European Commission Seventh Framework programme MODSafe ...

European Commission Seventh Framework programme

MODSafe Modular Urban Transport Safety and Security Analysis

ANNEX: Final Hazards Control

and Safety Measures Analysis

Deliverable D3.2

Doc Name: Final Hazards Control and Safety Measures Analysis Annex Date.28-08-2012 ID: DEL_D3.2_BTSERCS_WP3_120828_V2.2 Revision: V2.2 of 4

Contract No. 218606

Document type DEL

Version V2.2

Status Final

Date 28-08-2012

WP WP 3

Lead Author BTSERCS

Contributors Alstom, Ansaldo, AREVA, Dimetronic, LU, RATP, Thales RSS, TRIT, UVHC, UITP

Description D3.2

Document ID DEL_D3.2_BTSERCS_WP3_120828_V2.1

Dissemination level PU

Distribution Consortium members and EC

Document History:

Version Date Author Modification [very short description]

V1.0 01-03-2012 BTSERCS New document

V2.0 07-03-2012 WP3 Team Reviewed by WP3 partners

V2.1 06-08-2012 WP3 Team WP10 comments incorporated.

V2.2 23-08-2012 WP3 Team WP10 comments incorporated.

Approval:

Authority Name/Partner Date

WP responsible BTSERCS – WP3 Consensus 11-08-2012

EB members WP10 Consensus 23-08-2012

Coordinator TRIT 28-08-2012


Annex History

File Version Date Description

V0.1 01/03/2012 Table heading changed from 'Severity' to 'Estimation of initial risk'. Received comments are added in Red throughout the document.

V0.2 07/03/2012 Updated to include Ludoic Michel comments

V0.3 13/03/2012 Missing items in lines 781 and 782 updated by Ludoic Michel comments

V0.4 21/03/2012 Chapter 7 completed by Gilles Legoff

V0.5 21/03/2012 Revision History added by Rajinder Sadheura Chapter 8 updated by Rajinder Sadheura

V0.6 16/04/2012 Updated to include references to MODURBAN D80 and IEC62290-2 in chapters 4 and 9 by Ludovic Michel (RATP).

V0.7 20/04/2012 Additional rows added 1.2.1.3.2 to 1.2.1.3.3.3 inclusive. 'Estimation of initial risk' columns aligned with D2.3.

V0.8 30/04/2012 Alstom completion of rows "2"

V0.9 30/04/2012 additional sheet for tracebility with IEC functions

V0.10 02/05/2012 Additional updates to tidy up document

V0.11 12/05/2012 Alstom updates

V0.12 09/05/2012 Additional column 'Category of Safety Measure' TPM added.

V0.13 25/05/2012 Incorporate comments from WP3 partners: - Alfonso Alonso Dimetronic: updated chapters 1.1.1.2, 1.1.1.3, 5, 6 - Robert Capel Alstom : Chapters 1.3 and 2 updated. - Gilles Legoff Ansaldo: Chapters 1.1.1.6, 1.1.2, 7 - Raj Sadheura BTSERCS: Sections 1.2 and 8 updated.

V0.14 06/06/2012 RATP & LU updates included.

V0.15 07/06/2012 Thales (David Dimmer) updates included

V0.16 12/06/2012 Updated by Alfonso Alonso Dimetronic to close out comments 27-33 from 'Consolidated comments list'.

V0.17 12/06/2012 Regis Girka [Areva]: Section 1.1.1.5 updated. Item 51 from 'Consolidated comments' closed by BTRCS.

V0.18 21/06/2012 Updated by Timothee Loveluck (RATP) - changed the classification of the safety measure from P to T for safety measures consisting in ensuring correct initial design, and did the action in comment 53, for sections 4 and 9) and an updated compilation of comments with my last answers

V0.19 29/06/2012 Consistency check by David Dimmer (Thales)


Document History File Version Date Description

V0.20 06/08/2012 Respond to TRIT comments

V0.21 14/08/2012 Further clarification on TRIT comments

V0.22 23/08/2012 Respond to UITP Comments Further clarification on some function (take into account IEC safety functions which were not identified as safety measure).

MODSafe WP3 Final Hazards Control and Safety Measures Analysis

Safety Measures

1a 1b 2 3 4

1 Train Movement

Hazards1.1 Train infringes

clearance

envelope

1.1.1 Train (car) leaves

guideway

(momentarily or

irrevocably /

derailment )1.1.1.1 Inappropriate

speed1.1.1.1.1 VT(x) > VL(x)

1.1.1.1.1.1 Wrong position

registered

Odometer

failure

Derail-

ment

Catastrophic Frequent 1 Intolerabl

e

Determine Train Location

T

NA M M M M 5.4.1.2 5.1.2.2.3

5.1.2.1

5.1.2.2.2

Safety function

Respond to Train Location

FailureT

NA M M M M 5.7.2 NA Safety function

1.1.1.1.1.2 Wrong speed

registeredT

1.1.1.1.1.2.1 Speed

measurement

failure

Wheelspin Derail-

ment


e

Calculate Train Speed - This

function determines train speed. T

O M M M M 5.4.1.7 5.1.5.1

5.1.5.4

Safety function

Supervise Actual Speed - This

function supervises the operation

of trains to ensure that trains

remain within the dynamic speed

profile.

T

O M M M M 5.4.3.4 5.1.5.2 Safety function

1.1.1.1.1.2.2 On-board speed

processing failure

On-Board ATP

equipment

design failure

Derail-

ment


e

Calculate Train Speed - This

function determines train speed.T

O M M M M 5.4.1.7 5.1.5.1

5.1.5.4

Safety function

Incorrect

maintenance

of On-Board

ATP

equipment

Derail-

ment

Regular inspection and

maintenance of ATP equipment.

M

5.13.2,

5.13.3

NA Non functional

requirement.

Maintenance manuals.

1.1.1.1.1.3 Insufficient

deceleration

Hazard Identification Estimation of initial risk

Hazard Numbering

(up to 10 level) Hazard Hazard Cause

Type of

Accident

(primary)

Severity of

Consequences Assumed Probability

Risk

reduction

Generic Safety Measures GOA

Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Doc Name: DEL_D3.2_BTSERCS_WP3_120828_Annex V2.2.xls

ID: DEL_D3.2_BTSERCS_WP3_120828_V222

Revision: V2.2 RestrictedDate:28-08-2012

Page 1 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

0.1821/06/2012U

p

d

a

t

e

d

b

y

T

i

m

o

t

h

e

e

L

o

v

e

l

u

c

k

(

R

A

T

P

)

-

1.1.1.1.1.3.1 Improper vehicle -

guideway coupling

(adhesion)

1.1.1.1.1.3.1 Anything (snow,

rain, leaves,

greasy material)

on guideway

Insufficient

maintenance

or clearance

of guideway

by crew

Derail-

ment

Catastrophic Occasional 1 Intolerabl

e

Regular Inspection and

maintenance.

System should detect poor

adhesion and report to central.

This will be a trigger for

maintenance action. Running a

non-revenue train before service

opens would be an appopriate

way to detect problems.

M

NA NA Non functional

requirement.


Guideway heating T NA NA

Check of weather data P NA NA

Provide enough staff for

clearance worksP

NA NA

1.1.1.1.1.3.1.2 Wheel failure /

wear

Faulty design

of wheels

Derail-

ment


e

Ensure correct initial designT

NA NA

Insufficient

maintenance

Derail-

ment


maintenance.

P


requirement.





Page 2 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.1.1.3.1.3 Track wear Faulty design

of track

Derail-

ment


e

Ensure correct initial designT

NA NA

Insufficient

maintenance

Derail-

ment


maintenance P


requirement.


1.1.1.1.1.3.1.4 Wheel-track

interface failure

(incorrect design)

Disrespect of

Wheel-Track-

Interface

specifications

or legal

regulations

Derail-

ment

Catastrophic Remote 1 Undesira

ble

Ensure correct initial design

ATC could detect areas with poor

adhesion.T

5.4.3.3 NA

1.1.1.1.1.3.1.5 Wheel slip / slide

due to excessive

braking force

Faulty design

of braking

system

Derail-

ment


e

Calculate ATP Speed Profile -


ATC can provide a function to

lower braking rates when

adhesion conditions degrade (ie.

Wet rail)

T


Insufficient

maintenance

Derail-

ment


maintenance

M


requirement.


Incorrect

usage of

braking

system by

driver

Derail-

ment

Braking system supervision

T

NA NA

Slip - Slide - Control T O M M M M 5.4.3.4 5.1.4.2

Training and education of driver

P


requirement.

Operation manuals.

1.1.1.1.1.3.1.6 Insufficient

adhesion

Insufficient

braking force

Derail-

ment


e

Calculate ATP Speed Profiles -

Ensure correct braking curves

Areas of poor adhesion can be

detected. ATC can provide a

function to lower braking rates

when adhesion conditions

degrade (ie. Wet rail)

T


Provide enough braking force /

contactT

O M M M M 5.4.3.3 5.1.4.2

1.1.1.1.1.3.2 Insufficient

braking (braking-

force)1.1.1.1.1.3.2.1 Braking system

failure

Faulty design

of braking

system

Derail-

ment


e

Supervise Actual Speed and Test

EB Performance - Ensure correct

initial design of braking systemT

O M M M M 5.4.3.4 &

5.3.2

5.1.5.2 &

5.5.10.3

Safety function




Page 3 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Insufficient

maintenance

of braking

system

Derail-

ment


maintenance

Testing of EB performance will

cover situations where

maintenance has not been

properly performed.

M & T


requirement.


Greasing

problems

(greasing

scheme)

Derail-

ment

Configuration Management

P

NA NA

1.1.1.1.1.3.2.2 Underestimated

mass / train

configuration

Incorrect

design of

mass / train

configuration

Derail-

ment


ble

Ensure correct procedure for

calculation and design of mass /

train configuration

Train braking should be tested

under various loading conditions

before the train is put into

revenue service

P

NA NA

Wrong data

used

Derail-

ment

Ensure correct data as input for

mass / train configurationP

NA NA

1.1.1.1.1.3.3 Wrong brake

command

Faulty design

of on-board

equipment

Derail-

ment


e



of trains to ensure that the trains


profile.

T


Insufficient

maintenance

of on-board

equipment

Derail-

ment

Built-in testing of onboard ATC

will detect dormant failures.

T

O M M M M 5.3.1 NA Safety Function

Wrong

command by

driver

Derail-

ment

Training of staff i.e. driver

Only relevant if ATC is bypassed. P


requirement.

Operation manuals.

Employ well educated drivers P NA NA

Well design and user supportive

HMI driver deskT

NA NA

1.1.1.1.1.4 Wrong speed

command

Faulty design

of on-board

equipment

Derail-

ment


e





profile.

T


Insufficient

maintenance

of on-board

equipment

Derail-

ment

Supervise Actual Speed function

will react to all overspeed

conditions. T

O M M M M NA NA Safety Function




Page 4 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Wrong

command by

driver

Derail-

ment

Training of staff i.e. driver

P


requirement.

Operation manuals.

Only relevant if ATC is

bypassed.

Employ well educated drivers P NA NA

Well design and user supportive

HMI driver deskT

NA NA

1.1.1.1.1.5 Untimely

acceleration /

propulsion

command error

Faulty design

of propulsion

system

Derail-

ment


e





profile.

T


Insufficient

maintenance

of propulsion

system

Derail-

ment



conditions. T

O M M M M NA NA Safety function

1.1.1.1.2 Wrong speed limit

VL(X)1.1.1.1.2.1 Wrong static route

data

Incorrect

surveying and

mapping

Derail-

ment

Check consistency of data - This

function is intended to check the

consistency of available data

Verification of data is part of ATC

system commissioningP

5,14 NA

Employ well educated and

trained staffP

NA NA

Wrong input of

route data

Derail-

ment

Load Infrastructure Data onto

onboard equipment

ATC can use an automated

process to verify that onboard

and wayside equipment have the

correct infrastructure data

T

M M M M M 5,14 NA


wayside equipmentT

O M M M M 5,14 NA

1.1.1.1.2.2 Wrong route

1.1.1.1.2.2.1 Wrong route

selection

ATP failure Derail-

ment


e

Ensure Safe Route as

Combination of Route Elements -

This function is intended to allow

ATP to define and implement a

route as a combination of route

elements according to the needs

of the operator and to release

routes as part of it either by train

movement or manually.

T

M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function




Page 5 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Wrong route

selection by

OCC staff

Derail-

ment

Safe process for data entry on

the non safe OCC HMI display

P

5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Supportive functions for stress or

emergency cases T

NA NA

Clear and understandable

operational rules P


requirement.

Operation manuals.

Withdrawal of

route (e.g.

emergency

release)

without

communicatio

n to the train

Derail-

ment


e



This function is intended to allow

ATP to define and implement a

route as a combination of route

elements according to the needs

of the operator and to release

routes as part of it either by train

movement or manually.

T

M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function


emergency cases

NA NA

1.1.1.1.2.2.2 Wrong switch

setting

ATP failure Derail-

ment


e

Ensure Safe Route Elements -

This function is intended to

switch switchable route elements

and ensure the switching is

performed under normal and safe

conditions.

T

M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function

Wrong switch

setting by

OCC staff

Derail-

ment

Safe process for data entry on

the non safe OCC HMI display

P

5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3


emergency cases T

NA NA


operational rules P


requirement.

Operation manuals.

1.1.1.1.2.3 Wrong (temporary)

speed restriction

wayside

Wrong

maintenance

Derail-

ment


e

Manage Temporary Speed

Restrictions (TSRs) - Load

Infrastructure Data onto onboard

equipmentT

NA M M M M 5.1.5 5.1.3.1.2 Safety function


wayside equipment T

NA M M M M 5.1.5 NA




Page 6 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Ensure correct maintenance

M

Incorrect input

of data

Derail-

ment


Restrictions (TSRs) - Load

Infrastructure Data onto onboard

equipment

T

NA M M M M 5.1.5 5.1.3.1.2 Safety function


wayside equipment T

M M M M M 5.1.5 NA

1.1.1.1.2.4 Failed or incorrect

communication of

speed restriction

Faulty or

insufficient

communicatio

n system

Derail-

ment


e

Supervise data communication

equipment - This function is

intended to inform staff about

availability of functions

concerning operation and status

of data communication

equipment.T

O M M M M N/A NA Communications

protocol meets EN

50159

1.1.1.1.2.5 Wrong data of

speed limits on

train (track

database)

Wrong input

by engineers,

OCC or

maintenance

crew

Derail-

ment


e

Check consistency of data - This

function is intended to check the

consistency of available data

Verification of data is part of ATC

system commissioningP

NA NA


onboard equipmentT

M M M M M 5,14 NA


wayside equipment T

M M M M M 5,14 NA

1.1.1.1.2.6 Faulty onboard

speed restriction

processing

Faulty design

of on-board

equipment

Derail-

ment


e





profile.

T


Determine Static Speed Profiles -

This function determines the

static train speed profiles, which

are based on infrastructure data

such as track geometry and

quality, infrastructure constraints

(tunnels, bridges etc.) and train

data.

T

O M M M M 5.4.3.2 5.1.3.1.1 Safety function




Page 7 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Calculate ATP Speed Profiles -

this function is intended to

calculate for each segment of the

route the train speed limit. This

function calculates the dynamic

speed profiles of each train. The

dynamic speed profile is based

on the static speed profile, the

TSR, the braking profile with the

relevant safety margin.

T


Incorrect

maintenance

of on-board

equipment

Derail-

ment



conditions.T

O M M M M NA NA Safety function

1.1.1.2 Switch hazard

1.1.1.2.1 Wrong switch

status1.1.1.2.1.1 Undetected

misaligned switch

Interlocking

failure or

erroneous

status control

Derail-

ment


e

Ensure Safe Route Elements

T

M M M M M 5.4.2.1 5.1.1.1.1-6 Safety function.

This function is

intended to switch

switchable route

elements (points,

diamond crossings

with slips, crossings

with moveable frogs

and derailer) and

ensures the switching

is performed under

normal (undisturbed)

and safe conditions.

Incorrect

maintenance

of switch

Derail-

ment


maintenance M


requirement.


1.1.1.2.1.2 Undetected

unlocked switch

Interlocking

failure or

erroneous

status control

Derail-

ment


e


T


This function is

intended to switch

switchable route

elements (points,

diamond crossings


with moveable frogs

and derailer) and

ensures the switching

is performed under



Incorrect

maintenance

of switch

Derail-

ment


maintenance M


requirement.





Page 8 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


broken switch

components

Erroneous

status control

Derail-

ment


e

Supervise Safety Related Inputs.

T

M M M M M 5.3.5 5.3.1.2 Safety function

This function is

intended to supervise

the detection of

hazardous situations

by external sensors.

Incorrect

maintenance

of switch

Derail-

ment


maintenance M


requirement.


1.1.1.2.2 Insufficient safety

distance to

moving switch1.1.1.2.2.1 Insufficient worst

case safety

distance1.1.1.2.2.1.1 Wrong worst case

safety distance

registered (on

train)

1.1.1.2.2.1.1.1 Failed or incorrect

communication of

worst case safety

distance (stop

point / speed limit)

Data

communicatio

n failure

Derail-

ment


e

Provide Communication with

Staff

T

M M M M M 5.9.2 6,6 Safety function

This function is

intended to inform

staff about availability

of functions

concerning operation

and status of data

communication

equipment.

Faulty

communicatio

n system due

to incorrect

maintenance

Derail-

ment


maintenance

M


requirement.


Faulty design

of

communicatio

n system

Derail-

ment

Ensure correct initial design of

communication systemT

NA NA Safety function.

Communication

protocol compliant with

EN50159.

1.1.1.2.2.1.1.2 Wrong worst case

safety distance

estimation /

determination




Page 9 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.2.1.1.2.1 Wrong train

parameters input

Mistake by

driver during

input

Derail-

ment


e

Perform Tests during Power on

Process.

Supervise UGTMS onboard

equipment status during

operation

T

O M M M M 5.3.1 5.5.10.1 &

5.5.10.2

Assuming this

parameter is wheel

diameter then it is

compensated by ATC

system.

Assuming this

parameter is train

length there may not

be technical control

but there should be

procedurall control

This function is

intended to perform all

necessary tests on

vital equipment during

the power on process.

