European Commission Seventh Framework programme
MODSafe Modular Urban Transport Safety and Security Analysis
Preliminary Hazards Control and Safety Measures Analysis
Doc Name: DEL_D3.1_BTSERCS_WP3_110215_V1.0.doc Date: 110215 ID: DEL_D3.1_BTSERCS_WP3_110215_V1.0 Revision: V1.0 Restricted Page 2/138
Contract No. 218606
Document type DEL
Version V1.0
Status Released
Date 110215
WP WP 3
Lead Author BTSERCS
Contributors Alstom, Ansaldo, AREVA, Dimet, LU, RATP, Thales RSS, TRIT, UVHC, UITP
Description D3.1
Document ID DEL_D3.1_BTSERCS_WP3_110215_V1.0
Dissemination level PU
Distribution Consortium members and EC
Document History:
Version Date Author Modification [very short description]
V0.1 2010-08-31 BTSERCS Initial draft based on D2.1_Annex_Hazard_Analysis_091102_v3 with safety measures updated by WP3 members
V0.2 2010-11-01 BTSERCS Updated based on review comments 2010-09-27.
V0.3 2010-12-17 BTSERCS Minor corrections.
V0.4 2011-02-04 BTSERCS Updated based on review comments 2011-01-10.
V1.0 2011-02-15 BTSERCS Final approved version.
Approval:
Authority Name/Partner Date
WP responsible BTSERCS - WP3 Consensus 2010-08-31
EB members WP10 Consensus 2011-02-15
Coordinator TRIT 2011-02-16
Table of Content
1. Summary
2. References
3. Terms and Abbreviations
4. Explanation of the Table
5. Conclusion
Table of Hazards and Safety Functions
1 Train movement
1.1 Train infringes clearance envelope
1.2 Object / person infringes clearance envelope
1.3 Train collision hazard within uninfringed clearance envelope
2 Train interior
2.1 Person struck / hurt by object
2.2 Explosion
2.3 Person fall in train
2.4 Fire
2.5 Inadequate temperature
2.6 Asphyxiation
2.7 Toxic releases
2.8 Radiation
2.9 Electrocution in train
2.10 Person contact with machinery
2.11 Person exposed to noise
2.12 Person needs urgent assistance
3 Train-Station interface (with train in station)
3.1 Passenger falls from train on station track
3.2 Passenger injured by door closing
3.3 Train departs with passenger trapped in doors
3.4 Train moves at passenger exchange
3.5 Person between vehicle / vehicle gaps
3.6 Person steps / falls into vehicle – platform gap
3.7 Electrocution
4 Train-Station interface (without train in station)
4.1 Person struck by falling object
4.2 Person hit by sharp object
4.3 Person hurt by protruding object
4.4 Wheelchair / baby carriage hazards
4.5 Person falls in station
4.6 Person falls / intrudes on station track
4.7 Electrocution in station
4.8 Smoke
4.9 Explosion
4.10 Fire in station
4.11 Toxic release
5 Depot
5.1 Staff injured by operation of machines and equipment
5.2 Shunting hazards
5.3 Undue train / vehicle enters operation area
5.4 Passenger in depot area
5.5 Staff run over by train
6 OCC
6.1 Fire in OCC
6.2 Electrocution in OCC
6.3 Explosion in OCC
6.4 Building collapse
6.5 Terrorism, attacks, criminal acts
6.6 Radiation in OCC
6.7 Asphyxiation / poisoning in OCC
7 Maintenance
7.1 Staff injured by operation of machines and equipment
7.2 Electrocution / lightning
7.3 Staff endangered by moving train
7.4 Obstacles on guideway or walkway
7.5 Explosion during maintenance
7.6 Fire during maintenance
7.7 Asphyxiation / poisoning
7.8 Inappropriate temperature
7.9 Staff in danger cannot escape guideway
7.10 Radiation
7.11 Staff caught in machinery
8 Emergency – Evacuation
8.1 People hit by train: involved track, adjacent track
8.2 Burn / fire
8.3 Asphyxiation / poisoning
8.4 Electrocution / lightning
8.5 Explosion during evacuation
8.6 Inappropriate temperature
8.7 Radiation
8.8 Drowning
8.9 Person hurt during evacuation (others)
9 Environmental influences
9.1 Weather conditions (moderate)
9.2 Force of nature
1. Summary
This deliverable is the first analysis in which the existing generic safety functions from previous EC projects and other generic safety functions of the supply industry are mapped to the hazards from the MODSafe WP2 D2.1 Preliminary Hazard Analysis /1/ and /2/. This is the preliminary hazards control and safety measures analysis that will be used as a basis for D3.2, which is the final hazards control and safety measures analysis.
2. References
/1/ MODSafe DEL_D2.1_TUD_WP2_091102_V3
/2/ MODSafe_WP2_D2.1_Annex_Hazard_Analysis
/3/ MODURBAN DEL_D80_v2-5_BVG_WP21_090317
/4/ IEC 62290-2
/5/ MODSafe DEL_D10.5_RATP_WP10_101005_V3
/6/ MODSafe WP4 – D4.2 Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions
3. Terms and Abbreviations
The terms and abbreviations used in this project are explained in the Glossary /5/. In addition, the following abbreviations are used here:
Abbreviation Explanation
EB Emergency Brake
M Mandatory
NA Not applicable, because the safety measure applies only to the technical system and not to operational staff
O Optional
TSR Temporary Speed Restriction
4. Explanation of the Table
This deliverable is presented in the same format as the Preliminary Hazard Analysis /2/, with corresponding safety functions and grade of automation added in separate columns. The entire sections 2 – 4 and sections 7 – 9 in the Preliminary Hazard Analysis /2/ are excluded, since the major part of the safety measures for these hazards is not directly related to train operation. Otherwise this deliverable provides a complete list of safety functions. GOA0 is not within the scope of this analysis. The other grades of automation (GOA1a, GOA1b, GOA2, GOA3 and GOA4) are marked as not applicable, mandatory or optional. The safety functions are referenced to the corresponding functional requirements from MODURBAN WP21 D80 /3/ and the draft standard IEC 62290-2 /4/, which is compatible with D80. Non-safety functions are excluded from this analysis.
