SPECIAL ISSUE PAPER 419

Risk analysis of level crossing accidents

based on systems control for safety
T Kohda1* and H Fujihara2
1
Department of Aeronautics and Astronautics, Kyoto University, Kyoto, Japan
2
Human Science Division, Railway Technical Research Institute, Tokyo, Japan

The manuscript was received on 11 October 2007 and was accepted after revision for publication on 7 February 2008.

DOI: 10.1243/1748006XJRR127

Abstract: Train protection systems in Japan such as signalling systems and level crossing
protection systems have been mostly developed by the improvement of individual subsystems
in their performance as well as specific post-accident measures to prevent similar accidents
from happening again. However, level crossing accidents are still a major contributor to the
total number of railway accidents. The importance of prior risk assessment of the total railway
system increases, and risk management is to be desired for taking efficient measures without
any degradation of the present safety level. This paper, with consideration of accident
sequences and multilayered safety functions, presents a simple feasibility study for quantitative
risk assessment of level crossing accidents with the aim of efficient and effective safety mana-
gement for Japanese railway systems. Accident scenarios are described which initiate from a
trapped motorcar through the failure of protection systems, including human actions. A simple
phenomenal model is introduced in evaluating the accident occurrence probability. The
positive correlation between the train velocity and accident frequency is derived, which can
be considered acceptable as common sense.

Keywords: Japanese level crossing accidents, train protection systems, system accident
occurrence probability, phenomenal model, probabilistic risk analysis

1 INTRODUCTION accident; V, roadway interference accident (tramway

Train protection systems in the Japanese railway
including level crossing protection systems have
been mostly developed as upgrades of individual
subsystems and post-accident measures. Prior asse-
ssment of risk has not been executed sufficiently to
influence policy decisions. In recent years, the impor-
tance of risk assessment and information disclosure
is greatly increasing in most industrial sectors.
Japanese railway shall also be required to adapt to
this trend.
Table 1 shows the recent status of railway acci-
dents in Japan [1]. Railway accidents are, according
to the Japanese MLIT (Ministry of Land, Infrastruc-
ture and Transport), divided into seven categories
[2]: I, train collision accident; II, train derailment
accident; III, train fire accident; IV, level crossing
*Corresponding author: Department of Aeronautics and Astro-
nautics, Kyoto University, Kyoto 606-8501, Japan. email:
kohda@kuaero.kyoto-u.ac.jp
accident); VI, human injury accident; and VII, prop-
erty damage accident. The first three categories,
which are generically and simply called ‘train
accidents’, can lead to the most critical consequence.
A level crossing accident, the fourth accident cate-
gory, is legally defined as ‘collision or contact
between a train and road vehicles or pedestrians at
a level crossing’. The fifth category is defined as
‘collision or contact between a train and road vehi-
cles or pedestrians at a roadway (except a level cross-
ing)’. This category usually occurs only at the
sections where the roadway and the rail track are in
concomitant use, i.e. tramway. Human injury acci-
dent, the sixth category, is defined as ‘accidents
where human injuries or fatalities are caused by rail-
way vehicle’s operation, except those which should
correspond to categories I to V’.
As shown in Table 1, level crossing accidents
account for around half the number of cases and
about 40 per cent of the number of fatalities in recent

