could the railway safely fly? -...

COULD THE RAILWAY SAFELY FLY?

… the state-of-the-art approach for safety and reliability in the railway industry

1st Edition SAFETY DAY - ROSAS Center Fribourg 8. Sep. 2016

Georg Fons-Stankiewicz

THE BACKGROUND STORY …

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

1ST EDITION SAFETY DAY - ROSAS CENTER FRIBOURG 8. SEP. 2016P 2

WHAT DOES „SAFELY“ MEAN?

P 3COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

1ST EDITION SAFETY DAY - ROSAS CENTER FRIBOURG 8. SEP. 2016

… IN SEARCH OF A SAFE ITEM



Safe?

Yes!„Safety function“

OMG NO!

More or less!„Comfort function“

WHAT MAKES THINGS UNSAFE?

Hazard

The hazard is a „medium“ which can reasonably likely cause harm or damage

Fire

Electricity

Motorised traffic

Heavy or sharp items

…..



THE “ADJUSTMENT SCREWS” OF SAFETY

Severity (consequence)

The severity is the grade of damage caused by a hazard which became real event

Minor (reparable) damage / minor injury

Major (reparable) damage / severe injury

Major (irreparable) damage / single casualty

Catastrophic damage / multiple casualties



THE “ADJUSTMENT SCREWS” OF SAFETY

Likelihood of occurrence

The likelihood of occurrence (in this context) is the grade of probability that a harm or damage caused by a hazard

become real

Frequent – hazard experienced continuously

Probable – hazard often experienced

Occasional – hazard can occur several times

Remote – hazard can be expected to occur

Improbable – hazard may be assumed to occur exceptionally

Incredible – hazard may be assumed not to occur



THE MATTER OF SAFETY

Risk

The risk combines the probable (likelihood) grade of damage or harm (severity) of a hazard in a qualitative equation valid for a

particular system and application

Negligible

Tolerable

Undesirable

Intolerable

… or similar definitions

The risk is a subjective term which however can be well managed by adjusting (influencing) its components



THE SAFETY

Safety is the ability of a system in combination with its defined application to attenuate the likelihood and/or

consequences of a hazardous event to the acceptable level



RAILWAY STANDARDS AND REGULATIONS

CENELEC standards – EN 5012X family Based on the „Safety Bible“ IEC 61508

Adapted for application in the rail industry

EN50126: Railway Applications - The Specification and Demonstration of Reliability, Availability, maintainability and Safety (RAMS)

EN50128: Railway Applications -Communications, signalling and processing systems

EN50129: Railway Applications - Communications, signalling and processing systems –Safety related electronic systems for signalling

ERA (European Union Agency for Railways) requirements Technical Specifications for Interoperability (TSI)

Implementation guides for the Directive 2004/49/EC

National rules Apply “on top” of the European rules



RAMS – A RAILWAY SPECIFIC APPROACH

CENELEC Standard EN 50126

RAMS=Reliability, Availability, Maintainability, Safety

Interlink between „R“ „A“ „M“ and „S“ is inseparable



Railway RAMS

Safety Availability

Reliability &Maintainability

Operation &Maintenance

RAMS LIFE CYCLE

EN 50126



Risk Analysis3

System Requirements4

Apportionment of System Requirements

5

Design andImplementation

6

Manufacture7

Concept1

System Definition &Application Conditions

2

System Acceptance10

De-commissioningand Disposal

1411

MaintenanceOperation and

Installation8

System Validation(Including Safety Acceptance

and Commissioning)

9

THE SAFETY EVIDENCE STEPS



System Definition„what we want to do“

Safety Plan„how we want to proceed“

Hazard Log„what we need to consider“

Risk Analysis„how we need to consider“

Safety Requirements„what shall we do to mitigate“

Safety Case„did it all work well“

THE SAFETY APPROVAL PROCESS

Safety Acceptance

(Product, Generic Application, Overall/Specific Application)

Safety Approval

(Product, Application, Design, Implementation)

Safety Assessment Report (independent Body)

