
SPECIAL ISSUE PAPER

Risk analysis of level crossing accidents based on systems control for safety

T Kohda1* and H Fujihara2
1 Department of Aeronautics and Astronautics, Kyoto University, Kyoto, Japan
2 Human Science Division, Railway Technical Research Institute, Tokyo, Japan
The manuscript was received on 11 October 2007 and was accepted after revision for publication on 7 February 2008.
DOI: 10.1243/1748006XJRR127

Abstract: Train protection systems in Japan such as signalling systems and level crossing
protection systems have been mostly developed by the improvement of individual subsystems
in their performance as well as specific post-accident measures to prevent similar accidents
from happening again. However, level crossing accidents are still a major contributor to the
total number of railway accidents. The importance of prior risk assessment of the total railway
system increases, and risk management is to be desired for taking efficient measures without
any degradation of the present safety level. This paper, with consideration of accident
sequences and multilayered safety functions, presents a simple feasibility study for quantitative
risk assessment of level crossing accidents with the aim of efficient and effective safety management for Japanese railway systems. Accident scenarios are described which initiate from a
trapped motorcar through the failure of protection systems, including human actions. A simple
phenomenal model is introduced in evaluating the accident occurrence probability. The
positive correlation between the train velocity and accident frequency is derived, which can
be considered acceptable as common sense.
Keywords: Japanese level crossing accidents, train protection systems, system accident
occurrence probability, phenomenal model, probabilistic risk analysis

1 INTRODUCTION
Train protection systems in the Japanese railway
including level crossing protection systems have
been mostly developed as upgrades of individual
subsystems and post-accident measures. Prior assessment of risk has not been executed sufficiently to
influence policy decisions. In recent years, the importance of risk assessment and information disclosure
is greatly increasing in most industrial sectors.
Japanese railways will also be required to adapt to
this trend.

*Corresponding author: Department of Aeronautics and Astronautics, Kyoto University, Kyoto 606-8501, Japan. email: kohda@kuaero.kyoto-u.ac.jp
JRR127 © IMechE 2008

Table 1 shows the recent status of railway accidents in Japan [1]. Railway accidents are, according
to the Japanese MLIT (Ministry of Land, Infrastructure and Transport), divided into seven categories
[2]: I, train collision accident; II, train derailment
accident; III, train fire accident; IV, level crossing
accident; V, roadway interference accident (tramway
accident); VI, human injury accident; and VII, property damage accident. The first three categories,
which are generically and simply called train
accidents, can lead to the most critical consequence.
A level crossing accident, the fourth accident category, is legally defined as collision or contact
between a train and road vehicles or pedestrians at
a level crossing. The fifth category is defined as
collision or contact between a train and road vehicles or pedestrians at a roadway (except a level crossing). This category usually occurs only at the
sections where the roadway and the rail track are in
concomitant use, i.e. tramway. Human injury accident, the sixth category, is defined as accidents
where human injuries or fatalities are caused by railway vehicles operation, except those which should
correspond to categories I to V.

Proc. IMechE Vol. 222 Part O: J. Risk and Reliability

Table 1  Recent status of railway accidents in Japan (April 2004 to March 2005)

                     Number of cases         Number of fatalities
Accident category    Number    Ratio (%)     Number    Ratio (%)
I                    3         0.3           0         0
II                   14        1.1           1         0.3
III                  2         0.2           1         0.3
IV                   367       43.2          122       38.5
V                    72        8.5           12        0.3
VI                   383       45.1          192       60.6
VII                  8         0.9
Total                849       100           317       100

As shown in Table 1, level crossing accidents
account for around half the number of cases and
about 40 per cent of the number of fatalities in recent
years. The sixth category, human injury accident, also
has a similarly large proportion of cases and fatalities as level crossing accidents. Thus, appropriate
measures to prevent level crossing accidents and
human injury accidents are much needed. Almost
all of the human injury accidents are caused by the
suicidal action of the casualties themselves, such as
trespassing [3]. Therefore, most of their root causes
are related to the personal problems of the accident
victims. Further, the preventive measures for this
category of accidents are usually obtained through
the psychological approach and social science. On
the other hand, most of the level crossings in the
Japanese railway are composed of mechanical, electric, and electronic equipment, and so level crossing
accidents can be prevented more suitably by using
technical solutions. Thus, this paper considers the
derivation of a systematic solution for level crossing
accidents as the first step.
Regarding the safety analysis of level crossings,
previous reports studied the effect of the visibility of
crossing rods on the invasion by motorcars [4–6]
and the functional advancement of the obstruction
detector to detect an emergency condition in a level
crossing [7, 8]. Meanwhile, the Railtrack report [9]
tried to perform risk quantification for level crossing
accidents, which was based on a static logical model.
However, these previous studies did not consider
accident sequences and multilayered safety functions. This paper, with consideration of accident
sequences and multilayered safety functions, presents a simple feasibility study for quantitative risk
assessment of level crossing accidents with the aim
of efficient and effective safety management for
Japanese railway systems. Based on the system control function model for safety, this paper obtains
the accident occurrence conditions by considering
available protective systems at the occurrence of a
trapped motorcar. The main subject of this paper is
the development of a framework to compare the
alternative safety measures for a system accident.
First, how a level crossing accident occurs is analysed based on the concept of control functions for
safety to obtain occurrence conditions for a collision
accident at a typical Japanese level crossing; their
occurrence probabilities are then evaluated using a
simple phenomenon model. This model shows the
positive correlation between accident occurrence
probability and train speed, which reasonably corresponds to common sense.
2 ACCIDENT OCCURRENCE CONDITIONS BASED ON CONTROL FUNCTIONS FOR SAFETY
2.1 Accident occurrence conditions
Generally speaking, to prevent and mitigate a system
accident, several types of safety protection systems
are installed in such large-scale systems as nuclear
and chemical plants and railway systems. The concept of independent protection layers [10] or
defence in depth [11] is considered as a general
approach for safety design in these complex systems.
To mitigate the effect of a failure of some protection
system, another independent protection system is
installed as back-up in the system. To obtain the
merits of redundancy, the independence of protection systems must be maintained. Otherwise, an
unexpected dependency may affect the system
safety. Table 2 shows examples of multilayered protection systems in a Japanese railway system [12].
Considering the occurrence of an accident in this
kind of system, the accident occurs owing to the failure of its control functions for safety [13]. Here, control functions for safety mean not only safety
protection systems, but also human actions to reduce
the risk caused by a disturbance or component failure. A control system for safety corresponds to a set
of components which accomplish a control function
for safety. If a control system for safety is normal, it
can accomplish its function to prevent or mitigate a
disturbance. Thus, for a system accident to occur,
the following two conditions must be satisfied.
Condition 1 (C1) A disturbance, such as an erroneous human
action or a component failure, must occur
that can cause an initial deviation leading to a system
accident.
Condition 2 (C2) The control systems for safety that could
prevent or mitigate the disturbance must fail.

Table 2  Examples of multilayered protection systems in railway systems

Levels of protection            Accident case I:                          Accident case II:
                                Railway signal violation                  Level crossing accident

Level I                         Quality improvement of train drivers      Prevention of road vehicles'
(Prevention of failures)        Reliability improvement of signal system  incautious approach to the
                                                                          level crossing

Level II                        Automatic train stop (ATS)                Easily escapable crossing rod
(Prevention of                  Fail-safe mechanism in signal system      at exit
critical conditions)

Level III                       Catch point                               Obstruction detector
(Prevention of                  (Transmission of train protection         Emergency brake of train
accidental progression)         radio signal)

Level IV                        Transmission of train protection          Transmission of train
(Mitigation of                  radio signal                              protection radio signal
accident consequence)           Accident restoration work                 Accident restoration work

Fig. 1 Event tree for a system accident

Figure 1 shows accident occurrence conditions in
terms of the event tree representation. An accident
sequence can be obtained by tracing the branches
from left to right. For example, by tracing the upper
branch for each divided branch, event sequence
I*S1 can be obtained, which represents a logical
AND combination of the occurrence of a disturbance,
I, and the success of safety control function 1. Consequence 'No Damage' means success in preventing
a system accident. Similarly, an event sequence
leading to a fatal damage is obtained as I*F1*F2,
which represents a logical AND combination of the
occurrence of a disturbance, I, the failure of safety
control function 1, F1, and the failure of safety control function 2, F2. Thus, the accident occurrence
condition in the event tree can be represented as a
logical AND combination of the occurrence condition of a disturbance (which corresponds to C1)
and failure conditions of safety control systems
related to the disturbance (which correspond to C2).
To obtain the accident occurrence conditions, both
the disturbances leading to system accidents and
the control systems for safety related to them must
be identified. In Fig. 1, control functions are safety
control functions 1 and 2. Condition C1 corresponds
to I, while condition C2 corresponds to F1*F2.
2.2 Occurrence conditions of disturbances
To identify a disturbance or initiating event which
can lead to a system accident, there are two types of
approaches: bottom-up and top-down. The former
corresponds to failure-mode-and-effects analysis
(FMEA) [14], while the latter corresponds to fault
tree analysis (FTA) [15]. In FMEA, the possible effect
of a component failure, human erroneous action, or
external event is evaluated from the component level
to the system level using functional relations among
components in the system hierarchical structure.
Based on its effect on the system, a disturbance to
be considered for the safety design can be selected.
On the other hand, in FTA, an end state, or a system
accident to be prevented and mitigated, is first
defined, and then a logic tree is constructed step by
step, which shows the cause-effect relation between
the system accident and basic events representing
component failures and human errors. Minimal
combinations of basic events leading to the system
accident can be obtained, each of which corresponds
to an occurrence condition of the specified system
accident. In this paper, the FMEA approach is applied
to the selection of an initiating event based on the
previous accident data. So, disturbances to be mitigated are assumed at first.
2.3 Failure conditions of control systems for safety
Control functions for safety, which can prevent or
mitigate a specific abnormal event, are generally
composed of three basic functions: detection, diagnosis, and execution. Detection consists of monitoring system states continuously or periodically to
obtain information on the current state of the plant,
and detecting its abnormality. Diagnosis is composed
of identifying the cause of the system abnormality
and selecting an appropriate control action. Execution corresponds to the execution of the selected control action. Corresponding to these basic functions, a
control system for safety can be composed of three
parts: the sensing part, controlling part, and executing part. The primary function of a component can
clarify which part of a control system for safety it
constitutes. For each disturbance or initiating event,
control systems for safety which can prevent it must
be identified. By examining whether its sensing part
can detect the effect of a disturbance or not, a control
system for safety related to the accident can be easily
identified. Tracing the information flow from the sensing part, the whole structure of a control system for
safety can be identified, where each function can be
achieved by a different system component such as
human operator or computerized machine.
In obtaining failure conditions of a control system
for safety, its decomposition into sensing, controlling, and executing parts can clarify what kinds of
dysfunction can happen. For a control function for
safety to work successfully, all three basic functions
must work successfully. Thus, the failure condition
of a control system for safety can be obtained as a
logical OR combination of failure conditions of each
part. For example, consider an operator recovery
action initiated by an alarm. The alarm corresponds
to the detection of a disturbance, and the operator
plays the role of diagnosis of the disturbance and
the execution of an appropriate action. In this case,
both the normal function of the alarm and the
successful performance of the human operator are
essential to accomplish the control function for
safety. Human errors such as perceptional error and
omission error must be considered based on the
diagnosis and execution actions required of human
operators. Human factor analysis [16] should be
performed by focusing on the basic functions allocated to operators, which can also clarify the necessary interactions of human operators with system
components.
3 LEVEL CROSSING ACCIDENTS
In the following section, consider the risk caused by
a trapped vehicle in a level crossing as shown in
Fig. 2. When a train approaches a level crossing,
the automatic approaching train detector makes the
level crossing signals ring and flash. Simultaneously,
crossing rods automatically begin to fall down to
close the level crossing and block the entry of road
vehicles and pedestrians. If a road vehicle or pedestrian is trapped in the closed level crossing, the
obstruction detector will detect it, mainly as the
interception of an infrared ray. At the same time, a
driver in the trapped vehicle also can push on the
obstruction warning device to activate the special
signal. Then, the special signal will flash and inform
the train driver about the emergency. The train driver
will brake the train immediately after detecting the
signal flashing and ringing. Even if the train driver
passes by the special signal without noticing its alert,
he can perform an emergency stop by catching sight
of the trapped motorcar himself.

Fig. 2 Typical level crossing system in Japan

3.1 Level crossing protection system in the Japanese railway
A brief history of level crossing protection systems
in the Japanese railways is summarized as follows
[17, 18]. In the 1920s, about 50 years after the start of
the Japanese railway, collision accidents of trains
and road vehicles at level crossings increased. Soon
afterwards, some safety devices were developed and
introduced to prevent these accidents: automatic
approaching train detectors in 1928 and crossing rods
of the mechanical falling type in 1930. In 1952, when
crossing rods of the automatic falling type combined
with automatic approaching train detector were introduced, the basis of the modern style of Japanese level
crossing system was established. Then, level crossing
obstruction detectors, one of the most important
devices for today's level crossing safety, were introduced as additional equipment in 1962.
3.2 Level crossing model
As shown in Fig. 2, the following equipment and
devices are assumed to make up the level crossing
protection systems considered in this paper.
a1. An automatic approaching train detector detects
the approach of a train and controls the level crossing
system by activating level crossing gates and level
crossing signals.
a2. Level crossing obstruction detectors detect the
existence of pedestrians and vehicles trapped in the
level crossing and turn on special signals to stop an
approaching train.
a3. A driver in the trapped vehicle can turn on the
special signal by pushing on the obstruction warning
device of the signal to inform the driver of the
approaching train about the emergency.
3.3 Accident scenarios
Collision objects related to level crossing accidents
include motorcars, motorcycles, bicycles, and pedestrians. Recent statistics [1] show that motorcars
amount to about two-thirds of total collision accidents. Also, owing to their weight and size, motorcars
as collision objects can lead to the most severe consequences. Meanwhile, the immediate causes of level
crossing accidents include trapping (a motorcar
comes first to the level crossing) and side collision
(a train comes first). Trapping is mostly caused by
errors of car drivers such as running off and rushing,
engine stall, or a traffic jam at the level crossing exit.
In recent years, about three-quarters of level crossing
accidents have trapping as the direct cause [19]. This
means collision between a trapped motorcar and a
train is the most typical pattern of level crossing accidents in Japan. Thus, the following initiating event is
assumed in this example.
a4. A motorcar is trapped in the closed level crossing
and has no chance of evacuation.
Under this condition, a level crossing accident can
occur if the train cannot stop in front of the level
crossing.
3.4 Control systems for safety
To obtain the accident occurrence conditions, the
first step is to identify control systems for safety (or
protection systems) which can prevent the accident
caused by a trapped motorcar. The first necessary
function is to detect the occurrence of the trapped
motorcar. The trapped motorcar can be detected in
the following three ways: S1, detection by the
obstruction detector; S2, detection by the driver
of the trapped motorcar, who pushes on the
obstruction warning device; and S3, detection by the driver of the
approaching train by sight.
For each case, the controlling and executing parts of
the corresponding protection system are identified
as follows.
S1. The obstruction detectors activate the special signal to inform the train driver about the
emergency; he notices the signal and brakes the
train.
S2. The special signal activated by the driver of the
trapped motorcar directs the driver of the approaching train to brake.
S3. The train driver brakes the train by himself.
From the viewpoint of control systems for safety, the
difference between S1 and S2 exists only in the sensing part, while their controlling and execution parts
are the same. Thus, they should be combined into
one control system for safety. This combined control
system is denoted as (S1 + S2), which means a
logical OR combination of S1 and S2. In S3, the train
driver himself performs all functions of a control system
for safety. The primary control system is for the train
driver to stop the train with the aid of obstruction
detectors and special signals. The other control system is the train driver by himself, who detects the
trapped motorcar and brakes the train. This system
can function only if the primary control system fails.
Thus, two control systems for safety can be identified. Note that all control systems for safety include
the train driver as their controlling and execution
parts. Accident sequences can be obtained as shown
in Fig. 3, with an initiating event, a trapped motorcar,
and two control functions for safety: (S1 + S2), train
stop with special signal; and S3, train stop with
driver's visual recognition. In this example, since
'accident' is defined as collision between a train
and a motorcar at a level crossing, the safe state should
correspond to 'no accident'.

Fig. 3 Event tree representation
Initiating event: Motorcar Trapped (Occurrence)
  Safety Control Function (S1+S2), Train Stop with Special Signal: Success -> NO ACCIDENT
  Safety Control Function (S1+S2), Train Stop with Special Signal: Failure
    Safety Control Function (S3), Train Stop with Driver's Visual Recognition: Success -> NO ACCIDENT
    Safety Control Function (S3), Train Stop with Driver's Visual Recognition: Failure -> ACCIDENT

3.5 Accident occurrence conditions

3.5.1 Initiating events
Primary causes of trapped motorcars in a level crossing are as follows [19]: errors of a motorcar driver in
detecting the warning signal at the level crossing
such as his slip (denoted as I1), a traffic jam in the
front owing to the motorcar driver's judgement error
or violation (denoted as I2), and motorcar failure or
lack of motorcar driver's skill (denoted as I3).
For simplicity, the following assumption is made
on the occurrence of a trapped motorcar.
a5. Initiating events occur statistically independently,
and the average occurrence rate of trapped motorcars can be obtained based on the previous accident
data at the level crossing.
The effect of the operating conditions of the train can
be obtained by the risk analysis of the average cumulative frequency during a specific operating period.
3.5.2 Failure conditions of protection systems
Failure conditions of protection using the special signal to stop the train and those of direct protection by
the train driver can be obtained as the fault tree
representations [15] in Figs 4 and 5, respectively. In
Fig. 4, basic events (component failure or human
error) and intermediate events are denoted in terms
of Am, Amn, Amnh, and Amnhi, where
m, n, h, and i are specific index numbers, while
Bm denotes a basic event in Fig. 5.
Both of the control functions for safety are composed of three basic functions: detection, diagnosis,
and execution. All basic functions must work for the
corresponding control function. Thus, failure conditions of a control function can be represented as
logical OR combination of failure of each basic function at the first stage. Note that some basic functions
are considered to be combined into one function.
In control system S3, for example, the basic function
of detection is provided by the train driver, and its
failure is represented as B1 in Fig. 5. Since the train
driver takes a protection action immediately after
the detection of an emergency condition, the diagnosis function can be combined with the detection one.
The execution is the train driver's stopping action,
whose failure is B2 in Fig. 5. Even if the driver takes
a normal response, the brake failure nullifies the
safety control action. So, the train's brake system failure,
B3, is added as a cause of the failure condition. Since
any of the failure conditions B1, B2, and B3 can cause
the safety control failure, they are connected as a
logical OR combination. In this way, failure conditions for each control function are represented by
their detailed function failure conditions.
3.5.3 Accident occurrence conditions
According to the event tree shown in Fig. 3, an accident
occurs if the initiating event occurs with failures of
control systems (S1 + S2) and S3. Thus, logical AND
combinations of occurrence conditions for a trapped
motorcar, failure conditions of the control system
(S1 + S2), and failure conditions of the control system
S3 give accident occurrence conditions. Failure conditions of control systems (S1 + S2) and S3 are obtained
from fault trees in Figs 4 and 5, respectively. Thus, accident conditions are obtained as follows:

    (I1 OR I2 OR I3)
    AND [{(A1111 OR A1112 OR A112)
          AND (A121 OR A1221 OR A1222)}
         OR (A21 OR A22) OR (A31 OR A32 OR A33)]
    AND (B1 OR B2 OR B3)

The above equation is a logical AND combination of
three main terms. The first term (I1 OR I2 OR I3)
represents the occurrence conditions of a trapped
motorcar, meaning that a trapped motorcar is caused
by any of I1, I2, and I3. The second [ ] term
corresponds to the failure conditions of the control
system (S1 + S2), whose logical expression can be
obtained from the fault tree in Fig. 4. By sequentially
replacing an upper event by either AND or OR combination of its lower events, depending on the logical
gate, the second [ ] term can be obtained. The last
term (B1 OR B2 OR B3) means the failure conditions
of control system S3 represented by the fault tree in
Fig. 5. Expanding the above equation into logical OR
of logical AND of basic events, each logical AND
combination represents a minimal cut set (or a minimal combination of basic events which causes an
accident). In this case, 127 minimal cut sets are
obtained.

Fig. 4 Fault tree for control system (S1 + S2)
Failure of Train Stop with Special Signal (CFS1) [OR]
  Detection Failure of Trapped Motorcar (A1) [AND]
    Obstruction Detector's Failure of Detection (A1-1) [OR]
      Obstruction Detector Failure (A1-1-1) [OR]
        Infrared Emitter Failure (A1-1-1-1)
        Infrared Receiver Failure (A1-1-1-2)
      Undetected Position of Objects by Detectors (A1-1-2)
    Detection Failure with Obstruction Warning Device (A1-2) [OR]
      Failure of Obstruction Warning Device (A1-2-1)
      Failure to Push on Obstruction Warning Device (A1-2-2) [OR]
        Person's Ignorance of Device (A1-2-2-1)
        Nonexistence of Persons Concerned (A1-2-2-2)
  Control Failure by Special Signal (A2) [OR]
    Failure of Special Signal (A2-1)
    Failure of Transfer System of Special Signal (A2-2)
  Failure of Stopping Procedure (A3) [OR]
    Train Driver's Failure of Detecting Special Signal (A3-1)
    Train Driver's Failure of Stopping Action (A3-2)
    Train's Brake System Failure (A3-3)

Fig. 5 Fault tree for control system S3
Failure of Train Stop with Driver's Visual Recognition (CFS2) [OR]
  Train Driver's Failure of Detecting Trapped Vehicle (B1)
  Train Driver's Failure of Stopping Action (B2)
  Train's Brake System Failure (B3)=(A3-3)
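
Section 2.1 requires protection layers to be independent, yet Figs 4 and 5 share one basic event, the train's brake system failure (B3)=(A3-3). The following added example (not the authors' code) evaluates the accident condition given a trapped motorcar exactly, by enumerating basic-event states, and compares it with the product of the two layers' failure probabilities. All probability values are constructed, and basic events are assumed statistically independent.

```python
from itertools import product

# Constructed per-demand probabilities (NOT from the paper). Event names follow
# the accident condition in the text. "B3" also stands for A33, because Fig. 5
# states (B3)=(A3-3): both fault trees contain the same brake system failure.
PROBS = {
    "A1111": 1e-3,  # infrared emitter failure
    "A1112": 1e-3,  # infrared receiver failure
    "A112": 1e-2,   # undetected position of objects by detectors
    "A121": 1e-3,   # failure of obstruction warning device
    "A1221": 0.1,   # person's ignorance of device
    "A1222": 0.2,   # nonexistence of persons concerned
    "A21": 1e-3,    # failure of special signal
    "A22": 1e-3,    # failure of transfer system of special signal
    "A31": 0.01,    # train driver fails to detect special signal
    "A32": 0.005,   # train driver fails in stopping action (signal path)
    "B1": 0.02,     # train driver fails to detect trapped vehicle
    "B2": 0.005,    # train driver fails in stopping action (visual path)
    "B3": 1e-4,     # train's brake system failure (= A33)
}


def fails_s1_s2(e):
    """Fig. 4: failure of train stop with special signal."""
    detection = (e["A1111"] or e["A1112"] or e["A112"]) and (
        e["A121"] or e["A1221"] or e["A1222"]
    )
    control = e["A21"] or e["A22"]
    stopping = e["A31"] or e["A32"] or e["B3"]
    return detection or control or stopping


def fails_s3(e):
    """Fig. 5: failure of train stop with driver's visual recognition."""
    return e["B1"] or e["B2"] or e["B3"]


def probability(predicate, probs):
    """Exact probability that predicate holds, summed over all event states."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if predicate(state):
            weight = 1.0
            for name, occurred in state.items():
                weight *= probs[name] if occurred else 1.0 - probs[name]
            total += weight
    return total


def accident_given_trapping(probs):
    """Return (exact, naive) probability that both layers fail.

    exact: evaluates the AND of both fault trees on the same event states,
           so the shared brake failure is counted once.
    naive: multiplies the two layer failure probabilities as if the layers
           were independent.
    """
    exact = probability(lambda e: fails_s1_s2(e) and fails_s3(e), probs)
    naive = probability(fails_s1_s2, probs) * probability(fails_s3, probs)
    return exact, naive


if __name__ == "__main__":
    exact, naive = accident_given_trapping(PROBS)
    print(f"exact P(accident | trapped motorcar) = {exact:.3e}")
    print(f"product of layer failure probabilities = {naive:.3e}")
    print(f"underestimate from assuming independence: {100 * (1 - naive / exact):.1f}%")
```

With these constructed values the independent-layer product understates the result because the single-event cut set (B3) defeats both layers at once.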

Human error probabilities are considered to be
much higher than hardware component failure probabilities. Since hardware component failure probabilities are relatively low, higher-order product terms of
hardware component failures are negligible.
Thus, the 15 minimal cut sets simplified under these
assumptions are obtained as shown in Table 3. A logical AND combination of basic events in a minimal
cut set shows an accident condition.
If the train driver does not notice the special signal (represented by
A31), he can find the emergency only by
sight. However, if a driver fails in the
operation of the stopping action after noticing the special signal, it seems impossible that he can stop the
train by his own visual recognition. Considering this dependency between successive driver actions, the minimal
cut sets can be simplified further as shown in Table 4.
The potential significant contributors to an accident
are the train driver's loss of braking action (represented by A32) and the failure of the train brake system (represented by B3). However, comparing their
failure frequencies, the latter can be neglected and
the driver's actions are the most important.

Table 3  Simplified minimal cut sets for accident occurrence

Simplified minimal cut sets
(I1, A31, B1), (I1, A31, B2), (I1, A32, B1), (I1, A32, B2)
(I2, A31, B1), (I2, A31, B2), (I2, A32, B1), (I2, A32, B2)
(I3, A31, B1), (I3, A31, B2), (I3, A32, B1), (I3, A32, B2)
(I1, B3), (I2, B3), (I3, B3)

4 OCCURRENCE PROBABILITY OF LEVEL CROSSING ACCIDENTS
4.1 Context dependency in accident scenarios
The event tree in Fig. 3 assumes that all protection
systems installed in a level crossing are available,
and first the protection system with the special signal
tries to prevent the accident; in the worst case the
driver himself can brake the train by noticing the
trapped motorcar. However, depending on the train
position when a motorcar is trapped in the level
crossing, the effective protection systems vary, resulting in different accident sequences. In this section,
depending on the train's velocity and position when
a motorcar is trapped, how the accident scenario
changes will be investigated. To simplify the discussion, the following assumptions are made on the
trapped motorcar and the train operation.
b1. A single direction of the railway track is considered.
b2. The train passes over an automatic approaching
train detector at a velocity of V m/s, and continues
to run at the same velocity until its driver brakes.
b3. At the level crossing with signals flashing and
ringing, the occurrence rate of a trapped motorcar is
constant, denoted as λ times/h.
At the first step, examine whether the running train
can be stopped before the level crossing by the train
driver's braking action. If the driver tries with the
train running at the velocity of V m/s, the minimal
distance necessary for the train to stop, Dmin (m),
can be calculated as

$$D_{\min} = \frac{V^2}{2a}$$

where a denotes the constant deceleration (m/s²).
Here, value a is fixed so as to satisfy the Japanese
regulation [20] that the necessary distance to stop
trains by initiating an emergency brake must be less
than or equal to 600 m. Since the maximal velocity
of a conventional train is 140 km/h, or 38.9 m/s, a
can be estimated as 1.26 m/s². This value is applied
in the current example. For V = 80 km/h, Dmin =
196.0 m. Unless a special signal is identified at least
600 m before a level crossing, a local train with the
maximal velocity cannot stop before the level
crossing. Note that the value of a is dependent on
the weather conditions in such a way that it
decreases in rainy conditions.
The following characteristic values of the level crossing system are defined as shown in Fig. 6: Dc (m) is the
distance of the automatic approaching train detector
from the level crossing; Ds (m) is the distance of the
special signal from the level crossing; Dsh (m) is the
maximal distance from the level crossing at which a
train driver can identify the state of the special signal
visually; Dh (m) is the maximal distance from the level
crossing at which a train driver can identify its state
visually.
Generally speaking, it can be assumed that
b4. Dc > Ds > Dh

Table 4

Finally simplified minimal cut sets


Simplified minimal cut sets

(I1,
(I1,
(I1,
(I1,

A31, B1),
A31, B2),
A32),
B3),

(I2,
(I2,
(I2,
(I2,

A31, B1),
A31, B2),
A32),
B3),

(I3,
(I3,
(I3,
(I3,

Proc. IMechE Vol. 222 Part O: J. Risk and Reliability

A31, B1),
A31, B2),
A32),
B3)

Depending on the necessary distance to stop the


train Dmin, and the train drivers visible distances
Dsh and Dh, the availability of protection systems
(S1 S2) and S3 can be determined as follows.
C1. Dmin > Dsh: Neither of the protection systems
(S1 S2) and S3 functions; the train driver cannot
prevent a collision accident.
Fig. 6 Characteristic distances of level crossing (diagram labels: train driver's cabin, train, level crossing, special signal, automatic approaching train detector; distances Dsh, Dh, Dc, Ds)

Table 5 Average frequency of trapping

Trapping condition   Available protection systems   Average cumulative frequency
Dc > Dt > Ds         1 & 2                          λ(Dc − Ds)/V
Ds > Dt > Dmin       2                              λ(Ds − Dmin)/V
Dmin > Dt            Null                           λDmin/V

C2. Dsh > Dmin > Dh: Only protection system (S1 S2)
can function; special signals can prevent a collision
accident, but the train driver cannot prevent it by
himself.
C3. Dh > Dmin: Both protection systems (S1 S2) & S3
can function; with special signals or the sight of level
crossing, the train driver can prevent a collision
accident.
Distances Dc, Ds, Dh, and Dmin are determined by the
facility of a level crossing, its environmental conditions, and the operating conditions or speed of trains.
Train operating condition affects the availability of
protection systems as shown above and the integrity
of the overall level crossing system. Further, in a
practical case, characteristic values of distance parameters depend on the geographical factors such as
undulations and curvature of a railway track, as well
as the weather conditions.
In the following discussion, consider case C3 to
evaluate accident occurrence probability. For simplicity, the following assumption is made.
b5. The train track is straight with an unobstructed view.
4.2 Occurrence probabilities of basic events
4.2.1 Occurrence of trapped motorcars
A trapping can occur if a motorcar enters the level
crossing after a train passes over the automatic
approaching train detector. From assumption b3 on
the occurrence of a trapped motorcar, the average
cumulative trapping frequency during time period
Dc/V (s) when crossing rods are activated can be
obtained as λDc/V times according to the Poisson
distribution. Let Dt (m) denote the distance of the
train from the level crossing when a motorcar is
trapped. Depending on Dt, the availability of protection systems (S1 S2) and S3 changes according to
conditions C1, C2, and C3, which also modifies its
accident scenario. Consider the case where
b6. Dc > Ds > Dh > Dmin
and available protection systems and the average
cumulative trapping frequency can be obtained as a
function of Dt, as shown in Table 5.
For each trapping condition, accident scenarios
can be obtained using the available protection systems. The sum of average cumulative frequency
amounts to the average cumulative occurrence frequency of trappings. Multiply the frequency of trains
running at the velocity of V (m/s) by the average
cumulative occurrence frequency to give the basic
occurrence frequency of trappings.
4.2.2 Failure of protection systems
Generally speaking, compared with hardware component failure probability, human error probability
is much higher. Human error related to the operation
of stopping the train is the most significant contributor to the failure of protection system (S1 S2).
Similarly, for the protection system S3, human error
probability is much higher than failure probability
of the brake system.
In the evaluation of human error probability in the
stopping action, HEART (human error assessment
and reduction technique) [21] is applied in this
paper. The operation of stopping the train is composed of perceiving the abnormal conditions by seeing the special signal or the sight, and braking the
train immediately. This task corresponds to general
task type E in the classification by HEART, which is
a well-trained quick task that does not require much
skill. The basic error probability is 0.02 per demand.
4.3 Quantitative risk assessment
4.3.1 Occurrence of trapped motorcars
Depending on train position Dt (m) when a motorcar is trapped in the level crossing, the accident
occurrence probability can be obtained as shown in
Table 6. The average frequency per month of accident conditions is obtained as the average cumulative frequency in Table 5, multiplied by the number
of trains per month passing the level crossing at the
velocity of V (m/s).
4.3.2 Numerical example
The following parameter values are assumed regarding the level crossing systems.
b7. Average number of trains running at the velocity
of V (m/s) is 3600 per month.
b8. Occurrence rate of a trapped motorcar per
passing train, λ, is 0.0001 (times/h).
b9. Ds = 0.9 (km) and Dc = 1.2 (km).
b10. Human errors occur independently, whose
occurrence probabilities are 0.02 per demand.
In order to consider the effect of train velocity on
the accident frequency, obtain the accident frequency for V = 80, 90, 100, 110 (km/h). Table 7 shows
the results. These results show that the accident
occurrence frequency increases as the train velocity
increases from 80 (km/h) to 110 (km/h). The period
when the level crossing is closed is shorter as the
train velocity increases, leading to the decrease of
trapping frequency. On the other hand, the period
when no protection system is available increases
because the exposure time to fatal trapping is given
as (Dmin/V = V/(2a)). Since the accident occurrence
probability (AOP) under conditions where protection
systems are available is much lower than the AOP
without protection systems, the increase of the period
when no protection system is available has a considerable effect on the accident frequency. In total, the
accident frequency increases as the train velocity
increases. Note that this evaluation does not consider
the effect of train velocity on operation errors of the
train driver. As the train velocity increases, the available time for the preventive action becomes less
and the visibility also becomes worse, leading to the
increase of human errors. Thus, the human factor
[16] must be considered for the improvement of the
proposed model.
Further, reducing the train velocity will reduce the
accident frequency, but only marginally. If the risk
of level crossing accidents is still rather high, some
protective measures must be considered. However,
the above analysis shows that the most significant
contributing factor to the collision accident is the
uncontrolled area owing to the train inertia. No protection system is effective to reduce the inertia effect.
To reduce the uncontrolled area, a more powerful
brake system should be developed to reduce the
necessary distance to stop, or the occurrence rate of
a trapped motorcar should be reduced. In this sense,
the prevention of an initiating event should be considered first, and then the residual risk should be
mitigated by addition of protection systems.

Table 6 Accident occurrence condition and probability

Condition        MCS for FPS                   AOP under condition
Dc > Dt > Ds     (A31, B1), (A31, B2), (A32)   Pr{A31}[Pr{B1} + (1 − Pr{B1})Pr{B2}] + (1 − Pr{A31})Pr{A32}
Ds > Dt > Dmin   (A31), (A32)                  Pr{A31} + (1 − Pr{A31})Pr{A32}
Dmin > Dt        (1)

Note: MCS denotes minimal cut sets; FPS denotes failure of
protection system; AOP denotes accident occurrence probability;
(1) means that it is always true.

Table 7 Accident frequency

Trapping condition   Trapping frequency   AOP under condition   Accident frequency

(a) V = 80 (km/h)
Dc > Dt > Ds         0.001 35             0.0204                2.75 × 10^-5
Ds > Dt > Dmin       0.003 17             0.0396                0.000 125
Dmin > Dt            0.000 882            1                     0.000 882
Total                0.005 40                                   0.001 03

(b) V = 90 (km/h)
Dc > Dt > Ds         0.001 20             0.0204                2.45 × 10^-5
Ds > Dt > Dmin       0.002 51             0.0396                0.000 103
Dmin > Dt            0.000 992            1                     0.000 992
Total                0.004 80                                   0.001 12

(c) V = 100 (km/h)
Dc > Dt > Ds         0.001 08             0.0204                2.20 × 10^-5
Ds > Dt > Dmin       0.002 14             0.0396                8.47 × 10^-5
Dmin > Dt            0.001 10             1                     0.001 02
Total                0.004 32                                   0.001 21

(d) V = 110 (km/h)
Dc > Dt > Ds         0.000 98             0.0204                2.00 × 10^-5
Ds > Dt > Dmin       0.001 74             0.0396                6.87 × 10^-5
Dmin > Dt            0.001 21             1                     0.001 21
Total                0.003 93                                   0.001 30
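The calculation behind Tables 5 to 7, as an added Python example that is not from the paper: it combines Dmin = V²/(2a), the Table 5 exposure times and the Table 6 AOP expressions under assumptions b7 to b10, and returns the per-zone and total accident frequencies per month. Assigning 0.02 to each of A31, A32, B1 and B2, converting λ from per hour to per second, and all function and variable names are assumptions made here.

```python
A_DECEL = 1.26                # m/s^2, deceleration estimated in the text
LAMBDA_PER_S = 0.0001 / 3600  # b8, converted from times/h (assumption)
TRAINS_PER_MONTH = 3600       # b7
D_S, D_C = 900.0, 1200.0      # b9, in metres
P_ERR = 0.02                  # b10, assumed for A31, A32, B1 and B2 alike


def d_min(v_ms, a=A_DECEL):
    """Minimal stopping distance Dmin = V^2 / (2a) in metres."""
    return v_ms ** 2 / (2 * a)


def aop_both(p=P_ERR):
    """Table 6, Dc > Dt > Ds: cut sets (A31, B1), (A31, B2), (A32)."""
    return p * (p + (1 - p) * p) + (1 - p) * p


def aop_single(p=P_ERR):
    """Table 6, Ds > Dt > Dmin: cut sets (A31), (A32)."""
    return p + (1 - p) * p


def accident_rows(v_kmh, a=A_DECEL):
    """Per-zone (condition, trapping freq, AOP, accident freq) per month."""
    v = v_kmh / 3.6
    dm = d_min(v, a)
    if not D_S > dm:
        # Only the Ds > Dmin part of b6 can be checked: Dh is not given.
        raise ValueError("Dmin exceeds Ds: assumption b6 does not hold")
    zones = [("Dc > Dt > Ds", D_C - D_S, aop_both()),
             ("Ds > Dt > Dmin", D_S - dm, aop_single()),
             ("Dmin > Dt", dm, 1.0)]
    rows = []
    for name, length_m, aop in zones:
        # Table 5: lambda * (zone length / V), times trains per month
        trap = LAMBDA_PER_S * (length_m / v) * TRAINS_PER_MONTH
        rows.append((name, trap, aop, trap * aop))
    return rows


def total_accident_frequency(v_kmh, a=A_DECEL):
    return sum(row[3] for row in accident_rows(v_kmh, a))


if __name__ == "__main__":
    for v_kmh in (80, 90, 100, 110):
        print(f"V = {v_kmh} km/h, Dmin = {d_min(v_kmh / 3.6):.1f} m")
        for name, trap, aop, acc in accident_rows(v_kmh):
            print(f"  {name:<15} {trap:.3e}  {aop:.4f}  {acc:.3e}")
        print(f"  total {total_accident_frequency(v_kmh):.3e}")
```

Passing a smaller a models the reduced deceleration in rainy conditions noted in the text: the zone with no available protection grows and the total rises.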
5 CONCLUSIONS
This paper presents a primitive risk analysis study of
accident occurrences caused by a trapped motorcar
at a conventional level crossing in Japan. A simple
analysis result using a simple phenomenal model of
the train movement shows that the period when no
protection systems are available has a considerable
effect on the accident probability, and the exposure
time to this period increases as the train velocity
increases. Thus, a well-known fact that the increase
of the train velocity leads to the increase of accident
frequency can be explained more analytically by the
model-based approach.
The presented analysis is the first step toward the
analysis of accidents caused by a trapped motorcar
at the level crossing. In this paper, the prevention of
initiating events or disturbances and the background
factors of human errors were not considered. An initiating event can happen even with complete measures
on the level crossing system or against human factor
problems, and so the protection measures after the
occurrence of initiating events must be prepared and
validated. The focus of the paper is on the effectiveness of protection systems activated after the occurrence of an initiating event. However, as shown in
the example, the risk reduction using protection systems cannot be sufficient, and so the prevention of
initiating events must be considered. For identification and prevention of latent conditions such as organizational influences, Reason's Swiss Cheese Model
[22] should be applied. The next step in the authors'
study is to consider effective protection measures,
including the prevention of trapping at the level crossing. For this purpose, the proposed method should be
improved by conducting more practical case studies.
REFERENCES
1 Database of Railway Safety (in Japanese), 2006 (Railway
Technical Research Institute, Japan).
2 Railway Accidents Reporting Regulation (in Japanese,
revised in 2001 by the Ministry of Land, Infrastructure
and Transport, Japan), 1987 (Ministry of Transport, Japan).
3 Information about the Safety of Railways and Tramways
(in Japanese), 2007 (Ministry of Land, Infrastructure and
Transport, Japan).

4 Mori, N. Safety measures for level crossings (in
Japanese). Railway Electl Engng, 2003, 14(2), 36.
5 Kawano, T. The effect of introduction of red & white
large-diameter crossing rods (in Japanese). Railway
Electl Engng, 2003, 14(2), 36–41.
6 Inoue, T. and Fukuda, H. Study on evaluation methods
of visibility of level crossing (in Japanese). RTRI (Railway
Technical Research Institute) Report, 2000, 14(12), 7–12.
7 Ohta, M. An obstacle detection system for level crossings using stereo cameras (in Japanese). RTRI (Railway
Technical Research Institute) Report, 2003, 17(6),
11–16.
8 Sato, K. and Nakajima, K. Obstruction detecting
devices on a level crossing using ultrasonic sensors
(in Japanese). Railway Electl Engng, 2001, 12(7), 24–28.
9 EE&CS Report: Infrastructure risk modelling Automatic
level crossing Automatic half barrier type (consequence
models), 1998 (Railtrack).
10 AIChE Center for Chemical Process Safety. Layer of
protection analysis, simplified process risk assessment, 2001 (American Institute of Chemical Engineers, New York).
11 International Nuclear Safety Group (INSAG). Defence
in depth in nuclear safety, 1996, INSAG-10 (International Atomic Energy Agency).
12 Fujihara, H. Safety and multi-layered protection in railway system (in Japanese). RRR (Railway Research
Review), 2005, 62(11), 10–13.
13 Kohda, T. and Fujihara, H. Accident sequence analysis
of railway accidents based on safety control functions.
In Proceedings of 2005 Asia-Pacific Conference on Risk
Management and Safety, 2005, pp. 346–351 (Hong
Kong Association of Risk Management and Safety,
Hong Kong).
14 Henley, E. J. and Kumamoto, H. Probabilistic risk
assessment, reliability engineering, design and analysis,
1991 (IEEE Press, California).
15 NASA. Fault tree handbook with aerospace applications,
Version 1.1, 2002 (NASA).
16 Vincent, K. J. The human factor: Revolutionizing
the way people live with technology, 2003 (Routledge,
New York).
17 Development history of railway signal (in Japanese),
1980, p. 441 (Signal Safety Association of Japan).
18 Level crossing safety devices (in Japanese), 2002 (Railway
Electrical Engineering Association of Japan).
19 Inoue, T., Kusukami, K., and Konno, S. Car driver
behavior in railway crossing accident (in Japanese).
RTRI (Railway Technical Research Institute) Report,
1994, 8(12), 13–18.
20 Article 54, Regulation for railway operating (in
Japanese), 1987 (rescinded in 2002).
21 Williams, J. C. A data-based method for assessing
and reducing human error to improve operational
performance. In Proceedings of 4th IEEE Conference
on Human factors in nuclear power plants, Monterey,
California, 1988, pp. 436–450.
22 Reason, J. Human error, 1990 (Cambridge University
Press, New York).