JRR127
IMechE 2008 Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
420 T Kohda and H Fujihara
Table 1 Recent status of railway accidents in Japan (April
2004 to March 2005)
Number of cases Number of fatalities
Accident category Number Ratio (%) Number Ratio (%)
I 3 0.3 0 0
II 14 1.1 1 0.3
III 2 0.2 1 0.3
IV 367 43.2 122 38.5
V 72 8.5 12 0.3
VI 383 45.1 192 60.6
VII 8 0.9 – –
Total 849 100 317 100
years. The sixth category, human injury accident, also
has as a similarly large proportion of cases and fatal-
ities as level crossing accidents. Thus, appropriate
measures to prevent level crossing accidents and
human injury accidents are much needed. Almost
all of the human injury accidents are caused by the
suicidal action of the casualties themselves, such as
trespassing [3]. Therefore, most of their root causes
are related to the personal problems of the accident
victims. Further, the preventive measures for this
category of accidents are usually obtained through
the psychological approach and social science. On
the other hand, most of the level crossings in the
Japanese railway are composed of mechanical, elec-
tric, and electronic equipment, and so level crossing
accidents can be prevented more suitably by using
technical solutions. Thus, this paper considers the
derivation of a systematic solution for level crossing
accidents as the first step.
Regarding the safety analysis of level crossings,
previous reports studied the effect of the visibility of
crossing rods on the invasion by motorcars [4–6]
and the functional advancement of the obstruction
detector to detect an emergency condition in a level
crossing [7, 8]. Meanwhile, the Railtrack report [9]
tried to perform risk quantification for level crossing
accidents, which was based on a static logical model.
However, these previous studies did not consider
accident sequences and multilayered safety func-
tions. This paper, with consideration of accident
sequences and multilayered safety functions, pre-
sents a simple feasibility study for quantitative risk
assessment of level crossing accidents with the aim
of efficient and effective safety management for
Japanese railway systems. Based on the system con-
trol function model for safety, this paper obtains
the accident occurrence conditions by considering
available protective systems at the occurrence of a
trapped motorcar. The main subject of this paper is
the development of a framework to compare the
alternative safety measures for a system accident.
First, how a level crossing accident occurs is ana-
lysed based on the concept of control functions for
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
safety to obtain occurrence conditions for a collision
accident at a typical Japanese level crossing; their
occurrence probabilities are then evaluated using a
simple phenomenon model. This model shows the
positive correlation between accident occurrence
probability and train speed, which reasonably corre-
sponds to common sense.
2 ACCIDENT OCCURRENCE CONDITIONS
BASED ON CONTROL FUNCTIONS
FOR SAFETY
2.1 Accident occurrence conditions
Generally speaking, to prevent and mitigate a system
accident, several types of safety protection systems
are installed in such large-scale systems as nuclear
and chemical plants and railway systems. The con-
cept of ‘independent protection layers’ [10] or
‘defence in depth’ [11] is considered as a general
approach for safety design in these complex systems.
To mitigate the effect of a failure of some protection
system, another independent protection system is
installed as back-up in the system. To obtain the
merits of redundancy, the independence of protec-
tion systems must be maintained. Otherwise, an
unexpected dependency may affect the system
safety. Table 2 shows examples of multilayered pro-
tection systems in a Japanese railway system [12].
Considering the occurrence of an accident in this
kind of system, the accident occurs owing to the fail-
ure of its control functions for safety [13]. Here, con-
trol functions for safety mean not only safety
protection systems, but also human actions to reduce
the risk caused by a disturbance or component fail-
ure. A control system for safety corresponds to a set
of components which accomplish a control function
for safety. If a control system for safety is normal, it
can accomplish its function to prevent or mitigate a
disturbance. Thus, for a system accident to occur,
the following two conditions must be satisfied.
Condition 1 (C1) A disturbance such as human
erroneous action and component failure must occur
that can cause an initial deviation leading to a system
accident.
Condition 2 (C2) Control systems for safety must
fail, which can prevent or mitigate the disturbance.
Figure 1 shows accident occurrence conditions in
terms of the event tree representation. An accident
sequence can be obtained tracing the branches
from left to right. For example, by tracing the upper
branch for each divided branch, event sequence
I*S1 can be obtained, which represents a logical
AND combination of the occurrence of a disturbance,
I, and the success of safety control function 1. Conse-
quence ‘No Damage’ means success in preventing
JRR127
IMechE 2008
 Risk analysis of level crossing accidents based on systems control for safety 421

Table 2 Examples of multilayered protection systems in railway systems

Levels of Accident case I: Accident case II:

protection Railway signal violation Level crossing accident

Level I Quality improvement of train drivers Prevention of road vehicle’s

(Prevention of failures) Reliability improvement of signal system incautious approach to the
level crossing
Level II Automatic train stop (ATS) Easily escapable crossing rod
(Prevention of Fail-safe mechanism at exit
critical conditions) in signal system
Level III Catch point Obstruction detector
(Prevention of (Transmission of train protection Emergency brake of train
accidental progression) radio signal)
Level IV Transmission of train protection Transmission of train
(Mitigation of radio signal protection radio signal
accident consequence) Accident restoration work Accident restoration work

Fig. 1 Event tree for a system accident

a system accident. Similarly, an event sequence
leading to a fatal damage is obtained as I*F1*F2,
which represents a logical AND combination of the
occurrence of a disturbance, I, the failure of safety
control function 1, F1, and the failure of safety con-
trol function 2, F2. Thus, the accident occurrence
condition in the event tree can be represented as a
logical AND combination of the occurrence con-
dition of a disturbance (which corresponds to C1)
and failure conditions of safety control systems
related to the disturbance (which correspond to C2).
To obtain the accident occurrence conditions, both
the disturbances leading to system accidents and
the control systems for safety related to them must
be identified. In Fig. 1, control functions are safety
control functions 1 and 2. Condition C1 corresponds
to I, while condition C2 corresponds to F1*F2.
2.2 Occurrence conditions of disturbances
To identify a disturbance or initiating event which
can lead to a system accident, there are two types of
approaches: bottom-up and top-down. The former
corresponds to failure-mode-and-effects analysis
(FMEA) [14], while the latter corresponds to fault
tree analysis (FTA) [15]. In FMEA, the possible effect
of a component failure, human erroneous action, or
external event is evaluated from the component level
to the system level using functional relations among
components in the system hierarchical structure.
Based on its effect on the system, a disturbance to
be considered for the safety design can be selected.
On the other hand, in FTA, an end state, or a system
accident to be prevented and mitigated, is first
defined, and then a logic tree is constructed step by
step, which shows the cause–effect relation between
the system accident and basic events representing
component failures and human errors. Minimal
combinations of basic events leading to the system
accident can be obtained, each of which corresponds
to an occurrence condition of the specified system
accident. In this paper, the FMEA approach is applied
to the selection of an initiating event based on the
previous accident data. So, disturbances to be miti-
gated are assumed at first.
2.3 Failure conditions of control systems
for safety
Control functions for safety, which can prevent or
mitigate a specific abnormal event, are generally
composed of three basic functions: detection, diag-
nosis, and execution. Detection consists of monitor-
ing system states continuously or periodically to
obtain information on the current state of the plant,
and detecting its abnormality. Diagnosis is composed
of identifying the cause of the system abnormality
and selecting an appropriate control action. Execu-
tion corresponds to the execution of the selected con-
trol action. Corresponding to these basic functions, a

