Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide for the application of the CSM design targets (CSM-DT)

Published byStuart Banks Modified over 6 years ago

Similar presentations

Presentation on theme: "Guide for the application of the CSM design targets (CSM-DT)"— Presentation transcript:

1 Guide for the application of the CSM design targets (CSM-DT)
Annex 5 Example 2: Train door opening authorization 29-30/11/2016, ERA workshop, Valenciennes Olivier CASTELLANI SNCF – Rolling Stock – Project Manager for High Speed Train international homologation

2 Summary System Definition of the technical system under assessment
List of functions of the technical system under assessment Scope, assumptions and limits of the risk assessment Hazard Identification and classification Applicability of CSM DT Setting up of applicable category of CSM DT Allocated quantitative requirements, and alternative solutions or cases Conclusions from the risk assessment and allocation of CSM DT category

3 System Definition of the technical system under assessment
Door opening request by passenger Train at stop Train in a station Detection of platform in front of the door Driver’s authorization Local information Generic train information Through software, electronic, … Local door actuator opening

4 System Definition of the technical system under assessment
Speed In a station Central controller Door 1 actuator Open door Local controller (door 1) Driver’s authorization Generic train information Passenger pushes button Door in front of platform Local information for each door Door n actuator Open door Local controller (door n) Passenger pushes button Door in front of platform

5 List of functions of the technical system under assessment
The technical system under assessment is limited to 2 functions: Open door (in authorized situations) Train is at stop Train is in a station (e.g. balise at station entry) Driver has authorized the opening Door is in front of a platform Passenger request opening Close door On driver’s request (or train controller) If train no longer at stop If train no longer in station

6 Scope, assumptions and limits of the risk assessment
The train under consideration is not a suburban train. Therefore it is considered that only a few people might be standing in front of the door => if a single train door opens while not requested to, only a small amount of passengers will be endangered The train speed information is provided by a speed measurement system (e.g. tachymeter). All train generic information (train at stop, train in a station, etc.) is grouped into a common failure named “central controller” => the failure may come from the central controller itself, or from the information sent to it (e.g. “speed detector always sends a 0 km/h speed”). Only the technical components installed inside the rolling stock are considered in this function.

7 Hazard Identification and classification
Functional FMEA Function Functional Failure modes Technical local consequence (Hazard) At stop During circulation Single door Several / all doors Consequences for train Door opening Does not start Door does not open X NA Single door: passenger traffic is delayed, train is delayed Several doors / all doors: emergency evacuation hindered / impossible Starts when not asked to Door open when not authorized Single door at stop: fall of a passenger (the one leaning on the door) Single door during circulation: fall of multiple passengers (aspiration effect) Several doors / all doors: fall of multiple passengers Does not stop when asked to Door stays open (cannot close) Train is delayed (until the door(s) is/are condemned). If too many doors malfunction, the train will be cancelled Stops when not asked to Door stops opening (incomplete opening) Delay in response Delay in door opening Passenger traffic is delayed, train is delayed Degraded output (e.g. wrong output value) Door opens abruptly / too fast Passenger may have light injury Door closing Door does not close Door closes when not asked to Door stays closed (cannot open) Door stops closing (incomplete closing) Delay in door closing Door closes abruptly / too fast

8 Hazard Identification and classification
Extract of Functional FMEA (merge of identical Technical local consequence) Technical local consequence (Hazard) Consequences for train Potential accident Door opens abruptly / too fast Passenger may have light injury Light injury for 1 person Door closes abruptly / too fast Delay in door opening Passenger traffic is delayed, train is delayed None (no safety impact, only train delay) Delay in door closing Door stays open (cannot close) Train is delayed (until the door(s) is/are condemned). If too many doors malfunction, the train will be cancelled Door stays closed (cannot open) Door stops opening (incomplete opening) Door stops closing (incomplete closing) Door does not close Door closes when not asked to Door does not open Several doors / all doors: emergency evacuation hindered / impossible Potential for multiple fatalities in case of situation requiring evacuation (e.g. fire) Door open when not authorized Several doors / all doors: fall of multiple passengers Potential for multiple fatalities Single door at stop: fall of a passenger (the one leaning on the door) Potential of fatality Single door during circulation: fall of multiple passengers (aspiration effect) Single door: passenger traffic is delayed, train is delayed

