Safety-Critical HMIs

Written by Ryan McKinley, Vital Assurance Ltd. and Blake Kozol, Deuta America Corporation
image description

Photo: Shutterstock/wellphoto

RAILWAY AGE, MARCH 2021 ISSUE (expanded version): Exploring train control system Human Machine Interface requirements.

Requirements for safety-relevant Human Machine Interfaces (HMIs) for train operators are becoming more common around the world. The evolution toward safety-relevant HMIs for train control is already well under way in Europe and Asia, most notably as part of the widespread adoption of the European Train Control System (ETCS), with more than 50,000 miles of the worldwide rail network equipped or contracted to be equipped with ETCS (8). While HMI safety requirements have not yet become widespread in North American rail applications, the anticipated re-emergence of HMI safety requirements could soon be an example of history repeating itself. 

In North America, the original cab signaling Aspect Display Units (ADUs) brought wayside signal aspects into the cab to provide continuous signal visibility to the locomotive engineer, reducing the risk of the engineer missing or misinterpreting the displayed aspect. These ADUs included incandescent light points that were treated with the same care as wayside signals, including hot and cold filament checking and light-out detection. Many of these safety critical ADUs remain in service today. 

Over time, the advancement of HMI and automatic train control (ATC) technologies contributed to a general reduction in the safety responsibilities of both the train operator and the train control display. As LED indicator light point array and eventually full electronic displays emerged, lighting technology made safety checking more difficult. ATC systems provided increased automation and protection against train operator errors that previously would have led to collision or derailment. Safety functionality was increasingly allocated to safety-critical controllers onboard the train and along the wayside while being removed from the display itself. The logic in easing safety requirements of the display was simple: “If the ADU is wrong, the ATC will still respond safely.” 

In almost all industries involving automation, system capabilities continually increase over time—and so does complexity. Providing more information and decision making to human operators presents increasing risk (2). This holds true in the rail industry, as the scope and capabilities of train control systems have continued to evolve along with the train control system’s integration with other sensitive systems that support railway operations such as Energy Management Systems (EMS). 

HMIs used with ATC systems may be referred to by a variety of acronyms including ADU, CDU (cab display unit), DMI (driver machine interface), SDU (signal display unit), TOD (train operator display), OCD (onboard cab display), etc. Regardless of name, these HMI devices typically provide continuously updated speed and movement information, used by the train crew for purposes of complying with movement authorities and bulletins. Other examples of onboard HMI functionality include: 

  • Display of warning and enforcement messages.
  • Train start-up commands and status (e.g., initialization, departure test). 
  • Selection and display of operating mode. 
  • Entry and display of train physical and operating characteristics.
  • Operator inputs (e.g., function keys or touchscreen) regarding current operating conditions, such as switch positions, track locations (e.g., Track 1 vs. Track 2), or the presence of other trains. 
  • Operator acknowledgment/acceptance/rejection of authority or bulletin information. 
  • Display of energy management data. 

These functions vary in criticality: Performing a departure test may generally be regarded as not safety-critical, while manually entering operational data that affects braking algorithms or inputting information that factors into the determination of train location or movement authority limits could potentially have significant safety implications. 

Considerations of safety-relevant HMIs have been under way in the industrial automation and process control industry in the past and are more recently being explored in the automotive industry (1, 2, 6). These considerations are largely driven by the ubiquitous increase in system functionality and complexity mentioned above and an increasing acknowledgment of the criticality of human machine interfaces in system design (2, 7). 

Railroads in other countries around the world are also requiring train operator displays to ensure safe operations for both display (machine to human) and input (human to machine) functions. This includes ETCS, one of the largest and most complex interoperable train control systems in the world. ETCS is a publicly standardized, multi-supplier system which is deployed not just in Europe but in many other countries such as China, Saudi Arabia, South Korea, and Australia – making it one of the most robust international train control standardization efforts in history. 

In North America, rail operators that have implemented ATC systems, such as Positive Train Control (PTC) and Communications-Based Train Control (CBTC), over the past 20 years, typically have not included Safety HMIs because they were not required to do so by any regulatory agency and did not identify benefits that warranted the cost.

Importantly, there are many differences in the environment and framework of how HMI safety is managed between the European and North American rail environments. 