Generally this function

includes only those

self tests that deal with

the safety of the ATP

and the inputs and

outputs necessary for Design of supportive functions for

data input

T

NA NA No vital data should be

introduced by driver

Safety Data

preparation

1.1.1.2.2.1.1.2.2 Wrong route

parameters input

Derail-

ment


e


MODURBAN - Onboard



operation

T

NA M M M M 5.14 NA Safety function


MODURBAN - WaysideT

NA M M M M 5.14 NA Safety function

1.1.1.2.2.1.1.2.3 Safety distance

calculation/determ

ination error

Interlocking

failure

Derail-

ment


e

Determine Movement Authority

Limit.

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function

To ensure safe train

movement, this

function determines

for each train its limit

of the MA,

corresponding to the

first danger point

ahead of the train.

Examples of danger

points are other trains




Page 10 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.2.1.3 Wrong position

registered

Odometer

failure

Derail-

ment


e




operationT

NA M M M M 5.4.1.2 5.1.2.2.3

5.1.2.1

5.1.2.2.2

Safety function


FailureT

NA M M M M 5.7.2 5.1.2.3 Safety function

1.1.1.2.2.1.4 Wrong route

1.1.1.2.2.1.4.1 Wrong route

selection /

authorization

ATP failure Derail-

ment


e


Combination of Route Elements

T


This function is

intended to allow ATP

to define and

implement a route as a

combination of route

elements according to

the needs of the

operator and to

release routes as part

of it either by train

movement or

manually.

Wrong route

selection by

OCC staff in

exceptional

cases e.g.

emergency

cases

Derail-

ment

Manage information to and from

OCC and wayside HMIs.

T

M M M M M 5.11.1 6.5.1 Safety function

Safe process for data

entry on the non safe

OCC HMI display


emergency cases T

NA NA Safety function


operational rules P


requirement.

Operation manuals.

1.1.1.2.2.1.4.2 Wrong switch

setting

ATP failure Derail-

ment


e


T


This function is

intended to switch

switchable route

elements and ensure

the switching is

performed under

normal and safe

conditions.

Wrong switch

setting by

OCC staff in

exceptional

cases

Derail-

ment

Manage information to and from

OCC and wayside HMIs T




OCC HMI displaySupportive functions for stress or

emergency cases T



operational rules P


requirement.

Operation manuals.




Page 11 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.2.1.5 Wrong train

departure1.1.1.2.2.1.5.1 Wrong departure

command

ATP failure Derail-

ment


e


Limit

Inmobilisation of train

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.

Examples of danger


(communicating or

not), faulty points,

suspected broken

rails, etc.

Authorise Train Departure after

Station Stop & Manage Train

Departure after a Stop outside

Station.T

O O M M M 5.5.4 &

5.5.8

5.4.3.1 Safety function

Ensure correct initial

design of ATP

regarding departure

command


maintenance M


requirement.


Wrong

departure

command by

driver

Derail-

ment

Authorise Train Movement by

Wayside Signals -

Add “Inmobilisation of train” to

1.1.1.2.2.1.5.1 “Wrong departure

command”.

T

M O O O O 5.4.3.8 5.1.4.3 Safety function

This function supports

train movement

authorisation to be

provided to trains by

wayside signals

Provide high visibility on signalsT


requirement

1.1.1.2.2.1.5.2 Immobilisation

brake deficient

Faulty design

of braking

system

Derail-

ment


ble

Respond to Unexpected Train

Movements - This function covers

the reaction of ATP in case of roll

away.



operation

M

O M M M M 5.7.4 5.1.5.5 Correct and sufficient

maintenance




Page 12 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Test EB Performance

T

NA NA NA O M 5.3.2 5.5.10.3 Safety function


design of braking

system

Incorrect

maintenance

of braking

system

Derail-

ment




away.

M

O M M M M 5.7.4 5.1.5.5 Correct and sufficient

maintenance


maintenance M

O M M M M NA NA Non functional

requirement.


1.1.1.2.2.1.5.3 Wrong departure

authorisation

Interlocking

failure

Derail-

ment


e


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train. Authorise Train Movement by

Wayside Signals -

Not necessaryT

M O O O O 5.4.3.8 5.1.4.3 Safety function

This function supports

train movement

authorisation to be

provided to trains by

wayside signals

Incorrect

authorisation

by OCC in

case of

exceptional

cases e.g.

emergency

cases

Derail-

ment

Manage Onboard HMI

T

O M M O O 5.11.2 6.5.2 Safety function



OCC HMI display


emergency cases T



operational rules P


requirement.

Operation manuals.




Page 13 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.2.2 Wrong switch

command

Interlocking

failure

Derail-

ment


e


T


This function is

intended to switch

switchable route

elements (points,

diamond crossings


with moveable frogs

and derailer) and

ensure the switching is

performed under



Erroneous

switch

command by

OCC staff

Derail-

ment


T


This function is

intended to switch

switchable route

elements (points,

diamond crossings


with moveable frogs

and derailer) and

ensure the switching is

performed under



Manage Onboard HMI

T

O M M O O 5.11.2 6.5.2 Safety function



OCC HMI display


emergency cases T



operational rules P


requirement.

Operation manuals.

1.1.1.2.2.3 Wrong travel

direction1.1.1.2.2.3.1 Faulty direction

control

Derail-

ment


e

Determine Actual Train Travel

Direction.

Determine train orientation

T

NA M M M M 5.4.1.3 5.1.2.2.2 Safety function

This function

determines the travel

direction of trains.




Page 14 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.2.3.2 Roll back Insufficient

braking force

Derail-

ment


e


Movements

Trigger Emergency Brake

T

O M M M M 5.7.4 5.1.5.5 Safety function

This function covers

the reaction of ATP in

case of roll away.

Faulty design

of brakes

Derail-

ment

Test EB Performance - Ensure

correct initial design of brakesT

NA NA NA O M 5.3.2 5.5.10.3 Safety function

Incorrect

maintenance

of brakes

Derail-

ment


maintenance M


requirement.


1.1.1.2.3 Switch moves

under running

train1.1.1.2.3.1 Wrong switch

command1.1.1.2.3.1.1 by system Interlocking

failure

Derail-

ment


e


T


This function is

intended to switch

switchable route

elements and ensure

the switching is

performed under



1.1.1.2.3.1.2 by staff No support for

decision of

switch

command

during

exceptional

cases

Derail-

ment


e


Staff - Supportive functions for

staff of OCC in exceptional

cases, where no technical control

of switch command can be

provided

T

M M M M M 5.9.2 6,6 Non functional

requirement

1.1.1.2.3.3 Wrong train

detection1.1.1.2.3.3.1 Train not detected Unequipped or

failed train

Derail-

ment


e

Detect Unequipped or Failed

Trains.

T

O O O O O 5.4.1.5 5.1.2.3 Safety function

This function

determines whether a

section of track is

occupied by an

unequipped or failed

train.

Data

communicatio

n failure e.g.

data loss

Derail-

ment


T

NA M M M M 5.4.1.2 5.1.2.2.3

5.1.2.1

5.1.2.2.2

Safety function




Page 15 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.2.3.3.2 End of train

detected untimely

Unequipped or

failed train

Derail-

ment,

Collision


e


Trains

T


This function

determines whether a

section of track is

occupied by an

unequipped or failed

train.

Data

communicatio

n failure e.g.

data loss or

delay

Derail-

ment


T

NA M M M M 5.4.1.2 5.1.2.2.3

5.1.2.1

5.1.2.2.2

Safety function

1.1.1.3 Guideway

structural failure

Faulty design

of guideway

Derail-

ment


ble

Supervise Safety Related Inputs

T


This function is


the detection of




Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.

Examples of danger


(communicating or


suspected broken

rails, etc.


guidewayT


requirement

Incorrect

maintenance

of guideway

Derail-

ment


T


This function is


the detection of






Page 16 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


Limit.

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.

Examples of danger


(communicating or


suspected broken

rails, etc.


maintenance M


requirement.


1.1.1.4 Vehicle structural

failure (component

break)

Faulty design

of vehicle


e


vehicle

T

NA NA

Incorrect

maintenance

of vehicle


maintenance M


requirement.


1.1.1.5 Object on

guideway1.1.1.5.1 System object on

guideway 1.1.1.5.1.1 Forgotten

working/

maintenance/

rescue objects

Incorrect

maintenance

of guideway

Derail-

ment

Catastrophic Probable 1 Intolerabl

e

Establish Work Zones - Regular

inspection and maintenance

P

M M M M M 5.9.3 5.3.3 Indirect safety

measure

Establish Work Zones -

Clearance verification systemP

M M M M M 5.9.3 5.3.3 Indirect safety

measure

Establish a Zone of Protection -

Ensure procedures to clear

guideway after evacuation or

emergency case

P


1.1.1.5.1.2 Element from train

falls on track

1.1.1.5.1.2.1 Vehicle Structural

failure

Faulty design

of vehicle

Derail-

ment


e


vehicle T

NA NA Rolling Stock Safety

function

Incorrect

maintenance

of vehicle

Derail-

ment


maintenance M


requirement.


1.1.1.5.1.2.2 Vehicle load falls

on track

Overloaded

vehicle

Derail-

ment

Ensure correct loading of vehicle

(e.g. by vehicle examiner) P

NA NA Rolling stock non

safety function. To be

confirmed.




Page 17 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Clearance verification system P Input to be confirmed

1.1.1.5.1.3 Wayside element

infringes

clearance

envelope

1.1.1.5.1.3.1 Power supply

(catenary, third rail

etc.)

Faulty design

of power

supply system

Derail-

ment


e

Supervise Other Safety Related

Inputs - This function is intended

to supervise the detection of

hazardous situations by external

sensors.

T



power supply systemT

NA NA Power supply safety

function

Incorrect

maintenance

of power

supply system

Derail-

ment





sensors.

T



maintenance of power supply

systemM


requirement.


Environmental

forces

violating

power supply

system

Derail-

ment





sensors.

T



power supply system considering

environmental forcesT

NA NA Power supply safety

function

Criminal acts

on power

supply system

Derail-

ment





sensors.

T



power supply system considering

criminal acts

T

NA NA Security function

1.1.1.5.1.3.2 Signalling

Components

Faulty design

of signalling

components

Derail-

ment


e





sensors.

T



signalling componentsT

NA NA Signalling safety

function

Incorrect

maintenance

of signalling

components

Derail-

ment





sensors.

T



maintenance of signalling

components M


requirement.





Page 18 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Environmental

forces

violating

signalling

components

Derail-

ment





sensors.

T



signalling components

considering environmental forcesT

M M M M M NA NA Signalling safety

function

Criminal acts

on signalling

components

Derail-

ment





sensors.

T



signalling components

considering criminal acts

T

M M M M M NA NA Security function

1.1.1.5.1.3.3 Equipment

cabinets/ Platform

door enclosures/

Tunnel doors

Faulty design

of equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment


e

Supervise Intrusion or Fall on

Track & Supervise Other Safety

Related Inputs - This function is

intended to supervise the

detection of hazardous situations


T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1

Safety function when

external sensors are

fitted


equipment cabinets, platform

doors enclosures, tunnel doors

T

NA NA PSD safety function

Incorrect

maintenance

of equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


maintenance of equipment

cabinets, platform doors

enclosures, tunnel doors

M


requirement.


Environmental

forces

violating

equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted




considering environmental forces

T

NA NA PSD safety function




Page 19 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Criminal acts

on equipment

cabinets,

platform doors

enclosures,

tunnel doors

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted





T


1.1.1.5.1.3.4 Flooding gates Faulty design

of flooding

gates

Derail-

ment


e





sensors.

T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gatesT

NA NA Flooding gates safety

function

Incorrect

maintenance

of flooding

gates

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


maintenance of flooding gates M


requirement.


Environmental

forces

violating

flooding gates

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gates considering

environmental forces

T

NA NA Flooding Gates Safety

function

Criminal acts

on flooding

gates

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


flooding gates considering

criminal acts

T


1.1.1.5.2 Foreign objects on

guideway




Page 20 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.1.5.2.1 External vehicle

(on level crossing)

Insufficient

protection of

level crossing

Derail-

ment


e







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of warning signals

and barriers for level crossings T

NA NA Level crossing

protection safety

function

1.1.1.5.2.2 Environmental

impacts, fallen

objects (crane,

tree, branches,

stones, mud ...)

Insufficient

precautions

regarding

environmental

impacts or

fallen objects

Derail-

ment


e







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of precautions against

environmental impact and fallen

objects

T, P, M

NA NA Proection against

envionnement fallen

objects

1.1.1.5.2.3 Debris from

structural

breakdown

(bridges,

buildings,...)

Faulty design

bridges,

buildings ..

Derail-

ment


e







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted


bridges and building etc ..T

NA NA Structure safety

design

Incorrect

maintenance

of bridges,

buildings, ..

Derail-

ment







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Ensure correct maintenance of

bridges and buildings etc ..M


requirement.


1.1.1.5.2.4 Human impact/

Criminal acts

No boundaries

on critical sites

Derail-

ment


e







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

Installation of barriers to secure

guidewayT

NA NA Security barrier

installation

Insufficient

supervision of

guideway

Derail-

ment

Installation of barriers to secure

guideway T

M M M M M NA NA Security barrier

installation




Page 21 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Installation of supervision of

guidewayT

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted

9.2.1 Flooding Insufficient

precautions

Derail-

ment


e







T

M M M M M 5.3.4.1

5.3.5

5.3.1.1 &

5.3.1.2 &

5.3.2.4 &

5.6.1



fitted.

Intrusion supervision

coud be a system

depending on general

security system (not

modurban function).Insufficient

maintenance

of protection

constructions

Derail-

ment


flooding gatesM


requirement.


1.1.1.6 Train lifted from

track through

aerodynamic force

1.1.1.6.1 Air draught in

tunnel

Faulty design

of tunnel

Derail-

ment


e

Correct initial tunnel design

minimising dangerous air

draughts


requirement

Insufficient

maintenance /

faulty

construction

work

Derail-

ment

Correct maintenance and

construction work

M


requirement

1.1.1.6.2 Pressure by

passing train

Faulty design

of

tunnel/guidew

ay

Derail-

ment


e

Correct initial tunnel/guideway

design considering increasing

pressure by passing train


requirement

Insufficient

maintenance /

faulty

construction

work

Derail-

ment


construction work

M


requirement

1.1.1.6.3 Environmental

impact on vehicle

(wind, gales)

Insufficient

precautions

Derail-

ment


e

Establish a Zone of Protection -

Ensure appropriate system-

design regarding exceptional

environmental conditions

(extreme wind etc.)

T



Restriction (TSRs) - Establish

operational rules e.g. speed

reductions at critical areas

T

M M M M M

5.1.5 5.1.3.1.2

Safety function

Insufficient

maintenance

(construction

work) on

protection

constructions

Derail-

ment


construction work on protection

constructions

M


requirement




Page 22 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.2 Train on guideway

infringes

clearance

envelope

1.1.2.1 Object protrudes

from train1.1.2.1.1 Vehicle structural

failure

Faulty design

of vehicle

Derail-

ment


e


vehicle T


requirement

Incorrect

maintenance

of vehicle

Derail-

ment


maintenance M


requirement

1.1.2.1.2 Bad distribution of

freight load

Incorrect

loading

Derail-

ment

Supervise loading procedure as

well as actual freight vehicle (e.g.

by vehicle examiner)

P

NA NA Not Relevant

Training of staff regarding

loadingP

NA NA Not Relevant

Faulty design

of freight cars

Derail-

ment


freight cars considering the

distribution of goods

NA NA Not Relevant

Incorrect

maintenance

of vehicle

Derail-

ment


vehicle M

NA NA Not Relevant

1.1.2.2 Clearance

envelope

underdimensioned

Faulty design /

dimensioning

of clearance

envelope by

engineers

Derail-

ment


ble

Ensure correct initial design /

dimensioning of clearance

envelope


requirement

1.1.2.3 Train leans

excessively

sideways1.1.2.3.1 Wrong load

distributions

Faulty design

of freight

vehicle

Derail-

ment


freight cars considering the

distribution of goods


requirement

Incorrect

maintenance

of vehicle

Derail-

ment


vehicle M


requirement

Incorrect

loading

Derail-

ment

Supervise loading procedure as

well as actual freight vehicle (e.g.

by vehicle examiner)


requirement

Training of staff regarding

loading


requirement

1.1.2.3.2 Excessive

bogie/Axle/

Damping system

dynamics

Faulty design

of bogies,

axles and

damping

system

Derail-

ment


e


bogie/axle/damping system

design


requirement

Incorrect

maintenance

of bogies,

axles and

damping

system

Derail-

ment


bogies, axles and damping

systemM


requirement




Page 23 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.1.2.3.3 Guideway

structural failure

Faulty design

of guideway

Derail-

ment


ble

Supervise Safety Related Inputs -


supervise the detection of


sensors.

T



Limit - To ensure safe train

movement, this function

determines for each train its limit

of the MA, corresponding to the

first danger point ahead of the

train.

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function

Examples of danger


(communicating or


suspected broken

rails, etc.


guideway


requirement

Incorrect

maintenance

of guideway

Derail-

ment





sensors.

T



Limit - To ensure safe train

movement, this function

determines for each train its limit

of the MA, corresponding to the

first danger point ahead of the

train.

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety

functionExamples of

danger points are

other trains

(communicating or


suspected broken

rails, etc.


maintenance M


requirement.


1.2 Object / person

infringes train

clearance

envelope 1.2.1 Object infringes

clearance

envelope1.2.1.1 Other train /

vehicle infringes

clearance

envelope (flank

protection)

Incorrect

Movement

Authority

Derail-

ment,

Collision


e


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.




Page 24 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Interlocking

failure

Derail-

ment,

Collision


Combination of Route Elements

T

M M M M M 5.4.2.2 5.1.1.1.1-3

&

5.1.1.2 &

5.1.1.1.3

Safety function

This function is

intended to allow ATP

to define and

implement a route as a

combination of route

elements according to

the needs of the

operator and to

release routes as part

of it either by train

movement or

manually.