5. Conclusion
For each hazard within the scope of this analysis, it has been possible to find corresponding safety functions in the MODURBAN WP21 D80 /3/. Some hazards are not covered by the draft standard IEC 62290-2 /4/. This preliminary hazards control and safety measures analysis can be updated in a second step to fulfil the objectives of the MODSafe WP3 D3.2. To some extent, non-technical safety measures such as procedures will then also be added, and the analysis will be updated with respect to the table sections 2 – 4 and 7 – 9. The final hazards control and safety measures analysis will also be updated to conform to MODSafe WP4 D4.2 /6/.
MODSafe WP3 Preliminary Hazards Control and Safety Measures Analysis
Doc Name: DEL_D3.1_BTSERCS_WP3_110215_V1.0.xls ID: DEL_D3.1_BTSERCS_WP3_110215_V1.0 Revision: V1.0 Restricted Date: 110215 Page 8/138

| Hazard Numbering (up to 10 level) | Hazard | Hazard Cause | Type of Accident (primary) | Possible consequential accidents | Remarks (hazard identification) | Severity of Consequences | Remarks (severity) | Generic Safety Measures | GOA 1a | GOA 1b | GOA 2 | GOA 3 | GOA 4 | Ref. Modurban D80 | Ref. IEC 62290-2 | Remarks (safety measures) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Train Movement Hazards | | | | | | | | | | | | | | | |
| 1.1 | Train infringes clearance envelope | | | | | | | | | | | | | | | |
| 1.1.1 | Train (car) leaves guideway (momentarily or irrevocably / derailment) | | | | | | | | | | | | | | | |
| 1.1.1.1 | Inappropriate speed | | | | | | | | | | | | | | | |
| 1.1.1.1.1 | VT(x) > VL(x) | | | | | | | | | | | | | | | |
| 1.1.1.1.1.1 | Wrong position registered | Odometer failure | Derailment | Collision | | Catastrophic | | Determine Train Location | NA | M | M | M | M | 5.4.1.2 | 5.1.2.2.3 | Safety function |
| | | | | | | Catastrophic | | Respond to Train Location Failure | NA | M | M | M | M | 5.7.2 | NA | Safety function |
| 1.1.1.1.1.2 | Wrong speed registered | | | | | | | | | | | | | | | |
| 1.1.1.1.1.2.1 | Speed measurement failure | Wheelspin | Derailment | Collision | | Catastrophic | | Calculate Train Speed - This function determines train speed. | O | M | M | M | M | 5.4.1.7 | 5.1.5.1 | Safety function |
| | | | | | | Catastrophic | | Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile. | O | M | M | M | M | 5.4.3.4 | 5.1.5.2 | Safety function |
| 1.1.1.1.1.2.2 | On-board speed processing failure | On-Board ATP equipment design failure | Derailment | Collision | | Catastrophic | | Calculate Train Speed - This function determines train speed. | O | M | M | M | M | 5.4.1.7 | 5.1.5.1 | Safety function |
| | | Incorrect maintenance of On-Board ATP | Derailment | Collision | | | | Regular inspection and maintenance of ATP equipment | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.1.1.3 | Insufficient deceleration | | | | | | | | | | | | | | | |
| 1.1.1.1.1.3.1 | Improper vehicle - guideway coupling (adhesion) | | | | | | | | | | | | | | | |
| 9.1.1 | Anything (snow, rain, leaves, greasy material) on guideway | Insufficient maintenance or clearance of guideway by crew | Derailment | Collision | | | | Regular Inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | | | | | | | Guideway heating | | | | | | NA | NA | |
| | | | | | | | | Check of weather data | | | | | | NA | NA | |
| | | | | | | | | Provide enough staff for clearance works | | | | | | NA | NA | |
| 1.1.1.1.1.3.1.2 | Wheel failure / wear | Faulty design of wheels | Derailment | Collision | | | | Ensure correct initial design | | | | | | NA | NA | |
| | | Insufficient maintenance | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.1.1.3.1.3 | Track wear | Faulty design of track | Derailment | Collision | | | | Ensure correct initial design | | | | | | NA | NA | |
| | | Insufficient maintenance | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.1.1.3.1.4 | Wheel-track interface failure (incorrect design) | Disrespect of Wheel-Track-Interface specifications or legal regulations | Derailment | Collision | | | | Ensure correct initial design | | | | | | NA | NA | |
| 1.1.1.1.1.3.1.5 | Wheel slip / slide due to excessive braking force | Faulty design of braking system | Derailment | Collision | | Catastrophic | | Calculate ATP Speed Profile - Ensure correct initial design | O | M | M | M | M | 5.4.3.3 | 5.1.4.2 | Safety function |
| | | Insufficient maintenance | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Incorrect usage of braking system by driver | Derailment | Collision | | | | Braking system supervision | | | | | | NA | NA | |
| | | | | | | | | Slip - Slide - Control | | | | | | NA | NA | |
| | | | | | | | | Training of driver | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| 1.1.1.1.1.3.1.6 | Insufficient adhesion | Insufficient braking force | Derailment | Collision | Insufficient braking force results in lower frictional forces, and therefore in less adhesion | Catastrophic | | Calculate ATP Speed Profiles - Ensure correct braking curves | O | M | M | M | M | 5.4.3.3 | 5.1.4.2 | Safety function |
| | | | | | | | | Provide enough braking force / contact | | | | | | NA | NA | |
| 1.1.1.1.1.3.2 | Insufficient braking (braking-force) | | | | | | | | | | | | | | | |
| 1.1.1.1.1.3.2.1 | Braking system failure | Faulty design of braking system | Derailment | Collision | | Catastrophic | | Supervise Actual Speed and Test EB Performance - Ensure correct initial design of braking system | O | M | M | M | M | 5.4.3.4 & 5.3.2 | 5.1.5.2 & 5.5.10.3 | Safety function |
| | | Insufficient maintenance of braking system | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Greasing problems (greasing scheme) | Derailment | Collision | | | | Configuration Management | | | | | | NA | NA | |
