Preliminary Hazards Control and Safety Measures Analysis€¦ · 2.6 Asphyxiation 65 2.7 Toxic...

European Commission Seventh Framework programme

MODSafe Modular Urban Transport Safety and Security Analysis

Preliminary Hazards Control and Safety Measures Analysis

Doc Name: DEL_D3.1_BTSERCS_WP3_110215_V1.0.doc Date: 110215 ID: DEL_D3.1_BTSERCS_WP3_110215_V1.0 Revision: V1.0 Restricted Page 2/138

Contract No. 218606

Document type DEL

Version V1.0

Status Released

Date 110215

WP WP 3

Lead Author BTSERCS

Contributors Alstom, Ansaldo, AREVA, Dimet, LU, RATP, Thales RSS, TRIT, UVHC, UITP

Description D3.1

Document ID DEL_D3.1_BTSERCS_WP3_110215_V1.0

Dissemination level PU

Distribution Consortium members and EC

Document History:

Version Date Author Modification [very short description]

V0.1 2010-08-31 BTSERCS Initial draft based on D2.1_Annex_Hazard_Analysis_091102_v3 with safety measures updated by WP3 members

V0.2 2010-11-01 BTSERCS Updated based on review comments 2010-09-27.

V0.3 2010-12-17 BTSERCS Minor corrections.

V0.4 2011-02-04 BTSERCS Updated based on review comments 2011-01-10.

V1.0 2011-02-15 BTSERCS Final approved version.

Approval:

Authority Name/Partner Date

WP responsible BTSERCS - WP3 Consensus 2010-08-31

EB members WP10 Consensus 2011-02-15

Coordinator TRIT 2011-02-16


Table of Content 1. Summary .................................................................................................................. 6

2. References ............................................................................................................... 6

3. Terms and Abbreviations........................................................................................ 6

4. Explanation of the Table.......................................................................................... 7

5. Conclusion ............................................................................................................... 7

Table of Hazards and Safety Functions

1 Train movement 8

1.1 Train infringes clearance envelope 8

1.2 Object / person infringes clearance envelope 29

1.3 Train collision hazard within uninfringed clearance envelope 45

2 Train interior 58

2.1 Person struck / hurt by object 58

2.2 Explosion 61

2.3 Person fall in train 62

2.4 Fire 63

2.5 Inadequate temperature 64

2.6 Asphyxiation 65

2.7 Toxic releases 65

2.8 Radiation 65

2.9 Electrocution in train 66

2.10 Person contact with machinery 66

2.11 Person exposed to noise 66

2.12 Person needs urgent assistance 66

3 Train-Station interface (with train in station) 67

3.1 Passenger falls from train on station track 67

3.2 Passenger injured by door closing 67

3.3 Train departs with passenger trapped in doors 69

3.4 Train moves at passenger exchange 71

3.5 Person between vehicle / vehicle gaps 74

3.6 Person steps / falls into vehicle – platform gap 75

3.7 Electrocution 77


4 Train-Station interface (without train in station) 79

4.1 Person struck by falling object 79

4.2 Person hit by sharp object 79

4.3 Person hurt by protruding object 79

4.4 Wheelchair / baby carriage hazards 79

4.5 Person falls in station 80

4.6 Person falls / intrudes on station track 81

4.7 Electrocution in station 82

4.8 Smoke 83

4.9 Explosion 86

4.10 Fire in station 87

4.11 Toxic release 90

5 Depot 91

5.1 Staff injured by operation of machines and equipment 91

5.2 Shunting hazards 91

5.3 Undue train / vehicle enters operation area 91

5.4 Passenger in depot area 92

5.5 Staff run over by train 92

6 OCC 94

6.1 Fire in OCC 94

6.2 Electrocution in OCC 96

6.3 Explosion in OCC 97

6.4 Building collapse 98

6.5 Terrorism, attacks, criminal acts 98

6.6 Radiation in OCC 98

6.7 Asphyxiation / poisoning in OCC 99

7 Maintenance 100

7.1 Staff injured by operation of machines and equipment 100

7.2 Electrocution / lightning 102

7.3 Staff endangered by moving train 103

7.4 Obstacles on guideway or walkway 105

7.5 Explosion during maintenance 109

7.6 Fire during maintenance 110

7.7 Asphyxiation / poisoning 111

7.8 Inappropriate temperature 113

7.9 Staff in danger cannot escape guideway 113

7.10 Radiation 114

7.11 Staff caught in machinery 114


8 Emergency – Evacuation 116

8.1 People hit by train: involved track, adjacent track 116

8.2 Burn / fire 124

8.3 Asphyxiation / poisoning 128

8.4 Electrocution / lightning 130

8.5 Explosion during evacuation 131

8.6 Inappropriate temperature 131

8.7 Radiation 132

8.8 Drowning 132

8.9 Person hurt during evacuation (others) 133

9 Environmental influences 136

9.1 Weather conditions (moderate) 136

9.2 Force of nature 136


1. Summary

This deliverable is the first analysis in which the existing generic safety functions from previous EC projects and other generic safety functions of the supply industry are mapped with the hazards from the Modsafe WP2 D2.1 Preliminary Hazard Analysis /1 / and /2/. This is the preliminary hazards control and safety measures analysis that will be used as a basis for D3.2 which is the final hazards control and safety measures analysis.

