The safety of multi-computer systems for railway transport management and control

Academic year: 2022


III INTERNATIONAL CONFERENCE

TRANSPORT SYSTEMS TELEMATICS TST'03

ZESZYTY NAUKOWE POLITECHNIKI ŚLĄSKIEJ 2003

TRANSPORT z.51, nr kol. 1608

rail control systems, fail safe systems, safety computer networks

Andrzej LEWIŃSKI1, Tomasz PERZYŃSKI2

THE SAFETY OF MULTI-COMPUTER SYSTEMS FOR RAILWAY TRANSPORT MANAGEMENT AND CONTROL

The main aim of this work is to characterise the safety of hierarchical railway management and control systems, decomposed into several layers, based on ERTMS/ETCS requirements and configured from distributed computers connected by network standards. The safety analysis, related to reliability and functional parameters, corresponds to a Markov process modelling the operation of multicomputer systems composed of an assumed number of coupled computers.

THE SAFETY OF MULTI-COMPUTER MANAGEMENT AND CONTROL SYSTEMS USED IN RAILWAY TRANSPORT

The aim of this paper is to characterise the safety of a complex, multi-computer railway traffic management and control system based on ERTMS/ETCS requirements and configured from distributed computer systems connected via a network.

The safety analysis relating to reliability and functional parameters corresponds to a Markov process modelling the operation of multi-computer systems composed of an assumed number of connected computers.

1. THE SAFETY COMPUTER NETWORK FOR RAILWAY TRANSPORT MANAGEMENT AND CONTROL

The problems of coupled computers in the duplex systems applied in railway control have been presented in [8]. The problem of safety defined with respect to a two-computer structure may be easily extended towards multi-computer structures, treated both as systems with repair and as systems without repair.

The standardisation committee CENELEC suggests the following assumptions about the reliability of computer systems applied in railway signalling and management. Corresponding to the assumption that the ratio between safety integrity levels may be as 100:1, the common failure rates (regarding the system level including transmission) for subsystems are:

- System Integrity Level 4 - 10^-9 h^-1
- System Integrity Level 3 - 10^-7 h^-1
- System Integrity Level 2 - 10^-5 h^-1
- System Integrity Level 1 - 10^-3 h^-1

1 Faculty of Transport, Radom University of Technology, 26-600 Radom, lewinski@kiux.man.radom.pl
2 Faculty of Transport, Radom University of Technology, 26-600 Radom, perzynski@kiux.man.radom.pl

Table I Classification of computer systems in railway transport (CENELEC)

| Required integrity of safety | Consequences of system fault | Characteristics of system | Type of system |
|---|---|---|---|
| 4 Very high | Loss of human life | To prevent the train collision and derailment | Fail-safe system |
| 3 High | Injuries or illness | To identify the train integrity or characteristics | High integrity system |
| 2 Medium | Environmental pollution | To manage the railway traffic | Safety involved system |
| 1 Low | Loss or damage of property | To inform the passenger | Low integrity system |
| 0 Non-safety related | Loss of non-safety related information | To manage the railway | Non-safety related system |

Bracket labels of the original table: safety critical systems; safety essential systems.

These typical reliability parameters, presented by producers of computer controllers and confirmed by maintenance records, together with the known time characteristics of designed systems, make safety evaluation possible [3].

2. SAFETY AND RELIABILITY PARAMETERS OF COMMUNICATED NETWORKED COMPUTERS

For computer networks with a greater number of communicating computers (both in the with-repair and the without-repair approach) this approach may be extended in the way presented in Fig. 1.

In the model with repair of the dispatcher system [4] (Fig. 5.a) the failure rates for both computers may be assumed identical, $\lambda_m = \lambda_r = \lambda$ (typical value is less than $10^{-5}\ \mathrm{h}^{-1}$); similarly the repair rates $\mu_m = \mu_r = \mu$ (typical value of the repair time $\mu^{-1}$ is less than $10^{-5}\ \mathrm{h}^{-1}$), and the probability of a correct switch is $p$ (typical value is $1 - 10^{-6}$).

For a system composed of two main computers plus one "reserve" computer the probability of dangerous failures is more difficult to calculate, but we can estimate that

$$P_2 = P_{21} + P_{22} \approx \frac{(1-p)\lambda}{\mu} + \frac{2(1-p)\lambda}{\mu} = \frac{3(1-p)\lambda}{\mu} \qquad (1)$$

We can show that for a system with $n$ active computers and one "reserve" computer the total probability of dangerous failures $P_2$ is approximately equal to

$$P_2 = \sum_{i=1}^{n} P_{2i} \approx \sum_{i=1}^{n} \frac{i(1-p)\lambda}{\mu} = \frac{n(n+1)(1-p)\lambda}{2\mu} \approx \frac{n^2(1-p)\lambda}{2\mu} \qquad (2)$$

Fig. 1 Modelling of multicomputer structures: a) systems with repair, b) systems without repair

This approach for systems without repair may be extended in the way presented in Fig. 6.b. A system with three parallel computers ("2 from 3") has a probability of dangerous failures equal to

$$P_2 = \lim_{t\to\infty} P_2(t) = \frac{\lambda}{\lambda+\mu}\cdot\frac{2\lambda}{2\lambda+\mu} \approx \frac{2\lambda^2}{\mu^2} \qquad (3)$$

For computer networks with a greater number of communicating computers without repair this result may be extended in the way:

$$P_2 = \lim_{t\to\infty} P_2(t) = \frac{\lambda}{\lambda+\mu}\cdot\frac{2\lambda}{2\lambda+\mu}\cdots\frac{(n-1)\lambda}{(n-1)\lambda+\mu} = \prod_{i=1}^{n-1}\frac{i\lambda}{i\lambda+\mu} \approx (n-1)!\,\frac{\lambda^{n-1}}{\mu^{n-1}} \qquad (4)$$

It is obvious that for increasing $n$ the probability $P_2$ of the structure with repair will be greater (and the safety measure $S = 1 - P_2$ will be worse) than for one active plus one reserve computer.

3. CONCLUSIONS

This result emphasises the sense of redundancy. The fundamental rule of fail safe introduced in [4]:

$$P_2 \approx (1 - p_{fs})\,\frac{\lambda}{\mu} \qquad (5)$$

where $p_{fs}$ is the probability of fail-safe failures (corresponding to the CENELEC requirements the $p_{fs}$ value must be better than $1 - 10^{-3}$, which means that one failure in a thousand failures that occur may be critical). Corresponding to (2), for systems with repair

$$p_{fs} \approx 1 - \frac{n^2(1-p)}{2} \qquad \text{for } n > 2 \qquad (6)$$

and for systems without repair (4)

$$p_{fs} \approx 1 - (n-1)!\left(\frac{\lambda}{\mu}\right)^{n-2} \qquad \text{for } n > 2 \qquad (7)$$

The main conclusion confirms the well-known rule that a parallel system without repair is better for safety applications than a system with reserve and reconfiguration (without repair).
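As an added worked example (not code from the paper), the following Python evaluates equations (1) to (7) for the rates quoted in section 2 and compares the two structures for several values of n. The failure rate λ = 10^-5 h^-1 and the switch probability p = 1 - 10^-6 are taken at the paper's quoted bounds, while the repair rate μ = 1 h^-1 is an assumption of this example, not a value from the paper.

```python
"""Dangerous-failure probability of redundant computer structures.

Added example, not code from the paper: evaluates eqs. (1)-(7) of
Lewiński and Perzyński. lam = failure rate (1/h), mu = repair rate (1/h),
p = probability of a correct switch to the reserve computer.
"""
from math import factorial, prod

# Sample values: lam and p sit at the bounds quoted in section 2; mu = 1/h
# (one-hour repair) is an assumption of this example.
LAM, MU, P_SWITCH = 1e-5, 1.0, 1 - 1e-6
CENELEC_PFS_MIN = 1 - 1e-3   # p_fs must be better than 1 - 10^-3


def p2_with_repair(n, lam=LAM, mu=MU, p=P_SWITCH):
    """Eq. (2): n active computers plus one reserve, with repair.
    For n = 2 it reduces to eq. (1), 3(1-p)*lam/mu."""
    return n * (n + 1) * (1 - p) * lam / (2 * mu)


def p2_without_repair_exact(n, lam=LAM, mu=MU):
    """Eq. (4), product form: n parallel computers without repair."""
    return prod(i * lam / (i * lam + mu) for i in range(1, n))


def p2_without_repair(n, lam=LAM, mu=MU):
    """Eq. (4), closed-form approximation (n-1)! * (lam/mu)^(n-1)."""
    return factorial(n - 1) * (lam / mu) ** (n - 1)


def pfs_from_p2(p2, lam=LAM, mu=MU):
    """Eq. (5) solved for the fail-safe probability p_fs."""
    return 1 - p2 * mu / lam


def pfs_with_repair(n, p=P_SWITCH):
    """Eq. (6): p_fs ~ 1 - n^2 (1-p) / 2 (uses n(n+1)/2 ~ n^2/2)."""
    return 1 - n * n * (1 - p) / 2


def pfs_without_repair(n, lam=LAM, mu=MU):
    """Eq. (7): p_fs ~ 1 - (n-1)! * (lam/mu)^(n-2)."""
    return 1 - factorial(n - 1) * (lam / mu) ** (n - 2)


def compare_structures(n_values=(3, 4, 5, 6)):
    """Return {n: (S_with_repair, S_parallel)} with safety measure S = 1 - P2."""
    return {n: (1 - p2_with_repair(n), 1 - p2_without_repair(n))
            for n in n_values}


if __name__ == "__main__":
    for n, (s_rep, s_par) in compare_structures().items():
        print(f"n={n}: S(n+1 reserve, repair)={s_rep:.12f}  S(parallel)={s_par:.12f}")
    print("p_fs(n=4, repair) meets CENELEC:", pfs_with_repair(4) > CENELEC_PFS_MIN)
```

Running it shows the n^2 growth of 1 - p_fs for the reserve structure against the factorial collapse of (n-1)!(λ/μ)^(n-2) for the parallel one, which is the trend behind conclusion (7).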

The analysis of safety criteria (probabilistic or time measures) for real systems based on computer networks is more complicated. The estimation of the rates λ and μ necessary for the evaluation is difficult because such parameters are rather unknown and may be determined with respect to tests elaborated over several years [3]. (The estimation of p_i in systems without repair composed of several computers is rather sophisticated with respect to the characteristics of multiple switches.) The repair rate may be estimated during special safety tests.

The railway management system may be treated as a large computer network integrating typical computer controllers dedicated to different functions on the distinguished levels corresponding to a hierarchical multilevel approach. Such techniques combine different network technologies and transmission techniques: copper cables, fibre optics and radio transmission (GSM-R). The computer network may be treated as an approach to the ERTMS project, where all systems are integrated in the form of one hierarchical system of European railways and the co-operation of many computer systems is assumed.

BIBLIOGRAPHY

[1] Railway Application: The specification of dependability, reliability, availability, maintainability and safety (RAMS), Report on the EN 50126 standard, CENELEC 1997.

[2] DĄBROWA-BAJON M., KONOPIŃSKI L., LEWIŃSKI A., „Wybrane komputerowe systemy sterowania ruchem kolejowym na tle europejskich zaleceń normalizacyjnych”, Problemy Kolejnictwa, Zeszyt 116, 1994.

[3] KONOPIŃSKI L., LEWIŃSKI A., „System wspomagający ocenę niezawodności komputerowych systemów sterowania ruchem kolejowym”, Materiały Międzynarodowej Konferencji BEZPIECZEŃSTWO I NIEZAWODNOŚĆ SYSTEMÓW ‘KONBIN 2001’, Szczyrk, 2001.

[4] LEWIŃSKI A., „Problemy oprogramowania bezpiecznych systemów komputerowych w zastosowaniach transportu kolejowego”, Seria Monografie Nr 49, Wydawnictwo Politechniki Radomskiej, Radom, 2001.

[5] LEWIŃSKI A., KONOPIŃSKI L., „Computer network systems for railway transport control and management”, II Międzynarodowa Konferencja TELEMATYKA SYSTEMÓW TRANSPORTOWYCH, Katowice-Ustroń, 2002.

[6] LEWIŃSKI A., PERZYŃSKI T., „Nowe rozwiązania komputerów sterujących w systemach sterowania ruchem kolejowym na przykładzie systemów ssp”, prace konferencji TRANSPORT W XXI WIEKU, Wydział Transportu Politechniki Warszawskiej, Oficyna Wydawnicza Politechniki Warszawskiej, Warszawa 2001.

[7] LEWIŃSKI A., PERZYŃSKI T., „New computer control systems in Polish State Railways”, I Międzynarodowa Konferencja Naukowa TELEMATYKA SYSTEMÓW TRANSPORTOWYCH, Katowice-Ustroń, 2001.

[8] LEWIŃSKI A., PERZYŃSKI T., „The safety problems of computer networks in transport applications”, II Międzynarodowa Konferencja TELEMATYKA SYSTEMÓW TRANSPORTOWYCH, Katowice-Ustroń, 2002.

[9] LEWIŃSKI A., KONOPIŃSKI L., „The safety of decentralised computer system for railway transport management and control”, prace Międzynarodowej Konferencji KONBIN 2003, Gdynia 2003, TRANSPORT W XXI WIEKU, Wydział Transportu Politechniki Warszawskiej, Wydawnictwa Instytutu Technicznego Wojsk Lotniczych, Nr 1/2003.

Reviewer: Ph. D. Jerzy Mikulski
