Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme



Similar documents
Common Safety Method for risk evaluation and assessment

Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward

Measure 9: Updating the interoperability directives on high-speed and conventional railway networks First page:

How to Overcome Challenges in Placing in Services of Rolling Stock Vehicles in Europe

Prof. Dr. Jens Braband (Siemens AG) Risk Assessment in IT Security for Functional Safety

Railway Safety Directive 2004/49/EC

Great Britain s Rail Safety Performance and Trends in 2013/14

Index of issues discussed

Dominic Taylor CEng MIET MIMechE MIRSE MCMI, Invensys Rail

PABIAC Safety-related Control Systems Workshop

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

Basic Fundamentals Of Safety Instrumented Systems

Experience with Safety Integrity Level (SIL) Allocation in Railway Applications

Directive 2001/16 - Interoperability of the trans- European conventional rail system

Risk Assessment / Risk Management Protocol

Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons

COMMISSION RECOMMENDATION. of

RISK MANAGEMENT FOR INFRASTRUCTURE

Prokrustes säng. och HMI-design

SUPPORTING THE RAIL INDUSTRY UNIQUE SOLUTIONS FOR UNIQUE SITUATIONS

RAILWAY SAFETY PERFORMANCE IN THE EUROPEAN UNION

Strategic Plan for Control Period 5, Issue Two

Designing an Effective Risk Matrix

Hardware safety integrity Guideline

The two separate aspects of RAC validation: Why they need to be considered together

How To Know How Many Major Transport Accidents In Norway

Maintenance of EMU - a new approach for management and technology

Operating Concept and System Design of a Transrapid Maglev Line and a High-Speed Railway in the pan-european Corridor IV

Cloud computing for maintenance of railway signalling systems

3 RBC INTERFACE TO INTERLOCKINGS IN FINLAND

Final report. on the activities of the. Task Force Freight Wagon Maintenance

Applicable standards in CR Rolling stock - Freight wagons TSI (2006/861/EC)

RATP safety approach for railway signalling systems

Sensitivity Analysis of Safety Measures for Railway Tunnel Fire Accident

Version: 1.0 Latest Edition: Guideline

E-newsletter 1 st edition, December 09

Tutorial T3. Engineering. Safety-Related Requirements for Software-Intensive Systems. Donald Firesmith, Software Engineering Institute, USA

Monitoring and Reporting Drafting Team Monitoring Indicators Justification Document

Choose certainty. Add value.

Criticality Analysis for COTS Software Components. Fan Ye; University of York, York, UK Tim Kelly; University of York, York, UK

Fit for the European Rail Market Training Competence - Certification

(e.g. elderly and disabled)

The European Fire Safety Standard CEN TS Railway Interiorsexpo Amsterdam November 2008

The planned delivery date of the two studies, defined in the Mandate (Point 3.2 of the Annex) is 4 November 2010.

Safety Risk Impact Analysis of an ATC Runway Incursion Alert System. Sybert Stroeve, Henk Blom, Bert Bakker

Certification of a Scade 6 compiler

Value Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity

OCCURRENCE REPORTING IN RAILWAYS. DG workshop Valenciennes, 29 October 2014 EKSLER Vojtech

Assessment of freight train derailment risk reduction measures: A1 Existing measures

Engineering Inspection Plans For Entity in Charge of Maintenance Certificates. May 2012

Safety Management Systems (SMS) guidance for organisations

COMMISSION IMPLEMENTING DECISION. of XXX

Guidance for Industry: Quality Risk Management

Is load testing during initial acceptance inspection still the contemporary method?

