A diabolic dilemma: towards fully automated train control or a human centred design?


Proceedings of the 12th IFAC Symposium on Transportation Systems Redondo Beach, CA, USA, September 2-4, 2009

John Stoop (1, 2), John Baggen (1), Jos Vrancken (1), Jaap Vleugel (1), Wim Beukenkamp (1)
(1) Delft University of Technology, the Netherlands
(2) Lund University, School of Aviation, Sweden

ABSTRACT

ERTMS is the acronym for European Rail Traffic Management System and is the future standard for a European rail traffic management and signalling system. It enables interoperable use of the European rail network without the need to adapt onboard equipment to different national signalling and protection systems. ERTMS aims at a more dynamic use of the railway infrastructure by separating trains based on their factual behaviour and dynamic characteristics. It gradually replaces track bound detection and signalling by onboard detection. Depending on the level of sophistication it applies internal instead of external information and trajectory clearance by automatic train detection and, ultimately, integrity control and a moving block protection. A track capacity maximizing strategy under conditions of punctuality and financial incentives for private railway operators creates goal conflicts at the operational level. This may erode the safety principle of separation in time due to minimizing tracking times, and creates flow instability at the saturation points. Ultimately, train control automation may lead to driver free operations by Automatic Train Operations. Such a fundamental change in safety assurance concepts requires either a choice for an almost perfectly reliable engineering design, implementation and operational strategy, or a conceptual alternative for train control, applying a human centred design approach. This creates a diabolic dilemma for the next development phase of ERTMS train control systems, introducing a human centred design as a new approach for the Dutch HSL, the Free Ride concept.

1 PHASES IN RAILWAY CONTROL

In developing railway signalling in the Netherlands, three historical phases can be discriminated.

1.1 Manual control

In the early 19th century, the railway system was modelled after the military hierarchical organisation. A strict compliance with timetables and a scrupulous operation of signals and switches was the dominant safety concept to separate trains in time. Before technical safety fallback options were introduced, safety was dependent on self-discipline and an almost flawless human compliance with regulations. A strict command and control structure, by a labour intensive disciplining of a large number of railway employees, provided the necessary safety on the railways.

1.2 Enhanced automation

After WWII semaphore signals were replaced by light signals and station controls changed to electromagnetic relay operated systems. The Dutch railway system entered a second phase of train control by introducing a nationally designed and built ATP (Automatic Train Protection) system called ATB. The design limitations in the original version of ATB proved to be critical during 40 years of deployment, resulting in several unforeseen major accidents. These shortcomings could only recently be solved, while the ATB system as such had already been considered obsolete and not in compliance with European standards. The upgrading of this obsolete ATB system on existing lines forces the Dutch government to invest simultaneously in a new ERTMS and in improved ATB versions until a full transition to ERTMS on the existing network becomes feasible. Because the organisational concept of hierarchical decision-making remained, a strict separation was maintained between train control and train capacity management. Such a separation was necessary to avoid conflicting interests in decision making within the organisation by negotiating safety versus capacity. With the introduction of ATB, the responsibilities of the train driver did not change: the aim remained full and strict compliance with regulations, signalling and driving instructions from the traffic control centre.

1.3 Automated Train Operations

ERTMS can be considered a third phase in controlling train driver behaviour, changing this behaviour from head-up to head-down display. By using ERTMS, the driver focuses on the information presented by the control system in the cab rather than on his interpretation of the outside environment. This reduces his role to monitoring the train system and staying within prescribed braking curves, anticipating intervention in case of disruptions and deviations. Ultimately this could evolve into a driverless train system. With ERTMS the influence of the driver on the train system has decreased from a nearly autonomous master of the train to a process operator, no longer in control of the system.

978-3-902661-50-0/09/$20.00 © 2009 IFAC
10.3182/20090902-3-US-2007.0001

2 ERTMS IN THE NETHERLANDS


ERTMS is a trend shift from technical compatibility across nations towards standardisation on the main EU network corridors. The Dutch HSL is part of the Paris/London-Brussels-Cologne/Amsterdam (P/L-B/C/A) corridor. Several political choices have been made with respect to the Dutch ERTMS development:
- Innovation in Public-Private Partnerships in contracting. On arguments of cost reduction and capacity increase during operations, a full separation between infra provider and operator has been accomplished.
- The development and implementation phases are conducted concurrently instead of sequentially. A simultaneous development of standards and software components is taking place, assuming an Off the Shelf availability of components.

ERTMS is considered a pragmatic merging of two independent systems, the train control system (ETCS) and the communication system (GSM-R): ERTMS = ETCS + GSM-R. Elaboration of the third principal component, the Traffic Management Level (TML), has not been incorporated in this pragmatic development. The Dutch High Speed Line is the first of the international High Speed Train corridors to deploy ERTMS; it is deployed on the corridor Amsterdam-Antwerp in order to reduce travel times between Amsterdam and Brussels. The Dutch project team opted for a full reliance on ERTMS, instead of a railway with a fallback system for the corridor such as the proven French TVM 430. There have been several disruptions in implementation resulting in software upgrades. ERTMS version 2.2.2 proved to be cross-supplier incompatible but was deployed in the Netherlands on a contractual basis, while version 2.3.0, which was deployed in Belgium, would be the new operational standard. It was not foreseen that version 2.3.0 was not downwards compatible. Only when the Dutch and Belgian HSL ERTMS systems were joined did the software and corridor inconsistencies become apparent.

As a result of time delays and cost increases, the necessity for upgrades and migration and the expansion of the testing period was repeatedly discussed in Parliament. These discussions led to an inquiry into the ERTMS deployment strategy. ERTMS is considered the future national standard for the Dutch railway systems. To enable a doubling of capacity for half the costs, while safety performance levels remain unchanged, several feasibility studies were commissioned searching for new train operating concepts beyond the present levels of incremental reconfiguration (Van Binsbergen et al. 2008).

3 CONCEPTUAL LIMITATIONS

Fully automated control systems however have their conceptual limitations. For reasons of economy of scale, local train control centres are closed down and replaced by a few large regional or even national centres. The remote situation awareness of such a centralised system, under pressure of the need for more detailed and up-to-date traffic information and communication, increases the workload of the controllers in case of traffic flow disruptions and incident handling. Performance based punctuality demands and financial incentives in maximising track capacity initiate conflicts of interest among the business interests of various privatised stakeholders, while a trade-off between short-term economic aspects and competing long-term public values creates a 'multiple principal agent problem'. This puts train controllers in a coping situation in which the specialised functionality of their organisation makes their tasks manageable and clearly demarcates their responsibilities, eliminating competing values from their scope (Steenhuisen and Van Eeten 2008). Such conflicts will be solved by the professional expertise and experience of front line operators, but may erode standards and norms, adapting operational practice to new demands and values. Eventually, such operational practices may undermine the resilience of the organisation, introducing new implicit operating performance standards and causing a potential drift into failure (Stoop and Dekker 2007).

Automation finally has its limitations by design. With the increase in intensity, the system is loaded to its design limits. The fault tolerance in hierarchical systems decreases quadratically with intensity. At its saturation point, the traffic flow becomes unstable. At the moment of initial failure, Operator Induced Oscillation becomes possible and fault handling may cause abrupt and progressive collapse of the overall system. To avoid initiating disturbances, an even stricter control effort over the task performance of the train driver by the train control centre is required. Conflict resolution is solely allocated to the traffic controller, who is forced to communicate simultaneously with several train drivers while picturing a mental model of the actual system state, in order to provide the necessary adaptations to the clearances for the individual driver's task performance. In case of multiple faults and secondary faults, eventually a gridlock situation occurs. This requires a failsafe system breakdown and a gradual, safety critical restart of the traffic flow according to the original timetables.
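As an added illustration (not code from the paper), the script below models the separation-in-time margin whose erosion the paragraph describes: a braking-distance-based minimum headway of the kind moving block protection enforces, a simplified fixed-block equivalent, and how much of a single disturbance each following train in a platoon absorbs or passes on given the timetable slack. The train parameters, block length and safety margins are constructed assumptions, not ERTMS or HSL values.

```python
"""Separation in time and knock-on delays: an added illustration, not code
from the paper. Train parameters, block length and margins are constructed
assumptions, not ERTMS or HSL values."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Train:
    speed: float   # cruising speed, m/s
    decel: float   # service braking deceleration, m/s^2 (positive)
    length: float  # train length, m


def braking_distance(speed: float, decel: float) -> float:
    """Stopping distance from `speed` with constant deceleration: v^2 / (2a)."""
    if decel <= 0:
        raise ValueError("deceleration must be positive")
    return speed * speed / (2.0 * decel)


def min_headway_moving_block(leader: Train, follower: Train,
                             margin: float = 250.0) -> float:
    """Minimum time separation (s) under moving-block protection.

    Trains are separated on their dynamic characteristics: the follower
    must be able to stop behind the leader's rear end even if the leader
    stops instantly (absolute braking distance), so the required gap is
    the follower's braking distance plus the leader's length plus a
    safety margin. Dividing by the follower's speed gives the headway.
    """
    gap = braking_distance(follower.speed, follower.decel) + leader.length + margin
    return gap / follower.speed


def min_headway_fixed_block(follower: Train, block_length: float) -> float:
    """Minimum headway (s) under track-bound fixed-block signalling.

    Constructed simplification: track occupancy is only known per block,
    so the braking distance is rounded up to whole blocks and the block
    the leader occupies counts as fully occupied.
    """
    clear_blocks = math.ceil(braking_distance(follower.speed, follower.decel) / block_length)
    gap = (clear_blocks + 1) * block_length
    return gap / follower.speed


def capacity_per_hour(headway: float) -> float:
    """Trains per hour the line can carry at the given headway."""
    return 3600.0 / headway


def knock_on_delays(scheduled_headway: float, min_headway: float,
                    n_trains: int, initial_delay: float) -> list[float]:
    """Delay (s) of each train in a platoon after train 0 is delayed.

    Each follower must keep at least `min_headway` behind its leader, so it
    can absorb only the timetable slack (scheduled minus minimum headway)
    and passes the remainder on. Minimising tracking times drives the slack
    towards zero, and one disturbance then reaches every train.
    """
    if n_trains < 1:
        raise ValueError("n_trains must be at least 1")
    if scheduled_headway < min_headway:
        raise ValueError("timetable headway is below the safe minimum")
    slack = scheduled_headway - min_headway
    delays = [initial_delay]
    for _ in range(1, n_trains):
        delays.append(max(0.0, delays[-1] - slack))
    return delays


def trains_affected(delays: list[float]) -> int:
    """Number of trains that still carry a delay."""
    return sum(1 for d in delays if d > 0.0)


if __name__ == "__main__":
    hst = Train(speed=80.0, decel=0.5, length=200.0)  # constructed example train
    h_moving = min_headway_moving_block(hst, hst)
    h_fixed = min_headway_fixed_block(hst, block_length=1500.0)
    print(f"moving block: min headway {h_moving:.1f} s, "
          f"{capacity_per_hour(h_moving):.1f} trains/h")
    print(f"fixed block:  min headway {h_fixed:.1f} s, "
          f"{capacity_per_hour(h_fixed):.1f} trains/h")
    # Same 120 s disturbance to the first of six trains, two timetables:
    # generous slack versus tracking times pushed close to the minimum.
    for scheduled in (180.0, 90.0):
        d = knock_on_delays(scheduled, h_moving, 6, 120.0)
        print(f"headway {scheduled:.0f} s: delays {d}, "
              f"{trains_affected(d)} of 6 trains affected")
```

With the 180 s timetable the disturbance dies out after two trains; with the 90 s timetable, only 4.4 s above the safe minimum, all six trains remain delayed.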
The underlying organisational mechanisms threatening public values (such as safety) versus private business values (such as capacity and economy) can be identified as 'coping behaviour' which has evolved in order to deal with conflicting values (Steenhuisen and Van Eeten 2008). Simultaneously removing safety margins and introducing conflicting goals during operations is a process which may have unforeseen consequences at the operator level. Is it possible to design resilience into the system to cope with these consequences? Two principal strategies are applied:
- recognition of value conflicts and subsequently, a structuring of the process of communication, coordination and cooperation among all stakeholders in their decision making processes, coping between quantifiable private performance indicators and qualitative public values;
- elimination of the human involvement in disguised bad performance due to ambiguous and hybrid decision making values by developing an innovative train control system, based on modern technology and a new generation of signalling systems.

4 STRUCTURING DECISION MAKING

During the development of the High Speed Line project in the Netherlands, several unforeseen project cost increases and planning delays emerged in deploying the ERTMS system. These disruptions raised questions in Parliament, requesting clarification into the reasons for the software upgrades, the


necessary migration time and the reasonability and fairness of the testing period. The main conclusions of the investigations into the ERTMS software upgrade were:
- the two main lines in contracting out the project have indicated the necessity to create oversight only by the end of the project. This division has not led to a role for an architect or systems integrator, responsible for the integral coherence of the overall system. The pivotal role of ERTMS emerged at the end of the project, in the full scale testing phase of the integral system;
- the technological development of ERTMS was underestimated. A continuous tension existed between incremental technological progress on one hand and the ambitions of innovative ERTMS and public-private partnership arrangements on the other hand. In particular the consequences of several technological design decisions have not been foreseen.

Several Points of No Return in the design process have been passed without oversight of their consequences:
- a choice for a new signalling system which was not yet operational at the time was not compensated for by a qualified fallback option such as the TVM 430 signalling system for the French TGV or the similar Dutch ATB-NG system. Since then, other major projects such as the quadrupling of Amsterdam-Utrecht and other new lines do have such a fallback option;
- the choice for an innovative ERTMS system in the Netherlands, resulting in a system leap in signalling technology, was not in harmony with the more incremental process and evolutionary development of the Belgian signalling system on the same High Speed Corridor Amsterdam-Paris;
- a contractually based testing and deployment of ERTMS version 2.2.2 on the Dutch part took place while version 2.3.0 became the new standard and was implemented on the Belgian part, causing unnecessary complications, costs and delays;
- developing ERTMS was considered a conventional technical engineering effort, enabled by a decomposition of the system components into autonomous position finding and communication subsystems. Each consortium was assumed to be able to deliver these components 'Off the Shelf' as proven technology. Software architecture on the Traffic Management Level does not yet exist, while system integration in the testing phase was under pressure of earlier delays and strict time planning;
- no precautionary measures were taken to assure a smooth and efficient frequent upgrade of the signalling software during its operational phase, whereas it remained unclear how this upgrade will be accomplished.

5 TOWARDS FULL AUTOMATION?

The discussion on full automation originates from the beginning of the process industry. Safety experts in the rapidly developing process industry wondered whether the sector needed a new safety approach, which should differ from more conventional sectors. The process industry shifted to a design concept in which humans are fallible factors, to be eliminated from the system by automation. Their remaining role is restricted to complying with rules imposed by management. There is no room for the operator in taking critical decisions. Learning in practice is replaced by modelling and by a centralised assessment of all interests by a single party: the corporate management. This full automation based design doctrine has become the role model for modern safety management. In this transition towards volume increase and process control, the process industry developed the concept of full automation and continuous production, replacing the earlier batch processes with their manual process control. Business continuity would only be interrupted due to changes in production and maintenance.

Transport processes however are fundamentally different. Instead of a fixed, isolated production site with hierarchical management and a centralised process control, a globally and permanently available network supplies open access in time and place for autonomous users, each with their specific demands regarding service provision, origins and destinations, in a random process of departures and arrivals. Such differences have a major impact on the role of the human operator in controlling vehicles and traffic flows. Consequently, rail transport systems have to apply different design principles for traffic process management and vehicle control. The control system supports the operator: it is a human centred design with delegated responsibilities. There is a strict separation between capacity management and traffic control: it is a distributed responsibility.

The delegated responsibility. To prevent accidents and incidents, vehicles are separated in time and space. This creates a double redundancy. Timetables, signalling systems and in-vehicle automatic control equipment assure this separation and support the observations and decisions of the drivers. These principles are under pressure. To maximize the availability of capacity and interconnectivity of the network, a maximum traffic density is desirable, infringing on the principle of separation in time and space. ICT applications offer opportunities for a rapid reconfiguration in capacity management and traffic process control. Dynamic control opens up the opportunity for maximizing punctuality and minimizing tracking times. Consequently, separation in space is also under pressure, because these new technologies create the possibility of moving blocks, depending on the dynamic behaviour and characteristics of successive trains. Creating capacity without enlarging the physical size of the infrastructure also puts high reliability demands on technology and requires good faith of the operator in the supporting technology in case of 'beyond design' situations.

The distributed responsibility. In addition to this delegated responsibility there is another safety principle at a higher systems level, a distributed responsibility. Traffic management is separated from traffic control. This separation is introduced in order to prevent a conflict of interest in a situation where one individual or authority is responsible for balancing safety versus economy. The increase of ICT opportunities for dynamic adaptation also puts this principle under pressure. Full automation eliminates both operator and traffic controller, replacing them by computers, in which a black box defines what experience and expertise should be canned into computer algorithms, complying with predefined rules and procedures. Such a view captures any technological development at a rule-based level of decision-making. This


leaves the knowledge-based level of decision making solely to the responsibility of managers and governance. Full automation however leaves non-routine situations which cannot be anticipated in the design of the operations. They will emerge as unforeseen properties when the system has to perform under pressure, the so-called 'normal accidents' (Perrow 1984). Feedback from practical experience enables transport systems to develop into Non Plus Ultra systems: systems that could not be outrivaled because practical experiences are rapidly incorporated in adapted operations. The erosion of both delegated and distributed responsibilities leads to so-called 'sacrificial decision-making'. Risk decision-making is reduced to a single actor issue. If such safety critical decisions are not explicitly countered in the conceptual design phase of technology and organisations and assessed at an institutional level, catastrophic consequences may occur in practice.

6 A THIRD PHASE IN TRAIN CONTROL

6.1 Introduction

This systems engineering potential has been demonstrated in a feasibility study into the deployment of a new railway concept beyond the boundaries of present railway configurations. It aims at doubling the number of trains for half the costs per passenger kilometre, maintaining present safety performance levels. Regarding the train control functionality, a new Free Ride concept was developed in analogy with the Free Flight concept in aviation (Van Binsbergen et al. 2008). Instead of the full automation paradigm, a human centred design approach is applied. Four innovations are required for the Free Ride concept:
- transfer of responsibilities from traffic control towards the train driver from the perspective of delegated and distributed responsibility, and a transfer from a track-bound control to a vehicle-bound control strategy;
- Business Model Driven Engineering, Functional Request Specifications, Use Cases and elaboration of a Traffic Management Level in the ERTMS software architecture;
- replacing hierarchical planning of capacity by a dynamic allocation and interactive management of disruptions, adding resilience to the organisational design;
- certification and validation at an integral systems level, replacing a repetitive upgrade and migration of component certification at a modular level.

The Free Ride concept eliminates the conflict of interest between safety and control by applying a performance based local control strategy instead of a centralised compliance based approach, restricting incident management and handling to the local level of the network (Van Binsbergen et al. 2008). Such a concept allocates the incident handling responsibilities and control options to the local level, which can only be overruled by a centralised control to avoid a network gridlock system state.

As prerequisites for a reliable and robust transition towards enhanced automation and human centred design, the following transition requirements are emerging:
- rejection of full automation as the ultimate resolution for dynamic traffic capacity management, replaced by a human centred distributed and delegated design;
- harmonization of the interoperability demands should be settled at a European level of testing and certification;
- application of a life-cycle approach in the upgrading of software, modification of configurations and training of operators to provide the feasibility of a continuous adaptation to new demands and operational conditions;
- such a continuous adaptation capability should not be restricted to the technological development, but should also incorporate organizational resilience in assessing and balancing safety information values during tactical and operational control decisions, ecological Driver-Machine Interface design and Safety Integrity Level assured certification of safety critical components.

In order to assess safety proactively in a next generation of high speed train control systems, several aspects should be incorporated in the design to facilitate task design and training requirements:
- the definition and allocation of functions, identification of inherent operator tasks and their physical parameters to be controlled by measurable performance indicators;
- the simulation and feedback to the design processes of the systems performance at various phases of the development, based on a good theoretical basis and adequate modelling;
- assessment of the information value with respect to information processing and decision making in its operational contexts, by establishing operating envelopes;
- identification of dynamic local control requirements in a nested control loop configuration. Because low action frequency rates and time delays at higher control loop levels induce inherent instability effects on the actual performance levels, such local control should be allocated as low as feasible;
- the discrepancy between intended outcomes and actual outcomes of any control actions creates a confidence issue for the operator. Anticipated results indicate an option for the introduction of self-learning software, based on best actions to the operator in each phase and situation, in order to create a dynamic anticipation of future system states. Such anticipation calls for an ecological design of the operator's working environment and requires transition management from research to the design of control devices (Van Dam, Mulder & Van Paassen 2006).

6.2 Four innovations

The Man-Machine Interfacing

Introducing a next generation of control strategies for the transport sector is accompanied by challenges in the man-machine interfacing. Such challenges should be based on a proactive task analysis and simulation (Sheridan 2006). For the human part of the ETCS system, the processing of information in automated systems adds a cognitive component in the control change concept from rule based compliance towards knowledge based control strategies (Van Dam, Mulder & Van Paassen 2006). This cognitive component becomes critical when the planned transfer of train control from infrastructure towards the vehicle is implemented in the level 3 phase of the ERTMS development. At the level 3 phase, a similarity with the free flight concept in aviation emerges. The concept of user preferred trajectories becomes inevitable in combining the


freedom to select spatial separation and tactical planning of efficient conflict-free trajectories. This concept requires a visualization of workspace affordances, introducing the novel interface of a State Vector Envelope. Identification of such an Envelope becomes necessary in order to handle conflict understanding and situation awareness, to visualize on the display the anticipated manoeuvre intentions and to analyze the driver's problem solving abilities in exceptional situations. There are neither standards nor certification criteria for such a human centred design yet.

Traffic management software design

The application of business networking and embedded service networks linked to high speed railway developments has had its impact on business processes and ICT applications. In a networked business environment, much attention has to be paid to the flexibility towards a timely and rapid adaptation of the network to new demands and changes in the configuration. In service software architecture, business processes and business rules play a central role. The process flow which is used to determine the sequence and execution of activities is normally specified beforehand by rigid process modelling. This limits the flexibility of the processes and creates a difficult, time-consuming and costly incorporation of changes in the process. By identifying points of variation, change sections can be isolated from the stable parts of the process, enabling an easier incorporation of these changes (Van Eijndhoven 2008). Business rules can be expressed in near natural language, providing an easy transition from requirements to specifications and allowing a faster implementation of changes. Although this software design approach has not yet been applied on a large scale in transport systems, it provides perspectives for flexibility and dynamic control (Van Eijndhoven 2008).

Organisational design by Resilience Engineering

In order to solve conflicts of interest between safety and capacity at a higher systems level, a new managerial arrangement is required. In analogy with a Harbour Master and an Airport Master, a Rail Master is allocated the strategic safety responsibility for dealing with all system performance requirements such as capacity, economy, environment and energy. Finally, a new international, sectorial entity is required in order to assess safety at an integral systems level with respect to systems integration of track, rolling stock, safety assurance and systems certification.

Rather than speaking in terms of events with an undesired or unforeseen consequence, due to which a substandard safety performance of a system is caused by a failure of a component or process, safety can be considered a normal consequence of performance variability. Safety should be achieved by controlling this variability rather than constraining it (Hollnagel 2008). Hollnagel defines resilience as the ability of a system to effectively adjust its functioning prior to or following changes and disturbances, so that it can continue its functioning after disruption or mishap, while in the presence of continuous stresses. Therefore systems should be able to cope with responses to the actual, critical, potential and factual situations. A transparency in various stable and unstable system states should be available, supported by the ability to predict, plan and produce. In order to achieve resilience in the system, can we restrict ourselves to a lower systems level of a single agent and the organisational level of an in-company environment, recovering from an undefined threat to its functioning and accepting sacrificial losses? Resilience engineering has the potential of offering opportunities in solving complex problems by taking into account the dynamics, multidisciplinarity and complexity at the overall systems level. This requires reflection on the systems architecture. A transition into various systems states becomes feasible in applying chaos and complexity theory to the concept of systems control and a re-introduction of the conceptual design phase in system change (Bertuglia 2005, Hendriksen 2008).

International certification of railway systems

Historically, safety assessment of the integral railway system was a delegated responsibility with respect to testing and certification, conducted along the lines of incremental development and implementation. This close cooperation with a leading role for the national industry required neither a European harmonization of standards nor a safety assessment by an independent certification body. Before the 1990s, standardization was a consensus based expert judgment between working groups of technical experts in the railway industry. Today, safety has become a European standardization issue envisaging independent assessment of required (and preferably quantifiable) performance levels. Within the EU, three layers of certification exist (Kazatsay 2005):
- the European Directive 96/48/EC on interoperability, defined at a general level for the whole system;
- the level of a mandatory compliance with design standards, formulated as a complex set of Technical Specifications for Interoperability (TSI) defining critical constituents and interfaces for each sub-system;
- implementation of these TSIs as European specifications at the national level on a voluntary basis.

There is no single notified body at the European level with testing and certification authority. The newly established European Railway Agency (ERA) is in its first phases of implementation. There are no safety integrity levels established for train control systems complying with the EU Directive 2004/49/EC (Ceccarelli et al. 2008). For the HSL-South Corridor, a trial and error series of software versions has evolved. The final HSL-South 2.3.0.C software version was the merging product of the industrial UNISIG 2.2.2 software development and the Dutch-Belgian governmental Opvolgingscommissie 2.2.2 version negotiations, in which the 'C' additionally indicates the HSL-South Corridor specific application of the generic 2.3.0 version (Stoop et al. 2007). Apart from the GSM-R communication component of ETCS, only the EVC (European Vital Component) machine part of the train control system is submitted to SIL level 4 certification requirements. The DMI (Driver Machine Interface) wireless upgradeable component is not considered safety critical, despite its function as an information sink and command source for the driver and control system. Industrial versions of the DMI with self-diagnosing and automatic restart capabilities are not yet available on the market. A European project to


satisfy the demands for a redundant architecture and a rigorous development process has just started (Ceccarelli et al. 2008). At present, an EU certification regime that facilitates innovative and conceptual change at the level of Automated Train Operations does not yet exist.

7 CONCLUSIONS

In assessing the safety of the ERTMS system development, three principal conclusions can be drawn:
- High Speed Line train signalling and control design has initially not been seen in the Netherlands as a system-critical design aspect but as a standard technology which could be bought 'Off the Shelf'. However, software design concepts, system architecture, organisational and institutional arrangements and international system certification are critical success factors;
- There is a dilemma in conceptual choices for either conventional extrapolation towards full automation or innovative human centred design. Shifting from a technological perspective in systems development towards social engineering is not sufficient. There is a need to integrate all design dimensions across the various system life phases and levels. There is a need for a railway architect and system integrator;
- A choice for a human centred design train control strategy implies four critical innovations, which each define scientific as well as design challenges: man-machine interfacing, traffic management software design, resilient organisational design and international certification.

The eventual transition from level 2 towards level 3 might provide some redundancy and time to reflect on the dilemma between automation and human centred control strategies.

REFERENCES

Bertuglia & Vaio (2005). Non-linearity, Chaos and Complexity. Second edition, Oxford University Press, Oxford.
Ceccarelli et al. (2008). A resilient SIL2 Driver Machine Interface for Train Control Systems. Third International Conference on Dependability of Computer Systems DepCoS-RELCOMEX 2008.
Hendriksen (2008). Feasibility of the Complexity theory in learning from Naval Disasters. Delft University of Technology, 2008.
Hollnagel (2008). Remaining Sensitive to the Possibility of Failure. Ashgate Studies in Resilience Engineering.
Kazatsay (2005). European Standardization Bodies as a catalyst in creating an integrated European railway system. CEN conference, The Future of Railway Standards in Europe. Lille, 14 November 2005.
Steenhuisen and Van Eeten (2008). Invisible Trade-Offs of Public Values: Inside Dutch Railways. Public Money & Management, pp. 147-152, June 2008.
Stoop and Dekker (2007). Are safety investigations proactive? 33rd ESReDA seminar Future Challenges of Accident Investigation. Ispra, Italy, November 13-14, 2007.
Stoop et al. (2007). HSL safety signalling system ERTMS. An independent investigation into the usefulness of adapting the ERTMS safety signalling system. Commissioned by the Research and Verification Department of the Dutch Parliament. Delft University of Technology, 23 May 2007 (in Dutch with English summary).
Van Binsbergen, Van Eeghen, Polinder, Stoop, Wiegmans and Zigterman (2008). Quick-scan Double Rail. TRAIL Research School, Delft University of Technology, June 2008.
Van Dam, Mulder, Van Paassen (2006). Ecological Interface Design of a Tactical Airborne Separation Assistance Tool. IEEE Transactions on Systems, Man, and Cybernetics. In press.
Van Eijndhoven (2008). Increasing flexibility by combining business processes with business rules. TNO Information and Communication Technology.

Fig 1 Free Ride traffic control diagram (figure not reproduced; block labels: Transport scenario, Business Model, Maintenance, Traffic Management Model, Incident analysis, Free Ride Module, Traffic environment (Junction, Station, Track, Traction, Surrounding vehicles), Feedback learning, Conflict detection, Conflict identification, Conflict resolution, Central static capacity management, Dynamic traffic control, Ecologic interface, Vehicle Status Module, Actual vehicle control interactive cooperation, Train Control Unit)