WP2 Hazard Analysis Annex D2 - MODSafe · 2011. 12. 9. · 6.4 Building collapse 6.5 Terrorism, Attacks, Criminal Acts 6.6 Radiation in OCC 6.7 asphyxiation / toxication in OCC 7

European Commission Seventh Framework programme

MODSafe Modular Urban Transport Safety and Security Analysis

WP2 Hazard Analysis Annex D2.2

Authors: TU Dresden Document ID: D2.2_Annex_Hazard_Analysis_100430_v8 Date: 2010-04-30 Contract No: 218606

Table of Content Document History Overview MODSafe Hazard Analysis 1 Train movement

4

2 Train interior

68

3 Train-Station Interface (with train in station)

79

4 Train-Station Interface (without train in station)

96

5 Depot

112

6 OCC

116

7 Maintenance

123

8 Emergency – Evacuation

145

9 Environment (force of nature)

172

04.05.2010 MODSafe WP2 Hazard AnalysisDocument History

File version Date Name of editorHazard numbering Hazard Description

V0.5 09.06.2009 A Herr Initial Draft D2.1

V0.6 10.06.2009 A HerrHazard Identification: Addition of further column "Possible consequential accidents"

V0.7 29.07.2009 A.Herr include comments on V06 V0.8 03.09.2009 A. Schindelhauer includes Comments on V07V1.0 15.09.2009 A. Schindelhauer approved by WP2 membersV2 21.10.2009 A. Schindelhauer includes comments WP10 membersV3 02.11.2009 A. Schindelhauer includes Comments WP10 memebers (Compilation D2.1V2)

V4 25.01.2010 A. Schindelhauer, A. Naundorf; TUD expansion of Annex D2.1, renaming into D2.2V5 02.02.2010 A. Naundorf, TUD approved by WP2 membersV6 09.03.2010 A. Schindelhauer, A. Naundorf; TUD includes comments on V5V7 09.04.2010 A. Schindelhauer, A. Naundorf; TUD includes comments on V6V8 30.04.2010 A. Schindelhauer, A. Naundorf; TUD includes comments on V7

Document History

04.05.2010 MODSafe WP2Overview Hazard Analysis

Hazard

1 Train movement1.1 Train infringes clearance envelope1.2 Object / person infringes train clearance envelope 1.3 Train collision hazard within uninfringed clearance envelope

2 Train interior2.1 person struck/hurt by object2.2 explosion2.3 person fall in train2.4 fire2.5 Inadequate temperature2.6 asphyxiation2.7 toxic releases2.8 radiation2.9 electrocution in train2.10 person contact with machinery2.11 person exposed to noise2.12 Person needs urgent asisstance

3 Train-Station Interface (with train in station)3.1 passenger falls from train on station track3.2 Passenger injured by door closing

3.3train departs with passenger trapped in doors (limb of passenger, clothes, bags, other objects from passenger, leash... )

3.4 Train moves at passenger exchange 3.5 Person between Vehicle/ Vehicle gaps3.6 Person steps / falls into Vehicle- Platform Gap3.7 electrocution

Overview MODSafe Hazard AnalysisHazard

3.7 e ect ocut o

4 Train-Station Interface (without train in station)4.1 person struck by falling object4.2 person hit by sharp object4.3 person hurt by protruding object4.4 wheelchair hazards4.5 person fall in station4.6 person falls/intrudes on station track4.7 electrocution in station4.8 smoke4.9 explosion4.10 fire in station4.11 toxic release

5 Depot5.1 Staff injured by operation of machines and equipment5.2 Shunting hazards5.3 undue train / vehicle enters operation area5.4 passenger in depot area5.5 staff run over by train

04.05.2010 MODSafe WP2Overview Hazard Analysis

6 OCC6.1 Fire in OCC6.2 Electrocution in OCC6.3 Explosion in OCC6.4 Building collapse6.5 Terrorism, Attacks, Criminal Acts6.6 Radiation in OCC 6.7 asphyxiation / toxication in OCC

7 Maintenance7.1 Staff injured by operation of machines and equipment7.2 Electrocution / Lightning7.3 staff endangered by moving train7.4 obstacles on guideway or walkway7.5 explosion during maintenance7.6 fire during maintenance7.7 asphyxiation/ toxication7.8 inappropriate temperature7.9 staff in danger cannot escape guideway7.10 radiation7.11 Staff caught in machinery

8 Emergency – Evacuation8.1 people hit by train: involved track, adjacent track8.2 burn / fire8.3 asphyxiation / toxication8.4 electrocution / lightning8.5 explosion during evacuation8.6 inappropriate temperature8.7 radiation8.7 radiation8.8 drowning8.9 person hurt during evacuation (others)

9 Environment (force of nature)9.1 weather conditions (moderate)9.2 Force of nature

04.05.2010 MODSafe WP2 Hazard Analysis Page 4

Safety measuresgeneric safety measures

0 1a 1b 2 3 4

1 Train Movement Hazards

1.1 Train infringes clearance envelope (CE)

1.1.1 Train (car) leaves guideway

GOA Respon-sibilities Remarks

X = responsibility of operations staff (may be realised by techn. system)S= realised by the control/command and supervision of train movement system

Hazard Identification Estimation of Risk

Hazard Numbering (up to 10 level) Hazard

Hazard Cause

Type of Accident (primary)

Possible consequential accidents Remarks

Severity of Conse-quences

Likeli-hood Risk Remarks

guideway (momentarily or irrevocably / derailment )

1.1.1.1 Inappropriate speed

1.1.1.1.1 VT(x) > VL(x)1.1.1.1.1.1 Wrong position

registeredOdometer failure

Derail-ment

Collision Catastrophic Determine Train Location S S S S Design and installation of absolute and relative position measurement

Respond to Train Location Failure

S S S S Ensure safe route

1 1 1 1 1 2 W d1.1.1.1.1.2 Wrong speed registered

1.1.1.1.1.2.1 Speed Measurement failure

Wheelspin Derail-ment

Collision Catastrophic Calculate Train Speed - This function determines train speed.

X S S S S Ensure safe speed; Adequate speed measurement

Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile.

X S S S S Ensure safe speed; Adequate speed supervision

1.1.1.1.1.2.2 On-board Speed Processing failure

On-Board ATP

Derail-ment

Collision Catastrophic Calculate Train Speed - This function determines train speed.

X S S S S Ensure safe speed; g

equipment design failure

Adequate speed measurement



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of On-Board ATP equipment

Derail-ment

Collision Catastrophic Regular inspection and maintenance of ATP equipment

1.1.1.1.1.3 Insufficient decelerationdeceleration

1.1.1.1.1.3.1 Improper vehicle - guideway coupling (adhesion)

9.1.1 Anything (snow, rain, leaves, greasy material) on guideway

Insufficient maintenance or clearance of guideway by crew

Derail-ment

Collision Catastrophic Regular Inspection and maintenance

Guideway heatingCheck of weather dataProvide enough staff for clearance worksclearance works

1.1.1.1.1.3.1.2 Wheel failure / wear

Faulty design of wheels

Derail-ment

Collision Catastrophic Ensure correct initial design of vehicle

Insufficient maintenance

Derail-ment

Collision Catastrophic Regular inspection and maintenance

Preventive maintenance, regular inspections, corrective maintenance

1.1.1.1.1.3.1.3 Track wear Faulty design of track

Derail-ment

Collision Catastrophic Ensure correct initial design of guideway


Derail-ment


Preventive maintenance, regular inspections, correctivecorrective maintenance

1.1.1.1.1.3.1.4 Wheel-track interface failure (incorrect design)

Disrespect of Wheel-Track-Interface specifications or legal regulations

Derail-ment

Collision Catastrophic Ensure correct initial design of guideway



0 1a 1b 2 3 4





Hazard Cause





1.1.1.1.1.3.1.5 Wheel slip / slide due to excessive braking force

Faulty design of braking system

Derail-ment

Collision Catastrophic Ensure correct initial design of braking system (and Emergency brakes)

Brake supervision, slip-slide control


Derail-ment


Preventive maintenance, regularregular inspections, corrective maintenance

Incorrect usage of braking system by driver

Derail-ment

Collision Catastrophic Braking system supervision X S S S S Control acceleration and braking

Slip - Slide - Control X S S S S Control acceleration and braking

Training and education of driver

1.1.1.1.1.3.1.6 Insufficient dh i

Insufficient braking force

Derail-ment

Collision Insufficient braking

Catastrophic Ensure correct braking curves X S S S S Control accelerationadhesion braking force ment braking

force results in lower frictional forces, and therefore in less adhesion

acceleration and braking

Provide enough braking force / contact

X S S S S Control acceleration and braking

1.1.1.1.1.3.2 Insufficient braking (braking-f )force)

1.1.1.1.1.3.2.1 Braking system failure


Derail-ment




0 1a 1b 2 3 4





Hazard Cause





Insufficient maintenance of braking system

Derail-ment



greasing Derail- Collision Catastrophic Configuration Managementgreasing problems (greasing scheme)

Derailment

Collision Catastrophic Configuration Management

1.1.1.1.1.3.2.2 Underestimated mass / train configuration

Incorrect design of mass / train configuration

Derail-ment

Collision Catastrophic Ensure correct procedure for calculation and design of mass / train configuration

Wrong data used

Derail-ment

Collision Catastrophic Ensure correct data as input for mass / train configuration

1.1.1.1.1.3.3 Wrong brake command

Faulty design of on-board equipment

Derail-ment

Collision Catastrophic Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile.

X S S S S Ensure safe speed

I ffi i t D il C lli i C t t hi R l i ti d P tiInsufficient maintenance of on-board equipment

Derail-ment



Wrong command by driver

Derail-ment

Collision Catastrophic Training and education of driver

Employ well educated driversWell design and user supportive HMI driver desk

1.1.1.1.1.4 Wrong speed command


Derail-ment

Collision Catastrophic Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed


remain within the dynamic speed profile.

Insufficient maintenance of on-board equipment

Derail-ment





0 1a 1b 2 3 4





Hazard Cause





Wrong command by driver

Derail-ment

Collision Catastrophic Training and education of driver

Employ well educated driversWell design and user supportive HMI driver desk

1.1.1.1.1.5 Untimely Faulty design Derail- Collision Catastrophic Supervise Actual Speed - This X S S S S Ensure safe 1.1.1.1.1.5 Untimely acceleration / propulsion command error

Faulty design of propulsion system

Derailment

Collision Catastrophic Supervise Actual Speed This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile.

X S S S S Ensure safe speed, Propulsion control; Overspeed protection

Insufficient maintenance of propulsion system

Derail-ment



1.1.1.1.2 Wrong speed limit VL(X)

1.1.1.1.2.1 Wrong static route data

Incorrect surveying and

i

Derail-ment

Collision Catastrophic Check consistency of data - This function is intended to check the

i t f il bl d t

Adequate route-database

fi timapping consistency of available data configuration and management

Employ trained and well educated staff only

Wrong input of route data

Derail-ment

Collision Catastrophic Load Infrastructure Data onto onboard equipment

S S S S

Load Infrastructure Data onto wayside equipment

S S S S

1.1.1.1.2.2 Wrong route1.1.1.1.2.2.1 Wrong route

selection ATP failure Derail-

mentCollision Catastrophic Ensure safe route as

combination of route elements - This function is intended to allow ATP to define and implement a

S S S S S Ensure safe route

ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually.



0 1a 1b 2 3 4





Hazard Cause





Wrong route selection by OCC staff

Derail-ment

Collision Catastrophic Safe display - HMI OCC

Supportive functions for stress or emergency cases Clear and understandable operational rulesoperational rules

withdrawal of route (e.g. emergency release) without communication to the train

Derail-ment

Collision Catastrophic Ensure safe route as combination of route elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually.


Supportive functions for stress or emergency cases

1.1.1.1.2.2.2 Wrong switch setting

ATP failure Derail-ment

Collision Catastrophic Ensure Safe Switchable Route Elements - This function is intended to switch switchable


intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.

Wrong switch setting by OCC staff

Derail-ment


Supportive functions for stress or emergency cases Clear and understandable operational rules

1.1.1.1.2.3 Wrong (temporary) speed restriction wayside

Wrong maintenance

Derail-ment


S S S S

waysideLoad Infrastructure Data onto wayside equipment

S S S S

Ensure correct maintenanceIncorrect input of data

Derail-ment


S S S S


S S S S



0 1a 1b 2 3 4





Hazard Cause





1.1.1.1.2.4 Failed or incorrect communication of speed restriction

Faulty or insufficient communication system

Derail-ment

Collision Catastrophic Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment.equipment.

Software Intrusion (6.5.1)

see WP 9

1.1.1.1.2.5 Wrong data of speed limits on train (track database)

Wrong input by engineers, OCC or maintenance crew

Derail-ment

Collision Catastrophic Check consistency of data - This function is intended to check the consistency of available data

Adequate route-database (i.e. speed limits) configuration and management

Load Infrastructure Data onto onboard equipment

S S S S


S S S Swayside equipment

1.1.1.1.2.6 Faulty onboard speed restriction processing


Derail-ment

Collision Catastrophic Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile.

X S S S S Ensure safe speed; Ensure correct speed restriction processing

Determine static speed profile - This function determines the static train speed profiles, which are based on infrastructure data such as track geometry and quality, infrastructure constraints (tunnels, bridges etc.) and train

X S S S S

( , g )data.



0 1a 1b 2 3 4





Hazard Cause





Calculate dynamic train speed profiles - this function is intended to calculate for each segment of the route the train speed limit. This function calculates the dynamic speed profiles of each train. The dynamic speed profile

S S S Ensure safe speed

train. The dynamic speed profile is based on the static speed profile, the TSR, the braking profile with the relevant safety margin.

Incorrect maintenance of on-board equipment

Derail-ment



1.1.1.2 Switch hazard1.1.1.2.1 Wrong switch

status1.1.1.2.1.1 Undetected

misaligned switch Interlocking failure or erroneous status control

Derail-ment

Collision Catastrophic Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.


Incorrect maintenance of switch

Derail-ment



1.1.1.2.1.2 Undetected unlocked switch

Interlocking failure or

Derail-ment

Collision Catastrophic Ensure Safe Switchable Route Elements - This function is

S S S S S Ensure safe routeunlocked switch failure or

erroneous status control

ment Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.

route



0 1a 1b 2 3 4





Hazard Cause






Derail-ment



1 1 1 2 1 3 Undetected Erroneous Derail Collision Catastrophic Supervise other safety relevant S S S S S Optional1.1.1.2.1.3 Undetected broken switch components

Erroneous status control

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.

S S S S S Optional device;Supervising guideway


Derail-ment



1.1.1.2.2 Insufficient safety distance to moving switchmoving switch

1.1.1.2.2.1 Insufficient worst case safety distance

1.1.1.2.2.1.1 Wrong worst case safety distance registered (on train)

1.1.1.2.2.1.1.1 Failed or incorrect communication of worst case safety distance (stop point / speed limit)

Data communication failure

Derail-ment

Collision Catastrophic Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment.q p

Faulty communication system due to incorrect maintenance

Derail-ment





0 1a 1b 2 3 4





Hazard Cause





Faulty design of communication system

Derail-ment

Collision Catastrophic Ensure correct initial design of communication system

1.1.1.2.2.1.1.2 Wrong worst case safety distance estimation / estimation / determination

1.1.1.2.2.1.1.2.1 Wrong train parameters input

Mistake by driver during input

Derail-ment

Collision Catastrophic Perform self tests during power on - This function is intended to perform all necessary tests on vital equipment during the power on process. Generally this function includes only those self tests that deal with the safety of the ATP and the inputs and outputs necessary for a vital operation. Self tests that are necessary to achieve the safety features of vital processors (computing unit including

X S S S S Supervise status of train

( p g goperating system) are not included here.Design of supportive functions for data input

Assistance during data input through intelligent design of HMI driver desk

1.1.1.2.2.1.1.2.2 Wrong route parameters input

Derail-ment


S S S S


S S S S

1.1.1.2.2.1.1.2.3 Safety distance calculation/ determination

Interlocking failure

Derail-ment

Collision Catastrophic Determine Movement Authority Limit - To ensure safe train movement, this function

S S S S S Examples of danger points are other trains determination

errormovement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.

are other trains (communicating or not), faulty points, suspected broken rails, etc.



0 1a 1b 2 3 4





Hazard Cause





1.1.1.2.2.1.3 Wrong position registered

Odometer failure

Derail-ment

Collision Catastrophic Determine Train Location S S S S Design and installation of absolute and relative position measurement

Respond to Train Location S S S S Ensure safeRespond to Train Location Failure


1.1.1.2.2.1.4 Wrong route1.1.1.2.2.1.4.1 Wrong route

selection / authorization


Collision Catastrophic Ensure safe route as combination of route elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually.


