Guide for the application of the CSM design targets (CSM-DT)
Annex 5 Example 4: Transmission of traction and brake command
29-30/11/2016, ERA workshop, Valenciennes
Marc GEISLER, DB AG, DB Systemtechnik, Head of Safety and Risk Assessment
Introduction / Disclaimer

Introduction: The example focuses only on the application of the CSM-DT to a rolling stock (RST) project. Before applying the CSM-DT, the significance of the change was assessed; it was decided that the risks are not broadly acceptable and that the hazards are to be controlled by "explicit risk estimation".

Disclaimer: The illustrated example does not contain all details and therefore cannot be fully comprehensive. Several assumptions are made to show how the allocation of CSM-DT can be done. In a real system, many more influencing parameters, scenarios and interactions must be considered in order to derive a complete and consistent set of safety requirements. The resulting figures and quantitative outcomes are thus purely fictitious. The design of the technical system is carried out in compliance with specific safety and quality processes, commensurate with the allocated CSM-DT class/category, in order to control systematic failures appropriately. Moreover, safe integration is not considered in the example.
Summary
1. System Definition of the technical system under assessment
2. List of functions of the technical system under assessment
3. Hazard Identification and classification
4. Allocation of CSM-DT
5. Consideration of existing Safety Barriers
6. Conclusions from the risk assessment and allocation of CSM-DT
1. System Definition of the technical system under assessment (1/2)

Function under assessment: "Transmit traction and brake demand".

The Master Controller is a control element used by the operator to activate the driving cab, define the direction of movement and set a throttle notch position. The cab is activated by the operator when inserting a key into the controller. The key must be moved forward or backward to set a direction of motion. A throttle handle controls the 8 power levels delivered to the traction motors: moving the throttle handle forwards gives traction power, while moving the handle backwards gives a dynamic brake effort.
1. System Definition of the technical system under assessment (2/2)

The technical function comprises many sub-functions; the presented example considers only a part of all elements. Only the functionality of the Master Controller used to control the traction demand requested by the train driver is considered within the example. The status of the train direction control switch is defined based on information from interfaces 1 to 4.
2. List of functions of the technical system under assessment

The function "F1 Define Set Point" has interfaces to "T_direction control switch", "T_onboard network" and "S_status direction control switch" for receiving or sending information (data transfer). The assessment of the failure modes results in 5 hazards of two kinds: "Untimely traction demand" and "Strong jerk".

Function "Transmit traction and brake demand", interfaces of F1 Define set point (source / information / target):
- Interface 1: T_Master controller / I_Throttle 1-8 / F1 Define set point
- Interface 2: T_direction control switch / I_V oder R / F1 Define set point
- Interface 3: T_onboard network / I_74 V / F1 Define set point
- Interface 4: I_traction set point sent to S_status direction control switch
3. Hazard Identification and classification

Failure modes of "F1 Define set point", resulting hazard and classification:
- Set point is not defined → No traction demand → No safety consequences.
- Set point is defined continuously → Untimely traction demand → Safety consequences possible; one hazard per interface: Haz1 (interface 1: T_Master controller, I_Throttle 1-8), Haz2 (interface 2: T_direction control switch, I_V oder R), Haz3 (interface 3: T_onboard network, I_74 V), Haz4 (interface 4: I_traction set point to S_status direction control switch).
- Set point is defined wrongly → Wrong side movement → Not considered in the specific situation.
- Set point is defined too high → Strong jerk → Safety consequences possible (Haz5).
- Set point is defined too low → No sufficient acceleration.
4. Allocation process for CSM-DT, as defined in Reg. 2015/1136, for Hazard 1

The four conditions of the allocation process are assessed for Hazard 1 as: given, given, given, given.
4. Allocation process for CSM-DT, as defined in Reg. 2015/1136, for Hazard 4

The four conditions of the allocation process are assessed for Hazard 4 as: given, given, not given (because of specific operational pre-conditions), given.
4. Justification of allocation for Hazard 4

Affected people: the parameter "Large number of people is affected" is fulfilled, but the parameter resulting in "Multiple fatalities" is not fulfilled. Both parameters are linked by an AND gate, so both must be true.

Cases of the regulation:
- Case (a), Def. (23) & §2.5.5(a): a large number of people is affected; resulting severity: multiple fatalities; CSM-DT 1E-9.
- Case (b), Def. (35) & §2.5.5(b): only a very small number of people is affected; resulting severity: at least one fatality; CSM-DT 1E-7. If only a very small number of people is affected, multiple fatalities cannot result.
- Open case ("???"): a large number of people is affected, but the accident does not typically result in multiple fatalities.

Only for Hazard 1 is the most demanding design target required, as the untimely traction demand could lead to overspeed and result in a collision or derailment, and therefore in a large number of fatalities. For Hazard 4, specific scenarios are assumed in which the speed is so low that the consequences are limited. Applying the pairwise comparison, the resulting requirement is 1E-7, as the resulting risk is much lower than in case (a) but comparable with case (b).
4. Allocation of CSM-DT for each hazard taking into account "direct", "affected" and "severity"

Initial allocation by the proposer's team (columns: Haz / Credible potential for direct consequences? / Accident typically results in at least one fatality? / Typically a large number of people is affected? / Accident typically results in multiple fatalities? / CSM-DT). Legible entries: Haz 1: yes, CSM-DT 1E-9; Haz 2: no, N/A; one further CSM-DT entry of 1E-7 whose row is not recoverable; Haz 3 to 5: no legible entries.

Classification by ERA (columns: Haz / Credible potential for direct consequences? / Typically a large number of people is affected? / Accident typically results in multiple fatalities? / Typically a very small number of people is affected? / Accident typically results in at least one fatality? / CSM-DT). Legible entries: Haz 1: yes, no, N/A, CSM-DT 1E-9; Haz 2: CSM-DT 1E-7; Haz 3 to 5: no legible entries.
5. Consideration of existing Safety Barriers

The overall safety requirement of the function "transmit traction and brake demand" needs to take into account the operational specificities, such as the active barriers, the operational conditions, the operational rules, etc. A single failure of the Master Controller does not directly lead to an accident. A less demanding safety requirement can therefore be set up for the Master Controller than for the overall "transmit traction and brake demand" function.
5. Consideration of existing Safety Barriers

The following barriers can prevent a failure of the Master Controller from resulting directly in the identified accident:
- two independent Brake Pressure Sensors (if braking is used, the pressure will be detected and the traction will be cut off automatically);
- Brake Controller and Power Supply (the brake controller automatically cuts the traction, via the power supply contactor, when a pressure sensor detects braking).

For the purposes of the example, it is assumed that:
- the Brake Pressure Sensors work with a safety performance of 90%, and
- the Brake Controller and the Power Supply work with a safety performance of 50%.
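A worked example of the allocation path of section 4 and the barrier consideration of section 5, added here and not part of the workshop slides: the Hazard 1 and Hazard 4 parameter values are those read from the slides, while the combination of the barriers (the two independent pressure sensors as 1-out-of-2, the brake controller and power supply in series) is an assumption made for this example that the slides do not state.

```python
# Added worked example for this deck (not from the ERA/DB slides): the
# section 4 allocation path, then a Master Controller requirement derived
# behind the section 5 barriers (barrier combination model assumed here).
from dataclasses import dataclass

CSM_DT_MULTIPLE_FATALITIES = 1e-9    # per operating hour, case (a), §2.5.5(a)
CSM_DT_AT_LEAST_ONE_FATALITY = 1e-7  # per operating hour, case (b), §2.5.5(b)

@dataclass
class HazardParameters:
    direct_consequences: bool    # credible potential for direct consequences?
    large_number_affected: bool  # typically a large number of people affected?
    multiple_fatalities: bool    # accident typically results in multiple fatalities?
    at_least_one_fatality: bool  # accident typically results in at least one fatality?

def allocate_csm_dt(h: HazardParameters):
    """Design target per operating hour, or None when no CSM-DT is allocated."""
    if not h.direct_consequences:
        return None  # N/A: no credible potential for direct consequences
    # AND gate on the slides: large number AND multiple fatalities -> 1E-9
    if h.large_number_affected and h.multiple_fatalities:
        return CSM_DT_MULTIPLE_FATALITIES
    # Pairwise comparison (Hazard 4): risk comparable with case (b) -> 1E-7
    if h.at_least_one_fatality:
        return CSM_DT_AT_LEAST_ONE_FATALITY
    return None

def barrier_failure_probability(sensor_perf: float, controller_perf: float) -> float:
    """P(barriers fail to cut traction | Master Controller failure), assuming
    both independent pressure sensors must miss the braking (1-out-of-2)
    and the brake controller + power supply must then act (in series)."""
    p_both_sensors_miss = (1.0 - sensor_perf) ** 2
    p_controller_fails = 1.0 - controller_perf
    return 1.0 - (1.0 - p_both_sensors_miss) * (1.0 - p_controller_fails)

def master_controller_target(function_target: float, p_barrier_fail: float) -> float:
    """Tolerable Master Controller rate: rate * P(barriers fail) <= function CSM-DT."""
    return function_target / p_barrier_fail

def worked_example() -> dict:
    haz1 = HazardParameters(True, True, True, True)   # slide: given x4
    haz4 = HazardParameters(True, True, False, True)  # multiple fatalities not given
    p_fail = barrier_failure_probability(0.9, 0.5)    # 90% / 50% from section 5
    return {
        "haz1_function_target": allocate_csm_dt(haz1),   # 1e-9
        "haz4_function_target": allocate_csm_dt(haz4),   # 1e-7
        "p_barrier_fail": p_fail,                        # 0.505: the 50% barrier dominates
        "haz1_master_controller_target": master_controller_target(1e-9, p_fail),
    }
```

Under this model the barrier chain still fails in about half of the cases because of the 50% serial element, so the Master Controller target for Hazard 1 relaxes only from 1E-9 to about 2E-9; the credit a barrier chain can give is bounded by its weakest serial element.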
6. Conclusions from the risk assessment and allocation of CSM-DT
- The allocation of CSM-DT depends on influencing pre-conditions regarding the system, its surroundings, operation and external safety barriers.
- For one main function, the allocation of CSM-DT to its sub-functions can result in different classes.
- In case external safety barriers exist, the initially allocated design requirement can be lowered; mutual recognition is not automatically given in that case.
- There is no overlap between the defined classes of CSM-DT.
- The applicability of CSM-DT has been proven!
- CSM-DT, if used in early design, will impact the design choices, depending also on the project's strategy.
Thank you for your attention! Questions? For further information, visit our website: www.cer.be