System Safety Practice in China - PowerPoint PPT Presentation

Description: Title: Safety-critical computing for aerospace in the next millennium. Subject: Science Systems Master Template Slide. Author: John Alexander McDermid (PowerPoint PPT presentation, 41 slides).

Transcript and Presenter's Notes

1
System Safety Practice in China
  • Huibing Zhao
  • 30/10/2007

2
Contents
  • Organizations
  • Education and Programmes
  • Practice in Railway Signalling
    • Example: Cab Signalling
  • Practice in Other Areas
    • Mining Industries
    • Civil Aviation
    • Urban Industry and Public Safety
  • National Research Plan
  • Observations
  • Summary

3
Organizations 1
  • Administration Organizations
    • State Committee of Work Safety
      • The committee's director is the vice prime minister of the State Council
      • Members include ministers or vice ministers of the State Council
    • State Administration of Work Safety
      • Attached: State Administration of Coal Mine Safety
      • Provincial or municipal Administration Bureaus of Work Safety
    • Supervises 7 safety-related associations
      • China Work Safety Association
      • China Occupational Safety and Health Association
      • China Coal Mine Labour Protection Association
      • China Coal Mine Pulmonary Disease Therapy Foundation
      • China Cableway Association
      • China Chemical Product Safety Association
      • China Civil Dynamite Product Circulation Association

4
Organizations 2
  • Research Organizations
    • China Academy of Safety Science and Technology
      • Strategy research on guidelines and policies for work safety, esp. the coal mine industry
      • Consultation and assessment of vital techno-economic issues
      • Training and consultation for industries
    • Research Centre under the State Administration of Work Safety
      • Originating from the Labour Protection Science Institute and the Work Accident Investigation Centre
      • Certification of State Registered Safety Engineers
      • Safety assessment service
      • Occupational safety and health certification and consultation
      • Safety-related research
    • Civil Aviation Safety Research Institute
      • Development strategy research for civil aviation
      • Assessment of the civil aviation system
      • Research in the areas of human factors, management and safety techniques

5
Organizations 3
  • Research Organizations
    • Research centres or Key Laboratories at universities
      • State Key Laboratory of Coal Resources and Mine Safety (MUC)
      • State Key Laboratory of Fire Science (USTC)
      • State Key Laboratory of Rail Traffic Control and Safety (BJTU)
      • State Key Laboratory of Automotive Safety and Energy (TsingHua)
      • State Key Laboratory of Disaster Prevention in Civil Engineering (TongJ)
      • State Key Laboratory of Information Security (CAS)
      • State Key Laboratory of Novel Software Technology (NJU)
      • State Key Laboratory of Software Engineering (WuHan)
        • Trusted Computing Platform
      • State Key Laboratory of Software Development Environment (BUAA)
      • State Key Laboratory of Pathogen and Biosecurity (PLA)

6
Education and Programmes
  • Up to 2004, 69 universities had set up a Safety Technology and Engineering (STE, Class 2) undergraduate programme
    • Most of them were set up after 2000
    • 32 of them have a graduate programme
    • 11 of them have a PhD programme, e.g. China Mining University, USTC, Central South University
  • The Class 1 programme that STE belongs to is Mining Engineering (a mature industry)
  • Argument that STE should be upgraded to a Class 1 programme
    • Proposed by several senior experts in August 2005
    • Class 1: Safety Science and Engineering
    • Class 2: Safety Science; Safety Engineering

7
Practice in Railway Signalling 1
  • Traditional safety-related techniques used in Railway Signalling
    • Fail-safe principle, e.g. relay, track circuit
      • Eliminating danger by compensating automatically for a failure or malfunction
      • A concept incorporated into the design of a product such that, in the event of failure, it enters or remains in a safe state

8
Practice in Railway Signalling 2
  • Traditional safety-related techniques used in Railway Signalling
    • Fail-safe principle
    • Operation error prevention, e.g. mechanical interlocking
    • Failure effect mitigation, e.g. manual/accident release button
    • Failure rate minimization, e.g. fuse installed to prevent short circuit
    • Redundancy and reconstruction
    • Failure diagnosis and detection
    • Reduced load in use

9
Practice in Railway Signalling 3
  • Modern Railway Signalling System
    • Complicated system
    • Digitalization, networking, intelligence, comprehensiveness
    • Computers have been widely used in train control
  • The Vital Computer is the kernel component
    • Vital means contributing to life, necessary to, or supporting life; more than fail-safe
    • Fault tolerant, with redundancy (hardware or software), e.g. TMR, N-version, recovery block, etc.
  • Safety-critical System
    • A computer, electronic or electromechanical system whose failure may cause injury or death to human beings
    • Another term used: safety-related system
  • Example: ETCS (European Train Control System)
    • CTCS (Chinese Train Control System)

10
System Requirements Specification SRS
[Diagram: ETCS architecture as defined in the System Requirements Specification (SRS), with FFFIS and FIS interface specifications. ETCS onboard unit: kernel, MMI, TIU, data recording, downloading unit, odometer, STM, BTM, LTM, GSM-R mobile unit and Euroradio, with interfaces to the driver and the train. Air gap: Eurobalise, Euroloop, radio infill unit, National System. ETCS wayside equipment: GSM-R fixed network, Euroradio, RBC 1, RBC 2, interlocking and LEU, key management centre, remote control centre.]
11
SRS System description (1)
[Diagram: ETCS level 3: Radioblock over GSM-R (including interlocking functions), train integrity check, Eurobalises.]
12
SRS System description (2)
Dataflow in ETCS level 3
[Diagram: the ETCS onboard unit combines train data with the static and dynamic speed profiles, takes the lowest value, and compares it with position and train ID to decide on brake initiation. The ETCS trackside equipment supplies primary track data via Eurobalise and the Movement Authority (MA) from the Radioblock via GSM-R across the air gap.]
13
Driver MMI for ETCS
  • Areas for the main tasks
    • Speed control
    • Planning
    • Monitoring
    • Driver's input

14
Practice in Railway Signalling 4
  • Example: Cab Signalling in CTCS L0/L1

Cab Signalling Principle
15
[Figure: 1st and 2nd generation universal cab signalling; 3rd generation DSP-based universal cab signalling (A and B); 4th generation principal cab signalling.]
16
  • Cab Signal Products
    • JT1-CZ2000, JT1-A/B Cab Signaling Host, Remote Monitoring Device and Track Circuit Reader
17
Cab Signaling Testing and Assistant Development
Platform
18
Data Processing Software for Cab Signaling
Recorder
19
  • Safety criteria of JT1-CZ2000 Cab Signal
    • Cannot give a higher-level (more permissive) indication than permitted, at any time under any condition
    • Cannot give a White indication under the given level of interference or EMI
  • RAMS requirements
    • Reliability and safety requirements refer to IEC 62278 (EN 50126)
    • EMC complies with TB/T 3073-2003
    • Environmental test requirements comply with TB/T 3021-2001
    • SIL 4
    • MTBF 10^6 hours
    • MTBF of track circuit equipment 1.5 × 10^5 hours
    • Life-span 8 years
  • Technical requirements
    • Functional requirements
    • System configuration requirements
    • Response time requirements
    • Work sensitivity requirements
    • Carrier frequency switchover requirement

20
System Definition Boundary and Context
21
  • Safety design of JT1-CZ2000 Cab Signal
    • Hot-standby architecture
    • 2-out-of-2 structure for the main board of each set
    • Unique signal processing method: joint time and frequency domain

22
(No Transcript)
23
(No Transcript)
24
  • Safety analysis of JT1-CZ2000 Cab Signal
  • Safety analysis of Cab Signal Host
    • 2-out-of-2 configuration based on the mature feedback check circuit of JT1-A/B
    • Dynamic power supply for the display unit
    • Output Control CPU (OC-CPU) with watchdog and reset circuit
      • OC-CPU provides watchdog and reset for the decode DSP
      • CR1 and CR2 function as closedown control in case of abnormality
      • OC-CPUs work in timing-interrupt mode; the interrupt frequency is checked in real time
    • Self-test and diagnosis
      • Complete power-on self-test for each CPU/DSP
      • On-line diagnosis for each CPU/DSP
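The slide says the OC-CPUs run in timing-interrupt mode and that the interrupt frequency is checked in real time, which is the mechanism that lets a watchdog tell a stalled or runaway processor from a healthy one. The following is an added example, written for this transcript and not code from the JT1-CZ2000 or its developers; the nominal rate, window length and tolerance are constructed values, and the closedown action is left to the caller.

```c
/* Real-time check of a timing-interrupt heartbeat (added example; constants
 * are constructed, not the JT1-CZ2000's). The ISR increments a counter; a
 * supervisor compares the count over a fixed window against the nominal
 * rate. Too few ticks means the channel has stalled, too many means the
 * timer is running away; either verdict should drive closedown. */
#include <stdint.h>
#include <stdio.h>

#define NOMINAL_HZ    100u   /* assumed nominal interrupt rate */
#define WINDOW_MS     1000u  /* assessment window */
#define TOLERANCE_PCT 10u    /* accept +/- 10 % around nominal */

typedef struct {
    uint32_t ticks_in_window;   /* interrupts counted since window start */
    uint32_t window_start_ms;   /* supervisor clock at window start */
} heartbeat_monitor_t;

enum hb_verdict { HB_PENDING, HB_OK, HB_TOO_SLOW, HB_TOO_FAST };

/* Called from the timing interrupt: the only thing the ISR has to do. */
void hb_tick(heartbeat_monitor_t *m) { m->ticks_in_window++; }

/* Called from the supervisor loop. Returns HB_PENDING until a full window
 * has elapsed, then a verdict, and starts the next window. Unsigned
 * subtraction keeps the elapsed-time test correct across clock wrap. */
enum hb_verdict hb_check(heartbeat_monitor_t *m, uint32_t now_ms)
{
    if (now_ms - m->window_start_ms < WINDOW_MS) return HB_PENDING;

    uint32_t expected = NOMINAL_HZ * WINDOW_MS / 1000u;
    uint32_t lo = expected - expected * TOLERANCE_PCT / 100u;
    uint32_t hi = expected + expected * TOLERANCE_PCT / 100u;
    uint32_t n  = m->ticks_in_window;

    m->ticks_in_window = 0;
    m->window_start_ms = now_ms;

    if (n < lo) return HB_TOO_SLOW;   /* stalled or starved channel */
    if (n > hi) return HB_TOO_FAST;   /* runaway timer, e.g. bad reload */
    return HB_OK;
}

/* Simulation helper: deliver `ticks` interrupts within one window, then
 * evaluate at the end of the window. */
enum hb_verdict hb_simulate(uint32_t ticks)
{
    heartbeat_monitor_t m = { 0, 0 };
    for (uint32_t i = 0; i < ticks; i++) hb_tick(&m);
    return hb_check(&m, WINDOW_MS);
}

int main(void)
{
    static const char *names[] = { "PENDING", "OK", "TOO_SLOW", "TOO_FAST" };
    uint32_t cases[] = { 100, 95, 80, 130 };   /* constructed tick counts */
    for (unsigned i = 0; i < 4; i++)
        printf("%3u ticks in window -> %s\n", cases[i], names[hb_simulate(cases[i])]);
    return 0;
}
```

The supervisor, not the ISR, decides: a hung ISR cannot be trusted to report on itself, so the count is read from outside it, and the window is reset unconditionally so that one bad verdict does not persist after closedown has been commanded.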

25
  • Safety analysis of JT1-CZ2000 Cab Signal
  • Safety analysis of Parallel Port
    • The Display Unit is powered by a dynamic power supply controlled by the dynamic signal of OC-CPU2, CR1 and CR2, which is fail-safe
    • Real-time check of the PP with feedback to the mainboard DSP; any inconsistency can be detected
    • Display information is coded 1-out-of-8, i.e. information redundancy. Any wire-broken or wire-mix failure is fail-safe or can be detected.
    • Speed level information is specially encoded so that any wire-broken failure is fail-safe and any wire-mix failure can be detected in real time.
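The two coding claims on this slide (1-out-of-8 display coding, and a speed-level code under which a broken wire is fail-safe and a wire-mix is detectable) and the 2-out-of-2 and TMR redundancy mentioned earlier in the deck can be shown in a few lines of decoding logic. The block below is an added example, not JT1-CZ2000 code: the wire-to-aspect mapping (wire 0 = most restrictive), the use of a thermometer code for speed level, and the sample wire patterns are all constructed for the illustration; the real product's code tables are not on the page.

```c
/* Fail-safe decoding and voting for a cab-signal display interface.
 * Added example; code tables and wire mappings are constructed. */
#include <stdint.h>
#include <stdio.h>

#define ASPECT_RESTRICTIVE 0     /* assumption: wire 0 carries the most restrictive aspect */
#define DECODE_FAULT       (-1)  /* pattern outside the code: treat as a fault */

/* 1-out-of-8 (one-hot) display code: exactly one of eight wires energised.
 * A broken wire leaves nothing energised; a wire-mix energises two or more.
 * Both patterns lie outside the code, so the fault is detected rather than
 * silently decoded as some other aspect. */
int decode_one_hot8(uint8_t wires)
{
    if (wires == 0)          return DECODE_FAULT;   /* wire-broken */
    if (wires & (wires - 1)) return DECODE_FAULT;   /* wire-mix: >1 bit set */
    int idx = 0;
    while ((wires >> idx) != 1) idx++;              /* position of the single bit */
    return idx;
}

/* Speed-level code with the property the slide states: a broken wire
 * (1 -> 0) can only lower the level or produce an invalid pattern, never
 * raise it. A thermometer (unary) code has this property: level k is the k
 * lowest wires energised. Assumption: one way to get the property, not
 * necessarily the product's scheme. */
int decode_thermometer8(uint8_t wires)
{
    int level = 0;
    while (level < 8 && (wires & 1u)) { wires >>= 1; level++; }
    return wires == 0 ? level : DECODE_FAULT;       /* a gap means wire-mix */
}

/* 2-out-of-2: both channels must agree on a valid aspect; any disagreement
 * or decode fault forces the restrictive aspect (no masking, only safety). */
int vote_2oo2(int ch_a, int ch_b)
{
    if (ch_a == DECODE_FAULT || ch_b == DECODE_FAULT || ch_a != ch_b)
        return ASPECT_RESTRICTIVE;
    return ch_a;
}

/* Triple modular redundancy: majority of three masks one faulty channel;
 * with no majority, or a majority of faults, fall back to restrictive. */
int vote_tmr(int a, int b, int c)
{
    if (a == b || a == c) return a == DECODE_FAULT ? ASPECT_RESTRICTIVE : a;
    if (b == c)           return b == DECODE_FAULT ? ASPECT_RESTRICTIVE : b;
    return ASPECT_RESTRICTIVE;
}

int main(void)
{
    /* Constructed readings from two channels of the parallel port. */
    uint8_t ch_a = 0x08, ch_b = 0x08;               /* both see wire 3 */
    printf("2oo2, channels agree:   aspect %d\n",
           vote_2oo2(decode_one_hot8(ch_a), decode_one_hot8(ch_b)));
    printf("2oo2, wire-mix on A:    aspect %d\n",
           vote_2oo2(decode_one_hot8(0x0C), decode_one_hot8(ch_b)));
    printf("speed level 3 = %d; wire 2 broken -> %d (lower); wire 0 broken -> %d (fault)\n",
           decode_thermometer8(0x07), decode_thermometer8(0x03), decode_thermometer8(0x06));
    printf("TMR with one bad channel: %d\n", vote_tmr(2, 5, 2));
    return 0;
}
```

The difference between the two voters is the point: 2oo2 gives up availability for safety (any disagreement stops the output), while TMR keeps the output alive through one channel fault; the restrictive fallback in both is what makes the combination fail-safe in the sense defined on slide 7.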

26
  • Reliability analysis of JT1-CZ2000 Cab Signal
    • Qualitative analysis based on comparison with the JT1-A/B cab signal (over 10 years' experience, over 20,000 sets)
    • Mature circuits and components from JT1-A/B were adopted
    • Flaws and weak points were modified and improved, including
      • Dual independently configured antennas
      • Dual 110V-50V DC-DC power supplies
      • Improved hot-standby and switchover architecture
      • Improved power protection circuit
      • Improved Display Unit, i.e. a dual-facet LED display replaces the lamp-bulb display
      • Improved signal input isolation circuit, i.e. an isolation amplifier replaces the isolation transformer
      • More rigorous EMC performance, i.e. a randomly sampled product can pass the prescribed EMC test
    • Data show that JT1-CZ2000 was much more reliable than JT1-A/B after 3 years of deployment.

27
Practice in Other Areas 1
  • Practice in the Mining Industry
    • Mine gas, dust and fire are the major problems existing in the mining industry
    • Research focuses on
      • mine gas prevention
      • fire prevention
      • mine safety supervision
      • mine ventilation and dust prevention

28
Practice in Other Areas 2
  • Practice in Civil Aviation: Research Projects
    • Flight Quality Supervision and Flight Graph Simulation System
    • Civil Flight Engine Reliability Research
    • Human Factors in Civil Aviation (Database)
    • Sino Confidential Aviation Safety Reporting System
    • Comparative Research of Civil Aviation between China and the World
    • Accident/Accident Symptom Analysis Methods
    • Airways Safety Evaluation System
    • Civil Airdrome Safety Evaluation System
    • Air Traffic Service Safety Evaluation System
    • Airways Safety Information Management System
    • Crew Resource Management Research
    • Virtual Reality Technology used in Accident Analysis
    • Aviation Accident Statistics Index System
    • Aviation Safety Assessment and Audit System
    • Airdrome Safety Management System

29
Practice in Other Areas 3
  • Practice in Urban Industry
    • The project Vital Hazard Database Stage I for Urban Industry was finished in Aug 2004
    • Achievements
      • Establishing a vital hazard classification system
      • Hazard checklists and Fast Assessment Method
      • Establishing identification standards for 9 classes of vital hazards
      • Data management system, i.e. database
      • Pilot application in Beijing, Shanghai, Shantou, Nanning and Wuxi; 4520 records of vital hazard data were collected.
  • Practice in Urban Public Safety
    • The project Urban Public Safety Planning and Emergency Scheme Research was finished in May 2004.
    • Achievements
      • Urban regional accident risk assessment and safe functional region planning methodology
      • Standardized emergency scheme and first aid system
      • Urban hazard and public safety data management system

30
Practice in Other Areas 3
31
A collision between two passenger trains happened on the Beijing-Kowloon railway on April 11, 2006. The driver had been told that Ground Signal 20679 had failed at that time. As the train ran close to Ground Signal 20667, which showed a red lamp because another train ahead occupied the track, the driver took the latter signal for the former, and the collision took place. As a result, 2 stewards died, and 3 stewards and 18 passengers were injured.
32
National Research Plan -1
  • A Grand Research Plan for Foundational Research on Trustworthy Software was issued in Oct 2007
    • Analyze and resolve the related issues of software dependability in the nationwide key application fields
    • Pilot deployment in embedded software and networked application software
    • Provide scientific support for national grand engineering projects
  • Key issues
    • Software Dependability Measurement (assessment), Modeling and Prediction
    • Trustworthy Software Realization and Validation
    • Trustworthy Software Evolution and Control
    • Trustworthy Environment Realization and Assessment
    • Integration and Validation of Trustworthy Software Development and Runtime Support

33
National Research Plan -2
  • Key Issue 1: Software Dependability Measurement (assessment), Modeling and Prediction
    • 1.1 Software Dependability Measurement (assessment)
      • The inherent relationship between software flaws and dependability, as well as the laws of software flaw prediction and flaw distribution
      • Multi-scale quantitative index system for multi-dimensional dependability attributes
      • Measurement, evaluation and assessment system for multi-dimensional dependability attributes
      • Interrelationship of the dependability attributes and their possible exposed characteristics, including local/global compatibility and incompatibility between several attributes and global dependability
      • Technical standards or management standards for software dependability
    • 1.2 Evolution and Prediction of Software Dependability
      • Methodology for dependability data collection, analysis and knowledge mining
      • Laws of evolution of software dependability under a given environment, as well as the laws of self-evolution
      • Laws of on-line evolution of software dependability
      • Behaviour-based software dependability increment
      • Threat-oriented on-line evaluation and prediction theory
    • 1.3 Risk and process management for software dependability
      • Risk identification, evaluation, management and control patterns and methods over the whole software life-cycle
      • Attribute and assessment framework, and quantitative control and evaluation, for trustworthy software processes
      • Trustworthy software process modeling that satisfies the requirements of distributed, agile and reusable process assets, together with customization, simulation and optimization methods
      • Human-information system interaction and optimization mechanisms

34
National Research Plan -3
  • Key Issue 2: Trustworthy Software Realization and Validation
    • 2.1 Programming Theory and Methodology for Trustworthy Software
    • 2.2 Requirements Engineering for Trustworthy Software
    • 2.3 Trustworthy Software Design, Realization and Compilation
    • 2.4 Trustworthy Software Validation and Testing

35
National Research Plan -4
  • Key Issue 3: Trustworthy Software Evolution and Control
    • 3.1 Runtime Supervision Mechanism
    • 3.2 Dynamic Control Method for Dependability

36
National Research Plan -5
  • Key Issue 4: Trustworthy Environment Realization and Assessment
    • 4.1 Mathematical Theory and Dependability Evolution Theory for Trustworthy Environments
    • 4.2 Realization Mechanism and Method of Trustworthy Computation Environments
    • 4.3 Trustworthy Environment Assessment

37
National Research Plan -6
  • Key Issue 5: Integration and Validation of Trustworthy Software Development and Runtime Support
    • 5.1 Comprehensive Experiment Environment for Trustworthy Software
    • 5.2 Dependable embedded software system experiment and validation environment
    • 5.3 Dependable network application software system experiment and validation environment

38
National Research Plan -7
  • Comparison with the research proposal of the USA
    • Three Es fundamental for software dependability: Evidence, Explicit claims and Expertise
  • Observations
    • Trusted Computing and Information Security
    • Software flaws: not the focus of software system safety
    • Goes too far at present

39
Observations
  • Extraordinary challenges faced in China
    • Rapid development of the national economy
    • Large population and great differences in education
    • Deficiencies in legislation and enforcement
    • Management and public perception of safety, e.g. seat belts
  • Bad situation in mature industries, esp. coal mining accidents
  • Better in aviation and railway practice, but not enough
    • Less systematic approach to safety in practice, e.g. bolting on, just following standards, system boundary
  • Increased investment in safety education and research, but need to know the right way

40
Summary
  • Great effort is needed to develop system safety
    engineering in China.
  • Establishing the common language about system
    safety among different industrial domains is the
    cornerstone.
  • Cooperation with HISE at York is expected.