Safety system for civilian objects

Abstract

 The invention enables the translation of the status of components within a civil object to the operational safety and/or availability of the object. More in particular this concerns objects such as infrastructural objects (for example a tunnel for railroad traffic or road traffic), buildings and industrial installations (for example a nuclear power plant). Herewith a possible interaction among systems, among operational functions and among systems and operational functions is taken into account. It is possible that a system interacts with several objects, such as for example a ventilation system can provide flows of air in different parts of a railroad tunnel and influence each other in this manner.

Description

FIELD OF THE INVENTION

[0001] The present invention relates to a system, method and computer program product for the determination of an operational security and/or availability of a civil object. More specifically, it relates to civil objects such as infrastructural objects, buildings and industrial installations. Tunnels for railroad or road traffic are examples of infrastructural objects.

BACKGROUND

[0002] US 7.222.003 B2 describes a method and a computer program for monitoring the integrity of a train. Virtual blocks along the track are capable of detecting the front side and the rear side of the train, for thus determining if the entire train has passed a virtual block. It thus becomes possible to determine if trains are at a safe mutual distance. Moreover it is possible to detect if a train is disconnected. US 7.222.003 B2 does not teach how to monitor the integrity of the environment of the train - for example of a railroad tunnel -, but aims at the train itself.

[0003] US 6.972.687 B1 describes a system and a method for detecting a break in a construction such as a bridge or a road. When the construction breaks, a cable, which is connected to the construction, will break too. The break in the cable is detected, upon which it becomes possible to warn road traffic by means of a traffic light. US 6.972.687 B1 does not make it possible to distinguish subtle distinctions in the integrity of the construction. In US 6.972.687 B1 only a break or no break is mentioned. Moreover, detection is limited to detection of a cable break.

SUMMARY OF THE INVENTION

[0004] The present invention aims to provide an improved safety system, a method and a computer program product for the determination of an operational safety and/or availability of a civil object. Here, more specifically civil objects such as infrastructural objects, buildings and industrial installations are concerned.

[0005] For realizing the aforementioned aim, the invention provides in a first aspect thereof a safety system for determining an operational safety and/or availability of a civil object. The object comprises several systems each comprising a number of components. The safety system comprises a memory arranged for the storage of operational functions and boundary value functions. Each operational function is related to one or more boundary value functions. The boundary value functions define a minimal availability of the components for the operational functions. The safety system further comprises a component analyzer arranged for the determination of availability values of the components. The safety system further comprises a function analyzer connected to the component analyzer and the memory and arranged for calculating an availability of at least one of the operational functions based on a boundary value function and the availability values of the components that are related to the boundary value function. The calculated availability of the operational functions is an indication of the operational safety and/or availability of the civil object.

[0006] In a second aspect of the invention, a method is provided for determining an operational safety and/or availability of a civil object with the characterizing features of claim 8. The safety system operates typically as a safety monitor that analyses objects, operational functions, systems and components of the civil objects with respect to their correct operation.

[0007] Because the invention utilizes boundary value functions for the determination of the operational safety and availability, it is possible to make statements based on what the components and systems do instead of only based on the technical status of a component or system. An example is a boundary function that is defined such that it takes air flows into account generated by ventilators and translates this into for example a minimal number of ventilators that must be capable of being active, which is used by the operational function in order to for example determine if it is still possible to satisfy the requirement of offering a safe escape route.

[0008] In the embodiment of claims 2 and 9 it is possible to take into account interactions among components and systems of different objects.

[0009] In the embodiment of claims 3 and 10 it is possible to define and use complex rules relating to the availability of components and the impact of the unavailability of components.

[0010] In the embodiment of claims 4 and 11 the availability of individual components may be taken into account to a higher or lower degree in the calculations.

[0011] In the embodiment of claims 5 and 12 it becomes possible to model complex objects by the creation of dependencies among boundary value functions.

[0012] In the embodiment of claims 6 and 13 it is possible to determine the operational safety and/or the availability at a higher level, for example at the level of mitigation that includes several operational functions.

[0013] In the embodiment of claims 7 and 12, it is possible to present or store information on the operational safety and/or the availability.

[0014] In the embodiment of claims 8 and 13 simulations may be executed, by which it for example becomes possible to calculate scenarios before the start of using a safety system or for searching back when an error was made at some point.

[0015] In a third aspect of the invention a computer program product is provided that is capable of executing the aforementioned method.

