TSC Ievc Doc Rams Pha V3.2

iEVC Preliminary Hazard Analysis
ID: tsc_ievc_doc_rams_pha
Version: V3.2
Status: Published
Author: Marianne Roussel
Date: 14/12/2022
Review: !1108
Authorized by: Alexandre Betis
Configuration Management
Commit: d9b20221
Document signature
381783a7f0b45c8b0c2df11e1a7cc16cb71b2b7d
CONTENTS
1 Revision history [artifact history] 3
2 Introduction 4
2.1 Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4 Applicable documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.5 Reference documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.6 Terms and definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.7 Artifacts definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Management of the PHA 6

3.1 Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2 Revision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.3 Filing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4 Scope of the PHA 7
5 Limitations of the PHA 8
6 System Description 9
7 Hazard Analysis Methodology 11

7.1 Hazard Identification List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.2 Preliminary Hazard Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8 Conclusions 15
9 Annex A Causes 39
10 Annex B Preliminary hazard analysis (PHA) 79
2 of 79 CONTENTS
CHAPTER
ONE
REVISION HISTORY [ARTIFACT HISTORY]
This artifact version is: V3.2
This artifact signature: 381783a7f0b45c8b0c2df11e1a7cc16cb71b2b7d
Name Description Date Author Signature MR

Integration of comments and observations 074f1339e8b228ad04045
V1 30/04/2021 Dario Alasia !435
from VER, VAL, quality engineer 0dae45b6311af6e7e7c
Address comments from TUV technical note 7754f1914ffe81ec13f41
V2 22/06/2021 Dario Alasia !495
TRRC-T21-1983 2b3b9d9c3cfb23b8bf4
Housekeeping change: migration to TSC adc07e2cb99c745f903b3
V2.1 13/08/2021 Amina Zitouni !523
format. No change to content. 9a82b95b72271538bba
"Housekeeping change: remove incorrect
dependency to legacy safety plan in PDF for- 06e5cecad3264f1e430f2
V2.2 01/02/2022 Amina Zitouni !644
mat, now that plan is fully in Sphinx. No f6b457b6c1ee9c2c49d
change to content."
Complete revision of the document in rela-
tion to the current situation. New scope (pre-
Marianne Rous- 6950487a45200f4717643
V3 vious was limited to GDSC) New organiza- 03/03/2022 !744
sel 61806309220c16dac1a
tion (teams) New strategy (kits) Reception of
ISA comments
Update of mitigation status, update recap ta- Marianne Rous- 3687067700147afc6cf42
V3.1 08/06/2022 !890
ble formula sel dea093697a1af1762fe
Marianne Rous- 381783a7f0b45c8b0c2df
V3.2 House keeping change (see issue 4520) 14/12/2022 !1108
sel 11e1a7cc16cb71b2b7d
1. Revision history [artifact history] 3 of 79

CHAPTER
TWO
INTRODUCTION
2.1 Context
The IEVC project consists into developing an ETCS on-board inter-operable constituent (IC). This project also
covers tools developed around this IC.
The present document constitutes the main deliverable of CENELEC phase 3 (“Risk analysis and evaluation”). It
describes (i) how the risk assessment (risk analysis and risk evaluation) is undertaken during the earlier stages of
the iEVC project and (ii) how hazards are tracked, managed and closed through a specific hazard log.
2.2 Purpose
This documents describes the generation and the basic approach of a first accident list generation (high-level
hazards), its extension to a preliminary hazard analysis (PHA) and their inclusion into an agile structure of hazard
log (HazLog).
The present deliverable responds to the following objectives:
1. to identify hazards derived from possible system errors and faulty states in main operative conditions;
2. to assess the resulting risk level derived from identified hazards (risk qualifying);
3. to identify mitigation measures for each identified hazard;
4. to evaluate resulting safety level (residual risk) after implementation of the measures;
5. to identify Safety Related Application Conditions (operational procedures to be applied in normal or de-
graded conditions, respectively operational maintenance activities);
The safety assessment of the iEVC ETCS system consists in identification of hazards that can be induced by
failures of the system. The identified hazards are then analyzed, and the risks associated with these hazards
evaluated. Finally, all the information concerning safety management activities, hazards identification, decisions
undertaken and solutions adopted is recorded in a HazLog (Hazard Log) table.
2.3 Contents
The document is structured as follows:

• Introduction;
• Management of the PHA;
• Scope of the PHA;
• Limitations of the PHA;
• System Description;
• Hazard Analysis Methodology;
4 of 79 2. Introduction
• Conclusions;
• Annex A Causes;
• Annex B Preliminary hazard analysis (PHA).
2.4 Applicable documents
[PHA-R1-PQP] IEVC Project Quality Plan [id: tsc_ievc_doc_system_pqp]

[PHA-R2-SD] System definition [id: tsc_ievc_doc_system_sd]
[PHA-R3-hazlog] iEVC Hazard Log [id: tsc_ievc_doc_rams_hazard_log]
2.5 Reference documents
[PHA-R4-Glossary] TSC Glossary [id: glossary]

[PHA-R5-LineasBR001] Lineas BR001 Contract User Requirement Specification [id:
tsc_sources_doc_stakeholders_urs_lineas_urs]
[PHA-R6-Subset-026] UNISIG Subset-026 v3.6.0 System Requirements Specification - Baseline 3
[PHA-R7-Subset-088] SUBSET-088, ETCS Application Levels 1 & 2 - Safety Analysis (Parts 0, 1.1, 1.2, 2.1,
2.2, 3) v3.7.0
[PHA-R8-Subset-091] SUBSET-091, Safety Requirements for the Technical Interoperability of ETCS in Levels
1 & 2 v3.6.0
[PHA-R9-Subset-118] SUBSET-118, Functional Safety Analysis of ETCS DMI for ETCS Auxiliary Hazard
v1.5.0
[PHA-R10-ETCSSP] IEVC ETCS Safety Plan [id: tsc_ievc_doc_rams_ievc_etcs_safetyplan]
2.6 Terms and definitions
The terms and definitions used in the IEVC project are summarized and explained in the TSC glossary
[PHA-R4-Glossary].
2.7 Artifacts definition
This document defines the PHA of the IEVC project.
Artifact
iEVC Preliminary Hazard Analysis [artifact]
2.4. Applicable documents 5 of 79

CHAPTER
THREE
MANAGEMENT OF THE PHA
3.1 Creation
The PHA is elaborated by the iEVC Safety Assurance Engineer[role].
3.2 Revision
This PHA represents the initial risk analysis performed for the iEVC system. This document is created at the
beginning of the program, and to be used as the basis for performing other safety-related activities.
New revisions of the PHA are triggered by the iEVC Safety Assurance Manager[role]. The document is to be
updated by the occurrence of:
• Addition of other hazards, possibly identified throughout the iEVC Program development process (and
documented as part of this hazard analysis and subsequent hazard analyses);
• Occurrence of relevant changes to the requirements, organization or process;
• Reception of comments from the Employer or independent body.
3.3 Filing
Storage and diffusion of this document is performed according to the rules described in [PHA-R1-PQP].
6 of 79 3. Management of the PHA

CHAPTER
FOUR
SCOPE OF THE PHA
In application of the iEVC ETCS Safety [PHA-R10-ETCSSP], the scope of this analysis is to identify all haz-
ards related to the iEVC Platform System during normal or degraded operation conditions, respectively during
preventive, corrective maintenance, or decommissioning activities.
All the risks identified during the PHA are registered in the hazard log [PHA-R3-hazlog].
All the other hazards, which are related to railway operations or to permanent railway infrastructure, trackside sys-
tems and routing/interlocking equipment are transferred respectively to the Railway Company or the Infrastructure
Manager.
Specific use and limitations of the system (with respect to geographical boundaries, interfaces, modes, etc.) are
detailed further in the system definition [PHA-R2-SD].
4. Scope of the PHA 7 of 79

CHAPTER
FIVE
LIMITATIONS OF THE PHA
The analysis was carried out under the following assumption: iEVC design currently do not include any battery
or accumulator. The system is fully powered by current delivered by train equipment
8 of 79 5. Limitations of the PHA

CHAPTER
SIX
SYSTEM DESCRIPTION
The iEVC project consists into developing an ETCS on-board based on ERTMS interoperability constituents (IC)
including tools development around this IC. A description of the IEVC ETCS system is given in the IEVC System
Definition [PHA-R2-SD].
The iEVC ETCS system is a model-oriented on-board platform. Its main purpose is to execute on-board signalling
applications, as specified in [PHA-R6-Subset-026]. Applications are executed on-board by a Virtual Machine. The
applications loaded on this VM are grouped in a coherent package, that regroups the applications to run, but also
their configuration, as well as the sequence in which these applications must be run.
In order to support the execution of ETCS signalling applications, the iEVC platform interfaces this VM with
speed sensors, balises and radio communications.
The iEVC ETCS system is composed of the iEVC Platform and a Safe Integrated Development Environment
(SIDE) suite, for configuration and authorization purposes.
The iEVC Platform is mainly composed by three hardware boxes (Computer box, Sensor box and Telecom box),
driver machine interfaces (DMI) in the driver cabin and a crash protected memory (CPM), Eurobalise antenna and
odometry sensors as illustrated in Fig. 6.1. Each box regroups together components having similar life cycles and
managing similar peripherals. Additional computer box is optional.
6. System Description 9 of 79
Figure 6.1: Simplified iEVC Platform hardware overview
10 of 79
CHAPTER
SEVEN
HAZARD ANALYSIS METHODOLOGY
The initial identification of hazards is elementary for the further risk assessment of a system. The Preliminary
Hazard Analysis (PHA) is an inherent part of the risk assessment process.
For railway systems, the focus on hazard analysis is on the physical integrity of human and on the undisturbed
operation of the transportation system. By consequence, the hazard analysis shall systematically identify potential
impacts (i) on the physical integrity of persons and (ii) on the integrity of the infrastructure (i.e. rolling stock,
track, civil works, etc.) or the environment.
The complexity of the PHA depends on several boundary conditions (e.g. physical, operational), which are gen-
erally specified in the system definition for further assessment as well as the level of detail of the PHA.
An deductive, or top-down, approach is used to develop the PHA. Significant or top-level events (i.e. hazards) are
initially identified, followed by what might have caused them.
The main goal being to achieve the most complete as possible hazard identification.
7.1 Hazard Identification List
The preliminary hazard analysis of the IEVC ETCS system consists of:
• Research the causes and circumstances of potential accidents related to the system and its interfaces (with
other subsystems and with the environment), whether they are generated directly by the IEVC ETCS system
or by events outside the IEVC ETCS system;
• Identify the subsystems or elements of the system that may cause these hazards;
• Define mitigation measures to be applied to eliminate or reduce the criticality of the identified potential
hazards and make this level of criticality acceptable (according to the definitions accepted for the project).
• This analysis is based on the development of a hazard tree, which details the potential accidents applicable
to the entire IEVC ETCS system.
Based on this hazard tree, hazard analysis tables identify the elements that can cause hazards, depending on the
circumstances in which they may occur.
PHA leads to the definition of mitigation measures to be taken to reduce the occurrence of potential hazards, or
even to reduce the severity of the consequences of a potential accident in order to make the risk acceptable.
Note: Only direct hazards created by external events are considered. Each of these events can also have indirect
repercussions following the degradation of equipment (example: lightning causes a failure of the system is con-
sidered but lightning causes a failure of signalling is not considered. . . ); this point is not taken into account in this
analysis.
At the Risk Analysis phase, this analysis reveals safety requirements for the various parties in charge of the
subsystems making up the transport system:
• On the structural subsystems: onboard safe computer, DMI, iBTM, Euroantenna, odometry system, TIU.
7. Hazard Analysis Methodology 11 of 79

• On the operational subsystems: operation, maintenance.

