Functional Safety Analysis of ETCS DMI


Functional Safety Analysis of ETCS DMI
Final Safety Analysis Report for European Railway Agency
December 2009

Document History and Authorisation

Issue Date Changes
0a 20 July 2009 Initial draft.
0b 22 July 2009 Interim draft for internal review.
0c 24 July 2009 Updated to internal review comments
July 2009 First formal issue for ERA review.
01a September 2009 Updated to comments at Steering Group meeting
01b 6 November 2009 Updated to written review comments from ERA & Stakeholders
November 2009 Issued to ERA
02a December 2009 Updated at Steering Group meeting Dec
December 2009 Final revision
04 December 2009 Updated to final ERA comments at last Steering Group meeting

Compiled by: Nick Brierley. Signed: e-sig NPB. Date: December 2009
Verified by: Ken Bott. Signed: e-sig KGB. Date: December 2009
Approved by: Wim Dommisse. Signed: e-sig WD. Date: December 2009

This document was prepared for European Railway Agency. The information herein is confidential and shall not be divulged to a third party without the prior permission of European Railway Agency.

Lloyd's Register Rail, its affiliates and subsidiaries and their respective officers, employees or agents are, individually and collectively, referred to in this clause as the Lloyd's Register Group. The Lloyd's Register Group assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Lloyd's Register Group entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.

European Railway Agency 2010

Distribution List

Name | Organisation | From (Issue) | To (Issue)
Wim Dommisse | Lloyd's Register Rail BV | 0a | Current
Peter Sheppard | Lloyd's Register Rail UK | 0a | Current
Ken Bott | Lloyd's Register Rail UK | 0a | Current
Edwin Bottelier | Lloyd's Register Rail BV | 0a | Current
Joost Peters | Lloyd's Register Rail BV | 0a | Current
Daan Kers | Lloyd's Register Rail BV | 0a | Current
Project Files | Lloyd's Register Rail BV & UK | 0a | Current
Dominique Ligier | ERA (File copy) | 01 | Current
ERA Steering Group distribution list | ERA and Steering Group members | 01 | Current

Uncontrolled copies as required

(62612rnpb ETCS DMI Final Report v04)

Contents

1 Introduction
Purpose
Scope
Assumptions
References
Abbreviations and Glossary
System Under Inspection
Context & Core Hazard
Operating Modes Assessed
DMI Functions Assessed
Methodology
Approach
System Boundary, Hazards and THRs
Hazard Consequence and Likelihood
Tolerable Risk and THR Quantification
Safety Analyses and Results
Hazard Identification
Hazard Schedule
Functional Safety Analysis
DMI Hazard Safety Requirements
Discussion
Constraints and Exported Requirements
Conclusions
Appendix A ETCS DMI Functional Failure Analysis (FFA)
A.1 DMI Functions and Interfaces
A.2 Functional Analysis
Appendix B DMI Hazard Schedule
Appendix C Fault Trees
Appendix D Event Trees
D.1 Notes to read in conjunction with Event Tree models
D.2 Primary Event Trees (Hazardous Situation development)
D.3 Secondary Event Trees (Immediate Effects and Consequences)
Appendix E Event Tree Data Description
Appendix F ETCS Core Hazard DMI related Hazardous Events
Appendix G Hazard Log, Safety Requirements, Constraints and Exported Requirements
G.1 Safety Requirements
G.2 Constraints and Exported Requirements

List of Figures

Figure 1 - ERTMS/ETCS system Reference Architecture
Figure 2 - ETCS DMI Core Functions
Figure 3 - Study Methodology
Figure 4 - Bow Tie Diagram
Figure 5 - Functions and THRs
Figure 6 - Function, THR and ETCS Component Relationship
Figure 7 - Pyramidal Relationship of Functions, Hazards and Causes
Figure 8 - Hazard Identification and Assurance

List of Tables

Table 1 - Operating Modes & Transitions
Table 2 - Hazard Severity Levels and Equivalent Fatalities
Table 3 - Summary of Hazard Schedule
Table 4 - Summary of Top-Level hazards

1 Introduction

1.1 Purpose

Lloyd's Register Rail (LR Rail) have received a contract from the European Railway Agency (ERA) to undertake a functional safety analysis of the ETCS DMI. The goal of this study is to:

Identify hazards associated with the DMI that are at the same level as, and independent of, the ETCS Core Hazard (ETCS CH), and, taking into account the consequences of the hazards and barriers to their occurrence, to provide supporting analysis to permit the future quantification of Tolerable Hazard Rate (THR) requirements for these DMI hazards.

This Final report presents a summary of the work undertaken, setting out the methodology applied and results of the analysis. This report builds upon the initial work reported in the Interim report [2].

Issue 2 of this report was reviewed at the meeting with the ERA Steering Group in December 2009, following which it has been updated to incorporate steering group members' comments.

1.2 Scope

The scope and methodology applied were as set out in the Interim report [2], with one additional item clarified in preparation of this Final report (see clause ).

The following items are explicitly included/excluded for the study overall:

Include:
- ETCS Levels 0, 1 and 2, and permitted transitions including exit to STM.
- ETCS modes according to level specified above, and transitions between them as defined in the ETCS system requirements specified in SUBSET-026 revision 2.3.0d [3].
- The interface between the DMI and its users (Driver, Train Preparer, Maintainer) in operation.

Exclude:
- Technical and functional interfaces between the DMI and other ETCS sub-systems.
- Errors by railway staff other than users of the DMI, e.g. Signaller whilst in degraded operation.
- Ergonomic design and justification of the DMI display.
- Application Data input / configuration of the DMI.
- Errors in operational rules.
- Errors in non-ETCS railway systems.
- Specific Transmission Modules (STMs) allowing interaction with legacy signalling systems.

The DMI is treated as a functional black-box, with consideration limited to the display of information to the user and the entry of data for the ETCS On-board Sub-System, as defined in the ETCS DMI document [9] and Subset-026 [3], as the analysis must be technology independent to permit any supplier's compliant inter-operable product to be used. A corollary is that even though there is a specification for the ETCS Driver Machine Interface, the ergonomic suitability of the DMI itself is outside the scope of this study.

The scope of consideration of consequence severity is limited to passengers, in line with existing ETCS work such as that reported/summarised in Subset 091 (stated scope for the study [2] Section 1.3).

The failure modes identified for passenger stock may equally apply to freight trains, for example, a rough ride / excessive speed arising due to DMI errors could cause shifted loads, increased chances of gauge infringement, buffer locking, broken couplings, derailment (uneven loading, exacerbation of track defects), etc., that can also potentially lead to severe consequences. Separate consequence severities are not set for freight trains in the UNISIG work for ETCS and have therefore not been considered in this study.

As agreed at the Technical Meeting on 23rd March 2009 [12], Text messages track to train cannot be used for the delivery of safety critical information unless other information/communications between the two parties concerned is provided (e.g. a Written Order), so that the recipient's understanding of the message can be verified. This clarification of the scope for the study arose following the identification of hazardous effects that could lead directly to severe consequences. This constraint imposed upon the study results in the need for applications to provide some form of additional support or communication in the use of safety critical text messages, and in turn imposes a Safety Requirement on the application of the DMI or ETCS OBSS.

There is no Interoperable specification for the communication between the DMI and the Kernel. Accordingly, the behaviour of the kernel in receipt of erroneous data from the DMI cannot be determined.
It is considered likely that corrupted or invalid messages will simply be rejected by the Kernel, but this cannot be assumed, nor can the response of the Kernel to the receipt of invalid data. Accordingly, this study can only assess the situation where the DMI sends erroneous data that is still a valid data/message to the kernel. The impact of the DMI issuing invalid erroneous data to the Kernel will need to be addressed by the product suppliers as this is not a specified Interoperable requirement.

There is currently no completely Interoperable specification for the process and role of the DMI in confirming Train Data input, and accordingly it cannot be assessed in this study. Whilst corruption of Train Data by the DMI is part of the ETCS Core Hazard, it is possible that other DMI failures could result in incorrect Train data being confirmed as valid when it is not. Such validation should be carried out by the Driver but in this case the confirmation could be inserted by a DMI failure. Similarly, it is possible (though unlikely) that a DMI error could mask or hide an incorrect data input by a Driver such that in the validation activity (in whatever form this was implemented) the wrong data appeared correct. Depending upon how the "as advised to ETCS" definition is interpreted in this respect (e.g. when the data is first entered into the ETCS OBSS or only after it has been confirmed by the User as correct), there may be additional Non Core Hazard failures. Accordingly, potential failure modes of the DMI during data input and validation using the DMI should be assessed in the future if a harmonised DMI data entry procedure is agreed, or as part of each application's substantiation of the data input and validation process.

Recovery from situations where a DMI failure has caused ETCS Intervention or the reason for Intervention is not indicated depends upon National Rules and specific circumstances at the location. Sufficiency of the rules and procedures regarding recovery from such situations is therefore not modelled, and will need to be justified as part of each Country's application.

1.3 Assumptions

The following assumptions have been made with regard to, or in the course of performing, the functional safety analysis. The list includes three additional Assumptions (A9, A10, & A11) raised in preparation of this Final report arising from completion of the safety analysis.

A1 The ETCS on-board equipment will be compliant with the relevant and current UNISIG specifications, notably Subset 026 version 2.3.0d.

A2 Any interfacing system, and action of components of the ETCS On-board system other than the DMI, are assumed to be working correctly.

A3 A control separate to the DMI itself is provided to initiate ISOLATION mode (IS) and is required to be used when IS Mode is adopted. This separate isolation control doubles as an indication that overrules any indication on the DMI because the IS control interfaces directly with the train brake circuits.

A4 Erroneous indication of IS mode to a driver will result in the adoption of the National Rules for IS mode. This may include working to a secondary speed indicator.

A5 The Override function is available in SH mode. N.B. The function is available in 2.3.0d, but the requirement to display this in SH mode is not currently defined in 2.3.0d but is proposed for release via a current Change Request.

A6 The Geographical Position function is provided. [Provision being an Infrastructure Option dependent upon the ETCS trackside subsystem, SRS 4.5.2].

A7 There is no Interoperable requirement to display Service or Emergency brake applications on the DMI unless initiated by the ETCS, i.e. the indication is of a brake demand as part of system Intervention/Trip. However, applications are known to indicate that braking is actually being applied.

A8 A display to the driver that is obviously incorrect / invalid through the inclusion of garbled text or non valid characters will be recognised by the driver and the unit taken out of service at the earliest opportunity. Accordingly, only erroneous but valid data and messages need to be addressed.

A9 The impact of invalid erroneous data exchange between the DMI and Kernel will be addressed by the product suppliers as this is not a specified Interoperable requirement (see clause above).

A10 Normal operation of automatic Level Crossings (train not stopping) is encompassed within the ETCS CH as the approach speed profile is assumed to be part of the train supervision speed profile (where the former has been advised to ETCS), and thus exceedance of the speed envelope even with an incorrect DMI speed indication is Core Hazard.

A11 When required to use Geographical Position information (GPI) and none is displayed on the DMI when requested to do so, the driver has a choice of what to do. If the driver reports that no information is available, it is assumed that National Rules will ensure safe recovery from the situation.

A12 Following a DMI failure, the responses of the rest of the ETCS On-Board Sub-System, and any other train system, to the fault arising within the DMI are assumed to occur according to specification.

A13 Incorrect actual train speed displayed on the DMI is assumed to have an equal likelihood of being erroneously higher than actual as of being lower.

A14 The kernel will not permit a transition to level STM if the train does not have STM equipment fitted (see MMI-1d in Appendix B).

1.4 References

[1] Support for the Safety Analysis of the ETCS DMI. ERA/2008/ERTMS/OP/01, 22 July
[2] rnpb Safety Analysis of ETCS DMI, Interim Safety Analysis Report, Issue 2 2nd June
[3] ERTMS/ETCS Class 1, System Requirement Specification, Subset 026, version 2.3.0d; UNISIG.
[4] ERTMS/ETCS Class 1, FIS for the Man-Machine Interface, Subset 033, version 2.0.0; UNISIG.
[5] ERTMS/ETCS Class 1, UNISIG Causal Analysis Process, Subset 077, version 2.2.2; UNISIG.
[6] ERTMS/ETCS Class 1, MMI Failure Modes and Effects Analysis (two documents), Subset 079, version 2.2.2; UNISIG.
[7] ERTMS/ETCS Class 1, Safety Analysis (five documents), Subset 088, version ; UNISIG. July
[8] ERTMS/ETCS Class 1, Safety Requirements for the Technical Interoperability of ETCS in Levels 1 & 2, Subset 091, version ; UNISIG. October
[9] ETCS Driver Machine Interface, ERA_ERTMS_015560, version /12/
[10] ETCS and GSM-R principles and rules. EEIG 06E222, version 3, 18/12/
[11] HAZID Brainstorming Report rnpb ETCS DMI safety Analysis. HAZID Meeting report, version 1.0, 25 March N.B. version 2 will be issued following completion of the HAZID and Hazard Schedule assurance activity
[12] /01/002 hya , Stage 2 HAZID, Minutes Of Meeting 23rd March
[13] RSSB Guidance on the use of Cost-Benefit Analysis in making decisions affecting safety, 28th February
[14] RSSB Research & Development project T440, The weighting of non-fatal injuries,
[15] RE: FW: ERA doc et ERA doc. D Jovicic to N Brierley, 28th April
[16] /01/002 hya , Stage 3 Interim report. Minutes ERA Steering Group meeting, 11th May
[17] Letter trace queries DMI SA Traceability, version 01, 28 September
[18] Letter 62612Lnpb Gap analysis, Conclusions of Traceability and Gap Analysis and Impact on Event Tree Models for the Safety Analysis of ETCS DMI version 02,
[19] ERA response to trace queries DMI SA Traceability v01 issued by RE: ETCS DMI Safety Analysis - Queries arising from Traceability assessment to SUBSET-079 analysis, D Ligier to N Brierley, 05 October

Abbreviations and Glossary

Abbreviation | Definition
ACK | Acknowledge or Acknowledgement
ATP | Automatic Train Protection
CCF | Common Cause Failure
CMF | Common Mode Failure
DMI | Driver Machine Interface
EoA | End of Authority
ERA | European Railway Agency
ERTMS | European Rail Traffic Management System
ET | Event Tree
ETA | Event Tree Analysis
ETCS | European Train Control System
ETCS CH | ETCS Core Hazard
FIS | Functional Interface Specification
FMEA | Failure Modes and Effects Analysis
FTA | Fault Tree Analysis
FWI | Fatalities and Weighted Injuries
GPI | Geographical Position Information
GSM-R | Global System for Mobile Communications - Railways
HAZID | Hazard Identification meeting/activity
HAZOP | Hazard and Operability study
HS | Hazardous Situation
IE | Immediate Effect
INAPP | Inappropriate Authority (for train movement provided)
JRU | Juridical Recording Unit
L0 | ETCS Level zero
L1 | ETCS Level one
L2 | ETCS Level two
LOSS | Loss, or reduced, level of ETCS supervision and protection.
LR Rail | Lloyd's Register Rail Limited (UK or BV)
LSP | Loss of Standstill Protection
LX | Level Crossing
LXI | Level Crossing Incident
MA | Movement Authority

MMI | Man Machine Interface (earlier term for DMI)
N/A | Not Applicable
OBSS | On Board Sub-System
OUTWITH | Operation outside the control of the signaller and signalling system
OVS | Overspeed
RAM | Reliability, Availability and Maintainability
RAP | Roll Away Protection
RBC | Radio Block Centre
RSF | Right Side Failure
SPAD | Signal Passed At Danger
SReq | Safety Requirement (SReq to distinguish from Staff Responsible mode)
SRS | Safety Requirement Specification (Subset 026)
STM | Specific Transmission Module
SvL | Supervised Location
THR | Tolerable Hazard Rate
TPWS | Train Protection and Warning System
TRN | Train Running (or Reporting) Number
TSR | Temporary Speed Restriction
UBA | Unexpected Brake Application
Vmax | Maximum permitted train speed

"Erroneous but valid" is used within this report to indicate where an item of data or text is correct with respect to the ETCS specification at the DMI boundary, but is not the correct value or text that it should be. For example, a displayed train speed of 200 kph when the actual train speed was 220 kph. The validity primarily concerns the message containing the data / text as being uncorrupted and whole (complete), and text being correct and complete; it does not extend to whether the message is permitted at that specific time and Level / Mode combination.

An "Erroneous but valid" item of data may therefore still be rejected by the ETCS Kernel, depending upon the nature of the data item and the in-built protection within the ETCS specification, e.g. the acceptance time window for acknowledgements, or product (e.g. setting bounds for valid data values). Similarly, the display to the driver may be valid in that it is a standard display icon or message, but not permitted in the current configuration, through which the driver may identify the fault.

"Limiting THR": The limiting THR is that hazard / scenario that places the most onerous requirement on the DMI.
For DMI hazard rates (frequencies), the limiting value will be the lowest one as this is the more difficult to provide by the DMI product.

"Level 0" is used to define the situation where the train is ETCS-equipped but the trackside is not.
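The "erroneous but valid" definition above can be made concrete with a receiver-side check, given here as an added example that is not part of the original report or of any ETCS specification. The frame layout, the bounds and the time window are assumptions constructed for the illustration, since the report notes that no Interoperable DMI-Kernel message specification exists.

```python
import struct
import zlib
from enum import Enum

# Hypothetical frame layout, constructed for this example:
#   kind (1 byte) | value (uint16) | sent_ms (uint32) | CRC-32 over the first 7 bytes
BODY = struct.Struct(">BHI")
CRC = struct.Struct(">I")

KIND_VMAX = 1   # driver-entered maximum train speed, km/h
KIND_ACK = 2    # driver acknowledgement

VMAX_BOUNDS_KMH = (10, 500)   # assumed product-level bounds for valid data values
ACK_WINDOW_MS = 5000          # assumed acceptance time window for acknowledgements


class Verdict(Enum):
    ACCEPTED = "accepted"
    INCOMPLETE = "rejected: message not whole"
    CORRUPT = "rejected: message corrupted"
    UNKNOWN_KIND = "rejected: unknown message kind"
    OUT_OF_BOUNDS = "rejected: value outside bounds"
    ACK_OUTSIDE_WINDOW = "rejected: acknowledgement outside time window"


def encode(kind, value, sent_ms):
    """Build a well-formed frame: body followed by its CRC-32."""
    body = BODY.pack(kind, value, sent_ms)
    return body + CRC.pack(zlib.crc32(body))


def check(frame, request_ms=None):
    """Apply the receiver's protections in order: whole, uncorrupted, plausible."""
    if len(frame) != BODY.size + CRC.size:
        return Verdict.INCOMPLETE
    body = frame[:BODY.size]
    (crc,) = CRC.unpack(frame[BODY.size:])
    if zlib.crc32(body) != crc:
        return Verdict.CORRUPT
    kind, value, sent_ms = BODY.unpack(body)
    if kind == KIND_VMAX:
        low, high = VMAX_BOUNDS_KMH
        return Verdict.ACCEPTED if low <= value <= high else Verdict.OUT_OF_BOUNDS
    if kind == KIND_ACK:
        # An acknowledgement only counts if it answers a pending request in time.
        if request_ms is None or not 0 <= sent_ms - request_ms <= ACK_WINDOW_MS:
            return Verdict.ACK_OUTSIDE_WINDOW
        return Verdict.ACCEPTED
    return Verdict.UNKNOWN_KIND


def demo():
    """Constructed cases: the driver intends Vmax = 220 km/h; a request is pending at t = 10 s."""
    request_ms = 10_000
    correct = encode(KIND_VMAX, 220, 1_000)
    flipped = bytearray(correct)
    flipped[2] ^= 0x01            # single bit flipped in the value field, CRC left untouched
    return {
        "correct": check(correct),
        "bit_flip": check(bytes(flipped)),
        "truncated": check(correct[:-1]),
        "out_of_bounds": check(encode(KIND_VMAX, 900, 1_000)),
        "late_ack": check(encode(KIND_ACK, 0, 17_000), request_ms),
        # The residual cases: whole, uncorrupted and plausible, but not the value or
        # action the user gave. No check at this boundary can tell them from "correct".
        "erroneous_but_valid_vmax": check(encode(KIND_VMAX, 200, 1_000)),
        "spurious_ack_in_window": check(encode(KIND_ACK, 0, 12_000), request_ms),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict.value}")
```

The last two cases pass every protection the receiver has, which is why the analysis has to treat erroneous but valid data through its consequences rather than rely on rejection.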

2 System Under Inspection

2.1 Context & Core Hazard

The role of ETCS as it is defined by the ETCS reference architecture in the railway environment, has been defined [SUBSET ] as:

To provide the Driver with information to allow him to drive the train safely and to enforce respect of this information.

The Core Hazard for the reference architecture is defined [SUBSET ] as:

Exceedance of the safe speed / distance as advised to ETCS.

The reference architecture is presented schematically in the figure below, along with a delineation of the boundary for this assessment:

[Figure 1 - ERTMS/ETCS system Reference Architecture, marked with the limit of the DMI Safety Analysis]

Note: Interaction with the Driver, train preparer, and maintainer fall within the study, but their actions are assumed to be correct, and only failures caused by the DMI itself are considered.

Apportionment of the THR for the top-level hazard to the hazard rates of the UNISIG grouping of constituents is undertaken in Subset-088 Part 3. This apportionment is based on a defined Mission Profile. The existing safety analysis of the ETCS system reported in SUBSET-088 [7] and 091 [8] identified ten subsidiary hazardous situations (HS) associated with the DMI (prefixed with the identity MMI-). Whilst these hazardous situations undoubtedly contribute to the ETCS CH, due to the specific definition of the ETCS CH, this study has identified that under certain operating Modes their failure can also result in a non Core hazard event, namely one of the DMI Hazards identified as part of this study.

2.2 Operating Modes Assessed

Table 1 summarises the ETCS operating modes and how they were addressed during the study. The shaded rows are outside the scope of this assessment.

Mode | Functions Included | Transitions Included | Comment
Full Supervision (FS) | Y | Y |
Limited Supervision (LS) | N | N | Not in version 2.3.0d. Expected to be introduced at revision 3 of the SRS.
On Sight (OS) | Y | Y |
Staff Responsible (SR) | Y | Y |
Shunting (SH) | Y | Y |
Unfitted (UN) | Y | Y |
Passive Shunting (PS) | N | N | Not in version 2.3.0d. Expected to be introduced at revision 3 of the SRS.
Sleeping (SL) | N {1} | Y |
Stand By (SB) | Y | Y |
Trip (TR) | Y | Y |
Post Trip (PT) | Y | Y |
System Failure (SF) | Y | Y |
Isolation (IS) | N {1} | Y |
No Power (NP) | N {1} | Y |
Non Leading (NL) | Y | Y |
STM National (SN) and STM European (SE) | N | N (from), Y (to) | No ETCS role. Once established in Level STM, the DMI and its role lies solely with the country railway authority. Outside remit for this work [1].
Reversing (RV) | Y | Y |

Table 1 - Operating Modes & Transitions

Note {1}: For IS, NP & SL modes the DMI has no active function, but erroneous functions need to be considered.

Transitions from SL mode were generally addressed under the mode then adopted. When a sleeping engine is awoken following a safety critical fault, the transition to SF and application of the brakes is delayed until the on-board leaves SL mode, leading to a transition SL → SB → SF. The indication to be displayed by the DMI in this situation is therefore the transient status of SB followed by adoption of the SF status indications.

2.3 DMI Functions Assessed

The assessment was limited to ETCS functionality in terms of information provided to, or by, the DMI, and the required user behaviour related to these. Subset 026 [3] defines the ETCS functionality and responsibilities of the system and user.

The DMI functionality is defined in SUBSET-026 Chapter 4.7, in terms of the inputs and outputs with the User, i.e. the DMI display screen. Information exchanged between the DMI and the Kernel is not explicitly defined, though this can be implicitly identified from the overall functioning. Furthermore, the message structure for information exchange between the Kernel and DMI is not an Interoperable specification.

As agreed at the first ERA Working Group technical meeting (item 4.6 of [12]), the THRs for the ETCS DMI should be defined on a functional basis. However, the functions defined in SUBSET for the DMI are not at the same level as the ETCS CH, and therefore a definition of DMI functions at the same level as the ETCS CH is required.

At the most basic level the DMI is an Input / Output device, providing a mechanism to receive and send information, albeit with some processing during the transfer. The DMI has two interfaces: with the User and with the Kernel. The core DMI functions are therefore related to these two interfaces.

Whilst intuitively it may be expected that the DMI will have functions associated with receiving and transferring information, at the level of the ETCS CH, it is considered that the functions of the ETCS DMI reduce to no more than two. The basis for this is set out in Appendix A as part of the top-level, top-down Functional Analysis, and is illustrated in the figure below:

[Figure 2 - ETCS DMI Core Functions. The figure shows the User, the ETCS DMI and the Kernel, with the following functions:
F1 Convey information from the Kernel via the DMI (audio and visual) to the User
  IF1.1 - Receive information for display from Kernel / ETCS
  IF1.2 - Display information to the User (driver, train preparer, maintainer)
F2 Convey information from the User to the Kernel
  IF2.1 - Receive data input from User (driver, train preparer, maintainer)
  IF2.2 - Send data / information to the Kernel / ETCS]

2.3.6 The DMI functions reduce to:

F1 Convey information from the Kernel via the DMI (audio and visual) to the User, and
F2 Convey information from the User to the Kernel

The reason that failures associated with receiving and processing / transferring data are not separate Core DMI functions (i.e. IF1.1 and IF2.1) is that these do not exist independently, and in practice are causal events of the Top Level DMI functions F1 and F2. These linkages are illustrated in the schematic with the dotted lines.

Thus failure to correctly accept or transfer information received from a User (e.g. the Driver), can only manifest itself as failure of the DMI to either display the required output to the User, or transmit the requisite information to the rest of the ETCS On-Board equipment.

Function F1 resides at the ETCS system boundary. Whilst F2 is internal to the ETCS On-Board Sub-System equipment, any impact will manifest itself at the ETCS system boundary, since with the rest of the ETCS On-Board Sub-System equipment working correctly, the failure will percolate through the system unaltered [Path C], or arise due to the correct functioning of the ETCS On-Board Sub-System equipment [Path B]. An example of a Path B situation is ETCS Intervention as a result of not receiving a Level Transition acknowledgement within the required time frame. The paths are illustrated in the figure below:

[Figure: User input, DMI and ETCS On-Board Sub-System, with three paths:
Path A - Direct DMI hazard at DMI user interface boundary, e.g. incorrect speed indication
Path B - DMI error results in protective action by ETCS On-Board Sub-System equipment, e.g. Intervention leading to unexpected brake application
Path C - DMI error unaffected by ETCS On-Board Sub-System equipment, e.g. corruption of configuration data (ETCS CH)]

It is noted that in normal operation application of the train braking system, either under Service or Emergency braking, is not considered to present a hazard. In most instances Service braking is controlled, and severe braking (Service or Emergency) only occurs when a hazard is present, such that any impact of the severe braking is acceptable as being a lesser consequence than that which could occur if braking was not undertaken, e.g. collision. Whilst the risk of such a brake application is low, and can arise in non-ETCS fitted trains for a variety of causes, where this arises due to a DMI failure, it is recorded in the analysis for completeness. UBA will have a different, and potentially worse effect, on freight trains but this has not been considered further within this study (see clauses & 1.2.7).

The example above of a DMI fault that is unaffected by the rest of the ETCS On-Board Sub-System equipment [path C in the figure in Section 2.3.9], is where the DMI could potentially receive correct configuration data at the DMI user interface, and provide erroneous but valid values to the Kernel. In this instance, the error results in the ETCS CH (MMI-3 Falsification of drivers train data input), and as such falls outside the scope of this DMI functional safety analysis and is not considered further.

This study does not extend to deriving a Safety Integrity Level (SIL) requirement for the DMI. Should a SIL be derived at a future time, it is noted that the DMI's role in relation to the ETCS CH would also need to be considered. Accordingly, whilst an analysis of the DMI functions and their failure modes presented herein is likely to derive the limiting THR requirements for the DMI, the contribution of other ETCS On-Board Sub-System components also needs to be considered, if only to an extent to confirm that these are not more onerous.

3 Methodology

3.1 Approach

The overall approach is summarised in the schematic below.

[Figure 3 - Study Methodology]

The methodology was refined during the course of the study in response to agreements and clarifications at the Steering Group meetings. One variation to the above process was that the SUBSET-079 mapping, gap analysis and refinement of the hazard Schedule was completed as part of Task T4 rather than T3 as illustrated above.

LR Rail's proposal for the study [1] envisaged an initial focus on hazard identification and causal analysis, followed by derivation of THRs for the top-level hazards using a comparative approach to the ETCS CH severity and accident loss.

The Invitation To Tender from the ERA similarly required the identification of causal events. As far as the goal of the project in determining THRs is concerned, however, this is of no value, since the causal events at component level cannot be quantified because the DMI must be treated as a Black Box with no knowledge of the internal architecture or technologies used (as it is only the required functions that are Interoperable constituents). The causal events presented (referred to as Hazardous Situations in SUBSET-088) are more akin to failure modes, under which there reside specific root cause failures.

3.1.5 In practice, a comparison of the severity and loss requires some form of enumeration, since in some cases the severities will be the same. As noted in Section 3.4, due to ongoing work by the Common Safety Methods working group, THRs are not now to be derived as part of this current study. Nevertheless, the fact remains that the only practicable method of deriving THRs (as opposed to assuming a value and iterating to consider its acceptability) is to work back from the end risk by developing Consequence Loss models. Such models are then open to review and modification regarding the quantitative values to be applied once the logic of the model is accepted.

This study therefore continued to develop the schedule of hazards and Event Tree Analysis (ETA) of their development in order to support future enumeration.

Consequence Loss models are most effectively described through ETA, which has become the focus of the study rather than the development of Fault Trees (causal analysis) which cannot be quantified.

The relationship between cause, consequence, risk and THRs is illustrated in the bow tie diagram below:

[Figure 4 - Bow Tie Diagram. Left side: HAZID & Causal analysis (FTA - 1 ... FTA - n). Centre: DMI boundary hazards, THR. Right side: Consequence & Loss (ETA - 1), leading to RISK.]

3.2 System Boundary, Hazards and THRs

As noted above, hazards only reside at the boundary of a system or product. For this study, the boundary is that of the DMI element of the ETCS On-Board Sub-System equipment. It is noted that part of this boundary is also part of the external ETCS On-Board Sub-System boundary.

Given the coincident boundary and the nature of the ETCS CH, some of the DMI failures will result in the ETCS CH (and are therefore not within the scope of this study), whilst conversely, failures in other elements of the ETCS On-Board Sub-System equipment may lead to the same effect as the identified DMI hazards. Thus there may be causal events of the hazard identified under the two DMI functions F1 and F2 arising from faults within the rest of the ETCS On-Board Sub-System equipment as discussed in Section

This is illustrated in Figure 5 and Figure 6 below:

19 User input DMI The ETCS On-Board Sub-System comprises a number of Functions: Which have associated THRs: ETCS On-Board Sub-System Core Function (speed & distance as advised to ETCS) DMI Function 1 DMI Function 2 Kernel Function x Odo Function y THR ETCS CH THR DMI F1 THR DMI F2 THR Kernel Fx THR Odo Fy THR BTM Fz BTM Function z N.B. The DMI, Kernel, Odo, etc. functions are in addition to any role they have as part of the ETCS Core Function Figure 5 Functions and THRs THRs are assigned at a Functional level but may, explicitly or implicitly, be composed of a series of THRs from different system components, of which the DMI is but one element. To verify that a THR has been achieved, it is necessary to summate all possible contributors (the causal event side of the Bow Tie in Figure 4). However, to set a limiting THR value by reverse engineering from the worst outcome of functional failure, a target can be set by identifying simply the scenario that presents the highest risk, and assuming that this always occurs, which will result in the lowest potential THR value. Thus, all other possible failure outcomes will be less onerous than that assumed in deriving the THR. Whilst pessimistic, this worst-case approach avoids the need for a top down apportionment of risk to the DMI. ETCS Core Function ETCSCH THR ETCSCH = Lowest of THRMMI or THRODO or THRKERNEL or THRBTM. 1E-09 Safety Analysis (SUBSET-088) Confidence ETCSCH can be achieved in practice DMI F1 DMI F1 Hazards (H1, H2, H3) THR F1 = Lowest of THR DMI F1 or THRODO F1 or THRKernel F1 or. THR x BTM F1 DMI F2 DMI F2 Hazards (H4, H5) THR F2 = Lowest of THR DMI F2 or THRODO F2 or THRKernel F2 or. THR x BTM F2 Boundary of ETCS DMI Study Page 16

Figure 6 Function, THR and ETCS Component Relationship

For the existing consideration of the ETCS CH, no apportionment has been made between the overall THR and the elements of the ETCS On-Board Sub-System equipment which may cause it. Separate THRs for Odometry, Kernel, DMI, etc. have not therefore been developed with regard to the Core Hazard, but are encompassed within the overall ETCS CH THR. The different contributors that have been considered and are illustrated in the analysis reported in SUBSET

For this study of DMI hazards in addition to any contribution to the ETCS CH, there is a difference in that whilst the DMI top-level functions have been derived from a top down failure analysis of the core DMI functions, only the DMI contribution is being explicitly considered. Thus, the analysis reported herein can only be used to determine the THR DMI F1 and not the THR F1 as illustrated by the red boxes in Figure

Whilst it is expected that the integrity requirements of other ETCS OBSS components arising to address the ETCS Core hazard would mean that DMI failures were dominant with regard to functions F1 and F2, this would need to be verified as part of any quantification activity. It should be noted therefore that quantification of the Event Trees would derive a THR for the function, and that this may include failures outside the DMI element of the ETCS on-board interoperability constituent. For example, hazardous situations arising from failures of the DMI to send requests or data to the Kernel are addressed explicitly in this analysis, but there are equivalent failures of the Kernel to accept and process such received information that would result in the same failure consequence as the DMI hazardous situation.

As noted above, there may be a number of hazards that can arise associated with a single Function, and a number of hazardous situations that give rise to each Hazard.
The ETCS CH relates to the single (principal) ETCS Core Function, for which 10 MMI (i.e. DMI) related Hazardous Situations (footnote 2) were identified and modelled along with contributions from other ETCS On-Board Sub-System equipment in SUBSET-088. These ETCS CH DMI Hazardous Situations are presented in Appendix F.

The DMI related Hazardous Situations associated with the ETCS CH are identified with a prefix MMI-. It is possible that the same failure mode could result in a non-core Hazard effect in a particular ETCS Level and Mode combination. To cater for such situations the MMI failure identities are retained in this analysis to differentiate them from failures that only result in Non Core hazards, which are prefixed DMI.

As an example, MMI-2a in SUBSET-088 is "False presentation of speed or distance". If the speed or distance limit is not advised to ETCS then it is not part of the ETCS CH. Thus, any limit that the Driver is responsible for achieving, based on their understanding of train speed (mostly Level 0 limits, but some Level 1 / Level 2, e.g. stopping short of another rail vehicle in OS mode or stopping in a platform), would be non-core. MMI-2a can therefore result in an ETCS Core Hazard and also a Non Core hazard.

1 For example, the hardware managing Input/Output data transmission for the DMI may be as unreliable at its connections on the kernel I/O ports. In such cases, failure of the DMI to send or receive information may be of the same order as the Kernel failing to receive or send information.

2 Hazardous Situations are not true causal events, being more akin to failure modes, though they are the limit used in the SUBSET-088 FTA analysis, as true causal events cannot be identified because the technology and internal workings of the ETCS On-Board Sub-System equipment are not mandated for interoperability.

Hazardous Events associated with the ETCS CH cover MMI-1 to MMI-4, along with a further division in a, b, c sub-elements. The additional DMI hazards derived in this study use the Hazard identity as a first identifier, followed by an a, b, c delineation similar to that used for the MMI failures. Thus, the DMI Hazardous Situation name is immediately identifiable to the hazard which it falls within; e.g. DMI-03a is the first Hazardous Situation associated with Hazard H

The linkage between Functions, Hazards and Hazardous Situations is a pyramidal structure, with the THR being applicable at the top-level Function level. Although it would be possible to set THRs at the Hazard level, these would need to be aggregated for all hazards associated with a particular Function.

[Figure 7 - Pyramidal Relationship of Functions, Hazards and Causes. Labels: F, THR Function; THR HAZARD; Boundary Hazards (H); Hazardous Situations; Causal events; Highest (limiting) risk Event; Medium risk contributing Event; Low risk Event]

Whilst there is a range of Hazardous Situations identified under each DMI Hazard, the generic nature of the DMI Hazards is such that the Hazardous Situations are specific variations of the generic failure mode. As such, whilst they may be seen as causal events in the context of the DMI Hazard, they are in fact failure modes of the DMI, which in turn have true causal events within the black box of the DMI sub-system element, which can only be fully assessed as part of each implementation of the ETCS OBSS by each supplier.

Accordingly, the Hazardous Situations strictly reside at the DMI sub-system boundary, and represent more specific instances of the top-level generic hazards of the DMI (H1 to H5, see Section 4.1). With more than 30 separate DMI Hazardous Situations identified, when comparing Non Core hazard DMI hazards with the single ETCS Core Hazard, it may be simpler to do this just at the top-level more generic description (hazards H1 to H5) rather than numerous separate hazardous situations detailed in Table 3 in Section

For example, DMI-01a: DMI fails to provide Warning indication, could arise from a variety of technology and implementation specific failures including a software error, failure of elements of the DMI display, or internal workings of the DMI such as display drivers, input/output buffering, internal cabling / connections, system memory or problems with the annunciation circuits / speakers.

Being, in effect, a failure mode, the Hazardous Situation must develop further in many instances in order for harm to occur, and the intermediate states between initial failure and harm may be the same for a number of different Hazardous Situations. The intermediate states are referred to in this analysis as the Immediate Effect of the Hazardous Situation. For example, the displaying of an incorrect train speed on the DMI does not itself cause immediate harm, but could result in the train running at a higher speed than intended (referred to herein as Overspeed [OVS]), which could cause harm. The Overspeed is an Immediate Effect (footnote 3) that can arise from other Hazardous Situations.

The Event Tree models developed will support the future quantification of the top-level functional THRs if such an approach is adopted.
The Hazard Schedule and ETA models in Appendix B and Appendix D respectively illustrate the Immediate Effects along with the barriers/shaping factors that can prevent the Immediate Effect occurring, and mitigation and controls that can limit the potential harm.

Event Tree models have been developed for each and every Hazardous Situation to illustrate the barriers and shaping factors between each and potential Immediate Effect states. However, not every Hazardous Situation may need to be quantified in any future assessment. Whilst every Immediate Effect situation will need to be quantified, they are generic modules to a number of Hazardous Situations and in turn Hazards, and thus in deriving a THR only the limiting Hazardous Situations (i.e. initiating events) would need to be quantified.

Thus, provided that the Immediate Effect models are representative or worst case for all potential transfers into them, the number of transfers is immaterial in deriving a THR. Accordingly, only the Hazardous Situations with the highest frequency of transfer will need to be modelled in order to robustly derive the associated THR, and only then as far as the stage where the Immediate Effect commences. Furthermore, if there are any Hazardous Situations that directly lead to the Immediate Effect, then this will bound all other situations (be the limiting scenario), as situations where one or more further effects or conditions need to occur for the Immediate Effect stage to be reached will have additional steps in the sequence which will reduce the frequency.

3 Accepted that Overspeed may not be immediate but the term is used as an impact / state that potentially leads to harm.

The methodology applied therefore determines the limited set of Immediate Effect states and maps these to the Hazardous Situations. Each Immediate Effect is then modelled for a worst or representative case so that it can apply to (or bound) all possible transfers to it. In this manner a wide range of DMI functional failures can be seen to result in a much smaller set of harmful outcomes, and the number of events requiring possible future quantification is reduced.

3.3 Hazard Consequence and Likelihood

A severity classification was applied to each hazardous outcome / consequence in accordance with that already adopted for the ETCS CH as defined in SUBSET-077 clause

To simplify the Event Trees each of these categories has been given an ID in the range S1 to S4 as indicated in Table 2 below

modes that result in end effects that are not safety related, i.e. those that do not put the passenger at risk, may present no hazard, but could degrade the Reliability, Availability or Maintainability (RAM) of the DMI, resulting in delays and service impact. Degraded reliability and availability lead to operation of the train in a degraded mode, with increased driver's responsibility, which can indirectly impact the safety.

ID    Severity Level    Consequence to Passenger
S1    Insignificant     Possible minor injury
S2    Marginal          Minor injury
S3    Critical          Single severe injury
S4    Catastrophic      Single fatality and/or multiple injuries

Table 2 Hazard Severity Levels and Equivalent Fatalities

When considering quantitative THR requirements at a future stage, outside of this report, it may be necessary to account for the total risk posed by a hazard for different consequence groupings, e.g. a very high frequency Critical hazard outcome may pose a higher risk than a low frequency Catastrophic consequence.

The CENELEC standards provide no criteria to formally compare different accident consequences.
In the UK, a concept of Fatalities and Weighted Injuries (FWI) has been derived to provide a relative weighting to different accident consequences, through a concept of equivalent fatalities. The UK Rail Safety and Standards Board (RSSB) recommendations and supporting investigations may be useful in this regard [13], [14].

3.4 Tolerable Risk and THR Quantification

Quantitative THRs are not being derived in this study as specified at the technical meeting on 11th May 2009 [16]. The methodology described in Section 3.2 would permit quantitative THRs to be derived through a process of quantifying the Event Tree models to determine the outcome that poses the highest risk to a passenger. Initially the analysis would assume a frequency of one failure per hour. Having determined the highest risk outcome for a frequency of one per hour, which is likely to result in an unacceptable risk, the limiting THR could be derived by adjusting the frequency until an acceptable (tolerable) worst-case individual risk is achieved. In practical terms, this is simply the ratio between the risk derived with a frequency of one, and the risk of death target that is deemed tolerable.

For example, if the worst-case risk of death outcome of a DMI functional failure at a frequency of one per hour was 1E-06, and the tolerable risk of death to a passenger set at 1E-09 per hour, then the limiting THR would become 1E-03 per hour.

When determining the tolerable risk of death for such an approach for the DMI, the risk posed by the ETCS On-Board Sub-System as a whole will need to be considered to ensure that the risk in totality is acceptable.

As all Hazardous Situations have been modelled in the ETA, it would be possible for any future THR quantification activity to populate all trees and sum the risk posed, rather than taking the single most onerous sequence. This approach is not recommended as it could derive a highly pessimistic THR, as when a DMI failed, it would be likely to result in a single (or very few co-incident) DMI Hazardous Situations. Quantifying the whole ET model would imply that ALL failure modes / Hazardous Situations occurred concurrently, which is of course a very pessimistic and unrealistic assumption. Therefore, a limiting THR could be derived by selecting the highest risk sequence.
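The derivation described in Section 3.4, together with the bounding argument of Section 3.2 (a direct transfer into an Immediate Effect bounds sequences with extra barriers), as an added Python example that is not part of the report. The situation identifiers HS-A, HS-B, HS-C and every probability are constructed for illustration; only the 1E-06 worst-case risk and the 1E-09 tolerable risk are taken from the report's worked example.

```python
"""Limiting-THR derivation from event tree sequences (added illustration)."""
from dataclasses import dataclass
from math import prod


def _check_probabilities(values):
    for p in values:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")


@dataclass(frozen=True)
class ImmediateEffect:
    """Generic module shared by several Hazardous Situations (e.g. OVS, UBA)."""
    name: str
    mitigation_failures: tuple  # failure probability of each mitigation/control

    def __post_init__(self):
        _check_probabilities(self.mitigation_failures)

    def p_death(self):
        # Harm occurs only if every mitigation after the Immediate Effect fails.
        return prod(self.mitigation_failures)


@dataclass(frozen=True)
class HazardousSituation:
    """Initiating event at the DMI boundary, with barriers before the effect."""
    ident: str
    immediate_effect: str
    barrier_failures: tuple = ()  # empty tuple = direct transfer to the effect

    def __post_init__(self):
        _check_probabilities(self.barrier_failures)


def sequence_risk(hs, effects, frequency_per_hour=1.0):
    """Risk of death per hour for one event tree sequence."""
    effect = effects[hs.immediate_effect]
    return frequency_per_hour * prod(hs.barrier_failures) * effect.p_death()


def limiting_thr(situations, effects, tolerable_risk):
    """Take the single most onerous sequence at one failure per hour."""
    risks = {hs.ident: sequence_risk(hs, effects) for hs in situations}
    worst = max(risks, key=risks.get)
    if risks[worst] == 0.0:
        raise ValueError("no sequence leads to harm; THR is unbounded")
    # THR = tolerable risk / risk obtained with a frequency of one per hour.
    return worst, risks[worst], tolerable_risk / risks[worst]


def summed_thr(situations, effects, tolerable_risk):
    """The approach the report advises against: sum every tree."""
    total = sum(sequence_risk(hs, effects) for hs in situations)
    if total == 0.0:
        raise ValueError("no sequence leads to harm; THR is unbounded")
    return tolerable_risk / total


# Constructed values: OVS is chosen so that p_death is 1E-06, as in the report.
EFFECTS = {
    "OVS": ImmediateEffect("Overspeed", (1e-2, 1e-4)),
    "UBA": ImmediateEffect("Unexpected Brake Application", (1e-3, 1e-5)),
}
SITUATIONS = [
    HazardousSituation("HS-A", "OVS"),          # direct transfer, no barrier
    HazardousSituation("HS-B", "OVS", (0.1,)),  # one barrier before OVS
    HazardousSituation("HS-C", "UBA"),          # direct transfer into UBA
]
TOLERABLE_RISK_OF_DEATH_PER_HOUR = 1e-9

if __name__ == "__main__":
    ident, risk, thr = limiting_thr(
        SITUATIONS, EFFECTS, TOLERABLE_RISK_OF_DEATH_PER_HOUR)
    print(f"limiting sequence {ident}: risk {risk:.3g}/h, THR {thr:.3g}/h")
    pessimistic = summed_thr(
        SITUATIONS, EFFECTS, TOLERABLE_RISK_OF_DEATH_PER_HOUR)
    print(f"THR if all trees are summed: {pessimistic:.3g}/h")
```

HS-B shares the OVS module with HS-A but has one more barrier, so it can never be the limiting sequence; summing all three trees yields a tighter THR than the limiting-sequence value.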

4 Safety Analyses and Results

4.1 Hazard Identification

A number of hazard identification activities have been undertaken, both previously and reported in ETCS SUBSET reports, and as part of this DMI study. The studies include an FMEA of the DMI inputs and outputs for ETCS Level 1 and Level 2 operation reported in SUBSET-079 [6], and a HAZID workshop looking similarly at operation in ETCS Level 0 as part of this study [11].

From these studies a DMI Hazard Schedule was derived. A number of assurance activities were also undertaken to confirm the content of the hazard schedule, and to ensure its completeness. The hazard identification and assurance activities are summarised in Figure 8 and discussed in the following text:

[Figure 8 Hazard Identification and Assurance. Inputs to the HAZARD SCHEDULE: BOTTOM-UP Functional Analysis SUBSET-079 L1 / L2; TOP DOWN Generic DMI Function Analysis; BOTTOM-UP Functional Analysis L0 HAZID. ASSURANCE: Review of SUBSET-079. Self consistency check of HAZID output. Mapping of existing SUBSET-079 DMI Hazardous Situations. Gap analysis for functions in 2.3.0d not assessed in SUBSET-079. Peer review of Hazard Schedule. Self consistency checks of Hazard Schedule.]

The initial Hazard Schedule was peer reviewed, looking in particular for self-consistency such that complementary hazardous situations were identified. For example, if there is a Hazardous Situation associated with failure to display information to a driver, is there an equivalent Hazardous Situation where the DMI receives an associated reply from the Driver but fails to send this to the Kernel? The content of the Hazard Schedule was also reviewed during the development of the Event Trees and in further internal reviews and workshops within this study.

A similar self-consistency review was undertaken for the HAZID summary table [11].
This review took particular interest in the interface between the DMI and the rest of the ETCS On-Board Sub-system; information transferred across this boundary was often discussed at the HAZID, but the treatment of this interface is not explicit in the HAZID summary report, which is structured around the Input and Output function at the User interface of the DMI.

The Hazard Schedule assurance activities included an analysis of the HAZID study to identify potential areas where the HAZID table did explicitly cover a DMI activity or keyword (e.g. Absent, Incorrect). This review was undertaken by a competent person who did not attend the HAZID to provide independence.

In many cases it was found that the HAZID had considered the various situations, even if these were not explicitly identifiable, while in a small number of situations some additional occurrences were made explicit; e.g. no new Hazards were found but a second, complementary Hazardous Situation was formalised.

The Hazard Schedule is considered robust and complete as far as the top-level DMI hazard identification (Hazards H1 to H5, see Section 4.2 below) is concerned. The assurance and assessment activities are not yet considered complete as recent effort has concentrated and developed examples of the Event Tree analysis, and thus further Hazardous Situations may be identified in completing these activities. Accordingly, at this first issue of this report the mapping to SUBSET-079 and Gap analysis remain to be completed. These activities are not expected to raise any additional Immediate Effect consequences, but the work needs to be completed to ensure that all Hazardous Situations have been determined.

4.2 Hazard Schedule

The Functions, hazards, associated Hazardous Situations and their Immediate Effects (IE) are summarised in the Hazard Schedule, reported in full in Appendix B, along with explanations of the impacts and associated notes and comments for context.

The Hazard Schedule is too extensive to summarise fully in the main body of the report. Table 3 below provides a full summary of the top level (generic) DMI hazards and associated Hazardous Situations. An Event Tree has been developed for each Hazardous Situation showing the Barriers / Shaping Factors associated with the development to an Immediate Effect.
Columns: Function; Top-Level DMI Hazard; Hazardous Situation; Potential Impact (IE) (see Appendix B for scenario development)

F1, H1 - Information NOT displayed on the DMI when it should have been
DMI-01a: DMI fails to provide Warning indication
DMI-01b: Valid DMI data obscured by erroneous DMI output (audio or visual)
UBA: Unexpected Brake Application; Overspeed - OVS; UBA
DMI-01c: UBA to display request for acknowledgement
DMI-01d: As DMI-03a in H3. DMI fails to display Geographical Position data


More information

EUROPEA U IO. Brussels, 12 June 2009 (OR. en) 2007/0198 (COD) PE-CO S 3651/09 E ER 173 CODEC 704

EUROPEA U IO. Brussels, 12 June 2009 (OR. en) 2007/0198 (COD) PE-CO S 3651/09 E ER 173 CODEC 704 EUROPEA U IO THE EUROPEA PARLIAMT THE COU CIL Brussels, 12 June 2009 (OR. en) 2007/0198 (COD) PE-CO S 3651/09 ER 173 CODEC 704 LEGISLATIVE ACTS A D OTHER I STRUMTS Subject: REGULATION OF THE EUROPEAN PARLIAMENT

More information

UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK

UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK 1 TABLE OF CONTENTS FIGURES AND TABLES... 3 1. INTRODUCTION... 4 2. KEY TERMS AND DEFINITIONS... 5 2.1 Risk... 5 2.2 Risk Management... 5 2.3 Risk Management

More information

GB Rail SPAD Risk Ranking Overview

GB Rail SPAD Risk Ranking Overview GB Rail SPAD Risk Ranking Methodology BACKGROUND All category A Signals Passed at Danger (SPADs) are recorded in the GB Safety Management Information System (SMIS) and were historically assigned a severity

More information

5.- RISK ANALYSIS. Business Plan

5.- RISK ANALYSIS. Business Plan 5.- RISK ANALYSIS The Risk Analysis module is an educational tool for management that allows the user to identify, analyze and quantify the risks involved in a business project on a specific industry basis

More information

GERT8000-OTM Rule Book. Working of on-track machines (OTM) Issue 8. Module OTM. September 2017 Comes into force 02 December 2017

GERT8000-OTM Rule Book. Working of on-track machines (OTM) Issue 8. Module OTM. September 2017 Comes into force 02 December 2017 GERT8000-OTM Rule Book Working of on-track machines (OTM) Issue 8 Module OTM September 2017 Comes into force 02 December 2017 Conventions used in the Rule Book A black line in the margin indicates a change

More information

Risk Assessment Policy (Trust, Summer, Senior and Prep School & EYFS)

Risk Assessment Policy (Trust, Summer, Senior and Prep School & EYFS) Risk Assessment Policy (Trust, Summer, Senior and Prep School & EYFS) Introduction St Bede s School Trust (hereafter referred to as Bede s) clearly recognises that a failure to take reasonable safety precautions

More information

PRC Remedial Action Schemes

PRC Remedial Action Schemes PRC-012-2 Remedial Action Schemes A. Introduction 1. Title: Remedial Action Schemes 2. Number: PRC-012-2 3. Purpose: To ensure that Remedial Action Schemes (RAS) do not introduce unintentional or unacceptable

More information

Solvency II Detailed guidance notes for dry run process. March 2010

Solvency II Detailed guidance notes for dry run process. March 2010 Solvency II Detailed guidance notes for dry run process March 2010 Introduction The successful implementation of Solvency II at Lloyd s is critical to maintain the competitive position and capital advantages

More information

Risk Assessment for Drug Products with Device Components

Risk Assessment for Drug Products with Device Components Risk Assessment for Drug Products with Device Components Khaudeja Bano, M.D. Senior Medical Director, Medical Device Safety Head, Pharmacovigilance and Patient Safety AbbVie Inc. Process consisting of:

More information

European Railway Agency

European Railway Agency European Railway Agency Administrative Board Position paper 26 th ERA Administrative Board meeting 26 June 2012 1 P a g e Proposals by the European Railway Agency Administrative Board for an A. Context

More information

ShipRight. Hull Planned Maintenance. Linked Supporting Service. Changes incorporated in June 2006 version. Design and construction

ShipRight. Hull Planned Maintenance. Linked Supporting Service. Changes incorporated in June 2006 version. Design and construction ShipRight Design and construction Hull Planned Maintenance Linked Supporting Service Changes incorporated in June 2006 version Hull Planned Maintenance, Changes incorporated in May 2004June 2006 version

More information

International Public Sector Accounting Standard 35 Consolidated Financial Statements IPSASB Basis for Conclusions

International Public Sector Accounting Standard 35 Consolidated Financial Statements IPSASB Basis for Conclusions International Public Sector Accounting Standard 35 Consolidated Financial Statements IPSASB Basis for Conclusions International Public Sector Accounting Standards, Exposure Drafts, Consultation Papers,

More information

PANAMA MARITIME AUTHORITY

PANAMA MARITIME AUTHORITY PANAMA MARITIME AUTHORITY MERCHANT MARINE CIRCULAR MMC-213 PanCanal Building Albrook, Panama City Republic of Panama Tel: (507) 501-5000 segumar@segumar.com To: Ship-owners/Operators, Company Security

More information

Contract HSE Management/Part I

Contract HSE Management/Part I Contract HSE Management/Part I HEALTH, SAFETY AND ENVIRONMENT PROCEDURE Contract HSE Management/Part I DOCUMENT ID - PR-10-POGC-001 REVISION - 1.0 Pages 9 Revision 1.0 Contract HSE Management/Part II Document

More information

Kidsafe NSW Risk Management Plan. August 2014

Kidsafe NSW Risk Management Plan. August 2014 Kidsafe NSW Risk Management Plan August 2014 Document Control Document Approval Name & Position Signature Date Document Version Control Version Status Date Prepared By Comments Document Reviewers Name

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.x INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES DRAFT, MARCH 2008 This document was prepared

More information

PRINCE2-PRINCE2-Foundation.150q

PRINCE2-PRINCE2-Foundation.150q PRINCE2-PRINCE2-Foundation.150q Number: PRINCE2-Foundation Passing Score: 800 Time Limit: 120 min File Version: 6.0 Exam PRINCE2-Foundation Version: 6.0 Exam A QUESTION 1 What process ensures focus on

More information

Building an ATO roadmap

Building an ATO roadmap Brussels, 25 May 2016 Building an ATO roadmap 1 CER aisbl - COMMUNITY OF EUROPEAN RAILWAY AND INFRASTRUCTURE COMPANIES Avenue des Arts, 53-1000 Bruxelles T: +32 (0)2 213 08 70 F: +32 (0)2 512 52 31 @CER_railways

More information

NATIONAL RISK MANAGEMENT SYSTEM

NATIONAL RISK MANAGEMENT SYSTEM Scouts Australia NATIONAL RISK MANAGEMENT SYSTEM 2003 First Published 2003 Reviewed August 2006 in consideration of AS/NZS 4360-2004 and Organisational Performance Since First Published. Amendment by Chair

More information

RISK MANAGEMENT MANUAL

RISK MANAGEMENT MANUAL ABN 70 074 661 457 RISK MAGEMENT MANUAL QUALITY ASSURANCE - ISO 9001 ENVIRONMENTAL MAGEMENT - ISO 14001 OCCUPATIOL HEALTH AND SAFETY - AS 4801 This is a Controlled Document if stamped CONTROLLED in RED.

More information

Technical standard. Health and Safety Standard: Penalty scheme applicable to contractor companies. Code: NT GN-SP.ESS.

Technical standard. Health and Safety Standard: Penalty scheme applicable to contractor companies. Code: NT GN-SP.ESS. Technical standard Health and Safety Standard: Penalty scheme applicable to contractor Code: NT.00045.GN-SP.ESS Version: 2 The following text is a translation of the original Procedure "Estándar de Seguridad

More information

Oracle Banking Platform

Oracle Banking Platform Oracle Banking Platform Functional Upgrade Guide Release 2.6.0.0.0 E87094-01 May 2017 Oracle Banking Platform Functional Upgrade Guide, Release 2.6.0.0.0 E87094-01 Copyright 2011, 2017, Oracle and/or its

More information

2 COMMENCEMENT DATE 5 3 DEFINITIONS 5 4 MATERIALITY 8. 5 DOCUMENTATION Requirement for a Report Content of a Report 9

2 COMMENCEMENT DATE 5 3 DEFINITIONS 5 4 MATERIALITY 8. 5 DOCUMENTATION Requirement for a Report Content of a Report 9 PROFESSIONAL STANDARD 300 VALUATIONS OF GENERAL INSURANCE CLAIMS INDEX 1 INTRODUCTION 3 1.1 Application 3 1.2 Classification 3 1.3 Background 3 1.4 Purpose 4 1.5 Previous versions 4 1.6 Legislation and

More information

TABLE OF CORRESPONDENCE BETWEEN COTIF AND EU TERMINOLOGY

TABLE OF CORRESPONDENCE BETWEEN COTIF AND EU TERMINOLOGY Commission d experts techniques Fachausschuss für technische Fragen Committee of Technical Experts TECH-17049-WGT37-8 07.01.2019 Original: EN TABLE OF CORRESPONDENCE BETWEEN COTIF AND EU TERMINOLOGY For

More information

Supersedes: 9/01/11 (Rev.5) Preparer: Owner: Approver: Team Member, North America Process Safety Center of Expertise

Supersedes: 9/01/11 (Rev.5) Preparer: Owner: Approver: Team Member, North America Process Safety Center of Expertise Procedure No.: BC032.019 Page: 1 of 12 Preparer: Owner: Approver: Team Member, North America Process Safety Center of Expertise Manager, North America Process Safety Center of Expertise Sr. Vice President,

More information

1. INTRODUCTION Accounting Requirements for Expenses Minor Amendments MAIN REQUIREMENTS... 4

1. INTRODUCTION Accounting Requirements for Expenses Minor Amendments MAIN REQUIREMENTS... 4 Note presenting Opinion n 2011-09 of the 17 th October 2011 relating to the definition and the recognition of expenses and minor amendments to Standard 2 Expenses, Standard 12 renamed Non-Financial Liabilities

More information

Public Revenue Department. VAT Awareness Session: Free Zone Companies

Public Revenue Department. VAT Awareness Session: Free Zone Companies VAT Awareness Session: Free Zone Companies 0 Introduction 1 1 Update on current progress Successful roll out of general VAT awareness sessions took place in March - May 2017 Phase 2 of the awareness sessions,

More information

CP ON DRAFT RTS ON ASSSESSMENT METHODOLOGY FOR IRB APPROACH EBA/CP/2014/ November Consultation Paper

CP ON DRAFT RTS ON ASSSESSMENT METHODOLOGY FOR IRB APPROACH EBA/CP/2014/ November Consultation Paper EBA/CP/2014/36 12 November 2014 Consultation Paper Draft Regulatory Technical Standards On the specification of the assessment methodology for competent authorities regarding compliance of an institution

More information

EXCERPTS from the SAMS-SPCS SPS Technical Reference

EXCERPTS from the SAMS-SPCS SPS Technical Reference Problem Statement The existing NERC Glossary of Terms definition for a Special Protection System (SPS or, as used in the Western Interconnection, a Remedial Action Scheme or RAS) lacks clarity and specificity

More information

CEN GUIDE 414. Safety of machinery Rules for the drafting and presentation of safety standards. Edition 3,

CEN GUIDE 414. Safety of machinery Rules for the drafting and presentation of safety standards. Edition 3, CEN GUIDE 414 Safety of machinery Rules for the drafting and presentation of safety standards Edition 3, 2017-10-11 Supersedes CEN Guide 414:2014 European Committee for Standardization Avenue Marnix, 17

More information

Telematics Terms and Conditions

Telematics Terms and Conditions Telematics Terms and Conditions Telematics Overview GA telematics insurance operates by installing a telematics device into your car. The device monitors driving behaviours in your car thereafter and awards

More information

Assurance Approach Delivery assurance activities for Retail Market Release April 2019

Assurance Approach Delivery assurance activities for Retail Market Release April 2019 Assurance Approach Delivery assurance activities for Retail Market Release April 2019 Schema V12.00.00 23 August 2018 Version 0.8 Draft for Consultation Contents Change History... 3 Document Controls...

More information

PRINCE2 Sample Papers

PRINCE2 Sample Papers PRINCE2 Sample Papers The Official PRINCE2 Accreditor Sample Examination Papers Terms of use Please note that by downloading and/or using this document, you agree to comply with the terms of use outlined

More information

Expenditure Forecast Methodology

Expenditure Forecast Methodology Forecast Methodology Regulatory Control Period 2018-19 to 2022-23 Version 1.0 Security Classification: Public ElectraNet Corporate Headquarters 52-55 East Terrace, Adelaide, South Australia 5000 PO Box

More information

REQUEST TO EIOPA FOR TECHNICAL ADVICE ON THE REVIEW OF THE SOLVENCY II DIRECTIVE (DIRECTIVE 2009/138/EC)

REQUEST TO EIOPA FOR TECHNICAL ADVICE ON THE REVIEW OF THE SOLVENCY II DIRECTIVE (DIRECTIVE 2009/138/EC) Ref. Ares(2019)782244-11/02/2019 REQUEST TO EIOPA FOR TECHNICAL ADVICE ON THE REVIEW OF THE SOLVENCY II DIRECTIVE (DIRECTIVE 2009/138/EC) With this mandate to EIOPA, the Commission seeks EIOPA's Technical

More information

EFTA Surveillance Authority GUIDELINES

EFTA Surveillance Authority GUIDELINES EFTA Surveillance Authority GUIDELINES for the management of the Rapid Information System RAPEX established under Article 12 and of the notification procedure established under Article 11 of Directive

More information

Project Appraisal Guidelines for National Roads Unit Guidance on using COBALT

Project Appraisal Guidelines for National Roads Unit Guidance on using COBALT Project Appraisal Guidelines for National Roads Unit 6.4 - Guidance on using COBALT October 2016 TRANSPORT INFRASTRUCTURE IRELAND (TII) PUBLICATIONS About TII Transport Infrastructure Ireland (TII) is

More information

ISO INTERNATIONAL STANDARD. Safety of machinery Risk assessment Part 1: Principles

ISO INTERNATIONAL STANDARD. Safety of machinery Risk assessment Part 1: Principles INTERNATIONAL STANDARD ISO 14121-1 First edition 2007-09-01 Safety of machinery Risk assessment Part 1: Principles Sécurité des machines Appréciation du risque Partie 1: Principes Reference number ISO

More information

Maintenance Service Agreement

Maintenance Service Agreement ServicePac Maintenance Service Agreement NOTICE: PLEASE CAREFULLY READ THE FOLLOWING TERMS UNDER WHICH INTERNATIONAL BUSINESS MACHINES CORPORATION ( IBM ) WILL PROVIDE THIS SERVICE TO YOU. IBM WILL PROVIDE

More information

Nagement. Revenue Scotland. Risk Management Framework. Revised [ ]February Table of Contents Nagement... 0

Nagement. Revenue Scotland. Risk Management Framework. Revised [ ]February Table of Contents Nagement... 0 Nagement Revenue Scotland Risk Management Framework Revised [ ]February 2016 Table of Contents Nagement... 0 1. Introduction... 2 1.2 Overview of risk management... 2 2. Policy Statement... 3 3. Risk Management

More information

NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION

NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION MINIMUM STANDARDS FOR ELECTRONIC PAYMENT SCHEMES ADOPTED SEPTEMBER 2010 Central Bank of Swaziland Minimum standards for electronic payment schemes Page

More information

APPENDIX 1. Transport for the North. Risk Management Strategy

APPENDIX 1. Transport for the North. Risk Management Strategy APPENDIX 1 Transport for the North Risk Management Strategy Document Details Document Reference: Version: 1.4 Issue Date: 21 st March 2017 Review Date: 27 TH March 2017 Document Author: Haddy Njie TfN

More information

Braindumps.PRINCE2-Foundation.150.QA

Braindumps.PRINCE2-Foundation.150.QA Braindumps.PRINCE2-Foundation.150.QA Number: PRINCE2-Foundation Passing Score: 800 Time Limit: 120 min File Version: 29.1 http://www.gratisexam.com/ I was a little apprehensive at first about an online

More information

E14 RISK MANAGEMENT FOR RAILWAY OPERATIONS

E14 RISK MANAGEMENT FOR RAILWAY OPERATIONS E14 RISK MANAGEMENT FOR RAILWAY OPERATIONS PURPOSE AND SCOPE The purpose of the Risk Management Procedure is to formalise and standardise risk management within Laing O Rourke s railway operations through:

More information

Reducing Project Lifecycle Cost with exsilentia

Reducing Project Lifecycle Cost with exsilentia Reducing Project Lifecycle Cost with exsilentia Kate Hildenbrandt Iwan van Beurden exida Sellersville PA, 18960, USA khildenbrandt@exida.com January 2017 1 Abstract The international functional safety

More information

Risk and safety Part 2: Risk analysis and safety measures

Risk and safety Part 2: Risk analysis and safety measures Risk and safety Part 2: Risk analysis and safety measures EPA1132 Technology development and impact assessment Frank Guldenmund, Safety Science & Security Group, Faculty TPM Overview 1. Risk analysis (con?nued)

More information

TABLE OF CONTENTS. Annexes: I. Notification form II. Methodological framework for facilitating consistent risk estimation and evaluation

TABLE OF CONTENTS. Annexes: I. Notification form II. Methodological framework for facilitating consistent risk estimation and evaluation ANNEX GUIDELINES FOR THE NOTIFICATION OF DANGEROUS CONSUMER PRODUCTS TO THE COMPETENT AUTHORITIES OF THE MEMBER STATES BY PRODUCERS AND DISTRIBUTORS IN ACCORDANCE WITH ARTICLE 5(3) OF DIRECTIVE 2001/95/EC

More information

General agreement terms and conditions 1 (9) governing services with access codes

General agreement terms and conditions 1 (9) governing services with access codes General agreement terms and conditions 1 (9) 1. General Services with access codes include: services provided by Nordea Bank AB (publ), Finnish Branch (hereinafter the Bank ) and by other service providers

More information

ACTUAL METHODS ON TECHNOLOGICAL RISK ASSESSMENT

ACTUAL METHODS ON TECHNOLOGICAL RISK ASSESSMENT ACTUAL METHODS ON TECHNOLOGICAL RISK ASSESSMENT Marco Nicola Carcassi First European Summer School on Hydrogen Safety Belfast UK, 15th - 21st August 2006 Presentation Outline Technological Risk Categories

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Issues Paper INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS RISKS TO INSURERS POSED BY ELECTRONIC COMMERCE OCTOBER 2002 Risks to Insurers posed by Electronic Commerce The expansion of electronic commerce,

More information

Quick Reference Guide. Employer Health and Safety Planning Tool Kit

Quick Reference Guide. Employer Health and Safety Planning Tool Kit Operating a WorkSafeBC Vehicle Quick Reference Guide Employer Health and Safety Planning Tool Kit Effective date: June 08 Table of Contents Employer Health and Safety Planning Tool Kit...5 Introduction...5

More information

Risk Assessment Policy

Risk Assessment Policy Risk Assessment Policy Updated: April 2018 Date of next Review: April 2019 Policy Lead: Bursar Checked by: Middle Leadership Team 1. INTRODUCTION Beachborough School will have hazards which if not controlled

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Anglican Church, Diocese of Perth November 2015 Final ( Table of Contents Introduction... 1 Risk Management Policy... 2 Purpose... 2 Policy... 2 Definitions (from AS/NZS ISO 31000:2009)...

More information

Contents Introduction Chapter 1 - Security Policy... 6

Contents Introduction Chapter 1 - Security Policy... 6 Policy statement Contents Introduction... 5 PURPOSE... 5 SYSTEM OPERATOR POLICIES TO ACHIEVE THE PPOS and dispatch objective... 5 Avoid Cascade Failure... 5 Frequency... 6 Other Standards... 6 Restoration...

More information

USACE Levee Screening Tool application guide and user s manual: Levee Safety Action Classification (LSAC)

USACE Levee Screening Tool application guide and user s manual: Levee Safety Action Classification (LSAC) USACE Levee Screening Tool application guide and user s manual: Levee Safety Action Classification (LSAC) (Attachment 1 to the USACE LST application guide with user s manual) Chapter 14 Attachment 1. Levee

More information