CONTROL AND

Purpose. The publication presents the importance and influence of railway traffic control system documentation on its safety. Furthermore, it presents certain selected issues of formal and semi-formal descriptions. Methodology . Development of correct and complete descriptions of the informal, semi-formal and formal becomes important in terms of safety requirements. Background documentation and forms of command-control and signaling system description are the base documents of safety proof. It seems necessary to implement the analysis of the design, manufacture process and operation of safety-related equipment into the work of the Polish railways. Firstly it is applied to traffic control devices. Findings . This publication also shows the importance of risk analysis, which is essential when deciding on the implementation of signaling systems to operate, which are required both in the regulations and making rational decisions about the implementation of the systems. Originality. The presented a problem changes the approach to certain data and makes us aware of their validity. Practical value . The presented problems can help understand certain legal requirements


Introduction
Safety is the basis of any rail transport and signaling system.Risk analysis is a key element of safety management systems in rail transport.The method used, good practices, practical and diligent approach to risk analysis largely determine the efficiency of activities and effectiveness of measures designated to improve railway safety.The importance of safety may be analyzed in terms of a wide range of factors.The diagram (Fig. 1) shows that documentation is an important element of the safety components.
Within the RTC systems, safety is the key factor which qualifies a particular system for release to service.Following Poland's accession to the EU structures within the area of safety, the following standards have become applicable: PN-EN 50126, EN 50128 and EN 50129].PN-EN 50126 standard determines the reliability, availability, maintainability and safety (RAMS), as a process based on the system life-cycle.This process defines particular stages of the system and procedures for approval before moving on to the next stage (requirement specification, design, implementation, etc.).Standard EN 50128 specifies the procedures and technical requirements for designing software for secure electronic system of railway control and security [8].It should be noted that this standard is not fully obligatory.Standard EN 50129 defines the requirements for the design, testing, commissioning and approval of electronic systems, subsystems and related signaling devices with security in railway applications.

Purpose
The introduction of electronic systems in the field of railway traffic control into the railway transport required defining the rules which would replace or supplemented the fail-safe principle.To this end, the safety integrity levels (SIL) were de- fined.The fact that they are in use means that the ail-safe principle is applied at the system function or module levels, and at the hardware lever, an analysis is carried out concerning the security measures preventing random and systemic damage, where the occurrence of random damage is associated with defects of memory, processors, etc. and the occurrence of systemic damage is associated with human errors throughout the entire system life cycle, which means that these also include, among other things, its design and maintenance.
Neither the fail-safe principle nor a high level of SIL, usually SIL4, which are interpreted as a guarantee of full security, do not ensure complete elimination of accidents and events in rail transport.According to the Community law, security means the absence of unacceptable risk (i.e.no hazard).In order to achieve security, according to the prevailing approach, in accordance with the Community law, it is necessary to manage security through security monitoring following respective risk management.Risk management involves scheduled application of management policies, procedures and practices in the field of risk analysis, risk valuation and hazard recording by infrastructure managers and railway carriers.Security monitoring is the systematic application of management strategies, priorities and plans by the same managers and carriers in order to maintain security.

