session 5 for lm-diet-07aug2012!2!1
TRANSCRIPT
-
7/28/2019 Session 5 for Lm-diet-07aug2012!2!1
ATMS: A Civilian Example
This presentation examines aspects of the application of safety engineering to a civilian project, the Advanced Train Management System (ATMS), being executed under civilian safety standards.
Using ATMS as an example, the presentation examines some differences between these civilian standards and Def(Aust)5679:2008.
ATMS is being developed by Lockheed Martin in a partnering arrangement with the Australian Rail Track Corporation (client) and Ansaldo STS (sub-contractor).
Copyright 2012 Lockheed Martin Corporation. All Rights Reserved. 07 August 2012
-
ATMS: What For?
Proposed replacement for the existing safe working arrangements on ARTC's inter-state rail network.
Improved Safety
Reduction in cost of network operation for ARTC
Increased Network Capacity
Cost effectiveness: current systems are either:
Capital intensive (both initial purchase and through-life support): distributed field infrastructure (e.g. signalling systems), monitoring train location based on track circuits; OR
Man-power intensive: reliant upon paper systems / human diligence to assess and incrementally deliver safe train authorities to train drivers (e.g. train order working, ToW), monitoring train location by voice comms from Driver to Controller.
Current systems consider track as a series of track segments physically delineated by signals, sign-boards etc.
Train speed and track segment size limit track capacity (trains / unit time).
Sections of the ARTC network are already at capacity, restricting the rail network's capability to contribute to solving Australia's freight transport challenge.
-
ATMS: What?
Under all rail safe working systems, each train must possess an authority (in some form) to occupy and travel along a defined route on the track.
ATMS will replace the existing safe working arrangements for train control with a largely automated system.
ATMS provides:
Centralised control and monitoring of train authorities and locations
Centralised control and monitoring of all track configurations
Centralised control of track work gang authorities
Network Controllers with GUI-based means to request train authority paths
Authorities incrementally issued to trains as it is safe to do so, having pre-configured the track for the issued authorities
Automated extension of authorities as safe to do so
Train-based determination of location, speed and integrity (wholeness)
A train-based executive that oversees train movement and ensures the train remains safe (brake application if necessary)
-
ATMS Operational Benefits
-
ATMS: How?
ATMS uses electronic Movement Authorities:
Originated from Operator requests via the Train Control System, TCS (similar to the existing arrangement)
Confirmed safe by a vital computer (Authority Management Server, AMS) in the Network Control Centre
Incorporating all speed restrictions, including train-type dependencies and temporary restrictions for degraded track conditions
Delivered electronically to a vital computer (Train Control & Display, TC&D) in the locomotive over an untrusted bearer (3G telco mobile comms)
Monitored, and where necessary vitally enforced, in execution on the train; full driver information provision via the in-cab display
Automatically updated to reflect changes to track conditions, e.g. loss of comms to Track Interface Units (TIUs)
Automatically rolled up and extended (per the original operator request) as safe to do so
Train location/speed (3-sensor data fusion) and integrity (EoT-HoT, end-of-train to head-of-train, data) vitally monitored and reported
Vital central (AMS) control and monitoring of track configuration (points / track circuits); track automatically pre-configured to suit Authorities
ATMS is less reliant on trackside infrastructure and hence reduces associated maintenance costs.
ATMS Authorities are delineated by electronic (virtual) track segments (~200m length), supporting 15 trains/hr.
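The slide makes a security-relevant point in passing: the bearer that carries a vital Movement Authority (3G telco mobile comms) is untrusted, so protection against repetition, deletion, insertion, resequencing, corruption, delay and masquerade (the threat list of EN 50159, the CENELEC standard for safety-related communication over open transmission systems, which this slide does not cite) has to be implemented end to end in the two vital computers, the AMS and the TC&D, and not delegated to the network. The following Python is an added illustration of those end-to-end checks; it is not ATMS code, and the presentation does not describe the ATMS message format. The field names, the use of HMAC-SHA256 as the safety code, the single shared key, the 30 s clock-skew allowance and the sample authorities are all assumptions for the example.

```python
import hashlib
import hmac
import json

# Added example, not ATMS code. Constructed movement-authority (MA) exchange
# between an authority server and a train-borne receiver over a bearer that
# may replay, delay, alter or inject messages. Message layout, key handling
# and the 30 s clock-skew allowance are assumptions for illustration.

KEY = b"example shared secret: assumption, provisioned out of band"


def encode_ma(fields: dict) -> bytes:
    """Canonical serialisation so both ends compute the safety code over the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def safety_code(key: bytes, body: bytes) -> str:
    """Keyed integrity/authenticity check (HMAC-SHA256); the bearer cannot forge it without the key."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuthorityServer:
    """Sender role (cf. the AMS): issues sequence-numbered, time-stamped, keyed MAs."""

    def __init__(self, key: bytes, clock):
        self.key, self.clock, self.seq = key, clock, 0

    def issue(self, train_id: str, start_km: float, end_km: float,
              speed_kmh: int, valid_for_s: int = 300) -> dict:
        self.seq += 1
        fields = {"src": "AMS", "dst": train_id, "seq": self.seq,
                  "issued": self.clock(), "valid_for": valid_for_s,
                  "start_km": start_km, "end_km": end_km, "speed_kmh": speed_kmh}
        body = encode_ma(fields)
        return {"body": body, "code": safety_code(self.key, body)}


class TrainReceiver:
    """Receiver role (cf. the TC&D): an MA is acted on only if every check passes."""

    MAX_SKEW_S = 30  # assumption: tolerated clock difference between the two vital ends

    def __init__(self, train_id: str, key: bytes, clock):
        self.train_id, self.key, self.clock = train_id, key, clock
        self.last_seq = 0
        self.current = None  # MA currently in force

    def receive(self, msg: dict) -> str:
        body = msg["body"]
        # 1. Corruption, insertion or masquerade: recompute the keyed code first,
        #    in constant time, before trusting any field.
        if not hmac.compare_digest(safety_code(self.key, body), msg["code"]):
            return "reject: bad safety code"
        f = json.loads(body)
        # 2. Addressing: an MA for another train must not be acted on here.
        if f.get("src") != "AMS" or f.get("dst") != self.train_id:
            return "reject: not addressed to this train"
        # 3. Repetition / resequencing: sequence numbers must strictly increase.
        if f["seq"] <= self.last_seq:
            return "reject: replay or out of order"
        # 4. Delay: a genuine MA held back until it is stale is as dangerous as a forged one.
        now = self.clock()
        if f["issued"] > now + self.MAX_SKEW_S or now > f["issued"] + f["valid_for"]:
            return "reject: stale or delayed"
        # 5. Plausibility of the content itself.
        if f["end_km"] < f["start_km"]:
            return "reject: malformed limits"
        self.last_seq = f["seq"]
        self.current = f
        return "accept"


def demo() -> dict:
    """Constructed scenarios; returns the receiver's verdict for each."""
    clock = [1000]  # seconds; one clock for both ends keeps the example simple
    now = lambda: clock[0]
    ams = AuthorityServer(KEY, now)
    tcd = TrainReceiver("TRAIN-1234", KEY, now)
    out = {}
    m1 = ams.issue("TRAIN-1234", 100.0, 112.5, 80)
    out["genuine"] = tcd.receive(m1)
    out["replay"] = tcd.receive(m1)  # same bytes delivered a second time
    forged = json.loads(m1["body"])
    forged["end_km"] = 117.5  # bearer lengthens the authority by 5 km, cannot re-sign it
    out["tampered"] = tcd.receive({"body": encode_ma(forged), "code": m1["code"]})
    out["wrong_train"] = tcd.receive(ams.issue("TRAIN-9999", 200.0, 205.0, 60))
    m3 = ams.issue("TRAIN-1234", 112.5, 120.0, 80, valid_for_s=60)
    clock[0] += 120  # network holds m3 back past its validity window
    out["delayed"] = tcd.receive(m3)
    out["extension"] = tcd.receive(ams.issue("TRAIN-1234", 112.5, 120.0, 80))
    out["in_force_end_km"] = tcd.current["end_km"]
    return out
```

Running demo() shows the first genuine authority accepted, the same bytes replayed rejected on sequence, an authority lengthened by 5 km in transit rejected on the safety code, a message for another train rejected on addressing, and a genuine authority held back by the network past its validity rejected on freshness; only the later, fresh extension is taken into force. The order of the checks matters: the keyed code is verified before any field is parsed, so an attacker on the bearer cannot drive the parser with unauthenticated data, and a sequence check alone would not catch the delayed case, which is why validity is time-bounded as well.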
-
ATMS Physical Architecture
[Architecture diagram; labels recoverable from the slide: Network Control Centre (Network Control Servers, Authority Management Server x n, Network Controller Workstations, Router); Communications (TCP/IP over Telstra, linking AMS, Trainborne and Trackside); Trainborne (GPS, LDS, TC&D); Trackside (Trackside Interface Units (TIUs), Local Communications, Control Point, Crossing, Rail-Rail Interfaces); Key: Tracks; Network Controller(s).]
-
ATMS Safety Framework
ATMS is being developed in accordance with the European Rail Safety Standards:
EN50126:2001 Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS). Specifies the systems and overall management approach to the achievement of RAMS.
EN50128:2001 Railway Applications: Communications, Signalling and Processing Systems; Software for Railway Control and Protection Systems. Specifies process and technical requirements for the development of safety-related software.
EN50129:2003 Railway Applications: Communications, Signalling and Processing Systems; Safety Related Electronic Systems for Signalling. Specifies process and technical requirements for the development of safety-related electronic systems, including requirements for the preparation of a Safety Case.
The above are a rail-specific application of the generic standard IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems.
Legislation and Regulation
-
EN50126 Systems Approach
The systems approach specified in EN50126 (et seq.) is similar to that specified in familiar Defence standards, e.g. Def(Aust)5679.
It partitions the life-cycle of a system into 14 phases, which only partially align with the familiar development phases.
It requires the early establishment, and subsequent maintenance, of the System Safety Plan, describing a familiar set of safety activities and artefacts culminating in the Safety Case.
It requires early definition of the following:
Legislative and Regulatory requirements
Definition of the system, its objectives, boundary and application context (cf. CONOPS)
Identification of hazards at the system boundary, the associated external events / mitigations (co-effectors) and thence consequences (Accidents and Scenarios)
Definition of a quantitative tolerable hazard rate (in some form)
-
Life-Cycle View - ATMS
-
Hazard Assessment
The system Hazards exist on the system boundary; they are a representation of the purpose / objectives of the system (e.g. loss of aircraft control due to failure of the flight control system) or a consequence of those objectives (e.g. RadHaz arising from the objective to survey an airspace by radar).
Hazard Assessments generally exploit the concept of the risk associated with a hazard as a combination of the severity of the worst credible consequence that may arise from the hazard and the likelihood of that consequence. Mathematically:
Hazard Risk = Max(Severity) * Likelihood
Whilst likelihood may be estimated as a mathematical quantity (probability), quantifying severity is less straightforward and in most cases is represented as a scale of severity, e.g. Catastrophic (multiple fatalities) ... Minor / Insignificant (minor injuries).
In many cases, hazard likelihood is also represented on a progressive scale: Frequent (almost certain occurrence) ... Improbable / Remote (possible but unlikely). EN50126 also includes Incredible (extremely unlikely).
Various means of combining these scales are employed; the Risk Matrix is widespread and is used with a corresponding scale of risk acceptability (the matrix is shown as a figure on the slide).
-
Risk Acceptability
The objective of these analyses is to identify the level of risk for a given hazard (or for the system as a whole) that may be tolerated, and hence the level of assurance that must be provided that the system will not enter the hazardous state(s).
What level is tolerable? What frequency / severity of accident is acceptable?
Various acceptability thresholds have been promulgated:
ALARP / SFAIRP (as low as reasonably practicable / so far as is reasonably practicable): reduce risk until the cost of further reduction is grossly disproportionate to the further risk reduction.
GAMAB (globalement au moins aussi bon, "globally at least as good"): considering risk as a whole, the risk of any new system should be no worse than the risk of the system it replaces.
MEM (minimum endogenous mortality): establishes quantitative risk levels so as not to significantly degrade the lowest level of technological life risk in developed countries (~2E-4 f/c/a, fatalities per capita per annum).
DRA (differential risk aversion): society is more accepting of many accidents with few fatalities than of few accidents with many fatalities; acts as a modifier to the above.
In addition to legislative or regulatory requirements, EN50126 anticipates that the Rail Authority (Acquirer) will define quantitative tolerable hazard criteria (in some form) to the system developer.
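The risk matrix the previous slide points to, and this slide's question of what level is tolerable, are easier to follow with the arithmetic written out. The following Python is an added worked example, not from the presentation: it bins a quantitative likelihood into the ordinal frequency scale, classifies a hazard as Max(Severity) * Likelihood through a matrix, and then inverts the matrix to derive the tolerable hazard rate that a chosen acceptability target implies for a given severity, which is the figure the assurance argument then has to demonstrate. Category names follow the EN 50126 style used on the slides; the per-hour band boundaries, the matrix cells and the sample hazard are constructed assumptions, not ARTC or ATMS values.

```python
import bisect
import math

# Added worked example, not from the presentation. Category names follow the
# EN 50126 style; the frequency band boundaries (per operating hour), the
# matrix cells and the sample hazard are constructed assumptions, not ARTC or
# ATMS values.

SEVERITY = ["Insignificant", "Marginal", "Critical", "Catastrophic"]  # ascending
FREQUENCY = ["Incredible", "Improbable", "Remote", "Occasional", "Probable", "Frequent"]  # ascending
ACCEPTABILITY = ["Negligible", "Tolerable", "Undesirable", "Intolerable"]  # ascending
# Lower bound of each frequency band, in hazard occurrences per operating hour (assumed).
FREQ_LOWER = [0.0, 1e-9, 1e-7, 1e-5, 1e-3, 1e-1]
# Risk matrix: row = frequency band, columns in SEVERITY order (assumed cells).
MATRIX = {
    "Frequent":   ["Undesirable", "Intolerable", "Intolerable", "Intolerable"],
    "Probable":   ["Tolerable",   "Undesirable", "Intolerable", "Intolerable"],
    "Occasional": ["Tolerable",   "Undesirable", "Undesirable", "Intolerable"],
    "Remote":     ["Negligible",  "Tolerable",   "Undesirable", "Undesirable"],
    "Improbable": ["Negligible",  "Negligible",  "Tolerable",   "Tolerable"],
    "Incredible": ["Negligible",  "Negligible",  "Negligible",  "Negligible"],
}


def frequency_band(rate_per_hour: float) -> str:
    """Bin a quantitative likelihood into the ordinal frequency scale."""
    return FREQUENCY[bisect.bisect_right(FREQ_LOWER, rate_per_hour) - 1]


def classify(severity: str, rate_per_hour: float) -> str:
    """Read the matrix cell for a severity and a quantitative likelihood."""
    return MATRIX[frequency_band(rate_per_hour)][SEVERITY.index(severity)]


def hazard_risk(scenarios) -> dict:
    """Hazard Risk = Max(Severity) x Likelihood, as on the slide: take the worst
    credible consequence and the combined likelihood of the scenarios that reach it.
    scenarios: iterable of (severity, rate_per_hour)."""
    worst = max(scenarios, key=lambda s: SEVERITY.index(s[0]))[0]
    likelihood = sum(r for sev, r in scenarios if sev == worst)
    return {"worst_severity": worst, "likelihood": likelihood,
            "frequency": frequency_band(likelihood),
            "acceptability": classify(worst, likelihood)}


def tolerable_hazard_rate(severity: str, target: str) -> float:
    """Invert the matrix: the highest hazard rate (per hour) whose risk is still
    no worse than `target` for a hazard of this severity. This is the THR the
    assurance argument then has to demonstrate."""
    col = SEVERITY.index(severity)
    tgt = ACCEPTABILITY.index(target)
    acceptable = [i for i, band in enumerate(FREQUENCY)
                  if ACCEPTABILITY.index(MATRIX[band][col]) <= tgt]
    top = max(acceptable)  # most frequent band that is still acceptable
    if top == len(FREQUENCY) - 1:
        return math.inf  # even the Frequent band is acceptable: no rate bound
    return FREQ_LOWER[top + 1]  # band is [lower, next lower); the THR is its upper edge


def worked_example() -> dict:
    # Constructed hazard for a movement-authority system: "train proceeds
    # beyond the limit of its authority", with two credible outcomes (assumed rates).
    scenarios = [("Catastrophic", 3e-8),  # collision with an opposing train
                 ("Marginal", 5e-6)]      # low-speed derailment at a trap point, minor injuries
    result = hazard_risk(scenarios)
    result["thr_for_tolerable"] = tolerable_hazard_rate("Catastrophic", "Tolerable")
    result["thr_for_undesirable"] = tolerable_hazard_rate("Catastrophic", "Undesirable")
    return result
```

The inversion is the useful step: with the assumed matrix, a Catastrophic hazard may be no more frequent than 1e-7 per hour if its risk is to be Tolerable, or 1e-5 per hour if Undesirable is accepted, and that figure bounds the hazard rate the safety case must demonstrate. Changing the matrix cells or the band edges changes the THR, which is why the slide has the Rail Authority, not the developer, supplying the tolerable hazard criteria.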
-
7/28/2019 Session 5 for Lm-diet-07aug2012!2!1
14/24
Hazard Assessment: Def(Aust)5679
Def(Aust)5679 requires the identification of the Accidents and the associated Scenarios (sequences of events) that lead from the occurrence of a Hazard to an Accident:
Accident Severity: measured on the familiar scale, Catastrophic - Minor
Accident Scenario Likelihood: measured as a scale of external mitigation effectiveness which is quasi-quantified in steps of 100 (e.g. Low: 1 to 0.01, Med: 0.01 to 0.0001, High: