Dependability assessment of large railway systems

Grégory Buchheit, A3SI, Arts et Métiers ParisTech

Olaf Malassé, A3SI, Arts et Métiers ParisTech
Nicolae Brinzei, CRAN, University of Lorraine
Nadia Ammad, SNCF

Key Words: Timed and Colored Petri Nets, Quantitative Evaluation, Maintenance, RAMS, Formal Proof, Reliability Modeling

SUMMARY & CONCLUSIONS schedules, that normally is made once far in advance, and that
takes the line flow into consideration, in fact the performance
The dependability assessment of systems and in particular
of the infrastructure in normal and degraded conditions, and
their availability depends on the dysfunctional behaviors and
the line capacity which is how the infrastructure is used. On
maintenance policies of their subsystems and components.
the other hand, the resilience and robustness of the schedules
Railway systems are large due to the number of trains and
are verified in cases of perturbations in order to estimate the
routes but also complex due to the safety assured by the
recovery time after incidents. Concerning the design
signalization and the interlocking. There is a need of methods
engineering, the first major point is to validate and optimize
and tools which could give, at the same time to people in
the placement of components on the track in order to get the
charge of the design, operation and maintenance, the key to
best performances and the second point is to validate the
exploit the infrastructure at the best cost. The aim of this paper
dependability requirements for all the components in order to
is to show how it is possible to generate automatically a model
satisfy mainly the safety of users. Finally, the maintenance
which satisfies all these requirements and how to do a
engineering focuses on the preservation of the infrastructure in
performance analysis in order to get metrics in terms of
operational conditions and at best cost, and this involves
capacity of the line, needs of the maintenance.
validating the maintenance policies in terms of Life Cycle
1 INTRODUCTION Cost and in terms of organization for the regeneration and
servicing.
The performance assessment of railway infrastructure is a
These issues are answered by many improvements in each
key element for railway companies in order to satisfy the
department leading in methodologies adapted to their context,
economic pressure from the liberalization of rail transports (in
and feedback from many years of work. But, one of the main
Europe), the competition with other means of transportation,
problem is that, people in charge of the design, the
the search for the lowest cost from the customer point of view,
exploitation and the maintenance may not use the same
and last but not least, the actual financial difficulties from
formalism (specifications, evaluation,…) and tools
companies and countries. The market induces expectations
(automatons, Petri nets,…) to achieve their performance
concerning the safety of persons, but also on the efficient cost
analysis, because either other methods are not adapted to the
management, and the always increasing service quality, but
job, or they already exist but were developed in-house and are
it’s often a question of compromise. Furthermore, the
not easily upgradeable. So it could be interesting to use a
introduction of the unified European signaling systems
methodology which could take complexity into consideration
(European Railway Transport Management System), since a
but with a simple handling to be employed by the different
few years, in many countries, has involved an increase of the
staffs in order to get crossed representations of the costs, and
cost for those who managed to set it up, despite the fact that
also other kind of metrics like the flow of trains and the
maybe new markets have opened. These complaints are also
RAMS parameters. Few studies have shown similar interests,
true for other kind of activities.
because they are mainly focused on either the verification of
These facts induce an important challenge for all the
the specifications of systems [1], or the performance analysis
departments of railway companies and especially for the three
of systems but without taking dependability into account [2],
main departments: the operating, design and maintenance
[3].
engineering. But the expectations and depictions of each of
The paper is structured this way: after the introduction, a
these engineering are completely different, and it’s quite
description of the characteristics of the system under study is
difficult to find an optimum in terms of costs. This adds some
presented (in section 2), then the modeling methodology is
difficulties to the challenge.
described (in section 3), and finally a few results from cases
Indeed, the operating engineering focuses on two main
studies are treated (in section 4).
