Presentation is loading. Please wait.

Presentation is loading. Please wait.

ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM

Published byBenedict Reed Modified over 6 years ago

Similar presentations

Presentation on theme: "ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM"— Presentation transcript:

1 ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM
Guideline for the Application of CSM-DT from Regulation 2015/1136 ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM Roman Slovák, FOT, CH ERA, Valenciennes, November 2016

2 Overview System definition List of functions
Scope, assumptions and limits of the risk assessment Hazard identification and classification Applicability of CSM-DT Setting up of applicable category Allocated quantitative requirements Conclusions

3 1. System Definition Context
Due to the high acquisition costs many level crossings (LC) on secondary lines remain equipped with only passive level crossing signs like the St. Andrew cross Solution Low-cost Level Crossing System (LCS) MICRO Simplification of the existing standardised type MINI Purpose To warn the road users against the railway traffic

4 2. List of functions Function MINI MICRO Warn the road user against the danger on LC X Inform the train driver on the LC system activation Warn the road user against the LC system failure flashing yellow light warns road users in the case LCS failure in which: the responsibility for passing over the level crossing lies fully with the road user. road users must be able to check that the track is safe to cross misjudging his ability to safely pass over the LC situation while a train is approaching has to be considered as an important risk

5 3. Scope and limits of the assessment
Application parameters MINI MICRO Maximum density of road traffic [vehicles/h] 6 equal to 8 persons/h 1.5 equal to 2 persons/h Visibility for road traffic irrelevant adequate Maximum density of rail traffic [trains/h] 10 Maximum speed of trains [km/h] 100 Maximum number of tracks 1 Maximum hazard detection time [h] 8 the probability of the hazard detection by a third party at the LCS MICRO is much smaller than at the LCS MINI. The hazard detection time (HDT) of the MICRO is set to 8h

6 4a. Hazard identification
Failure Mode and Effect Analysis (FMEA) used Considered operational condition of the LCS MICRO Not considered were consequences due to an accident involving release of danger goods as: This kind of extreme consequences of a LC accident is not present in any Swiss accident database. much lower probability of such a kind of accident due to designation of MICRO to local railway lines and very low traffic flows The consequences from a collision on LC on factory siding, where a transport with danger goods is credible, are additionally reduced by the general speed limit for tracks in factory sidings of 10 km/h

7 4a. Hazard identification
Functional failure modes Cause HAZARD - Consequence at level of technical system Consequences at train level 1. Warning does not start LCS failed Road user is not warned against train arrival when required Road user is not informed to stop in front of the LC and may collide with a passing train on the LC 2. Warning starts when not required Spurious warning against train arrival Road user is unnecessarily required to stop in front of the LC Road traffic operation is unnecessarily disturbed 3. Warning is delayed in response Road user is not informed on time to stop in front of the LC and may collide with a passing train on the LC 4. Warning of the road user is not terminated after passing of the train Warning of the road user is not terminated after train passing  5. Warning of the road user is terminated before the train is passing the LC Train driver is not informed about the LCS system failure and does not stop the train to prevent a possible collision Road user is not warned against the train arrival when required  6. LCS is in a constant degraded state (yellow flashing light) LCS detected a failure of one of its functions Indication of the degraded state by yellow flashing light Road user is infomed to cross the LC on his own responsibility  7. LCS switches to a degraded state during the warning Indication of the degradeted state by yellow flashing light starts immediately after the warning (red constant light) Road user misinterprets the change of the warning from red to yellow and starts to pass the LC and thus may likely collide with a passing train

8 4b. Hazard classification
The 7 functional failure modes are classified in the following 7 categories: failure modes 1 and 5 are resulting in the “non-warning” of the road user. failure modes 2 and 4 are resulting in a spurious warning of road users - road traffic operation is unnecessarily disturbed; failure mode 3 is resulting in a too late “warning”. failure mode 6 is resulting in operation of the level crossing in full responsibility of the road user failure mode 7 is resulting in a situation causing a high misinterpretation potential by the road user Bahnonline.ch

