5. Conclusion Hazard Analysis for GNSS-based Train Localisation - - PowerPoint PPT Presentation

SLIDE 1

Debiao Lu, Daohua Wu, Prof. Dr.-Ing. Dr. h.c. Eckehard Schnieder
Institute for Traffic Safety and Automation Engineering, TU Braunschweig, Germany
IAIN 2012, Cairo

Hazard Analysis for GNSS-based Train Localisation Unit with Model Based Approach According to EGNOS SoL and Railway RAMS

Outline

1. Background
2. System Performance: QoS
3. From Aviation to Railway
4. Hazard Analysis
5. Conclusion

SLIDE 2
  • 1. Background

GNSS for Railways

  • ERTMS (European Railway Traffic Management System: ETCS, GSM-R) requires self-sustaining train localisation.
  • GNSS is capable of locating anywhere on the globe, 24 hours a day.
  • EGNOS provides services for safety-related systems, plus integrity monitoring.
  • The SoL service is intended to support a wide range of transport domains.

Hazard Analysis for GNSS-based Train Localisation Unit with Model Based approach According to EGNOS SoL and Railway RAMS | 02.10.2012 | M. Sc. Debiao Lu | IAIN 2012 | Slide 2

SLIDE 3
  • 1. Background

Safety Requirements

EGNOS has safety of life requirements:

  • Nevertheless, the main objective of the EGNOS SoL service is to support civil aviation operations down to Localizer Performance with Vertical guidance (LPV).
  • A summary of Safety of Life (SoL) service performance requirements for civil aviation is provided; requirements for both Non Precision and Precision Approaches have been issued by ICAO.

US RTCA DO-254
US RTCA DO-178B

Railway safety-related applications need to satisfy railway standards and legislation.

Functional Safety (IEC 61508)
EN 50126 (RAMS), EN 50129
EN 50128


Differences!

SLIDE 4
  • 2. Quality of Service (QoS)

How to categorise?

[Figure: categorisation diagram with the elements Category, Concept, Property, Characteristic, Quantity, Value, Event, Object and Relation, linked by 1-to-n and 1-to-1 relations; axes Intentionality and Abstraction]

SLIDE 5
  • 2. Quality of Service (QoS)

Quality descriptions in GNSS Domain

GNSS QoS : Accuracy, Continuity, Availability and Integrity

[Figure: Quality of EGNOS SoL, arranged by Concept, Property, Characteristic and Quantity. Properties: Accuracy, Integrity. Labels in slide order: Trueness; Measurement Deviation of the Position; Availability of Accuracy Performance (Percentage); Time-To-Alarm (TTA) (Time); Standard Deviation (2 sigma); Reliability of Integrity Service (Integrity Risk) (Percentage/Time Interval); Availability of Integrity Performance (Percentage); Alarm Limit (Horizontal/Vertical); Confidence Interval; Precision (Horizontal/Vertical); Reliability (Continuity Risk) (Percentage/Time Interval)]

SLIDE 6
  • 2. Quality of Service (QoS)

Quality descriptions in Railway domain

Railway QoS : Reliability, Availability, Maintainability and Safety

[Figure: Quality of Railway RAMS, arranged by Concept, Property, Characteristic and Quantity. Properties: Reliability, Availability, Maintainability, Safety]

  • Reliability: Reliability Probability, Reliability Probability Distribution; Failure Probability, Failure Probability Distribution; Failure Rate $\lambda(t) = \frac{f(t)}{R(t)}$
  • Availability: Availability Probability, $A = \frac{MTTF}{MTTF + MTTR}$
  • Maintainability: Maintainability Probability, MTTR
  • Safety: SIL allocated by Tolerable Hazard Rate (THR), Hazard Rate Distribution

SLIDE 7
  • 2. Quality of Service (QoS)

Quality descriptions in Railway domain as a whole

[Figure: dependability model of an object (item, system, resource). Labels: Operation (MTTF, reliability performance); Maintenance (MTTR, maintenance performance); up state, down state; fault, failure, defect; availability performance, Availability V = MTTF MTTF + F; MTBF; (external) resource]

VDI 4004 Part 5 Draft

SLIDE 8
  • 2. Quality of Service (QoS)

Railway and GNSS QoS Comparison


SLIDE 9
  • 3. From Aviation to Railway

EGNOS SoL service performance requirements

EGNOS SoL Service Performance Requirements (ICAO)

| Typical Operation | Horizontal Accuracy (95%) | Vertical Accuracy (95%) | Integrity | Time-to-Alert (TTA) | Horizontal Alert Limit (HAL) | Vertical Alert Limit (VAL) | Continuity | Availability |
|---|---|---|---|---|---|---|---|---|
| En-route (continental low density) | 3.7 km (2.0 NM) | N/A | 1×10⁻⁷/h | 5 min | 7.4 km (4 NM) | N/A | 1×10⁻⁴/h to 1×10⁻⁸/h | 0.99 to 0.99999 |
| En-route Terminal | 0.74 km (0.4 NM) | N/A | 1×10⁻⁷/h | 15 s | 1.85 km (1 NM) | N/A | 1×10⁻⁴/h to 1×10⁻⁸/h | 0.99 to 0.99999 |
| Non precision approach | 220 m (720 feet) | N/A | 1×10⁻⁷/h | 10 s | 556 m (0.3 NM) | N/A | 1×10⁻⁴/h to 1×10⁻⁸/h | 0.99 to 0.99999 |
| Approach operations with vertical guidance | 16 m (52 feet) | 20 m (66 feet) | 1×10⁻⁷ to 2×10⁻⁷ per approach | 10 s | 40 m (130 ft) | 50 m (164 feet) | 1×10⁻⁶/15 s to 8×10⁻⁶/15 s | 0.99 to 0.99999 |

SLIDE 10
  • 3. From Aviation to Railway

SoL relation to RAMS

From Integrity Risk to Safety

Aviation: Integrity Risk (per approach, 150 seconds)
Railway: Safety (Tolerable Hazard Rate per hour per function)

Per approach to per hour

  • formal way
  • certifiable way
  • applicable way

| Railway QoS | Aviation QoS | Value |
|---|---|---|
| Reliability | Continuity Risk | 8×10⁻⁶/15 s |
| Availability | Availability | 0.99 to 0.99999 |
| Maintainability | Related to Availability | |
| Safety | Integrity Risk | 2×10⁻⁷/approach |

SLIDE 11
  • 3. From Aviation to Railway

Integrity and PFH

Integrity is the ability of the system to provide timely warnings to the user when the system should not be used for navigation. It is required to provide timely warnings only when the GNSS SIS cannot be used.

Integrity Risk (IR) is defined as the unacceptable probability of dangerous failure per operation. It does not require integrity to be guaranteed over some period of time. It is guaranteed by continuity, but only for the most critical phase of operation.

Safety is defined as freedom from unacceptable risk of harm [EN 50126]. The risk is defined in safety-related systems by means of the Probability of dangerous Failure per Hour (PFH).


SLIDE 12
  • 3. From Aviation to Railway

Petri Net

Petri Net: formal modelling tool (different forms in this presentation)

Graphical and mathematical modelling tools

  • graphical tool: visual communication aid
  • mathematical tool: state equations, algebraic equations, etc.

Suitable for:

  • Concurrent
  • Asynchronous
  • Distributed
  • Parallel
  • Nondeterministic
  • Stochastic systems

[Figure: example Petri net with places p1, p2, p3, p4 and transitions t1, t2, t3]

SLIDE 13
  • 3. From Aviation to Railway

Translation Integrity to Hazard Rate

[Figure: Petri net chain from the initial state through up state period 1, up state period 2, up state period 3, ... up state period 24 to the 1 hour state, with faulty states]

24 approaches 24 x 150s = 1 hour

SLIDE 14
  • 3. From Aviation to Railway

Reliability

Continuity: The ability of the system to perform its function without interruption during the intended operation.

Reliability: The probability that an item can perform a required function under given conditions for a given time interval (t1, t2).

[Figure: Petri net with initial state, up state and faulty state]

SLIDE 15
  • 3. From Aviation to Railway

Quantitative Numbers

Safety

| Transition | Proportion |
|---|---|
| Work | 0.0416666 |
| Fail | 1.96555×10⁻⁷ |
| THR (/hour) | 4.7×10⁻⁶ |

Reliability

| Transition | Proportion |
|---|---|
| Work | 0.00416271 |
| Fail | 7.8651×10⁻⁶ |
| Reliability (/hour) | 1.9×10⁻³ |

| Railway QoS | Value | Aviation QoS | Value |
|---|---|---|---|
| Reliability | 1.9×10⁻³/hour | Continuity Risk | 8×10⁻⁶/15 s |
| Availability | 0.99 to 0.99999 | Availability | 0.99 to 0.99999 |
| Maintainability | Related to Availability | | |
| Safety | 4.7×10⁻⁶/hour | Integrity Risk | 2×10⁻⁷/approach |

[Figures: the reliability Petri net (initial state, up state, faulty state) and the safety Petri net chain (initial state, up state periods 1 to 24, faulty states, 1 hour state)]
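The per-approach to per-hour translation of slides 13 and 15, as an added example that is not part of the presentation: it walks the chain of up-state periods for the integrity and continuity figures and compares the result with the hourly values obtained from the slide's transition proportions. Reading the hourly figure as Fail proportion divided by Work proportion is an assumption, as are all function names; the chain result is a probability per hour, which for values this small is numerically the same as a rate.

```python
"""Added example: per-operation risk to per-hour figure (slides 13 and 15)."""

def chain_walk(p_fail, period_s, horizon_s=3600.0):
    """Walk the chain 'up state period 1 .. n'. Each period has a fail branch
    into the absorbing faulty state. Returns (n, P[faulty within horizon])."""
    n = round(horizon_s / period_s)
    p_up, p_faulty = 1.0, 0.0
    for _ in range(n):
        p_faulty += p_up * p_fail   # token leaves the chain via 'fail'
        p_up *= 1.0 - p_fail        # token moves on to the next up state
    return n, p_faulty

def rate_from_proportions(work, fail):
    """Assumed reading of slide 15: hourly figure = Fail / Work proportion."""
    return fail / work

def translate():
    # Aviation inputs as given on slide 10.
    n_ir, thr = chain_walk(2e-7, 150.0)    # integrity risk per 150 s approach
    n_cr, unrel = chain_walk(8e-6, 15.0)   # continuity risk per 15 s
    return {
        "safety": {
            "periods": n_ir,
            "chain": thr,
            "slide15": rate_from_proportions(0.0416666, 1.96555e-7),
        },
        "reliability": {
            "periods": n_cr,
            "chain": unrel,
            "slide15": rate_from_proportions(0.00416271, 7.8651e-6),
        },
    }

if __name__ == "__main__":
    for name, r in translate().items():
        print(f"{name:12s} periods/h={r['periods']:3d} "
              f"chain={r['chain']:.3e}/h slide15={r['slide15']:.3e}/h")
```

The chain walk started from the rounded input 2×10⁻⁷ gives 4.8×10⁻⁶ per hour, while the slide's Fail proportion of 1.96555×10⁻⁷ gives the 4.7×10⁻⁶ shown in the table; both continuity calculations round to 1.9×10⁻³.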

SLIDE 16
  • 4. Hazard Analysis Process

Satellite based localisation Unit (Salut)

[Figure: Salut architecture. Components: GNSS Receiver, Eddy Current Sensor (ECS), On-board Digital Track Map (ODTM), On-board Computer. Labels: WGS-84 Location, GNSS measured Velocity, ECS measured Velocity, Fusion Velocity, Fusion Location, Non-fusion Location (only GNSS), Safe Location (only Velocity), Absolute Location Map Match, Relative Location Map Match, Safe Location]

SLIDE 17
  • 4. Hazard Analysis Process

Satellite based localisation Unit (Salut)

Petri net Model (Poseidon)


SLIDE 18
  • 4. Hazard Analysis Process

Satellite based localisation Unit (Salut)

Generic Function of Salut: generate a safe location

  • other movement parameters

| Category | Function |
|---|---|
| 1. Determination of discrete train position | 1.1 Geographic localisation of train |
| | 1.2 Topologic localisation of train |
| | 1.3 Monitor train integrity |
| 2. Determination of movement parameters | 2.1 Measurement of velocity |
| | 2.2 Measurement of acceleration |
| | 2.3 Measurement of driven distance |
| | 2.4 Determine direction of vehicle |

SLIDE 19
  • 4. Hazard Analysis Process

Satellite based localisation Unit (Salut)

[Figure: Petri net of Salut. Labels: GNSS up state, GNSS faulty state, ECS up state, ECS faulty state, hazardous event, system faulty, inhibitor arc, test arc, ECS fail, ECS restore, GNSS fail, GNSS restore, hazard]

SLIDE 20
  • 5. Conclusion & Outlook

Conclusion:

  • A means of description of QoS for aviation and railway by iglos
  • A methodology for translating aviation QoS to railway
  • Hazard analysis method based on Petri net

Outlook:

  • Hazard analysis process
  • Dependability Analysis of Salut


SLIDE 21

Questions


Thanks for your attention!

  • M. Sc. Debiao Lu

lu@iva.ing.tu-bs.de iVA, TU Braunschweig, DE