priorities. On one hand there is the validation of train
2 CHARACTERISTICS OF A RAILWAY INFRASTRUCTURE
A description of the functioning of a railway signaling
system is needed in order to understand the modeling
methodology and the approach adopted for the reliability
analysis.
The railway signaling system protects the routes and the
corridors, generally by avoiding collision of trains (face to
face) and also by avoiding catching of trains by adjusting the
spacing of trains. This is done thanks to many components on
the track that have special utilities.
We can distinguish the national historical signaling
systems and the interoperable one ETCS (European Train
Control System) that tend to be implemented in many
European countries. There are quite some differences between
these signaling systems, In France for instance, there are many
signaling systems which have demonstrated their faculties of
performance and safety. For example, BAL / KVB (Light
Automatic Block / Speed Control by Balises) with track
circuits on conventional lines which allows the detection of the
presence of a train on a track and also broken rails, and TVM
(Track-To-Train Transmission) on LGV (High Speed Tracks)
(See Figure 1)
Figure 1- French signaling systems
This system (trackside and on-board functions) has now
to coexist for several decades on some specific tracks with
ETCS which is available in three levels of command-control
evolution (ETCS 1 to 3). (See Figure 2)
Figure 2 - ETCS Level 1 and 2
So, it is important to assess the impact of the
superposition of the two signaling systems, which have
different philosophies, on the performance of the
infrastructure (maintenance steps, robustness of schedules).
But, due to the costs of design, validation, certification,
development and deployment of the facilities, there is a
coexistence of several generations of component technologies
(electromechanical, electronic, informatics), It is therefore to
model heterogeneous E/E/PE (Electrical / Electronic /
Programmable Electronic) systems, combining discrete parts
(signals and balises) and continuous (GSM-R - Global System
for Mobile Communications for Railways, TVM), managing
degraded modes in accordance with current standards and
rules.
Moreover, one infrastructure supports mission profiles
very different (freight, regional, high speed), and its
configuration in use is modified by the layout of routes, or
areas under maintenance. The model must consider the
infrastructure map, the implementation of the signals, the
potential routes, the traffic type and the characteristics of
trains (length, mass, braking and traction capacity), the
mission profile, the line profile, and the binding vehicle /
infrastructure (grip, transmission of data or signal
visibility,...).
A dichotomy based on the topology trackside/on-board
allows the following segregation:
- Trackside functions: they are achieved by control-
command equipment common to both signaling
systems, or specific to each. The route management
is ensured by interlocking poste of various
technologies (with relays - PRS, computerized –
PAI,...). From the second level of ERTMS, the RBC
(Radio Block Centre) will be involved in interlocking
poste, transmitting movement authorities to rolling
stock via GSM-R. Field centers host management
systems (command and control) of the signaling
devices, switches (motors and locks) and track
circuits (Block signaling) and encoders for KVB
speed control, and Lineside Electronics Unit (LEU)
for the balise but only for ETCS.
- Trackside/on-board Transmission: except specific
equipment for BAL / KVB (brushes for the repetition
of the signaling devices in the cabin, balise and
antennas for KVB), the lateral signaling devices is
common for BAL and ETCS Level 1. The
implementation of ETCS Level 1 requires the
infrastructure to be equipped with balise and rolling
stock with antennas. ETCS Level 2 implies in
addition, the deployment of radio relay on trackside
and GSM-R antennas on rolling stock.
- On-Board functions: BAL requires a simplified
repetition of signals in cabin system and
acknowledgment buttons, completed with a KVB
module (odometer sensors, computer rack, console)
for speed control. ETCS implies the presence of an
HMI and a specific European Vital Computer (EVC).
If the speed control is a continuous function of
ETCS, the brake control is a function dependent on
the train system.
For this project, our focus is on the infrastructure map, the
interlocking, the line profile and the signaling system. The
model of rolling stock will be reduced to a simplified
expression of its signaling system.
3 MODELLING METHODOLOGY
The proposed modeling methodology is based on a
decomposition approach like the hourglass design presented in
[4] which describes how the model is transformed in order to
be solved (See Figure 3).

