1. Human reliability in rail context

Presenter: Frederik-Alexander Adebahr (Technical University Berlin)

Different methods can be used for the assessment of human reliability in the context of railways. The 'ATO-RISK' project has carried out evaluations of existing methods and created a new method for the context of determining risk acceptance criteria for driverless driving. The workshop participants will be introduced to the following methods:

  • The Human Factors Method according to Albrecht Hinzen is considered common for Germany and its content has also been adopted in DIN_VDE_V_0831-103.
  • The method 'Railway Action Reliability Assessment' (RARA) of the RSSB is applied to real accidents in the UK.
  • The method proposed in ATO-RISK comprises a modification of RARA with regard to a generic use in science using the example of ATO.

In the workshop, example ATO functions from ATO-RISK will be discussed, the human factors method according to ATO-RISK will be applied and the results evaluated.

2. Risk Assessment for Driverless Train Operation on Main Lines – An Example

Presenter: Jens Braband (Siemens Mobility GmbH) and Hendrik Schäbe (TÜV Rheinland InterTraffic GmbH)

In the project "Risk Acceptance Criteria for Automatic Train Operation" (ATO-RISK) safety integrity requirements for Automatic Train Operation functions on German main lines have been derived. The main result besides the risk analysis is a system definition, mainly a function list, that has been checked against all relevant sources.

The risk assessment for the Grades of Automation 3 and 4 complies with the requirements of the CSM regulation using all risk acceptance criteria provided by the regulation: use of Code of Practice, comparison with Reference Systems as well as explicit risk analysis for future automatic operation modes based on DIN VDE V 0831-103. Additionally, as a further support of the results an analysis of human reliability up to the Grade of Automation 2 was performed.

The results, in particular related to obstacle detection, were validated, made plausible by alternative methods and merged to an overall result. It showed, that where some results by different methods deviated, those differences are explainable. For many variants of obstacle detection safety integrity requirements have been derived, that, slightly simplified, range from safety integrity levels (SIL) 1 to 2 (exceptionally up to 3).

The tutorial will focus in particular on the semi-quantitative risk assessment, comparing it also to quantitative approaches , and the validation of the results. Other aspects include the generalization of the results to other operation environments and some fallacies that occurred during the assessment.

3. Model Checking benefits and lessons learnt for V&V

Presenter: SafeRiver company

Model Checking is being more and more deployed in ground transportation industry (railways, automotive) for verification of complex embedded systems such as Automated Pilots for Driving Assistance or Autonomous Driving, Communication Based Train Control Systems, Smart Signalling Supervised Systems. Academic and early adopters community has achieved breakthroughs and developed methodologies that make model checking effective for supporting the V&V process and provide evidence of high level assurance.

The tutorial aims at demonstrating in a concrete way how Complex systems Verification and Validation may get profit of model checking SW products, in a mastered process.

First, it will explain where Formal Verification has an impact in the Development Cycle, for Operators and for System Providers (Tier 1) or Suppliers.

Second, we illustrate key concepts that need to be understood and mastered by the end user, without knowing much about theoretical foundations, thanks to typical proof of concept examples and actual business case demonstrations, supported by industrial model checkers.

Finally Integration of model-checkers in V&V process will be discussed, and we will explore how to drive a Model checking campaign that lead to valuable outcomes for safety evidence as well as intended functionality demonstration.

Lessons Learnt and challenges to be addressed will close this tutorial.

4. Code Generation and Automated Verification of EULYNX MBSE Artifacts

Presenter: Robert Schmid (Hasso-Plattner-Institut)

EULYNX (see https://www.eulynx.eu) developed a modularized digital interlocking architecture, defining subsystems and their communication interfaces, that has been taken up by the EU-RAIL System Pillar. Therefore, EULYNX is an important contributor to EU-RAIL and its architecture became the essential part of field elements control and monitoring in the wider System Pillar architecture encompassing CCS and TMS to the maximum extent.

A cornerstone of EULYNX engineering is a model-based systems engineering methodology (MBSE): All system requirements are derived from SysML models which can be checked for syntactic and semantic correctness, e.g., using Model-in-the-Loop testing.

Furthermore, the use of formal methods in combination with the system model allows to prove the compliance with overarching safety constraints in the modularized system. Finally, the modeling artifacts are a valuable input for bootstrapping an implementation process according to the relevant safety engineering standards and can be used to generate code for simulators.

This tutorial provides an insight into the EULYNX engineering process, the validation of EULYNX requirements as well as current developments aimed at supporting implementors and market adoption.