JRR127
IMechE 2008 Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
422
control system for safety can be composed of three
parts: the sensing part, controlling part, and execut-
ing part. The primary function of a component can
clarify which part of a control system for safety it
constitutes. For each disturbance or initiating event,
control systems for safety which can prevent it must
be identified. By examining whether its sensing part
can detect the effect of a disturbance or not, a control
system for safety related to the accident can be easily
identified. Tracing the information flow from the sen-
sing part, the whole structure of a control system for
safety can be identified, where each function can be
achieved by a different system component such as
human operator or computerized machine.
In obtaining failure conditions of a control system
for safety, its decomposition into sensing, control-
ling, and executing parts can clarify what kinds of
dysfunction can happen. For a control function for
safety to work successfully, all three basic functions
must work successfully. Thus, the failure condition
of a control system for safety can be obtained as a
logical OR combination of failure conditions of each
part. For example, consider an operator recovery
action initiated by an alarm. The alarm corresponds
to the detection of a disturbance, and the operator
plays the role of diagnosis of the disturbance and
the execution of an appropriate action. In this case,
Fig. 2 Typical level crossing system in Japan
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
T Kohda and H Fujihara
both the normal function of the alarm and the
successful performance of the human operator are
essential to accomplish the control function for
safety. Human errors such as perceptional error and
omission error must be considered based on the
diagnosis and execution actions required of human
operators. Human factor analysis [16] should be
performed by focusing on the basic functions allo-
cated to operators, which can also clarify the neces-
sary interactions of human operators with system
components.
3 LEVEL CROSSING ACCIDENTS
In the following section, consider the risk caused by
a trapped vehicle in a level crossing as shown in
Fig. 2. When a train approaches a level crossing,
the automatic approaching train detector makes the
level crossing signals ring and flash. Simultaneously,
crossing rods automatically begin to fall down to
close the level crossing and block the entry of road
vehicles and pedestrians. If a road vehicle or pedes-
trian is trapped in the closed level crossing, the
obstruction detector will detect it, mainly as the
interception of an infrared ray. At the same time, a
driver in the trapped vehicle also can push on the
obstruction warning device to activate the special
JRR127
IMechE 2008
 Risk analysis of level crossing accidents based on systems control for safety
signal. Then, the special signal will flash and inform
the train driver about the emergency. The train driver
will brake the train immediately after detecting the
signal flashing and ringing. Even if the train driver
passes by the special signal without noticing its alert,
he can perform an emergency stop by catching sight
of the trapped motorcar himself.
3.1 Level crossing protection system in the
Japanese railway
A brief history of level crossing protection systems
in the Japanese railways is summarized as follows
[17, 18]. In the 1920s, about 50 years after the start of
the Japanese railway, collision accidents of trains
and road vehicles at level crossings increased. Soon
afterwards, some safety devices were developed and
introduced to prevent these accidents – automatic
approaching train detectors in 1928 and crossing rods
of the mechanical falling type in 1930. In 1952, when
crossing rods of the automatic falling type combined
with automatic approaching train detector were intro-
duced, the basis of the modern style of Japanese level
crossing system was established. Then, level crossing
obstruction detectors, one of the most important
devices for today’s level crossing safety, were intro-
duced as additional equipment in 1962.
3.2 Level crossing model
As shown in Fig. 2, the following equipment and
devices are assumed to make up the level crossing
protection systems considered in this paper.
a1. An automatic approaching train detector detects
the approach of a train and controls the level crossing
system by activating level crossing gates and level
crossing signals.
a2. Level crossing obstruction detectors detect the
existence of pedestrians and vehicles trapped in the
level crossing and turn on special signals to stop an
approaching train.
a3. A driver in the trapped vehicle can turn on the
special signal by pushing on the obstruction warning
device of the signal to inform the driver of the
approaching train about the emergency.
3.3 Accident scenarios
Collision objects related to level crossing accidents
include motorcars, motorcycles, bicycles, and pedes-
trians. Recent statistics [1] show that motorcars
amount to about two-thirds of total collision acci-
dents. Also, owing to their weight and size, motorcars
as collision objects can lead to the most severe conse-
quences. Meanwhile, the immediate causes of level
crossing accidents include trapping (a motorcar
comes first to the level crossing) and side collision
(a train comes first). Trapping is mostly caused by
JRR127
IMechE 2008
423
errors of car drivers such as running off and rushing,
engine stall, or a traffic jam at the level crossing exit.
In recent years, about three-quarters of level crossing
accidents have trapping as the direct cause [19]. This
means collision between a trapped motorcar and a
train is the most typical pattern of level crossing acci-
dents in Japan. Thus, the following initiating event is
assumed in this example.
a4. A motorcar is trapped in the closed level crossing
and has no chance of evacuation.
Under this condition, a level crossing accident can
occur if the train cannot stop in front of the level
crossing.
3.4 Control systems for safety
To obtain the accident occurrence conditions, the
first step is to identify control systems for safety (or
protection systems) which can prevent the accident