Figure 3 - Hourglass design
The “User Interface” which can be multiple, converts the
diagrams into one “Intermediate Model”, from which a
“Formal Model” is obtained. Many formal models can be
analyzed using an appropriate “Solver”. This has the
advantage that if another user-interface has to be used, the
only requirement is to define and implement how it will be
transformed into the intermediate model. This also applies to
the addition of a new solver that doesn’t require changing the
user interface. This representation was adapted in order to
fulfill our needs in the specific case of a railway infrastructure.
The first step of the methodology is to create a diagram
serving as user interface and intermediate model under the
shape of a meta-model where we can have the overall
representation of the system including all of its characteristics,
properties and parameters by using many input formalism
(track plan, timetable, maintenance…). This has two
advantages: generating automatically a complete model, and
being user friendly. The tool (See Figure 4) developed by the
University of Oslo for a specific subway modeling project
(which is different from the studied infrastructure), has been
modified in order to take the requirements of a railway track
including its signaling systems and the dependability
parameters.
Figure 4 - RWSEditor - The meta-model tool
In this meta-model, the system is composed by the
instantiation of atomic components (representation of a formal
model described in step two) which could be simple
components (track, switch, turnout,…). For example, a signal
with three lights which serves as protecting the trains for
catching or collision (Green -> Full speed, Yellow -> Limited
speed, Red -> Stop) can be reused a large number of times on
a track. These components are then assembled, thanks to
specific properties. Parameters and properties are then passed
to the meta-model, such as the maximum speed allowed, or
the driving direction for the components, but also the type of
train and all of its characteristics (max speed, weight,
length,...). The tool can determine what components are
allowed to be connected to other. So, after the composition of
the infrastructure, trains and train routes, the meta-model is
transformed into a formal model based on timed colored Petri
nets (see step two) on the basis of XML data. This
transformation is possible and proved by some assumptions
over Petri nets composition [5].
The formal model layer of the hourglass design permits,
first, the modeling of atomic components in a pre-step as
shown as “Component model” (See Figure 3), and second, just
after the composition in the meta-model, the modeling of the
whole system, as “Formal model”. This is done in a tool
actively maintained and widely used called CPN Tools [6]
formerly from Aarhus University in Denmark and then
transferred at TU Eindhoven, The Netherlands.
Before stepping into the complete model, let’s jump to the
modeling of atomic components. In fact, the requirements for
these atomic components are specifications such as functional
which describes how the component or subsystem works and
is used in its environment, then dysfunctional with
dependability parameters, and also safety properties which
describes what are the degraded modes and the safe states, but
also the maintenance management which is here used as a
component but includes what are the reparation properties, and
last, the interlocking logic which protects the train and define
what are the routes that a train can drive on. Using these
information, a Petri net can be drawn for each of the
components family of the system.
Following the methodology and the step “Component
validation”, these atomic components have then to be proved
regarding to their specification and the referential of the
infrastructure operator. This can be done using model-
checking techniques such as Computational Tree Logic (CTL)
integrated in tool called ASK-CTL, or Linear Temporal Logic
(LTL) integrated into another tool called ASAP, and both
included in CPN Tools[7], and the composition of these
components can also be verified according to safety
specifications in railway. Then, the components are ready to
be composed in order to create a complete architecture.
In step two, a hierarchical representation of the system
infrastructure is used (See Figure 5) composed of granularity
levels which can be improved by more detailed subsystems
[8].
 pk_execution 10,pk_reprise 10},PenteMoy 0} p_ ,p _ p }, y } p_ ,p _ p }, y } p_ ,p _ p }, y }

Infos Canton 1 Infos Canton 2 Infos Canton 3 Infos Canton 4 Infos Canton 5 Infos Canton 6 Infos Canton 7 Infos Canton 8

InfoCanton InfoCanton InfoCanton InfoCanton InfoCanton InfoCanton InfoCanton InfoCanton

1`VL 1`VL 1`VL 1`VL 1`VL 1`VL 1`VL 1`VL 1`VL
ListSignal

ListSignal ListSignal ListSignal ListSignal ListSignal InfoCL ListSignal ListSignal ListSignal