• On the interfaces between the subsystems.
• During the detailed design phase, the hazards identified in the PHA will have to be analyzed at the level of
each subsystem, in particular by the companies holding the contracts.
The safety requirements will be monitored through the Hazards log.
Hazard Log
Categorization of hazards [hazard log]
7.2 Preliminary Hazard Analysis
The structure of the PHA sheet in of Section 10 is described below:

• PHA ID: Unique and sequential Identification number;
• old PHA id: Identification id until version V2.2 of the PHA, this version is obsolete.
• Hazards:
– Hazard situation id: “Hazard Accident List” reference number (cf. Section 7.1);
– Hazard category: category from the “Hazard Accident List” (cf. Section 7.1);
• Causes:
– Cause(s) description: technical/functional event(s) leading to a functional failure (cf. Section 9);
– Event id: reference of Event from Subset 088 / 118
– ETCS applicable hazard (SS088,SS118): reference of applicable Hazards from Subset 088 / 118
– ETCS Core Hazard (SS091): reference of applicable core Hazard from Subset 091
– System/subsystem/LRU Configuration Item: system/subsystem/LRU or Configuration Item associated
to the hazardous event;
– Associated URS function: System Definition high-level system function(s) associated to the hazard
(from [PHA-R2-SD])
• Initial Risk estimation:
– Initial Gravity: initial gravity estimated in a qualitative/semi-quantitative/quantitative way according
to Fig. 7.1. The gravity is estimated in function of the hazard category:
* derailement, collision and fire could lead to multiple fatalities

* person fall, explosion or toxic release, asphyxiation (smothering and drowning), electric shocks
or electrocution and person being struck or getting hurt by objects could lead to fatalities
* entrapment, lightning and injuries, diseases and dangerous occurrences could lead to multiple
injuries (for lightning, the locomotive is a Faraday cage, in consequence, the gravity is considered
as low)
This is resumed in the table Fig. 7.2;
– Initial Occurrence: initial occurrence estimated in a qualitative/semi- quantitative/quantitative way
according to Fig. 7.3;
– Initial Risk: initial risk estimation according to Fig. 7.4 and Fig. 7.5 ;
12 of 79 7.2. Preliminary Hazard Analysis

Figure 7.1: Consequence Severity Categories
Figure 7.2: Severity Categories Evaluation
Figure 7.3: Hazard Frequency Categories
7.2. Preliminary Hazard Analysis 13 of 79

Figure 7.4: Risk Acceptance Matrix
Figure 7.5: Risk Acceptance Categories
• Mitigation measures:
– Measure ID: Unique and sequential Identification number;
– Measure description: detailed description of the mitigation measure;
– Measure owner: responsible for the implementation of the measure ;
• Residual risk estimation:
The residual risk is to consider for all the mitigation of a scenario.
Two incompatible mitigations for the same cause should not happen.
– Final Gravity: gravity estimated after the implementation of the measure(s) according to
Fig. 7.1;
– Final Occurrence: occurrence estimated after the implementation of the measure(s) accord-
ing to Fig. 7.3;
– Final Risk: risk estimation after the implementation of the measure(s) according to Fig. 7.4
and Fig. 7.5;
• General remarks: additional information about pending actions, references and/or exported hazards.
The Hazard Log that has been opened and updated as the consequence of Preliminary Hazard Analysis, (see
[PHA-R3-hazlog]).
14 of 79 7.2. Preliminary Hazard Analysis

CHAPTER
EIGHT
CONCLUSIONS
The preliminary hazard analysis has been performed for the iEVC ETCS system.
A hazard identification list has been proposed and all applicable potential hazards have been analyzed considering
personnel error, environmental conditions, design inadequacies, procedural deficiencies, system, subsystem or
component failure, or malfunction. Potential impacts (i) on the physical integrity of persons and (ii) on the
integrity of the infrastructure (i.e. rolling stock, track, civil works, etc.), as well as (iii) consequences for the
environment have been also considered.
The main inputs that have been used for the Hazard Analysis are:
• The iEVC system definition [PHA-R2-SD];
• The Lineas BR001 Contract User Requirement Specification [PHA-R5-LineasBR001];
• The detailed analysis of Safety Requirements for the Technical Interoperability of ETCS in Levels 1 & 2
(Subset 091) [PHA-R8-Subset-091];
• The detailed Safety Analysis of ETCS Application Levels 1 & 2 (Subset 088) [PHA-R7-Subset-088];
• The detailed Functional Safety Analysis of ETCS DMI for ETCS Auxiliary Hazard (Subset 118)
[PHA-R9-Subset-118].
The results of the analysis are recorded in the Hazard Log V1 [PHA-R3-hazlog] which contains the hazards iden-
tified during the PHA and the evaluated risk, proposed mitigations measures, derived requirements and SRACs.
Additional hazards may be identified in the future phases of the project.
From each hazard a requirement has been defined, this requirement aims to reduce the initial risk to acceptable
level where possible. Where appropriate a resulting mitigation measure and a formal property has been identified
and recorded. The requirement ID contains the indication of the component /function of the system to which is
applicable.
The residual risk corresponds to the level of risk after the application of identified safety requirements/ mitigation
measures; where the residual risk is different from negligible, further mitigation (technical and/or operation) is
needed.
The following tables resumes the mitigations identified during the PHA.
The structure of the table is:
• id: Unique Identification number
• argument: mitigation description
• allocated_to: ci to which the mitigation is allocated
• exported_to: (only for exported mitigation): responsible for the implementation of the measure
Recap Table
iEVC PHA Mitigation [recap table]
8. Conclusions 15 of 79
Mitigations identified during the PHA
Table 8.1: iEVC PHA Mitigation

Id Description Allocated to
IEVC-PHA-MM-001 Integration of approved railway iEVC ETCS kit[ci] PHA[ci]
industry systems, subsystems
and components
IEVC-PHA-MM-002 The pulse generator must be iEVC ETCS kit[ci] PHA[ci]
able to produce a continous fail-
safe pulse signal from the wheel
rotation
IEVC-PHA-MM-002B Not applicable to the PHA iEVC ETCS kit[ci] PHA[ci]
- cf https://gitlab.com/tsc-
projects/tsc/-/issues/3632
IEVC-PHA-MM-003 Redundancy of the functional iEVC ETCS kit[ci] PHA[ci]
architecture of the odometry
system with a secondary speed
sensor of different technology
and form of output signals
(functionally independent of the
wheel rotation)
IEVC-PHA-MM-004 iEVC system, subsystems and iEVC ETCS kit[ci] PHA[ci]
components must be compliant
with requirements (design and
testing) of EN 50155:2017
testing) of EN 50125-1:2014
testing) of EN 50121-3-2:2017
testing) of EN 61373:2011
IEVC-PHA-MM-008 iEVC external subsystems and iEVC ETCS kit[ci] PHA[ci]
components design shall be
consistent with clearance enve-
lope and actual available and
practical space for installation
outside and under the car body
(including any fastener or adap-
tor)
IEVC-PHA-MM-009 Not applicable to the PHA iEVC ETCS kit[ci] PHA[ci]
IEVC-PHA-MM-012 iEVC cables should be reclam- iEVC ETCS kit[ci] PHA[ci]
pable and/or easy to replace
(to avoid possible contact mis-
matching) and robustly locked
IEVC-PHA-MM-015C Not applicable to the PHA iEVC ETCS kit[ci] PHA[ci]
16 of 79
IEVC-PHA-MM-015D Not applicable to the PHA iEVC ETCS kit[ci] PHA[ci]

components must be compli-
ant with reliability, availability,
maintainability and safety re-
quirements of EN 50126:2017
ant with control and protection
applications software require-
ments of EN 50128:2011
ant with safety-related elec-
tronic systems acceptance re-
IEVC-PHA-MM-026 iEVC system shall supervise the iEVC ETCS kit[ci] PHA[ci]
driver actions according to Sub-
set 026 in a safe way
IEVC-PHA-MM-027 iEVC system shall be fault tol- iEVC ETCS kit[ci] PHA[ci]
erent compliant with SIL4 target
IEVC-PHA-MM-028 The DMI shall not distract the iEVC ETCS kit[ci] PHA[ci]
driver, on the normal operation
screen, with non safety mes-
sages (i.e. maintenance alerts,
event reports, etc.)
IEVC-PHA-MM-029 Access and display of mainte- iEVC ETCS kit[ci] PHA[ci]
nance and faults information on
DMI shall be inhibited in nor-
mal operation conditions, but at
standstill
IEVC-PHA-MM-030 iEVC system shall be able to iEVC ETCS kit[ci] PHA[ci]
compute the dynamic speed
profile according to Subset 026
in a reliable and safe way
IEVC-PHA-MM-031 iEVC system shall be able to su- iEVC ETCS kit[ci] PHA[ci]
pervise the dynamic speed pro-
file according to Subset 026 in a
reliable and safe way
17 of 79
IEVC-PHA-MM-032B iEVC onboard subsystems and iEVC ETCS kit[ci] PHA[ci]

components design should be
engineered free of sharp or cut-
ting edges
IEVC-PHA-MM-035 iEVC external subsystems and iEVC ETCS kit[ci] PHA[ci]
components design shall be ro-
bust and resistant to ordinary
washing and cleaning opera-
tions of locomotives (typically
under the car body)
IEVC-PHA-MM-037 iEVC subsystems and compo- iEVC ETCS kit[ci] PHA[ci]
nents (under the train) enclosure
must be compliant with require-
ments of EN 62262:2004 rela-
tively to impact resistance and
protection provided by enclo-
sures for electrical equipment
components (both internal and
external) shall be immune
against lightning strike
components (both internal and
external) shall be designed to
reduce intrinsic noise emission,
respectively inside the locomo-
tive cabin and outside the train
IEVC-PHA-MM-041 iEVC internal subsystems and iEVC ETCS kit[ci] PHA[ci]
components design shall be
consistent with actual available
and practical space for installa-
tion inside the locomotive cabin
(including any fastener or adap-
tor)
IEVC-PHA-MM-042 The DMI computer shall of- iEVC ETCS kit[ci] PHA[ci]
fer the possibility to adjust the
loudspeaker volume level using
a softkey, a plus or minus key or
a volume control (in case of ex-
ternal loudspeakers were used)
IEVC-PHA-MM-043 The DMI computer shall offer iEVC ETCS kit[ci] PHA[ci]
the possibility to test and detect
a possible malfuntion or fault of
the internal loudspeaker
IEVC-PHA-MM-046 iEVC antennas shall be iEVC ETCS kit[ci] PHA[ci]
designed for nominal and
degraded railway conditions,
though limiting unuseful exces-
sive power emission for people
and systems (i.e. maximum
allowed power)
18 of 79
IEVC-PHA-MM-047 iEVC onboard (i.e. rooftop iEVC ETCS kit[ci] PHA[ci]