2. References

/1/ MODSafe DEL_D2.1_TUD_WP2_091102_V3

/2/ MODSafe_WP2_D2.1_Annex_Hazard_Analysis

/3/ MODURBAN DEL_D80_v2-5_BVG_WP21_090317

/4/ IEC 62290-2

/5/ MODSafe DEL_D10.5_RATP_WP10_101005_V3

/6/ MODSafe WP4 – D4.2 Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions

3. Terms and Abbreviations

The terms and abbreviations used in this project are explained in the Glossary /5/. In addition, the following abbreviations are used here:

Abbreviation Explanation

EB Emergency Brake

M Mandatory

NA Not applicable, because the safety measure apply only to the technical system and not to operational staff

O Optional

TSR Temporary Speed Restriction


4. Explanation of the Table

This deliverable is presented in the same format as the Preliminary Hazard Analysis /2/, with corresponding safety functions and grade of automation added in separate columns. The entire sections 2 - 4 and sections 7 – 9 in the Preliminary Hazard Analysis /2/ are excluded since the major part of the safety measures for these hazards are not directly related to the train operation. Otherwise this delivery provides a complete list of safety functions. GOA0 is not within the scope of this analysis. The other grade of automations: GOA1a, GOA1b, GOA2, GOA3 and GOA4, are marked as not applicable, mandatory or optional. The safety functions are referenced to the corresponding functional requirements from MODURBAN WP21 D80 /3/ and the draft standard IEC 62290-2 /4/ which is compatible to D80. Non safety functions are excluded from this analysis.

5. Conclusion

For each hazard within the scope of this analysis, it has been possible to find corresponding safety functions in the MODURBAN WP21 D80 /3/. Some hazards are not covered by the draft standard IEC 62290-2 /4/. This preliminary hazards control and safety measures analysis can be updated in a second step to fulfil the objectives of the MODSafe WP3 D3.2. To some extent then also non-technical safety measures like procedures will be added and the analysis will be updated with respect to the table sections 2 – 4 and 7 – 9. The final hazards control and safety measures analysis will also be updated to conform to MODSafe WP4 D4.2 /6/.

MODSafe WP3 Preliminary Hazards Control and Safety Measures Analysis

Safety Measures

1a 1b 2 3 4

1 Train Movement

Hazards

1.1 Train infringes

clearance

envelope1.1.1 Train (car) leaves

guideway

(momentarily or

irrevocably /

derailment )1.1.1.1 Inappropriate

speed

1.1.1.1.1 VT(x) > VL(x)

1.1.1.1.1.1 Wrong position

registered

Odometer

failure

Derail-

ment

Collision Catastrophic Determine Train Location NA M M M M 5.4.1.2 5.1.2.2.3 Safety function

Catastrophic Respond to Train Location

Failure

NA M M M M 5.7.2 NA Safety function

1.1.1.1.1.2 Wrong speed

registered

1.1.1.1.1.2.1 Speed

measurement

failure

Wheelspin Derail-

ment

Collision Catastrophic Calculate Train Speed - This

function determines train speed.

O M M M M 5.4.1.7 5.1.5.1 Safety function

Catastrophic Supervise Actual Speed - This

function supervises the operation

of trains to ensure that trains

remain within the dynamic speed

profile.


1.1.1.1.1.2.2 On-board speed

processing failure

On-Board ATP

equipment

design failure

Derail-

ment

Collision Catastrophic Calculate Train Speed - This

function determines train speed.


Incorrect

maintenance

of On-Board

ATP

Derail-

ment

Collision Regular inspection and

maintenance of ATP equipment

NA NA Non functional

requirement.

Maintenance manuals.

1.1.1.1.1.3 Insufficient

deceleration

1.1.1.1.1.3.1 Improper vehicle -

guideway

coupling

(adhesion)9.1.1 Anything (snow,

rain, leaves,

greasy material)

on guideway

Insufficient

maintenance

or clearance of

guideway by

crew

Derail-

ment

Collision Regular Inspection and

maintenance


requirement.


Guideway heating NA NA

Hazard Identification Severity

Hazard Numbering

(up to 10 level) Hazard Hazard Cause

Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks

Generic Safety Measures GOA

Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Doc Name: DEL_D3.1_BTSERCS_WP3_110215_V1.0.xls

ID: DEL_D3.1_BTSERCS_WP3_110215_V1.0

Revision: V1.0 RestrictedDate:110215

Page 8/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Check of weather data NA NA

Provide enough staff for

clearance works

NA NA

1.1.1.1.1.3.1.2 Wheel failure /

wear

Faulty design

of wheels

Derail-

ment

Collision Ensure correct initial design NA NA

Insufficient

maintenance

Derail-

ment


maintenance


requirement.


