session 5 for lm-diet-07aug2012!2!1

Upload: saospie

Post on 14-Apr-2018


  • 7/28/2019 Session 5 for Lm-diet-07aug2012!2!1

    1/24


    ATMS A Civilian Example

    This presentation examines aspects of the application of safety engineering to a civilian project, the Advanced Train Management System (ATMS), being executed under civilian safety standards.

    Using ATMS as an example, the presentation examines some differences between these civilian standards and Def(Aust)5679:2008.

    ATMS is being developed by Lockheed Martin in a partnering arrangement with the Australian Rail Track Corporation (client) and Ansaldo STS (sub-contractor).

    Copyright 2012 Lockheed Martin Corporation. All Rights Reserved. 07 August 2012


    ATMS What For?

    Proposed replacement for existing Safe Working arrangements on ARTC's inter-state rail network.

    Improved Safety

    Reduction in cost of network operation for ARTC

    Increased Network Capacity

    Cost effectiveness of current systems - they are either:

    Capital intensive (both initial purchase and through-life support) - distributed field infrastructure (e.g. signalling systems), monitoring train location based on track circuits; OR

    Man-power intensive - reliant upon paper systems / human diligence to assess and incrementally deliver safe train authorities to train drivers (e.g. Train Order Working, ToW), monitoring train location by voice comms from Driver to Controller

    Current systems consider track as a series of track segments physically delineated by signals, sign-boards etc.

    Train speed and track segment size limit track capacity (trains / unit time).

    Sections of the ARTC Network are already at capacity, restricting the rail network's capability to contribute to solving Australia's freight transport challenge.


    ATMS What?

    Under all rail safe working systems, each train must possess an authority (in some form) to occupy and travel along a defined route on the track.

    ATMS will replace the existing safe working arrangements for train control with a largely automated system.

    ATMS provides

    Centralised Control and monitoring of train authorities and locations

    Centralised Control and monitoring of all track configurations

    Centralised Control of track work gang authorities

    Network Controllers with GUI-based means to request train authority paths

    Authorities are incrementally issued to trains as it is safe to do so, having pre-configured the track for the issued authorities

    Automated extension of authorities as safe to do so

    Train based determination of location and speed and integrity (wholeness).

    Train based executive oversees train movement and ensures the train remains safe (brake application if necessary)


    ATMS Operational Benefits


    ATMS How?

    ATMS uses electronic Movement Authorities:

    Originated from Operator requests via the Train Control System, TCS (similar to the existing arrangement)

    Confirmed safe by a vital computer (Authority Management Server, AMS) in the Network Control Centre

    Incorporating all speed restrictions, including train type dependencies and temporary restrictions for degraded track conditions

    Delivered electronically to a vital computer (Train Control & Display, TC&D) in the locomotive over untrusted 3G telco mobile comms (i.e. the bearer provides no assurance; the vital endpoints must establish for themselves that an authority is genuine, unaltered and current)

    Monitored, and where necessary vitally enforced, in execution on the train, with full driver information provided via the in-cab display

    Automatically updated to reflect changes to track conditions, e.g. loss of comms to Track Interface Units (TIU)

    Automatically rolled-up and extended (per the original operator request) as safe to do so

    Train location/speed (3-sensor data fusion) and integrity (EoT-HoT data) vitally monitored and reported

    Vital central (AMS) control and monitoring of track configuration (points / track circuits); track automatically pre-configured to suit Authorities

    ATMS is less reliant on trackside infrastructure and hence reduces associated maintenance costs.

    ATMS Authorities are delineated by electronic (virtual) track segments (~200m length) supporting 15 trains/hr.

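    The "untrusted 3G" point above, as an added illustration (this is not ATMS code, nor its real message format or key scheme): when the bearer is untrusted, the vital endpoints must themselves establish that each movement authority is authentic and unaltered, addressed to this train, not a replay of an earlier authority, and still inside its validity window, and the train-borne executive must resolve to "stop" whenever no current verified authority exists. These are the same classes of defence (against corruption, insertion, masquerade, repetition and delay) that the EN 5012x family's companion standard EN 50159 asks of safety-related communication over open transmission systems. The JSON body, the truncated HMAC-SHA256 tag, the pre-shared per-train key, the sequence and validity checks and the class names are all assumptions made for this example.

```python
"""Movement authority over an untrusted bearer: added illustration, not ATMS's protocol.

Assumptions for this example: a pre-shared 32-byte key per train, a JSON body,
a 16-byte truncated HMAC-SHA256 tag, a strictly increasing sequence number and a
validity window (issued_at .. issued_at + ttl_s) carried in the message itself.
"""
import hashlib
import hmac
import json

TAG_LEN = 16  # truncated HMAC-SHA256 tag length; an assumption for this example


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class AuthorityManagementServer:
    """Vital sender: signs each movement authority with the train's key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0  # one counter here; a real system keeps one per train

    def issue(self, train: str, from_m: int, to_m: int, speed_kmh: int,
              issued_at: int, ttl_s: int) -> bytes:
        self.seq += 1
        msg = {"train": train, "seq": self.seq, "from_m": from_m, "to_m": to_m,
               "speed_kmh": speed_kmh, "issued_at": issued_at, "ttl_s": ttl_s}
        body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
        return body + _tag(self.key, body)


class TrainControlAndDisplay:
    """Vital receiver: trusts nothing the bearer delivers until it has checked it,
    and permits no movement without a current, verified authority."""

    def __init__(self, key: bytes, train: str) -> None:
        self.key = key
        self.train = train
        self.last_seq = 0
        self.authority = None

    def receive(self, frame: bytes, now: int) -> str:
        if len(frame) <= TAG_LEN:
            return "reject:short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # 1. Authenticity and integrity, checked before anything is parsed.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return "reject:auth"
        msg = json.loads(body)
        # 2. Addressed to this train (a valid frame for another train is useless here).
        if msg["train"] != self.train:
            return "reject:wrong-train"
        # 3. Freshness: replayed or re-ordered old authorities are rejected.
        if msg["seq"] <= self.last_seq:
            return "reject:replay"
        # 4. Timeliness: the authority is only good inside its validity window.
        if not (msg["issued_at"] <= now <= msg["issued_at"] + msg["ttl_s"]):
            return "reject:stale"
        self.last_seq = msg["seq"]
        self.authority = msg
        return "accept"

    def may_move(self, now: int, position_m: int) -> bool:
        """Executive check: no authority, an expired authority or a position
        outside its limits all resolve to 'stop' (brake application)."""
        a = self.authority
        if a is None or now > a["issued_at"] + a["ttl_s"]:
            return False
        return a["from_m"] <= position_m < a["to_m"]


def demo() -> dict:
    """Constructed exchange: one genuine frame, then what the bearer might do to it."""
    key = bytes(range(32))  # constructed key for the example only
    ams = AuthorityManagementServer(key)
    tcd = TrainControlAndDisplay(key, "T1")
    f1 = ams.issue("T1", 0, 2000, 80, issued_at=1000, ttl_s=60)
    tampered = bytearray(f1)
    tampered[10] ^= 0x01  # one bit of the body flipped in transit
    f2 = ams.issue("T1", 0, 2000, 80, issued_at=1000, ttl_s=60)
    f3 = ams.issue("T2", 0, 500, 40, issued_at=1000, ttl_s=60)
    return {
        "genuine": tcd.receive(f1, now=1010),                 # accept
        "may_move_in_window": tcd.may_move(1010, 1500),       # True
        "tampered": tcd.receive(bytes(tampered), now=1010),   # reject:auth
        "replayed": tcd.receive(f1, now=1020),                # reject:replay
        "stale": tcd.receive(f2, now=1100),                   # reject:stale
        "wrong_train": tcd.receive(f3, now=1010),             # reject:wrong-train
        "may_move_expired": tcd.may_move(1100, 1500),         # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    The order of the checks matters: the tag is verified before the body is parsed, so malformed input from the bearer never reaches the parser, and a frame that fails any check leaves the receiver's state (last sequence number, current authority) untouched.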

    ATMS Physical Architecture

    [Architecture diagram; only its labels survive extraction. Key: Tracks.]

    Network Control Centre: Network Control Servers, Authority Management Server (*n), Network Controller Workstations, Network Controller(s), TCP/IP Router

    Communications: Telstra (linking AMS, Trainborne and Trackside)

    Trainborne: GPS, LDS, TC&D

    Trackside: Trackside Interface Units (TIUs), Control Point, Crossing, Rail-Rail Interfaces, Local Communications


    ATMS Safety Framework

    ATMS is being developed in accordance with European Rail Safety Standards:

    EN50126:2001 Railway Applications: The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS). Specifies systems and overall management approach to the achievement of RAMS.

    EN50128:2001 Railway Applications: Communications, Signalling and Processing Systems: Software for Railway Control and Protection Systems. Specifies process and technical requirements for development of safety related software.

    EN50129:2003 Railway Applications: Communications, Signalling and Processing Systems: Safety Related Electronic Systems for Signalling. Specifies process and technical requirements for development of safety related electronic systems, including requirements for preparation of a Safety Case.

    The above are a rail-specific application of the generic standard IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems.

    Legislation and Regulation


    EN50126 Systems Approach

    The systems approach specified in EN50126 (et seq) is similar to that specified in familiar Defence standards, e.g. Def(Aust)5679.

    It partitions the life-cycle of a system into 14 phases, which only partially align with the familiar development phases.

    Requires the early establishment and subsequent maintenance of the System Safety Plan, describing a familiar set of safety activities and artefacts culminating in the Safety Case.

    Requires early definition of the following:

    Legislative and Regulatory requirements

    Definition of the system, its objectives, boundary and application context (cf. CONOPS)

    Identification of hazards at the system boundary, the associated external events / mitigations (co-effectors) and thence consequences (Accidents and Scenarios)

    Definition of quantitative tolerable hazard rate (in some form)


    Life-Cycle View - ATMS


    Hazard Assessment

    The system Hazards exist on the system boundary; they are a representation of the purpose / objectives of the system (e.g. loss of aircraft control due to failure of the flight control system) or a consequence of those objectives (e.g. RadHaz arising from the objective to survey an air-space by radar).

    Hazard Assessments generally exploit the concept of the risk associated with a hazard as being a combination of the severity of the worst credible consequence that may arise from the hazard and the likelihood of the consequence. Mathematically:

    Hazard Risk = Max(Severity) * Likelihood

    Whilst likelihood may be estimated as a mathematical quantity (probability), quantifying severity is less straight-forward and in most cases is represented as a scale of severity, e.g. Catastrophic (multiple fatalities) to Minor / Insignificant (minor injuries).

    In many cases, hazard likelihood is also represented on a progressive scale: Frequent (almost certain occurrence) to Improbable/Remote (possible but unlikely). EN50126 includes Incredible (extremely unlikely).

    Various means of combining these scales are employed, the Risk Matrix being widespread; it is used with a corresponding scale of risk acceptability:


    Risk Acceptability

    The objective of these analyses is to identify the level of risk for a given hazard (or the system as a whole) that may be tolerated, and hence the level of assurance that needs to be provided that the system will not enter the hazardous state(s).

    What level is tolerable? What frequency / severity of accident is acceptable?

    Various acceptability thresholds have been promulgated:

    ALARP / SFAIRP (as low as reasonably practicable / so far as is reasonably practicable): reduce risk until the cost of further reduction is grossly disproportionate to the further risk reduction.

    GAMAB (globalement au moins aussi bon): considering risk as a whole, the risk of any new system should be at least no worse than the risk of the system it replaces.

    MEM (minimum endogenous mortality): establishes quantitative risk levels so as not to significantly degrade the lowest level of technological life risk in developed countries (~2E-4 f/c/a).

    DRA (Differential Risk Aversion): society is more accepting of many accidents with few fatalities than of few accidents with many fatalities; acts as a modifier to the above.

    In addition to legislative or regulatory requirements, EN50126 anticipates that the Rail Authority (Acquirer) will define quantitative tolerable hazard criteria (in some form) to the system developer.

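    A worked version of the hazard assessment and risk acceptability ideas on slides 12 and 13, as an added example that is not part of the presentation: it reads Hazard Risk = Max(Severity) * Likelihood off a frequency-severity matrix, walks a scenario from the hazard through its external mitigations (co-effectors) to the accident, inverts that chain to obtain the tolerable hazard rate the developer must demonstrate, and derives a tolerable accident rate from the MEM figure with a DRA modifier. The frequency bands, the matrix cell assignments, the 5% MEM allocation for a new system, the DRA factor and the scenario figures are all assumptions made for this example, not values from ATMS, ARTC or the standards.

```python
"""Hazard assessment worked example: accident -> scenario -> hazard -> THR.

Added illustration. Every number below (rate bands, matrix cells, MEM share,
DRA factor, scenario figures) is an assumption for this example; a real
project takes them from the Rail Authority's tolerability criteria.
"""
from math import prod

# Ordinal severity scale, least to worst, as on the slide.
SEVERITIES = ["Insignificant", "Marginal", "Critical", "Catastrophic"]

# Likelihood categories with assumed lower bounds (occurrences per operating hour).
FREQUENCY_BANDS = [
    ("Frequent", 1e-3),
    ("Probable", 1e-4),
    ("Occasional", 1e-5),
    ("Remote", 1e-7),
    ("Improbable", 1e-9),
    ("Incredible", 0.0),
]

# Risk matrix: likelihood row -> risk class per severity column (SEVERITIES order).
# Cell assignments are assumed; the shape is the usual EN50126-style grid.
RISK_MATRIX = {
    "Frequent":   ["Undesirable", "Intolerable", "Intolerable", "Intolerable"],
    "Probable":   ["Tolerable",   "Undesirable", "Intolerable", "Intolerable"],
    "Occasional": ["Tolerable",   "Undesirable", "Undesirable", "Intolerable"],
    "Remote":     ["Negligible",  "Tolerable",   "Undesirable", "Undesirable"],
    "Improbable": ["Negligible",  "Negligible",  "Tolerable",   "Tolerable"],
    "Incredible": ["Negligible",  "Negligible",  "Negligible",  "Negligible"],
}

HOURS_PER_YEAR = 8760.0
MEM_BASELINE = 2e-4          # f/c/a: minimum endogenous mortality (slide 13)
MEM_NEW_SYSTEM_SHARE = 0.05  # assumed: a new system may add 5% of that (1e-5 f/c/a)


def frequency_category(rate_per_hour: float) -> str:
    """Map a rate onto the likelihood scale."""
    if rate_per_hour < 0:
        raise ValueError("rate must be non-negative")
    for name, lower in FREQUENCY_BANDS:
        if rate_per_hour >= lower:
            return name
    return "Incredible"


def risk_class(consequence_rate_per_hour: float, severity: str) -> str:
    """Hazard Risk = Max(Severity) * Likelihood, read off the matrix."""
    row = RISK_MATRIX[frequency_category(consequence_rate_per_hour)]
    return row[SEVERITIES.index(severity)]


def accident_rate(hazard_rate: float, mitigation_failure_probs) -> float:
    """Scenario: the hazard becomes the accident only if every external
    mitigation (co-effector) fails. Independence of mitigations is assumed."""
    return hazard_rate * prod(mitigation_failure_probs)


def tolerable_hazard_rate(tolerable_accident_rate: float, mitigation_failure_probs) -> float:
    """Invert the scenario: the THR the developer must demonstrate for the hazard."""
    return tolerable_accident_rate / prod(mitigation_failure_probs)


def dra_factor(fatalities: int) -> float:
    """Differential risk aversion, assumed here as one decade of extra rate
    reduction per decade of fatalities beyond ten."""
    return max(1.0, fatalities / 10.0)


def mem_tolerable_accident_rate(fatalities: int, exposed_persons: int) -> float:
    """Accidents per operating hour such that no exposed person's added annual
    fatality risk exceeds the MEM allocation, tightened by DRA. Assumes each
    accident kills `fatalities` of the `exposed_persons`, chosen at random."""
    per_person_per_year = MEM_BASELINE * MEM_NEW_SYSTEM_SHARE
    accidents_per_year = per_person_per_year * exposed_persons / fatalities
    return accidents_per_year / dra_factor(fatalities) / HOURS_PER_YEAR


def worked_example() -> dict:
    """Constructed scenario: an authority is issued into an occupied segment."""
    # External mitigations: the driver sights the train ahead (fails 10%), and
    # braking from line speed avoids collision (fails 50% given sighting failed).
    mitigations = [0.1, 0.5]
    tolerable = mem_tolerable_accident_rate(fatalities=2, exposed_persons=2000)
    thr = tolerable_hazard_rate(tolerable, mitigations)
    achieved_hazard = 1e-8  # assumed design figure for the AMS/TC&D chain
    achieved_accident = accident_rate(achieved_hazard, mitigations)
    return {
        "tolerable_accident_rate": tolerable,               # ~1.14e-6 /h
        "thr": thr,                                         # ~2.28e-5 /h
        "thr_category": frequency_category(thr),            # Occasional
        "achieved_accident_rate": achieved_accident,        # 5e-10 /h
        "risk_class": risk_class(achieved_accident, "Catastrophic"),  # Negligible
        "meets_thr": achieved_hazard <= thr,                # True
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

    Note that the matrix is applied to the accident (consequence) rate, not the raw hazard rate, which is what the slide's "likelihood of the consequence" means; feeding the hazard rate into the matrix would ignore the external mitigations and over-state the risk.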

    Hazard Assessment Def(Aust)5679

    Def(Aust)5679 requires the identification of the Accidents and associated Scenarios (sequences of events) that lead from the occurrence of a Hazard to an Accident:

    Accident Severity measured on the familiar scale: Catastrophic - Minor

    Accident Scenario Likelihood - measured as a scale of external mitigation effectiveness which is quasi-quantified in steps of 100 (e.g. Low: 1 to 0.01, Med: 0.01 to 0.0001, High: