Chapter 14
Hypothetical Rail Train Braking System (Example)
Abstract
This chapter briefly discusses a combination of two safety-related systems in Rail Train Braking. Respective SIL targets and failure rate data are also covered.
Keywords
Air pressure; Emergency braking; Failure rate data; High demand; Low demand; Primary braking
The following example has been simplified and, as a consequence, some of the operating modes have been changed in order to maintain the overall philosophy but give clarity to the example.
14.1. The Systems
In this example we have a combination of two safety-related systems. One is a “high-demand” train primary braking system, together with a second level of protection consisting of a “low-demand” emergency braking system.
Typically there are at least two methods of controlling the brakes on carriage wheels. The “high-demand” system would be the primary braking function activated by either the train driver or any automatic signaled input (such as ATP). This system would send electronic signals to operate the brakes on each bogie via an air-operated valve. This is a proportional signal to regulate the degree of braking. The system is normally energized to hold brakes off. The output solenoid is de-energized to apply the brakes.
Each bogie has its own air supply reservoir topped up by an air generator. Air pressure has to be applied to operate the brakes. However, each bogie braking system is independent and each train has a minimum of two carriages. The loss of one bogie braking system would reduce braking by a maximum of 25%. It is assumed that the safety function is satisfied by three out of the four bogies operating (i.e., two must fail).
In addition to this primary braking system there is separate emergency braking. This is a single electrical wire loop that runs the full length of the train connected to an emergency button in the driver's cab. This circuit operates a normally energized solenoid valve. This circuit holds the brakes off and the emergency solenoids are de-energized to apply full braking pressure to the brakes.
Figure 14.1 shows the general arrangement of the two systems serving four bogies over two carriages.
14.2. The SIL Targets
The specification for this design requires a SIL 2 target for the primary braking system, and a SIL 3 target for the emergency braking system.
These targets may have been arrived at by a risk-graph approach. Therefore, unlike Chapter 11 where a specific quantified target was assessed, the SIL targets only provide an order of magnitude range of failure rates (or probabilities of failure on demand) for each of the two safety-related systems.
The SIL 2 braking system is a high-demand system and, thus, the target is that the failure rate is less than 10−2 pa.
The SIL 3 emergency braking system is a low-demand system and, thus, the target is that the probability of failure on demand is less than 10−3.
It should be noted that the two systems are not independent in that they share the air power and brake actuator systems. As a result the overall safety-integrity cannot be assessed as the combination of independent SIL 2 and SIL 3 systems. The common elements necessitate that the overall integrity is assessed as a combination of the two systems and this will be addressed in Section 14.6.
14.3. Assumptions
Assumptions are key to the validity of any reliability model and its quantification.
(a) Failure rates (symbol λ), for the purpose of this prediction, are assumed to be constant with time. Both early and wearout-related failures are assumed to be removed by burn-in and preventive replacement, respectively.
(b) The majority of failures are revealed on the basis of two hourly usages. Thus, half the usage interval (1 hr) is used as the down time.
(c) The proof test interval of the emergency brake lever is 1 day. Thus the average down time of a failure will be 12 hrs.
(d) The common cause failure beta factor will be determined. A 1% partial beta is assumed for this example.
(e) The main braking cab PE controller operates via a digital output. The bogie PE operates the valve via an analogue output.
14.4. Failure Rate Data
Credible failure rate data for this example might be as follows.
| Item | Failure mode | Failure rates (10−6 per hr) | MDT (hrs) | |
| Total | Mode | |||
| PES (cab) | Serial output low | 2 | 0.6 | 1 |
| PES (bogie) | Analog output low | 2 | 0.6 | 1 |
| Actuated valve | Fail to move | 5 | 1.5 | 1 |
| Solenoid valve | Fail to open | 0.8 | 0.16 | |
| Driver's levers | ||||
| Emergency | Fail to open contact | 1 | 0.1 | 12 |
| Main | No braking | 1 | 0.1 | 1 |
| Bogie air reservoir system (reservoir check valve and compressor) achieved by regular (daily use) | Fail | 1 | 1 | 1 |
| Brake shoes—A low failure rate achieved by regular (2 weeks) inspection | Fail | 0.5 | 0.5 | 1 |
| Common cause failure of air | 0.05 | |||
| Common cause failure of brake shoes | 0.005 | |||
14.5. Reliability Models
It is necessary to model the “top event” failure for each of the two systems. Chapter 11 used the reliability block diagram method and, by contrast, this chapter will illustrate the fault tree approach.
14.5.1. Primary Braking System (High Demand)
Figure 14.2 is the fault tree for failure of the primary braking system. Gates G22 and G23 have been suppressed to simplify the graphics. They are identical, in function, to G21 and G24. Note that the Gate G2 shows a figure “2,” being the number of events needed to fail.
The frequency of the top event is 6.6 × 10−3 pa, which meets the SIL 2 target.
The table below the fault tree in Figure 14.2 shows part of the fault tree output from the Technis TTREE package (see end of book). The cut sets have been ranked in order of frequency since this is a high-demand scenario which deals with a failure rate. Note that 80% of the contribution to the top event is from the PE1 event.
14.5.2. Emergency Braking System (Low Demand)
Figure 14.3 is the fault tree for failure of the emergency braking system. Gates G22 and G23 have been suppressed in the same way as for Figure 14.2.
The probability of the top event is 1.3 × 10−6, which meets the SIL 3 target with approximately two orders of magnitude margin.
The table below the fault tree in Figure 14.3 shows part of the fault tree output as in the previous section. In this case the cut sets have been ranked in order of probability since this is a low demand scenario which deals with a PFD. Note that >95% of the contribution to the top event is from the EMERG event (lever).
14.6. Overall Safety-Integrity
As mentioned in Section 14.2 the two safety-related systems are not independent. Therefore the overall failure rate (made up of the failure rate of the primary braking and the PFD of the emergency braking) is calculated as follows. The fault tree in Figure 14.4 combines the systems and thus takes account of the common elements in its quantification.
The overall failure rate is 4.8 × 10−4 pa. The cut set rankings show that the air supply Common Cause Failure accounts for 90% of the failures.
This example emphasizes that, since the two systems are not independent, one cannot multiply the failure rate of the primary braking system (6.6 × 10−3 pa) by the PFD of the emergency braking system (3.6 × 10−6). The result would be nearly four orders optimistic and the overall arrangement has to be modeled as shown in Figure 14.4.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.