or stationary) antennas must
be compliant with require-
ments of EN 301489-1:2019
(V2.2.3) and EN 301489-
3:2013 (V1.6.1)
IEVC-PHA-MM-050 iEVC antennas must be com- iEVC ETCS kit[ci] PHA[ci]
pliant with EIRENE System
Requirement Specifications
(v16.0.0) for GSM-R applica-
tions
IEVC-PHA-MM-051 iEVC on-board Euroantenna iEVC ETCS kit[ci] PHA[ci]
units must be compliant with
specific EMC requirements for
antennas of UNISIG Subset 036
for balise applications
IEVC-PHA-MM-058 All vehicle electrical circuits iEVC ETCS kit[ci] PHA[ci]
(included iEVC system, sub-
systems and components) shall
comply with the protective
earthing requirements of EN
50153:2018
IEVC-PHA-MM-059 All exposed or accessible con- iEVC ETCS kit[ci] PHA[ci]
ductive components, box enclo-
sures, cable screens and/or pan-
els must be protected against
onboard induced stray currents
with a proper functional earth-
ing (i.e. surge protection)
IEVC-PHA-MM-061 iEVC subsystems and compo- iEVC ETCS kit[ci] PHA[ci]
nents must be compliant with
(or better than) insulation re-
IEVC-PHA-MM-065 iEVC components must be iEVC ETCS kit[ci] PHA[ci]
compliant with high temper-
ature requirements of class
T3 or TX according to EN
50155:2017
IEVC-PHA-MM-066 iEVC components must be iEVC ETCS kit[ci] PHA[ci]
compliant with high operating
temperature requirements of
class OT3 or OT4 according to
EN 50155:2017
components must be designed
without any use of toxic, harm-
ful or environmentally damag-
ing material (i.e. cadmium,
hexavalent chromium, mercury,
lead, phtalates for paints and/or
circuit boards)
IEVC-PHA-MM-070 The wheel pulse generator sys- iEVC ETCS kit[ci] PHA[ci]
tem must be compliant with
at least HL2 fire behaviour re-
quirements of EN45545-2:2013
19 of 79
IEVC-PHA-MM-071 All cables (both exterior and in- iEVC ETCS kit[ci] PHA[ci]
terior) must be compliant with
IEVC-PHA-MM-072 The secondary odometry sen- iEVC ETCS kit[ci] PHA[ci]
sor must be compliant with at
least HL2 fire behaviour re-
IEVC-PHA-MM-073 The antennas (GSM-R, 4G iEVC ETCS kit[ci] PHA[ci]
and/or GPS) must be com-
pliant with at least HL2 fire
behaviour requirements of
EN45545-2:2013
IEVC-PHA-MM-074 The iODO module must be iEVC ETCS kit[ci] PHA[ci]
compliant with at least HL2
fire behaviour requirements of
EN45545-2:2013
IEVC-PHA-MM-075 The iODO BITE module must iEVC ETCS kit[ci] PHA[ci]
be compliant with at least HL2
EN45545-2:2013
IEVC-PHA-MM-076 The Computer box hardware iEVC ETCS kit[ci] PHA[ci]
must be compliant with at least
HL2 fire behaviour require-
ments of EN45545-2:2013
IEVC-PHA-MM-077 The Sensor box hardware must iEVC ETCS kit[ci] PHA[ci]
EN45545-2:2013
IEVC-PHA-MM-078 The Telecom box hardware iEVC ETCS kit[ci] PHA[ci]
must be compliant with at least
HL2 fire behaviour require-
ments of EN45545-2:2013
IEVC-PHA-MM-079 The Crash protected memory iEVC ETCS kit[ci] PHA[ci]
(CPM) must be compliant with
IEVC-PHA-MM-080 The DMI hardware must be iEVC ETCS kit[ci] PHA[ci]
EN45545-2:2013
IEVC-PHA-MM-082 Power supplies for iEVC system iEVC ETCS kit[ci] PHA[ci]
must be properly sized to match
overall loads from all subsys-
tems and components, in order
to optimize thermal dissipation
and reduce electrical stress at
line extremes (i.e. fuse break-
ing)
IEVC-PHA-MM-083 The systhem design shall speci- iEVC ETCS kit[ci] PHA[ci]
fiy a maximum consumption for
the iEVC system
20 of 79
IEVC-PHA-MM-084 Power supply perturbations po- iEVC ETCS kit[ci] PHA[ci]

tentially leading to high tran-
sient loads, overtemperature,
overvoltage or overcurrent must
be monitored and properly dis-
played on the front panel of
each box
IEVC-PHA-MM-085 Power supply perturbations po- iEVC ETCS kit[ci] PHA[ci]
tentially leading to high tran-
sient loads, overtemperature,
overvoltage or overcurrent must
be prevented by proper protec-
tion strategies (i.e. limiting in-
rush current of PFC) to min-
imise breaking of fuse elements
IEVC-PHA-MM-085B Maximum tolerable inrush cur- iEVC ETCS kit[ci] PHA[ci]
rent for each powered subsys-
tem and/or component must be
defined
IEVC-PHA-MM-086 The output of galvanically iso- iEVC ETCS kit[ci] PHA[ci]
lated power supply units is not
allowed to float and must be ref-
erenced to a voltage source, re-
spectively an earth point
IEVC-PHA-MM-089 Galvanic isolation Sensors iEVC ETCS kit[ci] PHA[ci]
(wheel PG and secondary
odometry sensor) and actu-
ators (included safe I/O and
BTM) must be tested accord-
ing to requirements of EN
50155:2017
IEVC-PHA-MM-090 Front side of DMI hardware (in- iEVC ETCS kit[ci] PHA[ci]
cluded external loudspeakers if
applicable) must be protected
from water projection and dust
and properly sealed to a mini-
mum of IP55, in order to pre-
vent electrical shortcircuits in
the cabin environment
IEVC-PHA-MM-091 The pulse generator (including iEVC ETCS kit[ci] PHA[ci]
cables) must be protected from
water projection and dust and
properly sealed to a minimum of
IP65, in order to prevent electri-
cal shortcircuits
IEVC-PHA-MM-092 The secondary odometry sensor iEVC ETCS kit[ci] PHA[ci]
(including cables) must be pro-
tected from water projection and
dust and properly sealed to a
minimum of IP65, in order to
prevent electrical shortcircuits
21 of 79
IEVC-PHA-MM-093 Antennas (including cables) iEVC ETCS kit[ci] PHA[ci]

must be protected from water
projection and dust and properly
sealed to a minimum of IP65,
in order to prevent electrical
shortcircuits or discharges
IEVC-PHA-MM-094 The BTM Antenna Unit enclo- iEVC ETCS kit[ci] PHA[ci]
sures (including cables) must be
protected from water projection
and dust and properly sealed
to a minimum of IP65, in or-
der to prevent electrical short-
circuits or discharges
IEVC-PHA-MM-095 The subsystems enclosures iEVC ETCS kit[ci] PHA[ci]
(computer, sensor and tele-
com boxes) must be protected
from water projection and
dust and properly sealed to a
minimum of IP55, in order to
prevent electrical shortcircuits
or discharges
IEVC-PHA-MM-096 The CPM enclosures (including iEVC ETCS kit[ci] PHA[ci]
cables) must be protected from
water projection and dust and
properly sealed to a minimum of
IP65, in order to prevent electri-
cal shortcircuits or discharges
IEVC-PHA-MM-097 iEVC on-board subsystem must iEVC ETCS kit[ci] PHA[ci]
be able to retrieve, display and
acknowledge the built-in train
integrity information through its
own train interface unit (TIU)
IEVC-PHA-MM-098 iEVC train interface subsystem iEVC ETCS kit[ci] PHA[ci]
must be compliant with func-
tional requirements of Subset
034
IEVC-PHA-MM-099 The system must provide a spe- iEVC ETCS kit[ci] PHA[ci]
cific iEVC interactive test mode
for the maintainer being able
to trigger tests inside the iBTM
(i.e. through a Built-In Test ca-
pacity)
IEVC-PHA-MM-100 iEVC on-board Euroantenna iEVC ETCS kit[ci] PHA[ci]
units must be compliant with
specific balise air-gap interface
and environmental conditions
requirements for antennas of
UNISIG Subset 036 for balise
applications
IEVC-PHA-MM-102 Tele-powering of any inactive iEVC ETCS kit[ci] PHA[ci]
Euroantenna installed on-board
must be disabled, and an alarm
must be raised in case of unat-
tended activation during normal
train operations
22 of 79
IEVC-PHA-MM-103 The iEVC shall be compliant iEVC ETCS kit[ci] PHA[ci]

with requirements of Subset-
085 v3.0.0 (Test specification
for Eurobalise FFFIS)
IEVC-PHA-MM-104 Test interfaces V1 and V2 for iEVC ETCS kit[ci] PHA[ci]
iBTM function must be inhib-
ited when not in test mode, and
an alarm must be raised for
proper action to the on-board
safe computer in case of unat-
tended activation during normal
train operations
IEVC-PHA-MM-105 iBTM tests on the Euroantenna iEVC ETCS kit[ci] PHA[ci]
must not be executed unless the
train is stopped (or has come to
a complete stop) and is not re-
ceiving up-link telegrams from
a balise
IEVC-PHA-MM-105B iBTM subsystem must switch iEVC ETCS kit[ci] PHA[ci]
off tele-powering of any Eu-
roantenna before starting test
session
IEVC-PHA-MM-106 All alarms raised by the iBTM iEVC ETCS kit[ci] PHA[ci]
subsystem must be reported for
proper action to the on-board
safe computer
044 v2.4.0 (Euroloop)
103 v1.1.0 (Test specification
for Euroloop)
IEVC-PHA-MM-109 Operating temperature of iBTM iEVC ETCS kit[ci] PHA[ci]
Tele-powering component must
be monitored and an alarm must
be raised for proper action to the
on-board safe computer when a
given defined threshold is ex-
ceeded
IEVC-PHA-MM-110 The iEVC system must only iEVC ETCS kit[ci] PHA[ci]
take into account the messages
encoded inside the Eurobalises
according to Subset 026.
IEVC-PHA-MM-111 Tele-powering of Euroantennas iEVC ETCS kit[ci] PHA[ci]
must be defined one and for all
(within acceptable tolerances)
for all possible operational con-
ditions (i.e. balise size, instal-
lation type, etc.) and must not
be allowed to be adjusted during
normal train operations
23 of 79
IEVC-PHA-MM-112 Tele-powering signal must not iEVC ETCS kit[ci] PHA[ci]

