Safety-Critical RTS, PhD Course: Vignettes
Notes from "IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems":
- The Equipment Under Control (EUC) risk shall be evaluated, or estimated, for each determined hazardous event.
- EUC risk: the risk arising from the EUC or from its interaction with the EUC control system, assessed independently of any countermeasures that reduce it (i.e. before protective measures are credited).
- Either qualitative or quantitative hazard and risk analysis techniques may be used.
- The information and results which constitute the hazard and risk analysis shall be documented and maintained throughout the life cycle.
- Choice of method is the responsibility of the user.
As an example, four consequence categories are identified:
As an example, six frequency categories are identified:
Tolerable risk: risk which is accepted in a given context based on the current values of society.
As an example, four risk classes are identified:
- Class I Intolerable (unacceptable in any circumstance)
- Class II Undesirable and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gain
- Class III Tolerable if the cost of risk reduction would exceed the improvement gained
- Class IV Negligible
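The classification above (consequence category, frequency category, resulting risk class, and the cost-based tolerability condition attached to each class) can be mechanised as a risk matrix. The following Python is an added example, not text from IEC 61508 or from this course page. The four risk classes and their interpretation are the ones listed; the consequence and frequency category names, the class assigned to each matrix cell, and the factor used to decide when a cost is "grossly disproportionate" are assumed illustrative values (the page lists neither set of categories), as are the sample hazards' category assignments and costs.

```python
"""Risk-matrix lookup and tolerability decision for IEC 61508-style hazard analysis.

Added example, not from the standard. The risk classes I..IV and their
interpretation follow the list above; the category names, the class in
each matrix cell and GROSS_DISPROPORTION_FACTOR are assumed illustrative
values and must be replaced by the ones agreed for the project.
"""
from dataclasses import dataclass
from enum import IntEnum


class Consequence(IntEnum):
    # Assumed ordering, most to least severe.
    CATASTROPHIC = 0
    CRITICAL = 1
    MARGINAL = 2
    NEGLIGIBLE = 3


class Frequency(IntEnum):
    # Assumed ordering, most to least likely.
    FREQUENT = 0
    PROBABLE = 1
    OCCASIONAL = 2
    REMOTE = 3
    IMPROBABLE = 4
    INCREDIBLE = 5


# Rows are Frequency, columns are Consequence. Assumed illustrative values.
RISK_MATRIX = [
    ["I",   "I",   "I",   "II"],
    ["I",   "I",   "II",  "III"],
    ["I",   "II",  "III", "III"],
    ["II",  "III", "III", "IV"],
    ["III", "III", "IV",  "IV"],
    ["IV",  "IV",  "IV",  "IV"],
]

# "Grossly disproportionate" has no numeric definition above; assumed factor.
GROSS_DISPROPORTION_FACTOR = 10.0


def risk_class(freq: Frequency, cons: Consequence) -> str:
    """Look up the risk class of an EUC risk, i.e. with no countermeasures credited."""
    return RISK_MATRIX[freq][cons]


def tolerable(cls: str, reduction_practicable: bool,
              reduction_cost: float, improvement_gain: float) -> bool:
    """Apply the class definitions: I never, II/III cost-conditional, IV always."""
    if cls == "I":
        return False
    if cls == "II":
        return (not reduction_practicable
                or reduction_cost > GROSS_DISPROPORTION_FACTOR * improvement_gain)
    if cls == "III":
        return reduction_cost > improvement_gain
    if cls == "IV":
        return True
    raise ValueError(f"unknown risk class {cls!r}")


@dataclass
class Hazard:
    name: str
    consequence: Consequence
    frequency: Frequency
    reduction_practicable: bool
    reduction_cost: float
    improvement_gain: float


def assess(hazards):
    """Return (name, class, tolerable) per hazard; every non-tolerable entry needs risk reduction."""
    out = []
    for h in hazards:
        cls = risk_class(h.frequency, h.consequence)
        out.append((h.name, cls, tolerable(cls, h.reduction_practicable,
                                            h.reduction_cost, h.improvement_gain)))
    return out


# Constructed sample: the hazard names are taken from the AGT fault-tree list
# quoted on this page; the category assignments and costs are invented.
SAMPLE_HAZARDS = [
    Hazard("underbraked train", Consequence.CATASTROPHIC, Frequency.REMOTE, True, 500.0, 400.0),
    Hazard("wrong speed registered", Consequence.CRITICAL, Frequency.OCCASIONAL, True, 50.0, 300.0),
    Hazard("door hazard", Consequence.MARGINAL, Frequency.REMOTE, True, 20.0, 5.0),
    Hazard("wrong travel direction", Consequence.CATASTROPHIC, Frequency.INCREDIBLE, False, 0.0, 0.0),
]

if __name__ == "__main__":
    for name, cls, ok in assess(SAMPLE_HAZARDS):
        print(f"{name:28s} class {cls:3s} {'tolerable' if ok else 'REDUCE RISK'}")
```

Note that the inputs are EUC risk, assessed before countermeasures: once a safety function (for example train protection) is added, the frequency category is re-estimated and the lookup repeated to confirm the residual risk has moved into a tolerable class.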
Bombardier Transportation has built many of the unmanned transit systems in operation today. Examples include the Vancouver SkyTrain, the Detroit Downtown People Mover and the Kuala Lumpur LRT System 2. It is also designing the 4-axle single-car unattended ART MK II system for the JFK International Airport AirTrain.
Excerpts from a report published by Bombardier on how hazard analysis for Automated Guided Train (AGT) systems is performed:
"Hazard identification: The hazards, which must be controlled, are identified early in the concept cycle of system development, along with the contributing factors and possible sources for each. The hazards listed in this document are tracked in the hazard tracking database. As development progresses, safety analyses are performed, identified hazards are clarified, and the hazard tracking database is updated.
The hazards in this Preliminary Hazard Analysis (PHA) are split into two main categories: top-level hazards and low-level or subsystem-level hazards. Each top-level hazard is related to a series of low-level hazards..."
"System hazards: the system hazards and their contributing factors are identified in the PHA and developed in a fault-tree analysis. Each fault-tree is broken down into components in a similar manner. Each failure that leads directly to a primary hazard is identified, and for each of these failures, subsystem failures leading to the top-level failure individually, in conjunction with other subsystems, or as part of a set of actions, are identified..."
"AGT system fault-trees are created for the following primary hazards:
- vehicle and platform doors hazard
- wrong position registered
- wrong speed registered
- wrong travel direction
- unidentified train on track
- underbraked train (underbrake demand)
- switch hazard, and
- door hazard"
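The quoted passage describes the step from a primary hazard to a fault tree: subsystem failures that cause the top-level failure "individually" are OR-gated, those that cause it only "in conjunction with other subsystems" are AND-gated, and the analysis then looks for the combinations of basic failures that are sufficient on their own (minimal cut sets), single-event cut sets being the ones to eliminate first. The following Python is an added example and is not Bombardier's analysis or code: only the top-event name "underbraked train" is taken from the hazard list above; the gate structure and the basic-event names are constructed for illustration.

```python
"""Minimal cut sets of a small fault tree.

Added example: the gate structure and basic-event names below are
CONSTRUCTED to illustrate the PHA-to-fault-tree step described in the
quoted report; they are not taken from any Bombardier analysis. Only the
top-event name ("underbraked train") comes from the hazard list above.
"""
from itertools import product

# A node is a basic event (str) or a gate: ("OR" | "AND", [child nodes]).
# "individually" -> OR gate; "in conjunction with other subsystems" -> AND gate.


def minimise(cut_sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in cut_sets if not any(other < s for other in cut_sets)}


def cut_sets(node):
    """Return the minimal cut sets (frozensets of basic events) that cause `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set is enough on its own.
        combined = set().union(*child_sets)
    elif gate == "AND":
        # One cut set from every child must occur together.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(combined)


def top_event_occurs(node, failed):
    """Evaluate the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    combine = any if gate == "OR" else all
    return combine(top_event_occurs(child, failed) for child in children)


def single_points_of_failure(node):
    """Basic events that alone cause the top event: the first thing a PHA review looks for."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


# Constructed tree for the primary hazard "underbraked train".
UNDERBRAKED_TRAIN = ("OR", [
    # Brake demand computed too low: the speed input is wrong AND the
    # independent plausibility check that should reject it also fails.
    ("AND", ["speed sensor under-reads", "speed plausibility check fails"]),
    # Brake demand correct but not delivered to the brakes.
    ("AND", ["brake command lost", "emergency brake loop fails to drop out"]),
    # Position estimate wrong with no cross-check: a single-point failure.
    "odometry position error exceeds tolerance",
])

if __name__ == "__main__":
    for cs in sorted(cut_sets(UNDERBRAKED_TRAIN), key=sorted):
        print(" AND ".join(sorted(cs)))
    print("single points of failure:", single_points_of_failure(UNDERBRAKED_TRAIN))
```

Each cut set is a candidate entry for the hazard tracking database: the tree is re-evaluated as the design matures, and a single-point failure that survives into the detailed design is the signal that a redundant check or an independent subsystem is still missing.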
From the Health and Safety Executive (HSE) report into the Watford South Junction rail accident, 8 August 1996.
This was the first fatal train collision involving the death of a passenger since 15 October 1994, when two passengers were killed in a collision at Cowden, Kent. A special report was prepared at the request of the Health and Safety Commission (HSC) under Section 14(2)(a) of the Health and Safety at Work etc Act 1974.
The accident occurred in the early evening of Thursday 8 August 1996, when a passenger train passed a signal at danger and collided with an empty coaching stock train. One passenger was killed, and a further 69 passengers required hospital treatment. Four members of the train crews involved also sustained injuries. Since the report was produced, North London Railways (NLR), the train operating company involved, has changed its name to Silverlink.
The publication of this report was delayed for legal reasons, because on 10 January 1997 the driver of the passenger train was charged with manslaughter by the Crown Prosecution Service, following an investigation by the British Transport Police. On 11 March 1998 at Luton Crown Court, the driver was found not guilty of the charge. It was not possible to publish this report while proceedings against the driver were
HSE found that the primary cause of the accident was that the driver of the North London Railways (NLR) passenger train, now owned by Silverlink, did not react correctly to two signals set at caution: he should have slowed down and prepared to stop. When he saw the following signal, which was red, and applied the brakes, the train was travelling at about 110 km/h (68 mph). The train eventually stopped 203 m (222 yards) past the signal and across the junction with another line. An empty NLR coaching stock train, approaching at 80 km/h (50 mph) on this line, was unable to avoid colliding with the stationary passenger train.
HSE has also concluded that there were a number of mitigating and contributory factors, including:
- the collision would have been avoided if Automatic Train Protection (ATP), a system aimed at preventing accidents from trains overspeeding and passing signals at danger, had been fitted to the train and track and had been in operation;
- the wording of a Railway Signalling Standard was imprecise. This led to a speed restriction sign being placed in an inappropriate position, which gave confusing information to the train driver;
- the signal that was passed at danger had a shorter than normal safety margin. This margin is known as 'an overlap' and is intended to allow for risks from minor misjudgements by drivers or increased braking distances caused by things like wet leaves on the line.
See the full report for a summary of recommendations.
Page responsible: Simin Ndjm
Last updated: 2004-11-10