Using STAMP to analysis Chinese High Speed Railway Accident --7.23 Yong-wen Railway Accident

Using STAMP to analysis Chinese High Speed Railway Accident --7.23 Yong-wen Railway Accident Lecturer: Li Chenling, Ph.D. candidate State Key Lab. of Rail Traffic Control and Safety Beijing Jiaotong University, China

Outline Motivation Experience of 7.23 accident analysis using STAMP Chinese railway system Some ideas about using CAST in operational and physical level Show the dynamic 7.23 Yong-Wen railway Accident Analysis Analysis Conclusions 2

Outline Motivation Experience of 7.23 accident analysis using STAMP Chinese railway system Some ideas about using CAST in operational and physical level Show the dynamic 7.23 Yong-Wen railway Accident Analysis Analysis Conclusions 3

Chinese High-speed Railway Accident On 23 rd July 2011 at 20:30:05 Two CRH train in same direction collided together Cause 40 deaths, 172 injures, interruption of traffic for 32 hours and 35 minutes 4

Regulations and Operation Rules 轨 道 交 通 控 制 与 安 全 Risk Control Structure of Chinese Railway System Safety Protection architecture Safety of Highspeed train is the goal Human is the backup scheme of technical system Technical system failure Human select right instructions safe Warnings Natural envirnment (like storm, flood,etc) Infrastructure (Line,bridge,etc) Basic equipment (traction power supply) CTC Train Control System (Trackside subsystem) Train Control System (Onboard subsystem) Maintenance Signaling System Dispatcher Driver Station worker Accidents will happen when the gap between High-speed Train the two kinds of responsibilities appears. (Real-time status Monitor ) 5

Experience Application of CAST and STPA to railroad safety in China [Dong Airong, MIT, MSc thesis, 2012] The standard Did not process consider of the CAST change of control structure Every component related in the operational level A system theoretic analysis of the 7.23 Yong-taiwen railway accident [Suo Dajiang, STAMP workshop 2012] Analysis Did not from analyze operational the change level of Component s roles and Component s roles and responsibilities Using STAMP to learn from Chinese High speed railway accident [Tang Tao & Niu Ru, STAMP workshop 2013] Notice Did the not control give structure a method was to show changing the process in the occurrence clearly. of accident happened

CAST + Based on a Static structure Only using text to create scenarios text description System was dynamic in the occurrence of accident happened Control structure kept changing Control structure was also a kind of important context for accident investigation So, we should use a dynamic view to analyze an accident.

Outline Background & Motivation Experience of 7.23 accident analysis using STAMP Chinese railway system Some ideas about using CAST in operational and physical level Show the dynamic 7.23 Yong-Wen railway Accident Analysis Analysis Conclusions 8

Operational and Physical level S0 S1 S2 A System state from S0 to S1,then to S2, eventually to A (accident happened) E1 Control structure Control structure & roles & resp. Roles & Resp. Rules & Regul. Actual Action Violated Reqs.&Cons. & mental mode or process mode flaws

Using CAST Step1: Select Events and determine states and the controllers Step2: Determine Rules and Regulations related to Operational and Physical level Step3: Obtain the requirements and responsibilities violated and the mental mode or process mode flaws in each change Step4: Obtain each controller s flaws

Outline Background & Motivation Experience of 7.23 accident analysis using STAMP Chinese railway system Some ideas about using CAST in operational and physical level 7.23 Yong-Wen railway Accident Analysis Analysis Conclusions 11

VCC1 I/O VCC1 DT VCC1 I/O VCC1 DT VCC1 DT VCC1 I/O VCC1 DT 轨 道 交 通 控 制 与 安 全 Signaling System Used in the Accident Onboard ATP TIU Speed BTM Balise CTC Dispatching Center CTC Station LEU Track Circuit Switches Train Control Center Interlocking 13