1.1.1.1.1.3.1.3 Track wear Faulty design

of track

Derail-

ment


Insufficient

maintenance

Derail-

ment


maintenance


requirement.


1.1.1.1.1.3.1.4 Wheel-track

interface failure

(incorrect design)

Disrespect of

Wheel-Track-

Interface

specifications

or legal

regulations

Derail-

ment


1.1.1.1.1.3.1.5 Wheel slip / slide

due to excessive

braking force

Faulty design

of braking

system

Derail-

ment

Collision Catastrophic Calculate ATP Speed Profile -

Ensure correct initial design


Insufficient

maintenance

Derail-

ment


maintenance


requirement.


Incorrect

usage of

braking

system by

driver

Derail-

ment

Collision Braking system supervision NA NA

Slip - Slide - Control NA NA

Training of driver NA NA Non functional

requirement.

Operation manuals.

1.1.1.1.1.3.1.6 Insufficient

adhesion

Insufficient

braking force

Derail-

ment

Collision Insufficient

braking force

results in

lower

frictional

forces, and

therefore in

less

adhesion

Catastrophic Calculate ATP Speed Profiles -

Ensure correct braking curves


Provide enough braking force /

contact

NA NA




Page 9/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.1.1.3.2 Insufficient

braking (braking-

force)1.1.1.1.1.3.2.1 Braking system

failure

Faulty design

of braking

system

Derail-

ment

Collision Catastrophic Supervise Actual Speed and Test

EB Performance - Ensure correct

initial design of braking system

O M M M M 5.4.3.4 &

5.3.2

5.1.5.2 &

5.5.10.3

Safety function

Insufficient

maintenance

of braking

system

Derail-

ment


maintenance


requirement.


Greasing

problems

(greasing

scheme)

Derail-

ment

Collision Configuration Management NA NA

1.1.1.1.1.3.2.2 Underestimated

mass / train

configuration

Incorrect

design of

mass / train

configuration

Derail-

ment

Collision Ensure correct procedure for

calculation and design of mass /

train configuration

NA NA

Wrong data

used

Derail-

ment

Collision Ensure correct data as input for

mass / train configuration

NA NA

1.1.1.1.1.3.3 Wrong brake

command

Faulty design

of on-board

equipment

Derail-

ment

Collision Catastrophic Supervise Actual Speed - This


of trains to ensure that the trains


profile.


Insufficient

maintenance

of on-board

equipment

Derail-

ment


maintenance


requirement.


Wrong

command by

driver

Derail-

ment

Collision Training of staff i.e. driver NA NA Non functional

requirement.

Operation manuals.

Employ well educated drivers NA NA

Well design and user supportive

HMI driver desk

NA NA

1.1.1.1.1.4 Wrong speed

command

Faulty design

of on-board

equipment

Derail-

ment





profile.


Insufficient

maintenance

of on-board

equipment

Derail-

ment


maintenance


requirement.


Wrong

command by

driver

Derail-

ment

Collision Training of staff i.e. driver NA NA Non functional

requirement.

Operation manuals.Doc Name: DEL_D3.1_BTSERCS_WP3_110215_V1.0.xls



Page 10/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Employ well educated drivers NA NA

Well design and user supportive

HMI driver desk

NA NA

1.1.1.1.1.5 Untimely

acceleration /

propulsion

command error

Faulty design

of propulsion

system

Derail-

ment





profile.


Insufficient

maintenance

of propulsion

system

Derail-

ment


maintenance

NA NA

1.1.1.1.2 Wrong speed limit

VL(X)

1.1.1.1.2.1 Wrong static route

data

Incorrect

surveying and

mapping

Derail-

ment

Collision Check consistency of data - This

function is intended to check the

consistency of available data

NA NA

Employ well educated and

trained staff

NA NA

Wrong input of

route data

Derail-

ment

Collision Load Infrastructure Data onto

onboard equipment

NA NA

Load Infrastructure Data onto

wayside equipment

NA NA

1.1.1.1.2.2 Wrong route

1.1.1.1.2.2.1 Wrong route

selection

ATP failure Derail-

ment

Collision Catastrophic Ensure Safe Route as

Combination of Route Elements -

This function is intended to allow

ATP to define and implement a

route as a combination of route

elements according to the needs

of the operator and to release

routes as part of it either by train

movement or manually.

M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function

Wrong route

selection by

OCC staff

Derail-

ment

Collision Safe process for data entry on

the non safe OCC HMI display

NA NA

Supportive functions for stress or

emergency cases

NA NA

Clear and understandable

operational rules


requirement.

Operation manuals.




Page 11/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Withdrawal of

route (e.g.

emergency

release)

without

communicatio

n to the train

Derail-

ment










M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function


emergency cases

NA NA

1.1.1.1.2.2.2 Wrong switch

setting

ATP failure Derail-

ment

Collision Catastrophic Ensure Safe Route Elements -

This function is intended to

switch switchable route elements

and ensure the switching is

performed under normal and safe

conditions.

