ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM Guideline for the Application of CSM-DT from Regulation 2015/1136 ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM Roman Slovák, FOT, CH ERA, Valenciennes, 29-30 November 2016
Overview System definition List of functions Scope, assumptions and limits of the risk assessment Hazard identification and classification Applicability of CSM-DT Setting up of applicable category Allocated quantitative requirements Conclusions
1. System Definition Context Due to the high acquisition costs many level crossings (LC) on secondary lines remain equipped with only passive level crossing signs like the St. Andrew cross Solution Low-cost Level Crossing System (LCS) MICRO Simplification of the existing standardised type MINI Purpose To warn the road users against the railway traffic
2. List of functions Function MINI MICRO Warn the road user against the danger on LC X Inform the train driver on the LC system activation Warn the road user against the LC system failure flashing yellow light warns road users in the case LCS failure in which: the responsibility for passing over the level crossing lies fully with the road user. road users must be able to check that the track is safe to cross misjudging his ability to safely pass over the LC situation while a train is approaching has to be considered as an important risk
3. Scope and limits of the assessment Application parameters MINI MICRO Maximum density of road traffic [vehicles/h] 6 equal to 8 persons/h 1.5 equal to 2 persons/h Visibility for road traffic irrelevant adequate Maximum density of rail traffic [trains/h] 10 Maximum speed of trains [km/h] 100 Maximum number of tracks 1 Maximum hazard detection time [h] 8 the probability of the hazard detection by a third party at the LCS MICRO is much smaller than at the LCS MINI. The hazard detection time (HDT) of the MICRO is set to 8h
4a. Hazard identification Failure Mode and Effect Analysis (FMEA) used Considered operational condition of the LCS MICRO Not considered were consequences due to an accident involving release of danger goods as: This kind of extreme consequences of a LC accident is not present in any Swiss accident database. much lower probability of such a kind of accident due to designation of MICRO to local railway lines and very low traffic flows The consequences from a collision on LC on factory siding, where a transport with danger goods is credible, are additionally reduced by the general speed limit for tracks in factory sidings of 10 km/h
4a. Hazard identification Functional failure modes Cause HAZARD - Consequence at level of technical system Consequences at train level 1. Warning does not start LCS failed Road user is not warned against train arrival when required Road user is not informed to stop in front of the LC and may collide with a passing train on the LC 2. Warning starts when not required Spurious warning against train arrival Road user is unnecessarily required to stop in front of the LC Road traffic operation is unnecessarily disturbed 3. Warning is delayed in response Road user is not informed on time to stop in front of the LC and may collide with a passing train on the LC 4. Warning of the road user is not terminated after passing of the train Warning of the road user is not terminated after train passing 5. Warning of the road user is terminated before the train is passing the LC Train driver is not informed about the LCS system failure and does not stop the train to prevent a possible collision Road user is not warned against the train arrival when required 6. LCS is in a constant degraded state (yellow flashing light) LCS detected a failure of one of its functions Indication of the degraded state by yellow flashing light Road user is infomed to cross the LC on his own responsibility 7. LCS switches to a degraded state during the warning Indication of the degradeted state by yellow flashing light starts immediately after the warning (red constant light) Road user misinterprets the change of the warning from red to yellow and starts to pass the LC and thus may likely collide with a passing train
4b. Hazard classification The 7 functional failure modes are classified in the following 7 categories: failure modes 1 and 5 are resulting in the “non-warning” of the road user. failure modes 2 and 4 are resulting in a spurious warning of road users - road traffic operation is unnecessarily disturbed; failure mode 3 is resulting in a too late “warning”. failure mode 6 is resulting in operation of the level crossing in full responsibility of the road user failure mode 7 is resulting in a situation causing a high misinterpretation potential by the road user Bahnonline.ch
4b. Hazard classification Functional failure modes Cause Potential accident Potential for at least 1 fatality 1. Warning does not start LCS failed Collision train with road vehicle Collision train with person YES (i.e. risk not broadly acceptable) 2. Warning starts when not required No – Specific operational procedures must be defined to prescribe the actions of the road user NO (i.e. risk is broadly acceptable) 3. Warning is delayed in response 4. Warning of the road user is not terminated after passing of the train 5. Warning of the road user is terminated before the train is passing the LC Train driver is not informed about the LCS system failure and does not stop the train to prevent a possible collision 6. LCS is in a constant degraded state (yellow flashing light) LCS detected a failure of one of its functions Yes - but operation in full responsibility of the road user 7. LCS switches to a degraded state during the warning
5. Applicability of CSM-DT What are the conditions which have a credible potential to LEAD DIRECTLY to an accident in case of failure of the LCS? IF the following two conditions are met during the same period of time : the LCS MICRO is faulty. In concrete terms, this means: the function warning the road user against the train on LC is failed, AND there is a road user in the danger zone of the level crossing or approaching it THEN there is “a credible potential to lead directly to … a catastrophic … or a critical accident”,” …