caused by a trapped motorcar. The first necessary
function is to detect the occurrence of the trapped
motorcar. The trapped motorcar can be detected in
the following three ways: S1, the detection by the
obstruction detector; S2, the detection by the driver
himself in the trapped motorcar who pushes on the
obstruction warning device; and S3, the driver of the
approaching train with his sight.
For each case, controlling and executing parts of
the corresponding protection system are identified
as follows.
S1. The obstruction detectors activate the special sig-
nal to inform the train driver in the train about the
emergency, and he notices the signal to brake the
train.
S2. The special signal activated by the driver of the
trapped motorcar directs the driver in the approach-
ing train to brake.
S3. The train driver in the train by himself brakes.
From the viewpoint of control systems for safety, the
difference between S1 and S2 exists only in the sen-
sing part, while their controlling and execution parts
are the same. Thus, they should be combined into
one control system for safety. This combined control
system is denoted as ‘(S1 þ S2)’, which means a
logical OR combination of S1 and S2. In S3, the train
driver himself plays all functions of a control system
for safety. The primary control system is for the train
driver to stop the train with the aid of obstruction
detectors and special signals. The other control sys-
tem is the train driver by himself, who detects the
trapped motorcar and brakes the train. This system
can function only if the primary control system fails.
Thus, two control systems for safety can be identi-
fied. Note that all control systems for safety include
the train driver as their controlling and execution
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
424 T Kohda and H Fujihara
Safety Control
Function (S1+S2):
Train Stop with
Special Signal
Motorcar
Success
Trapped
Occurrence
Failure
Fig. 3 Event tree representation
parts. Accident sequences can be obtained as shown
in Fig. 3, with an initiating event, a trapped motorcar,
and two control functions for safety: (S1 þ S2), train
stop with special signal; and S3, train stop with
driver’s visual recognition. In this example, since
‘accident’ is defined as ‘collision between a train
and a motorcar at a level crossing’, ‘safe state’ should
correspond to ‘no accident’.
3.5 Accident occurrence conditions
3.5.1 Initiating events
Primary causes of trapped motorcars in a level cross-
ing are as follows [19]: errors of a motorcar driver in
detecting the warning signal at the level crossing
such as his slip (denoted as I1), a traffic jam in the
front owing to the motorcar driver’s judgement error
or violation (denoted as I2), and motorcar failure or
lack of motorcar driver’s skill (denoted as I3).
For simplicity, the following assumption is made
on the occurrence of a trapped motorcar.
a5. Initiating events occur statistically independently,
and the average occurrence rate of trapped motor-
cars can be obtained based on the previous accident
data at the level crossing.
The effect of the operating conditions of the train can
be obtained by the risk analysis of the average cum-
ulative frequency during a specific operating period.
3.5.2 Failure conditions of protection systems
Failure conditions of protection using the special sig-
nal to stop the train and those of direct protection by
the train driver can be obtained as the fault tree
representations [15] in Figs 4 and 5, respectively. In
Fig. 4, basic events (component failure or human
error) and intermediate events are denoted in terms
of ‘Am’, ‘Am–n’, ‘Am–n–h’, and ‘Am–n–h–i’, where
m, n, h, and i are specific index numbers, while
‘Bm’ denotes a basic event in Fig. 5.
Both of the control functions for safety are com-
posed of three basic functions: detection, diagnosis,
and execution. All basic functions must work for the
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
Safety Control
Function (S3):
Train Stop with
Driver’s Visual Recognition
NO ACCIDENT
Success
NO ACCIDENT
Failure
ACCIDENT
corresponding control function. Thus, failure condi-
tions of a control function can be represented as
logical OR combination of failure of each basic func-
tion at the first stage. Note that some basic functions
are considered to be combined into one function.
In control system S3, for example, the basic function
of detection is provided by the train driver, and its
failure is represented as B1 in Fig. 5. Since the train
driver takes a protection action immediately after
the detection of an emergency condition, the diagno-
sis function can be combined with the detection one.
The execution is the train driver’s stopping action,
whose failure is B2 in Fig. 5. Even if the driver takes
a normal response, the brake failure nullifies the
safety control action. So, train’s brake system failure,
B3, is added as a cause of the failure condition. Since
any of the failure conditions B1, B2, and B3 can cause
the safety control failure, they are connected as a
logical OR combination. In this way, failure condi-
tions for each control function are represented by
their detailed function failure conditions.
3.5.3 Accident occurrence conditions
According to the event tree shown in Fig. 3, an accident
occurs if the initiating event occurs with failures of
control systems (S1 þ S2) and S3. Thus, logical AND
combinations of occurrence conditions for a trapped
motorcar, failure conditions of the control system
(S1 þ S2), and failure conditions of the control system
S3 give accident occurrence conditions. Failure condi-
tions of control systems (S1 þ S2) and S3 are obtained
from fault trees in Figs 4 and 5, respectively. Thus, acci-
dent conditions are obtained as follows
(I1 OR I2 OR I3)
AND[{(A1–1–1–1 OR A1–1–1–2 OR A1–1–2)
AND (A1–2–1 OR A1–2–2–1 OR A1–2–2–2)}
OR (A2–1 OR A2–2) OR (A3–1 OR A3–2 OR A3–3)]
AND (B1 OR B2 OR B3)
The above equation is a logical AND combination of
three main terms. The first term (I1 OR I2 OR I3)
represents the occurrence conditions of a trapped
motorcar, meaning that a trapped motorcar is caused
by any of I1, I2, and I3. The second [ ] term
JRR127
IMechE 2008
 Risk analysis of level crossing accidents based on systems control for safety 425