BRIEF DESCRIPTION OF THE DRAWINGS

[0016] The safety system, the method and the computer program according to the present invention are further described with reference to the accompanying drawings, wherein:

Figs. 1 and 2 show simplified top views of a railroad tunnel complex;

Fig.3 shows a functional model;

Fig.4 shows a physical model;

Figs. 5-7 show numerical models; and

Fig.8 shows a simplified system architecture.

DETAILED DESCRIPTION

[0017] By the invention it becomes possible to translate the status of components within a civil object to the operational safety and/or availability of the object. More specifically, this concerns civil objects such as infrastructural objects (for example a tunnel for railroad traffic or road traffic), buildings and industrial installations (for example a nuclear power plant).

[0018] An object typically comprises several systems. As an example an underground tunnel complex is mentioned, comprising a number of tunnels or tube pieces. However, the invention is not limited to this. In a railroad train tunnel complex the operational safety and availability are typically determined for each tunnel piece or tube piece. Here the objects are also the tunnel pieces. Each tunnel piece comprises several systems, such as for example a ventilation system. The ventilation system comprises several components, among which for example a ventilator.

[0019] In the determination of the operational safety and/or availability of the object, a possible interaction among the systems, among operational functions and among systems and operational functions is taken into account. It is possible for a system to interact with several objects, such as for example a ventilation system may provide air flows in different tunnel pieces and as such mutually influence each other.

[0020] A suitable but not limitative embodiment of the present invention is described below, referring to the Figures.

[0021] Fig.1 shows a simplified top view of a railroad tunnel complex 1. The railroad tunnel complex 1 comprises tunnel pieces 11-14 and tunnel pieces 21-24 through which railroad tracks 2 pass. Each of the tunnel pieces is an object for which the operational safety and/or availability may be determined or within which operational functions are defined of which the availability can be determined. An underground station 3 is positioned between the tunnel pieces 11-14 and the tunnel pieces 21-24. The station 3 is also an object.

[0022] A system, such as for example a ventilation system, belongs to its own tunnel piece, but is often also supportive for other tunnel pieces. When a calamity occurs in a tunnel piece, the ventilation system is used for removing for example the smoke. However, not the ventilators in the respective tunnel piece generate the largest fraction of the ventilation power, but instead the ventilation systems in the opposing tunnel pieces, i.e. at the other side of the station 3, realize this power.

[0023] Fig.2 shows again the top view of the railroad tunnel complex 1. For better readability, the reference numerals of Fig.1 are left out in Fig.2. The black surface 4 visualizes a required availability of ventilation systems related to tunnel piece 23. More in specific, it shows which tunnel pieces have a dependency with tunnel piece 23 regarding the possibility of offering a safe escape route related to ventilation systems in the tunnel pieces. In this example it is assumed that the maximal capacity of the ventilation systems in the separate tunnel pieces is equal. In a calamity in tunnel piece 23 for example only an available capacity of 20% is required for the ventilation system in this tunnel piece in order to guarantee a safe escape route, while for example an available capacity of 80% is required of the opposing tunnel pieces 11-14. The capacities of the tunnel pieces 21, 22 and 24 are not relevant in this case. Indeed, in these tunnel pieces it is not necessary to switch on the ventilation for the calamity in tunnel piece 23. For a calamity in tunnel piece 23 the ventilation in tunnel pieces 11-14 this has a supportive function and as a result thereof it is one of the factors influencing the availability of the safe escape route in tunnel piece 23.

[0024] The example of Figs. 1 and 2 may be translated into a functional model as shown in Fig.3. At the highest level there is an indicator 100 for the total of objects comprising the railroad tunnel complex 1. For each railroad tunnel object 11-14, 21-24 an availability indicator 201-208 is defined. This offers the possibility to make a functional statement about the availability for each piece of the tunnel. Next, to each availability indicator is connected a functional group 301-308. There may be several groups for each availability indicator, but for this example we use only one function group of the type "mitigation".

[0025] To each function group an operational function 401-408 is connected. Examples of operational functions are the offer of a safe escape route, the supply of fire extinguishing water and the supply of current supply. Arbitrary other operational functions can be defined.

[0026] Function groups may be defined that are related for one or more systems with one or more operational functions. Examples of function groups related to operational safety are prevention, mitigation, ability to manage for oneself and assistance. This allows for charting the most important aspects related to operational safety. These function groups, also designated as "safeguard classes", are used in various legislational and legal rules, national and international. In European railroad applications a safeguard class is also called a "line-of-defense". It is possible to define other function groups.

[0027] The example of Figs. 1 and 2 can be translated to a physical model as shown in Fig.4. At the highest level there is an indicator 150 for the railroad tunnel complex 1. For each of the tunnel pieces 11-14, 21-24 a system entity 501-508 is defined, in this example for ventilation systems in the tunnel pieces. The ventilation systems 501-508 in this example comprise three components: a ventilator 601, a vibration sensor 602 and a switch 603. It is possible that various instances of each type are present.