European Union rail policy is geared toward the creation of a safe and interoperable “Single European Railway Area.” In 2004, the EU established the European Union Agency for Railways (ERA) which was given the responsibility of developing the technical and legal framework for creating the Single European Railway Area. ERA is the design authority for the European Rail Traffic Management System (ERTMS), which is a single interoperable control, command, signaling and communication system. ERTMS includes ETCS, which is a cab-signaling system that incorporates ATP (automatic train protection), GSM-R (Global System for Mobile communications for Railways) and operating rules. The EU intends for ERTMS to reduce purchasing and maintenance costs of these systems while increasing train speed, infrastructure capacity and safety level. 

UNISIG is an industrial consortium that works with the ERA to develop, maintain and update the ERTMS/ETCS technical specifications. Eight companies—Alstom, AŽD Praha, Bombardier, CAF, Hitachi Rail STS, MERMEC, Siemens, and Thales—are Full Members. Technical specifications for ETCS and GSM-R are published in the Control Command and Signaling (CCS) Technical Specification for Interoperability (TSI), which includes mandatory and informative specifications. 

The CCS TSI mandatory specifications include quantitative safety requirements for Driver-Machine Interface (DMI) functions. The quantitative safety requirements are provided in terms of a Tolerable Hazard Rate (THR), which is in units of failures per hour, calculated by UNISIG in the Functional Safety Analysis of ETCS DMI for ETCS Auxiliary Hazard (3). The Functional Safety Analysis identifies several dozen DMI hazardous situations and uses event tree analysis to derive THR requirements for these hazards, considering the consequences of the hazards and barriers to their occurrence. The THR requirements were then used to derive a corresponding safety integrity level (SIL) according to EN 501295. 

EN 50129 expresses the degree of safety integrity for a safety-related function as one of four discrete SILs (from SIL 1 to SIL 4) or as Basic Integrity. SIL 4 has the highest level of safety integrity. The Functional Safety Analysis identified two hazardous DMI conditions with a SIL 2 requirement (SIL2: 10-7 ≤ THR < 10-6) and five hazardous conditions with a SIL 1 requirement (SIL1: 10-6 ≤ THR < 10-5). Remaining hazardous conditions had no SIL requirement or do not include a THR/SIL assessment. The two conditions with SIL 2 requirement were: 

  1. False presentation of train speed (THR = 7.4E-7 failures/hour). 
  2. False isolation command (THR = 2E-7 failures/hour), which refers to an erroneous but valid input to the DMI that commands ETCS to transition to Isolation mode. Isolation mode physically disconnects (i.e., isolates) ETCS from the vehicle braking system. 

Because the DMI functions must achieve the derived SIL, ETCS railroads implement a Safety HMI that is certified capable of achieving a minimum of SIL 2 for the related functions. 

With high-speed rail projects under way in California and Texas, and under consideration in other parts of the country, it is possible that Safety HMIs may appear in the final solutions for those projects. For example, the California High Speed Rail Design Criteria currently specifies an ATC system targeted to be equivalent to ERTMS. The FRA’s proposed rule of particular applicability (RPA) (9) for the Texas Central Railroad (TCRR) notes that TCRR intends to implement a high-speed passenger rail system based upon the Tokaido Shinkansen and its N700 series trainset. While these HSR projects are planned to be completed several years from now, other projects that are more applicable to the North American rail industry today and the years to come are those involving PTC. 

For more than a decade, North American railroads worked to meet the PTC deadline required by the Rail Safety Improvement Act of 2008, which was original set for Dec. 31, 2015 and ultimately extended to a final deadline of not later than Dec. 31, 2020. Now that most North American railroads have successfully achieved FRA safety certification of their initial PTC implementations, the railroads are exploring ways to further enhance operational and safety benefits of PTC. Safety requirements are therefore likely to increase. PTC 2.0, elimination of train orders via radio, increasing prevalence of international supply chain and international standards may all contribute to this trend. The distribution of costs and efforts to improve system safety will be a function of mitigating the most hazards at the lowest cost, which is also influenced by the availability of affordable and proven solutions. 

PTC systems typically include an HMI, mounted in the locomotive cab, which displays continuously updated speed and movement information. The train crew uses this information to maintain awareness of train speed and location for purposes of complying with movement authorities and bulletins. 

PTC systems can be divided into safety-critical and non-safety critical functions. The safety-critical functions can be further broken down into vital and non-vital functions. Vital functions are those that are shown to be compliant with the safety assurance criteria and processes outlined in 49 CFR Part 236 Appendix C and which have been shown through analysis to achieve a mean time to hazardous event (MTTHE) greater than or equal to 109 hours. Non-vital functions are not required to fulfill these same qualitative and quantitative criteria. 