Wrong route selection by OCC staff in

Derail-ment


OCC staff in exceptional cases e.g. emergency cases


1.1.1.2.2.1.4.2 Wrong switch setting




conditions.

Wrong switch setting by OCC staff in exceptional cases

Derail-ment


Supportive functions for stress or emergency cases



0 1a 1b 2 3 4





Hazard Cause





Clear and understandable operational rules

1.1.1.2.2.1.5 Wrong train departure

1.1.1.2.2.1.5.1 Wrong departure command


Collision Catastrophic Determine Movement Authority Limit - To ensure safe train movement this function

S S S S S Examples of danger points are other trainsmovement, this function

determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.

are other trains (communicating or not), faulty points, suspected broken rails, etc.

Ensure correct initial design of ATP regarding departure commandRegular inspection and maintenance

Preventive maintenance, regular inspections, correctivecorrective maintenance

Wrong departure command by driver

Authorise Train Movement by Wayside Signals - This function supports train movement authorisation to be provided to trains by wayside signals

S X X X X Ensure safe route

Provide high visibility on signals

1.1.1.2.2.1.5.2 Immobilisation brake deficient


Derail-ment

Collision Catastrophic Respond to Unexpected Train Movements - This function covers the reaction of ATP in case of roll away.

X S S S S Correct and sufficient maintenance

Ensure correct initial design of braking system (and Emergency braking system (and Emergency brakes)

Incorrect maintenance of braking system

Derail-ment

Collision Catastrophic Respond to Unexpected Train Movements - This function covers the reaction of ATP in case of roll away.




0 1a 1b 2 3 4





Hazard Cause





Regular inspection and maintenance


1 1 1 2 2 1 5 3 W d t I t l ki D il C lli i C t t hi D t i M t A th it S S S S S E l f1.1.1.2.2.1.5.3 Wrong departure authorisation


Derail-ment

Collision Catastrophic Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.

S S S S S Examples of danger points are other trains (communicating or not), faulty points, suspected broken rails, etc.

Authorise Train Movement by Wayside Signals - This function supports train movement authorisation to be provided to trains by wayside signals

S X X X X Ensure safe route

Incorrect authorisation by OCC in case of exceptional cases e.g. emergency cases

Derail-ment



1.1.1.2.2.2 Wrong switch command


Derail-ment

Collision Catastrophic Ensure Safe Switchable Route Elements - This function is intended to switch switchable





0 1a 1b 2 3 4





Hazard Cause





Erroneous switch command by OCC staff

Derail-ment



conditions.

Safe display - HMI OCCSupportive functions for stress or emergency cases


1.1.1.2.2.3 Wrong travel direction

1.1.1.2.2.3.1 Faulty direction control

Derail-ment

Collision Catastrophic Determine Actual Train Travel Direction - This function determines the travel direction of trains.

S S S S Control acceleration and braking

1.1.1.2.2.3.2 Roll back Insufficient braking force

Derail-ment

Collision Catastrophic Respond to Unexpected Train Movements - This function covers the reaction of ATP in

X S S S S Correct and sufficient maintenancecovers the reaction of ATP in

case of roll away.maintenance

Faulty design of brakes

Derail-ment


Incorrect maintenance of brakes

Derail-ment



1.1.1.2.3 Switch moves under running train

1 1 1 2 3 1 W it h1.1.1.2.3.1 Wrong switch command



0 1a 1b 2 3 4





Hazard Cause





1.1.1.2.3.1.1 Wrong switch command by system


Derail-ment



conditions.

1.1.1.2.3.1.2 Wrong switch command by staff

No support for decision of switch command during exceptional cases

Derail-ment

Collision Catastrophic Supportive functions for staff of OCC in exceptional cases, where no technical control of switch command can be provided

Operational rules, Scenarios for fall back levels or emergency cases, Precautions against stress and work overload

1.1.1.2.3.3 Wrong train detection

1 1 1 2 3 3 1 T i t d t t d U i d D il C lli i C t t hi D t t U i d F il d X X X X X E f1.1.1.2.3.3.1 Train not detected Unequipped or failed train

Derail-ment

Collision Catastrophic Detect Unequipped or Failed Trains - This function determines whether a section of track is occupied by an unequipped or failed train.

X X X X X Ensure safe separation of trains

Data communication failure e.g. data loss

Derail-ment

Collision Catastrophic Determine Train Location S S S S Ensure safe route

1.1.1.2.3.3.2 End of train detected untimely

Unequipped or failed train

Derail-ment, Collision

Catastrophic Detect Unequipped or Failed Trains - This function determines whether a section of track is occupied by an unequipped or failed train.


Data Derail- Collision Catastrophic Determine Train Location S S S S Ensure safe atacommunication failure e.g. data loss or delay

e ament

Co s o Catast op c ete e a ocat o S S S S su e sa eroute



0 1a 1b 2 3 4





Hazard Cause





1.1.1.3 Guideway structural failure

Faulty design of guideway

Derail-ment



Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.


Ensure correct initial design of guideway

Incorrect maintenance of guideway

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of

S S S S S Optional device;Supervising g y p

hazardous situations by external sensors.

p gguideway




Preventive maintenance, ,regular inspections, corrective maintenance

1.1.1.4 Vehicle structural failure (component break)

Faulty design of vehicle

Derail-ment




0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of vehicle

Derail-ment



1.1.1.5 Object on 1.1.1.5 Object on guideway

1.1.1.5.1 System object on guideway

1.1.1.5.1.1 Forgotten working/ maintenance/ rescue objects


Derail-ment



Clearance verification system S S S S S Optional device

Ensure procedures to clear X X X X SEnsure procedures to clear guideway after evacuation or emergency case

X X X X S

1.1.1.5.1.2 Element from train falls on track

1.1.1.5.1.2.1 Vehicle Structural failure


Derail-ment



Derail-ment



1.1.1.5.1.2.2 Vehicle load falls Overloaded Derail- Collision Catastrophic Ensure correct loading of vehicle on track vehicle ment

p ge.g. by vehicle examiner

Clearance verification system S S S S S Optional device



0 1a 1b 2 3 4





Hazard Cause





1.1.1.5.1.3 Wayside element infringes clearance envelope

1.1.1.5.1.3.1 Power supply (catenary third

Faulty design of power

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended

S S S S S Optional device;(catenary, third

rail etc.)of power supply system

ment Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.

device;Supervising guideway

Ensure correct initial design of power supply system

Incorrect maintenance of power supply system

Derail-ment



Regular inspection and maintenance of power supply

Preventive maintenance, p pp y

system,

regular inspections, corrective maintenance

Environmental forces violating power supply system

Derail-ment



Ensure correct initial design of power supply system considering environmental forces

Criminal acts Derail- Collision Catastrophic Supervise other safety relevant S S S S S OptionalCriminal acts on power supply system

Derail-ment



Ensure correct initial design of power supply system considering criminal acts



0 1a 1b 2 3 4





Hazard Cause





1.1.1.5.1.3.2 Signalling Components

Faulty design of signalling components

Derail-ment



Ensure correct initial design ofEnsure correct initial design of signalling components

Incorrect maintenance of signalling components

Derail-ment



Regular inspection and maintenance of signalling components


Environmental Derail- Collision Catastrophic Supervise other safety relevant S S S S S Optional forces violating signalling components



Ensure correct initial design of signalling components considering environmental forces

Criminal acts on signalling components

Derail-ment



Ensure correct initial design of signalling components considering criminal acts



0 1a 1b 2 3 4





Hazard Cause





1.1.1.5.1.3.3 Equipment Cabinets/ Platform Door Enclosures/ Tunnel doors

Faulty design of equipment cabinets, platform doors enclosures, tunnel doors

Derail-ment



Ensure correct initial design of equipment cabinets, platform doors enclosures, tunnel doors

Incorrect maintenance of equipment cabinets, platform doors enclosures, tunnel doors

Derail-ment



Regular inspection and maintenance of equipment cabinets, platform doors

Preventive maintenance, regular cabinets, platform doors

enclosures, tunnel doorsregular inspections, corrective maintenance

Environmental forces violating equipment cabinets, platform doors enclosures, tunnel doors

Derail-ment



Ensure correct initial design ofCriminal acts on equipment

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs This function is intended

S S S S S Optional device;on equipment

cabinets, platform doors enclosures, tunnel doors





0 1a 1b 2 3 4





Hazard Cause





Ensure correct initial design of equipment cabinets, platform doors enclosures, tunnel doors considering criminal acts

1.1.1.5.1.3.4 Flooding Gates Faulty design of flooding

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended

S S S S S Optional device;of flooding

gatesment Inputs - This function is intended

to supervise the detection of hazardous situations by external sensors.


Ensure correct initial design of flooding gates

Incorrect maintenance of flooding gates

Derail-ment



Regular inspection and maintenance of flooding gates

Preventive maintenance,

lregular inspections, corrective maintenance

Environmental forces violating flooding gates

Derail-ment



Ensure correct initial design of flooding gates considering environmental forces

Criminal acts fl di

Derail-t

Collision Catastrophic Supervise other safety relevant I t Thi f ti i i t d d

S S S S S Optional d ion flooding

gatesment Inputs - This function is intended



Ensure correct initial design of flooding gates considering criminal acts



0 1a 1b 2 3 4





Hazard Cause





1.1.1.5.2 Foreign objects on guideway

1.1.1.5.2.1 External vehicle (on level crossing)

Insufficient protection of level crossing

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors

S S S S S Optional device;Supervising guideway; Provide levelsensors. Provide level crossing supervision

Installation of warning signals and barriers for level crossings

1.1.1.5.2.2 Environmental impacts, fallen objects (crane, tree, branches, stones, mud ...)

Insufficient precautions regarding environmental impacts or fallen objects

Derail-ment


S S S S S Optional device;Supervising guideway; Clearance supervision; e.g Installation of precautions against genvironmental impact and fallen objects

1.1.1.5.2.3 Debris from structural breakdown (bridges, buildings,...)

Faulty design bridges, buildings ..

Derail-ment


S S S S S Optional device;Supervising guideway; Clearance supervision

Ensure correct initial design of bridges and building etc ..

Incorrect maintenance

Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs This function is intended

S S S S S Optional device;maintenance

of bridges, buildings, ..


device;Supervising guideway; Clearance supervision

Ensure correct maintenance of bridges and buildings etc ..



0 1a 1b 2 3 4





Hazard Cause





1.1.1.5.2.4 Human impact/ Criminal Acts

No boundaries on critical sites

Derail-ment


S S S S S Optional device;Supervising guideway; e.g. Installation of barriers to secure secure guideway

Insufficient supervision of guideway

Derail-ment


S S S S S Optional device;Supervising guideway; e.g. Installation of barriers to secure guideway

Installation of supervision of guideway

S S S S S Optional device

9.2.1 Flooding Insufficient precautions

Derail-ment


S S S S S Optional device;Supervising guideway; Water (level) measurement and indicator

Insufficient maintenance of protection constructions

Derail-ment

Collision Catastrophic Ensure correct maintenance of flooding gates

1.1.1.6 Train lifted from track throughtrack through aerodynamic force

1.1.1.6.1 Air draught in tunnel

Faulty design of tunnel

Derail-ment

Collision Catastrophic Correct initial tunnel design minimising dangerous air draughts



0 1a 1b 2 3 4





Hazard Cause





Insufficient maintenance / faulty construction work

Derail-ment

Collision Catastrophic Correct maintenance and construction work

1.1.1.6.2 Pressure by passing train

Faulty design of

Derail-ment

Collision Catastrophic Correct initial tunnel/guideway design considering increasing passing train of

tunnel/guideway

ment design considering increasing pressure by passing train

Insufficient maintenance / faulty construction work

Derail-ment

Collision Catastrophic Correct maintenance and construction work

9.2.2 Environmental impact on vehicle (wind, gales)

Insufficient precautions

Derail-ment

Collision Catastrophic Ensure appropriate system-design regarding exceptional environmental conditions (extreme wind etc.)

Establish operational rules e.g. speed reductions at critical areas

Insufficient Derail Collision Catastrophic Correct maintenance andInsufficient maintenance (construction work) on protection constructions

Derail-ment

Collision Catastrophic Correct maintenance and construction work on protection constructions

1.1.2 Train on guideway infringes clearance envelope

1.1.2.1 Object protrudes from train

1.1.2.1.1 Vehicle structural Faulty design Derail- Collision Catastrophic Ensure correct initial design of failure

y gof vehicle ment

p gvehicle


Derail-ment





0 1a 1b 2 3 4





Hazard Cause





1.1.2.1.2 Bad distribution of freight load

Incorrect loading

Derail-ment

Collision Catastrophic Supervise loading procedure as well as actual freight vehicle (e.g. by vehicle examiner)Training of staff regarding loading

Faulty design of freight cars

Derail-ment

Collision Catastrophic Ensure correct initial design of freight cars considering the of freight cars ment freight cars considering the distribution of goods


Derail-ment

Collision Catastrophic Ensure correct maintenance of vehicle

1.1.2.2 Clearance envelope underdimensioned

Faulty design / dimensioning of clearance envelope by engineers

Derail-ment

Collision Catastrophic Ensure correct initial design / dimensioning of clearance envelope

1.1.2.3 train leans excessively sideways

1.1.2.3.1 Wrong Load Distributions

Faulty design of freight

Derail-ment

Collision Catastrophic Ensure correct initial design of freight cars considering theDistributions of freight

vehiclement freight cars considering the

distribution of goodsIncorrect maintenance of vehicle

Derail-ment

Collision Catastrophic Ensure correct maintenance of vehicle

Incorrect loading

Derail-ment

Collision Catastrophic Supervise loading procedure as well as actual freight vehicle (e.g. by vehicle examiner)Training of staff regarding loading

1.1.2.3.2 Excessive Bogie/Axle/ Damping System Dynamics

Faulty design of bogies, axles and damping system

Derail-ment

Collision Catastrophic Ensure correct initial bogie/axle/damping system design

Incorrect Derail- Collision Catastrophic Ensure correct maintenance ofIncorrect maintenance of bogies, axles and damping system

Derail-ment

Collision Catastrophic Ensure correct maintenance of bogies, axles and damping system



0 1a 1b 2 3 4





Hazard Cause





1.1.2.3.3 Guideway structural failure


Derail-ment



D t i M t A th it S S S S S E l fDetermine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.


Ensure correct initial design of guideway


Derail-ment

Collision Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of

S S S S S Optional device;Supervising g y p


p gguideway




Preventive maintenancemaintenance maintenance, regular inspections, corrective maintenance

1.2 Object / person infringes train clearance envelope



0 1a 1b 2 3 4





Hazard Cause





1.2.1 Object infringes clearance envelope

1.2.1.1 Other train / vehicle infringes clearance

l (fl k

Incorrect Movement Authority


Catastrophic Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit

S S S S S Examples of danger points are other trains (communicatinenvelope (flank

protection)determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.

(communicating or not), faulty points, suspected broken rails, etc.



Catastrophic Ensure safe route as combination of route elements - This function is intended to allow ATP to define and implement a route as a combination of route elements according to the needs of the operator and to release routes as part of it either by train movement or manually


movement or manually.

Broken switch or derailer


Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.

S S S S S Optional device;Supervising guideway; Broken rail detector

1.2.1.2 Civil structure fault / protrusion in clearance envelope

1 2 1 2 1 Tunnel structural Faulty design Derail- Catastrophic Supervise other safety relevant S S S S S Optional1.2.1.2.1 Tunnel structural fault/ collapse

Faulty design of tunnel



S S S S S Optional device;Supervising guideway; Obstacle detection in front of train

Ensure correct initial design of the structure of the tunnel



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance or incorrect construction work on tunnel



S S S S S Optional device;Supervising guideway; Obstacle detection in front of trainfront of train

Ensure correct inspection, maintenance and construction works on tunnel

1.2.1.2.2 Drilling or excavation above tunnel

Insufficient maintenance rules or procedures i.e. incorrect planning of construction site




Ensure adequate planning of construction site

Incorrect Derail- Catastrophic Supervise other safety relevant S S S S S Optional maintenance or construction works (disobeying of given rules or procedures)

ment, Collision

Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.

device;Supervising guideway; Obstacle detection in front of train

Ensure correct inspection, maintenance and construction works - Ensure obeying of rules and procedures

1.2.1.2.3 Station structural fault

Faulty design of station


Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of

S S S S S Optional device;SupervisingCollision to supervise the detection of


Supervising guideway; Obstacle detection in front of train

Ensure correct initial design of station



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance or construction works on station




Ensure correct inspection, maintenance and construction works on and in station

1.2.1.3 System object infringes Clearance envelope

1.2.1.3.1 Train components (train underfloor-box/ motor/ object) fall from train


Derail-ment



Derail-ment



1.2.1.3.2 Wayside system objects infringes CE inappropriately

Wayside traction power device (Cable tray / overhead lines) infrin-ges CE inap-propriately

Derail-ment







0 1a 1b 2 3 4





Hazard Cause





other wayside system object infringes CE

Derail-ment





1.2.1.3.3 Hazards related to wayside traction power devices

1.2.1.3.3.1 Current collector gets caught with wayside traction power device

Inadequate adjustment of current collector

Derail-ment


Preventive maintenance, regular inspections, pcorrective maintenance

Supervise traction power supply - This function is intended to powering on/off of the traction supply by the operator at the OCC, or locally, either on given sections or on all sections.

