**Application of Cognitive Systems Engineering Approach to Railway Systems (System for Investigation of Railway Interfaces)**

Sanjeev Kumar Appicharla


http://dx.doi.org/10.5772/61527

#### **Abstract**

This chapter presents the results of a cognitive systems engineering approach applied to railway systems. This application is through the methodology of 'System for Investigation of Railway Interfaces – SIRI'. The utility of the chapter lies in highlighting errors in the current approaches to safety risk management.

**Keywords:** Cognitive systems engineering, Systems safety engineering, Human factors engineering, Risk and Decision Making

## **1. Introduction**

This chapter presents the results of a cognitive systems engineering approach to safety, 'System for Investigation of Railway Interfaces – SIRI'. The objectives of the application are to show:


© 2015 The Author(s). Licensee InTech. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The above failings are demonstrated by means of a case study of the Cambrian European Railway Train Management System – ERTMS – level crossing incident investigated by the UK's Rail Accident Investigation Board (RAIB) in Jan 2012.

RAIB noted that a deviation to a safety critical requirement to interlock the function of the barriers with the function of train protection (braking system) was granted by the Signalling Standards Committee to the duty-holder organisation, Network Rail, without asking for a human factors analysis or risk assessment to support the deviation request. This incident occurred at an automatic barrier locally monitored type level crossing (ABCL). This chapter provides the causal factors behind the decision to grant a deviation to safety critical requirements.

This chapter draws upon the author's papers, peer reviewed and published in the proceedings of the IET International System Safety Conferences since 2006, and publicly available literature [2, 3, 4, 7, 9, 11, 12].

The rest of the chapter is organised in this way: Section 1 provides the abstract of the chapter; Section 2 shows why wrong-but-popular approaches to safety risk management persist in the railway domain; Section 3 presents a case study using the SIRI methodology to help understand its application; Section 4 provides conclusions on the subject matter of the chapter. Section 5 provides acknowledgements. Section 6 provides the references.

## **2. Explanation for persistence of wrong-but-popular approaches to safety risk management: Doing the wrong thing right**

OM. What instructions did the Blessed Lord give: Be compassionate. Be controlled. Be charitable.

Sri Adi Śhankarāchārya, 8th Century AD, Brihadaranyaka Upanishad

Translated by Prof V. Roebuck [79]

Everything is fine today that is our illusion.

Voltaire, quoted by Douglass W. Hubbard [29]

We have inherited the neural mechanisms that evolved to provide ongoing assessment of threat level, and they have not been turned off. Situations are constantly evaluated as good or bad, requiring escaping or permitting approach. Good mood and cognitive ease are the human equivalents of assessments of safety and familiarity.

Nobel laureate and psychologist, Prof Daniel Kahneman (pp. 90) [36]

OM is the sacred symbol to denote Brahman in the Hindu religious literature. More information can be gained about the nature and meaning of the symbol from reading Prof Roebuck's writings [79]. Prof Charles Perrow, originator of Normal Accident Theory, recounted the abnormal blessings he had received from his co-researchers in his preface to the second edition of his book. The author speculates that Prof Charles Perrow did not know the source of the abnormal blessings for the success of Normal Accident Theory, as he may have thought he had not prayed for its success [49, 79]. In his survey of risk assessment theories and practices, Charles Perrow did recognise the work of cognitive systems engineering experts and various kinds of rationalities, but opined that these viewpoints did not recognise the role of power in and of organisations (pp. 379) [79]. Interpreting the reality of accident causal factors and representing them by means of a fault-free fault tree analytical representation to show errors in the systems engineering steps, in the professional opinion of the author, helps mitigate the problem of discounting the power of subject matter experts and risk assessors in generating biased risk information in producer and client, systems engineering, and regulatory organisations (pp. 65) [52].


82 Railway Research - Selected Topics on Development, Safety and Technology


From the vast literature on risk, from the perspective of risk rationality in human affairs, it is easy to think of four types of rationality: omniscient rationality, which is enjoyed by political economists like Nobel laureate Gary S. Becker; "bounded" or limited rationality, advanced by organisational decision scientists and some risk assessors like Nobel laureate Herbert A. Simon; irrationality, as advocated by behavioural economists like Nobel laureate Daniel Kahneman; and the reluctant rationality of participants who make choices and display regret after the fact, and who may regard false negative alarms (near miss incidents) as reliability events [36, 62]. A typical example is the NASA managerial judgements on the Challenger launch decision.

Neuroscientists have identified the human brain regions associated with the emotional and cognitive sides of information processing activity when an individual processes a risky stimulus [36, 50]. Studies cited by Nobel laureate Daniel Kahneman, Peter N.C. Mohr, and his co-workers draw attention to the fact that decision makers, when engaged in the tasks of revealing preferences or answering queries on uncertain situations, such as questions on lotteries, risk assessment, and risk management, do consult their emotions, and these decisions can be called decisions under risk. These research papers assert that decision theorists, such as psychologists, philosophers, statisticians, and economists, approach decision making in a mathematical manner and are not prone to the emotions and framing effects felt by non-decision scientists. Prof David Hand, an expert statistician, acknowledges that the idea of risk as a rare event with odds of 1 in 400 or more, with a consequence probability of 0.249%, is possible [26]. In other words, the thesis advanced by Prof David Hand is that the definition of rare events, and the estimation of the odds of their occurrence by expert statisticians, may be prone to error. Prof David Hand draws evidence for this thesis from the case study of Sudden Infant Death Syndrome: Sir Roy Meadow's expert evidence led to the erroneous legal prosecution of Sally Clark. He also cites the rare event of a train and vehicle collision on the Great Britain railway track being experienced by members of the same family in the UK within a span of 15 years [26]. The mean expected rate for such random events to occur as per Poisson's distribution is 0.741%. It is tempting to arrive at the conclusion that the operational reliability of the railway is very high, i.e. 99.25%, based upon the foregoing metric. Most pre-university students learn about statistical distributions in their final year of secondary school. Students of risk management can easily be led into error if they are not careful in their thinking when making risk judgements that involve causal inferences (pp. 166–67) [36].

The litmus test for any student of decision making and risk management is the case of the NASA Space Shuttle Accident in 1986. This case study alone poses a challenge to statistical and rational decision theory, learning from past failure incidents, theories of control, system safety, and risk management [5, 36, 49]. The signal of the less-than-adequate design of the shuttle vehicle flown by NASA and supported by its supplier, Morton Thiokol, up to the pre-launch decision was obscured or buried under the noise generated by the hindsight observations of the NASA managers' pre-launch decision [5]. To its credit, NASA Langley Research News hosts on its website the book written by former Morton Thiokol engineering director Allan McDonald, who had a change of heart without any apparent reason on the pre-launch decision day and went along with engineer Roger Boisjoly, who was opposed to the launch decision [5], [55]. Risk management expert Douglass Hubbard is of the view that Bayesian risk analysis may have helped in the NASA Challenger decision situation, where the failure data was scanty [29]. Bayesian risk analysis can certainly help if prior information on categorical variables is available in the odds form and the likelihood ratios of positive and negative rates are known as well. But we have to bear in mind Prof James Reason's thesis that most of us are not intuitive Bayesians [55]. Johann Wolfgang von Goethe once observed that it is much easier to recognize error than to find truth; the former lies on the surface, this is quite manageable; the latter resides in depth, and this quest is not everyone's business. No accident researcher has the luxury of verifying the correspondence between ideas of managerial oversight and risk-seeking behaviour, apart from relying upon lessons learnt from the behavioural science risk literature (pp. 228) [53, 54].

The thesis advanced in the research papers in the area of cognitive psychology is that people who resist intuitive responses to the following bat–ball question do not need to reflect on the question again. The bat–ball puzzle is as under. This question is to be answered in an intuitive manner without solving it on paper.

A bat and ball cost £1.10.

The bat costs one dollar more than the ball.

How much does the ball cost?

The intuitive answer is 10 cents. Many thousands of university students have answered the bat–ball question. More than half of the undergraduate students at Harvard, MIT, and Princeton gave the intuitive, incorrect answer.

The failure rate at other American universities is even higher at 80% (pp. 44–45) [36]. The correct answer is 5 cents. The suggestion made by these researchers is that perhaps a distinction between intelligence and rationality is needed (pp. 49) [36].

The author observes that intuitive errors in decisions made by these undergraduate students cannot be explained by saying that these students are not skilled mathematicians. The author speculates that the psychological mechanisms involved in the perceptual and cognitive decision process of the experimental subjects are as follows: mentally formulating the equations to represent the prices involved, then subtracting the equations to isolate the single unknown, and arriving at its value by halving it. The difference between those who get the right and the wrong answers is simply this: failure to divide in the final equation. Cognitive psychologists attribute these errors to the overconfidence of subjects who answer the question as 10 cents. From the perspective of the science of cybernetics, the purpose of the bat–ball question is to trigger thinking activity on decisions on safety-related control systems where the safe state of the system cannot be perceived by sight and failures in the risk management and safety assurance process are likely [12, 28, 44, 57].


When the author compares and evaluates the foregoing behavioural science research findings against the research findings published within the system safety research domain, another type of decision-making culture emerges. The complexity of socio-technical systems became the focus of attention of system safety researchers during the 1980s. Prof Charles Perrow (1984) argued that the complexity of organisations and the tight coupling of systems render it difficult to foresee how rare accidents can occur. The problem of complexity poses a serious challenge to formal system safety management processes. Evidence is available to show that the counter-thesis of Normal Accident Theory, namely High Reliability Organisations, is negated by John Bushby's case study of two British railway accidents [16]. James Reason (1990), whilst advancing a general view of accident causation in complex systems in the form of the Swiss Cheese Model, observed that system (normal) accidents have their origin in latent failures (fallible decisions) in supervisory control systems made at the corporate management, designer, and line management levels. He noted that identifying latent errors is a challenge faced by human factors researchers concerned with preserving the safety of complex, high-risk systems (pp. 199–216) [55]. Further, the author accepts Prof James Reason's idea that latent error is intimately bound up with the character of technology, and accepts that tackling latent errors by identifying resident pathogens is the most effective way to improve the safety of complex systems (pp. 174) [55]. Prof Jens Rasmussen (1994) and his co-workers raised the question: are managers willing to spend the effort required for effective risk management? They argued that senior managers like chief executive officers (CEOs) may not possess the competence to deal with the discipline of system safety management, as they are usually drawn from a finance or legal background (pp. 159) [52].
System safety practitioners are to be found at lower levels in the organisation in situations where the mean time between fatal accidents is large and the tenure of CEOs is short. In other words, CEOs do not get feedback on their performance in the field of system safety risk management. Further, they argued that Prof James Reason's approach will encounter problems if a large number of 'less than adequate' conditions or decisions are identified from past accidents using the causal trees included in the Management Oversight and Risk Tree by William Johnson. However, the author shows in the case study later on how the problem of representing various less-than-adequate latent failures, taking into account the less-than-adequate decisions, can be handled by way of fault tree representation. This will show where interventions may be necessary.

It is common to observe three strategies to manage risks of fatal accidents [2, 52]. The strategy of empirical safety control used in the traffic and work domain is based upon 'safety on the average' for high-frequency and low-consequence traffic accidents. The problem with the strategy is that these measures may be degraded if the organisation is under economic pressure. The author finds that Network Rail's approach of changing the specification of a signalling cable without checking for unsafe conditions that may be generated during operations, as was done in 2011, is one example from the railway domain of this tendency to buckle under economic pressure. The risk management strategy of making design improvements after learning lessons from the investigation of medium-size, infrequent accidents is practised within the railway and aircraft domains. The third risk management strategy is the control of hazards based upon the use of multiple barriers or defences, as in the nuclear domain, based upon predictive risk analysis (pp. 35–159) [52].

Prof Trevor Kletz argued in 2003 that organisations suffer from lack of memory [38]. A UK Health & Safety Executive (HSE) publication, HSG 238, argued that safety-related control systems are bound to fail if the errors in the specification, design, testing, and commissioning phases (lifecycle factors) of control systems are not checked and corrected [72, 73, 74, 75]. Prof Nancy Leveson presented a new control systems engineering method for accident analysis, named STAMP, which included representations of legal and sociotechnical systems as well [40]. Knut Rygh, Chief System Safety Engineer, Accident Investigation Board, Norway, stated in a 2005 publication that it is an established fact that a systematic safety assessment is an accident investigation before the accident occurs (pp. 90–108) [63]. It follows from the foregoing research facts that the occurrence of an incident or an accident implies that the system safety case, which documents the results of potential accidents, has either failed to investigate the potential hazard in a thorough manner, or the system case documentation ignored the hazard that could occur in operations, or lessons learnt from past accidents were forgotten, or an unknown, dangerous, unforeseen mode of operation has occurred, or the incident reporting system has failed, or failures in the risk management process were ignored, or the independent safety analyst organisation has used the safety target of Mean Time to Unsafe Failure for the safety case without using HAZOP + Fault Tree Analysis in the safety analysis of complex systems [29, 33, 34]. Prof Derek Hitchins (2007) stated that systems engineering cannot be carried out by the method discovered by René Descartes, that is, dividing the problem space into its parts in order to analyse the parts, and that a holistic method is necessary as a frame of reference [28]. Following the financial crisis in 2007/2008, the idea of the Black Swan event was popularised by Prof Nicholas Taleb [36]. Prof John Adams (2009) argued that the economics of safety is a debate that is not settled, as moral attitudes towards risk management are not stable; they depend upon the individual or social cultural perspective involved in the debate [1]. Nobel laureate Daniel Kahneman (2011) argued that senior executives lack a robust decision-making process and are prone to committing the same errors as others [36]. Further, he noted, drawing upon the evidence of a 2005 Oxford study, that most railway, household kitchen, and weapons system projects fail to attain their objectives due to the planning fallacy.

Prof David Hand (2015) argued, using the evidence of the 2008 financial crisis, that the risk inherent in finance operations is better handled by the Cauchy distribution, as the decision-making framework of Gaussian means and variances leads to under-estimation of fat-tail risk events. During the financial crisis in 2008, it was revealed that Goldman Sachs's Chief Financial Officer (CFO) reported 25 standard deviation events occurring in a row in their operations [26]. Readers may wish to look up the probability of a 25 sigma event on the freely available online website, Wolfram Computational Engine. This works out to be 6.113 × 10^-138, or the chance of obtaining a head in all tosses of 456 fair coins. These rare events have occurred several times during the course of the past two decades. This failure in understanding risk is labelled in the safety risk literature as latent error. If latent errors are not cognised, then there is no way to address them. Therefore, a switch to Bayesian risk management is required. However, Prof David Hand's work illustrates how abuse of statistics can occur [26].
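The 25 sigma figure and the Gaussian versus Cauchy argument above can be checked numerically; the following is an added example, not code from the chapter or its sources. It assumes a two-sided tail and independent days, and, because a Cauchy distribution has no standard deviation, it compares tails at 25 scale units of a standard Cauchy (scale 1); all function names are illustrative.

```python
import math

LOG10_2 = math.log10(2.0)


def gaussian_log10_tail(k):
    """log10 of P(|Z| > k) for a standard normal Z (k in standard deviations)."""
    if k <= 0:
        raise ValueError("k must be positive")
    p = math.erfc(k / math.sqrt(2.0))
    if p > 0.0:
        return math.log10(p)
    # erfc underflows to 0.0 for k above roughly 38, so fall back to the
    # asymptotic expansion 2*phi(k)/k * (1 - 1/k^2 + 3/k^4), kept in log space.
    series = 1.0 - 1.0 / k**2 + 3.0 / k**4
    return (LOG10_2 - 0.5 * math.log10(2.0 * math.pi) - math.log10(k)
            - (k * k / 2.0) / math.log(10.0) + math.log10(series))


def cauchy_log10_tail(k):
    """log10 of P(|X| > k) for a standard Cauchy X (k in scale units).

    Uses 1 - (2/pi)*atan(k) == (2/pi)*atan(1/k), which stays accurate
    for large k instead of subtracting two nearly equal numbers.
    """
    if k <= 0:
        raise ValueError("k must be positive")
    return math.log10(2.0 * math.atan(1.0 / k) / math.pi)


def coin_equivalent(log10_p):
    """Number of fair coins that must all land heads to be about as unlikely."""
    return round(-log10_p / LOG10_2)


def run_log10(log10_p, days):
    """log10 probability of the event on `days` consecutive independent days.

    Staying in log space matters: (6e-138)**3 underflows a float to 0.0.
    """
    return days * log10_p


def compare(k_values=(3, 5, 10, 25)):
    """Tail probabilities under both models, as log10 values, for each k."""
    rows = []
    for k in k_values:
        g = gaussian_log10_tail(k)
        c = cauchy_log10_tail(k)
        rows.append({
            "k": k,
            "gauss_log10": g,
            "cauchy_log10": c,
            "coins": coin_equivalent(g),
            # orders of magnitude by which the Gaussian model
            # understates the tail relative to the Cauchy model
            "gap_orders": c - g,
        })
    return rows


if __name__ == "__main__":
    print(f"{'k':>3} {'log10 P gauss':>14} {'log10 P cauchy':>15} "
          f"{'coins':>6} {'gap':>8}")
    for r in compare():
        print(f"{r['k']:>3} {r['gauss_log10']:>14.3f} "
              f"{r['cauchy_log10']:>15.3f} {r['coins']:>6} "
              f"{r['gap_orders']:>8.1f}")
    three_days = run_log10(gaussian_log10_tail(25), 3)
    print(f"25 sigma on 3 consecutive days (Gaussian): 10^{three_days:.1f}")
```

At k = 25 the Gaussian tail comes out near 6.1 × 10^-138 (about 456 coin tosses), while the Cauchy tail at the same distance is about 2.5%, a gap of more than 135 orders of magnitude.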

The following are the definitions for latent and active errors.


Definition: Active errors are human errors whose effects are felt almost immediately. For example, a road user may enter a level crossing space when it is not safe to do so due to a wrong-side failure of the level crossing, as in the case of the Herefordshire level crossing accident in 2011 [2, 11].

Definition: Latent errors are human errors whose adverse consequences may lie dormant within the system for a long time, only becoming evident when they combine with other factors to breach system (production) defences. For example, the wrong-side failure event of the level crossing caused by the signaller who raised the barrier needed a conjunction of the lack of approach locking and a road user entering the crossing space simultaneously to manifest as the Herefordshire level crossing accident in 2011 [2, 11]. The independent accident investigating organisation, RAIB, reasoned, by way of counter-factual reasoning, that if the level crossing had been fitted with an approach locking facility, then the signaller would have been prevented from raising the road barriers after they had been lowered. The causal statement was accepted by all organisations involved in the situation according to the intuitive frame of reference, in the language of Prof Jens Rasmussen. Rather than questioning the scenario as to why the train did not stop at the level crossing signal fitted with the Train Protection Warning System (TPWS) when the stop signal was replaced, RAIB remained satisfied with the answer they found [2]. Based upon the behavioural research discussed earlier, a lack of cognitive reflection is implied, and the author concludes that this is a sign of irrationality. In human error terms, this act of omission can be called a violation by the element and the duty holder as well.

Now, let us look at the other reasons for failures to recognise latent errors. First, there is a lack of familiarity with the cognitive systems engineering approach advocated by Prof Jens Rasmussen and his co-authors among the railway domain's signalling and telegraph, human factors, safety, and risk experts [52, 54]. A consequence of the lack of familiarity is the exclusion of certain stakeholder organisations' contribution to risk. Prof Jens Rasmussen's approach demands that cognitive system analysis shall include all stakeholder organisations, and that their contribution (positive or negative) towards system safety performance must be represented. These contributions are captured by way of a graphical representation in the form of an Accimap [32, 52, 54]. Evidence for the lack of familiarity with the contribution of human errors in the management field can be seen in the case of the popular quantitative risk assessments made up of fault and event tree models. These representations are used by industrial practitioners for identifying accident precursors to safety risk, but do not include latent errors [24, 56]. The latent errors are errors committed in the areas of risk policy and domain-specific safety standards, which are industry consensus standards. These representations also ignore errors in system design, risk assessments, independent safety assessments and reviews, and risk management that lead to sub-optimal diagnosis of potential or actual hazards. As a result, risk assessors and managers pay less attention to less-than-adequate barriers for controlling hazards, as can be seen from the documentation on hazard analysis, modelling, risk analysis, and management of individual and societal risk concerns [17, 24, 60, 61, 72, 74, 75, 77]. Recommendations from the UK HSE Guidance on safety-relevant control systems are not followed in these documents [73, 74].
When accidents do occur, front-line staff or members of the public get blamed for the less-than-adequate designs with which these actors have to grapple, as can be seen in the assertion made in the publication by a team of railway signalling and train driving managers; this blame culture was investigated as well [25, 80].

All psychologists hold the thesis that the human mind cannot estimate the probabilities or likelihood of rare events which lie between the interval of zero to one percentile and ninety-nine percentile of the distribution of probabilities, and that errors in judgements arise due to a basic inability in human thinking (pp. 315) [36]. That misconceptions of chance and lack of recognition of co-variation do occur in the railway industry is asserted by the author following Prof James Reason's work. For example, that collision of a train with a vehicle on the track was regarded as a once-in-a-million kind of chance event by a member of the public is cited by Prof David Hand [26]. The author found that the probability of the Hixon level crossing accident was reckoned by S. Hall, a British Rail signalling expert (1991), to be a one-in-a-million kind of chance event [2, 11]. However, the RSSB (formerly Rail Safety and Standards Board) Report tells a different story of a high likelihood of more than ten collision events per year [59]. If readers think that progress may have been made since the 1990s, then they will be disappointed to read that errors in risk modelling by the Network Rail/RSSB All Level Crossings Risk Model were reported in the UK House of Commons Report in 2014 [71]. Combining two pieces of information, such as RSSB's statistical data with the causes identified in the RAIB accident reports, poses a problem of inferring causes of level crossing accidents. This problem is logically equivalent to the problem of applying Bayes rule to the taxi-cab problem cited in the risk literature (pp. 166–167) [36].

The second explanation is that the majority of railway domain experts, i.e. engineers and managers, are not aware of errors in their statistical, economical, logical, ontological, and cosmological reasonings of railway accidents [26, 32, 36, 42, 50, 55, 67].

For example, if reliability, availability, maintainability, and safety properties of systems and human actors forming part of a given social-technical system are considered in a unified manner, then it is clear they are not to be treated as independent parameters, as is assumed in classical economic theories; this is demonstrated by sociologist Prof Charles Perrow and system safety theorist Prof Nancy Leveson as well [40, 49]. Prof Charles Perrow argued that errors in sub-systems in the system lifecycle factors may interact in unforeseen ways; and as a result of these unwanted interactions, risk of an accident cannot be foreseen and pre-determined. Therefore, some high-risk technologies like nuclear plants that are prone to accidents should be avoided. Rare events like nuclear power accidents require more time to manifest, notwithstanding the claims of risk assessors and managers to the contrary [13, 17, 49, 57]. The author found this reasoning to be true in the cases of the NASA Space Shuttle Challenger and Japanese nuclear accidents, where errors in risk assessment led to under-estimating of fatal risk in terms of its likelihood [5, 6]. That RSSB does not apply to itself the requirements in the risk guidance from a cognitive perspective issued to the industry, and fails to identify risk in its management systems, is shown by the case study in the paper [58, 59, 60, 61].

The author is led to the insight on human and social cognition, drawn from works of Nobel laureates Herbert A. Simon, Daniel McFadden, and Daniel Kahneman, that cognitive errors in information processing activity do exist [36, 42, 55, 67]. The insight drawn from the work of Nobel laureate Herbert Simon (1978) is that the fundamental limitation of human cognition in organisational context gives rise to *satisficing behaviour*: the tendency to settle for satisfactory rather than optimal courses of action; this is discussed in the text on the topic of bounded rationality in Section 3.3.1 of Chapter 2 on the cognitive science tradition by James Reason [55]. In the same text, Reason observed that this is true for both individual and collective decision making, and cites Cyert and March (1963), who demonstrated that organisational planners are inclined to compromise their goal setting by choosing minimal objectives rather than those likely to lead to the best outcome. Organisational behaviour needs to become the focus of attention [15]. Two examples of the necessity to focus on this social tendency to compromise goals can be read from the evidence of failure of the High Speed 2 Business Case in the UK House of Lords Economics Affairs Committee Report and failure in the case of the Chinese ERTMS Train Crash [14, 68].


88 Railway Research - Selected Topics on Development, Safety and Technology


Third, Prof James Reason advanced the idea that identifying the pathogens hidden in senior and line management decisions and practices, which feed into psychological precursors of unsafe acts, is the best way of controlling safer operations [55]. These hidden pathogens are best discovered, as per the author's knowledge, by using the Management Oversight and Risk Tree to include human failings in risk assessment, risk management, engineering management, and investment management. This idea is supported by Prof Jens Rasmussen as well. That the problem of determining the risk in a qualitative or quantitative manner is subject to professional biases is noted by Prof David Ball in the UK HSE Research Report 034 on how to understand and respond to societal concerns. He observed that a risk management strategy cannot be promoted without a belief that one way of life, or one way of sharing risks and costs, is better than another [73]. Questions of will to impose harm on others and acting under ignorance are philosophical questions if we disregard the legal and bounded rationality perspective for a moment [66, 67]. That acting upon information generated by FN curves by means of RSSB's Safety Risk Model or FN curve data analysis, without taking into account decision-making under uncertainty, is an error is noted by Prof Andrew Evans in his study of transport accidents. The literature by Prof Andrew Evans shows how FN curves are constructed [76].

The HSE Report 034 had emphasised the need to incorporate plural views into decision making, while acknowledging that these will be based substantially on beliefs, values and ways of categorising the world, rather than upon objective information [73]. The important role that culture plays is shown by Prof John Adams as well. In other words, bias will unavoidably be encountered, and ultimately the question may well come down to choosing one form of bias over another. Further, the following features characterise risk-based decision-making:


The Skills-Rules-Knowledge taxonomy advanced by Prof Jens Rasmussen is applicable to the co-operative architecture of work, which is applicable to the current regime of risk management within Europe as well [53, 54, 55]. Duty of co-operation is mandated by the UK Rail Regulator as well [46]. Contrary to the advice that emerges from reading the management literature, that safety and production planning should not be placed lower than finance and planning activity in the hierarchy of management concerns, it is commonplace to find economic concerns being prioritised ahead of the safety concerns in the industrial context. From a cognitive science perspective, this act of compromising safety is a violation (pp. 206) [55].

The cognitive biases and information processing flaws were identified by Prof Andrew P. Sage as well. These flaws affect information formulation for acquisition, analysis, and interpretation. These can be read from the works of Prof Andrew P. Sage [47]. These flaws are based on those identified in Daniel Kahneman and Amos Tversky's 1974 paper [36].

The following are the biases that have come to the author's attention as a result of his own research on system risk assessment and management.

**1.** *Incomplete data*. Failure to include uncertainty in the scientific estimates of reliability, availability, and maintainability of digital signalling systems including communication systems as a whole. I know the report is damning, and it may be based upon solid evidence, but how sure are we? We must allow for that uncertainty in our thinking.

**2.** *Defence-in-depth fallacy*. Fallacy on the part of computing science experts who entertain the idea that graceful degradation of automated information processes (fault tolerant architecture) shall be fail safe as the automated system is designed to stop the process under control if in doubt over the data (how the computer will doubt its input data, its own logic, and the outputs it generated if it has no access to the real world like human beings is not questioned?);

**3.** *Affect Heuristic and/or planning fallacy*. The transport programme has large benefits and no major costs. I suspect the affect heuristic. No one pays attention to the fact that failure of 90% of the large railway projects to attain the cost and passenger targets has been cited in a 2005 study. The great and good in the company are agreed with the programme mission and they like their plans. I suspect *Affect* and *satisficing heuristic and planning fallacy* [36].

**4.** *Narrative fallacy*. The consulting engineer is learning too much from the recent £1 billion project success, which is too tidy. The engineer has fallen for a *narrative fallacy.*

**5.** *Out of mind out of sight bias*. The fault tree and event tree analysis of the train crashes do not show any management and technical errors. I suspect '*out of mind out of sight bias'.*

**6.** *Blame Game.* The train failed in the tunnel. The communication between the trackside and train-based equipment did not take place in the degraded scenario due to operator error. The computer simulation did not test this scenario. I smell the 'blame game'.

**7.** *Gambler's fallacy*. Clear-cut information about the probability of an event is not taken into account because people believe that chance is a self-correcting process, such that a deviation in one direction will necessarily be followed by a deviation in the opposite direction. 'The shares have been falling for the railway firm, it is time to buy as the trend will reverse'. Gambler's fallacy can be seen as a factor in the explanation of the Saint Petersburg paradox described in the literature.

That the expected value of the game, as a sum of the products of probability of loss or gain multiplied by the values of the outcomes considered by the decision maker(s) or taker(s), is poor psychology is noted by Nobel laureate Daniel Kahneman. These types of erroneous arguments can be seen in the case of level crossings [25].

*Allais paradox:* That norms of Expected Utility Theory and axioms of Rational Choice were violated, due to the certainty effect, by expert statisticians and future laureates in Economics in the following decision situation is cited by laureate economist Daniel Kahneman (pp. 310–321) [36], (pp. 39) [55].

Decision I: choose 61% of £520,000 or 63% of £500,000

Decision II: choose 98% of £520,000 or 100% of £500,000
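
The violation in the Allais decision situation can be checked directly. The following worked derivation is an added illustration, not part of the original chapter; it assumes the choice pattern commonly reported for this problem (the 61% option in Decision I and the certain £500,000 in Decision II), an increasing utility function $u$, and the normalisation $u(0) = 0$.

$$
\begin{aligned}
\text{Expected values, Decision I:}\quad & 0.61 \times 520{,}000 = 317{,}200 \quad\text{versus}\quad 0.63 \times 500{,}000 = 315{,}000 \\
\text{Expected values, Decision II:}\quad & 0.98 \times 520{,}000 = 509{,}600 \quad\text{versus}\quad 1.00 \times 500{,}000 = 500{,}000 \\[6pt]
\text{Choice in Decision I implies:}\quad & 0.61\,u(520{,}000) > 0.63\,u(500{,}000) \qquad (1)\\
\text{Choice in Decision II implies:}\quad & u(500{,}000) > 0.98\,u(520{,}000) \qquad (2)\\
\text{Multiplying (2) by } 0.63:\quad & 0.63\,u(500{,}000) > 0.6174\,u(520{,}000) \qquad (3)\\
\text{Chaining (1) and (3):}\quad & 0.61\,u(520{,}000) > 0.6174\,u(520{,}000) \;\Rightarrow\; u(520{,}000) < 0
\end{aligned}
$$

Since $u$ is increasing and $u(0) = 0$, $u(520{,}000)$ must be positive, so no such utility function can produce both choices. The same two-point change in probability is weighted more heavily when it moves 98% to certainty than when it moves 61% to 63%, which is the certainty effect named above.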


**15.** *Measurement Fallacy.* Risk not measured is not managed. Let us quantify the risk of rare events according to Poisson method and justify that it is acceptable as the greater good of the society is served by ignoring so-called wider human factors. I suspect Measurement Fallacy.

**16.** *Concrete Jungle Fallacy.* European and American city dwellers have a much higher percentage of rectangularity in their environments than non-Europeans and so are more susceptible to the Müller-Lyer illusion. The Müller-Lyer illusion occurs when, of two equally long parallel lines, the one with arrow tails placed at the ends visually appears longer.

**17.** *Coherence Bias.* The plan to implement the requirements as a decision rule has been agreed by domain experts. But this plan fails to meet the decision criteria for cognitive adequacy and safety requirements. Warnings about the inadequacy are dismissed as soon as raised. The operator's inattention due to distractions in the environment to execute the task is ignored. I suspect group–think bias [4, 36].

**18.** *Fault and event tree analysis bias.* Goldman Sachs' (error cited earlier) bug is not acknowledged by a mechanical approach to change management in organisations without paying attention to the nature and behaviour of organisations, and blindly relying upon methods like fault and event trees that are prone to error [13, 16, 17, 25, 55, 65, 78].

Some of the above latent human factors that may contribute to any potential ERTMS accident were noted by Sanjeev Appicharla in 2013 [6, 8]. The author refers the reader(s) to an excellent online 2010 report by Felix Redmill in the computing science domain on how to judge if the safety risks are ALARP via a decision-making process [57]. There is no unanimous agreement on the use of the ALARP principle as per the UK House of Lords Report [77]. However, Redmill's 2010 Report does not take into account all errors in information processing of choices revealed to us by economists and psychologists in general and Nobel laureates Herbert A. Simon, Daniel McFadden, and Daniel Kahneman in particular [36, 42, 67]. The author does not subscribe to the idea that automated risk assessment tools such as genetic algorithms are of help. Readers may note that the SIRI methodology is an engineering methodology to assist system and safety analysis of engineered systems by taking into account success and failure scenarios, and is based upon the theory of decision-making under uncertainty in the data and decision-making process [35, 37]. The challenges posed by problems of complexity, causality, overconfidence, human error, hindsight and outcome biases, bounded rationality, economic choices, cognitive limitations, out of sight out of mind bias, halo effect, omissions and oversight have to be met by any methodology to be used for decision making for the assurance of system safety risk management of complex engineered systems [55].

In this section, the idea as to why some wrong approaches to safety risk management, relying upon risk-benefit analysis or fault and event tree analysis or reactive risk management, persist was discussed.

In the next section, the case study of the Cambrian ERTMS Safety Critical Incident is taken up to show how the foregoing concepts are logically demonstrated.

## **3. Analysis and modelling of Cambrian ERTMS safety critical incident**

To manage the hazardous (potential or actual) situations, the different steps followed in the system and safety analysis as per SIRI methodology are as follows [3].


The last three steps may involve an iterative process between them; the process of developing understanding may require intermediate stages to store the results on a draft version to revisit the branches of Management Oversight and Risk Tree (MORT) questions from engineering and risk management perspectives. A red, green, amber light marking system may be needed as each sequence of energy transfer process may need to be revisited. Further, the original Management Oversight and Risk Tree in 1974 was developed with an understanding that at the design phase engineers and their managers will be able to perceive, conceive, and act upon the identified hazards before the close out of the design process [35, 37]. However, as the railway domain does not use the concept of affordance of harm from the system as a design criterion as required by the human factors engineering process, it is necessary to consider various heuristics used by designers and operators, and resulting biases that may arise at design as well as operational time, in the risk assessment, safety verification, and validation phases [5, 6].

It is assumed that HAZOP Chair and Risk Analyst roles will be performed by competent persons. In terms of meeting systems engineering and safety standards set by engineering institutions such as Institution of Electrical and Electronic Engineers – IEEE std 1220 or International Electro-technical Commission – IEC 61508 or sector-specific European Committee for Electro-technical Standardisation – CENELEC 50126, the two stage processes of system and safety analysis can be complied with and implemented with the help of the SIRI methodology [6].

To produce a model of an operational railway, the model should be able to reflect the real world closely. The operational railway includes several interfaces in all operational circumstances:

**a.** Man–machine interface (driver–line signals, signaller–automatic route setting, driver–train, etc.)

**b.** Machine–machine interface (interlocking – lineside signals, ATP-train brake, ERTMS-interlocking, ERTMS-fixed and mobile telephony, mobile telephony to ETCS, etc.)

**c.** Man procedures (operational procedures, work instructions, etc.)

**d.** Organisational interfaces (safety standards, failure management, hazard control between duty holders, between duty holders and industry bodies, between various types of organisations)

However, the present modelling languages suffer from a disadvantage in the sense that they tend to superimpose their own order on existing systems and fail to capture the rich partial order present in the system.

The application of the SIRI methodology to the incident situation under study is described. The RAIB Accident Investigation Report is used as the input document alongside the MORT (2002) questionnaire.

The RAIB Summary is reproduced here.

Shortly before 22:00 hrs on Sunday, 19 June 2011, a passenger train, travelling from Aberystwyth to Machynlleth, ran onto the level crossing at Llanbadarn while the barriers at the crossing were raised, and came to a stop with the front of the train about 31 metres beyond the crossing. There were no road vehicles or pedestrians on the crossing at the time. The immediate cause of the incident was that the train driver did not notice that the indicator close to the crossing was flashing red until it was too late for him to stop the train before it reached the crossing. Factors behind this included the driver's 'Increased work load' (his need to observe a screen in the cab at the same time as he should also be observing a lineside indicator), the design of the equipment associated with the operation of the level crossing, and the re-setting of the signalling system on board the train before it could depart from Aberystwyth. An underlying cause of the incident was that the signalling system now in use on the lines from Shrewsbury to Aberystwyth and Pwllheli does not interface with the automatic level crossings on these routes.

The RAIB has made six recommendations, three directed to Network Rail, two to Arriva Trains Wales, and one to the Rail Safety and Standards Board. These cover the development of engineering solutions to mitigate the risk of trains passing over automatic crossings which have not operated correctly; changes to the operating equipment of Llanbadarn crossing; the processes used by railway operators to request permission to deviate from published standards; the operational requirements of drivers as trains depart from Aberystwyth; and the way in which drivers interact with the information screens of the cab signalling used on the Cambrian lines.

## **3.1. System analysis diagram**

To enable visualisation of, and reasoning about, risk manager behaviour in a general operating situation within the real world, the author has prepared an adapted version of the diagram of Prof Jens Rasmussen's Skills-Rules-Knowledge Framework within the Cognitive Science tradition. The diagram does not show the actual mental world of an individual, but it is a model or a representation to be used by the SIRI Analyst to reason about certain behaviour in philosophical, teleological, cultural, and scientific traditions of thinking and reasoning reflected in the literature on risk. However, it should be noted that this model does not reflect real truths. As Prof David Hand has written, one must revert to religion or pure mathematics for learning absolute truths [26]. It only shows a frame to reason about heuristics which allows a response (automatic or reasoned) to the questions on risks or operator's actions in the real danger situation, as well as shortfalls in risk or investment actions reasoned in managerial thinking.

To enable easy comprehension of the context of the UK railway industry operations, a system diagram is prepared. This is shown in Figure 1. This is an architectural context diagram (ACD) showing stakeholder organisations involved in the context of the Cambrian ERTMS Incident. From a systems engineering perspective, organisations forming part of the railway system are Network Rail and Passenger or Freight operating companies (not shown in the figure); European Railway Agency, RSSB, and RAIB are system supporting organisations, whereas Department of Transport is the ultimate owner of the UK Railway System. Office of Rail Regulator, ORR, is a regulatory organisation. Element organisations like Alstom, Siemens, Ansaldo, Bombardier, Invensys, and Thales that supply signalling solutions are represented as contractors. Professional engineering societies which train, license, and certify individuals to meet the railway industrial needs are not represented in the diagram, but are recognised as institutions contributing to human capital development and, as a consequence, to risk management as per Nobel laureate and economist Gary Becker's perspective [62]. Notified bodies or project safety organisations are treated as entities acting as contractors providing safety auditing, assessment, advice, and accreditation. The brief details of the European process validation and certification process are defined in Section 5.5.3 of the UIC Compendium on ERTMS [81].

From a system analytical perspective, the definition of an organisation offered by Nobel laureate Herbert Simon, that organisations are adaptable systems made up of physical, technical, and human resources and exhibit what is known as 'satisficing behaviour', is accepted in this chapter [67]. The solid red lines in Figure 1 indicate safety critical interfaces and functions, and the dotted red line indicates influences emerging from accident investigations. Symbol 1 indicates ORR is legally independent of the Secretary of State. Symbol 2 indicates Passenger Focus is an independent body set up by the UK Government to protect the interests of passengers.

**Figure 1.** Architecture Context Diagram of the Railway Industry. Adapted from the UK National Audit Office Report (The UK National Audit Office 2010).

## **3.2. Hypothetical HAZOP study**

The description of hazard identification and analytical methods used in the SIRI methodology is available in the published literature. HAZOP is a hazard identification technique promoted by the UK Institution of Chemical Industry in the early 1970s [17].

From the information gathered from the summary section and paragraphs 95 and 177 of the RAIB Report, the critical interface between stakeholder organisations, Network Rail, the owner of the rail infrastructure, and Arriva Trains Wales (ATW), the passenger train operating company, at the operational time is the interface between the driver's eyeball and the driver crossing indicator [51]. This is identified as Driver\_ Perception of the Driver Crossing Indicator (DCI) and is the emergent property to be conserved in this study and operations as well.

The indicator was flashing red giving dynamic information to the train driver, but the driver's response was delayed and the train did not stop ahead of the level crossing, indicating a safety critical deviation. From the SIRI methodological perspective, after Driver\_ Perception is a safety critical deviation as the event of driver perception occurred after the braking point despite stopping ahead of the crossing space. Reading of para 100 and subsequent text of the RAIB Report suggests that the signaller made a mistake in setting the routes which led to a timing sequence problem, leading to the event of the opening of the barriers prior to the event of the train passing over the crossing space. The chain of events leading from this pre-cursor event is not discussed, as the parameter of interest in the hypothetical HAZOP study is Driver\_ Perception of the Driver Crossing Indicator in the sequence of events desired and its late occurrence. It suffices to note that the signaller's error is a latent error and it is clear that human factor analysis of the signaller's task post implementation was not carried out. This is a latent error from the Common Safety Method's perspective as well [11].

Moreover, the design intent of the ERTMS signalling automatic train protection (ATP) system is to provide the signal to the programmable electronic system giving information on safe speeds and stopping points in Full Supervision (FS) Mode [82]. Thus, from the ERTMS signalling system function perspective, the emergent property which is to be conserved by the trackside subsystem to on-board train system critical interface is Provide\_ Signal.

But the national signalling infrastructure and human factors are excluded from the scope of the Signalling Supplier's Consortium's (UNISIG) safety analysis. Further, the Compendium on ERTMS notes in Section 8.3.2 that, for the Index 47 document contained in Chapter 6, risk analysis performed by two member states resulted in different interpretations of the hazard lists [82]. Given the fact that certain signalling entities and human factors are excluded, the purpose of the European Train Control System (ETCS) *to provide the train driver with information to enable drive the train safely and to enforce respect for this information* is not satisfied if Driver \_Perception \_ Crossing Indicator is not included in the movement authority information. This discovery should provoke thoughts on the requirements management process used in the programme management of ETCS programmes. This incident has shown that the design intent as per RGS GE/RT 8026 was not met [51].

The sample HAZOP worksheet for the automatic train protection system, adapted from the IEC 61822 standard for HAZOP study, is shown in Figure 2. From reading para 157 of the RAIB investigation, it is clear that the movement authority across the crossing was issued without stopping information, i.e. No \_ Provide\_ Signal [51]. From this hypothetical HAZOP study and RAIB information, it is clear that the trackside sub-system was not configured for the emergent property Provide\_ Signal at the ABCL Level Crossings. If a real HAZOP study were to be conducted, then this failure may provoke thinking about the adequacy of the study of failure scenarios and barriers as well.

Absence of the road user at the crossing space averted the potential accident. The real accident, if it had occurred, may have led to a range of outcomes with the loss of life as well as public and media outrage, if too many fatalities had resulted from it.

Figure 3 shows the schematic diagram of the Llanbadarn ABCL facility. This figure may have to be zoomed to 180% or above to gain visual clarity. At the minimum, actions as planned under the risky scenario of raised barriers and the train front stopping 31 metres beyond the crossing space would have certainly resulted in a collision between the road and the rail vehicle, given the present understanding of laws of physics [48].

The absence of road user at the same time when the train passed the ABCL crossing space in error is judged by the SIRI analyst to be an 'act of God', as the intention of all stakeholder organisations such as regulating, specifying, developing, designing, manufacturing, supplying, utilising, and maintaining the ABCL design is to allow road users (without committing an error) to pass through the crossing space when barriers are raised.

**Figure 2.** Sample HAZOP worksheet for ATP system.

**Figure 3.** Schematic diagram of Llanbadarn ABCL.

Non-provision of an engineered safety feature in the contemporary ABCL design is a signalling engineering induced (latent) error at the RSSB Standards Committee Level, whereas the driver's delay in departing and arriving at the strike in point may be a signaller (active) induced error. The SIRI methodology adopts a system-induced error approach; and therefore, it is necessary to look at errors from a holistic perspective. The lack of compatibility of requirements between Railway Group Safety Standard GE/RT 8026 and the European Norm for ERTMS/ETCS System is a glaring omission in the area of railway safety risk management [46]. It shows intelligence failure on the part of all organisations. This type of failure was investigated in the GB Railway domain in 1976 by Barry A. Turner as well [78].

## **3.3. System safety analysis: Application of Energy Barrier Trace Analysis – EBTA, Skills– Rules–Knowledge (SRK) and Management and Oversight and Risk Tree (MORT) methods**

Management and Oversight and Risk Tree (MORT) is an analytical technique for identifying safety-related oversights, errors, and/or omissions, or assumed risks that lead to the occurrence of an incident or accident [17, 35]. The MORT diagram uses the logic of a fault tree. It contains two main branches. One relates to control of technical factors, denoted by letters SB, SD, etc., which are leaves of the causal tree and represent system life-cycle factors. The other is the management branch, denoted by letters such as MA, MB. Leaves within these branches are noted by lower case letters a1, b2, etc., which relate these events to questions listed in the MORT User Manual [17, 35].

The MORT Report contains following acronyms:

LTA: less than adequate

DN: did not

FT: failed to

HAP: hazard analysis process

The description of the concept of operations is drawn from the ORR documentation and RSSB Railway Group Standards, is based upon the author's past experience of chairing a HAZOP study at RSSB for a generic ABCL facility, and is described using the generic Event Causal Factors (ECFA) analysis chart. This is shown in Figure 4. It may need to be enlarged to 180% to gain visual clarity on the computer screen.

The description of the expected event sequence to form a coherent description uses a particular notation of ECF analysis. The criteria to be used to read the event sequence diagram follow.

**•** Each event should be derived from the one preceding event save for initiating event,

**•** Colour coding is used to distinguish infrastructure manager (IM), railway undertaking or train operating (RU) domain, and user domain,

**•** Events are labelled with number or letters to identify the sequential flow of events in respective duty holder domain.

The Concept of Operations describes the operational scenario when the train is approaching the warning board and the train driver is in vigilant mode of information processing. However, the RAIB description of the incident (paragraph 110) informs that the event of approaching the warning board was delayed due to the train entering Staff Responsible, SR, mode [70]. The ABCL being located near the station inserted a delay in the normal specification of the ABCL task analysis, and no separate task analysis was performed by the Railway Undertaking (RU) in question. The time to approach the level crossing space is specified in the form of a time interval, and no account of the variation in the time for the tasks to be performed by the train driver due to different operating modes was taken by RSSB before granting the deviation to the safety critical requirements specified in the Railway Group Standard – RGS GE/RT 8026 [51].

This is a latent error embedded into the system where engineering and organisational errors are committed. This is an instance of *Railway Senior Managers and Engineer Fallacies.* Further, this latent error refutes the European Railway Agency's and RSSB's idea that the management and regulation of the railway is designed to ensure that – if each transport operator meets its obligations with respect to the safety of its own operation and the state also fulfils its duties – then the sum of the parts will lead to a whole that is safe. Further, the RSSB statement does not fit the idea of systems thinking that the whole is more than the sum of its parts. This idea is entertained by system engineers as well as human factors specialists. Moreover, this error does not align with the Best Practice of Decisions Under Risk of Prospect Theory, which is acknowledged by RSSB in its July 2014 document [6]. Given the nature of the latent error, it is clear that this decision not to conduct workload assessment is a violation of RSSB's own Best Practice for Human Factors Risk and Safe Decision Taking [58, 61].

Given the Concept of Operations diagram which the author has developed, introducing timing analysis into the scheme is not a difficult issue if the data from the human factors engineering is included as well. From direct inspection of the event sequence described in the diagrams shown in Figure 4, the expected event labelled E-IM-13 in the Network Rail domain was a flashing white aspect, and contrary to the expected event labelled E-RU-6 in the Arriva Trains Wales domain, the red light was perceived, suggesting that the barriers were raised and an obstruction may be expected in the path ahead of the train.

Realising this fact, the train driver applied the brakes but the train did not stop short of the crossing. Since this constitutes a safety critical deviation, it is necessary to inquire further as to why the driver's response was slow and what shaped that behaviour. The train driver's action was a skill-based error type where the spatio-temporal response was delayed [12, 36, 55, 52].

**Figure 4.** Representation of the concept of operations of ABCL Facility signalled by traditional lineside signalling

## **3.4. Energy barrier trace analysis**

From the RAIB Report(s) and the information available from the stakeholder organisations' websites, the following worksheet is generated. This worksheet forms the starting point of the root cause analysis.

| Harmful energy flow or harmful agent, adverse environmental condition SB1 | Target vulnerable person or thing SB2 | Barrier and controls to separate energy and target SB3 |
| --- | --- | --- |
| Kinetic hazard (train movement into the crossing space) when barriers are raised | None present at the time of incident | ERTMS Cab Signalling (not provided with movement and braking information when approaching level crossings) does not apply to national signalling infrastructure *(incomplete data for safety analysis).* Latent error: *status quo bias* |
| | | Restriction on train speed (not provided with information at level crossings). Latent error: *status quo bias* |
| | | Obstacle detection (not provided). Latent error: *habit bias*. |
| | | Lifting barriers (provided) but not interlocked with train movement. Latent error: *habit bias*. |
| | | Approaching locking (not identified in the RAIB report). Latent error: *habit bias*. |
| | | Interlocking system (did not provide function of locking barriers with train braking function). Latent error: *illusion of validity of driver's expertise.* |
| | | Did not provide bridges, underpass, etc. Latent error: *illusion of control.* |

**Table 1.** For Energy Barrier Trace Analysis (EBTA) worksheet

Logic of combinations may be applied to Table 1. The author does not agree with Pearson's idea that causation and correlation can be inferred in the same way [23]. Credit to God is given at the user level crossings where no indication of an approaching train can be perceived or the passenger manages to escape the accident [73, 74]. Otherwise, the table indicates that level crossings are accidents waiting to happen. This table can be interpreted again using Prof James Reason's Swiss Cheese Model as well. The ECFA activity yields information on unsafe acts. But the precursor information on regulatory and organizational oversights is available from the EBTA and MORT charts.

It is clear from the foregoing particular description of the ABCL incident by RAIB that an ineffective system was deployed. The method of application of the MORT under the SIRI Methodology has been described in 2011 and 2012 [2, 6, 7, 9]. Call for replacement for bridges is not met easily due to failure on the part of social actors to perceive the risk correctly. Further, erroneous interactions between distant components of the Route Management System and the level crossing user's intention leading to fatality at the level crossing site are noted in the accident literature [70].

To consider how and why the hazardous system was deployed and safeguards were not provided, it is necessary to apply the MORT questionnaire, as an organisation framework, to the RAIB report and related literature to arrive at all factors involved in contributing to the incident. The MORT audit questionnaire is freely available online at www.nri.eu.com [35, 37].

## **3.5. Information on hazard causal factors: SIRI MORT representation**

The responses elicited by the application of the MORT audit questions (2002 version) are characterised as human errors [35, 37]. Readers are requested to enlarge the images to make them readable. The lessons learnt from the 2011 Incident and evidence drawn from the RAIB Report 11/2012 and the 2010 RSSB Road and Rail Interface Report are described together with the evidence to support the reasoning in the form of a fault tree representation. The MORT Causal Trees for the engineering and managerial branches are represented in Figure 5, Figure 6, and Figure 7. The heuristics and biases shown are not mapped to organisations involved in Figure 5. Such mapping may be carried out with the available information. The information contained in the MORT Top Tree derives from the managerial and engineering branches and evidence from the requirements for safety management system, generation, operation and maintenance of system safety case from UK and European Commission Norms.

Inspection of the above diagram shows that the hazards, and the heuristics and biases involved in safety risk information processing at the knowledge-based level, with a potential loss of 32 lives with 99% probability as per standard Cauchy distribution with statistical median of 0.72 fatality per 1,000 ABCL level crossings and scale factor equal to 1, were not analysed. The neglect of base rates can be seen from the HS2 Risk Report [27]. The fault within fault tree analysis labelled as 'out of sight, out of mind' bias is self-evident in this case study.

The mean weighted fatality rate of 0.72 fatalities for road vehicle passengers is taken from RSSB Report dated 2010 [60]. The basis of the calculations and more elaboration of the causal tree follows.
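The 32-lives figure can be reproduced from the Cauchy quantile function. The following is an added example, not part of the chapter: it assumes the quoted figure is the 99th percentile of a Cauchy distribution with median 0.72 and scale 1, and it compares that with a normal distribution of the same centre and scale (the normal comparison is an assumption introduced here to show the fat tail).

```python
"""Added example: tail quantiles of the Cauchy loss model quoted in the text."""
import math
from statistics import NormalDist

MEDIAN = 0.72  # location x0: fatality figure the text takes from the RSSB 2010 report
SCALE = 1.0    # scale factor gamma stated in the text


def cauchy_cdf(x, x0=MEDIAN, gamma=SCALE):
    """P(loss <= x) for a Cauchy distribution with location x0 and scale gamma."""
    return 0.5 + math.atan((x - x0) / gamma) / math.pi


def cauchy_quantile(p, x0=MEDIAN, gamma=SCALE):
    """Loss level that is not exceeded with probability p (inverse of the CDF)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return x0 + gamma * math.tan(math.pi * (p - 0.5))


def normal_quantile(p, mu=MEDIAN, sigma=SCALE):
    """Same quantile under a thin-tailed normal model (assumed comparison)."""
    return NormalDist(mu, sigma).inv_cdf(p)


def exceedance_probability(loss, x0=MEDIAN, gamma=SCALE):
    """P(loss > given level) under the Cauchy model."""
    return 1.0 - cauchy_cdf(loss, x0, gamma)


def tail_table(levels=(0.90, 0.99, 0.999)):
    """Rows of (probability level, Cauchy quantile, normal quantile)."""
    return [(p, cauchy_quantile(p), normal_quantile(p)) for p in levels]


if __name__ == "__main__":
    print(f"{'level':>7} {'Cauchy':>10} {'normal':>10}")
    for p, c, n in tail_table():
        print(f"{p:>7.3f} {c:>10.2f} {n:>10.2f}")
    # The Cauchy mean is undefined, so averaging past losses does not
    # stabilise; only quantiles such as the median are meaningful.
    print("P(loss > 32.54) =", round(exceedance_probability(32.54), 4))
```

At the 99% level the Cauchy model gives about 32.5 fatalities against about 3 for the normal model, and the gap widens by two orders of magnitude at 99.9%.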

The information on the hazard causal factors will be appreciated when the information is placed in the frame of reference using the concept of operations diagram (see Figure 3).

**Figure 5.** SIRI MORT Top Tree (Page 1). Branches shown: Oversights and Omissions MORT Branch; Assumed Risk MORT Branch.

It should be noted that ERTMS Safety Experts do acknowledge that the Command Control & Signalling Technical Interoperability Specification (TSI) cannot itself guarantee the safety of the system, since the National Part of the Signalling System and an interface to it is outside the TSI Scope (pp. 206) [82]. The way to integrate man–machine interactions, operational rules, or non-inter-operability technical components into system safety analysis, as per the European Railway Agency, is to treat the safety performance of inter-operable constituents as a fixed factor and derive safety requirements for the non-TSI constituents. ERA's argument is that top-down decomposition and allocation of probabilities ignores the human factors in risk assessments, fault tree analysis, and allocation of physical, human and social capital. The consensus decision making process adopted at the RSSB Signalling Standards Committee level does not use any system analysis to detect conflicts between various types of requirements which give rise to human factor concerns. In other words, group-think bias due to assignable causes or optimism fallacy can manifest in such decision settings due to systematic human failings in the lack of a systems engineering process in specification of safety requirements, risk analysis & modelling and human factors investigation. ERA is aware of the incompleteness of the generic risk analysis but RSSB does not include human factors concerns.

Less than adequate competence of professional heads of signalling, risk assessment, independent review, operations, human factors, safety, and systems engineering disciplines at regulatory, safety, duty-holder, supplier and validation organisations is a natural conclusion that can be drawn from the case study. The Greek philosopher Plato once asked who will guard the guardians via Glaucon, who thought it was absurd to consider their oversight (Plato's Republic). This was the original thesis stated by the author in his 2006 publication [3]. The European Process for Safety Authorisation as defined by Peter Winter in the UIC Compendium on ERTMS in 2009 for the safety certification did not assure the safety operability, albeit technical inter-operability of components has been attained (pp. 128) [81]. Identifying, interpretation of the current state, evaluation of options, identification of the target (safe) state, and specifying the safety goal for the Cambrian ERTMS Implementation, which form five crucial stages of decision making in the Skills-Rules-Knowledge Decision Model, were less than adequate. The work groups involved did not have the interest of public safety at the heart of their decision making activity (pp. 369) [49]. Management Oversight and Risk Tree's decision model provides the idea that noise generated by political rhetoric overshadows the signal of less than adequate design of level crossings.

The author has observed the tendency on the part of safety organisations to club several safety and human factors engineering techniques such as HAZOP, Fault and Event Tree Analysis, and Operator Task Analysis to conduct safety critical analysis, and has raised this concern with the Chair of the Human Factors Working Group of UK INCOSE set up recently [6]. The feedback on this document is awaited. However, that the safety case for ERTMS/ETCS is difficult to generate using the existing safety management methods was argued by the author at RSSB in January 2010 [10].

That incomplete system definitions cannot be used for system safety analysis is learnt from the literature of control systems engineering, from the UK HSE Guidance Note HSG238 as well [73]. However, that this vital fact has been omitted by RSSB research managers is learnt from reading the research paper published in 2011 [22]. In other words, if operator error and signalling technical error are contributory causes (ignoring latent errors), then to attain the SIL4 target for the overall system, the state of being at risk due to technical and signalling equipment failure has to exceed one chance per hundred billion opportunities per hour. This is under the assumption that the train driver's behaviour is logically equivalent to a low demand SIL2 system from past data and including the effect of immutable human nature discovered by David Hume [65, 66, 80].

The mean weighted fatality rate of 0.72 fatalities for road vehicle passengers is taken from the RSSB Report dated 2010 [60]. The basis of the calculations and more elaboration of the causal tree follows.

**Figure 5.** SIRI MORT Top Tree (Page 1). Branches shown: Oversights and Omissions MORT Branch; Assumed Risk MORT Branch.

104 Railway Research - Selected Topics on Development, Safety and Technology

The information on the hazard causal factors will be appreciated when it is placed in the frame of reference using the concept of operations diagram (see Figure 3). It should be noted that ERTMS safety experts do acknowledge that the Command Control & Signalling Technical Interoperability Specification (TSI) cannot by itself guarantee the safety of the system, since the national part of the signalling system and an interface to it are outside the TSI scope (pp. 206) [82]. The way to integrate man–machine interactions, operational rules, or non-interoperability technical components into system safety analysis, as per the European Railway Agency, is to treat the safety performance of interoperable constituents as a fixed factor and derive safety requirements for the non-TSI constituents. ERA's argument is that top-down decomposition and allocation of probabilities ignores the human factors in risk assessments, fault tree analysis, and allocation of physical, human and social capital. The consensus decision-making process adopted at the RSSB Signalling Standards Committee level does not use any system analysis to detect conflicts between various types of requirements which give rise to human factor concerns. In other words, groupthink bias due to assignable causes, or optimism fallacy, can manifest in such decision settings due to systematic human failings in the absence of a systems engineering process in the specification of safety requirements, risk analysis and modelling, and human factors investigation. ERA is aware of the incompleteness of the generic risk analysis, but RSSB does not include human factors concerns.

Inspection of the above diagram shows that the hazards, and the heuristics and biases involved in safety risk information processing at the knowledge-based level, with a potential loss of 32 lives with 99% probability as per a standard Cauchy distribution with a statistical median of 0.72 fatality per 1,000 ABCL level crossings and a scale factor equal to 1, were not analysed. The neglect of base rates can be seen from the HS2 Risk Report [27]. The fault within fault tree analysis labelled as out-of-sight, out-of-mind bias is self-evident in this case study.

Less than adequate competence of professional heads of signalling, risk assessment, independent review, operations, human factors, safety, and systems engineering disciplines at regulatory, safety, duty-holder, supplier and validation organisations is a natural conclusion that can be drawn from the case study. The Greek philosopher, Plato once asked who will

That incomplete system definitions cannot be used for system safety analysis is learnt from the literature of control systems engineering from the UK HSE Guidance Note HSG238 as well [73]. However, that this vital fact has been omitted by RSSB research managers is learnt from reading this research paper published in 2011 [22]. In other words, if level crossing functionality or human factors limitations need to be integrated into the system, then by the use of the logic of fault tree analysis, the safety requirements for national signalling (probability of failure of national signalling asset) and human factors (probability of failure of human operator) contribution to the loss event shall be greater than the overall system risk target of one chance event, and the failure rate of national signalling systems has to exceed one chance per billion opportunities per operating hours (pp. 208) [82].

In other words, the human error rate has to exceed SIL4 level if we include latent errors as well. The question of conjunction fallacy naturally arises if the final cause of the hazard is to be investigated together with its material (national signalling failure rate), formal (failure rate of risk management system), and effective causes (failure of human factors), as per Prof Jens Rasmussen's idea of Aristotelian causal representation as applied to hazardous events and theory of probability as well (36), (pp. 53) [53]. Thus, the idea of fat tail risk has escaped the attention of ERTMS specification writers, European Rail Agency safety experts, and safety risk experts at GB rail national safety bodies and duty-holders. This social phenomenon is not new. The aircraft industry shows similar tendencies as well [13, 49].

That the meaning of hazards management is restricted to storing information on databases rather than eliminating hazards can be seen from a metro railway project report in 2009 [30]. Further, the idea of conjunction of random failure events of redundant information processors has been paid attention, but the fat tail risk problem showing up as groupthink bias is not entertained in the risk literature by ERTMS designers, regulators, duty-holders, and standard bodies, as noted by Nobel laureate Daniel Kahneman and Sanjeev Appicharla [4, 36]. The review of the RSSB Safety Risk Model in 2012 did not refer to the errors that could occur in the usage of Bow-tie models, as has been shown in the accident investigation of the loss of the military aircraft Nimrod in the Nimrod Report in 2009. That accident pre-cursor models do not include managerial and engineering oversight and the tendency to assume risks can be seen from this review. Less than adequate technical review of fault tree analysis can be seen from this reference [24]. Further, the Review Report did not raise concerns over the subject matter experts using normalising constants in the risk equation, as highlighted by Prof Paul Slovic [25, 36, 78]. Further, the familiar short-cuts have been taken in the selection of goals, task and execution of the decision process as per Prof Jens Rasmussen's SRK model of the eight-stage process of decision making, and the potential hazard of a train colliding with a road vehicle was not recognised by senior managers, as per Prof James Reason's Swiss Cheese Model. The tendency not to eliminate risk within British Railway days is noted by risk and regulation expert Prof Hutter [41].

**Figure 6.** SIRI MORT SB2 Branch.

**Figure 7.** SIRI MORT SA2 Branch.

The MORT results, with the relevant heuristics and resulting biases incorporated into the MORT analysis, show a different risk picture than the expert railway safety and economic managers can imagine. An integrated analysis of quantified risk assessment, wider human factors via the Swiss Cheese Model, and decision errors at the knowledge-based level, called latent errors, to show resident pathogens via a cognitive systems engineering approach in an application of MORT is a novelty. This need is stated in an RSSB Research Project calling for formal procedures to be applied to the task of assessment of rules and staff of RSSB as well [19, 2–11]. The decisions taken by various organisations show that these stakeholder organisations were not optimising safety for the road users, passengers, and staff.

The incident occurred as RSSB/Network Rail did not consider inclusion of level crossing functionality into the Cambrian ERTMS Automatic Train Protection System. The decision-making process used by the RSSB Signalling Standards Committee for deciding upon the implementation of mandatory safety requirements specified within the Railway Group Standards was less than adequate, as it failed to take into account the worst-case scenario of risk possible, and the EU Technical Specification for Inter-Operability did exclude the functionality. The hazard analysis process used to close out the hazards failed to take into account wider and local human factors due to this exclusion [49, 55, 69]. Further, the linear interaction between the design of the system and the operator (train driver and level crossing user) is not a hidden interaction in the work situation and therefore, from a complex systems perspective, the ABCL incident is simply a component failure accident [55].

## **4. Conclusion**

The reasons for persistent use of wrong-but-popular approaches like cost-benefit analysis, and fault and event tree models for safety justification, identification of accident pre-cursors, and management of safety risk through the independent safety assessment approach were presented in the chapter.

The Cambrian ERTMS case study has identified all engineering, managerial, organisational, and regulatory actions which have contributed to the ERTMS Safety Critical Incident using the SIRI methodology. The case study showed various heuristics and biases that were active in the railway industry. This is a novel use of the heuristics and biases approach within the cognitive systems engineering tradition without omitting any stakeholder organisation in the SRK, MORT, and SCM analysis.

## **Acknowledgements**

The author expresses thanks to the InTech publishers for the invitation to contribute to the book. The author expresses thanks to anonymous reviewers for pointing out drafting and typographical errors in the text. Thanks are due to the MORT team as well. Thanks are due to near and dear ones in the family as well. It is difficult to name every individual and organisation that has helped directly or indirectly in the production of the case study.

## **Author details**

Sanjeev Kumar Appicharla1,2\*

Address all correspondence to: appicharlak@yahoo.co.uk

1 Institution of Engineering and Technology, UK

2 International Council on Systems Engineering, UK

## **References**



[16] Busby J. Failure to mobilise in reliability seeking organisations; two cases from the UK railways. J Manag Stud (Blackwell Publishing Limited) 2006;43(6):022–2380.

[17] Clifton, E. II. A. Hazard Analysis Techniques for System Safety. New Jersey: Wiley & Sons, 2005.

[18] Daniels K, Jane H. Strategy Reader: A Cognitive Perspective. 2nd Edition. Oxford: Blackwell Publishers, 1998.

[19] DNV Consulting. T220, Applicability of Formal Safety Assessment Process Approach to Rules and Standards Development within the Railway Industry. London: RSSB, 2004, 28.

[20] Einstein A. Relativity. London: Routledge, 1916–1952/2000.

[21] European Commission Directorate General For Transport. Master Plan for Development and Pilot Installations of the European Rail Traffic Management System. Brussels: European Commission, 1996.

[22] Bearfield GJ, Short R. Standardising safety engineering approaches in the UK railway. The Sixth International System Safety Conference. Birmingham: The Institution of Engineering and Technology, 2011. 5.

[23] Gopnik A, Laura S. Causal Learning, Psychology, Philosophy, Computation. New York: Oxford University Press, 2007.

[24] Haddon-Cave, Sir Charles. The NIMROD Review. An Independent Review into the Broader Issues Surrounding the Loss of the RAF NIMROD MR2 Aircraft XV 230 in 2006, London: Her Majesty's Stationery Office, 2009, 587.

[25] Hall S, Van Der Mark P. Level Crossings. Hersham: Ian Allan Publishing, 2008.

[26] Hand, David. The Improbability Principle. London: Penguin, 2015.

[27] High Speed Two (HS2) Limited. High Speed Rail Cost and Risk Model. Risk Report, London: High Speed Two (HS2) Limited, 2009.

[28] Hitchins D. Systems Engineering. Chichester: John Wiley & Sons, 2007.

[29] Hubbard DW. The Failure of Risk Management. First. New Jersey: John Wiley & Sons, 2009.

[30] Hughes D, Saeed A. Hazard management. Hazard Management, System Safety-Critical Systems: Problem, Process, and Practice, Springer, Proceedings of the 17th Safety Critical Systems Symposium, Brighton, UK. London: Springer, The Safety-Critical Systems Club, 2009. pp. 23–37.

[31] Reason J, Hollnagel E, Paries J. Revisiting the « Swiss Cheese » Model of Accidents. Accident Model discussions, BRUXELLES: Eurocontrol Agency, 2006.


[48] Penrose R. The Road to Reality. London: Jonathan Cape, 2004.

[49] Perrow C. Normal Accidents. 1999. New Jersey: Princeton University Press, 1984.

[50] Peter N, Mohr C, Biele G, Hauke RH. Neural processing of risk. J Neuro-Sci 12 May 2010. http://www.jneurosci.org/content/30/19/6613.short (accessed March 12, 2015).

[51] RAIB. Investigation Into Llanbadarn Crossing, 01/2012. Derby: HMSO, June 2012.

[52] Rasmussen J, Pejtersen AM, Goodstein LP. Cognitive Systems Engineering. First Edition. New York: John Wiley & Sons, Inc, 1994.

[53] Rasmussen J. Information Processing and Human-Machine Interaction: An Approach to Cognitive Engineering. Amsterdam: Elsevier Sciences, 1986.

[54] Rasmussen J. Risk management in a dynamic society: a modelling problem. Safety Science (Elsevier Science Limited) 1997;27(2/3):183–213.

[55] Reason J. Human Error. 17th edn. New York: Cambridge University Press, 1990.

[56] Redmill F. ALARP Explored No. CS-TR-1197. Newcastle: University of Newcastle upon Tyne, 2010.

[57] Rosenbluth A, Wiener N, Bigelow J. Behaviour, purpose, teleology. Philos Sci 1943 Jan;10(1):18–24.

[58] RSSB. Good Practice Guide on Cognitive and Individual Risk Factors, RS/232 Issue 1. London: RSSB, 2008.

[59] RSSB. Road Rail Interface Report. London: The GB Railway Industry, 2010.

[60] RSSB. T169, Risk in Management Systems. London: RSSB, 2004.

[61] RSSB. Taking safe decisions. RSSB Risk Analysis-And Safety Reporting. July 2014. http://www.rssb.co.uk/Library/risk-analysis-and-safety-reporting/2014-guidance-taking-safe-decisions.pdf (accessed March 20, 2015).

[62] Becker S. G. Human Capital. 3rd. Chicago: The University of Chicago Press, 1964.

[63] Safety-critical Systems Club. Proceedings of the Thirteen Safety Critical Systems Symposium. System Safety, London: Springer, 2005.

[64] Schlosser E. Command & Control. London: Penguin Books, 2014.

[65] Schopenhauer A. On the Principle of Sufficient Reason. Translated by Karl Hillebrand. New York: Prometheus Books, 1813/2006.

[66] Schopenhauer A. World as Will and Representation. Translated by R.B. Haldane and J. Kemp. London: Kegan Paul, Trench, Trubner & Co; Ltd, 1818.

[67] Simon H. Theories of bounded rationality. In: Decision and Organisation, pp. 161–176. North Holland Publishing Company, 1972.


## **Chapter 4**

## **Experimental and Simulation Study of the Superstructure and Its Components**

## Jacek Kukulski

Additional information is available at the end of the chapter

http://dx.doi.org/10.5772/61517

#### **Abstract**

The issues discussed in this chapter are of interest to both the manufacturers and the experts responsible for the condition of the track superstructure. In general, stress in steel elements may affect the energy state, phase changes, and corrosion. It may reduce fatigue strength and cause damage and cracks of the rails. It is one of the causes of accelerated development of standard railhead defects. Proper selection of, e.g., bending process parameters provides uniform distribution and an acceptable level of residual stresses in the bent components. Residual stresses that develop during the manufacturing process in the railway turnout steel components can change their strength properties. The first part of this chapter presents an ultrasonic measurement method and computer simulation that made it possible to develop a method to diagnose the state and distribution of residual stresses in steel components of the railway turnout (wing rails and switch blades) in the production process. The second part of this chapter includes experimental and simulation studies of the superstructure in operational conditions. A track substructure with a crushed stone composite is a solution for reinforcing the standard track substructure. The results are used to draw conclusions concerning further development and possible modifications of the proposed solution. A significant number of simulation calculations also make it possible to determine the duration of guaranteed functionality of a reinforced track substructure.

**Keywords:** Railway turnout, residual stress, ultrasonic measurements, finite-element method, ABAQUS railway track, crushed stone composite

## **1. Introduction**

The development of the railway infrastructure at the turn of the 20th and 21st centuries and the increase in passenger train speed to *V*max = 300–350 km/h and freight train speed to *V*max = 140–160 km/h on some routes are the results of railway vehicle design improvement and railway infrastructure optimization.

© 2015 The Author(s). Licensee InTech. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

A track superstructure that allows high speeds to be reached and transfers even higher stresses and loads of up to 25–30 tonnes per vehicle axle is required to meet very strict strength and durability requirements.

The infrastructure is subject to complex dynamic effects, changing with the increase in load and speed. In the last several decades, the standard railway track structure has not changed significantly, even though it is subject to studies and improvements aimed at increasing railway traffic safety and limiting operating costs.

The durability of the track superstructure is also affected by the quality of materials used, e.g., steel components used in the production of railway turnouts. Steel components of the track superstructure (rails, switch blades) show internal stresses even in the manufacturing process due to process treatment including surface hardening and bending. The treatment introduces additional energy to the material, i.e., stresses, which does not weaken the material, although it may affect component operation and result in damage.

## **2. Review of the literature**

Standard railway tracks include a permanent way with the rails and the sleepers on a ballast, operating under load in elasto-plastic state. The ballast is a source of permanent (plastic) deformation. The advanced technological and material solutions allow the operation of the rail bed under operating load in elastic state [1, 2]. Several developed mathematical models of the railway track, its components, and the effect of a vehicle on the track have been detailed in [4, 5].

Nowadays, a finite element method (FEM) is one of the most commonly used methods in addressing complex engineering issues. The method can be used in many fields, to easily create various areas and shapes of complex geometry. Numerical methods have been used in railway track component development for several decades. Extended studies have been performed by the Warsaw University of Technology, the Cracow University of Technology, and other research and development institutes. The studies have included residual stress analysis in steel turnout components, i.e., all rails, including flat-bottom rails.

The aim of the numerical calculations is to determine residual stresses in a rail after relieving and to determine the influence of different parameters on stress size and pattern. The results of numerical calculations have been compared to the results of ultrasonic stress measurements. The studies of international researchers have included modeling the effects observed as a result of rail rolling on roller straighteners. The studies [7] have included rail models and residual stress patterns after rolling simulation and the effect of the rolling process on stress size and pattern. A finite element method, as a basic tool in today's mechanics, has also found its use in railway track and bed development.

As mentioned in various studies, the authors of refs. [8, 12] have presented the results of numerical calculations for created models, as well as the results of measurements performed on testing track sections and in laboratory conditions. The author of this chapter uses FEM for simulation calculations of static and dynamic loads of the railway track components [13–15]. Standard railway tracks include a permanent way with the rails and the sleepers on a ballast, operating under load in elasto-plastic state. The ballast is subject to permanent strain resulting in plastic deformation. The advanced technological and material solutions allow the operation of the rail bed under operating load in elastic state [16, 17]. The weakest point of the standard railway track is the compacted crushed stone layer. Several research studies on crushed stone quality, type, and grading as well as on the mechanical compaction methods [18] have been presented. The studies have not given satisfactory results in relation to reducing the increase in non-uniform plastic strain intensity of the ballast. As a consequence, systematic and frequent repairs are required to eliminate unacceptable geometrical unevenness of a railway track. Energy generated at the wheel/rail interface is transmitted by the rail and rail fixings to the sleepers and via the ballast to the rail bed, causing an intense vibration field. Kinetic energy increases with the increase in train speed, and as a result, the vibration acceleration of rails, sleepers, ballast, and rail bed increases. It results in considerable tensile stresses within the ballast, affecting internal friction balance and causing the ballast to break up. The ballast subsidence (plastic strain) cannot be avoided, and at the same time it increases with the increase in ballast stresses and vibration acceleration.

The crushed stone ballast layer is subject to tensile stresses. Vibrations in the ballast layer cause acceleration exceeding the acceleration of gravity *g*, further reducing ballast resistance to tensile stresses. The crushed stone ballast layer at the sleeper and ballast interface at operational loads is in a spatial compressive stress state. The principal stress tensor can be described as *σ*<sub>1</sub> > *σ*<sub>2</sub> > *σ*<sub>3</sub> > 0. It means that the crushed stone ballast is in a tri-axial compression state, thus creating the best conditions for ballast operation. The most adverse conditions can be observed when the ballast is subject to pulsating and variable tensile stresses. Further analysis shows that the tensile stresses are most likely to occur near the rail fixing point, i.e., the point of wheel-ballast-crushed stone ballast load transmission, and in the areas from the side of the ballast face. The top ballast layer in those areas requires protection against factors that may cause deconsolidation. Stress analysis in the track subgrade shows that the tensile stresses decay in the track subgrade at the depth of 60 ÷ 80 cm.

## **3. Residual stress**


Residual stresses are considered stresses counteracting each other inside the component, which is not affected by any external loads. Internal loads are a measure of elastic strain energy stored in a specific body area and are additional component loads. Assuming a plane internal strain state of the stresses on the component surface (rail), normal and shear stresses can be defined [20], see Figure 1.

Components of plane stress state:


**Figure 1.** Components of plane stress state on rail surface [21].

The stresses on the rail surface are defined by normal stresses and tangential stresses *σ<sub>n</sub>*, *σ<sub>t</sub>*. Each component at the rail surface without load meets the following condition:

$$
\sigma\_n = 0 \quad \text{and} \quad \sigma\_t = 0
$$

For those conditions, the relation between strain and stress is as follows:

$$
\varepsilon\_z = \frac{1}{E} (\sigma\_z - \nu \sigma\_t) \tag{1}
$$

$$
\varepsilon\_t = \frac{1}{E} (\sigma\_t - \nu \sigma\_z) \tag{2}
$$

$$
\tau\_{tn} = 0 \tag{3}
$$

Residual stresses *σ<sub>z</sub>* and *σ<sub>t</sub>* can be determined based on Equations (4) and (5):

$$
\sigma\_z = \frac{E}{1 - \nu^2} \left( \varepsilon\_z + \nu \varepsilon\_t \right) \tag{4}
$$

$$
\sigma\_t = \frac{E}{1 - \nu^2} \left( \varepsilon\_t + \nu \varepsilon\_z \right) \tag{5}
$$

where *σ<sub>t</sub>* is the tangential stress, *σ<sub>z</sub>* is the normal stress, *ε<sub>t</sub>* is the tangential strain, *ε<sub>z</sub>* is the horizontal residual strain, and *ν* is the Poisson ratio.
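The following Python sketch is an added example, not the author's code. It applies Equations (4) and (5) to strain readings and checks them against Equations (1) and (2). The material constants (E = 210 GPa, ν = 0.30) and the strain readings are constructed values assumed for illustration, with E taken as Young's modulus.

```python
E_STEEL_MPA = 210_000.0  # assumed Young's modulus for rail steel, MPa
NU_STEEL = 0.30          # assumed Poisson ratio


def _check_material(E, nu):
    # Isotropic elasticity requires E > 0 and -1 < nu < 0.5,
    # which also keeps 1 - nu**2 away from zero in Equations (4)-(5).
    if E <= 0 or not -1.0 < nu < 0.5:
        raise ValueError("need E > 0 and -1 < nu < 0.5")


def strains_from_stresses(sigma_z, sigma_t, E=E_STEEL_MPA, nu=NU_STEEL):
    """Equations (1) and (2): surface strains produced by plane stresses (MPa)."""
    _check_material(E, nu)
    eps_z = (sigma_z - nu * sigma_t) / E
    eps_t = (sigma_t - nu * sigma_z) / E
    return eps_z, eps_t


def stresses_from_strains(eps_z, eps_t, E=E_STEEL_MPA, nu=NU_STEEL):
    """Equations (4) and (5): residual stresses (MPa) from measured strains."""
    _check_material(E, nu)
    k = E / (1.0 - nu ** 2)
    return k * (eps_z + nu * eps_t), k * (eps_t + nu * eps_z)


def classify(sigma):
    """Sign convention: positive stress is tensile, negative is compressive."""
    if sigma > 0:
        return "tensile"
    if sigma < 0:
        return "compressive"
    return "zero"


# Constructed strain readings (dimensionless) at three points of a rail section.
SAMPLE_STRAINS = {
    "head running surface": (9.524e-4, -2.857e-4),
    "web": (-7.143e-4, 2.143e-4),
    "constrained point": (1.0e-3, 0.0),  # tangential strain fully restrained
}


def survey(readings=SAMPLE_STRAINS):
    """Map each measurement point to (sigma_z, sigma_t, state of sigma_z)."""
    result = {}
    for point, (eps_z, eps_t) in readings.items():
        sigma_z, sigma_t = stresses_from_strains(eps_z, eps_t)
        result[point] = (sigma_z, sigma_t, classify(sigma_z))
    return result


if __name__ == "__main__":
    for point, (sz, st, state) in survey().items():
        print(f"{point:22s} sigma_z={sz:8.1f} MPa  sigma_t={st:7.1f} MPa  {state}")
```

The constrained point shows the Poisson coupling in Equation (5): with zero tangential strain, a longitudinal strain alone still produces a tangential stress of ν times the longitudinal stress.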

## **3.1. The phenomenon of residual stresses**

The residual stress arises in the case of heterogeneous plastic deformation caused by



**•** heterogeneous phase transitions

The effect of generating residual stresses in this case is more complex compared to heterogeneous cold strain. It is affected by a temperature gradient and resulting thermal stresses, including phase change processes, recrystallization, relaxation, and dependence of material properties on temperature.

For steel railway superstructure components, occurrence and change in residual stresses are due to thermal stresses and plastic strain resulting from bending and cold rolling.

Thermal stresses are a result of non-uniform phase transitions due to thermal treatment, including surface hardening, used for shaping the steel turnout components. The treatment aims to increase hardness of the surface layer of a wing rail or a switch blade.

Residual stresses in hardened steel components are due to a martensitic transformation at lower temperatures, where an overcooled austenite transforms into a martensite—a phase with lower density or other structures depending on requirements and thermal processes (hardening). The transformation of overcooled austenite can be conveniently analyzed based on an austenite decomposition graph, also called an isothermal transformation diagram (or time–temperature–transformation (TTT) diagram). If the thermal and textural stresses overlap, as is the case with steel hardening, the direction and the size of residual stresses once the temperature is even across the component cross section are determined by the offset in the transformation initiation stage in the surface area and in the core in relation to the moment the thermal stress sign reverses. In other words, the textural stresses tend to increase or reduce the thermal stresses depending on the cross section, cooling rate, and steel hardening capacity [20].

The depth of hardened layer also affects the distribution of residual stresses after hardening. Non-uniform plastic strain or temperature gradient will thus result in residual stresses. The rails and switch blades after rolling and quenching often do not meet the requirements on straightness and require straightening using special roller straighteners. Maintaining the required rail straightness is particularly important at high travel speeds. The process introduces significant longitudinal residual stresses. For rails straightened on the roller straighteners, as a result of variable strain of surfaces in contact and not in contact with the rollers, 150–300 MPa residual stresses over the running surface of a head and at the bottom of a rail foot, and –100 to 200 MPa compressive stresses at a rail web are recorded.

## **3.2. Experimental studies of residual stresses**

Residual stress values can be obtained by experiments and theoretical analysis. The methods of theoretical determination of residual stresses involve solving complex thermal, elastic, and plastic relations. The solution is complex because accurate data on the actual loads exerted on an object are lacking. The theoretical analysis of residual stresses is bound up with the elastic theory and elastic properties, plastic flow and material hardening, heat transfer, phase transitions, thermal expansion, structure, and thickness of surface layer. The complexity of processes that occur in the material during process treatment means that the results of the theoretical analysis are based on simplified models and cannot be used to evaluate the residual stress state even in components with straight geometry, so the experimental method is required. The residual stresses have been a topic of interest for researchers and scientists for several decades. Thus, various methods and techniques for measuring the residual stresses were developed. Generally, residual stress measurement methods in steel components can be divided into two categories: destructive and non-destructive methods. Destructive methods do not allow the quality of tested objects to be determined without damage, whereas non-destructive methods allow multiple tests on the same object.

The ultrasonic method used by the author to determine the residual stresses is based on the relation between ultrasonic wave velocity and stress. Ultrasonic wave velocity is determined with an accuracy of a fraction of a meter per second to measure the residual stresses with required precision. To measure the absolute values, the effects of temperature and non-uniform distribution of elastic properties and material texture on the wave velocity must be allowed for. A relatively easy and simple method is the ultrasonic measurement with the DEBRO-35 instrument. The method uses electro-acoustic effects, i.e., a relation between stress and velocity or time the ultrasonic wave requires to cover a specific distance (at the surface zone). The residual stresses are measured using a special measuring head system that records longitudinal and lateral surface waves (Figure 2).

The meter measurement circuits allow for the effect of rail temperature change on the velocity of wave propagation. The head system features a temperature sensor, providing information required for automatic compensation of the velocity of wave propagation at different temperatures.

The advantages of the method are the ability to perform non-destructive testing in field conditions, a compact and easy-to-use system, and the ability to display the measurement results. In addition, the preparation of the tested section surface does not require time-consuming operations.

#### *3.2.1. The experimental wing rail and switch blade tests*

Experimental rail section tests were performed on components subject to rolling, surface hardening and bending into wing rails used in the railway turnouts.

**Figure 2.** Special measuring head system in ultrasonic instrument DEBRO-35.


#### *3.2.1.1. The transverse bending of the switch blades and wing rails*

The specimens were bent in the steelworks manufacturing railway turnouts (former Koltram S.A., Zawadzkie); the tests involved three- and four-point bending. Figures 3–6 show the method of section bending, including the point of support and force causing the strain, as well as the cross sections used.

**Figure 3.** Three-point transverse bending of the switch blade I60 (a) and wing rail (b) sections.

**Figure 4.** Four-point transverse bending of the switch blade I60 (a) and wing rail (b) sections.

**Figure 5.** Measurement places at the circumference of rail UIC 60.

**Figure 6.** Measurement places at the circumference of rail I60.

#### *3.2.1.2. Results of residual stress measurement—bending process*

The diagrams (Figures 7–10) show examples of longitudinal stress changes at the circumference of rail and switch blades after bending processes of selected sections. The horizontal axis represents the distance from the centre of the head rolling surface (measured at the rail and switch point surface), and the vertical axis represents the longitudinal component of the residual stress.

**Figure 7.** Longitudinal stress changes at the circumference of rail UIC 60 before and after three point bending processes (section 300 mm).

**Figure 8.** Longitudinal stress changes at the circumference of rail I60 before and after three point bending processes (section 150 mm).

**Figure 9.** Longitudinal stress changes on the top surface of rail UIC 60 before and after four point bending process (section 150 mm).

**Figure 10.** Longitudinal stress changes on the top surface of rail I60 before and after four point bending process (section 0 mm).

The residual stress measurements obtained with ultrasonic testing after the bending tests show that in the case of four-point bending the distribution and size of residual stresses is more favorable and uniform compared to the three-point bending case. Numerous research works and service observations show that, from a practical point of view, the most dangerous is the maximum tensile stress *σ*max, which may accelerate the development of the cracking process and cause permanent deformation of the steel components.

## *3.2.2. Surface hardening switch blades and wing rails*


After the bending process, the switch blades and wing rails are subject to a pearlitizing process in the course of hardening the rolling surfaces. As a result of flame heating of a rolling surface to the depth of up to 20 mm, and subsequent cooling with water mist and compressed air, a fine pearlitic structure with specified hardness is obtained. The heat stream from flame heating is generated by the special nozzles (burners) installed on the surface hardening station. The temperature of heated running surface shall not exceed 673K (400°C). Figures 11 and 12 show hardening zones of steel components.

**Figure 11.** Heat treatment areas of the wing rail UIC 60 and actual frog point.

**Figure 12.** Heat treatment areas of the switch blade I60.

The diagrams presented further on (Figures 13 and 14) show examples of longitudinal stress changes at the circumference of rail and switch blade after hardening and bending processes for the selected sections.

**Figure 13.** Longitudinal stress changes at the circumference of rail I60 after heat treatment and after bending processes (section 300 mm).

**Figure 14.** Longitudinal stress changes at the circumference of rail UIC 60 after heat treatment and after bending processes (section 150 mm).

## **3.3. FEM simulation studies**

The subject of the numerical analysis in this paper is simulation of three- and four-point bending, rolling, and surface hardening processes of the section samples of UIC 60 rail and I60 switch blade. The analysis concerns strains and stresses generated in the course of the abovementioned technological operations. The main purpose of the numerical calculations is to determine residual stresses in the rail after the relief that happens after the bending and/or hardening process. A further purpose is to define the influence of different test parameters on the size and distribution of stresses. Structure models and numerical calculations were made using ABAQUS, a software package with extensive capabilities for non-linear analysis of physical issues, including mechanics of deformable solids.

## *3.3.1. The material of the model*


Figure 15 shows the experimental curve of stress *σ* vs. strain *ε* for a single axis steel tensile test (black line). Young's modulus *E* = 210.000 MPa and Poisson ratio *ν* = 0.3 were used for calculations. Point A is defined with a non-proportional elongation proof stress *σ*<sup>A</sup> = 629.7 MPa. Point A in the approximation curve divides the elastic state from the plastic–elastic state with hardening. Point B is selected at the curvilinear hardening section for stress *σ*<sup>B</sup> = 900.0 MPa. Point C is determined by the maximum stress achieved during the test, i.e., temporary strength *Rm* = 1069.0 MPa. In addition, stress and strain values for the approximation curves (red line) were determined for each of the temperatures represented in Figure 15.

**Figure 15.** Experimental material curve and its approximation *σ – ε* depending on the heating temperature.

## *3.3.2. Load and boundary conditions*

The way of support and the load application used in the experiment were replaced by ideal boundary conditions in the numerical model. The calculation process was divided into two steps: the first corresponding to the loaded state condition, and the second corresponding to the condition realized state. The way of support was defined by reduction of the specific degrees of freedom in the nodes which, corresponding to the experiment, are present in the support sections (Figure 16). During simulation of the surface hardening, the rail may show longitudinal displacement as a result of material expansion due to rolling surface heating.

**Figure 16.** Finite element models of UIC 60 (a) and I60 (b) rail with boundary conditions and loading—three and four point transverse bending.

During simulation of the rail section rolling, the roller force on the rail and the roller speed are set. The load was increased gradually (incrementally), and the system of equations was solved to determine the increment in strain, stress, and displacement. The rail was supported by two adjacent rollers at specific centers (Figure 17).

#### *3.3.3. Results of numerical analysis*

Several simulation calculations covering different variants of section bending, surface hardening, and rolling process were performed. Figures 18–21 show the results of computer simulation for UIC 60 rail and I60 switch blade models. The figures show contours of the reduced stress *σHM* and residual stress *σ*11 after relief.

Numerical calculation results shown in Figures 18–21 provided a number of interesting data in addition to the experimental tests. A location of extreme stresses around the periphery of analyzed objects may be determined based on the results obtained.


**Figure 17.** Finite element models of UIC 60 rail with boundary conditions and loading—the rolling process.

**Figure 18.** Contours of reduced stress *σHM* of the rail UIC 60 (a) and I60 (b) switch blade section after three (a) and four (b) point bending.

#### **3.4. The evaluation of residual stresses**


Use of the ultrasonic measurement method (DEBRO-35 measuring instrument) and computer simulation made it possible to develop a method to diagnose the state and distribution of residual stresses in steel components of the railway turnout (wing rails and switch blades) in the production process [15]. The method involves summation of residual stresses measured prior to treatment (bending, hardening) and stresses during simulation. The method makes it possible to assess the level and distribution of residual stresses achieved using different bending or hardening processes. Example results of diagnosing residual stresses are shown in Figures 22 and 23.

**Figure 19.** Contours of residual stress *σ*11 of the rail UIC 60 and I60 switch blade section after three (a) and four (b) point bending.

**Figure 20.** Contours of residual stress *σ*11 of rail UIC 60 after rolling process [14].

**Figure 21.** Contours of residual stress *σ*11 on the head of rail UIC 60 after heat treatment.


**Figure 22.** Comparison of measurement results of residual stress after cold bending (rail foot I60) with results summarizing stresses from the numerical analysis and measurements before bending (section 0 mm).

**Figure 23.** Comparison of measurement results of residual stress after cold bending (rail foot UIC60) with results summarizing stresses from the numerical analysis and measurements before bending (section 0 mm).

## **4. Operational research of superstructure**

#### **4.1. Experimental studies**

Using crushed stone composite in the form of a ballast bed reinforced with geogrids and local chemical stabilization of crushed stone is one of the possible answers to the question of how to improve the ballast resistance to deformation. The solution has been developed by the Division of Transport Infrastructure of the Warsaw University of Technology Faculty of the Transport (by T. Basiewicz, K. Towpik, A. Gołaszewski) [22]. The proposed crushed stone composite comprises a layer of crushed stone reinforced with a geogrid and stabilized with a polyurethane resin. The track superstructure with a crushed stone composite ensures a complex mechanical and chemical resistance of the ballast to deconsolidation. Mechanical resistance is ensured by reinforcement with at least two geogrids. The first geogrid covers the area of ballast contact with a subgrade. After the first crushed stone layer is laid and compacted, the second geogrid is placed. After the second layer of crushed stone is laid (to obtain a required thickness of ballast under the sleeper, as per standard requirements), it is compacted and supplemented to the standard shape of a stockpile. In the final stage with a dynamic surface stabilization, the structure is chemically stabilized with a special polyurethane resin by injection. Figure 24 shows the layer of ballast reinforced with the geogrid and the resin.

**Figure 24.** Track structures with crushed stone composite [13]. 1—rail UIC 60, 2—sleeper, 3—crushed stone layer with resin, 4—crushed stone layer, 5—top reinforcement (geogrid, geosynthetic), 6—bottom reinforcement (geogrid, geosynthetic)

The key purpose of the track geometry measurements for the track structures section with crushed stone composite was to evaluate the deformability of the track vs. the adjacent comparative track sections. Results of measurements, of the EM 120 measuring motor car, made during 17 trips between 2008 and 2013 were used in the evaluation of track geometry deformability. The traffic load in that period was approximately 18 Tg. Changes in the quality index result and changes in the standard deviation for vertical and horizontal track irregularities provide an indirect description of ballast bed deformation.

The values of the quality index "J" were computed as follows

$$J = \frac{S_z + S_y + S_w + 0.5\,S_e}{3.5} \tag{6}$$

where *Sz* is the standard deviation for vertical irregularities, *Sy* is the standard deviation for horizontal irregularities, *S*w is the standard deviation for track twist, and *S*e is the standard deviation for track gauge.

The studies [22] present complete test results covering the entire test period. Figures 25 and 26 show selected test results for track superstructure with crushed stone.

#### **4.2. Simulation studies**


The simulations complement the experimental tests performed at the section of "CMK" (railway central trunk line—an element of the Polish railways network). Figure 27 shows a schematic railway track model used in simulation calculations, allowing for the rigidity and attenuation of each railway superstructure component.

**Figure 25.** Values of the quality index "J" for different sections of existing subgrade (I1—section No.1 with geogrid; I2—section No.1 with geosynthetic; and I3—section No.2 with geogrid) vs. reference sector IV.

**Figure 26.** Values of standard deviation for vertical irregularities for different sections of existing subgrade (I1—section No.1 with geogrid; I2—section No.1 with geosynthetic; and I3—section No.2 with geogrid) vs. reference sector IV.

The motion of the system may be expressed by the following differential equations:

$$EI\frac{\partial^4 z_r}{\partial x^4} + m_s \frac{\partial^2 z_r}{\partial t^2} + c_{ps} \frac{\partial z_r}{\partial t} + k_{ps} z_r - k_{ps} z_s - c_{ps} \frac{\partial z_s}{\partial t} = P(t)\,\delta(x), \tag{7}$$

$$m_s \ddot{z}_s + c_s \frac{\partial z_s}{\partial t} + k_s z_s = k_{ps} (z_r - z_s) + c_{ps} \left(\frac{\partial z_s}{\partial t} - \dot{z}_s\right) \tag{8}$$

**Figure 27.** The schematic railway track model used in simulation calculations: *P*(*t*)—concentrated force; *m*—mass of elements; *EI*—bending stiffness of rail; *c*—damping; *k*—stiffness.

## *4.2.1. Model geometry— Finite element grid railway track*

The motion of the system may be expressed by the following differential equations:

 ¶¶¶ ¶ + + +-- =

*ss s s s ps r s ps s z z mz c kz k z z c z t t* ¶ ¶æ ö + + = -+ - ç ÷ ¶ ¶ è ø

4 2 ( ) ( ), *r rr <sup>s</sup> s ps ps r ps s ps z zz <sup>z</sup> EI m c k z k z c P t x x t t t*

**Figure 26.** Values of standard deviation for vertical irregularities for different sections of existing subgrade (I1—section No.1 with geogrid; I2—section No.1 with geosynthetic; and I3—section No.2 with geogrid) vs. reference sector IV.

**Figure 25.** Values of the quality index "J" for different sections of existing subgrade (I1—section No.1 with geogrid; I2

—section No.1 with geosynthetic; and I3—section No.2 with geogrid) vs. reference sector IV.

134 Railway Research - Selected Topics on Development, Safety and Technology


Structure models and numerical calculations were made using the ABAQUS software. The geometry of a numerical model is defined as a grid of nodes indicating the position and size of finite elements. Simplified numerical models of the superstructure were developed, including a single sleeper or three sleepers buried in the ballast.

Due to the complex shape of the modeled structures, apart from cuboids with six walls, additional three-dimensional components were also included: solids with a triangular base (with five walls). Square components are considered the most relevant for describing problems in which bending prevails, as they better describe stress concentration and allow a better approximation of curved shapes with a lower number of elements. Figure 28 shows FE railway track models.

For simulation purposes, the interfaces between the structure components were determined, since the development of a complete model grid with the same degree of detail is not feasible. The grids for various components may vary in size. The interface is a surface connecting two adjacent grid segments with various grid densities to maintain the model continuity (Figure 29). It enables a proper distribution of load on adjacent grids to maintain the 3D model homogeneity.

**Figure 28.** FE railway models of the reinforced surface for (a) three sleepers and (b) one sleeper.

**Figure 29.** The interfaces for (a) sleeper/ballast and (b) rail foot/sleeper interface (unilateral constraints) [23].

#### *4.2.2. Material model*


In studies on the built simulation models, the parameters of stiffness and damping elements included in the track construction (Table 1) were also taken into consideration. 


| Notation | Parameter | Value | Unit |
|---|---|---|---|
| *E*<sup>r</sup> | Elastic modulus of rail | 210,000 | MPa |
| <sup>g</sup> | Geogrid density | 0.00132 | kg/m<sup>3</sup> |

**Table 1.** The parameters of stiffness and damping elements in the track construction model

### *4.2.3. Model load and support conditions*


Means of support used in the course of testing were substituted with ideal boundary conditions in the numerical model. A static and dynamic thrust of the cylinder on the rail and the speed of cylinder rotation simulating the vehicle speed were set. The load was increased gradually (incrementally), and the system of equations was solved to determine the increment in strain, stress, and displacement. Support conditions are defined by a specific loss of degrees of freedom, preventing displacement in specific directions (Figure 30).

## *4.2.4. Results of simulation calculation*

The selected results of numerical calculations, obtained using 3D models of a reinforced railway track in different arrangements, are shown in diagrams as Huber–Mises reduced stress contours and strain maps. The Huber–Mises hypothesis of the largest shear stress and the shear strain energy hypothesis are used in the calculation of structures and machine parts with elastic–plastic materials. Figures 31 and 32 show numerical calculation results.
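For reference, the reduced stress *σ*<sub>HM</sub> plotted in these contours can be written in its standard principal-stress form. This expression is added here and does not appear in the original chapter; the principal stresses $\sigma_1, \sigma_2, \sigma_3$ are notation introduced for it:

$$\sigma_{HM} = \sqrt{\tfrac{1}{2}\left[(\sigma_1-\sigma_2)^2 + (\sigma_2-\sigma_3)^2 + (\sigma_3-\sigma_1)^2\right]}$$

Under uniaxial loading ($\sigma_2 = \sigma_3 = 0$) it reduces to $\sigma_{HM} = |\sigma_1|$, which is why a single contour value can be compared directly with a uniaxial yield limit of the material.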


**Figure 30.** (a) Finite element model of rail track with boundary conditions and loading for three sleepers and (b) one sleeper.

**Figure 31.** Contours of reduced stress *σ*<sub>HM</sub> at the end of calculation for (a) three sleepers and (b) one sleeper.

Within the course of simulation, the extreme stresses appeared at the wheel/rail interface. An increase in stress and strain is observed with the increase in the number of load cycles. The location of extreme stress values around the periphery and inside the analyzed structure may be determined based on the simulation results. The simulation calculations will be used to determine the strength properties of the suggested track substructure reinforcement at various static and dynamic loads. The advantages of the simulation include a reduced cost compared to service tests and mapping of the load in these tests, which would have taken years in operating conditions.


**Figure 32.** Contours of strain maps for (a) three sleepers and (b) one sleeper.

## **5. Duration of guaranteed functionality**


The duration of guaranteed functionality is a graphic representation of the fatigue performance of any railway track component as a function of operating load. At the initial operational stage, the slope of a strain accumulation curve for the railway track structure is close to 90° and results from the railway track stabilization (subsidence). The next stage includes operation under load until the slope of the strain accumulation curve aims to reach higher values. Based on the simulation results obtained by the author of this chapter, as well as test results [22], the author has attempted to plot the curves describing the service life of selected railway track components. Figure 33 shows test results and simulation results contributing to the plastic strain relation as a function of operating load.

The graph shows a comparison of plastic strain vs. load at the testing track section, with or without railway track reinforcement using a geogrid and a resin. A curve plotted using simulation calculations is also included, although due to a long calculation time, the simulation curve is limited to 18 Tg load. The determination of a strain accumulation curve slope requires further tests and analyses to increase the operating load and continue observations.

## **6. Development and testing of superstructure**


**Figure 33.** Theoretical model of duration of guaranteed functionality.

The track superstructure, as a basic element of the railway system, is crucial to the operation and safe management of the railway traffic. Changes in operating conditions of the railway, i.e., increased operational speeds of passenger trains up to 350 km/h or increased operational speeds of freight trains as well as increased permissible load up to 250 kN, result in higher requirements for the track superstructures. The changes result in higher forces and vibration levels exerted on the superstructure. In addition, the economic aspects will force the designers and infrastructure operators to optimize the maintenance costs. A need to reduce the costs is one of the causes of using non-standard superstructures for high-speed rail networks. High operational speeds result in high ballast wear due to increased friction between the crushed stones. Increased wear requires more frequent ballast make-up or replacement. Both standard requirements and technical specifications for interoperability (TSIs) guidelines for environmental protection, e.g., level of noise and vibrations, are also key factors in improving track superstructure.

A question can be asked: at passenger train speeds over 350 km/h, is it reasonable to use a standard ballast superstructure, or should ballast-free solutions be used? More and more often, new solutions utilizing different materials used in road engineering are also implemented in railway solutions, including geomesh, geotextile, and various polyurethane resins, which may increase the strength and durability of superstructures. It is also advisable to continue tests on fatigue effects at the rail/wheel interface and interactions between those surfaces. Incorrect mating between the railway vehicle and the rail may result in defects and damage to the running surface. Incorrect mating between the rail and the wheel may result from wheel polygonization and use of high-power trains, where an incorrect wheel slide protection (WSP) system is to prevent incorrect braking and starting. In high-speed trains, apart from the basic braking system, cleaning brake inserts are also used to remove fouling from the running surfaces of wheels and railway track rails on which the trains travel.

## **7. Conclusions**

The data presented in this section are a result of experimental and simulation tests performed by the author during 10 years of research and scientific career. The discussed issues are a subject of interest for both manufacturers and experts responsible for the condition of a track superstructure. The stresses may affect the internal energy state of the material, phase changes, and corrosion of the material, reduce fatigue strength, and cause damage to the rails. The stresses are also one of the causes of accelerated development of standard railhead defects. The presented method of residual stress evaluation using ultrasonic testing and numerical analysis in the course of the production process provides control over the size and distribution of internal stresses due to bending and hardening processes. Another area of interest was related to the track superstructure tests, in particular seeking design solutions to reduce the maintenance costs by extending the time between repairs of the track superstructure components. The optimization of the maintenance costs by using advanced solutions in the track superstructure design may be an interesting method to extend its durability. The presented test results are the inspiration to continue the research in this area and seek new solutions, e.g., optimizing maintenance costs of the railway infrastructure, and determining structure durability using simulations.

## **Author details**

Jacek Kukulski\*


Address all correspondence to: jkukul@wt.pw.edu.pl

Faculty of Transport, Warsaw University of Technology, Warsaw, Poland

## **References**


[5] Szcześniak W. Selected Aspects of Rail—Interactions in a Vehicle–Railway Track–Substructure–Subsoil. Prace naukowe Budownictwo z. 129. Warszawa, 1995r. (in Polish).

[6] Bogdański S, Olzak M, Stupnicki J. Numerical stress analysis of rail rolling contact fatigue cracks. Optics and Lasers in Engineering 27, 1997, pp. 89–100.

[7] Liu Y, Liu L, Mahadevan S. Analysis of subsurface crack propagation under rolling contact loading in railroad wheels using FEM. Engineering Fracture Mechanics, 2007, 74, pp. 2659–2674. DOI: 10.1016/j.engfracmech.2007.02.012

[8] Kaewunruen S, Remennikov AM. Dynamic flexural influence on a railway concrete sleeper in track system due to a single wheel impact. Engineering Failure Analysis, 2008, 16(3), pp. 705–712.

[9] Kaewunruen S, Remennikov AM. Nonlinear Finite Element Modelling Of Railway Prestressed Concrete Sleeper. The Tenth East Asia-Pacific Conference on Structural Engineering and Construction, August 3–5, 2005, Bankok, Thailand, Vol. 4, pp. 323–328.

[10] Kaewunruen S, Remennikov AM. Impact capacity of railway prestressed concrete sleepers. Engineering Failure Analysis, 2008, 16(5), pp. 1520–1532.

[11] ElSawwaf MA. Behavior of strip footing on geogrid-reinforced sand over a soft clay slope. Geotextiles and Geomembranes, February 2007, 25(1), pp. 50–60.

[12] Dong Y-L, Han J, Bai X-H. Numerical analysis of tensile behavior of geogrids with rectangular and triangular apertures. Geotextiles and Geomembranes, April 2011, 29(2), pp. 83–91.

[13] Kukulski J. Selected numerical calculations for reinforced track substructure at various static and dynamic loads. Proceedings of the First International Conference on Railway Technology: Research, Development and Maintenance, Civil-Comp Press, Stirlingshire, UK. DOI: 10.4203/ccp.98.146. 2012, Paper 146. ISBN 978-1-905088-52-2.

[14] Kukulski J. Distribution of residual stresses of railway superstructure steel components after the rolling processes. Przegląd Komunikacyjny 2011, z. 9–10, ISSN: 0033-22-32. Pages: 74–77 (in Polish).

[15] Kukulski J. Evaluation of residual stresses condition in components of railway surface. Conference Rail Vehicles. Kazimierz Dolny 2006 (in Polish).

[16] Leykauf G, Lechner B, Stahl W. Improved ballasted track for high-speed lines. "Rail Engineering," London, 2004.

[17] D 71 ORE: Beanspruchung des Gleises, der Bettung und des Unterbaus durch Verkehrslasten. Beanspruchung der Bettung und des Unterbaus, Utrecht, 1969, 72.

[18] Esveld C. Low maintenance ballastless track structures. Rail Engineering International Edition, 1997, 3.