NoTrain NoTrain NoTrain

Canton General track section Canton General track section Canton

if (Etat=true)
ListeSignal 1`[] 1`[]
then ListeSignalR
else ListeSignalL Chang Signal 6 Chang Signal 7
[] []
neNo=1, ListeSignalL ListUnit ListUnit
os, Itineraire 6 Itineraire 7
[(1,L2)], ListRoute ListRoute
FusionUNIT
5 Fusion UNIT
11
=160,
() ()
,
00,
nne=false,temps=2},
=0,

500, if (Etat=true) []
InfoCA Etat
=0, then InfoCR
Etat
else InfoCL
1`true InfoCR
on=60,
70, Infos Canton Aiguillage a
Aiguillage droite
InfoCanton BOOL

NoTrain NoTrain NoTrain NoTrain NoTrain

CantonGeneral track section
CantonGeneral track section
CantonGeneral track section
CantonGeneral track section
Canton General track section
ListeSignalR
1`{pkentree=15000,pksortie=17500,Numero=10,
Canton Railroad turnout limitation={Existence=false,v_lim=[10,160,160],pk_annonce=
pk_execution=9500,pk_reprise=13000},PenteMoy=0}
1`{pkentree=12500,pksortie=15000,Numero=9, 1`{pkentree=17500,p
limitation={Existence=true,v_lim=[30,160,160],pk_annonce=11000, limitation={Existence
pk_execution=12400,pk_reprise=12600},PenteMoy=0} pk_execution=9500,p

Infos Canton 9 Infos Canton 10 Infos Canton 11

InfoCanton InfoCanton InfoCanton

1`VL 1`VL 1`VL

ListSignal ListSignal ListSignal

NoTrain NoTrain NoTrain
[]
[]

Canton General track section Canton General track section Canton

1`[] 1`[] 1`[] 1`[] 1`[] 1`[] 1`[] 1`[]

Chang Signal 0 Chang Signal 1 Chang Signal 2 Chang Signal 3 Chang Signal 4 Chang Signal 5 Chang Signal 8 Chang Signal 9

Figure 5 - Hierarchical granularity level ListUnit []

Itineraire 1
ListRoute
ListUnit []

Itineraire 2
ListRoute
ListUnit []

Itineraire 3
ListRoute
ListUnit []

Itineraire 4
ListRoute
ListUnit []

Itineraire 5
ListRoute
ListUnit []

Itineraire 8
ListRoute
ListUnit []