[0028] A set of numerical rules connects the systems 501-508 from the physical model with the operational functions 401-408 in the functional model. The table below provides an example of numerical rules for the example of Figs. 1 and 2. The reference numerals in Figs. 1, 3 and 4 were used in the table. The first rule indicates that all systems (indicated by a wildcard) of the type "ventilation system" have a supporting relation (indicated by type "I") for the operational function "offering a safe escape path" regardless of the tunnel tube in which they are located (object = "*"). For this supporting relationship at least 8 out of 10 ventilators need to be available (the so-called boundary value) and no two adjacent ventilators are allowed to fail (defined under the heading correction as "1 out of 2"). Additionally operational relations (indicated by type "II") are defined that define for a specific system a boundary value of 2/10, thus minimally 2 out of 10 ventilators must be available, holds between the ventilation system indicated by 501-508 and the function "offering a safe escape route" indicated by 401-408.

Type	Object	Operational function	System	Boundary value	Correction
I	*	Offering a safe escape path	*	8/10	1 van 2
II	11	401	501	2/10
II	12	402	502	2/10
II	13	403	503	2/10
II	14	404	504	2/10
II	21	405	505	2/10
II	22	406	506	2/10
II	23	407	507	2/10
II	24	408	508	2/10

[0029] The boundary values and correction functions may be defined in an arbitrary different manner, for example in terms of a maximal number of components that is allowed to fail, as long as it is possible to determine when an operational function 401-408 drops out in case of failure of one or more components 601-603.

[0030] The numerical rules are used as boundary values in a numerical model in which the physical model is combined with the functional model. At the level of operational functions 401-408 and systems 501-508 the actual connections are made, based on the boundary value functions. On the basis of the numerical rules, the availability of an operational function for an object is determined.

[0031] Fig.5 shows a part of the numerical model related to ventilation system 501 in tunnel piece 11 and the relation between this ventilation system 501 and all operational functions 401-408. Boundary value function 701 defines for ventilation system 501, comprising the components 601-603, that maximally 2 out of 10 ventilators 601 are allowed to drop out for the sake of the operational safety 401 of tunnel piece 11. Boundary value function 702 also defines that a supportive function exists for ventilation system 401 in relation to the operational safety 402-408 of tunnel pieces 12-14 and 21-24, by defining that maximally 8 out of 10 ventilators are allowed to drop out in ventilation system 501 and in ventilation system 501 it is not allowed that two adjacent ventilators are allowed to fail. Not all ventilators 601 are shown in Fig.5.

[0032] The numerical model of Fig.5 may be simplified by not showing the systems. This has as an advantage that in the determination of the operational safety and/or availability a calculating step, being the calculation with respect to the system, is omitted. The simplified numerical model is shown in Fig.6, in which the shown elements correspond to the elements of Fig.5.

[0033] Fig.7 shows the complete numerical model for the tunnel pieces 11-14 and 21-24, including the interactions among the systems in the tunnel pieces. For each tunnel piece two boundary value functions 701, 702 to and including 715, 716 have been defined on the basis of the numerical rules in the previously shown table and analogous to the boundary value functions 701 and 702 related to tunnel piece 11. In order to illustrate the effect of dropout of ventilators, only ventilator components 601 are shown, in contrast to Fig.6. Also shown are the function groups 301-308 that indicate that mitigation is concerned and the availability indicators 201-208 are shown.

[0034] In the example of Fig.7, in tunnel piece 11 three ventilators have dropped out. This is indicated by a cross through three of the ventilator components 601. For the operational function 401 (offering an escape route in tunnel piece 11) this has no consequences, since according to boundary value function 701 at least 2 out of 10 ventilators must be operational. This rule is satisfied for tunnel piece 11. As a result of the drop out, it is no longer possible to provide a supportive function by ventilation system 11 to the other tunnel pieces 12-14 and 21-24, since according to boundary value function 702, at least 8 out of 10 ventilators must be operational in tunnel piece 11, which is not the case. It thus is no longer possible to satisfy the operational functions 402-408 (offering an escape route in tunnel pieces 12-14 and 21-24).

[0035] The correction function in the preceding example defines that it is not allowed that two adjacent ventilators fail. If this is the case, even when eight ventilators would still be operating, the operational function related to the boundary value function would obtain the status of not available. The invention is not limited to correction functions that determine that a minimal number of components must be available (or the equivalent thereof that a maximum number of components is allowed to drop out). Alternative correction functions may be defined, such as for example a dependency of a moment in time (certain parts of the day may for example be given a higher weight) or the duration of dropout of component (a short dropout for example need not result in dropout of the operational function).

