Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions

Transcription

1 European Commission Seventh Framework programme MODSafe Modular Urban Transport Safety and Security Analysis WP 4 - D4.2 Analysis of Safety Requirements for MODSafe Continuous Safety Measures and

2 Reviewed by: Authors: Document ID: WP 4 partners WP 4 (support by VDV) DEL_D4.2_UITP_WP4_110121_V2.0 Date: 21.January 2011 Contract No: of 120

3 Contract No Document type DEL Version V2.0 Status Final Date 21.January 2011 WP WP 4 Lead Author WP 4 Contributors Document ID Dissemination level Distribution WP 4 and external experts (VDV) Analysis of safety requirements of MODSafe continuous safety measures and functions DEL_D4.2_UITP_WP4_110121_V2.0 PU MODSafe consortium Document History: Version Date Author Modification V August 2010 WP 4 New document V December 2010 WP 4 and external experts (VDV) Consideration of comments from LUL, RATP, VDV, Ansaldo, AREVA V January 2011 WP 4 Consideration of comments from R&B, RATP, Ansaldo, Bombardier Approval: Authority Name/Partner Date WP responsible UITP (WP4 consensus of V1.1) 10/12/2010 EB members RATP (WP10 consensus of V2.0) 24/01/2011 Coordinator TRIT 25/01/ of 120

4 Table of contents 1 Summary of the document Bibliography Terms and abbreviations Terms Abbreviations System lifecycle and safety requirements Process for allocation of safety requirements of the semi-quantitative MODURBAN process Risk parameter used in the method Numerical interpretation of risk parameter Application of the method of the risk graph based method Mode of operation and grade of automation Definition of mode of operation Grade of automation Grade of automation 0 (GOA0): On-sight train operation Grade of automation 1 (GOA1): Non-automated train operation Grade of automation 2 (GOA2): Semi-automated train operation Grade of automation 3 (GOA3): Driverless train operation Grade of automation 4 (GOA4): Unattended train operation to be analysed Principle structure of basic functions for train operation List of MODSafe safety functions Ensure safe movement of trains Ensure safe route Ensure safe separation of trains Determine permitted speed Authorise train movement Supervise train movement Provide interface with external interlocking of 120

5 7.2.3 Supervise guideway Prevent collision with obstacles Prevent collision with persons on tracks Protect staff on track Supervise passenger transfer Control passenger doors Prevent person injuries between platform and train Prevent person injuries between train cars Ensure safe starting conditions Operate a train Put in or take out of operation Manage driving modes Manage movement of trains between two operational stops Manage depot and stabling areas Manage UGTMS transition areas Restrict train entry to station Manage the platform or siding stopping position of the train Change the travel direction Couple and split a train Supervise the status of the train Ensure detection and management of emergency situations Allocation of safety integrity requirements Overview of results Table of safety requirements for MODSafe safety functions Conclusion Annex Allocation of safety requirements to MODSafe safety functions Ensure safe movement of trains Ensure safe route Check route availability Set route Supervise route Supervise level crossing as secured Lock route of 120

6 Release route Ensure safe separation of trains Initialise UGTMS reporting trains location Determine train orientation Determine actual train travel direction Determine train location Locate non reporting trains by track sections Determine permitted speed Determine static speed profile Determine temporary infrastructure speed restrictions Determine permanent rolling stock speed restrictions Determine temporary rolling stock speed restrictions Authorise train movement Determine movement authority limit Determine train protection profile Authorise train movement by wayside signals Determine a zone of protection Stopping a train en route Authorise the entry of non-operative UGTMS trains into UGTMS territory Supervise train movement Determine actual train speed Supervise safe train speed Inhibit train stops Monitor speed limit at discrete location Supervise train rollaway Immobilisation of train Detect unauthorised movement of non-operative trains React to unauthorised movement of non-operative trains Detect intruding unequipped train Provide interface with external interlocking Drive train Supervise guideway Prevent collision with obstacles of 120

7 Supervise wayside obstacle detection device Supervise onboard obstacle detection device Prevent collision with persons on tracks Warn passengers to stay away from the platform edge React on emergency stop request from platforms Supervise platform doors Supervise platform tracks Supervise border between platform tracks and other tracks Supervise platform end doors Protect staff on track Protect staff on track Supervise passenger transfer Control passenger doors Authorise train doors opening Command doors opening Request doors closing Supervise doors closing Supervise closed and locked status of train doors Prevent person injuries between platform and train Prevent person injuries between platform and train Prevent person being trapped between platform screen doors and train Prevent person injuries between train cars Prevent person injuries between train cars Ensure safe starting conditions Authorise station departure (safety related conditions) Authorise station departure (operational conditions) Command station departure Operate a train Put in or take out of operation Awake trains Set train to sleep Manage driving modes Manage movement of trains between two operational stops of 120

8 Manage depots and stabling areas Manage UGTMS transition area Restrict train entry to station Manage the platform or siding stopping position of the train Change the travel direction Couple and split a train Couple trains automatically Split trains untimely uncoupling protection Supervise the status of the train Supervise UGTMS onboard equipment status prior to entering service Supervise UGTMS onboard equipment status during operation Test emergency braking performance React to detected train equipment failure Manage traction power supply on train Ensure detection and management of emergency situations Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations Detect fire and smoke React to detected fire/smoke React to detected or suspected broken rail Monitor emergency calls React to passenger alarm device activation React to emergency release of train doors Detect loss of train integrity React to loss of train integrity Detect derailment Trigger emergency brake of 120

