TSC Tbl1plus Rams Pha DRAFT


TBL1 Plus Application Preliminary Hazard Analysis

ID: tsc_tbl1plus_rams_pha
Version: DRAFT
Status: Review
Date:

Configuration Management
Commit: 57a34cfa
On branch: 5061-create-tbl1-app-pha

Document signature
02c4b9d1d1035800ef16f69071c8cb6bcb155256
CONTENTS

1 Revision history [artifact history] 3
2 Introduction 4
2.1 Context 4
2.2 Purpose 4
2.3 Contents 5
2.4 Applicable documents 5
2.5 Reference documents 5
2.6 Terms and definitions 5
2.7 Prerequisites 6
2.8 Artifacts definition 6
3 Management of iEVC TBL1 Plus Application Preliminary Hazard Analysis 7
3.1 Creation 7
3.2 Revision 7
3.3 Filing 7
4 Scope, Limitations and Assumptions 8
4.1 Scope 8
4.2 Limitations 8
4.3 Assumptions 8
5 System Description 9
6 Hazard Analysis Methodology 11
6.1 Hazard Identification List 11
6.2 Hazard Log 12
6.3 TBL1 Plus Application PHA Analysis Worksheet 12
7 Conclusions 15
8 Annex B TBL1 Plus Application Preliminary Hazard Analysis 16
9 Annex C Causes 17
10 Annex D Mitigations 18

CHAPTER ONE: REVISION HISTORY [ARTIFACT HISTORY]

This artifact version is: DRAFT

This artifact signature: 02c4b9d1d1035800ef16f69071c8cb6bcb155256

Name | Description | Date | Author | Signature | MR

CHAPTER TWO: INTRODUCTION

2.1 Context

The TBL1+ program consists of developing a Generic Application kit that is intended to be used together with the iEVC platform. The TBL1+ application from this kit implements the requirements from [TBL1Plus-PHA-R10_ARS-R5-INF-TBL1plus-SGv3.4], [TBL1Plus-PHA-R11_ARS-R6-MEMOR] and [TBL1Plus-PHA-R2-SYAD].
The TBL1+ application may be used either as a stand-alone signalling application or in bi-standard mode (under the supervision of the ETCS signalling application).
The present document constitutes the main deliverable of CENELEC phase 3 (“Risk analysis and evaluation”). It describes (i) how the risk assessment (risk analysis and risk evaluation) is undertaken during the earlier stages of the TBL1 Plus Application and (ii) how hazards are tracked, managed and closed through a specific hazard log.
This document is the TBL1 Plus Application Preliminary Hazard Analysis.

2.2 Purpose

This document describes the generation of a first accident list (high-level hazards) and the basic approach behind it, its extension into a preliminary hazard analysis (PHA), and the inclusion of both into an agile hazard log (HazLog) structure.
The present deliverable responds to the following objectives:
1. to identify hazards derived from possible system errors and faulty states in the main operating conditions;
2. to assess the resulting risk level derived from the identified hazards (risk qualification);
3. to identify mitigation measures for each identified hazard;
4. to evaluate the resulting safety level (residual risk) after implementation of the measures;
5. to identify Safety Related Application Conditions (operational procedures to be applied in normal or degraded conditions, and operational maintenance activities).
The safety assessment of the TBL1+ Application consists of the identification of hazards that can be induced by failures of the application. The identified hazards are then analyzed, and the risks associated with these hazards evaluated. Finally, all the information concerning safety management activities, hazard identification, decisions undertaken and solutions adopted is recorded in a HazLog (Hazard Log) table.


2.3 Contents

The document is structured as follows:


• Introduction. This section;
• Management of iEVC TBL1 Plus Application Preliminary Hazard Analysis. Describes the rules for the
management of this TBL1 Plus Application Preliminary Hazard Analysis;
• Scope, Limitations and Assumptions. Presents the scope, limitations and assumptions for this TBL1 Plus
Application Preliminary Hazard Analysis;
• System Description. Describes the object of the analysis;
• Hazard Analysis Methodology. Describes the methodology of the analysis;
• Conclusions. Presents the conclusions of the analysis;
• Annex B TBL1 Plus Application Preliminary Hazard Analysis. TBL1 Plus Application Preliminary Hazard
Analysis;
• Annex C Causes. Causes.
• Annex D Mitigations. Mitigations.

2.4 Applicable documents

[TBL1Plus-PHA-R1-PQP] TBL1 Plus Program Quality plan [id: tsc_tbl1plus_pmqa_pqp].
[TBL1Plus-PHA-R2-SYAD] TBL1 Plus Architecture Description [id: tsc_tbl1plus_system_syad].
[TBL1Plus-PHA-R4-SP] TBL1 Plus Application Safety Plan [id: tsc_tbl1plus_rams_safetyplan].
[TBL1Plus-PHA-R5-Hz_log] TBL1 Plus Application Hazard Log [id: tsc_tbl1plus_rams_hlog].
[TBL1Plus-PHA-R6-SD] System Definition.

2.5 Reference documents

[TBL1Plus-PHA-R7-Glossary] TBL1 Plus Glossary [id: tsc_tbl1plus_glossary].
[TBL1Plus-PHA-R8-hazlog-proc] Hazard Log Process “How to” Manage Hazard Log.
[TBL1Plus-PHA-R9-SA_proc] Safety Analysis Process “How to” Perform Safety Analysis V1.0.
[TBL1Plus-PHA-R10_ARS-R5-INF-TBL1plus-SGv3.4] TBL1 Plus General specification v3.4.
[TBL1Plus-PHA-R11_ARS-R6-MEMOR] A.M. from 30 July 2010 – Part C - Generic description of MEMOR system.

2.6 Terms and definitions

The terms and definitions used in the TBL1+ program are summarized and explained in the TSC glossary
[TBL1Plus-PHA-R7-Glossary].


2.7 Prerequisites

The application component, its functional architecture, its interfaces and its requirements are defined in [TBL1Plus-PHA-R2-SYAD].
Apportionment of safety requirements has not been completed. As a consequence, not all of the requirements carry a defined safety-related tag “[safety]” or “[non safety]” yet.

2.8 Artifacts definition

This document defines the TBL1 Plus Application Preliminary Hazard Analysis.

Artifact
TBL1 Plus Application Preliminary Hazard Analysis [artifact]

CHAPTER THREE: MANAGEMENT OF IEVC TBL1 PLUS APPLICATION PRELIMINARY HAZARD ANALYSIS

3.1 Creation

The iEVC TBL1 Plus Application Preliminary Hazard Analysis is elaborated by the Safety Assurance Engineer[role], as required in [TBL1Plus-PHA-R4-SP].

3.2 Revision

This iEVC TBL1 Plus Application Preliminary Hazard Analysis represents the system interface hazard analysis performed for the iEVC system architecture. This document is dynamic: it is designed to be updated throughout the project’s evolution and to be used as the basis for performing other safety-related activities.
New revisions of the iEVC TBL1 Plus Application Preliminary Hazard Analysis are triggered by the iEVC Safety Assurance Engineer[role].
The document is to be updated upon the occurrence of:
• Addition of other hazards, possibly identified throughout the iEVC project development process (and documented as part of this hazard analysis and subsequent hazard analyses);
• Addition of other system elements/functions, as necessary;
• Occurrence of relevant changes to the requirements, organization or process;
• Achievement of a Major Contract Milestone (if needed);
• Reception of comments from the Employer or an independent body.

3.3 Filing

Storage and distribution of this document are performed according to the rules described in [TBL1Plus-PHA-R1-PQP].

CHAPTER FOUR: SCOPE, LIMITATIONS AND ASSUMPTIONS

4.1 Scope

In application of the TBL1 Plus Safety Plan [TBL1Plus-PHA-R4-SP], the scope of this analysis is to identify all hazards related to the TBL1 Plus Application during normal or degraded operating conditions, and during preventive maintenance, corrective maintenance or decommissioning activities.
All the risks identified during the PHA are registered in the hazard log.
All other hazards, i.e. those related to railway operations or to permanent railway infrastructure, trackside systems and routing/interlocking equipment, are transferred to the Railway Company or the Infrastructure Manager respectively.

4.2 Limitations

Recap Table

iEVC TBL1 Plus Application Preliminary Hazard Analysis Limitations [recap table]

Table 4.2.1: iEVC TBL1 Plus Application Preliminary Hazard Analysis Limitations

Id | Description
TBL1Plus-LIMIT-PHA-001 | The TBL1 Plus on-board equipment belongs to the SIL category "Basic Integrity".

4.3 Assumptions

Recap Table

TBL1 Plus Application Preliminary Hazard Analysis Assumptions [recap table]

Table 4.3.1: TBL1 Plus Application Preliminary Hazard Analysis Assumptions

Id | Description
TBL1Plus-ASS-PHA-001 | Cybersecurity activities will be addressed by applying the iEVC Cybersecurity Plan to the TBL1+ program scope.

CHAPTER FIVE: SYSTEM DESCRIPTION

The TBL1+ system consists of a Generic Application kit that contains a signalling application and associated documentation. The TBL1+ signalling application is executed on a generic on-board platform (iEVC) that provides interfaces to the train and to wayside information. The TBL1+ application is modeled in a domain-specific language called EXS (ERTMS executable Specification). This language is executed directly by the Virtual Machine of the iEVC platform.
In order to support the execution of the TBL1+ application, the iEVC platform provides interfaces with:
• speed information through its odometry function;
• balise information through its iBTM function;
• one or several DMIs to exchange information with the driver/operator;
• a recorder (the iEVC Crash Protected Memory) to log operational and maintenance information;
• digital I/O to command outputs and collect specific inputs on the train interface.
The iEVC platform as defined in [TBL1Plus-PHA-R2-SYAD] and [TBL1Plus-PHA-R6-SD] is composed of the iEVC Basic kit, the iEVC Sensor kit and the iEVC Telecom kit. Refer to [TBL1Plus-PHA-R2-SYAD] for a detailed description of these kits.
The TBL1+ system needs to access the crocodile information on the tracks. This is possible through the use of a brush and an associated Crocodile Information Translator[ci]. The translator is a piece of hardware that translates the crocodile polarity received from the brush into digital inputs that can be connected to the iEVC platform.
Two versions of the application are developed in the frame of this program:
• a stand-alone TBL1+ application that can be executed without any ETCS signalling application (Subset 026 application[ci]) inside the iEVC platform;
• a bi-standard TBL1+ application that interfaces with the ETCS application through an interface implementing the application layer of the Subset-035 interface internally to the Virtual Machine.
The TBL1+ kit (Fig. 5.1) provides a generic application certification that covers the development activities related to the TBL1+ program. It only covers the application itself and needs to be associated with the iEVC Basic kit, the iEVC Sensor kit and possibly the iEVC ETCS kit on which the application relies.


Figure 5.1: TBL1+ system by kit

CHAPTER SIX: HAZARD ANALYSIS METHODOLOGY

The initial identification of hazards is fundamental to the further risk assessment of a system. The Preliminary Hazard Analysis (PHA) is an inherent part of the risk assessment process.
For railway systems, the focus of hazard analysis is on the physical integrity of humans and on the undisturbed operation of the transportation system. Consequently, the hazard analysis shall systematically identify potential impacts (i) on the physical integrity of persons and (ii) on the integrity of the infrastructure (i.e. rolling stock, track, civil works, etc.) or the environment.
The complexity of the PHA depends on several boundary conditions (e.g. physical, operational), which are generally specified in the system definition for further assessment, as well as on the level of detail of the PHA.
A deductive, or top-down, approach is used to develop the PHA. Significant or top-level events (i.e. hazards) are initially identified, followed by what might have caused them.
The main goal is to achieve as complete a hazard identification as possible.

6.1 Hazard Identification List

The preliminary hazard analysis of the TBL1+ Application consists of:

• Researching the causes and circumstances of potential accidents related to the system and its interfaces (with other subsystems and with the environment), whether they are generated directly by the TBL1+ Application or by events outside the TBL1+ program;
• Identifying the subsystems or elements of the system that may cause these hazards;
• Defining mitigation measures to be applied to eliminate or reduce the criticality of the identified potential hazards and make this level of criticality acceptable.
This analysis is based on the development of a hazard tree, which details the potential accidents applicable to the entire TBL1+ program.
Based on this hazard tree, hazard analysis tables identify the elements that can cause hazards, depending on the circumstances in which they may occur.
The PHA leads to the definition of mitigation measures to be taken to reduce the occurrence of potential hazards, or even to reduce the severity of the consequences of a potential accident, in order to make the risk acceptable.
The safety requirements will be monitored through the Hazard Log.


6.1.1 Hazard Mitigation

After the hazard assessment is completed, hazards can be mitigated by deciding to either assume the risk associated
with the hazard or to eliminate or control the hazard. Mitigation of the risk associated with each hazard to an
acceptable level can be accomplished in a variety of ways.

6.1.2 Management of Mitigation Measures

All hazards and mitigation measures identified during the TBL1 Plus Application Preliminary Hazard Analysis are recorded in the TBL1 Plus Application Hazard Log [TBL1Plus-PHA-R5-Hz_log]: they will be followed up in each subsequent phase of the project.

6.2 Hazard Log

The hazards identified during the TBL1 Plus Application Preliminary Hazard Analysis are logged in the TBL1 Plus Application Hazard Log [TBL1Plus-PHA-R5-Hz_log] and managed according to the safety management process described in the safety plan [TBL1Plus-PHA-R4-SP]. The proposed mitigation measures, their justification, derived requirements, and SRACs are also recorded.

6.2.1 Management of Hazards

All details regarding the Hazard, Cause and mitigation attributes are presented in the Hazard Log management
procedure [TBL1Plus-PHA-R8-hazlog-proc].

6.3 TBL1 Plus Application PHA Analysis Worksheet

The Preliminary Hazard Analysis of the TBL1 Plus Application has been performed and presented in the form of an FMECA table. In accordance with [TBL1Plus-PHA-R9-SA_proc], the Excel file contains the following sheets:

6.3.1 PHA Tabulation

(1) IHA_id: Unique and sequential identification number.

Interface identification
(2) ID: Unique identification number of the analyzed interface according to [TBL1Plus-PHA-R2-SYAD]. See 7.2.6 Interface list, Page 86.
(3) Description: Interface name as per the System Architecture Document [TBL1Plus-PHA-R2-SYAD].
(4) Type: Type of the interface (physical or logical).
(5) Interface_Definition: Precise description of the analyzed interface (according to the [TBL1Plus-PHA-R2-SYAD] definition).
(6) Functional_Variable: Messages expressed as functional variables (according to the SIF: system interface specification).
(7) Stream_of_communication: Direction of communication between the sender and receiver components.
(8) Functional_Variable_Definition: A clear wording of each functional variable, documented from the interface specification documents.
Interface Analysis


(9) Failure_mode: The manner in which the item potentially fails to meet or deliver the intended function and associated requirements.
(10) ID_Cause: Id of the identified cause.
(11) Cause(s): Clear identification of the cause of each failure mode.
(12) Operational consequences on subsystem(s) / LRU(s): Effects of the failure at subsystem level.
(13) Effect on system: Effects of the failure at system (iEVC) level.
(14) Effect on train: Effects of the failure at train level (impact on operation and service).
Hazard related / Initial Risk estimation
(15) Hazard_situation_id: ID of the hazardous scenario from the hazard list.
(16) Initial Gravity: initial gravity estimated in a qualitative/semi-quantitative/quantitative way;
(17) Initial Occurrence: initial occurrence estimated in a qualitative/semi-quantitative/quantitative way;
(18) Initial Risk: initial risk estimation according to [TBL1Plus-PHA-R9-SA_proc].

Note: In case of non-safety related functions, the risk parameters are set to ‘-’, meaning that there is no risk associated with the scenario.

Mitigation measures
(19) Measure ID: Unique and sequential identification number.
(20) Measure Type: Allocation of the measure as follows:
• D: design;
• O: operational;
• M: maintenance;
• P: process;
• ‘-’: not applicable.
(21) Measure description: Detailed description of the mitigation measure.
(22) Measure owner: Responsible for the implementation of the measure:
• iEVC designer
• iEVC Installation Designer
• Maintainer: external to TSC, the vehicle maintainer
• Infrastructure manager
• Operator
• iEVC Safety
• iEVC maintenance: internal to TSC, the maintenance team
(23) General remarks: Additional information on the hazardous event.

Note: Mitigation measures apply only if the risk is NOT acceptable. If no mitigation measure is expected, the columns have to be filled in with "Risk is negligible; no mitigation is assigned".

Note: If the implementation of a mitigation is outside the scope of iEVC, the mitigation is exported.
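The two notes above, together with columns (15) to (22), define consistency rules that every row of the PHA tabulation must satisfy: non-safety rows carry ‘-’ in the risk columns, rows whose initial risk is not acceptable must carry at least one D/O/M/P measure, acceptable rows carry the fixed "Risk is negligible" text, and a measure owned outside the iEVC scope is exported. The following Python is an added worked example (not part of the TBL1 Plus deliverable or of its Excel worksheet) that encodes those rules as a row model and a checker. Two things in it are assumptions: the gravity/occurrence scales and the acceptance rule are a constructed placeholder (the real categories are in Annex A of [TBL1Plus-PHA-R4-SP] and the classification in [TBL1Plus-PHA-R9-SA_proc]), and the internal/external classification of owners other than Maintainer and iEVC maintenance is inferred from their names. The sample rows are constructed.

```python
"""Consistency rules for one row of the PHA tabulation (section 6.3.1).

Added worked example, not part of the TBL1 Plus deliverable.  Column names
follow the tabulation.  ASSUMPTIONS: the gravity/occurrence scales and the
acceptance rule are a constructed placeholder, and the internal/external
split of owners other than Maintainer and iEVC maintenance is inferred.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class MeasureType(Enum):
    """Column (20): allocation of a mitigation measure."""
    DESIGN = "D"
    OPERATIONAL = "O"
    MAINTENANCE = "M"
    PROCESS = "P"
    NOT_APPLICABLE = "-"


# Column (22) owners.  A measure owned outside the iEVC scope is exported
# (second note of 6.3.1).  Only Maintainer (external) and iEVC maintenance
# (internal) are classified by the document; the others are assumed here.
MEASURE_OWNERS = {
    "iEVC designer": "internal",
    "iEVC Installation Designer": "internal",
    "Maintainer": "external",
    "Infrastructure manager": "external",
    "Operator": "external",
    "iEVC Safety": "internal",
    "iEVC maintenance": "internal",
}

# CONSTRUCTED placeholder scales; not the Annex A categories.
GRAVITY = ("insignificant", "marginal", "critical", "catastrophic")
OCCURRENCE = ("improbable", "remote", "occasional", "probable", "frequent")
NO_RISK = "-"  # value of columns (16)-(18) for non-safety related functions
NEGLIGIBLE_TEXT = "Risk is negligible; no mitigation is assigned"


@dataclass
class Measure:
    measure_id: str            # column (19)
    measure_type: MeasureType  # column (20)
    description: str           # column (21)
    owner: str                 # column (22)

    def exported(self) -> bool:
        """True when the owner is outside the iEVC scope, so the measure is exported."""
        return MEASURE_OWNERS.get(self.owner) == "external"


@dataclass
class PhaRow:
    iha_id: int                                # column (1)
    failure_mode: str                          # column (9)
    cause_id: str                              # column (10)
    safety_related: bool                       # decides the '-' rule of the first note
    hazard_situation_id: Optional[str] = None  # column (15)
    initial_gravity: Optional[str] = None      # column (16)
    initial_occurrence: Optional[str] = None   # column (17)
    measures: List[Measure] = field(default_factory=list)


def initial_risk(row: PhaRow) -> str:
    """Column (18): '-' for non-safety rows, otherwise the placeholder classification."""
    if not row.safety_related:
        return NO_RISK
    g = GRAVITY.index(row.initial_gravity)
    o = OCCURRENCE.index(row.initial_occurrence)
    # Placeholder rule (assumption): the upper-right region of the matrix is not acceptable.
    return "not acceptable" if g + o >= 4 else "acceptable"


def check_row(row: PhaRow) -> List[str]:
    """Apply the notes of 6.3.1 to one row; an empty list means the row is consistent."""
    findings = []
    if not row.safety_related:
        if row.initial_gravity not in (None, NO_RISK) or row.initial_occurrence not in (None, NO_RISK):
            findings.append("non-safety row: gravity and occurrence must be '-'")
        if row.measures:
            findings.append("non-safety row: no mitigation measure expected")
        return findings
    if row.initial_gravity not in GRAVITY or row.initial_occurrence not in OCCURRENCE:
        return ["safety row: gravity and occurrence must be estimated"]
    applied = [m for m in row.measures if m.measure_type is not MeasureType.NOT_APPLICABLE]
    risk = initial_risk(row)
    if risk == "not acceptable" and not applied:
        findings.append("risk not acceptable: at least one D/O/M/P measure is required")
    if risk == "acceptable" and applied:
        findings.append(f"risk acceptable: columns must read '{NEGLIGIBLE_TEXT}'")
    for m in row.measures:
        if m.owner not in MEASURE_OWNERS:
            findings.append(f"{m.measure_id}: owner '{m.owner}' is not in the owner list")
    return findings


def mitigation_columns(row: PhaRow) -> list:
    """Columns (19)-(22) plus an 'exported' flag, as the two notes require."""
    if initial_risk(row) != "not acceptable":
        return [("-", "-", NEGLIGIBLE_TEXT, "-", False)]
    return [(m.measure_id, m.measure_type.value, m.description, m.owner, m.exported())
            for m in row.measures]


def example_rows() -> List[PhaRow]:
    """Constructed sample rows (not taken from the real worksheet)."""
    return [
        PhaRow(1, "Crocodile polarity input stuck", "C-001", True, "HZ-001", "critical", "occasional",
               [Measure("MM-001", MeasureType.DESIGN, "Input plausibility check", "iEVC designer"),
                Measure("MM-002", MeasureType.OPERATIONAL, "Driver procedure", "Operator")]),
        PhaRow(2, "Maintenance log entry lost", "C-002", True, "HZ-002", "marginal", "remote"),
        PhaRow(3, "DMI brightness wrong", "C-003", False,
               measures=[Measure("MM-003", MeasureType.DESIGN, "n/a", "iEVC designer")]),
    ]


if __name__ == "__main__":
    for r in example_rows():
        print(r.iha_id, initial_risk(r), check_row(r), mitigation_columns(r))
```

Running the block prints one line per constructed row: the first row is classified not acceptable and its Operator-owned measure is flagged as exported, the second row is acceptable and renders the fixed "Risk is negligible" text, and the third (non-safety) row is reported because a measure was attached to a scenario that carries no risk.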


6.3.2 Causes Tabulation

The Causes tab includes the following items:

(1) Cause(s) ID: A unique ID used across the analysis.
(2) Description: A clear wording of the cause.
(3) Category: Category of the cause:
• Hardware failure
• Random failure
• Human error
• Environment

Note: In case of non-safety related functions, the causes are not included.

6.3.3 M-Mitigation Tabulation

The “M-Mitigation” tab includes the following items:

(1) Measure ID.
(2) Measure type D/O/M/P.
(3) Weight control measure - design of the IEVC components and interfaces shall be reviewed and controlled in accordance with EN / Quality First Article Inspections.
(4) Measure Owner [Maintainer], [Installation Designer], [IEVC Designer].

6.3.4 Risk Matrix Tabulation

The “Risk Matrix” tab includes 4 tables that were extracted from “Annex A CATEGORIES AND RISK ACCEPTANCE CRITERIA” of the iEVC Platform Safety Plan [TBL1Plus-PHA-R4-SP]:
(1) Risk Acceptance Matrix.
(2) Risk Acceptance Categories.
(3) Consequence Severity Categories.
(4) Hazard Frequency Categories.

CHAPTER SEVEN: CONCLUSIONS

xxx
The mitigations identified during the TBL1 Plus Application Preliminary Hazard Analysis are included in Annex D Mitigations.

CHAPTER EIGHT: ANNEX B TBL1 PLUS APPLICATION PRELIMINARY HAZARD ANALYSIS

Attached file

TBL1 Plus Application Preliminary Hazard Analysis [attach]

CHAPTER NINE: ANNEX C CAUSES

The following table summarizes the applicable causes identified during the TBL1 Plus Application Preliminary Hazard Analysis.
The structure of the table is:
• id: unique identification number
• argument: cause description
• mitigation: list of the mitigations required for this cause
• applicable: if false, the cause is not applicable
• justification: (only for non-applicable causes) justification of the non-applicability of the cause

Recap Table

TBL1 Plus Application Preliminary Hazard Analysis Causes [recap table]

Applicable causes identified during TBL1 Plus Application Preliminary Hazard Analysis

Table 9.1: TBL1 Plus Application Preliminary Hazard Analysis Causes

Id | Description | Mitigation | Applicable

CHAPTER TEN: ANNEX D MITIGATIONS

The structure of the table is:

• id: unique identification number
• argument: mitigation description
• allocated_to: ci to which the mitigation is allocated
• exported_to: (only for exported mitigations) responsible for the implementation of the measure

Recap Table

iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation [recap table]

Mitigations identified during the iEVC TBL1 Plus Application Preliminary Hazard Analysis

Table 10.1: iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation

Id | Description | Allocated to
TBL1Plus-PHA-MM-001 | Blalalallalabbaa | TBL1 Plus[ci]

Recap Table

Exported iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation [recap table]

Exported mitigations identified during the iEVC TBL1 Plus Application Preliminary Hazard Analysis

Table 10.2: Exported iEVC TBL1 Plus Application Preliminary Hazard Analysis Mitigation

Id | Description | Allocated to | Exported to