The need for Safety Intelligence based on European safety data analysis

Technical Bulletin. Understanding Servo Safety Functionality and SIL ratings

RISK ASSESSMENT BASED UPON FUZZY SET THEORY

RAIL FREIGHT CORRIDOR 1 NSA WORKING GROUP GUIDELINE FOR CCS AUTHORISATION ON RAIL FREIGHT CORRIDOR 1

The Contribution of Rail in Mitigating Climate Change

Rail research Successes and challenges

Guideline. Date:

Railway Institute research and implementation

A Quality Requirements Safety Model for Embedded and Real Time Software Product Quality

IQ-C Action plan for rail freight corridor Rotterdam-Genoa

Safety-Critical Systems: Processes, Standards and Certification

Siemens AG Mobility Division Nonnendammallee Berlin Germany

Rail Automation. What is ACSES? usa.siemens.com/rail-automation

Trainguard Sirius CBTC

Insurance Review: Consultation November 2006

OJ L 191, , p. 26. OJ L 2, , p. 1.

Selecting Sensors for Safety Instrumented Systems per IEC (ISA )

Risk Assessment in Accordance with EN ISO and EN ISO 12100:2010

SAFETY MANUAL SIL Switch Amplifier

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. Space, Security and GMES Security Research and Development

Railroad Accident Brief

FAA Perspective on ICAO's Progress on NOx Emissions as well as on Efforts for CO 2, Particulate Matter, and Noise Standards

Functional Safety Hazard & Risk Analysis

Your Power. Traction energy

The Ministry of Transport, Public Works and Water Management of the Netherlands

EUROPEAN RAILWAY AGENCY

Space project management

LSST Hazard Analysis Plan

New Challenges In Certification For Aircraft Software

SAFETY MANUAL SIL SMART Transmitter Power Supply

CAUSES OF AIRCRAFT ACCIDENTS

The Annex to ED Decision 2012/007/R (AMC/GM to Part-ORA) is amended as follows:

COMMISSION REGULATION (EU)

Software Classification Methodology and Standardisation

Intermediate report on the development of railway safety in the European Union

Research and Innovation Staff Exchange Frequently Asked Questions (FAQs)

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

Machineontwerp volgens IEC 62061

Annex to the Accreditation Certificate D-PL according to DIN EN ISO/IEC 17025:2005

Rail safety statistics August 2014

The risk of derailment and collision, and safety systems to prevent the risk

FIRE RISK ASSESSMENT STUDY FOR A HIGH SPEED TRAIN. By Paul Mann Principal RAMS and Systems Assurance Advisor. Section 1.0 Background...

European Distribution System Operators for Smart Grids. Position paper on Electric Vehicles Charging Infrastructure

Role of the systems engineer in safety critical systems. Dr. Cecilia Haskins, CSEP Keynote address WOCS 27. September 2012

Transcription:

ETCS Prüfcenter Wildenrath Interoperabilität auf dem Korridor A Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme Siemens Braunschweig, Oktober 2007 Prof. Dr. Jens Braband Page 1 2007 TS RA, Prof. Dr. Jens Braband The European Railway Agency (ERA) The European Railway Agency (http://www.era.eu.int), established by European Regulation 881/2004, has the mission of reinforcing railway safety and interoperability throughout Europe. The European Railway Agency develops harmonised measures for rail safety. These measures concern common safety targets and common safety methods (CSMs), the definition of common safety indicators and the harmonisation of documents relating to safety certification. Common safety methods describe how safety levels, the achievement of safety targets and compliance with other safety requirements are assessed in the various Member States. In this context, UNIFE (Union of European Railway Industries) has agreed on a proposal which includes a risk acceptance criterion for technical systems. Page 2 2007 TS RA, Prof. Dr. Jens Braband

Scope of Presentation within CSM Recommendation This presentation deals only with explicit risk analysis and risk acceptance criteria for it Page 3 2007 TS RA, Prof. Dr. Jens Braband Definition of Technical System A technical system is a product developed by a supplier including its design, implementation and support documentation. Notes: The development of a technical system starts with its System Requirements Specification and ends with its safety approval. Human operators and their actions are not part of a technical system. Maintenance is not included in the definition, although maintenance manuals are. Page 4 2007 TS RA, Prof. Dr. Jens Braband