9 List of figures Figure 1 Safety functions in system lifecycle and MODSafe Figure 2 General procedure of the method for SIL allocation Figure 3 Risk graph according to VDV Figure 4 State diagram for continuous and high demand mode of operation Figure 5 GOA0 On-sight train operation Figure 6 GOA1 Train stops and wayside signals and fixed block system Figure 7 GOA1 Semi continuous speed supervision and fixed block systems with wayside signals 30 Figure 8 GOA1 Continuous speed supervision with cab signals Figure 9 GOA1 Continuous supervision of speed by system and wayside signals Figure 10 Responsibility of operations staff in GOA Figure 11 Responsibility of operations staff in GOA Figure 12 Responsibility of operations staff in GOA Figure 13 General procedure of the elaboration of the list of MODSafe safety functions of 120

10 List of tables Table 1 Frequency-consequence matrix or risk matrix Table 2 THR/SIL table according to EN Table 3 Risk reduction and SIL (example from IEC and used in VDV 331) Table 4 Grades of automation according to IEC Table 5 Application table description of risk analysis parameter Table 6 Example Application: Determine actual train speed Table 7 List of safety requirements for MODSafe safety functions Table 8 RA Check route availability for GOA1 to GOA Table 9 RA Set route for GOA Table 10 RA Set route for GOA1 to GOA Table 11 RA Supervise route for GOA1 to GOA Table 12 RA Supervise level crossing as secured for GOA1 and GOA Table 13 RA Lock route for GOA1 to GOA Table 14 RA Release route for GOA1 to GOA Table 15 RA Initialise UGTMS reporting trains location for GOA1 to GOA Table 16 RA Determine train orientation for GOA1 to GOA Table 17 RA Determine actual train travel direction for GOA1 to GOA Table 18 RA Determine train location for GOA1 (with wayside signals) Table 19 RA Determine train location for GOA1 to GOA4 (without wayside signals) Table 20 RA Locate non reporting trains by track sections for GOA1 to GOA Table 21 RA Determine static speed profile for GOA1 (with wayside signals) Table 22 RA Determine static speed profile for GOA1 to GOA4 (without wayside signals) Table 23 RA Determine permanent rolling stock speed restrictions for GOA1 to GOA Table 24 RA Determine movement authority limit for GOA1 (with wayside signals) Table 25 RA Determine movement authority limit for GOA1 to GOA4 (without wayside signals) Table 26 RA Determine train protection profile for GOA1 (with wayside signals) Table 27 RA Determine train protection profile for GOA1 to GOA4 (without wayside signals) Table 28 RA Authorise train movement by wayside signals for GOA0 (single track operation) Table 29 RA Indicate position of switches for GOA0 (signal for switch control) Table 30 RA Authorise train movement by wayside signals for GOA1 (for GOA2 to GOA4 also for mixed operation) of 120

11 Table 31 RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA Table 32 RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed) Table 33 RA Determine actual train speed for all GOA1 to GOA4 (without wayside signals) Table 34 RA Supervise safe train speed for GOA1 (with wayside signals) Table 35 RA Supervise safe train speed for GOA1 to GOA4 (without wayside signals) Table 36 RA Inhibit train stops for GOA1 to GOA Table 37 RA Monitor speed limit at discrete location for GOA Table 38 RA Supervise train rollaway for GOA1 to GOA Table 39 RA React to unauthorised movement of non-operative trains for GOA1 to GOA Table 40 RA Provide interface with external interlocking for GOA1 to GOA Table 41 RA Supervise platform doors for GOA1 and GOA Table 42 RA Supervise platform doors for GOA3 and GOA Table 43 RA Protect staff on track for GOA1 to GOA Table 44 RA Authorise train doors opening for GOA1 to GOA4 (on passenger request) Table 45 RA Authorise train doors opening for GOA1 to GOA4 (automatically) Table 46 RA Supervise closed and locked status of train doors for GOA1 to GOA Table 47 RA Prevent person injuries between platform and train for GOA1 to GOA Table 48 RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA Table 49 RA Supervise UGTMS onboard equipment status prior to entering service for GOA1 to GOA Table 50 RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA Table 51 RA Test emergency braking performance for GOA1 to GOA Table 52 RA Trigger emergency brake for GOA1 and GOA Table 53 RA Trigger emergency brake for GOA3 and GOA of 120

12 1 Summary of the document This deliverable concludes the results of the safety requirement allocation process to MODSafe safety functions. Therefore, the method to allocate safety requirements and the MODSafe safety functions are introduced. The allocation method is recommended in MODSafe deliverable 4.1 [13]. MODSafe safety functions are mainly taken from the international standard [10]. All MODSafe safety functions are subject to a safety and risk consideration to estimate appropriate safety integrity requirements. Finally allocated results shall represent potential generic values for safety integrity requirements, depending on the operational context. The deliverable is structured into the following clauses. Firstly, the method for safety requirement allocation and its according application conditions are explained (clause 5 and 6). Secondly, the MODSafe safety functions are introduced (clause 7). An exemplified application and results of the process can be found in clause 8 and 9. Detailed protocols of an allocation of safety requirements are shown in the annex. The scope of MODSafe is the urban guided transport sector in Europe covering metros, trams and other light rail systems under regard of different grades of automation. These grades of automation are distinguished from driving on sight up to unattended train operation. This deliverable covers mainly safety functions for system applications of UGTMS (or e.g. CBTC) for which the functional requirements are specified by [10] and by IEC [8] and for which the results of MODURBAN had been taken into account, including additional safety functions for system applications designated to train operation on sight (GOA0). This deliverable is written for MODSafe project partners and European transport authorities i.e. operators of urban guided transport systems. The focus of this document is put on safety functions and measures from the signalling domain specified for UGTMS, however if safety integrity requirements are assumed as independent from a UGTMS application specific information for the use by other systems is provided. This deliverable will not specify risk analyses for a specific application with a certain combination of safeguards or safety functions. Because of that all safety functions are regarded as independent from the allocation of Mandatory and Optional provided by in order to ensure that the user can trust in the determined safety integrity requirement if he chose a function or a safeguard for his application. Nonetheless, the described safety requirement allocation scheme may also be applied to areas others than signalling, e.g. interfaces between signalling equipment and vehicle equipment or other safety functions in general. It is therefore not necessary to deal with other domains in detail. This deliverable deals with safety requirements and is not applicable to security aspects. An analysis of security is covered in MODSafe WP 8 and 9 and according deliverables. Note: The title of this document is changed. In the MODSafe description of work the deliverable 4.2 is originally called: Analysis of common safety requirements allocation for MODSafe continuous safety measures and functions. An alteration is made since safety requirements for MODSafe safety function are not assumed to be common (i.e. in the meaning of Common Safety Measures/Targets issues by the European Railway Agency). However, these safety requirements shall rather be understood as recommendations for the appropriate urban guided rail systems. 12 of 120