X X X X X

1.2.1.3.3.2 Short circuits undetected short circuits on track

Electrocution, Burns

Critical Protect critical electronic equipment, e.g. by short circuit protection

S S S S S Optional device;Supervise other safety relevant Inputsp

Faulty design of equipment

Electrocution

Critical Ensure correct initial design of equipment

Consideration of the possibility of short circuits



0 1a 1b 2 3 4





Hazard Cause





Protect critical electronic equipment, e.g. by short circuit protection

S S S S S Optional device;Supervise other safety relevant Inputs

Incorrect maintenance of equipment

Electrocution

Critical Ensure correct inspection and maintenance of equipment

1.2.1.3.3.3 Power transformer catches fire

excess voltage, failure of equipment

Fire Explosion Critical Ensure correct initial design of equipment

Regular inspection and maintenance of power supply system

Preventive maintenance, regular inspections, corrective

i tmaintenance

Installation of fire and smoke protection


1.2.1.4 Object thrown at train

Ensure correct initial design of equipment

1.2.1.4.1 Object thrown at train from bridges

Insufficient precautions against objects thrown at train


Catastrophic Ensure correct initial system design considering the possibility of object thrown at train.

1.2.1.4.2 Object thrown at train from platform

Insufficient precautions against


Catastrophic Ensure correct initial system design considering the possibility of object thrown at train.from platform against

objects thrown at train

Collision of object thrown at train.

1.2.1.4.3 Object thrown at train from beside the line






0 1a 1b 2 3 4





Hazard Cause





1.2.1.4.4 Object thrown at train from passing train




1.2.1.5 Animals infringe Insufficient Derail- Catastrophic Ensure correct initial system 1.2.1.5 Animals infringe cleareance envelope

Insufficient precautions against animals entering guideway

Derailment, Collision

Catastrophic Ensure correct initial system design considering the possibility of animal entering railway equipment.

1.2.1.6 Environment elements infringes clearance envelope

9.2.5 Stalactites in tunnel

Insufficient inspection of tunnel


Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors

S S S S S Optional device;Supervising guideway; Obstaclesensors. Obstacle detection in front of train

Ensure correct inspection and maintenance of tunnel

Too much water/humidity in tunnel




Ensure correct initial tunnel design considering water and general humiditygeneral humidity

1.2.1.6.2 Trees Insufficient precautions to protect track






0 1a 1b 2 3 4





Hazard Cause





Correct initial design considering the possibility of falling trees on guideway

Insufficient inspections of track


Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external

S S S S S Optional device;Supervising guideway; hazardous situations by external

sensors.guideway; Obstacle detection in front of train

Ensure correct inspection and maintenance on track

9.2.3 Avalanche / landslide/ falling stones

Insufficient precautions to protect track




Correct initial design considering the possibility of avalanches orthe possibility of avalanches or falling stones





Ensure correct inspection and maintenance on track

9.2.1 Flooding Insufficient precautions track and system


Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external

S S S S S Optional device;Supervising guideway;

sensors. Obstacle detection in front of train

Ensure correct initial design considering the possibility of flooding



0 1a 1b 2 3 4





Hazard Cause





Insufficient inspection and maintenance of flooding protection equipment




Ensure correct inspection and maintenance on flooding protection equipment

Inspection of guideway and surrounding area

1.2.1.7 Train at standstill between stations

loss of power supply

Collision Catastrophic Ensure power supply during train movement

X X X X X Control acceleration and braking

Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit f th MA di t th

S S S S S Examples of danger points are other trains (communicatin

t) f ltof the MA, corresponding to the first danger point ahead of the train.

g or not), faulty points, suspected broken rails, etc.

extreme weather conditions e.g. coldness

Collision Catastrophic Ensure power supply during train movement

X X X X X Control acceleration and braking

Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit

S S S S S Examples of danger points are other trains (communicatin

of the MA, corresponding to the first danger point ahead of the train.

g or not), faulty points, suspected broken rails, etc.



0 1a 1b 2 3 4





Hazard Cause





Asphyxiation, Suffocation

Injury of person

Marginal Passenger announcement

Passenger - Staff communication

1 2 2 P i t i1.2.2 Person intrusion into clearance envelope

1.2.2.1 Person too close to station platform edge

Overcrowded situation

Fall of person, Electrocution, Object striking person

Critical Platform screen doors S S S S S Optional device

Warning flashing light at platform edge when train arrives

Attention line on platformAttention line on platformSupervise passengers on platform (Detection of overcrowding station)(Detection of person too close to platform edge / train stop)

x x x x S Optional device

Manual emergency stop for passengers/staff : platform/train

Ensure adherence to timetable

Inattentive or unconscious person

Fall of person, Electrocution,

Critical Platform screen doors S S S S S Optional device

ion, Object striking person

Warning flashing light at platform edge when train arrives

Attention line on platform



0 1a 1b 2 3 4





Hazard Cause





Supervise passengers on platform (Detection of overcrowding station)(Detection of person too close to platform edge / train stop)

x x x x S Optional device

Manual emergency stop for passengers/staff : platform/trainpassengers/staff : platform/train

1.2.2.2 Person between two cars

1.2.2.2.1 Person between two cars coming from inside car

Faulty design of train cars


Critical Ensure correct initial design of vehicle considering the possibility of climbing between cars

Incorrect maintenance of train cars

Fall of person, Electrocut

Critical Ensure correct inspection and maintenance to prevent possibilities for climbing out of


p gthe car

No installation of precautions


Critical Supervise conditions for start of train movement - This function is intended to supervise all prerequisites related to doors and emergency handles necessary for safe start of train movement.

X X S S S Put in or take out of operation

1.2.2.2.2 Person between two cars coming from



Critical Supervise Intrusion Detection / Avoidance System - This function is intended to supervise

S S S S S Optional device;Supervisingcoming from

outsideElectrocution, Object striking person

function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.

Supervising guideway



0 1a 1b 2 3 4





Hazard Cause





Installation of platform screen doors

S S S S S Optional device; One possibility to prevent passengers from climbing between train between train carsFaulty design

of precautions on station and guideway


Critical Ensure correct initial design of precautions

Incorrect maintenance of precautions on station and guideways


Critical Ensure correct inspection and maintenance of precautions

1.2.2.4 Person falls/1.2.2.4 Person falls/ intrudes on track

1.2.2.4.1 Intrusion on the line by persons from train

1.2.2.4.1.1 Undetected persons by evacuation on line

No evacuation supervision


Catastrophic Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.

X X X X S Ensuring detection and management of emergency situations

1 2 2 4 1 2 Undetected1.2.2.4.1.2 Undetected person leaves/falls out of the train



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.1.2.1 Undetected person leaves/falls out of the train by door



Note: here train doors. platform doors are mentioned in 1.2.2.4.2.3.5 as an

Critical Supervise Door Opening - This function is intended to supervise all prerequisites necessary for safe passenger exchange.

X X X S Control passenger doors

person as an realisation example)

Supervise Train Doors - This function is intended to supervise the train door control system.

X S S S S Control passenger doors

Faulty design of precautions


Critical Ensure correct initial design of door system

p

Incorrect maintenance of precautions


Critical Ensure correct inspection and maintenance of all door related systems

1.2.2.4.1.2.2 Undetected person leaves/falls out of the train by window

Faulty design of windows


Critical Ensure correct initial design of windows

Examples: Windows unable to open, Detection of broken windows

Insufficient maintenance (e.g. broken window)


Critical Ensure correct inspection and maintenance of train windows



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.1.2.3 Undetected person leaves/falls out of the train by end of train wall / after separation of cars

unauthorised decoupling


Critical Supervise Train Integrity - This function is intended to supervise the integrity of the train (loss of coupling between vehicles of one unit)

S S S S S Supervise stauts of the train

separation of cars person

Ensure correct initial design of train i.e. wagon

Ensure correct inspection and maintenance or train i.e. wagon

Ensure correct initial design of braking system (and Emergency brakes)

Undetected parted train / separated wagon

Fall of person, Electrocution, Object

Critical Supervise Train Integrity - This function is intended to supervise the integrity of the train (loss of coupling between vehicles of one unit)


Object striking person

unit)

Ensure correct initial design of train i.e. wagonEnsure correct inspection and maintenance or train i.e. wagon

Ensure correct initial design of braking system (and Emergency brakes)

1.2.2.4.2 Person falls / intrudes track (from outside / (from outside / from station - wayside)

1.2.2.4.2.1 Risky behaviour



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.2.1.1 Person intrudes track wilfully (not suicide)

Insufficient precautions against intrusion


Critical Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not

S S S S S Optional device;Supervising guideway; Examples for realisation: Guideway person which passengers are not

permitted e.g. the track.Guideway Intrusion Protection System (GIPS); Fences at dedicated areas; Penalty for intrusion; Passenger information; Manual emergency stop for passengers/ staff : l tf /t iplatform/train

1.2.2.4.2.1.2 Person intrudes track unconsciously

Insufficient precautions against intrusion


Critical Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.

S S S S S Optional device;Example for realisation: Platform Screen Doors; Guideway Intrusion Protection System (GIPS); Fences at dedicateddedicated areas; Manual emergency stop for passengers/ staff : platform/train



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.2.2 Unnoticed track No installation of precautions




person which passengers are not permitted e.g. the track.



Critical Ensure correct initial design of track and precautions

Examples for realisation: Mark track (e.g. mark stones in different colours); Fences at dedicated areas; Obstacle detection and warningwarning signals by driver



Critical Ensure correct inspection and maintenance of track and precautions

1.2.2.4.2.3 Person fall



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.2.3.1 obstacles - stumble

Any reason Fall of person, Electrocution, Object striking person


S S S S S Optional device;Supervising guideway; Example for realisation: Platform person which passengers are not

permitted e.g. the track.Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train

Ensure correct inspection and maintenance of station

Prevent obstacles in station which could be a reason to stumble by maintenance as well as regular cleaning



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.2.3.2 Rush / hustle / push

Overcrowded situation


Catastrophic Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not

S S S S S Optional device;Supervising guideway; Platform screen doors; Guideway person which passengers are not

permitted e.g. the track.Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train

Prevent overcrowded situations Ensure enough room for passengers and avoid train d ldelays

Criminal or terroristic acts



S S S S S Optional device;Supervising guideway, Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/passengers/ staff : platform/train

Prevent criminal or terroristic acts

Supervision of station to prevent criminal acts



0 1a 1b 2 3 4





Hazard Cause





1.2.2.4.2.3.3 Slippery ground Faulty design of station floor, Environmental condition (Humidity, Rain, Snow ..),



S S S S S Optional device;Supervising guideway; Examples for realisation: Platform Rain, Snow ..),

Slope of platform or whole station

person which passengers are not permitted e.g. the track.

Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train

Ensure correct initial design of station

Considering humidity, rain,

l fsnow, slope of station or platform

Incorrect maintenance of station floor



S S S S S Optional device;Supervising guideway; Examples for realisation: Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train



0 1a 1b 2 3 4





Hazard Cause





Ensure correct inspection and maintenance of station

Sufficient cleaning on platform and station

1.2.2.4.2.3.4 Insufficient lighting

Faulty design Fall of person, El t t

Critical Supervise Intrusion Detection / Avoidance System - This f ti i i t d d t i

S S S S S Optional device;S i iElectrocut


function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.

Supervising guideway; Examples for realisation: Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/trainplatform/train

Ensure correct initial design of lightning system

Considering the level of brightness



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of lightning



S S S S S Optional device;Supervising guideway; Examples for realisation: Platform person which passengers are not

permitted e.g. the track.Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train

Ensure correct inspection and maintenance of lightning system

1.2.2.4.2.3.5 Platform faulty design

Disrespect of possibility person fall



S S S S S Optional device;Supervising guideway; Examples for realisation: Platform screen doors; Guideway intrusion protection system; Manual emergency stop forstop for passengers/ staff : platform/train; Correct initial platform design



0 1a 1b 2 3 4





Hazard Cause





Ensure well educated and well trained engineers

1.2.2.4.2.4 criminal act Insufficient security precautions

Fall of person, Electrocution, Object

Catastrophic Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system

S S S S S Optional device;Supervising guideway; Examples for Object

striking person

avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.

Examples for realisation: Platform screen doors; Guideway intrusion protection system; Manual emergency stop for passengers/ staff : platform/train

Ensure supervision of station area

1.2.2.4.3 Person falls from above (bridge etc.)




S S S S S Optional device;Supervising guideway; Examples for realisation: Guideway intrusion detection system

Faulty design of e.g. bridge

Fall of person, Electrocuti

Critical Ensure correct initial design of bridges considering that persons might fall from e.g. bridges

Installation of precautions like fences, b i dion,

Object striking person

barriers and railings against fall of person from e.g. bridge



0 1a 1b 2 3 4





Hazard Cause





Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not

S S S S S Optional device;Supervising guideway; Examples for realisation: Guideway which passengers are not

permitted e.g. the track.Guideway intrusion detection system




Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system Such system

S S S S S Optional device;Supervising guideway; Examples foravoidance system. Such system

covers the protection of areas in which passengers are not permitted e.g. the track.

Examples for realisation: Guideway intrusion detection system

1.2.2.4.3.5 Suicide Insufficient precautions



S S S S S Optional device;Supervising guideway; Examples for realisation: Guideway intrusion detection systemsystem



0 1a 1b 2 3 4





Hazard Cause





Faulty design of e.g. bridge


Critical Ensure correct initial design of bridges considering that persons might fall from e.g. bridges

Installation of precautions like fences, barriers and railings against fall of person from e.g. person from e.g. bridge

Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.





of precautions Electrocution, Object striking person

Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system covers the protection of areas in which passengers are not permitted e.g. the track.


1 2 2 5 Staff inside Operational Fall of Critical Operational rules1.2.2.5 Staff inside clearance envelope during operation, maintenance, evacuation

Operational need


Critical Operational rules

Maintenance rulesEvacuation rules



0 1a 1b 2 3 4





Hazard Cause





Warning signals for worker1.2.2.7 Person leaning

out of train infringes train clearance envelope

in focus: single person

1.2.2.7.1 Person leaning out of train infringes train clearance envelope: out of door

Faulty design of doors; Insufficient maintenance; Insufficient precautions


Critical Supervise Train Doors - This function is intended to supervise the train door control system.


Supervise Door Opening - This function is intended to supervise all prerequisites necessary for safe passenger exchange.


Installation of broken doors detection

Faulty design of doors and

Fall of person

Critical Ensure correct initial design of doors and precaution systemsof doors and

precaution systems

person, Electrocution, Object striking person

doors and precaution systems

Incorrect maintenance of doors and precaution systems


Critical Ensure correct inspection and maintenance of doors and precaution systems

1.2.2.7.2 Person leaning out of train infringes train



Critical Installation of detector of open/closed/broken window

infringes train clearance envelope: out of window

Electrocution, Object striking person

Windows are not able to be open that a person could lean out



0 1a 1b 2 3 4





Hazard Cause





Faulty design of windows


Critical Ensure correct design of windows and precautions

personIncorrect maintenance of windows


Critical Ensure correct inspection and maintenance of windows and precautions

1.3 Train collision hazard within uninfringed clearance envelope

1.3.1 Train too close to other vehicle

1 1 1 2 2 1 Insufficient worst respect1.1.1.2.2.1 Insufficient worst case safety distance

respect sublevels

1.3.1.2 Undetected train/vehicle

1.3.1.2.1 Undetected / uncommunicated (stranded) train

1.3.1.2.1.1 Train presence signal failure (trainside)

Faulty design of trainside equipment



Ensure Safe Switchable Route El t Thi f ti i

S S S S S Ensure safe tElements - This function is


route

Ensure correct initial design of trainside equipment



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of train side equipment



Ensure Safe Switchable Route Elements - This function is

S S S S S Ensure safe routeElements This function is


route

Ensure correct inspection and maintenance of trainside equipment

1.3.1.2.1.2 Train presence signal failure (wayside)

Faulty design of secondary train detection system




S S S S S Ensure safe routeElements - This function is


route

Ensure correct initial design of secondary train detection system

Incorrect maintenance of secondary train detection system



E S f S it h bl R t S S S S S E fEnsure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.