[0036] The availability of a component 601, 602, 603 depends on the status of the component. The component status may originate from a computer system that registers the component status. The component status may also originate directly from the components. It is also possible that the component status is maintained manually and subsequently entered into the computer system, for example in case the status of a component is checked by an inspector during a visual inspection. A component typically has the status "available" or "not available".

[0037] As shown in the example of Fig.4, a component 601, 602, 603 belongs to a system 501-508, in which the system 501-508 possibly is constituted of one or more subsystems. It is possible that systems are defined such that a component belongs to several systems. A component is for example assigned a weighing factor that indicates the relative importance of the system or subsystem to which it belongs. Examples of components in a tunnel tube are section valve and main valve. Here the main valve will typically have a higher weighing factor that a section valve, because the results of dropout of a main valve are larger than of a section valve. A system or subsystem comprises one or more components. A system or subsystem has a maximal availability value "BW_max" that for example is determined by the addition of the weighing factor "C" of all underlying components "i": BW_max=sum(C_i) . A system or subsystem has an actual availability value "BW" that is for example determined by adding the weighing factors "C_B" of all available components "i": BW=sum(C_Bi) , in which BW<=BW_max. In a system comprising one or more components "j" and a subsystem having components "k", the availability value "BW" is for example determined as follows: BW=sum(C_Bj)+sum(C_Bk), or if the availability value of the subsystem "BW_subsystem" is known: BW=sum(C_Bj)+BW_subsystem. A weighing factor may also be assigned to the subsystem. If for example the weighing factor "D" is assigned to the subsystem, the availability value is for example determined as follows: BW=sum(C_Bj)+D*BW_subsystem. This example may be extended by applying a weighing factor "W" to the components directly belonging to the system: BW=W*sum(C_Bj)+D*BW_subsystem. The aforementioned examples are not limiting, other ways may be applied to calculate the availability of a system on the basis of the availability of components and subsystems.

[0038] It is possible that in the calculation of the actual availability value additional rules must be taken into account. These rules are automatically translated into correction functions.

[0039] A subsystem may have been assigned to more than one dominating systems. For each system, a weighing factor may have been registered in order to indicate how large the contribution of the specific subsystem is to that system. An example of a subsystem is a sprinkler system. Suppose the sprinkler system comprises 100 section valves, each having a weighing factor 1. A special correction function tells that no 2 subsequent section valves are allowed to have the status "not available". If this is the case, an additional subtraction of T=5 is made. This conditional subtraction is the correction function. If two adjacent section valves have the status "not available", then in this example the availability value is: BW_subsystem=sum(C_Bk)-T=98-5=93. The system thus has an availability value of 93, which may possibly translate to a relative availability of 93/100=93%.

[0040] It is possible that an operational function has a dependency with one or more other operational functions. The dropout of an operational function may in that case lead to the dropout of another operational function.

[0041] The availability of an operational function depends on the boundary value functions and underlying systems. For the operational function a value may be calculated, for example the Value Available (A) or Not-Available (NA).

[0042] At various levels means may be provided for the generation of an output signal based on the calculated or derived status. For instance, the status of an operational function, a function group, an object or complex of objects may be presented or stored.

[0043] In the example of the tunnel for railroad traffic, the safety status of a tunnel part may for instance be translated to the values GREEN, YELLOW or RED. These selected values should not be construed as limitative for the invention. The number of possible values and the possible values themselves may be determined for each safety system. For example, only the values green and red could be possible or other colors could be used as values. It is also possible that the operational safety is expressed in different values than colors, for example as numerical value, as value in the collection {high, low}, as value in the collection {good, average, bad}, as value in the collection {safe, unsafe}, and etcetera.

[0044] The safety system for determining the operational safety and/or availability of the object comprises a number of components. Fig.8 shows an example of a safety system 30 comprising a memory 31, a component analyzer 32 and a function analyzer 33. The memory 31 may be realized as a database.

[0045] The safety system may be used for the generation of maintenance advice. Because the safety system may determine which component defects are the most critical, i.e. have the highest impact to the operational safety and/or availability of objects, a prioritized list of objects to be repaired may be generated.

[0046] The safety system may be used for the execution of simulations in which for example disaster scenarios are tested. The simulations may utilize historical data from for example log files of the component analyzer and/or the function analyzer. It is possible that simulated availability values of components are used.