Methodology
The process of designing, manufacturing, deployment and operation of computerized controlcommand and signalling systems due to the complexity and compliance with the safety requirements while maintaining the conditions of integrity of the structure of hardware and software SIL 4 requires application of specific rules and procedures.In the area of knowledge relating to this process, there are a number of different standards developed by individual centres, academic and industrial societies which develop their own standards and do not meet the mutual compatibility requirements.Regardless of any individually developed methods, the process of control-command and signalling system development may proceed methodically based on the recommended scheme called the V cycle, taking into account the assumptions of the RAMS analysis.The diagram (Fig. 2) shows the scheme of the control-command and signalling system implementation process which lists each step of the process and shows that it is important to create records of every stage of the system development.Creation of the said records at every stage is intended to mitigate the number of errors committed in the course of the system development, thus increasing the level of security of such systems.The system design and development begin with the controlcommand and signalling system assumptions development which include informal description documents.In the Polish design and investment reality, these may include documents prepared at the stage of orders, e.g.Specification of Material Terms and Conditions of Order, Ordered Item Description and other informal documents, including an informal analysis of the specifications or documents specifying additional control-command and signalling system requirements completed a detailed formulation of principles of the controlcommand and signalling system.Documents such as the Specification of Material Terms and Conditions of Order, Ordered Item Description form the basis of performed tasks, which is why it is important that they contain clear and accurate information.
Once the informal documents are gathered, semi-formal description documents are designed.Based on the semi-formal description formal description is prepared which contains specification of data bases and the dependency relationship.On the basis of the formal specifications algorithms and software are developed.The process of creating the semi-formal and formal descriptions may also be automated by use of information systems.A sample description of the sequential formation of the specifications related to the drivers, confirming the adopted principle of applying the subsequent stages of design, was presented e.g. in [3], in accordance with IEC 61131 standard.In the process of creating a control system involves engineers and experts of different specialties including specialists who prepare the informal descriptions in natural language, specialists in control technique and technology as well as IT specialists and programmers.The knowledge and experience of the people involved in the system development is essential, otherwise confusion or errors may arise, which ultimately has material adverse impact on the safety level.
The informal control-command and signalling system description documents include, but are not limited to: − the above-said Specification of Material Terms and Conditions of Order, Ordered Item Description ; − instructions, e.g.[4] and other specific documents, depending on the specific requirements and objectives for which the control-command and signalling system is developed; − station work description (station work technology) − control-command and signalling equipment scheme.
The formal and semi-formal documents include, but are not limited to conduct ways specification within the station area with the demonstration of the way objects and safety facilities; − dependency table and/or other related documents; − scheme and table of inter-relations of a station track scheme (so-called track system model) − conducts runs cards; − contradictory runs table.
The formal description documents are collections of data and relations expressed, depending on the accepted standards, by more or less advanced syntactic and editorial forms.The sequence of development of the control-command and signalling system descriptions is shown in Fig. 3. Development of informal, semi-formal and formal (i-s-f) descriptions, and consequently the system designing should be in particular consistent with the assumptions and guidelines of many documents and regulations.The beginning of the design process is determined by the informal description documentation underlying the semi-formal description, which in turn becomes the basis for a formal description, which, as the only form of description, enables algorithmization and development of dependency computer software.This means that any errors committed or not detected at the first stage of the process, i.e. in the course of development of informal records, are usually reproduced in subsequent process stages.All forms of «i-s-f» description are mandatory documents also used i.a. for the purposes of validation, i.e. conformity (consistency) verification, assumptions and testing review.However, despite the clearly formulated guidelines for the design principles, in practice, there is no indication of all the substantive description elements.This enables the designers to achieve the various control-command and signalling system concepts.Certain conditions that should be fulfilled by any «i-s-f» descriptions were indicated.These conditions include clarity of information, completeness of documentation and the principle of generation of the subsequent document on the basis of algorithmization he previously developed documents.
The system documentation greatly influences the level of safety of a particular railway traffic control system.The most important documents of the control-command and signalling system include certification documents that are required un- In accordance with the above Directive, in order to be put into service, each subsystem or interoperability constituent shall receive an EC verification certificate, which is issued by the notified body.The notified body selected by the project contractor will be able to issue the certificate of EC verification after it has checked and confirmed that the subsystem or interoperability constituent meet all relevant Technical Specifications for Interoperability.The TSI requirements are checked at various stages of investment, i.e. at the design, construction and final testing stages.
Fig. 4. Stages of the process of obtaining approval to be put to service [5] In order to be put to service, the documentation of a given control-command and signaling system must be complete and in accordance with the requirements and standards cited in the TSI (Decision 2012/88/EU, as amended), namely also with the safety standards, i.e.PN-EN 50126, BS EN 50128 and BS EN 50129 standards.
The control-company subsystem must be built and installed in accordance with the Community law, and at the same time it must be compatible with the existing railway system to which it is activated.The notified bodies are responsible for the examination of the subsystem conformity with the essential requirements of the Community.On the other hand, the bodies authorized by the Member State of the European Union where the subsystem is to be placed in service, perform the tasks related to verification of compliance of the subsystem with the national regulations.
The certification process is based largely on an assessment of the correctness and consistency of documentation which is not always so obvious.The certification process is designed to increase safety, or to exclude unacceptable risks in the manufactured command-control and signaling system.