M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function

Wrong switch

setting by

OCC staff

Derail-

ment

Collision Safe process for data entry on

the non safe OCC HMI display

NA NA


emergency cases

NA NA


operational rules


requirement.

Operation manuals.

1.1.1.1.2.3 Wrong

(temporary) speed

restriction

wayside

Wrong

maintenance

Derail-

ment

Collision Catastrophic Manage Temporary Speed

Restrictions (TSRs) - Load

Infrastructure Data onto onboard

equipment

NA M M M M 5.1.5 5.1.3.1.2 Safety function


wayside equipment

NA NA

Ensure correct maintenance NA NA Non functional

requirement.


Incorrect input

of data

Derail-

ment

Collision Catastrophic Manage Temporary Speed

Restrictions (TSRs) - Load

Infrastructure Data onto onboard

equipment

NA M M M M 5.1.5 5.1.3.1.2 Safety function


wayside equipment

NA NA




Page 12/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.1.2.4 Failed or incorrect

communication of

speed restriction

Faulty or

insufficient

communicatio

n system

Derail-

ment

Collision Supervise data communication

equipment - This function is

intended to inform staff about

availability of functions

concerning operation and status

of data communication

equipment.

NA NA

1.1.1.1.2.5 Wrong data of

speed limits on

train (track

database)

Wrong input

by engineers,

OCC or

maintenance

crew

Derail-

ment

Collision Check consistency of data - This

function is intended to check the

consistency of available data

NA NA


onboard equipment

NA NA


wayside equipment

NA NA

1.1.1.1.2.6 Faulty onboard

speed restriction

processing

Faulty design

of on-board

equipment

Derail-

ment



of trains to ensure that trains


profile.


Catastrophic Determine Static Speed Profiles -

This function determines the

static train speed profiles, which

are based on infrastructure data

such as track geometry and

quality, infrastructure constraints

(tunnels, bridges etc.) and train

data.

O M M M M 5.4.3.2 5.1.3.1.1 Safety function

Catastrophic Calculate ATP Speed Profiles -

this function is intended to

calculate for each segment of the

route the train speed limit. This

function calculates the dynamic

speed profiles of each train. The

dynamic speed profile is based

on the static speed profile, the

TSR, the braking profile with the

relevant safety margin.


Incorrect

maintenance

of on-board

equipment

Derail-

ment


maintenance


requirement.


1.1.1.2 Switch hazard

1.1.1.2.1 Wrong switch

status




Page 13/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.2.1.1 Undetected

misaligned switch

Interlocking

failure or

erroneous

status control

Derail-

ment




(points, diamond crossings with

slips, crossings with moveable

frogs and derailer) and ensures

the switching is performed under

normal (undisturbed) and safe

conditions.


Incorrect

maintenance

of switch

Derail-

ment


maintenance


requirement.



unlocked switch

Interlocking

failure or

erroneous

status control

Derail-

ment






frogs and derailer) and ensures



conditions.


Incorrect

maintenance

of switch

Derail-

ment


maintenance


requirement.



broken switch

components

Erroneous

status control

Derail-

ment

Collision Catastrophic Supervise Safety Related Inputs -


supervise the detection of

hazardous situations by external

sensors.

M M M M M 5.3.5 5.3.1.2 Safety function

Incorrect

maintenance

of switch

Derail-

ment


maintenance


requirement.


1.1.1.2.2 Insufficient safety

distance to

moving switch1.1.1.2.2.1 Insufficient worst

case safety

distance1.1.1.2.2.1.1 Wrong worst case

safety distance

registered (on

train)




Page 14/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.2.2.1.1.1 Failed or incorrect

communication of

worst case safety

distance (stop

point / speed limit)

Data

communicatio

n failure

Derail-

ment

Collision Catastrophic Provide Communication with

Staff - This function is intended to

inform staff about availability of

functions concerning operation

and status of data

communication equipment.

M M M M M 5.9.2 Ref.

Missing

Safety function

Faulty

communicatio

n system due

to incorrect

maintenance

Derail-

ment


maintenance


requirement.


Faulty design

of

communicatio

n system

Derail-

ment

Collision Ensure correct initial design of

communication system

NA NA Safety function.

Communication

protocol compliant with

EN50159.

1.1.1.2.2.1.1.2 Wrong worst case

safety distance

estimation /

determination

1.1.1.2.2.1.1.2.1 Wrong train

parameters input

Mistake by

driver during

input

Derail-

ment

Collision Catastrophic Perform Tests during Power on

Process - This function is

intended to perform all necessary

tests on vital equipment during

the power on process. Generally

this function includes only those

self tests that deal with the safety

of the ATP and the inputs and

outputs necessary for a vital

operation. Self tests that are

necessary to achieve the safety

features of vital processors

(computing unit including

operating system) are not

included here.

