Modern Procedures for the Definition of Safety and Availability Requirements


Copyright (c) IFAC Control in Transportation Systems, Braunschweig, Germany, 2000


Peter Eberhard Mihm

Deutsche Bahn AG Research and Technology Center

Abstract: Up to now, the definition of the technical reliability of railway components has always been a compromise between the technically feasible state of the art, the desired quality of railway service and economic considerations. What has been missing are defined procedures for deriving reliability parameters that link the operational requirements to the technical units and that industry can use for the development of new systems. The following article describes the new procedures, their advantages and their impact on the system specification process. Copyright (c) 2000 IFAC

Keywords: Train control, Safety analysis, Reliability, Performance characteristics, Systems design

1. General introduction

In general, failures in technical railway systems affect railway operation, either visibly for the railway user in the form of train delays, or invisibly, e.g. as higher costs for the provision of rolling stock or infrastructure.

While developing the RAMS policies for the ETCS system, it became necessary for DB AG to develop, together with European partners, procedures for attributing safety and availability requirements to the different onboard and infrastructure constituents of the ETCS system. Applying these procedures and their results to the ETCS constituents assures interoperable reliability performance of ETCS systems developed by different producers in future applications. As the procedures cover the whole process of specification, admission, production and operation of ETCS constituents, they can also be applied to other components of railway systems.

The following article describes the new procedures, their advantages and their impact on the institutions involved in the development process, from the definition of the requirements and the admission of the system by the railway authorities to the realisation, proved by tests on trial sites starting in late 1999.

2. Definition of safety requirements

In general, modern safety standards define safety requirements for hardware and software in order to achieve a certain level of safety, but procedures describing how to define quantitative safety targets from the operational requirements have been missing. To close this gap the European standardisation committee CENELEC set up a working group (WGA10) to define procedures for the definition of "Safety Integrity Levels for Interoperability". Based on the outcome of this working group, represented in the CENELEC report of WGA10 [1], a process has been defined which allows quantitative safety targets to be assigned, with tasks allocated to the railway operator and to industry (see fig. 1 "General process overview"), considering the requirements of railway operation, the state of the art of technical processes and the expert knowledge of both sides.

Fig. 1: General process overview (figure not reproduced; visible label: "Requirements for ETCS products")

The different steps of this process and the distribution of tasks between railway operator and industry are represented in fig. 2 "Process of allocation of safety targets". According to the general system life cycle defined in the CENELEC standard prEN 50126 [2], the process starts with the definition of the system, its essential functions and also the definition of the system boundaries.

Fig. 2: Process of allocation of safety targets (figure not reproduced). Railway operator: 1. System definition, 2. Hazard identification, 3. Consequence analysis, 4. Risk estimation, 5. THR allocation. The tolerable hazard rate (THR) is handed over to industry: 1. Causal analysis, 2. CCF analysis, 3. SIL allocation. Further labels visible in the figure: "Consequence Analysis", "Operational Risk".

The process continues with the identification of hazards, using techniques like failure mode and effects analysis (FMEA), followed by the analysis of consequences, e.g. using cause-consequence diagrams based on event trees, and the calculation of operational risks, showing which kind of accident may arise from the considered hazard and how often this accident may occur.

One of the essential advantages of this process is that the defined procedure supports the communication between the parties involved in the safety process (railway operator, national railway authority and railway industry). It offers the parties a better understanding and overview of the operational risks, shows the consequences of hazards and allows different technical and functional solutions to be compared with respect to the safe running of trains, showing the influence of risk reduction measures, e.g. operational rules, physical measures or risk reduction functions.

If possible measures to reduce the resulting or remaining risks to a tolerable degree have been considered in this process, tolerable hazard rates can be allocated to system functions. Table 1 gives the relationship between the THR of a function and the safety integrity level required for it.

Table 1: Relationship between THR and safety integrity levels (SIL)

Hazard rate per hour   | Safety integrity level
10^-8 > THR >= 10^-9   | SIL 4
10^-7 > THR >= 10^-8   | SIL 3
10^-6 > THR >= 10^-7   | SIL 2
10^-5 > THR >= 10^-6   | SIL 1

The process also allows the railway operator and the national railway authorities to decide, on the basis of international tolerability criteria such as GAMAB (globalement au moins aussi bon) or MEM (minimum endogenous mortality), whether the remaining risk of a new railway system can be considered tolerable.

Fig. 3: Scheme of ETCS and its components (figure not reproduced)

ETCS as a train control system will in future have a great impact on the safe running of trains on ETCS-equipped lines; therefore the safety target for this new signalling system has to be defined very carefully, considering the tolerability of the operational risk and also the limits of technical realisation (e.g. the claim limits of physical procedures). Using the process described above and the relationship between tolerable hazard rates and safety integrity levels of table 1, quantitative and qualitative safety targets are set up and taken into account by industry for the production of even such complex systems as ETCS with its different kinds of components (see fig. 3). To prove that these safety targets will be met by the technical solution, the supplier has to elaborate a system design analysis, documented e.g. by fault trees including causal and common cause failure analysis.
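The THR bands of table 1 and the THR allocation step of fig. 2, as an added worked example (this is not code from the article or from the CENELEC report). It assumes that the lower bound of each band is inclusive, that the hazard rates of independent causes simply add (the OR gate of a fault tree, common cause failures not modelled), and it uses hypothetical function names and a hypothetical 10^-9/h claim limit only to illustrate the "limits of technical realisation" mentioned above.

```python
"""THR -> SIL mapping of table 1 and a proportional THR apportionment check.

Added example, not part of the paper or of the CENELEC report. Band boundaries
follow table 1 with the lower bound taken as inclusive (assumption).
"""


def sil_for_thr(thr_per_hour: float) -> int:
    """Safety integrity level demanded by table 1 for a tolerable hazard rate (per hour).

    Returns 0 where table 1 assigns no SIL (THR >= 1e-5/h). Rates below 1e-9/h
    still map to SIL 4, the most demanding level the table has.
    """
    if thr_per_hour <= 0.0:
        raise ValueError("THR must be a positive rate per hour")
    if thr_per_hour >= 1e-5:
        return 0
    if thr_per_hour >= 1e-6:
        return 1
    if thr_per_hour >= 1e-7:
        return 2
    if thr_per_hour >= 1e-8:
        return 3
    return 4


def combined_hazard_rate(rates) -> float:
    """Hazard rate of a top event with independent causes (OR gate): rates add.
    Assumption: rare events, so the second-order terms are negligible."""
    return sum(rates)


def apportion_thr(system_thr: float, weights: dict) -> dict:
    """Split a system-level THR over functions in proportion to the given weights.

    The weights express how much of the hazard budget each function may consume
    (an operator decision, fig. 2 step 5); the allocated rates add up to system_thr.
    """
    total = float(sum(weights.values()))
    return {fn: system_thr * w / total for fn, w in weights.items()}


def allocation_report(system_thr: float, weights: dict) -> dict:
    """Per function: (allocated THR, SIL the supplier has to design for)."""
    return {fn: (thr, sil_for_thr(thr)) for fn, thr in apportion_thr(system_thr, weights).items()}


def claim_limit_violations(allocation: dict, claim_limit: float = 1e-9) -> list:
    """Functions whose allocated THR lies below what can be demonstrated for a single
    technical function (hypothetical limit, default 1e-9/h). Such an allocation must be
    reworked, e.g. by adding risk reduction measures instead of tightening one THR."""
    return [fn for fn, thr in allocation.items() if thr < claim_limit]


def check_allocation(system_thr: float, function_rates: dict) -> bool:
    """Verification after the causal analysis: the rates the supplier actually achieves
    for the functions must, combined, still meet the system THR."""
    return combined_hazard_rate(function_rates.values()) <= system_thr


if __name__ == "__main__":
    # Hypothetical top event with a SIL 4 target split over three functions.
    weights = {"movement authority": 1, "braking curve supervision": 1, "odometry": 2}
    for fn, (thr, sil) in allocation_report(1e-8, weights).items():
        print(f"{fn:28s} THR {thr:.2e}/h -> SIL {sil}")
    print("violations:", claim_limit_violations(apportion_thr(4e-9, {f"f{i}": 1 for i in range(5)})))
```

Apportioning a tight system THR over many functions quickly drives the individual budgets below the claim limit, which is the practical reason the paper stresses the limits of technical realisation: the fix is then risk reduction at the operational level, not a yet smaller per-function rate.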

3. Procedures for the definition of availability targets

To calculate the necessary technical availability according to the operational needs, DB AG together with the signalling industry designed a new procedure called CADM [3] (Cost effective Availability Design Method), which offers the following advantages:
- reduction of design costs by avoiding overdesign of components
- evaluation of different technical solutions and fallback scenarios
- definition of evaluation test criteria and evaluation test plans
- calculation of delay minutes and of the delay contributions caused by failures of system components (e.g. infrastructure, telecommunication and onboard components) within a railway system

The first step of CADM consists of a clear definition of the system, its boundaries, subsystems and essential functions, with their influence on railway operation. Using the expert knowledge of railway operation, the operational rules and FMEA tables, the consequences of failures of system functions and the influence of degraded operational modes are estimated and, in a second step, expressed in a quantifiable manner. Table 3 shows an example of such an FMEA.

Table 3: Example of the second step of CADM (FMEA)

Element | Failure effect | Operational consequences | Effect on operation | Possible measures
Vehicle equipment, reliable computer | Loss of movement authority | Automatic brake application to HALT, continuation on command | Train delay between 15 and 30 min (20 %) or more than 30 min (80 %) | Reset of the reliable computer, if necessary change of locomotive

To define, in a third step, the probability of train delays for a whole railway system, it is necessary to estimate the reliability of the essential system functions, e.g. expressed as an unavailability U_e, together with the frequency of trains and of the use of the functions within the railway system, expressed as a factor k_e (see table 4).

Table 4: Example of the CADM train delay calculation

No | Component | Unavailability U_e | Factor k_e | k_e * U_e | Train delay in category 15-30 min (P; k_e * U_e * P) | Train delay in category 31-60 min (P; k_e * U_e * P)
3 | OBE, EVC | 2.00E-06 | 2.5 | 5.00E-06 | 20 %; 1.00E-06 | 80 %; 4.00E-06

In the next step the percentage contribution of the different system functions to the overall train delay caused by system failures is calculated. If the desired degree of availability is not reached, this percentage contribution shows which component has the major influence on the train delay, so that adequate measures can be chosen to optimise the performance of the system and to fulfil the operational requirement of punctuality, considering also the additional costs of improving the availability of components (e.g. by redundancy).

As an example of a completed CADM, tables 1a and 2 at the end of this article show the results for a complex ETCS system, which consists of onboard equipment such as the reliable computer, odometry, MMI, TIU, ... but also of infrastructure components like balises, RBC (radio block centre), GSM-R radio (base transceiver stations BTS, cabling, ...), power supplies, ....

References:

[1] CENELEC Report R0009-004 (October 1999): Railway Applications - Systematic Allocation of Safety Integrity Requirements.

[2] CENELEC prEN 50126 (July 1997): Railway Applications - The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS).

[3] P.E. Mihm, H. Newi, H. Wegel (1997): "Anforderungen an die technische und betriebliche Verfügbarkeit von Eisenbahneinrichtungen" (Requirements for the technical and operational availability of railway installations), VDI-Tagung Systemoptimierung im spurgeführten Verkehr, München 1997.


Table 1a: Analysis of the operational effects of potential failures of ERTMS/ETCS components (cells that could not be recovered from the extracted layout are left blank)

No. | Failed component | Failed function | Interruption situation | Failure detected | Brake to | Operational effect / action | Delay class ratio | Mean delay (min) | Conclusions and advice | Assumptions and preconditions
1 | ST, balise | Balise telegrams | all | yes | 0 to danger point | Braking to danger point; continuation possible after reception of the first balise, otherwise continuation on command | 1-5 min: 0.1 (remaining trains without delay) | | Detection tolerates the failure of one balise | Observe balise configurations before danger points
2 | Two adjacent balises | Balise telegrams | all | yes | 0 to danger point | Continue with RBC or V100 | 15-30 min: 0.7; 31-60 min: 0.3 | | Fault indication, failure of balises limited locally | Check simplified operations procedures
3 | Vehicle equipment, reliable computer | Safety | all | yes | 0 | Automatic brake application to HALT, disconnect RBC, continuation on command | 15-30 min: 0.2; 31-60 min: 0.8 | 41 | Fault indication | Change of locomotive if necessary
4 | Vehicle equipment, odometer | Internal distance measurement | all | yes | 0 | Driver brake application to HALT, continuation dependent on command, or change of locomotive (v < 100) | 15-30 min: 0.2; 31-60 min: 0.8 | 41 | Fault indication | Independent speed indicator important
5 | Vehicle equipment, mobile station | Radio interface | all | yes | 0 to danger point | V160: completion of running permission, braking to danger point, continuation on command | 15-30 min: 0.3; 31-60 min: 0.7 | 38 | Fault indication, running permission available may be completed | Redundant train radio is important, change of locomotive if necessary
6 | Vehicle equipment, balise interrogator | Reception of balise telegrams | all | yes | 0 to danger point | | 15-30 min: 0.5; 31-60 min: 0.5 | 34 | Fault indication, running permission available may be completed | Change of locomotive if necessary
7 | Vehicle equipment, MMI | Cab signalling, driver inputs | all | yes | 0 | | 15-30 min: 0.2; 31-60 min: 0.8 | 41 | Fault indication, redundant train radio available | Independent speed indicator important
8 | Vehicle equipment, TIU | Brake control | all | yes (safe reaction) | 0 | | 15-30 min: 0.2; 31-60 min: 0.8 | 41 | Fault indication, close air shut-off cock |
9 | Vehicle equipment, power supply | Power supply | all | yes | 0 | | 15-30 min: 0.2; 31-60 min: 0.8 | 41 | Fault indication | Speed indicator independent of the power supply necessary, redundant train radio
10 | BTS | Radio supply of the vehicle | all | yes | 0 to danger point | | 1-5 min: 0.5; 5-15 min: 0.2; 15-30 min: 0.3 | 10 | Running permission available may be completed | Redundant illumination in the area of danger points, redundant train radio, subsidiary signals (permit V100)
11 | BSC | Transmission system | all | yes | 0 to danger point | | 1-5 min: 0.2; 5-15 min: 0.6; 15-30 min: 0.2 | 11 | Running permission available may be completed | Redundant train radio, subsidiary signals necessary
12 | MSC | Transmission system | all | yes | 0 to danger point | | 61-90 min: 1.0 | 75 | Running permission available may be completed | Redundant train radio, subsidiary signals necessary
13 | Cable BTS-BSC | Transmission region | all | yes | 0 to danger point | | 5-15 min: 0.3; 15-30 min: 0.7 | 19 | Running permission available may be completed | Redundant train radio, subsidiary signals necessary
14 | Cable BSC-MSC | Transmission region | all | yes | 0 to danger point | | 61-90 min: 1.0 | 75 | Running permission available may be completed | Redundant train radio, subsidiary signals necessary
15 | RBC centre | RBC function incl. S2m interface | all | yes | 0 to danger point | | 5-15 min: 0.3; 15-30 min: 0.7 | 19 | Fault indication, running permission may be completed | Redundant train radio, subsidiary signals necessary
16 | RBC centre | Interface route protection | all | yes | 0 to danger point | | 5-15 min: 0.3; 15-30 min: 0.7 | 19 | Running permission available may be completed | Replacement operation by the RBC (signal box must not alter the route) via redundant communication if necessary

Table 2: Probable delay contribution of ERTMS components in case of failure

Columns: No | Component | Unavailability U_e | Factor k_e | k_e * U_e | Delayed trains per delay class (share of the class total in brackets): 1-5 min | 5-15 min | 15-30 min | 31-60 min | 61-90 min | Delayed trains, total | Delay contribution (s) | Delay contribution (%)

1 | ST, balise | 1.00E-06 | 500.2 | 5.00E-04 | 5.0E-05 (6.37 %) | | | | | 5.00E-05 | 0.00900 | 0.27 %
2 | Two adjoined balises | 1.00E-12 | 500.2 | 5.00E-10 | | | 3.5E-10 (0.00 %) | 1.5E-10 (0.00 %) | | 5.00E-10 | | 0.00 %
3 | OBE, EVC | 2.00E-06 | 2.5 | 5.00E-06 | | | 1.00E-06 (0.10 %) | 4.00E-06 (0.74 %) | | 5.00E-06 | 0.01230 | 0.37 %
4 | OBE, odometer | 2.00E-05 | 2.5 | 5.00E-05 | | | 1.00E-05 (0.97 %) | 4.00E-05 (7.37 %) | | 5.00E-05 | 0.12300 | 3.66 %
5 | OBE, mobile interface | 2.50E-06 | 2.5 | 6.25E-06 | | | 1.88E-06 (0.18 %) | 4.38E-06 (0.81 %) | | 6.25E-06 | 0.01453 | 0.43 %
6 | OBE, balise interrogator | 2.00E-04 | 2.5 | 5.00E-04 | | | 2.50E-04 (24.31 %) | 2.50E-04 (46.09 %) | | 5.00E-04 | 1.02750 | 30.59 %
7 | OBE, MMI | 2.50E-08 | 2.5 | 6.25E-08 | | | 1.25E-08 (0.00 %) | 5.00E-08 (0.00 %) | | 6.25E-08 | 0.00015 | 0.00 %
8 | OBE, TIU | 1.20E-04 | 2.5 | 3.00E-04 | | | 6.00E-05 (5.83 %) | 2.40E-04 (44.25 %) | | 3.00E-04 | 0.73800 | 21.97 %
9 | OBE, power supply 1) | 2.00E-06 | 2.5 | 5.00E-06 | | | 1.00E-06 (0.10 %) | 4.00E-06 (0.74 %) | | 5.00E-06 | 0.01230 | 0.37 %
10 | BTS | 2.00E-05 | 72.7 | 1.45E-03 | 7.3E-04 (92.65 %) | 2.9E-04 (68.33 %) | 4.36E-04 (42.41 %) | | | 1.45E-03 | 0.91602 | 27.27 %
11 | BSC | 4.00E-06 | 9.6 | 3.84E-05 | 7.7E-06 (0.98 %) | 2.3E-05 (5.41 %) | 7.68E-06 (0.75 %) | | | 3.84E-05 | 0.02650 | 0.79 %
12 | MSC | 1.00E-06 | 4 | 4.00E-06 | | | | | 4.00E-06 (36.36 %) | 4.00E-06 | 0.01812 |
13 | Cable BTS-BSC | 2.00E-05 | 5.5 | 1.10E-04 | | 3.3E-05 (7.75 %) | 7.70E-05 (7.49 %) | | | 1.10E-04 | 0.12705 |
14 | Cable BSC-MSC | 2.00E-06 | 3.5 | 7.00E-06 | | | | | 7.00E-06 (63.64 %) | 7.00E-06 | 0.03171 |
15 | RBC centre, RBC function including S2m interface | 1.00E-06 | 12.5 | 1.25E-05 | | 3.8E-06 (0.88 %) | 8.75E-06 (0.85 %) | | | 1.25E-05 | 0.01444 | 0.43 %
16 | RBC centre, interface route protection | 2.00E-05 | 12.5 | 2.50E-04 | | 7.5E-05 (17.62 %) | 1.75E-04 (17.01 %) | | | 2.50E-04 | 0.28875 | 8.60 %
Total 1-16 | | | | | 7.9E-04 (100 %) | 4.3E-04 (100 %) | 1.03E-03 (100 %) | 5.42E-04 (100 %) | 1.1E-05 (100 %) | 2.79E-03 | 3.3594 | 100.00 %

1) Power supply of the components of the ERTMS system.

Probability of train delays: 0.28 %; average delay: 20.1 min; probability of a train delay > 5 min: 0.20 %.
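The CADM delay calculation of section 3 (tables 3 and 4) and the full example of table 2, reconstructed as an added worked example; this is not DB AG's CADM tool or code from the article. The component data (U_e, k_e and the split over the delay classes) are read off table 2; the mean delay assumed for each class (3, 10.5, 23, 45.5 and 75.5 min, the class midpoints) is my assumption, chosen because it reproduces the totals printed in the table. The what-if helper for a redundant component is also an addition.

```python
"""CADM-style train delay calculation, reconstructed from tables 2 and 4.

Added example, not DB AG's CADM tool. Component data are transcribed from table 2;
the class mean delays are an assumption (class midpoints) that reproduces the
paper's totals: 0.28 % delayed trains, 3.36 s expected delay, 20.1 min average.
"""
from dataclasses import dataclass

# Delay classes of table 2 and the mean delay (minutes) assumed for each class.
CLASS_MEAN_MIN = {"1-5": 3.0, "5-15": 10.5, "15-30": 23.0, "31-60": 45.5, "61-90": 75.5}


@dataclass(frozen=True)
class Component:
    name: str
    unavailability: float  # U_e: probability that the function is down when it is needed
    factor: float          # k_e: how often the function is needed per train run
    profile: dict          # delay class -> share of affected trains; the rest see no delay

    def hit_probability(self) -> float:
        """k_e * U_e: probability that a train meets a failure of this component."""
        return self.factor * self.unavailability

    def delayed_in_class(self, cls: str) -> float:
        return self.hit_probability() * self.profile.get(cls, 0.0)

    def delayed_probability(self) -> float:
        return self.hit_probability() * sum(self.profile.values())

    def expected_delay_min(self) -> float:
        """Expected delay minutes per train run caused by this component."""
        return sum(self.delayed_in_class(c) * CLASS_MEAN_MIN[c] for c in self.profile)


# Table 2 (16 ERTMS/ETCS components), transcribed as the sample input of this example.
ETCS = [
    Component("ST, balise", 1.0e-6, 500.2, {"1-5": 0.1}),
    Component("Two adjoined balises", 1.0e-12, 500.2, {"15-30": 0.7, "31-60": 0.3}),
    Component("OBE, EVC", 2.0e-6, 2.5, {"15-30": 0.2, "31-60": 0.8}),
    Component("OBE, odometer", 2.0e-5, 2.5, {"15-30": 0.2, "31-60": 0.8}),
    Component("OBE, mobile interface", 2.5e-6, 2.5, {"15-30": 0.3, "31-60": 0.7}),
    Component("OBE, balise interrogator", 2.0e-4, 2.5, {"15-30": 0.5, "31-60": 0.5}),
    Component("OBE, MMI", 2.5e-8, 2.5, {"15-30": 0.2, "31-60": 0.8}),
    Component("OBE, TIU", 1.2e-4, 2.5, {"15-30": 0.2, "31-60": 0.8}),
    Component("OBE, power supply", 2.0e-6, 2.5, {"15-30": 0.2, "31-60": 0.8}),
    Component("BTS", 2.0e-5, 72.7, {"1-5": 0.5, "5-15": 0.2, "15-30": 0.3}),
    Component("BSC", 4.0e-6, 9.6, {"1-5": 0.2, "5-15": 0.6, "15-30": 0.2}),
    Component("MSC", 1.0e-6, 4.0, {"61-90": 1.0}),
    Component("Cable BTS-BSC", 2.0e-5, 5.5, {"5-15": 0.3, "15-30": 0.7}),
    Component("Cable BSC-MSC", 2.0e-6, 3.5, {"61-90": 1.0}),
    Component("RBC function incl. S2m interface", 1.0e-6, 12.5, {"5-15": 0.3, "15-30": 0.7}),
    Component("RBC interface route protection", 2.0e-5, 12.5, {"5-15": 0.3, "15-30": 0.7}),
]


def cadm_summary(components) -> dict:
    """Totals of table 2: delayed trains per class, expected delay, average delay, shares."""
    p_delayed = sum(c.delayed_probability() for c in components)
    delay_min = sum(c.expected_delay_min() for c in components)
    by_class = {cls: sum(c.delayed_in_class(cls) for c in components) for cls in CLASS_MEAN_MIN}
    return {
        "p_delayed": p_delayed,                       # probability of train delays
        "p_delayed_gt_5min": p_delayed - by_class["1-5"],
        "expected_delay_s": delay_min * 60.0,         # delay contribution in seconds per train
        "mean_delay_min": delay_min / p_delayed,      # average delay of a delayed train
        "by_class": by_class,
        "contribution_pct": {c.name: 100.0 * c.expected_delay_min() / delay_min for c in components},
    }


def rank_contributors(components, n: int = 3) -> list:
    """Components with the largest share of the expected delay, largest first."""
    pct = cadm_summary(components)["contribution_pct"]
    return sorted(pct.items(), key=lambda kv: kv[1], reverse=True)[:n]


def with_unavailability(components, name: str, new_unavailability: float) -> list:
    """What-if variant: replace U_e of one component, e.g. after adding redundancy."""
    return [Component(c.name, new_unavailability, c.factor, c.profile) if c.name == name else c
            for c in components]


if __name__ == "__main__":
    s = cadm_summary(ETCS)
    print(f"probability of train delays: {100 * s['p_delayed']:.2f} %")
    print(f"average delay: {s['mean_delay_min']:.1f} min")
    for name, pct in rank_contributors(ETCS):
        print(f"{name}: {pct:.2f} % of the expected delay")
```

The ranking is the output the text calls the "percentage contribution": the balise interrogator, the BTS and the TIU together account for about 80 % of the expected delay, so these are the components where redundancy pays off; the what-if helper shows how much a given improvement of U_e buys before the cost of that redundancy is weighed against it.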