Broken switch

or derailer

Derail-

ment,

Collision


T

O O O M M 5.3.5 5.3.1.2

5.6.3

Safety function

These function is


the detection of


by external sensors

and to react to

detected or suspected

broken rail

1.2.1.2 Civil structure

fault / protrusion

in clearance

envelope1.2.1.2.1 Tunnel structural

fault/ collapse

Faulty design

of tunnel

Derail-

ment,

Collision


ble


the structure of the tunnel

NA NA


the structure of the tunnel

NA NA

Incorrect

maintenance

or incorrect

construction

work on tunnel

Derail-

ment,

Collision


T

O O O M M 5.3.5 5.3.1.2 Safety function

This function is


the detection of



Ensure correct inspection,

maintenance and construction

works on tunnel

NA NA




Page 25 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.1.2.2 Drilling or

excavation above

tunnel

Insufficient

maintenance

rules or

procedures

i.e. incorrect

planning of

construction

site

Derail-

ment,

Collision


e


T


This function is


the detection of



Ensure adequate planning of

construction site

NA NA

Incorrect

maintenance

or construction

works

(disobeying of

given rules or

procedures)

Derail-

ment,

Collision


T


This function is


the detection of




maintenance and construction

works - Ensure obeying of rules

and procedures

NA NA

1.2.1.2.3 Station structural

fault

Faulty design

of station

Derail-

ment,

Collision


ble


station

NA NA


station

NA NA

Incorrect

maintenance

or construction

works on

station

Derail-

ment,

Collision


station

NA NA


station

NA NA

1.2.1.3 System object

infringes

clearance

envelope

1.2.1.3.1 Train components

(train underfloor-

box/ motor/ object)

fall from train

Faulty design

of vehicle

Derail-

ment


e


vehicle

T

N/A N/A




Page 26 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of vehicle

Derail-

ment


maintenance

M


requirement.


1.2.1.3.2 Wayside system

objects infringes

CE inappropriately

Wayside

traction power

device (Cable

tray /

overhead

lines) infrin-

ges CE inap-

propriately

Derail-

ment


e

Supervise other safety relevant

Inputs

T


This function is


the detection of




maintenance

M NA NA

Non functional

requirement.


other wayside

system object

infringes CE

Derail-

ment

Supervise other safety relevant

Inputs

T

M M M M M N/A N/A This function is


the detection of




maintenance

M

Non functional

requirement.


1.2.1.3.3 Hazards related to

wayside traction

power devices

1.2.1.3.3.1 Current collector

gets caught with

wayside traction

power device

Inadequate

adjustment of

current

collector

Derail-

ment


e


maintenance

M

N/A N/A Non functional

requirement.





Page 27 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Supervise traction power supply

M

M M M M M 5.12.3.1 6.4.2 Non functional

requirement.


This function is

intended to powering

on/off of the traction

supply by the operator

at the OCC, or locally,

either on given

sections or on all

sections.

1.2.1.3.3.2 Short circuits undetected

short circuits

on track

Electrocut

ion, Burns

Critical Probable 1 Intolerabl

e

Protect critical electronic

equipment, e.g. by short circuit

protectionT


Faulty design

of equipment

Electrocut

ion


equipment

T


requirement.

Protect critical electronic

equipment, e.g. by short circuit

protectionT


Incorrect

maintenance

of equipment

Electrocut

ion

Ensure correct inspection and


M


requirement.


1.2.1.3.3.3 Power transformer

catches fire

excess

voltage, failure

of equipment

Fire Critical Probable 1 Intolerabl

e


equipment

T


requirement.


maintenance of power supply

systemM


requirement.





Page 28 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Installation of fire and smoke

protection

M

M M M M M 5.3.5 6.4.1 Non functional

requirement.

1.2.1.4 Object thrown at

train


equipment

Non functional

requirement.

1.2.1.4.1 Object thrown at

train from bridges

Insufficient

precautions

against

objects thrown

Derail-

ment,

Collision


e

Ensure correct initial system

design considering the possibility

of object thrown at train.P

NA NA


train from platform

Insufficient

precautions

against

objects thrown

at train

Derail-

ment,

Collision


e




NA NA


train from beside

the line

Insufficient

precautions

against

objects thrown

Derail-

ment,

Collision


e




NA NA


train from passing

train

Insufficient

precautions

against

objects thrown

Derail-

ment,

Collision


e




NA NA

1.2.1.5 Animals infringe

clearance

envelope

Insufficient

precautions

against

animals

Derail-

ment,

Collision


e



of animal entering railway

equipment.

P

NA NA

1.2.1.6 Environment

elements infringes

clearance

envelope

1.2.1.6.1 Stalactites in

tunnel

Insufficient

inspection of

tunnel

Derail-

ment,

Collision


e


maintenance of tunnel

M

NA NA


maintenance of tunnelM

NA NA

Too much

water/humidity

in tunnel

Derail-

ment,

Collision



M

NA NA

Ensure correct initial tunnel

design considering water and

general humidity

T

NA NA




Page 29 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.1.6.2 Trees Insufficient

precautions to

protect track

Derail-

ment,

Collision


e


maintenance

M

NA NA


maintenanceM

NA NA

Insufficient

inspections of

track

Derail-

ment,

Collision


maintenance

M

NA NA


maintenance on trackM

NA NA

1.2.1.6.3 Avalanche /

landslide/ falling

stones

Insufficient

precautions to

protect track

Derail-

ment,

Collision


e


maintenance

M

NA NA

Correct initial design considering

the possibility of avalanches or

falling stones

T

NA NA

Insufficient

inspections of

track

Derail-

ment,

Collision


maintenance

M

NA NA


maintenance on trackM

NA NA

1.2.1.6.4 Flooding Insufficient

precautions

track and

system

Derail-

ment,

Collision


e


maintenance

M

NA NA


considering the possibility of

flooding

T

NA NA




Page 30 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Insufficient

inspection and

maintenance

of flooding

protection

equipment

Derail-

ment,

Collision


maintenance

M

NA NA


maintenance on flooding

protection equipment

M

NA NA

1.2.1.7 Train at standstill

between stations

Loss of power

supply

Collision Catastrophic Frequent 1 Intolerabl

e

Ensure power supply during train

movementT

M M M M M 5.12.3.1 6.4.1 Safety function

Power loss will lead to

loss of air conditioning


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.


T

M M M M M 5.4.1.2 5.1.2.2.3

5.1.2.1

5.1.2.2.2

Safety function

Extreme

weather

conditions e.g.

coldness

Collision Ensure power supply during train

movementP


requirement.


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement, this

function determines


of the MA,


first danger point

ahead of the train.

Asphyxiati

on,

Suffocatio

n

Passenger announcement

P

NA NA Not a functional

requirement.

Passenger - Staff communication

P


requirement.

1.2.2 Person intrusion

into clearance

envelope




Page 31 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.2.1 Person too close

to station platform

edge

Overcrowded

situation

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Platform screen doors

T


Warning flashing light at platform

edge when train arrives

T

M M M M M 5.10.1 5.3.2.1 Indeed this function

could not be

considered with SIL

level. Anyway, even if

it a low factor, it

contributes to avoid

passanger panic and

degraded modes

which could be

accident source.

Attention line on platform

P


could not be

considered with SIL


it a low factor, it


passanger panic and

degraded modes

which could be

accident source.

Platform supervision (Detection

of person too close to platform

edge / train stop)

P

O O O O M 5.10.1 5.4.2 Safety function

Manual emergency stop for

passengers/staff : platform/trainT

O M M M M 6.3.3 5.8.2 Safety function

Ensure adherence to timetable

scheduleT

M M M M M 5.1.1.1 6.1.2 Functional

requirement.

Inattentive or

unconscious

person

Fall of

person,

Electrocut

ion,

Object

striking

person

Platform screen doors

T





Page 32 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Warning flashing light at platform

edge when train arrives

T


could not be

considered with SIL


it a low factor, it


passanger panic and

degraded modes

which could be

accident source.

Attention line on platform P

Platform supervision (Detection

of person too close to platform

edge / train stop)

P

O O O O M 5.10.1 5.4.2 Safety function


passengers/staff : platform/train T

M M M M M 5,8 5.1.4.5 Safety function

1.2.2.2 Person between

two cars

1.2.2.2.1 Person between

two cars coming

from inside car

Faulty design

of train cars

Fall of

person,

Electrocut

ion,

Object

striking

person

Critical Occasional 1 Undesira

ble


vehicle considering the possibility

of climbing between cars

T

NA NA

Incorrect

maintenance

of train cars

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance to prevent

possibilities for climbing out of

the car M

NA NA

No installation

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person

Authorise Train Departure after

Station Stop - Supervise

conditions for start of train

movement

T

O O M M M 5.5.4 5.4.1 Safety function

This function is


all prerequisites

related to doors and

emergency handles

necessary for safe

start of train

movement.




Page 33 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.2.2.2 Person between

two cars coming

from outside

No installation

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


ble


Track

P


This function is


the intrusion detection

/ avoidance system.

Such system covers

the protection of areas

in which passengers

are not permitted.

Installation of Platform Screen

DoorsT

NA NA

Faulty design

of precautions

on station and

guideway

Fall of

person,

Electrocut

ion,

Object

striking

person


precautions

T

NA NA

Incorrect

maintenance

of precautions

on station and

guideways

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of precautions

M

NA NA

1.2.2.4 Person falls/

intrudes on track

1.2.2.4.1 Intrusion on the

line by persons

from train


persons by

evacuation on line

No evacuation

supervision

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Supervise Evacuation

P

O O O O M 5.7.6 N/A Safety function

This function is


passenger evacuation.

Such system covers

the protection of

passengers in areas in

which they are not

normally permitted.


person leaves/falls

out of the train




Page 34 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.2.4.1.2.1 Undetected

person leaves/falls

out of the train by

door

No installation

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Manage Door Opening

T

NA O O O M 5.6.1.1 5.4.1 Safety function

This function is


all prerequisites

necessary for safe

passenger exchange.

Manage Door Opening

T


This function is


the external train door

control function.

Faulty design

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


doors

T

NA NA

Incorrect

maintenance

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of all door related

systems

M

NA NA


person leaves/falls

out of the train by

window

Faulty design

of windows

Fall of

person,

Electrocut

ion,

Object

striking

person

Critical Remote 1 Undesira

ble


windows

T


Insufficient

maintenance

(e.g. broken

window)

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of train windows

M

NA NA


person leaves/falls

out of the train by

the end of train

wall / after

separation of cars

Unauthorised

decoupling

Fall of

person,

Electrocut

ion,

Object

striking

person


ble

Supervise Train Integrity

T


This function is


the integrity of the

train (loss of coupling

between vehicles of

one unit)


train i.e. wagonT

NA NA


maintenance or train i.e. wagonM

NA NA


brakes / Emergency brakes

NA NA




Page 35 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Undetected

parted train /

separated

wagon

Fall of

person,

Electrocut

ion,

Object

striking

person

Supervise Train Integrity

T


This function is


the integrity of the

train (loss of coupling

between vehicles of

one unit)


train i.e. wagonT

NA NA



NA NA


brakes / Emergency brakes M

NA NA

T

1.2.2.4.2 Person falls /

intrudes track

(from outside /

from station -

wayside)1.2.2.4.2.1 Risky behaviour

1.2.2.4.2.1.1 Person intrudes

track wilfully (not

suicide)

Insufficient

precautions

against

intrusion

Fall of

person,

Electrocut

ion,

Object

striking

person


e


Track

T, P

M M M M M 5.3.4.1,

5.7.1,

5.8.1 &

5.8.2

5.1.4.5,

5.3.2.2,

5.3.1.1,

5.3.2.4,

5.3.2.5,

5.3.2.6 &

5.3.2.7

Safety function

This function is



/ avoidance system.

Such system covers


in which passengers

are not permitted e.g.

the track.

1.2.2.4.2.1.2 Person intrudes

track

unconsciously

Insufficient

precautions

against

intrusion

Fall of

person,

Electrocut

ion,

Object

striking

person


e


Track

T

M M M M M 5.3.4.1,

5.7.1,

5.8.1 &

5.8.2

5.1.4.5,

5.3.2.2,

5.3.1.1,

5.3.2.4,

5.3.2.5,

5.3.2.6 &

5.3.2.7

Safety function

This function is



/ avoidance system.

Such system covers


in which passengers


the track.




Page 36 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.2.4.2.2 Unnoticed track No installation

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


e


Track

T

M M M M M 5.3.4.1,

5.7.1,

5.8.1 &

5.8.2

5.1.4.5,

5.3.2.2,

5.3.1.1,

5.3.2.4,

5.3.2.5,

5.3.2.6 &

5.3.2.7

Safety function

This function is



/ avoidance system.

Such system covers


in which passengers


the track.

Faulty design

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


track and precautions

T

NA NA

Incorrect

maintenance

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of track and

precautions

M

NA NA

1.2.2.4.2.3 Person fall

1.2.2.4.2.3.1 obstacles -

stumble

Any reason Fall of

person,

Electrocut

ion,

Object

striking

person


e


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.


maintenance of station

M

NA NA




Page 37 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.2.2.4.2.3.2 rush / hustle /

push

Overcrowded

situation

Fall of

person,

Electrocut

ion,

Object

striking

person


e


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

Prevent overcrowded situations

P

NA NA

Criminal or

terroristic acts

Fall of

person,

Electrocut

ion,

Object

striking

person


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

Prevent criminal acts

P

NA NA

1.2.2.4.2.3.3 slippery ground Faulty design

of station

floor,

Environmental

condition

(Humidity,

Rain, Snow ..),

Slope of

platform or

whole station

Fall of

person,

Electrocut

ion,

Object

striking

person


e


station

T

NA NA


stationT

NA NA




Page 38 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of station floor

Fall of

person,

Electrocut

ion,

Object

striking

person


station

T

NA NA


maintenance of station M

NA NA

1.2.2.4.2.3.4 insufficient

lighting

Faulty design Fall of

person,

Electrocut

ion,

Object

striking

person


e


lightning system

T

NA NA


lightning systemT

NA NA

Incorrect

maintenance

of lightning

Fall of

person,

Electrocut

ion,

Object

striking

person


Track

M


This function is



/ avoidance system.

Such system covers


in which passengers


the track.


maintenance of lightning systemM

NA NA

1.2.2.4.2.3.5 platform faulty

design

Disrespect of

possibility

person fall

Fall of

person,

Electrocut

ion,

Object

striking

person


ble


platform

T

NA NA




Page 39 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


platformM

NA NA

1.2.2.4.2.4 Criminal act Insufficient

security

precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


e


platform

T

NA NA


platformT

NA NA

1.2.2.4.3 Person falls from

above (bridge etc.)

Insufficient

precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


ble


Track

M


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

Installation of precautions like

barriers, fences and railings

against fall of person

T

NA NA

Faulty design

of e.g. bridge

Fall of

person,

Electrocut

ion,

Object

striking

person


bridges considering that persons

might fall from e.g. bridges

T

NA NA


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.




Page 40 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person



M

NA NA


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

1.2.2.4.3.5 Suicide Insufficient

precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


ble


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

Installation of precautions like

barriers, fences and railings

against suicide

T

NA NA

Faulty design

of e.g. bridge

Fall of

person,

Electrocut

ion,

Object

striking

person


bridges considering that persons

might fall from e.g. bridges

T

NA NA


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.




Page 41 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of precautions

Fall of

person,

Electrocut

ion,

Object

striking

person



M

NA NA


Track

T


This function is



/ avoidance system.

Such system covers


in which passengers


the track.

1.2.2.5 Staff inside

clearance

envelope during

operation,

maintenance,

evacuation

Operational

need

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Operational rules

P

NA NA

Maintenance rules P NA NA

Evacuation rules P NA NA

Warning signals for worker P NA NA

1.2.2.7 Person leaning out

of train infringes

train clearance

envelope

1.2.2.7.1 Person leaning out

of train infringes

train clearance

envelope:

out of door

Faulty design

of doors;

Insufficient

maintenance;

Insufficient

precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Supervise Train Doors

T

O M M M M 5.3.3.3 5.6.6 Safety function

This function is


the train door control

system.

Manage Door Opening

T

NA O O O M 5.6.1 5.4.1 Safety function

This function is


all prerequisites

necessary for safe

passenger exchange.

Installation of broken doors

detectionT

NA NA




Page 42 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Faulty design

of doors and

precaution

systems

Fall of

person,

Electrocut

ion,

Object

striking

person


doors and precaution systems

T

NA NA

Incorrect

maintenance

of doors and

precaution

systems

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of doors and

precaution systems

M

NA NA

1.2.2.7.2 Person leaning out

of train infringes

train clearance

envelope:

out of window

Insufficient

precautions

Fall of

person,

Electrocut

ion,

Object

striking

person


e

Installation of detector of

open/closed/broken window

T

NA NA

Windows are not able to be open

that a person could lean out T

NA NA

Faulty design

of windows

Fall of

person,

Electrocut

ion,

Object

striking

person

Ensure correct design of

windows and precautions

T

NA NA

Incorrect

maintenance

of windows

Fall of

person,

Electrocut

ion,

Object

striking

person


maintenance of windows and

precautions

M

NA NA

1.3 Train collision

hazard within

uninfringed

clearance

envelope1.3.1 Train too close to

other vehicle1.1.1.2.2.1 Insufficient worst

case safety

distance1.3.1.2 Undetected

train/vehicle1.3.1.2.1 Undetected /

uncommunicated

(stranded) train




Page 43 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

1.3.1.2.1.1 Train presence

signal failure

(trainside)

Faulty design

of trainside

equipment


e


Trains - This function determines

whether a section of track is

occupied by an unequipped or

failed train.

T


Ensure Safe Route Elements &






performed under normal

(undisturbed) and safe

conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


trainside equipmentT


requirement.

Incorrect

maintenance

of train side

equipment

Collision Detect Unequipped or Failed




failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


maintenance of trainside

equipment

M

NA NA Not a design

requirement


signal failure

(wayside)

Faulty design

of secondary

train detection

system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


secondary train detection system T


requirement.

Incorrect

maintenance

of secondary

train detection

system





failed train.

T





Page 44 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


maintenance of wayside

equipment

M

NA NA Not a design

requirement

1.3.1.2.1.3 Train detection

information

processing /

communication

Faulty design

of data

communicatio

n system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


Failure & Detect Unequipped or

Failied Trains- This function is





equipment.

T

O M M M M 5.7.2 &

5.4.1.5

5.1.2.3 Safety function.

Normally in case of

failure of

communication,

wayside equipement

considers a non

"talkative" train as a

Failed Train.


data communication systemT


requirement.

Incorrect

maintenance

of data

communicatio

n system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




Page 45 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)








equipment.

T

O M M M M 5.7.2 &

5.4.1.5


Normally in case of

failure of

communication,

wayside equipement

considers a non


Failed Train.


maintenance of data

communication system

M

NA NA Not a design

requirement

1.3.1.2.2 Undetected train

enters system

No

communicatio

n established

prior entry

Derail-

ment,

Collision


e





failed train.

T






sensors.