| 1.1.1.1.1.3.2.2 | Underestimated mass / train configuration | Incorrect design of mass / train configuration | Derailment | Collision | | | | Ensure correct procedure for calculation and design of mass / train configuration | | | | | | NA | NA | |
| | | Wrong data used | Derailment | Collision | | | | Ensure correct data as input for mass / train configuration | | | | | | NA | NA | |
| 1.1.1.1.1.3.3 | Wrong brake command | Faulty design of on-board equipment | Derailment | Collision | | Catastrophic | | Supervise Actual Speed - This function supervises the operation of trains to ensure that the trains remain within the dynamic speed profile. | O | M | M | M | M | 5.4.3.4 | 5.1.5.2 | Safety function |
| | | Insufficient maintenance of on-board equipment | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Wrong command by driver | Derailment | Collision | | | | Training of staff i.e. driver | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| | | | | | | | | Employ well educated drivers | | | | | | NA | NA | |
| | | | | | | | | Well designed and user supportive HMI driver desk | | | | | | NA | NA | |
| 1.1.1.1.1.4 | Wrong speed command | Faulty design of on-board equipment | Derailment | Collision | | Catastrophic | | Supervise Actual Speed - This function supervises the operation of trains to ensure that the trains remain within the dynamic speed profile. | O | M | M | M | M | 5.4.3.4 | 5.1.5.2 | Safety function |
| | | Insufficient maintenance of on-board equipment | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Wrong command by driver | Derailment | Collision | | | | Training of staff i.e. driver | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| | | | | | | | | Employ well educated drivers | | | | | | NA | NA | |
| | | | | | | | | Well designed and user supportive HMI driver desk | | | | | | NA | NA | |
| 1.1.1.1.1.5 | Untimely acceleration / propulsion command error | Faulty design of propulsion system | Derailment | Collision | | Catastrophic | | Supervise Actual Speed - This function supervises the operation of trains to ensure that the trains remain within the dynamic speed profile. | O | M | M | M | M | 5.4.3.4 | 5.1.5.2 | Safety function |
| | | Insufficient maintenance of propulsion system | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | |
| 1.1.1.1.2 | Wrong speed limit VL(X) | | | | | | | | | | | | | | | |
| 1.1.1.1.2.1 | Wrong static route data | Incorrect surveying and mapping | Derailment | Collision | | | | Check consistency of data - This function is intended to check the consistency of available data | | | | | | NA | NA | |
| | | | | | | | | Employ well educated and trained staff | | | | | | NA | NA | |
| | | Wrong input of route data | Derailment | Collision | | | | Load Infrastructure Data onto onboard equipment | | | | | | NA | NA | |
| | | | | | | | | Load Infrastructure Data onto wayside equipment | | | | | | NA | NA | |
| 1.1.1.1.2.2 | Wrong route | | | | | | | | | | | | | | | |
| 1.1.1.1.2.2.1 | Wrong route selection | ATP failure | Derailment | Collision | | Catastrophic | | Ensure Safe Route as Combination of Route Elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually. | M | M | M | M | M | 5.4.2.2 | 5.1.1.1.1-3 & 5.1.1.2 & 5.1.1.1.3 | Safety function |
| | | Wrong route selection by OCC staff | Derailment | Collision | | | | Safe process for data entry on the non safe OCC HMI display | | | | | | NA | NA | |
| | | | | | | | | Supportive functions for stress or emergency cases | | | | | | NA | NA | |
| | | | | | | | | Clear and understandable operational rules | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| | | Withdrawal of route (e.g. emergency release) without communication to the train | Derailment | Collision | | Catastrophic | | Ensure Safe Route as Combination of Route Elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually. | M | M | M | M | M | 5.4.2.2 | 5.1.1.1.1-3 & 5.1.1.2 & 5.1.1.1.3 | Safety function |
| | | | | | | | | Supportive functions for stress or emergency cases | | | | | | NA | NA | |
| 1.1.1.1.2.2.2 | Wrong switch setting | ATP failure | Derailment | Collision | | Catastrophic | | Ensure Safe Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal and safe conditions. | M | M | M | M | M | 5.4.2.1 | 5.1.1.1.1-6 | Safety function |
| | | Wrong switch setting by OCC staff | Derailment | Collision | | | | Safe process for data entry on the non safe OCC HMI display | | | | | | NA | NA | |
| | | | | | | | | Supportive functions for stress or emergency cases | | | | | | NA | NA | |
| | | | | | | | | Clear and understandable operational rules | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| 1.1.1.1.2.3 | Wrong (temporary) speed restriction wayside | Wrong maintenance | Derailment | Collision | | Catastrophic | | Manage Temporary Speed Restrictions (TSRs) - Load Infrastructure Data onto onboard equipment | NA | M | M | M | M | 5.1.5 | 5.1.3.1.2 | Safety function |
| | | | | | | | | Load Infrastructure Data onto wayside equipment | | | | | | NA | NA | |
| | | | | | | | | Ensure correct maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Incorrect input of data | Derailment | Collision | | Catastrophic | | Manage Temporary Speed Restrictions (TSRs) - Load Infrastructure Data onto onboard equipment | NA | M | M | M | M | 5.1.5 | 5.1.3.1.2 | Safety function |
| | | | | | | | | Load Infrastructure Data onto wayside equipment | | | | | | NA | NA | |
| 1.1.1.1.2.4 | Failed or incorrect communication of speed restriction | Faulty or insufficient communication system | Derailment | Collision | | | | Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment. | | | | | | NA | NA | |
| 1.1.1.1.2.5 | Wrong data of speed limits on train (track database) | Wrong input by engineers, OCC or maintenance crew | Derailment | Collision | | | | Check consistency of data - This function is intended to check the consistency of available data | | | | | | NA | NA | |