Findings
The approach to the safety of rail transport in Poland and in Europe undergoes significant modification.These changes were initiated in 2004 under the provisions of the Directive on rail safety.This Directive makes it clear that all operators of railway systems, infrastructure managers and railway carriers should bear full liability for the security of the system, each one to their respective extent.This issue is a novelty in the rail industry and causes a lot of confusion of interpretation disputes, in particular due to the fact that it falls within the overlaping areas of technical and management sciences.The units assessing the adequacy of the risk management process in railway transport were forced to undertake activitied under the Commission Regulation (EC) No 352/2009 [10] on the adoption of a common safety method on risk evaluation and assessment, and the Commission Implementing Regulation (EU) No 402/2013 on the common safety method for risk evaluation and repealing Regulation (EC) No 352/2009.The introduction of the provisions of these regulations created the need for a systematic approach to risk management processes, including risk evaluation and assessment, which apply to all changes of the railway system considered significant.Risk analysis and risk are inherently connected to the security of the system, therefore they are one of the important elements in deciding on the application of the system.
The provisions of Polish and European standards require that the risk analysis be carried out not only with respect to the safety analysis, but also require that the risk analysis be a mandatory part of the decision-making process concerning the implementation of the system into service.The command-control and signaling system documentation should be prepared at every stage of the manufacturing, implementation or operation process.With the development of appropriate documentation, especially at the stage of the concept and design, the system can be considered safe.
Currently, a lot of risk analysis methods are applied such as E.g. the event tree analysis, fault tree analysis, or analysis of the types and effects of unfitness.The IEC 60300-3-9 standard recommends a risk analysis in the following order: − scope delineation (area); − identification of hazards and their consequences; − risk assessment (impact and frequency); − review − documentation; − updated analysis.

Originality
The infrastructure managers and railway carriers, by making changes in their activities, and accepting changes in subcontractors, regardless of whether these changes are of a technical nature, whether operational or organizational, are obliged to perform risk valuation, which is assessing the acceptability of risk introduced by the amendment.Such an assessment it is also required from the contracting entities and producers and contractors if they engage a notified body to carry out the EC verification procedure of the subsystem.This requirement means a commitment of contracting entities, manufacturers and contractors to carry out the assessment of the acceptability of risk introduced by the construction, modernization, renewal of the subsystem.Based on the criteria of risk acceptability, the acceptability of a specific risk is assessed; these criteria are used to determine whether the level of risk is low enough not to make it necessary to take immediate action to reduce it.The risk assessment resulting from a significant change, is carried out by verification of application of codes of practice or by comparison with similar systems or by open risk estimation.The choice of method is left to the infrastructure manager, the carrier, the contracting entity, manufacturer or contractor who conducts evaluation of the acceptability of risks arising from the significant changes and cannot be imposed by an independent Assessment Unit.In the event of any significant change it is required to carry out an independent assessment of the adequacy of the risk management process and its results, conducted by the Assessment Unit.With each change into the system or of any risk analysis must be created by appropriate documentation, which would later be assessed by the competent assessment bodies.
At each stage of creating a command-control and signaling system errors may occur, which then affect the proper operation of the system or its safety.The diagram (Fig. 5) shows an example of the cause of errors which, at a certain stage of development of the system, may cause a decrease the level of security.The main factor in reducing the level of security is the human factor.Often at the first stage of the creation of the system documentation errors arise due to lack of knowledge and training among the staff, which at the later stages can lead to serious financial losses, and more.The organization of the competence of personnel of all stakeholders is certainly a difficult challenge.

Conclusion
The influence of the command-control and signaling system documentation on the safety of such systems, as presented in this publication, demon- strates the importance of correct documentation created in the process of release to service.Preparation of informal and semi-formal description documents is obligatory, but nevertheless they must comply with the relevant requirements and should be analyzed in terms of risk assessment.The formal description documents enable algorithmization by developing a series of tools relevant to the design documentation for the command-control and signaling system of under safe conditions, that is, i.a. the development of the safety confirmation.The question of formalizing the description of signaling systems, although a number of secure computer systems have been developed, is still valid.The search for new forms of standardization of documentation -descriptions of signaling systems, and including the formalization of the description, is used to minimize the risk to preserving the condition of the integrity of the system-level design process.When creating informal or formal documents it is crucial that they are prepared by competent personnel which have a large impact on the correctness of these documents, which of course also results in an increase in the level of security of the system.

Fig. 1 .
Fig. 1.Safety components and test methods for rail transport

Fig. 3 .
Fig. 3. Descriptions of the control-command and signalling system