Guide for the application of CSM design targets (CSM DT)

Presentation on theme: "Guide for the application of CSM design targets (CSM DT)"— Presentation transcript:

1 Guide for the application of CSM design targets (CSM DT)
Valenciennes – Workshop on CSM DT 29. – 30. November 2016 Johan L. Aase Chair EIM SAF WG

2 Table of Contents
- Introduction to example of CSM DT
- System definition
  - Interlocking
  - Train detection
  - Points
  - Signalling
  - ATC
- Basis for the example
- Simple hazard identification
- Fault Tree Analysis (FTA)
- Fault Tree Analysis - Calculation
- Result
- Conclusion
Guide for the application of CSM design targets (CSM DT) – 29. – 30. November 2016

3 Introduction to example of CSM DT
EIM – SAF WG
The main purpose is to give an understanding of the intention of the CSM DT (design target) and how it should be used in the design of a system, as required in the amendment to Regulation (EU) No 402/2013 on the common safety method for risk evaluation and assessment.

The example shown in this presentation is the system of interlocking. The example is simplified in order to make it as straightforward as possible. It is not the purpose of this example to show the risk assessment of the system; the hazards identified in this example are given only to help understand the example. The values used in this example are only valid for the example and cannot be copied for use in a real design. The example shall not, and is not intended to, be used as part of a real design of an interlocking system or of the components used in this example.

Where hazards arise as a result of failures of functions of a technical system, without prejudice to points and 2.5.4, the following harmonised design targets shall apply to those failures:
(a) where a failure has a credible potential to lead directly to a catastrophic accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be highly improbable;
(b) where a failure has a credible potential to lead directly to a critical accident, the associated risk does not have to be reduced further if the frequency of the failure of the function has been demonstrated to be improbable.
The choice between definition (23) and definition (35) shall result from the most credible unsafe consequence of the failure.

4 System definition - Interlocking
For the simplicity of the example we define the scope to only contain:
- Interlocking
- Train detection
- Points
- Signalling
- ATC (Automatic Train Control)
Definition of interlocking: In railway signalling, an interlocking is an arrangement of signal apparatus that prevents conflicting movements through an arrangement of tracks such as junctions or crossings. The signalling appliances and tracks are sometimes collectively referred to as an interlocking plant. An interlocking is designed so that it is impossible to display a signal to proceed unless the route to be used is proven safe.
The purpose of an interlocking is to control the train movement by using, in this case, train detection, points, signalling and automatic train control (ATC).

5 System definition – Train detection
Train detection in this example is based upon the type where the wheels and axles short out an electrical circuit. By isolating a section of the track, the track can be divided into sections, each of which is known as a block.

6 System definition – Points
The purpose of the point is simply to guide the train to the required track.

7 System definition – Signalling
Signalling in this example is the main signal, which indicates to the train driver whether the next block is clear or occupied, and gives the train the signal to continue into the next block or not.

8 System definition – ATC
The purpose of ATC in this example is to give information to the train to stop if the train passes or is about to pass a red signal. In this example only the infrastructure part of the ATC (the balise, pronounced /bəˈliːz/) is taken into consideration.

9 Basis for the example
The focus of the example is whether the interlocking fails to give the correct information. The situations given in the next slides are based upon:
- Two trains which, in lack of a control signal from the interlocking, will have the potential to collide.
- A train which, in lack of a control signal from the interlocking, will have the potential to run into track workers.
- A train which, because of a fault in the control of a point, will have the potential to derail or collide with another train.
In all cases shown we assume that the speed limit is set to 200 km/h. In this example, an event tree is shown to indicate when and what type of consequence will occur. Normally this would have been supplied by a proper hazard analysis, for instance FMEA, but for the simplicity of the example that is not shown here.

10 Simple hazard identification
Hazard identification is done by looking at train detection, points, signalling and ATC. Other systems and other parts of the interlocking are left out for the sake of simplicity.

11 Simple hazard identification – Train detection
Train detection does not detect that the next block is occupied (either by a train or by track workers):

12 Simple hazard identification – Train detection

13 Simple hazard identification – Train detection
RISK: Train detection fails.
Consequence:
- Collision Train – Train. Typically affected: a large group of people, with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people, with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

14 Simple hazard identification – Points
Point moves while the train is passing the point (figure: cases A and B).

15 Simple hazard identification – Points
Point moves after the train has passed the main signal, but before arriving at the point (figure: cases C and D).

16 Simple hazard identification – Points
Point moves after the train has passed the main signal, but before arriving at the point (figure: cases E, F and G).

17 Simple hazard identification – Points
(figure: event tree grouping the cases as A, B; C; D, F; G; E)

18 Simple hazard identification – Points
RISK: Point moves erroneously.
Consequence:
- Collision Train – Train. Typically affected: a large group of people, with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Derailment.

19 Simple hazard identification – Signalling
Main signal shows a green light instead of red, and the ATC does not work:

20 Simple hazard identification – Signalling

21 Simple hazard identification – Signalling
RISK: Main signal gives wrong information.
Consequence:
- Collision Train – Train. Typically affected: a large group of people, with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people, with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

22 Simple hazard identification – ATC
Main signal shows Stop, but the ATC gives the message "drive" to train A:

23 Simple hazard identification – ATC

24 Simple hazard identification – ATC
RISK: ATC gives wrong information.
Consequence:
- Collision Train – Train. Typically affected: a large group of people, with multiple fatalities. CSM DT: Catastrophic accident, 10^-9 per operating hour.
- Collision Train – People. Typically affected: a small number of people, with at least one fatality. CSM DT: Critical accident, 10^-7 per operating hour.

25 Fault Tree Analysis
In order to check whether the requirement from the CSM DT is fulfilled, a fault tree analysis (FTA) can be done, as shown in this example. The purpose is to show, based upon the hazards that could occur in the example shown above, that the top event will fulfil the requirements given by CSM DT:
- Catastrophic accident: 10^-9 per operating hour
- Critical accident: 10^-7 per operating hour
If the design concurs with CSM DT, then the design is OK with regards to CSM DT. If it does not concur with CSM DT, you will have to change the design or how the design is followed up.
The top event for this example is the focus area mentioned earlier: "Interlocking fails to give the correct information" (G1)*
*Refers to the figure of the FTA shown later in the presentation

26 Fault Tree Analysis
Based upon the example of events shown above we can derive that there are 4 conditions that could cause the interlocking to fail, which could lead to the consequence of a train-train/train-people collision or a derailment:
1. Train detection fails (G2)*
2. Points move erroneously (G3)*
3. Main signal shows green light instead of red (G5)*
4. ATC gives wrong information (G6)*
We assume that:
- Condition 1 is independent of the other conditions for the interlocking system to fail (G2)*
- Condition 2 is independent of the other conditions for the interlocking system to fail (G3)*
- Both conditions 3 and 4 have to fail in order for the interlocking system to fail (G4)*
*Refers to the figure of the FTA shown later in the presentation

27 Fault Tree Analysis
For these four conditions we can derive the events that will make each one of the four conditions fail:
- Train detection fails (G2)*
  - Wrong interpretation from interlocking (IntBE)*
  - Track circuit fails to detect train (CirBE)*
- Points move erroneously (G3)*
  - Point moves without control (PointBE)*
- Main signal shows green light instead of red (G5)*
  - Main signal gives wrong information (SigBE)*
- ATC gives wrong information (G6)*
  - Balise fault (BalBE)*
*Refers to the figure of the FTA shown later in the presentation

28 Fault Tree Analysis
Based upon the information given, we can set up the following fault tree: (figure of the FTA; not reproduced in the transcript)

29 Fault Tree Analysis - Calculation
In order to calculate the failure rate of the top event the following values are used:

System        | Failure rate* per operating hour (λ) | Mean detection time + Negation time (D&NT)
Interlocking  | 1*10^-9                              | 0.5 hour (30 minutes)
Track Circuit |                                      |
Points        | 1*10^-8                              |
Main signal   |                                      |
Balise        | 1*10^-6                              |
(cells shown empty are empty on the original slide)

*Failure rate of the system is used to calculate the FTA basic event, with the assumption that if the system fails, it will fail at the rate given by the design requirement for the failure rate of the system. We also assume that the system will be operating 24-7.

30 Fault Tree Analysis - Calculation
In order to calculate the failure rate of the top event the following values are used:

Event                                            | Event node | Calculated failure rate per operating hour (λ)
Interlocking basic event                         | IntBE      | 5.0*10^-10
Track Circuit basic event                        | CirBE      |
Points basic event                               | PointBE    | 5.0*10^-9
Main signal basic event                          | SigBE      |
Balise basic event                               | BalBE      | 5.0*10^-7
ATC gives wrong information                      | G6         |
Main signal shows green light instead of red     | G5         | 1.0*10^-9
Wrong information to train                       | G4         | 5.0*10^-16
Points moves erroneously                         | G3         | 5.5*10^-9
Train detection fails                            | G2         |
Interlocking fail to give the correct information | G1        | 6.5*10^-9
(cells shown empty are empty on the original slide)
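The fault tree of slides 26 to 30 evaluated numerically, as an added example (not code from the EIM SAF WG slides): basic events are λ times D&NT, OR gates are summed under the rare-event approximation, the AND gate G4 is a product, and the top event is compared with the two CSM DT targets. The empty cells of slide 29 are assumed to repeat the row above; with that assumption the top event comes out at about 6*10^-9 per operating hour, the figure quoted in the conclusion (the slide's own table lists 5.5*10^-9 for G3 and 1.0*10^-9 for G5, which the gate structure of slides 26 and 27 alone does not reproduce).

```python
import math

# Added example, not from the EIM SAF WG slides. All rates are per operating hour.
# CSM DT targets: catastrophic = "highly improbable" (10^-9), critical = "improbable" (10^-7).
CSM_DT = {"catastrophic": 1e-9, "critical": 1e-7}

# (failure rate lambda per operating hour, mean detection + negation time D&NT in hours), slide 29.
# ASSUMPTION: cells left empty on the slide repeat the value of the row above.
SYSTEMS = {
    "Interlocking": (1e-9, 0.5),
    "TrackCircuit": (1e-9, 0.5),   # assumed (empty on slide)
    "Points":       (1e-8, 0.5),
    "MainSignal":   (1e-8, 0.5),   # assumed (empty on slide)
    "Balise":       (1e-6, 0.5),
}

def basic_event(lam, dnt):
    # Basic-event value as on slide 30: lambda times D&NT (1e-9 * 0.5 h = 5.0e-10 for IntBE).
    return lam * dnt

def or_gate(*inputs):
    # OR gate under the rare-event approximation: the sum of the inputs.
    return sum(inputs)

def and_gate(*inputs):
    # AND gate: the product of the inputs (the slides multiply G5 and G6 directly).
    return math.prod(inputs)

def evaluate_tree():
    # Return every gate value, keyed by the node names used on slides 26 and 27.
    be = {name: basic_event(lam, dnt) for name, (lam, dnt) in SYSTEMS.items()}
    g = {}
    g["G2"] = or_gate(be["Interlocking"], be["TrackCircuit"])  # train detection fails
    g["G3"] = be["Points"]                                      # point moves erroneously
    g["G5"] = be["MainSignal"]                                  # green shown instead of red
    g["G6"] = be["Balise"]                                      # ATC gives wrong information
    g["G4"] = and_gate(g["G5"], g["G6"])                        # signal AND ATC must both fail
    g["G1"] = or_gate(g["G2"], g["G3"], g["G4"])                # top event
    return g

def meets_target(rate, severity):
    # True when a failure frequency satisfies the CSM DT target for that severity.
    return rate <= CSM_DT[severity]

if __name__ == "__main__":
    gates = evaluate_tree()
    for node in ("G2", "G3", "G4", "G1"):
        print(f"{node}: {gates[node]:.2e} per operating hour")
    print({s: meets_target(gates["G1"], s) for s in CSM_DT})
```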

31 Conclusion
Failure rate of the top event (Interlocking fails to give the correct information) is 6*10^-9 per operating hour. This does not meet the requirement of 1*10^-9 of the CSM DT when it comes to catastrophic accidents (collision train-train), but will meet the requirement of 1*10^-6 when it comes to critical accidents (collision train-people). To meet the CSM DT requirement for catastrophic accidents some measures have to be taken.
Suggestions to fulfil the CSM DT requirement:
- Add a barrier into the design that will reduce or eliminate the hazard, and lower the rate of failure.
- Decrease the detection time and/or negation time.
- Add redundant systems to reduce the probability for the hazard to occur.
