TSC Tbl1plus Rams Pha DRAFT
Hazard Analysis
ID: tsc_tbl1plus_rams_pha
Version: DRAFT
Status: Review
Date:
Configuration Management
Commit: 57a34cfa
On branch: 5061-create-tbl1-app-pha
Document signature
02c4b9d1d1035800ef16f69071c8cb6bcb155256
CONTENTS
2 Introduction 4
2.1 Context 4
2.2 Purpose 4
2.3 Contents 5
2.4 Applicable documents 5
2.5 Reference documents 5
2.6 Terms and definitions 5
2.7 Prerequisites 6
2.8 Artifacts definition 6
5 System Description 9
7 Conclusions 15
9 Annex C Causes 17
10 Annex D Mitigations 18
CHAPTER TWO
INTRODUCTION
2.1 Context
The TBL1+ program consists of developing a Generic Application kit that is intended to be used together
with the iEVC platform. The TBL1+ application from this kit implements the requirements
from [TBL1Plus-PHA-R10_ARS-R5-INF-TBL1plus-SGv3.4], [TBL1Plus-PHA-R11_ARS-R6-MEMOR] and
[TBL1Plus-PHA-R2-SYAD].
The TBL1+ application may be used either as a stand-alone signalling application or in bi-standard mode (under
the supervision of the ETCS signalling application).
The present document constitutes the main deliverable of CENELEC phase 3 (“Risk analysis and evaluation”). It
describes (i) how the risk assessment (risk analysis and risk evaluation) is undertaken during the earlier stages of
the TBL1 Plus Application and (ii) how hazards are tracked, managed and closed through a specific hazard log.
This document is the TBL1 Plus Application Preliminary Hazard Analysis.
2.2 Purpose
This document describes the generation and the basic approach of a first accident list generation (high-level
hazards), its extension to a preliminary hazard analysis (PHA) and their inclusion into an agile structure of hazard
log (HazLog).
The present deliverable responds to the following objectives:
1. to identify hazards derived from possible system errors and faulty states in main operative conditions;
2. to assess the resulting risk level derived from identified hazards (risk qualifying);
3. to identify mitigation measures for each identified hazard;
4. to evaluate resulting safety level (residual risk) after implementation of the measures;
5. to identify Safety Related Application Conditions (operational procedures to be applied in normal or degraded
conditions, respectively operational maintenance activities).
The safety assessment of the TBL1+ Application consists of identifying the hazards that can be induced by failures
of the application. The identified hazards are then analyzed, and the risks associated with these hazards evaluated.
Finally, all the information concerning safety management activities, hazard identification, decisions undertaken
and solutions adopted is recorded in a HazLog (Hazard Log) table.
2.3 Contents
The terms and definitions used in the TBL1+ program are summarized and explained in the TSC glossary
[TBL1Plus-PHA-R7-Glossary].
2.7 Prerequisites
The application component, its functional architecture, its interfaces and its requirements are defined in
[TBL1Plus-PHA-R2-SYAD].
Apportionment of safety requirements has not been completed. As a consequence, not all of the requirements have
a defined safety-related tag “[safety]” or “[non safety]”.
Artifact
TBL1 Plus Application Preliminary Hazard Analysis [artifact]
CHAPTER THREE
3.1 Creation
As required in [TBL1Plus-PHA-R4-SP], the iEVC TBL1 Plus Application Preliminary Hazard Analysis is elaborated
by the Safety Assurance Engineer[role].
3.2 Revision
This iEVC TBL1 Plus Application Preliminary Hazard Analysis represents the system interface hazard analysis
performed for the iEVC system architecture. This document is dynamic, designed to be updated throughout the
project’s evolution, and to be used as the basis for performing other safety-related activities.
New revisions of the iEVC TBL1 Plus Application Preliminary Hazard Analysis are triggered by the iEVC Safety
Assurance Engineer[role].
The document is to be updated upon the occurrence of:
• Addition of other hazards, possibly identified throughout the iEVC project development process (and documented
as part of this hazard analysis and subsequent hazard analyses);
• Addition of other system elements/functions, as necessary;
• Occurrence of relevant changes to the requirements, organization or process;
• Achievement of Major Contract Milestone (if needed);
• Reception of comments from the Employer or independent body.
3.3 Filing
Storage and diffusion of this document are performed according to the rules described in
[TBL1Plus-PHA-R1-PQP].
CHAPTER FOUR
4.1 Scope
In application of TBL1 Plus Safety Plan [TBL1Plus-PHA-R4-SP], the scope of this analysis is to identify all
hazards related to the TBL1 Plus Application during normal or degraded operation conditions, respectively during
preventive, corrective maintenance, or decommissioning activities.
All the risks identified during the PHA are registered in the hazard log.
All the other hazards, which are related to railway operations or to permanent railway infrastructure, trackside
systems and routing/interlocking equipment, are transferred respectively to the Railway Company or the Infrastructure
Manager.
4.2 Limitations
Recap Table
iEVC TBL1 Plus Application Preliminary Hazard Analysis Limitations [recap table]
4.3 Assumptions
Recap Table
CHAPTER FIVE
SYSTEM DESCRIPTION
The TBL1+ system consists of a Generic Application kit that contains a signalling application and associated
documentation. The TBL1+ signalling application is executed on a generic on-board platform (iEVC) that provides
interfaces to the train and to wayside information. The TBL1+ application is modeled in a domain specific
language called EXS, for ERTMS executable Specification. This language is executable directly by the Virtual
Machine of the iEVC platform.
In order to support the execution of TBL1+ application, the iEVC platform provides interfaces with:
• speed information through its odometry function
• balise information through its iBTM function
• one or several DMI to exchange information with the driver/operator
• a recorder (the iEVC Crash Protected Memory) to log operational and maintenance information
• digital I/O to command outputs and collect specific input in the train interface.
The iEVC platform as defined in [TBL1Plus-PHA-R2-SYAD] and [TBL1Plus-PHA-R6-SD] is composed of the
iEVC Basic kit, the iEVC Sensor kit and the iEVC Telecom kit. Refer to [TBL1Plus-PHA-R2-SYAD] for a
detailed description of these kits.
The TBL1+ system needs to access the crocodile information on the tracks. This is possible through the use of a
brush and an associated Crocodile Information Translator[ci]. The translator is a piece of hardware that translates
the crocodile polarity received from the brush into digital inputs that can be connected to the iEVC platform.
Two versions of the application are developed in the frame of this program:
• a stand-alone TBL1+ application that is able to be executed without any ETCS signalling application (Subset
026 application[ci]) inside the iEVC platform
• a bi-standard TBL1+ application that is able to interface the ETCS application through an interface implementing
the application layer of the Subset-035 interface internally to the Virtual Machine.
The TBL1+ kit (Fig. 5.1) provides a generic application certification that covers the development activities related
to the TBL1+ program. It only covers the application itself and needs to be associated with the iEVC Basic kit,
iEVC Sensor kit and possibly the iEVC ETCS kit on which the application relies.
CHAPTER SIX
The initial identification of hazards is elementary for the further risk assessment of a system. The Preliminary
Hazard Analysis (PHA) is an inherent part of the risk assessment process.
For railway systems, the focus of hazard analysis is on the physical integrity of humans and on the undisturbed
operation of the transportation system. By consequence, the hazard analysis shall systematically identify potential
impacts (i) on the physical integrity of persons and (ii) on the integrity of the infrastructure (i.e. rolling stock,
track, civil works, etc.) or the environment.
The complexity of the PHA depends on several boundary conditions (e.g. physical, operational), which are generally
specified in the system definition for further assessment, as well as on the level of detail of the PHA.
A deductive, or top-down, approach is used to develop the PHA. Significant or top-level events (i.e. hazards) are
initially identified, followed by what might have caused them.
The main goal is to achieve as complete a hazard identification as possible.
After the hazard assessment is completed, hazards can be mitigated by deciding to either assume the risk associated
with the hazard or to eliminate or control the hazard. Mitigation of the risk associated with each hazard to an
acceptable level can be accomplished in a variety of ways.
All hazards and mitigation measures which have been identified during the TBL1 Plus Application Preliminary
Hazard Analysis are recorded in the TBL1 Plus Application Hazard Log [TBL1Plus-PHA-R5-Hz_log]: they will
be followed up during each subsequent phase of the project.
The hazards identified during the TBL1 Plus Application Preliminary Hazard Analysis are logged into the TBL1 Plus
Application Hazard Log [TBL1Plus-PHA-R5-Hz_log] and managed according to the safety management process
described in the safety plan [TBL1Plus-PHA-R4-SP]. The proposed mitigation measures, their justification,
derived requirements, and SRACs are also recorded.
All details regarding the Hazard, Cause and mitigation attributes are presented in the Hazard Log management
procedure [TBL1Plus-PHA-R8-hazlog-proc].
The Preliminary Hazard Analysis of the TBL1 Plus Application has been performed and presented in the form of an
FMECA table, in accordance with [TBL1Plus-PHA-R9-SA_proc].
The Excel file contains the following:
(9) Failure_mode: The manner in which the item potentially fails to meet or deliver the intended function and
associated requirements.
(10) ID_Cause: Id of the cause identified.
(11) Cause(s): Clear identification of the cause of each failure mode.
(12) Operational consequences on subsystem(s) / LRU(s): Effects of the failure at subsystem level.
(13) Effect on system: Effects of the failure at system (iEVC) level.
(14) Effect on train: Effects of the failure at train level (impact on operation and service).
Hazard related / Initial Risk estimation
(15) Hazard_situation_id: ID Hazardous scenario from the hazard list.
(16) Initial Gravity: initial gravity estimated in a qualitative/semi-quantitative/quantitative way;
(17) Initial Occurrence: initial occurrence estimated in a qualitative/semi-quantitative/quantitative way;
(18) Initial Risk: initial risk estimation according to [TBL1Plus-PHA-R9-SA_proc];
Note: In case of non-safety related functions, risk parameters are set to ‘-’ meaning that there is no risk associated
with the scenario.
Mitigation measures
(19) Measure ID: Unique and sequential Identification number.
(20) Measure Type: Allocation of the measure as follows:
• D: design;
• O: operational;
• M: maintenance;
• P: process;
• ‘-’: Not applicable;
(21) Measure description: detailed description of the mitigation measure.
(22) Measure owner: responsible for the implementation of the measure.
• iEVC designer
• iEVC Installation Designer
• Maintainer: external to TSC; the vehicle maintainer
• Infrastructure manager
• Operator
• iEVC Safety
• iEVC maintenance: internal to TSC; the maintenance team
(23) General remarks: Additional information on the hazardous event.
Note: Mitigation measures apply if the risk is NOT acceptable. If no mitigation measure is expected, the
columns have to be filled in with “Risk is negligible; no mitigation is assigned”.
Note: If the implementation of a mitigation is outside the scope of iEVC, the mitigation will be
exported.
Note: In case of non-safety related function, the causes are not included.
The “Risk Matrix” tab includes 4 tables that were extracted from “Annex A CATEGORIES AND RISK ACCEPTANCE
CRITERIA” of the iEVC Platform Safety Plan [TBL1Plus-PHA-R4-SP]:
(1) Risk Acceptance Matrix.
(2) Risk Acceptance Categories.
(3) Consequence Severity Categories.
(4) Hazard Frequency Categories.
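The column rules above (non-safety rows carry ‘-’ risk parameters and no causes; mitigation measures apply only when the risk is not acceptable, otherwise the “Risk is negligible; no mitigation is assigned” text is entered; measure type and owner are restricted to the listed values; measure IDs are unique and sequential; mitigations owned outside the iEVC scope are exported) are the kind of consistency checks worth running over the hazard log before a review cycle. The following Python is an added example, not part of the TBL1+ deliverables or of the hazard log procedure; the row and field names, the constructed sample rows, the placeholder gravity/occurrence/risk labels, the set of acceptable risk classes and the set of owners treated as external to the iEVC scope are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Allowed values, taken from the column definitions above.
MEASURE_TYPES = {"D", "O", "M", "P", "-"}
MEASURE_OWNERS = {
    "iEVC designer", "iEVC Installation Designer", "Maintainer",
    "Infrastructure manager", "Operator", "iEVC Safety", "iEVC maintenance",
}
# Assumption: these owners lie outside the iEVC scope, so their mitigations are exported.
EXTERNAL_OWNERS = {"Maintainer", "Infrastructure manager", "Operator"}
NO_MITIGATION_TEXT = "Risk is negligible; no mitigation is assigned"


@dataclass
class Measure:
    measure_id: int      # unique and sequential across the whole log
    measure_type: str    # D / O / M / P / '-'
    description: str
    owner: str


@dataclass
class HazardRow:
    failure_mode: str
    safety_related: bool
    causes: List[str]
    hazard_situation_id: Optional[str]
    initial_gravity: str
    initial_occurrence: str
    initial_risk: str
    measures: List[Measure] = field(default_factory=list)
    remarks: str = ""


def validate_row(row: HazardRow, acceptable_risks: set) -> List[str]:
    """Rule violations for one row; an empty list means the row is consistent."""
    errors = []
    if not row.safety_related:
        # Non-safety functions: risk parameters are '-' and causes are not included.
        if (row.initial_gravity, row.initial_occurrence, row.initial_risk) != ("-", "-", "-"):
            errors.append("risk parameters must be '-' for a non-safety function")
        if row.causes:
            errors.append("causes must not be listed for a non-safety function")
        if row.measures:
            errors.append("no mitigation is expected for a non-safety function")
        return errors
    if not row.causes:
        errors.append("a safety-related failure mode needs at least one cause")
    if row.initial_risk in acceptable_risks:
        # Acceptable risk: no measure is assigned and the remark says so explicitly.
        if row.measures:
            errors.append("risk is acceptable but mitigation measures are assigned")
        if row.remarks != NO_MITIGATION_TEXT:
            errors.append(f"remarks must read '{NO_MITIGATION_TEXT}'")
    elif not row.measures:
        errors.append("risk is not acceptable but no mitigation measure is assigned")
    for m in row.measures:
        if m.measure_type not in MEASURE_TYPES:
            errors.append(f"measure {m.measure_id}: unknown type '{m.measure_type}'")
        if m.owner not in MEASURE_OWNERS:
            errors.append(f"measure {m.measure_id}: unknown owner '{m.owner}'")
    return errors


def validate_log(rows: List[HazardRow], acceptable_risks: set) -> Dict[str, List[str]]:
    """Per-row violations plus the log-wide rule that measure IDs are unique and sequential."""
    report = {}
    for row in rows:
        errs = validate_row(row, acceptable_risks)
        if errs:
            report[row.failure_mode] = errs
    ids = sorted(m.measure_id for row in rows for m in row.measures)
    if ids != list(range(1, len(ids) + 1)):
        report["_measure_ids"] = [f"measure IDs are not unique and sequential: {ids}"]
    return report


def exported_measures(rows: List[HazardRow]) -> List[int]:
    """IDs of measures whose implementation lies outside the iEVC scope (to be exported)."""
    return [m.measure_id for row in rows for m in row.measures if m.owner in EXTERNAL_OWNERS]


# Constructed sample rows; "G?", "O?" and the risk labels are placeholders, not the
# categories of the safety plan's risk matrix.
SAMPLE_ROWS = [
    HazardRow("Brush polarity read inverted", True, ["C1"], "HS-01", "G?", "O?", "not acceptable",
              measures=[Measure(1, "D", "Plausibility check on translator inputs", "iEVC designer"),
                        Measure(2, "M", "Periodic inspection of the brush", "Maintainer")]),
    HazardRow("Recorder write delayed", True, ["C2"], "HS-02", "G?", "O?", "acceptable",
              remarks=NO_MITIGATION_TEXT),
    HazardRow("Maintenance counter display", False, [], None, "-", "-", "-"),
    # Deliberately inconsistent: risk not acceptable, yet no cause and no measure.
    HazardRow("DMI text not refreshed", True, [], "HS-03", "G?", "O?", "not acceptable"),
]
ACCEPTABLE_RISKS = {"acceptable"}  # assumption: the risk classes that need no mitigation

if __name__ == "__main__":
    for mode, errs in validate_log(SAMPLE_ROWS, ACCEPTABLE_RISKS).items():
        print(mode, "->", errs)
    print("exported measures:", exported_measures(SAMPLE_ROWS))
```

Run stand-alone, the script reports only the deliberately inconsistent fourth row (missing cause, missing measure) and lists measure 2 as the one to export, since its owner is the vehicle maintainer. The acceptable-risk set is passed in rather than hard-coded because the actual acceptance categories come from the risk matrix in the safety plan, which this example does not reproduce.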
CHAPTER SEVEN
CONCLUSIONS
xxx
The mitigations identified during the TBL1 Plus Application Preliminary Hazard Analysis are included in Annex
D Mitigations.
CHAPTER EIGHT
Attached file
CHAPTER NINE
ANNEX C CAUSES
The following table summarizes the applicable causes identified during the TBL1 Plus Application Preliminary Hazard
Analysis.
The structure of the table is:
• id: Unique Identification number
• argument: cause description
• mitigation: list of the mitigations required for this cause
• applicable: if false, the mitigation is not applicable
• justification: (only for non-applicable causes) justification of the non-applicability of the cause
Recap Table
Applicable causes identified during TBL1 Plus Application Preliminary Hazard Analysis
CHAPTER TEN
ANNEX D MITIGATIONS
Recap Table
iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation [recap table]
Mitigations identified during the iEVC TBL1 Plus Application Preliminary Hazard Analysis
Recap Table
Exported iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation [recap table]
Exported mitigations identified during the iEVC TBL1 Plus Application Preliminary Hazard Analysis