Safety Case

(Generic Product, Generic Application, Specific Application)

Safety Requirements Specification



THE (RAM)SAFETY CONCEPT

Optimised combination of RAMS „elements“

Fail-safety

well established within the railway industry

use of components with known failure modes

with a safe state (condition) existing in case of component/system failure

Safe State

must be reached in reaction to a dangerous system failure

dependencies on other RAMS aspects

… a broken (immobilised) train at the platform is „safe“ but not really „available“

Risk acceptance principles

ALARP (As Low As Reasonably Practicable)

GAMAB (Globalement Au Moins Aussi Bon)

MEM (Minimum Endogenous Mortality)



THE „BIBLE“ OF THE SAFETY CONCEPT

Risk evaluation and acceptance („example“ from EN 50126)



* Frequency of

occurrence of a hazardous event

Risk Levels

Frequent Undesirable Intolerable Intolerable Intolerable

Probable Tolerable Undesirable Intolerable Intolerable

Occasional Tolerable Undesirable Undesirable Intolerable

Remote Negligible Tolerable Undesirable Undesirable

Improbable Negligible Negligible Tolerable Tolerable

Incredible Negligible Negligible Negligible Negligible

Insignificant Marginal Critical Catastrophic

Severity Levels of Hazard Consequence

Risk Category Actions to be applied against each category

Intolerable Shall be eliminated

Undesirable

Shall only be accepted when risk reduction is impracticable and with the agreement of the Railway Authority or the Safety Regulatory Authority, as appropriate

Tolerable Acceptable with adequate control and with the agreement of the Railway Authority

Negligible Acceptable with/without the agreement of the Railway Authority

THE „BIBLE“ OF THE SAFETY CONCEPT

For the appropriate application:

Acceptance criteria shall be adapted by the Railway Authority

Severity levels shall be defined by the Railway Authority

Tolerability level shall be defined by the Railway Authority

….. but usually this “Bible” is taken “as is” …



THE SAFETY INTEGRITY

Safety Integrity is the ability of a system (function) to resist (dangerous) faults.

4 Safety Integrity Level (SIL) defined in EN 50129

In contrast to other standards no PFD (Failure on Demand) defined

Easier determination of SIL

Continuous control/signalling systems are in the majority of railway systems



THE ALLOCATION OF SIL

No clear and unique rule

ERA proposal for Risk Acceptance Criteria (RAC)

This proposal is a pragmatic way to link SIL/Severity/Frequency



FROM THE „TOOLBOX“

Human Factor in the safety chain

Human factor‘s „failure rate“

Several investigations carried out (eg. NASA)

≈ 10-3/h regarded as a good assumption

Human is a „no-SIL subsystem“

Indeed, human error is often a key factor of hazardous events

Santiago de Compostella, 24 July 2013, 79 fatalities, train driver error

Eckwersheim (Alsace), 14 November 2015, 11 fatalities, crew error

Bad Aibling, 9 February 2016, 12 fatalities, railroad manager error

Human (train driver/attendant, railroad manager, passengers …) must be supported by other barrier functions or safety related systems




Safety (Related) Application Conditions (S(R)AC)

Non-technical means for risk mitigation

Hand over the responsibility for proper application to the user

Reduce technical effort and cost

…. but shifts the responsibility to a „no-SIL subsystem“

SACs must be documented in the safety case




Barrier Functions

Barrier functions are functions able to stop the evolution of an accident that way than the next event in the accident evolution chain is not

reached.

Risks cannot be mitigated by technical means only

Several barrier functions can be defined

Active / passive / procedural

Physical / functional / symbolic / virtual



WHAT ABOUT THE SOFTWARE?

(S)SIL – Software SIL – EN 50128

5 SIL levels: Level 0 – Level 4

SSIL 0 only for non-safety relevant functions

EN50128 sets requirements on organisation and processes required for the required SSIL levels

EN50128 presents guidelines for good practices on software development, validation and verification



CAN SOFTWARE FAIL RANDOMLY?