exceed a given defined thresh-
old, in order to avoid cross-
talk between balises or nearby
cables, and an alarm must be
raised for proper action to the
on-board safe computer in case
of overrun
IEVC-PHA-MM-113 Too low tele-powering signals iEVC ETCS kit[ci] PHA[ci]
must be detected, and an alarm
must be raised for proper action
to the on-board safe computer
when balise reading is not pos-
sible
IEVC-PHA-MM-114 In case two antenna are installed iEVC ETCS kit[ci] PHA[ci]
on-board, the iEVC shall guar-
antee that iBTM function is us-
ing the correct antenna.
IEVC-PHA-MM-115 An alarm must be raised to the iEVC ETCS kit[ci] PHA[ci]
on-board safe computer when
information of current installed
cabin is not available
IEVC-PHA-MM-116 The iBTM subsystem must be iEVC ETCS kit[ci] PHA[ci]
able to reject erroneous mes-
sages for eurobalise
047 v3.0.0 (Radio in-fill)
048 v3.0.0 (Train-borne for Ra-
dio in-fill)
with requirements of SubSet
037 (Euroradio)
092-1 v3.1.0 (ERTMS EuroRa-
dio Conformance Requirements
and test cases safety layers)
IEVC-PHA-MM-128 Quality management system for iEVC ETCS kit[ci] PHA[ci]
software engineering must be
compliant with requirements of
ISO 90003
24 of 79
IEVC-PHA-MM-129 The iEVC system must continue iEVC ETCS kit[ci] PHA[ci]
to display the speed of the train
on the DMI screen, even if the
iEVC is isolated
IEVC-PHA-MM-130 The iEVC DMI screen shall be iEVC ETCS kit[ci] PHA[ci]
compliant with requirements of
ERA_ERTMS_015660 v3.6.0
subset
IEVC-PHA-MM-131 All specific DMI functions that iEVC ETCS kit[ci] PHA[ci]
are not specified in the applica-
ble standards (i.e. dealing with
degraded modes) must be in-
cluded in the O&M manuals
IEVC-PHA-MM-132 Functional redundancy of the iEVC ETCS kit[ci] PHA[ci]
DMI screen, with one screen
presenting mandatory ETCS in-
formations and a second screen
presenting non-ETCS data or
applications chosen by the user
(typically the driver during nor-
mal operations)
IEVC-PHA-MM-133 Inhibition of the primary DMI iEVC ETCS kit[ci] PHA[ci]
screen in case of faults or fail-
ures and presentation of manda-
tory ETCS informations in the
second screen (degraded mode)
IEVC-PHA-MM-134 Speed determination from the iEVC ETCS kit[ci] PHA[ci]
wheel pulse generator primary
information must take into ac-
count a reasonable slip or slide
tolerance on the wheel rotation
IEVC-PHA-MM-135 The iEVC system shall be tested iEVC ETCS kit[ci] PHA[ci]
in different low track-adhesion
conditions before commission-
ing
IEVC-PHA-MM-136 DMI audio signals (i.e. mes- iEVC ETCS kit[ci] PHA[ci]
sages and alarms) must be com-
pliant with requirements of ISO
7731
IEVC-PHA-MM-137 The iEVC DMI screen shall iEVC ETCS kit[ci] PHA[ci]
be compliant with luminance,
brightness and viewing angle re-
IEVC-PHA-MM-138 The DMI computer shall offer iEVC ETCS kit[ci] PHA[ci]
the possibility to adjust the lu-
minance and the brightness of
the screen using a softkey or a
plus/minus key
IEVC-PHA-MM-140 The system must provide a spe- iEVC ETCS kit[ci] PHA[ci]
cific iEVC interactive test mode
for the maintainer being able
to trigger tests inside the DMI
computer (i.e. through a Built-
In Test capacity)
25 of 79
IEVC-PHA-MM-141 The iEVC system shall require iEVC ETCS kit[ci] PHA[ci]
the driver to identify on DMI
display before being able to
configure train data
IEVC-PHA-MM-142 The iEVC system shall require iEVC ETCS kit[ci] PHA[ci]
the driver to validate train data
configuration through the DMI
display
IEVC-PHA-MM-143 A specific data entry opera- iEVC ETCS kit[ci] PHA[ci]
tional procedure shall be de-
fined to protect against hu-
man error during train con-
figuration (i.e. wheel diame-
ter, tilting/non-tilting category,
length, load and axle gauge,
maximum speed, etc.)
IEVC-PHA-MM-144 The DMI display must give the iEVC ETCS kit[ci] PHA[ci]
possibility to the driver to ad-
just the adhesion factor on the
DMI, when the system acquires
an adhesion factor that is greater
than achievable under prevailing
conditions
IEVC-PHA-MM-147 iEVC communications shall iEVC ETCS kit[ci] PHA[ci]
comply with EN 50159
IEVC-PHA-MM-150 iEVC system shall detect the iEVC ETCS kit[ci] PHA[ci]
Functional Failure of the stand-
still detection according to Sub-
IEVC-PHA-MM-151 iEVC system shall detect the iEVC ETCS kit[ci] PHA[ci]
failure of Standstill Supervision
Function as per subset-026-3
movement authority (MA) ac-
cording to Subset 026 in a safe
way
IEVC-PHA-MM-153 iEVC system shall compute the iEVC ETCS kit[ci] PHA[ci]
confidence interval and reloca-
tion of the train position accord-
ing to Subset 026 in a safe way
IEVC-PHA-MM-154 iEVC system shall compute a iEVC ETCS kit[ci] PHA[ci]
traction/braking model accord-
IEVC-PHA-MM-155 iEVC system shall supervise re- iEVC ETCS kit[ci] PHA[ci]
verse movement according to
Subset 026 in a safe way
IEVC-PHA-MM-156 The iEVC system shall identify iEVC ETCS kit[ci] PHA[ci]
the position of the train in rela-
tion to the reference position ac-
way
IEVC-PHA-MM-157 iEVC system shall identify the iEVC ETCS kit[ci] PHA[ci]
cab status (TIU failure) accord-
26 of 79
IEVC-PHA-MM-158 iEVC system shall check the iEVC ETCS kit[ci] PHA[ci]
Balise messages consistency ac-
way.
Radio messages consistency ac-
way.
Loop messages consistency ac-
way.
IEVC-PHA-MM-161 iEVC system shall supervise or iEVC ETCS kit[ci] PHA[ci]
monitor the train trip monitor-
ing according to Subset 026 in
a safe way
IEVC-PHA-MM-162 iEVC system shall supervise iEVC ETCS kit[ci] PHA[ci]
the driver acknowledgement ac-
way
IEVC-PHA-MM-163 iEVC system shall inform the iEVC ETCS kit[ci] PHA[ci]
trackside with train data accord-
IEVC-PHA-MM-164 the iEVC system shall not con- iEVC ETCS kit[ci] PHA[ci]
tain potentially ignition sources
IEVC-PHA-MM-165 the iEVC system shall control iEVC ETCS kit[ci] PHA[ci]
the of electromechanical equip-
ment temperature
IEVC-PHA-MM-166 the iEVC system shall not con- iEVC ETCS kit[ci] PHA[ci]
tains potentially explosive mater
IEVC-PHA-MM-167 the installation of iEVC system iEVC ETCS kit[ci] PHA[ci]
on the roof of the locomotive
shall not be a point of attraction
for lightning
IEVC-PHA-MM-168 The speed measure system shall iEVC ETCS kit[ci] PHA[ci]
allow to reach SIL4 for the
odometry function of the iEVC
IEVC-PHA-MM-169 The iEVC system shall process iEVC ETCS kit[ci] PHA[ci]
DMI display according to Sub-
IEVC-PHA-MM-170 In case of multiple installations iEVC ETCS kit[ci] PHA[ci]
of IEVC systems on a train, the
leading iEVC shall be identi-
fied.
train movement in order to pro-
tect against the undesired move-
ment according to Subset 026 in
a safe way
IEVC-PHA-MM-172 The driver shall not be hurt iEVC ETCS kit[ci] PHA[ci]
by the alarm noise level of the
iEVC system.
IEVC-PHA-MM-173 The iEVC system shall allow to iEVC ETCS kit[ci] PHA[ci]
reach SIL4 for the braking func-
tion (including TIU)
27 of 79
IEVC-PHA-MM-174 The design shall take into ac- iEVC ETCS kit[ci] PHA[ci]
count adhesion conditions for
the calculation of train speed
and position
IEVC-PHA-MM-176 The installation of the iEVC iEVC ETCS kit[ci] PHA[ci]
system shall respect the ac-
cepted or qualified loading
gauge
IEVC-PHA-MM-177 The iEVC system must be pro- iEVC ETCS kit[ci] PHA[ci]
tected against cyber-attacks, es-
pecially if the iEVC system
opens new access doors to the
system (usb port, 4G access
point, ethernet port, etc.)
IEVC-PHA-MM-179 The iBTM RX module must iEVC ETCS kit[ci] PHA[ci]
EN45545-2:2013
IEVC-PHA-MM-180 The iBTM TX module must iEVC ETCS kit[ci] PHA[ci]
EN45545-2:2013
IEVC-PHA-MM-181 The Euroantenna must be iEVC ETCS kit[ci] PHA[ci]
EN45545-2:2013
IEVC-PHA-MM-183 The elements of the iEVC sys- iEVC ETCS kit[ci] PHA[ci]
tem that normaly are not in-
teracting with the driver shall
not distract him, during the nor-
mal operation (for exemple with
sounds or lights)
IEVC-PHA-MM-184 The ievc shall be fixed such that iEVC ETCS kit[ci] PHA[ci]
the element are not easily acces-
sible and demontable
IEVC-PHA-MM-185 Freeze of DMI display shall de- iEVC ETCS kit[ci] PHA[ci]
tect and system shall switch to a
safe state
IEVC-PHA-MM-186 Alarms of the iEVC system iEVC ETCS kit[ci] PHA[ci]
shall be heard by the driver in
every condition.
Recap Table
Exported iEVC PHA Mitigation [recap table]
Exported mitigations identified during the PHA
28 of 79
Table 8.2: Exported iEVC PHA Mitigation

Id Description Allocated to Exported to
IEVC-PHA-MM-010 Installation must only iEVC ETCS kit[ci] Installation de-
be performed by qual- PHA[ci] signer[stakeholder]
ified and competent
service personnel
in compliance of
technical standards
and applicable re-
quirements, including
SRACs from suppliers
IEVC-PHA-MM-011 All iEVC suppliers are iEVC ETCS kit[ci] Installation project
expected to be compli- PHA[ci] manager[stakeholder]
ant with an accredited
quality process (i.e.
ISO 9001)
IEVC-PHA-MM-013 iEVC external cables iEVC ETCS kit[ci] Installation de-
and connectors shall PHA[ci] signer[stakeholder]
resist pulling and being
torn.
IEVC-PHA-MM-014 An wiring diagram iEVC ETCS kit[ci] Installation de-
plan should be pre- PHA[ci] signer[stakeholder]
pared for installation
purposes (i.e. number
of minimal required
channels, number
of wires, interfacing
constraints, etc.). This
should be included in
the Installation Plan
IEVC-PHA-MM-015 The installation of all iEVC ETCS kit[ci] Installation de-
electrical systems shall PHA[ci] signer[stakeholder]
apply the EN 50121
standard to mitigate
EMC-related hazards
(i.e. grounding, in-
sulation rules, cable
segregations etc. . . )
IEVC-PHA-MM-015B The installation of iEVC ETCS kit[ci] Installation de-
all electrical systems PHA[ci] signer[stakeholder]
shall apply state of the
art rules to mitigate
electric shocks related
hazards (i.e. proper
grounding, effective
insulation rules, etc. . . )
IEVC-PHA-MM-016 Maintenance opera- iEVC ETCS kit[ci] Maintainer[stakeholder]
tions (i.e. first and PHA[ci]
second line) should
only be performed by
qualified and compe-
tent service personnel
in compliance of all
applicable require-
ments described in
O&M manuals
29 of 79
IEVC-PHA-MM-017 Periodic inspections of iEVC ETCS kit[ci] IEVC mainte-

pulse wheel generators PHA[ci] nance[stakeholder]
(included cables and
junction box) and
preventive mainte-
nance procedures and
operations (included
tests) must be included
in the O&M manual
IEVC-PHA-MM-017B Any obsolescence in- iEVC ETCS kit[ci] IEVC mainte-
formation from suppli- PHA[ci] nance[stakeholder]
ers for installed com-
ponents should be in-
cluded in the O&M
manual
IEVC-PHA-MM-021 The installation of iEVC ETCS kit[ci] Installation project
iEVC system, subsys- PHA[ci] manager[stakeholder]
tems and components
must be compliant with
the assembling, wiring,
grounding/earthing, in-
tegrating, conditioning
instructions and spe-
cific conditions listed
in the Installation Plan
IEVC-PHA-MM-022 A specific and con- iEVC ETCS kit[ci] IEVC mainte-
tinuous training pro- PHA[ci] nance[stakeholder]
gram for maintenance
staff should be pro-
vided based on O&M
manual
IEVC-PHA-MM-032 When installed in iEVC ETCS kit[ci] Installation de-
the locomotive, the PHA[ci] signer[stakeholder]
iEVC onboard subsys-
tems and components
design shall be inte-
grated to the exiting
environement
IEVC-PHA-MM-033 Periodic inspections iEVC ETCS kit[ci] IEVC mainte-
of antennas (included PHA[ci] nance[stakeholder]
cables and junction
boxes) and preventive
maintenance proce-
dures and operations
(included tests) shall
be included in the
O&M manual
30 of 79
IEVC-PHA-MM-034 Periodic inspections iEVC ETCS kit[ci] Maintainer[stakeholder]

of external mounted PHA[ci]
components (included
cables and junction
boxes) and preventive
maintenance proce-
dures and operations
(included recov-
ery tests) should be
planned and performed
on a O&M manual
basis
IEVC-PHA-MM-036 iEVC system, subsys- iEVC ETCS kit[ci] Installation de-
tems and components PHA[ci] signer[stakeholder]
(both internal and ex-
ternal) shall be de-
signed without any use
of welding for connec-
tions, fastening or bolt-
ing
IEVC-PHA-MM-038 iEVC system, subsys- iEVC ETCS kit[ci] Installation de-
tems and components PHA[ci] signer[stakeholder]
ternal) shall be de-
signed without any use
of threaded rods point-
ing out, for connec-
tions, fastening or bolt-
ing
of DMI computer PHA[ci] nance[stakeholder]
(included cables,
screen and internal
loudspeakers) and
preventive mainte-
tests) shall be included
in the O&M manual
of DMI computer PHA[ci]
(included cables,
screen and internal
loudspeakers) and
preventive mainte-
recovery tests) should
be planned and per-
formed on a O&M
manual basis
31 of 79
IEVC-PHA-MM-048 Specific precautions iEVC ETCS kit[ci] IEVC mainte-

