IEEE 1474.1-2004 CBTC (Chinese edition) (3)

2020-06-30 10:46

A System Safety Program shall be instituted during the CBTC system planning/design phase and shall continue throughout the system life cycle. The CBTC System Safety Program shall emphasize the prevention of accidents by identifying and resolving hazards in a systematic manner. A CBTC System Safety Program Plan (SSPP) shall be developed for each CBTC application. The CBTC SSPP shall be prepared in accordance with the requirements of E.1 of Annex E or the requirements of the American Public Transit Association’s Manual [B1] or equivalent requirements, as approved by the authority having jurisdiction. A system safety program shall be established during the CBTC system design phase and shall remain in force throughout the system life cycle. The CBTC system safety program shall emphasize identifying and resolving hazards in a systematic manner in order to prevent accidents. An SSPP shall be established for each CBTC application.

Implementation of the CBTC SSPP shall specifically recognize configuration management issues, given the importance of software and hardware configuration control in maintaining system safety.

5.3.2 CBTC hazard identification and risk assessment process

Hazard analyses shall be employed during the design of a CBTC system to assist in the identification and evaluation of potential hazards to assess their likelihood and severity and to document their resolution. As a minimum, a preliminary hazard analysis (PHA) shall be conducted for each new CBTC system project.

Other detailed analyses, including system/subsystem hazard analyses, failure modes, effects and criticality analyses, fault tree analyses, and operational and support hazard analyses, shall also be conducted if mandated by the CBTC SSPP. These analyses shall be conducted in accordance with E.2, E.3, E.4, and E.5 of Annex E or equivalent requirements, as approved by the authority having jurisdiction.

All hazards identified through the CBTC System Safety Program shall be assessed in terms of the severity or consequence of the hazard and the probability of occurrence. This shall be accomplished in general accordance with the criteria outlined in E.6 of Annex E or the equivalent, as approved by the authority having jurisdiction. Risk assessment estimates shall be used as the basis in the decision-making process to determine whether individual system or subsystem hazards shall be eliminated, mitigated, or accepted. This process shall include full documentation of the hazard resolution activities.

Hazards shall be resolved through a design process that emphasizes the elimination of the hazard. The effectiveness of the hazard resolution strategies and countermeasures shall be monitored to determine that no new hazards are introduced. In addition, whenever substantive changes are made to the system, analyses shall be conducted to identify and resolve any new hazards.

As a minimum, a CBTC system shall address the following critical/catastrophic system hazards through the

a) Train-to-train collisions (rear-end, sideswipe, head-on); hazard to be addressed through train separation assurance (see 6.1.2), rollback protection (see 6.1.4), parted consist protection (see 6.1.6), route interlocking protection (see 6.1.11), and traffic direction reversal interlocks (see 6.1.12)

b) Train-to-structure collisions; hazard to be addressed through end-of-track protection (see 6.1.5) and restricted route protection (see 6.1.16)

c) Train derailments; hazard to be addressed through overspeed protection (see 6.1.3), route interlocking protection (see 6.1.11), and (where specified by the authority having jurisdiction) broken rail detection (see 6.1.14)

d) Collisions between trains and highway vehicles (where highway crossing at grade exists within the limits of CBTC territory); hazard to be addressed through grade-crossing warning devices that may include interfaces to the CBTC system (see 6.1.15)

e) Hazards to work crews and work trains; hazards to be addressed through CBTC work zone protection functions (see 6.1.13)

f) Hazards to passengers associated with train movement with train doors open; hazards to be addressed through interface between the CBTC system and the train door system (where required by the authority having jurisdiction) to provide door opening control protection interlocks (see 6.1.8), zero speed detection (see 6.1.7), and departure interlocks (see 6.1.9)

g) Hazards associated with collisions with objects on the track; hazards to be addressed through interfaces between the CBTC system and intrusion detection devices (where specified by the authority having jurisdiction) (see 6.1.16)

5.3.3 CBTC vital functions

To eliminate or control to a level acceptable to the authority having jurisdiction those hazards judged to be unacceptable or undesirable through the risk assessment process of 5.3.2, a CBTC system shall include, as a minimum, the vital functions identified in 6.1.

All vital functions of a CBTC system shall be designed and implemented in accordance with fail-safe principles. Documentation of the means used, and proof that fail-safe principles have been met and the mean time between hazardous event (MTBHE) requirements of 5.3.4 have been satisfied, shall be required for every CBTC system.

Verification that the processor-based portions of a CBTC system meet these minimum system safety requirements shall be completed in accordance with IEEE Std 1483-2000.

5.3.4 Quantitative CBTC safety performance requirements

For any CBTC system application, the CBTC wayside and train-borne equipment located within any contiguous portion of a one-way route that can be traversed by a train traveling at the specified maximum authorized speed for one hour or less shall have a total calculated aggregate MTBHE (total of all critical and catastrophic hazards) of at least 10^9 operating hours. This includes the maximum number of other trains that can be located in this contiguous portion of a one-way route under the specified peak operating headway.

System safety documentation shall support these calculations and substantiate the methodology used to arrive at the result. For the purposes of MTBHE calculations, a hazardous event shall include, as a minimum, the occurrence of any of the specific hazards identified in 5.3.2.

NOTE—If the end-to-end trip time for a given route is greater than 1 h, the MTBHE requirement for that route would be adjusted proportionately. As an illustrative example, if the specified end-to-end trip time (per 5.2) for a given one-way route is 2 h, and if the route includes 4 sets of wayside CBTC equipment, and if a maximum of 10 trains can be operating on the route at a given time (when operating at the specified peak headway, per 5.1), then the MTBHE of the combined 4 sets of wayside CBTC equipment and 10 sets of train-borne CBTC equipment on that route would be at least 0.5 × 10^9 operating hours.
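A worked check of the 5.3.4 requirement and its proportional scaling, as an added example that is not part of the standard. The per-set MTBHE values and the rule that hazardous-event rates of independent equipment sets add (so the aggregate MTBHE is the reciprocal of the summed rates) are assumptions of this example, not values or a method the standard prescribes.

```python
# Added example, not from IEEE Std 1474.1-2004: checks the aggregate MTBHE
# requirement of 5.3.4 for one contiguous one-way route.  The per-set MTBHE
# figures and the rule that independent hazard rates add are assumptions of
# this example, not values or methods the standard prescribes.

FULL_REQUIREMENT_H = 1e9  # aggregate MTBHE for a route traversed in 1 h or less


def required_mtbhe(trip_time_h: float) -> float:
    """Aggregate MTBHE the route must reach, in operating hours.

    Per the NOTE in 5.3.4 the 1e9 h figure is scaled proportionately when the
    end-to-end trip time exceeds 1 h (a 2 h route needs 0.5e9 h).
    """
    if trip_time_h <= 0:
        raise ValueError("trip time must be positive")
    return FULL_REQUIREMENT_H / max(trip_time_h, 1.0)


def aggregate_mtbhe(wayside_sets: int, wayside_set_mtbhe_h: float,
                    max_trains: int, trainborne_set_mtbhe_h: float) -> float:
    """Calculated aggregate MTBHE of all equipment that can be on the route.

    max_trains is the maximum number of trains present under the specified
    peak headway.  Assumption: hazardous-event rates of independent equipment
    sets add, so the aggregate MTBHE is the reciprocal of the summed rates.
    """
    total_rate = (wayside_sets / wayside_set_mtbhe_h
                  + max_trains / trainborne_set_mtbhe_h)
    return 1.0 / total_rate


def meets_requirement(trip_time_h: float, wayside_sets: int,
                      wayside_set_mtbhe_h: float, max_trains: int,
                      trainborne_set_mtbhe_h: float) -> bool:
    """True when the calculated aggregate MTBHE reaches the scaled requirement."""
    calculated = aggregate_mtbhe(wayside_sets, wayside_set_mtbhe_h,
                                 max_trains, trainborne_set_mtbhe_h)
    return calculated >= required_mtbhe(trip_time_h)


if __name__ == "__main__":
    # The route of the NOTE: 2 h trip, 4 wayside sets, at most 10 trains.
    # Per-set MTBHE figures below are constructed for illustration.
    print(required_mtbhe(2.0))                        # 500000000.0
    print(meets_requirement(2.0, 4, 2e10, 10, 1e10))  # True
    print(meets_requirement(1.0, 4, 2e10, 10, 1e10))  # False
```

The same equipment passes on the 2 h route but fails on a 1 h route, which is the point of the proportional adjustment: the requirement is per route, not per equipment set.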

Information on references can be found in Clause 2.

IEEE Std 1474.1-2004, IEEE Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements. Copyright © 2005 IEEE. All rights reserved.

5.3.5 Basic safety design principles

5.3.5.1 Normal transit system operations with no CBTC hardware failures

A CBTC system shall respond safely and correctly perform all ATP functions within the normal range of inputs and other operating and environmental conditions.

All conditions necessary for the existence of any permissive state or action shall be verified to be present before the permissive state or action is initiated by a CBTC system. The requisite conditions shall be verified to be continuously present for the permissive state or action to be maintained.

System safety shall not depend on the correctness of actions taken or procedures used by operating personnel. Procedures shall not be considered a substitute for safety functions that are to be vested in specific CBTC components or equipment.

5.3.5.2 Abnormal transit system operations with no CBTC hardware failures

A CBTC system shall respond safely under conditions of abnormal system loading, abnormal/improper inputs, and other abnormal external influences such as electrical, mechanical, and environmental factors.

5.3.5.3 Response to CBTC hardware failures

A CBTC system shall respond safely under conditions of credible hardware failure.

NOTE—The AREMA Communications & Signals Manual, Part 17.3.3 [B2], provides examples of credible hardware failures.

Failure to perform a logical operation or absence of a logical input, output, or decision shall not cause an unsafe condition, i.e., system safety shall not depend upon the occurrence of an action or logical decision.

Hazard analyses shall consider all credible CBTC hardware failure modes. Justification shall be provided for conceivable failure modes that are not considered credible. The effect of each credible CBTC failure mode shall be classified as either self-revealing or non-self-revealing, as follows:

— No credible single point CBTC hardware failure, whether self-revealing or non-self-revealing, shall cause an unsafe condition.

— No credible CBTC hardware failure in combination with one or more non-self-revealing failures shall cause an unsafe condition. In the instance of a non-self-revealing failure, a subsequent failure shall not be considered independent.

— The probability of a critical or catastrophic hazard arising as a result of combinations of simultaneous independent self-revealing failures shall be considered in the calculated CBTC MTBHE.

5.3.5.4 Recovery from CBTC hardware failures

A combination of functional elements of the CBTC system itself, an auxiliary wayside system (if specified by the authority having jurisdiction), and/or operating procedures shall provide for the safety of train movement under failure conditions, including failure recovery.

5.4 System assurance requirements

5.4.1 General

The ability of a CBTC system to accomplish the functional requirements of this standard, under normal conditions and under conditions of equipment failure, is of paramount importance to the authority having jurisdiction. This subclause establishes qualitative availability, reliability, and maintainability criteria for CBTC systems and equipment in order to meet or exceed the on-time performance and fleet availability objectives of the authority having jurisdiction, and thereby minimize delays experienced by passengers. In addressing CBTC equipment failures, a distinction shall be made between the following failure types:

a) Type 1: Those failures, or combination of failures, that impact on-time performance of the transit system.

b) Type 2: Those failures, or combination of failures, that do not impact on-time performance of the transit system, but do result in some other loss of specified CBTC functionality.

c) Type 3: Those failures that do not impact on-time performance of the transit system or result in a loss of any specified CBTC functionality (e.g., because of equipment redundancy).

The CBTC system availability requirement (see 5.4.2) shall include consideration of all Type 1 failures, as well as the mean time to restore service (MTTRS) for Type 1 failures. The CBTC system mean time between functional failure (MTBFF) requirement (see 5.4.3) shall include consideration of all Type 1 and Type 2 failures.

The CBTC system mean time between failure (MTBF) requirement (see 5.4.3) shall include consideration of all Type 1, Type 2, and Type 3 failures.

While system availability, system MTBFF, and system MTBF predictions traditionally consider only hardware failures, measurements of achieved system availability, system MTBFF, and system MTBF shall also consider software errors (i.e., software fails to perform intended function) as well as hardware failures.
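The failure-type distinctions of 5.4.1 applied to a constructed one-year failure record, as an added example that is not part of the standard. The `Failure` record, the sample entries and the availability formula (uptime over uptime plus Type 1 service downtime) are this example's assumptions; the standard leaves availability methods to Annex F.

```python
# Added example, not from IEEE Std 1474.1-2004: derives the 5.4.1 figures
# (MTBF, MTBFF, MTTRS) from a constructed failure record using the Type 1/2/3
# definitions of that subclause.  The availability formula is this example's
# assumption; the standard defers availability methods to Annex F.
from dataclasses import dataclass

@dataclass(frozen=True)
class Failure:
    description: str
    delays_service: bool   # impacted on-time performance
    loses_function: bool   # some specified CBTC functionality was lost
    restore_h: float       # time to restore service, hours (Type 1 only)

def failure_type(f: Failure) -> int:
    """Type 1 delays service; Type 2 loses function only; Type 3 neither."""
    if f.delays_service:
        return 1
    return 2 if f.loses_function else 3

def mtbf(failures, operating_h: float) -> float:
    """Mean time between failure: all Type 1, 2 and 3 failures count."""
    return operating_h / len(failures) if failures else float("inf")

def mtbff(failures, operating_h: float) -> float:
    """Mean time between functional failure: Type 1 and Type 2 only."""
    n = sum(1 for f in failures if failure_type(f) != 3)
    return operating_h / n if n else float("inf")

def mttrs(failures) -> float:
    """Mean time to restore service, averaged over Type 1 failures only."""
    t1 = [f.restore_h for f in failures if failure_type(f) == 1]
    return sum(t1) / len(t1) if t1 else 0.0

def availability(failures, operating_h: float) -> float:
    """Assumed model: uptime / (uptime + service downtime from Type 1 failures)."""
    down = sum(f.restore_h for f in failures if failure_type(f) == 1)
    return operating_h / (operating_h + down)

# Constructed one-year record (8760 operating hours).  The software error is
# counted too, as 5.4.1 requires for measured (achieved) figures.
RECORD = [
    Failure("train-to-wayside radio lost, train held", True, True, 0.5),
    Failure("zone controller failed over to standby", False, False, 0.0),
    Failure("remote diagnostic reporting lost", False, True, 0.0),
    Failure("software watchdog reset delayed departure", True, False, 0.25),
]
OPERATING_H = 8760.0
```

The redundant failover is Type 3 and so lowers MTBF without touching MTBFF or availability, which is exactly why 5.4.1 keeps the three figures separate.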

The following general recommended practices apply:

1) Components and materials should be selected and appropriate standards of quality control and test procedures should be employed to ensure the lowest practical hardware failure rates for individual items of CBTC equipment (i.e., maximize the hardware portion of the system MTBF).

2) Unless non-redundant equipment is sufficiently reliable to satisfy the overall system availability requirements, appropriate levels of equipment redundancy should be employed such that the failure of a single component, processor, or device will not render the CBTC system unavailable or an operationally critical function nonoperative (i.e., maximize the system MTBFF).

3) A CBTC system should incorporate degraded modes of operation to minimize the operational impacts of equipment failures and to permit train movements to continue safely (i.e., maximize system availability).

4) CBTC system downtime or unavailability of an operationally critical function should be minimized through the use of local and remote diagnostic capabilities and appropriate operating and maintenance procedures [i.e., minimize mean time to repair (MTTR)].

5.4.2 System availability requirements

Quantitative CBTC system availability requirements shall be established by the authority having jurisdiction with appropriate consideration of the impacts of CBTC system and subsystem failures on the operation of the transit system. Typical methods for defining CBTC system availability are provided in Annex F.

As specified by the authority having jurisdiction, system availability analysis/modeling shall be used to predict the system availability for a given CBTC system configuration, based on equipment reliability/maintainability calculations, equipment redundancy provisions, and other defined assumptions. As specified by the authority having jurisdiction, system availability demonstration tests shall be performed to determine actual CBTC system availability over a defined period, to a given confidence level.

5.4.3 Equipment reliability requirements

Quantitative CBTC system and subsystem MTBF and MTBFF requirements shall be established by the authority having jurisdiction, consistent with the CBTC system availability requirement of 5.4.2.

5.4.3.1 Design life

CBTC equipment shall have a design life of 30 y.

NOTE—The ability of a CBTC system to remain in operation to the end of its design life will be driven largely by long-term availability of spare parts. Specific requirements with respect to spare part availability shall be defined by the authority having jurisdiction and do not form part of this standard.
