View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by NORA - Norwegian Open Research Archives Reliability assessments of railway signaling systems: A comparison and evaluation of approaches Lichao Tang Safety, Health and Environment Submission date: June 2015 Supervisor: Eirik Albrechtsen, IØT Co-supervisor: Mary Ann Lundteigen, Institutt for produksjons- og kvalitetsteknikk Terje Sivertsen, Jernbaneverket Norwegian University of Science and Technology Department of Industrial Economics and Technology Management i Problem Description Railway signaling systems are used to ensure the safe operation of railway traffic. Such signaling systems have evolved from purely relay-based systems (e.g. NSI-63, NSB-84) to computerized systems (e.g., NSB-94 and Merkur). Signaling systems may be designed to accommodate large stations with multiple tracks, like Oslo S, or smaller two-track stations, with single entry and departure track. The main focus on this master thesis is devoted to the latter, as most stations in Norway are of this type. It is vital to demonstrate that the reliability and availability of railway signaling systems are according to railway authority regulations, and references standards such as EN 50126, EN 50128, and EN 50129. The last mentioned standards were introduced after NSB-94 was put into operation, which means that some of the prevailing requirements were not fully adapted. One example is the compilation of a technical safety report, to document the reliability performance and compliance against EN 50129. The main purpose of this master thesis is to suggest an approach for developing the technical safety report in accordance with EN 50129, with focus on the steps necessary to carry out a reliability assessment. The approach is based on a review of how such assessments have been carried out in the past, also utilizing experience from reliability assessments carried out before the compilation of a technical safety report became mandatory. Detailed tasks: 1. Define and describe what are the main safety-critical functions in relation with signaling systems, supported by functional block diagrams that identify the most important com- ponents. 2. Identify and explain requirements for setting reliability targets and assessing reliability of the functions, with basis in the mentioned standards. 3. Identify and describe the main content of a technical safety report, in light of regulatory requirements and the EN standards, and explain the relationship between technical safety reports generated for a generic product, generic application, and a specific application. 4. Document and discuss previous adoptions of the requirements, with basis in previously ii developed technical safety reports. Elaborate in particular on the methods used to quan- tify the reliability of the individual functions, and the data to support the analyses. 5. Propose an approach for developing a technical safety report, including the methods, data, and other input (e.g., documentation) at each step. 6. Demonstrate the application of the approach by using a case study for one selected safety- critical function (e.g. setting green light signal). iii Preface This master project is written for TIØ4925 - Health, Safety and Environment, Master’s Thesis at Norwegian University of Science and Technology (NTNU) spring 2015. This project was written in cooperation with Norwegian National Rail Administration. Railway signaling systems are used to ensure the safe operation of railway traffic. Such sig- naling systems have been evolved from purely relay-based systems to computerized systems. It is important to demonstrate that the reliability and availability of railway signaling systems are according to railway authority regulations, and reference standards such as EN 50126, EN 50128 and EN 50129. Those standards were introduced after NSB-94 had been put into operation, which means that some of the prevailing requirements were not fully adopted. One example is the compilation of a technical safety report, which is to document the reliability performance and compliance against EN 50129. The main purpose of this master thesis is to suggest an approach for developing the techni- cal safety report in accordance with EN 50129, with focus on the steps necessary to carry out a reliability assessment. The approach is based on a review of how such assessments have been carried out in the past, also utilizing experience from reliability assessments carried out before the compilation of a technical safety report became mandatory. Trondheim, 2015-06-11 Lichao Tang iv Acknowledgment First of all, I would like to express sincere gratitude to Professor Mary Ann Lundteigen for her as- piring guidance, invaluably constructive criticism and friendly advice during this master thesis. I would like to thank Terje Sivertsen, who provided an oppturnity for writing this thesis for Nor- wegian National Rail Administration. Terje has years of extensive experience of signaling sys- tems. During my visit to Norwegian National Rail Administration, he provided me with valuable suggestions on my thesis. Without his help, I could not finish my thesis. I am also grateful to Geir Melting, who helped me a lot on finding relevant documents. Finally, I would like to thank my family for grateful support during my whole study. Their en- couragement made me never feel lonely when I spent seven years aboard. LC.T v Summary and Conclusions The railway signaling system is the key system to ensure the safe operation of railway traffic. It is therefore important to have a safe and reliable railway signaling system. The railway au- thority defines requirements that should be complied with. The technical safety report is a vital documentation for the demonstration of fulfillment of requirements to the railway authority. A literature review of the signaling system is presented first. It describes the different tech- nologies used for railway signaling system. Moreover, challenging problems in the design of two track station, based on the situations in Norway, were discussed. In addition, some relevant regulations and standards were introduced. Further, safety-critical functions performed by a signaling system were presented. The meth- ods for determination of tolerable hazard rate, which is the safety requirements for safety-critical functions, were introduced. These methods distinguished two different demand modes, i.e., low-demand mode and high-demand mode. It described different roles and responsibilities involved for the whole signaling system life cycle. As a safety case is a product from one phase of system life cycle, a brief introduction to safety case was presented. The discussion of differences among three categories of safety cases was followed. The structure of technical safety report and the different categories of technical safety reports were described. Two technical safety reports from Norwegian National Rail Administration were evaluated in the light of the requirements from EN 50129. In particular, the reliability measures of safety- critical functions that were presented in the reports were discussed in this thesis. Some exam- ples of inadequacy from these technical safety reports were discussed. An approach for improv- ing the inadequacy was proposed. Finally, it performed a fault tree analysis as a comparison with the method used in the tech- nical safety report. Contents Problemdescription........................................i Preface................................................ iii Acknowledgment.......................................... iv Summary and Conclusions....................................v 1 Introduction 2 1.1 Background..........................................2 1.2 Motivation...........................................3 1.3 Objectives...........................................3 1.4 Limitations...........................................4 1.5 Structure of the Report....................................4 2 Introduction to railway signaling system6 2.1 Railway Signaling System..................................6 2.2 Norwegian Railway Signaling System........................... 10 2.2.1 Challenges in Design of a Two Track Station................... 11 2.2.2 Standards and Regulations............................. 13 2.2.3 Regulatory Practice in Norway........................... 15 3 Reliability concepts 17 3.1 The Generic IEC 61508 Standard.............................. 17 3.2 Safety-Critical Systems.................................... 17 3.3 Safety Functions........................................ 18 3.4 Safety Integrity Level..................................... 21 vi CONTENTS vii 3.4.1 Intention of the SIL concept............................. 22 3.5 THR Determination..................................... 23 3.5.1 THR for Continuous Mode Functions....................... 23 3.5.2 THR for Low-demand Mode Functions...................... 26 3.5.3 THR Determination Method Used in Norway.................. 30 4 Safety case 32 4.1 Different Roles and Responsibilities............................ 32 4.2 Safety Case........................................... 34 4.2.1 Different Categories of Safety Case......................... 35 5 Technical Safety Report 37 6 Evaluate of existing technical safety report 40 6.1 Adoption of TSR for Existing Installations......................... 40 6.2 Report 1 SATSR for NSB-94................................. 40 6.2.1 Reliability Assessment in This Report....................... 42 6.3 Report 2 GPTSR for Merkur................................