A Bayesian Network methodology for railway risk, safety and decision support

For railways, risk analysis is carried out to identify hazardous situations and their consequences. Until recently, classical methods such as Fault Tree Analysis (FTA) and Event Tree Analysis (ETA) were applied in modelling the linear and logically deterministic aspects of railway risks, safety and reliability. However, it has been proven that modern railway systems are rather complex, involving multi-dependencies between system variables and uncertainties about these dependencies. For train derailment accidents, for instance, high train speed is a common cause of failure; slip and failure of brake applications are disjoint events; failure dependency exists between the train protection and warning system and driver errors; driver errors are time dependent and there is functional uncertainty in derailment conditions. Failing to incorporate these aspects of a complex system leads to wrong estimations of the risks and safety, and, consequently, to wrong management decisions. Furthermore, a complex railway system integrates various technologies and is operated in an environment where the behaviour and failure modes of the system are difficult to model using probabilistic techniques. Modelling and quantification of the railway risk and safety problems that involve dependencies and uncertainties such as mentioned above are complex tasks. Importance measures are useful in the ranking of components, which are significant with respect to the risk, safety and reliability of a railway system. The computation of importance measures using FTA has limitation for complex railways. ALARP (As Low as Reasonably Possible) risk acceptance criteria are widely accepted as ’\'best practice’’ in the railways. According to the ALARP approach, a tolerable region exists between the regions of intolerable and negligible risks. In the tolerable region, risk is undertaken only if a benefit is desired. In this case, one needs to have additional criteria to identify the socio-economic benefits of adopting a safety measure for railway facilities. The Life Quality Index (LQI) is a rational way of establishing a relation between the financial resources utilized to improve the safety of an engineering system and the potential fatalities that can be avoided by safety improvement. This thesis shows the application of the LQI approach to quantifying the social benefits of a number of safety management plans for a railway facility. We apply Bayesian Networks and influence diagrams, which are extensions of Bayesian Networks, to model and assess the life safety risks associated with railways. Bayesian Networks are directed acyclic probabilistic graphical models that handle the joint distribution of random variables in a compact and flexible way. In influence diagrams, problems of probabilistic inference and decision making – based on utility functions – can be combined and optimized, especially, for systems with many dependencies and uncertainties. The optimal decision, which maximizes the total benefits to society, is obtained. In this thesis, the application of Bayesian Networks to the railway industry is investigated for the purpose of improving modelling and the analysis of risk, safety and reliability in railways. One example application and two real world applications are presented to show the usefulness and suitability of the Bayesian Networks for the quantitative risk assessment and risk-based decision support in reference to railways.:ACKNOWLEDGEMENTS IV ABSTRACT VI ZUSAMMENFASSUNG VIII LIST OF FIGURES XIV LIST OF TABLES XVI CHAPTER 1: Introduction 1 1.1 Need to model and quantify the causes and consequences of hazards on railways 1 1.2 State-of-the art techniques in the railway 2 1.3 Goals and scope of work 4 1.4 Existing work 6 1.5 Outline of the thesis 7 CHAPTER 2: Methods for safety and risk analysis 10 2.1 Introduction 10 2.1.1 Simplified risk analysis 12 2.1.2 Standard risk analysis 12 2.1.3 Model-based risk analysis 12 2.2 Risk Matrix 14 2.2.1 Determine the possible consequences 14 2.2.2 Likelihood of occurrence 15 2.2.3 Risk scoring matrix 15 2.3 Failure Modes & Effect Analysis – FMEA 16 2.3.1 Example application of FMEA 17 2.4 Fault Tree Analysis – FTA 19 2.5 Reliability Block Diagram – RBD 22 2.6 Event Tree Analysis – ETA 24 2.7 Safety Risk Model – SRM 25 2.8 Markov Model – MM 27 2.9 Quantification of expected values 31 2.9.1 Bayesian Analysis – BA 35 2.9.2 Hazard Function – HF 39 2.9.3 Monte Carlo (MC) Simulation 42 2.10 Summary 46 CHAPTER 3: Introduction to Bayesian Networks 48 3.1 Terminology in Bayesian Networks 48 3.2 Construction of Bayesian Networks 49 3.3 Conditional independence in Bayesian Networks 51 3.4 Joint probability distribution in Bayesian Networks 52 3.5 Probabilistic Inference in Bayesian Networks 53 3.6 Probabilistic inference by enumeration 54 3.7 Probabilistic inference by variable elimination 55 3.8 Approximate inference for Bayesian Networks 57 3.9 Dynamic Bayesian Networks 58 3.10 Influence diagrams (IDs) 60 CHAPTER 4: Risk acceptance criteria and safety targets 62 4.1 Introduction 62 4.2 ALARP (As Low As Reasonably Possible) criteria 62 4.3 MEM (Minimum Endogenous Mortality) criterion 63 4.4 MGS (Mindestens Gleiche Sicherheit) criteria 64 4.5 Safety Integrity Levels (SILs) 65 4.6 Importance Measures (IMs) 66 4.7 Life Quality Index (LQI) 68 4.8 Summary 72 CHAPTER 5: Application of Bayesian Networks to complex railways: A study on derailment accidents 73 5.1 Introduction 73 5.2 Fault Tree Analysis for train derailment due to SPAD 74 5.2.1 Computation of importance measures using FTA 75 5.3 Event Tree Analysis (ETA) 78 5.4 Mapping Fault Tree and Event Tree based risk model to Bayesian Networks 79 5.4.1 Computation of importance measures using Bayesian Networks 81 5.5 Risk quantification 82 5.6 Advanced aspects of example application 83 5.6.1 Advanced aspect 1: Common cause failures 83 5.6.2 Advanced aspect 2: Disjoint events 84 5.6.3 Advanced aspect 3: Multistate system and components 84 5.6.4 Advanced aspect 4: Failure dependency 85 5.6.5 Advanced aspect 5: Time dependencies 85 5.6.6 Advanced aspect 6: Functional uncertainty and factual knowledge 85 5.6.7 Advanced aspect 7: Uncertainty in expert knowledge 86 5.6.8 Advanced aspect 8: Simplifications and dependencies in Event Tree Analysis 86 5.7 Implementation of the advanced aspects of the train derailment model using Bayesian Networks. 88 5.8 Results and discussions 92 5.9 Summary 93 CHAPTER 6: Bayesian Networks for risk-informed safety requirements for platform screen doors in railways 94 6.1 Introduction 94 6.2 Components of the risk-informed safety requirement process for Platform Screen Door system in a mega city 97 6.2.1 Define objective and methodology 97 6.2.2 Familiarization of system and information gathering 97 6.2.3 Hazard identification and hazard classification 97 6.2.4 Hazard scenario analysis 98 6.2.5 Probability of occurrence and failure data 99 6.2.6 Quantification of the risks 105 6.2.6.1. Tolerable risks 105 6.2.6.2. Risk exposure 105 6.2.6.3. Risk assessment 106 6.3 Summary 107 CHAPTER 7: Influence diagrams based decision support for railway level crossings 108 7.1 Introduction 108 7.2 Level crossing accidents in railways 109 7.3 A case study of railway level crossing 110 7.4 Characteristics of the railway level crossing under investigation 111 7.5 Life quality index applied to railway level crossing risk problem 115 7.6 Summary 119 CHAPTER 8: Conclusions and outlook 120 8.1 Summary and important contributions 120 8.2 Originality of the work 122 8.3 Outlook 122 BIBLIOGRAPHY 124 APPENDIX 1 13

