safe. The warning devices of the BUES 2000 signaling are controlled using the "2 out of 2" safety principle. This means that in order to change the state of the device from the waiting state to the warning state (closing of the level crossing signaling), it is required that both control channels work out compatible commands and at the same time. The same principle is used for the transition of the level crossing signaling devices from the warning state to the waiting state (opening).