13 2 Bibliography [1] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: EN Railway applications The specification and demonstration of reliability, availability, maintainability and safety (RAMS), CENELEC 1999 [2] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: CLC/TR Railway applications The specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application of EN for safety, CENELEC 2006 [3] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: EN Railway application communication, signalling and processing systems safety related electronic systems for signalling, CENELEC 2003 [4] EUROPEAN UNION: Commission Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety method on risk evaluation and assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the European Parliament and of the Council, Official Journal of the European Union L108/ [5] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems, IEC 2010 [6] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 4: Definitions and abbreviations, IEC 2010 [7] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 5: Examples of methods for the determination of safety integrity levels, IEC 2010 [8] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC Railway Applications - Automated Urban Guided Transport (AUGT) - Safety Requirements, IEC 2006 Note: IEC is a European standard. [9] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC Railway applications - Urban guided transport management and command/control systems (UGTMS) - Part 1 System principles and fundamental concepts, IEC 2009 Note: IEC is a draft European standard (pren). [10] INTERNATIONAL ELECTROTECHNICAL COMMISSION: Railway applications - Urban guided transport management and command/control systems (UGTMS) - Part 2 Functional requirement specification, IEC 2010 Note 1: For the compilation of MODSafe deliverable 4.2 the CDV (committee draft for vote) of was available only. Note 2: IEC is a draft European standard (pren). [11] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 2.1 First list of hazards, preliminary hazard analysis, MODSafe WP [12] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 2.2 Consistency analysis and final hazard analysis, MODSafe WP [13] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 4.1 State of the art analysis and review of results from previous projects, MODSafe WP [14] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 4.3 Analysis of on demand functions and systematic failures, MODSafe WP4 (not yet published, planned 2011) 13 of 120

14 [15] MODULAR URBAN GUIDED RAIL SYSTEMS: D80 Comprehensive operational, functional and performance requirements, MODURBAN MODSYSTEM WP [16] MODULAR URBAN GUIDED RAIL SYSTEMS: D86 Safety conceptual approach for functional and technical prescriptions, MODURBAN MODSYSTEM WP [17] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: VDV Schriften 161-Teil 2 Sicherheitstechnische Anforderungen an die elektrische Ausrüstung von Stadt- und U-Bahn- Fahrzeugen, VDV 2009 [18] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: VDV Schriften 331 Sicherheitsintegritätsanforderungen für Signal- und Zugsicherungsanlagen gemäß BOStrab, VDV 2007 [19] VOM HÖVEL, RÜDIGER; BRABAND, JENS ; SCHÄBE, HENDRIK: The probability of failure on demand the why and the how, Proceedings of the International Conference on Computer Safety, Reliability and Security SafeComp Terms and abbreviations 3.1 Terms Term Definition Reference Accident Danger point Driving mode An accident is an unintended event or series of events that results in death, injury, loss of a system or service, or environmental damage. The location after the end of movement authority beyond which the front of the train may not pass without creating a hazardous situation. A driving mode describes how a train should be driven in a defined situation and can be performed either by an acting driver or automatically. EN MODURBAN UGTMS Emergency braking Grade of automation Brake or combination of brakes which ensures that the train will stop with the brake rate agreed between authority having jurisdiction, transport authority and train manufacturer. Automation level of train operation, in which Urban guided Transport (UGT) can be operated, resulting from sharing responsibility for given basic functions of train operation between operations staff and system IEC Hazard A condition that could lead to an accident. EN of 120

15 Term Definition Reference Mode of operation Movement authority Non-operative UGTMS trains Operation control centre Reporting train Risk Way in which a safety function operates, which may be either low demand mode, high demand mode or continuous mode. Note 1: Definition is based on IEC part 4. Note 2: A more detailed definition will be given in MODSafe deliverable 4.3 depending on the definition of the concept of low demand. Permission for a train to run, within the constraints of the infrastructure, up to a specific location. Non UGTMS equipped trains and trains with inoperative UGTMS equipment. Centre from which operation of the line or the network is supervised and managed. UGTMS equipped trains able to report its location and other relevant information. The rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm. For more information refer to sub-clause 6.1 IEC CLC/TR Safety Freedom from unacceptable level of risk of harm. EN Safety function Safety integrity Safety integrity level Safety measure Tolerable hazard rate Transport authority Function to be implemented by an E/E/PE safety-related system or other risk reduction measures that is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event. The ability of a safety-related system to achieve its required safety functions under all the stated conditions within a stated operational environment and within a stated period of time. A number which indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures. Means a set of actions either reducing the rate of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk. Rate of occurrence of a hazard that would result in an acceptable level of risk for that hazard (normally judged acceptable by a recognised body e.g. railway authority or railway support industry by consultation with the safety regulatory authority or recognised by the safety regulatory authority itself) Entity which is responsible for safe and orderly operation of a transport system. IEC EN EN Commission regulation (EC) No 352/2009 CLC/TR IEC IEC of 120

