Derivation of harmonised high-level safety requirements for self-driving cars using railway experience

Dan Smith

Railway experience

Railways belong to a regulated and very safe transport sector18 and since the very beginning, railway safety has been based on conservative principles and worst-case approach. The worst-case approach takes into account many scenarios and assumptions that are unlikely to occur simultaneously. Railway technical systems shall be sufficiently safe, but they must be not safer than is actually required, otherwise they would be more expensive, and no one would use them. In addition to safety, great attention is also paid to the efficiency of rail transport. The European Railway Traffic Management System (ERTMS) is a centralised command and control system conceived to prevent human errors and was designed more than 25 years ago to manage railway operations safely and efficiently across borders between different European countries having their own proprietary system. The ERTMS system authorizes the train to move to a predetermined point as soon as the train position is determined, and all the safety conditions are met. The position of train compliant with safety integrity level (SIL) 4 and THR < 1 × 10−9/ h is determined by an on-board odometer, the errors of which are periodically reset by means of transponders (balises) installed along the railway. A key feature of the ERTMS is to ensure interoperability19 among on-board and track-side subsystems shared between different actors, in particular infrastructure managers and railway undertakings. The same requirement is applicable for ensuring interoperability between car systems and road infrastructures. The high safety and dependability requirements for ERTMS must be met—also in cases where track balises are replaced by virtual balises and detected by GNSS-based positioning. It is necessary to go through a certification and authorization process that guarantees compliance with all ERTMS requirements—i.e. CENELEC (Comité Européen de Normalisation Électrotechnique) railway safety standards, technical specifications for interoperability (TSIs), EU regulations, directives, etc.). A clear specification of the system safety requirements is therefore essential. Most importantly, European railways already use the concept of Common Safety Targets (CSTs)18, which in fact means the minimum levels of safety that the railway system should achieve. CSTs are therefore more general and do not only concern the technical system. In addition, railways are also recommended to use the so called Common Safety Method Design Targets (CSM-DT)13,14 which are actually harmonised semi-quantitative safety requirements for railway safety systems when explicit risk estimation is performed—i.e. when there is insufficient experience with the new system. CSM-DT are consistent not only with the current European safety levels used in the quantitative assessment of railway risks, but also with the design targets used in aviation. As will be shown below, the use of CSM-DT in the automotive industry can also help significantly simplify the derivation of high-level safety requirements for SDC.

Risk acceptance principles and criteria

Railway stakeholders must safely manage all changes to upgrade the ERTMS using the so-called Common Safety Method for Risk evaluation and Assessment (CSM-RA)12 according to European railway regulations. This also applies to the above-mentioned integration of GNSS with ERTMS for virtual balise detection. A diagram of CSM-RA is shown in Fig. 1. The main part of the CSM-RA is the risk assessment process, the output of which is the harmonised safety requirements for the system. The risk assessment is a responsibility of the system change proposer, e.g. railway infrastructure manager or equipment manufacturer/supplier. Hazard management is provided in operation by the railway infrastructure manager or train operator using a safety management system. Risk assessment and hazard management form the risk management process. An independent assessment body (AsBo) supervises the correct application of CSM-RA.

Figure 1
figure 1

Diagram of common safety method for risk evaluation and assessment.

CSM-RA harmonises the risk management process across Europe and leads to harmonised safety requirements for safety systems. It differs from the safety management process that must be performed for the railway safety-related system according to the railway CENELEC safety standards EN 5012x7,8,9,10. CSM-RA is applied at the level of the whole railway system, whereas the safety management process concerns safety-relevant systems. Nevertheless, the CSM-RA complies with the CENELEC EN 5012x. Risk harmonisation is ensured through the following three risk acceptance principles (RAP) and risk acceptance criteria (RAC): codes of practice (CoP), similar reference systems and explicit risk estimation (Fig. 1). In addition to railway systems, harmonisation of risks and related technical safety requirements is also important in the field of self-driving cars, as it leads to the specification of widely acceptable safety requirements. Consensus on the car safety requirements is a pre-requisite to promote technical interoperability and also to facilitate the type-approval process in this field.