during maintenance PHA[ci] nance[stakeholder]
operations on active
antennas shall be
provided in O&M
manual (i.e. keeping
safe distance from
any active antenna,
requesting to have
the antennas powered
donw or moved, using
RF monitor, etc.)
IEVC-PHA-MM-049 Maintenance staff iEVC ETCS kit[ci] Maintainer[stakeholder]
should keep a safe dis- PHA[ci]
tance from any active
antenna or request to
have the antennas pow-
ered down (or moved)
before performing
maintenance opera-
tions, as described in
O&M manual
IEVC-PHA-MM-052 A lightning protection iEVC ETCS kit[ci] Installation de-
system (i.e. lightning PHA[ci] signer[stakeholder]
rods or lightnings ar-
resters) should be in-
stalled on the train to
protect systems, sub-
systems and compo-
nents from damages
due to lightning strikes
- in particular from
high currents to ground
and induced currents
on electronic boards
and ground planes
IEVC-PHA-MM-053 Proper and adequate iEVC ETCS kit[ci] Installation de-
electrical separation PHA[ci] signer[stakeholder]
between low and
medium voltage sys-
tems (i.e. grounding
or isolation) must be
provided
IEVC-PHA-MM-054 Cable screens and iEVC ETCS kit[ci] Installation de-
boxes shall be PHA[ci] signer[stakeholder]
ground/earth bonded
at the point of entry to
enclosures
IEVC-PHA-MM-055 Grounding/earthing iEVC ETCS kit[ci] Installation de-
and bonding shall be PHA[ci] signer[stakeholder]
resistant to corrosion,
shock and vibration
32 of 79
IEVC-PHA-MM-056 Bonding connections iEVC ETCS kit[ci] Installation de-

must be kept as short PHA[ci] signer[stakeholder]
as possible to be as low
resistive and inductive
as possible
IEVC-PHA-MM-057 All exposed or ac- iEVC ETCS kit[ci] Installation de-
cessible conductive PHA[ci] signer[stakeholder]
components, box en-
closures, cable screens
and/or panels must
be protected against
electrick shocks with
a proper equipotential
ground/earth bonding
IEVC-PHA-MM-060 Grounding/earthing iEVC ETCS kit[ci] Maintainer[stakeholder]
and bonding shall be PHA[ci]
periodically inspected
(and tested)
IEVC-PHA-MM-062 Accessible parts of iEVC ETCS kit[ci] Installation de-
DMI enclosure, touch- PHA[ci] signer[stakeholder]
screen or key elements
must be isolated during
normal operations to
prevent electric shocks
IEVC-PHA-MM-063 Subsystem enclosures, iEVC ETCS kit[ci] Maintainer[stakeholder]
components and acces- PHA[ci]
sible parts (i.e. DMI
touchscreen, etc.) must
be fully de-energized
by disconnecting
power sources before
any preventive or
corrective maintenance
operations
IEVC-PHA-MM-064 iEVC boxes and DMI iEVC ETCS kit[ci] Installation de-
hardware must be pro- PHA[ci] signer[stakeholder]
tected against acciden-
tal and/or intentional
access by the driver
during normal opera-
tions
IEVC-PHA-MM-068 Compliance to RoHS iEVC ETCS kit[ci] Installation de-
and REACH require- PHA[ci] signer[stakeholder]
ments (or equivalent)
for electronics mate-
rials (included paints,
cables, coatings, etc.),
equipment and compo-
nents must be verified
during installation
33 of 79
IEVC-PHA-MM-069 Specific activities iEVC ETCS kit[ci] IEVC mainte-

and/or special pre- PHA[ci] nance[stakeholder]
cautions against toxic
materials that might
be undertaken by staff
during ordinary main-
tenance operations
(both preventive and
corrective) shall be
included in O&M
manual
IEVC-PHA-MM-081 Specific activities iEVC ETCS kit[ci] IEVC mainte-
and/or special pre- PHA[ci] nance[stakeholder]
cautions against ESD
that might be under-
taken by staff during
ordinary maintenance
operations (both pre-
ventive and corrective)
shall be included in
O&M manual
IEVC-PHA-MM-087 Protection against po- iEVC ETCS kit[ci] Installation de-
larity reversal of the in- PHA[ci] signer[stakeholder]
coming power supply
must be prevented and
verified by proper me-
chanical means during
installation
IEVC-PHA-MM-101 The Euroantenna must iEVC ETCS kit[ci] Installation de-
be placed at a mini- PHA[ci] signer[stakeholder]
mum distance of 2m
between the front of
the engine and1st axle
of the engine and the
Eurobalise antenna, up
to 12.5m in the rear of
the 1st axle
IEVC-PHA-MM-124 Specific application iEVC ETCS kit[ci] Installation de-
conditions, restrictions PHA[ci] signer[stakeholder]
or exported constraints
imposed by the air-
borne antennas to the
other radio frequencs
(RF) equipment pos-
sibly used on train
(respectively work
vehicles) must be
included in the O&M
manual
34 of 79
IEVC-PHA-MM-125 Compliance of iEVC iEVC ETCS kit[ci] Installation de-

air-borne anten- PHA[ci] signer[stakeholder]
nas with EMC re-
quirements of EN
50155:2017, with
respect to RF inter-
ferences with other
radio frequency equip-
ment possibly used
on train (respectively
work vehicles), must
be verified during
installation
of air-borne antennas PHA[ci]
(included cables and
junction boxes) and
preventive mainte-
tests) should be in-
cluded in the O&M
manual
IEVC-PHA-MM-127 Sensors calibration iEVC ETCS kit[ci] Installation de-
(wheel PG and sec- PHA[ci] signer[stakeholder]
ondary odometry
sensor) and actuators
(included safe I/O and
BTM) must be prop-
erly calibrated before
delivery and verified
during installation
IEVC-PHA-MM-139 The DMI computer iEVC ETCS kit[ci] Installation de-
must be provided with PHA[ci] signer[stakeholder]
a watchdog timer, to
be able to get rid of
hardware faults and
unattended software
execution and possibly
reboot the system
of Safe computer PHA[ci] nance[stakeholder]
(included cables,
connectors, I/O) and
preventive mainte-
tests) should be in-
cluded in the O&M
manual
35 of 79

of Safe computer PHA[ci]
(included cables,
connectors, I/O) and
preventive mainte-
recovery tests) should
be planned and per-
formed on a O&M
manual basis
IEVC-PHA-MM-149 There shall be periodic iEVC ETCS kit[ci] Maintainer[stakeholder]
checks of the wheel di- PHA[ci]
ameter for the iEVC
IEVC-PHA-MM-175 The driver shall be iEVC ETCS kit[ci] Operator[stakeholder]
training to identify PHA[ci]
which conditions
could lead to a loss
of adherence and take
appropriate action.
IEVC-PHA-MM-178 Data to be entered by iEVC ETCS kit[ci] Operator[stakeholder]
the driver have to be PHA[ci]
at a level of quality
and confidence consis-
tent with their intended
use
IEVC-PHA-MM-182 The iEVC installation iEVC ETCS kit[ci] Installation de-
shall not reduce the PHA[ci] signer[stakeholder]
driver's field of vision
The following table resumes the mitigations identified as not applicable during the PHA.
• argument: mitigation description
• status: Status of the requirement
• source_justification: justification of the requirement status
• mitigation_status: Status of the mitigation
Recap Table
Not applicable Mitigations [recap table]
Mitigations identified identified as not-applicable
Table 8.3: Not applicable Mitigations

Id Description Status Source justification Mitigation
status
IEVC-PHA- Not applicable Unsupported None In Analysis
MM-002B to the PHA - cf
https://gitlab.com/tsc-
projects/tsc/-
/issues/3632
36 of 79

MM-009 to the PHA - cf
projects/tsc/-
/issues/3632
MM-015C to the PHA - cf
projects/tsc/-
/issues/3632
MM-015D to the PHA - cf
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
37 of 79
IEVC-PHA- Test interfaces V1 Unsupported Will be exported to In Analysis

MM-104 and V2 for iBTM the FHA. It has been
function must be agreed during the de-
inhibited when not sign review of PHA
in test mode, and an V1 not to trace this
alarm must be raised measure at URS level
for proper action to
the on-board safe
computer in case of
unattended activation
during normal train
operations
IEVC-PHA- The iEVC shall Unsupported Radio in-fill is out of In Analysis
MM-117 be compliant with scope
requirements of
Subset-047 v3.0.0
(Radio in-fill)
IEVC-PHA- The iEVC shall Unsupported Radio in-fill is out of In Analysis
MM-118 be compliant with scope
requirements of
Subset-048 v3.0.0
(Train-borne for
Radio in-fill)
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
projects/tsc/-
/issues/3632
IEVC-PHA- The iEVC system Unsupported Measure is exported In Analysis
MM-129 must continue to to GASC. It has been
display the speed of agreed during the de-
the train on the DMI sign review of PHA
screen, even if the V1 not to trace this
iEVC is isolated measure at URS level
38 of 79
CHAPTER
NINE
ANNEX A CAUSES
The following table resumes the applicable causes identified during the PHA.
• argument: cause description
• mitigation: list of the mitigations required for this cause
• applicable: if false, the mitigation is not applicable
• justification: (only for non applicable causes) justification of the non applicability of the cause
Recap Table
PHA Causes [recap table]
Applicable causes identified during the PHA
Table 9.1: PHA Causes

Id Description Mitigation Applicable
IEVC-CAUSE-001 Generic mechanical tsc-req-ievc-pha-mm- True
failure 007[req]
IEVC-CAUSE-002 Extreme vibrations or tsc-req-ievc-pha-mm- True

sollicitations 007[req]
IEVC-CAUSE-003 Improper or faulty in- tsc-req-ievc-pha-mm- True

stallation 010[req]
IEVC-CAUSE-004 The adhesion con- tsc-req-ievc-pha-mm- True

ditions are not suf- 174[req]
ficiently taken into
account in the iEVC
calculations such as
speed or position
IEVC-CAUSE-005 The tracks are not tsc-req-ievc-pha-mm- True
cleaned - presence of 175[req]
leaves, ice
IEVC-CAUSE-007 iEVC installation in- tsc-req-ievc-pha-mm- True
creases the gauge of 176[req]
the train
9. Annex A Causes 39 of 79
IEVC-CAUSE-040 Generic optical or me- tsc-req-ievc-pha-mm- True

chanical failure of the 001[req] tsc-req-ievc-
wheel pulse generator pha-mm-002[req]
system tsc-req-ievc-pha-mm-
003[req]
IEVC-CAUSE-041 Premature aging or tsc-req-ievc-pha-mm- True

deterioration of the 004[req] tsc-req-ievc-
odometry system pha-mm-005[req]
due to adverse or tsc-req-ievc-pha-mm-
unfavourable environ- 007[req] tsc-req-ievc-
mental conditions pha-mm-034[req]
tsc-req-ievc-pha-mm-
035[req]
IEVC-CAUSE-042 Equipment mis- tsc-req-ievc-pha-mm- True

operation or malfunc- 006[req] tsc-req-ievc-
tion of the odometry pha-mm-015[req]
system due to elec- tsc-req-ievc-pha-mm-
tromagnetic field 168[req]
interferences
IEVC-CAUSE-043 Breaking or cutting tsc-req-ievc-pha-mm- True
of cables and elec- 008[req] tsc-req-ievc-
tric wirings of the pha-mm-013[req]
odometry system tsc-req-ievc-pha-mm-
035[req]

stallation 010[req] tsc-req-ievc-
pha-mm-011[req]
021[req] tsc-req-ievc-
pha-mm-012[req]
pha-mm-127[req]
IEVC-CAUSE-045 Improper or poor main- tsc-req-ievc-pha-mm- True

tenance 016[req] tsc-req-ievc-
pha-mm-017[req]
017b[req] tsc-req-
ievc-pha-mm-034[req]
022[req]
IEVC-CAUSE-046 Wear of the wheel ; tsc-req-ievc-pha-mm- True

change of wheel diam- 149[req]
eter over time
40 of 79
IEVC-CAUSE-047 Generic software fault tsc-req-ievc-pha-mm- True

or error 023[req] tsc-req-ievc-
pha-mm-024[req]
pha-mm-030[req]
pha-mm-168[req]
IEVC-CAUSE-048 iEVC system is the tar- tsc-req-ievc-pha-mm- True

get of a cyber-attack 177[req]
IEVC-CAUSE-049 Generic failure of the tsc-req-ievc-pha-mm- True

onboard computer 001[req] tsc-req-ievc-
pha-mm-006[req]
pha-mm-007[req]
pha-mm-066[req]
168[req]
IEVC-CAUSE-050 Generic failure of tsc-req-ievc-pha-mm- True