Related Events

Operational and Physical Level CTC Dipatcher Station Operator Status Display TSR Setting Routing CTC TSR Routing Status Display CTC Station Workstation TSR Status Block Status Track Circuit occupancy Status Signal Status Airong Dong[2012] Propulsion Brake Cab Signal Train Speed Signal Control Train Operator Mode Selection TSR Route Status Track Circuit Coding Signal Status TCC TSR Status Block Status Track Circuit occupancy Status Signal Status TC Status Balise Messaging Block Signal Track Circuit Balise Signal Display Operation Mode Overspeed Alarm Speed Limits Occupancy Status Ahead Movement Authority Limit Onboard ATP System Balise Status TSR Line Param Station Interlocking Computer Station Interlocking System including Track Circuits Brake Brake Status Train Subsystem

Step1a: Determine the controllers 5 controllers Roles Responsibilities

Step1b: Select Events

Step1c: Determine states

Steps2:Related Rules and Regulations 1. Regulation of railway technical operation[2007] 2. Railway transportation dispatching rules[2008] 3. Measures for the administration of railway passenger dedicated line[2009] 4. High-speed railway dispatching rules[2009] 5. Shanghai railway traffic organization rules[2007] 6. Joint control of train for Driver and Station worker[2009]

Step3 S0:Normal state Monitor traffic conditions in the sections between railway stations (Train status & Line Status)[From CTC system] Monitor stations status (Route Status)[From CTC system] Issue dispatching command[to TCC and CI by CTC system ] Get emergency information[from Train driver & Station watcher by ] Dipatcher Operation plan Status Display Train Operator Station Watcher Superviser Monitor station status[from CTC TCC CI system] ] Propulsion Brake Monitor ATP & Train status[from DMI] Selection ATP operation mode [To ATP by MDI] Give out Propulsion & Brake[To Train by Trig] ] Cab Signal Operation Mode Overspeed Alarm Mode Selection Train Signal Display Brake Status Display status Operation plan TCC CTC Track the section status between two stations [From TC] Encode signal [To TC] and give the movement authority to the Train[by TC] Control the signal light [To signal light] Give alarm for emergency information [To Station Watcher] MA TC TC status data TC Onboard System (ATP) Status Display MA TC data Perform calculation of the control profile based on the data [From TC] and automatically control the train Stop the Train when it receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Overspeed Alarm [To Driver] Description of requirements & responsibilities: Monitor stations status (Route Status)[From CTC system]

Step3 Control structure change Operation Dipatcher CTC Station Watcher TCC ASC(Regulation Req.) TC Operation Dipatcher Train Driver Onboard System (ATP) Train Station Watcher TCC Normal TC Train Driver Onboard System (ATP) Train

Step3 Roles and responsibilities change Monitor traffic conditions in the sections between railway stations (Train status & Line Status)[From CTC system] Monitor stations status (Route Status)[From CTC system] Issue dispatching command[to TCC and CI by CTC system ] Get emergency information[from Train driver & Station watcher by ] Dipatcher Operation plan Status Display Train Operator Station Watcher Superviser Monitor station status[from CTC TCC CI system] ] Propulsion Brake Monitor ATP & Train status[from DMI] Selection ATP operation mode [To ATP by MDI] Give out Propulsion & Brake[To Train by Trig] ] Cab Signal Operation Mode Overspeed Alarm Mode Selection Train Signal Display Brake Status Display status TSR CTC TCC Track the section status between two stations [From TC] Encode signal [To TC] and give the movement authority to the Train[by TC] Control the signal light [To signal light] Give alarm for emergency information [To Station Watcher] Get TSR information [From CTC] MA TC data TC status TC Onboard System (ATP) Status Display MA TC data Perform calculation of the control profile based on the data [From TC] and automatically control the train Stop the Train when it receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Overspeed Alarm [To Driver]

Step3 s actions after change s actual actions Dispatcher gives orders to D3115 train Driver

