Euro-Interlocking Generic Hazard List Methodology (2008-12-16)

EUR INTERLOCKING GENERIC HAZARD LIST GUIDELINE


EUR INTERLOCKING

GENERIC HAZARD LIST

GUIDELINE

© UIC 2006

Generic Hazard List Guideline v2.0 Page 3 of 33 Euro-Interlocking Document #EI 5225

EURO-INTERLOCKING

Document Data Sheet

Filing name: Generic Hazard List Guideline v2.0

Document Type: Technical Methods

Last saved: 27.04.06 9:56

Last saved by: Pope

Title of Document: Approach to the Generic Hazard List Method

Languages: Original English

Subject: Generic Hazard List

Pages: 32

Author(s): Drewes, May, Ständer (Tech. Uni. Braunschweig)

Document Right of Use: All UIC

Performing Body: (UIC) Euro-Interlocking / T.U.B

Sponsoring Body: UIC

Approved by Performing Body: M.E. POPE (Euro-Interlocking)

Approved by Sponsoring Body: Dr P WINTER (UIC)

Application Used: Microsoft Word 9.0

Template Name: EI Report6.dot

Abstract: This document is the first delivery version of the methodology


Table of Contents

Table of Contents............................................................................................................3

Abbreviations ..................................................................................................................4

References:.....................................................................................................................5

1. Introduction..........................................................................................................6

2. Hazard list ...........................................................................................................6

2.1 A structured and generic hazard list ....................................................................7

2.2 Hazard - Transitional States ................................................................................7

2.2.1 Accident characteristics.................................................................................10

2.3 System definitions, abstraction layers and boundaries......................................14

2.3.1 Structure of railway systems .........................................................................14

2.3.2 Railway operation..........................................................................................14

2.3.3 Protection of the Railway...............................................................................16

2.3.4 Structure of the environmental system..........................................................19

3. Structure of generic hazards .............................................................................21

4. Hazards .............................................................................................................22

Amendment Sheet ........................................................................................................32


Abbreviations

HazOp: Review of Operational Hazards

UIC: International Union of Railways

UML: Unified Modelling Language


References:

[1] Eriksson, U. (Banverket): Signalling hazard list (2000).

[2] Drewes, J.; May, J.: Szenarienbasierte Methode für einen quantitativen Sicherheitsnachweis nach CENELEC am Beispiel eines realen ETCS-Betriebsprozesses (in German). ZEL-Symposium 2004, Eisenbahn an der Schwelle zum 3ten Jahrtausend, Zilina (2004).

[3] Gemeinsames Signalbuch der Deutschen Bahn AG – 301 DS/DV (in German). September 2002.

[4] Konzernrichtlinie d408 der Deutschen Bahn AG – Züge fahren und Rangieren (in German). October 2002.

[5] Jarefors, H.: Euro-Interlocking Hazard Identification, version 0.1 (2000).

[6] CENELEC Standard EN 50126: Railway applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS). English version; Brussels (2001).

[7] CENELEC Standard prEN 50129: Bahnanwendungen – Sicherheitsrelevante elektronische Systeme für Signaltechnik (in German). Brussels, November 2000.

[8] Euro-Interlocking Glossary.

[9] van der Hoeven, B.; Frenken, L.: EURO-INTERLOCKING Preliminary hazard analysis template, version 0.3 (2002).

[10] Jarefors, H.: EURO-INTERLOCKING – modified signalling hazard list, version 0.2 (2000).

[11] Euro-Interlocking Safety requirements (generated from DOORS), version 7.0 (2003).

[12] Gaudiere, F.: Preliminary hazard list SA-NBS Gesamtsystem, version X0.1 (in German, 2003).

[13] Schnieder, E.: Methoden der Automatisierung – Beschreibungsmittel, Modellkonzepte und Werkzeuge für Automatisierungssysteme (in German) (1999).

[14] Schnieder, E.: Automatisierung von Sicherheitsfunktionen für den Schienenverkehr. In: Automatisierungstechnik (at) Nr. 46 (in German) (1998).


1. Introduction

Hazard lists are a necessary part of system design and implementation, and are usually defined at ‘HazOp’ meetings by a group of experts in the associated technical field. Hazards can, however, be defined in different ways according to the viewer and the target system for which they are being developed. Depending on the domains of the experts gathered in the ‘HazOp’ meeting, the level of abstraction may vary, and the desired or required consistency within the hazard list is therefore often missing. Most available hazard lists are based on a given implementation, using a bottom-up approach that starts from, e.g., a broken screw. But what if the screw does not exist in future implementations? The answer lies in the preparation of a Generic Hazard List from close consideration of the usage of the system or subsystem to which it refers.

In the case of this Guideline, the target is Railway Operations and the linkages between sections of the railway system architecture, e.g. trains, tracks, signalling systems, and other property or personnel, whether employed by the railway, merely travelling on it, or existing alongside it. Whilst railway systems throughout Europe vary in many and subtle ways, not only in their components but also in their functional elements, reducing these systems and their accompanying hazards to a common denominator permits a simpler approach to isolating the applicable safety requirements needed to prevent the hazards. Other documents and processes required by CENELEC, including RAMS requirements, must also be developed in close collaboration with an understanding of their potential hazards. Whilst it is often simpler to define hazards in relation to malfunctions of implementations or even technical systems, the system life cycle according to CENELEC also requires that risk analyses be carried out before system implementation. These are subjects associated with, but not necessarily described in detail in, this document.

This document therefore provides the guideline for a Generic Signalling Hazard List Methodology for railway systems using formal techniques.

2. Hazard list

A hazard list is a collection of possible hazards. It describes situations that are essentially due to failures, malfunctions or other undesired events. If a hazard is not acceptable to the operator or to society, every effort must be made to prevent the hazard from occurring. This can be done by defining functional (safety) requirements for the system, and by providing a system design that reduces the occurrence rate of hazards to As Low As Reasonably Practicable (the ALARP principle). According to [6], hazards are defined to: “State the potential of harming persons and/or things”. In general the consequence of a hazard is “possible damage”.


2.1 A structured and generic hazard list

While the conventional approach to hazard identification relies upon the experience of experts and their reports of historical situations, the methodology applied herein begins with only a single hazard. An example of the application might be a: “Hazard causing possible damage to either persons or things”. The necessary requirement in mitigation would of course be: prevent any person or item from suffering harm. This is a very basic example, but one that nevertheless gives an idea of the process. What it shows is that the actual analysis of possible hazards is done using a top-down approach, starting at the “results” end of the sequence of consequences arising from the undesired state: damage to either things or human beings.

While any damage arising is always preceded by a hazardous state, not every hazardous state will result in damage, as a safe state may result instead. For example, damage caused by a derailment can be due to a broken rail, but not every broken rail must lead to a derailment with any kind of damage. The occurrence of a hazardous state by its nature requires that specific conditions and sequences be fulfilled, e.g. a broken rail must be associated with a railway vehicle movement over it in order to form a hazardous state. Furthermore, each condition may have several pre-conditions, which may themselves require pre-conditions, and so on. The sets of conditions leading to possible hazardous event occurrences, and thence to possible damage, form the input for this generic hazard list. It has proven important to select the same level of abstraction in describing the conditions within a set, in order to maintain consistency and generality.

Since the Interlocking System is integrated into a railway system that incorporates many functional elements, this hazard list is structured according to the railway system as a whole and not just the interlocking system. This leaves open an opportunity to implement different interlocking system approaches in the future. The structure of railway systems – in fact the common denominator of all European railway systems – is therefore described formally using UML class diagrams. Each hazard in the generic hazard list can therefore be assigned to a specific sub-class within the railway system class diagram, and is also described formally using UML activity diagrams.

2.2 Hazard - Transitional States

Considering the transition from a hazard to damage, an undesired event must exist. This is generally described as an accident. The possibility of an accident occurring is expressed through a hazard; in the following this will be called the hazardous state.


[Figure 1 (process diagram): hazardous state -> undesired event (accident occurrence) -> undesired state (damage)]

Figure 1: General process model

Depending on the characteristics of the undesired event (accident characteristics) different possible hazardous states exist. The description of the hazardous state “possible train collision” will in most cases be different from the description of a hazardous state “possible train derailment”. Detailed accident characteristics are described in the next chapter. Not every hazardous state will lead inescapably to an accident and as a consequence of this to damage. This will extend the model to the following:

[Figure 2 (activity diagram with a splitting node): hazardous state -> undesired event (accident occurrence) -> undesired state (damage); alternatively hazardous state -> safe state, i.e. via a protection process; the transitions are labelled λ, λa and p]

Figure 2: Formal description - damage potential using the splitting definition of activity diagrams

According to Figure 2 there is a possibility of escaping from a hazardous state to a safe state, for example due to a protection, a suitable mitigation input or perhaps just pure luck. Following the causal chain even further backwards will lead to a set of conditions that must be fulfilled in order to reach a specific hazardous state (the possibility for a specific accident characteristic). For example, having defective brakes on a railway vehicle will not lead to a hazardous state as long as the railway vehicle is not required to reduce speed. The consequence of both conditions being present at the same time will lead to the hazardous states “possible train collision” and also “possible train derailment”. This causal dependency will extend the model to the following:

[Figure 3 (activity diagram): hazardous conditions 1 to 4, linked by dotted causal transitions, together form the HAZARD; hazard occurrence -> hazardous state -> undesired event (accident occurrence) -> undesired state (damage), or hazardous state -> safe state, i.e. via a protection process; the transitions are labelled λ, λa and p]

Figure 3: Different states in a causal order describing hazard conditions

As shown in Figure 3, the combination of different hazardous conditions or ‘states’ leads to a hazardous state with the potential for damaging either persons or things. The hazardous conditions can also have a causal dependency, as seen by the dotted transitions between each condition. The set of existing conditions will therefore express the hazard as:

The defined or described set of hazardous conditions and the state transition leading to a hazardous state with the potential of damaging persons and or objects due to an accident.

In some cases and dependent on the implementation depth of the system, it may be useful to describe single hazardous conditions in a more detailed way. For this purpose the hazard description can be extended in the following way:


[Figure 4 (activity diagram): pre-conditions 1 to 3 -> internal process -> conditions 1 to 3 -> hazard occurrence 1 -> hazardous state 1; together these form HAZARD A]

Figure 4: Detailed description of hazardous pre-conditions

The foregoing indicates that the more detailed the description of the conditions, the more detailed the resulting hazard list will be. By extension, the more detailed the hazard list, the less freedom is available to select visionary implementations for systems. This document does not specify hazardous pre-conditions in a formal way.
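As an added illustration (not part of the guideline), the following Python script models the Figure 3/4 structure: each hazardous state has an AND-set of conditions, each condition may be refined into alternative pre-conditions, and expanding to a chosen depth yields the condition sets of the hazard list at that level of abstraction. The brake example follows section 2.2; the pre-conditions beneath it are constructed.

```python
"""Constructed example (not from the guideline): the Figure 3/4 hazard model.
A hazard is a set of hazardous conditions that must hold jointly (AND) for the
hazardous state to be reached; each condition may be refined into alternative
pre-conditions (OR), and so on. Expanding to a chosen depth yields the hazard
list at that level of abstraction, which is why a deeper list is also a more
implementation-specific one."""
from itertools import product

# Hazardous states and their AND-sets of conditions. The brake example follows
# section 2.2 of the guideline; the pre-conditions below are constructed.
HAZARDS = {
    "possible train collision": {"defective brakes", "speed reduction required"},
    "possible train derailment": {"defective brakes", "speed reduction required"},
}
# OR-refinements (constructed): a condition holds if any one pre-condition holds.
PRECONDITIONS = {
    "defective brakes": {"brake wear", "brake pipe leak"},
    "speed reduction required": {"restrictive signal aspect",
                                 "speed restriction on curve"},
    "restrictive signal aspect": {"occupied section ahead", "route not set"},
}


def expand(condition, depth):
    """Alternative pre-condition sets (each a frozenset) realising `condition`
    after `depth` refinement steps; depth 0 keeps the condition itself."""
    if depth == 0 or condition not in PRECONDITIONS:
        return {frozenset({condition})}
    alternatives = set()
    for pre in PRECONDITIONS[condition]:
        alternatives |= expand(pre, depth - 1)
    return alternatives


def hazard_sets(hazardous_state, depth):
    """All condition sets leading to `hazardous_state` at refinement `depth`:
    one AND-set per choice of one alternative for each top-level condition."""
    per_condition = [expand(c, depth) for c in sorted(HAZARDS[hazardous_state])]
    return {frozenset().union(*combo) for combo in product(*per_condition)}


def reached(hazardous_state, active_conditions, depth):
    """The hazardous state is reached when some AND-set lies within the active
    conditions. Conditions must be stated at the same abstraction level as the
    list: an abstract 'defective brakes' is not matched by a depth-2 list."""
    active = set(active_conditions)
    return any(s <= active for s in hazard_sets(hazardous_state, depth))


def outcome(hazardous_state, active_conditions, depth, protection_available):
    """Figure 2: from a hazardous state the system either escapes to the safe
    state (a protection process intervenes) or the undesired event occurs."""
    if not reached(hazardous_state, active_conditions, depth):
        return "no hazardous state"
    return "safe state" if protection_available else "undesired state (damage)"


if __name__ == "__main__":
    # The list grows with the refinement depth: 1, 4 and 6 condition sets.
    for d in range(3):
        print(d, sorted(sorted(s) for s in hazard_sets("possible train collision", d)))
```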

2.2.1 Accident characteristics

This document specifies the consequence of an accident to be damage, and this is defined as follows:

damage ['dæmıdʒ]

“Injury or harm impairing the function or condition of a person or thing”.

According to the definition then damage means injury to or, at its most severe, death of persons, or harm to or loss of things or objects.

As mentioned in the previous section, hazardous states have a close relationship to the accident that may result. Yet again, the more detail in the way the accident is described, the more detailed the hazardous state and in consequence the hazard description will be. In considering the railway system, accidents can be grouped into several classes. It is important to realise that the classification must be done consistently. Accidents that are similar from the safeguarding point of view must be aggregated. At a high level of abstraction it is not important if a collision of a railway vehicle with another railway vehicle is a head-on, rear-end or train flank collision. The important fact is the collision between two railway vehicles itself, because both elements belong to the railway system.

[Figure 5 (classification tree): collision of a railway vehicle with another railway vehicle (moving railway vehicle: head-on train collision, train flank collision, rear-end train collision; parking railway vehicle) or with other than a railway vehicle (object on track or object on level crossing, each of which may be a moving person, a standing/waiting person, a fixed object or a moving object); derailment on a fixed track element (crossing, curved line, straight line) or on a moveable track element (turntable/transfer table, derailer, point); other accidents due to chemicals/biohazards, radiation, fire, electricity or nature]

Figure 5: Different accident characteristics related to railway system operations

All railway accidents can be divided into three subclasses:

1) Collisions

This category includes all accidents with at least one railway vehicle colliding with another object. The object can be, besides another railway vehicle, any other material object. Collisions with other railway vehicles can be split into collision with moving railway vehicles and collision with parked railway vehicles.


The hazard list in this document only considers the collision with railway vehicles in general. Collision with other than railway vehicle is divided into collision with objects on track, and collisions with objects on level crossings. The reasons for this differentiation are the different responsibilities and intentions. While the usage of a level crossing for objects other than railway vehicles is intended, the usage of track by other objects is in most cases unintended, except use by occupational staff. The responsibility may vary from railway system to railway system; especially regarding legal responsibility for the outcome.

[Figure 6 (classification tree): railway vehicle collision, divided into railway vehicle collision with other railway vehicle (with other moving railway vehicle; with a parking railway vehicle) and railway vehicle collision with object other than railway vehicle (inside dynamic envelope; on level crossing)]

Figure 6: Classification of railway vehicle collisions

2) Derailments

This class includes any derailment of a railway vehicle. A differentiation can be made by considering variations in railway infrastructure in terms of track elements or objects over or upon which derailments may occur. The main differentiation between elements of railway infrastructure can be made by separation into moveable and fixed track elements.


[Figure 7 (classification tree): railway vehicle derailments, divided into railway vehicle derailments on fixed track element and railway vehicle derailments on moveable track element]

Figure 7: Classification of railway vehicle derailments

3) Other accidents

Since not only collisions and derailments contribute to possible damage to persons and objects, other accidents may occur in a railway system, especially when environmental influences are considered. This class includes all undesired events due to nature, fire, chemical/biohazards, electricity and radiation. This may sound a bit strange, but thinking of an avalanche or track fire warning system connected to an interlocking system, which stops trains from running into an avalanche or an open fire on the track, will make things clearer. And there are of course areas around the world where systems like this are under discussion.

[Figure 8 (classification tree): other accidents, divided into nature, fire, chemicals/biohazards, electricity and radiation]

Figure 8: Classification of other accidents due to other undesired events

Occurrences of each of these possible accident sequences may lead to possible damage to persons and/or things. Severity is not an issue here as this is dealt with under the subject of risk avoidance and associated cost. In order to explain the dependency between hazardous conditions an understanding of the corresponding system must be gained first.


2.3 System definitions, abstraction layers and boundaries

In order to achieve a structure for the hazards, it is useful to define the systems involved in possible hazards according to the preceding sections. This section describes the railway and environmental systems and the interaction between them.

2.3.1 Structure of railway systems

As mentioned in the previous section, the structure of the railway system can be regarded from an object-oriented view using UML class diagrams. When talking about objects inside the railway system, consideration must be given to the rolling stock (railway vehicles) and the tracks (railway infrastructure) on which the railway vehicles will move.

2.3.2 Railway operation

In order to make any controlled movement possible, a power supply of some kind is necessary to supply the railway vehicles and/or the railway infrastructure with power. While the railway vehicles may consist of traction units and wagons, the railway infrastructure consists of track elements and level crossings. The reasons for not including level crossings among the track elements are, on the one hand, the significance of level crossings with respect to accidents and, on the other hand, the intended interaction with road vehicles and persons on level crossings. The track elements can be separated into fixed and moveable types: straight lines, curved lines and diamond crossings form the fixed track elements, while points, derailers and transfer/turn tables belong to the class of moveable track elements. In order to include the functionality and protection of railway vehicle movements in the class diagram, the following approach is taken. At a high level of abstraction the railway system includes all necessary components, functions or even subsystems required to enable railway vehicle movements. Specific implementations or system designs are not relevant at this abstraction level. The common denominator for all interlocking systems is the necessity and realization of railway vehicle movements. Considering railway vehicle movements on a single track with one starting and one destination point, used by a single railway vehicle, the abstraction looks very simple.

[Figure 9 (diagram): a single track from point A to point B, carrying Train Path 1]

Figure 9: Railway operation with one railway vehicle on a single track


The only function necessary to ensure correct railway vehicle operation is the vehicle speed control. Concerning safety functions though, there is a general protection issue that must be guaranteed. The railway vehicle may (correctly) only move if it can be assured that no obstacle is in the way. This safeguarding against obstacles can be separated into two further aspects. First is protection against failures of the infrastructure such as broken rails, etc. while the second is protection against third party collisions. This includes other persons, animals or objects. If the railway system is extended by additional destination or starting points but is still being operated by a single railway vehicle the situation is changed as shown in figure 10.

[Figure 10 (diagram): points A to F connected by a multi-route track, with Train Path 1 running through it]

Figure 10: Railway operation with a single railway vehicle on a multi-route track

For safe operation the system needs railway vehicle speed and direction control functions. By enabling these functions the railway vehicle can reach every point in the system. With regard to safety we are led to the previously mentioned necessity for protection against obstacles, but now protection of the route is also necessary in order to ensure the correct destinations. Protection against obstacles in this case also includes possible hazardous states of points that may lead to derailment.

Adding railway vehicles to the system will only increase the necessity of additional safeguarding functions but not any additional operational functions. In addition to safeguarding against obstacles and of the route the safeguarding against other railway vehicles has to be considered. Since obstacles mostly belong to third parties the safeguarding against other railway vehicles will be regarded separately even though in general it is still an obstacle.


[Figure 11 (diagram): points A to F connected by a multi-route track, with Train Path 1 and Train Path 2 running through it]

Figure 11: Railway operation with multiple railway vehicles on a multi-route track

In looking at the operational and protection functions one can separate them into two classes. Firstly direction control and secondly speed control. All movement and protection functions are realized by these two classes in combination with the classes railway vehicle and railway infrastructure.

2.3.3 Protection of the Railway

Protection is a process that ensures the safe operation of railway vehicles on railway infrastructure. The operational process only considers operational goals, for example the transport of load X from position A to position B using a railway vehicle on day Z, by analysing system information (i.e. which railway vehicle is where) and choosing an appropriate railway vehicle to take the shortest route; it outputs speed and direction set values for the railway vehicle and the railway infrastructure without considering the safety of the railway vehicle movement. Protection, by contrast, needs safety rules in order to decide whether a detected or planned railway vehicle movement or a detected situation is safe or not. The system interventions performed by the protection are proprietary and may either change or limit speed or direction set values for railway vehicles or infrastructure in order to prevent the system from reaching an unsafe state.

[Figure 12 (diagram): operation receives operational goals and information and outputs set values; protection receives safety rules and information and outputs interventions; both set values and interventions act on the railway infrastructure and the railway vehicles, which in turn supply information]

Figure 12: Railway system operational and protection functions


In order to show the causal dependency of the partial protection processes a sequence diagram is pictured in figure 13.

[Figure 13 (sequence diagram): System Information Retrieval -> Protection Control -> Intervention through set values -> Execution]

Figure 13: Sequence diagram for protection partial processes

In order to avoid hazardous states through safeguarding, the complete system information is needed. Following adequate safety rules within the protection control (vital) core, the corresponding set values are generated and transferred to railway vehicles and infrastructure, upon which the execution of those values is performed.


[Figure 14 (UML class diagram) contains the following classes:
A railway vehicle (attributes: id, speed, position, status), with subclasses A-A wagon and A-B traction unit;
B railway infrastructure (attributes: id, direction, status), with subclasses B-A track element and B-B level crossing;
C power supply;
D speed control;
E direction control;
F protection;
G operation;
H system intervention, with subclasses H-A ATP (railw. veh. train: status; railw. veh.: speed; railway infr.: status; railway infr.: direction) and H-B signalling;
I system information, with subclasses I-A location of vehicles (railw. veh.: position) and I-B device information]

Figure 14: Railway system structure in a UML class diagram

Figure 14 shows the static structure of the railway system in a UML class diagram. The main focus lies on the classes railway vehicle and railway infrastructure, as well as power supply, which represent the resources for all railway vehicle movements. According to the preceding section, the functionality (operation) and protection of railway vehicle movement is achieved through system interventions, speed control and direction control, using ATP (automatic train protection) and/or trackside signalling. As also described, system information, gathered from railway vehicles and the infrastructure, is needed for operational and protection purposes. Hazardous states do not only occur inside the railway system itself; they can also occur in combination with the environmental system.


2.3.4 Structure of the environmental system

[Figure 15 (UML class diagram): H environmental system, composed of
H-A persons, with subclasses H-A-A occupational staff, H-A-B passengers and H-A-C external persons;
H-B objects, with subclasses H-B-A freight and H-A-B external objects;
H-C environment, with subclasses H-C-A chemicals/biohazards, H-C-B fire, H-C-C rays, H-C-D electricity and H-C-E nature]

Figure 15: Structure of the environmental system in a UML class diagram

The environmental system consists of all persons, objects and the environment itself. Further, thinking in an object-oriented manner according to UML, the specializations of the class persons can be passengers, occupational staff or external persons, depending on their role. The objects can be divided into freight and external objects, depending on the type of interaction with the railway system. As parts of the environment the classes chemicals, fire, radiation, electricity and nature can be defined. The reason for including rather abstract subclasses in the environment is the need to represent influences such as fire, chemicals etc. The UML class diagram for the environmental system is shown in figure 15. Combining the UML class diagram of the environmental system and the railway system will lead to the following diagram:


[Figure 16 (UML class diagram): the railway system classes of Figure 14 (A railway vehicle with id, speed, position, status and subclasses A-A wagon, A-B traction unit; B railway infrastructure with id, direction, status and subclasses B-A track element, B-B level crossing; C power supply; D speed control; E direction control; F protection; G operation; H system intervention with H-A ATP and H-B signalling; I system information with I-A location of vehicles and I-B device information) together with the H environmental system and its classes H-A persons, H-B objects and H-C environment]

Figure 16: Interaction of railway and environmental system


3. Structure of generic hazards

According to section 2.2.1, accidents can occur in various ways. While collisions and derailments may lead to damage, undesired effects of nature, fire, chemicals, electricity or radiation can also cause harm to persons or things. It is quite clear that collisions can be classified in great depth, down to head-on railway vehicle collisions and so on. But for the generic hazard list even the differentiation between moving and parked railway vehicles is not important, because the conditions are the same except that one vehicle is either moving or parked. It is, however, relevant to distinguish between railway vehicles and other than railway vehicles, because presently only railway vehicles are detectable on track. This leads to the more detailed distinction between track and level crossing: on a level crossing it is, on the one hand, possible to detect objects inside the danger zone and, on the other hand, in most cases there are safeguarding functions that prevent collisions with crossing objects.

The subject ‘collision’ is divided into three possibilities:

- Collision with other railway vehicles

- Collision with other than railway vehicles on track

- Collision with other than railway vehicles on level crossings

Derailments of railway vehicles can also have different characteristics with different causes and conditions. Derailments can be specialized using the infrastructure elements on which they occur. That leads to a classification into flexible track elements, which allow a possible external control interaction, and fixed track elements with no possible external interaction. As seen in figure 9, points, derailers and transfer/turn tables or platforms are flexible track elements, while straight lines, curved lines and crossings are fixed track elements. Considering conditions and causes, a further differentiation is not necessary. The subject ‘derailment’ is divided into two possibilities:

- Derailments on moveable track elements

- Derailments on fixed track elements

Other accidents:

- Fire accident (e.g. forest fire while train crosses)

- Chemical/biological accident (e.g. accidental escape of acid )

- Radiation accident (e.g. accidental escape of nuclear radiation)

- Electrical accident (e.g. accident with catenary)

- Accident due to nature (e.g. avalanches while train passes danger zone)


A basic assumption of this hazard list approach is that every possible accident mentioned above will cause damage. For that reason these accidents must be avoided by the safeguarding process.

As explained in the previous sections, protection consists in part of system information, with its underlying safety rules, set values and the subsequent execution on railway vehicles and/or infrastructure. If the system information were always correct and available, all possible protection rules complete and correctly implemented inside the safeguarding core, the set values never incorrect and the execution perfect, none of the above accidents could ever happen, since preventing them is the purpose of providing protection. This also implies that accidents, and therefore damage, are only possible if at least one of the protecting processes fails and no adequate functional (safety) requirement is defined in mitigation.

Every hazard is developed by assuming a non-functionality of the four safeguarding partial processes (system information retrieval, safeguarding core process, set value transmission, and set value execution) for every single class inside the railway system.

Once more, the more detailed the treatment of the accident process, the more causes will be derived. For example, considering the possibility of “incorrect system information”, it is clear that ‘system information’ is a single term generalising several different information elements. By splitting “system information” into “speed information”, “position information” and “status information”, additional causes may be derived.

4. Hazards

The following two tables (figures 17 and 18) show the relationship between the respective railway environmental systems, the four partial protection processes and the resulting accidents.


[Figure 17 is a table whose cell contents did not survive extraction; only its headings are recoverable.]

Figure 17: Table of possible hazards (part 1)
Rows (class): power supply; persons; objects; railway vehicle; railway infrastructure: track element, level crossing.
Columns, system information: SYS1 speed information, SYS2 position information, SYS3 status information.
Columns, process: PRO1 speed control, PRO2 direction control, PRO3 other control tasks.
Columns, set-values: SET1 speed set-values, SET2 direction set-values, SET3 other set-values.
Columns, execution: EXE1 speed execution, EXE2 direction execution, EXE3 other execution tasks.
Columns, accident characteristics: collision: A1 collision of a railway vehicle with other railway vehicle, A2 collision of railway vehicle with other than railway vehicle on track, A3 collision of railway vehicle with other than railway vehicle on level crossing; derailment: A4 derailment on fixed track element, A5 derailment on flexible track element; other accident: A6 due to nature, A7 due to fire, A8 due to chemicals/biohazard, A9 due to electricity, A10 due to radiation; additional remarks.
Cells: the sequence number of the hazard within that accident column (marked X on the page), or n.a. where the combination does not apply.


[Figure 18 is a table whose cell contents did not survive extraction; only its headings are recoverable. The columns are the same as in figure 17.]

Figure 18: Table of possible hazards (part 2)
Rows (class, environment): nature; fire; chemicals/biohazard; electricity; radiation.
Columns: system information (SYS1 to SYS3), process (PRO1 to PRO3), set-values (SET1 to SET3), execution (EXE1 to EXE3); accident characteristics: collision (A1 to A3), derailment (A4, A5), other accident (A6 to A10); additional remarks.
Cells: the sequence number of the hazard within that accident column (marked X on the page), or n.a. where the combination does not apply.

The grey marked lines show combinations that are not applicable (n.a.) in real life: incorrect speed information of a level crossing is simply not possible, since a level crossing does not move and therefore has no speed information at all. All other combinations may lead to possible accident characteristics, marked with an X. The number inside a cell combined with the accident number (A1 to A10) gives the ID of every hazard in the next table (for example, A1-1 results from accident A1 and the first X in that column). The following table lists all hazards sorted by class according to figures 14 and 15.
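The derivation of section 3 (every class combined with one failed partial safeguarding process and one accident characteristic) and the ID scheme explained above, as an added Python example that is not part of the guideline; MATRIX is my own transcription of the applicable cells, reconstructed from the hazard table that follows, and the function names are my own.

```python
"""Systematic hazard enumeration in the style of the Euro-Interlocking generic
hazard list (added example, not the guideline's own tooling). A hazard = one
railway-system class + one failed partial safeguarding process (SYS/PRO/SET/EXE
column) + one accident characteristic (A1..A10). MATRIX is a constructed
transcription of the applicable cells of figures 17/18; anything not listed is
"n.a.". IDs are numbered per accident column in list order."""
from collections import defaultdict

# The twelve partial-process columns in page order: (code, wording in hazard text).
PROCESSES = [
    ("SYS1", "speed information"), ("SYS2", "position information"),
    ("SYS3", "status information"), ("PRO1", "speed control"),
    ("PRO2", "direction control"), ("PRO3", "other control tasks"),
    ("SET1", "speed set values"), ("SET2", "direction set values"),
    ("SET3", "other set values"), ("EXE1", "speed execution"),
    ("EXE2", "direction execution"), ("EXE3", "other execution tasks"),
]

# Accident characteristics A1..A10 with the wording used in the hazard table.
ACCIDENTS = {
    "A1": "a collision of a railway vehicle with another railway vehicle",
    "A2": "a collision of a railway vehicle with other than railway vehicle on track",
    "A3": "a collision of a railway vehicle with other than railway vehicle on level crossing",
    "A4": "a derailment of a railway vehicle on a fixed track element",
    "A5": "a derailment of a railway vehicle on a flexible track element",
    "A6": "an accident due to nature", "A7": "an accident due to fire",
    "A8": "an accident due to chemicals/biohazards",
    "A9": "an accident due to electricity", "A10": "an accident due to radiation",
}

RV_ACC = ["A1", "A2", "A3", "A4", "A5"]  # a moving railway vehicle can suffer all five
NO_FIXED = ["A1", "A2", "A3", "A5"]      # direction faults cannot derail on fixed elements
OBSTACLE = ["A2", "A3"]                  # persons/objects: collisions on track or crossing
DIR_COLS = ("SYS1", "SYS2", "PRO1", "PRO2", "SET1", "SET2", "EXE1", "EXE2")
STATUS_COLS = ("SYS3", "PRO3", "SET3", "EXE3")

# class -> process column -> applicable accident characteristics (classes in page order).
MATRIX = {
    "railway vehicle": {"SYS1": RV_ACC, "SYS2": RV_ACC, "SYS3": ["A4", "A5"],
                        "PRO1": RV_ACC, "SET1": RV_ACC, "EXE1": RV_ACC},
    "track element": {"SYS3": RV_ACC, "PRO2": NO_FIXED, "SET2": NO_FIXED,
                      "EXE2": NO_FIXED},
    "level crossing": {c: ["A3"] for c in STATUS_COLS},
    "person": {c: OBSTACLE for c in DIR_COLS},
    "object": {c: OBSTACLE for c in DIR_COLS},
    "nature": {c: ["A6"] for c in STATUS_COLS},
    "fire": {c: ["A7"] for c in STATUS_COLS},
    "chemicals/biohazards": {c: ["A8"] for c in STATUS_COLS},
    "electricity": {c: ["A9"] for c in STATUS_COLS},
    "radiation": {c: ["A10"] for c in STATUS_COLS},
}


def generate_hazards(matrix=MATRIX):
    """Enumerate every applicable (class, column, accident) cell as one hazard;
    the per-accident counter yields IDs such as A3-10 (tenth A3 hazard overall)."""
    counters = defaultdict(int)
    hazards = []
    for cls, cells in matrix.items():
        for code, wording in PROCESSES:          # column order fixes the numbering
            for acc in cells.get(code, []):      # a missing column is "n.a."
                counters[acc] += 1
                hazards.append({
                    "no": len(hazards) + 1,
                    "id": f"{acc}-{counters[acc]}",
                    "class": cls, "process": code,
                    "text": f"Possibility of {ACCIDENTS[acc]} due to incorrect "
                            f"{wording} of {cls}",
                })
    return hazards


def check_unique_ids(hazards):
    """Consistency check on the finished list: no hazard ID may occur twice."""
    ids = [h["id"] for h in hazards]
    return len(ids) == len(set(ids))
```

For the fire class the per-accident counter yields A7-1 to A7-4, whereas the hazard table below prints A7-1 for all four fire rows.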


Railway vehicle

No. Hazard ID

1 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect speed information of a railway vehicle A1-1

2 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed information of a railway vehicle A2-1

3 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed information of a railway vehicle A3-1

4 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect speed information of a railway vehicle A4-1

5 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect speed information of a railway vehicle A5-1

6 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect position information of a railway vehicle A1-2

7 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect position information of a railway vehicle A2-2

8 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect position information of a railway vehicle A3-2

9 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect position information of a railway vehicle A4-2

10 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect position information of a railway vehicle A5-2

11 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect status information of a railway vehicle A4-3

12 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect status information of a railway vehicle A5-3

13 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect speed control of a railway vehicle A1-3

14 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed control of a railway vehicle A2-3

15 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed control of a railway vehicle A3-3

16 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect speed control of a railway vehicle A4-4

17 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect speed control of a railway vehicle A5-4

18 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect speed set values for a railway vehicle A1-4

19 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed set values for a railway vehicle A2-4

20 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed set values for a railway vehicle A3-4

21 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect speed set values for a railway vehicle A4-5

22 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect speed set values for a railway vehicle A5-5

23 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect speed execution of a railway vehicle A1-5

24 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed execution of a railway vehicle A2-5

25 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed execution of a railway vehicle A3-5

26 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect speed execution of a railway vehicle A4-6

27 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect speed execution of a railway vehicle A5-6

Track element

No. Hazard ID

28 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect status information of a track element A1-6

29 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect status information of a track element A2-6

30 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect status information of a track element A3-6

31 Possibility of a derailment of a railway vehicle on a fixed track element due to incorrect status information of a track element A4-7

32 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect status information of a track element A5-7

33 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect direction control for a track element A1-7

34 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction control for a track element A2-7

35 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction control for a track element A3-7

36 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect direction control for a track element A5-8

37 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect direction set values for a track element A1-8

38 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction set values for a track element A2-8

39 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction set values for a track element A3-8

40 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect direction set values for a track element A5-9

41 Possibility of a collision of a railway vehicle with another railway vehicle due to incorrect direction execution of a track element A1-9

42 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction execution of a track element A2-9

43 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction execution of a track element A3-9

44 Possibility of a derailment of a railway vehicle on a flexible track element due to incorrect direction execution of a track element A5-10

Level crossing

No. Hazard ID

45 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect status information of a level crossing A3-10

46 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect other control tasks for a level crossing A3-11

47 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect other set values for a level crossing A3-12

48 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect other execution of a level crossing A3-13

Person


No. Hazard ID

49 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed information of a person A2-10

50 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed information of a person A3-14

51 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect position information of a person A2-11

52 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect position information of a person A3-15

53 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed control of a person A2-12

54 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed control of a person A3-16

55 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction control of a person A2-13

56 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction control of a person A3-17

57 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed set values for a person A2-14

58 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed set values for a person A3-18

59 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction set values for a person A2-15

60 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction set values for a person A3-19

61 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed execution of a person A2-16

62 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed execution of a person A3-20

63 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction execution of a person A2-17

64 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction execution of a person A3-21

Object


No. Hazard ID

65 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed information of an object A2-18

66 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed information of an object A3-22

67 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect position information of an object A2-19

68 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect position information of an object A3-23

69 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed control of an object A2-20

70 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed control of an object A3-24

71 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction control of an object A2-21

72 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction control of an object A3-25

73 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed set values for an object A2-22

74 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed set values for an object A3-26

75 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction set values for an object A2-23

76 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction set values for an object A3-27

77 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect speed execution of an object A2-24

78 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect speed execution of an object A3-28

79 Possibility of a collision of a railway vehicle with other than railway vehicle on track due to incorrect direction execution of an object A2-25

80 Possibility of a collision of a railway vehicle with other than railway vehicle on level crossing due to incorrect direction execution of an object A3-29

Nature


No. Hazard ID

81 Possibility of an accident due to nature because of incorrect status information of nature A6-1

82 Possibility of an accident due to nature because of incorrect other control task for nature A6-2

83 Possibility of an accident due to nature because of incorrect other set values for nature A6-3

84 Possibility of an accident due to nature because of incorrect other execution tasks for nature A6-4

Fire

No. Hazard ID

85 Possibility of an accident due to fire because of incorrect status information of fire A7-1

86 Possibility of an accident due to fire because of incorrect other control task for fire A7-1

87 Possibility of an accident due to fire because of incorrect other set values for fire A7-1

88 Possibility of an accident due to fire because of incorrect other execution tasks for fire A7-1

Chemicals / Biohazards

No. Hazard ID

89 Possibility of an accident due to chemicals/biohazards because of incorrect status information of chemicals/biohazards A8-1

90 Possibility of an accident due to chemicals/biohazards because of incorrect other control task for chemicals/biohazards A8-2

91 Possibility of an accident due to chemicals/biohazards because of incorrect other set values for chemicals/biohazards A8-3

92 Possibility of an accident due to chemicals/biohazards because of incorrect other execution tasks for chemicals/biohazards A8-4

Electrical


No. Hazard ID

93 Possibility of an accident due to electricity because of incorrect status information of electricity A9-1

94 Possibility of an accident due to electricity because of incorrect other control task for electricity A9-2

95 Possibility of an accident due to electricity because of incorrect other set values for electricity A9-3

96 Possibility of an accident due to electricity because of incorrect other execution tasks for electricity A9-4

Radiation

No. Hazard ID

97 Possibility of an accident due to radiation because of incorrect status information of radiation A10-1

98 Possibility of an accident due to radiation because of incorrect other control task for radiation A10-2

99 Possibility of an accident due to radiation because of incorrect other set values for radiation A10-3

100 Possibility of an accident due to radiation because of incorrect other execution tasks for radiation A10-4


Amendment Sheet

Version Date Changes editor

0.1 31.03.2004 First document setup May, Drewes

0.2 01.04.2004 Guideline Drewes

0.3 10.05.2004 Guideline Drewes

0.4 11.05.2004 Guideline Drewes

0.5 12.05.2004 Guideline Drewes

0.6 13.05.2004 Guideline Drewes

0.7 18.05.2004 Guideline Drewes

0.8 07.06.2004 Guideline Drewes

0.9 08.06.2004 Guideline Drewes

0.10 24.06.2004 Guideline Drewes

0.11 20.07.2004 Guideline Drewes

0.12 26.07.2004 Guideline Drewes

0.13 27.07.2004 Guideline Drewes

0.14 29.04.2004 Guideline Drewes

0.15 29.04.2004 Guideline review May

0.16 30.07.2004 Changes Drewes

0.17 03.08.2004 Changes formatting Drewes

0.18 03.08.2004 Changes formatting May

0.19 04.08.2004 Changes Drewes

0.20 25.08.2004 Remarks from Change Control Board Meeting Drewes

0.21 30.09.2004 Changes for review Drewes

1.0 31.01.2005 Final version May, Drewes

1.1 14.02.2005 Corrections through EI Pope

2.0 31.04.2006 Final edit for release Pope