16 Term Definition Reference Urban guided transport Urban guided transport system operator Zone of protection Urban Guided Transport (UGT) is defined as a public transportation system in an urban environment with selfpropelled vehicles operated on a guideway. The urban guided transport system operator (UGTSO) is an entity which is responsible for safe and orderly operation of an urban guided transport system. (Note: For safety aspects the term UGTSO is equivalent to the term railway authority as used in EN 50126) A zone where no train is allowed to run as a response to various kinds of incidents. MODURBAN MODSafe 3.2 Abbreviations Abbreviation A ATO ATS C CBTC CENELEC D E E/E/PE EN EUC G GOA HMI IEC MA MODSafe MODURBAN Nr OCC P Definition Frequency of, and exposure time in, the hazardous zone Automatic train operation Automatic train supervision Consequence reduction probability Communication-based train control Comité Européen de Normalisation Électrotechnique (European Committee for Electrotechnical Standardisation) Deliverable Exposure probability to hazard Electrical/electronic/programmable electronic European standard Equipment under control Possibility of failing to avoid the hazardous event Grade of automation Human machine interface International electrotechnical commission Movement authority Modular urban transport safety and security analysis Modular urban guided rail systems Number Operations control centre Accident probability reduction 16 of 120

17 Abbreviation pren RA RAMS TFM THR THR i TPP S SIL SL SPAD STO UGTMS VDV W WP Draft European standard Risk analysis Definition Reliability, availability, maintainability, safety Target failure measure Tolerable hazard rate Initial THR Train protection profile Consequences of hazardous events Safety integrity level Severity level Signal passed at danger Semi automated train operation Urban guided transport management and command/control systems Verband Deutscher Verkehrsunternehmen (Association of German public transport undertakings) Probability of the unwanted occurrence Work package 17 of 120

18 4 System lifecycle and safety requirements This deliverable has to be read in the light of the European standard EN which requires a system lifecycle for railway applications. Within this lifecycle the determination of safety requirements is indispensible to be performed in the first four phases, which are mainly under responsibility of the transport authority. Phase four, which is called system requirements, is of special interest in this context. Alongside other tasks, the recommended safety related tasks are: Specify system safety requirements (overall) Define safety acceptance criteria (overall) Define safety related functional requirements Establish safety management The third point is based on risk analysis to be performed in phase 3. This is within the scope of this deliverable. In particular EN states: The RAMS requirements, for the system under consideration, shall include: [..] Functional requirements and supporting performance requirements, including safety functional requirements and safety integrity requirements for each safety functions [1]. The operator (i.e. railway authority) is responsible to determine the SIL for the system according to the prevailing operation and local circumstances. Therefore, this deliverable shall: Introduce the MODSafe safety functions Allocate safety requirements to the MODSafe safety functions Safety requirements for the MODSafe safety functions depend on the risk associated with the functions. It is assumed that hazardous situations and the associated risk may arise from functional failures of the safety functions that contributed to cover the hazardous situation in a first place. Availability aspects are not considered. An undetected termination or insufficient performance of the tasks, provided by the safety function, is considered safety relevant. When speaking about basic functions for train operation, functions are meant to e.g. ensure safe route or to supervise passenger transfer. Many functions are based on external devices providing inputs (e.g. switch, emergency stop handle) and are intended to provide outputs to external devices (e.g. switch, platform screen door). Each function is realised by realisation entities (e.g. objects, staff, etc.) and intended to be implemented in an E/E/PE safety related system or subsystem. In the subsequent lifecycle phase five, which is not in the scope of this deliverable, system requirements including safety requirements are assigned to the system architecture and used for the design of systems, sub-systems, components and external devices. Because of that, the determination of safety integrity requirements for a function, taken into account their interfaces to other functions or external devices, shall be determined in a generic way in order to allow its use for different system approaches. This shall be done by the main contractor/system supplier, compare [1]. 18 of 120

19 The results of the deliverable shall be incorporated in the overall MODSafe approach. In particular, the identified MODSafe safety functions shall be used to act as hazard control measures to cover relevant hazards, delineated in the MODSafe hazard log of MODSafe WP2 ([11], [12]) and MODSafe WP3. Furthermore, the list of MODSafe safety functions is input to the functional model developed in MODSafe WP5. Figure 1 gives an overview of the tasks, treated in this deliverable, within the overall system lifecycle and the MODSafe project. Figure 1 Safety functions in system lifecycle and MODSafe 19 of 120

20 5 Process for allocation of safety requirements The origin of the method for an allocation of safety requirements, which shall be used in this deliverable, is the MODURBAN 1 deliverable D86 [16]. However, a comparison of different safety requirement allocation methods is presented in MODSafe deliverable 4.1 [13]. As one outcome of the MODSafe deliverable 4.1 certain criteria have been specified as being advantageous for a safety requirement allocation method. With respect to the method, a detailed description and additional information about the method and possible alternative applications can be found in MODURBAN deliverable D86 and MODSafe deliverable 4.1. Additionally, a second method is outlined in a brief form to ease subsequent analyses. 5.1 of the semi-quantitative MODURBAN process Risk parameter used in the method Starting point of the method is the risk matrix introduced in the European and meanwhile international standard EN or IEC respectively. The matrix describes the correlation of the rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm [2]. Subsequently, the risk matrix, see Table 1, provides a risk level which can be e.g. tolerable or intolerable, according to the combination of frequency of occurrence and the severity level of hazard consequences. Table 1 Frequency-consequence matrix or risk matrix Frequency of occurrence of hazardous event Risk levels frequent undesirable intolerable intolerable intolerable probable tolerable undesirable intolerable intolerable occasional tolerable undesirable undesirable intolerable remote negligible tolerable undesirable undesirable improbable negligible negligible tolerable tolerable incredible negligible negligible negligible negligible insignificant marginal critical catastrophic Severity levels of hazard consequence Following EN the parameter describing the severity level of hazard consequences can be understood as: 1 MODURBAN is a European research and development project covering metros and light rail systems. 20 of 120