Step3 S1: Actual ASC Dispatcher gives orders to D3115 train Driver [DA1] Monitor traffic conditions in the sections between railway stations (Train status & Line Status)[From Station Watcher] Monitor stations status (Route Status)[From Station Watcher] Issue dispatching command[to Station Watcher] Get emergency information[from Train driver & Station watcher by ] Train Driver Station Watcher Propulsion Brake Cab Signal Operation Mode Overspeed Alarm Mode Selection Dipatcher Monitor station status[from TCC CI system] Monitor Train status[from Train driver by ] ] Safety Responsibilities & Constraints (Requirements) : Issue dispatching order to Train driver in time Mental mode flaws : Station watcher should send the line information to train driver in the ASC mode Monitor ATP & Train status[from DMI] Selection ATP operation mode [To ATP by MDI] Give out Propulsion & Brake[To Train by Trig] ] Get Section information and Route information [To Dispatcher by ] and to keep train safe Signal Display Brake Safety Responsibilities & Constraints (Requirements) : Issue dispatching order to Station watcher only Mental mode flaws : Station watcher should send the line information to train driver in the ASC mode Status Display TSR status TCC Track the section status between two stations [From TC] Encode signal [To TC] and give the movement authority to the Train[by TC] Control the signal light [To signal light] Give alarm for emergency information [To Station Watcher] Get TSR information [From Station Watcher] MA TC data TC status TC Onboard System (ATP) MA TC data Perform calculation of the control profile based on the data [From TC] and automatically control the train Stop the Train when it receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Overspeed Alarm [To Driver] Train