0 1a 1b 2 3 4





Hazard Cause





Ensure correct inspection and maintenance of wayside equipment

1.3.1.2.1.3 Train detection information processing / communication

Faulty design of data communication system

Collision Catastrophic Detect Unequipped or Failed Trains - This function determines whether a section of track is occupied by an unequipped or


communication n system occupied by an unequipped or failed train.Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.


Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment.equipment.

Ensure correct initial design of data communication system

Incorrect maintenance of data communication system



Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.


Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment.



0 1a 1b 2 3 4





Hazard Cause





Ensure correct inspection and maintenance of data communication system

1.3.1.2.2 Undetected train enters system

No communication established prior entry


Catastrophic Detect Unequipped or Failed Trains - This function determines whether a section of track is occupied by an unequipped or


prior entry occupied by an unequipped or failed train.Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.


Transition to CBTC Area Technical Solution of Entry into CBTC Area

1.3.1.2.3 System loses unnoticed tracking of train

1.3.1.2.3.1 Train presence signal failure

Faulty design of trainside

Collision Catastrophic Detect Unequipped or Failed Trains - This function determines

X X X X X Ensure safe separation ofsignal failure

(trainside)of trainside equipment

Trains - This function determines whether a section of track is occupied by an unequipped or failed train.

separation of trains




Incorrect maintenance of train side

Collision Catastrophic Detect Unequipped or Failed Trains - This function determines whether a section of track is

X X X X X Ensure safe separation of trainsof train side

equipmentwhether a section of track is occupied by an unequipped or failed train.

trains



0 1a 1b 2 3 4





Hazard Cause







conditions.


1.3.1.2.3.2 Train presence detection failure (wayside)






conditions.





Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe


normal (undisturbed) and safe conditions.




0 1a 1b 2 3 4





Hazard Cause





1.3.1.2.3.3 Train detection information processing / communication failure




Ensure Safe Switchable Route El t Thi f ti i

S S S S S Ensure safe tElements - This function is


route

Supervise data communication equipment - This function is intended to inform staff about availability of functions concerning operation and status of data communication equipment.

Ensure correct initial design of data communication systemdata communication system






Supervise data communication equipment - This function is intended to inform staff aboutintended to inform staff about availability of functions concerning operation and status of data communication equipment.




0 1a 1b 2 3 4





Hazard Cause





1.3.1.2.4 Undetected parted train / separated wagon

Faulty design of train i.e. wagon

Collision Derail-ment

Catastrophic Supervise Train Integrity - This function is intended to supervise the integrity of the train (loss of coupling between vehicles of one unit)


Ensure Safe Switchable Route Elements This function is



route

Ensure correct initial design of train i.e. wagon

Incorrect maintenance of train i.e. wagon


Catastrophic Supervise Train Integrity - This function is intended to supervise the integrity of the train (loss of coupling between vehicles of one unit)





route


Unauthorised decoupling


Supervise Train Integrity - This function is intended to supervise the integrity of the train (loss of coupling between vehicles of one unit)








0 1a 1b 2 3 4





Hazard Cause





1.3.1.2.5 Undetected / unpermitted maintenance car / work train

Faulty design of operational rules



Establish clear and understandable operational understandable operational procedures and rules

Disrespect of operational rules



Ensure adherence and respect of operational rules and procedures

1.3.1.3 Wrong train detection (position)

1.3.1.3.1 Wrong "position / track segment" from train from train detection







Ensure correct initial design of trainside equipmenttrainside equipment






0 1a 1b 2 3 4





Hazard Cause







conditions.








conditions.







normal (undisturbed) and safe conditions.




0 1a 1b 2 3 4





Hazard Cause





1.3.1.3.1.3 Train detection information processing / communication failure







route







Ensure Safe Switchable Route S S S S S Ensure safeEnsure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.





Train receive information of wrong track section

Collision Catastrophic Ensure correct initial design of data communication system

section (adjacent track)



0 1a 1b 2 3 4





Hazard Cause






Prevention of pick up an adjacent position reference if a train drives in reverse reverse (passing a point) a limited distance and then continues forward

1.3.1.3.2 Wrong timing of train "position" detection communication




X X X X X Ensure safe separation of trains(trainside) equipment whether a section of track is

occupied by an unequipped or failed train.

trains







equipment occupied by an unequipped or failed train.Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.




0 1a 1b 2 3 4





Hazard Cause










system occupied by an unequipped or failed train.Ensure Safe Switchable Route Elements - This function is intended to switch switchable route elements and ensure the switching is performed under normal (undisturbed) and safe conditions.



Incorrect maintenance of secondary train detection



train detection system

occupied by an unequipped or failed train.




1.3.1.3.2.3 Train detection information processing /

Faulty design of data communicatio


X X X X X Ensure safe separation of trainsprocessing /

communication failure

communication system

whether a section of track is occupied by an unequipped or failed train.

trains



0 1a 1b 2 3 4





Hazard Cause







conditions.









( )conditions.




1.1.1.2.2.3 (1.3.1.4) Wrong travel direction

respect sublevels

1.1.1.1.1.3 (1.3.1.5) Insufficient deceleration

respect sublevels

1.3.2 Train too close to end of track



0 1a 1b 2 3 4





Hazard Cause





1.3.2.2 Unrecognised end of track

Maintenance works


S S S S S Optional device;Supervising guideway; Example for realisation: obstacle obstacle detection in front of train (technical or by driver)

Ensure correct adherence of maintenance procedures

Communication between train, OCC and maintenance crew

Bad weather conditions

Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external

S S S S S Optional device;Supervising guideway; hazardous situations by external

sensors.guideway; Example for realisation: obstacle detection in front of train (technical or by driver)

Ensure good view for driver1.1.1.2.2.3 (1.3.2.3) Wrong travel

direction (back movement)

respect sublevels

1.1.1.1.1.3 (1.3.2.4) Insufficient deceleration

respect sublevels



0 1a 1b 2 3 4





Hazard Cause





2 Train Interior Hazards

2.1 Person struck/hurt by object

2.1.1 Break of train equipmentequipment fixation

2.1.1.1 Faulty design, implementation, maintenance

Mistakes by staff during design, implementation and maintenance

Person Struck / Hurt by Object

Marginal Adequate training and education of staff


Inadequate or no rules for design, implementation and maintenance


Marginal Establish rules for design

maintenanceEstablish rules for implementationEstablish rules for maintenance

2.1.1.2 Vibration Faulty design of train cars


Marginal Ensure correct initial design of train cars considering the possibility of vibration



Marginal Ensure correct maintenance and inspection to prevent vibration

2.1.2 Luggage / similar objects

2 1 2 1 Faulty design Mistake by Person Marginal Adequate training and education2.1.2.1 Faulty design, implementation, maintenance of luggage rack

Mistake by staff during design, implementation and maintenance of luggage rack





0 1a 1b 2 3 4





Hazard Cause





Insufficient or no rules for the design, implementation and maintenance for luggage


Marginal Establish rules regarding luggage racks

for luggage racks

2.1.2.2 Operation error2.1.2.2.1 Acceleration Unskilled

DriverPerson Struck / Hurt by Object


Well design and user supportive HMI driver desk

2.1.2.2.2 Deceleration Unskilled Driver



Well design and user supportive HMI driver desk

2.1.2.2.3 Jerk of moving see 2.1.42.1.2.2.3 Jerk of moving train

see 2.1.4

2.1.3 Arris by vandalism

Insufficient supervision


Marginal Supervise train equipment

Faulty design of train equipment (not considering the possibility of vandalism)


Marginal Ensure correct initial design of train equipment considering the possibility of vandalism


Person Struck /

Marginal Prevent vandalism by regular inspection and maintenance

and inspection Hurt by Object

p

2.1.4 Jerk of moving train

2.1.4.1 Propulsion failure Faulty design of propulsion system


Marginal Ensure correct initial design of propulsion system



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of propulsion system


Marginal Ensure correct inspection and maintenance of propulsion system

2.1.4.2 Brake failure Faulty design of braking system

Person Struck / Hurt by

Marginal Ensure correct initial design of braking system (and Emergency brakes)system Hurt by

Objectbrakes)



Marginal Ensure correct inspection and maintenance of braking system

2.1.4.3 Environmental conditions

9.1.2 Wind Inadequate precaution against wind


Marginal Consider wind force during planning and design of railway/metro system

Operational rules to stop all trains in case of extreme wind

9 2 4 Earthquake Inadequate Person Catastrophic Consider earthquakes during9.2.4 Earthquake Inadequate precaution against earthquakes


Catastrophic Consider earthquakes during planning and design of railway/metro system

Operational rules to stop all trains is case of forecasted earthquake

2.1.4.4 Guideway structural failure



Marginal Ensure correct initial design of guideway



Marginal Ensure correct inspection and maintenance of guideway

j

2.1.4.5 Excessive deceleration

ATP on-board equipment failure


Marginal Ensure correct initial design of ATP on-board equipment

Ensure correct inspection and maintenance of ATP on-board

i t



0 1a 1b 2 3 4





Hazard Cause





Mistake by driver


Marginal Ensure correct execution of operational rules


U i d iUnconscious driver2.1.4.6 Excessive

accelerationATP on-board equipment failure


Catastrophic Supervise Actual Speed - This function supervises the operation of trains to ensure that trains remain within the dynamic speed profile.


Ensure correct initial design of ATP on-board equipmentEnsure correct inspection and maintenance of ATP on-board equipment

Mistake by driver

Person Struck / Hurt by Obj t

Catastrophic Ensure correct execution of operational rules

ObjectEmploy trained and well educated staff only

Unconscious driver2.1.4.7 Emergency

brakingAny reason Person

Struck / Hurt by Object

Marginal Ensure a limitation of braking force to an unharmful level for passenger

X S S S S Control acceleration and braking

Provide enough halt (e.g. handrails) in trains

Prevent unnecessary emergency brakes by passenger

2 2 Explosion2.2 Explosion2.2.1 Explosion in train

2.2.1.1 Criminal acts Insufficient supervision

Explosion Catastrophic Provide enough supervision in train

Training and education of staff



0 1a 1b 2 3 4





Hazard Cause





Operational rule to stop all trains in case of a criminal or terroristic act

2.2.1.2 Egression of explosive substances in traintrain

2.2.1.2.1 Maintenance errors

Mistake by maintenance crew

Explosion e.g. due to cabling error

Catastrophic Adequate training and education of staff

Technical and procedural support

2.2.1.2.2 Faulty design, improper design

Insufficient training for staff

Explosion systematic error

Catastrophic Adequate training and education of staff

Insufficient rules/guidelines for design of train cars

Explosion Catastrophic Establish technical and procedural support for design e.g. by guidelines

2.2.1.3 Explosive material storage

Faulty design Explosion Catastrophic Ensure correct initial design of vehicle considering possible gexplosions

2.2.1.4 Explosive products carried by passenger

Any reason Explosion Catastrophic Passenger information

Passenger control at entrance of station/train

2.2.2 Explosion on guideway

2.2.2.1 Criminal acts Insufficient supervision

Explosion Catastrophic Supervise Intrusion Detection / Avoidance System - This function is intended to supervise the intrusion detection / avoidance system. Such system


y ycovers the protection of areas in which passengers are not permitted e.g. the track.

Training and education of staff Operational rule to stop all trains is case of a criminal or terroristic act



0 1a 1b 2 3 4





Hazard Cause





2.2.2.2 Egression of explosive substances on guideway

2.2.2.2.1 Maintenance errors

Mistake by maintenance crew

Explosion Catastrophic Adequate training and education of staff

crewTechnical and procedural support

2.2.2.2.2 Faulty design, improper design

Insufficient training for staff

Explosion Catastrophic Adequate training and education of staff

Insufficient rules/guidelines for design of train cars

Explosion Catastrophic Establish technical and procedural support for design e.g. by guidelines

2.3 Person fall in train

2.3.1 Brake failure Unskilled Driver

Fall of person in train

Marginal Ensure correct execution of operational rules

Employ trained and well educated staff onlyUnconscious driver

ATP On-board problem


Marginal Ensure correct initial design of ATP on-board equipment

Ensure correct inspection and maintenance of ATP on-board equipment

2.3.2 Obstacles in train Inappropriate Design


Marginal Ensure correct initial design of train cars considering possible obstacles



Marginal Ensure correct inspection and maintenance to prevent obstacles in train cars

2 3 3 Panic/hustle in Any reason Fall of Catastrophic Supervise train i e passenger2.3.3 Panic/hustle in train (by criminal act, jerk,...)

Any reason Fall of person in train

Catastrophic Supervise train i.e. passenger

Employ security guards and train on-board personnel



0 1a 1b 2 3 4





Hazard Cause





2.3.4 Insufficient lighting

Power blackout


Marginal Installation of secondary power supply system

Faulty design of lightning system


Marginal Ensure correct design of lightning system in train

Incorrect Fall of Marginal Ensure correct inspection andIncorrect maintenance of lightning system


Marginal Ensure correct inspection and maintenance of lightning system

2.3.5 Inexistence or broken support elements

Faulty design of support elements


Marginal Ensure correct initial design of support elements

Incorrect maintenance of support elements


Marginal Ensure correct inspection and maintenance of support elements

2.3.6 Slippery train floor

Faulty design of train floor


Marginal Ensure correct initial design of train floors

Incorrect Fall of Marginal Ensure correct inspection andIncorrect maintenance of train floor


Marginal Ensure correct inspection and cleaning of train floors

2.4 Fire2.4.1 Fire in train

2.4.1.1 Inflammable material used on train

Faulty design - inflammable material used

Fire Catastrophic Ensure correct initial design of vehicle

Incorrect maintenance - inflammable material used

Fire Catastrophic Ensure correct inspection and maintenance of train cars

2.4.1.2 Ignition Faulty design e.g. faulty designed


designed electrical components

Maintenance error

Fire Catastrophic Ensure correct inspection and maintenance of train cars

2.4.1.3 Unobstructed spread of fire





0 1a 1b 2 3 4





Hazard Cause







Maintenance error

Fire Catastrophic Ensure correct execution of maintenance rules

2.4.1.4 Explosion see 2.22.4.2 Fire on guideway

ignites trainignites train

2.4.2.1 Inflammable material used on guideway

Faulty design - inflammable material used on guideway

Fire Catastrophic Ensure correct initial design of guideway

Incorrect maintenance - inflammable material used

Fire Catastrophic Ensure correct inspection and maintenance on guideway

2.4.2.2 Ignition Faulty design e.g. faulty designed electrical components


components

Maintenance error

Fire Catastrophic Ensure correct inspection and maintenance of guideway

2.4.2.3 Unobstructed spread of fire

Faulty design of guideways




Maintenance error

Fire Catastrophic Ensure correct execution of maintenance rules

2.4.2.4 Explosion see 2.22.5 Inadequate

temperatureFaulty design of train cars

Super cooling/ Superheating of

Marginal Installation of air renewal and air conditioning systems


Passenger

Ensure correct maintenance of HEVAC


Ensure correct handling of HEVAC

2.6 Asphyxiation



0 1a 1b 2 3 4





Hazard Cause





2.6.1 Smoke Fire Asphyxiation of passenger

Catastrophic See subtree 2.4.1 Fire in train


Asphyxiation of passenge

Catastrophic Ensure correct initial design of train cars in order to prevent the possibility of development of passenge

rpossibility of development of smoke e.g. from electronical equipment


Asphyxiation of passenger

Catastrophic Ensure correct inspection and maintenance to prevent development of smoke

2.6.2 Air renewal failure Faulty design of air renewal system


Catastrophic Ensure correct initial design of air renewal system

Provide possibilities to open windows or doors in emergency cases



Catastrophic Ensure correct inspection and maintenance of air renewal system


Catastrophic Provide possibilities to open windows or doors in emergency cases

2.7 Toxic releases2.7.1 Toxic releases in

trainFaulty design of vehicle leads to combustion, leakage ..

Asphyxiation, burns of passenger

Catastrophic Ensure correct initial design of vehicle to prevent any form of toxic release by combustion, leakage etc.

Avoid the use of toxic material on train for construction

Incorrect maintenance of vehicle leads to combustion, leakage …

Asphyxiation, burns of passenger

Catastrophic Ensure correct inspection and maintenance on vehicle to prevent any form of toxic release by combustion, leakage etc.



0 1a 1b 2 3 4





Hazard Cause





Avoid the use of toxic material on train for maintenance purposes

2.7.2 Toxic releases coming from outside

Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCCorder to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.