21 Catastrophic: Critical: Marginal: Insignificant: Fatalities and/or multiple severe injuries and/or major damage to the environment Singe fatality and/or severe injury and/or significant damage to the environment Minor injury and/or significant threat to the environment Possible minor injury Additionally to the two introduced risk parameter, such as severity level and frequency of occurrence, three more parameters are mentioned in the context of the MODURBAN method. These are parameter which may reduce the initial risk, so far expressed by the severity level only. MODURBAN D86 describes the parameter for risk reduction (or risk reduction measures) like this: Exposure Probability to Hazard E: Is there good reason to conservatively assume that members of the risk group (e.g. passenger) are exposed to the hazard clearly less than permanently (by orders of magnitude in probability)? Accident Probability Reduction P: Is there good reason to conservatively assume that the evolvement of a certain hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of rate by orders of magnitude)? Consequence Reduction Probability C: Is there good reason to conservatively assume that the members of the risk group (e.g. passenger, workers or neighbours) can clearly avoid being subject to the hazard (by orders of magnitude) or reduce considerably the potential damage (by severity class)? Considering the severity level of hazard consequences and the three risk reduction measures, a rate of frequency can be estimated which represents the tolerable risk and corresponds to the tolerable hazard rate (THR) Numerical interpretation of risk parameter An actual application is started with an estimation of the possible hazard consequences of a wrong side failure of the safety function. This is followed by a description of the operational or environmental circumstances to estimate valid risk reduction measures and its according numerical values. For that purpose, a initial THR 2 has to be estimated, which does not consider any risk reduction measures and is only estimated by the severity of the potential hazard consequences, graded in four severity levels (SL). With the help of Table 2 leaving out the SIL so far the level of severity can be expressed as follows: Catastrophic: THR = 10-9 /h (SL4) Critical: THR = 10-8 /h (SL3) Marginal: THR = 10-7 /h (SL2) 2 Considering its estimation, actually this initial THR is a tolerable hazard rate since it leaves out any consideration of possible risk reduction measures. However, setting all risk reduction measures initially to a value of 1 (1 = no impact), the actual tolerable hazard rate can be understood as initial THR (initial in the meaning that risk reduction measures are not considered so far). 21 of 120

22 Insignificant: THR = 10-6 /h (SL1) The risk reduction measures can be understood in the following way, as described in MODURBAN deliverable D86: E=1: Exposure of members of the risk group to hazard is conservatively to be assumed frequent or permanent E=10-1 : Exposure of members of the risk group to hazard can conservatively assumed to be rare, only in exceptional cases (e.g. passengers in a turn back train, passengers walking into the tunnel etc.) E=10-2 : Exposure of members of a risk group to hazard is only in very rare cases to be expected (e.g. passengers in depot etc.) P=1 There can no additional barrier be conservatively assumed that would reduce the probability of the hazard evolving into an accident. P=10-1 : There exists means or circumstances to clearly reduce the probability that a certain hazard evolves into an accident (e.g. additional barriers than the one being subject to analysis, driver that notices positioning failure and corrects manually, personnel onboard/in station that notice an otherwise undetected open door at train departure etc.) P=10-2 : There exist two means or circumstances to clearly reduce independently the probability that a certain hazard evolves into an accident (e.g. a personnel onboard/in station notices an otherwise undetected open door at train departure and an independent door interlock senses the open door before train departs). C=1 There is no reason to conservatively assume that a member of the risk group (e.g. passenger) may avoid being subject to the consequences of a certain hazard. C=10-1 There is good reason to conservatively assume that a member of the risk group (e.g. passenger) can avoid being subject to the consequences of a certain hazard (e.g. in low headway train operation a passenger fallen into station tracks may climb out or move into emergency bay, driver notices overspeed protection system failure and reduces himself manually speed to avoid catastrophic accident and collide in Severity Level SL3 instead of SL4) C=10-2 There are two independent good reasons to conservatively assume that a member of the risk group can avoid being subject to the consequences of a certain hazard (e.g. passenger on track in Tramway operations can move away from track and driver can stop the train in time, Overspeed Protection Failure at End of Track (SL4-SL3) noticed by driver and manual speed reduction reduces further consequence to SL2) Based on the initial THR (THR i ) and considering the three risk reduction measures a final THR can be calculated by dividing the initial THR by the risk reduction measures. (1) THR = THRi E P C The safety integrity level can be determined by using the following table: 22 of 120

23 Table 2 THR/SIL table according to EN Tolerable Hazard Rate THR per hour and per function Safety Integrity Level SIL THR 4: 10-9 THR < 10-8 SIL 4 THR 3: 10-8 THR < 10-7 SIL 3 THR 2: 10-7 THR < 10-6 SIL 2 THR 1: 10-6 THR < 10-5 SIL Application of the method The method shall be applied to one particular function. All numerical values apply to this particular function and shall be expressed in the unit per hour. The procedure is described in the following figure in a general manner: Figure 2 General procedure of the method for SIL allocation Severity of Consequences: Catastrophic THR = 10-9 /h Critical THR = 10-8 /h Marginal THR = 10-7 /h Insignificant THR = 10-6 /h Expose of members: Frequent E = 1 Rare E = 0,1 Very rare E = 0,01 Consequences reduction: No barrier C = 1 One barrier C = 0,1 Two barriers C = 0,01 Accident reduction: No barrier P = 1 One barrier P = 0,1 Two barriers P = 0,01 Level of safety integrity: THR = 10-9 /h SIL4 THR = 10-8 /h SIL3 THR = 10-7 /h SIL2 THR = 10-6 /h SIL1 During an application to allocate safety requirements to safety functions the following aspects shall be considered: 23 of 120