Step4: Obtain each controller s description with flaws Dipatcher Monitor traffic conditions in the sections between railway stations (Train status & Line Status)[From Station Watcher] Monitor stations status (Route Status)[From Station Watcher] Issue dispatching command[to Station Watcher & Train Driver] Dipatcher Get emergency information[from Train driver & Station watcher by ] Monitor traffic conditions in the sections between railway stations (Line Status)[From Yongjia Station Watcher & Wenzhounan Station Watcher] Monitor stations status (Route Status)[From Station Watcher] Dipatcher Issue dispatching command[to Station Watcher & D301 Train Driver] Get emergency information[from D301 Train Station Watcher driver & Yongjia Station watcher by ] Must not dispatch trains in a way that could Monitor lead to traffic a train conditions to train collision in the sections between railway stations (Line Status)[From Yongjia Station Watcher & Wenzhounan Station Watcher] Dipatcher Monitor station status[from TCC CI system] Monitor stations status (Route Status)[From Station Watcher] Status Display TCC Safety Responsibilities & Constraints (Requirements) : Monitor Train status[from Train driver by ] Issue dispatching command[to Station Watcher & D301 Train Driver] Report emergency information [To Dispatcher Get by emergency information[from D301 Train driver Safety & Yongjia Responsibilities (Requirements) : Issue dispatching order to Station watcher only Station watcher by ] ] Safety Responsibilities Monitor traffic Station (Requirements) conditions Watcher in the : sections between Adjoin Station Watcher Must not dispatch trains in a way that could lead to a Track the railway train to train section stations collision status between (Train status two & stations Line Status)[From TC] Station Watcher] Mental mode flaws : Monitor stations status (Route Status)[From Station Watcher] Station watcher should send the line information to train driver in ] Encode signal [To TC] and give the movement authority to TSR Issue Safety dispatching Responsibilities command[to (Requirements) Station Watcher] : the ASC mode Send Section information and Route information the Train[by TC] Monitor station status[from TCC CI system] Get emergency Monitor station information[from status[from TCC Train CI system] driver & Station watcher [To Driver by ] Control the signal light [To signal light] Status Display TCC Monitor Train status[from Train driver by ] by ] Report emergency information [To Dispatcher Give alarm for ] emergency information [To Station Watcher] by Adjoin Station Watcher Station Watcher Signal Display Get TSR information Report emergency [From Station information Watcher] [To Dispatcher by ] Track the section status between two stations [From TC] ] MA TC data Station Safety TC status Responsibilities Watcher Encode signal [To TC] and give the movement authority to Train Operator (Requirements) : ] TSR Monitor station status[from TCC CI system] Monitor station status[from TCC CI system] the Train[by TC] Send Section information and Route information Status Display TCC Safety Responsibilities TC Report emergency (Requirements) information : Monitor Train status[from Train driver by ] [To Dispatcher by Control the signal light [To signal light] [To Driver by ] Monitor station ] status[from TCC CI system] Give alarm for emergency information Safety Responsibilities [To Station (Requirements) Watcher] : Monitor Train MA TC data Report status[from emergency Train information driver by [To ] Dispatcher by ] Signal Display Get TSR information [From Station Track the Watcher] section status between two stations [From TC] Report emergency ] information [To Dispatcher by Monitor ATP & Train status[from DMI] Operation Mode MA TC data Encode signal [To TC TC] status and give the movement authority to ] Onboard Train System Driver ] (ATP) Status Display TSR TCC the Train[by TC] Selection ATP operation mode [To ATP by MDI] Overspeed Alarm Send Section information and Route information Safety Responsibilities & Constraints TC Control the signal light [To signal light] Give out Propulsion & Brake[To Train by Trig] [To Driver by ] (Requirements) : Give alarm for emergency information [To Station Watcher] Report emergency information [To Dispatcher Train Driver by Safety Responsibilities Safety (Requirements) Responsibilities :(Requirements) : Issue dispatching order to Train driver in time Track Signal Display Get MA TC TSR the information section datastatus [From between Station Watcher] two stations [From TC] Encode signal [To TC] and give the movement authority to ] Monitor ATP & Train status[from DMI] Mental mode Operation flaws Mode : TSR MA TC data TC status Mode Perform calculation of the control profile based on the data [From TC] and automatically Onboard System (ATP) Get Section information and Route Station Train watcher Driver should send the line information the Train[by TC] information Selection ATP operation mode [To ATP by MDI] Overspeed Alarm Selection control the train to train driver in the ASC mode Control the signal light [To signal light] [To Dispatcher by ] Safety and to Responsibilities keep train safe (Requirements) : Give out Propulsion & Brake[To Train by Trig] Signal Display Give alarm for emergency TC information [To Station Watcher] Monitor ATP & Train status[from DMI] Stop the Train when it receives abnormal or no signal [From TC] Get TSR information [From Station Watcher] Train Driver MA TC data Selection ATP operation mode [To ATP by MDI] Show Train operation status[to Driver by DMI] MA TC data TC status Train Monitor Driver ATP & Train Mode status[from DMI] Perform calculation Operation Mode of the control profile based on the data [From TC] and automatically Propulsion Give out Propulsion & Brake[To Train by Trig] Overspeed Alarm [To Driver] Selection ATP operation Selection mode [To ATP by control MDI] the Overspeed train Onboard System (ATP) Alarm TC Brake Cab Signal Give out Propulsion & Brake[To Train by Stop Trig] the Train when it receives abnormal or no signal [From TC] ] Monitor ATP Brake & Train status[from statusdmi] Get Section information and Route information Show Train operation status[to Safety Driver Responsibilities by DMI] MA TC data (Requirements) : Selection ATP operation mode [To ATP by MDI] Monitor ATP & Train status[from DMI] Operation [To Dispatcher by ] and to keep train safe Propulsion Overspeed Mode Mode Alarm [To Driver] Perform calculation Onboard of the control System profile based on (ATP) the data [From TC] and automatically Give out Propulsion & Brake[To Train by Trig] Selection ATP operation mode [To ATP by MDI] Overspeed Alarm Train Brake Cab Signal Brake Selection control the train Give out Propulsion & Brake[To Train by Trig] status Stop the Train when it receives abnormal or no signal [From TC] ] Safety Responsibilities Get Section information and Route information ] Show Train operation (Requirements) status[to Driver : by DMI] [To Dispatcher by ] and to keep train safe Train Propulsion Mode Perform Overspeed calculation Alarm of [To the Driver] control profile based on the data [From TC] and automatically Get Section information and Route information Brake Selection control the train [To Dispatcher by ] and to keep train safe Cab Signal Stop the Brake Train when statusit receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Propulsion Train Overspeed Alarm [To Driver] Brake Cab Signal Brake status Train

