SIGNAL + DRAHT (104) 10/2012

5 Formulation of the model

5.1 Analysis of multiple causes

For the final situation of a full fleet of trains equipped with the onboard ETCS level 1 equipment running on a rail network fully equipped with the trackside ETCS level 1 system, the associated basic fault tree for rail collisions is given in Figure 2. The top event ER (Evènement Redouté, undesired event) is broken down into the following two causes:

- ER(1) – Overpassing of the danger point covered by a valid target point. The train is running with a level 1 Movement Authority extending to the end of authority which protects the danger point. The end of authority is overpassed at low speed but the coverage distance is not enough for the train to stop without reaching the danger point.
- ER(2) – The ETCS supervised location (end of authority) is located downstream of the closed signal and the driver is not aware (or is aware too late). The train is running with a permissive Movement Authority which does not protect the train's movement against overpassing a danger point. The consequences of this situation are generally not recoverable by the driver.

Estimations show that the tolerable frequency of occurrence of hazard ER(1) is one order of magnitude higher than the respective rate of ER(2). ER(1) has all the human driving errors as its dominant cause. This operational cause should be compared with the causes of fault that are technical in nature (random or systematic) at the source of hazard ER(2).

THR(ER) ≈ THR(ER1) = Freq{EV(C)} · Prob{EV(B)}

Quantification of the event ER(1) in the tree involves combination of two factors: firstly the frequency of overpassing end of authority incidents, Freq{EV(C)}, and secondly the conditional probability of overpassing a danger point in the presence of ETCS1 given that an end of authority protecting this danger point has been overpassed, Prob{EV(B)}.
5.2 Quantification of the EV(C) incident rate

Among the causes EV(Ci) of the overpassing end of authority incident, the intrinsic human error of the driver failing to respect the ETCS1 stop instruction, i.e. event EV(C1), constitutes the dominant cause with the largest impact on the incident rate Freq{EV(C)}. In fact the frequency of occurrence of EV(C1) is at least two orders of magnitude higher than those of the other causes:

Freq{EV(C)} ≈ Freq{EV(C1)}

The driver's human error EV(C1) is itself broken down into a number of basic causes (distraction or lack of vigilance, observation error, forgetfulness, inadequate knowledge of the site or the rolling stock, lack of driving experience, late braking, failure to respect the signal, error in applying procedures, fatigue, error in estimating the distance to the stopping point, etc.). Studying the many cases of signal passed at danger currently observed allows us to establish a breakdown of elementary causes of error with lineside signalling. The influence of the ETCS1 supervision system is analysed for each elementary cause and for the four groups of technical modes or operational circumstances:

- full supervision & on sight Release Speed Monitoring (cause EV(C11), hazard § 3.1)
- shunting & staff responsible (cause EV(C12), hazard § 3.2)
- N: operational circumstances in which the ETCS1 operation control functions are ineffective (cause EV(C13), hazard § 3.3)
- full supervision & on sight Dynamic Speed Supervision (cause EV(C14))

Figure 2: Fault tree for a train collision under ETCS level 1