| | | | | | | | | Load Infrastructure Data onto onboard equipment | | | | | | NA | NA | |
| | | | | | | | | Load Infrastructure Data onto wayside equipment | | | | | | NA | NA | |
| 1.1.1.1.2.6 | Faulty onboard speed restriction processing | Faulty design of on-board equipment | Derailment | Collision | | Catastrophic | | Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile. | O | M | M | M | M | 5.4.3.4 | 5.1.5.2 | Safety function |
| | | | | | | Catastrophic | | Determine Static Speed Profiles - This function determines the static train speed profiles, which are based on infrastructure data such as track geometry and quality, infrastructure constraints (tunnels, bridges etc.) and train data. | O | M | M | M | M | 5.4.3.2 | 5.1.3.1.1 | Safety function |
| | | | | | | Catastrophic | | Calculate ATP Speed Profiles - this function is intended to calculate for each segment of the route the train speed limit. This function calculates the dynamic speed profiles of each train. The dynamic speed profile is based on the static speed profile, the TSR, the braking profile with the relevant safety margin. | O | M | M | M | M | 5.4.3.3 | 5.1.4.2 | Safety function |
| | | Incorrect maintenance of on-board equipment | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.2 | Switch hazard | | | | | | | | | | | | | | | |
| 1.1.1.2.1 | Wrong switch status | | | | | | | | | | | | | | | |
| 1.1.1.2.1.1 | Undetected misaligned switch | Interlocking failure or erroneous status control | Derailment | Collision | | Catastrophic | | Ensure Safe Route Elements - This function is intended to switch switchable route elements (points, diamond crossings with slips, crossings with moveable frogs and derailer) and ensures the switching is performed under normal (undisturbed) and safe conditions. | M | M | M | M | M | 5.4.2.1 | 5.1.1.1.1-6 | Safety function |
| | | Incorrect maintenance of switch | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.2.1.2 | Undetected unlocked switch | Interlocking failure or erroneous status control | Derailment | Collision | | Catastrophic | | Ensure Safe Route Elements - This function is intended to switch switchable route elements (points, diamond crossings with slips, crossings with moveable frogs and derailer) and ensures the switching is performed under normal (undisturbed) and safe conditions. | M | M | M | M | M | 5.4.2.1 | 5.1.1.1.1-6 | Safety function |
| | | Incorrect maintenance of switch | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.2.1.3 | Undetected broken switch components | Erroneous status control | Derailment | Collision | | Catastrophic | | Supervise Safety Related Inputs - This function is intended to supervise the detection of hazardous situations by external sensors. | M | M | M | M | M | 5.3.5 | 5.3.1.2 | Safety function |
| | | Incorrect maintenance of switch | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| 1.1.1.2.2 | Insufficient safety distance to moving switch | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1 | Insufficient worst case safety distance | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1.1 | Wrong worst case safety distance registered (on train) | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1.1.1 | Failed or incorrect communication of worst case safety distance (stop point / speed limit) | Data communication failure | Derailment | Collision | | Catastrophic | | Provide Communication with Staff - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment. | M | M | M | M | M | 5.9.2 | Ref. Missing | Safety function |
| | | Faulty communication system due to incorrect maintenance | Derailment | Collision | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Faulty design of communication system | Derailment | Collision | | | | Ensure correct initial design of communication system | | | | | | NA | NA | Safety function. Communication protocol compliant with EN50159. |
| 1.1.1.2.2.1.1.2 | Wrong worst case safety distance estimation / determination | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1.1.2.1 | Wrong train parameters input | Mistake by driver during input | Derailment | Collision | | Catastrophic | | Perform Tests during Power on Process - This function is intended to perform all necessary tests on vital equipment during the power on process. Generally this function includes only those self tests that deal with the safety of the ATP and the inputs and outputs necessary for a vital operation. Self tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here. | O | M | M | M | M | 5.3.1 | 5.5.10.1 | Safety function |
| | | | | | | | | Design of supportive functions for data input | | | | | | NA | NA | No vital data should be introduced by driver; Safety Data preparation |
| 1.1.1.2.2.1.1.2.2 | Wrong route parameters input | | Derailment | Collision | | Catastrophic | | Load Infrastructure Data onto MODURBAN - Onboard | NA | M | M | M | M | 5.14 | Ref. Missing | Safety function |
| | | | | | | Catastrophic | | Load Infrastructure Data onto MODURBAN - Wayside | NA | M | M | M | M | 5.14 | Ref. Missing | Safety function |
| 1.1.1.2.2.1.1.2.3 | Safety distance calculation/determination error | Interlocking failure | Derailment | Collision | | Catastrophic | | Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train. Examples of danger points are other trains (communicating or not), faulty points, suspected broken rails, etc. | M | M | M | M | M | 5.4.3.1 | 5.1.1.1.2 & 5.1.4.1 | Safety function |
| 1.1.1.2.2.1.3 | Wrong position registered | Odometer failure | Derailment | Collision | | Catastrophic | | Determine Train Location | NA | M | M | M | M | 5.4.1.2 | 5.1.2.2.3 | Safety function |
| | | | | | | Catastrophic | | Respond to Train Location Failure | NA | M | M | M | M | 5.7.2 | Ref. Missing | Safety function |
