
Deriving Quantitative Requirements For The Reliability of the On-Board ETCS

Lucien Nanu, Principal Reliability Engineer Network Rail Infrastructure Ltd, Milton Keynes

ABSTRACT
The method is developed around an operational scenario that involves the removal of an immobilised train from an area controlled by a signalman. A value for the mean time between immobilising failures (MTBIF) of the on-board ETCS is estimated on the basis of a proposed set of operational parameters, and its sensitivity to parameter changes is analysed using a spider diagram.
Introduction

The technical specification for interoperability (TSI) relating to control command and signalling (CCS) sub-systems of the trans-European rail network (TEN) was formally issued by the European Commission (EC) in January 2012 [1]. Availability and reliability specifications for the CCS sub-systems are included in Section 4.2.1.2 and Annex A 4.2.1.b of the document. Index 28 in Annex A has been specifically reserved for quantitative requirements, but no values have been included.

In the absence of trans-European mandatory quantitative requirements for the ETCS, the infrastructure managers (IMs) have to derive their own set of requirements, either project-specific or at national level, using different considerations: commercial, safety or both. This situation may be regarded as contradictory to the interoperability principles, specifically for the ETCS on-board sub-system. It could potentially lead to the occurrence of degraded situations which, if not adequately managed, could decrease the overall safety of the rail system.

In January 2015 the EC published an amendment to the CCS TSI [2]. Quantitative reliability requirements, however, are still missing. Instead, the following statement is included under Article 1, 2(e):

‘Compliance with the following calculated values shall be ensured:
(1) Mean time of hours of operation between failures of a CCS on-board sub-system requiring the isolation of the train protection functions: [open point].’

In an attempt to address the open point in the CCS TSI amendment, this paper describes a possible approach for deriving a quantitative reliability specification for the on-board ETCS sub-system. Using operational safety considerations and a set of operational parameters, the proposed method is used to derive a value for the Mean Time Between Immobilising Failures (MTBIF). In the context of this paper an ‘immobilising failure’ is defined as a failure of the on-board sub-system requiring the isolation of the train protection functions, so that the train can only finish its mission without CCS on-board supervision.

Approach
Basic considerations

The proposed method for deriving the numerical reliability specification takes into consideration the latest amendment to the CCS TSI [2], from which it is concluded that –

  • the CCS TSI specifies reliability requirements for the on-board ETCS sub-system; similar requirements for the track-side sub-system are not included;
  • the reliability requirement for the on-board sub-system applies to immobilising failures, i.e. failures that require the isolation of the train protection functions;
  • the reliability requirement should be derived on the basis of operational safety considerations, to enable IMs to manage degraded situations without compromising the overall system safety.

Further points have been taken into consideration when developing the proposed approach.

  • The system safety level is degraded when a single immobilising failure occurs, as the movement of a train with the ETCS protection function isolated could create hazardous situations for all trains in the area.
  • The derivation of the reliability requirement for the on-board sub-system needs to be based on the most severe operating conditions. This would ensure that the requirement thus derived is applicable to the whole trans-European rail system and therefore conformant with the interoperability principles.
  • An immobilising failure can be caused by the failure of a single sub-system constituent or by a combination of such failures, including both hardware and software. Sub-system integration issues between its constituents can also generate immobilising failures.

Based on the above considerations an operational scenario has been developed and analysed for the purpose of deriving the reliability requirement for the on-board ETCS sub-system.

Analysis scenario

The operational scenario developed for the purpose of this analysis is described in Table 1.

A number of operational parameters are characteristic of the scenario described above and these are discussed in Table 2.

Method

Using the above operational scenario, it is proposed that:

  • The reliability specification for the on-board ETCS sub-system is stated as an MTBIF value, in agreement with the CCS TSI [2];
  • The MTBIF value is estimated from the requirement that HE, the frequency of a second immobilising failure, is kept below a pre-defined threshold to ensure that the overall rail system safety is not degraded;
  • The pre-defined threshold is set to a level which is generally acceptable across the trans-European rail network, in accordance with the interoperability principle.


Reliability Requirement
Derivation

The reliability R(t) of an item at time t is defined as the probability of that item surviving to time t [3]. If the item failure rate, λ, is constant, i.e. steady-state reliability, the reliability is given by the expression

The probability that the item fails between 0 and time t is then


Applying the above to the operational scenario described previously, the probability of a train experiencing an immobilising failure caused by any on-board system (including the ETCS sub-system) during the peak-hour period Tph is given by the expression

For steady-state reliability the failure rate IFccs can be replaced by 1/MTBIF and, considering that N trains are present in the controlled area during time Tph, the foregoing probability becomes

Similarly, the probability of a second train experiencing an immobilising failure in the time Tr taken to remove the first train is given by the expression

The probability of both incidents happening is then given by the product of (a) and (b)

If Fph is the frequency of peak-hour periods in the controlled area, then the estimated frequency HE of the hazardous event will be given by the following, Equation (c):

For values of x << 1


and Equation (c) can be written as

and hence

Calculation

A specification for the on-board ETCS sub-system MTBIF can be estimated by inserting suitable operational parameter values in Equation (10). To ensure the applicability of the specification across the trans-European rail network, the operational parameter values selected for use should be based on the most severe operating conditions. A possible set of values proposed for this calculation is given in Table 3.

The required MTBIF value derived using the above parameters is 113,950 hrs.

Sensitivity analysis

The sensitivity of the derived MTBIF specification to parameter changes has been assessed using the spider diagram given in Figure 1, which shows how the value of the required MTBIF varies when the operational parameters are varied either side of their standard values proposed in Table 3. It is concluded from this diagram that the reduction of the hazardous event frequency, HE, has the biggest impact on the required MTBIF value.
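The derivation, the calculation and the spider-diagram sweep above, carried through as an added worked example (editor's reconstruction, not code from the paper or from Network Rail). The page does not reproduce the equations, Table 3 or Figure 1, so the example assumes the standard constant-failure-rate forms R(t) = exp(-λt) and F(t) = 1 - exp(-λt), takes N exposed trains in both probability factors (the page does not say whether the second factor uses N or N-1; N is the conservative choice), and uses a constructed parameter set. Its result is therefore a hypothetical value, not the paper's 113,950 hrs, and the parameter names (n, t_ph, t_r, f_ph, he) are this example's own.

```python
"""Reconstruction of the MTBIF derivation described in the text.

Symbols follow the page: Tph (length of the peak-hour period), Tr (time
taken to remove the immobilised train), N (trains in the controlled
area), Fph (frequency of peak-hour periods), HE (acceptable frequency
of the hazardous event) and MTBIF. All times are in hours and all
frequencies in events per hour, so the units cancel consistently.
"""
import math


def prob_fail(rate, t):
    """F(t) = 1 - R(t) = 1 - exp(-rate * t) for a constant failure rate."""
    return -math.expm1(-rate * t)          # expm1 keeps precision for small x


def hazard_freq_exact(mtbif, n, t_ph, t_r, f_ph):
    """HE as in Equation (c): Fph times the product of
    (a) P(some train fails during Tph) and
    (b) P(a second train fails during Tr).
    Assumption: N trains, each with rate 1/MTBIF, are exposed in both factors."""
    rate = n / mtbif
    return f_ph * prob_fail(rate, t_ph) * prob_fail(rate, t_r)


def hazard_freq_approx(mtbif, n, t_ph, t_r, f_ph):
    """Equation (c) with 1 - exp(-x) replaced by x for x << 1."""
    return f_ph * (n * t_ph / mtbif) * (n * t_r / mtbif)


def required_mtbif(n, t_ph, t_r, f_ph, he):
    """Invert the approximate expression for MTBIF (what the page calls
    Equation (10), as reconstructed here): MTBIF = N * sqrt(Fph*Tph*Tr/HE)."""
    return n * math.sqrt(f_ph * t_ph * t_r / he)


def sensitivity(params, factor):
    """Ratio of required MTBIF to its base value when one parameter at a
    time is multiplied by `factor` (one spoke of the spider diagram each)."""
    base = required_mtbif(**params)
    ratios = {}
    for key in params:
        varied = dict(params)
        varied[key] = params[key] * factor
        ratios[key] = required_mtbif(**varied) / base
    return ratios


# Constructed parameter set (NOT the page's Table 3, which is not reproduced).
EXAMPLE = dict(
    n=10,                    # trains in the signalman's area at peak
    t_ph=3.0,                # 3-hour peak period
    t_r=1.0,                 # 1 hour to remove the immobilised train
    f_ph=2.0 / 24.0,         # two peak periods per day, in periods per hour
    he=1e-3 / 8760.0,        # one hazardous event per 1000 years, per hour
)

if __name__ == "__main__":
    mtbif = required_mtbif(**EXAMPLE)
    print(f"required MTBIF ~ {mtbif:,.0f} h")
    exact = hazard_freq_exact(mtbif, EXAMPLE["n"], EXAMPLE["t_ph"],
                              EXAMPLE["t_r"], EXAMPLE["f_ph"])
    # How much the x << 1 simplification overstates HE at the derived MTBIF
    print(f"exact HE / approximated HE = {exact / EXAMPLE['he']:.4f}")
    for key, ratio in sensitivity(EXAMPLE, 0.5).items():
        print(f"halving {key}: required MTBIF x {ratio:.3f}")
```

Two points the code makes visible that the prose only asserts: the x << 1 approximation is sound here because N·Tph/MTBIF is of order 10⁻³, so the exact and approximated HE differ by well under one percent; and in the inverted formula MTBIF scales with the square root of Fph, Tph, Tr and 1/HE but linearly with N, so halving HE raises the required MTBIF by a factor of √2 while halving any of the other three time or frequency parameters lowers it by 1/√2.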

Conclusions

The analysis presented above indicates that:

  • A reliability requirement specification for the on-board CCS could be expressed as the Mean Time Between Immobilising Failures;
  • Using operational safety considerations and parameter values generally applicable to the trans-European rail network, a minimum MTBIF value of 100,000 hrs for the CCS on-board sub-system has been derived;
  • Since both the operational scenario and the parameter values used in the analysis are generally applicable to the trans-European network, it is concluded that the minimum MTBIF value of 100,000 hrs could be used to close out the open point in the CCS TSI;
  • The derived MTBIF value appears to be most sensitive to variations in the acceptable frequency level of the hazardous event used in the operational scenario.

References

[1] European Commission Decision on the “Technical specification for interoperability relating to control-command and signalling sub-systems of the trans-European rail system”, 2012/88/EU, Brussels, 25 Jan 2012.
[2] European Commission Decision amending Commission Decision 2012/88/EU on the “Technical specification for interoperability relating to control-command and signalling sub-systems of the trans-European rail system”, C(2014) 9909 final, Brussels, 5 Jan 2015.
[3] D.J. Smith, Reliability, Maintainability and Risk: Practical Methods for Engineers, 5th Edition, Butterworth-Heinemann, 1997.
