Legal information

Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)

ARCH.026 Define the state model of accidents, hazardous and safe state

SM-2762 - Populate Confluence page for activity definition: ARCH.026 Identify operational safety risks (hazard-accident mapping) Finished

SM-2480 - Update modelling rules and ARCH.026 / ARCH.020 for operational level safety elements Finished

SM-5059 - Update ARCH.026 after feedback from RAMS manager Finished

DBSRAMS-23

---------- Tickets from TaskForce ---------------


Goal

Provide a consistent starting point for safety risk analysis

Requirements met by this process step

CSM-SMS guidance 1.1  b), 3.1.1.1 a)

CSM-RA

EN 50126-1/2

EN 50129

Inputs

AMOD-128 Safety compliance strategy

AMOD-129 Relevant safety legislation/regulations

AMOD-109 Accident hazard record

Outputs

AMOD-030 Accident & hazard state model

Methodology

Content

Scope

In this process activity a risk model is set up. The risk model contains all identified accidents and their related hazards. It further contains, for each hazard, a non-hazard, which is the opposite of that hazard. Accidents, hazards and non-hazards are represented as states (accident state, hazardous state, safe state). Transitions between these states represent identified conditions that lead to leaving one state and entering another. Conditions may be unwanted events that have to be prevented, wanted events that are desired, or combinations of both (e.g. train movement and an obstacle on the track).

The scope of ARCH.026 is limited to the definition of the states named above (using AMOD-109 as input) and the definition of the following transitions:

  • Safe state to hazardous state: It represents an unwanted combination of events that contribute to entering the hazardous state.
  • Hazardous state to accident state: It represents a trigger that results in entering the accident state while the conditions that led to the hazardous state are still present.
  • Hazardous state to safe state: It represents wanted events that contribute to entering the safe state, i.e. the conditions that must occur for the hazard to disappear, without considering any measures (e.g. the conditions that led to the transition from safe state to hazardous state disappear). For the scope of ARCH.026 this transition represents the negation of a condition that resulted in entering the hazardous state.
  • Accident state to accident state: It represents the fact that once the accident state is reached, it cannot be left.
  • Hazardous state to hazardous state: It represents the possibility that a hazardous state is still active but an accident has not occurred. Since a hazardous state is generally considered short-lived compared to the accident state and the safe state, the probability of this transition is initially set to zero.

Not in the scope of ARCH.026 is:

  • Definition of safety measures: It represents mitigating conditions that increase the probability of the transition from hazardous state to safe state or decrease the probability of the transition from safe state to hazardous state.
  • Assessment of the probability of a transition occurring: It represents the assessment by a safety expert of the probability that the transitions listed above occur.
  • Linking of transitions to design elements: It represents the connection of the conditions that contribute to a transition with a functional flow element that is used for system design.
  • Definition of the transition from safe state to safe state: It represents the probability that mitigating conditions prevent leaving the safe state. It completes the state diagram as a hidden Markov model in which the sum of all outgoing transitions from a state has probability 1.

Process Steps

Preconditions / Considerations for implementation

Before defining a new risk model via the process steps below the following shall be noted:

  • Check whether the accident/hazard combination you are about to implement in a new risk model is already covered by an existing risk model. If there is a variation in the conditions involved that lead to the accident, then a new risk model is recommended.


Implementation

Following steps shall be implemented:

  1. Implement an accident taken from the finite set of accidents in AMOD-109 as accident state. Define four accident states for this accident, one for each of the four possible severities (insignificant, marginal, critical, catastrophic).
  2. Implement the related hazard taken from the finite set of hazards in AMOD-109 as hazardous state.
  3. Define the transition from hazardous state to the accident states and describe the condition under which this transition occurs (triggering external event) in plain text.
  4. Implement the safe state as opposite of the hazardous state.
  5. Implement the transition from safe state to hazardous state as defined in AMOD-109. The following requirements apply simultaneously:
    1. For each condition that contributes to the entry into the hazardous state an individual transition shall be defined and described in plain text.
    2. In case more than one condition contributes to the entry into the hazardous state, an AND gate shall be defined to logically combine the transitions. From that AND gate a single transition to the hazardous state shall be defined. No description is needed for this transition, since it represents the combination of the transitions leading into that AND gate. This gate shall be called "Hazardous state entry gate".
  6. Define the transitions from hazardous state to safe state. The following requirements apply simultaneously:
    1. For each transition that is defined to contribute to the transition from safe state to the hazardous state an opposite transition shall be defined having the same description plus a leading "NOT". E.g. "Obstacle is in path of train unit" becomes "NOT(Obstacle is in path of train unit)".
    2. In case more than one transition contributes to the entry into the safe state, an OR gate shall be defined to logically combine the transitions. From that OR gate a single transition to the safe state shall be defined. No description is needed for this transition, since it represents the combination of the transitions leading into that OR gate. This gate shall be called "Hazardous state recovery gate".
  7. Define the persistence transitions:
    1. Define one transition from accident state to accident state. A description shall not be defined. The probability of this transition shall be set to 1. 
    2. Define one transition from hazardous state to hazardous state. The probability of the related event (deviation) is initially set to zero.
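To make the scope definition and the seven steps above concrete, the following Python sketch is an added example; it is not DB Netz tooling, Capella output or part of this page. It builds the state model for one accident/hazard pair (four severity states, AND-combined entry transitions, OR-combined recovery transitions that are the negations of the entry conditions, persistence transitions with probability 1 and 0) and then checks the built model against those rules. The condition strings, the `build_risk_model` and `check_model` helpers, and the representation of the two gates as pseudo-nodes are assumptions.

```python
"""Build and check an ARCH.026-style accident/hazard/safe state model.
Added illustration, not project code; names and rules below are assumptions
drawn from the seven implementation steps."""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = ("insignificant", "marginal", "critical", "catastrophic")
ENTRY_GATE = "Hazardous state entry gate"        # AND gate (step 5.2)
RECOVERY_GATE = "Hazardous state recovery gate"  # OR gate (step 6.2)


@dataclass
class Transition:
    source: str
    target: str
    description: Optional[str] = None    # plain-text condition; None for gate outputs
    probability: Optional[float] = None  # None: assessment is outside ARCH.026


@dataclass
class RiskModel:
    accident: str
    hazard: str
    states: set = field(default_factory=set)
    gates: dict = field(default_factory=dict)  # gate name -> "AND" | "OR"
    transitions: List[Transition] = field(default_factory=list)

    @property
    def safe_state(self) -> str:
        return f"NOT({self.hazard})"  # step 4: the opposite of the hazard

    @property
    def accident_states(self) -> List[str]:
        return [s for s in self.states if s.startswith(self.accident + " [")]


def build_risk_model(accident: str, hazard: str,
                     entry_conditions: List[str], trigger: str) -> RiskModel:
    """Steps 1-7 for one accident/hazard pair taken from AMOD-109."""
    m = RiskModel(accident, hazard)
    acc_states = [f"{accident} [{sev}]" for sev in SEVERITIES]  # step 1
    m.states.update(acc_states)
    m.states.add(hazard)                                         # step 2
    for a in acc_states:                                         # step 3
        m.transitions.append(Transition(hazard, a, trigger))
    safe = m.safe_state
    m.states.add(safe)                                           # step 4
    # Step 5: one described transition per condition, AND-combined if several.
    if len(entry_conditions) > 1:
        m.gates[ENTRY_GATE] = "AND"
        for c in entry_conditions:
            m.transitions.append(Transition(safe, ENTRY_GATE, c))
        m.transitions.append(Transition(ENTRY_GATE, hazard))     # no description
    else:
        m.transitions.append(Transition(safe, hazard, entry_conditions[0]))
    # Step 6: the negation of every entry condition, OR-combined if several.
    negated = [f"NOT({c})" for c in entry_conditions]
    if len(negated) > 1:
        m.gates[RECOVERY_GATE] = "OR"
        for c in negated:
            m.transitions.append(Transition(hazard, RECOVERY_GATE, c))
        m.transitions.append(Transition(RECOVERY_GATE, safe))    # no description
    else:
        m.transitions.append(Transition(hazard, safe, negated[0]))
    # Step 7: persistence transitions.
    for a in acc_states:
        m.transitions.append(Transition(a, a, None, 1.0))        # cannot be left
    m.transitions.append(Transition(hazard, hazard, None, 0.0))  # initially zero
    return m


def check_model(m: RiskModel) -> List[str]:
    """Return rule violations; an empty list means the model conforms."""
    problems = []
    acc = set(m.accident_states)
    if len(acc) != len(SEVERITIES):
        problems.append("accident needs one state per severity")
    for a in acc:  # an accident state may only persist, with probability 1
        if [t for t in m.transitions if t.source == a] != [Transition(a, a, None, 1.0)]:
            problems.append(f"{a!r} may only persist, with probability 1")
    loops = [t.probability for t in m.transitions if t.source == t.target == m.hazard]
    if loops != [0.0]:
        problems.append("hazardous state needs one persistence transition of probability 0")
    entry = {t.description for t in m.transitions
             if t.source == m.safe_state and t.description}
    recovery = {t.description for t in m.transitions
                if t.source == m.hazard and t.description and t.target not in acc}
    if recovery != {f"NOT({c})" for c in entry}:
        problems.append("recovery transitions must be exactly the negated entry conditions")
    for t in m.transitions:  # gate outputs combine their inputs and carry no text
        if t.source in m.gates and t.description is not None:
            problems.append(f"output of {t.source!r} must carry no description")
    return problems


if __name__ == "__main__":
    # Constructed sample following the page's obstacle example.
    model = build_risk_model(
        "Collision of train unit with obstacle",
        "Obstacle is in path of moving train unit",
        ["Obstacle is in path of train unit", "Train unit moves towards obstacle"],
        "Train unit cannot be stopped before the obstacle")
    print(len(model.states), "states,", len(model.transitions), "transitions")
    print("violations:", check_model(model))
```

Running the sample builds 6 states and 15 transitions with no violations; dropping one of the negated recovery transitions, or adding an exit from an accident state, makes `check_model` report the broken rule, which is the kind of check the completion criterion "the output view conforms to its modelling rules" asks for.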

The resulting risk model should look as follows after ARCH.026:

Notes:


Tools and non-human resources

Team for Capella

Cardinality

One-off with the possibility of revisions; refinement in several models if the conditions and transitions cannot be put together

Completion criteria

The accident states and hazard states set is complete

The accident states and hazard states set covers the needs of the relevant safety legislation/regulations

The output view conforms to its modelling rules

Design review

ARCH.R.2 Operational review - consolidated

Step done by (Responsible)

RAMS Architect

Provides input to/assists (Contributes)

Operational concept architect

Uses outputs (Informed)

None directly