| 1.1.1.2.2.1.4 | Wrong route | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1.4.1 | Wrong route selection / authorization | ATP failure | Derailment | Collision | | Catastrophic | | Ensure Safe Route as Combination of Route Elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually. | M | M | M | M | M | 5.4.2.1 | 5.1.1.1.1-6 | Safety function |
| | | Wrong route selection by OCC staff in exceptional cases e.g. emergency cases | Derailment | Collision | | Catastrophic | | Manage information to and from OCC and wayside HMIs - Safe process for data entry on the non safe OCC HMI display | M | M | M | M | M | 5.11.1 | Ref. Missing | Safety function |
| | | | | | | | | Supportive functions for stress or emergency cases | | | | | | NA | NA | Safety function |
| | | | | | | | | Clear and understandable operational rules | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| 1.1.1.2.2.1.4.2 | Wrong switch setting | ATP failure | Derailment | Collision | | Catastrophic | | Ensure Safe Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal and safe conditions. | M | M | M | M | M | 5.4.2.1 | 5.1.1.1.1-6 | Safety function |
| | | Wrong switch setting by OCC staff in exceptional cases | Derailment | Collision | | Catastrophic | | Manage information to and from OCC and wayside HMIs - Safe process for data entry on the non safe OCC HMI display | M | M | M | M | M | 5.11.1 | Ref. Missing | Safety function |
| | | | | | | | | Supportive functions for stress or emergency cases | | | | | | NA | NA | Safety function |
| | | | | | | | | Clear and understandable operational rules | | | | | | NA | NA | Non functional requirement. Operation manuals. |
| 1.1.1.2.2.1.5 | Wrong train departure | | | | | | | | | | | | | | | |
| 1.1.1.2.2.1.5.1 | Wrong departure command | ATP failure | Derailment | Collision | | Catastrophic | | Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train. Examples of danger points are other trains (communicating or not), faulty points, suspected broken rails, etc. | M | M | M | M | M | 5.4.3.1 | 5.1.1.1.2 & 5.1.4.1 | Safety function |
| | | | | | | Catastrophic | | Authorise Train Departure after Station Stop & Manage Train Departure after a Stop outside Station - Ensure correct initial design of ATP regarding departure command | O | O | M | M | M | 5.5.4 & 5.5.8 | 5.4.3.1 & 5.4.3.2 & 5.5.3 | Safety function |
| | | | | | | | | Regular inspection and maintenance | | | | | | NA | NA | Non functional requirement. Maintenance manuals. |
| | | Wrong departure command by driver | Derailment | Collision | | Catastrophic | | Authorise Train Movement by Wayside Signals - This function supports train movement authorisation to be provided to trains by wayside signals | M | O | O | O | O | 5.4.3.8 | Ref. Missing | Safety function |
| | | | | | | | | Provide high visibility on signals | | | | | | NA | NA | Non functional requirement |
| 1.1.1.2.2.1.5.2 | Immobilisation brake deficient | Faulty design of braking system | Derailment | Collision | | Catastrophic | | Respond to Unexpected Train Movements - This function covers the reaction of ATP in case of roll away. | O | M | M | M | M | 5.7.4 | 5.1.5.5 | Correct and sufficient maintenance |
| | | | | | | Catastrophic | | Test EB Performance - Ensure correct initial design of braking system | NA | NA | NA | O | M | 5.3.2 | 5.5.10.3 | Safety function |
| | | Incorrect maintenance of braking system | Derailment | Collision | | Catastrophic | | Respond to Unexpected Train Movements - This function covers the reaction of ATP in case of roll away. | O | M | M | M | M | 5.7.4 | 5.1.5.5 | Correct and sufficient maintenance |
Regular inspection and
maintenance
O M M M M NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.2.2.1.5.3 Wrong departure
authorisation
Interlocking
failure
Derail-
ment
Collision Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train. Examples of danger points
are other trains (communicating
or not), faulty points, suspected
broken rails, etc.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Catastrophic Authorise Train Movement by
Wayside Signals - This function
supports train movement
authorisation to be provided to
trains by wayside signals
M O O O O 5.4.3.8 Ref.
Missing
Safety function
Incorrect
authorisation
by OCC in
case of
exceptional
cases e.g.
emergency
cases
Derailment
Collision Catastrophic Manage Onboard HMI - Safe
process for data entry on the non
safe OCC HMI display
O M M O O 5.11.2 Ref.
Missing
Safety function
Supportive functions for stress or
emergency cases
NA NA Safety function
Clear and understandable
operational rules
NA NA Non functional
requirement.
Operation manuals.
1.1.1.2.2.2 Wrong switch
command
Interlocking
failure
Derailment
Collision Catastrophic Ensure Safe Route Elements -
This function is intended to
switch switchable route elements
(points, diamond crossings with
slips, crossings with moveable
frogs and derailer) and ensure
the switching is performed under
normal (undisturbed) and safe
conditions.
M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function
Erroneous
switch
command by
OCC staff
Derailment
Collision Catastrophic Ensure Safe Route Elements -
This function is intended to
switch switchable route elements
(points, diamond crossings with
slips, crossings with moveable
frogs and derailer) and ensure
the switching is performed under
normal (undisturbed) and safe
conditions.
M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function
Catastrophic Manage Onboard HMI - Safe
process for data entry on the non
safe OCC HMI display
O M M O O 5.11.2 Ref.
Missing
Supportive functions for stress or
emergency cases
NA NA Safety function
Clear and understandable
operational rules
NA NA Non functional
requirement.
Operation manuals.
1.1.1.2.2.3 Wrong travel
direction
1.1.1.2.2.3.1 Faulty direction
control
Derailment
Collision Catastrophic Determine Actual Train Travel
Direction - This function
determines the travel direction of
trains.