New Flaws Dispatcher gives an order to D301 train driver order under ASC mode [Control dysfunction] The failure of joint control mechanism between Wenzhounan Station watcher and D301 train driver [Control dysfunction] Dispatcher order in ASC mode & the incompletion Rules& Regulations. [Limit the flexibility of the driver, Increase the risk] Inadequate description of the conditions of mode transition in SRS of CTCS-2.[Limit the flexibility of the driver, Increase the risk]

First flaw S1: Actual ASC Dispatcher gives orders to D3115 train Driver [DA1] Monitor traffic conditions in the sections between railway stations (Train status & Line Status)[From Station Watcher] Monitor stations status (Route Status)[From Station Watcher] Issue dispatching command[to Station Watcher] Get emergency information[from Train driver & Station watcher by ] Train Driver Station Watcher Propulsion Brake Cab Signal Operation Mode Overspeed Alarm Mode Selection Dipatcher Monitor station status[from TCC CI system] Monitor Train status[from Train driver by ] ] Safety Responsibilities & Constraints (Requirements) : Issue dispatching order to Train driver in time Mental mode flaws : Station watcher should send the line information to train driver in the ASC mode Monitor ATP & Train status[from DMI] Selection ATP operation mode [To ATP by MDI] Give out Propulsion & Brake[To Train by Trig] ] Get Section information and Route information [To Dispatcher by ] and to keep train safe Signal Display Brake Safety Responsibilities & Constraints (Requirements) : Issue dispatching order to Station watcher only Mental mode flaws : Station watcher should send the line information to train driver in the ASC mode Status Display TSR status TCC Track the section status between two stations [From TC] Encode signal [To TC] and give the movement authority to the Train[by TC] Control the signal light [To signal light] Give alarm for emergency information [To Station Watcher] Get TSR information [From Station Watcher] MA TC data TC status TC Onboard System (ATP) MA TC data Perform calculation of the control profile based on the data [From TC] and automatically control the train Stop the Train when it receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Overspeed Alarm [To Driver] Train

First flaw Created Problems Dispatcher gives orders to D3115 train Driver [DA1] Station Watcher Monitor station status[from TCC CI system] Status Display TCC Line Monitor Train status[from failure Train driver by ] Dispatcher ] should send Track the section status between two stations [From TC] Encode signal [To TC] and give the movement authority to ] TSR the Train[by TC] Info. Send Section information and Route information Control the signal light [To signal light] [To Driver by ] Signal Display Give alarm for emergency information [To Station Watcher] Get TSR information [From Station Watcher] MA TC data TC status Train Driver Monitor ATP & Train status[from DMI] Selection ATP operation mode [To ATP by MDI] Give out Propulsion & Brake[To Train by Trig] ] Operation Mode Overspeed Alarm Get Section information and Route information Mode [To Dispatcher by ] and to keep train safe Selection Propulsion Brake Cab Signal Brake status NO one sent this information Train Dipatcher Safety Responsibilities & Constraints (Requirements) : Issue dispatching order to Station watcher only Monitor traffic conditions in the sections between railway stations (Train status & Line Station Status)[From Watcher] watcher should send Monitor stations status (Route Status)[From Station Watcher] Issue dispatching command[to Station Watcher] Get emergency information[from Train driver & Station watcher by ] TC Onboard System (ATP) MA TC data Perform calculation of the control profile based on the data [From TC] and automatically control the train Stop the Train when it receives abnormal or no signal [From TC] Show Train operation status[to Driver by DMI] Overspeed Alarm [To Driver]

Conclusion A dynamic analysis method based on CAST is created The CAST can be combined with dynamic analysis process This analysis accurately finds more interaction factor contributed to the accident.

Q&A! State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University, Beijing, China

Thank you! State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University, Beijing, China