Automatic Evaluation Framework for Reliability and Safety of Multiple Train Detection Systems

Abstract

A train detection system is the basis of signaling and control in railway transportation, and there is a trend to apply multiple train detection systems simultaneously to improve reliability and safety. The ideal evaluation process for train detection systems should be able to determine their reliability and safety by considering the track layout, detection block, design and logic of the detection system, routing and frequency of trains, and train length (in relation to block length). Existing evaluation methods for train detection systems still require a few manual interactions and human judgment, which could be inefficient and subjective. Consequently, this research aims to develop a framework with automatic processes to generate all failure scenarios, calculate the probability of fail-safe conditions and wrong-side failures, and finally determine the reliability and safety index of the corresponding connection logic. Results of case studies demonstrate the applicability of the proposed framework to actual cases. The use of this framework can assist railways in identifying the appropriate design and logic of multiple train detection systems.

Keywords

rail rail safety system safety railroad operating technologies control

A train detection system plays a vital role in railway systems because the train braking distance is substantially greater than the sight distance ( 1 ). This detection system is also the basis of signaling and control systems. If an error occurs in the detection system, then the signaling system would fail to obtain the precise position of trains, giving the wrong instructions and putting the whole railway system at risk.

In a discussion of the most serious railway accidents in the U.S.A., the Washington Metro train collision must be mentioned ( 2 ), which killed 8 passengers and injured 80 people (Figure 1a). The investigation by the National Transportation Safety Board found that train detection failure was responsible for this accident. Although the metro system was using an automatic train operation (ATO) system, it was not able to prevent the accident because the ATO system needs to operate the train according to the location of adjacent trains. If the train detection system fails to accurately detect trains, then the ATO system would go blind and be unable to detect the train ahead of it, thus causing a collision.

Figure 1.

(a) Collision of Washington Metro in 2009 ( 2 ) and (b) dashcam view of the limited express train in the 2019 Jiadong incident ( 3 ).

A near-miss caused by train detection failure occurred in Taiwan on 28 August 2019. When a Taiwan Railways Administration (TRA) limited express train was about to go through Jiadong station after passing a home signal showing a green light, the driver was surprised to find a local train stopped ahead in the same block (Figure 1b) ( 3 ). Fortunately, the driver of the express train was able to spot the local train earlier and make a full stop less than 100 m behind it. According to the investigation report of the Taiwan Transportation Safety Board, this accident was caused by train detection failure in Jiadong station, thus causing the home signal to show the wrong aspect ( 3 ).

The main function of a train detection system is straightforwardly to demonstrate the occupancy of each detection block. In general, only two kinds of failure types exist ( 4 ):

no train is occupying a particular block in reality, but the detection system shows that the block is “occupied,” resulting in a fail-safe condition;

a train is occupying a particular block in reality, but the detection system shows that the block is “cleared,” resulting in a wrong-side failure (i.e., failures that are related to safety concerns).

This research focuses on the evaluation of the reliability and safety of multiple train detection systems. In general, failure modes, effects, and criticality analysis is often used for reliability evaluation, and hazard analysis is often adopted for safety evaluation ( 5 ). Fault tree analysis (FTA) is another common reliability analysis method, which can integrate the reliability of individual components to the overall system reliability ( 6 – 9 ). An improved FTA called dynamic FTA was developed to further improve the efficiency of the evaluation ( 10 , 11 ). Several safety analysis methods exist other than the conventional hazard analysis. Lucic ( 12 ) applied advanced cause–consequence analysis for safety analysis of train detection systems. Several studies ( 13 , 14 ) applied the Markov model for reliability and safety analysis of railway signaling systems. Nonetheless, these methods rely on manual enumerations to create possible scenarios related to reliability and safety concerns, which is complicated, time consuming, and difficult to fully automate.

An ideal evaluation process for train detection systems should be able to determine their reliability and safety by considering the track layout, detection block, design and logic of the detection system, routing and frequency of trains, and train length (in relation to block length). Existing methods in the literature for train detection system evaluation still require a few manual interactions and human judgment, which could be inefficient and subjective. In addition, the trade-off between reliability and safety is worthy of discussion among different designs and logic ( 15 ). Consequently, this research aims to develop a framework with automatic processes to evaluate the reliability and safety of the train detection system. The use of this process can assist railways in identifying the trade-off between reliability and safety of train detection systems with efficient and objective attributes.

Train Detection System in Taiwan Railways Administration

The most popular train detection systems are track circuit and axle counter. The track circuit is the simplest technology for the train detection system, and it has been used for railways for centuries ( 1 ). It exploits the electrical conductivity of the track and the axle of the train, and each block is separated by insulated joints. The track circuit is vulnerable to some extreme conditions, such as flooding and longitudinal crosstalk, because of electrical conductivity ( 16 ). An alternative train detection system, namely, the axle counter, has been applied for several decades. The simple frame of this technology consists of the axle counter itself and two wheel sensors on both ends of the block ( 17 ), as shown in Figure 2. The two wheel sensors at the two ends of the block calculate the number of passing axles and send the information to the axle counter (numbers in the parentheses under the wheel sensor represent the detected number of passing axles in Figure 2). If the calculated numbers received from the two sensors are different, then it means that a train is occupying this block. In contrast, this block is clear as long as the two received numbers are the same.

Figure 2.

Mechanism of the axle counter system: (a) cleared and (b) occupied.

In addition to the track circuit and axle counter, quite a few different types of train detection systems have also been developed and tested over the years, such as GPS-based systems ( 18 – 24 ), lidar sensors ( 25 , 26 ), radio frequency identification (RFID) tags ( 27 – 31 ), inertial navigation system ( 32 – 34 ), and others ( 35 , 36 ). However, most of these train detection systems have not been widely used because of reliability issues and safety concerns. The track circuit and axle counter are still the dominant choices with regard to train detection.

The evolution of the TRA detection system is summarized in Figure 3. In the past (Stage 1, before 2005), all blocks in TRA were equipped with only a track circuit. With the poor reliability of the track circuit system, the operator decided to adopt the axle counter system in addition to the existing track circuit in 2005 to improve the reliability of the train detection system. However, with two detection subsystems in the same block, a question is raised with regard to how the occupancy of the block can be determined if the outcomes from the track circuit and axle counter are different.

Figure 3.

Evolution of the Taiwan Railways Administration detection system before the Jiadong accident.