NA M M M M 5.4.1.3 5.1.2.2.2 Safety function
1.1.1.2.2.3.2 Roll back Insufficient
braking force
Derailment
Collision Catastrophic Respond to Unexpected Train
Movements - This function
covers the reaction of ATP in
case of roll away.
O M M M M 5.7.4 5.1.5.5 Safety function
Faulty design
of brakes
Derailment
Collision Catastrophic Test EB Performance - Ensure
correct initial design of brakes
NA NA NA O M 5.3.2 5.5.10.3 Safety function
Incorrect
maintenance
of brakes
Derailment
Collision Regular inspection and
maintenance
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.2.3 Switch moves
under running
train
1.1.1.2.3.1 Wrong switch
command
1.1.1.2.3.1.1 by system Interlocking
failure
Derailment
Collision Catastrophic Ensure Safe Route Elements -
This function is intended to
switch switchable route elements
and ensure the switching is
performed under normal
(undisturbed) and safe
conditions.
M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function
1.1.1.2.3.1.2 by staff No support for
decision of
switch
command
during
exceptional
cases
Derailment
Collision Catastrophic Provide Communication with
Staff - Supportive functions for
staff of OCC in exceptional
cases, where no technical control
of switch command can be
provided
M M M M M 5.9.2 Ref.
Missing
Non functional
requirement
1.1.1.2.3.3 Wrong train
detection
1.1.1.2.3.3.1 Train not detected Unequipped or
failed train
Derailment
Collision Catastrophic Detect Unequipped or Failed
Trains - This function determines
whether a section of track is
occupied by an unequipped or
failed train.
O O O O O 5.4.1.5 5.1.2.3 Safety function
Data
communication failure e.g.
data loss
Derailment
Collision Catastrophic Determine Train Location NA M M M M 5.4.1.2 5.1.2.2.3 Safety function
1.1.1.2.3.3.2 End of train
detected untimely
Unequipped or
failed train
Derailment,
Collision
Catastrophic Detect Unequipped or Failed
Trains - This function determines
whether a section of track is
occupied by an unequipped or
failed train.
O O O O O 5.4.1.5 5.1.2.3 Safety function
Data
communication failure e.g.
data loss or
delay
Derailment
Collision Catastrophic Determine Train Location NA M M M M 5.4.1.2 5.1.2.2.3 Safety function
1.1.1.3 Guideway
structural failure
Faulty design
of guideway
Derailment
Collision Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train. Examples of danger points
are other trains (communicating
or not), faulty points, suspected
broken rails, etc.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Ensure correct initial design of
guideway
NA NA Non functional
requirement
Incorrect
maintenance
of guideway
Derailment
Collision Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train. Examples of danger points
are other trains (communicating
or not), faulty points, suspected
broken rails, etc.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Regular inspection and
maintenance
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.4 Vehicle structural
failure
(component
break)
Faulty design
of vehicle
Ensure correct initial design of
vehicle
NA NA
Incorrect
maintenance
of vehicle
Regular inspection and
maintenance
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.5 Object on
guideway
1.1.1.5.1 System object on
guideway
1.1.1.5.1.1 Forgotten
working/
maintenance/
rescue objects
Incorrect
maintenance
of guideway
Derailment
Collision Catastrophic Establish Work Zones - Regular
inspection and maintenance
M M M M M 5.9.3 5.3.3 Indirect safety
measure
Catastrophic Establish Work Zones -
Clearance verification system
M M M M M 5.9.3 5.3.3 Indirect safety
measure
Catastrophic Establish a Zone of Protection -
Ensure procedures to clear
guideway after evacuation or
emergency case
M M M M M 5.7.1 5.1.4.4 Safety function
1.1.1.5.1.2 Element from train
falls on track
1.1.1.5.1.2.1 Vehicle Structural
failure
Faulty design
of vehicle
Derailment
Collision Ensure correct initial design of
vehicle
NA NA Rolling Stock Safety
function
Incorrect
maintenance
of vehicle
Derailment
Collision Regular inspection and
maintenance
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.5.1.2.2 Vehicle load falls
on track
Overloaded
vehicle
Derailment
Collision Ensure correct loading of vehicle
(e.g. by vehicle examiner)
NA NA Rolling stock non
safety function. To be
confirmed.
Clearance verification system Input to be confirmed
1.1.1.5.1.3 Wayside element
infringes
clearance
envelope
1.1.1.5.1.3.1 Power supply
(catenary, third
rail etc.)
Faulty design
of power
supply system
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
power supply system
NA NA Power supply safety
function
Incorrect
maintenance
of power
supply system
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Regular inspection and
maintenance of power supply
system
NA NA Non functional
requirement.
Maintenance manuals.
Environmental
forces
violating
power supply
system
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
power supply system considering
environmental forces
NA NA Power supply safety
function
Criminal acts
on power
supply system
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
power supply system considering
criminal acts
NA NA Security function
1.1.1.5.1.3.2 Signalling
Components
Faulty design
of signalling
components
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
signalling components
NA NA Signalling safety
function
Incorrect
maintenance
of signalling
components
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Regular inspection and
maintenance of signalling
components
NA NA Non functional
requirement.
Maintenance manuals.
Environmental
forces
violating
signalling
components
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
signalling components
considering environmental forces
NA NA Signalling safety
function
Criminal acts
on signalling
components
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
signalling components
considering criminal acts
NA NA Security function
1.1.1.5.1.3.3 Equipment
cabinets/ Platform
door enclosures/
Tunnel doors
Faulty design
of equipment
cabinets,
platform doors
enclosures,
tunnel doors
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
equipment cabinets, platform
doors enclosures, tunnel doors
NA NA PSD safety function
Incorrect
maintenance
of equipment
cabinets,
platform doors
enclosures,
tunnel doors
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Regular inspection and
maintenance of equipment
cabinets, platform doors
enclosures, tunnel doors
NA NA Non functional
requirement.
