1
CSM-RA in a mega-project
Perspectives from the Danish Signalling Programme
Fredrik Schumann, EMO Safety Manager – BDK Signalling Programme 3-11-2016
2
CSM-RA in a mega-project
Perspectives from the Danish Signalling Programme
– CSM versus Cenelec 50126, -28 and -29: status and challenges
– Signalling Programme rollout strategy in a CSM context
– Authorization for Test (Infrastructure) in a CSM context: a practical case using CSM
– Focus: Fjernbane part of the SP
Fredrik Schumann, EMO Safety Manager, BDK SP
(With the SP since October 2015)
3
Signalling Programme – SP organisation chart (only the box labels survive extraction)
Boxes shown: SP-board, SP-director, Programme management, Finance and Plan (PMO), Secretariat, Rail-com, S-bane, On-board, F-East, F-West, F-IT, Kh-Rg, Kh-Rg board, EMO, TMS, Contractors, Safety and Commissioning (SP), Design, Development, Plan (anlæg)
4
Safety stakeholders – Signalling Programme
– NSA (National Safety Authority)
– G-ISA (General Independent Safety Assessor)
o Covers the different roles ("bodies") defined in EU legislation: AsBo, DeBo, G-NoBo
o CSM assessment is performed in the AsBo role
– Suppliers (S-ISA, S-NoBo)
– Railway Undertakings (RUs)
o DSB
o Others
– BDK Base Organisation
10
Project safety related deliverables (diagram; only the labels survive extraction)
G-ISA assessment process: Assessment, Agreement, Review, Audit; output: G-ISA SAR
Project deliverables shown: Haz record, AAPP, Safety Plan, APIS system definition, APIS SCs
Supplier specific safety related deliverables: GASCs & SASCs, S-ISA SoW / assessment plans; output: S-ISA SAR
Assessors shown: G-ISA, S-ISA
11
CSM-RA in a mega-project
– Example 1 (probably several):
o Cenelec is still the "foundation" and its principles are followed by supplier, customer and (all) ISA(s) for the signalling part
o CSM-RA is applied in addition, often to control a change that includes other disciplines than Signalling
o CSM-RA assessment (AsBo) could be done "in-house"
– Example 2:
o Cenelec evidence from the supplier is used directly to justify the requirement for "explicit risk estimation" in CSM-RA
– Conclusion: BDK SP is probably "early" in implementing CSM-RA to the full extent
The situation in some other ERTMS / signalling programmes?
12
CSM-RA in a mega-project
Challenges we have met with CSM interpretation/understanding:
– The supplier ISA (named S-ISA) is doing Cenelec-based assessment (business as usual)
– The G-ISA (AsBo) expects to see evidence of CSM assessment from the S-ISA
– Sometimes formalism and/or terminology are more of a problem than a lack of substantial safety / assessment evidence?
– We are working to solve this with the S-ISA, the G-ISA and the NSA
13
CSM-RA in a mega-project
Signalling programme strategy / way of working
– Installation of "passive" components, i.e. components that are passive with respect to the legacy system:
o Markerboards
o Axle counters
o Foundations
o Cabinets
o Etc.
– These can be demonstrated to be non-significant changes to the legacy railway / signalling as long as they are not placed in service
14
CSM-RA in a mega-project
Signalling programme strategy / way of working
– The change to the railway first becomes significant when the components are powered / placed in service
– Point machines and level crossings are significant once installed; COS (ChangeOver System) can be the solution
– This "generic" approach is necessary to support "industrial rollout"
15
CSM-RA in a mega-project
Challenges we have met:
– System definition, Hazid and significance evaluation must be done for all installations – a lot of paperwork and a long "approval chain"
– Specific system definition and significance evaluation to be done – but at very high volume (thousands of components on the EDL lines alone)
– Suppliers/subsuppliers are skilled for design and installation work but not necessarily for the CSM documentation work needed to meet BDK SP expectations – realized too late by all parties
16
CSM-RA in a mega-project
Challenges we have met:
– Lack of an installation strategy suited for CSM – time pressure when a timeslot for installation is available
– Signalling Programme and suppliers aligned too late with BDK Base's development of internal CSM process / procedures
– New approach / concept combined with a lack of skilled resources
17
CSM-RA in a mega-project
The design and installation are finalized – what's next?
