Functional Safety of Railway Systems

Marika Arena, Federica Foiadelli
Politecnico di Milano
Milano, Italy

Giuseppe Acquaro, Maurizio Gentile
Rete Ferroviaria Italiana
Roma, Italy

Abstract—The paper presents an overview of the common regulatory framework for railway safety. Safety levels in the Community railway system are generally high, in particular compared to road transport. However, it is necessary to at the very least maintain safety during the liberalization process and, in line with technical and scientific progress, to further improve it, when reasonably practicable, taking into account the competitiveness of the rail transport mode. The paper will analyze the requirements present in the common standards and will propose a guide to choose the best method for the risk evaluation.

Keywords—railway systems; safety; risk; technical rules

I. INTRODUCTION

Transport is a key factor in modern economies. But there is a permanent contradiction between society, which demands ever more mobility, and public opinion, which is becoming increasingly intolerant of chronic delays and the poor quality of some transport services. As demand for transport keeps increasing, the Community's answer cannot be just to build new infrastructure and open up markets. The transport system needs to be optimized to meet the demands of enlargement and sustainable development, and therefore a new regulatory framework is necessary [1].

A modern transport system must be sustainable from an economic and social as well as an environmental viewpoint.

Plans for the future of the transport sector must take account of its economic importance. Total expenditure runs to some 1 000 billion euros, which is more than 10% of gross domestic product. The sector employs more than ten million people. It involves infrastructure and technologies whose cost to society is such that there must be no errors of judgment. Indeed, it is because of the scale of investment in transport and its determining role in economic growth that the authors of the Treaty of Rome made provision for a common transport policy with its own specific rules.

A result of this policy was to develop the most modern techniques within a European framework of interoperability. Projects launched at the end of the 1980s are now bearing fruit, as symbolized by the trans-European high-speed rail network.

However, modern techniques and infrastructure have to be matched by modernization of company management, particularly in the railway field.

The first regulatory action was the Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004, also called the Railway Safety Directive [2].

This directive assumes that safety levels in the Community rail system are higher than in road transport. The liberalization process has to increase the competitiveness of the railway sector, but it must not affect its safety. On the contrary, thanks to the improvement of technological solutions, the effort has to be directed towards increasing it.

However, it is necessary to at the very least maintain safety during the liberalization process and, in line with technical and scientific progress, to further improve it, when reasonably practicable, taking into account the competitiveness of the rail transport mode.

Requirements on safety were established by imposing common technical standards (technical specifications for interoperability (TSIs)) and common methods (common safety methods (CSMs)).

At the same time performance indices (common safety indicators (CSIs)) were introduced, together with common safety objectives (common safety targets (CSTs)).

This standardization was intended to provide tools for assessing the safety level and the performance of the operators at Community level as well as in the Member States.

All those operating the railway system, infrastructure managers and railway undertakings, should bear the full responsibility for the safety of the system, each for their own part. Every infrastructure manager has a key responsibility for the safe design, maintenance and operation of its rail network. Therefore, in carrying out their duties and fulfilling their responsibilities, infrastructure managers and railway undertakings should implement a safety management system (according to the requirements and criteria in Commission Regulation (EU) No 1169/2010 of 10 December 2010), fulfilling Community requirements and containing common elements. Information on safety and on the implementation of the safety management system should be submitted to the safety authority in the Member State concerned.

In this context, the safety certificate should give evidence that the railway undertaking has established its safety management system and is able to comply with the relevant safety standards and rules.
In the case of railway safety, the safety management system can be defined as that part of the business system that allows the identification and minimization of the risks associated with failing to satisfy its customers, through a proper management of resources, rules and the organization itself. Attention is given to functional safety, that is, the part of safety that depends upon the functions of a system in normal operation, in response to external stimuli and under failure modes. In fact, unlike the general concept of safety, which is freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment, functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs [3]. As stated in [4], it looks at aspects of safety that relate to the function of a device or system and ensures that it works correctly in response to the commands it receives. In a systemic approach functional safety identifies potentially dangerous conditions, situations or events that could result in an accident that could harm somebody or destroy something. It enables corrective or preventive actions to avoid or reduce the impact of an accident. Therefore, functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising, or providing mitigation to reduce the consequences of the hazardous event. The IEC 61508 series are the International Standards for electrical, electronic and programmable electronic safety-related systems [5].

The complexity of the subject is due to the intricacy of the system and the lack of standardization. This is even more true for innovative transportation systems such as urban and suburban systems [6]-[8].

This paper aims to illustrate the main criteria and methods for controlling the risks involved in the current regulatory framework for the railway sector.

II. RISKS EVALUATION

Based on the rules mentioned above, each infrastructure manager and railway undertaking shall be made responsible for its part of the system and its safe operation, including the supply of material and the contracting of services, vis-à-vis users, customers, the workers concerned and third parties.

The main requirements for a correct approach to risk evaluation in the railway field are described in the common methods for the management of changes. It is important to take into account what was said above regarding the high safety levels in the Community rail system, in particular compared to road transport. Therefore the focus is on controlling the change processes.

The most important technical rules for this sector are the Commission Implementing Regulation (EU) No 402/2013 of 30 April 2013, the CENELEC - CEI EN 50126/2000 and its guide to application CEI CLC/TR 50126-2 of 2007 [10]-[11]. Moreover there is Directive 2008/57/EC on the interoperability of the rail system within the Community, which repealed Directives 96/48/EC and 2001/16/EC from 19 July 2010.

The paper will present the main contents of these rules, trying to give an overview of the main safety aspects.

III. CHANGES MANAGEMENT PROCESS

The Commission Regulation (EU) No 402/2013 of 30 April 2013 describes a common safety method for risk evaluation and assessment [9]. This Regulation shall apply to the proposer (the company or organization in charge of implementing the change) when making any change to the railway system in a Member State. Such changes may be of a technical, operational or organizational nature. To decide whether or not a change is significant for safety in a Member State, the proposer should initially consider the potential impact of the change in question on the safety of the railway system. If the proposed change has an impact on safety, the proposer should assess, by expert judgement, the significance of the change based on a set of criteria, such as:

- failure consequence: credible worst-case scenario in the event of failure of the system under assessment, taking into account the existence of safety barriers outside the system under assessment;
- novelty used in implementing the change: this concerns both what is innovative in the railway sector, and what is new for the organization implementing the change;
- complexity of the change;
- monitoring: the inability to monitor the implemented change throughout the system life-cycle and intervene appropriately;
- reversibility: the inability to revert to the system before the change;
- additionality: assessment of the significance of the change taking into account all recent safety-related changes to the system under assessment which were not judged to be significant.

The evaluation allows one to understand whether or not a change is significant. When a change is significant, the method described in the Procedure shall be applied and the risk acceptability of the system under assessment shall be evaluated by using one or more of the following risk acceptance principles:
(a) the application of codes of practice;
(b) a comparison with similar systems;
(c) an explicit risk estimation.

In the method, risk estimation means the process used to produce a measure of the level of the risks being analysed, consisting of the following steps:
- hazard identification;
- estimation of frequency;
- consequence analysis;
- integration of the previous factors;
- verification of the acceptability of the level of a risk, meaning that it is not necessary to take any immediate action to reduce it further.

The hazard identification shall be carried out after the system definition, which shall address at least the following issues:
(a) system objective (intended purpose);
(b) system functions and elements, where relevant (including human, technical and operational elements);
(c) system boundary including other interacting systems;
(d) physical (interacting systems) and functional (functional input and output) interfaces;
(e) system environment (for example energy and thermal flow, shocks, vibrations, electromagnetic interference, operational use);
(f) existing safety measures and, after the necessary relevant iterations, definition of the safety requirements identified by the risk assessment process;
(g) assumptions that determine the limits for the risk assessment.

The risk management shall also check that the safety measures that make the risk(s) of the system under assessment acceptable are adequately applied.

The safety measures are a set of actions either reducing the frequency of occurrence of a hazard or mitigating its consequences in order to achieve and/or maintain an acceptable level of risk.

IV. INFRASTRUCTURAL CHANGES

The Italian law D.Lgs 191/2010 sets out to establish the conditions to be met to achieve interoperability within the Community rail system. These conditions concern the design, construction, placing in service, upgrading, renewal, operation and maintenance of the parts of this system as well as the professional qualifications and health and safety conditions of the staff who contribute to its operation and maintenance.

Therefore, the concept of interoperability covers both tangible objects and intangible objects such as software. This law defines as 'interoperability constituents' any elementary component, group of components, subassembly or complete assembly of equipment incorporated or intended to be incorporated into a subsystem, upon which the interoperability of the rail system depends directly or indirectly.

A TSI sets all the conditions with which an interoperability constituent must conform, and the procedure to be followed in assessing conformity. In addition, it is necessary to specify that every constituent must undergo the procedure for assessing conformity and suitability for use indicated in the TSIs, and have the corresponding certificate.

It is important to distinguish the changes on the infrastructure, at least:
- upgrading, which means any major modification work on a subsystem or part of a subsystem which improves the overall performance of the subsystem;
- renewal, which means any major substitution work on a subsystem or part of a subsystem which does not change the overall performance of the subsystem.

The interoperability constituents comply with the essential requirements if they obtain the EC declarations of conformity or suitability for use. The structural subsystems, on which the railway systems are based, can be considered interoperable and compliant with the essential requirements when they have the EC declaration.

The general safety essential requirements concern safety, reliability and availability, health, environmental protection and technical compatibility.

The evaluation is performed by the notified bodies, which are responsible for assessing the conformity or suitability for use of the interoperability constituents or for appraising the 'EC' procedure for verification of the subsystems.

Therefore the EC declaration of conformity or suitability for use is necessary and sufficient to demonstrate compliance with what is imposed by the law regarding the interoperability principles.

Finally, it is important to underline that D.Lgs 162/2007 requires the railway infrastructure manager to open to the public a new or renovated railway line, or a line with new structural subsystems, only after having obtained all the certifications, homologations and authorizations required by the directives; the EC declaration is considered a homologation document and is therefore necessary.

The significant changes can be performed only after having obtained the commissioning authorization released by the national Authority.

Figure 1 depicts a flowchart of the changes management process with reference to the two rules described above.

Fig. 1. Flowchart of the changes management process

A. Code of Practice

Code of practice means a written set of rules that, when correctly applied, can be used to control one or more specific hazards.

Analyzing the contemporary regulatory context, it is possible to consider as codes of practice:
- Technical specifications for interoperability (TSIs)
- National rules notified

If the risk for a particular hazard cannot be made acceptable by the application of codes of practice, additional safety measures shall be identified by applying one of the two other risk acceptance principles.

B. Use of Reference System

Based on this criterion, it is necessary to analyze whether one, several or all hazards are appropriately covered by a similar system that could be taken as a reference system.

A reference system shall satisfy at least the following requirements:
(a) it has already been proven in use to have an acceptable safety level;
(b) it has similar functions and interfaces as the system under assessment;
(c) it is used under similar operational conditions as the system under assessment;
(d) it is used under similar environmental conditions as the system under assessment.

If a reference system fulfils the requirements, then for the system under assessment the safety requirements for the hazards covered by the reference system may be derived from the safety analyses or from an evaluation of the safety records of the reference system.

If at least the same safety level as the reference system cannot be demonstrated, additional safety measures shall be identified for the deviations, applying the explicit risk estimation.

C. Explicit Risk Estimation

When the explicit risk estimation is requested, a deeper analysis is necessary using quantitative or semi-quantitative approaches, according to EN 50126:2000 Railway applications and CEI CLC/TR 50126-2 of 2007-06 "Parte 2: Guide to the application of EN 50126-1 for safety".

The required method should be selected carefully to provide the degree of risk assessment required for the operations being considered. Qualitative ranking schemes for frequency and consequence may be appropriate as a first pass at assessing risk or for assessing risk in simple cases. Generally, a qualitative ranking approach would not be adequate in a risk assessment and a more explicit method is necessary.

All the methods for risk evaluation are affected by uncertainties and their results have to be used only as input data for the decisional process. Therefore the risk evaluation process has to be considered as a procedure that helps to strongly reduce the degree of uncertainty. These methods have to be applied appropriately and they can be combined depending on the hazard and functional failure typologies and on the degree of uncertainty in the input data.

The risk estimation process consists in the estimation of:
- the frequency of occurrence of the hazard;
- the evaluation of the consequences;
- the combination of these factors.

Referring to the consequences, the European regulations define the Fatalities and Weighted Serious Injuries (FWSI) index as a measure of fatalities. Based on this definition, a severe injury corresponds to 0.1 FWSI. The technical regulation has not fixed a specific value for minor injuries, but the literature sets a minor injury equal to 0.01 FWSI.

Similarly, starting from the definition of "significant accident" reported in Commission Directive 2014/88/EU, it is possible to quantify also the equivalent economic damage expressed in FWSI [14]. In fact it is reasonable to set equal to 0.1 FWSI a significant damage to stock, track, other installations or environment, which the regulation fixes at EUR 150 000.

Based on these definitions, the qualitative classification table (CEI EN 50126:2000) of the typical hazard severity levels and the consequences associated with each severity level can be quantified. Table I reports the possible severity values G associated with each severity level.

Table I – Hazard Severity Level

Severity Level | FWSI | Consequences to persons or environment
Catastrophic | G > 1 | Fatalities and/or multiple severe injuries and/or major damage to the environment.
Critical | 0.1 <= G <= 1 | Single fatality and/or severe injury and/or significant damage to the environment.
Marginal | 0.01 < G < 0.1 | More than one minor injury and less than one severe injury and/or significant threat to the environment.
Insignificant | G <= 0.01 | One or less minor injury.

D. Semi-quantitative Approach

When data are available or a good degree of judgment can be applied to estimate the frequency and consequences of each hazard, a greater level of accuracy and consistency in the risk estimation can be obtained by using a semi-quantitative risk ranking approach.

Risk evaluation shall be performed by combining the frequency of occurrence of a hazardous event (number of hazards per year) with the severity of its consequence (damages to persons and environment) to establish the level of risk generated by the hazardous event.

Figure 2 provides, in qualitative terms, typical categories of probability or frequency of occurrence of a hazardous event and a description of each category for a railway system.

The categories, their numbers and their numerical scaling to be applied shall be defined by the Railway Authority, appropriate to the application under consideration. An example of a frequency ranking scheme derived from CEI CLC/TR 50126-2 is reported in Figure 3.

Fig. 3. Example of frequency ranking scheme - CEI CLC/TR 50126-2

Using the data available in the database, the frequency of occurrence of each hazardous event can be calculated as the mean value of the number of events that occurred in the last eight years, starting from the year before the observation period. Once F and G are estimated, the frequency-consequence matrix reported in Figure 4 allows the identification of the risk level associated with the hazardous event considered.

Fig. 4. Frequency-consequence matrix

Class of frequency F (event/year) | Insignificant (G <= 0.01) | Marginal (0.01 < G < 0.1) | Critical (0.1 <= G <= 1) | Catastrophic (G > 1)
Frequent (F >= 4) | Undesirable | Intolerable | Intolerable | Intolerable
Probable (0.8 <= F < 4) | Tolerable | Undesirable | Intolerable | Intolerable
Occasional (0.143 <= F < 0.8) | Tolerable | Undesirable | Undesirable | Undesirable
Remote (0.029 <= F < 0.143) | Negligible | Tolerable | Undesirable | Undesirable
Improbable (0.006 <= F < 0.029) | Negligible | Negligible | Tolerable | Tolerable
Incredible (F < 0.006) | Negligible | Negligible | Negligible | Negligible

The table reported in Figure 5 defines qualitative categories of risk and the actions to be applied against each category.

Fig. 5. Frequency-consequence matrix
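The semi-quantitative ranking of this section, worked through end to end as an added example (this is not code from the paper or from its authors): each recorded incident is converted to FWSI with the weights the paper quotes (1 per fatality, 0.1 per severe injury, 0.01 per minor injury, and 0.1 for damage at or above EUR 150 000), the severity level comes from Table I, the frequency F is the mean yearly count over the eight years before the observation year, the frequency class follows the bands of Figure 4, and the risk level is read from the matrix. The incident records, the choice of the worst recorded consequence as G, and the history_supported flag (an eight-year record cannot substantiate the Improbable or Incredible classes, which the quantitative approach section says need a long-term database) are assumptions of this example, not prescriptions of the paper.

```python
"""Semi-quantitative risk ranking of one railway hazard (added example)."""
from dataclasses import dataclass
from statistics import mean

# FWSI weights quoted in the paper: fatality 1, severe injury 0.1, minor
# injury 0.01 (literature value), and a "significant accident" damage of
# EUR 150 000 or more (Directive 2014/88/EU) set equal to 0.1 FWSI.
FATALITY_FWSI = 1.0
SEVERE_INJURY_FWSI = 0.1
MINOR_INJURY_FWSI = 0.01
SIGNIFICANT_DAMAGE_EUR = 150_000
SIGNIFICANT_DAMAGE_FWSI = 0.1

OBSERVATION_WINDOW_YEARS = 8  # "the last eight years" of the database

SEVERITY_COLUMNS = ("Insignificant", "Marginal", "Critical", "Catastrophic")

# Fig. 4 transcribed from the paper: rows by frequency class, columns in the
# order of SEVERITY_COLUMNS.
RISK_MATRIX = {
    "Frequent":   ("Undesirable", "Intolerable", "Intolerable", "Intolerable"),
    "Probable":   ("Tolerable",   "Undesirable", "Intolerable", "Intolerable"),
    "Occasional": ("Tolerable",   "Undesirable", "Undesirable", "Undesirable"),
    "Remote":     ("Negligible",  "Tolerable",   "Undesirable", "Undesirable"),
    "Improbable": ("Negligible",  "Negligible",  "Tolerable",   "Tolerable"),
    "Incredible": ("Negligible",  "Negligible",  "Negligible",  "Negligible"),
}


@dataclass
class Incident:
    """One recorded occurrence of the hazardous event (constructed record format)."""
    year: int
    fatalities: int = 0
    severe_injuries: int = 0
    minor_injuries: int = 0
    damage_eur: float = 0.0


def incident_fwsi(inc: Incident) -> float:
    """Consequence G of a single incident, expressed in FWSI."""
    g = (inc.fatalities * FATALITY_FWSI
         + inc.severe_injuries * SEVERE_INJURY_FWSI
         + inc.minor_injuries * MINOR_INJURY_FWSI)
    if inc.damage_eur >= SIGNIFICANT_DAMAGE_EUR:
        g += SIGNIFICANT_DAMAGE_FWSI
    return g


def severity_level(g: float) -> str:
    """Table I: severity level for a consequence G in FWSI."""
    if g > 1:
        return "Catastrophic"
    if g >= 0.1:
        return "Critical"
    if g > 0.01:
        return "Marginal"
    return "Insignificant"


def frequency_class(f: float) -> str:
    """Fig. 3 / Fig. 4 bands: class of frequency for F in events per year."""
    if f >= 4:
        return "Frequent"
    if f >= 0.8:
        return "Probable"
    if f >= 0.143:
        return "Occasional"
    if f >= 0.029:
        return "Remote"
    if f >= 0.006:
        return "Improbable"
    return "Incredible"


def risk_level(f: float, g: float) -> str:
    """Read the Fig. 4 matrix for the given frequency and consequence."""
    return RISK_MATRIX[frequency_class(f)][SEVERITY_COLUMNS.index(severity_level(g))]


def yearly_frequency(incidents, observation_year: int) -> float:
    """F = mean number of events per year over the eight years before observation_year.
    Years without a recorded event count as zero, so an empty record gives F = 0."""
    first_year = observation_year - OBSERVATION_WINDOW_YEARS
    counts = {year: 0 for year in range(first_year, observation_year)}
    for inc in incidents:
        if inc.year in counts:
            counts[inc.year] += 1
    return mean(counts.values())


def assess_hazard(incidents, observation_year: int) -> dict:
    """Rank one hazard. G is taken as the worst recorded consequence in the window
    (this example's assumption). history_supported is False when the eight-year
    record yields Improbable or Incredible, a class the paper says needs a
    long-term database and a quantitative method instead."""
    first_year = observation_year - OBSERVATION_WINDOW_YEARS
    window = [i for i in incidents if first_year <= i.year < observation_year]
    f = yearly_frequency(window, observation_year)
    g = max((incident_fwsi(i) for i in window), default=0.0)
    fc = frequency_class(f)
    return {"F": f, "G": g, "frequency_class": fc,
            "severity_level": severity_level(g), "risk_level": risk_level(f, g),
            "history_supported": fc not in ("Improbable", "Incredible")}


# Constructed incident record for one hazardous event, observation year 2016.
SAMPLE_INCIDENTS = [
    Incident(2007, fatalities=1),                            # before the window, ignored
    Incident(2009, minor_injuries=1),
    Incident(2011, minor_injuries=2),
    Incident(2012, severe_injuries=1),
    Incident(2014, minor_injuries=1, damage_eur=200_000.0),  # 0.01 + 0.1 FWSI
    Incident(2015, minor_injuries=1),
]

if __name__ == "__main__":
    for key, value in assess_hazard(SAMPLE_INCIDENTS, 2016).items():
        print(f"{key}: {value}")
```

Run the file directly to rank the constructed record: five events in the 2008-2015 window give F = 0.625 (Occasional), the worst consequence is 0.11 FWSI (Critical), and the matrix places the hazard in the Undesirable area. A hazard with no event in the window comes out as Incredible with history_supported cleared, which is the situation the quantitative approach section warns is easy to underestimate.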

Fig. 2. Example of frequency ranking scheme - CEI CLC/TR 50126-2

E. Quantitative Approach

The semi-quantitative method presents limits concerning the uncertainty. The first problem is that, referring to the frequency, it is possible to estimate only events that are at least remote, since no more historical data are available. Improbable or incredible values need the existence of a long-term database, since an improbable event happens every 100 years and an incredible event every 500 years.

Great care has to be given to those events that can be classified as improbable or incredible due to the available information, leading to the underestimation of events with potentially serious consequences. In these cases quantitative approaches are suggested.

The cases in which the semi-quantitative approaches cannot be considered as absolute are:
- the evaluation process identifies hazards with fatalities and/or multiple severe injuries;
- the risk evaluation denotes that the individual risk for one or more risk categories can fall in the intolerable area;
- there is a significant contribution to the collective risk and there is a degree of uncertainty in the frequency estimation.

These cases require a deeper analysis using more suitable methodologies chosen and applied by qualified personnel. The technical regulation suggests implementing one of the following methods of quantitative evaluation: ALARP, GAMAP/GAMA, MEM, FMEA/FMECA, FTA.

V. GUIDELINES FOR THE CHOICE OF THE METHOD

After a deep analysis of the constraints set in the regulations and the positive and negative aspects of each method, a guideline is presented. Table II shows how to choose the best risk evaluation method, taking into account the presence of the event in the historical database and its impact.

Table II – Hazard Severity Level

Hazard | G < 0.1 FWSI | 0.1 FWSI <= G <= 1 FWSI | G > 1 FWSI
Monitored hazards that are classified as frequent or probable | A | A | A
Monitored hazards that are classified as occasional or remote | A | A | B
Unmonitored hazards, or monitored hazards that cannot be classified as frequent, probable, occasional or remote but that have to be considered because of their potential catastrophic consequence (unseen frequency) | C | B | B

The cases marked with the letter "A" present the possibility of maintaining the reference to the historical data recorded in the database. Therefore the criteria based on the acceptability matrix described above can be applied.

The cases marked with the letter "B" require a deeper analysis using methods of quantitative evaluation, such as ALARP, GAMAP/GAMA, MEM, FMEA/FMECA, FTA.

In the cases marked with the letter "C" it is possible to use the code of practice and reference system criteria defined in Regulation (EU) 402/2013 and described in the previous paragraph. When these criteria show that the risk can be considered acceptable, no deeper analysis is necessary. When these criteria do not confirm the acceptability of the risk, it is necessary to refer to case "B".

VI. CONCLUSIONS

The paper presented an overview of the common regulatory framework for railway safety. The liberalization process of the railway transportation system was meant to find common standards without affecting the safety level. On the contrary, it is necessary to at the very least maintain safety and, in line with technical and scientific progress, to further improve it, when reasonably practicable, taking into account the competitiveness of the rail transport mode.

The paper analyzed the indications given in the common standards regarding risk evaluation and safety management in order to underline the most important warnings and limits. The different methods that can be adopted were described, highlighting the assessment of the adequacy of the methods. Finally, guidelines for the choice of the right method, considering the regulatory constraints, have been proposed.

REFERENCES

[1] White Paper: European transport policy for 2010: time to decide, COM(2001) 370, European Commission, Brussels, 12/09/2001.
[2] Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004.
[3] www.iec.ch/functionalsafety
[4] International Electrotechnical Commission, "Functional Safety - Essential to overall safety, An Introduction to Functional Safety and the IEC 61508 series", IEC, Geneva, Switzerland, 2015.
[5] IEC 61508:2010 Commented version. Functional safety of electrical/electronic/programmable electronic safety-related systems.
[6] G. Malavasi, "Obiettivi di sicurezza per i sistemi di trasporto innovativi", 6° Convegno Nazionale Sistema Tram, Ministero delle infrastrutture e dei trasporti, Roma, 19-20 March 2015.
[7] M. G. Marzoni, "La sicurezza nel sistema ferroviario", 6° Convegno Nazionale Sistema Tram, Ministero delle infrastrutture e dei trasporti, Roma, 19-20 March 2015.
[8] E. Molinaro, "Nuovi orientamenti per la sicurezza", 6° Convegno Nazionale Sistema Tram, Ministero delle infrastrutture e dei trasporti, Roma, 19-20 March 2015.
[9] Commission Regulation (EU) No 402/2013 of 30 April 2013.
[10] EN 50126:2000 Railway applications. The specification and demonstration of reliability, availability, maintainability and safety (RAMS). Basic requirements and generic process.
[11] CEI CLC/TR 50126-2 of 2007-06 "Parte 2: Guide to the application of EN 50126-1 for safety".
[12] Railway Safety (2002), Guidance on the Preparation of Risk Assessments within Railway Safety Cases.
[13] ERA (2014), Railway safety performance in the European Union.
[14] Commission Directive 2014/88/EU of 9 July 2014.