O M M M M 5.3.1 5.5.10.1 Safety function

Design of supportive functions for

data input

NA NA No vital data should be

introduced by driver

Safety Data

preparation

1.1.1.2.2.1.1.2.2 Wrong route

parameters input

Derail-

ment

Collision Catastrophic Load Infrastructure Data onto

MODURBAN - Onboard

NA M M M M 5.14 Ref.

Missing

Safety function

Catastrophic Load Infrastructure Data onto

MODURBAN - Wayside

NA M M M M 5.14 Ref.

Missing

Safety function




Page 15/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.2.2.1.1.2.3 Safety distance

calculation/determ

ination error

Interlocking

failure

Derail-

ment

Collision Catastrophic Determine Movement Authority

Limit - To ensure safe train

movement, this function

determines for each train its limit

of the MA, corresponding to the

first danger point ahead of the

train. Examples of danger points

are other trains (communicating

or not), faulty points, suspected

broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function

1.1.1.2.2.1.3 Wrong position

registered

Odometer

failure

Derail-

ment


Catastrophic Respond to Train Location

Failure

NA M M M M 5.7.2 Ref.

Missing

Safety function

1.1.1.2.2.1.4 Wrong route

1.1.1.2.2.1.4.1 Wrong route

selection /

authorization

ATP failure Derail-

ment











Wrong route

selection by

OCC staff in

exceptional

cases e.g.

emergency

cases

Derail-

ment

Collision Catastrophic Manage information to and from

OCC and wayside HMIs - Safe

process for data entry on the non

safe OCC HMI display

M M M M M 5.11.1 Ref.

Missing

Safety function


emergency cases

NA NA Safety function


operational rules


requirement.

Operation manuals.

1.1.1.2.2.1.4.2 Wrong switch

setting

ATP failure Derail-

ment





performed under normal and safe

conditions.


Wrong switch

setting by

OCC staff in

exceptional

cases

Derail-

ment

Collision Catastrophic Manage information to and from

OCC and wayside HMIs - Safe



M M M M M 5.11.1 Ref.

Missing

Safety function




Page 16/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2


emergency cases



operational rules


requirement.

Operation manuals.

1.1.1.2.2.1.5 Wrong train

departure

1.1.1.2.2.1.5.1 Wrong departure

command

ATP failure Derail-

ment










broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function

Catastrophic Authorise Train Departure after

Station Stop & Manage Train

Departure after a Stop outside

Station - Ensure correct initial

design of ATP regarding

departure command

O O M M M 5.5.4 &

5.5.8

5.4.3.1 &

5.4.3.2 &

5.5.3

Safety function

Regular inspection and

maintenance


requirement.


Wrong

departure

command by

driver

Derail-

ment

Collision Catastrophic Authorise Train Movement by

Wayside Signals - This function

supports train movement

authorisation to be provided to

trains by wayside signals

M O O O O 5.4.3.8 Ref.

Missing

Safety function

Provide high visibility on signals NA NA Non functional

requirement

1.1.1.2.2.1.5.2 Immobilisation

brake deficient

Faulty design

of braking

system

Derail-

ment

Collision Catastrophic Respond to Unexpected Train

Movements - This function

covers the reaction of ATP in

case of roll away.

O M M M M 5.7.4 5.1.5.5 Correct and sufficient

maintenance

Catastrophic Test EB Performance - Ensure

correct initial design of braking

system

NA NA NA O M 5.3.2 5.5.10.3 Safety function

Incorrect

maintenance

of braking

system

Derail-

ment




case of roll away.

O M M M M 5.7.4 5.1.5.5 Correct and sufficient

maintenance




Page 17/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2


maintenance

O M M M M NA NA Non functional

requirement.


1.1.1.2.2.1.5.3 Wrong departure

authorisation

Interlocking

failure

Derail-

ment










broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function

Catastrophic Authorise Train Movement by

Wayside Signals - This function

supports train movement

authorisation to be provided to

trains by wayside signals

M O O O O 5.4.3.8 Ref.

Missing

Safety function

Incorrect

authorisation

by OCC in

case of

exceptional

cases e.g.

emergency

cases

Derail-

ment

Collision Catastrophic Manage Onboard HMI - Safe



O M M O O 5.11.2 Ref.

Missing

Safety function


emergency cases



operational rules


requirement.

Operation manuals.

1.1.1.2.2.2 Wrong switch

command

Interlocking

failure

Derail-

ment






frogs and derailer) and ensure



conditions.





Page 18/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Erroneous

switch

command by

OCC staff

Derail-

ment






frogs and derailer) and ensure



conditions.


Catastrophic Manage Onboard HMI - Safe



O M M O O 5.11.2 Ref.

Missing


emergency cases



operational rules


requirement.

Operation manuals.

1.1.1.2.2.3 Wrong travel

direction

1.1.1.2.2.3.1 Faulty direction

control

Derail-

ment

Collision Catastrophic Determine Actual Train Travel

Direction - This function

determines the travel direction of

trains.

NA M M M M 5.4.1.3 5.1.2.2.2 Safety function

1.1.1.2.2.3.2 Roll back Insufficient

braking force

Derail-

ment




case of roll away.

