WP 4 - D4.2
Version V2.0
Status Final
WP WP 4
Lead Author WP 4
Dissemination level PU
Document History:
Approval:
This deliverable summarises the results of the process of allocating safety requirements to MODSafe safety functions. To this end, the method used to allocate safety requirements and the MODSafe safety functions are introduced. The allocation method is the one recommended in MODSafe deliverable 4.1 [13]. The MODSafe safety functions are mainly taken from the international standard IEC 62290-2 [10]. All MODSafe safety functions are subject to a safety and risk consideration in order to estimate appropriate safety integrity requirements. The allocated results are intended to represent potential generic values for safety integrity requirements, depending on the operational context.
The deliverable is structured into the following clauses. Firstly, the method for safety requirement allocation and its corresponding application conditions are explained (clauses 5 and 6). Secondly, the MODSafe safety functions are introduced (clause 7). An exemplified application and the results of the process can be found in clauses 8 and 9. Detailed protocols of the allocation of safety requirements are given in the annex.
The scope of MODSafe is the urban guided transport sector in Europe, covering metros, trams and other light rail systems with regard to different grades of automation. These grades of automation range from driving on sight up to unattended train operation. This deliverable mainly covers safety functions for system applications of UGTMS (e.g. CBTC) whose functional requirements are specified by IEC 62290-2 [10] and IEC 62267 [8] and for which the results of MODURBAN have been taken into account, including additional safety functions for system applications designated for train operation on sight (GOA0). This deliverable is written for MODSafe project partners and European transport authorities, i.e. operators of urban guided transport systems.
The focus of this document is on safety functions and measures from the signalling domain specified for UGTMS; however, where safety integrity requirements are assumed to be independent of a UGTMS application, specific information for use by other systems is provided. This deliverable does not specify risk analyses for a specific application with a certain combination of safeguards or safety functions. For that reason, all safety functions are regarded independently of the allocation to Mandatory and Optional provided by IEC 62290-2, so that a user can trust the determined safety integrity requirement when choosing a function or a safeguard for an application. Nonetheless, the described safety requirement allocation scheme may also be applied to areas other than signalling, e.g. interfaces between signalling equipment and vehicle equipment or other safety functions in general. It is therefore not necessary to deal with other domains in detail.
This deliverable deals with safety requirements and is not applicable to security aspects. An analysis of security is covered in MODSafe WP 8 and 9 and the corresponding deliverables.
Note: The title of this document has been changed. In the MODSafe description of work, deliverable 4.2 is originally called: Analysis of common safety requirements allocation for MODSafe continuous safety measures and functions. The alteration is made since the safety requirements for MODSafe safety functions are not assumed to be common (i.e. in the sense of the Common Safety Measures/Targets issued by the European Railway Agency). Rather, these safety requirements shall be understood as recommendations for the appropriate urban guided rail systems.
3.1 Terms
Operation control centre: Centre from which operation of the line or the network is supervised and managed. (IEC 62290-1)
Transport authority: Entity which is responsible for safe and orderly operation of a transport system. (IEC 62267, IEC 62290-1)
3.2 Abbreviations
Abbreviation Definition
A Frequency of, and exposure time in, the hazardous zone
ATO Automatic train operation
ATS Automatic train supervision
C Consequence reduction probability
CBTC Communication-based train control
CENELEC Comité Européen de Normalisation Électrotechnique (European Committee for Electrotechnical Standardisation)
D Deliverable
E Exposure probability to hazard
E/E/PE Electrical/electronic/programmable electronic
EN European standard
EUC Equipment under control
G Possibility of failing to avoid the hazardous event
GOA Grade of automation
HMI Human machine interface
IEC International electrotechnical commission
MA Movement authority
MODSafe Modular urban transport safety and security analysis
MODURBAN Modular urban guided rail systems
Nr Number
OCC Operations control centre
P Accident probability reduction
This deliverable has to be read in the light of the European standard EN 50126, which requires a system lifecycle for railway applications. Within this lifecycle the determination of safety requirements must be performed in the first four phases, which are mainly the responsibility of the transport authority. Phase four, called system requirements, is of special interest in this context. Alongside other tasks, the recommended safety related tasks are:
[..]
The method for the allocation of safety requirements used in this deliverable originates from the MODURBAN¹ deliverable D86 [16]. A comparison of different safety requirement allocation methods is presented in MODSafe deliverable 4.1 [13]; one outcome of that deliverable is a set of criteria which a safety requirement allocation method should advantageously satisfy. A detailed description of the method, additional information and possible alternative applications can be found in MODURBAN deliverable D86 and MODSafe deliverable 4.1. Additionally, a second method is outlined briefly to ease subsequent analyses.
The starting point of the method is the risk matrix introduced in the European and meanwhile international standard EN 50126 or IEC 62278 respectively. The matrix describes the correlation between the rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm [2]. The risk matrix, see Table 1, thus provides a risk level, e.g. tolerable or intolerable, for each combination of frequency of occurrence and severity level of the hazard consequences.
Table 1 Frequency-consequence matrix or risk matrix

Frequency of occurrence   Risk level per severity level of hazard consequence
of hazardous event        insignificant   marginal      critical      catastrophic
frequent                  undesirable     intolerable   intolerable   intolerable
probable                  tolerable       undesirable   intolerable   intolerable
occasional                tolerable       undesirable   undesirable   intolerable
remote                    negligible      tolerable     undesirable   undesirable
improbable                negligible      negligible    tolerable     tolerable
incredible                negligible      negligible    negligible    negligible
Following EN 50126 the parameter describing the severity level of hazard consequences can be
understood as:
¹ MODURBAN is a European research and development project covering metros and light rail systems.
Accident Probability Reduction P: Is there good reason to conservatively assume that the evolution of a certain hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of the rate by orders of magnitude)?
Consequence Reduction Probability C: Is there good reason to conservatively assume that the members of the risk group (e.g. passengers, workers or neighbours) can clearly avoid being exposed to the hazard (by orders of magnitude) or can considerably reduce the potential damage (by severity class)?
Considering the severity level of hazard consequences and the three risk reduction measures, a rate
of frequency can be estimated which represents the tolerable risk and corresponds to the tolerable
hazard rate (THR).
An actual application starts with an estimation of the possible hazard consequences of a wrong side failure of the safety function. This is followed by a description of the operational or environmental circumstances in order to estimate the valid risk reduction measures and their corresponding numerical values.
For that purpose, an initial THR² has to be estimated which does not consider any risk reduction measures and is estimated only from the severity of the potential hazard consequences, graded in four severity levels (SL). With the help of Table 2 (leaving the SIL aside for now), the level of severity can be expressed as follows:
² Considering how it is estimated, this initial THR is actually a tolerable hazard rate that leaves out any consideration of possible risk reduction measures. Setting all risk reduction measures initially to a value of 1 (1 = no impact), the actual tolerable hazard rate can therefore be understood as the initial THR (initial in the sense that risk reduction measures are not yet considered).
(1)  THR = THRi / (E · P · C)
with THRi the initial THR and E, P and C the risk reduction factors.
The safety integrity level can be determined by using the following table:

Tolerable Hazard Rate THR per hour and per function     Safety Integrity Level SIL
THR 4: 10^-9 ≤ THR < 10^-8                              SIL 4
THR 3: 10^-8 ≤ THR < 10^-7                              SIL 3
THR 2: 10^-7 ≤ THR < 10^-6                              SIL 2
THR 1: 10^-6 ≤ THR < 10^-5                              SIL 1
The method shall be applied to one particular function. All numerical values apply to this particular
function and shall be expressed in the unit per hour.
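As an added worked example (not part of this deliverable or of MODURBAN D86), the following Python code carries the steps described above through for one safety function: the look-up in the risk matrix of Table 1, the division of formula (1) and the mapping of the resulting THR onto a SIL band. The initial THR used in the demonstration (10^-9 per hour) is a constructed assumption, because Table 2, from which the deliverable derives the initial THR, is not reproduced here; the factor values 1, 0.1 and 0.01 are those admitted by the allocation table.

```python
from fractions import Fraction

# Table 1 (risk matrix) as given in the deliverable: rows are frequency
# classes of the hazardous event, columns are severity levels of the
# hazard consequence, cells are the resulting risk level.
SEVERITY_LEVELS = ("insignificant", "marginal", "critical", "catastrophic")
RISK_MATRIX = {
    "frequent":   ("undesirable", "intolerable", "intolerable", "intolerable"),
    "probable":   ("tolerable",   "undesirable", "intolerable", "intolerable"),
    "occasional": ("tolerable",   "undesirable", "undesirable", "intolerable"),
    "remote":     ("negligible",  "tolerable",   "undesirable", "undesirable"),
    "improbable": ("negligible",  "negligible",  "tolerable",   "tolerable"),
    "incredible": ("negligible",  "negligible",  "negligible",  "negligible"),
}

# THR bands (per hour and per function) -> SIL, from the THR/SIL table:
# lower bound inclusive, upper bound exclusive.
SIL_BANDS = (
    (Fraction(1, 10**9), Fraction(1, 10**8), 4),
    (Fraction(1, 10**8), Fraction(1, 10**7), 3),
    (Fraction(1, 10**7), Fraction(1, 10**6), 2),
    (Fraction(1, 10**6), Fraction(1, 10**5), 1),
)

# The only values the allocation table admits for the factors E, P and C.
ALLOWED_FACTORS = (Fraction(1), Fraction(1, 10), Fraction(1, 100))


def exact(value):
    """Convert an int, float, str or Fraction into an exact Fraction via its
    decimal string, so 0.1 becomes 1/10 rather than the binary approximation."""
    return Fraction(str(value))


def risk_level(frequency, severity):
    """Look up the risk level of Table 1 for a frequency/severity pair."""
    return RISK_MATRIX[frequency][SEVERITY_LEVELS.index(severity)]


def final_thr(thr_initial, e, p, c):
    """Formula (1): THR = THRi / (E * P * C).

    thr_initial is the initial THR per hour derived from the severity level
    alone; e, p, c are the risk reduction factors (each 1, 0.1 or 0.01).
    """
    factors = tuple(exact(x) for x in (e, p, c))
    for name, f in zip("EPC", factors):
        if f not in ALLOWED_FACTORS:
            raise ValueError(f"risk reduction factor {name}={f} is not 1, 0.1 or 0.01")
    e, p, c = factors
    return exact(thr_initial) / (e * p * c)


def sil_from_thr(thr):
    """Map a THR (per hour) onto a SIL; None if it lies outside the four bands
    of the table (less stringent than SIL 1 or more stringent than SIL 4)."""
    thr = exact(thr)
    for low, high, sil in SIL_BANDS:
        if low <= thr < high:
            return sil
    return None


def allocate(thr_initial, e, p, c):
    """Run the method for one safety function: returns (final THR, SIL)."""
    thr = final_thr(thr_initial, e, p, c)
    return thr, sil_from_thr(thr)


if __name__ == "__main__":
    # Constructed case: an assumed initial THR of 1e-9/h, exposure E = 1,
    # accident probability reduction P = 0.1, consequence reduction C = 0.1.
    thr, sil = allocate("1e-9", 1, 0.1, 0.1)
    print(risk_level("remote", "critical"))   # undesirable
    print(thr, sil)                            # 1/10000000 2
    # The same division in binary floating point lands just below the
    # 10^-7 band boundary and would wrongly give SIL 3.
    print(1e-9 / (1 * 0.1 * 0.1))              # 9.999999999999998e-08
```

Exact rational arithmetic is used deliberately: with binary floating point, 10^-9 / (0.1 · 0.1) evaluates to 9.999999999999998 · 10^-8, which lies just below the 10^-7 band boundary and would return SIL 3 instead of the correct SIL 2. THR values outside the four bands return None, because the table above gives no SIL for them; a factor outside {1, 0.1, 0.01} is rejected rather than silently accepted.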
The procedure is described in the following figure in a general manner:
Figure 2 General procedure of the method for SIL allocation
During an application to allocate safety requirements to safety functions the following aspects shall be
considered:
For some generic safety functions the German VDV 331 [18] defines required safety integrity levels, so these safety integrity levels can be applied to the system in question. The risk graph is based on part 5 of IEC 61508 [7].
According to IEC 61508 the quantitative component (Target Failure Measure (TFM) which is
equivalent to Tolerable Hazard Rate (THR)) can be derived directly from the SIL.
It shall be noted that the consistency of the results obtained by the semi-quantitative allocation method from MODURBAN was verified with an independent method, the semi-quantitative risk graph method outlined before. In MODURBAN deliverable D86, all considered continuous safety functions were analysed with both methods, and the results were identical in all cases.
Because the results are identical, the present analysis applies one method as representative for both. Since the MODURBAN method is an agreed method from the European project MODURBAN and its results found broad consensus at European level, the semi-quantitative MODURBAN method
Risk graph: the path S -> A -> G selects a row, the column W gives the necessary risk reduction (see Table 3); "-" means no entry.

                      W3   W2   W1
S1                     1    -    -
S2  A1  G1             2    1    -
S2  A1  G2             3    2    1
S2  A2  G1             4    3    2
S2  A2  G2             5    4    3
S3  A1                 6    5    4
S3  A2                 7    6    5
S4                     8    7    6

Severity of loss
- S1 Minor injury
- S2 Serious permanent injury to one or more persons; death to one person
- S3 Death to several people
- S4 Very many people killed
Duration of stay
- A1 Rare to more often exposure in the hazardous zone
- A2 Frequent to permanent exposure in the hazardous zone
Averting the danger
- G1 Possible under certain conditions
- G2 Almost impossible
Probability of the unwanted occurrence
- W1 very slight
- W2 slight
- W3 relatively high
The analysis follows the principles described in IEC 61508, calibrated in VDV 331/332 to the process under consideration. The safety function is analysed according to four attributes, which are:
S consequences of hazardous events
The result of the risk analysis provides a necessary minimum risk reduction from which the safety
integrity levels (SIL) can be derived directly. The connection between the results of the analysis for
safety functions derived from the risk graph and safety integrity level are shown in Table 3.
Table 3 Risk reduction and SIL (example from IEC 61508 and used in VDV 331)

Necessary risk reduction (failure rate per hour)   Risk graph result   SIL
-                                                  -                   No safety requirements
-                                                  1                   No special safety requirements
10^-6 to <10^-5                                    2, 3                1
10^-7 to <10^-6                                    4                   2
10^-8 to <10^-7                                    5, 6                3
10^-9 to <10^-8                                    7                   4
-                                                  8                   An E/E/PE SRS is not sufficient
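As an added example (not part of this deliverable or of VDV 331), the Python code below encodes the risk graph as reproduced above together with the mapping of Table 3, so that the parameters S, A, G and W of one safety function can be evaluated mechanically. The branching follows the figure as extracted here: S1 and S4 are not differentiated further, S3 is differentiated by A only, and S2 by A and G; the input values in the demonstration are constructed.

```python
# Risk graph rows as shown in the figure: key (S, A, G) -> results for
# (W3, W2, W1); None stands for "-". Following the figure, S1 and S4 are
# not branched by A or G, and S3 is branched by A only.
W_COLUMNS = ("W3", "W2", "W1")
RISK_GRAPH = {
    ("S1", None, None): (1, None, None),
    ("S2", "A1", "G1"): (2, 1, None),
    ("S2", "A1", "G2"): (3, 2, 1),
    ("S2", "A2", "G1"): (4, 3, 2),
    ("S2", "A2", "G2"): (5, 4, 3),
    ("S3", "A1", None): (6, 5, 4),
    ("S3", "A2", None): (7, 6, 5),
    ("S4", None, None): (8, 7, 6),
}
# Which of the parameters A and G the graph consults for each severity S.
BRANCHES = {"S1": (), "S2": ("A", "G"), "S3": ("A",), "S4": ()}

# Table 3: risk graph result -> (SIL or None, requirement as stated).
SIL_FROM_RESULT = {
    None: (None, "No safety requirements"),
    1: (None, "No special safety requirements"),
    2: (1, "SIL 1"), 3: (1, "SIL 1"),
    4: (2, "SIL 2"),
    5: (3, "SIL 3"), 6: (3, "SIL 3"),
    7: (4, "SIL 4"),
    8: (None, "An E/E/PE SRS is not sufficient"),
}


def risk_graph_result(s, a=None, g=None, *, w):
    """Walk the risk graph for severity s, duration of stay a, averting g and
    probability w; returns the necessary risk reduction (int) or None ("-").
    Parameters the graph does not consult for the given s are ignored;
    parameters it does consult must be given."""
    if s not in BRANCHES:
        raise ValueError(f"unknown severity {s!r}")
    if w not in W_COLUMNS:
        raise ValueError(f"unknown probability class {w!r}")
    key_a = key_g = None
    if "A" in BRANCHES[s]:
        if a not in ("A1", "A2"):
            raise ValueError(f"{s} requires A1 or A2, got {a!r}")
        key_a = a
    if "G" in BRANCHES[s]:
        if g not in ("G1", "G2"):
            raise ValueError(f"{s} requires G1 or G2, got {g!r}")
        key_g = g
    return RISK_GRAPH[(s, key_a, key_g)][W_COLUMNS.index(w)]


def required_sil(s, a=None, g=None, *, w):
    """Risk graph followed by Table 3: returns (SIL or None, requirement)."""
    return SIL_FROM_RESULT[risk_graph_result(s, a, g, w=w)]


if __name__ == "__main__":
    # Constructed case: death to several people (S3), frequent exposure (A2),
    # relatively high probability of the unwanted occurrence (W3).
    print(risk_graph_result("S3", "A2", w="W3"))   # 7
    print(required_sil("S3", "A2", w="W3"))        # (4, 'SIL 4')
    print(required_sil("S1", w="W1"))              # (None, 'No safety requirements')
```

The result 8 is kept distinct from the SIL 4 band on purpose: Table 3 states that an E/E/PE safety-related system alone is not sufficient there, so the function returns no SIL for it rather than clamping to SIL 4.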
One goal of this deliverable is to recommend the deduced safety requirements to European urban guided transport system operators as potential generic safety integrity requirements. This can be done if the safety functions do not, or only weakly, depend on an operational context. For the purpose of MODSafe, two criteria are considered to describe the operational context: the mode of operation and the grade of automation, with regard to an unambiguous, consistent and complete functional requirement specification.
The mode of operation can be understood as the way in which safety functions operate, according to
IEC 61508 part 4 [6]. This international standard differentiates between three modes of operations with
respect to the frequency of demand:
- low demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is no greater than one per year; or
- high demand mode: where the safety function is only performed on demand, in order to transfer the EUC into a specified safe state, and where the frequency of demands is greater than one per year; or
- continuous mode: where the safety function retains the EUC in a safe state as part of normal operation [6]
However, it shall be noted that apart from the definition of a strict number of events (demand) per
year, IEC 61508 proposes to explicitly consider the diagnostics in all three modes of operation, if the
ratio of the diagnostic test rate to the demand rate equals or exceeds 100 [5]. Taking into account this
ratio, any specific demand rate and the associated safety level of the safety function can be calculated
for a specific case. The above categorisation is not necessary in this case. This issue will be
addressed in detail in the MODSafe deliverable 4.3 and therefore, shall not be discussed in more
detail in this deliverable.
Additionally, IEC 61508 states that if the total demand rate arising from all the demands on the system
exceeds 1 per year then the critical factor is the dangerous failure rate of the E/E/PE safety-related
system. Hence, the operational mode for high demand and continuous can be treated as one,
considering the demand rate.
For safety functions acting in a high demand or continuous mode of operation it is expected that a
failed safety function is equivalent to an unsafe state or a hazard. Expressed in a state diagram the
system would turn from a safe state to an unsafe state by the wrong side failure rate of the safety
function (SF), see figure below. (The label R might be equivalent to a repair or restore rate.)
However, for safety functions with a low frequency of demand, this is not necessarily true. For safety functions acting in a low demand mode of operation, the consequences of a hazard are not expected to be immediately severe: the probability that an accident happens immediately after the failure of a low demand safety function is anticipated to be considerably lower than 1. For example, in operations with two minute headway, or even less, a train running in the wrong direction would immediately collide with other trains; hence the determination of the train travel direction is required to work safely in every case. A derailment detection device, in contrast, has only one requirement: detect a derailment if a derailment has occurred. So a failure of a derailment detection device leads to an accident only if a demand (a derailment) occurs, which is a very rare event compared to a potential failure of the travel direction determination.
Therefore, it is assumed that for safety functions not acting in a high demand or continuous mode of operation, other safety relevant criteria have to be considered, such as the frequency of demand and the diagnostic test interval of the safety function. An approach which takes these considerations into account is presented in [19]. This perspective is in line with IEC 61508, but the safety requirement allocation method proposed here does not take these issues into account in an appropriate manner. The process therefore cannot be applied to functions required in a low demand mode of operation; these have to be considered separately. This issue is covered in MODSafe deliverable 4.3.
Moreover, IEC 61508 part 5 supports selecting the most appropriate method for SIL allocation, since the mode of operation has to be considered and some methods are only suitable for the low demand mode and vice versa.
For the purpose of this document, safety functions are considered which clearly act in a continuous mode of operation, which might be equivalent to a frequency of demand clearly higher than once a year (e.g. functions associated with train movement and passenger exchange which are in everyday use, as opposed to exceptional situations like emergency cases). Another characteristic of the analysed safety functions is that wrong side failures are expected to lead to a hazardous situation with direct severe hazard consequences.
The following definitions of grades of automation (GOA) are proposed by IEC 62290-1 [9]. The differentiation between the GOAs is based on the shared responsibilities between operational staff and the system for the basic functions of train operation. Information on which functions are realised by the system or by staff can be found in Table 4.
In this grade of automation the driver has full responsibility and no system is required to supervise his
activities. However, points and single tracks can be partially supervised by the system [9].
In terms of responsibilities for operational staff this means the following, see figure below:
In this grade of automation, the driver is in the front cabin of the train observing the guideway and
stops the train in the case of a hazardous situation. Acceleration and braking are commanded by the
driver in compliance with wayside signals or cab-signal. The system supervises the activities of the
driver. This supervision may be done at specific locations, be semi-continuous or continuous, notably
in respect of the signals and the speed. Safe departure of the train from the station, including door
closing, is the responsibility of the operations staff. [9]
Adherence to signals:
- Supervision of train movements by train stops and possibly speed supervision by wayside equipment at discrete locations
Figure 6 GOA1 Train stops and wayside signals and fixed block system (figure labels: Danger point)
Semi continuous speed supervision and fixed block systems with wayside signals:
- Supervision of train movements including permitted speed by train protection profile, which is provided at discrete locations or in dedicated areas (semi-continuous speed supervision)
Figure 7 GOA1 Semi continuous speed supervision and fixed block systems with wayside signals (figure labels: Danger point; Train location relative to TPP; Train detection by wayside devices; Balise at discrete locations; Infill-loop in dedicated areas)
- Authorisation of movement by cab signals derived from train protection profile which is provided continuously
In this grade of automation, the driver is in the front cabin of the train observing the guideway and
stops the train in the case of a hazardous situation. Acceleration and braking is automated and the
speed is supervised continuously by the system. Safe departure of the train from the station is the
responsibility of the operations staff (door opening and closing may be done automatically). [9]
In terms of responsibilities for operational staff this means the following, see figure below:
In this grade of automation, additional measures are needed compared to GOA2 because there is no
driver in the front cabin of the train to observe the guideway and stop the train in case of a hazardous
situation.
In this grade of automation, a member of the operations staff is necessary onboard. Safe departure of
the train from the station, including door closing, can be the responsibility of the operations staff or
may be done automatically. [9]
In terms of responsibilities for operational staff this means the following, see figure below:
In this grade of automation, additional measures are needed compared to GOA3 because there are no
onboard operations staff.
Safe departure of the train from the station, including door closing, has to be done automatically.
More specifically, the system supports detection and management of hazardous conditions and
emergency situations such as the evacuation of passengers. Some hazardous conditions or
emergency situations, such as derailment or the detection of smoke or fire, may require staff
interventions. [9]
Fully unattended train operation does not assign responsibilities to operational staff on board of trains or in stations. Human responsibility remains, but moves partly to OCC staff and also to maintenance staff (in order to be sure that all functions are available during the mission).
7 Functions to be analysed
The origin of the majority of the MODSafe safety functions is the international standard IEC 62290 part
2 [10], which covers functions of an urban guided transport management and command/control
system (UGTMS).
Table 4 Basic functions of train operation per grade of automation (X = responsibility of operations staff, S = responsibility of the system)

Grades of automation: GOA0 on-sight train operation; GOA1 non-automated train operation; GOA2 semi-automated train operation; GOA3 driverless train operation; GOA4 unattended train operation.

Basic function of train operation             GOA0                                   GOA1                             GOA2   GOA3   GOA4
Ensuring safe movement of trains
  Ensure safe route                           X (points command/control in system)   S                                S      S      S
  Ensure safe separation of trains            X                                      S                                S      S      S
  Ensure safe speed                           X                                      X (partly supervised by system)  S      S      S
Driving
  Control acceleration and braking            X                                      X                                S      S      S
Supervising guideway
  Prevent collision with obstacles            X                                      X                                X      S      S
  Prevent collision with persons on tracks    X                                      X                                X      S      S
For the selection of safety functions from IEC 62290-2 the following criteria are considered:
- The MODSafe safety function shall act as a safety function (functions obviously intended to be realised in an ATO or ATS subsystem are not considered).
This criterion also applies to MODSafe safety functions which are newly added to the list.
Figure 13 General procedure of the elaboration of the list of MODSafe safety functions (flow: IEC 62290 function names and structure (complement MODURBAN list) -> reviewed and discussed by WP4; MODURBAN D86 functions, risk analysis and SIL allocation process -> check compatibility with MODURBAN analysis results -> Deliverable 4.2)
Each MODSafe safety function will be analysed according to the grade of automation, thereby taking into account the operational context of each function. It has been agreed for the project to concentrate efforts on safety relevant functions. Risk and safety considerations are made primarily for GOA1 to 4. In GOA0 the driver has full responsibility for safe train separation and for ensuring safe speed, and no technical management and command/control system is assumed to implement any of
Nr  MODSafe safety function: description (reference)

1 Check route availability: For the route to be set, the conflict free availability of all determined route elements shall be checked. (IEC 62290-2 5.1.1.1.1-3)
3 Supervise route: This function is intended to supervise that all conditions for the route are still in place. (IEC 62290-2 5.1.1.1.2)
4 Supervise level crossing as secured: This function is intended to supervise that a level crossing is secured and locked in order to forbid its conflicting use by general road and pedestrian traffic. (New for MODSafe)
5 Lock route: This function is intended to lock the route against route release by operator command if a train is approaching and the movement authority allows entry into the route, or a train is within the route. (IEC 62290-2 5.1.1.1.3)
6 Release route: This function is intended to release a route and its elements. (IEC 62290-2 5.1.1.2)
7 Initialise UGTMS reporting trains location: This function is intended to initialise the location of reporting trains which are: stationary in stabling locations; entering UGTMS territory; recovering from localisation failures. (IEC 62290-2 5.1.2.1)
8 Determine train orientation: This function is intended to determine the physical orientation of the train relative to the defined orientation of the track. (IEC 62290-2 5.1.2.2.1)
9 Determine actual train travel direction: This function determines the travel direction of trains. (IEC 62290-2 5.1.2.2.2)
10 Determine train location: This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length. (IEC 62290-2 5.1.2.2.3)
11 Locate non reporting trains by track sections: This function is intended to determine the location of non reporting trains using external devices. (IEC 62290-2 5.1.2.3)
12 Determine static speed profile: This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality and infrastructure constraints (tunnels, bridges, platforms, etc.). (IEC 62290-2 5.1.3.1.1)
17 Determine train protection profile: This function determines the train protection profile for all trains to ensure their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point. The train protection profile shall be determined by the applicable safe braking model. (IEC 62290-2 5.1.4.2)
19 Determine a zone of protection: This function is intended to set and remove zones of protection for selected areas by operational command or as a result of system reactions. (IEC 62290-2 5.1.4.4)
21 Authorise the entry of non-operative UGTMS trains into UGTMS territory: This function is intended to authorise the entry of non-operative UGTMS trains into the UGTMS territory. (IEC 62290-2 5.1.4.6)
22 Determine actual train speed: This function is intended to determine the actual train speed. (IEC 62290-2 5.1.5.1)
24 Inhibit train stops: This function is intended to avoid UGTMS operating trains being tripped by train stops. (IEC 62290-2 5.1.5.3)
25 Monitor speed limit at discrete location: This function is intended to monitor external wayside equipment detecting predefined overspeed. (IEC 62290-2 5.1.5.4)
26 Supervise train rollaway: This function is intended to supervise the train in case of rollaway. (IEC 62290-2 5.1.5.5)
38 Supervise border between platform tracks and other tracks: This function is intended to supervise the actions of an external device which supervises both borders of platform tracks, detecting persons which are intruding into the adjacent track areas. (IEC 62290-2 5.3.2.5)
41 Authorise train doors opening: This function is intended to authorise train doors opening regarding all conditions which are required to ensure a safe passenger transfer. (IEC 62290-2 5.4.1.1)
42 Command doors opening: This function is intended to command train doors and platform doors (if installed) opening when the opening authorisation conditions are met. (IEC 62290-2 5.4.1.2)
43 Request doors closing: This function is intended to request the train door and platform doors (if installed) closing at stations. (IEC 62290-2 5.4.1.3)
44 Supervise doors closing: This function is intended to supervise the train door and platform door (if installed) closing at stations. (IEC 62290-2 5.4.1.4)
45 Supervise closed and locked status of train doors: This function is intended to supervise the closed and locked status provided by the rolling stock. (IEC 62290-2 5.6.6)
47 Prevent person being trapped between platform screen doors and train: This function is intended to detect persons being trapped between platform screen doors (if installed) and train doors when they are closing. (New for MODSafe)
49 Authorise station departure (safety related conditions): This function is intended to verify all prerequisites necessary for safe station departure. (IEC 62290-2 5.4.3.1)
50 Authorise station departure (operational conditions): This function is intended to verify all prerequisites necessary due to operational constraints in order to authorise station departure. (IEC 62290-2 5.4.3.2)
52 Awake trains: This function is intended to awake trains which are in stabling locations (in workshop, sidings or in the line) before they enter service, by the action of the driver or by remote action from the OCC. (IEC 62290-2 5.5.1.1)
53 Set trains to sleep: This function is intended to set the train to sleep in stabling locations (in workshop, sidings or in the line) after they leave service, by the action of the driver or by remote action from the OCC. (IEC 62290-2 5.5.1.2)
61 Couple trains automatically: This function is intended to automatically join two separate trains operated independently, in a designated coupling area, to be operated as a single train consist. (IEC 62290-2 5.5.9.1)
62 Split trains untimely train uncoupling: This function is intended to split a train consisting of two or more train sets into two separate trains to be operated independently. (IEC 62290-2 5.5.9.2)
63 Supervise UGTMS onboard equipment status prior to entering service: This function is intended to perform all necessary tests on vital equipment during the power on process or prior to entering UGTMS territory. Generally this function includes only those self tests that deal with the safety of UGTMS and the inputs and outputs necessary for a vital operation. Self tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here. (IEC 62290-2 5.5.10.1)
64 Supervise UGTMS onboard equipment status during operation: This function is intended to perform all necessary tests during operation of the system. Generally this function includes only those self tests that deal with the safety of the UGTMS application and the inputs and outputs necessary for a vital operation. Self tests that are necessary to achieve the safety features of vital processors are not included here. (IEC 62290-2 5.5.10.2)
For an allocation of safety requirements to MODSafe safety functions the following procedure is
applied, based on the method introduced in clause 5. For each safety function a table is used to
analyse the risk of wrong side failures. The table below (see Table 5) represents the structure of the
procedure including advice on how the method can be applied.
For the actual application, the MODURBAN deliverable D86 is used as reference, since D86 dealt with the same topic, i.e. the allocation of safety requirements to a list of safety functions. As far as possible, the risk analysis for MODSafe safety functions is conducted in the same way as in D86. This applies mainly to MODSafe safety functions where the same (or a similar) function is already treated in D86. For MODSafe safety functions without a comparable D86 function, an estimation of risk is performed as well. Additionally, reference documents which also allocate safety requirements are used, such as VDV 161 [17] and VDV 331 [18].
In general the application followed this approach:
- The risk parameters are chosen rather pessimistically, because it has to be certain that the results are not too optimistic. One example is the number of passengers either in stations or in the trains. Conservatively, it cannot be excluded that overcrowded situations occur during operation; on the other hand, they will not happen in usual cases.
- The risk parameters and the corresponding results for the safety functions shall be generic in order to be applicable to the majority of European urban guided transport systems, as long as these are in line with the functionality of IEC 62290-2. (This, in turn, leads to rather conservative assumptions for the risk parameters.)
- In later phases of the system life cycle (cf. Figure 1) safety integrity levels are allocated to technical equipment. However, staff responsibility is considered as a measure for risk reduction, if appropriate. Functions in the full responsibility of operational staff are not analysed.
- Each safety integrity requirement for a grade of automation represents a value for particular operational circumstances or procedures or possible technical implementations. If required, these particularities are described for each safety function. Hence, each safety integrity level represents one scenario, which has to be revised for a specific application.
| Nr. | Item | Description |
| 5 | Reference for risk analysis | A reference where an identical or similar risk analysis of the safety function can be found. |
| 6 | Possible wrong side failure | What can be assumed to be the failure which would act as the cause leading to the hazardous situation? |
| 15 | Risk reduction factor P | 1, 0,1 or 0,01 |
| 16 | Risk reduction factor C | 1, 0,1 or 0,01 |
| 17 | Final THR | The final THR is calculated by taking the initial THR (Nr. 13) and dividing it by the risk reduction factors E, P and C (Nr. 14, 15 and 16), see formula (1): THR_final = THR_initial / (E × P × C). |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
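As an added worked example (not code from the MODSafe deliverable or from the MODURBAN project), the following Python script applies formula (1) and maps the resulting THR to a SIL. The THR-to-SIL bands used in `sil_from_thr` are the continuous-mode bands of EN 50129 / IEC 61508; this page does not spell them out, so they are an assumption here. The initial THR values (10^-9 per hour for catastrophic and 10^-8 per hour for critical consequences), the factor values 1, 0,1 and 0,01, and the factor combinations of the scenario rows are taken from the tables of this deliverable; the last scenario row only combines factor values shown in Table 47 and is marked as constructed.

```python
"""
Added example (not part of the MODSafe deliverable): the THR-based SIL
allocation of clause 5, formula (1), worked on factor values from the annex.

Assumption (not stated on this page): THR-to-SIL bands of EN 50129 / IEC 61508
for continuous mode:
    SIL 4: 1e-9 <= THR < 1e-8      SIL 2: 1e-7 <= THR < 1e-6
    SIL 3: 1e-8 <= THR < 1e-7      SIL 1: 1e-6 <= THR < 1e-5
A THR of 1e-5 per hour or worse gets no SIL and is reported as 0.
"""
import math
from dataclasses import dataclass

# Initial THR per hour by severity class, as used in the annex tables
# (Catastrophic -> 10^-9, Critical -> 10^-8).
INITIAL_THR = {"catastrophic": 1e-9, "critical": 1e-8}

# Values the risk reduction factors E, P and C may take (Table 5, Nr. 14-16).
ALLOWED_FACTORS = (1.0, 0.1, 0.01)


@dataclass(frozen=True)
class Allocation:
    scenario: str
    final_thr: float   # per hour
    sil: int           # 0 means "no SIL"


def sil_from_thr(thr: float) -> int:
    """Map a tolerable hazard rate (per hour) to a SIL band (0 = no SIL)."""
    if thr <= 0:
        raise ValueError("THR must be positive")
    # floor(log10) with a small epsilon, so that 1e-9 / 0.1 (which is
    # 1.0000000000000001e-08 in floating point) stays in the 10^-8 band.
    exponent = math.floor(math.log10(thr) + 1e-9)
    if exponent <= -9:
        return 4
    return {-8: 3, -7: 2, -6: 1}.get(exponent, 0)


def final_thr(initial_thr: float, e: float, p: float, c: float) -> float:
    """Formula (1): THR_final = THR_initial / (E * P * C).

    A factor below 1 credits risk reduction outside the function (exposure,
    accident probability, consequences), so the function itself may tolerate
    a higher, i.e. less stringent, hazard rate."""
    for name, factor in (("E", e), ("P", p), ("C", c)):
        if factor not in ALLOWED_FACTORS:
            raise ValueError(f"factor {name}={factor} not in {ALLOWED_FACTORS}")
    return initial_thr / (e * p * c)


def allocate(scenario: str, severity: str, e: float, p: float, c: float) -> Allocation:
    """One scenario row of a risk analysis table -> final THR and SIL."""
    thr = final_thr(INITIAL_THR[severity], e, p, c)
    return Allocation(scenario, thr, sil_from_thr(thr))


def allocate_scenarios(rows) -> list:
    """Evaluate (scenario, severity, E, P, C) rows; each result corresponds to
    one scenario value like the per-GOA cells of the summary table."""
    return [allocate(*row) for row in rows]


# Scenario rows taken from the annex tables of this page, plus one constructed
# combination of the factor values shown in Table 47.
EXAMPLE_ROWS = [
    ("Table 17 travel direction, all factors 1", "catastrophic", 1, 1, 1),
    ("Table 52 emergency brake GOA1/2, P = 0,1", "catastrophic", 1, 0.1, 1),
    ("Table 48 PSD trapping, initial 10^-8, all 1", "critical", 1, 1, 1),
    ("platform gap, E = P = C = 0,1 (constructed)", "critical", 0.1, 0.1, 0.1),
]

if __name__ == "__main__":
    for a in allocate_scenarios(EXAMPLE_ROWS):
        print(f"{a.scenario:45s} THR = {a.final_thr:.0e}/h -> SIL {a.sil}")
```

The factor check in `final_thr` is deliberate: the method only admits the three factor values of Table 5, and silently accepting an arbitrary reduction factor would let an analysis claim more credit than the procedure allows. Note that dividing by a factor below 1 makes the final THR larger and the SIL lower, which is why conservative (pessimistic) parameter choice matters for the generic values reported in clause 9.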
This clause summarises the results of the allocation of safety requirements to MODSafe safety
functions.
Safety integrity levels indicated with "see D4.3" are to be verified in MODSafe deliverable 4.3, depending on whether these functions act in a low demand or in a continuous mode of operation. For these functions it is not possible to allocate safety requirements with the method proposed here.
For safety functions marked with "---", no SIL is applied. This may be because the function is assumed to be no safety function or because the function is excluded from the analysis.
Safety requirements of SIL 0: these functions are assumed to be safety relevant and have to be fulfilled according to the relevant standards.
All results are covered in the following table, which shows all MODSafe safety functions and the safety requirements associated with all grades of automation.
| Nr. | Safety function | GOA0 | GOA1 | GOA2 | GOA3 | GOA4 |
| (1) | Check route availability | --- | 4 | 4 | 4 | 4 |
| (4) | Supervise level crossing as secured | --- | 3 | 3 | --- | --- |
| (7) | Initialise UGTMS reporting trains location | --- | 4 | 4 | 4 | 4 |
| (8) | Determine train orientation | --- | 4 | 4 | 4 | 4 |
| (9) | Determine actual train travel direction | --- | 4 | 4 | 4 | 4 |
| (10) | Determine train location | --- | 4 (with wayside signals) | 4 | 4 | 4 |
| (11) | Locate non reporting trains by track sections | --- | 4 | 4 | 4 | 4 |
| (12) | Determine static speed profile | --- | 3 (with wayside signals) | 4 | 4 | 4 |
| (13) | Determine temporary infrastructure speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (14) | Determine permanent rolling stock speed restrictions | --- | 4 | 4 | 4 | 4 |
| (15) | Determine temporary rolling stock speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (16) | Determine movement authority limit | --- | 3 (with wayside signals) | 4 | 4 | 4 |
| (17) | Determine train protection profile | --- | 3 (with wayside signals) | 4 | 4 | 4 |
| (18) | Authorise train movement by wayside signals | 2 (single track operation); 34 (indicate position of switches) | 4 | 4 (mixed operation) | 4 (mixed operation) | 4 (mixed operation) |
| (19) | Determine a zone of protection | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (20) | Stopping a train en route | --- | Covered by: Trigger emergency brake (GOA1 to GOA4) | | | |
| (21) | Authorise the entry of non-operative UGTMS trains into UGTMS territory | --- | 4 | 4 | 4 | 4 |
| (22) | Determine actual train speed | --- | 3 (with wayside signals containing allowed speed) | 4 | 4 | 4 |
| (23) | Supervise safe train speed | --- | 3 (with wayside signals) | 4 | 4 | 4 |
| (25) | Monitor speed limit at discrete location | --- | 3 | --- | --- | --- |
| (26) | Supervise train rollaway | --- | 4 | 4 | 4 | 4 |
| (28) | Detect unauthorised movement of non-operative trains | --- | Covered by: Locate non reporting trains by track sections (GOA1 to GOA4) | | | |
| (29) | React to unauthorised movement of non-operative trains | --- | 4 | 4 | 4 | 4 |
| (30) | Detect intruding unequipped train | --- | Covered by: Locate non reporting trains by track sections (GOA1 to GOA4) | | | |
| (31) | Provide interface with external interlocking | --- | 4 | 4 | 4 | 4 |
| | Supervising guideway | | | | | |
| (32) | Supervise wayside obstacle detection devices | --- | --- | --- | see D4.3 | see D4.3 |
| (33) | Supervise onboard obstacle detection device | --- | --- | --- | see D4.3 | see D4.3 |
| (34) | Warn passenger to stay away from guideway | --- | --- | --- | --- | --- |
| (35) | React on emergency stop request from platforms | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| | Supervise passenger transfer | | | | | |
| (36) | Supervise platform doors (medium number of passengers) | --- | 12 | 12 | 23 | 23 |
| (36) | Supervise platform doors (overcrowded situation) | --- | 23 | 23 | 34 | 34 |
| (37) | Supervise platform tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (38) | Supervise border between platform tracks and other tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (39) | Supervise platform end doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (40) | Protect staff on track | --- | 2 | 2 | 2 | 2 |
| (41) | Authorise train doors opening (medium number of passengers) | --- | 23 | 23 | 23 | 23 |
| (41) | Authorise train doors opening (overcrowded situation) | --- | 34 | 34 | 34 | 34 |
| (42) | Command doors opening | --- | --- | --- | --- | --- |
| (43) | Request doors closing | --- | --- | --- | --- | --- |
| (45) | Supervise closed and locked status of train doors (medium number of passengers) | --- | 2 | 2 | 2 | 2 |
| (45) | Supervise closed and locked status of train doors (overcrowded situation) | | 3 | 3 | 3 | 3 |
| (46) | Prevent person injuries between platform and train (operational staff supervision) | --- | 01 | 01 | 01 | 01 |
| (46) | Prevent person injuries between platform and train (no staff responsibility) | --- | 12 | 12 | 12 | 12 |
| (47) | Prevent person being trapped between platform screen doors and train | --- | 3 | 3 | 3 | 3 |
| (48) | Prevent person injuries between cars | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| | Operating a train | | | | | |
| (49) | Authorise station departure (safety related conditions) | --- | Covered by: Supervise closed and locked status of train doors (GOA1 to GOA4) | | | |
| (50) | Authorise station departure (operational conditions) | --- | --- | --- | --- | --- |
| (51) | Command station departure | --- | --- | --- | --- | --- |
| (54) | Manage driving modes | --- | --- | --- | --- | --- |
| (55) | Manage movement of trains between two operational stops | --- | --- | --- | --- | --- |
| (56) | Manage depot and stabling areas | --- | --- | --- | --- | --- |
| (57) | Manage UGTMS transition areas | --- | --- | --- | --- | --- |
| (58) | Restrict train entry to station | --- | --- | --- | --- | --- |
| (59) | Manage the platform or siding stopping position of the train | --- | --- | --- | --- | --- |
| (61) | Couple trains automatically | --- | --- | --- | --- | --- |
| (62) | Split trains (untimely uncoupling protection) | --- | --- | --- | --- | --- |
| (63) | Supervise UGTMS onboard equipment status prior to entering service | --- | 4 | 4 | 4 | 4 |
| (64) | Supervise UGTMS onboard equipment status during operation | --- | 4 | 4 | 4 | 4 |
| (65) | Test emergency brake performance | --- | 4 | 4 | 4 | 4 |
| (66) | React to detected train equipment failure | --- | Covered by: Trigger emergency brake (GOA1 to GOA4) | | | |
| (67) | Manage traction power supply on train | --- | --- | --- | --- | --- |
| | Ensure detection and management of emergency situations | | | | | |
| (69) | React to detected fire/smoke | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (70) | React to detected or suspected broken rail | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (71) | Monitor emergency calls | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (72) | React to passenger alarm device activation | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (73) | React to emergency release of train doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (74) | Detect loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (75) | React to loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (76) | Detect derailment | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3 |
| (77) | Trigger emergency brake | --- | 3 | 3 | 4 | 4 |
9.2 Conclusion
With respect to the method described in clause 5, it can be stated that the method can be applied consistently.
In case of similarity between functional descriptions of MODURBAN deliverable D86 and MODSafe
safety functions, safety requirements are transferred to this deliverable. For all other functions a risk
and safety consideration is performed.
Safety requirements are not allocated to safety functions that are assumed not to work in a continuous mode of operation. This is done because the method for SIL allocation does not fully reflect all aspects that have to be considered for other modes of operation.
For some MODSafe safety functions no safety requirements are estimated, because these safety
functions are either supposed to be no safety function, covered by other safety functions or are
excluded.
Finally, the results from the table of safety requirements for MODSafe safety functions can be
considered as a recommendation for appropriate urban guided rail systems.
Regarding the possibility that several levels could be allocated to a given function when performing the final SIL allocation (depending on the context of application of this function), it shall be noted that the following points are not considered in this deliverable:
- Will suppliers produce a portfolio of products covering the same function with different SILs?
- Will an operator on a given line use different equipment (according to the SIL) for implementing the same function, for example according to the number of passengers in stations?
This annex provides the detailed risk and safety considerations made for the MODSafe safety functions. In principle, the goal is to provide a single application table for each safety function and each grade of automation. However, where appropriate, application tables are combined for the relevant grades of automation.
Functions which do not act in a clearly continuous mode of operation are not analysed in this
deliverable. It has been agreed that further analyses will be developed in MODSafe D4.3 which may
lead to a revision of MODSafe D4.2 at the end of the project.
According to Table 4 (Grades of automation according to IEC 62290-1), safety functions to ensure a safe route are realised by the technical system for grades of automation 1 to 4 and partly for GOA0.
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 0,1 |
| Final THR | 10^-8 |
| Final SIL | SIL 3 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
According to Table 4 (Grades of automation according to IEC 62290-1), safety functions to ensure safe separation of trains are realised by the technical system for grades of automation 1 to 4.
Localisation or detection of trains as basic conditions for safe train separation can be done by:
- reporting trains
Assumed scenario: The UGTMS train location determination function is self-initialising, without requiring the manual input of train location or train length data. Wayside equipment shall provide an absolute position reference to the onboard equipment (cf. IEC 62290-2 5.1.2.1-4).
This function is relevant only for systems providing their location by reporting trains.
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant only for systems providing their location by reporting trains.
Table 16 RA Determine train orientation for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant only for systems providing their location by reporting trains.
Table 17 RA Determine actual train travel direction for GOA1 to GOA4
| Item | Description |
| Reference for risk analysis | MODURBAN D86 1.7 Travel direction measurement |
| Possible wrong side failure | Train travels undetected in wrong travel direction |
| Hazardous situation | Trains may get too close; trains may drive over unlocked switches at inadequate speed |
| Possible hazard consequences / accidents | Collision; derailment |
| Exposure probability to hazard | Passengers are permanently in trains |
| Accident probability reduction | In case of undetected wrong travel direction, no further barrier can conservatively be assumed to reduce consequences. Routine checks like unexpected position reports may come too late. |
| Consequence reduction probability | Passengers cannot escape the consequences |
| Severity of consequences due to failure of safety function | Catastrophic |
| Initial THR per hour | 10^-9 |
| Risk reduction factors | E = 1, P = 1, C = 1 |
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant if track sections are used as primary detection device in all grades of
automation.
Table 20 RA Locate non reporting trains by track sections for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

Table 22 RA Determine static speed profile for GOA1 to GOA4 (without wayside signals)
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
This function is relevant for systems providing train protection profiles, in other cases the function
might be realised by rolling stock.
Table 23 RA Determine permanent rolling stock speed restrictions for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is assumed to work only in rare degraded modes of operation and is the subject of MODSafe deliverable 4.3.
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

Table 27 RA Determine train protection profile for GOA1 to GOA4 (without wayside signals)
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant for systems providing movement instructions by wayside signals:
- in GOA0, to allow train movement in accordance with the rules for train operation on sight
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, 1; P = 1, 1; C = 1, 1 (two columns) |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
It is assumed that this function is covered by the safety function Trigger emergency brake.
10.1.4.6 Authorise the entry of non-operative UGTMS trains into UGTMS territory
Table 31 RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant for systems providing continuous speed supervision by train protection profile.
Table 32 RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed)
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is relevant for systems providing continuous speed supervision by train protection profile.
Table 34 RA Supervise safe train speed for GOA1 (with wayside signals)
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
It is assumed that this function is required in mixed operation where both trains:
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |
The following table analyses the case that a train rolls back against authorised travel direction.
Table 38 RA Supervise train rollaway for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This case is included in safety function Authorise station departure (safety related conditions).
This function is covered by function Locate non reporting trains by track sections.
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
This function is covered by function Locate non reporting trains by track sections.
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
All functions covered by IEC 62290-2 in chapter 5.2 Drive Train are intended to be realised in non-safety-related subsystems (ATO), because all hazardous situations arising from insufficient braking (service brake) and from inadvertent acceleration must be secured by the basic function Ensure safe speed.
It is assumed that this function is not relevant in GOA0, 1 and 2 since this function is realised by the
train driver.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be
analysed in D4.3 in more detail.
It is assumed that any reaction on emergency stop requests would include a detection of the
emergency stop request.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be
analysed in D4.3 in more detail.
| Item | Medium number of passengers | Overcrowded situations |
| Consequence reduction probability | Train driver may notice person trapped in doors | Train driver may notice person trapped in doors |
| Severity of consequences due to failure of safety function | Critical | Catastrophic |
| Initial THR per hour | 10^-8 | 10^-9 |
| Risk reduction factor E | 0,1 (case 1), 1 (case 2) | 0,1 (case 1), 1 (case 2) |
| Risk reduction factor P | 1 (case 1), 1 (case 2) | 1 (case 1), 1 (case 2) |
| Risk reduction factor C | 1 (case 1), 1 (case 2) | 1 (case 1), 1 (case 2) |
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
| Item | Description |
| Risk reduction factors | E = 0,1, P = 1, C = 0,1 |
For the risk and safety consideration of this function two cases are analysed:
- Door opening on passenger request (train doors opening on passenger request is not relevant if platform screen doors are installed.)
| Item | Description |
| Risk reduction factors | E = 1, 1; P = 0,1, 0,1; C = 1, 1 (one value per analysed case) |

| Item | Description |
| Risk reduction factors | E = 1, 1; P = 1, 1; C = 1, 1 (one value per analysed case) |
This function is assumed to be covered by the safety functions Supervise closed and locked status of
train doors and Supervise platform doors.
Table 46 RA Supervise closed and locked status of train doors for GOA1 to GOA4
| Item | Description |
| Reference for risk analysis | MODURBAN D86 1.2 Train doors status supervision |
| Possible wrong side failure | Undetected train door failure signals closed and locked while train doors remain unlocked/open |
| Hazardous situation | During station departure train doors status is not assured |
| Possible hazard consequences / accidents | Injury of person; person dragged by starting train |
| Exposure probability to hazard | Passengers are permanently onboard the train and exposed to the hazard of open doors |
| Accident probability reduction | No barrier can be assumed |
| Risk reduction factors | E = 1, 1; P = 1, 1; C = 0,1, 0,1 (two columns) |
Table 47 RA Prevent person injuries between platform and train for GOA1 to GOA4
| Item | Description |
| Possible wrong side failure | Device does not detect person between platform and train |
| Risk reduction factor E | 0,1 |
| Risk reduction factor P | 0,1 (case 1), 1 (case 2) |
| Risk reduction factor C | 0,1 (case 1), 1 (case 2), 0,1 (case 1), 1 (case 2) |
| Final THR | 10^-5, 10^-6, 10^-6, 10^-7 |
Table 48 RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
| Final THR | 10^-8 |
| Final SIL | SIL 3 |
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
It is assumed that this function is covered by Supervise closed and locked status of train doors.
It is assumed that this function is not a safety function. An untimely command to set a train to sleep is
assumed to lead to train standstill. However, the function for the determination of the train location is
assumed to be still active.
This function is not a safety function. It is assumed to be realised by ATO as it manages operational
conditions.
This function is assumed to be no safety function. (Note: correct speed is assured by train protection
profile.)
This function is assumed to be no safety function. (Note: Untimely command is prevented by specific
de-coupling conditions.)
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

Table 50 RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA4
| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
10.6.1 Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.
This function is covered by safety function Determine zone of protection and Trigger emergency
brake.
Derailment is a rare event and the detection device is not intended to prevent a derailment, but only to
detect it and might reduce the possible consequences of a derailment. Because of that the derailment
detection device is not a classic safety function and can be regarded as operated in low demand
mode. Therefore, the function is analysed in MODSafe D4.3.
The cases of triggering the emergency brake after a loss of train integrity, an OCC command or train equipment failures are not considered in this safety function. Hence, in on-sight train operation (i.e. GOA0) this function is not relevant.
Table 52 RA Trigger emergency brake for GOA1 and GOA2
| Item | Description |
| Risk reduction factors | E = 1, P = 0,1, C = 1 |
| Final THR | 10^-8 |
| Final SIL | SIL 3 |

| Item | Description |
| Risk reduction factors | E = 1, P = 1, C = 1 |
| Final THR | 10^-9 |
| Final SIL | SIL 4 |