Itineraire 9
ListRoute
ListUnit

The first level consists of the main line with track Figure 6 - Railway track in Petri net
sections, stations, and also trains and the maintenance
We then tried to integrate the maintenance management
organization and procedures for the whole system. Then, a
and, for a preliminary test, choose to apply the procedure to a
level deeper will define the railway track with the use of
simplified model that is intended to represent a railway track,
different signaling systems, and for each of these systems,
but with lower complexity. In that model, we included
there is again one level deeper that contains single components
reliability parameters of components through failure rate with
and the interlocking devices. These single components will
exponential distribution used mainly for electronic
then be modeled with functional, dysfunctional and
components. Note that it is possible to use other type of
maintenance capabilities. Trains represented by colored tokens
distribution depending on the kind of components. The idea
with parameters (max speed, braking, etc), are not detailed in
here is when a failure occurs to a component, the subsystem
terms of functionality and failures, because their maintenance
will detect it and react mainly in going into a degraded mode
and use are different and don’t depend on the infrastructure.
which could be performing with lower performances. When
The third step, on the “Solver” level of the hourglass
the next failure occurs, the subsystem will stop because of the
design, is the performance analysis of the system. The metrics
inability using the faulty component. These procedures are
specifications have to be applied here in order to get data out
simple and may not really reflect a real railway system, but
of the Monte-Carlo simulation. This can be done thanks to the
they are quite right. The representation of the failure
state space analysis and monitors put on elements of the
procedure is shown in (See Figure 7).
model. Then, with help of scenarios, the model can be
simulated and analyzed, and results have to be computed in a
table.
4 RESULTS OF A PRELIMINARY STUDY
The above described modeling methodology, divided into
three steps, has been tested in different preliminary study
cases. In an earlier modeling project [8], a validation of train
schedules has been performed. It was based on a whole
infrastructure model that integrates both BAL and ETCS, but
without dependability parameters of components (only a
functional validation). It showed that Petri nets are well suited
to modeling railway infrastructure. But it demonstrated that it
is difficult to create the model of a large scale system without
making mistakes, and that the computation time is relatively
high both for the implementation of the model itself and for
the simulation.
Figure 7 - Failure procedure in Petri net
In order to be able to include the dependability
parameters, we applied the methodology to a generic Then, there is a corrective maintenance procedure that
infrastructure consisting in: a few sections, one interlocking, will fix the component and restore the system in operational
three stations and many trains. All the atomic pattern conditions. This procedure is subject to the availability of
components have been developed and can be implemented in spare parts, and operators and will have a delay in terms of
the model. Mean Time To Repair (MTTR). Moreover, there are also
The first layer of abstraction of the Petri net model (See priorities for the repair if the component is important either in
Figure 6) represents the railway line with many track sections terms of safety or if it is placed in a critical location. The
that are modeled using substitution transitions allowing maintenance management takes also into consideration the
hierarchical granularity levels. preventive aspect with almost the same parameters as for the
curative but with a proof interval test. Furthermore, other
maintenance parameters have been added, such as imperfect
maintenance which can degrade the performances of the
component in case of As Bad As Old (ABAO) procedure. It
means that a new component in an old environment doesn’t
have the same reliability parameters as a new one in a new
environment, and that the quality of the fix is less than
hundred percent.
It was then possible to make a performance analysis in
order to get a few data out of the model. With help of Monte-
Carlo simulation and monitors in CPN Tools, it was possible
to get some metrics related to the simplified model of a
railway infrastructure such as the Mean Time Between Failure
(MTBF) of a component, the availability of a subsystem, the
flow rate of the system, and the reparation time.
We’ve also measured that for a small system, the
computational time will increase as the model will grow and
becomes more complex due to the number of tokens, guards
and trajectories for the simulation. One of the goals is to be
able to simulate and evaluate the model in an adapted period
of time, so we will also have a look at how to either parallelize
or to partition the model, and also use high performance
computing.
Concerning the automatic generation of models, and the
use of the meta–model RWSEditor, we were able to generate
the same model as in (See Figure 6), but without dependability
parameters and with some lack in the interface which has no
impact on the model.
5 CONCLUDING REMARKS
The work that has been carried out in this paper
introduces a modeling methodology that tries to generate
automatically large systems, like railway systems, in order to
assess the dependability performances based on Petri nets. The
work aims at assessing together the maintenance management
