Guide for the application of CSM design targets (CSM DT)

Presentation transcript:

Guide for the application of CSM design targets (CSM DT)
Valenciennes – Workshop on CSM DT, 29. – 30. November 2016
Johan L. Aase, Chair EIM SAF WG

Table of Contents
- Introduction to example of CSM DT
- System definition
  - Interlocking
  - Train detection
  - Points
  - Signalling
  - ATC
- Basis for the example
- Simple hazard identification
- Fault Tree Analysis (FTA)
- Fault Tree Analysis - Calculation
- Result
- Conclusion
Guide for the application of CSM design targets (CSM DT) – 29. – 30. November 2016

Introduction to example of CSM DT
EIM – SAF WG

The main purpose is to give an understanding of the intention of the CSM DT (design target) and how it should be used in the design of a system, as required in the amendment to Regulation (EU) No 402/2013 on the common safety method for risk evaluation and assessment.

The example shown in this presentation is the interlocking system. The example is simplified in order to make it as straightforward as possible. It is not the purpose of this example to show the risk assessment of the system; the hazard identification in this example is done only for the purpose of understanding the example. The values used in this example are only valid for the example and cannot be copied for use in a real design. The example shall not, and is not intended to, be used as part of a real design of an interlocking system or of the components used in this example.

2.5.5. Where hazards arise as a result of failures of functions of a technical system, without prejudice to points 2.5.1 and 2.5.4, the following harmonised design targets shall apply to those failures:
(a) where a failure has a credible potential to lead directly to a catastrophic accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be highly improbable.
(b) where a failure has a credible potential to lead directly to a critical accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be improbable.
The choice between definition (23) and definition (35) shall result from the most credible unsafe consequence of the failure.

System definition - Interlocking

For the simplicity of the example we define the scope to only contain:
- Interlocking
- Train detection
- Points
- Signalling
- ATC (Automatic Train Control)

Definition of interlocking: In railway signalling, an interlocking is an arrangement of signal apparatus that prevents conflicting movements through an arrangement of tracks such as junctions or crossings. The signalling appliances and tracks are sometimes collectively referred to as an interlocking plant. An interlocking is designed so that it is impossible to display a signal to proceed unless the route to be used is proven safe.

The purpose of an interlocking is to control the train movement by using, in this case, train detection, points, signalling and automatic train control (ATC).

System definition – Train detection

Train detection in this example is based upon the type where wheels and axles short out an electrical circuit. By isolating a section of the track, the track can be divided into sections, each of which is known as a block.

System definition – Points

The purpose of the point is simply to guide the train to the required track.

System definition – Signalling

Signalling in this example is the main signal, indicating to the train driver whether the next block is clear or occupied, and giving the train the signal to continue into the next block or not.

System definition – ATC

The purpose of ATC in this example is to give information to the train to stop if the train passes or is about to pass a red signal. In this example only the infrastructure part of the ATC is taken into consideration: the balise (pronounced /bəˈliːz/).

Basis for the example

The focus of the example is if the interlocking fails to give the correct information. The situations given in the next slides are based upon:
- Two trains which, in the absence of a control signal from the interlocking, will have the potential to collide.
- A train which, in the absence of a control signal from the interlocking, will have the potential to run into track workers.
- A train which, because of a fault in the control of a point, will have the potential to derail or collide with another train.
In all cases shown we assume that the speed limit is set to 200 km/t.

In this example, an event tree is shown to indicate when and what type of consequence will occur. Normally this would have been supplied by a proper hazard analysis, for instance FMEA, but for the simplicity of the example that is not shown here.

Simple hazard identification

Hazard identification is done by looking at train detection, points, signalling and ATC. Other systems and other parts of the interlocking are left out for the sake of simplicity.

Simple hazard identification – Train detection

Train detection does not detect that the next block is occupied (either by a train or by track workers): (figure)


Simple hazard identification – Train detection

RISK: Train detection fails.
Consequence:
- Collision Train – Train. Typically affected: a large group of people with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

Simple hazard identification – Points

Point moves while train is passing the point (figures A and B):

Simple hazard identification – Points

Point moves after train has passed main signal, but before arriving at the point (figures C and D):

Simple hazard identification – Points

Point moves after train has passed main signal, but before arriving at the point (figures E, F and G):

Simple hazard identification – Points

(Event tree figure covering the scenarios A, B, C, D, F, G and E.)

Simple hazard identification – Points

RISK: Points move erroneously.
Consequence:
- Collision Train – Train. Typically affected: a large group of people with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Derailment.

Simple hazard identification – Signalling

Main signal shows green light instead of red, and the ATC does not work: (figure)


Simple hazard identification – Signalling

RISK: Main signal gives wrong information.
Consequence:
- Collision Train – Train. Typically affected: a large group of people with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

Simple hazard identification – ATC

Main signal shows Stop, but the ATC gives the message "drive" to train A: (figure)


Simple hazard identification – ATC

RISK: ATC gives wrong information.
Consequence:
- Collision Train – Train. Typically affected: a large group of people with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

Fault Tree Analysis

In order to check whether the requirement from the CSM DT is fulfilled, a fault tree analysis (FTA) can be done, as shown in this example. The purpose is to show, based upon the hazards that could occur in the example shown above, that the top event will fulfil the requirements given by CSM DT:
- Catastrophic accident: 10^-9 per operating hour
- Critical accident: 10^-7 per operating hour
If the design conforms with CSM DT, then the design is OK with regards to CSM DT. If it does not conform with CSM DT, you will have to change the design or how the design is followed up.

The top event for this example is the focus area mentioned earlier: "Interlocking fails to give the correct information" (G1)*
*Refers to the figure of the FTA shown later in the presentation

Fault Tree Analysis

Based upon the example of events shown above, we can derive that there are 4 conditions that could cause the interlocking to fail, which could lead to the consequence of a train–train / train–people collision or a derailment:
1. Train detection fails (G2)*
2. Points move erroneously (G3)*
3. Main signal shows green light instead of red (G5)*
4. ATC gives wrong information (G6)*

We assume that:
- Condition 1 is independent of the other conditions for the interlocking system to fail (G2)*
- Condition 2 is independent of the other conditions for the interlocking system to fail (G3)*
- Both conditions 3 and 4 have to fail in order for the interlocking system to fail (G4)*
*Refers to the figure of the FTA shown later in the presentation

Fault Tree Analysis

For these four conditions we can derive the events that will make each one of the four conditions fail:
- Train detection fails (G2)*
  - Wrong interpretation from interlocking (IntBE)*
  - Track circuit fails to detect train (CirBE)*
- Points move erroneously (G3)*
  - Point moves without control (PointBE)*
- Main signal shows green light instead of red (G5)*
  - Main signal gives wrong information (SigBE)*
- ATC gives wrong information (G6)*
  - Balise fault (BalBE)*
*Refers to the figure of the FTA shown later in the presentation

Fault Tree Analysis

Based upon the information given, we can set up the following fault tree: (fault tree figure)

Fault Tree Analysis - Calculation

In order to calculate the failure rate of the top event the following values are used:

System          Failure rate* per operating hour (λ)   Mean detection time + Negation time (D&NT)
Interlocking    1*10^-9                                0.5 hour (30 minutes)
Track Circuit
Points          1*10^-8
Main signal
Balise          1*10^-6

*The failure rate of the system is used to calculate the FTA basic event, with the assumption that if the system fails, it will fail at the rate given by the design requirement for the failure rate of the system. We also assume that the system is operating 24-7.

Fault Tree Analysis - Calculation

In order to calculate the fault rate of the top event the following values are used:

Event                                          Event node   Calculated failure rate per operating hour (λ)
Interlocking basic event                       IntBE        5.0*10^-10
Track Circuit basic event                      CirBE
Points basic event                             PointBE      5.0*10^-9
Main signal basic event                        SigBE
Balise basic event                             BalBE        5.0*10^-7
ATC gives wrong information                    G6
Main signal shows green light instead of red   G5           1.0*10^-9
Wrong information to train                     G4           5.0*10^-16
Points move erroneously                        G3           5.5*10^-9
Train detection fails                          G2
Interlocking fails to give the correct information   G1     6.5*10^-9

Conclusion

The failure rate of the top event (Interlocking fails to give the correct information) is 6*10^-9 per operating hour. This does not meet the requirement of 1*10^-9 of the CSM DT when it comes to catastrophic accidents (collision train–train), but will meet the requirement of 1*10^-6 when it comes to critical accidents (collision train–people).

To meet the CSM DT requirement for catastrophic accidents some measures have to be taken. Suggestions to fulfil the CSM DT requirement:
- Add a barrier into the design that will reduce or eliminate the hazard, and lower the rate of failure.
- Decrease the detection time and/or negation time.
- Add redundant systems to reduce the probability of the hazard occurring.
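As an added worked example (not code from the original slides or from EIM), the calculation slides and the conclusion's second suggestion carried through in Python: the tree as the FTA slides describe it (G1 = G2 OR G3 OR G4, G2 = IntBE OR CirBE, G3 = PointBE, G4 = G5 AND G6, G5 = SigBE, G6 = BalBE), basic-event values as λ × D&NT like the table, and the top event checked against the 10^-9 and 10^-7 design targets. Assumptions: the blank Track Circuit and Main signal cells carry the rate of the row above them, and the reduced D&NT of 0.05 h used to illustrate shortening detection/negation time is a constructed value.

```python
"""Worked CSM DT check of the example fault tree (added example).

Tree as described on the FTA slides:
  G1 = G2 OR G3 OR G4,  G2 = IntBE OR CirBE,  G3 = PointBE,
  G4 = G5 AND G6,       G5 = SigBE,           G6 = BalBE
Basic-event values follow the calculation table: system failure
rate (λ) multiplied by the 0.5 h detection + negation time (D&NT).
Assumption: the blank table cells (Track Circuit, Main signal)
carry the rate of the row above them.
"""
import math

DNT_HOURS = 0.5  # mean detection time + negation time (30 minutes)

# System failure rates per operating hour (λ) from the slide table.
SYSTEM_LAMBDA = {
    "IntBE": 1e-9,    # interlocking
    "CirBE": 1e-9,    # track circuit (assumed: same as the interlocking row)
    "PointBE": 1e-8,  # points
    "SigBE": 1e-8,    # main signal (assumed: same as the points row)
    "BalBE": 1e-6,    # balise
}

# CSM DT harmonised design targets per operating hour.
CSM_DT = {"catastrophic": 1e-9, "critical": 1e-7}


def basic_event(lam, dnt=DNT_HOURS):
    """Basic-event value as used in the table: λ times D&NT."""
    return lam * dnt


def or_gate(*inputs):
    """OR gate with the rare-event approximation (sum of small inputs)."""
    return sum(inputs)


def and_gate(*inputs):
    """AND gate for independent inputs: product of the inputs."""
    return math.prod(inputs)


def evaluate_tree(lambdas=SYSTEM_LAMBDA, dnt=DNT_HOURS):
    """Return every gate value (G1..G6) of the example tree."""
    be = {name: basic_event(lam, dnt) for name, lam in lambdas.items()}
    g = {"G6": be["BalBE"], "G5": be["SigBE"]}
    g["G4"] = and_gate(g["G5"], g["G6"])          # wrong information to train
    g["G3"] = be["PointBE"]                       # points move erroneously
    g["G2"] = or_gate(be["IntBE"], be["CirBE"])   # train detection fails
    g["G1"] = or_gate(g["G2"], g["G3"], g["G4"])  # top event
    return g


def meets_target(rate, severity):
    """True if a top-event rate is within the CSM DT for that severity."""
    return rate <= CSM_DT[severity]


if __name__ == "__main__":
    for dnt in (DNT_HOURS, 0.05):  # 0.05 h is a constructed reduced-D&NT case
        g = evaluate_tree(dnt=dnt)
        print(f"D&NT={dnt} h  G1={g['G1']:.2e}  "
              f"catastrophic ok={meets_target(g['G1'], 'catastrophic')}  "
              f"critical ok={meets_target(g['G1'], 'critical')}")
```

With the slide values the top event comes out at about 6*10^-9 per operating hour, as the conclusion states; because every basic event scales with D&NT, the whole top event scales with it too, which is why shortening detection and negation time is one of the listed remedies.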