Failure of “Train Stop with

Special Signal”
(CFS1)
OR

Detection Failure of Control Failure Failure of

Trapped Motorcar by Special Signal Stopping Procedure
(A1) (A2) (A3)
AND OR OR

Failure of Train Driver’s Train Driver’s

Train’s
Failure of Transfer System Failure of Failure of
Brake System
Special Signal of Detecting Stopping
Failure
Special Signal Special Signal Action

(A2-1) (A2-2) (A3-1) (A3-2) (A3-3)

Obstruction Detector’s Detection Failure with

Failure of Detection Obstruction Warning Device

(A1-1) (A1-2)
OR OR

Obstruction Detector Undetected Failure of Failure to Push on

Failure Position of Obstruction Obstruction Warning Device
Objects by Warning
(A1-1-1) Detectors Device (A1-2-2)
OR OR
(A1-1-2) (A1-2-1)

Person’s Nonexistence
Infrared Emitter Infrared Receiver
Ignorance of of Persons
Failure Failure
Device Concerned

(A1-1-1-1) (A1-1-1-2) (A1-2-2-1) (A1-2-2-2)

Fig. 4 Fault tree for control system (S1 þ S2)

corresponds to the failure conditions of the control Failure of “Train Stop with
system (S1 þ S2), whose logical expression can be Driver’s Visual Recognition”
obtained from the fault tree in Fig. 4. By sequentially (CFS2)
replacing an upper event by either AND or OR combi-
OR
nation of its lower events, depending on the logical
gate, the second [ ] term can be obtained. The last
term (B1 OR B2 OR B3) means the failure conditions
of control system S3 represented by the fault tree in Train Driver’s Train Driver’s
Failure Train’s
Fig. 5. Expanding the above equation into logical OR Failure of
of Detecting Brake System
of logical AND of basic events, each logical AND Stopping Failure
Trapped
combination represents a minimal cut set (or a mini- Action
Vehicle
mal combination of basic events which causes an
(B1) (B2) (B3)=(A3-3)
accident). In this case, 127 minimal cut sets are
obtained. Fig. 5 Fault tree for control system S3

JRR127
IMechE 2008 Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
426 T Kohda and H Fujihara

