System reliability analysis of interactions between ETCS, train drivers and dispatchers, demonstrated by STPA

Master Thesis (2022)
Author(s)

Julian Aantjes (TU Delft - Civil Engineering & Geosciences)

Contributor(s)

Pieter H.A.J.M. Van Gelder – Mentor (TU Delft - Safety and Security Science)

RMP Goverde – Graduation committee member (TU Delft - Transport and Planning)

W.M.T. Mennen – Coach (ProRail)

G.M. Verduijn – Coach (ProRail)

Faculty
Civil Engineering & Geosciences
Copyright
© 2022 Julian Aantjes
Publication Year
2022
Language
English
Graduation Date
29-09-2022
Awarding Institution
Delft University of Technology
Programme
Civil Engineering | Construction Management and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The Dutch railway transport system is a system of systems and also a sociotechnical system that will migrate to the radio-based signalling standard ERTMS (European Rail Traffic Management System). ERTMS will affect train drivers and dispatchers the most, especially through the introduction of the signalling and control element of ERTMS: the European Train Control System (ETCS). A reliability requirement for the migration towards ERTMS requires demonstrating that the reliability of the system stays the same or improves. Reliability can be quantified if all possible risks are known, but identifying risks with traditional models is insufficient, because they do not capture the complexities and dynamics of sociotechnical systems.

The hazard analysis technique ‘systems theoretic process analysis’ (STPA) is a promising technique for identifying hazards sufficiently: it models the system as a control structure and searches systematically for hazards. The main research question of this thesis is: ‘To what extent can STPA be applied to identify risks and determine the system reliability of interactions between ETCS, train drivers and dispatchers?’ The two research objectives are to determine which risks are caused by those interactions and how STPA can be applied for an effective risk assessment.

STPA consists of 4 structured steps. First, the analysed system is described and the purpose of the analysis is set. In the second step, the system is modelled as a control structure. The third step of STPA is to identify unsafe control actions using guide words. 27 unsafe control actions are identified for the 8 control actions present in the control structure. The last step of STPA is to identify loss scenarios that could lead to the unsafe control actions; these were formulated together with system experts.

The desk research and this research demonstrate that STPA is more complete and more thorough in identifying hazards than the traditional hazard analysis technique ‘failure mode, effects and criticality analysis’ (FMECA). In this research, STPA identified 70 loss scenarios in the analysed procedure (compared to 4 issues identified with FMECA); these hazards ranged from missing or inadequate feedback mechanisms to inconsistent process models of the train drivers or dispatchers. Besides technical failures, STPA also identified design flaws in the procedure and unsafe interactions between the ETCS, train drivers and dispatchers.

Besides the conclusion that STPA turned out to be more complete and thorough in identifying hazards, another advantage of STPA is that performing it is very structured and not superficial. An identified disadvantage of STPA is that the method stops immediately after the hazards are defined. Determining the probability of occurrence and the impact expressed in train delay minutes can support prioritization of the hazards and a better risk assessment.

To conclude, this research recommends applying STPA to complex systems in which multiple controllers are involved. An STPA expert, someone who has experience with applying STPA in different projects, is key to successfully implementing STPA in an organisation.

Files

Thesis_Julian_Aantjes.pdf
(pdf | 4.8 Mb)
License info not available