
European Commission

Seventh Framework programme


MODSafe Modular Urban Transport Safety and Security Analysis

WP 4 - D4.2

Analysis of Safety Requirements for MODSafe Continuous Safety Measures and Functions
Reviewed by: WP 4 partners
Authors: WP 4 (support by VDV)
Document ID: DEL_D4.2_UITP_WP4_110121_V2.0
Date: 21.January 2011
Contract No: 218606

Doc name : Analysis of Safety Requirements for Public 06/01/2011


MODSafe Continuous Safety Measures and
Functions 2 of 120
ID : DEL_D4.2_UITP_WP4_110121_V2.0
Revision: WP4 partners
Contract No. 218606

Document type DEL

Version V2.0

Status Final

Date 21.January 2011

WP WP 4

Lead Author WP 4

Contributors WP 4 and external experts (VDV)


Description Analysis of safety requirements of MODSafe continuous safety measures and functions
Document ID DEL_D4.2_UITP_WP4_110121_V2.0

Dissemination level PU

Distribution MODSafe consortium

Document History:

Version  Date              Author                           Modification
V1.0     13.August 2010    WP 4                             New document
V1.1     10.December 2010  WP 4 and external experts (VDV)  Consideration of comments from LUL, RATP, VDV, Ansaldo, AREVA
V2.0     21.January 2011   WP 4                             Consideration of comments from R&B, RATP, Ansaldo, Bombardier

Approval:

Authority Name/Partner Date

WP responsible UITP (WP4 consensus of V1.1) 10/12/2010

EB members RATP (WP10 consensus of V2.0) 24/01/2011

Coordinator TRIT 25/01/2011

Table of contents

1 Summary of the document ................................................................................................. 12


2 Bibliography ........................................................................................................................ 13
3 Terms and abbreviations .................................................................................................... 14
3.1 Terms .................................................................................................................................... 14
3.2 Abbreviations......................................................................................................................... 16
4 System lifecycle and safety requirements ....................................................................... 18
5 Process for allocation of safety requirements ................................................................. 20
5.1 Description of the semi-quantitative MODURBAN process .................................................. 20
5.1.1 Risk parameter used in the method ...................................................................................... 20
5.1.2 Numerical interpretation of risk parameter ........................................................................... 21
5.1.3 Application of the method ..................................................................................................... 23
5.2 Description of the risk graph based method ......................................................................... 24
6 Mode of operation and grade of automation .................................................................... 26
6.1 Definition of mode of operation ............................................................................................. 26
6.2 Grade of automation ............................................................................................................. 28
6.2.1 Grade of automation 0 (GOA0): On-sight train operation ..................................................... 28
6.2.2 Grade of automation 1 (GOA1): Non-automated train operation ......................................... 28
6.2.3 Grade of automation 2 (GOA2): Semi-automated train operation ........................................ 31
6.2.4 Grade of automation 3 (GOA3): Driverless train operation .................................................. 32
6.2.5 Grade of automation 4 (GOA4): Unattended train operation................................................ 33
7 Functions to be analysed ................................................................................................... 33
7.1 Principle structure of basic functions for train operation ....................................................... 33
7.2 List of MODSafe safety functions .......................................................................................... 35
7.2.1 Ensure safe movement of trains ........................................................................................... 37
7.2.1.1 Ensure safe route .................................................................................................................. 37
7.2.1.2 Ensure safe separation of trains ........................................................................................... 38
7.2.1.3 Determine permitted speed ................................................................................................... 38
7.2.1.4 Authorise train movement ..................................................................................................... 39
7.2.1.5 Supervise train movement .................................................................................................... 40
7.2.2 Provide interface with external interlocking .......................................................................... 41

7.2.3 Supervise guideway .............................................................................................................. 41
7.2.3.1 Prevent collision with obstacles ............................................................................................ 41
7.2.3.2 Prevent collision with persons on tracks ............................................................................... 41
7.2.4 Protect staff on track ............................................................................................................. 42
7.2.5 Supervise passenger transfer ............................................................................................... 42
7.2.5.1 Control passenger doors ....................................................................................................... 42
7.2.5.2 Prevent person injuries between platform and train ............................................................. 43
7.2.5.3 Prevent person injuries between train cars ........................................................................... 43
7.2.5.4 Ensure safe starting conditions ............................................................................................. 44
7.2.6 Operate a train ...................................................................................................................... 44
7.2.6.1 Put in or take out of operation ............................................................................................... 44
7.2.6.2 Manage driving modes .......................................................................................................... 44
7.2.6.3 Manage movement of trains between two operational stops................................................ 45
7.2.6.4 Manage depot and stabling areas......................................................................................... 45
7.2.6.5 Manage UGTMS transition areas ......................................................................................... 45
7.2.6.6 Restrict train entry to station ................................................................................................. 45
7.2.6.7 Manage the platform or siding stopping position of the train ................................................ 46
7.2.6.8 Change the travel direction ................................................................................................... 46
7.2.6.9 Couple and split a train ......................................................................................................... 46
7.2.6.10 Supervise the status of the train ........................................................................................... 47
7.2.7 Ensure detection and management of emergency situations .............................................. 48
8 Allocation of safety integrity requirements ...................................................................... 49
9 Overview of results ............................................................................................................. 53
9.1 Table of safety requirements for MODSafe safety functions ................................................ 53
9.2 Conclusion............................................................................................................................. 60
10 Annex Allocation of safety requirements to MODSafe safety functions .................... 61
10.1 Ensure safe movement of trains ........................................................................................... 61
10.1.1 Ensure safe route ................................................................................................................. 61
10.1.1.1 Check route availability ......................................................................................................... 62
10.1.1.2 Set route ................................................................................................................................ 63
10.1.1.3 Supervise route ..................................................................................................................... 65
10.1.1.4 Supervise level crossing as secured..................................................................................... 66
10.1.1.5 Lock route ............................................................................................................................. 67

10.1.1.6 Release route ........................................................................................................................ 68
10.1.2 Ensure safe separation of trains ........................................................................................... 69
10.1.2.1 Initialise UGTMS reporting trains location............................................................................. 69
10.1.2.2 Determine train orientation .................................................................................................... 71
10.1.2.3 Determine actual train travel direction .................................................................................. 72
10.1.2.4 Determine train location ........................................................................................................ 73
10.1.2.5 Locate non reporting trains by track sections ....................................................................... 75
10.1.3 Determine permitted speed .................................................................................................. 76
10.1.3.1 Determine static speed profile .............................................................................................. 76
10.1.3.2 Determine temporary infrastructure speed restrictions ......................................................... 78
10.1.3.3 Determine permanent rolling stock speed restrictions .......................................................... 79
10.1.3.4 Determine temporary rolling stock speed restrictions ........................................................... 80
10.1.4 Authorise train movement ..................................................................................................... 80
10.1.4.1 Determine movement authority limit ..................................................................................... 80
10.1.4.2 Determine train protection profile .......................................................................................... 82
10.1.4.3 Authorise train movement by wayside signals ...................................................................... 85
10.1.4.4 Determine a zone of protection ............................................................................................. 88
10.1.4.5 Stopping a train en route ....................................................................................................... 89
10.1.4.6 Authorise the entry of non-operative UGTMS trains into UGTMS territory........................... 89
10.1.5 Supervise train movement .................................................................................................... 90
10.1.5.1 Determine actual train speed ................................................................................................ 90
10.1.5.2 Supervise safe train speed ................................................................................................... 92
10.1.5.3 Inhibit train stops ................................................................................................................... 94
10.1.5.4 Monitor speed limit at discrete location ................................................................................. 95
10.1.5.5 Supervise train rollaway ........................................................................................................ 96
10.1.5.6 Immobilisation of train ........................................................................................................... 96
10.1.5.7 Detect unauthorised movement of non-operative trains ....................................................... 96
10.1.5.8 React to unauthorised movement of non-operative trains .................................................... 97
10.1.5.9 Detect intruding unequipped train ......................................................................................... 98
10.1.6 Provide interface with external interlocking .......................................................................... 98
10.2 Drive train .............................................................................................................................. 99
10.3 Supervise guideway .............................................................................................................. 99
10.3.1 Prevent collision with obstacles ............................................................................................ 99

10.3.1.1 Supervise wayside obstacle detection device....................................................................... 99
10.3.1.2 Supervise onboard obstacle detection device ...................................................................... 99
10.3.2 Prevent collision with persons on tracks ............................................................................... 99
10.3.2.1 Warn passengers to stay away from the platform edge ....................................................... 99
10.3.2.2 React on emergency stop request from platforms ................................................................ 99
10.3.2.3 Supervise platform doors .................................................................................................... 100
10.3.2.4 Supervise platform tracks.................................................................................................... 102
10.3.2.5 Supervise border between platform tracks and other tracks .............................................. 102
10.3.2.6 Supervise platform end doors ............................................................................................. 102
10.3.3 Protect staff on track ........................................................................................................... 103
10.3.3.1 Protect staff on track ........................................................................................................... 103
10.4 Supervise passenger transfer ............................................................................................. 104
10.4.1 Control passenger doors .................................................................................................... 104
10.4.1.1 Authorise train doors opening ............................................................................................. 104
10.4.1.2 Command doors opening .................................................................................................... 107
10.4.1.3 Request doors closing......................................................................................................... 107
10.4.1.4 Supervise doors closing ...................................................................................................... 107
10.4.1.5 Supervise closed and locked status of train doors ............................................................. 108
10.4.2 Prevent person injuries between platform and train ........................................................... 109
10.4.2.1 Prevent person injuries between platform and train ........................................................... 109
10.4.2.2 Prevent person being trapped between platform screen doors and train ........................... 110
10.4.3 Prevent person injuries between train cars ........................................................................ 111
10.4.3.1 Prevent person injuries between train cars ......................................................................... 111
10.4.4 Ensure safe starting conditions........................................................................................... 111
10.4.4.1 Authorise station departure (safety related conditions) ...................................................... 111
10.4.4.2 Authorise station departure (operational conditions) .......................................................... 111
10.4.4.3 Command station departure ............................................................................................... 111
10.5 Operate a train .................................................................................................................... 111
10.5.1 Put in or take out of operation............................................................................................. 111
10.5.1.1 Awake trains ........................................................................................................................ 111
10.5.1.2 Set train to sleep ................................................................................................................. 111
10.5.2 Manage driving modes ....................................................................................................... 112
10.5.3 Manage movement of trains between two operational stops ............................................. 112

10.5.4 Manage depots and stabling areas .................................................................................... 112
10.5.5 Manage UGTMS transition area ......................................................................................... 112
10.5.6 Restrict train entry to station ............................................................................................... 112
10.5.7 Manage the platform or siding stopping position of the train .............................................. 112
10.5.8 Change the travel direction ................................................................................................. 112
10.5.9 Couple and split a train ....................................................................................................... 112
10.5.9.1 Couple trains automatically ................................................................................................. 112
10.5.9.2 Split trains untimely uncoupling protection ...................................................................... 113
10.5.10 Supervise the status of the train ......................................................................................... 113
10.5.10.1 Supervise UGTMS onboard equipment status prior to entering service ............................ 113
10.5.10.2 Supervise UGTMS onboard equipment status during operation ........................................ 115
10.5.10.3 Test emergency braking performance ................................................................................ 116
10.5.10.4 React to detected train equipment failure ........................................................................... 117
10.5.10.5 Manage traction power supply on train ............................................................................... 117
10.6 Ensure detection and management of emergency situations ............................................. 117
10.6.1 Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations ........ 117
10.6.1.1 Detect fire and smoke ......................................................................................................... 117
10.6.1.2 React to detected fire/smoke .............................................................................................. 117
10.6.1.3 React to detected or suspected broken rail ........................................................................ 117
10.6.1.4 Monitor emergency calls ..................................................................................................... 117
10.6.1.5 React to passenger alarm device activation ....................................................................... 118
10.6.1.6 React to emergency release of train doors ......................................................................... 118
10.6.1.7 Detect loss of train integrity ................................................................................................. 118
10.6.1.8 React to loss of train integrity .............................................................................................. 118
10.6.1.9 Detect derailment ................................................................................................................ 118
10.6.1.10 Trigger emergency brake .................................................................................................... 119

List of figures

Figure 1 Safety functions in system lifecycle and MODSafe.............................................................. 19


Figure 2 General procedure of the method for SIL allocation ............................................................ 23
Figure 3 Risk graph according to VDV 331 ........................................................................................ 25
Figure 4 State diagram for continuous and high demand mode of operation .................................... 27
Figure 5 GOA0 On-sight train operation............................................................................................. 28
Figure 6 GOA1 Train stops and wayside signals and fixed block system ......................................... 29
Figure 7 GOA1 Semi continuous speed supervision and fixed block systems with wayside signals 30
Figure 8 GOA1 Continuous speed supervision with cab signals ....................................................... 30
Figure 9 GOA1 Continuous supervision of speed by system and wayside signals ........................... 31
Figure 10 Responsibility of operations staff in GOA2 ........................................................................ 32
Figure 11 Responsibility of operations staff in GOA3 ........................................................................ 32
Figure 12 Responsibility of operations staff in GOA4 ........................................................................ 33
Figure 13 General procedure of the elaboration of the list of MODSafe safety functions .................. 36

List of tables

Table 1 Frequency-consequence matrix or risk matrix ...................................................................... 20


Table 2 THR/SIL table according to EN 50129 .................................................................................. 23
Table 3 Risk reduction and SIL (example from IEC 61508 and used in VDV 331)............................ 25
Table 4 Grades of automation according to IEC 62290-1 .................................................................. 35
Table 5 Application table description of risk analysis parameter .................................................... 50
Table 6 Example Application: Determine actual train speed.............................................................. 52
Table 7 List of safety requirements for MODSafe safety functions .................................................... 53
Table 8 RA Check route availability for GOA1 to GOA4 .................................................................... 62
Table 9 RA Set route for GOA0 .......................................................................................................... 63
Table 10 RA Set route for GOA1 to GOA4......................................................................................... 64
Table 11 RA Supervise route for GOA1 to GOA4 .............................................................................. 65
Table 12 RA Supervise level crossing as secured for GOA1 and GOA2 .......................................... 66
Table 13 RA Lock route for GOA1 to GOA4 ...................................................................................... 67
Table 14 RA Release route for GOA1 to GOA4 ................................................................................. 68
Table 15 RA Initialise UGTMS reporting trains location for GOA1 to GOA4 ..................................... 70
Table 16 RA Determine train orientation for GOA1 to GOA4............................................................. 71
Table 17 RA Determine actual train travel direction for GOA1 to GOA4 ........................................... 72
Table 18 RA Determine train location for GOA1 (with wayside signals) ............................................ 73
Table 19 RA Determine train location for GOA1 to GOA4 (without wayside signals) ........................ 74
Table 20 RA Locate non reporting trains by track sections for GOA1 to GOA4 ................................ 75
Table 21 RA Determine static speed profile for GOA1 (with wayside signals) .................................. 76
Table 22 RA Determine static speed profile for GOA1 to GOA4 (without wayside signals) .............. 77
Table 23 RA Determine permanent rolling stock speed restrictions for GOA1 to GOA4 ................... 79
Table 24 RA Determine movement authority limit for GOA1 (with wayside signals) ......................... 81
Table 25 RA Determine movement authority limit for GOA1 to GOA4 (without wayside signals) ..... 82
Table 26 RA Determine train protection profile for GOA1 (with wayside signals).............................. 83
Table 27 RA Determine train protection profile for GOA1 to GOA4 (without wayside signals) ......... 83
Table 28 RA Authorise train movement by wayside signals for GOA0 (single track operation) ........ 86
Table 29 RA Indicate position of switches for GOA0 (signal for switch control) ................................ 87
Table 30 RA Authorise train movement by wayside signals for GOA1 (for GOA2 to GOA4 also for mixed operation) ........ 88

Table 31 RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA4 ........ 89
Table 32 RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed) ........ 90
Table 33 RA Determine actual train speed for all GOA1 to GOA4 (without wayside signals) ........... 91
Table 34 RA Supervise safe train speed for GOA1 (with wayside signals) ....................................... 92
Table 35 RA Supervise safe train speed for GOA1 to GOA4 (without wayside signals) ................... 93
Table 36 RA Inhibit train stops for GOA1 to GOA4 ............................................................................ 94
Table 37 RA Monitor speed limit at discrete location for GOA1 ......................................................... 95
Table 38 RA Supervise train rollaway for GOA1 to GOA4 ................................................................. 96
Table 39 RA React to unauthorised movement of non-operative trains for GOA1 to GOA4 ............. 97
Table 40 RA Provide interface with external interlocking for GOA1 to GOA4 ................................... 98
Table 41 RA Supervise platform doors for GOA1 and GOA2 .......................................................... 100
Table 42 RA Supervise platform doors for GOA3 and GOA4 .......................................................... 101
Table 43 RA Protect staff on track for GOA1 to GOA4 .................................................................... 103
Table 44 RA Authorise train doors opening for GOA1 to GOA4 (on passenger request) ............... 105
Table 45 RA Authorise train doors opening for GOA1 to GOA4 (automatically) ............................. 106
Table 46 RA Supervise closed and locked status of train doors for GOA1 to GOA4 ...................... 108
Table 47 RA Prevent person injuries between platform and train for GOA1 to GOA4 .................... 109
Table 48 RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA4 ........ 110
Table 49 RA Supervise UGTMS onboard equipment status prior to entering service for GOA1 to GOA4 ........ 114
Table 50 RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA4 . 115
Table 51 RA Test emergency braking performance for GOA1 to GOA4 ......................................... 116
Table 52 RA Trigger emergency brake for GOA1 and GOA2 .......................................................... 119
Table 53 RA Trigger emergency brake for GOA3 and GOA4 .......................................................... 120

1 Summary of the document

This deliverable summarises the results of the process of allocating safety requirements to the MODSafe safety
functions. To this end, the allocation method and the MODSafe safety functions are introduced. The allocation
method is the one recommended in MODSafe deliverable 4.1 [13]. The MODSafe safety functions are mainly taken
from the international standard IEC 62290-2 [10]. All MODSafe safety functions are subjected to a safety and risk
consideration in order to estimate appropriate safety integrity requirements. The allocated results are intended as
potential generic values for safety integrity requirements, depending on the operational context.
The deliverable is structured into the following clauses. First, the method for safety requirement allocation and
its application conditions are explained (clauses 5 and 6). Second, the MODSafe safety functions are introduced
(clause 7). An example application and the results of the process can be found in clauses 8 and 9. Detailed
protocols of the allocation of safety requirements are given in the annex.
The scope of MODSafe is the urban guided transport sector in Europe, covering metros, trams and other light rail
systems and taking into account the different grades of automation, which range from driving on sight up to
unattended train operation. This deliverable mainly covers safety functions for system applications of UGTMS
(e.g. CBTC), for which the functional requirements are specified by IEC 62290-2 [10] and IEC 62267 [8] and for
which the results of MODURBAN have been taken into account; it also includes additional safety functions for
system applications designed for train operation on sight (GOA0). This deliverable is written for MODSafe project
partners and European transport authorities, i.e. operators of urban guided transport systems.
The focus of this document is on safety functions and measures from the signalling domain as specified for UGTMS.
Where safety integrity requirements can be assumed to be independent of a UGTMS application, the specific
information needed for their use by other systems is provided. This deliverable does not specify risk analyses for
a specific application with a certain combination of safeguards or safety functions. For that reason all safety
functions are regarded independently of the "Mandatory" and "Optional" classification given in IEC 62290-2, so
that a user who chooses a function or a safeguard for a given application can rely on the safety integrity
requirement determined here. Nonetheless, the described safety requirement allocation scheme may also be applied
to areas other than signalling, e.g. interfaces between signalling equipment and vehicle equipment, or other
safety functions in general. It is therefore not necessary to deal with other domains in detail.
This deliverable deals with safety requirements and is not applicable to security aspects. Security is analysed in
MODSafe WP 8 and WP 9 and their deliverables.
Note: The title of this document has been changed. In the MODSafe description of work, deliverable 4.2 was
originally called "Analysis of common safety requirements allocation for MODSafe continuous safety measures and
functions". The alteration was made because the safety requirements for MODSafe safety functions are not assumed
to be "common" in the sense of the Common Safety Methods/Targets issued by the European Railway Agency. Rather,
these safety requirements should be understood as recommendations for the respective urban guided rail systems.

2 Bibliography

[1] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: EN 50126 Railway applications - The specification and
demonstration of reliability, availability, maintainability and safety (RAMS), CENELEC 1999
[2] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: CLC/TR 50126-2 Railway applications - The specification
and demonstration of reliability, availability, maintainability and safety (RAMS) - Part 2: Guide to the
application of EN 50126 for safety, CENELEC 2006
[3] COMITÉ EUROPÉEN DE NORMALISATION ÉLECTROTECHNIQUE: EN 50129 Railway applications - Communication, signalling
and processing systems - Safety related electronic systems for signalling, CENELEC 2003
[4] EUROPEAN UNION: Commission Regulation (EC) No 352/2009 of 24 April 2009 on the adoption of a common safety
method on risk evaluation and assessment as referred to in Article 6(3)(a) of Directive 2004/49/EC of the
European Parliament and of the Council, Official Journal of the European Union L 108/4, 29.04.2009
[5] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 61508-2 Ed. 2.0: Functional safety of
electrical/electronic/programmable electronic safety-related systems - Part 2: Requirements for
electrical/electronic/programmable electronic safety-related systems, IEC 2010
[6] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 61508-4 Ed. 2.0: Functional safety of
electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations,
IEC 2010
[7] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 61508-5 Ed. 2.0: Functional safety of
electrical/electronic/programmable electronic safety-related systems - Part 5: Examples of methods for the
determination of safety integrity levels, IEC 2010
[8] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 62267 Railway applications - Automated urban guided transport
(AUGT) - Safety requirements, IEC 2006
Note: IEC 62267 is also a European standard.
[9] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 62290-1 Railway applications - Urban guided transport
management and command/control systems (UGTMS) - Part 1: System principles and fundamental concepts, IEC 2009
Note: IEC 62290 is a draft European standard (prEN).
[10] INTERNATIONAL ELECTROTECHNICAL COMMISSION: IEC 62290-2 Railway applications - Urban guided transport
management and command/control systems (UGTMS) - Part 2: Functional requirements specification, IEC 2010
Note 1: For the compilation of MODSafe deliverable 4.2 only the CDV (committee draft for vote) of IEC 62290-2
was available.
Note 2: IEC 62290 is a draft European standard (prEN).
[11] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 2.1 First list of hazards, preliminary
hazard analysis, MODSafe WP2 2009
[12] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 2.2 Consistency analysis and final hazard
analysis, MODSafe WP2 2010
[13] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 4.1 State of the art analysis and review
of results from previous projects, MODSafe WP4 2010
[14] MODULAR URBAN TRANSPORT SAFETY AND SECURITY ANALYSIS: Deliverable 4.3 Analysis of on demand functions and
systematic failures, MODSafe WP4 (not yet published, planned 2011)

[15] MODULAR URBAN GUIDED RAIL SYSTEMS: D80 Comprehensive operational, functional and performance requirements,
MODURBAN MODSYSTEM WP21 2009
[16] MODULAR URBAN GUIDED RAIL SYSTEMS: D86 Safety conceptual approach for functional and technical
prescriptions, MODURBAN MODSYSTEM WP23 2006
[17] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: VDV Schriften 161 - Teil 2: Sicherheitstechnische Anforderungen an
die elektrische Ausrüstung von Stadt- und U-Bahn-Fahrzeugen (Safety requirements for the electrical equipment of
light rail and metro vehicles), VDV 2009
[18] VERBAND DEUTSCHER VERKEHRSUNTERNEHMEN: VDV Schriften 331: Sicherheitsintegritätsanforderungen für Signal-
und Zugsicherungsanlagen gemäß BOStrab (Safety integrity requirements for signalling and train protection
systems according to BOStrab), VDV 2007
[19] VOM HÖVEL, RÜDIGER; BRABAND, JENS; SCHÄBE, HENDRIK: The probability of failure on demand - the why and the
how, Proceedings of the International Conference on Computer Safety, Reliability and Security (SafeComp) 2009

3 Terms and abbreviations

3.1 Terms

Term | Definition | Reference
Accident | An accident is an unintended event or series of events that results in death, injury, loss of a system or service, or environmental damage. | EN 50129
Danger point | The location after the end of movement authority beyond which the front of the train may not pass without creating a hazardous situation. | MODURBAN
Driving mode | A driving mode describes how a train should be driven in a defined situation and can be performed either by an acting driver or automatically. | UGTMS
Emergency braking | Brake or combination of brakes which ensures that the train will stop with the brake rate agreed between the authority having jurisdiction, the transport authority and the train manufacturer. | IEC 62290-2
Grade of automation | Automation level of train operation in which Urban Guided Transport (UGT) can be operated, resulting from sharing responsibility for given basic functions of train operation between operations staff and system. | IEC 62290-1
Hazard | A condition that could lead to an accident. | EN 50129

Mode of operation | Way in which a safety function operates, which may be either low demand mode, high demand mode or continuous mode. Note 1: The definition is based on IEC 61508 part 4. Note 2: A more detailed definition will be given in MODSafe deliverable 4.3, depending on the definition of the concept of low demand. | For more information refer to sub-clause 6.1
Movement authority | Permission for a train to run, within the constraints of the infrastructure, up to a specific location. | IEC 62290-2
Non-operative UGTMS trains | Non-UGTMS-equipped trains and trains with inoperative UGTMS equipment. | IEC 62290-2
Operation control centre | Centre from which operation of the line or the network is supervised and managed. | IEC 62290-1
Reporting train | UGTMS-equipped train able to report its location and other relevant information. | IEC 62290-2
Risk | The rate of occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that harm. | CLC/TR 50126-2
Safety | Freedom from unacceptable level of risk of harm. | EN 50129
Safety function | Function to be implemented by an E/E/PE safety-related system or other risk reduction measures that is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event. | IEC 61508-4
Safety integrity | The ability of a safety-related system to achieve its required safety functions under all the stated conditions within a stated operational environment and within a stated period of time. | EN 50129
Safety integrity level | A number which indicates the required degree of confidence that a system will meet its specified safety functions with respect to systematic failures. | EN 50129
Safety measure | A set of actions either reducing the rate of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk. | Commission Regulation (EC) No 352/2009
Tolerable hazard rate | Rate of occurrence of a hazard that would result in an acceptable level of risk for that hazard (normally judged acceptable by a recognised body, e.g. the railway authority or the railway support industry in consultation with the safety regulatory authority, or recognised by the safety regulatory authority itself). | CLC/TR 50126-2
Transport authority | Entity which is responsible for safe and orderly operation of a transport system. | IEC 62267, IEC 62290-1

Urban guided transport | Urban Guided Transport (UGT) is defined as a public transportation system in an urban environment with self-propelled vehicles operated on a guideway. | MODURBAN
Urban guided transport system operator | The urban guided transport system operator (UGTSO) is an entity which is responsible for safe and orderly operation of an urban guided transport system. (Note: For safety aspects the term UGTSO is equivalent to the term "railway authority" as used in EN 50126.) | MODSafe
Zone of protection | A zone where no train is allowed to run as a response to various kinds of incidents. | IEC 62290-2

3.2 Abbreviations

Abbreviation Definition
A Frequency of, and exposure time in, the hazardous zone
ATO Automatic train operation
ATS Automatic train supervision
C Consequence reduction probability
CBTC Communication-based train control
CENELEC Comité Européen de Normalisation Électrotechnique (European Committee for Electrotechnical Standardisation)
D Deliverable
E Exposure probability to hazard
E/E/PE Electrical/electronic/programmable electronic
EN European standard
EUC Equipment under control
G Possibility of failing to avoid the hazardous event
GOA Grade of automation
HMI Human machine interface
IEC International electrotechnical commission
MA Movement authority
MODSafe Modular urban transport safety and security analysis
MODURBAN Modular urban guided rail systems
Nr Number
OCC Operations control centre
P Accident probability reduction

prEN Draft European standard
RA Risk analysis
RAMS Reliability, availability, maintainability, safety
TFM Target failure measure
THR Tolerable hazard rate
THRi Initial THR
TPP Train protection profile
S Consequences of hazardous events
SIL Safety integrity level
SL Severity level
SPAD Signal passed at danger
STO Semi automated train operation
UGTMS Urban guided transport management and command/control systems
VDV Verband Deutscher Verkehrsunternehmen (Association of German public transport undertakings)
W Probability of the unwanted occurrence
WP Work package

4 System lifecycle and safety requirements

This deliverable has to be read in the light of the European standard EN 50126, which requires a system lifecycle
for railway applications. Within this lifecycle, the determination of safety requirements is indispensable in the
first four phases, which are mainly under the responsibility of the transport authority. Phase four, called
"system requirements", is of special interest in this context. Alongside other tasks, the recommended
safety-related tasks are:

- Specify system safety requirements (overall)
- Define safety acceptance criteria (overall)
- Define safety related functional requirements
- Establish safety management


The third point is based on the risk analysis to be performed in phase 3, and this is within the scope of this
deliverable. In particular, EN 50126 states: "The RAMS requirements, for the system under consideration, shall
include: [..] Functional requirements and supporting performance requirements, including safety functional
requirements and safety integrity requirements for each safety function" [1].
The operator (i.e. the railway authority) is responsible for determining the SIL for the system according to the
prevailing operational and local circumstances.
Therefore, this deliverable shall:

- Introduce the MODSafe safety functions
- Allocate safety requirements to the MODSafe safety functions


Safety requirements for the MODSafe safety functions depend on the risk associated with the functions. It is
assumed that hazardous situations and the associated risk arise from functional failures of the very safety
functions that were meant to control the hazardous situation in the first place. Availability aspects are not
considered. An undetected termination or insufficient performance of the tasks provided by the safety function is
considered safety-relevant.
Basic functions for train operation are functions such as ensuring a safe route or supervising passenger
transfer. Many functions rely on external devices providing inputs (e.g. a switch or an emergency stop handle) and
are intended to deliver outputs to external devices (e.g. a switch or a platform screen door). Each function is
realised by realisation entities (e.g. objects, staff, etc.) and is intended to be implemented in an E/E/PE
safety-related system or subsystem. In the subsequent lifecycle phase five, which is not within the scope of this
deliverable, system requirements including safety requirements are assigned to the system architecture and used
for the design of systems, sub-systems, components and external devices. For that reason, the safety integrity
requirements for a function, taking into account its interfaces to other functions or external devices, shall be
determined in a generic way so that they can be used for different system approaches. This shall be done by the
main contractor/system supplier, compare [1].

The results of the deliverable shall be incorporated in the overall MODSafe approach. In particular, the
identified MODSafe safety functions shall be used to act as hazard control measures to cover relevant
hazards, delineated in the MODSafe hazard log of MODSafe WP2 ([11], [12]) and MODSafe WP3.
Furthermore, the list of MODSafe safety functions is input to the functional model developed in
MODSafe WP5.
Figure 1 gives an overview of the tasks, treated in this deliverable, within the overall system lifecycle
and the MODSafe project.

Figure 1 Safety functions in system lifecycle and MODSafe

5 Process for allocation of safety requirements

The method for allocating safety requirements used in this deliverable originates from the MODURBAN¹ deliverable
D86 [16]. A comparison of different safety requirement allocation methods is presented in MODSafe deliverable 4.1
[13], where certain criteria were identified as advantageous for a safety requirement allocation method. A
detailed description of the method, additional information and possible alternative applications can be found in
MODURBAN deliverable D86 and MODSafe deliverable 4.1. Additionally, a second method is outlined briefly to ease
subsequent analyses.

5.1 Description of the semi-quantitative MODURBAN process

5.1.1 Risk parameter used in the method

The starting point of the method is the risk matrix introduced in the European standard EN 50126, which has
meanwhile become the international standard IEC 62278. The matrix describes "the correlation of the rate of
occurrence of accidents and incidents resulting in harm (caused by a hazard) and the degree of severity of that
harm" [2]. The risk matrix, see Table 1, assigns a risk level, e.g. "tolerable" or "intolerable", to each
combination of frequency of occurrence and severity level of the hazard consequences.
Table 1 Frequency-consequence matrix or risk matrix

Risk levels by frequency of occurrence of the hazardous event (rows) and severity level of the hazard consequence (columns):

Frequency of occurrence | insignificant | marginal    | critical    | catastrophic
frequent                | undesirable   | intolerable | intolerable | intolerable
probable                | tolerable     | undesirable | intolerable | intolerable
occasional              | tolerable     | undesirable | undesirable | intolerable
remote                  | negligible    | tolerable   | undesirable | undesirable
improbable              | negligible    | negligible  | tolerable   | tolerable
incredible              | negligible    | negligible  | negligible  | negligible

Following EN 50126, the severity levels of the hazard consequences are defined as follows:

¹ MODURBAN is a European research and development project covering metros and light rail systems.

- Catastrophic: Fatalities and/or multiple severe injuries and/or major damage to the environment
- Critical: Single fatality and/or severe injury and/or significant damage to the environment
- Marginal: Minor injury and/or significant threat to the environment
- Insignificant: Possible minor injury
In addition to the two risk parameters introduced so far, severity level and frequency of occurrence, the MODURBAN
method uses three further parameters. These are parameters which may reduce the initial risk, which up to this
point is expressed by the severity level only. MODURBAN D86 describes these risk reduction parameters (or risk
reduction measures) as follows:

- Exposure Probability to Hazard E: Is there good reason to conservatively assume that members of the risk group
  (e.g. passengers) are exposed to the hazard clearly less than permanently (by orders of magnitude in
  probability)?
- Accident Probability Reduction P: Is there good reason to conservatively assume that the evolution of a certain
  hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of the rate
  by orders of magnitude)?
- Consequence Reduction Probability C: Is there good reason to conservatively assume that members of the risk
  group (e.g. passengers, workers or neighbours) can clearly avoid being subject to the hazard (by orders of
  magnitude) or considerably reduce the potential damage (by severity class)?

Considering the severity level of the hazard consequences and the three risk reduction measures, a frequency can
be estimated which represents the tolerable risk and corresponds to the tolerable hazard rate (THR).

5.1.2 Numerical interpretation of risk parameter

An actual application starts with an estimation of the possible hazard consequences of a wrong-side failure of the
safety function. This is followed by a description of the operational or environmental circumstances in order to
estimate the applicable risk reduction measures and their numerical values.
For that purpose, an initial THR² has to be estimated which does not consider any risk reduction measures and is
derived solely from the severity of the potential hazard consequences, graded in four severity levels (SL). With
the help of Table 2, leaving out the SIL for the moment, the levels of severity are expressed as follows:

Catastrophic: THR = 10^-9/h (SL4)

Critical: THR = 10^-8/h (SL3)

Marginal: THR = 10^-7/h (SL2)

² Strictly speaking, this initial THR is already a tolerable hazard rate, namely the one that applies when no risk
reduction measures are credited. Setting all risk reduction measures to a value of 1 (1 = no impact), the actual
tolerable hazard rate equals the initial THR; "initial" merely means that risk reduction measures have not yet
been considered.

Insignificant: THR = 10^-6/h (SL1)
The risk reduction measures can be understood in the following way, as described in MODURBAN deliverable D86:
E = 1: Exposure of members of the risk group to the hazard is conservatively assumed to be frequent or permanent.
E = 10^-1: Exposure of members of the risk group to the hazard can conservatively be assumed to be rare, i.e. only
in exceptional cases (e.g. passengers in a turn-back train, passengers walking into the tunnel, etc.).
E = 10^-2: Exposure of members of the risk group to the hazard is to be expected only in very rare cases (e.g.
passengers in a depot, etc.).
P = 1: No additional barrier can conservatively be assumed that would reduce the probability of the hazard
evolving into an accident.
P = 10^-1: There are means or circumstances which clearly reduce the probability that a certain hazard evolves
into an accident (e.g. additional barriers beyond the one under analysis, a driver who notices a positioning
failure and corrects it manually, personnel on board or in the station who notice an otherwise undetected open
door at train departure, etc.).
P = 10^-2: There are two independent means or circumstances which each clearly reduce the probability that a
certain hazard evolves into an accident (e.g. personnel on board or in the station notice an otherwise undetected
open door at train departure, and an independent door interlock senses the open door before the train departs).
C = 1: There is no reason to conservatively assume that a member of the risk group (e.g. a passenger) may avoid
being subject to the consequences of a certain hazard.
C = 10^-1: There is good reason to conservatively assume that a member of the risk group (e.g. a passenger) can
avoid being subject to the consequences of a certain hazard (e.g. in low-headway train operation a passenger who
has fallen onto the station track may climb out or move into an emergency bay; a driver notices an overspeed
protection system failure and reduces speed manually, so that a collision occurs at severity level SL3 instead of
SL4).
C = 10^-2: There are two independent good reasons to conservatively assume that a member of the risk group can
avoid being subject to the consequences of a certain hazard (e.g. in tramway operation a passenger on the track
can move away from the track and the driver can stop the train in time; an overspeed protection failure at the end
of the track (SL4 to SL3) is noticed by the driver and the manual speed reduction further reduces the consequence
to SL2).
Based on the initial THR (THRi) and the three risk reduction measures, the final THR is calculated by dividing the
initial THR by the product of the risk reduction measures:

(1) THR = THRi / (E · P · C)

The safety integrity level can then be determined from the following table:

Table 2 THR/SIL table according to EN 50129

Tolerable Hazard Rate THR per hour and per function | Safety Integrity Level SIL
THR 4: 10^-9 ≤ THR < 10^-8 | SIL 4
THR 3: 10^-8 ≤ THR < 10^-7 | SIL 3
THR 2: 10^-7 ≤ THR < 10^-6 | SIL 2
THR 1: 10^-6 ≤ THR < 10^-5 | SIL 1

5.1.3 Application of the method

The method shall be applied to one particular function at a time. All numerical values apply to this particular
function and shall be expressed in the unit "per hour".
The procedure is shown in the following figure in a general manner:
Figure 2 General procedure of the method for SIL allocation

[Figure 2: the four parameter boxes of the method and the resulting level of safety integrity]
Severity of consequences: Catastrophic THR = 10^-9/h; Critical THR = 10^-8/h; Marginal THR = 10^-7/h; Insignificant THR = 10^-6/h
Exposure of members: Frequent E = 1; Rare E = 0.1; Very rare E = 0.01
Consequence reduction: No barrier C = 1; One barrier C = 0.1; Two barriers C = 0.01
Accident reduction: No barrier P = 1; One barrier P = 0.1; Two barriers P = 0.01
Level of safety integrity: THR = 10^-9/h SIL 4; THR = 10^-8/h SIL 3; THR = 10^-7/h SIL 2; THR = 10^-6/h SIL 1

During an application to allocate safety requirements to safety functions the following aspects shall be
considered:

The exposure probability to the hazard (E) describes whether persons are involved in a regularly occurring
hazardous situation or not. In other words, the hazardous situation may be observed frequently, but, for example,
passengers are not exposed to every instance of it. This risk reduction measure is not a demand rate, i.e. it does
not describe how often a particular hazard arises while passengers are permanently exposed to it. Examples of the
first case are maintenance hazards: these occur frequently, but passengers are not exposed to them on a regular
basis. Passengers are, by contrast, frequently exposed to the hazard of an emergency brake failure because they
are permanently on board the train; this latter hazard, however, does not occur regularly, and its hazard rate is
usually described by a demand rate and other relevant rates. The issue of safety functions required in a low
demand mode of operation is treated in MODSafe deliverable 4.3 [14].
The risk reduction measures P and C use the idea of barriers reducing either the accident frequency or the
severity of the hazard consequences. These barriers can be understood as means or reasons to reduce risk. If a
risk-reducing barrier can be assumed, the actual efficiency of that barrier is not evaluated: every barrier that
can be credited is estimated with a fixed factor of 1:10. If a higher risk reduction is to be claimed, two
independent means or reasons have to be demonstrated.
With respect to the calibration of the results: for a hazard arising from the failure of a safety function with
credible direct potential for catastrophic consequences, the method described here yields 10^-9 per hour. This
value originates from the European Regulation 352/2009 for the heavy rail sector [4], which states: "For technical
systems where a functional failure has credible direct potential for a catastrophic consequence, the associated
risk does not have to be reduced further if the rate of that failure is less than or equal to 10^-9 per operating
hour." [4] However, no assumption whatsoever is made on the applicability of European Regulation 352/2009 to the
domain of urban guided transport. It is in fact expected that urban railways such as metros, light rail and
tramways are explicitly excluded, as stated in Article 2(3) of Regulation 352/2009. Therefore, the value of 10^-9
per hour is mentioned only as a reference value for acceptable safety regardless of the specific railway domain.
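The calculation of equation (1) and the lookup in Table 2, carried out in Python as an added example of this editor's; it is not code from the MODSafe or MODURBAN projects. The severity classes, exposure classes and barrier counts are those of sub-clauses 5.1.2 and 5.1.3. The safety-function descriptions in the sample run are constructed for illustration and are not results of this deliverable, and the treatment of a THR at or above 10^-5/h (outside Table 2) as "no SIL" is an assumption of the example. Exponents of ten are used instead of floating-point division so that every result lands exactly on a band boundary of Table 2.

```python
# Added example (not MODSafe/MODURBAN code): the semi-quantitative allocation
# of clause 5.1 as a small, exact calculation.  Sample cases are constructed.
from dataclasses import dataclass
from typing import Optional

# Initial THR per severity level, stored as the exponent of 10 (unit 1/h).
# Working with exponents keeps equation (1) exact; floating-point division
# could yield 9.99e-08 and land on the wrong side of a Table 2 boundary.
SEVERITY_THRI_EXP = {
    "catastrophic": -9,   # SL4
    "critical": -8,       # SL3
    "marginal": -7,       # SL2
    "insignificant": -6,  # SL1
}

# Exposure probability E: 1 (frequent/permanent), 10^-1 (rare), 10^-2 (very rare).
EXPOSURE_EXP = {"frequent": 0, "rare": -1, "very rare": -2}

# Table 2 (EN 50129): 10^-9 <= THR < 10^-8 -> SIL 4 ... 10^-6 <= THR < 10^-5 -> SIL 1.
THR_EXP_TO_SIL = {-9: 4, -8: 3, -7: 2, -6: 1}


@dataclass(frozen=True)
class Allocation:
    thri: float          # initial THR in 1/h (severity only)
    thr: float           # THR after crediting E, P and C, in 1/h
    sil: Optional[int]   # None if the THR falls outside the bands of Table 2


def barrier_exp(n_barriers: int) -> int:
    """P and C may only be credited as 1 (no barrier), 10^-1 (one barrier)
    or 10^-2 (two independent barriers); see clause 5.1.3."""
    if n_barriers not in (0, 1, 2):
        raise ValueError("only 0, 1 or 2 independent barriers may be credited")
    return -n_barriers


def allocate(severity: str, exposure: str,
             accident_barriers: int, consequence_barriers: int) -> Allocation:
    """Equation (1), THR = THRi / (E * P * C), followed by the Table 2 lookup.

    Dividing by factors smaller than 1 *relaxes* the tolerable hazard rate:
    every credited decade of E, P or C raises the THR by one decade and
    lowers the required SIL by one level.
    """
    if severity not in SEVERITY_THRI_EXP:
        raise ValueError(f"unknown severity level {severity!r}")
    if exposure not in EXPOSURE_EXP:
        raise ValueError(f"unknown exposure class {exposure!r}")
    thri_exp = SEVERITY_THRI_EXP[severity]
    reduction_exp = (EXPOSURE_EXP[exposure]
                     + barrier_exp(accident_barriers)      # P
                     + barrier_exp(consequence_barriers))  # C
    thr_exp = thri_exp - reduction_exp            # exponent form of equation (1)
    # A THR of 10^-5/h or more lies outside Table 2; this example reports
    # "no SIL" for it (assumption: the deliverable does not define the case).
    sil = THR_EXP_TO_SIL.get(thr_exp)
    return Allocation(thri=float(f"1e{thri_exp}"), thr=float(f"1e{thr_exp}"), sil=sil)


def describe(name: str, alloc: Allocation) -> str:
    sil = f"SIL {alloc.sil}" if alloc.sil is not None else "no SIL from Table 2"
    return f"{name}: THRi = {alloc.thri:.0e}/h, THR = {alloc.thr:.0e}/h -> {sil}"


if __name__ == "__main__":
    # Constructed cases, chosen to show the effect of each parameter.
    cases = [
        ("hypothetical function, catastrophic, passengers permanently exposed, no barriers",
         allocate("catastrophic", "frequent", 0, 0)),   # 1e-9 -> SIL 4
        ("same hazard, one independent accident barrier credited",
         allocate("catastrophic", "frequent", 1, 0)),   # 1e-8 -> SIL 3
        ("critical, rare exposure, one consequence barrier",
         allocate("critical", "rare", 0, 1)),           # 1e-6 -> SIL 1
        ("insignificant, rare exposure",
         allocate("insignificant", "rare", 0, 0)),      # 1e-5 -> outside Table 2
    ]
    for name, alloc in cases:
        print(describe(name, alloc))
```

The validation in `barrier_exp` enforces the rule of sub-clause 5.1.3 that a barrier is worth exactly one decade and that nothing beyond two independent barriers can be claimed; an analyst who wants more credit has to justify a second independent barrier rather than tune a factor.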

5.2 Description of the risk graph based method

For some generic safety functions the German VDV 331 [18] defines required safety integrity levels, so that these
safety integrity levels can be applied to the system in question. The risk graph is based on part 5 of IEC 61508
[7].
According to IEC 61508 the quantitative component (the Target Failure Measure (TFM), which is equivalent to the
Tolerable Hazard Rate (THR)) can be derived directly from the SIL.
It shall be noted that the results obtained with the semi-quantitative allocation method from MODURBAN were
verified with an independent method, the risk graph based semi-quantitative method outlined in this sub-clause.
In MODURBAN deliverable D86, all considered continuous safety functions were analysed with both methods, and the
obtained results were identical in all cases.
Because the results are identical, the present analysis applies one method as representative of both. Since the
MODURBAN method is an agreed method from the European project MODURBAN and its results found broad consensus at
European level, the semi-quantitative MODURBAN method

is used. In any case, the risk analyses and safety requirements specified in VDV 331 for some of the functions
were found to be compatible and may therefore serve as a guideline where the functions under consideration are
covered by VDV 331.

Necessary minimum risk reduction read from the risk graph, for the columns W3, W2, W1 (cells not shown in the
figure print are left blank):

Branch   | W3 | W2 | W1
S1       | 1  |    |
S2 A1 G1 | 2  | 1  |
S2 A1 G2 | 3  | 2  | 1
S2 A2 G1 | 4  | 3  | 2
S2 A2 G2 | 5  | 4  | 3
S3 A1    | 6  | 5  | 4
S3 A2    | 7  | 6  | 5
S4       | 8  | 7  | 6

Legend:
Severity of loss: S1 minor injury; S2 serious permanent injury to one or more persons, death to one person; S3 death to several people; S4 very many people killed
Duration of stay: A1 rare to more frequent exposure in the hazardous zone; A2 frequent to permanent exposure in the hazardous zone
Averting the danger: G1 possible under certain conditions; G2 almost impossible
Probability of the unwanted occurrence: W1 very slight; W2 slight; W3 relatively high

Figure 3 Risk graph according to VDV 331

The analysis follows the principles described in IEC 61508, calibrated in VDV 331/332 to the
process under consideration. The safety function is analysed according to four attributes, which are:

- S consequences of hazardous events
- A frequency of, and exposure time in, the hazardous zone
- G possibility of failing to avoid the hazardous event
- W probability of the unwanted occurrence.

The result of the risk analysis provides a necessary minimum risk reduction from which the safety
integrity levels (SIL) can be derived directly. The connection between the results of the analysis for
safety functions derived from the risk graph and the safety integrity level is shown in Table 3.
Table 3 Risk reduction and SIL (example from IEC 61508 and used in VDV 331)

Tolerable Hazard Rate (THR) | Necessary minimum risk reduction | Safety integrity level
-                           |                                  | No safety requirements
-                           | 1                                | No special safety requirements
10^-6 to <10^-5             | 2, 3                             | 1
10^-7 to <10^-6             | 4                                | 2
10^-8 to <10^-7             | 5, 6                             | 3
10^-9 to <10^-8             | 7                                | 4
-                           | 8                                | An E/E/PE SRS is not sufficient
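The following is an added worked example, not code from the MODSafe deliverable, from VDV 331 or from IEC 61508. It encodes the risk graph of Figure 3 and the class-to-SIL mapping of Table 3 as they are shown on this page, so that a path through the graph can be evaluated mechanically and a claimed wrong side failure rate can be checked against the allocated THR band. The reading that A and G are not distinguished for S1 and S4, and G not for S3, follows the row layout of Figure 3; all function, type and variable names are this example's own.

```python
"""Risk graph SIL allocation following Figure 3 and Table 3 of this page.

Added worked example, not code from the MODSafe deliverable, VDV or IEC.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Figure 3, one entry per row of the graph. Value: necessary minimum risk
# reduction class in the W3, W2 and W1 columns; None marks an empty cell.
# S1 does not distinguish A or G, S3 distinguishes only A, S4 neither.
_RISK_GRAPH = {
    ("S1", None, None): (1, None, None),
    ("S2", "A1", "G1"): (2, 1, None),
    ("S2", "A1", "G2"): (3, 2, 1),
    ("S2", "A2", "G1"): (4, 3, 2),
    ("S2", "A2", "G2"): (5, 4, 3),
    ("S3", "A1", None): (6, 5, 4),
    ("S3", "A2", None): (7, 6, 5),
    ("S4", None, None): (8, 7, 6),
}
_W_COLUMN = {"W3": 0, "W2": 1, "W1": 2}

# Table 3: risk reduction class -> (SIL, THR band per hour [lower, upper), label).
_TABLE_3 = {
    None: (None, None, "No safety requirements"),
    1: (None, None, "No special safety requirements"),
    2: (1, (1e-6, 1e-5), "SIL 1"),
    3: (1, (1e-6, 1e-5), "SIL 1"),
    4: (2, (1e-7, 1e-6), "SIL 2"),
    5: (3, (1e-8, 1e-7), "SIL 3"),
    6: (3, (1e-8, 1e-7), "SIL 3"),
    7: (4, (1e-9, 1e-8), "SIL 4"),
    8: (None, None, "An E/E/PE SRS is not sufficient"),
}


@dataclass(frozen=True)
class Allocation:
    risk_class: Optional[int]                 # necessary minimum risk reduction class
    sil: Optional[int]                        # 1..4, None where no SIL applies
    thr_band: Optional[Tuple[float, float]]   # tolerable hazard rate band, per hour
    label: str


def risk_reduction_class(s: str, a: Optional[str] = None,
                         g: Optional[str] = None, w: str = "W3") -> Optional[int]:
    """Read the Figure 3 cell for the given S, A, G and W attribute values."""
    if w not in _W_COLUMN:
        raise ValueError("W must be one of W1, W2, W3")
    if s == "S2":
        key = (s, a, g)
    elif s == "S3":
        key = (s, a, None)        # G is not distinguished for S3
    elif s in ("S1", "S4"):
        key = (s, None, None)     # neither A nor G is distinguished
    else:
        raise ValueError("S must be one of S1..S4")
    if key not in _RISK_GRAPH:
        raise ValueError("A/G values %r not valid for %s" % ((a, g), s))
    return _RISK_GRAPH[key][_W_COLUMN[w]]


def allocate(s: str, a: Optional[str] = None,
             g: Optional[str] = None, w: str = "W3") -> Allocation:
    """Combine Figure 3 and Table 3 into a SIL / THR allocation."""
    rc = risk_reduction_class(s, a, g, w)
    sil, band, label = _TABLE_3[rc]
    return Allocation(rc, sil, band, label)


def rate_meets_thr(wrong_side_failure_rate_per_hour: float, alloc: Allocation) -> bool:
    """True when a claimed wrong side failure rate lies below the upper,
    exclusive edge of the allocated THR band (the least demanding reading of
    the band). Allocations without a THR band cannot be judged this way."""
    if alloc.thr_band is None:
        return False
    return wrong_side_failure_rate_per_hour < alloc.thr_band[1]


if __name__ == "__main__":
    # Constructed case: serious injury, frequent exposure, danger almost
    # impossible to avert, relatively high probability of occurrence.
    result = allocate("S2", "A2", "G2", "W3")
    print(result)                                  # class 5 -> SIL 3
    print(rate_meets_thr(5e-8, result))            # constructed rate: True
```

The band check uses the upper edge of the THR band; an assessor who wants the conservative reading compares the demonstrated rate against the lower edge instead.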

6 Mode of operation and grade of automation

One goal of this deliverable is to recommend the deduced safety requirements to European urban
guided transport system operators as potential generic safety integrity requirements. This can be done
if safety functions do not, or only weakly, depend on an operational context. For the purpose of
MODSafe, two criteria are considered to describe the operational context. These are the mode of
operation and the grade of automation, with regard to an unambiguous, consistent and complete
functional requirement specification.

6.1 Definition of mode of operation

The mode of operation can be understood as the way in which safety functions operate, according to
IEC 61508 part 4 [6]. This international standard differentiates between three modes of operation with
respect to the frequency of demand:

- low demand mode: where the safety function is only performed on demand, in order to
transfer the EUC into a specified safe state, and where the frequency of demands is no
greater than one per year; or

- high demand mode: where the safety function is only performed on demand, in order to
transfer the EUC into a specified safe state, and where the frequency of demands is greater
than one per year; or

- continuous mode: where the safety function retains the EUC in a safe state as part of normal
operation [6]
However, it shall be noted that, apart from the definition of a strict number of events (demands) per
year, IEC 61508 proposes to explicitly consider the diagnostics in all three modes of operation if the
ratio of the diagnostic test rate to the demand rate equals or exceeds 100 [5]. Taking this
ratio into account, any specific demand rate and the associated safety level of the safety function can be calculated
for a specific case, and the above categorisation is then not necessary. This issue will be
addressed in detail in the MODSafe deliverable 4.3 and therefore is not discussed in more
detail in this deliverable.
Additionally, IEC 61508 states that if the total demand rate arising from all the demands on the system
exceeds 1 per year then the critical factor is the dangerous failure rate of the E/E/PE safety-related
system. Hence, the high demand and continuous modes of operation can be treated as one when the
demand rate is considered.
For safety functions acting in a high demand or continuous mode of operation it is expected that a
failed safety function is equivalent to an unsafe state or a hazard. Expressed in a state diagram, the
system would turn from a safe state to an unsafe state at the wrong side failure rate of the safety
function (SF), see figure below. (The label R might be equivalent to a repair or restore rate.)

Figure 4 State diagram for continuous and high demand mode of operation

However, for safety functions with a low frequency of demand, this would not necessarily be true. It is
expected that for safety functions acting in a low demand mode of operation, the consequences of a
hazard are not immediately severe. The probability that an accident will happen immediately after the
failure of the low demand safety function is anticipated to be considerably lower than 1. For example, in
operations with a two minute headway, or even less, a train running in the wrong direction would
immediately collide with other trains. Hence, the determination of the train travel direction is required to
work safely in every case. By contrast, a derailment detection device has only one
requirement: detect a derailment if a derailment has occurred. So, a failure of a derailment detection
device leads to an accident only if a demand (a derailment) is given, which is a very rare event
compared to the potential failure of the travel direction determination.
Therefore, it is assumed that for safety functions not acting in a high demand or continuous mode of
operation, other safety relevant criteria have to be considered, such as the frequency of demand and
the diagnostic test interval of the safety function. An approach which takes these
considerations into account is presented in [19]. This perspective is in line with IEC 61508, but the safety
requirement allocation method proposed here does not take these issues into account in an
appropriate manner. This process therefore cannot be applied to functions required in a low demand
mode of operation; they have to be considered separately. This issue is covered in MODSafe deliverable
4.3.
Moreover, IEC 61508 part 5 supports selecting the most appropriate method for SIL
allocation, since the mode of operation has to be considered and some methods are only suitable for
low demand mode and vice versa.
For the purpose of this document, safety functions are considered which act clearly in a continuous
mode of operation, which might be equivalent to a frequency of demand clearly higher
than once a year (e.g. functions associated with train movement and passenger exchange which
are in everyday use, as opposed to exceptional situations like emergency cases). Another characteristic of
the analysed safety functions is that wrong side failures are expected to lead to a hazardous situation
with direct severe hazard consequences.
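As an added example, not taken from the deliverable and going beyond its text by also carrying the low demand case through numerically, the following puts numbers on the two situations contrasted in this section: the two-state model of Figure 4, in which every wrong side failure of the safety function (rate lambda_sf) is a hazard and R restores the safe state, and a low demand function such as derailment detection, in which a failed function causes an accident only when a demand arrives. The low demand part uses the standard exponential model of a dangerous failure that is revealed only by a periodic diagnostic test with interval T; all rates and intervals are constructed values and the names are this example's own.

```python
"""Hazard rate of a safety function in continuous versus low demand mode.

Added worked example, not taken from the MODSafe deliverable or from IEC
61508. Rate and interval values are constructed.
"""
import math

HOURS_PER_YEAR = 8760.0


def mode_of_operation(demand_rate_per_year: float) -> str:
    """Demand-frequency classification quoted from IEC 61508-4 in the text.
    High demand and continuous mode are treated as one case, as the text does."""
    return "low demand" if demand_rate_per_year <= 1.0 else "high demand / continuous"


def diagnostics_dominate(demand_rate_per_year: float,
                         diagnostic_test_rate_per_year: float) -> bool:
    """True when the diagnostic test rate is at least 100 times the demand
    rate, the ratio at which the text says the demand rate itself can be
    used instead of the mode categorisation."""
    if demand_rate_per_year <= 0:
        raise ValueError("demand rate must be positive")
    return diagnostic_test_rate_per_year / demand_rate_per_year >= 100.0


def unsafe_state_probability(lambda_sf: float, restore_rate: float, t_hours: float) -> float:
    """Two-state model of Figure 4, starting in the safe state at t = 0.
    Safe -> unsafe at the wrong side failure rate lambda_sf, unsafe -> safe
    at the restore rate R:  dP_u/dt = lambda_sf * (1 - P_u) - R * P_u.
    Closed-form solution: P_u(t) = lambda/(lambda+R) * (1 - exp(-(lambda+R) t))."""
    total = lambda_sf + restore_rate
    return lambda_sf / total * (1.0 - math.exp(-total * t_hours))


def continuous_mode_hazard_rate(lambda_sf: float) -> float:
    """Every departure from the safe state is a hazard, so the hazard rate
    equals the wrong side failure rate of the safety function."""
    return lambda_sf


def average_pfd(lambda_sf: float, test_interval_hours: float) -> float:
    """Average probability that the function is already failed when a demand
    arrives, for a dangerous failure revealed only by a test every T hours:
    PFD_avg = 1 - (1 - exp(-lambda*T)) / (lambda*T), about lambda*T/2 when
    lambda*T is small."""
    x = lambda_sf * test_interval_hours
    if x <= 0:
        raise ValueError("lambda_sf and test interval must be positive")
    return 1.0 - (1.0 - math.exp(-x)) / x


def low_demand_hazard_rate(lambda_sf: float, demand_rate_per_hour: float,
                           test_interval_hours: float) -> float:
    """Hazard rate = demand rate x probability the function is failed on demand."""
    return demand_rate_per_hour * average_pfd(lambda_sf, test_interval_hours)


if __name__ == "__main__":
    lam = 1e-6  # constructed wrong side failure rate of the safety function, per hour
    # Travel direction determination is demanded on every run: continuous mode,
    # so the hazard rate is the failure rate itself.
    print("continuous mode hazard rate [1/h]:", continuous_mode_hazard_rate(lam))
    # Derailment detection (constructed): one demand in ten years, device tested
    # once a year, so diagnostics do not reach the ratio of 100.
    demands_per_year = 0.1
    print(mode_of_operation(demands_per_year), diagnostics_dominate(demands_per_year, 1.0))
    print("low demand hazard rate [1/h]:",
          low_demand_hazard_rate(lam, demands_per_year / HOURS_PER_YEAR, HOURS_PER_YEAR))
```

With the same failure rate for both functions, the low demand hazard rate comes out roughly twenty times below the continuous mode one for these constructed values, which is the quantitative form of the argument that demand frequency and test interval, not the failure rate alone, drive the allocation for low demand functions.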

6.2 Grade of automation

The following definitions of grades of automation (GOA) are proposed by IEC 62290-1 [9]. The
differentiation between GOAs is based on the shared responsibilities between operational staff and the system
according to the basic functions of train operation. Which functions are realised by the system
or by staff can be found in Table 4.

6.2.1 Grade of automation 0 (GOA0): On-sight train operation

In this grade of automation the driver has full responsibility and no system is required to supervise his
activities. However, points and single tracks can be partially supervised by the system [9].
In terms of responsibilities for operational staff this means the following, see figure below:

- Ensure safe separation of trains
- Observation of guideway and stopping the train in hazardous situations
- Control of acceleration and braking
- Supervision of safe speed
- Control and supervise switches
- Supervision of train departure
- Operate train and detect hazardous situations

Figure 5 GOA0 On-sight train operation

6.2.2 Grade of automation 1 (GOA1): Non-automated train operation

In this grade of automation, the driver is in the front cabin of the train observing the guideway and
stops the train in the case of a hazardous situation. Acceleration and braking are commanded by the
driver in compliance with wayside signals or cab-signal. The system supervises the activities of the
driver. This supervision may be done at specific locations, be semi-continuous or continuous, notably
in respect of the signals and the speed. Safe departure of the train from the station, including door
closing, is the responsibility of the operations staff. [9]

In terms of responsibilities for operational staff this means the following:

- Observation of guideway and stopping the train in hazardous situations
- Adherence to signals
- Control of acceleration and braking
- Supervision of train departure
- Operate train and detect hazardous situations

For GOA1 the following applications of train control and protection systems with their characteristics
and safety functions are regarded in this deliverable.

Train stops and wayside signals and fixed block system:

- Detection of trains by wayside devices as basis for safe separation of trains
- Authorisation of movement by wayside signals
- Supervision of train movements by train stops and possibly speed supervision by wayside
equipment at discrete locations

Figure 6 GOA1 Train stops and wayside signals and fixed block system (figure labels: train detection
by wayside devices; train stops at discrete locations; speed supervision at discrete location; danger
point)

Semi continuous speed supervision and fixed block systems with wayside signals:

- Detection of trains by wayside devices as basis for safe separation of trains
- Authorisation of movement by wayside signals
- Supervision of train movements including permitted speed by train protection profile, which is
provided at discrete locations or in dedicated areas (semi-continuous speed supervision)

Figure 7 GOA1 Semi continuous speed supervision and fixed block systems with wayside signals
(figure labels: movement authority limit; speed restriction within intended route of train; train
protection profile; danger point; train location relative to TPP; train detection by wayside devices;
balise at discrete locations; infill loop in dedicated areas)

Continuous speed supervision with cab signals:

- Localisation of trains by reporting trains as basis for safe separation of trains
- Authorisation of movement by cab signals derived from train protection profile which is
provided continuously
- Supervision of train movements including permitted speed by train protection profile

Figure 8 GOA1 Continuous speed supervision with cab signals (figure labels: movement authority
limit; speed restriction within intended route of train; train protection profile; danger point; train
location relative to TPP; train localisation by reporting trains)

Continuous supervision of speed by the system and wayside signals:

- Localisation of trains by reporting trains as basis for safe separation of trains
- Authorisation of movement provided by wayside signals
- Supervision of train movements including permitted speed by train protection profile

Figure 9 GOA1 Continuous supervision of speed by system and wayside signals (figure labels:
movement authority limit; speed restriction within intended route of train; train protection profile;
danger point; train location relative to TPP; train localisation by reporting trains)

6.2.3 Grade of automation 2 (GOA2): Semi-automated train operation

In this grade of automation, the driver is in the front cabin of the train observing the guideway and
stops the train in the case of a hazardous situation. Acceleration and braking are automated and the
speed is supervised continuously by the system. Safe departure of the train from the station is the
responsibility of the operations staff (door opening and closing may be done automatically). [9]
In terms of responsibilities for operational staff this means the following, see figure below:

- Observation of guideway and stopping the train in hazardous situations
- Supervision of train departure
- Operate train and detect hazardous situations

Figure 10 Responsibility of operations staff in GOA2 (figure labels: movement authority limit; speed
restriction within intended route of train; train location; authorised speed)

6.2.4 Grade of automation 3 (GOA3): Driverless train operation

In this grade of automation, additional measures are needed compared to GOA2 because there is no
driver in the front cabin of the train to observe the guideway and stop the train in case of a hazardous
situation.
In this grade of automation, a member of the operations staff is necessary onboard. Safe departure of
the train from the station, including door closing, can be the responsibility of the operations staff or
may be done automatically. [9]
In terms of responsibilities for operational staff this means the following, see figure below:

- Supervision of train departure
- Operate train and detect hazardous situations

Figure 11 Responsibility of operations staff in GOA3 (figure labels: movement authority limit; speed
restriction within intended route of train; train location; authorised speed)

6.2.5 Grade of automation 4 (GOA4): Unattended train operation

In this grade of automation, additional measures are needed compared to GOA3 because there are no
onboard operations staff.
Safe departure of the train from the station, including door closing, has to be done automatically.
More specifically, the system supports detection and management of hazardous conditions and
emergency situations such as the evacuation of passengers. Some hazardous conditions or
emergency situations, such as derailment or the detection of smoke or fire, may require staff
interventions. [9]
Fully unattended train operation assigns no responsibilities to operational staff on board the train or in
the station. Human responsibility remains, but moves partly to OCC staff and also to maintenance staff (in
order to be sure that all functions are available during the mission).

Figure 12 Responsibility of operations staff in GOA4 (figure labels: movement authority limit; speed
restriction within intended route of train; train location; authorised speed)

7 Functions to be analysed

The origin of the majority of the MODSafe safety functions is the international standard IEC 62290 part
2 [10], which covers functions of an urban guided transport management and command/control
system (UGTMS).

7.1 Principal structure of basic functions for train operation

The principal structure of the MODSafe safety functions is taken from IEC 62290 part 1 [9]. The
table below outlines the structure. It shows the general functions required for train operation as well as the
associated grade of automation for each basic function.

Table 4 Grades of automation according to IEC 62290-1

Basic functions of train operation | GOA0 On-sight train operation | GOA1 Non-automated train operation | GOA2 Semi automated train operation | GOA3 Driverless train operation | GOA4 Unattended train operation
Ensuring safe movement of trains: Ensure safe route | X (points command/control in system) | S | S | S | S
Ensuring safe movement of trains: Ensure safe separation of trains | X | S | S | S | S
Ensuring safe movement of trains: Ensure safe speed | X (partly supervised by system) | X | S | S | S
Driving: Control acceleration and braking | X | X | S | S | S
Supervising guideway: Prevent collision with obstacles | X | X | X | S | S
Supervising guideway: Prevent collision with persons on tracks | X | X | X | S | S
Supervising passenger transfer: Control passenger doors | X | X | X | X | S
Supervising passenger transfer: Prevent person injuries between cars or between platform and train | X | X | X | X | S
Supervising passenger transfer: Ensure safe starting conditions | X | X | X | X | S
Operating a train: Set in / set off operation | X | X | X | X | S
Operating a train: Supervise the status of the train | X | X | X | X | S
Ensuring detection and management of emergency situations: Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency situations (call/evacuation, supervision) | X | X | X | X | S and/or staff in OCC

NOTE
X = responsibility of operations staff (may be realised by UGTMS system)
S = shall be realised by UGTMS system

7.2 List of MODSafe safety functions

For the selection of safety functions from IEC 62290-2 the following criterion is considered:

- The MODSafe safety function shall act as a safety function (functions obviously intended to be
realised in an ATO or ATS subsystem are not considered).
This criterion also applies to MODSafe safety functions which are newly added to the list.

Most safety functions are directly taken from IEC 62290-2 but were complemented by the work
previously done in the context of the MODURBAN project. Since this draft standard IEC 62290-2 is
based on MODURBAN, namely on the deliverable D80 [15], compatibility with the MODURBAN work is
maintained in principle. Besides, more recent considerations regarding urban guided transport
management and command/control systems have been taken into account during the elaboration of
IEC 62290-2. Therefore, direct reference to this draft standard is appropriate.
Some MODURBAN functions from D86 [16] have also been taken into account where suitable,
especially those functions which were subject to risk analyses and a safety requirement allocation in
D86. Compatibility and consistency with the more recent work in MODSafe shall be achieved when
taking the D86 analyses into account.
Complementary to the IEC 62290 and the MODURBAN analyses, new functions are added or existing
functions are clarified in terms of a more appropriate naming (cf. Figure 13). Especially those functions
which are important for higher grades of automation, such as derailment detection, guideway intrusion
detection or the detection of intruding unequipped trains, have been added. In this way, more recent
developments in this field are taken into account.

Figure 13 General procedure of the elaboration of the list of MODSafe safety functions (flowchart;
recoverable content: the inputs "IEC 62290 function names and structure" and "MODURBAN D86
functions, risk analysis and SIL allocation process" feed the step "Create a list of MODSafe functions"
(reviewed and discussed by WP4, complementing the MODURBAN list), followed by "Select example
functions for WP4", "Check compatibility with MODURBAN analysis results" and "SIL allocation to these
functions", with "Deliverable 4.2" as the output)

Each MODSafe safety function will be analysed according to the grade of automation and therefore
taking into account the operational context of each function. It has been agreed for the project to
concentrate efforts on safety relevant functions. Risk and safety considerations are made primarily for
GOA1 to 4. In GOA0 the driver has full responsibility for safe train separation and for ensuring safe
speed, and no technical management and command/control system is assumed to implement any of
these safety functions. However, some safety functions need to be considered also in GOA0 for
ensuring safe routes, such as partial supervision of switches, single tracks and level crossings.
The generated list of MODSafe safety functions contains the following information:
1. Numbering, which is unique for each MODSafe safety function used within this document
2. Name of safety function, as described in IEC 62290-2 or new if necessary
3. Description of the function
4. Reference, in particular IEC 62290-2 including the appropriate sub-clause. The label New for
MODSafe indicates that these safety functions cannot be found in IEC 62290-2.

7.2.1 Ensure safe movement of trains

7.2.1.1 Ensure safe route

Nr. | Name of safety function | Description | Reference
1 | Check route availability | For the route to be set, the conflict free availability of all determined route elements shall be checked. | IEC 62290-2 5.1.1.1.1-3
2 | Set route | This function is intended to set a route by command provided by operation control HMI or by the function set routes automatically. | IEC 62290-2 5.1.1.1.1
3 | Supervise route | This function is intended to supervise that all conditions for the route are still in place. | IEC 62290-2 5.1.1.1.2
4 | Supervise level crossing as secured | This function is intended to supervise that a level crossing is secured and locked in order to forbid its conflicting use by general road and pedestrian traffic. | New for MODSafe
5 | Lock route | This function is intended to lock the route against route release by operator command if a train is approaching and the movement authority allows entry into route, or a train is within the route. | IEC 62290-2 5.1.1.1.3
6 | Release route | This function is intended to release a route and its elements. | IEC 62290-2 5.1.1.2

7.2.1.2 Ensure safe separation of trains

Nr. | Name of safety function | Description | Reference
7 | Initialise UGTMS reporting trains location | This function is intended to initialise the location of reporting trains which are: stationary in stabling locations; entering UGTMS territory; recovering from localisation failures. | IEC 62290-2 5.1.2.1
8 | Determine train orientation | This function is intended to determine the physical orientation of the train relative to the defined orientation of the track. | IEC 62290-2 5.1.2.2.1
9 | Determine actual train travel direction | This function determines the travel direction of trains. | IEC 62290-2 5.1.2.2.2
10 | Determine train location | This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length. | IEC 62290-2 5.1.2.2.3
11 | Locate non reporting trains by track sections | This function is intended to determine the location of non reporting trains using external devices. | IEC 62290-2 5.1.2.3

7.2.1.3 Determine permitted speed

Nr. | Name of safety function | Description | Reference
12 | Determine static speed profile | This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality, infrastructure constraints (tunnels, bridges, platforms, etc.). | IEC 62290-2 5.1.3.1.1
13 | Determine temporary infrastructure speed restrictions | This function is intended to set and remove temporary speed restrictions for selected areas by operational commands or as result of system reactions. | IEC 62290-2 5.1.3.1.2
14 | Determine permanent rolling stock speed restrictions | This function is intended to determine the maximum permitted speed for each type of rolling stock. | IEC 62290-2 5.1.3.1.3
15 | Determine temporary rolling stock speed restrictions | This function is intended to determine temporary rolling stock speed restrictions due to train failures and to driving modes. | IEC 62290-2 5.1.3.1.4

7.2.1.4 Authorise train movement

Nr. | Name of safety function | Description | Reference
16 | Determine movement authority limit | To ensure safe train movement, this function determines for each train its limit of the movement authority, corresponding to the first danger point ahead of the train. | IEC 62290-2 5.1.4.1
17 | Determine train protection profile | This function determines the train protection profile for all trains to ensure their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point. The train protection profile shall be determined by the applicable safe braking model. | IEC 62290-2 5.1.4.2
18 | Authorise train movement by wayside signals | This function is intended to authorise train movement by wayside signals for non UGTMS-operated trains if conditions of safe route and safe separation are fulfilled. Wayside signals are used to allow mixed traffic or, as one possibility, for degraded operation. | IEC 62290-2 5.1.4.3
19 | Determine a zone of protection | This function is intended to set and remove zones of protection for selected areas by operational command or as result of system reactions. | IEC 62290-2 5.1.4.4
20 | Stopping a train en route | This function is intended to stop a train immediately in case of emergency. | IEC 62290-2 5.1.4.5
21 | Authorise the entry of non-operative UGTMS trains into UGTMS territory | This function is intended to authorise the entry of non-operative UGTMS trains into the UGTMS territory. | IEC 62290-2 5.1.4.6

7.2.1.5 Supervise train movement

Nr. | Name of safety function | Description | Reference
22 | Determine actual train speed | This function is intended to determine the actual train speed. | IEC 62290-2 5.1.5.1
23 | Supervise safe train speed | This function is intended to supervise actual speed against the permitted speed of UGTMS-equipped trains with respect to the train protection profile. | IEC 62290-2 5.1.5.2
24 | Inhibit train stops | This function is intended to avoid UGTMS operating trains to be tripped by train stops. | IEC 62290-2 5.1.5.3
25 | Monitor speed limit at discrete location | This function is intended to monitor external wayside equipment detecting predefined overspeed. | IEC 62290-2 5.1.5.4
26 | Supervise train rollaway | This function is intended to supervise the train in case of rollaway. | IEC 62290-2 5.1.5.5
27 | Immobilisation of train | This function is intended to constrain the train against motion during station stop for passenger exchange. | New for MODSafe
28 | Detect unauthorised movement of non-operative trains | This function is intended to detect unauthorised movements of non-equipped or non-reporting trains. | New for MODSafe
29 | React to unauthorised movement of non-operative trains | This function is intended to react to unauthorised movements of non-operative trains in order to prevent collisions. | IEC 62290-2 5.1.5.6
30 | Detect intruding unequipped train | This function is intended to detect an intrusion of an unequipped train into UGTMS territory. | New for MODSafe

7.2.2 Provide interface with external interlocking

Nr. | Name of safety function | Description | Reference
31 | Provide interface with external interlocking | This function is intended to provide an interface to an external interlocking if the basic function ensure safe route and other functions (e.g. authorise train movement by wayside signals, locate non reporting trains by track sections) are not realised inside UGTMS. | IEC 62290-2 5.1.6

7.2.3 Supervise guideway

7.2.3.1 Prevent collision with obstacles

Nr. | Name of safety function | Description | Reference
32 | Supervise wayside obstacle detection device | This function is intended to supervise external devices in charge of detecting obstacles on the track. | IEC 62290-2 5.3.1.1
33 | Supervise onboard obstacle detection device | This function is intended to supervise the actions of an external onboard obstacle detection device to stop the train in case of collision with obstacle. | IEC 62290-2 5.3.1.2

7.2.3.2 Prevent collision with persons on tracks

Nr. | Name of safety function | Description | Reference
34 | Warn passenger to stay away from the platform edge | This function is intended to warn passengers to stay away from the platform edge if a train is in approach to the platform track. | IEC 62290-2 5.3.2.1
35 | React on emergency stop request from platforms | This function is intended to react to emergency stop requests from platforms initiated by passengers or staff. | IEC 62290-2 5.3.2.2
36 | Supervise platform doors | This function is intended to supervise the closed and locked status of the platform doors if they are not required to be open. | IEC 62290-2 5.3.2.3
37 | Supervise platform tracks | This function is intended to supervise the actions of an external platform track detection device to stop the train in case of intrusion of a person. | IEC 62290-2 5.3.2.4
38 | Supervise border between platform tracks and other tracks | This function is intended to supervise the actions of an external device which supervises both borders of platform tracks, detecting persons which are intruding into the adjacent track areas. | IEC 62290-2 5.3.2.5
39 | Supervise platform end doors | This function is intended to supervise the actions of an external device which supervises doors on both ends of platforms, detecting not permitted opening of doors and intrusion of persons to tracks between stations via that way. | IEC 62290-2 5.3.2.6

7.2.4 Protect staff on track

Nr. | Name of safety function | Description | Reference
40 | Protect staff on track | This function is intended to establish and subsequently remove work zones in order to protect staff on the track. A work zone is set as long as the protection is required. | IEC 62290-2 5.3.3

7.2.5 Supervise passenger transfer

7.2.5.1 Control passenger doors

Nr. | Name of safety function | Description | Reference
41 | Authorise train doors opening | This function is intended to authorise train doors opening regarding all conditions which are required to ensure a safe passenger transfer. | IEC 62290-2 5.4.1.1
42 | Command doors opening | This function is intended to command train doors and platform doors (if installed) opening when opening authorisation conditions are met. | IEC 62290-2 5.4.1.2
43 | Request doors closing | This function is intended to request the train door and platform doors (if installed) closing at stations. | IEC 62290-2 5.4.1.3
44 | Supervise doors closing | This function is intended to supervise the train door and platform door (if installed) closing at stations. | IEC 62290-2 5.4.1.4
45 | Supervise closed and locked status of train doors | This function is intended to supervise the closed and locked status provided by the rolling stock. | IEC 62290-2 5.6.6

7.2.5.2 Prevent person injuries between platform and train

Nr. | Name of safety function | Description | Reference

46  Prevent person injuries between platform and train
    This function is intended to detect persons between platform and train. (Prevented hazards include falling or being trapped between platform and train.)
    Reference: New for MODSafe

47  Prevent person being trapped between platform screen doors and train
    This function is intended to detect persons being trapped between platform screen doors (if installed) and train doors when these are closing.
    Reference: New for MODSafe

7.2.5.3 Prevent person injuries between train cars

Nr. | Name of safety function | Description | Reference

48  Prevent person injuries between train cars
    This function is intended to detect persons between train cars. (Prevented hazards include falling or being trapped between train cars.)
    Reference: New for MODSafe

7.2.5.4 Ensure safe starting conditions

Nr. | Name of safety function | Description | Reference

49  Authorise station departure (safety related conditions)
    This function is intended to verify all prerequisites necessary for a safe station departure.
    Reference: IEC 62290-2 5.4.3.1

50  Authorise station departure (operational conditions)
    This function is intended to verify all prerequisites arising from operational constraints in order to authorise station departure.
    Reference: IEC 62290-2 5.4.3.2

51  Command station departure
    This function is intended to command a train to leave the station when the required operational and safety conditions are met.
    Reference: IEC 62290-2 5.4.3.3

7.2.6 Operate a train

7.2.6.1 Put in or take out of operation

Nr. | Name of safety function | Description | Reference

52  Awake trains
    This function is intended to awake trains which are in stabling locations (in the workshop, in sidings or on the line) before they enter service, by action of the driver or by remote action from the OCC.
    Reference: IEC 62290-2 5.5.1.1

53  Set trains to sleep
    This function is intended to set trains to sleep in stabling locations (in the workshop, in sidings or on the line) after they leave service, by action of the driver or by remote action from the OCC.
    Reference: IEC 62290-2 5.5.1.2

7.2.6.2 Manage driving modes

Nr. | Name of safety function | Description | Reference

54  Manage driving modes
    This function is intended to manage the driving modes of the train.
    Reference: IEC 62290-2 5.5.2

7.2.6.3 Manage movement of trains between two operational stops

Nr. | Name of safety function | Description | Reference

55  Manage movement of trains between two operational stops
    This function is intended to manage the movement of trains on the guideway between stations, taking into account the different operational disturbances which lead to stops outside stations.
    Reference: IEC 62290-2 5.5.3

7.2.6.4 Manage depot and stabling areas

Nr. | Name of safety function | Description | Reference

56  Manage depot and stabling areas
    This function is intended to manage train movement in depots and stabling areas.
    Reference: IEC 62290-2 5.5.4

7.2.6.5 Manage UGTMS transition areas

Nr. | Name of safety function | Description | Reference

57  Manage UGTMS transition areas
    This function is intended to manage train movement from or to UGTMS transition areas.
    Reference: IEC 62290-2 5.5.5

7.2.6.6 Restrict train entry to station

Nr. | Name of safety function | Description | Reference

58  Restrict train entry to station
    This function is intended to prevent the entry of a train into a station when the required operational conditions are not met.
    Reference: IEC 62290-2 5.5.6

7.2.6.7 Manage the platform or siding stopping position of the train

Nr. | Name of safety function | Description | Reference

59  Manage the platform or siding stopping position of the train
    This function is intended to manage different stopping positions of trains per platform or siding for operational reasons.
    Reference: IEC 62290-2 5.5.7

7.2.6.8 Change the travel direction

Nr. | Name of safety function | Description | Reference

60  Change the travel direction
    This function is intended to define the conditions and the process for changing the travel direction of a train.
    Reference: IEC 62290-2 5.5.8

7.2.6.9 Couple and split a train

Nr. | Name of safety function | Description | Reference

61  Couple trains automatically
    This function is intended to automatically join two separate, independently operated trains in a designated coupling area, to be operated as a single train consist.
    Reference: IEC 62290-2 5.5.9.1

62  Split trains / untimely train uncoupling
    This function is intended to split a train consisting of two or more train sets into two separate trains to be operated independently.
    Reference: IEC 62290-2 5.5.9.2

7.2.6.10 Supervise the status of the train

Nr. | Name of safety function | Description | Reference

63  Supervise UGTMS onboard equipment status prior to entering service
    This function is intended to perform all necessary tests on vital equipment during the power-on process or prior to entering UGTMS territory. Generally this function includes only those self tests that deal with the safety of UGTMS and the inputs and outputs necessary for vital operation. Self tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here.
    Reference: IEC 62290-2 5.5.10.1

64  Supervise UGTMS onboard equipment status during operation
    This function is intended to perform all necessary tests during operation of the system. Generally this function includes only those self tests that deal with the safety of the UGTMS application and the inputs and outputs necessary for vital operation. Self tests that are necessary to achieve the safety features of vital processors are not included here.
    Reference: IEC 62290-2 5.5.10.2

65  Test emergency braking performance
    This function is intended to perform a dynamic emergency braking test by commanding emergency braking during motion.
    Reference: IEC 62290-2 5.5.10.3

66  React to detected train equipment failure
    This function is intended to react to train equipment failures, reported by the rolling stock, which impact operation.
    Reference: IEC 62290-2 5.5.10.4

67  Manage traction power supply on train
    This function is intended to manage the traction power supply during train operation (e.g. selection of current collector, AC/DC selection, voltage selection, automatic raising and lowering of pantographs and collector shoes, automatic opening/closing of circuit breakers). This function is for instance applicable if several power systems are fitted on a given line.
    Reference: IEC 62290-2 5.5.11

7.2.7 Ensure detection and management of emergency situations

Nr. | Name of safety function | Description | Reference

68  Detect fire and smoke
    This function is intended to detect fire or smoke onboard a train.
    Reference: New for MODSafe

69  React to detected fire/smoke
    This function is intended to supervise an external onboard fire/smoke detection device in order to report the corresponding emergency conditions to the OCC and to hold the train at the next station or, optionally, at the next evacuation point.
    Reference: IEC 62290-2 5.6.1

70  React to detected or suspected broken rail
    This function is intended to react to a broken rail detected by external devices. It also describes the reaction of UGTMS to suspected broken rails where no broken rail detectors are implemented but track circuits are used as train detection devices.
    Reference: IEC 62290-2 5.6.3

71  Monitor emergency calls
    This function is intended to monitor external emergency calls.
    Reference: IEC 62290-2 5.6.4.1

72  React to passenger alarm device activation
    This function is intended to react to the activation of an external onboard passenger alarm device.
    Reference: IEC 62290-2 5.6.4.2

73  React to emergency release of train doors
    This function is intended to manage the actions following an emergency release request of the train doors. Such a request is triggered by activating an onboard device, if fitted.
    Reference: IEC 62290-2 5.6.4.3

74  Detect loss of train integrity
    This function is intended to detect when a train of two or more cars has parted.
    Reference: New for MODSafe

75  React to loss of train integrity
    This function is intended to react to a loss of train integrity reported by the rolling stock.
    Reference: IEC 62290-2 5.6.5

76  Detect derailment
    This function is intended to detect derailment by means of an external onboard derailment detection device.
    Reference: New for MODSafe

77  Trigger emergency brake
    This function is intended to initiate the application of the emergency brake, e.g. due to detected overspeed or passing a signal at danger.
    Reference: New for MODSafe

8 Allocation of safety integrity requirements

For the allocation of safety requirements to MODSafe safety functions the following procedure is applied, based on the method introduced in clause 5. For each safety function a table is used to analyse the risk of wrong side failures. The table below (see Table 5) shows the structure of the procedure, including advice on how the method is applied.
For the actual application, the MODURBAN deliverable D86 is used as reference, since D86 dealt with the same topic, i.e. the allocation of safety requirements to a list of safety functions. As far as possible, the risk analysis for a MODSafe safety function is conducted in the same way as in D86. This applies mainly to MODSafe safety functions for which the same (or a similar) function has already been treated in D86. For MODSafe safety functions without a comparable D86 function an estimation of the risk is performed as well. Additionally, reference documents such as VDV 161 [17] and VDV 331 [18], which also allocate safety requirements, are used.
In general the application followed this approach:

- Risk parameters are chosen rather pessimistically, so that the results are certainly not too optimistic. One example is the number of passengers in stations or in trains: conservatively, it cannot be excluded that overcrowded situations occur during operation, although they will not happen in usual cases.

- Risk parameters and the resulting requirements for the safety functions shall be generic, so that they are applicable to the majority of European urban guided transport systems as long as these are in line with the functionality of IEC 62290-2. (This, in turn, leads to rather conservative assumptions for the risk parameters.)

- In later phases of the system life cycle (cf. Figure 1) safety integrity levels are allocated to technical equipment. However, staff responsibility is considered as a measure for risk reduction, where appropriate. Functions under the full responsibility of operational staff are not analysed.

- Each safety integrity requirement for a grade of automation represents a value for particular operational circumstances, procedures or possible technical implementations. Where required, these particularities are described for each safety function. Hence, each safety integrity level represents one scenario, which has to be revised for a specific application.

Table 5  Application table: description of the risk analysis parameters

Nr. | Item | Description

1   Number of safety function: Unique reference of the MODSafe safety function used in this deliverable.
2   Name of safety function: Name of the MODSafe safety function.
3   Description: Short description of the MODSafe safety function.
4   Reference of functions: Reference of the document the MODSafe safety function was taken from; in most cases this is IEC 62290-2. "New for MODSafe" indicates that the safety function was created for MODSafe purposes.
5   Reference for risk analysis: Reference where an identical or similar risk analysis of the safety function can be found.
6   Possible wrong side failure: What can be assumed to be the failure which would act as the cause leading to the hazardous situation?
7   Hazardous situation: Conceivable consequence of the possible wrong side failure.
8   Possible hazard consequences / accidents: Accidents as consequences of a hazard are defined as an unintended event or series of events that result in death, injury, loss of system or service, or environmental damage [3].
9   Exposure probability to hazard: Is there good reason to conservatively assume that the subjects of the risk group (e.g. passengers) are exposed to the hazard clearly less than permanently (by orders of magnitude in probability)? [16]
10  Accident probability reduction: Is there good reason to conservatively assume that the evolution of a certain hazard into an accident can be clearly controlled by additional barriers or circumstances (reduction of the rate by orders of magnitude)? [16]
11  Consequence reduction probability: Is there good reason to conservatively assume that the members of the risk group (e.g. passengers, workers or neighbours) can clearly avoid being subject to the hazard (by orders of magnitude) or considerably reduce the potential damage (by severity class)? [16]
12  Severity of consequences due to failure of safety function: The decisive event for estimating the severity of consequences is the assumed accident. The severity of hazard consequences may be expressed as Catastrophic, Critical, Marginal or Insignificant.
13  Initial THR per hour: According to the verbal expression of the severity of hazard consequences an initial tolerable hazard rate can be assumed: Catastrophic corresponds to a THR of 10^-9 /h, Critical to 10^-8 /h, Marginal to 10^-7 /h and Insignificant to 10^-6 /h.
14  Risk reduction factor E: According to the exposure probability, a numerical value of 1, 0.1 or 0.01.
15  Risk reduction factor P: According to the accident probability reduction, a numerical value of 1, 0.1 or 0.01.
16  Risk reduction factor C: According to the consequence reduction probability, a numerical value of 1, 0.1 or 0.01.
17  Final THR: The final THR is calculated by dividing the initial THR (Nr. 13) by the risk reduction factors E, P and C (Nr. 14, 15 and 16), see formula (1): final THR = initial THR / (E x P x C).
18  Final SIL: The safety integrity level is taken from Table 2: THR = 10^-9 /h gives SIL 4, THR = 10^-8 /h gives SIL 3, THR = 10^-7 /h gives SIL 2, THR = 10^-6 /h gives SIL 1.

To illustrate the application of the method allocating safety requirements to MODSafe safety functions
an example is given below. All detailed risk analyses can be found in the annex. All results are
summarised in clause 9.
Table 6  Example application: Determine actual train speed

Number of safety function: 22
Name of safety function: Determine actual train speed
Description: This function is intended to determine the actual train speed.
Reference of functions: IEC 62290-2 5.1.5.1
Reference for risk analysis: MODURBAN D86 - 1.5 Speed determination/calculation
Possible wrong side failure: Undetected too low speed determination. Overspeed cannot be detected because the processed velocity value seems to be correct but is in fact wrong.
Hazardous situation: The train travels above the permitted speed determined by the train protection profile, or beyond the movement authority limits (determination of the distance travelled is part of the function).
Possible hazard consequences / accidents: Collision due to travelling beyond movement authority limits; derailment due to overspeed.
Exposure probability to hazard: Passengers are permanently in the train.
Accident probability reduction: No barrier can be assumed.
Consequence reduction probability: Passengers cannot escape the consequences.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4
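The arithmetic of items 13 to 18 of Table 5, carried through for the two rows the page works out (function 22 in Table 6, and function 2 at GOA0 in Table 9 of the annex), as an added Python example; this is not code from the MODSafe project. The factor values 1, 0.1 and 0.01 are the ones listed in items 14 to 16. Two things are assumptions of the example rather than statements of the deliverable: a final THR coarser than 10^-6 /h is reported as SIL 0, and the third, constructed row (a marginal hazard with all three reductions claimed) is included only to show that case.

```python
"""THR and SIL allocation following items 12 to 18 of Table 5.

Added example for this page, not code from the MODSafe project.
Assumptions the page does not state: a final THR coarser than 1e-6/h
is reported as SIL 0, and E, P and C may only take the values 1, 0.1
and 0.01 listed in items 14 to 16.
"""
import math
from dataclasses import dataclass

# Item 13: initial tolerable hazard rate per hour by severity class.
INITIAL_THR = {
    "Catastrophic": 1e-9,
    "Critical": 1e-8,
    "Marginal": 1e-7,
    "Insignificant": 1e-6,
}

# Item 18 (Table 2): decimal exponent of the final THR -> SIL.
SIL_BY_EXPONENT = {-9: 4, -8: 3, -7: 2, -6: 1}

# Items 14 to 16: permitted values of the risk reduction factors.
ALLOWED_FACTORS = (1.0, 0.1, 0.01)


@dataclass(frozen=True)
class Allocation:
    severity: str
    initial_thr: float
    final_thr: float
    exponent: int  # decimal exponent of final_thr, e.g. -8 for 1e-8/h
    sil: int       # 0 is the assumed value for a THR coarser than 1e-6/h


def _check_factor(name: str, value: float) -> float:
    """Reject factor values outside the three values the method allows."""
    if not any(math.isclose(value, allowed) for allowed in ALLOWED_FACTORS):
        raise ValueError(f"{name} must be one of {ALLOWED_FACTORS}, got {value}")
    return float(value)


def allocate(severity: str, exposure: float, accident_reduction: float,
             consequence_reduction: float) -> Allocation:
    """Item 17: final THR = initial THR / (E * P * C); item 18: THR -> SIL."""
    if severity not in INITIAL_THR:
        raise ValueError(f"unknown severity class {severity!r}")
    e = _check_factor("E", exposure)
    p = _check_factor("P", accident_reduction)
    c = _check_factor("C", consequence_reduction)
    initial = INITIAL_THR[severity]
    final = initial / (e * p * c)
    # All factors are powers of ten, so the final THR is one as well; round
    # away the floating point noise of the division before the table lookup.
    exponent = round(math.log10(final))
    # Assumption: Table 2 stops at 1e-6/h (SIL 1). Anything coarser is
    # reported as SIL 0, the case clause 9.1 describes.
    sil = SIL_BY_EXPONENT.get(exponent, 0)
    return Allocation(severity, initial, final, exponent, sil)


# Rows taken from the page (Table 6, and Table 9 of the annex), plus one
# constructed row that is not on the page and leaves the SIL band.
EXAMPLE_ROWS = [
    ("22 Determine actual train speed, GOA1-GOA4", "Catastrophic", 1, 1, 1),
    ("2 Set route, GOA0 (on-sight driver as barrier)", "Catastrophic", 1, 0.1, 1),
    ("constructed: Marginal with E, P, C all 0.1", "Marginal", 0.1, 0.1, 0.1),
]


def allocation_table(rows=EXAMPLE_ROWS):
    """Return (label, final THR in /h, SIL) for every row."""
    result = []
    for label, severity, e, p, c in rows:
        a = allocate(severity, e, p, c)
        result.append((label, a.final_thr, a.sil))
    return result


if __name__ == "__main__":
    for label, thr, sil in allocation_table():
        print(f"{label:48s} final THR {thr:.0e}/h -> SIL {sil}")
```

Because E, P and C are all at most 1, the division can only make the final THR coarser, so the SIL can only drop relative to the one implied by the severity class. A row that leaves the 10^-9 to 10^-6 /h band is the situation clause 9.1 labels SIL 0; the example reports it as such instead of silently clamping to SIL 1, and it rejects factor values the method does not define rather than interpolating between them.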

9 Overview of results

This clause summarises the results of the allocation of safety requirements to MODSafe safety functions.

9.1 Table of safety requirements for MODSafe safety functions

Entries marked "see D4.3" are to be verified in MODSafe deliverable D4.3, which will settle whether these functions act in a low demand or in a continuous mode of operation; for these functions safety requirements cannot be allocated with the method proposed here.
Entries marked "---": no SIL is allocated, either because the function is assumed not to be a safety function or because it is excluded from the analysis.
Entries of SIL 0: these functions are assumed to be safety relevant and have to be fulfilled according to the relevant standards.
All results are covered in the following table, which lists all MODSafe safety functions and the safety requirements associated with each grade of automation.

Table 7  List of safety requirements for MODSafe safety functions (safety integrity level per grade of automation)

Nr. | Safety function | GOA0 | GOA1 | GOA2 | GOA3 | GOA4

Ensure safe movement of trains
(1) | Check route availability | --- | 4 | 4 | 4 | 4
(2) | Set route | 3 | 4 | 4 | 4 | 4
(3) | Supervise route | --- | 4 | 4 | 4 | 4
(4) | Supervise level crossing as secured | --- | 3 | 3 | --- | ---
(5) | Lock route | --- | 4 | 4 | 4 | 4
(6) | Release route | --- | 4 | 4 | 4 | 4
(7) | Initialise UGTMS reporting trains location | --- | 4 | 4 | 4 | 4
(8) | Determine train orientation | --- | 4 | 4 | 4 | 4
(9) | Determine actual train travel direction | --- | 4 | 4 | 4 | 4
(10) | Determine train location | --- | 4 (with wayside signals) | 4 | 4 | 4
(11) | Locate non reporting trains by track sections | --- | 4 | 4 | 4 | 4
(12) | Determine static speed profile | --- | 3 (with wayside signals) | 4 | 4 | 4
(13) | Determine temporary infrastructure speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(14) | Determine permanent rolling stock speed restrictions | --- | 4 | 4 | 4 | 4
(15) | Determine temporary rolling stock speed restrictions | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(16) | Determine movement authority limit | --- | 3 (with wayside signals) | 4 | 4 | 4
(17) | Determine train protection profile | --- | 3 (with wayside signals) | 4 | 4 | 4
(18) | Authorise train movement by wayside signals | 2 (single track operation); 3-4 (indicate position of switches) | 4 | 4 (mixed operation) | 4 (mixed operation) | 4 (mixed operation)
(19) | Determine a zone of protection | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(20) | Stopping a train en route | --- | GOA1 to GOA4: covered by Trigger emergency brake
(21) | Authorise the entry of non-operative UGTMS trains into UGTMS territory | --- | 4 | 4 | 4 | 4
(22) | Determine actual train speed | --- | 3 (with wayside signals containing allowed speed) | 4 | 4 | 4
(23) | Supervise safe train speed | --- | 3 (with wayside signals) | 4 | 4 | 4
(24) | Inhibit train stops | --- | 3 | 3 | 3 | 3
(25) | Monitor speed limit at discrete location | --- | 3 | --- | --- | ---
(26) | Supervise train rollaway | --- | 4 | 4 | 4 | 4
(27) | Immobilisation of train | --- | GOA1 to GOA4: covered by Authorise station departure (safety related conditions)
(28) | Detect unauthorised movement of non-operative trains | --- | GOA1 to GOA4: covered by Locate non reporting trains by track sections
(29) | React to unauthorised movement of non-operative trains | --- | 4 | 4 | 4 | 4
(30) | Detect intruding unequipped train | --- | GOA1 to GOA4: covered by Locate non reporting trains by track sections
(31) | Provide interface with external interlocking | --- | 4 | 4 | 4 | 4

Supervising guideway
(32) | Supervise wayside obstacle detection devices | --- | --- | --- | see D4.3 | see D4.3
(33) | Supervise onboard obstacle detection device | --- | --- | --- | see D4.3 | see D4.3
(34) | Warn passenger to stay away from the platform edge | --- | --- | --- | --- | ---
(35) | React on emergency stop request from platforms | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(36) | Supervise platform doors (medium number of passengers) | --- | 1-2 | 1-2 | 2-3 | 2-3
(36) | Supervise platform doors (overcrowded situation) | --- | 2-3 | 2-3 | 3-4 | 3-4
(37) | Supervise platform tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(38) | Supervise border between platform tracks and other tracks | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(39) | Supervise platform end doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(40) | Protect staff on track | --- | 2 | 2 | 2 | 2

Supervise passenger transfer
(41) | Authorise train doors opening (medium number of passengers) | --- | 2-3 | 2-3 | 2-3 | 2-3
(41) | Authorise train doors opening (overcrowded situation) | --- | 3-4 | 3-4 | 3-4 | 3-4
(42) | Command doors opening | --- | --- | --- | --- | ---
(43) | Request doors closing | --- | --- | --- | --- | ---
(44) | Supervise doors closing | --- | GOA1 to GOA4: covered by Supervise closed and locked status of train doors and by Supervise platform doors
(45) | Supervise closed and locked status of train doors (medium number of passengers) | --- | 2 | 2 | 2 | 2
(45) | Supervise closed and locked status of train doors (overcrowded situation) | --- | 3 | 3 | 3 | 3
(46) | Prevent person injuries between platform and train (operational staff supervision) | --- | 0-1 | 0-1 | 0-1 | 0-1
(46) | Prevent person injuries between platform and train (no staff responsibility) | --- | 1-2 | 1-2 | 1-2 | 1-2
(47) | Prevent person being trapped between platform screen doors and train | --- | 3 | 3 | 3 | 3
(48) | Prevent person injuries between train cars | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(49) | Authorise station departure (safety related conditions) | --- | GOA1 to GOA4: covered by Supervise closed and locked status of train doors
(50) | Authorise station departure (operational conditions) | --- | --- | --- | --- | ---
(51) | Command station departure | --- | --- | --- | --- | ---

Operating a train
(52) | Awake trains | --- | --- | --- | --- | ---
(53) | Set trains to sleep | --- | --- | --- | --- | ---
(54) | Manage driving modes | --- | --- | --- | --- | ---
(55) | Manage movement of trains between two operational stops | --- | --- | --- | --- | ---
(56) | Manage depot and stabling areas | --- | --- | --- | --- | ---
(57) | Manage UGTMS transition areas | --- | --- | --- | --- | ---
(58) | Restrict train entry to station | --- | --- | --- | --- | ---
(59) | Manage the platform or siding stopping position of the train | --- | --- | --- | --- | ---
(60) | Change the travel direction | --- | --- | --- | --- | ---
(61) | Couple trains automatically | --- | --- | --- | --- | ---
(62) | Split trains / untimely uncoupling protection | --- | --- | --- | --- | ---
(63) | Supervise UGTMS onboard equipment status prior to entering service | --- | 4 | 4 | 4 | 4
(64) | Supervise UGTMS onboard equipment status during operation | --- | 4 | 4 | 4 | 4
(65) | Test emergency brake performance | --- | 4 | 4 | 4 | 4
(66) | React to detected train equipment failure | --- | GOA1 to GOA4: covered by Trigger emergency brake
(67) | Manage traction power supply on train | --- | --- | --- | --- | ---

Ensure detection and management of emergency situations
(68) | Detect fire and smoke | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(69) | React to detected fire/smoke | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(70) | React to detected or suspected broken rail | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(71) | Monitor emergency calls | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(72) | React to passenger alarm device activation | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(73) | React to emergency release of train doors | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(74) | Detect loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(75) | React to loss of train integrity | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(76) | Detect derailment | --- | see D4.3 | see D4.3 | see D4.3 | see D4.3
(77) | Trigger emergency brake | --- | 3 | 3 | 4 | 4

9.2 Conclusion

With respect to the method described in clause 5, it can be stated that the method can be applied consistently.
Where the functional descriptions of MODURBAN deliverable D86 and the MODSafe safety functions are similar, the safety requirements are transferred to this deliverable. For all other functions a risk and safety consideration is performed.
Safety requirements are not allocated to safety functions which are assumed not to work in continuous mode of operation, since the method for SIL allocation does not fully reflect all aspects that should be considered for that mode of operation.
For some MODSafe safety functions no safety requirements are estimated, because these functions are either assumed not to be safety functions, are covered by other safety functions, or are excluded.
Finally, the results in the table of safety requirements for MODSafe safety functions can be considered as a recommendation for appropriate urban guided rail systems.
Regarding the possibility that several levels could be allocated to a given function in the final SIL allocation (depending on the context of application of this function), it shall be noted that the following points are not considered in this deliverable:

- Will suppliers produce a portfolio of products covering the same function with different SILs?

- Will an operator on a given line use different equipment (according to the SIL) for implementing the same function, for example according to the number of passengers in stations?

10 Annex: Allocation of safety requirements to MODSafe safety functions

This annex provides the detailed risk and safety considerations made for the MODSafe safety functions. In principle, the goal is to provide a single application table for each safety function and each grade of automation. However, where appropriate, application tables are combined for the relevant grades of automation.
Functions which do not act in a clearly continuous mode of operation are not analysed in this deliverable. It has been agreed that further analyses will be developed in MODSafe D4.3, which may lead to a revision of MODSafe D4.2 at the end of the project.

10.1 Ensure safe movement of trains

10.1.1 Ensure safe route

According to Table 4 (Grades of automation according to IEC 62290-1), the safety functions to ensure a safe route are realised by the technical system for grades of automation 1 to 4 and partly for GOA0.

10.1.1.1 Check route availability

Table 8  RA Check route availability for GOA1 to GOA4

Number of safety function: 1
Name of safety function: Check route availability
Description: For the route to be set, the availability of all determined route elements shall be checked. A route element is available if it is neither used for another route nor blocked against route setting.
Reference of functions: IEC 62290-2 5.1.1.1.1-3/4
Reference for risk analysis: None
Possible wrong side failure: A route is deemed not used for another route or not blocked against route setting, but in fact it conflicts with another route or is blocked against route setting.
Associated hazard: Conflicting use of a route; route leads into an area not blocked or inhibited for use (e.g. not blocked for maintenance).
Possible hazard consequences / accidents: Collision with another train; derailment in an area not blocked or inhibited for use; collision with maintenance staff or maintenance vehicles.
Exposure probability to hazard: Passengers are permanently onboard trains.
Accident probability reduction: No barrier can be assumed.
Consequence reduction probability: Passengers cannot escape from the hazard consequences.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.1.2 Set route

Table 9  RA Set route for GOA0

Number of safety function: 2
Name of safety function: Set route
Description: This function is intended to set a route by command provided by the operation control HMI or by the function "set routes automatically". For GOA0: check permission for movement of route elements (valid for single point control applications only).
Reference of functions: None
Reference for risk analysis: None
Possible wrong side failure: The status of a movable route element is lost.
Hazardous situation: Train movement over unsecured route elements.
Possible hazard consequences / accidents: Derailment
Exposure probability to hazard: Passengers are permanently onboard trains.
Accident probability reduction: Operational procedures for on-sight train operation are considered. It is assumed that the train driver recognises a train on the switch and does not give any command to move the movable route element.
Consequence reduction probability: Passengers cannot escape from the hazard consequences.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 10 RA Set route for GOA1 to GOA4

Number of safety function: 2
Name of safety function: Set route
Description: This function is intended to set a route by command provided by the operation control HMI or by the function "set routes automatically".
Reference of functions: IEC 62290-2 5.1.1.1.1
Reference for risk analysis: None
Possible wrong side failure: Movable route element is deemed not occupied by a train, not locked or not blocked against movement
Hazardous situation: Movable route element moves even if the safety conditions for movement are not met
Possible hazard consequences / accidents: Derailment
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.1.3 Supervise route

Table 11 RA Supervise route for GOA1 to GOA4

Number of safety function: 3
Name of safety function: Supervise route
Description: This function is intended to supervise that all conditions for the route are still in place. UGTMS shall supervise that the determined route elements are confirmed and locked in the required position.
Reference of functions: IEC 62290-2 5.1.1.1.2
Reference for risk analysis: None
Possible wrong side failure: Route elements have no safe status, but the route seems to be supervised in safe condition
Hazardous situation: Train movement into unsecured route
Possible hazard consequences / accidents: Derailment due to overspeed or moving switch while train is passing; Collision with oncoming train or flank movement
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.1.4 Supervise level crossing as secured

Table 12 RA Supervise level crossing as secured for GOA1 and GOA2

Number of safety function: 4
Name of safety function: Supervise level crossing as secured
Description: This function is intended to supervise that a level crossing is secured and locked in order to forbid its conflicting use by general road and pedestrian traffic.
Reference of functions: New for MODSAFE
Reference for risk analysis: VDV 331 - 3.2.9
Possible wrong side failure: Level crossing is wrongly reported as secured as precondition for movement authority
Hazardous situation: Conflicting use by road and pedestrian traffic while the train is approaching and passing
Possible hazard consequences / accidents: Collision with vehicles on level crossing
Exposure probability to hazard: Passengers are permanently in trains (possibly dependent on the frequency of road and pedestrian traffic)
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Observation of guideway by train driver
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 0,1
Final THR: 10^-8
Final SIL: SIL 3

10.1.1.5 Lock route

Table 13 RA Lock route for GOA1 to GOA4

Number of safety function: 5
Name of safety function: Lock route
Description: This function is intended to lock the route against route release by operator command if a train is approaching and the movement authority allows entry into the route, or a train is within the route.
Reference of functions: IEC 62290-2 5.1.1.1.3
Reference for risk analysis: None
Possible wrong side failure: Route locking on approach is missing; unintended route release or route release by operator's request is possible
Hazardous situation: Train movement into unsecured route
Possible hazard consequences / accidents: Derailment due to overspeed or moving switch while train is passing; Collision with oncoming train or flank movement
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.1.6 Release route

Table 14 RA Release route for GOA1 to GOA4

Number of safety function: 6
Name of safety function: Release route
Description: This function is intended to release a route and its elements.
Reference of functions: IEC 62290-2 5.1.1.2
Reference for risk analysis: None
Possible wrong side failure: Unintended route release even though the route shall be locked; Release of route elements before the train has left the relevant route elements
Hazardous situation: Train movement into unsecured route
Possible hazard consequences / accidents: Derailment due to overspeed or moving switch while train is passing; Collision with oncoming train or flank movement
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.2 Ensure safe separation of trains

According to Table 4 (Grades of automation according to IEC 62290-1), safety functions to ensure safe separation of trains are realised by the technical system for grades of automation 1 to 4. Localisation or detection of trains, as the basic condition for safe train separation, can be done:

- by reporting trains;
- by wayside equipment (e.g. axle counters, track circuits).

The specific safety functions listed below are regarded as the primary localisation/detection device. (If wayside equipment is used as a secondary device for fall-back operation, the risk allocation might be subject to change, since fall-back operation can be seen as a rare event.)

10.1.2.1 Initialise UGTMS reporting trains location

Assumed scenario: The UGTMS train location determination function is self-initialising, without requiring manual input of train location or train length data. Wayside equipment shall provide an absolute position reference to the onboard equipment (cf. IEC 62290-2 5.1.2.1-4).
This function is relevant only for systems providing their location by reporting trains.

Table 15 RA Initialise UGTMS reporting trains location for GOA1 to GOA4

Number of safety function: 7
Name of safety function: Initialise UGTMS reporting trains location
Description: This function is intended to initialise the location of reporting trains which are:
  - stationary in stabling locations,
  - entering UGTMS territory,
  - recovering from localisation failures.
Reference of functions: IEC 62290-2 5.1.2.1
Reference for risk analysis: VDV 331 - 3.9.1
Possible wrong side failure: Train initialises its location wrongly
Hazardous situation: Train is at a location other than the one actually reported.
  1st - train with failure determines a wrong danger point for safe separation with the following train
  2nd - train with failure determines a wrong position relative to the train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences / accidents: Collision due to insufficient train separation; Derailment due to unsupervised movement
Exposure probability to hazard: Passengers are permanently on board the train (considering wrong side failures while the train enters UGTMS territory or during recovery from localisation failures). If the wrong side failure occurs in stabling areas, passengers are not necessarily on board the train. However, wrongly localised trains may jeopardise regularly operating trains (e.g. flank collision). No risk reduction can be assumed.
Accident probability reduction: No barrier can be assumed (even for staff on board the train it may be too late to react to e.g. excessive speed or train movement over unlocked switches)
Consequence reduction probability: Passenger cannot escape from hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.2.2 Determine train orientation

This function is relevant only for systems providing their location by reporting trains.
Table 16 RA Determine train orientation for GOA1 to GOA4

Number of safety function: 8
Name of safety function: Determine train orientation
Description: This function is intended to determine the physical orientation of the train relative to the defined orientation of the track.
Reference of functions: IEC 62290-2 5.1.2.2.1
Reference for risk analysis: None
Possible wrong side failure: Wrong determination of train orientation remains unnoticed (e.g. positive instead of negative train orientation is processed)
Hazardous situation:
  1st - Train doors open on the wrong side for passenger exchange
  2nd - Wrong determination of rear and front end of the train; trains may get too close to one another
Possible hazard consequences / accidents: Even in low headway operation, wrong determination of front and rear end of the train may lead to collision
Exposure probability to hazard: Passengers are permanently on the train
Accident probability reduction: No barrier can be assumed (it cannot conservatively be assumed that operational staff recognise a wrong train orientation)
Consequence reduction probability: Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.2.3 Determine actual train travel direction

This function is relevant only for systems providing their location by reporting trains.
Table 17 RA Determine actual train travel direction for GOA1 to GOA4

Number of safety function: 9
Name of safety function: Determine actual train travel direction
Description: This function determines the travel direction of trains.
Reference of functions: IEC 62290-2 5.1.2.2.2
Reference for risk analysis: MODURBAN D86 1.7 Travel direction measurement
Possible wrong side failure: Train travels undetected in the wrong travel direction
Hazardous situation: Trains may get too close; Trains may drive over unlocked switches at inadequate speed
Possible hazard consequences / accidents: Collision; Derailment
Exposure probability to hazard: Passengers are permanently in trains
Accident probability reduction: In case of an undetected wrong travel direction, no further barrier can conservatively be assumed to reduce consequences. Routine checks, such as unexpected position reports, may come too late.
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.2.4 Determine train location

This function is relevant for systems with reporting trains.


Table 18 RA Determine train location for GOA1 (with wayside signals)

Number of safety function: 10
Name of safety function: Determine train location
Description: This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length.
Reference of functions: IEC 62290-2 5.1.2.2.3
Reference for risk analysis: (MODURBAN D86 1.3/1.4); VDV 331 - 3.9.8
Possible wrong side failure: Train determines its location wrongly or is undetected
Hazardous situation: Train with failure determines a wrong position relative to the train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences / accidents: Collision due to insufficient train separation; Derailment due to unsupervised movement
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

Table 19 RA Determine train location for GOA1 to GOA4 (without wayside signals)

Number of safety function: 10
Name of safety function: Determine train location
Description: This function is intended to determine the location of all UGTMS equipped trains according to the train orientation and train length.
Reference of functions: IEC 62290-2 5.1.2.2.3
Reference for risk analysis: (MODURBAN D86 1.3/1.4); VDV 331 - 3.9.8
Possible wrong side failure: Train determines its location wrongly or is undetected
Hazardous situation: Train with failure determines a wrong position relative to the train protection profile to be followed (wrong distance to movement authority limits or speed restriction areas)
Possible hazard consequences / accidents: Collision due to insufficient train separation; Derailment due to unsupervised movement
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.2.5 Locate non reporting trains by track sections

This function is relevant if track sections are used as primary detection device in all grades of
automation.
Table 20 RA Locate non reporting trains by track sections for GOA1 to GOA4

Number of safety function: 11
Name of safety function: Locate non reporting trains by track sections
Description: This function is intended to determine the location of non reporting trains using external devices.
Reference of functions: IEC 62290-2 5.1.2.3
Reference for risk analysis: MODURBAN D86 3.1 Unequipped train presence detection; VDV 331 - 3.1.1
Possible wrong side failure: Occupied status of track section based on external devices (e.g. track circuits, axle counter) fails
Hazardous situation:
  1st - no danger point based on presence of train is determined
  2nd - movable route element is occupied by a train
Possible hazard consequences / accidents: Collision due to insufficient train separation; Derailment due to movement of movable route elements (in case of movements without locked routes)
Exposure probability to hazard: Passengers are permanently on board of equipped trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape hazard consequences (it cannot conservatively be assumed that the train driver notices the wrong occupancy status of a track section; hence triggering the emergency brake will come too late once the danger point is recognised as being too close)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.3 Determine permitted speed

10.1.3.1 Determine static speed profile

This function is relevant for systems providing train protection profile.


Table 21 RA Determine static speed profile for GOA1 (with wayside signals)

Number of safety function: 12
Name of safety function: Determine static speed profile
Description: This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality, and infrastructure constraints (tunnels, bridges, platforms, etc.).
Reference of functions: IEC 62290-2 - 5.1.3.1.1
Reference for risk analysis: None
Possible wrong side failure: Too high speed allowed on the relevant track section; Unprocessed infrastructure change; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits, as a basic condition for the train protection profile, may lead to excessive speed
Possible hazard consequences / accidents: Collision, because overspeed may lead to travelling beyond the movement authority limit; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: The train driver is responsible for regarding wayside signals containing the allowed speed and the relevant signal aspects while driving the train.
Consequence reduction probability: Passenger cannot escape consequences. It cannot conservatively be assumed that operational staff on board the train are able to notice overspeed early enough and to trigger the emergency brake so as to reduce the severity of consequences significantly.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0,1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 22 RA Determine static speed profile for GOA1 to GOA4 (without wayside signals)

Number of safety function: 12
Name of safety function: Determine static speed profile
Description: This function determines the static speed profiles, which are based on infrastructure data such as track geometry and quality, and infrastructure constraints (tunnels, bridges, platforms, etc.).
Reference of functions: IEC 62290-2 - 5.1.3.1.1
Reference for risk analysis: None
Possible wrong side failure: Too high speed allowed on the relevant track section; Unprocessed infrastructure change; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits, as a basic condition for the train protection profile, may lead to excessive speed
Possible hazard consequences / accidents: Collision, because overspeed may lead to travelling beyond the movement authority limit; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier assumed
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.3.2 Determine temporary infrastructure speed restrictions

This safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.1.3.3 Determine permanent rolling stock speed restrictions

This function is relevant for systems providing train protection profiles, in other cases the function
might be realised by rolling stock.
Table 23 RA Determine permanent rolling stock speed restrictions for GOA1 to GOA4

Number of safety function: 14
Name of safety function: Determine permanent rolling stock speed restrictions
Description: This function is intended to determine the maximum permitted speed for each type of rolling stock.
Reference of functions: IEC 62290-2 5.1.3.1.3
Reference for risk analysis: None
Possible wrong side failure: Too high speed allowed for a class or configuration of trains (systematic failure); Unprocessed change of train configuration; Wrong change/configuration management
Hazardous situation: Wrong determination of speed limits / train protection profile may lead to excessive speed (undetected overspeed)
Possible hazard consequences / accidents: Collision; Derailment
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier assumed
Consequence reduction probability: Passenger cannot escape consequences. It cannot conservatively be assumed that operational staff (if present) are able to notice overspeed early enough to trigger the emergency brake so as to reduce the severity of consequences significantly.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.3.4 Determine temporary rolling stock speed restrictions

This function is assumed to work only in rare degraded modes of operation and is the subject of MODSafe deliverable 4.3.

10.1.4 Authorise train movement

10.1.4.1 Determine movement authority limit

This function is relevant for systems providing train protection profiles.

Table 24 RA Determine movement authority limit for GOA1 (with wayside signals)

Number of safety function: 16
Name of safety function: Determine movement authority limit
Description: To ensure safe train movement, this function determines for each train its limit of movement authority, corresponding to the first danger point ahead of the train.
Reference of functions: IEC 62290-2 5.1.4.1
Reference for risk analysis: MODURBAN D86 4.3 Determine and communicate train movement authority
Possible wrong side failure: Wrong determination of the movement authority limit as a basic condition for the train protection profile (unnoticed movement beyond danger point)
Hazardous situation: Movements beyond movement authority limits (e.g. end of route, rear end of train, end of track, zone of protection, etc.)
Possible hazard consequences / accidents: Collision with other train or infrastructure; Derailment due to entering unsecured routes
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: The train driver is responsible for regarding wayside signals and the relevant signal aspects while driving the train.
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0,1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 25 RA Determine movement authority limit for GOA1 to GOA4 (without wayside signals)

Number of safety function: 16
Name of safety function: Determine movement authority limit
Description: To ensure safe train movement, this function determines for each train its limit of movement authority, corresponding to the first danger point ahead of the train.
Reference of functions: IEC 62290-2 5.1.4.1
Reference for risk analysis: MODURBAN D86 4.3 Determine and communicate train movement authority; (VDV 331 3.9.5)
Possible wrong side failure: Wrong determination of the movement authority limit as a basic condition for the train protection profile (unnoticed movement beyond danger point)
Hazardous situation: Movements beyond movement authority limits (e.g. end of route, rear end of train, end of track, zone of protection, etc.)
Possible hazard consequences / accidents: Collision with other train or infrastructure; Derailment due to entering unsecured routes
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.4.2 Determine train protection profile

This function is relevant for systems providing train protection profile.

Table 26 RA Determine train protection profile for GOA1 (with wayside signals)

Number of safety function: 17
Name of safety function: Determine train protection profile
Description: This function determines the train protection profile for all trains to ensure that their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point. The train protection profile shall be determined by the applicable safe braking model.
Reference of functions: IEC 62290-2 5.1.4.2
Reference for risk analysis: (MODURBAN D86 - 4.8 Safe speed limits); VDV 331 3.9.10
Possible wrong side failure: Wrong determination of the train protection profile taking into account the safe braking model:
  1st - Wrong safety distance to target points
  2nd - Wrong consideration of the allowed speed within the area covered by the movement authority, taking into account all static and temporary wayside or rolling stock conditions
Hazardous situation: Wrong determination of permitted speed causes overspeed and too short braking distances relative to existing danger points
Possible hazard consequences / accidents: Collision due to insufficient braking distances; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: The train driver is responsible for regarding wayside signals and the relevant signal aspects while driving the train (the location of signals represents the relevant movement authority limits)
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0,1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 27 RA Determine train protection profile for GOA1 to GOA4 (without wayside signals)

Number of safety function: 17
Name of safety function: Determine train protection profile
Description: This function determines the train protection profile for all trains to ensure that their limits of movement authority and authorised speeds are never exceeded. The train protection profile terminates at a target point. The train protection profile shall be determined by the applicable safe braking model.
Reference of functions: IEC 62290-2 5.1.4.2
Reference for risk analysis: (MODURBAN D86 - 4.8 Safe speed limits); VDV 331 3.9.10
Possible wrong side failure: Wrong determination of the train protection profile taking into account the safe braking model:
  1st - Wrong safety distance to target points
  2nd - Wrong consideration of the allowed speed within the area covered by the movement authority, taking into account all static and temporary wayside or rolling stock conditions
Hazardous situation: Wrong determination of permitted speed causes overspeed and too short braking distances relative to existing danger points
Possible hazard consequences / accidents: Collision due to insufficient braking distances; Derailment due to overspeed
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.4.3 Authorise train movement by wayside signals

This function is relevant for systems providing movement instructions by wayside signals:

- in GOA0, to allow train movement in accordance with the rules for train operation on sight;
- in GOA1, as the primary movement authority.

Table 28 RA Authorise train movement by wayside signals for GOA0 (single track operation)

Number of safety function: 18
Name of safety function: Authorise train movement by wayside signals
Description: This function is intended to authorise train movement by wayside signals under the rules for train operation on sight, if the single track section is not reserved for or occupied by an approaching train.
Reference of functions: None
Reference for risk analysis: VDV 331 2.3
Possible wrong side failure: Signal displays a movement authority inadvertently
Hazardous situation: Train movement is allowed while the necessary conditions are not met. In single track operation two trains would enter one track section in conflicting travel directions.
Possible hazard consequences / accidents: Collision with other train (due to on-sight train operation the severity of consequences is assumed to be critical)
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: It is assumed that in on-sight train operation the train driver notices the hazardous situation and reduces the accident probability.
Consequence reduction probability: Passenger cannot escape consequences
Severity of consequences due to failure of safety function: Critical
Initial THR per hour: 10^-8
Risk reduction factors: E = 1, P = 0,1, C = 1
Final THR: 10^-7
Final SIL: SIL 2

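The same three-factor derivation is repeated in every risk analysis table of this section (Tables 28 to 46): the severity fixes an initial tolerable hazard rate (THR), each risk reduction factor E, P or C of 0.1 relaxes that rate by one decade, and the final THR is mapped to a SIL band. The following Python script is an added example, not part of the MODSafe deliverable, that reproduces this derivation and checks it against rows transcribed from these tables. The class and function names, the rows chosen, and the handling of rates of 10^-5/h or above (returned as 0, i.e. below SIL 1) are assumptions of the example; the THR-to-SIL bands are those of EN 50129 and match the values the tables print.

```python
"""Added example (not part of the MODSafe deliverable D4.2): reproduces the
THR -> SIL derivation used in the risk analysis tables of this section.

Assumptions made by this example:
  - Initial THR by severity: Critical -> 1e-8/h, Catastrophic -> 1e-9/h
    (as used in Tables 28 to 46).
  - Final THR = Initial THR / (E * P * C); each factor of 0.1 relaxes the
    tolerable hazard rate by one decade.
  - THR-to-SIL bands of EN 50129 (the tables' results follow them):
    1e-9 <= THR < 1e-8 -> SIL 4, 1e-8 <= THR < 1e-7 -> SIL 3,
    1e-7 <= THR < 1e-6 -> SIL 2, 1e-6 <= THR < 1e-5 -> SIL 1.
    A final THR of 1e-5/h or above is below SIL 1 and is returned as 0.
"""
import math
from dataclasses import dataclass

INITIAL_THR = {"Critical": 1e-8, "Catastrophic": 1e-9}

# SIL by decimal exponent of the final THR (per hour)
SIL_BY_EXPONENT = {-9: 4, -8: 3, -7: 2, -6: 1}


@dataclass(frozen=True)
class RiskCase:
    """One column of a risk analysis table."""
    severity: str
    E: float = 1.0  # exposure probability reduction factor
    P: float = 1.0  # accident probability reduction factor
    C: float = 1.0  # consequence reduction factor

    def final_thr(self) -> float:
        """Tolerable hazard rate per hour after crediting the reductions."""
        reduction = self.E * self.P * self.C
        if not 0.0 < reduction <= 1.0:
            raise ValueError("E, P and C must each lie in (0, 1]")
        return INITIAL_THR[self.severity] / reduction

    def final_sil(self) -> int:
        """SIL band of the final THR; 0 means less demanding than SIL 1."""
        # Work on the decade so that 1e-8 / 0.1 is treated as exactly 1e-7.
        exponent = round(math.log10(self.final_thr()))
        return SIL_BY_EXPONENT.get(exponent, 0)


def evaluate(severity: str, E: float = 1.0, P: float = 1.0, C: float = 1.0):
    """Return (final THR per hour, SIL) for one table column."""
    case = RiskCase(severity, E, P, C)
    return case.final_thr(), case.final_sil()


# Rows transcribed from this section's tables (label -> severity, E, P, C)
TABLE_ROWS = {
    "Table 28 GOA0 on sight":         ("Critical",     1.0, 0.1, 1.0),
    "Table 30 GOA1 wayside signals":  ("Catastrophic", 1.0, 1.0, 1.0),
    "Table 41 Critical case 1":       ("Critical",     0.1, 1.0, 0.1),
    "Table 41 Catastrophic case 2":   ("Catastrophic", 1.0, 1.0, 0.1),
    "Table 43 staff on track":        ("Catastrophic", 0.1, 1.0, 0.1),
}


def summarise() -> dict:
    """Map each transcribed row to (decimal exponent of final THR, SIL)."""
    result = {}
    for label, (severity, E, P, C) in TABLE_ROWS.items():
        thr, sil = evaluate(severity, E, P, C)
        result[label] = (round(math.log10(thr)), sil)
    return result


if __name__ == "__main__":
    for label, (exponent, sil) in summarise().items():
        print(f"{label:32s} final THR 10^{exponent}/h -> SIL {sil}")
```

Running the script prints the THR decade and SIL for each listed row. The Table 43 row shows why the factors deserve scrutiny: two independent 0.1 factors lower the demand from SIL 4 to SIL 2, so every reduction credited in a table (driver vigilance, intermittent exposure, staff securing the area) has to be backed by an operational measure that is actually in place, because the credit goes straight into the integrity target of the implementing equipment.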
Table 29 RA Indicate position of switches for GOA0 (signal for switch control)

Number of safety function: 18-2
Name of safety function: Indicate position of switches
Description: This function is intended to indicate the position of switches if required.
Reference of functions: None
Reference for risk analysis: VDV 331 2.1.2
Possible wrong side failure: Signal displays wrong switch position
Hazardous situation: Train movement is allowed while the necessary conditions are not met, i.e. a position is displayed while the switch is not in its final position, or the wrong position is indicated.
Possible hazard consequences / accidents: Collision with other train or with road and pedestrian traffic; derailment
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the consequences
Severity of consequences due to failure of safety function: According to the prevailing operation or local circumstances the severity of consequences can be assumed to be critical or catastrophic. Both cases are evaluated:

  Severity        Initial THR   E   P   C   Final THR   Final SIL
  Critical        10^-8         1   1   1   10^-8       SIL 3
  Catastrophic    10^-9         1   1   1   10^-9       SIL 4

Table 30 RA Authorise train movement by wayside signals for GOA1 (for GOA2 to GOA4 also for mixed operation)

Number of safety function: 18
Name of safety function: Authorise train movement by wayside signals
Description: This function is intended to authorise train movement by wayside signals for non-UGTMS-operated trains if the conditions of safe route and safe separation are fulfilled. Wayside signals are used to allow mixed traffic or, as one possibility, for degraded operation.
Reference of functions: IEC 62290-2 5.1.4.3
Reference for risk analysis: MODURBAN D86 4.5.2 Train movement authority by wayside signals (GOA1a/b); VDV 331 3.3.1
Possible wrong side failure: 1st - Signal displays movement authority inadvertently; 2nd - Signal displays wrong speed information inadvertently
Hazardous situation: Train movement is allowed while the necessary conditions (safe route, safe separation) are not met (SPAD)
Possible hazard consequences / accidents: Collision with other train; derailment due to entering unsecured routes
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.4.4 Determine a zone of protection

The safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.1.4.5 Stopping a train en route

It is assumed that this function is covered by the safety function Trigger emergency brake.

10.1.4.6 Authorise the entry of non-operative UGTMS trains into UGTMS territory

Table 31 RA Authorise the entry of non-operative UGTMS trains into UGTMS territory for GOA1 to GOA4

Number of safety function: 21
Name of safety function: Authorise the entry of non-operative UGTMS trains into UGTMS territory
Description: This function is intended to authorise the entry of non-operative UGTMS trains into the UGTMS territory.
Reference of functions: IEC 62290-2 5.1.4.6
Reference for risk analysis: None
Possible wrong side failure: Unauthorised train movement into UGTMS territory, e.g. from workshop or depot
Hazardous situation: Train cars get too close; train movement over unsecured track elements
Possible hazard consequences / accidents: Collision with other train; derailment due to entering unsecured routes
Exposure probability to hazard: Passengers are permanently on board the trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the consequences (conservatively, it cannot be assumed that operational staff recognise the hazardous situation early enough to trigger a safety reaction)
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.5 Supervise train movement

10.1.5.1 Determine actual train speed

This function is relevant for systems providing continuous speed supervision by train protection profile.

Table 32 RA Determine actual train speed for GOA1 (with wayside signals containing allowed speed)

Number of safety function: 22
Name of safety function: Determine actual train speed
Description: This function is intended to determine the actual train speed.
Reference of functions: IEC 62290-2 5.1.5.1
Reference for risk analysis: MODURBAN D86 - 1.5 Speed determination/calculation
Possible wrong side failure: Speed is determined as too low
Hazardous situation: The train might be accelerated by the train driver above the permitted speed determined by the train protection profile, or beyond the movement authority limits (determination of the distance travelled is part of the function).
Possible hazard consequences / accidents: Collision due to travelling beyond movement authority limits; derailment due to overspeed
Exposure probability to hazard: Passengers are permanently in the train
Accident probability reduction: The train driver is responsible for driving the train in the first place, e.g. to stop the train at signals which show stop or to stay within the speeds indicated by wayside signalisation.
Consequence reduction probability: Passengers cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 33 RA Determine actual train speed for GOA1 to GOA4 (without wayside signals)

Number of safety function: 22
Name of safety function: Determine actual train speed
Description: This function is intended to determine the actual train speed.
Reference of functions: IEC 62290-2 5.1.5.1
Reference for risk analysis: MODURBAN D86 - 1.5 Speed determination/calculation
Possible wrong side failure: Undetected too-low speed determination. Overspeed cannot be detected, because the processed velocity value appears to be correct but is in fact wrong.
Hazardous situation: The train travels above the permitted speed determined by the train protection profile, or beyond the movement authority limits (determination of the distance travelled is part of the function)
Possible hazard consequences / accidents: Collision due to travelling beyond movement authority limits; derailment due to overspeed
Exposure probability to hazard: Passengers are permanently in the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.5.2 Supervise safe train speed

This function is relevant for systems providing continuous speed supervision by train protection profile.
Table 34 RA Supervise safe train speed for GOA1 (with wayside signals)

Number of safety function: 23
Name of safety function: Supervise safe train speed
Description: This function is intended to supervise the actual speed of UGTMS-equipped trains against the permitted speed with respect to the train protection profile.
Reference of functions: IEC 62290-2 5.1.5.2
Reference for risk analysis: MODURBAN D86 1.6 Overspeed detection; VDV 331 3.9.10
Possible wrong side failure: Overspeed not detected (actual train speed exceeds the speed protection profile undetected); no safety reaction (e.g. immediate emergency brake application) is triggered
Hazardous situation: Excessive speed; train cars may get too close to one another
Possible hazard consequences / accidents: Derailment due to overspeed; collision (overspeed may lead to travelling beyond the movement authority limit)
Exposure probability to hazard: Passengers are permanently in the trains
Accident probability reduction: The train driver is responsible for driving the train in accordance with the wayside speed signalisation (containing the allowed speed), i.e. within the indicated wayside speed limits.
Consequence reduction probability: Passengers cannot escape the consequences.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 35 RA Supervise safe train speed for GOA1 to GOA4 (without wayside signals)

Number of safety function: 23
Name of safety function: Supervise safe train speed
Description: This function is intended to supervise the actual speed of UGTMS-equipped trains against the permitted speed with respect to the train protection profile.
Reference of functions: IEC 62290-2 5.1.5.2
Reference for risk analysis: MODURBAN D86 1.6 Overspeed detection; VDV 331 3.9.10
Possible wrong side failure: Overspeed not detected (actual train speed exceeds the speed protection profile undetected); no safety reaction (e.g. immediate emergency brake application) is triggered
Hazardous situation: Excessive speed; train cars may get too close to one another
Possible hazard consequences / accidents: Derailment due to overspeed; collision (overspeed may lead to travelling beyond the movement authority limit)
Exposure probability to hazard: Passengers are permanently in the trains
Accident probability reduction: If too high a speed is not detected, no barrier can be assumed which would prevent the hazard from turning into an accident
Consequence reduction probability: Passengers cannot escape the consequences. It can conservatively not be assumed that operational staff are able to notice the overspeed early enough and to trigger the emergency brake to reduce the severity of consequences significantly.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.5.3 Inhibit train stops

It is assumed that this function is required in mixed operation where both kinds of trains, i.e. trains

 - provided with speed supervision by train protection profile, and
 - provided with movement supervision by train stops,

are operated on a regular basis.
Table 36 RA Inhibit train stops for GOA1 to GOA4

Number of safety function: 24
Name of safety function: Inhibit train stops
Description: This function is intended to prevent UGTMS-operated trains from being tripped by train stops.
Reference of functions: IEC 62290-2 5.1.5.3
Reference for risk analysis: None
Possible wrong side failure: After inhibition of the relevant train stop (and after an automatic train has passed it), the train stop is not de-inhibited.
Hazardous situation: A non-automatic train (i.e. one whose speed and train separation are protected by train stops) cannot be protected by the train stop
Possible hazard consequences / accidents: Derailment of the non-automatic train due to undetected overspeed; collision of trains (signal passed at danger)
Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation
Accident probability reduction: The train driver is responsible for driving the train in accordance with wayside signalling, e.g. to stop the train at signals which show stop or are at danger.
Consequence reduction probability: Passengers are exposed to the full hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

10.1.5.4 Monitor speed limit at discrete location

This function is relevant for systems providing wayside speed supervision.


Table 37 RA Monitor speed limit at discrete location for GOA1

Number of safety function: 25
Name of safety function: Monitor speed limit at discrete location
Description: This function is intended to monitor external wayside equipment detecting predefined overspeed.
Reference of functions: IEC 62290-2 5.1.5.4
Reference for risk analysis: VDV 331 - 3.4.4
Possible wrong side failure: Train movements with overspeed are not detected; no safety reaction (e.g. immediate emergency brake application) is triggered
Hazardous situation: Based on a train driver's failure the train moves: 1st - with too high a speed in a designated area; 2nd - too high a speed causes entry into unsecured routes or into areas with insufficient train separation
Possible hazard consequences / accidents: Collision with other train or other danger point; derailment due to entering unsecured routes
Exposure probability to hazard: Passengers are permanently in the trains
Accident probability reduction: The train driver is in the first instance responsible for observing signals. Not every instance of overspeed is assumed to lead to an accident, since the actual speed has to exceed the speed limit of the track guidance. Additionally, the train driver is responsible for a correct and safe speed and shall adhere to the given speed limits.
Consequence reduction probability: Passengers cannot escape the consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 0.1, C = 1
Final THR: 10^-8
Final SIL: SIL 3

10.1.5.5 Supervise train rollaway

The following table analyses the case that a train rolls back against the authorised travel direction.

Table 38 RA Supervise train rollaway for GOA1 to GOA4

Number of safety function: 26
Name of safety function: Supervise train rollaway
Description: This function is intended to supervise the train in case of rollaway at stations.
Reference of functions: IEC 62290-2 5.1.5.5
Reference for risk analysis: None
Possible wrong side failure: Undetected train rollaway
Hazardous situation: Unintended train movement against the travel direction; the safety margin of the following train is disturbed.
Possible hazard consequences / accidents: Collision
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.5.6 Immobilisation of train

This case is included in safety function Authorise station departure (safety related conditions).

10.1.5.7 Detect unauthorised movement of non-operative trains

This function is covered by function Locate non reporting trains by track sections.

10.1.5.8 React to unauthorised movement of non-operative trains

This function is relevant for systems providing a train protection profile.

Table 39 RA React to unauthorised movement of non-operative trains for GOA1 to GOA4

Number of safety function: 29
Name of safety function: React to unauthorised movements of non-operative trains
Description: This function is intended to react to unauthorised movements of non-operative trains in order to prevent collisions.
Reference of functions: IEC 62290-2 5.1.5.6
Reference for risk analysis: None
Possible wrong side failure: Non-operative (i.e. unequipped or unauthorised) train is not detected
Hazardous situation: UGTMS cannot restrict the movement authority of the trains that are in conflict with the unauthorised movement.
Possible hazard consequences / accidents: Collision between unauthorised and authorised trains
Exposure probability to hazard: Passengers are permanently on board the trains (unauthorised as well as authorised trains)
Accident probability reduction: No barrier is assumed
Consequence reduction probability: Passengers cannot escape the hazard consequences. It can conservatively not be assumed that operational staff (e.g. the train driver in the driver cab) are able to notice the dangerous/unauthorised train movement early enough to trigger the emergency brake and reduce the severity of consequences significantly.
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.1.5.9 Detect intruding unequipped train

This function is covered by function Locate non reporting trains by track sections.

10.1.6 Provide interface with external interlocking

Table 40 RA Provide interface with external interlocking for GOA1 to GOA4

Number of safety function: 31
Name of safety function: Provide interface with external interlocking
Description: This function is intended to provide an interface to an external interlocking if the basic function Ensure safe route and other functions (e.g. Authorise train movement by wayside signals, Locate non reporting trains by track sections) are not realised inside UGTMS.
Reference of functions: IEC 62290-2 5.1.6
Reference for risk analysis: VDV 331 3.9.3; VDV 331 3.9.4
Possible wrong side failure: Wrong data input/output via the interface between external interlocking and UGTMS
Hazardous situation: Status information of route elements, routes and localisation of trains is wrong; movement with insufficient route protection and insufficient separation
Possible hazard consequences / accidents: Collision due to insufficient separation; derailment due to insufficient safety of route
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1, P = 1, C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.2 Drive train

All functions covered by IEC 62290-2 in chapter 5.2 Drive Train are intended to be realised in non-safety-related subsystems (ATO), because all hazardous situations arising from insufficient braking (service brake) and from unintended acceleration must be covered by the basic function Ensure safe speed.

10.3 Supervise guideway

10.3.1 Prevent collision with obstacles

10.3.1.1 Supervise wayside obstacle detection device

It is assumed that this function is not relevant in GOA0, 1 and 2, since in these grades it is realised by the train driver.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be
analysed in D4.3 in more detail.

10.3.1.2 Supervise onboard obstacle detection device

In GOA0, 1 and 2 this function is realised by the train driver.


Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be
analysed in D4.3 in more detail.

10.3.2 Prevent collision with persons on tracks

10.3.2.1 Warn passengers to stay away from the platform edge

This function is assumed not to be a safety function.

10.3.2.2 React on emergency stop request from platforms

It is assumed that any reaction on emergency stop requests would include a detection of the
emergency stop request.
Safety function does not act in a clearly continuous mode of operation. Therefore, this function will be
analysed in D4.3 in more detail.

10.3.2.3 Supervise platform doors

Table 41 RA Supervise platform doors for GOA1 and GOA2

Number of safety function: 36
Name of safety function: Supervise platform doors
Description: This function is intended to supervise the closed and locked status of the platform doors if they are not required to be open.
Reference of functions: IEC 62290-2 5.3.2.3
Reference for risk analysis: None
Possible wrong side failure: Platform screen door status is indicated as closed and locked while in fact the platform screen doors are not closed or not locked.
Hazardous situation: A person may get trapped in the platform screen doors and is exposed to the starting train
Possible hazard consequences / accidents: Injury of person by starting train
Exposure probability to hazard: Case 1: the passenger is exposed to the hazard only at the end of the passenger transfer. Case 2: passengers are permanently exposed to the hazard.
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: The train driver may notice a person trapped in the doors
Severity of consequences due to failure of safety function: Critical (for a medium number of passengers) or Catastrophic (for overcrowded situations). The four combinations are evaluated:

  Severity / exposure case   Initial THR   E     P   C     Final THR   Final SIL
  Critical, case 1           10^-8         0.1   1   0.1   10^-6       SIL 1
  Critical, case 2           10^-8         1     1   0.1   10^-7       SIL 2
  Catastrophic, case 1       10^-9         0.1   1   0.1   10^-7       SIL 2
  Catastrophic, case 2       10^-9         1     1   0.1   10^-8       SIL 3

Table 42 RA Supervise platform doors for GOA3 and GOA4

Number of safety function: 36
Name of safety function: Supervise platform doors
Description: This function is intended to supervise the closed and locked status of the platform doors if they are not required to be open.
Reference of functions: IEC 62290-2 5.3.2.3
Reference for risk analysis: None
Possible wrong side failure: Platform screen door status is indicated as closed and locked while in fact the platform screen doors are not closed or not locked.
Hazardous situation: A person may get trapped in the platform screen doors and is exposed to the starting train
Possible hazard consequences / accidents: Injury of person by starting train
Exposure probability to hazard: Case 1: the passenger is exposed to the hazard only at the end of the passenger transfer. Case 2: passengers are permanently exposed to the hazard.
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passengers can conservatively not escape from the hazard consequences
Severity of consequences due to failure of safety function: Critical (for a medium number of passengers) or Catastrophic (for overcrowded situations). The four combinations are evaluated:

  Severity / exposure case   Initial THR   E     P   C   Final THR   Final SIL
  Critical, case 1           10^-8         0.1   1   1   10^-7       SIL 2
  Critical, case 2           10^-8         1     1   1   10^-8       SIL 3
  Catastrophic, case 1       10^-9         0.1   1   1   10^-8       SIL 3
  Catastrophic, case 2       10^-9         1     1   1   10^-9       SIL 4

10.3.2.4 Supervise platform tracks

The safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.2.5 Supervise border between platform tracks and other tracks

The safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.2.6 Supervise platform end doors

The safety function does not act in a clearly continuous mode of operation. Therefore, this function will be analysed in D4.3 in more detail.

10.3.3 Protect staff on track

10.3.3.1 Protect staff on track

Table 43 RA Protect staff on track for GOA1 to GOA4

Number of safety function: 40
Name of safety function: Protect staff on track
Description: This function is intended to establish and subsequently remove work zones in order to protect staff on track. A work zone is set as long as the protection is required.
Reference of functions: IEC 62290-2 5.3.3
Reference for risk analysis: None
Possible wrong side failure: No or wrong setting of work zone
Hazardous situation: Work is not at the correct track section; work zone is removed too early or set too late; too high a train speed is allowed at adjacent track sections
Possible hazard consequences / accidents: Multiple staff fatalities (passenger injuries)
Exposure probability to hazard: If a work zone is to be set and staff are to work there, staff are assumed to be in the work zone permanently. However, work zones are not permanently required to be set.
Accident probability reduction: Conservatively, it cannot be assumed that the accident probability can be reduced.
Consequence reduction probability: Working areas are secured by staff
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 0.1, P = 1, C = 0.1
Final THR: 10^-7
Final SIL: SIL 2

10.4 Supervise passenger transfer

10.4.1 Control passenger doors

10.4.1.1 Authorise train doors opening

For the risk and safety consideration of this function two cases are analysed:

 - door opening on passenger request (train doors opening on passenger request is not relevant if platform screen doors are installed);
 - automatic train doors opening procedure.

Table 44 RA Authorise train doors opening for GOA1 to GOA4 (on passenger request)

Number of safety function: 41
Name of safety function: Authorise train doors opening
Description: This function is intended to authorise train doors opening with regard to all conditions required to ensure a safe passenger transfer.
Reference of functions: IEC 62290-2 5.4.1.1
Reference for risk analysis: None
Possible wrong side failure: Untimely unlocking of train doors, e.g. in a tunnel (it is assumed that train doors unlocking and train doors opening are not directly connected, i.e. unlocking is not directly followed by opening).
Hazardous situation: Train doors are opened not in front of a platform (e.g. in a tunnel, or on the wrong side towards the opposite track or third rail) and a passenger may fall out of the train
Possible hazard consequences / accidents: Fall of person; injury of person; electrocution
Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation (e.g. standing in front of doors)
Accident probability reduction: It is assumed that if the function fails, train doors do not open instantaneously. To open doors, doors have to be requested individually by a passenger. Hence, the hazardous situation occurs only if the safety function fails and a doors opening request exists.
Consequence reduction probability: In peak headway operation or overcrowded situations it is assumed that passengers are subject to the hazard consequences. Conservatively, it cannot be assumed that operational staff in the driver cab (if present) recognise hazardous situations early enough to initiate a safety reaction and reduce the severity of hazard consequences significantly.
Severity of consequences due to failure of safety function: Critical (for a medium number of passengers) or Catastrophic (in overcrowded situations). Both cases are evaluated:

  Severity        Initial THR   E   P     C   Final THR   Final SIL
  Critical        10^-8         1   0.1   1   10^-7       SIL 2
  Catastrophic    10^-9         1   0.1   1   10^-8       SIL 3

Table 45 RA Authorise train doors opening for GOA1 to GOA4 (automatically)

Number of safety function: 41
Name of safety function: Authorise train doors opening
Description: This function is intended to authorise train doors opening with regard to all conditions required to ensure a safe passenger transfer. (Train doors authorisation, unlocking and opening are linked directly.)
Reference of functions: IEC 62290-2 5.4.1.1
Reference for risk analysis: None
Possible wrong side failure: Untimely authorisation of train doors, e.g. in a tunnel (a wrong authorisation would instantaneously lead to unlocked and open train doors)
Hazardous situation: Train doors are opened not in front of a platform (e.g. in a tunnel, or on the wrong side towards the opposite track or third rail) and a passenger may fall out of the train
Possible hazard consequences / accidents: Fall of person; injury of person; electrocution
Exposure probability to hazard: Passengers are permanently exposed to the hazardous situation
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: In peak headway operation or overcrowded situations it is assumed that passengers are subject to the full hazard consequences. Operational staff are assumed to be on board the train in the passenger area, but conservatively it cannot be assumed that they would react to the hazardous situation early enough to reduce the severity of consequences significantly.
Severity of consequences due to failure of safety function: Critical (for a medium number of passengers) or Catastrophic (in overcrowded situations). Both cases are evaluated:

  Severity        Initial THR   E   P   C   Final THR   Final SIL
  Critical        10^-8         1   1   1   10^-8       SIL 3
  Catastrophic    10^-9         1   1   1   10^-9       SIL 4

10.4.1.2 Command doors opening

This function is assumed not to be a safety function.

10.4.1.3 Request doors closing

This function is assumed not to be a safety function.

10.4.1.4 Supervise doors closing

This function is assumed to be covered by the safety functions Supervise closed and locked status of
train doors and Supervise platform doors.

10.4.1.5 Supervise closed and locked status of train doors

Table 46 RA Supervise closed and locked status of train doors for GOA1 to GOA4

Number of safety function: 45
Name of safety function: Supervise closed and locked status of train doors
Description: This function is intended to supervise the closed and locked status provided by the rolling stock.
Reference of functions: IEC 62290-2 5.6.6
Reference for risk analysis: MODURBAN D86 1.2 Train doors status supervision
Possible wrong side failure: Undetected train door failure: the status signals closed and locked while train doors remain unlocked/open
Hazardous situation: During station departure the train door status is not assured
Possible hazard consequences / accidents: Injury of person; person dragged by starting train
Exposure probability to hazard: Passengers are permanently on board the train and exposed to the hazard of open doors
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger is aware of the starting train
Severity of consequences due to failure of safety function: Critical (for a medium number of passengers) / Catastrophic (for overcrowded situations)
Initial THR per hour: 10^-8 (Critical) / 10^-9 (Catastrophic)
Risk reduction factors: E = 1 / 1; P = 1 / 1; C = 0.1 / 0.1
Final THR: 10^-7 / 10^-8
Final SIL: SIL 2 / SIL 3

10.4.2 Prevent person injuries between platform and train

10.4.2.1 Prevent person injuries between platform and train

Table 47 RA Prevent person injuries between platform and train for GOA1 to GOA4

Number of safety function: 46
Name of safety function: Prevent person injuries between platform and train
Description: This function is intended to detect persons between platform and train. (Prevented hazards include falling or being trapped between platform and train.)
Reference of functions: (IEC 62290-2 5.4.2)
Reference for risk analysis: None
Possible wrong side failure: Device does not detect a person between platform and train
Hazardous situation: Person exposed to train movement
Possible hazard consequences / accidents: Severe person injuries by falling or being dragged by the train
Exposure probability to hazard: Passengers are rarely exposed to the hazard
Accident probability reduction: Case 1: gap filling device. Case 2: no gap filling device.
Consequence reduction probability: Case 1: operational staff at the station has the obligation to supervise passenger transfer and to assure a safe station departure for passengers; the severity of consequences can be reduced by staff observing the critical situation and preventing the train from starting. Case 2: no staff at the station (staff has no obligation to supervise passenger transfer).
Severity of consequences due to failure of safety function: Critical
Initial THR per hour: 10^-8
Risk reduction factors: E = 0.1; P = 0.1 (case 1: gap filling device) or 1 (case 2: no gap filling device); C = 0.1 (case 1: staff at station) or 1 (case 2: no staff at station)
Final THR and Final SIL for the four combinations:
  P case 1, C case 1: 10^-5, SIL 0
  P case 1, C case 2: 10^-6, SIL 1
  P case 2, C case 1: 10^-6, SIL 1
  P case 2, C case 2: 10^-7, SIL 2

10.4.2.2 Prevent person being trapped between platform screen doors and train

Table 48 RA Prevent person being trapped between platform screen doors and train for GOA1 to GOA4

Number of safety function: 47
Name of safety function: Prevent person being trapped between platform screen doors and train
Description: This function is intended to detect persons being trapped between platform screen doors (if installed) and train doors when they are closing.
Reference of functions: New for MODSafe
Reference for risk analysis: None
Possible wrong side failure: Device does not detect a person between platform screen doors and train doors when they are closing for train departure
Hazardous situation: Person exposed to train movement
Possible hazard consequences / accidents: Severe person injuries or death
Exposure probability to hazard: Passengers (particularly children) are permanently exposed to the hazard at each passenger transfer where the gap is sizeable (e.g. in curved stations)
Accident probability reduction: No barrier can be assumed. Operational staff cannot observe the gap between platform screen doors and train doors (particularly in curved stations). Furthermore, the train cannot be stopped in time by other passengers applying some kind of emergency brake.
Consequence reduction probability: Passenger cannot escape the consequences
Severity of consequences due to failure of safety function: Critical
Initial THR per hour: 10^-8
Risk reduction factors: E = 1; P = 1; C = 1
Final THR: 10^-8
Final SIL: SIL 3

10.4.3 Prevent person injuries between train cars

10.4.3.1 Prevent person injuries between train cars

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.4.4 Ensure safe starting conditions

10.4.4.1 Authorise station departure (safety related conditions)

It is assumed that this function is covered by Supervise closed and locked status of train doors.

10.4.4.2 Authorise station departure (operational conditions)

It is assumed that this function is not a safety function.

10.4.4.3 Command station departure

It is assumed that this function is not safety relevant.

10.5 Operate a train

10.5.1 Put in or take out of operation

10.5.1.1 Awake trains

This function is assumed not to be a safety function.

10.5.1.2 Set train to sleep

It is assumed that this function is not a safety function. An untimely command to set a train to sleep is
assumed to lead to a train standstill. However, the function for determining the train location is
assumed to remain active.

10.5.2 Manage driving modes

It is assumed that this function is not safety relevant.

10.5.3 Manage movement of trains between two operational stops

It is assumed that this function is not safety relevant.

10.5.4 Manage depots and stabling areas

This function is assumed not to be a safety function.

10.5.5 Manage UGTMS transition area

This function is assumed not to be a safety function.

10.5.6 Restrict train entry to station

This function is not a safety function. It is assumed to be realised by ATO, as it manages operational
conditions.

10.5.7 Manage the platform or siding stopping position of the train

This function is assumed not to be a safety function.

10.5.8 Change the travel direction

This function is assumed not to be a safety function.

10.5.9 Couple and split a train

10.5.9.1 Couple trains automatically

This function is assumed not to be a safety function. (Note: the correct speed is assured by the train
protection profile.)

10.5.9.2 Split trains untimely uncoupling protection

This function is assumed not to be a safety function. (Note: an untimely command is prevented by specific
de-coupling conditions.)

10.5.10 Supervise the status of the train

10.5.10.1 Supervise UGTMS onboard equipment status prior to entering service

Table 49 RA Supervise UGTMS onboard equipment status prior to entering service for GOA1 to GOA4

Number of safety function: 63
Name of safety function: Supervise UGTMS onboard equipment status prior to entering service
Description: This function is intended to perform all necessary tests on vital equipment during the power-on process or prior to entering UGTMS territory. Generally this function includes only those self-tests that deal with the safety of UGTMS and the inputs and outputs necessary for vital operation. Self-tests that are necessary to achieve the safety features of vital processors (computing unit including operating system) are not included here.
Reference of functions: IEC 62290-2 5.5.10.1
Reference for risk analysis: None
Possible wrong side failure: The system signals successful completion of the tests on vital equipment when in fact test failures occurred; a system test is wrongly recognised as successful, and operation of the equipment is not shut down as a result of a recognised failure
Hazardous situation: Excessive speed; train movement over moving track elements; train cars get too close
Possible hazard consequences / accidents: Collision; derailment
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1; P = 1; C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.5.10.2 Supervise UGTMS onboard equipment status during operation

Table 50 RA Supervise UGTMS onboard equipment status during operation for GOA1 to GOA4

Number of safety function: 64
Name of safety function: Supervise UGTMS onboard equipment status during operation
Description: This function is intended to perform all necessary tests during operation of the system. Generally this function includes only those self-tests that deal with the safety of the UGTMS application and the inputs and outputs necessary for vital operation. Self-tests that are necessary to achieve the safety features of vital processors are not included here.
Reference of functions: IEC 62290-2 5.5.10.2
Reference for risk analysis: None
Possible wrong side failure: Undetected failed system tests (no safety reaction can be initiated)
Hazardous situation: Excessive speed; train cars get too close; (too high temperature of onboard equipment)
Possible hazard consequences / accidents: Collision; derailment; (fire/smoke)
Exposure probability to hazard: Passengers are permanently on board trains
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape from the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1; P = 1; C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.5.10.3 Test emergency braking performance

Table 51 RA Test emergency braking performance for GOA1 to GOA4

Number of safety function: 65
Name of safety function: Test emergency braking performance
Description: This function is intended to perform a dynamic emergency braking test by commanding emergency braking during motion.
Reference of functions: IEC 62290-2 5.5.10.3
Reference for risk analysis: None
Possible wrong side failure: UGTMS reports to the train/OCC HMI that the emergency brake performance is sufficient when in fact the emergency brake performance is poor
Hazardous situation: Emergency brake performance is insufficient when applied, so: train cars get too close; excessive speed
Possible hazard consequences / accidents: Collision; derailment
Exposure probability to hazard: Passengers are permanently on board the train
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1; P = 1; C = 1
Final THR: 10^-9
Final SIL: SIL 4

10.5.10.4 React to detected train equipment failure

This function is covered by Trigger emergency brake.

10.5.10.5 Manage traction power supply on train

This function is assumed not to be a safety function.

(An unintended loss of traction power may lead to a hazardous situation when the train is forced to stop
between stations and is unable to restart. Secondary hazards which may arise from this situation are
assumed to be the subject of MODSafe deliverable D4.3.)

10.6 Ensure detection and management of emergency situations

10.6.1 Perform train diagnostic, detect fire/smoke and detect derailment, handle emergency
situations

10.6.1.1 Detect fire and smoke

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.2 React to detected fire/smoke

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.3 React to detected or suspected broken rail

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.4 Monitor emergency calls

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.5 React to passenger alarm device activation

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.6 React to emergency release of train doors

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.7 Detect loss of train integrity

This safety function does not act in a clearly continuous mode of operation. Therefore, it will be
analysed in more detail in D4.3.

10.6.1.8 React to loss of train integrity

This function is covered by the safety functions Determine zone of protection and Trigger emergency
brake.

10.6.1.9 Detect derailment

Derailment is a rare event, and the detection device is not intended to prevent a derailment but only to
detect it, which might reduce the possible consequences of a derailment. The derailment detection
device is therefore not a classic safety function and can be regarded as operating in low demand
mode. Therefore, the function is analysed in MODSafe D4.3.

10.6.1.10 Trigger emergency brake

Triggering the emergency brake after a loss of train integrity, on OCC command or on train equipment
failure is not considered in this safety function. Hence, in on-sight train operation (i.e. GOA0) this
function is not relevant.

Table 52 RA Trigger emergency brake for GOA1 and GOA2

Number of safety function: 77
Name of safety function: Trigger emergency brake
Description: This function is intended to initiate application of the emergency brake at detected overspeed.
Reference of functions: New for MODSafe
Reference for risk analysis: None
Possible wrong side failure: No safety reaction when required, i.e. the emergency brake is not triggered
Hazardous situation: Excessive speed
Possible hazard consequences / accidents: Collision; derailment
Exposure probability to hazard: Passengers are permanently exposed to the hazard
Accident probability reduction: The train driver is responsible for driving the train and for following speed indications. It is assumed that the train driver has the possibility to recognise overspeed and to trigger the emergency brake.
Consequence reduction probability: Passenger cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1; P = 0.1; C = 1
Final THR: 10^-8
Final SIL: SIL 3

Table 53 RA Trigger emergency brake for GOA3 and GOA4

Number of safety function: 77
Name of safety function: Trigger emergency brake
Description: This function is intended to initiate application of the emergency brake at detected overspeed.
Reference of functions: New for MODSafe
Reference for risk analysis: None
Possible wrong side failure: No safety reaction when required, i.e. the emergency brake is not triggered
Hazardous situation: Excessive speed
Possible hazard consequences / accidents: Collision; derailment
Exposure probability to hazard: Passengers are permanently exposed to the hazard
Accident probability reduction: No barrier can be assumed
Consequence reduction probability: Passenger cannot escape the hazard consequences
Severity of consequences due to failure of safety function: Catastrophic
Initial THR per hour: 10^-9
Risk reduction factors: E = 1; P = 1; C = 1
Final THR: 10^-9
Final SIL: SIL 4
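The tables in this chapter all follow the same arithmetic: an initial THR fixed by the severity class, up to three risk reduction factors of 1 or 0.1, and a SIL read from the resulting THR band. The following example, added here and not code from the MODSafe deliverable, recomputes the Final THR and SIL of Tables 45 to 53 from their inputs. The mapping Critical to 10^-8 /h and Catastrophic to 10^-9 /h, the rule Final THR = initial THR divided by the product of E, P and C, and the use of the EN 50129 THR bands (with THR at or above 10^-5 /h reported as "SIL 0", as the tables do) are inferred from the tables rather than stated on this page, so they are assumptions of the example.

```python
"""Added example (not code from the MODSafe deliverable): recompute the Final THR
and SIL allocations of Tables 45 to 53 from their inputs.

Assumptions inferred from the tables, not stated explicitly on this page:
 - the initial THR is fixed by the severity class, Critical -> 1e-8 /h and
   Catastrophic -> 1e-9 /h;
 - each risk reduction factor (E exposure, P accident probability, C consequence)
   is either 1 (no credit) or 0.1 (one decade of credit), and the Final THR is
   the initial THR divided by their product;
 - the SIL follows the EN 50129 THR bands, with THR >= 1e-5 /h reported as
   "SIL 0" as the tables do.
"""
from __future__ import annotations

import math
from typing import NamedTuple

INITIAL_THR = {"Critical": 1e-8, "Catastrophic": 1e-9}  # per hour (assumed mapping)
ALLOWED_FACTORS = (1.0, 0.1)

# EN 50129 bands keyed by the decade of the THR: 1e-9 <= THR < 1e-8 is SIL 4, and so on.
SIL_BY_DECADE = {-9: 4, -8: 3, -7: 2, -6: 1, -5: 0}


class Allocation(NamedTuple):
    final_thr: float
    sil: int


def final_thr(severity: str, e: float, p: float, c: float) -> float:
    """Final THR = initial THR / (E * P * C); a factor of 0.1 relaxes the target by one decade."""
    for name, f in (("E", e), ("P", p), ("C", c)):
        if f not in ALLOWED_FACTORS:
            raise ValueError(f"{name}={f}: the tables only use factors of 1 or 0.1")
    return INITIAL_THR[severity] / (e * p * c)


def sil_for_thr(thr: float) -> int:
    """Map a THR in /h onto a SIL band. The small offset keeps values such as 1e-8/0.1,
    which is not exactly 1e-7 in binary floating point, inside their intended decade."""
    if thr <= 0:
        raise ValueError("THR must be positive")
    decade = math.floor(math.log10(thr) + 1e-9)
    if decade < -9:
        raise ValueError("THR below 1e-9 /h cannot be allocated to a single function")
    return SIL_BY_DECADE.get(decade, 0)  # anything at or above 1e-5 /h is SIL 0 in this document


def allocate(severity: str, e: float = 1.0, p: float = 1.0, c: float = 1.0) -> Allocation:
    thr = final_thr(severity, e, p, c)
    return Allocation(thr, sil_for_thr(thr))


# Rows of this chapter's tables: (table, case) -> ((severity, E, P, C), (documented THR, documented SIL)).
TABLE_ROWS = {
    ("Table 45", "medium number of passengers"): (("Critical", 1, 1, 1), (1e-8, 3)),
    ("Table 45", "overcrowded"): (("Catastrophic", 1, 1, 1), (1e-9, 4)),
    ("Table 46", "medium number of passengers"): (("Critical", 1, 1, 0.1), (1e-7, 2)),
    ("Table 46", "overcrowded"): (("Catastrophic", 1, 1, 0.1), (1e-8, 3)),
    ("Table 47", "gap filling device, staff at station"): (("Critical", 0.1, 0.1, 0.1), (1e-5, 0)),
    ("Table 47", "gap filling device, no staff"): (("Critical", 0.1, 0.1, 1), (1e-6, 1)),
    ("Table 47", "no gap filling device, staff at station"): (("Critical", 0.1, 1, 0.1), (1e-6, 1)),
    ("Table 47", "no gap filling device, no staff"): (("Critical", 0.1, 1, 1), (1e-7, 2)),
    ("Table 48", "single case"): (("Critical", 1, 1, 1), (1e-8, 3)),
    ("Table 49", "single case"): (("Catastrophic", 1, 1, 1), (1e-9, 4)),
    ("Table 52", "GOA1/GOA2, driver may brake"): (("Catastrophic", 1, 0.1, 1), (1e-8, 3)),
    ("Table 53", "GOA3/GOA4"): (("Catastrophic", 1, 1, 1), (1e-9, 4)),
}


def check_tables() -> dict[tuple[str, str], bool]:
    """Recompute every documented row and report whether THR and SIL agree with the table."""
    result = {}
    for key, ((sev, e, p, c), (thr_doc, sil_doc)) in TABLE_ROWS.items():
        got = allocate(sev, e, p, c)
        result[key] = math.isclose(got.final_thr, thr_doc, rel_tol=1e-6) and got.sil == sil_doc
    return result


if __name__ == "__main__":
    for (table, case), ((sev, e, p, c), _) in TABLE_ROWS.items():
        a = allocate(sev, e, p, c)
        print(f"{table} {case:42s} {sev:12s} E={e} P={p} C={c} -> THR {a.final_thr:.0e} /h, SIL {a.sil}")
```

The useful property of writing the rule down is that it makes the sensitivity visible: Table 47 shows that claiming one decade of credit for each of E, P and C takes the same Critical function from SIL 2 down to SIL 0, so every 0.1 entered in a table is a claim about operations (a gap filling device, staff with a supervision duty, a driver who can react) that has to be justified and maintained, not a property of the equipment.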