If the newly added axle counter was connected with the existing track circuit in series (Table 1), then the outcome status of the whole system would be occupied if either of the subsystems shows “occupied.” This idea was the connection logic adopted by TRA initially in 2005 (Stage 2). Compared with the original track circuit system, this logic with two subsystems would improve the safety of the train detection system because any subsystem detects that the block would be occupied. However, this connecting logic would suffer from low reliability, because any fail-safe conditions from either the axle counter system or the track circuit system would harm the reliability of the train detection system. Ironically, TRA adopted the axle counter to improve the reliability of the train detection system. Thus, TRA decided to change the serial connection to the parallel connection in 2010 (Stage 3) ( 37 ), that is, only if the two subsystems show “occupied” would the whole system show “occupied.”Table 2 shows all corresponding scenarios in the parallel connection.

Table 1.

Detection Logic and Outcome of Serial Connection

Subsystem 1	Subsystem 2	System outcome
Occupied	Occupied	Occupied
Occupied	Cleared	Occupied
Cleared	Occupied	Occupied
Cleared	Cleared	Cleared

Table 2.

Detection Logic and Outcome of Parallel Connection

Subsystem 1	Subsystem 2	System outcome
Occupied	Occupied	Occupied
Occupied	Cleared	Cleared
Cleared	Occupied	Cleared
Cleared	Cleared	Cleared

As can be seen, a trade-off exists between reliability and safety. Although the parallel connection may improve the reliability of the whole system, it could pose a threat to the safety of the system. If a train is occupying this section in reality but one of the subsystems (track circuit or axle counter) fails to show “occupied,” then the whole system would show “cleared” because of the parallel connection logic (wrong-side failure). Compared with the failure type in the serial connection (fail-safe), this condition is much more dangerous because the following train will not be able to perceive the train ahead.

Since 2012, TRA has started to replace all the track circuits with axle counters (Stage 4). As a result, two axle counter subsystems are present per block. However, they still maintain the parallel connection logic on the dual axle counter system. On 28 August 2019, one of the two axle counters in the detection block, 1RAT, in Jiadong station failed to detect train occupancy (wrong-side failure). The block would be detected as clear even though the other axle counter could still detect trains properly because of the parallel connection between the two subsystems. At this time, a local train of TRA first approached Jiadong station (Figure 4a) and then went undetected while occupying 1RAT (Figure 4b). Following the local train in the same direction, a limited express train scheduled to pass this station approached Jiadong station a few minutes later. The train detection system did not perceive the local train. Therefore, the following express train was granted the green light and routing to pass this station (Figure 4c). Fortunately, the express train came to a full stop less than 100 m behind the local train, but both trains were undetected while occupying 1RAT (Figure 4d).

Figure 4.

Status of the train detection system shown on the monitor at Jiadong station (the red marks indicate that the block is “occupied”): (a) the local train (blue) occupied block 11T, (b) the local train stopped in block 1RAT, but the monitor did not show “occupied,” (c) the limited express train (orange) scheduled to pass when receiving a green light from the home signal, and (d) the limited express train stopped in block 1RAT just behind the local train, but the monitor still did not show “occupied.” (Color online only.)

This near-miss indicates the importance of evaluating the design and logic of train detection systems. Although each subsystem meets the reliability and safety regulations individually, this condition does not necessarily imply that the whole system under a specific connection logic would meet the requirement as well. By definition, reliability means the probability that a system will perform a required function for a given period of time when used under the stated operating conditions ( 38 ). Thus, in the reliability index, we should consider all failure types that may affect normal operation. As for the safety index, we should consider those failures with safety concerns that consist only of wrong-side failures. To evaluate these failures, an important step is to enumerate all the failure scenarios along with their probability for each connection logic to identify the most desirable logic for the train detection system.

It is essential for the proposed evaluation framework to be able to consider the possible design and logic of multiple train detection systems. With regard to TRA, there are sections that have been equipped with two axle counters, along with a track circuit that was used before, while some have only one axle counter along with one track circuit. The following are possible logics and designs with these equipment:

single system: track circuit;

single system: axle counter;

dual system with serial connection: track circuit + axle counter;

dual system with serial connection: axle counter + axle counter;

dual system with parallel connection: track circuit + axle counter;

dual system with parallel connection: axle counter + axle counter;

dual system with primary-and-secondary connection: axle counter + axle counter;

triple system with two out of three logics: track circuit + axle counter + axle counter.

Methodology

Enumerating possible normal and failure scenarios would be the most direct and intuitive method to evaluate the reliability and safety index of train detection systems. However, several key elements should be considered in this evaluation framework. During the analytical processes, determining which detection blocks in the layout are occupied by operating trains at any point is necessary. Therefore, the track layout and the detection blocks should be obtained before the enumeration. Furthermore, the design and logic of the detection system, the routing and frequency of trains, and train length (in relation to block length) are also essential input data.

Figure 5 shows the comprehensive framework, including two main modules: the automatic scenario enumeration module and reliability and safety evaluation module. This framework is designed for multiple train detection systems, which is suitable for either the track circuit or axle counter. The automatic scenario enumeration module processes the input data and generates the train detection data for each scenario. These data will then be used to generate the reliability and safety index in the reliability and safety evaluation module.

Figure 5.

Framework for reliability and safety evaluation: (a) automatic scenario enumeration module and (b) reliability and safety evaluation module.

Automatic Scenario Enumeration Module

This module has three processes: track layout storage process, failure mode generation process, and train detection data generation process, along with the following input datasets: “track layout,”“detection block,”“routing and frequency of trains,” and “train length” (Figure 5a). The detailed procedures of these processes are discussed in the following few sections.

Track Layout Storage Process

The first process in this module is to define the analyzed section in the railway network, which may be a single track, double track, intermediate station, terminal station, and so on. In this research, we use the data structure of a doubly linked list to process the track layout with corresponding detection blocks. With this data structure, all the possible track layouts could be discussed. Figure 6 shows how a particular track layout and its detection blocks (Figure 6a) can be processed into a doubly linked list (Figure 6b). The numbers in the squared brackets can be viewed as the route indicators, along with “left” or “right” for the direction. For example, if the route in a certain scenario is “Block A → Block B → Block C2 → Block D,” then we only have to assign that the route indicator after “Start” is “right[0],” the route indicator after “Block A” is “right[0],” the route indicator after “Block B” is “right[1],” and so on. Thus, we can simply use “right[00100]” to represent this route.

Figure 6.

(a) Sample track layout along with its detection blocks and (b) corresponding form in a doubly linked list.