9 4b. Hazard classification
Functional failure modes Cause Potential accident Potential for at least 1 fatality 1. Warning does not start LCS failed Collision train with road vehicle Collision train with person YES (i.e. risk not broadly acceptable) 2. Warning starts when not required No – Specific operational procedures must be defined to prescribe the actions of the road user NO (i.e. risk is broadly acceptable) 3. Warning is delayed in response 4. Warning of the road user is not terminated after passing of the train  5. Warning of the road user is terminated before the train is passing the LC Train driver is not informed about the LCS system failure and does not stop the train to prevent a possible collision  6. LCS is in a constant degraded state (yellow flashing light) LCS detected a failure of one of its functions Yes - but operation in full responsibility of the road user  7. LCS switches to a degraded state during the warning

10 5. Applicability of CSM-DT
What are the conditions which have a credible potential to LEAD DIRECTLY to an accident in case of failure of the LCS? IF the following two conditions are met during the same period of time : the LCS MICRO is faulty. In concrete terms, this means: the function warning the road user against the train on LC is failed, AND there is a road user in the danger zone of the level crossing or approaching it THEN there is “a credible potential to lead directly to … a catastrophic … or a critical accident”,” …  

11 6. Setting up of applicable category CSM DT
HAZARD – Conse­quence at level of technical system Consequences at train level Potential accident Potential for at least 1 fatality Consequence limited to a specific area of train Associated CSM DT 1 Road user is not warned against arrival of train when required Road user is not informed to stop and prevent a collision with a train on the level crossing Collision train with road vehicle Collision train with person YES (i.e. risk not broadly acceptable) Yes (head of the train exposed to risk) 10‑ 7 h‑1 2. Spurious warning against arrival of a train Road user is required to stop on level crossing whereas not necessary Road traffic operation disturbed No – Specific operational procedures must be defined to prescribe the actions of the road user NO (i.e. risk is broadly acceptable) Not applicable  3. Warning of the road user is terminated before the arrival of the train Road user is not informed on time to stop and prevent a collision with a train on the level crossing Collision train with person 4.  5. 6. Indication of the degradeted state by yellow flashing light Road user is infomed to cross the level crossing in his own responsibility Yes - but operation in full responsibility of the road user  7. Indication of the degradeted state by yellow flashing light starts immediately after the warning (red constant light) before arrival of the train Road user misinterprets the change of the warning from red to yellow and enters the level crossing with high potential of a collision with a train

12 6. Setting up of applicable category of CSM DT
In conclusion, if following “logical condition” is met: there is a road user in the danger zone of the LC or approaching it; AND during the same period of time the function warning the road user against the danger on LC is failed; OR the LCS entered into the degraded state during the warning before arrival of the train there is “a credible potential to lead directly to a critical accident” … “typically affecting a very small number of people and resulting in at least one fatality” The associated risk is acceptable if the frequency of occurrence of that logical condition mentioned in the section above is “… demonstrated to be less than or equal to 10–7 per operating hour”. The most credible CSM DT category applicable to that logical condition is therefore 10‑7 h‑1.

13 7a. Allocated quantitative requirements on system level
General quantitative requirements on LCS given by the CSM-DT category of 10-7 h-1 (corresponds to SIL 3) Validation of the set requirement can be reached by: estimation of the resulting level crossing accident rate quantification of the corresponding fatality rate comparison with and independent risk acceptance criterion – e.g. MEM (Minimal Endogenous Mortality) from EN Estimation of the accident rate requires consideration of potential accident scenarios including assumptions on human behaviour – modelling using Petri Nets (class EDSPN)

14 Formal modelling of the LC Potential accident scenarios
Two accident situations considered: Collision train –> road vehicle Collision road vehicle –> train Estimation of situation specific risk reduction parameters Severity of accident not further refined – assumption 1.5 fatality per accident (worst case)

15 Formal modelling of the LC Description means (IEC 62551)
Extended Deterministic and Stochastic Petri nets: Dynamics in a Petri net

