Skip to content

Using Models to Assure Emergent Behaviors in Railway Transportation Networks


Railway transportation networks are complex systems of systems which exhibit emerging behaviors. Emergence is the property that distinguishes a collection of things from a system which provides a behavior not attainable by any subset of system constituents. At the railway network level, the necessity of proving the desired emerging behaviors, revealing undesired patterns of behavior, and providing evidence that the rate of occurrence of a particular undesired one is below a specific threshold is stated in the RAMS standard. This short paper briefly discusses different aspects of this approach and elaborates on a successful example.


This short paper starts with a discussion of why having this perspective is important. Then the general steps of a framework for analyzing those behaviors are mentioned. This paper concludes with some further research directions.

Safety and System Complexity

A system is composed of constituents which are integrated in order to fulfill functions at a higher level. These functionalities are the characteristics which make a system greater than the sum of its constituents and are the result of the interaction between the constituents[1][2].

In the railway RAMS (Reliability, Availability, Maintainability, and Safety) standard [3], the goal of a railway system is defined as the achievement of “a defined level of rail traffic at a given time, safely and within certain cost limits”. This statement of the goal pinpoints the desired emergent behavior which is expected from a railway system. Due to the fact that component faults and human errors – through the hierarchy of the system – can lead to accidents, some undesirable phenomena such as accidents are emergent properties as well[3]. The prime purpose of the RAMS management process is to guarantee the achievement of the above-mentioned goal[3].

The two of the widely accepted and distinctive categories of emergent behaviors are weak, and strong emergence [2]. While technical systems mostly exhibit weak emergence, SoS can exhibit strong emergence due to their socio-technicality [4].

These two types can be captured by the use of modeling and simulations. Built on top of this statement, this short paper briefly discusses the common steps of model-centric approaches based on a survey of similar scientific attempts. To elaborate, a profound framework called FORMOSA is introduced.

Steps of the approach

The first step of the methodology is to develop a formal model of the domain which in this case is the railway domain. Upon validation of this formal language, by the help of a modeling tool, the system-of-interest is modeled by the user of the framework. This step is comprised of modeling the static aspects of the system (structural elements), modeling the dynamic aspects of the system (behavior of the elements and their interactions), and most importantly, modeling the safety or RAM target to be verified.

Validation of the model and the resulting confidence level shows the extent to which the results of the model are reliable. Next, this human-readable model is transformed into logically analyzable models. The type of property to be analyzed (safety or liveliness) and the type of analysis (happening or preventing an event) determines the next step which is execution. The weak patterns of emergence can be captured by formal analysis of the model including automated theorem proving and model-checking. On the other hand, strong patterns of behavior can be revealed by discrete event simulations.

FORMOSA A successful example

In [5], the ForMoSA (FORmal MOdels and Safety Analysis) is presented which is an integrated approach for the safety assessment of safety-critical systems. It combines formal methods with traditional safety analysis. The applicability of this methodology is illustrated in the case of autonomous control of level crossings using radio-based communication. The functional model of the system is augmented with failure mode data in order to create a formal fault tree analysis used a state-transition model. This inductive functional model is used alongside traditional safety analysis methods such as deductive cause-consequence analysis. This top-down analysis is used to determine critical factors. Model-checking is used to search the state-space for safety-related counter-examples.


Most of the literature which adopted a similar approach discussed covered the technical aspects of railway transportation networks. The social, organizational, and enterprise aspects need to be considered in the solution.

To confine the solution space and reduce the computational loads, some assumptions have been in most of the surveyed papers which result in loss of generality, incompleteness, and failure to draw robust network-wide conclusions. In this situation, the usability of the results of a formal analysis would be restricted to the representation of the feasibility or threats of a working regime in order to be used by a human decision-maker.

The influence of the human performers on the violation of safety in the operational phases is modeled in terms of human errors made against defined tasks. Such a conservative and safety-preserving reduction is also mentioned in RAMS[3]. Such an assumption removes the chances of capturing positive contributions of the human performers in hazardous situations and the emerging patterns of human-machine interaction.

One motive behind such an approach is to reduce the effects of errors made by humans during development by partly automating the process. The apportionment of tasks between humans and the automation requires more elaboration by defining when, who, and how to intervene.


[1] M. Jamshidi, System of Systems Engineering: Innovations for the 21st Century. 04 2008.

[2] L. Rainey and A. Tolk, Modeling and Simulation Support for System of Systems Engineering Applications, pp. 1–9. 01 2015.

[3] “Railway applications – the specification and demonstration of reliability, availability, maintainability and safety (RAMS) – part 1: Generic rams process,” Oktober 2017.

[4] M. Bjelkemyr, D. Semere, and B. Lindberg, “An engineering systems perspective on system of systems methodology,” pp. 108–114, 2007.

[5] A. Habermaier, F. Ortmeier, M. Gudemann, W. Reif, and G. Schellhorn, “The ForMoSA Approach to Qualitative and Quantitative Model-Based Safety Analysis,” in Railway Safety, Reliability and Security: Technologies and Systems Engineering, IGI Global, 2012.