Human error probabilities are considered to be depending on the train’s velocity and position when
much higher than hardware component failure prob- a motorcar is trapped, how the accident scenario
abilities. Since hardware component failure probabi- changes will be investigated. To simplify the discus-
lities are relatively low, the higher product terms of sion, the following assumptions are made on the
hardware component failures can be negligible. trapped motorcar and the train operation.
Thus, 15 minimal cut sets simplified under these
b1. A single direction of the railway track is considered.
assumptions are obtained as shown in Table 3. A logi-
b2. The train passes over an automatic approaching
cal AND combination of basic events in a minimal
train detector at a velocity of V m/s, and continues
cut set shows an accident condition. to run at the same velocity until its driver brakes.
Without noticing the special signals (represented by b3. At the level crossing with signals flashing and
A3–1), the train driver can find the emergency only by ringing, the occurrence rate of a trapped motorcar is
looking at the sight. However, if a driver fails in the constant, denoted as l times/h.
operation of the stopping action after noticing the spe-
cial signal, it seems impossible that he can stop the At the first step, examine whether the running train
train with his visual inspection. Considering depen- can be stopped before the level crossing by the train
dency between successive driver actions, the minimal driver’s braking action. If the driver tries with the
cut sets can be simplified further as shown in Table 4. train running at the velocity of V m/s, the minimal
The potential significant contributors to an accident distance necessary for the train to stop, Dmin (m),
are the train driver’s loss of braking action (repre- can be calculated as
sented by A3–2) and the failure of the train brake sys-
V2
tem (represented by B3). However, comparing their Dmin ¼ ð1Þ
failure frequencies, the latter can be neglected and 2a
the driver’s actions are the most important. where a denotes the constant deceleration (m/s2).
Here, value a is fixed so as to satisfy the Japanese
regulation [20] that the necessary distance to stop
4 OCCURRENCE PROBABILITY OF LEVEL trains by initiating an emergency brake must be less
CROSSING ACCIDENTS than or equal to 600 m. Since the maximal velocity
of a conventional train is 140 km/h, or 38.9 m/s, a
4.1 Context dependency in accident scenarios can be estimated as 1.26 m/s2. This value is applied
in the current example. For V ¼ 80 km/h, Dmin ¼
The event tree in Fig. 3 assumes that all protection 196.0 m. Unless a special signal is identified at least
systems installed in a level crossing are available, 600 m before a level crossing, a local train with the
and first the protection system with the special signal maximal velocity cannot stop before the level
tries to prevent the accident; in the worst case the crossing. Note that the value of a is dependent on
driver himself can brake the train by noticing the the weather conditions in such a way that it
trapped motorcar. However, depending on the train decreases in rainy conditions.
position when a motorcar is trapped in the level The following characteristic values of the level cross-
crossing, the effective protection systems vary, result- ing system are defined as shown in Fig. 6: Dc (m) is the
ing in different accident sequences. In this section, distance of the automatic approaching train detector
from the level crossing; Ds (m) is the distance of the
Table 3 Simplified minimal cut sets for accident occur- special signal from the level crossing; Dsh (m) is the
rence maximal distance from the level crossing at which a
train driver can identify the state of the special signal
Simplified minimal cut sets visually; Dh (m) is the maximal distance from the level
(I1, A3–1, B1), (I1, A3–1, B2), (I1, A3–2, B1), (I1, A3–2, B2) crossing at which a train driver can identify its state
(I2, A3–1, B1), (I2, A3–1, B2), (I2, A3–2, B1), (I2, A3–2, B2) visually.
(I3, A3–1, B1), (I3, A3–1, B2), (I3, A3–2, B1), (I3, A3–2, B2) Generally speaking, it can be assumed that
(I1, B3), (I2, B3), (I3, B3)
b4. Dc > Ds > Dh
Depending on the necessary distance to stop the
Table 4 Finally simplified minimal cut sets
train Dmin, and the train driver’s visible distances
Simplified minimal cut sets Dsh and Dh, the availability of protection systems
(S1 þ S2) and S3 can be determined as follows.
(I1, A3–1, B1), (I2, A3–1, B1), (I3, A3–1, B1),
(I1, A3–1, B2), (I2, A3–1, B2), (I3, A3–1, B2), C1. Dmin > Dsh: Neither of the protection systems
(I1, A3–2), (I2, A3–2), (I3, A3–2),
(I1, B3), (I2, B3), (I3, B3)
(S1 þ S2) and S3 functions; the train driver cannot
prevent a collision accident.

Proc. IMechE Vol. 222 Part O: J. Risk and Reliability JRR127
IMechE 2008
 Risk analysis of level crossing accidents based on systems control for safety
Train Driver’s
Cabin
Train
Automatic Approaching Train Detector
Fig. 6 Characteristic distances of level crossing
Table 5 Average frequency of trapping
Available Average
Trapping condition protection systems cumulative frequency
Dc > Dt>Ds 1&2 l(Dc
Ds)/V
Ds > Dt > Dmin 2 l(Ds
Dmin)/V
Dmin > Dt Null lDmin/V
C2. Dsh > Dmin > Dh: Only protection system (S1 þ S2)
can function; special signals can prevent a collision
accident, but the train driver cannot prevent it by
himself.
C3. Dh > Dmin: Both protection systems (S1 þ S2) & S3
can function; with special signals or the sight of level
crossing, the train driver can prevent a collision
accident.
Distances Dc, Ds, Dh, and Dmin are determined by the
facility of a level crossing, its environmental condi-
tions, and the operating conditions or speed of trains.
Train operating condition affects the availability of
protection systems as shown above and the integrity
of the overall level crossing system. Further, in a
practical case, characteristic values of distance para-
meters depend on the geographical factors such as
undulations and curvature of a railway track, as well
as the weather conditions.
In the following discussion, consider case C3 to
evaluate accident occurrence probability. For simpli-
city, the following assumption is made.
b5. The train track is straight with an unobstructed view.
4.2 Occurrence probabilities of basic events
4.2.1 Occurrence of trapped motorcars
A trapping can occur if a motorcar enters the level
crossing after a train passes over the automatic
approaching train detector. From assumption b3 on
the occurrence of a trapped motorcar, the average
cumulative trapping frequency during time period
Dc/V (s) when crossing rods are activated can be
obtained as lDc/V times according to the Poisson
distribution. Let Dt (m) denote the distance of the
JRR127
IMechE 2008
427
Level Crossing
Special Signal
Dsh
Dh
Dc
Ds
train from the level crossing when a motorcar is
trapped. Depending on Dt, the availability of protec-
tion systems (S1 þ S2) and S3 changes according to
conditions C1, C2, and C3, which also modifies its
accident scenario. Consider the case where
b6. Dc > Ds > Dh > Dmin
and available protection systems and the average
cumulative trapping frequency can be obtained as a
function of Dt, as shown in Table 5.
For each trapping condition, accident scenarios
can be obtained using the available protection sys-
tems. The sum of average cumulative frequency
amounts to the average cumulative occurrence fre-
quency of trappings. Multiply the frequency of trains
running at the velocity of V (m/s) by the average
cumulative occurrence frequency to give the basic
occurrence frequency of trappings.
4.2.2 Failure of protection systems
Generally speaking, compared with hardware com-
ponent failure probability, human error probability
is much higher. Human error related to the operation
of stopping the train is the most significant contri-
butor to the failure of protection system (S1 þ S2).
Similarly, for the protection system S3, human error
probability is much higher than failure probability
of the brake system.
In the evaluation of human error probability in the
stopping action, HEART (human error assessment
and reduction technique) [21], is applied in this
paper. The operation of stopping the train is com-
posed of perceiving the abnormal conditions by see-
ing the special signal or the sight, and braking the
train immediately. This task corresponds to general
task type E in the classification by HEART, which is
a well-trained quick task that does not require much
skill. The basic error probability is 0.02 per demand.
4.3 Quantitative risk assessment
4.3.1 Occurrence of trapped motorcars
Depending on train position Dt (m) when a motor-
car is trapped in the level crossing, the accident
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability
428 T Kohda and H Fujihara