Examples of safety-critical PTC functions include location determination, speed enforcement, switch protection, temporary speed restriction protection, consist determination, and movement authority protection. Some of the existing safety-critical functions have been assessed in the railroads’ safety documentation as vital while others have been assessed as non-vital. Some obvious targets for safety enhancement are safety-critical functions that were initially assessed as non-vital because they did not fulfill the criteria for vital systems mentioned above. The railroads may look to make these previously non-vital functions vital by implementing a variety of onboard, office, wayside, and/or communications solutions. 

Because the onboard PTC display is a potential contributor to several potential hazards, a safety HMI could be implemented to enhance the safety of several non-vital functions. Hazards could result from false button press inputs which provide the onboard controller incorrect: 

  1. Indication that train crew has received dispatcher permission to pass a signal at stop or enter a main track. 
  2. Switch position or selection of occupied track (Track 1 vs. Track 2), resulting in incorrect train location determination. 
  3. Input or acceptance of train consist information, resulting in incorrect braking calculations. 
  4. Indication that the train crew has received employee in charge (EIC) permission to enter a work zone. 
  5. Indication that the train crew has confirmed all conditions (e.g., relevant train arrivals) have been met for the train to proceed on a conditional authority. 
  6. Indication of flagger protection at a highway grade crossing warning system (HGCWS) malfunction, allowing more permissive train movement through crossing limits than what actual conditions permit. 

PTC designs typically assume that missing or erroneous display information does not affect safety because the onboard controller will initiate enforcement in the event the train crew fails to respond. However, PTC safety analysis should determine if hazards could occur if, as examples, a train crew were to rely on erroneously displayed speed information when the PTC system is in a non-enforcing state, or if the train crew were to believe they are operating under PTC protection when the display erroneously indicates they are not. 

Along with PTC functions, Locomotive EMS are also increasingly incorporated into PTC displays. EMS provide additional safety-relevant controls for throttle position and dynamic braking, relying on critical inputs from a human operator. Additionally, the flexibility of potential functionality expansions, such as the ability to safely display and acknowledge movement authorities and work zone entry permissions without radio transcription, could result in increased efficiency as well as safety. 

With Safety HMI technology now having been proven in use and providing safety benefits to justify the cost, North American railroads may find that the time has come to incorporate these technologies into their new or updated ATC implementations. Railroads are likely to find the incremental additional cost of safety HMIs insignificant given the potential added benefits. 

Undoubtedly North American ATC systems will continue to evolve, driven by a desire to increase functionality, safety and operational efficiencies. Safety HMIs represent an example of technological advancement that may help railroads to leverage innovations to their advantage. As ETCS-based railroads have already deployed tens of thousands of such applications, the risks of new technology introduction are largely mitigated. Our industry aspires to continually improve safety and efficiency for the future; with safety-relevant HMI devices, the future may have roots in the past. 

References

1. https://passive-components.eu/functional-safety-for-automotive-hmi-systems/

2. https://osha.europa.eu/en/publications/human-machine-interface-emerging-risk

3. UNISIG, Functional Safety Analysis of ETCS DMI for ETCS Auxiliary Hazard, Subset-118, Issue 1.4.0, June 20, 2016 (https://www.era.europa.eu/sites/default/files/filesystem/ertms/ccstsiapplicationguide-informativespecifications/setofspecifications3etcsb3r2gsm-rb1/index053-subset-118v140.pdf

4. Daedalus, I-ETMS® Positive Train Control (PTC) Human Factors Evaluation, November 26, 2013. (Submitted to FRA by North American Class I railroads in Positive Train Control Safety Plans (PTCSPs); redacted versions of PTCSPs available at www.regulations.gov) 

5. EN50129:2003, Railway applications – Communication, signaling and processing systems – Safety related electronic systems for signaling 

6. ABB and DEUTA-WERKE announce Safe HMI equipped with PROFINET/PROFIsafe fieldbus (automation.com) https://www.automation.com/en-us/products/product01/abb-and-deuta-werke-announce-safe-hmi-equipped-wit

7. Control Engineering | Growing role of human/machine interaction in risk management. https://www.controleng.com/articles/growing-role-of-human-machine-interaction-in-risk-management/

8. https://www.thalesgroup.com/en/worldwide/transportation/magazine/etcs-signalling-without-frontiers

9. https://www.govinfo.gov/content/pkg/FR-2020-03-10/pdf/2020-03521.pdf

Tags: , ,