I/O boards or inter- 006[req] tsc-req-ievc-
faces (i.e. electrical, pha-mm-004[req]
mechanical, etc.) tsc-req-ievc-pha-mm-
pha-mm-146[req]
168[req]
IEVC-CAUSE-051 Wrong processing of tsc-req-ievc-pha-mm- True

MA information (i.e. 152[req]
distance or timers) in-
volving delay between
receiving of a balise
message and reporting
the resulting change of
status on-board
IEVC-CAUSE-052 Incorrect confidence tsc-req-ievc-pha-mm- True
interval determining 153[req]
max front/rear position
of the train (unsafe
dynamic profile)
IEVC-CAUSE-053 Incorrect trac- tsc-req-ievc-pha-mm- True
tion/braking model 154[req]
(e.g. brake use restric-
tions) leading to unsafe
dynamic profile
41 of 79

(only for aceleration)
leading to an incorrect
speed monitoring
IEVC-CAUSE-055 Failure of backward tsc-req-ievc-pha-mm- True
distance monitoring 155[req]
(PT or RV mode)
IEVC-CAUSE-056 Failure of standstill tsc-req-ievc-pha-mm- True
supervision (in SB 151[req]
mode), Refer to 1.6.5
IEVC-CAUSE-057 Incorrect standstill in- tsc-req-ievc-pha-mm- True
dication 150[req]
IEVC-CAUSE-058 Failure of reverse tsc-req-ievc-pha-mm- True

movements monitoring 155[req]
(FS, LS, SR, OS, PT or
RV mode)
IEVC-CAUSE-059 Incorrect reference po- tsc-req-ievc-pha-mm- True
sition 156[req]
IEVC-CAUSE-060 Incorrect System data tsc-req-ievc-pha-mm- True

(e.g.current level) 031[req]

DMI computer 001[req] tsc-req-ievc-
pha-mm-004[req]
pha-mm-006[req]
139[req]
IEVC-CAUSE-062 Generic failure of DMI tsc-req-ievc-pha-mm- True

screen (i.e. frozen 131[req] tsc-req-ievc-
screen) pha-mm-132[req]
pha-mm-090[req]
185[req]
IEVC-CAUSE-063 Wrong or erroneous tsc-req-ievc-pha-mm- True

presentation of data 130[req] tsc-req-ievc-
(i.e. speed or distance) pha-mm-132[req]
on the DMI screen tsc-req-ievc-pha-mm-
139[req]
IEVC-CAUSE-064 Wrong or erroneous tsc-req-ievc-pha-mm- True

presentation of data on 130[req]
the DMI screen
IEVC-CAUSE-065 Incorrect standstill in- tsc-req-ievc-pha-mm- True
dication 150[req]
42 of 79

DMI computer 001[req] tsc-req-ievc-
pha-mm-004[req]
pha-mm-006[req]
139[req]
IEVC-CAUSE-067 Incorrect determina- tsc-req-ievc-pha-mm- True

tion of the adhesion 003[req] tsc-req-ievc-
factor (i.e. rail or pha-mm-135[req]
wheel slip)
IEVC-CAUSE-068 Valid ETCS-onboard tsc-req-ievc-pha-mm- True
output via DMI ob- 132[req] tsc-req-ievc-
scured by erroneous pha-mm-133[req]
output (audio or visual) tsc-req-ievc-pha-mm-
pha-mm-090[req]
001[req]
IEVC-CAUSE-069 The wrong train tsc-req-ievc-pha-mm- True

cabin/desk is active 157[req]
IEVC-CAUSE-070 Incorrect or insuffi- tsc-req-ievc-pha-mm- True

cient sound level of the 136[req] tsc-req-ievc-
DMI loudspeaker pha-mm-042[req]
186[req]
IEVC-CAUSE-071 Incorrect or insuffi- tsc-req-ievc-pha-mm- True

cient luminance of the 130[req] tsc-req-ievc-
DMI screen pha-mm-137[req]
138[req]

stallation of DMI com- 010[req] tsc-req-ievc-
puter(s) (i.e. screen or pha-mm-011[req]
loudspeaker) tsc-req-ievc-pha-mm-
pha-mm-014[req]
041[req]
IEVC-CAUSE-073 Improper or poor main- tsc-req-ievc-pha-mm- True

tenance operations 016[req] tsc-req-ievc-
pha-mm-044[req]
017b[req] tsc-req-
140[req]
43 of 79
IEVC-CAUSE-074 A balise group (re- tsc-req-ievc-pha-mm- True

spectively a Loop) 033[req]
is not detected, due
to mechanical failure
within the on-board
BTM function
IEVC-CAUSE-075 A balise group (respec- tsc-req-ievc-pha-mm- True
tively a Loop) is not 010[req] tsc-req-ievc-
detected, due to func- pha-mm-100[req]
tional failure within the tsc-req-ievc-pha-mm-
on-board BTM func- 101[req] tsc-req-ievc-
tion pha-mm-102[req]
pha-mm-104[req]
pha-mm-106[req]
pha-mm-108[req]
099[req]

spectively a Loop) 109[req]
is not detected, due
to mechanical failure
within the on-board
BTM function
IEVC-CAUSE-077 Transmission to the on- tsc-req-ievc-pha-mm- True
board kernel of an erro- 110[req] tsc-req-ievc-
neous telegram, inter- pha-mm-114[req]
pretable as correct, due tsc-req-ievc-pha-mm-
to failure within the on- 116[req]
board BTM function
board kernel of an er- 115[req]
roneous telegram, in-
terpretable as correct,
due to mechanical fail-
ure within the on-board
BTM function
IEVC-CAUSE-079 Erroneous localisation tsc-req-ievc-pha-mm- True
or reporting from 111[req]
balise(s) due to a func-
tional failure within
the on-board BTM
system (i.e. erroneous
threshold or excessive
tele-powering signal)
44 of 79

or reporting from 112[req] tsc-req-ievc-
balise(s) due to a me- pha-mm-113[req]
chanical failure within
the on-board BTM
IEVC-CAUSE-081 Transmission of cor- tsc-req-ievc-pha-mm- True
rupted messages inter- 001[req] tsc-req-ievc-
pretable as correct due pha-mm-004[req]
to a failure within on- tsc-req-ievc-pha-mm-
board Euroradio 125[req] tsc-req-ievc-
pha-mm-124[req]
pha-mm-034[req]
pha-mm-123[req]
pha-mm-118[req]
IEVC-CAUSE-082 Balise linking consis- tsc-req-ievc-pha-mm- True

tency checking failure 158[req]
IEVC-CAUSE-083 Balise group message tsc-req-ievc-pha-mm- True

consistency checking 158[req]
failure
sition 156[req]
IEVC-CAUSE-085 Failure of loop mes- tsc-req-ievc-pha-mm- True

sage consistency 160[req]
checking
IEVC-CAUSE-086 Wrong acceptance of tsc-req-ievc-pha-mm- True
incomplete MA infor- 152[req]
mation from trackisde
IEVC-CAUSE-087 Incorrect cab status tsc-req-ievc-pha-mm- True
(TIU failure) implying 157[req]
that an incorrect train
position is reported to
Trackside
IEVC-CAUSE-088 Failure of message cor- tsc-req-ievc-pha-mm- True
rectness or sequenc- 158[req] tsc-req-ievc-
ing checking (involv- pha-mm-159[req]
ing receipt of inconsis-
tent messages)
IEVC-CAUSE-089 Communication ses- tsc-req-ievc-pha-mm- True
sion or radio link 159[req]
supervision checking
failure
45 of 79

board kernel of an erro- 116[req]
neous telegram, inter-
pretable as correct, due
to failure within the on-
board BTM function
IEVC-CAUSE-091 Inappropriate sleeping tsc-req-ievc-pha-mm- True
request 171[req]
IEVC-CAUSE-092 Incorrect brake status tsc-req-ievc-pha-mm- True

(TIU failure) 171[req]
IEVC-CAUSE-093 Incorrect direction tsc-req-ievc-pha-mm- True

controller position 171[req]
report (TIU failure)
IEVC-CAUSE-094 The wrong train tsc-req-ievc-pha-mm- True
cabin/desk is active 157[req]
IEVC-CAUSE-095 In case there are sev- tsc-req-ievc-pha-mm- True

eral antennas installed 114[req] tsc-req-ievc-
under the train, a pha-mm-010[req]
wrong antenna is used tsc-req-ievc-pha-mm-
to compute its speed 016[req]
and position
IEVC-CAUSE-096 Inappropriate passive tsc-req-ievc-pha-mm- True
shunting request 171[req]
IEVC-CAUSE-097 Inappropriate Non tsc-req-ievc-pha-mm- True

Leading permitted 171[req]
signal received
IEVC-CAUSE-098 Falsification of train tsc-req-ievc-pha-mm- True
data received by Exter- 171[req]
nal Source
IEVC-CAUSE-099 Traction Cut-Off not tsc-req-ievc-pha-mm- True
commanded when re- 171[req]
quired
IEVC-CAUSE-100 the leader protection tsc-req-ievc-pha-mm- True
system not correctely 170[req]
identified
IEVC-CAUSE-101 train data are incor- tsc-req-ievc-pha-mm- True
rectly entered by driver 141[req] tsc-req-ievc-
pha-mm-142[req]
143[req]

pha-mm-142[req]
143[req]
46 of 79

pha-mm-142[req]
143[req]
IEVC-CAUSE-104 Incorrect train data en- tsc-req-ievc-pha-mm- True

tered by driver 178[req]
IEVC-CAUSE-105 Incorrect additional tsc-req-ievc-pha-mm- True

data as part of driver 144[req] tsc-req-ievc-
input pha-mm-141[req]
pha-mm-143[req]
IEVC-CAUSE-106 Incorrect determina- tsc-req-ievc-pha-mm- True

tion of the adhesion 134[req] tsc-req-ievc-
factor (i.e. rail or pha-mm-003[req]
wheel slip) tsc-req-ievc-pha-mm-
pha-mm-168[req]
IEVC-CAUSE-107 Emergency Message tsc-req-ievc-pha-mm- True

Acknowledgement 161[req]
Failure
IEVC-CAUSE-108 Functional failure of tsc-req-ievc-pha-mm- True
standstill detection 150[req]
(e.g. brake release
prior to train being
at standstill) Refer to
1.6.5
(e.g. brake use restric-
tions)
(TIU failure) 157[req]
IEVC-CAUSE-111 Incorrect train status tsc-req-ievc-pha-mm- True