Definition of Function A function is defined in this context as a specific purpose or objective to be accomplished that can be specified or described without reference to the physical means of achieving it (IEC 61226:2005). Note: A function transfers (considered as a black-box) input parameters (material, energy, information) into aim related output parameters (material, energy, information). Page 5 2007 TS RA, Prof. Dr. Jens Braband Risk Acceptance Criterion for Technical Systems UNIFE has agreed on the risk acceptance criterion for technical systems (RAC-TS): Any failure mode of a function resulting in a hazard that has a credible immediate potential for catastrophic consequences shall not occur with a rate of occurrence higher than 10-9 per operating hour. Catastrophic consequences are defined by EN 50126 as Fatalities and/or multiple severe injuries and/or major damage to the environment. Credible potential means that it must be likely that the particular failure mode will result in an accident with catastrophic consequences. Immediate in this context means that no credible barriers exist that could prevent an accident. The purpose of this criterion is to define a design target against which risk analysis methods can be calibrated. Page 6 2007 TS RA, Prof. Dr. Jens Braband

FAQ: How is RAC-TS Related to the Overall Railway Risk? It is only indirectly related, as RAC-TS is a semi-quantitative criterion and the focus is on the avoidance of potentially catastrophic events. If a scenario as described by RAC-TS occurs, only rarely is the outcome a catastrophic accident. For example, although some derailments have a catastrophic potential, only 2 fatalities resulted from 529 cases in 2005 in EU-25 (EUROSTAT data). Thus, simple approaches such as multiplying the number of functions by the quantitative RAC-TS design target will yield meaningless risk estimates. Page 7 2007 TS RA, Prof. Dr. Jens Braband FAQ: Is RAC-TS a Risk Assessment Method? Or, in other words: Is RAC-TS directly applicable? Yes, but only if the failure relates to a function of a technical system the potential is catastrophic and there are no credible barriers to prevent an accident. Such functions are rare in railways, but there are examples: failure of an ATP system in high-speed or automated operation undetected wrong setting of points in main-line operation complete loss of braking capability However, in most cases RAC-TS is not directly applicable. Page 8 2007 TS RA, Prof. Dr. Jens Braband

FAQ: What Functions is RAC-TS Applicable to? pren 0015380-4 Railway applications Classification system for rail vehicles Part 4: Function groups The normative section of pren 0015380-4 defines three hierarchical function levels (extended in informative annexes to five). In total, pren 0015380-4 defines several hundred functions relating to trains. In general, the recommendation is to select the functions from the first three levels of pren 0015380-4 (but not below), taking into account the product breakdown structure. For functions outside the scope of pren 0015380-4, the appropriate functional level shall be decided by comparison, based on expert judgment. Page 9 2007 TS RA, Prof. Dr. Jens Braband Example: Functions (based on pren 0015380-4) Code =BED =CFD =CLB =DB =EBF =FB =GB =GC =JBP =KEB =KF =KGB =KGC Function Description Manage signalling of fire Manage emergency alarm from passengers Control tilting Provide external access Ensure adequate reaction on unintended uncoupling Provide electrical energy for traction Provide acceleration and dynamic brake force Provide deceleration and keep the train at standstill Provide Detection of Non Rotating Axle ATC On-board Automatic train operation Control Switches Control Signals Remarks Management of fire alert Functions associated with the management of the external doors Page 10 2007 TS RA, Prof. Dr. Jens Braband

FAQ: How can RAC-TS be Applied to Other Scenarios? RAC-TS can easily be applied to scenarios which differ only with respect to a few independent parameters from RAC-TS reference conditions. We assume that for a particular parameter p the relationship to risk is multiplicative. We assume that in the reference condition p* applies and in the alternative scenario p. In this case, only the parameter ratio p*/p is relevant and the rate of occurrence can be reduced. This procedure can be iterated if the parameters are independent. Page 11 2007 TS RA, Prof. Dr. Jens Braband FAQ: How can RAC-TS be Applied to Other Scenarios? Example: We assume that the actual potential of the consequence (e.g. critical) is ten times less than the potential under reference conditions (which is catastrophic). Then the requirement is 10-8 /h. We assume that an additional barrier (independent of the consequences) is identified which is effective in 50% of cases. Then the requirement is 5 x 10-7 /h. Page 12 2007 TS RA, Prof. Dr. Jens Braband