including the dysfunctional aspect of components, the design
including the functional and dysfunctional requirements, and
also the operation including the recovery capacity of a railway
infrastructure, in order to validate concrete scenarios of use,
and when needed, to initiate improvement actions in terms of
costs but still retaining safety as first requirement. The first
tests taken from the cases studies have shown encouraging
results for the functional part and the reliability analysis.
The modeling methodology is applied to a generalized
railway infrastructure, but could be extended to other railway
contexts and with some adaptation to other kind of large
systems with many identical components.
The interested readers may find the following aspects
interesting and relevant according to the authors point of view:
- The hourglass based-model decomposition is well
suited to model systems and in particular its ability to
use different kind of tools and methods according to
the needs of either users or the specific requirements
of the model
- The automatic generation of models from atomic
pattern components and their composition into a
complete model is particularly convenient for large
scale systems and allows to save time and avoid
insert errors while modeling
- The use of Petri nets allows, in one model, to validate
the functional and dysfunctional aspects of systems,
moreover the graphical representation and the formal
language simplify the modeling.
Further work has to be done on this modeling
methodology in trying to verify and validate each requirement
with the use of model checking techniques. Furthermore, the
computation time depends on the size of the model, so the use
of parallelization and partitioning of the Petri net should be
foreseeable in order to reduce this time.
Advances can also be planned in this methodology by
using optimization techniques in order to fit both costs and
safety requirements automatically.
ACKNOWLEDGMENT
We thank Mr Antoni, Mr Caron, Mr Hazotte and Mr
Lalouette from the French national railway company (SNCF).
We are also grateful to our colleagues from the University of
Munich in Germany for their cooperation in this work. We
also thank the University of Oslo in Norway and particularly
Mr Bjork, Mrs Chieh Yu and Mr Hagalisletto, for providing
the meta-model tool RWSEditor. And last but not least we
thank Mr Westergaard, the support team of CPN Tools, for the
help in using this software.
REFERENCES
1. P. Barger, W. Schön, M. Bouali, “A study of railway
ERTMS safety with colored Petri nets”, The European
Safety and Reliability Conference ESREL 2009, Prague,
(Sept.) 2009.
2. L. Jansen, M. Meyer zu Horste, E. Schnieder, “Technical
issues in modeling the European train control system
(ETCS) using coloured Petri nets and the Design/CPN
tools”, Proc. Workshop on Practical Use of Coloured
Petri Nets and Design/CPN, Aarhus, Danemark, 1998, pp
103-115.
3. M. Meyer zu Horste, E. Schnieder, “Modelling and
simulation of train control systems using Petri nets”,
FM’99 Formal Methods. LNCS, vol. 1709, 1999, pp
1867-1883.
4. M. Walter, Application-oriented evaluation of fault-
tolerant systems, TU Munich, Shaker Verlag, 2009.
5. A. M. Hagalisletto, J. Bjørk, I. Chieh Yu, P. Enger,
“Constructing and refining large scale railway models
represented by Petri Nets”, TransSMC, 2006.
6. K. Jensen, L.M. Kristensen, Coloured Petri Nets,
Springer-Verlag, 2009.
7. M. Westergaard, L.M. Kristensen, “JoSEL: A Job
Specification and Execution Language for Model
Checking”, CPN Workshop, 2008.
8. J. Lalouette, N. Brinzei, O. Malassé, « Evaluation des
performances du systeme de signalisation ferroviaire
européen superpose au système français, en présence de
défaillances », Lambda-Mu 17, La Rochelle, France,
 2010.
9. F. Flammini, “Model-based dependability evaluation of
complex critical control systems”, PhD Thesis, University
of Napoli, 2006.
BIOGRAPHIES
Grégory Buchheit
Arts et Métiers ParisTech
4, rue Augustin Fresnel
Metz, F-57078, France
e-mail: gregory.buchheit@ensam.eu
Gregory Buchheit graduated from the Paul-Verlaine
University in Metz with a Master’s Degree in computer
science in 2003. He then joined the A3SI team of Arts et
Métiers ParisTech center from Metz as a design engineer in
functional safety, doing training courses, consulting and
research activities. He is doing a PhD degree in the field of the
operational performance evaluation of embedded safety
critical systems in collaboration with the TU Munich in
Germany and the French national railway company SNCF.
Olaf Malassé
Arts et Métiers ParisTech
4, rue Augustin Fresnel
Metz, F-57078, France
e-mail: olaf.malasse@ensam.eu
Olaf Malassé is Assistant Professor at Arts et Métiers
ParisTech center from Metz after having started his career at
the IUT from Cholet. He received his Ph.D. degree from the
INPL in 1994. His work have evolved from the robust control
of electromechanical actuators (PhD), to the modelling of
complex systems and the functional safety of automated
systems constrained by safety and security imperatives,. He is
head of the competence center A3SI « Automatisme et
Simulation pour la Sûreté/Sécurité des Systèmes Industriels »
at Arts et Métiers ParisTech Metz.
Nicolae Brinzei
CRAN, University of Lorraine - CNRS
2, avenue de la Forêt de Haye
54518 Vandoeuvre-lès-Nancy Cedex, France
e-mail: nicolae.brinzei@univ-lorraine.fr
Nicolae Brinzei is associate professor at the Lorraine
University and at the Research Centre for Automatic Control
in Nancy. He works in the field of dynamic reliability and his
research concerns the development of tools for modeling and
dependability assessment of automated control systems by
means of Markov chains, stochastic Petri nets or stochastic
hybrid automata.

View publication stats