
  • R. Slovák

    OPERATIONAL PROCESS MODELLING FOR SAFETY ANALYSIS OF RAILWAY SYSTEMS ON EXAMPLE OF A LEVEL CROSSING PROTECTION

    Bieleschweig Workshop, BS, October 11, 2007

    [Title figure: Traffic Process Model, Functional Control Model and Dependability Model; the dependability model has the states LX_OK, Safe_defect, Fail_Safe, LX_repair, Hazard_defect, Fail_Hazard, Hazard_detection and the parameters HR, FR, MTTR, MTDH.]

    • Motivation
    • Holistic model based approach for safety analysis
    • Modelling language
    • Level crossing example
    • Risk and system hazard analysis
    • Conclusions

  • Motivation: European Standards for Railway applications (SD 2004/49/EC, EN 50126, EN 50128, EN 50129)

    Legislative guidance in the area of RAMS

    Ø Safety: Freedom from unacceptable risk of harm [EN 50126]

    Ø Risk: The probability of occurrence of a hazard causing harm and the degree of severity of the harm

    Ø Hazard: A physical situation with a potential for human injury

    Ø Proposal of three risk acceptance criteria (GAME, ALARP, MEM)

    Ø General recommendation to apply formal methods (e.g. RBD, Markov chains, state diagrams, Petri nets, …)

  • Safety requirements apportionment in the railway system design (EN 50126)

    Hazard list -> Preliminary hazard analysis -> Safety targets

    Railway operation -> Risk analysis -> THR's, SIL's for railway operation -> Apportionment

    System functions specification -> Functional safety requirements -> System hazard analysis -> THR's, SIL's for functional assemblies -> Apportionment

    Component's safety requirements -> THR's, SIL's for technical components -> Technical implementation specification

    Safety Methods

    [Figure residue: fault tree (Accident; Car in DZ, Train in DZ; Enter det failed, LX ctrl hazard, Diagn failed, Warnung1 failed, Warnung2 failed); Markov chains over the states ABK / ABKfs with failure rates λA, λB, λK and repair rates µ, µR, µK; failure-probability table (Warning1 failure, Warning2 failure, Enter det failure, Diagn failure, LX ctrl haz failure, Init state) with the values 9e-6 %, 5e-6 %, 3e-7 %, 5e-13 %.]

  • Form of apportionment inputs and outputs

    System functions specification: Modularity, Hierarchy, Causality, Temporality, formal/informal

    Scenarios (incl. system & human dependability): causality, stochastic temporality (rates), stochastic causality (probabilities), operation conditions (traffic flows)

    Safety targets: Individual tolerable risks for passengers, staff, LC users, unauthorised persons, others; time based rates

    Hazard list

    Apportionment

    Functional safety requirements: Tolerable hazard rates for functions of system requirements specification

    Availability, Reliability requirements: Tolerable failure rates for functions of system requirements specification

  • Drawbacks of conventional safety methods

    [Figure residue: Fault tree (Accident; Car in DZ, Train in DZ; Enter det failed, LX ctrl hazard, Diagn failed, Warnung1 failed, Warnung2 failed), Event tree, Reliability Block Diagram, Markov chain (states ABK / ABKfs, rates λA, λB, λK, µR, µK) and Bayesian net, with the same failure-probability table as on the apportionment slide.]

    • Different description means for different analysis tasks -> no transformations possible

    • Missing integrating formal background -> limited verification

    • No direct connection to the functional system state space -> event independence required

    • Often limitation on exponentially distributed stochastic events

    • Limitation on dependability description -> missing formal connection to functional breakdown (SRS, SDS) -> limited precision of safety target apportionment

  • Holistic model based safety requirements apportionment

    Hazard list -> Preliminary hazard analysis -> Safety Targets / Common Safety Indicators (Common Safety Methods)

    Railway process / Hazard consequences -> Risk analysis -> THR's, SIL's for railway operation -> Apportionment

    System functions specification / Functional dependability -> Functional safety requirements -> System hazard analysis -> THR's, SIL's for functional assemblies -> Apportionment

    System design specification / System design dependability -> Component's safety requirements -> THR's, SIL's for technical components -> Technical implementation specification

    [Figure residue: the same fault tree, Markov chains and failure-probability table as on the EN 50126 apportionment slide.]

  • PROFUND: Holistic model based approach for safety analysis

    PROcess: Railway process / Hazard consequences

    FUNctionality: System function specification / Functional dependability

    Dependability: Implementation specification (system design) / System design dependability

  • Used level crossing example

  • Modelling language: applied class of Petri nets

    Extended deterministic and stochastic Petri nets (EDSPN)

    Hierarchical Petri net class extension

  • Modelling approach: Function-Resource model [VDI 3682]

    Function, Function condition, Input state, Output state

    Resource with the states Intact, Fail-Safe, Hazard

  • Preliminary hazard analysis

    [Figure residue, labels translated from German:]

    Generic PHA process: System definition (functional requirements, operational requirements, system boundaries) -> Generic function model (control functions, control components, process-control interface, environmental influences) -> Generic hazard list (safety-relevant functions, safety-relevant components) -> Hazard identification (possible accidents, accident consequences, accident causes); layers Functionality / Process with functional dependability and implementation dependability.

    Function model: Route protection, Train protection, Operations control; Route request, Movement authority; Infrastructure, Train dynamics; Commands, Messages; Train position, Localisation, Localisation message.

    Hazard tree: Collision (rear-end collision, head-on collision, crash, flank collision; 2 trains in a track section, v < v of train 1 / train 2) <- Hazard route protection, Hazard train supervision, Hazard System Track, Hazard System Train <- Dispatcher error, Driver error, Hazard train detection, Hazard signalling, Hazard system logic, Hazard speed supervision, Hazard track-train communication.

    Event tree (cause, events, consequence): Train in activation area -> LX protection (BÜSA) active? -> Train in approaching area -> Car in LX approaching area? -> Warning perceived? -> Clearance in time? -> Train in danger zone; each branch Yes/No leads to Accident / No accident, with BÜSA and the car driver as the responsible elements.

  • Preliminary hazard analysis for level crossing (FMEA, ETA, FTA)

    FMEA (translated from German):

    Function | Failure mode | Effect | Hazard
    Train detection in activation area | Delayed or no detection of the train | Delayed or no protection of the LX | Yes
    Activation | Delayed or no activation | Delayed or no activation of the LX | Yes
    Warning display | Delayed, insufficient or no warning display | Insufficient warning of road traffic | Yes, especially when all warning types fail at the same time
    Clearance detection | Delayed or no detection of LX clearance | Delayed or no release of the LX | Possible with longer closure times caused by disregard of the warning
    Deactivation | Delayed or no deactivation | Delayed or no deactivation of the LX | Possible with longer closure times caused by disregard of the warning

    ETA: [Figure residue: the level-crossing event tree (train in activation area, BÜSA active, train in approaching area, car in LX approaching area, warning perceived, clearance in time, train in danger zone; Yes/No branches to Accident / No accident; responsible elements BÜSA and car driver).]

    FTA: Hazard BÜSA <- Hazard train detection, Hazard LX control, Hazard LX warning (functional dependability); Process: car driver error.

    Technical implementation:

    Function | Component
    Train detection | Track circuit
    Warning activation | Control unit
    Warning | 4 x red traffic light
    Train leaving detection | Wheel detector
    Warning deactivation | Control unit

  • EDSPN modelling of the railway traffic process on a level crossing

    [Figure: train approaching area (Annäherungsbereich des Zuges), car approaching area (Annäherungsbereich des KFZ), train.]

    Undesired event: contemporaneous occupancy of the danger zone by a car and a train

  • PROFUND: requirements analysis, EDSPN modelling of the traffic process (I)

    [Figure: train approaching area (Annäherungsbereich des Zuges), car approaching area (Annäherungsbereich des KFZ), trains.]

    Train places and transitions: Train_out_of_LX -> Train_enters_approaching_area -> Train_approaching -> Train_enters_DZ -> Train_in_DZ -> Train_leaves_DZ

    Car places and transitions: Car_out_of_LX -> Car_enters_approaching_area -> Car_approaching -> Car_enters_DZ (variants Car_enters_Train_approach, Car_enters_Train_pass and a third ending in _no_train) -> Car_in_DZ -> Car_leaves_DZ

    Outcome places No_accident and Accident; transition Accident_removal

    Transition's parameter determination

  • Qualitative and quantitative analysis of the traffic process on the level crossing

    Qualitative analysis: [Figure residue: Petri net analysis over the transitions Train_enters_approaching_area, Car_enters_approaching_area, Car_enters_DZ_III, Train_enters_DZ, Accident_removal, Train_leaves_DZ, Car_leaves_DZ; result labels RV9, GS4, U1.]

    Quantitative analysis: [Plot: individual risk [fatalities/person*year] (0 to 0.003) against road traffic flow [cars/h] (0.1 to 1000, logarithmic axis); three curves for 4 trains/h, 2 trains/h and 0.25 trains/h.]

  • EDSPN model for level crossing risk analysis

    [Figure residue: layered model. Process: road and railway operation, accidents. Function: protection function and the function's dependability (protection system function's failures). Car driver's behaviour.]

  • Car driver behaviour risk analysis

  • Level crossing protection system risk analysis

  • Protection system implementation: EDSPN model for level crossing system hazard analysis (protection system implementation's failures)

  • Level crossing system hazard analysis (sensitivity analysis)

  • Results of system hazard analysis (after optimisation of safety requirements)
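    As an added example, not part of the presentation or of the PROFUND tool, the following Python script approximates the EDSPN traffic-process model (Train_out_of_LX, Train_approaching, Train_in_DZ, Car_out_of_LX, Car_approaching, Car_in_DZ, Accident, Accident_removal) by a continuous-time Markov chain, reproduces the shape of the risk-versus-road-traffic-flow analysis for 0.25, 2 and 4 trains/h, and couples it to the dependability model of the title slide (LX_OK, Fail_Safe, Fail_Hazard with HR, FR, MTTR, MTDH) the way system hazard analysis feeds risk analysis. The structure of the dependability chain, all rates, dwell times and probabilities, and the one-train / one-car token simplification are assumptions; the output is accidents per year, since the fatality conversion behind the individual-risk curve is not given in the slides.

```python
"""CTMC approximation of the level-crossing EDSPN (added example, not from
the slides).  Place and transition names follow the presentation
(Train_out_of_LX, Train_approaching, Train_in_DZ, Car_out_of_LX,
Car_approaching, Car_in_DZ, Accident, Accident_removal); every rate, dwell
time and probability below is a constructed assumption."""
from itertools import product

TRAIN_STATES = ("Train_out_of_LX", "Train_approaching", "Train_in_DZ")
CAR_STATES = ("Car_out_of_LX", "Car_approaching", "Car_in_DZ")
ACCIDENT = "Accident"
COLLISION = ("Train_in_DZ", "Car_in_DZ")  # not a state: it is the Accident place


def stationary_distribution(Q):
    """Solve pi*Q = 0, sum(pi) = 1 by Gaussian elimination (no numpy needed)."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # transpose of Q
    A[-1] = [1.0] * n                  # one balance equation -> normalisation
    b = [0.0] * (n - 1) + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            for k in range(col, n):
                A[r][k] -= f * A[col][k]
            b[r] -= f * b[col]
    pi = [0.0] * n
    for r in range(n - 1, -1, -1):
        pi[r] = (b[r] - sum(A[r][k] * pi[k] for k in range(r + 1, n))) / A[r][r]
    return pi


def hazardous_unavailability(HR, FR, MTTR_h, MTDH_h):
    """Dependability model of the protection (assumed structure of the title
    figure): LX_OK -FR-> Fail_Safe -1/MTTR-> LX_OK and LX_OK -HR-> Fail_Hazard
    -1/MTDH-> Fail_Safe.  Returns the steady-state probability of Fail_Hazard."""
    Q = [[-(FR + HR), FR, HR],                # LX_OK
         [1.0 / MTTR_h, -1.0 / MTTR_h, 0.0],  # Fail_Safe
         [0.0, 1.0 / MTDH_h, -1.0 / MTDH_h]]  # Fail_Hazard
    return stationary_distribution(Q)[2]


def build_generator(train_flow, car_flow, p_warning_fail, p_ignore=0.01,
                    t_train_approach_min=2.0, t_train_dz_min=0.5,
                    t_car_approach_min=1.0, t_car_dz_min=0.25, t_removal_h=2.0):
    """Generator matrix Q (rates in 1/h) of the traffic process: one train and
    one car token, exponential dwell times (the Markov limitation the slides
    name), flows in arrivals per hour, dwell times in minutes."""
    states = [s for s in product(TRAIN_STATES, CAR_STATES) if s != COLLISION]
    states.append(ACCIDENT)
    idx = {s: i for i, s in enumerate(states)}
    Q = [[0.0] * len(states) for _ in states]

    def fire(src, dst, rate):            # add one exponential transition
        Q[idx[src]][idx[dst]] += rate
        Q[idx[src]][idx[src]] -= rate

    for t, c in states[:-1]:
        if t == "Train_out_of_LX":                     # Train_enters_approaching_area
            fire((t, c), ("Train_approaching", c), train_flow)
        elif t == "Train_approaching":                 # Train_enters_DZ
            dst = ACCIDENT if c == "Car_in_DZ" else ("Train_in_DZ", c)
            fire((t, c), dst, 60.0 / t_train_approach_min)
        else:                                          # Train_leaves_DZ
            fire((t, c), ("Train_out_of_LX", c), 60.0 / t_train_dz_min)
        if c == "Car_out_of_LX":                       # Car_enters_approaching_area
            fire((t, c), (t, "Car_approaching"), car_flow)
        elif c == "Car_approaching":                   # Car_enters_DZ
            # Warning active while a train approaches or occupies the DZ; the car
            # then enters only if the warning failed or the driver ignores it.
            p = 1.0 if t == "Train_out_of_LX" else p_warning_fail + (1 - p_warning_fail) * p_ignore
            dst = ACCIDENT if t == "Train_in_DZ" else (t, "Car_in_DZ")
            fire((t, c), dst, p * 60.0 / t_car_approach_min)
        else:                                          # Car_leaves_DZ
            fire((t, c), (t, "Car_out_of_LX"), 60.0 / t_car_dz_min)
    fire(ACCIDENT, ("Train_out_of_LX", "Car_out_of_LX"), 1.0 / t_removal_h)  # Accident_removal
    return states, Q


def accidents_per_year(train_flow, car_flow, p_warning_fail=1e-4, **params):
    """Steady-state throughput of Accident_removal, scaled to one year."""
    states, Q = build_generator(train_flow, car_flow, p_warning_fail, **params)
    pi = stationary_distribution(Q)
    return pi[-1] * (-Q[-1][-1]) * 8760.0


if __name__ == "__main__":
    # System hazard analysis feeds risk analysis: the protection's hazardous
    # unavailability becomes p_warning_fail of the traffic process.
    p_fail = hazardous_unavailability(HR=1e-6, FR=1e-3, MTTR_h=4.0, MTDH_h=24.0)
    for trains in (0.25, 2.0, 4.0):             # the three curves of the plot
        row = [accidents_per_year(trains, cars, p_fail) for cars in (0.1, 1, 10, 100, 1000)]
        print(f"{trains:5.2f} trains/h:", " ".join(f"{a:.2e}" for a in row))
```

    The exponential dwell times are exactly the limitation the slides list under the drawbacks of Markov chains: a car that entered the danger zone shortly before the train reached the approaching area still collides with it with non-zero probability, because the chain has no memory of how long the car has been there. In the EDSPN, approach and crossing times are deterministic transitions and that spurious path disappears, which is the reason the presentation moves from Markov chains to Petri nets.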

  • Holistic modelling approach (summary)

    The holistic modelling by Petri nets allows describing:

    • the desired transport operation tackling the
      Ø Transport process
      Ø Control and protection functions
      Ø Control and protection equipment & devices
      Ø Control and protection staff

    • the undesired potential transport behaviour given by
      Ø accidents and their possible consequences
      Ø unfulfilled operational functions including functional hazards
      Ø failures of technical subsystems and components including technical hazards
      Ø unintentional errors of the humans having responsibilities in regular or fall-back operation, in the maintenance or surveillance
      Ø intentional actions of external human misuse

  • Conclusions

    Petri nets modelling supports the introduction of the new safety philosophy of the latest European Standards:

    Ø System hazard identification

    Ø Qualitative and quantitative safety analysis

    Ø Quantitative performance analysis

    Ø Integrated evaluation of all aspects of dependability (RAMSS)

    Ø Sensitivity and cost benefit analysis

    Ø Holistic approach to the safety analysis