– Authorization for Test (AfT) concept (under development)
– Assumption: significant change to the railway
– We need to define:
o Safe test area within boundaries
o Safety management / organization during test
o Process
– We want to develop a generic approach for the EDLs that can be reused for the Rollouts
– The idea is that we invest a lot of work for the EDL – but we will benefit from it for the rest of the Signalling Programme
18
Fjernbane Railway System Integration Roadmap 2. Site based testing – EDL basic (roadmap diagram; only the labels survive extraction)
Swimlanes: Customer Lead, Supplier Lead, Customer System Integration
Infrastructure sub-system (inc. TCC and new FTN): PICO, SAT, SIT, Trial Running Scenario Testing, Trial Running, Performance and Timetable, SCO EDL
Onboard sub-system (repeated for each EDL fleet type): ETCS + STM Installation and integration, ETCS + STM Lab verification, Train Fitment (T1, T2, T3), APIS Onboard (STM), APIS onboard (ETCS), NoBo Certification
GSM-R sub-system (inc. FTN): QoS (packet & switched), APIS update GSM-R Phase 3
Operational milestones: Rules available (latest date), Rules update, Rules handed over, First drivers needed, First operators needed, c.80% drivers trained, c.80% operators trained, All drivers trained, BDK Operational Rehearsal
Safety milestones: TRRB, TRRB SAT, Authorisation for Test, TRRB TR, TRRB CT, Final Commissioning Board (ORR), S1, S2(a+b), (S3), S4a, S4b, S4c, S4d, S5
Safety Case activities: Safety Case Part 1 (Technical, APIS), Safety Case Part 2 (Operational), Safety Case (Test), SRAC Evidence and Hazard Closure, Technical Evidence, TTSV report, Track-Train System Validation
Key: Installation and Site Integration Testing; Functional Testing; Trial Running; Safety Milestone; Operational Milestone; Customer Integration Testing; Safety Case activities
Notes: Lab testing and FAT will be completed prior to site testing. Onboard shows first train class and needs to be repeated for each class. Safety Case Part 1 is not part of TRRB Criteria for Trial Running.
19
Authorization for Test AfT (diagram, shown twice on slides 19 and 20; only the labels survive extraction)
Inputs: Scenarios, Hazard Id (specific hazards), CSM-RA Hazard Management (generic hazards), Operational issues, Supplier/SP safety interfaces for test
AfT elements: Area, Process, System Def., Organisation, Test Activities
Boards: SRB, TRRB
Output: Hazard Record For Test; Railway Safety Case for Test (BDK responsibility)
Supplier contributions shown:
QA on content
• Hazard identification
• Hazard analyses
• Hazard mitigations (technical causes)
Safety Plan for Test (input/review)
Signal layouts (from engineering data)
Hazard mitigations from relevant GASCs + data validation (if needed)
Participation of technical specialists (depending on scope)
Ad hoc participation of technical specialists, depending on safety related issues
Legend: Participation (mainly time); Product (time + documentation)
22
Hazard workshops – Interfaces (examples)
Borders
– 01) Legacy area/Test border
– 07) Shunting area/Test border
– 17) Possession area/Test border
– 10) Bridge Guard
– 08) Buffer stops
– 09) Adjacent tracks
23
Hazard workshops – Interfaces
Crossings
– 05) Full barrier
– 04) Half barrier
– 03) Warning (lights only)
– 06) Passenger warning
– 15) Farm crossings
– 21) Staff crossings
24
Hazard workshops – Interfaces
Unauthorized/Infrastructure
– 20) Foreign objects
– 13) Trespassers
– 19) Road vehicles via underpass/bridge
– 14) Catenary
Maintenance people
– 12) External maintainer with own remit
– 11) Track workers on adjacent tracks
25
Hazard workshops – Interfaces
Track Vehicles
– 18) Track vehicles/Test border
– 13) Unreported trains/vehicles
Platforms
– 02) Platforms
26
Hazard workshops – Hazard Analysis
– Hazard repository containing 52 overall hazards
– Condensed into 18 Hazard Groups
o Example 1: Train exceeding authorized speed
o Example 2: Train authorized to enter a line section occupied by another train
– 1) Identifying hazard groups where technical mitigations from the supplier are relevant / could be used as (part of) the mitigation. Participation from the supplier (3-5 workshops?)
o This will identify which parts of the Safety Documentation need to be finalized by the time the actual mitigation is needed
27
Hazard workshops – Hazard Analysis
– 2) Identifying hazards where mitigation can only be done by BDK procedure or by technical mitigation outside the supplier scope
– 3) Creating the Hazard Record for test (BDK)
– 4) Review of the Hazard Record for test (BDK + supplier)
– 5) Assessment of the "full package" with the G-ISA
28
AfT Hazard workshops – Hazard Analysis
– 2) Identifying hazards where mitigation can only be done by BDK procedure or by technical mitigation outside the supplier scope (BDK)
– 3) Creating the Hazard Record for test (BDK)
– 4) Review / finalize (BDK + supplier)
– 5) Assessment by the G-ISA
29
HOW we provide a safe environment (diagram; only the labels survive extraction)
There is a separate activity that provides the evidence for hazards created by testing…
Fjernbane Hazard Repository: provides the top level hazards; is the basis for the Hazard Record for Test
External Interfaces for Test Area: provides context to Test Area interfaces; feeds the Hazard Record for Test focused on Test Area External Interfaces
Test Intentions, Specific Location: provides context for the specific test situation
Hazard Record for Test for a specific testing situation (including both External Interfaces and Inside Test Area); shown once per testing situation in the diagram