Failure Mode Generation Process

In addition to storing the track layout and its detection blocks, we also have to deal with the failure mode of the train detection system. For a detection system in a single block, only two kinds of failure types occur: fail-safe conditions or wrong-side failures. In the beginning, the process should identify all the causes leading to those two failure types and then categorize them into three groups:

causes of fail-safe condition only: anything that would lead to power outage in an axle counter or a track circuit, such as power supply failure or transmission failure;

causes of wrong-side failure only: short-circuit in any relay;

causes of both the fail-safe condition and wrong-side failure: wheel sensor malfunction (only in an axle counter system).

For the fail-safe condition, anything that would cause a power outage in the train detection system would cause the axle counter to always show “occupied” whether a train is present or not. For the wrong-side failure, if any relay is short-circuited, then the train detection system would always show “cleared” even if a train is in this block. Wheel sensor malfunction may cause both the fail-safe condition and wrong-side failure.

After all the failure types and their related causes are listed, the process can enumerate all the possible failures to the block or sensor level and create all failure modes considering the track layout. Having two blocks or two sensors fail at the same time is highly unlikely. Thus, the process only considers failure combinations with only one component failure in this research.

Figure 7 shows a sample track layout under an axle counter system with eight blocks (i.e., A2T, A1T, 11T, 1RBT, 1RAT, 12T, B1T, and B2T) along with 10 wheel sensors (i.e., A, B, C, D2, E2, D1, E1, F, G, and H). For the axle counter system, each wheel sensor can be shared by two adjacent blocks (e.g., B is used by A2T and A1T; C is used by A1T and 11T). Possible failures from a power outage or short-circuit are block based, so eight possible failures exist for each of the eight blocks. Wheel sensor malfunction is sensor based, so 10 possible failures may occur. A total of 26 failure modes may happen according to this track layout and the detection blocks, including 8 modes of power outage from 8 blocks, 8 modes of short-circuit from 8 blocks, and 10 modes of wheel sensor malfunction from 10 wheel sensors.

Figure 7.

Sample track layout.

The proposed process treats all components as independent components; however, common-cause failures, such as power failures, may affect multiple components at the same time. For example, if the power supply fails, all corresponding blocks would fail to detect trains. Considering all components as independent components actually is a conservative estimation. Another possible consideration is that the failure rate of a component could vary over time because of wear out. However, preventive maintenance is commonly applied in railway systems; therefore, constant failure rates can be used to estimate the performance of electronic components.

Train Detection Data Generation Process

The previous process identifies all the possible failures to block or sensor levels according to the track layout and detection blocks. To determine the train detection data about which detection sections in the layout are occupied by operating trains at any point, the train detection data generation process takes into account the routing and frequency of trains and the train length, and enumerates all possible failure scenarios followed by the corresponding train detection data with two subprocesses: (1) failure scenario enumeration and (2) axle counter data generation.

Part I: Failure Scenario Enumeration

The number of failure scenarios and their probability caused by a failure mode depends on the routing and frequency of trains and the train length (in relation to block length). In this part, the process enumerates all the failure scenarios based on those failure modes generated in the previous process, along with routing and frequency of trains and train length. For the example in Figure 7, if three types of trains of different lengths are operating in this section, with four different routings for each type of train, then there is a total of 312 different failure scenarios in total (3 × 4 × 26). Each failure scenario would be stated, including train length, routing number, failure mode, and the type of train detection system. For example, if three types of train of different lengths—80, 120, and 160 m—and four routings from routing 1–4 exist in this simple case, then a failure scenario would be presented as “An 80-m train passes through routing 1, while block A1T has power outage under an axle counter system.”

Part II: Train Detection Data Generation

After all failure scenarios are enumerated, train detection data can be simulated and recorded by sending a train to a particular routing in the analyzed section (according to the characteristics of each scenario) with the occupation status of all blocks at each time frame. Instead of storing all the statuses of every second of the operation, the developed process stores the data only whenever a change occurs in the occupation status. For example, if a train is occupying block A2T in Figure 7, then the process would not record the next status until the train moves to the next block (occupying A2T and A1T); the information is known as event-based data. The track layout data stored by the previous process are based on each block; thus, this process also generates all occupation status block by block. For example, if the process visits block A1T in Figure 7, then the possible occupation status may include “a train occupies only A1T,”“a train occupies both A2T and A1T,”“a train occupies 11T and A1T,”“a train occupies A2T, A1T, and 11T,” and so on, depending on the train and block lengths. The process involves three main steps: firstly, the occupation status for each possible relationship between train and block lengths is determined, then the impact on axle counter data from possible failure modes is identified, and lastly, the complete train detection data with these occupation statuses for both normal and failure scenarios are generated.

Step 1: Normal Occupation Status. A train may occupy multiple blocks depending on the relationship between train and block lengths (Figure 8). This step summarizes all the possible relationships between train and block lengths. In this study, because it is not possible for a train to occupy five blocks at a time in the TRA system, this process considers only those four conditions shown in Figure 8. For convenience, one of the blocks is always assigned as the “current block” in each condition. If the number of blocks that a train occupies is odd, we simply assign the middle block to be the “current block.” If the number is even, we assign the middle left-hand block to be the “current block.” According to the direction of the train, we also can assign the “previous block,”“next block,” and so on.

Figure 9 summarizes all relationships between train and block lengths. If a train is occupying a block that is longer than itself, then there will be a moment when this train occupies this block only. If the block is shorter than the train itself, then the train would never occupy this block without occupying other blocks. In this condition, all the occupation statuses of this block will indicate that two or more blocks are occupied. To determine how many blocks would be occupied, we should also observe the length of the adjacent block. If the train is longer than the total length of this block and its adjacent block, then there would be a status in which the train occupies at most four blocks at the same time. Finding three continuous blocks with their total length shorter than that of a passing train is a rare occurrence, which is why we discuss only the length relationships of at most two adjacent blocks in the following steps. This situation is the reason a train cannot occupy five blocks at a time in the TRA system, as stated in the previous section. To apply to other railways with possibly longer trains, additional conditions, trains occupying more blocks, should be added in Figure 8 and the relationship between train length and block length (Figure 9) should also be expanded to cover all possible relationships.

Figure 8.

Four different conditions caused by different length relationship: a train occupying (a) one block, (b) two blocks, (c) three blocks, and (d) four blocks.

Figure 9.

Relationship between train length and block length.