FAQ: How can RAC-TS be Used with Common Risk Assessment Methods? RAC-TS can be used to calibrate risk assessment methods (see the simple example below for a risk matrix). Depending on the particular method, trade-offs can be made (e.g. lower consequences resulting in a lower design target). Intolerable Tolerable RAC-TS Page 13 2007 TS RA, Prof. Dr. Jens Braband Justification: Necessity Concerning risk analysis, and in particular risk apportionment, ERA recently reached the following conclusions: Apportionment of CST to define common safety requirements is not feasible in the first set of CSTs nor in the second set of CSTs due to insufficient official data on accident causation Even if such data were available, top down apportionment of a high-level CST expressed in terms of fatalities in order to derive common safety requirements is anyway not recommended due to the high uncertainty and variability To define such quantitative safety requirements, in particular within the TSIs, it is rather suggested to agree on common risk acceptance criteria directly applicable to the sub-systems or constituents being assessed. Page 14 2007 TS RA, Prof. Dr. Jens Braband

Justification: Technical Arguments In the European TSI-CCS, a reference for a tolerable risk is given which could be generally applied to new functions or systems: For the safety-related part of one onboard unit as well as for one trackside unit, the safety requirement for ETCS Level 2 is a tolerable hazard rate of 10-9 / hour. Several projects have proposed the same target for all safety-critical functions, e.g. Euro-Interlocking for electronic interlockings. This requirement is very similar to specific risk analysis results already assessed and approved by the EBA. This approach is similar to that in civil aviation (see SAE ARP 4754), where this criterion has been successfully used for more than 20 years. It has been shown from operational experience with large aircraft fleets of, e.g. Boeing 737s, that the overall safety level has actually been met in practice. Page 15 2007 TS RA, Prof. Dr. Jens Braband Justification: Normative and Legal Arguments For a programmable electronic control system implementing the corresponding safety function, this would, according to IEC 61508-1 (the basic safety publication for programmable electronic systems in all sectors) or EN 50129, equate to a requirement of level SIL 4. It also constitutes the highest integrity level that can be demanded according to the CENELEC and IEC standards. It is also known that higher levels of integrity for complex systems cannot credibly be claimed. The target level of risk behind RAC-TS is already tolerated in TSI- CCS and civil aviation. Page 16 2007 TS RA, Prof. Dr. Jens Braband

Justification: Economic Arguments Accident investigation and statistics demonstrate that human errors with organisational factors or flaws in the safety culture are very, not to say the most, important factors contributing to accidents. The contribution from technical system failures becomes negligible for signalling systems and the like (credible estimates put it at well below 1%). This has been demonstrated both theoretically and empirically. Generally, the safety level of existing technical systems is sufficient. Due to its negligible contribution to the overall risk, increasing the technical safety level is not cost-effective (e.g. SAMNet, IRSE). Harmonising and standardising the existing high safety level of technical systems would enhance the competitiveness of the European rail industry. Page 17 2007 TS RA, Prof. Dr. Jens Braband Conclusions UNIFE has proposed a pan-european harmonised risk acceptance criterion for technical systems (RAC-TS). A wide range of arguments were presented justifying RAC-TS on normative, legal and economic grounds. An outline was also given showing how it can be applied per se or as a reference point for the calibration of certain risk analysis methods. It is to be expected that RAC-TS will simplify discussions on the appropriate safety requirements and so save time and money in railway projects without reducing the level of safety. Last but not least, a harmonised criterion promises to increase standardisation and hence the competitiveness of the entire rail sector. Page 18 2007 TS RA, Prof. Dr. Jens Braband

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information