Maintenance manuals.
Environmental
forces
violating
equipment
cabinets,
platform doors
enclosures,
tunnel doors
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
equipment cabinets, platform
doors enclosures, tunnel doors
considering environmental forces
NA NA PSD safety function
Criminal acts
on equipment
cabinets,
platform doors
enclosures,
tunnel doors
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
equipment cabinets, platform
doors enclosures, tunnel doors
considering criminal acts
NA NA Security function
1.1.1.5.1.3.4 Flooding gates Faulty design
of flooding
gates
Derailment
Collision Catastrophic Supervise Other Safety Related
Inputs - This function is intended
to supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
flooding gates
NA NA Flooding gates safety
function
Incorrect
maintenance
of flooding
gates
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Regular inspection and
maintenance of flooding gates
NA NA Non functional
requirement.
Maintenance manuals.
Environmental
forces
violating
flooding gates
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
flooding gates considering
environmental forces
NA NA Flooding Gates Safety
function
Criminal acts
on flooding
gates
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
flooding gates considering
criminal acts
NA NA Security function
1.1.1.5.2 Foreign objects
on guideway
1.1.1.5.2.1 External vehicle
(on level crossing)
Insufficient
protection of
level crossing
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Installation of warning signals
and barriers for level crossings
NA NA Level crossing
protection safety
function
1.1.1.5.2.2 Environmental
impacts, fallen
objects (crane,
tree, branches,
stones, mud ...)
Insufficient
precautions
regarding
environmental
impacts or
fallen objects
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Installation of precautions against
environmental impact and fallen
objects
NA NA Protection against
environment fallen
objects
1.1.1.5.2.3 Debris from
structural
breakdown
(bridges,
buildings,...)
Faulty design
bridges,
buildings ..
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct initial design of
bridges and building etc ..
NA NA Structure safety
design
Incorrect
maintenance
of bridges,
buildings, ..
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Ensure correct maintenance of
bridges and buildings etc ..
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.5.2.4 Human impact/
Criminal acts
No boundaries
on critical sites
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
Installation of barriers to secure
guideway
NA NA Security barrier
installation
Insufficient
supervision of
guideway
Derailment
Collision Installation of barriers to secure
guideway
NA NA Security barrier
installation
Catastrophic Installation of supervision of
guideway
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted
9.2.1 Flooding Insufficient
precautions
Derailment
Collision Catastrophic Supervise Intrusion or Fall on
Track & Supervise Other Safety
Related Inputs - This function is
intended to supervise the
detection of hazardous situations
by external sensors.
M M M M M 5.3.4.1
5.3.5
5.3.1.1 &
5.3.1.2 &
5.3.2.4 &
5.6.1
Safety function when
external sensors are
fitted.
Intrusion supervision
could be a system
depending on general
security system (not
Modurban function).
Insufficient
maintenance
of protection
constructions
Derailment
Collision Ensure correct maintenance of
flooding gates
NA NA Non functional
requirement.
Maintenance manuals.
1.1.1.6 Train lifted from
track through
aerodynamic force
1.1.1.6.1 Air draught in
tunnel
Faulty design
of tunnel
Derailment
Collision Catastrophic Correct initial tunnel design
minimising dangerous air
draughts
NA NA Non functional
requirement
Insufficient
maintenance /
faulty
construction
work
Derailment
Collision Correct maintenance and
construction work
NA NA Non functional
requirement
1.1.1.6.2 Pressure by
passing train
Faulty design
of
tunnel/guideway
Derailment
Collision Correct initial tunnel/guideway
design considering increasing
pressure by passing train
NA NA Non functional
requirement
Insufficient
maintenance /
faulty
construction
work
Derailment
Collision Correct maintenance and
construction work
NA NA Non functional
requirement
9.2.2 Environmental
impact on vehicle
(wind, gales)
Insufficient
precautions
Derailment
Collision Catastrophic Establish a Zone of Protection -
Ensure appropriate system-
design regarding exceptional
environmental conditions
(extreme wind etc.)
M M M M M 5.7.1 5.1.4.4 Safety function
Catastrophic Manage Temporary Speed
Restriction (TSRs) - Establish
operational rules e.g. speed
reductions at critical areas
M M M M M
5.1.5 5.1.3.1.2
Safety function
Insufficient
maintenance
(construction
work) on
protection
constructions
Derailment
Collision Correct maintenance and
construction work on protection
constructions
NA NA Non functional
requirement
1.1.2 Train on guideway
infringes
clearance
envelope
1.1.2.1 Object protrudes
from train
1.1.2.1.1 Vehicle structural
failure
Faulty design
of vehicle
Derailment
Collision Ensure correct initial design of
vehicle
NA NA Non functional
requirement
Incorrect
maintenance
of vehicle
Derailment
Collision Regular inspection and
maintenance
NA NA Non functional
requirement
1.1.2.1.2 Bad distribution of
freight load
Incorrect
loading
Derailment
Collision Supervise loading procedure as
well as actual freight vehicle (e.g.