24 The exposure probability to the hazard (E) shall be used to describe whether persons are involved in a regularly occurring hazardous situation or not. In other words, the hazardous situation can be observed frequently but for example passengers are not exposed to every instance of the hazardous situation. This risk reduction measure does not describe a demand rate how often a particular hazard arises with passenger permanently exposed to the hazard. Examples for the first case are maintenance hazards. These hazards occur frequently, but passengers are not exposed to them on a regular basis. Whereas passenger, which are frequently exposed to the hazard of emergency brake failure because they are permanently on board of the train. However, this latter hazard occurs not regularly and the hazard rate is usually described with a demand rate and other relevant rates. The issue of safety functions required in a low demand mode of operation is treated in MODSafe deliverable 4.3 [14]. The risk reduction measures abbreviated with P and C using the idea of barriers reducing either the accident frequency or the severity of hazard consequences. These barriers can be understood as means or reasons to reduce risk. If a risk reducing barrier can be assumed, the value of how efficient the barrier acts to reduce risk is not considered. If a barrier can be considered, it is estimated with a factor of 1:10. If the risk reduction shall be estimated with a higher value, two independent means or reasons have to be considered. With respect to a calibration of results, the particular result for a hazard arising from a failure of a safety function with direct credible potential and catastrophic hazard consequences is estimated with 10-9 per hour, according to the method described here. This estimation originates from the European regulation 352/2009 for the heavy railway sector [4]. In particular it states: For technical systems where a functional failure has credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10-9 per operating hour. [4] However, by no means shall any assumptions be made on the applicability of the European Regulation 352/2009 to the domain of Urban Guided Transport. It is even anticipated that Urban Railways such as metro, light rail and tramway are explicitly excluded as it is stated in clause 2 (3) of the European Regulation 352/2009. Therefore, the above mentioned value of 10-9 per hour is only mentioned as a reference value for acceptable safety regardless of the specific railway domain. 5.2 of the risk graph based method For some generic safety functions the German VDV 331 [18] defines required safety integrity levels thus these safety integrity levels can be applied to the system in question. The background of the risk graph is part 5 from IEC [7]. According to IEC the quantitative component ( Target Failure Measure (TFM) which is equivalent to Tolerable Hazard Rate (THR) ) can be derived directly from the SIL. It shall be noted that the congruency of the results obtained by the semi-quantitative allocation method from MODURBAN had been verified with an independent method, the risk graph semi-quantitative method outlined before. In the deliverable D86 of MODURBAN, all considered continuous safety functions had been analysed applying both methods and the obtained results were identical in all cases. Due to the identity of results this present analysis applies one method as representative method for both. Since the MODURBAN method is an agreed method from the European project MODURBAN and the results found broad consensus at European level, the semi-quantitative MODURBAN method 24 of 120

25 is used. Anyway, the risk analysis and specified safety requirements which can be found on the VDV331 for some of the function were found compatible and may therefore serve as a guideline of the functions under consideration are covered by the VDV331. S1 S2 S3 S4 A1 A2 A1 A2 G1 G2 G1 G2 W W W Severity of loss - S1 Minor injury - S2 Serious permanent injury to one or more persons; death to one person - S3 Death to several people - S4 Very many people killed Duration of stay - A1 Rare to more often exposure in the hazardous zone - A2 Frequent to permanent exposure in the hazardous zone Averting the danger - G1 Possible under certain conditions - G2 Almost impossible Probability of the unwanted occurrence - W1 very slight - W2 slight - W3 relatively high The analysis follows the principles described in IEC calibrated within VDV331/332 to the process to be regarded. The safety function is analysed according to four attributes, which are: S consequences of hazardous events A frequency of, and exposure time in, the hazardous zone G possibility of failing to avoid the hazardous event W probability of the unwanted occurrence. Figure 3 Risk graph according to VDV 331 The result of the risk analysis provides a necessary minimum risk reduction from which the safety integrity levels (SIL) can be derived directly. The connection between the results of the analysis for safety functions derived from the risk graph and safety integrity level are shown in Table 3. Table 3 Risk reduction and SIL (example from IEC and used in VDV 331) Tolerable Hazard Rate (THR) Necessary minimum risk reduction Safety integrity level - No safety requirements - 1 No special safety requirements 10-6 to <10-5 2, to < to <10-7 5, to < An E/E/PE SRS is not sufficient 25 of 120

