Difficulties encountered in the application of risk acceptance principles, as defined in the Common Safety Methods, to justify the safety of the integration of a ETCS on Board equipment into an existing vehicle Almudena Andujar, Marta Peralta (Alstom) 22/06/2013 TRANSPORT


BDK_TRB_CRL_PRES_0189_Overall Project Presentation - P 2

Background information: Signalling program contract structure

BDK Signalling Program:

• Fjernbane (ERTMS L2)

• Infrastructure: East (Alstom), West (Thales)

• Onboard System: Frame contract; Subcontracts: GSMR-R Voice STM, Danish STM (Siemens), Swedish STM (Ansaldo)

• GSM-R

• S-bane (CBTC): Siemens


Background information: Stakeholders Context


BDK_TRB_CRL_PRES_0190_ETCS Onboard Subsystem Development - P 4

Background information: Overview of Alstom On Board project

• 4 test trains (1 type) to be equipped with ETCS OB baseline 2.3.0.d

• White fleet to be equipped with ETCS OB baseline 3

• 17 types of trains

• Yellow fleet with ETCS OB baseline 3

• 17 types of trains

• Operation on DK conventional lines under STM-DK supervision

• Operation on ETCS L2 lines under ETCS supervision


Difficult concepts: not clearly defined, not clearly understood

It has been a long road to start converging in the understanding of these definitions:

• System definition

• Safe integration

• Definition of “significant change”

• Definition of “code of practice”

Consequence: time and effort wasted in endless discussions, with a significant economic impact, particularly when some of the misunderstandings result in the unrequired involvement of ISAs and NoBos.


What “system”?

• The ISA that supervises the complete signaling project and advises the NSA expects to receive a 'Railway Level' Safety Case (or Safety Argument). This would then be assessed by G-ISA. In their opinion the IM is a system integrator and must therefore take overall safety responsibility for the work performed by the suppliers and RUs.

• According to the contract, Alstom is responsible for obtaining the necessary approvals for the delivery.

• Alstom’s position is that it is responsible for the authorization related to its deliverables, i.e., the OB subsystems.

• There are ongoing discussions on who is responsible for obtaining the authorization for placing in service related to the vehicle. We are trying to converge to a solution, but at the beginning, our Customer understood that it was Alstom’s responsibility to supply the evidence and documentation required for the different approvals related to the vehicle, e.g.:

  - Approval for testing:

  - Significant change assessment related to the tests to be performed, considering the possible change on the existing safety rules for performing tests (safety management system of both the RU and the IM)

  - System definition taking into consideration the test environment

  - Authorization for placing in service the vehicle

  - Significant change assessment considering not only technical aspects but operational and organizational.

  - System definition per type of vehicle, even describing details of equipment not interfacing with the CCS OB SS

  - EC certificate of verification: for TSI CCS and also TSI SRT and Loc&Pas for the changes on the vehicle.

  - Safety case covering the vehicle


Safe integration

• The IOD, Article 15 says:

“Without prejudice to Chapter V, each Member State shall take all appropriate steps to ensure that these subsystems may be placed in service only if they are designed, constructed and installed in such a way as to meet the essential requirements concerning them when integrated into the rail system. In particular, they shall check:

− the technical compatibility of these subsystems with the system into which they are being integrated,

− the safe integration of these subsystems in accordance with Articles 4(3) and 6(3) of Directive 2004/49/EC.”

• There is no legal definition of Safe Integration. In a preliminary note from ERA [CSM RA and APS, ERA, 01-02-2013, version 1.0] the following definition is used:

“Safe Integration (SI) is the action of making sure that the integration of a structural subsystem in a system will have no adverse effect on the safety of that system during operation.”

• Safe integration is addressed in Recommendations 2011/217/EC preamble 1:

“(g) for placing in service a vehicle, safe integration includes two aspects: safe integration between the vehicle’s relevant subsystems (only in the case of the first authorization) and safe integration between the vehicle and the network concerned.

— Where the interface between a vehicle and a network is covered by either a TSI requirement or a national rule, the applicant considers it as a code of practice. In that case the hazard(s) for which requirements have been identified in such TSI or national rule are considered as checked through the fulfilment of the requirements of either the TSI or the national rule. This means that if the requirements of the TSI or the national rule cover the essential requirement of safety (i.e. all relevant hazards), the safe integration is demonstrated through the implementation of the TSI or the national rule.

— If there are hazards for which requirements are not covered in the TSI or in national rules this indicates that the TSI or national rules do not fully meet the essential requirements. In that case the deficiency must be addressed in accordance with Article 7 of Directive 2008/57/EC. These missing requirements should be considered in future revisions of TSIs in order to achieve a full coverage of the interoperable interfaces by TSIs progressively. In the meantime the risks are managed by the applicant by comparison with a reference system or an explicit risk analysis in accordance with Regulation (EC) No 352/2009.

— For the sake of interoperability, it is necessary that technical compatibility and safe integration between vehicle and network are demonstrated on a rule based approach. To that end, the TSI should exhaustively cover both aspects;”


Safe integration, between what and what? And who has to guarantee it?

• Safe integration of the CCS On Board with the RS in the vehicle?

• Safe integration of the CCS On Board with the CCS TRACK?

• Safe integration of the CCS On Board in the existing operational environment?

• Etc., etc.


Compliance with the Functional and technical specifications of the interfaces to other subsystems & analysis of the impact of the CCS OB in the RS equipment.

Interface to the subsystem rolling stock

• Compatibility with track-side train detection systems

• Electromagnetic compatibility between rolling stock and control command track-side equipment.

• Guaranteed train braking performance and characteristics

• Position of control-command on-board antennae

• Physical environmental conditions

• Electromagnetic compatibility

• Isolation of on-board ETCS functionality

• Data interfaces

• Hot axle box detectors

• Vehicle headlights

• Driver Vigilance

• Odometry

• Interface to data recording for regulatory principles

• And an analysis of the physical interfaces between the CCS subsystem and the vehicle to demonstrate that neither the performance (RAM) nor the safety are degraded because of the CCS OB installation.


Significant change:

• Who is the “proposer”?

• Who defines what a significant change is?

• Does the evaluation of “significant change” need to be assessed?

• In case the change is found to be significant,

• Does the change need to be validated by an Independent Body?

• Does the “changed subsystem” need to be reassessed by an Independent Body?


Significant change: example

• Alstom claimed that the installation of Alstom ETCS OB subsystem in the vehicle is not a significant change of the RS subsystem; i.e., the characteristics of the RS equipment (structure, command and control system for all train equipment, current-collection devices, traction and energy conversion units, braking, coupling and running gear (bogies, axles, etc.) and suspension, doors, man/machine interfaces (driver, on-board staff and passengers, including the needs of persons with reduced mobility), passive or active safety devices and requisites for the health of passengers and on-board staff)

• However, the change has been declared significant “a priori”. We are in charge of demonstrating that indeed it is not so, and that the basic parameters and the interfaces with other subsystems/TSIs as defined in chapter 4.2 of the TSI CCS have been taken into account in the design of the subsystem.

• Tests of ETCS OB equipment on site have also been considered a significant change, because of the different organization required for these tests. They are consequently managed following the directives of the CSM for RA.


What is a code of practice:

• Is the “best practice” a code of practice?

• TSIs are codes of practice, but which TSI do we need to use?

• Does the TSI loc&pass need to be applied when a CCS OB equipment is installed?

• And which TSI will cover the TRU in baseline 3? How is the functionality of the Juridical Recording Unit of the ETCS going to be managed?
