16h00 FONS STANKIEWICZ GeorgFons Railway Safe To fly-CH-Frib-080916

COULD THE RAILWAY SAFELY FLY?
… the state-of-the-art approach for safety and reliability in the railway industry
1st Edition SAFETY DAY - ROSAS Center Fribourg 8. Sep. 2016

Georg Fons-Stankiewicz
THE BACKGROUND STORY …
COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

P2
1ST EDITION SAFETY DAY - ROSAS CENTER FRIBOURG 8. SEP. 2016
WHAT DOES „SAFELY“ MEAN?

P3
… IN SEARCH OF A SAFE ITEM
Safe?
OMG NO!
More or less!
Yes! „Comfort function“
„Safety function“

P4
WHAT MAKES THINGS UNSAFE?
Hazard
The hazard is a „medium“ which can reasonably likely cause
harm or damage
 Fire
 Electricity
 Motorised traffic
 Heavy or sharp items
 …..

P5
THE “ADJUSTMENT SCREWS” OF SAFETY
Severity (consequence)
The severity is the grade of damage caused by a hazard

which became real event
 Minor (reparable) damage / minor injury

 Major (reparable) damage / severe injury
 Major (irreparable) damage / single casualty
 Catastrophic damage / multiple casualties

P6
THE “ADJUSTMENT SCREWS” OF SAFETY
Likelihood of occurrence
The likelihood of occurrence (in this context) is the grade of

probability that a harm or damage caused by a hazard
become real
 Frequent – hazard experienced continuously

 Probable – hazard often experienced
 Occasional – hazard can occur several times
 Remote – hazard can be expected to occur
 Improbable – hazard may be assumed to occur exceptionally
 Incredible – hazard may be assumed not to occur

P7
THE MATTER OF SAFETY
Risk
The risk combines the probable (likelihood) grade of damage or

harm (severity) of a hazard in a qualitative equation valid for a
particular system and application
 Negligible
 Tolerable
 Undesirable
 Intolerable
 … or similar definitions
The risk is a subjective term which however can be well managed

by adjusting (influencing) its components

P8
THE SAFETY
Safety is the ability of a system in combination with its

defined application to attenuate the likelihood and/or
consequences of a hazardous event to the acceptable level

P9
RAILWAY STANDARDS AND REGULATIONS
CENELEC standards – EN 5012X family

 Based on the „Safety Bible“ IEC 61508
 Adapted for application in the rail industry
 EN50126: Railway Applications - The Specification and Demonstration of Reliability,
Availability, maintainability and Safety (RAMS)
 EN50128: Railway Applications -Communications, signalling and processing systems
 EN50129: Railway Applications - Communications, signalling and processing systems –
Safety related electronic systems for signalling
ERA (European Union Agency for Railways) requirements

 Technical Specifications for Interoperability (TSI)
 Implementation guides for the Directive 2004/49/EC
National rules
 Apply “on top” of the European rules

P 10
RAMS – A RAILWAY SPECIFIC APPROACH
CENELEC Standard EN 50126
 RAMS=Reliability, Availability, Maintainability, Safety

 Interlink between „R“ „A“ „M“ and „S“ is inseparable
Railway RAMS
Safety Availability
Reliability & Operation &

Maintainability Maintenance

P 11
RAMS LIFE CYCLE
1
Concept
EN 50126
2 11 14
System Definition & 10
Operation and De-commissioning
System Acceptance
Application Conditions Maintenance and Disposal
3
Risk Analysis
4
System Requirements 9
System Validation
(Including Safety Acceptance
and Commissioning)
5
Apportionment of
System Requirements
6 8
Design and
Implementation Installation
7
Manufacture

P 12
THE SAFETY EVIDENCE STEPS
System Definition Safety Plan

„what we want to do“ „how we want to proceed“
Hazard Log Risk Analysis

„what we need to consider“ „how we need to consider“
Safety Requirements
„what shall we do to mitigate“
Safety Case
„did it all work well“

P 13
THE SAFETY APPROVAL PROCESS
Safety Requirements Specification
Safety Case
(Generic Product, Generic Application, Specific Application)
Safety Assessment Report (independent Body)
Safety Approval
(Product, Application, Design, Implementation)
Safety Acceptance
(Product, Generic Application, Overall/Specific Application)

P 14
THE (RAM)SAFETY CONCEPT
Optimised combination of RAMS „elements“

 Fail-safety
 well established within the railway industry
 use of components with known failure modes
 with a safe state (condition) existing in case of component/system failure
 Safe State
 must be reached in reaction to a dangerous system failure
 dependencies on other RAMS aspects
 … a broken (immobilised) train at the platform is „safe“ but not really „available“
 Risk acceptance principles

 ALARP (As Low As Reasonably Practicable)
 GAMAB (Globalement Au Moins Aussi Bon)
 MEM (Minimum Endogenous Mortality)

P 15
THE „BIBLE“ OF THE SAFETY CONCEPT
Risk evaluation and acceptance („example“ from EN 50126)