26 6 Mode of operation and grade of automation One goal of this deliverable is to recommend the deduced safety requirements to European urban guided transport system operators as potential generic safety integrity requirements. This can be done if safety functions do not, or only weakly, depend on an operational context. For the purpose of MODSafe, two criteria are considered to describe the operational context. These are the mode of operation and the grade of automation under regard of an unambiguous, consistent and complete functional requirement specification. 6.1 Definition of mode of operation The mode of operation can be understood as the way in which safety functions operate, according to IEC part 4 [6]. This international standard differentiates between three modes of operations with respect to the frequency of demand: low demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year; or high demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or continuous mode: where the safety function retains the EUC in a safe state as part of normal operation [6] However, it shall be noted that apart from the definition of a strict number of events (demand) per year, IEC proposes to explicitly consider the diagnostics in all three modes of operation, if the ratio of the diagnostic test rate to the demand rate equals or exceeds 100 [5]. Taking into account this ratio, any specific demand rate and the associated safety level of the safety function can be calculated for a specific case. The above categorisation is not necessary in this case. This issue will be addressed in detail in the MODSafe deliverable 4.3 and therefore, shall not be discussed in more detail in this deliverable. Additionally, IEC states that if the total demand rate arising from all the demands on the system exceeds 1 per year then the critical factor is the dangerous failure rate of the E/E/PE safety-related system. Hence, the operational mode for high demand and continuous can be treated as one, considering the demand rate. For safety functions acting in a high demand or continuous mode of operation it is expected that a failed safety function is equivalent to an unsafe state or a hazard. Expressed in a state diagram the system would turn from a safe state to an unsafe state by the wrong side failure rate of the safety function (λ SF ), see figure below. (The label µ R might be equivalent to a repair or restore rate.) 26 of 120

27 Figure 4 State diagram for continuous and high demand mode of operation However, for safety functions with a low frequency of demand, this would not necessarily be true. It is expected that for safety functions acting in a low demand mode of operation, the consequences of a hazard are not immediately severe. The probability that an accident will happen immediately after the failure of the low demand safety function is anticipated considerably lower than 1. For example, in operations with two minute headway, or even less, a train running in the wrong direction would immediately collide with other trains. Hence, a determination of the train travel direction is required to work safely in every case. But, devices for a detection of derailment can be broken with only one requirement: detect derailment if a derailment has occurred. So, a failure of a derailment detection device leads to an accident only, if a demand (a derailment) is given, which is a very rare event compared to the potential failure of travel direction. Therefore, it is assumed that for safety functions, acting not in a high demand or continuous mode of operation, other safety relevant criteria have to be considered such as the frequency of demand and the diagnostic test interval of the safety function. An approach which takes into account these considerations is presented in [19]. This perspective is in line with the IEC but the safety requirement allocation method proposed here does not take into account these issues in an appropriate manner. This process cannot be applied to these functions required in a low demand mode of operation and has to be considered separately. This issue is covered in MODSafe deliverable 4.3. Moreover, IEC part 5 corroborates the belief to select the most appropriate method for SIL allocation since the mode of operation has to be considered and some methods are only suitable for low demand mode and vice versa. For the purpose of this document, safety functions are considered which act clearly in a continuous mode of operation which might be equivalent to a frequency of demand which would be clearly more often than once a year (e.g. functions associated with train movement and passenger exchange which are in everyday use and not exceptional situations like emergency cases). Another characteristic of the analysed safety functions is that wrong side failure, are expected to lead to a hazardous situation with direct severe hazard consequences. 27 of 120

28 6.2 Grade of automation The following definitions of grade of automations (GOA) are proposed by IEC [9]. Basis of the differentiation between GOA are shared responsibilities between operational staff and the system according to the basic functions of train operation. Information which functions are realised by system or by staff can be found in Table Grade of automation 0 (GOA0): On-sight train operation In this grade of automation the driver has full responsibility and no system is required to supervise his activities. However, points and single tracks can be partially supervised by the system [9]. In terms of responsibilities for operational staff this means the following, see figure below: Ensure safe separation of trains Observation of guideway and stopping the train in hazardous situations Control of acceleration and braking Supervision of safe speed Control and supervise switches Supervision of train departure Operate train and detect hazardous situations Figure 5 GOA0 On-sight train operation Grade of automation 1 (GOA1): Non-automated train operation In this grade of automation, the driver is in the front cabin of the train observing the guideway and stops the train in the case of a hazardous situation. Acceleration and braking are commanded by the driver in compliance with wayside signals or cab-signal. The system supervises the activities of the driver. This supervision may be done at specific locations, be semi-continuous or continuous, notably in respect of the signals and the speed. Safe departure of the train from the station, including door closing, is the responsibility of the operations staff. [9] 28 of 120

29 In terms of responsibilities for operational staff this means the following: Observation of guideway and stopping the train in hazardous situations Adherence to signals Control of acceleration and braking Supervision of train departure Operate train and detect hazardous situations For GOA1 the following applications of train control and protection systems with their characteristics and safety functions are regarded in this deliverable. Train stops and wayside signals and fixed block system: Detection of trains by wayside devices as basis for safe separation of trains Authorisation of movement by wayside signals Supervision of train movements by train stops and possibly speed supervision by wayside equipment at discrete locations Danger point Train detection by wayside devices Train stops at discrete locations Speed supervision at discrete location Figure 6 GOA1 Train stops and wayside signals and fixed block system Semi continuous speed supervision and fixed block systems with wayside signals: Detection of trains by wayside devices as basis for safe separation of trains Authorisation of movement by wayside signals Supervision of train movements including permitted speed by train protection profile, which is provided at discrete locations or in dedicated areas (semi-continuous speed supervision) 29 of 120

30 Movement authority limit Speed restriction within intended route of train Train protection profile Danger point Train location relative to TPP Train detection by wayside devices Balise at discrete locations Infil-loop in dedicated areas Figure 7 GOA1 Semi continuous speed supervision and fixed block systems with wayside signals Continuous speed supervision with cab signals: Localisation of trains by reporting trains as basis for safe separation of trains Authorisation of movement by cab signals derived from train protection profile which is provided continuously Supervision of train movements including permitted speed by train protection profile Movement authority limit Speed restriction within intended route of train Train localisation by reporting trains Danger point Train location relative to TPP Train protection profile Figure 8 GOA1 Continuous speed supervision with cab signals 30 of 120