T

M M M M M 5.3.5 5.3.1.2

Supervise the Entry of Equipped

Trains into UGTMS Territory -

Transition to CBTC AreaT

NA M M M M 5.4.4.1 5.1.4.6 Safety function

1.3.1.2.3 System loses

unnoticed tracking

of train1.3.1.2.3.1 Train presence

signal failure

(trainside)

Faulty design

of trainside

equipment


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




requirement.

Incorrect

maintenance

of train side

equipment





failed train.

T





Page 46 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M


requirement.


detection failure

(wayside)

Faulty design

of secondary

train detection

system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




requirement.

Incorrect

maintenance

of secondary

train detection

system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M

NA NA Not a design

requirement


information

processing /

communication

failure

Faulty design

of data

communicatio

n system


e





failed train.

T





Page 47 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function








equipment.

T

O M M M M 5.7.2 &

5.4.1.5


Normally in case of

failure of

communication,

wayside equipement

considers a non


Failed Train.




requirement.

Incorrect

maintenance

of data

communicatio

n system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function








equipment.

T

O M M M M 5.7.2 &

5.4.1.5


Normally in case of

failure of

communication,

wayside equipement

considers a non


Failed Train.


maintenance of data


M

NA NA Not a design

requirement

1.3.1.2.4 Undetected parted

train / separated

wagon

Faulty design

of train i.e.

wagon

Collision Catastrophic Probable 1 Intolerabl

e

Supervise Train Integrity - This

function is intended to supervise

the integrity of the train (loss of

coupling between vehicles of one

unit)

T





Page 48 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


train i.e. wagonT


requirement.

Incorrect

maintenance

of train i.e.

wagon

Collision Supervise Train Integrity - This




unit)

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



NA NA Not a design

requirement

Unauthorised

decoupling

Collision Supervise Train Integrity - This




unit)

T

M M M M M 5.3.3.2 5.6.5

Ensure Safe Route Elements -






conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3


maintenance or train i.e. wagon MNA NA Not a functional

requirement.

1.3.1.2.5 Undetected /

unpermitted

maintenance car /

work train

Faulty design

of operational

rules


e





failed train.

T

O O O O O 5.4.1.5 5.1.2.3

5.1.5.6

Safety function

Establish clear and

understandable operational

procedures and rules

P

NA NA Not a design

requirement

Disrespect of

operational

rules





failed train.

T

O O O O O 5.4.1.5 5.1.2.3

5.1.5.6

Safety function




Page 49 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Ensure adherence and respect of

operational rules and procedures P

NA NA Not a design

requirement

1.3.1.3 Wrong train

detection

(position)1.3.1.3.1 Wrong "position /

track segment"

from train

detection1.3.1.3.1.1 Train presence

signal failure

(trainside)

Faulty design

of trainside

equipment


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




requirement.

Incorrect

maintenance

of train side

equipment





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M

NA NA Not a design

requirement


detection failure

(wayside)

Faulty design

of secondary

train detection

system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




Page 50 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)




requirement.

Incorrect

maintenance

of secondary

train detection

system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M

NA NA Not a design

requirement


information

processing /

communication

failure

Faulty design

of data

communicatio

n system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


Failure T





requirement.

Incorrect

maintenance

of data

communicatio

n system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3


Failure TNA M M M M 5.7.2 5.1.2.3 Safety function




Page 51 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


maintenance of data


M

NA NA Not a design

requirement

Train receive

information of

wrong track

section

(adjacent

track)

Collision Ensure correct initial design of

data communication system

T


requirement.


operational rules

P

NA NA

1.3.1.3.2 Wrong timing of

train "position"

detection

communication1.3.1.3.2.1 Train presence

signal failure

(trainside)

Faulty design

of trainside

equipment


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




requirement.

Incorrect

maintenance

of train side

equipment





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M

NA NA Not a design

requirement




Page 52 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


detection failure

(wayside)

Faulty design

of secondary

train detection

system


e





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function




requirement.

Incorrect

maintenance

of secondary

train detection

system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function



equipment

M

NA NA Not a design

requirement


information

processing /

communication

failure

Faulty design

of data

communicatio

n system


e





failed train.

T

O O O O O 5.4.1.5 5.1.2.3 Safety function.

Communication

protocol compliant with

EN50159.









conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


FailureT





requirement.




Page 53 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of data

communicatio

n system





failed train.

T










conditions.

T

M M M M M 5.4.2.1 &

5.4.2.2

5.1.1.1.1-3

&

5.1.1.1.1-6

&

5.1.1.2 &

5.1.1.1.3

Safety function


FailureT



maintenance of data


M

NA NA Not a design

requirement

1.1.1.2.2.3 (1.3.1.4) Wrong travel

direction

1.1.1.1.1.3 (1.3.1.5) Insufficient

deceleration1.3.2 Train too close to

end of track1.3.2.2 Unrecognised end

of track

Maintenance

works


e





sensors.

T


Ensure correct adherence of

maintenance proceduresM

NA NA Not a design

requirement

Bad weather

conditions

Collision Supervise Safety Related Inputs -




sensors.

T


Ensure good view for driverT


requirement

1.1.1.2.2.3 (1.3.2.3) Wrong travel

direction (back

movement)1.1.1.1.1.3 (1.3.2.4) Insufficient

deceleration




Page 54 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

2 Train Interior

Hazards2.1 Person struck/hurt

by object

2.1.1 Break of train

equipment fixation

2.1.1.1 Faulty design,

implementation,

maintenance

Mistakes by

staff during

design,

implementatio

n and

maintenance

Person

Struck /

Hurt by

Object

Marginal Remote 1 Tolerable Adequate education and training

for staff

P

NA NA Not a design

requirement

Employ well educated staff onlyP

NA NA Not a design

requirement

Inadequate or

no rules for

design,

implementatio

n and

maintenance

Person

Struck /

Hurt by

Object

Establish rules for design

T


requirement.

Establish rules for

implementationT


requirement.

Establish rules for maintenanceM

NA NA Not a design

requirement

2.1.1.2 Vibration Faulty design

of train cars

Person

Struck /

Hurt by

Object

Marginal Remote 1 Tolerable Ensure correct initial design of

train cars considering the

possibility of vibrationT


requirement.

Incorrect

maintenance

of train cars

Person

Struck /

Hurt by

Object

Ensure correct maintenance and

inspection to prevent vibrationM

NA NA Not a design

requirement

2.1.2 Luggage / similar

objects2.1.2.1 Faulty design,

implementation,

maintenance of

luggage rack

Mistake by

staff during

design,

implementatio

n and

maintenance

of luggage

rack

Person

Struck /

Hurt by

Object

Marginal Remote 1 Tolerable Adequate training and education

of staff

P

NA NA Not a design

requirement

Insufficient or

no rules for

the design,

implementatio

n and

maintenance

for luggage

racks

Person

Struck /

Hurt by

Object

Establish rules regarding luggage

racks

T


requirement.

2.1.2.2 Operation error

2.1.2.2.1 Acceleration Unskilled

Driver

Person

Struck /

Hurt by

Object

Marginal Probable 1 Undesira

ble

Adequate training and education

of staffP

NA NA Not a design

requirement




Page 55 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Provide well designed HMI driver

deskT


requirement.

2.1.2.2.2 Deceleration Unskilled

Driver

Person

Struck /

Hurt by

Object


ble


of staffP

NA NA Not a design

requirement

Provide well designed HMI driver

deskT


requirement.

2.1.2.2.3 Jerk of moving

train2.1.3 Arris by vandalism Insufficient

supervision

Person

Struck /

Hurt by

Object

Marginal Occasional 1 Undesira

ble

Supervise Passengers in trains

T

O O O O O 5.10.2 6.3.3.2 This is partially

contributor (video) but

function cannot

considered as SIL4

function.

Faulty design

of train

equipment

(not

considering

the possibility

of vandalism)

Person

Struck /

Hurt by

Object


train equipment considering the

possibility of vandalism

T


requirement.

Incorrect

maintenance

and inspection

Person

Struck /

Hurt by

Object

Prevent vandalism by regular

inspection and maintenanceM

NA NA Not a design

requirement

2.1.4 Jerk of moving

train2.1.4.1 Propulsion failure Faulty design

of propulsion

system

Person

Struck /

Hurt by

Object


ble


propulsion system

T


requirement.

Responsibility of

Rolling stocks designs.

Incorrect

maintenance

of propulsion

system

Person

Struck /

Hurt by

Object


maintenance of propulsion

systemM

NA NA Not a design

requirement

2.1.4.2 Brake failure Faulty design

of braking

system

Person

Struck /

Hurt by

Object


ble


braking system

T


requirement.

Responsibility of


Incorrect

maintenance

of braking

system

Person

Struck /

Hurt by

Object


maintenance of braking systemM

NA NA Not a design

requirement

2.1.4.3 Environmental

conditions9.1.2 Wind Inadequate

precaution

against wind

Person

Struck /

Hurt by

Object


ble

Consider wind force during

planning and design of

railway/metro system T


requirement.

Responsibility of





Page 56 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Operational rules to stop all trains

in case of extreme wind

P


requirement.

Responsibility of


9.2.4 Earthquake Inadequate

precaution

against

earthquakes

Person

Struck /

Hurt by

Object


e

Consider earthquakes during


railway/metro system T


requirement.

Responsibility of



is case of forecasted earthquake P

NA NA Not a design

requirement

2.1.4.4 Guideway

structural failure

Faulty design

of guideway

Person

Struck /

Hurt by

Object


guidewayT


requirement.

Responsibility of

Guideway design.

Incorrect

maintenance

of guideway

Person

Struck /

Hurt by

Object


maintenance of guidewayM

NA NA Not a design

requirement

2.1.4.5 Excessive

deceleration

ATP on-board

equipment

failure

Person

Struck /

Hurt by

Object


ble


ATP on-board equipmentT


requirement.


maintenance of ATP on-board

equipment

M

NA NA Not a design

requirement

Mistake by

driver

Person

Struck /

Hurt by

Object

Ensure correct execution of

operational rulesP

NA NA Not a design

requirement

Employ trained and well

educated staff onlyP

NA NA Not a design

requirement

Unconscious driverP

NA NA Not a design

requirement

2.1.4.6 Excessive

acceleration

ATP on-board

equipment

failure

Person

Struck /

Hurt by

Object


ble





profile.

T

M M M M M 5.4.3.4 5.1.5.2 Safety function


ATP on-board equipmentT


requirement.



equipment

M

NA NA Not a design

requirement

Mistake by

driver

Person

Struck /

Hurt by

Object


operational rulesP

NA NA Not a design

requirement



NA NA Not a design

requirement

Unconscious driver P




Page 57 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

2.1.4.7 Emergency

braking

Any reason Person

Struck /

Hurt by

Object


ble

Ensure a limitation of braking

force to an unharmful level for

passenger T

O M M M M 5.4.3.3 No

reference

found.

There is no IEC

corresponding

function. However the

5.2.1 function is

suppose to limit jerk.

Provide enough halt (e.g.

handrails) in trainsT

Prevent unnecessary emergency

brakes by passenger P

2.1.5 Unintended

movement of

wheelchair

Any reason Person

Struck /

Hurt by

Object


ble

Devices to fix wheelchair in train

carsT


requirement.

2.2 Explosion

2.2.1 Explosion in train

2.2.1.1 Criminal acts Insufficient

supervision

Explosion Catastrophic Remote 1 Undesira

ble

Provide enough supervision in

train

T



function cannot

considered as SIL4

function.

Training and education of staff P

NA NA Not a design

requirement.

Operational rule to stop all trains

is case of a criminal or terroristic

act

P

NA NA Not a design

requirement.

2.2.1.2 Egression of

explosive

substances in

train2.2.1.2.1 Maintenance

errors

Mistake by

maintenance

crew

Explosion Catastrophic Occasional 1 Intolerabl

e


of staff P

NA NA Not a design

requirement.

Technical and procedural supportM

NA NA Not a design

requirement.

2.2.1.2.2 Faulty design,

improper design

Insufficient

training for

staff


ble


of staff P

NA NA Not a design

requirement.

Insufficient

rules/guideline

s for design of

train cars

Explosion Establish technical and

procedural support for design

e.g. by guidelinesT

NA NA Not a design

requirement.

2.2.1.3 Explosive material

storage

Faulty design Explosion Catastrophic Remote 1 Undesira

ble


vehicle considering possible

explosions

T

NA NA Not a design

requirement.

2.2.1.4 Explosive

products carried

by passenger

Any reason Explosion Catastrophic Remote 1 Undesira

ble

Passenger information

T



function cannot

considered as SIL4

function.

Passenger control at entrance of

station/trainP

NA NA Not a design

requirement.

2.2.2 Explosion on

guideway




Page 58 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

2.2.2.1 Criminal acts Insufficient

supervision


ble

Provide enough supervision on

guidewayP

NA NA Not a design

requirement.

Training and education of staff P

NA NA Not a design

requirement.

Operational rule to stop all trains

is case of a criminal or terroristic

act

P

NA NA Not a design

requirement.

2.2.2.2 Egression of

explosive

substances on

guideway2.2.2.2.1 Maintenance

errors

Mistake by

maintenance

crew


ble


of staff P

NA NA Not a design

requirement.

Technical and procedural supportP

NA NA Not a design

requirement.

2.2.2.2.2 Faulty design,

improper design

Insufficient

training for

staff


ble


of staff P

NA NA Not a design

requirement.

Insufficient

rules/guideline

s for design of

train cars

Explosion Establish technical and

procedural support for design

e.g. by guidelinesT

NA NA Not a design

requirement.

2.3 Person fall in train

2.3.1 Brake failure Unskilled

Driver

Fall of

person in

train


ble


operational rules P

NA NA Not a design

requirement.



NA NA Not a design

requirement.

Unconscious driverP

NA NA Not a design

requirement.

ATP On-board

problem

Fall of

person in

train


ATP on-board equipment T

NA NA Not a design

requirement.



equipment

M


requirement.

2.3.2 Obstacles in train Inappropriate

Design

Fall of

person in

train


train cars considering possible

obstacles

T


requirement.

Incorrect

maintenance

Fall of

person in

train



obstacles in train cars

M

NA NA Not a design

requirement.

2.3.3 Panic/hustle in

train (by criminal

act, jerk,...)

Any reason Fall of

person in

train


ble

Supervise train i.e. passenger

T



function cannot

considered as SIL4

function.

Employ security guards and train

on-board personnelP

NA NA Not a design

requirement.

2.3.4 Insufficient

lighting

Power

blackout

Fall of

person in

train


ble

Installation of secondary power

supply system T


requirement.

Faulty design

of lightning

system

Fall of

person in

train

Ensure correct design of lightning

system in train T


requirement.




Page 59 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of lightning

system

Fall of

person in

train


maintenance of lightning systemM

NA NA Not a design

requirement.

2.3.5 Inexistence or

broken support

elements

Faulty design

of support

elements

Fall of

person in

train


support elements T


requirement.

Incorrect

maintenance

of support

elements

Fall of

person in

train


maintenance of support elementsM

NA NA Not a design

requirement.

2.3.6 Slippery train floor Faulty design

of train floor

Fall of

person in

train

Marginal Pobable 1 Undesira

ble


train floors T


requirement.

Incorrect

maintenance

of train floor

Fall of

person in

train

Marginal Ensure correct inspection and

cleaning of train floors M

NA NA Not a design

requirement.

2.4 Fire

2.4.1 Fire in train

2.4.1.1 Inflammable

material used on

train

Faulty design -

inflammable

material used

Fire Catastrophic Remote 1 Undesira

ble


vehicle T


requirement.

Incorrect

maintenance -

inflammable

material used

Fire Ensure correct inspection and

maintenance of train carsM

NA NA Not a design

requirement.

2.4.1.2 Ignition Faulty design

e.g. faulty

designed

electrical

components


ble


vehicle

T


requirement.

Maintenance

error


maintenance of train carsM

NA NA Not a design

requirement.

2.4.1.3 Unobstructed

spread of fire

Faulty design

of train cars


ble


vehicleT


requirement.


protection and

React to detected fire/smoke

T

- 5.6.1 no corresponding

Modurban D80

function.

Maintenance

error

Fire Ensure correct execution of

maintenance rulesM

NA NA Not a design

requirement.

2.4.1.4 Explosion

2.4.2 Fire on guideway

ignites train

2.4.2.1 Inflammable

material used on

guideway

Faulty design -

inflammable

material used

on guideway


ble


guidewaysT


requirement.

Incorrect

maintenance -

inflammable

material used


maintenance on guidewaysM

NA NA Not a design

requirement.

2.4.2.2 Ignition Faulty design

e.g. faulty

designed

electrical

components


ble


guideway

T


requirement.




Page 60 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Maintenance

error


maintenance of guidewaysM

NA NA Not a design

requirement.

2.4.2.3 Unobstructed

spread of fire

Faulty design

of guideways


ble


guidewaysT


requirement.


protection and

React to detected fire/smoke

T

- 5.6.1 no corresponding

Modurban D80

function.

Maintenance

error

Fire Ensure correct execution of

maintenance rulesM

NA NA Not a design

requirement.

2.4.2.4 Explosion

2.5 Inadequate

temperature

Faulty design

of train cars

Super

cooling/

Superhea

ting of

Passenge

r


ble

Installation of air renewal and air

conditioning systems

T


requirement.


HEVACM

NA NA Not a design

requirement.

Ensure correct handling of

HEVACP


requirement.

2.6 Asphyxiation

2.6.1 Smoke Fire Asphyxiati

on of

passenge

r


e

See subtree 2.4.1 Fire in train

Faulty design

of vehicle

Asphyxiati

on of

passenge

r


train cars in order to prevent the

possibility of development of

smoke e.g. from electronical

equipment

T


requirement.

Incorrect

maintenance

Asphyxiati

on of

passenge

r



development of smoke M

NA NA Not a design

requirement.

2.6.2 Air renewal failure Faulty design

of air renewal

system

Asphyxiati

on of

passenge

r


e

Ensure correct initial design of air

renewal systemT


requirement.

Provide possibilities to open

windows or doors in emergency

cases

T


requirement.

Incorrect

maintenance

Asphyxiati

on of

passenge

r


maintenance of air renewal

systemM

NA NA Not a design

requirement.

Provide possibilities to open

windows or doors in emergency

cases

T


requirement.

2.7 Toxic releases

2.7.1 Toxic releases in

train

Faulty design

of vehicle

leads to

combustion,

leakage ..

Asphyxiati

on, burns

of

passenge

r


ble


vehicle to prevent any form of

toxic release by combustion,

leakage etc.

T


requirement.

Avoid the use of toxic material on

train for constructionT


requirement.




Page 61 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of vehicle

leads to

combustion,

leakage ..

