
HANOI PEOPLES COMMITTEE

HANOI METROPOLITAN RAILWAY MANAGEMENT BOARD (MRB)

SYSTRA S.A.
PROJECT IMPLEMENTATION CONSULTANT (PIC)

TECHNICAL DESIGN REPORT


VOLUME II
PROJECT: HANOI PILOT LIGHT METRO LINE
Section Nhon - Hanoi Railway Station

PACKAGE: RAIL SYSTEM 1


PACKAGE NUMBER: HPLMLP/CP-06

SYSTEM SAFETY PROGRAM PLAN

Location: Tu Liem, Cau Giay, Ba Dinh, Dong Da, Hoan Kiem Districts, Ha Noi

PROJECT IMPLEMENTATION CONSULTANT: SYSTRA S.A


December 2012
Project Reference: PIC-TEC-TTS-SAO-L00-74032-E-3A
TECHNICAL DESIGN REPORT
VOLUME II
PROJECT: HANOI PILOT LIGHT METRO LINE
Section Nhon - Hanoi Railway Station
PACKAGE: RAIL SYSTEM 1
PACKAGE NUMBER: HPLMLP/CP-06

SYSTEM SAFETY PROGRAM PLAN

Location: Tu Liem, Cau Giay, Ba Dinh, Dong Da, Hoan Kiem Districts, Ha Noi

Hanoi, 15 December, 2012

HANOI METROPOLITAN RAILWAY MANAGEMENT BOARD
PROJECT IMPLEMENTATION CONSULTANT (SYSTRA S.A.)

Doc N°: PIC-TEC-TTS-SAO-L00-74032-E-2A Page 2 / 43


Hanoi Metro Light Metro Line System Safety Program Plan

Contractor Approval / Revision Record Sheet

Revision   Date         Subject of issue / Revision        Authors
1A         17/06/2009   First Issue                        R. Eveillard
2A         07/10/2011   Update due to internal revision    R. Eveillard
3A         15/12/2012   Update due to Sener comments       A. Izopet

Revision N°: 3A    Name           Date         Signature
Prepared by        A. Izopet      15/12/2012
Checked by         A N. Tran      15/12/2012
Approved by        A. Bechereau   15/12/2012

Contractor specific comments:

This System Safety Program Plan shall be agreed by the Employer and the Safety Authority appointed.


Table of contents

1. INTRODUCTION 8
1.1 FOREWORD ............................................................................................................................... 8
1.2 PURPOSE OF THE DOCUMENT .................................................................................................... 9
1.3 SCOPE OF THE DOCUMENT ........................................................................................................ 9
1.3.1 Health and Safety Requirements 10
1.3.2 HPLM System Safety Requirements 10
1.4 HPLM SYSTEM EQUIPMENT AND INFRASTRUCTURE ............................................................... 12
1.5 REFERENCE STANDARDS ......................................................................................................... 13
2. SAFETY MANAGEMENT REQUIREMENTS 14
2.1 SCOPE ..................................................................................................................................... 14
2.2 SAFETY MANAGEMENT OBJECTIVES FOR THE PROJECT ........................................................... 14
2.3 QUALITY ASSURANCE ............................................................................................................. 14
2.4 COMPLIANCE MANAGEMENT .................................................................................................. 14
2.5 SYSTEM BREAKDOWN ............................................................................................................. 15
2.6 SAFETY INTEGRITY LEVELS..................................................................................................... 15
2.7 SOFTWARE SAFETY MANAGEMENT ......................................................................................... 15
2.8 SAFETY OF INTERFACES .......................................................................................................... 15
2.9 SAFETY WITHIN THE SYSTEM LIFE CYCLE ............................................................................... 15
2.9.1 Development V-cycle 16
2.9.2 Safety V-cycle 16
2.10 SYSTEM DOCUMENTATION ...................................................................................................... 17
2.11 SYSTEM CONFIGURATION MANAGEMENT ............................................................................... 18
2.12 TESTING AND COMMISSIONING ............................................................................................... 18
2.13 HUMAN FACTORS ................................................................................................................... 19
2.14 DATA REPORTING AND CORRECTIVE ACTION SYSTEM (DRACAS) ....................................... 19
2.15 TRACEABILITY OF SAFETY REQUIREMENTS ............................................................................. 19
2.16 PROJECT MANAGEMENT .......................................................................................................... 19
2.17 CROSS ACCEPTANCE ............................................................................................................... 20
3. ORGANISATIONAL REQUIREMENTS 21
3.1 THE CONTRACTOR .................................................................................................................. 21
3.2 THE O&M ENTITY .................................................................................................................. 22
3.3 PROJECT IMPLEMENTATION CONSULTANT.............................................................................. 22
3.4 THE INDEPENDENT SAFETY ASSESSOR ................................................................................... 22
3.5 THE INDEPENDENT SOFTWARE ASSESSOR .............................................................................. 22
4. SAFETY TECHNICAL REQUIREMENTS 23
4.1 STANDARDS TO BE APPLIED .................................................................................................... 23
4.2 SAFETY POLICY ...................................................................................................................... 23
4.3 SYSTEM SAFETY PLAN ............................................................................................................ 23
4.4 HAZARD IDENTIFICATION AND MANAGEMENT ........................................................................ 24
4.4.1 Hazard Identification 24
4.4.2 Hazard Management 24
4.4.3 Hazard Transfer 25
4.5 SAFETY AND RISK ACCEPTANCE CRITERIA............................................................................. 25
4.6 DESIGN SAFETY STUDIES ........................................................................................................ 25
4.6.1 Preliminary Hazard Analysis 25
4.6.2 Failure Mode, Effects & Criticality Analysis and SIL Allocation 26
4.6.3 Detailed safety analysis 26
4.6.4 Engineering safety verification plan 27
4.7 DESIGN SAFETY CASES ........................................................................................................... 27
4.8 MANUFACTURING AND INSTALLATION ................................................................................... 28
4.9 ON-SITE TESTING AND INTEGRATED SYSTEM TESTING........................................................... 29
4.10 FINAL SAFETY CASE ............................................................................................................... 29
4.11 TRIAL RUNNING...................................................................................................................... 30
5. SAFETY TARGETS 31


5.1 RISK DEFINITION AND CATEGORISATION................................................................................ 31


5.1.1 Frequency of occurrence of hazards 31
5.1.2 Severity of hazards 31
5.1.3 Risk assessment matrix 32
5.2 RISK MITIGATION STRATEGY .................................................................................................. 32
5.2.1 Acceptable and unacceptable risks 32
5.2.2 Other risks 32
5.2.3 Justification, discussion of the mitigation measures 33
5.2.4 Conduct of the safety analysis 33
5.2.5 Link between safety objectives and SILs 33
5.2.6 Implementation of SIL 4, SIL 3, SIL 2 and SIL 1 constituents 33
5.2.7 Safety techniques to be used 34
5.2.8 Documentation of SILs and above constituents 35
5.3 SAFETY OBJECTIVES ............................................................................................................... 35
5.3.1 Approach for safety objectives 35
5.3.2 Overall System objectives 35
5.3.3 Structure parts 36
5.3.4 Rolling Stock 36
5.3.5 Track 36
5.3.6 Power Supply 36
5.3.7 Signalling 36
5.3.8 Telecommunication, ICS and OCC 37
5.3.9 Operation and Maintenance 38
5.3.10 Depot Equipment 38
6. SAFETY SUBMISSION 39
6.1 SAFETY DELIVERABLES .......................................................................................................... 39
6.2 DELIVERABLES SCHEDULE ..................................................................................................... 39
6.3 DELIVERABLES HANDOVER REQUIREMENTS ........................................................................... 39
7. APPENDIX 01: V-CYCLE AND TASKS ACCORDING TO STANDARD 40
7.1 OVERVIEW OF THE SYSTEM DEVELOPMENT V-CYCLE ........................................................... 40
7.2 SAFETY TASKS AND RESPONSIBILITIES .................................................................................... 41
8. APPENDIX 02: SOFTWARE RAMS PROGRAM PLAN 43


Abbreviations

AFC Automatic Fare Collection


ATC Automatic Train Control
ATP Automatic Train Protection
ECO Emergency Cut Off
ECS Environmental Control System
EMC Electro-Magnetic Compatibility
EMI Electro-Magnetic Interference
HAZOP HAZard and Operability Analysis
HPLM Hanoi Pilot Light Metro
HRB Hanoi Metropolitan Rail Transport Project Board
ICS Integrated Control System
O&M Operation and Maintenance
OCC Operating Control Centre
PIC Project Implementation Consultant (SYSTRA)
SIG Signalling
SIL Safety Integrity Level
TSR Temporary Speed Restriction
TVS Tunnel Ventilation System

Definitions
Definitions in italics are taken from the Standards.

Contractor: Any entity(ies) contracted by HRB to perform design, construction, supervision of the project of HANOI PILOT LIGHT METRO LINE / Section Nhon - Hanoi Railway Station.
Deliverables: Document to be submitted for the project of HANOI PILOT LIGHT METRO LINE / Section Nhon - Hanoi Railway Station.
Engineer: The Engineer as defined by FIDIC contract from the Employer.
Exhaustive: Means “aims at exhaustiveness”.
Hazard: A physical situation with a potential for human injury and/or impacts on HPLM service.
Hold point: A point, defined in an appropriate document, beyond which an activity must not proceed without the approval of a designated organisation or authority.
O&M Entity: The entity that will be responsible for the O&M of the HPLM Line.
Project: HANOI PILOT LIGHT METRO LINE / Section Nhon - Hanoi Railway Station.
Risk: The probable rate of occurrence of a hazard (expressed in a time interval) causing harm and the degree of severity (expressed in hazard severity levels) of the harm.
Validation: Activity of demonstration, by analysis and test, that the product meets, in all respects, its specified requirements.


Validator: Person or agent appointed to carry out validation.
Verification: Activity of determination, by analysis and test, that the output of each phase of the lifecycle fulfils the requirements of the previous phase.
Verifier: Person or agent appointed to carry out verification.

Project References

Ref N°   Ref ID number                               Ref description
[R01]    PIC-TRE-DOO-L00-00010-E/V-3A                Feasibility Study - Final report (Parts 1 and 2)
[R02]    PIC-TRE-DOO-L00-00015-E/V-3A                Basic Design - Final report (Volumes 1 and 2)
[R03]    PIC-TRE-DOO-L00-00070-E-1C                  Official Option
[R04]    PIC-MLT-00525-E/V (February 13th, 2009)     Appraisal of project technical characteristics
[R05]    SDC-REP-DOO-L00-00001-E/V-8A                Technical Standard Framework
[R06]    6117/APA/VT/231-06/JCV                      Appendix A: Description of Services


1. INTRODUCTION
1.1 FOREWORD
This document deals with the Safety of the project “Hanoi Pilot Light Metro (HPLM) Line – Section Nhon to Hanoi Railway Station”.
The Hanoi Pilot Light Metro Line, section Nhon – Hanoi Railway Station, is a major project for Hanoi City. According to the Hanoi Transportation Master Plan to 2020, the total length of the HPLML (Line 3) shall reach 21.5 km from Nhon to Hoang Mai. The first phase of this line, and the part covered by this contract, runs from Nhon to Hanoi Railway Station, with about 8.5 km of elevated section and 4.0 km of underground section. The line includes 12 stations as presented in Figure 1 (8 elevated and 4 underground stations). The Depot is located at Nhon with an area of 150,550 m².

After starting at Nhon, the Metro line runs to the east along National Road 32, crosses Cau Dien
district and pursues its route on Ho Tung Mau where it passes over the 3rd Ring Road. It then continues
on Xuan Thuy, Cau Giay until it reaches the bus transfer station in front of Thu Le Park. At this stage,
the line plunges underground, follows Kim Ma, passes next to Horizon Hotel, goes straight on Cat
Linh and Quoc Tu Giam and terminates at Hanoi railway station.

Figure: Line alignment


Main features of the Metro line 3 are described in the table below:

Items                 Option/Solution
Rolling Stock         Standard metro. Car average length: 19.7 to 21 m. Maximum length over coupler of the train ≤ 83 m (train with 4 cars) and 104 m (train with 5 cars).
Track gauge           1,435 mm
Power supply system   3rd Rail - 750 V DC; 7 power supply stations
Driver mode           Automatic with Driver
Station               Elevated stations with concourse level, escalator and lift. Underground stations with concourse level, escalator and lift. Length of platform is about 109 m. 8 elevated stations and 4 underground stations.
Typical Viaduct       Single track U girder, 25 m of length
Special bridge        At Cau Dien, National railway crossing, 3rd Ring Road and 2nd Ring Road (PC Box girder, variable height or constant height with axial extradossed cables)
Tunnel                Bi-tube with TBM method.

The term “Safety” here deals with the safe behaviour of the HPLM System with respect to all passengers and the public at large, and to O&M Entity personnel in its subsequent operation and maintenance, but does not include Health and Safety of personnel (see part 1.3.2.1).
The Safety activity is about risk management. Basically, risks must be identified, managed, mitigated and then closed before revenue service. Most of the System Safety activities are performed before revenue service, in such a way that safety is ensured from day one.
The Life Cycle Cost requirements are not addressed in this document.
1.2 PURPOSE OF THE DOCUMENT
The purpose of this document is to define the main principles that the Contractor shall implement in
order to manage the Safety of the system throughout the Project.
These principles shall apply to any Contractor/Subcontractor involved in the development of the
Project’s safety-related systems.
The goal of safety management is to prevent the occurrence of random faults and systematic faults
over the whole HPLM System lifecycle.
Therefore, this document covers safety and quality process, methodological and technical, operational
and managerial issues of the safety-related systems.
1.3 SCOPE OF THE DOCUMENT
This document covers the Design, Build and T&C and Trial Running stages of the Project.
The principles defined within this document shall apply to the Hanoi Pilot Light Metro Line System in
general and to all safety-related systems in particular.


This document covers the CP06 systems of the Rail System. Thus, this document concerns the following systems:
- The Rolling Stock,
- The Signalling,
- The OCC, ICS and Telecom,
- The Power Supply, and
- The Depot Equipment.
The E&M systems, Building Services, Track and AFC will be considered in an update.

Generally speaking, the Contractor in charge of a system shall:
- demonstrate and implement its ability to conform to all phases of the safety management process, from the System Requirements to the System Validation activities,
- carry out the safety management activities throughout all stages of the Project in order to avoid causing injuries or damage to the equipment and environment involved, and to ensure the safety of the O&M Entity personnel in its subsequent operation and maintenance, and of all passengers and the public at large.

Safety covers two items:
- Health and Safety of personnel, covering the protection of personnel during installation, T&C and O&M of the systems (out of scope of this document, see part 1.3.2.1).
- HPLM System safety, covering the whole HPLM System lifecycle including possible system modifications and maintenance.
These items are detailed in the following two chapters.

1.3.1 Health and Safety Requirements


The relevant statutory Health and Safety regulations shall apply to any Contractor involved in the Project as well as to any Sub-contractor.
The requirements for safety on site during the construction and testing stages prior to the
commencement of Trial Running shall be determined from the Site Safety Plan prepared by each
contractor involved and shall not form part of the System Safety activities described in this
Specification.
Therefore, Health and Safety is out of scope of this document.

1.3.2 HPLM System Safety Requirements


In view of the characteristics of the HPLM System (for example tracks, rolling stock, signalling, and so on), most of the safety-related issues are beyond the scope of the general safety and hygiene regulations.
These safety-related issues, especially when relevant to the evacuation and the safety critical functions,
should be properly planned at the design stage, clearly specified in the contract documents, and
thoroughly validated in the period of testing and commissioning.
The Contractor shall in its System, Sub-systems and Component Safety Studies and Safety Validation
Studies identify and address the actual safety-related issues.
In the present project, Safety must be considered at the HPLM System level which means safety
covers both the Overall System and the O&M Rules.


Therefore, these requirements are divided into two items:
- O&M safety requirements,
- Overall System safety requirements.
These are discussed in the following two chapters.

1.3.2.1 O&M safety requirements


The O&M safety requirements as such are out of scope of this document, however, the Contractor
shall hand over to the O&M Entity the system Hazard Log and ensure that the O&M Entity has all
required information in order to ensure safe O&M activities.

1.3.2.2 Overall System safety requirements


Since O&M safety is out of scope of this document, from now on this document only covers Overall System safety. Therefore, in this document “Safety” means “Overall System Safety”.
Thus, the requirements set for the safety management are divided into the following items:
- Safety management requirements, setting the main principles that shall govern all the other requirements (see part [2]),
- Organisational requirements, setting the main principles that shall govern the roles and responsibilities of the Contractor (see part [3]),
- Technical requirements, setting the main principles that shall govern the system safety management activities to be undertaken by the Contractors (see part [4]),
- Safety Targets, setting figures and detailed techniques the Contractors must use (see part [5]),
- Safety submission requirements, summarising the main safety documents that shall be produced by the Contractors (see part [6]).
All these items are detailed in the following chapters.


1.4 HPLM SYSTEM EQUIPMENT AND INFRASTRUCTURE


The HPLM transportation system (TS) consists of the elements shown in Figure 1.

Figure 1: HPLM Transportation System breakdown

Notes to Figure 1:
1: including Fire Detection system, Elevators, Escalators, Fire extinguishing system, Stations’ environmental control and tunnel ventilation systems, Dewatering system for stations and tunnels, Water supply system, Lighting system (except in the Tunnel)
2: including Low voltage, Plumbing and Lighting in the Tunnel
3: including Low voltage and Plumbing


1.5 REFERENCE STANDARDS

EN 50126         Specification & Demonstration of Reliability, Availability, Maintainability & Safety (RAMS) for Railway Applications (equivalent to IEC 62278)
EN 50128         Railway Application: Software for Railway Control & Protection Systems (equivalent to IEC 62279)
EN 50129         Railway Application: Safety Related Electronic System for Signalling (equivalent to IEC 62425)
EN 50121-1       Railway Applications – Electromagnetic compatibility – Part 1: General (equivalent to IEC 62236)
EN 50122-1       Railway applications – Fixed installations – Part 1: Protective provisions relating to electrical safety and earthing
EN 50122-2       Railway applications – Fixed installations – Part 2: Protective provisions against the effects of stray currents caused by D.C. traction systems
EN 50159-1       Railway applications – Communication, signalling and processing systems – Part 1: Safety-related communication in closed transmission systems
EN 50159-2       Railway applications – Communication, signalling and processing systems – Part 2: Safety-related communication in open transmission systems
NFPA 130         Standard for Fixed Guideway Transit and Passenger Rail Systems - 2007
Building Code of Vietnam   Dated 25 September 1997
TCVN 2622:1995   Fire protection of building – Design requirements
IEC 61508        Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems
ISO 9001         Model for quality assurance in design, development, production, installing and servicing.
ISO 9000-3       Guidelines for the application of ISO 9001 to the development, supply and maintenance of software.


2. SAFETY MANAGEMENT REQUIREMENTS


2.1 SCOPE
The scope of the system safety assurance activities to be carried out by the Contractor for the system
he provides shall be defined in a dedicated “System Safety Plan”.
The Contractor shall execute the system safety activities through all stages of design, construction and
testing in accordance with the project’s System Safety Program Plan.
The activities of System Safety shall be developed in accordance with the life cycle model defined in
the standard [EN 50126].
2.2 SAFETY MANAGEMENT OBJECTIVES FOR THE PROJECT
Safety risk management shall deal with any risks which lead to death, injury and material loss (i.e.
property and/or environmental damage).
The Contractor shall carry out pro-active and exhaustive identification of hazards relating to the
system and wherever reasonably practical, hazards shall be eliminated at the design stages.
Where it is not reasonably practical to eliminate such hazards at the design stage, risk assessment shall be carried out to ensure that the risks associated with residual hazards are, in order of precedence:
- Minimised at the design stage;
- Mitigated wherever possible (with O&M procedures or training for example); and
- Able to be subsequently managed (evacuation procedures for example).
The basis of safety risk management shall follow the “as low as reasonably practicable” (ALARP)
principle as stipulated in [EN 50126].
In order to ensure a seamless approach to safety management of all aspects of the system, the
Contractor shall also identify all risks arising from the Operation and Maintenance and implement the
necessary mitigation action with the O&M Entity.
The Contractor shall develop and maintain a Hazard Log for all identified hazards of the system it provides, and this Hazard Log shall form part of the Safety documentation.
2.3 QUALITY ASSURANCE
Since Safety cannot be achieved if Quality is not guaranteed, as a minimum, the Contractor shall
implement the relevant part of [ISO 9001] standard in accordance with the [EN 50126] standard.
The Contractor shall be, as a minimum, an ISO 9001 certified company. Based on this certification,
the Contractor shall produce a Quality Assurance Plan covering all safety-related systems, whatever
their SILs.
The objective of the system quality assurance is to ensure that the development of systems is
performed in such a way the desired quality has been achieved. This is performed by creating a
process which notably provides a clear framework for the safety demonstration activity.
In connection with its Quality Assurance Plan, the Contractor shall provide a System Development
Plan covering all re-used, newly developed or modified systems.
2.4 COMPLIANCE MANAGEMENT
The Contractor shall ensure compliance with all statutory requirements relating to the safety of
operation and maintenance of the transportation system and shall cross reference them in the Hazard
Log.
All codes of practice, standards and specifications contained within or required by the Contract shall
also be complied with and cross referenced in the Hazard Log.


The Contractor shall be responsible throughout the course of this Contract to bring to the attention of
Employer, in writing, any changes in such laws, rules, orders, regulations and codes and any
condition(s), whether caused by its design, any Contract requirement, or any other basis, which it
believes might result in, or has resulted in, an unsafe condition.
The Contractor shall remain fully responsible, at its own expense, to rectify any such condition that
results from its design and not directly as a result of any Contract requirement.
2.5 SYSTEM BREAKDOWN
The Overall System can be broken down into the Structure Part (Civil Works), the Rail System part
and the Depot Infrastructure.
As far as the Structure Part is concerned safety of Stations & Facilities, Workshop and along the line
(viaduct and tunnel parts) is ensured via compliance with Regulations (especially with NFPA 130,
2007 Edition), Design Standards and Criteria. This compliance shall be ensured via independent
checking.
As far as the Rail System is concerned, the Contractor will present the functional tree of its Systems in
the functional level specifications. The Contractor shall provide a functional architecture which will be
made up of functional modules. All interfaces shall be clearly identified.
As the Design is developed, the Contractor will present the technical tree of the systems in the
technical level specifications.
The Contractor shall propose a hierarchical tree and a definition of each item composing the technical breakdown of the systems, for example the following one:
- System, the highest level of the system breakdown,
- Subsystem, the middle level of the system breakdown,
- Component, the lowest level of the system breakdown.
For each system/subsystem delivered, the Contractor shall provide the Employer/Engineer with its
technical tree in a document called Product Breakdown Structure.
2.6 SAFETY INTEGRITY LEVELS
The standard [EN 50129] specifies five Safety Integrity Levels (SILs). The required Safety Integrity
Level shall be decided on the basis of the level of risks (see details in part [5.2.5] to [5.2.8]).
The Contractor shall allocate a SIL at functional level and functional modules level. As well,
Contractor shall assign to all Systems/Subsystems/Components a Safety Integrity Level (SIL). This
allocation of SIL shall be approved by the Employer/Engineer.
The Contractor shall propose design, implementation techniques and measures depending on the SIL
of the function to be performed by each individual System, Subsystem or Component.
2.7 SOFTWARE SAFETY MANAGEMENT
Cf. Appendix 02 to this document for a complete description of the Software RAMS requirements.
2.8 SAFETY OF INTERFACES
Safety-related interfaces shall be identified by the Contractor for the System it provides. The Contractor shall manage the safety-related interfaces with the other contractors involved, i.e.:
- ensure the integration of the safety requirements coming from other interfacing systems in its own safety demonstration,
- export safety requirements to interfacing systems when needed, ascertaining that the information has been taken into account.
2.9 SAFETY WITHIN THE SYSTEM LIFE CYCLE
In order to control both quality and safety of the systems, the Contractor shall implement the concept of a double V-cycle which comprises:
- The Development V-cycle,
- The Safety V-cycle.
These two are described below.

2.9.1 Development V-cycle


In order to control its quality therefore its RAM and Safety objectives, the systems shall be developed
and validated according to a strictly defined Development V-cycle. An overview of this V-cycle is
given in the figure below:

Figure 2: Overview of the System Development V-cycle (Development branch: Design - Manufacture - Validation)

This V-cycle is detailed in the Appendix 01 of this document which illustrates an example of the
various steps of the system design and validation. This is compliant with [EN 50126] and [EN 50129].
The Contractor may propose a different system lifecycle provided that a clear mapping between the
adopted phases, including the combination of individual phases, is given. Where phases are combined,
then the Contractor shall ensure that all of the requirements for the individual phases are collectively
met.
All the phases constituting the Development V-cycle implemented by the Contractor for the system shall be detailed in terms of:
- Objectives for the phase,
- Methodologies used to carry out the safety activities during the phase,
- Input documentation,
- Output documentation.
The Contractor shall produce and maintain a Traceability Matrix that demonstrates that all
requirements have been achieved and no untraceable material has been included.

2.9.2 Safety V-cycle


In parallel with the Development V-cycle followed by any system, the safety-related systems must
also follow a Safety V-cycle.


In order to control its safety, the safety-related systems shall be designed and validated according to a
strictly defined Safety V-cycle. An overview of this V-cycle is given in the figure here below:

Figure 3: Overview of the System Safety V-cycle (Safety branch: Safety Requirements Definition - Manufacture - Safety Requirements Validation)

Therefore, the safety related systems must follow a double V-cycle as shown hereafter.

Figure 4: Safety-related Systems Double V-cycle (Contractor: the Development branch Design - Manufacture - Validation run in parallel with the Safety branch Safety Requirements Definition - Manufacture - Safety Requirements Validation)


Thus, for each step of the Development V-cycle a safety step must be undertaken. This double V-cycle
must be followed by the Contractor. To do so, the Contractor shall set up both a Development team
and a Safety team. The Contractor must ensure a strict independence between its Development team
and its Safety team.
The Contractor shall produce a System Safety Plan describing the implemented Safety V-cycle and its
link with the Development V-cycle.
2.10 SYSTEM DOCUMENTATION
To illustrate the above in terms of documentation, the Contractor shall provide a System
Documentation Submission Schedule which shall list all the system documentation to be produced


by the Contractor. This schedule shall define when in the lifecycle each document is to be submitted and
the status of each document (for information, for review, for acceptance). This schedule shall be
attached to the Contractor's Master Schedule and delivered to the Employer/Engineer for acceptance.
The system documentation produced by the Contractor shall be of two different types:
The Development documentation, written by the Contractor’s Development teams.
Typically, this documentation will be made of the System Specifications, the System
Validation Plan, the System Test Specifications and the System Validation Reports.
The Safety documentation, written by the Contractor's Safety team. Typically, this
documentation consists of the various Safety Cases together with the detailed Safety
studies and Safety Validation Studies supporting them. The Contractor's Safety team shall also
produce a Hazard Log identifying and tracing the processing of all the Safety Requirements
until their closure. Safety Requirements exported to the O&M Entity shall be identified
separately.
2.11 SYSTEM CONFIGURATION MANAGEMENT
The system configuration management activity shall be carried out by the Contractor. The Contractor
shall produce a System Configuration Management Plan to cover changes that occur during the
development phases and to monitor the system configuration.
When system design changes are planned and/or performed, the organizations responsible for the
system changes shall ensure that review and any necessary updates of relevant Safety Acceptance
Documents take place. The impact of the change shall be explained in the context of safety. General
rules for differentiating between design changes and routine maintenance should be included in the
safety case.
The System Configuration Management Plan shall refer to the configuration management of the
Contractor in terms of configuration control, problem reporting, change control, media control and
configuration management tools.
2.12 TESTING AND COMMISSIONING
A hold point shall be respected between the installation stage and the T&C stage. Thus, for the safety
of T&C activities, installation clearance (Post Installation Checkouts, PICO) should be confirmed and
approved by the Employer/Engineer prior to starting tests.
An installation checklist prepared and maintained by the Contractor shall be counter-signed by the
Contractor and the Engineer after the satisfactory completion of each part constituting a system.
On satisfactory completion of all installation checklists (including safety-related items) for a group of
works, the relevant authority will issue an Installation Clearance Certificate (Post Installation
Checkouts, PICO) which is a prerequisite to start System, Subsystems or Component T&C.
The Design Safety Case and the Hazard Log, showing the evidence that the hazards have been
mitigated at design stage, are required to start the installation activity and then the T&C activity.
Any non-conformity shall be identified and analysed from a safety point of view before the
authorisation is granted to carry out dynamic testing.
Where a safety-related non-conformity is covered by a procedure during the testing period, that
procedure shall be approved by the Employer/Engineer.

The safety procedures for T&C shall be specified in the relevant testing procedures of each T&C Plan,
including, where necessary, the protection measures for any part of the Transportation System which is
already in operation. The system-specific safety requirements coming from the Hazard Log shall be
addressed in these procedures, respecting the traceability procedure defined in the System Safety Plan.


During the T&C period, modifications to the design or installation may become necessary when a
non-conformance is found during safety validation. If modifications to the design are needed, they shall
follow the procedures of both the System Development Plan and the System Configuration
Management Plan.
2.13 HUMAN FACTORS
The Contractor shall consider human factors in his safety studies and demonstrate that the design is
consistent with the minimisation of human delay and error, so far as is reasonably practicable, and the
optimisation of the efficiency of operatives. This demonstration involves consultation with the
Engineer and is carried out using recognised techniques of ergonomics, human error and task analysis
with suitable reference to the proposed method of operating the Transportation System. Assumptions
concerning procedures and staffing arrangements shall be clearly defined by the Contractor.
2.14 DATA REPORTING AND CORRECTIVE ACTION SYSTEM (DRACAS)
DRACAS shall be established by the Contractor to provide a documented history of problems and
failures that occur during manufacture, construction and installation. It shall indicate how and why
each problem arose and present corrective action options.
DRACAS shall be implemented by the Contractor for monitoring the safety and RAM performance of
the equipment, during manufacture, installation, testing and commissioning into operation and also the
maintenance of the system to provide feedback to the design of this equipment.
DRACAS shall be used to monitor the performance of components and to identify patterns of failures
so that corrective action can be taken.

In addition, DRACAS shall be used:


To promote reliability growth of equipment beyond the achievement of the target values;
To consolidate equipment failure data for reference in design reviews; and
To verify the capability of equipment, and detect any decline in it, during verification
testing and revenue operation, so that the reliability level of the equipment is
sustained.

2.15 TRACEABILITY OF SAFETY REQUIREMENTS

A specific part of the System Safety Plan must be dedicated to the traceability of safety requirements
and mitigation means through the safety process, from the Design phase to Revenue Service.
To this end, a codification system shall be defined by the Contractor in its System Safety Plan.
Every safety requirement or mitigation means shall be:
Referenced in the System Hazard Log by a unique code,
Referred to by that unique code wherever needed in the development and safety
documentation.
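The codification and traceability rules above, together with the Traceability Matrix required in 2.9.1 (every requirement achieved, no untraceable material included), can be checked mechanically. The following Python script is an added example written for this edition; it is not part of the SSPP and not any Contractor's tooling. The SR-<subsystem>-<number> code format, the Hazard Log entries and the document excerpts are constructed assumptions.

```python
"""Hazard Log codification and traceability check.

Added example (not part of the SSPP). Every safety requirement or mitigation
means carries one unique code, and every development or safety document
cites the codes it implements. The report is the substance of a
Traceability Matrix: each code is traced to at least one document, no
document cites a code the Hazard Log does not know ("untraceable
material"), and requirements exported to the O&M Entity are listed
separately and must all appear in the SRAC. Code format, hazards and
document excerpts below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumed codification: SR-<subsystem>-<4 digits> (hypothetical, not from the SSPP)
CODE_RE = re.compile(r"\bSR-[A-Z]{2,4}-\d{4}\b")


@dataclass(frozen=True)
class SafetyRequirement:
    code: str       # unique reference in the System Hazard Log
    hazard_id: str  # Hazard Log entry this requirement mitigates
    owner: str      # "Contractor" (closed by design) or "O&M" (exported)
    status: str


# Constructed Hazard Log extract
HAZARD_LOG = [
    SafetyRequirement("SR-SIG-0001", "HZ-001", "Contractor", "Design Closed"),
    SafetyRequirement("SR-SIG-0002", "HZ-001", "O&M", "Exported"),
    SafetyRequirement("SR-PSD-0007", "HZ-014", "Contractor", "Open"),
]

# Constructed document excerpts: document name -> text citing requirement codes
DOCUMENTS = {
    "System Specification": "Function F3 implements SR-SIG-0001 and SR-PSD-0007.",
    "System Test Specification": "Test case TC-12 verifies SR-SIG-0001.",
    "SRAC": "Exported to the O&M Entity: SR-SIG-0002.",
    "Interlocking Design Note": "Refers to SR-SIG-0042, which is not in the Hazard Log.",
}


def validate_codes(log):
    """Return codification errors: malformed or duplicated codes."""
    errors, seen = [], set()
    for req in log:
        if not CODE_RE.fullmatch(req.code):
            errors.append(f"malformed code {req.code}")
        if req.code in seen:
            errors.append(f"duplicate code {req.code}")
        seen.add(req.code)
    return errors


def build_matrix(log, docs):
    """Traceability Matrix: code -> documents citing it, in document order."""
    matrix = {req.code: [] for req in log}
    for name, text in docs.items():
        for code in sorted(set(CODE_RE.findall(text))):
            if code in matrix:
                matrix[code].append(name)
    return matrix


def traceability_report(log, docs, srac_name="SRAC"):
    """Forward and backward traceability plus the separate O&M export list."""
    known = {req.code for req in log}
    matrix = build_matrix(log, docs)
    # forward: every Hazard Log code reaches at least one document
    untraced = sorted(code for code, names in matrix.items() if not names)
    # backward: every cited code exists in the Hazard Log
    untraceable = {}
    for name, text in docs.items():
        unknown = sorted(set(CODE_RE.findall(text)) - known)
        if unknown:
            untraceable[name] = unknown
    # exported requirements are listed separately and gathered in the SRAC
    srac_codes = set(CODE_RE.findall(docs.get(srac_name, "")))
    exported = sorted(req.code for req in log if req.owner == "O&M")
    missing_from_srac = [c for c in exported if c not in srac_codes]
    return {
        "untraced": untraced,
        "untraceable": untraceable,
        "exported": exported,
        "exported_not_in_srac": missing_from_srac,
        "complete": not (untraced or untraceable or missing_from_srac),
    }


if __name__ == "__main__":
    print("codification errors:", validate_codes(HAZARD_LOG))
    for code, names in build_matrix(HAZARD_LOG, DOCUMENTS).items():
        print(f"{code}: {', '.join(names) or '<untraced>'}")
    print(traceability_report(HAZARD_LOG, DOCUMENTS))
```

With the constructed data the report is not complete: the design note cites a code the Hazard Log does not carry, which is exactly the "untraceable material" the Traceability Matrix must expose before a Safety Case can rely on it.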

2.16 PROJECT MANAGEMENT

It is the Contractor's responsibility to ensure the system is developed, tested and delivered on time. To
do so, the Contractor shall create and maintain a RAMS Detailed Work Schedule. From this schedule
it shall be possible to identify critical paths, slippage and resources.
As part of any overall reporting mechanism to the Engineer, progress information shall be included
relating to the systems. In addition to regularly producing an updated RAMS Detailed Work Schedule
the Contractor shall indicate which phases are not begun, in progress or completed.
The Engineer shall have full access to the Contractor and all its contractors/subcontractors. The
Contractor shall agree and record the access required by the Engineer.


2.17 CROSS ACCEPTANCE

One approach to securing the necessary safety approvals from the Safety Authority relies on
cross-acceptance by the Safety Authority of Safety Cases from other projects which have been
assessed, reviewed and approved by an independent agency or other recognised competent body.
Whichever approach is adopted, the Contractor involved is responsible for providing the appropriate
level of documentation (see part [4.10]).
Whenever the Contractor adopts a cross-acceptance strategy, it shall seek the approval of the
Safety Authority to use such a non-Vietnamese reference within the project as early as possible
during the Construction Design phase.


3. ORGANISATIONAL REQUIREMENTS
3.1 THE CONTRACTOR
The Contractor shall produce the various Safety Cases of the technical system it provides (excluding
O&M Rules), according to the standard [EN 50126].
The Contractor is responsible for the Safety of the system it provides.
The Contractor shall set up a Safety Team independent from the Design and Building Team, able to
address the system safety issues.
A safety manager is appointed to lead the team, according to the standard [EN 50126]. He shall:
coordinate and validate the safety activities of its contractors/subcontractors
carry out the safety demonstration of its system, including:
o the safety demonstration of the subsystems of which it is constituted
o the follow-up of safety requirement exchanges inside its system
ensure the integration of the safety requirements coming from other interfacing systems into its
own safety demonstration
export safety requirements to interfacing systems when needed
seek the approval of the Employer/Engineer.

The Contractor’s Safety Team


During phases 4, 5, 6, 7, 8, 9 and 10 of the V-cycle (see Appendix 01), the main roles of the
Contractor’s Safety Team shall be to:
Ensure the day-to-day building of the system safety in liaison with the Engineer
Ensure that the achievement of the Safety Targets is demonstrable to the Safety Authority
Produce and submit the safety documents to the Engineer before they are given to the Safety
Authority
Produce on time, as required by the Employer/Engineer, all information necessary to the safety
approval process.
The Contractor’s Safety Team shall:
Follow the safety approval process in a timely manner as set by the Employer/Engineer
Take into account the Safety Targets and allocate them to the various Systems and Sub-
systems
Produce a Safety Program for review by the Engineer
Produce all safety studies as required by the Engineer and update them according to
Engineer’s comments
Participate, along with the Engineer in the Safety Reviews, HAZOP Sessions and Safety
Progress Meetings as set in the Safety Program
Take on board the advice from the Engineer or provide corresponding justifications if not
doing so
Produce all Safety Cases as required by the Engineer and have them reviewed and updated
before they are sent to the Safety Authority.

The Contractor shall give all required access to information and premises for the following:
The Engineer shall carry out Safety Audits at the Contractor’s premises if and when the
Engineer deems it necessary. If deemed needed, the Engineer can carry out any Technical


Review or HAZOP Session in addition to those planned by the Contractor in its System Safety
Program.
An Independent Safety Assessor (ISA) with appropriate skills may be appointed. The ISA
shall be given adequate means to perform the Safety Assessment tasks (see part [3.4]).
The Contractor shall address any question or request for information raised by the ISA.
3.2 THE O&M ENTITY
The O&M Entity is in charge of integrating the O&M requirements exported from the Hazard Log into the
Operating and Maintenance procedures developed for the project. When an exported requirement,
once assessed, appears unfounded from an O&M point of view, the O&M Entity can request
arbitration by the Employer.
3.3 PROJECT IMPLEMENTATION CONSULTANT
SYSTRA (France) is the Project Implementation Consultant.
3.4 THE INDEPENDENT SAFETY ASSESSOR
The Independent Safety Assessor (ISA) may be appointed.
When appointed, the ISA shall be given adequate authority and means to perform the Safety
Assessment tasks, which consist of assessing whether the specified safety targets of the project are
reached.
The ISA shall carry out the Safety Assessment Audits at the Contractor’s premises when he deems it
necessary (at any stage of the project).
If deemed needed, the ISA can carry out technical reviews, which are less formal than the audits
and focus on particular technical issues, especially when some documentation, for whatever reason,
has not been provided to the Engineer.
3.5 THE INDEPENDENT SOFTWARE ASSESSOR
Software supporting functions allocated Safety Integrity Level 1 (SIL 1) or above shall meet the
requirements of EN 50128.
For such software, an Independent Software Assessor (ISwA) shall perform an assessment as per the
EN 50128 requirements.
At the discretion of the Safety Authority, the Assessor may be part of the contractor’s organization, but
he shall:
be authorized by the Safety Authority,
be totally independent from the project team,
report directly to the Safety Authority.
See part [2.7]


4. SAFETY TECHNICAL REQUIREMENTS


The methodological and technical requirements which are described here below shall be detailed by
the Contractor in a document called System Safety Plan which shall be submitted to the
Employer/Engineer for approval.
The Contractor shall use the findings of the Safety studies as part of the process of evolving the
design.
The Contractor shall implement a series of audits of Subcontractors to ensure their compliance with
the Contractor’s “System Safety Program Plan” and acceptance criteria for systems and sub-systems.
The outcome of these audits shall be presented as audit reports and be available for the Engineer to
review.
The Contractor shall put a system in place for managing the close out of corrective actions raised
during audits, and to ensure that changes are fully implemented, as required.

4.1 STANDARDS TO BE APPLIED

The Contractor shall apply the following standards in the way shown by the following table:

                Quality        Safety
RAMS            EN 50126
Hardware        ISO 9001       EN 50129 (*)
Software        ISO 9000-3     EN 50128
Figure 5: Standards to be applied
(*): CENELEC EN 50129 is dedicated to communication, signalling and processing systems.
However, the methodology and requirements defined in this standard for producing a Safety Case, and
all the safety studies it is composed of, shall be followed by the Contractor to establish its Safety Case.

4.2 SAFETY POLICY

The Contractor shall set down in the System Safety Plan his approach and commitment to safety in a
statement of safety policy endorsed by senior management.

4.3 SYSTEM SAFETY PLAN

The Contractor is responsible for the management of safety of the system it provides and for the means
by which adequate safety justification of the system will be ensured at the various stages of the system
life cycle. This information about safety management within the life cycle is presented by the Contractor
in the System Safety Plan.
The Safety Plan shall be a standalone document. This document shall cover, as a minimum, the
following items:
Referenced safety standards and documents,
Safety management principles,
Description of the systems/subsystems,
Safety organisation,
o Independence of Safety Team,
o Safety roles & responsibility,


o Requirement for competence of key personnel,


Safety requirements,
Safety documentation and deliverables
Safety Case methodology,
Safety Approval process,
Monitoring and control of safety program.
Production of a Safety Critical items list which shall be used for recording and tracking of all
issues critical to the safety of the HPLM system in Revenue Service.
The Contractor shall seek the approval of its System Safety Plan by the Employer/Engineer.

4.4 HAZARD IDENTIFICATION AND MANAGEMENT

4.4.1 Hazard Identification


Hazard identification and analysis is the process of identifying the potential hazards inherent in a
system, the accidents that could result and the accident triggers that could give rise to these accidents.

The process is started early in the project and repeated as the design proceeds, so that at every stage
hazards can be removed and the residual risks of accidents minimised.

At the beginning of the Construction design stage, the Contractor shall perform a Preliminary Hazard
Analysis (PHA). The input to this PHA draws from experience from other similar systems and from
the system design tender documents.

The PHA format will be included in Appendix.

This PHA takes the high-level hazards and classifies their severity and frequency of occurrence. Preventive
or mitigation measures for the hazards identified are also included in this PHA.

The System PHA initialises the Overall System Hazard Log, which is an input to the Contractors' hazard
analyses: system-level PHA, System Hazard Analysis (SHA), Interface Hazard Analysis (IHA) and
Operating & Support Hazard Analysis (OSHA), in which a lower level of analysis is performed by the
Contractors.

The identified hazards are captured in the Hazard Log (an MS Excel worksheet) and a risk classification is
assigned based on the severity and frequency categories defined above.

A top-level Hazard Log (the Overall System Hazard Log) integrates all the Hazard Logs of the CPXX packages.

4.4.2 Hazard Management


Following on from the Hazard Identification phase, an entry in the Overall System Hazard Log is
raised. This entry enables progressive tracking in the reduction of hazard risk status. The Hazard Log
also facilitates traceability, transparency and accountability in the processes.

The Hazard Log format will be included in Appendix.

The safety team of the contractor will manage hazards that were raised in the PHA.


4.4.3 Hazard Transfer


If an Overall System hazard is raised that is to be mitigated only by means external to the Overall System
or to System control (i.e. a hazard whose status is the sole responsibility of the Operator or Maintainer), then
it shall be highlighted and transferred to the Operator/Maintainer for appropriate action.

If a hazard has been closed by design (i.e. a hazard whose status is "Design Closed") but includes
mitigations deemed to be controlled by the Operator or Maintainer, then it shall be highlighted and
transferred to the Operator/Maintainer for appropriate action. The transfer and registration of Overall
System hazards is managed solely by the Engineer. The safety team of the contractor should highlight
in its individual hazard logs those hazards that are solely or partly owned by the Operator, so that
the Overall System Hazard Log is kept up to date on these hazards. In addition, the exported safety
requirements shall all be gathered in a specific safety document such as the Safety Related Application
Conditions (SRAC).

Confirmation and acceptance of the transfer will be transmitted to the Engineer and to the safety team of
the contractor for reference and inclusion in their respective hazard logs.
Where practicable, hazards will be compiled and submitted in batches to the Operator.

4.5 SAFETY AND RISK ACCEPTANCE CRITERIA

The risk acceptance criteria are driven by the Risk Assessment matrix: risks shall be mitigated to an
acceptable level.
For risks classified as Tolerable or Undesirable, the Contractor shall demonstrate that the risk has been
reduced ALARP (As Low As Reasonably Practicable).
To demonstrate that the risk has been reduced ALARP, the following criteria shall be used (in order of
priority):
show compliance with the standards applicable to the project
use of a product already accepted by an internationally recognised railway agency ("proven in
use")
perform a Cost Benefit Analysis
The Cost Benefit Analysis should be used as little as possible; priority shall be given to technical
argument. Whenever such an analysis is conducted, the value of a life saved shall be
determined by the Safety Authority.

4.6 DESIGN SAFETY STUDIES

The purpose of the “Design Safety Studies” is to document the process of design to ensure that it
incorporates the general principle of minimising risk in design as a first priority.
“Design Safety Studies” shall be prepared for system and sub-system elements that are considered to
be safety critical or related. “Design Safety Studies” is necessary for elements that require hazard
analysis to a greater level of detail and with a greater level of knowledge of the design (both for
hardware and software components).
The System level Hazard Analysis process and the Hazard Log shall form a baseline for the “Design
Safety Studies”.
The “Design Safety Studies” shall be carried out using recognised quantitative and qualitative
techniques, as called for by the specific requirements.

4.6.1 Preliminary Hazard Analysis


At the beginning of the Construction design stage, the Contractor shall perform a Preliminary
Hazard Analysis (PHA). This analysis can be based on its experience of similar systems but shall take


into account the Overall System level Preliminary Hazard Analysis and the specificities of the project,
especially the environmental conditions.
The Contractor shall treat at least the hazards identified for the system it provides within the Overall
System level Draft Preliminary Hazard Analysis, and develop them as needed.

4.6.2 Failure Mode, Effects & Criticality Analysis and SIL Allocation
At the interim Construction Design Outline stage, the Contractor shall carry out a functional Failure
Mode, Effects and Criticality Analysis (FMECA): this analysis shall assess the consequences of the
failure of each function performed by the system it provides.
Within the FMECA, the Contractor shall ensure:
the integration of the safety requirements coming from other systems interfacing in its own
safety demonstration
the export of safety requirement to systems interfacing when needed. These requirements shall
be handed over to the Employer/Engineer for approval.
The purpose of this analysis is to identify the criticality of the function and allocate the appropriate
SIL. This allocation shall be summarised in the SIL Allocation Document. Criteria for allocation of
SIL are described hereafter.

4.6.3 Detailed safety analysis


The Contractor shall then perform detailed Safety Analyses:
System Hazard Analysis (SHA)
Operating and Support Hazard Analysis (OSHA)
Interface Hazard Analysis (IHA)
The purpose of these safety analyses is to identify the Safety Requirements to be implemented by design or
by operating procedure.
Each hazard identified during these safety analyses shall be logged in the Hazard Log; a hazard is closed
when evidence is given that the corresponding requirements are met.
Traceability to the design documents shall be established to ensure the completeness of the analyses.
The Safety Analyses shall consider the following operating modes:
Normal operations including maintenance;
Degraded modes of operation;
Emergency situations.
During the IHA, the Contractor will identify requirements to be met by other systems.
These requirements shall be passed to the Engineer.

Additional safety studies are required for safety-critical components:


FMECA at component level
Fault Tree Analysis to demonstrate that the wrong-side failure rate corresponds to the allocated SIL

For the Critical and Catastrophic Hazards, Quantitative Risk Assessment shall be carried out by the
involved Contractor to demonstrate their frequency has been reduced to an acceptable level.
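The fault-tree study listed above compares the computed wrong-side failure rate of a function with the tolerable hazard rate (THR) band of its allocated SIL. The following Python script is an added example for this edition, not Contractor tooling and not a method the SSPP prescribes. The 2oo2 architecture, the per-channel dangerous undetected failure rate of 1e-6/h, the comparator common-cause rate of 5e-9/h and the two proof-test intervals are constructed assumptions; the THR bands per SIL are those of EN 50129.

```python
"""Quantitative fault tree against EN 50129 THR bands.

Added example (not part of the SSPP). It evaluates a wrong-side failure
fault tree under rare-event approximations: an OR gate sums its inputs; an
AND gate of one failure rate with unavailabilities multiplies them; an AND
gate of two or more dormant failure rates uses the mean unavailability
lambda*T/2 of a component proof-tested every T hours, so the top rate is
sum_i lambda_i * prod_{j != i} q_j. The THR bands per SIL are those of
EN 50129; the 2oo2 architecture, failure rates and test intervals are
constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# EN 50129 tolerable hazard rate bands (per hour, per safety function)
SIL_THR_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


@dataclass
class Basic:
    name: str
    rate: Optional[float] = None  # dangerous failures per hour (lambda)
    prob: Optional[float] = None  # unavailability / probability on demand


@dataclass
class Gate:
    kind: str                           # "AND" or "OR"
    children: list                      # Basic or Gate instances
    interval_h: Optional[float] = None  # proof-test interval for AND of rates


def evaluate(node) -> Tuple[str, float]:
    """Return ("rate", lambda per hour) or ("prob", q) for the subtree."""
    if isinstance(node, Basic):
        if (node.rate is None) == (node.prob is None):
            raise ValueError(f"{node.name}: give exactly one of rate or prob")
        return ("rate", node.rate) if node.rate is not None else ("prob", node.prob)
    results = [evaluate(c) for c in node.children]
    rates = [v for k, v in results if k == "rate"]
    probs = [v for k, v in results if k == "prob"]
    if node.kind == "OR":
        if rates and probs:
            raise ValueError("OR gate cannot mix rates and probabilities")
        return ("rate", sum(rates)) if rates else ("prob", sum(probs))
    if node.kind == "AND":
        p = math.prod(probs) if probs else 1.0
        if not rates:
            return ("prob", p)
        if len(rates) == 1:
            return ("rate", rates[0] * p)
        if node.interval_h is None:
            raise ValueError("AND of several rates needs a proof-test interval")
        q = [lam * node.interval_h / 2 for lam in rates]  # mean dormant unavailability
        top = sum(lam * math.prod(q[j] for j in range(len(rates)) if j != i)
                  for i, lam in enumerate(rates))
        return ("rate", top * p)
    raise ValueError(f"unknown gate {node.kind}")


def sil_from_thr(rate: float) -> int:
    """SIL whose THR band contains the rate (0 if too high, 4 if below the SIL 4 band)."""
    for sil, (lo, hi) in sorted(SIL_THR_BANDS.items(), reverse=True):
        if lo <= rate < hi:
            return sil
    return 4 if rate < SIL_THR_BANDS[4][0] else 0


def meets_sil(rate: float, allocated_sil: int) -> bool:
    """The demonstrated rate must stay below the upper bound of the allocated SIL band."""
    return rate < SIL_THR_BANDS[allocated_sil][1]


def wrong_side_failure_tree(test_interval_h: float) -> Gate:
    """Constructed 2oo2 architecture: both channels fail dormant, or the comparator fails."""
    return Gate("OR", [
        Gate("AND", [Basic("channel A undetected failure", rate=1e-6),
                     Basic("channel B undetected failure", rate=1e-6)],
             interval_h=test_interval_h),
        Basic("comparator common-cause failure", rate=5e-9),
    ])


def demonstrate(allocated_sil: int, test_interval_h: float) -> dict:
    """Evaluate the tree and check the result against the allocated SIL."""
    _, rate = evaluate(wrong_side_failure_tree(test_interval_h))
    return {"rate": rate, "sil_achieved": sil_from_thr(rate),
            "meets": meets_sil(rate, allocated_sil)}


if __name__ == "__main__":
    for t in (24.0, 8760.0):  # daily self-test versus yearly proof test
        print(f"test interval {t:>6} h:", demonstrate(4, t))
```

Running it shows the same hardware meeting SIL 4 with a daily self-test (about 5.0e-9/h) and falling to SIL 3 with a yearly proof test (about 1.4e-8/h): the test interval is itself a safety requirement to be logged and, where the Operator or Maintainer performs the test, exported in the SRAC.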


4.6.4 Engineering safety verification plan


At Construction Design stage, the Contractor shall provide an Engineering Safety Verification Plan to
the Employer/Engineer for approval.
The scope of the Engineering Safety Verification Plan and its implementation schedule shall be
defined and described by the Contractor in its System Safety Plan.
The Engineering Safety Verification Plan shall include:
The list of safety field verifications for systems and equipment including manufacturing,
installation and systems interfaces integration testing;
The schedule of safety field verifications;
The purpose of each verification;
The acceptance criteria by reference to any related safety study;
The recommended method of verification at each phase of the project (notably Testing
phases), including the processing of software safety key issues verification;
The plan for witnessing the results of verification;
The recommended format of the verification report;
The submission list of Contractor’s verification and testing reports;
The resumes of key safety verification and testing staff;
The recommended assessment procedure with respect to deficiencies in the verification
results.

4.7 DESIGN SAFETY CASES

The demonstration of system safety by the Contractor shall be undertaken via the concept of Safety
Cases.
The structure of the Safety Cases shall be in accordance with the standard [EN 50129], namely:
Part 1: Definition of System,
Part 2: Quality Management Report,
Part 3: Safety Management Report,
Part 4: Technical Safety Report,
Part 5: Related Safety Cases,
Part 6: Conclusion.
The traceability of safety requirements and mitigation means through the safety-related
documentation, from the Design phase to the end of Trial Running, must be ensured by the Safety process
set up by the Contractor (see part [2.15]).

The Safety Case is meant to be reviewed by the Engineer and possibly assessed by the ISA and
software assessed by the ISwA before its acceptance by the Safety Authority.
The Safety Case shall be supported by Hazard Analysis and Design Safety studies (see part [4.6]) to be
submitted to the Engineer.
By the end of the Design Stage, the Contractor shall produce a Design Safety Case dealing with safety
requirements status of integration at Design Stage. This Design Safety Case summarizes the safety
analyses and brings the evidence that:
the overall risk criteria for the system have been addressed satisfactorily at the Design stage
and that the Design proposals are mutually compatible with such risk criteria,


all Safety Critical systems/sub-systems have been identified at the Design stage and the
apportionment of risks between the major systems and sub-systems support the overall safety
criteria approved in the “System Safety Plan”,
the results of the Design Safety Studies have been incorporated into the design, and shall be
carried forward into the definitive Design, Manufacturing and Installation processes,
wherever it has been decided to manage a hazard by operating and/or maintenance procedure
or other management control measures, auditable methods by which such measures shall be
introduced into the operating/maintenance provisions have been established,
a robust process has been implemented to validate the Safety Critical aspects of software design,
processes for assessing the potential safety impact of design changes exist.
The technical section of the “Design Safety Case” shall address but not be limited to the following
subjects.
Advancement of the design, and validation of this advancement by the Employer,
The standards used in the design which are related to safety,
The assumptions concerning how the item or component will be used and/or maintained,
Conformance of sub-systems and component items of equipment to the risk criteria specified
within the core safety management section,
Status of all system and/or sub-system internal and external interfaces,
Specification of any on-site testing and integrated system testing parameters that shall be
demonstrated to operate safely (as an individual item or items and/or as part of a system
and/or sub-system).
As an annex to the Design Safety Case, the Contractor shall submit the updated Hazard Log showing
that the hazards have all been mitigated at design stage.

4.8 MANUFACTURING AND INSTALLATION

Manufacture or Installation shall not proceed until the System Safety Plan and Design Safety Case
have received the approval of the Employer/Engineer.
The Contractor shall continue to identify issues and comply with the System Safety Plan and related
documents during the manufacturing and installation stage.
The Manufacturing and Installation section of the System Safety Plan shall cover safety considerations
for all manufacturing and installation activities both on and/or off site and shall include, but not be
limited to, the following elements.
Identification of the safety management organisation to set up during the manufacturing and
installation stages including the provision of appropriate levels of site management,
supervision and safety personnel,
The arrangements for ensuring that the results of the Design Safety Studies shall be carried
forward into the manufacturing and installation processes,
The process for assessing the impact on safety of any change occurring during manufacturing
or installation stage,
The formulation and implementation of safe processes to carry out the required activities and the
issue of the necessary procedures, rules and regulations to secure implementation of such safe
processes,
The specification of all training needs arising from the requirements for safe working
procedures (the safety requirements addressed into the Training specifications must be
traceable).
The Contractor shall update the Design Safety Case and the Engineering Safety Verification Plan and
submit them to the Employer/Engineer for approval.


4.9 ON-SITE TESTING AND INTEGRATED SYSTEM TESTING

The Design Safety Case and Engineering Safety Verification Plan updated at the Manufacturing and
Installation stage, and the On-Site Testing and Integrated System Testing section of each System
Safety Plan, shall receive the approval of the Employer/Engineer prior to the commencement of on-site
tests and integrated system tests.
This section of the System Safety Plan shall demonstrate as a minimum the following requirements:
the safety management organisation to control the on-site Testing and Integrated System
Testing is in place,
the scope of activities to be carried out during the on-site Testing and Integrated System
Testing period covers all Safety Critical functions,
the segregation of on-site Testing and Integrated System Testing activities from residual
construction and installation activities shall be implemented,
the procedures required to conduct on-site Testing and Integrated System Testing activities
safely, including where necessary, the protection measures for any part of the Transportation
System which may be in operation shall be implemented,
the processes which are to be implemented to validate the Safety Critical aspects of software
installation and testing shall be implemented,
the processes required to assess the safety implications of the results of tests and inspections
carried out during the periods of on-site Testing and Integrated System Testing activities shall
be implemented,
the processes required to control and validate the safety implications of modifications carried
out during the period of on-site Testing and Integrated System Testing activities shall be
implemented,
the arrangements which are to be utilised to record, report and investigate accidents and
incidents together with the systems necessary to formulate and implement measures to prevent
reoccurrence shall be implemented,
effective controls shall be implemented in respect of the activities of all other contractors.

The Engineering Safety Verification Plan and its implementation schedule shall be updated prior to starting
the Test Running phase.
The Contractor shall confirm within an Engineering Safety Verification Report by reference to the
engineering safety verification tests results that all safety design criteria have been achieved or shall
otherwise propose remedial action to ensure that safety design criteria shall be complied with.
The Contractor shall provide a Final Safety Case to the Employer/Engineer for approval (see part
4.10).

4.10 FINAL SAFETY CASE

The Final Safety Case shall demonstrate that the system is fit for the purpose of commencing Trial
Running.
Its format should be identical to that of the System Design Safety Case (see part 4.7).
The Safety Case is meant to be reviewed by the Engineer and possibly assessed by the ISA, with its
software assessed by the ISwA, before its acceptance by the Safety Authority.
The Safety Case shall be supported by Hazard Analysis, Interface Hazard Analysis, Safety Studies &
Safety Validation Studies and an Operating and Support Hazard Analysis to be submitted to the
Engineer.
The Safety Case produced by the Contractor for the safety-related electronic systems it provides shall
follow the pattern defined in the standard [EN 50129], including for each safety-related system:
- A Generic Product Safety Case, covering the unmodified safety items,
- A Generic Application Safety Case, covering those safety items generic to several systems composing the Rail System,
- A Specific Application Safety Case, covering those safety items especially developed for the Project.

The Final Safety Case shall make traceable reference to system documentation that shall demonstrate
as a minimum that the following requirements have been met:
- the system has been manufactured, installed and tested up to and including Integrated System Testing in a manner that ensures the system can be operated and maintained as approved in the System Design Safety Case, and that there are no safety issues outstanding,
- the recommended safety performance criteria and safety thresholds for the safe operation and maintenance of the system have been set,
- the standards and specifications upon which the safe operation and maintenance of the system are based have been set,
- the safe processes, rules and procedures required to operate and maintain the system within the defined parameters, as approved to minimise or mitigate risks in the "System Design Safety Case", have been verified.

4.11 TRIAL RUNNING

The Final Safety Case shall be approved by the Employer/Engineer prior to the commencement of
Trial Running.
The Contractor shall continue to implement safety activities during the Trial Running until the
transition to revenue service.
The Contractor shall describe specific activities to be carried out during the period of Trial Running in
its System Safety Plan.
Indeed, in addition to the validation of the technical and functional aspects of the system provided by the
Contractor during the period of Trial Running, the exhaustiveness and effectiveness of the O&M
procedures, and particularly of the safety-related procedures, will be assessed. The validation of
safety-related procedures at Overall System level could lead to adding or modifying safety requirements
impacting the System provided by the Contractor.
Moreover, the Contractor shall provide support to the Operator to ensure that the documentation and
safety related procedures have been fully assimilated into the Operator’s Safety Management System
and organization.

The Contractor shall provide a definitive Final Safety Case during the Trial Running phase, taking into
account the return of experience accumulated during Trial Running.

The Revenue Service will not start until the definitive edition of the Final Safety Case has been
approved by the Employer/Engineer and the Safety Authority.


5. SAFETY TARGETS
5.1 RISK DEFINITION AND CATEGORISATION
Risk is defined as the combination of the frequency of occurrence of a hazard and the severity of the
consequences of that hazard.
Hazards shall be categorised according to both their frequency of occurrence and their severity, following
the [EN 50126] approach, as described below.

5.1.1 Frequency of occurrence of hazards


The following categories shall be used to classify the frequency of occurrence of hazards:

Frequency of Hazard Occurrence

Category | Probabilities (per hour) | Description
A Frequent | F > 10^-5 | Likely to occur frequently. The hazard will be almost continually experienced.
B Probable | 10^-6 < F < 10^-5 | Will occur several times. The hazard can be expected to occur often.
C Occasional | 10^-7 < F < 10^-6 | Likely to occur several times. The hazard can be expected to occur several times.
D Remote | 10^-8 < F < 10^-7 | Likely to occur sometimes in the system life cycle. The hazard can be reasonably expected to occur a few times over the system life.
E Improbable | 10^-9 < F < 10^-8 | Unlikely to occur but possible. It can be assumed that the hazard may exceptionally occur during the system life.
F Incredible | F < 10^-9 | Extremely unlikely to occur. It can be assumed that the hazard may not occur during the whole system life.
Table 1
The frequency of the hazard shall be assessed for the whole line, taking into account the number of
equipment, except for the rolling stock for which the frequency shall be assessed on a train basis.

5.1.2 Severity of hazards


The following levels shall be used to classify the severity of the consequences of the hazards.
Consequences taken into account are consequences for people, system and environment.

Hazard Severity Levels

Severity Level | Consequences to Persons or Environment | Consequences for system
1 Catastrophic | Fatalities and/or multiple severe injuries and/or major damage to the environment. |
2 Critical | Single fatality and/or severe injury and/or significant damage to the environment. | Loss of train or of a major system
3 Marginal | Minor injury and/or significant threat to the environment. | Severe system(s) damage
4 Insignificant | Possible minor injury. | Minor system damage
Table 2


5.1.3 Risk assessment matrix


As shown in the matrix below, frequency of occurrence and severity of the consequences are
combined together in order to further process the risks.
This matrix presents the possible combinations of frequency of occurrence and severity of the
consequences of the hazards. It also presents the various zones of acceptability of the risk.

Frequency of Hazard Occurrence | Hazard Severity Level: 1 Catastrophic | 2 Critical | 3 Marginal | 4 Insignificant
A Frequent | R1 | R1 | R1 | R2
B Probable | R1 | R1 | R2 | R3
C Occasional | R1 | R2 | R2 | R3
D Remote | R2 | R2 | R3 | R4
E Improbable | R3 | R3 | R4 | R4
F Incredible | R4 | R4 | R4 | R4
Table 3

Where:

Risk | Definition
R1 Intolerable | Unacceptable. Shall be eliminated.
R2 Undesirable | Shall only be accepted when risk reduction is impracticable and with the agreement of the Employer or the local Safety Authority.
R3 Tolerable | Acceptable with adequate control and the agreement of the Client.
R4 Negligible | Acceptable.
Table 4
Each risk shall be assessed to determine which zone it belongs to.
5.2 RISK MITIGATION STRATEGY
According to the level of their acceptability, the risks shall be managed in different ways.

5.2.1 Acceptable and unacceptable risks


As seen above:
- Intolerable risks (R1) are those which have:
  o Catastrophic consequences with a frequency greater than Remote
  o Critical consequences with a frequency greater than Occasional
  o Marginal consequences with a frequency greater than Probable
- Negligible risks (R4) are those which are:
  o Of an Incredible frequency
  o Of an Improbable frequency with consequences less than Critical
  o Of a Remote frequency with consequences less than Marginal
Since no prevention / mitigation measures shall cover these risks, the allocation of risks to these two
categories has to be thoroughly documented.

5.2.2 Other risks


Other risks (R2 and R3) are those risks which have:
- Insignificant consequences with Frequent frequency
- Marginal or Insignificant consequences with Probable frequency
- Critical, Marginal or Insignificant consequences with Occasional frequency
- Catastrophic, Critical or Marginal consequences with Remote frequency
- Catastrophic or Critical consequences with Improbable frequency
These risks need to be discussed in writing and submitted to the Client and/or the Safety Authority for
approval of both the risks and the corresponding prevention / mitigation measures.

5.2.3 Justification, discussion of the mitigation measures


The following shall be addressed:
- Residual risk and cost of the measures. Alternative measures will be proposed.
- The feasibility and cost of the measures is an important part of the justification / discussion.
- Input data used in the assessment, justification and discussion shall be provided with a reference to their origin and a copy of the statements to be considered.
- Measures with SILs equal to or greater than 2 shall be stated in the safety analysis.

5.2.4 Conduct of the safety analysis


Safety analyses shall be conducted with the following minimum requirements:
- The safety objective is reached when the level of risk has reached the "acceptable" area with acceptable justification.
- Every safety related function shall be identified and assessed for its related hazards.
- Every safety related constituent shall be identified and assessed for its related hazards.
- Every safety related interface shall be identified and assessed for its related hazards.

5.2.5 Link between safety objectives and SILs


The following links shall be used:
- Functions whose failure can lead to an R1 risk with catastrophic consequences shall be supported by SIL 4 constituents.
- Functions whose failure can lead to an R1 risk with critical or marginal consequences shall be supported by SIL 3 constituents.
- Functions whose failure can lead to an R3 or R2 risk shall be supported by SIL 2 constituents.
- Functions whose failure can lead to an R4 risk shall be supported by SIL 1 constituents.
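The classification chain of Tables 1 to 4 and the SIL allocation rule of part 5.2.5 are mechanical enough to encode, which is a useful check when a hazard log holds hundreds of entries. The Python script below is an added example written for this edition; it is not part of the plan nor a tool of the Project. It assumes that a frequency falling exactly on a band boundary (left unassigned by the strict inequalities of Table 1) is placed in the more frequent band, and it approximates the line-wide frequency required by part 5.1.1 as the per-unit rate multiplied by the number of units.

```python
"""Risk classification (Tables 1-4) and SIL allocation (part 5.2.5).

Added example, not part of the plan. Boundary handling and the line-wide
aggregation are assumptions stated in the comments below.
"""
from enum import Enum


class Severity(Enum):
    """Table 2 severity levels; the value is the column index in Table 3."""
    CATASTROPHIC = 1
    CRITICAL = 2
    MARGINAL = 3
    INSIGNIFICANT = 4


# Table 1 bands, ordered from most to least frequent, as (category, name,
# lower bound in occurrences per hour). ASSUMPTION: a rate exactly on a
# boundary is placed in the more frequent (more conservative) band.
FREQUENCY_BANDS = (
    ("A", "Frequent", 1e-5),
    ("B", "Probable", 1e-6),
    ("C", "Occasional", 1e-7),
    ("D", "Remote", 1e-8),
    ("E", "Improbable", 1e-9),
    ("F", "Incredible", 0.0),
)

# Table 3, indexed by frequency category, then by severity level 1..4.
RISK_MATRIX = {
    "A": ("R1", "R1", "R1", "R2"),
    "B": ("R1", "R1", "R2", "R3"),
    "C": ("R1", "R2", "R2", "R3"),
    "D": ("R2", "R2", "R3", "R4"),
    "E": ("R3", "R3", "R4", "R4"),
    "F": ("R4", "R4", "R4", "R4"),
}

# Table 4.
RISK_DEFINITION = {
    "R1": "Intolerable",
    "R2": "Undesirable",
    "R3": "Tolerable",
    "R4": "Negligible",
}


def line_frequency(per_unit_rate: float, units: int) -> float:
    """Part 5.1.1: the hazard frequency is assessed for the whole line, taking
    the number of equipment into account. ASSUMPTION: independent units, so
    the line-wide rate is approximated by the sum of the per-unit rates."""
    if per_unit_rate < 0 or units < 1:
        raise ValueError("rate must be >= 0 and units >= 1")
    return per_unit_rate * units


def frequency_category(rate_per_hour: float) -> str:
    """Map an occurrence rate (per hour) to a Table 1 category letter."""
    if rate_per_hour < 0:
        raise ValueError("rate must be >= 0")
    for category, _name, lower_bound in FREQUENCY_BANDS:
        if rate_per_hour >= lower_bound:
            return category
    return "F"  # not reached: the last band's lower bound is 0.0


def risk_class(category: str, severity: Severity) -> str:
    """Table 3 lookup: frequency category x severity -> R1..R4."""
    return RISK_MATRIX[category][severity.value - 1]


def required_sil(risk: str, severity: Severity) -> int:
    """Part 5.2.5: SIL to be supported by the constituents of a function whose
    failure leads to the given risk class."""
    if risk == "R1":
        # R1 with catastrophic consequences -> SIL 4; R1 with critical or
        # marginal consequences -> SIL 3 (Table 3 never yields R1 for
        # insignificant consequences, so no other case exists).
        return 4 if severity is Severity.CATASTROPHIC else 3
    if risk in ("R2", "R3"):
        return 2
    return 1  # R4


def assess(rate_per_hour: float, severity: Severity) -> dict:
    """Run the full chain: rate -> category -> risk class -> definition -> SIL."""
    category = frequency_category(rate_per_hour)
    risk = risk_class(category, severity)
    return {
        "category": category,
        "risk": risk,
        "definition": RISK_DEFINITION[risk],
        "sil": required_sil(risk, severity),
    }


if __name__ == "__main__":
    # Constructed illustration: a hazard estimated at 2e-6 occurrences per
    # hour line-wide with catastrophic consequences.
    print(assess(2e-6, Severity.CATASTROPHIC))
    # Constructed illustration of aggregation: the per-point-machine target
    # of part 5.3.5 (1e-10 /hour) summed over 20 machines (count made up).
    print(assess(line_frequency(1e-10, 20), Severity.CATASTROPHIC))
```

The second constructed run shows why part 5.1.1 insists on a line-wide frequency: a rate that is Incredible per point machine becomes Improbable once twenty machines are counted, and the resulting class moves from R4 to R3.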

5.2.6 Implementation of SIL 4, SIL 3, SIL 2 and SIL 1 constituents


Equipment shall have a SIL at least equal to that of the functions it implements.
As a minimum, SIL 4, SIL 3, SIL 2 and SIL 1 constituents shall comply with the following
requirements.
- Compliance to standards: the EN norms (EN 50126, EN 50129, EN 50128, EN 50159) shall be complied with.
- Quality assurance: the quality of the constituents shall be verified according to a quality plan over the construction and operation phases.
- Safety assurance: the safety of the constituents shall be demonstrated according to a safety plan over the construction and operation phases.


5.2.7 Safety techniques to be used


Recognised techniques used in railway applications for the implementation of SIL 4 or SIL 3 constituents
are as follows:

5.2.7.1 “Fail safe” technique


A constituent (or component) of a system is built on the "fail safe" technique when a failure of this
constituent cannot lead to a more permissive status of that system. For example, a failure of a fail safe
relay cannot lead to a green signal when the signal should be red.
For this technique there is no mathematical estimate of the level of safety of a constituent. The
constituent is considered to be SIL 4 once every hypothesis is verified. It is assumed that the SIL 4
component never fails inside the limits of its specification.

5.2.7.2 “Checked safety” technique


A constituent (or component) of a system is built on the "checked safety" technique when certain failures
of this constituent can be detected by another, independent device. This independent device reads a
safety status of the constituent. When the safety status becomes unsafe due to certain failures of the
constituent, the independent device inhibits the outputs of the constituent. This independent device can
itself be built on the "fail safe" technique.

5.2.7.3 “Probabilistic safety” technique


A constituent (or component) of a system is built on the "probabilistic safety" technique when it can be
demonstrated that failures cannot happen more often than a certain limit. This limit must be justified
as sufficient.
This technique shall be handled carefully.
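To make the difference between the techniques concrete, the following Python model is an added example for this edition, not a design from the plan or from any supplier. It models a signal-control constituent that reports a safety status and a heartbeat, and an independent monitor in the "checked safety" sense that inhibits the constituent's output to the restrictive aspect whenever that status is unsafe or the heartbeat stops; the monitor therefore behaves as a "fail safe" element, since no failure it detects can make the output more permissive. The constituent interface, the single-cycle heartbeat tolerance and the latching of the inhibition until an explicit reset are assumptions of the example.

```python
"""Model of the "checked safety" technique (5.2.7.2) with a "fail safe"
inhibiting device (5.2.7.1). Added example; the constituent, its status
fields and the latching/reset policy are assumptions, not the plan's design.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Aspect(Enum):
    RED = "red"      # restrictive aspect: the safe side
    GREEN = "green"  # permissive aspect: only allowed when everything checks out


@dataclass(frozen=True)
class ConstituentOutput:
    """What the monitored constituent emits each cycle (assumed interface):
    the aspect it commands, its self-reported safety status, and a cycle
    counter that serves as a heartbeat."""
    commanded: Aspect
    safety_status_ok: bool
    cycle: int


class IndependentMonitor:
    """The independent device of the "checked safety" technique.

    It reads the constituent's safety status each cycle and, when that status
    becomes unsafe (self-reported fault, or missing/non-consecutive heartbeat),
    inhibits the constituent's output. Inhibition always resolves to RED, so
    the monitor itself follows the "fail safe" rule. ASSUMPTION: inhibition
    latches until an explicit maintenance reset, so a transient fault cannot
    silently clear itself."""

    def __init__(self) -> None:
        self._last_cycle: Optional[int] = None
        self.inhibited = False

    def _heartbeat_ok(self, cycle: int) -> bool:
        # First message after start/reset is accepted; afterwards the counter
        # must advance by exactly one per cycle.
        return self._last_cycle is None or cycle == self._last_cycle + 1

    def check(self, out: Optional[ConstituentOutput]) -> Aspect:
        """Return the aspect actually driven to the field after checking."""
        if out is None:
            # Silent constituent: treated as unsafe, nothing permissive passes.
            self.inhibited = True
            return Aspect.RED
        if not out.safety_status_ok or not self._heartbeat_ok(out.cycle):
            self.inhibited = True
        self._last_cycle = out.cycle
        if self.inhibited:
            return Aspect.RED
        return out.commanded

    def reset(self) -> None:
        """Explicit reset (assumed maintenance action); the next heartbeat
        re-establishes the cycle sequence."""
        self.inhibited = False
        self._last_cycle = None


def drive(outputs: List[Optional[ConstituentOutput]]) -> List[Aspect]:
    """Feed a sequence of constituent outputs through a fresh monitor and
    return the aspects that reach the field, cycle by cycle."""
    monitor = IndependentMonitor()
    return [monitor.check(out) for out in outputs]


if __name__ == "__main__":
    # Constructed trace: healthy for two cycles, then a self-test failure while
    # the constituent still commands GREEN, then "recovery" without a reset.
    trace = [
        ConstituentOutput(Aspect.GREEN, True, 1),
        ConstituentOutput(Aspect.GREEN, True, 2),
        ConstituentOutput(Aspect.GREEN, False, 3),
        ConstituentOutput(Aspect.GREEN, True, 4),
    ]
    print([a.value for a in drive(trace)])  # ['green', 'green', 'red', 'red']
```

The point of the model is that the constituent keeps commanding GREEN throughout, and only the independent device decides whether that command reaches the field; the constituent's own outputs are never trusted once its safety status has been seen unsafe.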

5.2.7.4 “Safety concept” approach of the programmable electronic equipment


Safety equipment uses safety concepts of the sort defined above. The safety analysis and demonstration
shall include:
- the identification and description of the safety concept used,
- the definition of the hypotheses on which safety relies,
- the complete and precise definition of the safety technique used,
- the safety criteria and requirements to be abided by,
- the methods of verification and validation that need to be carried out to assure safety,
- the specific program plan to be carried out for ensuring safety,
- the identification of the techniques or mechanisms that have not yet been proven safe by a certification body.

5.2.7.5 Use of “safety software”


Safety software, i.e. software executing SIL 4 or SIL 3 functions, shall be developed and demonstrated safe
according to [EN 50128]. The use of formal methods for demonstrating that the software is error free
is highly recommended.

5.2.7.6 Use of “proven safety techniques”


Only proven safety techniques will be allowed to be used for the Project. The safety techniques to be
used shall be presented by the Contractor using them.
Proven safety techniques are those that:
- have already been approved as safe by an independent competent party,
- have been used successfully in revenue service for at least two years since the end of warranty of the system, at the date of the Contractor's bid,
- can be easily customised to the needs of a new project.
Techniques not complying with those requirements, or for which the documentation establishing
compliance with the present requirements is not available or insufficient, will be rejected.

5.2.8 Documentation of SILs and above constituents


Evidence of compliance with the safety requirements of SIL 4 and SIL 3 constituents shall be recorded in
the safety case of the component.
The systems shall be broken down in such a manner that the safety evidence of any part of the system
sustaining SIL 4 or SIL 3 functions can be documented in a specific part of the system safety case.
5.3 SAFETY OBJECTIVES

5.3.1 Approach for safety objectives


Safety objectives are set for several major functions forming part of the HPLM Project. These targets are based
on the results of the Preliminary Hazard Analysis and on a benchmark of modern Rapid Mass Transit
Systems. These objectives apply to the Contractor in charge of providing the function.
The Contractor remains responsible for carrying out hazard analysis and for identifying any additional safety
requirements or Safety Integrity Levels to be met to ensure the reduction of the risks.
However, the result of the safety analysis shall not lead the Contractor to lower the safety objectives
listed below.

5.3.2 Overall System objectives

5.3.2.1 Electrical hazard


Electrical hazards are not only linked to the power supply subsystem. The electrical risk must be treated by
each Contractor in order to protect people against electrocution, and to mitigate the consequences of
stray currents and of the electrical disturbances due to:
- the system on its environment (EMC, EMI, harmonic requirements),
- the environment on the system (EMC, EMI).
Therefore, every Contractor shall produce, for the System it provides, a specific compliance matrix
with at least the following standards:
- EN 50121-1,
- EN 50122-1,
- EN 50122-2.

5.3.2.2 Fire safety requirement


As for the electrical risk, every Contractor shall assess the risk of Fire.

At least, the fire fighting and prevention of the HPLM Transportation system shall be designed taking
into account the NFPA 130 ed. 2007 standard and the Vietnamese regulation (particularly the standard
TCVN-1995 Fire protection of building – Design Requirements).
The Contractor shall produce a Fire Engineering Plan for the system it provides, which shall be
developed into a program indicating the criteria and predicted timings for the choice of materials
(including paints), submission of test certifications and test of materials.
The Contractor shall seek the acceptance of its Fire Engineering Plan by the Engineer.


5.3.3 Structure parts


The Structure parts shall be dimensioned taking into account the environmental risks (fire resistance,
earthquake, flooding, shocks from vehicles, etc.) and the operational risks (vibrations, train or equipment
load, risk of fire, etc.).

5.3.4 Rolling Stock


In addition to the Safety Integrity Levels allocated to the functions listed below, the rolling stock shall
comply with the requirements of the NFPA 130 ed. 2007 standard regarding fire safety.

Safety Functional Requirements | Safety Integrity Level (SIL) associated with system/equipment failure
In case of loss of train integrity, emergency braking shall be triggered on each car of the consist | 4 (safety critical)
In case of emergency braking, the braking performance shall be guaranteed | 4 (safety critical)
Any failure in the braking system shall not lead to a total loss of braking | 4 (safety critical)
Parking brake on each car | 3 (safety critical)
Unwanted opening of a door shall trigger emergency braking | 4 (safety critical)
Movement of the train with an open door shall be prevented | 4 (safety critical)
Kinetic energy of doors shall be limited | 3 (safety critical)
Obstacles shall be detected on door closure | 3 (safety critical)

5.3.5 Track
The frequency of a failure, or of a combination of failures, leading to a potential derailment (undetected
switch movement for instance) shall be less than 10^-10 /hour for each point machine.

5.3.6 Power Supply


Regarding the Emergency Cut-Off system, two approaches are accepted:
- SIL 4 (safety critical) if its implementation relies on a computer based solution and a network, or
- a fail safe hardwired solution using safety relays if its implementation relies on hardware.

5.3.7 Signalling
The following Safety Integrity Levels are required for the main ATC/Signalling functions. The ATC,
ATP and Interlocking System shall at least be assigned an overall SIL 4 level.
The Contractor will remain responsible for performing extensive safety analyses and for allocating
additional Safety Integrity Levels to any safety critical or safety related function.

Safety Functional Requirements | Safety Integrity Level (SIL) associated with system/equipment failure | Comments
Protection against head-on collision between two trains running on the same track towards each other. | 4 (safety critical) | To apply during bi-directional operation and as a consequence of mis-routing. The interlocking should protect against a conflicting route being set.
Protection against side collision between two trains converging to a junction at the same time. | 4 (safety critical) | The interlocking should prevent train conflicts at junctions, making due allowance with respect to clearance points between conflicting trains.
Protection against rear-end collision between two or more trains caused by release of the route ahead of a train when it is not safe to do so (including protection against collision after loss of train detection). | 4 (safety critical) | The Signalling System, in conjunction with the train detection system, should prevent the route being set before the route ahead is clear.
Protection against derailment due to trains over-speeding with respect to permanent or temporary speed restrictions. | 4 (safety critical) | Automatic Train Protection (ATP) should intervene and apply brakes if the driver exceeds the indicated speed restriction.
Protection against derailment caused by point movement under the train or directly over the points. | 4 (safety critical) | The interlocking must establish the correct position of each switchblade and locking mechanism before releasing the route over the points. It should also prevent the points being moved while that section of track is occupied.
Protection of the train against overspeed or non-respect of lineside signalling. | 4 (safety critical) | It includes all the classical ATP functions.
Protection against a train being given a proceed indication before the route is correctly set. | 4 (safety critical) | The interlocking should not allow a train to proceed until it is confirmed that the route ahead is correctly set.
Prevention of mis-routing of a train into an absolute possession. | 4 (safety critical) | The interlocking should prevent the main route being set into a section of track under an absolute possession.

5.3.8 Telecommunication, ICS and OCC


As a minimum, the SIL requirements are the following:
SIL 4 functions:
- The interlocking system,
- All trains stop,
- All traction power cut off,
- Section power cut off,
- Section power re-energization,
- ECO remote override,
- Temporary Speed Restriction (TSR),
- Protection of working area.
SIL 2 (safety related) functions:
- Train traffic follow up,
- Fire fighting system and ventilation control and monitoring,
- Power monitoring.
The Contractor is responsible for identifying any other function which could require a specific SIL.

5.3.9 Operation and Maintenance


Safety related procedures shall be written to ensure:
- a safe utilization of the line for every passenger of the line (in stations, on the line and in trains),
- safe working conditions for operator and maintenance staff within the Main Line and the Depot area.

5.3.10 Depot Equipment


The equipment in the Depot shall ensure a high level of safety for the operator and maintenance staff
during maintenance activities.
The Depot Equipment shall not reduce the safety in operation.
The safety activities related to depot equipment are supported by the Operating and Support Hazard
Analysis (OSHA).


6. SAFETY SUBMISSION
6.1 SAFETY DELIVERABLES
The Contractor shall implement and submit safety supporting documents in accordance with the
System Safety Program Plan, which shall include, but not be limited to, the following documents at the
times indicated in the table below:

Deliverables Master Schedule

Phase columns, in schedule order: Design | Construction Outline | Manufacture & Test End | On-site Installation & Test Running | Trial Running | DLP
(P – Doc. Produce, U – Doc. Update; the marks below are given in the order extracted, their alignment to individual phase columns being lost in extraction.)

Item | Document Description | Phase marks
1 | System Safety Plan | P U U U
2 | Safety Policy | P
3 | System Safety Documentation Submission Schedule | P U U U
4 | Design safety studies | P U
5 | Specific compliance matrix | P U U U U
6 | Fire Engineering Plan | P U U U U
7 | Hazard review procedure | P U
8 | Hazard Log | P U U U U U
9 | Hazard Analysis Report | P U U U U U
10 | Design Safety Case | P U U
11 | DRACAS procedures and reports | P U U U U
12 | Engineering Safety Verification Plan | P U U
13 | Engineering Safety Verification Report | P U
14 | Final Safety Case | P U U
15 | Safety progress reports | P P P P P P
16 | Audit reports | P P P P

6.2 DELIVERABLES SCHEDULE


The Contractor shall provide a System Safety Documentation Submission Schedule. In case this
Schedule is included in the System Documentation Submission Schedule defined in part [2.10], safety
items shall be easily recognizable.
6.3 DELIVERABLES HANDOVER REQUIREMENTS
The format of the deliverables shall respect the contract's requirements.
As a minimum, the handover of the final Hazard Log shall include a fully functional soft copy of the database
together with all passwords, supporting software and instructions on its use and further development
during Revenue Service.


7. APPENDIX 01: V-CYCLE AND TASKS ACCORDING TO STANDARD


7.1 OVERVIEW OF THE SYSTEM DEVELOPMENT V-CYCLE

[Figure: overview of the system development V-cycle; phases as labelled in the figure:]
1. Concept
2. System Definition
3. Risk Analysis
4. System Requirements
5. Apportionment of System Requirements
6. Design & Implementation
7. Manufacture
8. Installation
9. System Validation (including safety acceptance and commissioning)
10. System Acceptance
11. Operation & Maintenance (including performance monitoring), labelled O&M Entity


7.2 SAFETY TASKS AND RESPONSIBILITIES


The table below gives, for each phase of the V-cycle, the safety tasks as indicated in the Standard
[EN 50126].
A responsibility column is added to show who is in charge on the Project.

Lifecycle Phase | Safety Tasks Description | Responsibility

1. Concept (Responsibility: PIC SYSTRA)
   1.1. Review previously achieved safety performance.
   1.2. Consider the safety implications of the project.
   1.3. Review the Safety Policy and Safety Targets.

2. System Definition (Responsibility: PIC SYSTRA / O&M Entity)
   2.1. Evaluate past experience data for safety.
   2.2. Perform the Preliminary Hazard Analysis.
   2.3. Establish the RAMS Management Plan.
   2.4. Define the risk acceptance criteria.
   2.5. Identify the influence on the system safety of the existing infrastructure constraints.

3. Risk Analysis (Responsibility: PIC SYSTRA)
   3.1. Perform the System Hazards and Safety Risks Analysis.
   3.2. Set up the hazard log.
   3.3. Perform the risks assessment.

4. System Requirements
   4.1. Specify the System Safety Requirements (overall). (Responsibility: PIC SYSTRA)
   4.2. Define the safety acceptance criteria (overall). (Responsibility: PIC SYSTRA)
   4.3. Define the safety-related functional requirements of the system. (Responsibility: Contractor)
   4.4. Establish the safety management. (Responsibility: Contractor)

5. Apportionment of System Requirements (Responsibility: Contractor)
   5.1. Apportion the System Safety Targets and Requirements.
        a. Specify the Sub-system and Components Safety Requirements.
        b. Define the Sub-system and Components safety acceptance criteria.
   5.2. Update the System Safety Plan.

6. Design & Implementation (Responsibility: Contractor)
   6.1. Implement the Safety Plan by review, analysis, testing and data assessment, addressing:
        a. The Hazard Log,
        b. The Hazard Analysis,
        c. Justify the safety-related design decisions,
        d. Undertake the Safety Program control, covering:
           i. safety management,
           ii. Control of Sub-contractors and Suppliers.
   6.2. Prepare the Generic Product Safety Case.
   6.3. Prepare (if appropriate) the Generic Application Safety Case.

7. Manufacture (Responsibility: Contractor)
   7.1. Implement the Safety Plan by review, analysis, testing and data assessment.
   7.2. Use the Hazard Log.

8. Installation (Responsibility: Contractor)
   8.1. Establish the Installation Programme.
   8.2. Implement the Installation Programme.

9. System Validation (including safety acceptance and commissioning) (Responsibility: Contractor + O&M Entity)
   9.1. Establish the Commissioning Programme.
   9.2. Implement the Commissioning Programme.
   9.3. Prepare the Application Specific Safety Case.

10. System Acceptance (Responsibility: ISA and/or Safety Authority)
   10.1. Assess the Application Specific Safety Case.

11. Operation and Maintenance (Responsibility: O&M Entity)
   11.1. Undertake on-going safety-centred maintenance.
   11.2. Perform on-going Safety performance monitoring and Hazard Log Maintenance.


8. APPENDIX 02: SOFTWARE RAMS PROGRAM PLAN

Cf. document PIC-TEC-TTS-SAO-L00-74032-E-2A

END OF THE DOCUMENT
