CLUG 2.0 LOC-OB Hazard Analysis
For railway operations, safety is of the highest importance and must be carefully monitored and assessed throughout the life cycle of a system from the engineering phases to the operation and maintenance activities until the removal of the system from operation.
One of the main objectives of the CLUG2.0 project is to perform Reliability, Availability, Maintainability and Safety (RAMS) studies in order to define safety targets for the Localisation On-Board (LOC-OB) system developed as part of the project.
These safety analyses are performed in compliance with rules or standards applicable for the targeted Safety Integrity Level (SIL) of the CLUG LOC-OB System. It shall be performed within the limits of a defined operational context, as proposed in WP2 (see the “LOC-OB SYSTEM DEFINITION AND REQUIREMENTS SPECIFICATION” document for WP2 content)
The first stage of safety activities carried out under the CLUG2.0 project was to produce a Preliminary Hazards Analysis (PHA) of the LOC-OB system. The aim of this PHA is to identify hazards, to assess the severity of the potential accidents that could occur and to mitigate the risks associated with the hazards. The results of the CLUG project have been reused and consolidated in the frame of CLUG2.0. This document identifies a list of RAMS requirements on the system as a black box (from an external viewpoint, i.e. from the consumers’ point of view) as it was assumed in WP2 deliverables.
An approach adapted to the context of a research project
For the PHA, the analysis is limited to the outputs, inputs and when possible extended to some operational contexts (including start of mission and automatic or manual driving) of the LOC-OB system. It is based on the deliverables provided by WP2. Moreover, the system context used to carry out this PHA is based on the existing ERTMS/ETCS for level 2, where the concepts of independent on-board vehicle localisation component and digital map are added. It can be adapted for Hybrid train detection of ERTMS/ETCS or automatic driving, when inputs for this level are available.
The method used to carry out the risk analysis follows the principles applicable to the risk-management process defined in the Common Safety Methods of the Railway Safety Directives. The main phases of this analysis can be defined as follows:
One of the problems faced was that the future context of use of the LOC-OB system is not completely defined. This has made it difficult to provide Hazard Identification. Therefore, it has been decided to use several approaches in parallel in order to identify hazards. Firstly, an analysis made by comparison with existing systems, using the list of hazards defined in ETCS subset 091. A complementary analysis considering hazards related to other user needs (including ATO, Perception, Door Management) or to functions not covered by the current version of European regulations was performed. Then, an analysis of new technologies and new services related to the LOC-OB system was carried out to identify potential hazards. Finally, a classic railway-accident analysis was performed.
Risk assessment and safety requirements
Following hazard identification at the ERTMS/ETCS system level, derived hazards and fear events have been identified. Then, the analysis has provided for each LOC-OB function the possible feared events leading to the LOC-OB hazards and the barriers to be put in place.
The final stages of the study consisted of establishing safety requirements and safety-related application conditions. Based on our knowledge of the context in which the LOC-OB is used, the most important and consolidated requirements arising from this analysis are as follows:
- RA-RAMS-03: The true train position shall always be inside the confidence interval
- RA-RAMS-04: The true train speed shall always be inside the confidence interval.
- RA-RAMS-05: The true train acceleration shall always be inside the confidence interval.
- RA-RAMS-08: The track-edge ID provided by LOC-OB shall always be the track edge occupied by the real position of the train front end.
These requirements providing 1D data are associated with functions for which the safety target is the most critical in the railway domain (SIL4). For the functions providing 3D data, the user needs are not mature enough to conclude a defined safety level.