31 Continuous supervision of speed by the system and wayside signals: Localisation of trains by reporting trains as basis for safe separation of trains Authorisation of movement provided by wayside signals Supervision of train movements including permitted speed by train protection profile Movement authority limit Speed restriction within intended route of train Train localisation by reporting trains Danger point Train location relative to TPP Train protection profile Figure 9 GOA1 Continuous supervision of speed by system and wayside signals Grade of automation 2 (GOA2): Semi-automated train operation In this grade of automation, the driver is in the front cabin of the train observing the guideway and stops the train in the case of a hazardous situation. Acceleration and braking is automated and the speed is supervised continuously by the system. Safe departure of the train from the station is the responsibility of the operations staff (door opening and closing may be done automatically). [9] In terms of responsibilities for operational staff this means the following, see figure below: Observation of guideway and stopping the train in hazardous situation Supervision of train departure Operate train and detect hazardous situations 31 of 120

32 Movement authority limit Speed restriction within intended route of train Train location Authorised speed Figure 10 Responsibility of operations staff in GOA Grade of automation 3 (GOA3): Driverless train operation In this grade of automation, additional measures are needed compared to GOA2 because there is no driver in the front cabin of the train to observe the guideway and stop the train in case of a hazardous situation. In this grade of automation, a member of the operations staff is necessary onboard. Safe departure of the train from the station, including door closing, can be the responsibility of the operations staff or may be done automatically. [9] In terms of responsibilities for operational staff this means the following, see figure below: Supervision of train departure Operate train and detect hazardous situations Movement authority limit Speed restriction within intended route of train Train location Authorised speed Figure 11 Responsibility of operations staff in GOA3 32 of 120

33 6.2.5 Grade of automation 4 (GOA4): Unattended train operation In this grade of automation, additional measures are needed compared to GOA3 because there are no onboard operations staff. Safe departure of the train from the station, including door closing, has to be done automatically. More specifically, the system supports detection and management of hazardous conditions and emergency situations such as the evacuation of passengers. Some hazardous conditions or emergency situations, such as derailment or the detection of smoke or fire, may require staff interventions. [9] Fully unattended train operation does not cover responsibilities for operational staff on board of train or station. Human responsibility remains, but moves party to OCC staff and also to maintenance staff (in order to be sure that all functions are available during the mission). Movement authority limit Speed restriction within intended route of train Train location Authorised speed Figure 12 Responsibility of operations staff in GOA4 7 to be analysed The origin of the majority of the MODSafe safety functions is the international standard IEC part 2 [10], which covers functions of an urban guided transport management and command/control system (UGTMS). 7.1 Principle structure of basic functions for train operation 33 of 120

34 The principle structure of the MODSafe safety functions is taken from the IEC part 1 [9]. The table below outlines the structure. It shows general functions required for train operation as well as the associated grade of automation for each basic function. 34 of 120

35 Table 4 Grades of automation according to IEC Basic functions of train operation Ensuring safe movement of trains Driving Supervising guideway Ensure safe route Ensure safe separation of trains Ensure safe speed Control acceleration and braking Prevent collision with obstacles Prevent collision with persons on tracks On-sight train operation Nonautomated train operation Semi automated train operation Driverless train operation Unattended train operation GOA0 GOA1 GOA2 GOA3 GOA4 X (points command/ control in system) S S S S X S S S S X X (partly supervised by system) S S S X X S S S X X X S S X X X S S Supervising passenger transfer Control passenger doors X X X X S Prevent person injuries between cars or between platform and train Ensure safe starting conditions X X X X S X X X X S Set in / set off operation X X X X S Operating a train Supervise the status of the train Perform train diagnostic, Ensuring detect fire/smoke and detection and detect derailment, management handle emergency X X X X of emergency situations situations (call/evacuation, supervision) NOTE X = responsibility of operations staff (may be realised by UGTMS system) S = shall be realised by UGTMS system X X X X S S and/or staff in OCC 7.2 List of MODSafe safety functions For a selection of safety function from the following criteria are considered: The MODSafe safety function shall act as safety function ( obviously intended to be realised in an ATO or ATS subsystem are not considered.) This criterion also applies to MODSafe safety functions which are newly added to the list. 35 of 120

36 Most safety functions are directly taken from but were complemented by the work previously done in the context of the MODURBAN project. Since this draft standard is based on MODURBAN, namely on the deliverable D80 [15] compatibility to the MODURBAN work is maintained in principle. Besides, more recent considerations regarding urban guided transport management and command/control system have been taken into account during the elaboration of. Therefore, direct reference to this draft standard is appropriate. Some MODURBAN functions from D86 [16] have also been taken into account where suitable, especially those functions which were subject to risk analyses and a safety requirement allocation in D86. Compatibility and consistency with the more recent work in MODSafe shall be achieved when taking into account the D86 analyses. Complementary to the IEC and the MODURBAN analyses new functions are added or existing functions are clarified in terms of a more appropriate naming (cf. Figure 13). Especially those functions which are important for higher grades of automation, such as derailment detection, guideway intrusion detection or the detection of intruding unequipped trains have been added. Therewith, more recent developments in this field shall be considered. IEC function names and structure (complement MODURBAN list) Reviewed and discussed by WP4 Create a list of functions Select functions MODSafe example functions for WP4 MODURBAN D86 functions, risk analysis and SIL allocation process Check compatibility with MODURBAN analysis results SIL allocation to these functions Deliverable 4.2 Figure 13 General procedure of the elaboration of the list of MODSafe safety functions Each MODSafe safety function will be analysed according to the grade of automation and therefore taking into account the operational context of each function. It has been agreed for the project to concentrate efforts on safety relevant functions. Risk and safety considerations are made primarily for GOA1 to 4. In GOA0 the driver has full responsibility for safe train separation and for ensure safe speed and no technical management and command/control system is assumed to implement any of 36 of 120