
The impact of Safety Integrity Level (SIL) requirements on the Phileas vehicle

Posted: 6 October 2007 | Alain Cherbuis, Marketing Executive, SMTD | No comments yet

Phileas is a new concept for comfortable, high-frequency passenger transport. Run on a dedicated bus lane, the Phileas combines the advantages of rail transport with the low costs and flexibility of a bus system. With precision docking along a raised platform, fast passenger entry and exit will reduce stop times and increase the average operational speed.

A conventional infrastructure with lanes for city buses is needed with the following additional systems:

  • Magnets for automatic guidance in the road surface of the bus lanes
  • Raised platforms for the bus stops
  • Route management system for the management of guided routes

The Phileas in Douai is capable of driving in manual mode like a normal bus, or semi-automatic mode. In semi-automatic mode, the on-board Guidance Control System (GCS) automatically guides the Phileas along a pre-determined trajectory with magnetic markers, with the aid of a variety of inputs from different types of navigation sensors. The GCS is also in control of activating the doors at the correct side of the vehicle, limiting speed to the maximum allowed, and preventing spontaneous acceleration. The driver only controls the acceleration and braking of the vehicle. Only in the event of danger can he take over the steering control by actuating the steering wheel.

Deviations from the ideal trajectory must be controlled continuously by the GCS because of factors such as the finite intrinsic accuracy of the GCS, the dynamic behaviour of a moving vehicle, and the external forces acting on the vehicle. A guided Phileas vehicle shall always stay within its defined confines, also termed the Gabarit Limite d’Obstacle (GLO). To stay within the GLO, the lateral deviation of the vehicle from the ideal trajectory must be less than 35cm to either the left or the right.

Because leaving the GLO, termed ‘loss of guidance’, can have catastrophic consequences (such as collisions with people, obstacles or other vehicles), a tolerable hazard rate of <10^-8 per hour (approximately less than one hazardous event every 10,000 years) is required for the guidance functionality. This corresponds to a Safety Integrity Level (SIL) requirement of SIL4.

Safety integrity is defined as the probability that a safety-related system satisfactorily performs the required safety functions, so that a safe state for the vehicle is achieved under all stated conditions within a given period of time. A SIL requirement, however, expresses an expected level of confidence in the safety of a system.

The required safety integrity must be of such a level to ensure that:

  • The frequency of failure of the safety-related system is sufficiently low to prevent the hazardous event frequency exceeding a value that is required to meet the tolerable risk
  • The consequences of failure are modified by the safety-related system to the extent required to meet the tolerable risk

In this context, the tolerable risk can be understood as the multiplication of the required frequency with some measure of the consequences of a hazardous event.

Safety functionality, implemented by a safety-related (sub) system, is intended as a preventive measure to reduce the frequency that a hazardous failure may occur. The GCS in the Phileas has been designed to ensure that, should any single component in a safety-related sub-system in the vehicle fail, it will never result in loss of guidance. All safety-critical components are redundant and monitored. In addition, the system checks whether the vehicle follows the route as programmed within certain limits. With a hazardous failure of hardware or software of the GCS, of the steering systems, or if a tracking error of greater than 15cm is detected by the GCS, the safety braking is activated automatically so that the vehicle comes to a controlled stop.

From a safety point of view, it would be ideal to physically separate all primary control functionality and safety functionality (different hardware and software) so as to avoid dependencies between the performance of the two. Such safety-related systems would typically operate in low demand mode. In this case, the probability of a hazardous event is the product of the hazard frequency and the unavailability (probability of failure on demand) of the safety functionality. The level of unavailability of the safety functionality is classified with a SIL number from 1 up to 4, where ten percent unavailable corresponds to SIL1, one percent to SIL2, 0.1 percent to SIL3, and 0.01 percent to SIL4.

However, the Advanced Public Transport Systems (APTS) solution for the GCS in the Phileas is to fully integrate all primary control functions and safety functions using the same software run on the same hardware. In this case, a first fault shall be detected and a safe state (the vehicle stopped within the GLO) be enforced in a time sufficiently short to ensure that the risk of a second hazardous fault occurring before the vehicle is stopped is smaller than the specified probabilistic safety target (that is, <10^-8 per hour).

Integrating part of the primary control functionality and safety functionality in one system implies that there are dependencies. If the steering capability of the vehicle is not affected by a first fault, then safety braking enforces a safe state within a few seconds. However, in the case of a failure that would reduce the steering capability of the vehicle, safety braking alone may not be sufficient to prevent loss of guidance. Thus, the safety-related steering control functionality in the Phileas, which consists of the steering systems as well as the GCS, operates in a high demand or continuous mode. For this reason, APTS must demonstrate that the safety-related steering control functionality is highly reliable and is available continuously, with a frequency of failure of 10^-8 per hour. This high reliability is required not only from a safety point of view, but also to prevent safety braking from being triggered too frequently by tracking errors greater than 15cm, which would leave the availability of the tram service below what the operating company requires.

By imposing a requirement for the frequency of failure of 10^-8 per hour on the primary control functionality, involving the GCS, and demonstrating compliance with this requirement, the risk of catastrophic accidents as a consequence of loss of guidance is reduced by a SIL4 risk reduction factor of 10^4 in comparison with a simple control system without safety functionality. In such a simple control system the consequence of a single failure, which is assumed to occur in the order of once per year, would directly result in functional failure of the system.
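The SIL arithmetic of the three preceding sections, as an added Python example that is not part of the original article: the low-demand product of hazard frequency and unavailability with the SIL bands quoted above, the continuous-mode rate bands that make 10^-8 per hour a SIL4 figure, the 10^4 risk reduction against a simple system failing once per year, and the 15cm trip and 35cm GLO limits. The two-fault model for the integrated GCS (independent faults at equal rates, a 5-second stop) is an illustrative assumption, not a figure from the article.

```python
import math

HOURS_PER_YEAR = 8760.0
THR_PER_HOUR = 1e-8        # tolerable hazard rate for loss of guidance (from the article)
TRIP_ERROR_CM = 15.0       # tracking error that triggers safety braking (from the article)
GLO_HALF_WIDTH_CM = 35.0   # permitted lateral deviation to either side (from the article)


def sil_from_pfd(pfd: float) -> int:
    """Low-demand mode: highest SIL n (1..4) such that the probability of failure
    on demand is below 10**-n (10%, 1%, 0.1%, 0.01%); 0 means below SIL1."""
    return max([0] + [n for n in range(1, 5) if pfd < 10.0 ** -n])


def sil_from_failure_rate(rate_per_hour: float) -> int:
    """Continuous/high-demand mode: SIL n (1..4) when the dangerous failure rate
    is below 10**-(4+n) per hour, so SIL4 means below 1e-8 per hour."""
    return max([0] + [n for n in range(1, 5) if rate_per_hour < 10.0 ** -(4 + n)])


def hazardous_event_rate_low_demand(demand_rate_per_hour: float, pfd: float) -> float:
    """Separated design: hazard frequency times unavailability of the safety function."""
    return demand_rate_per_hour * pfd


def second_fault_rate(fault_rate_per_hour: float, time_to_safe_state_s: float) -> float:
    """Integrated design (assumed model): rate of a first fault times the probability
    that an independent second fault at the same rate occurs before the stop."""
    t_hours = time_to_safe_state_s / 3600.0
    return fault_rate_per_hour * (1.0 - math.exp(-fault_rate_per_hour * t_hours))


def risk_reduction_factor(simple_failure_rate_per_hour: float, target_rate_per_hour: float) -> float:
    """How much rarer the hazardous event is than in a system where every failure is hazardous."""
    return simple_failure_rate_per_hour / target_rate_per_hour


def guidance_state(lateral_error_cm: float) -> str:
    """Classify a lateral deviation against the 15cm trip limit and the 35cm GLO edge."""
    err = abs(lateral_error_cm)
    if err > GLO_HALF_WIDTH_CM:
        return "loss_of_guidance"
    if err > TRIP_ERROR_CM:
        return "safety_braking"
    return "guided"


if __name__ == "__main__":
    once_per_year = 1.0 / HOURS_PER_YEAR   # the article's simple-system failure assumption
    print("SIL for 5e-9 /h:", sil_from_failure_rate(5e-9))
    print("risk reduction vs once/year:", round(risk_reduction_factor(once_per_year, THR_PER_HOUR)))
    print("two-fault rate, 5 s stop:", second_fault_rate(once_per_year, 5.0))
```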

The imposed SIL4 requirements for the guidance control and safety functionality are a real challenge, both for the hardware architecture design and for the software development processes. For demonstrating the SIL4 performance of the safety functions, it must be considered that all kinds of combinations of technical failures are possible that place a demand on the safety functionality while the safety functions cannot use the complete hardware and software. An extreme situation would be that all GCS computers fail simultaneously.

Concerning the development process, APTS has organised its safety management according to the Railway standard EN50126. Particular attention is given to assure completeness and correctness of the traceability from user requirements to requirements for the vehicle system and its sub-systems. A consistent set of clearly understood, detailed GCS hardware and software requirements is being derived with the aid of dedicated requirement software tools; on the basis of which a SIL4 compliant GCS architecture and SIL4 compliant software will be designed and realised. Furthermore, effort is being made to design and optimise the motion model used in the GCS software.

Demonstrating compliance with SIL4 requirements is compulsory for safety certification of the Phileas and approval and acceptance for driving Phileas vehicles in semi-automatic mode in the French town of Douai.