Asphyxiati

on, burns

of

passenge

r


maintenance on vehicle to

prevent any form of toxic release

by combustion, leakage etc.M

NA NA Not a design

requirement.

Avoid the use of toxic material on

train for maintenance purposes T


requirement.

2.7.2 Toxic releases

coming from

outside2.8 Radiation

2.8.1 Radiation from

equipment

Faulty design

of train cars

Burns of

passenge

r


ble



possibility of radiation

T


requirement.

Incorrect

maintenance

on train cars

Burns of

passenge

r


maintenance on train cars


radiation

M

NA NA Not a design

requirement.

2.8.2 Foreign radiation/

Strong Fields

Faulty design

of vehicle e.g.

insufficient

precaution

Burns of

passenge

r


ble

Minimise the impact of foreign

radiation and strong fieldsT


requirement.


maintenance of precautionsM

NA NA Not a design

requirement.

2.9 Electrocution in

train

Faulty design

of train cars

Electrocut

ion


ble



possibility of electrocution

T


requirement.

Incorrect

maintenance

of train cars

Electrocut

ion


maintenance to ensure the

protection of passenger

M

NA NA Not a design

requirement.

2.10 Person contact

with machinery

Faulty design

of train cars

Cuts,

burns,

contamin

ation,

suffocatio

ns of

passenge

r


ble


machinery

T


requirement.

Incorrect

maintenance

of train cars

Cuts,

burns,

contamin

ation,

suffocatio

ns of

passenge

r



against contact of passenger with

machineryM

NA NA Not a design

requirement.

2.11 Person exposed to

noise

Faulty design

of train cars

Suffocatio

n

Insignificant Probable 1 Tolerable Ensure correct initial design of


possibility of loud noises

T


requirement.

Incorrect

maintenance

of train cars

Suffocatio

n


maintenance M

NA NA Not a design

requirement.




Page 62 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

2.12 Person needs

urgent asisstance

heart attack,

childbirth, …

Injury of

person


ble

Installation of emergency call

device onboard

/ Monitor passenger emergency

calls

/ React to passenger alarm

device activation

T

O O O O M 5.7.6

5.8.1

5.6.4.1

5.6.4.2

5.6.4.3

Provide communication onboard

staff and OCC:

IEC function : Provide interface

with the communication system

for passengers and staff.T

M M M M M 5.10.3 6.6

6.7

These function are not

safety function but it

could help the

operator to avoid

passeger panic in

case of evacuation.

Ensure Possibility of

Announcement inside trainP


requirement.




Page 63 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3 Train-Station-

Interface Hazards

(with train already

in station)

3.1 Passenger falls

from train on

station track3.1.1 Incorrect train

alignment

No location

measurement

Fall of

person,

Electrocut

ion


e


Onboard ATC will only allow

doors open if train is correctly

docked. Doors are only enable

on the side with a platform.

T

5.6.1 5.4.1.1

Support driver with signs

ATC will indicate to the driver

when the train is correctly docked

T

NA NA

3.1.2 Vehicle doors are

open on the wrong

side at station

3.1.2.1 Wrong train

orientation

No

measurement

of train

orientation

Fall of

person,

Electrocut

ion


e

Determine Actual Train Travel

Direction - This function

determines the travel direction of

trains.

Train travel direction is not

relevant to passenger transfer.

The train is not moving.

Determine train orientation

T

O M M M M NA 5.1.2.2.1

5.1.2.1

5.1.2.2.2

3.1.2.2 Door control

failure

No door

control system

Fall of

person,

Electrocut

ion


e

Supervise Train Doors - This


the train door control system.T

O M M M M 5.3.3.3 5.6.6

Supervise Door Opening - This


all prerequisites necessary for

safe passenger exchange.

T

O O O O M 5.6.1.1 5.4.1.1

3.1.3 Train departure

with (unnoticed)

open doors

Door control

failure

Fall of

person,

Electrocut

ion


e



the train door control system.

T

O M M M M 5.3.3.3 5.6.6




Page 64 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Supervise Conditions for Start of

Train Movement - This function is

intended to supervise all

prerequisites related to doors and

emergency handles necessary

for safe start of train movement.

Onboard ATC will not allow

departure without all train and

platform doors reporting closed

status.

T

O O M M M 5.5.4 5.4.3

Installation of CCTV system to

monitor platform area P

NA NA

3.2 Passenger injured

by doors3.2.1 Inadequate

pressure/forces

Faulty design

of doors

system

Trapping

of person


e






for safe start of train movement.T

O O M M M 5.5.4 5.4.3


door system T

NA NA

Installation of door control and

obstacle detection systemT

NA NA

Incorrect

maintenance

of door system

Trapping

of person







T

O O M M M 5.5.4 5.4.3


maintenance of door systemM

NA NA

3.2.2 Passenger injured

by platform screen

doors




Page 65 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.2.2.1 Person hit by

platform screen's

doors during

closing

Injury of

person,

Passange

r hit by

train,

Trapping

of person


ble

Establish clear and



P

NA NA

3.2.2.2 Installation of PSD

- Passenger

smashed against

PSD/construction

material during

passenger

boarding

Wrong

installation

procedure

Fall of

person


ble

Migration phase procedures

P

NA NA

overcrowded

situation

Fall of

person

P

NA NA

3.2.2.3 Misuse of manual

control panel for

PSD by staff in

case of PSD

failure

Staff

communicatio

n,

misunderstand

ings,

insufficient

education

Trapping

of person


ble

Training/ Education for staffs

P

NA NA

Establish clear and



P

NA NA

3.2.2.4 Loss of locking

status of PSD

Fall of

person


e

ATC will detect loss of Platform

Door closed and locked status

and close the platform track

preventing trains from entering

the station. Track can only

opened by OCC operator

command once the door lock

status is restored.

T

M M M M M 5.3.4.3 5.3.2.3

3.2.3 Inadequate space

between door leaf

and car body

Faulty design

of doors

system

Trapping

of person


ble


door system T

NA NA

Installation of door control and

obstacle detection systemT

NA NA

Incorrect

maintenance

of door system

Trapping

of person


maintenance of door systemM

NA NA

3.3 Train departs with

passenger trapped

in doors

E.g. limb of

passenger, clothes,

bags, other objects

from passenger, leash

etc.




Page 66 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.3.1 Wrong door

closing /

interlocking signal

No door

control

Trapping

of person


e




O M M M M 5.3.3.3 5.6.6

Conditions for

start of train

are not fulfilled

Trapping

of person







T

O O M M M 5.5.4 5.4.3

3.3.2 Undetected

obstacles

Obstacle

detector

signals

clearance

Trapping

of person

Critical Frequent 1 Intolerabl

e




O M M M M 5.3.3.3 5.6.6

Mistake by

driver

Trapping

of person




O M M M M 5.3.3.3 5.6.6

Support driver during clearance

check P

NA NA

Design or

maintenance

error of train

doors

Objects

striking

person

Correct initial design of train

doorsT

NA NA


maintenanceM

NA NA

Overcrowded

situations,

Vandalism,

Panic,

Unawareness

of Passenger;

Objects

striking

person

Correct initial design of train

doors

T

NA NA

3.3.3 Passenger/object

trapped in

platform screen

doors


maintenanceM

NA NA

3.3.3.1 Person stuck

between train

doors and

screen's doors

Design or

maintenance

errors of PSD

Injury of

person


e


Platform door design should be

such that the door cannot close if

a person is between the train and

platform door.

T

NA NA


maintenance

M

NA NA

Supervise devices that detect

when a passenger is stuck

between train and platform

doors.

T

O O O O M 5.10.1 5.4.2.2




Page 67 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.3.3.2 Something

(leashes, ties,

wrist of a child ..)

sticks in PSD and

is not detected by

PSD

Overcrowded

situations,

Vandalism,

Panic,

Unawareness

of Passenger

Injury of

person


e

Availability of emergency stop

buttons on the platform and on

the train so other passengers can

prevent the train from departingT

O O O M M 5.8.1 5.3.2.2

Design or

maintenance

error of PSD

Injury of

person


T

NA NA

3.3.3.3 Person or object is

between closed

PSD and closed

train doors -> and

train departs with

passenger in

doors

Design or

maintenance

error of PSD

Injury of

person


e


Platform door design should be

such that the door cannot close if

a person is between the train and

platform door.

T

NA NA

3.4 Train moves at

passenger

exchange 3.4.1 Incorrect train

departure3.4.1.1 Wrong departure

authorisation /

command

Conditions for

start are not

fulfilled

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e






for safe start of train movement. T

O O M M M 5.5.4 5.4.3

3.4.1.2 Door status

failures

Door status is

lost

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e




T

O M M M M 5.3.3.3 5.6.6

Door status

signals

clearance but

door occupied

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)




T

O M M M M 5.3.3.3 5.6.6




Page 68 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.4.2 Rear end collision Train enters

occupied track

in station


e

Ensure exclusiveness of train in

track sectionT

M M M M M 5.4.3 5.1.4

3.4.3 Propulsion failure Faulty design

of propulsion

system

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e


propulsion system

T

NA NA





profile.

T

5.4.3.4 5.1.5.2




away.

T

5.7.4 5.1.5.5

Prevent movement of train during

passenger transferT

5.6.1.1 5.4.1.1

Incorrect

maintenance

of propulsion

system

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


maintenance of propulsion

system

M

NA NA





profile.

T

5.4.3.4 5.1.5.2




away.

T

5.7.4 5.1.5.5

Prevent movement of train during

passenger transferT

5.6.1.1 5.4.1.1

3.4.4 Brakes failure Faulty design

of braking

system

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e


braking system

T

NA NA




Page 69 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)





profile.

T

5.4.3.4 5.1.5.2




away.

T

5.7.4 5.1.5.5

Incorrect

maintenance

of braking

system

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


maintenance of braking system

M

NA NA





profile.

T

5.4.3.4 5.1.5.2




away.

T

5.7.4 5.1.5.5

3.4.5 Important

passenger

movement in the

vehicle

Overcrowded

situation

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


ble

Provide enough room for

passenger in station

Prevent overcrowding of station

platform.T& P

5.10.1 6.3.3.1

Provide enough room for

passenger in trainP

Provide enough halt inside of

train

Safety measure does not make

sense

3.5 Person between

vehicle/ vehicle

gaps




Page 70 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.5.1 Passengers risky

behaviour

Any reason Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e

Installation of platform screen

doors

T

NA NA

Installation of manual emergency

stop for passenger and staff on

platform and train

T

5.8.1 5.3.2.2

Manage train door closing - This

function is intended to manage

the train door closing at stations.

T

5.6.2 5.4.1.4

Manage PSDs closing - This


the platform door closing if

existing after exchange of

passenger at stations.

T

5.6.2 5.4.1.4

3.5.2 Unconsciousness

(children, elder

people...)

Any reason Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e


doors

T

NA NA



platform and train

T

5.8.1 5.3.2.2



the train door closing at stations.T

5.6.2 5.4.1.4






T

5.6.2 5.4.1.4




Page 71 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

3.5.3 Rush / hustle /

push

Any reason Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e


doors

T

NA NA



platform and train

T

5.8.1 5.3.2.2




5.6.2 5.4.1.4






T

5.6.2 5.4.1.4

Prevent criminal actP

NA NA

Avoid overcrowded situationsP&T

5.10.1 6.3.3.1

Ensure adherence of timetableP

NA NA

3.5.4 Unknown

misalignment of

train

ATC will ensure alignment. A

secondary alignment detection

system should be used if

necessary.

T

5.6.1.1 5.4.1.1

3.6 Person steps /

falls into vehicle-

platform gap3.6.1 Risky behaviour

along the train

Any reason Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person)


e


doors

T

NA NA



platform and train

T

5.8.1 5.3.2.2

Supervision of platformT

5.10.1 6.3.3.1




5.6.2 5.4.1.4




Page 72 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)






T

5.6.2 5.4.1.4

3.6.2 Excessive gap Faulty design

of vehicle-

platform gap

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person),

Electrocut

ion


ble


station i.e. vehicle-platform gap

T

NA NA

Installation of gap filling devices T NA 5.4.2.1

Announcements and warnings

regarding the gapT

NA NA



platform and train

T

5.8.1 5.3.2.2

Supervision of gap T NA 5.4.2.2

Ensure gap is free before train

departureT

NA 5.4.2.2

3.6.3 Passenger steps /

falls in gap at door

area

Insufficient

warnings

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person),

Electrocut

ion


e

Announcements and warnings

regarding the gap

T

NA NA



platform and train

T

5.8.1 5.3.2.2

Supervision of gap T NA NA

Ensure gap is free before train

departureT

NA 5.4.2.2

vehicles doors

open but PSD

are closed

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person),

Electrocut

ion


interaction traindoor / Platform

screen doors

Disagree with this being a Critical

hazardT

5.6.1.1 5.4.1.1




Page 73 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

PSD opens

but train doors

are closed

Fall of

person,

Trapping

of person;

Impact on

person

(object

striking

person),

Electrocut

ion


interaction traindoor / Platform

screen doors

Disagree with this being a Critical

hazardT

5.6.1.1 5.4.1.1

3.6.4 Person fall

Overcrowded

situations,

Panic,

Unawareness

of Passenger

Injury of

person


e

Installation of Platform Screen

Doors

T

NA NA

Faulty design

of precautions

Injury of

person


precautions T

NA NA

Incorrect

maintenance

of precautions

Injury of

person



NA NA

3.7 Electrocution

3.7.1 Difference of

potential between

train and other

equipment

Faulty design Electrocut

ion


ble


train and other railway/metro

equipment T

NA NA

Incorrect

maintenance

Electrocut

ion


maintenance to prevent potential

differences

M

NA NA

3.7.2 Contact with train

power supply

Faulty design

of train power

supply

Electrocut

ion


ble


train power supply

T

NA NA

Incorrect

maintenance

of train power

supply

Electrocut

ion


maintenance of train power

supplyM

NA NA




Page 74 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

4 Station Interior

Hazards (with no

train presence)

4.1 Person struck by

falling object

Faulty design

of station

Impact on

person


ble


station building

T NA NA

Incorrect

maintenance

of station

Impact on

person


maintenance of station building

M NA NA

4.2 Person hit by

sharp object

Faulty design

of station

Impact on

person


ble


station building

T NA NA

Incorrect

maintenance

of station

Impact on

person



M NA NA

4.3 Person hurt by

protruding object

Faulty design

of station

Impact on

person


ble


station building

T NA NA

Incorrect

maintenance

of station

Impact on

person



M NA NA

4.4 Wheelchair/ baby

carriage hazards

4.4.1 Uncontrolled

wheelchair/ baby

carriage

movement

Faulty design

of station

Impact on

person


ble


station building

T NA NA

Incorrect

maintenance

of station

Impact on

person



M NA NA

Panic, rush,

hustle

Impact on

person

Prevent panic P NA NA

4.4.2 Wheelchair/ baby

carriage rolls over

Faulty design

of station

Impact on

person


ble


station building

T NA NA




Page 75 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of station

Impact on

person



M NA NA

Panic, rush,

hustle

Impact on

person

Prevent panic P NA NA

4.5 Person fall in

station4.5.1 Person fall

4.5.1.1 Obstacles Faulty design

of station

building

Fall of

person


ble


station building

T NA NA

Insufficient

cleaning of

station

building

Fall of

person

Ensure correct maintenance and

cleaning of station building

M NA NA

4.5.1.2 Rush/hustle Overcrowded

situation due

to faulty

design of

station

Fall of

person


e


station building

T NA NA

Overcrowded

situation due

to train delays

Fall of

person


station building

T NA NA

Criminal or

terroristic acts

Fall of

person

Prevent criminal or terroristic acts P NA NA

4.5.1.3 Slippery floor Faulty design

of station floor

i.e.

wrong/slippery

material used

Fall of

person


ble


station building

T NA NA

Faulty design

of platform

and station -

slope of

platform or

whole station

Fall of

person


station building

T NA NA

Environmental

conditions

(Humidity,

rain, snow ..)

Fall of

person


station building

T NA NA

Incorrect

maintenance

of station floor

i.e. insufficient

cleaning

Fall of

person


maintenance and cleaning of

station floor and precautions

against environment

M NA NA




Page 76 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

4.5.1.4 Insufficient

lighting

Faulty design

of lightning

system

Fall of

person


ble


lightning system

T NA NA Lighting failure should

also be considered

Incorrect

maintenance

of lightning

system

Fall of

person


maintenance of lightning system

M NA NA

4.5.1.5 Platform faulty

design

Badly

educated and

untrained

engineers

Fall of

person


ble

Employ professionals only,

sufficient retraining of all

employees (especially planning

staff)

P NA NA

Insufficient

rules and

guidelines for

planning and

design of

platforms

Fall of

person

Establish or provide sufficient

rules and guidelines for planning

and design of platforms

P NA NA

4.5.2 Escalator hazard Faulty design

of escalator

e.g. jerk

Fall of

person


ble


escalator

T NA NA

Incorrect

maintenance

of escalator

Fall of

person


maintenance of escalator

M NA NA

4.5.3 Lift hazard Faulty design

of lift - sudden

stop or jerk

Fall of

person


ble

Ensure correct initial design of lift T NA NA

Incorrect

maintenance

of lift

Fall of

person


maintenance of lift

M NA NA

4.6 Person

falls/intrudes on

station track

4.6.1 Person falls from

platform into track

Panic,

Suicide,

inattention, etc

Fall of

person


e

Detection of guideway intrusion

on platform

T M M M M M 5.3.4.1 5.3.2.4 Safety function :

supervise platform

tracks


passengers/staff : platform/train

T M M M M M 5.8.1 &

5.8.2

5.3.2.2 &

5.1.4.5

Safety function




Page 77 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Supervise traction power supply T O O O O O 5.12.3.1

& 5.12.3.3

6.4.2 &

6.4.3

4.6.2 Person leaning

against PSD which

suddenly opens

Faulty design

of equipment

Fall of

person


ble


on platform


supervise platform

doors



T M M M M M 5.8.1 &

5.8.2

5.3.2.2 &

5.1.4.5

Safety function


& 5.12.3.3

6.4.2 &

6.4.3

4.6.3 Person climbs

over PSD and

enters track area

Panic,

Suicide,

Vandalism, etc

Fall of

person


e


on platform


supervise platform

tracks.