2.8 Radiation2.8.1 Radiation from

equipmentFaulty design of train cars

Burns of passenger

Critical Ensure correct initial design of train cars considering the possibility of radiation

Incorrect maintenance on train cars

Burns of passenger

Critical Ensure correct inspection and maintenance on train cars considering the possibility of radiation

2.8.2 Foreign radiation/ Strong Fields

Faulty design of vehicle e.g. insufficient precaution

Burns of passenger

Critical Minimise the impact of foreign radiation and strong fields

Ensure correct inspection and maintenance of precautions

2.9 Electrocution in train


Electrocution

Critical Ensure correct initial design of train cars considering the possibility of electrocution


Electrocution

Critical Ensure correct inspection and maintenance to ensure the protection of passenger

2.10 Person contact with machinery


Cuts, burns, contamination, suffocations of passenger

Critical Ensure correct initial design of machinery



0 1a 1b 2 3 4





Hazard Cause






Cuts, burns, contamination, suffocations of passenge

Critical Ensure correct inspection and maintenance of precautions against contact of passenger with machinery

passenger

2.11 Person exposed to noise


Suffocation

Insignificant Ensure correct initial design of train cars considering the possibility of loud noises


Suffocation

Insignificant Ensure correct inspection and maintenance

2.12 Person needs urgent asisstance

heart attack, childbirth, …

Injury of person

Critical Installation of emergency call device onboard

S S S S S

Provide communication onboard staff and OCCEnsure Possibility of Announcement inside train e.g. ask for

d t b ddoctor onboard



0 1a 1b 2 3 4





Hazard Cause





3 Train-Station- Interface Hazards (with train already in station)

3.1 Passenger falls from train onfrom train on station track

3.1.1 Incorrect train alignment

No location measurement

Fall of person, Electrocution

Catastrophic Determine Train Location S S S S Ensure safe route

Support driver with signs To indicate correct location for passenger exchange

3.1.2 Vehicle doors are open on the wrong side at stationstation

3.1.2.1 Wrong Travel Direction

No measurement of travel direction


Catastrophic Determine Actual Train Travel Direction - This function determines the travel direction of trains.

S S S S Control acceleration and braking

3.1.2.2 Door control failure

No door control system


Catastrophic Supervise Train Doors - This function is intended to supervise the train door control system.


Supervise Door Opening - This function is intended to supervise all prerequisites necessary for safe passenger exchange.


3.1.3 Train departure ith ( ti d)

Door control f il

Fall of Catastrophic Supervise Train Doors - This f ti i i t d d t i

X S S S S Control with (unnoticed) open doors

failure person, Electrocution

function is intended to supervise the train door control system.

passenger doors



0 1a 1b 2 3 4





Hazard Cause





Supervise Conditions for Start of Train Movement - This function is intended to supervise all prerequisites related to doors and emergency handles necessary for safe start of train movement.

X X S S S Put in or take out of operation; Example for realisation: Installation of manual movement. manual emergency stop for passengers/staff on platform and train

Installation of CCTV system to monitor platform area

Prevention of untimely departure by monitoring

3.2 Passenger injured by door closing

3.2.1 Inadequate Pressure/ Forces

Faulty design of doors system

Trapping of person

Critical Supervise Conditions for Start of Train Movement - This function is intended to supervise all prerequisites related to doors and emergency handles necessary for safe start of train movement.


Ensure correct initial design of door system

Test correct door closing pressure/ force

Installation of door control and obstacle detection system

X X X X S

Incorrect maintenance of door system

Trapping of person





0 1a 1b 2 3 4





Hazard Cause





Ensure correct inspection and maintenance of door system

Including obstacle detection and door closing pressure/ force

3 2 2 Passenger injured3.2.2 Passenger injured by platform screen doors

3.2.2.1 Person hit by platform screen's doors during closing

Injury of person, Passenger hit by train, Trapping of person

Marginal Installation of door control and obstacle detection system

X X X X S

3.2.2.2 Installation of PSD - Passenger

h d i t

Wrong installation procedure

Fall of person

Injury of person, Passange

Marginal Migration phase procedures

smashed against PSD/ construction material during passenger boarding

procedure Passanger hit by train, Trapping of person

overcrowded situation

Fall of person

Injury of person, Passanger hit by train, Trapping of person

Marginal Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, of the signalling system, pumps, fans and escalators.



0 1a 1b 2 3 4





Hazard Cause





3.2.2.3 Misuse of manual control panel for PSD by staff in case of PSD failure

Staff communication, misunderstandings, insufficient education Trapping

Passanger hit by

Marginal Training and education of staff

education pp gof person

ytrain

Establish clear and understandable operational procedures and rules

3.2.2.4 Loss of locking status of PSD

Fall of person

Injury of person, Passanger hit by train, Trapping of person

Marginal Manage PSDs closing - This function is intended to manage the platform door closing if existing after exchange of passenger at stations.


3.2.3 Inadequate space between door leaf

d b d

Faulty design of doors system

Trapping of person

Critical Ensure correct initial design of door system

and car body system

Installation of door control and obstacle detection system

X X X X S

Incorrect maintenance of door system

Trapping of person

Critical Ensure correct inspection and maintenance of door system

3.3 Train departs with passenger trapped in doors (limb of passenger, clothes, bags, other objects fromother objects from passenger, leash... )

3.3.1 Wrong door closing / interlocking signal

No door control

Trapping of person





0 1a 1b 2 3 4





Hazard Cause





Conditions for start of train are not fulfilled

Trapping of person



movement.

3.3.2 Undetected obstacles

Obstacle detector signals clearance

Trapping of person


X S S S S Control passenger doors; Example for realisation: Obstacle detection in doors (train and PSD)

Mistake by driver

Trapping of person


X S S S S Control passenger doors; Example for prealisation: Obstacle detection in doors (train and PSD)

Support driver during clearance check

X X S S S Ensure sufficient sight onto platform and doors

Design or maintenance error of train doors

Objects striking person

Injury of person

Critical Correct initial design of train doors

doors




0 1a 1b 2 3 4





Hazard Cause





Overcrowded situations, Vandalism, Panic, Unawareness of Passenger


Injury of person

Critical Correct initial design of train doors

3.3.3 Passenger/ object trapped in platform screen doors


3.3.3.1 Person stuck between train doors and screen's doors

Dsign or maintenance errors of PSD

Injury of person

Objects striking person, Trapping of person Critical

Ensure correct initial design of interaction traindoor / Platform screen doors


3.3.3.2 Anything (leashes, ties,

Overcrowded situations,

Ensure correct initial design of PSD(leashes, ties,

wrist of a child ..) sticks in PSD and is not detected by PSD

situations, Vandalism, Panic, Unawareness of Passenger

Injury of person

Objects striking person, Trapping of person Critical

PSD

Manage PSDs closing - This function is intended to manage the platform door closing if existing after exchange of passenger at stations.


Design or maintenance

Objects striking

Ensure correct initial design of PSDmaintenance

error of PSDInjury of person

striking person, Trapping of person Critical

PSD



0 1a 1b 2 3 4





Hazard Cause





3.3.3.3 Person or object is between closed PSD and closed train doors -> and train departs with passenger in doors

Design or maintenance error of PSD


Ensure correct initial design of PSD

doors Injury of person

person, Trapping of person Critical

3.4 Train moves at passenger exchange

3.4.1 Incorrect Train Departure

3.4.1.1 Wrong Departure Authorisation / Command

Conditions for start are not fulfilled

Fall of person, Trapping of person; Impact on person (object

Catastrophic Supervise Conditions for Start of Train Movement - This function is intended to supervise all prerequisites related to doors and emergency handles necessary for safe start of train movement.


(object striking person)

movement.

3.4.1.2 Door Status Failures

Door status is lost

Fall of person, Trapping of person; Impact on person (object striking person)

Catastrophic Supervise Train Doors - This function is intended to supervise the train door control system.

X S S S S Control passenger doors; Installation of door status control



0 1a 1b 2 3 4





Hazard Cause





Door status signals clearance but door occupied



X S S S S Control passenger doors; Installation of obstacle detection


3.4.2 Rear end collision Train enters occupied track in station

collision Catastrophic Ensure exclusiveness of train in track section

3.4.3 Propulsion Failure Faulty design of propulsion system


Catastrophic Ensure correct initial design of propulsion system




Respond to Unexpected Train Movements - This function covers the reaction of ATP in case of roll away.




0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of propulsion system


Catastrophic Ensure correct inspection and maintenance of propulsion system






3.4.4 Brakes Failure Faulty design Fall of Catastrophic Ensure correct initial design of 3.4.4 Brakes Failure Faulty design of braking system

Fall of person, Trapping of person; Impact on person (object striking person)

Catastrophic Ensure correct initial design of braking system (and Emergency brakes)



p o e





0 1a 1b 2 3 4





Hazard Cause







Catastrophic Ensure correct inspection and maintenance of braking system






3.4.5 Important Overcrowded it ti

Fall of Marginal Provide enough room for i t tipassenger

movement in the vehicle

situation person, Trapping of person; Impact on person (object striking person)

passenger in station

Provide enough room for passenger in train

Provide enough halt inside of train

3 5 Person between3.5 Person between Vehicle/ Vehicle gaps



0 1a 1b 2 3 4





Hazard Cause





3.5.1 Passengers risky behaviour

Any reason Fall of person, Trapping of person; Impact on person (object

Critical Installation of platform screen doors



Installation of manual emergency stop for passenger and staff on platform and train

S S S S S

Manage train door closing - This function is intended to manage the train door closing at stations.

X X X X S Control passenger doors

Manage PSDs closing - This function is intended to manage

S S S S S Control passenger function is intended to manage

the platform door closing if existing after exchange of passenger at stations.

passenger doors

3.5.2 Unconsciousness (children, elder people...)

Any reason Fall of person, Trapping of person; Impact on person (object striking person)


S S S S S Optional device; Control passenger doors

Installation of manual emergency S S S S SInstallation of manual emergency stop for passenger and staff on platform and train

S S S S S





0 1a 1b 2 3 4





Hazard Cause






S S S S S Control passenger doors

3.5.3 Rush / hustle / push

Any reason Fall of person


S S S S S Optional device;push person,

Trapping of person; Impact on person (object striking person)

doors device; Control passenger doors


S S S S S

Manage train door closing - This X X X X S Control g gfunction is intended to manage the train door closing at stations.

passenger doors



Prevent criminal or terroristic acts

Supervision of station

Avoid overcrowded situations Provide enough room in station

Ensure adherence to timetable In order toEnsure adherence to timetable In order to prevent rush

3.5.4 Unknown misalignment of train





0 1a 1b 2 3 4





Hazard Cause





3.6 Person steps / falls into Vehicle- Platform Gap

3.6.1 Risky behaviour along the train

Any reason Fall of person, T i


S S S S S Optional device; C t lTrapping

of person; Impact on person (object striking person)

Control passenger doors


S S S S S

Supervision of platform Detection of person falls inperson falls in gap







0 1a 1b 2 3 4





Hazard Cause





3.6.2 Excessive gap Faulty design of vehicle-platform gap


Critical Ensure correct initial design of station i.e. vehicle-platform gap

Consider the dimension of the vehicle to construct platform

(object striking person), Electrocution

Installation of gap filling devices E.g. Movable step

Announcements and warnings regarding the gap

E.g. "Mind the gap"


S S S S S

Supervision of gap S S S S S Optional device;Prevent injuries to persons between cars or between platform and train

Ensure gap is free before train departure

X X S S S Prevent injuries to persons between cars

b tor between platform and train



0 1a 1b 2 3 4





Hazard Cause





3.6.3 Passenger steps / falls in gap at door area

Insufficient warnings


Critical Announcements and warnings regarding the gap

E.g. "Mind the gap"



S S S S S

Supervision of gap S S S S S Optional device;Prevent injuries to persons between cars or between platform and train

Ensure gap is free before train departure

X X S S S Prevent injuries to persons between cars or between platform and train



0 1a 1b 2 3 4





Hazard Cause





vehicles doors open but PSD are closed


Critical Ensure correct initial design of interaction traindoor / Platform screen doors


PSD opens but train doors are closed

Fall of person, Trapping of person; Impact on person (object striking person),

Critical Ensure correct initial design of interaction traindoor / Platform screen doors

person), Electrocution

3.6.4 Person fall Overcrowded situations, Panic, Unawareness of Passenger

Injury of person

Installation of Platform Screen Doors



Injury of person

Electrocution

Critical Ensure correct initial design of precautions

Incorrect Injury of Electrocut Critical Ensure correct inspection andIncorrect maintenance of precautions

Injury of person

Electrocution


3.7 Electrocution



0 1a 1b 2 3 4





Hazard Cause





3.7.1 Difference of potential between train and other equipment

Faulty design Electrocution

Critical Ensure correct initial design of train and other railway/metro equipment

Considering the possibility of potential differences


Electrocution

Critical Ensure correct inspection and maintenance to prevent potentialmaintenance ion maintenance to prevent potential differences

3.7.2 Contact with train power supply

Faulty design of train power supply

Electrocution

Critical Ensure correct initial design of train power supply

Considering the position of the power supply in connection to the passengers, to cover the power supply against contact of persons

Incorrect Electrocut Critical Ensure correct inspection and maintenance of train power supply

ion maintenance of train power supply



0 1a 1b 2 3 4





Hazard Cause





4 Station Interior Hazards (with no train presence)

4.1 Person struck by falling object


Impact on person

Marginal Ensure correct initial design of station building

Consideration of possibility that objectthat object might fall on persons

Incorrect maintenance of station

Impact on person

Marginal Ensure correct inspection and maintenance of station building

Prevention of object fall on person, neither caused by maintenance works or during works

4.2 Person hit by sharp object


Impact on person


Consideration of possibility that sharp object might hitobject might hit persons


Impact on person


Prevention of sharp object hits person, neither caused by maintenance works or during works

4.3 Person hurt by protruding object


Impact on person


Consideration of possibility that protruding objects might hurt personhurt person



0 1a 1b 2 3 4





Hazard Cause






Impact on person


Prevention of that protruding object might hurt person, neither caused by maintenance maintenance works or during works

4.4 Wheelchair/ baby carriage hazards

4.4.1 Uncontrolled wheelchair/ baby carriage movement


Impact on person


Considering safety for wheelchairs e.g. ramps, lifts, dedicated places.

Incorrect Impact on Marginal Ensure correct inspection and Ensure that all Incorrect maintenance of station

Impact on person


Ensure that all facilities for wheelchairs are properly maintained e.g. cleaning to prevent slippery floors

Panic, rush, hustle

Impact on person

Marginal Prevent panic Prevent overcrowded situations, train delays, criminal acts.

4 4 2 Wh l h i / b b F lt d i I t M i l E t i iti l d i f C id i4.4.2 Wheelchair/ baby carriage rolls over


Impact on person


Considering safety for wheelchairs e.g. ramps, lifts, dedicated places.



0 1a 1b 2 3 4





Hazard Cause






Impact on person


Ensure that all facilities for wheelchairs are properly maintained e.g. cleaning to prevent prevent slippery floors

Panic, rush, hustle

Impact on person

Marginal Prevent panic Prevent overcrowded situations, train delays, criminal acts

4.5 Person fall in station

4.5.1 Person fall4.5.1.1 Obstacles (trip

hazard)Faulty design of station building

Fall of person


Ensure no obstacles are laying aroundbuilding laying around

Insufficient cleaning of station building

Fall of person

Marginal Ensure correct maintenance and cleaning of station building

Ensure no obstacles are laying around

4.5.1.2 Rush/ hustle Overcrowded situation due to faulty design of station

Fall of person

Catastrophic Ensure correct initial design of station building

Provide enough room for passenger

Overcrowded situation due to train delays

Fall of person


Minimise train delays and following departure/arrival changesg

Criminal or terroristic acts

Fall of person

Critical Prevent criminal or terroristic acts

Supervision of station building, Control entrance



0 1a 1b 2 3 4





Hazard Cause





4.5.1.3 Slippery floor Faulty design of station floor i.e. wrong/slippery material used

Fall of person


Avoid slippery material is used for station floor

Faulty design Fall of Marginal Ensure correct initial design of AvoidFaulty design of platform and station - slope of platform or whole station

Fall of person


Avoid jeopardising slope of platform or whole station

Environmental conditions (Humidity, rain, snow ..)