16 Formal modelling of the LC Method and Tool
Modelling Methodology: ProFunD [IEC 62551] Process Functionality Dependability -Tool

17 Allocated quantitative requirements on system level
EDSPN provides resulting accident frequency in relation to the hazard rate of the entire LCS Validation by individual risk acceptance criterion MEM confirms acceptable accident rate resulting from the chosen DT (10-7 per hour) CSM-RA-DT class (b) 2x10-9 Acc/h derived from MEM

18 7b. Allocated quantitative requirements on subsystem level
Considered subsystem functions in the EDSPN model of the LCS: Train recognition Warning lights Train clearing recognition Fault display (Yellow flashing light) Hazard recognition of all other functions Hazards of all functions have been considered as independent Possible dependencies (e.g. due to common power supply) would have to be additionally included in the model – out of scope of the system functional modelling

19 7b. Allocated quantitative requirements on subsystem level

20 7b. Allocated quantitative requirements on subsystem level
Subsystem function Tolerable hazard rate Alternative tolerable hazard rate Train recognition 3.3x10-7 h-1 1x10-8 h-1 Warning lights Train clearing recognition 1x10-6 h-1 Fault display (Yellow flashing light) Hazard recognition of all other functions Considered hazard detection time of all subsystem functions: 8h Subsystem function’s requirements corresponds to SIL3 or alernativelly to combination of SIL 4 and SIL 2 elements

21 Analysing the influence of the variation of the hazard detection time

22 8. Conclusions from the risk assessment and allocation of CSM DT
the design of the level crossing system is based on the safety requirements of CSM-DT class (b) (10-7hazards per hour) – SIL3 the hazard detection time of 8h does not have to be exceeded the sight condition of the road user on the track will be kept free; the road user is adequately informed on the meaning of the yellow flashing light indicating the degraded state of the level crossing system and the transfer of the full responsibility for crossing the track on himself;

23 8. Conclusions from the risk assessment and allocation of CSM DT
the level crossing system is safely integrated within the railway infrastructure providing automatically information on his degraded state to the infrastructure manger (e.g. by an SMS) If the operational requirements cannot be met, additional limitations of the rail or road traffic are necessary (e.g. prohibition of the LC use by road users in case of yellow flashing light)

24 Thank you for your attention.
Roman Slovák Federal Office of Transport FOT Risk Management & Management Support CH-3003 Bern Tel: /

Download ppt "ANNEX 4 : EXAMPLE STANDARDISED LEVEL CROSSING SYSTEM"

Similar presentations

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Federal department of environment, transport, energy and communications ETEC Federal Office for the Environment FOEN Risk Assessment on Pipelines: the.

Federal department of environment, transport, energy and communications ETEC Federal Office for the Environment FOEN Risk Assessment on Pipelines: the.
SCHOOL BUS STOPS OVERHEAD LIGHT and HAZARD LIGHT Effective July 21, 2004 Revised January 2007.

SCHOOL BUS STOPS OVERHEAD LIGHT and HAZARD LIGHT Effective July 21, 2004 Revised January 2007.
Vulnerable Road User needs towards ITS. HUMANIST Conference, June 2014, Vienna Duration: 1.4.2013-31.3.2016 Consortium: Associated Members: Ertico, ECF,

Vulnerable Road User needs towards ITS. HUMANIST Conference, June 2014, Vienna Duration: Consortium: Associated Members: Ertico, ECF,
Brief Overview of New ALCAM

Brief Overview of New ALCAM
Does 20mph make roads safer? Eric Bridgstock Independent Road Safety Researcher St Albans National Road Safety Conference 13 November 2013.

Does 20mph make roads safer? Eric Bridgstock Independent Road Safety Researcher St Albans National Road Safety Conference 13 November 2013.
Hazard and Incident Warning « Majority of events occurring on the road represent a danger for road users » By transmitting road events and road status.

Hazard and Incident Warning « Majority of events occurring on the road represent a danger for road users » By transmitting road events and road status.
Vectus Ltd. 2008 Copyright Page 1 Safety Process in Vectus ’ PRT Project Inge Alme: Safety Manager Jörgen Gustafsson: CTO.

