Collision-free Railways

Our country's Anti-Collision Devices network with each other and form an intelligent safety layer that protects railway staff as well as passengers from dangerous collisions and from washouts in floods. A more positive and aggressive implementation is needed in the public interest.

Location: Hyderabad, Andhra Pradesh, India / Herndon, VA, USA

Fellow of the National Academy of Engineering; Fellow of the Institution of Engineers; M.Tech.; Indian Railway Service of Engineers (1970-2005); former MD, Konkan Railway Corporation

Thursday, December 08, 2005

Raksha Kavach vs CENELEC

Raksha Kavach vs CENELEC standards: an appreciation by the inventor and mentor

  • The advent of the ACD has opened a new chapter of introspection into Indian Railways' perspective on, and understanding of, safety.

  • The CENELEC standards and their Safety Integrity Levels, if not understood in proper perspective, can do more harm than good to a railway's financial health. The European railways evolved the standards to create a level playing field for all manufacturers, with pre-designed acceptable/tolerable hazard levels that set the level of quality assurance procedures required.

  • First, one should remember the heavy investments already made over the years in signalling systems, which are designed to prevent various kinds of accident and are safety critical. One cannot replace them overnight, nor is it necessary. The number of dangerous accidents involving heavy loss of life, which happen when one passenger train collides with another, prompted Konkan Railway to seek and design a cost-effective solution without replacing the existing expensive signalling systems, which have substantial residual life and work satisfactorily most of the time.

  • The ACD was innovated as an additional layer with the prime object of preventing dangerous collision-type accidents involving loss of life. It is not a "signalling" system, and hence does not require the application of rigid railway-specific standards; in signal engineers' technical terms it falls in the "not safety critical" category, which makes it more economical to manufacture using mass-produced, commercially widely used equipment and components.

  • Whenever we make our requirements too specialised, we are forced to pay higher rates because of low production volumes. Unlike commercial fast-moving electronic goods, where prices fall with volume, special-purpose instrument-grade electronics do not fall in unit price, because volumes are low and the goods are not fast moving. A manufacturer starts production only against a firm order. To control prices as well as assure quality, one needs loyalty-based long-term relationships with indicated volumes and promised delivery schedules.

  • Technology development is intellectually challenging, and technological breakthroughs through innovation quite often create products which cannot be covered by existing standards. By nature, standards evolve with a view to developed, commercially stabilised products, in order to ensure uniformity of quality. So technology breakthroughs may actually lead and standards lag.

  • Knowledge-embedded devices are the new generation of technology development: intelligence is built into distributed devices that have enough knowledge and analysing capacity to inter-communicate, compare each other's decisions and act on concurrence. Such innovation requires different standards to be evolved.

  • CENELEC standards are not meant to be the secret knowledge of any single group or department; all manufacturers and persons dealing with railway safety should have a basic understanding of the standards, so that informed administrative decisions may be taken after due diligence. Otherwise administrations may end up taking needless and financially destructive decisions out of hype created by inappropriate application of the standards.

  • Ultimately it is the definition of the acceptable or tolerable hazard rate for a function that decides the process. Note that it is a rate (hazardous events per unit of operating time), not just a probability.

  • If a system already exists with a certain defined hazard rate, any addition to it can be designed by first agreeing on how much we want to reduce that hazard rate; from this, the required hazard rate for the new system, for the specified function, can be derived. For the targeted rate, the levels of manufacturing process and software control are detailed in CENELEC in terms of SIL numbers.

  • Systems added as supplements, which give no indication to the operating/running staff and have no signal functions to guide them, get classified as non-signal and "non-safety" systems. That is the terminology of the signalling group. But any system which acts to shift an operating system to a relatively safer mode, without giving any signals that override or replace the existing system, does fill gaps, and safety against collision can be improved. So safety is improved in the sense that the hazard rate is reduced, even though the system is technically "non-vital" and "non-safety"; in colloquial terms it is a safety device, because it actually prevents collisions.

  • Two out of two computers must agree for the trains to be allowed to move normally, but if even one of them finds an unusual situation it can initiate action to bring the system automatically to a safer mode, reducing speed and stopping the trains short of one another. This in fact makes it a much more powerful system than is being claimed now. When we network the units and introduce logical checks and balances, we still give no indications to the drivers or station masters. They continue to depend only on the existing signal and control systems, and the new system, being totally free from any inputs from the running staff, creates a silent Raksha Kavach that just watches and acts only if a collision-type situation arises. The entire process runs in the background and does not involve staff; no human element is involved.

  • Any failure of Raksha Kavach is such that it shall never give any kind of misleading information to the driver or to the station master, nor any clearance or authorisation of any type to act.

  • Any possible complacency factor is avoided by remaining totally silent and not prompting the driver to do anything on a regular basis. It is more in the nature of insurance for the driver: the knowledge that his safety while running is assured when unforeseen factors beyond his comprehension, and not covered by the existing signals, occur, and that the Raksha Kavach stands by him most of the time.

  • In the world there is nothing "deterministic", as some people tend to use the word in contrast to "probability-based" systems. In fact one can only talk in terms of acceptable hazard rates, that is, the rate of arriving at a hazardous decision. It is not about failure of the system; it is about giving a wrong and misleading indication, which is what the European standards laid down in CENELEC seek to minimise.

  • Redundancy in processes and equipment, alternate paths for information integrity, and concurrence of more than one process and decision-making system all add up to eliminating a wrong decision from the system.

  • Keeping the future road map for the ACDs in view, the first version need not be more than SIL 0 in terms of control over the manufacturing processes, but because of its design and system configuration it is able to achieve functionality generally assigned to SIL 4. This is the amazing breakthrough that keeps down the costs for the focused goal of simply avoiding collisions and loss of life.

  • It is like a number of simple thinking units, each individually fallible and not too reliable, which when networked make the probability of two or three of them failing simultaneously remote. Suppose the probability of a hazardous decision in one unit is q; then the probability of both of them simultaneously agreeing on a wrong result is q² (assuming the two units fail independently of each other). Going back to the Panchatantra: a large number of ants, each individually too weak and not as capable as a snake one to one, can, when they group together, prevail over the superior snake.

  • Each ACD may not be as sturdy as robust SIL 4 standard computerised equipment with a hazard risk rate of 10⁻¹², but even with 10⁻⁶ for each unit, once we insist that both must agree before committing a hazardous result, the pair becomes equivalent to a single system of very high reliability (10⁻⁶ × 10⁻⁶ = 10⁻¹²).

  • In the case of the ACD network, intelligence is distributed and more than one thinking unit has to agree before the operation is allowed to continue; otherwise the units act to forcibly shift the operation to a safer mode.

  • If the system is upgraded to include train control in a positive manner, by giving indications and granting authorisations, then the upgrade path will be to adopt the methods that ensure the laid-down tolerable hazard rate for that purpose, because the existing signal and train control system will then be replaced.

  • Another question that crops up is whether, at SIL 0, no quality assurance is needed at all. That is not so. The processes follow almost the same pattern, except that the level of reliability required is not as severe as it would be for a signalling system.

  • In terms of reliability of information inputs, the improvements in ACD design since the Amritsar trials are:

  • In addition to GPS inputs, tachometer inputs supplement them to cover for GPS shadows (stretches where no satellite fix is available).

  • Dual GPS receivers improve the sampling rate over the points-and-crossings zone, further improving the accuracy of the deviation count (DC) profile.

  • Use of VxWorks, a reliable real-time operating system, in place of the DOS used in the Amritsar trials.

  • Instead of the complicated software used to detect reversals of DMUs, conversion of a loco into a banking loco, a trailing loco in a double-heading case, etc., the mechanical devices used to achieve these functions are now interlocked electronically to the ACD, which eliminates a number of logical errors that occurred in the Amritsar trials.

  • More than 500 test cases devised by the ETDC will be completed for the software, with certification for quality assurance and with independent assessors of the standing of the internationally reputed TUV of Germany.

  • An incubation period of 90 days, yielding data, will be used to correct shortcomings, if any, in the GPS/radio/deviation-count profiling, and the identification of DZs (i.e., stations where the deviation count has not worked, or junction stations too large for it, so that exit track IDs are given by the station ID) will get corrected.

  • Additionally, the ACD Advisory Council of Konkan Railway, chaired by the Head of Reliability Assessment for the space programme of ISRO, along with expert members in communication, reliability and electronic equipment testing, will continue to monitor the development process.

  • A difference in appreciation between the European and Indian viewpoints helps in deciding certain issues:

  • With reference to giving warnings to road users: the possible complacency factor introduced to road users, who, when the system does not function, may assume it is safe and neglect their own precautions while crossing an unmanned gate, is a situation not allowed in Europe, as much because of the legal implications of damages. So they give no indications and let the road user fend for himself.

  • In India we have a choice: we may give indications to road users, with a disclaimer board stating that the absence of a danger warning does not mean it is safe; the warning signs are only there to assist, and road users are warned not to become complacent.

  • Alternatively, introduce one fail-safe relay device at the interface with the warning device, which could be a simple road signal that remains yellow always but turns red in case of equipment failure or on the approach of a train. The warning board can continue.

  • Whether we adopt this or not is a conscientious decision, a matter of the tolerable hazard risk rate we are comfortable with: whether a value of 10⁻⁶ is adequate for our conditions. In my opinion the European concept of not adopting even 99.99% protection, for fear of being held responsible for the 10⁻³ or 10⁻⁶ failure case, seems not too logical.

  • Ultimately every railway administration has to decide the acceptable rate of tolerable hazard risk versus social costs. Any step we take should improve on existing levels. The Raksha Kavach causes a quantum jump in the safety level of any signalled system, "almost" eliminating dangerous life-losing collisions.
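The hazard arithmetic behind the two-out-of-two argument above (both units must agree before a hazardous result is committed, so 10⁻⁶ per unit becomes 10⁻¹² for the pair) and the "decide how much to reduce the hazard rate" step can be made explicit in a few lines. The following is an added example written for this page; it is not code from the ACD/Raksha Kavach project. It assumes q is a per-unit probability of a hazardous decision and that the n units fail independently, which is exactly what the q² figure requires; the optional common-cause fraction `beta` (a beta-factor model) and the `required_layer_failure_probability` helper are assumptions added here to show what happens when that independence does not hold.

```python
"""Hazard arithmetic for the n-out-of-n agreement rule discussed in the post.

Added example, not code from the ACD / Raksha Kavach project.  Assumptions:
  - q is each unit's probability of a hazardous decision (per demand);
  - a hazardous system output needs all n units to concur on the wrong
    result (the post's 2-out-of-2 rule, n = 2);
  - beta is the fraction of each unit's hazardous failures that is
    common-cause (shared GPS loss, shared power, identical software defect)
    and therefore strikes every unit at once.  beta = 0 reproduces the
    post's q ** n; the beta-factor model itself is an assumption added here.
"""


def n_oo_n_hazard(q: float, n: int = 2, beta: float = 0.0) -> float:
    """Probability that all n units concur on a hazardous result."""
    if not 0.0 <= q <= 1.0 or not 0.0 <= beta <= 1.0 or n < 1:
        raise ValueError("q and beta must lie in [0, 1]; n must be >= 1")
    common = beta * q                        # hits all units together
    independent = ((1.0 - beta) * q) ** n    # every unit fails on its own
    return common + independent


def required_unit_hazard(target: float, n: int = 2) -> float:
    """Largest per-unit q for which n independent agreeing units meet `target`."""
    if not 0.0 < target <= 1.0 or n < 1:
        raise ValueError("target must lie in (0, 1]; n must be >= 1")
    return target ** (1.0 / n)


def max_common_cause_fraction(q: float, target: float, n: int = 2) -> float:
    """Largest beta for which n units of quality q still meet `target`.

    Bisects on beta; the hazard is monotonic in beta for realistic q because
    the common-cause term beta*q dominates the independent term.
    """
    if n_oo_n_hazard(q, n, 0.0) > target:
        raise ValueError("even fully independent units cannot meet the target")
    if n_oo_n_hazard(q, n, 1.0) <= target:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if n_oo_n_hazard(q, n, mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def required_layer_failure_probability(existing_rate: float,
                                       target_rate: float) -> float:
    """Failure-on-demand budget for an added protective layer.

    Assumption (added here, following the post's 'agree how much to reduce
    the hazard rate' step): a hazard the existing signalling lets through is
    only realised if the added layer also fails to act, independently, so
    target = existing * pfd and the layer may fail at most target/existing.
    """
    if existing_rate <= 0.0 or target_rate <= 0.0 or target_rate > existing_rate:
        raise ValueError("need 0 < target_rate <= existing_rate")
    return target_rate / existing_rate


if __name__ == "__main__":
    q = 1e-6                                   # the post's per-unit figure
    print(f"two independent units agreeing wrongly: {n_oo_n_hazard(q):.3g}")
    for beta in (0.0, 1e-4, 1e-2):             # constructed common-cause fractions
        print(f"  beta={beta:g}: {n_oo_n_hazard(q, beta=beta):.3g}")
    print(f"max beta to hold 1e-9 with q=1e-6: "
          f"{max_common_cause_fraction(q, 1e-9):.3g}")
    print(f"per-unit q needed for 1e-12 with 2 units: "
          f"{required_unit_hazard(1e-12):.3g}")
    print(f"layer PFD budget for a 100x reduction: "
          f"{required_layer_failure_probability(1e-6, 1e-8):.3g}")
```

The numbers make the practitioner's caveat concrete: with beta = 0 the pair reaches the post's 10⁻¹², but a common-cause share of just 1% lifts the figure to about 10⁻⁸, and holding even 10⁻⁹ requires beta below roughly 10⁻³. The q² argument therefore stands or falls on how independent the two units really are (separate receivers, power, clocks and, ideally, diverse software), not on the units' individual quality alone.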
B. Rajaram


Blogger gvb said...

Dear Rajaram,

Non-systematic faults are the major culprits in system failures, and at the same time they bring reliability levels down.

I could not understand how your development or design process protects systems in that direction.

I am very much interested to know!!

3:10 AM  
Blogger Engr. B. Rajaram; Inventor ACD/Skybus said...

Dear Shri GVB,

I could not see your profile. Well, one major factor for non-systemic failure is the human element in the chain of the decision-making process, which I removed in the operation mode of the network. At the time of installation, a number of standard practices for eliminating human errors are in place, and further a scheme of an incubation period spread over 3 months exposes any possible deficiencies in the quality of the route survey and radio survey from the logs of the ACDs, thus affording correction. Only then is commissioning permitted; once commissioned there are no human inputs at any stage for the successful functioning of the system, and any failure of a unit is designed to cause automatic deterioration in operational efficiency, drawing management notice to correct it by component exchange.
Hope I am able to answer your question satisfactorily; more questioning is welcome to improve my work further, please.
Regret the delayed reply, as I did not access my blog for quite some time.

8:14 PM  