occurrence probability can be obtained as shown in
Table 6. The average frequency per month of acci-
dent conditions is obtained as the average cumula-
tive frequency in Table 5, multiplied by the number
of trains per month passing the level crossing at the
velocity of V (m/s).
4.3.2 Numerical example
The following parameter values are assumed regard-
ing the level crossing systems.
b7. Average number of trains running at the velocity
of V (m/s) is 3600 per month.
b8. Occurrence rate of a trapped motorcar per
passing train, l, is 0.0001 (times/h).
b9. Ds ¼ 0.9 (km) and Dc ¼ 1.2 (km).
b10. Human errors occur independently, whose
occurrence probabilities are 0.02 per demand.
In order to consider the effect of train velocity on
the accident frequency, obtain the accident fre-
quency for V ¼ 80, 90, 100, 110 (km/h). Table 7 shows
the results. These results show that the accident
occurrence frequency increases as the train velocity
increases from 80 (km/h) to 110 (km/h). The period
when the level crossing is closed is shorter as the
train velocity increases, leading to the decrease of
trapping frequency. On the other hand, the period
when no protection system is available increases
because the exposure time to fatal trapping is given
as (Dmin/V ¼ V/(2a)). Since the accident occurrence
probability (AOP) under conditions where protection
systems are available is much lower than the AOP
without protection systems, the increase of period
when no protection system is available has a consid-
erable effect on the accident frequency. In total, the
accident frequency increases as the train velocity
increases. Note that this evaluation does not consider
the effect of train velocity on operation errors of the
train driver. As the train velocity increases, the avail-
able time for the preventive action becomes less
and the visibility also becomes worse, leading to the
increase of human errors. Thus, the human factor
[16] must be considered for the improvement of the
proposed model.
Further, reducing the train velocity will reduce the
accident frequency, but only ‘marginally’. If the risk
of level crossing accidents is still rather high, some
protective measures must be considered. However,
the above analysis shows that the most significant
contributing factor to the collision accident is the
uncontrolled area owing to the train inertia. No pro-
tection system is effective to reduce the inertia effect.
To reduce the uncontrolled area a, more powerful
Table 6 Accident occurrence condition and probability
Condition MCS for FPS AOP under condition
Dc > Dt>Ds (A3–1, B1) Pr{A3–1}[Pr{B1}
(A3–1, B2) þ (1–Pr{B1})Pr{B2}]
(A3–2) þ (1–Pr{A3–1}) Pr{A3–2}
Ds > Dt>Dmin (A3–1) Pr{A3–1} þ (1–Pr{A3–1}) Pr{A3–2}
(A3–2)
Dmin > Dt (1) 1
Note: MCS denotes minimal cut sets; FPS denotes failure of
protection system; AOP denotes accident occurrence probability;
(1) means that it is always true.

Table 7 Accident frequency

Trapping condition Trapping frequency AOP under condition Accident frequency

(a) V ¼ 80 (km/h)
Dc > Dt > Ds 0.001 35 0.0204 2.75 · 10
5
Ds > Dt > Dmin 0.003 17 0.0396 0.000 125
Dmin > Dt 0.000 882 1 0.000 882
Total 0.005 40 – 0.001 03

(b) V ¼ 90 (km/h)
Dc > Dt > Ds 0.001 20 0.0204 2.45 · 10
5
Ds > Dt > Dmin 0.002 51 0.0396 0.000 103
Dmin > Dt 0.000 992 1 0.000 992
Total 0.004 80 – 0.001 12

(c) V ¼ 100 (km/h)

Dc > Dt > Ds 0.001 08 0.0204 2.20 · 10–5
Ds > Dt > Dmin 0.002 14 0.0396 8.47 · 10–5
Dmin > Dt 0.001 10 1 0.001 02
Total 0.004 32 – 0.001 21

(d) V ¼ 110 (km/h)

Dc > Dt > Ds 0.000 98 0.0204 2.00 · 10
5
Ds > Dt > Dmin 0.001 74 0.0396 6.87 · 10
5
Dmin > Dt 0.001 21 1 0.001 21
Total 0.003 93 – 0.001 30

