Application of safety principles for a guidance system in public transport

Application of safety principles for a guidance system in public transport
H. Schäbe, TÜV Rheinland InterTraffic, Cologne, Germany
H. Vis & R. Bouwman, Advanced Public Transport systems, Helmond, The Netherlands
10/12/2009

Content
1. Introduction
2. Description of the Phileas
3. Guidance system and guidance computer
4. Front axle steering
5. Rear axle steering
6. Power supply
7. Sensors
8. Bus system
9. Additional advantages
10. Conclusions

1. Introduction
In Gayen & Schäbe (2008), safety principles have been discussed. In this paper: application of safety principles to the design of technical systems, demonstrated with the help of the Phileas, a guided bus developed and manufactured by Advanced Public Transport systems in Helmond, The Netherlands. The vehicle is developed for use in Douai (France) and has to fulfil several safety requirements. The applicable standards are the CENELEC railway standards EN 50126, EN 50128 and EN 50129. Safety principles can help to efficiently construct a safety architecture.
Main safety principles:
- Safe life
- Redundancy
- Diversity

2. Description of the Phileas
- Single-articulated, 18.5 m length, or double-articulated with a length of 24.5 m. Width of 2.55 m and maximum height of 3.24 m.
- Highly manoeuvrable with limited swept path because all wheels are steered.
- Large doors at both the left and right side, with automatic side selection during guided mode.
- New concept for comfortable passenger transport on high-frequency dedicated bus lanes and for mixed traffic, for SMTD (Douai, France).
- Phileas meets all legal requirements for city buses and has unlimited access to the public road.
- The electronic guidance and precision docking system will be approved according to the rail standards EN 50126, 50128 and 50129.
- 30 cm high platforms for step- and gap-free entry and exit of the passengers, allowing short stopping times and a high average operational speed.
- Public road on both sides of the concrete bus lane; stop platforms in the centre of the bus lane (requires doors at the left side) or at the right side of the bus lane (requires doors at the right side).

3. Guidance system and guidance computer
- Safety integrity level 4 (SIL 4) required.
- The bus is guided with a computer-based system consisting of a central guidance computer system (GCS), front axle steering and rear axle steering.
- Sensors measure the angles of the axles and articulations, count the revolutions of the wheels and measure the yaw rate between different vehicle compartments; from these, the position and orientation of the bus are determined. Magnets placed in the bus lane are used to fix the position precisely.
- The guidance function must be realised as a safe-life function (there is no safe state that can be reached instantaneously).
- Guidance computer: 2-out-of-3 computer system. Three computers are cross-checking each other permanently; when inconsistencies of results are detected, the deviating computer is turned off (majority vote) and automatic braking is initiated until standstill. Automatic braking is part of the safety concept.
- Sufficient measures are to be implemented to protect the system from common cause failures and common mode failures: a sufficient degree of diversity for the three computers.

The guidance control computer is the master of the guidance control system. It is responsible for diagnosis and for bringing the system into the safe state in case of failure. The guidance system requires a sufficiently reliable power supply and sufficiently reliable communication with a high detection probability for faulty messages.
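The 2-out-of-3 cross-check described above, written out as an added example (this is not code from the paper or from the Phileas project): three channels deliver a steering set point, a channel that disagrees with both others is switched off by majority vote, and automatic braking is commanded while the agreeing channels keep steering. Channel ids, the tolerance value and the behaviour after isolation are assumptions.

```python
# Added example (not from the paper): 2-out-of-3 voter modelled on the Phileas
# guidance computer concept. Channel ids, the tolerance and the behaviour after
# isolation are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TOLERANCE_DEG = 0.5  # assumed: maximum accepted deviation between channels (degrees)


@dataclass
class GuidanceVoter:
    """Three channels each deliver a steering set point. Results are compared
    pairwise; a channel that disagrees with both others is isolated and
    automatic braking is commanded. The agreeing channels keep delivering a
    set point so the vehicle can still be steered to standstill (safe life)."""
    active: Set[int] = field(default_factory=lambda: {0, 1, 2})
    brake_commanded: bool = False

    def vote(self, results: Dict[int, float]) -> Optional[float]:
        vals = {c: results[c] for c in self.active if c in results}
        if len(vals) < 2:
            self.brake_commanded = True          # no majority possible
            return None
        # agreements[c] = number of other channels within tolerance of channel c
        agreements = {c: sum(1 for o in vals
                             if o != c and abs(vals[c] - vals[o]) <= TOLERANCE_DEG)
                      for c in vals}
        if all(a == len(vals) - 1 for a in agreements.values()):
            return sum(vals.values()) / len(vals)  # all channels consistent
        # Inconsistency detected: automatic braking until standstill
        self.brake_commanded = True
        deviating = [c for c, a in agreements.items() if a == 0]
        majority = [c for c, a in agreements.items() if a > 0]
        if len(vals) == 3 and len(deviating) == 1:
            self.active.discard(deviating[0])      # majority vote: switch off the outlier
            return sum(vals[c] for c in majority) / len(majority)
        return None  # no clear majority: stop delivering set points
```

With only two channels left, any disagreement cannot be resolved by voting, so the voter returns no set point; this is the degraded 2-out-of-2 case the brake-to-standstill rule covers.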

4. Front axle steering
- Part of the guidance system, therefore a safe-life system.
- Three servo controllers are applied. Each servo controller provides sufficient torque to steer the front axle. In case of failure of one servo controller, there are always two other servo controllers to fight the wrong servo and provide sufficient torque.
- Safe-life architecture using the redundancy principle. Any reactive fail-safe approach would be too slow.
- The safe guidance computer is responsible for fault diagnosis (comparing the set points with the achieved steering angles and checking the current of the electric motors). Upon force fighting, the guidance computer would diagnose a fault and initiate automatic braking.
- The diversity principle is thoroughly applied to the three servo controllers and motors, including the transmission of the torque to the steering column. This includes sufficiently different servo controllers, motors and transmissions, allowing the use of many standard components.
- Supported by an analysis for common cause failures and common mode failures.

5. Rear axle steering
- The same principles as for the front axle could not be applied to the rear axle because of the high energy consumption. For a rear axle steering system the reaction time need not be as short as for the front axle.
- A redundant hydraulic steering system has been applied. Only one steering sub-system is active, the other being in hot standby.
- Each hydraulic steering sub-system is supervised by itself and by the guidance control system (both the active and the hot-standby sub-system): verifying axle position, execution of set points, availability of hydraulic pressure etc. Faulty steering sub-systems are detected and control is passed to the hot-standby system.
- Both systems are tested thoroughly according to a test procedure several times during one trip.
- Both hydraulic sub-systems are made different (sensors, pressures to be applied for control etc.) to avoid common mode failures, applying the principle of diversity.

6. Power supply
- In order to protect the guidance system from loss of power, a single power supply system is not sufficient. Power supply is not a safety issue but an availability issue; it is, however, necessary for the safe-life system.
- A fully redundant power supply system, each supply buffered with one battery, has been applied.
- In order to protect the Phileas from common cause failures of other subsystems caused by the power supply, all systems have been connected to both power supply systems in such a manner that failure of one power supply will not cause a critical combination of failing systems:

a) Sensors: no critical configuration of sensors fails when one power supply system fails.
b) Guidance control computers: two computers are connected to one power supply each and the third is connected to both.
c) Failure of one power supply only causes the failure of one CANopen communication bus.
d) Failure of one power supply causes failure of only one hydraulic steering circuit per axle.
e) Failure of a power supply system always leaves at least one servo controller of the front axle steering system in a working state (sufficient to steer).
Upon failure of one power supply system, automatic braking of the Phileas is initiated.
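The allocation rules a) to e) can be checked mechanically. The following is an added example (not the paper's or the project's own analysis): each consumer lists the supply systems feeding it, every single supply failure is simulated, and the surviving set is compared against a minimum configuration per function. Component names, the sensor pairs and the minimum numbers are assumptions; the rear axle is modelled as the hydraulic axle, with the front axle on servo controllers as described in sections 4 and 5.

```python
# Added example (not from the paper): single-failure check of the power supply
# allocation in items a) to e). Component names, the sensor pairs and the minimum
# surviving configuration per function are assumptions for illustration.
from typing import Dict, List, Set, Tuple

SUPPLIES = {"PS1", "PS2"}

# Consumer -> power supply systems feeding it (assumed allocation following a) to e))
FEEDS: Dict[str, Set[str]] = {
    "GCS-1": {"PS1"}, "GCS-2": {"PS2"}, "GCS-3": {"PS1", "PS2"},          # b)
    "CAN-A": {"PS1"}, "CAN-B": {"PS2"},                                    # c)
    "rear-hyd-1": {"PS1"}, "rear-hyd-2": {"PS2"},                          # d)
    "front-servo-1": {"PS1"}, "front-servo-2": {"PS2"},
    "front-servo-3": {"PS1", "PS2"},                                       # e)
    "gyro-A": {"PS1"}, "gyro-B": {"PS2"},                                  # a)
    "front-angle-A": {"PS1"}, "front-angle-B": {"PS2"},
}

# Function -> (redundant members, minimum number that must survive a single failure)
MINIMUM: Dict[str, Tuple[Set[str], int]] = {
    "guidance computers": ({"GCS-1", "GCS-2", "GCS-3"}, 2),   # two left to cross-check
    "CANopen buses": ({"CAN-A", "CAN-B"}, 1),
    "rear hydraulic circuits": ({"rear-hyd-1", "rear-hyd-2"}, 1),
    "front servo controllers": ({"front-servo-1", "front-servo-2", "front-servo-3"}, 1),
    "yaw-rate sensors": ({"gyro-A", "gyro-B"}, 1),
    "front axle angle sensors": ({"front-angle-A", "front-angle-B"}, 1),
}


def survivors(feeds: Dict[str, Set[str]], failed_supply: str) -> Set[str]:
    """Consumers that stay powered when one supply system fails."""
    up = SUPPLIES - {failed_supply}
    return {c for c, sources in feeds.items() if sources & up}


def check_single_failures(feeds: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For each single supply failure, list the functions whose minimum
    configuration is lost (an empty list means the allocation is acceptable)."""
    report: Dict[str, List[str]] = {}
    for ps in sorted(SUPPLIES):
        alive = survivors(feeds, ps)
        report[ps] = [name for name, (members, n) in MINIMUM.items()
                      if len(members & alive) < n]
    return report
```

Moving the third guidance computer onto a single supply is enough to make the check fail, which is the kind of critical combination the paper's allocation avoids.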

7. Sensors
- To reduce the safety requirements for sensors, the diversity principle has been applied. Sensors measuring according to different physical principles have been applied (different angle sensors and gyroscopes).
- Such a combination of sensors has been applied that the guidance computer is able to cross-check the values in order to detect possible failures. After determining the faulty sensor and isolating it, the bus can still be used until such a number of sensors has failed that the following two failures could be dangerous, i.e. the second of them could lead to loss of the steering function of the bus. The principle of redundancy has been used.
- Application of both principles made it possible to use standard components as much as possible (diversity) and to enhance the reliability of the sensor system (redundancy).

8. Bus system
- Information needs to be passed between different systems in the bus (sensor information, set points for the front axle steering system and rear axle steering system etc.). A CANopen communication system has been applied.
- Measures have been implemented to detect communication failures (bit errors, delayed messages, lost messages etc.). IEC 62280 has been applied (use of time stamps, cyclic redundancy checks etc.). Faults on the CAN bus can be detected.
- The redundancy principle has been applied using a second CANopen bus for communication. Both buses are connected to sensors, guidance control computers and axle steering systems in such a manner that upon failure of one CANopen bus, the Phileas can still be safely steered. In case of failure of one CANopen bus, the guidance control computer initiates automatic braking.
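The receiver-side checks behind "time stamps, cyclic redundancy checks etc." can be shown on one frame. This is an added example, not the Phileas protocol: a steering set point is carried in an 8-byte CAN payload together with a source id, a sequence number, a time stamp and a CRC-16 safety code, and the receiver classifies each frame as corrupted (bit error), lost or repeated (sequence number), delayed (time stamp) or accepted. The frame layout, field widths, source ids and the 50 ms age limit are assumptions.

```python
# Added example (not from the paper): receiver-side defences of the kind
# IEC 62280 lists, applied to an 8-byte CANopen payload carrying a steering
# set point. Layout, field widths, ids and the age limit are assumptions.
import struct
from typing import Optional, Tuple

MAX_AGE_MS = 50  # assumed: a set point older than this is treated as delayed

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), used here as the safety code."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def encode(src: int, seq: int, ts_ms: int, setpoint_cdeg: int) -> bytes:
    """8-byte frame: source id, sequence number, 16-bit time stamp (ms),
    steering set point in 0.01 degrees (signed), 16-bit safety code."""
    body = struct.pack(">BBHh", src, seq & 0xFF, ts_ms & 0xFFFF, setpoint_cdeg)
    return body + struct.pack(">H", crc16_ccitt(body))

class SafeReceiver:
    """Detects the failures the paper names for the CAN bus: bit errors
    (safety code), lost or repeated messages (sequence number) and delayed
    messages (time stamp)."""
    def __init__(self, expected_src: int) -> None:
        self.src = expected_src
        self.last_seq: Optional[int] = None

    def receive(self, frame: bytes, now_ms: int) -> Tuple[str, Optional[int]]:
        if len(frame) != 8 or crc16_ccitt(frame[:6]) != struct.unpack(">H", frame[6:])[0]:
            return "corrupted", None
        src, seq, ts, value = struct.unpack(">BBHh", frame[:6])
        if src != self.src:
            return "wrong-source", None
        if self.last_seq is not None:
            if seq == self.last_seq:
                return "repeated", None
            if (seq - self.last_seq) & 0xFF != 1:
                self.last_seq = seq           # resynchronise, but report the gap
                return "lost", None
        if (now_ms - ts) & 0xFFFF > MAX_AGE_MS:
            return "delayed", None
        self.last_seq = seq
        return "ok", value
```

A rejected frame delivers no set point; in the architecture above it is the guidance control computer that decides, from the rate of such rejections, when to switch buses or initiate automatic braking.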

9. Additional advantages
- It is necessary that the guidance control system is able to initiate automatic braking. For brake initiation the safe brake has been separated from the service brake.
- The safe brake has been designed using the principles of redundancy and diversity, i.e. activating the pneumatic brake using different mechanisms to prevent double safety-critical failures from occurring simultaneously.

10. Conclusions
- We have shown how safety principles can be efficiently applied to design a safe system.
- Safety principles make it possible to bypass a trial-and-error phase in development. They allow a safe architecture to be designed in a straightforward manner.
- We have demonstrated how to apply principles such as safe-life, redundancy, diversity and others. This shows clearly how safety principles can be applied and how they allow a design to be simplified, compared with an approach not using these principles.
- Future: the authors hope to come up with new applications of safety principles in the near future.