3. Data on the operation of the Prague metro and its control systems
Data on metro operations – The Prague metro is a large and very complex system. Any complex system consists of several subsystems and of the links and flows between them. From the point of view of control, subsystems can be divided into controlled and controlling. A further area is security systems, which perform safety functions, i.e. mitigate risks, or perform an important function whose failure or poor performance leads to an increase in risk or directly to an accident [4]. The Prague metro system can generally be divided into separate operational subsystems (stations, trains, infrastructure), control systems (onboard computers, dispatch control centers, communication technology) and security systems that mitigate the effects of risks (security devices, signals, automatic switches).
Figure 10 describes the relationships between control, security and controlled systems. External influences act directly on the systems and can cause internal system errors that may lead to dangerous events. For these reasons, security systems performing safety-relevant functions are installed between the control and controlled systems. They use control system inputs, identify unacceptable system faults or unacceptable external influences, and perform their function so as to bring the controlled system into a safe state, i.e. a state in which it endangers neither itself nor its surroundings.
Figure 10. Control scheme of the Prague metro system [4].
The subway control system, as well as other urban rail transport control systems, is a distributed system. Distributed systems are composed of subsystems (nodes) that perform given functions independently without being linked to others, but by connecting them other functions can be performed at higher levels. Thus, the subsystems of distributed systems perform some functions independently and other functions only after several subsystems (nodes) are connected, resulting in a complex distributed system with interdependencies [4].
Regardless of the function performed, metro subsystems can be further divided into categories:
- stationary systems – track, station and dispatch systems,
- mobile systems – trains and their equipment.
The following description of the Prague metro is based on the work [4].
3.1 Metro Praha as a controlled system
The control system of the Prague metro fulfills two basic functions – traffic and protection. The protection function reduces the impact of disasters. The traffic function is controlled from the urban transport planning center, which issues requirements in the form of timetables and traffic quality requirements. These requirements are fulfilled by the controlled systems, i.e. infrastructure (transport routes and stations), means of transport and the associated auxiliary systems.
The metro network forms the backbone of the entire public transport system in Prague. Passengers can use 61 stations on three lines A, B, and C, the length of which is approximately 65 km [4,11]. Transport is conducted on a track located in a tunnel, separated from the surrounding environment. Only in some sections in the depot area is the train running outside. The track is physically separated from the surrounding infrastructure and does not allow direct connection to other means of urban and suburban transport (suburban railway trains).
Figure 11. Prague metro – line map [11].
The technology of the controlled system consists of separate units that provide the main or supporting functions of the operation. The individual units are controlled (managed) either locally from the unit’s control panel (so-called local control) or from a remote, centralized control center. These centers are located either in the technological rooms of the stations or in the central control room of the metro. It follows from the above that the technological part includes the metro control and security systems, but for the purposes of the presented work, control and security systems are treated as separate categories [4]. Metro technological systems according to [4,72] include:
- energy devices:
  - substations and distribution transformers (metro lines are powered from several 22 kV power sources; each station also has its own UPS backup source in case of power failure; protection and control systems also have their own independent sources),
  - safety equipment (station, track and their power supply),
- communication devices:
  - communication cables,
  - VHF connection with trains,
  - automatic passenger check-in equipment,
  - industrial television (CCTV) equipment,
  - telephone equipment,
  - radio equipment,
  - clock equipment,
  - electric fire alarm,
  - electrical security signaling,
- machinery:
  - escalators in stations,
  - pumping stations in stations and interstation sections,
  - elevators in stations,
  - maintenance workshops and warehouses in stations,
- air handling equipment:
  - main ventilation,
  - station air conditioning,
- ASDŘ – automated remote control system,
- mobile machinery and equipment:
  - vehicle fleet,
  - equipment and means for cleaning waste, which include washing and sweeping carts, waste containers and a system of ladders and scaffolding for cleaning lighting equipment,
  - means of fire protection located in stations, which enable quick intervention in case of fire in underground spaces.
3.2 Protection systems
Safety devices in railway traffic, specifically in metro traffic, ensure the safe operation of trains on the track. Their main task is to reduce the realization of risks associated with excessive train speed, bad track settings (defense against train collisions) and the like. Security devices are divided into three basic groups [4]:
- station safety equipment (ATC, ATS),
- track safety devices,
- train safety devices (ATP).
The purpose of station security devices is to secure train routes in such a way as to prevent train collisions, i.e. to ensure safe passage along the selected route. The Prague metro uses the AŽD 71 relay security device adapted for metro operation. In new stations and in selected metro stations with track branches, an electronic station safety device (SZZ) of type ESA 11 M with a connection to the relay devices is used.
The ESA 11 M device installed in a station of this type is controlled either locally from the control PC, in an emergency from the emergency panel, remotely via the ASDŘ-D device in the station by an SPT worker (independent operating technician), or via the ASDŘ-D system from the train dispatcher’s workplace in the central control room. Station and track security equipment is also referred to by the English term interlocking [4].
The track safety device ensures the safe following of successive trains and excludes the movement of trains in the opposite direction on the same track. In the Prague metro, the AŽD 71 relay device and the ESA 11 M electronic device are in operation [4].
Train security devices (VZZ) ensure that the aspects of main signals and automatic block signals are received on the train, and brake the train automatically if the driver does not respond to a signal ordering a reduction of speed or a stop. In the international concept, VZZ are part of the ATC (Automatic Train Control) system, which is divided into ATP (Automatic Train Protection) and ATO (Automatic Train Operation) [4,71,73].
The trackside part of the ATP system is located in the station and on the track and sends control messages to the mobile part of the ATP on the train. The train receives the relevant data and uses the ATP unit to process and evaluate the information and perform the relevant operations. The mobile ATP unit cooperates with the ATO unit, which controls the train movement and provides so-called automatic train guidance according to the mode in which train movement is set. In fully automatic mode, the ATO unit controls starting and smooth driving.
Often the ATO unit also performs ordinary train functions, such as automatic announcements, opening and closing doors, and the like. In manual metro operation, the system performs only safety functions, such as monitoring the maximum permitted speed (given by the driving profile, reduced by the train driver or remotely by another worker through the ATP system, etc.).
Other safety functions of the system include, for example, allowing the train to pass through the station, allowing the train to leave the station, and canceling commands. It can also be used to transmit messages to the train with information about the train number or even information about timetables and the like [4,71,73]. Three VZZ systems operate in the Prague metro, i.e. LZA, ARS and MATRA [4].
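The ATP behaviour described above (trackside messages carrying the permitted speed, onboard supervision, automatic braking when the driver does not respond, and braking into the safe state when no valid message arrives), as an added simplified model that is not code from the Prague metro, from the LZA/ARS/MATRA systems or from [4]; segment limits, tick timing and the acknowledgement window are constructed values:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrackMessage:
    """Constructed trackside -> train message for one track segment."""
    segment: int
    permitted_kmh: int
    valid: bool = True  # False models a corrupted or stale message


@dataclass
class AtpOnboard:
    """Toy onboard ATP unit: supervises speed against the received profile."""
    ack_window_s: int = 3       # ticks the driver has to react to a warning
    margin_kmh: int = 5         # tolerance above the permitted speed before warning
    warning_since: Optional[int] = None
    emergency_brake: bool = False
    reason: str = ""

    def _brake(self, reason: str) -> str:
        # Emergency brake is latched: only an explicit reset would release it
        self.emergency_brake = True
        self.reason = reason
        return "brake"

    def step(self, t: int, msg: Optional[TrackMessage], speed_kmh: int,
             driver_braking: bool) -> str:
        """Process one tick; returns the action taken: 'ok', 'warn' or 'brake'."""
        if self.emergency_brake:
            return "brake"
        # Fail-safe: without a valid track message the train is brought to a stop
        if msg is None or not msg.valid:
            return self._brake("no valid track message")
        if speed_kmh <= msg.permitted_kmh + self.margin_kmh:
            self.warning_since = None
            return "ok"
        # Overspeed: warn first, brake if the driver does not react in time
        if self.warning_since is None:
            self.warning_since = t
        if driver_braking:
            self.warning_since = t  # driver responded, restart the window
            return "warn"
        if t - self.warning_since >= self.ack_window_s:
            return self._brake(
                f"overspeed {speed_kmh} km/h > {msg.permitted_kmh} km/h unanswered")
        return "warn"


def run(ticks: List[Tuple[Optional[TrackMessage], int, bool]]) -> List[str]:
    """Run a fresh ATP unit over (message, speed, driver_braking) ticks."""
    atp = AtpOnboard()
    return [atp.step(t, m, s, b) for t, (m, s, b) in enumerate(ticks)]


PROFILE_70 = TrackMessage(segment=1, permitted_kmh=70)


def scenario_responsive_driver() -> List[str]:
    """Driver exceeds 70 km/h but brakes after the warning: no emergency brake."""
    speeds = [70, 70, 80, 78, 72, 68]
    braking = [False, False, False, True, True, False]
    return run([(PROFILE_70, s, b) for s, b in zip(speeds, braking)])


def scenario_unresponsive_driver() -> List[str]:
    """Driver ignores the warning for the whole window: emergency brake latches."""
    return run([(PROFILE_70, 80, False)] * 5)


def scenario_lost_message() -> List[str]:
    """A missing trackside message is treated as a fault and brakes the train."""
    return run([(PROFILE_70, 60, False), (None, 60, False), (PROFILE_70, 60, False)])
```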
3.3 Metro Control Systems and UGTMS
The control systems of the Prague metro are called ASDŘ, which stands for automated traffic control system. From the point of view of European standards this is not an entirely accurate name, but it has been established in the operation of the Prague metro for many years. The following dispatcher workplaces exist separately for each metro line A, B and C [4]:
- ASDŘ-D of the train dispatcher (for traffic control),
- ASDŘ-E energy dispatcher,
- ASDŘ-T technological control room,
- ASDŘ-O lighting system,
- communication and security dispatch,
- fire department,
- depot dispatch with fleet management.
From the point of view of traffic control, the important system is ASDŘ-D, which provides automatic control of certain functions of technologies and security devices. For example, for the SZZ the ASDŘ-D system performs automatic route setting: based on the selected start and end of the route, it generates the sequence of commands needed to set the route [4].
Another function of ASDŘ-D is the remote control of technologies and security devices; these are safety-relevant commands that perform certain safety functions, since incorrect execution of the process can cause an accident. For example:
- an incorrect train route selection or an unauthorized or unexecuted STOP command can cause an accident, for instance a train collision with a person or a derailment,
- incorrect announcements to passengers at the station in the event of a fire or other emergency may cause panic, injury or loss of life, i.e. affect safety.
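The automatic route setting and the collision-preventing role of the interlocking described above, as an added toy model that is not code from ASDŘ-D, ESA 11 M or [4]: a route from a start to an end signal is translated into a command sequence only if every track element it needs is free and unoccupied, otherwise the whole route is refused and nothing is changed. The two-platform station layout, signal and element names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Route:
    start: str        # entry signal
    end: str          # target signal
    elements: tuple   # track sections and switches the route occupies
    switches: dict    # switch -> required position: 'N' normal, 'R' reverse


# Constructed station: section A -> switch S1 -> platform T1 or T2 -> switch S2 -> section B
ROUTES: Dict[Tuple[str, str], Route] = {
    ("Sa", "S1out"): Route("Sa", "S1out", ("A", "S1", "T1"), {"S1": "N"}),
    ("Sa", "S2out"): Route("Sa", "S2out", ("A", "S1", "T2"), {"S1": "R"}),
    ("S1out", "Sb"): Route("S1out", "Sb", ("T1", "S2", "B"), {"S2": "N"}),
    ("S2out", "Sb"): Route("S2out", "Sb", ("T2", "S2", "B"), {"S2": "R"}),
}


class Interlocking:
    def __init__(self, routes=ROUTES):
        self.routes = routes
        self.locked: Dict[str, Tuple[str, str]] = {}  # element -> route holding the lock
        self.occupied = set()                          # sections reported by track circuits
        self.signals: Dict[str, str] = {}              # signal -> 'STOP' or 'CLEAR'

    def conflicts(self, key: Tuple[str, str]) -> List[str]:
        """List every reason the route cannot be set; empty means it is safe."""
        problems = []
        for el in self.routes[key].elements:
            holder = self.locked.get(el)
            if holder is not None and holder != key:
                problems.append(f"{el} locked by route {holder[0]}->{holder[1]}")
            if el in self.occupied:
                problems.append(f"{el} occupied")
        return problems

    def set_route(self, start: str, end: str) -> Tuple[bool, List[str]]:
        """Return (True, commands) or (False, reasons). Nothing changes on refusal."""
        key = (start, end)
        if key not in self.routes:
            return False, [f"no route {start}->{end}"]
        problems = self.conflicts(key)
        if problems:
            return False, problems
        route = self.routes[key]
        # Switches first, then element locks, and the signal clears only at the end
        commands = [f"THROW {sw} {pos}" for sw, pos in route.switches.items()]
        commands += [f"LOCK {el}" for el in route.elements]
        commands.append(f"CLEAR {start}")
        for el in route.elements:
            self.locked[el] = key
        self.signals[start] = "CLEAR"
        return True, commands

    def release_route(self, start: str, end: str) -> List[str]:
        """Put the entry signal back to STOP and free the route's elements."""
        key = (start, end)
        self.signals[start] = "STOP"
        self.locked = {el: k for el, k in self.locked.items() if k != key}
        return [f"STOP {start}"] + [f"UNLOCK {el}" for el in self.routes[key].elements]
```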
In the case of future metro development and the requirement for automated operation, the requirements for the safety functions of the ASDŘ system will increase, as can be seen from the functions of the traffic control system according to the European standard EN 62290 [74], described below.
Urban Guided Transport Management and Command/Control System (UGTMS) systems are defined by the EN 62290 standard [74]. The standard is divided into three parts. The first part defines the levels of control automation, the so-called GOA (Goal Of Automation) and sets general requirements for control systems. The second part of the standard contains a list of mandatory and optional functional requirements that the UGTMS system must meet. Part three contains the security requirements for the system.
In the case of fully automated operation, without a driver or operator, the safety requirements for the system are specified in the EN 62267 standard [75].
By using the current ASDŘ control system, the operation of the Prague metro can be classified as GOA 2, i.e. semi-automated operation. Table 5 describes the basic functions of the UGTMS and the division of responsibilities between the human and the electronic system according to the established GOA.
Table 5 Levels of UGTMS automation according to [74].
Table 6 contains the requirements for the system interface, i.e. it divides the basic functions of the system according to the given degree of automation. If we define the Prague metro as a GOA 2 system according to [74], the control system must perform the basic functions that ensure the safe movement of trains and train control. Other functions may be performed by other independent subsystems. According to the EN 62290 standard, the UGTMS system (i.e. ASDŘ-D) must be able to form an interface with the subsystems listed in the standard, if they are used. Table 6 describes the interface, environment and system boundaries in accordance with the mentioned standard [74] and compares them with the real state of operation of the Prague metro; details are in [4].
Table 6 System interface requirements [4].

Table legend: Items marked in bold are used in the controlled system and are part of the control system (ASDŘ-D). Items to which the control system has dependencies are marked in italics. The crossed-out functions or subsystems are not considered for the operation of the Prague metro.

| Area | Subsystem or function |
|---|---|
| ASDŘ-D (UGTMS) | Operational control equipment |
| | Line equipment (includes point-to-point transfer between track and train) |
| | Train equipment (includes location, speed and time measurement) |
| | Data communication system (includes data communication of track equipment, communication between track equipment and train equipment) |
| Control | Central interface with staff |
| | Local interface with staff |
| | Track equipment (e.g. switches, signals and signal aspects, track circuits, axle counters, track speed control equipment, adjacent control centers, automatic stops, level crossings) |
| | Existing closures |
| | Traffic planning |
| Information systems and communication | Audio communication (e.g. communication with staff, with passengers) |
| Stations | Auxiliary equipment (e.g. elevators/escalators) |
| | Fire detection/fire protection |
| | Platform/track disturbance detection (e.g. passengers on tracks) |
| | Interface with other devices (e.g. emergency handles, emergency call devices, devices for detecting/closing unprotected space, dispatch button/train ready for departure) |
| | CCTV monitoring |
| | Information for passengers on the track |
| | Audio communication |
| Train | Doors, drive, brakes, train connecting devices (e.g. electrical inter-vehicle jumpers) |
| | Interface with train service personnel |
| | Equipment for detecting obstacles, derailments, fire/smoke |
| | Unprotected space detection, device for closing the unprotected space |
| | Door release, emergency stop handle/emergency button |
| | Interface with other devices (e.g. lighting, heating, ventilation, air conditioning (HVAC), battery) |
| | Train diagnostics (for maintenance) |
| | Condition of the train (in terms of serviceability) |
| | CCTV monitoring |
| | Information for train passengers |
| | Audio communication |
| Infrastructure | Track (e.g. broken rail detection) |
| | Tunnel ventilation (e.g. fire and smoke detection) |
| | Intrusion detection system |
| | Interface with other devices (e.g. pressure seals) |
| Traction | Traction power management |
| | High voltage circuit breaker |
| Maintenance | Maintenance system |
The functions for automatic fare collection with localization and the platform doors listed in the table are not yet installed in the Prague metro; however, in the case of further development (for example for the planned line D, which targets GOA 4), the mentioned functions and the safety measures according to EN 62267 [75] need to be considered.
3.4 Metro Control System Transmission System and UGTMS
The general description of the metro system is based on the description of the control system of the Prague metro ASDŘ [4], and the European standard for defining the functions and parameters of the control system for the control of urban rail traffic [74], i.e. the UGTMS system. From a technical point of view, the metro system can be divided into control, controlled and protection or security systems, which have mutual links and some common inputs and outputs, as mentioned above. The input of the system is information from the traffic planning process, i.e. planned timetables, service schedules and the like. The output of the system is the provision of transport performance in the required quality and in the transport mode and the reduction of the impacts of disasters in the case of the protection mode [4].
Table 7 contains the general subway system according to [4] and contains the assignment of blocks and system interfaces (technical and functional) according to UGTMS, following Figure 10, Table 6, and according to [63].
Table 7 General model of the subway system.

| Area | Input | Output |
|---|---|---|
| Control system | external influences, traffic planning, controlled METRO system | security device, controlled METRO system |
| Protection system | external influences, control system | controlled system |
| Controlled system METRO | external influences, security system, control system | control system, traffic quality and traffic performance, reducing the impact of disasters (metro protection function) |
The mentioned functions and breakdown according to UGTMS are used for high-level entry requirements for the system. However, they do not provide a detailed description of function links, parameters of individual subsystems, safety and quality requirements. The mentioned properties must always be specified according to the local requirements and conditions of related and superior systems, including links to surface transport, geological and climatic conditions, the degree of threat of all relevant disasters, etc.
Next, we will focus primarily on the requirements and features of the core of the UGTMS system, which is a critical part of the management system and its interface, i.e.:
- operational control equipment,
- track equipment (includes point transfer between track and train),
- train equipment (includes location, speed and time measurement),
- data communication system (includes data communication of track equipment with operational control equipment, communication between track equipment and train equipment).
Figure 12 describes the relationship between the theory (paragraphs 2.4.5 and 3.3), i.e. the general description of the system, and the real state according to [10].
Figure 12. System model according to EN 62290 and real state [10,63,74].
On the left side of Figure 12, the breakdown of the UGTMS system according to management level (operational planning, traffic management, train management) is shown. On the right side is the real layout of the ASDŘ-D system for traffic management of the Prague metro, i.e. the dispatching workplaces connected by a communication channel to the central nodes of the system (interfaces to other technological or business systems are also shown on this layer); the central nodes are connected by their own communication infrastructure to the station and track subsystems. Red points on the right side of Figure 11 indicate critical communication interfaces and transmission environments according to [63]. The designation Cat. 1-3 means the category of the transmission environment (system) according to the railway standard EN 50159 [76].
With a certain degree of abstraction, blocks of the UGTMS system and real elements of the ASDŘ-D control system of the Prague metro can be assigned to the classification of the cyber-physical system according to Figure 8 from paragraph 2.4.5 [63]:
- control center (Figure 8) – operational control equipment – central nodes of the ASDŘ-D system (or station control nodes),
- system (Figure 8) – track and train equipment – station systems and interfaces, track access points, train communication units, train computers,
- transmission environment A, B (Figure 8) – data communication systems – dispatch center network, network of station and track nodes, radio transmission environment.
3.5 Results of the analysis of knowledge and practice from the railway environment and metro operation
Previous works within the framework of master’s and doctoral studies are focused on:
- model cases (model subway station) [1,4,20,77,78],
- case studies [10,63],
- analyzes of the causes and consequences of railway accidents [16,43,73,79,80],
- comparison of the conformity of the standard and current practice in transport and industry with the legislation and their critical assessment [21,40,78,81-83],
- inductive and deductive analyzes [43,48,84].
The mentioned works analyzed many shortcomings and critical points of the railway system and in most cases propose specific procedural and technical measures for them. On the basis of the above results, and mainly according to the comparison of the conformity of norms and practice, it can be stated that there are fundamental shortcomings in practice:
- Top management with a proactive approach and an integral-risk approach is not properly established.
- There is a lack of interdisciplinary communication and linkage between the individual SMS layers.
- Safety requirements are not addressed comprehensively; not all priority (i.e. significant) risks may be identified.
- The All-Hazard-Approach concept is missing in all layers of safety management.
- Absence of Defense-In-Depth concept for critical objects.
- The approach to safety and security is considered separately in Czech and European legislation and does not address interdependencies that can affect security.
- Railway regulations and standards do not sufficiently address the security of railway equipment.
- Connections and flows beyond the system boundaries are not considered.
From the point of view of the management system, the following organizational vulnerabilities were identified:
- Poorly performed process analysis, poorly set processes and work instructions that do not respect modern safety management approaches.
- Insufficient organization, inflexible organizational structure.
- Ignorance of the requirements from higher layers of SMS or their misunderstanding. Insufficient interdisciplinary communication, inconsistency in terminology.
- Insufficient monitoring, confusing information about sources of system risks towards higher management levels and vice versa.
- Insufficient links between processes and roles in the project, interdependence of individual roles.
- Lack of competence in the given role, unclear definition of roles and their responsibilities, insufficient education and training.
The current legislation requires an extensive set of technical and organizational measures to mitigate the known weaknesses of the system, especially when it comes to traffic management under normal conditions or in the event of known traffic emergencies; in terms of the Defense-In-Depth approach (paragraph 2.1.7) this is secure operation in the event of deviations or in abnormal conditions. If the environmental conditions exceed the expected and known limits, for example during critical disasters, the legislative requirements and thus also the organizational capabilities of the companies begin to fail. Another aspect leading to failure is the level of enforcement of legislation (i.e. enforcement of safety).
Case studies on the management system from the perspective of cyber-physical systems further point to the following facts:
- Elements of active and passive safety are implemented only on the basis of experience, i.e. non-conceptually, without determining the criticality scales of assets and risks, without taking into account the connection with important surrounding and superior systems; from the point of view of integral security, these are clear vulnerabilities in the area of system security.
- It is not possible to ensure unlimited availability of the system due to the large number of entities participating in the operation under different environmental conditions; however, system availability can be improved by increasing information performance.
- Due to the interfaces of systems of different natures, the timeliness and validity of error reports towards users are considerably limited (systems have different requirements for confidentiality, availability and integrity of information, other principles and measures).
- Continuity of system operation is affected by system availability, that is, it also depends on information performance; each entity introduces certain uncertainties into the system that degrade the information performance, and therefore the continuity of the system actually depends on the entity with the worst information performance.
- The accuracy of the system is always more or less limited by its range, which is narrowed by low information performance, poorer securing of information assets and higher system complexity.
Based on the analysis of the causes and consequences of railway acc
- Human Machine Interface (HMI) problems.
- Problems at the interfaces of cyber-physical systems.
- Problems at the interfaces of socio-technical systems.
- Determination of responsibilities, not only between subjects, but also between processes of systems, i.e. technological works.
The above-mentioned facts, vulnerabilities and problems point to the complexity of SoS, which are characterized by their interconnectedness, i.e. interdependence. According to the knowledge presented in Chapter 2, interdependencies are by their nature physical, cyber, local and logical [6]; under abnormal and critical (over-design) conditions they lead to system losses and cause systems not to perform their functions properly and to endanger themselves and their surroundings.
Specific issues that interact and need to be considered within SMS based on the above analyzes are:
- inhomogeneities and anisotropy of systems and their environment – lead to hysteresis,
- interfaces of systems and processes (HMI, cyber-physical, socio-technical, various criticalities, etc.) – different natures of interfaces and their indeterminacy of states under certain conditions lead to failures,
- cascading phenomena – lead to escalation and higher impact of failure.