PSD may also be

equipped with

intrusion detection

devices (e.g. pressure

sensitive mats)



T M M M M M 5.8.1 &

5.8.2

5.3.2.2 &

5.1.4.5

Safety function


& 5.12.3.3

6.4.2 &

6.4.3

Closely linked to the

emergency stop

request: the traction

cut off is usually

designed to trigger an

emergency break by

the system


station4.7.1 Equipment

insulation fault

Faulty design

of equipment

insulation (e.g.

too little

insulation or

too high

voltage)

Electrocut

ion


ble


insulation of equipment

T NA NA

Incorrect

maintenance

of equipment

insulation

Electrocut

ion



insulation

M NA NA




Page 78 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

4.7.2 Short circuit Faulty design

of equipment

Electrocut

ion


ble


equipment

T NA NA

Incorrect

maintenance

of equipment

Electrocut

ion



M NA NA

4.7.3 Criminal acts Insufficient

security

precautions

(e.g. not

enough

security

personnel or

technical

supervision)

Electrocut

ion


ble

Provide sufficient platform/station

supervision

T & P O O O O M 5.10.1 6.3.3.1 Supervise passengers

on platform

Design of station considering

criminal acts (security aspect)

P NA NA

4.7.4 Contact with train

power supply

Faulty design -

insufficient

boundary/war

nings to

protect

passenger

Electrocut

ion


e


train power supply

T NA NA

Incorrect

maintenance

of power

supply - no

protection of

passenger

Electrocut

ion


maintenance of train power

supply

M NA NA

4.8 Smoke

4.8.1 Fire Faulty design

of station -

combustible

material used

Asphyxiati

on,

Contamin

ation,

Burns


e


station building

T NA NA

Supervise other safety related

inputs - This function is intended



sensors

T M M M M M 5.3.5 NA Safety function

Supervise infrastructure - This

function is intended to provide

alarms about critical auxiliaries in

order to inform the OCC

operator: then staff can perform

necessary actions on critical

auxiliaries, including components

of signalling system, pumps, fans

and escalators.

T NA NA Safety function




Page 79 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Maintenance

error

Asphyxiati

on,

Contamin

ation,

Burns


maintenance on station building

and fire protection equipment

M NA NA





sensors










and escalators.


4.8.2 Chemical reaction Faulty design

of station - use

of toxic

material

Asphyxiati

on,

Contamin

ation,

Burns


e


station

T NA NA





sensors










and escalators.


Maintenance

error

Asphyxiati

on,

Contamin

ation,

Burns



and fire protection equipment i.e.

smoke detectors

M NA NA





sensors





Page 80 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









and escalators.


4.8.3 Emission of

smoke through

failure

Faulty design

of station (e.g.

pipe work -

leakage)

Asphyxiati

on,

Contamin

ation,

Burns


e


station

T NA NA





sensors










and escalators.


Maintenance

error

Asphyxiati

on,

Contamin

ation,

Burns



and fire protection equipment i.e.

smoke detectors

M





sensors










and escalators.



of station (e.g.

air

conditioning

system)

Asphyxiati

on,

Contamin

ation,

Burns


e


station i.e. air renewal system

T NA NA




Page 81 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)





sensors










and escalators.


Maintenance

error

Asphyxiati

on,

Contamin

ation,

Burns



system and fire protection

equipment i.e. smoke detectors

M





sensors










and escalators.


4.9 Explosion

4.9.1 Criminal act Insufficient

security

precautions

(e.g. not

enough

security

personnel or

technical

supervision)


ble

Design of station considering


P NA NA

Provide sufficient platform/station

supervision

P & T O O O O M 5.10.1 6.3.3.1 Supervise passengers

on platform

4.9.2 Maintenance error Insufficient

training or

badly

educated staff

Explosion Catastrophic Probable 1 Intolerabl

e

Engagement of well educated

staff

P NA NA

Ensure sufficient training P NA NA

Supervise adherence of

maintenance procedures

P NA NA




Page 82 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

4.9.3 Faulty design,

improper design

Insufficient

training or

badly

educated staff


ble


staff

P NA NA

Ensure sufficient training P NA NA

Establish guidelines P NA NA

Establish quality management P NA NA

4.9.4 Explosive material

storage

Wrong

storage

Explosion Catastrophic Occasional 1 Intolerabl

e

Correct station design

considering the storage of

explosive material

P NA NA


maintenance of storage

equipment

M NA NA

4.9.5 Explosive

products

transported by

passenger


ble

Detain passenger from entering

station with explosive products

P NA NA

4.10 Fire in station

4.10.1 Inflammable

material used

Faulty design

of station

Fire Catastrophic Remote 1 Intolerabl

e


station

T NA NA





sensors










and escalators.


Incorrect

maintenance

on station



M NA NA





sensors





Page 83 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)









and escalators.


4.10.2 Ignition Faulty design

of station


ble


station

T NA NA





sensors










and escalators.


Incorrect

maintenance

on station



M NA NA





sensors










and escalators.


4.10.3 Unobstructed

spread of fire

Faulty design

of station -

e.g.

insufficient

barriers or

precautions


ble


station

T NA NA




Page 84 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)





sensors










and escalators.


Incorrect

maintenance

on station -

e.g. disrespect

of

maintenance

rules



M NA NA





sensors










and escalators.


4.11 Toxic release

4.11.1 Toxic elements Faulty design

of station by

use of toxic

elements

Contamin

ation,

Burns,

Suffocatio

n


ble


station

T NA NA

Incorrect

maintenance -

incorrect use

of toxic

elements

Contamin

ation,

Burns,

Suffocatio

n



M NA NA




Page 85 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

5 Depot Hazards

5.1 Staff injured by

operation of

machines and

equipment

Faulty design

of machines

and

equipment


ble


machines and equipment for

operation in depotT

NA NA Non a functional

requirement.

Insufficient

precautions

against

injuries -

insufficient

safety at work

Establish rules and procedures

for safety at work - supervise

their adherence

P

NA NA Non a functional

requirement.

Establish rules and

procedures for safety

at work

Insufficient

educated and

trained staff

Ensure well educated and well

trained staff at depot P


requirement. Manuals

and training

5.2 Shunting hazards Insufficient

safety at work -

insufficient

operational

rules


e


for safety at work and operations -

supervise their adherence

P

NA NA Non a design

requirement.

Procedures and

operation for safety at

work

Insufficient

educated and

trained staff -

disrespect of

procedures


trained staff at depot

P



and training

5.3 Undue train /

vehicle enters

operation area

Unoccupied or

unsupervised

vehicles

Collision,

Derail-

ment,

Injury of

staff


e


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement , this

function determines


of the movement

authority,

corresponding to the Establish Work Zones -

Supervise shunting areaT

M M M M M 5.9.3 5.3.3 E.g. by personnel of

CCTV

Installation of mechanical barriers

T

Safety function.

Bariers shall have

requirements to

interface with a safety

equipment to open

and close the barrier




Page 86 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

5.4 Passenger in

depot area

Passenger still

in train after

service;

Insufficient

precautions

against

passenger

entering depot


e

Ensure passenger are all gone

after termination of service

P

NA NA Non design

requirement. E.g. by:

Train interior check

(whether empty or

not), before taking out

of service;

Announcement inside

train, when train will be

taken out of service;

Possibility for

emergency-call inside

train

Insufficient

precautions

against

passenger

entering depot

Protect depot against passenger

entrance

P

NA NA Not a functionnal

requirement. E.g. by:

Barriers

5.5 Staff run over by

train

Unoccupied or

unsupervised

vehicles;

Insufficient

precautions

(safety at

work);

Operational

mistakes/failur

e

Injury of

person


e


Limit

T

M M M M M 5.4.3.1 5.1.1.1.2 &

5.1.4.1

5.1.4.3

Safety function


movement , this

function determines


of the movement

authority,


first danger point

ahead of the train.

Establish Work Zones -

Supervise shunting areaT

M M M M M 5.9.3 5.3.3 E.g. by personnel of

CCTV

Insufficient

safety at work -

insufficient

operational

rules


for safety at work and operations -

supervise their adherence

P

NA NA Non design

requirement.

Procedures and

operation for safety at

work

E.g. Shunting rules

and procedures,

Insufficient

educated and

trained staff -

disrespect of

procedures


trained staff at depot

P



and training




Page 87 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

6 OCC Hazards

6.1 Fire in OCC

6.1.1 Inflammable

material used

Faulty design

of OCC

Fire Catastrophic Occasional 1 Undesira

ble


OCCT


requirement.Prevent

usage of (highly)

inflammable material


T


This function is


the detection of


by external sensors


Staff & Provide Maintenance

Support

T

M M M M M 5.9.2 &

5.13.3

6,6 Safety function

This function is

intended to provide

alarms about critical

auxiliaries in order to

inform the OCC

operator: then staff

can perform necessary

actions on critical

auxiliaries, including Incorrect

maintenance

on OCC


maintenance on OCC M

NA NA Prevent usage of

(highly) inflammable

material

Fire Supervise other safety related

inputs

T


This function is


the detection of


by external sensors



Support.

T

M M M M M 5.9.2 &

5.13.3

6,6 Safety function

This function is

intended to provide



inform the OCC



actions on critical

auxiliaries, including

components of

signalling system,

pumps, fans and

escalators.

6.1.2 Ignition Faulty design

of OCC


ble


OCC

T


requirement. Prevent

usage of material or

equipment which

easily leads to ignition




Page 88 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


inputs .

T


This function is


the detection of


by external sensors



Support.

T

M M M M M 5.9.2 &

5.13.3

6,6 This function is

intended to provide



inform the OCC



actions on critical


components of

signalling system,

pumps, fans and

escalators.

Incorrect

maintenance

on OCC


maintenance on OCC

M


requirement. Prevent

usage of material or

equipment which

easily leads to ignition


inputs.

T


This function is


the detection of


by external sensors



Support.

T

M M M M M 5.9.2 &

5.13.3

6,6 Safety function

This function is

intended to provide



inform the OCC



actions on critical


components of

signalling system,

pumps, fans and

escalators.

6.1.3 Unobstructed

spread of fire

Faulty design

of OCC - e.g.

insufficient

barriers or

precautions


OCC

T


requierment. E.g. by

installation of fire

doors or barriers




Page 89 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


ble


inputs .

T


This function is


the detection of


by external sensors



Support.

T

M M M M M 5.9.2 &

5.13.3

6,6 This function is

intended to provide



inform the OCC



actions on critical


components of

signalling system,

pumps, fans and

escalators.

Incorrect

maintenance

on OCC - e.g.

disrespect of

maintenance

rules


maintenance on OCC

M


requirement. Ensure

adherence to

maintenance rules e.g.

use of temporary fire

barriers

Fire Supervise other safety related

inputs .

T


This function is


the detection of


by external sensors



Support .

T

M M M M M 5.9.2 &

5.13.3

6,6 Safety function

This function is

intended to provide



inform the OCC



actions on critical


components of

signalling system,

pumps, fans and

escalators.


OCC




Page 90 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

6.2.1 Equipment

insulation fault

Faulty design

of equipment

insulation (e.g.

too little

insulation or

too high

voltage)

Electrocut

ion


ble


insulation of equipment

T


requirement

Incorrect

maintenance

of equipment

insulation

Electrocut

ion



insulationM

NA NA Non design

requirement

6.2.2 Short circuits Faulty design

of equipment

Electrocut

ion


ble


equipment

T


requirement.

Consideration of the

possibility of short

circuits

Incorrect

maintenance

of equipment

Electrocut

ion


maintenance of equipment M


requirement


security

precautions

(e.g. not

enough

security

personnel or

technical

supervision)

Electrocut

ion


ble

Provide sufficient supervision

around and inside of OCC

P


requirement. E.g. by

CCTV or personnel;

Entrance control at

OCC

Design of OCC considering


T


requirement. Protect

highly critical

components even

against criminal acts

6.3 Explosion in OCC


security

precautions

(e.g. not

enough

security

personnel or

technical

supervision)

Explosion Catastrophic Occasional 1 Imtolerab

le



T


requirement


around and inside of OCC

P


requirement. E.g. by

CCTV or personnel;

Entrance control at

OCC


training or

badly

educated staff

Explosion Catastrophic Probable 1 Imtolerab

le


staff

P



and trainin

Ensure sufficient trainingP


requirement




Page 91 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


maintenance proceduresP


requirement


improper design

Insufficient

training or

badly

educated staff

Explosion Engagement of well educated

staff

P


requirement

Ensure sufficient trainingP

NA NA Non design

requirement

Establish guidelines

P


requirement.

Consideration of

explosion during

planning phase.

Establish quality management

P

NA NA Verification and

Validation procedures

6.4 Building collapse Mistaken

design of OCC

building

Severe

injury of

person


ble


building of OCC T


requirement

Incorrect

maintenance

or construction

work

Severe

injury of

person

Insufficient

precautions

against

potential

environmental

forces

Severe

injury of

person


building of OCC - Design of

precautions against

environmental forcesT


requirement

Crminal/terrori

stic acts

Severe

injury of

person


criminal acts (security aspect) T


requirement


around and inside of OCC P

NA NA E.g. by CCTV or

personnel; Entrance

control at OCC

6.5 Terrorism, attacks,

criminal acts

Insufficient

precautions

against

criminal or

terroristic act

Severe

injury of

person


ble


OCC building considering the

possibility of terroristic or criminal

acts

T


requirement

Entrance supervision of staff and

visitorsP

NA NA Non design

requirement

Permanent supervision of OCC

and adjacent area by CCTV or

personnel

P


requirement

6.5.1 Software intrusion

6.6 Radiation in OCC


equipment

Faulty design

of OCC

equipment

Burns of

staff


ble


OCC equipment considering the


T


requirement




Page 92 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

6.6.2 Foreign radiation/

strong fields

Faulty design

of OCC

equipment

insufficient

precaution

Burns of

staff


ble


radiation and strong fields

T


requirement

6.7 Asphyxiation /

poisoning in OCC

6.7.1 Smoke Fire Burns,

Asphyxiati

on,

Suffocatio

n


e

Supervise Safety Related Inputs .

T


This function is


the detection of


by external detectors.

6.7.2 Air renewal failure System

damaged

Asphyxiati

on,

Suffocatio

n


e


T


This function is


the detection of





Page 93 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7 Maintenance

Hazards7.1 Staff injured by

operation of

machines and

equipment

Protect staff in the guideway

M

O O O M M 5.9.1 6.9 This NON SAFETY

function is intended

to support securityty

of staff for its

interventions in the

guideway7.1.1 Insufficient

education /

training

Bad company

management

Impact on

persons

(object

striking

person),

Cuts,

Contamin

ation,

Asphyxia,

Burns,

Electrocut

ion


e

Establish a company wide safety

culture to ensure the importance

of safety (i.e. safety at work)

NA NA

Ensure regular and adequate

training coordinated for each

individual working group or

department

NA NA

Lazy workers Impact on

persons

(object

striking

person),

Cuts,

Contamin

ation,

Asphyxia,

Burns,

Electrocut

ion

Employ staff which is willing to

learn

NA NA

Unqualified

tutors

Impact on

persons

(object

striking

person),

Cuts,

Contamin

ation,

Asphyxia,

Burns,

Electrocut

ion

Control/test of quality of training

(teachers as well as staff) -

Approval/certificate of quality

NA NA




Page 94 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Mismanageme

nt of

maintenance

alarms

Injury of

person

Maintenance procedures at depot

M

O O O O M 5.13.3 6.9 Provide maintenace

support : this function

is not safety related

but it could help

maintenance operator

to anticipate

equiqment failure and

avoid degraded modes

which can be accident

sources.

Clarify responsibility of

maintenance alarm between

dispatcher, OCC, Depot,

Maintenance Crew

NA NA

7.1.2 Disregard of

safety regulations

Insufficient

supervision of

adherence of

safety

regulations

Impact on

persons

(object

striking

person),

Cuts,

Contamin

ation,

Asphyxiati

on, Burns,

Electrocut

ion


e

Ensure adherence to safety

regulations by regular and strict

supervision

M




but it could help


to anticipate




sources.

Stress/ work

overload

Impact on

persons

(object

striking

person),

Cuts,

Contamin

ation,

Asphyxiati

on, Burns,

Electrocut

ion

Establish procedures to cope

with stress or work overload

NA NA

Mismanageme

nt of

maintenance

alarms

Injury of

person


M




but it could help


to anticipate




sources.




Page 95 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)




Maintenance Crew

NA NA

7.1.3 Insufficient

lighting

Faulty design Fall of

person,

Electrocut

ion,

Object

striking

person


ble

Supervise Intrusion Detection /

Avoidance System - This function

is intended to supervise the

intrusion detection / avoidance

system. Such system covers the

protection of areas in which

passengers are not permitted

e.g. the track.

M

O O O M M 5.9.1 6.9 This function (6.9) is

not safety related but it

could help


to anticipate




sources. Protect staff

in with a guide way .

7.2 Electrocution /

lightning7.2.1 Staff too close to

power supply 7.2.1.1 Improvidence by

staff

Insufficient

training or

badly

educated staff

Electrocut

ion, Burns

Critical Occasional 1 Intolerabl

e

Ensure correct education and

training for staff

NA NA


culture to ensure that it is for the

good of employee and company

to work correct and thoughtful

NA NA

Stress / work

overload

Electrocut

ion, Burns



NA NA

7.2.1.2 Staff on guideway

procedures /

behaviour

Insufficient

training or

badly

educated staff

Electrocut

ion, Burns


e


training for staff

NA NA

Stress / work

overload

Electrocut

ion, Burns



NA NA

Faulty design

of guideway

i.e. too little

protection of

electronic

components

Electrocut

ion, Burns


guideway to protect staff and

provide sufficient room for

maintenance works

NA NA




Page 96 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

procedures

Electrocut

ion, Burns

Establish clear and

understandable maintenance

procedures

M




but it could help


to anticipate




sources.

Disregard of

maintenance

procedures

Electrocut

ion, Burns



NA NA

7.2.1.3 Faulty power

shutdown

Incorrect

maintenance

procedures

Electrocut

ion, Burns


ble

Establish clear and


procedures

M




but it could help


to anticipate




sources.

Disregard of

maintenance

procedures

Electrocut

ion, Burns



Insufficient

training or

badly

educated staff

Electrocut

ion, Burns


training for staff

NA NA

Stress / work

overload

Electrocut

ion, Burns



NA NA

Communicatio

n problem

between staff

Electrocut

ion, Burns

Ensure communication

procedures to avoid

misunderstandings

M

M M M M M 5.9.2 6.6 Provide NON VITAL

communication with

staff. This function is

not safety function but

it could help the

operator to enforce

procedure respect.

