Certification experiences of ULTra PRT and 2getthere PRT vendors, as part of the Heathrow Airport and Masdar Eco-City applications - plus some basic guidance from the extensive experience and practice of Jeff Davis
Both PRT systems were examined, tested extensively and certified before being opened to the public. Here are some observations from two people who were closely involved with that certification process; they should be helpful to other companies that will face some type of certification process, which is likely to be required before their systems can be opened for public service. Clearly, the process will differ in some respects, depending on a number of local variables and requirements, but it seems likely that the similarities will be greater than the differences, for the most part. Jeff Davis has had extensive experience with certification processes used for a variety of public transit systems and has provided a useful guide to the basic elements of the certification process.
Observations by Nathan Koren regarding the ULTra certification process:
Governments have been involved -- not as the investigative bodies, per se, but rather as the entity that approves of the investigative bodies.
I can only speak to Ultra's case in any detail, but Robbert Lohmann from 2getthere and I have discussed the Masdar certification process, and the two experiences have been broadly similar. In the case of Ultra, the organisation which was required to approve a new non-road-based transport system was the HMRI ("Her Majesty's Rail Inspectorate"). Obviously Ultra is not a rail system, so the following process was devised:
- A panel of independent experts from industry and academia was jointly agreed to by Ultra and the HMRI. This was the "Safety Verification Team" (SVT).
- The expense of employing the experts was actually borne by Ultra, but not at Ultra's discretion -- we were contractually unable to fire them if we didn't like what they said. So they were truly independent.
- The SVT based its analysis on the ASCE APM standards. Going line-by-line through the APM standards they identified elements which Ultra was already in compliance with, and documented exactly how and why -- and also identified elements which Ultra was not in compliance with. In the case of the latter, the SVT had three options: (1) Agree unanimously that the APM standards did not apply in Ultra's case, and that the intent of the specific standard was being clearly and obviously met via other means. (2) Where it was not 1000% clear and obvious that Ultra's non-compliant solution was as safe as the default standards, devise a QRA and/or demonstration programme to prove that Ultra was just as safe. This resulted in a lot of demonstrating and testing -- very, very comprehensive. (3) Failing 1 & 2, design changes to bring Ultra into compliance and/or the (proven by testing) equivalent.
When the SVT had gone through each line of standards, and all the tests had been completed and signed off, they endorsed the system as safe to carry the public. The HMRI, meanwhile, had pre-agreed to endorse whatever the SVT decided.
This is how Ultra was certified at Heathrow, and they're taking a similar approach at Amritsar, in India. 2getthere used a slightly different formulation at Masdar, but the approach was broadly the same, and I know they're also keen to repeat it in other jurisdictions. I haven't discussed Vectus' certification processes in any detail, but I suspect that it has also been along similar lines. In truth, this is the only way to properly certify novel systems: have an independent knowledgeable party do routine tests and analysis to ensure they're safe in whatever ways you already know about, and then devise extra tests to verify that they're safe in any capacity which appears novel to you.
People who think that the safety of their technologies can be vouched for simply on the basis of their own personal say-so -- and think that this will be sufficient to be awarded public concessions and receive large amounts of private finance -- are frankly not being realistic.
Observations by Robbert Lohmann of 2getthere PRT
We have a history with automated projects which resulted in many consistency checks and safety measures being redundant features in the vehicles. For Masdar we had to demonstrate that each one works (despite the fact they had been proven in previous applications). There were special tests set up for this, where every possible fault we and the reviewers could think of was tested. What happens if this wire comes loose? How do we expect the system to react, does the system react that way and does it stop within the parameters that are considered safe?
With regard to the safety approval process, we followed a model very similar to what was applied for the Heathrow application. The only small difference was that in our case the 3rd party was hired by the customer, and reporting to the authorities (Abu Dhabi Department of Transportation). We have worked with the ISA (Lloyds Rail Register) and IHA (Bureau Veritas), resulting in a system we, our customer and the authorities have confidence in.
The assessor doesn't have to understand the detailed engineering: the engineering is the responsibility of the supplier, the ISA and IHA verify the system reacts according to design and thus meets the safety criteria set. The ISA and IHA determine whether the testing plan is sufficient: if not, additional work is going to be required as the supplier will need to demonstrate that it works according to the engineering design.
Observations from Jeff Davis on his experiences regarding the Safety Certification process for transportation systems
The following are some brief notes regarding the Safety Certification process for public transportation systems. These notes are just that, some notes. They are not intended to be all inclusive of the process or applicable safety standards to be followed.
Acronyms:
AHJ Authority Having Jurisdiction
APM Automated People Movers
ASCE American Society of Civil Engineers
EN European Norm (European Standard)
FMEA Failure Mode and Effects Analysis
DHA Designated Hazards Analysis
MIL STD Military Standard
NFPA National Fire Protection Agency
RAMS Reliability, Availability, Maintainability and Safety
Reference Applicable Standards:
ASCE 21 Automated People Movers
EN 50126 Specification and Demonstration of Reliability, Availability, Maintainability and Safety
EN 50128 Railway applications - Communication, Signalling and Processing Systems - Software for Railway Control and Protection Systems
EN 50129 Railway applications - Communication, Signalling and Processing Systems - Safety Related Electronic Systems for Signalling
MIL STD 882 Department of Defense Standard Practice: System Safety
NFPA 130 Standard for Fixed Guideway Transit and Passenger Rail Systems
When beginning the initial design phases it is useful to establish a committee or group of people involved with the safety aspects of the delivered transportation system. At a minimum the committee must consist of representatives from the System Owner, System Supplier/Contractor, Authority Having Jurisdiction in regards to life safety code compliance, local Fire/Life Safety Department, and local police/security. This committee is sometimes called the Safety and Security Committee, and some of the members must be knowledgeable and experienced in administering the various safety standards and codes. Note that implementing required safety measures during construction is typically not discussed nor covered by this particular committee.
In general, it is the burden of the transportation supplier to prove that the delivered system will not contain design flaws or defects that could lead to passenger injury or death, within a reasonable certainty. This not only includes the original design and as-constructed system, but also operational or maintenance procedures that if not performed correctly could endanger passengers or personnel.
The transportation system supplier prepares, maintains, and submits written documentation to this safety committee detailing the various analyses and measures they have undertaken to ensure that the delivered system will be safe for public transportation.
One of the first steps in this process is for the transportation system supplier to prepare and submit a Failure Mode and Effects Analysis (FMEA), sometimes called a Failure Mode and Effects Criticality Analysis (FMECA). FMEAs are performed in conjunction with Hazards Analyses and are used to demonstrate by analysis the consequences of failures of critical components, where "critical" means presenting a hazard to life safety. For example, what is the resulting effect if a vehicle experiences a single brake failure, or what is the effect if a certain electrical relay fails to energize? Note that only single failures are considered. Any component failure that might result in an unsafe condition must be included in a Hazard Analysis along with its mitigation.
In addition to the FMEAs, the transportation system supplier prepares and submits various Hazards Analyses and supporting documentation in accordance with ASCE 21 APM Standards and MIL STD 882. The Designated Hazard Analysis includes those failure modes identified in the FMEA as presenting a safety hazard as well as other possible hazards.
Typical examples from a Hazard Analysis:
(Columns: Hazard / Possible Cause / Consequences / Mitigation)
Hazard: Fire inside vehicle
Possible cause: Faulty/faulted wiring
Consequences: Smoke inhalation by passengers; passengers burned
Mitigation:
1. Require all vehicle wiring to be protected by circuit breakers
2. Require all vehicle wiring to be low smoke/zero halogen
3. Require fire barrier separation between high voltage/high power wiring and vehicle interior
Hazard: Fire inside vehicle
Possible cause: Hot power wiring or vehicle equipment igniting vehicle interior, or passenger induced
Consequences: Smoke inhalation by passengers; passengers burned
Mitigation:
1. Require vehicle interiors to be constructed with non flammable materials.
2. Require vehicle interiors to be constructed using only low smoke/zero halogen materials.
Hazard: Passengers exit moving vehicle
Possible cause: Passengers opening vehicle doors
Consequences: Falling/impact hazard to passengers
Mitigation:
1. Require the vehicle doors to be locked such that they can only be opened when the vehicle is at zero speed.
2. Require the vehicle doors to be monitored such that the vehicle stops if a passenger unlocks a door.
Note that hazards may be mitigated by design where that is reasonable and practical, or by procedure where mitigation by design is not reasonable.
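The single-failure walk-through that the FMEA paragraph describes, applied to the "passengers exit moving vehicle" hazard above, as an added example (not code from the page, the suppliers or the standards named). The component names, the fault list and the two-mitigation model are constructed assumptions; the point it shows is that a fault in a channel both mitigations share defeats both at once, and that such a fault must then appear in the Hazard Analysis with its own mitigation.

```python
# Constructed single-fault FMEA for the door interlock (assumed component names).
# Mitigation 1: doors locked unless speed is sensed as zero.
# Mitigation 2: the vehicle stops if a door reads open while moving.
FAULTS = {
    # fault name                   -> the one channel it corrupts (single failure only)
    "no_fault":                     {},
    "speed_sensor_reads_zero":      {"sensed_speed_zero": True},
    "lock_relay_fails_to_energise": {"lock_relay_ok": False},
    "door_sensor_stuck_closed":     {"door_sensor_ok": False},
    "brake_command_wire_loose":     {"brake_ok": False},
}

def single_fault_effect(fault):
    """Scenario: vehicle at line speed and a passenger pulls the door handle.
    Exactly one fault is injected, as an FMEA considers single failures."""
    channel = dict(sensed_speed_zero=False, lock_relay_ok=True,
                   door_sensor_ok=True, brake_ok=True)
    channel.update(FAULTS[fault])
    handle_pulled = True
    # Mitigation 1: the lock stays engaged while speed reads non-zero and the relay works.
    lock_engaged = (not channel["sensed_speed_zero"]) and channel["lock_relay_ok"]
    door_opens = handle_pulled and not lock_engaged
    # Mitigation 2: the door monitor demands a stop when the door reads open while moving.
    sensed_door_open = door_opens if channel["door_sensor_ok"] else False
    vehicle_stops = (sensed_door_open and not channel["sensed_speed_zero"]
                     and channel["brake_ok"])
    safe = (not door_opens) or vehicle_stops
    # A fault in mitigation 2 is not revealed while mitigation 1 holds: it is dormant
    # in this scenario and needs a periodic test/inspection procedure to be found.
    dormant = fault != "no_fault" and not door_opens and not vehicle_stops
    return {"fault": fault, "door_opens": door_opens,
            "vehicle_stops": vehicle_stops, "safe": safe, "dormant": dormant}

def fmea_table():
    return [single_fault_effect(f) for f in FAULTS]

def hazards_requiring_entry(hazard_register):
    """Cross-check from the text: every single fault with an unsafe outcome
    must be listed in the Hazard Analysis (register) with a mitigation."""
    return [row["fault"] for row in fmea_table()
            if not row["safe"] and row["fault"] not in hazard_register]

if __name__ == "__main__":
    for row in fmea_table():
        print(row)
    print("missing hazard entries:", hazards_requiring_entry({"lock_relay_fails_to_energise"}))
```

With the register holding only the lock relay fault, the check reports the zero-reading speed sensor: it unlocks the door and simultaneously blinds the stop monitor, so neither mitigation remains.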
During the construction process members of the safety group perform inspections of identified hazards to ensure that the proposed mitigations have been implemented appropriately. These inspections will include reviews of operational and maintenance procedures that were identified as necessary to mitigate certain hazards.
During all phases of the project an independent safety organization comprising specialists in safety standards and codes performs periodic reviews of the project's safety related documentation and audits of the actual construction.
All of the safety related documentation, including Hazards Analyses, FMEAs, field inspections, reports, the letter of approval from the independent safety organization, etc. is assembled to form a safety case which is then submitted to the governmental certifying body for review and approval. If approved, the transportation system receives a safety certification allowing it to operate and carry passengers.
Finally, note that safety certifications for a given system are just that, for the system analyzed. Altering components (hardware or software), or procedures may invalidate the safety certification if they affect the safety aspects, or design of the system, and the Operations and Maintenance company is not allowed to make the decision as to whether or not it is safe to change, alter, or modify system designs. These decisions must be documented and submitted to the original supplier for review and approval since they could potentially affect the safety integrity of the system.
Suggested Reading:
Fatal Defect: Chasing Killer Computer Bugs by Ivars Peterson
This is an excellent compilation of stories of design flaws that inadvertently caused system failures, loss of equipment, and sometimes loss of life. I highly recommend that at least one, maybe two people within a PRT supplier's organization read this book.
Last modified: June 12, 2012