IEC TR 62267-2: Hazard Analysis for Automated Urban Guided Transport (AUGT) Systems

IEC TR 62267-2:2011 — A Comprehensive Top-Level Hazard Analysis Framework for Driverless Urban Rail Systems

Introduction to AUGT Safety and IEC 62267

IEC TR 62267-2:2011 presents a comprehensive top-level hazard analysis for Automated Urban Guided Transport (AUGT) systems — the technology behind driverless metros and automated people movers in cities worldwide. Part 2 of the IEC 62267 series provides the methodological framework and results of a generic hazard analysis conducted to compensate for the absence of a driver or attendant staff from the train. This technical report is an essential reference for transport authorities, safety engineers, and system integrators developing or deploying automated urban rail systems.

The hazard analysis in TR 62267-2 is structured around the basic functions of train operations from IEC 62267:2009: ensuring safe movement, driving, supervising the guideway, supervising passenger transfer, and operating the train. Each function is analyzed independently to identify hazards, causes, triggers, and potential safeguards.

Methodology: From Hazard Identification to Safeguard Allocation

The hazard analysis methodology defined in TR 62267-2 follows a systematic five-step process. First, hazard identification catalogs the top-level hazards that arise as a consequence of train operations (e.g., closing and opening of train doors, obstacles in the guideway). Second, cause identification analyzes why each hazard may lead to an accident. Third, trigger identification determines the events or conditions that turn a hazardous situation into an actual accident. Fourth, each combination of hazard, cause, and trigger is recorded as a hazardous situation, the fundamental unit of analysis. Fifth, possible safeguards are listed for each hazardous situation: design measures that can compensate for the absence of operational staff.

Analysis Element      Definition                                      Example (Door Operation)
Hazard                Inherent condition of the system                Train doors closing
Cause                 Why the hazard may lead to an accident          Passenger trapped between closing doors
Trigger               Event that transitions hazard to accident       Train departs before door obstruction detected
Hazardous Situation   Hazard + Cause + Trigger                        Door closing traps passenger, train departs
Safeguard             Measure to mitigate or eliminate the hazard     Door obstruction detection, interlock with traction

The report explicitly states that the choice of safeguards and the acceptable level of residual risk depend on local safety culture and regulatory requirements. The hazard analysis provides a toolkit — not a prescription. Transport authorities must perform a specific risk analysis tailored to their system environment.

Key Hazard Categories and Their Associated Safeguards

The hazard analysis covers five functional domains: safe movement of trains (collision avoidance, overspeed protection), driving operations (traction control, braking), guideway supervision (obstacle detection, track integrity), passenger transfer supervision (door safety, platform edge protection), and train operation (fire detection, emergency communication). For each domain, the report tabulates specific hazardous situations and cross-references them with possible safeguards drawn from existing AUGT systems in North America, Europe, and Asia.

Notable safeguard categories include train-borne detection systems (obstacle detectors, door obstruction sensors), wayside protection systems (platform screen doors, track vacancy detection), operational procedures (manual intervention by remote operators, emergency evacuation protocols), and communication-based train control (CBTC) architectures that ensure fail-safe train separation even in driverless operation.

Relationship to the Safety Lifecycle (IEC 62278 / EN 50126)

IEC TR 62267-2 is designed to integrate with the railway RAMS (Reliability, Availability, Maintainability, and Safety) lifecycle defined in IEC 62278 (EN 50126). The generic hazard analysis corresponds to lifecycle phases 3 (risk analysis) and 4 (safety requirements specification). By starting from this pre-existing generic analysis, AUGT projects can significantly reduce the effort required for hazard identification while ensuring comprehensive coverage. However, the report stresses that the generic analysis must be complemented by project-specific analysis addressing local conditions, existing infrastructure interfaces, and the prevailing safety culture.

A key engineering insight: the hazard analysis tables in TR 62267-2 serve as an excellent checklist for safety case development. Each hazardous situation can be traced to specific design requirements, verification activities, and acceptance criteria — forming the backbone of a structured safety argument for the AUGT system.

Practical Implications for System Design

For engineers designing AUGT systems, TR 62267-2 provides a structured basis for safety requirements allocation. Each identified safeguard in the hazard analysis can be allocated to a specific subsystem (rolling stock, signaling, platform edge doors, communications) with defined safety integrity levels (SIL). The report emphasizes that safeguards should be diverse and independent to avoid common-cause failures — a principle that drives architectural decisions such as separating train-borne obstacle detection from wayside track vacancy detection.
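The hazard/cause/trigger/safeguard structure from the methodology section and the diversity principle above can be turned into a simple register check. The following is an added example, not code or data from the report: it models each hazardous situation as the report defines it, then flags situations with no allocated safeguard and situations whose safeguards all sit in a single subsystem (a common-cause exposure). The sample register, its subsystem names and its safeguard names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Safeguard:
    name: str
    subsystem: str  # subsystem the safeguard is allocated to (constructed labels)


@dataclass
class HazardousSituation:
    hazard: str
    cause: str
    trigger: str
    safeguards: list = field(default_factory=list)

    def key(self) -> str:
        # Hazard + Cause + Trigger identifies the hazardous situation
        return f"{self.hazard} | {self.cause} | {self.trigger}"


def review_allocation(situations):
    """Return (situation key, finding) pairs for situations failing either check:
    at least one safeguard is allocated, and the safeguards span at least two
    independent subsystems so a single subsystem failure cannot defeat them all."""
    findings = []
    for s in situations:
        if not s.safeguards:
            findings.append((s.key(), "no safeguard allocated"))
            continue
        subsystems = {sg.subsystem for sg in s.safeguards}
        if len(subsystems) < 2:
            only = subsystems.pop()
            findings.append((s.key(), f"all safeguards allocated to '{only}' (common-cause exposure)"))
    return findings


# Constructed sample register, illustrative only (not the report's tables).
SAMPLE = [
    HazardousSituation("Train doors closing", "Passenger trapped between closing doors",
                       "Train departs before door obstruction detected",
                       [Safeguard("Door obstruction detection", "rolling stock"),
                        Safeguard("Door-closed interlock with traction", "signalling")]),
    HazardousSituation("Obstacle in the guideway", "Object not seen by anyone on board",
                       "Train approaches at line speed",
                       [Safeguard("Train-borne obstacle detector", "rolling stock"),
                        Safeguard("Wayside track vacancy detection", "signalling")]),
    HazardousSituation("Overspeed", "Speed not supervised", "Speed restriction ahead",
                       [Safeguard("Onboard speed supervision", "rolling stock"),
                        Safeguard("Onboard brake supervision", "rolling stock")]),
    HazardousSituation("Fire on board", "Fire not noticed by anyone on board",
                       "Train continues to run in a tunnel", []),
]

if __name__ == "__main__":
    for key, finding in review_allocation(SAMPLE):
        print(f"{key}: {finding}")
```

Run as a script it lists the two deficient rows; the same function can be pointed at a full project register exported from the TR 62267-2 tables.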

Commissioning and validation considerations are equally important for AUGT system deployment. The generic hazard analysis provides the baseline, but each specific installation must undergo rigorous testing that validates all safeguard mechanisms under realistic operating conditions. This includes normal service scenarios, degraded modes (such as communication interruptions or sensor failures), and emergency situations (fire, evacuation, medical emergencies on board). The testing philosophy should follow the verification and validation lifecycle defined in IEC 62278, with progressive integration from component testing through subsystem testing to full system acceptance. International experience from systems in cities such as Dubai, Paris, Singapore, and Copenhagen demonstrates that commissioning a new AUGT system typically takes 12 to 24 months of intensive testing before revenue service begins.

Q: What is the difference between IEC 62267-1 and IEC TR 62267-2?
A: IEC 62267-1 (the main standard) specifies safety requirements for AUGT systems. TR 62267-2 documents the generic hazard analysis that underpins those requirements. Think of Part 1 as the “what” and Part 2 as the “why” and “how” of the safety framework.
Q: Can this hazard analysis be applied to conventional (crewed) rail systems?
A: While specifically developed for driverless AUGT systems, the methodology and many of the hazardous situations are applicable to any rail system. The difference lies in the safeguards, which are designed to compensate for the absence of a driver.
Q: How does SIL allocation work in the context of this hazard analysis?
A: The report does not prescribe SILs; these must be determined by project-specific risk analysis. However, the hazard identification and safeguard tables provide the necessary inputs for SIL determination per IEC 61508 methodology.
Q: Is TR 62267-2 applicable to monorail and maglev systems?
A: The AUGT scope includes steel-wheel-on-steel-rail, rubber-tyred, monorail, and maglev systems, as long as they operate in dedicated guideways with full automation. The hazard analysis covers the common functional domains shared by all these technologies.