9 Applicability of CSM DT
Extract of Functional FMEA (merge of identical Technical local consequence) Technical local consequence (Hazard) Consequences for train Potential accident Potential for at least 1 fatality? Direct consequence? Door opens abruptly / too fast Passenger may have light injury Light injury for 1 person No NA Door closes abruptly / too fast Delay in door opening Passenger traffic is delayed, train is delayed None (no safety impact, only train delay) Delay in door closing Door stays open (cannot close) Train is delayed (until the door(s) is/are condemned). If too many doors malfunction, the train will be cancelled Door stays closed (cannot open) Door stops opening (incomplete opening) Door stops closing (incomplete closing) Door does not close Door closes when not asked to Door does not open Several doors / all doors: emergency evacuation hindered / impossible Potential for multiple fatalities in case of situation requiring evacuation (e.g. fire) Yes Door open when not authorized Several doors / all doors: fall of multiple passengers Potential for multiple fatalities Single door at stop: fall of a passenger (the one leaning on the door) Potential of fatality Single door during circulation: fall of multiple passengers (aspiration effect) Single door: passenger traffic is delayed, train is delayed CSM-DT applicable

10 Setting up of applicable category of CSM DT
Extract of Functional FMEA (merge of identical Technical local consequence) Technical local consequence (Hazard) Consequences for train Potential accident Potential for at least 1 fatality? Accident limited to a specific area of the train Associated CSM-DT Door open when not authorized Several doors / all doors: fall of multiple passengers Potential for multiple fatalities Yes No 1,00E-09 Single door at stop: fall of a passenger (the one leaning on the door) Potential of fatality 1,00E-07 Single door during circulation: fall of multiple passengers (aspiration effect) Resulting hazards Hazard CSM-DT H1 Single door opens during stop when not authorized 1,00E-07 H2 All doors open during stop when not authorized 1,00E-09 H3 All doors open during circulation

11 Driver authorizes the opening Opening authorization
Allocated quantitative requirements, and alternative solutions or cases To allocate the requirements, a design has to be chosen “simpler” design (no redundancy): Thus: Central controller => 10-9 / h => SIL4 (see e.g. table A.1 of EN 50129) Local controllers => 10-7 / h => at least SIL2 (see e.g. table A.1 of EN 50129) Door opens Speed measure Speed criterion Local controllers Central controller Driver authorizes the opening Opening authorization Door closes Door opening required by passenger Hazard CSM-DT H1 Single door opens during stop when not authorized 1,00E-07 H2 All doors open during stop when not authorized 1,00E-09 H3 All doors open during circulation

12 Driver authorizes the opening Opening authorization
Allocated quantitative requirements, and alternative solutions or cases SIL4 central controller too expensive (and not typical for door systems) Design change (add of redundancy): H1: Single door opens during stop when not authorized Same than for previous solution => local controllers have to be SIL2 Door opens Speed measure Speed criterion Local controllers Central controller Driver authorizes the opening Opening authorization Door closes Hazard CSM-DT H1 Single door opens during stop when not authorized 1,00E-07 H2 All doors open during stop when not authorized 1,00E-09 H3 All doors open during circulation Door opening required by passenger

13 Allocated quantitative requirements, and alternative solutions or cases
H2: All doors open during stop when not authorized Requires central controller AND local controller to fail => SIL2 sufficient for local controllers since allocation is 10-7 / h λ ≤ 10-9 / h

14 Allocated quantitative requirements, and alternative solutions or cases
H3: All doors open during circulation Requires central controller AND speed measure to fail => SIL2 sufficient for local controllers since allocation is 10-7 / h λ ≤ 10-9 / h

15 Conclusions from the risk assessment and allocation of CSM DT category
If all central information sent by the central controller => higher requirement on the central controller (e.g. SIL4) If some information also sent to the local controller (independently from the central controller), then less stringent requirement for the central controller (e.g. SIL2) Design choices will largely impact the CSM-DT allocation, which is why their use is to be in the early stages, when design can still be impacted!

16 Thank you for your attention!
Questions? For further information, visit our website:

Download ppt "Guide for the application of the CSM design targets (CSM-DT)"

Similar presentations

Elevator Operator Training Contents  Hazards  Recordable Injury  Types of Elevators  Inspections  Check List  Authorized Operator  Load capacity.

Elevator Operator Training Contents  Hazards  Recordable Injury  Types of Elevators  Inspections  Check List  Authorized Operator  Load capacity.
International Energy Agency Hydrogen Implementing Agreement Proposed Task on Hydrogen Safety.