6. Setting up of applicable category CSM DT HAZARD – Consequence at level of technical system Consequences at train level Potential accident Potential for at least 1 fatality Consequence limited to a specific area of train Associated CSM DT 1 Road user is not warned against arrival of train when required Road user is not informed to stop and prevent a collision with a train on the level crossing Collision train with road vehicle Collision train with person YES (i.e. risk not broadly acceptable) Yes (head of the train exposed to risk) 10‑ 7 h‑1 2. Spurious warning against arrival of a train Road user is required to stop on level crossing whereas not necessary Road traffic operation disturbed No – Specific operational procedures must be defined to prescribe the actions of the road user NO (i.e. risk is broadly acceptable) Not applicable 3. Warning of the road user is terminated before the arrival of the train Road user is not informed on time to stop and prevent a collision with a train on the level crossing Collision train with person 4. 5. 6. Indication of the degradeted state by yellow flashing light Road user is infomed to cross the level crossing in his own responsibility Yes - but operation in full responsibility of the road user 7. Indication of the degradeted state by yellow flashing light starts immediately after the warning (red constant light) before arrival of the train Road user misinterprets the change of the warning from red to yellow and enters the level crossing with high potential of a collision with a train
6. Setting up of applicable category of CSM DT In conclusion, if following “logical condition” is met: there is a road user in the danger zone of the LC or approaching it; AND during the same period of time the function warning the road user against the danger on LC is failed; OR the LCS entered into the degraded state during the warning before arrival of the train there is “a credible potential to lead directly to a critical accident” … “typically affecting a very small number of people and resulting in at least one fatality” The associated risk is acceptable if the frequency of occurrence of that logical condition mentioned in the section above is “… demonstrated to be less than or equal to 10–7 per operating hour”. The most credible CSM DT category applicable to that logical condition is therefore 10‑7 h‑1.
7a. Allocated quantitative requirements on system level General quantitative requirements on LCS given by the CSM-DT category of 10-7 h-1 (corresponds to SIL 3) Validation of the set requirement can be reached by: estimation of the resulting level crossing accident rate quantification of the corresponding fatality rate comparison with and independent risk acceptance criterion – e.g. MEM (Minimal Endogenous Mortality) from EN 50 126 Estimation of the accident rate requires consideration of potential accident scenarios including assumptions on human behaviour – modelling using Petri Nets (class EDSPN)
Formal modelling of the LC Potential accident scenarios Two accident situations considered: Collision train –> road vehicle Collision road vehicle –> train Estimation of situation specific risk reduction parameters Severity of accident not further refined – assumption 1.5 fatality per accident (worst case)
Formal modelling of the LC Description means (IEC 62551) Extended Deterministic and Stochastic Petri nets: Dynamics in a Petri net
Formal modelling of the LC Method and Tool Modelling Methodology: ProFunD [IEC 62551] Process Functionality Dependability -Tool
Allocated quantitative requirements on system level EDSPN provides resulting accident frequency in relation to the hazard rate of the entire LCS Validation by individual risk acceptance criterion MEM confirms acceptable accident rate resulting from the chosen DT (10-7 per hour) CSM-RA-DT class (b) 2x10-9 Acc/h derived from MEM
7b. Allocated quantitative requirements on subsystem level Considered subsystem functions in the EDSPN model of the LCS: Train recognition Warning lights Train clearing recognition Fault display (Yellow flashing light) Hazard recognition of all other functions Hazards of all functions have been considered as independent Possible dependencies (e.g. due to common power supply) would have to be additionally included in the model – out of scope of the system functional modelling
7b. Allocated quantitative requirements on subsystem level
7b. Allocated quantitative requirements on subsystem level Subsystem function Tolerable hazard rate Alternative tolerable hazard rate Train recognition 3.3x10-7 h-1 1x10-8 h-1 Warning lights Train clearing recognition 1x10-6 h-1 Fault display (Yellow flashing light) Hazard recognition of all other functions Considered hazard detection time of all subsystem functions: 8h Subsystem function’s requirements corresponds to SIL3 or alernativelly to combination of SIL 4 and SIL 2 elements
Analysing the influence of the variation of the hazard detection time
8. Conclusions from the risk assessment and allocation of CSM DT the design of the level crossing system is based on the safety requirements of CSM-DT class (b) (10-7hazards per hour) – SIL3 the hazard detection time of 8h does not have to be exceeded the sight condition of the road user on the track will be kept free; the road user is adequately informed on the meaning of the yellow flashing light indicating the degraded state of the level crossing system and the transfer of the full responsibility for crossing the track on himself;
8. Conclusions from the risk assessment and allocation of CSM DT the level crossing system is safely integrated within the railway infrastructure providing automatically information on his degraded state to the infrastructure manger (e.g. by an SMS) If the operational requirements cannot be met, additional limitations of the rail or road traffic are necessary (e.g. prohibition of the LC use by road users in case of yellow flashing light)
Thank you for your attention. Roman Slovák Federal Office of Transport FOT Risk Management & Management Support CH-3003 Bern Tel: +41 58 / 462 41 84 Email: roman.slovak@bav.admin.ch