After all the relationships are listed, the process can then generate the corresponding occupation status. For example, if the occupied block is longer than the train, then three possible statuses of occupying this block exist: (1) A2T and A1T (status 0), (2) only A1T (status 1), (3) A1T and 11T (status 2), as shown in Figure 10. According to the definition of “current block” stated in step 1, status 0 is also counted in the scenario where block A2T is the “current block.” Thus, status 0 can be ignored because it has already been considered. As a result, only two occupation statuses exist while block A1T is being analyzed. The occupation status of other relationships between train and block lengths can be obtained by the same procedure (Table 3). In Table 3, “1” represents “occupied” and “0” represents “cleared.”

Table 3.

Occupation Status Table of Each Length Relationship in the Normal Case

Failure mode	Status				Current < Train < Current + Previous								Current + Previous < Train
		Current > Train			Current + Next > Train				Current + Next < Train				Current + Next > Train				Current + Next < Train
		Block			Block				Block				Block				Block
		Prev	Curr	Next	Prev	Curr	Next	Next Next	Prev	Curr	Next	Next Next	Prev	Curr	Next	Next Next	Prev	Curr	Next	Next Next
Normal	s = 1	0	1	0	1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0
Normal	s = 2	0	1	1	0	1	1	0	1	1	1	1	0	1	1	0	1	1	1	1

Note: Prev = previous; Curr = current.

Step 2: Abnormal Occupation Status. Step 1 only generates the axle counter data without any failure in the train detection system. Step 2 then determines how failure modes would affect the axle counter data. The process for power outage and short-circuit failures is straightforward. The former allows the failure block to always show “occupied,” while the latter allows the failure block to always show “cleared.”

The process for wheel sensor malfunctions is more complicated. For each detection block, the two wheel sensors at each end should be considered, as well as the other two sensors from the adjacent detection blocks. As shown in Figure 11, four wheel sensors (A–D) should be considered when generating the occupation status of block A1T.

Figure 10.

Occupation status for block A1T, which is longer than the passing train.

Figure 11.

Occupation status for block A1T, which is longer than the passing train with wheel sensor B malfunction (the gray shade status belongs to block A2T).

In Figure 11, block A1T (the current block) is longer than the passing train with wheel sensor B malfunction. At status 0, the train moves into block A1T. However, block A1T fails to show “occupied” because of the malfunction of wheel sensor B. At status 1, the train occupies only block A1T, but block A2T still stays “occupied” because wheel sensor B cannot detect that the train has already left A1T. At status 2, the train moves into block 11T, which causes block A1T to turn “occupied” because the wheel sensor C is normally operating. After discussing all the failure scenarios, we summarize all the occupation statuses in Table 4. The occupation status in red color in Figure 11 represents that they are different from the normal case, which indicates wrong outputs from the axle counter system.

Table 4.

Occupation Status Table of Each Length Relationship With Failure Mode

Failure mode	Status	Current > Train			Current < Train < Current + Previous								Current + Previous < Train
		Current > Train			Current + Next > Train				Current + Next < Train				Current + Next > Train				Current + Next < Train
		Block			Block				Block				Block				Block
		Prev.	Curr.	Next	Prev.	Curr.	Next	Next Next	Prev.	Curr.	Next	Next Next	Prev.	Curr.	Next	Next Next	Prev.	Curr.	Next	Next Next
Power outage	s = 1	0	1	0	1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0
Power outage	s = 2	0	1	1	0	1	1	0	1	1	1	1	0	1	1	0	1	1	1	1
Short-circuit	s = 1	0	0	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0
Short-circuit	s = 2	0	0	1	0	0	1	0	1	0	1	1	0	0	1	0	1	0	1	1
Sensor A malfunction	s = 1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0
Sensor A malfunction	s = 2	1	1	1	1	1	1	0	1	1	1	1	1	1	1	0	1	1	1	1
Sensor B malfunction	s = 1	1	0	0	1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0
Sensor B malfunction	s = 2	1	1	1	1	1	1	0	1	1	1	1	1	1	1	0	1	1	1	1
Sensor C malfunction	s = 1	0	1	0	1	1	0	0	1	1	0	0	1	1	0	0	1	1	0	0
Sensor C malfunction	s = 2	0	1	0	0	1	0	0	1	1	1	1	0	1	0	0	1	1	1	1
Sensor D malfunction	s = 1	0	1	0	1	1	1	0	1	1	1	0	1	1	1	0	1	1	1	0
Sensor D malfunction	s = 2	0	1	1	0	1	1	0	1	1	1	1	0	1	1	0	1	1	1	0

Note: Prev. = previous; Curr. = current.

Step 3: Train Detection Data Generation. After the corresponding occupation status table is constructed, the complete axle counter data can then be generated. According to a particular scenario, such as “A 160-m train passes through route 1 (A2T→A1T→11T→1RBT→ 12T→B1T→B2T) while block 11T has power outage,” the process would visit block by block with the assigned routing. In each visited block (as the current block), the process checks the length relationship and the failure mode, and identifies the corresponding occupation status based on the occupation status tables (Tables 3 and 4). Table 5 presents the axle counter data for this particular scenario. For the scenario related to power outages and short-circuits, the block with the particular failures would show occupied or cleared specifically; thus, the process would automatically assign such failure block to fix at “1” or “0.” As shown in the example in Table 5, block 11T always shows “1” throughout this scenario because of the power outage. The complete train detection data can be generated by going through all possible failure scenarios, as enumerated by the earlier process (Part I: Failure Scenario Enumeration).

Table 5.

Train Detection Data for the Scenario: “A Westbound 160-m Train Passes Through Route 1 While Block 11T has Power Outage Under Serial Connections of Two Axle Counter Subsystems”

Current block	Status	A2T	A1T	11T	1RBT	12T	B1T	B2T
A2T	s = 1	1	0	1	0	0	0	0
A2T	s = 2	1	1	1	0	0	0	0
A1T	s = 1	1	1	1	0	0	0	0
A1T	s = 2	1	1	1	1	0	0	0
11T	s = 1	0	1	1	1	0	0	0
11T	s = 2	0	0	1	1	0	0	0
1RBT	s = 1	0	0	1	1	0	0	0
1RBT	s = 2	0	0	1	1	1	0	0
12T	s = 1	0	0	1	1	1	1	0
12T	s = 2	0	0	1	1	1	1	1
B1T	s = 1	0	0	1	0	1	1	1
B1T	s = 2	0	0	1	0	0	1	1
B2T	s = 1	0	0	1	0	0	0	1
B2T	s = 2	0	0	1	0	0	0	1

Reliability and Safety Evaluation Module

The previous module generates the train detection data of normal and failure scenarios with only one train detection system per block. In reality, the design of a train detection system may have one to three train detection subsystems per block with corresponding connection logic. The reliability and safety evaluation module (Figure 5b) then computes the reliability and safety index by considering the design and logic of the detection system, that is, the number of train detection subsystems and its/their corresponding logics for train detection. The detailed process of this module is shown in Figure 5b.

