Appendix to risk analysis concerning the impact of changes in the licence conditions of mobile operators on GSM-R

Transcription

1 Appendix to risk analysis concerning the impact of changes in the licence conditions of mobile operators on GSM-R Scenario 1: GSM-R voice communication between train driver and traffic control not working (also including voice communication between drivers). THREAT Description of cause Description of outcome (worst case) Main communication direction/type RISK AREA: TRAFFIC SAFETY Hazardous goods delayed response obstructed further alarm S1:1 Inability to send alarm in case of accident Accident outcome made worse Driver/TSM ==> traffic control 112/TKL/TSM impacts If the chances to activate an accident alarm are lacking/made difficult, its s can be made worse S1:2 Disrupted/broken communication when activating alarm and in safety dialogue Disruption misunderstanding not possible to communicate - misunderstanding during alarm activation - misunderstanding when giving order Near-accidents and accidents - consultation during work/shunting Driver/TSM ==> traffic control Traffic control ==> driver/tsm driver/tsm ==> driver/tsm Without a reliable communication system, the risk of misunderstandings in conjunction with alarm activation and safety communications increases - delayed action - fault report infrastructure - fault report vehicle S1:3 S1:4 Inability to activate alarm about a dangerous situation (REC) Inability to stop a train/maintenance works Possible to prevent accident derailing level crossing accident Accident driver/tsm ==> traffic control traffic control ==> driver/tsm Cannot prevent accident Collision, derailment Traffic control ==> driver/tsm S1:5 detector alarm (hot box detection) The alarm is not activated Derailment Detector ==> traffic control required If there is no possibility to activate an alarm regarding a dangerous situation, the likelihood of an accident occurring increases For Systems S and M, it is in most cases the only possibility to stop a train or maintenance works The communication with the detector is monitored. If the on GSM-R terminal if communication is disrupted, necessary due to the action will need to be. constant (The difference here is that the communication site is fixed and the disruption more digital than for vehicles) S1:6 Risk behaviour Worse accessibility to communication; short-cuts Near-accidents and accidents (collisions) - Without a reliable communication system, the risk increases that a short-cut is in order to solve a particular situation that has arisen

2 Scenario 1: GSM-R voice communication between train driver and traffic control not working (also including voice communication between drivers). THREAT Description of cause Description of outcome (worst case) Main communication direction/type RISK AREA: Availability, punctuality and quality S1:7 Absence of/delayed order, at the scene of fault Issueing of orders impossible Delay traffic control centre ==> driver/tsm Issueing of orders impossible, excessively serious s in densely trafficated, urban areas where the disruptions are considered to be greatest S1:8 GSM-R activated services impossible to implement -JIMO (request for level crossing gate lowering) K-Report (Depature clearence from driver) driver/tsm ==> traffic control centre Delay, quality fees driver/tsm ==> background operation system JIMO is used in a few places. It is possible to make a K-Report in some other way S1:9 n-functioning GSM-R on the Öresund Link Order giving Delay, cancelled services traffic control centre ==> driver/tsm Öresund Bridge regulations do not allow traffic without GSM- R. Train services cancelled S1:10 Function number registration does not work FN calls do not work S1:11 Group calls do not work Group calls do not work S1:12 Traffic information does not work S1:13 Communication with assistance vehicles does not work Platform signs/ displays, loudspeaker announcements and clocks do not work Assistance services cannot be provided Difficult to call vehicles; it could also have an impact on traffic safety Information distribution made more difficult traffic control centre ==> driver/tsm operation control centre ==> driver/tsm driver/tsm ==> driver/tsm Train delay traffic control centre ==> passengers Train delay driver/tsm ==> driver/tsm needed Without function number registration, above all TKL's (dispatcher) chances of reaching drivers is made difficult. The driver can make the registration a little later and TKL can use group call. This is mainly a problem in urban areas and there it is unacceptable Group calls (not railway emergency calls) are used above all for information distribution to, for example, vehicles in a geographical area. Uncertain function complicates direct information distribution The communication with traffic information equipment is monitored. If communication is disturbed, measures have to be. (The difference here is that the communication place is fixed and more digital than for vehicles) as an individual point but weighed together with all others, unacceptable

3 Scenario 2: GSM-R data communication for ETCS not working. THREAT Description of cause Description of outcome (worst case) Main communication direction/type RISK AREA: TRAFFIC SAFETY S2:1 Delay in activation of emergency stop Emergency stop request to train delayed/non-activated Accident RBC ==> ETCS onboard system In ERTMS, the train is braked to stop status by the running brake if communication with the RBC has been absent for 100 seconds. RISK AREA Availability, punctuality and quality S2:2 Train receives no movement authority Train not allowed to leave station or serious delays RBC ==> ETCS onboard system Individual train movements possible, but scheduled services cannot be run S2:3 HHT does not function (Hand-Held Terminal provided to secure work on E3) TSM cannot carry out work/alternatively hand back on completion of work HHT ==> RBC TSM cannot establish contact from the Handheld Terminal (HHT) to RBC. The HandHeldTerminal cannot be protected without TSM moving to a location where the HHT is not disturbed. Applies only to one line Information to TSMs on the fact that HHT can function less reliably after 1/ If these areas are too large, an extension of the GSM-R network will have to be considered S2:4 Interlocking loses connection with trackeside signal box (E3) A movement authority cannot be given; emergency stop if the train path is controlled by the interlocking (a filter could be needed on a trackside signal box that communicate over GSM-R) Interlocking ==> trackside signal box required Communication with the trackside signaling box is of the GSM-R terminal monitored. If the if it is needed based communication is disrupted, on the constant action will have to be (the difference here is that the communication location is fixed and the disruption more digital than for vehicles) Version Author: Jonas Lindh

4 Explanation of terms in the Risk Log Term TKL TSM Operation control Detectors JIMO FN Function Number Traffic information equipment Explanation Dispatcher Inspector/Responsible for maintenance/train driver Collective term for contact with the operation control centre but mainly it means TKL and the electrical control centre Equipment in tracks that detect damage to vehicles, primarily hotrunning and dragging brake detectors Järnvägstjänster I Mobilen (railway services in mobile phones ). Requests for train paths, departure requests and barrier lowering, used at Malmö Central Station A function number is the telephone number that the driver can be contacted on during the course of a train journey (train number) Platform signs/displays loudspeaker announcements with JÄRDA and clocks at smaller stations are often connected to the central system by means of GSM-R ERTMS ETCS European Rail Traffic Management System consists of the technical systems GSM-R and ETCS European Train Control System, consists of an infrastructure component (ground) consisting of balises and Radio Block Centres (RBC) and a vehicle component consisting of onboard systems ETCS with STM that read the information on ATC stretches of line.

5 RBC E3 HHT Interlocking Signal box Radio Block Centres, are the units of equipment in ETCS that communicate with the vehicle equipment by means of GSM-R ERTMS Level 3 or ERTMS Regional HandHeldTerminals are used to safeguard works performed in tracks. (Compare short-circuiting devices for lines with track circuits). The terminal is a GSM-R telephone Central part of the signaling system co-located with the RBCs Trackside equipment in which points and track circuits are connected.