TIU sleeping/cab sta- 157[req]
tus
IEVC-CAUSE-112 Failure of train trip su- tsc-req-ievc-pha-mm- True
pervision, in OS, LS 161[req]
and FS
IEVC-CAUSE-113 Failure of train trip su- tsc-req-ievc-pha-mm- True
pervision, shunting and 161[req]
SR
IEVC-CAUSE-114 Failure of message ac- tsc-req-ievc-pha-mm- True
knowledgement 162[req]
IEVC-CAUSE-115 Service brake / emer- tsc-req-ievc-pha-mm- True

gency brake not com- 151[req]
manded when required
47 of 79
IEVC-CAUSE-116 The service/emergency tsc-req-ievc-pha-mm- True

brakes are no longer 151[req] tsc-req-ievc-
applied when braking pha-mm-173[req]
is required
gency brake are dis- 015[req]
turbed by the EMC
from iEVC
IEVC-CAUSE-118 The driver is distracted tsc-req-ievc-pha-mm- True
by DMI display 028[req] tsc-req-ievc-
pha-mm-029[req]
169[req]
IEVC-CAUSE-119 An iEVC element lim- tsc-req-ievc-pha-mm- True

its the driver's visibil- 182[req]
ity: some line-side sig-
nals could be hidden.
pha-mm-029[req]
pha-mm-137[req]

pha-mm-137[req]
141[req]
IEVC-CAUSE-122 The safety inputs tsc-req-ievc-pha-mm- True

from the driver are 142[req] tsc-req-ievc-
not checked ( e.g. via pha-mm-143[req]
double encoding)
pha-mm-169[req]

pha-mm-029[req]
169[req]

pha-mm-029[req]
169[req]

gency brake not com- 173[req]
manded when required
48 of 79
IEVC-CAUSE-127 The speed is underesti- tsc-req-ievc-pha-mm- True

mated, and estimated at 150[req]
zero when it is not
IEVC-CAUSE-128 the system is unable to tsc-req-ievc-pha-mm- True
control a speed equal to 151[req] tsc-req-ievc-
zero pha-mm-031[req]
IEVC-CAUSE-134 Incorrect train integrity tsc-req-ievc-pha-mm- True

status (TIU failure), 097[req] tsc-req-ievc-
which means that in pha-mm-098[req]
the case of a loss of
wagons, information
about the presence of
wagons on the track
is not known to the
trackside.
IEVC-CAUSE-135 Incorrect use of train tsc-req-ievc-pha-mm- True
integrity status (IEVC 097[req]
failure), which means
that in the case of a loss
of wagons, information
about the presence of
wagons on the track is
not known to the track-
side.
IEVC-CAUSE-136 DMI display failure tsc-req-ievc-pha-mm- True
pha-mm-044[req]
pha-mm-132[req]
IEVC-CAUSE-137 Failure of the DMI in- tsc-req-ievc-pha-mm- True

terface 044[req] tsc-req-ievc-
pha-mm-045[req]
IEVC-CAUSE-138 Driver mistake tsc-req-ievc-pha-mm- True

pha-mm-138[req]
139[req]
IEVC-CAUSE-139 Supervision of stand- tsc-req-ievc-pha-mm- True

still fails Refer to 1.6.5 031[req]
IEVC-CAUSE-140 the dectection of the tsc-req-ievc-pha-mm- True

direction of the train 155[req]
movement fails
49 of 79

spectively a Loop) 033[req] tsc-req-ievc-
is not detected, due pha-mm-103[req]
to mechanical failure tsc-req-ievc-pha-mm-
within the on-board 100[req] tsc-req-ievc-
BTM function pha-mm-106[req]
pha-mm-107[req]
pha-mm-109[req]
099[req]
IEVC-CAUSE-142 A balise group (respec- tsc-req-ievc-pha-mm- True

tively a Loop) is not 010[req] tsc-req-ievc-
detected, due to func- pha-mm-101[req]
tional failure within the tsc-req-ievc-pha-mm-
on-board BTM func- 104[req] tsc-req-ievc-
tion pha-mm-105[req]

board kernel of an er- 110[req] tsc-req-ievc-
roneous telegram, in- pha-mm-114[req]
terpretable as correct, tsc-req-ievc-pha-mm-
due to functional fail- 147[req]
BTM function
board kernel of an er- 115[req] tsc-req-ievc-
roneous telegram, in- pha-mm-116[req]
terpretable as correct,
due to mechanical fail-
BTM function
or reporting from 111[req] tsc-req-ievc-
balise(s) due to a func- pha-mm-112[req]
tional failure within tsc-req-ievc-pha-mm-
the on-board BTM 113[req]
50 of 79
IEVC-CAUSE-146 Transmission of cor- tsc-req-ievc-pha-mm- True

rupted messages inter- 001[req] tsc-req-ievc-
pretable as correct due pha-mm-004[req]
to a failure within on- tsc-req-ievc-pha-mm-
board Euroradio 125[req] tsc-req-ievc-
pha-mm-124[req]
pha-mm-034[req]
pha-mm-123[req]
pha-mm-118[req]
IEVC-CAUSE-147 Balise linking consis- tsc-req-ievc-pha-mm- True

tency checking failure 158[req]
IEVC-CAUSE-148 Balise group message tsc-req-ievc-pha-mm- True

consistency checking 158[req]
failure
sition 156[req]
IEVC-CAUSE-150 Failure of loop mes- tsc-req-ievc-pha-mm- True

sage consistency 160[req]
checking
(TIU failure) implying 157[req]
that an incorrect train
position is reported to
Trackside
IEVC-CAUSE-153 Failure of message cor- tsc-req-ievc-pha-mm- True
rectness or sequenc- 159[req]
ing checking (involv-
ing receipt of inconsis-
tent messages)
IEVC-CAUSE-154 Communication ses- tsc-req-ievc-pha-mm- True
sion or radio link 159[req]
supervision checking
failure
IEVC-CAUSE-155 The confidence inter- tsc-req-ievc-pha-mm- True
val for distance mea- 168[req] tsc-req-ievc-
surement does not in- pha-mm-153[req]
clude the real position
of the train
IEVC-CAUSE-156 Incorrect actual physi- tsc-req-ievc-pha-mm- True
cal speed direction 168[req]
51 of 79
IEVC-CAUSE-157 Wrong processing of tsc-req-ievc-pha-mm- True

MA information (i.e. 152[req]
distance or timers) in-
volving delay between
receiving of a balise
message and reporting
the resulting change of
status on-board
IEVC-CAUSE-158 Incorrect supervision tsc-req-ievc-pha-mm- True
of MA time-outs 152[req]
(sections and over-
laps) involving delay
between receiving of
a balise message and
reporting the result-
ing change of status
on-board
IEVC-CAUSE-159 Incorrect confidence tsc-req-ievc-pha-mm- True
interval determining 153[req]
max front/rear position
of the train (unsafe
dynamic profile)
IEVC-CAUSE-160 Incorrect train position tsc-req-ievc-pha-mm- True
or data sent from on- 163[req]
board to trackside
IEVC-CAUSE-161 Failure of backward tsc-req-ievc-pha-mm- True
distance monitoring 155[req]
(PT or RV mode)
IEVC-CAUSE-162 Failure of reverse tsc-req-ievc-pha-mm- True
movements monitoring 155[req]
(FS, LS, SR, OS, PT or
RV mode)
IEVC-CAUSE-163 Failure of standstill su- tsc-req-ievc-pha-mm- True
pervision (in SB mode) 151[req]
Refer to 1.6.5
IEVC-CAUSE-164 Failure of train trip tsc-req-ievc-pha-mm- True
monitoring and super- 161[req]
vision
IEVC-CAUSE-165 Ineffective or wrong tsc-req-ievc-pha-mm- True
shortening of MA (in- 152[req]
consistent EoA, LoA)
IEVC-CAUSE-166 Incorrect supervi- tsc-req-ievc-pha-mm- True
sion of EoA/LoA 152[req]
involving an overrun
of emergency stop
location
IEVC-CAUSE-302 Refer to 1.4.2.2 True
IEVC-CAUSE-324 External components tsc-req-ievc-pha-mm- True
(i.e. peripherals or 008[req]
sensors) of the iEVC
system exceeding
permissible standard
rolling stock static or
dynamic outline
52 of 79
IEVC-CAUSE-325 The confidence inter- tsc-req-ievc-pha-mm- True

val for distance mea- 153[req]
surement does not in-
clude the real position
of the train
tion/braking model 026[req] tsc-req-ievc-
(e.g. brake use restric- pha-mm-154[req]
tions)
IEVC-CAUSE-360 Failure of improper ac- tsc-req-ievc-pha-mm- True
tion of control supervi- 027[req]
sion system (i.e. iEVC
critical error)
IEVC-CAUSE-361 Incorrect supervision tsc-req-ievc-pha-mm- True
of MA time-outs 152[req]
(sections and overlaps)
IEVC-CAUSE-362 Wrong or inappropri- tsc-req-ievc-pha-mm- True
ate messages and/or 028[req] tsc-req-ievc-
alerts provided to the pha-mm-029[req]
driver through the DMI
IEVC-CAUSE-363 Does iEVC control the tsc-req-ievc-pha-mm- True
service brake (+. . . .) ? 154[req]
Other brake than emer-
gency break
IEVC-CAUSE-364 Speed calculation tsc-req-ievc-pha-mm- True
underestimates train 030[req]
speed
(Acceleration only)
still fails during evacu- 031[req]
ation Refer to 1.6.5
IEVC-CAUSE-367 Detection of standstill tsc-req-ievc-pha-mm- True
fails Refer to 1.6.5 031[req]
IEVC-CAUSE-386 Poor design of iEVC tsc-req-ievc-pha-mm- True

system 037[req]
IEVC-CAUSE-386b Improper or faulty in- tsc-req-ievc-pha-mm- True

pha-mm-010[req]
IEVC-CAUSE-387 Inadapted or inappro- tsc-req-ievc-pha-mm- True

priate maintenance op- 016[req] tsc-req-ievc-
erations pha-mm-017[req]
pha-mm-034[req]
035[req]
53 of 79
IEVC-CAUSE-387b Improper or faulty in- tsc-req-ievc-pha-mm- True

stallation 010[req]

system, subsystems or 008[req] tsc-req-ievc-
components pha-mm-032[req]
032b[req] tsc-req-
pha-mm-016[req]
IEVC-CAUSE-389 Aging or deterioration tsc-req-ievc-pha-mm- True

of an equipment or the 037[req] tsc-req-ievc-
system pha-mm-017[req]
pha-mm-034[req]
pha-mm-036[req]

system, subsystems or 008[req] tsc-req-ievc-
components pha-mm-032[req]
032b[req] tsc-req-
038[req]
IEVC-CAUSE-391 iEVC system, subsys- tsc-req-ievc-pha-mm- True

tems or components 038[req]
ternal) uses of threaded
rods pointing out, for
connections, fastening
or bolting
system (i.e. breakage) pha-mm-035[req]

system pha-mm-033[req]
034[req]

still fails 151[req]
IEVC-CAUSE-395 Detection of standstill tsc-req-ievc-pha-mm- True

fails 150[req]
54 of 79

still fails 151[req]
IEVC-CAUSE-397 battery explosion or . . . tsc-req-ievc-pha-mm- True

166[req]
IEVC-CAUSE-398 Inappropriate mainte- tsc-req-ievc-pha-mm- True

nance of iEVC equip- 016[req] tsc-req-ievc-
ment (i.e. accumulator pha-mm-022[req]
batteries---)
IEVC-CAUSE-399 battery leakage tsc-req-ievc-pha-mm- True
067[req]

nance (i.e. pressure 016[req] tsc-req-ievc-
regulation system of pha-mm-022[req]
tanks and reservoirs, tsc-req-ievc-pha-mm-
accumulator batteries-- 069[req]
-)
nance (i.e. pressure 016[req] tsc-req-ievc-
regulation system of pha-mm-022[req]
tanks and reservoirs,
accumulator batteries)
IEVC-CAUSE-402 Fire on-board a train tsc-req-ievc-pha-mm- True
due to poor design of 076[req] tsc-req-ievc-
iEVC system, subsys- pha-mm-077[req]
tems and components tsc-req-ievc-pha-mm-
(i.e. inflammable or 078[req] tsc-req-ievc-
explosive materials and pha-mm-079[req]
components, etc.) tsc-req-ievc-pha-mm-
pha-mm-071[req]
pha-mm-070[req]
072[req]
IEVC-CAUSE-403 Fire on a train due tsc-req-ievc-pha-mm- True

to the presence of po- 010[req]
tential ignition sources
(i.e. wastes, accumu-
lated dust, filters, etc.)
IEVC-CAUSE-404 Fire on a train due tsc-req-ievc-pha-mm- True
to the presence of po- 016[req]
tential ignition sources
(i.e. wastes, accumu-
lated dust, filters, etc.)

priate design 164[req]
55 of 79

priate design 165[req]

priate maintenance op- 016[req]
erations
IEVC-CAUSE-408b Inadapted or inappro- tsc-req-ievc-pha-mm- True
priate installation oper- 010[req]
ations
priate design (i.e. cir- 083[req] tsc-req-ievc-
cuit boards, power sup- pha-mm-082[req]
plies, cables, bond- tsc-req-ievc-pha-mm-
ings/earthings) 084[req] tsc-req-ievc-
pha-mm-004[req]
pha-mm-085b[req]
pha-mm-006[req]
pha-mm-095[req]
096[req]

pha-mm-014[req]
pha-mm-089[req]