Part I: System Output Data Generation

The first part of this module generates the system output on the basis of the train detection data, as well as the design and logic of the detection system.

If only one train detection system (either axle counter or track circuit) is present per block, then the system output for a block is straightforward. For a detection system composed of two subsystems, several connection logics are used when dealing with inconsistent output of the two subsystems: (1) series, (2) parallel, and (3) primary–secondary. The concept of series and parallel connections is discussed in Tables 1 and 2. For the primary–secondary system, only one train detection subsystem (the primary system) detects the occupancy of a block at a time; thus, the other subsystem, the secondary subsystem, is the hot backup. If the primary detection subsystem has a detectable failure, the operator can switch to the secondary detection subsystem. For a detection system composed of three subsystems, the most common logic is to adopt the two-out-of-three rule for detection, which means the occupancy status is based on at least two of the subsystems with the same status.

Table 6 shows the system output for the scenario “A westbound 160-m train passes through route 1 while subsystem 1 of block 11T has power outage under serial connections of two axle counter subsystems.”

Table 6.

System Output Data for the Scenario: “A Westbound 160-m Train Passes Through Route 1 While Block 11T has Power Outage Under Serial Connections of Two Axle Counter Subsystems”

Current block	Status	A2T		A1T		11T		1RBT		12T		B1T		B2T
		Subsystem		Subsystem		Subsystem		Subsystem		Subsystem		Subsystem		Subsystem
		1	2	1	2	1	2	1	2	1	2	1	2	1	2
A2T	s = 1	1	1	0	0	1	0	0	0	0	0	0	0	0	0
	s = 1	1		0		1		0		0		0		0
	s = 2	1	1	1	1	1	0	0	0	0	0	0	0	0	0
	s = 2	1		1		1		0		0		0		0
A1T	s = 1	1	1	1	1	1	1	0	0	0	0	0	0	0	0
	s = 1	1		1		1		0		0		0		0
	s = 2	1	1	1	1	1	1	1	1	0	0	0	0	0	0
	s = 2	1		1		1		1		0		0		0
11T	s = 1	0	0	1	1	1	1	1	1	0	0	0	0	0	0
	s = 1	0		1		1		1		0		0		0
	s = 2	0	0	0	0	1	1	1	1	0	0	0	0	0	0
	s = 2	0		0		1		1		0		0		0
1RBT	s = 1	0	0	0	0	1	0	1	1	0	0	0	0	0	0
	s = 1	0		0		1		1		0		0		0
	s = 2	0	0	0	0	1	0	1	1	1	1	0	0	0	0
	s = 2	0		0		1		1		1		0		0
12T	s = 1	0	0	0	0	1	0	1	1	1	1	1	1	0	0
	s = 1	0		0		1		1		1		1		0
	s = 2	0	0	0	0	1	0	1	1	1	1	1	1	1	1
	s = 2	0		0		1		1		1		1		1
B1T	s = 1	0	0	0	0	1	0	0	0	1	1	1	1	1	1
	s = 1	0		0		1		0		1		1		1
	s = 2	0	0	0	0	1	0	0	0	0	0	1	1	1	1
	s = 2	0		0		1		0		0		1		1
B2T	s = 1	0	0	0	0	1	0	0	0	0	0	0	0	1	1
	s = 1	0		0		1		0		0		0		1
	s = 2	0	0	0	0	1	0	0	0	0	0	0	0	1	1
	s = 2	0		0		1		0		0		0		1

Note: The blue area indicates the system output by integrating the two subsystems (color online only).

Part II: Reliability and Safety Index Generation

The second part of this module then computes the probability of fail-safe conditions and wrong-side failures, and then determines the reliability and safety index.

Probability Calculation of Scenarios with Both Fail-Safe Conditions and Wrong-Side Failures

For each failure scenario, this process compares the system output of all statuses of normal and failure scenarios to determine the failure type: fail-safe condition, wrong-side failure, or both. As long as one of the blocks of a scenario experiences such failure, this scenario would be viewed as a scenario with such failure. If the system output of one or more blocks is “occupied” while the normal scenario should be “cleared,” then it means that a fail-safe condition would happen in this scenario, and this scenario would be viewed as a fail-safe scenario. If the system output of one or more blocks is “cleared” while the normal scenario should be “occupied,” then it means that a wrong-side failure would happen in this scenario, which is viewed as a wrong-side failure scenario. If a scenario has both fail-safe conditions and wrong-side failures, then it would be viewed as both a fail-safe scenario and a wrong-side failure scenario. To obtain the probability of these failure scenarios, several probability values should be inputted in this part, such as the probability of the cause of failure, different train lengths, and different routings. Equation 1 can then be used to calculate the probability of these failure scenarios. Here, Prob_s indicates the probability of scenario s; fr_s indicates the probability of the cause of failure in such a failure mode; t_s is the probability of the train length in scenario s; r_s is the probability of the particular routing in scenario s:

Pro b_{s} = f r_{s} \times t_{s} \times r_{s}

(1)

Reliability and Safety Index

For the reliability index, the probability of all the scenarios related to the reliability performance should be considered. The reliability index is defined by comparing the reliability of a particular design against the base design (Equation 2). In Equation 2, RELl indicates the scenarios that are related to the performance of reliability under connection logic l. Here, RELb indicates the base scenario. In this research, the system with single-track circuit (per block) represents the base case, since this is the original train detection system for TRA:

Reliability Index = 1 - \frac{\sum_{s \in RE L_{l}} Pro b_{s}}{\sum_{s \in RE L_{b}} Pro b_{s}}

(2)

The safety index considers scenarios with wrong-side failures, which can be defined by Equation 3. The safety index is computed by comparing the safety of a particular design against the base design (Equation 3). In Equation 3, WSFl indicates the wrong-side failures under connection logic l, whereas WSFb indicates the wrong-side failures under the base scenario:

Safety Index = 1 - \frac{\sum_{s \in WS F_{l}} Pro b_{s}}{\sum_{s \in WS F_{b}} Pro b_{s}}

(3)

With these two indices, comparing the performance of both reliability and safety among different connection logics is convenient, and helps one to choose the most suitable logic in a certain railway section.