Vectus Ltd Copyright Page 1 Safety Process in Vectus ’ PRT Project Inge Alme: Safety Manager Jörgen Gustafsson: CTO.
Road Safety Audits Ghazwan al-Haji PhD student ”On whats goes wrong in road design and how to put it right safely”

Road Safety Audits Ghazwan al-Haji PhD student ”On whats goes wrong in road design and how to put it right safely”
1 Risk evaluation Risk treatment. 2 Risk Management Process Risk Management Process.

1 Risk evaluation Risk treatment. 2 Risk Management Process Risk Management Process.
Analysis of the influence of aiming, on visibility distance and glare Poland 65 GRE, 29 March 2011 Dr EngTomasz Targosinski Informal document No. GRE-65-30.

Analysis of the influence of aiming, on visibility distance and glare Poland 65 GRE, 29 March 2011 Dr EngTomasz Targosinski Informal document No. GRE
2015 Traffic Signals 101 Topic 11 Emergency Vehicle Preemption (EVP) and Railroad (RR) Preemption.

2015 Traffic Signals 101 Topic 11 Emergency Vehicle Preemption (EVP) and Railroad (RR) Preemption.
Hans-Martin Gerhard28. April 2010 Seite 1Dr. Ing. h. c. F. Porsche AG Pedestrian Safety - Quiet Cars Hans-Martin Gerhard Dr. Ing. h.c. F. Porsche AG Quiet.

Hans-Martin Gerhard28. April 2010 Seite 1Dr. Ing. h. c. F. Porsche AG Pedestrian Safety - Quiet Cars Hans-Martin Gerhard Dr. Ing. h.c. F. Porsche AG Quiet.
Drive Right Chapter 7 Negotiating Intersections Unit 4

Drive Right Chapter 7 Negotiating Intersections Unit 4
Www.bmvi.de Presentation for Document ACSF-03-03_rev1 Oliver Kloeckner 2.-3. September 2015 3rd meeting of the IG ASCF Munich, Airport Informal Document.

Presentation for Document ACSF-03-03_rev1 Oliver Kloeckner September rd meeting of the IG ASCF Munich, Airport Informal Document.
Railway Safety Commission An Coimisiún Sábháilteachta Iarnróid The Management of Third Party Generated Risk in Ireland International Railway Safety Conference.

Railway Safety Commission An Coimisiún Sábháilteachta Iarnróid The Management of Third Party Generated Risk in Ireland International Railway Safety Conference.
INTERNATIONAL EDUCATIONAL CONFERENCE „LET‘S SAVE LIVES“ Tallinn, Estonia, March 15 th, 2011 Martina Pavlíková ŽSR – The Railways of the Slovak Republic.

INTERNATIONAL EDUCATIONAL CONFERENCE „LET‘S SAVE LIVES“ Tallinn, Estonia, March 15 th, 2011 Martina Pavlíková ŽSR – The Railways of the Slovak Republic.
Traffic Accidents caused by Lane Departure in Japan  Data of Traffic Accidents around Japan Transmitted by the expert from Japan Informal document GRRF-75-33.

Traffic Accidents caused by Lane Departure in Japan  Data of Traffic Accidents around Japan Transmitted by the expert from Japan Informal document GRRF
1 ACSF Test Procedure Draft proposal – For discussion OICA and CLEPA proposal for the IG Group ACSF Tokyo, 2015, June 16-17 Informal Document ACSF-02-07.

1 ACSF Test Procedure Draft proposal – For discussion OICA and CLEPA proposal for the IG Group ACSF Tokyo, 2015, June Informal Document ACSF
Working paper number WLTP-DHC-03-04 1 Comparison of different European databases with respect to road category and time periods (on peak, off peak, weekend)

Working paper number WLTP-DHC Comparison of different European databases with respect to road category and time periods (on peak, off peak, weekend)

Similar presentations

Ads by Google