International Energy Agency Hydrogen Implementing Agreement Proposed Task on Hydrogen Safety.
1 Risk-based Evaluations and Trends of Railway Casualty Accidents on the National Railway of South Korea International Railway Safety Conference 2007.

1 Risk-based Evaluations and Trends of Railway Casualty Accidents on the National Railway of South Korea International Railway Safety Conference 2007.
Hazards Analysis & Risks Assessment By Sebastien A. Daleyden Vincent M. Goussen.

Hazards Analysis & Risks Assessment By Sebastien A. Daleyden Vincent M. Goussen.
CIS 376 Bruce R. Maxim UM-Dearborn

CIS 376 Bruce R. Maxim UM-Dearborn
Proposal to Modify Homologation Brake Test Procedure to Improve Safety on Proving Ground 18/09/2013 Mr. Klaus Vosteen ATP Executive Director Mr. Fran Martínez.

Proposal to Modify Homologation Brake Test Procedure to Improve Safety on Proving Ground 18/09/2013 Mr. Klaus Vosteen ATP Executive Director Mr. Fran Martínez.
Railtrack PLC Safety & Standards Directorate Railway Safety: Analysing Risks and Causes Sally Brearley Railtrack Safety and Standards Directorate 8 December.

Railtrack PLC Safety & Standards Directorate Railway Safety: Analysing Risks and Causes Sally Brearley Railtrack Safety and Standards Directorate 8 December.
SISTEMA Example One. Schneider Electric – Sistema Example 1 – June 2010 2 Example 1: Start/Stop Facility with Emergency Stop Device Circuit Diagram.

SISTEMA Example One. Schneider Electric – Sistema Example 1 – June Example 1: Start/Stop Facility with Emergency Stop Device Circuit Diagram.
Physics National 5 Assignment.

Physics National 5 Assignment.
Elevator Control System

Elevator Control System
SAFETY OF TRAFFIC COMPARED TO OTHER HUMAN ACTIVITIES IN FINLAND 1997-99 Otto Kärki and Kirsi Pajunen Technical Research Centre of Finland (VTT)

SAFETY OF TRAFFIC COMPARED TO OTHER HUMAN ACTIVITIES IN FINLAND Otto Kärki and Kirsi Pajunen Technical Research Centre of Finland (VTT)
FAULT TREE ANALYSIS (FTA). QUANTITATIVE RISK ANALYSIS Some of the commonly used quantitative risk assessment methods are; 1.Fault tree analysis (FTA)

FAULT TREE ANALYSIS (FTA). QUANTITATIVE RISK ANALYSIS Some of the commonly used quantitative risk assessment methods are; 1.Fault tree analysis (FTA)
1 Safety - definitions Accident - an unanticipated loss of life, injury, or other cost beyond a pre-determined threshhold.  If you expect it, it’s not.

1 Safety - definitions Accident - an unanticipated loss of life, injury, or other cost beyond a pre-determined threshhold.  If you expect it, it’s not.
Human Error and Biases. Human Error - Definition  An inappropriate or undesirable human decision or behavior that reduces, or has the potential for reducing,

Human Error and Biases. Human Error - Definition  An inappropriate or undesirable human decision or behavior that reduces, or has the potential for reducing,
1 ACSF Test Procedure Draft proposal – For discussion OICA and CLEPA proposal for the IG Group ACSF Tokyo, 2015, June 16-17 Informal Document ACSF-02-07.

1 ACSF Test Procedure Draft proposal – For discussion OICA and CLEPA proposal for the IG Group ACSF Tokyo, 2015, June Informal Document ACSF
Project Risk Management Sections of this presentation were adapted from A Guide to the Project Management Body of Knowledge 3 rd Edition, Project Management.

Project Risk Management Sections of this presentation were adapted from A Guide to the Project Management Body of Knowledge 3 rd Edition, Project Management.
6/11/04Part 11 Public Meeting1 Risk-Based Approach Scott M Revolinski Washington Safety Management Solutions Carolyn Apperson-Hansen Cleveland Clinic Foundation.

6/11/04Part 11 Public Meeting1 Risk-Based Approach Scott M Revolinski Washington Safety Management Solutions Carolyn Apperson-Hansen Cleveland Clinic Foundation.
1 Software Testing and Quality Assurance Lecture 38 – Software Quality Assurance.

1 Software Testing and Quality Assurance Lecture 38 – Software Quality Assurance.
Transmitted by the Experts of TRL (EC)

Transmitted by the Experts of TRL (EC)
Functional Safety in industry application

Functional Safety in industry application

Similar presentations

Ads by Google