Aims. The paper aims to reduce the cost of on-board train control systems by using an architecture with a single-channel source of information (here, axle counters) and a two-channel receiver of information (here, the on-board control system) instead of the conventional architecture, in which both the generating and the receiving device have at least two channels. To preserve the safety of the system, the failure detection mechanism of the most common multichannel architecture, which compares the outputs of the on-board unit's channels, is complemented by software verification algorithms that provide a SIL 4-compliant level of correct detection of failures of the single-channel device (here, an axle counter). This level is characterized primarily by the quantitative indicator "probability of correct detection"; achieving the goal requires calculating the acceptable and, at the same time, achievable range of this probability and of the performance parameters of the verification algorithms on which it depends.

Methods. The paper presents two safety models of an on-board train control system: the conventional architecture with two-channel generating and receiving devices, and the architecture with a single-channel source and a two-channel receiver of information. The graph models have the same states and differ only in the values of their parameters. By applying the topological method [1] to the conditions of the problem, formulas for the mean time to hazardous failure and for the rate and probability of hazardous failure were derived within both models. The input values, including the probabilities of correct detection of failures of the on-board system and of the axle counter, were identified, and the resulting safety indicators were calculated, which allows the system to be assigned to one of the four discrete safety integrity levels.

Results. The paper defines the probabilistic performance indicators of the failure detection software and hardware for the architecture with a single-channel source and a two-channel receiver of information. Defining the indicators involves setting the maximum permissible values at which the quantitative safety indicators (mean time to hazardous failure, rate and probability of hazardous failure) are no worse than those of the conventional architecture with two-channel generating and receiving devices. The performance parameters that are most safety-critical, because of their strong effect on correct failure detection (here, of the axle counter), are identified. The findings show that hardware costs can be reduced without compromising compliance with the safety requirements by using single-channel sources (here, axle counters) and two-channel receivers of information (here, an on-board control system) whose software provides a sufficiently high level of correct failure detection (here, of the axle counter).
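As an added illustration, not code from the paper, the following Python computes the three safety indicators named in the Methods and Results (mean time to hazardous failure, rate and probability of hazardous failure), assigns a safety integrity level, and solves for the detection probability the single-channel source must reach for its indicators to be no worse than those of the conventional architecture. The model is a deliberate simplification assumed for this example (each device contributes its failure rate times the probability that the failure goes undetected; the paper's topological-method formulas are not reproduced), the failure rates and detection probabilities are constructed values rather than the paper's data, and the SIL bands are the EN 50129 tolerable hazard rate bands per hour per function.

```python
"""Illustrative safety-indicator calculation for two on-board architectures.

Simplified model (an assumption for this example, not the paper's topological
method): a device failure that is not correctly detected is hazardous, so each
device contributes lambda * (1 - p) to the hazardous failure rate, where lambda
is its failure rate (1/h) and p its probability of correct failure detection.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Architecture:
    name: str
    lambda_source: float    # failure rate of the information source (axle counter), 1/h
    p_source: float         # probability that a source failure is correctly detected
    lambda_receiver: float  # failure rate of the on-board unit, 1/h
    p_receiver: float       # probability that an on-board unit failure is correctly detected


def hazardous_failure_rate(arch: Architecture) -> float:
    """Rate of undetected (hazardous) failures, 1/h, under the simplified model."""
    return (arch.lambda_source * (1.0 - arch.p_source)
            + arch.lambda_receiver * (1.0 - arch.p_receiver))


def mean_time_to_hazardous_failure(arch: Architecture) -> float:
    """MTTHF in hours: the reciprocal of the hazardous failure rate."""
    return 1.0 / hazardous_failure_rate(arch)


def probability_of_hazardous_failure(arch: Architecture, hours: float) -> float:
    """Probability of at least one hazardous failure within `hours` (exponential model)."""
    return 1.0 - math.exp(-hazardous_failure_rate(arch) * hours)


def sil_from_rate(rate_per_hour: float) -> int:
    """Assign the EN 50129 safety integrity level for a hazardous failure rate.

    Tolerable hazard rate bands (per hour per function): SIL 4 below 1e-8,
    SIL 3 below 1e-7, SIL 2 below 1e-6, SIL 1 below 1e-5; 0 means no SIL is claimable.
    """
    for sil, upper_bound in ((4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if rate_per_hour < upper_bound:
            return sil
    return 0


def required_source_detection_probability(single: Architecture,
                                          reference: Architecture) -> Optional[float]:
    """Minimum p_source for `single` so that its hazardous failure rate is not worse
    than that of `reference`. Solves lambda_s*(1-p) + lambda_r*(1-p_r) <= rate(reference)
    for p; returns None if the receiver term alone already exceeds the budget.
    """
    budget = (hazardous_failure_rate(reference)
              - single.lambda_receiver * (1.0 - single.p_receiver))
    if budget <= 0.0:
        return None
    return max(0.0, 1.0 - budget / single.lambda_source)


# Constructed input values (assumptions for this example, not the paper's data).
CONVENTIONAL = Architecture("two-channel source, two-channel receiver",
                            lambda_source=1e-5, p_source=0.99999,
                            lambda_receiver=1e-5, p_receiver=0.9999)


def single_channel(p_software: float) -> Architecture:
    """Single-channel axle counter whose failures are detected by software with probability p_software."""
    return Architecture("single-channel source, two-channel receiver",
                        lambda_source=1e-5, p_source=p_software,
                        lambda_receiver=1e-5, p_receiver=0.9999)


if __name__ == "__main__":
    for arch in (CONVENTIONAL, single_channel(0.999), single_channel(0.99999)):
        rate = hazardous_failure_rate(arch)
        print(f"{arch.name} (p_source={arch.p_source}): rate={rate:.3e}/h, "
              f"MTTHF={mean_time_to_hazardous_failure(arch):.3e} h, "
              f"P(1 year)={probability_of_hazardous_failure(arch, 8760):.3e}, "
              f"SIL {sil_from_rate(rate)}")
    print("required p_source for the single-channel source:",
          required_source_detection_probability(single_channel(0.0), CONVENTIONAL))
```

With these constructed values the conventional architecture sits in the SIL 4 band; lowering the software's correct-detection probability for the axle counter from 0.99999 to 0.999 moves the single-channel architecture into the SIL 3 band, and the solved bound is the permissible value of the detection indicator below which the safety indicators become worse than the conventional architecture's. In the paper this bound comes from the topological-method formulas; here it is only the closed-form solution of the simplified inequality.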