Jens Braband

Probability of Failure on Demand --- The Why and the How

In the paper, we will study the PFD and its connection with the probability of failure per hour and failure rates of equipment using very simple models. We describe the philosophies that are standing behind the PFD and the THR. A comparison shows, how the philosophies are connected and which connections between PFH and PFD are implied. Depending on additional parameters, there can be deviations between safety integrity levels that are derived on the basis of the PFD and the PFH. Problems are discussed, which can arise when working with the PFD. We describe, how PFD and PFH in IEC 61508 are connected with the THR defined in the standard EN 50129. We discuss arguments that show, why care is needed when using the PFD. Moreover, we present a reasoning, why a probability of failure on demand (PFD) might be misleading.

On the Justification of a Risk Matrix for Technical Systems in European Railways

The European Railway Agency (ERA) has the challenging task of establishing common safety targets (CSTs) and common safety methods (CSMs) throughout Europe. In this context, the harmonization of risk matrices is also discussed. The purpose of this paper is to provide a formal justification of risk matrices for technical systems and the means by which compliance with legal and regulatory requirements can be demonstrated. A proposal for a standard risk matrix applicable to technical systems is derived.

Towards an IT security protection profile for safety-related communication in railway automation

Some recent incidents have shown that possibly the vulnerability of IT systems in railway automation has been underestimated so far. Fortunately so far almost only denial of service attacks have been successful, but due to several trends, such as the use of commercial IT and communication systems or privatization, the threat potential could increase in the near future. However, up to now, no harmonized IT security requirements for railway automation exist. This paper defines a reference communication architecture which aims to separate IT security and safety requirements as well as certification processes as far as possible, and discusses the threats and IT security objectives including typical assumptions in the railway domain. Finally examples of IT security requirements are stated and discussed based on the approach advocated in the Common Criteria, in the form of a protection profile.

Waiting time distributions for closed M/M/N processor sharing queues

We consider a multiple server processor sharing model with a finite number of terminals (customers). Each terminal can submit at most one job for service at any time. The think times of the terminals and the service time demands are independently exponentially distributed. We focus our attention on the exact detailed analysis of the waiting time distribution of a tagged job. We give the Laplace-Stieltjes transform of the waiting time distribution conditioned on the jobs service time demand and the state of the other terminals and show that these transforms can be efficiently evaluated and inverted. Further results include the representation of conditioned waiting times as mixtures of a constant and several exponentially distributed components. The numerical precision of our results is being compared with results from a discrete approximation of the waiting time distributions.

Assessment of national reference values for railway safety: a statistical treatment

We discuss the decision procedure used in the Commission Decision for national reference values. According to the safety directive, every year seven safety indicators have to be computed for every member state. In the decision, a fixed procedure has been presented for computing the safety indicators and to assess whether there is a possible deterioration in safety. In the safety assessment, the decision depends on a weighted sum in place of an arithmetic mean. It is then of interest how such a decision procedure would behave and what would be the advantages and disadvantages of the particular method. In this article, we study a slightly simplified version of the procedure by two means. First, we analyze the weighted sum and derive its characteristic as efficiency. Moreover, we compare it via a spread with an ordinary sample mean. We support the theoretical results with the help of a simple simulation study in order to estimate failure probabilities of the first and second kinds. In particular, we construct such alternative distributions that the decision procedure cannot distinguish.

Definition and Analysis of a New Risk Priority Number Concept

Risk Priority Numbers (RPNs) are a powerful qualitative method for discovering and prioritising critical issues in early design phases. They have become very popular in particular as a tool in automotive or software Failure Modes, Effects, and Criticality Analysis (FMECA). However, it has been shown that the existing RPN concept is seriously flawed. This paper presents a theoretical approach towards a new RPN concept, called the Improved Risk Priority Number (IRPN), which is based on a sound model of risk and can be used with equal ease, but does not suffer from the shortcomings of the existing RPN concept. A particular example from a railway application is discussed.

Cyber Security in Railways: Quo Vadis?

Some recent incidents and analyses have indicated that possibly the vulnerability of IT systems in railway automation is increasing. Due to several trends, such as digitalization or the use of commercial IT and communication systems the threat potential has increased. This paper discusses the way forward for the railway sector, how many advantages of digitalization can be realized without compromising safety. In particular topics like standardization or certification are covered, but also technical issues like SW update.

A Risk-based Approach towards Assessment of Potential Safety Deficiencies

On August 1, 2009, a standard DIN V VDE V 0831-100 was published, which deals with the risk assessment of potential safety deficiencies (PSD). This paper presents the assessment process and a specific procedure complying with the requirements of this standard and ensuring that decision-making in the case of potential safety deficiencies is both traceable and transparent. The socalled PSD risk priority number (PSD-RPN) procedure has been proven by many years of practical application in different variants. It has been designed in accordance with sound engineering principles and produces dependable decisions if used correctly. It makes a major contribution to both increasing the costeffectiveness of railway operations and improving quality, in particular in the field of complaint management. The procedure is explained and illustrated by a realworld example.

Safety Analysis according to IEC 61508 — Putting it into Practice

Since its finalisation in 2000, IEC 61508 [6] has become very popular and its publication represents a major step forward. When implementing this safety standard, however, the user is faced with a number of challenges and ambiguities, which are already under consideration by maintenance teams within the IEC, namely the absence of a harmonised approach to risk analysis, confusion due to the existence of two different operation modes and the verification of the underlying modelling assumptions for quantitative safety integrity analysis. This paper discusses these issues and provides suggestions for their rectification.

Risk assessment in railroad signaling: experience gained and lessons learned

A generic framework for risk analysis is presented, comprising the following tasks: system definition, hazard identification, definition of risk tolerability criteria, consequence and loss analysis, and risk assessment. The object of this approach is to derive qualitative and quantitative safety integrity requirements for technological systems. The framework is holistic and covers technological as well as human and operational factors. The framework is compared to other approaches. Three different railroad signaling case studies, that use the same process, but under different circumstances, are presented. The lessons learned from these case studies, which, like the process itself have applications beyond railroad signaling, are reported and discussed.