Reliability analysis of dynamic systems by translating temporal fault trees into Bayesian networks

Classical combinatorial fault trees can be used to assess combinations of failures but are unable to capture sequences of faults, which are important in complex dynamic systems. A number of proposed techniques extend fault tree analysis for dynamic systems. One of such technique, Pandora, introduces temporal gates to capture the sequencing of events and allows qualitative analysis of temporal fault trees. Pandora can be easily integrated in model-based design and analysis techniques. It is, therefore, useful to explore the possible avenues for quantitative analysis of Pandora temporal fault trees, and we identify Bayesian Networks as a possible framework for such analysis. We describe how Pandora fault trees can be translated to Bayesian Networks for dynamic dependability analysis and demonstrate the process on a simplified fuel system model. The conversion facilitates predictive reliability analysis of Pandora fault trees, but also opens the way for post-hoc diagnostic analysis of failures

Quantitative evaluation of Pandora Temporal Fault Trees via Petri Nets

© 2015, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Using classical combinatorial fault trees, analysts are able to assess the effects of combinations of failures on system behaviour but are unable to capture sequence dependent dynamic behaviour. Pandora introduces temporal gates and temporal laws to fault trees to allow sequence-dependent dynamic analysis of events. Pandora can be easily integrated in model-based design and analysis techniques; however, the combinatorial quantification techniques used to solve classical fault trees cannot be applied to temporal fault trees. Temporal fault trees capture state and therefore require a state space solution for quantification of probability. In this paper, we identify Petri Nets as a possible framework for quantifying temporal trees. We describe how Pandora fault trees can be mapped to Petri Nets for dynamic dependability analysis and demonstrate the process on a fault tolerant fuel distribution system model

Assessing the reliability of adaptive power system protection schemes

Adaptive power system protection can be used to improve the performance of existing protection schemes under certain network conditions. However, their deployment in the field is impeded by their perceived inferior reliability compared to existing protection arrangements. Moreover, their validation can be problematic due to the perceived high likelihood of the occurrence of failure modes or incorrect setting selection with variable network conditions. Reliability (including risk assessment) is one of the decisive measures that can be used in the process of verifying adaptive protection scheme performance. This paper proposes a generic methodology for assessing the reliability of adaptive protection. The method involves the identification of initiating events and scenarios that lead to protection failures and quantification of the probability of the occurrence of each failure. A numerical example of the methodology for an adaptive distance protection scheme is provided