Case Study

A railway network contains several sections with different track layouts. In analyzing the reliability and safety of the train detection system, each section should be analyzed specifically with corresponding characteristics. Two sections near two station areas—Fangshan and Jiadong stations—on South Link Line in TRA are analyzed in this case study. Track circuits were originally used on this line, but it was recently switched to two axle counter subsystems before the Jiadong incident mentioned earlier. With multiple train detection systems on this line, possible train detection logics include the following: (1) single system with a track circuit; (2) single system with an axle counter; (3) dual system with serial connection (track circuit + axle counter); (4) dual system with serial connection (axle counter + axle counter); (5) dual system with parallel connection (track circuit + axle counter); (6) dual system with parallel connection (axle counter + axle counter); (7) dual system with primary-and-secondary connection (axle counter + axle counter); and (8) triple system with two out of three logics (track circuit + axle counter + axle counter). All possible design logics are evaluated through the proposed framework for reliability and safety in the case studies.

Case 1: Fangshan Station Area

Fangshan station area is a single-track section with only two tracks in the station area (Figure 7). This area has 8 blocks and 10 wheel sensors in this area. Table 7 shows the train lengths, routing, and probability of the three main causes of failures. The probabilities of causes of failure of the axle counter are based on the specification and warranties (in probability) of the axle counter system used by TRA, while the probabilities of the track circuit are based on the existing track circuit system ( 7 ). The probabilities of train length and routings are based on the recent timetable of this station area. For example, if there are 50 trains passing through this station area and five of them are 80 m long, the probability of 80-m trains would be 10%.

Table 7.

Input Data of Case 1

Train length	Probability (%)
80 m	30
120 m	40
240 m	30
Route	Probability (%)
Westbound through 1RAT	40
Westbound through 1RBT	10
Eastbound through 1RAT	40
Eastbound through 1RBT	10
Causes of failure (Axle counter)	Probability
Fail-safe conditions (ex: power outage)	1.33 × 10⁻⁶
Wrong-side failures (ex: short-circuited)	2.00 × 10⁻¹⁰
Wheel sensor malfunction	8.78 × 10⁻⁷
Causes of failure (track circuit)	Probability
Fail-safe conditions (ex: power outage)	9.10 × 10⁻⁶
Wrong-side failures (ex: short-circuited)	1.48 × 10⁻⁶

The automatic scenario generation module first stores the track layout through the track layout storage process. It then creates all the failure modes by applying the failure mode generation process, and finally generates the train detection data of each failure scenario by using the train detection data generation process, with 312 failure scenarios (26 failure combinations × 3 types of train × 4 routes) in total.

With the train detection data, the probability of each cause of failure, and the design and logic of the detection system, the reliability and safety evaluation module then computes the reliability and safety index accordingly (Table 8). According to the definition of reliability in TRA, it only considers scenarios that may interrupt the system operation, that is, fail-safe conditions from power outages or wheel sensor malfunctions. With regard to safety, wrong-side failures, caused by short-circuits and wheel sensor malfunctions, are considered in the safety index.

Table 8.

Evaluation Output of Case 1

Connection logic	Probability of fail-safe conditions (10⁻⁶)	Reliability index (%)	Probability of wrong-side failures (10⁻⁶)	Safety index (%)
Single (TC)	63.74	na	10.36	na
Single (AC)	16.34	+74.36	7.03	+32.19
Series (TC + AC)	80.08	−25.64	0.00	+100.00
Series (AC + AC)	32.68	+48.73	0.00	+100.00
Parallel (TC + AC)	0.00	+100.00	17.39	−67.81
Parallel (AC + AC)	0.00	+100.00	14.05	−35.63
Primary-and-secondary (AC + AC)	7.02	+88.98	7.03	+32.19
2 out of 3 (TC + AC + AC)	0.00	+100.00	0.00	+100.00

Note: TC = track circuit; AC = axle counter; na = not applicable.

Comparing the results of serial and parallel connections, parallel connections, that is, Parallel (track circuit [TC] + axle counter [AC]) and Parallel (AC + AC), have relatively high reliability indices from the least probability of the fail-safe condition, resulting in higher reliability. However, their safety levels are substantially worse. Serial connections, that is, Series (TC + AC) and Series (AC + AC), and two-out-of-three logic have the highest safety level among all the logics. However, the reliability index of Series (TC + AC) is the worst among all logics, whereas the reliability of Series (AC + AC) is a little better because of the advantage of the axle counter over the track circuit. A trade-off exists between parallel and serial connections.

The primary-and-secondary connection has a relatively high reliability index and a positive safety index. With the advantage of the additional detection sensors, two-out-of-three logic has not only the highest reliability index but also the highest safety index. In practice, the rule of thumb with regard to signal and train control is that the safety level can never be compromised while introducing new systems or upgrading existing systems. If the track circuit is the base case, the operator should never choose parallel connection logic. If the station area is already equipped with a two axle counter system along with the original track circuit, two-out-of-three is the best logic in either reliability or safety. If dual systems are preferred, both Series (AC + AC) and primary–secondary connections are reasonable choices for this section because their reliability and safety indices are all positive (better than the base case).

Case 2: Jiadong Station Area

Jiadong station is the place where the near-miss caused by train detection failure occurred in 2019. Therefore, identifying the most appropriate design and logic is an important task. This is a single-track section with three tracks in the station area (Figure 12). Twenty-two blocks along with 25 wheel sensors are found in this area. Since the double track and electrification project of TRA South Link Line is in progress, the track layout in case 2 (Figure 12) is different from that in the Jiadong accident (Figure 4). Table 9 shows the train lengths, routing, and probability of the three main causes of failures.

Table 9.

Input Data and Evaluation Output of Case 2

Train length	Probability (%)
80 m	45
120 m	26
180 m	10
240 m	13
280 m	6
Route	Probability (%)
Westbound through 1RAT	41
Westbound through 1RBT	5
Westbound through 1RCT	4
Eastbound through 1RAT	41
Eastbound through 1RBT	5
Eastbound through 1RCT	4
Causes of failure (axle counter)	Probability
Fail-safe conditions (ex: power outage)	1.33 × 10⁻⁶
Wrong-side failures (ex: short-circuited)	2.00 × 10⁻¹⁰
Wheel sensor malfunction	8.78 × 10⁻⁷
Causes of failure (track circuit)	Probability
Fail-safe conditions (ex: power outage)	9.10 × 10⁻⁶
Wrong-side failures (ex: short-circuited)	1.48 × 10⁻⁶

Figure 12.

Track layout of Jiadong station.