Proc. IMechE Vol. 222 Part O: J. Risk and Reliability JRR127
IMechE 2008
 Risk analysis of level crossing accidents based on systems control for safety
brake system should be developed to reduce the
necessary distance to stop, or the occurrence rate of
a trapped motorcar should be reduced. In this sense,
the prevention of an initiating event should be con-
sidered first, and then the residual risk should be
mitigated by addition of protection systems.
5 CONCLUSIONS
This paper presents a primitive risk analysis study of
accident occurrences caused by a trapped motorcar
at a conventional level crossing in Japan. A simple
analysis result using a simple phenomenal model of
the train movement shows that the period when no
protection systems are available has a considerable
effect on the accident probability, and the exposure
time to this period increases as the train velocity
increases. Thus, a well-known fact that the increase
of the train velocity leads to the increase of accident
frequency can be explained more analytically by the
model-based approach.
The presented analysis is the first step toward the
analysis of accidents caused by a trapped motorcar
at the level crossing. In this paper, the prevention of
initiating events or disturbances and the background
factors of human errors were not considered. An initi-
ating event can happen even with complete measures
on the level crossing system or against human factor
problems, and so the protection measures after the
occurrence of initiating events must be prepared and
validated. The focus of the paper is on the effective-
ness of protection systems activated after the occur-
rence of an initiating event. However, as shown in
the example, the risk reduction using protection sys-
tems cannot be sufficient, and so the prevention of
initiating events must be considered. For identifica-
tion and prevention of latent conditions such as orga-
nizational influences, Reason’s Swiss Cheese Model
[22] should be applied. The next step in the authors’
study is to consider effective protection measures,
including the prevention of trapping at the level cross-
ing. For this purpose, the proposed method should be
improved by conducting more practical case studies.
REFERENCES
1 Database of Railway Safety (in Japanese), 2006 (Railway
Technical Research Institute, Japan).
2 Railway Accidents Reporting Regulation (in Japanese,
revised in 2001 by the Ministry of Land, Infrastructure
and Transport, Japan), 1987 (Ministry of Transport, Japan).
3 Information about the Safety of Railways and Tramways
(in Japanese), 2007 (Ministry of Land, Infrastructure and
Transport, Japan).
JRR127
IMechE 2008
429
4 Mori, N. Safety measures for level crossings (in
Japanese). Railway Electl Engng, 2003, 14(2), 3–6.
5 Kawano, T. The effect of introduction of ‘red & white’
large-diameter crossing rods (in Japanese). Railway
Electl Engng, 2003, 14(2), 36–41.
6 Inoue, T. and Fukuda, H. Study on evaluation methods
of visibility of level crossing (in Japanese). RTRI (Railway
Technical Research Institute) Report, 2000, 14(12), 7–12.
7 Ohta, M. An obstacle detection system for level cross-
ings using stereo cameras (in Japanese). RTRI (Railway
Technical Research Institute) Report, 2003, 17(6),
11–16.
8 Sato, K. and Nakajima, K. Obstruction detecting
devices on a level crossing using ultrasonic sensors
(in Japanese). Railway Electl Engng, 2001, 12(7), 24–28.
9 EE&CS Report: Infrastructure risk modelling – Automatic
level crossing – Automatic half barrier type (consequence
models), 1998 (Railtrack).
10 AIChE Center for Chemical Process Safety. Layer of
protection analysis, simplified process risk assess-
ment, 2001 (American Institute of Chemical Engi-
neers, New York).
11 International Nuclear Safety Group (INSAG). Defence
in depth in nuclear safety, 1996, INSAG-10 (Interna-
tional Atomic Energy Agency).
12 Fujihara, H. Safety and multi-layered protection in rail-
way system (in Japanese). RRR (Railway Research
Review), 2005, 62(11), 10–13.
13 Kohda, T. and Fujihara, H. Accident sequence analysis
of railway accidents based on safety control functions.
In Proceedings of 2005 Asia-Pacific Conference on Risk
Management and Safety, 2005, pp. 346–351 (Hong
Kong Association of Risk Management and Safety,
Hong Kong).
14 Henley, E. J. and Kumamoto, H. Probabilistic risk
assessment, reliability engineering, design and analysis,
1991 (IEEE Press, California).
15 NASA. Fault tree handbook with aerospace applications,
Version 1.1, 2002 (NASA).
16 Vincent, K. J. The human factor: Revolutionizing
the way people live with technology, 2003 (Routledge,
New York).
17 Development history of railway signal (in Japanese),
1980, p. 441 (Signal Safety Association of Japan).
18 Level crossing safety devices (in Japanese), 2002 (Railway
Electrical Engineering Association of Japan).
19 Inoue, T., Kusukami, K., and Konno, S. Car driver
behavior in railway crossing accident (in Japanese).
RTRI (Railway Technical Research Institute) Report,
1994, 8(12), 13–18.
20 Article 54, Regulation for railway operating (in
Japanese), 1987 (rescinded in 2002).
21 Williams, J. C. A data-based method for assessing
and reducing human error to improve operational
performance. In Proceedings of 4th IEEE Conference
on Human factors in nuclear power plants, Monterey,
California, 1988, pp. 436–450.
22 Reason, J. Human error, 1990 (Cambridge University
Press, New York).
Proc. IMechE Vol. 222 Part O: J. Risk and Reliability