Explicit risk estimation

Harmonisation of risk acceptance and specification of safety requirements in land transport, such as rail or road, is crucial for the system for complying with the safety requirements and also for achieving the required efficiency. Compared to risk assessment of driverless cars, railways have undergone a process of harmonisation of risk acceptance over the last few decades and have also developed a basic framework for a safety certification and approval process for advanced technical systems (TS). As mentioned above, the agreed RAP and RAC are the main means of harmonising and mutual recognition of safety requirements12. Widely acceptable CoP, such as ERTMS Technical Specifications for Interoperability (TSIs), CENELEC safety standards, etc., used as RAP, make it possible to harmonise risk and thus railway safety requirements across Europe—widely accepted world-wide (see Fig. 1). These CoPs have been developed on the basis of the experience of designing and deployment of ERTMS systems on about 110,000 km of lines, 50% of which are outside of Europe. Reference systems can be used as RAP in a very similar way as CoP because a reference system is a system that has demonstrated an acceptable level of safety in practice. Both CoP and similar reference systems used as RAP can also be considered as risk acceptance criteria (RAC). In the absence of proven return of experience in the design and evaluation of a specific safety system, as is the case of SDCs, an explicit risk estimation should be used as a RAP. A flowchart of explicit risk estimation is shown in Fig. 2. Risk is explicitly estimated either qualitatively, especially in the initial phase of risk estimation when there is not yet sufficient data on the system, or quantitatively by estimating the frequency of hazardous events and their severity. To determine the safety requirements for the system, specific railway RAC are then needed—e.g. MEM, ALARP (As Low As Reasonably Practicable), GAME (Globalement Au Moins Équivalent), etc.8. The problem is that these RAC are not harmonised in Europe. Therefore, the associated risk with a given safety system may not be acceptable in all EU countries. This means that it is also not possible to harmonise the resulting safety requirements for TS. As outlined in the following section, widely acceptable RAC are needed.

Figure 2
figure 2

Flowchart of explicit risk estimation.

Design safety targets for technical systems

In the rail domain, it was obviously necessary to ensure mutual recognition of risk assessment of technical systems (TS) when explicit risk estimation as RAP is used. In order to harmonise safety requirements for the design of E/E/PE (Electric/ Electronic/ Programmable Electronic) safety-related systems, CSM Design Targets (CSM-DT)13,14 have been introduced by the EU Agency for Railways (ERA). The CSM Design Targets are harmonised RAC for TS. The term ‘Design Targets’ was introduced to distinguish the acceptance of risks associated with technical systems from the acceptance of operational risks and the overall risk at the railway system level. CSM Designed Targets are defined in terms of the frequency of dangerous failure (FF) of TS as shown in Table 113. There are used by system designers and manufactures to answer the question: ‘Is my system safe enough?’. The goal of the harmonised CSM-DT is to assure that the designed TS is safe enough, as it is required by society. At the same time, the TS will not be safer than actually required.

Table 1 Common safety method—design targets for railway technical systems.

The CSM-DT were derived on the basis of current experience and best practice in the design of railway safety systems and are only applicable to functional failures that directly lead to accidents. CSM Design Targets represent harmonised functional safety requirements for TS and apply to both random failures and systematic failures13. Design targets are used as semi-quantitative safety requirements for random HW failures of E/E/EP technical systems. The associated systematic failures shall be managed by safety and quality processes in accordance with the required safety integrity level (SIL) corresponding to the design target. The relationship between FF and SIL is defined e.g., by the SIL table in IEC 61508 or EN 50129. A similar table for automotive SIL (ASIL) is in ISO 26262. It is therefore clear that CSM-Design Targets can also be applied to systematic failures due to software errors, which are a major problem in modern safety systems. According to Table 1, there are two classes of failure frequencies: Class (a) with FF = 1 × 10−9/ h and Class (b) with FF = 1 × 10−7/ h. The relevant FF class is determined by the estimated risk associated with the technical system, i.e. by the number of persons exposed to the hazardous event and the expected number of deaths. It should be noted that the failure frequency (FF) corresponds to the rate of occurrence of failures (ROCOF). It is also called unconditional failure rate/ intensity of an item at time t and is often denoted by w

  • Catastrophic failure consequences resulting in multiple fatalities usually with loss of plane (thus impacting all occupants), should not exceed an occurrence of 1 × 10−9/ flight hour. Failure consequences are extremely improbable in this case.

  • Hazardous failure consequences reducing capability of airplane, large reduction in safety margins, physical distress or excessive workload on crew and impacting a relatively small number of occupants, should not exceed an occurrence of 1 × 10−7/ flight hour. Failure consequences are extremely remote in this case.
  • Railways:

    • Failures of functions having possibility to affect whole train (i.e. all occupants) and resulting in fatalities should not exceed an occurrence of 1 × 10−9/ 1 h. Failure consequences are catastrophic in this case.

    • Failures of functions having possibility to affect a limited area of train (thus a relatively small number of occupants) and resulting in at least one fatality should not exceed an occurrence of 1 × 10−7/ 1 h. Failure consequences are classified as critical in this case.
    Catastrophic safety risks are generally controlled with safety-related systems compliant with SIL 4 and critical safety risks by systems compliant with SIL 3. It is evident that failure occurrences and consequences in aviation and on railways are classified in a very similar way.

    The use of the semi-quantitative railway CSM Design Targets is proposed to harmonise safety requirements for SDCs derived from the target individual risk of fatality (TIR). This solution is described in more detail below.