O M M M M 5.7.4 5.1.5.5 Safety function

Faulty design

of brakes

Derail-

ment

Collision Catastrophic Test EB Performance - Ensure

correct initial design of brakes

NA NA NA O M 5.3.2 5.5.10.3 Safety function

Incorrect

maintenance

of brakes

Derail-

ment


maintenance


requirement.


1.1.1.2.3 Switch moves

under running

train1.1.1.2.3.1 Wrong switch

command

1.1.1.2.3.1.1 by system Interlocking

failure

Derail-

ment





performed under normal

(undisturbed) and safe

conditions.





Page 19/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.2.3.1.2 by staff No support for

decision of

switch

command

during

exceptional

cases

Derail-

ment

Collision Catastrophic Provide Communication with

Staff - Supportive functions for

staff of OCC in exceptional

cases, where no technical control

of switch command can be

provided

M M M M M 5.9.2 Ref.

Missing

Non functional

requirement

1.1.1.2.3.3 Wrong train

detection

1.1.1.2.3.3.1 Train not detected Unequipped or

failed train

Derail-

ment

Collision Catastrophic Detect Unequipped or Failed

Trains - This function determines

whether a section of track is

occupied by an unequipped or

failed train.

O O O O O 5.4.1.5 5.1.2.3 Safety function

Data

communicatio

n failure e.g.

data loss

Derail-

ment


1.1.1.2.3.3.2 End of train

detected untimely

Unequipped or

failed train

Derail-

ment,

Collision

Catastrophic Detect Unequipped or Failed

Trains - This function determines

whether a section of track is

occupied by an unequipped or

failed train.

O O O O O 5.4.1.5 5.1.2.3 Safety function

Data

communicatio

n failure e.g.

data loss or

delay

Derail-

ment


1.1.1.3 Guideway

structural failure

Faulty design

of guideway

Derail-

ment





sensors.


Catastrophic Determine Movement Authority









broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function

Ensure correct initial design of

guideway


requirement




Page 20/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Incorrect

maintenance

of guideway

Derail-

ment





sensors.











broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function


maintenance


requirement.


1.1.1.4 Vehicle structural

failure

(component

break)

Faulty design

of vehicle


vehicle

NA NA

Incorrect

maintenance

of vehicle


maintenance


requirement.


1.1.1.5 Object on

guideway

1.1.1.5.1 System object on

guideway

1.1.1.5.1.1 Forgotten

working/

maintenance/

rescue objects

Incorrect

maintenance

of guideway

Derail-

ment

Collision Catastrophic Establish Work Zones - Regular

inspection and maintenance

M M M M M 5.9.3 5.3.3 Indirect safety

measure

Catastrophic Establish Work Zones -

Clearance verification system

M M M M M 5.9.3 5.3.3 Indirect safety

measure

Catastrophic Establish a Zone of Protection -

Ensure procedures to clear

guideway after evacuation or

emergency case


1.1.1.5.1.2 Element from train

falls on track

1.1.1.5.1.2.1 Vehicle Structural

failure

Faulty design

of vehicle

Derail-

ment


vehicle

NA NA Rolling Stock Safety

function

Incorrect

maintenance

of vehicle

Derail-

ment


maintenance


requirement.





Page 21/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.1.1.5.1.2.2 Vehicle load falls

on track

Overloaded

vehicle

Derail-

ment

Collision Ensure correct loading of vehicle

(e.g. by vehicle examiner)

NA NA Rolling stock non

safety function. To be

confirmed.

Clearance verification system Input to be confirmed

1.1.1.5.1.3 Wayside element

infringes

clearance

envelope

1.1.1.5.1.3.1 Power supply

(catenary, third

rail etc.)

Faulty design

of power

supply system

Derail-

ment

Collision Catastrophic Supervise Other Safety Related

Inputs - This function is intended

to supervise the detection of


sensors.



power supply system

NA NA Power supply safety

function

Incorrect

maintenance

of power

supply system

Derail-

ment





sensors.



maintenance of power supply

system


requirement.


Environmental

forces

violating

power supply

system

Derail-

ment





sensors.



power supply system considering

environmental forces

NA NA Power supply safety

function

Criminal acts

on power

supply system

Derail-

ment





sensors.



power supply system considering

criminal acts

NA NA Security function

1.1.1.5.1.3.2 Signalling

Components

Faulty design

of signalling

components

Derail-

ment





sensors.



signalling components

NA NA Signalling safety

function




Page 22/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Incorrect

maintenance

of signalling

components

Derail-

ment





sensors.



maintenance of signalling

components


requirement.


Environmental

forces

violating

signalling

components

Derail-

ment





sensors.




considering environmental forces

NA NA Signalling safety

function

Criminal acts

on signalling

components

Derail-

ment





sensors.




considering criminal acts


1.1.1.5.1.3.3 Equipment

cabinets/ Platform

door enclosures/

Tunnel doors

Faulty design

of equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment

Collision Catastrophic Supervise Intrusion or Fall on

Track & Supervise Other Safety

Related Inputs - This function is

intended to supervise the

detection of hazardous situations

by external sensors.