Incorrect

design of

power supply

Electrocut

ion, Burns


power supply system to prevent

faulty power shutdown

NA NA

7.2.2 Short circuits

7.2.2.1 Equipment

insulation failure

Faulty design

of insulation

equipment

insulation

Electrocut

ion, Burns


ble


insulation of equipmentT

M M M M M 5.7.1 5.1.4.4. Establish a protection

zone




Page 97 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

on insulation

of equipment

Electrocut

ion, Burns



insulation

M




but it could help


to anticipate




sources.

7.3 Staff endangered

by moving train

7.3.1 Insufficient

information about

maintenance on

track

Insufficient

communicatio

n between

staff

Severe

injury of

person


e

Provide communication with staff -


provide voice and data

communication notably between

staff fulfilling different functions

for operation and maintenance. M


communication with



it could help the

operator to enforce

procedure respect.

Insufficient

maintenance

procedures

Severe

injury of

person

Establish clear and


procedures

M


support :this function


but it could help


to anticipate




sources.

Disregard of

maintenance

procedures

Severe

injury of

person



NA NA




Page 98 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Mismanageme

nt of

maintenance

alarms

Injury of

person


M




but it could help


to anticipate




sources.




Maintenance Crew

NA NA

7.3.2 Insufficient

warning to track

workers

Insufficient

communicatio

n between

staff

Severe

injury of

person


e

Provide communication with staff -


provide voice and data

communication notably between

staff fulfilling different functions

for operation and maintenance. M


communication with



it could help the

operator to enforce

procedure respect.

Insufficient

warning

system

Severe

injury of

person

Establish warning system

M




but it could help


to anticipate




sources.

Insufficient

maintenance

procedures

Severe

injury of

person

Establish clear and


procedures

M




but it could help


to anticipate




sources.




Page 99 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Disregard of

maintenance

procedures

Severe

injury of

person



M




but it could help


to anticipate




sources.

7.3.3 Risky behaviour Insufficient

maintenance

procedures

Severe

injury of

person


e

Establish clear and


procedures

M

O M M M M 5.13.2 6.9 Interface for recording

information for

maintenace purpose :

this function is not

safety related but it

could help


to anticipate




sources.

Disregard of

maintenance

procedures

Severe

injury of

person



NA NA

Insufficient

training or

badly

educated staff

Severe

injury of

person


training for staff

NA NA

Stress / work

overload

Severe

injury of

person



NA NA

7.3.4 Insufficient

training

Bad company

management

Severe

injury of

person


ble


culture to ensure the importance

of safety (i.e. safety at work)

NA NA

Ensure regular and adequate

training coordinated for each

individual working group or

department

NA NA

Lazy workers Severe

injury of

person

Employ staff which is willing to

learn

NA NA

Unqualified

tutors

Severe

injury of

person

Control/test of quality of training

(teachers as well as staff) -

Approval/certificate of quality

NA NA




Page 100 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7.4 Obstacles on

guideway or

walkway

Provide "fisrst train procedure"

for cleareance of track before

starting operation

P




but it could help


to anticipate




sources.

7.4.1 Fallen tree,

branches, crane

Environmental

forces

Injury of

member

of

maintena

nce crew


ble

Correct initial design of guideway

and walkways considering the

possibility of fallen trees, braches

or cranes (e.g. installation of

precautions - protection against

environmental forces)

NA NA

Supervision of guideway,

walkway and adjacent area and

eventual warning of maintenance

crew

M

O O O M M 5.9.1 6.9 This function (6.9) is


could help


to anticipate





in with a guide way .

7.4.2 Fallen from bridge Incorrect

design of

bridges

Injury of

member

of

maintena

nce crew


ble

Correct initial design of bridge


fallen objects from bridge (e.g.

installation of precautions like

fences or barriers on bridge)

NA NA




crew

M

O O O M M 5.9.1 6.9 This function(6.9) is


could help


to anticipate





with a guide way.




Page 101 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of bridges

Injury of

member

of

maintena

nce crew


maintenance works on bridge

M



could help


to anticipate





with a guide way.




crew

M



could help


to anticipate





with a guide way.

7.4.3 Blown by wind Insufficient

installation of

precautions

against

obstacles

blown on

guideway

Injury of

member

of

maintena

nce crew


ble

Correct initial design of guideway

and walkways considering the

possibility of objects might be

blown on guideway or walkway

(e.g. installation of precautions

like fences or barriers on guide

and walkway)

NA NA




crew

M



could help


to anticipate





with a guide way.

7.4.4 Guideway

structural failure

Faulty design

of guideway

Injury of

member

of

maintena

nce crew


ble


guideways

NA NA




Page 102 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)




crew

O O O O M 5.13.3 6.9 This function(6.9) is


could help


to anticipate





with a guide way.

Incorrect

maintenance

on guideway

Injury of

member

of

maintena

nce crew


maintenance on guideway

M



could help


to anticipate





with a guide way.




crew

M

O O O O M 5.13.3 6.9 This function(6.9) is


could help


to anticipate





with a guide way.

Environmental

forces like

earthquakes

Injury of

member

of

maintena

nce crew


guideways considering the

possibility of earthquakes

NA NA




crew

M

O O O O M 5.13.3 6.9 This function is not

safety related but it

could help


to anticipate




sources.




Page 103 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7.4.5 Faulty design Insufficient

training or

badly

educated staff

Injury of

member

of

maintena

nce crew


ble


training for staff

NA NA

Insufficient

quality

management

procedures

Injury of

member

of

maintena

nce crew

Ensure adequate quality

management procedures

NA NA

7.4.6 Infrastructure

failure

Faulty design

of

infrastructure

Injury of

member

of

maintena

nce crew


ble


infrastructure

NA NA




crew

M




but it could help


to anticipate




sources.

Incorrect

maintenance

on

infrastructure

Injury of

member

of

maintena

nce crew


maintenance on infrastructure

M




but it could help


to anticipate




sources.




crew

M




but it could help


to anticipate




sources.

Environmental

forces like

earthquakes

Injury of

member

of

maintena

nce crew


infrastructure considering the

possibility of earthquakes

NA NA




Page 104 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)




crew

M




but it could help


to anticipate




sources.

7.4.7 Forgotten/ non

orderly left after

maintenance

Insufficient

maintenance

procedures

Injury of

member

of

maintena

nce crew


e

Establish clear and


procedures

NA NA

Disregard of

maintenance

procedures

Injury of

member

of

maintena

nce crew



M




but it could help


to anticipate




sources.

Insufficient

training or

badly

educated staff

Injury of

member

of

maintena

nce crew


training for staff

NA NA

Stress / work

overload

Injury of

member

of

maintena

nce crew



NA NA

7.4.8 Forgotten/ non

orderly left after

evacuation

Insufficient

evacuation

procedures

Injury of

member

of

maintena

nce crew


e

Establish clear and

understandable evacuation

procedures T

O O O O O 5.7.6 5.6. Ensure detection and

management of

emergency situations




Page 105 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Disregard of

evacuation

procedures

Injury of

member

of

maintena

nce crew


evacuation procedures

P




but it could help


to anticipate




sources.

Insufficient

training or

badly

educated staff

Injury of

member

of

maintena

nce crew


training for staff

NA NA

Stress / work

overload

Injury of

member

of

maintena

nce crew


with stress or work overload -

especially for evacuation cases

NA NA

7.4.9 Vandalism Faulty design

of guideway

and walk way -

disrespect of

possibility of

vandalism

Injury of

member

of

maintena

nce crew


e


considering security aspects and

potential vandalism

NA NA

Insufficient

supervision of

guideway and

walkways

Injury of

member

of

maintena

nce crew

Supervision of guideway and

walkway (personnel or CCTV)

T

O O O M M 5.9.1 5.3.3 Protect staff in the

guideway

Insufficient

removal or

cleaning of old

damages from

vandalism

Injury of

member

of

maintena

nce crew

Remove immediately all

damages of vandalism

NA NA

7.4.10 Corrosion/oxidatio

n of wayside

structures

equipment

Faulty design Injury of

member

of

maintena

nce crew


ble


considering potential corrosion or

oxidation

NA NA




Page 106 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

Injury of

member

of

maintena

nce crew


maintenance

M




but it could help


to anticipate




sources.

9.2.1 Flooding Faulty design

i.e. insufficient

precautions

against

flooding

Injury of

member

of

maintena

nce crew


ble



flooding i.e. installation of

flooding precautions

NA NA

Supervision of surrounding area

M




but it could help


to anticipate




sources.

Insufficient

maintenance

of guideways

and flooding

precautions

Injury of

member

of

maintena

nce crew


maintenance of guideways,

walkways and flooding

precautions

M




but it could help


to anticipate




sources.

Supervision of surrounding area

M




but it could help


to anticipate




sources.

7.5 Explosion during

maintenance




Page 107 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


maintenance

procedures

Explosion Critical Probable 1 Intolerabl

e

Establish clear and


procedures

M


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

maintenance

procedures

Explosion Supervise adherence of


NA NA

Insufficient

training or

badly

educated staff

Explosion Ensure correct education and

training for staff

NA NA

Stress / work

overload

Explosion Establish procedures to cope


NA NA


security

precautions

(e.g. not

enough

security

personnel or

technical

supervision)

Explosion Critical Occasional 1 Undesira

ble

Design of railway

equipment/building/constructions


(security aspect)

P


communication with



it could help the

operator to enforce

procedure respect.


M




but it could help


to anticipate




sources.


improper design

Insufficient

procedures or

guidelines for

design

Explosion Critical Remote 1 Undesira

ble

Establish clear and

understandable procedures and

guidelines for planning and

designP


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures or

guidelines


procedures and guidelines

NA NA

Insufficient

training or

badly

educated staff


training for staff

NA NA

Stress / work

overload



NA NA




Page 108 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7.5.4 Inadequate

storage

Faulty design

of storage

equipment

Explosion Critical Occasional 1 Undesira

ble


railway equipment considering

adequate storage possibilities

NA NA

Insufficient

procedures

regarding

storage

Explosion Establish clear and

understandable procedures and

guidelines for planning and

designP


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures for

storage


procedures for storage

NA NA

Insufficient

training or

badly

educated staff


training for staff

NA NA

Stress / work

overload



NA NA

7.6 Fire during

maintenance7.6.1 Explosion during

maintenance

Communication with staff

including maintenance staff

P


communication with



it could help the

operator to enforce

procedure respect.

7.6.2 Inflammable

material

Insufficient

procedures

regarding the

use of

inflammable

material

Fire Critical Remote 1 Undesira

ble

Establish clear and

understandable procedures for

the use of inflammable material

P


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures for

the use of

inflammable

material

Fire Supervise adherence of


NA NA

Insufficient

training or

badly

educated staff

Fire Ensure correct education and

training for staff

NA NA

Stress / work

overload

Fire Establish procedures to cope


NA NA




Page 109 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7.6.3 Ignition Insufficient

procedures

regarding the

ignition of fire


ble

Establish clear and

understandable procedures

regarding the potential of ignition

P


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures for

the use of

inflammable

material



NA NA

Insufficient

training or

badly

educated staff


training for staff

NA NA

Stress / work

overload



NA NA

7.6.4 Unobstructed

spread of fire

Insufficient

procedures

regarding

unobstructed

speed of fire


ble

Establish clear and


regarding the potential of

unobstructed spread of fire


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures

regarding fire

protection



NA NA

Insufficient

training or

badly

educated staff


training for staff

NA NA

Stress / work

overload



NA NA

7.7 Asphyxiation/

poisoning7.7.1 Smoke Insufficient

procedures

regarding the

danger of

smoke

Asphyxiati

on;

Contamin

ation


ble

Establish clear and


regarding the dangerous

potential of smokeP


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures

regarding

smoke

Asphyxiati

on;

Contamin

ation



NA NA

Insufficient

training or

badly

educated staff

Asphyxiati

on;

Contamin

ation


training for staff

NA NA




Page 110 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Stress / work

overload

Asphyxiati

on;

Contamin

ation



NA NA

7.7.2 Air renewal failure Insufficient

procedures

regarding the

maintenance

of air renewal

system

Asphyxiati

on;

Contamin

ation


ble

Establish clear and


regarding the maintenance of the

air renewal system P


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures

regarding the

maintenance

of air renewal

system

Asphyxiati

on;

Contamin

ation



NA NA

Insufficient

training or

badly

educated staff

Asphyxiati

on;

Contamin

ation


training for staff

NA NA

Stress / work

overload

Asphyxiati

on;

Contamin

ation



NA NA

7.7.3 Toxic release

7.7.3.2 Smoke Insufficient

procedures

regarding the

danger of

smoke

Asphyxiati

on;

Contamin

ation


ble

Establish clear and


regarding the dangerous

potential of smoke - especially

regarding toxic releases

P


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures

regarding

smoke

Asphyxiati

on;

Contamin

ation



NA NA

Insufficient

training or

badly

educated staff

Asphyxiati

on;

Contamin

ation


training for staff

NA NA

Stress / work

overload

Asphyxiati

on;

Contamin

ation



NA NA

7.7.3.3 Toxic elements Insufficient

procedures

regarding toxic

elements

Asphyxiati

on;

Contamin

ation


ble

Establish clear and


regarding toxic elements

P


communication with



it could help the

operator to enforce

procedure respect.




Page 111 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Disregard of

procedures

regarding toxic

elements

Asphyxiati

on;

Contamin

ation



NA NA

Insufficient

training or

badly

educated staff

Asphyxiati

on;

Contamin

ation


training for staff

NA NA

Stress / work

overload

Asphyxiati

on;

Contamin

ation



NA NA

7.7.3.4 Noxious leakage

by maintenance

Insufficient

procedures

regarding

maintenance

on pipe works

Asphyxiati

on;

Contamin

ation


ble

Establish clear and


regarding toxic elements e.g. the

maintenance on pipe works M


communication with



it could help the

operator to enforce

procedure respect.

Disregard of

procedures

regarding

maintenance

on pipe works

Asphyxiati

on;

Contamin

ation



NA NA

Insufficient

training or

badly

educated staff

Asphyxiati

on;

Contamin

ation


training for staff

NA NA

Stress / work

overload

Asphyxiati

on;

Contamin

ation



NA NA

7.8 Inappropriate

temperature

M


communication with



it could help the

operator to enforce

procedure respect.


of air renewal

system

Suffocatio

n


ble

Ensure correct initial design of air

renewal system

NA NA

Incorrect

maintenance

of air renewal

system

Suffocatio

n



system

M




but it could help


to anticipate




sources.




Page 112 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

7.9 Staff in danger

cannot escape

guidewayM


communication with



it could help the

operator to enforce

procedure respect.

7.9.1 Insufficient/

obstructed

emergency

walkway

Faulty design

of emergency

walkway

Severe

injury of

person


ble


emergency walkways

NA NA

Incorrect

maintenance

of emergency

walkway

Severe

injury of

person


maintenance of emergency

walkways

M




but it could help


to anticipate




sources.

Obstacles on

guideway or

walkway

NA NA

7.9.2 Emergency exits/

access protection

closed

Faulty design

of emergency

exits or

accesses

Severe

injury of

person


ble


emergency exits and accesses

NA NA

Incorrect

maintenance

of emergency

exits or

accesses

Severe

injury of

person


maintenance of emergency exits

and accesses

M




but it could help


to anticipate




sources.

7.9.3 Captured by

broken down

structures, fires

etc.

Faulty design

of guideway

Severe

injury of

person


ble


guideway

NA NA




Page 113 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Incorrect

maintenance

of guideway

Severe

injury of

person


maintenance on guideway

M




but it could help


to anticipate




sources.

7.10 Radiation

M


communication with



it could help the

operator to enforce

procedure respect.


equipment

Faulty design

of equipment

e.g. train,

buildings ..

Burns,

Suffocatio

n


ble


equipment considering the


NA NA

Incorrect

maintenance

on equipment

e.g. Trains,

buildings

Burns,

Suffocatio

n


maintenance on equipment


radiation

M

NA NA

7.10.2 Foreign radiation Faulty design

of vehicle,

buildings,

surrounding

facilities e.g.

insufficient

precaution

Burns,

Suffocatio

n


ble


radiation and strong fields

NA NA



NA NA

7.11 Staff caught

M


communication with



it could help the

operator to enforce

procedure respect.

7.11.1 in machinery Faulty design

of machinery

Cuts,

Burns,

Electrocut

ion,

Contamin

ations


ble


machinery

NA NA

Insufficient

procedures

regarding

correct use of

machinery

Cuts,

Burns,

Electrocut

ion,

Contamin

ations

Establish clear and


regarding the use of machinery

NA NA




Page 114 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Disregard of

procedures

regarding use

of machinery

Cuts,

Burns,

Electrocut

ion,

Contamin

ations



NA NA

Insufficient

training or

badly

educated staff

Cuts,

Burns,

Electrocut

ion,

Contamin

ations


training for staff

NA NA

Stress / work

overload

Cuts,

Burns,

Electrocut

ion,

Contamin

ations



NA NA

7.11.2 in moving

equipment

(switch,…)

Faulty design

of moving

equipment

Cuts,

Suffocatio

n


ble


moving equipment

NA NA

Insufficient

procedures

regarding

correct use

and handling

of moving

equipment

Cuts,

Suffocatio

n

Establish clear and


regarding the use moving

equipment

P




but it could help


to anticipate




sources.

Disregard of

procedures

Cuts,

Suffocatio

n



NA NA

Insufficient

training or

badly

educated staff

Cuts,

Suffocatio

n


training for staff

NA NA

Stress / work

overload

Cuts,

Suffocatio

n



NA NA




Page 115 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8 Emergency and

Evacuation

Hazards8.1 People hit by train:

involved track,

adjacent track

8.1.1 Evacuation not

signalled

Geographical/

structural

circumstances

(i.e. potential

evacuation

behind

bridges, turns

etc)

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


e


P

O O O O M 5.7.6 N/A Non functional


and training

This function is



Such system covers

the protection of


which they are not

normally permitted.

No signalling

signs available

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.

8.1.2 OCC failure Communicatio

n system

failure (i.e.

OCC has only

insufficient or

wrong

information)

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


e


P

O O O O M 5.7.6 6,7 Non functional


and training

This function is



Such system covers

the protection of


which they are not

normally permitted.




Page 116 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Provide communication with staff

P

M M M M M 5.9.2 6,6 Provide

communication with

staff

This function is

intended to provide

voice and data

communication

between staff fulfilling

different functions for

operation and

maintenance.

Stress / work

overload for

staff

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.



N/A N/A

Insufficient

rules or

procedures

regarding

emergency

cases and

evacuation

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.