Similar to the process of Case 1, 2070 failure scenarios are generated in Case 2 according to the 69 failure modes (22 with a power outage, 22 with a short-circuit, and 25 with a wheel sensor malfunction). The train detection data generation process would enumerate complete train detection data based on the 2070 scenarios, followed by system output generation and reliability and safety evaluation from the reliability and safety evaluation module (Table 10).

Table 10.

Evaluation Output of Case 2

Connection logic	Probability of fail-safe conditions (10⁻⁶)	Reliability index (%)	Probability of wrong-side failures (10⁻⁶)	Safety index (%)
Single (TC)	182.12	na	29.60	na
Single (AC)	45.06	+75.26	18.44	+37.70
Series (TC + AC)	227.18	−24.74	0.00	+100.00
Series (AC + AC)	90.12	+50.52	0.00	+100.00
Parallel (TC + AC)	0.00	+100.00	48.04	−62.30
Parallel (AC + AC)	0.00	+100.00	36.88	−24.61
Primary-and-secondary (AC + AC)	18.44	+89.88	18.44	+37.70
2 out of 3 (TC + AC + AC)	0.00	+100.00	0.00	+100.00

Note: TC = track circuit; AC = axle counter; na = not applicable.

With more blocks and sensors, the probability of the fail-safe conditions and wrong-side failures is higher in this case (Table 10). The relative reliability and safety performances of these eight connection logics are similar to those from Case 1. A trade-off still exists between parallel and serial connections. However, the reliability and safety indices among all the logics in this case are different from Case 1. For example, the reliability index of the serial connection with track circuit and axle counter, that is, Series (TC + AC), is −24.74%, which is higher than case 1 (reliability index = −25.64%), thereby implying that the reliability of Series (TC + AC) in this case does not drop as much as that in Case 1.To prevent similar near-miss incidents from happening again, two-out-of-three is still the best logic among all, since this station area is already equipped with two axle counter subsystems along with the original track circuit. If continuing the use of the track circuit is not preferred, both Series (AC + AC) and primary-and-secondary connections are reasonable choices for this section.

Discussion

With this automatic evaluation framework, the exact ratio of the improvement or degradation of the reliability and safety for multiple train detection systems can be derived. According to Tables 8 and 10, it is clear that Series (TC + AC), Parallel (TC + AC), and Parallel (AC + AC) are all inadequate logics because of the decrease in either reliability or safety levels. Considering the trade-off between safety and reliability in dual axle counter systems, choosing primary-and-secondary connection or Series (AC + AC) for Jiadong and Fangshan station areas are both reasonable, since the reliability and safety are both higher than the base case. Two-out-of-three logic performs even better, but the maintenance cost would also be higher because of the additional train detection subsystem (track circuits). To choose the most suitable logic, other aspects, such as cost, cross-sectional consistency, field conditions, and so forth, should also be considered, but those aspects are beyond the scope of this research. For the South Link Line of TRA, the aim is to identify an appropriate logic to improve reliability and safety without needing additional maintenance cost; therefore, it is recommended to choose primary-and-secondary logic.

Conclusion

This research proposes an automatic framework to evaluate the reliability and safety of multiple train detection systems. The developed processes first generate all failure scenarios, then calculate the probability of fail-safe conditions and wrong-side failures, and finally determine the reliability and safety index of the corresponding connection logic. Results of the case studies demonstrate the applicability of the proposed framework to actual scenarios. The recommendation of choosing primary-and-secondary logic for the South Link Line were adopted by TRA. Using this framework can assist railways in identifying the appropriate design and logic of multiple train detection systems.

Footnotes

Author Contributions

The authors confirm their contributions to this research as follows: study conception and design: K.C. Hsueh, Y.C. Lai; data collection: K.C. Hsueh; analysis and interpretation of results: K.C. Hsueh; draft manuscript preparation: K.C. Hsueh, Y.C. Lai. All authors reviewed the results and approved the final version of the manuscript.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Yung-Cheng Lai

References

Palmer

J. W.

The Need for Train Detection. Proc., IET Professional Development Course on Railway Signalling and Control Systems, Birmingham, UK, IET, 2010, pp. 52–64.

National Transportation Safety Board. Collision of Two Washington Metropolitan Area Transit Authority Metrorail Trains Near Fort Totten Station Washington, D.C., June 22, 2009. Railroad Accident Report. Publication PB2010-916302. National Transportation Safety Board, Washington, D.C., 2010.

Taiwan Transportation Safety Board. The Investigation Report of TRA’s Train Number 3501 and 333 Coexisted at the Same Signal Block. Publication TTSB-ROR-21-02-001. Taiwan Transportation Safety Board, New Taipei City, 2021.

Thorat

S. B.

Jagtap

Murthy

Pal

Kalyankar

N. V.

Intelligent Computing in Railway Signal Engineering. Presented at 6th International Conference on Computer Sciences and Convergence Information Technology, Seogwipo, South Korea, 2011.

Railway Bereau, Ministry of Transportation and Communications (MOTC). The South-Link Line Railway Electrification Project – The Turnkey Project of Mechanical and Electrical Systems – System Assurance Documents. Publication K001-0CR-RAM-0001-0. Railway Bureau, MOTC, New Taipei City, 2020.

Chen

S. K.

T. K.

Mao

B.H.

Reliability Evaluations of Railway Power Supplies by Fault-Tree Analysis. IET Electric Power Applications, Vol. 1, No. 2, 2007, pp. 161–172.

Wang

Analysis on Reliability and Security of ZPW-2000A Track Circuit System Based on FMEDA and FTA. Sensors & Transducers, Vol. 25, 2013, pp. 161–168.

Zhang

Zhao

Zhou

Quan

Safety Analysis of ZPW-2000A/K Track Circuit System Based on Risk Estimation. Proc., 2013 International Conference on Electrical and Information Technologies for Rail Transportation (EITRT2013)-Volume I, Springer, Berlin, Heidelberg, 2014, pp. 383–392.

Jiang

Wang

Liu

Reliability Assessment of ZPW-2000A Track Circuit Using Bayesian Network. Proc., 11th International Conference on Reliability, Maintainability and Safety (ICRMS), Hangzhou, China, IEEE, New York, 2016, pp. 1–4.

10.

Wang

Chen

Yang

Fault Diagnosis of Train Network Control Management System Based on Dynamic Fault Tree and Bayesian Network. IEEE Access, Vol. 9, 2020, pp. 2618–2632.

11.

Liu

Kalbarczyk

Smart Maintenance via Dynamic Fault Tree Analysis: A Case Study on Singapore MRT System. Presented at 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Denver, CO, 2017.