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1

Safety function when

external sensors are

fitted


equipment cabinets, platform

doors enclosures, tunnel doors

NA NA PSD safety function

Incorrect

maintenance

of equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


maintenance of equipment

cabinets, platform doors

enclosures, tunnel doors


requirement.





Page 23/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Environmental

forces

violating

equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted




considering environmental forces

NA NA PSD safety function

Criminal acts

on equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted




considering criminal acts


1.1.1.5.1.3.4 Flooding gates Faulty design

of flooding

gates

Derail-

ment





sensors.

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gates

NA NA Flooding gates safety

function

Incorrect

maintenance

of flooding

gates

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


maintenance of flooding gates


requirement.





Page 24/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Environmental

forces

violating

flooding gates

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gates considering

environmental forces

NA NA Flooding Gates Safety

function

Criminal acts

on flooding

gates

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gates considering

criminal acts


1.1.1.5.2 Foreign objects

on guideway

1.1.1.5.2.1 External vehicle

(on level crossing)

Insufficient

protection of

level crossing

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of warning signals

and barriers for level crossings

NA NA Level crossing

protection safety

function

1.1.1.5.2.2 Environmental

impacts, fallen

objects (crane,

tree, branches,

stones, mud ...)

Insufficient

precautions

regarding

environmental

impacts or

fallen objects

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of precautions against

environmental impact and fallen

objects

NA NA Proection against

envionnement fallen

objects

1.1.1.5.2.3 Debris from

structural

breakdown

(bridges,

buildings,...)

Faulty design

bridges,

buildings ..

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted




Page 25/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2


bridges and building etc ..

NA NA Structure safety

design

Incorrect

maintenance

of bridges,

buildings, ..

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Ensure correct maintenance of

bridges and buildings etc ..


requirement.


1.1.1.5.2.4 Human impact/

Criminal acts

No boundaries

on critical sites

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of barriers to secure

guideway

NA NA Security barrier

installation

Insufficient

supervision of

guideway

Derail-

ment

Collision Installation of barriers to secure

guideway

NA NA Security barrier

installation

Catastrophic Installation of supervision of

guideway

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

9.2.1 Flooding Insufficient

precautions

Derail-

ment







M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted.

Intrusion supervision

coud be a system

depending on general

security system (not

modurban function).Insufficient

maintenance

of protection

constructions

Derail-

ment

Collision Ensure correct maintenance of

flooding gates


requirement.


1.1.1.6 Train lifted from

track through

aerodynamic force

1.1.1.6.1 Air draught in

tunnel

Faulty design

of tunnel

Derail-

ment

Collision Catastrophic Correct initial tunnel design

minimising dangerous air

draughts


requirement




Page 26/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Insufficient

maintenance /

faulty

construction

work

Derail-

ment

Collision Correct maintenance and

construction work


requirement

1.1.1.6.2 Pressure by

passing train

Faulty design

of

tunnel/guidew

ay

Derail-

ment

Collision Correct initial tunnel/guideway

design considering increasing

pressure by passing train


requirement

Insufficient

maintenance /

faulty

construction

work

Derail-

ment


construction work


requirement

9.2.2 Environmental

impact on vehicle

(wind, gales)

Insufficient

precautions

Derail-

ment

Collision Catastrophic Establish a Zone of Protection -

Ensure appropriate system-

design regarding exceptional

environmental conditions

(extreme wind etc.)


Catastrophic Manage Temporary Speed

Restriction (TSRs) - Establish

operational rules e.g. speed

reductions at critical areas

M M M M M

5.1.5 5.1.3.1.2

Safety function

Insufficient

maintenance

(construction

work) on

protection

constructions

Derail-

ment


construction work on protection

constructions


requirement

1.1.2 Train on guideway

infringes

clearance

envelope

1.1.2.1 Object protrudes

from train

1.1.2.1.1 Vehicle structural

failure

Faulty design

of vehicle

Derail-

ment


vehicle


requirement

Incorrect

maintenance

of vehicle

Derail-

ment


maintenance


requirement

1.1.2.1.2 Bad distribution of

freight load

Incorrect

loading

Derail-

ment

Collision Supervise loading procedure as

well as actual freight vehicle (e.g.

by vehicle examiner)

NA NA Not Relevant

Training of staff regarding loading NA NA Not Relevant




Page 27/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Faulty design

of freight cars

Derail-

ment


freight cars considering the

distribution of goods

NA NA Not Relevant

Incorrect

maintenance

of vehicle

Derail-

ment


vehicle

NA NA Not Relevant

1.1.2.2 Clearance

envelope

underdimensione

d

Faulty design /

dimensioning

of clearance

envelope by

engineers

Derail-

ment

Collision Ensure correct initial design /

dimensioning of clearance

envelope


requirement

1.1.2.3 Train leans

excessively

sideways1.1.2.3.1 Wrong load

distributions

Faulty design

of freight

vehicle

Derail-

ment


freight cars considering the

distribution of goods


requirement

Incorrect

maintenance

of vehicle

Derail-

ment


vehicle


requirement

Incorrect

loading

Derail-

ment

Collision Supervise loading procedure as

well as actual freight vehicle (e.g.