081[req]

system 070[req] tsc-req-ievc-
pha-mm-071[req]
pha-mm-074[req]
pha-mm-179[req]
pha-mm-181[req]
56 of 79
IEVC-CAUSE-413 Overheating of elec- tsc-req-ievc-pha-mm- True

tromechanical equip- 001[req] tsc-req-ievc-
ment (i.e. iBTM, pha-mm-004[req]
euroantenna) tsc-req-ievc-pha-mm-
pha-mm-109[req]
IEVC-CAUSE-414 Short-circuits / electro- tsc-req-ievc-pha-mm- True

static discharges 004[req] tsc-req-ievc-
pha-mm-006[req]
pha-mm-092[req]
094[req]
IEVC-CAUSE-415 Overheating of odome- tsc-req-ievc-pha-mm- True

try system(s) 001[req] tsc-req-ievc-
pha-mm-004[req]
pha-mm-034[req]
IEVC-CAUSE-416 Poor train design of tsc-req-ievc-pha-mm- True

iEVC system 073[req] tsc-req-ievc-
pha-mm-093[req]
IEVC-CAUSE-417 Poor design tsc-req-ievc-pha-mm- True

066[req]
IEVC-CAUSE-418 Untrained maintenance tsc-req-ievc-pha-mm- True

service personnel 016[req]
IEVC-CAUSE-419 Substances or materi- tsc-req-ievc-pha-mm- True

als becoming danger- 001[req] tsc-req-ievc-
ous under the effect of pha-mm-067[req]
temperature (i.e. react- tsc-req-ievc-pha-mm-
ing materials, paints, 068[req] tsc-req-ievc-
etc.) pha-mm-065[req]
066[req]

ous by contact with pha-mm-068[req]
other substances or ma-
terials (i.e. reacting
materials, paints, etc.)
IEVC-CAUSE-421 Use of toxic substances tsc-req-ievc-pha-mm- True
or materials (i.e. react- 067[req] tsc-req-ievc-
ing materials, asbestos, pha-mm-068[req]
etc.) tsc-req-ievc-pha-mm-
069[req]
57 of 79
IEVC-CAUSE-422 overheating of a com- tsc-req-ievc-pha-mm- True

ponent near the iEVC 164[req]
System
ponent of the iEVC 166[req]
system
ous by contact with pha-mm-068[req]
other substances or ma-
terials (i.e. reacting
materials, paints, etc.)
IEVC-CAUSE-425 Fluids or gases be- tsc-req-ievc-pha-mm- True
coming dangerous 067[req]
by contact with other
substances or materials
(i.e. reacting materials,
poor design, etc.)
IEVC-CAUSE-426 Batteries or accumu- tsc-req-ievc-pha-mm- True
lators toxic leak (i.e. 067[req]
potassium hydroxide,
etc.)
priate use of substances 067[req] tsc-req-ievc-
or materials with re- pha-mm-068[req]
spect to their intended
and safe conditions of
use
priate maintenance op- 069[req]
erations
IEVC-CAUSE-429 Inadapted or inap- tsc-req-ievc-pha-mm- True
propriate design of 057[req] tsc-req-ievc-
grounding for iEVC pha-mm-054[req]
systems tsc-req-ievc-pha-mm-
pha-mm-056[req]
pha-mm-059[req]
060[req]
IEVC-CAUSE-430 Inadapted or faulty in- tsc-req-ievc-pha-mm- True

stallation of grounding 015b[req] tsc-req-
for iEVC systems ievc-pha-mm-021[req]
053[req]

priate design (i.e. poor 061[req]
choice of materials,
dielectric degradations,
insulation level, etc.)
for iEVC subsystems
and components
58 of 79
IEVC-CAUSE-432 Inadapted of improper tsc-req-ievc-pha-mm- True

electrical insulation 057[req] tsc-req-ievc-
level of directly ac- pha-mm-062[req]
cessible subsystems
and components by the
driver during normal
operations (i.e. DMI)
IEVC-CAUSE-433 Inadapted of improper tsc-req-ievc-pha-mm- True
electrical insulation 063[req]
level of directly acces-
sible subsystems and
components by staff
during maintenance
operations (i.e. boxes,
DMI, etc.)
IEVC-CAUSE-434 Negligence or unob- tsc-req-ievc-pha-mm- True
served operational pro- 064[req]
cedures
IEVC-CAUSE-435 Negligence or unob- tsc-req-ievc-pha-mm- True
served maintenance 016[req] tsc-req-ievc-
procedures pha-mm-022[req]
IEVC-CAUSE-436 An equipment or a part tsc-req-ievc-pha-mm- True

of the iEVC system at- 039[req] tsc-req-ievc-
tracts lightning pha-mm-052[req]
167[req]

ponent 165[req]
IEVC-CAUSE-438 poor design tsc-req-ievc-pha-mm- True

165[req]
IEVC-CAUSE-439 poor maintenance de- tsc-req-ievc-pha-mm- True

sign 016[req]
IEVC-CAUSE-440 Acoustic noise by me- tsc-req-ievc-pha-mm- True

chanical vibrations of 040[req]
inductive components
(i.e. transformers or in-
verters)
IEVC-CAUSE-441 Acoustic noise by tsc-req-ievc-pha-mm- True
mechanical vibrations 010[req] tsc-req-ievc-
of aging or badly pha-mm-041[req]
mounted fasteners
and/or junction boxes
IEVC-CAUSE-442 Mis-operation of mal- tsc-req-ievc-pha-mm- True
function of the DMI 043[req] tsc-req-ievc-
loudspeaker pha-mm-044[req]
pha-mm-172[req]
59 of 79
IEVC-CAUSE-443 Negligence / Unob- tsc-req-ievc-pha-mm- True

served maintenance 016[req]
operations
IEVC-CAUSE-444 Excessive DMI loud- tsc-req-ievc-pha-mm- True
speaker volume (i.e. 042[req]
for alerts or alarms)
IEVC-CAUSE-445 Inadapted or in- tsc-req-ievc-pha-mm- True
appropriate design 006[req] tsc-req-ievc-
requirements for elec- pha-mm-015[req]
trical and electronic
subsystems and com-
ponents (i.e. supplies,
ground planes, etc.)
IEVC-CAUSE-446 Inadapted ranges or tsc-req-ievc-pha-mm- True
inappropriate emit- 004[req] tsc-req-ievc-
ting frequencies of pha-mm-050[req]
antennas (included tsc-req-ievc-pha-mm-
cables) 051[req] tsc-req-ievc-
pha-mm-105b[req]
pha-mm-049[req]
IEVC-CAUSE-447 Inadapted or in- tsc-req-ievc-pha-mm- True

appropriate design 006[req] tsc-req-ievc-
requirements for elec- pha-mm-015[req]
trical and electronic
subsystems and com-
ponents (i.e. supplies,
ground planes, etc.)
IEVC-CAUSE-448 Excessive antennas tsc-req-ievc-pha-mm- True
emitted power 004[req] tsc-req-ievc-
pha-mm-046[req]
pha-mm-105b[req]
pha-mm-048[req]
049[req]

by a sound from the 183[req]
iEVC system.
IEVC-CAUSE-450 Vandalism tsc-req-ievc-pha-mm- True
184[req]
Recap Table
PHA nor applicable Causes [recap table]
Not applicable causes used during the PHA
60 of 79
Table 9.2: PHA nor applicable Causes

Id Description Mitigation Applicable Justification
IEVC-CAUSE- Refer to 1.1.3.3.4 False "Refer to" re-
006 placed by use of
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- overspeed of the False It is a hazard not a
008 train in a zone cause
where the speed is
temporarily lim-
ited
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
61 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- overspeed of the False It is a hazard not a
024 train in a zone cause
where the speed is
limited
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
62 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Refer to 1.4.1.2 False "Refer to" re-
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
63 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
64 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- refer to 2.1.1.3.3 False "Refer to" re-
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
65 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
66 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
67 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
68 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
69 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
70 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
71 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
72 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
73 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Pedestrians desta- False It is a hazard not a
327 bilized due to ex- cause
cessive speed of
the train
74 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
75 of 79

:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Pedestrians desta- False It is a hazard not a
343 bilized due to ex- cause
cessive speed of
the train
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
76 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Overspeed False It is a hazard not a
368 cause
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
77 of 79

:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
:same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Detection of False "Refer to" re-
384 standstill fails placed by use of
Refer to 1.6.5 :same_scenario_as:
in tsc_hazard
IEVC-CAUSE- Detection of False "Refer to" re-
385 standstill fails placed by use of
Refer to 1.6.5 :same_scenario_as:
in tsc_hazard
Some causes of type ‘Refer to’ were used in the PHA excel file to make the link between hazard with identical
scenarios.
78 of 79
CHAPTER
TEN
ANNEX B PRELIMINARY HAZARD ANALYSIS (PHA)
Attached file
tsc_ievc_rams_pha [attach]
10. Annex B Preliminary hazard analysis (PHA) 79 of 79


TSC Ievc Doc Rams Pha V3.2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TSC Ievc Doc Rams Pha V3.2

Uploaded by

Copyright:

Available Formats

iEVC Preliminary Hazard Analysis

1 Revision history [artifact history] 3

3 Management of the PHA 6

4 Scope of the PHA 7

5 Limitations of the PHA 8

7 Hazard Analysis Methodology 11

10 Annex B Preliminary hazard analysis (PHA) 79

REVISION HISTORY [ARTIFACT HISTORY]

This artifact version is: V3.2

This artifact signature: 381783a7f0b45c8b0c2df11e1a7cc16cb71b2b7d

Name Description Date Author Signature MR

1. Revision history [artifact history] 3 of 79

The document is structured as follows:

2.4 Applicable documents

[PHA-R1-PQP] IEVC Project Quality Plan [id: tsc_ievc_doc_system_pqp]

2.5 Reference documents

[PHA-R4-Glossary] TSC Glossary [id: glossary]

2.6 Terms and definitions

2.7 Artifacts definition

This document defines the PHA of the IEVC project.

2.4. Applicable documents 5 of 79

MANAGEMENT OF THE PHA

The PHA is elaborated by the iEVC Safety Assurance Engineer[role].

6 of 79 3. Management of the PHA

SCOPE OF THE PHA

4. Scope of the PHA 7 of 79

LIMITATIONS OF THE PHA

8 of 79 5. Limitations of the PHA

Figure 6.1: Simplified iEVC Platform hardware overview

HAZARD ANALYSIS METHODOLOGY

7.1 Hazard Identification List

7. Hazard Analysis Methodology 11 of 79

• On the operational subsystems: operation, maintenance.

Categorization of hazards [hazard log]

7.2 Preliminary Hazard Analysis

The structure of the PHA sheet in of Section 10 is described below:

* derailement, collision and fire could lead to multiple fatalities

12 of 79 7.2. Preliminary Hazard Analysis

Figure 7.1: Consequence Severity Categories

Figure 7.2: Severity Categories Evaluation

Figure 7.3: Hazard Frequency Categories

7.2. Preliminary Hazard Analysis 13 of 79

Figure 7.4: Risk Acceptance Matrix

Figure 7.5: Risk Acceptance Categories

14 of 79 7.2. Preliminary Hazard Analysis

iEVC PHA Mitigation [recap table]

Mitigations identified during the PHA

Table 8.1: iEVC PHA Mitigation

IEVC-PHA-MM-015D Not applicable to the PHA iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-032B iEVC onboard subsystems and iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-047 iEVC onboard (i.e. rooftop iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-084 Power supply perturbations po- iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-093 Antennas (including cables) iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-103 The iEVC shall be compliant iEVC ETCS kit[ci] PHA[ci]

IEVC-PHA-MM-112 Tele-powering signal must not iEVC ETCS kit[ci] PHA[ci]

Exported iEVC PHA Mitigation [recap table]

Exported mitigations identified during the PHA

Table 8.2: Exported iEVC PHA Mitigation

IEVC-PHA-MM-017 Periodic inspections of iEVC ETCS kit[ci] IEVC mainte-

IEVC-PHA-MM-034 Periodic inspections iEVC ETCS kit[ci] Maintainer[stakeholder]

IEVC-PHA-MM-048 Specific precautions iEVC ETCS kit[ci] IEVC mainte-

IEVC-PHA-MM-056 Bonding connections iEVC ETCS kit[ci] Installation de-

IEVC-PHA-MM-069 Specific activities iEVC ETCS kit[ci] IEVC mainte-