Clarifying design guidelines of level crossing logic with functional resonance analysis method

Author: Akimasa Okada
Day: Introduction Day
Session: Level Crossings

1. Introduction
Railway transportation is becoming more important due to properties such as safety, energy-saving, and mass transit. Safety is the most important property for the railway, and availability is also required for stable operation. Recently, in addition to those properties, resilience, with which operation can be provided at least partly even under disorder, is drawing attention. In the field of signalling systems, resilience is considered to correspond to keeping safety under irregular situations. In East Japan Railway Company (JRE), the logic of level crossings (LCs), which is configured with electric relays, has achieved resilience: a vast number of LCs, more than six thousand, ensure safety in various situations including train disorder. While the relay-based logic achieves high safety, it should be replaced with software-based logic to improve maintainability and workability. The factors leading to the resilience of the current logic are useful for the software-based logic. However, a large part of them are implicit. Therefore, clarifying those factors is required. In this paper, we examined a safety analysis method called the functional resonance analysis method (FRAM) to clarify those factors.
2. Method
FRAM was proposed in the field of resilience engineering as a method to express interactions among the functions of a system. In FRAM, each function has six aspects: input, output, precondition, time, control, and resource, and the functions are connected through those aspects. Analysts discover characteristics of the system from the FRAM model. We applied FRAM to the reference LC logic patterns used in JRE and clarified implicit design guidelines.
3. Result
We obtained eleven design guidelines from the FRAM analysis. The most significant one is a hierarchical logic structure found in all the reference logics. In the hierarchical structure, the functions form three layers: a physical-sensor layer (e.g. train detectors), a train-tracking function layer, and a warning layer. Each function interacts only with functions in the neighbouring layer. This simple structure is considered to enable safety logic for LCs, where the detailed logic depends strongly on the rail network. However, the physical sensor used to stop warning is connected directly to the warning layer in addition to the train-tracking function. From this direct connection, we found another success factor: the LC must start warning immediately if something wrong happens to the warning-stop sensor. We collected opinions from JRE signalling engineers about the implicitness and importance of the obtained design guidelines. Almost all of them answered that the guidelines are important and natural but not documented.
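The three-layer guideline and the warning-stop exception can be checked mechanically once the FRAM model is written down. The following is an added example, not code from the paper or from JRE: the function names, the couplings, and the `warning_required` rule are all constructed for illustration and are not a description of any real LC logic. Each function carries the six FRAM aspects; a coupling feeds one function's output into an aspect of another; `layer_violations` flags couplings that cross non-adjacent layers unless they are listed as known exceptions, and `warning_required` encodes the fail-safe rule that warning starts whenever the warning-stop sensor is abnormal.

```python
# Constructed FRAM-style model of a level-crossing logic (illustration only, not JRE's logic).
from dataclasses import dataclass, field
from typing import Dict, List

# The six FRAM aspects through which functions are coupled.
ASPECTS = ("input", "output", "precondition", "time", "control", "resource")
# The three layers of the hierarchical structure; neighbouring layers differ by 1.
LAYER_RANK = {"sensor": 0, "tracking": 1, "warning": 2}


@dataclass
class Function:
    name: str
    layer: str
    aspects: Dict[str, List[str]] = field(
        default_factory=lambda: {a: [] for a in ASPECTS})


@dataclass(frozen=True)
class Coupling:
    src: str      # function whose output is consumed
    dst: str      # function receiving it
    aspect: str   # aspect of dst fed by src's output
    variable: str


def build_model():
    """Hypothetical LC functions and couplings, constructed for this example."""
    fns = {
        "detect_approach": Function("detect_approach", "sensor"),
        "detect_clear": Function("detect_clear", "sensor"),      # warning-stop sensor
        "track_train": Function("track_train", "tracking"),
        "control_warning": Function("control_warning", "warning"),
    }
    couplings = [
        Coupling("detect_approach", "track_train", "input", "train_approaching"),
        Coupling("detect_clear", "track_train", "input", "train_clear"),
        Coupling("track_train", "control_warning", "input", "train_in_section"),
        # The direct sensor-to-warning link described in the abstract (hypothetical variable name).
        Coupling("detect_clear", "control_warning", "precondition", "stop_sensor_healthy"),
    ]
    for c in couplings:
        if c.aspect not in ASPECTS:
            raise ValueError(f"unknown aspect {c.aspect}")
        fns[c.src].aspects["output"].append(c.variable)
        fns[c.dst].aspects[c.aspect].append(c.variable)
    return fns, couplings


def layer_violations(fns, couplings, allowed=frozenset()):
    """Return couplings that do not connect neighbouring layers and are not
    listed in `allowed` as a documented exception (src, dst) pair."""
    bad = []
    for c in couplings:
        gap = abs(LAYER_RANK[fns[c.src].layer] - LAYER_RANK[fns[c.dst].layer])
        if gap != 1 and (c.src, c.dst) not in allowed:
            bad.append(c)
    return bad


def warning_required(train_in_section: bool, stop_sensor_healthy: bool) -> bool:
    """Fail-safe rule: warn when a train is in the section, or whenever the
    warning-stop sensor is abnormal, because warning can then not be ended safely."""
    return train_in_section or not stop_sensor_healthy


if __name__ == "__main__":
    fns, couplings = build_model()
    for c in layer_violations(fns, couplings):
        print(f"non-neighbouring coupling: {c.src} -> {c.dst} ({c.variable})")
    print("warn with faulty stop sensor:", warning_required(False, False))
```

Running the model reports the `detect_clear -> control_warning` coupling as the one non-neighbouring link; passing that pair in `allowed` records it as the deliberate exception, so any other cross-layer coupling added later is still reported.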
4. Conclusion
In this paper, we clarified the design guidelines of the LC logic which are considered to achieve resilience at LCs. FRAM was applied to the reference logic patterns of JRE, which show representative LC logics and include much implicit knowledge and know-how. We extracted eleven design guidelines, which are implicit and essential for the signalling engineers of JRE. We also confirmed through this work that FRAM is useful for clarifying implicit knowledge from an existing system. Those philosophies will be utilized for the next development of LC equipment.