Fall of person


Installation of precautions to minimise influence of environmental forces

Incorrect maintenance of station floor

Fall of person

Marginal Ensure correct inspection, maintenance and cleaning of station floor and precautions of station floor

i.e. insufficient cleaning

station floor and precautions against environment

4.5.1.4 Insufficient lighting

Faulty design of lightning system

Fall of person

Marginal Ensure correct initial design of lightning system

Consideration of level of brightness

Incorrect maintenance of lightning system

Fall of person

Marginal Ensure correct inspection and maintenance of lightning system

4.5.1.5 Platform faulty design

Badly educated and untrained engineers

Fall of person

Marginal Employ professionals only, sufficient retraining of all employees (especially planning staff)

Insufficient rules and guidelines for planning and design of platforms

Fall of person

Marginal Establish or provide sufficient rules and guidelines for planning and design of platforms



0 1a 1b 2 3 4





Hazard Cause





4.5.2 Escalator hazard Faulty design of escalator e.g. jerk

Fall of person

Critical Ensure correct initial design of escalator

Consideration that it is dangerous if escalator moves ways too fast or stops suddenlystops suddenly

Incorrect maintenance of escalator

Fall of person

Marginal Ensure correct inspection and maintenance of escalator

Consideration that it is dangerous if escalator moves ways too fast or stops suddenly

4.5.3 Lift hazard Faulty design of lift - sudden stop or jerk

Fall of person

Marginal Ensure correct initial design of lift Consideration that it is dangerous if lift suddenly stops orstops or moves too fast

Incorrect maintenance of lift

Fall of person

Marginal Ensure correct inspection and maintenance of lift

Consideration that it is dangerous if lift suddenly stops or moves too fast

4.6 Person falls/intrudes on station track

4.6.1 Person falls from platform into track

Panic, Suicide,

Fall of person

Electrocution

critical Detection of guideway intrusion on platform

S S S S S Optional device;platform into track Suicide,

inattention, etcperson ion on platform device;

Supervising guideway

4.6.2 Person leaning against PSD which suddenly opens


Fall of person

Electrocution





0 1a 1b 2 3 4





Hazard Cause





4.6.3 Person climbs over PSD and enters track area

Panic, Suicide, Vandalism, etc

Fall of person

Electrocution



Supervise traction power supply - This function is intended to powering on/off of the traction

X X X X X

powering on/off of the traction supply by the operator at the OCC, or locally, either on given sections or on all sections.

4.7 Electrocution in station

4.7.1 Equipment insulation fault

Faulty design of equipment insulation (e.g. too little insulation or too high voltage)

Electrocution

Critical Ensure correct initial design of insulation of equipment

I t El t t C iti l E t i ti dIncorrect maintenance of equipment insulation

Electrocution

Critical Ensure correct inspection and maintenance of equipment insulation

4.7.2 Short circuits Faulty design of equipment

Electrocution



Protect highly critical electronic equipment , e.g. short circuit protection



Electrocution




0 1a 1b 2 3 4





Hazard Cause





4.7.3 Criminal acts Insufficient security precautions (e.g. not enough security personnel or

Electrocution

Critical Provide sufficient platform/station supervision

E.g. by CCTV or personnel

personnel or technical supervision)

Critical Design of station considering criminal acts (security aspect)

Protect highly critical components even against criminal acts

4.7.4 Contact with train power supply

Faulty design - insufficient boundary/warnings to protect passenger

Electrocution

Critical Ensure correct initial design of train power supply

Considering the position of the power supply in connection to the passengers, to cover thecover the power supply against contact of persons

Incorrect maintenance of power supply - no protection of passenger

Electrocution

Critical Ensure correct inspection and maintenance of train power supply

4.8 Smoke4.8.1 Fire Faulty design

of station - combustible

Asphyxiation, Contamin

Catastrophic Ensure correct initial design of station building

Minimise the use of combustible

material used ation, Burns

material - and therefore the likelihood of ignition of fire



0 1a 1b 2 3 4





Hazard Cause





Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.


Supervise infrastructure ThisSupervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.

Maintenance error

Asphyxiation, Contamination, Burns

Catastrophic Ensure correct inspection and maintenance on station building and fire protection equipment i.e. smoke detectors



Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.and escalators.

4.8.2 Chemical reaction Faulty design of station - use of toxic material


Catastrophic Ensure correct initial design of station

Minimise the use of toxic material



0 1a 1b 2 3 4





Hazard Cause








Maintenance error





Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators. and escalators.

4.8.3 Emission of smoke through failure

Faulty design of station (e.g. pipe work - leakage)



E.g. minimise leakage of pipe works



0 1a 1b 2 3 4





Hazard Cause







S i i f t t ThiSupervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.

Maintenance error





Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans

d l tand escalators.

4.8.4 Air renewal failure Faulty design of station (e.g. air conditioning system)


Catastrophic Ensure correct initial design of station i.e. air renewal system



0 1a 1b 2 3 4





Hazard Cause







Supervise infrastructure - ThisSupervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.

Maintenance error


Catastrophic Ensure correct inspection and maintenance of air renewal system and fire protection equipment i.e. smoke detectors



Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalatorsand escalators.

4.9 Explosion



0 1a 1b 2 3 4





Hazard Cause





4.9.1 Criminal act Insufficient security precautions (e.g. not enough security personnel or

Explosion Catastrophic Design of station considering criminal acts (security aspect)

E.g.: No paper bin, Light and open station buildings


Provide sufficient platform/station supervision

E.g.: By CCTV or personnel

4.9.2 Maintenance error Insufficient training or badly educated staff

Explosion Catastrophic Employ trained and well educated staff only


Supervise adherence of maintenance procedures

4.9.3 Faulty design, improper design

Insufficient training or badly educated staff



Establish guidelines Consideration of explosion during planning phase

Establish quality management Verification and Validation procedures

4.9.4 Explosive material storage

Wrong storage

Explosion Catastrophic Correct station design considering the storage of explosive material

Ensure correct inspection and maintenance of storage equipment



0 1a 1b 2 3 4





Hazard Cause





4.9.5 Explosive products transported by passenger

Any reason Explosion Catastrophic Detain passenger from entering station with explosive products

Control of passenger when entering station via security guards and technical systemssystems

4.10 Fire in station4.10.1 Inflammable

material usedFaulty design of station

Fire Catastrophic Ensure correct initial design of station

Prevent usage of (highly) inflammable material


S S S S S Optional device;E.g. Fire/Smoke detectors


Incorrect maintenance on station

Fire Catastrophic Ensure correct inspection and maintenance of station






0 1a 1b 2 3 4





Hazard Cause





Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components auxiliaries, including components of signalling system, pumps, fans and escalators.

4.10.2 Ignition Faulty design of station


Prevent usage of material or equipment which easily leads to ignition

Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external

S S S S S Optional device;E.g. Fire/Smokehazardous situations by external

sensors.Fire/Smoke detectors

Supervise infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.



Prevent usage of material ormaintenance

on station maintenance of station of material or

equipment which easily leads to ignition



0 1a 1b 2 3 4





Hazard Cause








4.10.3 Unobstructed spread of fire

Faulty design of station - e.g. insufficient barriers or

ti


E.g. by installation of fire doors or barriers

precautions






0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance on station - e.g. disrespect of maintenance rules


Ensure adherence to maintenance rules e.g. use of temporary fire barriers

rules




4.11 Toxic release 4.11.1 Toxic elements Faulty design

of station by use of toxic elements

Contamination, Burns, Suffocation


Minimise the use of toxic elements during planning and construction

Incorrect maintenance - incorrect use of toxic elements

Contamination, Burns, Suffocation

Catastrophic Ensure correct inspection and maintenance of station

Minimise the use of toxic elements during maintenance; Prevent maintenance errors while working on toxic elements



0 1a 1b 2 3 4





Hazard Cause





5 Depot Hazards5.1 Staff injured by

operation of machines and equipment

Faulty design of machines and equipment

Impact on persons (object striking person), Cuts,

Critical Ensure correct initial design of machines and equipment for operation in depot

Cuts, Contamination, Asphyxia, Burns, Electrocution

Insufficient precautions against injuries - insufficient safety at work

Impact on persons (object striking person), Cuts, Contamination,

Critical Establish rules and procedures for safety at work and operations - supervise their adherence

ation, Asphyxia, Burns, Electrocution

Insufficient educated and trained staff

Impact on persons (object striking person), Cuts, Contamination, Asphyxia, Burns

Critical Ensure well educated and well trained staff at depot

Burns, Electrocution



0 1a 1b 2 3 4





Hazard Cause





5.2 Shunting hazards Insufficient safety at work -insufficient operational rules

Collision, Derail-ment, Injury of staff

Critical Severity "Critical" justified by category Depot Hazard, less

Establish rules and procedures for safety at work and operations - supervise their adherence

E.g. Shunting rules and procedures, Shunting areas or times

less person exposed

Insufficient educated and trained staff - disrespect of procedures


Critical Severity "Critical" justified by category Depot Hazard, less person exposed

Ensure well educated and well trained staff at depot

5.3 Undue train / Unoccupied or Collision, Critical Severity Determine Movement Authority S S S S S Examples of 5.3 Undue train / vehicle enters operation area

Unoccupied or unsupervised vehicles


Critical Severity "Critical" justified by category Depot Hazard, less person exposed



Supervise shunting area E.g. by personnel of CCTV

Installation of mechanical barriers

E.g. derailer



0 1a 1b 2 3 4





Hazard Cause





5.4 Passenger in depot area

Passenger still in train after service; Insufficient precautions against passenger

Injury of person

Critical Ensure passenger are all gone after termination of service

E.g. by: Train interior check (whether empty or not), before taking out of service; Announcement passenger

entering depotAnnouncement inside train, when train will be taken out of service; Possibility for emergency-call inside train

Insufficient precautions against passenger entering depot

Injury of person

Critical Protect depot against passenger entrance

E.g. by: Barriers

entering depot

5.5 Staff run over by train

Unoccupied or unsupervised vehicles; Insufficient precautions (safety at work); Operational mistakes/ failure

Injury of person

Critical Determine Movement Authority Limit - To ensure safe train movement, this function determines for each train its limit of the MA, corresponding to the first danger point ahead of the train.


Supervise shunting area E.g. by personnel of CCTVCCTV

Insufficient safety at work -insufficient operational rules

Injury of person

Critical Establish rules and procedures for safety at work and operations - supervise their adherence

E.g. Shunting rules and procedures, Shunting areas or times



0 1a 1b 2 3 4





Hazard Cause





Insufficient educated and trained staff - disrespect of procedures

Injury of person

Critical Ensure well educated and well trained staff at depot



0 1a 1b 2 3 4





Hazard Cause





6 OCC Hazards6.1 Fire in OCC

6.1.1 Inflammable material used

Faulty design of OCC

Fire Catastrophic Ensure correct initial design of OCC





Incorrect maintenance on OCC

Fire Catastrophic Ensure correct inspection and maintenance on OCC




Supervise infrastructure - This function is intended to provide function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of signalling system, pumps, fans and escalators.



0 1a 1b 2 3 4





Hazard Cause





6.1.2 Ignition Faulty design of OCC






Incorrect maintenance on OCC







0 1a 1b 2 3 4





Hazard Cause







Faulty design of OCC - e.g. insufficient barriers or precautions


E.g. by installation of fire doors or barriers




Incorrect maintenance on OCC - e.g. disrespect of maintenance


Ensure adherence to maintenance rules e.g. use of temporary

rulesp y

fire barriers





0 1a 1b 2 3 4





Hazard Cause






6.2 Electrocution in OCC

6.2.1 Equipment insulation fault

Faulty design of equipment insulation (e.g. too little insulation or too high voltage)

Electrocution



Electrocution


of equipment insulation

q pinsulation

6.2.2 short circuits Faulty design of equipment

Electrocution






Electrocution

Critical Ensure correct inspection and maintenance of equipmentmaintenance

of equipmention maintenance of equipment



0 1a 1b 2 3 4





Hazard Cause





6.2.3 Criminal act Insufficient security precautions (e.g. not enough security personnel or

Electrocution

Critical Provide sufficient supervision around and inside of OCC

E.g. by CCTV or personnel; Entrance control at OCC


Design of OCC considering criminal acts (security aspect)

Protect highly critical components even against criminal acts

6.3 Explosion in OCC

6.3.1 Criminal act Insufficient security precautions (e.g. not enough

Explosion Catastrophic Design of OCC considering criminal acts (security aspect)

gsecurity personnel or technical supervision)

Provide sufficient supervision around and inside of OCC


6.3.2 Maintenance error Insufficient training or badly educated staff


Training and education of staffTraining and education of staff

Supervise adherence of maintenance procedures






0 1a 1b 2 3 4





Hazard Cause





Training and education of staff Establish guidelines Consideration

of explosion during planning phase

E t bli h lit t V ifi tiEstablish quality management Verification and Validation procedures

6.4 Building collapse Mistaken design of OCC building

Severe injury of person

Catastrophic Ensure correct initial design of building of OCC

Incorrect maintenance or construction work


Catastrophic Ensure correct inspection and maintenance of building

Insufficient precautions against potential


Catastrophic Ensure correct initial design of building of OCC - Design of precautions against environmental forcespotential

environmental forces


Crminal/ terroristic acts


Catastrophic Design of OCC considering criminal acts (security aspect)

Provide sufficient supervision around and inside of OCC


6.5 Terrorism, Attacks, Criminal Acts

Insufficient precautions against criminal or


Catastrophic Ensure correct initial design of OCC building considering the possibility of terroristic or criminal acts

terroristic actEntrance supervision of staff and visitorsProvide sufficient supervision around and inside of OCC

6.5.1 Software Intrusion See WP 9



0 1a 1b 2 3 4





Hazard Cause





6.6 Radiation in OCC

6.6.1 Radiation from equipment

Faulty design of OCC equipment

Burns of staff

Critical Ensure correct initial design of OCC equipment considering the possibility of radiation

6.6.2 Foreign radiation/ Faulty design Burns of Critical Minimise the impact of foreign Strong Fields of OCC

equipment insufficient precaution

staff radiation and strong fields

6.7 Asphyxiation / toxication in OCC

6.7.1 Smoke Fire Burns, Asphyxia, Suffocation



6.7.2 Air renewal failure System damaged

Asphyxiation,

Catastrophic Supervise other safety relevant Inputs - This function is intended

S S S S S Optional device;

Suffocation


E.g. Fire/Smoke detectors



0 1a 1b 2 3 4





Hazard Cause





7 Maintenance Hazards

7.1 Staff injured by operation of machines and equipment

7.1.1 Insufficient education / training

Bad company management

Impact on persons (object striking person), Cuts, Contamination, Asphyxia, Burns, Electrocution

Critical Establish a company wide safety culture to ensure the importance of safety (i.e. safety at work)

Ensure regular and adequate training coordinated for eachtraining coordinated for each individual working group or department

Lazy workers Impact on persons (object striking person), Cuts, Contamination, Asphyxia, Burns, Electrocution

Critical Employ staff which is willing to learn



0 1a 1b 2 3 4





Hazard Cause





Unqualified tutors

Impact on persons (object striking person), Cuts, Contamin

Critical Control/test of quality of training (teachers as well as staff) - Approval/certificate of quality

Contamination, Asphyxia, Burns, Electrocution

Mismanagement of maintenance alarms

Injury of person

Fire Critical Maintenance procedures at depot

Clarify responsibility of maintenance alarm between dispatcher, OCC, Depot, Maintenance CrewMaintenance Crew

7.1.2 Disregard of safety regulations

Insufficient supervision of adherence of safety regulations

Impact on persons (object striking person), Cuts, Contamination, Asphyxia, Burns, Electrocution

Critical Ensure adherence to safety regulations by regular and strict supervision



0 1a 1b 2 3 4





Hazard Cause





Stress/ work overload

Impact on persons (object striking person), Cuts, Contamin

Critical Establish procedures to cope with stress or work overload

Staff as well as management

Contamination, Asphyxia, Burns, Electrocution


Injury of person


Clarify responsibility of maintenance alarm between dispatcher, OCC, Depot, Maintenance Crew

7 1 3 Insufficient Faulty design Fall of Critical Supervise Intrusion Detection / S S S S S Optional7.1.3 Insufficient lighting

Faulty design Fall of person, Electrocution, Object striking person



7.2 Electrocution / Lightning

7.2.1 Staff too close to power supply

7.2.1.1 Improvidence by Insufficient Electrocut Critical Training and education of staff 7.2.1.1 Improvidence by staff



Critical Training and education of staff



0 1a 1b 2 3 4





Hazard Cause





Establish a company wide safety culture to ensure that it is for the good of employee and company to work correct and thoughtful

Stress / work l d

Electrocuti B

Critical Establish procedures to cope ith t k l d

Staff as well as toverload ion, Burns with stress or work overload management

7.2.1.2 Staff on guideway procedures / behaviour




Stress / work overload




Faulty design of guideway i.e. too little protection of


Critical Ensure correct initial design of guideway to protect staff and provide sufficient room for maintenance worksprotection of

electronic components

maintenance works

Incorrect maintenance procedures


Critical Establish clear and understandable maintenance procedures

Disregard of maintenance procedures


Critical Supervise adherence of maintenance procedures

7.2.1.3 Faulty power shutdown

Incorrect maintenance procedures






proceduresInsufficient training or badly educated staff





0 1a 1b 2 3 4





Hazard Cause









Communication problem between staff


Critical Ensure communication procedures to avoid misunderstandings

Incorrect design of power supply


Critical Ensure correct initial design of power supply system to prevent faulty power shutdown

7.2.2 Short circuits7.2.2.1 Equipment

insulation failureFaulty design of insulation equipment insulation



Incorrect maintenance on insulation of equipment


Critical Ensure correct inspection and maintenance of equipment insulation

7.2.2.2 Short circuits due Faulty design Electrocut Critical Ensure correct initial design of Consideration 7.2.2.2 Short circuits due to maintenance action


Electrocution






Electrocution


7 3 Staff endangered7.3 Staff endangered by moving train



0 1a 1b 2 3 4





Hazard Cause





7.3.1 Insufficient information about maintenance on track

Insufficient communication between staff


Critical Provide communication with staff - This function is intended to provide voice and data communication notably between staff fulfilling different functions for operation and maintenance.

