System Safety Practice in China Huibing Zhao 30/10/2007
Contents • Organizations • Education and Programmes • Practice in Railway Signalling • Example: Cab Signalling • Practice in Other Areas • Mining Industries • Civil Aviation • Urban Industry and Public Safety • National Research Plan • Observations • Summary
Organizations 1 • Administration Organizations • State Committee of Work Safety • The committee is chaired by a Vice Premier of the State Council • Members include ministers or vice ministers of the State Council • State Administration of Work Safety • Attached: State Administration of Coal Mine Safety • Provincial or municipal Administration Bureaus of Work Safety • Supervising 7 safety-related associations: • China Work Safety Association • China Occupation Safety & Health Association • China Coal Mine Labour Protection Association • China Coal Mine Pulmonary Disease Therapy Foundation • China Cableway Association • China Chemical Product Safety Association • China Civil Dynamite Product Circulation Association
Organizations 2 • Research Organizations • China Academy of Safety Science and Technology • Strategy research on guidelines and policies for work safety, esp. the coal mine industry • Consultation and assessment of major techno-economic issues • Training and consultation for industry • Research Centre under the State Administration of Work Safety • Originating from the Labour Protection Science Institute and the Work Accident Investigation Centre • Certification of State Registered Safety Engineers • Safety assessment services • Occupational safety and health certification and consultation • Safety-related research • Civil Aviation Safety Research Institute • Development strategy research for civil aviation • Assessment of civil aviation systems • Research on human factors, management and safety techniques
Organizations 3 • Research Organizations • Research centres or key laboratories at universities • State Key Laboratory of Coal Resources and Mine Safety (MUC) • State Key Laboratory of Fire Science (USTC) • State Key Laboratory of Rail Traffic Control and Safety (BJTU) • State Key Laboratory of Automotive Safety and Energy (Tsinghua) • State Key Laboratory of Disaster Prevention in Civil Engineering (Tongji) • State Key Laboratory of Information Security (CAS) • State Key Laboratory of Novel Software Technology (NJU) • State Key Laboratory of Software Engineering (Wuhan) • Trusted Computing Platform • State Key Laboratory of Software Development Environment (BUAA) • State Key Laboratory of Pathogen and Biosecurity (PLA)
Education and Programmes • Up to 2004, 69 universities had set up a Safety Technology and Engineering (STE, Class 2) undergraduate programme • Most of them were set up after 2000 • 32 of them have a graduate programme • 11 of them have a PhD programme, e.g. China Mining University, USTC, Central South University • The Class 1 programme to which STE belongs is Mining Engineering (a mature industry) • Argument: STE should be upgraded to a Class 1 programme • Proposed by several senior experts in August 2005 • Class 1: Safety Science and Engineering • Class 2: Safety Science; Safety Engineering
Practice in Railway Signalling 1 • Traditional safety-related techniques used in railway signalling • Fail-safe principle, e.g. relay, track circuit • ‘Eliminating danger by compensating automatically for a failure or malfunction’ • ‘A concept which is incorporated into the design of a product such that, in the event of failure, it enters or remains in a safe state’
Practice in Railway Signalling 2 • Traditional safety-related techniques used in railway signalling • Fail-safe principle • Operation error prevention, e.g. mechanical interlocking • Failure effect mitigation, e.g. manual/accident release button • Failure rate minimisation, e.g. a fuse installed to protect against short circuit • Redundancy and reconfiguration • Failure diagnosis and detection • Reduced load in use (derating)
Practice in Railway Signalling 3 • Modern railway signalling systems • Complex systems: digital, networked, intelligent, comprehensive • Computers are widely used in train control • The vital computer is the kernel component • ‘Vital’ means ‘contributing to life, necessary to, or supporting life’; a stronger requirement than ‘fail-safe’ • Fault tolerance and redundancy (hardware or software), e.g. TMR, N-version programming, recovery blocks • Safety-critical system: ‘a computer, electronic or electromechanical system whose failure may cause injury or death to human beings’ • Another term used: safety-related system • Examples: ETCS (European Train Control System), CTCS (Chinese Train Control System)
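The fault-tolerance patterns named on this slide, worked through as an added example that is not from the original presentation or from any system it describes. It contrasts TMR (majority voting that masks one faulty channel) with a recovery block (a primary version, an alternate written differently, and an acceptance test), applied to a hypothetical permitted-speed computation v = sqrt(2ad). The constants LINE_SPEED_KMH and DECEL_MS2, the lookup table, the function names and the injected 20 % fault are all constructed for illustration.

```python
"""Added example (not from the slides): two of the fault-tolerance patterns the
slide names, triple modular redundancy (TMR) and the recovery block, applied to
a hypothetical permitted-speed computation v = sqrt(2 a d). The channel
functions, constants and the injected fault are constructed for illustration."""
import math
from collections import Counter
from typing import Callable, List, Optional, Sequence

LINE_SPEED_KMH = 160.0   # constructed line-speed ceiling
DECEL_MS2 = 0.7          # constructed service-braking deceleration, m/s^2
EPS = 1e-6               # tolerance for floating-point comparison


# ---- TMR: three channels feed a majority voter that masks one faulty channel ----
def tmr_vote(outputs: Sequence[int]) -> Optional[int]:
    """Return the value at least two of the three channels agree on.

    None means there is no majority: the voter cannot mask the fault, so the
    consumer must treat the result as 'no valid output' and fail safe. The
    voter cannot tell a correct majority from a common-mode fault that
    corrupts two channels identically."""
    if len(outputs) != 3:
        raise ValueError("TMR votes over exactly three channels")
    value, count = Counter(outputs).most_common(1)[0]
    return value if count >= 2 else None


# ---- Recovery block: primary version, alternate version, acceptance test ----
def permitted_speed_kmh(distance_m: float) -> float:
    """Primary version: exact braking-curve formula, capped at line speed."""
    v_ms = math.sqrt(2 * DECEL_MS2 * max(distance_m, 0.0))
    return min(LINE_SPEED_KMH, v_ms * 3.6)


def permitted_speed_table_kmh(distance_m: float) -> float:
    """Alternate version, deliberately written differently (the N-version idea):
    a coarse lookup that rounds the distance DOWN, so it is never more
    permissive than the exact formula."""
    table = [(0.0, 0.0), (100.0, 40.0), (400.0, 80.0), (900.0, 120.0), (1600.0, 160.0)]
    speed = 0.0
    for threshold, value in table:
        if distance_m >= threshold:
            speed = value
    return speed


def faulty_primary_kmh(distance_m: float) -> float:
    """Constructed defect: a 20 % scaling error that over-reads the permitted speed."""
    return permitted_speed_kmh(distance_m) * 1.2


def acceptance_test(speed_kmh: float, distance_m: float) -> bool:
    """Independent check derived from the physics rather than from either version:
    0 <= v <= line speed and v^2 <= 2 a d, i.e. the train can still stop within d."""
    v_ms = speed_kmh / 3.6
    return (0.0 <= speed_kmh <= LINE_SPEED_KMH
            and v_ms * v_ms <= 2 * DECEL_MS2 * distance_m + EPS)


def recovery_block(versions: List[Callable[[float], float]], distance_m: float) -> float:
    """Run the versions in order; the first result that passes the acceptance
    test is used. If none passes (or every version raises), return 0 km/h,
    the safe 'stop' output."""
    for version in versions:
        try:
            result = version(distance_m)
        except Exception:
            continue
        if acceptance_test(result, distance_m):
            return result
    return 0.0


if __name__ == "__main__":
    print("TMR, one bad channel:", tmr_vote([80, 95, 80]))
    print("TMR, two bad channels:", tmr_vote([95, 95, 80]))
    print("recovery block, healthy primary:",
          recovery_block([permitted_speed_kmh, permitted_speed_table_kmh], 400.0))
    print("recovery block, faulty primary:",
          recovery_block([faulty_primary_kmh, permitted_speed_table_kmh], 400.0))
```

The two patterns fail in opposite directions. TMR keeps producing output as long as two channels agree, so a common-mode fault that corrupts two channels the same way passes the vote undetected (the `[95, 95, 80]` case). The recovery block instead stops at 0 km/h when no version satisfies the acceptance test, which is the same safety-over-availability choice a 2-out-of-2 design makes; its strength depends entirely on the acceptance test being derived independently of the versions it checks.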
[Figure: ETCS System Requirements Specification (SRS) reference architecture. Onboard: ETCS onboard unit kernel, MMI, TIU, STM, odometer, BTM, LTM, GSM-R mobile unit, Euroradio, data recording and downloading unit, train and driver interfaces (FIS/FFFIS). Airgap: Eurobalise, Euroloop, radio infill unit. Wayside: interlocking and LEU, RBC 1 and RBC 2, key management centre, remote control centre, national system, GSM-R fixed network.]
[Figure: Eurocab SRS system description (1). ETCS Level 3: radio block (including interlocking functions), GSM-R, Eurobalises, train integrity check.]
[Figure: SRS system description (2). Data flow in ETCS Level 3: the ETCS onboard unit combines train data, the static speed profile and the dynamic speed profile, takes the lowest value, compares it against position and train ID, and initiates braking; primary track data come from Eurobalises over the air gap and the Movement Authority (MA) comes from the radio block over GSM-R; ETCS trackside equipment.]
Driver MMI for ETCS • Areas for the main tasks • Speed control • Planning • Monitoring • Driver input
Practice in Railway Signalling 4 • Example: Cab Signalling in CTCS L0 & L1 • [Figure: cab signalling principle]
[Figure: evolution of cab signalling products: 1st and 2nd generation universal cab signalling; 3rd generation DSP-based universal cab signalling (A and B); 4th generation principal cab signalling]
Cab Signal Products • JT1-CZ2000, JT1-A/B • Cab signalling host, remote monitoring device and track circuit reader
Safety criteria of JT1-CZ2000 Cab Signal • Must never give a higher (more permissive) indication than permitted, at any time under any condition • Must not give the ‘White’ indication under the specified level of interference or EMI • RAMS requirements • Reliability and safety requirements follow IEC 62278 (EN 50126) • EMC complies with TB/T 3073-2003 • Environmental test requirements comply with TB/T 3021-2001 • SIL 4 • MTBF ≥ 10⁶ hours • MTBF of track circuit equipment ≥ 1.5 × 10⁵ hours • Life-span: 8 years • Technical requirements • Functional requirements • System configuration requirements • Response time requirements • Working sensitivity requirements • Carrier frequency switchover requirements • Testability requirements • Degraded-mode operation requirements
Safety design of JT1-CZ2000 Cab Signal • Hot-standby architecture • ‘2 out of 2’ structure for the main board of each set • Unique signal processing method: joint time- and frequency-domain processing
Safety analysis of JT1-CZ2000 Cab Signal • Safety analysis of the cab signal host • ‘2 out of 2’ configuration based on the mature feedback check circuit of the JT1-A/B • Dynamic power supply for the display unit • Output control CPU (OC-CPU) with watchdog and reset circuit • The OC-CPU provides watchdog and reset for the decode DSP • CR1 and CR2 act as closedown controls in the event of an abnormal condition • The OC-CPUs work in timer-interrupt mode; the interrupt frequency is checked in real time • Self-test and diagnosis • Complete power-on self-test for each CPU/DSP • On-line diagnosis for each CPU/DSP
Safety analysis of JT1-CZ2000 Cab Signal • Safety analysis of the parallel port • The display unit is powered by a dynamic power supply controlled by the dynamic signals of OC-CPU2, CR1 and CR2, which is fail-safe: if the dynamic signal stops toggling, the display loses power • Real-time check of the parallel port with feedback to the main board DSP; any inconsistency can be detected • Display information is coded ‘1 out of 8’, i.e. with information redundancy; any wire-broken or wire-mix failure is either fail-safe or detectable • Speed level information is specially encoded, so that any wire-broken failure is fail-safe and any wire-mix failure is detected in real time
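The output path described on the two safety-analysis slides, modelled as an added example. This is not the JT1-CZ2000's own code; the aspect levels, the wiring fault models (an open wire and a short between two lines), the sample inputs and every name in the block (encode, decode, output_cycle, N_WIRES and so on) are constructed for illustration. The block enumerates every single wire-broken and wire-mix fault on a ‘1 out of 8’ display code to confirm that none produces a valid but more permissive indication, and combines the 2-out-of-2 comparison, a dynamic enable signal for the display power and the parallel-port read-back check into one output cycle that drives the display dark on any disagreement.

```python
"""Added example, not the JT1-CZ2000's code: a model of the fail-safe output
path described on the safety-analysis slides. A '2 out of 2' comparison, a
dynamic (toggling) enable signal for the display power, '1 out of 8' (one-hot)
coding of the display information and a read-back check of the parallel port.
Aspect levels, wiring fault models and sample inputs are constructed."""
from itertools import combinations
from typing import Dict, Optional, Sequence, Tuple

N_WIRES = 8                 # one wire per display aspect; level 0 is the most restrictive
DARK = (0,) * N_WIRES       # no wire driven: no indication, the safe state


def encode(level: int) -> Tuple[int, ...]:
    """'1 out of 8' code: exactly one wire high for each aspect level."""
    if not 0 <= level < N_WIRES:
        raise ValueError("aspect level out of range")
    return tuple(1 if i == level else 0 for i in range(N_WIRES))


def decode(wires: Sequence[int]) -> Tuple[str, Optional[int]]:
    """('valid', level) for exactly one wire high, ('dark', None) for none,
    ('invalid', None) for two or more: an illegal code the checker can detect."""
    hot = [i for i, w in enumerate(wires) if w]
    if len(hot) == 1:
        return "valid", hot[0]
    return ("dark", None) if not hot else ("invalid", None)


# ---- single-fault models on the parallel-port wiring (constructed) ----
def broken(wires: Sequence[int], i: int) -> Tuple[int, ...]:
    """Open wire: line i reads low whatever is driven."""
    w = list(wires)
    w[i] = 0
    return tuple(w)


def bridged(wires: Sequence[int], i: int, j: int) -> Tuple[int, ...]:
    """Two lines shorted together ('wire mix'): both read the OR of the two drivers."""
    w = list(wires)
    w[i] = w[j] = wires[i] | wires[j]
    return tuple(w)


def classify(intended: int, observed: Sequence[int]) -> str:
    """Outcome of a fault relative to the intended aspect."""
    status, level = decode(observed)
    if status == "dark":
        return "safe"         # no indication: treated as the most restrictive aspect
    if status == "invalid":
        return "detected"     # illegal code: the feedback check shuts the output down
    if level == intended:
        return "unaffected"
    return "hazardous" if level > intended else "safe"   # more permissive than intended


def single_fault_survey() -> Dict[str, int]:
    """Apply every single open-wire and every single two-wire short to every
    codeword and count the outcomes."""
    counts = {"unaffected": 0, "safe": 0, "detected": 0, "hazardous": 0}
    for level in range(N_WIRES):
        code = encode(level)
        for i in range(N_WIRES):
            counts[classify(level, broken(code, i))] += 1
        for i, j in combinations(range(N_WIRES), 2):
            counts[classify(level, bridged(code, i, j))] += 1
    return counts


def dynamic_enable(samples: Sequence[int]) -> bool:
    """Display power follows a dynamic signal: it is on only while the line keeps
    toggling. A CPU stuck high or low, or a hung interrupt loop, leaves the line
    static and the display loses power."""
    return len(samples) >= 2 and all(a != b for a, b in zip(samples, samples[1:]))


def output_cycle(level_a: int, level_b: int, enable_samples: Sequence[int],
                 readback: Optional[Sequence[int]] = None) -> Tuple[int, ...]:
    """One output cycle of the 2-out-of-2 main board. level_a and level_b are
    the aspects the two channels decoded independently; readback is what the
    parallel port actually reads back (None means it matches what was driven).
    Any disagreement drives the display dark."""
    if level_a != level_b:                      # 2oo2 disagreement: closedown
        return DARK
    if not dynamic_enable(enable_samples):      # static enable line: no display power
        return DARK
    driven = encode(level_a)
    seen = driven if readback is None else tuple(readback)
    if seen != driven:                          # feedback mismatch: closedown
        return DARK
    return driven


if __name__ == "__main__":
    print(single_fault_survey())
    print(output_cycle(3, 3, [0, 1, 0, 1]))
    print(output_cycle(3, 3, [0, 1, 0, 1], readback=bridged(encode(3), 3, 6)))
```

Of the 288 single faults the survey applies, 8 leave the display dark (the hot wire open), 56 are detected as illegal two-hot codes (the hot wire shorted to any other), 224 change nothing, and none yields a valid but more permissive aspect, which is the property the slide claims for the one-hot coding. A miswiring that swaps two lines is outside this single-fault model and is not caught by the one-hot code alone; that is why the read-back comparison against the intended code, not just the code's legality, is part of the cycle.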
Reliability analysis of JT1-CZ2000 Cab Signal • Qualitative analysis based on comparison with the JT1-A/B cab signal (over 10 years' experience, over 20,000 sets) • Mature circuits and components from the JT1-A/B were adopted • Flaws and weak points were modified and improved, including: • Dual independently configured antennas • Dual 110 V to 50 V DC-DC power supplies • Improved hot-standby and switchover architecture • Improved power protection circuit • Improved display unit: a dual-facet LED display replaces the lamp-bulb display • Improved signal input isolation circuit: an isolation amplifier replaces the isolation transformer • More rigorous EMC performance: a randomly sampled product passes the prescribed EMC test • Field data show that the JT1-CZ2000 is much more reliable than the JT1-A/B after 3 years of deployment
Practice in Other Areas 1 • Practice in the mining industry • Mine gas, dust and fire are the major problems in the mining industry • Research focuses on: • mine gas prevention • fire prevention • mine safety supervision • mine ventilation and dust control
Practice in Other Areas 2 • Practice in civil aviation: research projects • Flight Quality Supervision and Flight Graph Simulation System • Civil Flight Engine Reliability Research • Human Factors in Civil Aviation (database) • Sino Confidential Aviation Safety Reporting System • Comparative Research of Civil Aviation between China and the World • Accident/Accident Symptom Analysis Methods • Airways Safety Evaluation System • Civil Aerodrome Safety Evaluation System • Air Traffic Service Safety Evaluation System • Airways Safety Information Management System • Crew Resource Management Research • Virtual Reality Technology in Accident Analysis • Aviation Accident Statistics Index System • Aviation Safety Assessment and Audit System • Aerodrome Safety Management System
Practice in Other Areas 3 • Practice in urban industry • The project ‘Vital Hazard Database Stage I for Urban Industry’ was finished in August 2004 • Achievements: • A vital hazard classification system • Hazard checklists and a fast assessment method • Identification standards for 9 classes of vital hazards • A data management system, i.e. a database • Pilot application in Beijing, Shanghai, Shantou, Nanning and Wuxi; 4,520 records of vital hazard data were collected • Practice in urban public safety • The project ‘Urban Public Safety Planning and Emergency Scheme Research’ was finished in May 2004 • Achievements: • Urban regional accident risk assessment and safe functional region planning methodology • Standardised emergency schemes and a first aid system • Urban hazard and public safety data management system
Two passenger trains collided on the Beijing-Kowloon railway on April 11, 2006. The driver had been told that Ground Signal 20679 had failed. As the train approached Ground Signal 20667, which showed a red lamp because another train occupied the track ahead, the driver mistook the latter signal for the former and the collision took place. As a result, 2 stewards died, and 3 stewards and 18 passengers were injured.
National Research Plan -1 • A major research plan for ‘Foundational Research of Trustworthy Software’ was issued in October 2007 • Analyse and resolve software dependability issues in the nation's key application fields • Pilot deployment in embedded software and networked application software • Provide scientific support for national grand engineering projects • Key issues • Software dependability measurement (assessment), modelling and prediction • Trustworthy software realisation and validation • Trustworthy software evolution and control • Trustworthy environment realisation and assessment • Integration and validation of trustworthy software development and runtime support
National Research Plan -2 • Key Issue 1: Software dependability measurement (assessment), modelling and prediction • 1.1 Software dependability measurement (assessment) • The inherent relationship between software flaws and dependability, together with software flaw prediction and the laws governing flaw distribution • A multi-scale quantitative index system for multi-dimensional dependability attributes • A measurement, evaluation and assessment system for multi-dimensional dependability attributes • Interrelationships among dependability attributes and their observable characteristics, including local/global compatibility and conflict between individual attributes and global dependability • Technical and management standards for software dependability • 1.2 Evolution and prediction of software dependability • Methodology for dependability data collection, analysis and knowledge mining • Laws governing the evolution of software dependability in a given environment, including self-evolution • Laws governing the on-line evolution of software dependability • Behaviour-based software dependability growth • Threat-oriented on-line evaluation and prediction theory • 1.3 Risk and process management for software dependability • Risk identification, evaluation, management and control patterns and methods across the whole software life cycle • Attribute and assessment framework, with quantitative control and evaluation, for trustworthy software processes • Trustworthy software process modelling that satisfies the requirements for distributed, agile and reusable process assets, together with customisation, simulation and optimisation methods • Human-information system interaction and optimisation mechanisms
National Research Plan -3 • Key Issue 2: Trustworthy software realisation and validation • 2.1 Programming theory and methodology for trustworthy software • 2.2 Requirements engineering for trustworthy software • 2.3 Trustworthy software design, realisation and compilation • 2.4 Trustworthy software validation and testing
National Research Plan -4 • Key Issue 3: Trustworthy software evolution and control • 3.1 Runtime supervision mechanisms • 3.2 Dynamic control methods for dependability
National Research Plan -5 • Key Issue 4: Trustworthy environment realisation and assessment • 4.1 Mathematical theory and dependability evolution theory for trustworthy environments • 4.2 Realisation mechanisms and methods for trustworthy computing environments • 4.3 Trustworthy environment assessment
National Research Plan -6 • Key Issue 5: Integration and validation of trustworthy software development and runtime support • 5.1 Comprehensive experimental environment for trustworthy software • 5.2 Experimental and validation environment for dependable embedded software systems • 5.3 Experimental and validation environment for dependable networked application software systems
National Research Plan -7 • Comparison with the US research proposal • Three Es, fundamental for software dependability: Evidence, Explicit claims and Expertise • Observations • Trusted computing belongs to information security • Software flaws are not the focus of software system safety • The plan goes too far for the present
Observations • Extraordinary challenges faced in China • Rapid development of the national economy • Large population and great differences in education • Deficiencies in legislation and enforcement • Management and public perception of safety, e.g. seat belts • Bad situation in mature industries, esp. coal mining accidents • Better in aviation and railway practice, but not enough • Less systematic approach to safety in practice, e.g. ‘bolting on’ safety, merely following standards, unclear system boundaries • Increased investment in safety education and research, but the right way must be found
Summary • Great effort is needed to develop system safety engineering in China. • Establishing the common language about system safety among different industrial domains is the cornerstone. • Cooperation with HISE at York is expected.