Which failure rate to be assumed for a given (S)SIL?

…. no one. There are no software-related random faults

A software developed with the same SSIL as the SIL of the system on which it is running shall not adversely influence the system

…. but there is also a common conservative approach to assume same „artificial“ failure rate as the one corresponding to the system SIL



A SIMPLIFIED EXAMPLE

Gripping in the Passenger Door Unit

„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)



Citicality

EN 50126

Frequency

EN 50126

Risk EN

50126

H 01passanger change

/ standstillcrushing

Gripped by external doors due

to unrecognised personsPossible minor injury insignificant probable tolerable

H 02 drivingcrushing, dragging

against an obstacle

Departure of the train with

someone gripped by external

doors due to unrecognised

clamping of persons or clothes

by the doors.

Single fatality and/or severe

injury and/or significant damage

to the environment.

critical probable intolerable

H 03 driving falling out of the train

inadvertant reopening of the door

due to false positive obstacle

detection



to the environment.

critical frequent intolerable

Hazard ID

State /

Operational-

Mode

Identified Hazard Assumption to HazardPossible Consequences /

Accident Potential

Evaluation of Risk



SIL requirement

SIL 1 for H 01

SIL 3 for H 02

SIL 3 for H 03

„Safe“ solution

The obstacle detection control is required SIL 1

SAC 01: The driver must check (eg. by looking in the rear-view-mirror) that nobody is clamped in the closed doors before departure (Frequency )

SAC 02: The traction must be deactivated or inhibited if an opened/unlocked door is detected (Frequency )

Assumption: both SAC 01 and SAC 02 decrease the frequency by 10³ independently





„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)

Reduced Risk

the mitigation definition is acceptable



Citicality

EN 50126

Frequency

EN 50126

Risk EN

50126

H 01passanger change

/ standstillcrushing

Gripped by external doors due

to unrecognised personsPossible minor injury insignificant remote negligible

H 02 drivingcrushing, dragging

against an obstacle

Departure of the train with

someone gripped by external

doors due to unrecognised

clamping of persons or clothes

by the doors.



to the environment.

critical incredible negligible

H 03 driving falling out of the train

inadvertant reopening of the door

due to false positive obstacle

detection



to the environment.

critical improbable tolerable

Hazard ID

State /

Operational-

Mode

Identified Hazard Assumption to HazardPossible Consequences /

Accident Potential

Evaluation of reduced Risk



Requirements definition for:

Doors system supplier:

„The obstacle detection shall fulfil SIL1“

„The unlocking/opening of the door shall be detectable independently from the doors control unit“

Integrator

„On detection of unlocked/opened door the traction system shall be inhibited“

Operator

„The driver shall make sure that all doors are closed and locked and nobody/nothing is clamped between the door leaves before departure“

„In case of inadvertent door unlocking/opening during train movement the driver shall apply emergency brake or significantly reduce speed and inform passengers if the emergency brake is not allowed (eg. in tunnel)“



COULD THE RAILWAY SAFELY FLY?

If this was required – YES

Standards and regulations sufficient to manage safety up to SIL4

Consistent processes to determine and manage risks

Practical „Toolbox“ of proven methods

Safety evidence based on traceability and transparency

Mature independent assessment and approval process

Whole Life Cycle covered

…

…. if it was required ?



ITS (BECOMING) REALITY!

The Maglev Train – the „flying“ railway

MagLev = Magnetic Levitation

… an old patent (1907) with the new face



https://www.flickr.com/photos/criminalintent/7391133386

https://commons.wikimedia.org/wiki/File%3ASC_Maglev_Test_Ride_(18277037338).jpg

NOW IT IS TIME FOR …

Copyright Statements:enrespro reserves all rights in this document and in the information contained therein. All pictures used in this presentation are free to use for commercial purposes acc. to the licence or legally purchased. The author of this presentation has however no way to determine the initial source of the pictures if not placed under the terms of the CC licence and therefore refuses any further liability.



… A DISCUSSION

could the railway safely fly? -...

Documents