Establish information and communication system to ensure that all participating participating parties are well informed about maintenance work (between OCC, Maintenance Crew and Driver)

Insufficient maintenance procedures



Clear wording while communication

t- prevents misunderstandings





Injury of person


Clarify responsibility of maintenance alarm between dispatcher, OCC, Depot, M i t CMaintenance Crew



0 1a 1b 2 3 4





Hazard Cause





7.3.2 Insufficient warning to track workers

Insufficient communication between staff


Critical Provide communication with staff - This function is intended to provide voice and data communication notably between staff fulfilling different functions for operation and maintenance.

Establish information and communication system to ensure that all participating participating parties are well informed about maintenance work (between OCC, Maintenance Crew and Driver)

Insufficient warning system


Critical Establish warning system E.g. by personnel or technicaly p




Clear wording while communication - prevents misunderstandings




7.3.3 Risky behaviour Insufficient maintenance procedures



Clear wording while communication - prevents

i d t dmisunderstandings






0 1a 1b 2 3 4





Hazard Cause








Stress / work l d

Severe i j f

Critical Establish procedures to cope ith t k l d

Staff as well as toverload injury of

personwith stress or work overload management

7.3.4 Insufficient training

Bad company management


Critical Establish a company wide safety culture to ensure the importance of safety (i.e. safety at work)

Ensure regular and adequate training coordinated for each individual working group or department

Lazy workers Severe injury of person

Critical Employ staff which is willing to learn

Unqualified tutors


Critical Control/test of quality of training (teachers as well as staff) - Approval/certificate of qualityperson Approval/certificate of quality

7.4 Obstacles on guideway or walkway

7.4.1 Fallen tree, branches, crane

Environmental forces

Injury of member of maintenance crew

Critical Correct initial design of guideway and walkways considering the possibility of fallen trees, braches or cranes (e.g. installation of precautions - protection against environmental forces)

E.g.: Ensure trees and cranes should have a minimum distance to guideway and walkways

Supervision of guideway, p g ywalkway and adjacent area and eventual warning of maintenance crew



0 1a 1b 2 3 4





Hazard Cause





7.4.2 Fallen from bridge Incorrect design of bridges


Critical Correct initial design of bridge considering the possibility of fallen objects from bridge (e.g. installation of precautions like fences or barriers on bridge)

S i i f idSupervision of guideway, walkway and adjacent area and eventual warning of maintenance crew

Incorrect maintenance of bridges


Critical Ensure correct execution of maintenance works on bridge

Supervision of guideway, walkway and adjacent area and eventual warning of maintenance crew

Avoid maintenance works under bridge which is under under construction

7.4.3 Blown by wind Insufficient installation of precautions against obstacles blown on guideway


Marginal Correct initial design of guideway and walkways considering the possibility of objects might be blown on guideway or walkway (e.g. installation of precautions like fences or barriers on guide and walkway)


7.4.4 Guideway structural failure



Critical Ensure correct initial design of guideway



0 1a 1b 2 3 4





Hazard Cause






Incorrect maintenance on guideway

Injury of member of

Critical Ensure correct inspection and maintenance on guideway

on guideway of maintenance crew


Environmental forces like earthquakes


Critical Ensure correct initial design of guideway considering the possibility of earthquakes

S f SSupervision of guideway, walkway and adjacent area and eventual warning of maintenance crew

Supervision includes earthquake detection

7.4.5 Faulty design Insufficient training or badly educated staff



Insufficient quality management procedures

Injury of member of maintena

Critical Ensure adequate quality management procedures

nce crew

7.4.6 Infrastructure failure

Faulty design of infrastructure


Critical Ensure correct initial design of infrastructure



0 1a 1b 2 3 4





Hazard Cause






Incorrect maintenance on

Injury of member of

Critical Ensure correct inspection and maintenance on infrastructure

on infrastructure

of maintenance crew


Environmental forces like earthquakes


Critical Ensure correct initial design of infrastructure considering the possibility of earthquakes

Supervision of guideway SupervisionSupervision of guideway, walkway and adjacent area and eventual warning of maintenance crew

Supervision includes earthquake detection

7.4.7 Forgotten/ non orderly left after maintenance






Injury of member of maintena


nce crew






0 1a 1b 2 3 4





Hazard Cause









7 4 8 Forgotten/ non Insufficient Injury of Critical Establish clear and Clear wording7.4.8 Forgotten/ non orderly left after evacuation

Insufficient evacuation procedures


Critical Establish clear and understandable evacuation procedures


Disregard of evacuation procedures


Critical Supervise adherence of evacuation procedures

Insufficient training or badly

Injury of member of


badly educated staff

of maintenance crew



Critical Establish procedures to cope with stress or work overload - especially for evacuation cases


7.4.9 Vandalism Faulty design of guideway and walk way - disrespect of possibility of


Critical Ensure correct initial design considering security aspects and potential vandalism

Installation of fences and barriers in order to prevent access

vandalism to guideway and walkway



0 1a 1b 2 3 4





Hazard Cause





Insufficient supervision of guideway and walkways


Critical Supervision of guideway and walkway (personnel or CCTV)

Insufficient removal or cleaning of old damages from vandalism


Critical Remove immediately all damages of vandalism

7.4.10 Corrosion/ oxidation of wayside structures equipment

Faulty design Injury of member of maintenance crew

Critical Ensure correct initial design considering potential corrosion or oxidation


Injury of member

Critical Ensure correct inspection and maintenancemaintenance member

of maintenance crew

maintenance

9.2.1 Flooding Faulty design i.e. insufficient precautions against flooding


Critical Ensure correct initial design considering the possibility of flooding i.e. installation of flooding precautions

Supervision of surrounding area Flooding detection


Injury of member

Critical Ensure correct inspection and maintenance of guideways,

of guideways and flooding precautions

of maintenance crew

g y ,walkways and flooding precautions

Supervision of surrounding area Flooding detection



0 1a 1b 2 3 4





Hazard Cause





7.5 Explosion during maintenance

7.5.1 Maintenance error Insufficient maintenance procedures

Explosion Critical Establish clear and understandable maintenance procedures

Disregard of Explosion Critical Supervise adherence ofDisregard of maintenance procedures

Explosion Critical Supervise adherence of maintenance procedures


Explosion Critical Training and education of staff


Explosion Critical Establish procedures to cope with stress or work overload


7.5.2 Criminal act Insufficient security precautions (e g not

Explosion Critical Design of railway equipment/building/constructions considering criminal acts (security aspect)

Installation of access barriers or fences to(e.g. not

enough security personnel or technical supervision)

(security aspect) fences to railway equipment

Provide sufficient supervision E.g. by: CCTV or personnel


Insufficient procedures or guidelines for design

Explosion Critical Establish clear and understandable procedures and guidelines for planning and design

Disregard of procedures or

Explosion Critical Supervise adherence of procedures and guidelines

E.g. by: Validation and procedures or

guidelinesprocedures and guidelines Validation and

verification procedures





0 1a 1b 2 3 4





Hazard Cause








7.5.4 Inadequate storage

Faulty design of storage equipment

Explosion Critical Ensure correct initial design of railway equipment considering adequate storage possibilities

Insufficient procedures regarding storage

Explosion Critical Establish clear and understandable procedures and guidelines for planning and design

Disregard of procedures for storage

Explosion Critical Supervise adherence of procedures for storage



Stress / work Explosion Critical Establish procedures to copeStress / work overload


7.6 Fire during maintenance

7.6.1 Explosion during maintenance

see 7.5

7.6.2 Inflammable material

Insufficient procedures regarding the use of inflammable material

Fire Critical Establish clear and understandable procedures for the use of inflammable material

Includes rules for correct clothing and adequate working equipment

Disregard of procedures for the use of inflammable material

Fire Critical Supervise adherence of procedures and rules



0 1a 1b 2 3 4





Hazard Cause






Fire Critical Training and education of staff


Fire Critical Establish procedures to cope with stress or work overload

Staff as well as managementoverload with stress or work overload management

7.6.3 Ignition Insufficient procedures regarding the ignition of fire

Fire Critical Establish clear and understandable procedures regarding the potential of ignition


Disregard of procedures for the use of inflammable material


Insufficient Fire Critical Training and education of staffInsufficient training or badly educated staff






Insufficient procedures regarding unobstructed speed of fire

Fire Critical Establish clear and understandable procedures regarding the potential of unobstructed spread of fire


Disregard of Fire Critical Supervise adherence ofDisregard of procedures regarding fire protection




0 1a 1b 2 3 4





Hazard Cause









Staff as well as managementoverload with stress or work overload management

7.7 Asphyxiation/ toxication

7.7.1 Smoke Insufficient procedures regarding the danger of smoke

Asphyxiation; Contamination

Critical Establish clear and understandable procedures regarding the dangerous potential of smoke


Disregard of procedures regarding smoke


Critical Supervise adherence of procedures and rules








7.7.2 Air renewal failure Insufficient procedures regarding the maintenance of air renewal system


Critical Establish clear and understandable procedures regarding the maintenance of the air renewal system


Disregard of procedures regarding the maintenance of air renewal system





0 1a 1b 2 3 4





Hazard Cause









Asphyxiation;


Staff as well as managementoverload on;

Contamination

with stress or work overload management

7.7.3 Toxic release7.7.3.2 Smoke Insufficient

procedures regarding the danger of smoke


Critical Establish clear and understandable procedures regarding the dangerous potential of smoke - especially regarding toxic releases


Disregard of procedures regarding smoke



Insufficient Asphyxiati Critical Training and education of staffInsufficient training or badly educated staff







7.7.3.3 Toxic elements Insufficient procedures regarding toxic elements


Critical Establish clear and understandable procedures regarding toxic elements


Disregard of procedures regarding toxic elements





0 1a 1b 2 3 4





Hazard Cause









Asphyxiation;


Staff as well as managementoverload on;

Contamination

with stress or work overload management

7.7.3.4 Noxious leakage by maintenance

Insufficient procedures regarding maintenance on pipe works


Critical Establish clear and understandable procedures regarding toxic elements e.g. the maintenance on pipe works


Disregard of procedures regarding maintenance on pipe works










7.8 Inappropriate temperature

7.8.2 Air renewal failure Faulty design Suffocatio Marginal Ensure correct initial design of y gof air renewal system

ng g

air renewal system

Incorrect maintenance of air renewal system

Suffocation

Marginal Ensure correct inspection and maintenance of air renewal system



0 1a 1b 2 3 4





Hazard Cause





7.9 Staff in danger cannot escape guideway

7.9.1 Insufficient/ Obstructed Emergency W lk

Faulty design of emergency walkway


Critical Ensure correct initial design of emergency walkways

WalkwayIncorrect maintenance of emergency walkway


Critical Ensure correct inspection and maintenance of emergency walkways

Obstacles on guideway or walkway

Ensure correct inspection and maintenance of emergency walkways

7.9.2 Emergency Exits/ Access Protection Closed

Faulty design of emergency exits or accesses


Critical Ensure correct initial design of emergency exits and accesses

Incorrect maintenance of emergency exits or accesses


Critical Ensure correct inspection and maintenance of emergency exits and accesses

7.9.3 Captured by broken down structures, fires etc.



Critical Ensure correct initial design of guideway

Consideration of possible brake downs, fire, flooding, explosions



Critical Ensure correct inspection and maintenance on guideway

of guideway person7.10 Radiation

7.10.1 Radiation from equipment

Faulty design of equipment e.g. train, buildings

Burns, Suffocation

Critical Ensure correct initial design of equipment considering the possibility of radiation

E.g. construction of heat barriers



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance on equipment e.g. Trains, buildings

Burns, Suffocation

Critical Ensure correct inspection and maintenance on equipment considering the possibility of radiation

7.10.2 Foreign radiation Faulty design of vehicle

Burns, Suffocatio

Critical Minimise the impact of foreign radiation and strong fields

Adequate system designof vehicle,

buildings, surrounding facilities e.g. insufficient precaution

Suffocation

radiation and strong fields system design (plan precautions against these unavoidable hazards)

Ensure correct inspection and maintenance of precautions

7.11 Staff caught in equipment

7.11.1 Staff caught in machinery

Faulty design of machinery

Cuts, Burns, Electrocution,

Critical Ensure correct initial design of machinery

Ensure healthy use of machines

ion, Contaminations

Insufficient procedures regarding correct use of machinery

Cuts, Burns, Electrocution, Contaminations

Critical Establish clear and understandable procedures regarding the use of machinery

Disregard of procedures regarding use of machinery





Critical Training and education of staff Special training for each type of machinery



0 1a 1b 2 3 4





Hazard Cause









7 11 2 Staff ca ght Faulty design Cuts Critical Ensure correct initial design of Ensure healthy7.11.2 Staff caught in moving equipment (switch,…)

Faulty design of moving equipment

Cuts, Suffocation

Critical Ensure correct initial design of moving equipment

Ensure healthy use of moving equipment

Insufficient procedures regarding correct use and handling of moving equipment

Cuts, Suffocation

Critical Establish clear and understandable procedures regarding the use moving equipment

Disregard of procedures

Cuts, Suffocation



Cuts, Suffocation

Critical Training and education of staff Special training for each type of machinery


Cuts, Suffocation





0 1a 1b 2 3 4





Hazard Cause





8 Emergency and Evacuation Hazards

8.1 People hit by train: involved track, adjacent tracktrack

8.1.1 Evacuation not signalled

Geographical/ structural circumstances (i.e. potential evacuation behind bridges, turns etc)

Derail-ment, Collision, Objects striking person, Fall of person


X X X X S Ensuring detection and management of emergency situations; Enlarge evacuation area at difficult sites

No signalling signs available

Derail-ment, Collision, Objects striking

Catastrophic Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which

X X X X S Ensuring detection and management of emergency situationsstriking

person, Fall of person

passengers in areas in which they are not normally permitted.

situations

8.1.2 OCC failure Communication system failure (i.e. OCC has only insufficient or wrong information)




Provide communication with staff - This function is intended to provide voice and dataprovide voice and data communication notably between staff fulfilling different functions for operation and maintenance.



0 1a 1b 2 3 4





Hazard Cause





Stress / work overload for staff

Derail-ment, Collision, Objects striking person, Fall of



Fall of person

Establish procedures to cope with stress or work overload

Insufficient rules or procedures regarding emergency cases and evacuation




Establish clear and easy-understandable emergency and evacuation procedures

Disregard of Derail- Catastrophic Supervise adherence ofDisregard of evacuation and emergency procedures


Catastrophic Supervise adherence of emergency and evacuation procedures

8.1.3 Undetected passengers by evacuation

Communication problems or failures (i.e. staff has only insufficient or wrong information)




p

Provide communication with staff - This function is intended to provide voice and data communication notably between staff fulfilling different functions for operation and maintenance.