* Frequency of
occurrence of a Risk Levels
hazardous event
Frequent Undesirable Intolerable Intolerable Intolerable
Probable Tolerable Undesirable Intolerable Intolerable
Occasional Tolerable Undesirable Undesirable Intolerable
Remote Negligible Tolerable Undesirable Undesirable
Improbable Negligible Negligible Tolerable Tolerable
Incredible Negligible Negligible Negligible Negligible
Insignificant Marginal Critical Catastrophic
Severity Levels of Hazard Consequence
Risk Category Actions to be applied against each category

Intolerable Shall be eliminated
Shall only be accepted when risk reduction is impracticable and
Undesirable with the agreement of the Railway Authority or the Safety
Regulatory Authority, as appropriate
Acceptable with adequate control and with the agreement of the
Tolerable
Railway Authority
Negligible Acceptable with/without the agreement of the Railway Authority

P 16
THE „BIBLE“ OF THE SAFETY CONCEPT
For the appropriate application:
 Acceptance criteria shall be adapted by the Railway Authority

 Severity levels shall be defined by the Railway Authority
 Tolerability level shall be defined by the Railway Authority
….. but usually this “Bible” is taken “as is” …

P 17
THE SAFETY INTEGRITY
Safety Integrity is the ability of a system (function) to resist

(dangerous) faults.
 4 Safety Integrity Level (SIL) defined in EN 50129
 In contrast to other standards no PFD (Failure on Demand) defined

 Easier determination of SIL
 Continuous control/signalling systems are in the majority of railway systems

P 18
THE ALLOCATION OF SIL
 No clear and unique rule 

 ERA proposal for Risk Acceptance Criteria (RAC)
 This proposal is a pragmatic way to link SIL/Severity/Frequency

P 19
FROM THE „TOOLBOX“
Human Factor in the safety chain

 Human factor‘s „failure rate“
 Several investigations carried out (eg. NASA)
 ≈ 10-3/h regarded as a good assumption
   Human is a „no-SIL subsystem“   

 Indeed, human error is often a key factor of hazardous events
 Santiago de Compostella, 24 July 2013, 79 fatalities, train driver error
 Eckwersheim (Alsace), 14 November 2015, 11 fatalities, crew error
 Bad Aibling, 9 February 2016, 12 fatalities, railroad manager error
 Human (train driver/attendant, railroad manager, passengers …) must

be supported by other barrier functions or safety related systems

P 20
Safety (Related) Application Conditions (S(R)AC)
 Non-technical means for risk mitigation

 Hand over the responsibility for proper application to the user
 Reduce technical effort and cost
 …. but shifts the responsibility to a „no-SIL subsystem“
 SACs must be documented in the safety case

P 21
Barrier Functions
Barrier functions are functions able to stop the evolution of an accident

that way than the next event in the accident evolution chain is not
reached.
 Risks cannot be mitigated by technical means only

 Several barrier functions can be defined
 Active / passive / procedural
 Physical / functional / symbolic / virtual

P 22
WHAT ABOUT THE SOFTWARE?
(S)SIL – Software SIL – EN 50128
 5 SIL levels: Level 0 – Level 4

 SSIL 0 only for non-safety relevant functions
 EN50128 sets requirements on organisation and processes required for
the required SSIL levels
 EN50128 presents guidelines for good practices on software
development, validation and verification

P 23
CAN SOFTWARE FAIL RANDOMLY?
Which failure rate to be assumed for a given (S)SIL?
 …. no one. There are no software-related random faults

 A software developed with the same SSIL as the SIL of the system on
which it is running shall not adversely influence the system
…. but there is also a common conservative approach to assume same

„artificial“ failure rate as the one corresponding to the system SIL

P 24
A SIMPLIFIED EXAMPLE
Gripping in the Passenger Door Unit

„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)
State / Evaluation of Risk

Possible Consequences /
Hazard ID Operational- Identified Hazard Assumption to Hazard Citicality Frequency Risk EN
Accident Potential
Mode EN 50126 EN 50126 50126
passanger change Gripped by external doors due
H 01 crushing Possible minor injury insignificant probable tolerable
/ standstill to unrecognised persons
Departure of the train with
someone gripped by external Single fatality and/or severe
crushing, dragging
H 02 driving doors due to unrecognised injury and/or significant damage critical probable intolerable
against an obstacle
clamping of persons or clothes to the environment.
by the doors.
inadvertant reopening of the door Single fatality and/or severe
H 03 driving falling out of the train due to false positive obstacle injury and/or significant damage critical frequent intolerable
detection to the environment.

