A study on the relation between safety analysis process and system engineering process of train control system


Eui-Jin Joung, Jong-Woo Lee
Railway Signaling Telecommunication Research Team, Korea Railroad Research Institute (KRRI)
374-1, Woulam-dong, Uiwang-city, Kyonggi-do, 437-5, Korea. Email : {ejjoung, jwlee}@krri.re.kr

Yang-Mo Kim
Electrical Engineering Department, Chungnam National University
22, Kung-dong, Taejon-city, 35-764, Korea. Email : ymkim@ee.chungnam.ac.kr

Abstract - In this paper, the relationship between the system engineering lifecycle and the safety lifecycle is investigated. The V diagram and the IEC 61508 model are presented for both lifecycle models. The V diagram clearly shows the flow of information between phases, but it does not show the amount of work involved in each stage. The IEC 61508 model describes the activities to be performed during each phase of the lifecycle. A risk assessment for a level crossing is also presented. By pursuing a pre-certified process to reduce the risk, it is shown that the risk level of the level crossing used in the Korean railway network is within the previously determined ALARP level.

Keywords : Lifecycle, safety engineering, system engineering, Level Crossing, Risk Assessment

1. Introduction

Having identified not only advantages but also disadvantages to the use of computers within safety-related systems, it is clear that a programmable solution will not always be ideal for a given application. However, in many cases the advantages outweigh the problems and a computer-based approach is adopted. In certain circumstances a computer-based system is the only viable method of producing the required functions. The train control system is also a computerized system. To analyze the train control system in all of its phases, we investigate the various lifecycle models used for train control systems. Mainly the V diagram and the IEC 61508 model are presented for the investigation of the relation between system engineering and safety engineering. For the quantitative analysis, the risk analysis of a level crossing is presented.

2. Lifecycle model

Lifecycle models can be used as a means of describing the development of a safety-critical system. A number of models have been devised to describe the various phases of a development project. Like all development projects, the process of developing a safety-related computer system has various phases, and these may be represented diagrammatically using a lifecycle model.

2.1 The system engineering lifecycle

An example of a widely used development lifecycle model is the V diagram. This model may be expanded to indicate the outcome of each phase. It may also show the flow of information between phases. A relatively simple example is shown in Figure 1. In this model, data from early phases is used at a later stage. More precisely, the V model clearly illustrates the outcome of each phase of the development process and also indicates the flow of information between phases. However, it does not show the amount of work involved in each stage or when that effort will be required.

Figure 1. V diagram for the system engineering lifecycle. Development phases, from the service to be provided down the left-hand arm and up the right-hand arm: requirements analysis, specification, top level design, detailed design, module design, construction/coding, module test, system integration, system test, certification. Output from each phase: requirements document, specification, design specification, modules, tested module, integrated system, verified system, certified system.

Another widely used lifecycle model is that of IEC 61508, shown in Figure 2. The model separates the realization of the system into three sections to represent the different aspects of the implementation: electrical/electronic/programmable electronic systems, other technologies, and external facilities. IEC 61508 also considers the impact of modifications during the system's life. The standard describes in detail the activities to be performed during each phase of the lifecycle and outlines the inputs and outputs of each phase.

Figure 2. Lifecycle model from IEC 61508. Phases:
1. Concept
2. Overall scope definition
3. Overall system requirements
4. System requirements allocation
Overall planning: 5. Overall operation & maintenance; 6. Overall validation; 7. Overall installation & commissioning
Realization: 8. Electrical/electronic/programmable; 9. Other technologies; 10. External facilities
11. Overall installation & commissioning
12. Overall validation
13. Overall operation & maintenance
14. Overall modification & retrofit
15. Decommissioning

2.2 The safety lifecycle

Various lifecycle models exist; some are suited to corporate planning, others to resource management or costing. Figure 3 shows a typical safety lifecycle. This model emphasizes a top-down approach to design, as shown on the left-hand arm of the diagram, and a bottom-up approach to testing, as shown on the right-hand arm. In safety-critical applications, this model may also be used to focus attention on the safety aspects of the project.

The starting point is determined by the system requirements. Generally the term requirements is taken to represent an almost abstract definition of what the system should do. These abstract requirements must then be formalized into a functional requirements document. Once the functional requirements of the system have been established, hazard and risk analyses are performed to identify potential dangers in the system and to allocate an overall level of integrity. The safety requirements of the system are derived from the hazard and risk analyses. In order to ensure safety, the safety requirements define what the system must and must not do.

Once a specification has been produced, this is used as the basis for the top-level design that defines the system architecture. One of the major aspects of this process is to partition the system into hardware and software. This hardware-software trade-off is a vital part of the design and must take into account many diverse considerations. In the architectural design phase, the project is split into a number of more manageable modules to simplify the design and testing processes. The detailed design of the hardware and the software of each module then follows. When this design stage is complete the modules will be constructed and tested individually. This testing forms part of the process of verification that is used to establish that each module satisfies its specification. Verification continues throughout the lifecycle and forms an important aspect of each phase. Once the various modules have been completed and verified, the process of system integration may begin. Once the system is complete and appears to be functioning correctly, the verification and validation of the entire system may begin. The final stage is to convince some external regulating body that the system is safe. For any system that is safety related, a more detailed hazard and risk analysis phase is required in order to determine an appropriate integrity level for the project.

Figure 3. V diagram for the safety lifecycle. Left-hand (top-down) arm: requirements, hazard and risk analysis, specification, architectural design, module design, module construction and testing. Right-hand (bottom-up) arm: system integration and testing, system verification, system validation, certification, completed system.

IEC 61508 also describes an overall safety lifecycle, as shown in Figure 4. This again covers all aspects of a system's life, from conception to decommissioning, and also considers the diverse aspects of its realization. The form of the safety lifecycle is very similar to that of the system lifecycle, with the addition of a phase concerned with hazard and risk analysis. The importance of the safety lifecycle is that it focuses attention on the safety aspects of each phase of the development process. Each phase has an input, a defined function and an associated output or deliverable. This lifecycle provides a mechanism for verifying the results of each of the activities relevant to the safety of the system.

Phases 1-4 of Figure 4 are concerned with determining the overall characteristics of the system and looking at its safety implications. The results of the preliminary hazard and risk analysis determine the techniques to be applied. Conceptually, the hazard and risk analysis of phase 3 of this model is used within phase 4 to determine the appropriate integrity level for the system. Within phase 5, the various safety requirements identified in phase 4 are allocated to appropriate safety-related systems. In the system, high complexity should be avoided wherever possible. The safety of a system is determined not only by its design and development, but also by how it is installed, used and maintained. For this reason an overall strategy for commissioning, operation and maintenance is established at an early stage in the development process. Boxes 9, 10 and 11 of the safety lifecycle are concerned with the design and implementation of the various safety-related systems and features. Following the implementation of the various safety-related systems, these are combined during installation (phase 12), and the complete system then begins a process of validation and, if necessary, certification (phase 13). The operation and maintenance stages of the system's life are covered by phase 14 and any modification or retrofitting by phase 15. The eventual decommissioning of the system is addressed by phase 16.

Figure 4. Overall safety lifecycle from IEC 61508. Phases:
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall system requirements
5. Safety requirements allocation
Overall planning: 6. Overall operation & maintenance; 7. Overall validation; 8. Overall installation & commissioning
Realization: 9. Safety-related systems: electrical/electronic/programmable; 10. Safety-related systems: other technologies; 11. External risk reduction facilities
12. Overall installation & commissioning
13. Overall safety validation
14. Overall operation & maintenance
15. Overall modification & retrofit (back to the appropriate overall safety lifecycle phase)
16. Decommissioning

For system validation and certification in phase 13, the safety case is documented and adopted. The safety case is a record of all the safety activities associated with a system throughout its life. One of the most important uses of the safety case is to support an application for certification. Here the regulatory authority will be looking for evidence that all potential hazards have been identified and that appropriate steps have been taken to deal with them. The safety case must also demonstrate that appropriate development methods have been adopted and that these have been performed correctly. One of the problems associated with the production of a safety case is that the issues concerned are always multidisciplinary. It may therefore be appropriate, and necessary, to involve staff with expertise in areas such as computer software, computer hardware, analogue electronics, electrical engineering, mechanical engineering, pneumatics, hydraulics, human factors and psychology. This will involve numerous steps that in some ways resemble the components of a mathematical proof. For this reason, the production of the safety case represents one of the most difficult and most demanding aspects of the development of safety-critical systems. Figure 5 represents the interaction in engineering safety management among the safety authority, the project, the independent safety assessor and the customer.

Figure 5. Interaction in engineering safety management. Participants: Safety Authority, Project, Independent Safety Assessor, Customer. Sequence of activities: prepare preliminary safety plan; establish hazard log; endorse preliminary safety plan; identify and analyze hazards; assess risk; establish safety requirements; endorse safety requirements; prepare safety plan; endorse safety plan; implement safety plan; commission safety assessment; perform safety assessment; issue safety assessment report; prepare safety case; endorse safety case; safety approval; transfer safety responsibility.

3. Risk assessment

3.1 Background

The subject of the analysis is the operation of an automatic level crossing. The aim of this risk assessment is to determine whether changes are required in order to reduce the risk presented by the automatic level crossing so that it is compliant with the ALARP principle. The level crossing specified for the calculation is Balan on the Korean railway network. According to the level crossing data, 14 road vehicles per hour use this crossing and 368 trains pass this point per day. Its classified rank is 1st class. In the Korean railway network there are 3 classes of level crossing, described in Table 1.

Table 1. Types of level crossing in the Korean railway network

Classification   Description
1st class        Barrier, alarm and sign are operated day and night.
2nd class        Barrier, alarm and sign are operated by day only.
3rd class        Alarm and sign are operated.

3.2 Hazard Identification

The frequency and severity of each hazard have been estimated using Table 2. For each hazard, the estimated frequency and severity have been multiplied to obtain the hazard rank.
- Estimated hazard : Failure of level crossing
- Estimated frequency : 2 (10 to 100 years)
- Estimated severity : 4 (Single fatality)
- Hazard rank : 8

Table 2. Estimated hazard rank (rank = frequency × severity)

                                      Severity
Frequency                             Multiple     Single      Multiple        Major      Minor
                                      fatalities   fatalities  major injuries  injuries   injuries
                                      = 5          = 4         = 3             = 2        = 1
Daily to monthly                = 5   25           20          15              10         5
Monthly to yearly               = 4   20           16          12              8          4
1 to 10 years                   = 3   15           12          9               6          3
10 to 100 years                 = 2   10           8           6               4          2
Less than once per 100 years    = 1   5            4           3               2          1

3.3 Causal Analysis

Causal analysis has been conducted to estimate the annual frequency of occurrence of each hazard. The fault tree used to evaluate the frequency of occurrence of the hazard is presented in Figure 6.
- Because an average of 368 trains traverse the crossing per day and protection is required for each train for a period of approximately 30 seconds, the probability of the event Train near level crossing is as follows: Probability = (30 × 368) / (3600 × 24) = 0.128
- The probability of the event Controller indicates route clear when occupied is 4.0×10^-2 per annum per controller.
- The probability of the event Track circuit failure is 3.0×10^-2 per annum.
- The probability of the event Communication failure is 2.0×10^-2 per annum.
- The probability of the event Timing sequence failure is 1.0 per annum.

Using the above values, the probability of the hazard has been determined as follows:
((3.0×10^-2 + 2.0×10^-2) + 4.0×10^-2 + 1.0) × 0.128 = 0.14
Note that the probability of the hazard is dominated by the probability of the event Timing sequence failure.
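The fault-tree arithmetic of section 3.3, and its re-evaluation with the "greater crossing time" option of section 3.7, worked as an added example. This is not code from the paper: the tree structure (OR gates summed, AND gate multiplied) is taken from the calculation above, the event probabilities are the ones quoted there, and the `exact` mode, the risk-reduction-worth ranking and the `with_mitigation` helper are additions of this example.

```python
from typing import Dict, List, Union

# Constructed input: the per-annum event probabilities quoted in section 3.3.
BASE_PROBS: Dict[str, float] = {
    "Track circuit failure": 3.0e-2,
    "Communication failure": 2.0e-2,
    "Controller indicates route clear when occupied": 4.0e-2,
    "Timing sequence failure": 1.0,
}


def train_near_probability(trains_per_day: int = 368, seconds_per_train: int = 30) -> float:
    """Fraction of the day during which a train is near the crossing and protection is needed."""
    return (seconds_per_train * trains_per_day) / (3600 * 24)


class Event:
    """Basic event of the fault tree."""
    def __init__(self, name: str, prob: float):
        self.name, self.prob = name, prob


class Gate:
    """AND/OR gate combining basic events and sub-gates."""
    def __init__(self, name: str, kind: str, inputs: List[Union[Event, "Gate"]]):
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.name, self.kind, self.inputs = name, kind, inputs


def build_tree(probs: Dict[str, float]) -> Gate:
    """The Figure 6 tree: top AND gate = (OR of protection failures) AND (train near crossing)."""
    gate3 = Gate("Train fails to activate controller", "OR", [
        Event("Track circuit failure", probs["Track circuit failure"]),
        Event("Communication failure", probs["Communication failure"]),
    ])
    gate2 = Gate("Failure to protect crossing", "OR", [
        gate3,
        Event("Controller indicates route clear when occupied",
              probs["Controller indicates route clear when occupied"]),
        Event("Timing sequence failure", probs["Timing sequence failure"]),
    ])
    return Gate("Failure of level crossing to protect public from train", "AND",
                [gate2, Event("Train near crossing", train_near_probability())])


def evaluate(node: Union[Event, Gate], exact: bool = False) -> float:
    """exact=False reproduces the paper's arithmetic (OR = sum of inputs, AND = product).
    exact=True treats the inputs as independent probabilities (OR = 1 - prod(1 - p))."""
    if isinstance(node, Event):
        return node.prob
    values = [evaluate(child, exact) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    if not exact:
        return sum(values)  # rare-event approximation used in the paper
    none_occur = 1.0
    for v in values:
        none_occur *= (1.0 - v)
    return 1.0 - none_occur


def hazard_probability(probs: Dict[str, float], exact: bool = False) -> float:
    return evaluate(build_tree(probs), exact)


def with_mitigation(probs: Dict[str, float], event: str, factor: float) -> Dict[str, float]:
    """Copy of the inputs with one basic event's probability scaled by `factor`."""
    revised = dict(probs)
    revised[event] = probs[event] * factor
    return revised


def risk_reduction_worth(probs: Dict[str, float]) -> Dict[str, float]:
    """Drop in hazard probability if each basic event were eliminated (probability set to 0)."""
    base = hazard_probability(probs)
    return {name: base - hazard_probability(with_mitigation(probs, name, 0.0)) for name in probs}


def dominant_event(probs: Dict[str, float]) -> str:
    worth = risk_reduction_worth(probs)
    return max(worth, key=worth.get)


if __name__ == "__main__":
    print(f"P(train near crossing)     = {train_near_probability():.3f}")
    print(f"hazard, paper's arithmetic = {hazard_probability(BASE_PROBS):.3f}")
    print(f"hazard, exact OR gates     = {hazard_probability(BASE_PROBS, exact=True):.3f}")
    print(f"dominant basic event       = {dominant_event(BASE_PROBS)}")
    mitigated = with_mitigation(BASE_PROBS, "Timing sequence failure", 0.1)
    print(f"hazard with option 2       = {hazard_probability(mitigated):.3f}")
```

Two points are worth checking when reproducing this. First, the summed OR gate comes to 1.09, which exceeds 1 because the 1.0 per annum quoted for the timing sequence failure is a frequency rather than a probability; the 0.14 result is therefore best read as an expected number of hazard occurrences per year, and the `exact` mode (which saturates at the train-presence fraction 0.128) shows how far the approximation is being stretched. Second, reducing the timing failure by an order of magnitude, as section 3.7 does, gives about 2.4×10^-2 with these inputs, slightly above the 2.0×10^-2 quoted there.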

Figure 6. Fault tree for the hazard. Top event "Failure of level crossing to protect public from train" (Gate1) = "Failure to protect crossing" (Gate2) AND "Train near crossing" (Event1). Gate2 = "Train fails to activate controller" (Gate3) OR "Controller indicates route clear when occupied" (Event2) OR "Timing sequence failure" (Event3). Gate3 = "Track circuit failure" (Event4) OR "Communication failure" (Event5). The gate logic is that applied in the calculation of section 3.3 (OR inputs summed, AND inputs multiplied).

3.4 Consequence Analysis

The particular method of consequence analysis used to analyze this hazard is the cause-consequence modeling technique. This is an inductive method of analysis in which the hazard is displayed at the bottom of a decision-tree structure. Possible protective barriers affecting event escalation are then identified, classified and assessed. The simple cause-consequence models constructed to investigate the consequences are presented in Figure 7. From the data given above, 14 vehicles use the crossing per hour, each taking 3 seconds, and about 200 pedestrians use the crossing per day, each taking 9 seconds. Trains run for 17.5 hours per day on this line, so the probability of a vehicle or pedestrian being present at the crossing at any given time is as follows: Probability = (336 × 3 + 200 × 9) / (3600 × 17.5) = 4.5×10^-2. At this crossing point, the trains carrying 1 cars have a running speed of 1 km/h.

Figure 7. Cause-consequence model for the hazard. Starting from "Failure of level crossing to protect public from train", the pedestrian branch considers whether a pedestrian is at the crossing (Prob=0.1 / 0.9), whether the pedestrian notices the train and takes avoiding action (Prob=0.9 / 0.1) and whether the pedestrian is hit by the train (Prob=0.5 / 0.5); the road user branch considers whether another road user is at the crossing (Prob=0.1 / 0.9), whether the road user notices and makes a controlled stop (Prob=0.9 / 0.1), whether the road user takes successful emergency action (Prob=0.7 / 0.3) and whether the road user strikes the train (Prob=0.3) or the crossing (Prob=0.7). Outcome probabilities given the hazard: safe condition 0.99, train hits pedestrian 5.0×10^-3, near miss (1) 5.0×10^-3, safe condition 0.99, near miss (2) 7.0×10^-3, road user strikes train 9.0×10^-4, road user strikes crossing 2.1×10^-3.

3.5 Loss Analysis

Loss analysis has been conducted to determine the magnitude of potential safety losses associated with each hazard. Table 3 presents details of the loss modeling conducted. The incidents have been taken from the cause-consequence diagram. The following incidents were identified:
- Safe condition
- Near miss
- Train hits pedestrian
- Road user strikes train
- Road user strikes crossing

It has been assumed that no losses arise from a safe condition. It has also been assumed that:
- The incident Train hits pedestrian results in no injuries to passengers, but 1 fatality to a member of the public.
- The incident Road user strikes train results in 2 minor injuries to passengers, and a single major injury to a member of the public.
- The incident Road user strikes crossing results in 1 minor injury to passengers, and 1 major injury to a member of the public.

Using the currently accepted convention, the potential equivalent fatality (PEF) is represented in Table 3. The annual frequency of each incident has been determined by multiplying the estimated frequency of the hazard by the estimated probability of the hazard leading to the incident once the hazard has occurred.

Table 3. Results of loss analysis for the hazard

Incident                     Frequency     Safety loss per incident (PEF)   Safety loss per annum (PEF)
                             (per annum)   Passenger     Public             Passenger     Public
Train hits pedestrian        7.0×10^-4     -             1                  -             7.0×10^-4
Near miss (1)                7.0×10^-4     -             -                  -             -
Near miss (2)                9.8×10^-4     -             -                  -             -
Road user strikes train      1.2×10^-4     10^-2         0.1                1.2×10^-6     1.2×10^-5
Road user strikes crossing   2.9×10^-4     5×10^-3       0.1                2.9×10^-6     2.9×10^-5
Total per annum                                                             4.1×10^-6     7.4×10^-4

3.6 Option Analysis

Both structured brainstorming and a suitable checklist have been used to identify potential risk mitigation options for the hazard. Table 4 presents the risk mitigation options that have been identified.

Table 4. Result of options analysis

Hazard description: Failure of level crossing to protect the public from passing trains (wrong side failure of level crossing)
Hazard rank: 8
Options:
1. Modify crossing to have a more reliable controller
2. Modify crossing sequence to provide greater crossing time
3. Rewire cable to controller to replace degraded cabling

3.7 Impact Analysis

The result of the analysis of one of the options, modifying the crossing sequence to provide greater crossing time, is presented. With this option, the probability of the event Timing sequence failure can be reduced by an order of magnitude. Applying this revised failure probability within the previous causal analysis of the hazard leads to a reduced annual probability of occurrence of the hazard of 2.0×10^-2. The results of this revised analysis are presented in Table 5.

Table 5. Results of loss analysis for the hazard (with mitigation)

Incident                     Frequency     Safety loss per incident (PEF)   Safety loss per annum (PEF)
                             (per annum)   Passenger     Public             Passenger     Public
Train hits pedestrian        1.0×10^-4     -             1                  -             1.0×10^-4
Near miss (1)                1.0×10^-4     -             -                  -             -
Near miss (2)                1.4×10^-4     -             -                  -             -
Road user strikes train      1.8×10^-5     10^-2         0.1                1.8×10^-7     1.8×10^-6
Road user strikes crossing   4.2×10^-5     5×10^-3       0.1                2.1×10^-7     4.2×10^-6
Total losses per annum (with mitigation) (A)                                3.9×10^-7     1.1×10^-4
Total losses per annum (without mitigation) (B)                             4.1×10^-6     7.4×10^-4
Total mitigated losses per annum (B-A)                                      3.7×10^-6     6.3×10^-4

3.8 Demonstration of ALARP and compliance

We can define three groups exposed to the risks of the railway's operations: employees (track side staff), passengers and the public. The average risk of fatality per annum for an individual in each group is represented in Table 6.

Table 6. ALARP and benchmark criteria for all of the railway's operations (per annum)

Group       Upper limit of tolerability   Broadly acceptable bound   Benchmark
Employee    10^-3                         10^-6                      10^-4
Passenger   10^-4                         10^-6                      10^-5
Public      10^-4                         10^-6                      10^-5

Automatic level crossings contribute 10%, 20% and 50% of the total risk of all operations to employees, passengers and the public respectively. There are 1,800 crossings in the railroad network. Hence, the fraction of total safety risk associated with one automatic level crossing can be taken as follows:
- fraction of total safety risk to employees = (1 × 0.1) / 1,800 = 5.5×10^-5
- fraction of total safety risk to passengers = (1 × 0.2) / 1,800 = 1.1×10^-4
- fraction of total safety risk to public = (1 × 0.5) / 1,800 = 2.8×10^-4

The apportioned ALARP and benchmark criteria are determined by multiplying the criteria of Table 6 by these fractions. The resulting apportioned criteria are given in Table 7.

Table 7. Apportioned ALARP and benchmark criteria (per annum)

Group       Apportioned upper limit   Apportioned broadly     Apportioned benchmark
            of tolerability           acceptable bound
Employee    5.5×10^-8                 5.5×10^-11              5.5×10^-9
Passenger   1.1×10^-8                 1.1×10^-10              1.1×10^-9
Public      2.8×10^-8                 2.8×10^-10              2.8×10^-9

In order to determine the total safety losses, the estimated safety losses associated with each of the hazards have been summed together.

Table 8. Total safety losses

Group       Total safety losses associated with the undertaking per annum
Employee    -
Passenger   7.8×10^-7
Public      2.2×10^-4

It is estimated that 10,000 different individuals are regular daily users of the crossing. The average risk to each of these individuals is presented in Table 9.

Table 9. Average safety losses per individual

Group       Average safety losses per individual per annum
Employee    -
Passenger   7.8×10^-11
Public      2.2×10^-8

From Table 9, the average risk to a member of the public lies between the apportioned broadly acceptable bound and the apportioned upper limit of tolerability. It is therefore necessary to determine the risk mitigation measures that should be applied in order to reduce the risk to the ALARP level. We can consider risk mitigation options, each associated with direct costs per annum, net costs per annum, annual mitigated safety loss, and annual monetary value of mitigated loss, and the most appropriate option should be selected among them. From this analysis, we can choose an appropriate value, 7.9×10^-4. The residual risk of the undertaking after implementation of this option is as follows:
Residual risk = 2.2×10^-4 - 2.199×10^-4 = 1.0×10^-7 per annum.
The average residual risk to each of the 10,000 regular daily users of the crossing is 1.0×10^-11 per annum. This is less than the apportioned benchmark.

4. Conclusion

The relationship between the system engineering lifecycle and the safety lifecycle has been investigated. The V diagram and the IEC 61508 model were presented for both lifecycle models. The V diagram clearly shows the flow of information between phases, but it does not show the amount of work involved in each stage. The IEC 61508 model describes the activities to be performed during each phase of the lifecycle. A risk assessment for a level crossing was also presented, the object being a specified level crossing used in the Korean railway network. By pursuing a pre-certified process to reduce the risk, it is shown that the risk level of the level crossing is within the previously determined ALARP level.

[Reference]
1. International Electrotechnical Commission, IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems.
2. CENELEC Draft prEN 50126, Railway applications - The specification and demonstration of dependability, reliability, availability, maintainability and safety (RAMS).
3. CENELEC Draft prEN 50128 : 1998, Railway applications - Software for railway control and protection systems.
4. CENELEC ENV 50129 : 1998, Railway applications - Safety related electronic systems for signalling, May 1998.
5. HMRI, Guide to the Approval of Railway Works, Plants and Equipment, Health and Safety Executive, 1994.
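The loss analysis of section 3.5, its revised form in section 3.7 and the ALARP apportionment of section 3.8, worked end to end as an added example (not code from the paper). The conditional outcome probabilities are read from the Figure 7 leaves, the injuries per incident from the section 3.5 assumptions, and the criteria, risk shares and 1,800 crossings from section 3.8; the PEF weights (fatality 1, major injury 0.1, minor injury 0.005) are an assumption of this example that reproduces the per-incident losses in Tables 3 and 5, and the `classify` function with its three bands is an addition of this example.

```python
from typing import Dict, Tuple

# Conditional probability of each incident once the hazard has occurred (Figure 7 leaves).
OUTCOME_PROB: Dict[str, float] = {
    "Train hits pedestrian": 5.0e-3,
    "Near miss (1)": 5.0e-3,
    "Near miss (2)": 7.0e-3,
    "Road user strikes train": 9.0e-4,
    "Road user strikes crossing": 2.1e-3,
}

# Assumed potential-equivalent-fatality weights for the injury classes of section 3.5.
PEF: Dict[str, float] = {"fatality": 1.0, "major": 0.1, "minor": 0.005}

# Injuries per incident, per exposed group, from the section 3.5 assumptions.
INJURIES: Dict[str, Dict[str, Dict[str, int]]] = {
    "Train hits pedestrian":      {"passenger": {},           "public": {"fatality": 1}},
    "Near miss (1)":              {"passenger": {},           "public": {}},
    "Near miss (2)":              {"passenger": {},           "public": {}},
    "Road user strikes train":    {"passenger": {"minor": 2}, "public": {"major": 1}},
    "Road user strikes crossing": {"passenger": {"minor": 1}, "public": {"major": 1}},
}


def pef_per_incident(injuries: Dict[str, int]) -> float:
    """Safety loss per incident in PEF: weighted sum of the injuries it causes."""
    return sum(PEF[kind] * count for kind, count in injuries.items())


def incident_frequencies(hazard_freq: float) -> Dict[str, float]:
    """Annual incident frequency = hazard frequency x conditional outcome probability."""
    return {name: hazard_freq * p for name, p in OUTCOME_PROB.items()}


def safety_loss_per_annum(hazard_freq: float) -> Dict[str, float]:
    """Per-group annual safety loss (PEF per annum), i.e. the totals row of Tables 3 and 5."""
    totals = {"passenger": 0.0, "public": 0.0}
    for name, freq in incident_frequencies(hazard_freq).items():
        for group in totals:
            totals[group] += freq * pef_per_incident(INJURIES[name][group])
    return totals


# Table 6 criteria per annum: (upper limit of tolerability, broadly acceptable bound, benchmark).
CRITERIA: Dict[str, Tuple[float, float, float]] = {
    "employee":  (1e-3, 1e-6, 1e-4),
    "passenger": (1e-4, 1e-6, 1e-5),
    "public":    (1e-4, 1e-6, 1e-5),
}
RISK_SHARE = {"employee": 0.10, "passenger": 0.20, "public": 0.50}  # share of total risk from crossings
N_CROSSINGS = 1800


def apportioned_criteria(group: str) -> Tuple[float, float, float]:
    """Table 7: Table 6 criteria scaled by the fraction of risk carried by one crossing."""
    fraction = RISK_SHARE[group] / N_CROSSINGS
    return tuple(c * fraction for c in CRITERIA[group])


def average_individual_risk(total_loss: float, regular_users: int = 10_000) -> float:
    return total_loss / regular_users


def classify(group: str, individual_risk: float) -> str:
    """Place an individual's annual risk against the apportioned ALARP bands for the group."""
    upper, broadly_acceptable, _benchmark = apportioned_criteria(group)
    if individual_risk > upper:
        return "intolerable"
    if individual_risk < broadly_acceptable:
        return "broadly acceptable"
    return "ALARP region"


if __name__ == "__main__":
    for hazard_freq, label in ((0.14, "without mitigation"), (2.0e-2, "with option 2")):
        loss = safety_loss_per_annum(hazard_freq)
        print(f"{label}: passenger {loss['passenger']:.2e}, public {loss['public']:.2e} PEF/yr")
    for group, total in (("passenger", 7.8e-7), ("public", 2.2e-4)):   # Table 8 values
        risk = average_individual_risk(total)
        print(f"{group}: {risk:.2e} per individual per year -> {classify(group, risk)}")
    print(f"public residual risk 1.0e-11 -> {classify('public', 1.0e-11)}")
```

With the hazard frequency of 2.0×10^-2 the totals match Table 5 (3.9×10^-7 passenger, 1.06×10^-4 public); the public average of 2.2×10^-8 falls in the ALARP region, as section 3.8 concludes, and the residual 1.0×10^-11 after mitigation falls below the broadly acceptable bound. Note that with the unmitigated 0.14 the passenger loss for "road user strikes crossing" comes to 1.45×10^-6 under the 5×10^-3 weight, not the 2.9×10^-6 printed in Table 3, so that one Table 3 cell is not reproduced by these weights.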