Claims

1. A safety system (30) for determining an operational safety and/or availability of a civil object (11-14,21-24), wherein the object (11-24,21-24) comprises several systems (501-508) each comprising a number of components (601-603), the safety system comprising:

a memory (31) arranged for the storage of operational functions (401-408) and boundary value functions (701-716),
wherein each operational function (401-408) is related to one or more boundary value functions (701-716),
and wherein the boundary value functions (701-716) define a minimal availability of the components (601-603) for the operational functions (401-408);

a component analyzer (32) arranged for the determination of availability values of the components (601-603); and

a function analyzer (33) connected to the component analyzer (32) and the memory (31) and arranged for the calculation of an availability of at least one of the operational functions (401-408) based on a boundary value function (701-716) and the availability values of the components (601-603) that are related to the boundary value function (701-716),
and wherein the calculated availability of the operational functions (401-408) are an indication of the operational safety and/or availability of the civil object (11-14,21-24).

2. The safety system according to claim 1, wherein:

two or more boundary values (701-716) are related to the components (601-603) of a single system (501-508); and

wherein the two or more boundary value functions (701-716) are related to two or more operational functions (401-408) related to the components (601-603) of different systems (501-508).

3. The safety system (30) according to one of the preceding claims, wherein the boundary value function (701-716) comprises a correction function with rules related to one or more components (601-603).

4. The safety system (30) according to one of the preceding claims, wherein the boundary value function for one or more components (601-603) defines a weighing factor for influencing the availability value of the respective components (601-603).

5. The safety system (30) according to one of the preceding claims, wherein a first boundary value function (701-716) is related to a second boundary value function (701-716) and wherein the first boundary value function (701-716) defines a dependency of the second boundary value function (701-716).

6. The safety system (30) according to one of the preceding claims, wherein the memory (31) further is arranged for the storage of one or more function groups (301-308) that are related to one or more operational functions (401-408).

7. The safety system according to one of the preceding claims, further comprising means for generating an output signal comprising an indication of the operational safety of the object (11-14,21-24) or an indication of the availability of the operational function (401-408) based on the calculated availability of the operational functions.

8. The safety system according to one of the preceding claims, further comprising a simulation module for the execution of simulations based on historical data of the component analyzer and/or the function analyzer and/or based on simulated availability values of components.

9. A method for determining an operational safety and/or availability of a civil object (11-14,21-24), wherein the object (11-14,21-24) comprises several systems (501-508) each comprising a number of components (601-603), the method comprising:

retrieving, from a memory (31), of operational functions (401-408) and boundary value functions (701-716),
wherein each operational function (401-408) is related to one or a more boundary value functions (701-716),
and wherein the boundary value functions (701-716) define a minimal availability of the components (601-603) for the operational functions (401-408);

determining with a component analyzer (32) of the availability values of the components (601-603); and

calculating with a function analyzer (33) of an availability of at least one of the operational functions (401-408) based on a boundary value function (701-716) and the availability values of the components (601-603) that are related to the boundary value function (701-716),
and wherein the calculated availability of the operational functions (401-408) are an indication of the operational safety and/or availability of the civil object (11-14,21-24).

10. The method according to claim 9, wherein:

two or more boundary value functions (701-716) are related to the components (601-603) of a single system (501-508); and

wherein the two or more boundary value functions (701-716) are related to two or more operational functions (401-408) related to the components (601-603) of different systems (501-508).

11. The method according to one of the claims 9-10, wherein the boundary value function (701-716) comprises a correction function with rules related to one or more components (601-603).

12. The method according to one of the claims 9-11, wherein the boundary value function for one or more components (601-603) defines a weighing factor for influencing the availability value of the respective components (601-603).

13. The method according to one of the claims 9-12, wherein a first boundary value function (701-716) is related to a second boundary value function (701-716) and wherein the first boundary value function (701-716) defines a dependency of the second boundary value function.

14. The method according to one of the claims 9-13, further comprising storing in the memory (31) of one or more function groups (301-308) that are related to one or more operational functions (401-408).

15. The method according to one of the claims 9-14, further comprising generating of an output signal comprising an indication of the operational safety of the object (11-14, 21-24) or an indication of the availability of the operational function (401-408) based on the calculated availability of the operational functions.

16. The method according to one of the claims 9-15, further comprising executing with a simulation module of simulations based on historical data of the component analyzer and/or the function analyzer and/or based on simulated availability values of components.

17. A computer program product for the determination of an operational safety and/or availability of a civil object (11-14, 21-24), comprising computer code parts which, when being executed by a processor, are arranged for executing the method according to one of the claims 9-16.

Drawing