Determination of Safety Level for the Train Protection System at Ringbanen in Copenhagen


Søren Randrup-Thomsen & Lars Wahl Andersen, RAMBØLL, Bredevej 2, 2830 Virum
Bent Nygaard, Banestyrelsen, Banehuset, Pakhusvej 10, 2100 København Ø

Trafikdage på Aalborg Universitet 2002 (pp. 269-277)

1 Introduction

Ringbanen will be a new S-line in Copenhagen and an improvement of the existing S-line network. Ringbanen enables quick and comfortable transfer to the existing S-line, Metro and bus lines within the central areas of Copenhagen. The new line has 12 stations along the route. Figure 1-1 shows an overview of Ringbanen and the 12 stations from Hellerup in the north to Ny Ellebjerg in the south.

Figure 1-1. The new railway line Ringbanen with the 12 stations.

In connection with the construction of Ringbanen, three train protection and interlocking systems shall be established. These systems shall provide sufficient safety for the passengers using the circle line. Requirements on the safety of train protection systems are an important issue in present and future railway projects. The basics of formulating safety measures are given in refs. [4] and [5]. The present paper describes how to formulate the requirements necessary to achieve a sufficient safety level. Furthermore, it specifies how the requirements are selected and transferred to the actual supplier of the train protection systems. Finally, examples of the chosen level of detail in these specifications are given.

2 Acceptance criteria

In order to determine a sufficient level of passenger safety, the overall acceptance criteria for Ringbanen must be specified. Various arguments for choosing an appropriate safety level are available. For Ringbanen it has been chosen to require that the overall safety level shall be at least as good as on other comparable railway systems, ref. [1]. For this reason, it is required that passenger safety on Ringbanen shall be at the same level as on S-banen, the existing S-line operating in the Copenhagen area. Furthermore, Banestyrelsen has stated an intention of increasing the present safety level, ref. [8].

The safety level (also denoted the risk) is defined as the number of passenger fatalities per passenger-km or per year. The safety level on S-banen is determined from data covering several years on the number and type of accidents, the traffic intensity and the number of passengers on S-banen. From this information, the safety level on S-banen is determined as 0.33 fatalities per billion passenger-km.
Before simply translating this into a safety level for Ringbanen, it must be considered whether the specified number can be taken as the basis for a similar specification on Ringbanen. Since part of Ringbanen is built on existing parts of S-banen and no major differences between the two lines are expected, the accident types are considered representative for Ringbanen as well. Thus, based on an expected number of passengers of 80,000 per year on Ringbanen and a total length of 11.5 km, the safety level for Ringbanen is determined as 0.027 fatalities per year.

It is noted that this acceptance criterion is an overall criterion covering all types of accidents during operation, including, amongst others, accidents on stations that are not directly related to the operation of the trains. For this reason, it is necessary to allocate parts of the overall risk to specific items such as the train protection systems.

2.1 Allocation of risk

The allocation of risk to the various items within Ringbanen may be specified either on the basis of statistical information or on the basis of political, economic or other considerations.

At present, statistical information from S-banen (with a functioning train protection system) indicates that approximately 80% of the risk originates from accidents on the stations, leaving 20% of the risk to the operation of the trains. However, since the purpose of the present analysis is to determine the safety level for the train protection system, a more detailed allocation of the risk may be carried out in order to determine the risk directly related to this part of train operation. Thus, risk related to the rolling stock and to the tracks is disregarded, leaving the risk related to the train protection systems. Furthermore, the risk related to the train protection systems can itself be divided into smaller fractions, either to reflect the level of detail in the technical specifications or to reflect differences in operational modes. The following two operational modes, which influence the train protection system, must as a minimum be specified:

Normal operation: All components of the train protection system are fully functioning.

Fall-back strategy: Some or all components of the train protection system are out of order (malfunction, maintenance, accidents etc.).

It is noted that the risk allocated to each of the two operational situations may depend on the availability of the train protection system, ref. [3] (i.e. the train protection system may be extremely safe when functioning, but may be unavailable for a large fraction of the year due to a high degree of maintenance). It is obvious that there are large differences between the mechanisms producing errors in the two cases. In the first case, normal operation, safety is related directly to the safety requirements for the software and the external equipment (cables, signals etc.). Thus, for this case, limits on the rate of errors leading to less restrictive functionality (dangerous errors) in the technical systems shall be determined.
In the second case, fall-back, safety is related to the procedures and to how the procedures are complied with, and thus depends directly on the human error rates. The allocation of risk is sketched in Figure 2-1.

Figure 2-1. Allocation of risk for Ringbanen (allocation tree; each percentage is the fraction of the parent node):

Overall acceptance criterion [fatalities per year]
  80% Stations and other locations
  20% Railway systems
    70% Tracks and rolling stock
    30% Train protection systems and remote control systems
      5% Remote control systems
      95% Train protection systems
        56% Normal functionality
        44% Operation after fall-back strategies (availability requirements)

It is seen from Figure 2-1 that by assigning an allocation ratio to each of the items, it is possible to determine the maximum acceptable number of passenger fatalities per year related to a specific item. The allocation ratios in the first row of Figure 2-1 are determined on the basis of statistics. The ratios in the second and third rows are based on expert judgement, whereas the allocation in the last row is based on overall calculations of the absolute risk associated with fall-back strategies. It is obvious that if operation after fall-back strategies never occurs (100% availability), no allocation is needed and all 100% may be allocated to normal operation. This means that the allocation ratio depends on the availability. Therefore, it is necessary to assess the availability in order to determine the safety level of the train protection system during normal operation.

3 Determination of risk contributions

The risk R is calculated as the product of the frequency f of accidents and the consequence C of the accidents. Since the two operational modes are considered separately, the risk associated with the train protection system has two contributions:

$$R_{\text{train protection system}} = R_{\text{normal}} + R_{\text{fall back}}$$

The two risk contributions are kept separate since the frequencies as well as the consequences are determined separately in the two situations. It must be expected that accidents happen more frequently when the train protection system is out of order. However, the consequences of an accident may in this case be less severe, since train velocities are lower than in the normal case and the train personnel are more alert. Thus, the two contributions are

$$R_{\text{normal}} = f_{\text{normal}} \, C_{\text{normal}} \quad \text{and} \quad R_{\text{fall back}} = f_{\text{fall back}} \, C_{\text{fall back}}$$

From the overall acceptance criterion and the subsequent allocation of risk to parts of the system, the value of $R_{\text{train protection system}}$ is given. Thus, by using a stepwise procedure, the frequency of errors during normal operation can be found. This stepwise procedure allows requirements on the safety level of the train control system during normal operation to be set in terms of a THR value (Tolerable Hazard Rate). Often, the safety level is described instead in terms of a SIL (Safety Integrity Level). The correspondence between THR and SIL is given in ref. [2]. The stepwise procedure is:

1. Determine $R_{\text{train protection system}}$ from the overall acceptance criterion and the subsequent allocation of risk to the train protection system, as shown in Figure 2-1.

2. Determine the frequency and the consequence in fall-back situations and calculate $R_{\text{fall back}} = f_{\text{fall back}} \, C_{\text{fall back}}$. The allocation ratio $\gamma$ related to fall-back situations is
$$\gamma = \frac{R_{\text{fall back}}}{R_{\text{train protection system}}}$$

3. Determine the consequence $C_{\text{normal}}$ during normal operation and calculate the frequency of errors during normal operation:
$$f_{\text{normal}} = \frac{(1 - \gamma)\, R_{\text{train protection system}}}{C_{\text{normal}}}$$

4. The requirements on the components of the train protection system shall be specified in the form of a THR value (Tolerable Hazard Rate, number of dangerous errors per hour).
Thus, since the frequency $f_{\text{normal}}$ is determined on a yearly basis, a conversion to errors per hour of operation shall be made.

3.1 Determination of risk allocated to the train protection system

The determination of this specific part of the risk can be done by using allocation ratios as given in Figure 2-1. However, considerations other than statistical background material and experience can be used to set the allocation ratios. Political reasoning, intentions of increasing safety or other requirements may govern the choice of allocation parameters.

3.2 Determination of frequency and consequence in fall-back situations

The parameters needed to estimate frequencies and consequences depend on how often fall-back situations occur (availability), on how procedures are handled during fall-back (human actions), on the type of accidents occurring if procedures are handled improperly, and on the entire system (traffic intensity, train types etc.).

Availability

The availability of the train protection system is a governing parameter for the risk contribution from fall-back situations. The availability can be determined from existing statistics, or a certain availability can be required of the supplier of the train protection system.

Human actions

In fall-back situations, accidents occur as a result of misinterpretation of procedures or errors during communication, and are thus closely related to the occurrence of various types of human error. In an overall approach, the human error can be fixed as a general probability per action; usually the value 10^-4 is used, ref. [6]. In more detailed analyses, fault tree analysis can be applied, taking into account that the probability of human error varies with the situation considered, e.g. misunderstandings, lack of attention, mistakes etc. These probabilities vary in the range 10^-1 to 10^-6 depending on the type of error and on the stress level, refs. [6] and [7].

Accident types and consequences

As with the determination of the human error probability, the determination of accident types and corresponding consequences may be more or less detailed. In an overall approach, the accident types given in Table 3-1 can be used. Besides the values for fall-back situations, values for the normal operational mode are also shown to clarify the differences between the two situations.
Table 3-1. Accident types and corresponding fatalities (C = fatalities per accident, r_i = share of accidents of each type)

Accident          C_normal   C_fall-back   Ratio r_i
Collision         5          1.25          1%
Derailment        1          0.25          2%
Other accidents   1          0.25          2%
Near miss         0          0             95%

From Table 3-1 it is seen that 0.022 fatalities are expected if an accident occurs in a fall-back situation and 0.09 in the normal operational mode (the expected consequence is the sum over accident types of r_i times C).

In a more detailed analysis, the accident types may be refined (front-front collisions, front-end collisions, derailment due to high velocity, derailment due to point errors etc.). When the accident types are refined, the number of fatalities for the various accident types should also be more detailed. Furthermore, the consequence of an error also depends on which type of component in the system is out of order (errors related to switches may cause derailments, errors related to signals may cause collisions etc.). An example of a detailed analysis, refining the human error probabilities as well as the accident types, is given in the fault tree in Figure 3-1.

Figure 3-1. Example of fault tree for the detailed risk analysis:

Front-end collision (AND)
  Train not monitored by HKT because of shunting
  Train enters illegal route (OR)
    Engine driver starts illegally
    Remote control centre gives permission to proceed on a wrongful basis
  Train already occupies route
  Train fails to stop (OR)
    Drives too fast
    Poor visibility
    Wet leaves/ice prevent stop in time
    Poor braking capacity
  Remote control centre does not intervene (OR)
    Tries to intervene, but does not have enough time
    Fails to intervene

Determination of risk contribution in fall-back situations

In the overall approach for Ringbanen, the yearly frequency of an accident is estimated on the basis of the following parameters:

Number of trains per hour = 8.7
Hours of operation per day = 19
Availability = 99.5% (corresponding to 35 hours of fall-back operation per year)
Probability of human error per action = 1·10^-4

On this basis the yearly frequency of an accident is calculated to 0.06. Hereby the risk contribution in fall-back situations becomes 6.8·10^-4 fatalities per year, corresponding to 44% of the risk allocated to the train protection systems.

3.3 Determination of frequency and consequence during normal operation

Since 44% of the risk allocated to the train protection system is used in fall-back situations, the remaining 56% should be used for the train protection system during normal operation of the trains. Thus, knowing the consequence of an accident during normal operation, estimated at 0.09 fatalities (Table 3-1), the yearly frequency of accidents is determined as 0.0081.

3.4 Determination of THR for the train control system

The estimated frequency can be converted into a THR value by taking into account the number of hours each year during which trains on Ringbanen are expected to be in operation. Hereby a THR value of 1.35·10^-6 per hour is found.
It should be emphasised that this value covers the entire train protection system, including internal objects (PLCs, software, I/O units etc.) and external objects (cables, signals etc.). Thus, if separate THR values are desired for the internal and external objects, an additional allocation of the risk must be carried out.
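The stepwise procedure of section 3 carried through in Python, as an added worked example that is not part of the paper: it takes the allocation fractions of Figure 2-1, the consequences of Table 3-1 and the fall-back parameters of section 3.2, derives $\gamma$, $f_{\text{normal}}$ and the THR, and maps the THR onto a SIL using the bands of CENELEC R009-004 / EN 50129 (10^-9 to 10^-5 dangerous failures per hour for SIL 4 down to SIL 1). It also quantifies a fault tree with the structure of Figure 3-1 and runs a sensitivity sweep over availability and the train-protection share of the kind Figure 3-2 reports. The fault-tree basic-event probabilities are constructed assumptions in the 10^-1 to 10^-6 range, and the event names are identifiers chosen here. Note that the listed fall-back parameters multiply to about 0.03 accidents per year (35 h × 8.7 trains/h × 10^-4), and 0.03 × 0.0225 fatalities per accident is what reproduces the reported 6.8·10^-4 fatalities per year; since the paper rounds its intermediate values, the THR computed here (about 1.4·10^-6) differs from the printed 1.35·10^-6 in the second digit but lands in the same SIL 1 band.

```python
"""Added worked example (not the paper's code): the stepwise THR derivation of
section 3 with the paper's parameters, plus a small fault-tree evaluator with
the structure of Figure 3-1 driven by constructed basic-event probabilities."""
from dataclasses import dataclass, replace
from math import prod

# Fault-tree quantification (structure of Figure 3-1). Basic events are assumed
# independent: an AND gate is prod(p_i), an OR gate is 1 - prod(1 - p_i).
def or_gate(*ps):
    return 1.0 - prod(1.0 - p for p in ps)

# Constructed per-action probabilities inside the 10^-1 .. 10^-6 range the paper
# quotes from Kirwan and Kletz; assumptions for illustration, not paper values.
BASIC_EVENTS = {
    "driver_starts_illegally": 1e-3, "centre_permits_wrongly": 1e-3, "drives_too_fast": 1e-2,
    "poor_visibility": 1e-1, "wet_leaves_or_ice": 1e-2, "poor_braking": 1e-3,
    "intervenes_too_late": 5e-1, "fails_to_intervene": 1e-1,
}

def front_end_collision_probability(be=BASIC_EVENTS):
    """P(collision) per unmonitored shunting move onto an occupied route (AND of 3 OR gates)."""
    enters_illegal_route = or_gate(be["driver_starts_illegally"], be["centre_permits_wrongly"])
    fails_to_stop = or_gate(be["drives_too_fast"], be["poor_visibility"],
                            be["wet_leaves_or_ice"], be["poor_braking"])
    no_intervention = or_gate(be["intervenes_too_late"], be["fails_to_intervene"])
    return prod((enters_illegal_route, fails_to_stop, no_intervention))

# Allocation tree of Figure 2-1: the fraction kept on the path to train protection.
OVERALL_RISK = 0.027  # fatalities per year for Ringbanen (section 2)
ALLOCATION = {
    "railway_systems": 0.20,         # 80% to stations and other locations
    "tps_and_remote_control": 0.30,  # 70% to tracks and rolling stock
    "train_protection": 0.95,        # 5% to remote control
}
# Table 3-1 rows: (type, C_normal, C_fall_back, ratio r_i)
ACCIDENT_TABLE = [
    ("collision", 5.0, 1.25, 0.01), ("derailment", 1.0, 0.25, 0.02),
    ("other", 1.0, 0.25, 0.02), ("near_miss", 0.0, 0.0, 0.95),
]
# THR bands (dangerous failures per hour) and the SIL each requires, per CENELEC
# R009-004 / EN 50129; a THR of 1e-5 or above carries no SIL requirement (0).
SIL_BANDS = [(1e-9, 1e-8, 4), (1e-8, 1e-7, 3), (1e-7, 1e-6, 2), (1e-6, 1e-5, 1)]

def sil_from_thr(thr):
    # below 1e-9 the standards still allocate at most SIL 4 to a single function
    return next((sil for lo, hi, sil in SIL_BANDS if lo <= thr < hi), 4 if thr < 1e-9 else 0)

def allocate(overall, ratios):
    """Risk at the leaf = overall risk x product of the fractions on the path."""
    return prod((overall, *ratios.values()))

def expected_consequence(column, table=ACCIDENT_TABLE):
    """Expected fatalities per accident, sum_i r_i C_i (column 1 = normal, 2 = fall-back)."""
    return sum(row[3] * row[column] for row in table)

@dataclass(frozen=True)
class Operation:
    trains_per_hour: float = 8.7
    hours_per_day: float = 19.0
    days_per_year: float = 365.0
    availability: float = 0.995
    p_human_error: float = 1e-4  # per action, the overall-approach value

    def hours_per_year(self):
        return self.hours_per_day * self.days_per_year

    def fallback_frequency(self):
        """Accidents per year in fall-back: unavailable hours x trains/h x P(error)."""
        unavailable_hours = (1.0 - self.availability) * self.hours_per_year()
        return unavailable_hours * self.trains_per_hour * self.p_human_error

def derive_thr(op, overall=OVERALL_RISK, ratios=ALLOCATION):
    """Steps 1-4 of section 3; raises if fall-back alone exhausts the budget."""
    r_tps = allocate(overall, ratios)                                # step 1
    r_fallback = op.fallback_frequency() * expected_consequence(2)   # step 2
    gamma = r_fallback / r_tps
    if gamma >= 1.0:
        raise ValueError("fall-back risk exceeds the budget; raise availability")
    f_normal = (1.0 - gamma) * r_tps / expected_consequence(1)       # step 3
    thr = f_normal / op.hours_per_year()                             # step 4
    return {"r_tps": r_tps, "r_fallback": r_fallback, "gamma": gamma,
            "f_normal": f_normal, "thr": thr, "sil": sil_from_thr(thr)}

def sensitivity(base, availabilities=(0.99, 0.995, 0.999), tps_shares=(0.10, 0.30, 0.50)):
    """Sweep availability and the train-protection share as Figure 3-2 does; None = no budget left."""
    rows = []
    for a in availabilities:
        for s in tps_shares:
            try:
                res = derive_thr(replace(base, availability=a),
                                 ratios=dict(ALLOCATION, tps_and_remote_control=s))
                rows.append((a, s, res["thr"], res["sil"]))
            except ValueError:
                rows.append((a, s, None, None))
    return rows

if __name__ == "__main__":
    print(f"P(front-end collision | unmonitored shunting) = {front_end_collision_probability():.2e}")
    print(derive_thr(Operation()))
    print(sensitivity(Operation()))
```

Running the file prints the three results. The sweep makes the coupling the conclusion insists on visible: at 99% availability the fall-back contribution alone exceeds a 10% train-protection budget (reported as None), and at the paper's 30% share it consumes most of the budget and pushes the normal-operation THR down into the SIL 2 band, whereas the required 99.5% availability leaves enough budget for SIL 1.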

Furthermore, it is noted that the allocation ratios used are based on statistics and engineering judgement and may vary. Figure 3-2 shows the effect of varying some of the parameters governing the THR value.

Figure 3-2. Sensitivity analysis of the THR value for the train protection system. (THR in occurrences of dangerous errors per hour on a logarithmic axis from 10^-9 to 10^-5 with the SIL 4 to SIL 1 bands marked; the parameters varied are the shares allocated to railway systems, to train protection, to remote control and to fall-back strategies, and the near-miss ratio.)

It is seen that varying the important input parameters changes the THR value. However, the changes are limited, and in general the THR value for Ringbanen will correspond to a Safety Integrity Level (SIL) between 1 and 2, ref. [2].

4 Conclusion

In the present paper, a method for determining the required safety level for a train protection system has been demonstrated. It is shown that the determination relies on certain requirements in the form of an overall acceptance criterion and of the availability of the train protection system. The overall THR value for the train protection system at Ringbanen has been determined and corresponds to a SIL between 1 and 2. The basis for this determination is an overall acceptance criterion stating that the safety on Ringbanen should be at least as good as on other comparable railways. Furthermore, it is not sufficient for the supplier to demonstrate SIL 1-2 for the train protection system. Simultaneously, an availability of 99.5% has to be demonstrated in order to fulfil the requirements on the overall safety level.

5 References

[1] Acceptkriterier for Ringbanen [Acceptance criteria for Ringbanen], RAMBØLL for Banestyrelsen, August 2001
[2] Railway applications. Systematic allocation of safety integrity requirements, CENELEC Report R009-004, June 2001
[3] Railway applications. The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS), EN 50126, CENELEC, September 1999
[4] Railway applications. Software for railway control and protection systems, prEN 50128, CENELEC, May 2000
[5] Railway applications. Safety related electronic systems for signalling, ENV 50129, CENELEC, May 1998
[6] A Guide to Practical Human Reliability Assessment, Barry Kirwan, Taylor & Francis, 1994
[7] An Engineer's View of Human Error, Trevor A. Kletz, Institution of Chemical Engineers, Rugby, UK, 1991
[8] Oplæg om Jernbanesikkerhed [Paper on railway safety], Banestyrelsen, September 2000
[9] Funktionsudbud for Sikringanlæg og Togkontrol med tilhørende Bilagsmapper [Functional tender for interlocking and train control with accompanying annex folders], Banestyrelsen, Ringbanen Baneteknik, December 2001