Guide for the application of the CSM design targets (CSM-DT)

Presentation transcript:

Guide for the application of the CSM design targets (CSM-DT). Annex 5, Example 2: Train door opening authorization. 29-30/11/2016, ERA workshop, Valenciennes. Olivier CASTELLANI, SNCF – Rolling Stock – Project Manager for High Speed Train international homologation.

Summary
- System definition of the technical system under assessment
- List of functions of the technical system under assessment
- Scope, assumptions and limits of the risk assessment
- Hazard identification and classification
- Applicability of CSM DT
- Setting up of the applicable category of CSM DT
- Allocated quantitative requirements, and alternative solutions or cases
- Conclusions from the risk assessment and allocation of the CSM DT category

System definition of the technical system under assessment
(Diagram of the inputs to the door opening decision.) Local information: door opening request by passenger; detection of platform in front of the door. Generic train information: train at stop; train in a station; driver's authorization. Both are processed (through software, electronics, …) to command the local door actuator opening.

System definition of the technical system under assessment
(Block diagram.) Central controller: inputs are speed, "in a station" and driver's authorization; it sends the generic train information to every local controller. Local controller (door 1 … door n): inputs are the generic train information plus the local information for each door (passenger pushes button, door in front of platform); output is "open door" to the door 1 … door n actuator.

List of functions of the technical system under assessment
The technical system under assessment is limited to 2 functions:
1. Open door (in authorized situations), i.e. when: the train is at stop; the train is in a station (e.g. balise at station entry); the driver has authorized the opening; the door is in front of a platform; a passenger requests the opening.
2. Close door: on driver's request (or train controller); if the train is no longer at stop; if the train is no longer in a station.

Scope, assumptions and limits of the risk assessment
- The train under consideration is not a suburban train. Therefore it is considered that only a few people might be standing in front of the door => if a single train door opens while not requested to, only a small number of passengers will be endangered.
- The train speed information is provided by a speed measurement system (e.g. tachymeter).
- All generic train information (train at stop, train in a station, etc.) is grouped into a common failure named "central controller" => the failure may come from the central controller itself, or from the information sent to it (e.g. "speed detector always sends a 0 km/h speed").
- Only the technical components installed inside the rolling stock are considered in this function.

Hazard identification and classification: functional FMEA
Columns: Function | Functional failure mode | Technical local consequence (Hazard) | At stop | During circulation | Single door | Several / all doors | Consequences for train
Function: Door opening
- Does not start => Door does not open. At stop: X; during circulation: NA. Single door: passenger traffic is delayed, train is delayed. Several / all doors: emergency evacuation hindered / impossible.
- Starts when not asked to => Door open when not authorized. Single door at stop: fall of a passenger (the one leaning on the door). Single door during circulation: fall of multiple passengers (aspiration effect). Several / all doors: fall of multiple passengers.
- Does not stop when asked to => Door stays open (cannot close). Train is delayed (until the door(s) is/are condemned). If too many doors malfunction, the train will be cancelled.
- Stops when not asked to => Door stops opening (incomplete opening).
- Delay in response => Delay in door opening. Passenger traffic is delayed, train is delayed.
- Degraded output (e.g. wrong output value) => Door opens abruptly / too fast. Passenger may have light injury.
Function: Door closing (hazards, in the same order of failure modes): Door does not close; Door closes when not asked to; Door stays closed (cannot open); Door stops closing (incomplete closing); Delay in door closing; Door closes abruptly / too fast.

Hazard identification and classification: extract of the functional FMEA (merge of identical technical local consequences)
Columns: Technical local consequence (Hazard) | Consequences for train | Potential accident
- Door opens abruptly / too fast; Door closes abruptly / too fast | Passenger may have light injury | Light injury for 1 person
- Delay in door opening; Delay in door closing | Passenger traffic is delayed, train is delayed | None (no safety impact, only train delay)
- Door stays open (cannot close); Door stays closed (cannot open); Door stops opening (incomplete opening); Door stops closing (incomplete closing); Door does not close; Door closes when not asked to | Train is delayed (until the door(s) is/are condemned). If too many doors malfunction, the train will be cancelled | None (no safety impact, only train delay)
- Door does not open | Single door: passenger traffic is delayed, train is delayed. Several / all doors: emergency evacuation hindered / impossible | Potential for multiple fatalities in case of a situation requiring evacuation (e.g. fire)
- Door open when not authorized | Several / all doors: fall of multiple passengers | Potential for multiple fatalities
  Single door at stop: fall of a passenger (the one leaning on the door) | Potential of fatality
  Single door during circulation: fall of multiple passengers (aspiration effect)

Applicability of CSM DT
Same extract of the functional FMEA (merge of identical technical local consequences), with two additional columns: Potential for at least 1 fatality? | Direct consequence?
- Door opens / closes abruptly or too fast (light injury for 1 person): No | NA
- Delay in door opening / closing; door stays open / closed, stops opening / closing, does not close, closes when not asked to (train delay only): No | NA
- Door does not open (several / all doors: emergency evacuation hindered / impossible; potential for multiple fatalities in case of a situation requiring evacuation, e.g. fire): Yes => CSM-DT applicable
- Door open when not authorized (several / all doors: potential for multiple fatalities; single door at stop: potential of fatality; single door during circulation: fall of multiple passengers, aspiration effect): Yes => CSM-DT applicable

Setting up of the applicable category of CSM DT
Extract of the functional FMEA for the hazard "Door open when not authorized", with the columns: Potential accident | Potential for at least 1 fatality? | Accident limited to a specific area of the train? | Associated CSM-DT
- Several / all doors: fall of multiple passengers | Potential for multiple fatalities | Yes | No | 1,00E-09
- Single door at stop: fall of a passenger (the one leaning on the door) | Potential of fatality | Yes | | 1,00E-07
- Single door during circulation: fall of multiple passengers (aspiration effect)
Resulting hazards (Hazard | CSM-DT):
H1 Single door opens during stop when not authorized | 1,00E-07
H2 All doors open during stop when not authorized | 1,00E-09
H3 All doors open during circulation

Allocated quantitative requirements, and alternative solutions or cases
To allocate the requirements, a design has to be chosen. "Simpler" design (no redundancy). (Block diagram with the blocks: Door opening required by passenger, Speed measure, Speed criterion, Central controller, Driver authorizes the opening, Opening authorization, Local controllers, Door opens, Door closes.) Thus:
- Central controller => 10^-9 / h => SIL4 (see e.g. table A.1 of EN 50129)
- Local controllers => 10^-7 / h => at least SIL2 (see e.g. table A.1 of EN 50129)
Hazard | CSM-DT: H1 Single door opens during stop when not authorized | 1,00E-07; H2 All doors open during stop when not authorized | 1,00E-09; H3 All doors open during circulation.

Allocated quantitative requirements, and alternative solutions or cases
A SIL4 central controller is too expensive (and not typical for door systems). Design change (addition of redundancy). (Block diagram with the blocks: Door opening required by passenger, Speed measure, Speed criterion, Central controller, Driver authorizes the opening, Opening authorization, Local controllers, Door opens, Door closes.)
H1: Single door opens during stop when not authorized. Same as for the previous solution => the local controllers have to be SIL2.
Hazard | CSM-DT: H1 Single door opens during stop when not authorized | 1,00E-07; H2 All doors open during stop when not authorized | 1,00E-09; H3 All doors open during circulation.

Allocated quantitative requirements, and alternative solutions or cases
H2: All doors open during stop when not authorized. Requires the central controller AND a local controller to fail => SIL2 is sufficient for the local controllers since their allocation is 10^-7 / h; λ ≤ 10^-9 / h.

Allocated quantitative requirements, and alternative solutions or cases
H3: All doors open during circulation. Requires the central controller AND the speed measure to fail => SIL2 is sufficient for the local controllers since their allocation is 10^-7 / h; λ ≤ 10^-9 / h.

Conclusions from the risk assessment and allocation of the CSM DT category
If all central information is sent only by the central controller => a higher requirement falls on the central controller (e.g. SIL4). If some information is also sent to the local controllers (independently of the central controller), then the requirement on the central controller is less stringent (e.g. SIL2). Design choices largely impact the CSM-DT allocation, which is why the CSM-DT are to be used in the early stages, when the design can still be influenced!
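As an added worked example (not part of the SNCF/ERA slides), the allocation reasoning above expressed as a small calculation: each hazard's rate for the two designs is compared with its CSM-DT, and the SIL is read from the EN 50129 table A.1 bands. The AND-gate approximation 2·λa·λb·T (T being an assumed time during which a first failure stays undetected), the component failure rates, and the 1e-9 / h target for H3 (cut off on the slide) are assumptions of this example.

```python
# Added example (not from the slides): CSM-DT allocation check for the two
# door-control designs. Assumptions: SIL bands as in EN 50129 table A.1;
# two independent failures that must coincide (fault-tree AND gate) are
# approximated as 2 * la * lb * T, T being the time a first failure may
# stay undetected; H3's target, cut off on the slide, is taken as 1e-9 / h.

# CSM-DT per hazard, per hour (H1 and H2 from the slides, H3 assumed)
CSM_DT = {"H1": 1e-7, "H2": 1e-9, "H3": 1e-9}

def required_sil(target_rate):
    """SIL whose tolerable hazard rate band (EN 50129 table A.1) holds the target."""
    if target_rate < 1e-8:    # 1e-9 <= THR < 1e-8, or stricter
        return 4
    if target_rate < 1e-7:    # 1e-8 <= THR < 1e-7
        return 3
    if target_rate < 1e-6:    # 1e-7 <= THR < 1e-6
        return 2
    if target_rate < 1e-5:    # 1e-6 <= THR < 1e-5
        return 1
    return 0                  # no safety integrity requirement

def and_gate(la, lb, t_undetected_h):
    """Rate of both failures being present at once (assumed approximation):
    either one may fail first and stay latent for up to T hours."""
    return 2.0 * la * lb * t_undetected_h

def hazard_rates(redundant, l_central, l_local, l_speed, t_undetected_h):
    """Hazard rates (per hour) for the two designs on the slides.
    No redundancy: stop/station/speed reach the doors only through the
    central controller, so its failure alone gives H2 and H3.
    Redundancy: local controllers also get that information directly, so
    H2 needs central AND local to fail, H3 central AND speed measure."""
    h1 = l_local                                   # one local controller fails
    if not redundant:
        return {"H1": h1, "H2": l_central, "H3": l_central}
    return {"H1": h1,
            "H2": and_gate(l_central, l_local, t_undetected_h),
            "H3": and_gate(l_central, l_speed, t_undetected_h)}

def allocation_ok(rates):
    """True per hazard when the design's rate meets its CSM-DT."""
    return {h: rates[h] <= CSM_DT[h] for h in CSM_DT}

if __name__ == "__main__":
    # Constructed rates: every component at the SIL2 boundary, 24 h latency
    for red in (False, True):
        r = hazard_rates(red, 1e-7, 1e-7, 1e-7, 24.0)
        print("redundant" if red else "simple", allocation_ok(r))
```

With every component at 10^-7 / h, the non-redundant design fails the H2 and H3 targets (the central controller alone would need SIL4), while the redundant design meets all three with SIL2 components.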

Thank you for your attention! Questions? For further information, visit our website: www.cer.be