by vehicle examiner)
NA NA Not Relevant
Training of staff regarding loading NA NA Not Relevant
Faulty design
of freight cars
Derailment
Collision Ensure correct initial design of
freight cars considering the
distribution of goods
NA NA Not Relevant
Incorrect
maintenance
of vehicle
Derailment
Collision Ensure correct maintenance of
vehicle
NA NA Not Relevant
1.1.2.2 Clearance
envelope
underdimensioned
Faulty design /
dimensioning
of clearance
envelope by
engineers
Derailment
Collision Ensure correct initial design /
dimensioning of clearance
envelope
NA NA Non functional
requirement
1.1.2.3 Train leans
excessively
sideways
1.1.2.3.1 Wrong load
distributions
Faulty design
of freight
vehicle
Derailment
Collision Ensure correct initial design of
freight cars considering the
distribution of goods
NA NA Non functional
requirement
Incorrect
maintenance
of vehicle
Derailment
Collision Ensure correct maintenance of
vehicle
NA NA Non functional
requirement
Incorrect
loading
Derailment
Collision Supervise loading procedure as
well as actual freight vehicle (e.g.
by vehicle examiner)
NA NA Non functional
requirement
Training of staff regarding loading NA NA Non functional
requirement
1.1.2.3.2 Excessive
bogie/Axle/
Damping system
dynamics
Faulty design
of bogies,
axles and
damping
system
Derailment
Collision Ensure correct initial
bogie/axle/damping system
design
NA NA Non functional
requirement
Incorrect
maintenance
of bogies,
axles and
damping
system
Derailment
Collision Ensure correct maintenance of
bogies, axles and damping
system
NA NA Non functional
requirement
1.1.2.3.3 Guideway
structural failure
Faulty design
of guideway
Derailment
Collision Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train. Examples of danger points
are other trains (communicating
or not), faulty points, suspected
broken rails, etc.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Ensure correct initial design of
guideway
NA NA Non functional
requirement
Incorrect
maintenance
of guideway
Derailment
Collision Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
M M M M M 5.3.5 5.3.1.2 Safety function
Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train. Examples of danger points
are other trains (communicating
or not), faulty points, suspected
broken rails, etc.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Regular inspection and
maintenance
NA NA Non functional
requirement.
Maintenance manuals.
1.2 Object / person
infringes train
clearance
envelope
1.2.1 Object infringes
clearance
envelope
1.2.1.1 Other train /
vehicle infringes
clearance
envelope (flank
protection)
Incorrect
Movement
Authority
Derailment,
Collision
Catastrophic Determine Movement Authority
Limit - To ensure safe train
movement, this function
determines for each train its limit
of the MA, corresponding to the
first danger point ahead of the
train.
M M M M M 5.4.3.1 5.1.1.1.2 &
5.1.4.1
Safety function
Interlocking
failure
Derailment,
Collision
Catastrophic Ensure Safe Route as
Combination of Route Elements -
This function is intended to allow
ATP to define and implement a
route as a combination of route
elements according to the needs
of the operator and to release
routes as part of it either by train
movement or manually.
M M M M M 5.4.2.2 5.1.1.1.1-3
&
5.1.1.2 &
5.1.1.1.3
Safety function
Broken switch
or derailer
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
1.2.1.2 Civil structure
fault / protrusion
in clearance
envelope
1.2.1.2.1 Tunnel structural
fault/ collapse
Faulty design
of tunnel
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
the structure of the tunnel
NA NA
Incorrect
maintenance
or incorrect
construction
work on tunnel
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct inspection,
maintenance and construction
works on tunnel
NA NA
1.2.1.2.2 Drilling or
excavation above
tunnel
Insufficient
maintenance
rules or
procedures i.e.
incorrect
planning of
construction
site
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure adequate planning of
construction site
NA NA
Incorrect
maintenance
or construction
works
(disobeying of
given rules or
procedures)
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct inspection,
maintenance and construction
works - Ensure obeying of rules
and procedures
NA NA
1.2.1.2.3 Station structural
fault
Faulty design
of station
Derailment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial design of
station
NA NA
Incorrect
maintenance
or construction
works on
station
Derail-
ment,
Collision
Catastrophic Supervise Safety Related Inputs -
This function is intended to
supervise the detection of
hazardous situations by external
sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct inspection,
maintenance and construction
works on and in station
NA NA
1.2.1.3 System object
infringes
clearance
envelope (cable
tray, overhead
lines, train
underfloor-
box/motor/object)
1.2.1.4 Object thrown at
train
1.2.1.4.1 from bridges Insufficient
precautions
against
objects thrown
at train
Derail-
ment,
Collision
Ensure correct initial system
design considering the possibility
of object thrown at train.
NA NA
1.2.1.4.2 from platform Insufficient
precautions
against
objects thrown
at train
Ensure correct initial system
design considering the possibility
of object thrown at train.
NA NA
1.2.1.4.3 from beside the line
Insufficient precautions against objects thrown at train
Ensure correct initial system design considering the possibility of object thrown at train.
NA NA

1.2.1.4.4 from passing train
Insufficient precautions against objects thrown at train
Ensure correct initial system design considering the possibility of object thrown at train.
NA NA

1.2.1.5 Animals
Insufficient precautions against animals entering
Derailment, Collision
Ensure correct initial system design considering the possibility of animal entering railway equipment.
NA NA

1.2.1.6 Environment elements infringe clearance envelope

9.2.5 Stalactites in tunnel
Insufficient inspection of tunnel
Derailment, Collision
Catastrophic
Supervise Safety Related Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct inspection and maintenance of tunnel
NA NA

Too much water/humidity in tunnel
Derailment, Collision
Catastrophic
Supervise Safety Related Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct initial tunnel design considering water and general humidity
NA NA

1.2.1.6.2 Trees
Insufficient precautions to protect track
Derailment, Collision
Catastrophic
Supervise Safety Related Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Correct initial design considering the possibility of falling trees on guideway
NA NA

Insufficient inspections of track
Derailment, Collision
Catastrophic
Supervise Safety Related Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.
O O O M M 5.3.5 5.3.1.2 Safety function
Ensure correct inspection and maintenance on track
NA NA
9.2.3 Avalanche / landslide / falling stones
Insufficient precautions to protect track
Derailment, Collision
Catastrophic