0 1a 1b 2 3 4





Hazard Cause





Stress / work overload for staff

Derail-ment, Collision, Objects striking person, Fall of



Fall of person


Darkness Derail-ment, Collision, Objects striking person, Fall of person


X X X X S Ensuring detection and management of emergency situations; Ensure sufficient lightning during evacuation

Geographical / structural

Derail-ment

Catastrophic Supervise evacuation - This function is intended to supervise

X X X X S Ensuring detection andstructural

demanding area

ment, Collision, Objects striking person, Fall of person

function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.

detection and management of emergency situations; Establish special procedures for these demanding areas

8.1.4 Passenger trapped in equipment

8.1.4.1 Caught by a moving switch

No evacuation area defined

Trapping of person

Critical Supervise evacuation - This function is intended to supervise

X X X X S Ensuring detection and moving switch area defined

by OCCof person function is intended to supervise

passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.

detection and management of emergency situations



0 1a 1b 2 3 4





Hazard Cause





Insufficient rules and procedures for emergency cases and evacuation to guide a

Trapping of person

Critical Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.


guide a structured evacuation - Passenger leaving accident site

Ensure rules and procedures for emergency cases and evacuation

8.1.4.2 Person jammed in lift or escalator

No evacuation area defined by OCC - Lift and escalators continue operation

Trapping of person

Critical Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which the are not normall permitted

X X X X S Ensuring detection and management of emergency situations; Ens re liftsoperation

during evacuation or emergency case

they are not normally permitted. Ensure lifts and escalator stop operation in case of emergency

Insufficient rules and procedures for emergency cases and evacuation to guide a structured

Trapping of person

Critical Ensure rules and procedures for emergency cases and evacuation

Ensure no person is jammed in lift or escalator

evacuation



0 1a 1b 2 3 4





Hazard Cause





8.1.4.3 Passenger trapped in doors (limb of passenger, clothes, bags, other objects from passenger leash)

Untimely or wrong train door closing command

Trapping of person

Critical Manage train door closing - This function is intended to manage the train door closing at stations.


passenger, leash)

8.1.4.4 Person jammed in swing door or track access door

Untimely swing door or track access door command

Trapping of person

Critical Manage swing doors or track access doors in case of emergency

8.1.5 Inappropriate emergency egress

8.1.5.1 Emergency egress blocked

Faulty design Passenger hit by train

Catastrophic Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of

X X X X S Ensuring detection and management of emergency


situations

Ensure correct initial design of emergency exits and accesses

Blocked by construction site

Passenger hit by train



Ensure correct planning of construction sites



0 1a 1b 2 3 4





Hazard Cause





Blocked due to environmental forces (snow, obstacles blown by wind ..)




..)

Ensure correct design of infrastructure

Consideration of environmental forces and installation of precautions to protect emergency egresses

8.1.5.2 Emergency egress not appropriated maintenance

Insufficient procedures regarding correct


Catastrophic Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of

X X X X S Ensuring detection and management of emergencymaintenance

(rusted...)correct maintenance

system covers the protection of passengers in areas in which they are not normally permitted.

of emergency situations

Establish clear and understandable procedures regarding correct maintenance





Supervise adherence of procedures and rules



0 1a 1b 2 3 4





Hazard Cause









Training and education of staff Stress / work overload






8.1.5.3 Emergency Faulty design Passenge Catastrophic Supervise evacuation - This X X X X S Ensuring 8.1.5.3 Emergency egress inappropriate signed

Faulty design of emergency egress signs


Catastrophic Supervise evacuation This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.


Ensure correct initial design of emergency exits and accesses

Signs are missing due to vandalism




they are not normally permitted.

Ensure correct initial design of signs - protection against vandalism

E.g. by: Fences, barriers

Supervision of infrastructure E.g. by: CCTV or personnel



0 1a 1b 2 3 4





Hazard Cause





Signs are missing due environmental forces i.e. extreme wind




Ensure correct initial design of signs - protection against environmental forces

Signs are blocked by construction site




Ensure correct planning of construction sites

8.1.6 Inadequate walkway

8.1.6.1 Missing walkway Faulty design of infrastructure




Ensure correct initial design of infrastructure: including emergency walkways

8.1.6.2 Obstructed walkway

Faulty design of walkways

Passenger hit by


X X X X S Ensuring detection andwalkway of walkways r hit by

trainfunction is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.




0 1a 1b 2 3 4





Hazard Cause





Ensure correct initial design of walkways

Incorrect maintenance of walkways



X X X X S Ensuring detection and management of emergency situationspassengers in areas in which

they are not normally permitted. situations

Ensure correct inspection and maintenance of walkways

Obstruction due to environmental forces e.g. snow, object blown by wind




Ensure correct initial design of Consideration walkways of


Obstruction due to vandalism





Consideration of vandalism

8.1.6.3 Important gap from walkway to

Faulty design of walkway

Passenger hit by


X X X X S Ensuring detection andfrom walkway to

platformof walkway r hit by






0 1a 1b 2 3 4





Hazard Cause





8.1.6.4 Walkway on the other side of the access door






8.1.6.5 Inadequate size / arrangement






8.1.6.6 Walkway opposed t th l tf


Passenger hit by


X X X X S Ensuring detection andto the platform of walkways r hit by




8.1.6.7 Handrail failure Faulty design of walkways i.e. handrail





Consideration of correct design of handrails



0 1a 1b 2 3 4





Hazard Cause





Incorrect maintenance of walkways i.e. handrail





Consideration of correct maintenance of handrails

8.1.6.8 Insufficient lighting on walkway

Faulty design of walkways i.e. lightning on walkways





Consideration of lightningwalkways of lightning

Incorrect maintenance of walkways i.e. lightning on walkways





Consideration of correct maintenance of lightning

8.1.7 Passenger t d i t i

Untimely or no d l i

Fall of Critical Supervise evacuation - This f ti i i t d d t i

X X X X S Ensuring d t ti dtrapped in train door closing person

inside train

function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.




0 1a 1b 2 3 4





Hazard Cause







Provide communication with staff - This function is intended to provide voice and dataprovide voice and data communication notably between staff fulfilling different functions for operation and maintenance.

Insufficient emergency egress on train

Fall of person inside train




Installation of emergency egress on windows and doors

8.2 Burn / fire8.2.1 Undetected

passengers by evacuation

8.2.1.6 Panic / rush / hustle

Inadequate evacuation

Burns, Asphyxia,


X X X X S Ensuring detection and

procedures Suffocation

passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.

management of emergency situations



0 1a 1b 2 3 4





Hazard Cause





Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components auxiliaries, including components of the signalling system, pumps, fans and escalators.


Inappropriate emergency egress

Burns, Asphyxia, Suffocation

Catastrophic Ensure correct initial design of emergency exits and accesses

Inadequate walkway

Burns, Asphyxia, Suffocatio

Catastrophic Ensure correct initial design of emergency walkways

Suffocation

8.2.2 Passenger trapped in train

Untimely or no door opening






P id i ti ith t ffProvide communication with staff - This function is intended to provide voice and data communication notably between staff fulfilling different functions for operation and maintenance.



0 1a 1b 2 3 4





Hazard Cause







Supervise Infrastructure ThisSupervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.

Insufficient emergency egress on train






Installation of emergency egress on windows and doors

Supervise other safety relevant S S S S S Optional Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.

device



0 1a 1b 2 3 4





Hazard Cause





Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components auxiliaries, including components of the signalling system, pumps, fans and escalators.

8.2.3 Passenger trapped in equipment

Any reason Burns, Asphyxia, Suffocation

Catastrophic Ensure correct initial design of train equipment

8.2.4 Inappropriate emergency egress

Faulty design Burns, Asphyxia, Suffocation

Catastrophic Ensure correct initial design of emergency exits and accesses

Inappropriate Burns, Catastrophic Emergency and evacuation emergency and evacuation procedures

Asphyxia, Suffocation

procedures

8.2.5 Train enters section with fire in progress

wrong operational decision / failure of communication OCC - Train


Catastrophic Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.

P id i ti ith t ffProvide communication with staff - This function is intended to provide voice and data communication notably between staff fulfilling different functions for operation and maintenance.



0 1a 1b 2 3 4





Hazard Cause







Ensure correct inspection and maintenance of air renewal system and fire protection equipment i.e. smoke detectors

Establish clear and understandable procedures regarding the potential of unobstructed spread of fire

8.2.6 Train stops at station with fire in progress

wrong operational decision / failure of communication OCC - Train






Ensure correct inspection and maintenance of air renewal system and fire protection equipment i.e. smoke detectors

Establish clear and understandable procedures regarding the potential of unobstructed spread of fire

8.3 Asphyxiation / toxication



0 1a 1b 2 3 4





Hazard Cause





8.3.1 Smoke Fire Burns, Asphyxia, Suffocation


S S S S S Optional device;E.g.: Smoke / fire detection

Supervise Infrastructure - ThisSupervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.

Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which th t ll itt d



8.3.2 Air renewal failure System damaged due to accident

Asphyxiation, Suffocation



Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical ecessa y act o s o c t caauxiliaries, including components of the signalling system, pumps, fans and escalators.



0 1a 1b 2 3 4





Hazard Cause





Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.


8.3.3 Toxic release Leakage e.g. By freight train, storage




Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps,of the signalling system, pumps, fans and escalators.



Ensure evacuation procedures regarding toxic material

8.4 Electrocution /8.4 Electrocution / lightning



0 1a 1b 2 3 4





Hazard Cause





8.4.1 Persons too close to equipment for power supply

Inadequate evacuation procedures






X X X X X

Doors open on wrong side off train


Catastrophic Supervise evacuation - This function is intended to supervise passenger evacuation Such

X X X X S Ensuring detection and managementoff train passenger evacuation. Such



8.4.2 Power shutdown failure

No communication to OCC






0 1a 1b 2 3 4





Hazard Cause





Incorrect cut-off of power supply rail during evacuation (wrong section is cut-off) ,


Catastrophic Training and education of staff

is cut off) , misunderstanding, communication problems


X X X X X

Reinjection of braking current while track section was cut-off power (during passenger evacuation)


Catastrophic Establish clear and easy-understandable emergency and evacuation procedures

Prevent regenerative braking on all trains that could feed a traction power supply section

X X X X

traction power supply section that has been cut off for passengers or staff protection



0 1a 1b 2 3 4





Hazard Cause





8.4.3 Short circuits Electronical equipment damaged due to accident



Protect critical electronic equipment, e.g. by short circuit protection even against

S S S S S Optional device;Superviseprotection even against

accidentsSupervise other safety relevant Inputs

8.4.4 Electrical equipment abnormally accessible

Equipment damaged by accident



Protect critical electronic equipment, e.g. by short circuit protection even against accidents


8.5 Explosion during Any reason Explosion Catastrophic Supervise other safety relevant S S S S S Optional8.5 Explosion during evacuation

Any reason Explosion Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.


Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.



0 1a 1b 2 3 4





Hazard Cause







8.6 Inappropriate temperature

8.6.1 Air renewal failure Any reason Asphyxiation, Suffocation


8 6 2 Explosion during Any reason Explosion Catastrophic Supervise other safety relevant S S S S S Optional8.6.2 Explosion during evacuation

Any reason Explosion Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.


8.6.3 Burns/fire Any reason Fire Catastrophic Supervise other safety relevant Inputs - This function is intended to supervise the detection of hazardous situations by external sensors.




0 1a 1b 2 3 4





Hazard Cause





8.7 Radiation Any reason (insufficient electromagnetic compatibility (EMC); laser radiation, radiation

Burns, Suffocation

Catastrophic Supervise Infrastructure - This function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components radiation

within the infrared, visible and ultraviolet area)

auxiliaries, including components of the signalling system, pumps, fans and escalators.

8.8 Drowning Any reason, flooding

Drowning, Suffocation


S S S S S Optional device;E.g.: Flooding detection

Supervise Infrastructure - This function is intended to provide function is intended to provide alarms about critical auxiliaries in order to inform the OCC operator: then staff can perform necessary actions on critical auxiliaries, including components of the signalling system, pumps, fans and escalators.






0 1a 1b 2 3 4





Hazard Cause





8.9 Person hurt during evacuation (others)

8.9.1 Passenger fall8.9.1.1 Slippery floor Water or

h i l dFall of Critical Supervise evacuation - This

f i i i d d iX X X X S Ensuring

d i dchemicals due to flooding or fire-fighters

person function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.


Establish clear and easy-understandable emergency and evacuation procedures (in order to prevent further damage)

8.9.1.2 Slope (of platform, rescue walkway )

Platform or walkway hit by train cars

Fall of person

Critical Supervise evacuation - This function is intended to supervise passenger evacuation Such

X X X X S Ensuring detection and managementwalkway, ) train cars passenger evacuation. Such




8.9.1.3 Unadjusted levelling at lift enter/exit (small step)

Lift got hit e.g. by train cars, obstacles

Fall of person

Critical Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of

X X X X S Ensuring detection and management of emergency step) y p


g ysituations



0 1a 1b 2 3 4





Hazard Cause






8.9.1.4 Insufficient lightinglighting

8.9.1.4.1 System breakdown/ default





Design and installation of emergency power system

8.9.1.4.2 Insufficient lighting level





D i d i t ll ti fDesign and installation of emergency power system



0 1a 1b 2 3 4





Hazard Cause





8.9.1.5 Train movement during evacuation

No evacuation area defined

Fall of person




8.9.1.7 Obstacles8.9.1.7.1 Obstacles on

guideway or walkway

Any reason (e.g.: train cars, equipment of fire-fighters)

Fall of person




Free guideways and walkway; Do not obstruct them even in emergency cases

8.9.1.7.2 Obstacles in the train

Any reason (e.g.: Lifeless bodies, Fallen or broken objects)

Fall of person

Critical Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which th t ll itt d






0 1a 1b 2 3 4





Hazard Cause





8.9.1.7.3 Obstacles in the station

Any reason (e.g.: fallen or broken objects e.g. part of bridges, train cars, buildings)

Fall of person



buildings)


8.9.2 Passenger hit by sharp / protruding object

Any reason (e.g.: damaged train cars, building or bridges)

Fall of person




Get passenger as fast as possible out of dangerous area

8.9.3 Passenger caught by moving switch

Inappropriate emergency and evacuation procedures


Marginal Supervise evacuation - This function is intended to supervise passenger evacuation. Such system covers the protection of passengers in areas in which they are not normally permitted.


Emergency and evacuation procedures



0 1a 1b 2 3 4





Hazard Cause





9Environmental influences

9.1 Weather conditions (moderate)

9.1.1 Anything (snow, rain, leaves,


Derail-ment

Collision Catastrophic Regular Inspection and maintenancerain, leaves,

greasy material) on guideway

maintenance or clearance of guideway by crew

ment maintenance

Guideway heatingCheck of weather data

Provide enough staff for clearance works

9.1.2 Wind Inadequate precaution against wind


Marginal Consider wind force during planning and design of railway/metro system

Wind barriers like walls or tunnels

Operational rules to stop all trains in case of extreme wind

9.2 Force of nature9.2 Force of nature9.2.1 Flooding Insufficient

precautionsDerail-ment, Collision


S S S S S Optional device;Water (level) measurement and indicator

Insufficient maintenance of protection constructions


Catastrophic Ensure correct maintenance of flooding gates

Ensure correct initial design considering the possibility of flooding

Insufficient Derail- Catastrophic Supervise other safety relevant S S S S S OptionalInsufficient inspection and maintenance of flooding protection equipment



S S S S S Optional device;Obstacle detection in front of train



0 1a 1b 2 3 4





Hazard Cause





9.2.2 Environmental impact on vehicle (wind, gales)


Derail-ment

Collision Catastrophic Ensure appropriate system-design regarding exceptional environmental conditions (extreme wind etc.)

Establish operational rules e.g. speed reductions at critical areasp

Insufficient maintenance (construction work) on protection constructions

Derail-ment

Collision Catastrophic Correct maintenance and construction work on protection constructions

9.2.3 Avalanche / landslide/ falling stones

Insufficient precautions to protect track




Correct initial design considering the possibility of avalanches or the possibility of avalanches or falling stones





Ensure correct inspection and maintenance on trackEnsure correct inspection and maintenance on flooding protection equipment

Inspection of guideway and surrounding area

9.2.4 Earthquake Inadequate precaution

Person Struck /

Catastrophic Consider earthquakes during planning and design ofprecaution

against earthquakes

Struck / Hurt by Object

planning and design of railway/metro system

Operational rules to stop all trains is case of forecasted earthquake



0 1a 1b 2 3 4





Hazard Cause





9.2.5 Stalactites in tunnel

Insufficient inspection of tunnel




Ensure correct inspection andEnsure correct inspection and maintenance of tunnel

Too much water/ humidity in tunnel




Ensure correct initial tunnel design considering water and general humidity

Inadequate precaution against

Electrocution

Critical Supervise other safety relevant Inputs - This function is intended to supervise the detection of


9.2.6 Lightning

lightning hazardous situations by external sensors.

Documents

WP2 Hazard Analysis Annex D2 - MODSafe · 2011. 12. 9. · 6.4 Building collapse 6.5 Terrorism, Attacks, Criminal Acts 6.6 Radiation in OCC 6.7 asphyxiation / toxication in OCC 7