Establish clear and

understandable procedures for

emergency and evacuation casesP



and training

Disregard of

evacuation

and

emergency

procedures

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


emergency and evacuation

procedures

P



and training




Page 117 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.1.3 Undetected

passengers by

evacuation

Communicatio

n problems or

failures (i.e.

staff has only

insufficient or

wrong

information)

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


e


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.


P

M M M M M 5.9.2 6,6 Non functional


and training

This function is

intended to provide

voice and data

communication

Stress / work

overload for

staff

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.


with stress or work overloadP

N/A N/A

Darkness Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.




Page 118 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Geographical /

structural

demanding

area

Derail-

ment,

Collision,

Objects

striking

person,

Fall of

person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.

8.1.4 Passenger

trapped in

equipment8.1.4.1 Caught by a

moving switch

No evacuation

area defined

by OCC

Trapping

of person

Critical Occasional 1 Undisera

ble


P



and training

This function is


Insufficient

rules and

procedures for

emergency

cases and

evacuation to

guide a

structured

evacuation -

Passenger

leaving

accident site

Trapping

of person


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.

Ensure rules and procedures for

emergency cases and evacuation P



and training

8.1.4.2 Person jammed in

lift or escalator

No evacuation

area defined

by OCC - Lift

and escalators

continue

operation

during

evacuation or

emergency

case

Trapping

of person


ble


P

O O O O M 5.7.6 6,8 Non functional


and training

This function is



Such system covers

the protection of


which they are not

normally permitted.




Page 119 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Insufficient

rules and

procedures for

emergency

cases and

evacuation to

guide a

structured

evacuation

Trapping

of person

Ensure rules and procedures for

emergency cases and evacuation

P

N/A 6,8 Non functional


and training

8.1.4.3 Passenger

trapped in doors

(limb of

passenger,

clothes, bags,

other objects from

passenger, leash)

Untimely or

wrong train

door closing

command

Trapping

of person


ble

Manage (or command) Train

Doors

T

O O O O M 5.6.2.1 5.4.1.4 Safety function

This function is


train doors.

8.1.4.4 Person jammed in

swing door or

track access door

Untimely

swing door or

track access

door

command

Trapping

of person


ble

Manage swing doors or track

access doors in case of

emergency P

N/A 5.4.1.4 Safety function

8.1.5 Inappropriate

emergency egress

8.1.5.1 Emergency egress

blocked

Faulty design Passenge

r hit by

train


e


P



and training

This function is



Such system covers Ensure correct initial design of

emergency egresses

N/A N/A

Blocked by

construction

site

Passenge

r hit by

train


P



and training

This function is


Ensure correct planning of

construction sites

N/A N/A

Blocked due

to

environmental

forces (snow,

obstacles

blown by wind

..)

Passenge

r hit by

train


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.




Page 120 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Ensure correct design of

infrastructure

N/A N/A


not appropriated

maintenance

(rusted...)

Insufficient

procedures

regarding

correct

maintenance

Passenge

r hit by

train


e


P



and training

This function is



Such system covers

the protection of

passengers in areas in Establish clear and


regarding correct maintenance



and training

Disregard of

maintenance

procedures

Passenge

r hit by

train


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.



N/A N/A

Insufficient

training or

badly

educated staff

Passenge

r hit by

train


P



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.


training for staff



and training

Stress / work

overload

Passenge

r hit by

train


P



and training

This function is





Page 121 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)





and training


inappropriate

signed

Faulty design

of emergency

egress signs

Passenge

r hit by

train


e


P



and training

This function is



emergency egresses - especially

signing

N/A N/A

Signs are

missing due to

vandalism

Passenge

r hit by

train


P



and training

This function is



signs - protection against

vandalism

N/A N/A

Supervision of infrastructure N/A N/A

Signs are

missing due

environmental

forces i.e.

extreme wind

Passenge

r hit by

train


M



and training

This function is

intended to supervise Ensure correct initial design of

signs - protection against

environmental forces

N/A N/A

Signs are

blocked by

construction

site

Passenge

r hit by

train


P



and training

This function is


Ensure correct planning of

construction sites

N/A N/A

8.1.6 Inadequate

walkway8.1.6.1 Missing walkway Faulty design

of

infrastructure

Passenge

r hit by

train


ble


P



and training

This function is



infrastructure: including

emergency walkways

N/A N/A




Page 122 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.1.6.2 Obstructed

walkway

Faulty design

of walkways

Passenge

r hit by

train


e


P



and training

This function is


passenger evacuation. Ensure correct initial design of

walkways

N/A N/A

Incorrect

maintenance

of walkways

Passenge

r hit by

train


P



and training

This function is



maintenance of walkwaysM

N/A N/A

Obstruction

due to

environmental

forces e.g.

snow, object

blown by wind

Passenge

r hit by

train


P



and training

This function is



walkways

N/A N/A

Obstruction

due to

vandalism

Passenge

r hit by

train


P



and training

This function is



walkways

N/A N/A

8.1.6.3 Important gap

from walkway to

platform

Faulty design

of walkway

Passenge

r hit by

train


e


P



and training

This function is



walkways

N/A

8.1.6.4 Walkway on the

other side of the

access door

Faulty design

of walkways

Passenge

r hit by

train


e


P



and training

This function is



walkways

N/A

8.1.6.5 Inadequate size /

arrangement

Faulty design

of walkways

Passenge

r hit by

train


e


P



and training

This function is



walkways

N/A N/A




Page 123 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.1.6.6 Walkway opposed

to the platform

Faulty design

of walkways

Passenge

r hit by

train


e


P



and training

This function is



walkways

N/A N/A

8.1.6.7 Handrail failure Faulty design

of walkways

i.e. handrail

Passenge

r hit by

train


e


P



and training

This function is



walkways

N/A N/A

Incorrect

maintenance

of walkways

i.e. handrail

Passenge

r hit by

train


M



and training

This function is



Such system covers

the protection of


which they are not

normally permitted.


maintenance of walkways

N/A N/A


lighting on

walkway

Faulty design

of walkways

i.e. lightning

on walkways

Passenge

r hit by

train


ble


M



and training

This function is



walkways

N/A N/A

Incorrect

maintenance

of walkways

i.e. lightning

on walkways

Passenge

r hit by

train


M



and training

This function is


passenger evacuation. Ensure correct inspection and

maintenance of walkways

N/A N/A

8.1.7 Passenger

trapped in train

Untimely or no

door closing

Fall of

person

inside

train


ble


P



and training

This function is





Page 124 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Manage (or command) Train

Doors

T

O O O O M 5.6.2.1 N/A Safety function

This function is

intended to manage

(or command) train

doors.Provide communication with staff

P

M M M M M 5.9.2 N/A Safety function

This function is

intended to provide

voice data

communication

notably between staff

fulfilling different Insufficient

emergency

egress on

train

Fall of

person

inside

train


P



and training

This function is



P


This function is

intended to provide

voice data

communication

notably between staff Installation of emergency egress

on windows and doors

N/A N/A

8.2 Burn / fire

8.2.1 Undetected

passengers by

evacuation8.2.1.6 Panic / rush /

hustle

Inadequate

evacuation

procedures

Burns,

Asphyxiati

on,

Suffocatio

n


e


P



and training

This function is


Supervise Infrastructure

T


This function is

intended to provide



inform the OCC



actions on critical Establish clear and easy-

understandable emergency and

evacuation procedures P

N/A 5.6.1 Non functional


and training




Page 125 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Inappropriate

emergency

egress

Burns,

Asphyxiati

on,

Suffocatio

n


emergency exists and accesses.

T

N/A N/A

Inadequate

walkway

Burns,

Asphyxiati

on,

Suffocatio

n


emergency walkways.

T

N/A N/A

8.2.2 Passenger

trapped in train

Untimely or no

door opening

Burns,

Asphyxiati

on,

Suffocatio

n


e


P



and training

This function is



Such system covers

the protection of Manage (or command) Train

Doors

T

O O O O M 5.6.2.1 N/A Safety function

This function is

intended to manage

(or command) train

doors.Provide communication with staff

P

M M M M M 5.9.2 N/A Provide

communication with

staff

This function is

intended to provide

voice data

communication Supervise other safety related

inputs

P


This function is


the detection of

hazardous situations Supervise Infrastructure

T


This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.




Page 126 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Insufficient

emergency

egress on

train

Burns,

Asphyxiati

on,

Suffocatio

n


P



and training

This function is


passenger evacuation. Provide communication with staff

P

M M M M M 5.9.2 N/A Provide

communication with

staff

This function is

intended to provide

voice data Installation of emergency egress

on windows and doors

N/A N/A


inputs

P


This function is


the detection of


T


This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.

8.2.3 Passenger

trapped in

equipment

Any reason Burns,

Asphyxiati

on,

Suffocatio

n


e


train equipment

T

N/A N/A

8.2.4 Inappropriate

emergency egress

Faulty design Burns,

Asphyxiati

on,

Suffocatio

n


e


emergency egress

T

N/A N/A

Inappropriate

emergency

and

evacuation

procedures

Burns,

Asphyxiati

on,

Suffocatio

n

Emergency and evacuation

procedures

P

N/A N/A




Page 127 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.2.5 Train enters

section with fire in

progress

wrong

operational

decision /

failure of

communicatio

n OCC - Train

Burns,

Asphyxiati

on,

Suffocatio

n


e


T


This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P

M M M M M 5.9.2 5.6.1 Provide

communication with

staff

This function is

intended to provide

voice data

communication

notably between staff

fulfilling different

functions for operation

or maintenance.


protection PM M M M M 5.3.5 5.6.1 Safety function




equipment i.e. smoke detectorsM

N/A N/A

Establish clear and




P

N/A N/A




Page 128 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.2.6 Train stops at

station with fire in

progress

wrong

operational

decision /

failure of

communicatio

n OCC - Train

Burns,

Asphyxiati

on,

Suffocatio

n


e


T


This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P

M M M M M 5.9.2 5.6.1 Provide

communication with

staff

This function is

intended to provide

voice data Installation of fire and smoke

protectionP





equipment i.e. smoke detectors

M

N/A N/A

Establish clear and




P

N/A N/A

8.3 Asphyxiation /

toxication8.3.1 Smoke Fire Burns,

Asphyxiati

on,

Suffocatio

n


e


inputs

T


This function is


the detection of


by external detectors.




Page 129 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


P

M M M M M 5.3.5 5.6.1 Non functional


and training

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P

O O O O M 5.7.6 5.6.1 Non functional


and training

This function is


passenger evacuation. 8.3.2 Air renewal failure System

damaged due

to accident

Asphyxiati

on,

Suffocatio

n


e


inputs

T


This function is


the detection of


by external detectors.Supervise Infrastructure

P

M M M M M 5.3.5 N/A Non functional


and training

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P



and training

This function is






Page 130 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.3.3 Toxic release Leakage e.g.

By freight

train, storage

Burns,

Asphyxiati

on,

Suffocatio

n


ble


inputs

P



and training

This function is


the detection of Supervise Infrastructure

P



and training

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.

Supervise Evacuation - This


passenger evacuation. Such

system covers the protection of

passengers in areas in which

they are not normally permitted.

P



and training

Ensure evacuation procedures

regarding toxic materialP

N/A N/A

8.4 Electrocution /

lightning8.4.1 Persons too close

to equipment for

power supply

Inadequate

evacuation

procedures

Electrocut

ion, Burns


e


P



and training

This function is


Establish clear and easy-



P

N/A N/A

Supervise traction power supply P


Doors open on

wrong side off

train

Electrocut

ion, Burns


P



and training

This function is





Page 131 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.4.2 Power shutdown

failure

No

communicatio

n to OCC

Electrocut

ion, Burns


e


P



and training

This function is


passenger evacuation. Incorrect cut-

off of power

supply rail

during

evacuation

(wrong section

is cut-off) ,

misunderstand

ing,

communicatio

n problems

Electrocut

ion, Burns

Education/ Training of staff

P



and training

Supervise traction power supply P

N/A N/A

Reinjection of

braking

current while

track section

was cut-off

power (during

passenger

evacuation)

Electrocut

ion, Burns




P



and training

Prevent regenerative braking on

all trains that could feed a

traction power supply section that

has been cut off for passengers

or staff protection

P



and training

8.4.3 Short circuits Electronical

equipment

damaged due

to accident

Electrocut

ion, Burns


ble



evacuation proceduresP

N/A N/A

Protect highly critical electronic

equipment even against

accidents

P

M M M M M 5.3.5 N/A

8.4.4 Electrical

equipment

abnormally

accessible

Equipment

damaged by

accident

Electrocut

ion, Burns


ble



evacuation proceduresP

N/A N/A

Protect highly critical electronic

equipment even against

accidentsP


requirement.

8.5 Explosion during

evacuation


ble


inputs

P


This function is


the detection of




Page 132 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)


P


This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P



and training

This function is


8.6 Inappropriate

temperature

N/A

8.6.1 Air renewal failure Any reason Asphyxiati

on,

Suffocatio

n


e


P

N/A Safety function

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.

8.6.2 Explosion during

evacuation


ble


inputs

P


This function is


the detection of 8.6.3 Burns/fire Any reason Fire Catastrophic Occasional 1 Intolerabl

e


inputs

P


This function is


the detection of




Page 133 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.7 Radiation Any reason Burns,

Suffocatio

n


ble


P

Safety function

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.

8.8 Drowning Any reason,

flooding

Drowning,

Suffocatio

n


e


inputs

P


This function is


the detection of


by external detectors.Supervise Infrastructure

P

Safety function

This function is

intended to provide



inform the OCC



actions on critical


components of the

signalling system,

pumps, fans and

escalators.


P



and training

This function is





P

N/A

8.9 Person hurt during

evacuation

(others)

8.9.1 Passenger fall




Page 134 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.9.1.1 Slippery floor Water or

chemicals due

to flooding or

fire-fighters

Fall of

person


e


P



and training

This function is



Such system covers Establish clear and easy-


evacuation procedures (in order

to prevent further damage)

P

N/A

8.9.1.2 Slope (of platform,

rescue walkway, )

Platform or

walkway hit by

train cars

Fall of

person


ble


P



and training

This function is


passenger evacuation. Establish clear and easy-




P

N/A Non functional


and training

8.9.1.3 Unadjusted

levelling at lift

enter/exit (small

step)

Lift got hit e.g.

by train cars,

obstacles

Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training


lighting8.9.1.4.1 System

breakdown/default

Any reason Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training

Design and installation of

emergency power system

N/A

8.9.1.4.2 Insufficient

lighting level

Any reason Fall of

person


ble

Supervise Evacuation - This


passenger evacuation. Such

system covers the protection of

passengers in areas in which

they are not normally permitted.

P



and training





P

N/A




Page 135 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

Design and installation of

emergency power systemP

N/A

8.9.1.5 Train movement

during evacuation

No evacuation

area defined

Fall of

person


e


P



and training

This function is


passenger evacuation. Establish clear and easy-




P

8.9.1.7 Obstacles

8.9.1.7.1 Obstacles on

guideway or

walkway

Any reason

(e.g.: train

cars,

equipment of

fire-fighters)

Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training

8.9.1.7.2 Obstacles in the

train

Any reason

(e.g.: Lifeless

bodies, Fallen

or broken

objects)

Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training

8.9.1.7.3 Obstacles in the

station

Any reason

(e.g.: fallen or

broken objects

e.g. part of

bridges, train

cars,

Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training

8.9.2 Passenger hit by

sharp / protruding

object

Any reason

(e.g.:

damaged train

cars, building

or bridges)

Fall of

person


ble


P



and training

This function is






P

N/A Non functional


and training




Page 136 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

8.9.3 Passenger caught

by moving switch

Inappropriate

emergency

and

evacuation

procedures

Person

struck /

Hurt by

object


ble


P



and training

This function is


Emergency and evacuation

proceduresP

N/A




Page 137 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

9

Environmental

Influences

9.1 Weather

conditions

(moderate)9.1.1 Anything (snow,

rain, leaves,

greasy material)

on guideway

Insufficient

maintenance

or clearance

of guideway

by crew

Derail-

ment


e


maintenance

M NA NA

Guideway heating T NA NA

Check of weather data P

Provide enough staff for

clearance works

P NA NA

9.1.2 Wind Inadequate

precaution

against wind

Person

Struck /

Hurt by

Object


ble

Consider wind force during


railway/metro system

T NA NA


in case of extreme wind

P NA NA

9.2 Force of nature

9.2.1 Flooding Insufficient

precautions

Derail-

ment,

Collision


e





sensors.


Insufficient

maintenance

of protection

constructions

Derail-

ment,

Collision


flooding gates

M NA NA



flooding

T NA NA

Insufficient

inspection and

maintenance

of flooding

protection

equipment

Derail-

ment,

Collision





sensors.


9.2.2 Environmental

impact on vehicle

(wind, gales)

Insufficient

precautions

Derail-

ment


e

Ensure appropriate system-

design regarding exceptional

environmental conditions

(extreme wind etc.)

T NA NA

Establish operational rules e.g.

speed reductions at critical areas

P NA NA

Insufficient

maintenance

(construction

work) on

protection

constructions

Derail-

ment


construction work on protection

constructions

M NA NA




Page 138 / 139


Safety Measures

1a 1b 2 3 4


Hazard Numbering


Type of

Accident

(primary)

Severity of


Risk

reduction


Remarks

Ref.

Modurban

D80

Ref. IEC

62290-2Risk

Category of Safety

Measure (T, P, M)

9.2.3 Avalanche /

landslide/ falling

stones

Insufficient

precautions to

protect track

Derail-

ment,

Collision


e





sensors.


Correct initial design considering

the possibility of avalanches or

falling stones

P NA NA

Insufficient

inspections of

track

Derail-

ment,

Collision





sensors.



maintenance on track

M NA NA


maintenance on flooding

protection equipment

M NA NA

9.2.4 Earthquake Inadequate

precaution

against

earthquakes

Person

Struck /

Hurt by

Object


e

Consider earthquakes during


railway/metro system

T NA NA


is case of forecasted earthquake

P NA NA

9.2.5 Stalactites in

tunnel

Insufficient

inspection of

tunnel

Derail-

ment,

Collision

Catastrophic Remote 1 Intolerabl

e





sensors.




M NA NA

Too much

water/humidity

in tunnel

Derail-

ment,

Collision





sensors.


Ensure correct initial tunnel

design considering water and

general humidity

T NA NA

9.2.6 Lightning Inadequate

precaution

against

lightning

Electrocut

ion


e





sensors.





Page 139 / 139

European Commission Seventh Framework programme MODSafe ...

Documents

Transcript of European Commission Seventh Framework programme MODSafe ...