Signal Passed at Danger (SPAD) — Fault Tree

The scenario

SPAD is the canonical rail-domain hazard: a train passes a signal at danger without authority, exposing it to potential collision with conflicting movements. Most modern signalling architectures defend against SPAD with a layered combination of trackside infrastructure, on-board Automatic Train Protection (ATP) and driver vigilance — and the fault tree must show that all three layers must fail to produce the top event.

Top event and decomposition

The top OR gate splits SPAD into three independent failure pathways:

• Signalling infrastructure failure — interlocking logic fault, trackside signal lamp failure, axle counter or track-circuit miscount that wrongly clears a route.
• ATP system failure — ETCS / TPWS / PZB onboard equipment fault, balise read failure, or supervision curve mis-computation. Modelled with a 2-out-of-3 voting structure where the architecture demands it.
• Driver-error pathway — incapacitation, mis-reading the aspect, deliberate disregard. Modelled with a human-error rate from THERP or the rail-specific RARA database.

EN 50126 risk analysis quantifies each branch and demonstrates that the combined top-event probability falls below the SIL 4 tolerable hazard rate (THR ≤ 10⁻⁹ /h for a continuous-mode safety function).

Standards alignment

EN 50126 Phase 4 requires a quantitative hazard analysis with FTA as a primary technique; EN 50129 then maps the FTA results onto the safety case (SR-01 / SR-02 sections). This template gives you the structural skeleton — failure rates, gate logic and basic events — that a SIL 4 safety case typically expects, ready to be tailored with your operator's empirical data and regional ATP variant.

Use this template

Open the tree in FTA Studio, swap in your ATP variant (ETCS L1/L2/L3, TPWS, PZB, ATC) and signalling-supplier λ data, run MOCUS for cut sets, and export the CENELEC-style FTA report for inclusion in the safety case.