Position Paper ETCS On-board Subsystem Reliability Requirement for Operational Safety 06.10.2014

TABLE OF CONTENTS
1. Introduction
1.1 Background
1.2 Purpose
1.3 Scope
1.4 References
1.5 Document structure
1.6 Abbreviations
2. APPROACH
2.1 Definitions
2.2 Principles
2.3 Assumptions
2.4 Analysis scenario
2.5 Operational parameters
3. RELIABILITY REQUIREMENT
4. DEMONSTRATION
Appendices
Appendix 1 Reliability requirement calculation

1. Introduction

1.1 Background

The European Commission (EC) Decision 2012/88/EU of 25 January 2012 [1] lays down the Technical Specification for Interoperability (TSI) relating to the Control-Command and Signalling (CCS) subsystems of the trans-European rail system. Availability and Reliability requirements for the On-board and Track-side subsystems are covered in Section 4.2.1.2 and Annex A 4.2.1.b of that document. However, Index 28 in Annex A, marked as "Reserved", does not contain any quantitative Reliability requirements for the ERTMS/ETCS subsystems. As a result, Infrastructure Managers (IM) and/or Railway Undertakings have had to derive quantitative Reliability requirements, either contract specific or at national level, using different considerations: commercial, Safety or both [2]. This approach could be seen as going against the principles of interoperability, particularly with regard to the CCS On-board subsystem, and could lead to degraded situations whose management decreases the overall Safety of the system.

In an attempt to resolve this issue, in December 2012 UNISIG produced a paper [3] in which a Mean Time Between Immobilising Failures (MTBIF) for the On-board subsystem was derived based on Operational Safety considerations.

Note: In the context of the UNISIG document, an immobilising failure is defined as "in general the CCS On-board subsystem is switched off and the train can only finish its mission without CCS On-board subsystem supervision".

After reviewing the UNISIG document, the members of the European Rail Infrastructure Managers (EIM) rejected the proposed MTBIF value as being too low and generally below the values that had already been derived or observed independently by EIM members. Disagreement with the Operational parameters assumed in the paper in order to derive the MTBIF value was also indicated, on the basis that they did not cover the full range of values seen across the trans-European system.

However, EIM have indicated agreement with the following principles:
o Minimum Reliability requirements for the On-board subsystem should be defined in the TSI CCS, whilst Reliability requirements for the Track-side subsystems would be determined at national level;
o The minimum Reliability requirements for the CCS On-board subsystem apply only to Immobilising Failures;
o The minimum Reliability requirements for the On-board subsystem are linked to Operational Safety.

Following consultation with the European Rail Agency (ERA), and in particular the workshop of 29 April 2014, the Railway Interoperability and Safety Committee (RISC) is proposing an amendment of the TSI CCS [4] to include, among other things, the principles outlined above and corresponding quantitative Reliability requirements for the On-board subsystem. However, agreement on the numerical value to be included in the revised document is yet to be reached.

1.2 Purpose

The purpose of this document is to propose a quantitative Reliability requirement for the ETCS On-board subsystem for inclusion in the amendment of the TSI CCS, and therefore applicable to the trans-European rail system. The requirement is derived from Operational Safety principles and applies only to those On-board subsystem failures that require isolation of the train protection functions.

1.3 Scope

The scope of this document covers the Reliability of the ETCS On-board subsystem with its functional constituents as defined in the TSI CCS [1].

1.4 References

[1] European Commission Decision on the Technical Specification for Interoperability relating to the Control-Command and Signalling subsystems of the trans-European rail system, Ref: 2012/88/EU, 25 Jan 2012.
[2] ERTMS Users Group, Reliability Study Oct 2009/Feb 2010, Issue A05, Ref: NR/EE/REP/00184, Sep 2010.
[3] UNISIG, ERTMS/ETCS Reliability Requirement for CCS Onboard Subsystem from the viewpoint of operational safety, Issue 1.0.3, 14 Dec 2012.
[4] RISC, Draft Commission Decision amending Commission Decision 2012/88/EU on the technical specification for interoperability relating to the control-command and signalling subsystems of the trans-European rail system, Ref: 08/57-ST30, 16 May 2014.

1.5 Document structure

In addition to this Introduction, the document includes the following sections:
o Section 2 describes the approach to deriving the Reliability requirement;
o Section 3 gives the quantitative Reliability requirement for the ETCS On-board subsystem;
o Section 4 describes the proposed approach to demonstrating compliance with the requirement.

1.6 Abbreviations

CCS    Control Command & Signalling
EC     European Commission
EIM    European Rail Infrastructure Managers
ERA    European Rail Agency
ERTMS  European Rail Traffic Management System
ETCS   European Train Control System
EU     European Union
IM     Infrastructure Managers
MTBIF  Mean Time Between Immobilising Failures
TSI    Technical Specification for Interoperability

2. APPROACH

2.1 Definitions

The following terminology is used throughout this document:

Failure: the termination of the ability of an item to perform a required function with the required performance.
Failure Mode: the effect by which the Failure is observed.
Immobilising Failure: a Failure of the CCS On-board subsystem requiring isolation of the train protection function.
Mean Time Between Immobilising Failures: the arithmetic mean of the time between successive independent Immobilising Failures.

2.2 Principles

The derivation of the Reliability requirement for the CCS On-board subsystem presented in this paper follows the principles below (ID, Principle, Rationale):

1. Minimum Reliability requirements for the CCS On-board subsystem are included in the TSI CCS; Reliability requirements for the CCS Track-side subsystem are derived at national level.
   Rationale: The requirements for the CCS On-board subsystem are applicable to the trans-European system. The Reliability of the Track-side subsystem is managed at national level by the Infrastructure Managers.
2. The minimum Reliability requirement for the CCS On-board subsystem is derived based on Operational Safety considerations.
   Rationale: To enable Infrastructure Managers to manage degraded situations without decreasing the overall Safety of the system.
3. The minimum Reliability requirement for the CCS On-board subsystem applies to Immobilising Failures only.
   Rationale: An Immobilising Failure requires isolation of the train protection function and its removal from service, thus generating a degraded situation.
4. The system Safety level is decreased when a single Immobilising Failure occurs.
   Rationale: Train movement with the CCS On-board protection function isolated could create hazardous situations for all the trains in the area.
5. The Infrastructure Managers do not have the authority to deny access to their network to vehicles having lower Reliability than the minimum requirement.
   Rationale: As per European Union Rules and Regulations.
6. The Infrastructure Managers cannot apply higher track access charges to vehicles having lower Reliability than the minimum requirement.
   Rationale: This is against the EC legislation.
7. The Reliability requirement for the CCS On-board subsystem is related to the most severe Operating conditions in the trans-European system.
   Rationale: The requirement needs to be applicable to each specific ERTMS/ETCS implementation in the EU.
8. An Immobilising Failure can occur as the result of a failure of a single constituent of the CCS On-board subsystem (single point failure) or as a result of a combination of failures of two or more constituents.
   Rationale: All causes of Immobilising Failures need to be considered.
9. An Immobilising Failure can be caused by a functional failure of CCS On-board subsystem constituents or by a failure of the interface between subsystem constituents.
   Rationale: Subsystem integration issues at the interface between constituents can generate Immobilising Failures.

2.3 Assumptions

The general assumptions used in the derivation of the Reliability requirement for the CCS On-board subsystem are as follows (ID, Assumption, Rationale):

1. Immobilising Failures of the CCS On-board subsystem include both hardware and software failures.
   Rationale: In accordance with Systems Engineering principles, the hardware and software elements cannot be separated, as both contribute to the successful operation of a system/subsystem.
2. A train experiencing an Immobilising Failure cannot continue its mission.
   Rationale: As a result of the Immobilising Failure the train protection function needs to be isolated and hence CCS On-board supervision is lost. The train mission is terminated.
3. The derivation of the minimum Reliability requirement assumes steady-state Reliability, i.e. constant failure rates.
   Rationale: The Safety considerations during a Reliability growth period would be different from those in steady-state operation, and therefore the approach to managing degraded situations during that period would also be different.
4. The minimum Reliability requirement for the CCS On-board subsystem is expressed as Mean Time Between Immobilising Failures (MTBIF).
   Rationale: As stated in the amendment to the TSI CCS [4].
5. Derivation of the minimum Reliability requirement is based on an operational scenario where the railway network in an area controlled by a signalman is at its busiest time of the day: peak hours. It is assumed that two such busy periods occur during a typical operational day: morning peak and afternoon peak.
   Rationale: In accordance with Principle 7 in the previous section, the most severe Operating conditions need to be used in deriving requirements.

2.4 Analysis scenario

The scenario analysed for the purpose of deriving the Reliability requirement is based on the UNISIG paper [3] and the principles outlined above, and can be described as follows:
o Operating environment: the railway network in an area controlled by a signalman during peak hours.
o Operating status: the railway network is in the Normal Operation state.

o A train moving through the area experiences an Immobilising Failure. This can be caused by the CCS On-board subsystem or by any other On-board subsystem. A degraded situation has thus occurred.
o The signalman needs to confirm the failure and manage the safe removal of the train from the area.
o During the time it takes to remove the affected train and return the controlled area to Normal Operation, the likelihood of a second train experiencing an Immobilising Failure, caused by the CCS On-board subsystem or any other On-board subsystem, must be as low as reasonably practicable.

2.5 Operational parameters

The Operational parameters involved in the scenario described above are as follows (parameter (units); description; comments):

PE (events/yr per controlled area): the frequency of peak hour periods within the controlled area. This depends on the national railway and the location of the controlled area; typically two such periods per day are observed: morning peak and afternoon peak.

Tpe (hrs): the duration of the peak hour period, when the railway network is at its busiest. This depends on the national railway and the location of the controlled area.

IFccs (failures/hr): the failure rate for Immobilising Failures of the CCS On-board subsystem. Under steady-state Reliability conditions IFccs = 1/MTBIF; an MTBIF value needs to be derived as the Reliability requirement for the CCS On-board subsystem.

r (dimensionless): the ratio between the failure rate for Immobilising Failures caused by any On-board subsystem other than CCS and the failure rate IFccs for CCS. This depends on the type of rolling stock, its age, maintenance regime, etc. Higher values are expected for old rolling stock where the CCS On-board subsystem is retro-fitted; lower values are expected for new, modern rolling stock. Varies at national level from IM to IM.

N (number of trains): the number of trains present within the controlled area at the time the Immobilising Failure occurs. This varies according to the size of the railway network, train frequency, number of control centres, etc.

Tr (hrs): the time taken to remove the affected train from the area and return to Normal Operation. This varies according to the number of trains N and also rolling stock class, size of the network, time of day (peak, off-peak), etc.

HE (events/yr per controlled area): the frequency of a second Immobilising Failure occurring within the controlled area during the time Tr, i.e. the hazardous event. This depends on the failure rate IFccs, the time Tr and the number of trains N in the area. Acceptable values vary at national level from IM to IM.

3. RELIABILITY REQUIREMENT

The minimum Reliability requirement for the CCS On-board subsystem is:

MTBIF = 100,000 hrs

The equation used to estimate this value is given below (for the detailed derivation see Appendix 1):

$$\mathrm{MTBIF}\ (\mathrm{hrs}) = \sqrt{\frac{(1+r)^2 \cdot N \cdot (N-1) \cdot T_{pe} \cdot T_r}{HE\ (\mathrm{events/yr}) \,/\, PE\ (\mathrm{events/yr})}}$$

Substituting the values below gives approximately 113,950 hrs (Appendix 1, item 11), which is rounded to the requirement of 100,000 hrs stated above. The Operational parameter values used in the equation are (parameter, value, justification):

PE = 730 events/yr: two peak periods per day have been assumed throughout the year.

Tpe = 3 hrs: typical duration of a peak period.

r = 10: a typical value can be estimated from data collected from rolling stock with a fitted CCS On-board subsystem. From UK operational experience with Class 158 on the Cambrian Line ETCS application, an approximate value of 7 has been estimated. Since the most stringent Operating conditions need to be considered, a value of 10 for this parameter is considered suitable.

N = 50: a value of 30 trains has been quoted for the Netherlands, whilst in the UK values just over 50 trains have been observed around the busiest areas at peak time. The maximum value of 50 trains is considered to cover the most stringent Operating conditions.

Tr = 2 hrs: this is considered to be the maximum time required under stringent Operating conditions (peak time, busy area, etc.) to remove the faulty train and return to normal operations.

HE = 0.1 events/yr per area: the value of this parameter depends on the risk acceptability criteria used by each IM. To check the acceptability of the proposed value, consideration should be given to the following:
o 0.1 events/yr at local level (controlled area/signalman) translates into 1 hazardous event every 10 yrs;
o at national level, for 10 controlled areas/signalmen, this value translates into 1 hazardous event every year.

4. DEMONSTRATION

To ensure that the relevant IMs are given all the information they need to define appropriate procedures for managing degraded situations, the applicant for the authorisation of a CCS On-board subsystem shall provide to the IM calculated Reliability values for the failure modes requiring isolation of the train protection functions.

Appendix 1 Reliability requirement calculation

1. Reliability at time t, R(t), is defined as the probability that an item survives to time t. For steady-state Reliability the item failure rate λ is constant and the reliability is

$$R(t) = e^{-\lambda t}$$

2. The probability of the item failing between 0 and time t is then

$$F(t) = 1 - R(t) = 1 - e^{-\lambda t}$$

3. Using the above definitions, the probability of a train experiencing an Immobilising Failure, caused by any On-board subsystem, during the peak period T_pe within the controlled area can be written as

$$1 - e^{-IF_{CCS}\,(1+r)\,T_{pe}}$$

4. For N trains present in the controlled area during the time T_pe, the probability that at least one of them fails is

$$1 - e^{-IF_{CCS}\,(1+r)\,N\,T_{pe}}$$

5. Similarly, the probability that at least one other train experiences an Immobilising Failure caused by any On-board subsystem within the time interval T_r taken to remove the first failed train and return to Normal Operation is

$$1 - e^{-IF_{CCS}\,(1+r)\,(N-1)\,T_r}$$

6. Both events (items 4 and 5) need to happen in order to give rise to a hazardous event HE, and therefore the two probabilities are multiplied to obtain the probability of a hazardous event:

$$\left(1 - e^{-IF_{CCS}\,(1+r)\,N\,T_{pe}}\right)\left(1 - e^{-IF_{CCS}\,(1+r)\,(N-1)\,T_r}\right)$$

7. The exponential function e^{-x} can be expanded as a series:

$$e^{-x} = 1 - x + \frac{x^2}{2!} - \frac{x^3}{3!} + \dots = \sum_{n=0}^{\infty} \frac{(-x)^n}{n!}$$

and for values of x ≪ 1 the series can be approximated by e^{-x} ≈ 1 − x.

8. Using this approximation, the probability of a hazardous event in item 6 can be written as

$$IF_{CCS}\,(1+r)\,N\,T_{pe} \times IF_{CCS}\,(1+r)\,(N-1)\,T_r$$

Note: a comparison between the probability values calculated using the expressions in items 6 and 8, with the Operational parameter values given in Section 3, is shown at the end of this Appendix.

9. If PE is the frequency of peak hour periods in the controlled area during which N trains are present, then the frequency of hazardous events can be estimated as

$$HE\ (\mathrm{events/yr}) = PE\ (\mathrm{events/yr}) \cdot (1+r)^2 \cdot N\,(N-1) \cdot IF_{CCS}^{2}\ (\mathrm{failures/hr})^2 \cdot T_{pe} \cdot T_r$$

10. The above equation can be solved for IF_CCS:

$$IF_{CCS}\ (\mathrm{failures/hr}) = \sqrt{\frac{HE\ (\mathrm{events/yr}) \,/\, PE\ (\mathrm{events/yr})}{(1+r)^2 \cdot N\,(N-1) \cdot T_{pe} \cdot T_r}}$$

or

$$\mathrm{MTBIF}\ (\mathrm{hrs}) = \frac{1}{IF_{CCS}} = \sqrt{\frac{(1+r)^2 \cdot N\,(N-1) \cdot T_{pe} \cdot T_r}{HE\ (\mathrm{events/yr}) \,/\, PE\ (\mathrm{events/yr})}}$$

11. Using the Operational parameter values given in Section 3,

$$\mathrm{MTBIF}\ (\mathrm{hrs}) = \sqrt{\frac{(1+10)^2 \cdot 50 \cdot (50-1) \cdot 3\ \mathrm{hrs} \cdot 2\ \mathrm{hrs}}{0.1\ (\mathrm{events/yr}) \,/\, 730\ (\mathrm{events/yr})}} \approx 113{,}950\ \mathrm{hrs}$$
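The derivation above, and the Section 3 equation it justifies, carried through as an added worked example in Python. This is not code from the EIM paper; the function names (p_hazard_exact, p_hazard_linear, he_from_mtbif, mtbif_from_he, mtbif_from_he_exact, linearisation_ratio) are this example's own choices, and the only inputs are the Section 3 parameter values. It reproduces the 113,950 hrs figure from the linearised equation (item 10), computes the exact-versus-approximate comparison of items 6 and 8 that the Appendix refers to, inverts the un-approximated expression by bisection, and shows what hazardous-event frequency the rounded 100,000 hrs requirement actually implies under the same parameters.

```python
"""MTBIF derivation of Appendix 1 (added example; not the paper's own code).

Symbols follow Section 2.5 of the paper:
  PE   frequency of peak periods (events/yr per controlled area)
  Tpe  duration of a peak period (hrs)
  r    ratio of non-CCS to CCS immobilising-failure rates (dimensionless)
  N    trains in the controlled area during the peak period
  Tr   time to remove the failed train and return to Normal Operation (hrs)
  HE   tolerable hazardous-event frequency (events/yr per controlled area)
All function names below are this example's own (hypothetical) choices.
"""
import math

# Section 3 parameter values (most stringent operating conditions)
SECTION3 = {"PE": 730.0, "Tpe": 3.0, "r": 10.0, "N": 50, "Tr": 2.0, "HE": 0.1}


def p_hazard_exact(if_ccs, r, N, Tpe, Tr):
    """Appendix item 6: product of the two exact exponential probabilities.
    lam is the per-train immobilising-failure rate from any On-board
    subsystem, i.e. IF_CCS scaled by (1 + r)."""
    lam = if_ccs * (1.0 + r)
    p_first = 1.0 - math.exp(-lam * N * Tpe)         # >= 1 of N trains fails during Tpe
    p_second = 1.0 - math.exp(-lam * (N - 1) * Tr)   # >= 1 of the other N-1 fails during Tr
    return p_first * p_second


def p_hazard_linear(if_ccs, r, N, Tpe, Tr):
    """Appendix item 8: same product with 1 - exp(-x) replaced by x (x << 1)."""
    lam = if_ccs * (1.0 + r)
    return (lam * N * Tpe) * (lam * (N - 1) * Tr)


def he_from_mtbif(mtbif, PE, Tpe, r, N, Tr, exact=False):
    """Appendix item 9: HE = PE * P(hazard in one peak period), events/yr."""
    if_ccs = 1.0 / mtbif  # Assumption 3: constant failure rate, IF_CCS = 1 / MTBIF
    p = p_hazard_exact if exact else p_hazard_linear
    return PE * p(if_ccs, r, N, Tpe, Tr)


def mtbif_from_he(HE, PE, Tpe, r, N, Tr):
    """Appendix item 10 / Section 3 equation: closed-form inversion of the
    linearised HE expression for MTBIF (hrs)."""
    return math.sqrt((1.0 + r) ** 2 * N * (N - 1) * Tpe * Tr / (HE / PE))


def mtbif_from_he_exact(HE, PE, Tpe, r, N, Tr, lo=1.0, hi=1e9):
    """Invert the un-approximated item-6 expression by bisection on MTBIF.
    HE decreases monotonically with MTBIF, so bisection converges."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if he_from_mtbif(mid, PE, Tpe, r, N, Tr, exact=True) > HE:
            lo = mid   # still too many hazardous events: need a larger MTBIF
        else:
            hi = mid
    return 0.5 * (lo + hi)


def linearisation_ratio(mtbif, r, N, Tpe, Tr):
    """Ratio exact/linear of the per-peak hazard probability at a given MTBIF.
    A value below 1 means the linearised form over-estimates the hazard, so
    the MTBIF it yields is on the conservative (higher) side."""
    if_ccs = 1.0 / mtbif
    return p_hazard_exact(if_ccs, r, N, Tpe, Tr) / p_hazard_linear(if_ccs, r, N, Tpe, Tr)


if __name__ == "__main__":
    p = SECTION3
    args = (p["PE"], p["Tpe"], p["r"], p["N"], p["Tr"])
    m = mtbif_from_he(p["HE"], *args)
    print(f"MTBIF from linearised equation: {m:,.0f} hrs (paper: 113,950 hrs)")
    m_exact = mtbif_from_he_exact(p["HE"], *args)
    print(f"MTBIF from exact expression:    {m_exact:,.0f} hrs")
    ratio = linearisation_ratio(m, p["r"], p["N"], p["Tpe"], p["Tr"])
    print(f"exact/linear hazard probability at {m:,.0f} hrs: {ratio:.4f}")
    he_req = he_from_mtbif(100_000.0, *args)
    print(f"HE implied by the rounded 100,000 hrs requirement: {he_req:.3f} events/yr per area")
```

Two things the block makes visible that the prose does not: the first-order approximation of item 7 is conservative here (the exact item-6 probability is about 1% lower, so the exact inversion gives an MTBIF a little under 113,950 hrs), and rounding the requirement to 100,000 hrs raises the implied hazardous-event frequency from 0.1 to roughly 0.13 events/yr per controlled area under the same Section 3 parameters, which an IM applying its own HE acceptability criterion would want to know.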