
Page 1: WP 4 - D4.2 Analysis of Safety Requirements for MODSafe ... · V1.0 13.August 2010 WP 4 New document V1.1 10.December 2010 WP 4 and external experts (VDV) Consideration of comments

European Commission

Seventh Framework programme

MODSafe Modular Urban Transport Safety and Security Analysis

WP 4 - D4.2

Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions


Doc name : Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions ID : DEL_D4.2_UITP_WP4_110121_V2.0 Revision: WP4 partners

Public 06/01/2011

2 of 120

Reviewed by: WP 4 partners

Authors: WP 4 (support by VDV)

Document ID: DEL_D4.2_UITP_WP4_110121_V2.0

Date: 21.January 2011

Contract No: 218606


Contract No: 218606

Document type: DEL

Version: V2.0

Status: Final

Date: 21.January 2011

WP: WP 4

Lead Author: WP 4

Contributors: WP 4 and external experts (VDV)

Description: Analysis of safety requirements of MODSafe continuous safety measures and functions

Document ID: DEL_D4.2_UITP_WP4_110121_V2.0

Dissemination level: PU

Distribution: MODSafe consortium

Document History:

Version Date Author Modification

V1.0 13.August 2010 WP 4 New document

V1.1 10.December 2010 WP 4 and external experts (VDV) Consideration of comments from LUL, RATP, VDV, Ansaldo, AREVA

V2.0 21.January 2011 WP 4 Consideration of comments from R&B, RATP, Ansaldo, Bombardier

Approval:

Authority Name/Partner Date

WP responsible UITP (WP4 consensus of V1.1) 10/12/2010

EB members RATP (WP10 consensus of V2.0) 24/01/2011

Coordinator TRIT 25/01/2011


Table of contents

1  Summary of the document ................................................................................................. 12 

2  Bibliography ........................................................................................................................ 13 

3  Terms and abbreviations .................................................................................................... 14 

3.1  Terms .................................................................................................................................... 14 

3.2  Abbreviations ......................................................................................................................... 16 

4  System lifecycle and safety requirements ....................................................................... 18 

5  Process for allocation of safety requirements ................................................................. 20 

5.1  Description of the semi-quantitative MODURBAN process .................................................. 20 

5.1.1  Risk parameter used in the method ...................................................................................... 20 

5.1.2  Numerical interpretation of risk parameter ........................................................................... 21 

5.1.3  Application of the method ..................................................................................................... 23 

5.2  Description of the risk graph based method ......................................................................... 24 

6  Mode of operation and grade of automation .................................................................... 26 

6.1  Definition of mode of operation ............................................................................................. 26 

6.2  Grade of automation ............................................................................................................. 28 

6.2.1  Grade of automation 0 (GOA0): On-sight train operation ..................................................... 28 

6.2.2  Grade of automation 1 (GOA1): Non-automated train operation ......................................... 28 

6.2.3  Grade of automation 2 (GOA2): Semi-automated train operation ........................................ 31 

6.2.4  Grade of automation 3 (GOA3): Driverless train operation .................................................. 32 

6.2.5  Grade of automation 4 (GOA4): Unattended train operation ................................................ 33 

7  Functions to be analysed ................................................................................................... 33 

7.1  Principle structure of basic functions for train operation ....................................................... 33 

7.2  List of MODSafe safety functions .......................................................................................... 35 

7.2.1  Ensure safe movement of trains ........................................................................................... 37 

7.2.1.1  Ensure safe route .................................................................................................................. 37 

7.2.1.2  Ensure safe separation of trains ........................................................................................... 38 

7.2.1.3  Determine permitted speed ................................................................................................... 38 

7.2.1.4  Authorise train movement ..................................................................................................... 39 

7.2.1.5  Supervise train movement .................................................................................................... 40 

7.2.2  Provide interface with external interlocking .......................................................................... 41 


7.2.3  Supervise guideway .............................................................................................................. 41 

7.2.3.1  Prevent collision with obstacles ............................................................................................ 41 

7.2.3.2  Prevent collision with persons on tracks ............................................................................... 41 

7.2.4  Protect staff on track ............................................................................................................. 42 

7.2.5  Supervise passenger transfer ............................................................................................... 42 

7.2.5.1  Control passenger doors ....................................................................................................... 42 

7.2.5.2  Prevent person injuries between platform and train ............................................................. 43 

7.2.5.3  Prevent person injuries between train cars ........................................................................... 43 

7.2.5.4  Ensure safe starting conditions ............................................................................................. 44 

7.2.6  Operate a train ...................................................................................................................... 44 

7.2.6.1  Put in or take out of operation ............................................................................................... 44 

7.2.6.2  Manage driving modes .......................................................................................................... 44 

7.2.6.3  Manage movement of trains between two operational stops ................................................ 45 

7.2.6.4  Manage depot and stabling areas ......................................................................................... 45 

7.2.6.5  Manage UGTMS transition areas ......................................................................................... 45 

7.2.6.6  Restrict train entry to station ................................................................................................. 45 

7.2.6.7  Manage the platform or siding stopping position of the train ................................................ 46 

7.2.6.8  Change the travel direction ................................................................................................... 46 

7.2.6.9  Couple and split a train ......................................................................................................... 46 

7.2.6.10  Supervise the status of the train ........................................................................................... 47 

7.2.7  Ensure detection and management of emergency situations .............................................. 48 

8  Allocation of safety integrity requirements ...................................................................... 49 

9  Overview of results ............................................................................................................. 53 

9.1  Table of safety requirements for MODSafe safety functions ................................................ 53 

9.2  Conclusion ............................................................................................................................. 60 

10  Annex – Allocation of safety requirements to MODSafe safety functions .................... 61 

10.1  Ensure safe movement of trains ........................................................................................... 61 

10.1.1  Ensure safe route ................................................................................................................. 61 

10.1.1.1  Check route availability ......................................................................................................... 62 

10.1.1.2  Set route ................................................................................................................................ 63 

10.1.1.3  Supervise route ..................................................................................................................... 65 

10.1.1.4  Supervise level crossing as secured ..................................................................................... 66 

10.1.1.5  Lock route ............................................................................................................................. 67 


10.1.1.6  Release route ........................................................................................................................ 68 

10.1.2  Ensure safe separation of trains ........................................................................................... 69 

10.1.2.1  Initialise UGTMS reporting trains location ............................................................................. 69 

10.1.2.2  Determine train orientation .................................................................................................... 71 

10.1.2.3  Determine actual train travel direction .................................................................................. 72 

10.1.2.4  Determine train location ........................................................................................................ 73 

10.1.2.5  Locate non reporting trains by track sections ....................................................................... 75 

10.1.3  Determine permitted speed .................................................................................................. 76 

10.1.3.1  Determine static speed profile .............................................................................................. 76 

10.1.3.2  Determine temporary infrastructure speed restrictions ......................................................... 78 

10.1.3.3  Determine permanent rolling stock speed restrictions .......................................................... 79 

10.1.3.4  Determine temporary rolling stock speed restrictions ........................................................... 80 

10.1.4  Authorise train movement ..................................................................................................... 80 

10.1.4.1  Determine movement authority limit ..................................................................................... 80 

10.1.4.2  Determine train protection profile .......................................................................................... 82 

10.1.4.3  Authorise train movement by wayside signals ...................................................................... 85 

10.1.4.4  Determine a zone of protection ............................................................................................. 88 

10.1.4.5  Stopping a train en route ....................................................................................................... 89 

10.1.4.6  Authorise the entry of non-operative UGTMS trains into UGTMS territory ........................... 89 

10.1.5  Supervise train movement .................................................................................................... 90 

10.1.5.1  Determine actual train speed ................................................................................................ 90 

10.1.5.2  Supervise safe train speed ................................................................................................... 92 

10.1.5.3  Inhibit train stops ................................................................................................................... 94 

10.1.5.4  Monitor speed limit at discrete location ................................................................................. 95 

10.1.5.5  Supervise train rollaway ........................................................................................................ 96 

10.1.5.6  Immobilisation of train ........................................................................................................... 96 

10.1.5.7  Detect unauthorised movement of non-operative trains ....................................................... 96 

10.1.5.8  React to unauthorised movement of non-operative trains .................................................... 97 

10.1.5.9  Detect intruding unequipped train ......................................................................................... 98 

10.1.6  Provide interface with external interlocking .......................................................................... 98 

10.2  Drive train .............................................................................................................................. 99 

10.3  Supervise guideway .............................................................................................................. 99 

10.3.1  Prevent collision with obstacles ............................................................................................ 99 


10.3.1.1  Supervise wayside obstacle detection device....................................................................... 99 

10.3.1.2  Supervise onboard obstacle detection device ...................................................................... 99 

10.3.2  Prevent collision with persons on tracks ............................................................................... 99 

10.3.2.1  Warn passengers to stay away from the platform edge ....................................................... 99 

10.3.2.2  React on emergency stop request from platforms ................................................................ 99 

10.3.2.3  Supervise platform doors .................................................................................................... 100 

10.3.2.4  Supervise platform tracks.................................................................................................... 102 

10.3.2.5  Supervise border between platform tracks and other tracks .............................................. 102 

10.3.2.6  Supervise platform end doors ............................................................................................. 102 

10.3.3  Protect staff on track ........................................................................................................... 103 

10.3.3.1  Protect staff on track ........................................................................................................... 103 

10.4  Supervise passenger transfer ............................................................................................. 104 

10.4.1  Control passenger doors .................................................................................................... 104 

10.4.1.1  Authorise train doors opening ............................................................................................. 104 

10.4.1.2  Command doors opening .................................................................................................... 107 

10.4.1.3  Request doors closing ......................................................................................................... 107 

10.4.1.4  Supervise doors closing ...................................................................................................... 107 

10.4.1.5  Supervise closed and locked status of train doors ............................................................. 108 

10.4.2  Prevent person injuries between platform and train ........................................................... 109 

10.4.2.1  Prevent person injuries between platform and train ........................................................... 109 

10.4.2.2  Prevent person being trapped between platform screen doors and train ........................... 110 

10.4.3  Prevent person injuries between train cars ........................................................................ 111 

10.4.3.1  Prevent person injuries between train cars ......................................................................... 111 

10.4.4  Ensure safe starting conditions ........................................................................................... 111 

10.4.4.1  Authorise station departure (safety related conditions) ...................................................... 111 

10.4.4.2  Authorise station departure (operational conditions) .......................................................... 111 

10.4.4.3  Command station departure ............................................................................................... 111 

10.5  Operate a train .................................................................................................................... 111 

10.5.1  Put in or take out of operation ............................................................................................. 111 

10.5.1.1  Awake trains ........................................................................................................................ 111 

10.5.1.2  Set train to sleep ................................................................................................................. 111 

10.5.2  Manage driving modes ....................................................................................................... 112 

10.5.3  Manage movement of trains between two operational stops ............................................. 112 


10.5.4  Manage depots and stabling areas .................................................................................... 112 

10.5.5  Manage UGTMS transition area ......................................................................................... 112 

10.5.6  Restrict train entry to station ............................................................................................... 112 

10.5.7  Manage the platform or siding stopping position of the train .............................................. 112 

10.5.8  Change the travel direction ................................................................................................. 112 

10.5.9  Couple and split a train ....................................................................................................... 112 

10.5.9.1  Couple trains automatically ................................................................................................. 112 

10.5.9.2  Split trains – untimely uncoupling protection ...................................................................... 113 

10.5.10  Supervise the status of the train ......................................................................................... 113 

10.5.10.1 Supervise UGTMS onboard equipment status prior to entering service ............................ 113 

10.5.10.2 Supervise UGTMS onboard equipment status during operation ........................................ 115 

10.5.10.3 Test emergency braking performance ................................................................................ 116 

10.5.10.4 React to detected train equipment failure ........................................................................... 117 

10.5.10.5 Manage traction power supply on train ............................................................................... 117 

10.6  Ensure detection and management of emergency situations ............................................. 117 

10.6.1  Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations ............................................................................................................................. 117 

10.6.1.1  Detect fire and smoke ......................................................................................................... 117 

10.6.1.2  React to detected fire/smoke .............................................................................................. 117 

10.6.1.3  React to detected or suspected broken rail ........................................................................ 117 

10.6.1.4  Monitor emergency calls ..................................................................................................... 117 

10.6.1.5  React to passenger alarm device activation ....................................................................... 118 

10.6.1.6  React to emergency release of train doors ......................................................................... 118 

10.6.1.7  Detect loss of train integrity ................................................................................................. 118 

10.6.1.8  React to loss of train integrity .............................................................................................. 118 

10.6.1.9  Detect derailment ................................................................................................................ 118 

10.6.1.10 Trigger emergency brake .................................................................................................... 119 


List of figures

Figure 1 – Safety functions in system lifecycle and MODSafe .............................................................. 19 

Figure 2 – General procedure of the method for SIL allocation ............................................................ 23 

Figure 3 – Risk graph according to VDV 331 ........................................................................................ 25 

Figure 4 – State diagram for continuous and high demand mode of operation .................................... 27 

Figure 5 – GOA0 On-sight train operation ............................................................................................. 28 

Figure 6 – GOA1 Train stops and wayside signals and fixed block system ......................................... 29 

Figure 7 – GOA1 Semi continuous speed supervision and fixed block systems with wayside signals 30 

Figure 8 – GOA1 Continuous speed supervision with cab signals ....................................................... 30 

Figure 9 – GOA1 Continuous supervision of speed by system and wayside signals ........................... 31 

Figure 10 – Responsibility of operations staff in GOA2 ........................................................................ 32 

Figure 11 – Responsibility of operations staff in GOA3 ........................................................................ 32 

Figure 12 – Responsibility of operations staff in GOA4 ........................................................................ 33 

Figure 13 – General procedure of the elaboration of the list of MODSafe safety functions .................. 36 


List of tables

Table 1 – Frequency-consequence matrix or risk matrix ...................................................................... 20 

Table 2 – THR/SIL table according to EN 50129 .................................................................................. 23 

Table 3 – Risk reduction and SIL (example from IEC 61508 and used in VDV 331) ............................ 25 

Table 4 – Grades of automation according to IEC 62290-1 .................................................................. 35 

Table 5 – Application table – description of risk analysis parameter .................................................... 50 

Table 6 – Example Application: Determine actual train speed .............................................................. 52 

Table 7 – List of safety requirements for MODSafe safety functions .................................................... 53 

Table 8 – RA Check route availability for GOA1 to GOA4 .................................................................... 62 

Table 9 – RA Set route for GOA0 .......................................................................................................... 63 

Table 10 – RA Set route for GOA1 to GOA4 ......................................................................................... 64 

Table 11 – RA Supervise route for GOA1 to GOA4 .............................................................................. 65 

Table 12 – RA Supervise level crossing as secured for GOA1 and GOA2 .......................................... 66 

Table 13 – RA Lock route for GOA1 to GOA4 ...................................................................................... 67 

Table 14 – RA Release route for GOA1 to GOA4 ................................................................................. 68 

Table 15 – RA Initialise UGTMS reporting trains location for GOA1 to GOA4 ..................................... 70 

Table 16 – RA Determine train orientation for GOA1 to GOA4 ............................................................. 71 

Table 17 – RA Determine actual train travel direction for GOA1 to GOA4 ........................................... 72 

Table 18 – RA Determine train location for GOA1 (with wayside signals) ............................................ 73 

Table 19 – RA Determine train location for GOA1 to GOA4 (without wayside signals) ........................ 74 

Table 20 – RA Locate non reporting trains by track sections for GOA1 to GOA4 ................................ 75 

Table 21 – RA Determine static speed profile for GOA1 (with wayside signals) .................................. 76 

Table 22 – RA Determine static speed profile for GOA1 to GOA4 (without wayside signals) .............. 77 

Table 23 – RA Determine permanent rolling stock speed restrictions for GOA1 to GOA4 ................... 79 

Table 24 – RA Determine movement authority limit for GOA1 (with wayside signals) ......................... 81 

Table 25 – RA Determine movement authority limit for GOA1 to GOA4 (without wayside signals) ..... 82 

Table 26 – RA Determine train protection profile for GOA1 (with wayside signals) .............................. 83 

Table 27 – RA Determine train protection profile for GOA1 to GOA4 (without wayside signals) ......... 83 

Table 28 – RA Authorise train movement by wayside signals for GOA0 (single track operation) ........ 86 

Table 29 – RA Indicate position of switches for GOA0 (signal for switch control) ................................ 87 

Table 30 – RA Authorise train movement by wayside signals for GOA1 (for GOA2 to GOA4 also for mixed operation) .................................................................................................................................... 88 


Table 31 – RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA4 ..... 89

Table 32 – RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed) ..... 90

Table 33 – RA Determine actual train speed for all GOA1 to GOA4 (without wayside signals) ..... 91

Table 34 – RA Supervise safe train speed for GOA1 (with wayside signals) ..... 92

Table 35 – RA Supervise safe train speed for GOA1 to GOA4 (without wayside signals) ..... 93

Table 36 – RA Inhibit train stops for GOA1 to GOA4 ..... 94

Table 37 – RA Monitor speed limit at discrete location for GOA1 ..... 95

Table 38 – RA Supervise train rollaway for GOA1 to GOA4 ..... 96

Table 39 – RA React to unauthorised movement of non-operative trains for GOA1 to GOA4 ..... 97

Table 40 – RA Provide interface with external interlocking for GOA1 to GOA4 ..... 98

Table 41 – RA Supervise platform doors for GOA1 and GOA2 ..... 100

Table 42 – RA Supervise platform doors for GOA3 and GOA4 ..... 101

Table 43 – RA Protect staff on track for GOA1 to GOA4 ..... 103

Table 44 – RA Authorise train doors opening for GOA1 to GOA4 (on passenger request) ..... 105

Table 45 – RA Authorise train doors opening for GOA1 to GOA4 (automatically) ..... 106

Table 46 – RA Supervise closed and locked status of train doors for GOA1 to GOA4 ..... 108

Table 47 – RA Prevent person injuries between platform and train for GOA1 to GOA4 ..... 109

Table 48 – RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA4 ..... 110

Table 49 – RA Supervise UGTMS onboard equipment status prior to entering service for GOA1 to GOA4 ..... 114

Table 50 – RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA4 ..... 115

Table 51 – RA Test emergency braking performance for GOA1 to GOA4 ..... 116

Table 52 – RA Trigger emergency brake for GOA1 and GOA2 ..... 119

Table 53 – RA Trigger emergency brake for GOA3 and GOA4 ..... 120


1 Summary of the document

This deliverable summarises the results of the process of allocating safety requirements to MODSafe safety functions. To this end, the allocation method and the MODSafe safety functions are introduced. The allocation method is the one recommended in MODSafe deliverable 4.1 [13]; the MODSafe safety functions are mainly taken from the international standard IEC 62290-2 [10]. All MODSafe safety functions are subjected to a safety and risk consideration in order to estimate appropriate safety integrity requirements. The allocated results are intended to represent potential generic values for safety integrity requirements, depending on the operational context.

The deliverable is structured as follows. First, the method for safety requirement allocation and its application conditions are explained (clauses 5 and 6). Second, the MODSafe safety functions are introduced (clause 7). An example application and the results of the process can be found in clauses 8 and 9. Detailed protocols of the allocation of safety requirements are given in the annex.

The scope of MODSafe is the urban guided transport sector in Europe, covering metros, trams and other light rail systems at different grades of automation. These grades of automation range from “driving on sight” up to “unattended train operation”. This deliverable mainly covers safety functions for system applications of UGTMS (e.g. CBTC), for which the functional requirements are specified by IEC 62290-2 [10] and IEC 62267 [8] and for which the results of MODURBAN have been taken into account; it includes additional safety functions for system applications designated for “train operation on sight” (GOA0). This deliverable is written for MODSafe project partners and European transport authorities, i.e. operators of urban guided transport systems.

The focus of this document is on safety functions and measures from the signalling domain specified for UGTMS; however, where safety integrity requirements can be assumed to be independent of a UGTMS application, specific information is provided for use by other systems. This deliverable does not specify risk analyses for a specific application with a certain combination of safeguards or safety functions. For that reason all safety functions are treated independently of the “Mandatory” and “Optional” classification provided by IEC 62290-2, so that a user who chooses a function or a safeguard for an application can rely on the safety integrity requirement determined for it. Nonetheless, the described safety requirement allocation scheme may also be applied to areas other than signalling, e.g. interfaces between signalling equipment and vehicle equipment, or other safety functions in general. It is therefore not necessary to deal with other domains in detail.

This deliverable deals with safety requirements and is not applicable to security aspects. An analysis of security is covered in MODSafe WP 8 and WP 9 and the corresponding deliverables.

Note: The title of this document has been changed. In the MODSafe description of work, deliverable 4.2 was originally called: “Analysis of common safety requirements allocation for MODSafe continuous safety measures and functions”. The alteration was made because safety requirements for MODSafe safety functions are not assumed to be common (in the sense of the Common Safety Methods/Targets issued by the European Railway Agency). These safety requirements should rather be understood as recommendations for the respective urban guided rail systems.


2 Bibliography

[1] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: “EN 50126 Railway applications – The specification and demonstration of reliability, availability, maintainability and safety (RAMS)”, CENELEC 1999

[2] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: “CLC/TR 50126-2 Railway applications – The specification and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the application of EN 50126 for safety”, CENELEC 2006

[3] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: “EN 50129 Railway application – communication, signalling and processing systems – safety related electronic systems for signalling”, CENELEC 2003

[4] EUROPEAN UNION: “Commission Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety method on risk evaluation and assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the European Parliament and of the Council”, Official Journal of the European Union L108/4 – 29.04.2009

[5] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 61508-2 Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems“, IEC 2010

[6] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 61508-4 Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 4: Definitions and abbreviations“, IEC 2010

[7] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 61508-5 Ed. 2.0: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems - Part 5: Examples of methods for the determination of safety integrity levels“, IEC 2010

[8] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 62267 Railway Applications - Automated Urban Guided Transport (AUGT) - Safety Requirements”, IEC 2006 Note: IEC 62267 is a European standard.

[9] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 62290-1 Railway applications - Urban guided transport management and command/control systems (UGTMS) - Part 1 System principles and fundamental concepts”, IEC 2009 Note: IEC 62290 is a draft European standard (prEN).

[10] INTERNATIONAL ELECTROTECHNICAL COMMISSION: “IEC 62290-2 Railway applications - Urban guided transport management and command/control systems (UGTMS) - Part 2 Functional requirement specification”, IEC 2010 Note 1: For the compilation of MODSafe deliverable 4.2 the CDV (committee draft for vote) of IEC 62290-2 was available only. Note 2: IEC 62290 is a draft European standard (prEN).

[11] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: “Deliverable 2.1 First list of hazards, preliminary hazard analysis”, MODSafe WP2 2009

[12] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: “Deliverable 2.2 Consistency analysis and final hazard analysis“, MODSafe WP2 2010

[13] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: “Deliverable 4.1 – State of the art analysis and review of results from previous projects”, MODSafe WP4 2010

[14] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: “Deliverable 4.3 – Analysis of on demand functions and systematic failures”, MODSafe WP4 (not yet published, planned 2011)


[15] MODULAR URBAN GUIDED RAIL SYSTEMS: “D80 – Comprehensive operational, functional and performance requirements”, MODURBAN – MODSYSTEM WP21 2009

[16] MODULAR URBAN GUIDED RAIL SYSTEMS: “D86 – Safety conceptual approach for functional and technical prescriptions“, MODURBAN – MODSYSTEM WP23 2006

[17] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: “VDV Schriften 161-Teil 2 – Sicherheitstechnische Anforderungen an die elektrische Ausrüstung von Stadt- und U-Bahn-Fahrzeugen“, VDV 2009

[18] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: “VDV Schriften 331 – Sicherheitsintegritäts-anforderungen für Signal- und Zugsicherungsanlagen gemäß BOStrab“, VDV 2007

[19] VOM HÖVEL, RÜDIGER; BRABAND, JENS; SCHÄBE, HENDRIK: “The probability of failure on demand – the why and the how”, Proceedings of the International Conference on Computer Safety, Reliability and Security SafeComp 2009

3 Terms and abbreviations

3.1 Terms

Term – Definition (Reference)

Accident – An accident is an unintended event or series of events that results in death, injury, loss of a system or service, or environmental damage. (EN 50129)

Danger point – The location after the end of movement authority beyond which the front of the train may not pass without creating a hazardous situation. (MODURBAN)

Driving mode – A driving mode describes how a train should be driven in a defined situation and can be performed either by an acting driver or automatically. (UGTMS)

Emergency braking – Brake or combination of brakes which ensures that the train will stop with the brake rate agreed between authority having jurisdiction, transport authority and train manufacturer. (IEC 62290-2)

Grade of automation – Automation level of train operation, in which Urban Guided Transport (UGT) can be operated, resulting from sharing responsibility for given basic functions of train operation between operations staff and system. (IEC 62290-1)

Hazard – A condition that could lead to an accident. (EN 50129)

Mode of operation – Way in which a safety function operates, which may be either low demand mode, high demand mode or continuous mode. Note 1: Definition is based on IEC 61508 part 4. Note 2: A more detailed definition will be given in MODSafe deliverable 4.3, depending on the definition of the concept of “low demand”. (For more information refer to sub-clause 6.1)

Movement authority – Permission for a train to run, within the constraints of the infrastructure, up to a specific location. (IEC 62290-2)

Non-operative UGTMS trains – Non-UGTMS-equipped trains and trains with inoperative UGTMS equipment. (IEC 62290-2)

Operation control centre – Centre from which operation of the line or the network is supervised and managed. (IEC 62290-1)

Reporting train – UGTMS-equipped train able to report its location and other relevant information. (IEC 62290-2)

Risk – The rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm. (CLC/TR 50126-2)

Safety – Freedom from unacceptable level of risk of harm. (EN 50129)

Safety function – Function to be implemented by an E/E/PE safety-related system or other risk reduction measures that is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event. (IEC 61508-4)

Safety integrity – The ability of a safety-related system to achieve its required safety functions under all the stated conditions within a stated operational environment and within a stated period of time. (EN 50129)

Safety integrity level – A number which indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures. (EN 50129)

Safety measure – A set of actions either reducing the rate of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk. (Commission Regulation (EC) No 352/2009)

Tolerable hazard rate – Rate of occurrence of a hazard that would result in an acceptable level of risk for that hazard (normally judged acceptable by a recognised body, e.g. railway authority or railway support industry, in consultation with the safety regulatory authority, or recognised by the safety regulatory authority itself). (CLC/TR 50126-2)

Transport authority – Entity which is responsible for safe and orderly operation of a transport system. (IEC 62267, IEC 62290-1)

Urban guided transport – Urban Guided Transport (UGT) is defined as a public transportation system in an urban environment with self-propelled vehicles operated on a guideway. (MODURBAN)

Urban guided transport system operator – The urban guided transport system operator (UGTSO) is an entity which is responsible for safe and orderly operation of an urban guided transport system. (Note: For safety aspects the term “UGTSO” is equivalent to the term “railway authority” as used in EN 50126.) (MODSafe)

Zone of protection – A zone where no train is allowed to run as a response to various kinds of incidents. (IEC 62290-2)

3.2 Abbreviations

Abbreviation Definition

A Frequency of, and exposure time in, the hazardous zone

ATO Automatic train operation

ATS Automatic train supervision

C Consequence reduction probability

CBTC Communication-based train control

CENELEC Comité Européen de Normalisation Électrotechnique (European Committee for Electrotechnical Standardisation)

D Deliverable

E Exposure probability to hazard

E/E/PE Electrical/electronic/programmable electronic

EN European standard

EUC Equipment under control

G Possibility of failing to avoid the hazardous event

GOA Grade of automation

HMI Human machine interface

IEC International electrotechnical commission

MA Movement authority

MODSafe Modular urban transport safety and security analysis

MODURBAN Modular urban guided rail systems

Nr Number

OCC Operations control centre

P Accident probability reduction

prEN Draft European standard

RA Risk analysis

RAMS Reliability, availability, maintainability, safety

S Consequences of hazardous events

SIL Safety integrity level

SL Severity level

SPAD Signal passed at danger

STO Semi-automated train operation

TFM Target failure measure

THR Tolerable hazard rate

THRi Initial THR

TPP Train protection profile

UGTMS Urban guided transport management and command/control systems

VDV Verband Deutscher Verkehrsunternehmen (Association of German public transport undertakings)

W Probability of the unwanted occurrence

WP Work package


4 System lifecycle and safety requirements

This deliverable has to be read in the light of the European standard EN 50126, which requires a system lifecycle for railway applications. Within this lifecycle the determination of safety requirements must be performed in the first four phases, which are mainly under the responsibility of the transport authority. Phase four, called “system requirements”, is of special interest in this context. Alongside other tasks, the recommended safety-related tasks are:

• Specify system safety requirements (overall)

• Define safety acceptance criteria (overall)

• Define safety related functional requirements

• Establish safety management

The third point is based on the risk analysis to be performed in phase 3, which is within the scope of this deliverable. In particular, EN 50126 states:

The RAMS requirements, for the system under consideration, shall include:

• [..]

• Functional requirements and supporting performance requirements, including safety functional requirements and safety integrity requirements for each safety function [1].

The operator (i.e. railway authority) is responsible for determining the SIL for the system according to the prevailing operational and local circumstances.

Therefore, this deliverable shall:

• Introduce the MODSafe safety functions

• Allocate safety requirements to the MODSafe safety functions

Safety requirements for the MODSafe safety functions depend on the risk associated with the functions. It is assumed that hazardous situations and the associated risk may arise from functional failures of the safety functions that were intended to control the hazardous situation in the first place. Availability aspects are not considered. An undetected termination or insufficient performance of the tasks provided by the safety function is considered safety relevant.

Basic functions for train operation are functions such as “ensure safe route” or “supervise passenger transfer”. Many functions rely on external devices providing inputs (e.g. switch, emergency stop handle) and provide outputs to external devices (e.g. switch, platform screen door). Each function is realised by realisation entities (e.g. objects, staff, etc.) and is intended to be implemented in an E/E/PE safety-related system or subsystem. In the subsequent lifecycle phase five, which is not in the scope of this deliverable, system requirements including safety requirements are assigned to the system architecture and used for the design of systems, sub-systems, components and external devices. For that reason, the safety integrity requirements for a function, taking into account its interfaces to other functions or external devices, shall be determined in a generic way that allows their use for different system approaches. The assignment to the architecture is the task of the main contractor/system supplier, compare [1].


The results of the deliverable shall be incorporated in the overall MODSafe approach. In particular, the identified MODSafe safety functions shall be used to act as hazard control measures to cover relevant hazards, delineated in the MODSafe hazard log of MODSafe WP2 ([11], [12]) and MODSafe WP3. Furthermore, the list of MODSafe safety functions is input to the functional model developed in MODSafe WP5.

Figure 1 gives an overview of the tasks, treated in this deliverable, within the overall system lifecycle and the MODSafe project.

Figure 1 – Safety functions in system lifecycle and MODSafe


5 Process for allocation of safety requirements

The method for allocating safety requirements used in this deliverable originates from the MODURBAN¹ deliverable D86 [16]. A comparison of different safety requirement allocation methods is presented in MODSafe deliverable 4.1 [13]; one outcome of that deliverable is a set of criteria that a safety requirement allocation method should advantageously meet. A detailed description of the method, additional information and possible alternative applications can be found in MODURBAN deliverable D86 and MODSafe deliverable 4.1. Additionally, a second method is outlined in brief to ease subsequent analyses.

5.1 Description of the semi-quantitative MODURBAN process

5.1.1 Risk parameters used in the method

The starting point of the method is the risk matrix introduced in the European and meanwhile international standard EN 50126 (IEC 62278). The matrix relates the rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) to the degree of severity of that harm [2]. From the combination of frequency of occurrence and severity level of the hazard consequences, the risk matrix (see Table 1) yields a risk level such as “tolerable” or “intolerable”.

Table 1 – Frequency-consequence matrix or risk matrix (cell entries are risk levels)

Frequency of occurrence      Severity level of hazard consequence
of hazardous event           insignificant   marginal      critical      catastrophic

frequent                     undesirable     intolerable   intolerable   intolerable
probable                     tolerable       undesirable   intolerable   intolerable
occasional                   tolerable       undesirable   undesirable   intolerable
remote                       negligible      tolerable     undesirable   undesirable
improbable                   negligible      negligible    tolerable     tolerable
incredible                   negligible      negligible    negligible    negligible

Following EN 50126 the parameter describing the severity level of hazard consequences can be understood as:

¹ MODURBAN is a European research and development project covering metros and light rail systems.


Catastrophic: Fatalities and/or multiple severe injuries and/or major damage to the environment

Critical: Single fatality and/or severe injury and/or significant damage to the environment

Marginal: Minor injury and/or significant threat to the environment

Insignificant: Possible minor injury

In addition to the two risk parameters introduced so far, severity level and frequency of occurrence, three more parameters are used in the MODURBAN method. These are parameters which may reduce the initial risk, which up to this point is expressed by the severity level only. MODURBAN D86 describes the parameters for risk reduction (or risk reduction measures) as follows:

• Exposure Probability to Hazard E: Is there good reason to conservatively assume that members of the risk group (e.g. passenger) are exposed to the hazard clearly less than permanently (by orders of magnitude in probability)?

• Accident Probability Reduction P: Is there good reason to conservatively assume that the evolvement of a certain hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of rate by orders of magnitude)?

• Consequence Reduction Probability C: Is there good reason to conservatively assume that the members of the risk group (e.g. passenger, workers or neighbours) can clearly avoid being subject to the hazard (by orders of magnitude) or reduce considerably the potential damage (by severity class)?

Considering the severity level of hazard consequences and the three risk reduction measures, a frequency can be estimated which represents the tolerable risk and corresponds to the tolerable hazard rate (THR).

5.1.2 Numerical interpretation of risk parameters

An application starts with an estimation of the possible hazard consequences of a wrong-side failure of the safety function. This is followed by a description of the operational or environmental circumstances, in order to estimate which risk reduction measures are valid and their numerical values.

For that purpose, an initial THR² has to be estimated which does not consider any risk reduction measures and is derived from the severity of the potential hazard consequences alone, graded in four severity levels (SL). With the help of Table 2, leaving out the SIL so far, the levels of severity are expressed as follows:

• Catastrophic: THR = 10^-9/h (SL4)

• Critical: THR = 10^-8/h (SL3)

• Marginal: THR = 10^-7/h (SL2)

• Insignificant: THR = 10^-6/h (SL1)

² Strictly speaking, this initial THR is not yet the tolerable hazard rate, since it leaves out any consideration of possible risk reduction measures. However, if all risk reduction measures are initially set to a value of 1 (1 = no impact), the actual tolerable hazard rate equals the initial THR (initial in the sense that risk reduction measures have not yet been considered).

The risk reduction measures are to be understood in the following way, as described in MODURBAN deliverable D86:

E = 1: Exposure of members of the risk group to the hazard is conservatively assumed to be frequent or permanent.

E = 10^-1: Exposure of members of the risk group to the hazard can conservatively be assumed to be rare, i.e. only in exceptional cases (e.g. passengers in a turn-back train, passengers walking into the tunnel, etc.).

E = 10^-2: Exposure of members of the risk group to the hazard is to be expected only in very rare cases (e.g. passengers in a depot, etc.).

P = 1: No additional barrier can conservatively be assumed that would reduce the probability of the hazard evolving into an accident.

P = 10^-1: There exist means or circumstances that clearly reduce the probability that a certain hazard evolves into an accident (e.g. additional barriers beyond the one under analysis, a driver who notices a positioning failure and corrects it manually, personnel on board or in the station who notice an otherwise undetected open door at train departure, etc.).

P = 10^-2: There exist two means or circumstances that independently and clearly reduce the probability that a certain hazard evolves into an accident (e.g. personnel on board or in the station notice an otherwise undetected open door at train departure, and an independent door interlock senses the open door before the train departs).

C = 1: There is no reason to conservatively assume that a member of the risk group (e.g. a passenger) may avoid being subject to the consequences of a certain hazard.

C = 10^-1: There is good reason to conservatively assume that a member of the risk group (e.g. a passenger) can avoid being subject to the consequences of a certain hazard (e.g. in low-headway train operation a passenger who has fallen onto the station tracks may climb out or move into an emergency bay; a driver notices an overspeed protection system failure and reduces speed manually, so that the collision occurs at severity level SL3 instead of SL4).

C = 10^-2: There are two independent good reasons to conservatively assume that a member of the risk group can avoid being subject to the consequences of a certain hazard (e.g. a passenger on the track in tramway operation can move away from the track and the driver can stop the train in time; an overspeed protection failure at the end of track (SL4 to SL3) is noticed by the driver and the manual speed reduction further reduces the consequence to SL2).

Based on the initial THR (THRi) and considering the three risk reduction measures, the final THR is calculated by dividing the initial THR by the product of the risk reduction measures:

(1)  $\mathrm{THR} = \dfrac{\mathrm{THR}_i}{E \cdot P \cdot C}$

Since E, P and C each take the value 1, 10^-1 or 10^-2, every order of magnitude of credited risk reduction raises the tolerable hazard rate by one order of magnitude, i.e. lowers the safety integrity requirement of the function by one level.

The safety integrity level is then determined using the following table:


Table 2 – THR/SIL table according to EN 50129

Tolerable Hazard Rate THR per hour and per function | Safety Integrity Level SIL
THR 4: 10^-9 ≤ THR < 10^-8 | SIL 4
THR 3: 10^-8 ≤ THR < 10^-7 | SIL 3
THR 2: 10^-7 ≤ THR < 10^-6 | SIL 2
THR 1: 10^-6 ≤ THR < 10^-5 | SIL 1

5.1.3 Application of the method

The method shall be applied to one particular function. All numerical values apply to this particular function and shall be expressed in the unit “per hour”.

The procedure is described in the following figure in a general manner:

Figure 2 – General procedure of the method for SIL allocation

During an application to allocate safety requirements to safety functions the following aspects shall be considered:

• Severity of consequences: Catastrophic THR = 10^-9 /h; Critical THR = 10^-8 /h; Marginal THR = 10^-7 /h; Insignificant THR = 10^-6 /h

• Exposure of members: Frequent E = 1; Rare E = 0,1; Very rare E = 0,01

• Accident reduction: No barrier P = 1; One barrier P = 0,1; Two barriers P = 0,01

• Consequences reduction: No barrier C = 1; One barrier C = 0,1; Two barriers C = 0,01

• Level of safety integrity: THR = 10^-9 /h SIL 4; THR = 10^-8 /h SIL 3; THR = 10^-7 /h SIL 2; THR = 10^-6 /h SIL 1


The exposure probability to the hazard (E) shall be used to describe whether persons are involved in a regularly occurring hazardous situation or not. In other words, the hazardous situation can be observed frequently, but passengers, for example, are not exposed to every instance of it. This risk reduction measure does not describe a demand rate, i.e. how often a particular hazard arises with passengers permanently exposed to it. Examples of the first case are maintenance hazards: these occur frequently, but passengers are not exposed to them on a regular basis. By contrast, passengers are frequently exposed to the hazard of an emergency brake failure because they are permanently on board the train; however, this latter hazard does not occur regularly, and its hazard rate is usually described with a demand rate and other relevant rates. The issue of safety functions required in a low demand mode of operation is treated in MODSafe deliverable 4.3 [14].

The risk reduction measures abbreviated P and C use the idea of barriers that reduce either the accident frequency or the severity of the hazard consequences. These barriers can be understood as means or reasons to reduce risk. If a risk reducing barrier can be assumed, the value of how efficiently the barrier acts to reduce risk is not considered: any barrier that can be credited is estimated with a fixed factor of 1:10. If the risk reduction shall be estimated with a higher value, two independent means or reasons have to be considered.

With respect to a calibration of results, the particular result for a hazard arising from a failure of a safety function with direct credible potential for catastrophic hazard consequences is estimated with 10^-9 per hour, according to the method described here. This estimation originates from the European Regulation 352/2009 for the heavy railway sector [4]. In particular it states: For technical systems where a functional failure has credible direct potential for a catastrophic consequence, the associated risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating hour. [4] However, by no means shall any assumptions be made on the applicability of the European Regulation 352/2009 to the domain of Urban Guided Transport. It is even anticipated that urban railways such as metro, light rail and tramway are explicitly excluded, as stated in clause 2 (3) of the European Regulation 352/2009. Therefore, the above mentioned value of 10^-9 per hour is only mentioned as a reference value for acceptable safety regardless of the specific railway domain.
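The allocation steps of section 5.1.3 and the E/P/C semantics just described, carried through in Python as an added example (not code from the MODSafe project or the deliverable itself); the barrier-count parameters, the function names and the constructed scenarios in the main block are assumptions for illustration.

```python
"""Worked example of the semi-quantitative SIL allocation method of section 5.1:
THR = THR_i / (E * P * C), then the SIL band from Table 2 (EN 50129).
Added illustration, not code from the MODSafe project."""
import math
from dataclasses import dataclass
from typing import Optional

# Initial THR (per hour) for each severity class, as a decade exponent
# (section 5.1.3: Catastrophic 10^-9 /h ... Insignificant 10^-6 /h).
SEVERITY_EXPONENT = {
    "catastrophic": -9,
    "critical": -8,
    "marginal": -7,
    "insignificant": -6,
}

# E, P and C each take the value 1, 0.1 or 0.01 depending on how many independent
# means or reasons (barriers) can be credited: 0, 1 or 2. The method gives no
# credit beyond two independent barriers, so larger counts are rejected.
MAX_BARRIERS = 2


@dataclass(frozen=True)
class Allocation:
    thr_i: float        # initial THR from severity, per hour
    thr: float          # final THR = THR_i / (E * P * C), per hour
    sil: Optional[int]  # 1..4 from Table 2; None if THR >= 10^-5 /h (no SIL band)


def reduction_factor(barriers: int) -> float:
    """Value of one risk reduction measure (E, P or C) for the given barrier count."""
    if not 0 <= barriers <= MAX_BARRIERS:
        raise ValueError(
            f"at most {MAX_BARRIERS} independent barriers can be credited, got {barriers}")
    return 10.0 ** -barriers  # 1, 0.1 or 0.01


def sil_from_thr(thr: float) -> Optional[int]:
    """Map a THR (per hour) to its SIL band from Table 2.

    The comparison is done on the decade exponent so that float noise from the
    division (e.g. 9.999999e-8 instead of 1e-7) cannot push a value across a
    band boundary.
    """
    if thr <= 0:
        raise ValueError("THR must be a positive rate per hour")
    exponent = math.floor(math.log10(thr) + 1e-9)  # -9 for [1e-9, 1e-8), -8 for [1e-8, 1e-7), ...
    if exponent < -9:
        raise ValueError("THR below 10^-9 /h is not covered by Table 2")
    sil = -exponent - 5  # -9 -> SIL 4, -8 -> SIL 3, -7 -> SIL 2, -6 -> SIL 1
    return sil if sil >= 1 else None  # THR >= 10^-5 /h: no SIL band in Table 2


def allocate(severity: str, exposure_barriers: int, accident_barriers: int,
             consequence_barriers: int, continuous_mode: bool = True) -> Allocation:
    """Apply the method to one safety function (all values per hour).

    exposure_barriers    -> E (Frequent 0, Rare 1, Very rare 2)
    accident_barriers    -> P (No barrier 0, One barrier 1, Two barriers 2)
    consequence_barriers -> C (No barrier 0, One barrier 1, Two barriers 2)
    """
    if not continuous_mode:
        # Section 6.1: the method is only meant for high demand / continuous mode
        # functions; low demand functions also need the demand rate and the
        # diagnostic test interval (treated in MODSafe deliverable 4.3).
        raise ValueError("method not applicable to low demand mode safety functions")
    if severity not in SEVERITY_EXPONENT:
        raise ValueError(f"unknown severity class {severity!r}")
    thr_i = 10.0 ** SEVERITY_EXPONENT[severity]
    e = reduction_factor(exposure_barriers)
    p = reduction_factor(accident_barriers)
    c = reduction_factor(consequence_barriers)
    thr = thr_i / (e * p * c)  # equation (1)
    return Allocation(thr_i=thr_i, thr=thr, sil=sil_from_thr(thr))


if __name__ == "__main__":
    # Constructed scenarios in the spirit of the page's examples; they are not
    # results taken from the deliverable's own analysis tables.
    cases = {
        "overspeed protection, no barriers credited": ("catastrophic", 0, 0, 0),
        "overspeed protection, driver notices failure (P) and reduces speed (C)":
            ("catastrophic", 0, 1, 1),
        "maintenance hazard, critical, rare passenger exposure": ("critical", 1, 0, 0),
    }
    for label, args in cases.items():
        a = allocate(*args)
        print(f"{label}: THR = {a.thr:.0e} /h -> SIL {a.sil}")
```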

5.2 Description of the risk graph based method

For some generic safety functions the German VDV 331 [18] defines required safety integrity levels; these safety integrity levels can thus be applied to the system in question. The background of the risk graph is part 5 of IEC 61508 [7].

According to IEC 61508 the quantitative component (“Target Failure Measure (TFM)” which is equivalent to “Tolerable Hazard Rate (THR)”) can be derived directly from the SIL.

It shall be noted that the congruency of the results obtained by the semi-quantitative allocation method from MODURBAN has been verified with an independent method, the semi-quantitative risk graph method outlined here. In deliverable D86 of MODURBAN, all considered continuous safety functions were analysed applying both methods, and the obtained results were identical in all cases.

Due to the identity of results, the present analysis applies one method as representative for both. Since the MODURBAN method is an agreed method from the European project MODURBAN and its results found broad consensus at European level, the semi-quantitative MODURBAN method is used. Anyway, the risk analyses and specified safety requirements which can be found in VDV 331 for some of the functions were found compatible and may therefore serve as a guideline where the functions under consideration are covered by VDV 331.

[Figure 3 diagram: risk graph starting from severity S1 to S4, branching over A1/A2 and G1/G2, with columns W1, W2 and W3 leading to the result classes 1 to 8]

The analysis follows the principles described in IEC 61508, calibrated within VDV 331/332 to the process under consideration. The safety function is analysed according to four attributes, which are:

S – consequences of hazardous events

A – frequency of, and exposure time in, the hazardous zone

G – possibility of failing to avoid the hazardous event

W – probability of the unwanted occurrence.

The result of the risk analysis provides a “necessary minimum risk reduction” from which the safety integrity levels (SIL) can be derived directly. The connection between the results of the analysis for safety functions derived from the risk graph and safety integrity level are shown in Table 3.

Table 3 – Risk reduction and SIL (example from IEC 61508 and used in VDV 331)

Tolerable Hazard Rate (THR) | Necessary minimum risk reduction | Safety integrity level
- | — | No safety requirements
- | 1 | No special safety requirements
≥10^-6 to <10^-5 | 2, 3 | 1
≥10^-7 to <10^-6 | 4 | 2
≥10^-8 to <10^-7 | 5, 6 | 3
≥10^-9 to <10^-8 | 7 | 4
- | 8 | An E/E/PE SRS is not sufficient

Figure 3 – Risk graph according to VDV 331

Severity of loss: S1 Minor injury; S2 Serious permanent injury to one or more persons, death to one person; S3 Death to several people; S4 Very many people killed

Duration of stay: A1 Rare to more often exposure in the hazardous zone; A2 Frequent to permanent exposure in the hazardous zone

Averting the danger: G1 Possible under certain conditions; G2 Almost impossible

Probability of the unwanted occurrence: W1 very slight; W2 slight; W3 relatively high


6 Mode of operation and grade of automation

One goal of this deliverable is to recommend the deduced safety requirements to European urban guided transport system operators as potential generic safety integrity requirements. This can be done if safety functions do not, or only weakly, depend on an operational context. For the purpose of MODSafe, two criteria are considered to describe the operational context: the mode of operation and the grade of automation, on the basis of an unambiguous, consistent and complete functional requirement specification.

6.1 Definition of mode of operation

The mode of operation can be understood as the way in which safety functions operate, according to IEC 61508 part 4 [6]. This international standard differentiates between three modes of operation with respect to the frequency of demand:

• low demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year; or

• high demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or

• continuous mode: where the safety function retains the EUC in a safe state as part of normal operation [6]

However, it shall be noted that apart from the definition of a strict number of events (demand) per year, IEC 61508 proposes to explicitly consider the diagnostics in all three modes of operation, if the ratio of the diagnostic test rate to the demand rate equals or exceeds 100 [5]. Taking into account this ratio, any specific demand rate and the associated safety level of the safety function can be calculated for a specific case. The above categorisation is not necessary in this case. This issue will be addressed in detail in the MODSafe deliverable 4.3 and therefore, shall not be discussed in more detail in this deliverable.

Additionally, IEC 61508 states that if the total demand rate arising from all the demands on the system exceeds 1 per year then the critical factor is the dangerous failure rate of the E/E/PE safety-related system. Hence, the operational mode for high demand and continuous can be treated as one, considering the demand rate.

For safety functions acting in a high demand or continuous mode of operation it is expected that a failed safety function is equivalent to an unsafe state or a hazard. Expressed in a state diagram the system would turn from a safe state to an unsafe state by the wrong side failure rate of the safety function (λSF), see figure below. (The label µR might be equivalent to a repair or restore rate.)


Figure 4 – State diagram for continuous and high demand mode of operation

However, for safety functions with a low frequency of demand, this would not necessarily be true. It is expected that for safety functions acting in a low demand mode of operation, the consequences of a hazard are not immediately severe. The probability that an accident will happen immediately after the failure of the low demand safety function is anticipated to be considerably lower than 1. For example, in operations with a two minute headway, or even less, a train running in the wrong direction would immediately collide with other trains. Hence, the determination of the train travel direction is required to work safely in every case. But a derailment detection device has only one requirement: detect a derailment if one has occurred. So, a failure of a derailment detection device leads to an accident only if a demand (a derailment) occurs, which is a very rare event compared to the potential failure of the travel direction determination.

Therefore, it is assumed that for safety functions not acting in a high demand or continuous mode of operation, other safety relevant criteria have to be considered, such as the frequency of demand and the diagnostic test interval of the safety function. An approach which takes these considerations into account is presented in [19]. This perspective is in line with IEC 61508, but the safety requirement allocation method proposed here does not take these issues into account in an appropriate manner. This process cannot be applied to functions required in a low demand mode of operation; these have to be considered separately. This issue is covered in MODSafe deliverable 4.3.

Moreover, IEC 61508 part 5 supports the need to select the most appropriate method for SIL allocation, since the mode of operation has to be considered and some methods are only suitable for low demand mode and vice versa.

For the purpose of this document, safety functions are considered which clearly act in a continuous mode of operation, which might be equivalent to a frequency of demand clearly higher than once a year (e.g. functions associated with train movement and passenger exchange, which are in everyday use and not exceptional situations like emergency cases). Another characteristic of the analysed safety functions is that wrong side failures are expected to lead to a hazardous situation with direct severe hazard consequences.


6.2 Grade of automation

The following definitions of grades of automation (GOA) are proposed by IEC 62290-1 [9]. The basis for differentiating between GOAs is the sharing of responsibilities between operational staff and the system with respect to the basic functions of train operation. Information on which functions are realised by the system and which by staff can be found in Table 4.

6.2.1 Grade of automation 0 (GOA0): On-sight train operation

In this grade of automation the driver has full responsibility and no system is required to supervise his activities. However, points and single tracks can be partially supervised by the system [9].

In terms of responsibilities for operational staff this means the following, see figure below:

• Ensure safe separation of trains

• Observation of guideway and stopping the train in hazardous situations

• Control of acceleration and braking

• Supervision of safe speed

• Control and supervise switches

• Supervision of train departure

• Operate train and detect hazardous situations

Figure 5 – GOA0 On-sight train operation

6.2.2 Grade of automation 1 (GOA1): Non-automated train operation

In this grade of automation, the driver is in the front cabin of the train observing the guideway and stops the train in the case of a hazardous situation. Acceleration and braking are commanded by the driver in compliance with wayside signals or cab-signal. The system supervises the activities of the driver. This supervision may be done at specific locations, be semi-continuous or continuous, notably in respect of the signals and the speed. Safe departure of the train from the station, including door closing, is the responsibility of the operations staff. [9]


In terms of responsibilities for operational staff this means the following:

• Observation of guideway and stopping the train in hazardous situations

• Adherence to signals

• Control of acceleration and braking

• Supervision of train departure

• Operate train and detect hazardous situations

For GOA1 the following applications of train control and protection systems with their characteristics and safety functions are regarded in this deliverable.

Train stops and wayside signals and fixed block system:

• Detection of trains by wayside devices as basis for safe separation of trains

• Authorisation of movement by wayside signals

• Supervision of train movements by train stops and possibly speed supervision by wayside equipment at discrete locations

[Figure 6 sketch: speed supervision at discrete locations; train stops at discrete locations; train detection by wayside devices; danger point]

Figure 6 – GOA1 Train stops and wayside signals and fixed block system

Semi continuous speed supervision and fixed block systems with wayside signals:

• Detection of trains by wayside devices as basis for safe separation of trains

• Authorisation of movement by wayside signals

• Supervision of train movements including permitted speed by train protection profile, which is provided at discrete locations or in dedicated areas (semi-continuous speed supervision)


[Figure 7 sketch: infill loop in dedicated areas; balise at discrete locations; train detection by wayside devices; danger point; train protection profile; train location relative to TPP; movement authority limit; speed restriction within intended route of train]

Figure 7 – GOA1 Semi continuous speed supervision and fixed block systems with wayside signals

Continuous speed supervision with cab signals:

• Localisation of trains by reporting trains as basis for safe separation of trains

• Authorisation of movement by cab signals derived from train protection profile which is provided continuously

• Supervision of train movements including permitted speed by train protection profile

[Figure 8 sketch: danger point; train protection profile; train location relative to TPP; train localisation by reporting trains; movement authority limit; speed restriction within intended route of train]

Figure 8 – GOA1 Continuous speed supervision with cab signals


Continuous supervision of speed by the system and wayside signals:

• Localisation of trains by reporting trains as basis for safe separation of trains

• Authorisation of movement provided by wayside signals

• Supervision of train movements including permitted speed by train protection profile

[Figure 9 sketch: danger point; train protection profile; train location relative to TPP; train localisation by reporting trains; movement authority limit; speed restriction within intended route of train]

Figure 9 – GOA1 Continuous supervision of speed by system and wayside signals

6.2.3 Grade of automation 2 (GOA2): Semi-automated train operation

In this grade of automation, the driver is in the front cabin of the train observing the guideway and stops the train in the case of a hazardous situation. Acceleration and braking is automated and the speed is supervised continuously by the system. Safe departure of the train from the station is the responsibility of the operations staff (door opening and closing may be done automatically). [9]

In terms of responsibilities for operational staff this means the following, see figure below:

• Observation of guideway and stopping the train in hazardous situation

• Supervision of train departure

• Operate train and detect hazardous situations


[Figure 10 sketch: movement authority limit; speed restriction within intended route of train; train location; authorised speed]

Figure 10 – Responsibility of operations staff in GOA2

6.2.4 Grade of automation 3 (GOA3): Driverless train operation

In this grade of automation, additional measures are needed compared to GOA2 because there is no driver in the front cabin of the train to observe the guideway and stop the train in case of a hazardous situation.

In this grade of automation, a member of the operations staff is necessary onboard. Safe departure of the train from the station, including door closing, can be the responsibility of the operations staff or may be done automatically. [9]

In terms of responsibilities for operational staff this means the following, see figure below:

• Supervision of train departure

• Operate train and detect hazardous situations

[Figure 11 sketch: movement authority limit; speed restriction within intended route of train; train location; authorised speed]

Figure 11 – Responsibility of operations staff in GOA3


6.2.5 Grade of automation 4 (GOA4): Unattended train operation

In this grade of automation, additional measures are needed compared to GOA3 because there are no onboard operations staff.

Safe departure of the train from the station, including door closing, has to be done automatically.

More specifically, the system supports detection and management of hazardous conditions and emergency situations such as the evacuation of passengers. Some hazardous conditions or emergency situations, such as derailment or the detection of smoke or fire, may require staff interventions. [9]

Fully unattended train operation does not assign responsibilities to operational staff on board the train or in the station. Human responsibility remains, but moves partly to OCC staff and also to maintenance staff (in order to be sure that all functions are available during the mission).

[Figure 12 sketch: movement authority limit; speed restriction within intended route of train; train location; authorised speed]

Figure 12 – Responsibility of operations staff in GOA4

7 Functions to be analysed

The origin of the majority of the MODSafe safety functions is the international standard IEC 62290 part 2 [10], which covers functions of an urban guided transport management and command/control system (UGTMS).

7.1 Principal structure of basic functions for train operation


The principal structure of the MODSafe safety functions is taken from IEC 62290 part 1 [9]. The table below outlines the structure. It shows the general functions required for train operation as well as the associated grade of automation for each basic function.


Table 4 – Grades of automation according to IEC 62290-1

Basic functions of train operation | GOA0 On-sight train operation | GOA1 Non-automated train operation | GOA2 Semi automated train operation | GOA3 Driverless train operation | GOA4 Unattended train operation

Ensuring safe movement of trains
Ensure safe route | X (points command/control in system) | S | S | S | S
Ensure safe separation of trains | X | S | S | S | S
Ensure safe speed | X | X (partly supervised by system) | S | S | S

Driving
Control acceleration and braking | X | X | S | S | S

Supervising guideway
Prevent collision with obstacles | X | X | X | S | S
Prevent collision with persons on tracks | X | X | X | S | S

Supervising passenger transfer
Control passenger doors | X | X | X | X | S
Prevent person injuries between cars or between platform and train | X | X | X | X | S
Ensure safe starting conditions | X | X | X | X | S

Operating a train
Set in / set off operation | X | X | X | X | S
Supervise the status of the train | X | X | X | X | S

Ensuring detection and management of emergency situations
Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations (call/evacuation, supervision) | X | X | X | X | S and/or staff in OCC

NOTE: X = responsibility of operations staff (may be realised by UGTMS system); S = shall be realised by UGTMS system

7.2 List of MODSafe safety functions

For the selection of safety functions from IEC 62290-2 the following criteria are considered:

• The MODSafe safety function shall act as safety function (Functions obviously intended to be realised in an ATO or ATS subsystem are not considered.)

This criterion also applies to MODSafe safety functions which are newly added to the list.


Most safety functions are directly taken from IEC 62290-2 but were complemented by the work previously done in the context of the MODURBAN project. Since this draft standard IEC 62290-2 is based on MODURBAN, namely on deliverable D80 [15], compatibility with the MODURBAN work is maintained in principle. Besides, more recent considerations regarding urban guided transport management and command/control systems have been taken into account during the elaboration of IEC 62290-2. Therefore, direct reference to this draft standard is appropriate.

Some MODURBAN functions from D86 [16] have also been taken into account where suitable, especially those functions which were subject to risk analyses and a safety requirement allocation in D86. Compatibility and consistency with the more recent work in MODSafe shall be achieved when taking into account the D86 analyses.

Complementary to the IEC 62290 and the MODURBAN analyses new functions are added or existing functions are clarified in terms of a more appropriate naming (cf. Figure 13). Especially those functions which are important for higher grades of automation, such as derailment detection, guideway intrusion detection or the detection of intruding unequipped trains have been added. Therewith, more recent developments in this field shall be considered.

[Figure 13 flowchart: create a list of functions from the IEC 62290 function names and structure (complementing the MODURBAN list) and the MODURBAN D86 functions, risk analysis and SIL allocation process; select functions; check compatibility with MODURBAN analysis results; SIL allocation to these functions; MODSafe example functions for WP4; Deliverable 4.2, reviewed and discussed by WP4]

Figure 13 – General procedure of the elaboration of the list of MODSafe safety functions

Each MODSafe safety function will be analysed according to the grade of automation and therefore taking into account the operational context of each function. It has been agreed for the project to concentrate efforts on safety relevant functions. Risk and safety considerations are made primarily for GOA1 to 4. In GOA0 the driver has full responsibility for “safe train separation” and for “ensure safe speed”, and no technical management and command/control system is assumed to implement any of these safety functions. However, some safety functions need to be considered also in GOA0 for ensuring safe routes, such as partial supervision of switches, single tracks and level crossings.

The generated list of MODSafe safety functions contains the following information:

1. Numbering, which is unique for each MODSafe safety function used within this document

2. Name of safety function, as described in IEC 62290-2 or new if necessary

3. Description of the function

4. Reference, in particular IEC 62290-2 including the appropriate sub-clause. The label “New for MODSafe” indicates that these safety functions cannot be found in IEC 62290-2.

7.2.1 Ensure safe movement of trains

7.2.1.1 Ensure safe route

Nr. | Name of safety function | Description | Reference
1 | Check route availability | For the route to be set, the conflict free availability of all determined route elements shall be checked. | IEC 62290-2 5.1.1.1.1-3
2 | Set route | This function is intended to set a route by command provided by operation control HMI or by the function set routes automatically. | IEC 62290-2 5.1.1.1.1
3 | Supervise route | This function is intended to supervise that all conditions for the route are still in place. | IEC 62290-2 5.1.1.1.2
4 | Supervise level crossing as secured | This function is intended to supervise that a level crossing is secured and locked in order to forbid its conflicting use by general road and pedestrian traffic. | New for MODSafe
5 | Lock route | This function is intended to lock the route against route release by operator command if a train is approaching and the movement authority allows entry into the route, or a train is within the route. | IEC 62290-2 5.1.1.1.3
6 | Release route | This function is intended to release a route and its elements. | IEC 62290-2 5.1.1.2


7.2.1.2 Ensure safe separation of trains

Nr. | Name of safety function | Description | Reference
7 | Initialise UGTMS reporting trains location | This function is intended to initialise the location of reporting trains which are: stationary in stabling locations; entering UGTMS territory; recovering from localisation failures. | IEC 62290-2 5.1.2.1
8 | Determine train orientation | This function is intended to determine the physical orientation of the train relative to the defined orientation of the track. | IEC 62290-2 5.1.2.2.1
9 | Determine actual train travel direction | This function determines the travel direction of trains. | IEC 62290-2 5.1.2.2.2
10 | Determine train location | This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length. | IEC 62290-2 5.1.2.2.3
11 | Locate non reporting trains by track sections | This function is intended to determine the location of non reporting trains using external devices. | IEC 62290-2 5.1.2.3

7.2.1.3 Determine permitted speed

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 12 | Determine static speed profile | This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality and infrastructure constraints (tunnels, bridges, platforms, etc.). | IEC 62290-2 5.1.3.1.1 |
| 13 | Determine temporary infrastructure speed restrictions | This function is intended to set and remove temporary speed restrictions for selected areas by operational commands or as a result of system reactions. | IEC 62290-2 5.1.3.1.2 |
| 14 | Determine permanent rolling stock speed restrictions | This function is intended to determine the maximum permitted speed for each type of rolling stock. | IEC 62290-2 5.1.3.1.3 |
| 15 | Determine temporary rolling stock speed restrictions | This function is intended to determine temporary rolling stock speed restrictions due to train failures and to driving modes. | IEC 62290-2 5.1.3.1.4 |

7.2.1.4 Authorise train movement

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 16 | Determine movement authority limit | To ensure safe train movement, this function determines for each train its limit of movement authority, corresponding to the first danger point ahead of the train. | IEC 62290-2 5.1.4.1 |
| 17 | Determine train protection profile | This function determines the train protection profile for all trains to ensure that their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point. The train protection profile shall be determined by the applicable safe braking model. | IEC 62290-2 5.1.4.2 |
| 18 | Authorise train movement by wayside signals | This function is intended to authorise train movement by wayside signals for non UGTMS-operated trains if the conditions of safe route and safe separation are fulfilled. Wayside signals are used to allow mixed traffic or, as one possibility, for degraded operation. | IEC 62290-2 5.1.4.3 |
| 19 | Determine a zone of protection | This function is intended to set and remove zones of protection for selected areas by operational command or as a result of system reactions. | IEC 62290-2 5.1.4.4 |
| 20 | Stopping a train en route | This function is intended to stop a train immediately in case of emergency. | IEC 62290-2 5.1.4.5 |
| 21 | Authorise the entry of non-operative UGTMS trains into UGTMS territory | This function is intended to authorise the entry of non-operative UGTMS trains into the UGTMS territory. | IEC 62290-2 5.1.4.6 |


7.2.1.5 Supervise train movement

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 22 | Determine actual train speed | This function is intended to determine the actual train speed. | IEC 62290-2 5.1.5.1 |
| 23 | Supervise safe train speed | This function is intended to supervise the actual speed of UGTMS-equipped trains against the permitted speed with respect to the train protection profile. | IEC 62290-2 5.1.5.2 |
| 24 | Inhibit train stops | This function is intended to prevent UGTMS-operated trains from being tripped by train stops. | IEC 62290-2 5.1.5.3 |
| 25 | Monitor speed limit at discrete location | This function is intended to monitor external wayside equipment detecting predefined overspeed. | IEC 62290-2 5.1.5.4 |
| 26 | Supervise train rollaway | This function is intended to supervise the train in case of rollaway. | IEC 62290-2 5.1.5.5 |
| 27 | Immobilisation of train | This function is intended to constrain the train against motion during the station stop for passenger exchange. | New for MODSafe |
| 28 | Detect unauthorised movement of non-operative trains | This function is intended to detect unauthorised movements of non-equipped or non-reporting trains. | New for MODSafe |
| 29 | React to unauthorised movement of non-operative trains | This function is intended to react to unauthorised movements of non-operative trains in order to prevent collisions. | IEC 62290-2 5.1.5.6 |
| 30 | Detect intruding unequipped train | This function is intended to detect the intrusion of an unequipped train into UGTMS territory. | New for MODSafe |


7.2.2 Provide interface with external interlocking

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 31 | Provide interface with external interlocking | This function is intended to provide an interface to an external interlocking if the basic function “Ensure safe route” and other functions (e.g. “Authorise train movement by wayside signals”, “Locate non reporting trains by track sections”) are not realised inside UGTMS. | IEC 62290-2 5.1.6 |

7.2.3 Supervise guideway

7.2.3.1 Prevent collision with obstacles

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 32 | Supervise wayside obstacle detection device | This function is intended to supervise external devices in charge of detecting obstacles on the track. | IEC 62290-2 5.3.1.1 |
| 33 | Supervise onboard obstacle detection device | This function is intended to supervise the actions of an external onboard obstacle detection device to stop the train in case of collision with an obstacle. | IEC 62290-2 5.3.1.2 |

7.2.3.2 Prevent collision with persons on tracks

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 34 | Warn passenger to stay away from the platform edge | This function is intended to warn passengers to stay away from the platform edge if a train is approaching the platform track. | IEC 62290-2 5.3.2.1 |
| 35 | React on emergency stop request from platforms | This function is intended to react to emergency stop requests from platforms initiated by passengers or staff. | IEC 62290-2 5.3.2.2 |
| 36 | Supervise platform doors | This function is intended to supervise the closed and locked status of the platform doors if they are not required to be open. | IEC 62290-2 5.3.2.3 |
| 37 | Supervise platform tracks | This function is intended to supervise the actions of an external platform track detection device to stop the train in case of intrusion of a person. | IEC 62290-2 5.3.2.4 |
| 38 | Supervise border between platform tracks and other tracks | This function is intended to supervise the actions of an external device which supervises both borders of platform tracks, detecting persons intruding into the adjacent track areas. | IEC 62290-2 5.3.2.5 |
| 39 | Supervise platform end doors | This function is intended to supervise the actions of an external device which supervises the doors at both ends of platforms, detecting non-permitted opening of the doors and intrusion of persons onto the tracks between stations by that way. | IEC 62290-2 5.3.2.6 |

7.2.4 Protect staff on track

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 40 | Protect staff on track | This function is intended to establish and subsequently remove work zones in order to protect staff on the track. A work zone is set as long as the protection is required. | IEC 62290-2 5.3.3 |

7.2.5 Supervise passenger transfer

7.2.5.1 Control passenger doors

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 41 | Authorise train doors opening | This function is intended to authorise the opening of train doors with regard to all conditions required to ensure a safe passenger transfer. | IEC 62290-2 5.4.1.1 |
| 42 | Command doors opening | This function is intended to command the opening of train doors and platform doors (if installed) when the opening authorisation conditions are met. | IEC 62290-2 5.4.1.2 |
| 43 | Request doors closing | This function is intended to request the closing of train doors and platform doors (if installed) at stations. | IEC 62290-2 5.4.1.3 |
| 44 | Supervise doors closing | This function is intended to supervise the closing of train doors and platform doors (if installed) at stations. | IEC 62290-2 5.4.1.4 |
| 45 | Supervise closed and locked status of train doors | This function is intended to supervise the closed and locked status provided by the rolling stock. | IEC 62290-2 5.6.6 |

7.2.5.2 Prevent person injuries between platform and train

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 46 | Prevent person injuries between platform and train | This function is intended to detect persons between platform and train. (Prevented hazards include falling or trapping between platform and train.) | New for MODSafe |
| 47 | Prevent person being trapped between platform screen doors and train | This function is intended to detect persons being trapped between platform screen doors (if installed) and train doors when they are closing. | New for MODSafe |

7.2.5.3 Prevent person injuries between train cars

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 48 | Prevent person injuries between train cars | This function is intended to detect persons between train cars. (Prevented hazards include falling or trapping between train cars.) | New for MODSafe |


7.2.5.4 Ensure safe starting conditions

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 49 | Authorise station departure (safety related conditions) | This function is intended to verify all prerequisites necessary for safe station departure. | IEC 62290-2 5.4.3.1 |
| 50 | Authorise station departure (operational conditions) | This function is intended to verify all prerequisites necessary due to operational constraints in order to authorise station departure. | IEC 62290-2 5.4.3.2 |
| 51 | Command station departure | This function is intended to command a train to leave the station when the required operational and safety conditions are met. | IEC 62290-2 5.4.3.3 |

7.2.6 Operate a train

7.2.6.1 Put in or take out of operation

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 52 | Awake trains | This function is intended to wake trains which are in stabling locations (in the workshop, in sidings or on the line) before they enter service, by the action of the driver or by remote action from the OCC. | IEC 62290-2 5.5.1.1 |
| 53 | Set trains to sleep | This function is intended to set trains to sleep in stabling locations (in the workshop, in sidings or on the line) after they leave service, by the action of the driver or by remote action from the OCC. | IEC 62290-2 5.5.1.2 |

7.2.6.2 Manage driving modes

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 54 | Manage driving modes | This function is intended to manage the driving modes of the train. | IEC 62290-2 5.5.2 |


7.2.6.3 Manage movement of trains between two operational stops

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 55 | Manage movement of trains between two operational stops | This function is intended to manage the movement of trains on the guideway between stations, taking into account the different operational disturbances that lead to stops outside stations. | IEC 62290-2 5.5.3 |

7.2.6.4 Manage depot and stabling areas

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 56 | Manage depot and stabling areas | This function is intended to manage train movement in depots and stabling areas. | IEC 62290-2 5.5.4 |

7.2.6.5 Manage UGTMS transition areas

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 57 | Manage UGTMS transition areas | This function is intended to manage the train movement from or to UGTMS transition areas. | IEC 62290-2 5.5.5 |

7.2.6.6 Restrict train entry to station

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 58 | Restrict train entry to station | This function is intended to prevent the entry of a train into a station when the required operational conditions are not met. | IEC 62290-2 5.5.6 |


7.2.6.7 Manage the platform or siding stopping position of the train

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 59 | Manage the platform or siding stopping position of the train | This function is intended to manage different stopping positions of trains per platform or siding due to operational reasons. | IEC 62290-2 5.5.7 |

7.2.6.8 Change the travel direction

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 60 | Change the travel direction | This function is intended to define the conditions and the process for changing the travel direction of a train. | IEC 62290-2 5.5.8 |

7.2.6.9 Couple and split a train

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 61 | Couple trains automatically | This function is intended to automatically join two separate, independently operated trains in a designated coupling area, so that they are operated as a single train consist. | IEC 62290-2 5.5.9.1 |
| 62 | Split trains – untimely train uncoupling | This function is intended to split a train consisting of two or more train sets into two separate trains to be operated independently. | IEC 62290-2 5.5.9.2 |


7.2.6.10 Supervise the status of the train

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 63 | Supervise UGTMS onboard equipment status prior to entering service | This function is intended to perform all necessary tests on vital equipment during the power-on process or prior to entering UGTMS territory. Generally this function includes only those self tests that deal with the safety of UGTMS and with the inputs and outputs necessary for vital operation. Self tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here. | IEC 62290-2 5.5.10.1 |
| 64 | Supervise UGTMS onboard equipment status during operation | This function is intended to perform all necessary tests during operation of the system. Generally this function includes only those self tests that deal with the safety of the UGTMS application and with the inputs and outputs necessary for vital operation. Self tests that are necessary to achieve the safety features of vital processors are not included here. | IEC 62290-2 5.5.10.2 |
| 65 | Test emergency braking performance | This function is intended to perform a dynamic emergency braking test by commanding emergency braking during motion. | IEC 62290-2 5.5.10.3 |
| 66 | React to detected train equipment failure | This function is intended to react to train equipment failures reported by the rolling stock that impact operation. | IEC 62290-2 5.5.10.4 |
| 67 | Manage traction power supply on train | This function is intended to manage the traction power supply during train operation (e.g. selection of current collector, AC/DC selection, voltage selection, automatic raising and lowering of pantographs and collector shoes, automatic opening/closing of circuit breakers). This function is for instance applicable if several power systems are fitted on a given line. | IEC 62290-2 5.5.11 |


7.2.7 Ensure detection and management of emergency situations

| Nr. | Name of safety function | Description | Reference |
|---|---|---|---|
| 68 | Detect fire and smoke | This function is intended to detect fire or smoke onboard the train. | New for MODSafe |
| 69 | React to detected fire/smoke | This function is intended to supervise an external onboard fire/smoke detection device in order to report the corresponding emergency conditions to the OCC and to hold the train at the next station or, optionally, at the next evacuation point. | IEC 62290-2 5.6.1 |
| 70 | React to detected or suspected broken rail | This function is intended to react to a broken rail detected by external devices. It also describes the reaction of UGTMS to suspected broken rails when no broken rail detectors are implemented but track circuits are used as train detection devices. | IEC 62290-2 5.6.3 |
| 71 | Monitor emergency calls | This function is intended to monitor external emergency calls. | IEC 62290-2 5.6.4.1 |
| 72 | React to passenger alarm device activation | This function is intended to react to the activation of an external onboard passenger alarm device. | IEC 62290-2 5.6.4.2 |
| 73 | React to emergency release of train doors | This function is intended to manage the actions following an emergency release request of the train doors. Such a request is triggered by activating an onboard device, if fitted. | IEC 62290-2 5.6.4.3 |
| 74 | Detect loss of train integrity | This function is intended to detect when a train of two or more cars has parted. | New for MODSafe |
| 75 | React to loss of train integrity | This function is intended to react to the loss of train integrity reported by the rolling stock. | IEC 62290-2 5.6.5 |
| 76 | Detect derailment | This function is intended to detect derailment by an external onboard derailment detection device. | New for MODSafe |
| 77 | Trigger emergency brake | This function is intended to initiate the application of the emergency brake, e.g. due to detected overspeed or passing a signal at danger. | New for MODSafe |


8 Allocation of safety integrity requirements

For the allocation of safety requirements to MODSafe safety functions the following procedure is applied, based on the method introduced in clause 5. For each safety function a table is used to analyse the risk of wrong side failures. The table below (see Table 5) represents the structure of the procedure, including advice on how the method can be applied.

For the actual application, the MODURBAN deliverable D86 is used as reference, since D86 dealt with the same topic, i.e. allocating safety requirements to a list of safety functions. As far as possible, the risk analysis for MODSafe safety functions is conducted in the same way as in D86. This applies mainly to MODSafe safety functions where the same (or a similar) function is already treated in D86. For MODSafe safety functions without a comparable D86 function an estimation of risk is performed as well. Additionally, reference documents such as VDV 161 [17] and VDV 331 [18] are used; these documents allocate safety requirements as well.

In general the application followed this approach:

• Risk parameters are chosen rather pessimistically, because it must be certain that the results are not too optimistic. One example is the number of passengers in stations or in trains: conservatively, it cannot be excluded that overcrowded situations occur during operation, although they will not arise in usual cases.

• Risk parameters and the corresponding results for the safety functions shall be generic, in order to be applicable to the majority of European urban guided transport systems as long as they are in line with the functionality of IEC 62290-2. (This, in turn, leads to rather conservative assumptions for the risk parameters.)

• In later phases of the system life cycle (cf. Figure 1) safety integrity levels are allocated to technical equipment. However, staff responsibility is considered as a measure for risk reduction where appropriate. Functions in the full responsibility of operational staff are not analysed.

• Each safety integrity requirement for a grade of automation represents a value for particular operational circumstances, procedures or possible technical implementations. Where required, these particularities are described for each safety function. Hence, each safety integrity level represents one scenario, which has to be revised for a specific application.


Table 5 – Application table – description of risk analysis parameters

| Nr. | Item | Description |
|---|---|---|
| 1 | Number of safety function | Unique reference of the MODSafe safety function, used in this deliverable |
| 2 | Name of safety function | Name of the MODSafe safety function |
| 3 | Description | Short description of the MODSafe safety function |
| 4 | Reference of functions | Reference of the document the MODSafe safety function was taken from; in most cases this is IEC 62290-2. “New for MODSafe” indicates that this safety function was created for MODSafe purposes. |
| 5 | Reference for risk analysis | A reference where an identical or similar risk analysis of the safety function can be found. |
| 6 | Possible wrong side failure | What can be assumed to be the failure which would act as the cause leading to the hazardous situation? |
| 7 | Hazardous situation | Conceivable consequence of the possible wrong side failure. |
| 8 | Possible hazard consequences – accidents | Accidents as consequences of a hazard are defined as an unintended event or series of events that results in death, injury or loss of system or service, or environmental damage [3]. |
| 9 | Exposure probability to hazard | Is there good reason to conservatively assume that subjects of the risk group (e.g. passengers) are exposed to the hazard clearly less than permanently (by orders of magnitude in probability)? [16] |
| 10 | Accident probability reduction | Is there good reason to conservatively assume that the evolvement of a certain hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of rate by orders of magnitude)? [16] |
| 11 | Consequence reduction probability | Is there good reason to conservatively assume that the members of the risk group (e.g. passengers, workers or neighbours) can clearly avoid being subject to the hazard (by orders of magnitude) or considerably reduce the potential damage (by severity class)? [16] |
| 12 | Severity of consequences due to failure of safety function | The decisive event for estimating the severity of consequences is the assumed accident. The severity of hazard consequences may be expressed as: Catastrophic; Critical; Marginal; Insignificant. |
| 13 | Initial THR per hour | According to the verbal expression of the severity of hazard consequences an initial tolerable hazard rate can be assumed: Catastrophic corresponds to a THR of 10^-9 /h; Critical to a THR of 10^-8 /h; Marginal to a THR of 10^-7 /h; Insignificant to a THR of 10^-6 /h. |
| 14 | Risk reduction factor E | According to the exposure probability, a numerical value of 1, 0,1 or 0,01. |
| 15 | Risk reduction factor P | According to the accident probability reduction, a numerical value of 1, 0,1 or 0,01. |
| 16 | Risk reduction factor C | According to the consequence reduction probability, a numerical value of 1, 0,1 or 0,01. |
| 17 | Final THR | The final THR shall be calculated by taking the initial THR (Nr. 13) and dividing it by the risk parameters E, P and C (Nr. 14, 15 and 16); see formula (1). |
| 18 | Final SIL | The safety integrity level shall be taken from Table 2: THR = 10^-9 /h - SIL 4; THR = 10^-8 /h - SIL 3; THR = 10^-7 /h - SIL 2; THR = 10^-6 /h - SIL 1. |


To illustrate the application of the method for allocating safety requirements to MODSafe safety functions, an example is given below. All detailed risk analyses can be found in the annex. All results are summarised in clause 9.

Table 6 – Example application: Determine actual train speed

| Item | Description |
|---|---|
| Number of safety function | 22 |
| Name of safety function | Determine actual train speed |
| Description | This function is intended to determine the actual train speed. |
| Reference of functions | IEC 62290-2 – 5.1.5.1 |
| Reference for risk analysis | MODURBAN D86 - 1.5 “Speed determination/calculation” |
| Possible wrong side failure | Undetected too low speed determination. Overspeed cannot be detected, because the processed value of velocity seems to be correct but is in fact wrong. |
| Hazardous situation | Train travels above the permitted speed determined by the train protection profile, or beyond the movement authority limit (determination of the distance travelled is part of the function). |
| Possible hazard consequences – accidents | Collision due to travelling beyond movement authority limits. Derailment due to overspeed. |
| Exposure probability to hazard | Passengers are permanently in the train |
| Accident probability reduction | No barrier can be assumed |
| Consequence reduction probability | Passengers cannot escape the consequences |
| Severity of consequences due to failure of safety function | Catastrophic |
| Initial THR per hour | 10^-9 |
| Risk reduction factor E | 1 |
| Risk reduction factor P | 1 |
| Risk reduction factor C | 1 |
| Final THR | 10^-9 |
| Final SIL | SIL 4 |
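The numerical part of the procedure (items 12 to 18 of Table 5) can be carried out mechanically: the final THR is the initial THR divided by the product E × P × C, and the SIL is then read from Table 2. The Python script below is an added worked example and is not part of this deliverable or of the MODSafe project. It reproduces the Table 6 result (Catastrophic, E = P = C = 1, hence 10^-9 /h and SIL 4) and also processes a few constructed allocations for the other severity classes. Two assumptions are made in the example: the factor values are written with a decimal point (0.1, 0.01) rather than the decimal comma of Table 5, and a final THR above 10^-6 /h, which lies outside the Table 2 range quoted in item 18, is recorded as SIL 0 in the sense of clause 9.1.

```python
"""Added worked example of the THR/SIL allocation of Table 5, items 12-18.

This is not code from the MODSafe deliverable; it encodes the procedure as
described there. Exact rational arithmetic is used so that dividing by
0.1 or 0.01 always lands on an exact power of ten.
"""
from fractions import Fraction
from typing import Dict, Iterable, NamedTuple, Tuple, Union

Number = Union[int, float, str, Fraction]

# Item 13: initial tolerable hazard rate (per hour) by severity class.
INITIAL_THR = {
    "catastrophic": Fraction(1, 10**9),
    "critical": Fraction(1, 10**8),
    "marginal": Fraction(1, 10**7),
    "insignificant": Fraction(1, 10**6),
}

# Items 14-16: the only values Table 5 permits for the factors E, P and C.
ALLOWED_FACTORS = (Fraction(1), Fraction(1, 10), Fraction(1, 100))

# Item 18: SIL from final THR, as quoted from Table 2 of the deliverable.
SIL_BY_THR = {
    Fraction(1, 10**9): 4,
    Fraction(1, 10**8): 3,
    Fraction(1, 10**7): 2,
    Fraction(1, 10**6): 1,
}


class Allocation(NamedTuple):
    severity: str
    initial_thr: Fraction  # per hour
    final_thr: Fraction    # per hour
    sil: int


def _as_fraction(value: Number) -> Fraction:
    """Exact conversion: floats go through str(), so 0.1 becomes 1/10 and
    not the binary approximation Fraction(0.1) would give."""
    if isinstance(value, float):
        return Fraction(str(value))
    return Fraction(value)


def allocate(severity: str, e: Number, p: Number, c: Number) -> Allocation:
    """Apply items 12-18 of Table 5 to one safety function.

    e, p and c are the risk reduction factors E (exposure probability),
    P (accident probability reduction) and C (consequence reduction).
    """
    key = severity.strip().lower()
    if key not in INITIAL_THR:
        raise ValueError(f"unknown severity class: {severity!r}")
    factors = tuple(_as_fraction(x) for x in (e, p, c))
    for name, f in zip("EPC", factors):
        if f not in ALLOWED_FACTORS:
            raise ValueError(f"factor {name} must be 1, 0.1 or 0.01, got {f}")

    initial = INITIAL_THR[key]
    # Item 17 (formula (1)): final THR = initial THR / (E * P * C).
    # Every factor below 1 relaxes the tolerable rate by a power of ten.
    final = initial / (factors[0] * factors[1] * factors[2])

    if final in SIL_BY_THR:
        sil = SIL_BY_THR[final]
    else:
        # Assumption of this example: a final THR above 10^-6 /h is outside
        # the Table 2 range quoted in item 18 and is recorded as SIL 0.
        sil = 0
    return Allocation(key, initial, final, sil)


def table_6_example() -> Allocation:
    """Table 6: function 22, catastrophic; passengers permanently exposed,
    no barrier, no escape, hence E = P = C = 1."""
    return allocate("Catastrophic", 1, 1, 1)


Row = Tuple[int, str, Number, Number, Number]


def allocate_many(rows: Iterable[Row]) -> Dict[int, int]:
    """Map (function number, severity, E, P, C) rows to {number: SIL}, the
    shape of one column of a results table such as Table 7."""
    return {nr: allocate(sev, e, p, c).sil for nr, sev, e, p, c in rows}


if __name__ == "__main__":
    # Constructed input for illustration; not taken from the deliverable's annex.
    constructed_rows = [
        (22, "catastrophic", 1, 1, 1),
        (34, "critical", 0.1, 1, 1),
        (68, "marginal", 1, 0.1, 0.1),
    ]
    for nr, sil in allocate_many(constructed_rows).items():
        print(f"function {nr}: SIL {sil}")
```

Because the factors can only be 1, 0,1 or 0,01, the final THR is always a power of ten and the Table 2 look-up is exact; the script therefore refuses any other factor value instead of silently rounding, which is the kind of input check a reviewer of a risk analysis table would expect.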


9 Overview of results

This clause summarises the results of the allocation of safety requirements to MODSafe safety functions.

9.1 Table of safety requirements for MODSafe safety functions

Safety integrity levels marked “see D4.3” are to be verified in MODSafe deliverable D4.3, depending on whether these functions act in a low demand or continuous mode of operation. For these functions it is not possible to allocate safety requirements by means of the method proposed here.

For safety requirements marked “---” no SIL can be applied, either because the function is assumed not to be a safety function or because it is excluded from the analysis.

Safety requirements of SIL 0: these functions are assumed to be safety relevant and have to be fulfilled according to the relevant standards.

All results are covered in the following table, which lists all MODSafe safety functions and the safety requirements associated with each grade of automation.

Table 7 – List of safety requirements for MODSafe safety functions

Columns GOA0 to GOA4 give the safety integrity level of each safety function for that grade of automation.

Nr. | Safety function | GOA0 | GOA1 | GOA2 | GOA3 | GOA4

Ensure safe movement of trains

(1) | Check route availability | --- | 4 | 4 | 4 | 4
(2) | Set route | 3 | 4 | 4 | 4 | 4
(3) | Supervise route | --- | 4 | 4 | 4 | 4
(4) | Supervise level crossing as secured | --- | 3 | 3 | --- | ---
(5) | Lock route | --- | 4 | 4 | 4 | 4
(6) | Release route | --- | 4 | 4 | 4 | 4
(7) | Initialise UGTMS reporting trains location | --- | 4 | 4 | 4 | 4
(8) | Determine train orientation | --- | 4 | 4 | 4 | 4
(9) | Determine actual train travel direction | --- | 4 | 4 | 4 | 4
(10) | Determine train location | --- | 4 (with wayside signals) / 4 | 4 | 4 | 4
(11) | Locate non reporting trains by track sections | --- | 4 | 4 | 4 | 4
(12) | Determine static speed profile | --- | 3 (with wayside signals) / 4 | 4 | 4 | 4
(13) | Determine temporary infrastructure speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(14) | Determine permanent rolling stock speed restrictions | --- | 4 | 4 | 4 | 4
(15) | Determine temporary rolling stock speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(16) | Determine movement authority limit | --- | 3 (with wayside signals) / 4 | 4 | 4 | 4
(17) | Determine train protection profile | --- | 3 (with wayside signals) / 4 | 4 | 4 | 4
(18) | Authorise train movement by wayside signals | 2 (single track operation) / 4 (mixed operation) | 4 (mixed operation) | 4 (mixed operation) | 4 (mixed operation) | 3 – 4 (indicate position of switches)
(19) | Determine a zone of protection | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(20) | Stopping a train en route | --- | Covered by: “Trigger emergency brake” (GOA1 to GOA4)
(21) | Authorise the entry of non-operative UGTMS trains into UGTMS territory | --- | 4 | 4 | 4 | 4
(22) | Determine actual train speed | --- | 3 (with wayside signals containing allowed speed) / 4 | 4 | 4 | 4
(23) | Supervise safe train speed | --- | 3 (with wayside signals) / 4 | 4 | 4 | 4
(24) | Inhibit train stops | --- | 3 | 3 | 3 | 3
(25) | Monitor speed limit at discrete location | --- | 3 | --- | --- | ---
(26) | Supervise train rollaway | --- | 4 | 4 | 4 | 4
(27) | Immobilisation of train | --- | Covered by: “Authorise station departure (safety related conditions)” (GOA1 to GOA4)
(28) | Detect unauthorised movement of non-operative trains | --- | Covered by: “Locate non reporting trains by track sections” (GOA1 to GOA4)
(29) | React to unauthorised movement of non-operative trains | --- | 4 | 4 | 4 | 4
(30) | Detect intruding unequipped train | --- | Covered by: “Locate non reporting trains by track sections” (GOA1 to GOA4)
(31) | Provide interface with external interlocking | --- | 4 | 4 | 4 | 4

Supervising guideway

(32) | Supervise wayside obstacle detection devices | --- | --- | --- | see D4.3 | see D4.3
(33) | Supervise onboard obstacle detection device | --- | --- | --- | see D4.3 | see D4.3
(34) | Warn passenger to stay away from the platform edge | --- | --- | --- | --- | ---
(35) | React on emergency stop request from platforms | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(36) | Supervise platform doors (medium number of passenger) | --- | 1 – 2 | 1 – 2 | 2 – 3 | 2 – 3
     | Supervise platform doors (overcrowded situation) | --- | 2 – 3 | 2 – 3 | 3 – 4 | 3 – 4
(37) | Supervise platform tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(38) | Supervise border between platform tracks and other tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(39) | Supervise platform end doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(40) | Protect staff on track | --- | 2 | 2 | 2 | 2

Supervise passenger transfer

(41) | Authorise train doors opening (medium number of passenger) | --- | 2 – 3 | 2 – 3 | 2 – 3 | 2 – 3
     | Authorise train doors opening (overcrowded situation) | --- | 3 – 4 | 3 – 4 | 3 – 4 | 3 – 4
(42) | Command doors opening | --- | --- | --- | --- | ---
(43) | Request doors closing | --- | --- | --- | --- | ---
(44) | Supervise doors closing | --- | Covered by: “Supervise closed and locked status of train doors”; Covered by: “Supervise platform doors” (GOA1 to GOA4)
(45) | Supervise closed and locked status of train doors (medium number of passenger) | --- | 2 | 2 | 2 | 2
     | Supervise closed and locked status of train doors (overcrowded situation) | | 3 | 3 | 3 | 3
(46) | Prevent person injuries between platform and train (operational staff supervision) | --- | 0 – 1 | 0 – 1 | 0 – 1 | 0 – 1
     | Prevent person injuries between platform and train (no staff responsibility) | --- | 1 – 2 | 1 – 2 | 1 – 2 | 1 – 2
(47) | Prevent person being trapped between platform screen doors and train | --- | 3 | 3 | 3 | 3
(48) | Prevent person injuries between car | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(49) | Authorise station departure (safety related conditions) | --- | Covered by: “Supervise closed and locked status of train doors” (GOA1 to GOA4)
(50) | Authorise station departure (operational conditions) | --- | --- | --- | --- | ---
(51) | Command station departure | --- | --- | --- | --- | ---

Operating a train

(52) | Awake trains | --- | --- | --- | --- | ---
(53) | Set train to sleep | --- | --- | --- | --- | ---
(54) | Manage driving modes | --- | --- | --- | --- | ---
(55) | Manage movement of trains between two operational stops | --- | --- | --- | --- | ---
(56) | Manage depot and stabling areas | --- | --- | --- | --- | ---
(57) | Manage UGTMS transition areas | --- | --- | --- | --- | ---
(58) | Restrict train entry to station | --- | --- | --- | --- | ---
(59) | Manage the platform or siding stopping position of the train | --- | --- | --- | --- | ---
(60) | Change the travel direction | --- | --- | --- | --- | ---
(61) | Couple trains automatically | --- | --- | --- | --- | ---
(62) | Split trains – untimely uncoupling protection | --- | --- | --- | --- | ---
(63) | Supervise UGTMS onboard equipment status prior to entering service | --- | 4 | 4 | 4 | 4
(64) | Supervise UGTMS onboard equipment status during operation | --- | 4 | 4 | 4 | 4
(65) | Test emergency brake performance | --- | 4 | 4 | 4 | 4
(66) | React to detected train equipment failure | --- | Covered by: “Trigger emergency brake” (GOA1 to GOA4)
(67) | Manage traction power supply on train | --- | --- | --- | --- | ---

Ensure detection and management of emergency situations

(68) | Detect fire and smoke | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(69) | React to detected fire/smoke | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(70) | React to detected or suspected broken rail | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(71) | Monitor emergency calls | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(72) | React to passenger alarm device activation | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(73) | React to emergency release of train doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(74) | Detect loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(75) | React to loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(76) | Detect derailment | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(77) | Trigger emergency brake | --- | 3 | 3 | 4 | 4

Where a GOA1 cell lists two values separated by “/”, the first applies with wayside signals and the second without wayside signals (cf. Table 18 and Table 19 in the annex).

9.2 Conclusion

With respect to the method described in clause 5, it can be stated that it is possible to apply the method consistently.

Where the functional descriptions of MODURBAN deliverable D86 and the MODSafe safety functions are similar, the safety requirements are transferred to this deliverable. For all other functions a risk and safety consideration is performed.

Safety requirements are not allocated to safety functions that are assumed not to work in continuous mode of operation, because the method for SIL allocation does not fully reflect all aspects that should be considered for that mode of operation.

For some MODSafe safety functions no safety requirements are estimated, because these safety functions are either assumed to be no safety function, are covered by other safety functions, or are excluded.

Finally, the results in the table of safety requirements for MODSafe safety functions can be considered a recommendation for appropriate urban guided rail systems.

Regarding the possibility that several levels could be allocated to a given function in the final SIL allocation (depending on the context of application of this function), it shall be noted that the following points are not considered in this deliverable:

• will suppliers produce a portfolio of products covering the same function with different SILs?

• will an operator on a given line use different equipment (according to the SIL) to implement the same function, for example according to the number of passengers in stations?


10 Annex – Allocation of safety requirements to MODSafe safety functions

This annex provides the detailed risk and safety considerations made for the MODSafe safety functions. In principle, the goal is to provide a single application table for each safety function and each grade of automation. However, where appropriate, application tables are combined for the relevant grades of automation.

Functions which do not act in a clearly continuous mode of operation are not analysed in this deliverable. It has been agreed that further analyses will be developed in MODSafe D4.3, which may lead to a revision of MODSafe D4.2 at the end of the project.

10.1 Ensure safe movement of trains

10.1.1 Ensure safe route

According to “Table 4 – Grades of automation according to IEC 62290-1”, safety functions to “ensure safe route” are realised by the technical system for grades of automation 1 to 4 and partly for GOA0.


10.1.1.1 Check route availability

Table 8 – RA Check route availability for GOA1 to GOA4

Item | Description
Number of safety function | 1
Name of safety function | Check route availability
Description | For the route to be set, the availability of all determined route elements shall be checked. Availability shall be given if a route element is not used for another route or blocked against route setting.
Reference of functions | IEC 62290-2 – 5.1.1.1.1-3/4
Reference for risk analysis | None
Possible wrong side failure | Route is deemed to be not used for another route or not blocked against route setting, but in fact it is conflicting with another route or is blocked against route setting.
Associated hazard | Conflicting use of a route; route leads into area not blocked or inhibited for use (e.g. not blocked for maintenance)
Possible hazard consequences – accidents | Collision with other train; derailment in area not blocked or inhibited for use; collision with maintenance staff or maintenance vehicles
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.1.2 Set route

Table 9 – RA Set route for GOA0

Item | Description
Number of safety function | 2
Name of safety function | Set route
Description | This function is intended to set a route by command provided by operation control HMI or by the function set routes automatically. Check permission for movement of route elements GOA0 (valid for single point control application only)
Reference of functions | None
Reference for risk analysis | None
Possible wrong side failure | Status of movable route element is lost
Hazardous situation | Train movement over unsecured route elements
Possible hazard consequences – accidents | Derailment
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | Operational procedures for on-sight train operation are considered. It is assumed that train driver recognises train on switch and does not give any command to move movable route element.
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 0,1, C = 1
Final THR | 10^-8
Final SIL | SIL 3


Table 10 – RA Set route for GOA1 to GOA4

Item | Description
Number of safety function | 2
Name of safety function | Set route
Description | This function is intended to set a route by command provided by operation control HMI or by the function set routes automatically.
Reference of functions | IEC 62290-2 – 5.1.1.1.1
Reference for risk analysis | None
Possible wrong side failure | Movable route element deems not occupied by a train, not locked or not blocked against movement
Hazardous situation | Movable route element moves even if safety conditions for movement are not met
Possible hazard consequences – accidents | Derailment
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.1.3 Supervise route

Table 11 – RA Supervise route for GOA1 to GOA4

Item | Description
Number of safety function | 3
Name of safety function | Supervise route
Description | This function is intended to supervise that all conditions for the route are still in place. UGTMS shall supervise that determined route elements are confirmed and locked in the required position.
Reference of functions | IEC 62290-2 – 5.1.1.1.2
Reference for risk analysis | None
Possible wrong side failure | Route elements have no safe status, but route seems to be supervised in safe condition
Hazardous situation | Train movement into unsecured route
Possible hazard consequences – accidents | Derailment due to overspeed or moving switch while train passing; collision with oncoming train or flank movement
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.1.4 Supervise level crossing as secured

Table 12 – RA Supervise level crossing as secured for GOA1 and GOA2

Item | Description
Number of safety function | 4
Name of safety function | Supervise level crossing as secured
Description | This function is intended to supervise that a level crossing is secured and locked in order to forbid its conflicting use by general road and pedestrian traffic.
Reference of functions | New for MODSAFE
Reference for risk analysis | VDV 331 - 3.2.9
Possible wrong side failure | Level crossing is wrongly reported as secured as precondition for movement authority
Hazardous situation | Conflicting use by road and pedestrian traffic while train is in approach and passing
Possible hazard consequences – accidents | Collision with vehicles on level crossing
Exposure probability to hazard | Passengers are permanently in trains (possibly dependent on frequency of road and pedestrian traffic)
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Observation of guideway by train driver
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 0,1
Final THR | 10^-8
Final SIL | SIL 3
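The allocation rule behind Tables 8, 9 and 12 above, as an added worked example in Python (not code from the MODSafe project). It assumes that the final THR equals the initial THR divided by the product of E, P and C, which is what the tables show (10^-9 with P = 0,1 or C = 0,1 gives 10^-8), and that THR bands map to SIL as in EN 50129; RiskAnalysis, sil_from_thr and allocation_report are the example's own names.

```python
"""SIL allocation in the style of the MODSafe D4.2 risk analysis tables.

Added example, not MODSafe project code. Assumptions (inferred from the
tables, not stated on the page as a formula): final THR = initial THR divided
by E * P * C, each factor being 1 when no barrier is credited and 0.1 when
one barrier is credited; THR-to-SIL bands follow EN 50129.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# EN 50129 THR bands per hour: (inclusive lower bound, exclusive upper bound, SIL).
SIL_BANDS = (
    (Decimal("1e-9"), Decimal("1e-8"), 4),
    (Decimal("1e-8"), Decimal("1e-7"), 3),
    (Decimal("1e-7"), Decimal("1e-6"), 2),
    (Decimal("1e-6"), Decimal("1e-5"), 1),
)


def sil_from_thr(thr: Decimal | str) -> int:
    """Map a tolerable hazard rate per hour to a SIL.

    A THR below 1e-9 still yields SIL 4 (there is no higher level); a THR of
    1e-5 or more yields 0, the page's "SIL 0" for functions that are safety
    relevant but carry no SIL 1 to SIL 4 requirement.
    """
    thr = Decimal(thr)
    if thr <= 0:
        raise ValueError("THR must be positive")
    if thr < SIL_BANDS[0][0]:
        return 4
    for low, high, sil in SIL_BANDS:
        if low <= thr < high:
            return sil
    return 0


@dataclass(frozen=True)
class RiskAnalysis:
    """One RA table: a safety function, its grade(s) of automation and the
    risk reduction factors credited in the analysis."""
    function: str
    goa: str
    initial_thr: Decimal = Decimal("1e-9")  # the page's value for catastrophic severity
    e: Decimal = Decimal(1)  # exposure probability to hazard
    p: Decimal = Decimal(1)  # accident probability reduction
    c: Decimal = Decimal(1)  # consequence reduction probability

    def __post_init__(self) -> None:
        for name, factor in (("E", self.e), ("P", self.p), ("C", self.c)):
            # A factor of 1 credits no barrier; 0.1 credits one decade of
            # reduction. Values above 1 would tighten the THR, which the
            # method never does, so they are rejected.
            if not Decimal(0) < factor <= Decimal(1):
                raise ValueError(f"factor {name} must be in (0, 1]: {factor}")

    def final_thr(self) -> Decimal:
        # Decimal arithmetic keeps 1e-9 / 0.1 exactly 1e-8; with binary floats
        # the quotient lands just below 1e-8 and would be misread as SIL 4.
        return self.initial_thr / (self.e * self.p * self.c)

    def final_sil(self) -> int:
        return sil_from_thr(self.final_thr())


# The three allocations from Table 8, Table 9 and Table 12 of the page.
TABLE_8 = RiskAnalysis("Check route availability", "GOA1 to GOA4")
TABLE_9 = RiskAnalysis("Set route", "GOA0", p=Decimal("0.1"))
TABLE_12 = RiskAnalysis("Supervise level crossing as secured", "GOA1 and GOA2",
                        c=Decimal("0.1"))


def allocation_report(analyses: list[RiskAnalysis]) -> list[tuple[str, str, Decimal, int]]:
    """Return (function, GOA, final THR, SIL) for each analysis, in input order."""
    return [(ra.function, ra.goa, ra.final_thr(), ra.final_sil()) for ra in analyses]


if __name__ == "__main__":
    for function, goa, thr, sil in allocation_report([TABLE_8, TABLE_9, TABLE_12]):
        print(f"{function} ({goa}): final THR {thr} per hour -> SIL {sil}")
```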


10.1.1.5 Lock route

Table 13 – RA Lock route for GOA1 to GOA4

Item | Description
Number of safety function | 5
Name of safety function | Lock route
Description | This function is intended to lock the route against route release by operator command if a train is approaching and the movement authority allows entry into route, or a train is within the route.
Reference of functions | IEC 62290-2 – 5.1.1.1.3
Reference for risk analysis | None
Possible wrong side failure | Route locking on approach is missing, unintended route release or route release by operators request is possible
Hazardous situation | Train movement into unsecured route
Possible hazard consequences – accidents | Derailment due to overspeed or moving switch while train passing; collision with oncoming train or flank movement
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.1.6 Release route

Table 14 – RA Release route for GOA1 to GOA4

Item | Description
Number of safety function | 6
Name of safety function | Release route
Description | This function is intended to release a route and its elements.
Reference of functions | IEC 62290-2 – 5.1.1.2
Reference for risk analysis | None
Possible wrong side failure | Unintended route release even though route shall be locked; release of route elements before train left relevant route elements
Hazardous situation | Train movement into unsecured route
Possible hazard consequences – accidents | Derailment due to overspeed or moving switch while train passing; collision with oncoming train or flank movement
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.2 Ensure safe separation of trains

According to “Table 4 – Grades of automation according to IEC 62290-1”, safety functions to “ensure safe separation of trains” are realised by the technical system for grades of automation 1 to 4. Localisation or detection of trains, as a basic condition for safe train separation, can be done:

• by reporting trains

• by wayside equipment (e.g. axle counters, track circuits).

The specific safety functions mentioned above are regarded as the primary localisation/detection device. (If wayside equipment is used as a secondary device for fall-back operation, the risk allocation might be subject to change, since fall-back operation can be seen as a rare event.)

10.1.2.1 Initialise UGTMS reporting trains location

Assumed scenario: The UGTMS train location determination function is self-initialising, without requiring the manual input of train location or train length data. Wayside equipment shall provide an absolute position reference to the onboard equipment (cf. IEC 62290-2 – 5.1.2.1-4).

This function is relevant only for systems providing their location by reporting trains.


Table 15 – RA Initialise UGTMS reporting trains location for GOA1 to GOA4

Item | Description
Number of safety function | 7
Name of safety function | Initialise UGTMS reporting trains location
Description | This function is intended to initialise the location of reporting trains which are: stationary in stabling locations, entering UGTMS territory, recovering from localisation failures.
Reference of functions | IEC 62290-2 – 5.1.2.1
Reference for risk analysis | VDV 331 - 3.9.1
Possible wrong side failure | Train initialises train location wrongly
Hazardous situation | Train is at other location than actually reported. 1st - train with failure determines wrong danger point for safe separation with following train; 2nd - train with failure determines a wrong position relative to train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences – accidents | Collision due to insufficient train separation; derailment due to unsupervised movement
Exposure probability to hazard | Passengers are on board of train permanently (considering wrong side failures while train enters UGTMS territory or during recovery from localisation failures). If wrong side failure occurs at stabling areas, passengers are not necessarily onboard of train. However, wrongly localised trains may jeopardise regularly operating trains (e.g. flank collision). No risk reduction can be assumed.
Accident probability reduction | No barrier can be assumed (even for staff onboard of train it may be too late to react to e.g. excessive speed or train movement over unlocked switches)
Consequence reduction probability | Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.2.2 Determine train orientation

This function is relevant only for systems providing their location by reporting trains.

Table 16 – RA Determine train orientation for GOA1 to GOA4

Item | Description
Number of safety function | 8
Name of safety function | Determine train orientation
Description | This function is intended to determine the physical orientation of the train relative to the defined orientation of the track.
Reference of functions | IEC 62290-2 – 5.1.2.2.1
Reference for risk analysis | None
Possible wrong side failure | Wrong determination of train orientation – remains unnoticed wrong (e.g. positive instead of negative train orientation is processed)
Hazardous situation | 1st - Train doors open on wrong side for passenger exchange; 2nd - Wrong determination of rear and front end of train – trains may get too close to one another
Possible hazard consequences – accidents | Even in low headway operation, wrong determination of front and rear end of the train may lead to collision
Exposure probability to hazard | Passengers are permanently on train
Accident probability reduction | No barrier can be assumed (it can conservatively not be assumed that operational staff may recognise wrong train orientation)
Consequence reduction probability | Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.2.3 Determine actual train travel direction

This function is relevant only for systems providing their location by reporting trains.

Table 17 – RA Determine actual train travel direction for GOA1 to GOA4

Item | Description
Number of safety function | 9
Name of safety function | Determine actual train travel direction
Description | This function determines the travel direction of trains.
Reference of functions | IEC 62290-2 – 5.1.2.2.2
Reference for risk analysis | MODURBAN D86 – 1.7 “Travel direction measurement”
Possible wrong side failure | Train travels undetected in wrong travel direction
Hazardous situation | Trains may get too close; trains may drive over unlocked switches at inadequate speed
Possible hazard consequences – accidents | Collision; derailment
Exposure probability to hazard | Passengers are permanently in trains
Accident probability reduction | In case of undetected wrong travel direction, no further barrier can conservatively be assumed to reduce consequences. Routine checks like unexpected position reports may come too late.
Consequence reduction probability | Passenger cannot escape consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.2.4 Determine train location

This function is relevant for systems with reporting trains.

Table 18 – RA Determine train location for GOA1 (with wayside signals)

Item | Description
Number of safety function | 10
Name of safety function | Determine train location
Description | This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length.
Reference of functions | IEC 62290-2 – 5.1.2.2.3
Reference for risk analysis | (MODURBAN D86 – 1.3/1.4) VDV 331 - 3.9.8
Possible wrong side failure | Train determines train location wrongly or is undetected
Hazardous situation | Train with failure determines a wrong position relative to train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences – accidents | Collision due to insufficient train separation; derailment due to unsupervised movement
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


Table 19 – RA Determine train location for GOA1 to GOA4 (without wayside signals)

Item | Description
Number of safety function | 10
Name of safety function | Determine train location
Description | This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length.
Reference of functions | IEC 62290-2 – 5.1.2.2.3
Reference for risk analysis | (MODURBAN D86 – 1.3/1.4) VDV 331 - 3.9.8
Possible wrong side failure | Train determines train location wrongly or is undetected
Hazardous situation | Train with failure determines a wrong position relative to train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences – accidents | Collision due to insufficient train separation; derailment due to unsupervised movement
Exposure probability to hazard | Passengers are permanently onboard of trains
Accident probability reduction | No barrier can be assumed
Consequence reduction probability | Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function | Catastrophic
Initial THR per hour | 10^-9
Risk reduction factors | E = 1, P = 1, C = 1
Final THR | 10^-9
Final SIL | SIL 4


10.1.2.5 Locate non reporting trains by track sections

This function is relevant in all grades of automation if track sections are used as the primary train detection device.

Table 20 – RA Locate non reporting trains by track sections for GOA1 to GOA4

Number of safety function: 11
Name of safety function: Locate non reporting trains by track sections
Description: This function is intended to determine the location of non-reporting trains using external devices.
Reference of functions: IEC 62290-2 – 5.1.2.3
Reference for risk analysis: MODURBAN D86 – 3.1 “Unequipped train presence detection”; VDV 331 – 3.1.1
Possible wrong side failure: Occupied status of a track section based on external devices (e.g. track circuits, axle counters) fails
Hazardous situation: 1st - no danger point is determined based on the presence of the train; 2nd - a movable route element is occupied by a train
Possible hazard consequences – accidents: Collision due to insufficient train separation; Derailment due to movement of movable route elements (in case of movements without locked routes)
Exposure probability to hazard: Passengers are permanently on board equipped trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape hazard consequences (it can conservatively not be assumed that the train driver notices the wrong occupancy status of a track section; hence an emergency brake application triggered once the danger point is recognised as too close would come too late)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.3 Determine permitted speed

10.1.3.1 Determine static speed profile

This function is relevant for systems providing a train protection profile.

Table 21 – RA Determine static speed profile for GOA1 (with wayside signals)

Number of safety function: 12
Name of safety function: Determine static speed profile
Description: This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality and infrastructure constraints (tunnels, bridges, platforms, etc.)
Reference of functions: IEC 62290-2 – 5.1.3.1.1
Reference for risk analysis: None
Possible wrong side failure: Too high a speed allowed on the relevant track section; Unprocessed infrastructure change; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits, as a basic condition for the train protection profile, may lead to excessive speed
Possible hazard consequences – accidents: Collision, because overspeed may lead to travelling beyond the movement authority limit; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: The train driver is responsible for observing the wayside signals, which contain the allowed speed, and the relevant signal aspects while driving the train.
Consequence reduction probability: Passengers cannot escape consequences (it can conservatively not be assumed that operational staff on board the train is able to notice overspeed early enough and trigger the emergency brake to reduce the severity of consequences significantly)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8


Final SIL: SIL 3
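The THR and SIL rows of these tables follow one fixed calculation: the severity class fixes the initial THR (catastrophic 10^-9 per hour, critical 10^-8 per hour), the final THR is the initial THR divided by the product of the risk reduction factors E, P and C, and the final SIL is read from the THR band into which the result falls. The following Python model is an added example and not code from the MODSafe deliverable; it reproduces that calculation for the tables of this section so that a stated SIL can be re-checked mechanically. The THR-to-SIL bands (SIL 4 for 10^-9 ≤ THR < 10^-8, then one decade per SIL down to SIL 1) are taken from EN 50129, which this page does not reprint; the row values are copied from Tables 19 and 21 above and from Tables 28 and 29 below.

```python
"""Risk-graph arithmetic behind the MODSafe risk analysis tables.

Added illustration (not code from the MODSafe deliverable): reproduces the
"Initial THR / risk reduction factors / Final THR / Final SIL" rows so that
a table can be re-checked mechanically.  Exact rationals are used so that a
THR sitting exactly on a band boundary (e.g. 1E-8, which is SIL 3, not
SIL 4) is classified without floating-point rounding.
"""
from dataclasses import dataclass
from fractions import Fraction

# Initial THR per hour by severity class, as used in this section's tables.
# Only the two classes that occur in these tables are modelled.
INITIAL_THR = {
    "catastrophic": Fraction(1, 10**9),
    "critical": Fraction(1, 10**8),
}

# THR bands per SIL as [lower, upper), from EN 50129 (assumption: the
# deliverable does not reprint the band table).  SIL 4: 1E-9 <= THR < 1E-8.
SIL_BANDS = (
    (4, Fraction(1, 10**9), Fraction(1, 10**8)),
    (3, Fraction(1, 10**8), Fraction(1, 10**7)),
    (2, Fraction(1, 10**7), Fraction(1, 10**6)),
    (1, Fraction(1, 10**6), Fraction(1, 10**5)),
)


def sil_from_thr(thr: Fraction) -> int:
    """Map a tolerable hazard rate (per hour) to its SIL band."""
    for sil, lower, upper in SIL_BANDS:
        if lower <= thr < upper:
            return sil
    raise ValueError(f"THR {thr} is outside the SIL 1..4 bands")


@dataclass(frozen=True)
class RiskRow:
    """One risk analysis table: severity class plus the reduction factors.

    E: exposure, P: accident probability reduction, C: consequence
    reduction.  A factor of 1 means "no barrier can be assumed"; 0.1 means
    the barrier is credited with one decade.
    """
    name: str
    severity: str
    e: Fraction = Fraction(1)
    p: Fraction = Fraction(1)
    c: Fraction = Fraction(1)

    def initial_thr(self) -> Fraction:
        return INITIAL_THR[self.severity]

    def final_thr(self) -> Fraction:
        # Crediting a barrier with factor 0.1 relaxes the rate the safety
        # function itself must achieve by one decade (1E-9 -> 1E-8).
        return self.initial_thr() / (self.e * self.p * self.c)

    def final_sil(self) -> int:
        return sil_from_thr(self.final_thr())


def sil_for(severity, e="1", p="1", c="1") -> int:
    """Convenience wrapper.  Pass factors as decimal strings ("0.1") or
    Fractions, never as floats: Fraction(0.1) is slightly more than 1/10 and
    would push a 1E-8 result just below the SIL 3 band edge."""
    return RiskRow("ad hoc", severity, Fraction(e), Fraction(p), Fraction(c)).final_sil()


ONE_DECADE = Fraction(1, 10)

# Rows copied from the tables of this section (values as printed there),
# followed by the SIL each table states, in the same order.
TABLES = [
    RiskRow("Table 19 Determine train location, GOA1-4 without signals", "catastrophic"),
    RiskRow("Table 21 Determine static speed profile, GOA1 with signals", "catastrophic", p=ONE_DECADE),
    RiskRow("Table 28 Authorise movement by wayside signals, GOA0", "critical", p=ONE_DECADE),
    RiskRow("Table 29 Indicate position of switches (critical case)", "critical"),
    RiskRow("Table 29 Indicate position of switches (catastrophic case)", "catastrophic"),
]
STATED_SIL = [4, 3, 2, 3, 4]


def check_tables(rows=TABLES, stated=STATED_SIL) -> dict:
    """Recompute every row; return {name: (final THR, SIL, matches stated)}."""
    result = {}
    for row, expected in zip(rows, stated):
        sil = row.final_sil()
        result[row.name] = (row.final_thr(), sil, sil == expected)
    return result


if __name__ == "__main__":
    for name, (thr, sil, ok) in check_tables().items():
        print(f"{name}: final THR {float(thr):.0e}/h -> SIL {sil} "
              f"({'matches' if ok else 'DIFFERS FROM'} stated value)")
```

E is 1 in every table of this section because passengers are permanently on board, and C is 1 because they cannot escape the consequences, so the only factor that changes a result here is P: each decade credited to the train driver under wayside signals moves the function down one SIL, and with E = P = C = 1 the function carries the full initial THR of its severity class.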

Table 22 – RA Determine static speed profile for GOA1 to GOA4 (without wayside signals)

Number of safety function: 12
Name of safety function: Determine static speed profile
Description: This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality and infrastructure constraints (tunnels, bridges, platforms, etc.)
Reference of functions: IEC 62290-2 – 5.1.3.1.1
Reference for risk analysis: None
Possible wrong side failure: Too high a speed allowed on the relevant track section; Unprocessed infrastructure change; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits, as a basic condition for the train protection profile, may lead to excessive speed
Possible hazard consequences – accidents: Collision, because overspeed may lead to travelling beyond the movement authority limit; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.3.2 Determine temporary infrastructure speed restrictions

This safety function does not act in a clearly continuous mode of operation; it is therefore analysed in more detail in D4.3.


10.1.3.3 Determine permanent rolling stock speed restrictions

This function is relevant for systems providing train protection profiles; in other cases the function may be realised by the rolling stock.

Table 23 – RA Determine permanent rolling stock speed restrictions for GOA1 to GOA4

Number of safety function: 14
Name of safety function: Determine permanent rolling stock speed restrictions
Description: This function is intended to determine the maximum permitted speed for each type of rolling stock.
Reference of functions: IEC 62290-2 – 5.1.3.1.3
Reference for risk analysis: None
Possible wrong side failure: Too high a speed allowed for a class or configuration of trains (systematic failure); Unprocessed change of train configuration; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits / train protection profile may lead to excessive speed (undetected overspeed)
Possible hazard consequences – accidents: Collision; Derailment
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier assumed
Consequence reduction probability: Passengers cannot escape consequences (it can conservatively not be assumed that operational staff, if present, is able to notice overspeed early enough to trigger the emergency brake and reduce the severity of consequences significantly)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.3.4 Determine temporary rolling stock speed restrictions

This function is assumed to work only in rare degraded modes of operation and is the subject of MODSafe deliverable D4.3.

10.1.4 Authorise train movement

10.1.4.1 Determine movement authority limit

This function is relevant for systems providing train protection profiles.


Table 24 – RA Determine movement authority limit for GOA1 (with wayside signals)

Number of safety function: 16
Name of safety function: Determine movement authority limit
Description: To ensure safe train movement, this function determines for each train its limit of movement authority, corresponding to the first danger point ahead of the train.
Reference of functions: IEC 62290-2 – 5.1.4.1
Reference for risk analysis: MODURBAN D86 – 4.3 “Determine and communicate train movement authority”
Possible wrong side failure: Wrong determination of the movement authority limit, as a basic condition for the train protection profile (the limit lies unnoticed beyond the danger point)
Hazardous situation: Movements beyond movement authority limits (e.g. end of route, rear end of a train, end of track, zone of protection, etc.)
Possible hazard consequences – accidents: Collision with another train or with infrastructure; Derailment due to entering an unsecured route
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: The train driver is responsible for observing the wayside signals and the relevant signal aspects while driving the train.
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3


Table 25 – RA Determine movement authority limit for GOA1 to GOA4 (without wayside signals)

Number of safety function: 16
Name of safety function: Determine movement authority limit
Description: To ensure safe train movement, this function determines for each train its limit of movement authority, corresponding to the first danger point ahead of the train.
Reference of functions: IEC 62290-2 – 5.1.4.1
Reference for risk analysis: MODURBAN D86 – 4.3 “Determine and communicate train movement authority” (VDV 331 – 3.9.5)
Possible wrong side failure: Wrong determination of the movement authority limit, as a basic condition for the train protection profile (the limit lies unnoticed beyond the danger point)
Hazardous situation: Movements beyond movement authority limits (e.g. end of route, rear end of a train, end of track, zone of protection, etc.)
Possible hazard consequences – accidents: Collision with another train or with infrastructure; Derailment due to entering an unsecured route
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.4.2 Determine train protection profile

This function is relevant for systems providing a train protection profile.


Table 26 – RA Determine train protection profile for GOA1 (with wayside signals)

Number of safety function: 17
Name of safety function: Determine train protection profile
Description: This function determines the train protection profile for all trains to ensure that their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point and shall be determined by the applicable safe braking model.
Reference of functions: IEC 62290-2 – 5.1.4.2
Reference for risk analysis: (MODURBAN D86 – 4.8 “Safe speed limits”) VDV 331 – 3.9.10
Possible wrong side failure: Wrong determination of the train protection profile, taking into account the safe braking model: 1st - wrong safety distance to target points; 2nd - wrong consideration of the allowed speed within the area covered by the movement authority, taking into account all static and temporary wayside or rolling stock conditions
Hazardous situation: Wrong determination of the permitted speed causes overspeed and too short braking distances relative to existing danger points
Possible hazard consequences – accidents: Collision due to insufficient braking distance; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: The train driver is responsible for observing the wayside signals and the relevant signal aspects while driving the train (the location of the signals represents the relevant movement authority limits)
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 27 – RA Determine train protection profile for GOA1 to GOA4 (without wayside signals)


Number of safety function: 17
Name of safety function: Determine train protection profile
Description: This function determines the train protection profile for all trains to ensure that their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point and shall be determined by the applicable safe braking model.
Reference of functions: IEC 62290-2 – 5.1.4.2
Reference for risk analysis: (MODURBAN D86 – 4.8 “Safe speed limits”) VDV 331 – 3.9.10
Possible wrong side failure: Wrong determination of the train protection profile, taking into account the safe braking model: 1st - wrong safety distance to target points; 2nd - wrong consideration of the allowed speed within the area covered by the movement authority, taking into account all static and temporary wayside or rolling stock conditions
Hazardous situation: Wrong determination of the permitted speed causes overspeed and too short braking distances relative to existing danger points
Possible hazard consequences – accidents: Collision due to insufficient braking distance; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.4.3 Authorise train movement by wayside signals

This function is relevant for systems providing movement instructions by wayside signals:

• in GOA0, to allow train movement in accordance with the rules for train operation on sight

• in GOA1, as the primary movement authority.


Table 28 – RA Authorise train movement by wayside signals for GOA0 (single track operation)

Number of safety function: 18
Name of safety function: Authorise train movement by wayside signals
Description: This function is intended to authorise train movement by wayside signals under the rules for train operation on sight, if the single track section is not reserved for or occupied by an approaching train.
Reference of functions: None
Reference for risk analysis: VDV 331 – 2.3
Possible wrong side failure: Signal displays a movement authority inadvertently
Hazardous situation: Train movement is allowed while the necessary conditions are not met; in single track operation two trains would enter one track section in conflicting travel directions
Possible hazard consequences – accidents: Collision with another train (due to on-sight train operation the severity of consequences is assumed to be “critical”)
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: It is assumed that in on-sight train operation the train driver notices the hazardous situation and reduces the accident probability.
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Critical
Initial THR per hour: 10^-8
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-7
Final SIL: SIL 2


Table 29 – RA Indicate position of switches for GOA0 (signal for switch control)

Number of safety function: 18-2
Name of safety function: Indicate position of switches
Description: This function is intended to indicate the position of switches if required.
Reference of functions: None
Reference for risk analysis: VDV 331 – 2.1.2
Possible wrong side failure: Signal displays a wrong switch position
Hazardous situation: Train movement is allowed while the necessary conditions are not met, i.e. a position is displayed while the switch is not in its final position, or the wrong position is indicated.
Possible hazard consequences – accidents: Collision with another train or with road and pedestrian traffic; Derailment
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: According to the prevailing operation or local circumstances the severity of consequences can be assumed to be “critical” or “catastrophic”; the remaining rows give the values for the critical case / the catastrophic case.
Initial THR per hour: 10^-8 / 10^-9
Risk reduction factors: E = 1 / 1; P = 1 / 1; C = 1 / 1
Final THR: 10^-8 / 10^-9
Final SIL: SIL 3 / SIL 4


Table 30 – RA Authorise train movement by wayside signals for GOA1 (for GOA2 to GOA4 also for mixed operation)

Number of safety function: 18
Name of safety function: Authorise train movement by wayside signals
Description: This function is intended to authorise train movement by wayside signals for non-UGTMS-operated trains if the conditions of safe route and safe separation are fulfilled. Wayside signals are used to allow mixed traffic or, as one possibility, for degraded operation.
Reference of functions: IEC 62290-2 – 5.1.4.3
Reference for risk analysis: MODURBAN D86 – 4.5.2 “Train movement authority by wayside signals (GOA1a/b)”; VDV 331 – 3.3.1
Possible wrong side failure: 1st - signal displays a movement authority inadvertently; 2nd - signal displays wrong speed information inadvertently
Hazardous situation: Train movement is allowed while the necessary conditions (safe route, safe separation) are not met (SPAD)
Possible hazard consequences – accidents: Collision with another train; Derailment due to entering an unsecured route
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.4.4 Determine a zone of protection

This safety function does not act in a clearly continuous mode of operation; it is therefore analysed in more detail in D4.3.


10.1.4.5 Stopping a train en route

It is assumed that this function is covered by the safety function “Trigger emergency brake”.

10.1.4.6 Authorise the entry of non-operative UGTMS trains into UGTMS territory

Table 31 – RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA4

Number of safety function: 21
Name of safety function: Authorise the entry of non-operative UGTMS trains into UGTMS territory
Description: This function is intended to authorise the entry of non-operative UGTMS trains into the UGTMS territory.
Reference of functions: IEC 62290-2 – 5.1.4.6
Reference for risk analysis: None
Possible wrong side failure: Unauthorised train movement into UGTMS territory, e.g. from a workshop or depot
Hazardous situation: Train cars get too close; Train movement over unsecured track elements
Possible hazard consequences – accidents: Collision with another train; Derailment due to entering an unsecured route
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences (conservatively it cannot be assumed that operational staff recognises the hazardous situation early enough to trigger a safety reaction)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.5 Supervise train movement

10.1.5.1 Determine actual train speed

This function is relevant for systems providing continuous speed supervision by train protection profile.

Table 32 – RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed)

Number of safety function: 22
Name of safety function: Determine actual train speed
Description: This function is intended to determine the actual train speed.
Reference of functions: IEC 62290-2 – 5.1.5.1
Reference for risk analysis: MODURBAN D86 – 1.5 “Speed determination/calculation”
Possible wrong side failure: Speed is determined as too low
Hazardous situation: The train might be accelerated by the train driver above the permitted speed determined by the train protection profile, or beyond movement authority limits (determination of the distance travelled is part of the function).
Possible hazard consequences – accidents: Collision due to travelling beyond movement authority limits; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently in the train
Accident probability reduction: The train driver is responsible for driving the train in the first place, e.g. for stopping the train at signals showing stop and for staying within the speeds indicated by wayside signalisation.
Consequence reduction probability: Passengers cannot escape hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3


Table 33 – RA Determine actual train speed for GOA1 to GOA4 (without wayside signals)

Number of safety function: 22
Name of safety function: Determine actual train speed
Description: This function is intended to determine the actual train speed.
Reference of functions: IEC 62290-2 – 5.1.5.1
Reference for risk analysis: MODURBAN D86 – 1.5 “Speed determination/calculation”
Possible wrong side failure: Undetected too-low speed determination; overspeed cannot be detected because the processed velocity value appears to be correct but is in fact wrong
Hazardous situation: The train travels above the permitted speed determined by the train protection profile, or beyond movement authority limits (determination of the distance travelled is part of the function)
Possible hazard consequences – accidents: Collision due to travelling beyond movement authority limits; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently in the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.5.2 Supervise safe train speed

This function is relevant for systems providing continuous speed supervision by train protection profile.

Table 34 – RA Supervise safe train speed for GOA1 (with wayside signals)

Number of safety function: 23
Name of safety function: Supervise safe train speed
Description: This function is intended to supervise the actual speed of UGTMS-equipped trains against the permitted speed with respect to the train protection profile.
Reference of functions: IEC 62290-2 – 5.1.5.2
Reference for risk analysis: MODURBAN D86 – 1.6 “Overspeed detection”; VDV 331 – 3.9.10
Possible wrong side failure: Overspeed not detected (actual train speed exceeds the speed protection profile undetected); no safety reaction (e.g. immediate emergency brake application) is triggered
Hazardous situation: Excessive speed; train cars may get too close to one another
Possible hazard consequences – accidents: Derailment due to overspeed; Collision, because overspeed may lead to travelling beyond the movement authority limit
Exposure probability to hazard: Passengers are permanently in trains
Accident probability reduction: The train driver is responsible for driving the train in accordance with the wayside speed signalisation, i.e. within the indicated allowed speed.
Consequence reduction probability: Passengers cannot escape consequences.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3


Table 35 – RA Supervise safe train speed for GOA1 to GOA4 (without wayside signals)

Number of safety function: 23
Name of safety function: Supervise safe train speed
Description: This function is intended to supervise the actual speed of UGTMS-equipped trains against the permitted speed with respect to the train protection profile.
Reference of functions: IEC 62290-2 – 5.1.5.2
Reference for risk analysis: MODURBAN D86 – 1.6 “Overspeed detection”; VDV 331 – 3.9.10
Possible wrong side failure: Overspeed not detected (actual train speed exceeds the speed protection profile undetected); no safety reaction (e.g. immediate emergency brake application) is triggered
Hazardous situation: Excessive speed; train cars may get too close to one another
Possible hazard consequences – accidents: Derailment due to overspeed; Collision, because overspeed may lead to travelling beyond the movement authority limit
Exposure probability to hazard: Passengers are permanently in trains
Accident probability reduction: If too high a speed is not detected, no barrier can be assumed which would prevent the hazard turning into an accident
Consequence reduction probability: Passengers cannot escape consequences (it can conservatively not be assumed that operational staff is able to notice overspeed early enough and trigger the emergency brake to reduce the severity of consequences significantly)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4


10.1.5.3 Inhibit train stops

It is assumed that this function is required in mixed operation where trains of both kinds:

• trains provided with speed supervision by a train protection profile

• trains provided with movement supervision by train stops

are operated on a regular basis.

Table 36 – RA Inhibit train stops for GOA1 to GOA4

Number of safety function: 24

Name of safety function: Inhibit train stops

Description: This function is intended to prevent trains operating under UGTMS from being tripped by train stops.

Reference of functions: IEC 62290-2 – 5.1.5.3

Reference for risk analysis: None

Possible wrong side failure: After the relevant train stop has been inhibited (and an automatic train has passed it), the train stop is not de-inhibited.

Hazardous situation: A non-automatic train (i.e. one whose speed and train separation are protected by train stops) cannot be protected by the train stop.

Possible hazard consequences – accidents: Derailment of the non-automatic train due to undetected overspeed; collision of trains (signal passed at danger).

Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation.

Accident probability reduction: The train driver is responsible for driving the train in accordance with wayside signalling, i.e. for stopping the train at signals which show stop or are at danger.

Consequence reduction probability: Passengers are exposed to the full hazard consequences.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 0,1; C 1

Final THR: 10^-8

Final SIL: SIL 3


10.1.5.4 Monitor speed limit at discrete location

This function is relevant for systems providing wayside speed supervision.

Table 37 – RA Monitor speed limit at discrete location for GOA1

Number of safety function: 25

Name of safety function: Monitor speed limit at discrete location

Description: This function is intended to monitor external wayside equipment detecting predefined overspeed.

Reference of functions: IEC 62290-2 – 5.1.5.4

Reference for risk analysis: VDV 331 – 3.4.4

Possible wrong side failure: Train movements with overspeed are not detected; no safety reaction (e.g. immediate emergency brake application) is triggered.

Hazardous situation: Due to a train driver's failure the train moves, first, with too high a speed in a designated area, and second, the excessive speed causes entry into unsecured routes or areas with insufficient train separation.

Possible hazard consequences – accidents: Collision with another train or other danger point; derailment due to entering unsecured routes.

Exposure probability to hazard: Passengers are permanently in trains.

Accident probability reduction: The train driver is in the first instance responsible for observing signals. Not every instance of overspeed is assumed to lead to an accident, since the actual speed has to exceed the speed limit for track guidance. Additionally, the train driver is responsible for a correct and safe speed and shall adhere to the given speed limits.

Consequence reduction probability: Passengers cannot escape the consequences.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 0,1; C 1

Final THR: 10^-8

Final SIL: SIL 3


10.1.5.5 Supervise train rollaway

The following table analyses the case that a train rolls back against authorised travel direction.

Table 38 – RA Supervise train rollaway for GOA1 to GOA4

Number of safety function: 26

Name of safety function: Supervise train rollaway

Description: This function is intended to supervise the train in case of rollaway at stations.

Reference of functions: IEC 62290-2 – 5.1.5.5

Reference for risk analysis: None

Possible wrong side failure: Undetected train rollaway.

Hazardous situation: Unintended train movement against the travel direction; the safety margin of the following train is disturbed.

Possible hazard consequences – accidents: Collision

Exposure probability to hazard: Passengers are permanently on board the train.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: Passengers cannot escape the hazard consequences.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4

10.1.5.6 Immobilisation of train

This case is included in safety function “Authorise station departure (safety related conditions)”.

10.1.5.7 Detect unauthorised movement of non-operative trains

This function is covered by function “Locate non reporting trains by track sections”.


10.1.5.8 React to unauthorised movement of non-operative trains

This function is relevant for systems providing train protection profile.

Table 39 – RA React to unauthorised movement of non-operative trains for GOA1 to GOA4

Number of safety function: 29

Name of safety function: React to unauthorised movements of non-operative trains

Description: This function is intended to react to unauthorised movements of non-operative trains in order to prevent collisions.

Reference of functions: IEC 62290-2 – 5.1.5.6

Reference for risk analysis: None

Possible wrong side failure: A non-operative (i.e. unequipped or unauthorised) train is not detected.

Hazardous situation: UGTMS cannot restrict the movement authority of the trains that are in conflict with the unauthorised movement.

Possible hazard consequences – accidents: Collision between unauthorised and authorised trains.

Exposure probability to hazard: Passengers are permanently on board trains (unauthorised as well as authorised trains).

Accident probability reduction: No barrier is assumed.

Consequence reduction probability: Passengers cannot escape the hazard consequences. It cannot conservatively be assumed that operational staff (e.g. the train driver in the driver cabin) are able to notice the dangerous/unauthorised train movement early enough to trigger the emergency brake and reduce the severity of the consequences significantly.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4


10.1.5.9 Detect intruding unequipped train

This function is covered by function “Locate non reporting trains by track sections”.

10.1.6 Provide interface with external interlocking

Table 40 – RA Provide interface with external interlocking for GOA1 to GOA4

Number of safety function: 31

Name of safety function: Provide interface with external interlocking

Description: This function is intended to provide an interface to an external interlocking if the basic function “Ensure safe route” and other functions (e.g. authorise train movement by wayside signals, locate non reporting trains by track sections) are not realised inside UGTMS.

Reference of functions: IEC 62290-2 – 5.1.6

Reference for risk analysis: VDV 331 – 3.9.3; VDV 331 – 3.9.4

Possible wrong side failure: Wrong data input/output via the interface between the external interlocking and UGTMS.

Hazardous situation: Status information on route elements, routes and the localisation of trains is wrong; movement with insufficient route protection and insufficient separation.

Possible hazard consequences – accidents: Collision due to insufficient separation; derailment due to insufficient safety of the route.

Exposure probability to hazard: Passengers are permanently on board the train.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: Passengers cannot escape the hazard consequences.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4


10.2 Drive train

All functions covered by IEC 62290-2 in chapter 5.2 “Drive Train” are intended to be realised in non-safety-related subsystems (ATO), because all hazardous situations arising from insufficient braking (service brake) and insufficient acceleration (inadvertent acceleration) must be secured by the basic function “Ensure safe speed”.

10.3 Supervise guideway

10.3.1 Prevent collision with obstacles

10.3.1.1 Supervise wayside obstacle detection device

It is assumed that this function is not relevant in GOA0, 1 and 2 since this function is realised by the train driver.

Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.1.2 Supervise onboard obstacle detection device

In GOA0, 1 and 2 this function is realised by the train driver.

Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.2 Prevent collision with persons on tracks

10.3.2.1 Warn passengers to stay away from the platform edge

This function is assumed to be no safety function.

10.3.2.2 React on emergency stop request from platforms

It is assumed that any reaction on emergency stop requests would include a detection of the emergency stop request.

Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.


10.3.2.3 Supervise platform doors

Table 41 – RA Supervise platform doors for GOA1 and GOA2

Number of safety function: 36

Name of safety function: Supervise platform doors

Description: This function is intended to supervise the closed and locked status of the platform doors when they are not required to be open.

Reference of functions: IEC 62290-2 – 5.3.2.3

Reference for risk analysis: None

Possible wrong side failure: The platform screen door status is indicated as closed and locked while in fact the platform screen doors are not closed or not locked.

Hazardous situation: A person may get trapped in the platform screen doors and is exposed to the starting train.

Possible hazard consequences – accidents: Injury of a person by the starting train.

Exposure probability to hazard: Case 1: Passengers are exposed to the hazard only at the end of passenger transfer. Case 2: Passengers are permanently exposed to the hazard.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: The train driver may notice a person trapped in the doors.

Severity of consequences due to failure of safety function: Critical (for a medium number of passengers); Catastrophic (for overcrowded situations)

Initial THR per hour: 10^-8 (Critical); 10^-9 (Catastrophic)

Risk reduction factors and resulting requirement, one column per severity and exposure case:

• Critical, case 1: E 0,1; P 1; C 0,1 – Final THR 10^-6 – Final SIL 1

• Critical, case 2: E 1; P 1; C 0,1 – Final THR 10^-7 – Final SIL 2

• Catastrophic, case 1: E 0,1; P 1; C 0,1 – Final THR 10^-7 – Final SIL 2

• Catastrophic, case 2: E 1; P 1; C 0,1 – Final THR 10^-8 – Final SIL 3


Table 42 – RA Supervise platform doors for GOA3 and GOA4

Number of safety function: 36

Name of safety function: Supervise platform doors

Description: This function is intended to supervise the closed and locked status of the platform doors when they are not required to be open.

Reference of functions: IEC 62290-2 – 5.3.2.3

Reference for risk analysis: None

Possible wrong side failure: The platform screen door status is indicated as closed and locked while in fact the platform screen doors are not closed or not locked.

Hazardous situation: A person may get trapped in the platform screen doors and is exposed to the starting train.

Possible hazard consequences – accidents: Injury of a person by the starting train.

Exposure probability to hazard: Case 1: Passengers are exposed to the hazard only at the end of passenger transfer. Case 2: Passengers are permanently exposed to the hazard.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: Conservatively, passengers cannot escape the hazard consequences.

Severity of consequences due to failure of safety function: Critical (for a medium number of passengers); Catastrophic (for overcrowded situations)

Initial THR per hour: 10^-8 (Critical); 10^-9 (Catastrophic)

Risk reduction factors and resulting requirement, one column per severity and exposure case:

• Critical, case 1: E 0,1; P 1; C 1 – Final THR 10^-7 – Final SIL 2

• Critical, case 2: E 1; P 1; C 1 – Final THR 10^-8 – Final SIL 3

• Catastrophic, case 1: E 0,1; P 1; C 1 – Final THR 10^-8 – Final SIL 3

• Catastrophic, case 2: E 1; P 1; C 1 – Final THR 10^-9 – Final SIL 4
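Every risk analysis table in this chapter derives its last three rows by the same arithmetic: the severity class fixes the initial THR (Catastrophic 10^-9 per hour, Critical 10^-8 per hour), each risk reduction factor E, P and C is either 1 or 0,1, the final THR is the initial THR divided by the product of the three factors, and the final SIL is read from the THR bands of EN 50129 / IEC 61508 (10^-9 ≤ THR < 10^-8 is SIL 4, one decade higher per SIL step, and THR ≥ 10^-5 is written as SIL 0 in Table 47). The following Python script is an added example, not part of the MODSafe deliverable; it re-computes the four columns of Tables 41 and 42 (severity × exposure case) and also generalises to tables that vary P and C by case, such as Table 47. The SIL band mapping is the standard one and is assumed here, since this section applies it without restating it; the function and variable names are the example's own.

```python
"""Re-computation of the final THR / final SIL columns of the D4.2 tables.

Added example (not from the MODSafe deliverable). Assumptions, all taken from
the tables' own scheme: initial THR by severity class, whole-decade factors
E/P/C (1 or 0,1), final THR = initial THR / (E*P*C), SIL from the EN 50129
THR bands. The arithmetic is done on decade exponents so that no floating-
point fuzz can push a value across a band boundary.
"""
import itertools
import math

# Initial THR per hour by severity class, as used throughout the D4.2 tables.
INITIAL_THR_EXPONENT = {"Catastrophic": -9, "Critical": -8}

# SIL by decade exponent n of the final THR 10^n per hour (EN 50129 bands).
SIL_BY_EXPONENT = {-9: 4, -8: 3, -7: 2, -6: 1}


def decades(factor):
    """Decades of risk removed by one factor: 1 -> 0, 0.1 -> 1, 0.01 -> 2.

    A factor above 1 would increase risk and a factor that is not a whole
    decade does not occur in the tables; both are rejected.
    """
    if not 0 < factor <= 1:
        raise ValueError(f"risk reduction factor out of range: {factor}")
    d = -math.log10(factor)
    if abs(d - round(d)) > 1e-9:
        raise ValueError(f"factor {factor} is not a whole decade")
    return int(round(d))


def final_thr_exponent(severity, e, p, c):
    """Exponent n of the final THR 10^n: initial exponent plus reduction decades.

    Dividing the initial THR by E*P*C is the same as adding the decades each
    factor removes to the initial exponent.
    """
    return INITIAL_THR_EXPONENT[severity] + decades(e) + decades(p) + decades(c)


def sil_for_exponent(n):
    """Map a final THR of 10^n per hour to its SIL.

    At or above 10^-5 the tables write 'SIL 0' (no SIL requirement). Below
    10^-9 the value lies outside the SIL 4 band and cannot be assigned.
    """
    if n < -9:
        raise ValueError("THR below 10^-9 per hour lies outside the SIL table")
    return SIL_BY_EXPONENT.get(n, 0)


def analyse(severity, e, p, c):
    """One table column: (final THR as text, final SIL)."""
    n = final_thr_exponent(severity, e, p, c)
    return f"10^{n}", sil_for_exponent(n)


def analyse_cases(severities, e_options, p_options, c_options):
    """All columns of a multi-case table in the tables' column order:
    severity varies slowest, then E, then P, then C."""
    return [analyse(s, e, p, c)
            for s, e, p, c in itertools.product(severities, e_options, p_options, c_options)]


if __name__ == "__main__":
    # Tables 41 and 42 (Supervise platform doors): two severities, two
    # exposure cases (E = 0,1 or 1), P = 1, and C = 0,1 (GOA1/2) or 1 (GOA3/4).
    for label, c in (("Table 41, GOA1 and GOA2 (C = 0,1)", 0.1),
                     ("Table 42, GOA3 and GOA4 (C = 1)", 1)):
        print(label)
        for col in analyse_cases(["Critical", "Catastrophic"], [0.1, 1], [1], [c]):
            print("  Final THR %s per hour -> SIL %d" % col)
    # Table 47 (Prevent person injuries between platform and train): one
    # severity, E = 0,1, P and C each varying by case.
    print("Table 47")
    for col in analyse_cases(["Critical"], [0.1], [0.1, 1], [0.1, 1]):
        print("  Final THR %s per hour -> SIL %d" % col)
```

Working in decade exponents rather than on floats is deliberate: a value such as 10^-9 / (0.1 · 1 · 0.1) evaluated in floating point can land a hair below 10^-7 and be misread as the next more demanding band, which is exactly the kind of boundary error a SIL allocation must not contain.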


10.3.2.4 Supervise platform tracks

This safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.2.5 Supervise border between platform tracks and other tracks

This safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.2.6 Supervise platform end doors

This safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.


10.3.3 Protect staff on track

10.3.3.1 Protect staff on track

Table 43 – RA Protect staff on track for GOA1 to GOA4

Number of safety function: 40

Name of safety function: Protect staff on track

Description: This function is intended to establish and subsequently remove work zones in order to protect staff on track. A work zone is set for as long as the protection is required.

Reference of functions: IEC 62290-2 – 5.3.3

Reference for risk analysis: None

Possible wrong side failure: No or wrong setting of the work zone.

Hazardous situation: Work is not at the correct track section; the work zone is removed too early or set too late; too high a train speed is allowed at adjacent track sections.

Possible hazard consequences – accidents: Multiple staff fatalities (passenger injuries).

Exposure probability to hazard: If a work zone is to be set and staff are to work there, staff are assumed to be in the work zone permanently. However, work zones are not permanently required to be set.

Accident probability reduction: Conservatively, it cannot be assumed that the accident probability can be reduced.

Consequence reduction probability: Working areas are secured by staff.

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 0,1; P 1; C 0,1

Final THR: 10^-7

Final SIL: SIL 2


10.4 Supervise passenger transfer

10.4.1 Control passenger doors

10.4.1.1 Authorise train doors opening

For the risk and safety consideration of this function two cases are analysed:

• Door opening on passenger request (Train doors opening on passenger request is not relevant if platform screen doors are installed.)

• Automatic train doors opening procedure


Table 44 – RA Authorise train doors opening for GOA1 to GOA4 (on passenger request)

Number of safety function: 41

Name of safety function: Authorise train doors opening

Description: This function is intended to authorise train door opening with regard to all conditions which are required to ensure a safe passenger transfer.

Reference of functions: IEC 62290-2 – 5.4.1.1

Reference for risk analysis: None

Possible wrong side failure: Untimely unlocking of train doors, e.g. in a tunnel. (It is assumed that train door unlocking and train door opening are not directly connected, i.e. unlocking is not directly followed by opening.)

Hazardous situation: Train doors are opened not in front of a platform (e.g. in a tunnel or on the wrong side – opposite track, third rail) and passengers may fall out of the train.

Possible hazard consequences – accidents: Fall of a person; injury of a person; electrocution.

Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation (e.g. standing in front of doors).

Accident probability reduction: It is assumed that if the function fails, the train doors do not open instantaneously. To open the doors, they have to be requested individually by a passenger. Hence, the hazardous situation occurs only if the safety function fails and a door opening request exists.

Consequence reduction probability: In peak headway operation or overcrowded situations it is assumed that passengers are subject to the hazard consequences. Conservatively, it cannot be assumed that operational staff in the driver cabin (if present) recognise the hazardous situation early enough to initiate a safety reaction and reduce the severity of the hazard consequences significantly.

Severity of consequences due to failure of safety function: Critical (for a medium number of passengers); Catastrophic (in overcrowded situations)

Initial THR per hour: 10^-8 (Critical); 10^-9 (Catastrophic)

Risk reduction factors and resulting requirement, one column per severity:

• Critical: E 1; P 0,1; C 1 – Final THR 10^-7 – Final SIL 2

• Catastrophic: E 1; P 0,1; C 1 – Final THR 10^-8 – Final SIL 3


Table 45 – RA Authorise train doors opening for GOA1 to GOA4 (automatically)

Number of safety function: 41

Name of safety function: Authorise train doors opening

Description: This function is intended to authorise train door opening with regard to all conditions which are required to ensure a safe passenger transfer. (Train door authorisation, unlocking and opening are linked directly.)

Reference of functions: IEC 62290-2 – 5.4.1.1

Reference for risk analysis: None

Possible wrong side failure: Untimely authorisation of train doors, e.g. in a tunnel (a wrong authorisation would instantaneously lead to unlocked and open train doors).

Hazardous situation: Train doors are opened not in front of a platform (e.g. in a tunnel or on the wrong side – opposite track, third rail) and passengers may fall out of the train.

Possible hazard consequences – accidents: Fall of a person; injury of a person; electrocution.

Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: In peak headway operation or overcrowded situations it is assumed that passengers are subject to the full hazard consequences. Operational staff are, however, assumed to be on board the train in the passenger area. Conservatively, it cannot be assumed that operational staff would react to the hazardous situation early enough to reduce the severity of the consequences significantly.

Severity of consequences due to failure of safety function: Critical (for a medium number of passengers); Catastrophic (in overcrowded situations)

Initial THR per hour: 10^-8 (Critical); 10^-9 (Catastrophic)

Risk reduction factors and resulting requirement, one column per severity:

• Critical: E 1; P 1; C 1 – Final THR 10^-8 – Final SIL 3

• Catastrophic: E 1; P 1; C 1 – Final THR 10^-9 – Final SIL 4


10.4.1.2 Command doors opening

This function is assumed to be no safety function.

10.4.1.3 Request doors closing

This function is assumed to be no safety function.

10.4.1.4 Supervise doors closing

This function is assumed to be covered by the safety functions “Supervise closed and locked status of train doors” and “Supervise platform doors”.


10.4.1.5 Supervise closed and locked status of train doors

Table 46 – RA Supervise closed and locked status of train doors for GOA1 to GOA4

Number of safety function: 45

Name of safety function: Supervise closed and locked status of train doors

Description: This function is intended to supervise the closed and locked status provided by the rolling stock.

Reference of functions: IEC 62290-2 – 5.6.6

Reference for risk analysis: MODURBAN D86 – 1.2 “Train doors status supervision”

Possible wrong side failure: Undetected train door failure: the doors signal closed and locked while the train doors remain unlocked/open.

Hazardous situation: During station departure the train door status is not assured.

Possible hazard consequences – accidents: Injury of a person; person dragged by the starting train.

Exposure probability to hazard: Passengers are permanently on board the train and exposed to the hazard of open doors.

Accident probability reduction: No barrier can be assumed.

Consequence reduction probability: Passengers are aware of the starting train.

Severity of consequences due to failure of safety function: Critical (for a medium number of passengers); Catastrophic (for overcrowded situations)

Initial THR per hour: 10^-8 (Critical); 10^-9 (Catastrophic)

Risk reduction factors and resulting requirement, one column per severity:

• Critical: E 1; P 1; C 0,1 – Final THR 10^-7 – Final SIL 2

• Catastrophic: E 1; P 1; C 0,1 – Final THR 10^-8 – Final SIL 3


10.4.2 Prevent person injuries between platform and train

10.4.2.1 Prevent person injuries between platform and train

Table 47 – RA Prevent person injuries between platform and train for GOA1 to GOA4

Number of safety function: 46

Name of safety function: Prevent person injuries between platform and train

Description: This function is intended to detect persons between platform and train. (The prevented hazards include falling or being trapped between platform and train.)

Reference of functions: (IEC 62290-2 – 5.4.2)

Reference for risk analysis: None

Possible wrong side failure: The device does not detect a person between platform and train.

Hazardous situation: A person is exposed to the train movement.

Possible hazard consequences – accidents: Severe injuries to a person by falling or being dragged by the train.

Exposure probability to hazard: Passengers are rarely exposed to the hazard.

Accident probability reduction: Case 1: Gap filling device. Case 2: No gap filling device.

Consequence reduction probability: Case 1: Operational staff at the station have the obligation to supervise passenger transfer and to assure a safe station departure for passengers. The severity of consequences can be reduced by staff observing the critical situation and preventing the train from starting. Case 2: No staff at the station (staff have no obligation to supervise passenger transfer).

Severity of consequences due to failure of safety function: Critical

Initial THR per hour: 10^-8

Risk reduction factors and resulting requirement, one column per combination of accident case (P) and consequence case (C); E is 0,1 throughout:

• P case 1 (gap filling device), C case 1 (staff at station): E 0,1; P 0,1; C 0,1 – Final THR 10^-5 – Final SIL 0

• P case 1 (gap filling device), C case 2 (no staff at station): E 0,1; P 0,1; C 1 – Final THR 10^-6 – Final SIL 1

• P case 2 (no gap filling device), C case 1 (staff at station): E 0,1; P 1; C 0,1 – Final THR 10^-6 – Final SIL 1

• P case 2 (no gap filling device), C case 2 (no staff at station): E 0,1; P 1; C 1 – Final THR 10^-7 – Final SIL 2


10.4.2.2 Prevent person being trapped between platform screen doors and train

Table 48 – RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA4

Number of safety function: 47

Name of safety function: Prevent person being trapped between platform screen doors and train

Description: This function is intended to detect persons trapped between the platform screen doors (if installed) and the train doors when they are closing.

Reference of functions: New for MODSafe

Reference for risk analysis: None

Possible wrong side failure: The device does not detect a person between the platform screen doors and the train doors when they are closing for train departure.

Hazardous situation: A person is exposed to the train movement.

Possible hazard consequences – accidents: Severe injuries to a person or death.

Exposure probability to hazard: Passengers (particularly children) are permanently exposed to the hazard at each passenger transfer where the gap is sizeable (e.g. at stations on curves).

Accident probability reduction: No barrier can be assumed. Operational staff cannot observe the gap between the platform screen doors and the train doors (particularly at stations on curves). Furthermore, the train cannot be stopped in time by other passengers applying some kind of emergency brake.

Consequence reduction probability: Passengers cannot escape the consequences.

Severity of consequences due to failure of safety function: Critical

Initial THR per hour: 10^-8

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-8

Final SIL: SIL 3


10.4.3 Prevent person injuries between train cars

10.4.3.1 Prevent person injuries between train cars

This safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.4.4 Ensure safe starting conditions

10.4.4.1 Authorise station departure (safety related conditions)

It is assumed that this function is covered by “Supervise closed and locked status of train doors”.

10.4.4.2 Authorise station departure (operational conditions)

It is assumed that this function is not a safety function.

10.4.4.3 Command station departure

It is assumed that this function is not safety relevant.

10.5 Operate a train

10.5.1 Put in or take out of operation

10.5.1.1 Awake trains

This function is assumed to be no safety function.

10.5.1.2 Set train to sleep

It is assumed that this function is not a safety function. An untimely command to set a train to sleep is assumed to lead to train standstill. However, the function for the determination of the train location is assumed to be still active.


10.5.2 Manage driving modes

It is assumed that this function is not safety relevant.

10.5.3 Manage movement of trains between two operational stops

It is assumed that this function is not safety relevant.

10.5.4 Manage depots and stabling areas

This function is assumed to be no safety function.

10.5.5 Manage UGTMS transition area

This function is assumed to be no safety function.

10.5.6 Restrict train entry to station

This function is not a safety function. It is assumed to be realised by ATO as it manages operational conditions.

10.5.7 Manage the platform or siding stopping position of the train

This function is assumed to be no safety function.

10.5.8 Change the travel direction

This function is assumed to be no safety function.

10.5.9 Couple and split a train

10.5.9.1 Couple trains automatically

This function is assumed to be no safety function. (Note: correct speed is assured by train protection profile.)

10.5.9.2 Split trains – untimely uncoupling protection

This function is assumed not to be a safety function. (Note: an untimely command is prevented by specific de-coupling conditions.)

10.5.10 Supervise the status of the train

10.5.10.1 Supervise UGTMS onboard equipment status prior to entering service

Table 49 – RA Supervise UGTMS onboard equipment status prior to entering service for GOA1 to GOA4

Item Description

Number of safety function: 63

Name of safety function: Supervise UGTMS onboard equipment status prior to entering service

Description: This function is intended to perform all necessary tests on vital equipment during the power-on process or prior to entering UGTMS territory. Generally this function includes only those self-tests that deal with the safety of UGTMS and the inputs and outputs necessary for vital operation. Self-tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here.

Reference of functions: IEC 62290-2 – 5.5.10.1

Reference for risk analysis: None

Possible wrong side failure: System signals successful conduction of a test on vital equipment when in fact test failures occurred; System test is wrongly recognised as successful, so operation of the equipment is not shut down as a result of a recognised failure

Hazardous situation: Excessive speed; Train movement over moving track elements; Train cars get too close

Possible hazard consequences – accidents: Collision; Derailment

Exposure probability to hazard: Passengers are permanently on board trains

Accident probability reduction: No barrier can be assumed

Consequence reduction probability: Passengers cannot escape from hazard consequences

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4

10.5.10.2 Supervise UGTMS onboard equipment status during operation

Table 50 – RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA4

Item Description

Number of safety function: 64

Name of safety function: Supervise UGTMS onboard equipment status during operation

Description: This function is intended to perform all necessary tests during operation of the system. Generally this function includes only those self-tests that deal with the safety of the UGTMS application and the inputs and outputs necessary for vital operation. Self-tests that are necessary to achieve the safety features of vital processors are not included here.

Reference of functions: IEC 62290-2 – 5.5.10.2

Reference for risk analysis: None

Possible wrong side failure: Undetected failed system tests (no safety reaction can be initiated)

Hazardous situation: Excessive speed; Train cars get too close; (Too high temperature on onboard equipment)

Possible hazard consequences – accidents: Collision; Derailment; (Fire/smoke)

Exposure probability to hazard: Passengers are permanently on board trains

Accident probability reduction: No barrier can be assumed

Consequence reduction probability: Passengers cannot escape from hazard consequences

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4

10.5.10.3 Test emergency braking performance

Table 51 – RA Test emergency braking performance for GOA1 to GOA4

Item Description

Number of safety function: 65

Name of safety function: Test emergency braking performance

Description: This function is intended to perform a dynamic emergency braking test by commanding emergency braking during motion.

Reference of functions: IEC 62290-2 – 5.5.10.3

Reference for risk analysis: None

Possible wrong side failure: UGTMS reports to the train/OCC HMI that the emergency brake performance is sufficient when in fact the emergency brake performance is poor.

Hazardous situation: Emergency brake performance is insufficient when applied, so: Train cars get too close; Excessive speed

Possible hazard consequences – accidents: Collision; Derailment

Exposure probability to hazard: Passengers are permanently on board trains

Accident probability reduction: No barrier can be assumed

Consequence reduction probability: Passengers cannot escape hazard consequences

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4

10.5.10.4 React to detected train equipment failure

This function is covered by “Trigger emergency brake”.

10.5.10.5 Manage traction power supply on train

This function is assumed not to be a safety function.

(An unintended loss of traction power may lead to a hazardous situation when a train is forced to stop between stations and is unable to restart. Secondary hazards which may arise from this situation are assumed to be the subject of MODSafe deliverable 4.3.)

10.6 Ensure detection and management of emergency situations

10.6.1 Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations

10.6.1.1 Detect fire and smoke

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.2 React to detected fire/smoke

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.3 React to detected or suspected broken rail

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.4 Monitor emergency calls

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.5 React to passenger alarm device activation

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.6 React to emergency release of train doors

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.7 Detect loss of train integrity

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be analysed in more detail in D4.3.

10.6.1.8 React to loss of train integrity

This function is covered by the safety functions “Determine zone of protection” and “Trigger emergency brake”.

10.6.1.9 Detect derailment

Derailment is a rare event, and the detection device is not intended to prevent a derailment but only to detect it, which might reduce the possible consequences of a derailment. Because of that, the derailment detection device is not a classic safety function and can be regarded as operating in low demand mode. Therefore, the function is analysed in MODSafe D4.3.

10.6.1.10 Trigger emergency brake

The cases of triggering the emergency brake after a loss of train integrity, an OCC command or train equipment failures are not considered in this safety function. Hence, in on-sight train operation (i.e. GOA0) this function is not relevant.

Table 52 – RA Trigger emergency brake for GOA1 and GOA2

Item Description

Number of safety function: 77

Name of safety function: Trigger emergency brake

Description: This function is intended to initiate application of the emergency brake at detected overspeed.

Reference of functions: New for MODSafe

Reference for risk analysis: None

Possible wrong side failure: No safety reaction when required, i.e. the emergency brake is not triggered

Hazardous situation: Excessive speed

Possible hazard consequences – accidents: Collision; Derailment

Exposure probability to hazard: Passengers are permanently exposed to the hazard

Accident probability reduction: The train driver is responsible for driving the train and for following speed indications. It is assumed that the train driver has the possibility to recognise overspeed and to trigger the emergency brake.

Consequence reduction probability: Passengers cannot escape hazard consequences

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 0,1; C 1

Final THR: 10^-8

Final SIL: SIL 3

Table 53 – RA Trigger emergency brake for GOA3 and GOA4

Item Description

Number of safety function: 77

Name of safety function: Trigger emergency brake

Description: This function is intended to initiate application of the emergency brake at detected overspeed.

Reference of functions: New for MODSafe

Reference for risk analysis: None

Possible wrong side failure: No safety reaction when required, i.e. the emergency brake is not triggered

Hazardous situation: Excessive speed

Possible hazard consequences – accidents: Collision; Derailment

Exposure probability to hazard: Passengers are permanently exposed to the hazard

Accident probability reduction: No barrier can be assumed

Consequence reduction probability: Passengers cannot escape hazard consequences

Severity of consequences due to failure of safety function: Catastrophic

Initial THR per hour: 10^-9

Risk reduction factors: E 1; P 1; C 1

Final THR: 10^-9

Final SIL: SIL 4
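The THR-to-SIL derivation applied in Tables 49 to 53, worked through as an added Python example that is not part of the MODSafe deliverable. The combination rule Final THR = Initial THR / (E·P·C) is inferred from the tables on this page (crediting the driver with P 0,1 relaxes 10^-9 to 10^-8), and the THR bands are those of EN 50129, which the page does not reproduce; the rows are constructed from Tables 49 to 53.

```python
from dataclasses import dataclass
from decimal import Decimal

# SIL bands for continuous-mode functions as given in EN 50129
# (assumption: the page reports only the resulting SIL, not the band table).
SIL_BANDS = (
    (Decimal("1e-9"), Decimal("1e-8"), 4),
    (Decimal("1e-8"), Decimal("1e-7"), 3),
    (Decimal("1e-7"), Decimal("1e-6"), 2),
    (Decimal("1e-6"), Decimal("1e-5"), 1),
)

@dataclass(frozen=True)
class RiskAnalysis:
    number: int            # safety function number from the table
    goa: str               # grade of automation range the row applies to
    initial_thr: Decimal   # tolerable hazard rate per hour before barrier credit
    e: Decimal             # exposure reduction factor
    p: Decimal             # accident probability reduction factor
    c: Decimal             # consequence reduction factor

    def final_thr(self) -> Decimal:
        # Combination rule inferred from the tables: a factor of 0,1 relaxes the
        # THR by one decade, factors of 1 leave it unchanged. Decimal (not float)
        # keeps the band comparison below exact at the 10^-8 boundary.
        if any(not 0 < f <= 1 for f in (self.e, self.p, self.c)):
            raise ValueError("reduction factors must lie in (0, 1]")
        return self.initial_thr / (self.e * self.p * self.c)

    def final_sil(self) -> int:
        thr = self.final_thr()
        for low, high, sil in SIL_BANDS:
            if low <= thr < high:
                return sil
        raise ValueError(f"THR {thr} lies outside the SIL 1..4 bands")

def make_ra(number, goa, initial_thr, e, p, c) -> RiskAnalysis:
    # Accept the strings as printed in the document, including the decimal comma.
    dec = lambda s: Decimal(s.replace(",", "."))
    return RiskAnalysis(number, goa, dec(initial_thr), dec(e), dec(p), dec(c))

# Rows of Tables 49 to 53 as constructed from the page.
PAGE_TABLES = (
    make_ra(63, "GOA1 to GOA4", "1e-9", "1", "1", "1"),
    make_ra(64, "GOA1 to GOA4", "1e-9", "1", "1", "1"),
    make_ra(65, "GOA1 to GOA4", "1e-9", "1", "1", "1"),
    make_ra(77, "GOA1 and GOA2", "1e-9", "1", "0,1", "1"),  # driver may trigger EB
    make_ra(77, "GOA3 and GOA4", "1e-9", "1", "1", "1"),    # no barrier assumed
)

def summarise(tables=PAGE_TABLES) -> dict:
    # Map (function number, GOA range) to (decade of final THR, final SIL).
    return {(t.number, t.goa): (t.final_thr().adjusted(), t.final_sil()) for t in tables}
```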