Last Modified 00-11-30
Simin Nadjm-Tehrani
Notes from "IEC 61 508: Functional safety of electrical/electronic/programmable electronic safety-related systems":
Normative requirements:
- The Equipment Under Control (EUC) risk shall be evaluated, or estimated
for each determined hazardous event.
- EUC risk: risk arising from the EUC or its interaction with the EUC
control system (assessed independently of countermeasures to reduce it).
- Either qualitative or quantitative hazard and risk analysis techniques
may be used.
- The information and results which constitute the hazard and risk
analysis shall be documented and maintained throughout the life cycle.
- Choice of method is the responsibility of the user.
Accident consequence:
As an example, four consequence categories are identified:
- Catastrophic
- Critical
- Marginal
- Negligible
Event frequency:
As an example, 6 frequency categories are identified:
- Frequent
- Probable
- Occasional
- Remote
- Improbable
- Incredible
Tolerable risk:
Risk which is accepted in a given context based on the current values of society.
Risk classes:
As an example, four risk classes are identified:
- Class I: Intolerable (unacceptable in any circumstance)
- Class II: Undesirable, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
- Class III: Tolerable if the cost of risk reduction would exceed the improvement gained
- Class IV: Negligible
Bombardier Transportation has built many of the unmanned (driverless) transit systems in operation in the world today. Examples include the Vancouver SkyTrain, the Detroit downtown people mover and the Kuala Lumpur LRT System 2. It is also designing the 4-axle single-car unattended ART MK II system for the JFK International Airport AirTrain.
Excerpts from a report published by Bombardier on how hazard analysis for Automated Guided Train (AGT) systems is performed:
"Hazard identification: The hazards, which must be controlled, are identified early in the concept cycle of system development, along with the contributing factors and possible sources for each. The hazards listed in this document are tracked in the hazard tracking database. As development progresses, safety analyses are performed, identified hazards are clarified, and the hazard tracking database is updated.
The hazards in this Preliminary Hazard Analysis (PHA) are split into two main categories: top-level hazards and low-level or subsystem-level hazards. Each top-level hazard is related to a series of low-level hazards..."
"System hazards: the system hazards and their contributing factors are identified in the PHA and developed in a fault-tree analysis. Each fault-tree is broken down into components in a similar manner. Each failure that leads directly to a primary hazard is identified, and for each of these failures, subsystem failures leading to the top-level failure individually, in conjunction with other subsystems, or as part of a set of actions, are identified..."
"AGT system fault-trees are created for the following primary hazards:
Dangers of assuming too much (P. G. Neumann)
The temperature of the fuel rods at Three Mile Island II increased from the normal 600 degrees to over 4000 degrees during the accident on March 28, 1979, partially destroying the fuel rods. The instruments to measure core temperatures were not standard equipment in reactors. Thermocouples had been installed to measure the temperature as part of an experiment on core performance, and were capable of measuring high temperatures. However, whenever the temperature rose above 700 degrees, the system had been programmed to produce a string of question marks on the printer - rather than the measured temperature. Furthermore, intended rather than actual value settings were displayed.
The venting of tritium-contaminated water and removal of radioactive waste to the Hanford waste-disposal site were not completed until August 12, 1993.
From the Health and Safety Executive (HSE) report into the Watford
South Junction rail accident, 8 August 1996.
Introduction
This was the first fatal train collision involving the death of a passenger
since 15 October 1994, when two passengers were killed in a collision at
Cowden, Kent. A special report has been prepared at the request
of the Health and Safety Commission (HSC), under Section 14(2)(a) of the
Health and Safety at Work etc Act 1974.
The accident occurred in the early evening of Thursday 8 August 1996,
when a passenger train passed a signal at danger and collided with an
empty coaching stock train. One passenger was killed, and a further
69 passengers required hospital treatment. Four members of the train crews
involved also sustained injuries. Since producing the report North
London Railways (NLR), the train operating company involved, has changed
its name to Silverlink.
The publication of this report has been delayed for legal reasons, because
on 10 January 1997, the driver of the passenger train was charged with
manslaughter by the Crown Prosecution Service, following an investigation
by the British Transport Police. On 11 March 1998 at Luton Crown
Court, the driver was found not guilty of the charge. It was not possible
to publish this report while proceedings against the driver were
outstanding.
Causes
HSE found that the primary cause of the accident was that the driver
of the North London Railways (NLR) passenger train, now owned by
Silverlink, did not react correctly to two signals set at caution -
he should have slowed down and prepared to stop. When he saw the following
signal, which was red, and applied the brakes the train was travelling
at about 110 km/h (68 mph). The train eventually stopped 203 m (222 yards)
past the signal and across the junction with another line. An empty
NLR coaching stock train, approaching at 80 km/h (50 mph) on this line, was
unable to avoid colliding with the stationary passenger train.
HSE has also concluded that there were a number of mitigating and contributory factors, including:
- the collision would have been avoided if Automatic Train Protection (ATP) - a system aimed at preventing accidents from trains overspeeding and passing signals at danger - had been fitted to the train and track and had been in operation;
- the wording of a Railway Signalling Standard was imprecise. This led to a speed restriction sign being placed in an inappropriate position, which gave confusing information to the train driver;
- the signal that was passed at danger had a shorter than normal safety margin. This margin is known as 'an overlap' and is intended to reduce risks from minor misjudgements by drivers or increased braking distances caused by things like wet leaves on the line.
See the full report for a summary of the recommendations.