12.

Lucic

Holistic Safety Performance Forecasting for Train Detection System. Presented at IEEE International Conference on Systems, Man and Cybernetics, Waikoloa, HI, 2005.

13.

Chandra

Vijaya Kumar

Reliability and Safety Analysis of Fault Tolerant and Fail Safe Node for Use in a Railway Signalling System. Reliability Engineering & System Safety, Vol. 57, No. 2, 1997, pp. 177–183.

14.

Moumin

M. A.

Addis Ababa Institute of Technology School of Electrical and Computer Engineering. Doctoral dissertation. Addis Ababa University, Ethiopia, 2017.

15.

Mulazzani

Reliability Versus Safety. IFAC Proceedings, Vol. 18, No. 12, 1985, pp. 141–146.

16.

Thurston

Kozol

Axle Counters vs. Track Circuits—Safety in Track Vacancy Detection and Broken Rail Detection. Presented at American Railway and Maintenance-of-Way Association 2010 Annual Conference and Exposition, Orlando, FL, 2010.

17.

Nikolić

M. V.

Kosić

B. D.

Milanović

M. D.

Antonić

N. M.

Stojković

Ž. M.

Kokić

I. Z.

Railway Axle Counter Prototype. Presented at 22nd Telecommunications Forum Telfor, Belgrade, Serbia, 2014.

18.

Sasaki

Position Detection System Using GPS for Carbody Tilt Control. Quarterly Report of RTRI, Vol. 46, No. 2, 2005, pp. 73–77.

19.

Filip

Bazant

Mocek

Cach

GPS/GNSS Based Train Position Locator for Railway Signalling. WIT Transactions on The Built Environment, Vol. 50. WIT Press, Southampton, 2000.

20.

Yasutaka

A New Train Position Detection System Using GPS. Railway Technology Avalanche, Vol. 9, 2005, p. 53.

21.

Barkovskis

Salmins

Ozols

García

M. A. M.

Ayuso

F. P.

WSN Based on Accelerometer, GPS and RSSI Measurements for Train Integrity Monitoring. Proc., 4th International Conference on Control, Decision and Information Technologies (CoDIT), IEEE, New York, 2017, pp. 0662–0667.

22.

Liu

Cai

B. G.

Wang

Y. P.

Wang

Shangguan

A GPS/Compass Based Train Integrated Positioning Method for High-Speed Railways. Proc., IEEE-APS Topical Conference on Antennas and Propagation in Wireless Communications (APWC), IEEE, New York, 2012, pp. 1201–1204.

23.

Bai-Gen

Jian

Qin

Jiang

A GNSS Based Slide and Slip Detection Method for Train Positioning. Proc., Asia-Pacific Conference on Information Processing, IEEE, New York, 2009, pp. 450–453.

24.

Shin

K. H.

Joung

E. J.

Lee

J. H.

The Study on Scheme for Train Position Detection Based on GPS/DR. Proc., KSR Conference, The Korean Society for Railway, Daejeon, 2006, pp. 802–810.

25.

Stein

Spindler

Kuper

Lauer

Rail Detection Using Lidar Sensors. International Journal of Sustainable Development and Planning, Vol. 11, No. 1, 2016, pp. 65–78.

26.

Jiang

Zong

Cai

Rizos

Wang

Liu

Shangguan

A Seamless Train Positioning System Using a LiDAR-Aided Hybrid Integration Methodology. IEEE Transactions on Vehicular Technology, Vol. 70, No. 7, 2021, pp. 6371–6384.

27.

Cho

B. K.

RFID Antenna for Position Detection of Train. In Future Information Technology ( Park

Pan

Kim

C. S.

Yang

, eds.), Springer, Berlin, Heidelberg, 2014, pp. 903–908.

28.

Cho

B. K.

Hwang

H. C.

Kim

J. H.

Ryu

S. H.

RFID System Response Test for Position Detection of 420km/h High-Speed Train. Proc., International Conference on ICT Convergence (ICTC), IEEE, New York, 2013, pp. 972–973.

29.

Lee

S. K.

K. Y.

Yoo

G. G.

Suh

S. C.

Park

J. H.

Kim

G. C.

A Study on Train Position Detection and Reliability Assessment Using RFID. Proc., KSR Conference, The Korean Society for Railway, Changwon,2011, pp. 226–231.

30.

Wenxiang

L. I.

Huang

The Position Design of Rail Transit Train Based on RFID-Geomagnetic Combined Positioning. Proc., International Conference on Electronic Industry and Automation (EIA 2017), Atlantis Press, Xiamen, 2017, pp. 172–176.

31.

Zhu

Tsang

K. F.

C. K.

Chi

H. R.

An Automatic RFID Detection Based Railway Identification System. Proc., IEEE Symposium on Product Compliance Engineering (ISPCE), IEEE, New York, 2018, pp. 1–5.

32.

Cho

S. Y.

Chae

M. S.

Shin

K. H.

Reliability Analysis of the Integrated Navigation System Based on Real Trajectory and Calculation of Safety Margin Between Trains. IEEE Access, Vol. 9, 2021, pp. 32986–32996.

33.

Mazl

Preucil

Sensor Data Fusion for Inertial Navigation of Trains in GPS-Dark Areas. Proc., IEEE IV2003 Intelligent Vehicles Symposium (Cat. No. 03TH8683), IEEE, New York, 2003, pp. 345–350.

34.

Zheng

Hua

Jia

Zhao

Train Integrated Positioning Method Based on GPS/INS/RFID. Proc., 35th Chinese Control Conference (CCC), IEEE, New York, 2016, pp. 5858–5862.

35.

Jiang

Chen

Cai

Wang

ShangGuan

Rizos

A Multi-Sensor Positioning Method-Based Train Localization System for Low Density Line. IEEE Transactions on Vehicular Technology, Vol. 67, No. 17, 2018, pp. 10425–10437.

36.

Malvezzi

Vettori

Allotta

Pugi

Ridolfi

Cuppini

Salotti

Train Position and Speed Estimation by Integration of Odometers and IMUs. Proc., 9th World Congress on Railway Research, International Union of Railways (UIC), Lille, France, 2011, pp. 22–26.

37.

Taiwan Railways Administration (TRA). Field Trip About the Reliability and Related Techniques of Railway Signaling Systems in Japan. Publication C09704213. TRA, Taipei, 2009.

38.

Ebeling

C. E.

An Introduction to Reliability and Maintainability Engineering. McGraw-Hill Companies, Inc., New York, NY, 1997.