COULD THE RAILWAY SAFELY FLY?
… the state-of-the-art approach for safety and reliability in the railway industry
1st Edition SAFETY DAY - ROSAS Center Fribourg 8. Sep. 2016
Georg Fons-Stankiewicz
THE BACKGROUND STORY …
COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ
1ST EDITION SAFETY DAY - ROSAS CENTER FRIBOURG 8. SEP. 2016 (P 2)
WHAT DOES „SAFELY“ MEAN?
… IN SEARCH OF A SAFE ITEM
Safe?
Yes! – „Safety function“
OMG NO!
More or less! – „Comfort function“
WHAT MAKES THINGS UNSAFE?
Hazard
A hazard is a „medium“ which can, with reasonable likelihood, cause harm or damage
Fire
Electricity
Motorised traffic
Heavy or sharp items
…..
THE “ADJUSTMENT SCREWS” OF SAFETY
Severity (consequence)
The severity is the grade of damage caused by a hazard which has become a real event
Minor (reparable) damage / minor injury
Major (reparable) damage / severe injury
Major (irreparable) damage / single casualty
Catastrophic damage / multiple casualties
THE “ADJUSTMENT SCREWS” OF SAFETY
Likelihood of occurrence
The likelihood of occurrence (in this context) is the grade of probability that the harm or damage caused by a hazard becomes real
Frequent – hazard experienced continuously
Probable – hazard often experienced
Occasional – hazard can occur several times
Remote – hazard can be expected to occur
Improbable – hazard may be assumed to occur exceptionally
Incredible – hazard may be assumed not to occur
THE MATTER OF SAFETY
Risk
Risk combines the likelihood of a hazard with the grade of damage or harm it causes (severity) in a qualitative equation valid for a particular system and application
Negligible
Tolerable
Undesirable
Intolerable
… or similar definitions
Risk is a subjective term, which can however be managed well by adjusting (influencing) its components
THE SAFETY
Safety is the ability of a system, in combination with its defined application, to attenuate the likelihood and/or consequences of a hazardous event to an acceptable level
RAILWAY STANDARDS AND REGULATIONS
CENELEC standards – EN 5012X family
Based on the „Safety Bible“ IEC 61508
Adapted for application in the rail industry
EN 50126: Railway Applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)
EN 50128: Railway Applications - Communications, signalling and processing systems
EN 50129: Railway Applications - Communications, signalling and processing systems – Safety related electronic systems for signalling
ERA (European Union Agency for Railways) requirements
Technical Specifications for Interoperability (TSI)
Implementation guides for the Directive 2004/49/EC
National rules – apply “on top” of the European rules
RAMS – A RAILWAY SPECIFIC APPROACH
CENELEC Standard EN 50126
RAMS=Reliability, Availability, Maintainability, Safety
The interlink between „R“, „A“, „M“ and „S“ is inseparable
(Figure: Railway RAMS – Safety, Availability, Reliability & Maintainability, Operation & Maintenance)
RAMS LIFE CYCLE
EN 50126
1 Concept
2 System Definition & Application Conditions
3 Risk Analysis
4 System Requirements
5 Apportionment of System Requirements
6 Design and Implementation
7 Manufacture
8 Installation
9 System Validation (Including Safety Acceptance and Commissioning)
10 System Acceptance
11 Operation and Maintenance
14 De-commissioning and Disposal
THE SAFETY EVIDENCE STEPS
System Definition – „what we want to do“
Safety Plan – „how we want to proceed“
Hazard Log – „what we need to consider“
Risk Analysis – „how we need to consider“
Safety Requirements – „what shall we do to mitigate“
Safety Case – „did it all work well“
THE SAFETY APPROVAL PROCESS
Safety Acceptance
(Product, Generic Application, Overall/Specific Application)
Safety Approval
(Product, Application, Design, Implementation)
Safety Assessment Report (independent Body)
Safety Case
(Generic Product, Generic Application, Specific Application)
Safety Requirements Specification
THE (RAM)SAFETY CONCEPT
Optimised combination of RAMS „elements“
Fail-safety
well established within the railway industry
use of components with known failure modes
with a safe state (condition) existing in case of component/system failure
Safe State
must be reached in reaction to a dangerous system failure
dependencies on other RAMS aspects
… a broken (immobilised) train at the platform is „safe“ but not really „available“
Risk acceptance principles
ALARP (As Low As Reasonably Practicable)
GAMAB (Globalement Au Moins Aussi Bon)
MEM (Minimum Endogenous Mortality)
THE „BIBLE“ OF THE SAFETY CONCEPT
Risk evaluation and acceptance („example“ from EN 50126)
Risk Levels (rows: frequency of occurrence of a hazardous event; columns: severity levels of hazard consequence)

Frequency*   | Insignificant | Marginal    | Critical    | Catastrophic
Frequent     | Undesirable   | Intolerable | Intolerable | Intolerable
Probable     | Tolerable     | Undesirable | Intolerable | Intolerable
Occasional   | Tolerable     | Undesirable | Undesirable | Intolerable
Remote       | Negligible    | Tolerable   | Undesirable | Undesirable
Improbable   | Negligible    | Negligible  | Tolerable   | Tolerable
Incredible   | Negligible    | Negligible  | Negligible  | Negligible

* Frequency of occurrence of a hazardous event

Risk Category | Actions to be applied against each category
Intolerable   | Shall be eliminated
Undesirable   | Shall only be accepted when risk reduction is impracticable and with the agreement of the Railway Authority or the Safety Regulatory Authority, as appropriate
Tolerable     | Acceptable with adequate control and with the agreement of the Railway Authority
Negligible    | Acceptable with/without the agreement of the Railway Authority
THE „BIBLE“ OF THE SAFETY CONCEPT
For the appropriate application:
Acceptance criteria shall be adapted by the Railway Authority
Severity levels shall be defined by the Railway Authority
Tolerability level shall be defined by the Railway Authority
….. but usually this “Bible” is taken “as is” …
THE SAFETY INTEGRITY
Safety Integrity is the ability of a system (function) to resist (dangerous) faults.
4 Safety Integrity Levels (SIL) defined in EN 50129
In contrast to other standards, no PFD (Probability of Failure on Demand) is defined
Easier determination of SIL
Continuous control/signalling systems make up the majority of railway systems
THE ALLOCATION OF SIL
No clear and unique rule
ERA proposal for Risk Acceptance Criteria (RAC)
This proposal is a pragmatic way to link SIL/Severity/Frequency
FROM THE „TOOLBOX“
Human Factor in the safety chain
Human factor's „failure rate“
Several investigations carried out (e.g. NASA)
≈ 10^-3/h regarded as a good assumption
Human is a „no-SIL subsystem“
Indeed, human error is often a key factor of hazardous events
Santiago de Compostela, 24 July 2013, 79 fatalities, train driver error
Eckwersheim (Alsace), 14 November 2015, 11 fatalities, crew error
Bad Aibling, 9 February 2016, 12 fatalities, railroad manager error
Human (train driver/attendant, railroad manager, passengers …) must be supported by other barrier functions or safety related systems
FROM THE „TOOLBOX“
Safety (Related) Application Conditions (S(R)AC)
Non-technical means for risk mitigation
Hand over the responsibility for proper application to the user
Reduce technical effort and cost
… but this shifts the responsibility to a „no-SIL subsystem“
SACs must be documented in the safety case
FROM THE „TOOLBOX“
Barrier Functions
Barrier functions are functions able to stop the evolution of an accident in such a way that the next event in the accident evolution chain is not reached.
Risks cannot be mitigated by technical means only
Several barrier functions can be defined
Active / passive / procedural
Physical / functional / symbolic / virtual
WHAT ABOUT THE SOFTWARE?
(S)SIL – Software SIL – EN 50128
5 SIL levels: Level 0 – Level 4
SSIL 0 only for non-safety relevant functions
EN50128 sets requirements on the organisation and processes required for each SSIL level
EN50128 presents guidelines for good practices on software development, validation and verification
CAN SOFTWARE FAIL RANDOMLY?
Which failure rate is to be assumed for a given (S)SIL?
… none. There are no software-related random faults
Software developed with the same SSIL as the SIL of the system on which it is running shall not adversely influence the system
… but there is also a common conservative approach: assume the same „artificial“ failure rate as the one corresponding to the system SIL
A SIMPLIFIED EXAMPLE
Gripping in the Passenger Door Unit
„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)
Evaluation of Risk
Columns: Hazard ID | State / Operational Mode | Identified Hazard | Assumption to Hazard | Possible Consequences / Accident Potential | Criticality (EN 50126) | Frequency (EN 50126) | Risk (EN 50126)

H 01 | passenger change / standstill | crushing | Gripped by external doors due to unrecognised persons | Possible minor injury | insignificant | probable | tolerable
H 02 | driving | crushing, dragging against an obstacle | Departure of the train with someone gripped by external doors due to unrecognised clamping of persons or clothes by the doors. | Single fatality and/or severe injury and/or significant damage to the environment. | critical | probable | intolerable
H 03 | driving | falling out of the train | inadvertent reopening of the door due to false positive obstacle detection | Single fatality and/or severe injury and/or significant damage to the environment. | critical | frequent | intolerable
A SIMPLIFIED EXAMPLE
Gripping in the Passenger Door Unit
SIL requirement
SIL 1 for H 01
SIL 3 for H 02
SIL 3 for H 03
„Safe“ solution
The obstacle detection control is required to be SIL 1
SAC 01: The driver must check (e.g. by looking in the rear-view mirror) that nobody is clamped in the closed doors before departure (Frequency )
SAC 02: The traction must be deactivated or inhibited if an opened/unlocked door is detected (Frequency )
Assumption: both SAC 01 and SAC 02 decrease the frequency by 10³ independently
A SIMPLIFIED EXAMPLE
Gripping in the Passenger Door Unit
„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)
Reduced Risk – the mitigation definition is acceptable
Evaluation of reduced Risk
Columns: Hazard ID | State / Operational Mode | Identified Hazard | Assumption to Hazard | Possible Consequences / Accident Potential | Criticality (EN 50126) | Frequency (EN 50126) | Risk (EN 50126)

H 01 | passenger change / standstill | crushing | Gripped by external doors due to unrecognised persons | Possible minor injury | insignificant | remote | negligible
H 02 | driving | crushing, dragging against an obstacle | Departure of the train with someone gripped by external doors due to unrecognised clamping of persons or clothes by the doors. | Single fatality and/or severe injury and/or significant damage to the environment. | critical | incredible | negligible
H 03 | driving | falling out of the train | inadvertent reopening of the door due to false positive obstacle detection | Single fatality and/or severe injury and/or significant damage to the environment. | critical | improbable | tolerable
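As an added example (not part of the presentation), the EN 50126 risk matrix and action table quoted earlier and the door-gripping hazard log, before and after crediting SAC 01/02, encoded in Python; the acceptability rule, the hazard tuple layout and the function names are this example's own modelling assumptions, not anything the standard defines.

```python
# Added example (not from the presentation): a small hazard-log evaluator encoding
# the EN 50126 risk matrix and the risk-category action table quoted on the slides.
SEVERITY = ["Insignificant", "Marginal", "Critical", "Catastrophic"]

# One row per frequency class, one column per severity class (lowest first).
RISK_MATRIX = {
    "Frequent":   ["Undesirable", "Intolerable", "Intolerable", "Intolerable"],
    "Probable":   ["Tolerable",   "Undesirable", "Intolerable", "Intolerable"],
    "Occasional": ["Tolerable",   "Undesirable", "Undesirable", "Intolerable"],
    "Remote":     ["Negligible",  "Tolerable",   "Undesirable", "Undesirable"],
    "Improbable": ["Negligible",  "Negligible",  "Tolerable",   "Tolerable"],
    "Incredible": ["Negligible",  "Negligible",  "Negligible",  "Negligible"],
}

def risk_category(frequency, severity):
    # Qualitative risk of a hazard from its frequency and severity class.
    if frequency not in RISK_MATRIX or severity not in SEVERITY:
        raise ValueError(f"unknown class: {frequency}/{severity}")
    return RISK_MATRIX[frequency][SEVERITY.index(severity)]

def acceptable(risk, authority_agrees, reduction_impracticable=False):
    # Action table from the slides: Intolerable shall be eliminated; Undesirable only with
    # impracticable further reduction plus authority agreement; Tolerable with agreement.
    if risk == "Intolerable":
        return False
    if risk == "Undesirable":
        return authority_agrees and reduction_impracticable
    if risk == "Tolerable":
        return authority_agrees
    return True

# The door-gripping hazards as classified on the slides (constructed from the tables):
# (id, severity, frequency before mitigation, frequency after crediting SAC 01/02).
DOOR_HAZARDS = [
    ("H 01", "Insignificant", "Probable", "Remote"),
    ("H 02", "Critical", "Probable", "Incredible"),
    ("H 03", "Critical", "Frequent", "Improbable"),
]

def hazard_log_report(hazards=DOOR_HAZARDS, authority_agrees=True):
    # Returns {id: (risk before, risk after, acceptable after?)} for the hazard log.
    report = {}
    for hazard_id, severity, before, after in hazards:
        r_before, r_after = risk_category(before, severity), risk_category(after, severity)
        report[hazard_id] = (r_before, r_after, acceptable(r_after, authority_agrees))
    return report

if __name__ == "__main__":
    for hid, (before, after, ok) in hazard_log_report().items():
        print(f"{hid}: {before} -> {after} ({'accepted' if ok else 'further action needed'})")
```

Running it reproduces the two slide tables: all three hazards start Tolerable or Intolerable and end Negligible or Tolerable, and H 03 still needs the Railway Authority's agreement because it only reaches Tolerable.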
A SIMPLIFIED EXAMPLE
Gripping in the Passenger Door Unit
Requirements definition for:
Doors system supplier:
„The obstacle detection shall fulfil SIL1“
„The unlocking/opening of the door shall be detectable independently from the doors control unit“
Integrator
„On detection of unlocked/opened door the traction system shall be inhibited“
Operator
„The driver shall make sure that all doors are closed and locked and nobody/nothing is clamped between the door leaves before departure“
„In case of inadvertent door unlocking/opening during train movement the driver shall apply the emergency brake or significantly reduce speed, and inform passengers if the emergency brake is not allowed (e.g. in a tunnel)“
COULD THE RAILWAY SAFELY FLY?
If this was required – YES
Standards and regulations sufficient to manage safety up to SIL4
Consistent processes to determine and manage risks
Practical „Toolbox“ of proven methods
Safety evidence based on traceability and transparency
Mature independent assessment and approval process
Whole Life Cycle covered
…
… if it was required?
IT'S (BECOMING) REALITY!
The Maglev Train – the „flying“ railway
MagLev = Magnetic Levitation
… an old patent (1907) with a new face
https://www.flickr.com/photos/criminalintent/7391133386
https://commons.wikimedia.org/wiki/File%3ASC_Maglev_Test_Ride_(18277037338).jpg
NOW IT IS TIME FOR …
Copyright Statements: enrespro reserves all rights in this document and in the information contained therein. All pictures used in this presentation are free to use for commercial purposes acc. to the licence or legally purchased. The author of this presentation has however no way to determine the initial source of the pictures if not placed under the terms of the CC licence and therefore refuses any further liability.
… A DISCUSSION