by vehicle examiner)


requirement

Training of staff regarding loading NA NA Non functional

requirement

1.1.2.3.2 Excessive

bogie/Axle/

Damping system

dynamics

Faulty design

of bogies,

axles and

damping

system

Derail-

ment

Collision Ensure correct initial

bogie/axle/damping system

design


requirement

Incorrect

maintenance

of bogies,

axles and

damping

system

Derail-

ment


bogies, axles and damping

system


requirement

1.1.2.3.3 Guideway

structural failure

Faulty design

of guideway

Derail-

ment





sensors.





Page 28/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2










broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function


guideway


requirement

Incorrect

maintenance

of guideway

Derail-

ment





sensors.











broken rails, etc.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function


maintenance


requirement.


1.2 Object / person

infringes train

clearance

envelope 1.2.1 Object infringes

clearance

envelope1.2.1.1 Other train /

vehicle infringes

clearance

envelope (flank

protection)

Incorrect

Movement

Authority

Derail-

ment,

Collision







train.

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

Safety function




Page 29/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Interlocking

failure

Derail-

ment,

Collision

Catastrophic Ensure Safe Route as









M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function

Broken switch

or derailer

Derail-

ment,

Collision

Catastrophic Supervise Safety Related Inputs -




sensors.

O O O M M 5.3.5 5.3.1.2 Safety function

1.2.1.2 Civil structure

fault / protrusion

in clearance

envelope1.2.1.2.1 Tunnel structural

fault/ collapse

Faulty design

of tunnel

Derail-

ment,

Collision





sensors.



the structure of the tunnel

NA NA

Incorrect

maintenance

or incorrect

construction

work on tunnel

Derail-

ment,

Collision





sensors.


Ensure correct inspection,

maintenance and construction

works on tunnel

NA NA

1.2.1.2.2 Drilling or

excavation above

tunnel

Insufficient

maintenance

rules or

procedures i.e.

incorrect

planning of

construction

site

Derail-

ment,

Collision





sensors.


Ensure adequate planning of

construction site

NA NA




Page 30/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

Incorrect

maintenance

or construction

works

(disobeying of

given rules or

procedures)

Derail-

ment,

Collision





sensors.




works - Ensure obeying of rules

and procedures

NA NA

1.2.1.2.3 Station structural

fault

Faulty design

of station

Derail-

ment,

Collision





sensors.



station

NA NA

Incorrect

maintenance

or construction

works on

station

Derail-

ment,

Collision





sensors.




works on and in station

NA NA

1.2.1.3 System object

infringes

clearance

envelope (cable

tray, overhead

lines, train

underfloor-

box/motor/object)

1.2.1.4 Object thrown at

train

1.2.1.4.1 from bridges Insufficient

precautions

against

objects thrown

at train

Derail-

ment,

Collision

Ensure correct initial system

design considering the possibility

of object thrown at train.

NA NA

1.2.1.4.2 from platform Insufficient

precautions

against

objects thrown

at train




NA NA




Page 31/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

1.2.1.4.3 from beside the

line

Insufficient

precautions

against

objects thrown

at train




NA NA

1.2.1.4.4 from passing train Insufficient

precautions

against

objects thrown

at train




NA NA

1.2.1.5 Animals Insufficient

precautions

against

animals

entering

Derail-

ment,

Collision



of animal entering railway

equipment.

NA NA

1.2.1.6 Environment

elements infringes

clearance

envelope

9.2.5 Stalactites in

tunnel

Insufficient

inspection of

tunnel

Derail-

ment,

Collision





sensors.


Ensure correct inspection and

maintenance of tunnel

NA NA

Too much

water/humidity

in tunnel

Derail-

ment,

Collision





sensors.


Ensure correct initial tunnel

design considering water and

general humidity

NA NA

1.2.1.6.2 Trees Insufficient

precautions to

protect track

Derail-

ment,

Collision





sensors.


Correct initial design considering

the possibility of falling trees on

guideway

NA NA

Insufficient

inspections of

track

Derail-

ment,

Collision





sensors.


Ensure correct inspection and

maintenance on track

NA NA




Page 32/138


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Possible

consequ

ential

accidents Remarks

Severity of

Conse-

quences Remarks


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2

9.2.3 Avalanche /

landslide/ falling

stones

Insufficient

precautions to

protect track

Derail-

ment,

Collision

Catastrophic

Preliminary Hazards Control and Safety Measures Analysis€¦ · 2.6 Asphyxiation 65 2.7 Toxic...

Documents

Transcript of Preliminary Hazards Control and Safety Measures Analysis€¦ · 2.6 Asphyxiation 65 2.7 Toxic...