This paper describes the procedure used to validate a risk acceptance criterion for technical systems in the rail industry proposed by the European Railway Agency (ERA) as an addition to the CSM regulation. The validation was carried out as part of a risk analysis of the standardised Swiss level crossing systems. The risk acceptance was derived from the criterion for the individual MEM (minimum endogenous mortality) risk. Formal Petri net models were used for the quantitative calculation of the risk.
The European Union CSM regulation defines a risk acceptance criterion for technical systems (RAC-TS). The regulation provides for the international recognition of safety-related technical systems for railways where, for every function whose failure can lead directly to catastrophic consequences, the failure rate can be proved to be less than or equal to 10^-9 per operating hour. Catastrophic consequences are defined as “fatalities and/or multiple severe injuries and/or major damage to the environment resulting from an accident”.
In 2013 the European Railway Agency (ERA) published a proposal for an addition to the CSM regulation. This concerns refining the RAC-TS to add further degrees of severity. The following addition is proposed to paragraph 2.5.4 of the annex:
b) For a failure that has a typical credible potential to lead directly to an accident affecting an individual person and resulting in fatality and/or severe injury, the frequency of the failure of the function does not have to be reduced further if it is demonstrated to be less than or equal to 10^-7 failures per operating hour.
These requirements shall be referred to as the harmonised quantitative design targets that shall be used for the design of technical systems.
Following the publication of the proposal for an addition to the CSM regulation, the ERA has called on the railway industry to validate the proposed quantitative value of the permitted failure rates. Based on the statistical data, the level crossing safety systems, among others, could also be included in the group of systems whose failure is expected to have the level of severity defined in paragraph 2.5.4.b. Therefore, the maximum failure rate of 10^-7 per operating hour applies.
In 2010, the Swiss Federal Office of Transport (FOT) defined the safety integrity requirements for the standardised level crossing configurations MIDI, MINI and MICRO (see Section 3) at the level of individual system functions on the basis of a risk analysis, which was carried out in accordance with the CSM regulation using stochastic models based on the formal description method of Petri nets.
These formal stochastic models will now be used to validate the ERA’s proposal. During the validation process, the aim is to investigate whether the safety targets proposed by the ERA for technical systems are sufficient to meet the FOT safety integrity requirements for the MIDI, MINI and MICRO level crossing configurations.
This document has the following structure: Section 2 demonstrates how the acceptable risk to users of level crossings was defined. In Section 3, the standardised level crossing configurations in Switzerland are described from the perspective of their functional and operational conditions. After a brief introduction to the formal description methods used, Section 4 explains the modelling process and the model analysis methods. In Section 5, the results of the model analysis and their significance from the perspective of validating the proposal for an addition to the CSM regulation are discussed.
2 Risk acceptance for users of level crossings
The definition of the safety integrity requirements is based on the acceptance criterion for the individual Minimal Endogenous Mortality (MEM) risk specified in the informative part of the CENELEC standard 50126. Level crossing users (pedestrians, cyclists, motorists etc.) are considered to be the group most affected by the failure of a level crossing system. The risk to other groups, such as rail staff (in particular train drivers) and passengers, is regarded as lower. If sufficient protection is provided for level crossing users, then this also covers the other groups of people affected.
2.1 Accepted individual risk to level crossing users
In the literature, the group of level crossing users is assigned to risk category 2, for which a limit of 10^-4 deaths per person per year is often used in practice for the acceptance of the individual risk. However, because users of level crossings have very little chance of reacting to technical failures of the system, risk category 3, with a limit of 10^-5 deaths per person per year, was selected for the definition of the safety integrity requirements. (As rail passengers fall into the same category, this also covers potential risks to them resulting from a breach of the safety integrity of the level crossing systems.)
On the basis of this categorisation, the general safety requirement can be formulated as follows: “The individual risk of the death of a level crossing user because of a technical failure of the level crossing systems must not exceed 10^-5 deaths per person per year.”
2.3 Permitted frequency of accidents involving level crossing users
Using the stochastic Petri net models developed in 2010, it is possible to calculate the frequency of accidents at level crossings by entering the rates of hazardous failures of the system functions considered and the intensity of road and rail traffic. In order to be able to reach a conclusion about the acceptance of the failure rates, it is therefore necessary to derive the permitted frequency of accidents involving individual level crossing users from the risk acceptance criterion. This frequency is independent of the specific functional or technical form of the level crossing safety systems. It can even be applied to level crossings not equipped with any active safety system.
The general safety requirement RiLC_acc taken from CENELEC standard 50126 relates to a risk exposure duration of one year. However, this does not correspond to the time that an individual person is exposed to the risks of level crossings. The corresponding conversion is based on an estimate of the maximum exposure time during which road users can be exposed to the risks of the technical failure of the level crossings (Table 1).
| Assumptions about behaviour | Value |
|---|---|
| Max. duration of exposure each time a pedestrian passes over a level crossing [s] | 9 |
| Max. duration of exposure each time a road vehicle passes over a level crossing [s] | 6 |
| Max. number of times per day an individual pedestrian passes over a level crossing | 6 |
| Max. number of times per day an individual road vehicle occupant passes over a level crossing | 8 |

| Resulting exposure times | Value |
|---|---|
| Exposure time for pedestrians on level crossings per year [h] | 5.5 |
| Exposure time for road vehicles on level crossings per year [h] | 4.8 |
| Total exposure time on level crossings per year [h] | 10.3 |

Table 1 Assumptions about the behaviour of an individual person exposed to the greatest danger
On the basis of the assumptions made, the maximum exposure time of an individual person to the risks of level crossings is E_maxLC = 10.3 hours per year. This results in the following permitted individual risk per hour and per second of exposure time on the level crossing:
The permitted risk of a fatality for pedestrians and occupants of road vehicles passing over a level crossing can be derived from this:
The two limits have the same order of magnitude, which means that the joint risk acceptance value RiLC_max of 2·10^-9 deaths per person and passage (D/P/passage) can be used for the further analysis of both groups of people.
A statistical evaluation of level crossing accidents in Switzerland shows that not all accidents on level crossings result in fatalities. A fatality factor of 0.3 for accidents involving pedestrians (collision between a train and a person) and of 0.05 for collisions between trains and road vehicles can be calculated on the basis of the data for the last ten years.
The wording of the proposal for an addition to the CSM regulation in paragraph 2.5.4 describes the severity level as “a typical credible potential to lead directly to an accident affecting an individual person and resulting in fatality and/or severe injury”. This corresponds to the typical potential severity level of an accident at a level crossing. In order to be able to validate the proposed value of 10^-7 per hour, the conservative assumption was made that every accident at a level crossing leads to a fatality. Therefore, the following acceptance criterion can be used for the subsequent analyses:
A fatality factor was deliberately not taken into consideration.
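The conversion of this section from the yearly MEM-based limit to a limit per passage, carried through in Python as an added illustration rather than as part of the original paper; the input values are those of Section 2.1 and Table 1, and the function names are chosen here:

```python
import math

# Inputs as given in Section 2.1 and Table 1 of the paper
RI_LC_YEAR = 1e-5            # permitted individual risk, risk category 3 [deaths/person/year]
PED_EXPOSURE_S, PED_PASSAGES_PER_DAY = 9, 6   # pedestrian: seconds per passage, passages per day
VEH_EXPOSURE_S, VEH_PASSAGES_PER_DAY = 6, 8   # road vehicle occupant
FATALITY_FACTOR = 1.0        # the paper's conservative choice: every accident counts as a fatality


def exposure_hours_per_year(seconds_per_passage, passages_per_day, days=365):
    """Yearly time one person spends on level crossings [h] (rows of Table 1)."""
    return seconds_per_passage * passages_per_day * days / 3600.0


def total_exposure_hours():
    """E_maxLC: pedestrian plus road-vehicle exposure; Table 1 rounds the result to 10.3 h."""
    return (exposure_hours_per_year(PED_EXPOSURE_S, PED_PASSAGES_PER_DAY)
            + exposure_hours_per_year(VEH_EXPOSURE_S, VEH_PASSAGES_PER_DAY))


def one_significant_digit(x):
    """2.43e-9 -> 2e-9; used to compare the two per-passage limits by order of magnitude."""
    exp = math.floor(math.log10(abs(x)))
    return round(x / 10 ** exp) * 10.0 ** exp


def per_passage_limits(e_max_lc=10.3, ri_year=RI_LC_YEAR):
    """Convert the yearly limit into limits per hour and per second of exposure and
    then into a limit per passage for each group of level crossing users."""
    per_hour = ri_year / e_max_lc
    per_second = per_hour / 3600.0
    return {
        "per_hour": per_hour,
        "per_second": per_second,
        "pedestrian_per_passage": per_second * PED_EXPOSURE_S,
        "vehicle_per_passage": per_second * VEH_EXPOSURE_S,
    }


def joint_acceptance_value(limits):
    """RiLC_max: a single value for both groups, justified only if the two per-passage
    limits lie in the same decade; the smaller rounded value is the conservative one."""
    ped = one_significant_digit(limits["pedestrian_per_passage"])
    veh = one_significant_digit(limits["vehicle_per_passage"])
    if math.floor(math.log10(ped)) != math.floor(math.log10(veh)):
        raise ValueError("limits differ by an order of magnitude; keep the groups separate")
    return min(ped, veh)


def accident_frequency_limit(ri_lc_max, fatality_factor=FATALITY_FACTOR):
    """Permitted accident frequency per person and passage. Dividing by a fatality
    factor below 1 would relax the limit; the paper deliberately keeps it at 1."""
    return ri_lc_max / fatality_factor


if __name__ == "__main__":
    lim = per_passage_limits()
    ri_max = joint_acceptance_value(lim)
    print(f"E_maxLC from Table 1 inputs: {total_exposure_hours():.2f} h/year")
    print(f"per hour {lim['per_hour']:.2e}, per second {lim['per_second']:.2e}")
    print(f"pedestrian {lim['pedestrian_per_passage']:.2e}, "
          f"vehicle {lim['vehicle_per_passage']:.2e} D/P/passage")
    print(f"RiLC_max = {ri_max:.0e} D/P/passage, "
          f"accident limit = {accident_frequency_limit(ri_max):.0e} per person and passage")
```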
3 Standardised types of level crossings in Switzerland
Equipping level crossings with technical safety systems, referred to below as level crossing systems, is an effective measure to reduce the risk to the users of the level crossing and, in particular, to those users who have no intention of disregarding the warning signals. However, installing level crossing systems is very costly. In order to promote the development of relatively low-cost systems, which would allow more danger points to be equipped using limited funding, the Verband öffentlicher Verkehr (VöV) (the Swiss Public Transport Union) has drawn up functional specifications for three simple, standardised types of level crossings. These are referred to as MIDI, MINI and MICRO (Figure 1).
Table 2 lists the functions of the three level crossing types.
| Function | MIDI | MINI | MICRO |
|---|---|---|---|
| Train protection system and control light or protection signal | x | x | |
| Train clearing recognition | x | x | x |
| Fault display (yellow flashing light) | | | x |
| Hazard recognition of all other functions | | | x |

Table 2 Functions of the standardised level crossing configurations
The individual types of level crossings differ with regard to their operational conditions. Table 3 summarises the main differences in their use, in accordance with the standard. 
| Operational condition | MIDI | MINI | MICRO |
|---|---|---|---|
| Maximum density of road traffic [vehicles/h] | irrelevant | 6 vehicles/h = 8 person equivalents/h | 1.5 vehicles/h = 2 person equivalents/h |
| Visibility for road traffic | irrelevant | irrelevant | adequate |
| Maximum density of rail traffic [trains/h] | 12 | 10 | 10 |
| Maximum speed of trains [km/h] | 160 | 100 | 100 |
| Maximum number of tracks | irrelevant | 1 | 1 |

Table 3 Operational conditions for the MIDI, MINI and MICRO level crossings
One important distinction between the different level crossing types is the presence of the control light or protection signal which brings the train to a stop before it reaches a level crossing with a faulty system. For the MIDI and MINI configurations, the control light for the train driver is a mandatory requirement, while the MICRO configuration has a flashing yellow light that warns road users of a fault with the system. Therefore, in the case of a fault, the responsibility for passing over the level crossing lies with the road user. For this reason, where the MICRO configurations are installed, road users must be able to check that the track is safe to cross. A risk which must be taken into consideration with this configuration is the possibility of a road user misjudging the situation as a train approaches.
Using hazard analyses, the risks involved in the three types of level crossing with their specific functional configuration can be identified. It becomes clear that the failure of individual functions of the systems either leads directly to a hazard at a system level, or could potentially lead to such a hazard (i.e. where a hazard only results from a combination of factors, for example the failure of a second function). In addition to the risks resulting from the failure of an individual system function, the possible risks relating to the staff involved must also be taken into account. These include the possibility of the train driver failing to notice that the control light is not functioning (in the case of the level crossing configurations with this function), which will lead to the train passing through a completely or partially unsecured level crossing. The frequency of this mistake can be significantly reduced by installing a train protection system. As current legislation requires train protection systems to be installed, the probability of a train passing over a level crossing with a non-functioning control light is very low (10^-5 failures per passage).
4 Formal modelling of the level crossings
4.1 Petri nets
The individual risk to level crossing users is calculated on the basis of a formal model created for each of the three types of level crossing. Petri nets are used to produce the models. These are a widely used method of describing stochastic and deterministic dynamic systems. In this case, a class of EDSPN (Extended Deterministic and Stochastic Petri nets) is used with the net elements shown in Figure 2.
An event in a Petri net model can only occur if all of its input places are marked with a token. The state change is untimed (transitions drawn as narrow bars, see Figure 3). Allocating timed (deterministic or stochastic) parameters to the transitions (black or white rectangles) enables the temporal dynamic behaviour of a system to be modelled in addition to the logical behaviour.
To keep models ergonomic and traceable in more complex situations, Petri nets offer the option of developing hierarchical and modular models. The so-called fusion places play a key role in this respect. They mirror existing places and can be used in several parts of the model. Fusion places always carry the tokens of their original places and link the parts of the model (modules or hierarchical refinements) together to form a complete model.
The modelling process is based on knowledge of the operational activities, the dangerous situations, the functions of the systems and the types of functional failures. It allows the resulting risk to level crossing users to be calculated in the form of the frequency of accidents, taking into account the different functions of the system (depending on the type) with their specific failure frequencies and the intensity of the traffic on the road and the railway. In addition, the probability of road users preventing an accident in the event of the failure of one or more functions of the system can be modelled and evaluated by specifying the weighting of the untimed (immediate) transitions (W).
The Petri net tool p-Tool was used to create, verify and analyse the models. This tool was developed by the Braunschweig University of Technology (Institute for Traffic Safety and Automation Engineering) specifically to provide formal support for risk analyses. Figure 4 shows the top level of the model, which consists of seven model parts.
The model parts are as follows:
- Dangerous situations – operational situations which could lead to an accident on the level crossing
- Accidents – types of collisions between road and rail traffic
- Road traffic – traffic on the road, accident prevention and mistakes made by road users (deliberate or negligent disregard of the red light or red flashing lights and passing over the level crossing when the barrier is down were not taken into consideration)
- Rail traffic – train operations including mistakes by train drivers who fail to notice the control light (any deliberate or negligent actions excluded) (Figure 5)
- LC functionality (level crossing functionality) – functions of the system depending on the level crossing configuration (MIDI, MINI, MICRO)
- LC dependability (dependability of the functions of the level crossing system) – types of hazardous failure of the system functions, together with rates of hazardous failures and disclosure of failures
- LC hazards (dependability of the entire level crossing system) – hazardous failures of the entire system depending on the hazardous failures of the system functions and the current operational situation (Figure 6).
The different parts of the model are linked to one another by shared places (fusion places). As an example, Figure 5 shows the model of rail traffic on the level crossing. The model contains, on the one hand, stochastic transitions which model the frequency of the trains (exponentially distributed, with λ corresponding to the frequencies in Table 3) and the time spent on different parts of the track before the danger area (deterministic times) and, on the other hand, untimed transitions which represent the train driver’s possible failure to notice the control light (the probability of a failure to notice the light is 10^-5 per passage over the level crossing because of the technical train protection system).
Figure 6 shows the model of the system dependability for the MINI level crossing configuration. The model contains only immediate transitions which are activated by the fusion places of the other parts of the model. If the entire system is in a hazardous state, this can be caused by the simultaneous failure of the control light and the train recognition system or of the control light and the warning lights for road traffic. Alternatively, the premature opening of the level crossing because of the hazardous failure of the train clearing recognition system can also lead to a hazardous state, if the train has already passed the control light. The hazardous system failure rate of the level crossing is the total of the rates of all four transitions from the LC_SystemSafe place to the LC_SystemHazard place.
The Petri net p-Tool supports the modelling process by means of an animation with manual or automatic activation of the transitions (state change) and of checks for untimed cycles and deadlocks based on calculations of the state space in the form of a reachability graph. This significantly reduces the work involved in verifying and validating the model. The animation of the model dynamics in particular allows technical experts without an in-depth knowledge of Petri nets to take part directly in the validation process.
4.3 Analysing the model
Using a quantitative model analysis, the Petri net p-Tool calculates the rates for all the transitions in the model. For all the places (see section 4.1), the tool calculates the probability of a steady system state occurring (steady state analysis). Two procedures are provided for this purpose:
- A simulation-based analysis which evaluates the models using a Monte Carlo simulation. The models can contain any combination of untimed, deterministic and stochastic (exponential and also other general stochastic) transitions.
- A numerical analysis which transfers the Petri net models into a Markov chain and solves a corresponding system of linear equations. The requirement for this is that the model contains only a combination of untimed and exponential stochastic transitions.
A clear advantage of the numerical analysis is the very rapid calculation of the solution (within a few seconds), which is carried out with almost absolute accuracy. In contrast, a simulation takes several hours to complete and produces results with an error rate of under 10%. The greater the difference between the lowest and the highest rate of events in a model, the longer the calculation time.
By comparing the results of the simulation and the numerical analysis, it is possible to show that when modelling the MIDI, MINI and MICRO configurations, the use of deterministic or general stochastic transitions has no relevant influence on the results. This can be explained by the fact that stochastic processes running in parallel in the model (rail traffic, road traffic and system dependability) have no competitive dynamic dependency on one another. As a result, the mean values of the stochastic transitions play a decisive role for the solution in a steady state (regardless of the stochastic distributions used). For this reason, it is also not expected that the use of more realistic stochastic distributions to model a function’s hazards (instead of the exponential distributions used) would influence the results of the risk analysis. Therefore it is assumed that the numerical analysis can be used as a risk evaluation procedure with no significant loss of accuracy.
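As an added illustration of the numerical analysis just described (this is not the paper's p-Tool model), the following Python code transfers a deliberately small net into a Markov chain and solves the resulting linear system for its steady state exactly. The net assumed here has two functions, a control light and a road-user warning function, each failing hazardously at an assumed rate and being disclosed after a mean time T_d; the entire system counts as hazardous only while both are failed, which is one of the hazard paths described for the LC hazards model part (the premature-opening path is omitted), and the system hazard rate is computed as defined for Figure 6, as the sum of the rates of the transitions from safe to hazardous states.

```python
from fractions import Fraction
from itertools import product

# Toy two-function level crossing submodel (an assumption, not the paper's model):
# state (w, c) with w = road-user warning function, c = control light,
# 1 = undisclosed hazardous failure. Both failed = entire system hazardous.


def build_generator(states, transitions):
    """Generator matrix Q of the CTMC obtained from a net with exponential
    transitions: Q[s][t] is the rate s -> t, the diagonal holds minus the total outflow."""
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    q = [[Fraction(0)] * n for _ in range(n)]
    for s in states:
        for t, rate in transitions(s):
            q[idx[s]][idx[t]] += rate
            q[idx[s]][idx[s]] -= rate
    return q


def steady_state(q):
    """Solve pi * Q = 0 with sum(pi) = 1 exactly in rational arithmetic, i.e. the
    linear system of the numerical analysis. The balance equation of state 0 is
    replaced by the normalisation condition, then Gauss-Jordan elimination."""
    n = len(q)
    rows = [[Fraction(1)] * n + [Fraction(1)]]
    for j in range(1, n):
        rows.append([q[i][j] for i in range(n)] + [Fraction(0)])
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        pv = rows[col][col]
        rows[col] = [v / pv for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


STATES = list(product((0, 1), repeat=2))   # (0,0) safe, (1,1) entire system hazardous
HAZARD = {(1, 1)}


def lc_transitions(lam, mu):
    """Each function fails hazardously at rate lam [1/h] and the failure is disclosed
    (and the function restored) at rate mu = 1 / T_d, independently of the other."""
    def trans(state):
        w, c = state
        return [
            ((1 - w, c), lam if w == 0 else mu),
            ((w, 1 - c), lam if c == 0 else mu),
        ]
    return trans


def analyse(lam, t_d):
    """Steady-state probabilities and the hazardous failure rate of the entire system:
    rates of all transitions from safe states into the hazardous state, each weighted
    by the steady-state probability of its source state."""
    mu = 1 / t_d
    trans = lc_transitions(lam, mu)
    pi = dict(zip(STATES, steady_state(build_generator(STATES, trans))))
    rate = sum(pi[s] * r for s in STATES if s not in HAZARD
               for t, r in trans(s) if t in HAZARD)
    return pi, rate


if __name__ == "__main__":
    lam = Fraction(1, 10**6)   # assumed SIL 2 level hazard rate per function [1/h]
    for t_d in (Fraction(1), Fraction(6), Fraction(8), Fraction(24)):   # disclosure times [h]
        pi, rate = analyse(lam, t_d)
        print(f"T_d = {float(t_d):5.1f} h  P(system hazardous) = {float(pi[(1, 1)]):.3e}"
              f"  system hazard rate = {float(rate):.3e} /h")
```

With independent functions the exact solution has product form, so the test below checks the solver against p = lam / (lam + mu); in this toy the simultaneous-failure rate grows in proportion to T_d, whereas the paper's full models also contain paths that do not depend on the disclosure time.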
5 Results of the risk analysis
5.1 Risk of the failure of the individual functions
Figure 7 shows the results of the model analysis during which the rates of hazardous failures of the individual functions were varied within the range of [0.1, 1·10^-9] per hour. This was based on the assumption that all the system functions have the same hazard rate. The permitted frequency of accidents to an individual person on the level crossing, RiLC_max, which is derived from the MEM risk acceptance criterion, is represented by the red dashed line.
The results of the analysis indicate that an acceptable individual risk for level crossing users can be achieved for the MIDI level crossing configuration if each system function has a hazard rate of at most 1·10^-5 per hour (safety integrity level SIL 1). However, in order to guarantee the acceptable level of individual risk for the MINI and MICRO configurations, the individual functions must have a hazard rate of at most 1·10^-6 per hour (SIL 2).
This difference in the safety requirements can be explained by the different functional structure of the three level crossing configurations. In the MIDI system, the barrier has a functional redundancy with the flashing light, while the MINI, which warns road users with a red light, has no fallback level. The MICRO does not have the control light safety function.
A more thorough analysis of the model shows that the hazardous failure of the train clearing recognition function in the MIDI and MINI level crossing configurations has a decisive impact on the frequency of accidents. A failure of this kind can result in the level crossing safety system being deactivated at an inappropriate time. If the train has already passed the control light at the time of the failure, there is no means for the system to prevent an accident. As a result, for these level crossing configurations, the safety integrity of the train clearing recognition system is decisive for the safety integrity of the entire system.
In the case of the MICRO level crossing configuration, the failure of any individual function is indicated to users of the level crossing by the illumination of the yellow light. This can be regarded as the system preventing an accident from occurring, but it is possible for the level crossing users to misinterpret this behaviour by the system. As a result of the very low road traffic density where this type of level crossing is used, this type of fault indication is adequate from the perspective of individual risk.
The analysis did not look in more detail at the extent to which the hazardous failure rates of the individual system functions differed. It is probable that if the decisive functions were to have a safer design, the safety requirements for the other functions could be reduced.
5.2 Risk of the failure of the entire system
The analysis of the safety integrity of the entire system plays a decisive role in the validation of the ERA proposal for an additional RAC-TS. The submodel “LC Hazards” shows the effects of the failure of the individual functions of the level crossing system on the safety integrity of the entire system. This allows the dependency between the frequency of accidents for an individual person and the hazardous failure rate of the entire system to be investigated. Figure 8 shows the results of an analysis of this kind.
Figure 8 shows that the accident frequency for an individual person rises almost uniformly with the hazardous failure rate of the entire system, with a similar gradient for all the level crossing configurations.
The comparison between Figures 7 and 8 indicates that the specific link between the individual system functions for all level crossing configurations brings an increase in safety. For MIDI and MINI, the hazardous failure rate of the system is lower by around a factor of 10 (11.2 and 13.5) than the failure rate of the individual system functions, while the safety increase for MICRO is only around a factor of 3. This is a result of the lack of opportunity to influence the rail traffic in the event of a fault and of the assumption of much longer hazard disclosure times for the MICRO system (6 hours compared with 1 hour for MIDI and MINI).
The ERA’s proposal for a new RAC-TS relates to the hazardous failure rate of the entire level crossing system. This failure rate does not need to be reduced any further if it is equal to or less than 10^-7 per hour. On the basis of the analysis results from Figure 8, it is clear that the individual risk to level crossing users from the MIDI, MINI and MICRO level crossing configurations under the specified technical and operational conditions is within an acceptable range and that the safety requirements of the proposed new RAC-TS can be regarded as corresponding with current practice.
5.3 Risk of the disclosure time of function hazards
In the event of a hazardous failure of a system function, the time during which this failure remains unnoticed by the operator of the level crossing plays a decisive role. The functional specifications of the MIDI and MINI level crossing configurations indicate that a hazardous function failure will be disclosed within an hour. In contrast, this disclosure period is 6 hours for the MICRO configuration. During the course of a sensitivity analysis these disclosure times were varied.
Using the example of the MINI level crossing configuration, Figure 9 shows the influence of extending the disclosure time for the hazardous function failure on the accident frequency for an individual person and on the hazardous failure rate of the entire system. The figure shows the results for disclosure times of 8 hours, one day, two days and one week. The dashed arrow assigns the value of the hazard rates of all system functions to the value of the hazard rate of the entire system (this can be read on the x axis).
The results of the sensitivity analysis in Figure 9 indicate that extending the disclosure time substantially increases the probability of an individual level crossing user having an accident. In contrast, extending the disclosure time has only a very slight impact on the hazardous failure rate of the entire system within the specified operational conditions. This is due to the fact that (in the case of the MINI level crossing type) individual function failures do not lead to a hazardous system failure (the trains come to a stop before the level crossing and continue at walking pace). Because the model does not exclude the possibility of incorrect action by a road user when a train passes over an unsecured level crossing (assuming 1 in 1000 users has an accident), the risk which cannot be reduced by the system increases as the failure disclosure time becomes longer.
Figure 9 makes it clear that a failure rate for the entire system of 10^-7 per hour (in accordance with the ERA proposal for an additional RAC-TS) will only result in an acceptable level of individual risk for level crossing users in the case of the MINI level crossing configuration if the disclosure time for hazardous function failures does not exceed 8 hours. If the manufacturer or the operator cannot guarantee that this requirement will be met, a lower hazardous failure rate of, for example, 10^-8 per hour (SIL 4) would be required.
A corresponding analysis of the MICRO level crossing configuration leads to the same requirements as the MINI configuration. In the case of the MIDI, the additional function in the form of the barrier creates a redundancy which, even if the disclosure time is longer, still guarantees an acceptable level of individual risk for level crossing users.
The results indicate that the application of the new acceptance criterion described in the ERA proposal to the standardised MIDI, MINI and MICRO level crossing configurations would not lead to an unacceptable level of risk. It is also clear that the RAC-TS would not require the current safety requirements to be made more stringent in relation to existing practice. It is important that the proposed operational conditions, including the maximum disclosure time, are complied with.
The permitted failure rate defined in the RAC-TS criterion of the CSM regulation could be interpreted as only relating to hazardous failures of the technical system (hazards). This implies that a non-hazardous failure of the technical system would not expose people to any risks. As the example of the level crossing system shows, the risks involved in a safe failure for users are often not trivial. If the risk involved in a safe failure state in the technical system is dependent on another less safe system or on organisational measures with a high level of human responsibility, an analysis of the risk to the people whose safety is jeopardised should be carried out. An analysis of this kind that takes into consideration the probability of errors in organisational measures in relation to a safe failure can in some cases lead to more stringent requirements for the safety integrity of the technical system under investigation than are called for by the RAC-TS criterion.
From a methodological perspective, formal modelling with Petri nets provides effective support for the safety analysis with regard to the quantitative evaluation of the risk and represents an alternative to the frequently used fault and event tree method (FTA, ETA). Provided that the complexity of the system under investigation permits the use of Petri nets, they offer particular advantages in applications where different operational, technical and organisational states need to be taken into consideration during the risk analysis.
The Petri net models of the MIDI, MINI and MICRO level crossing systems that have been developed can be used again in the context of the approval and authorisation procedures. In a further research project, it would be interesting to investigate how a type of quantified event tree could be automatically generated from the Petri net, which would strongly support the validation of the quantitative results of the risk analysis. Furthermore, given the linear dependencies observed in the results in Figures 7 and 8, it should also be possible to find an analytic or approximate solution to the model.
This paper was originally published by the conference FORMS/FORMAT 2014 in Braunschweig, Germany. 
 COMMISSION IMPLEMENTING REGULATION (EU) No 402/2013 of 30 April 2013 on the common safety method for risk evaluation and assessment and repealing Regulation (EC) No 352/2009 (Source: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2013.121.01.0008.01.ENG)
 Information note about ERA’s plan for the way forward for the DEVELOPMENT OF EXPLICIT HARMONISED RISK ACCEPTANCE CRITERIA FOR FAILURES OF FUNCTIONS OF TECHNICAL SYSTEMS, http://www.era.europa.eu/Document-Register/Pages/RAC-note-1-2013.aspx
 MIDI, MINI, MICRO: Risk analysis and definition of the safety integrity requirements (in German), Internal FOT report, 2010
 EN 50126: Railway applications. The specification and demonstration of reliability, availability, maintainability and safety (RAMS), 1999
 Merz, H., Schneider, T., Bohnenblust, H.: Evaluating technical risks (in German). Verlag der Fachvereine Zürich 1995
 Method of evaluating the individual risk to passengers and employees (in German). FOT instructions 2014, http://www.bav.admin.ch/grundlagen/03514/03589/03593/index.html?lang=de
 R RTE 25931 (SN 671 512) Basic level crossing documentation, technical railway regulations RTE (in German). Swiss Public Transport Union (VöV) 2012
 Implementing provisions to the Railways ordinance (AB-EBV) (in German). Federal Office of Transport, Bern 2013
 IEC 62551 ed1.0: Analysis techniques for dependability – Petri net techniques. IEC 2012
 Website for p-Tool: http://www.iqst.de/?page_id=24
EN 50129: Railway applications. Communication, signalling and processing systems. Safety related electronic systems for signalling, 2003
 Slovak, R., Meuli, H.: Petri Net-Based Validation of New Safety Requirements of the CSM Regulation in relation to Standardised Level Crossings in Switzerland. In Schnieder, E., Tarnai, G. (eds.): 10th Symposium on Formal Methods for Automation and Safety in Railways and Automotive Systems. Institute for Traffic Safety and Automation Engineering, Technical University of Braunschweig, 2014
Roman Slovak, Hannes Meuli
Federal Office of Transport, Switzerland