P 25
 SIL requirement
 SIL 1 for H 01
 SIL 3 for H 02
 SIL 3 for H 03
 „Safe“ solution
 The obstacle detection control is required SIL 1
 SAC 01: The driver must check (eg. by looking in the rear-view-mirror) that nobody is
clamped in the closed doors before departure (Frequency  )
 SAC 02: The traction must be deactivated or inhibited if an opened/unlocked door is
detected (Frequency  )
 Assumption: both SAC 01 and SAC 02 decrease the frequency by 10³ independently

P 26

„Manage door system upon obstacles“ (function ´DBE´ acc. to EN 15380-4)
Reduced Risk
State / Evaluation of reduced Risk

Possible Consequences /
Hazard ID Operational- Identified Hazard Assumption to Hazard Citicality Frequency Risk EN
Accident Potential
Mode EN 50126 EN 50126 50126
passanger change Gripped by external doors due
H 01 crushing Possible minor injury insignificant remote negligible
/ standstill to unrecognised persons
Departure of the train with
someone gripped by external Single fatality and/or severe
crushing, dragging
H 02 driving doors due to unrecognised injury and/or significant damage critical incredible negligible
against an obstacle
clamping of persons or clothes to the environment.
by the doors.
inadvertant reopening of the door Single fatality and/or severe
H 03 driving falling out of the train due to false positive obstacle injury and/or significant damage critical improbable tolerable
detection to the environment.
 the mitigation definition is acceptable

P 27

Requirements definition for:
 Doors system supplier:

 „The obstacle detection shall fulfil SIL1“
 „The unlocking/opening of the door shall be detectable independently from the doors
control unit“
 Integrator
 „On detection of unlocked/opened door the traction system shall be inhibited“
 Operator
 „The driver shall make sure that all doors are closed and locked and nobody/nothing is
clamped between the door leaves before departure“
 „In case of inadvertent door unlocking/opening during train movement the driver shall apply
emergency brake or significantly reduce speed and inform passengers if the emergency
brake is not allowed (eg. in tunnel)“

P 28
COULD THE RAILWAY SAFELY FLY?
If this was required – YES
 Standards and regulations sufficient to manage safety up to SIL4

 Consistent processes to determine and manage risks
 Practical „Toolbox“ of proven methods
 Safety evidence based on traceability and transparency
 Mature independent assessment and approval process
 Whole Life Cycle covered
…
…. if it was required ?

P 29
ITS (BECOMING) REALITY!
The Maglev Train – the „flying“ railway

MagLev = Magnetic Levitation
… an old patent (1907) with the new face
https://commons.wikimedia.org/wiki/File%3ASC_Maglev_Test_Ride_(18277037338).jpg
https://www.flickr.com/photos/criminalintent/7391133386

P 30
NOW IT IS TIME FOR …
… A DISCUSSION
Copyright Statements:
enrespro reserves all rights in this document and in the information contained therein.
All pictures used in this presentation are free to use for commercial purposes acc. to the licence or legally
purchased. The author of this presentation has however no way to determine the initial source of the pictures if not placed
under the terms of the CC licence and therefore refuses any further liability.

P 31

16h00 FONS STANKIEWICZ GeorgFons Railway Safe To fly-CH-Frib-080916

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

16h00 FONS STANKIEWICZ GeorgFons Railway Safe To fly-CH-Frib-080916

Uploaded by

Copyright:

Available Formats

COULD THE RAILWAY SAFELY FLY?

1st Edition SAFETY DAY - ROSAS Center Fribourg 8. Sep. 2016

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

The severity is the grade of damage caused by a hazard

 Minor (reparable) damage / minor injury

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

The likelihood of occurrence (in this context) is the grade of

 Frequent – hazard experienced continuously

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

The risk combines the probable (likelihood) grade of damage or

The risk is a subjective term which however can be well managed

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Safety is the ability of a system in combination with its

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

CENELEC standards – EN 5012X family

ERA (European Union Agency for Railways) requirements

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

CENELEC Standard EN 50126

 RAMS=Reliability, Availability, Maintainability, Safety

Reliability & Operation &

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

System Definition Safety Plan

Hazard Log Risk Analysis

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Safety Requirements Specification

Safety Assessment Report (independent Body)

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Optimised combination of RAMS „elements“

 Risk acceptance principles

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Risk evaluation and acceptance („example“ from EN 50126)

Risk Category Actions to be applied against each category

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

For the appropriate application:

 Acceptance criteria shall be adapted by the Railway Authority

….. but usually this “Bible” is taken “as is” …

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Safety Integrity is the ability of a system (function) to resist

 In contrast to other standards no PFD (Failure on Demand) defined

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

 No clear and unique rule 

 This proposal is a pragmatic way to link SIL/Severity/Frequency

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Human Factor in the safety chain

   Human is a „no-SIL subsystem“   

 Human (train driver/attendant, railroad manager, passengers …) must

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Safety (Related) Application Conditions (S(R)AC)

 Non-technical means for risk mitigation

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Barrier functions are functions able to stop the evolution of an accident

 Risks cannot be mitigated by technical means only

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

(S)SIL – Software SIL – EN 50128

 5 SIL levels: Level 0 – Level 4

COULD THE RAILWAY SAFELY FLY? - G. FONS-STANKIEWICZ

Which failure rate to be assumed for a given (S)SIL?

 …. no one. There are no software-related random faults

…. but there is also a common conservative approach to assume same