Safety Process in Vectus' PRT Project

Inge Alme: Safety Manager
Jörgen Gustafsson: CTO

Vectus Ltd. 2008 Copyright


Overview of the process, including:

• Requirements

• Criteria

• Analyses

• Documentation


Laws and regulations in Sweden

• Law: Rail vehicles, track and other systems have to be approved by the Rail Agency before being put into service.

• Regulation: A safety case for the system is required for an approval.

• The regulations follow the process in the standard EN 50126 (Demonstration of Reliability, Availability, Maintainability and Safety).

• The manufacturer or operator/owner shall apply for approval and provide all documents for the safety case.

• There also has to be an operator approved by the Rail Agency. An approved vehicle is allowed to be put into service by an operator with a safety certificate. (There also has to be an infrastructure owner.)


Approval requirements

• Safety process / safety case (described in more detail)

• Compliance with international standards agreed to be applicable for various aspects of the system, e.g. noise, EMC, electrical installations, doors.

• Fulfillment of certain agreed functionality if not suitably covered by any international standards.

• Various documentation, e.g. descriptions, validation plan, maintenance plan and manuals, operating procedures etc.


Safety Acceptance Criteria

For the generic PRT system:

• Maximum 0.3 fatalities per billion person kilometers for passengers in the PRT system.

• A fatality risk of maximum 1·10⁻⁶ per year for the most exposed third person.

For each subsystem:

• A single failure shall not lead to undesirable events, loss of lives or serious injuries. If such failures are identified, they must be controlled through either maintenance or operational actions.

For future changes in concept:

• Changes shall as a minimum not increase the risks in the system. If any increase in risk is identified, necessary mitigations should be implemented according to the ALARP principle.

In railway, metro, trams etc. there are often specific requirements for individual parts of the complete system, usually derived over time from historic performance. The distribution of levels among individual parts is not always optimized for best overall performance, and is sometimes based on certain operating conditions (e.g. a certain system size, a certain technical solution etc.). We wanted criteria that are independent of system size and technical solution, hence a new approach with a generic target has been set.


Safety criteria, perspective

Third person risk (our criterion: 1·10⁻⁶ per year for the most exposed third person)

• The same as the average annual risk for a Swede of dying in a railway level-crossing accident

• About the same level as the average risk of dying struck by lightning

• A factor of 40 lower than the average risk of dying in a fire

• Many oil & gas installations use the criterion 1·10⁻⁵ for the most exposed third person

The risk level for third persons is very low compared to other "involuntary" risks (note that our criterion applies to the most exposed person, whereas the examples above refer to the average person).

Passenger risk (our criterion: 0.3 fatalities per billion person kilometers)

• Swedish rail statistics fluctuate between 0.3 and 0.6 in the period 1995-2004

• The average number for railway systems in EU countries plus Switzerland and Norway was 0.58 (in 2000)

• The corresponding number for bus passengers in Norway was 0.65 (1992-2001)

• The corresponding number for airplanes in Norway was 0.20 (1992-2001)


Safety Acceptance Criteria

Risk matrix for the test site

Rows are frequency bands, columns are consequence classes; the cell value is the risk category from the slide's matrix.

Consequence classes:
  Negligible / Insignificant (possible minor injury)
  Marginal (minor personal injury / threat to env. damage)
  Critical (1 fatality / significant env. damage)
  Catastrophic (>2 fatalities / major env. damage)

Frequency                              Negligible  Marginal  Critical  Catastrophic
Frequent (>10 per year)                    2           1         1          1
Probable (1 - 10 per year)                 3           2         1          1
Occasional (0.1 - 1 per year)              3           2         2          1
Remote (0.01 - 0.1 per year)               4           3         2          2
Improbable (0.0002 - 0.01 per year)        4           4         3          3
Incredible (<0.0002 per year)              4           4         4          4
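The matrix above is only useful once every hazard-log entry has been placed in it, which means turning an estimated frequency into a band and then reading the cell. The following Python is an added example, not code from the Vectus safety case: the bands, consequence classes and cell values are copied from the matrix, while the boundary convention (a frequency exactly on a band limit goes to the higher-frequency band, the conservative choice), the reading of a lower number as the more severe category, and the sample hazard log are assumptions made here.

```python
"""Risk-matrix ranking of hazard-log entries (added example, not from the Vectus slides)."""
from typing import Dict, List, Tuple

# Consequence classes in the column order of the slide's matrix.
CONSEQUENCE_CLASSES = ["Negligible", "Marginal", "Critical", "Catastrophic"]

# Frequency bands as (name, lower limit in events per year), highest band first.
FREQUENCY_BANDS: List[Tuple[str, float]] = [
    ("Frequent", 10.0),
    ("Probable", 1.0),
    ("Occasional", 0.1),
    ("Remote", 0.01),
    ("Improbable", 0.0002),
    ("Incredible", 0.0),
]

# Cell values per band (row) and consequence class (column), as on the slide.
# Assumption: the lowest number (1, in the frequent/catastrophic corner) is the
# most severe category; the slide itself does not label the categories.
RISK_MATRIX: Dict[str, List[int]] = {
    "Frequent":   [2, 1, 1, 1],
    "Probable":   [3, 2, 1, 1],
    "Occasional": [3, 2, 2, 1],
    "Remote":     [4, 3, 2, 2],
    "Improbable": [4, 4, 3, 3],
    "Incredible": [4, 4, 4, 4],
}


def frequency_band(events_per_year: float) -> str:
    """Map a numeric frequency to its band. Assumption: a value equal to a band
    limit (e.g. exactly 0.1 per year) is assigned to the higher-frequency band."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for name, lower in FREQUENCY_BANDS:
        if events_per_year >= lower:
            return name
    raise AssertionError("unreachable: the last band starts at 0.0")


def rank_hazard(events_per_year: float, consequence: str) -> int:
    """Read the matrix cell for a frequency and a consequence class."""
    if consequence not in CONSEQUENCE_CLASSES:
        raise ValueError(f"unknown consequence class: {consequence}")
    row = RISK_MATRIX[frequency_band(events_per_year)]
    return row[CONSEQUENCE_CLASSES.index(consequence)]


def prioritise(hazards: List[Tuple[str, float, str]], max_rank: int = 2) -> List[Tuple[int, str]]:
    """Return (rank, hazard id) for entries at or above the given severity, most
    severe first; ties keep the hazard-log order so the output is stable."""
    ranked = [(rank_hazard(freq, cons), hid) for hid, freq, cons in hazards]
    return sorted((r, h) for r, h in ranked if r <= max_rank) if False else \
        sorted([(r, h) for r, h in ranked if r <= max_rank], key=lambda rh: rh[0])


# Constructed sample hazard log: (id, estimated events per year, consequence class).
SAMPLE_HAZARD_LOG = [
    ("H-01", 0.05, "Catastrophic"),   # Remote / Catastrophic
    ("H-02", 3.0, "Negligible"),      # Probable / Negligible
    ("H-03", 0.1, "Critical"),        # exactly on the Occasional lower limit
    ("H-04", 0.0001, "Critical"),     # Incredible / Critical
    ("H-05", 12.0, "Marginal"),       # Frequent / Marginal
]

if __name__ == "__main__":
    for hid, freq, cons in SAMPLE_HAZARD_LOG:
        print(hid, frequency_band(freq), cons, "->", rank_hazard(freq, cons))
    print("needs action:", prioritise(SAMPLE_HAZARD_LOG))
```

Running the block prints each entry's band and cell value and then the entries that fall in the two most severe categories; H-03 shows why the boundary convention has to be written down, since 0.1 per year sits exactly on the limit between Remote and Occasional and the two bands give different cells for a Critical consequence.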


Safety process, requirements

1. Concept with intended operation and preliminary safety targets

2. Specification with technical description, safety plan and safety requirements

3. Design with standards, risk analysis and safety measurements

4. Validation with test reports, manuals, maintenance plans and future modification process

5. Safety case, independent assessors report and infrastructure manager track admittance

6. Approval for operation with conditions


Basis for Safety Process

• EN 50126 / IEC 62278 (RAMS-standard)

• IEC 61508 for electronic safety systems (this standard is more generic than EN 50128 and EN 50129, which are used for traditional railway systems)

The Swedish Railway Agency has required a third party assessment of the Safety Instrumented System (SIS) of the PRT system, i.e. a third party verification of the compliance with IEC 61508


Safety Organization in the Project

(Organization chart; the roles and relations recoverable from it are listed below.)

Vectus, safety management:

• Safety Plan
• Safety requirements
• Safety Report / Safety Case
• Hazard Log
• Test Program
• Manuals
• Etc.

Swedish Rail Agency: receives the application from Vectus and sets the requirements; Vectus proves fulfillment of the requirements.

Subsystem suppliers, each delivering Safety Documentation (SD):

• SD Station and Foundation
• SD Cabin
• SD Track and Chassis
• SD Control System incl. SIS

Suppliers shown on the chart: Noventus, WGH, TDI, Skanska.

Third party assessors (contract and reporting lines with Vectus):

• Scandpower (Norway): 3rd party assessor for control system
• Jacobs Babtie (England): 3rd party assessor for track


Safety Process in the Project

Timeline 2005 to 2008 (activities as shown on the chart; the year of each activity is not recoverable from the extracted text):

• Concept risk analysis
• Safety Plan
• Safety requirements
• Start-up meeting, 3rd Party Assessment
• 3rd Party Workshops (5 in total)
• Presentation of 3rd Party Assessment Report to SRA
• Preliminary Hazard Assessment
• Site Risk Analysis
• Safety Analyses of subsystems (7 in total)
• Safety Analysis for Safety Instr. System
• QRA
• Safety Case
• Hazard Log
• Safety Audit


Methods used in safety analyses

• FMECA = Failure Mode, Effects and Criticality Analysis (done for all parts of the safety instrumented system and control system)

• FTA = Fault Tree Analysis (done for all parts of the safety instrumented system and relevant parts of the control system)

• ETA = Event Tree Analysis (done for all identified accident scenarios)

• Analysis of safety critical functions (done for all subsystems)

• The Risk Graph method (done to identify the right SIL requirements)


Main results of analyses

• The passenger risk is quantified at 0.165 fatalities per billion person kilometres, which is well below the acceptance criterion of 0.3 fatalities per billion person kilometres.

• The fatality frequency for the most exposed third person, i.e. a person who does not choose to be exposed to the risk of the PRT system, is calculated at 1.9·10⁻⁷ per year. This is also well below the acceptance criterion of maximum 1·10⁻⁶.

• All subsystems are analysed with regard to the single failure principle and a number of safety critical maintenance activities are identified and implemented
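The two headline figures above come out of the event tree analysis listed under "Methods used in safety analyses": each identified accident scenario is an initiating event whose frequency is split by branch probabilities into outcomes, and the outcome frequencies weighted by their consequences give a passenger rate per billion person kilometres and an annual fatality frequency for the most exposed third person, which are then held against the acceptance criteria. The Python below is an added example, not code from the Vectus safety case: only the two criteria come from the slides, while the event tree, the initiating-event frequency, the branch probabilities, the consequence figures and the annual passenger kilometres are constructed for illustration. It also shows the simplest of the sensitivity checks the deck mentions, namely how far the initiating frequency could rise before a criterion is breached.

```python
"""Event-tree quantification against the two acceptance criteria
(added example, not from the Vectus safety case)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Acceptance criteria from the slides.
PASSENGER_CRITERION = 0.3      # fatalities per billion passenger kilometres
THIRD_PERSON_CRITERION = 1e-6  # fatalities per year, most exposed third person


@dataclass
class Node:
    """A branch point (has children) or an outcome (leaf carrying consequences)."""
    name: str
    # (conditional probability, child) pairs; probabilities at one split sum to 1
    children: List[Tuple[float, "Node"]] = field(default_factory=list)
    passenger_fatalities: float = 0.0        # expected passenger fatalities per occurrence
    third_person_fatality_prob: float = 0.0  # P(most exposed third person killed | outcome)


def validate(node: Node) -> None:
    """Reject trees whose branch probabilities do not sum to one at every split."""
    if node.children:
        total = sum(p for p, _ in node.children)
        if not math.isclose(total, 1.0, rel_tol=0.0, abs_tol=1e-9):
            raise ValueError(f"{node.name}: branch probabilities sum to {total}")
        for _, child in node.children:
            validate(child)


def outcome_frequencies(node: Node, freq: float) -> List[Tuple[float, Node]]:
    """Each leaf's frequency is the initiating frequency times the product of
    the branch probabilities on the path to it."""
    if not node.children:
        return [(freq, node)]
    leaves: List[Tuple[float, Node]] = []
    for p, child in node.children:
        leaves.extend(outcome_frequencies(child, freq * p))
    return leaves


def quantify(tree: Node, initiating_freq: float, annual_passenger_km: float) -> Dict[str, float]:
    """Aggregate the leaf frequencies into the two measures the criteria use."""
    validate(tree)
    leaves = outcome_frequencies(tree, initiating_freq)
    passenger_per_year = sum(f * n.passenger_fatalities for f, n in leaves)
    third_person_per_year = sum(f * n.third_person_fatality_prob for f, n in leaves)
    return {
        "passenger_per_billion_km": passenger_per_year / (annual_passenger_km / 1e9),
        "third_person_per_year": third_person_per_year,
    }


def meets_criteria(result: Dict[str, float]) -> bool:
    return (result["passenger_per_billion_km"] <= PASSENGER_CRITERION
            and result["third_person_per_year"] <= THIRD_PERSON_CRITERION)


def frequency_margin(result: Dict[str, float]) -> float:
    """Factor by which the initiating frequency could grow before a criterion is
    breached (both measures scale linearly with it); inf if nothing is fatal."""
    margins = []
    if result["passenger_per_billion_km"] > 0:
        margins.append(PASSENGER_CRITERION / result["passenger_per_billion_km"])
    if result["third_person_per_year"] > 0:
        margins.append(THIRD_PERSON_CRITERION / result["third_person_per_year"])
    return min(margins) if margins else math.inf


# Constructed event tree: an obstacle on the guideway is either detected by the
# safety instrumented system (safe stop) or not (collision at low or high speed).
EXAMPLE_TREE = Node("Obstacle on guideway", children=[
    (0.999, Node("Detected by SIS: safe stop")),
    (0.001, Node("Not detected", children=[
        (0.8, Node("Collision at low speed",
                   passenger_fatalities=0.01, third_person_fatality_prob=0.0005)),
        (0.2, Node("Collision at high speed",
                   passenger_fatalities=0.5, third_person_fatality_prob=0.002)),
    ])),
])
EXAMPLE_INITIATING_FREQ = 0.2        # occurrences per year (constructed)
EXAMPLE_ANNUAL_PASSENGER_KM = 1e6    # passenger kilometres per year (constructed)


def example_result() -> Dict[str, float]:
    return quantify(EXAMPLE_TREE, EXAMPLE_INITIATING_FREQ, EXAMPLE_ANNUAL_PASSENGER_KM)


if __name__ == "__main__":
    res = example_result()
    for key, value in res.items():
        print(f"{key}: {value:.3g}")
    print("meets criteria:", meets_criteria(res))
    print("initiating-frequency margin:", round(frequency_margin(res), 2))
```

With the constructed inputs the passenger measure is 0.0216 per billion passenger kilometres and the third-person measure 1.6·10⁻⁷ per year, so both criteria are met; the margin of 6.25 shows that the third-person criterion, not the passenger criterion, is the limiting one for this scenario, which is the kind of information the sensitivity calculations in a quantitative risk analysis are meant to surface.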


Safety case trivia

• More than 1200 pages in total.

• The hazard log contains over 200 items that are followed up with actions.

• The quantitative risk analysis includes 78 different sensitivity calculations to check out the criticality of different input factors.

• This is the first time a quantitative risk analysis is performed for a total railway system in Sweden.


Requirements for Third Party Assessment of SIS

• Formal requirements: IEC 61508, Chapter 1
  – Documentation
  – Management of Functional Safety
  – QA, incl. verification and validation activities

• Hardware requirements: IEC 61508, Chapter 2
  – Hardware specification and development
  – Avoidance and control of systematic failures
  – Reliability of components (SIL): Probability of Failure on Demand (PFD)
  – Structure/topology of components (redundancy)
  – Diversity and independence
  – Testing

• Software requirements: IEC 61508, Chapter 3
  – Software specification and development
  – Software implementation
  – Testing


Focus of third party assessment

(Diagram: FSA Part 1 and FSA Part 2; the content of the diagram is not recoverable from the extracted text.)


Results – Third Party Assessment

The results from the Third Party Assessment are documented in two reports:

• Functional Safety Assessment (FSA) for the Control System of the PRT System

• Functional Safety Assessment (FSA) - On-site Observation for the PRT System


Approval status

The Vectus PRT safety case for the generic application, i.e. over and beyond what is required for the test track as such, will be accepted with the completion of the ongoing testing activities.


www.vectusprt.com

www.vectusprt.se