A safety related perspective for the power supply systems in railway industry
(Polish title: Bezpieczeństwo systemów zasilania w przemyśle kolejowym, i.e. Safety of power supply systems in the railway industry)

Oz MA, Kaymakcı OT, Koyun A. A safety related perspective for the power supply systems in railway industry. Eksploatacja i Niezawodnosc – Maintenance and Reliability 2017; 19 (1): 114–120, http://dx.doi.org/10.17531/ein.2017.1.16.


Introduction
Railways and highways are the two main means of public transport over land. When compared to highways, railways are much more advantageous because they can carry a large amount of cargo and a larger number of passengers faster and more comfortably over long distances. These advantages result in more railways being built, especially in urban areas, and more passengers choosing railway transportation. This increasing demand has forced local operators to decrease headway times to as little as 90 seconds, and the availability of the overall system has become more important than ever. An incident or major failure can therefore cause catastrophic problems for operating companies, which is unacceptable in any situation. Therefore analysing the risks and verifying that the SRFs satisfy the corresponding safety level is mandatory according to CENELEC 50126 [2].
Most railway systems, such as rolling stock [13], fire safety systems [11] and railway trackside equipment [14], are already considered safety related systems. In contrast, the railway power supply system's availability is usually analysed from a reliability perspective, using methods such as Bayesian networks [22], state-space partitioning [7] and an innovative method supported by a state enumeration technique [5]. In a study by Rosinski A. and Dabrowski T., issues related to the reliability of power supply systems have been discussed and analysed [19]. On the other hand, if a safety related function does not operate properly and on time, the system and the establishment can be seriously harmed. Therefore calculating only the reliability of the power system is not enough to guarantee system availability; the system's safety level must also be greater than an expected value. In this context, all safety functions of the railway power supply system should be assessed from the IEC 65108 perspective and a detailed analysis containing failure modes should be made. This paper proposes that railway power supply systems have to be analysed as safety related systems. For this purpose a risk analysis is made, the corresponding safety related functions are examined, and each function is modelled in detail using the Markov modelling method. The justification of the proposal and the developed, easily adaptable Markov models can be considered the original contributions of this study. This study also points out the risks of inaccurate calculation of the SIL level by comparing the results of the applied detailed Markov model with those of the applied Fault Tree.

Muhammet Ali Oz, Ozgur Turay Kaymakcı, Ayhan Koyun
Within its structure, railway transportation systems contain very critical subsystems that can seriously harm the system itself, people or the environment if not properly controlled. Therefore, these critical subsystems are analysed according to the related standards, and the necessary safety functions are implemented, verified and operated. On the other hand, the railway power supply system, which is a critical subsystem, is generally properly analysed from a reliability perspective, whereas the corresponding safety related functions are only roughly examined. This paper proposes that railway power supply systems should be considered as safety critical systems and justifies this proposal using risk analysis as presented in the standard IEC 61508. The safety related functions of the system are examined and each function is modelled in detail using the Markov modelling method. These models are implemented over a power supply system of Istanbul

Science and Technology
For safety assessments a system modelling method is needed in order to determine the safety integrity level (SIL) of the system. In general, the Fault Tree method is used, and this method is also recommended by the standard IEC 61025 [9]. Fault Tree analysis is a simple and primitive method. It is also insufficient to reflect the dynamics of the system when the system has too many failure modes. In spite of all the drawbacks of Fault Tree analysis, it is frequently used. Collong and Kouta evaluated the probability of explosion and identified critical failure sequences of a fuel cell system using Fault Trees [3]. To overcome the drawbacks of FTA, modified versions of the Fault Tree method such as the conditional Fault Tree [20], or combinations of methods such as fuzzy logic [16] and genetic algorithms [12] with FTA, can be used. The detailed modelling capabilities of Markov modelling make it a better alternative, and it is used by many researchers when modelling safety related systems, for instance systems with self-diagnostic components [23] and redundant standby safety systems [8]; it is also used for different purposes such as SIL verification [21] and performance assessment [15]. In this paper the Markov modelling technique, which is recommended by the standard IEC 61165, will be used for its detailed modelling capabilities and precise results. It should also be noted that the created models are modular and easily adaptable to all railway power supply systems.
The organization of the paper is as follows: in section 2 the parameters and techniques used in the paper are explained. In section 3 the analysed power supply system is introduced and the desired SIL level of the power supply system is obtained by examining the risk factors. The railway power supply system's safety related functions are examined and each function is modelled in detail using the Markov modelling method in section 4. Finally, results and discussion are given in section 5.

Safety related system
A safety-related system is a system which ensures or maintains safety; therefore the correct operation of this system is crucial for ensuring or maintaining safety. The purpose of a safety related system is to bring the system to a safe state when a dangerous state is detected. All safety related systems are composed of a combination of sensors, logic solvers and final elements. A properly realized safety life cycle of an SRS has three stages, called the design, implementation and operation phases. Existing standards act as a guide and explain the important steps of the safety life cycle. The major necessities of all phases are defined in the IEC 61508 standard [9]. EN 50128 describes the essential aspects of developing software for E/E/PE systems used in railway safety related applications (CENELEC 2011) [10].

The safety lifecycle
The safety life cycle is a series of phases starting from initiation and the specification of safety requirements. It covers the design and development of safety features in a safety-critical system, and the termination of that system. In the analysis phase a risk and hazard analysis is made for the designed system. The frequencies, causes and aftereffects of possible threats are considered when the operation mode of the SRS is determined. IEC 61508 determines the operation mode of the SRS by the demand rate. Also at this phase a SIL (safety integrity level) is assigned to the system, which is a measure of the performance required of a safety instrumented function.
One of the methods approved by IEC 61508 for determining the required safety integrity level of the system is the risk graph. The risk graph method requires knowledge of the risk factors of the system. The risk factors associated with the system are represented by the C, F, P and W parameters. The description of these parameters is given in Table 1.
There are six possible outcomes of the risk graph. Numbers 1 through 4 indicate the safety integrity level, where the integrity level increases from level 1 to 4, meaning that 4 represents the highest and 1 the lowest integrity level. The symbol "a" represents that there is no safety requirement, and the symbol "b" means that a single E/E/PE safety system is not sufficient. The risk graph method, which is obtained from IEC 61508 Part 5 Annex B (IEC 2002), is given in Figure 1.

Functional reliability parameters
Some reliability parameters for safety related systems are introduced by the IEC 61508 standard. These parameters are used to classify the hardware aspects of systems. Below are some of the major related parameters:
Failure rate: the failure rate is the frequency with which a system or component fails, expressed in failures per unit of time, and is represented by λ. Failure rates can be categorized into safe failures (S) and dangerous failures (D). As shown in Equation (1) and Equation (2), dangerous failures can also be separated into two types, called detectable dangerous failures (DD) and undetectable dangerous failures (DU) [1].
Safe failure factor: the relation between λD and λS is described with the safe failure factor S as given in Equation (3).
Safe failure fraction (SFF): the safe failure fraction is the ratio of the total safe failure rate of a subsystem plus the dangerous detected failure rate of the subsystem to the total failure rate of the subsystem. The calculation of SFF is shown in Equation (4) and is proposed in IEC 61508-6 Annex C.
Proof test interval (Ti): the interval of time between two proof tests. According to IEC/EN 62061, a proof test is a test to detect faults and degradation in SRCs in order to restore the system to as-new condition. All dangerous faults must be detected during proof testing.
Mean time to failure (MTTF): according to the standard IEC/EN 60050, it is the statistical average elapsed time until the first occurrence of failure of a system or a unit [17]. This time depends on the architecture and the failure rate of the system.
Mean time to repair (MTTR): it represents the average time required to repair a failed component or device. IEC/EN 61508 defines MTTR as 8 hours.
Probability of failure on demand (PFD): a value that indicates the probability of a system failing to respond to a demand. Usually the average probability of failure on demand is discussed for an SRS [17]. The PFDavg value is defined in Equation (5).
Hardware fault tolerance (HFT): HFT is the number of hardware faults that the system or the unit can tolerate before a dangerous failure [13]. The HFT is calculated as given in Equation (6):
HFT n min i
After the safety related system is designed, its performance is calculated and a comparison is made in order to check whether the required SIL level has been achieved. The SRS must be improved until the required SIL level is achieved. The performance of the SRS is measured using the PFDavg, PFH, SFF and HFT measures. The standard takes into account PFDavg for low demand systems and PFH for high demand systems. Table 2 shows the SIL levels and their corresponding probability intervals for PFDavg and PFH. Table 3 shows the maximum allowable SIL when SFF and HFT are taken into account. The values of Table 2 and Table 3 are taken from the standard IEC 61508. IEC 61508 defines the safety level and safety conditions that must be ensured by all E/E/PE devices, and all industrial standards are derived from this standard. Therefore these values are well suited for this study.

Markov Model Analysis
In safety related systems, system availability is very important; therefore these systems are usually repairable systems. Simple probabilistic methods cannot adequately model repairable systems when issues such as system configuration, entire or partial system repairs, repair time, diagnostic time, diagnostic coverage, etc. are taken into consideration. In order to introduce these parameters, a Markov model is a good alternative. Markov models have two components: states and transitions. States are represented by circles, while transitions are represented by lines with direction arrows.
These transition rates and the states can be written as a matrix, with rows representing states and matrix entries representing transitions. The system model can be expressed as Equation (8), where P is the transition matrix and x is the probability vector of states at time t. The probability of failure on demand is calculated as shown in Equation (9), where the initial state condition vector is x0 and c is a constant vector defining in which states the system is safe.

Description of railway power supply systems
Railway systems consist of many critical sub-systems that require clean power without drop-offs or variances, which is why power supply systems are a crucial part of railway systems. The power supply system generally converts the electrical energy from the national grid and feeds all components of the railway system. A malfunction in the power supply system can cause unacceptable situations resulting in serious passenger grievances or accidents. In order to prevent these kinds of situations, the safety analysis of the system must be made and the required SIL level has to be achieved. In this context, a railway power supply system of Istanbul Transportation Co. is analysed as an example system, but the models introduced in this paper can easily be extended and adapted to other railway power systems. The railway power supply system consists of five main parts: the traction power transformers, the ring line which connects substations to each other, the Medium Voltage Switchgear System, the DC Switchgear System and the catenary line.
The power supply system is connected to the national grid via three main feeding points, and the traction power needed on the catenary line is supplied through 11 substations. These substations are connected to each other for high reliability and flexible management. The electrical diagram of the power supply system is given in Figure 2.
Inside the substation, the medium voltage busbar is connected to the traction power transformer via a medium voltage circuit breaker. Traction power transformers have one primary winding connected in delta and two secondary windings connected in delta and star. These power transformers transform the incoming 34.5 kV to 580 V. Afterwards a rectifier converts 580 V AC into 750 V DC. The positive pole of the rectifier is connected to the DC busbar via a manual disconnector. From the DC busbar, using DC cables, four DC circuit breakers and a manual disconnector, the catenary line is energized. Rolling stock gets the power it needs from this catenary line using a pantograph, and the circuit is completed when the rails are connected to the negative pole of the rectifier by means of a disconnector. In this study only the safety system of the traction power transformer's medium voltage circuit breaker is analysed, taking into account the protection functions which protect the traction power transformer and rectifier from the AC and DC side. The safety system consists of four safety related functions which cause a trip of the traction power transformer's medium voltage circuit breaker, as listed below. In the system two control systems are used, one for the DC section and another for the medium voltage section of the system. Voltage detection and current detection, which are called frame leakage faults, are first received by the control system on the DC section and then transferred to the medium voltage control system. In this paper the medium voltage control system is considered as the main control system and the DC control system is considered as the secondary control system.
• The current inside the traction transformer's phases is tracked by a connected current transformer. The secondary winding of the current transformer is connected to the main control system, and if the current exceeds a predetermined threshold value the main control system sends an open command to the medium voltage circuit breaker.
• The temperature of the traction power transformer's coils is tracked using a thermistor. The temperature readings of the thermistor are monitored by a temperature relay, and if the temperature exceeds a predetermined value the main control system sends an open command to the medium voltage circuit breaker.
• This SRF is one of two types of frame leakage fault detection. In this case the voltage between the DC switchgear frame (structure earth) and traction earth (negative potential) is measured. This voltage detection identifies dangerous touch voltages which may occur in the switchgear. The measured value is determined by means of a voltage transducer. If the voltage exceeds a predetermined value, the four DC circuit breakers are switched off through the secondary control system and the medium voltage circuit breaker through the main control system.
• The other frame leakage fault detection is the current detection between the DC switchgear and structure earth. If a current is detected between the DC switchgear frame and structure earth, this means the isolation between the +750 V positive circuits and the frame has failed. The measured value is determined by means of a shunt resistor and a current transducer. If the current exceeds a predetermined value, the four DC circuit breakers are switched off through the secondary control system and the medium voltage circuit breaker through the main control system.
The block diagram of the system is given in Figure 3. The probability of someone getting harmed inside a power station is very low, but since the station feeds trams through the catenary line, high voltages or high currents or even the lack of power can indirectly harm many passengers, personnel and even people near the tramlines. Based on Figure 1, the risk parameters will be CD, FB, PA and W2 respectively. Based on these parameters the required SIL of the system has to be SIL 3, and from Table 1 the of the system should be between.

Reliability analysis of the power supply system
An SRS is made up of sensors, control units and actuators. For precise calculation the reliability parameters must be authentic; to ensure this, data provided by the vendor and by OREDA (Offshore Reliability Data) has been used in this study, and the failure rates of the MV switchboard are given in Table 5 [4]. There are 6 main SRFs in this safety system and they are described in Table 4. Calculations have been done with the following assumptions:
• For all SRF components the proof test interval is assumed to be 1 year and testing is presumed to be ideal.
• All redundant components are assumed to have the same failure rate.
• Repair is presumed to be ideal and MTTR is presumed to be 8 hours.
• Cable and pipe installation failures are neglected.
• The beta factor is accepted as 2%, which is recommended in IEC 61508-6 Annex D.
• An exponential failure rate distribution is presumed for all components, as suggested in the ABB Power Technologies handbook and OREDA.
• The detection time is assumed to be 1 hour.
• The probability of two or more components having state transitions at the same time is zero.
The Markov model developed for safety related function 3 is shown in Figure 4, where μr, μLT and μd represent the repair time, testing interval time and detection time respectively. Also μS is the sum of all safe failure rates. In the model, state 1 indicates that all components of the system are working flawlessly. State 6 shows the combined safe faults of all components, and in this state the system is shut down until all detectable faults are fixed. Thus safe failures affect the reliability of the system negatively but do not affect the safety of the system. State 2 indicates that one of the two secondary control systems has failed. Since the secondary control system is 1oo2D, the SRS is still operational. From state 2, if the last secondary control system fails before the fault is detected, a transition is made to state 3, in which the SRS fails. States 9 and 5 represent the failure of the isolation amplifier and of the main control system respectively. If a failure is detected, a transition is made to the safe state immediately. The only exception is state 7, because it represents an error on the breaker, which is the component that transitions the system into the safe state. Lastly, states 4 and 5 represent an undetectable dangerous fault on the switchboard and the breaker respectively. These faults are not repairable since they are not detected. Only in states 1, 2 and 6 is our system safe. From the Markov model in Figure 4 the transition matrix and the constant matrix are obtained. Substituting the probability vector of states, which is calculated from Equation (8), into Equation (9), the PFDavg values are calculated. Following a very similar path, the PFDavg values for the other SRFs can be calculated.
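The matrix formulation of Equations (8) and (9) and the SRF model described above, as an added Python example that is not the paper's own code or data: the state set only follows the structure described (1oo2D secondary control, undetected faults that persist until the proof test, a safe shutdown state, a breaker fault that cannot reach the safe state), the failure rates are constructed assumptions rather than the values of Table 5, and the SIL bands are the IEC 61508 low-demand PFDavg bands. The assumptions of the previous section (MTTR 8 h, detection time 1 h, beta factor 2%, ideal yearly proof test) are used as the model parameters.

```python
# Constructed rates, all per hour (assumptions from the text: MTTR 8 h,
# detection time 1 h, beta factor 2 %, ideal proof test once a year).
MU_R = 1.0 / 8.0        # repair rate (1/MTTR)
MU_D = 1.0              # detection rate (1/detection time)
BETA = 0.02             # common-cause fraction for the 1oo2D controllers
LAMBDA_SC = 1.0e-5      # dangerous failure rate of one secondary controller
LAMBDA_S = 5.0e-5       # sum of all safe failure rates (safe shutdown)
LAMBDA_SW_DU = 2.0e-8   # switchboard, dangerous undetected
LAMBDA_BR_DU = 3.0e-8   # breaker, dangerous undetected
LAMBDA_BR_DD = 1.0e-6   # breaker, dangerous detected
LAMBDA_MC_DD = 5.0e-6   # main control system, dangerous detected

# Constructed state set: 0 all OK, 1 one secondary controller failed (1oo2D
# degraded), 2 both secondary controllers failed, 3 switchboard DU,
# 4 breaker DU, 5 safe shutdown, 6 breaker DD, 7 main control DD.
N_STATES = 8
SAFE_STATES = (0, 1, 5)   # the SRS can still respond to a demand here
TRANSITIONS = [
    (0, 1, 2 * (1 - BETA) * LAMBDA_SC),  # independent first controller fault
    (0, 2, BETA * LAMBDA_SC),            # common-cause loss of both controllers
    (0, 3, LAMBDA_SW_DU), (0, 4, LAMBDA_BR_DU),
    (0, 5, LAMBDA_S), (0, 6, LAMBDA_BR_DD), (0, 7, LAMBDA_MC_DD),
    (1, 2, LAMBDA_SC),   # second controller fails while degraded
    (1, 0, MU_R),        # detected by 1oo2D diagnostics and repaired
    (2, 5, MU_D),        # loss of both detected, system tripped to safe state
    (5, 0, MU_R),        # safe shutdown repaired
    (6, 0, MU_R),        # faulty breaker cannot trip; only repair leads out
    (7, 5, MU_D),        # main control fault detected, trip to safe state
    # states 3 and 4 (undetected faults) are absorbing until the proof test
]


def transition_matrix(transitions, n_states, dt):
    """One-step matrix P = I + Q*dt (the P of Equation 8) from a rate list."""
    p = [[0.0] * n_states for _ in range(n_states)]
    for src, dst, rate in transitions:
        p[src][dst] += rate * dt
    for i in range(n_states):
        out = sum(p[i])
        if out > 1.0:
            raise ValueError(f"time step too large for state {i}")
        p[i][i] = 1.0 - out  # probability of staying in state i
    return p


def pfd_avg(transitions, n_states, safe_states, proof_test_h=8760, dt=1.0):
    """Average PFD over one proof-test interval (Equation 9 with c marking the
    safe states).  An ideal proof test restores x0, so one interval suffices."""
    p = transition_matrix(transitions, n_states, dt)
    c = [1.0 if s in safe_states else 0.0 for s in range(n_states)]
    x = [0.0] * n_states
    x[0] = 1.0  # x0: every component working
    steps = int(round(proof_test_h / dt))
    total = 0.0
    for _ in range(steps):
        x = [sum(x[i] * p[i][j] for i in range(n_states)) for j in range(n_states)]
        total += 1.0 - sum(xi * ci for xi, ci in zip(x, c))  # P(unsafe state)
    return total / steps


def sff(lambda_s, lambda_dd, lambda_du):
    """Safe failure fraction, IEC 61508-6 Annex C: (S + DD) / (S + DD + DU)."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508 bands); 0 = below SIL 1."""
    for upper, sil in ((1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)):
        if pfd < upper:
            return sil
    return 0


if __name__ == "__main__":
    v = pfd_avg(TRANSITIONS, N_STATES, SAFE_STATES)
    print(f"PFDavg = {v:.3e} -> SIL {sil_from_pfd(v)}")
```

With these constructed rates the undetected faults (states 3 and 4) dominate PFDavg, which is why the proof test interval matters far more than the 8 h repair of detected faults.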

Table 6 shows the results of the analysis and the PFDavg values calculated using Fault Tree analysis. The safety level of the overall system is the minimum SIL of all SRFs. Therefore the desired SIL level, which was decided to be level 3, is not achieved, meaning this railway system is not as safe as required.
There is a huge gap between the PFDavg values calculated from Fault Tree analysis and from Markov model analysis, such that in SRF 2 this difference causes the SIL level to appear as level 1 when it should be level 2. It should be noted that if there is inadequate or little information about the system components, then the values obtained from FTA and Markov analysis are nearly the same. On the other hand, if detailed information is obtained about the system components, such as detailed failure modes, their failure rates, repair times, diagnostic coverage, proof test interval time, proof test coverage factor, etc., then the calculated PFDavg values are seriously different. This is actually an expected variation, as the dynamics of the system can be expressed further by Markov models.
These results therefore support our view that the power supply subsystems of railway systems must be considered and analysed as an SRS, and furthermore that while analysing SRSs, Markov models should be used because of their highly detailed modelling capabilities.

Conclusion
Railway power supply systems are generally not considered as safety systems and therefore they are also not analysed as such. This is a significant hazard not only for human life but also for the system itself. In this paper the railway power supply system's safety related functions are examined and each function is modelled in detail using the Markov modelling method. The introduced models are modular and can easily be applied to all railway power supply systems. Also, the desired safety integrity level of the power supply system is calculated by examining the risk factors. In this context, a power supply system of Istanbul Transportation Co. is analysed to demonstrate how to apply our modelling method, and the results strengthen the claim that all railway supply systems should be considered and analysed as safety related systems. Furthermore, when Markov modelling and Fault Tree modelling are compared using data from the analysis, the superiority of Markov modelling is observed for this problem. The reason behind this superiority is that the introduced Markov models represent the system failure dynamics better when detailed information on the failure modes of the system components is known.

Fig. 2. Electrical diagram of the power supply system

Table 1. Risk factor parameter explanations

Table 3. Maximum allowable SIL for a safety related function

Table 4. The description of the SRFs

Table 5. Failure rates of the MV switchboard

Fig. 4. Markov model for SRF4

Table 6. PFDavg calculation results