Guide for the application of the CSM design targets (CSM-DT) Annex 3 – Fitting existing passenger trains with an onboard Hot Box Detection system.


1 Guide for the application of the CSM design targets (CSM-DT) Annex 3 – Fitting existing passenger trains with an onboard Hot Box Detection system
Workshop on CSM-DT, November 2016
Dragan JOVICIC, EU Agency for Railways

2 Overview
1. System Definition
2. List of functions (also part of the System Definition)
3. Scope, assumptions and limits of the risk assessment
4. Hazard Identification and Hazard Classification
5. Applicability of CSM-DT: direct consequence, or presence of external barriers preventing the accident
6. Setting up of the applicable category of CSM-DT
7. Allocation of quantitative requirements – alternative solutions or cases
8. Conclusions from the risk assessment and the allocation of the CSM-DT category

3 TS under assessment: onboard Hot Box Detection system – 1. System definition
[Block diagram] Input: overheating of wheelsets and/or axleboxes → Technical system under assessment: detect overheating of wheelsets and axleboxes, transmit the information to the Train Driver → Output in the Train Driver's Cabin: visual and/or audible information on the overheating of a wheelset and/or an axlebox.

4 TS under assessment: onboard Hot Box Detection system – 2. System definition: list of functions
Function: detection of emerging failures of wheelsets and axleboxes (e.g. wheel bearing fatigue, loss of bearing lubrication in axleboxes, defective brakes, etc.)
Existing system:
- Rolling stock: maintenance and operational procedures (pre-departure checks, periodic planned maintenance inspections and preventive maintenance operations).
- Trackside "hot box detectors" at regular distances, which alarm the traffic control centre in order to: inform the train driver to stop the train at an appropriate and agreed location; reduce the speed of trains arriving in the opposite direction on adjacent tracks (lateral shock risks caused by the blast when two trains cross).
Change under assessment: install "hot box detectors" on existing trains, with the following functions:
- monitor overheating of wheelsets and axleboxes;
- in case of overheating, light a lamp in the driver's cabin.
The train driver can then stop safely and verify whether additional operational actions are necessary (e.g. proceed with a speed restriction).

5 TS under assessment: onboard Hot Box Detection system – 2. Differences between the existing system and the change under assessment
Instead of radio communication from the Traffic Control Centre, the "hot box information to driver" is replaced by a "visual and/or audible indication", using for example a wired connection or a train communication bus.
Existing infrastructure HB detection system: trackside detectors laid at regular distances along the railway line → if a detector fails, the "hot box event" is detected at the next location (e.g. detectors every 25 km: at 250 km/h the next HB detector is reached in 6 minutes). Infrastructure detection is therefore fault tolerant: an HB event remains undetected only during the time needed to reach the next trackside HB detector.
New trainborne HB detection system: HB detection is continuous instead of punctual (e.g. every 25 km); if the HB detector fails, an HB event remains undetected until the detector is repaired (information for the risk assessment: need for redundancy?). HB information is not automatically available to the IM → the Traffic Controller cannot enforce the necessary speed reduction on adjacent tracks to mitigate the lateral shock risks caused by the blast when two trains cross.

6 TS under assessment: onboard Hot Box Detection system – 3. Scope, assumptions and limits of the risk assessment
Functions not studied: some HB detection systems might also
- indicate an increase of the temperature gradient, which influences the operational procedures and the urgency of the driver's reaction for stopping the train safely;
- locate accurately the coach number, axle number and side of the train where the wheelset or axlebox is overheating.
Limitations of the risk assessment:
- the statistics of hot box occurrences used in the example depend on the effectiveness of the maintenance and operational procedures of the RU SMS;
- the risk assessment is done by an RU which decides to fit some of its existing trains with a new trainborne hot box detection system;
- the existing infrastructure hot box detection system is not removed and continues to be used;
- the manner in which those two systems are used together, with any necessary operational procedures, is not covered by the risk assessment below; it needs to be analysed and evaluated in a separate risk assessment.

7 TS under assessment: onboard Hot Box Detection system – 3. Scope, assumptions and limits of the risk assessment (continued)
Limitations of the risk assessment:
- failures of the train driver are not considered, and no associated risk control measures are proposed; the risk assessment focuses only on the technical aspects of the change. It is assumed that the associated human factor aspects are properly analysed and controlled through the RU SMS;
- since with a trainborne HB detection system HB events can occur at any moment and at any location on the track, operational procedures need to be defined with the IM to manage the safe stopping of the train at an appropriate and agreed location, including the need for the IM to enforce a speed reduction for trains on adjacent tracks in order to manage the risks caused by the blast at the crossing of two trains in opposite directions.
Although these considerations impact the safe operation of the railway, they do not condition the setting of quantitative safety requirements for the design of the trainborne HB detection system → they must be addressed by a separate risk assessment.

8 TS under assessment: onboard Hot Box Detection system – 4(a) Hazard Identification: use of an FMEA
[FMEA worksheet: table not present in the text]

9 TS under assessment: onboard Hot Box Detection system – 4(b) Hazard Classification: use of an FMEA
[FMEA worksheet: table not present in the text]

10 TS under assessment: onboard Hot Box Detection system – 4(b) Hazard Classification: use of an FMEA (continued)
[FMEA worksheet: table not present in the text]

11 TS under assessment: onboard Hot Box Detection system – 5. Applicability of CSM-DT, based on point 2.5.5 of Reg. 2015/1136
CSM-DT can be used if a failure has "… a credible potential to lead directly to … a catastrophic … or a critical accident".
In practice: a single failure of the HB Detector does not lead directly to an accident.

12 TS under assessment: onboard Hot Box Detection system – 5. Applicability of CSM-DT (continued)
What conditions have a credible potential to LEAD DIRECTLY to an accident in case of failure of the trainborne Hot Box Detection function?

13 TS under assessment: onboard Hot Box Detection system – 5. Applicability of CSM-DT, based on point 2.5.9 of Reg. 2015/1136
"Where the failure of a function of the TS under assessment does not lead directly to the risk under consideration, the application of less demanding CSM-DT shall be permitted if the proposer can demonstrate that the use of barriers … allows the same level of safety to be achieved."
What barriers external to the HB Detector make it possible to prevent, detect and, when necessary, correct emerging failures of wheelsets and axleboxes (e.g. wheel bearing fatigue, loss of bearing lubrication in axleboxes, defective brakes or any other cause) that can lead to the Hot Box Event hazard?

14 TS under assessment: onboard Hot Box Detection system – 5. Applicability of CSM-DT: barriers external to the HB Detector
(a) Appropriate maintenance and operational procedures of the SMS (pre-departure checks, periodic planned maintenance inspections and preventive maintenance operations).
(b) Those SMS provisions either reduce the frequency of occurrence of the HB hazard or mitigate the severity of its potential consequences.
(c) The effectiveness of those external barriers has a direct impact on the actual frequency of occurrence of HB events → the proposer (i.e. the RU) has statistics of the actual frequency of occurrence of HB events for its fleet → knowledge of the frequency of occurrence of HB events can thus be used to derive the permissible frequency of occurrence of failures of the "trainborne HB Detector and HB Event indication".

15 TS under assessment: onboard Hot Box Detection system – 6. Setting up of the applicable category of CSM-DT
[Slide content not present in the text]

16 TS under assessment: onboard Hot Box Detection system – 6. Setting up of the applicable category of CSM-DT (continued)
[Slide content not present in the text]

17 TS under assessment: onboard Hot Box Detection system – 6. Setting up of the applicable category of CSM-DT (continued)
[Diagram labels: "CSM-DT setup for failure of overall HB detection function"; "Known from monitoring effectiveness of SMS"]

18 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements
[Fault tree not present in the text. Labels: "Available information for risk assessment"; "Use of Fault Trees (FTA) for Quantitative Allocation"; "Assumption for the risk assessment"]

19 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 1 – Use of a single trainborne Hot Box Detector
[Fault tree for CASE 1: not present in the text]

20 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 1 – Use of a single trainborne Hot Box Detector
Analysis of results: the 10⁻⁹ h⁻¹ target for the overall HB function is achieved if:
(1) the total failure rate of the HB Detector is less than 6×10⁻⁷ h⁻¹;
(2) the HB Detector is tested completely every 300 h (monthly maintenance);
(3) the HB event lamp is tested every day (i.e. every 10 hours of operation).
6×10⁻⁷ h⁻¹ is too demanding a quantitative safety requirement for the HB Detector: at the border between SIL 2 and SIL 3 requirements for a TS in the CENELEC 5012x standards.

21 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 1 – Use of a single trainborne Hot Box Detector (continued)
If the cost of a single HB Detector with demanding safety requirements and short maintenance intervals is unacceptable, or if the loss of a single HB Detector is unacceptable from the operational and maintenance constraint points of view (it not only disturbs traffic operation but also requires unplanned corrective maintenance) → the use of a redundant HB detection architecture, with a higher permissible frequency of failure and longer maintenance intervals, can be envisaged.
Reminder:
(a) the existing infrastructure HB detection system is fault tolerant: if a detector malfunctions, an HB event remains undetected only during the time needed to reach the next trackside HB detector;
(b) a new trainborne single HB Detection system is not fault tolerant: if the detector fails, an HB event can no longer be detected by the train equipment as long as the detector is not repaired (i.e. until the planned monthly maintenance Test Interval).

22 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 2 – Use of a redundant trainborne Hot Box Detector architecture
Could the (quantitative) safety requirements for the HB Detector be less demanding?
[Fault tree for CASE 2: not present in the text]

23 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 2 – Redundant trainborne Hot Box Detector architecture – monthly maintenance
Analysis of results: the 10⁻⁹ h⁻¹ target for the overall HB function is achieved if:
(1) the total failure rate of the HB Detector is less than 6×10⁻⁵ h⁻¹;
(2) the HB Detector is tested completely every 300 h (monthly maintenance);
(3) the HB event lamp is tested every day (i.e. every 10 hours of operation).
6×10⁻⁵ h⁻¹ is 100 times less demanding, BUT the HB Detector must still be tested completely, and if necessary restored, every 300 hours (monthly maintenance) → the Test Interval is still short.

24 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: CASE 2 – Redundant trainborne Hot Box Detector architecture – maintenance every 6 months
Analysis of results: the 10⁻⁹ h⁻¹ target for the overall HB function is achieved if:
(1) the total failure rate of the HB Detector is less than 5×10⁻⁶ h⁻¹;
(2) the HB Detector is tested completely, and maintained if needed, every 6 months;
(3) the HB event lamp is tested every day (i.e. every 10 hours of operation).
5×10⁻⁶ h⁻¹ is about 10 times less demanding than CASE 1; advantage: the HB Detector must be tested completely, and if necessary restored, only every 6 months (i.e. a much longer Test Interval).

25 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: final decision on the allocation of quantitative safety requirements
Several alternative technical options have been analysed → several sets of safety requirements with corresponding acceptable maintenance intervals:
CASE 1: one HB detector [λ < 6×10⁻⁷ h⁻¹] – monthly complete maintenance
CASE 2(a): two HB detectors [λ < 6×10⁻⁵ h⁻¹] – monthly complete maintenance
CASE 2(b): two HB detectors [λ < 5×10⁻⁶ h⁻¹] – complete maintenance every 6 months
The decision on the technical solution to use, and thus on the necessary maintenance intervals, will be taken based on the balance between:
(a) product cost of the HB Detector → high quantitative safety requirements imply a more expensive TS;
(b) frequency, testability and cost of maintenance of the HB Detector;
(c) availability of the HB Detector and acceptability of disturbing traffic operation in case of loss of a single HB Detector.
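Worked example (added here; it is not the fault tree from the ERA slides, which is not reproduced in the text). The Python below applies the standard approximation for a dormant, periodically tested failure to the three architectures of Cases 1, 2(a) and 2(b): mean unavailability λT/2 for one detector tested every T hours, and (λT)²/3 for two independent detectors tested together, combined through an OR gate with the daily-tested cabin lamp and multiplied by the HB-event frequency to obtain the rate of the hazard "HB event undetected by the TS when required". The 10⁻⁹ h⁻¹ target, the 300 h monthly interval and the 10 h lamp interval come from the slides; the HB-event frequency (8×10⁻⁶ per operating hour), the lamp failure rate (10⁻⁶ h⁻¹) and the six-month interval of 1800 operating hours are hypothetical assumptions chosen for illustration, so the allocated failure rates it prints differ from the slide values. What it shows is the mechanism: how the target, the fleet HB-event statistics, the redundancy and the test interval jointly fix the permissible detector failure rate, in both directions (check a candidate λ, or allocate the largest λ that still meets the target).

```python
"""Periodic-test unavailability model for the onboard HB detection function.

Added worked example, not the ERA fault tree.  Approximations used
(valid for lambda*T << 1, which is checked):
  one detector, tested every T h                -> U = lambda*T/2
  two independent detectors, tested together,
  detection lost only when both fail (1oo2)     -> U = (lambda*T)^2/3
Top event "HB event occurs while the onboard function cannot indicate it":
  rate = f_HB * P(detector(s) down OR cabin lamp down)
"""
import math

TARGET_RATE = 1e-9                       # slides: harmonised design target, per hour
MONTHLY_TEST_H = 300.0                   # slides: monthly maintenance == 300 operating hours
SIX_MONTH_TEST_H = 6 * MONTHLY_TEST_H    # ASSUMPTION: 1800 operating hours (10 h/day)
LAMP_TEST_H = 10.0                       # slides: lamp tested daily == every 10 operating hours

HB_EVENT_RATE = 8e-6        # ASSUMPTION (hypothetical): HB events per operating hour, from RU statistics
LAMP_FAILURE_RATE = 1e-6    # ASSUMPTION (hypothetical): fail-dark failure rate of the cabin lamp


def _check_small(failure_rate, test_interval):
    """The lambda*T/2 and (lambda*T)^2/3 approximations need lambda*T << 1."""
    if failure_rate * test_interval > 0.1:
        raise ValueError("lambda*T too large for the linearised test model")


def mean_unavailability(failure_rate, test_interval):
    """One channel whose dormant failure is revealed only by the periodic test."""
    _check_small(failure_rate, test_interval)
    return failure_rate * test_interval / 2.0


def mean_unavailability_1oo2(failure_rate, test_interval):
    """Two identical independent channels tested at the same time; both must fail."""
    _check_small(failure_rate, test_interval)
    return (failure_rate * test_interval) ** 2 / 3.0


def detector_unavailability(failure_rate, test_interval, redundant):
    model = mean_unavailability_1oo2 if redundant else mean_unavailability
    return model(failure_rate, test_interval)


def undetected_hb_rate(failure_rate, test_interval, redundant):
    """Rate (per hour) of the hazard 'HB event undetected by the TS when required'."""
    u_det = detector_unavailability(failure_rate, test_interval, redundant)
    u_lamp = mean_unavailability(LAMP_FAILURE_RATE, LAMP_TEST_H)
    u_or = u_det + u_lamp - u_det * u_lamp      # OR gate over independent basic events
    return HB_EVENT_RATE * u_or


def meets_target(failure_rate, test_interval, redundant):
    return undetected_hb_rate(failure_rate, test_interval, redundant) <= TARGET_RATE


def allocate_failure_rate(test_interval, redundant):
    """Inverse problem: the largest detector failure rate that still meets the target.

    The unavailability budget for the whole indication chain is TARGET/f_HB; the
    lamp's share is removed first, then the OR gate and the test model are inverted.
    """
    u_lamp = mean_unavailability(LAMP_FAILURE_RATE, LAMP_TEST_H)
    u_budget = TARGET_RATE / HB_EVENT_RATE
    if u_budget <= u_lamp:
        raise ValueError("the lamp alone consumes the budget: shorten its test interval")
    u_det = (u_budget - u_lamp) / (1.0 - u_lamp)
    if redundant:
        lam = math.sqrt(3.0 * u_det) / test_interval
    else:
        lam = 2.0 * u_det / test_interval
    _check_small(lam, test_interval)
    return lam


if __name__ == "__main__":
    cases = [
        ("CASE 1    single, monthly    ", MONTHLY_TEST_H, False, 6e-7),
        ("CASE 2(a) 1oo2,   monthly    ", MONTHLY_TEST_H, True, 6e-5),
        ("CASE 2(b) 1oo2,   six-monthly", SIX_MONTH_TEST_H, True, 5e-6),
    ]
    for name, t, red, slide_lambda in cases:
        print(f"{name}: allocated lambda <= {allocate_failure_rate(t, red):.2e} /h; "
              f"slide value {slide_lambda:.0e} /h gives hazard rate "
              f"{undetected_hb_rate(slide_lambda, t, red):.2e} /h, "
              f"target met: {meets_target(slide_lambda, t, red)}")
```

Two things the numbers make visible that the slides only state: the redundant architecture relaxes λ by roughly √(3/(λT))-fold rather than a fixed factor, so its benefit shrinks as the test interval grows (Case 2(b) is far more demanding than 2(a) for that reason), and the daily-tested lamp sits in the same OR gate as the detector, so its unavailability must be subtracted from the budget before any detector λ is allocated. The λT ≪ 1 check is the caveat a reviewer should look for in any such allocation: with a six-month interval and a detector near 10⁻⁴ h⁻¹ the linearised model is no longer valid and a proper time-dependent fault tree is needed.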

26 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: (in)completeness of the risk assessment
The quantitative requirements apply only to random hardware failures. Although it seems extensive, the risk assessment is not complete. For example, to install and integrate the HB detection function safely in the train, additional (safety) requirements need to be defined by an overall risk assessment:
(a) point 2.5.7(b) of Reg. 2015/1136 requires that "the risks associated with the systematic failures and systematic faults …" also be "… controlled in accordance with safety and quality processes commensurate with the harmonised design target …";
(b) mechanical constraints (size, weight, etc.) and physical interface requirements with the train are to be specified and communicated to the manufacturer.

27 TS under assessment: onboard Hot Box Detection system – 7. Allocation of quantitative requirements: (in)completeness of the risk assessment (continued)
The overall risk assessment should determine, based on the rolling stock architecture, the installation constraints (e.g. the most appropriate location on the bogies):
(a) to enable detection of overheating of all four wheelsets of a bogie;
(b) to control the risks of damage to the HB Detector housing, to the wiring interface for the indication of a detected HB Event to the driver, or to both, by projections of ballast, snow and ice in winter conditions, caused by the dynamic turbulence underneath the train at high speed;
(d) the relevant operational procedures defining the actions to be taken in case of loss of communication between the HB detectors and the Driver's Cabin;
(e) the Human Factor aspects related to the operational rules in case of an HB Event, to be analysed and controlled through the RU SMS;
(f) etc.
All relevant requirements for the HB Detector, including the allocated quantitative safety targets, must be transferred to the manufacturer.

28 TS under assessment: onboard Hot Box Detection system – 8. Conclusions from the risk assessment and CSM-DT allocation
The predictive risk assessment demonstrates that the occurrence of the hazard "HB event undetected by the TS when required" is acceptable if:
(a) the allocated quantitative requirement is used for the design of the HB Detector;
(b) the HB detection lamp is tested every day (i.e. every 10 hours) in accordance with a dedicated procedure to be included in the Train Driver's Manual;
(c) the HB Detector is tested in accordance with appropriate maintenance procedures at time intervals commensurate with the defined quantitative requirement; those procedures need to be clearly written and be part of the RU SMS;
(d) the HB detection function is safely integrated within the train in compliance with the requirements to be identified by the additional risk assessment.
All safety requirements from the risk assessment are registered in the Hazard Record in compliance with Reg. 402/2013.
